
For the uninitiated, Snowflake is a data cloud company that provides a versatile platform for managing and analyzing massive amounts of data. At the end of May 2024, its clients' data started turning up on breached-data forums. Shortly afterwards, cybersecurity firm Hudson Rock released a now-deleted article outlining what it claimed was a breach of Snowflake. Snowflake denied this and, in another now-deleted post quoted by The Register, claimed that nothing had been compromised on its end. Both of those statements are partially true, and the whole situation is an absolute mess.
Many of Snowflake's customers are reporting breaches, have been notified of a potential breach, or are currently experiencing one. The common theme across the breaches is a lack of multi-factor authentication. Much of the data is now being actively sold on breached-data forums.
Companies Affected – (As of June 25, 2024)
- Santander
- LiveNation
- Advance Auto Parts
- LendingTree (QuoteWizard)
- PureStorage
- Los Angeles Unified School District (LAUSD)
- Neiman Marcus
- Ticketek
- Mandiant has notified 165 companies of potential impact
Google’s Mandiant released a great blog post and dubbed the threat actor UNC5537 (Mandiant). The team showcased UNC5537’s toolkit, designed to quickly extract data and interact with SQL databases. The tool was embarrassingly named “rapeflake”, but was renamed FROSTBITE by Mandiant. It is described as “having been observed performing SQL recon activities including listing users, current roles, current IPs, session IDs, and organization names.”
Some interesting finds in the report include that not only were the accounts not secured with MFA, they also belonged to contractors who were implied to have been compromised because they were using the same accounts and computers to pirate software.
So who is responsible?
Snowflake – Did not enforce MFA, and had its own demo account compromised because it didn’t secure it. Had terrible PR and left the community confused.
Clients – Did not enforce MFA when storing sensitive data, and that sensitive data was seemingly unencrypted.
Contractors – Using compromised credentials; all-around bad cyber hygiene.
Government – No good regulations or fines when it comes to cloud storage and mandating MFA for sensitive data.
This should be a wake-up call not only to companies that are using whatever-as-a-service, that they need to monitor and secure it, but also to providers, that they will be lambasted by the community regardless of how hard they try to shift blame to the user. While Snowflake did have the option to enable multi-factor authentication, it designed it in a way that did not push customers, or even in one case itself, to set it up.
IOCs
- Rapeflake
- DBeaver_DBeaverUltimate
- Go 1.1.5
- JDBC 3.13.30
- JDBC 3.15.0
- PythonConnector 2.7.6
- SnowSQL 1.2.32
- Snowflake UI
- Snowsight Al
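One way to hunt for this in your own account is to run the client strings above against Snowflake's ACCOUNT_USAGE views. This is an added example, not a query from Snowflake's or Mandiant's guidance; the view and column names (SESSIONS.CLIENT_APPLICATION_ID, LOGIN_HISTORY.SECOND_AUTHENTICATION_FACTOR, and so on) are assumed from Snowflake's documentation, and the 90-day window is an arbitrary choice.

```sql
-- Added example (not from the page's sources). Assumes the standard
-- SNOWFLAKE.ACCOUNT_USAGE.SESSIONS and LOGIN_HISTORY views.

-- 1. Sessions whose reported client application matches one of the
--    IoC client strings above. "Snowflake UI" and "Snowsight" are left
--    out on purpose: every legitimate browser user would match them.
WITH ioc_clients AS (
    SELECT column1 AS pattern
    FROM VALUES ('%rapeflake%'), ('%DBeaver_DBeaverUltimate%'),
                ('%Go 1.1.5%'), ('%JDBC 3.13.30%'), ('%JDBC 3.15.0%'),
                ('%PythonConnector 2.7.6%'), ('%SnowSQL 1.2.32%')
)
SELECT s.created_on,
       s.user_name,
       s.session_id,
       s.client_application_id,
       l.client_ip,
       l.first_authentication_factor,
       l.second_authentication_factor
FROM snowflake.account_usage.sessions s
JOIN snowflake.account_usage.login_history l
  ON l.event_id = s.login_event_id
JOIN ioc_clients i
  ON s.client_application_id ILIKE i.pattern
WHERE s.created_on >= DATEADD(day, -90, CURRENT_TIMESTAMP())
ORDER BY s.created_on DESC;

-- 2. Successful password logins with no second factor: the exact gap
--    described above. Each user listed here is a candidate for an MFA
--    enrolment or a move to key-pair / SSO authentication.
SELECT user_name,
       COUNT(*)                  AS password_only_logins,
       COUNT(DISTINCT client_ip) AS distinct_ips,
       MAX(event_timestamp)      AS last_seen
FROM snowflake.account_usage.login_history
WHERE is_success = 'YES'
  AND first_authentication_factor = 'PASSWORD'
  AND second_authentication_factor IS NULL
  AND event_timestamp >= DATEADD(day, -90, CURRENT_TIMESTAMP())
GROUP BY user_name
ORDER BY password_only_logins DESC;
```

ACCOUNT_USAGE views lag live activity by up to a few hours, so a clean result for the last hour proves nothing; a hit in query 1 from a client your team does not use is the thing to escalate.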
More from Snowflake
Associated IPs