
Snowflake services targeted by hackers: Multiple companies report stolen data


Cybersecurity

In the realm of cloud data management and analysis, Snowflake stands out as a leading provider, serving over 9,800 companies globally, including renowned names like Mastercard, Adobe, and Pfizer. However, the recent widespread attacks in June targeting Snowflake customers have brought to light the critical importance of robust security measures.

These attacks resulted in significant data theft, potentially affecting more than 100 customers. This incident underscores a crucial lesson: when utilizing cloud-based services, security cannot be solely entrusted to cloud vendors. Users must take proactive steps to safeguard their data. This week’s Cyber Security Insights delves into the details of the attack, the vulnerabilities exploited, and the broader implications for global cybersecurity.

Hackers first targeted Santander Bank

Santander Bank, headquartered in Spain, may have been the first to be affected by the data breach. The bank confirmed it had suffered a cyber incident on May 14, reporting to Spain’s National Securities Commission that there had been ‘unauthorized access to a database hosted by a third-party provider’; the third party was later identified as Snowflake.

Personal information of over 12,000 employees at the bank may have been compromised, in addition to information relating to customers in Spain, Chile and Uruguay. Subsequently, the Shinyhunters threat group, who owned Breachforums at the time, posted on the world’s largest hacker forum that it would sell data containing information on 30 million Santander Bank customers for $2 million.

Figure 1. ShinyHunter’s post selling Santander customer information

The attackers used stolen credentials to access Santander’s Snowflake instance to steal data. Investigations confirmed that stolen credentials used in the attacks had been in circulation amongst hackers for some time and were primarily obtained from multiple infostealer malware campaigns that infected non-Snowflake owned systems. A number of successful compromises were the result of accounts not configured with multi-factor authentication, credentials being valid despite being years old and Snowflake customer instances failing to have allow lists in place for trusted locations.

In addition to Santander Bank, ticketing company Ticketmaster was targeted with the Shinyhunters threat group attempting to sell stolen data. Other victims include auto parts company Advanced Auto Parts and department store giant Neiman Marcus. Mandiant stated it has alerted around 165 organizations that may have been targeted.

Snowflake urges customers to use Multi-Factor Authentication

In a joint statement with security companies Mandiant and CrowdStrike, Snowflake stated the attack was not the result of a Snowflake vulnerability or system misconfiguration, nor were the accounts of current or former Snowflake employees used. It urged customers to use multi-factor authentication and allow access only from secure locations.

It’s not uncommon for companies to force reset customer passwords in the event of a cyberattack, but the company did not do so after becoming aware of the attack. Experts have questioned Snowflake’s failure to prevent the damage from spreading. Under Snowflake’s shared responsibility model, “customers are responsible for applying multi-factor authentication” the company told tech media.

Summary

When using cloud-based services, security measures cannot be left to cloud vendors alone. It is typically the user’s responsibility to enable multi-factor authentication, manage authentication and set access restrictions. In the past, data leaks have occurred from cloud services operated by major companies such as Salesforce and Office365, not due to system defects, but due to poor configuration and unauthorized access using stolen information.

In its “Guidelines for Appropriate Settings for the Use and Provision of Cloud Services”, published in October 2022, the Japanese Ministry of Internal Affairs and Communications highlights multi-factor authentication as a “particularly important configuration item” and recommends that cloud service users make it mandatory. It also recommends restricting access to specific IP addresses, in conjunction with management and monitoring of logs.
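As an added example, not part of the original post or of Snowflake’s own guidance, the following Snowflake SQL applies the two controls recommended above (a network allow list and mandatory MFA) and then hunts in the account’s login history for the password-only logins that the attacks described earlier relied on. The IP ranges and policy names are placeholders, and the PASSWORD_LAST_SET_TIME column of ACCOUNT_USAGE.USERS is assumed to be available in your edition.

```sql
-- Added example, not from the article or from Snowflake. Replace the
-- placeholder RFC 5737 ranges and policy names with your own values.

-- 1. Allow access only from trusted locations (corporate egress, ETL hosts).
CREATE NETWORK POLICY trusted_locations
  ALLOWED_IP_LIST = ('203.0.113.0/24', '198.51.100.10');   -- placeholders
ALTER ACCOUNT SET NETWORK_POLICY = trusted_locations;

-- 2. Require every user to enrol in MFA. Service accounts that cannot do MFA
--    should move to key-pair authentication rather than stay on passwords.
CREATE AUTHENTICATION POLICY mfa_required
  MFA_ENROLLMENT = REQUIRED;
ALTER ACCOUNT SET AUTHENTICATION POLICY mfa_required;

-- 3. Hunt: successful password-only logins in the last 30 days, with the
--    source IP and the age of the password used (old, still-valid credentials
--    were one of the factors in the Snowflake customer compromises).
SELECT lh.event_timestamp,
       lh.user_name,
       lh.client_ip,
       lh.reported_client_type,
       DATEDIFF('day', u.password_last_set_time, lh.event_timestamp)
         AS password_age_days                      -- assumes this column exists
FROM snowflake.account_usage.login_history lh
JOIN snowflake.account_usage.users u
  ON u.name = lh.user_name
WHERE lh.is_success = 'YES'
  AND lh.first_authentication_factor = 'PASSWORD'
  AND lh.second_authentication_factor IS NULL     -- no MFA on this login
  AND lh.event_timestamp >= DATEADD('day', -30, CURRENT_TIMESTAMP())
ORDER BY password_age_days DESC;
```

Test the network policy against your own administrator’s egress address with a user-level policy first; an account-level policy that omits it locks out administrators as well. Rows returned by the hunting query that originate from addresses outside the allow list are the logins to review first.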

Multi-factor authentication can make a service less convenient to use, so its introduction is a balance between usability and security. Depending on the purpose of the cloud service in use, strict access control may not be necessary.

In order to leverage cloud services safely, it is vitally important to confirm and understand the demarcation of responsibility with cloud providers and take appropriate security measures in areas that should be managed by users.

About our Cyber Security Insights

This blog post is part of our Cyber Security Insights series, released several times every month and providing insight into the evolving threat landscape. Crafted by NTT Security Japan Inc. Consulting Services Department’s OSINT Monitoring Team and NTT Security Sweden’s Incident Response Team, our content includes expert analysis of recent breaches, vulnerabilities, and cyber events. Stay ahead of the curve with our timely updates and actionable intelligence, ensuring your digital assets remain secure in an ever-changing environment.


