Snowflake

Published: 3 June 2024

Prepared by: Adam Skupien, Vulnerability Security Analyst

PURPOSE

The purpose of this alert is to bring attention to an increase in cyber threat activity being observed targeting Snowflake customers’ accounts.

Snowflake is investigating this activity and believes that it is not caused by any vulnerability in or misconfiguration of the Snowflake product; rather, user account credentials exposed through an unrelated incident are being used.

On 01 June 2024, the Australian Cyber Security Centre (ACSC) released an advisory addressing this development and urging organisations to take immediate action to reset credentials for active accounts, disable non-active accounts, enable Multi-Factor Authentication (MFA) and review user activity.

Snowflake has published an advisory to assist with investigating any potential threat activity and taking preventative actions.

DETAILS

Snowflake has recently observed an increase in cyber threat activity targeting some of their customers’ accounts, which they believe is the result of ongoing industry-wide identity-based attacks with the intent of obtaining customer data.

The attacks are performed with Snowflake user credentials that were exposed through unrelated cyber threat activity.

No vulnerability or misconfiguration of the Snowflake product has been implicated in the attack at this time. Snowflake has directly contacted a limited number of customers who they believe may have been impacted.

MITIGATION ACTIONS

The ACSC advises that organisations utilising Snowflake should immediately reset credentials for active accounts, disable non-active accounts, enable MFA, and review user activity.

Snowflake has outlined the commands required to be executed to perform the required actions in their advisory, along with further security hardening steps.

Triskele Labs advises that organisations implement these actions as a priority, and that administrators of the affected product monitor their instance for anomalous user authentication and activity.
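The following Snowflake SQL is an added example supporting the four ACSC actions above; it is not taken from the Triskele Labs alert or from Snowflake's advisory. It reads the SNOWFLAKE.ACCOUNT_USAGE views (which require a suitably privileged role such as ACCOUNTADMIN); the 90-day and 14-day windows and the user names are assumptions, not values from the alert.

```sql
-- Added example, not Snowflake's advisory text. Assumed: ACCOUNTADMIN (or a role
-- granted IMPORTED PRIVILEGES on the SNOWFLAKE database), placeholder user names,
-- and a 90-day inactivity threshold.

-- 1. Enable MFA: list enabled, password-authenticating users who have not enrolled in MFA.
SELECT name, last_success_login, has_password, ext_authn_duo
FROM snowflake.account_usage.users
WHERE deleted_on IS NULL
  AND disabled = FALSE
  AND has_password = TRUE
  AND ext_authn_duo = FALSE
ORDER BY last_success_login DESC NULLS LAST;

-- 2. Disable non-active accounts: enabled users with no successful login in 90 days (assumed threshold).
SELECT name, last_success_login
FROM snowflake.account_usage.users
WHERE deleted_on IS NULL
  AND disabled = FALSE
  AND (last_success_login IS NULL
       OR last_success_login < DATEADD(day, -90, CURRENT_TIMESTAMP()));

-- Disable one such account (placeholder name).
ALTER USER inactive_user_placeholder SET DISABLED = TRUE;

-- 3. Reset credentials for an active account: set a temporary password and force a
--    change at next login (placeholder values).
ALTER USER active_user_placeholder
  SET PASSWORD = '<temporary-password-placeholder>' MUST_CHANGE_PASSWORD = TRUE;

-- 4. Review user activity: queries run by the account over the last 14 days (assumed window).
SELECT start_time, user_name, role_name, query_type, query_text
FROM snowflake.account_usage.query_history
WHERE user_name = 'ACTIVE_USER_PLACEHOLDER'
  AND start_time >= DATEADD(day, -14, CURRENT_TIMESTAMP())
ORDER BY start_time DESC;
```

Note that the ACCOUNT_USAGE views are populated with a latency of up to a few hours, so a user disabled or reset moments ago may not yet show the change in these queries; the ALTER USER statements themselves take effect immediately.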

DETECTION

During their investigation, Snowflake has identified several IP addresses and clients that are potentially associated with the attack and has provided SQL queries in their advisory that can be used to identify login events originating from the suspicious IP addresses or clients.

Any user accounts identified as logging in from suspicious IP addresses or clients should be immediately disabled, and any actions taken by them should be reviewed for suspicious activity.

An updated record of associated IP Addresses can be found in the advisory: https://community.snowflake.com/s/article/Communication-ID-0108977-Additional-Information
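The query below is an added example of the kind of login-history review described in this section; it is not the query from Snowflake's advisory. The IP addresses (documentation ranges) and the client pattern are placeholders, and should be replaced with the values published in the advisory linked above.

```sql
-- Added example, not Snowflake's own detection query. Assumed: a role able to read
-- SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY, placeholder IPs and client pattern, and a
-- 30-day look-back window.

-- Login events from the listed IP addresses or matching the listed client strings.
WITH suspicious_ips AS (
    SELECT column1 AS client_ip
    FROM VALUES ('198.51.100.10'), ('203.0.113.25')     -- placeholder IPs, not IoCs from the alert
),
suspicious_clients AS (
    SELECT column1 AS client_pattern
    FROM VALUES ('%SUSPICIOUS_CLIENT_PLACEHOLDER%')     -- placeholder client pattern
)
SELECT lh.event_timestamp,
       lh.user_name,
       lh.client_ip,
       lh.reported_client_type,
       lh.reported_client_version,
       lh.first_authentication_factor,
       lh.second_authentication_factor,
       lh.is_success,
       lh.error_message
FROM snowflake.account_usage.login_history lh
WHERE lh.event_timestamp >= DATEADD(day, -30, CURRENT_TIMESTAMP())
  AND (
        lh.client_ip IN (SELECT client_ip FROM suspicious_ips)
     OR EXISTS (
          SELECT 1
          FROM suspicious_clients sc
          WHERE (lh.reported_client_type || ' ' || lh.reported_client_version) ILIKE sc.client_pattern
        )
  )
ORDER BY lh.event_timestamp DESC;

-- Per-user summary: successful logins from the listed IPs that used no second factor,
-- which is the population to disable and review first.
SELECT user_name,
       COUNT(*)             AS successful_logins,
       MIN(event_timestamp) AS first_seen,
       MAX(event_timestamp) AS last_seen
FROM snowflake.account_usage.login_history
WHERE event_timestamp >= DATEADD(day, -30, CURRENT_TIMESTAMP())
  AND is_success = 'YES'
  AND second_authentication_factor IS NULL
  AND client_ip IN (SELECT column1 FROM VALUES ('198.51.100.10'), ('203.0.113.25'))  -- same placeholders
GROUP BY user_name
ORDER BY last_seen DESC;
```

The ACCOUNT_USAGE.LOGIN_HISTORY view lags live activity by up to two hours, so for an active incident pair this review with the INFORMATION_SCHEMA LOGIN_HISTORY table function, which is near real-time but retains only the last seven days.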