Very big cyber incident playing out at Snowflake, who describe themselves as “AI Data Cloud”. They have a free trial where anybody can sign up and upload data… and they have.
Threat actors have been scraping customer data using a tool called rapeflake, for about a month.
The tl;dr of the Snowflake thing is mass scraping has been happening, but nobody noticed.. and they're pointing at customers for having poor credentials. It appears a lot of data has gone walkies from a bunch of orgs.
Snowflake is a big AI data company with a conference in the US next week, chances of that going ahead are interesting.
IOCs: https://community.snowflake.com/s/article/Communication-ID-0108977-Additional-Information
Snowflake admin users need to check their Snowflake environment, not sec departments check their on prem.
Snowflake: there is absolutely no cybersecurity incident.
Also Snowflake: Please run these commands and look for "threat activity" logins with the user agent "rapeflake" using this knowledge base article we haven't listed on our website.
https://community.snowflake.com/s/article/Communication-ID-0108977-Additional-Information
Live Nation said its stolen database was hosted on Snowflake, a cloud storage and analytics company.
The deleted Hudson Rock post on Snowflake breach: https://web.archive.org/web/20240531140540/https://hudsonrock.com/blog/snowflake-massive-breach-access-through-infostealer-infection
For the record I don't think all the content is accurate - however Snowflake did have a security incident via their former employee, they have full IR stood up. They didn't follow their own best practices.
I also know multiple orgs who've had their full databases taken from Snowflake.
The Snowflake authentication setup is terrible.
MFA can’t be enabled org wide, each user has to manually log in and enable it. There’s no policy to block users without MFA. And it uses Duo MFA rather than your orgs MFA. (You can bring your own MFA with SAML).
Also all users log in via a Snowflake domain, so you can just pull creds from info stealer marketplaces or logs.
That’s why they’re being targeted as a platform.
IMHO it's fair to call out Snowflake's authentication isn't very good - it's the worst SaaS MFA solution I've seen as it has no top level, easy switch for org wide MFA enforcement.
Combined with putting all customers under *.snowflakecomputing.com sub domain is why their customers are getting owned - infostealers are just full of creds ready to go.
I gather Snowflake are discussing changes to fix, don't tell the fanboys (and yes, they're all dudes).
Mandiant have informed 165 organisations they may have had data exfiltration from their Snowflake hosted databases
https://cloud.google.com/blog/topics/threat-intelligence/unc5537-snowflake-data-theft-extortion/
✅ won a game of Call of Duty
✅ hacked the world’s largest companies
✅ used an infostealer
Can’t wait for these guys to have super secure Microsoft Recall, which is definitely encrypted from the user 🤪🤪🫡
Snowflake have told customers "We are also developing a plan to require our customers to implement advanced security controls, like multi-factor authentication (MFA) or network policies, especially for privileged Snowflake customer accounts."
Good! They also say the attack was "not caused by a vulnerability, misconfiguration, or breach of its product". Just happy little bad MFA.
Nice: "In a phone call this week, Jones (Snowflake CISO) told WIRED that Snowflake is working on giving its customers the ability to mandate that users of their accounts employ multifactor authentication going forward, “and then we’ll be looking in the future to [make the] default MFA,” he says."
This will be a great outcome for Snowflake customers and Snowflake itself. I know Snowflake got big mad at me for pointing it out, but that was a prime weakness in their MFA.
https://www.wired.com/story/epam-snowflake-ticketmaster-breach-shinyhunters/
By Nick Biasini with contributions from Kendall McKay and Guilherme Venere Headlines continue to roll in about the many implications and follow-on attacks originating from leaked and/or stolen credentials for the Snowflake cloud data platform. Adversaries obtained stolen login credentials for Snowflake accounts acquired via information-stealing malware and used
I think SaaS providers who provide their own authentication have a responsibility to provide robust, *enforceable* MFA for their customers - so if an org wants all their users to require MFA, they can and it’s just an easy tick box.
Some SaaS providers aren’t doing this - - and it’s the reason infostealer logs are such a problem. Their angle is customer is solely responsible, but as a counterpoint: see how that is working out for Snowflake.
Snowflake have rolled out MFA changes:
- A new authentication policy that requires MFA for all users in a Snowflake account
- prompting for user-level MFA setup
- Snowflake Trust Center for monitoring adherence to MFA policies
This solves all the inherent product weaknesses from the prior setup, they did a good job.
https://www.snowflake.com/blog/snowflake-admins-enforce-mandatory-mfa/
@GossiTheDog if the SaaS vendors could provide SSO integration without having to pay extra, it will definitely help reduce these type of events. Stop putting paywalls on basic security features. Not all companies can afford to pay for enterprise licences to get SSO.
@zackwhittaker @GossiTheDog Exactly.
Blaming the users on their password hygiene, when you don't offer org admins any way to enforce SSO or MFA, is a bit ... let's say, not a great look
@GossiTheDog seems like misconfiguration if it can be fixed by forcing customers into using a different configuration…
but I guess it wasn’t a misconfiguration of snowflake’s own production account(s) at least
@GossiTheDog people who still use #Windows11 should be legally barred from doing anything re: #ITsec.
@GossiTheDog
@Johnhultquist
Even if Snowflake had "proper" MFA authentication across the board, would that have significantly changed the outcome?
That is, if an info stealer is what's at play, and it steals my authentication cookie, I can't really rest at night knowing that MFA is keeping me safe, right?
@jawnsy @wdormann @GossiTheDog @Johnhultquist
How do you device bound credentials? I have only heard of IP bounding them (so if it’s suddenly being used from a different location a new login is required)
And that is already being used by some companies afaik.
> putting all customers under *.snowflakecomputing.com sub domain
How else would you have them handle it? Nearly all SaaS providers do exactly this.
A popular one you might have come across is *.github.io.
(Not a fanboy; I just work for another SaaS vendor and would like to know if we’re doing anything terribly wrong.)
Oh fuu....you're right! This just keeps getting worse and worse.
I got to this point in your write-up, and I don't think it can be emphasized enough:
Note that in the age of SaaS, your providers will throw you under the bus to save themselves. When you transfer your security risk to a provider, they don’t accept your risk — they just take the money.[EDIT: typo]
Kevin Beaumont
Allan Chow
Ænðr E. Feldstraw
barunick
agnivesh
Cali
Zack Whittaker
toadjaune
clam
Michael Kohne
Sunsetish
Felix 🇨🇦 🇩🇪 🇺🇦
Kevin Karhan 
Anthropy
devopscats
Will Dormann
Jonathan Yu
Euph0r14
Brian Clark
Ankit Pati
Gordon
Ricky Boone
Samofhearts
Alan Miller 
🇺🇦
Ben Brockert
Nick
Bill
Vinny Troia 
Sam J Sharpe
Paul Bailey
patryko
JA
Chris Bussard
agarithil
Stuart Gray