Snowflake Breach

Snowflake is a cloud-based data warehousing company that provides a scalable and high-performance data platform for storing, analyzing, and sharing large volumes of data. 

On May 31, 2024, Hudson Rock shared screenshots of a conversation with a threat actor who claimed to have used a Snowflake employee’s stolen credentials to exfiltrate customer data from Santander and Ticketmaster. Snowflake disputed this claim and, on June 2, 2024, issued a joint statement with third-party cybersecurity experts, CrowdStrike and Mandiant, stating that there is no evidence of data exfiltration resulting from compromised employee credentials. The investigation shows this incident to be a targeted campaign directed at users with single-factor authentication, using credentials previously purchased or obtained through infostealing malware. Hudson Rock has since removed its post. The compromised credentials accessed demo accounts, which were not connected to Snowflake’s production or corporate systems.

In the joint statement, the company reported investigating activity from multiple IP addresses and observed malicious traffic from clients with the following characteristics:

  • Connections from a client identifying itself as rapeflake
  • Connections from a client identifying itself as DBeaver_DBeaverUltimate and running from Windows Server 2022

What to do if you or your vendors have active relationships with Snowflake

According to Snowflake’s instructions, it is recommended to run various queries to identify and disable suspected accounts, reset the credentials of the suspected users, review actions taken by the identified users, examine executed queries for external access, and inspect sessions for unusual applications.
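The triage sequence just described (find sessions from the two client fingerprints named above, identify their users and source IPs, review what those sessions ran, then disable and reset the accounts) as one Snowflake SQL walk-through. This is an added example, not Snowflake's published query set; it assumes the ACCOUNT_USAGE views SESSIONS, LOGIN_HISTORY and QUERY_HISTORY, that the SESSIONS view's CLIENT_ENVIRONMENT JSON carries APPLICATION and OS keys, and a constructed 90-day lookback window.

```sql
-- Step 1: sessions whose client matches the fingerprints from the joint statement.
-- Kept in a temporary table so the later steps can reuse the same set.
-- (CLIENT_ENVIRONMENT keys APPLICATION / OS and the 90-day window are assumptions.)
CREATE OR REPLACE TEMPORARY TABLE suspect_sessions AS
SELECT s.session_id,
       s.user_name,
       s.created_on,
       s.login_event_id,
       s.client_environment:APPLICATION::string AS client_app,
       s.client_environment:OS::string          AS client_os
FROM snowflake.account_usage.sessions s
WHERE s.created_on >= DATEADD(day, -90, CURRENT_TIMESTAMP())
  AND (    s.client_environment:APPLICATION::string ILIKE '%rapeflake%'
       OR (s.client_environment:APPLICATION::string ILIKE '%DBeaver_DBeaverUltimate%'
           AND s.client_environment:OS::string ILIKE '%Windows Server 2022%'));

-- Step 2: source IP and authentication factors of each suspect login.
-- A NULL second factor confirms the single-factor access the campaign targeted.
SELECT ss.user_name, ss.client_app, ss.client_os,
       lh.client_ip, lh.first_authentication_factor, lh.second_authentication_factor,
       lh.event_timestamp
FROM suspect_sessions ss
JOIN snowflake.account_usage.login_history lh
  ON lh.event_id = ss.login_event_id          -- LOGIN_EVENT_ID correlates with EVENT_ID
ORDER BY lh.event_timestamp DESC;

-- Step 3: what those sessions did. Data leaving the account (COPY INTO <location>,
-- GET) is flagged first so it is reviewed before everything else.
SELECT qh.user_name, qh.role_name, qh.start_time, qh.query_type, qh.query_text,
       CASE WHEN qh.query_type IN ('UNLOAD', 'GET_FILES')   -- assumed QUERY_TYPE values
              OR qh.query_text ILIKE 'copy into%'
            THEN 1 ELSE 0 END AS possible_data_export
FROM snowflake.account_usage.query_history qh
JOIN suspect_sessions ss ON qh.session_id = ss.session_id
WHERE qh.execution_status = 'SUCCESS'
ORDER BY possible_data_export DESC, qh.start_time DESC;

-- Step 4: containment, run per confirmed user ("<suspect_user>" is a placeholder):
-- disable the user, abort anything still running, then invalidate the static password.
-- ALTER USER "<suspect_user>" SET DISABLED = TRUE;
-- ALTER USER "<suspect_user>" ABORT ALL QUERIES;
-- ALTER USER "<suspect_user>" RESET PASSWORD;
```

ACCOUNT_USAGE views lag live activity by up to a few hours, so step 2 and 3 should be re-run before the investigation is closed.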

As part of its prevention measures, Snowflake has issued the following guidelines:

  • Setting up Network Policies: Set up account-level and user-level Network Policies for highly credentialed users/service accounts.

    //Aggregate of client IPs leveraged at authentication for service discovery (client IP/ user), driver, and authentication mechanism (recommendation is to leverage SAML, Key Pair, or OAuth). *The customer will update the trusted CIDR ranges that will apply to the Network Policy enforced at the Account level.
    select client_ip, user_name, reported_client_type, first_authentication_factor, count(*)
      from snowflake.account_usage.login_history
      group by client_ip, user_name, reported_client_type, first_authentication_factor
      order by count(*) desc;
  • Reviewing Account Parameters: Review account parameters to restrict how data can be exported from your Snowflake Account. Customers will need to do due diligence on enabling these features and their impacts on existing account integrations.

    alter account set PREVENT_UNLOAD_TO_INLINE_URL = true;
    alter account set REQUIRE_STORAGE_INTEGRATION_FOR_STAGE_CREATION = true;
    alter account set REQUIRE_STORAGE_INTEGRATION_FOR_STAGE_OPERATION = true;
    alter account set PREVENT_UNLOAD_TO_INTERNAL_STAGES = true;
  • Reviewing Accounts for Configuration Drift
    Monitor your Snowflake accounts for unauthorized privilege escalation or configuration changes.

    //The query below will display potential indicators of privilege escalation as users are granted the ACCOUNTADMIN role as the highest privilege role in Snowflake. This does not include custom roles that may have been granted the ACCOUNTADMIN role.
    select user_name || ' granted the ' || role_name || ' role on ' || end_time || ' [' || query_text || ']' as grants
      from snowflake.account_usage.query_history
      where execution_status = 'SUCCESS'
        and query_type = 'GRANT'
        and query_text ilike '%grant%accountadmin%to%'
      order by end_time desc;
    //Example query to detect unauthorized change management/ security anomalies.
    //Note: in ILIKE patterns "_" matches any single character, so '%create_network_policy%' also matches "create network policy".
    SELECT
      query_text,
      user_name,
      role_name,
      start_time,
      end_time
    FROM snowflake.account_usage.query_history
    WHERE execution_status = 'SUCCESS'
    AND query_type NOT IN ('SELECT')
    AND (query_text ILIKE '%create role%'
    OR query_text ILIKE '%manage grants%'
    OR query_text ILIKE '%create integration%'
    OR query_text ILIKE '%alter integration%'
    OR query_text ILIKE '%create share%'
    OR query_text ILIKE '%create account%'
    OR query_text ILIKE '%monitor usage%'
    OR query_text ILIKE '%ownership%'
    OR query_text ILIKE '%drop table%'
    OR query_text ILIKE '%drop database%'
    OR query_text ILIKE '%create stage%'
    OR query_text ILIKE '%drop stage%'
    OR query_text ILIKE '%alter stage%'
    OR query_text ILIKE '%create user%'
    OR query_text ILIKE '%alter user%'
    OR query_text ILIKE '%drop user%'
    OR query_text ILIKE '%create_network_policy%'
    OR query_text ILIKE '%alter_network_policy%'
    OR query_text ILIKE '%drop_network_policy%'
    OR query_text ILIKE '%copy%' )
    ORDER BY end_time DESC;
  • Reviewing Service Account Authentication: For service accounts (i.e., non-human interactive use cases), use key pair authentication or OAuth for machine-to-machine communication (client credentials grant) in lieu of static credentials. In change management, enabling one authentication mechanism does not disable another in Snowflake. As Key Pair or OAuth is configured, customers can choose to unset the user password to remediate static credentials stored in Snowflake.

Additionally, as per the joint statement issued by Snowflake and third-party cybersecurity experts CrowdStrike and Mandiant, it is recommended that organizations immediately take the following steps:

  • Enforce Multi-Factor Authentication (MFA) on all accounts
  • Set up Network Policy Rules to only allow authorized users or traffic from trusted locations (VPN, Cloud workload NAT, etc.)
  • Reset and rotate Snowflake credentials for impacted organizations.
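An added audit query (not from the page or from Snowflake's guidance) that classifies every active user against the posture recommended above and in the service-account bullet: key pair or OAuth for service accounts with the static password unset, MFA for every human user. It assumes the ACCOUNT_USAGE USERS view columns HAS_PASSWORD, HAS_RSA_PUBLIC_KEY, EXT_AUTHN_DUO, DISABLED and DELETED_ON, and the constructed naming convention that service accounts start with SVC_.

```sql
-- Classify live users by the credential they can still log in with.
-- DISABLED and EXT_AUTHN_DUO are cast to BOOLEAN so the query works whether the
-- view exposes them as BOOLEAN or VARIANT (an assumption about the view's types).
WITH posture AS (
  SELECT name,
         last_success_login,
         has_password,
         has_rsa_public_key,
         COALESCE(ext_authn_duo::boolean, FALSE) AS mfa_enrolled,
         CASE
           WHEN has_rsa_public_key AND has_password
             THEN '1 key pair configured but static password still set: UNSET PASSWORD'
           WHEN has_password AND name ILIKE 'SVC_%'          -- constructed convention
             THEN '2 service account on static password: move to key pair or OAuth'
           WHEN has_password AND NOT COALESCE(ext_authn_duo::boolean, FALSE)
             THEN '3 human user on single-factor password: enrol MFA'
           ELSE 'ok'
         END AS finding
  FROM snowflake.account_usage.users
  WHERE deleted_on IS NULL
    AND NOT COALESCE(disabled::boolean, FALSE)
)
SELECT finding, name, last_success_login, has_password, has_rsa_public_key, mfa_enrolled
FROM posture
WHERE finding <> 'ok'
ORDER BY finding, name;

-- Remediation for finding 1 and 2 (SVC_EXAMPLE and the key body are placeholders):
-- attach the public key first, confirm the client authenticates with it, then
-- remove the password so only the key pair remains.
-- ALTER USER SVC_EXAMPLE SET RSA_PUBLIC_KEY = '<public key PEM body>';
-- ALTER USER SVC_EXAMPLE UNSET PASSWORD;
```

Re-running the LOGIN_HISTORY aggregation from the Network Policies bullet after the change confirms that the account's FIRST_AUTHENTICATION_FACTOR is no longer PASSWORD.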
