Update: On July 9th, 2024, Snowflake announced in this blog that administrators can now require, enforce, and monitor mandatory multi-factor authentication (MFA) for all users in a Snowflake account. Zilla is pleased to see this update and our guidance below remains unchanged regarding the importance of leveraging Zilla Security to inventory and monitor all user accounts, service accounts, permissions, and authentication settings.
tl;dr – Snowflake accounts are under attack from credentials harvested by password-stealing malware, resulting in large data breaches for at least 6 known Snowflake customers. The root cause points to accounts that are not protected by MFA. Customers may believe they are protected by MFA once they turn on SSO. However, there is an SSO bypass at play if SSO is not configured correctly: enabling a new authentication method does not remove previously configured ones, so an account can still be accessed with simple password authentication even when SSO is in place. Zilla Security can help.
This week, Snowflake has observed an uptick in cyber threat activity targeting some of their customers’ accounts. The most notable of these events is the recent Ticketmaster data breach of their Snowflake tenant, which resulted in the leakage of records on 560 million Ticketmaster customers, and the Advance Auto Parts data breach of 3TB of customer data. Reports also indicate that 5 additional customer accounts have fallen victim to the same attack, and that an internal Snowflake test environment was compromised this week.
As they continue to investigate, Snowflake believes these incidents are part of a broader trend of industry-wide, identity-based attacks aimed at obtaining customer data.
Understanding the Nature of the Threat
Industry reports indicate that these attacks are likely the result of malware harvesting individual Snowflake credentials from infected machines, which are then sold on the dark web. Attackers then test these usernames and passwords to locate accounts where MFA is not enabled.
Snowflake has released a statement that “the breaches are not the result of any vulnerabilities, or malicious activity within the Snowflake product itself. Instead, these threats stem from user credentials exposed through unrelated cyber incidents”.
In other words, attackers are leveraging previously compromised credentials and are able to gain unauthorized access to accounts due to MFA misconfigurations.
What This Means for Snowflake Customers
For customers to be impacted by this attack, they must have Snowflake accounts where simple username and password authentication is enabled and MFA is not enforced.
If SSO is enabled for Snowflake access, there is one major caveat. If a user was created directly in Snowflake with a password and SSO was enabled afterwards, the existing password is not removed. That user can still log in with the previously configured username and password, outside the identity provider and therefore without the identity provider's MFA, until an administrator explicitly unsets the password.
This SSO bypass misconfiguration is common across SaaS applications and is also at play with Snowflake.
Steps You Can Take to Protect Your Snowflake Environment
While Snowflake continues to monitor and address these threats, there are several proactive measures customers can take to protect their accounts. Unfortunately for security professionals, these steps require SQL-level access with administrative privileges, so it is best to engage your Snowflake administrator to limit business impact in case of errors.
- Enable Single Sign-On (SSO) and Multi-Factor Authentication (MFA) for all Snowflake users. Service accounts cannot complete an interactive MFA prompt, so move them to key-pair or OAuth machine authentication instead of passwords. When enforcing SSO, ensure that each user's password is removed per Snowflake’s documentation: https://community.snowflake.com/s/article/How-to-restrict-user-to-only-being-able-to-access-the-Snowflake-account-using-Single-Sign-On-SSO
- Identify any Snowflake users that were created outside the enterprise identity platform with a static password. Unfortunately, this is not visible in the UI configuration. Customers must query the USERS view in the SNOWFLAKE.ACCOUNT_USAGE schema and check the per-user flag that indicates whether a password is set: https://docs.snowflake.com/en/sql-reference/account-usage/users3
- Scan the environment for evidence of compromise using Snowflake’s recommended queries: https://community.snowflake.com/s/article/Communication-ID-0108977-Additional-Information
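The following Snowflake SQL is an added example, not code from the original post or from Snowflake's advisory. It ties together the SSO bypass described above and the three steps just listed: find users who still have a static password and no MFA enrollment, find recent successful password-only logins (no second factor) that such users actually performed, remove the password from an SSO user, and, using the account-level authentication policies referenced in the update at the top of this page, disallow password authentication account-wide. The role name, user names, policy name and schema are hypothetical placeholders; the policy syntax should be verified against the current Snowflake documentation before use.

```sql
-- Added example (not from the original post). Assumes a role that can read
-- SNOWFLAKE.ACCOUNT_USAGE (ACCOUNTADMIN by default) and run ALTER USER /
-- ALTER ACCOUNT. ACCOUNT_USAGE views lag live state by up to a couple of
-- hours; SHOW USERS returns the same HAS_PASSWORD / EXT_AUTHN_DUO flags
-- in real time if you need an immediate answer.
USE ROLE ACCOUNTADMIN;

-- 1. Users who can still authenticate with a static password and are not
--    enrolled in Snowflake's built-in (Duo) MFA. Any SSO user appearing
--    here is an SSO bypass candidate; any service account here should be
--    moved to key-pair or OAuth.
SELECT name,
       login_name,
       has_password,
       ext_authn_duo      AS mfa_enrolled,
       has_rsa_public_key AS keypair_configured,
       last_success_login
FROM   snowflake.account_usage.users
WHERE  deleted_on IS NULL
  AND  NOT COALESCE(disabled::BOOLEAN, FALSE)   -- DISABLED may be a VARIANT
  AND  has_password = TRUE
  AND  ext_authn_duo = FALSE
ORDER  BY last_success_login DESC NULLS LAST;

-- 2. Successful logins in the last 30 days where the first factor was a
--    password and no second factor was presented. Many distinct source IPs
--    or an unusual client for a single user is the pattern to chase.
--    IS_SUCCESS is a string ('YES'/'NO'), not a boolean.
SELECT user_name,
       reported_client_type,
       COUNT(*)                  AS password_only_logins,
       COUNT(DISTINCT client_ip) AS distinct_source_ips,
       MIN(event_timestamp)      AS first_seen,
       MAX(event_timestamp)      AS last_seen
FROM   snowflake.account_usage.login_history
WHERE  event_timestamp >= DATEADD(day, -30, CURRENT_TIMESTAMP())
  AND  is_success = 'YES'
  AND  first_authentication_factor = 'PASSWORD'
  AND  second_authentication_factor IS NULL
GROUP  BY user_name, reported_client_type
ORDER  BY distinct_source_ips DESC, password_only_logins DESC;

-- 3. Remediate an SSO user flagged in step 1: remove the password so the
--    identity provider (and its MFA) is the only way in. Enabling SAML did
--    not do this automatically, which is the whole SSO bypass problem.
ALTER USER jdoe UNSET PASSWORD;          -- hypothetical user name

-- 4. Remediate a service account: replace its password with a key pair.
--    The public key value is a placeholder; generate a real RSA key pair
--    and paste the PEM body without the BEGIN/END lines.
ALTER USER svc_etl_loader SET RSA_PUBLIC_KEY = 'MIIBIjANBgkq...';  -- placeholder
ALTER USER svc_etl_loader UNSET PASSWORD;

-- 5. Close the door account-wide with an authentication policy (the
--    feature referenced in the July 2024 update): allow only SAML for
--    people and key-pair / OAuth for machines, no PASSWORD at all.
--    Policy object names and schema are hypothetical; verify the
--    parameter names against current Snowflake docs.
CREATE AUTHENTICATION POLICY IF NOT EXISTS security.policies.sso_or_machine_only
  AUTHENTICATION_METHODS = ('SAML', 'KEYPAIR', 'OAUTH')
  COMMENT = 'No password logins; interactive users via IdP SSO, services via key-pair/OAuth';

ALTER ACCOUNT SET AUTHENTICATION POLICY security.policies.sso_or_machine_only;
```

Run step 1 and step 2 before step 5: an account-level policy that removes PASSWORD will lock out every user and service still relying on a password, so the audit queries tell you exactly who must be migrated first. Re-running step 2 after remediation, expecting zero rows, is the cheapest ongoing check that the bypass has not crept back in through newly created users.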
Zilla Security Can Help
Identifying missing MFA controls, especially in combination with an SSO configuration, can be challenging. Ideally, MFA is enforced by the identity provider through SSO. However, SSO bypass via a leftover password is a fairly common misconfiguration. The Zilla Security & Snowflake integration inventories all user accounts, service accounts, permissions, and authentication settings.
This provides the ability to identify and audit:
- User accounts where MFA is disabled
- Service accounts where MFA is disabled
- Accounts where password access is enabled even with SSO/MFA in place
- Terminated employees with active Snowflake accounts
- New Snowflake accounts with elevated access
More importantly, the integration correctly identifies accounts with password access disabled, thereby eliminating false positives.
Get a Free Identity Assessment for your Snowflake Environment
Understanding the urgency and difficulty of detecting vulnerable accounts in Snowflake environments, Zilla Security is offering a free, no-strings-attached identity assessment.
Zilla customers already have access to these capabilities, but we offer them at no cost to any organization seeking to improve the identity security posture of their Snowflake environment. The assessment can be completed in minutes and requires a simple API integration to Snowflake and an authoritative directory such as Okta or Entra ID.
The Zilla Security Customer Success team will work with organizations to deploy Zilla Security.