
The Snowflake breach: Lessons on MFA

What can be learned from the Snowflake incident and what should CISOs be doing to boost their security going into 2025?


In April 2024, it emerged that customers of popular cloud platform Snowflake were being targeted by attackers using credentials stolen via infostealing malware to access accounts.

Snowflake itself was not breached, but it is estimated that 165 of its customers, including telecoms giant AT&T and Ticketmaster, were compromised via the simple credential stuffing attacks.

A couple of months after the initial breaches, researchers at Google’s Mandiant identified a campaign targeting Snowflake customer database instances. It named the attacker as UNC5537, “a financially motivated threat actor suspected to have stolen a significant volume of records from Snowflake customer environments”.

“UNC5537 is systematically compromising Snowflake customer instances using stolen customer credentials, advertising victim data for sale on cybercrime forums, and attempting to extort many of the victims,” Mandiant said.

Access was easy, due to a lack of multi-factor authentication (MFA) on the targeted accounts. “Just enabling MFA could have blocked these attacks and users would’ve been alerted about any suspicious login attempts,” says Matt Hull, global head of threat intelligence at NCC Group.

The Snowflake breaches could have been avoided if customers had been using MFA, agrees Ian Thornton-Trump, CISO at Inversion6. Taking this into account, he calls the Snowflake incident and resulting breaches “one of the best examples of the importance of one security control in recent memory”.

It’s certainly one of the most memorable security events of 2024. So, nearly nine months later, what can be learned from the Snowflake incident and what should companies and CISOs be doing to boost their security?

Big changes

In a way, the incident was a positive thing, since it was a catalyst for change including the much-needed industry roll-out of MFA.

Snowflake was quick to respond to the breaches of its customers, working with Google’s Mandiant and publishing detailed detection and hardening guidance. MFA is now enforced by default for all human users of any account created starting October 2024.

By November 2025, Snowflake will block sign-in for all password-only logins, meaning that users will only be able to sign in to their Snowflake account with MFA.

Snowflake has also hardened password practices. It will require both newly-created and altered user passwords to have a minimum length of 14 characters, up from eight – and to be different to the last five credentials used.

The cloud provider shared a statement with SC Media UK to reiterate that Snowflake itself was not breached. “Snowflake has not identified evidence suggesting this activity was caused by a vulnerability, misconfiguration, or breach of Snowflake’s platform, and that this has also been verified following investigations with third-party cybersecurity experts Mandiant and CrowdStrike,” a spokesperson said.

Snowflake is “continuing investing in the security capabilities of customer accounts” and the firm has highlighted its commitment to the US Cybersecurity and Infrastructure Security Agency (CISA)’s Secure By Design Pledge.

Other vendors have also been taking note, with tech giants including Microsoft gradually rolling out MFA for accounts. Google is implementing mandatory MFA for Google Cloud in a phased approach that will roll out to all users worldwide during 2025. At the same time, AWS has made it mandatory for customers to use MFA for root users in the AWS Management Console.

Avoiding attack

Other than misconfigurations, identity and access management is “a key vulnerability” in cloud platforms, says Rob Demain, CEO of e2e-assure. He points out that “weak or non-existent credential attacks” made up almost half (47 percent) of intrusions in the first half of 2024, according to Google Cloud’s Threat Horizons report.

Mandiant identified that the majority of the credentials used by UNC5537 were available from historical infostealer infections, some of which dated as far back as 2020. Infostealing malware, or infostealers, have become more popular because they allow attackers to access sensitive data such as passwords and cryptocurrencies stored in someone’s browser or on their machine, says Aaron Walton, threat intel analyst at Expel.

Infostealers are often distributed through malicious advertisements for software, phishing emails, personal downloads, or pirated software. “Some of the incidents Mandiant investigated were the result of contractors downloading pirated software to the same device they used to service customers,” he says.

This form of malware is readily available on the dark web and can target both Windows and Apple macOS systems – and it’s efficient, says Walton. “In most cases, if the malware is able to run successfully once, it’s done its job and doesn’t need to establish itself to start again — unlike other malware which often requires installing itself as part of the system startup process.”

From the data stolen, criminals can “pretty easily” find developer and data storage platform credentials and “abuse them silently”, Walton says. “So what happened to Snowflake is unfortunately more likely the rule than the exception.”

Overcoming challenges

The roll-out of MFA across the industry will help improve security, but challenges still remain. Walton thinks the threat of infostealers is not being fully realised by businesses, despite the fact it can be mitigated by measures such as good password security and credential theft detection.

The Snowflake breaches are “unfortunately only likely the tip of the iceberg”, Walton warns. “We only know about them primarily because an attacker publicly disclosed their actions in an attempt to extort victims. So how many incidents occur silently, going undetected or unreported?”

So what steps can firms take to avoid this threat and avoid becoming a victim of an incident similar to Snowflake? First of all, organisations need to make MFA mandatory, says Hull. “It’s a simple fix to a huge problem.”

It’s also a good idea to start monitoring dark web forums for stolen credentials, Hull advises. “Getting ahead of the problem by detecting leaks early can make a big difference.”

Implementing network allow lists can further lock things down by restricting access to trusted sources only, says Hull.

This is on top of user awareness, such as training employees to spot phishing emails to help protect the business from attacks. As Hull says: “Training people to spot phishing, avoid malware and take care of their credentials is essential to stopping these attacks in their tracks.”
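The MFA and network allow list advice above can be checked against login records. The following is an added example, not from the article or from Snowflake: it flags password-only logins and logins from outside an allow list. The event layout, user names and address ranges are constructed assumptions.

```python
import ipaddress

# Constructed allow list (documentation address ranges), not from the article.
ALLOWED = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "2001:db8:10::/48")]

# Constructed login events: (user, client_ip, first_factor, second_factor, success).
# The field layout is an assumption for a generic login-history export.
SAMPLE_EVENTS = [
    ("etl_svc", "192.0.2.15", "PASSWORD", None, True),
    ("analyst1", "192.0.2.40", "PASSWORD", "TOTP", True),
    ("contractor7", "203.0.113.77", "PASSWORD", None, True),
    ("analyst1", "198.51.100.9", "PASSWORD", None, False),
    ("dba2", "2001:db8:10::5", "KEYPAIR", None, True),
]
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}

def ip_allowed(raw_ip, networks=ALLOWED):
    """True only if raw_ip parses and falls inside an allowed network."""
    try:
        addr = ipaddress.ip_address(raw_ip)
    except ValueError:
        return False  # unparseable source address is treated as untrusted
    return any(addr.version == net.version and addr in net for net in networks)

def audit_logins(events, networks=ALLOWED):
    """Return (severity, user, client_ip, reasons) findings, worst first."""
    findings = []
    for user, client_ip, first, second, success in events:
        reasons = []
        if first == "PASSWORD" and not second:
            reasons.append("password-only")
        if not ip_allowed(client_ip, networks):
            reasons.append("off-allow-list")
        if not reasons:
            continue
        if not success:
            severity = "low"      # failed attempt: possible credential stuffing
        elif len(reasons) == 2:
            severity = "high"     # stolen-password pattern: no MFA, unknown source
        else:
            severity = "medium"   # one control missing on a successful login
        findings.append((severity, user, client_ip, reasons))
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f[0]])

def users_needing_mfa(events):
    """Users with at least one successful password-only login."""
    return sorted({u for u, _, f, s, ok in events if ok and f == "PASSWORD" and not s})
```

Running `audit_logins(SAMPLE_EVENTS)` ranks the successful password-only login from an unlisted address first, and `users_needing_mfa` gives the accounts to enrol before password-only sign-in is blocked.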


Kate O'Flaherty
Kate O'Flaherty Cybersecurity and privacy journalist