The Snowflake Attack: Ensure MFA is Enabled

On June 2nd, Snowflake, one of the most popular data warehouse Software-as-a-Service (SaaS), used by almost ten thousand customers, including AT&T, CapitalOne, Mastercard, and NBC Universal, announced a possible breach via a joint statement with cybersecurity experts CrowdStrike and Mandiant. In this statement, Snowflake discussed the ongoing investigation into a targeted attack campaign against Snowflake and its customers’ accounts that may turn out to be one of the largest data breaches in history.

While the investigation is ongoing, Snowflake has clarified that the breach is likely not their responsibility but instead reflects on how their customers choose to leverage their SaaS product. The implication is that because the targets failed to enable multi-factor authentication (MFA), they left themselves open to numerous attacks, such as phishing, credential stuffing, and credential theft.

Preliminary Findings

Even though the investigation is still in its early stages, several important insights about the campaign have already been revealed.

Most importantly, this is an enormously wide-reaching attack with many big-name victims, likely including AutoZone and Ticketmaster, who have recently been noted as breach victims. In the case of Ticketmaster, their breach may impact over half a billion users.

The threat actors claim to have leveraged stolen credentials from a Snowflake employee’s ServiceNow account. This account had a direct login, which bypassed existing single sign-on controls. Using these credentials might have given them insight into potential targets for the attack, which is important as these attacks appear to all focus on businesses’ authentication processes to access Snowflake.

The attackers look to have leveraged stolen credentials obtained from prior breaches or credential-stealing malware in the attack. This became incredibly impactful as the victims looked to be using single-factor authentication, making them easy targets for threat actors using stolen credentials. Had they implemented MFA, these attacks would likely have fallen flat.

Unpacking the Snowflake Attack

To better understand the Snowflake attack, it’s helpful to map findings about the tools, techniques, and procedures (TTPs) referenced in the campaign against the MITRE ATT&CK SaaS Matrix.

Initial Access
Initial access is a critical stage where attackers infiltrate networks. In SaaS environments, they focus on acquiring legitimate user accounts to avoid the need to hack in. This is achieved through purchasing compromised credentials, phishing, and deploying information-stealing malware.

Purchases of Compromised Credentials
This method involves buying access to usernames and passwords previously exposed in data breaches, enabling unauthorized access to personal and corporate accounts. It’s a stark reminder of why robust, proactive security measures are non-negotiable.

Phishing
Common in the early stages of attacks, phishing involves sending deceptive emails to impersonate trusted sources and manipulate targets into revealing sensitive information. It often leads to system infiltration and data theft.

Info Stealing Malware
This type of malware quietly bypasses defenses to extract sensitive data like passwords and financial information. The increase in remote work has contributed to a rise in such malware attacks.

Valid Accounts
Attackers gain access to networks using legitimate user credentials, often obtained through phishing or theft. They target local accounts with weak security practices, such as reused or compromised credentials without multi-factor authentication (MFA).

A particular nuance in the Snowflake attack campaign was a preference for local accounts, also called direct logins with SaaS systems. These accounts do not use SSO and are commonly used for app administration or in emergencies to access the app should centralized IdP systems fail. Another common attribute of these local accounts is that they have some of the worst identity hygiene despite their often-escalated privileges (e.g., admin accounts). They usually use weak, reused, shared, and compromised credentials with no MFA enabled. So, it’s no coincidence these accounts fascinated the threat actors.

Account Access
Within the MITRE ATT&CK Matrix for SaaS, the Account Access tactic is pivotal for understanding how attackers infiltrate cloud-based services. This tactic exploits the legitimate user accounts obtained as described in the previous Initial Access tactic to gain unauthorized access to SaaS applications. Credential stuffing and password spraying are standard techniques for exploiting and accessing accounts. Once inside, they can further exploit these accounts to navigate the SaaS environment, potentially accessing sensitive data, altering configurations, or leveraging the account’s privileges to escalate their control. Using valid accounts allows attackers to blend in with regular user activity, making detection challenging.

Credential Stuffing
Attackers use automated tools to test stolen credentials across various services, exploiting weak or reused passwords to gain unauthorized access. This emphasizes the need for unique passwords and MFA.

Token Theft
SAML (Security Assertion Markup Language) tokens and session tokens are critical in identity and access management, particularly in cloud and SaaS environments. Attackers exploit these tokens to gain unauthorized access and persist within compromised systems.

Session Tokens: Session tokens are temporary credentials created when users log in, maintaining their authenticated state across different requests. In the ATT&CK framework, attackers target session tokens to hijack active sessions, enabling them to act with the same permissions as the legitimate user. This can be done through session fixation, session side jacking, or exploiting vulnerabilities that expose these tokens. Once an attacker gains access to a session token, they can perform actions on behalf of the user, accessing sensitive data or executing unauthorized operations.

Lack of MFA
Without MFA, attackers can easily use valid credentials obtained through phishing or other means to access accounts, impersonate users, and move laterally within networks. The absence of MFA significantly increases vulnerability to attacks.

Below: A screenshot from the Savvy SaaS Security Platform, identifying a toxic account related to Snowflake, including direct login, compromised credentials, no MFA, and password reuse.

The Shared Security Responsibility Model for SaaS

Even if not targeted by the attack, businesses can take away lessons on the critical importance of understanding and implementing a shared responsibility model for SaaS security. This model is pivotal for effectively managing and mitigating risks, especially in cloud environments where responsibilities are distributed between service providers and customers.

Key Elements of the Shared Responsibility Model

Service Provider Responsibilities

Infrastructure Security and Compliance: Service providers like Snowflake are responsible for securing the underlying cloud infrastructure. They must ensure their infrastructure complies with relevant regulatory standards and certifications, facilitating a secure customer environment.

Customer Responsibilities

Data Security and Access Controls: Customers are responsible for securing their data, including implementing robust encryption, access controls, and backup procedures. They must also secure their apps and have processes and identity security tools in place to manage user access. This includes configuring and enforcing multi-factor authentication (MFA), as highlighted in the recent attack in which single-factor authentication was exploited.

Strengthening Cybersecurity Through Shared Responsibility

Given the findings from the investigation, it’s evident that both service providers and customers must take proactive steps to secure their environments:

For Service Providers: Ensure the cloud infrastructure is continually monitored, updated, and compliant with security standards. Providers should also offer tools and guidance to help customers secure their data and applications.

For Customers: Implement robust security practices, including enforcing MFA, regular user access audits, and ensuring that all apps and accounts are accounted for, configured securely, and promptly offboarded when no longer needed.

Strengthening Cybersecurity Defenses with Savvy

Understanding the Snowflake attack is crucial as it underscores how poor identity hygiene is a significant vulnerability. The attack leverages compromised credentials and exploits weak security practices in SaaS environments, highlighting the importance of good SaaS-identity hygiene.

A shared responsibility model is essential to combat such threats, where the SaaS provider and users play active roles in maintaining robust security. Tools like Savvy are indispensable in this model, as they help monitor user activities and enforce safer practices, ensuring a more secure digital landscape. Considering these findings, organizations must enhance cybersecurity to protect against sophisticated attacks. Here’s how Savvy’s extreme visibility and detection capabilities can help:

Detect SSO Bypass and Direct Logins: Savvy continuously monitors and detects when a user logs in directly to a SaaS app instead of logging in through your organization’s SSO. By monitoring direct logins, Savvy ensures that all user activity is authenticated and authorized through your organization’s secure single sign-on (SSO) system. This reduces the risk of unauthorized access and potential data breaches, as SSO typically enforces more robust authentication mechanisms such as multi-factor authentication (MFA). Additionally, it helps maintain compliance with security policies and provides a centralized log for all access events, which is crucial for auditing and incident response.

Below: A screenshot from the Savvy SaaS Security Platform, identifying IAM gaps, including the number of accounts using SSO vs direct login.

Identify Apps Without MFA Configuration: Savvy monitors and discovers SaaS apps without MFA and provides automated workflows to require users to adhere to the org policies and requirements. Savvy also goes beyond a single point-in-time review to provide continuous validation that MFA is enabled and that users are not circumventing the secondary authentication method, significantly reducing the risk of unauthorized access through stolen credentials.

Below: A screenshot from the Savvy SaaS Security Platform, listing all accounts detected for the Snowflake app, with one account being identified as a toxic account with critical identity hygiene issues.

Detect Dormant Accounts and Automate Offboarding: Savvy identifies and locates accounts requiring offboarding using email API, IDP integration, or browser extension. After reviewing the accounts to offboard, users must launch the offboarding workflow with the click of a button. It will automatically send a message to application administrators via your internal messaging platform, informing them it’s time to remove the former employee’s accounts.

Identify Weak, Reused, or Compromised Credentials: Savvy detects and provides complete visibility into weak, reused, or compromised credentials within SaaS apps, seamlessly prompting users to update their passwords and improve security.

Find and Fix Toxic Combinations of Risks: In SaaS, “toxic combinations” occur when minor identity-related risks combine to create an unacceptable level of risk. This involves scenarios such as an employee reusing the same weak password across multiple critical apps combined with the absence of multi-factor authentication (MFA). Savvy combines app, identity, and risk visibility with business context to surface the issues that lead to a successful breach. Savvy gives you a complete picture of how apps are used and takes automated actions, from detecting weak passwords combined with no MFA to implementing robust security measures.

Below: A screenshot from the Savvy SaaS Security Platform, depicting a graph of the identity hygiene issues detected, which combine to form a toxic combination of risk.

User Guidance and Just-in-time Guardrails: Savvy continuously guides users on best practices for cybersecurity and enforces policies to ensure compliance with security protocols. Guardrails are driven by automation playbooks, which are easily customizable with our no-code visual editor to match your security policy. Just-in-time security guardrails can empower employees to recognize phishing attempts and other social engineering tactics cybercriminals use to steal credentials.

Combatting SaaS Challenges with Savvy

Savvy helps organizations overcome the challenges of managing their SaaS environments like Snowflake. It uses a sophisticated, identity-first approach, assisting organizations in discovering and understanding their SaaS landscape and operations. With Savvy, organizations can discover where their authentication controls are weak, such as lacking MFA, and take steps to secure them. Savvy also evaluates toxic access combinations, uncovers hidden Business-led IT resources, and streamlines compliance processes.

Take control over SaaS security, making it part of your overall IT organization rather than an exception. Schedule a demo today to see Savvy in action.