Report finds corporate and production assets weren’t compromised
Cloud-based data warehouse vendor Snowflake established a new security policy to allow administrators to require multifactor authentication for all users or specific roles after a wave of attacks targeted more than 100 customer environments without the security control.
MFA will be enabled by default for all newly created Snowflake customer accounts, CISO Brad Jones said in a Tuesday letter to customers.
The change, which comes nearly three months after an attacker intruded into Snowflake demo accounts and customer environments, allows administrators the flexibility to set MFA policies on the user level or systemwide. Previously, Snowflake users had to enroll themselves in MFA.
The MFA policy rollout comes as the company completed its investigations with CrowdStrike and Mandiant, and reaffirmed findings it shared last month.
“We have not identified evidence suggesting this activity was attributable to a vulnerability, misconfiguration or breach of Snowflake’s platform,” Jones said. “The Snowflake environment continues to be protected.”
Snowflake’s corporate and production assets weren’t compromised, CrowdStrike said in a summary of its investigation, which Snowflake received 25 June and shared publicly Tuesday. This includes infrastructure supporting business operations and external-facing services.
Demo accounts, which the attacker accessed from 17 April to 24 May, are not connected to any production, corporate or customer Snowflake environments, CrowdStrike said.
“The threat actor used the demo account credentials of a former Snowflake employee whose credentials had been acquired by way of infostealing malware,” the report found. The demo accounts weren’t protected with MFA or single sign-on.
CrowdStrike analysed the corporate laptop of the former employee and found no evidence of infostealing malware on the device. This suggests the former employee’s demo account credentials were obtained from a non-Snowflake asset, CrowdStrike said.
“We believe this is the result of ongoing industrywide, identity-based attacks with the intent to obtain customer data,” Jones told Cybersecurity Dive via email. “Research indicates that these types of attacks are performed with our customers’ user credentials that were exposed through unrelated cyber threat activity.”
CrowdStrike confirmed the attacker was not able to access any Snowflake customer account or any Snowflake production or corporate environments via the compromised demo accounts.
Snowflake, which Mandiant first notified of a broad campaign impacting customers on 22 May, disabled the former employee’s account on 24 May.
Mandiant completed and published findings from its investigation into attacks targeting Snowflake customer environments on 10 June.
Snowflake’s MFA policy reflects the challenges technology vendors confront in instituting sweeping changes to a widely used platform.
Administrators of existing Snowflake customer accounts can still opt out of MFA. The company ended its most recent quarter on 30 April with 9,822 customers.
The company is taking additional steps to coax existing customers into adopting MFA.
Users that log into Snowflake without MFA will be prompted to enable the security control and guided through configuration steps. “This dialog can be dismissed, but it will reappear in three days if MFA has not been configured for the user,” the company said.
The company also stood up the Snowflake Trust Center, which can help administrators enforce MFA, check their account against security benchmarks, and provide visibility into users’ adherence to security policies.
Scanners Snowflake released Tuesday are designed to mitigate credential theft risks by detecting overprivileged entities, identifying MFA compliance and network policies, and other potential security risks in its customers’ environments.