XQ Message

View Original

Snowflake Breach: Learn how to Keep your Data Safe in Snowflake

Brian Wane

Beyond MFA

External control channels that separate data from the environment are essential to stopping data theft. XQ allows you to retain control of your data in comp[lex environments even after it has been exfiltrated. XQ also allows for granular access control that adds additional security beyond MFA.


Overview

On May 20, 2024, Live Nation disclosed unauthorized activity in its third-party cloud database environment in an SEC filing. This breach was traced back to Snowflake, compromised data from its Ticketmaster subsidiary. In the days following the filing, it was revealed that multiple Snowflake clients had their data posted for sale on the Dark Web.

By May 23, a threat actor named “Whitewarlock” listed data from the Santander Group for sale. On May 27, another actor, “ShinyHunters,” offered Live Nation/Ticketmaster data, including information on 560 million users, for $500,000. The breach involved stolen credentials from a Snowflake employee’s ServiceNow account, compromised through the Lumma Stealer campaign in October 2023. Snowflake’s response on June 2 included releasing Indicators of Compromise (IOC) and recommended actions for investigating customer accounts.

The Scope of the Breach

Hudson Rock, a cybersecurity firm, reported that the threat actor responsible for the breach claimed to have accessed data from major organizations like Anheuser-Busch, Allstate, Advance Auto Parts, Mitsubishi, Neiman Marcus, Progressive, Santander Bank, and State Farm. Santander Bank confirmed unauthorized access to a database hosted by a third-party provider, affecting customers in Chile, Spain, and Uruguay, along with data on all former and current employees.

The breach potentially impacted around 400 organizations, with attackers demanding $20 million from Snowflake in exchange for the data. They bypassed Okta protections and generated session tokens, enabling them to steal massive amounts of data. Snowflake’s cloud platform, is used by 9,437 customers, including giants like Adobe, AT&T, Capital One, and PepsiCo, was significantly affected.

How Did It Happen?

The attackers provided Hudson Rock with a CSV file containing data on over 2,000 customer instances running on Snowflake’s servers, including information on a Snowflake employee compromised by an info stealer in October 2023. A cybersecurity vendor later issued a report, which has since been deleted, confirming data theft from Ticketmaster and Santander Bank via their Snowflake accounts. The report was taken down after a legal request from Snowflake.

One cybersecurity researcher pointed out Snowflake’s failure to use multi-factor authentication (MFA) on their demo environment and not disabling access for a former employee as contributing factors. However, Snowflake, along with CrowdStrike and Google-owned Mandiant, stated there was no evidence of a vulnerability or misconfiguration in Snowflake’s platform itself.

The Bigger Picture

According to Mandiant CTO Charles Carmakal, threat actors compromise Snowflake customer tenants using stolen credentials obtained through infostealing malware, exploiting databases configured with single-factor authentication. The group behind the attack, described as teenagers active on Telegram, relied on these methods to access Snowflake databases.


While MFA is crucial, it is not enough to fully protect your data. Hackers can still impersonate legitimate users with stolen credentials, leading to data exfiltration. External control channels that separate data from the environment are essential to stop data theft. This is where XQ Zero Trust Data Protection comes in.


How XQ Zero Trust Data Protection Works

Unique Encryption for Each Data Item

XQ encrypts individual items within a database table uniquely. This means each piece of data is encrypted separately, with specific access controls around the encryption keys for each item. Encryption and decryption happen at the edge, ensuring that your sensitive information remains under your control.

SaaS and Self-Hosted Keystore for Complete Control

Each data record can have its own key to prevent lateral movement. The Keystore can be self-hosted or use XQ SaaS, allowing you to manage the encryption keys internally. This provides an additional layer of security since the keys are not stored on an external server, reducing the risk of unauthorized access.

Separation of Data Store and Keystore

XQ separates the data store from the keystore. Even if an individual's Snowflake credentials are compromised, the attacker would only access encrypted data. Decrypting each value within the tables would require significant effort and processing, making unauthorized access exceedingly difficult.

Comprehensive Access Logging

Every access attempt to the encrypted data is meticulously logged within the management portal, generating a detailed record of who accessed the data, what was accessed, where, and when. This allows you to monitor and audit real-time data access.

Remote Revocation of Access

You can remotely revoke access to specific keys or users in case of malicious access attempts. This immediate response capability ensures that any potential security breaches are swiftly mitigated.

Why Choose XQ Zero Trust Data Protection


  • Universal Data Protection Across Every Environment: XQ guarantees encryption and control of every data record, eliminating security gaps.

  • External Role-Based Access Control (RBAC): XQ secures and controls your data across all platforms by separating tool access from data access.

  • Ransomware Protection: XQ blocks data access immediately, preventing exploitation for extortion.

  • Automated Governance & Compliance: Automated secrets management and data loss prevention provide a secure chain of custody for compliance.

  • Zero Trust Data Sharing: XQ separates network and application access from data access, allowing you to control and monitor data remotely.

  • Cloud Portability: XQ’s external key control allows safe data movement between cloud environments while retaining security and compliance.


Conclusion

To truly protect your data, implement more than just MFA. XQ Zero Trust Data Protection offers robust security by encrypting data, separating data and keys, providing detailed access logs, and allowing remote access revocation. These features ensure that your data remains secure, even if credentials are compromised, offering you peace of mind and comprehensive protection for your sensitive information.


Credits

Snowflake Data Breach Impacts Ticketmaster, Other Organizations

https://www.securityweek.com/snowflake-hack-impacts-ticketmaster-other-organizations/

Mysterious corporate breaches could link to Snowflake cloud accounts

https://www.axios.com/2024/06/04/snowflake-ticketmaster-data-leaks