Recent breaches involving Snowflake have underscored how exposed SaaS environments can be. Snowflake has attributed the breaches to insufficient security measures on the customer side, in particular the absence of multi-factor authentication (MFA) on production accounts. The incidents highlight the pressing need for organisations to secure their SaaS applications proactively rather than after the fact.
Snowflake is a SaaS data storage and analytics platform offering a data warehousing service. The breaches involved two primary attack vectors: use of previously compromised credentials and a credential-stuffing campaign. Initial reports suggest that the threat actors bought stolen credentials, which worked because the affected accounts did not enforce MFA. Once authenticated they generated session tokens, and those tokens were used to exfiltrate large volumes of sensitive data.
The first attack vector was stolen credentials: passwords, tokens or session cookies. Rather than authenticating through the Identity Provider (IdP), the attackers bypassed it by logging in to the application (ServiceNow, in the case described here) directly with local credentials. Once inside, they generated session tokens and exfiltrated data, including support and case-related information pertaining to various customers. Because single sign-on (SSO) in ServiceNow is optional by default, SSO was not enforced, which left a local-login path that attackers could exploit.
The second identified threat actor, UNC5537, used custom tooling to locate Snowflake instances and then ran a credential-stuffing attack: replaying large numbers of previously stolen username and password pairs against many user accounts in the hope that some were reused. The credentials were reportedly harvested by info-stealing malware, and the campaign targeted demo accounts belonging to former employees, which enforced neither MFA nor SSO. Although highly sensitive data was not accessed in that case, the campaign reflects ongoing data theft and extortion attempts against organisations whose Snowflake databases are protected by a single authentication factor alone.
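The credential-stuffing pattern described above is easy to spot in a login audit trail if you look for it: one source address trying many distinct accounts in a short burst, almost all of them failing, followed by a success that used only a password. The following is an added example, not code from the original article or from Snowflake or AppOmni. The log lines are constructed; their fields are modelled on the columns of Snowflake's ACCOUNT_USAGE.LOGIN_HISTORY view (EVENT_TIMESTAMP, USER_NAME, CLIENT_IP, FIRST_AUTHENTICATION_FACTOR, SECOND_AUTHENTICATION_FACTOR, IS_SUCCESS), but the pipe-delimited export format, the thresholds and the output structure are this example's own assumptions.

```python
"""Detect credential-stuffing bursts in SaaS login audit logs (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    user: str
    client_ip: str
    first_factor: str            # e.g. "PASSWORD", "SAML2", "RSA_KEYPAIR"
    second_factor: Optional[str]  # e.g. "DUO_PUSH"; None means single-factor
    success: bool


# Constructed sample: one attacker IP (203.0.113.7) sprays six accounts with
# password-only logins, five fail, the sixth (a demo account) succeeds without MFA.
# The other lines are ordinary SSO+MFA logins and one legitimate typo'd password.
SAMPLE_LOG = """\
2024-05-20T09:00:05|alice|198.51.100.10|SAML2|DUO_PUSH|YES
2024-05-20T09:01:10|bob|203.0.113.7|PASSWORD||NO
2024-05-20T09:01:12|carol|203.0.113.7|PASSWORD||NO
2024-05-20T09:01:15|dave|203.0.113.7|PASSWORD||NO
2024-05-20T09:01:17|erin|203.0.113.7|PASSWORD||NO
2024-05-20T09:01:20|frank|203.0.113.7|PASSWORD||NO
2024-05-20T09:01:23|demo_user|203.0.113.7|PASSWORD||YES
2024-05-20T09:30:00|bob|10.0.0.5|PASSWORD|DUO_PUSH|NO
2024-05-20T09:30:20|bob|10.0.0.5|PASSWORD|DUO_PUSH|YES
"""


def parse_event(line: str) -> LoginEvent:
    """Parse one pipe-delimited export line (assumed format) into a LoginEvent."""
    ts, user, ip, f1, f2, ok = [p.strip() for p in line.split("|")]
    return LoginEvent(datetime.fromisoformat(ts), user, ip, f1, f2 or None, ok == "YES")


def load_events(text: str) -> List[LoginEvent]:
    return [parse_event(l) for l in text.splitlines() if l.strip()]


def find_credential_stuffing(
    events: List[LoginEvent],
    window: timedelta = timedelta(minutes=15),
    min_users: int = 5,
    min_fail_ratio: float = 0.8,
) -> Dict[str, dict]:
    """Return {client_ip: finding} for source IPs that, inside any sliding
    `window`, attempted at least `min_users` distinct accounts with a failure
    ratio of at least `min_fail_ratio`. Successful logins inside the burst that
    used no second factor are reported as probable account takeovers."""
    by_ip: Dict[str, List[LoginEvent]] = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_ip[e.client_ip].append(e)

    findings: Dict[str, dict] = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the burst fits inside `window`.
            while evs[end].ts - evs[start].ts > window:
                start += 1
            burst = evs[start : end + 1]
            users = {e.user for e in burst}
            failures = sum(not e.success for e in burst)
            if len(users) >= min_users and failures / len(burst) >= min_fail_ratio:
                f = findings.setdefault(
                    ip, {"accounts_tried": set(), "failures": 0, "single_factor_successes": set()}
                )
                f["accounts_tried"] |= users
                f["failures"] = max(f["failures"], failures)
                f["single_factor_successes"] |= {
                    e.user for e in burst if e.success and e.second_factor is None
                }
    return findings


if __name__ == "__main__":
    for ip, f in find_credential_stuffing(load_events(SAMPLE_LOG)).items():
        print(ip, sorted(f["accounts_tried"]), f["failures"], sorted(f["single_factor_successes"]))
```

In a real deployment the same logic would run over the LOGIN_HISTORY export rather than an inline string, and the thresholds would be tuned to the account's normal login volume; the important signal is the combination of many accounts, a high failure ratio and a password-only success from the same address, not any one of those alone.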
In response to these incidents, several security measures have been recommended to enhance the security of SaaS environments. Firstly, organisations are urged to enforce SSO and require MFA for all employees accessing sensitive data. This configuration should apply to both internal and external users. To mitigate risks, tools like AppOmni can provide automated detection and alerts if SSO is enabled but not fully enforced. Such tools ensure that configurations are correctly set to prevent unauthorised access.
Another critical step is ensuring that SSO and MFA cannot be bypassed. SSO centralises credential management in the IdP, but a misconfiguration, typically a local password left set alongside the SSO binding, leaves a login path that never touches the IdP and so skips its MFA policy. Continuous monitoring to find and remove such paths is essential for maintaining robust security. AppOmni offers proactive monitoring to flag potential misconfigurations and vulnerabilities, helping organisations secure their SaaS environments effectively.
Enabling and correctly configuring IP restrictions is also advised. Snowflake has recently published investigative and hardening guidelines, which include identifying suspicious IP addresses and malicious traffic. Overly permissive IP ranges can increase the risk of unauthorised access. Thus, it is advisable to restrict IP ranges to the minimum necessary for legitimate access while monitoring and adjusting settings as needed.
Organisations should also avoid uploading sensitive data to unsecured demo or sandbox accounts. AppOmni's solutions can detect and alert on such misconfigurations before they reach production environments, thereby averting potential risks. Furthermore, monitoring threat detection alerts is crucial, as each SaaS application generates unique audit logs that can highlight abnormal activities, pointing to possible security breaches.
Finally, deactivating inactive accounts removes dormant entry points for attackers. Comprehensive visibility into user activity and identity management across all services helps identify and deactivate inactive accounts, particularly those holding elevated permissions.
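The recommendations above (enforce SSO and MFA, make sure SSO cannot be bypassed by a local login, keep IP allowlists tight, and disable inactive accounts, especially privileged ones) are all checks that can be run mechanically against an account inventory and a network policy. The following is an added example of such posture checks, not code from the original article or from Snowflake or AppOmni. The user records and allowlist are constructed; the record fields are modelled on Snowflake's ACCOUNT_USAGE.USERS columns (NAME, DISABLED, HAS_PASSWORD, EXT_AUTHN_DUO, LAST_SUCCESS_LOGIN, DEFAULT_ROLE) and on a network policy's ALLOWED_IP_LIST, but the role names, the 90-day inactivity cut-off and the "more than a /22" permissiveness threshold are assumptions of this example.

```python
"""Posture checks over a SaaS user inventory and IP allowlist (added example)."""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class UserRecord:
    name: str
    disabled: bool
    has_password: bool                    # a local password exists: a login path that skips the IdP
    mfa_enrolled: bool                    # modelled on EXT_AUTHN_DUO
    last_success_login: Optional[datetime]  # None: never logged in
    default_role: str


ELEVATED_ROLES = {"ACCOUNTADMIN", "SECURITYADMIN", "SYSADMIN"}  # assumption for this example
MAX_HOSTS_PER_ENTRY = 1024  # assumption: an allowlist entry wider than a /22 is "overly permissive"

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

# Constructed inventory covering the cases the text describes.
SAMPLE_USERS = [
    UserRecord("alice", False, False, True, NOW - timedelta(days=1), "ANALYST"),           # SSO only, MFA, active: clean
    UserRecord("bob", False, True, True, NOW - timedelta(days=3), "SYSADMIN"),             # local password beside SSO
    UserRecord("demo_user", False, True, False, NOW - timedelta(days=200), "ACCOUNTADMIN"),  # single-factor, stale, elevated
    UserRecord("svc_etl", False, True, False, None, "ETL_ROLE"),                           # never logged in
    UserRecord("former_emp", True, True, False, NOW - timedelta(days=400), "ANALYST"),      # already disabled
]
SAMPLE_ALLOWLIST = ["198.51.100.0/24", "10.0.0.0/8", "0.0.0.0/0"]


def check_users(
    users: List[UserRecord],
    now: datetime = NOW,
    sso_required: bool = True,
    inactive_after: timedelta = timedelta(days=90),
) -> List[Tuple[str, str]]:
    """Return (user, finding) pairs for enabled users that weaken the SSO/MFA
    posture or have gone dormant. Disabled users are skipped."""
    findings: List[Tuple[str, str]] = []
    for u in users:
        if u.disabled:
            continue
        if sso_required and u.has_password:
            findings.append((u.name, "local password set: SSO can be bypassed"))
        if u.has_password and not u.mfa_enrolled:
            findings.append((u.name, "password login without MFA"))
        idle = (now - u.last_success_login) if u.last_success_login else None
        if idle is None or idle > inactive_after:
            kind = "elevated " if u.default_role in ELEVATED_ROLES else ""
            findings.append((u.name, f"inactive {kind}account: disable it"))
    return findings


def check_allowlist(allowed: List[str], max_hosts: int = MAX_HOSTS_PER_ENTRY) -> List[Tuple[str, str]]:
    """Flag allowlist entries that admit more than `max_hosts` addresses."""
    findings: List[Tuple[str, str]] = []
    for entry in allowed:
        net = ipaddress.ip_network(entry, strict=False)
        if net.num_addresses > max_hosts:
            findings.append((entry, f"admits {net.num_addresses} addresses"))
    return findings


if __name__ == "__main__":
    for name, msg in check_users(SAMPLE_USERS):
        print(f"user {name}: {msg}")
    for entry, msg in check_allowlist(SAMPLE_ALLOWLIST):
        print(f"allowlist {entry}: {msg}")
```

Each finding maps to one remediation the text calls for: unset the local password (or bind the account to SSO only) for "SSO can be bypassed", enrol MFA for "password login without MFA", disable the account for "inactive", and replace the wide CIDR with the specific ranges that legitimately need access for the allowlist findings.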
The instances of compromised security in Snowflake stress the importance of granular controls and zero-trust capabilities in managing SaaS security postures. AppOmni's unified SaaS Security Posture Management (SSPM) and Zero Trust Posture Management (ZTPM) platforms offer a thorough analysis of SaaS app configurations, assisting organisations in reinforcing their defences against potential threats through a zero-trust architecture.