Snowflake established a new security policy to allow administrators to require multifactor authentication for all users or specific roles after a wave of attacks targeted more than 100 customer environments without the security control.
MFA will be enabled by default for all newly created Snowflake customer accounts, CISO Brad Jones said in a Tuesday letter to customers.
The change, which comes nearly three months after an attacker intruded Snowflake demo accounts and customer environments, allows administrators the flexibility to set MFA policies at the user level or systemwide. Previously, Snowflake users had to enroll themselves in MFA.
The MFA policy roll out comes as the cloud-based data warehouse vendor completed its investigations with CrowdStrike and Mandiant, and reaffirmed findings it shared last month.
“We have not identified evidence suggesting this activity was caused by a vulnerability, misconfiguration or breach of Snowflake’s platform,” Jones said. “The Snowflake environment continues to be safe.”
Snowflake’s corporate and production assets were not compromised, CrowdStrike said in a summary of its investigation, which Snowflake received June 25 and shared publicly Tuesday. This includes infrastructure supporting business operations and external-facing products and services.
Demo accounts, which the attacker accessed from April 17 to May 24, are not associated with any production, corporate or customer Snowflake environments, CrowdStrike said.
“The threat actor used the demo account credentials of a former Snowflake employee whose credentials were acquired through infostealing malware,” the report found. The demo accounts were not protected with MFA or single-sign on.
CrowdStrike analyzed the corporate laptop of the former employee and found no evidence of infostealing malware on the device. This indicates the former employee’s demo account credentials were obtained from a non-Snowflake asset, CrowdStrike said.
“We believe this is the result of ongoing industrywide, identity-based attacks with the intent to obtain customer data,” Jones told Cybersecurity Dive via email. “Research indicates that these types of attacks are performed with our customers’ user credentials that were exposed through unrelated cyber threat activity.”
CrowdStrike confirmed the attacker was not able to access any Snowflake customer account or any Snowflake production or corporate environments via the compromised demo accounts.
Snowflake, which Mandiant first notified of a broad campaign impacting customers on May 22, disabled the former employee’s account on May 24.
Mandiant completed and published findings from its investigation into attacks targeting Snowflake customer environments on June 10.
Snowflake customer admins gain controls
Snowflake’s MFA policy reflects the challenges technology vendors confront in instituting sweeping changes to a widely used platform.
Administrators of existing Snowflake customer accounts can still opt out of MFA. The company ended its most recent quarter on April 30 with 9,822 customers.
The company is taking additional steps to coax existing customers into adopting MFA.
Users that log into Snowflake without MFA will be prompted to enable the security control and guided through configuration steps. “This dialog can be dismissed, but it will reappear in three days if MFA has not been configured for the user,” the company said.
The company also stood up the Snowflake Trust Center, which will help administrators enforce MFA, check their account against security benchmarks, and provide visibility into users’ adherence to security policies.
Scanners Snowflake introduced Tuesday are designed to mitigate credential theft risks by detecting overprivileged entities, determining MFA compliance and network policies, and other potential security risks in its customers' environments.
