Snowflake tells customers to enable MFA as investigations continue • The Register
infosec in brief Cloud data analytics platform Snowflake said it is going to begin forcing customers to implement multi-factor authentication to prevent more intrusions.
The move comes in response to an incident discovered late last month by analysts at Hudson Rock, which saw criminals make off with more than a terabyte of data from Ticketmaster, information from Spanish bank Santander, and most recently (it’s been claimed), hundreds of millions of customer files from Advance Auto Parts. All are Snowflake customers.
While Snowflake threatened legal action against Hudson Rock and forced it to retract its report, the cloud vendor has also admitted that it was investigating “a targeted threat campaign against some Snowflake customer accounts.”
Snowflake continues to deny it was directly attacked, saying it didn’t believe incidents at its customers were caused by any vulnerability or misconfiguration in its environment. It also said it hadn’t found evidence suggesting the incident was due to a compromised set of Snowflake employee credentials, as Hudson Rock had claimed, though it did say it believed credentials were obtained through purchase or malware.
Additionally, Snowflake admitted a threat actor did obtain credentials belonging to a former Snowflake employee, but claimed those credentials were only used to access demo accounts that didn’t contain any sensitive information.
In the meantime, Snowflake did say threat actors are targeting customers without MFA enabled, so that’s where it’s taking action for now.
“We are also developing a plan to require our customers to implement advanced security controls,” Snowflake said. “While we do so, we are continuing to strongly engage with our customers to help guide them to enable MFA and other security controls as a critical step in protecting their business.”
Other outlets reported this week discovering credentials belonging to “hundreds” of Snowflake customers for sale on cybercriminal forums, suggesting the problem might be larger than the few high-profile customers reported.
Critical vulnerabilities of the week
Just a few vulnerabilities on the OT side to report this week – far less likely to grab headlines, but no less important to address.
- CVSS 9.8 – Multiple CVEs: Emerson Ovation plant control software has several authentication protocols and fails to verify data authenticity, enabling RCE, data exfiltration, etc.
- CVSS 9.1 – CVE-2024-32752: Johnson Controls iStar Pro Door Controller and ICU products are failing to authenticate properly, allowing an attacker to inject commands and compromise physical security of door controls.
- CVSS 8.5 – Multiple CVEs: Fuji Electric’s Monitouch V-SFT screen configuration software is vulnerable to OOB write, stack-based buffer overflow and type confusing, allowing arbitrary code execution.
Industry begs White House: Please harmonize cybersecurity regs
After asking industry partners to share their concerns about the cybersecurity regulatory environment in the US, the White House Office of the National Cyber Director said the answer was near unanimous: Regulations are a mess.
“Respondents believe that there was a lack of cybersecurity regulatory harmonization and reciprocity and that this posed a challenge to both cybersecurity outcomes and to business competitiveness,” National Cyber Director Harry Coker, Jr. said in a statement from the White House.
By reciprocity, participants meant they had invested to meet government compliance measures, while at the same time seeing “a net reduction in actual programmatic cybersecurity spending.”
Coker’s office is working to develop a reciprocity framework for use in critical infrastructure sectors, but the Director said getting regulations harmonized may well be impossible.
“We need Congress’s help to bring all the relevant agencies in the government together to develop a cross-sector framework for harmonization and reciprocity for baseline cybersecurity requirements,” Coker noted.
When’s the last time you examined your container configurations?
Two different sets of analysts reported two different campaigns attacking two different container service providers last week, so consider this your reminder to go audit yours for misconfigurations.
Researchers at cloud security firm Wiz reported a cryptojacking campaign Friday that saw criminals targeting misconfigured Kubernetes clusters, while a couple of days earlier Trend Micro reported another campaign targeting exposed and misconfigured Docker remote API servers.
While it’s not clear the two are related, both appear to have the same end goal: get cryptocurrency mining malware installed on vulnerable containers for the benefit of the malware’s operator.
Attack methods vary slightly as well, but not remediation recommendations: Both Wiz and TrendMicro suggest properly configuring containers, as well as limiting access from external, anonymous, and unnecessary connections and users.
“This incident should encourage organizations to adopt a security-posture solution, enabling security teams to mitigate toxic risk combinations and reduce attack surfaces vulnerable to threat actors,” Wiz researchers said. ®