Why a threat campaign targeting Snowflake customers isn’t exactly a special snowflake

An active threat campaign targeting Snowflake customers underscores an all-too-common attack pattern of exploiting users’ cloud and SaaS identities and gaps in MFA coverage.

Recent reports of data breaches at Ticketmaster, LendingTree, Advanced Auto Parts, and other businesses indicate an emerging threat campaign actively targeting Snowflake customer environments. It's worth noting that these breaches are not related to a data breach of Snowflake’s own systems—a fact confirmed in a Mandiant blog post, which also identifies the threat campaign as UNC5537.

Despite the headlines, the high-profile nature of the victims may be the only remarkable aspect of this threat campaign. Frankly, the attack approach is fairly uncomplicated and easy to understand: a financially motivated threat actor acquired credentials tied to Snowflake customer database instances, and was able to gain access to accounts not protected by MFA in order to exfiltrate data. (I think I’ve heard this one before.)

In fact, attacks that exploit compromised cloud and SaaS identities are now commonplace. In the freshly minted Verizon 2024 Verizon Data Breach Investigations Report, compromised credentials once again topped the list of initial attack vectors. As it’s said, “modern attackers don’t break in; they log in.”

The advice for protecting against modern cloud and SaaS identity threats has been repeated hundreds of times in hundreds of blog posts and articles like those mentioned above: use MFA, use MFA, use MFA.

A-ha! Now, we’re getting to the complex part; the next chapter of the defender’s dilemma: securing SaaS identities and access—all SaaS identities and access.

While folks may squabble over methods and favorite hardware tokens, it’s widely accepted that enabling multi-factor authentication on all cloud and SaaS accounts is a good security practice. But is anyone actually accomplishing this? A recent study found that 87% of organizations have MFA disabled on some or all of their Microsoft 365 admin accounts. That’s right—highly privileged admin accounts.

Depending on the method, it only takes a few moments to enable MFA on an account, so why do we continue to see cloud and SaaS data breaches of this nature in headlines week over week? Why is securing SaaS identities and access still such a hard problem to solve?

MFA is the ultimate shared security responsibility.

Snowflake clearly (and correctly) stated that enabling and enforcing multi-factor authentication on user accounts falls on the customers’ side of the cloud shared security model. Generally speaking, end users are responsible for managing and protecting access to any data they store in third-party cloud and SaaS environments, including enabling and enforcing MFA.

Still, this is only half the story. Modern cloud and SaaS apps are designed for user-led adoption, making it fast and simple for any employee to sign up and start sharing data and access with colleagues and third parties. Gone are the days when every technology decision goes through a centralized procurement process and ends up tidily configured and managed by an IT administrator.

So now, that “customer responsibility” Snowflake refers to could be literally anyone in your org who spins up a new Snowflake instance, making them a de facto app admin. While security or IT may be ultimately accountable for secure SaaS access, the modern reality is that shared responsibility now extends to Alice in accounting, Mark in marketing, and who knows who else.

Given this dynamic, it’s increasingly difficult for organizations to monitor and secure all SaaS access across thousands of accounts. Even SSO has its limitations. This leaves many organizations resorting to security awareness training to plead with users to remember to always enable MFA.

The underlying issue is that security and IT teams often lack a clear view of all the SaaS apps and providers, instances, and identities in their organization. These assets make up an organization’s overall SaaS attack surface, which can change daily, thanks to a confluence of business- and employee-led SaaS adoption, remote and hybrid work, an increased reliance on contract and temporary workers, and BYOD and other trends. These visibility challenges make something as basic as ensuring MFA an untenable problem at scale.

How Nudge Security can help

Nudge Security can help you close the visibility gaps that leave you vulnerable to this type of attack.

With Nudge Security, you can:

  • Discover your entire SaaS attack surface: Continuously discover and inventory all the SaaS in use across your organization and who has access to them, including sanctioned and unsanctioned apps, multiple instances of the same app, employee and contractor identities, and SaaS-to-SaaS.
  • Govern SaaS identities and access at scale: Enumerate SaaS identities, including the authentication method (SSO, username and password) used to access each SaaS app. Monitor SSO and MFA status, and automatically nudge users to enable MFA as they start to use an app, not six months later in a training session.
  • Monitor your SaaS supply chain: Get visibility of the apps in your SaaS supply chain and be alerted to any breaches affecting your third- or fourth-party providers.

Let’s take a closer look at these steps in the context of protecting yourself from this particular threat campaign.

1. Discover your entire SaaS attack surface, including unsanctioned app instances and contractor accounts.

Organizations consistently underestimate the size of their SaaS attack surface, leaving unmonitored access for threat actors to exploit. Nudge Security helps you close that gap by providing visibility of all the SaaS apps, instances, accounts, and OAuth grants associated with your organization.

Unique SaaS apps & instances

While an organization may maintain an inventory of critical cloud and SaaS apps, individual instances or tenants may be not be accounted for. For example, an organization may have a sanctioned Snowflake environment, but a developer signs up for a separate free trial environment. Each instance of an application increases your organization’s attack surface, giving threat actors another potential target. Nudge Security discovers distinct SaaS instances for apps like Snowflake using our patented email discovery method. (We recently wrote about the challenges of SaaS instance sprawl and how Nudge Security can help in more detail, if you’d like to dig in further.)

Employee & contractor accounts

Identifying all the accounts (and OAuth grants) associated with your apps and instances can help you understand all the potential access points to your corporate data and take steps to protect them. For example, several UNC5537 victims were compromised with credentials stolen from contractors who signed into corporate resources using personal laptops infected with infostealer malware. Contractors often have a corporate email address, but typically don’t receive a managed corporate device and may not follow otherwise standard security precautions, making it especially important to understand the scope of their access. Nudge Security shows you all accounts from your domain associated with a particular app or instance, as well as all accounts tied to a particular user or group from your domain.

2. Govern SaaS identities at scale.

Visibility is great; action is better. Nudge Security helps you govern and secure your organization’s SaaS identities at scale with automated playbooks and workflows, including several key interventions that can help protect against UNC5537’s campaign targeting Snowflake customers.

Accelerate SSO enrollment with purpose-built playbooks.

While we’re not in a passwordless world yet, enrolling critical apps in SSO can help reduce the risk of threat actors using compromised credentials to access your environment. Nudge Security provides playbooks for Okta and Entra AD to help you streamline the process of enrolling eligible apps in SSO. You can track which of your apps support SSO, choose the apps you want to prioritize, and nudge the technical contact for each of those apps to kickstart the enrollment process.

Audit and enforce MFA adoption.

MFA can help reduce the risk of an attacker using stolen credentials to access your critical apps. For each app in your environment, Nudge Security shows a summary of MFA enrollment and enables you to nudge employees through email or Slack to enable MFA. Users can respond directly from the nudge to let you know when they’ve taken action. You can send a nudge for one app at a time, or you can create an automated rule to nudge users as soon as they create a new account.

Offboard employees and contractors completely.

All too often, organizations handle SaaS offboarding by revoking Okta access and calling it a day, leaving orphaned accounts and data behind for bad actors to exploit. Nudge Security provides a playbook to help you automate the hardest parts of SaaS offboarding and eliminate lingering access.

And—if you ever suspect that one of your employees or contractors may have used an infected device, Nudge Security’s offboarding playbook can support your remediation efforts by helping you understand the scope of SaaS access that an infostealer could have captured.

3. Monitor your supply chain and be alerted to breaches affecting your third- and fourth-party providers.

Supply chain breaches can represent a serious threat to your corporate data and software pipeline, making it it essential to stay informed of new breaches affecting your SaaS providers.

While Snowflake itself wasn’t breached in this instance, many of their customers were.

Nudge Security provides visibility of your supply chain and alerts you any time a provider your employees are using (or one of their providers) experiences a data breach.

Ready to learn more?

Find out how else Nudge Security can help you tackle SaaS sprawl and enforce SaaS security and governance at scale.

Related posts


Debunking the "stupid user" myth
in security

Exploring the influence of employees’ perception
and emotions on security behaviors