Snowflake and Data Breaches, Part 2

6–10–2024 (Monday)

Hello and welcome to The Intentional Brief - your weekly video update on the one big thing in cybersecurity for growth stage companies, investors, and management teams.

I’m your host, Shay Colson, Managing Partner at Intentional Cybersecurity, and you can find us online at intentionalcyber.com.

Today is Monday, June 10, 2024, and we’re going to pick up right where we left off last week with Snowflake and the ongoing issues - or not - that they’re facing.

Snowflake and Data Breaches, Round 2

Here’s the headline up front. Snowflake continues to insist that there wasn’t a data breach on their systems. They’ve doubled down on this position today, with their friends over at Mandiant releasing a report that claims a threat actor (UNC5537) is targeting Snowflake customers, and they’re very clear that it’s not a Snowflake issue, noting:

“Mandiant's investigation has not found any evidence to suggest that unauthorized access to Snowflake customer accounts stemmed from a breach of Snowflake's enterprise environment. Instead, every incident Mandiant responded to associated with this campaign was traced back to compromised customer credentials.”

They even include a somewhat hilariously simple infographic showing how a threat actor takes stolen credentials and logs into Snowflake. Not sure that’s helpful, but sure. The big contribution from Mandiant seems to be adding a new name for the tool that attackers are using - now calling it FROSTBITE instead of rapeflake, which I have to agree is an improvement.

Meanwhile, in the real world, additional customers are reporting lost data from their Snowflake instances, including more than 3 TB of data from Advance Auto Parts now being listed for sale, which includes data on 380 million customers, and employee info.

For their part, Snowflake’s sticking to the line of “wasn’t us” - but at the same time, they’re not doing a single thing to proactively help their customers - not forcing MFA, not rotating credentials, etc. And, I actually understand why they might choose this path.

For example, if they decided to force mandatory MFA enrollment on next login, it’s possible that the threat actors would simply enroll their own second factor with the stolen credentials and then lock out legitimate customers.

If they were to force a rotation of credentials, there’s certainly a lot of things that would “break” - since it’s now clear that there are lots of production workloads running in Snowflake without any MFA behind them.

Snowflake’s CEO has indicated that “Default MFA” is “coming soon,” but no date has yet been given.

The attackers, for their part, aren’t getting particularly fancy with their attack - Mandiant notes that it amounts to using the most basic commands to SELECT * from tables, COPY to a local drive as a zipped CSV file, and then GET that data from their machines - thus successfully exfiltrating.

When the defenses don’t exist, attackers don’t have to get fancy to get a win. And, because these are cloud tools, customers don’t even have an opportunity to see this massive spike in network traffic because it’s happening on Snowflake’s network, not their own.

In fact, many customers may not even be fully aware of what their footprint in Snowflake looks like - a phenomenon known as Shadow IT that’s only been exacerbated by SaaS services in the past few years.
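Because the traffic never crosses the customer's own network, the place to look for the SELECT / COPY / GET pattern above is inside the Snowflake account itself. The queries below are an added example (not from the brief, Snowflake or Mandiant) that hunt Snowflake's ACCOUNT_USAGE views for bulk unloads and password-only logins, and then pin a service user to known addresses; the role, thresholds and IP ranges are placeholders.

```sql
-- Added example; assumes a role with IMPORTED PRIVILEGES on the SNOWFLAKE database
-- (e.g. ACCOUNTADMIN). ACCOUNT_USAGE views are not real time; expect some lag.

-- 1. Bulk unload activity in the last 7 days. COPY INTO @stage shows up as
--    query_type 'UNLOAD' and GET as 'GET_FILES' (type names are assumptions from
--    Snowflake's documented query types); a sudden spike per user is the tell.
SELECT user_name,
       role_name,
       query_type,
       COUNT(*)                          AS queries,
       SUM(rows_unloaded)                AS rows_unloaded,
       SUM(outbound_data_transfer_bytes) AS bytes_out
FROM   snowflake.account_usage.query_history
WHERE  start_time >= DATEADD('day', -7, CURRENT_TIMESTAMP())
  AND  query_type IN ('UNLOAD', 'GET_FILES')
GROUP  BY user_name, role_name, query_type
HAVING SUM(rows_unloaded) > 1000000      -- placeholder threshold; tune per account
ORDER  BY rows_unloaded DESC;

-- 2. Successful logins in the same window that carried no second factor,
--    with the source IP and client so unfamiliar origins stand out.
SELECT event_timestamp,
       user_name,
       client_ip,
       reported_client_type,
       first_authentication_factor,
       second_authentication_factor
FROM   snowflake.account_usage.login_history
WHERE  event_timestamp >= DATEADD('day', -7, CURRENT_TIMESTAMP())
  AND  is_success = 'YES'
  AND  first_authentication_factor = 'PASSWORD'
  AND  second_authentication_factor IS NULL
ORDER  BY event_timestamp DESC;

-- 3. Customer-side mitigation for a workload that cannot take MFA yet: restrict
--    the service user to its known egress range (placeholder CIDR) with a network
--    policy, so a stolen password alone is not enough to log in from elsewhere.
CREATE NETWORK POLICY etl_only_policy
  ALLOWED_IP_LIST = ('203.0.113.0/24');   -- placeholder; replace with real ranges
ALTER USER etl_service_user SET NETWORK_POLICY = etl_only_policy;
```

Run the first two as a scheduled task and alert on any row; a legitimate pipeline's unload volume and login sources are stable enough that outliers are worth a look.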

Fundraising

Back to more normal fundraising numbers this week, with the total of newly committed capital coming in at just over $10B, including a $1B AI-specific fund launched by Cisco Systems (who, as you may recall, recently paid $28B for Splunk - a tool that’s likely in some real need of an AI boost).

We also saw a couple of other interesting bits across this space, including a piece in the New York Times about the new buyout fund from Lightspeed Venture Partners, who will target “enterprise software companies with annual recurring revenues of $50M to $200M” - using their recent $4.6B growth and opportunity funds to make these acquisitions. They note that IPOs are getting harder to reach, and that “many aren’t going to have a path to public liquidity.”

Bloomberg notes that many pension funds and endowments have hit the limits for how much they can allocate to private equity, so buyout firms are turning increasingly to wealthy families or sovereign funds to co-invest, fueling more than $150B of investments through PE firms like KKR, Silver Lake, Goldman Sachs, and Morgan Stanley.

Buyout firms have announced $91B in “take privates” this year through May - up 16% from last year, while CNBC reports today that Family Offices are looking to ramp their investment in private companies, noting 62% of those offices made at least six direct investments last year, with 71% planning to make just as many this year, or more.

Shifting market dynamics, indeed.

You can find links to all the articles we covered below, find back issues of these videos and the written transcripts at intentionalcyber.com, and we’ll see you next week for another edition of the Intentional Brief.

Links

https://community.snowflake.com/s/question/0D5VI00000Emyl00AB/detecting-and-preventing-unauthorized-user-access

https://cloud.google.com/blog/topics/threat-intelligence/unc5537-snowflake-data-theft-extortion

https://www.bleepingcomputer.com/news/security/advance-auto-parts-stolen-data-for-sale-after-snowflake-attack/

https://www.runtime.news/default-mfa-is-coming-soon-to-snowflake/

https://www.seattletimes.com/business/ultra-rich-families-fuel-20-billion-private-equity-buyout-wave/

https://messaging-custom-newsletters.nytimes.com/dynamic/render?campaign_id=4&emc=edit_dk_20240607&first_send=0&instance_id=125651&isViewInBrowser=true&nl=dealbook&paid_regi=0&regi_id=61833885&segment_id=168976&te=1&uri=nyt%3A%2F%2Fnewsletter%2Fab04fa16-2407-59fe-b35d-248cedbe7113&user_id=902dff1cdce8125e445e58cb3e10ca16

https://www.cnbc.com/2024/06/10/family-offices-investments-in-private-companies.html
