Play AppSec WarGames
Want to skill-up in secure coding and AppSec? Try SecDim Wargames to learn how to find, hack and fix security vulnerabilities inspired by real-world incidents.
In May 2024, Snowflake, a prominent cloud data storage provider, suffered a severe data breach traced back to an info-stealer malware infection. The breach originated from compromised credentials belonging to a Snowflake employee, specifically those for their ServiceNow account. These credentials, stolen by a Lumma-type infostealer in October 2023, allowed the attacker to bypass multi-factor authentication mechanisms such as Okta, which was integrated with the employee portal. Once inside, the adversary generated valid session tokens and used them to extract data stored across multiple Snowflake customer environments. The incident resulted in unauthorized access to potentially more than 2,000 instances, with the threat actor claiming that the data of approximately 400 companies was compromised.
The stolen data was listed for sale on cybercrime forums, with high-profile targets such as Ticketmaster and Santander Bank among the victims. The threat actor attempted to extort Snowflake, demanding a $20 million ransom in exchange for withholding the leaked data. Hudson Rock, a cybersecurity firm, engaged directly with the attacker, gaining unique insight into the mechanics of the breach and verifying the legitimacy of the stolen datasets. This breach not only highlights the dangers of info-stealer infections (whose prevalence has surged by over 6000% since 2018) but also underscores the critical importance of robust identity and access management. Moreover, the incident emphasizes the risks associated with JWT (JSON Web Token) mismanagement, as the attacker's ability to forge valid tokens played a key role in maintaining prolonged unauthorized access.
The breach originated from a Lumma-type infostealer infection on a Snowflake employee's machine. This malware exfiltrated browser-stored credentials, including those for the employee's ServiceNow account. Notably, this account provided access to internal Snowflake systems and was not adequately protected by hard-token-based MFA (e.g., hardware keys) or conditional access policies.
Critically, this allowed the attacker to bypass Snowflake's Okta instance, which was assumed to reside on a separate subdomain (lift.snowflake.com). Because the stolen credentials were used against a third-party service (ServiceNow) that may not have been fully integrated with the protections of Snowflake's identity provider, the result was an unintended trust-boundary bypass.
Once authenticated with the compromised ServiceNow credentials, the attacker reportedly generated session tokens that allowed them to interact directly with Snowflake's cloud storage systems. These session tokens were JWTs (JSON Web Tokens), a common mechanism in modern cloud services for representing authenticated user sessions. A JWT is only as trustworthy as the checks applied when it is presented: the signature must be verified against a pinned algorithm, the expiry must be enforced, and tokens issued before a credential reset should no longer be honoured, otherwise a session minted with stolen credentials keeps working long after the credentials themselves are rotated.
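The following is an added example (not code from the original post or from Snowflake) of a minimal HS256 session-token issuer and verifier. It pins the algorithm, enforces expiry, checks the signature in constant time, and rejects any token issued before the subject's last credential reset, so that sessions created with stolen credentials die when those credentials are rotated. The signing key and the `revoked_before` map are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key; a real deployment loads this from a secret store.
SECRET = b"demo-signing-key-not-for-production"
ALLOWED_ALG = "HS256"  # the only algorithm the verifier will accept


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue(sub: str, ttl: int, now=None) -> str:
    """Issue a short-lived HS256 session token for subject `sub`."""
    now = int(time.time()) if now is None else now
    header = b64url(json.dumps({"alg": ALLOWED_ALG, "typ": "JWT"}).encode())
    payload = b64url(json.dumps({"sub": sub, "iat": now, "exp": now + ttl}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verify(token: str, revoked_before: dict, now=None):
    """Return the claims if `token` is valid, otherwise None.

    `revoked_before` maps subject -> timestamp of that subject's last
    credential reset; any token issued before that moment is rejected."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        if header.get("alg") != ALLOWED_ALG:  # never trust "none" or a swapped alg
            return None
        expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s)):
            return None  # payload or signature was tampered with
        claims = json.loads(b64url_decode(p))
        if claims["exp"] <= now:
            return None  # expired
        if claims["iat"] < revoked_before.get(claims["sub"], 0):
            return None  # issued before the subject's credentials were rotated
        return claims
    except (ValueError, KeyError, TypeError):
        return None  # malformed token
```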
The attacker exfiltrated a CSV file (snowflake_eu-orgadmin.csv) listing over 2,000 customer organizations, suggesting that internal administrative privileges were exploited.
We made a challenge recreating this incident:
This challenge is available for a Limited Time on our Weekly Incident Game
Read more about the incident: Snowflake, Cloud Storage Giant, Suffers Massive Breach: Hacker Confirms to Hudson Rock Access Through Infostealer Infection
Join our secure coding and AppSec community. A discussion board to share and discuss all aspects of secure programming, AppSec, DevSecOps, fuzzing, cloudsec, AIsec, code review, and more.