Several publications recently released news of an ongoing campaign attempting to steal data from Snowflake customers by gaining unauthorized access to their Snowflake environment. The latest information provided by Snowflake confirms such a campaign and provides additional information on how customers can potentially detect and mitigate such activity.
What is Satori doing?
Satori is a Data Security and Governance Partner of Snowflake, and as such, observes a large number of Snowflake environments. Since learning of the campaign, the Satori team has continuously monitored these Snowflake environments to ensure any suspicious activity is immediately reported and blocked.
The latest monitoring results show the following:
- A single connection attempt from IP address 185.204.1.178 was detected on May 8th. The connection attempt did not contain a hostname, which prevented it from being routed further. The connection was blocked.
- No query activity has been detected from any suspicious IPs or clients provided by Snowflake.
To help customers monitor for suspicious activity in their Snowflake environments, Satori released a new report called Activity by Suspicious IPs, which shows query activity from the list of suspicious IPs provided by Snowflake.
To proactively block activity from the list of suspicious IPs provided by Snowflake, Satori can push a network policy to the relevant data stores on request. Please open a support ticket at support@satoricyber.com for more information.
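For customers who want to run the same two checks directly in Snowflake, the following added example (not Satori's report or policy, and not Snowflake's published guidance) looks for logins and queries from listed addresses in the `ACCOUNT_USAGE` views and then blocks them with a network policy. The names `suspicious_ips` and `block_suspicious_ips` are assumptions; the only address filled in is the one reported above, and the rest of Snowflake's list has to be added by the reader.

```sql
-- Working list of addresses to check (table name is an assumption).
CREATE TEMPORARY TABLE suspicious_ips (ip STRING);
INSERT INTO suspicious_ips VALUES
  ('185.204.1.178');  -- address reported on this page; append the rest of Snowflake's list

-- 1. Login attempts, successful or failed, from listed addresses.
SELECT l.event_timestamp,
       l.user_name,
       l.client_ip,
       l.reported_client_type,
       l.first_authentication_factor,
       l.is_success,
       l.error_message
FROM snowflake.account_usage.login_history AS l
JOIN suspicious_ips AS s ON l.client_ip = s.ip
ORDER BY l.event_timestamp;

-- 2. Queries executed in sessions that were opened by those logins.
--    login_history -> sessions -> query_history ties each query to a source IP.
SELECT q.start_time,
       q.user_name,
       l.client_ip,
       se.client_application_id,
       q.query_type,
       q.query_text
FROM snowflake.account_usage.login_history AS l
JOIN suspicious_ips AS s ON l.client_ip = s.ip
JOIN snowflake.account_usage.sessions AS se ON se.login_event_id = l.event_id
JOIN snowflake.account_usage.query_history AS q ON q.session_id = se.session_id
ORDER BY q.start_time;

-- 3. Block the listed addresses (policy name is an assumption).
--    The blocked list takes precedence over the allowed list.
CREATE NETWORK POLICY block_suspicious_ips
  ALLOWED_IP_LIST = ('0.0.0.0/0')
  BLOCKED_IP_LIST = ('185.204.1.178');

-- Only one account-level policy is active at a time. If the account already
-- has one, add the addresses to its BLOCKED_IP_LIST with ALTER NETWORK POLICY
-- instead of replacing it, so an existing allow list is not widened.
ALTER ACCOUNT SET NETWORK_POLICY = block_suspicious_ips;
```

The `ACCOUNT_USAGE` views lag behind real time, so an empty result for the last few hours is not conclusive. Rows from the first query with `is_success = 'YES'` are the ones to follow into the second.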
The Satori support team is on standby to answer customer queries and provide additional information as needed.