Targeted Credential Theft Campaign Hits Cloud Customers
Cloud computing and analytics company Snowflake said a “limited number” of its customers have been singled out as part of a targeted campaign.
“We have not identified evidence suggesting this activity was caused by a vulnerability, misconfiguration, or breach of Snowflake’s platform,” the company said in a joint statement along with CrowdStrike and Google-owned Mandiant.
“We have not identified evidence suggesting this activity was caused by compromised credentials of current or former Snowflake personnel.”
It further said the activity is directed against users with single-factor authentication, with the unidentified threat actors leveraging credentials previously purchased or obtained through information-stealing malware.
“Threat actors are actively compromising organizations’ Snowflake customer tenants by using stolen credentials obtained by infostealing malware and logging into databases that are configured with single factor authentication,” Mandiant CTO Charles Carmakal said in a post on LinkedIn.
Snowflake is also urging organizations to enable multi-factor authentication (MFA) and limit network traffic only from trusted locations.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA), in an alert issued on Monday, recommended organizations follow the guidance outlined by Snowflake to hunt for signs of unusual activity and take steps to prevent unauthorized user access.
A similar advisory from the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) warned of “successful compromises of several companies utilizing Snowflake environments.”
Some of the indicators include malicious connections originating from clients identifying themselves as “rapeflake” and “DBeaver_DBeaverUltimate.”
The development comes days after the company acknowledged that it has observed a spike in malicious activity targeting customer accounts on its cloud data platform.
While a report from cybersecurity firm Hudson Rock previously implied that the breach of Ticketmaster and Santander Bank may have stemmed from threat actors using a Snowflake employee’s stolen credentials, it has since been taken down, citing a letter it received from Snowflake’s legal counsel.
It’s currently not known how the two companies – which are both Snowflake customers – had their information stolen. ShinyHunters, the persona who claimed responsibility for the twin breaches on the now-resurrected BreachForums, told DataBreaches.net that Hudson Rock’s explanation was incorrect and that it’s “disinformation.”
“Infostealers are a significant problem — it has long since outpaced botnets etc. in the real world — and the only real solution is robust multi-factor authentication,” independent security researcher Kevin Beaumont said. It’s believed that a teen crime group is behind the incident.