
Cloud computing and analytics company Snowflake said a “limited number” of its customers had been singled out as part of a targeted campaign.
“We have not identified any evidence that suggests this activity was caused by a vulnerability, misconfiguration, or breach of Snowflake’s platform,” the company said in a joint statement with CrowdStrike and Google-owned Mandiant.
“We have not identified evidence that suggests this activity was caused by the compromised credentials of current or former Snowflake personnel.”
It added that the activity is directed against users with single-factor authentication, with unknown threat actors leveraging credentials previously purchased or obtained through information-stealing malware.
“Threat actors are targeting organizations’ Snowflake customer tenants by using stolen credentials obtained through malware and logging into databases configured with single-factor authentication,” Mandiant CTO Charles Carmakal said in a post on LinkedIn.
Snowflake is urging organizations to enable multi-factor authentication (MFA) and restrict network traffic to only trusted locations.
In an alert issued on Monday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) recommended that organizations follow the guidance provided by Snowflake to detect signs of unusual activity and take steps to prevent unauthorized user access.
A similar advisory from the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) warned of “successful compromises of multiple companies using the Snowflake environment.”
Some of the indicators involve malicious connections originating from clients identifying themselves as “rapflake” and “DBeaver_DBeaverUltimate”.
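The checks described above (single-factor logins, connections from outside trusted locations, and the two client identifiers) can be combined into one triage pass over exported login and session records. The sketch below is an added example, not code from Snowflake, CISA or Mandiant; the record field names, the sample rows and the trusted network range are constructed assumptions.

```python
import ipaddress
import json

# Client identifiers exactly as printed in the article; check them against
# Snowflake's own advisory before relying on them.
SUSPECT_CLIENTS = {"rapflake", "dbeaver_dbeaverultimate"}
# Constructed allowlist standing in for an organization's "trusted locations".
TRUSTED_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed sample records; the field names are assumptions, not a Snowflake schema.
SAMPLE = [
    {"user": "SVC_REPORTING", "client_ip": "198.51.100.7", "is_success": True,
     "second_factor": None, "client_environment": '{"APPLICATION": "rapflake"}'},
    {"user": "ANALYST_A", "client_ip": "203.0.113.20", "is_success": True,
     "second_factor": "TOTP", "client_environment": '{"APPLICATION": "PythonConnector"}'},
    {"user": "ANALYST_B", "client_ip": "203.0.113.21", "is_success": True,
     "second_factor": None,
     "client_environment": '{"APPLICATION": "DBeaver_DBeaverUltimate"}'},
]

def triage(record):
    """Return the reasons one login/session record deserves review (a lead, not proof)."""
    reasons = []
    try:
        app = str(json.loads(record.get("client_environment") or "{}").get("APPLICATION", ""))
    except (ValueError, TypeError, AttributeError):
        app = ""
        reasons.append("unparseable client environment")
    if app.lower() in SUSPECT_CLIENTS:
        reasons.append(f"client identifies as {app}")
    if record.get("is_success") and not record.get("second_factor"):
        reasons.append("successful single-factor login")
    try:
        ip = ipaddress.ip_address(record.get("client_ip") or "")
        if not any(ip in net for net in TRUSTED_NETS):
            reasons.append("login from outside trusted networks")
    except ValueError:
        reasons.append("missing or invalid client IP")
    return reasons

def review_queue(records):
    """Map each user with a flagged record to the sorted set of reasons seen."""
    queue = {}
    for rec in records:
        reasons = triage(rec)
        if reasons:
            queue.setdefault(rec.get("user", "<unknown>"), set()).update(reasons)
    return {user: sorted(found) for user, found in queue.items()}

if __name__ == "__main__":
    for user, found in review_queue(SAMPLE).items():
        print(user, "->", "; ".join(found))
```

A client-name match on its own is weak evidence, since DBeaver is a widely used database tool; the combination with a single-factor login or an untrusted source address is what raises priority.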
The development comes days after the company acknowledged that it had seen an increase in malicious activity targeting customer accounts on its cloud data platform.
While a report by cybersecurity firm Hudson Rock previously indicated that the Ticketmaster and Santander Bank breaches may have been caused by threat actors using stolen Snowflake employee credentials, it has since been taken offline, citing a letter received from Snowflake’s legal counsel.
It’s currently unknown how the information from the two companies, both Snowflake customers, was stolen. ShinyHunters, who claimed responsibility for the twin breaches on the now-revived BreachForums, told DataBreaches.net that Hudson Rock’s description was incorrect and is “misinformation”.
“Infostealers are a significant problem – it has overtaken botnets and the like in the real world – and the only real solution is strong multi-factor authentication,” independent security researcher Kevin Beaumont said. It is believed that a youth gang is behind the incident.