Cloud computing and analytics firm Snowflake said a “limited number” of its customers have been singled out as part of a targeted campaign.
“We have not identified evidence suggesting this activity was caused by a vulnerability, misconfiguration, or breach of Snowflake’s platform,” the company said in a joint statement with CrowdStrike and Google-owned Mandiant.
“We have not identified evidence suggesting this activity was caused by compromised credentials of current or former Snowflake personnel.”
It further said the activity is directed at users with single-factor authentication, with the unidentified threat actors leveraging credentials previously purchased or obtained through information-stealing malware.
“Threat actors are actively compromising organizations’ Snowflake customer tenants by using stolen credentials obtained by infostealing malware and logging into databases that are configured with single factor authentication,” Mandiant CTO Charles Carmakal said in a post on LinkedIn.
Snowflake is also urging organizations to enable multi-factor authentication (MFA) and to limit network traffic to trusted locations only.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA), in an alert issued on Monday, recommended that organizations follow the guidance outlined by Snowflake to hunt for signs of unusual activity and take steps to prevent unauthorized user access.
A similar advisory from the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) warned of “successful compromises of several companies utilizing Snowflake environments.”
Some of the indicators include malicious connections originating from clients identifying themselves as “rapeflake” and “DBeaver_DBeaverUltimate.”
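One way a Snowflake administrator could act on these indicators, as an added example that is not from the advisories or from Snowflake's own guidance: queries over the account-usage views to surface sessions that reported one of the flagged client strings and the users who logged in without a second factor, followed by a network policy of the kind the guidance recommends. The view and column names (SESSIONS, LOGIN_HISTORY, CLIENT_APPLICATION_ID, SECOND_AUTHENTICATION_FACTOR and so on) are assumed from Snowflake's documentation as I recall it, and the IP range is a placeholder.

```sql
-- Added example (not from the advisory). Assumed views/columns:
--   SNOWFLAKE.ACCOUNT_USAGE.SESSIONS      (CREATED_ON, USER_NAME,
--                                          CLIENT_APPLICATION_ID, LOGIN_EVENT_ID)
--   SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY (EVENT_ID, EVENT_TIMESTAMP, USER_NAME,
--                                          CLIENT_IP, IS_SUCCESS,
--                                          SECOND_AUTHENTICATION_FACTOR)
-- Note: ACCOUNT_USAGE views are populated with some delay, so recent events
-- may not appear immediately.

-- 1. Sessions whose client identified itself with one of the flagged strings,
--    joined to the login event that created them.
SELECT
    s.created_on,
    s.user_name,
    s.client_application_id,
    l.client_ip,
    l.second_authentication_factor   -- NULL means the login used a single factor
FROM snowflake.account_usage.sessions AS s
JOIN snowflake.account_usage.login_history AS l
    ON l.event_id = s.login_event_id
WHERE s.created_on >= DATEADD(day, -30, CURRENT_TIMESTAMP())
  AND l.is_success = 'YES'
  AND (   s.client_application_id ILIKE 'rapeflake%'
       OR s.client_application_id ILIKE 'DBeaver_DBeaverUltimate%')
ORDER BY s.created_on DESC;

-- 2. Users who authenticated successfully with a single factor in the same
--    window: the population exposed to stolen-credential reuse and the first
--    candidates for MFA enforcement.
SELECT
    user_name,
    COUNT(*) AS single_factor_logins
FROM snowflake.account_usage.login_history
WHERE event_timestamp >= DATEADD(day, -30, CURRENT_TIMESTAMP())
  AND is_success = 'YES'
  AND second_authentication_factor IS NULL
GROUP BY user_name
ORDER BY single_factor_logins DESC;

-- 3. Restrict account access to trusted egress ranges. 203.0.113.0/24 is a
--    placeholder (documentation range); replace with your own trusted CIDRs.
--    Applying the policy at account level needs a sufficiently privileged role.
CREATE NETWORK POLICY trusted_locations_only
    ALLOWED_IP_LIST = ('203.0.113.0/24');
ALTER ACCOUNT SET NETWORK_POLICY = trusted_locations_only;
```

Test the network policy against a known-good session before applying it account-wide, since a wrong allow-list locks out legitimate users as well.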
The development comes days after the company acknowledged that it had observed a spike in malicious activity targeting customer accounts on its cloud data platform.
While a report from cybersecurity firm Hudson Rock previously implied that the breaches of Ticketmaster and Santander Bank may have stemmed from threat actors using a Snowflake employee’s stolen credentials, it has since been taken down, citing a letter it received from Snowflake’s legal counsel.
It is currently not known how the two companies – which are both Snowflake customers – had their data stolen. ShinyHunters, the persona who claimed responsibility for the twin breaches on the now-resurrected BreachForums, told DataBreaches.net that Hudson Rock’s explanation was incorrect and that it is “disinformation.”
“Infostealers are a significant problem — it has long since outpaced botnets etc. in the real world — and the only real solution is robust multi-factor authentication,” independent security researcher Kevin Beaumont said. It is believed that a teen crime group is behind the incident.