Snowflake Warns: Targeted Credential Theft Campaign Hits Cloud Customers

Summary:
Snowflake, a cloud data warehousing and analytics company, has released a joint statement in coordination with third-party cybersecurity experts at CrowdStrike and Mandiant stating that it is investigating a threat campaign that targeted a “limited” number of Snowflake customers. Snowflake notes that the recent activity was not caused by a vulnerability, misconfiguration, or breach on its platform, and that it has found no evidence that the attack stemmed from compromised credentials of current or former Snowflake personnel. According to Snowflake, threat actors used credentials that had previously been purchased or harvested by infostealer malware to gain access to demo accounts belonging to a former Snowflake employee. These demo accounts did not contain sensitive data and were not connected to Snowflake’s production or corporate systems. Snowflake says access to the demo accounts was possible only because they were not behind Okta or Multi-Factor Authentication (MFA), unlike Snowflake’s corporate and production systems. In other words, the common factor across the affected customers was single-factor authentication on the accounts themselves, not a weakness in the platform.

Security Officer Comments:
The development comes after an actor known as ShinyHunters claimed on BreachForums, an underground marketplace where cybercriminals buy and sell services, tools, and access to victim organizations, to have breached Ticketmaster and Santander Bank, both of which are Snowflake customers. In a recent report, the cybersecurity firm Hudson Rock suggested that these two breaches stemmed from threat actors using a Snowflake employee’s stolen credentials. According to Hudson Rock, a threat actor allegedly responsible for the Snowflake campaign reached out to the firm claiming to have compromised a Snowflake employee’s ServiceNow account, bypassed Okta protections, and generated session tokens that allowed them to exfiltrate large amounts of data. While it is unclear whether these claims are true, the actor allegedly provided Hudson Rock with a CSV file containing data on more than 2,000 customer instances running on Snowflake’s servers, including information on a Snowflake employee who had been infected with an infostealer in October 2023. Note that this account conflicts with Snowflake’s own statement, which attributes the activity to customer and demo accounts lacking MFA rather than to any compromise of its corporate identity systems.

Suggested Corrections:
Snowflake says that it has informed the limited number of Snowflake customers who it believes may have been affected. The company is also advising organizations to take the following steps to stay protected:

  1. Enforce Multi-Factor Authentication on all accounts;
  2. Set up Network Policy Rules to only allow authorized users or only allow traffic from trusted locations (VPN, Cloud workload NAT, etc.); and
  3. Impacted organizations should reset and rotate Snowflake credentials.
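All three recommendations map directly onto account-level Snowflake SQL. The block below is an added example written for this page, not code from Snowflake’s advisory: the policy name corp_only_policy, the IP range 203.0.113.0/24 (a documentation range standing in for a corporate VPN or cloud-NAT egress) and the user name ANALYST_SVC are assumptions, and the password value is a placeholder to be replaced with a randomly generated secret. It is meant to be run by a role with SECURITYADMIN or ACCOUNTADMIN privileges.

```sql
-- Added example, not from Snowflake's advisory. Assumed values: the policy name
-- corp_only_policy, the range 203.0.113.0/24 (documentation range standing in
-- for a VPN / cloud-NAT egress), the user ANALYST_SVC, and the placeholder password.

-- Step 2: restrict where logins may originate from.
CREATE NETWORK POLICY corp_only_policy
  ALLOWED_IP_LIST = ('203.0.113.0/24')   -- assumed VPN / cloud workload NAT egress
  COMMENT = 'Only corporate VPN and cloud workload egress may reach this account';

-- Confirm the list before applying it broadly; a wrong range locks admins out.
DESCRIBE NETWORK POLICY corp_only_policy;

-- Attach it to a single test user first ...
ALTER USER ANALYST_SVC SET NETWORK_POLICY = corp_only_policy;
-- ... then, once the admin session's own egress IP is confirmed in the list,
-- account-wide so that every user is covered by default.
ALTER ACCOUNT SET NETWORK_POLICY = corp_only_policy;

-- Step 1: find users that can still log in with a password and have not enrolled
-- in MFA. EXT_AUTHN_DUO is FALSE for users without Snowflake's built-in MFA.
-- ACCOUNT_USAGE views lag live activity by up to a couple of hours.
SELECT name, login_name, has_password, has_rsa_public_key, ext_authn_duo,
       last_success_login
FROM snowflake.account_usage.users
WHERE deleted_on IS NULL
  AND disabled = FALSE
  AND has_password = TRUE
  AND ext_authn_duo = FALSE
ORDER BY last_success_login DESC NULLS LAST;

-- Triage for the same weakness in the login history: successful password-only
-- logins in the last 30 days from outside the allowed /24 prefix. A hit here is
-- exactly the pattern the advisory describes (stolen password, no second factor,
-- untrusted source) and should be investigated before credentials are rotated.
SELECT event_timestamp, user_name, client_ip,
       reported_client_type, reported_client_version
FROM snowflake.account_usage.login_history
WHERE event_timestamp >= DATEADD(day, -30, CURRENT_TIMESTAMP())
  AND is_success = 'YES'
  AND first_authentication_factor = 'PASSWORD'
  AND second_authentication_factor IS NULL
  AND NOT STARTSWITH(client_ip, '203.0.113.')   -- assumed trusted /24 prefix
ORDER BY event_timestamp DESC;

-- Step 3: for an impacted user, replace the password, force a change on next
-- login, and drop any key-pair credentials that may also have been exposed.
ALTER USER ANALYST_SVC
  SET PASSWORD = '<replace-with-random-secret>'   -- placeholder, not a real value
      MUST_CHANGE_PASSWORD = TRUE;
ALTER USER ANALYST_SVC UNSET RSA_PUBLIC_KEY;
ALTER USER ANALYST_SVC UNSET RSA_PUBLIC_KEY_2;

-- If the user is the suspected entry point, disable it outright until the
-- investigation is complete rather than merely rotating its credentials.
ALTER USER ANALYST_SVC SET DISABLED = TRUE;
```

The order matters: run the triage query before rotating credentials so the login history still reflects which accounts the attacker actually used, and apply the network policy to a single user before the whole account so a typo in the allowed range does not cut off the administrators doing the cleanup.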

Link(s):
https://thehackernews.com/2024/06/snowflake-warns-targeted-credential.html
https://community.snowflake.com/s/q...cting-and-preventing-unauthorized-user-access
https://www.securityweek.com/snowflake-hack-impacts-ticketmaster-other-organizations/