Hudson Rock retracts report fingering a Snowflake employee in mega breach

Analysis Hudson Rock, citing legal pressure from Snowflake, has removed its online report claiming that miscreants broke into the cloud storage and analytics giant’s underlying systems and stole data from potentially hundreds of customers, including Ticketmaster and Santander Bank.

More specifically, the infosec house reported that criminals obtained a Snowflake employee’s work credentials using info-stealing malware, and used that privileged access to exfiltrate tons of data from Snowflake customers’ cloud accounts. Snowflake said that didn’t happen.

In any case, it is true that the data from Ticketmaster and Santander were stolen, but how and where exactly is not yet officially known; both are Snowflake customers. A Ticketmaster media representative reportedly told TechCrunch that the stolen data was hosted by Snowflake.

Snowflake said that if any customer data was taken from its servers, it may have been obtained by thieves who acquired individual customers’ account credentials — through targeted phishing, another breach or malware, for example — and not through a blanket compromise of Snowflake’s own security.

In fact, Snowflake believes that a “limited” number of its as-yet unnamed customers may have had their data accessed by intruders using stolen account credentials, because those accounts did not have two-factor authentication enabled.

But the cloud biz denied that underlying security had been breached and leaned on Hudson Rock to retract its report suggesting this.

“In accordance with a letter we received from Snowflake’s legal counsel, we have decided to remove all content related to our report,” Hudson Rock said in a statement Monday. The cybercrime intelligence company declined to respond to The Register’s specific questions about the report and its removal.

On Friday, Hudson Rock wrote in its now-deleted article that data thieves claimed to have logged into a Snowflake employee’s ServiceNow work account and used that access to siphon databases from as many as 400 of Snowflake’s enterprise customers.

“By communicating directly with the threat actor behind cloud storage giant Snowflake’s massive data breach, we gained unprecedented insight into the devastating impact of infostealer infections,” the cybercrime intelligence company wrote.

You have to wonder if it was a good idea to believe this particular threat actor. We’re guessing there was some sort of misunderstanding, miscommunication, or poor translation that led to Hudson Rock reporting that Snowflake customer data was siphoned using stolen Snowflake employee credentials rather than stolen individual customer account credentials.

It’s possible that the crooks didn’t want to say they’d broken into individual accounts, preferring instead to brag that they’d somehow compromised Snowflake as a whole for extra internet points or to cover their tracks.

Demolition man

Snowflake CISO Brad Jones said in a statement that crooks stole a Snowflake employee’s credentials but did not use them to access sensitive information such as customer data in the cloud; instead, those credentials gave the intruder or intruders access only to worthless demo accounts, we’re told. Jones said there was no multi-factor authentication on those so-called demo accounts.

Meanwhile, a “limited number of Snowflake customers” may have had their actual cloud accounts compromised by intruders, Jones admitted in the same statement. This could be due to “a targeted campaign targeting users with single-factor authentication,” he said.

We’re told miscreants have used Snowflake user account credentials “previously purchased or obtained via infostealing malware” to access and plunder those customers’ cloud storage. That is not the same as the provider itself being pwned, Snowflake argued.

“We found no evidence to suggest that this activity was caused by compromised credentials of current or former Snowflake personnel,” Jones wrote. Nor was any data theft “caused by a vulnerability, misconfiguration or compromise of Snowflake’s platform,” he said in his statement, jointly signed by CrowdStrike and Mandiant, which were hired to assist in Snowflake’s ongoing investigation into the matter.

Snowflake also urged all customers to immediately enable MFA on their accounts, and published relevant indicators of compromise on Monday. These are IP addresses and client identifiers to look out for, as they appear to have been used by miscreants targeting Snowflake accounts. The software clients in question tend to identify themselves using the unfortunate ‘rapeflake’ handle.


This shows Snowflake walking a tightrope. On the one hand, it doesn’t want people to think its servers have been compromised at a fundamental level; on the other, it needs to tell customers to enable MFA as soon as possible and to look for evidence that individual accounts have been attacked, whether or not those accounts were actually broken into.
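The indicators Snowflake published are the kind of thing a customer’s security team would sweep its own login history for. The following is an added example (not code from The Register, Snowflake, Mandiant or CrowdStrike) that triages constructed login records against three signals named in this article: a client application identifying itself with the ‘rapeflake’ handle, logins from published indicator IP addresses, and successful password-only logins with no second factor. The record layout is an assumption loosely modelled on Snowflake’s ACCOUNT_USAGE LOGIN_HISTORY and SESSIONS views, the IP list is a placeholder to be replaced with the values from Snowflake’s bulletin, and the sample events are constructed for the example.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


# Constructed record shape, loosely modelled on the columns of Snowflake's
# ACCOUNT_USAGE.LOGIN_HISTORY and ACCOUNT_USAGE.SESSIONS views (an assumption;
# verify the column names against your own account before adapting this).
@dataclass
class LoginEvent:
    user_name: str
    client_ip: str
    client_application_id: str    # as reported by the client in SESSIONS
    first_factor: str             # e.g. PASSWORD, RSA_KEYPAIR, OAUTH_ACCESS_TOKEN
    second_factor: Optional[str]  # None when no MFA was used
    is_success: bool


# Placeholder: substitute the IP addresses from Snowflake's published IoC list.
# 203.0.113.10 is a TEST-NET-3 documentation address, constructed for this example.
SUSPECT_IPS = {"203.0.113.10"}

# Client application identifiers mentioned in the article.
SUSPECT_CLIENT_SUBSTRINGS = ("rapeflake",)


def classify(event: LoginEvent) -> list[str]:
    """Return the reasons an event is suspicious (empty list if none)."""
    reasons = []
    client = event.client_application_id.lower()
    if any(s in client for s in SUSPECT_CLIENT_SUBSTRINGS):
        reasons.append("known-bad client application id")
    if event.client_ip in SUSPECT_IPS:
        reasons.append("login from published indicator IP")
    # A failed login never counts as a successful single-factor login.
    if event.is_success and event.first_factor == "PASSWORD" and not event.second_factor:
        reasons.append("successful password-only login (no MFA)")
    return reasons


def triage(events: list[LoginEvent]) -> dict[str, list[str]]:
    """Map each user with at least one hit to the sorted list of reasons."""
    findings: dict[str, set[str]] = {}
    for e in events:
        reasons = classify(e)
        if reasons:
            findings.setdefault(e.user_name, set()).update(reasons)
    return {user: sorted(r) for user, r in findings.items()}


# Constructed sample login events (not real account data).
SAMPLE_EVENTS = [
    LoginEvent("alice", "198.51.100.7", "PythonConnector 3.0.0", "PASSWORD", "DUO_PUSH", True),
    LoginEvent("bob", "203.0.113.10", "rapeflake", "PASSWORD", None, True),
    LoginEvent("carol", "198.51.100.9", "SnowSQL 1.2.0", "PASSWORD", None, True),
    LoginEvent("dave", "198.51.100.11", "JDBC 3.13", "RSA_KEYPAIR", None, True),
    LoginEvent("erin", "203.0.113.10", "Go 1.6", "PASSWORD", None, False),
]

if __name__ == "__main__":
    for user, reasons in triage(SAMPLE_EVENTS).items():
        print(f"{user}: {'; '.join(reasons)}")
```

Run against the sample events, the sweep flags bob on all three signals, carol for a password-only login, and erin only for the indicator IP (her attempt failed, so it is not counted as a single-factor success), while alice (MFA) and dave (key-pair authentication) are clean. The password-only rule is deliberately the noisiest of the three: on an account without enforced MFA it will list every user, which is exactly the list you need when deciding whom to push to enable it.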

Mandiant declined to comment on the matter and CrowdStrike referred additional questions back to Snowflake. And Snowflake refused to answer The Register’s questions, including which customer accounts were targeted.

“Snowflake is a cloud product and anyone can sign up for an account at any time,” a Snowflake spokesperson told us. “If a threat actor obtains customer credentials, they may have access to the account. Snowflake employees are no different and can also create their own Snowflake ‘customer’ accounts using personal credentials.”

Ticketmaster owner Live Nation Entertainment said in an SEC filing Friday only that “unauthorized activities within a third-party cloud database environment containing company data” led to the theft of the data of 560 million individuals. Santander declined to comment, citing an ongoing investigation.

More speculation

Infosec watcher Kevin Beaumont wrote this weekend that he had heard from a number of Snowflake customers who had been affected by database thieves: “I’ve spoken to people across multiple industries at large companies where they had significant data exfiltration through Snowflake in May.”

It’s worth noting that ShinyHunters – the one or more criminals who put Santander and Ticketmaster’s stolen data up for sale on the Internet – told DataBreaches.net that Hudson Rock’s report was incorrect. It is believed that ShinyHunters is acting as a broker for the data, which has been stolen by someone else.

ShinyHunters said the ServiceNow part was made up by whoever spoke to Hudson Rock, but confirmed one detail: “That’s true, we wanted Snowflake to send us $20 million,” referring to the crime ring’s attempt to extort that sum from Snowflake in exchange for keeping the stolen data under wraps.

In any case, we know that Snowflake accounts are being attacked using phished, purchased, or otherwise stolen credentials, and securing them should be a priority. One would hope that MFA will be enforced for customers in the future.

We’ll also likely see more Snowflake customers report database robberies in the near future, as Beaumont hinted.

The Australian government’s cybersecurity center warned in a June 1 alert of “successful compromises of several companies using Snowflake environments.”

So now we sit and wait for the other shoe(s) to drop.

“I feel sorry for Snowflake on a human level because they are in a bad situation – this is a potential end to their business for them – so they have to use every lever possible to point fingers at their own customers for having been negligent about ‘rapeflake’ activity to avoid responsibility,” Beaumont wrote. “And to be clear, some of this is their customers’ responsibility.”

“But also,” he added, Snowflake — which is hosting a customer business summit this week — “must take this issue head on” if it wants to survive, because “there’s a good chance this will play out publicly in the coming weeks and months.” ®
