Cloud computing and analytics company Snowflake said a “limited number” of its customers have been singled out as part of a targeted campaign.
“We have not identified evidence suggesting this activity was caused by a vulnerability, misconfiguration, or breach of Snowflake’s platform,” the company said in a joint statement along with CrowdStrike and Google-owned Mandiant.
“We have not identified evidence suggesting this activity was caused by compromised credentials of current or former Snowflake personnel.”
Protect and backup your data using AOMEI Backupper. AOMEI Backupper takes secure and encrypted backups from your Windows, hard drives or partitions. With AOMEI Backupper you will never be worried about loosing your data anymore.
Get AOMEI Backupper with 72% discount from an authorized distrinutor of AOMEI: SerialCart® (Limited Offer).
➤ Activate Your Coupon Code
It further said the activity is directed against users with single-factor authentication, with the unidentified threat actors leveraging credentials previously purchased or obtained through information-stealing malware.
“Threat actors are actively compromising organizations’ Snowflake customer tenants by using stolen credentials obtained by infostealing malware and logging into databases that are configured with single factor authentication,” Mandiant CTO Charles Carmakal said in a post on LinkedIn.
Snowflake is also urging organizations to enable multi-factor authentication (MFA) and limit network traffic only from trusted locations.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA), in an alert issued on Monday, recommended organizations follow the guidance outlined by Snowflake to hunt for signs of unusual activity and take steps to prevent unauthorized user access.
A similar advisory from the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) warned of “successful compromises of several companies utilizing Snowflake environments.”
Some of the indicators include malicious connections originating from clients identifying themselves as “rapeflake” and “DBeaver_DBeaverUltimate.”
The development comes days after the company acknowledged that it has observed a spike in malicious activity targeting customer accounts on its cloud data platform.
While a report from cybersecurity firm Hudson Rock previously implied that the breach of Ticketmaster and Santander Bank may have stemmed from threat actors using a Snowflake employee’s stolen credentials, it has since been taken down, citing a letter it received from Snowflake’s legal counsel.
It’s currently not known how the two companies – which are both Snowflake customers – had their information stolen. ShinyHunters, the persona who claimed responsibility for the twin breaches on the now-resurrected BreachForums, told DataBreaches.net that Hudson Rock’s explanation was incorrect and that it’s “disinformation.”
“Infostealers are a significant problem — it has long since outpaced botnets etc. in the real world — and the only real solution is robust multi-factor authentication,” independent security researcher Kevin Beaumont said. It’s believed that a teen crime group is behind the incident.
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
Some parts of this article are sourced from:
thehackernews.com
DarkGate Malware Replaces AutoIt with AutoHotkey in Latest Cyber Attacks