Saturday, September 21, 2024

Mandiant says hackers stole a ‘significant volume of data’ from Snowflake customers


Security researchers say they believe financially motivated cybercriminals have stolen a “significant volume of data” from hundreds of customers hosting their vast banks of data with cloud storage giant Snowflake.

Incident response firm Mandiant, which is working with Snowflake to investigate the recent spate of data thefts, said in a blog post Monday that the two firms have notified around 165 customers that their data may have been stolen.

It’s the first time that the number of affected Snowflake customers has been disclosed since the account hacks began in April. Snowflake has said little to date about the attacks, only that a “limited number” of its customers are affected. The cloud data giant has more than 9,800 corporate customers, like healthcare organizations, retail giants and some of the world’s largest tech companies, which use Snowflake for data analytics.

So far, only Ticketmaster and LendingTree have confirmed data thefts where their stolen data was hosted on Snowflake. Several other Snowflake customers say they’re currently investigating possible data thefts from their Snowflake environments.

Mandiant said the threat campaign is “ongoing,” suggesting the number of Snowflake corporate customers reporting data thefts may rise.

In its blog post, Mandiant attributed the account hacks to UNC5537, an as-yet-unclassified cybercriminal gang that the security firm says is motivated by making money. The gang, which Mandiant says includes members in North America and at least one member in Turkey, attempts to extort its victims into paying to get their files back or to prevent the public release of their customers’ data.

Mandiant confirmed the attacks, which rely on the use of “stolen credentials to access the customer’s Snowflake instance and ultimately exfiltrate valuable data,” date back to at least April 14, when its researchers first identified evidence of improper access to an unnamed Snowflake customer’s environment. Mandiant said it notified Snowflake of its customer account intrusions on May 22.

The security firm said the majority of stolen credentials used by UNC5537 were “available from historical infostealer infections,” with some dating as far back as 2020. Mandiant’s findings confirm Snowflake’s limited disclosure, which said there wasn’t a direct breach of Snowflake’s own systems but blamed its customer accounts for not using multi-factor authentication (MFA).

Last week, TechCrunch found circulating online hundreds of Snowflake customer credentials stolen by malware that infected the computers of staffers who have access to their employer’s Snowflake environment. The number of credentials available online linked to Snowflake environments suggests an ongoing risk to customers who haven’t yet changed their passwords or enabled MFA.

Mandiant said it has also seen “hundreds of customer Snowflake credentials exposed via infostealers.”

For its part, Snowflake doesn’t require its customers to use MFA by default or enforce the security feature’s use. In a brief update on Friday, Snowflake said it’s “developing a plan” to enforce the use of MFA on its customers’ accounts, but has not yet provided a timeline.

Snowflake spokesperson Danica Stanczak declined to say why the company hasn’t reset customer passwords or enforced MFA. Snowflake didn’t immediately comment on Mandiant’s blog post Monday.


Do you know more about the Snowflake account intrusions? Get in touch. To contact this reporter, get in touch on Signal and WhatsApp at +1 646-755-8849, or by email. You can also send files and documents via SecureDrop.
