Snowflake, a cloud computing and analytics company, disclosed that a “limited number” of its customers have been specifically targeted in a recent campaign. However, the company emphasized that there’s no evidence suggesting the activity stemmed from platform vulnerabilities, misconfigurations, or breaches. They also ruled out compromised credentials of current or former Snowflake personnel as the cause. Instead, the attacks seem to be directed at users with single-factor authentication, with threat actors utilizing stolen credentials acquired through information-stealing malware.
In response to the threat, Snowflake, in collaboration with CrowdStrike and Mandiant, urges organizations to implement multi-factor authentication (MFA) and restrict network traffic to trusted locations. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) echoed these recommendations, advising organizations to proactively hunt for signs of unusual activity and prevent unauthorized access. Similarly, the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) warned of successful compromises in several companies using Snowflake environments, stressing the importance of heightened security measures.
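As an added illustration of the hunting step recommended above (example code written for this page, not tooling from Snowflake, CrowdStrike, Mandiant or CISA): the script below walks login records shaped like Snowflake's ACCOUNT_USAGE.LOGIN_HISTORY view (column names assumed to match it; the rows, user names, IPs and trusted range are constructed) and flags successful logins that relied on a single factor, ranking those from outside the trusted network highest, and lists the users who still need MFA enrolment.

```python
import ipaddress

# Constructed sample rows; column names are assumed to mirror
# SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY, values are invented for this example.
SAMPLE_LOGINS = [
    {"EVENT_TIMESTAMP": "2024-05-30T08:12:00", "USER_NAME": "ETL_SVC",
     "CLIENT_IP": "203.0.113.10", "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "YES"},
    {"EVENT_TIMESTAMP": "2024-05-30T09:03:00", "USER_NAME": "ALICE",
     "CLIENT_IP": "198.51.100.7", "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": "DUO_PUSH", "IS_SUCCESS": "YES"},
    {"EVENT_TIMESTAMP": "2024-05-31T02:47:00", "USER_NAME": "ETL_SVC",
     "CLIENT_IP": "198.51.100.7", "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "YES"},
    {"EVENT_TIMESTAMP": "2024-05-31T02:48:00", "USER_NAME": "BOB",
     "CLIENT_IP": "192.0.2.55", "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "NO"},
]

# Assumed corporate egress range; in practice this is the allow-list you would
# also put into the account's network policy.
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]


def _is_trusted(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def hunt_single_factor_logins(rows, trusted_networks):
    """Return findings for successful logins that used only one factor.

    Untrusted source IP -> 'high' (matches the stolen-credential pattern);
    trusted source IP   -> 'medium' (still an MFA gap to close)."""
    findings = []
    for row in rows:
        if row["IS_SUCCESS"] != "YES" or row["SECOND_AUTHENTICATION_FACTOR"]:
            continue  # failed attempts and MFA-backed logins are not in scope
        trusted = _is_trusted(row["CLIENT_IP"], trusted_networks)
        findings.append({"user": row["USER_NAME"], "ip": row["CLIENT_IP"],
                         "time": row["EVENT_TIMESTAMP"],
                         "severity": "medium" if trusted else "high"})
    return findings


def users_needing_mfa(rows):
    """Users with at least one successful single-factor login."""
    return {r["USER_NAME"] for r in rows
            if r["IS_SUCCESS"] == "YES" and not r["SECOND_AUTHENTICATION_FACTOR"]}


if __name__ == "__main__":
    for f in hunt_single_factor_logins(SAMPLE_LOGINS, TRUSTED_NETWORKS):
        print(f"[{f['severity']}] {f['user']} from {f['ip']} at {f['time']}")
    print("enrol in MFA:", sorted(users_needing_mfa(SAMPLE_LOGINS)))
```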
The development follows Snowflake’s recent acknowledgment of a surge in malicious activity targeting customer accounts on its cloud data platform. While initial reports hinted at Snowflake employee credentials being linked to breaches at Ticketmaster and Santander Bank, these claims have been retracted. Hudson Rock, a cybersecurity firm, withdrew its report following communication with Snowflake’s legal counsel. However, concerns persist as independent security experts stress the urgency of robust multi-factor authentication to combat escalating infostealer threats.
Amidst speculation, the incident’s origins remain murky, with conflicting explanations from various sources. Although the persona “ShinyHunters” has denied Hudson Rock’s assertions, security researchers stress the severity of infostealer threats. It’s believed that a teenage criminal group may be involved in the recent incidents, highlighting the need for comprehensive security measures to safeguard against evolving cyber threats.