Since Snowflake acknowledged that the accounts had been attacked, it has provided more information about the incident. Brad Jones, Chief Information Security Officer at Snowflake, said in a blog post that the threat actors used login data for accounts that had been “purchased or obtained through data-stealing malware,” which is designed to extract usernames and passwords from compromised devices. The incident appears to be a “campaign targeting users with single-factor authentication,” Jones added.
Jones’ post said that Snowflake, along with the cybersecurity firms CrowdStrike and Mandiant, which it engaged to investigate the incident, found no evidence that the attack was “caused by compromised credentials of current or former Snowflake staff.” However, it did find that a former employee’s demo accounts were accessed, while stating that they did not contain sensitive data.
When asked about potential data breaches at specific companies, a Snowflake spokesperson pointed to Jones’ statement: “We have identified no evidence to suggest that this activity was caused by a vulnerability, misconfiguration, or breach of the Snowflake platform.” The company did not provide any official comment clarifying what is meant by “non-compliance.” (Security company Hudson Rock said it removed an investigative post that included several unverified claims about the Snowflake incident after receiving a legal letter from Snowflake.)
The US Cybersecurity and Infrastructure Security Agency has issued an alert on the Snowflake incident, while the Australian Cyber Security Centre said it is “aware of successful compromises of several companies using Snowflake environments.”
Unclear origins
Little is known about the Sp1d3r account advertising the data on BreachForums, and it is unclear whether ShinyHunters obtained the data it was selling from another source or directly from the victims’ Snowflake accounts. The data was originally posted on another cybercrime forum by a new user named SpidermanData.
The Sp1d3r account posted on BreachForums that the 2 terabytes of purported data from LendingTree and QuoteWizard were for sale for $2 million, while 3TB of data purportedly from Advance Auto Parts would cost a buyer $1.5 million. “The price set by the threat actor seems extremely high for a typical listing posted on BreachForums,” says Chris Morgan, senior cyber threat intelligence analyst at security firm ReliaQuest.
Morgan says Sp1d3r’s legitimacy is unclear. However, he notes that there is a nod to the teenage hacker group Scattered Spider. “Interestingly, the threat actor’s profile photo is taken from an article referencing the Scattered Spider threat group, although it is unclear if this is an intentional association with the threat group.”
While the exact source of the alleged data breaches is unclear, the incident highlights how interconnected companies can be when they rely on products and services from third-party providers. “I think a lot of this is just a recognition of how interdependent these services are now and how difficult it is to control the security posture of third parties,” security researcher Troy Hunt told WIRED when the incidents first emerged.
As part of its response to the attacks, Snowflake has told all customers to ensure they apply multi-factor authentication on all accounts and to allow traffic only from authorized users or locations. Businesses that have been affected should also reset their Snowflake login credentials. Enabling multi-factor authentication greatly reduces the chance that online accounts will be compromised. As mentioned, TechCrunch reported this week that it has seen “hundreds of alleged Snowflake customer credentials” stolen by information-stealing malware from the computers of people who have accessed Snowflake accounts.
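The two controls Snowflake is asking customers to apply, MFA on every account and network allow-listing, can also be checked retroactively against login history to find the accounts to reset first. The following is an added example and not code from Snowflake or this article; it assumes records shaped like the fields of Snowflake’s LOGIN_HISTORY view (USER_NAME, CLIENT_IP, IS_SUCCESS, SECOND_AUTHENTICATION_FACTOR), and both the events and the allow-list are constructed sample data.

```python
# Added example (not Snowflake's, WIRED's or the article's code): triage of
# login events for the two weaknesses the campaign abused, single-factor
# logins and access from outside approved networks. Field names follow
# Snowflake's ACCOUNT_USAGE.LOGIN_HISTORY view (assumption); events are constructed.
import ipaddress

SAMPLE_EVENTS = [  # constructed sample data, not a real export
    {"USER_NAME": "ALICE", "CLIENT_IP": "203.0.113.10", "IS_SUCCESS": "YES",
     "SECOND_AUTHENTICATION_FACTOR": "DUO_PUSH"},
    {"USER_NAME": "BOB", "CLIENT_IP": "203.0.113.11", "IS_SUCCESS": "YES",
     "SECOND_AUTHENTICATION_FACTOR": None},
    {"USER_NAME": "SVC_ETL", "CLIENT_IP": "198.51.100.77", "IS_SUCCESS": "YES",
     "SECOND_AUTHENTICATION_FACTOR": None},
    {"USER_NAME": "CAROL", "CLIENT_IP": "198.51.100.78", "IS_SUCCESS": "NO",
     "SECOND_AUTHENTICATION_FACTOR": None},
]
ALLOWED_CIDRS = ["203.0.113.0/24"]  # assumed corporate egress range


def in_allowlist(ip, cidrs):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def triage_logins(events, cidrs):
    """One finding per successful login that was single-factor and/or came
    from outside the allow-list; failed attempts are not findings here."""
    findings = []
    for e in events:
        if e["IS_SUCCESS"] != "YES":
            continue
        reasons = []
        if not e["SECOND_AUTHENTICATION_FACTOR"]:
            reasons.append("single_factor")
        if not in_allowlist(e["CLIENT_IP"], cidrs):
            reasons.append("outside_allowlist")
        if reasons:
            findings.append({"user": e["USER_NAME"], "ip": e["CLIENT_IP"],
                             "reasons": reasons})
    return findings


def users_to_reset(findings):
    """Accounts hit by both conditions at once: reset credentials and enrol
    MFA for these first, then work through the single-factor list."""
    both = {"single_factor", "outside_allowlist"}
    return sorted({f["user"] for f in findings if both <= set(f["reasons"])})
```

With the sample data, BOB is flagged as single-factor only, SVC_ETL as single-factor from an unapproved network, and CAROL’s failed attempt is ignored.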
In recent years, coinciding with the greater number of people working from home since the Covid-19 pandemic, there has been an increase in the use of information-stealing malware. “Information stealers have become more popular because they are in high demand and are fairly easy to create,” says Ian Gray, vice president of intelligence at security company Flashpoint. Hackers have been seen copying or modifying existing data stealers and selling the resulting logs for as little as $10 for all the login details, cookies, files and more taken from an infected device.
“This malware can be distributed in different ways and targets sensitive information such as browser data (cookies and credentials), credit cards, and crypto wallets,” says Gray. “Hackers could review logs looking for business credentials to enter accounts without permission.”