Security researchers say they believe financially motivated cybercriminals have stolen a "significant volume of data" from hundreds of customers hosting their huge banks of data with cloud storage giant Snowflake.
Incident response firm Mandiant, which is working with Snowflake to investigate the recent spate of data thefts, said in a blog post Monday that the two companies have notified around 165 customers that their data may have been stolen.
It's the first time that the number of affected Snowflake customers has been disclosed since the account hacks began in April. Snowflake has said little so far about the attacks, only that a "limited number" of its customers are affected. The cloud data giant has more than 9,800 corporate customers, including healthcare organizations, retail giants and some of the world's largest tech companies, which use Snowflake for data analytics.
So far, only Ticketmaster and LendingTree have confirmed data thefts where their stolen data was hosted on Snowflake. Several other Snowflake customers say they are currently investigating potential data thefts from their Snowflake environments.
Mandiant said the threat campaign is "ongoing," suggesting the number of Snowflake corporate customers reporting data thefts may rise.
In its blog post, Mandiant attributed the account hacks to UNC5537, an as-yet-unclassified cybercriminal gang that the security firm says is motivated by making money. The gang, which Mandiant says includes members in North America and at least one member in Turkey, attempts to extort its victims into paying to get their files back or to prevent the public release of their customers' data.
Mandiant confirmed the attacks — which rely on using "stolen credentials to access the customer's Snowflake instance and ultimately exfiltrate valuable data" — date back to at least April 14, when its researchers first identified evidence of improper access to an unnamed Snowflake customer's environment. Mandiant said it notified Snowflake of the customer account intrusions on May 22.
The security firm said the majority of stolen credentials used by UNC5537 were "available from historical infostealer infections," with some dating back as far as 2020. Mandiant's findings corroborate Snowflake's limited disclosure, which said there wasn't a direct breach of Snowflake's own systems but blamed its customer accounts for not using multi-factor authentication (MFA).
Last week, information.killnetswitch found circulating online hundreds of Snowflake customer credentials stolen by malware that infected the computers of staffers who have access to their employer's Snowflake environment. The number of credentials available online linked to Snowflake environments suggests an ongoing risk to customers who haven't yet changed their passwords or enabled MFA.
Mandiant said it has also seen "hundreds of customer Snowflake credentials exposed via infostealers."
For its part, Snowflake doesn't require its customers to use MFA by default or enforce the security feature's use. In a brief update on Friday, Snowflake said it is "developing a plan" to enforce the use of MFA on its customers' accounts, but has not yet provided a timeline.
Snowflake spokesperson Danica Stanczak declined to say why the company hasn't reset customer passwords or enforced MFA. Snowflake did not immediately comment on Mandiant's blog post Monday.
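Since Snowflake does not enforce MFA for customers, each customer has to find its own password-only accounts and password-only logins, which is exactly where infostealer-harvested credentials would be used. The queries below are an added example, not code from the article, Mandiant or Snowflake; they assume a role that can read the SNOWFLAKE.ACCOUNT_USAGE schema (such as ACCOUNTADMIN) and that the USERS and LOGIN_HISTORY views expose the HAS_PASSWORD, HAS_MFA, FIRST_AUTHENTICATION_FACTOR and SECOND_AUTHENTICATION_FACTOR columns as in Snowflake's documentation.

```sql
-- Added example, not from the article, Mandiant or Snowflake.
-- Assumes a role with read access to SNOWFLAKE.ACCOUNT_USAGE (e.g. ACCOUNTADMIN).
-- ACCOUNT_USAGE views lag the live account state by up to a few hours.

-- 1. Active users who can log in with a password but have not enrolled in MFA.
--    A leaked password alone is enough to open these accounts.
SELECT name,
       login_name,
       email,
       last_success_login,
       password_last_set_time
FROM   snowflake.account_usage.users
WHERE  deleted_on IS NULL
  AND  disabled = FALSE
  AND  has_password = TRUE
  AND  has_mfa = FALSE
ORDER  BY last_success_login DESC NULLS LAST;

-- 2. Successful logins in the last 30 days that used only a password
--    (no second factor, no SSO assertion, no key pair), with source IP and
--    client type, so unfamiliar addresses or unexpected clients can be triaged.
SELECT event_timestamp,
       user_name,
       client_ip,
       reported_client_type,
       reported_client_version
FROM   snowflake.account_usage.login_history
WHERE  is_success = 'YES'
  AND  first_authentication_factor = 'PASSWORD'
  AND  second_authentication_factor IS NULL
  AND  event_timestamp >= DATEADD(day, -30, CURRENT_TIMESTAMP())
ORDER  BY event_timestamp DESC;

-- 3. How old the passwords on password-capable accounts are, by year last set;
--    credentials from infostealer logs dating back to 2020 are only useful
--    against passwords that have not been rotated since.
SELECT YEAR(password_last_set_time) AS password_year,
       COUNT(*)                     AS users
FROM   snowflake.account_usage.users
WHERE  deleted_on IS NULL
  AND  has_password = TRUE
GROUP  BY 1
ORDER  BY 1;
```

Accounts returned by the first query are candidates for a forced password reset and MFA enrollment; rows from the second query with unknown client IPs are the ones to review against the time window Mandiant describes.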
Do you know more about the Snowflake account intrusions? Get in touch. To contact this reporter, get in touch on Signal and WhatsApp at +1 646-755-8849, or by email. You can also send files and documents via SecureDrop.