“These credentials were primarily obtained from multiple infostealer malware campaigns that infected non-Snowflake owned systems. This allowed the threat actor to gain access to the affected customer accounts and led to the export of a significant volume of customer data from their respective Snowflake customer instances. The threat actor has subsequently begun to extort many of the victims directly and is actively attempting to sell the stolen customer data on recognized cybercriminal forums,” Mandiant said.
Many of the stolen credentials, it added, came from infostealer infections that in some cases dated as far back as 2020.
Cybersecurity experts have been talking about the Snowflake attacks for some time. In September, after further attacks, Brian Soby, CTO of AppOmni, said, “What we saw in the Snowflake ecosystem is most definitely not unique to that solution. This scenario could have easily played out in any major SaaS application, as the core vulnerabilities are the same; they center on a lack of meaningful visibility into the security configuration of applications and a lack of effective monitoring capability.”