Pure Storage, a number one supplier of cloud storage methods and providers, confirmed on Monday that attackers breached its Snowflake workspace and gained entry to what the corporate describes as telemetry info.
Whereas the uncovered info additionally included buyer names, usernames, and electronic mail addresses, it didn’t comprise credentials for array entry or some other knowledge saved on buyer methods.
“Following an intensive investigation, Pure Storage has confirmed and addressed a security incident involving a 3rd celebration that had quickly gained unauthorized entry to a single Snowflake knowledge analytics workspace,” the storage firm mentioned.
“The workspace contained telemetry info that Pure makes use of to offer proactive buyer help providers. That info consists of firm names, LDAP usernames, electronic mail addresses, and the Purity software program launch model quantity.”
Pure took measures to stop additional unauthorized entry to its Snowflake workspace and has but to seek out proof of malicious exercise on different elements of its buyer infrastructure.
“We’re at the moment in touch with prospects who equally haven’t detected uncommon exercise focusing on their Pure methods,” the corporate added.
Greater than 11,000 prospects use Pure Storage’s knowledge storage platform, together with high-profile firms and organizations like Meta, Ford, JP Morgan, NASA, NTT, AutoNation, Equinix, and Comcast.
No less than 165 orgs doubtless impacted by Snowflake assaults
In a joint advisory with Mandiant and CrowdStrike, Snowflake revealed that attackers use stolen buyer credentials to focus on accounts missing multi-factor authentication safety.
Mandiant additionally linked the Snowflake assaults to a financially motivated risk actor tracked as UNC5537 since Might 2024.
The malicious actor beneficial properties entry to Snowflake buyer accounts utilizing buyer credentials stolen in historic infostealer malware infections relationship again to 2020, focusing on tons of of organizations worldwide and extorting victims for monetary acquire.
“The impacted accounts weren’t configured with multi-factor authentication enabled, that means profitable authentication solely required a legitimate username and password,” Mandiant mentioned.
“Credentials recognized in infostealer malware output had been nonetheless legitimate, in some instances years after they had been stolen, and had not been rotated or up to date. The impacted Snowflake buyer situations didn’t have community enable lists in place to solely enable entry from trusted places.”
To this point, the cybersecurity firm has recognized tons of of buyer Snowflake credentials uncovered in Vidar, RisePro, Redline, Racoon Stealer, Lumm, and Metastealer infostealer malware assaults.
Snowflake and Mandiant have already notified round 165 organizations doubtlessly uncovered to those ongoing assaults.
Whereas Mandiant has not disclosed a lot details about UNC5537, BleepingComputer has realized that they’re half of a bigger neighborhood of risk actors who steadily go to the identical web sites, Telegram and Discord servers, the place they frequently collaborate on assaults.
Current breaches at Santander, Ticketmaster, and QuoteWizard/LendingTree have additionally been linked to those ongoing Snowflake assaults. Ticketmaster’s mother or father firm, Stay Nation, confirmed {that a} data breach affected the ticketing firmafter its Snowflake account was compromised on Might 20.
A risk actor is now promoting 3TB of information from automotive aftermarket elements supplier Advance Auto Elements, allegedly together with 380 million buyer profiles and 44 million Loyalty / Gasoline card numbers (with buyer particulars), stolen after the corporate’s Snowflake account was breached.
