Identity & Access Management , Incident & Breach Response , Security Operations

Snowflake Clients Targeted With Credential Attacks

Company Says Single-Factor Authentication Accounts Are to Blame - Not a Flaw
Snowflake Clients Targeted With Credential Attacks
Snowflake says hackers are targeting accounts that do not have multifactor authentication enabled. (Image: Snowflake)

Hackers are targeting clients of artificial intelligence data platform provider Snowflake that lack multifactor authentication, the company said.

See Also: OnDemand | Hybrid Mesh Firewalls and Microsoft Azure, Extending Your Network Security to the Cloud

The Bozeman, Montana-based company told customers Friday it observed "an increase in cyber threat activity targeting some of our customers' accounts." The activity, it said, is unrelated to vulnerabilities or a misconfiguration within Snowflake.

The Australian Cyber Security Center published an alert Saturday warning it's tracking cyberthreat activity in Snowflake customer environments.

The attacks originate from clients identifying themselves as rapeflake and DBeaver_DBeaverUltimate.

The multiple warnings came after threat intel firm Hudson Rock published a now-removed blog post saying that recent major data breaches touted on criminal forums stemmed from an info stealer operating on the computer of a Snowflake employee.

TechCrunch on Friday reported that an unidentified TicketMaster spokesperson said that stolen company data advertised for sale on a criminal forum originated with Snowflake (see: Stolen Ticketmaster Data Advertised on Rebooted BreachForums).

The company confirmed a data breach in a Friday filing with federal regulators that doesn't name the "third-party cloud database environment" that hackers infiltrated. The company did not return a request for comment.

In a Sunday update containing "preliminary findings," Snowflake said it has not "identified evidence suggesting this activity was caused by compromised credentials of current or former Snowflake personnel." A threat actor did access a demo account belonging to a former Snowflake employee through compromised personal credentials - but the demo site did not contain sensitive data. Snowflake said CrowdStrike and Mandiant back its initial conclusions.

Mandiant CTO Charles Carmakal said in a LinkedIn post Monday that info stealers do have a role in the Snowflake campaign. "Threat actors are actively compromising organizations' Snowflake customer tenants by using stolen credentials obtained by info-stealing malware and logging into databases that are configured with single-factor authentication," he said.

Carmakal said corporate environments have become more vulnerable to info stealers as employees increasingly use personal computers to access company systems and synchronize web browsers between work and home computers. "People (or their children) sometimes inadvertently install software laced with info-stealing malware on their personal computers. The malware can capture credentials from their web browsers," he said.

Security researcher Kevin Beaumont in a Sunday blog post criticized Snowflake for not enforcing multifactor authentication or disabling the former employee's account. "Note that in the age of SaaS, your providers will throw you under the bus to save themselves. When you transfer your security risk to a provider, they don't accept your risk - they just take the money," he said. In a Friday social media post, he said "6 major orgs" - customers of Snowflake - have had data breaches.

Snowflake did not immediately respond to a request for comment.

With reporting from Jayant Chakravarti in Pune, India.


About the Author

David Perera

David Perera

Editorial Director, News, ISMG

Perera is editorial director for news at Information Security Media Group. He previously covered privacy and data security for outlets including MLex and Politico.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.