Mandiant says hackers stole a “significant amount of data” from Snowflake customers

Security researchers say they believe financially motivated cybercriminals have stolen a “significant amount of data” from hundreds of customers who host their vast banks of data on cloud storage giant Snowflake.

Incident response firm Mandiant, which is working with Snowflake to investigate a recent wave of data thefts, said in a blog post on Monday that the two companies have notified about 165 customers that their data may have been stolen.

This is the first time the number of affected Snowflake customers has been disclosed since accounts were hacked in April. So far, Snowflake has said little about the attacks, only that a “limited number” of its customers were affected. The cloud data giant has more than 9,800 corporate customers, such as healthcare organizations, retail giants and some of the world’s largest technology companies, that use Snowflake for data analysis.

So far, only Ticketmaster and LendingTree have confirmed data breaches in which their stolen data was hosted on Snowflake. Several other Snowflake customers say they are currently investigating possible data theft from their Snowflake environments.

Mandiant said the threat campaign is “ongoing,” suggesting that the number of Snowflake corporate customers reporting data breaches may rise.

In its blog post, Mandiant attributed the account breaches to UNC5537, an as-yet-unclassified cybercriminal group that the security firm says is motivated by making money. The gang, which Mandiant says includes members in North America and at least one member in Turkey, is attempting to extort its victims into paying to get their files back or to prevent their customers’ data from being made public.

Mandiant confirmed that the attacks, which rely on the use of “stolen credentials to access a customer’s Snowflake instance and ultimately steal valuable data,” took place at least as early as April 14, when its researchers first discovered evidence of unauthorized access to an unnamed Snowflake customer’s environment. Mandiant said it notified Snowflake of the intrusions into its customers’ accounts on May 22.

The security firm said most of the stolen credentials used by UNC5537 were “available from historical infostealer infections,” with some dating back to 2020. Mandiant’s findings support Snowflake’s limited disclosure, which said there was no direct breach of Snowflake’s own systems but blamed its customer accounts for not using multi-factor authentication (MFA).

Last week, TechCrunch found online hundreds of Snowflake customer credentials that had been stolen by malware that infected the computers of employees who access their employer’s Snowflake environment. The number of credentials available online linked to Snowflake environments suggests an ongoing risk to customers who have not yet changed their passwords or enabled MFA.

Mandiant said it has also seen “hundreds of customer Snowflake credentials exposed via infostealers.”

For its part, Snowflake does not by default require its customers to use or enforce the security feature. In a brief update on Friday, Snowflake said it was “developing a plan” to enforce MFA on its customers’ accounts, but did not yet provide a timeline.

Snowflake spokeswoman Danica Stanczak declined to say why the company hasn’t reset customers’ passwords and enforced MFA. Snowflake did not immediately comment on Mandiant’s blog post on Monday.


Do you know more about the Snowflake account hacks? Get in touch. To contact this reporter, reach out on Signal and WhatsApp at +1 646-755-8849 or by email. You can also send files and documents via SecureDrop.
