Since Snowflake acknowledged that accounts had been targeted, it has provided some more information about the incident. Brad Jones, Snowflake’s chief information security officer, said in a blog post that threat actors used login details to accounts that had been “purchased or obtained through infostealing malware,” which is designed to pull usernames and passwords from devices that have been compromised. The incident appears to be a “targeted campaign directed at users with single-factor authentication,” Jones added.
Jones’ post said Snowflake, alongside cybersecurity companies CrowdStrike and Mandiant, which it employed to investigate the incident, did not find evidence showing the attack was “caused by compromised credentials of current or former Snowflake personnel.” However, it has found one former employee’s demo accounts were accessed, claiming they did not contain sensitive data.
When asked about potential breaches of specific companies’ data, a Snowflake person pointed to Jones’ statement: “We have not identified evidence suggesting this activity was caused by a vulnerability, misconfiguration, or breach of Snowflake’s platform.” The company did not provide an on-record comment clarifying what was meant by a “breach.” (Security company Hudson Rock said it removed a research post including various unverified claims about the Snowflake incident after receiving a legal letter from Snowflake).
The US Cybersecurity and Infrastructure Security Agency has issued an alert about the Snowflake incident, while Australia’s Cyber Security Center said it is “aware of successful compromises of several companies utilizing Snowflake environments.”
Unclear Origins
Little is known about the Sp1d3r account advertising data on BreachForums, and it is not clear whether ShinyHunters obtained the data it was selling from another source or directly from victims’ Snowflake accounts—information about a Ticketmaster and Santander breach was originally posted on another cybercrime forum by a new user called SpidermanData.
The Sp1d3r account posted on BreachForums that the 2 terabytes of alleged LendingTree and QuoteWizard data was for sale for $2 million; while 3 TB of data allegedly from Advance Auto Parts would cost someone $1.5 million. “The price set by the threat actor appears extremely high for a typical listing posted to BreachForums,” says Chris Morgan, a senior cyber-threat intelligence analyst at security firm ReliaQuest.
Morgan says the legitimacy of Sp1d3r is not clear; however, he points out there is a nod to teenage hacking group Scattered Spider. “Interestingly, the threat actor’s profile picture is taken from an article referencing the threat group Scattered Spider, although it is unclear whether this is to make an intentional association with the threat group.”
While the exact source of the alleged data breaches is unclear, the incident highlights how interconnected companies can be when relying on products and services from third-party providers. “I think a lot of this is just a recognition of how interdependent these services now are and how hard it is to control the security posture of third parties,” security researcher Tory Hunt told WIRED when the incidents first emerged.
As part of its response to the attacks, Snowflake has told all customers to make sure they enforce multifactor authentication on all accounts and allow traffic only from authorized users or locations. Companies that have been impacted should also reset their Snowflake login credentials. Enabling multifactor authentication vastly reduces the chances that online accounts will be compromised. As mentioned, TechCrunch reported this week that it has seen “hundreds of alleged Snowflake customer credentials” taken by infostealing malware from computers of people who have accessed Snowflake accounts.
In recent years, coinciding with more people working from home since the Covid-19 pandemic, there has been a rise in the use of infostealer malware. “Infostealers have become more popular because they’re in high demand and pretty easy to create,” says Ian Gray, the vice president of intelligence at security company Flashpoint. Hackers have been seen to be copying or modifying existing infostealers and selling them on for as little as $10 for all the login details, cookies, files, and more from one infected device.
“This malware can be delivered in different ways and targets sensitive info like browser data (cookies and credentials), credit cards, and crypto wallets,” Gray says. “Hackers might comb through the logs for enterprise credentials to break into accounts without permission.”