A cyberattack targeting customers of cloud storage provider Snowflake is rapidly escalating and may become one of the largest data breaches ever recorded. Last week, Snowflake, which facilitates massive dataset storage for companies, revealed that hackers have been attempting to access its customers’ accounts using stolen login credentials.
Data breaches involving Ticketmaster and Santander have been linked to these attacks. We already covered this news, but more has surfaced since then.
Since Snowflake initially reported that a “limited number” of customer accounts were accessed, cybercriminals have claimed to be selling stolen data from two other major firms, purportedly obtained from Snowflake accounts. TechCrunch has also reported that hundreds of Snowflake customer passwords are now available online to cybercriminals.
The scope and scale of the attack remain uncertain, including the identities of the attackers and the specifics of an attack tool named “rapeflake.” This situation underscores the rising use of infostealer malware and the importance for companies to implement multifactor authentication to protect their accounts.
The Snowflake Attack targets cloud environments, exploiting vulnerabilities to access sensitive data. Protect your organization with strong access controls, regular monitoring, timely patches, encryption, and security assessments. Stay safe! #CyberSecurity #CloudSecurity #Infosec
— Mark Murphy (@mmurphy7) June 7, 2024
Much of the Snowflake incident has been discussed on the infamous cybercrime marketplace BreachForums. Although the FBI seized the forum in mid-May, it quickly resurfaced, and hacker group ShinyHunters has claimed to be selling 560 million records from Ticketmaster and 30 million from Santander.
Both companies have confirmed data breaches, with Ticketmaster linking the incident to Snowflake and Santander noting unauthorized access to a database hosted by a third party. Neither company has confirmed the exact size of the breaches.
In recent days, a BreachForums user named Sp1d3r has claimed that data from Advance Auto Parts and financial services company LendingTree, including its subsidiary QuoteWizard, is also linked to the Snowflake breach. Advance Auto Parts appears to have legitimate customer email addresses in the sample data, but LendingTree has not responded to inquiries about the alleged breaches.
Snowflake has since provided more details about the incident. Chief Information Security Officer Brad Jones stated that threat actors used login details obtained through infostealing malware, targeting users with single-factor authentication. Jones clarified that the attack did not result from compromised credentials of current or former Snowflake personnel. Some demo accounts belonging to former team members were accessed, but they did not contain sensitive data.
Seems like more and more companies could fall foul of the #snowflake attack.
Thanks @DarkWebInformer for the tip off. pic.twitter.com/7oWomCeRaG
— Gordie 🖤 🏴 🇺🇦 🏳️🌈 💉x6 (@gordsec) June 5, 2024
In response to the incident, the US Cybersecurity and Infrastructure Security Agency and Australia’s Cyber Security Center have issued alerts. Snowflake advises all customers to enforce multifactor authentication on their accounts and restrict access to authorized users or locations.
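As an added illustration of the two controls above (multifactor authentication on every account and access restricted to authorized locations) and of how to find accounts still exposed to the password-only logins Jones described, here is Snowflake SQL that is not part of the original article or of Snowflake's own guidance; the IP ranges are constructed placeholders, and the ACCOUNT_USAGE views are assumed to be readable by the role running it.

```sql
-- 1. Restrict account access to approved egress ranges.
--    The CIDR values are constructed placeholders; substitute your own.
CREATE NETWORK POLICY IF NOT EXISTS corp_only_policy
  ALLOWED_IP_LIST = ('203.0.113.0/24', '198.51.100.10');
ALTER ACCOUNT SET NETWORK_POLICY = corp_only_policy;

-- 2. Detection: successful logins in the last 30 days that used only a
--    password, with no second factor. Stolen infostealer credentials
--    succeed exactly here, so review the client IP and client type.
SELECT user_name,
       client_ip,
       reported_client_type,
       event_timestamp
FROM   snowflake.account_usage.login_history
WHERE  is_success = 'YES'
  AND  first_authentication_factor = 'PASSWORD'
  AND  second_authentication_factor IS NULL
  AND  event_timestamp >= DATEADD(day, -30, CURRENT_TIMESTAMP())
ORDER  BY event_timestamp DESC;

-- 3. Inventory: active users who have a password but no MFA enrolment,
--    i.e. the single-factor accounts the attackers targeted.
SELECT name,
       has_password,
       last_success_login
FROM   snowflake.account_usage.users
WHERE  deleted_on IS NULL
  AND  disabled = FALSE
  AND  has_password = TRUE
  AND  ext_authn_duo = FALSE
ORDER  BY last_success_login DESC NULLS LAST;
```

Query 2 is the one worth scheduling as an alert; query 3 is the follow-up list for enrolling or disabling accounts.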
The exact origin of the Sp1d3r account and the authenticity of the sold data remain unclear. However, this incident highlights the interconnected nature of companies relying on third-party services and the challenges in controlling these providers’ security posture.
The rise in infostealer malware corresponds with increased remote work since the COVID-19 pandemic. Infostealers, which can be created and modified easily, are in high demand and often sold for as little as $10, providing hackers with login details, cookies, files, and more from infected devices.
This malware harvests sensitive information such as browser data, saved payment card details, and crypto wallets, and the captured logins give attackers unauthorized access to enterprise credentials.
The Snowflake incident emphasizes the critical need for robust security measures and multifactor authentication to protect against increasingly sophisticated cyber threats.
Abdul Rehman