Saturday, July 6, 2024

Snowflake attack could be one of the biggest data breaches in history

Snowflake confirmed that accounts were targeted and provided more details about the incident. In a blog post, Snowflake’s chief information officer, Brad Jones, said the attackers used account login information “obtained through purchase or information-stealing malware.” The malware is designed to extract usernames and passwords from compromised devices. Jones added that the incident appears to be a “targeted attack aimed at single-factor authentication users.”

Jones’ post said Snowflake, along with the cybersecurity firms it hired to investigate the incident, CrowdStrike and Mandiant, found no evidence to suggest the attack was “caused by compromised credentials of any current or former Snowflake employees,” but that it did find that a demo account belonging to one former employee had been accessed, though Snowflake said the account did not contain any sensitive data.

Asked about possible data breaches for specific companies, a Snowflake representative pointed to Jones’ statement: “We have not seen any evidence to suggest that this activity was caused by a vulnerability, misconfiguration, or compromise of the Snowflake platform.” The company did not offer any official comment to clarify what “compromise” means. (Security firm Hudson Rock said it had removed an investigative article containing various unverified claims about the Snowflake incident after receiving a legal letter from Snowflake.)

The US Cybersecurity and Infrastructure Security Agency has issued a warning about the Snowflake incident, and the Australian Cyber Security Centre said it was “aware of multiple breaches at companies using the Snowflake environment.”

Unknown origins

Little is known about the Sp1d3r account advertising the data on BreachForums, and it’s not clear whether the data ShinyHunters was selling came from another source or directly from victims’ Snowflake accounts. Information about the Ticketmaster and Santander breaches was originally posted to another cybercrime forum by a new user named “SpidermanData.”

The Sp1d3r account posted on BreachForums that 2 terabytes of data from LendingTree and QuoteWizard were for sale for $2 million, while 3 terabytes of data from Advance Auto Parts was said to be worth $1.5 million. “The prices set by this threat actor seem extremely high for a typical listing posted on BreachForums,” said Chris Morgan, senior cyber threat intelligence analyst at security firm ReliaQuest.

Morgan noted that while the legitimacy of Sp1d3r is unclear, it does reference the teenage hacker group Scattered Spider: “Interestingly, the threat actor’s profile photo is taken from an article that references the Scattered Spider threat group, although it is unclear if this is an intentional attempt to associate them with the threat group.”

While the exact source of the data breach is unclear, the incident highlights just how interconnected companies are that rely on products and services from third-party providers. “I think this is just a recognition of how interdependent these services are now, and how difficult it is to manage third-party security postures,” security researcher Troy Hunt told WIRED when the incident first came to light.

As part of its response to the attack, Snowflake has instructed all customers to implement multi-factor authentication on all accounts and only allow traffic from authorized users or locations. Affected businesses should also reset their Snowflake login credentials. Enabling multi-factor authentication significantly reduces the chances of online accounts being compromised. As previously mentioned, TechCrunch reported this week that information-stealing malware had stolen “hundreds of purported Snowflake customer credentials” from the computers of people who had access to Snowflake accounts.
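The three steps Snowflake asked customers to take (restrict network access, require MFA, reset credentials) are all account-level settings applied through Snowflake SQL, and the same account-usage views can be used to find the password-only logins this attack depended on. The following is an added example written for this page; it is not from the WIRED article or from Snowflake’s advisory. The policy names, user name and IP ranges are constructed placeholders, and the authentication-policy syntax follows Snowflake’s documentation as of 2024, so it should be checked against current docs before use.

```sql
-- 1. Restrict where logins may come from. Only office egress and VPN
--    ranges (constructed placeholders below) can reach the account.
CREATE NETWORK POLICY corp_only
  ALLOWED_IP_LIST = ('203.0.113.0/24', '198.51.100.10')
  COMMENT = 'Office egress and VPN ranges only';

ALTER ACCOUNT SET NETWORK_POLICY = corp_only;

-- 2. Require MFA for every password-based login, across the web UI,
--    SnowSQL and client drivers. A stolen password alone is then useless.
CREATE AUTHENTICATION POLICY require_mfa
  MFA_ENROLLMENT = REQUIRED
  MFA_AUTHENTICATION_METHODS = ('PASSWORD')
  CLIENT_TYPES = ('SNOWFLAKE_UI', 'SNOWSQL', 'DRIVERS');

ALTER ACCOUNT SET AUTHENTICATION POLICY require_mfa;

-- 3. Rotate credentials for an affected user (placeholder name) and force a
--    change at next login; disable the user outright if misuse is suspected.
ALTER USER jdoe SET PASSWORD = 'CHANGE-ME-ON-FIRST-LOGIN'
                   MUST_CHANGE_PASSWORD = TRUE;
-- ALTER USER jdoe SET DISABLED = TRUE;

-- Hunt: which active users still have a password but no MFA enrolled?
SELECT name, last_success_login
FROM   snowflake.account_usage.users
WHERE  deleted_on IS NULL
  AND  has_password = TRUE
  AND  ext_authn_duo = FALSE;

-- Hunt: successful single-factor (password-only) logins in the last 30
-- days, with source IP and client type, newest first. Anything from an IP
-- outside the ranges above, or from an unexpected client, warrants review.
SELECT user_name,
       client_ip,
       reported_client_type,
       first_authentication_factor,
       event_timestamp
FROM   snowflake.account_usage.login_history
WHERE  is_success = 'YES'
  AND  first_authentication_factor = 'PASSWORD'
  AND  second_authentication_factor IS NULL
  AND  event_timestamp > DATEADD(day, -30, CURRENT_TIMESTAMP())
ORDER  BY event_timestamp DESC;
```

Two caveats: the account-usage views lag live activity by up to a couple of hours, so they are for hunting rather than real-time blocking, and the network policy applies to every connection, including service accounts and BI tools, so enumerate those egress addresses before setting it at account level or they will be locked out along with the attackers.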

In recent years, the use of infostealer malware has increased, coinciding with the rise in people working from home since the COVID-19 pandemic. “Infostealers are becoming more popular because they’re in high demand and are easy to create,” said Ian Gray, vice president of intelligence at security firm Flashpoint. Hackers have been seen copying or modifying existing infostealers to obtain all login information, cookies, files, and more from a single infected device and selling them for as little as $10.

“The malware is delivered in a variety of ways, targeting sensitive information such as browser data (cookies and credentials), credit cards, and crypto wallets,” Gray said. “Hackers can comb through logs looking for corporate credentials to break into accounts without authorization.”
