Attack on cloud provider: Database theft from Snowflake customers

Security researchers and Snowflake found evidence of systematic attacks. Meanwhile, the event company Live Nation confirmed a successful attack.

Image: close-up of a light grey computer keyboard on which the right Caps Lock key has been replaced by a green key labelled "Leak"

(Image: CarpathianPrince/Shutterstock.com)

This article was originally published in German and has been automatically translated.

The "Snowflake Data Cloud" has apparently been the target of several attacks in which customer data was copied without authorization and offered for sale on the darknet. The provider of cloud-based data storage sees no evidence of a security flaw on its own side, but suspects credential theft via infostealer malware. The Australian cybersecurity authority has now also issued a warning.

According to the ACSC (Australian Cyber Security Centre), the unknown attackers have already compromised several Snowflake customers. Brad Jones, Chief Information Security Officer (CISO) of the company, also confirms this, but emphasizes that it is not a data leak at Snowflake. Rather, the intrusions were carried out with credentials stolen by infostealer malware, which the attacker or attackers bought on the black market. Only customers who do not use two-factor authentication for their Snowflake accounts have become victims. The affected customers and organizations have been informed, Jones added.

Jones does, however, have to admit that the credentials of a former Snowflake employee were stolen and used to access internal accounts. These were intended only for demonstration purposes, but, just like the affected customer accounts, they were not secured by multifactor authentication.

The Snowflake CISO recommends that all customers set up multifactor authentication and network access rules and, if affected by the data leak, change all access credentials. The company also provides a collection of "Indicators of Compromise" (IoC), which essentially consists of almost 70 IP addresses and the version identifiers used by the attackers. The IoC list is part of an extensive help page that also provides tips on hardening the Snowflake account. The company itself is relying on experts from Mandiant and CrowdStrike to investigate the incident.
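The three recommendations above (network access rules, MFA, and checking the IoC list against one's own account) map onto a handful of Snowflake SQL statements. The following is an added illustration written for this page, not code from Snowflake's help page or the article. The IP ranges, the IoC values and the client-version pattern are placeholders; the real IoC list is published by Snowflake and must be substituted. `SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY` and `SNOWFLAKE.ACCOUNT_USAGE.USERS` are the standard account-usage views; the `EXT_AUTHN_DUO` column reflects enrollment in Snowflake's built-in Duo-based MFA.

```sql
-- 1. Network access rule: only allow logins from known corporate egress
--    ranges. The CIDR is a placeholder (RFC 5737 documentation range).
CREATE NETWORK POLICY corp_only_policy
  ALLOWED_IP_LIST = ('203.0.113.0/24');

-- Apply it account-wide (a user-level policy can also be set with ALTER USER).
ALTER ACCOUNT SET NETWORK_POLICY = corp_only_policy;

-- 2. Hunt in the login history for hits on the published IoCs.
--    The IP and client-version values below are placeholders, not the
--    real IoCs; paste in the entries from Snowflake's IoC list.
--    Note: ACCOUNT_USAGE views lag live activity by up to ~2 hours.
SELECT
    event_timestamp,
    user_name,
    client_ip,
    reported_client_type,
    reported_client_version,
    first_authentication_factor,
    second_authentication_factor,
    is_success
FROM snowflake.account_usage.login_history
WHERE event_timestamp >= DATEADD(day, -90, CURRENT_TIMESTAMP())
  AND (
        client_ip IN ('192.0.2.10', '198.51.100.25')          -- placeholder IoC IPs
     OR reported_client_version ILIKE '%PLACEHOLDER_IOC%'     -- placeholder version string
  )
ORDER BY event_timestamp DESC;

-- 3. Logins that succeeded with a password alone (no second factor) from
--    outside the allowed range: the exact pattern behind the incidents.
SELECT event_timestamp, user_name, client_ip, reported_client_type
FROM snowflake.account_usage.login_history
WHERE is_success = 'YES'
  AND first_authentication_factor = 'PASSWORD'
  AND second_authentication_factor IS NULL
  AND event_timestamp >= DATEADD(day, -90, CURRENT_TIMESTAMP())
ORDER BY event_timestamp DESC;

-- 4. Inventory of active users who have not enrolled in MFA, so they can be
--    followed up with (enrollment itself is done by the user via Duo).
SELECT name, login_name, last_success_login
FROM snowflake.account_usage.users
WHERE deleted_on IS NULL
  AND disabled = FALSE
  AND ext_authn_duo = FALSE
ORDER BY last_success_login DESC NULLS LAST;
```

Queries 2 and 3 are the detection side: a hit on an IoC IP or client string, or any password-only login from an unexpected address, is a lead for the forensic review the article mentions; query 4 produces the list of accounts that are exposed in exactly the way the compromised customers were. Run them as a role with access to the `SNOWFLAKE` database (ACCOUNTADMIN or a role granted `IMPORTED PRIVILEGES` on it).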

The US company Live Nation, whose customer data recently appeared on the darknet, has now also confirmed, in a mandatory filing (Form 8-K) with the US Securities and Exchange Commission, a security incident in which Snowflake databases were stolen. The incident occurred on May 20 and is currently being investigated by IT forensic experts. However, the concert and event promoter, which is involved in a legal dispute with the US government, says it does not expect any serious impact on its business operations.

(cku)