Time: 2024-06-01
A recent data breach at popular cloud storage company Snowflake has been linked to security incidents at Santander and Ticketmaster. The threat actor responsible claims to have gained access to high-profile companies' data by exploiting an employee's account at Snowflake. Snowflake, however, denies these allegations and attributes the breaches to poorly secured customer accounts. Hudson Rock, a cybersecurity firm, reports that the threat actor used a compromised ServiceNow account to bypass Okta's authentication process and steal data from hundreds of companies using Snowflake's platform. The threat actor sought to extort $20 million from Snowflake but received no response. Snowflake confirms that customer accounts were hacked and emphasizes the need for increased security measures, including multi-factor authentication.
Despite Snowflake's denial of the breach, it acknowledges a rise in attacks targeting customer accounts, with some accounts compromised on May 23, 2024. The company is actively investigating the incidents and has warned customers of the threat activity. Snowflake's CISO, Brad Jones, stresses that the attacks were not due to any vulnerabilities in its products. Snowflake has advised customers to enable MFA and has provided security bulletins with IoCs and guidance on securing accounts. The IoCs reveal that threat actors used custom tools like 'RapeFlake' to exfiltrate data and connected to databases using the DBeaver Ultimate client. The company continues to monitor the situation and assist affected customers in safeguarding their data.
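As an added illustration (not from the article or from Snowflake's bulletin), the following Snowflake SQL shows how an account administrator could hunt for the activity pattern described above, single-factor password logins followed by sessions from tooling matching the reported client names, and then require MFA enrollment account-wide. It assumes the ACCOUNTADMIN role, the standard SNOWFLAKE.ACCOUNT_USAGE views, and an edition whose authentication policies support MFA_ENROLLMENT; the policy name and lookback window are arbitrary choices.

```sql
-- Hunt: successful password-only logins in the last 30 days whose session
-- reported a client application resembling the tools named in the IoCs.
-- ACCOUNT_USAGE views lag live activity by up to a few hours, so re-run
-- the query when closing an investigation.
USE ROLE ACCOUNTADMIN;

SELECT
    lh.event_timestamp,
    lh.user_name,
    lh.client_ip,
    lh.reported_client_type,
    lh.first_authentication_factor,
    s.client_application_id,
    s.client_application_version
FROM snowflake.account_usage.login_history AS lh
JOIN snowflake.account_usage.sessions AS s
    ON s.login_event_id = lh.event_id
WHERE lh.event_timestamp >= DATEADD('day', -30, CURRENT_TIMESTAMP())
  AND lh.is_success = 'YES'
  AND lh.first_authentication_factor = 'PASSWORD'
  AND lh.second_authentication_factor IS NULL          -- no MFA on this login
  AND (   s.client_application_id ILIKE '%rapeflake%'  -- custom exfil tool
       OR s.client_application_id ILIKE '%dbeaver%')   -- DBeaver (Ultimate) client
ORDER BY lh.event_timestamp DESC;

-- Triage helper: users who have never completed a second factor at all,
-- i.e. the accounts most exposed to credential reuse from infostealer logs.
SELECT user_name,
       COUNT(*) AS logins,
       MAX(event_timestamp) AS last_login
FROM snowflake.account_usage.login_history
WHERE is_success = 'YES'
GROUP BY user_name
HAVING COUNT_IF(second_authentication_factor IS NOT NULL) = 0
ORDER BY last_login DESC;

-- Mitigation: require every human user to enroll in MFA (policy name is
-- an assumption). Service accounts that must use key-pair auth should be
-- given a separate policy rather than left on passwords.
CREATE AUTHENTICATION POLICY IF NOT EXISTS require_mfa_policy
    MFA_ENROLLMENT = REQUIRED;

ALTER ACCOUNT SET AUTHENTICATION POLICY require_mfa_policy;
```

Any hit in the first query is a lead, not proof; confirm against the IP ranges and tool names in Snowflake's own bulletin before disabling a user or rotating credentials.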