The Snowflake attack could be one of the biggest data breaches in history

Tomcat

Why does the company stubbornly refuse to admit that its networks were compromised, when everything already looks as obvious as it could be?

Last week, a report by Hudson Rock revealed a cyber attack involving the cloud data company Snowflake, in which confidential data belonging to Snowflake customers Ticketmaster and Santander was stolen.

Snowflake itself reacted very badly to the news of a possible compromise of its systems. After a brief investigation, the company stated that nobody had hacked it and asked Hudson Rock to take the report down, because the information in it allegedly "does not correspond to reality."

However, as it later turned out, it largely did. Once Mandiant and CrowdStrike were brought into the investigation, it emerged that attackers had indeed tried to get into the accounts of Snowflake customers using stolen usernames and passwords. As you might guess, they succeeded.

Over the past few days, cybercriminals have announced the sale of stolen data from two more large companies, allegedly also obtained from Snowflake systems. Meanwhile, TechCrunch reported that hundreds of Snowflake customer passwords were publicly available.

The scale of the attack on Snowflake customers, the identity of the attackers, and how the RapeFlake tool works are still unclear. Most of the Snowflake incident unfolded on the hacker forum BreachForums. The FBI took the forum down in May, but it quickly came back, with ShinyHunters claiming to be selling 560 million Ticketmaster records and 30 million Santander records. ShinyHunters is probably behind the Snowflake hack.

Both Ticketmaster and Santander quickly confirmed the data leaks, and both said they had not been hacked directly; rather, databases at a third-party provider were affected, which in this situation appears to be Snowflake.

In recent days, BreachForums has also carried alleged leaks from Advance Auto Parts (380 million customer records) and from LendingTree and its subsidiary QuoteWizard (190 million records). Some of the published email addresses of Advance Auto Parts employees and customers turned out to be valid.

Advance Auto Parts spokesman Darryl Carr said the company is investigating a possible leak connected to Snowflake. LendingTree has not yet commented.

In its blog, Snowflake admitted that the accounts ended up in the attackers' hands because of usernames and passwords stolen by infostealers. The company found no evidence that its own employees had been compromised, and found only that a former employee's demo account had been accessed. Judging by the scale of the leaks, however, the hackers still hold the level of access they need.

The incident shows how tightly companies are now integrated with third-party services. According to security expert Troy Hunt, it is an acknowledgement of how hard it is to control the security of third-party vendors in today's digital reality.

In response to the attacks, Snowflake recommended that customers enable multi-factor authentication and restrict access to authorized network locations only. Companies affected by the leaks should also reset their Snowflake passwords.

As for the infostealers that Snowflake blames for the attack, their use to steal usernames, passwords, and files from devices has grown significantly in recent years, especially during the pandemic. In addition, according to Ian Gray of Flashpoint, high demand means there are many cheap infostealers available to practically any attacker.

"These programs steal confidential information in various ways: cookies, credentials, credit cards, crypto wallets. And then, with the help of the obtained data, hackers try to get into corporate accounts," explains Gray.
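The hardening steps Snowflake recommends above (multi-factor authentication, access only from authorized locations, password resets) together with a hunt for the password-only logins that the infostealer story implies, written out as an added example in Snowflake SQL. This is not code from the article, from Snowflake's own guidance, or from any of the investigators; the administrative role, the `security_db.policies` schema, the policy names, the IP ranges and the user names are all assumptions, and authentication policies are assumed to be available on the account.

```sql
-- Added example, not from the article or from Snowflake's own guidance.
-- Assumed: you run this as ACCOUNTADMIN, the schema security_db.policies
-- already exists, and 203.0.113.0/24 plus 198.51.100.7 are your corporate
-- egress ranges (these are documentation ranges, not real ones).

-- 1. Restrict where logins may come from (the "authorized sources" advice).
--    Put your OWN current egress IP in the list first: the ALTER ACCOUNT
--    below otherwise locks you out together with the attacker.
CREATE NETWORK POLICY IF NOT EXISTS corp_only_policy
  ALLOWED_IP_LIST = ('203.0.113.0/24', '198.51.100.7')
  COMMENT = 'Only corporate egress ranges may authenticate to this account';
ALTER ACCOUNT SET NETWORK_POLICY = corp_only_policy;

-- 2. Make MFA mandatory rather than opt-in. A stolen password on its own
--    then fails, which is exactly the infostealer scenario described above.
--    Authentication policies are schema-level objects, hence the qualified name.
CREATE AUTHENTICATION POLICY IF NOT EXISTS security_db.policies.require_mfa_policy
  MFA_ENROLLMENT = REQUIRED
  CLIENT_TYPES = ('SNOWFLAKE_UI', 'DRIVERS', 'SNOWSQL')
  COMMENT = 'Users must enrol in MFA; password-only sessions are refused';
ALTER ACCOUNT SET AUTHENTICATION POLICY security_db.policies.require_mfa_policy;

-- 3. Hunt: successful logins in the last 30 days that used a password with
--    no second factor and came from outside the allowed ranges. The
--    ACCOUNT_USAGE view lags by up to about two hours; use the
--    INFORMATION_SCHEMA.LOGIN_HISTORY() table function for the newest window.
SELECT event_timestamp,
       user_name,
       client_ip,
       reported_client_type,
       first_authentication_factor,
       second_authentication_factor
FROM   snowflake.account_usage.login_history
WHERE  event_timestamp >= DATEADD('day', -30, CURRENT_TIMESTAMP())
  AND  is_success = 'YES'
  AND  first_authentication_factor = 'PASSWORD'
  AND  second_authentication_factor IS NULL
  AND  NOT (client_ip LIKE '203.0.113.%' OR client_ip = '198.51.100.7')
ORDER BY event_timestamp DESC;

-- 4. Find forgotten accounts of the "former employee's demo account" kind:
--    still enabled, password-capable, and not used in 90 days (or ever).
SELECT name,
       login_name,
       has_password,
       ext_authn_duo,          -- TRUE when the user is enrolled in Duo MFA
       last_success_login
FROM   snowflake.account_usage.users
WHERE  deleted_on IS NULL
  AND  disabled::boolean = FALSE
  AND  has_password = TRUE
  AND  (last_success_login IS NULL
        OR last_success_login < DATEADD('day', -90, CURRENT_TIMESTAMP()))
ORDER BY last_success_login NULLS FIRST;

-- 5. Act on the findings (hypothetical user names). Disabling is reversible;
--    RESET PASSWORD issues a fresh credential that no stealer log contains.
ALTER USER demo_former_employee SET DISABLED = TRUE;
ALTER USER contractor_bi RESET PASSWORD;
```

The order matters: run the hunting queries (steps 3 and 4) before the account-wide policy changes, so that any session an attacker already holds shows up in the results before the policy starts rejecting new logins from their addresses, and keep the network policy's allow list in version control, since a missing range turns into a self-inflicted outage rather than a blocked attacker.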