
Yesterday I posted about the Managed Service Provider – Snowflake – which had been suspected to be the root cause of the breaches against Ticketmaster & Santander.
Late yesterday, Snowflake issued a formal statement, categorically denying that they were the weak point which led to the data leaks affecting the two companies being touted by ShinyHunters.
The statement, issued jointly by Snowflake, Mandiant, and CrowdStrike, outlined five key elements:
- There is no evidence suggesting this activity was caused by a vulnerability, misconfiguration, or breach of Snowflake’s platform;
- There is no evidence suggesting this activity was caused by compromised credentials of current or former Snowflake personnel;
- This appears to be a targeted campaign directed at users with single-factor authentication;
- As part of this campaign, threat actors have leveraged credentials previously purchased or obtained through infostealing malware; and
- Evidence was found that a threat actor obtained personal credentials to and accessed demo accounts belonging to a former Snowflake employee. It did not contain sensitive data. Demo accounts are not connected to Snowflake’s production or corporate systems. The access was possible because the demo account was not behind Okta or Multi-Factor Authentication (MFA), unlike Snowflake’s corporate and production systems.
Throughout the course of the investigation, Snowflake has informed the limited number of Snowflake customers who it believes may have been affected. Mandiant has also engaged in outreach to potentially affected organizations.
The company is also advising all customers to review their investigative and hardening guidelines, and to take the following steps to harden their systems and prevent any future unwanted access:
- Enforce Multi-Factor Authentication on all accounts;
- Set up Network Policy Rules to only allow authorized users or only allow traffic from trusted locations (VPN, Cloud workload NAT, etc.); and
- Impacted organizations should reset and rotate Snowflake credentials.
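The three hardening steps above map onto a handful of Snowflake SQL statements. The block below is an added example written for this post, not text from Snowflake's statement or its own guidance. It assumes a role with ACCOUNTADMIN or SECURITYADMIN privileges and access to the `SNOWFLAKE.ACCOUNT_USAGE` views; the policy name `trusted_egress_only`, the IP ranges, and the user `svc_reporting` are constructed placeholders. MFA enrollment itself happens per user through the Snowflake interface, so the SQL finds the users who are still single-factor rather than enrolling them.

```sql
-- Added example (not from the post or from Snowflake): audit and hardening
-- steps for a Snowflake account. Run with ACCOUNTADMIN or SECURITYADMIN.
-- Names and IP ranges are constructed placeholders; substitute your own.

-- 1. Find active users who can still log in with a password and no second
--    factor. EXT_AUTHN_DUO becomes TRUE once a user enrolls in Snowflake's
--    built-in MFA; HAS_PASSWORD shows the user accepts password logins at all.
SELECT name, has_password, has_rsa_public_key, ext_authn_duo, last_success_login
FROM snowflake.account_usage.users
WHERE deleted_on IS NULL
  AND disabled = FALSE
  AND has_password = TRUE
  AND ext_authn_duo = FALSE
ORDER BY last_success_login DESC NULLS LAST;

-- 2. Review the last 30 days of successful logins that used only a password
--    (the pattern the statement describes). Client IP and reported client
--    type help spot sessions from unexpected locations or tooling.
SELECT event_timestamp, user_name, client_ip, reported_client_type,
       first_authentication_factor, second_authentication_factor
FROM snowflake.account_usage.login_history
WHERE event_timestamp >= DATEADD(day, -30, CURRENT_TIMESTAMP())
  AND is_success = 'YES'
  AND first_authentication_factor = 'PASSWORD'
  AND second_authentication_factor IS NULL
ORDER BY event_timestamp DESC;

-- 3. Restrict where logins may originate. The two ranges are constructed
--    placeholders standing in for a corporate VPN egress and a cloud NAT.
CREATE NETWORK POLICY IF NOT EXISTS trusted_egress_only
  ALLOWED_IP_LIST = ('203.0.113.0/24', '198.51.100.10')
  COMMENT = 'Only allow logins from corporate VPN egress and cloud NAT';

-- Apply it account-wide. A per-user policy (ALTER USER ... SET NETWORK_POLICY)
-- takes precedence for service accounts that need a different allow list.
ALTER ACCOUNT SET NETWORK_POLICY = trusted_egress_only;

-- 4. Rotate credentials for a user believed to be impacted: issue a one-time
--    password reset, drop any key pair that may have leaked alongside the
--    password, and abort whatever is still running under that identity.
ALTER USER svc_reporting RESET PASSWORD;       -- returns a one-time reset URL
ALTER USER svc_reporting UNSET RSA_PUBLIC_KEY;
ALTER USER svc_reporting UNSET RSA_PUBLIC_KEY_2;
ALTER USER svc_reporting ABORT ALL QUERIES;
```

Apply the network policy before rotating credentials: a rotated password that can still be used from anywhere on the internet only helps until the next infostealer run, whereas the allow list blocks the login path regardless of which credential was stolen. The `ACCOUNT_USAGE` views lag live activity by up to a couple of hours, so for a fresh incident pair the login-history query with the near-real-time `INFORMATION_SCHEMA.LOGIN_HISTORY` table function.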