Snowflake Breach

The Snowflake Attack May Be Turning Into One of the Largest Data Breaches Ever

The number of alleged hacks targeting the customers of cloud storage firm Snowflake appears to be snowballing into one of the biggest data breaches of all time.

- Wired

Cloud services provider Snowflake has posted a notice on its community forums about “a targeted threat campaign against some Snowflake customer accounts.” The company maintains that this activity was not caused by a vulnerability, misconfiguration, or breach of its product.

For details, Snowflake points to research by Google’s Mandiant, which found that one cybercriminal obtained access to multiple organizations’ Snowflake customer instances using stolen customer credentials.

Mandiant identified that the threat actor used Snowflake customer credentials that had previously been exposed via several infostealer malware variants, including VIDAR, RISEPRO, REDLINE, RACCOON STEALER, LUMMA and METASTEALER. These credentials were primarily obtained from infected systems not owned by Snowflake. Mandiant says it has identified hundreds of customer Snowflake credentials that were obtained this way since 2020.

Another notable detail in the analysis: in several cases, the initial infostealer compromise occurred on contractor systems that were also used for personal activities, including gaming and downloading pirated software.

Mandiant attributes the attacks to a financially motivated group it calls UNC5537. We think it’s likely that this group is represented by the data seller posting under the handle Sp1d3r, which we have seen offering data sets for sale that are associated with the campaign targeting Snowflake customers.

The investigation’s preliminary findings are:

  • Threat actors used credentials purchased or obtained through info-stealing malware.

  • It appears to be a targeted campaign directed at users with single-factor authentication.

  • It wasn’t a vulnerability, misconfiguration, or breach of Snowflake’s platform.

  • It didn’t use credentials taken from current or former Snowflake personnel.

  • A threat actor did use a former Snowflake employee’s personal credentials to access demo accounts. Snowflake says demo accounts are not connected to its production or corporate systems.
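The findings above describe two conditions worth hunting for in any Snowflake account: users who can still log in with a password and no second factor, and successful password-only logins coming from addresses a user has never used before. The following Snowflake SQL is an added example, not code from Snowflake, Mandiant, or the original post. It reads the documented SNOWFLAKE.ACCOUNT_USAGE views (USERS and LOGIN_HISTORY) and assumes a role with access to that schema; the 30-day window is my choice, and LOGIN_HISTORY only retains a year of events with a latency of up to a couple of hours, so very recent logins may not appear yet.

```sql
-- Added example: hunt for single-factor access in Snowflake ACCOUNT_USAGE.
-- Assumes a role (e.g. ACCOUNTADMIN) that can read SNOWFLAKE.ACCOUNT_USAGE.
USE ROLE ACCOUNTADMIN;

-- 1. Users who still authenticate with a password and have no MFA enrolled.
--    HAS_PASSWORD and EXT_AUTHN_DUO are columns of ACCOUNT_USAGE.USERS.
SELECT name, login_name, disabled, default_role, last_success_login
FROM   snowflake.account_usage.users
WHERE  deleted_on IS NULL
  AND  has_password = TRUE
  AND  ext_authn_duo = FALSE
ORDER  BY last_success_login DESC NULLS LAST;

-- 2. Successful logins in the last 30 days where the only factor was a password.
--    IS_SUCCESS is the string 'YES'/'NO' in ACCOUNT_USAGE.LOGIN_HISTORY.
SELECT event_timestamp, user_name, client_ip,
       reported_client_type, reported_client_version
FROM   snowflake.account_usage.login_history
WHERE  is_success = 'YES'
  AND  first_authentication_factor = 'PASSWORD'
  AND  second_authentication_factor IS NULL
  AND  event_timestamp >= DATEADD(day, -30, CURRENT_TIMESTAMP())
ORDER  BY event_timestamp DESC;

-- 3. Password-only logins from an IP the user had never logged in from before
--    the window. A credential replayed from an infostealer dump usually shows
--    up as a known user arriving from an unfamiliar source address.
WITH recent AS (
  SELECT user_name, client_ip, MIN(event_timestamp) AS first_seen
  FROM   snowflake.account_usage.login_history
  WHERE  is_success = 'YES'
    AND  first_authentication_factor = 'PASSWORD'
    AND  second_authentication_factor IS NULL
    AND  event_timestamp >= DATEADD(day, -30, CURRENT_TIMESTAMP())
  GROUP  BY user_name, client_ip
),
historic AS (
  SELECT DISTINCT user_name, client_ip
  FROM   snowflake.account_usage.login_history
  WHERE  event_timestamp < DATEADD(day, -30, CURRENT_TIMESTAMP())
)
SELECT r.user_name, r.client_ip, r.first_seen
FROM   recent r
LEFT   JOIN historic h
       ON h.user_name = r.user_name AND h.client_ip = r.client_ip
WHERE  h.client_ip IS NULL
ORDER  BY r.first_seen DESC;
```

Query 1 is the inventory to fix; queries 2 and 3 are the triage list. Rows from query 3 for privileged roles, or from client types and versions that the organisation does not use, are the ones to review first, and the same filters can be narrowed to a specific user once a leaked credential is known.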

What baffles me is this advisory statement from Snowflake:

We are also developing a plan to require our customers to implement advanced security controls, like multi-factor authentication (MFA) or network policies, especially for privileged Snowflake customer accounts.

At this point, it’s time to say MFA should have been mandatory, not a customer choice. It is not just the first step to becoming NIS2 compliant. Given the sophistication of modern-day cyberattacks and the cyber-arsenal available at an attacker’s fingertips, reliance on user-chosen passwords as a reliable form of defense must end.
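The advisory names two controls, MFA and network policies, and both can be enforced from SQL rather than left to individual users. The following is an added example of how an account administrator would do that; it is not Snowflake’s or the original post’s code. The statement forms follow Snowflake’s documented CREATE NETWORK POLICY, CREATE AUTHENTICATION POLICY and ALTER USER syntax as I know it, and should be checked against the current reference before use. The policy names, the user etl_svc and the IP ranges are placeholders I made up.

```sql
-- Added example: enforce network restrictions and MFA on a Snowflake account.
-- Assumes ACCOUNTADMIN; all names and addresses below are placeholders.
USE ROLE ACCOUNTADMIN;

-- 1. Restrict where the account may be reached from.
--    Replace the documentation ranges with the real corporate egress addresses.
CREATE NETWORK POLICY IF NOT EXISTS corp_egress_only
  ALLOWED_IP_LIST = ('192.0.2.0/24', '198.51.100.10')
  COMMENT = 'Corporate egress only; stolen passwords are useless from elsewhere';

-- Account-wide default. A user-level policy takes precedence over it.
ALTER ACCOUNT SET NETWORK_POLICY = corp_egress_only;

-- Tighter policy for a service account that only ever connects from one host.
CREATE NETWORK POLICY IF NOT EXISTS etl_runner_only
  ALLOWED_IP_LIST = ('203.0.113.5');
ALTER USER etl_svc SET NETWORK_POLICY = etl_runner_only;

-- 2. Require MFA for password logins in the web UI via an authentication policy.
--    Extend CLIENT_TYPES to DRIVERS / SNOWSQL only after service accounts have
--    been moved off passwords (step 3), or automated jobs will start failing.
CREATE AUTHENTICATION POLICY IF NOT EXISTS require_mfa
  MFA_AUTHENTICATION_METHODS = ('PASSWORD')
  MFA_ENROLLMENT = REQUIRED
  CLIENT_TYPES = ('SNOWFLAKE_UI');
ALTER ACCOUNT SET AUTHENTICATION POLICY require_mfa;

-- 3. Service accounts should not hold a password at all: switch to key-pair
--    authentication and drop the password so a leaked one cannot be replayed.
ALTER USER etl_svc SET RSA_PUBLIC_KEY = '<PEM body of the service public key>';
ALTER USER etl_svc UNSET PASSWORD;

-- 4. Verify what is now in force.
SHOW NETWORK POLICIES;
SHOW PARAMETERS LIKE 'NETWORK_POLICY' IN ACCOUNT;
SHOW AUTHENTICATION POLICIES;
```

Apply the network policy first from a session that is inside the allowed range, because it takes effect for new connections immediately and an administrator locked out by their own policy needs Snowflake support to recover. The order in step 2 and 3 matters for the same reason: credentials that cannot be enrolled in MFA must be removed before MFA is required for the client types they use.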

It’s even debatable whether every form of MFA is sufficient to protect important accounts like these. As we have seen, modern phishing kits are quite capable of intercepting and using some types of second factors, such as codes sent by SMS or generated by apps. Capturing a code entered by a user is just as easy as capturing a password entered by a user.

If the targets are valuable enough, cybercriminals can afford to invest in tools, methodology, and time. To date, Mandiant and Snowflake have notified approximately 165 potentially exposed organizations.

What companies may have been impacted?

See how organizations across industries and regions use Snowflake

AT&T Data Breach Announcement and background information

We learned that AT&T customer data was illegally downloaded from our workspace on a third-party cloud platform. We started an investigation and engaged leading cybersecurity experts to help us determine the nature and scope of the issue. We have confirmed the access point has been secured.

Our investigation found that the downloaded data included phone call and text message records of nearly all of AT&T’s cellular customers from May 1, 2022 to October 31, 2022, as well as on January 2, 2023. These records identify other phone numbers that an AT&T wireless number interacted with during this time, including AT&T landline (home phone) customers. For a subset of the records, one or more cell site ID numbers associated with the interactions are also included.

At this time, we do not believe the data is publicly available. We continue to work with law enforcement in their efforts to arrest those involved. Based on information available to us, we understand that at least one person has been apprehended.


Data that was involved

The call and text records identify the phone numbers with which an AT&T number interacted during this period, including AT&T landline (home phone) customers. It also included counts of those calls or texts and total call durations for specific days or months.

We’ll notify current and former customers if their information was involved.

“The Snowflake Data Cloud has given us the power to harness and integrate data to create insights. With data at our fingertips, we are growing revenue, becoming more cost effective and, most importantly, improving the customer experience.”

Andy Markus

Chief Data Officer, AT&T

Incident linked to recent Snowflake breaches

AT&T spokesperson Andrea Huguely reportedly told TechCrunch that the customer records in this most recent compromise were stolen from Snowflake during the recent flurry of incidents the cloud data company experienced. The telecom giant confirmed to SC Media that the data breach occurred outside of its own network, via cloud IT service provider Snowflake.

Matrix multiplication algorithm

Because matrix multiplication is such a central operation in many numerical algorithms, much work has been invested in making matrix multiplication algorithms efficient. Applications of matrix multiplication in computational problems are found in many fields including scientific computing and pattern recognition and in seemingly unrelated problems such as counting the paths through a graph. Many different algorithms have been designed for multiplying matrices on different types of hardware, including parallel and distributed systems, where the computational work is spread over multiple processors (perhaps over a network).

Happy New Year (JAN.1)

New York City, Times Square Ball

In recent weeks, JN.1 continues to be reported in multiple countries, and its prevalence has been rapidly increasing globally.

A COVID variant known as JN.1 has been listed as a separate "variant of interest" by the World Health Organization (WHO)…. There is no evidence that JN.1 causes any more severe disease…