Cloud computing and analytics startup Snowflake says a "limited number" of its clients had been sought out as part of a targeted operation.
"We have not identified evidence suggesting this activity was caused by a vulnerability, misconfiguration, or breach of Snowflake's platform," the business stated in a joint statement together with CrowdStrike and Google-owned Mandiant.
"We have not identified evidence suggesting this activity was caused by compromised credentials of current or former Snowflake personnel."
It also noted the activity is intended targeting customers using single-factor authentication, with the suspected threat actors exploiting credentials previously acquired or obtained via information-stealing malware.
"Threat actors are actively compromising organizations' Snowflake customer tenants by using stolen credentials obtained by infostealing malware and logging into databases that are configured with single factor authentication," Mandiant CTO Charles Carmakal wrote in a post on LinkedIn.
Snowflake is also recommending enterprises to adopt multi-factor authentication (MFA) and restrict network traffic solely from trustworthy places.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA), in a notice released on Monday, urged enterprises follow the recommendations offered by Snowflake to seek for signals of odd behavior and take actions to prevent unauthorized user access.
A similar notice from the Australian Signals Directorate's Australian Cyber Security Centre (ACSC) warned of "successful compromises of several companies utilizing Snowflake environments."
Some of the signs include malicious connections emanating from clients identifying themselves as "rapeflake" and "DBeaver_DBeaverUltimate."
The news comes days after the corporation announced that it has seen a rise in malicious activity targeting user accounts on its cloud data platform.
While a report by cybersecurity company Hudson Rock initially claimed that the breach of Ticketmaster and Santander Bank may have emanated from threat actors utilizing a Snowflake employee's stolen credentials, it has subsequently been pulled down, citing a letter it received from Snowflake's legal counsel.
It's presently not clear how the two organizations — who are both Snowflake clients – had their information taken. ShinyHunters, the persona that claimed responsibility for the twin breaches on the now-resurrected BreachForums, informed DataBreaches.net that Hudson Rock's explanation was erroneous and that it's "disinformation."
"Infostealers are a significant problem — it has long since outpaced botnets etc. in the real world — and the only real solution is robust multi-factor authentication," independent security researcher Kevin Beaumont stated. It's thought that an adolescent criminal organization is behind the event.
