Cloud vendor Snowflake is now reporting it's the victim of a campaign apparently targeting customers with single-factor authentication.
The cloud data platform released new details about the attacks on its customers, including Ticketmaster, which it says were carried out using credentials lifted from a former Snowflake employee.
A report from Snowflake along with security providers CrowdStrike and Mandiant outlined how a third-party hacker was able to use stolen credentials to access what was classified as demo account data.
This is in contrast to the roughly 600 million account records that the cybercriminal group known as "ShinyHunters" claimed to have taken from Ticketmaster and Santander Bank. The group reportedly offered the stolen data for sale at an asking price of $500,000.
“We did find evidence that a threat actor obtained personal credentials to and accessed demo accounts belonging to a former Snowflake employee,” Snowflake said on its website.
Reuse of a departed employee's credentials does not meet the CVSS definition of a vulnerability, but in practical terms an account that outlives its owner's employment and can still be reached with a single factor is exactly that.
The technical details of the incident remain unclear, as the initial report on the breach from Hudson Rock was taken down, reportedly because of legal action.
According to Andrew Costis, chapter lead of AttackIQ's threat research group, the hacking group should be taken seriously.
“ShinyHunters are well versed in the art of data breaches,” Costis explained, adding that the group's members are known for gaining access via Microsoft Office 365, GitHub, obtaining access to valid accounts, as well as exploiting vulnerabilities.
The leak was serious enough that the U.S. Cybersecurity and Infrastructure Security Agency (CISA) decided to issue an alert on the matter.
"Users and administrators are encouraged to hunt for any malicious activity, report positive findings to CISA, and review the following Snowflake notice for additional information," the alert read.
Snowflake, for its part, said that users should be wary of targeted phishing emails and keep an eye out for specially crafted messages aimed at specific users.
“This appears to be a targeted campaign directed at users with single-factor authentication,” Snowflake said in its notice.
As a best practice, users should enable multi-factor authentication, disable accounts that are no longer needed, and watch for suspicious sign-in activity.
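CISA's advice to "hunt for any malicious activity" and Snowflake's observation that the campaign targets single-factor users translate directly into a few queries against Snowflake's own audit views. The following is an added example written for this page, not code from the article, from Snowflake's notice, or from CISA; it assumes a role that can read the SNOWFLAKE.ACCOUNT_USAGE schema (for example ACCOUNTADMIN), and the user names and IP range in the remediation section are hypothetical placeholders.

```sql
-- Added example (not from the article or Snowflake's notice): hunt for
-- single-factor logins and stale password-only users, then contain them.
-- Assumes a role with access to SNOWFLAKE.ACCOUNT_USAGE. Note that these
-- views lag live activity by up to a couple of hours, so pair them with
-- the real-time INFORMATION_SCHEMA.LOGIN_HISTORY table function for the
-- most recent events.

-- 1. Successful logins in the last 14 days that used only a password:
--    first factor PASSWORD and no second factor, summarised per
--    user / source IP / client so the result stays readable.
SELECT
    user_name,
    client_ip,
    reported_client_type,
    MIN(event_timestamp) AS first_seen,
    MAX(event_timestamp) AS last_seen,
    COUNT(*)             AS logins
FROM snowflake.account_usage.login_history
WHERE event_timestamp >= DATEADD(day, -14, CURRENT_TIMESTAMP())
  AND is_success = 'YES'
  AND first_authentication_factor = 'PASSWORD'
  AND second_authentication_factor IS NULL
GROUP BY user_name, client_ip, reported_client_type
ORDER BY last_seen DESC;

-- 2. Enabled users that can log in with a password, have no Duo MFA
--    enrolled, and have not signed in for 90 days (or ever): the profile
--    of a forgotten ex-employee or demo account. Users who only sign in
--    through SSO show a SAML2_ASSERTION first factor in query 1 and are
--    not covered by ext_authn_duo, so check the IdP for them separately.
SELECT
    name,
    last_success_login,
    has_password,
    ext_authn_duo AS mfa_enrolled
FROM snowflake.account_usage.users
WHERE deleted_on IS NULL
  AND disabled::boolean = FALSE          -- cast: column is exposed as VARIANT
  AND has_password = TRUE
  AND ext_authn_duo = FALSE
  AND (last_success_login IS NULL
       OR last_success_login < DATEADD(day, -90, CURRENT_TIMESTAMP()))
ORDER BY last_success_login NULLS FIRST;

-- 3. Containment for what the queries turn up. User names below are
--    hypothetical; substitute the ones returned above.
ALTER USER former_employee_demo SET DISABLED = TRUE;       -- account should not exist
ALTER USER suspect_user SET MUST_CHANGE_PASSWORD = TRUE;    -- force rotation on next login

-- Limit where the account can be reached from while the investigation
-- runs; 203.0.113.0/24 is a documentation range standing in for the
-- corporate egress addresses.
CREATE NETWORK POLICY IF NOT EXISTS corp_only
    ALLOWED_IP_LIST = ('203.0.113.0/24');
ALTER ACCOUNT SET NETWORK_POLICY = corp_only;
```

Query 1 is the hunting step: any password-only login from an address or client type the user has never used before deserves a closer look at the rest of that session in QUERY_HISTORY. Query 2 is the preventive step, finding the accounts that would be hit next. The network policy is a blunt instrument and will lock out legitimate remote users if the allow list is wrong, so apply it account-wide only after confirming the address ranges, or scope it to individual users with ALTER USER ... SET NETWORK_POLICY instead.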