Snowflake compromised? Attackers exploit stolen credentials (Security News, May 2024)
Have attackers compromised Snowflake or just their customers' accounts and databases? Conflicting claims muddy the situation.
A threat actor has been stealing data from organizations that use the Snowflake cloud-based platform by leveraging stolen customer credentials and an attack tool named "Rapeflake", Mitiga researchers have discovered.
"From an enterprise perspective, Snowflake is typically set up as a cloud-based data warehousing solution. Enterprises choose a cloud provider, and set up their Snowflake account within the chosen region. Data is ingested from various sources, transformed, and analyzed using SQL," Doron Karmi, Senior Cloud Security Researcher at Mitiga, told Help Net Security.
"Information about the incident and the group's tactics is not yet fully published, but from what we know, the group utilizes custom tools to find Snowflake instances and employs credential stuffing techniques to gain unauthorized access. Once access is obtained, they leverage built-in Snowflake features to exfiltrate data to external locations, possibly using cloud storage services."
Snowflake has compiled a document outlining known indicators of compromise, investigative queries Snowflake admins can use to detect access from suspected IP addresses and clients, remediation measures they should take if they find their databases have been accessed by the attackers, and attack prevention advice.
"In every Snowflake environment, there is a database named 'Snowflake' housing a schema called 'ACCOUNT USAGE.' This schema holds metadata and historical usage data for the current Snowflake account, updating with each action taken, providing a comprehensive audit trail," they explained.
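The kind of investigative query the article refers to, as an added example that is neither the article's nor Snowflake's own published query set. It runs against the SNOWFLAKE.ACCOUNT_USAGE views from a role with access to that database; the two IP addresses are constructed placeholders (RFC 5737 documentation ranges) to be replaced with the indicators from Snowflake's guidance, and treating the reported tool name as a client-application pattern is an assumption.

```sql
-- Step 1: flag successful logins in the last 30 days that came from a listed IP,
-- from a client whose name matches the reported tool, or that used only a
-- password (no second factor). Stored in a temp table so step 2 can reuse it.
-- Note: ACCOUNT_USAGE views lag live activity by up to a few hours.
CREATE OR REPLACE TEMPORARY TABLE flagged_logins AS
WITH suspect_ips AS (
    -- constructed placeholder values; substitute the published indicators
    SELECT column1 AS ip FROM VALUES ('198.51.100.10'), ('203.0.113.45')
)
SELECT l.event_id,
       l.event_timestamp,
       l.user_name,
       l.client_ip,
       l.reported_client_type,
       s.client_application_id,
       l.first_authentication_factor,
       l.second_authentication_factor,
       CASE
         WHEN l.client_ip IN (SELECT ip FROM suspect_ips)      THEN 'suspect_ip'
         WHEN s.client_application_id ILIKE '%rapeflake%'       THEN 'suspect_client'  -- assumption
         WHEN l.first_authentication_factor = 'PASSWORD'
          AND l.second_authentication_factor IS NULL            THEN 'password_only'
       END AS reason
FROM snowflake.account_usage.login_history l
LEFT JOIN snowflake.account_usage.sessions s
       ON s.login_event_id = l.event_id
WHERE l.is_success = 'YES'
  AND l.event_timestamp >= DATEADD(day, -30, CURRENT_TIMESTAMP())
QUALIFY reason IS NOT NULL;

-- Step 2: for sessions tied to a flagged login, list bulk exports
-- (COPY INTO <location> is recorded with QUERY_TYPE = 'UNLOAD') and
-- stage downloads, which is how data leaves the account via built-in features.
SELECT f.reason,
       f.user_name,
       f.client_ip,
       q.start_time,
       q.role_name,
       q.query_type,
       LEFT(q.query_text, 200) AS query_text_prefix
FROM flagged_logins f
JOIN snowflake.account_usage.sessions s      ON s.login_event_id = f.event_id
JOIN snowflake.account_usage.query_history q ON q.session_id = s.session_id
WHERE q.query_type = 'UNLOAD'
   OR q.query_text ILIKE 'GET %'
ORDER BY q.start_time;
```

The 'password_only' reason is the broadest and will match legitimate users who have not enrolled in MFA; it is listed because single-factor logins are exactly what credential stuffing exploits, and those accounts are the remediation priority.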
News URL: https://www.helpnetsecurity.com/2024/05/31/snowflake-compromised-data-theft/