Hudson Rock yanks report fingering Snowflake employee creds snafu for mega-leak

Cloud storage giant lawyers up against infosec house


Analysis Hudson Rock, citing legal pressure from Snowflake, has removed its online report that claimed miscreants broke into the cloud storage and analytics giant's underlying systems and stole data from potentially hundreds of customers including Ticketmaster and Santander Bank.

More specifically, the infosec house reported criminals got hold of a Snowflake employee's work credentials using info-stealing malware, and used that privileged access to exfiltrate tons of data from Snowflake's customer cloud accounts. Snowflake said that didn't happen.

It's true at least that Ticketmaster and Santander had their info stolen, though how and from where exactly isn't officially known yet; both are Snowflake customers. A Ticketmaster media rep reportedly told TechCrunch its pilfered data was hosted by Snowflake.

Snowflake said if any customer data was taken from its servers, it may have been obtained by thieves who got hold of individual customers' account credentials – via targeted phishing, some other leak, or malware, for example – and not by a general compromise of Snowflake's security.

Indeed, Snowflake believes a "limited" number of its as-yet-unnamed customers may in reality have had their data accessed using purloined account credentials where those accounts did not have two-factor authentication enabled.

But the cloud biz denied its underlying security was breached, and leaned on Hudson Rock to pull its report suggesting as much.

"In accordance to a letter we received from Snowflake's legal counsel, we have decided to take down all content related to our report," Hudson Rock said in a statement on Monday. The cyber-crime intel firm declined to answer The Register's specific questions about the report and its removal.

On Friday, in its now-deleted write-up, Hudson Rock wrote that data thieves claimed to have signed into a Snowflake employee's ServiceNow work account and used this access to siphon databases belonging to as many as 400 Snowflake corporate clients.

"By directly communicating with the threat actor behind the massive data breach of cloud storage giant, Snowflake, we gained unprecedented insight into the devastating impact of infostealer infections," the cyber-crime intel firm wrote.

One has to wonder if it was a good idea believing this particular threat actor. We suppose there could have been some kind of misunderstanding, miscommunication, or poor translation that led to Hudson Rock conveying that Snowflake customers had their info swiped via stolen Snowflake employee creds versus stolen individual account credentials.

It's possible the crooks didn't want to say they broke into individual accounts, and instead preferred to brag they somehow compromised Snowflake as a whole for extra internet leet points or to obfuscate their tracks.

Demo-lition, man

Snowflake CISO Brad Jones in a statement said crooks did steal a Snowflake worker's credentials, but did not use them to access sensitive information, such as customer data in the cloud; instead those creds got the intruder or intruders into worthless demo accounts, we're told. Jones said there was no multi-factor authentication on those pretend accounts:

We did find evidence that a threat actor obtained personal credentials to and accessed demo accounts belonging to a former Snowflake employee. It did not contain sensitive data. Demo accounts are not connected to Snowflake's production or corporate systems. The access was possible because the demo account was not behind Okta or Multi-Factor Authentication (MFA), unlike Snowflake's corporate and production systems.

Meanwhile, a "limited number of Snowflake customers" may well have had their actual cloud accounts compromised by intruders, Jones admitted in that same statement. This would have been due to "a targeted campaign directed at users with single-factor authentication," he said.

We're told miscreants may have used Snowflake user account login information "previously purchased or obtained through infostealing malware" to get into and ransack those clients' cloud storage. That's not the same as the provider itself being pwned, Snowflake argued.

"We have not identified evidence suggesting this activity was caused by compromised credentials of current or former Snowflake personnel," Jones wrote. Nor was any data theft "caused by a vulnerability, misconfiguration, or breach of Snowflake's platform," he said in his statement jointly signed by CrowdStrike and Mandiant, which were hired to assist in Snowflake's ongoing investigation into this affair.

Snowflake also urged all customers to immediately enable MFA on their accounts, and on Monday released relevant indicators-of-compromise. These are IP addresses and client identifiers to look out for as these seem to have been used by miscreants targeting Snowflake accounts. Those software clients tend to identify themselves using the unfortunate "rapeflake" handle.

This shows Snowflake is walking a tightrope. On the one side, it doesn't want people to think its servers were compromised at a fundamental level, and on the other, it has to tell customers to enable MFA ASAP and look for indications of compromise after individual accounts were targeted if not broken into.

Mandiant declined to comment on the case, and CrowdStrike referred additional questions back to Snowflake. And Snowflake declined to answer The Register's questions, including which customer accounts were targeted. 

"Snowflake is a cloud product and anyone can sign up for an account at any time," a Snowflake spokesperson told us. "If a threat actor obtains customer credentials, they may be able to access the account. Snowflake employees are no different and can also create their own Snowflake 'customer' accounts using personal credentials."

Ticketmaster owner Live Nation Entertainment, in an SEC filing on Friday, only said "unauthorized activity within a third-party cloud database environment containing company data" led to the theft of 560 million individuals' records. Santander declined to comment, citing an ongoing investigation.

More speculation

Infosec watcher Kevin Beaumont wrote over the weekend that he had heard of a number of Snowflake customers hit by database thieves: "I have spoken to people in multiple industries at large corporations where they’ve had significant data exfiltration in May via Snowflake."

It's worth noting ShinyHunters – the one or more criminals who put the stolen Santander and Ticketmaster data up for sale on the web – told DataBreaches.net that Hudson Rock's report was incorrect. It's believed ShinyHunters is acting as a broker for the data, which was stolen by someone else.

ShinyHunters said the ServiceNow part was made up by whoever spoke to Hudson Rock, and added the bit "that's true is we wanted Snowflake to send us $20 million," referring to the crime ring trying to extort that amount from Snowflake to keep any data stolen from the biz under wraps.

We know at least that Snowflake accounts are under attack using phished, purchased, or otherwise stolen credentials, and securing them should be a priority. You'd hope that MFA would be forced on for customers going forward.
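As an added illustration of the two defensive actions the article keeps returning to (sweeping login history for the published indicators, and finding accounts that are still signing in with a password alone), here is a small triage script. It is not code from The Register, Snowflake, Mandiant or CrowdStrike. The field names mirror columns of Snowflake's SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY view (plus CLIENT_APPLICATION_ID from ACCOUNT_USAGE.SESSIONS), but the login rows, the IP ranges standing in for the indicator list and the second-factor label are all constructed placeholders; a real run would load Snowflake's published indicators and the account's own exported history.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, Optional, Tuple

# Placeholder indicator values (constructed, NOT the indicators Snowflake
# published): substitute the real list from the advisory in practice.
IOC_NETWORKS = [ip_network("203.0.113.0/24"), ip_network("198.51.100.7/32")]
# Client handle named in the article; compared case-insensitively.
IOC_CLIENT_SUBSTRINGS = ["rapeflake"]


@dataclass
class LoginEvent:
    """One row of login history. Field names mirror columns of the
    SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY view, plus CLIENT_APPLICATION_ID
    from ACCOUNT_USAGE.SESSIONS (joined on the login event in practice)."""
    event_timestamp: str
    user_name: str
    client_ip: str
    reported_client_type: str
    client_application_id: str
    first_authentication_factor: str
    second_authentication_factor: Optional[str]
    is_success: bool


def findings_for(ev: LoginEvent) -> List[str]:
    """Return the reasons this login deserves a look (empty list = clean)."""
    reasons: List[str] = []
    if any(ip_address(ev.client_ip) in net for net in IOC_NETWORKS):
        reasons.append("ioc_ip")
    client_ident = f"{ev.reported_client_type} {ev.client_application_id}".lower()
    if any(s in client_ident for s in IOC_CLIENT_SUBSTRINGS):
        reasons.append("ioc_client")
    # A successful password login with no second factor is exactly the
    # single-factor exposure the Snowflake statement describes.
    if (ev.is_success
            and ev.first_authentication_factor == "PASSWORD"
            and ev.second_authentication_factor is None):
        reasons.append("single_factor_login")
    return reasons


def triage(events: Iterable[LoginEvent]) -> Dict[Tuple[str, str], List[str]]:
    """Map (timestamp, user) -> reasons, only for events with a finding."""
    out: Dict[Tuple[str, str], List[str]] = {}
    for ev in events:
        reasons = findings_for(ev)
        if reasons:
            out[(ev.event_timestamp, ev.user_name)] = reasons
    return out


def users_needing_mfa(events: Iterable[LoginEvent]) -> List[str]:
    """Users who completed a password-only login: candidates to enforce MFA on."""
    return sorted({ev.user_name for ev in events
                   if "single_factor_login" in findings_for(ev)})


# Constructed sample rows (not real account data; "DUO_PUSH" is a stand-in
# second-factor label).
SAMPLE_EVENTS = [
    LoginEvent("2024-05-20T01:02:00Z", "alice", "192.0.2.10", "JDBC_DRIVER",
               "constructed_bi_tool", "PASSWORD", "DUO_PUSH", True),
    LoginEvent("2024-05-20T03:14:00Z", "bob", "203.0.113.45", "OTHER",
               "rapeflake", "PASSWORD", None, True),
    LoginEvent("2024-05-20T03:15:00Z", "carol", "198.51.100.7", "PYTHON_DRIVER",
               "PythonConnector", "PASSWORD", None, False),
    LoginEvent("2024-05-21T09:00:00Z", "dave", "192.0.2.20", "ODBC",
               "RapeFlake-constructed", "OAUTH_ACCESS_TOKEN", None, True),
]

if __name__ == "__main__":
    for key, reasons in sorted(triage(SAMPLE_EVENTS).items()):
        print(key, reasons)
    print("enforce MFA on:", users_needing_mfa(SAMPLE_EVENTS))
```

A failed login from an indicator address is still reported (it shows someone is trying the account) but does not mark the user as single-factor, since nothing was accessed; only successful password-only logins feed the MFA enforcement list.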

We're also likely to see more Snowflake customers reporting database heists in the near future, as Beaumont hinted.

The Australian government's cybersecurity center warned in a June 1 alert of "successful compromises of several companies utilizing Snowflake environments."

So now we sit and wait for the other shoe(s) to drop.

"I feel bad for Snowflake on a human level as they're in a bad situation – this is a potentially business ending event for them – so they have to use every lever possible to point the fingers at their own customers as being negligent over 'rapeflake' activity to avoid responsibility," Beaumont wrote. "And to be clear, some of this is their customers' responsibility."

"But also," he added, Snowflake – which is holding a corporate summit for customers this week – needs to "own this issue" if it wants to survive, as "there's an extremely high chance this is going to play out publicly over the coming weeks and months." ®
