
I. Targeted Entities
Snowflake customers
II. Introduction
Snowflake is investigating a recent increase in cybersecurity threats against a limited number of customer accounts. Snowflake has attributed these attacks to unrelated exposure of customer credentials from other cyber threat activity. Malicious traffic has been observed from a list of IPs along with clients identifying as “rapeflake” and “DBeaver_DBeaverUltimate.” Clients identifying as “DBeaver_DBeaverUltimate” were running from Windows Server 2022. Snowflake does not currently believe these attacks stemmed from a vulnerability, misconfiguration, or an insider threat. Customers believed to have been impacted have been notified by the Snowflake team.
III. Additional Background Information
Snowflake is a cloud-based data-warehousing company that provides a data platform that allows customers to store and analyze their data in the cloud. Snowflake’s service allows customers to store data in a central hub without the worry of managing internal hardware and software. Snowflake also provides a range of data security features allowing customers to share, track, and audit their data.
IV. Recommendations and IOCs (Indicators of Compromise)
296 IPs were identified as being associated with this activity. In addition to the IPs, the malicious activity has also been linked to clients identifying as “rapeflake” and “DBeaver_DBeaverUltimate,” with “DBeaver” running from Windows Server 2022. Snowflake has released SQL queries to identify suspected clients and their sessions, disable suspected users, and reset the credentials of compromised accounts. A full list of IPs and recommended actions can be found on Snowflake’s community site in an article titled “Detecting and Preventing Unauthorized User Access: Instructions”, which can also be found in the references of this advisory.
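The query below is an example added to this advisory, not one of Snowflake's published queries; use the community article for the authoritative versions and the IP list. It finds sessions whose self-reported client matches the two indicators named above and joins each one to its login record to show the source IP and authentication factors. It assumes read access to the SNOWFLAKE.ACCOUNT_USAGE share, that the client name and OS appear under the APPLICATION and OS keys of CLIENT_ENVIRONMENT, and a 90-day look-back chosen for illustration.

```sql
-- Added example (not Snowflake's published query).
-- Assumptions: ACCOUNT_USAGE access; APPLICATION / OS keys in CLIENT_ENVIRONMENT;
-- 90-day window is illustrative, widen it to match your retention.
WITH recent_sessions AS (
    SELECT
        s.session_id,
        s.user_name,
        s.created_on,
        s.login_event_id,
        PARSE_JSON(s.client_environment):APPLICATION::STRING AS client_app,
        PARSE_JSON(s.client_environment):OS::STRING          AS client_os
    FROM snowflake.account_usage.sessions AS s
    WHERE s.created_on >= DATEADD(day, -90, CURRENT_TIMESTAMP())
)
SELECT
    rs.user_name,
    rs.session_id,
    rs.created_on,
    rs.client_app,
    rs.client_os,
    lh.client_ip,                     -- compare against the IP list in the Snowflake article
    lh.first_authentication_factor,   -- password-only logins are the exposed case
    lh.second_authentication_factor   -- NULL means no MFA was used for this login
FROM recent_sessions AS rs
LEFT JOIN snowflake.account_usage.login_history AS lh
       ON lh.event_id = rs.login_event_id
WHERE rs.client_app = 'rapeflake'
   OR (rs.client_app = 'DBeaver_DBeaverUltimate'
       AND rs.client_os = 'Windows Server 2022')
ORDER BY rs.created_on;

-- Containment for any user returned above (user name is a placeholder):
--   ALTER USER <user_name> SET DISABLED = TRUE;
```

The client name is reported by the connecting software, so an empty result does not rule out access with the same stolen credentials from a differently named client; check the login history against the published IP list as well.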
VI. References
(2024, June 3). Detecting and Preventing Unauthorized User Access: Instructions. Snowflake Community. (2024, June 4). https://community.snowflake.com/s/article/Communication-ID-0108977-Additional-Information
(2024, June 4). Snowflake Warns: Targeted Credential Theft Campaign Hits Cloud Customers. (2024, June 4). The Hacker News. https://thehackernews.com/2024/06/snowflake-warns-targeted-credential.html
Threat Advisory created by The Cyber Florida Security Operations Center. Contributing Security Analysts: Benjamin Price, Erika Delvalle