“These credentials were primarily obtained from multiple infostealer malware campaigns that infected non-Snowflake owned systems. This allowed the threat actor to gain access to the affected customer accounts and led to the export of a significant volume of customer data from their Snowflake customer instances. The threat actor has subsequently begun to extort many of the victims directly and is actively attempting to sell the stolen customer data on recognized cybercriminal forums,” Mandiant said.
Most of the stolen credentials, it added, came from infostealer infections that in some cases dated as far back as 2020.
Cybersecurity experts have been talking about Snowflake attacks for some time. In September, after more attacks, Brian Soby, CTO of AppOmni, said, “What we saw in the Snowflake ecosystem is most definitely not unique to that solution. This scenario could have easily played out in any major SaaS application, as the core vulnerabilities are the same; they center around a lack of meaningful visibility into the security configuration of applications and a lack of effective monitoring capability.”