In late May, the news broke: data from several hundred thousand Ticketmaster customers was put up for sale by a cyber criminal. The same would claim to have data relating to tens of millions of Santander customers.
From malicious actors I say I received 3TB of data from Advance Auto Parts, a North American auto parts dealer. They are said to have been obtained as part of an extensive campaign targeting Snowflake customers. Like for Ticketmaster and Santander.
Most recently, Pure Storage said it was also affected. In a briefing note he noted by “confirming and resolving a security incident involving a third party that temporarily gained unauthorized access to a unique Snowflake data analytics workspace.” The workspace contains telemetry information that Pure uses to provide proactive customer support services. This information includes company names, LDAP usernames, email addresses, and Purity software version numbers.
Pure Storage states that this space “does not contain compromising information such as passwords” and that “telemetry information cannot be used to gain unauthorized access to client systems.”
In fact, according to Mandiant, which Snowflake commissioned to investigate, about 165 of the publisher’s customers are susceptible have been affected by a campaign attributed to an actor monitored under reference UNC5537.
This actor allegedly gained “access to Snowflake client instances of multiple organizations via stolen client credentials.” These credentials are mainly obtained from several malware campaigns type of information thief that have infected systems other than Snowflake.
Compromised accounts “are not configured with multi-factor authentication (MFA) enabled”. During the investigation, “credentials identified in the infostealer malware results were still valid, sometimes years after they were stolen, and had not been rotated or updated.
Among the information thieves involved, Mandiant mentions Vidar, RisePro, Redline, Racoon, Lumma and Metastealer: “at least 79.7% of the accounts exploited by the threat in this campaign have already been exposed.” The first observed compromise of such identifiers dates back to. .. November 2020 Enough to raise the question of knowing how much the victims of the cyberattacks being prepared don’t know yet.
So far, Mandiant’s findings date the first use of stolen IDs to April 14, 2024.