Very big cyber incident playing out at Snowflake, who describe themselves as “AI Data Cloud”. They have a free trial where anybody can sign up and upload data… and they have.

Threat actors have been scraping customer data using a tool called rapeflake, for about a month.

The tl;dr of the Snowflake thing is mass scraping has been happening, but nobody noticed... and they're pointing at customers for having poor credentials. It appears a lot of data has gone walkies from a bunch of orgs.

Snowflake is a big AI data company with a conference in the US next week, chances of that going ahead are interesting.

IOCs: https://community.snowflake.com/s/article/Communication-ID-0108977-Additional-Information

Snowflake admin users need to check their Snowflake environment, not sec departments check their on prem.


Five orgs have told me they are running incidents for Snowflake, where their data has been copied.

Snowflake: there is absolutely no cybersecurity incident.

Also Snowflake: Please run these commands and look for "threat activity" logins with the user agent "rapeflake" using this knowledge base article we haven't listed on our website.

https://community.snowflake.com/s/article/Communication-ID-0108977-Additional-Information

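The check the post above refers to (looking for logins from the "rapeflake" client, plus the password-only logins the last reply worries about) can be run from the account-usage views. The following is an added example and is not the query from Snowflake's KB article nor code from anyone in this thread; the view and column names (SNOWFLAKE.ACCOUNT_USAGE.SESSIONS, LOGIN_HISTORY and their columns) are assumed from Snowflake's documented schema, and the 30-day window is a placeholder to widen as needed.

```sql
-- Added example, not from the Snowflake KB article or any post in this thread.
-- Assumes the standard SNOWFLAKE.ACCOUNT_USAGE views and column names
-- (SESSIONS.CLIENT_APPLICATION_ID, LOGIN_HISTORY.FIRST_AUTHENTICATION_FACTOR, ...);
-- the 30-day window is a placeholder, widen it to cover the period of interest.
USE ROLE ACCOUNTADMIN;

-- 1. Sessions whose client application string contains the named tool,
--    joined to the login event so the source IP and outcome are visible.
SELECT s.created_on,
       s.user_name,
       s.client_application_id,
       s.client_application_version,
       l.client_ip,
       l.is_success
FROM   snowflake.account_usage.sessions s
LEFT JOIN snowflake.account_usage.login_history l
       ON l.event_id = s.login_event_id
WHERE  s.created_on >= DATEADD(day, -30, CURRENT_TIMESTAMP())
  AND  LOWER(s.client_application_id) LIKE '%rapeflake%'
ORDER  BY s.created_on;

-- 2. Successful logins that used only a password and no second factor:
--    the "local auth exception" pattern that bypasses a SAML-only policy.
SELECT user_name,
       client_ip,
       reported_client_type,
       COUNT(*)             AS logins,
       MIN(event_timestamp) AS first_seen,
       MAX(event_timestamp) AS last_seen
FROM   snowflake.account_usage.login_history
WHERE  event_timestamp >= DATEADD(day, -30, CURRENT_TIMESTAMP())
  AND  is_success = 'YES'
  AND  first_authentication_factor = 'PASSWORD'
  AND  second_authentication_factor IS NULL
GROUP  BY 1, 2, 3
ORDER  BY logins DESC;
```

Note that the ACCOUNT_USAGE views are populated with a delay (on the order of hours), so very recent activity may not appear yet; any user surfaced by the second query who should be signing in through SSO is a candidate for a forced credential rotation and an MFA or network-policy requirement.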

@GossiTheDog

I'm still trying to parse this statement. A non-exclusive list of meanings is: (a) someone gained access to a trusted part of the Snowflake network and made off with customer credentials or (b) there were credential stuffing attacks that gained access to Snowflake customer accounts.

In either case, the Snowflake statement that management does "not believe this activity is caused by any vulnerability, misconfiguration, or malicious activity within the Snowflake product" would be true.

Does this sound possible to you?

@dangoodin @GossiTheDog I can't say this is common, but I have seen Snowflake configured such that you have SAMLfied logins, but then you create exceptions for local auth against Snowflake (key auth, pass auth). My guess would be a key walked out the door somewhere.