As an update to our ongoing investigation involving a targeted threat campaign against some Snowflake customer accounts, our latest findings (see June 2 below), reached with the support of cybersecurity experts CrowdStrike and Mandiant, have not changed.
We continue to work closely with our customers as they harden their security measures to reduce cyber threats. We are also developing a plan to ask our customers to implement advanced security controls, such as multi-factor authentication (MFA) or network policies, especially for privileged Snowflake customer accounts. While we do so, we continue to engage strongly with our customers to help guide them to enable MFA and other security controls as a critical step in protecting their business.
Joint Statement Regarding Preliminary Findings in Snowflake Cybersecurity Investigation
Snowflake, CrowdStrike and Mandiant are providing a joint statement related to our ongoing investigation involving a targeted threat campaign against some Snowflake customer accounts.
Our key preliminary findings identified to date:
- We have not identified evidence suggesting this activity was caused by a vulnerability, misconfiguration, or breach of Snowflake's platform;
- We have not identified evidence suggesting this activity was the result of credentials of current or former Snowflake employees;
- This appears to be a targeted campaign directed at users with single-factor authentication;
- As part of this campaign, threat actors have leveraged credentials previously purchased or obtained through infostealing malware;
- We did find evidence that a threat actor obtained personal credentials to, and accessed, demo accounts belonging to a former Snowflake employee. It did not contain sensitive data. Demo accounts are not connected to Snowflake's production or corporate systems. The access was possible because the demo account was not behind Okta or multi-factor authentication (MFA), unlike Snowflake's corporate and production systems.
Throughout the course of the investigation, Snowflake has promptly informed the limited number of Snowflake customers who it believes may have been affected. Mandiant has also engaged in outreach to potentially affected organizations.
We recommend organizations immediately take the following steps:
- Enforce multi-factor authentication on all accounts;
- Set up network policy rules to only allow authorized users or only allow traffic from trusted locations (VPN, cloud workload NAT, etc.);
- Impacted organizations should reset and rotate Snowflake credentials.
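The following is an added example, not part of the joint statement, showing one way to act on the first two recommendations in Snowflake SQL: find users who are still logging in with a password and no second factor, then restrict traffic with a network policy. The policy name, user name and IP ranges are hypothetical placeholders (the ranges are documentation addresses) and must be replaced with your own values.

```sql
-- Added example: placeholder names and addresses, adapt before use.

-- 1. Identify users with successful password-only logins in the last 30 days.
--    These are the single-factor accounts that should be moved to MFA first.
SELECT
    user_name,
    COUNT(*)                  AS password_only_logins,
    COUNT(DISTINCT client_ip) AS distinct_source_ips,
    MAX(event_timestamp)      AS last_seen
FROM snowflake.account_usage.login_history
WHERE event_timestamp >= DATEADD(day, -30, CURRENT_TIMESTAMP())
  AND is_success = 'YES'
  AND first_authentication_factor = 'PASSWORD'
  AND second_authentication_factor IS NULL
GROUP BY user_name
ORDER BY password_only_logins DESC;

-- 2. Create a network policy that only admits trusted egress addresses
--    (constructed values standing in for a VPN range and a cloud NAT address).
CREATE NETWORK POLICY trusted_locations_only   -- hypothetical policy name
    ALLOWED_IP_LIST = ('203.0.113.0/24', '198.51.100.10')
    COMMENT = 'Allow only corporate VPN and cloud workload NAT egress';

-- 3. Apply the policy account-wide. Run this from an address that is in the
--    allowed list, otherwise the statement is rejected.
ALTER ACCOUNT SET NETWORK_POLICY = trusted_locations_only;

-- 4. A policy can also be attached to one user, for example a service
--    account that cannot use MFA (hypothetical user name).
ALTER USER svc_loader SET NETWORK_POLICY = trusted_locations_only;

-- 5. Confirm which policy is in effect at the account level.
SHOW PARAMETERS LIKE 'network_policy' IN ACCOUNT;
```

Data in the ACCOUNT_USAGE views lags real time, so recent logins may not appear in the first query immediately.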
In addition, please review Snowflake's investigation and hardening guidelines for recommended actions to help investigate potential threat activity within Snowflake customer accounts. This investigation is ongoing. We are also coordinating with law enforcement and other government authorities.