URL: https://cyberplace.social/@GossiTheDog/112536407633131499
Submission: On June 25 via api from LU — Scanned from FI

Kevin Beaumont @GossiTheDog@cyberplace.social

Very big cyber incident playing out at Snowflake, who describe themselves as “AI
Data Cloud”. They have a free trial where anybody can sign up and upload data…
and they have.

Threat actors have been scraping customer data using a tool called rapeflake,
for about a month.

31 May 2024 at 18:28 · Ivory for iOS · 142 · 137

31 May

Kevin Beaumont @GossiTheDog

The tl;dr of the Snowflake thing is mass scraping has been happening, but nobody
noticed… and they're pointing at customers for having poor credentials. It
appears a lot of data has gone walkies from a bunch of orgs.

Snowflake is a big AI data company with a conference in the US next week,
chances of that going ahead are interesting.


2

31 May

Kevin Beaumont @GossiTheDog

IOCs:
https://community.snowflake.com/s/article/Communication-ID-0108977-Additional-Information

Snowflake admin users need to check their Snowflake environment, not sec
departments checking their on-prem.


1

31 May

Kevin Beaumont @GossiTheDog




12

1 Jun

Kevin Beaumont @GossiTheDog

Five orgs have told me they are running incidents for Snowflake, where their
data has been copied.

2

1 Jun

Kevin Beaumont @GossiTheDog

Snowflake: there is absolutely no cybersecurity incident.

Also Snowflake: Please run these commands and look for "threat activity" logins
with the user agent "rapeflake" using this knowledge base article we haven't
listed on our website.

https://community.snowflake.com/s/article/Communication-ID-0108977-Additional-Information


5
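A defender-side version of the check the post refers to, added here as an example rather than Snowflake's KB article or the author's own queries. It assumes a role that can read the SNOWFLAKE.ACCOUNT_USAGE views and uses only their documented columns; the only page-specific value is the `rapeflake` client name.

```sql
-- Added example, not Snowflake's KB article or the thread author's queries.
-- Assumes ACCOUNTADMIN (or a role granted IMPORTED PRIVILEGES on the SNOWFLAKE
-- database) and the documented SNOWFLAKE.ACCOUNT_USAGE views. These views lag
-- real time by up to a few hours, so a hunt run right after an alert can miss
-- the newest sessions. 'rapeflake' is the client name quoted in the thread.
USE ROLE ACCOUNTADMIN;

-- 1. Sessions whose client identified itself as the scraping tool.
--    CLIENT_APPLICATION_ID is the name the connecting driver or tool reports;
--    CLIENT_ENVIRONMENT is a JSON string with OS, application and version.
SELECT s.session_id,
       s.created_on,
       s.user_name,
       s.authentication_method,
       s.client_application_id,
       s.client_environment
FROM   snowflake.account_usage.sessions s
WHERE  s.created_on >= DATEADD(day, -45, CURRENT_TIMESTAMP())
  AND (s.client_application_id ILIKE '%rapeflake%'
       OR s.client_environment  ILIKE '%rapeflake%')
ORDER BY s.created_on;

-- 2. Join those sessions back to the login event that created them: where the
--    login came from and which factors it used. A PASSWORD first factor with a
--    NULL second factor means a stolen password alone was enough.
SELECT l.event_timestamp,
       l.user_name,
       l.client_ip,
       l.reported_client_type,
       l.first_authentication_factor,
       l.second_authentication_factor
FROM   snowflake.account_usage.login_history l
JOIN   snowflake.account_usage.sessions      s
  ON   s.login_event_id = l.event_id
WHERE  s.client_application_id ILIKE '%rapeflake%'
ORDER BY l.event_timestamp;

-- 3. Scope the impact: every query the tool's sessions ran, largest result
--    sets first, to see which tables were read and how many rows left.
SELECT q.user_name, q.start_time, q.query_type, q.rows_produced, q.query_text
FROM   snowflake.account_usage.query_history q
WHERE  q.session_id IN (SELECT session_id
                        FROM   snowflake.account_usage.sessions
                        WHERE  client_application_id ILIKE '%rapeflake%')
ORDER BY q.rows_produced DESC NULLS LAST;
```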

1 Jun

Kevin Beaumont @GossiTheDog

Live Nation said its stolen database was hosted on Snowflake, a cloud storage
and analytics company.

https://techcrunch.com/2024/05/31/live-nation-confirms-ticketmaster-was-hacked-says-personal-information-stolen-in-data-breach/


TechCrunch · 1 Jun: Live Nation confirms Ticketmaster was hacked, says personal
information stolen in data breach. Live Nation says its Ticketmaster subsidiary
was hacked. A hacker claims to be selling 560 million customer records.
3

1 Jun *

Kevin Beaumont @GossiTheDog

I've now confirmed 6 major orgs running Snowflake cyber incidents, so I've made
a theme song about Snowflake's response.

[Media hidden]

11

2 Jun

Kevin Beaumont @GossiTheDog

https://www.cyber.gov.au/about-us/view-all-content/alerts-and-advisories/increased-cyber-threat-activity-targeting-snowflake-customers


1

2 Jun *

Kevin Beaumont @GossiTheDog

The deleted Hudson Rock post on Snowflake breach:
https://web.archive.org/web/20240531140540/https://hudsonrock.com/blog/snowflake-massive-breach-access-through-infostealer-infection

For the record I don't think all the content is accurate - however Snowflake did
have a security incident via their former employee, they have full IR stood up.
They didn't follow their own best practices.

I also know multiple orgs who've had their full databases taken from Snowflake.


web.archive.org: Snowflake, Cloud Storage Giant, Suffers Massive Breach: Hacker
Confirms to Hudson Rock Access Through Infostealer Infection. Hudson Rock is
able to confirm a massive breach at Snowflake was caused by credentials
compromised via an Infostealer infection.
4

2 Jun

Kevin Beaumont @GossiTheDog

I wrote a blog on everything I know about the Snowflake situation
https://doublepulsar.com/snowflake-at-central-of-worlds-largest-data-breach-939fc400912e


DoublePulsar · 2 Jun: Snowflake at centre of world’s largest data breach -
DoublePulsar, by Kevin Beaumont
7

3 Jun *

Kevin Beaumont @GossiTheDog

The Snowflake authentication setup is terrible.

MFA can’t be enabled org-wide; each user has to manually log in and enable it.
There’s no policy to block users without MFA. And it uses Duo MFA rather than
your org’s MFA. (You can bring your own MFA with SAML.)

Also all users log in via a Snowflake domain, so you can just pull creds from
info stealer marketplaces or logs.

That’s why they’re being targeted as a platform.

4
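An added example (not the author's or Snowflake's code) that audits the gap described in the post: which users still rely on a password with no MFA enrolment, which recent logins actually used a password alone, and an account-level network policy that limits where such logins can come from. It assumes ACCOUNTADMIN and the documented SNOWFLAKE.ACCOUNT_USAGE views; the CIDR is a placeholder.

```sql
-- Added example, not Snowflake's or the thread author's code. Assumes the
-- ACCOUNTADMIN role and the documented SNOWFLAKE.ACCOUNT_USAGE views.
-- EXT_AUTHN_DUO is the per-user flag that is only set once that user has
-- enrolled in Duo MFA themselves, which is the gap the post describes.
-- Casts to BOOLEAN cover the columns this view exposes as VARIANT.
USE ROLE ACCOUNTADMIN;

-- 1. Active users who can log in with a password but never enrolled in MFA.
SELECT u.name,
       u.login_name,
       u.has_rsa_public_key,
       u.last_success_login
FROM   snowflake.account_usage.users u
WHERE  u.deleted_on IS NULL
  AND  NOT u.disabled::BOOLEAN
  AND  u.has_password::BOOLEAN
  AND  NOT u.ext_authn_duo::BOOLEAN
ORDER BY u.last_success_login DESC NULLS LAST;

-- 2. Successful logins in the last 30 days that used a password alone: not
--    federated via SAML and with no second factor. A credential lifted from an
--    infostealer log is enough to reproduce any of these logins.
SELECT l.user_name,
       COUNT(*)                    AS password_only_logins,
       COUNT(DISTINCT l.client_ip) AS distinct_source_ips,
       MAX(l.event_timestamp)      AS last_seen
FROM   snowflake.account_usage.login_history l
WHERE  l.event_timestamp >= DATEADD(day, -30, CURRENT_TIMESTAMP())
  AND  l.is_success = 'YES'
  AND  l.first_authentication_factor = 'PASSWORD'
  AND  l.second_authentication_factor IS NULL
GROUP BY l.user_name
ORDER BY password_only_logins DESC;

-- 3. Limit where a leaked password can be used from: an account-level network
--    policy. The CIDR below is a placeholder (TEST-NET-3); Snowflake rejects
--    the ALTER if the IP you are running it from is not in the allow list.
CREATE NETWORK POLICY IF NOT EXISTS corp_egress_only
  ALLOWED_IP_LIST = ('203.0.113.0/24');
ALTER ACCOUNT SET NETWORK_POLICY = corp_egress_only;
```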

3 Jun

Kevin Beaumont @GossiTheDog

Hudson Rock have put out a statement saying a legal threat from Snowflake caused
them to remove their blog.
https://www.linkedin.com/posts/hudson-rock_activity-7203433945919578113-RH05 HT
@mattburgess


6

31 May

joy larkin @joy@mastodon.social

@GossiTheDog

Gotta be uncomfortable that Snowflake's big AI Data themed user conference is
next week here in SF at Moscone.

0

31 May

Pavel Bartoň @barton@mas.to

@GossiTheDog What a terrible session management

0

31 May

Robert Thau @rst@mastodon.social

@GossiTheDog Sounds like they have no way of revoking an id token once issued,
short of banning the user altogether.

1

31 May

Ben Aveling @BenAveling@infosec.exchange

@rst @GossiTheDog it sounds like tokens are irrevocably valid for 6 hours

0

31 May

Gabriel Adrian Samfira @gabriel@mastodon.samfira.com

@GossiTheDog sounds like a great design.

0

31 May

Jesper Johansson @jesperjo@infosec.exchange

@GossiTheDog I was today years old when I learned that running one SQL statement
to revoke a token was so difficult that writing a help article and looking like
fools was actually easier.

3

31 May

Adam Shostack :rebelverified: @adamshostack@infosec.exchange

@jesperjo @GossiTheDog When I was at Fidelity in 1995 or 96 there was a hard
limit of 60 seconds to propagate a password change or revoke.

The primary threat was divorce and being able to act on an instruction from a
customer.

1

1 Jun

Covidiocracy @ampersine@mastodon.online

@adamshostack @GossiTheDog @jesperjo

Seems oddly fitting that that “divorce” was a prime security threat at a company
called “Fidelity”

0

1 Jun

Tuxedo Wa-Kamen @wakame@tech.lgbt

Content warning: joking

@jesperjo @GossiTheDog

"To provide bleeding-edge security, your access tokens are provided as training
material to our authentication AI. This ensures that even in the event of a
breach of our cloud platform, your tokens can't be easily extracted."

0

2 Jun

Enno Rehling @enno@mastodon.gamedev.place

@jesperjo @GossiTheDog JWT is not session management.

0

31 May

Chris Clark @chris_clark@mastodon.social

@GossiTheDog

https://youtu.be/pXw7LYWNi5E?si=9spfLV3r1H6Ybuy1&t=25

YouTube: Giving Instructions in the Classroom, by ugbroncos
0

1 Jun

Llafgorf @llafgorf@mastodon.podycust.co.uk

@GossiTheDog


0

1 Jun *

insecurity princess @saraislet@infosec.exchange

Snowflake observed:
+ "malicious traffic"
+ "cyber threat activity targeting some of our customers’ accounts"

Snowflake has not observed
- "a security incident"
- "vulnerability, misconfiguration, or malicious activity within the Snowflake
product"

Threading a mighty fine needle there

@GossiTheDog

1

1 Jun

insecurity princess @saraislet@infosec.exchange

To be clear: I'd like to see Snowflake own up to responsibility for creating
security capabilities with secure defaults that are hard to misuse in a way that
creates severe unintended consequences

Sounds currently like the leaky data lake version of the classic public S3
bucket misconfiguration

I hope they're bringing humility to their customers now, and public
acknowledgement later

0

1 Jun

Dan Goodin @dangoodin@infosec.exchange

@GossiTheDog

I'm still trying to parse this statement. A non-exclusive list of meanings is:
(a) someone gained access to a trusted part of the Snowflake network and made
off with customer credentials or (b) there were credential stuffing attacks that
gained access to Snowflake customer accounts.

In either case, the Snowflake statement that management does "not believe this
activity is caused by any vulnerability, misconfiguration, or malicious activity
within the Snowflake product" would be true.

Does this sound possible to you?

3

1 Jun

chort @chort@infosec.exchange

@dangoodin @GossiTheDog password spraying/credential stuffing is vastly more
probable than the other explanations, especially with the advice Snowflake are
giving to customers.

0

1 Jun

Loren Kohnfelder @lmk@infosec.exchange

@dangoodin @GossiTheDog Without attempting to interpret the statement to discern
any actual facts, I can reconcile this -- in the tradition of Bill Clinton
straining the meaning of "is". First, note that "believe" is subjective and
people are capable of believing crazy things (a la Upton Sinclair's line about
understanding things that threaten one's job). Also, they list and then deny
three possible causes -- but there are more problematic possible causes left
unmentioned; e.g. weak password isn't quite config, and malicious activity
"outside" the product whatever that might mean.

0

1 Jun

Daniel Reich @DanielReich@infosec.exchange

@dangoodin @GossiTheDog I can't say this is common, but I have seen Snowflake
configured such that you have SAMLfied logins, but then you create exceptions
for local auth against Snowflake (key auth, pass auth). My guess would be a key
walked out the door somewhere.

0

1 Jun

Jerry Bell :verified_paw: :verified_dragon: :rebelverified:
@jerry@infosec.exchange

@GossiTheDog well done

1

1 Jun

Bill @Sempf@infosec.exchange

@jerry @GossiTheDog All in all, that was a hell of a solid thread. Top to
bottom.

0

1 Jun

JJDavis @jjdavis@infosec.exchange

@GossiTheDog Ah but it's a special Snowflake.

0

1 Jun

Hacker Memes @i0null@infosec.exchange

@GossiTheDog holy crap it's both epic and cringe at the same time.

0

1 Jun

Miri @miri@infosec.exchange

@GossiTheDog I enjoyed this one!

0

1 Jun

chebra @chebra@mstdn.io

@GossiTheDog "Oh look, squirrel" literally made me cry

0

1 Jun

Jean @tho_jea@mamot.fr

@GossiTheDog These exploit theme songs are so much better than the traditional
logos, thank you!

0

1 Jun

Thibug @Thibug@mastodon.social

@GossiTheDog I love it, you made my morning with that song

0

1 Jun

Chris Farris :verified: @jcfarris@infosec.exchange

@GossiTheDog Was that made with GenAI? Because this is the first actual creative
use of GenAI I've seen in a long time.

0

2 Jun

Cali @Cali@infosec.exchange

@GossiTheDog why was it deleted?

1

2 Jun

Cali @Cali@infosec.exchange

@GossiTheDog some of HR commentary in telegram screengrabs seemed a little
strange.. the “should have used HR and they wouldn’t have been breached” bit

0

2 Jun

raspberryswirl @raspberryswirl@chaos.social

@GossiTheDog One thing regarding this, as it might be even worse:
what about data manipulation? Anybody seeing this as a new threat vector?

0

2 Jun

PhreakByte @nieldk@infosec.exchange

@GossiTheDog thanks, great write-up. I do fear Snowflake might not be telling
the whole story - but time may show

0

2 Jun

Simon @spzb@infosec.exchange

@GossiTheDog looking forward to Monday morning at the day job where we've
recently gone all-in on Snowflake. And yes, it's PII stuff.

0

2 Jun

patryko @patryko@woof.group

@GossiTheDog I interviewed with them a couple of months ago, on the cloud infra
team. Interviewers seemed anxious when I started asking them about security
posture, practices and procedures. They don’t have any org-wide authorization
mechanisms and focus only on cost optimization + some automation.

1

2 Jun

JA @caspicat@infosec.exchange

@patryko @GossiTheDog

IMHO, at least on paper, they look alright
https://community.snowflake.com/s/article/Snowflake-Security-Overview-and-Best-Practices

https://www.snowflake.com/wp-content/uploads/2019/12/Snowflake-Security-Overview-Q4-2019-2.pdf

1

2 Jun

patryko @patryko@woof.group

@caspicat @GossiTheDog exactly, a couple of slides assuring there’s “encryption
at rest/in transit” vs the AWS security controls document show the difference
and org immaturity -
https://docs.aws.amazon.com/pdfs/prescriptive-guidance/latest/aws-security-controls/aws-security-controls.pdf

1

3 Jun

Michael Weiss @mweiss@infosec.exchange

@patryko @caspicat @GossiTheDog the key isn't to look at what they say, but
rather to look at what they don't say.

0

2 Jun

Alan Miller :verified_paw: @fencepost@infosec.exchange

@GossiTheDog re: credential theft, MFA and Recall - what's one of the things
that'll be saved? Those handy QR codes for TOTP...

1

3 Jun

Chris Bussard @cwbussard@ioc.exchange

@fencepost @GossiTheDog

Oh fuu....you're right! This just keeps getting worse and worse.

0

3 Jun *

agarithil @agarithil@infosec.town

I got to this point in your write-up, and I don't think it can be emphasized
enough:

> Note that in the age of SaaS, your providers will throw you under the bus to
> save themselves. When you transfer your security risk to a provider, they
> don’t accept your risk — they just take the money.

[EDIT: typo]

@GossiTheDog



0

3 Jun

Stuart Gray @StuartGray@mastodonapp.uk

@GossiTheDog Might be a coincidence, but Prolific (paid study/research site) has
just temporarily paused pay outs until further notice due to a cryptically
worded “possible cyber security incident targeting users”.

0

3 Jun

Sam J Sharpe @SamJSharpe@mastodon.me.uk

@GossiTheDog I don't think that's completely accurate. I login to a couple of
Snowflake accounts with my organisational SSO which includes our standard MFA.

0

3 Jun

Paul Bailey @paulbailey@mas.to

@GossiTheDog Our (fairly large) org uses SAML federation, with MFA enforced.

0

3 Jun

Nick @Nickiquote@mstdn.social

@GossiTheDog @mattburgess Snowflake by name…

0

3 Jun

Bill @Sempf@infosec.exchange

@GossiTheDog @mattburgess Oooooh shit.

0

3 Jun

Paul_IPv6 @paul_ipv6@infosec.exchange

@GossiTheDog @mattburgess

huh. that's a real old school IBM move.

what do you do when you have better lawyers than tech/security folks? Sue for
defamation, patent infringement, and anything else you can think of to try to
quiet competitors or embarrassment.

1

3 Jun

chort @chort@infosec.exchange

@paul_ipv6 @GossiTheDog @mattburgess it does seem like the post had
unsubstantiated claims, so I’m not surprised.

The real situation is bad enough. It’s irresponsible to pile on with potentially
inaccurate statements.

0
