Pure Storage hit by Snowflake credential hackers


Pure Storage has stepped forward as the latest known victim of the fast-spreading Snowflake credentials breach, joining a list of over 150 organisations to have had their data stolen by a cyber criminal gang after their Snowflake instances were breached.

The data storage specialist said it had confirmed and addressed a security incident involving unauthorised access to a single Snowflake data analytics workspace. This workspace contained telemetry information used by Pure’s customer support teams, and is known to include company names, LDAP usernames, email addresses, and Purity software release version numbers.

Pure attempted to reassure customers that more sensitive information, such as passwords for array access or any data stored on customers’ systems, does not form part of any telemetry information and cannot be communicated beyond the storage array itself. Nor can telemetry information be used to gain access to customer systems, it claimed.

“Pure Storage took immediate action to block any further unauthorised access to the workspace. Additionally, we see no evidence of unusual activity on other elements of the Pure infrastructure,” said the firm in a statement.

“Pure is monitoring our customers’ systems and has not found any unusual activity. We are currently in contact with customers who similarly have not detected unusual activity targeting their Pure systems.

“Preliminary findings from a leading cyber security firm we engaged also validate the conclusion we reached regarding the information in the workspace. Pure Storage remains fully committed to providing timely and transparent updates to our customers and we will continue to monitor this situation and use this forum for important updates.”

Pure’s disclosure came mere hours after Mandiant published new information on the scope of the Snowflake incident, which it has attributed to a threat actor tracked as UNC5537, likely made up of hackers based mainly in North America.

UNC5537 is now suspected of conducting a massive campaign of intrusions at Snowflake’s customers, using stolen credentials gleaned mostly from the use of infostealing malware.

Mandiant said that in all the attacks of which it was aware, UNC5537 was able to get its hands on the data because the Snowflake customers had neglected basic credential hygiene measures, such as the use of multifactor authentication (MFA). In many cases, it said, victims had also failed to rotate or update credentials in a timely manner, while others had been compromised by outside contractors who were allowed to connect to their systems using their own PCs.

Pure Storage has not addressed this point at the time of writing.

No MFA is no longer an option

Chester Wisniewski, director and global Field CTO at Sophos, expressed frustration that basic credential security measures are still being so widely neglected when the consequences are so well-established.

“Just like you can’t buy a car without a seatbelt, deploying MFA can no longer be optional. Compromised credentials continue to be one of the most pervasive ways for attackers to breach systems, which is supported again and again by in-the-field findings. Sophos’ most recent Active Adversary report found that compromised credentials were the number one root cause of attacks in 2023 – and were the root cause in a third of all attacks since 2020,” said Wisniewski.

“Ensuring MFA is deployed on any and all accounts that contain sensitive and important data needs to be a collaborative effort between companies and their service providers. Companies should implement strong cyber security hygiene programs for their employees, while service providers need to enforce policies that push organisations to implement MFA when using their products.”

He added: “One of the six key focus areas for software vendors signing CISA’s recent Secure by Design pledge was improving the adoption of MFA among their clients. It’s a goal Sophos believes strongly in, and it was one of the reasons we signed onto the pledge. We encourage other software vendors to do the same.”


