
Pure Storage hit by Snowflake credential hackers

Pure Storage emerges as the latest victim of a fast-spreading breach of Snowflake customers targeting users with lax credential security measures in place

Pure Storage has stepped forward as the latest known victim of the fast-spreading Snowflake credentials breach, joining a list of over 150 organisations to have had their data stolen by a cyber criminal gang after their Snowflake instances were breached.

The data storage specialist said it had confirmed and addressed a security incident involving unauthorised access to a single Snowflake data analytics workspace. This workspace contained telemetry information used by Pure’s customer support teams, and is known to include company names, LDAP usernames, email addresses and Purity software release version numbers.

Pure attempted to reassure customers that more sensitive information, such as passwords for array access or any data stored on customers’ systems, does not form part of any telemetry information and cannot be communicated beyond the storage array itself. Nor can telemetry information be used to gain access to customer systems, it claimed.

“Pure Storage took immediate action to block any further unauthorised access to the workspace,” said the firm in a statement. “Additionally, we see no evidence of unusual activity on other elements of the Pure infrastructure.

“Pure is monitoring our customers’ systems and has not found any unusual activity. We are currently in contact with customers who similarly have not detected unusual activity targeting their Pure systems.

“Preliminary findings from a leading cyber security firm we engaged also validates the conclusion we reached regarding the information in the workspace,” it continued.

“Pure Storage remains fully committed to providing timely and transparent updates to our customers, and we will continue to monitor this situation and use this forum for important updates.”

Threat actor

Pure’s disclosure came mere hours after Mandiant published new information on the scope of the Snowflake incident, which it has attributed to a threat actor tracked as UNC5537, likely made up of hackers based mainly in North America.

UNC5537 is now suspected of conducting a massive campaign of intrusions at Snowflake’s customers, using stolen credentials gleaned mostly from the use of info-stealing malware.

Mandiant said that in every intrusion it was aware of, UNC5537 had obtained the data by logging in with valid stolen credentials to Snowflake accounts that lacked basic credential hygiene, most notably multi-factor authentication (MFA). In many cases, it said, the stolen credentials were years old and had never been rotated, and several victims were compromised through third-party contractors who had been allowed to connect to the victims' Snowflake instances from their own, infostealer-infected PCs.

Pure Storage had not said, at the time of writing, whether MFA was enabled on the compromised workspace or how the credentials used were obtained.
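The three failure modes Mandiant lists (no MFA, stale passwords, logins from unmanaged contractor machines) can each be checked from inside a Snowflake account. The following is an added example written for this article, not code from Pure Storage, Mandiant or Snowflake; it assumes a role with access to the SNOWFLAKE.ACCOUNT_USAGE views (ACCOUNTADMIN or a role granted IMPORTED PRIVILEGES on the SNOWFLAKE database), and the 90-day and 30-day windows and the IP ranges are illustrative placeholders, not Snowflake defaults.

```sql
-- Added example: credential-hygiene checks for a Snowflake account.
-- Not from the original article. Assumes ACCOUNTADMIN (or equivalent
-- IMPORTED PRIVILEGES on the SNOWFLAKE database); thresholds and IP ranges
-- below are placeholders chosen for illustration.
USE ROLE ACCOUNTADMIN;

-- 1. Active, password-enabled users with no MFA enrolled: the gap the
--    campaign exploited. Key-pair service accounts have has_password = FALSE
--    and has_rsa_public_key = TRUE, so they drop out of this list.
--    (disabled is cast because older releases expose it as a VARIANT.)
SELECT name, login_name, email, last_success_login, bypass_mfa_until
FROM   snowflake.account_usage.users
WHERE  deleted_on IS NULL
  AND  disabled::BOOLEAN = FALSE
  AND  has_password = TRUE
  AND  has_mfa = FALSE
ORDER  BY last_success_login DESC NULLS LAST;

-- 2. Stale credentials: passwords not rotated within the last 90 days
--    (90 days is an illustrative threshold, not a Snowflake default).
SELECT name,
       password_last_set_time,
       DATEDIFF('day', password_last_set_time, CURRENT_TIMESTAMP()) AS password_age_days
FROM   snowflake.account_usage.users
WHERE  deleted_on IS NULL
  AND  has_password = TRUE
  AND  password_last_set_time < DATEADD('day', -90, CURRENT_TIMESTAMP())
ORDER  BY password_age_days DESC;

-- 3. Successful single-factor password logins in the last 30 days, with the
--    source IP and client type, so that unknown workstations (for example a
--    contractor's personal PC) stand out. second_authentication_factor is
--    NULL when no MFA challenge was completed.
SELECT event_timestamp, user_name, client_ip, reported_client_type,
       first_authentication_factor, second_authentication_factor
FROM   snowflake.account_usage.login_history
WHERE  event_timestamp > DATEADD('day', -30, CURRENT_TIMESTAMP())
  AND  is_success = 'YES'
  AND  first_authentication_factor = 'PASSWORD'
  AND  second_authentication_factor IS NULL
ORDER  BY event_timestamp DESC;

-- 4. Hardening: restrict where logins may come from at all. The CIDR ranges
--    are RFC 5737 documentation addresses; replace them with your own
--    corporate egress ranges before applying.
CREATE NETWORK POLICY IF NOT EXISTS corp_only_policy
  ALLOWED_IP_LIST = ('203.0.113.0/24', '198.51.100.0/24')
  COMMENT = 'Placeholder ranges - replace before use';
ALTER ACCOUNT SET NETWORK_POLICY = corp_only_policy;
```

Two caveats when reading the results: the ACCOUNT_USAGE views are populated with a delay of up to around two hours, so the login-history query is for review rather than real-time alerting, and a non-empty result from query 1 is the same condition Mandiant describes at every victim, so those accounts should be MFA-enrolled or disabled and their passwords rotated rather than merely noted.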

No MFA is no longer an option

Chester Wisniewski, director and global field chief technology officer at Sophos, expressed his frustration that basic credential security measures are still being so widely neglected when the consequences are so well-established.

“Just like you can’t buy a car without a seatbelt, deploying MFA can no longer be optional,” he said. “Compromised credentials continue to be one of the most pervasive ways for attackers to breach systems, which is supported again and again by in-the-field findings. Sophos’ most recent Active Adversary Report found that compromised credentials were the number one root cause of attacks in 2023 – and were the root cause in a third of all attacks since 2020.

“Ensuring MFA is deployed on any and all accounts that contain sensitive and important data needs to be a collaborative effort between companies and their service providers,” said Wisniewski. “Companies should implement strong cyber security hygiene programmes for their employees, while service providers need to enforce policies that push organisations to implement MFA when using their products.

“One of the six key focus areas for software vendors signing CISA’s recent Secure by Design pledge was improving the adoption of MFA among their clients,” he said. “It’s a goal Sophos believes strongly in, and it was one of the reasons we signed onto the pledge. We encourage other software vendors to do the same.”

Read more about the Snowflake campaign

  • Significant data breaches at Ticketmaster and Santander appear to have been orchestrated through careful targeting of the victims’ Snowflake cloud data management accounts.
  • This podcast episode discusses the recent attacks against Snowflake customers and a controversial report that claimed the cloud storage and analytics giant had been breached.
  • Mandiant reports that more than 160 Snowflake customers have been hit in a broad data theft and extortion campaign targeting organisations that have failed to pay proper attention to securing valuable credentials.
