  1. Kevin Beaumont (gossithedog@cyberplace.social)'s status on Saturday, 01-Jun-2024 00:29:28 JST

    Very big cyber incident playing out at Snowflake, who describe themselves as “AI Data Cloud”. They have a free trial where anybody can sign up and upload data… and they have.

    Threat actors have been scraping customer data using a tool called rapeflake, for about a month.

    In conversation Saturday, 01-Jun-2024 00:29:28 JST from cyberplace.social permalink
    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Saturday, 01-Jun-2024 00:36:42 JST

      The tl;dr of the Snowflake thing is mass scraping has been happening, but nobody noticed.. and they're pointing at customers for having poor credentials. It appears a lot of data has gone walkies from a bunch of orgs.

      Snowflake is a big AI data company with a conference in the US next week, chances of that going ahead are interesting.

      In conversation Saturday, 01-Jun-2024 00:36:42 JST permalink

      Attachments


      1. https://cyberplace.social/system/media_attachments/files/112/536/433/295/766/619/original/079caafcfeb360a2.png
    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Saturday, 01-Jun-2024 00:54:57 JST

      IOCs: https://community.snowflake.com/s/article/Communication-ID-0108977-Additional-Information

      Snowflake admin users need to check their Snowflake environment, not sec departments check their on prem.

      In conversation Saturday, 01-Jun-2024 00:54:57 JST permalink

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Saturday, 01-Jun-2024 00:57:12 JST

      ❓ 😅

      In conversation Saturday, 01-Jun-2024 00:57:12 JST permalink

      Attachments


      1. https://cyberplace.social/system/media_attachments/files/112/536/514/493/632/337/original/1ee5e6d7723ff591.jpeg
    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Saturday, 01-Jun-2024 07:03:47 JST

      Five orgs have told me they are running incidents for Snowflake, where their data has been copied.

      In conversation Saturday, 01-Jun-2024 07:03:47 JST permalink
    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Saturday, 01-Jun-2024 07:35:14 JST

      Snowflake: there is absolutely no cybersecurity incident.

      Also Snowflake: Please run these commands and look for "threat activity" logins with the user agent "rapeflake" using this knowledge base article we haven't listed on our website.

      https://community.snowflake.com/s/article/Communication-ID-0108977-Additional-Information

      In conversation Saturday, 01-Jun-2024 07:35:14 JST permalink

      Attachments


      1. https://cyberplace.social/system/media_attachments/files/112/538/073/540/176/630/original/6566bc52a4adee27.png
    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Saturday, 01-Jun-2024 08:29:40 JST

      Live Nation said its stolen database was hosted on Snowflake, a cloud storage and analytics company.

      https://techcrunch.com/2024/05/31/live-nation-confirms-ticketmaster-was-hacked-says-personal-information-stolen-in-data-breach/

      In conversation Saturday, 01-Jun-2024 08:29:40 JST permalink
    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Saturday, 01-Jun-2024 08:31:15 JST

      I've now confirmed 6 major orgs running Snowflake cyber incidents, so I've made a theme song about Snowflake's response.

      In conversation Saturday, 01-Jun-2024 08:31:15 JST permalink

    • Diego Elio Pettenò (flameeyes@mastodon.social)'s status on Saturday, 01-Jun-2024 10:07:56 JST

      @GossiTheDog wait. They provided an easily recognized user-agent?

      I..
      What..

      ..

      In conversation Saturday, 01-Jun-2024 10:07:56 JST permalink
    • Diego Elio Pettenò (flameeyes@mastodon.social)'s status on Saturday, 01-Jun-2024 10:31:51 JST

      @GossiTheDog wow. I mean that's taunting to be caught.

      I shouldn't comment since I have friends over at Snowflake and I can't imagine they're having a good time.

      But if I had to give a mild take I would say that they've probably been at it much longer before getting so cocky.

      In conversation Saturday, 01-Jun-2024 10:31:51 JST permalink
    • Markham_Mike (markham_mike@cyberplace.social)'s status on Sunday, 02-Jun-2024 03:42:48 JST

      @GossiTheDog Alberta Health Services is a provincial authority for all residents of the province of Alberta. A recent job listing indicates that 'snowflake training preferred'.

      In conversation Sunday, 02-Jun-2024 03:42:48 JST permalink
    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Sunday, 02-Jun-2024 07:27:35 JST

      https://www.cyber.gov.au/about-us/view-all-content/alerts-and-advisories/increased-cyber-threat-activity-targeting-snowflake-customers

      In conversation Sunday, 02-Jun-2024 07:27:35 JST permalink

      Attachments


      1. https://cyberplace.social/system/media_attachments/files/112/543/715/035/813/568/original/39df0fd7cc105a15.png

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Sunday, 02-Jun-2024 18:51:54 JST

      The deleted Hudson Rock post on Snowflake breach: https://web.archive.org/web/20240531140540/https://hudsonrock.com/blog/snowflake-massive-breach-access-through-infostealer-infection

      For the record I don't think all the content is accurate - however Snowflake did have a security incident via their former employee, they have full IR stood up.

      I also know multiple orgs who've had their full databases taken from Snowflake.

      In conversation Sunday, 02-Jun-2024 18:51:54 JST permalink

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Sunday, 02-Jun-2024 20:39:12 JST

      I wrote a blog on everything I know about the Snowflake situation https://doublepulsar.com/snowflake-at-central-of-worlds-largest-data-breach-939fc400912e

      In conversation Sunday, 02-Jun-2024 20:39:12 JST permalink

      Attachments

      1. Snowflake at centre of world’s largest data breach
        from https://medium.com/@networksecurity
        Cloud AI Data platform Snowflake are having a bad month. Due to teenager threat actors and cybersecurity of its own customers.
    • patryko (patryko@woof.group)'s status on Monday, 03-Jun-2024 02:24:13 JST

      @GossiTheDog I interviewed with them couple months ago, on cloud infra team. Interviewers seemed anxious when I started asking them on security posture practices and procedures. They don’t have any org wide authorization mechanisms and focus only on cost optimization+some automation.

      In conversation Monday, 03-Jun-2024 02:24:13 JST permalink
    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Monday, 03-Jun-2024 18:51:46 JST

      The Snowflake authentication setup is terrible.

      MFA can’t be enabled org wide, each user has to manually log in and enable it. There’s no policy to block users without MFA. And it uses Duo MFA rather than your org's MFA.

      Also all users log in via a Snowflake domain, so you can just pull creds from info stealer marketplaces or logs.

      That’s why they’re being targeted as a platform.

      In conversation Monday, 03-Jun-2024 18:51:46 JST permalink
    • Sam J Sharpe (samjsharpe@mastodon.me.uk)'s status on Monday, 03-Jun-2024 20:08:44 JST

      @GossiTheDog I don't think that's completely accurate. I log in to a couple of Snowflake accounts with my organisational SSO which includes our standard MFA.

      In conversation Monday, 03-Jun-2024 20:08:44 JST permalink
    • Sam J Sharpe (samjsharpe@mastodon.me.uk)'s status on Monday, 03-Jun-2024 20:43:37 JST

      @GossiTheDog It federates with SAML: https://docs.snowflake.com/en/user-guide/admin-security-fed-auth-overview

      So you can set up MFA with your federated identity - one of ours is using PingOne, so first it takes my AD credentials, then it takes my MFA code. Could do the same with a fully MS solution like Azure Directory with MS Authenticator.

      In conversation Monday, 03-Jun-2024 20:43:37 JST permalink
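
An added example, not part of the thread and not written by any of its participants: a sketch of the audit the authentication posts above point to, separating successful password-only logins from password-plus-MFA and federated (SAML) logins. The field names follow Snowflake's LOGIN_HISTORY view; the rows, users, IP addresses and factor values are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample rows; keys follow the LOGIN_HISTORY column names,
# the users, IPs (documentation ranges) and factor values are illustrative.
SAMPLE_ROWS = [
    {"USER_NAME": "ALICE", "IS_SUCCESS": "YES", "CLIENT_IP": "198.51.100.7",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD", "SECOND_AUTHENTICATION_FACTOR": None},
    {"USER_NAME": "ALICE", "IS_SUCCESS": "YES", "CLIENT_IP": "203.0.113.50",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD", "SECOND_AUTHENTICATION_FACTOR": None},
    {"USER_NAME": "BOB", "IS_SUCCESS": "YES", "CLIENT_IP": "198.51.100.8",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD", "SECOND_AUTHENTICATION_FACTOR": "DUO_PUSH"},
    {"USER_NAME": "CAROL", "IS_SUCCESS": "YES", "CLIENT_IP": "198.51.100.9",
     "FIRST_AUTHENTICATION_FACTOR": "SAML2_ASSERTION", "SECOND_AUTHENTICATION_FACTOR": None},
    {"USER_NAME": "DAVE", "IS_SUCCESS": "NO", "CLIENT_IP": "203.0.113.50",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD", "SECOND_AUTHENTICATION_FACTOR": None},
    {"USER_NAME": "SVC_ETL", "IS_SUCCESS": "YES", "CLIENT_IP": "192.0.2.10",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD", "SECOND_AUTHENTICATION_FACTOR": None},
]


def audit_logins(rows):
    """Count each user's successful logins by authentication path."""
    report = defaultdict(lambda: {"password_only": 0, "password_mfa": 0,
                                  "federated_or_other": 0, "password_only_ips": set()})
    for row in rows:
        if row["IS_SUCCESS"] != "YES":
            continue  # failed attempts never yielded a session
        entry = report[row["USER_NAME"]]
        if row["FIRST_AUTHENTICATION_FACTOR"] != "PASSWORD":
            entry["federated_or_other"] += 1  # e.g. SAML SSO; MFA, if any, sits at the IdP
        elif row["SECOND_AUTHENTICATION_FACTOR"]:
            entry["password_mfa"] += 1
        else:
            entry["password_only"] += 1  # a password alone was enough to log in
            entry["password_only_ips"].add(row["CLIENT_IP"])
    return dict(report)


def users_at_risk(rows):
    """Users with at least one successful password login and no second factor."""
    return sorted(u for u, e in audit_logins(rows).items() if e["password_only"])


if __name__ == "__main__":
    for user in users_at_risk(SAMPLE_ROWS):
        print(user, sorted(audit_logins(SAMPLE_ROWS)[user]["password_only_ips"]))
```
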

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Tuesday, 04-Jun-2024 03:20:15 JST

      Hudson Rock have put out a statement saying a legal threat from Snowflake caused them to remove their blog. https://www.linkedin.com/posts/hudson-rock_activity-7203433945919578113-RH05 HT @mattburgess

      In conversation Tuesday, 04-Jun-2024 03:20:15 JST permalink

      Attachments


      1. https://cyberplace.social/system/media_attachments/files/112/554/066/614/811/896/original/9c9092ff8501a6e6.jpeg