As many as 165 customers of Snowflake are said to have had their information potentially exposed as part of an ongoing campaign designed to facilitate data theft and extortion. Google-owned Mandiant, which is assisting the cloud data warehousing platform in its incident response efforts, is tracking the activity cluster under the name UNC5537, describing it as a financially motivated threat actor. This is the first time the number of affected customers has been officially disclosed; previously, Snowflake had noted that a “limited number” of its customers were impacted by the incident. The company has more than 9,820 global customers.
UNC5537 systematically compromises Snowflake customer instances using stolen customer credentials, advertising victim data for sale on cybercrime forums, and attempting to extort many of the victims. The campaign stems from compromised customer credentials purchased from cybercrime forums or obtained through information-stealing malware such as Lumma, MetaStealer, Raccoon, RedLine, RisePro, and Vidar. It’s believed to have commenced on April 14, 2024. In several instances, the stealer malware infections have been detected on contractor systems that were also used for personal activities, such as gaming and downloading pirated software.
The unauthorized access to customer instances has been found to pave the way for a reconnaissance utility dubbed FROSTBITE that’s used to run SQL queries and gather information about the users, current roles, current IPs, session IDs, and organization names. Mandiant said it has been unable to obtain a complete sample of FROSTBITE, with the company also spotlighting the threat actor’s use of a legitimate utility called DBeaver Ultimate to connect and run SQL queries across Snowflake instances. The final stage of the attack involves the adversary running commands to stage and exfiltrate data.
Snowflake is working closely with its customers to harden their security measures and is developing a plan to require them to implement advanced security controls, like multi-factor authentication (MFA) or network policies. The attacks have become hugely successful due to a lack of MFA, not rotating credentials periodically, and missing checks to ensure access only from trusted locations. Mandiant pointed out that the earliest infostealer infection date observed associated with a credential leveraged by the threat actor dated back to November 2020. This campaign highlights the consequences of vast amounts of credentials circulating on the infostealer marketplace and the pervasive threat they pose to organizations.
Reference:
