Menu

  • Alerts
  • Incidents
  • News
  • APTs
  • Cyber Decoded
  • Cyber Hygiene
  • Cyber Review
  • Cyber Tips
  • Definitions
  • Malware
  • Threat Actors
  • Tutorials

Useful Tools

  • Password generator
  • Report an incident
  • Report to authorities
No Result
View All Result
CTF Hack Havoc
CyberMaterial
  • Education
    • Cyber Decoded
    • Definitions
  • Information
    • Alerts
    • Incidents
    • News
  • Insights
    • Cyber Hygiene
    • Cyber Review
    • Tips
    • Tutorials
  • Support
    • Contact Us
    • Report an incident
  • About
    • About Us
    • Advertise with us
Get Help
Hall of Hacks
  • Education
    • Cyber Decoded
    • Definitions
  • Information
    • Alerts
    • Incidents
    • News
  • Insights
    • Cyber Hygiene
    • Cyber Review
    • Tips
    • Tutorials
  • Support
    • Contact Us
    • Report an incident
  • About
    • About Us
    • Advertise with us
Get Help
No Result
View All Result
Hall of Hacks
CyberMaterial
No Result
View All Result
Home Alerts

UNC5537 Attacks Snowflake Customers

June 11, 2024
Reading Time: 3 mins read
in Alerts
UNC5537 Attacks Snowflake Customers

As many as 165 customers of Snowflake are said to have had their information potentially exposed as part of an ongoing campaign designed to facilitate data theft and extortion. Google-owned Mandiant, which is assisting the cloud data warehousing platform in its incident response efforts, is tracking the activity cluster under the name UNC5537, describing it as a financially motivated threat actor. This is the first time the number of affected customers has been officially disclosed; previously, Snowflake had noted that a “limited number” of its customers were impacted by the incident. The company has more than 9,820 global customers.

UNC5537 systematically compromises Snowflake customer instances using stolen customer credentials, advertising victim data for sale on cybercrime forums, and attempting to extort many of the victims. The campaign stems from compromised customer credentials purchased from cybercrime forums or obtained through information-stealing malware such as Lumma, MetaStealer, Raccoon, RedLine, RisePro, and Vidar. It’s believed to have commenced on April 14, 2024. In several instances, the stealer malware infections have been detected on contractor systems that were also used for personal activities, such as gaming and downloading pirated software.

The unauthorized access to customer instances has been found to pave the way for a reconnaissance utility dubbed FROSTBITE that’s used to run SQL queries and gather information about the users, current roles, current IPs, session IDs, and organization names. Mandiant said it has been unable to obtain a complete sample of FROSTBITE, with the company also spotlighting the threat actor’s use of a legitimate utility called DBeaver Ultimate to connect and run SQL queries across Snowflake instances. The final stage of the attack involves the adversary running commands to stage and exfiltrate data.

Snowflake is working closely with its customers to harden their security measures and is developing a plan to require them to implement advanced security controls, like multi-factor authentication (MFA) or network policies. The attacks have become hugely successful due to a lack of MFA, not rotating credentials periodically, and missing checks to ensure access only from trusted locations. Mandiant pointed out that the earliest infostealer infection date observed associated with a credential leveraged by the threat actor dated back to November 2020. This campaign highlights the consequences of vast amounts of credentials circulating on the infostealer marketplace and the pervasive threat they pose to organizations.

Reference:

  • UNC5537 Targets Snowflake Customers for Data Theft and Extortion

Tags: Cyber AlertCyber Alerts 2024Cyber RiskCyber threatGoogleJune 2024LummaMandiantMetaStealerRaccoonRedLineRiseProSnowflake
ADVERTISEMENT

Related Posts

COLDRIVER Hackers Target Sensitive Data

COLDRIVER Hackers Target Sensitive Data

May 8, 2025
COLDRIVER Hackers Target Sensitive Data

Cisco Fixes Flaw in IOS Wireless Controller

May 8, 2025
COLDRIVER Hackers Target Sensitive Data

CoGUI Targets Consumer and Finance Brands

May 8, 2025
Critical Kibana Flaws Allows Code Execution

Mirai Botnet Exploits Vulnerabilities in IoT

May 7, 2025
Critical Kibana Flaws Allows Code Execution

Critical Kibana Flaws Allows Code Execution

May 7, 2025
Critical Kibana Flaws Allows Code Execution

New OttoKit Flaw Targets WordPress Sites

May 7, 2025

Latest Alerts

CoGUI Targets Consumer and Finance Brands

COLDRIVER Hackers Target Sensitive Data

Cisco Fixes Flaw in IOS Wireless Controller

New OttoKit Flaw Targets WordPress Sites

Mirai Botnet Exploits Vulnerabilities in IoT

Critical Kibana Flaws Allows Code Execution

Subscribe to our newsletter

    Latest Incidents

    Masimo Cyberattack Disrupts Manufacturing

    Cyberattack Targets Tepotzotlán Facebook

    West Lothian Schools Hit by Ransomware

    UK Legal Aid Agency Faces Cyber Incident

    South African Airways Hit by Cyberattack

    Coweta County School System Cyberattack

    CyberMaterial Logo
    • About Us
    • Contact Us
    • Jobs
    • Legal and Privacy Policy
    • Site Map

    © 2025 | CyberMaterial | All rights reserved

    Welcome Back!

    Login to your account below

    Forgotten Password?

    Retrieve your password

    Please enter your username or email address to reset your password.

    Log In

    Add New Playlist

    No Result
    View All Result
    • Alerts
    • Incidents
    • News
    • Cyber Decoded
    • Cyber Hygiene
    • Cyber Review
    • Definitions
    • Malware
    • Cyber Tips
    • Tutorials
    • Advanced Persistent Threats
    • Threat Actors
    • Report an incident
    • Password Generator
    • About Us
    • Contact Us
    • Advertise with us

    Copyright © 2025 CyberMaterial