
More than 160 Snowflake customers hit in targeted data theft spree


Mandiant reports that more than 160 Snowflake customers have been hit in a broad data theft and extortion campaign targeting organisations that have failed to pay proper attention to securing valuable credentials

By Alex Scroxton, Security Editor

Published: 11 Jun 2024 16:22

Mandiant has warned Snowflake customers to step up their game when it comes to basic credential hygiene, after revealing evidence that more than 160 customers – including Santander and Ticketmaster – have been compromised in a targeted campaign by a financially motivated threat actor it tracks as UNC5537.

Mandiant said UNC5537 was systematically compromising Snowflake customer instances using stolen credentials, offering purloined data for sale on dark web forums, and attempting to extort many of the victims.

Vindicating Snowflake – which has previously said it was unable to identify any compromise of its own enterprise environment – Mandiant said that in every instance it tracked, the compromise was the result of poor cyber security hygiene at the victimised customer.

“Since at least April 2024, UNC5537 has leveraged stolen credentials to access over 100 Snowflake customer tenants. The threat actor systematically compromised customer tenants, downloaded data, extorted victims, and advertised victim data for sale on cyber criminal forums,” said Mandiant Consulting CTO Charles Carmakal.

“The combination of multiple factors contributed to the targeted threat campaign including Snowflake customer accounts configured without MFA, credentials stolen by infostealer malware – often from personal computers – and the tenants configured without network allow lists. It’s critical that organisations assess their exposure to stolen credentials by infostealers, as we anticipate this threat actor and others will replicate this campaign across other SaaS solutions.”

Mandiant said that the infostealers used to snaffle the victims’ credentials were distributed in various malware campaigns, some of them dating as far back as 2020. The malware families involved included Vidar, RisePro, RedLine, Raccoon Stealer, Lumma and MetaStealer.

It also noted that the impacted accounts did not have multifactor authentication (MFA) enabled, so a valid username and password alone was enough to log on. In many cases the credentials identified dated back years and had not been rotated or updated since being stolen. Nor had the affected customers put network allow lists in place to restrict access to trusted locations, so logins from the attackers’ commercial VPN exit nodes were accepted without challenge.

Concerningly, in many cases, the infostealers were determined to have arrived on third-party contractor computer systems that were also being used in a personal capacity, including for gaming and downloads of pirated software or content.

Mandiant warned organisations to be stricter with contractors’ hygiene, as many use personal or unmonitored PCs to access the systems of multiple clients, often with elevated, administrator privileges, further facilitating UNC5537’s campaign.
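The three weaknesses Mandiant describes (no MFA, stale passwords, no network allow list) and the over-privileged contractor accounts in the paragraph above can all be checked from a Snowflake worksheet. The following is an added audit example written for this article; it is not code from Mandiant, Snowflake or the article, and it assumes a role that can read the SNOWFLAKE.ACCOUNT_USAGE share (ACCOUNTADMIN, or a role granted IMPORTED PRIVILEGES on it). The CIDR ranges and policy name are constructed placeholders.

```sql
-- Added audit example (not from the article, Mandiant or Snowflake).
-- Assumes a role that can read the SNOWFLAKE.ACCOUNT_USAGE share.
-- IP ranges and the policy name below are constructed placeholders.

-- 1. Active password users with no MFA enrolment whose password has not
--    changed for over a year: the profile UNC5537 abused.
SELECT name,
       ext_authn_duo          AS has_mfa,
       password_last_set_time,
       last_success_login
FROM   snowflake.account_usage.users
WHERE  disabled = FALSE
  AND  deleted_on IS NULL
  AND  has_password = TRUE
  AND  ext_authn_duo = FALSE
  AND  password_last_set_time < DATEADD(year, -1, CURRENT_TIMESTAMP())
ORDER  BY password_last_set_time;

-- 2. Successful password-only logins in the last 30 days from outside the
--    corporate ranges. A stolen credential replayed through a commercial
--    VPN shows up here as PASSWORD with no second factor and a foreign IP.
WITH allowed AS (
    SELECT PARSE_IP(cidr, 'INET') AS r
    FROM   (VALUES ('203.0.113.0/24'), ('198.51.100.0/24')) AS t(cidr)
)
SELECT l.event_timestamp, l.user_name, l.client_ip,
       l.reported_client_type, l.first_authentication_factor
FROM   snowflake.account_usage.login_history l
WHERE  l.is_success = 'YES'
  AND  l.event_timestamp > DATEADD(day, -30, CURRENT_TIMESTAMP())
  AND  l.first_authentication_factor = 'PASSWORD'
  AND  l.second_authentication_factor IS NULL
  AND  NOT EXISTS (
         SELECT 1 FROM allowed a
         WHERE  PARSE_IP(l.client_ip, 'INET'):ipv4::NUMBER
                BETWEEN a.r:ipv4_range_start::NUMBER
                    AND a.r:ipv4_range_end::NUMBER)
ORDER  BY l.event_timestamp DESC;

-- 3. Holders of ACCOUNTADMIN / SECURITYADMIN who are not enrolled in MFA:
--    the contractor-with-admin-rights case Mandiant flags.
SELECT g.grantee_name, g.role, u.ext_authn_duo AS has_mfa, u.last_success_login
FROM   snowflake.account_usage.grants_to_users g
JOIN   snowflake.account_usage.users u ON u.name = g.grantee_name
WHERE  g.deleted_on IS NULL
  AND  g.role IN ('ACCOUNTADMIN', 'SECURITYADMIN')
  AND  u.disabled = FALSE
  AND  u.deleted_on IS NULL
  AND  u.ext_authn_duo = FALSE;

-- 4. Close the network gap: an account-level allow list. Test it first by
--    attaching the policy to a single user (ALTER USER ... SET NETWORK_POLICY)
--    so an administrator is not locked out of the account.
CREATE NETWORK POLICY corp_and_contractor_only
  ALLOWED_IP_LIST = ('203.0.113.0/24', '198.51.100.0/24')
  COMMENT = 'Placeholder ranges: replace with office and contractor egress';
ALTER ACCOUNT SET NETWORK_POLICY = corp_and_contractor_only;
```

Two caveats when using this: ACCOUNT_USAGE views lag live activity by up to a couple of hours, so for an active incident use the corresponding INFORMATION_SCHEMA table functions instead; and a network policy only helps if every contractor’s egress address is in the list, which is precisely the inventory many of the victims did not have.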

Who are UNC5537?
UNC5537 was only formally identified and tracked by Mandiant in the past few weeks, so for now it appears only in Mandiant’s taxonomy and has not been mapped to other vendors’ threat actor names.

A financially motivated threat actor with no apparent alignment with any nation state, UNC5537 has targeted hundreds of organisations worldwide. Its members are almost all based in North America, with one known collaborator tracked to Turkey, and they may have associations with other groups.

They operate under a number of aliases, coordinating via Telegram channels and cyber crime forums, and primarily access their victim instances using Mullvad or Private Internet Access (PIA) virtual private network (VPN) IP addresses. The stolen data travelled over virtual private servers (VPS) from Moldova-based Alexhost, and has been stored on the systems of several other VPS providers, and cloud-storage provider Mega.

Mandiant said UNC5537’s campaign was not particularly novel or sophisticated, and the fact that it has had such a broad impact is more accurately a consequence of the growing use of infostealers, combined with missed opportunities by victims to secure themselves.
