
Snowflake Attacks: Mandiant Links Data Breaches to Infostealer Infections

Mandiant says a financially motivated threat actor has compromised hundreds of Snowflake instances using customer credentials stolen via infostealer malware that infected non-Snowflake owned systems.


A new report from Mandiant says about 165 organizations have been affected by a large-scale campaign that uses stolen customer credentials to target Snowflake cloud storage systems.

According to Mandiant, a financially motivated threat actor tracked as UNC5537 has compromised hundreds of Snowflake instances using customer credentials stolen via infostealer malware that infected non-Snowflake owned systems.

“Mandiant’s investigation has not found any evidence to suggest that unauthorized access to Snowflake customer accounts stemmed from a breach of Snowflake’s enterprise environment,” the Google-owned company said.

“Instead, every incident Mandiant responded to associated with this campaign was traced back to compromised customer credentials.”

According to the Mandiant report, attacks started on April 14 and targeted accounts that did not have proper multi-factor authentication (MFA) protections in place. Some of the credentials used in the campaign, Mandiant says, were compromised years ago.

“Mandiant identified that the majority of the credentials used by UNC5537 were available from historical infostealer infections, some of which dated as far back as 2020,” the company said.

The credentials used in the Snowflake campaign were stolen using malware such as Lumma, Meta, Raccoon Stealer, Redline, Risepro, and Vidar. In some instances, contractor systems that were also used for personal activities were infected with infostealers.

In addition to lacking MFA and using long-exposed credentials that had not been rotated, the compromised Snowflake instances also lacked network allow lists. Approximately 80% of the accounts had prior credential exposure, Mandiant said.


As part of the observed attacks, UNC5537 accessed the compromised customer accounts and exfiltrated significant amounts of data, which it then used to extort many of the victim organizations directly. The threat actor “is actively attempting to sell the stolen customer data on recognized cybercriminal forums”.

UNC5537 accessed Snowflake instances using the native web-based UI, the SnowSQL command-line tool, an attacker-named utility called ‘rapeflake’ (tracked by Mandiant as FrostBite and used for reconnaissance), and the DBeaver Ultimate database management tool (used to run queries).

The threat actor was seen repeatedly executing SQL commands to perform reconnaissance and to stage and exfiltrate data.
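The three control gaps named above (no MFA, unrotated passwords, no network allow list) and the SQL-driven reconnaissance and exfiltration described here all leave traces in Snowflake's own account-usage views. The following SQL is an added defender-side example and is not from the Mandiant report, the SecurityWeek article, or Snowflake's documentation; it assumes the SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY and QUERY_HISTORY views and the SHOW USERS output as Snowflake exposes them, while the policy name, the 203.0.113.0/24 range, the user name and the 30-day window are constructed placeholders. It goes slightly beyond the article by pairing each detection query with the corresponding hardening statement.

```sql
-- Added example (not from the Mandiant report or the SecurityWeek article).
-- Assumes the SNOWFLAKE.ACCOUNT_USAGE views; run with a role that can read them
-- (ACCOUNTADMIN or a role granted IMPORTED PRIVILEGES on the SNOWFLAKE database).
-- Policy name, IP range, user name and the 30-day look-back are placeholders.

-- 1. Detection: successful password-only logins (no second factor), grouped by
--    user, reported client and source IP. SnowSQL and JDBC (DBeaver) clients
--    appearing from unfamiliar IPs are the pattern worth reviewing first.
SELECT user_name,
       reported_client_type,
       client_ip,
       COUNT(*)             AS logins,
       MIN(event_timestamp) AS first_seen,
       MAX(event_timestamp) AS last_seen
FROM   snowflake.account_usage.login_history
WHERE  is_success = 'YES'
  AND  first_authentication_factor = 'PASSWORD'
  AND  second_authentication_factor IS NULL
  AND  event_timestamp >= DATEADD(day, -30, CURRENT_TIMESTAMP())
GROUP  BY 1, 2, 3
ORDER  BY logins DESC;

-- 2. Detection: per user and role, count enumeration statements (SHOW/DESCRIBE)
--    next to data unloads (COPY INTO <location>, query_type = 'UNLOAD'), which
--    is the staging-then-exfiltration sequence the article describes.
SELECT user_name,
       role_name,
       query_type,
       COUNT(*)           AS queries,
       SUM(rows_produced) AS rows_out,
       MIN(start_time)    AS first_seen,
       MAX(start_time)    AS last_seen
FROM   snowflake.account_usage.query_history
WHERE  query_type IN ('SHOW', 'DESCRIBE', 'UNLOAD')
  AND  start_time >= DATEADD(day, -30, CURRENT_TIMESTAMP())
GROUP  BY 1, 2, 3
ORDER  BY user_name, last_seen DESC;

-- 3. Inventory: users who have never enrolled in Duo MFA. SHOW USERS returns
--    lower-case column names, so they must be double-quoted in the RESULT_SCAN.
SHOW USERS;
SELECT "name", "disabled", "last_success_login"
FROM   TABLE(RESULT_SCAN(LAST_QUERY_ID()))
WHERE  "ext_authn_duo" = false
  AND  "disabled" = false;

-- 4. Mitigation: restrict the account to known egress ranges.
--    203.0.113.0/24 is an RFC 5737 documentation prefix; replace it with your
--    corporate / VPN egress addresses before applying.
CREATE NETWORK POLICY IF NOT EXISTS corp_egress_only
  ALLOWED_IP_LIST = ('203.0.113.0/24')
  COMMENT = 'Placeholder range; replace with real egress CIDRs';

ALTER ACCOUNT SET NETWORK_POLICY = corp_egress_only;

-- 5. Mitigation: force rotation of a long-exposed password at next login
--    (placeholder user name; repeat for every account flagged by query 1 or 3).
ALTER USER placeholder_user SET MUST_CHANGE_PASSWORD = TRUE;
```

Queries 1 to 3 are read-only and can be run as a first triage pass; statements 4 and 5 change account state, so test the network policy against a user-level policy (`ALTER USER ... SET NETWORK_POLICY`) before setting it account-wide, or an administrator connecting from an unlisted address will be locked out along with the attacker.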

UNC5537, which has targeted hundreds of organizations worldwide and which operates under various names on Telegram channels and cybercrime forums, consists mainly of individuals in North America, with a member in Turkey. Some members are associated with other known threat groups.

“UNC5537’s campaign against Snowflake customer instances is not the result of any particularly novel or sophisticated tool, technique, or procedure. This campaign’s broad impact is the consequence of the growing infostealer marketplace and missed opportunities to further secure credentials,” Mandiant added.

Ticketmaster, Santander Bank, Anheuser-Busch, Allstate, Advance Auto Parts, Mitsubishi, Neiman Marcus, Progressive, and State Farm were previously named as potential victims in the Snowflake campaign.

Update: Mandiant published a 65-page threat hunting guide on June 17th to help organizations look for abnormal and unauthorized activity in their Snowflake instances.

Related: Ransomware Declines as InfoStealers and AI Threats Gain Ground

Related: Several Infostealers Using Persistent Cookies to Hijack Google Accounts

Related: macOS Infostealer Malware ‘MetaStealer’ Targeting Businesses

Related: Snowflake Embroiled in Breach Impacting Ticketmaster, Other Organizations

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
