A recent report from Google Mandiant has found that approximately 165 organizations were potentially exposed in a wave of data breaches affecting customers of the cloud data platform Snowflake. The breaches, which hit high-profile Snowflake customers such as Ticketmaster, Advance Auto Parts, and Santander, were initially thought to be linked to Snowflake’s own environment. Mandiant’s investigation, however, concluded that they originated from compromised customer credentials, many belonging to accounts that did not have multi-factor authentication enabled.
UNC5537, a financially motivated threat actor whose members are based in North America and who collaborates with an additional member in Turkey, has been identified as the group behind the breaches. According to Mandiant, UNC5537 has been systematically compromising Snowflake customer instances using stolen customer credentials and then attempting to extort the victims. The investigation found no evidence that the breaches stemmed from a compromise of Snowflake’s enterprise environment; every incident was traced back to compromised customer credentials.
Mandiant first identified the campaign targeting Snowflake customers in April 2024. Using credentials harvested by infostealer malware, the threat actor logged in to customer instances and exfiltrated valuable data. Many of the compromised accounts did not have multi-factor authentication enabled, so a valid username and password alone was enough to gain access.
Mandiant’s investigation found that UNC5537 obtained access to Snowflake customer instances using credentials stolen across multiple infostealer campaigns. Some of these infections date back to 2020 and involve malware families such as VIDAR, RISEPRO, REDLINE, RACCOON STEALER, LUMMA, and METASTEALER. Initial access typically occurred through Snowflake’s native web-based UI (SnowSight) or command-line interface (SnowSQL), with follow-on access and reconnaissance carried out with an attacker utility known as “rapeflake” (tracked by Mandiant as FROSTBITE).
Beyond the missing multi-factor authentication, the affected accounts had not rotated their credentials after they were stolen, in some cases years earlier, and the affected instances did not use network policies (allow lists) to restrict logins to trusted locations. A list of suspect IP addresses associated with the breaches has been shared on VirusTotal, and Snowflake has published detailed security guidance, including indicators of compromise (IoCs), to help customers detect and prevent unauthorized access.
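The three gaps described above (password-only logins, no network policy, unrotated credentials) can be checked and closed from Snowflake's own SQL interface. The statements below are an added example written for this page; they are not the queries Mandiant or Snowflake published. They assume the ACCOUNTADMIN role, access to the SNOWFLAKE.ACCOUNT_USAGE views and SHOW USERS output, and a schema in which to place the authentication policy. The policy names, the IP ranges, and the user `alice` are placeholders, and the only client string hunted for is "rapeflake" because that is the one this page names.

```sql
-- Added example: hunting and hardening for the Snowflake credential-abuse pattern.
-- Assumptions: ACCOUNTADMIN role, SNOWFLAKE.ACCOUNT_USAGE views available,
-- policy names, IP ranges and the user "alice" are placeholders.

-- 1. Hunt: successful logins in the last 30 days that used a password and no
--    second factor. This is the condition every victim instance shared.
SELECT event_timestamp,
       user_name,
       client_ip,
       reported_client_type,
       first_authentication_factor,
       second_authentication_factor
FROM   snowflake.account_usage.login_history
WHERE  event_timestamp >= DATEADD(day, -30, CURRENT_TIMESTAMP())
  AND  is_success = 'YES'
  AND  first_authentication_factor = 'PASSWORD'
  AND  second_authentication_factor IS NULL
ORDER  BY event_timestamp DESC;

-- 2. Hunt: sessions opened by the attacker utility named on this page. Extend the
--    LIKE pattern or add an IN list with any client names from Snowflake's IoCs.
SELECT s.created_on,
       s.user_name,
       s.client_application_id,
       l.client_ip
FROM   snowflake.account_usage.sessions s
JOIN   snowflake.account_usage.login_history l
       ON s.login_event_id = l.event_id
WHERE  LOWER(s.client_application_id) LIKE '%rapeflake%'
ORDER  BY s.created_on DESC;

-- 3. Inventory: enabled users who can log in with a password but have no Duo MFA
--    enrolled. SHOW USERS exposes enrollment in the ext_authn_duo column.
SHOW USERS;
SELECT "name", "login_name", "has_password", "ext_authn_duo", "last_success_login"
FROM   TABLE(RESULT_SCAN(LAST_QUERY_ID()))
WHERE  "disabled" = 'false'
  AND  "has_password" = 'true'
  AND  "ext_authn_duo" = 'false';

-- 4. Fix: network allow list. The weak state is no network policy at all, which
--    lets any internet source holding a valid password log in. The corrected
--    state admits only the corporate egress ranges (placeholder addresses).
CREATE NETWORK POLICY IF NOT EXISTS corp_egress_only
  ALLOWED_IP_LIST = ('203.0.113.0/24', '198.51.100.10')
  COMMENT = 'Only corporate egress may reach this account';
-- Run this from an IP inside the list; Snowflake refuses to apply a policy that
-- would lock out the session issuing the command.
ALTER ACCOUNT SET NETWORK_POLICY = corp_egress_only;

-- 5. Fix: make MFA enrollment mandatory instead of leaving it to each user.
--    Authentication policies are schema-level objects, hence the qualified name.
CREATE AUTHENTICATION POLICY IF NOT EXISTS security.policies.require_mfa
  MFA_ENROLLMENT = REQUIRED
  CLIENT_TYPES   = ('ALL')
  COMMENT = 'Users must enroll in MFA at next login';
ALTER ACCOUNT SET AUTHENTICATION POLICY security.policies.require_mfa;

-- 6. Fix: rotate a credential that an infostealer is known to have captured and
--    stop any work it is currently running. "alice" is a placeholder user.
ALTER USER alice SET PASSWORD = '<new-random-password>' MUST_CHANGE_PASSWORD = TRUE;
ALTER USER alice ABORT ALL QUERIES;
```

Run the hunting queries (1 to 3) first and keep their output as evidence, then apply the policies (4 and 5) account-wide; per-user network or authentication policies can be set with `ALTER USER ... SET NETWORK_POLICY` / `SET AUTHENTICATION POLICY` where service accounts need separate treatment. ACCOUNT_USAGE views lag live activity by up to a couple of hours, so for an in-progress incident also check the `INFORMATION_SCHEMA.LOGIN_HISTORY` table function, which is near real time.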
Overall, the breaches affecting Snowflake customers show that a cloud platform’s own security does not protect a tenant whose accounts can be opened with a password alone. Enforcing multi-factor authentication, restricting logins with network policies, and rotating credentials known to have been exposed by infostealers are the controls that would have blocked this campaign, and organizations that apply them proactively reduce the risk of falling victim to similar attacks.