A recent report from Google Cloud’s Mandiant revealed that exposed credentials were used in attacks against Snowflake database customers. The threat actor, tracked as UNC5537, targeted customers of the cloud storage and analytics giant using stolen credentials. Mitiga Security first identified the threat on May 30, and Snowflake confirmed the activity on May 31. However, Snowflake denied that the attacks were the result of vulnerabilities or malicious activity within its products.
In a statement released on June 1, Snowflake, along with CrowdStrike and Mandiant, clarified that the compromised credentials did not belong to current or former Snowflake personnel. Instead, the threat actor gained access to demo accounts of a former employee that did not contain sensitive data. Mandiant further elaborated on UNC5537’s campaign in a blog post on June 10, revealing that the threat actor was financially motivated and aimed to compromise Snowflake customer instances, advertise victim data for sale, and extort victims.
Mandiant identified a custom attack tool, Frostbite, used by UNC5537 along with multiple variants of info-stealing malware to expose customer credentials. The post also disclosed that most targeted customers had their credentials compromised prior to being targeted by UNC5537, and at least 79.7% of the accounts used in the campaign had previous credential exposure. This highlights the importance of implementing strong security measures such as multi-factor authentication (MFA) and regularly rotating credentials.
The report emphasized the need for organizations to assess their vulnerability to stolen credentials by infostealers, as Mandiant and Snowflake have already identified approximately 165 potentially exposed organizations. Organizations should be proactive in securing their environments, as threat actors may replicate similar attacks on other SaaS solutions in the future. Mandiant Consulting CTO Charles Carmakal warned that organizations should expect further attempts from threat actors to conduct similar attacks due to the combination of factors that contributed to UNC5537’s campaign.
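The two checks the article recommends, finding accounts that still sign in with a password and no second factor, and spotting logins from source addresses an account has never used before, can be run over a Snowflake login-history export. The script below is an added example written for this page; it is not code from the article, Mandiant or Snowflake. The field names mirror the columns of Snowflake's SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY view, the factor values (PASSWORD, RSA_KEYPAIR, DUO_PUSH) are the ones that view reports, and every user, IP address and timestamp is constructed sample data for the demonstration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class LoginEvent:
    """One row shaped like SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY (subset of columns)."""
    event_timestamp: datetime
    user_name: str
    client_ip: str
    reported_client_type: str
    first_authentication_factor: str
    second_authentication_factor: Optional[str]
    is_success: bool


# Constructed "current time" so the sample and its results are deterministic.
NOW = datetime(2024, 6, 10, 12, 0, 0)

# Constructed sample login history (users, IPs and times are made up).
SAMPLE_LOGIN_HISTORY: List[LoginEvent] = [
    # ALICE: password plus Duo push, always from the same corporate egress address.
    LoginEvent(NOW - timedelta(days=40), "ALICE", "203.0.113.10", "SNOWFLAKE_UI", "PASSWORD", "DUO_PUSH", True),
    LoginEvent(NOW - timedelta(days=2), "ALICE", "203.0.113.10", "SNOWFLAKE_UI", "PASSWORD", "DUO_PUSH", True),
    # BOB: password only, historically from one address, then from a new one via a generic client.
    LoginEvent(NOW - timedelta(days=45), "BOB", "198.51.100.7", "SNOWFLAKE_UI", "PASSWORD", None, True),
    LoginEvent(NOW - timedelta(days=1), "BOB", "192.0.2.55", "OTHER", "PASSWORD", None, True),
    # SVC_ETL: key-pair authentication from a fixed pipeline host; no password in play.
    LoginEvent(NOW - timedelta(days=20), "SVC_ETL", "198.51.100.20", "PYTHON_DRIVER", "RSA_KEYPAIR", None, True),
    LoginEvent(NOW - timedelta(days=3), "SVC_ETL", "198.51.100.20", "PYTHON_DRIVER", "RSA_KEYPAIR", None, True),
    # A failed password attempt against ALICE from an unknown address: not a login, so not a "new IP".
    LoginEvent(NOW - timedelta(hours=5), "ALICE", "192.0.2.99", "OTHER", "PASSWORD", None, False),
]


def password_only_users(events: Iterable[LoginEvent]) -> List[str]:
    """Users with at least one successful login by password and no second factor.

    These are the accounts a stolen infostealer credential would open directly.
    """
    return sorted({
        e.user_name
        for e in events
        if e.is_success
        and e.first_authentication_factor == "PASSWORD"
        and e.second_authentication_factor is None
    })


def new_source_ips(events: Iterable[LoginEvent], now: datetime,
                   recent_days: int = 7, baseline_days: int = 90) -> Dict[str, List[str]]:
    """Per user, successful-login source IPs seen in the recent window that never
    appeared in that user's baseline window. Users with no baseline are skipped,
    because "new" is meaningless without history to compare against."""
    recent_start = now - timedelta(days=recent_days)
    baseline_start = now - timedelta(days=baseline_days)
    baseline: Dict[str, set] = {}
    recent: Dict[str, set] = {}
    for e in events:
        if not e.is_success:
            continue  # failed attempts do not establish a source the account "uses"
        if recent_start <= e.event_timestamp <= now:
            recent.setdefault(e.user_name, set()).add(e.client_ip)
        elif baseline_start <= e.event_timestamp < recent_start:
            baseline.setdefault(e.user_name, set()).add(e.client_ip)
    findings: Dict[str, List[str]] = {}
    for user, ips in recent.items():
        if user not in baseline:
            continue
        novel = ips - baseline[user]
        if novel:
            findings[user] = sorted(novel)
    return findings


def high_priority_users(events: List[LoginEvent], now: datetime) -> List[str]:
    """Accounts that are both password-only and logging in from a never-seen address:
    the combination to triage first (rotate the credential, enforce MFA, review activity)."""
    weak = set(password_only_users(events))
    moved = set(new_source_ips(events, now))
    return sorted(weak & moved)


if __name__ == "__main__":
    print("password-only users:", password_only_users(SAMPLE_LOGIN_HISTORY))
    print("new source IPs:", new_source_ips(SAMPLE_LOGIN_HISTORY, NOW))
    print("triage first:", high_priority_users(SAMPLE_LOGIN_HISTORY, NOW))
```

Against the constructed sample, only BOB is password-only and only BOB appears from an unseen address, so BOB is the single account to triage first; ALICE's failed attempt from 192.0.2.99 is deliberately not reported as a new source because it never succeeded. On a real export the same two functions run unchanged over the rows pulled from the LOGIN_HISTORY view.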
When asked about their plans to enforce MFA policies or enable it by default in customer environments, Snowflake did not respond. This lack of response raises questions about the company’s approach to enhancing security measures for their customers moving forward. As the cybersecurity landscape continues to evolve, organizations must prioritize implementing robust security measures to protect against threats like UNC5537 and ensure the safety of their data.
In conclusion, the recent attacks on Snowflake database customers serve as a reminder of the importance of securing credentials and implementing strong authentication measures. Organizations must remain vigilant and proactive in safeguarding their data against evolving threats in the digital landscape.
