Affected Snowflake customers did not use multi-factor authentication, and in many cases, passwords had not been rotated for as long as four years, Google’s Mandiant says.
Mandiant says that approximately 165 Snowflake customers may have been exposed by a financially motivated threat actor it tracks as UNC5537. No evidence suggests any breach of Snowflake's own environment; instead, every incident can be traced to a compromise of customer credentials.
The attackers used multiple infostealer malware campaigns to infect customer systems and later, using the stolen credentials, systematically compromised Snowflake customer instances.
The stolen data then appeared for sale on cybercrime forums, and the attackers also attempted to extort many victims directly.
Three primary factors led to numerous successful compromises. First, the impacted accounts did not have multi-factor authentication enabled. Therefore, malicious actors only required a valid username and password.
Second, the stolen credentials were still valid years after they were stolen and had not been rotated or updated. The last reason was that the impacted Snowflake customer instances did not use network allow lists, so they could be accessed from anywhere in the world.
Hackers employed various infostealers
The threat actor used several infostealer malware variants to extract Snowflake customer credentials: Vidar, Risepro, Redline, Raccoon Stealer, Lumma, and Metastealer. Vast amounts of credentials are also circulating on the infostealer market.
“According to Mandiant and Snowflake’s analysis, at least 79.7% of the accounts leveraged by the threat actor in this campaign had prior credential exposure,” the Mandiant report says.
The earliest infostealer infection was observed in November 2020, and since then, Mandiant has identified hundreds of Snowflake instances with credentials exposed via infostealers. In several cases, the initial compromise came from contractor systems.
Attackers accessed Snowflake customer instances using VPNs, relied on reconnaissance software like Frostbite, and finally, copied and exfiltrated the data. When exfiltrating the data, attackers were observed using virtual private server (VPS) systems from Alexhost SRL, a Moldovan provider. Other international VPS providers and cloud storage provider MEGA were used to store stolen victim data.
“UNC5537’s campaign against Snowflake customer instances is not the result of any particularly novel or sophisticated tool, technique, or procedure. This campaign’s broad impact is the consequence of the growing infostealer marketplace and missed opportunities to further secure credentials,” researchers say.
Researchers expect the cybergang to continue a similar intrusion pattern and to target additional software-as-a-service platforms.
They believe that organizations urgently need credential monitoring, universal MFA and secure authentication enforcement, restriction of traffic to trusted locations for crown-jewel systems, and alerting on abnormal access attempts.
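The three factors above (no MFA, unrotated passwords, no network allow list) and the recommendations in the previous paragraph map directly onto Snowflake's own account-usage views and network policies. The following is an added example written for this article, not code from Mandiant or Snowflake; the IP ranges, the 90-day rotation threshold and the 7-day/90-day lookback windows are assumptions, and the statements are meant to be run by an account administrator.

```sql
-- Added example (not from the article, Mandiant or Snowflake). Run as ACCOUNTADMIN.
-- IP ranges (RFC 5737 documentation blocks) and day thresholds are placeholders.

-- 1. Network allow list: only trusted egress ranges may log in. Confirm your own
--    current IP is in the list before ALTER ACCOUNT, or you lock yourself out.
CREATE NETWORK POLICY IF NOT EXISTS corp_only
  ALLOWED_IP_LIST = ('203.0.113.0/24', '198.51.100.10/32');
ALTER ACCOUNT SET NETWORK_POLICY = corp_only;

-- 2. Stale credentials: users whose password has not been set in 90+ days
--    (the article cites passwords left unrotated for up to four years).
SELECT name, password_last_set_time, last_success_login
FROM snowflake.account_usage.users
WHERE deleted_on IS NULL
  AND has_password = TRUE
  AND password_last_set_time < DATEADD(day, -90, CURRENT_TIMESTAMP());

-- 3. Missing MFA: successful password logins in the last 30 days with no second factor.
SELECT user_name, client_ip, event_timestamp, reported_client_type
FROM snowflake.account_usage.login_history
WHERE is_success = 'YES'
  AND first_authentication_factor = 'PASSWORD'
  AND second_authentication_factor IS NULL
  AND event_timestamp > DATEADD(day, -30, CURRENT_TIMESTAMP());

-- 4. Abnormal access: logins this week from an IP never seen for that user
--    in the preceding 90 days (first-seen source address per user).
WITH recent AS (
  SELECT user_name, client_ip, MIN(event_timestamp) AS first_seen
  FROM snowflake.account_usage.login_history
  WHERE is_success = 'YES'
    AND event_timestamp > DATEADD(day, -7, CURRENT_TIMESTAMP())
  GROUP BY user_name, client_ip
),
baseline AS (
  SELECT DISTINCT user_name, client_ip
  FROM snowflake.account_usage.login_history
  WHERE is_success = 'YES'
    AND event_timestamp BETWEEN DATEADD(day, -97, CURRENT_TIMESTAMP())
                            AND DATEADD(day, -7, CURRENT_TIMESTAMP())
)
SELECT r.user_name, r.client_ip, r.first_seen
FROM recent r
LEFT JOIN baseline b
  ON b.user_name = r.user_name AND b.client_ip = r.client_ip
WHERE b.user_name IS NULL
ORDER BY r.first_seen DESC;
```

Account-usage views lag live events by up to a couple of hours, so queries 3 and 4 are suited to scheduled hunting rather than real-time blocking; the network policy in step 1 is the control that actually prevents the out-of-region logins described above.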
In the update, Snowflake said they “continue to work closely with our customers as they harden their security measures to reduce cyber threats to their businesses.”
Snowflake is also developing a plan to require its customers to implement advanced security controls, like multi-factor authentication (MFA) or network policies.