A new report from Mandiant says about 165 organizations have been affected by a large-scale campaign that uses stolen customer credentials to target Snowflake cloud data platform instances.
According to Mandiant, a financially motivated threat actor tracked as UNC5537 has compromised hundreds of Snowflake instances using customer credentials stolen via infostealer malware that infected non-Snowflake owned systems.
“Mandiant’s investigation has not found any evidence to suggest that unauthorized access to Snowflake customer accounts stemmed from a breach of Snowflake’s enterprise environment,” the Google-owned company said.
“Instead, every incident Mandiant responded to associated with this campaign was traced back to compromised customer credentials.”
According to the Mandiant report, attacks started on April 14 and targeted accounts that did not have proper multi-factor authentication (MFA) protections in place. Some of the credentials used in the campaign, Mandiant says, were compromised years ago.
“Mandiant identified that the majority of the credentials used by UNC5537 were available from historical infostealer infections, some of which dated as far back as 2020,” the company said.
The credentials used in the Snowflake campaign were stolen using malware such as Lumma, Meta, Raccoon Stealer, Redline, Risepro, and Vidar. In some instances, contractor systems that were also used for personal activities were infected with infostealers.
In addition to lacking MFA and using long-exposed credentials that had not been rotated, the compromised Snowflake instances also lacked network allow lists. Approximately 80% of the accounts had prior credential exposure, Mandiant said.
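The three gaps Mandiant lists above (no MFA, unrotated credentials, no network allow list) all map to controls Snowflake already exposes through SQL. The following is an added example, not code from the article, from Mandiant's guide, or from Snowflake; the policy name, IP ranges and user names are placeholders, and the queries run against Snowflake's own ACCOUNT_USAGE views, which lag live activity by up to a couple of hours.

```sql
-- Added example (not from the article or Mandiant): closing the gaps named
-- above with Snowflake's own controls. corp_egress_only, the IP ranges and
-- the user names jdoe / old_contractor / etl_svc are placeholders.

-- 1. Active users who can still log in with a password alone: a password is
--    set, no Duo MFA is enrolled and no RSA key pair is registered.
--    MFA enrollment itself is done by the user; this lists who has not.
SELECT name, login_name, has_password, ext_authn_duo, has_rsa_public_key,
       last_success_login
FROM snowflake.account_usage.users
WHERE deleted_on IS NULL
  AND disabled::boolean = FALSE
  AND has_password = TRUE
  AND ext_authn_duo = FALSE
ORDER BY last_success_login NULLS FIRST;

-- 2. Rotate what remains and disable what is stale. A password stolen by an
--    infostealer in 2020 only works in 2024 because it was never changed.
ALTER USER jdoe SET MUST_CHANGE_PASSWORD = TRUE;
ALTER USER old_contractor SET DISABLED = TRUE;
-- Service accounts are better moved to key-pair authentication than to a
-- new password; the key body is a placeholder.
ALTER USER etl_svc SET RSA_PUBLIC_KEY = '<PEM public key body>';

-- 3. Account-level network policy. The address you are connecting from must
--    be inside ALLOWED_IP_LIST or Snowflake rejects the ALTER ACCOUNT rather
--    than lock you out.
CREATE NETWORK POLICY corp_egress_only
  ALLOWED_IP_LIST = ('203.0.113.0/24', '198.51.100.7')
  COMMENT = 'Corporate egress and bastion only';
ALTER ACCOUNT SET NETWORK_POLICY = corp_egress_only;
SHOW NETWORK POLICIES;

-- 4. Before trusting the allow list, see which addresses have actually been
--    logging in; anything outside the corporate ranges needs an explanation.
SELECT client_ip, COUNT(DISTINCT user_name) AS users, COUNT(*) AS logins
FROM snowflake.account_usage.login_history
WHERE event_timestamp >= DATEADD(day, -30, CURRENT_TIMESTAMP())
  AND is_success = 'YES'
GROUP BY client_ip
ORDER BY logins DESC;
```

Run the two SELECTs before the ALTERs: the first tells you which accounts are exposed to exactly the attack described here, the last tells you whether the allow list you are about to apply would have blocked the addresses already in use.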
As part of the observed attacks, UNC5537 accessed the compromised customer accounts and exfiltrated significant amounts of data, which it then used to extort many of the victim organizations directly. The threat actor “is actively attempting to sell the stolen customer data on recognized cybercriminal forums”.
UNC5537 accessed Snowflake instances using the native web-based UI, the command-line tool SnowSQL, an attacker-named utility ‘rapeflake’ tracked by Mandiant as FrostBite (used for reconnaissance), and the database management utility DBeaver Ultimate (used to run queries).
The threat actor was seen repeatedly executing SQL commands to perform reconnaissance and to stage and exfiltrate data.
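The activity described in this and the previous paragraph (password-only logins, sessions from the named client tools, then SQL reconnaissance followed by staging and exfiltration) leaves traces in Snowflake's ACCOUNT_USAGE views. The queries below are an added example, not code from the article or from Mandiant's hunting guide; the ILIKE patterns for client names and for stage commands, and the 60-day window, are assumptions to be tuned per environment.

```sql
-- Added example (not from the article or Mandiant's guide): hunting queries
-- over snowflake.account_usage views. These views lag live activity by up to
-- a few hours; the patterns and window below are assumptions.

-- 1. Successful logins that used only a password (no second factor): the
--    condition every incident in this campaign shared.
SELECT event_timestamp, user_name, client_ip,
       reported_client_type, reported_client_version,
       first_authentication_factor, second_authentication_factor
FROM snowflake.account_usage.login_history
WHERE event_timestamp >= DATEADD(day, -60, CURRENT_TIMESTAMP())
  AND is_success = 'YES'
  AND first_authentication_factor = 'PASSWORD'
  AND second_authentication_factor IS NULL
ORDER BY event_timestamp DESC;

-- 2. Sessions opened by the client tools named in the article, joined back
--    to the login event to get the source IP. How those tools identify
--    themselves in client_application_id is an assumption here.
SELECT s.created_on, s.user_name, s.client_application_id,
       s.client_application_version, l.client_ip
FROM snowflake.account_usage.sessions s
JOIN snowflake.account_usage.login_history l
  ON s.login_event_id = l.event_id
WHERE s.created_on >= DATEADD(day, -60, CURRENT_TIMESTAMP())
  AND (s.client_application_id ILIKE '%rapeflake%'
       OR s.client_application_id ILIKE '%dbeaver%')
ORDER BY s.created_on DESC;

-- 3. The recon -> stage -> exfiltrate sequence per user: enumeration
--    commands, stage creation, unloads into a stage (COPY INTO @stage) and
--    downloads from it (GET / LIST). One account showing every step is the
--    signal; a loader that only runs COPY INTO table FROM @stage is not.
WITH per_user AS (
  SELECT user_name,
         COUNT_IF(query_text ILIKE 'SHOW %' OR query_text ILIKE 'DESCRIBE %') AS recon_cmds,
         COUNT_IF(query_text ILIKE 'CREATE%STAGE%')                           AS stages_created,
         COUNT_IF(query_text ILIKE 'COPY INTO @%')                            AS unloads,
         COUNT_IF(query_text ILIKE 'GET @%' OR query_text ILIKE 'LIST @%')    AS stage_reads,
         SUM(bytes_written_to_result)                                         AS result_bytes
  FROM snowflake.account_usage.query_history
  WHERE start_time >= DATEADD(day, -60, CURRENT_TIMESTAMP())
  GROUP BY user_name
)
SELECT *
FROM per_user
WHERE stages_created > 0 AND unloads > 0
ORDER BY unloads DESC, result_bytes DESC;
```

Query 1 is the broadest and will include legitimate users who never enrolled in MFA; intersect its user_name column with the output of query 2 or 3, or with a list of accounts known to appear in infostealer dumps, to prioritise. bytes_written_to_result is there because large direct SELECTs pulled through DBeaver or SnowSQL exfiltrate without ever touching a stage.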
UNC5537, which has targeted hundreds of organizations worldwide and which operates under various names on Telegram channels and cybercrime forums, consists mainly of individuals in North America, with a member in Turkey. Some members are associated with other known threat groups.
“UNC5537’s campaign against Snowflake customer instances is not the result of any particularly novel or sophisticated tool, technique, or procedure. This campaign’s broad impact is the consequence of the growing infostealer marketplace and missed opportunities to further secure credentials,” Mandiant added.
Ticketmaster, Santander Bank, Anheuser-Busch, Allstate, Advance Auto Parts, Mitsubishi, Neiman Marcus, Progressive, and State Farm were previously named as potential victims in the Snowflake campaign.
Update: Mandiant published a 65-page threat hunting guide on June 17th to help organizations look for abnormal and unauthorized activity in their Snowflake instances.