Snowflake, the leading cloud data storage platform, has confirmed that the data of up to 165 of its customers have been potentially exposed in an ongoing extortion campaign. This revelation indicates that the operation has broader implications than had been previously reported.
The security company Mandiant, owned by Google, is assisting Snowflake in its incident response efforts. Mandiant has identified the previously unclassified activity group under the name UNC5537, describing it as a financially motivated threat actor.
UNC5537 has been systematically compromising Snowflake customer instances using stolen credentials. The victims' data have been advertised for sale on cybercrime forums, and many of the victims have been subjected to extortion attempts. The group has directed its attacks against hundreds of organizations worldwide and operates under several aliases on Telegram channels and cybercrime forums.
It is suspected that the members of the group are located in North America and collaborate with at least one additional party located in Turkey.
This is the first time the number of affected customers has been officially disclosed. Previously, Snowflake had indicated that a 'limited number' of its customers were affected by the incident. The company has more than 9,820 customers worldwide.
The campaign, as has been detailed previously, originates from compromised customer credentials acquired on cybercrime forums or obtained through information-stealing malware such as Lumma, MetaStealer, Raccoon, RedLine, RisePro and Vidar. It is believed that the campaign began on April 14, 2024.
In several cases, information-stealing malware infections have been detected on contractor systems that were also used for personal activities, such as games and downloading pirated software.
Unauthorized access to customer instances has allowed the use of a reconnaissance tool called FROSTBITE (also known as 'rapeflake'), which executes SQL queries to obtain information about users, current roles, current IP addresses, session IDs, and organization names.
Mandiant noted that it has not been able to obtain a complete sample of FROSTBITE and highlighted the use of a legitimate utility called DBeaver Ultimate to connect and execute SQL queries on Snowflake instances. The final stage of the attack involves the execution of commands to prepare and exfiltrate data.
Snowflake, in an updated notice, has reported that it is working closely with its customers to strengthen its security measures and is developing a plan to implement advanced security controls, such as multifactor authentication (MFA) and network policies.
The attacks have succeeded for three main reasons: the lack of MFA, the lack of periodic credential rotation, and the absence of controls that restrict access to trusted locations.
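The three weaknesses named above map directly onto account-level controls in Snowflake. The following is an added example written for this article, not configuration published by Snowflake or Mandiant: it enforces MFA enrollment and an IP allowlist, then queries the ACCOUNT_USAGE views to surface accounts that would still have been exposed. The policy names, the 203.0.113.0/24 range, and the 30- and 90-day windows are assumptions chosen for illustration; the view and column names are those documented for SNOWFLAKE.ACCOUNT_USAGE, and should be checked against the account in use.

```sql
-- 1. Trusted locations: the weak state is an account with no network policy.
--    Replace the allowlist with the organization's real egress ranges (203.0.113.0/24 is a
--    placeholder documentation range chosen for this example).
CREATE NETWORK POLICY corp_egress_only
  ALLOWED_IP_LIST = ('203.0.113.0/24')
  COMMENT = 'Example: restrict logins to trusted corporate egress';

ALTER ACCOUNT SET NETWORK_POLICY = corp_egress_only;

-- 2. MFA: an authentication policy that requires every password user to enroll a second factor.
--    Assumed policy name; MFA_ENROLLMENT = REQUIRED is the documented setting.
CREATE AUTHENTICATION POLICY require_mfa
  MFA_ENROLLMENT = REQUIRED
  COMMENT = 'Example: force MFA enrollment account-wide';

ALTER ACCOUNT SET AUTHENTICATION POLICY require_mfa;

-- 3. Detection: successful logins in the last 30 days that completed with a single factor.
--    Each row is a credential that a stolen password alone would have been enough to use.
SELECT event_timestamp,
       user_name,
       client_ip,
       reported_client_type,
       first_authentication_factor
FROM   snowflake.account_usage.login_history
WHERE  is_success = 'YES'
  AND  second_authentication_factor IS NULL
  AND  event_timestamp >= DATEADD(day, -30, CURRENT_TIMESTAMP())
ORDER  BY event_timestamp DESC;

-- 4. Credential rotation: active users whose password is older than 90 days or has never
--    been set since creation, together with their MFA enrollment state.
SELECT name,
       password_last_set_time,
       has_mfa,
       last_success_login
FROM   snowflake.account_usage.users
WHERE  deleted_on IS NULL
  AND  disabled = FALSE
  AND  (password_last_set_time IS NULL
        OR password_last_set_time < DATEADD(day, -90, CURRENT_TIMESTAMP()))
ORDER  BY password_last_set_time NULLS FIRST;
```

The two SELECT statements are the useful starting point: run them before applying the policies to size the exposure, and keep them as scheduled checks afterwards, since the ACCOUNT_USAGE views lag live activity by up to a few hours and a single-factor login appearing after the policy is in place indicates an exemption or a misapplied policy that needs review.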
The earliest observed infection by information-stealing malware associated with a credential used by the threat actor dates back to November 2020, said Mandiant, adding that "hundreds of Snowflake customer credentials exposed through information-stealing malware since 2020 were identified."
This campaign highlights the consequences of the large volume of credentials circulating in the information-stealing malware market, and it may signal a targeting approach that threat actors could replicate against similar SaaS platforms.