Snowflake Data Breach: “Snowflake Customers Breached by Threat Actor, Extorted Victims”

June 11, 2024



A cyber threat actor, UNC5537, has stolen customer data from Snowflake, a data warehousing platform. Mandiant has warned that the stolen data is being advertised for sale on cybercrime forums, with attempts to extort victims. So far, 165 organizations have been notified of potential exposure. The compromised instances were traced back to stolen credentials obtained from malware campaigns. Mandiant and Snowflake conducted a joint investigation and found that lack of MFA, outdated credentials, and no network allow lists were factors in the successful attacks. Organizations are advised to monitor credentials and enforce MFA for security.



A cyber threat actor is suspected to have stolen a significant volume of customer data from data warehousing platform Snowflake, Mandiant has warned. The financially motivated threat actor, named UNC5537, is advertising the stolen data for sale on cybercrime forums, and is attempting to extort many of the victims. To date, 165 organizations using Snowflake have been notified they have potentially been exposed.

Snowflake is a multi-cloud data warehousing platform that allows customers to store and analyze large amounts of structured and unstructured data. Mandiant researchers said that UNC5537 is “systematically” compromising Snowflake customer instances using stolen customer credentials. Every incident Mandiant has responded to in connection with this campaign has been traced back to compromised customer credentials, which were primarily obtained from multiple infostealer malware campaigns that infected systems not owned by Snowflake. There is no evidence that the incidents were caused by a breach of Snowflake’s enterprise environment.

**How Snowflake Customer Data Was Compromised**

In April 2024, Mandiant analyzed database records that were subsequently determined to have originated from a victim’s Snowflake instance. Mandiant’s investigation revealed that the organization’s Snowflake platform had been compromised by a threat actor using stolen credentials, enabling them to exfiltrate valuable data. After obtaining additional intelligence identifying a broader campaign targeting customers’ Snowflake platforms, Mandiant contacted the data warehousing platform with its findings in May 2024. This reporting led to a Victim Notification Program to notify potential victims and help them secure their accounts and data.


A joint investigation by Mandiant and Snowflake found that the majority of the credentials used by UNC5537 were available from historical infostealer infections dating back as far as 2020. The infostealer malware variants included VIDAR, RISEPRO, REDLINE, RACCOON STEALER, LUMMA and METASTEALER. At least 79.7% of the accounts leveraged by the threat actor had prior credential exposure, Mandiant and Snowflake’s analysis found.

UNC5537 was also assessed to have conducted reconnaissance against target Snowflake platforms. The threat actor used a tool named FROSTBITE to perform SQL recon activities, including listing users, current roles, current IPs, session IDs and organization names. Once customer accounts were compromised, UNC5537 repeatedly executed similar SQL commands across numerous customer Snowflake instances to stage and exfiltrate data.

Mandiant wrote: “The threat actor has subsequently begun to extort many of the victims directly and is actively attempting to sell the stolen customer data on recognized cybercriminal forums.”

UNC5537 has been tracked as a distinct cluster since May 2024, and Mandiant assesses with moderate confidence that its members are based in North America. The threat actor has been observed targeting hundreds of organizations worldwide, and frequently extorts victims for financial gain.

**Lack of MFA Allowed Attackers to Succeed**

Mandiant researchers identified three primary factors that enabled the attackers to successfully compromise impacted Snowflake customer instances, revolving around basic security protocols not being followed:

1. Multi-factor authentication (MFA) was not enabled, meaning successful authentication only required a valid username and password
2. Credentials stolen from past infostealer infections had not been rotated or updated
3. The impacted Snowflake customer instances did not have network allow lists in place to only allow access from trusted locations

Mandiant advised organizations to conduct urgent credential monitoring and to universally enforce MFA and secure authentication in order to mitigate similar campaigns in the future.
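As an added example (not from the article, Mandiant or Snowflake), the three factors listed above can be audited and remediated from inside a Snowflake account using its own SQL over the `SNOWFLAKE.ACCOUNT_USAGE` views. It assumes a role that can read that database (for example `ACCOUNTADMIN`); the policy name, IP ranges and look-back windows are placeholders.

```sql
-- Added example, not the article's or Snowflake's own code. Assumes a role
-- with access to SNOWFLAKE.ACCOUNT_USAGE; corp_only_policy, the CIDR ranges
-- and the 30-day window are placeholders to replace with real values.

-- Factor 1 and 2: active users who can still authenticate with a password
-- alone (no Duo MFA enrolled, no key pair), with when that password was last set.
SELECT name,
       password_last_set_time,
       last_success_login
FROM   snowflake.account_usage.users
WHERE  deleted_on IS NULL
  AND  disabled = FALSE
  AND  has_password = TRUE
  AND  ext_authn_duo = FALSE
  AND  has_rsa_public_key = FALSE
ORDER  BY password_last_set_time ASC NULLS FIRST;

-- Factor 1 in practice: successful logins in the last 30 days where the
-- password was the only factor, grouped by user with the spread of source IPs.
SELECT user_name,
       COUNT(*)                  AS password_only_logins,
       COUNT(DISTINCT client_ip) AS distinct_source_ips,
       MAX(event_timestamp)      AS last_seen
FROM   snowflake.account_usage.login_history
WHERE  event_timestamp > DATEADD(day, -30, CURRENT_TIMESTAMP())
  AND  is_success = 'YES'
  AND  first_authentication_factor = 'PASSWORD'
  AND  second_authentication_factor IS NULL
GROUP  BY user_name
ORDER  BY password_only_logins DESC;

-- Factor 3: restrict the account to trusted locations with a network policy.
-- The ranges below are documentation-reserved placeholders, not real egress IPs.
CREATE NETWORK POLICY IF NOT EXISTS corp_only_policy
  ALLOWED_IP_LIST = ('203.0.113.0/24', '198.51.100.0/24')
  COMMENT = 'Placeholder ranges: replace with the real trusted egress addresses';

ALTER ACCOUNT SET NETWORK_POLICY = corp_only_policy;

-- Confirm the policy is actually attached at the account level.
SHOW PARAMETERS LIKE 'NETWORK_POLICY' IN ACCOUNT;
```

The first query is the rotation list (factor 2) as well as the MFA gap list (factor 1): any row with an old `password_last_set_time` is a credential that a 2020-era infostealer log could still contain.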

*Image credit: Poetra.RH / Shutterstock.com*