An estimated 165 organizations worldwide that use Snowflake may have been affected by a campaign that used stolen customer credentials to log in to their Snowflake environments.
In a blog post, Mandiant revealed that the threat actor, referred to as UNC5537, is believed to have acquired a substantial amount of information from Snowflake customer environments.
Responding to the incident, Mandiant stated that UNC5537 likely compiled a list of credentials for Snowflake environments “through various sources of infostealer logs” found online and on the dark web.
Infostealer malware, a type of trojan that harvests saved browser passwords, cookies and session tokens from an infected endpoint and uploads them to the operator, played a key role in the theft: a Snowflake password saved in a browser on a compromised laptop ends up in the stealer's log regardless of whether Snowflake itself was ever targeted. Mandiant mentioned that the stolen Snowflake credentials “were mostly collected from numerous infostealer malware operations that targeted non-Snowflake systems”.
The impacted organizations' Snowflake accounts generally lacked multi-factor authentication (MFA), relied on long-lived credentials that had never been rotated, and/or had no network policy restricting the IP addresses from which logins were accepted, so a single leaked password was enough to gain access from anywhere.
“The affected customer instances didn’t mandate multi-factor authentication and, in several instances, the credentials hadn’t been changed for up to four years,” Mandiant reported.
“Network allow lists were also absent to restrict access to trusted sites.
“The extensive impact of this operation emphasizes the critical need for credential monitoring, the across-the-board enforcement of MFA and secure authentication, restricting traffic to trusted locations for critical data, and alerting about suspicious access attempts.”
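The three weaknesses Mandiant lists (no MFA, stale passwords, no network allow list) and the three controls it recommends map directly onto Snowflake account settings and the SNOWFLAKE.ACCOUNT_USAGE audit views. The SQL below is an added example written for this page; it is not from the article, Mandiant or Snowflake. The policy names, the 203.0.113.0/24 egress range and the one-year rotation threshold are placeholders chosen for illustration, the statements need ACCOUNTADMIN-level privileges, and the authentication-policy property names should be checked against the current Snowflake documentation for your edition, since that feature is newer than network policies.

```sql
-- Added example (not from the article, Mandiant or Snowflake). Object names,
-- the 203.0.113.0/24 range and the 1-year threshold are placeholders.
-- ACCOUNT_USAGE views lag live activity by up to a couple of hours.

-- 1. The weak state the campaign relied on: no account-level network policy,
--    so a valid password is accepted from any IP on the internet. Check with:
SHOW PARAMETERS LIKE 'NETWORK_POLICY' IN ACCOUNT;

-- 2. Hardened: accept logins only from corporate egress ranges and bind the
--    policy to the whole account. Snowflake refuses the ALTER if your own
--    current IP is not in the list, which protects against locking yourself out.
CREATE NETWORK POLICY IF NOT EXISTS corp_egress_only
  ALLOWED_IP_LIST = ('203.0.113.0/24')   -- assumption: corporate egress range
  COMMENT = 'Restrict Snowflake logins to trusted corporate egress IPs';
ALTER ACCOUNT SET NETWORK_POLICY = corp_egress_only;

-- 3. Require MFA for password logins account-wide instead of leaving enrollment
--    to each user. (Authentication policies are newer; verify property names.)
CREATE AUTHENTICATION POLICY IF NOT EXISTS require_mfa
  MFA_ENROLLMENT = REQUIRED
  MFA_AUTHENTICATION_METHODS = ('PASSWORD')
  CLIENT_TYPES = ('SNOWFLAKE_UI', 'DRIVERS', 'SNOWSQL');
ALTER ACCOUNT SET AUTHENTICATION POLICY require_mfa;

-- 4. Credential hygiene: active users with a password that has not been rotated
--    in over a year, or that never enrolled in Snowflake's built-in (Duo) MFA.
--    EXT_AUTHN_DUO says nothing about MFA enforced by an external SSO IdP.
SELECT name,
       ext_authn_duo::boolean       AS mfa_enrolled,
       password_last_set_time,
       last_success_login
FROM   snowflake.account_usage.users
WHERE  deleted_on IS NULL
  AND  NOT disabled::boolean
  AND  has_password::boolean
  AND  (NOT ext_authn_duo::boolean
        OR password_last_set_time < DATEADD(year, -1, CURRENT_TIMESTAMP()))
ORDER  BY password_last_set_time;

-- 5. Detection: successful password-only logins (no second factor) in the last
--    30 days from outside the trusted range. PARSE_IP gives the CIDR bounds as
--    integers, so the range test is exact rather than a string prefix match.
--    IPv6 client addresses have no ipv4 field and fall out of this query.
SELECT event_timestamp,
       user_name,
       client_ip,
       reported_client_type,
       first_authentication_factor,
       second_authentication_factor
FROM   snowflake.account_usage.login_history
WHERE  event_timestamp >= DATEADD(day, -30, CURRENT_TIMESTAMP())
  AND  is_success = 'YES'
  AND  first_authentication_factor = 'PASSWORD'
  AND  second_authentication_factor IS NULL
  AND  NOT (PARSE_IP(client_ip, 'INET'):ipv4::number
              BETWEEN PARSE_IP('203.0.113.0/24', 'INET'):ipv4_range_start::number
                  AND PARSE_IP('203.0.113.0/24', 'INET'):ipv4_range_end::number)
ORDER  BY event_timestamp DESC;
```

Run step 5 before steps 2 and 3: any hits are exactly the pattern described above (a stolen password, no MFA, an unexpected source IP) and deserve a look at QUERY_HISTORY for the same sessions before the policy change cuts the attacker off and the sessions disappear. Once the policies are in place, the same query can be wrapped in a Snowflake task or alert so that a password-only login from outside the allow list pages someone rather than sitting in a view.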
Mandiant suggested that the tactics used in this incident could be replicated in similar campaigns targeting other software-as-a-service platforms.
“This operation illustrates the repercussions of a large number of credentials circulating in the infostealer market and may be indicative of threat actors focusing on similar SaaS platforms,” they commented.
“Mandiant predicts that UNC5537 will persist in these intrusions, aiming at additional SaaS platforms in the immediate future.”
CrowdStrike also participated in the response measures.
Snowflake, in a forum statement, announced that they are “collaborating closely with customers as they reinforce their security frameworks to mitigate cyber threats to their operations.”
“We are also devising a strategy to mandate that our customers adopt advanced security measures, such as multi-factor authentication or network policies,” they elaborated.
Snowflake said it had found no evidence that the platform credentials of any current or former Snowflake employee had been compromised.
Mandiant disclosed that UNC5537 operated with financial motives and attempted to extort the affected entities.
