Snowflake Breach Exposes 165 Customers' Data in Ongoing Extortion Campaign

As many as 165 customers of Snowflake are said to have had their information potentially exposed as part of an ongoing campaign designed to facilitate data theft and extortion, indicating the operation has broader implications than previously thought.

Google-owned Mandiant, which is assisting the cloud data warehousing platform in its incident response efforts, is tracking the as-yet-unclassified activity cluster under the name UNC5537, describing it as a financially motivated threat actor.

“UNC5537 is systematically compromising Snowflake customer instances using stolen customer credentials, advertising victim data for sale on cybercrime forums, and attempting to extort many of the victims,” the threat intelligence firm said on Monday.

“UNC5537 has targeted hundreds of organizations worldwide, and frequently extorts victims for financial gain. UNC5537 operates under various aliases on Telegram channels and cybercrime forums.”

There is evidence to suggest that the hacking group is made up of members based in North America. It’s also believed to collaborate with at least one additional party based in Turkey.

This is the first time that the number of affected customers has been officially disclosed. Previously, Snowflake had noted that a “limited number” of its customers were impacted by the incident. The company has more than 9,820 global customers.

The campaign, as previously outlined by Snowflake, stems from compromised customer credentials purchased from cybercrime forums or obtained through information-stealing malware such as Lumma, MetaStealer, Raccoon, RedLine, RisePro, and Vidar. It’s believed to have commenced on April 14, 2024.

In several instances, the stealer malware infections have been detected on contractor systems that were also used for personal activities, such as gaming and downloading pirated software, the latter of which has been a tried-and-tested conduit for distributing stealers.

The unauthorized access to customer instances has been found to pave the way for a reconnaissance utility dubbed FROSTBITE (aka “rapeflake”) that’s used to run SQL queries and glean information about the users, current roles, current IPs, session IDs, and organization names.

Mandiant said it has been unable to obtain a complete sample of FROSTBITE, with the company also spotlighting the threat actor’s use of a legitimate utility called DBeaver Ultimate to connect and run SQL queries across Snowflake instances. The final stage of the attack involves the adversary running commands to stage and exfiltrate data.

Snowflake, in an updated advisory, said it’s working closely with its customers to harden their security measures. It also said it’s developing a plan to require them to implement advanced security controls, like multi-factor authentication (MFA) or network policies.

The attacks, Mandiant pointed out, have become hugely successful due to three main reasons: A lack of multi-factor authentication (MFA), not rotating credentials periodically, and missing checks to ensure access only from trusted locations.

“The earliest infostealer infection date observed associated with a credential leveraged by the threat actor dated back to November 2020,” Mandiant said, adding it “identified hundreds of customer Snowflake credentials exposed via infostealers since 2020.”

“This campaign highlights the consequences of vast amounts of credentials circulating on the infostealer marketplace and may be representative of a specific focus by threat actors on similar SaaS platforms.”

The findings serve to underscore the burgeoning market demand for information stealers and the pervasive threat they pose to organizations, resulting in the regular emergence of new stealer variants like AsukaStealer, Cuckoo, Iluria, k1w1, SamsStealer, and Seidr that are offered for sale to other criminal actors.

“In February, Sultan, the name behind Vidar malware, shared an image featuring the Lumma and Raccoon stealers, depicted together in combat against antivirus solutions,” Cyfirma said in a recent analysis. “This suggests collaboration among threat actors, as they join forces and share infrastructure to achieve their goals.”

Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.