A sophisticated threat campaign by UNC5537 has targeted Snowflake customer databases, leading to widespread data theft and extortion. Leveraging stolen customer credentials obtained through info stealer malware, the financially motivated threat actor has compromised numerous Snowflake instances, highlighting server vulnerabilities and prompting urgent security measures.
The campaign was initially discovered in April 2024, when intelligence revealed compromised database records linked back to a specific Snowflake instance. Upon being alerted, the affected organisation brought in cybersecurity specialists to examine the data breach. The investigation found that the breach was caused by stolen credentials obtained through info stealer malware. Notably, the compromised account did not enable multi-factor authentication (MFA), which made unauthorized access easier.
Cybersecurity researchers received intelligence on May 22, 2024, indicating a broader campaign targeting additional Snowflake customer instances. They contacted Snowflake and initiated a notification program, alerting approximately 165 potentially exposed organisations.
“The threat actor used these stolen credentials to access the customer’s Snowflake instance and ultimately exfiltrate valuable data. At the time of the compromise, the account did not have multi-factor authentication (MFA) enabled,” said researchers from Mandiant.
Researchers also enlisted the help of law enforcement agencies, which led to Snowflake publishing detailed detection and gardening guidance for its customers.
UNC5537 has systematically targeted Snowflake instances by using credentials obtained from various inforstealer malware campaigns, including Vidar, Risepro, Redline, Racoon Stealer, Lumma, and Meta. Some of these credentials, dating back to 2020, were acquired from compromised systems not owned by Snowflake. The lack of MFA, outdated credentials, and the absence of network allow lists facilitated these breaches.
The campaigns by UNC5537 were successful due to the following reasons:
- The account did not have multi-factor authentication enabled.
- Credentials that were stolen are still valid and have not been updated.
- The Snowflake customer instances did not have a network-allow list.
The threat actor utilised the Snowflake UI and CLI tools on compromised Windows Server 2022 systems, often aided by Frostbite. Frostbite, observed in both .NET and Java versions, was used for reconnaissance, interacting with Snowflake drivers to gather extensive information about the targeted instances. Researchers also discovered additional tools like DBeaver Ultimate were employed to run queries and manage the database.
The attack pattern followed these commands to exfiltrate data:
- SHOW TABLES: For reconnaissance and listing all databases and tables.
- SELECT * FORM: To download specific tables of interest.
- LIST/LS: To enumerate stages before creating temporary ones.
- CREATE (TEMP) STAGE: For staging data.
- COPY INTO: To copy data into temporary stages, often compressed for efficiency.
- GET: For final data exfiltration to local directories.
Researchers have tracked UNC5537 since May 2024. The group has been responsible for numerous breaches and subsequent extortion attempts. Operating under various aliases on cybercrime forums and Telegram channels, the group compromises members based in North America, with at least one collaborator in Turkey.
Their infrastructure includes using VPN IPs from Mullvad, Private Internet Access (PIA), and VPS systems from providers like ALEXHOS SRL, along with cloud storage services like MEGA, to store stolen data.
Researchers have urged individuals and organisations to turn on MFA, regularly rotate credentials, and check unrestricted network access to protect themselves.
In the News: Delhi-based hacker arrested for breaching Telangana police’s Hawk Eye app
