UNC5537 Targets Snowflake Customer Instances for Data Theft and Extortion

Summary:
Mandiant has identified a campaign by the financially motivated group UNC5537, targeting Snowflake customer database instances to steal data and extort victims. Snowflake is a multi-cloud data warehousing platform used for storing and analyzing large datasets. UNC5537 gains access to these databases using stolen customer credentials, obtained through various info stealer malware campaigns. These credentials are then used to compromise Snowflake instances, sell stolen data on cybercrime forums, and extort the victims. Mandiant’s investigation revealed that the breaches were not due to a compromise of Snowflake’s enterprise environment but rather from compromised customer credentials. In April 2024, Mandiant discovered that database records stolen from a Snowflake instance belonged to one of its clients. The breach occurred because the account lacked multi-factor authentication.

By May 22, 2024, Mandiant identified a broader campaign affecting multiple Snowflake customers and began notifying approximately 165 organizations through its Victim Notification Program. Mandiant and Snowflake have been working together on a joint investigation and coordinating with law enforcement. On May 30, 2024, Snowflake published detailed guidance to help customers detect malicious activity in, and secure, their environments.

Security Officer Comments:
The campaign has been successful due to several factors: the absence of MFA, outdated and unchanged credentials, and the lack of network allow lists. UNC5537 has been leveraging stolen credentials from malware such as VIDAR, RISEPRO, REDLINE, RACCOON STEALER, LUMMA, and METASTEALER, with some credentials dating back to 2020. Many initial compromises were linked to contractors' systems used for personal activities, leading to further spread within organizations. The attackers use tools like “rapeflake,” tracked as FROSTBITE, to perform reconnaissance and execute SQL commands to exfiltrate data. They accessed Snowflake instances using VPNs and VPS systems, storing stolen data on various international servers and the cloud storage provider MEGA. Mandiant assesses that UNC5537 will likely continue targeting SaaS platforms due to the robust underground infostealer economy.

Suggested Corrections:

  • Enforce Multi-Factor Authentication on all accounts;
  • Set up Network Policy Rules to only allow authorized users or only allow traffic from trusted locations (VPN, Cloud workload NAT, etc.); and
  • Impacted organizations should reset and rotate Snowflake credentials.

IOCs:
https://www.virustotal.com/gui/coll...53d24c805a473822fafd7da683ab2123d0f1e688001b8

Snowflake's Hardening Guide:
https://community.snowflake.com/s/article/Communication-ID-0108977-Additional-Information
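The three suggested corrections, plus the detection check a defender would run first, as an added example in Snowflake SQL; this is not code from the advisory or from Snowflake's guidance, and the policy names, IP ranges and user name are placeholders.

```sql
-- Added example (not from the advisory or Snowflake's hardening guide).
-- Run with a role that can manage account policies (e.g. SECURITYADMIN).
-- Network ranges, policy names and the user name are constructed placeholders.

-- 1. Detection: successful password-only logins (no second factor) in the last 7 days.
--    Each row is an account that an infostealer-harvested password would have unlocked.
SELECT user_name, client_ip, event_timestamp, reported_client_type
FROM snowflake.account_usage.login_history
WHERE is_success = 'YES'
  AND first_authentication_factor = 'PASSWORD'
  AND second_authentication_factor IS NULL
  AND event_timestamp > DATEADD(day, -7, CURRENT_TIMESTAMP())
ORDER BY event_timestamp DESC;

-- Active users that still have a password but are not enrolled in MFA.
SELECT name, last_success_login
FROM snowflake.account_usage.users
WHERE deleted_on IS NULL
  AND disabled::boolean = FALSE
  AND has_password::boolean = TRUE
  AND ext_authn_duo::boolean = FALSE;

-- 2. Require MFA enrollment for every user via an account-level authentication policy.
CREATE AUTHENTICATION POLICY require_mfa
  MFA_ENROLLMENT = REQUIRED
  COMMENT = 'Added example: refuse password-only logins';
ALTER ACCOUNT SET AUTHENTICATION POLICY require_mfa;

-- 3. Allow-list only trusted egress (VPN, cloud workload NAT); everything else is blocked.
CREATE NETWORK POLICY trusted_egress_only
  ALLOWED_IP_LIST = ('203.0.113.0/24', '198.51.100.7')  -- placeholder ranges
  COMMENT = 'Added example: only corporate VPN and workload NAT may reach this account';
ALTER ACCOUNT SET NETWORK_POLICY = trusted_egress_only;

-- 4. Rotate the credential of an account whose password may have been harvested.
--    RESET PASSWORD invalidates the old password and returns a one-time reset URL.
ALTER USER contractor_analyst RESET PASSWORD;
```

Apply the network policy to a test user with ALTER USER ... SET NETWORK_POLICY before setting it account-wide, so an overly narrow allow list does not lock administrators out.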

Link(s):
https://cloud.google.com/blog/topics/threat-intelligence/unc5537-snowflake-data-theft-extortion