UNC5537, a financially motivated threat actor tracked by Mandiant, has been breaking into Snowflake customer instances with stolen credentials, not through any flaw in the Snowflake platform itself. The campaign shows how far an attacker can get with a valid password alone when multi-factor authentication is not enforced and logins are not restricted to known networks, and why credential hygiene matters as much for a cloud data warehouse as for any other internet-facing service.
Snowflake is a cloud-based data-warehousing platform founded in 2012 by Benoit Dageville, Thierry Cruanes and Marcin Żukowski; it came out of stealth in 2014. The platform lets organizations store, analyze and share large volumes of data across the major public clouds. Originally based in San Mateo, California, the company later designated Bozeman, Montana as its principal executive office. Its popularity as a central store for customer and business data is precisely what makes a compromised Snowflake account valuable to an attacker.
Mandiant researchers found that UNC5537 took over Snowflake customer accounts using credentials that infostealer malware had harvested from employee and contractor machines. The affected accounts were protected by a password alone, with no multi-factor authentication, so the stolen credential was sufficient to log in. Once inside, the actor ran queries to pull out large volumes of customer data, then advertised the stolen data for sale on cybercrime forums and pressured victims to pay to prevent further exposure.
Extent of Data Theft
The credentials UNC5537 used were harvested by infostealer infections dating back as far as 2020; the Snowflake intrusions themselves began in 2024. The targeted instances were not misconfigured in any exotic way: the accounts simply had no multi-factor authentication and no network policy limiting where logins could originate, so a single leaked password was enough to authenticate, and the bulk data pulls that followed went unnoticed. Mandiant and Snowflake have coordinated to identify and notify affected customers.
Investigations indicate that the unauthorized access stemmed from compromised customer credentials, not from a vulnerability in or breach of Snowflake's own infrastructure. Data was stolen from numerous customer instances, which underscores the importance of access controls and credential hygiene in cloud environments.
IOCs
The indicators below are client application names recorded in Snowflake session metadata when the actor connected, not file hashes or IP addresses. Rapeflake is the actor's custom reconnaissance tool (Mandiant tracks it as FROSTBITE); the rest are standard Snowflake drivers and clients that also appear in legitimate traffic, so they are useful for triage only in combination with the user, source IP and timing of the login.
- Rapeflake
- DBeaver_DBeaverUltimate
- Go 1.1.5
- JDBC 3.13.30
- JDBC 3.15.0
- PythonConnector 2.7.6
- SnowSQL 1.2.32
- Snowflake UI
- Snowsight
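As an added example (not part of the original article, and not Mandiant's or Snowflake's published query), the following hunt over the ACCOUNT_USAGE views joins each successful login to the session it created and flags sessions whose reported client matches one of the names listed above. It assumes a role that can read the SNOWFLAKE database (ACCOUNTADMIN, or a role granted SECURITY_VIEWER), a 90-day lookback, and that CLIENT_ENVIRONMENT carries APPLICATION and OS keys; ACCOUNT_USAGE data arrives with a latency of up to a few hours, so it is not a real-time alert source.

```sql
-- Added hunt query (not from the original article or from Mandiant/Snowflake).
-- Assumes ACCOUNTADMIN, or a role granted SECURITY_VIEWER on the SNOWFLAKE database.
-- LOGIN_HISTORY holds each authentication attempt; SESSIONS holds the client that
-- the driver reported for the session that login opened.
WITH ioc_clients AS (
    -- Client application names from the IOC list above.
    SELECT column1 AS client_app FROM VALUES
        ('rapeflake'),
        ('DBeaver_DBeaverUltimate'),
        ('Go 1.1.5'),
        ('JDBC 3.13.30'),
        ('JDBC 3.15.0'),
        ('PythonConnector 2.7.6'),
        ('SnowSQL 1.2.32'),
        ('Snowflake UI'),
        ('Snowsight')
)
SELECT
    l.event_timestamp,
    l.user_name,
    l.client_ip,
    l.first_authentication_factor,
    l.second_authentication_factor,
    s.client_application_id,
    -- Assumed VARIANT keys; adjust if your CLIENT_ENVIRONMENT differs.
    s.client_environment:APPLICATION::string AS reported_application,
    s.client_environment:OS::string          AS client_os,
    -- rapeflake is the actor's own tool; every other name on the list is also
    -- used by legitimate users, so those rows are for review rather than alerting.
    IFF(s.client_application_id ILIKE 'rapeflake%', 'HIGH', 'REVIEW') AS priority
FROM snowflake.account_usage.login_history AS l
JOIN snowflake.account_usage.sessions AS s
    ON s.login_event_id = l.event_id
JOIN ioc_clients AS i
    ON s.client_application_id ILIKE i.client_app || '%'
WHERE l.event_timestamp >= DATEADD('day', -90, CURRENT_TIMESTAMP())
  AND l.is_success = 'YES'
  -- A stolen password on its own can only produce logins with no second factor.
  AND l.second_authentication_factor IS NULL
ORDER BY priority, l.event_timestamp DESC;

-- Follow-up pivot: how many distinct source addresses has each user logged in
-- from? A user with one office IP for years and then a fresh address arriving
-- with a new client is the pattern the IOC list is meant to surface.
SELECT
    user_name,
    COUNT(DISTINCT client_ip) AS distinct_ips,
    MIN(event_timestamp)      AS first_seen,
    MAX(event_timestamp)      AS last_seen
FROM snowflake.account_usage.login_history
WHERE event_timestamp >= DATEADD('day', -90, CURRENT_TIMESTAMP())
  AND is_success = 'YES'
GROUP BY user_name
HAVING COUNT(DISTINCT client_ip) > 5   -- threshold is a starting point, tune per account
ORDER BY distinct_ips DESC;
```

Expect the 'Snowflake UI' and 'Snowsight' matches to be noisy; the second-factor filter and the priority column are what make the result triageable. Any HIGH row, or a REVIEW row from an IP range the user has never used before, is worth pulling QUERY_HISTORY for the same session to see what was read.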
Mandiant and Snowflake's joint investigation identified and notified roughly 165 potentially affected organizations, supplying them with detection guidance and hardening advice and stressing the need for stringent credential management.
The credentials were harvested by several different infostealer families, some as early as 2020, which underscores the persistent nature of credential-based attacks: a password stolen years ago stayed useful because it was never rotated. A large share of the breached accounts had no multi-factor authentication. The common root causes were password reuse and infostealer infections on personal or unmanaged devices that contractors used to reach client environments.
Enforcing multi-factor authentication, restricting logins to known networks, and rotating any credential known to have been exposed are the controls that would have blocked this campaign. Organizations must also make sure employees and contractors understand that client credentials do not belong on personal devices.
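The controls just described, written out as the Snowflake SQL an account administrator would run. This is an added example, not from the article or from Snowflake's advisories; the object names (corp_egress_only, require_mfa, etl_svc, compromised_user), the CIDR 203.0.113.0/24 and the public-key placeholder are all made up for illustration, and the authentication-policy syntax follows current Snowflake documentation and should be checked against the release in use.

```sql
-- Added hardening example (not from the original article). Run as ACCOUNTADMIN.
-- All object names and the CIDR below are placeholders.

-- 1. Inventory: who has logged in with only a password in the last 90 days?
--    These are exactly the accounts a leaked infostealer log could open.
SELECT
    user_name,
    COUNT(*)                  AS password_only_logins,
    COUNT(DISTINCT client_ip) AS distinct_ips,
    MAX(event_timestamp)      AS last_login
FROM snowflake.account_usage.login_history
WHERE event_timestamp >= DATEADD('day', -90, CURRENT_TIMESTAMP())
  AND is_success = 'YES'
  AND first_authentication_factor = 'PASSWORD'
  AND second_authentication_factor IS NULL
GROUP BY user_name
ORDER BY password_only_logins DESC;

-- 2. Network policy. Weak state: no policy set, so any address on the internet may
--    attempt a login. Corrected state: only corporate egress/VPN ranges are accepted,
--    so a stolen password is useless from the attacker's infrastructure.
CREATE NETWORK POLICY IF NOT EXISTS corp_egress_only
    ALLOWED_IP_LIST = ('203.0.113.0/24')   -- placeholder: your egress / VPN range
    COMMENT = 'Only corporate egress may reach the account';
ALTER ACCOUNT SET NETWORK_POLICY = corp_egress_only;

-- 3. Authentication policy: make MFA mandatory for human users instead of optional.
--    MFA_ENROLLMENT = REQUIRED forces enrollment at next login for anyone without it.
CREATE AUTHENTICATION POLICY IF NOT EXISTS require_mfa
    MFA_ENROLLMENT = REQUIRED
    COMMENT = 'Password logins must be paired with a second factor';
ALTER ACCOUNT SET AUTHENTICATION POLICY require_mfa;

-- 4. Service accounts cannot answer an MFA prompt. Rather than leaving them on a
--    password, move them to key-pair authentication and remove the password entirely.
ALTER USER etl_svc SET RSA_PUBLIC_KEY = '<rsa-public-key-base64>';  -- placeholder
ALTER USER etl_svc UNSET PASSWORD;

-- 5. Containment for any account the hunt flagged: invalidate the credential,
--    stop its running work, and disable it until the owner has been contacted.
ALTER USER compromised_user RESET PASSWORD;
ALTER USER compromised_user ABORT ALL QUERIES;
ALTER USER compromised_user SET DISABLED = TRUE;
```

Apply step 2 from an address inside the allowed list: Snowflake refuses to set an account-level network policy that would exclude the session running the command, which is the only thing standing between you and locking yourself out. Step 1 also doubles as the acceptance test for step 3; rerun it a week after enabling the policy and the result set should be empty apart from service accounts, which step 4 then removes.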