Highlights:
- Mandiant reports that its researchers are monitoring the cybercrime group responsible for the hacking campaign, known as UNC5537.
- As per Mandiant, the majority of the login credentials utilized by UNC5537 to access Snowflake environments were obtained through “historical infostealer” cyberattacks.
Mandiant recently found that 165 Snowflake customers were affected by a hacking campaign.
The Google LLC unit, which specializes in breach response services, is working with the cloud data platform provider to notify affected users. Ticketmaster Entertainment LLC and LendingTree Inc., a publicly traded loan provider, are among the impacted customers. Additionally, a recent post on a hacker forum suggests that Advance Auto Parts Inc.’s Snowflake environment might have been compromised as well.
Mandiant reports that its researchers are monitoring the cybercrime group responsible for the hacking campaign, known as UNC5537. This threat actor is believed to have financial motivations. Mandiant explained that the hackers are infiltrating Snowflake environments not by exploiting a security vulnerability in the cloud data platform but by using login credentials stolen from customers.
Mandiant’s researchers stated in a blog post, “UNC5537’s campaign against Snowflake customer instances is not the result of any particularly novel or sophisticated tool, technique, or procedure. This campaign’s broad impact is the consequence of the growing infostealer marketplace and missed opportunities to further secure credentials.”
The Google unit first became aware of the malicious activity in April. During that month, its researchers acquired threat intelligence regarding stolen database records, which were eventually traced back to an unnamed organization’s Snowflake environment. Mandiant shared its findings with the affected organization, which then enlisted the Google unit for a more in-depth investigation.
In May, the incident response provider’s researchers found that multiple other Snowflake customers had also experienced breaches. Mandiant informed Snowflake, and they began notifying the affected users together. The cloud data platform provider officially revealed the hacking campaign on May 30.
Mandiant reports that most of the login credentials UNC5537 used to access Snowflake environments were stolen through “historical infostealer” cyberattacks, with some of these attacks dating back to 2020.
Mandiant pinpointed three primary reasons why the hackers were able to breach the targeted Snowflake environments: the affected customers had not rotated their login credentials, had not set up multifactor authentication, and had not established network allow lists. Such lists reject login attempts unless they originate from approved network locations, such as a company’s office building.
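As an added illustration of the three controls Mandiant lists, the Snowflake SQL below creates a network allow list, requires MFA enrollment through an authentication policy, rotates one user's password, and then queries the account's login history for users who have signed in successfully without any second factor. This is example code written for this article, not Snowflake's or Mandiant's own guidance; the policy names, the user name and the IP range are constructed placeholders, and the authentication-policy step assumes an account where MFA_ENROLLMENT is supported.

```sql
-- 1. Network allow list: only the (constructed) corporate range may log in.
CREATE NETWORK POLICY corp_only
  ALLOWED_IP_LIST = ('203.0.113.0/24')        -- placeholder office range
  COMMENT = 'Example: restrict logins to the corporate egress range';

-- Apply it account-wide; individual users can be scoped more tightly if needed.
ALTER ACCOUNT SET NETWORK_POLICY = corp_only;

-- 2. Multifactor authentication: require enrollment for interactive users.
--    (Assumes an account where authentication policies with MFA_ENROLLMENT exist.)
CREATE AUTHENTICATION POLICY require_mfa
  MFA_ENROLLMENT = REQUIRED
  CLIENT_TYPES = ('SNOWFLAKE_UI')
  COMMENT = 'Example: force MFA enrollment on web-UI logins';

ALTER ACCOUNT SET AUTHENTICATION POLICY require_mfa;

-- 3. Credential rotation: invalidate a password that may have been exposed.
--    'jdoe' is a constructed user name.
ALTER USER jdoe RESET PASSWORD;

-- 4. Hunt: users with successful logins in the last 30 days that never used
--    a second factor (password-only access is exactly what stolen
--    infostealer credentials exploit).
SELECT
  user_name,
  COUNT(*)                                              AS successful_logins,
  COUNT_IF(second_authentication_factor IS NOT NULL)    AS mfa_logins,
  MIN(event_timestamp)                                  AS first_seen,
  MAX(event_timestamp)                                  AS last_seen
FROM snowflake.account_usage.login_history
WHERE event_timestamp > DATEADD(day, -30, CURRENT_TIMESTAMP())
  AND is_success = 'YES'
GROUP BY user_name
HAVING mfa_logins = 0
ORDER BY successful_logins DESC;
```

The hunting query runs against the ACCOUNT_USAGE view, which lags live activity by a few hours, so it is a review tool rather than a real-time alert; the rows it returns are the accounts to prioritize for credential rotation and MFA enrollment.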
The researchers from Google’s team offered additional information in their recently published blog post: “According to Mandiant and Snowflake’s analysis, at least 79.7% of the accounts leveraged by the threat actor in this campaign had prior credential exposure.”
Snowflake stated on Friday that it is currently “developing a plan” to ensure customers enable multifactor authentication. Moreover, the company has provided technical guidance on safeguarding the deployments of its platform against hacking attempts.