Snowflake customers not using MFA are not unique – over 165 of them have been compromised

Mandiant warns criminal gang UNC5537, which may be friendly with Scattered Spider, is on the rampage

An unknown financially motivated crime crew has swiped a "significant volume of records" from Snowflake customers' databases using stolen credentials, according to Mandiant.

"To date, Mandiant and Snowflake have notified approximately 165 potentially exposed organizations," the Google-owned threat hunters wrote on Monday, and noted they track the perps as "UNC5537."

The crew behind the Snowflake intrusions may have ties to Scattered Spider, aka UNC3944 – the notorious gang behind the mid-2023 Las Vegas casino breaches.

"Mandiant is investigating the possibility that a member of UNC5537 collaborated with UNC3944 on at least one past intrusion in the past six months, but we don't have enough data to confidently link UNC5537 to a broader group at this time," senior threat analyst Austin Larsen told The Register.

Mandiant – one of the incident response firms hired by Snowflake to help investigate its recent security incident – also noted that there's no evidence a breach of Snowflake's own enterprise environment was to blame for its customers' breaches.

"Instead, every incident Mandiant responded to associated with this campaign was traced back to compromised customer credentials," the Google-owned threat hunters confirmed.

The earliest detected attack against a Snowflake customer instance happened on April 14. Upon investigating that breach, Mandiant says it determined that UNC5537 used legitimate credentials – previously stolen using infostealer malware – to break into the victim's Snowflake environment and exfiltrate data. The victim did not have multi-factor authentication turned on.

About a month later, after uncovering "multiple" Snowflake customer compromises, Mandiant contacted the cloud biz and the two began notifying affected organizations. By May 24 the criminals had begun selling the stolen data online, and on May 30 Snowflake issued its statement about the incidents.

After gaining initial access – which we're told occurred through the Snowflake native web-based user interface or a command-line-interface running on Windows Server 2002 – the criminals used a horribly named utility, "rapeflake," which Mandiant has instead chosen to track as "FROSTBITE."

UNC5537 has used both .NET and Java versions of this tool to perform reconnaissance against targeted Snowflake customers, allowing the gang to identify users, their roles, and IP addresses.

The crew also sometimes uses DBeaver Ultimate – a publicly available database management utility – to query Snowflake instances.

Several of the initial compromises occurred on contractor systems that were being used for both work and personal activities.

"These devices, often used to access the systems of multiple organizations, present a significant risk," Mandiant researchers wrote. "If compromised by infostealer malware, a single contractor's laptop can facilitate threat actor access across multiple organizations, often with IT and administrator-level privileges."

All of the successful intrusions had three things in common, according to Mandiant. First, the victims didn't use MFA.

Second, the attackers used valid credentials, "hundreds" of which were stolen thanks to infostealer infections – some as far back as 2020. Common variants used included VIDAR, RISEPRO, REDLINE, RACOON STEALER, LUMMA and METASTEALER. But even in these years-old thefts, the credentials had not been updated or rotated.

Almost 80 percent of the customer accounts accessed by UNC5537 had prior credential exposure, we're told.

Finally, the compromised accounts did not have network allow-lists in place. So if you are a Snowflake customer, it's time to get a little smarter. ®

More about

TIP US OFF

Send us news


Other stories you might like