June 11, 2024
Severity
High
Analysis Summary
An ongoing campaign aimed at data theft and extortion is alleged to have exposed the personal information of up to 165 Snowflake customers, suggesting the operation has wider ramifications than previously believed.
Google-owned Mandiant, which is assisting the cloud data warehousing platform with its incident response, tracks the as-yet-unclassified activity cluster as UNC5537, a financially motivated threat actor. UNC5537 uses stolen customer credentials to systematically compromise Snowflake customer instances, advertise the stolen data for sale on cybercrime sites, and attempt to extort many of the victims.
The report reads, “UNC5537 has targeted hundreds of organizations worldwide, and frequently extorts victims for financial gain. UNC5537 operates under various aliases on Telegram channels and cybercrime forums.”
There is evidence suggesting that members of the threat group are located in North America, and the group is thought to collaborate with one or more additional parties based in Turkey. The number of affected customers had not previously been formally disclosed; Snowflake had earlier said that the incident affected only a small portion of its customers. The company serves over 9,820 customers worldwide.
According to Snowflake's earlier description, the campaign stems from compromised user credentials that were either harvested by information-stealing malware such as Lumma, MetaStealer, Raccoon, RedLine, RisePro, and Vidar or purchased on cybercrime forums. The campaign is estimated to have begun on April 14, 2024. Many of the infected machines were contractor systems that were also used for personal activities such as gaming and downloading pirated software, the latter being a well-established distribution route for stealers.
Unauthorized access to customer instances has been found to pave the way for a reconnaissance utility called FROSTBITE, which executes SQL queries to gather information about current roles, users, IP addresses, session IDs, and organization names. Although Mandiant was unable to recover a complete sample of FROSTBITE, it observed the threat actor using the legitimate database tool DBeaver Ultimate to connect to Snowflake instances and run SQL queries across them. In the final phase of the attack, the adversary runs commands to stage and exfiltrate data.
In its latest alert, Snowflake said it is working closely with its customers to strengthen their security posture and is developing a plan to mandate advanced security controls such as network policies and multi-factor authentication (MFA). According to Mandiant, three primary factors explain why the attacks have been so successful: MFA was not enabled; credentials were not rotated regularly; and no network allow lists were in place to ensure that access is granted only from trusted locations.
The earliest infostealer infection tied to a credential later used by the threat actor dates back to November 2020. Since 2020, hundreds of customer Snowflake credentials have been exposed by infostealers. The campaign may foreshadow targeted attacks by threat actors on comparable SaaS platforms and underscores the consequences of the huge volume of credentials circulating on the infostealer market.
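The three gaps Mandiant names (no MFA, no credential rotation, no source restriction) can each be hunted for in Snowflake's own audit views. The following is an added example, not code from the advisory or from Snowflake: it runs the checks over constructed rows shaped like the ACCOUNT_USAGE.LOGIN_HISTORY and ACCOUNT_USAGE.USERS views, and the trusted network range is an assumption standing in for an account's real network policy.

```python
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample rows shaped like Snowflake's ACCOUNT_USAGE.LOGIN_HISTORY and
# ACCOUNT_USAGE.USERS views: real column names, invented values for this example.
LOGIN_HISTORY = [
    {"USER_NAME": "ANALYST1", "CLIENT_IP": "10.20.30.40", "IS_SUCCESS": "YES",
     "REPORTED_CLIENT_TYPE": "SNOWFLAKE_UI", "SECOND_AUTHENTICATION_FACTOR": "DUO_PUSH"},
    {"USER_NAME": "SVC_ETL", "CLIENT_IP": "198.51.100.7", "IS_SUCCESS": "YES",
     "REPORTED_CLIENT_TYPE": "JDBC_DRIVER", "SECOND_AUTHENTICATION_FACTOR": None},
    {"USER_NAME": "SVC_ETL", "CLIENT_IP": "198.51.100.7", "IS_SUCCESS": "NO",
     "REPORTED_CLIENT_TYPE": "JDBC_DRIVER", "SECOND_AUTHENTICATION_FACTOR": None},
    {"USER_NAME": "ANALYST1", "CLIENT_IP": "10.20.30.41", "IS_SUCCESS": "YES",
     "REPORTED_CLIENT_TYPE": "SNOWFLAKE_UI", "SECOND_AUTHENTICATION_FACTOR": None},
]
USERS = [
    {"NAME": "ANALYST1", "PASSWORD_LAST_SET_TIME": "2024-05-01T00:00:00"},
    {"NAME": "SVC_ETL", "PASSWORD_LAST_SET_TIME": "2020-11-03T00:00:00"},
]
# Assumption: the egress ranges an account-level network policy would allow.
TRUSTED_NETWORKS = [ip_network("10.20.30.0/24")]


def is_trusted(ip: str) -> bool:
    return any(ip_address(ip) in net for net in TRUSTED_NETWORKS)


def find_weak_logins(rows):
    """Successful logins that used a password alone or came from an untrusted address."""
    findings = []
    for r in rows:
        if r["IS_SUCCESS"] != "YES":
            continue  # failed attempts belong to a brute-force alert, not this check
        reasons = []
        if not r["SECOND_AUTHENTICATION_FACTOR"]:
            reasons.append("no_mfa")  # password-only login, the first gap Mandiant names
        if not is_trusted(r["CLIENT_IP"]):
            reasons.append("untrusted_ip")  # no network policy restricting the source
        if reasons:
            # desktop JDBC clients such as DBeaver report the JDBC_DRIVER client type
            findings.append((r["USER_NAME"], r["CLIENT_IP"],
                             r["REPORTED_CLIENT_TYPE"], reasons))
    return findings


def find_stale_passwords(users, now: str, max_age_days: int = 90):
    """Users whose password is older than the rotation window (stolen creds stay valid)."""
    as_of = datetime.fromisoformat(now)
    return [u["NAME"] for u in users
            if (as_of - datetime.fromisoformat(u["PASSWORD_LAST_SET_TIME"])).days > max_age_days]
```

In a live account the same logic is a query against SNOWFLAKE.ACCOUNT_USAGE; the service account with a 2020 password and password-only JDBC logins from outside the allow list is exactly the profile the advisory describes.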
Impact
- Exposure of Sensitive Data
- Information Theft
- Unauthorized Access
- Code Execution
- Data Exfiltration
Indicators of Compromise
IP
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment using your respective security controls.
- Regularly change passwords for all accounts and use strong, unique passwords for sensitive accounts.
- Implement multi-factor authentication (MFA) on all accounts to add an extra layer of security to login processes.
- Consider the use of phishing-resistant authenticators to further enhance security. These types of authenticators are designed to resist phishing attempts and provide additional protection against social engineering attacks.
- Regularly monitor network activity for any unusual behavior, as this may indicate that a cyberattack is underway.
- Organizations need to stay vigilant and follow best practices for cybersecurity to protect their systems and data from potential threats. This includes regularly updating software and implementing strong access controls and monitoring tools.
- Develop a comprehensive incident response plan to respond effectively in case of a security breach or data leakage.
- Maintain regular backups of critical data and systems to ensure data recovery in case of a security incident.
- Adhere to security best practices, including the principle of least privilege, and ensure that users and applications have only the necessary permissions.
- Establish a robust patch management process to ensure that security patches are evaluated, tested, and applied promptly.
- Conduct security audits and assessments to evaluate the overall security posture of your systems and networks.
- Implement network segmentation to contain and isolate potential threats to limit their impact on critical systems.
- Never trust or open links and attachments received from unknown sources/senders.