Snowflake Hacking Spree Puts 165 Organizations at Risk
Customers That Did Not Use Multifactor Authentication Were Vulnerable
An investigation into infostealer-driven attacks on Snowflake customers shows that approximately 165 clients potentially had data stolen by financially motivated hackers, says cyber threat intel firm Mandiant.
Snowflake, a data management platform provider, disclosed the campaign earlier this month along with a warning that customers without multifactor authentication enabled are vulnerable (see: Snowflake Clients Targeted With Credential Attacks).
Google-owned Mandiant on Monday attributed the attacks to a cluster of threat activity it now tracks as UNC5537. The threat actor "has targeted hundreds of organizations worldwide, and frequently extorts victims for financial gain," Mandiant said.
"UNC5537 has leveraged stolen credentials to access over 100 Snowflake customer tenants," said Charles Carmakal, CTO of Mandiant Consulting. Mandiant says it first detected the campaign in April.
"The threat actor systematically compromised customer tenants, downloaded data, extorted victims, and advertised victim data for sale on cybercriminal forums," Carmakal told Information Security Media Group.
The hackers used Snowflake customer credentials that had already been captured, in some cases as far back as four years ago, by infostealer malware families including Vidar, RisePro, RedLine, Raccoon Stealer, Lumma and MetaStealer.
Possible victims linked to the hacking spree include Ticketmaster, which reportedly acknowledged that a breach compromising the information of 560 million customers involved a database hosted on Snowflake infrastructure. Online lending middleman LendingTree also reportedly told TechCrunch that subsidiary QuoteWizard "may have had data impacted by this incident."
One venue for data apparently tied to Snowflake breaches has been English-language forum BreachForums, a criminal site recently targeted by the FBI. A reconstituted version of the site appeared to be inaccessible on the clear web and dark web on Monday afternoon.
Mandiant says that to gain initial access in most attacks, UNC5537 targeted Snowflake's web-based user interface, Snowflake UI, aka Snowsight, as well as its command-line client, SnowSQL. The attackers ran a utility they dubbed "rapeflake," which Mandiant tracks as "Frostbite."
In certain cases, the attackers used .NET and Java versions of the utility, which interacted with Snowflake's database drivers; the JDBC driver is the component a Java application uses to connect to a database. The utility ran reconnaissance queries that returned information such as user names, current roles, current IP addresses, session IDs and organization names.
Snowflake did not immediately respond to a request for comment, but in an update on Friday, the company said it is working with customers to enable their multi-factor authentication.
"The combination of multiple factors contributed to the targeted threat campaign including Snowflake customer accounts configured without MFA, credentials stolen by infostealer malware (often from personal computers), and the tenants configured without network allow lists," Carmakal said.
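The three factors Carmakal lists, and the reconnaissance described earlier, all map to a few lines of Snowflake SQL. The block below is an added example written for this article, not Mandiant's Frostbite code or anything Snowflake published. The first query uses Snowflake's built-in context functions to return the same fields the tool collected; the rest are the defender-side checks: users who can still sign in with only a password, recent single-factor logins grouped by source IP and client driver, unfamiliar client application names, and an account-level network policy. The allow-listed range 203.0.113.0/24 is a documentation address standing in for a real egress range, the policy name is invented, and whether the attackers' tool reports the string "rapeflake" as its client application name is an assumption. The SNOWFLAKE.ACCOUNT_USAGE views require ACCOUNTADMIN or a role granted IMPORTED PRIVILEGES on the SNOWFLAKE database, and they lag live state by up to a few hours.

```sql
-- Session recon of the kind described above. These built-in context
-- functions return the caller's user, role, client IP, session ID and
-- organization name; with a stolen credential this is how a tenant is
-- fingerprinted before bulk download. (Example, not the attackers' code.)
SELECT CURRENT_USER()              AS user_name,
       CURRENT_ROLE()              AS role_name,
       CURRENT_IP_ADDRESS()        AS client_ip,
       CURRENT_SESSION()           AS session_id,
       CURRENT_ORGANIZATION_NAME() AS org_name,
       CURRENT_ACCOUNT()           AS account_locator;

-- Check 1: users who can still log in with a password alone.
-- EXT_AUTHN_DUO is Snowflake's per-user MFA enrolment flag.
SELECT name, login_name, last_success_login
FROM   snowflake.account_usage.users
WHERE  deleted_on IS NULL
  AND  disabled::boolean      = FALSE
  AND  has_password::boolean  = TRUE     -- password auth is possible
  AND  ext_authn_duo::boolean = FALSE    -- and no MFA is enrolled
ORDER  BY last_success_login DESC NULLS LAST;

-- Check 2: successful password-only logins in the last 30 days, grouped by
-- source IP and client type, so an unfamiliar IP arriving via the JDBC or
-- .NET driver or SnowSQL stands out. IS_SUCCESS is the string 'YES'/'NO'.
SELECT user_name,
       client_ip,
       reported_client_type,
       COUNT(*)             AS logins,
       MIN(event_timestamp) AS first_seen,
       MAX(event_timestamp) AS last_seen
FROM   snowflake.account_usage.login_history
WHERE  event_timestamp > DATEADD(day, -30, CURRENT_TIMESTAMP())
  AND  is_success = 'YES'
  AND  first_authentication_factor  = 'PASSWORD'
  AND  second_authentication_factor IS NULL
GROUP  BY 1, 2, 3
ORDER  BY last_seen DESC;

-- Check 3: every client application name seen in the last 30 days, rarest
-- first. A custom tool may or may not report the name the article gives
-- ("rapeflake"); the reliable signal is any name you cannot account for.
SELECT client_application_id,
       user_name,
       COUNT(*)        AS sessions,
       MAX(created_on) AS last_seen
FROM   snowflake.account_usage.sessions
WHERE  created_on > DATEADD(day, -30, CURRENT_TIMESTAMP())
GROUP  BY 1, 2
ORDER  BY sessions ASC, last_seen DESC;

-- Fix for the missing allow list: an account-level network policy.
-- 203.0.113.0/24 is a constructed placeholder for your real egress range.
CREATE NETWORK POLICY IF NOT EXISTS corp_egress_only
  ALLOWED_IP_LIST = ('203.0.113.0/24')
  COMMENT = 'Only corporate egress may reach this account';

ALTER ACCOUNT SET NETWORK_POLICY = corp_egress_only;
```

Two practical notes: Snowflake rejects the ALTER ACCOUNT statement if the IP of the session running it is not in the policy's allow list, which is the one safeguard against locking out the whole account, so attach the policy to a single test user first; and check 1 only covers the built-in Duo MFA, so tenants that authenticate through an external identity provider should verify enforcement on the provider side instead.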
Some security experts say that enabling multifactor authentication is harder than it sounds. "With Snowflake, at the moment they don't have an easy way for organizations to ensure their MFA solution is enabled organization-wide - each user inside an organization has to manually enroll MFA," said security researcher Kevin Beaumont.
"Because of the data Snowflake holds - vast amounts of often sensitive data - and their MFA setup, their customers are being targeted as it is easy pickings. Snowflake needs to fix that or the breaches will keep coming," Beaumont told ISMG.