Around 165 Snowflake customers have already fallen victim to hackers, who got in because of weak security on the customers' own Snowflake accounts.
The security company Mandiant, together with the data cloud specialist Snowflake, has already contacted 165 organizations that have fallen victim to hackers. Criminals have stolen customer data from their Snowflake accounts and are now trying to make money by blackmailing the targets or reselling this data.
The customers were targeted by attackers from a group that goes by the name UNC5537. It is currently targeting Snowflake customers, but is not exploiting any bugs or vulnerabilities in Snowflake itself. Snowflake accounts are a good target because Snowflake is intended to serve as a central location for all users’ corporate data.
Login details stolen
Mandiant points out that in all cases uncovered, the root cause of the breach lies with the customer. Specifically, UNC5537's hackers broke in using stolen credentials for accounts without MFA protection. They obtained these credentials partly through infostealer malware, but often simply because the credentials were already available on the dark web, having been stolen earlier by other gangs.
Mandiant points out that the oldest stolen username and password combination dates back to November 2020. The data UNC5537 misuses is fundamentally not new and has been circulating in criminal circles for some time. Victims had not changed the login credentials for their Snowflake accounts since the original password theft, although there is a good chance that they were unaware of any compromise during that time.
Enter through the front door
The UNC5537 attack is therefore not very sophisticated. The criminals simply log in using an account with available credentials and sufficient privileges and then get to work using various tools. They examine what data they have access to and then steal it.
Mandiant points out that the affected accounts not only lacked MFA, but also did not use network allow lists. Such a list restricts access to an account to known locations (e.g. the corporate network).
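As an added illustration (this is not code from the article, from Mandiant or from Snowflake), the following Python script applies the three controls the article says were missing, MFA, a network allow list and credential rotation, to login and user records. The record layout is an assumption loosely modelled on Snowflake's login-history data (user, client IP, first and second authentication factor, success flag); the IP ranges, login rows and user inventory are constructed sample data for the demo.

```python
"""
Added example: triage successful logins for the weaknesses the article describes
(password-only logins, logins from outside an allow list) and list accounts whose
passwords have not been rotated. All sample data below is constructed.
"""
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_address, ip_network
from typing import Iterable

# Constructed allow list: corporate ranges a network policy would permit
# (RFC 5737 documentation prefixes, not real infrastructure).
CORPORATE_ALLOW_LIST = ["203.0.113.0/24", "198.51.100.0/24"]

# Constructed login records; field names are an assumption, not real Snowflake output.
SAMPLE_LOGINS = [
    {"user_name": "ETL_SVC", "client_ip": "203.0.113.17", "first_factor": "PASSWORD",
     "second_factor": None, "is_success": "YES"},
    {"user_name": "ANALYST_A", "client_ip": "203.0.113.40", "first_factor": "PASSWORD",
     "second_factor": "DUO_PUSH", "is_success": "YES"},
    {"user_name": "ETL_SVC", "client_ip": "192.0.2.99", "first_factor": "PASSWORD",
     "second_factor": None, "is_success": "YES"},
    {"user_name": "ANALYST_B", "client_ip": "192.0.2.5", "first_factor": "PASSWORD",
     "second_factor": None, "is_success": "NO"},
]

# Constructed user inventory with the date each password was last changed.
SAMPLE_USERS = [
    {"user_name": "ETL_SVC", "password_last_set": date(2020, 11, 1)},
    {"user_name": "ANALYST_A", "password_last_set": date(2024, 3, 15)},
]


@dataclass(frozen=True)
class Finding:
    user_name: str
    client_ip: str
    reasons: tuple  # why this login deserves a look


def ip_allowed(ip: str, allow_list: Iterable[str]) -> bool:
    """True if ip falls inside any allow-listed network."""
    addr = ip_address(ip)
    return any(addr in ip_network(net) for net in allow_list)


def triage_logins(records, allow_list=CORPORATE_ALLOW_LIST) -> list:
    """
    Flag successful logins that used a password with no second factor and/or
    came from outside the allow list. Failed logins are skipped: the concern in
    the article is valid stolen credentials, and those logins succeed.
    """
    findings = []
    for r in records:
        if r["is_success"] != "YES":
            continue
        reasons = []
        if r["first_factor"] == "PASSWORD" and not r["second_factor"]:
            reasons.append("no_mfa")
        if not ip_allowed(r["client_ip"], allow_list):
            reasons.append("outside_allow_list")
        if reasons:
            findings.append(Finding(r["user_name"], r["client_ip"], tuple(reasons)))
    return findings


def users_without_mfa(records) -> set:
    """Users who completed at least one successful password-only login, wherever from."""
    return {f.user_name for f in triage_logins(records, allow_list=["0.0.0.0/0"])
            if "no_mfa" in f.reasons}


def stale_credentials(users, as_of: date, max_age_days: int = 90) -> list:
    """Users whose password is older than max_age_days on the given date."""
    return sorted(u["user_name"] for u in users
                  if (as_of - u["password_last_set"]).days > max_age_days)


if __name__ == "__main__":
    for f in triage_logins(SAMPLE_LOGINS):
        print(f"{f.user_name:10} {f.client_ip:15} {', '.join(f.reasons)}")
    print("Users to enrol in MFA:", sorted(users_without_mfa(SAMPLE_LOGINS)))
    print("Passwords to rotate:", stale_credentials(SAMPLE_USERS, date(2024, 6, 10)))
```

The script reports both successful logins of the service account (one password-only from inside the corporate range, one password-only from an unknown address), names that account as needing MFA, and lists it as the one whose password dates from 2020, which is the pattern the article describes. In practice the same checks would run over the real login history and user inventory rather than the constructed rows here.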
Essentially, the affected Snowflake customers lost their keys at some point in the last four years, did not replace the lock or install an additional lock, and thieves have now used the key to break in through the front door.
Snowflake’s customer service is working with affected customers to limit the impact of the attack. Snowflake itself insists that there is nothing wrong with the security of the Snowflake platform or its own systems. The fact that at least one of Snowflake’s own demo accounts, which lacked MFA, was also compromised does not change this, according to the company. After all, the demo account was exactly what its name suggests and had no access to production systems.
Mandiant points out that in some cases UNC5537 was able to access data via clients’ partners that managed multiple systems, which naturally amplifies the impact. The approximately 165 clients now identified as victims are unlikely to be the full number of organizations UNC5537 has hit.
Lucrative attack model
Mandiant further concludes that UNC5537 is likely to continue this strategy and will not necessarily keep focusing on Snowflake. After all, attacking SaaS services with stolen credentials is not that difficult as long as users do not enable MFA. According to Mandiant, the UNC5537 group consists of members in North America and at least one hacker in Turkey.
Snowflake does not (currently) require customers to enable MFA. The company recommends that users do so. Following the attack, the company is also evaluating whether it can require its customers to implement enhanced security mechanisms in the future. Several SaaS providers and cloud specialists already do this.