Threat Actor Breaches Snowflake Customers, Extorts Victims

By Trend News Line | June 11, 2024, 14:35

**Cyber Threat Actor Strikes Snowflake Data Warehousing Platform**

A cyber threat actor known as UNC5537 has recently targeted the popular data warehousing platform Snowflake, stealing a significant volume of customer data. The malicious actor is believed to be financially motivated, and they have been actively advertising the stolen data on cybercrime forums while attempting to extort the victims. Mandiant, a leading cybersecurity firm, has issued a warning after identifying 165 organizations that use Snowflake as potential victims of this data breach.

**UNC5537’s Modus Operandi**

According to Mandiant researchers, UNC5537 has been systematically compromising Snowflake customer instances using credentials stolen in multiple infostealer malware campaigns. The compromised credentials were primarily harvested from systems not owned by Snowflake that had been infected with malware families such as VIDAR, RISEPRO, REDLINE, RACCOON STEALER, LUMMA, and METASTEALER. Because the credentials were valid, the threat actor could log in to the customers' Snowflake instances and exfiltrate valuable data.

**Investigation and Response**

Mandiant conducted an investigation into a database breach that originated from a victim’s Snowflake instance in April 2024. It was discovered that the threat actor had gained access to the organization’s platform using stolen credentials, leading to the exfiltration of sensitive data. Upon identifying a broader campaign targeting Snowflake customers, Mandiant informed the data warehousing platform, which initiated a Victim Notification Program to alert potential victims and assist them in securing their accounts.

**Reconnaissance and Extortion**

UNC5537 was found to have conducted reconnaissance against target Snowflake instances using a tool named FROSTBITE to perform SQL reconnaissance. The threat actor targeted hundreds of organizations worldwide and is actively extorting victims for financial gain. Mandiant and Snowflake's analysis revealed that the majority of compromised accounts had prior credential exposure, highlighting the importance of regular credential rotation and monitoring to prevent such incidents.

**Security Lapses**

Mandiant researchers identified three key factors that enabled the attackers to compromise Snowflake customer instances: the lack of multi-factor authentication (MFA), failure to rotate credentials that had been stolen in earlier infostealer infections, and the absence of network allow lists restricting access to trusted locations. The cybersecurity firm advised organizations to implement MFA and secure authentication practices to mitigate similar attacks in the future.
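The monitoring recommended in the Reconnaissance section and the three factors listed above all map onto controls a Snowflake administrator can audit and enforce with SQL. The following is an added example, not a query set from the article or from Mandiant or Snowflake: it lists users who can still sign in with a password alone, surfaces recent logins that used no second factor together with their source IP and client, and then applies a network allow list and an MFA-enrollment requirement at the account level. The policy names, the `security_db.policies` schema and the `203.0.113.0/24` range are constructed placeholders.

```sql
-- Added example (not from the article, Mandiant or Snowflake). Object names and the
-- IP range are constructed placeholders. Run with a role that can read
-- SNOWFLAKE.ACCOUNT_USAGE and alter the account (e.g. ACCOUNTADMIN).

-- 1. Enabled users who have a password but no Duo MFA enrollment: the accounts
--    that a stolen infostealer credential would unlock on its own.
--    ACCOUNT_USAGE views lag live state by up to a few hours.
SELECT name, has_password, ext_authn_duo, last_success_login
FROM   SNOWFLAKE.ACCOUNT_USAGE.USERS
WHERE  deleted_on IS NULL
  AND  NOT disabled::BOOLEAN
  AND  has_password
  AND  NOT ext_authn_duo
ORDER  BY last_success_login DESC NULLS LAST;

-- 2. Successful logins in the last 30 days with no second factor, with the
--    source IP and reported client, to reconcile against known corporate egress.
SELECT event_timestamp, user_name, client_ip, reported_client_type
FROM   SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY
WHERE  event_timestamp >= DATEADD(day, -30, CURRENT_TIMESTAMP())
  AND  is_success = 'YES'
  AND  second_authentication_factor IS NULL
ORDER  BY event_timestamp DESC;

-- 3. Network allow list: only the placeholder corporate egress range may reach
--    the account. Snowflake refuses to activate a policy that would block the
--    IP of the session issuing the ALTER, so run this from an allowed address.
CREATE NETWORK POLICY corp_egress_only
  ALLOWED_IP_LIST = ('203.0.113.0/24')
  COMMENT = 'Restrict account access to corporate egress (placeholder range)';
ALTER ACCOUNT SET NETWORK_POLICY = corp_egress_only;

-- 4. Require MFA enrollment for password-based sign-in. Authentication policies
--    are schema-level objects; the schema here is a placeholder.
CREATE AUTHENTICATION POLICY security_db.policies.require_mfa
  AUTHENTICATION_METHODS = ('PASSWORD', 'SAML')
  MFA_ENROLLMENT = REQUIRED;
ALTER ACCOUNT SET AUTHENTICATION POLICY security_db.policies.require_mfa;
```

Steps 1 and 2 are read-only and can be run first to size the exposure; step 2 in particular gives the per-login view (source IP, client type) needed to spot sign-ins from locations the allow list in step 3 would not have admitted. Rotating the passwords of every account returned by step 1 addresses the second factor Mandiant named, since enforcing MFA going forward does not invalidate credentials already in circulation.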

In conclusion, the cyber threat actor UNC5537 has exploited vulnerabilities in Snowflake's customer instances, highlighting the importance of robust cybersecurity measures to protect sensitive data. Organizations are urged to prioritize security protocols such as MFA and credential monitoring to safeguard against malicious actors seeking to profit from data breaches.
