Security researchers have outlined a coordinated campaign targeting a raft of Snowflake customers with disabled multifactor authentication.
Ticketmaster’s data breach earlier this month saw the data of more than 500 million people exposed via compromised accounts on the Snowflake cloud data platform, but that figure may be just the tip of the iceberg, according to security firm Mandiant.
The company has revealed it has been working closely with Snowflake to identify as many as 165 potential victims of a coordinated hacking campaign that may have exposed “a significant volume of data”.
Alarmingly, a single threat actor – which Mandiant has dubbed UNC5537 – appears to be behind the whole thing.
Mandiant got on the case on 19 April when it was called in to investigate suspected data theft involving an unnamed customer’s Snowflake instance. Mandiant traced that activity back to 14 April, with evidence of malware being deployed for reconnaissance on 17 April.
On 14 May, Mandiant discovered “multiple impacted Snowflake customer instances”, after which it notified Snowflake itself and law enforcement authorities of what appeared to be a well-organised campaign. On 24 May, stolen data was first advertised for sale on hacking forums, and Snowflake released its own statement on the incident on 30 May, in the wake of the Ticketmaster hack becoming widely reported.
Santander Bank and LendingTree subsidiary QuoteWizard have been caught up in the breaches as well, but Mandiant noted that it and Snowflake have alerted many more companies.
“To date, Mandiant and Snowflake have notified approximately 165 potentially exposed organisations,” Mandiant said in an 11 June blog post.
“Snowflake’s customer support has been directly engaged with these customers to ensure the safety of their accounts and data. Mandiant and Snowflake have been conducting a joint investigation into this ongoing threat campaign and coordinating with relevant law enforcement agencies.”
The campaign uses previously stolen login credentials, some of them years old, to log in to Snowflake customer instances. In every confirmed case the targeted account had no multifactor authentication enabled, and the instance had no network allow list (a Snowflake network policy) restricting the IP addresses from which logins were accepted, so a leaked password alone was enough to get in.
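The two gaps Mandiant describes, no MFA on the account and no network allow list on the instance, are both visible and fixable from Snowflake SQL. The following is an added example, not code from the article, Mandiant or Snowflake; it assumes standard Snowflake syntax for network policies and the SNOWFLAKE.ACCOUNT_USAGE views, and the policy name and IP ranges are hypothetical placeholders (RFC 5737 documentation ranges) that must be replaced with real corporate egress addresses.

```sql
-- Added example (not from the article). Policy name and IP ranges are hypothetical.

-- 1. The weak state the campaign relied on: no account-level network policy, so a
--    stolen password works from any IP address. An empty result from the first
--    statement, and an empty VALUE from the second, is that condition.
SHOW NETWORK POLICIES;
SHOW PARAMETERS LIKE 'NETWORK_POLICY' IN ACCOUNT;

-- 2. The corrected state: only corporate egress addresses may authenticate.
--    Run this from an address inside the list, or the ALTER ACCOUNT will fail
--    (Snowflake refuses to apply a policy that would lock out the current session).
CREATE OR REPLACE NETWORK POLICY corp_only_policy
  ALLOWED_IP_LIST = ('203.0.113.0/24', '198.51.100.10')  -- hypothetical egress IPs
  COMMENT = 'Restrict logins to corporate egress addresses';

ALTER ACCOUNT SET NETWORK_POLICY = corp_only_policy;  -- needs SECURITYADMIN or higher

-- 3. Audit: active users who can log in with a password but are not enrolled in
--    Snowflake's built-in (Duo) MFA. These are exactly the accounts a leaked
--    password is enough to take over. (DISABLED is cast because the ACCOUNT_USAGE
--    view exposes it as VARIANT in some editions.)
SELECT name,
       has_password,
       ext_authn_duo AS mfa_enrolled,
       last_success_login
FROM snowflake.account_usage.users
WHERE deleted_on IS NULL
  AND COALESCE(disabled::BOOLEAN, FALSE) = FALSE
  AND has_password = TRUE
  AND ext_authn_duo = FALSE
ORDER BY last_success_login DESC NULLS LAST;

-- 4. Detection: successful password-only logins in the last 30 days, grouped by
--    source IP and client. Source addresses outside the allow list, and client
--    types that do not match the user's normal tooling, are the rows to triage;
--    ACCOUNT_USAGE data lags real time by up to a couple of hours.
SELECT user_name,
       client_ip,
       reported_client_type,
       first_authentication_factor,
       second_authentication_factor,
       COUNT(*)             AS logins,
       MIN(event_timestamp) AS first_seen,
       MAX(event_timestamp) AS last_seen
FROM snowflake.account_usage.login_history
WHERE event_timestamp >= DATEADD(day, -30, CURRENT_TIMESTAMP())
  AND is_success = 'YES'
  AND first_authentication_factor = 'PASSWORD'
  AND second_authentication_factor IS NULL
GROUP BY 1, 2, 3, 4, 5
ORDER BY last_seen DESC;
```

A network policy can also be attached to individual users with `ALTER USER <name> SET NETWORK_POLICY = <policy>`, which is useful for service accounts that authenticate from a fixed set of addresses. Note that the audit in step 3 only reports enrolment; Snowflake's built-in MFA is opt-in per user, so the organisation still has to get each person to enrol, which is the point Mandiant and Snowflake are making.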
Snowflake released its own statement last week, prepared with Mandiant and CrowdStrike, confirming the coordinated activity and addressing reports of a compromised demo account belonging to a former employee.
“We have not identified evidence suggesting this activity was caused by compromised credentials of current or former Snowflake personnel,” Snowflake said.
“This appears to be a targeted campaign directed at users with single-factor authentication,” Snowflake continued. “As part of this campaign, threat actors have leveraged credentials previously purchased or obtained through info-stealing malware.
"We did find evidence that a threat actor obtained personal credentials to and accessed demo accounts belonging to a former Snowflake employee,” Snowflake confirmed.
“It did not contain sensitive data. Demo accounts are not connected to Snowflake’s production or corporate systems. The access was possible because the demo account was not behind Okta or multifactor authentication (MFA), unlike Snowflake’s corporate and production systems.”
Stolen credentials, according to Mandiant, were the fourth most used intrusion vector in 2023.
“Attackers often obtain credentials due to password reuse or users inadvertently downloading trojanised software on corporate or personal devices,” Mandiant said.
“The prevalence of both widespread info-stealer malware and credential purchasing continues to challenge defenders.”
Chester Wisniewski, director and global field CTO at Sophos, said the news is a reminder that multifactor authentication is no longer optional but absolutely necessary.
“Ensuring MFA is deployed on any and all accounts that contain sensitive and important data needs to be a collaborative effort between companies and their service providers. Companies should implement strong cyber security hygiene programs for their employees, while service providers need to enforce policies that push organisations to implement MFA when using their products,” Wisniewski said via email.
“One of the six key focus areas for software vendors signing CISA’s recent Secure by Design pledge was improving the adoption of MFA among their clients. It’s a goal Sophos believes strongly in, and it was one of the reasons we signed onto the pledge. We encourage other software vendors to do the same.”
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.