Hackers Target Snowflake in Newly Discovered Cloud Attacks

Snowflake DB Hacked

In the realm of modern cloud computing, where hybrid technology infrastructure is the norm, security threats are an ever-present concern. Recently, customers of the IT services provider Snowflake have found themselves in the crosshairs of cyber attackers.

On June 10, Mandiant, a security company owned by Google, reported that customer instances on the Snowflake cloud were being targeted for attacks using leaked login credentials. The attacks are currently concentrated solely on customer accounts and not on the Snowflake service itself, which offers a number of hosted cloud and data management services.

Mandiant has filed these attacks under the banner of UNC5537, a financially motivated threat actor suspected of stealing a significant volume of records from Snowflake customer environments. UNC5537 is systematically compromising Snowflake customer instances using stolen customer credentials, advertising victim data for sale on cybercrime forums, and attempting to extort many of the victims.

Interestingly, the Mandiant team did not connect these attacks with the recently reported breach of Snowflake by the hacking crew ShinyHunters. The hackers claim to possess hundreds of millions of credentials, though Snowflake maintains that the breached system was a test environment used by a former employee. As a result of that attack, Ticketmaster and Santander Bank reported data breaches to their customers.

The UNC5537 operation dates back to at least 2020, and Mandiant estimates that at least 165 organizations are at risk of attack. It is believed that the attackers are using a piece of info-stealing malware to pilfer user login credentials. Those stolen accounts are, in turn, used to access the victims’ Snowflake instances and steal further data, either to sell on the dark web or to carry out ransomware extortion.

In light of these attacks, Mandiant advises Snowflake customers to implement two-factor authentication on their instances, noting that all of the breaches it observed involved customers who had not enabled this feature. This incident serves as a stark reminder of the importance of robust security measures in the era of cloud computing.
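To act on that advice, a defender first needs to know which accounts can still log in with a password alone. The following is an added example, not code from Mandiant or Snowflake: it assumes login records have been exported with the column names of Snowflake's `ACCOUNT_USAGE.LOGIN_HISTORY` view, and the function name and the sample rows are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample rows (not real data). Keys follow the columns of
# Snowflake's ACCOUNT_USAGE.LOGIN_HISTORY view; users and IPs are made up.
COLUMNS = ("USER_NAME", "CLIENT_IP", "IS_SUCCESS",
           "FIRST_AUTHENTICATION_FACTOR", "SECOND_AUTHENTICATION_FACTOR")
SAMPLE_LOGINS = [
    ("ANALYST1", "203.0.113.10", "YES", "PASSWORD", "DUO_PASSCODE"),
    ("ETL_SVC", "198.51.100.7", "YES", "PASSWORD", None),
    ("ETL_SVC", "192.0.2.44", "YES", "PASSWORD", None),
    ("ETL_SVC", "192.0.2.44", "NO", "PASSWORD", None),
    ("LOADER", "198.51.100.9", "YES", "RSA_KEYPAIR", None),
    ("CONTRACTOR", "192.0.2.80", "YES", "PASSWORD", None),
]
SAMPLE_ROWS = [dict(zip(COLUMNS, row)) for row in SAMPLE_LOGINS]


def password_only_logins(rows):
    """Summarise successful logins that used a password and no second factor.

    Returns {user: {"count": n, "ips": [...]}}. Failed attempts, key-pair,
    SSO and OAuth logins are ignored: the exposure being measured is a
    stolen password that is sufficient on its own.
    """
    summary = defaultdict(lambda: {"count": 0, "ips": set()})
    for row in rows:
        if row.get("IS_SUCCESS") != "YES":
            continue  # only successful sessions matter here
        if row.get("FIRST_AUTHENTICATION_FACTOR") != "PASSWORD":
            continue  # not a password login
        if row.get("SECOND_AUTHENTICATION_FACTOR"):
            continue  # a second factor was presented
        entry = summary[row["USER_NAME"]]
        entry["count"] += 1
        entry["ips"].add(row["CLIENT_IP"])
    return {user: {"count": e["count"], "ips": sorted(e["ips"])}
            for user, e in sorted(summary.items())}


if __name__ == "__main__":
    for user, info in password_only_logins(SAMPLE_ROWS).items():
        print(f"{user}: {info['count']} password-only logins from {info['ips']}")
```

Every user in the output is an account for which a leaked password is enough to open a session, so those are the first candidates for enforced two-factor authentication.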
