Cloud Security

Hackers take aim at Snowflake in newly discovered cloud attacks

Modern cloud computing server setup with hybrid technology infrastructure background concept. Concept Cloud Computing, Server Setup, Hybrid Technology, Infrastructure, Background Concept

Customers of embattled IT services provider Snowflake are being targeted for attacks using stolen credentials.

Google-owned security company Mandiant reported June 10 that customer instances on the Snowflake cloud are being targeted for attacks using leaked login credentials.

Mandiant made a point of noting that the attacks are currently concentrated solely on customer accounts and not on the Snowflake service itself. Snowflake offers a number of hosted cloud and data management services.

The security firm did not name a specific cybercrime group as the perpetrators, but it filed the attacks under the banner of UNC5537.

“Mandiant tracks this cluster of activity as UNC5537, a financially motivated threat actor suspected to have stolen a significant volume of records from Snowflake customer environments,” Mandiant wrote.

“UNC5537 is systematically compromising Snowflake customer instances using stolen customer credentials, advertising victim data for sale on cybercrime forums, and attempting to extort many of the victims.”

The Mandiant team did not connect the attacks with the recently reported breach of Snowflake by hacking crew ShinyHunters.

The hackers claim to possess hundreds of millions of credentials, though Snowflake maintains that the breached system was a test environment that was used by a former employee.

As a result of that attack, Ticketmaster and Santander Bank reported data breaches to customers.

The UNC5537 operation dates back to at least 2020 and Mandiant estimates that at least 165 organizations have been to be at risk of attack.

It is believed that the attackers are using a piece of info-stealing malware in order to pilfer user login credentials. Those stolen accounts are, in turn, used to access the victims’ Snowflake instances to steal further data in order to either sell on the dark web or perform a ransomware extortion.

Mandiant advised that Snowflake customers to implement two-factor authentication on their instances, noting that all of the breaches it observed were customers who had not enabled the feature.                                                                                                                                      

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.