TL;DR - A threat actor named UNC5537 has been targeting Snowflake database customers using stolen credentials, leading to data theft and extortion. The attackers exploit environments lacking two-factor authentication. Snowflake has issued security advisories and recommendations to help customers enhance their security.
In a recent wave of cyber attacks, a threat actor known as UNC5537 has been targeting Snowflake database customers using stolen credentials. According to cloud security firm Mitiga, these attacks have led to significant data theft and extortion activities, putting numerous organizations at risk.
Details of the Attack
UNC5537 has been observed utilizing stolen customer credentials to access Snowflake environments, focusing primarily on those lacking two-factor authentication (2FA). The attackers have employed a custom attack tool named "rapeflake" to facilitate these breaches. The threat activity has been traced back to commercial VPN IP addresses, adding a layer of anonymity to the attackers' operations.
Mitiga reported that UNC5537 has not only stolen data but also engaged in direct extortion. The stolen data has been publicly posted for sale on hacker forums, increasing the pressure on the affected organizations to comply with the attackers' demands.
Investigation and Findings
The initial signs of this campaign were detected following inquiries from multiple Snowflake customers and subsequent threat intelligence reports. Mitiga launched its investigation, uncovering a pattern of attacks that began in mid-April 2024. Although Mitiga did not directly contact Snowflake, they assumed the company was aware of the ongoing campaign.
Snowflake confirmed the unauthorized account access on May 23, 2024, through its incident response team. They noted that the attacks did not result from any vulnerability or misconfiguration within Snowflake's product but were likely due to identity-based attacks leveraging exposed customer credentials.
Mitigation and Response
In response to these incidents, Snowflake has issued a security advisory urging customers to enhance their account security. Key recommendations include:
- Enforcing Multi-Factor Authentication (MFA): Ensure that all accounts, especially those accessing critical data, are protected by MFA.
- Reviewing Access Logs: Regularly monitor login attempts and access logs for unusual activity, such as successful password-only logins from unfamiliar IP addresses.
- Implementing Network Segmentation: Restrict access to Snowflake environments through network segmentation and allowlisting of IP addresses.
Additionally, Snowflake has provided indicators of compromise (IoCs) and investigative queries to help customers identify and respond to potential threats.
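The three recommendations above, worked through as an added SQL example. This is not code from the original post and not Snowflake's published advisory queries; it uses the real SNOWFLAKE.ACCOUNT_USAGE views (LOGIN_HISTORY and USERS) and the documented CREATE NETWORK POLICY syntax, while the policy name and IP ranges are constructed placeholders that would be replaced with an organization's own egress addresses.

```sql
-- Added example (not Snowflake's advisory queries). View and column names are
-- Snowflake's real ACCOUNT_USAGE schema; policy name and CIDRs are constructed.
-- ACCOUNT_USAGE views lag live activity by up to about two hours.

-- 1. Review access logs: successful logins in the last 30 days that used only a
--    password and no second factor, grouped by user, source IP and client.
--    Password-only logins from unfamiliar addresses are the pattern this
--    campaign relied on; a legitimate user's usual IPs form the baseline.
SELECT
    user_name,
    client_ip,
    reported_client_type,
    reported_client_application_id,
    MIN(event_timestamp) AS first_seen,
    MAX(event_timestamp) AS last_seen,
    COUNT(*)             AS login_count
FROM snowflake.account_usage.login_history
WHERE event_timestamp >= DATEADD(day, -30, CURRENT_TIMESTAMP())
  AND is_success = 'YES'
  AND first_authentication_factor = 'PASSWORD'
  AND second_authentication_factor IS NULL
GROUP BY 1, 2, 3, 4
ORDER BY last_seen DESC;

-- 2. Find MFA gaps: enabled, password-bearing users who have never enrolled in
--    MFA. EXT_AUTHN_DUO becomes true once a user completes MFA enrollment.
--    The ::BOOLEAN casts cover the VARIANT-typed columns in this view.
SELECT name, login_name, default_role, last_success_login
FROM snowflake.account_usage.users
WHERE deleted_on IS NULL
  AND disabled::BOOLEAN     = FALSE
  AND has_password::BOOLEAN = TRUE
  AND ext_authn_duo::BOOLEAN = FALSE
ORDER BY last_success_login DESC NULLS LAST;

-- 3. Restrict where the account can be reached from. The addresses below are
--    RFC 5737 documentation ranges standing in for a real corporate egress range.
CREATE NETWORK POLICY IF NOT EXISTS corp_egress_only
  ALLOWED_IP_LIST = ('203.0.113.0/24', '198.51.100.10')
  COMMENT = 'Constructed example: allow only corporate egress addresses';

-- Apply account-wide so every user, including service accounts, is covered.
ALTER ACCOUNT SET NETWORK_POLICY = corp_egress_only;
```

Run these with a role that can read ACCOUNT_USAGE and alter the account (ACCOUNTADMIN in a default deployment). The first two queries are hunting queries: the useful output is the rows they return, which are then compared against known corporate or VPN ranges and the list of users expected to hold passwords at all. Before setting the account-level network policy, confirm that the address the administrator's own session comes from is in the allowed list, and that any integrations connecting from fixed cloud addresses are included, otherwise legitimate access is cut off along with the unwanted kind.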
Broader Implications
The attacks on Snowflake customers highlight a broader trend of increasing identity-based attacks. These incidents underscore the challenges cloud service providers face in securing customer data and the need for robust security measures. Continuous monitoring, threat hunting, and proactive security practices are essential to mitigate such risks.
Wrapping Up
The UNC5537 threat actor's campaign against Snowflake customers serves as a stark reminder of the importance of robust security measures. Organizations must prioritize the implementation of multi-factor authentication, regular monitoring of access logs, and stringent access controls to protect their data. Proactive threat hunting and continuous vigilance are crucial in staying ahead of potential security threats.