ATTACK OF THE INFOSTEALERS

Hackers steal “significant volume” of data from hundreds of Snowflake customers

Given shortcomings of Snowflake and its customers, there's plenty of blame to go around.

Dan Goodin
Credit: Getty Images

As many as 165 customers of cloud storage provider Snowflake have been compromised by a group that obtained login credentials through information-stealing malware, researchers said Monday.

On Friday, Lending Tree subsidiary QuoteWizard confirmed it was among the customers notified by Snowflake that it was affected in the incident. Lending Tree spokesperson Megan Greuling said the company is in the process of determining whether data stored on Snowflake has been stolen.

“That investigation is ongoing,” she wrote in an email. “As of this time, it does not appear that consumer financial account information was impacted, nor information of the parent entity, Lending Tree.”

Researchers from Mandiant, a Google-owned security firm Snowflake retained to investigate the mass compromise, said Monday that the companies have so far identified 165 customers whose data may have been stolen in the spree. Live Nation confirmed 10 days ago that data its Ticketmaster group stored on Snowflake had been stolen following a posting offering the sale of the full names, addresses, phone numbers, and partial credit card numbers for 560 million Ticketmaster customers.

Santander, Spain’s biggest bank, said recently that data belonging to some of its customers has also been stolen. The same group advertising the Ticketmaster data offered the sale of Santander data. Researchers from security firm Hudson Rock said that stolen data was also stored on Snowflake. Santander has neither confirmed nor denied the claim.

Mandiant’s Monday post said that all the compromises it has tracked so far were the result of login credentials for Snowflake accounts being stolen by infostealer malware and stored in vast logs, sometimes for years at a time. None of the affected accounts made use of multifactor authentication, which requires users to provide a one-time password or additional means of authentication besides a password.

The group carrying out the attacks is financially motivated, with members principally located in North America. Mandiant is tracking it as UNC5537. Company researchers wrote:

Based on our investigations to date, UNC5537 obtained access to multiple organizations’ Snowflake customer instances via stolen customer credentials. These credentials were primarily obtained from multiple infostealer malware campaigns that infected non-Snowflake owned systems. This allowed the threat actor to gain access to the affected customer accounts and led to the export of a significant volume of customer data from the respective Snowflake customer instances. The threat actor has subsequently begun to extort many of the victims directly and is actively attempting to sell the stolen customer data on recognized cybercriminal forums.

Mandiant identified that the majority of the credentials used by UNC5537 were available from historical infostealer infections, some of which dated as far back as 2020.

The threat campaign conducted by UNC5537 has resulted in numerous successful compromises due to three primary factors:

  1. The impacted accounts were not configured with multi-factor authentication enabled, meaning successful authentication only required a valid username and password.
  2. Credentials identified in infostealer malware output were still valid, in some cases years after they were stolen, and had not been rotated or updated.
  3. The impacted Snowflake customer instances did not have network allow lists in place to only allow access from trusted locations.

Attack path UNC5537 has used in attacks against as many as 165 Snowflake customers. Credit: Mandiant

Initial access to affected Snowflake accounts often occurred with the use of the company’s native SnowSight or SnowSQL, which are a web-based user interface and a command-line interface respectively. The threat actors also used a custom utility that shows up as “rapeflake” in logs and that Mandiant tracks as FrostBite.

The earliest infostealer infection date observed in the mass credential theft occurred in November 2020. In all, Mandiant identified hundreds of customer Snowflake credentials exposed via infostealers since then. The earliest known breach in the UNC5537 campaign took place on April 24. Mandiant provided the following image illustrating the timeline:

UNC5537 Snowflake campaign timeline. Credit: Mandiant

Some of the infostealers used to harvest the credentials have names such as Vidar, Risepro, Redline, Raccoon Stealer, Lumma, and MetaStealer. In some cases, the malware was installed on machines that contractors used for both work and personal activities, including gaming and pirated software.

“These devices, often used to access the systems of multiple organizations, present a significant risk,” Mandiant wrote. “If compromised by infostealer malware, a single contractor's laptop can facilitate threat actor access across multiple organizations, often with IT and administrator-level privileges.”

Mandiant has been tracking UNC5537 since last month. The group has targeted hundreds of organizations around the world and often extorts its victims for financial gain. UNC5537 uses multiple aliases on Telegram. Besides members in North America, the group collaborates with an additional member in Turkey, Mandiant assessed with moderate confidence. Connections come primarily through IP addresses belonging to VPNs from Mullvad or Private Internet Access. The group used Moldovan VPS systems from Alexhost SRL, with the autonomous system AS200019, to exfiltrate data. Stolen data was stored on several VPS providers and the cloud storage provider MEGA.

Monday’s post further observed:

UNC5537’s campaign against Snowflake customer instances is not the result of any particularly novel or sophisticated tool, technique, or procedure. This campaign’s broad impact is the consequence of the growing infostealer marketplace and missed opportunities to further secure credentials:

  • UNC5537 was likely able to aggregate credentials for Snowflake victim instances by accessing a variety of different sources of infostealer logs. The underground infostealer economy is also extremely robust, and large lists of stolen credentials exist both for free and for purchase inside and outside of the dark web.
  • The affected customer instances did not require multi-factor authentication and in many cases, the credentials had not been rotated for as long as four years. Network allow lists were also not used to limit access to trusted locations.

This campaign highlights the consequences of vast amounts of credentials circulating on the infostealer marketplace and may be representative of a specific focus by threat actors on similar SaaS platforms. Mandiant assesses UNC5537 will continue this pattern of intrusion, targeting additional SaaS platforms in the near future.

The broad impact of this campaign underscores the urgent need for credential monitoring, the universal enforcement of MFA and secure authentication, limiting traffic to trusted locations for crown jewels, and alerting on abnormal access attempts. For further recommendations on how to harden Snowflake environments, please see Snowflake’s Hardening Guide.

While Mandiant has largely absolved Snowflake of any blame in the mass compromise of its customers, researcher Kevin Beaumont has vocally held the cloud provider responsible for much of it.

“They need to, at an engineering and secure by design level, go back and review how authentication works—as it’s pretty transparent that given the number of victims and scale of the breach that the status quo hasn’t worked,” he wrote last week. “Secure authentication should not be optional.” On Mastodon, the researcher characterized the Snowflake authentication system as “terrible.”

But clearly, the victims in this breach also made decisions that played a key role. Anyone using Snowflake should carefully investigate whether their accounts have been affected by this campaign, using the indicators of compromise provided in Monday’s post. Customers should further review their authentication configurations to ensure multifactor authentication is turned on and follow the other advice in the above-mentioned hardening guide.
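The three factors Mandiant lists (no MFA, unrotated credentials, no network allow list) and the closing recommendations (credential monitoring, trusted-location restrictions, alerting on abnormal access) map directly onto checks a defender can run over login records. The script below is an added example, not code from the article, Mandiant, or Snowflake: it triages a handful of constructed login events against those checks and a client-name watchlist (the "rapeflake" string is the one the article says appears in logs; everything else, the IP ranges, the 90-day rotation window, the user names and the record layout, is made up for the example). Snowflake's real LOGIN_HISTORY view has its own column names; adapt the field mapping before pointing this at actual data.

```python
"""Triage login events for the hardening gaps Mandiant described.

Added example, not from the Ars Technica article, Mandiant or Snowflake.
Record layout, IP ranges, users and thresholds are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set

# Trusted egress ranges: constructed placeholder values for a network allow list.
TRUSTED_NETWORKS = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]
# Client application names worth alerting on. "rapeflake" is the string the
# article says Mandiant observed in logs for its FrostBite utility.
SUSPICIOUS_CLIENTS = {"rapeflake"}
# Credential rotation window: constructed policy value.
MAX_PASSWORD_AGE = timedelta(days=90)


@dataclass
class LoginEvent:
    timestamp: datetime
    user: str
    client_ip: str
    client_app: str                # reported client application name
    second_factor: Optional[str]   # e.g. "DUO_PUSH"; None means password only
    success: bool


@dataclass
class UserRecord:
    user: str
    password_last_set: datetime


def findings_for(event: LoginEvent, users: Dict[str, UserRecord]) -> List[str]:
    """Return the gaps and indicators a single *successful* login exhibits."""
    if not event.success:
        return []  # failed attempts are a different alerting story; skip here
    findings: List[str] = []
    if event.second_factor is None:
        findings.append("NO_MFA")
    addr = ip_address(event.client_ip)
    if not any(addr in net for net in TRUSTED_NETWORKS):
        findings.append("UNTRUSTED_IP")
    rec = users.get(event.user)
    if rec is None:
        findings.append("UNKNOWN_USER")
    elif event.timestamp - rec.password_last_set > MAX_PASSWORD_AGE:
        findings.append("STALE_CREDENTIAL")
    if event.client_app.lower() in SUSPICIOUS_CLIENTS:
        findings.append("SUSPICIOUS_CLIENT")
    return findings


def triage(events: List[LoginEvent], users: Dict[str, UserRecord]) -> Dict[str, Set[str]]:
    """Map each user to the union of findings across their successful logins."""
    report: Dict[str, Set[str]] = {}
    for ev in events:
        hits = findings_for(ev, users)
        if hits:
            report.setdefault(ev.user, set()).update(hits)
    return report


# Constructed sample data. "bob" models the pattern in the article: a password
# last set in late 2020, never rotated, used from an untrusted address without MFA.
USERS = {
    "alice": UserRecord("alice", datetime(2024, 5, 1)),
    "bob": UserRecord("bob", datetime(2020, 11, 15)),
    "carol": UserRecord("carol", datetime(2024, 4, 20)),
}

EVENTS = [
    LoginEvent(datetime(2024, 6, 3, 9, 0), "alice", "203.0.113.10", "SnowSQL", "DUO_PUSH", True),
    LoginEvent(datetime(2024, 6, 3, 2, 14), "bob", "192.0.2.77", "rapeflake", None, True),
    LoginEvent(datetime(2024, 6, 3, 11, 30), "carol", "198.51.100.5", "Snowsight", None, True),
    LoginEvent(datetime(2024, 6, 3, 2, 10), "bob", "192.0.2.77", "rapeflake", None, False),
]

if __name__ == "__main__":
    for user, hits in sorted(triage(EVENTS, USERS).items()):
        print(f"{user}: {', '.join(sorted(hits))}")
```

The point of keeping MFA, allow-list and rotation checks separate is that each one alone would have blocked the intrusion path Mandiant describes; a user who trips all four at once, as "bob" does here, is the case to investigate first, while "carol" shows that a login from a trusted address with a fresh password can still be worth a ticket if MFA is off.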

Listing image: Getty Images
