Cybercriminals associated with the attack targeting Snowflake customers stole "a significant volume" of data

June 11 (Portaltic/EP) –

The group of cybercriminals behind the recent security breach that exposed data from Snowflake customer companies, tracked as UNC5537, used customer credentials stolen in earlier malware campaigns to take "a significant volume of data" and extort the victims.

Snowflake, a cloud data storage and analytics service, published a statement at the end of May acknowledging that it was investigating, together with the cybersecurity firms CrowdStrike and Mandiant, a threat campaign directed at some of its customers' accounts.

In that statement the company said that "a limited number" of these accounts had been compromised, without detailing which ones. It also clarified that it had found no indication that the malicious activity was caused by a vulnerability or breach of its platform, nor any evidence that the incident was caused by compromised passwords of current or former Snowflake staff.

The firm likewise concluded that "it appeared to be a campaign targeting users with single-factor authentication", that is, accounts without multi-factor authentication (MFA), and that the attackers had used credentials previously purchased or harvested by information-stealing malware.

More than 500 login credentials leaked online were later identified that allegedly belong to Snowflake customers. Among them would be Ticketmaster and Banco Santander, which both recently reported "unauthorized access" security incidents.

Now Mandiant has shared findings on the campaign against Snowflake customer databases, describing it as the work of a group of cybercriminals who steal data and use it to extort the victims.

As explained in a post on its blog, the attack has been attributed to a cluster of malicious activity tracked as UNC5537, made up of cybercriminals based in North America and Turkey. The researchers describe it as a financially motivated threat actor that has stolen "a significant volume" of data from Snowflake customer environments.

The modus operandi of UNC5537 is to systematically compromise victim instances with stolen customer credentials and then advertise the data for sale on cybercrime forums, blackmailing the victims with the threat of publishing the information unless a specified sum of money is paid.

OUTDATED PASSWORDS

In the same report, the cybersecurity company states that it has identified around 165 Snowflake customers that may have been affected by the campaign or whose data is "potentially exposed".

However, Mandiant has reiterated that its investigations found no evidence that unauthorized access to Snowflake customer accounts was caused by a breach of the company's enterprise environment.

In fact, every incident found can be traced back to compromised customer credentials. These were obtained mainly from multiple information-stealer malware campaigns that "infected systems not owned by Snowflake", including the VIDAR, RACCOON STEALER, LUMMA and METASTEALER families.

Most of these passwords came from earlier information-theft infections, some dating back to 2020. The affected accounts did not have multi-factor authentication enabled, and the passwords had not been rotated in years.
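The pattern Mandiant describes, a password-only login from an unfamiliar source into an account whose password has not changed in years, is something a customer can hunt for in their own login history. The following is an added example, not code from Mandiant, Snowflake or the article: the field names are an assumption modelled on Snowflake's ACCOUNT_USAGE.LOGIN_HISTORY and USERS views, the sample rows are constructed, and the cutoff date and 365-day password age are arbitrary thresholds chosen for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample rows (not real data). Assumption: the field names
# mirror Snowflake's ACCOUNT_USAGE.LOGIN_HISTORY view; a real run would
# SELECT these columns and feed the rows to the same functions.
FIELDS = ("event_timestamp", "user_name", "client_ip", "reported_client_type",
          "first_authentication_factor", "second_authentication_factor", "is_success")
SAMPLE_LOGINS = [
    ("2024-03-02T09:14:00", "ANALYST1", "198.51.100.10", "SNOWFLAKE_UI", "PASSWORD", "DUO_PUSH", "YES"),
    ("2024-03-03T09:20:00", "ETL_SVC", "198.51.100.20", "PYTHON_DRIVER", "PASSWORD", None, "YES"),
    ("2024-03-05T10:00:00", "ANALYST1", "198.51.100.10", "SNOWFLAKE_UI", "PASSWORD", "DUO_PUSH", "YES"),
    ("2024-04-14T02:11:09", "ETL_SVC", "203.0.113.7", "PYTHON_DRIVER", "PASSWORD", None, "YES"),
    ("2024-04-14T02:13:40", "ANALYST2", "203.0.113.7", "OTHER", "PASSWORD", None, "NO"),
    ("2024-04-14T02:14:02", "ANALYST2", "203.0.113.7", "OTHER", "PASSWORD", None, "YES"),
    ("2024-04-15T11:00:00", "ANALYST1", "198.51.100.10", "SNOWFLAKE_UI", "PASSWORD", "DUO_PUSH", "YES"),
]
RECORDS = [dict(zip(FIELDS, row)) for row in SAMPLE_LOGINS]

# Constructed user metadata (assumption: modelled on ACCOUNT_USAGE.USERS,
# which exposes a password-last-set timestamp per user).
SAMPLE_USERS = {
    "ANALYST1": {"password_last_set_time": "2024-01-10T08:00:00"},
    "ANALYST2": {"password_last_set_time": "2021-02-01T08:00:00"},
    "ETL_SVC": {"password_last_set_time": "2020-06-01T08:00:00"},
}

# Start of the hunting window; logins before it form the per-user IP baseline.
CUTOFF = datetime(2024, 4, 1)
NOW = datetime(2024, 6, 11)


def ts(rec):
    return datetime.fromisoformat(rec["event_timestamp"])


def is_password_only(rec):
    """True when the login used a password and no second factor."""
    return (rec["first_authentication_factor"] == "PASSWORD"
            and rec["second_authentication_factor"] is None)


def users_without_mfa(records):
    """Users who have completed at least one successful password-only login."""
    return sorted({r["user_name"] for r in records
                   if r["is_success"] == "YES" and is_password_only(r)})


def baseline_ips(records, cutoff):
    """Per-user source IPs seen in successful logins before the cutoff."""
    seen = defaultdict(set)
    for r in records:
        if r["is_success"] == "YES" and ts(r) < cutoff:
            seen[r["user_name"]].add(r["client_ip"])
    return seen


def suspicious_logins(records, cutoff):
    """Successful password-only logins after the cutoff from an IP the user
    had never logged in from before. A user with no baseline at all (for
    example a dormant account) is flagged on its first such login."""
    seen = baseline_ips(records, cutoff)
    return [r for r in records
            if ts(r) >= cutoff and r["is_success"] == "YES"
            and is_password_only(r) and r["client_ip"] not in seen[r["user_name"]]]


def stale_password_users(users, now, max_age_days=365):
    """Users whose password is older than max_age_days at time `now`."""
    return sorted(u for u, meta in users.items()
                  if (now - datetime.fromisoformat(meta["password_last_set_time"])).days > max_age_days)


if __name__ == "__main__":
    print("password-only users:", users_without_mfa(RECORDS))
    print("stale passwords:", stale_password_users(SAMPLE_USERS, NOW))
    for r in suspicious_logins(RECORDS, CUTOFF):
        print("REVIEW", r["event_timestamp"], r["user_name"], r["client_ip"], r["reported_client_type"])
```

On the constructed data the two password-only accounts, ETL_SVC and ANALYST2, are the ones flagged: both log in from a source IP with no history for that user, and both carry passwords set years earlier. The failed attempt by ANALYST2 just before its successful login is not flagged by itself, but it is the kind of adjacent event worth pulling into the review once a hit appears. The intersection of the three lists (no MFA, new source, old password) is the shortlist to reset and lock first.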

Mandiant concludes that the UNC5537 campaign against Snowflake customers "is not the result of any particularly novel or sophisticated tool, technique or procedure", but rather a consequence of the "growing market for information theft".

Its experts first became aware of these attacks in April, when the first evidence of unauthorized access to an unnamed Snowflake customer's environment was identified.

In May, Mandiant contacted Snowflake to report a broader campaign aimed at the cloud service's customers and began notifying potential victims through its Victim Notification Program.

Snowflake has said it continues to work "closely" with its customers to reduce cyber threats to their businesses and that it is developing a plan to require customers to implement advanced security controls, as noted in an update to the statement on its blog.
