
Breach of cloud services: large-scale attack against Snowflake customers

Investigations detect large-scale cyber attacks leveraging compromised credentials and advanced intrusion tools

A security breach on Snowflake affected over 165 companies, including Ticketmaster and Santander, with sensitive data stolen. Hackers exploited stolen credentials via malware. The lack of multi-factor authentication contributed to the compromise.


The recent compromise of cloud instances belonging to customers of Snowflake, a major cloud storage services company, raises serious concerns. Online there is talk of over 165 breached companies, with significant consequences for many large organizations. The issue surfaced a few weeks ago, when Ticketmaster, a well-known ticketing platform, reported the theft of 560 million customer records stored on Snowflake. This vast trove of personal information, including names, addresses, phone numbers and partial credit card data, was then offered for sale on dark web channels. Making the situation even more critical, Santander, a Spanish bank, also revealed that it had been the victim of a theft of confidential account-holder data, which was likewise kept on Snowflake's cloud services and subsequently put up for sale.

Mandiant identifies the scope of the breach

Unfortunately, these were not isolated cases, but only the tip of the iceberg. Mandiant, the Google-owned cybersecurity firm tasked with investigating the incident, identified at least 165 customers involved, although the number of victims could rise further as the investigation deepens. The compromised accounts were initially accessed through Snowflake utilities such as Snowsight and SnowSQL, and through an intrusion tool called Frostbite, using credentials stolen by various infostealers such as Vidar, RisePro, Redline, Raccoon Stealer, Lumma and MetaStealer. This malware was often running on the customers' own systems rather than on Snowflake's. One critical point made by Mandiant is that many of the targeted accounts did not use multi-factor authentication, which could have prevented the compromise.

UNC5537 and the strategy behind the attack

According to Mandiant, the group responsible is tracked as UNC5537, operates primarily in North America and is motivated solely by financial extortion. Analysts believe the activity began as early as November 2020, with a significant peak last April. UNC5537 uses several tools to disguise its activities, such as VPNs, VPS servers and the MEGA cloud storage service, as well as frequently changing aliases on Telegram. The stolen data was distributed across various hosting providers and storage services, including MEGA's. This well-organized set of tools and methods allowed the criminals to store and sell huge amounts of data without being easily traced, increasing the complexity of the entire incident.

Consequences and security recommendations

Mandiant's analysis suggests that the incident is not due to poor management by Snowflake, although some experts, such as Kevin Beaumont, harshly criticize its authentication system as "terrible". Even so, the main responsibility falls on the victim companies, which had not implemented adequate security policies. Mandiant published indicators of compromise and recommended continuous monitoring of credentials as a preventive practice. This incident highlights the importance of regularly rotating login credentials and implementing robust security measures such as multi-factor authentication. Finally, a document on how to harden Snowflake environments has been made available to customers, in order to avoid future compromises.
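As an added illustration of the credential monitoring Mandiant recommends (example queries written for this page, not taken from Mandiant's or Snowflake's published guidance), the following Snowflake SQL first lists enabled users who can still log in with a password but have no MFA enrolled, and then summarises recent successful logins that used a password with no second factor, broken down by user and reported client type. It assumes the standard SNOWFLAKE.ACCOUNT_USAGE views (USERS and LOGIN_HISTORY) and a role permitted to read them; the 30-day window is an arbitrary choice.

```sql
-- Added example (not from the article): auditing MFA coverage and
-- password-only logins in a Snowflake account.
-- Assumes the standard SNOWFLAKE.ACCOUNT_USAGE views and a role
-- (e.g. ACCOUNTADMIN) that can read them. ACCOUNT_USAGE data lags
-- live activity by up to a few hours, so treat the results as a
-- periodic audit rather than a real-time alert.

-- 1. Enabled, password-bearing users who have not enrolled in MFA.
--    EXT_AUTHN_DUO = FALSE means no Duo MFA is registered for the user.
--    Several of these columns are VARIANT-typed, hence the explicit casts.
SELECT
    name,
    login_name,
    has_password::BOOLEAN        AS has_password,
    has_rsa_public_key,
    last_success_login
FROM snowflake.account_usage.users
WHERE deleted_on IS NULL
  AND disabled::BOOLEAN = FALSE
  AND has_password::BOOLEAN = TRUE
  AND ext_authn_duo::BOOLEAN = FALSE
ORDER BY last_success_login DESC NULLS LAST;

-- 2. Successful logins in the last 30 days authenticated by a password
--    alone (no second factor), grouped by user and reported client.
--    Snowsight and SnowSQL are the client types named in the article.
--    IS_SUCCESS is the text 'YES' / 'NO' in this view.
SELECT
    user_name,
    reported_client_type,
    COUNT(*)                  AS login_count,
    COUNT(DISTINCT client_ip) AS distinct_source_ips,
    MIN(event_timestamp)      AS first_seen,
    MAX(event_timestamp)      AS last_seen
FROM snowflake.account_usage.login_history
WHERE event_timestamp >= DATEADD('day', -30, CURRENT_TIMESTAMP())
  AND is_success = 'YES'
  AND first_authentication_factor = 'PASSWORD'
  AND second_authentication_factor IS NULL
GROUP BY user_name, reported_client_type
ORDER BY distinct_source_ips DESC, login_count DESC;
```

Run these on a schedule and feed the output to whoever owns identity for the account: every row in the first result is an account that a stolen password alone would open, and a user in the second result with many distinct source IPs is a reasonable candidate for credential rotation and MFA enrolment before any further triage.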


06/11/2024 17:46

Editorial AI
