Tuesday, December 3, 2024

Over 160 Snowflake Customers Affected by Targeted Data Theft Attack

Mandiant recently issued a warning to Snowflake customers, urging them to prioritize basic credential hygiene in light of a targeted campaign by a financially motivated threat actor known as UNC5537. Evidence has revealed that over 160 customers, including major companies like Santander and Ticketmaster, have been compromised in this campaign.

UNC5537 has been systematically compromising Snowflake customer instances using stolen credentials, selling purloined data on dark web forums, and extorting many of the victims. Mandiant emphasized that the compromises were a result of poor cybersecurity hygiene on the part of the victimized customers, rather than any issues with Snowflake’s own enterprise environment.

Mandiant found that the threat actor used stolen credentials to access over 100 Snowflake customer tenants since at least April 2024. The factors Mandiant identified as contributing to the campaign's success were accounts without multifactor authentication, credentials stolen by infostealer malware, and tenants lacking network allow lists. Organizations were advised to assess their exposure to infostealer-stolen credentials, since the same weaknesses enable similar attacks against other SaaS solutions.

Mandiant also noted that none of the impacted accounts had multifactor authentication enabled, so a stolen password alone was enough to log in. Many of the compromised credentials had not been rotated since they were stolen, and the affected customers had not configured network allow lists to restrict access to trusted locations.
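The three conditions Mandiant cites (no MFA, no allow list, a stolen password that still works) are straightforward to check against login telemetry. The Python below is an added example, not code from the article or from Mandiant: it runs over constructed login records with a constructed allow list and flags successful logins that completed no second factor from an address outside the trusted ranges; the record fields and the allow-listed networks are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample: the ranges a tenant's network allow list would permit.
ALLOWED_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]


@dataclass(frozen=True)
class Login:
    """One login event; field names are assumed, not a vendor schema."""
    user: str
    client_ip: str
    success: bool
    second_factor: Optional[str]  # None when no MFA step was completed


def is_allow_listed(ip: str) -> bool:
    """True if the client address falls inside any trusted network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_NETWORKS)


def flag_risky_logins(logins: List[Login]) -> List[Login]:
    """Successful logins with no second factor from outside the allow list:
    exactly the access pattern a stolen password alone would produce."""
    return [
        entry for entry in logins
        if entry.success and entry.second_factor is None
        and not is_allow_listed(entry.client_ip)
    ]


def users_without_mfa(logins: List[Login]) -> Set[str]:
    """Every user who has logged in successfully with a password alone,
    regardless of source address; these are the accounts to enrol in MFA."""
    return {e.user for e in logins if e.success and e.second_factor is None}


# Constructed sample login records (addresses are documentation ranges).
SAMPLE_LOGINS = [
    Login("alice", "203.0.113.10", True, "PUSH"),   # MFA, trusted range
    Login("bob", "192.0.2.45", True, None),         # password only, untrusted
    Login("carol", "192.0.2.46", False, None),      # failed attempt
    Login("dave", "198.51.100.7", True, None),      # password only, trusted
    Login("bob", "192.0.2.45", True, None),         # repeat from same source
]

if __name__ == "__main__":
    for entry in flag_risky_logins(SAMPLE_LOGINS):
        print(f"RISKY: {entry.user} from {entry.client_ip}")
    print("users to enrol in MFA:", sorted(users_without_mfa(SAMPLE_LOGINS)))
```

Accounts flagged by the first function warrant immediate credential rotation; the second list is the broader MFA enrolment backlog even where the source address looked trusted.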

UNC5537 is a financially motivated threat actor not associated with any nation state. It operates mainly in North America and collaborates with others through Telegram channels and cybercrime forums. The group primarily connects to victim instances from Mullvad or Private Internet Access (PIA) VPN IP addresses. Stolen data is exfiltrated through VPS infrastructure from Alexhost in Moldova and stored on various other VPS providers and cloud storage services.

In conclusion, Mandiant stressed the importance of organizations tightening their security measures, particularly with contractors who may use personal devices to access systems, which can leave them vulnerable to attacks like those orchestrated by UNC5537.