Information on the Attacks on Snowflake's Customers
In a recent development, Snowflake, the cloud-based data warehousing platform, has disclosed attacks on its customers' databases [1]. According to Mandiant, the earliest evidence of unauthorized access to Snowflake customer instances dates to April 14 [4]. Mandiant first confirmed the link to Snowflake on May 14, when it learned that two of its incident response clients had lost data from their Snowflake tenants [2].
Mandiant had begun investigating data stolen from a then-unknown database on April 19 [3], and on May 22 it uncovered evidence of a broad campaign impacting additional Snowflake customers [6]. The earliest known instance of a cybercriminal offering allegedly stolen data from a Snowflake customer database for sale occurred on May 24 [7].
As of June 13, the financially motivated attacker that Mandiant tracks as UNC5537 was still actively extorting victims with data stolen from Snowflake customer environments [14]. The actor specifically targets Snowflake customer environments to steal data and conduct extortion.
UNC5537 gains access to Snowflake customer instances using stolen credentials, typically obtained through infostealer malware campaigns; the impacted customer accounts were not configured with multi-factor authentication [10]. Once inside an instance, the actor exfiltrates sensitive data and attempts to extort the victim for payment.
To defend against UNC5537, Snowflake recommends enforcing multi-factor authentication, regularly rotating credentials, and implementing network allow lists to prevent unauthorized access. Each measure cuts off part of the actor's tradecraft: a stolen password alone cannot satisfy MFA, rotation invalidates credentials an infostealer has already harvested, and an allow list blocks logins from the actor's infrastructure even when the credentials are valid. Snowflake's Chief Information Security Officer (CISO), Brad Jones, has communicated these measures to customers, including enabling multi-factor authentication and implementing network access policies [15].
Approximately 165 businesses are potentially exposed to the attacks [11], and at least 100 Snowflake customers are confirmed to have been impacted [12]. Notably, Pure Storage, a data storage vendor, is one of the confirmed impacted Snowflake customers [13].
On May 30, Snowflake provided indicators of compromise and additional recommended actions for companies to investigate potential threat activity within their Snowflake accounts [5]. Mandiant has also released a threat hunting guide to help Snowflake customers detect malicious activity on their database instances [9].
As the investigation continues, Snowflake is suspending user accounts that show strong indicators of malicious activity and blocking IP addresses associated with the threat [8]. Mandiant notified Snowflake and law enforcement agencies of the attacks on May 22.
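The controls Snowflake recommends (MFA, credential rotation, network allow lists) and the login-history hunting that Mandiant's guide describes can be exercised with one piece of logic. The following is an added example, not code from Snowflake, Mandiant or this page: it models records on the columns of Snowflake's ACCOUNT_USAGE.LOGIN_HISTORY view (EVENT_TIMESTAMP, USER_NAME, CLIENT_IP, REPORTED_CLIENT_TYPE, FIRST_AUTHENTICATION_FACTOR, SECOND_AUTHENTICATION_FACTOR, IS_SUCCESS), and the allow list, client-type baseline, indicator address, password-age data and every sample row are constructed assumptions.

```python
"""Triage Snowflake logins for UNC5537-style credential abuse.

Added example, not code from Snowflake or Mandiant. Records are constructed
and shaped like the columns of SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY; the
allow list, client baseline, IoC address and password ages are hypothetical.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Login:
    event_timestamp: datetime
    user_name: str
    client_ip: str
    reported_client_type: str
    first_authentication_factor: str             # e.g. PASSWORD, SAML2_ASSERTION
    second_authentication_factor: Optional[str]  # e.g. DUO_PUSH; None means no MFA
    is_success: bool


# Hypothetical corporate egress ranges: the network allow list the page recommends.
ALLOWED_NETWORKS = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]
# Hypothetical baseline of client types this tenant normally sees.
BASELINE_CLIENTS = {"SNOWFLAKE_UI", "JDBC_DRIVER", "PYTHON_DRIVER"}
# Stand-in for a vendor-supplied indicator list (documentation address, not a real IoC).
IOC_IPS = {"192.0.2.44"}
# Rotation window: a password older than this at login time is flagged as stale.
MAX_PASSWORD_AGE = timedelta(days=90)


def in_allow_list(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in ALLOWED_NETWORKS)


def hunt(logins: List[Login],
         password_last_set: Dict[str, datetime]) -> List[Tuple[Login, List[str]]]:
    """Return (login, reasons) for every successful login that trips a check."""
    findings = []
    for login in sorted(logins, key=lambda l: l.event_timestamp):
        if not login.is_success:
            continue  # failed attempts belong to a separate, volume-based hunt
        reasons = []
        if login.client_ip in IOC_IPS:
            reasons.append("ioc_ip")
        if not in_allow_list(login.client_ip):
            reasons.append("outside_allow_list")
        if (login.first_authentication_factor == "PASSWORD"
                and login.second_authentication_factor is None):
            reasons.append("password_without_mfa")
        if login.reported_client_type not in BASELINE_CLIENTS:
            reasons.append("unbaselined_client")
        last_set = password_last_set.get(login.user_name)
        if last_set is not None and login.event_timestamp - last_set > MAX_PASSWORD_AGE:
            reasons.append("stale_password")
        if reasons:
            findings.append((login, reasons))
    return findings


def severity(reasons: List[str]) -> str:
    """Known-bad infrastructure, or several weak signals together, is high."""
    if "ioc_ip" in reasons or len(reasons) >= 3:
        return "high"
    return "medium"


# Constructed sample data (not real tenant data).
T0 = datetime(2024, 5, 20, 9, 0)
PASSWORD_LAST_SET = {"alice": T0 - timedelta(days=30),
                     "svc_etl": T0 - timedelta(days=400)}
SAMPLE_LOGINS = [
    # normal interactive login: corporate IP, baseline client, password + Duo push
    Login(T0, "alice", "203.0.113.10", "SNOWFLAKE_UI", "PASSWORD", "DUO_PUSH", True),
    # password-only driver login from inside the allow list: MFA gap, not an IP problem
    Login(T0 + timedelta(hours=1), "alice", "203.0.113.10", "PYTHON_DRIVER",
          "PASSWORD", None, True),
    # service account, stale password, unknown tool, from the indicator address
    Login(T0 + timedelta(hours=2), "svc_etl", "192.0.2.44", "CUSTOM_TOOL",
          "PASSWORD", None, True),
    # failed attempt from outside: skipped by this hunt
    Login(T0 + timedelta(hours=3), "svc_etl", "198.18.0.7", "CUSTOM_TOOL",
          "PASSWORD", None, False),
    # SSO login: no second factor recorded, but the first factor is not a password
    Login(T0 + timedelta(hours=4), "bob", "203.0.113.20", "SNOWFLAKE_UI",
          "SAML2_ASSERTION", None, True),
]

if __name__ == "__main__":
    for login, reasons in hunt(SAMPLE_LOGINS, PASSWORD_LAST_SET):
        print(f"{severity(reasons):6} {login.user_name:8} {login.client_ip:15} "
              f"{login.reported_client_type:13} {', '.join(reasons)}")
```

In a real tenant the same five checks are written as SQL against the LOGIN_HISTORY view, joined to the USERS view for password age; the value of running them together is the second finding above: a password-only login from inside the allow list is exactly the case a network policy alone would never surface, and it is the configuration the impacted accounts had.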
This breach serves as a reminder for all businesses to prioritise cybersecurity measures, including the implementation of multi-factor authentication and regular credential rotation, to protect their sensitive data.
[1] Snowflake disclosed the attacks on customers' databases on May 30.
[2] Mandiant identified the first confirmed connection to Snowflake on May 14, when it learned two of its incident response clients had lost data from their Snowflake tenant.
[3] Mandiant began investigating data stolen from an unknown database on April 19.
[4] The earliest evidence of unauthorized access to Snowflake customer instances occurred on April 14, as reported by Mandiant.
[5] Snowflake provided indicators of compromise and additional recommended actions for companies to investigate potential threat activity within their Snowflake accounts on May 30.
[6] Mandiant uncovered evidence of a broad campaign impacting additional Snowflake customers on May 22.
[7] The earliest known instance of a cybercriminal posting allegedly stolen data from a Snowflake customer database for sale occurred on May 24.
[8] Snowflake is suspending certain user accounts with strong indicators of malicious activity and blocking IP addresses associated with the cyber threat.
[9] Mandiant released a threat hunting guide to help Snowflake customers detect malicious activity on database instances on Monday.
[10] Impacted customer accounts were not configured with multi-factor authentication.
[11] Approximately 165 businesses are potentially exposed to the attacks.
[12] At least 100 Snowflake customers are confirmed to have been impacted by the cyberattacks.
[13] Pure Storage, a data storage vendor, is one of the confirmed impacted Snowflake customers.
[14] As of June 13, the financially motivated attacker, which Mandiant refers to as UNC5537, was still actively extorting victims with data stolen from Snowflake customer environments.
[15] Snowflake CISO Brad Jones has communicated with customers about protecting themselves, including enabling multi-factor authentication and network access policies.
- Cybersecurity firm Mandiant first confirmed the link to Snowflake's cloud-based data warehousing platform on May 14; the earliest evidence of unauthorized access to customer instances dates to April 14.
- Mandiant uncovered evidence of a broad campaign impacting additional Snowflake customers on May 22, and revealed that the actor, UNC5537, gains access to Snowflake customer instances by using stolen credentials, typically obtained through infostealer malware campaigns.
- Snowflake's Chief Information Security Officer (CISO), Brad Jones, has communicated with customers about protecting themselves, recommending enforcing multi-factor authentication, regularly rotating credentials, and implementing network allow lists to prevent unauthorized access.
- UNC5537 specifically targets Snowflake customer environments to steal data and conduct extortion, and is still actively extorting victims with data stolen from Snowflake customer environments as of June 13.
- To address the threat, Snowflake provided indicators of compromise and additional recommended actions for companies to investigate potential threat activity within their Snowflake accounts on May 30, and is suspending certain user accounts with strong indicators of malicious activity and blocking IP addresses associated with the cyber threat.