165 organizations hacked: Snowflake case sets new digital records

Tomcat
The snow avalanche of compromises may surpass last year's incident with MOVEit Transfer.

The situation unfolding around Snowflake continues to rapidly gain momentum. Every day it becomes more and more reminiscent of last year's compromise of the MOVEit Transfer platform, organized by the extortionist group Clop. At that time, hundreds of organizations were victims of hackers, but Snowflake is not far behind, offering the Internet public a similar scale of digital disaster.

So, an unknown financially motivated criminal group, which Mandiant tracks under the code name UNC5537, stole a significant amount of data from the databases of Snowflake customers using stolen credentials.

According to experts, only 165 potentially affected organizations have been notified so far, while in fact there may be many more of them. UNC5537 criminals may reportedly have links to the Scattered Spider group, known for hacking Las Vegas hotels and casinos last year.

During the investigation of the incident, Mandiant and Snowflake revealed that the data leaks occurred due to the compromise of customer credentials. The Snowflake corporate environment itself was not hacked.

The first attack on the Snowflake client was recorded on April 14. During the investigation, it turned out that UNC5537 used legitimate credentials stolen earlier using malware to get into the victim's systems and steal data. The victim did not have multi-factor authentication enabled.

About a month later, after discovering several customer compromises, Mandiant and Snowflake began notifying affected organizations. Already on May 24, criminals began selling stolen data on the Internet, and on May 30, Snowflake issued a statement on this issue.

Criminals used both .NET and Java versions of the utility known as "FROSTBITE" to conduct intelligence on the systems of Snowflake clients, identifying users, their roles and IP addresses. The DBeaver Ultimate utility was also used to perform database queries.

Some compromises occurred on contractors' devices that were used for both work and personal purposes. These devices posed a significant risk, as a single malware infection could give attackers access to several organizations at once.

All successful attacks had three things in common: no configured multi-factor authentication, use of valid stolen credentials, and no network whitelists.
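The three shared factors above (no MFA, valid stolen credentials, no network allowlist) are exactly what a defender can hunt for in a data warehouse's login history. The following is an added example and not part of the original post or of Mandiant's or Snowflake's tooling: it triages a handful of constructed login records whose field names mirror, as an assumption about the log source, the columns of Snowflake's ACCOUNT_USAGE.LOGIN_HISTORY view (user name, client IP, first and second authentication factor, reported client type, success flag). The allowlist ranges, user names and client-type strings are all invented for the example.

```python
"""Flag successful logins that match the UNC5537 pattern described in the
post: password-only authentication (no second factor) and/or a source IP
outside the organisation's network allowlist.

Added example, not code from the original post. Field names are an
assumption modelled on Snowflake's LOGIN_HISTORY columns; all records and
IP ranges below are constructed sample data.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple

# Constructed allowlist: the ranges a network policy would normally permit.
ALLOWLIST = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]


@dataclass
class LoginEvent:
    user: str
    client_ip: str
    first_factor: str              # e.g. PASSWORD, RSA_KEYPAIR, SAML2
    second_factor: Optional[str]   # e.g. DUO_PUSH; None when no MFA was used
    client_type: str               # e.g. SNOWFLAKE_UI, JDBC_DRIVER (assumed labels)
    success: bool


def ip_allowed(ip: str) -> bool:
    """True when the client IP falls inside one of the allowlisted ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in ALLOWLIST)


def assess(event: LoginEvent) -> List[str]:
    """Return the findings for one event; an empty list means nothing notable.

    Only successful logins are assessed: a failed attempt never gave the
    attacker a session, so it is tracked separately from compromises.
    """
    findings: List[str] = []
    if not event.success:
        return findings
    if event.first_factor == "PASSWORD" and event.second_factor is None:
        findings.append("password-only login without MFA")
    if not ip_allowed(event.client_ip):
        findings.append(f"source IP {event.client_ip} is outside the network allowlist")
    return findings


def triage(events: List[LoginEvent]) -> List[Tuple[LoginEvent, List[str]]]:
    """Return (event, findings) pairs for every event that raised a finding."""
    flagged = []
    for ev in events:
        findings = assess(ev)
        if findings:
            flagged.append((ev, findings))
    return flagged


def users_without_mfa(events: List[LoginEvent]) -> Set[str]:
    """Users who completed a password-only login: the first remediation list."""
    return {ev.user for ev in events
            if ev.success and ev.first_factor == "PASSWORD" and ev.second_factor is None}


# Constructed sample records (not real log data).
SAMPLE_EVENTS = [
    LoginEvent("alice", "203.0.113.10", "SAML2", "DUO_PUSH", "SNOWFLAKE_UI", True),
    LoginEvent("svc_etl", "198.51.100.5", "RSA_KEYPAIR", None, "JDBC_DRIVER", True),
    LoginEvent("contractor_bob", "192.0.2.77", "PASSWORD", None, "JDBC_DRIVER", True),
    LoginEvent("contractor_bob", "192.0.2.77", "PASSWORD", None, "JDBC_DRIVER", False),
    LoginEvent("carol", "192.0.2.9", "PASSWORD", "DUO_PUSH", "SNOWFLAKE_UI", True),
]

if __name__ == "__main__":
    for ev, findings in triage(SAMPLE_EVENTS):
        print(f"{ev.user:15} {ev.client_ip:14} {ev.client_type:13} -> {'; '.join(findings)}")
    print("users to enrol in MFA:", sorted(users_without_mfa(SAMPLE_EVENTS)))
```

The key-pair service account is deliberately left unflagged: it has no second factor but is not using a password, so a stolen password from an infostealer log would not work against it; whether such accounts also need a network policy is a separate decision. The contractor's password-only login from an address outside the allowlist is the case the post describes, and it raises both findings at once.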

Separately, it is worth noting the cases with Ticketmaster and Santander Bank. Initially, it was assumed that their massive data leaks were related to the Snowflake hack, but this was later refuted. Ultimately, Snowflake claimed that the accounts of these customers were hacked, also due to the use of one-factor authentication.

Later, the American financial company LendingTree confirmed that its subsidiary QuoteWizard, specializing in insurance, suffered as a result of hacking. According to the representative of LendingTree, the investigation is ongoing, and so far no leaks of financial information of customers or data of LendingTree itself have been revealed.

After a while, Pure Storage, which specializes in the development and production of flash-based storage solutions, also announced the hacking. The company also confirmed that it was affected by the hacking of Snowflake accounts. In a published message, the company assured that client data was not compromised, and that the hack concerned only one Snowflake workspace.

According to Mandiant, the UNC5537 cybercrime group used credentials stolen by malware starting in 2020. About 80% of all affected organizations used previously compromised credentials.

Hudson Rock was the first to draw attention to a series of hacks of Snowflake clients. However, their report was quickly removed after the intervention of Snowflake's lawyers, who disputed the allegations that the Snowflake employee's account was hacked. However, perhaps if it weren't for Snowflake's tenacity and integrity, more companies would now be aware of the scale of the problem and take action to protect themselves more quickly.

In the future, we will hear more than once about how a particular company confirms the compromise of its systems related to the Snowflake platform. The same situation with MOVEit Transfer was still present even a year after the attack.