Information on the Snowflake customer attacks

Companies face growing exposure to identity-based attacks, and the consequences are escalating

Details on the Snowflake Customer Attacks: Facts Revealed

Snowflake Data Breach: UNC5537 Continues to Extort Victims

On May 30, Snowflake, a leading cloud-based data warehousing platform, issued indicators of compromise and recommended actions for companies to investigate potential threat activity within their Snowflake accounts. Approximately 165 businesses are potentially exposed to the attacks.

The attacks, which were first detected by cybersecurity firm Mandiant on April 14, were not caused by a vulnerability, misconfiguration, or breach of Snowflake's systems. Instead, stolen credentials obtained from multiple infostealer malware infections on non-Snowflake owned systems were the point of entry for the attacks.

Snowflake is taking several measures to protect its customers. The company is suspending user accounts that show strong indicators of malicious activity and blocking IP addresses associated with the threat. Mandiant, which is working with Snowflake and law enforcement agencies, notified Snowflake of the attacks on May 22.

In response to the breach, Snowflake's Chief Information Security Officer (CISO), Brad Jones, has been communicating with customers about how to protect themselves. The guidance includes enabling multifactor authentication and implementing network access policies that restrict which IP addresses may log in.
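The two controls named in that guidance, expressed as Snowflake SQL. This is an added example, not code from the article, from Snowflake, or from Mandiant; the policy names, IP ranges and the `svc_etl` user are constructed placeholders. The first query lists users a stolen password alone would unlock; the rest replaces the weak default (no network policy, so any internet address may attempt a login) with an account-level allow list and a narrower per-user policy for a service identity.

```sql
-- Added example (not from the article, Snowflake or Mandiant). Policy names,
-- IP ranges and user names below are constructed placeholders.

-- 1. Users who can authenticate with a password alone: no Duo MFA enrolled and
--    no key-pair credential. These are the accounts an infostealer-harvested
--    password opens outright.
SELECT name, login_name, last_success_login
FROM   snowflake.account_usage.users
WHERE  deleted_on IS NULL
  AND  disabled = FALSE
  AND  has_password = TRUE
  AND  ext_authn_duo = FALSE
  AND  has_rsa_public_key = FALSE
ORDER  BY last_success_login DESC;

-- 2. Weak setting: no network policy at all (the default), so a login attempt
--    from any IP is evaluated on the password alone.
--    Corrected setting: an account-wide allow list of corporate egress ranges.
CREATE NETWORK POLICY corp_egress_only
  ALLOWED_IP_LIST = ('203.0.113.0/24', '198.51.100.10');  -- constructed ranges
ALTER ACCOUNT SET NETWORK_POLICY = corp_egress_only;

-- 3. A service identity gets its own, tighter policy: only the host that
--    actually runs the job. User-level policies take precedence over the
--    account-level one for that user.
CREATE NETWORK POLICY etl_runner_only
  ALLOWED_IP_LIST = ('198.51.100.10');                     -- constructed host
ALTER USER svc_etl SET NETWORK_POLICY = etl_runner_only;   -- svc_etl is hypothetical

-- 4. Confirm the account-level policy is in force.
SHOW PARAMETERS LIKE 'NETWORK_POLICY' IN ACCOUNT;
```

Snowflake refuses to activate an account-level policy whose allow list does not include the IP address of the session issuing the `ALTER ACCOUNT`, which is the safeguard against locking out the administrator; run the change from an address on the list. The `ACCOUNT_USAGE` views lag live data by up to a couple of hours, so the user inventory in step 1 is a periodic audit rather than a real-time check.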

As of June 13, the financially-motivated attacker, which Mandiant refers to as UNC5537, was still actively extorting victims with data stolen from Snowflake customer environments. The earliest known instance of a cybercriminal posting allegedly stolen data from a Snowflake customer database for sale occurred on May 24.

Pure Storage, a data storage vendor, is one of the confirmed impacted Snowflake customers. At least 100 Snowflake customers are confirmed to have been affected by the cyberattacks. It's important to note that impacted customer accounts were not configured with multifactor authentication.

To help Snowflake customers detect malicious activity in their database instances, Mandiant released a threat hunting guide on May 30. The guide gives businesses concrete queries and indicators for securing their Snowflake accounts and protecting their data.
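A hunt of the kind such a guide supports, written here as an added example rather than taken from the article or from Mandiant's guide: it searches the `LOGIN_HISTORY` view for the access pattern behind this campaign, successful logins that presented a password and no second factor, and summarises them per user and source IP so that an unfamiliar address stands out. The 30-day window and the excluded corporate ranges are constructed assumptions.

```sql
-- Added example (not from the article or from Mandiant's guide). The time
-- window and the excluded IP ranges are constructed placeholders.
WITH pw_only AS (
  SELECT event_timestamp,
         user_name,
         client_ip,
         reported_client_type,
         reported_client_version
  FROM   snowflake.account_usage.login_history
  WHERE  event_timestamp >= DATEADD('day', -30, CURRENT_TIMESTAMP())
    AND  is_success = 'YES'                      -- text column: 'YES' / 'NO'
    AND  first_authentication_factor = 'PASSWORD'
    AND  second_authentication_factor IS NULL    -- no MFA presented
)
SELECT user_name,
       client_ip,
       MIN(event_timestamp)                     AS first_seen,
       MAX(event_timestamp)                     AS last_seen,
       COUNT(*)                                 AS logins,
       ARRAY_AGG(DISTINCT reported_client_type) AS client_types
FROM   pw_only
-- Drop the ranges you expect password logins from (constructed corporate
-- ranges); whatever remains is worth a look, starting with addresses that
-- appear for the first time.
WHERE  NOT (client_ip LIKE '203.0.113.%' OR client_ip = '198.51.100.10')
GROUP  BY user_name, client_ip
ORDER  BY last_seen DESC;
```

`ACCOUNT_USAGE.LOGIN_HISTORY` retains a year of events but is delayed by up to about two hours; for the most recent activity during an active investigation, the `INFORMATION_SCHEMA.LOGIN_HISTORY()` table function returns the last seven days with much lower latency and accepts the same predicates. Each row this query returns is a credential that should be rotated and an account that should have MFA enforced, whether or not the login turns out to be malicious.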

For the most current and detailed information about UNC5537's activities, it's recommended to consult recent security advisories from Snowflake, cybersecurity firms like Mandiant or CrowdStrike, or threat intelligence reports which regularly track groups like UNC5537.

  1. The malware used in the Snowflake Data Breach was an infostealer, which harvested credentials from non-Snowflake owned systems.
  2. The Snowflake Data Breach was not caused by a vulnerability or breach of Snowflake's systems, but rather through stolen credentials obtained from infostealer malware.
  3. In the incident response to the Snowflake Data Breach, Snowflake is suspending user accounts with indicators of malicious activity and blocking IP addresses associated with the cyber threat.
  4. Snowflake's Chief Information Security Officer (CISO), Brad Jones, has been communicating with customers about protecting themselves against cyber threats, including enabling multifactor authentication and implementing network access policies.
  5. The ransomware group UNC5537, responsible for the Snowflake Data Breach, is still actively extorting victims as of June 13.
  6. The Snowflake Data Breach serves as a reminder of the importance of privacy and cybersecurity measures, particularly for data and cloud computing, and of the need for businesses to stay informed about technology-related news and law enforcement developments.
