
Mandiant has assessed that at least 165 organizations were targeted by a recent hacking campaign against Snowflake customers.
Mandiant tracks the cybercrime group behind the campaign as UNC5537. The threat actors breached the Snowflake environments not by exploiting a security flaw in the cloud data platform, but by using login credentials stolen from customers.
In April, Mandiant researchers obtained threat intelligence about stolen database records, which were later traced to an unnamed organization’s Snowflake environment. Mandiant shared its findings with the organization in question, which subsequently hired Mandiant to investigate further.
In May, Mandiant discovered that several other Snowflake customers had been breached as well. Mandiant notified Snowflake, and the two companies began alerting impacted users. The cloud data platform provider officially disclosed the hacking campaign on May 30.
According to Mandiant, most of the login credentials that UNC5537 used to access Snowflake environments were stolen via “historical infostealer” cyberattacks. Some of those cyberattacks date back as far as 2020.
Mandiant identified three main reasons the hackers managed to access the targeted Snowflake environments:
- Credentials were not refreshed
- MFA was not enabled
- No network allow list was implemented
According to Mandiant and Snowflake’s analysis, at least 79.7% of the accounts leveraged by the threat actor in this campaign had prior credential exposure.
On Friday, Snowflake issued a statement saying that it’s “developing a plan” for ensuring customers enable multifactor authentication. Additionally, the company has released technical guidance on how organizations can protect their deployments of its platform against hacking attempts.
The affected customers:
- Ticketmaster
- Santander
- Advance Auto Parts