Hackers steal “significant volume” of data from hundreds of Snowflake customers


Getty Photos

As many as 165 clients of cloud storage supplier Snowflake have been compromised by a bunch that obtained login credentials by way of information-stealing malware, researchers mentioned Monday.

On Friday, Lending Tree subsidiary QuoteWizard confirmed it was among the many clients notified by Snowflake that it was affected within the incident. Lending Tree spokesperson Megan Greuling mentioned the corporate is within the technique of figuring out whether or not knowledge saved on Snowflake has been stolen.

“That investigation is ongoing,” she wrote in an electronic mail. “As of this time, it doesn’t seem that shopper monetary account data was impacted, nor data of the guardian entity, Lending Tree.”

Researchers from Mandiant, a Google-owned safety agency Snowflake retained to analyze the mass compromise, mentioned Monday that the businesses have thus far recognized 165 clients whose knowledge could have been stolen within the spree. Stay Nation confirmed 10 days in the past that knowledge its TicketMaster group saved on Snowflake had been stolen following a posting providing the sale of the total names, addresses, cellphone numbers, and partial bank card numbers for 560 million Ticketmaster clients.

Santander, Spain’s greatest financial institution, mentioned just lately that knowledge belonging to a few of its clients has additionally been stolen. The identical group promoting the Ticketmaster knowledge supplied the sale of Santander knowledge. Researchers from safety agency Hudson Rock mentioned that stolen knowledge was additionally saved on Snowflake. Santander has neither confirmed nor denied the declare.

Mandiant’s Monday post mentioned that every one the compromises it has tracked thus far had been the results of login credentials for Snowflake accounts being stolen by infostealer malware and saved in huge logs, generally for years at a time. Not one of the affected accounts made use of multifactor authentication, which requires customers to supply a one-time password or further technique of authentication in addition to a password.

The group finishing up the assaults is financially motivated, with members principally positioned in North America. Mandiant is monitoring it as UNC5537. Firm researchers wrote:

Based mostly on our investigations so far, UNC5537 obtained entry to a number of organizations’ Snowflake buyer cases through stolen buyer credentials. These credentials had been primarily obtained from a number of infostealer malware campaigns that contaminated non-Snowflake owned techniques. This allowed the menace actor to achieve entry to the affected buyer accounts and led to the export of a major quantity of buyer knowledge from the respective Snowflake buyer cases. The menace actor has subsequently begun to extort lots of the victims immediately and is actively trying to promote the stolen buyer knowledge on acknowledged cybercriminal boards.

Mandiant recognized that almost all of the credentials utilized by UNC5537 had been out there from historic infostealer infections, a few of which dated way back to 2020.

The menace marketing campaign carried out by UNC5537 has resulted in quite a few profitable compromises because of three major elements:

  1. The impacted accounts weren’t configured with multi-factor authentication enabled, that means profitable authentication solely required a sound username and password.
  2. Credentials recognized in infostealer malware output had been nonetheless legitimate, in some instances years after they had been stolen, and had not been rotated or up to date.
  3. The impacted Snowflake buyer cases didn’t have community permit lists in place to solely permit entry from trusted places.
Attack Path UNC5537 has used in attacks against as many as 165 Snowflake customers.
Enlarge / Assault Path UNC5537 has utilized in assaults in opposition to as many as 165 Snowflake clients.


Preliminary entry to affected Snowflake accounts typically occurred with using the corporate’s native SnowSight or SnowSQL, that are a web-based consumer interface and a command-line interface respectively. The menace actors additionally used a customized utility that reveals up as “rapeflake” in logs and that Mandiant tracks as FrostBite.

Source link