June 10, 2024 at 11:32PM
A financially motivated crime crew tracked as UNC5537 has stolen a substantial amount of data from Snowflake customers using stolen credentials. The crew may have ties to "Scattered Spider" and has targeted multiple organizations, in part by compromising contractor systems. The theft was enabled by the absence of multi-factor authentication and the use of old, unrotated credentials.
UNC5537 targeted Snowflake customers' databases with stolen credentials. Mandiant has notified approximately 165 potentially exposed organizations and is investigating possible ties between UNC5537 and another notorious gang, UNC3944 (the group publicly known as Scattered Spider). The breaches were determined to be the result of compromised customer credentials, not a breach of Snowflake's own enterprise environment.
The attackers gained initial access with legitimate credentials harvested by infostealer malware, then took advantage of two missing controls: the affected accounts had no multi-factor authentication and no network allow-lists (network policies) restricting where logins could originate from.
Mandiant confirmed that the compromised accounts had no network allow-lists in place and urged Snowflake customers to enforce multi-factor authentication, restrict access with network policies, and rotate credentials regularly to prevent similar incidents.
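The three controls Mandiant recommends, expressed as Snowflake SQL, plus two queries for auditing the gaps the attackers exploited. This is an added example, not part of the original post or Mandiant's advisory; the policy names and the CIDR range are placeholders, and the queries assume a role with access to the SNOWFLAKE.ACCOUNT_USAGE schema.

```sql
-- 1. Network allow-list: only let logins originate from known ranges.
--    The CIDR below is a constructed placeholder; use your own egress ranges.
CREATE NETWORK POLICY corp_only_policy
  ALLOWED_IP_LIST = ('203.0.113.0/24');
ALTER ACCOUNT SET NETWORK_POLICY = corp_only_policy;

-- 2. Require MFA enrollment for every password login, account-wide.
CREATE AUTHENTICATION POLICY require_mfa_policy
  MFA_ENROLLMENT = REQUIRED
  COMMENT = 'Enforce MFA for all human password logins';
ALTER ACCOUNT SET AUTHENTICATION POLICY require_mfa_policy;

-- 3. Credential hygiene: rotate or retire password-based accounts whose
--    password has not been changed in 90 days (the "old, unrenewed
--    credentials" pattern described above).
SELECT name, login_name, password_last_set_time, last_success_login
FROM snowflake.account_usage.users
WHERE deleted_on IS NULL
  AND disabled = FALSE
  AND has_password = TRUE
  AND password_last_set_time < DATEADD(day, -90, CURRENT_TIMESTAMP())
ORDER BY password_last_set_time;

-- Detection: successful logins in the last 7 days that completed with a
-- single factor only. Every row here is an account that a stolen password
-- alone would unlock; expect this to drain to zero once policy 2 is enforced.
SELECT event_timestamp, user_name, client_ip,
       reported_client_type, first_authentication_factor
FROM snowflake.account_usage.login_history
WHERE is_success = 'YES'
  AND second_authentication_factor IS NULL
  AND event_timestamp > DATEADD(day, -7, CURRENT_TIMESTAMP())
ORDER BY event_timestamp DESC;
```

The ACCOUNT_USAGE views lag live activity by up to a few hours, so use them for periodic audits rather than real-time alerting.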