Customers of IT services provider Snowflake are being targeted for attacks using stolen credentials.

Mandiant, a security company owned by Google, reported on June 10 that customer instances on the Snowflake cloud are being targeted for attacks using leaked login credentials.

Mandiant noted that the attacks are currently focused solely on customer accounts and not on the Snowflake service itself. Snowflake offers several hosted cloud and data management services.

The security firm did not name any specific cybercrime group as the perpetrator, but it tracks the attacks under the designation UNC5537.

“Mandiant tracks this cluster of activity as UNC5537, a financially motivated threat actor suspected of stealing large amounts of records from Snowflake’s customer environments,” Mandiant wrote.

“UNC5537 is systematically compromising Snowflake customer instances, using stolen customer credentials, advertising victim data for sale on cybercrime forums, and attempting to extort multiple victims.”

The Mandiant team linked these attacks to the recently reported Snowflake breach attributed to the hacking crew ShinyHunters.

The hackers claim to have millions of credentials, though Snowflake says the breached system was a test environment used by a former employee.

As a result of the attack, Ticketmaster and Santander Bank notified customers of a data breach.

The UNC5537 activity dates back to at least 2020, and Mandiant estimates that at least 165 organizations are at risk of attack.

It is believed that the attackers are using information-stealing malware to harvest user login credentials. Those stolen accounts are then used to access the victims’ Snowflake instances and exfiltrate further data, which is either sold on the dark web or used to extort the victims for ransom.

Mandiant advised Snowflake users to implement two-factor authentication on their instances, noting that all of the breaches it has seen involved accounts that had not enabled the feature.
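The two points above, password-only logins driven by stolen credentials and the recommendation to require a second factor, translate into two administrative checks an account owner can run in Snowflake itself. The SQL below is an added example written for this article, not code from Mandiant or Snowflake: the first query reads the account's own login history to surface successful password-only sign-ins with no second factor (the exposure the article describes), and the second enforces MFA enrollment through an authentication policy. The `LOGIN_HISTORY` view and its columns are standard Snowflake `ACCOUNT_USAGE` objects; the policy name `require_mfa` and the 30-day window are chosen here, and the `MFA_ENROLLMENT` policy parameter should be checked against the current Snowflake documentation for your edition before use.

```sql
-- 1. Detection: successful logins in the last 30 days that used a
--    password as the only authentication factor. These are the accounts
--    that a leaked password alone would unlock.
--    (Requires a role with access to SNOWFLAKE.ACCOUNT_USAGE; the view
--    lags live activity by a couple of hours.)
SELECT
    user_name,
    COUNT(*)                                   AS password_only_logins,
    COUNT(DISTINCT client_ip)                  AS distinct_source_ips,
    MIN(event_timestamp)                       AS first_seen,
    MAX(event_timestamp)                       AS last_seen,
    LISTAGG(DISTINCT reported_client_type, ',') AS client_types
FROM snowflake.account_usage.login_history
WHERE is_success = 'YES'
  AND first_authentication_factor = 'PASSWORD'
  AND second_authentication_factor IS NULL
  AND event_timestamp >= DATEADD('day', -30, CURRENT_TIMESTAMP())
GROUP BY user_name
ORDER BY distinct_source_ips DESC, password_only_logins DESC;

-- 2. Mitigation: require every user to enrol in MFA, then bind the policy
--    account-wide so it applies to existing users as well as new ones.
--    Policy name is an example value chosen for this illustration.
CREATE AUTHENTICATION POLICY IF NOT EXISTS require_mfa
    MFA_ENROLLMENT = REQUIRED
    COMMENT = 'Require MFA enrollment for all users (added example)';

ALTER ACCOUNT SET AUTHENTICATION POLICY require_mfa;

-- 3. Follow-up check: list users who still report no MFA enrolment so the
--    rollout can be tracked (column names are those returned by SHOW USERS).
SHOW USERS;
SELECT "name", "disabled", "ext_authn_duo", "last_success_login"
FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
WHERE "ext_authn_duo" = 'false'
  AND "disabled" = 'false';
```

Reading the first result set, a user with many password-only logins from many distinct source addresses is the pattern to investigate first, since credentials harvested by an infostealer are typically replayed from infrastructure the legitimate user never touches. The third query is a convenience for tracking enrolment after the policy is in place; the policy itself is what closes the gap.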
