June 11, 2024 | Newsroom | Data Theft / Cloud Security


About 165 Snowflake users are said to have had their information potentially exposed as part of an ongoing campaign designed to facilitate data theft and extortion, indicating that the operation has wider implications than previously thought.

Google-owned Mandiant, which is helping the cloud data warehouse platform with its incident response efforts, is tracking the as-yet-unclassified activity cluster as UNC5537, describing it as a financially motivated threat actor.

“UNC5537 is systematically compromising Snowflake customer instances using stolen customer credentials, advertising victim data for sale on cybercrime forums, and trying to extort multiple victims,” the threat intelligence firm said on Monday.

“UNC5537 has targeted hundreds of organizations worldwide, and often extorts victims for financial gain. UNC5537 operates under various aliases on Telegram channels and cybercrime forums.”

There is evidence that the hacking group consists of members based in North America. It is also believed to cooperate with at least one additional party based in Turkey.


This is the first time that the number of affected users has been officially disclosed. Earlier, Snowflake noted that a “limited number” of its customers were affected by the incident. The company has more than 9,820 global users.

The campaign, as described earlier by Snowflake, originates from compromised customer credentials purchased from cybercrime forums or obtained by information-stealing malware such as Lumma, MetaStealer, Raccoon, RedLine, RisePro, and more. It is believed to have started on April 14, 2024.

In several instances, stealer malware infections have been detected on contractor systems that were also used for personal activities, such as gaming and downloading pirated software, the latter of which is a tested conduit for distributing stealers.


Unauthorized access to customer instances has been found to pave the way for a reconnaissance utility called FROSTBITE (aka “rapeflake”) that is used to run SQL queries and gather information about users, current roles, current IPs, session IDs, and organization names.

While Mandiant said it was unable to obtain a full sample of FROSTBITE, the company also highlighted the threat actor’s use of a legitimate utility, DBeaver Ultimate, to connect to and run SQL queries in Snowflake instances. The final stage of the attack involves the adversary running commands to stage and exfiltrate data.

Snowflake, in an updated advisory, said it is working with its customers to tighten their security measures. It also said it was developing a plan that would require them to implement more advanced security controls, such as multi-factor authentication (MFA) or network policies.

Mandiant points out that the attacks have been highly successful for three main reasons: lack of multi-factor authentication (MFA), not rotating credentials periodically, and missing checks to ensure access is only from trusted locations.
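As an added example (not from the article, Mandiant, or Snowflake), an administrator could audit those three gaps in their own account with queries like the following. The 90-day window is an assumption, and `EXT_AUTHN_DUO` only reflects Snowflake's built-in Duo MFA, so users whose MFA is enforced at an external identity provider need to be checked there.

```sql
-- Added example; the 90-day window is an assumption, tune it to local policy.
-- Requires a role that can read the SNOWFLAKE.ACCOUNT_USAGE views.

-- 1. MFA and rotation: users who can log in with a password but have no
--    Duo MFA enrollment, listed with the age of that password.
SELECT name,
       last_success_login,
       password_last_set_time,
       DATEDIFF('day', password_last_set_time, CURRENT_TIMESTAMP()) AS password_age_days
FROM snowflake.account_usage.users
WHERE deleted_on IS NULL
  AND has_password = TRUE
  AND COALESCE(ext_authn_duo, FALSE) = FALSE
ORDER BY password_age_days DESC NULLS FIRST;

-- 2. Trusted locations: successful password-only logins grouped by user,
--    source IP and client type, so unfamiliar sources stand out.
SELECT user_name,
       client_ip,
       reported_client_type,
       COUNT(*)             AS logins,
       MIN(event_timestamp) AS first_seen,
       MAX(event_timestamp) AS last_seen
FROM snowflake.account_usage.login_history
WHERE is_success = 'YES'
  AND first_authentication_factor = 'PASSWORD'
  AND second_authentication_factor IS NULL
  AND event_timestamp >= DATEADD('day', -90, CURRENT_TIMESTAMP())
GROUP BY user_name, client_ip, reported_client_type
ORDER BY first_seen DESC;

-- 3. Network policy: an empty value here means no account-level
--    IP allow list is being enforced.
SHOW PARAMETERS LIKE 'NETWORK_POLICY' IN ACCOUNT;
```

The `ACCOUNT_USAGE` views lag live activity, so very recent logins may not appear yet.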

“The earliest infostealer infection linked to credentials leveraged by a malicious actor dates back to November 2020,” Mandiant said, adding that it identified “hundreds of customer Snowflake credentials exposed by infostealers since 2020.”

“This campaign highlights the consequences of the large amount of credentials circulating on the infostealer marketplace and may be representative of a specific focus by threat actors on similar SaaS platforms.”

The findings serve to underscore the growing market demand for information stealers and the widespread threat they pose to organizations, resulting in the regular emergence of new stealer variants such as Resident burglar, Cuckoo, Iluria, k1w1, SamsStealer, and Seidr, which are offered for sale to other criminal actors.

“In February, Sultan, who is behind the Vidar malware, shared a photo showing the Lumma and Raccoon hackers, together, in a battle against an antivirus solution,” Cyfirma said in a recent analysis. “This suggests cooperation among threat actors, as they join forces and share infrastructure to achieve their objectives.”
