UNC5537: Snowflake Database Threat Campaign

A security threat has emerged targeting Snowflake database customers, attributed to a threat actor designated as UNC5537. Financially motivated attackers are targeting Snowflake users with stolen credentials. Learn how to protect your data with MFA and strong security practices.


Snowflake's market share makes the threat significant: approximately 24,969 companies use Snowflake globally, making it a market leader in cloud database management systems. Notably, the campaign has affected a diverse range of organizations across industries, including software development, financial services and IT consulting, all of them Snowflake customers.

This campaign has raised alarms because the attackers needed no Snowflake vulnerability: they reused stolen credentials at scale against customer instances, leading to data theft and extortion across various organizations.

Deeproot Technologies, as a Snowflake partner, provides below an analysis of the threat actor's reputation, the tactics employed, relevant MITRE ATT&CK mappings and insights into the ongoing campaign.

Threat Actor Reputation

UNC5537 is characterized as a financially motivated threat actor primarily engaging in data theft and extortion activities. The group has been linked to the use of infostealer malware which facilitates the acquisition of user credentials from compromised systems.

These credentials are often sourced from historical breaches or malware infections dating back several years, demonstrating the long-term implications of credential exposure[1][5].

The threat actor operates under a veil of anonymity, utilizing commercial VPN services to mask their origins.

Reports indicate that UNC5537 has targeted approximately 165 organizations globally, with the earliest evidence of activity traced back to mid-April 2024.

Their tactics include posting stolen data for sale on cybercriminal forums, thereby applying pressure on victims to comply with extortion demands[1][2][5].

Attack Methodology

The attacks executed by UNC5537 have primarily exploited environments lacking multi-factor authentication (MFA). The following key factors have contributed to the success of their campaign:

  1. Absence of MFA: Many compromised accounts did not have MFA enabled, so a valid username and password alone was sufficient to log in[4][5].
  2. Absence of password lifecycle management: Credentials obtained through infostealer malware remained unchanged for extended periods, some dating back to 2020, so they were still valid when the attackers used them[4][5].
  3. Lack of network controls: Without network policies (IP allow lists) on the Snowflake accounts, logins were accepted from any location, including the commercial VPN exit nodes the attackers used[4].

The attackers employed a custom tool they referred to as "rapeflake" (tracked by Mandiant as FROSTBITE), which performs reconnaissance within a Snowflake environment by executing SQL queries to enumerate users, roles and other account details[5]. They also used the legitimate DBeaver Ultimate client to run queries and retrieve data.

MITRE ATT&CK Mapping

The tactics used by UNC5537 can be mapped to several techniques within the MITRE ATT&CK framework:

  • Valid Accounts (T1078, Cloud Accounts T1078.004): Initial access using valid Snowflake credentials obtained through credential theft.
  • Credentials from Password Stores (T1555, Credentials from Web Browsers T1555.003): Harvesting of saved credentials by infostealer malware on victims' endpoints. (T1003, OS Credential Dumping, is sometimes cited here, but infostealers primarily read browser and application credential stores rather than dumping OS secrets.)
  • Data from Information Repositories (T1213): Querying and staging data with legitimate SQL clients such as DBeaver Ultimate and the custom "rapeflake" tool. This is not exploitation (T1203); no client-side vulnerability was involved.
  • Exfiltration Over Web Service (T1567): Staging and exfiltrating data from compromised environments over the normal Snowflake service connection rather than a separate command-and-control channel.

These mappings illustrate how UNC5537 aligns with established attack patterns recognized in cybersecurity frameworks, underscoring the importance of robust security measures.

Mitigation Strategies

In response to this ongoing threat campaign, Snowflake has issued several recommendations aimed at bolstering customer security:

  • Implement Multi-Factor Authentication (MFA): Enforcing MFA across all accounts is crucial in mitigating unauthorized access risks.
  • Regular Credential Rotation: Organizations should establish policies for periodic credential updates to reduce the window of opportunity for attackers.
  • Network Policies: Restricting logins to trusted IP ranges with Snowflake network policies (allow lists) denies access from VPN exit nodes and other untrusted locations even when a password has leaked.
  • Monitoring and Logging: Regular reviews of access logs can help identify unusual activities indicative of compromise.

Snowflake has also provided indicators of compromise (IoCs) and investigative queries to assist customers in identifying potential threats[1][2][4].
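The hardening steps above and the kind of investigative queries Snowflake refers to can be expressed as SQL against the account itself. The following is an added example written for this article, not Snowflake's published query pack or Deeproot's own tooling. The policy names (corp_only, require_mfa), the 203.0.113.0/24 allow-list range (an RFC 5737 documentation range) and the 90-day look-back are assumptions; the client-name patterns come from the tool names mentioned above. It reads the SNOWFLAKE.ACCOUNT_USAGE views, which lag live activity by up to a few hours and retain one year of history, and needs a role that can query them (for example ACCOUNTADMIN).

```sql
-- 1. Network policy: accept connections only from the corporate egress range.
--    203.0.113.0/24 is a constructed placeholder; substitute your own ranges.
--    Snowflake rejects an account-level policy that would lock out the IP you
--    are currently connected from, but test the policy on one user first.
CREATE OR REPLACE NETWORK POLICY corp_only
  ALLOWED_IP_LIST = ('203.0.113.0/24')
  COMMENT = 'Allow list for human and service logins';
ALTER ACCOUNT SET NETWORK_POLICY = corp_only;

-- 2. Authentication policy: require MFA enrollment for password logins from the
--    web UI, drivers and SnowSQL (policy name is an assumption).
CREATE OR REPLACE AUTHENTICATION POLICY require_mfa
  AUTHENTICATION_METHODS     = ('PASSWORD', 'SAML')
  MFA_AUTHENTICATION_METHODS = ('PASSWORD')
  MFA_ENROLLMENT             = REQUIRED
  CLIENT_TYPES               = ('SNOWFLAKE_UI', 'DRIVERS', 'SNOWSQL');
ALTER ACCOUNT SET AUTHENTICATION POLICY require_mfa;

-- 3. Password lifecycle: active password users who are not MFA-enrolled or whose
--    password is older than a year (the 2020-era credentials seen in the campaign).
SELECT name, password_last_set_time, ext_authn_duo AS mfa_enrolled, last_success_login
FROM   snowflake.account_usage.users
WHERE  deleted_on IS NULL
  AND  disabled::boolean = FALSE
  AND  has_password = TRUE
  AND  (ext_authn_duo = FALSE
        OR password_last_set_time < DATEADD(year, -1, CURRENT_TIMESTAMP()))
ORDER BY password_last_set_time;

-- 4. Investigate: successful single-factor logins from outside the allow list.
SELECT event_timestamp, user_name, client_ip, reported_client_type,
       reported_client_version, first_authentication_factor
FROM   snowflake.account_usage.login_history
WHERE  event_timestamp >= DATEADD(day, -90, CURRENT_TIMESTAMP())
  AND  is_success = 'YES'
  AND  first_authentication_factor = 'PASSWORD'
  AND  second_authentication_factor IS NULL
  AND  client_ip NOT LIKE '203.0.113.%'        -- outside the constructed range
ORDER BY event_timestamp DESC;

-- 5. Investigate: sessions opened by the tooling named in the campaign.
--    CLIENT_APPLICATION_ID is the self-reported client name, which the attacker
--    controls, so an empty result does not prove the absence of compromise.
SELECT s.created_on, s.user_name, s.client_application_id,
       s.client_environment:APPLICATION::string AS app, l.client_ip
FROM   snowflake.account_usage.sessions s
LEFT JOIN snowflake.account_usage.login_history l
       ON l.event_id = s.login_event_id
WHERE  s.created_on >= DATEADD(day, -90, CURRENT_TIMESTAMP())
  AND (s.client_application_id ILIKE 'rapeflake%'
       OR s.client_application_id ILIKE 'DBeaver%')
ORDER BY s.created_on DESC;

-- 6. Investigate: reconnaissance and staging. Bursts of SHOW commands enumerate
--    users and roles; CREATE STAGE followed by COPY INTO <location>
--    (query_type UNLOAD) is how data is staged out of the account.
SELECT start_time, user_name, role_name, query_type, LEFT(query_text, 200) AS query_text
FROM   snowflake.account_usage.query_history
WHERE  start_time >= DATEADD(day, -90, CURRENT_TIMESTAMP())
  AND (query_type = 'UNLOAD'
       OR query_text ILIKE 'CREATE%STAGE%'
       OR query_text ILIKE 'SHOW GRANTS%'
       OR query_text ILIKE 'SHOW USERS%'
       OR query_text ILIKE 'SHOW ROLES%')
ORDER BY start_time DESC;
```

Run the investigative queries (sections 3 to 6) before applying the policies, so that any account already holding a stolen session is found and its password reset and sessions terminated rather than silently locked out. Results from sections 4 and 5 should be correlated on user_name and client_ip: a password-only login from an unfamiliar IP that is followed by a DBeaver or "rapeflake" session and then UNLOAD queries is the sequence described in this article.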

Conclusion

The UNC5537 campaign against Snowflake database customers highlights the identity risks inherent in cloud-based environments, particularly concerning credential management.

Organizations must prioritize implementing comprehensive security measures such as MFA, password lifecycle management and vigilant monitoring practices.

By adopting these strategies, businesses can better protect themselves against identity-based attacks and safeguard their sensitive data from malicious actors.

The evolving nature of cyber threats necessitates continuous vigilance and proactive measures in the face of emerging threats like UNC5537.

Citations

[1] https://www.threatkey.com/resource/unc5537-threat-actor-targeting-snowflake-databases-for-data-theft-and-extortion-indn
[2] https://thisweekhealth.com/news_story/unc5537-targets-snowflake-customer-instances-for-data-theft-and-extortion-google-cloud-blog/
[3] https://www.techtarget.com/searchsecurity/news/366587176/Threat-actor-targeting-Snowflake-database-customers
[4] https://www.dataprivacyandsecurityinsider.com/2024/06/update-on-snowflake-cyber-threat/
[5] https://thehackernews.com/2024/06/snowflake-breach-exposes-165-customers.html
[6] https://www.hunters.security/en/blog/detect-threats-in-snowflake-unc5537
[7] https://www.reddit.com/r/snowflake/comments/1fmu9e6/investigating_unc5537_snowflake_database_threat/
[8] https://cloud.google.com/blog/topics/threat-intelligence/unc5537-snowflake-data-theft-extortion
