Threat actor compromising Snowflake database customers

A threat actor has breached customers of cloud storage and analytics giant Snowflake by using stolen credentials to access databases, according to cloud security vendor Mitiga.

According to a blog post published Thursday, the threat actor, tracked as UNC5537, "has been observed using stolen customer credentials to target organizations utilizing Snowflake databases" to conduct data theft and extortion-related activity. The threat actor is using a custom attack tool to target Snowflake environments that primarily lack two-factor authentication (2FA).

Mitiga noted the threat activity originated from commercial VPN IP addresses. Moreover, the blog post claimed that "UNC5537 has directly extorted organizations, further pressuring them by publicly posting stolen data for sale on hacker forums."

Snowflake is a major player in the cloud storage and analytics markets; Mitiga noted in its blog that Snowflake has more than 9,000 customers and a 20%-plus market share of the data warehousing market. Moreover, its September 2020 IPO was one of the largest ever for a software company at the time.

Or Aspir, Mitiga's director of research and co-author of the blog post, told TechTarget Editorial in an email that activity was first observed following a number of customer inquiries and threat intelligence reports dedicated to emerging threats in Snowflake customer environments.

"Recognizing the potential severity, we initiated our own investigation to determine if there was a correlation," Aspir said. "It quickly became apparent that the issue was far more extensive than initially thought, involving multiple organizations and attracting the attention of law enforcement agencies."

Aspir said Mitiga had not contacted Snowflake directly because "our investigation indicated that the campaign started in April and was targeting Snowflake customers without breaching or compromising Snowflake's internal systems." Mitiga assumed Snowflake was already aware, he said.

TechTarget Editorial contacted Snowflake for comment. In response, a spokesperson shared a security advisory that said certain customer accounts were being targeted and that to date, Snowflake "[does] not believe this activity is caused by any vulnerability, misconfiguration, or malicious activity within the Snowflake product."

The advisory said Snowflake first became aware of the unauthorized account access on May 23. After launching an investigation, Snowflake's incident response team discovered the threat activity had begun in mid-April.

"Snowflake recently observed and is investigating an increase in cyber threat activity targeting some of our customers' accounts," the advisory read. "We believe this is the result of ongoing industry-wide, identity-based attacks with the intent to obtain customer data. Research indicates that these types of attacks are performed with our customers' user credentials that were exposed through unrelated cyber threat activity."

The company advised customers to review indicators of compromise and mitigations, found in a separate security bulletin.

Threat actors targeting environments that lack MFA or 2FA account protection is an unfortunately common occurrence. Earlier this week, Check Point Software Technologies warned of cyber attacks against a small number of its VPN customers by targeting accounts that use password-based authentication. However, Check Point later discovered the campaign also involved the use of a vulnerability in its Security Gateway product, which the vendor quickly patched.

Alexander Culafi is a senior information security news writer and podcast host for TechTarget Editorial