
Security firm Mandiant says attackers have used stolen credentials to steal the data of as many as 165 organisations from storage provider Snowflake.
In a blog post issued on Monday, Mandiant said it had not found any evidence to indicate that the theft of data had been due to a breach of Snowflake's enterprise environment.
In its post, Mandiant, which is owned by Google, said it had received the first indications of data theft from Snowflake in April when it "received threat intelligence on database records that were subsequently determined to have originated from a victim’s Snowflake instance. Mandiant notified the victim, who then engaged Mandiant to investigate suspected data theft involving their Snowflake instance".
"During this investigation, Mandiant determined that the organisation’s Snowflake instance had been compromised by a threat actor using credentials previously stolen via infostealer malware," the researchers said.
"The threat actor used these stolen credentials to access the customer’s Snowflake instance and ultimately exfiltrate valuable data. At the time of the compromise, the account did not have multi-factor authentication enabled."
Mandiant said it had continued its investigations after receiving additional indications that a broader campaign was targeting Snowflake customers.
"To date, Mandiant and Snowflake have notified approximately 165 potentially exposed organisations. Snowflake’s Customer Support has been directly engaged with these customers to ensure the safety of their accounts and data," the blog post said.
"Mandiant and Snowflake have been conducting a joint investigation into this ongoing threat campaign and coordinating with relevant law enforcement agencies. On 30 May, Snowflake published detailed detection and hardening guidance to Snowflake customers."
Asked about the Mandiant post, Snowflake's CISO Brad Jones said in part of a blog post dated 10 June: "As part of our commitment to transparency around our ongoing investigation involving a targeted threat campaign against some Snowflake customer accounts, cyber security expert Mandiant shared this blog post today detailing their findings to date.
"As we shared on 6 June, we continue to work closely with our customers as they harden their security measures to reduce cyber threats to their businesses, and we are developing a plan to require our customers to implement advanced security controls, like multi-factor authentication or network policies."
Mandiant has given the attackers the name UNC5537 and says three primary factors have resulted in the attacks being successful:
- "The impacted accounts were not configured with multi-factor authentication enabled, meaning successful authentication only required a valid username and password;
- "Credentials identified in infostealer malware output were still valid, in some cases years after they were stolen, and had not been rotated or updated; and
- "The impacted Snowflake customer instances did not have network allow lists in place to only allow access from trusted locations."
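The three factors above map directly onto checks an account administrator can run in Snowflake itself. The following is an added example written for this page, not code from Mandiant's or Snowflake's published guidance: it assumes an ACCOUNTADMIN role, the `SNOWFLAKE.ACCOUNT_USAGE` views `USERS` and `LOGIN_HISTORY` with the columns named in the comments (verify against your account's documentation), and a constructed corporate IP range and policy name (`203.0.113.0/24`, `corp_only`).

```sql
-- Factor 1: accounts that can still sign in with a password alone.
-- Columns assumed from SNOWFLAKE.ACCOUNT_USAGE.USERS: HAS_PASSWORD, EXT_AUTHN_DUO,
-- PASSWORD_LAST_SET_TIME, LAST_SUCCESS_LOGIN, DISABLED, DELETED_ON.
SELECT name,
       has_password,
       ext_authn_duo          AS mfa_enrolled,
       password_last_set_time,
       last_success_login
FROM   snowflake.account_usage.users
WHERE  deleted_on IS NULL
  AND  disabled = FALSE
  AND  has_password = TRUE
  AND  ext_authn_duo = FALSE
ORDER  BY last_success_login DESC NULLS LAST;

-- Factor 2: password credentials that have not been rotated in over a year.
-- A stolen password this old is exactly what infostealer logs resell.
SELECT name, password_last_set_time
FROM   snowflake.account_usage.users
WHERE  deleted_on IS NULL
  AND  has_password = TRUE
  AND  password_last_set_time < DATEADD(year, -1, CURRENT_TIMESTAMP())
ORDER  BY password_last_set_time;

-- Factor 3 (review step): successful password-only logins in the last 30 days,
-- with source IP and client, to compare against known corporate egress before
-- an allow list is enforced. IS_SUCCESS is the string 'YES'/'NO' in this view.
SELECT event_timestamp,
       user_name,
       client_ip,
       reported_client_type,
       first_authentication_factor,
       second_authentication_factor
FROM   snowflake.account_usage.login_history
WHERE  is_success = 'YES'
  AND  event_timestamp > DATEADD(day, -30, CURRENT_TIMESTAMP())
  AND  first_authentication_factor = 'PASSWORD'
  AND  second_authentication_factor IS NULL
ORDER  BY event_timestamp DESC;

-- Factor 3 (fix): create a network allow list and bind it to the account.
-- 203.0.113.0/24 is a constructed placeholder (RFC 5737 documentation range);
-- replace it with the organisation's real egress ranges.
CREATE NETWORK POLICY corp_only
  ALLOWED_IP_LIST = ('203.0.113.0/24')
  COMMENT = 'Only corporate egress may reach this account';

ALTER ACCOUNT SET NETWORK_POLICY = corp_only;

-- Service accounts that cannot enrol in MFA should move off passwords entirely:
-- bind a key pair instead and drop the password (public key value is a placeholder).
ALTER USER etl_service SET RSA_PUBLIC_KEY = '<base64-public-key-placeholder>';
ALTER USER etl_service UNSET PASSWORD;
```

Run the three audit queries before applying the policy: the `LOGIN_HISTORY` review shows which users and client types would be cut off by the allow list, and the `ACCOUNT_USAGE` views lag live activity, so recent logins may not appear immediately. Per-user MFA enrolment itself happens through the user's profile rather than SQL, so the first query is the list of people to chase, not a command that enrols them.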