UNC5537: Snowflake Customer Extortion and Data Taking

Mandiant is tracking UNC5537, a financially motivated threat actor that stole several Snowflake customer details

[{"selector":"#anim-74766bf6-1ebb-4fa5-9307-7c4612396fc7 [data-leaf-element=\"true\"]","keyframes":{"transform":["translate3d(-34.179687404002955%, 0, 0)","translate3d(0%, 0, 0)"]},"delay":0,"duration":2000,"easing":"cubic-bezier(.3,0,.55,1)","fill":"both"}] [{"selector":"#anim-363af0e4-7e15-415c-ae73-fb2dbabf860e","keyframes":[{"offset":0,"transform":"translate3d(0, -174.13729%, 0)","easing":"cubic-bezier(.5, 0, 1, 1)"},{"offset":0.29,"transform":"translate3d(0, 0%, 0)","easing":"cubic-bezier(0, 0, .5, 1)"},{"offset":0.45,"transform":"translate3d(0, -48.967405948%, 0)","easing":"cubic-bezier(.5, 0, 1, 1)"},{"offset":0.61,"transform":"translate3d(0, 0%, 0)","easing":"cubic-bezier(0, 0, .5, 1)"},{"offset":0.71,"transform":"translate3d(0, -16.647524924000002%, 0)","easing":"cubic-bezier(.5, 0, 1, 1)"},{"offset":0.8,"transform":"translate3d(0, 0%, 0)","easing":"cubic-bezier(0, 0, .5, 1)"},{"offset":0.85,"transform":"translate3d(0, -6.251528711000001%, 0)","easing":"cubic-bezier(.5, 0, 1, 1)"},{"offset":0.92,"transform":"translate3d(0, 0%, 0)","easing":"cubic-bezier(0, 0, .5, 1)"},{"offset":0.96,"transform":"translate3d(0, -2.716541724%, 0)","easing":"cubic-bezier(.5, 0, 1, 1)"},{"offset":1,"transform":"translate3d(0, 0%, 0)","easing":"cubic-bezier(0, 0, .5, 1)"}],"delay":0,"duration":600,"fill":"both"}]

According to Mandiant’s analysis, there is no proof that a breach in Snowflake’s enterprise environment led to unauthorized access to consumer accounts

[{"selector":"#anim-5891ae12-bccb-42e1-8488-85602f9c84bd [data-leaf-element=\"true\"]","keyframes":{"transform":["translate3d(35.937499914669296%, 0, 0)","translate3d(0%, 0, 0)"]},"delay":0,"duration":2000,"easing":"cubic-bezier(.3,0,.55,1)","fill":"both"}] [{"selector":"#anim-9048e475-da63-4682-adc7-a49a06dcfa22","keyframes":{"opacity":[0,1]},"delay":0,"duration":600,"easing":"cubic-bezier(0.4, 0.4, 0.0, 1)","fill":"both"}]

Mandiant and Snowflake have notified about 165 possibly vulnerable organizations thus far

[{"selector":"#anim-9d34f5a7-87d0-4760-903f-ab8f0bec14d2 [data-leaf-element=\"true\"]","keyframes":{"transform":["translate(-3.552713678800501e-15%, 0%) scale(1.5)","translate(0%, 0%) scale(1)"]},"delay":0,"duration":2000,"easing":"cubic-bezier(.3,0,.55,1)","fill":"forwards"}] [{"selector":"#anim-d2042637-d2c0-402e-92f3-85afc9fee638","keyframes":{"opacity":[0,1]},"delay":0,"duration":600,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-679601f9-0c46-46cb-96dc-f68ce94ae9d0","keyframes":{"transform":["translate3d(-115.2381%, 0px, 0)","translate3d(0px, 0px, 0)"]},"delay":0,"duration":600,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}]

Since multi-factor authentication was not enabled on the affected accounts, successful authentication just needed a working login and password

[{"selector":"#anim-207e5f1f-95cd-4b5f-a51a-52941735bce2 [data-leaf-element=\"true\"]","keyframes":{"transform":["translate3d(-21.874999829338588%, 0, 0) translate(-25%, 0%) scale(1.5)","translate3d(0%, 0, 0) translate(0%, 0%) scale(1)"]},"delay":0,"duration":2000,"fill":"forwards"}] [{"selector":"#anim-3ee4ae10-9f3a-42c2-b8fe-4d65d5e33118","keyframes":{"opacity":[0,1]},"delay":0,"duration":600,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-11c964ca-9e45-4898-b805-4dd8ce69f105","keyframes":{"transform":["translate3d(0px, -201.26037%, 0)","translate3d(0px, 0px, 0)"]},"delay":0,"duration":600,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}]

The first infostealer virus penetration occurred on contractor PCs used for personal activities including downloading pirated software and playing games, according to Mandiant

[{"selector":"#anim-fd84435e-da35-45a0-a1f7-a10006db84f1 [data-leaf-element=\"true\"]","keyframes":{"transform":["translate3d(-34.2382811543585%, 0, 0)","translate3d(0%, 0, 0)"]},"delay":0,"duration":2000,"easing":"cubic-bezier(.3,0,.55,1)","fill":"both"}] [{"selector":"#anim-8f1a5956-b8fc-4300-af8b-0bd2243019ce","keyframes":{"transform":["scale(1)","scale(1.5)","scale(0.95)","scale(1)"],"offset":[0,0.33,0.66,1]},"delay":0,"duration":1450,"easing":"ease-in-out","fill":"both","iterations":1}]

Mandiant believes FROSTBITE is used to conduct reconnaissance against target Snowflake instances, despite the fact that Mandiant has not yet retrieved a complete sample of FROSTBITE

[{"selector":"#anim-7c05710e-24a1-4f96-a87b-5c8547ccbd9e","keyframes":{"transform":["scale(1)","scale(1.5)","scale(0.95)","scale(1)"],"offset":[0,0.33,0.66,1]},"delay":0,"duration":1450,"easing":"ease-in-out","fill":"both","iterations":1}] [{"selector":"#anim-949ee7de-e2c6-4a95-a23e-0dce849db9d4 [data-leaf-element=\"true\"]","keyframes":{"transform":["translate3d(21.874999829338595%, 0, 0)","translate3d(0%, 0, 0)"]},"delay":0,"duration":2000,"easing":"cubic-bezier(.3,0,.55,1)","fill":"both"}]

The campaign launched by UNC5537 against Snowflake client instances is not the product of a highly advanced or unique method, instrument, or process

[{"selector":"#anim-4243f869-fd2f-4847-95c4-774bdc3fe37c [data-leaf-element=\"true\"]","keyframes":{"transform":["translate(-3.552713678800501e-15%, 0%) scale(1.5)","translate(0%, 0%) scale(1)"]},"delay":0,"duration":2000,"easing":"cubic-bezier(.3,0,.55,1)","fill":"forwards"}] [{"selector":"#anim-c5dfe16f-6d92-4b6f-b264-89cb628c767b","keyframes":{"transform":["translate3d(-115.87301%, 0px, 0)","translate3d(0px, 0px, 0)"]},"delay":0,"duration":1000,"easing":"cubic-bezier(.2, 0, .8, 1)","fill":"both"}] [{"selector":"#anim-e5675325-6d25-4803-ba65-400d0edf0f4b","keyframes":{"transform":["rotateZ(-180deg)","rotateZ(0deg)"]},"delay":0,"duration":1000,"easing":"cubic-bezier(.2, 0, .5, 1)","fill":"forwards"}]

Multi-factor authentication was unnecessary for the affected customers, and many had not changed their credentials in four years For more details Govindhtech.com

[{"selector":"#anim-c971aebc-93e3-496a-ac30-49ae5556e4d8","keyframes":{"transform":["rotate(-540deg) scale(0.1)","none"],"opacity":[0,1]},"delay":0,"duration":1000,"fill":"both","iterations":1}] [{"selector":"#anim-f6b6f9a0-c570-48e7-807f-f1f7305872b5 [data-leaf-element=\"true\"]","keyframes":{"transform":["translate3d(-21.874999829338588%, 0, 0) translate(-25%, 0%) scale(1.5)","translate3d(0%, 0, 0) translate(0%, 0%) scale(1)"]},"delay":0,"duration":2000,"fill":"forwards"}]