Mandiant finds “significant volume” of data stolen from Snowflake environments
Some 165 organisations worldwide that run Snowflake may have been exposed to a campaign that used stolen credentials to gain access to customer environments.
Mandiant said in a blog post that the threat actor – which it calls UNC5537 – is “suspected to have stolen a significant volume of records from Snowflake customer environments.”

The incident response firm said that UNC5537 likely assembled a list of credentials for Snowflake environments “by accessing a variety of different sources of infostealer logs” on both the open internet and the dark web.

Infostealer malware is a type of trojan that harvests stored credentials and other data from the systems it infects. Mandiant said the stolen Snowflake credentials “were primarily obtained from multiple infostealer malware campaigns that infected non-Snowflake owned systems”.

Victim organisations typically had Snowflake accounts that did not have multi-factor authentication (MFA) set up for them, did not regularly rotate credentials and/or had overly permissive network rules.

“The affected customer instances did not require multi-factor authentication and in many cases, the credentials had not been rotated for as long as four years,” Mandiant said.

“Network allow lists were also not used to limit access to trusted locations.

“The broad impact of this campaign underscores the urgent need for credential monitoring, the universal enforcement of MFA and secure authentication, limiting traffic to trusted locations for crown jewels, and alerting on abnormal access attempts.”
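The four control gaps Mandiant lists (no MFA, credentials never rotated, no network allow list, no alerting on abnormal access) can be checked mechanically against an account's login and credential inventory. The script below is an added example, not code from Mandiant or Snowflake: the record fields, the allow list and the 90-day rotation threshold are assumptions for illustration, and the records are constructed.

```python
from datetime import date
from ipaddress import ip_address, ip_network

# Constructed sample records standing in for an account's login and credential
# inventory. Field names are assumptions for this example, not Snowflake's schema.
LOGINS = [
    {"user": "etl_svc", "mfa": False, "pw_set": "2020-05-01", "ip": "203.0.113.7"},
    {"user": "alice",   "mfa": True,  "pw_set": "2024-04-15", "ip": "198.51.100.20"},
    {"user": "bob",     "mfa": False, "pw_set": "2024-01-10", "ip": "198.51.100.21"},
]

# Assumed trusted ranges (the "network allow list") and rotation policy.
ALLOWED = [ip_network("198.51.100.0/24")]
MAX_PW_AGE_DAYS = 90


def audit_login(rec, today=date(2024, 6, 1), allowed=ALLOWED):
    """Return the list of control gaps observed for one login record."""
    findings = []
    if not rec["mfa"]:
        findings.append("no_mfa")
    # Credential age: the campaign found passwords unrotated for up to four years.
    age = (today - date.fromisoformat(rec["pw_set"])).days
    if age > MAX_PW_AGE_DAYS:
        findings.append(f"stale_credential:{age}d")
    # Source outside the allow list is the "abnormal access" signal to alert on.
    src = ip_address(rec["ip"])
    if not any(src in net for net in allowed):
        findings.append("outside_allow_list")
    return findings


def audit_all(records, **kw):
    """Map each user with at least one finding to that user's findings."""
    report = {}
    for rec in records:
        findings = audit_login(rec, **kw)
        if findings:
            report[rec["user"]] = findings
    return report


if __name__ == "__main__":
    for user, gaps in audit_all(LOGINS).items():
        print(f"ALERT {user}: {', '.join(gaps)}")
```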

Mandiant said the nature of the activity also suggested that other campaigns could similarly follow that target other software-as-a-service platforms.

“This campaign highlights the consequences of vast amounts of credentials circulating on the infostealer marketplace and may be representative of a specific focus by threat actors on similar SaaS platforms,” it said.

“Mandiant assesses UNC5537 will continue this pattern of intrusion, targeting additional SaaS platforms in the near future.”

CrowdStrike has also been involved in incident response efforts.

Snowflake said in a forum posting that it “continues to work closely with customers as they harden their security measures to reduce cyber threats to their businesses.”

“We are [also] developing a plan to require our customers to implement advanced security controls, like multi-factor authentication or network policies,” it said.

Snowflake said it had found no evidence to suggest that any current or former personnel had their platform credentials compromised.

Mandiant said that UNC5537 was financially motivated and had attempted to extort victims.
