UNC5537 Targets Snowflake Customer Instances for Data Theft and Extortion
June 12, 2024, 11:03 a.m.
Description
An extensive cybercriminal campaign led by a threat actor tracked as UNC5537 has compromised numerous Snowflake customer database instances for the purpose of data theft and extortion. The threat actor used stolen customer credentials, predominantly harvested by infostealer malware infections dating back as far as 2020, to gain unauthorized access to Snowflake instances that had neither multi-factor authentication nor network-level access restrictions in place. UNC5537 systematically exfiltrated valuable data and then attempted to extort the victims or advertised the stolen data for sale on cybercrime forums. This campaign illustrates the consequences of credential theft and inadequate authentication controls, and underscores the need for stronger security practices such as enforced MFA and network allow-listing.
Date
Published: June 12, 2024, 10:34 a.m.
Created: June 12, 2024, 10:34 a.m.
Modified: June 12, 2024, 11:03 a.m.
Indicators
45.27.26.205
96.44.191.140
93.115.0.49
87.249.134.11
79.127.217.44
66.115.189.247
5.47.87.202
45.86.221.146
45.134.142.200
37.19.210.21
206.217.205.49
198.54.131.152
198.54.130.153
198.44.136.82
198.44.136.56
194.230.160.237
194.230.158.107
194.230.148.99
194.230.147.127
194.230.145.67
194.230.144.50
194.230.144.126
193.32.126.233
192.252.212.60
185.248.85.59
185.248.85.14
185.213.155.241
185.156.46.163
184.147.100.29
176.220.186.152
176.123.6.193
176.123.3.132
173.44.63.112
162.33.177.32
154.47.30.150
154.47.30.137
146.70.171.99
146.70.171.112
146.70.166.176
146.70.124.216
146.70.119.24
146.70.117.56
146.70.117.210
194.230.158.178
194.230.145.76
169.150.201.25
146.70.165.227
194.230.160.5
Attack Patterns
TrojanSpy:MSIL/RacoonStealer
FROSTBITE
Lumma Stealer
MetaStealer
RedLine Stealer
Vidar
RisePro
UNC5537
T1562.008
T1557.002
T1110.002
T1213.002
T1557.001
T1589.001
T1136.001
T1537
T1482
T1059.005
T1059.001
T1199
T1059.002
T1592