UNC5537 Targets Snowflake Customer Instances for Data Theft and Extortion
June 12, 2024, 11:03 a.m.
Description
An extensive cybercriminal campaign led by a threat actor codenamed UNC5537 has compromised numerous Snowflake customer database instances with the intent of data theft and extortion. The threat actor used stolen customer credentials, predominantly obtained through infostealer malware infections dating back to 2020, to gain unauthorized access to Snowflake instances lacking multi-factor authentication and network-level restrictions. UNC5537 systematically exfiltrated valuable data and subsequently attempted to extort victims or advertise the stolen data for sale on cybercrime forums. This campaign highlights the consequences of credential theft and inadequate authentication measures, and the need for enhanced security practices.
Date
Published | Created | Modified |
---|---|---|
June 12, 2024, 10:34 a.m. | June 12, 2024, 10:34 a.m. | June 12, 2024, 11:03 a.m. |
Attack Patterns
TrojanSpy:MSIL/RacoonStealer
FROSTBITE
Lumma Stealer
MetaStealer
RedLine Stealer
Vidar
RisePro
UNC5537
T1562.008
T1557.002
T1110.002
T1213.002
T1557.001
T1589.001
T1136.001
T1537
T1482
T1059.005
T1059.001
T1199
T1059.002
T1592