
Researchers said on Monday that roughly 165 customers of the cloud data platform Snowflake were hit by cybercriminals who logged in with account credentials harvested by information-stealing malware.

Last Friday, QuoteWizard, a subsidiary of LendingTree, acknowledged that it was one of the customers Snowflake had notified about the incident. Megan Greuling, a spokesperson for LendingTree, said the company is still investigating whether any of the data it stored on Snowflake was compromised.

“The investigation is ongoing,” she said in an email. “At this moment, there is no evidence that sensitive financial details of consumers were affected or any information regarding Lending Tree as the parent company.”

Researchers from Mandiant, the Google-owned security firm Snowflake hired to investigate the breach, disclosed on Monday that they have identified 165 customers whose data may have been stolen in the campaign. Live Nation had previously confirmed that data its Ticketmaster unit stored on Snowflake was taken, after a post appeared online offering for sale names, addresses, phone numbers, and partial credit card numbers belonging to 560 million Ticketmaster customers.

Santander, the largest bank in Spain, recently reported that data belonging to some of its customers had also been compromised. The same group that leaked the Ticketmaster data also attempted to sell Santander customer details. According to security firm Hudson Rock, the stolen data was taken from Snowflake. Santander has neither confirmed nor denied that claim.

A post published on Monday by Mandiant said every breach it identified traced back to stolen login credentials that information-stealing malware had harvested and that had then sat in infostealer logs, in some cases for years. None of the affected accounts had multi-factor authentication enabled, the control that requires a second form of verification beyond a password before a login succeeds.

The cybercriminals behind the attacks are financially motivated and primarily based in North America. Mandiant tracks the group as UNC5537. In its post, the researchers wrote:

Based on our investigations, UNC5537 accessed various Snowflake client accounts by utilizing stolen credentials. These credentials were obtained primarily through information-stealing malware on systems not owned by Snowflake. This unauthorized access allowed the threat actors to extract a substantial amount of client data from affected Snowflake accounts. The hackers have now resorted to extorting many victims and are actively marketing the stolen data on well-known cybercriminal platforms.

Mandiant found that the majority of the credentials UNC5537 used had been captured by historical infostealer infections, some dating back as far as 2020.

Mandiant attributed the campaign's success to three conditions that held across the victim accounts:

  1. The compromised accounts did not have multi-factor authentication enabled, so a valid username and password alone were enough to log in.
  2. The credentials captured by the infostealers had not been rotated and were still valid, in some cases years after they were stolen.
  3. The affected Snowflake customer instances had no network allow list restricting logins to trusted IP ranges, so the stolen credentials worked from anywhere on the Internet.
Attack path UNC5537 has used in attacks against as many as 165 Snowflake customers. (Image: Mandiant)

Initial unauthorized access to Snowflake accounts typically came through Snowsight or SnowSQL, the platform's web-based and command-line interfaces, respectively. The threat actors also used a custom tool that shows up in victim logs under the name “rapeflake,” which Mandiant tracks as FROSTBITE.
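The three conditions Mandiant lists (no MFA, unrotated credentials, no network allow list) and the client fingerprints it names (Snowsight, SnowSQL, the “rapeflake” string in logs) translate directly into a hunt over login telemetry. The following is an added example, not code from the article, from Mandiant, or from Snowflake. Its record layout is modelled on the column names of Snowflake's ACCOUNT_USAGE.LOGIN_HISTORY view (an assumption, not something the article states); the allow list, the 90-day rotation threshold, the password-change dates, and the sample login rows are all constructed here, and treating “rapeflake” as a value of the client-type field is likewise an assumption.

```python
"""
Hunt for the UNC5537 pattern over Snowflake login telemetry: successful
password-only logins (no second factor) from outside a network allow list,
using stale credentials or an unexpected client string.

Added example; not code from the original article, from Mandiant, or from
Snowflake. Field names follow Snowflake's ACCOUNT_USAGE.LOGIN_HISTORY view
(an assumption); allow list, thresholds and sample rows are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class LoginEvent:
    event_timestamp: datetime
    user_name: str
    client_ip: str
    reported_client_type: str         # e.g. SNOWFLAKE_UI (Snowsight), SNOWSQL
    first_authentication_factor: str  # PASSWORD, RSA_KEYPAIR, OAUTH, ...
    second_authentication_factor: Optional[str]  # None when no MFA was used
    is_success: bool


# Constructed allow list standing in for the office/VPN ranges a network
# policy would permit (the third condition in the article).
ALLOWED_NETWORKS = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]

# Constructed: when each user last rotated their password (second condition).
# A real hunt would pull this from the users view or the identity provider.
LAST_PASSWORD_CHANGE = {
    "alice": datetime(2024, 5, 1),
    "bob": datetime(2020, 6, 1),    # never rotated since an old infostealer log
    "carol": datetime(2024, 4, 1),
}

# Client strings to flag. "rapeflake" is the name the article says appeared
# in victims' logs; assuming it lands in the client-type field is ours.
SUSPICIOUS_CLIENT_TYPES = {"rapeflake"}


def in_allow_list(ip: str) -> bool:
    """True if the source address falls inside one of the trusted ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in ALLOWED_NETWORKS)


def classify(event: LoginEvent, now: datetime,
             max_credential_age: timedelta = timedelta(days=90)) -> List[str]:
    """Return the UNC5537-style risk indicators present on one login event."""
    findings: List[str] = []
    if not event.is_success:
        return findings  # only successful logins match this pattern
    if (event.first_authentication_factor == "PASSWORD"
            and not event.second_authentication_factor):
        findings.append("no_mfa")                # condition 1
    last_change = LAST_PASSWORD_CHANGE.get(event.user_name)
    if last_change is None or now - last_change > max_credential_age:
        findings.append("stale_credential")      # condition 2
    if not in_allow_list(event.client_ip):
        findings.append("outside_allow_list")    # condition 3
    if event.reported_client_type.lower() in SUSPICIOUS_CLIENT_TYPES:
        findings.append("suspicious_client")
    return findings


def hunt(events: List[LoginEvent], now: datetime) -> Dict[str, List[str]]:
    """Map each user with at least one indicator to the union of indicators."""
    report: Dict[str, List[str]] = {}
    for ev in events:
        found = classify(ev, now)
        if found:
            merged = report.setdefault(ev.user_name, [])
            merged.extend(f for f in found if f not in merged)
    return report


# Constructed sample telemetry: one clean MFA login from the office, one
# password-only SnowSQL login from an untrusted address with a 2020-era
# credential, and a "rapeflake" client from the same untrusted range.
NOW = datetime(2024, 6, 10)
SAMPLE_EVENTS = [
    LoginEvent(datetime(2024, 6, 9, 9, 0), "alice", "203.0.113.10",
               "SNOWFLAKE_UI", "PASSWORD", "DUO_PUSH", True),
    LoginEvent(datetime(2024, 6, 9, 3, 12), "bob", "192.0.2.44",
               "SNOWSQL", "PASSWORD", None, True),
    LoginEvent(datetime(2024, 6, 9, 3, 40), "carol", "192.0.2.45",
               "rapeflake", "PASSWORD", None, True),
    LoginEvent(datetime(2024, 6, 9, 3, 41), "carol", "192.0.2.45",
               "rapeflake", "PASSWORD", None, False),
]

if __name__ == "__main__":
    for user, indicators in hunt(SAMPLE_EVENTS, NOW).items():
        print(f"{user}: {', '.join(indicators)}")
```

Run against the constructed rows, alice produces no findings, bob is flagged for all three conditions, and carol is flagged for the missing second factor, the untrusted source address, and the “rapeflake” client string. The same checks map onto the fixes: enforce MFA for every human user, rotate any credential older than the threshold, and attach a network policy so a leaked password is useless from an infostealer operator's IP.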