“UNC5537” breached at least 165 Snowflake instances, including Ticketmaster, LendingTree and, allegedly, Advance  Auto  Parts.

Not Our Fault, says CISO

What’s the craic, Zack? Mr. Whittaker reports: Hackers stole a ‘significant volume of data’ from Snowflake customers

“Declined to say”
Financially motivated cybercriminals have stolen … data from hundreds of customers [of] cloud storage giant Snowflake. … It’s the first time that the number of affected Snowflake customers has been disclosed since the account hacks began in April. Snowflake has said little to date about the attacks.
…
Mandiant attributed the account hacks to UNC5537, an as-yet-unclassified cybercriminal gang. … Mandiant’s findings confirm Snowflake’s limited disclosure, which said there wasn’t a direct breach of Snowflake’s own systems but blamed its customer accounts for not using multi-factor authentication (MFA).
…
Snowflake spokesperson Danica Stanczak declined to say why the company hasn’t reset customer passwords or enforced MFA. … So far, only Ticketmaster and LendingTree have confirmed data thefts where their stolen data was hosted on Snowflake.

LendingTree, you say? Jonathan Greig fills us in: LendingTree confirms

“Stolen database”
Financial services firm LendingTree confirmed that one of its subsidiaries was potentially affected by a cybersecurity incident following a wider attack. … It was informed by Snowflake directly of an incident involving QuoteWizard — an insurance information platform acquired by LendingTree in 2018.
…
The company did not respond to followup questions about whether data being sold … was part of what was stolen from Snowflake. On June 1, a hacker going by the name “Sp1d3r” posted … that they had stolen the sensitive information of over 190 million people from QuoteWizard, [including] customer details, partial credit card numbers [and] insurance quotes.
…
The same hacker posted another stolen database allegedly from automotive giant Advance Auto Parts that contained information on 380 million customers. … Advance Auto Parts [said] it is investigating.

Horse’s mouth? Google’s Mandiant attributes the perp: UNC5537 Targets Snowflake Customer Instances

“Significant risk”
UNC5537 is systematically compromising Snowflake customer instances using stolen customer credentials, advertising victim data for sale on cybercrime forums, and attempting to extort many of the victims. … Every incident Mandiant responded to associated with this campaign was traced back to compromised customer credentials [where] accounts were not configured with [MFA]. Not the result of any particularly novel or sophisticated tool, technique, or procedure.
…
The majority of the credentials … were available from historical infostealer infections, some of which dated as far back as 2020 … and had not been rotated or updated. [They] were previously exposed via several infostealer malware variants, including: VIDAR, RISEPRO, REDLINE, RACOON STEALER, LUMMA and METASTEALER. [We have] moderate confidence that UNC5537 comprises members based in North America … with an additional member in Turkey.
…
In several Snowflake related investigations, … the initial compromise of infostealer malware occurred on contractor systems that were also used for personal activities. … These devices, often used to access the systems of multiple organizations, present a significant risk: … A single contractor’s laptop can facilitate threat actor access across multiple organizations, often with IT and administrator-level privileges.

Okay, not Snowflake’s fault, right? Not so fast, thinks DaveSimmons:

A user apparently can’t set a policy to require company-wide use of MFA. It must be enabled account-by-account. I’d assign the majority of blame to the customers but Snowflake gets a share.

Some of those accounts belong to contractors who also use the endpoint for gaming, Mandiant points out. KeshLives wonders why that’s relevant:

I work for a bank, in IT, and also play some online games. … I know a lot more people who have 2FA on their gaming accounts, than people who have 2FA on their banking accounts. And, yes, people will whine about 2FA on their banking accounts endlessly.

Is it time for a colorful metaphor? A slightly sweary u/indignant_halitosis obliges thuswise:

Ouch. This Anonymous Coward is a fan of nominative determinism:

Why would you name a data storage company Snowflake? [Is the] service just as permanent as the name implies?

Apparently, the going rate for Advance Auto Parts’ data is $1.5 million. zoky scratches their head:

The detailed employment info might be worth something to identity thieves, but … it’s kind of hard to see what benefit a criminal would derive from knowing what brand of turn signal bulbs you buy.

Lest we forget, Snowflake says it’s not the company’s fault. This boggles beheadedstraw’s mind:

The fact that MFA isn’t required not only for Snowflake, but any organization accounts in general these days is ****ing mind boggling. The fact that Snowflake makes it so hard to implement MFA in general is college-level-project garbage. And even that’s giving a lot of college projects a bad name.

Meanwhile, Lord Elpuss snaps us back to reality:

These gangs are scum and should be ejected into space for the benefit of Humanity.

And Finally:

Dan’s latest “little moment of peace”

Previously in And Finally

You have been reading SB  Blogwatch by Richi  Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites—so you don’t have to. Hate mail may be directed to  @RiCHi, @richij, @[email protected], @richi.bsky.social or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.

Image sauce: Snowflake