Credit:
Mandiant
Attack Path UNC5537 has been used in attacks against as many as 165 Snowflake customers.
Credit:
Mandiant
None of the affected accounts used multifactor authentication, which requires users to provide a one-time password or additional means of authentication besides a password. After that revelation, Snowflake enforced mandatory MFA for accounts and required that passwords be at least 14 characters long.
Mandiant had identified the threat group behind the breaches as UNC5537. The group has referred to itself as ShinyHunters. Snowflake offers its services under a model known as SaaS (software as a service).
“UNC5537 aka Alexander ‘Connor’ Moucka has proven to be one of the most consequential threat actors of 2024,” Mandiant wrote in an emailed statement. “In April 2024, UNC5537 launched a campaign, systematically compromising misconfigured SaaS instances across over a hundred organizations. The operation, which left organizations reeling from significant data loss and extortion attempts, highlighted the alarming scale of harm an individual can cause using off-the-shelf tools.”
Mandiant said a co-conspirator, John Binns, was arrested in June. The status of that case wasn’t immediately known.
Besides Ticketmaster, other customers known to have been breached include AT&T and Spain-based bank Santander. In July, AT&T said that personal information and phone and text message records for roughly 110 million customers were stolen. WIRED later reported that AT&T paid $370,000 in return for a promise the data would be deleted.
Other Snowflake customers reported by various news outlets as breached are Pure Storage, Advance Auto Parts, Los Angeles Unified School District, QuoteWizard/LendingTree, Neiman Marcus, Anheuser-Busch, Allstate, Mitsubishi, and State Farm.
KrebsOnSecurity reported Tuesday that Moucka has been named in multiple charging documents filed by US federal prosecutors. Reporter Brian Krebs said specific charges and allegations are unknown because the cases remain sealed.