#Datatheft
Explore tagged Tumblr posts
govindhtech · 11 months ago
Text
UNC5537: Extortion and Data Theft of Snowflake Customers
UNC5537 Targets Snowflake Customer Instances for Extortion and Data Theft
Overview
Mandiant has identified a threat campaign targeting Snowflake customer database instances with the goal of data theft and extortion. The campaign was discovered through Google incident response engagements and threat intelligence collections. Snowflake is a multi-cloud data warehousing platform that can store and analyze massive amounts of structured and unstructured data.
Mandiant is tracking UNC5537, a financially motivated threat actor that has stolen a significant volume of records from Snowflake customer environments. UNC5537 is using stolen customer credentials to systematically compromise Snowflake customer instances, advertise victim data for sale on cybercrime forums, and attempt to extort many of the victims.
According to Mandiant's analysis, there is no evidence that a breach of Snowflake's enterprise environment led to the unauthorized access to customer accounts. Instead, Mandiant was able to link every campaign-related incident to compromised customer credentials.
Threat intelligence about database records that were later found to have come from a victim’s Snowflake instance was obtained by Mandiant in April 2024. After informing the victim, Mandiant was hired by the victim to look into a possible data theft affecting their Snowflake instance. Mandiant discovered during this investigation that a threat actor had gained access to the company’s Snowflake instance by using credentials that had previously been obtained through info stealer malware.
Using these credentials that were taken, the threat actor gained access to the customer’s Snowflake instance and eventually stole important information. The account did not have multi-factor authentication (MFA) activated at the time of the intrusion.
Following further intelligence that revealed a wider campaign aimed at more Snowflake customer instances, Mandiant notified Snowflake and potential victims via their Victim Notification Programme on May 22, 2024.
Mandiant and Snowflake have so far notified approximately 165 potentially exposed organizations. To ensure the security of their accounts and data, these customers have been in direct contact with Snowflake's Customer Support. Mandiant and Snowflake have been conducting a joint investigation into this ongoing threat campaign, in coordination with relevant law enforcement agencies. Snowflake published detailed detection and hardening guidance for Snowflake customers on May 30, 2024.
Campaign Summary
According to Google Cloud's current investigations, UNC5537 used stolen customer credentials to access Snowflake customer instances belonging to several different organizations. The primary source of these credentials was a series of infostealer malware campaigns that compromised systems not owned by Snowflake.
As a result, the threat actor gained access to the affected customer accounts and exported a large volume of customer data from the corresponding Snowflake instances. The threat actor then began extorting several of the victims directly and is actively attempting to sell the stolen customer data on cybercriminal forums.
Mandiant found that most of the credentials used by UNC5537 came from historical infostealer infections, some dating back to 2020. Three main factors contributed to the many successful compromises in UNC5537's campaign:
Multi-factor authentication was not enabled on the affected accounts, so successful authentication required only a valid username and password.
The credentials found in the infostealer malware output had not been rotated or updated, and in some cases remained valid years after they were stolen.
No network allow lists were configured on the affected Snowflake customer instances to restrict access to trusted locations.
Infostealer
Mandiant found that the initial infostealer malware infection occurred on contractor systems that were also used for personal activities, such as downloading pirated software and gaming. This observation was made across multiple Snowflake-related investigations.
Customers that hire contractors to help them with Snowflake may use unmonitored laptops or personal computers, which worsen this initial entry vector. These devices pose a serious concern because they are frequently used to access the systems of several different organizations. A single contractor’s laptop can enable threat actors to access numerous organizations if it is infected with infostealer malware, frequently with administrator- and IT-level access.
Initial Access
Initial access to Snowflake customer instances was frequently obtained through the native web-based user interface (Snowflake UI, also known as SnowSight) and/or the command-line interface tool (SnowSQL) on Windows Server 2022. Mandiant also identified additional access using an attacker-named utility called "rapeflake," which Mandiant tracks as FROSTBITE.
Mandiant believes FROSTBITE is used to perform reconnaissance against target Snowflake instances, although Mandiant has not yet recovered a complete sample of the tool. Mandiant observed FROSTBITE in both Java and .NET versions. The .NET version interfaces with the Snowflake .NET driver, and the Java version interfaces with the Snowflake JDBC driver.
SQL recon actions by FROSTBITE have been discovered, including a listing of users, current roles, IP addresses, session IDs, and names of organizations. Mandiant also saw UNC5537 connect to many Snowflake instances and conduct queries using DBeaver Ultimate, a publicly accessible database management tool.
Complete Mission
Mandiant observed UNC5537 staging and exfiltrating data by repeatedly running the same SQL commands across many customer Snowflake instances. The following commands were observed being used for data staging and exfiltration.
CREATE (TEMP|TEMPORARY) STAGE
UNC5537 used the CREATE STAGE command to create temporary stages for data staging. A stage is a location where data files are stored for loading into and unloading from database tables. When a stage is created and designated as temporary, it is dropped at the end of the creator's active Snowflake session.
Attribution
Mandiant has tracked UNC5537, a financially motivated threat actor, as a distinct cluster since May 2024. UNC5537 routinely extorts victims for financial gain and has targeted hundreds of organizations worldwide. UNC5537 operates under numerous aliases on cybercrime forums and Telegram channels. Mandiant has identified individuals who are linked to other tracked groups. Mandiant assesses with moderate confidence that UNC5537 comprises members based in North America, and also collaborates with one additional member in Turkey.
Attacker Infrastructure
To access victim Snowflake instances, UNC5537 primarily used Mullvad or Private Internet Access (PIA) VPN IP addresses. Mandiant observed VPS servers from the Moldovan provider ALEXHOST SRL (AS200019) being used for data exfiltration. UNC5537 was also found to be storing stolen victim data on other international VPS providers as well as the cloud storage provider MEGA.
Outlook and Implications
UNC5537's campaign against Snowflake customer instances is not the result of any particularly novel or sophisticated tool, technique, or procedure. The broad reach of this campaign is a consequence of both the growing infostealer marketplace and missed opportunities to further secure credentials:
UNC5537 most likely obtained credentials for Snowflake victim instances by accessing a variety of infostealer log sources. There is also a thriving black market for infostealer output, with large lists of stolen credentials available for purchase and distribution both on and off the dark web.
The affected customer instances did not require multi-factor authentication, and in many cases the credentials had not been rotated for as long as four years. Network allow lists were also not used to limit access to trusted locations.
This campaign highlights the consequences of the vast number of credentials circulating on the infostealer market and may be indicative of threat actors specifically targeting similar SaaS platforms. Mandiant expects UNC5537 to continue this intrusion pattern, soon targeting additional SaaS platforms.
The broad impact of this campaign underscores the urgent need for credential monitoring, universal enforcement of MFA and secure authentication, restricting traffic to trusted locations for crown-jewel systems, and alerting on abnormal access attempts. See Snowflake's Hardening Guide for additional recommendations on hardening Snowflake environments.
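The post describes the three gaps (no MFA, stale credentials, no network allow list) and the data-staging pattern (CREATE TEMPORARY STAGE followed by an unload). The queries below are an added example for defenders, not code from Mandiant, Google or Snowflake's own guide. They assume the running role can read the SNOWFLAKE.ACCOUNT_USAGE share (ACCOUNTADMIN or a role granted IMPORTED PRIVILEGES on the SNOWFLAKE database); the 14-day window, the COPY INTO / GET text patterns used to approximate the unload step, and the allowlist CIDR are placeholders chosen for illustration.

```sql
-- Added example (not from the post or from Snowflake). Assumes access to
-- SNOWFLAKE.ACCOUNT_USAGE; note that its views lag real time by up to a few hours.

-- 1. Successful logins that relied on a password alone, i.e. no second factor.
--    Any hit is an account that a leaked infostealer credential could reuse.
SELECT event_timestamp,
       user_name,
       client_ip,
       reported_client_type,
       first_authentication_factor,
       second_authentication_factor
FROM   snowflake.account_usage.login_history
WHERE  is_success = 'YES'
  AND  first_authentication_factor = 'PASSWORD'
  AND  second_authentication_factor IS NULL
  AND  event_timestamp >= DATEADD(day, -14, CURRENT_TIMESTAMP())   -- placeholder window
ORDER BY event_timestamp DESC;

-- 2. Sessions that created a temporary stage and then unloaded or pulled data
--    from a stage. The COPY INTO @ / GET @ patterns are an assumption about how
--    the unload step looks; the post itself only names CREATE (TEMP|TEMPORARY) STAGE.
SELECT session_id,
       user_name,
       role_name,
       MIN(start_time)                                          AS first_seen,
       COUNT_IF(query_text ILIKE 'CREATE%TEMP%STAGE%')          AS temp_stage_creates,
       COUNT_IF(query_text ILIKE 'COPY INTO @%'
             OR query_text ILIKE 'GET @%')                      AS stage_pulls
FROM   snowflake.account_usage.query_history
WHERE  start_time >= DATEADD(day, -14, CURRENT_TIMESTAMP())       -- placeholder window
GROUP BY session_id, user_name, role_name
HAVING COUNT_IF(query_text ILIKE 'CREATE%TEMP%STAGE%') > 0
   AND COUNT_IF(query_text ILIKE 'COPY INTO @%'
             OR query_text ILIKE 'GET @%') > 0
ORDER BY first_seen DESC;

-- 3. Close the third gap: restrict the account to a trusted source range.
--    203.0.113.0/24 is a documentation range used here as a placeholder;
--    replace it with the organisation's real egress addresses before applying.
CREATE NETWORK POLICY IF NOT EXISTS corp_only_policy
  ALLOWED_IP_LIST = ('203.0.113.0/24');

ALTER ACCOUNT SET NETWORK_POLICY = corp_only_policy;
```

Query 1 and query 2 are meant to be scheduled (for example as a Snowflake task feeding an alerting pipeline) rather than run once; query 2 deliberately keys on the session rather than on a single statement, because a lone CREATE TEMPORARY STAGE is routine for legitimate loads, while stage creation paired with a pull in the same session matches the staging-then-exfiltration sequence the post describes. Apply the network policy only after confirming the allowlist covers every legitimate client path, or administrators can lock themselves out.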
Read more on Govindhtech.com
5 notes · View notes
fortunatelycoldengineer · 5 months ago
Text
White Hat Hackers
White hat hackers, also known as ethical hackers or penetration testers, are the good guys of the hacking world 💻✨.
Using the same techniques as black hat hackers, they legally hack systems with permission 🔐
to identify and fix vulnerabilities. Their mission? To enhance security and protect IT systems 🛡️.
White hat hacking is ethical and essential for a safer digital world.
Learn more and stay safe! 🌟 Check out the full tutorial here: https://bit.ly/3QPDslo
0 notes
phonemantra-blog · 11 months ago
Link
In today's hyper-connected world, our smartphones hold a treasure trove of personal information – from banking details and private photos to work documents and social media accounts. This makes them prime targets for cybercriminals looking to steal data, install malware, or commit financial fraud. The good news is that you can significantly reduce the risk of your smartphone being compromised by following some basic security best practices. This article dives deep into the National Security Agency's (NSA) "Mobile Device Best Practices" guide, outlining essential steps to secure your iOS or Android device.
Tips to Secure Your Smartphone
Daily Habits for Smartphone Security
Here are some easy-to-implement daily practices that can significantly enhance your smartphone security:
Strong Passwords and Screen Locks: Ditch the simple four-digit PIN and opt for a strong, six-digit PIN or a complex alphanumeric password for your screen lock. Additionally, enable the feature that wipes your device data after 10 unsuccessful unlock attempts. This acts as a deterrent against brute-force attacks.
Bluetooth: Use Wisely: Bluetooth is a convenient way to connect to headphones and speakers, but leave it disabled when not in use. This minimizes the attack surface for hackers who might exploit Bluetooth vulnerabilities.
Beware of Public Wi-Fi: Public Wi-Fi networks are notoriously insecure. Avoid accessing sensitive information like bank accounts or online banking apps while connected to public Wi-Fi. If necessary, consider using a Virtual Private Network (VPN) to encrypt your internet traffic.
Maintain Physical Control: Your smartphone is a personal device. Keep it with you at all times and avoid leaving it unattended in public places. This simple precaution can prevent physical theft, which can be a gateway to further security breaches.
App Management: Keeping Your Digital Ecosystem Safe
The apps you install on your phone can be a double-edged sword. While they offer a plethora of functionalities, they can also pose security risks if not managed properly. Here's how to maintain a secure app environment:
Download from Official Sources: Only install apps from official app stores like the App Store or Google Play Store. These stores have vetting procedures in place to minimize the risk of malware distribution. Avoid downloading apps from untrusted third-party sources.
Essential Apps Only: Don't clutter your phone with unnecessary apps. Stick to installing only the apps you genuinely need and use regularly. The fewer apps you have, the smaller the attack surface for potential vulnerabilities.
App Permissions: Be mindful of the permissions you grant to apps. An app requesting access to your location or microphone when it doesn't seem necessary might be a red flag. Only grant permissions that are essential for the app's functionality.
Close Unused Apps: Many apps run in the background even when not actively in use. This can drain battery life and potentially expose vulnerabilities. Make it a habit to close apps you're not actively using to tighten your phone's security.
Staying Updated: Software and Apps
Software updates often contain critical security patches that address vulnerabilities exploited by cybercriminals. Here's why keeping your software and apps updated is crucial:
Install Updates Promptly: Whenever software updates are available for your phone's operating system or apps, install them promptly. Don't procrastinate – timely updates are essential for maintaining a secure mobile environment.
Automatic Updates: Consider enabling automatic updates for your phone's operating system and apps whenever possible. This ensures you're always protected with the latest security patches.
Be Wary of Social Engineering and Phishing Attacks
Cybercriminals often rely on social engineering tactics to trick users into compromising their own devices. Here's how to stay vigilant against such attempts:
Think Before You Click: Never open suspicious email attachments or links, even if they appear to come from a trusted source. Phishing emails often try to trick you into clicking on malicious links that can download malware onto your device.
Beware of Pop-Ups: Unexpected pop-ups on your phone can be a sign of a malicious website or app. Don't interact with them. Instead, force close the browser or app immediately.
Advanced Security Measures
For users who want to take their smartphone security to the next level, here are some additional tips:
No Jailbreaking or Rooting: Jailbreaking an iPhone or rooting an Android phone gives you more control over your device, but it can also bypass security measures built into the operating system. These modifications can make your phone more vulnerable to attacks. Unless you're a highly technical user, avoid jailbreaking or rooting.
Frequently Asked Questions
Q: Is a fingerprint or facial recognition unlock secure enough for my phone?
A: While fingerprint and facial recognition unlock features offer convenience, they might not be as secure as a strong PIN or password. Consider using a PIN or password in conjunction with fingerprint or facial recognition for an extra layer of security.
Q: What if I accidentally download a malicious app?
A: Most reputable antivirus and security apps can scan your phone for malware. Consider installing a reputable security app from a trusted source and running regular scans.
Q: I'm not very tech-savvy. Can I still secure my phone?
A: Absolutely! Many of the tips in this article, like using strong passwords and keeping your software updated, are easy to implement regardless of technical expertise.
0 notes
osintelligence · 1 year ago
Link
https://bit.ly/3TDVHwq
🔒 Netskope Threat Labs has identified a sophisticated Azorult malware campaign leveraging advanced evasion techniques for data theft. This campaign uses HTML smuggling through Google Sites for payload delivery and employs various methods to evade detection, including reflective code loading and AMSI bypass, targeting sensitive information such as credentials and crypto wallet data. #CyberSecurity #DataTheft
🌐 The Azorult information stealer, first spotted in 2016, has been increasingly targeting the healthcare industry. This malware steals user credentials, browser info, and crypto wallet data, showcasing the growing threat to personal and sensitive data online. #HealthcareCybersecurity #Malware
🛡️ The campaign utilizes HTML smuggling with a unique twist by embedding the payload in a separate JSON file, enhancing its evasiveness. This technique allows the malware to bypass traditional security measures, demonstrating the sophistication of modern cyber threats. #CyberDefense #ThreatIntelligence
🔑 A notable aspect of this campaign is the use of a CAPTCHA as an additional evasion layer, making the malicious payload more difficult for security scanners to detect. This highlights the evolving tactics cybercriminals use to outmaneuver cybersecurity defenses. #CybersecurityAwareness #InfoSec
📁 The execution phase involves a fileless approach, where the Azorult malware operates directly in memory to minimize detection. Such stealthy tactics challenge existing security frameworks, underscoring the need for advanced threat detection and response strategies. #DigitalForensics #EndpointSecurity
💼 The campaign targets a wide array of sensitive data, including 137 crypto wallets, demonstrating the high stakes involved in protecting digital assets against sophisticated cyber threats. The use of legitimate-looking domains further complicates the challenge for users and defenders alike. #CryptoSecurity #DigitalAssetsProtection
🚨 Netskope Threat Labs' analysis underscores the importance of vigilance and advanced security measures in the face of evolving cyber threats. The use of comprehensive defense strategies is crucial to safeguard sensitive information against sophisticated malware campaigns like Azorult.
1 note · View note
bob3160 · 3 months ago
Video
youtube
What’s Your Data Worth to Hackers - Shocking Dark Web Price List Revealed
0 notes
6ad6ro · 1 year ago
Text
id really like to live in a world where people were able to put the fear of god into corporations any time they dared to overstep.
like rn google is doing this horrible new opt out "find my device" horseshit that triangulates any and all devices (even offline) that have signed into google. the threat of somebody stealing your device and not wiping it is infinitely less than the threat of this level of corporate surveillance and data harvesting. they DO have the option to "opt out", but it involves agreeing to some other breaches of privacy just to access the ability to click "no i dont want this dogshit service". also their directions are purposely confusing, i assume to get as many people to agree to the small datatheft as they can, while limiting who can opt out.
anyways my point is, much like a corrupt king in a kingdom that he'd pissed off so badly for so long that the people finally got together and executed him? i really wish we'd do the same to ceos etc. i wish these big companies that have some part in running/ruining all of our lives would be AFRAID with every decision they make. i want these motherfuckers to fear the mob.
4 notes · View notes
propicsmedia · 1 month ago
Video
youtube
Musk Has Access to DATA of Non-US Citizens Around the World. Stop The International DATA BREACH of DOGE! Even citizens of countries around the world outside of the United States are having their data breached by DOGE and do not even know it! Trump, Musk and others are breaching international treaties and privacy agreements. The international community outside of the United States MUST STAND UP TO THIS ILLEGAL ACTIVITY! #taxtreaties #internationalagreements #personaldata #businessdata #sensitivedata #databreach #DOGE #ElonMusk #Tesla #SpaceX #Neurolink #UnitedStates #USGovernment #NationalSecurity #Taxation #Taxinfo #medicalData #fraud #Grok #GrokAI #X #Twitter #DOGETeam #USSenate #UnitedNations #WorldTradeOrganization #News #Machinelearning #AI #AISystems #AIDatasets #datasets #MachineLearningSystems #AITraining #DATASecurity #ArtificialIntelligence #GenerativeAI #Deepseek #MetaAI #BreakingNews #Wired #AssociatedPress #USjudiciary #ICC #NATO #Parliament #Visas #DataTheft #Security #WorldNews #law #lawandorder #TrumpCorruption #TrumpAdministration #SignalBreach #SignalGate #PeteHegseth #Boebert #Intelligence #CSIS #FBI #CIA #RCMP #MarkCarney #JagmeetSingh #MI5 #MI6 #Interpol #Mexico #China #Japan #Australia #Denmark #Spain #Greece #Italy #Sweden #Greenland #USIntelligence #Poland #Europe #EuropeanUnion #Unitedkingdom #KingCharles
0 notes
divakarbs · 2 years ago
Text
Political memes part #105 #digitalindia
0 notes
valevpn · 2 years ago
Text
Public WiFi can be found in coffee shops, airports, and hotels around the world. While it's convenient to have access to free internet, it's important to understand the risks associated with it.
Here are some of the ways cybercriminals can exploit public WiFi networks 👇
Man-in-the-Middle Attacks: Attackers can intercept the traffic between your device and the WiFi network, allowing them to steal your data or inject malware into your device.
Fake WiFi Networks: Attackers can set up fake WiFi networks with similar names to legitimate ones, tricking users into connecting to them and giving them access to their devices.
Snooping: Attackers can monitor your online activity and steal sensitive information, such as passwords and credit card details.
Here are some steps you can take to protect yourself when using public WiFi:
Use a VPN: A Virtual Private Network (VPN) encrypts your internet traffic, making it unreadable to attackers. This is the most effective way to protect yourself on public WiFi.
Avoid Accessing Sensitive Information: Try to avoid accessing sensitive information, such as banking or email accounts, while on public WiFi.
Update Your Device and Software: Make sure your device and software are up to date, as updates often contain security patches.
Turn Off Automatic WiFi Connections: Disable the auto-connect feature on your device, as it can automatically connect to open WiFi networks without your knowledge.
Public WiFi can be a convenient way to access the internet, but it also comes with risks. By using a VPN and following the other tips outlined in this post, you can protect yourself and your sensitive information while using public WiFi.
Stay safe out there 🔒
🔗 https://www.valevpn.com/
#PublicWiFi #InternetSecurity #DataSafety #OnlinePrivacy #CyberSecurity #NetworkSecurity #DataTheft #WiFiHacking #HotspotSecurity #SecureNetworking
1 note · View note
pistolslanga · 5 years ago
Text
                  @datatheft​  APPROACHED  THE  OUTLAW.
a  hush - SHH, so  gentle  one  could  mistake  it  for  a  whisper  from  on high, from  a  messenger  with  divine  purpose. but  the  face  above  is  by  no  means  angelic, it’s  time-worn, creased  in  places  with  a  thick  beard  outlining  a  heavy  set  mouth  and  jaw  and  long  grayed  morals. his  hands  are  sunk  beside  her  head  then  they  move  again  lower  on  her  body. his  intention  had  been  to  cover  her  up  with  their  blanket  as  it’d  slid  off  her  shoulders  sometime  while  he’d  been  preoccupied  in  the  shower. just  before  they  tuck  the  comfortable  thing  back  beneath  her  chin  they  bend  to  press  a  kiss  to  her  neck, tasting  a  sweet-bitterness  and  effectively  ending  the  scene  with  an  air  of  domesticity.        “ didn’t  mean  to  wake  you. ”
4 notes · View notes
fortunatelycoldengineer · 5 months ago
Text
Gray Hat Hackers
⚙️Gray hat hackers are hybrids of black and white hat hackers 🌗.
They hack systems without permission to test security 🔓 but don’t steal money 💰 or cause harm 🛡️. Often, they report vulnerabilities to administrators 📩. While their intentions may be good, hacking without consent remains illegal in most cases ⚖️. Gray hat hacking operates in a legal gray area—sometimes lawful, sometimes not 🤷‍♂️.
Learn more and stay safe! 🌟 Check out the full tutorial here: https://bit.ly/3QPDslo
0 notes
osintelligence · 1 year ago
Link
https://bit.ly/3QVvTe0
🔐 A sophisticated new variant of the Jupyter information stealer, also known as Yellow Cockatoo, Solarmarker, and Polazert, has been increasingly targeting users of Chrome, Edge, and Firefox browsers. This malware is capable of backdooring machines and harvesting a variety of sensitive data, including credentials, cookies, and information from browser password managers. #JupyterMalware #CyberSecurity #DataTheft
🕵️ VMware's Carbon Black researchers have observed this variant using PowerShell command modifications and digitally signed payloads to evade detection. The malware's advanced evasion techniques and use of legitimate-looking certificates are of particular concern, as they allow it to bypass malware detection tools. #MalwareDetection #Infosec #VMwareCarbonBlack
🌐 Other cybersecurity firms like Morphisec and BlackBerry have identified Jupyter's diverse capabilities, including functioning as a full-fledged backdoor and acting as a dropper for other malware. Its sophisticated methods include hollowing shell code to evade detection and executing PowerShell scripts. #CyberThreats #BackdoorMalware #Morphisec #BlackBerry
💳 The malware operators have employed various distribution techniques, including search engine redirects, drive-by downloads, phishing, and SEO poisoning. Recent attacks have seen the use of valid certificates to sign the malware, making it appear legitimate and tricking users into downloading it. #MalwareDistribution #DigitalCertificates #Phishing
📈 The rise in infostealers like Jupyter follows a trend of increased remote work. Infostealers are being used more frequently to gather credentials that enable access to enterprise networks. Firms like Red Canary and Uptycs have reported a significant rise in such attacks, emphasizing the opportunistic nature of these malware campaigns. #RemoteWorkSecurity #InfostealerTrend #RedCanary #Uptycs
🌐 The impact of Jupyter and other infostealers is severe, with stolen data often sold on the dark web, posing significant risks to both organizations and individuals. The increasing sophistication and frequency of these attacks highlight the need for advanced cybersecurity measures.
0 notes
avypr · 6 years ago
Note
‘ aHH STOP! i could’ve dropped my croissant! ’
vine  starters     💥     accepting   !
     “   and   ?   “   bullet  rolls  between  her  fingers   ,   attention  remaining  distant   ,   indifferent   …   before  she  pockets  ammunition  and  meets  sombra’s  gaze   .   “   y’know   ,   it’s  rude  to  come  to  a  lady  eatin’  food  and  not  offer  her  some   .   common  courtesy   ,   ain’t  it   ?   “
     she  doesn’t  care  either  way   ;   a  hint  of  a  smirk  on  her  face  makes  it  clear   .   can’t  help  but  want  to  test  this  theory   —    ashe  does  the  very  thing  that  almost  caused  croissant  to  fall  in  the  first  place   .
     “   oops   .   “
4 notes · View notes
atrophite · 6 years ago
Note
“gabe watch this” does her lil reaper marionette gag B)
Nonchalantly :  “  Why  are  his  thighs  so  big  .  ”
3 notes · View notes