Numerous companies have fallen victim to a cyberattack carried out with credential-stealing malware (infostealers): the attackers used the stolen logins to reach data belonging to about 165 customers of the cloud data platform Snowflake.
QuoteWizard Affected
Last Friday, a representative of QuoteWizard, a subsidiary of the online lending marketplace LendingTree, confirmed that the firm is one of the many organizations affected; Snowflake had brought the matter to its attention. The company is still investigating whether any of its own data was actually taken. Mandiant, the Google-owned security firm Snowflake hired to investigate the mass compromise, has so far identified 165 customers whose data may have been stolen during the incident.
Major Companies Impacted
Earlier, concert promoter Live Nation confirmed that a massive breach hit its ticketing subsidiary Ticketmaster, exposing about 560 million customer records, including full names, addresses, telephone numbers, and partial credit card numbers. Santander, the largest bank in Spain, also confirmed the theft of data belonging to some of its customers. The same criminals who offered Ticketmaster's database for sale advertised the Santander data as well. Researchers at the cybersecurity firm Hudson Rock reported that the stolen information had been stored in Snowflake; Santander neither confirmed nor denied this.
The Hack
Mandiant found that the unauthorized access resulted from credentials stolen by infostealer malware on victims' machines, not from a vulnerability in Snowflake itself. None of the compromised accounts had two-factor authentication enabled. The majority of the suspected hacking group, tracked as UNC5537, is based in North America. In some cases the credentials used to log in to Snowflake had been stolen as far back as 2020 and had never been rotated since. Three missing controls made the intrusions possible: two-factor authentication, periodic credential rotation, and network restrictions (allow-listing of the IP ranges or locations from which logins to the Snowflake account are accepted).
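To make those three weaknesses concrete, here is an added example (not from the article, nor Snowflake's or Mandiant's code): a small Python triage script that runs the checks a defender would run over a Snowflake account export to find the accounts exposed to exactly this kind of credential replay. Column names mirror Snowflake's ACCOUNT_USAGE.USERS and ACCOUNT_USAGE.LOGIN_HISTORY views; the rows, the allowed IP ranges, the 90-day rotation threshold, and the network policy name CORP_EGRESS_ONLY are constructed assumptions for illustration.

```python
"""Triage of Snowflake-style account and login records for the three weaknesses
behind the UNC5537 intrusions: no MFA, long-unrotated passwords, and logins
accepted from any network. Added example; the data below is constructed and
the column names only mirror ACCOUNT_USAGE.USERS / ACCOUNT_USAGE.LOGIN_HISTORY."""
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

NOW = datetime(2024, 6, 10, tzinfo=timezone.utc)  # fixed "today" so results are reproducible
MAX_PASSWORD_AGE = timedelta(days=90)             # assumed rotation policy

# Assumed corporate egress ranges (hypothetical); anything else is "off-network".
ALLOWED_NETWORKS = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]

# Constructed rows modelled on ACCOUNT_USAGE.USERS
USERS = [
    {"NAME": "ETL_SVC",   "HAS_MFA": False, "DISABLED": False, "PASSWORD_LAST_SET_TIME": datetime(2020, 3, 14, tzinfo=timezone.utc)},
    {"NAME": "ALICE",     "HAS_MFA": True,  "DISABLED": False, "PASSWORD_LAST_SET_TIME": datetime(2024, 5, 1, tzinfo=timezone.utc)},
    {"NAME": "CONTRACT1", "HAS_MFA": False, "DISABLED": False, "PASSWORD_LAST_SET_TIME": datetime(2024, 4, 20, tzinfo=timezone.utc)},
    {"NAME": "OLDUSER",   "HAS_MFA": False, "DISABLED": True,  "PASSWORD_LAST_SET_TIME": datetime(2019, 1, 1, tzinfo=timezone.utc)},
]

# Constructed rows modelled on ACCOUNT_USAGE.LOGIN_HISTORY
LOGINS = [
    {"USER_NAME": "ETL_SVC",   "CLIENT_IP": "203.0.113.10", "FIRST_AUTHENTICATION_FACTOR": "PASSWORD", "SECOND_AUTHENTICATION_FACTOR": None,       "IS_SUCCESS": "YES"},
    {"USER_NAME": "ETL_SVC",   "CLIENT_IP": "192.0.2.77",   "FIRST_AUTHENTICATION_FACTOR": "PASSWORD", "SECOND_AUTHENTICATION_FACTOR": None,       "IS_SUCCESS": "YES"},
    {"USER_NAME": "ALICE",     "CLIENT_IP": "198.51.100.5", "FIRST_AUTHENTICATION_FACTOR": "PASSWORD", "SECOND_AUTHENTICATION_FACTOR": "DUO_PUSH", "IS_SUCCESS": "YES"},
    {"USER_NAME": "CONTRACT1", "CLIENT_IP": "192.0.2.77",   "FIRST_AUTHENTICATION_FACTOR": "PASSWORD", "SECOND_AUTHENTICATION_FACTOR": None,       "IS_SUCCESS": "NO"},
]


def stale_password_accounts(users, now=NOW, max_age=MAX_PASSWORD_AGE):
    """Active accounts whose password is older than max_age (the 2020-era credentials case)."""
    return sorted(u["NAME"] for u in users
                  if not u["DISABLED"] and now - u["PASSWORD_LAST_SET_TIME"] > max_age)


def no_mfa_accounts(users):
    """Active accounts with no second factor enrolled."""
    return sorted(u["NAME"] for u in users if not u["DISABLED"] and not u["HAS_MFA"])


def single_factor_off_network_logins(logins, allowed=ALLOWED_NETWORKS):
    """Successful password-only logins from an IP outside the allow-list: the
    signature of a stolen password replayed from an attacker's VPN or VPS."""
    hits = []
    for row in logins:
        if row["IS_SUCCESS"] != "YES" or row["SECOND_AUTHENTICATION_FACTOR"] is not None:
            continue
        ip = ip_address(row["CLIENT_IP"])
        if not any(ip in net for net in allowed):
            hits.append((row["USER_NAME"], row["CLIENT_IP"]))
    return hits


def risk_report(users, logins, now=NOW):
    """Per-user list of findings combining the three checks; users with none are omitted."""
    stale = set(stale_password_accounts(users, now))
    nomfa = set(no_mfa_accounts(users))
    offnet = {}
    for user, ip in single_factor_off_network_logins(logins):
        offnet.setdefault(user, []).append(ip)
    report = {}
    for u in users:
        if u["DISABLED"]:
            continue
        findings = []
        if u["NAME"] in nomfa:
            findings.append("no_mfa")
        if u["NAME"] in stale:
            findings.append("stale_password")
        if u["NAME"] in offnet:
            findings.append("single_factor_off_network:" + ",".join(offnet[u["NAME"]]))
        if findings:
            report[u["NAME"]] = findings
    return report


def network_policy_sql(allowed=ALLOWED_NETWORKS, name="CORP_EGRESS_ONLY"):
    """Snowflake statements that restrict account logins to the allow-list
    (the policy name is a hypothetical example)."""
    ips = ", ".join(f"'{net}'" for net in allowed)
    return (f"CREATE NETWORK POLICY {name} ALLOWED_IP_LIST = ({ips});\n"
            f"ALTER ACCOUNT SET NETWORK_POLICY = {name};")


if __name__ == "__main__":
    for user, findings in risk_report(USERS, LOGINS).items():
        print(user, findings)
    print(network_policy_sql())
```

In the constructed data the service account ETL_SVC trips all three checks: no MFA, a password last set in 2020, and a successful password-only login from 192.0.2.77, outside the corporate ranges. Against a real account the same logic runs over the ACCOUNT_USAGE views, and the generated network policy is what closes the "log in from anywhere" gap, since an allow-list would have rejected the VPN and VPS exits the attackers used even with a valid stolen password.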
Threat Actors
Infostealers including Vidar, RisePro, RedLine, Raccoon Stealer, Lumma, and MetaStealer were used to harvest the credentials. In some cases the infected machines were used for both work and personal purposes, including gaming and running pirated software, a typical infostealer delivery route. Mandiant has tracked UNC5537's activity since May; the group has allegedly targeted hundreds of organizations worldwide and is driven primarily by financial gain. UNC5537 operates through several Telegram handles, with members in North America and one additional participant in Turkey. The operators connect through the Mullvad and Private Internet Access VPN services and use VPS servers from the Moldova-based provider Alexhost during their operations. Stolen data was staged with multiple VPS providers and on the cloud storage service Mega. Given this modus operandi, the attackers are likely to reuse the same intrusion technique against other SaaS platforms.