Threat actor exploited account credentials swept up by infostealers years earlier.
Canadian authorities have arrested a man on suspicion he breached hundreds of accounts belonging to users of cloud storage provider Snowflake and used that access to steal personal data belonging to millions of people, authorities said Tuesday.
“Following a request by the United States, Alexander Moucka (aka Connor Moucka) was arrested on a provisional arrest warrant on Wednesday, October 30, 2024,” an official with the Canada Department of Justice wrote in an email Tuesday. “He appeared in court later that afternoon, and his case was adjourned to Tuesday, November 5, 2024. As extradition requests are considered confidential state-to-state communications, we cannot comment further on this case.”
Word of the arrest first came from Bloomberg News and was later confirmed by 404 Media.
Scourge of the infostealers
The Snowflake compromise came to light in late May, following the disclosure by Live Nation that data held by its Ticketmaster group had been stolen and put up for sale online. The data included the full names, addresses, phone numbers, and partial credit card numbers for 560 million Ticketmaster customers. Live Nation later told TechCrunch the data had been stored in an account on Snowflake.
Mandiant, a Google-owned security firm Snowflake retained to investigate the breach, has said that 165 customers of the cloud storage provider may have had data stolen during that spree. Data purporting to be taken from many customers was later put up for auction online, creating major risks for the breached companies and the individual holders of that personal data.
Mandiant went on to say that all the compromises it had tracked were the result of login credentials for Snowflake accounts being stolen by infostealer malware and stored in vast logs, sometimes for years at a time, before eventually making their way into the hands of the threat actors who used them in the individual breaches.
None of the affected accounts used multifactor authentication, which requires users to provide a one-time password or additional means of authentication besides a password. After that revelation, Snowflake enforced mandatory MFA for accounts and required that passwords be at least 14 characters long.
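The two control failures the article describes, password-only logins and long-lived credentials that sit in infostealer logs for years, are both things an account owner can audit. The script below is an added example, not code from the article, Snowflake or Mandiant; the login records and user records are constructed for illustration, and their field names (user, success, first_factor, second_factor, mfa_enrolled, password_last_set) are assumptions modelled loosely on what a login-history export from a cloud service might contain, not any vendor's actual schema. It flags successful password-only logins, accounts not enrolled in MFA, accounts whose password is older than an assumed rotation limit, and candidate passwords shorter than the 14-character minimum the article mentions.

```python
"""Audit login history and user records for the weaknesses behind the
Snowflake customer breaches: password-only logins and stale credentials.

Added example; all data below is constructed and the record layout is an
assumption, not a real vendor export format."""
from datetime import date, datetime, timezone

MIN_PASSWORD_LENGTH = 14      # the minimum the article says Snowflake now requires
PASSWORD_MAX_AGE_DAYS = 365   # assumed rotation policy for this example
AS_OF = date(2024, 5, 1)      # constructed audit date

# Constructed login-history rows (not real data). 203.0.113.0/24 and
# 198.51.100.0/24 are documentation address ranges.
SAMPLE_LOGINS = [
    {"user": "etl_service", "ts": "2024-04-14T02:11:09Z", "success": True,
     "first_factor": "PASSWORD", "second_factor": None, "client_ip": "203.0.113.7"},
    {"user": "etl_service", "ts": "2024-04-14T02:13:40Z", "success": True,
     "first_factor": "PASSWORD", "second_factor": None, "client_ip": "203.0.113.7"},
    {"user": "alice", "ts": "2024-04-14T09:02:00Z", "success": True,
     "first_factor": "PASSWORD", "second_factor": "DUO_PUSH", "client_ip": "198.51.100.20"},
    {"user": "bob", "ts": "2024-04-14T09:05:31Z", "success": False,
     "first_factor": "PASSWORD", "second_factor": None, "client_ip": "203.0.113.7"},
    {"user": "carol", "ts": "2024-04-14T10:45:12Z", "success": True,
     "first_factor": "SAML2", "second_factor": None, "client_ip": "198.51.100.21"},
]

# Constructed user records (not real data).
SAMPLE_USERS = [
    {"user": "etl_service", "mfa_enrolled": False, "password_last_set": "2021-06-30"},
    {"user": "alice", "mfa_enrolled": True, "password_last_set": "2024-01-15"},
    {"user": "bob", "mfa_enrolled": False, "password_last_set": "2023-11-02"},
    {"user": "carol", "mfa_enrolled": True, "password_last_set": "2024-03-01"},
]


def parse_ts(value):
    """Parse the constructed ISO-8601 UTC timestamp used in the sample rows."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def single_factor_logins(rows):
    """Successful logins that presented a password and no second factor.

    Federated logins (first_factor SAML2) are not flagged here because the
    second factor, if any, is enforced by the identity provider; that is an
    assumption of this example and should be verified against the IdP."""
    return [r for r in rows
            if r["success"] and r["first_factor"] == "PASSWORD"
            and r["second_factor"] is None]


def users_logging_in_without_mfa(rows):
    """Distinct users with at least one successful password-only login."""
    return sorted({r["user"] for r in single_factor_logins(rows)})


def unenrolled_accounts(users):
    """Accounts with no MFA enrollment at all (the state the article describes)."""
    return sorted(u["user"] for u in users if not u["mfa_enrolled"])


def stale_password_accounts(users, as_of=AS_OF, max_age_days=PASSWORD_MAX_AGE_DAYS):
    """(user, age_in_days) for accounts whose password is older than the limit.

    A password set years ago is exactly what an old infostealer log would
    still hold, so age alone is a useful rotation trigger."""
    flagged = []
    for u in users:
        age = (as_of - date.fromisoformat(u["password_last_set"])).days
        if age > max_age_days:
            flagged.append((u["user"], age))
    return flagged


def meets_length_policy(password):
    """True when a candidate password satisfies the 14-character minimum."""
    return len(password) >= MIN_PASSWORD_LENGTH


def audit(rows=SAMPLE_LOGINS, users=SAMPLE_USERS, as_of=AS_OF):
    """Combine the checks into one report dictionary."""
    first_seen = min((parse_ts(r["ts"]) for r in single_factor_logins(rows)), default=None)
    return {
        "single_factor_login_count": len(single_factor_logins(rows)),
        "earliest_single_factor_login": first_seen.isoformat() if first_seen else None,
        "users_logging_in_without_mfa": users_logging_in_without_mfa(rows),
        "accounts_not_enrolled": unenrolled_accounts(users),
        "stale_passwords": stale_password_accounts(users, as_of),
    }


if __name__ == "__main__":
    for key, value in audit().items():
        print(f"{key}: {value}")
```

Run against the constructed data, the report singles out the service account: it logs in with a password only, is not enrolled in MFA, and has a password set roughly three years before the audit date, which is the combination the article attributes to every affected Snowflake account. Service accounts are worth separate attention because they are often exempted from MFA enforcement and rarely rotated.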
Mandiant had identified the threat group behind the breaches as UNC5537. The group has referred to itself as ShinyHunters. Snowflake offers its services under a model known as SaaS (software as a service).
“UNC5537 aka Alexander ‘Connor’ Moucka has proven to be one of the most consequential threat actors of 2024,” Mandiant wrote in an emailed statement. “In April 2024, UNC5537 launched a campaign, systematically compromising misconfigured SaaS instances across over a hundred organizations. The operation, which left organizations reeling from significant data loss and extortion attempts, highlighted the alarming scale of harm an individual can cause using off-the-shelf tools.”
Mandiant said a co-conspirator, John Binns, was arrested in June. The status of that case wasn’t immediately known.
Besides Ticketmaster, other customers known to have been breached include AT&T and Spain-based bank Santander. In July, AT&T said that personal information and phone and text message records for roughly 110 million customers were stolen. WIRED later reported that AT&T paid $370,000 in return for a promise the data would be deleted.
Other Snowflake customers reported by various news outlets as breached are Pure Storage, Advance Auto Parts, Los Angeles Unified School District, QuoteWizard/LendingTree, Neiman Marcus, Anheuser-Busch, Allstate, Mitsubishi, and State Farm.
KrebsOnSecurity reported Tuesday that Moucka has been named in multiple charging documents filed by US federal prosecutors. Reporter Brian Krebs said specific charges and allegations are unknown because the cases remain sealed.
Hope you enjoyed this news post.
Thank you for appreciating my time and effort posting news every day for many years.
2023: Over 5,800 news posts | 2024 (till end of October): 4,832 news posts
RIP Matrix | Farewell my friend