
Snowflake Attacks Evolve: How Stolen Credentials Now Threaten Your Salesforce Data
A sophisticated and financially motivated cyber campaign targeting Snowflake data warehouses has taken an alarming new turn. Security researchers have discovered that the threat actors behind these attacks are now pivoting from compromised Snowflake accounts to steal massive amounts of data from connected Salesforce instances.
This development marks a significant escalation, demonstrating how a security lapse in one cloud platform can create a domino effect, exposing sensitive data across your entire software ecosystem. The core of this threat isn’t a complex software vulnerability but something far more fundamental: stolen user credentials.
How Hackers Are Breaching Cloud Platforms
The group, tracked by cybersecurity experts as UNC5537, operates with a straightforward yet highly effective strategy. Their campaign begins by acquiring login credentials for Snowflake accounts, which are often harvested using infostealer malware deployed on the systems of employees or third-party contractors.
Once they have valid usernames and passwords, the attackers seek out accounts that are not properly secured. Their primary targets are Snowflake accounts that do not have multi-factor authentication (MFA) enabled. After gaining initial access to a company’s Snowflake environment, the attackers don’t stop there. In a recent documented case, they used the compromised access to generate new security tokens, which then allowed them to connect to and exfiltrate an enormous volume of records from the victim’s Salesforce environment.
It is crucial to understand that this is not a vulnerability within the Snowflake or Salesforce platforms themselves. Instead, the attackers are exploiting weaknesses in customer security practices, specifically the failure to enforce MFA and manage user credentials effectively.
A Widespread Campaign Driven by Financial Gain
This is not an isolated incident. The campaign is widespread, with the threat actors systematically targeting hundreds of organizations that use Snowflake. Their ultimate goal is financial gain, either by extorting victims for the return of their data or by selling the stolen information on the dark web.
The attackers have been observed using a variety of infostealers, including VIDAR, RISEPRO, and LUMMA, to harvest credentials. This highlights the pervasive threat of malware on endpoint devices and the critical need for comprehensive security that extends beyond the cloud platform itself.
Crucial Steps to Protect Your Cloud Data
Protecting your organization from this evolving threat requires a proactive and layered security posture. Simply relying on the native security of your cloud provider is not enough. The following measures are essential to defending your critical data assets.
Enforce Mandatory Multi-Factor Authentication (MFA): This is the single most effective defense against these attacks. Ensure that MFA is enabled and required for every user accessing your Snowflake, Salesforce, and other critical cloud services. Credentials alone should never be enough for access.
Implement Network Controls: Set up IP address allow lists for your Snowflake and Salesforce accounts. This ensures that users can only log in from trusted corporate networks or through a VPN, significantly reducing the risk of unauthorized access from an attacker’s location.
Conduct Proactive Credential Reviews: Regularly audit and review all user accounts. Promptly disable credentials for former employees and contractors to close potential security gaps. Be especially vigilant about service accounts and administrative credentials.
Enhance Endpoint Security and User Education: Since the initial point of compromise is often a malware-infected device, strengthen your endpoint detection and response (EDR) capabilities. Educate employees about the dangers of phishing, malware, and the importance of strong, unique passwords.
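The MFA and network-control measures above can be checked against login telemetry rather than just configured. The following added example (not from the original article, and not Snowflake's or Salesforce's own tooling) audits constructed records shaped like Snowflake's ACCOUNT_USAGE.LOGIN_HISTORY view, flagging successful password-only sign-ins and sign-ins from outside an assumed corporate allow list; the user names, IP ranges and rows are all constructed sample data.

```python
from ipaddress import ip_address, ip_network

# Hypothetical corporate ranges that would also go into a network policy allow list.
TRUSTED_NETWORKS = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]

# Constructed sample rows; column names mirror LOGIN_HISTORY, values are made up.
SAMPLE_LOGINS = [
    {"USER_NAME": "ALICE", "CLIENT_IP": "203.0.113.17", "IS_SUCCESS": "YES",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD", "SECOND_AUTHENTICATION_FACTOR": "DUO_PUSH"},
    {"USER_NAME": "SVC_ETL", "CLIENT_IP": "192.0.2.44", "IS_SUCCESS": "YES",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD", "SECOND_AUTHENTICATION_FACTOR": None},
    {"USER_NAME": "BOB", "CLIENT_IP": "198.51.100.9", "IS_SUCCESS": "YES",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD", "SECOND_AUTHENTICATION_FACTOR": None},
    {"USER_NAME": "ALICE", "CLIENT_IP": "192.0.2.44", "IS_SUCCESS": "NO",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD", "SECOND_AUTHENTICATION_FACTOR": None},
]


def is_trusted(ip: str) -> bool:
    """True when the source address falls inside one of the trusted corporate ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def find_risky_logins(rows):
    """Return (user, ip, reasons) for each successful login that relied on a
    password alone or originated outside the trusted ranges. Failed attempts
    are skipped: the concern here is access that actually succeeded."""
    findings = []
    for r in rows:
        if r["IS_SUCCESS"] != "YES":
            continue
        reasons = []
        if r["FIRST_AUTHENTICATION_FACTOR"] == "PASSWORD" and not r["SECOND_AUTHENTICATION_FACTOR"]:
            reasons.append("password-only login (no MFA)")
        if not is_trusted(r["CLIENT_IP"]):
            reasons.append("source IP outside allow list")
        if reasons:
            findings.append((r["USER_NAME"], r["CLIENT_IP"], reasons))
    return findings


def users_without_mfa(rows):
    """Users who logged in successfully but never presented a second factor;
    these are the accounts to enrol first when enforcing mandatory MFA."""
    mfa_users = {r["USER_NAME"] for r in rows
                 if r["IS_SUCCESS"] == "YES" and r["SECOND_AUTHENTICATION_FACTOR"]}
    all_users = {r["USER_NAME"] for r in rows if r["IS_SUCCESS"] == "YES"}
    return sorted(all_users - mfa_users)


if __name__ == "__main__":
    for user, ip, reasons in find_risky_logins(SAMPLE_LOGINS):
        print(f"{user} from {ip}: {'; '.join(reasons)}")
    print("never used MFA:", users_without_mfa(SAMPLE_LOGINS))
```

Service accounts such as the constructed SVC_ETL above are the usual blind spot: they tend to lack MFA and connect from automation hosts, so they deserve the tightest allow list and the most frequent credential review.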
The escalation of this campaign to include connected applications like Salesforce is a stark reminder that cloud security is interconnected. A weakness in one area can quickly be exploited to compromise another. By prioritizing foundational security controls like MFA and vigilant credential management, organizations can build a resilient defense against even the most determined attackers.
Source: https://go.theregister.com/feed/www.theregister.com/2025/08/06/google_salesforce_attacks/