Review: Snowflake Attack Summary

560M customer info sold in darkweb including Ticketmaster and 165+ others.

Summaries are based on Snowflake’s blog, Mandaint via Google Threat Intelligence and Crowdstrike.

Timeline:

• April 2024: Mandiant receives threat intelligence on database records stolen from a Snowflake instance.

• May 22, 2024: Mandiant contacts Snowflake and begins notifying potential victims (approx. 165 organizations).

• May 30, 2024: Snowflake publishes hardening guidance for customers.

Key Findings:

• No evidence of Snowflake platform vulnerability or breach: The attacks appear to be targeting customers, not Snowflake's systems.

• No evidence of compromised Snowflake employee credentials: The attackers appear to be leveraging previously compromised customer credentials.

• Targeted campaign focused on single-factor authentication: The attacks mainly target accounts without Multi-Factor Authentication (MFA).

• Attackers using purchased or stolen credentials: Credentials were likely obtained through infostealer malware and other cyber threats.

• Demo account accessed with personal credentials: A demo account belonging to a former Snowflake employee was compromised, highlighting the need for MFA even on non-production accounts.

Attacker:

• UNC5537: A financially motivated threat actor stealing data from Snowflake instances and extorting victims.

• Active since: May 2024, but some stolen credentials date back to 2020.

• Location: Members based in North America with a collaborator in Turkey.

Attack Method:

• Stolen Credentials: Primary intrusion vector, obtained from infostealer malware (VIDAR, RISEPRO, REDLINE, RACOON STEALER, LUMMA and METASTEALER).

• Infostealer Malware: Primarily targeted contractor systems used for personal activities.

• Reconnaissance: Uses tools like:

  • FROSTBITE (“.NET” and “JAVA” versions) for SQL recon (listing users, roles, IPs, session IDs, etc.)

  • DBeaver Ultimate for database management and queries.

Data Exfiltration:

• SQL commands used:

  • SHOW TABLES: List databases and tables.

  • SELECT: Download specific tables.

  • LIST/LS: Enumerate stages before creating temporary stages.

  • CREATE STAGE: Create temporary stages for data staging.

  • COPY INTO: Copy data to temporary stages.

  • GET: Exfiltrate data from temporary stages to local machines.

Impact:

• Hundreds of organizations targeted: Data theft and extortion.

• Data theft: Stolen data sold on cybercrime forums.

• Compromised credentials: 79.7% of affected accounts had prior exposure.

Causes:

• Lack of multi-factor authentication (MFA): Enabled easy access with stolen credentials.

• Unrotated credentials: Some credentials stolen years ago were still valid.

• No network allow lists: Allowed access from untrusted locations.

Recommendations:

• Credential monitoring and rotation: Detect and replace exposed credentials.

• Universal MFA enforcement: Secure authentication.

• Network allow lists: Limit traffic to trusted locations.

• Abnormal access alerts: Monitor for unusual activity.

Additional Information:

• Attacker infrastructure: Mullvad or PIA VPNs for access, VPS systems (ALEXHOST SRL), MEGA cloud storage.

• Indicators of Compromise (IOCs): Google Threat Intelligence Collection of IPs available, client application IDs (Rapeflake, DBeaver, etc.)

Reference:

1. Google Threat Intelligence: https://cloud.google.com/blog/topics/threat-intelligence/unc5537-snowflake-data-theft-extortion

2. Snowflake, https://community.snowflake.com/s/question/0D5VI00000Emyl00AB/detecting-and-preventing-unauthorized-user-access