A new report from Mandiant, a part of Google Cloud, reveals that a financially motivated threat actor named UNC5537 collected and exfiltrated data from about 165 organizations’ Snowflake customer instances. Snowflake is a cloud data platform used for storing and analyzing large volumes of data.
The threat actor managed to gain access to this data by using credentials that had previously been stolen by infostealer malware or purchased from other cybercriminals.
According to Mandiant, the threat actor UNC5537 advertises victim data for sale on cybercrime forums and attempts to extort many of the victims. Once the data is sold, any cybercriminal might buy this information for various purposes such as cyber espionage, competitive intelligence or more financially oriented fraud.
How were some Snowflake customers targeted for this data theft and extortion?
A joint statement provided by Snowflake, Mandiant and cybersecurity company CrowdStrike indicates there is no evidence suggesting the fraudulent activity was caused by a vulnerability, misconfiguration or breach of Snowflake’s platform. There is also no evidence the activity was caused by compromised credentials belonging to current or former Snowflake employees.
Instead, evidence shows the attackers obtained credentials from multiple infostealer malware campaigns that infected systems not owned by Snowflake. The threat actor then gained access to the affected accounts, which allowed the exfiltration of a significant volume of customer data from the respective Snowflake customer instances.
Mandiant researchers stated that the majority of the credentials used by UNC5537 were available from historical infostealer malware; some of these credentials date back to November 2020 but were still usable. Different infostealer malware families were responsible for the credential theft, the most used ones being Vidar, RisePro, Redline, Raccoon Stealer, Lumma and MetaStealer.
According to Mandiant and Snowflake, at least 79.7% of the accounts leveraged by the threat actor had prior credential exposure.
Mandiant also reported that the initial infostealer malware compromise occurred on contractor systems that were also used for personal activities, including gaming and downloads of pirated software, which is a strong vector for spreading infostealers.
How did UNC5537 obtain the stolen credentials?
As reported, the threat actor obtained credentials from a variety of infostealer malware, yet UNC5537 also leveraged credentials that had previously been purchased.
While no further information is provided by Mandiant, it is reasonable to assume these credentials were bought in one or several cybercriminal underground marketplaces directly from so-called Initial Access Brokers, a category of cybercriminals who sell stolen corporate access to other fraudsters.
As written by Mandiant in its report, “the underground infostealer economy is also extremely robust, and large lists of stolen credentials exist both for free and for purchase inside and outside of the dark web.” Mandiant also reported that, in 2023, 10% of overall intrusions began with stolen credentials, representing the fourth most notable initial intrusion vector.
What were the initial access and data exfiltration methods in this Snowflake attack?
In this attack campaign, initial access to Snowflake customer instances usually occurred via the native web user interface (Snowflake Snowsight) or via the command-line interface tool provided by Snowflake (SnowSQL). An additional attacker-named tool called “rapeflake”, tracked as FROSTBITE by Mandiant, has been used to perform reconnaissance against Snowflake instances.
FROSTBITE exists in at least two versions: one written in .NET that interacts with the Snowflake .NET driver, and one written in Java that interacts with the Snowflake JDBC driver. The tool allows the attackers to perform SQL actions such as listing users, current roles, current IP addresses, session IDs and organizations’ names.
A public database management tool, DBeaver Ultimate, has also been used by the threat actor to run queries on the Snowflake instances.
Using SQL queries, the threat actor was able to exfiltrate information from databases. Once interesting data was found, it was compressed as GZIP using the “COPY INTO” command to reduce the size of the data to be exfiltrated.
The attacker mainly used the Mullvad and Private Internet Access VPN services to access the victims’ Snowflake instances. A Moldovan VPS provider, ALEXHOST SRL, was also used for data exfiltration. The threat actor stored victim data on several international VPS providers, as well as on the cloud storage provider MEGA.
What organizations are at risk?
The attack campaign appears to be a targeted campaign aimed at Snowflake users with single-factor authentication. All users with multifactor authentication are safe from this attack campaign and were not targeted.
In addition, the impacted Snowflake customer instances did not have allow lists in place to restrict connections to trusted locations only.
Tips from Snowflake on how to protect your business from this cybersecurity threat
Snowflake published information on detecting and preventing unauthorized user access.
The company provided a list of almost 300 suspicious IP addresses used by the threat actor and shared a query to identify access from the suspect IP addresses. The company also provided a query to identify the usage of the “rapeflake” and “DBeaver Ultimate” tools. Any user account returning results from these queries must immediately be disabled.
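Added example of what such hunting queries look like against the SNOWFLAKE.ACCOUNT_USAGE views; this is not Snowflake's published query or the article's own material. The IP values and the user name are constructed placeholders standing in for the published indicator list and a matched account.

```sql
-- Assumes a role with access to the SNOWFLAKE database (ACCOUNTADMIN).
-- ACCOUNT_USAGE views lag live activity by up to a couple of hours.

-- 1. Logins from the suspect IP list. The two addresses below are constructed
--    placeholders; substitute the published list of indicators.
SELECT event_timestamp, user_name, client_ip, reported_client_type,
       first_authentication_factor, second_authentication_factor, is_success
FROM   snowflake.account_usage.login_history
WHERE  client_ip IN ('192.0.2.10', '198.51.100.20')
  AND  event_timestamp >= DATEADD(day, -180, CURRENT_TIMESTAMP())
ORDER  BY event_timestamp DESC;

-- 2. Sessions opened by the "rapeflake" reconnaissance tool or DBeaver Ultimate,
--    joined to the login event so the source IP and auth factors are visible.
SELECT s.created_on, s.user_name, s.client_application_id, s.client_environment,
       l.client_ip, l.first_authentication_factor, l.second_authentication_factor
FROM   snowflake.account_usage.sessions s
JOIN   snowflake.account_usage.login_history l
       ON s.login_event_id = l.event_id
WHERE  s.client_application_id ILIKE '%rapeflake%'
   OR  s.client_application_id ILIKE '%DBeaver%Ultimate%'
ORDER  BY s.created_on DESC;

-- 3. Successful password-only logins (no second factor) in the last 30 days:
--    the population this campaign targeted, summarised per user.
SELECT user_name,
       COUNT(*)                  AS single_factor_logins,
       COUNT(DISTINCT client_ip) AS distinct_source_ips,
       MAX(event_timestamp)      AS last_seen
FROM   snowflake.account_usage.login_history
WHERE  is_success = 'YES'
  AND  first_authentication_factor = 'PASSWORD'
  AND  second_authentication_factor IS NULL
  AND  event_timestamp >= DATEADD(day, -30, CURRENT_TIMESTAMP())
GROUP  BY user_name
ORDER  BY single_factor_logins DESC;

-- 4. Containment for an account that matched: disable it and abort its running
--    queries. "<SUSPECT_USER>" is a placeholder for the matched account.
ALTER USER "<SUSPECT_USER>" SET DISABLED = TRUE;
ALTER USER "<SUSPECT_USER>" ABORT ALL QUERIES;
```

Query 3 is wider than the two checks the article describes: it enumerates every account still relying on a password alone, which is the exposure the campaign exploited even where no known indicator matched.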
Security hardening is highly recommended by Snowflake:
- Enforce MFA for users.
- Set up account-level and user-level network policies for highly privileged users and service accounts.
- Review account parameters to restrict data export from Snowflake accounts.
- Monitor Snowflake accounts for unauthorized privilege escalation or configuration changes and investigate any such events.
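Added example showing the four hardening items above as Snowflake SQL; it is not Snowflake's own guidance text. The IP ranges, policy names and the `etl_service` user are constructed placeholders.

```sql
-- Run as ACCOUNTADMIN. Ranges, policy names and the service user are placeholders.

-- (1) MFA: list password-enabled users who have not enrolled in MFA (Duo).
SELECT name, login_name, last_success_login
FROM   snowflake.account_usage.users
WHERE  deleted_on IS NULL
  AND  has_password = TRUE
  AND  ext_authn_duo = FALSE;

-- (2) Network policies: an account-wide allow list, plus a tighter one pinned
--     to the single host that runs the pipeline. A user-level policy takes
--     precedence over the account-level policy for that user.
CREATE NETWORK POLICY corp_egress_only
  ALLOWED_IP_LIST = ('203.0.113.0/24', '198.51.100.8/32')   -- placeholder corporate egress ranges
  COMMENT = 'Account-wide allow list; commercial VPN exit nodes are deliberately absent';
CREATE NETWORK POLICY etl_service_only
  ALLOWED_IP_LIST = ('203.0.113.17/32')                     -- placeholder: the one pipeline host
  COMMENT = 'Service account may only connect from the pipeline host';
ALTER ACCOUNT SET NETWORK_POLICY = corp_egress_only;
ALTER USER etl_service SET NETWORK_POLICY = etl_service_only;

-- (3) Export restrictions: refuse COPY INTO an inline external URL (the unload
--     path used in this campaign) and force stages through a storage
--     integration, i.e. pre-approved cloud buckets only.
ALTER ACCOUNT SET PREVENT_UNLOAD_TO_INLINE_URL = TRUE;
ALTER ACCOUNT SET REQUIRE_STORAGE_INTEGRATION_FOR_STAGE_CREATION = TRUE;
ALTER ACCOUNT SET REQUIRE_STORAGE_INTEGRATION_FOR_STAGE_OPERATION = TRUE;
SHOW PARAMETERS LIKE 'PREVENT_UNLOAD%' IN ACCOUNT;             -- verify: value = TRUE
SHOW PARAMETERS LIKE 'REQUIRE_STORAGE_INTEGRATION%' IN ACCOUNT;

-- (4) Monitoring: successful grants, account/user changes, network policy
--     changes and new stages in the last 7 days, for review.
SELECT start_time, user_name, role_name, query_text
FROM   snowflake.account_usage.query_history
WHERE  start_time >= DATEADD(day, -7, CURRENT_TIMESTAMP())
  AND  execution_status = 'SUCCESS'
  AND  (query_text ILIKE 'GRANT %'
     OR query_text ILIKE 'ALTER ACCOUNT%'
     OR query_text ILIKE 'ALTER USER%'
     OR query_text ILIKE '%NETWORK POLICY%'
     OR query_text ILIKE 'CREATE%STAGE%')
ORDER  BY start_time DESC;
```

Apply the network policy to the account only after confirming the allow list covers every legitimate egress address, since a wrong range locks out administrators as well as attackers.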
Additionally, it is strongly recommended to keep all software and operating systems up to date and patched to avoid compromise through a common vulnerability, which might lead to a credential leak.
Security solutions must be deployed on every endpoint to prevent infostealer infection.
It is also advised to raise awareness of computer security and to train staff to detect and report suspicious cybersecurity events.
Disclosure: I work for Trend Micro, but the views expressed in this article are mine.