Snowflake Customers Attacked in Ongoing Extortion Campaign
A financially motivated threat actor tracked as UNC5537 has been conducting a campaign targeting Snowflake customer databases. At least 165 Snowflake customers are thought to have been affected. Snowflake is a multi-cloud data warehousing platform that customers use to store and analyze large volumes of structured and unstructured data. According to the Google-owned cybersecurity firm Mandiant, the threat actor has been systematically compromising customer accounts using stolen credentials, with the earliest evidence of account compromise detected on April 14, 2024.
When access is gained to the accounts, data is exfiltrated and demands are issued for payment to prevent the sale of the stolen data. Mandiant has notified 165 customers that they are exposed, but Snowflake has yet to confirm how many of its customers have been affected. Pure Storage has confirmed that an instance used for customer support was compromised, although no compromising customer data was accessed.
While Snowflake accounts are being targeted, no evidence has been found to indicate that there has been a breach of Snowflake’s environment. Mandiant said that every incident it has responded to so far has involved compromised credentials. Credentials can be compromised in many ways, but this campaign involves credential theft using multiple infostealer malware variants including Raccoon Stealer, Lumma, Metastealer, Vidar, Risepro, and Redline. In some cases, the infostealer infection dated back years; the earliest detected infection linked to the attacks was in November 2020.
Infostealers are distributed in phishing campaigns, through malvertising and fake websites, and the malware is often packaged with pirated software. One common theme identified by Mandiant was infostealer malware infections on contractor systems, commonly systems also used for personal activities such as gaming or downloading pirated software.
Companies often use contractors to manage their Snowflake instances and those contractors often use personal and unmonitored laptops. Since contractors work with multiple companies, an infostealer malware infection will allow a threat actor to obtain the credentials for multiple accounts. The risk is especially high since contractors are usually given IT and administrator-level privileges.
According to Mandiant, the campaign has been successful due to three main security failures: the affected customers did not have multifactor authentication enabled for their Snowflake accounts; passwords had not been changed or rotated for long periods, in some cases several years; and customers had not configured their Snowflake instances with network allow lists that only permit access from trusted locations.
While the attacks appear to involve credentials exposed in unrelated cyber incidents, Snowflake says the activity may be linked to the CVE-2023-51662 vulnerability. The vulnerability is due to improper certificate validation and affects the Snowflake .NET driver, which provides an interface to the Microsoft .NET open source software framework for developing applications.
Snowflake has created a list of IP addresses from clients identifying themselves as rapeflake and DBeaver_DBeaverUltimate, and has provided a query that will return login events that originated from those malicious IP addresses and queries to identify the actions that those clients took. The Health Sector Cybersecurity Coordination Center has also issued a healthcare and public health sector alert about the malicious activity and recommended mitigations.
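The three failures Mandiant lists (no MFA, stale passwords, no allow lists) and the kind of login-history review Snowflake is described as providing can both be shown in Snowflake SQL. The block below is an added example written for this article; it is not Snowflake’s published query and not Mandiant’s. It uses the documented SNOWFLAKE.ACCOUNT_USAGE views LOGIN_HISTORY, SESSIONS and QUERY_HISTORY to find successful password-only logins and sessions from the two client names reported above, scope what those sessions ran, and then apply a network allow list. The CIDR ranges and the user name are constructed placeholders, and matching the client names as a prefix of CLIENT_APPLICATION_ID is an assumption.

```sql
-- Added example for this article, not Snowflake's own IoC query.
-- ACCOUNT_USAGE views lag live activity by up to a few hours, so run
-- these as a review, not as a real-time alert.

-- 1. Successful logins in the last 90 days that used only a password.
--    Every row is an account that stolen credentials alone would have opened,
--    i.e. the MFA gap Mandiant describes.
SELECT event_timestamp,
       user_name,
       client_ip,
       reported_client_type,
       first_authentication_factor,
       second_authentication_factor
FROM   snowflake.account_usage.login_history
WHERE  event_timestamp >= DATEADD(day, -90, CURRENT_TIMESTAMP())
  AND  is_success = 'YES'
  AND  first_authentication_factor = 'PASSWORD'
  AND  second_authentication_factor IS NULL
ORDER BY event_timestamp DESC;

-- 2. Sessions whose client identified itself with one of the names reported
--    in the campaign, joined back to the login event to recover the source IP.
--    Prefix matching is an assumption; CLIENT_APPLICATION_ID often carries a
--    version suffix, so an exact match would miss rows.
SELECT l.event_timestamp,
       l.user_name,
       l.client_ip,
       s.session_id,
       s.client_application_id,
       s.client_environment
FROM   snowflake.account_usage.sessions s
JOIN   snowflake.account_usage.login_history l
  ON   s.login_event_id = l.event_id
WHERE  s.created_on >= '2024-04-01'          -- campaign first seen mid-April 2024
  AND (s.client_application_id ILIKE 'rapeflake%'
       OR s.client_application_id ILIKE 'DBeaver_DBeaverUltimate%')
ORDER BY l.event_timestamp;

-- 3. Queries executed inside those sessions, to scope what was read or copied.
--    Large ROWS_PRODUCED on SELECT or COPY INTO <location> is what bulk
--    exfiltration looks like in this view.
SELECT q.start_time,
       q.user_name,
       q.query_type,
       q.rows_produced,
       q.query_text
FROM   snowflake.account_usage.query_history q
JOIN   snowflake.account_usage.sessions s
  ON   q.session_id = s.session_id
WHERE  s.created_on >= '2024-04-01'
  AND (s.client_application_id ILIKE 'rapeflake%'
       OR s.client_application_id ILIKE 'DBeaver_DBeaverUltimate%')
ORDER BY q.start_time;

-- 4. Allow list: only corporate egress ranges may reach the account.
--    203.0.113.0/24 and 198.51.100.0/24 are documentation ranges used as
--    placeholders; replace them with your own egress CIDRs before applying.
CREATE OR REPLACE NETWORK POLICY trusted_egress_only
  ALLOWED_IP_LIST = ('203.0.113.0/24', '198.51.100.0/24')
  COMMENT = 'Restrict account access to known corporate egress ranges';

ALTER ACCOUNT SET NETWORK_POLICY = trusted_egress_only;

-- 5. Force rotation of a stale password on the next login.
--    analyst_jdoe is a constructed user name.
ALTER USER analyst_jdoe SET MUST_CHANGE_PASSWORD = TRUE;
```

Run step 1 before step 4: applying an allow list while a session from an untrusted range is still open does not retroactively end it, and the rows from step 2 and 3 are what you would hand to incident response to decide which tables were exposed. Step 1 finds the MFA gap but does not close it; at the time of the campaign, MFA in Snowflake was enrolled per user, so each password-only account surfaced by that query needs to be enrolled individually.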
“The breach at Snowflake started with leveraging stolen credentials. The access was not protected by any form of additional authentication other than a password. Every organization using third-party cloud services should ensure their accounts in those services are protected in the same way as they protect their own administrator accounts: with the least privilege principle and the just-in-time approach in mind, using strong multifactor authentication (MFA). Least privilege together with just-in-time will grant just enough access to perform specific tasks for a limited period of time. MFA will always require another identification criterion to be used to grant access to a given account, adding another step of verification,” explained Dirk Schrader, VP of Security Research at Netwrix.
“An organization’s third-party risk management should also include an incident response plan (IRP) for such a scenario, where the data they provide to a service provider is breached and is likely to be used against themselves. An IRP enables an organization’s security team to swiftly address potential exploitation attempts and make decisions based on what data was compromised specifically. In this case, the leaked data included company names, usernames, and email addresses. With this information, a malicious actor can conduct a phishing attack by sending an email with a request to confirm a login attempt to a fake portal that resembles a real one. By being aware of this, an organization can predict what the next phishing attempts will look like and prepare their users for it.”