A new report from Mandiant, part of Google Cloud, reveals that a financially motivated threat actor called UNC5537 collected and exfiltrated data from around 165 organizations' Snowflake customer instances. Snowflake is a cloud data platform used to store and analyze large volumes of data.
The threat actor managed to access this data by activating credentials that were previously stolen by data-stealing malware or purchased from other cybercriminals.
According to Mandiant, the UNC5537 threat actor advertises the sale of victims' data on cybercrime forums and attempts to extort many of the victims. When the data is sold, any cybercriminal could buy this information for different purposes such as cyber espionage, competitive intelligence or more financially oriented fraud.
How were some Snowflake users targeted by this data theft and extortion?
A joint statement from Snowflake, Mandiant and cybersecurity company CrowdStrike indicates that there is no evidence that the fraudulent activity was caused by a vulnerability, misconfiguration or breach of Snowflake's platform. There is also no evidence that the activity was caused by compromised credentials of current or former Snowflake employees.
Instead, evidence shows that the attackers obtained credentials from multiple data-stealing malware campaigns that infected systems not owned by Snowflake. The threat actor then gained access to the affected accounts, allowing a significant volume of customer data to be leaked from the respective Snowflake customer instances.
Mandiant researchers claimed that most of the credentials used by UNC5537 were available in historical infostealer logs; some of those credentials dated back to November 2020 but were still usable. Several infostealer malware families were responsible for the credential theft; the most common were Vidar, Risepro, Redline, Raccoon Stealer, Lumma and Metastealer.
According to Mandiant and Snowflake, at least 79.7% of the accounts exploited by the threat actor had prior credential exposure.
Mandiant also reported that the initial infostealer infections occurred on contractor systems that were also being used for personal activities, including gaming and downloading pirated software, which is a common infection vector for this kind of malware.
How did UNC5537 obtain the stolen credentials?
As reported, the threat actor obtained credentials from a variety of information-stealing malware, but UNC5537 also leveraged credentials that were previously purchased.
While Mandiant does not provide additional information, it is reasonable to believe that these credentials were purchased on one or several cybercriminal underground markets directly from so-called initial access brokers, which are a category of cybercriminals who sell stolen corporate access to other fraudsters.
As Mandiant writes in its report, “the underground economy of information theft is also extremely robust, and large lists of stolen credentials exist both for free and for purchase on and off the dark web.” Mandiant also reported that in 2023, 10% of total intrusions began with stolen credentials, representing the fourth most notable initial intrusion vector.
What were the initial data access and exfiltration methods in this Snowflake attack?
In this campaign, initial access to Snowflake customer instances was often obtained through the native web-based user interface (Snowflake SnowSight) or the command-line interface tool provided by Snowflake (SnowSQL). An additional tool, called “rapeflake” by its operators and tracked as FROSTBITE by Mandiant, was used to perform reconnaissance against Snowflake instances.
FROSTBITE exists in at least two versions: one written in .NET that interacts with the Snowflake .NET driver, and one written in Java that interacts with the Snowflake JDBC driver. The tool allows attackers to run SQL queries such as listing users, current roles, current IP addresses, session IDs and organization names.
The threat actor has also used a public database management tool, DBeaver Ultimate, to run queries on Snowflake instances.
Using SQL queries, the threat actor extracted information from the databases. Once interesting data was found, it was compressed as GZIP using the “COPY TO” command to reduce the volume of data to exfiltrate.
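The tooling details above (non-standard drivers, a desktop database client and bulk unloads) are all visible in Snowflake's own audit views. The following is an added example, not a query from Mandiant's report or from Snowflake's published guidance: two hunting queries over the SNOWFLAKE.ACCOUNT_USAGE views. The view and column names are Snowflake's; the baseline of "known" client applications, the 14-day window and the unload threshold are assumptions to adjust for your own environment.

```sql
-- Added example: hunt for unfamiliar client drivers and bulk unloads in a Snowflake account.
-- Run with a role that can read SNOWFLAKE.ACCOUNT_USAGE (e.g. ACCOUNTADMIN).
-- ACCOUNT_USAGE views lag real time by up to a few hours, so keep windows generous.

-- 1. Sessions opened by client applications outside the set your organisation normally uses,
--    or matching the tool names named in the article. The allowlist is an assumed baseline;
--    build yours from a few weeks of normal traffic before trusting it.
SELECT s.created_on,
       s.user_name,
       s.client_application_id,
       s.authentication_method,
       l.client_ip,
       l.reported_client_type
FROM   snowflake.account_usage.sessions s
JOIN   snowflake.account_usage.login_history l
       ON l.event_id = s.login_event_id            -- documented join between the two views
WHERE  s.created_on >= DATEADD('day', -14, CURRENT_TIMESTAMP())
  AND  (   s.client_application_id ILIKE '%rapeflake%'
        OR s.client_application_id ILIKE '%DBeaver%'
        OR NOT (   s.client_application_id ILIKE 'Snowflake UI%'   -- assumed baseline
                OR s.client_application_id ILIKE 'SnowSQL%'
                OR s.client_application_id ILIKE 'PythonConnector%'))
ORDER BY s.created_on DESC;

-- 2. Unload statements (COPY INTO <location>), which is how data leaves an account in bulk.
--    Grouping by user and day makes a sudden spike from a single account stand out.
SELECT DATE_TRUNC('day', start_time) AS day,
       user_name,
       role_name,
       COUNT(*)                      AS unload_count,
       SUM(rows_unloaded)            AS rows_unloaded
FROM   snowflake.account_usage.query_history
WHERE  query_type = 'UNLOAD'
  AND  start_time >= DATEADD('day', -14, CURRENT_TIMESTAMP())
GROUP BY 1, 2, 3
HAVING COUNT(*) > 5                                -- threshold is an assumption
ORDER BY rows_unloaded DESC;
```

The first query is deliberately noisy on purpose: an unknown driver string is not proof of compromise, but every legitimate client should be explainable, and the list of exclusions is the place to record those explanations. The second query works because unloads are a distinct query type in Snowflake's history, so no text matching on the COPY statement itself is needed.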
The attacker primarily used Mullvad and Private Internet Access VPN services to access victims' Snowflake instances. A Moldovan VPS provider, ALEXHOST SRL, was also used for the data breach. The attacker stored victims' data on several international VPS providers as well as cloud storage provider MEGA.
What organizations are at risk?
The campaign appears to have targeted Snowflake users with single-factor authentication; all users with multi-factor authentication were safe from it and were not targeted.
Additionally, the affected Snowflake customer instances did not have network allowlists restricting connections to trusted locations.
Tips from Snowflake on how to protect your business from this cybersecurity threat
Snowflake published information on how to detect and prevent access by unauthorized users.
The company provided a list of nearly 300 suspicious IP addresses used by the threat actor and shared a query to identify access from the suspicious IP addresses. The company also provided a query to identify the use of the “rapeflake” and “DBeaver Ultimate” tools. Any user account that returns results from those queries should be deactivated immediately.
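The two conditions described above (password-only logins, and logins from addresses outside any allowlist) can be checked directly against Snowflake's LOGIN_HISTORY view. The following is an added example, not Snowflake's published detection query: the first statement lists every account that recently signed in with a password and no second factor, and the second matches logins against an indicator list. The two IP addresses are placeholders from a documentation range, standing in for the list of nearly 300 addresses Snowflake distributed; the 30- and 90-day windows are assumptions.

```sql
-- Added example (not Snowflake's own query): two checks over LOGIN_HISTORY.

-- 1. Successful logins that relied on a password alone. Any account listed here is
--    exposed to exactly the credential-replay pattern described in the article.
SELECT user_name,
       COUNT(*)                    AS single_factor_logins,
       COUNT(DISTINCT client_ip)   AS distinct_ips,
       MIN(event_timestamp)        AS first_seen,
       MAX(event_timestamp)        AS last_seen
FROM   snowflake.account_usage.login_history
WHERE  is_success = 'YES'                          -- column is a VARCHAR 'YES'/'NO'
  AND  first_authentication_factor = 'PASSWORD'
  AND  second_authentication_factor IS NULL
  AND  event_timestamp >= DATEADD('day', -30, CURRENT_TIMESTAMP())
GROUP BY user_name
ORDER BY single_factor_logins DESC;

-- 2. Login attempts, successful or not, from a list of suspicious addresses.
--    The addresses below are placeholders (203.0.113.0/24 is a documentation range);
--    replace them with the indicator list Snowflake distributed.
WITH suspicious_ips AS (
    SELECT column1 AS ip
    FROM   VALUES ('203.0.113.10'), ('203.0.113.11')   -- placeholder indicators
)
SELECT l.event_timestamp,
       l.user_name,
       l.client_ip,
       l.reported_client_type,
       l.is_success,
       l.error_message
FROM   snowflake.account_usage.login_history l
JOIN   suspicious_ips ip
       ON ip.ip = l.client_ip
WHERE  l.event_timestamp >= DATEADD('day', -90, CURRENT_TIMESTAMP())
ORDER BY l.event_timestamp DESC;
```

Failed attempts are kept in the second query on purpose: a burst of failures from an indicator address against a valid username is worth knowing about even when no session was created, and the error_message column shows whether the failure came from a wrong password, MFA, or a network policy block.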
Snowflake strongly recommends the following hardening steps:
- Apply MFA for users.
- Configure network policies at the account and user level, especially for highly privileged service accounts and users.
- Review account settings to restrict exporting data from Snowflake accounts.
- Monitor Snowflake accounts for unauthorized configuration changes or privilege escalations and investigate any such events.
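The four recommendations above map to concrete account-level statements in Snowflake. The following is an added example, not text from Snowflake's guidance: one script that requires MFA enrollment through an authentication policy, attaches network policies at both the account and user level, closes the ad-hoc export paths, and ends with a monitoring query for configuration and privilege changes. The policy, user and CIDR names are placeholders; authentication policies are a newer Snowflake feature than network policies, so confirm they are available in your account before relying on them.

```sql
-- Added example (not Snowflake's own guidance text): the four recommendations as statements.
-- Run with a suitably privileged role (SECURITYADMIN or ACCOUNTADMIN); all names are placeholders.

-- 1. Require MFA enrollment for password-based logins across the account.
--    Authentication policies are a newer feature; check availability in your edition first.
CREATE AUTHENTICATION POLICY IF NOT EXISTS require_mfa
    MFA_ENROLLMENT = REQUIRED;
ALTER ACCOUNT SET AUTHENTICATION POLICY require_mfa;

-- 2. Network policies: a baseline allowlist for the whole account, plus a tighter one
--    for a privileged service user that should only ever connect from one host.
--    The ranges below are placeholders from documentation address space.
CREATE NETWORK POLICY IF NOT EXISTS corp_only
    ALLOWED_IP_LIST = ('198.51.100.0/24', '203.0.113.0/24');
ALTER ACCOUNT SET NETWORK_POLICY = corp_only;

CREATE NETWORK POLICY IF NOT EXISTS etl_only
    ALLOWED_IP_LIST = ('198.51.100.7');
ALTER USER svc_etl SET NETWORK_POLICY = etl_only;   -- user-level policy overrides the account one

-- 3. Limit data export paths: block unloads to ad-hoc URLs, and force external stages
--    to be created and used through a reviewed storage integration.
ALTER ACCOUNT SET PREVENT_UNLOAD_TO_INLINE_URL = TRUE;
ALTER ACCOUNT SET REQUIRE_STORAGE_INTEGRATION_FOR_STAGE_CREATION = TRUE;
ALTER ACCOUNT SET REQUIRE_STORAGE_INTEGRATION_FOR_STAGE_OPERATION = TRUE;

-- 4. Monitor configuration changes and privilege grants. ACCOUNT_USAGE lags by up to a
--    few hours; schedule this as a task or export it to your SIEM rather than running it by hand.
SELECT start_time,
       user_name,
       role_name,
       query_text
FROM   snowflake.account_usage.query_history
WHERE  start_time >= DATEADD('day', -1, CURRENT_TIMESTAMP())
  AND  REGEXP_LIKE(query_text,
                   '^\\s*(GRANT|ALTER\\s+(USER|ACCOUNT)|CREATE\\s+USER|CREATE\\s+NETWORK|CREATE\\s+AUTHENTICATION).*',
                   'is')
ORDER BY start_time DESC;
```

Step 2 is the one that would have stopped the access pattern in this campaign outright: a replayed password from a VPN exit node is rejected at connection time when the account policy does not list that address, regardless of whether the credential is valid. Step 4 matters because an attacker with an administrative account can undo steps 1 to 3; the query is written against query_text so that it catches those changes however they are issued.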
Additionally, it is highly recommended to keep all software and operating systems updated and patched to avoid compromise through a known vulnerability, which could lead to a credential leak.
Security solutions should be deployed on all endpoints to prevent infostealer infections.
It is also recommended to raise cybersecurity awareness and train staff to detect and report suspicious security events.
Disclosure: I work for Trend Micro, but the opinions expressed in this article are my own.