Mandiant's Analysis Unveils Cause of Snowflake Data Theft

The theft has affected as many as 165 of Snowflake's 9000+ customers worldwide
Mandiant identified three key issues that the customers affected by the data breach shared

Google-owned cybersecurity firm Mandiant has been called in to assist cloud computing giant Snowflake in its incident response efforts for a major data theft incident.

The theft, which Mandiant is tracking under the codename UNC5537, has affected as many as 165 of Snowflake's 9000+ customers worldwide.

Last week, authorities raised the alarm that companies using Snowflake environments had been compromised, with Santander Bank and Ticketmaster, two of Snowflake’s biggest customers, confirming breaches.

At the heart of the attack is a financially motivated threat group that has systematically compromised Snowflake customer instances using stolen credentials obtained from various infostealer malware campaigns. 


Sophisticated Attack Methodology

Mandiant's investigation has shed light on the tactics employed by the UNC5537 group. The method of attack involved leveraging the stolen credentials to gain unauthorised access to Snowflake customer instances. 

It noted that there's no evidence a breach of Snowflake's own enterprise environment was to blame for its customers' breaches. 

The breach was traced back to Snowflake customers’ credentials having been compromised in earlier malware campaigns using infostealers.

"The earliest infostealer infection date observed associated with a credential leveraged by the threat actor dated back to November 2020," Mandiant said, with the company having "identified hundreds of customer Snowflake credentials exposed via infostealers since 2020."

Mandiant determined that UNC5537 used legitimate credentials to break into the victim's Snowflake environment. The victim did not have multi-factor authentication turned on.

Once inside, the attackers deployed a reconnaissance utility dubbed FROSTBITE to gather sensitive information and run SQL queries.

Several of the initial compromises occurred on contractor systems that were being used for both work and personal activities.

"These devices, often used to access the systems of multiple organisations, present a significant risk," Mandiant researchers wrote. "If compromised by infostealer malware, a single contractor's laptop can facilitate threat actor access across multiple organisations, often with IT and administrator-level privileges."

The way a security supply chain and third-party partners expand an organisation's attack surface has recently been highlighted in studies showing how pervasive the problem is.

Examining the attack

Mandiant said all of the successful intrusions shared three things in common.

Three facts shared by those affected
  1. The victims didn't use multi-factor authentication (MFA), the security process that requires users to provide two or more verification factors to gain access to an account, system or application.
  2. The attackers used valid credentials, "hundreds" of which were stolen during infostealer infections. Some of those thefts occurred as far back as 2020, yet the credentials had still not been updated or rotated. Mandiant's analysis revealed that around 80% of the affected accounts had previously been exposed.
  3. The compromised accounts did not have network allow-lists in place. Network allow-lists, also known as IP allow-lists or whitelists, are security controls that restrict network access to specified IP addresses or ranges of IP addresses, allowing only approved sources to connect to systems, applications, or services.
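To make the three findings actionable, here is an added triage script (not from Mandiant, Snowflake or the article) that checks constructed login and user records for each condition: password-only logins with no second factor, credentials not rotated within a policy window, and successful logins from addresses outside an allow-list. The record column names mirror Snowflake's ACCOUNT_USAGE.LOGIN_HISTORY and USERS views, which is an assumption; the sample rows, networks and dates are constructed.

```python
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

# Constructed sample records. Column names follow Snowflake's
# ACCOUNT_USAGE.LOGIN_HISTORY and ACCOUNT_USAGE.USERS views (assumption).
LOGIN_HISTORY = [
    {"USER_NAME": "ANALYST1", "CLIENT_IP": "198.51.100.7", "IS_SUCCESS": "YES",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD", "SECOND_AUTHENTICATION_FACTOR": None},
    {"USER_NAME": "ADMIN2", "CLIENT_IP": "203.0.113.5", "IS_SUCCESS": "YES",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD", "SECOND_AUTHENTICATION_FACTOR": "DUO_PUSH"},
    {"USER_NAME": "SVC_ETL", "CLIENT_IP": "198.51.100.9", "IS_SUCCESS": "NO",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD", "SECOND_AUTHENTICATION_FACTOR": None},
]
USERS = [
    {"NAME": "ANALYST1", "PASSWORD_LAST_SET_TIME": datetime(2020, 11, 1, tzinfo=timezone.utc)},
    {"NAME": "ADMIN2", "PASSWORD_LAST_SET_TIME": datetime(2024, 5, 20, tzinfo=timezone.utc)},
    {"NAME": "SVC_ETL", "PASSWORD_LAST_SET_TIME": datetime(2023, 1, 15, tzinfo=timezone.utc)},
]
ALLOWED_NETS = [ip_network("203.0.113.0/24")]  # constructed corporate egress range
NOW = datetime(2024, 6, 10, tzinfo=timezone.utc)  # fixed "today" for reproducibility


def audit(logins, users, allowed_nets, now, max_age_days=90):
    """Map each user to the sorted list of conditions they fail."""
    findings = {}

    def flag(user, reason):
        findings.setdefault(user, set()).add(reason)

    for row in logins:
        if row["IS_SUCCESS"] != "YES":
            continue  # failed attempts are not evidence for these checks
        user = row["USER_NAME"]
        # 1. Password-only login with no second factor recorded.
        if (row["FIRST_AUTHENTICATION_FACTOR"] == "PASSWORD"
                and not row["SECOND_AUTHENTICATION_FACTOR"]):
            flag(user, "no_mfa")
        # 3. Successful login from an address outside the allow-list.
        if not any(ip_address(row["CLIENT_IP"]) in net for net in allowed_nets):
            flag(user, "outside_allow_list")
    # 2. Credentials that have not been rotated within the policy window.
    for u in users:
        if now - u["PASSWORD_LAST_SET_TIME"] > timedelta(days=max_age_days):
            flag(u["NAME"], "stale_password")
    return {user: sorted(reasons) for user, reasons in findings.items()}


def run_audit():
    return audit(LOGIN_HISTORY, USERS, ALLOWED_NETS, NOW)
```

Against the constructed data, ANALYST1 trips all three checks and SVC_ETL only the stale-password check, since its one login attempt failed. In Snowflake itself the allow-list corresponds to a network policy (CREATE NETWORK POLICY with an ALLOWED_IP_LIST) applied to the account or user.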

In response to the breach, Mandiant has been working closely with Snowflake to notify the affected organisations and assist them in hardening their security measures. 
