Mandiant's Analysis Unveils Cause of Snowflake Data Theft

The theft has affected as many as 165 of Snowflake's 9000+ customers worldwide
Mandiant identified three things that the customers affected by the data theft had in common

Google-owned cybersecurity firm Mandiant has been called in to assist cloud computing giant Snowflake in its incident response efforts for a major data theft incident.

The threat actor behind the campaign, which Mandiant tracks as UNC5537, has affected as many as 165 of Snowflake's 9000+ customers worldwide.

Last week, authorities warned that companies using Snowflake environments had been compromised, and Santander Bank and Ticketmaster, two of Snowflake's biggest customers, confirmed breaches.

At the heart of the attack is a financially motivated threat group that has systematically compromised Snowflake customer instances using stolen credentials obtained from various infostealer malware campaigns. 


Sophisticated Attack Methodology

Mandiant's investigation has shed light on the tactics employed by the UNC5537 group. The method of attack involved leveraging the stolen credentials to gain unauthorised access to Snowflake customer instances. 

Mandiant found no evidence that a breach of Snowflake's own enterprise environment was to blame for its customers' breaches.

Instead, the intrusions were traced back to Snowflake customer credentials that had been stolen in earlier infostealer malware campaigns.

"The earliest infostealer infection date observed associated with a credential leveraged by the threat actor dated back to November 2020," Mandiant said, with the company having "identified hundreds of customer Snowflake credentials exposed via infostealers since 2020."

Mandiant determined that UNC5537 used legitimate credentials to log in to victims' Snowflake environments. Because those accounts had no multi-factor authentication enabled, a valid username and password was all the attacker needed.

Once inside, the attackers used a reconnaissance utility Mandiant calls FROSTBITE to gather information about the victim environment and run SQL queries against it.

Several of the initial compromises occurred on contractor systems that were being used for both work and personal activities.

"These devices, often used to access the systems of multiple organisations, present a significant risk," Mandiant researchers wrote. "If compromised by infostealer malware, a single contractor's laptop can facilitate threat actor access across multiple organisations, often with IT and administrator-level privileges."

The way contractors and other third-party partners expand an organisation's attack surface has been highlighted in recent studies as a pervasive supply-chain security problem.

Examining the attack

Mandiant said all of the successful intrusions shared three things in common.

Three facts shared by those affected
  • 1 - The victims did not use multi-factor authentication (MFA), the security process that requires users to provide two or more verification factors to gain access to an account, system or application.
  • 2 - The attackers used valid credentials, "hundreds" of which had been stolen in infostealer infections. Some of those thefts dated back as far as 2020, yet the credentials had never been changed or rotated. Mandiant's analysis found that around 80% of the affected accounts had previously been exposed.
  • 3 - The compromised accounts had no network allow-lists in place. Network allow-lists, also known as IP allow-lists or whitelists, restrict access to specified IP addresses or ranges, so that only approved sources can connect to a system, application or service.
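As an added illustration, not taken from Mandiant's or Snowflake's own material, the following Snowflake SQL shows how an account administrator can check for each of the three conditions above and put the missing controls in place. The queries read the SNOWFLAKE.ACCOUNT_USAGE views; the user name `analyst_42`, the policy name `corp_egress_only` and the 203.0.113.0/24 address range are assumptions made for the example.

```sql
-- Run as ACCOUNTADMIN (or a role granted the SNOWFLAKE.ACCOUNT_USAGE views).
-- ACCOUNT_USAGE views lag live activity by up to a few hours.

-- 1. No MFA: successful password logins in the last 30 days where
--    no second authentication factor was presented.
SELECT user_name,
       client_ip,
       reported_client_type,
       first_authentication_factor,
       second_authentication_factor,
       event_timestamp
FROM   snowflake.account_usage.login_history
WHERE  is_success = 'YES'
  AND  first_authentication_factor = 'PASSWORD'
  AND  second_authentication_factor IS NULL
  AND  event_timestamp > DATEADD(day, -30, CURRENT_TIMESTAMP())
ORDER BY event_timestamp DESC;

-- 2. Stale credentials: live users whose password has not been changed
--    for more than a year. A credential this old is exactly what an
--    infostealer log from 2020 would still unlock.
SELECT name,
       password_last_set_time,
       last_success_login
FROM   snowflake.account_usage.users
WHERE  deleted_on IS NULL
  AND  password_last_set_time < DATEADD(year, -1, CURRENT_TIMESTAMP())
ORDER BY password_last_set_time;

-- Force rotation for a user surfaced by the query above (user name assumed).
ALTER USER analyst_42 SET MUST_CHANGE_PASSWORD = TRUE;

-- 3. No allow-list: create a network policy that admits only the corporate
--    egress range (203.0.113.0/24 is a documentation range used here as a
--    placeholder) and attach it to the whole account.
CREATE NETWORK POLICY IF NOT EXISTS corp_egress_only
  ALLOWED_IP_LIST = ('203.0.113.0/24')
  COMMENT = 'Only corporate egress may reach this account';

ALTER ACCOUNT SET NETWORK_POLICY = corp_egress_only;

-- Confirm the policy is attached and review what it allows.
SHOW PARAMETERS LIKE 'NETWORK_POLICY' IN ACCOUNT;
DESCRIBE NETWORK POLICY corp_egress_only;
```

Run the `ALTER ACCOUNT` step from an address inside the allow-list, since Snowflake rejects a policy that would block the session applying it, and treat an empty result from the first query as necessary but not sufficient: a service account that authenticates with a key pair will never appear there and still needs the network policy.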

In response to the breach, Mandiant has been working closely with Snowflake to notify the affected organisations and assist them in hardening their security measures. 


Cyber Magazine is a BizClik brand
