A new report from Mandiant, part of Google Cloud, reveals that a financially motivated threat actor named UNC5537 collected and exfiltrated data from about 165 organizations' Snowflake customer instances. Snowflake is a cloud data platform used for storing and analyzing large volumes of data.
The threat actor managed to gain access to this data by using credentials that had previously been stolen by infostealer malware or purchased from other cybercriminals.
According to Mandiant, UNC5537 advertises victim data for sale on cybercrime forums and attempts to extort many of the victims. Once the data is sold, any cybercriminal can buy it for various purposes, such as cyber espionage, competitive intelligence or more financially oriented fraud.
How were some Snowflake customers targeted for this data theft and extortion?
A joint statement provided by Snowflake, Mandiant and cybersecurity company CrowdStrike indicates there is no evidence suggesting the fraudulent activity was caused by a vulnerability, misconfiguration or breach of Snowflake's platform. There is also no evidence the activity was caused by compromised credentials of current or former Snowflake employees.
Instead, evidence shows the attackers obtained credentials from multiple infostealer malware campaigns that infected systems not owned by Snowflake. The threat actor then gained access to the affected accounts, which allowed the exfiltration of a large volume of customer data from the respective Snowflake customer instances.
Mandiant researchers stated that the majority of the credentials used by UNC5537 were available from historical infostealer malware; some of these credentials date back to November 2020 but were still usable. Different infostealer malware families were responsible for the credential theft, the most used being Vidar, Risepro, Redline, Raccoon Stealer, Lumma and Metastealer.
According to Mandiant and Snowflake, at least 79.7% of the accounts leveraged by the threat actor had prior credential exposure.
Mandiant also reported that the initial infostealer malware compromise occurred on contractor systems that were also used for personal activities, including gaming and downloads of pirated software, which is a strong vector for spreading infostealers.
How did UNC5537 obtain the stolen credentials?
As reported, the threat actor obtained credentials from a variety of infostealer malware, but UNC5537 also leveraged credentials that had previously been purchased.
While no additional information is provided by Mandiant, it is reasonable to assume these credentials were bought on one or several cybercriminal underground marketplaces, directly from so-called Initial Access Brokers, a category of cybercriminals who sell stolen corporate access to other fraudsters.
As written by Mandiant in its report, "the underground infostealer economy is also extremely robust, and large lists of stolen credentials exist both for free and for purchase inside and outside of the dark web." Mandiant also reported that, in 2023, 10% of total intrusions began with stolen credentials, representing the fourth most notable initial intrusion vector.
What were the initial access and data exfiltration methods in this Snowflake attack?
In this attack campaign, initial access to Snowflake customer instances often occurred via the native web user interface (Snowflake SnowSight) or the command-line interface tool provided by Snowflake (SnowSQL). An additional attacker-named tool called "rapeflake", tracked as FROSTBITE by Mandiant, was used to perform reconnaissance against Snowflake instances.
FROSTBITE exists in at least two versions: one using .NET to interact with the Snowflake .NET driver, and one using Java to interact with the Snowflake JDBC driver. The tool allows the attackers to perform SQL actions such as listing users, current roles, current IP addresses, session IDs and organization names.
A public database management tool, DBeaver Ultimate, was also used by the threat actor to run queries on the Snowflake instances.
Using SQL queries, the threat actor was able to exfiltrate information from databases. Once interesting data was found, it was compressed as GZIP using the "COPY INTO" command to reduce the size of the data to be exfiltrated.
The attacker primarily used Mullvad and Private Internet Access VPN services to access the victims' Snowflake instances. A Moldovan VPS provider, ALEXHOST SRL, was also used for data exfiltration. The threat actor stored victim data on several international VPS providers, as well as on the cloud storage provider MEGA.
Which organizations are at risk?
The attack campaign appears to be a targeted campaign aimed at Snowflake users with single-factor authentication. All users with multifactor authentication are protected from this attack campaign and were not targeted.
In addition, the impacted Snowflake customer instances did not have allow lists in place to only permit connections from trusted locations.
Tips from Snowflake on how to protect your business from this cybersecurity threat
Snowflake published information on detecting and preventing unauthorized user access.
The company provided a list of almost 300 suspicious IP addresses used by the threat actor and shared a query to identify access from the suspect IP addresses. The company also provided a query to identify the usage of the "rapeflake" and "DBeaver Ultimate" tools. Any user account returning results from these queries should immediately be disabled.
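The detection queries Snowflake published are not reproduced in this article. The block below is an added example, written by the editor and not Snowflake's own query, that shows how a defender would hunt for the three signals described above in the SNOWFLAKE.ACCOUNT_USAGE views: logins from the suspect IP list, sessions opened by the named client tools, and bulk unloads via COPY INTO. The three IP addresses are placeholders from documentation ranges, not addresses from Snowflake's list, and the 90-day window is an assumed lookback.

```sql
-- Added example (not Snowflake's published query). Run with a role granted
-- access to the SNOWFLAKE.ACCOUNT_USAGE schema. ACCOUNT_USAGE views are
-- populated with a delay, so very recent activity may not appear yet.

-- 1. Logins from suspect IP addresses. The three addresses below are
--    PLACEHOLDERS: replace them with the list published by Snowflake.
SELECT event_timestamp,
       user_name,
       client_ip,
       reported_client_type,
       first_authentication_factor,
       second_authentication_factor,   -- NULL means a single-factor login
       is_success
FROM   snowflake.account_usage.login_history
WHERE  event_timestamp >= DATEADD(day, -90, CURRENT_TIMESTAMP())
  AND  client_ip IN ('192.0.2.10', '198.51.100.23', '203.0.113.77')
ORDER  BY event_timestamp DESC;

-- 2. Sessions opened by the client tools named in the report. The application
--    name is self-reported by the driver, so a miss is not proof of absence;
--    a hit, however, is worth treating as high confidence.
SELECT s.created_on,
       s.user_name,
       s.client_application_id,
       s.client_application_version,
       l.client_ip
FROM   snowflake.account_usage.sessions s
LEFT JOIN snowflake.account_usage.login_history l
       ON l.event_id = s.login_event_id
WHERE  s.created_on >= DATEADD(day, -90, CURRENT_TIMESTAMP())
  AND (s.client_application_id ILIKE '%rapeflake%'
       OR s.client_application_id ILIKE '%DBeaver%')
ORDER  BY s.created_on DESC;

-- 3. Bulk unloads: COPY INTO <location> is recorded with query_type = 'UNLOAD'.
--    Ranking them by bytes written per user surfaces the compressed-export
--    pattern described in the report.
SELECT start_time,
       user_name,
       role_name,
       session_id,
       rows_unloaded,
       bytes_written,
       LEFT(query_text, 200) AS query_snippet
FROM   snowflake.account_usage.query_history
WHERE  start_time >= DATEADD(day, -90, CURRENT_TIMESTAMP())
  AND  query_type = 'UNLOAD'
ORDER  BY bytes_written DESC NULLS LAST;
```

Any user name returned by the first two queries should be disabled (ALTER USER <name> SET DISABLED = TRUE blocks further logins) and its recent query history reviewed. The third query is a triage aid rather than a verdict: legitimate ETL jobs also unload data, so compare the user, role and destination against known pipelines before escalating.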
Security hardening is highly recommended by Snowflake:
- Enforce MFA for users.
- Set up account-level and user-level network policies for highly credentialed users/service accounts.
- Review account parameters to restrict data exportation from Snowflake accounts.
- Monitor Snowflake accounts for unauthorized privilege escalation or configuration changes and investigate any of those events.
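The four hardening items above map to concrete Snowflake configuration. The block below is an added example by the editor, not Snowflake's own guidance text, showing one way to implement each item. Policy names, the user name etl_service and the IP ranges are placeholders (the ranges are documentation CIDRs); the MFA_ENROLLMENT setting of an authentication policy is a newer Snowflake feature and is assumed to be available in the account.

```sql
-- Added example (not Snowflake's own guidance). Names and addresses below are
-- placeholders; adapt them to the account before running.

-- Item 1: require MFA enrollment through an account-level authentication policy.
CREATE AUTHENTICATION POLICY IF NOT EXISTS require_mfa_policy
  MFA_ENROLLMENT = REQUIRED
  COMMENT = 'Human users must enroll in MFA';
ALTER ACCOUNT SET AUTHENTICATION POLICY require_mfa_policy;

-- Item 2: network policies. An account-level allow list for corporate egress
-- ranges, plus a stricter user-level policy for a privileged service account.
CREATE NETWORK POLICY IF NOT EXISTS corp_egress_only
  ALLOWED_IP_LIST = ('192.0.2.0/24', '198.51.100.0/24')   -- placeholder ranges
  COMMENT = 'Only corporate VPN/egress addresses may reach the account';
ALTER ACCOUNT SET NETWORK_POLICY = corp_egress_only;

CREATE NETWORK POLICY IF NOT EXISTS etl_service_only
  ALLOWED_IP_LIST = ('203.0.113.5')                         -- placeholder host
  COMMENT = 'ETL service account may only connect from its own host';
ALTER USER etl_service SET NETWORK_POLICY = etl_service_only;  -- placeholder user

-- Item 3: account parameters that restrict data export. These block COPY INTO
-- unloads to ad-hoc cloud storage URLs and require a storage integration for
-- stages, so data can only leave toward pre-approved locations.
ALTER ACCOUNT SET PREVENT_UNLOAD_TO_INLINE_URL = TRUE;
ALTER ACCOUNT SET REQUIRE_STORAGE_INTEGRATION_FOR_STAGE_CREATION = TRUE;
ALTER ACCOUNT SET REQUIRE_STORAGE_INTEGRATION_FOR_STAGE_OPERATION = TRUE;

-- Item 4: review role grants made in the last 7 days to catch unauthorized
-- privilege escalation. GRANTS_TO_USERS records who granted which role to whom.
SELECT created_on, role, grantee_name, granted_by
FROM   snowflake.account_usage.grants_to_users
WHERE  created_on >= DATEADD(day, -7, CURRENT_TIMESTAMP())
  AND  deleted_on IS NULL
ORDER  BY created_on DESC;
```

Apply the account-level network policy from an address that is itself on the allow list, since Snowflake rejects activating a policy that would block the current connection. The grants query is meant to be scheduled (for example as a task feeding an alert) rather than run once, because a grant that has already been used and revoked will show up with a non-null deleted_on and would otherwise be missed.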
Furthermore, it is strongly recommended to keep all software and operating systems up to date and patched to avoid being compromised through a common vulnerability, which might lead to credential leaks.
Security solutions should be deployed on every endpoint to prevent infostealer infection.
It is also advised to raise awareness of computer security and train employees to detect and report suspicious cybersecurity events.
Disclosure: I work for Trend Micro, but the views expressed in this article are mine.