Snowflake compromised? Attackers exploit stolen credentials


Have attackers compromised Snowflake or just their customers’ accounts and databases? Conflicting claims muddy the situation.

What is Snowflake?

Snowflake is cloud-based data storage and analytics company based in the US, and claims nearly 9,500 organizations around the world as customers.

“From an enterprise perspective, Snowflake is typically set up as a cloud-based data warehousing solution. Enterprises choose a cloud provider (AWS, Azure, or Google Cloud), and set up their Snowflake account within the chosen region. Data is ingested from various sources, transformed, and analyzed using SQL,” Doron Karmi, Senior Cloud Security Researcher at Mitiga, told Help Net Security.

“While Snowflake manages the infrastructure, customers have specific responsibilities regarding security and data protection. These include implementing role-based access control (RBAC), and enforcing data governance policies. Customers must also monitor activities using Snowflake’s auditing features. Access to stored data is typically handled through RBAC, single sign-on (SSO) integration with identity providers, and network policies that restrict access through IP whitelisting or private endpoints.”

Data theft with extortion as the goal

A threat actor (UNC5537) has been stealing data from organizations that use the Snowflake cloud-based platform by leveraging stolen customer credentials and an attack tool named “rapeflake”, Mitiga researchers have discovered.

They say UNC5537 is primarily exploiting environments lacking two-factor authentication and the attacks come from commercial VPN IPs. The group is focused on data theft and then tries to extort organizations by threatening to offer the stolen data on hacker forums.

“UNC5537 is a designation by Mandiant for an uncategorized threat actor group,” Karmi told Help Net Security.

“Information about the incident and the group’s tactics is not yet fully published, but from what we know, the group utilizes custom tools to find Snowflake instances and employs credential stuffing techniques to gain unauthorized access. Once access is obtained, they leverage built-in Snowflake features to exfiltrate data to external locations, possibly using cloud storage services.”

Brad Jones, VP of Information Security and CISO at Snowflake, says that they became aware of potentially unauthorized access to certain customer accounts on May 23, 2024.

“During our investigation, we observed increased threat activity beginning mid-April 2024 from a subset of IP addresses and suspicious clients we believe are related to unauthorized access,” he added.

“Research indicates that these types of attacks are performed with our customers’ user credentials that were exposed through unrelated cyber threat activity. To date, we do not believe this activity is caused by any vulnerability, misconfiguration, or malicious activity within the Snowflake product.”

Snowflake says a limited number of customers has been impacted. Security researcher Kevin Beaumont says that “mass scraping has been happening” and that “it appears a lot of data has gone walkies from a bunch of orgs.”

Attackers claim to have compromised Snowflake

Cybersecurity firm Hudson Rock has spoken with the threat actor, who says that they have actually breached Snowflake, by infecting an employee’s device with an infostealer and grabbing credentials for accessing Snowflake’s servers.

“To understand how the hack was carried out, the threat actor explains that they were able to sign into a Snowflake employee’s ServiceNow account using stolen credentials, thus bypassing OKTA which is located on lift.snowflake.com. Following the infiltration, the threat actor claims that they were able to generate session tokens, which enabled them to exfiltrate massive amounts of data from the company,” the company says.

“The goal of the threat actor, as in most cases, was to blackmail Snowflake into buying their own data back for $20,000,000. However it seems the company was not responsive.”

Apparently, this is how the threat actor has been able to steal data belonging to Ticketmaster and Santander Bank.

“It is still undetermined what other companies were impacted by the hack. We expect that this information will be revealed slowly and over time as negotiations with the impacted companies are still ongoing,” Hudson Rock researchers added.

What can Snowflake admins do?

Snowflake has compiled a document outlining known indicators of compromise, investigative queries Snowflake admins can use to detect access from suspected IP addresses and clients, remediation measures (disabling suspected users, resetting credentials) they should take if they find their databases have been accessed by the attackers, and attack prevention advice.

Mitiga has provided advice on how organizations can leverage Snowflake’s logs to perform threat hunting.

“In every Snowflake environment, there is a database named ‘Snowflake’ housing a schema called ‘ACCOUNT_USAGE.’ This schema holds metadata and historical usage data for the current Snowflake account, updating with each action taken, providing a comprehensive audit trail,” they explained.

The database can be used to spot anomalous user activity and unusual IP addresses, and detect suspicious login patterns.

They’ve also advised Snowlake admins to check whether single sign-on (SSO) and multi-factor authentication (MFA) is correctly enforced, and to consider permitting access to their Snowflake database only from authorized IP addresses.




Source link