Mandiant: 165 Snowflake Customers ‘Potentially Exposed’ in Campaign

Researchers with Mandiant said that since at least April 14, the threat group behind the attack has used stolen credentials to access over 100 customer tenants. Some of the credentials were stolen via infostealer malware as early as 2020.

In a new analysis of a recent high-profile campaign impacting customers of cloud-based data storage company Snowflake, researchers with Mandiant said that since at least April 14, the threat group behind the attack has used compromised credentials to access over 100 customer tenants.

Mandiant’s analysis reiterated a joint statement issued last week with both Snowflake and CrowdStrike, that the attack did not stem from a breach of Snowflake’s platform, but instead leveraged stolen credentials for accounts that did not have MFA enabled. The joint statement came after reports emerged of several companies discovering unauthorized access on databases hosted by Snowflake, such as Ticketmaster.

Mandiant tied the campaign to an actor it called UNC5537, which it said is a financially motivated threat actor that has been compromising "a significant volume of records from Snowflake customer environments," extorting victims and advertising their data for sale on cybercrime forums. Researchers said they have identified members of the threat group who had associations with other tracked groups, but they assessed with “moderate confidence” that UNC5537 is made up of members based in North America, and that the group works with one additional member in Turkey.

“To date, Mandiant and Snowflake have notified approximately 165 potentially exposed organizations,” according to Mandiant’s threat intelligence team in a Monday post. “Snowflake’s Customer Support has been directly engaged with these customers to ensure the safety of their accounts and data. Mandiant and Snowflake have been conducting a joint investigation into this ongoing threat campaign and coordinating with relevant law enforcement agencies.”

UNC5537 was able to access the companies’ Snowflake instances through credentials stolen from the customers, primarily via infostealer malware campaigns targeting non-Snowflake-owned systems, some of which dated as far back as November 2020, said researchers. The infostealer malware variants associated with this campaign included well-known ones like the Raccoon stealer, Vidar and Redline. In some of the investigations into the incident, researchers found that these malware families had targeted contractor systems, which were also used for personal activities like gaming or downloading pirated software.

“Contractors that customers engage to assist with their use of Snowflake may utilize personal and/or non-monitored laptops that exacerbate this initial entry vector,” said researchers. “These devices, often used to access the systems of multiple organizations, present a significant risk. If compromised by infostealer malware, a single contractor's laptop can facilitate threat actor access across multiple organizations, often with IT and administrator-level privileges.”

The successful compromises primarily targeted Snowflake accounts that didn’t have MFA enabled and that still had credentials that had not been rotated or updated, sometimes for years. The impacted instances also did not have network allow lists in place to only enable access from trusted locations, said Mandiant.
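The three gaps described above (no MFA, credentials left unrotated, no network allow list) can be checked against a user inventory. The following is an added example, not code from Mandiant, Snowflake or the article; the record fields, the sample users and the 90-day rotation threshold are assumptions constructed for illustration.

```python
from datetime import datetime, timezone

# Constructed sample inventory. Field names are assumptions for this example,
# not a Snowflake schema; map them to whatever your user export provides.
USERS = [
    {"name": "SVC_ETL", "disabled": False, "has_password": True, "mfa_enrolled": False,
     "password_last_set": "2020-11-02", "network_policy": None},
    {"name": "ALICE", "disabled": False, "has_password": True, "mfa_enrolled": True,
     "password_last_set": "2024-05-20", "network_policy": None},
    {"name": "CONTRACTOR_BOB", "disabled": False, "has_password": True, "mfa_enrolled": False,
     "password_last_set": "2024-04-01", "network_policy": "OFFICE_ONLY"},
    {"name": "OLD_ADMIN", "disabled": True, "has_password": True, "mfa_enrolled": False,
     "password_last_set": "2019-01-15", "network_policy": None},
    {"name": "SSO_CAROL", "disabled": False, "has_password": False, "mfa_enrolled": False,
     "password_last_set": None, "network_policy": None},
]

def audit_user(user, now, account_policy=None, max_age_days=90):
    """Return the list of control gaps for one user; empty if none apply."""
    if user["disabled"]:
        return []  # disabled accounts cannot log in
    gaps = []
    if user["has_password"]:
        if not user["mfa_enrolled"]:
            gaps.append("no_mfa")
        last_set = user.get("password_last_set")
        age = (now - datetime.strptime(last_set, "%Y-%m-%d").replace(tzinfo=timezone.utc)).days if last_set else None
        if age is None or age > max_age_days:  # unknown age is treated as stale
            gaps.append("stale_password")
    # Either a user-level or an account-level policy restricts source addresses.
    if not (user["network_policy"] or account_policy):
        gaps.append("no_network_allow_list")
    return gaps

def audit(users, now, account_policy=None, max_age_days=90):
    """Map user name -> gaps for flagged users, most gaps first."""
    results = {u["name"]: audit_user(u, now, account_policy, max_age_days) for u in users}
    flagged = {n: g for n, g in results.items() if g}
    return dict(sorted(flagged.items(), key=lambda kv: -len(kv[1])))

if __name__ == "__main__":
    now = datetime(2024, 6, 10, tzinfo=timezone.utc)
    for name, gaps in audit(USERS, now).items():
        print(f"{name}: {', '.join(gaps)}")
```

Accounts that show all three gaps at once match the profile the article describes and are the ones to remediate first.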

Researchers weren’t able to recover the complete sample of a utility that had been reportedly used by the threat actors in the attacks (which researchers called FrostBite), but they assessed that it was being leveraged to perform reconnaissance against target Snowflake instances.

“Mandiant observed usage of both .NET and Java versions of FROSTBITE,” said researchers. “The .NET version interacts with the Snowflake .NET driver. The JAVA version interacts with the Snowflake JDBC driver. FROSTBITE has been observed performing SQL recon activities including listing users, current roles, current IPs, session IDs, and organization names. Mandiant also observed UNC5537 use a publicly available database management utility DBeaver Ultimate to connect and run queries across Snowflake instances.”

The campaign highlights the prevalence and dangers of infostealer malware, and also several basic security issues like a lack of MFA and the problem of “exposed credentials” (in fact, Mandiant found that almost 80 percent of the accounts leveraged by the threat actor in this attack had prior credential exposure). However, the campaign has also brought Snowflake’s own security control implementation policies for customers into question. Snowflake on its website has said that it supports MFA for users connecting to its platform, and that MFA support is provided as an integrated Snowflake feature. However, though Snowflake “strongly recommends that all users with the ACCOUNTADMIN role be required to use MFA” at a minimum, MFA is enabled on a per-user basis, and users aren’t automatically enrolled in MFA and instead must enroll themselves.

Snowflake is now looking at changing its policies around implementing security controls.

“As we shared on June 6, we continue to work closely with our customers as they harden their security measures to reduce cyber threats to their businesses, and we are developing a plan to require our customers to implement advanced security controls, like multi-factor authentication (MFA) or network policies,” said Brad Jones, CISO at Snowflake in an update on Monday.