A financially driven threat actor monitored as UNC5537 is executing a cyber attack on Snowflake client databases. About 165 Snowflake clients are believed to have been impacted. Snowflake is a multi-cloud data storage platform that clients use for storing and analyzing large amounts of structured and unstructured information. Based on Google’s cybersecurity company Mandiant, the threat actor uses stolen credentials to systematically access client accounts. The very first time an account breach was discovered was on April 14, 2024.
When account access is acquired, the threat actor extracts data and issues a ransom demand to stop selling the stolen information. Mandiant has reported to 165 clients about the breach, but Snowflake has no confirmation yet regarding the number of clients that were impacted. Pure Storage has reported one instance of breach of customer support, though no client information was compromised.
Although Snowflake accounts are being attacked, no proof is identified that suggests a compromise of Snowflake’s platform. Mandiant stated that every incident it has dealt with to date involved breached credentials. Compromise of credentials can happen in different ways, however, this campaign involves stealing credentials using several infostealer malware variants such as Lumma, Racoon Stealer, Metastealer, Redline, Vidar, and Risepro. In certain instances, the infostealer malware infection happened many years in the past. The first discovered infection that was connected to attacks was in November 2020.
Infostealers are spread during phishing campaigns using malvertising and bogus websites, and the malware frequently goes with pirated software programs. One popular theme recognized by Mandiant was infostealer malware infections on contractor programs, and systems employed for personal activities like gaming or installing pirated software programs.
Businesses normally employ contractors to handle their Snowflake instances. Those contractors usually employ personal and unchecked laptop computers. Because contractors work with several organizations, an infostealer malware infection enables a threat actor to get the credentials for several accounts. The threat is particularly high because contractors are often provided IT and admin-level privileges.
As per Mandiant, the success of a campaign is because of three primary security problems. The impacted clients didn’t have multifactor authentication activated for their Snowflake accounts; passwords were not modified or rotated for very long periods, in certain instances a few years, and clients had not set up their Snowflake instances’ allow lists, which give access from trustworthy locations only.
Although the attacks seem to entail credentials compromised in unrelated cyber attacks, Snowflake states the activity may be associated with the CVE-2023-51662 vulnerability. The vulnerability is caused by poor certificate validation and impacts the Snowflake .NET driver, which gives the interface to the Microsoft .NET open-source software platform for creating programs.
Snowflake has created a listing of IP addresses from clients identified as DBeaver_DBeaverUltimate and rapeflake and has given a query that will provide login activities that started from those malicious IP addresses and queries to determine the actions undertaken by those clients. The Health Sector Cybersecurity Coordination Center has additionally released a healthcare and public health sector advisory regarding the malicious activity and proposed mitigations.
The breach at Snowflake began with the exploitation of stolen credentials. Platform access was not secured by any type of additional authentication besides a password. All organizations utilizing third-party cloud services must make sure their accounts in those services are secured just like their own admin accounts. Keep in mind the least privilege principle and the just-in-time strategy, and utilizing strong multifactor authentication (MFA). Least privilege combined with just-in-time will give adequate access to carry out particular tasks for a restricted period. MFA will generally call for using another ID criterion to access a particular account, putting one more step of validation.
A company’s third-party risk management must also have an incident response plan (IRP) for this kind of instance, where the information they give to a company is breached and will probably be employed against themselves. An IRP allows a company’s security team to quickly deal with possible exploitation efforts and take action depending on what information was exposed. In this instance, the leaked information involved names of companies, email addresses, and usernames. With this data, a malicious actor could perform a phishing attack by sending an email requesting to confirm a sign-in attempt to a bogus website that looks like a genuine one. By knowing this, a company can get ready for the next phishing attempt, which is necessary to avoid potential data breaches and HIPAA violations.