In the spring of 2024, a series of data breaches linked to Snowflake, a leading cloud data platform, sent shockwaves through the cybersecurity community. The breach campaign, which began in mid-April 2024, resulted in the theft of a significant volume of sensitive data from various high-profile companies.
This article explores the Snowflake breach’s intricacies, causes, impact, and implications for organizations worldwide.
Quick overview of the Snowflake breach
The Snowflake breach wasn’t a singular event but rather a coordinated campaign targeting multiple organizations using Snowflake’s cloud storage services. At least 165 organizations were potentially affected by unauthorized access to their Snowflake customer instances
How the breach happened: UNC5537 threat group
UNC5537 is a financially motivated threat actor group that emerged in May 2024. They’ve targeted numerous Snowflake customer databases worldwide with a specific modus operandi: data theft and extortion.
Stolen login credentials
The core of UNC5537’s strategy lies in compromised credentials. They leverage infostealer malware, a malicious software program designed to steal login credentials and other sensitive information from unsuspecting victims’ devices.
These stolen credentials, often including usernames and passwords for diverse online services, are then sold on cybercrime forums. It’s believed that UNC5537 purchases these credentials on the dark web, specifically targeting those granting access to Snowflake accounts.
Exploiting the lack of MFA
Once they have a valid username and password for a Snowflake account, UNC5537 bypasses additional security measures by exploiting accounts lacking multi-factor authentication (MFA). MFA adds an extra layer of security by requiring a second verification step beyond just a username and password. Unfortunately, its absence creates a vulnerability that UNC5537 capitalizes on.
“Rapeflake” tool used to collect data
Some reports suggest UNC5537 might utilize a custom tool called “rapeflake” (also referred to as FROSTBITE). The tool’s functionality is still under investigation, but it’s believed to be used for reconnaissance within the compromised Snowflake instance. FROSTBITE might interact with Snowflake through drivers like .NET or JDBC, potentially allowing UNC5537 to perform actions such as listing users, identifying current roles, and even discovering IP addresses and session IDs.
The following Client Application IDs have been flagged as potentially malicious:
- Rapeflake
- DBeaver_DBeaverUltimate
- Go 1.1.5
- JDBC 3.13.30
- JDBC 3.15.0
- PythonConnector 2.7.6
- SnowSQL 1.2.32
- Snowflake UI
- Snowsight AI
Of particular concern are connections from clients identifying themselves as “rapeflake” and “DBeaver_DBeaverUltimate” (the latter specifically when running from Windows Server 2022). And an updated list of suspicious IP addresses and recommended actions to take, please refer to the Snowflake community post.
Exfiltrating data with Client IDs
UNC5537 extracts valuable data from the compromised Snowflake database conducting reconnaissance with “rapeflake”. This data exfiltration process involves a series of SQL commands:
- SHOW TABLES: This command allows UNC5537 to identify all databases and associated tables within the victim’s Snowflake environment.
- SELECT * FROM: With this command, they can download specific tables containing the desired data.
- CREATE (TEMP|TEMPORARY) STAGE: This creates temporary storage locations within the compromised Snowflake instance to stage the stolen data before exfiltration.
- COPY INTO: This command copies the data from targeted tables into the temporary storage locations.
- GET: Finally, UNC5537 utilizes the GET command to exfiltrate the stolen data from the temporary storage and transfer it to their own systems.
Discovery and response
Mandiant, a cybersecurity firm acquired by Google in 2022, is credited with discovering UNC5537’s campaign in April 2024. They identified a pattern of suspicious activity involving Snowflake database access and data exfiltration. Upon investigation, Mandiant observed the use of stolen credentials, lack of MFA, and the aforementioned SQL commands, leading them to UNC5537.
Following the discovery, Mandiant notified the affected organizations and collaborated with Snowflake to investigate the campaign further. Snowflake promptly issued security advisories, including indicators of compromise (IoCs) and investigative queries, to help their customers identify potential breaches and secure their accounts.
Snowflake breach victims
Several major companies were victims of the Snowflake breach, suffering significant data losses and reputational damage. Many of these made the news due to the severity of the breach, as millions of users’ data was stolen and leaked online.
The breach affected many countries and was seen separately until the recent discovery of the Snowflake link. However, this link is still being investigated.
Ticketmaster data breach
Live Nation Entertainment, Ticketmaster’s parent company, confirmed unauthorized access to a third-party cloud database containing primarily Ticketmaster data. The breach potentially impacted up to 560 million Ticketmaster customers, exposing sensitive information such as names, addresses, email addresses, phone numbers, and partial credit card details.
Santander Bank data breach
Santander Bank reported unauthorized access to a database hosted by a third-party provider, which was later linked to the Snowflake breach. The attack allegedly compromised the data of 30 million customers, including account details, credit card numbers, and employee information.
AT&T data breach
In a shocking revelation, AT&T disclosed that call and text records of “nearly all” its cellular customers were stolen during the breach. The compromised data spanned from May 1, 2022, to October 31, 2022, with some records from January 2, 2023, also affected. While the stolen information didn’t include call or text content, it comprised interaction records that could potentially be used to infer customer identities.
Advance Auto Parts
Advance Auto Parts reported a data breach affecting over 2.3 million individuals. The company’s Snowflake environment was compromised for 40 days, exposing sensitive personal information collected during job application processes, including names, Social Security numbers, and driver’s license details.
The anatomy of the cyber attack and lessons learned
Understanding how the Snowflake breach unfolded is crucial for preventing similar incidents in the future. The tactics, techniques, and procedures (TTPs) the attackers employ can help create more effective security solutions to prevent and respond to cyber-attacks quickly.
Credential theft and exploitation
The UNC5537 group primarily relied on credentials stolen through various infostealer malware variants. These malware infections often occurred on contractor systems used for both work and personal activities, highlighting the risks associated with inadequate endpoint security.
Many of the compromised credentials were several years old, had weak passwords, and lacked regular credential rotation.
Organizations must implement strict password policies and educate employees about the dangers of credential reuse across personal and professional accounts.
Bypassing authentication
It’s reported that many compromised accounts lacked multi-factor authentication (MFA), allowing attackers to gain access using only stolen usernames and passwords. In some cases, the threat actors managed to bypass MFA through sophisticated phishing techniques or by exploiting vulnerabilities in certain MFA implementations.
The widespread success of the UNC5537 campaign underscores the importance of implementing strong multi-factor authentication for all user accounts, especially those with elevated privileges. Organizations should consider mandating MFA and regularly reviewing its effectiveness against evolving threats.
Third-party risk management
The group used publicly available database management utilities, such as DBeaver Ultimate, to connect to and run queries across compromised Snowflake instances.
This breach emphasizes the need for robust third-party risk management practices. Organizations must carefully vet and monitor their cloud service providers, ensuring they maintain appropriate security controls and can quickly detect and respond to potential breaches.
Prevention and mitigation strategies
Organizations should implement a multi-layered security approach to protect against similar attacks and mitigate the impact of potential breaches.
Here are some key strategies to consider:
- Implement strong access controls, including MFA and network allow lists for critical systems.
- Regularly rotate credentials and monitor for exposed credentials on the dark web.
- Conduct thorough security assessments of third-party vendors and cloud service providers.
- Implement robust endpoint detection and response (EDR) solutions to prevent infostealer infections.
- Encrypt sensitive data both in transit and at rest.
- Regularly train employees on cybersecurity best practices and the latest threat landscape.
For organizations seeking to enhance their security posture and respond to potential breaches, it’s crucial to partner with experienced cybersecurity professionals. Proven Data offers comprehensive digital forensics, vulnerability testing, and ransomware removal and recovery services to help organizations protect their valuable data assets and recover from cyber incidents.
