Credential Compromise at Core of Snowflake's Incident

Investigation of the Snowflake incident through Mandiant (now part of Google Cloud) provides valuable insights into the threat campaign associated with a threat actor tracked as UNC5537 targeting Snowflake customer database instances for data theft and extortion. This financially motivated threat actor is known for compromising Snowflake customer instances using stolen credentials, then advertising the stolen data on cybercrime forums and attempting to extort the victims. "UNC5537 is systematically compromising Snowflake customer instances using stolen customer credentials, advertising victim data for sale on cybercrime forums, and attempting to extort many of the victims," reports Mandiant. As of June 10, 2024, Mandiant and Snowflake have notified about 165 potentially impacted organizations with the commonality of the breaches centered on compromised credentials. Mandiant's findings are supported by Snowflake, as evidenced by Snowflake referencing Mandiant's report in the latest update on Snowflake's Forum.

The breaches were primarily enabled by the lack of multi-factor authentication (MFA) and the use of compromised credentials previously exposed in various infostealer malware campaigns. The threat actor exploited these vulnerabilities to gain unauthorized access to Snowflake instances, leading to substantial data exfiltration. "Mandiant identified that the majority of the credentials used by UNC5537 were available from historical infostealer infections, some of which dated as far back as 2020," underscores the long-standing vulnerabilities exploited by these attackers. This method of attack illustrates the critical need for strict password policies and the necessity to implement MFA and regular credential rotation to protect against such intrusions.

Mandiant's investigations reveal that UNC5537 consistently used similar SQL commands across multiple compromised Snowflake customer instances to stage and extract valuable data. The sequence of activity began with the execution of simple reconnaissance commands 'SHOW TABLES', 'SELECT * FROM', and 'LIST' (or 'LS') in order to gain the necessary context of the database. Following these commands, a temporary stage was created with data of interest gathered using 'COPY INTO', allowing information to be copied "to/from internal stages, external stages tied to cloud services, and internal Snowflake tables." Lastly, to complete data exfiltration, the 'GET' command was utilized. Understanding these behavior patterns offers valuable insights to identify suspicious SQL command activity that could indicate a breach. Furthermore, key indicators with applications named "rapeflake" (Mandiant tracks as FROSTBITE) and "DBeaver_DBeaverUltimate" were reiterated by Mandiant in their analysis.

Mandiant emphasizes the severity of the threat posed by compromised credentials. "Further, according to Mandiant and Snowflake’s analysis, at least 79.7% of the accounts leveraged by the threat actor in this campaign had prior credential exposure." Strengthening password policies is mandatory to defend against advancing adversary activity and the relevance of the cybercrime ecosystem with thriving info-stealing capabilities. Along with enforcing password policies, the necessity of proper network allow lists is evident. These findings are not only applicable to Snowflake's incident but can be applied to all organizations as the threat of compromised credentials is not unique to one product or organization. "This campaign’s broad impact is the consequence of the growing infostealer marketplace and missed opportunities to further secure credentials."