Snowflake Customers Targeted in Credential Theft Scheme

Snowflake has reported an active campaign targeting customer accounts, noting a significant uptick in cybersecurity threats. This activity is attributed to compromised user credentials obtained from external breaches. Believed to be part of a broader identity-based attack campaign aimed at data theft, it has not been linked to any vulnerabilities within Snowflake's infrastructure. Snowflake has specifically identified suspicious connections from clients named "rapeflake" and "DBeaver_DBeaverUltimate" operating from Windows Server 2022, which are key indicators of compromise that help pinpoint potentially malicious activities within affected systems.

Snowflake's response includes a comprehensive guide for identifying, investigating, and preventing further unauthorized access. Customers are advised to monitor and disable suspect IP addresses and client identifiers, reset credentials, and scrutinize the actions and queries performed by flagged users. Prevention strategies emphasize the importance of establishing network policies, reviewing account parameters to limit data exportation, and securing service accounts with robust authentication methods such as OAuth or key pairs, rather than relying on static credentials.

Mitiga, in a related report, has identified the threat actor UNC5537, which exploits stolen credentials to infiltrate organizations using Snowflake. This actor, consistent with Snowflake's findings, is known for deploying a tool named "rapeflake" and has been implicated in data theft and extortion activities, particularly targeting environments lacking two-factor authentication (2FA). Mitiga has provided guidance for organizations to analyze query histories for anomalies that might suggest data exfiltration, such as unusual data scan volumes, accessing an abnormally high number of databases or warehouses, utilizing rare client applications, and copying Snowflake tables through inline URLs.

The guidance from both Snowflake and Mitiga is crucial for monitoring and countering this active threat. Snowflake's report includes a list of IP addresses associated with suspicious activities. By closely monitoring query histories, implementing stringent access controls, and continuously updating security protocols, organizations can enhance their defenses against this ongoing threat.

The Anvilogic Forge team will continue to closely monitor the situation, develop applicable detections, and refine our response strategies to ensure comprehensive coverage against this active threat.