Incident response firm Mandiant says together with Snowflake it has contacted 165 victims of recent large-scale data theft from the data platform provider’s environment — blaming all on compromised credentials and a lack of multi-factor authentication on the customer side.
A summary of its recent IR work adds detail to an initial investigation previously shared by Snowflake, CrowdStrike, and Mandiant on June 2, in the wake of widespread data theft from Snowflake environments.
Mandiant’s write-up highlights its observation of a custom utility written in both .NET and Java that the attacker calls “rapeflake” and which it dubs “Frostbite” that it says appears “used to perform reconnaissance against target Snowflake instances.” It has not recovered a complete sample.
Mandiant added on June 10 that its investigations showed that initial attacker access to Snowflake customer instances “often occurred via the native web-based UI (SnowFlake UI AKA SnowSight) and/or command-line interface (CLI) tool (SnowSQL) running on Windows Server 2022.”
Mandiant said it “identified that the threat actor used Snowflake customer credentials that were previously exposed via several infostealer malware variants, including; VIDAR, RISEPRO, REDLINE, RACOON STEALER, LUMMA and METASTEALER. For the organizations that directly engaged Mandiant for incident response services, Mandiant determined the root cause of their Snowflake instance compromise was exposed credentials.”
Critically, it noted that "the initial compromise of infostealer malware occurred on contractor systems that were also used for personal activities, including gaming and downloads of pirated software."
Unmonitored contractor devices "often used to access the systems of multiple organizations, present a significant risk. If compromised by infostealer malware, a single contractor's laptop can facilitate threat actor access across multiple organizations, often with IT and administrator-level privileges."
See also :Five Eyes: Customers should ask these 8 things of their MSPs
The data platform provider had disputed initial characterisation on a now deleted blog from cybersecurity firm Hudson Rock that a threat actor had stolen Snowflake customer data, after using access to a staffer’s account to somehow enumerate security tokens via their ServiceNow environment. (A subsequent post by Hudson Rock suggested that Snowflake threatened it legally.) Both Hudson Rock and cybersecurity firm SOS Intelligence have independently reported finding Snowflake employee credentials exposed in dark web data dumps. These were for separate employees, SOS Intelligence confirmed to The Stack. There is no allegation that they were used to expose customer data, but the incidents show that vendors are as ripe for the plucking as their customers when it comes to exposed credentials that have the potential to be exploited in attacks.
Google-owned firm Mandiant added: “... at least 79.7% of the accounts leveraged by the threat actor in this campaign had prior credential exposure. The earliest… associated with a credential leveraged by the threat actor dated back to November 2020…Mandiant identified hundreds of customer Snowflake credentials exposed via infostealers since 2020.”
Snowflake says it is now “developing a plan to require [our italics] our customers to implement advanced security controls, like multi-factor authentication (MFA) or network policies, especially for privileged Snowflake customer accounts. While we do so, we are continuing to strongly engage with our customers to help guide them to enable MFA and other security controls as a critical step in protecting their business.”
The threat group appears to be US-based Mandiant said.
It added: "The broad impact of this campaign underscores the urgent need for credential monitoring, the universal enforcement of MFA and secure authentication, limiting traffic to trusted locations for crown jewels, and alerting on abnormal access attempts. For further recommendations on how to harden Snowflake environments, please see Snowflake’s Hardening Guide."
