Information on the Snowflake data breach targeting customers
In a recent development, a financially motivated cybercriminal group tracked as UNC5537 has been identified as the perpetrator behind a series of cyberattacks targeting Snowflake customer environments. The group is known to cybersecurity firms and analysts only as a threat-cluster designation rather than as a named organisation, and it conducts intrusions with the goal of financial gain.
Identity of UNC5537
UNC5537 is not publicly linked to a known individual or nation-state and is considered a cybercrime group rather than a nation-sponsored actor. The group's activities are characterised by the use of common tools, infrastructure, and tactics.
Tactics, Techniques, and Procedures (TTPs) of UNC5537
UNC5537 employs a range of tactics to gain access, maintain persistence, escalate privileges, evade detection, access credentials, discover vulnerabilities, execute commands, exfiltrate data, and cause impact.
- Initial Access: The group exploits vulnerabilities in cloud infrastructure and customer environments, conducts phishing campaigns targeting credentials, and uses stolen or weak credentials to access Snowflake accounts or related cloud services.
- Persistence: UNC5537 creates persistent backdoors via compromised cloud resources and leverages service accounts or API keys with escalated privileges.
- Privilege Escalation: The group abuses misconfigured permissions within Snowflake environments and uses legitimate tools and administrative interfaces to escalate privileges undetected.
- Defense Evasion: UNC5537 uses encrypted channels for command and control, obfuscates scripts and tools, and removes or alters logs to hide evidence of their activities.
- Credential Access: The group harvests stored credentials from compromised environments and uses password dumping or credential reconnaissance tools.
- Discovery: UNC5537 enumerates Snowflake account configurations, role assignments, and stored data, and scans cloud assets linked with the victim.
- Execution: The group runs malicious scripts and commands inside Snowflake and connected services, and uses legitimate Snowflake functions to extract or manipulate data.
- Exfiltration: UNC5537 extracts sensitive data from Snowflake environments and transfers stolen data using encrypted channels.
- Impact: The group causes data theft followed by ransom demands, potential deployment of ransomware on associated infrastructure, and disruption of customer cloud services.
Timeline of Events
- April 14: The earliest evidence of unauthorized access to Snowflake customer instances.
- April 19: Mandiant began investigating data stolen from an unknown database.
- May 22: Mandiant discovered additional Snowflake customers impacted by the cyberattacks and notified Snowflake and law enforcement agencies about the attacks.
- May 24: The earliest known instance of a cybercriminal posting allegedly stolen data from a Snowflake customer database for sale.
- May 30: Snowflake disclosed the attacks on customers' databases.
- May 31: Mandiant released a threat hunting guide to help Snowflake customers detect malicious activity on database instances.
- June 13: The financially-motivated attacker, which Mandiant refers to as UNC5537, was still actively extorting victims with data stolen from Snowflake customer environments.
Key Findings and Response
- Stolen credentials obtained from multiple infostealer malware infections on non-Snowflake owned systems were the point of entry for the attacks.
- The attacks were not caused by a vulnerability, misconfiguration, or breach of Snowflake's systems.
- Impacted customer accounts were not configured with multifactor authentication.
- Approximately 165 businesses are potentially exposed to the attacks; at least 100 Snowflake customers are confirmed impacted.
- Pure Storage is the first Snowflake customer to publicly confirm being impacted by the attacks.
- Snowflake is suspending certain user accounts where there are strong indicators of malicious activity.
- Snowflake is also blocking IP addresses associated with the cyber threat.
Recommendations
Organisations using Snowflake should ensure robust identity and access management, multi-factor authentication, and continuous monitoring to detect and mitigate these threats. Snowflake has provided indicators of compromise and additional recommended actions for companies to investigate potential threat activity within their Snowflake accounts.
- The UNC5537 cybercrime group, known for conducting sophisticated intrusions with financial gain in mind, is a significant threat to cybersecurity, particularly in the technology-driven finance sector.
- The TTPs of UNC5537 include various tactics such as exploiting vulnerabilities, conducting phishing campaigns, defense evasion, credential access, discovery, execution, exfiltration, and causing impact on victims' data, cloud resources, and services.
- The data breach targeting Snowflake customer environments was not caused by a vulnerability, misconfiguration, or breach of Snowflake's systems but instead originated from stolen credentials obtained from multiple infostealer malware infections on non-Snowflake owned systems.
- As a response to the data breach, Snowflake is suspending certain user accounts where there are strong indicators of malicious activity, blocking IP addresses associated with the cyber threat, and providing indicators of compromise and additional recommended actions for companies to investigate potential threat activity within their Snowflake accounts.
- To protect against such threats, organizations using Snowflake should implement robust identity and access management, multi-factor authentication, continuous monitoring, and threat intelligence to deter such cyberattacks and uphold privacy and security in their operations.