What to Learn from the Snowflake Breach?
Introduction
The recent series of incidents involving Snowflake, a leading cloud-based data storage and analytics platform, has sparked widespread concern and speculation. While Snowflake concluded that the data leaks were not due to vulnerabilities or breaches in their systems, the situation highlights critical lessons for the cybersecurity community. This blog will explore what we can learn from these incidents, emphasizing the importance of strong security practices and shared responsibility in cloud environments.
The Nature of the Incident
On June 12, 2024, Snowflake reported a targeted threat campaign against some of its customer accounts. According to investigations, the breaches were not due to any vulnerability or misconfiguration within Snowflake's systems. Instead, the culprit was compromised customer credentials, primarily obtained through various infostealer malware variants.
Key Points:
- **Threat actors accessed multiple organizations' Snowflake instances using stolen credentials.**
- **Infostealer malware such as VIDAR, RISEPRO, REDLINE, RACOON STEALER, LUMMA, and METASTEALER was used to harvest these credentials.**
- **Many initial compromises occurred on contractor systems used for personal activities.**
Detailed Findings
Mandiant's Investigation:
- The attacks were attributed to a financially motivated group named UNC5537.
- Hundreds of Snowflake customer credentials have been compromised since 2020.
- The attack vector was stolen credentials, not vulnerabilities in Snowflake's infrastructure.
Snowflake's Response:
- Affected customers were notified.
- Snowflake emphasized the need for advanced security controls like multi-factor authentication (MFA).
Key Factors Contributing to the Breach
Lack of Multi-Factor Authentication (MFA):
Many compromised accounts did not have MFA enabled, making it easier for threat actors to gain access with just a username and password.
Outdated Credentials:
Credentials from infostealer malware remained valid for years without being updated or rotated.
Absence of Network Allow Lists:
Impacted accounts did not restrict access to trusted locations, providing an open gateway for attackers.
Credential Exposure:
Mandiant's analysis revealed that the threat actor used credentials exposed by various infostealer malware, including VIDAR, RISEPRO, REDLINE, RACOON STEALER, LUMMA, and METASTEALER. Over 79.7% of the leveraged accounts had prior credential exposure dating back to as early as 2020.
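The three weaknesses above map directly onto settings a Snowflake administrator can audit and enforce. As an added example (not code from the original post or from Snowflake), the statements below query the account's own usage views for password users without MFA and for passwords that have not been rotated, then attach a network allow list and a mandatory-MFA authentication policy. The policy names, the SECURITY_DB.POLICIES location, the 90-day threshold, the example user and the RFC 5737 documentation IP ranges are assumed placeholders.

```sql
-- Added example, not code from the original post or from Snowflake:
-- auditing a Snowflake account for the three weaknesses named above
-- (no MFA, stale passwords, no network allow list) via the
-- SNOWFLAKE.ACCOUNT_USAGE views, then closing them with policies.
-- Needs a role with ACCOUNTADMIN/SECURITYADMIN-level privileges.
-- Assumptions: SECURITY_DB.POLICIES, the policy names, the 90-day
-- threshold, EXAMPLE_USER and the RFC 5737 IP ranges are placeholders.

-- 1. Active users who can log in with a password but have no MFA enrolled.
--    (USERS is a latency-delayed view; the casts cover VARIANT columns.)
SELECT name, last_success_login, created_on
FROM snowflake.account_usage.users
WHERE deleted_on IS NULL
  AND disabled::boolean = FALSE
  AND has_password::boolean = TRUE
  AND has_mfa::boolean = FALSE
ORDER BY last_success_login DESC NULLS LAST;

-- 2. Password users whose password has not been reset in 90 days.
--    A credential lifted by an infostealer in 2020 would surface here.
SELECT name, password_last_set_time,
       DATEDIFF(day, password_last_set_time, CURRENT_TIMESTAMP()) AS password_age_days
FROM snowflake.account_usage.users
WHERE deleted_on IS NULL
  AND has_password::boolean = TRUE
  AND (password_last_set_time IS NULL
       OR password_last_set_time < DATEADD(day, -90, CURRENT_TIMESTAMP()))
ORDER BY password_age_days DESC NULLS FIRST;

-- 3. Is any network policy attached at the account level?
SHOW PARAMETERS LIKE 'NETWORK_POLICY' IN ACCOUNT;

-- Remediation: an account-level network allow list. A login from an
-- address outside these ranges is refused regardless of the password,
-- so a stolen credential on its own no longer suffices.
CREATE NETWORK POLICY IF NOT EXISTS corp_allow_list
  ALLOWED_IP_LIST = ('203.0.113.0/24', '198.51.100.0/24')  -- placeholder corporate egress and VPN ranges
  COMMENT = 'Only corporate egress and the company VPN may reach Snowflake';
ALTER ACCOUNT SET NETWORK_POLICY = corp_allow_list;

-- Remediation: an authentication policy that makes MFA enrollment
-- mandatory rather than optional for password logins.
CREATE AUTHENTICATION POLICY IF NOT EXISTS security_db.policies.require_mfa
  MFA_ENROLLMENT = REQUIRED
  COMMENT = 'Password users must enroll in MFA at their next Snowsight login';
ALTER ACCOUNT SET AUTHENTICATION POLICY security_db.policies.require_mfa;

-- Remediation: force a reset for each stale password found by query 2
-- (one placeholder user shown; generate one statement per result row).
ALTER USER IF EXISTS example_user SET MUST_CHANGE_PASSWORD = TRUE;
```

Run the three audit queries first and keep their output: they are the baseline against which the policies are judged afterwards, and the list from query 1 is the set of accounts that could have been taken over with nothing more than a leaked password. Apply the network policy only after confirming the allow list contains every address administrators themselves connect from, since it applies to their sessions too.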
Root Cause
The primary root cause identified was exposed credentials from infostealer malware infections. These infections often originated from contractor systems used for both personal and professional activities, increasing the risk of exposure. Contractors using non-monitored laptops for personal activities like gaming and downloading pirated software were particularly vulnerable.
Reconnaissance and Data Exfiltration
The attackers used Snowflake's native UI (SnowSight) and command-line interface (SnowSQL) to perform reconnaissance and exfiltrate data. They also employed an attacker-named utility, "rapeflake" (tracked as FROSTBITE), for reconnaissance. Key SQL commands used for data staging and exfiltration included:
- `SHOW TABLES`: to list all databases and associated tables.
- `SELECT * FROM`: to download tables of interest.
- `CREATE TEMPORARY STAGE`: to create temporary stages for data storage.
- `COPY INTO`: to copy data into temporary stages, compressing it using GZIP.
- `GET`: to exfiltrate data from temporary stages to local directories.
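Because every step of that sequence is an ordinary statement, each one is recorded in the account's query history, and that is where a defender can look for it after the fact. The hunt below is an added example, not code from the original post or from Mandiant's report. It assumes Snowflake's SNOWFLAKE.ACCOUNT_USAGE views, a seven-day window, an enumeration threshold of 20 and a placeholder corporate IP prefix.

```sql
-- Added example, not code from the original post or from Snowflake/Mandiant:
-- hunting in SNOWFLAKE.ACCOUNT_USAGE for the stage-and-download pattern
-- described above (CREATE TEMPORARY STAGE -> COPY INTO @stage -> GET) and
-- tying the hits back to where the sessions came from. View and column
-- names are Snowflake's; the 7-day window, the threshold of 20 and the
-- corporate IP prefix are assumptions. ACCOUNT_USAGE views lag real time.

-- 1. Per user: did the whole staging sequence occur inside the window?
--    'COPY INTO @' matches an unload to a stage (a load reads FROM @stage);
--    GET statements are recorded in QUERY_HISTORY like any other statement.
WITH staging_activity AS (
  SELECT user_name, start_time, query_text
  FROM snowflake.account_usage.query_history
  WHERE start_time >= DATEADD(day, -7, CURRENT_TIMESTAMP())
    AND execution_status = 'SUCCESS'
    AND (   query_text ILIKE 'CREATE%TEMP%STAGE%'
         OR query_text ILIKE 'COPY INTO @%'
         OR query_text ILIKE 'GET @%')
)
SELECT user_name,
       MIN(start_time) AS first_seen,
       MAX(start_time) AS last_seen,
       COUNT_IF(query_text ILIKE 'CREATE%TEMP%STAGE%') AS stages_created,
       COUNT_IF(query_text ILIKE 'COPY INTO @%')       AS unloads_to_stage,
       COUNT_IF(query_text ILIKE 'GET @%')             AS stage_downloads
FROM staging_activity
GROUP BY user_name
HAVING stages_created > 0 AND unloads_to_stage > 0 AND stage_downloads > 0
ORDER BY stage_downloads DESC;

-- 2. The reconnaissance half: users issuing an unusual volume of
--    SHOW TABLES / SHOW SCHEMAS / SHOW DATABASES enumeration calls.
SELECT user_name, COUNT(*) AS show_statements, MIN(start_time) AS first_seen
FROM snowflake.account_usage.query_history
WHERE start_time >= DATEADD(day, -7, CURRENT_TIMESTAMP())
  AND query_text ILIKE ANY ('SHOW TABLES%', 'SHOW SCHEMAS%', 'SHOW DATABASES%')
GROUP BY user_name
HAVING show_statements >= 20   -- assumed threshold; tune to the account's baseline
ORDER BY show_statements DESC;

-- 3. Where did the flagged users' sessions come from? Successful logins
--    from outside the assumed corporate prefix, with the connecting client
--    (SNOWFLAKE_UI, SNOWSQL, a driver) so Snowsight/SnowSQL use stands out.
SELECT l.user_name, l.event_timestamp, l.client_ip, l.reported_client_type
FROM snowflake.account_usage.login_history l
WHERE l.event_timestamp >= DATEADD(day, -7, CURRENT_TIMESTAMP())
  AND l.is_success = 'YES'
  AND l.client_ip NOT LIKE '203.0.113.%'   -- placeholder corporate range
ORDER BY l.event_timestamp;
```

The first query is deliberately strict (all three stages must appear for the same user) to keep the result short; loosen it to any two of the three when triaging a suspected incident. Query 2 will also flag legitimate BI tools and migration jobs, so compare against the user's history before acting, and feed the user names from queries 1 and 2 into query 3 to see whether the sessions came from commercial VPN egress rather than a known corporate address.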
Attribution and Infrastructure
UNC5537, tracked since May 2024, targets hundreds of organizations globally, operating under various aliases on Telegram channels and cybercrime forums. The threat actor primarily used Mullvad or Private Internet Access (PIA) VPNs and VPS systems from ALEXHOST SRL for their operations. They stored stolen data on several international VPS providers and MEGA, a cloud storage provider.
Outlook and Implications
The campaign's impact highlights the need for improved credential security. Despite the lack of novel techniques, the campaign succeeded due to the widespread availability of stolen credentials and insufficient security measures.
Lessons Learned
1. Implementing Multi-Factor Authentication (MFA)
MFA should be mandatory for all critical accounts. Relying solely on passwords is no longer viable given the sophistication of modern cyberattacks. Even though some MFA methods can be intercepted, they still add a crucial layer of security.
Action Points:
- Enforce MFA across all user accounts.
- Consider advanced MFA methods resistant to phishing, such as hardware tokens.
2. Securing Contractor Systems
Contractor systems used for both work and personal activities pose significant risks. The breaches highlighted the vulnerability of these systems to malware and credential theft.
Action Points:
- Implement strict usage policies for contractor systems.
- Ensure regular security audits and monitoring of these systems.
3. Shared Responsibility Model
Snowflake's adherence to the shared responsibility model underscores that while the platform provides tools and guidance, customers must actively implement and manage their security measures.
Action Points:
- Regularly review and follow the security recommendations provided by cloud service providers.
- Perform continuous monitoring and audits of your cloud environment.
Key Recommendations
- Enforce Multi-Factor Authentication (MFA): Implementing MFA can significantly reduce the risk of unauthorized access.
- Regular Credential Rotation: Regularly updating and rotating credentials can prevent the use of outdated, compromised credentials.
- Use Network Allow Lists: Restrict access to trusted locations to minimize exposure.
- Credential Monitoring: Continuously monitor credentials for signs of compromise and take immediate action if detected.
Moving Forward
The Snowflake incidents remind us of the ongoing need to bolster data security measures. Organizations must not only rely on the security of their service providers but also actively participate in maintaining robust security practices.
Conclusion
In an era where data is the lifeblood of business, incidents like the Snowflake breach serve as critical reminders of the shared responsibilities in modern data security. By learning from these events and continuously improving our security practices, we can better protect our valuable data assets.
Robin Joseph
Head of Security Testing