UNC5537 Targets Snowflake Customer Instances for Data Theft and Extortion – Google


Credential Exposure

Mandiant identified that the threat actor used Snowflake customer credentials that were previously exposed via several infostealer malware variants, including: VIDAR, RISEPRO, REDLINE, RACOON STEALER, LUMMA and METASTEALER. For the organizations that directly engaged Mandiant for incident response services, Mandiant determined the root cause of their Snowflake instance compromise was exposed credentials. Further, according to Mandiant and Snowflake’s analysis, at least 79.7% of the accounts leveraged by the threat actor in this campaign had prior credential exposure.

The earliest infostealer infection date observed associated with a credential leveraged by the threat actor dated back to November 2020. In total, Mandiant identified hundreds of customer Snowflake credentials exposed via infostealers since 2020. 

Stolen credentials pose a serious security risk to organizations and were the fourth most notable initial intrusion vector in 2023, as 10% of intrusions began with stolen credentials. Attackers often obtain credentials through password reuse or through users inadvertently downloading trojanized software on corporate or personal devices. The prevalence of both widespread infostealer malware and credential purchasing continues to challenge defenders.

Contractor Accounts

In several Snowflake related investigations, Mandiant observed that the initial compromise of infostealer malware occurred on contractor systems that were also used for personal activities, including gaming and downloads of pirated software. 

Contractors that customers engage to assist with their use of Snowflake may utilize personal and/or non-monitored laptops that exacerbate this initial entry vector. These devices, often used to access the systems of multiple organizations, present a significant risk. If compromised by infostealer malware, a single contractor’s laptop can facilitate threat actor access across multiple organizations, often with IT and administrator-level privileges. 

Reconnaissance 

Initial access to Snowflake customer instances often occurred via the native web-based UI (Snowflake UI, also known as SnowSight) and/or the command-line interface (CLI) tool (SnowSQL) running on Windows Server 2022. Mandiant identified additional access leveraging an attacker-named utility, “rapeflake”, which Mandiant tracks as FROSTBITE.

While Mandiant has not yet recovered a complete sample of FROSTBITE, Mandiant assesses that FROSTBITE is used to perform reconnaissance against target Snowflake instances. Mandiant observed usage of both .NET and Java versions of FROSTBITE. The .NET version interacts with the Snowflake .NET driver; the Java version interacts with the Snowflake JDBC driver. FROSTBITE has been observed performing SQL reconnaissance activities, including listing users, current roles, current IPs, session IDs, and organization names. Mandiant also observed UNC5537 use a publicly available database management utility, DBeaver Ultimate, to connect to and run queries across Snowflake instances.

Example FROSTBITE Snowflake Log Entry
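The log entry figure referenced above is not reproduced on this page. As an added example (not Mandiant's or Snowflake's code), the following Python sketch shows one way a defender could hunt for the reconnaissance pattern described above: a session that, in a short window, calls several Snowflake identity and session context functions (CURRENT_USER, CURRENT_ROLE, CURRENT_IP_ADDRESS, CURRENT_SESSION, CURRENT_ORGANIZATION_NAME) or runs SHOW USERS / SHOW GRANTS / SHOW ROLES. It assumes input rows shaped like SNOWFLAKE.ACCOUNT_USAGE.QUERY_HISTORY (QUERY_TEXT, USER_NAME, SESSION_ID, START_TIME); the sample rows, session IDs and the scoring threshold are constructed for illustration and are not indicators from the report.

```python
"""Heuristic hunt for Snowflake session reconnaissance of the kind attributed to FROSTBITE.

Added example, not Mandiant's or Snowflake's code. Input rows are assumed to look like
SNOWFLAKE.ACCOUNT_USAGE.QUERY_HISTORY rows (QUERY_TEXT, USER_NAME, SESSION_ID, START_TIME).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Context functions and SHOW commands that enumerate identity, role, network,
# session and organisation details. One of these alone is routine; several
# distinct ones in one session within a few minutes is the signal we look for.
RECON_PATTERNS = {
    "current_user": re.compile(r"\bcurrent_user\s*\(", re.I),
    "current_role": re.compile(r"\bcurrent_role\s*\(", re.I),
    "current_ip": re.compile(r"\bcurrent_ip_address\s*\(", re.I),
    "current_session": re.compile(r"\bcurrent_session\s*\(", re.I),
    "org_name": re.compile(r"\bcurrent_organization_name\s*\(", re.I),
    "show_users": re.compile(r"^\s*show\s+users\b", re.I),
    "show_grants": re.compile(r"^\s*show\s+grants\b", re.I),
    "show_roles": re.compile(r"^\s*show\s+roles\b", re.I),
}


def classify(query_text):
    """Return the set of reconnaissance categories matched by one query text."""
    return {name for name, pat in RECON_PATTERNS.items() if pat.search(query_text)}


def find_recon_sessions(rows, window=timedelta(minutes=10), min_categories=3):
    """Flag sessions in which at least `min_categories` distinct recon categories
    occur within `window` of each other. Returns {session_id: sorted categories}.
    The window matters: an administrator spreading the same commands over a day
    is not the same thing as a tool firing them in seconds."""
    by_session = defaultdict(list)
    for r in rows:
        cats = classify(r["QUERY_TEXT"])
        if cats:
            by_session[r["SESSION_ID"]].append((r["START_TIME"], cats))

    flagged = {}
    for sid, events in by_session.items():
        events.sort(key=lambda e: e[0])
        for i, (t0, _) in enumerate(events):  # sliding window over the session
            seen = set()
            for t, cats in events[i:]:
                if t - t0 > window:
                    break
                seen |= cats
            if len(seen) >= min_categories:
                flagged[sid] = sorted(seen)
                break
    return flagged


def _t(h, m, s=0):
    return datetime(2024, 4, 1, h, m, s)


# Constructed sample rows (not real log data). Session "s-001" behaves like the
# reconnaissance described in the report; "s-analyst" is ordinary analytics;
# "s-admin" runs the same commands but hours apart, so the window excludes it.
SAMPLE_ROWS = [
    {"SESSION_ID": "s-001", "USER_NAME": "SVC_ETL", "START_TIME": _t(10, 0, 0),
     "QUERY_TEXT": "SELECT CURRENT_USER(), CURRENT_ROLE(), CURRENT_IP_ADDRESS(), "
                   "CURRENT_SESSION(), CURRENT_ORGANIZATION_NAME()"},
    {"SESSION_ID": "s-001", "USER_NAME": "SVC_ETL", "START_TIME": _t(10, 0, 5),
     "QUERY_TEXT": "SHOW USERS"},
    {"SESSION_ID": "s-001", "USER_NAME": "SVC_ETL", "START_TIME": _t(10, 0, 9),
     "QUERY_TEXT": "SHOW GRANTS TO USER SVC_ETL"},
    {"SESSION_ID": "s-analyst", "USER_NAME": "JDOE", "START_TIME": _t(11, 0, 0),
     "QUERY_TEXT": "SELECT CURRENT_ROLE()"},
    {"SESSION_ID": "s-analyst", "USER_NAME": "JDOE", "START_TIME": _t(11, 0, 30),
     "QUERY_TEXT": "SELECT * FROM sales.orders LIMIT 10"},
    {"SESSION_ID": "s-admin", "USER_NAME": "DBA", "START_TIME": _t(9, 0, 0),
     "QUERY_TEXT": "SHOW USERS"},
    {"SESSION_ID": "s-admin", "USER_NAME": "DBA", "START_TIME": _t(12, 0, 0),
     "QUERY_TEXT": "SELECT current_user()"},
    {"SESSION_ID": "s-admin", "USER_NAME": "DBA", "START_TIME": _t(15, 0, 0),
     "QUERY_TEXT": "SHOW GRANTS TO ROLE SYSADMIN"},
]


if __name__ == "__main__":
    for sid, cats in find_recon_sessions(SAMPLE_ROWS).items():
        print(f"{sid}: {', '.join(cats)}")
```

In a real deployment the rows would come from a query against ACCOUNT_USAGE.QUERY_HISTORY joined to LOGIN_HISTORY, so that a flagged session can be tied to the client IP and the reported client type that authenticated it; the threshold and window are starting points to tune against your own baseline rather than fixed values.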

