Lax Credential Hygiene at Root of Snowflake Breach: Researchers

Security researchers at Google subsidiary Mandiant have traced the months-long Snowflake security breach to an attack group taking advantage of old credentials and weak authentication methods.

Cloud storage provider Snowflake has been at the center of an ongoing data incident affecting customers including Ticketmaster, Lending Tree and multinational banking firm Santander. In an account of the incident on its Web site, Snowflake said attackers likely began targeting its customers in mid-April, though its alarms didn't go off until late May.

Snowflake conscripted security firm Mandiant to help it investigate the attack. This week, Mandiant released its findings, stating that a North American hacking group named UNC5537 was behind the campaign, which to date has exposed the data of about 165 Snowflake customers.

Both Mandiant and Snowflake contend that UNC5537 didn't gain access to customers' data via flaws in Snowflake's security posture, but rather via weaknesses in the victims' own (even if at least one of those victims was also a Snowflake employee). Per Snowflake's Web site:

  • We have no evidence suggesting this activity was caused by any vulnerability, misconfiguration, or breach of Snowflake's product.
  • Snowflake does not believe that it was the source of any of the leaked customer credentials.
  • There is no "master Application Programming Interface (API)" or pathway for customers' credentials to be accessed and exfiltrated from the Snowflake production environment.
  • Snowflake is a cloud product and anyone can sign up for an account at any time. If a threat actor obtains customer credentials, they may be able to access the account. Snowflake employees are no different and can also create their own Snowflake "customer" accounts using personal credentials.
  • We did find evidence that similar to impacted customer accounts, the threat actor obtained personal credentials to and accessed a demo account owned by a former Snowflake employee. It did not contain sensitive data. Demo accounts are not connected to Snowflake's production or corporate systems. The access was possible because the demo account was not behind Okta or MFA, unlike Snowflake's corporate and production systems.

Mandiant's investigation seems to bear this out. According to the researchers, the primary avenue the hackers used to infiltrate customers' Snowflake instances was those customers' own credentials, nearly 80 percent of which had already been compromised in infostealer campaigns dating as far back as 2020. Most of these stolen credentials were never changed or strengthened with multifactor authentication (MFA), and were already being disseminated on the Dark Web by the time UNC5537 got its hands on them:

UNC5537 obtained access to multiple organizations' Snowflake customer instances via stolen customer credentials. These credentials were primarily obtained from multiple infostealer malware campaigns that infected non-Snowflake owned systems. This allowed the threat actor to gain access to the affected customer accounts and led to the export of a significant volume of customer data from the respective Snowflake customer instances.

In addition, Mandiant noted that most of the affected customers did not use network allowlists to limit access to their Snowflake instances.

[Figure: Snowflake attack path. (Source: Mandiant)]

Mandiant also found that some of the affected customers had, at some point, interacted with contractors whose devices had been infected with infostealer malware. The researchers specifically singled out contractors who use their work devices for personal tasks, such as gaming or downloading media.

"These devices, often used to access the systems of multiple organizations, present a significant risk," Mandiant explained. "If compromised by infostealer malware, a single contractor's laptop can facilitate threat actor access across multiple organizations, often with IT and administrator-level privileges."

UNC5537's modus operandi is financial extortion. The group "is systematically compromising Snowflake customer instances using stolen customer credentials, advertising victim data for sale on cybercrime forums, and attempting to extort many of the victims," Mandiant said.

Mandiant characterized the attack as not being particularly sophisticated -- and, therefore, extremely repeatable. The researchers predict UNC5537 eventually will try the same methods on other SaaS platforms, particularly those that don't enforce MFA, network allowlists or credential monitoring.

Meanwhile, Snowflake offers some security guidance for its customers here.

About the Author

Gladys Rama (@GladysRama3) is the editorial director of Converge360.

