Cracking the Ice: Unraveling the Snowflake Data Breach — Lessons, Impacts, and Strategies for Resilience

Ensar Seker
Jan 27, 2025


The Snowflake attack began with stolen credentials and replayed refresh tokens. It has been clear from the beginning that attackers, trading on dark-web markets, exploit weaknesses in supposedly well-protected ecosystems.

The screenshot of that conversation reveals several critical details.

The threat actor found that Snowflake's refresh tokens did not expire as they should have and could be reused indefinitely. The actor used a tool called 'lift' to dump the Snowflake refresh tokens and mint the session tokens needed to get past the normal authentication flow. The same tool could reuse the captured cookies to get past Okta without a fresh login, sign in to ServiceNow and keep riding those sessions across platforms.

This attack method highlights two points: the value of disciplined token management (short lifetimes, rotation on every use, and revocation the moment a retired token is replayed) and the fragility of an authentication chain in which one long-lived token is a single point of failure. Whoever holds that token holds the account, however strong the login in front of it.

Credit: WhiteIntel Dark Web
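The token-management point above, as an added example rather than code from the post or from Snowflake's or Okta's own implementations: a minimal refresh-token store in Python that rotates the token on every use, gives it a hard expiry, and revokes the whole token family when a retired token is presented again, which is exactly what a replay from a stolen log looks like. The lifetimes, token format and in-memory store are assumptions for the example.

```python
"""Refresh-token rotation with replay detection (added example, not from the post).

Models the control whose absence the described attack exploited: a refresh
token that never expires and can be replayed at will. Here every use of a
refresh token retires it and issues a new one, a replay of a retired token
revokes the whole family, and refresh and session tokens both carry expiry.
Lifetimes, token format and the in-memory store are assumptions.
"""
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set, Tuple

REFRESH_TTL = 8 * 3600   # assumed: a refresh-token family lives 8 hours at most
SESSION_TTL = 15 * 60    # assumed: a session (access) token lives 15 minutes


@dataclass
class Family:
    """One login's chain of refresh tokens. Only `current` is ever valid."""
    user: str
    current: str
    expires_at: float
    revoked: bool = False
    retired: Set[str] = field(default_factory=set)  # tokens already rotated out


class TokenService:
    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self.clock = clock
        self.families: Dict[str, Family] = {}             # family_id -> Family
        self.sessions: Dict[str, Tuple[str, float]] = {}  # session -> (user, expiry)

    def login(self, user: str) -> Tuple[str, str]:
        """Start a new family after a full (password + MFA) login elsewhere."""
        family_id = secrets.token_urlsafe(8)
        refresh = f"{family_id}.{secrets.token_urlsafe(32)}"
        self.families[family_id] = Family(user, refresh, self.clock() + REFRESH_TTL)
        return refresh, self._mint_session(user)

    def refresh(self, token: str) -> Optional[Tuple[str, str]]:
        """Exchange a refresh token for a new (refresh, session) pair, or None."""
        family_id, _, _ = token.partition(".")
        fam = self.families.get(family_id)
        if fam is None or fam.revoked:
            return None
        if self.clock() > fam.expires_at:
            fam.revoked = True          # absolute lifetime reached: force re-login
            return None
        if token in fam.retired:
            # A token that was already rotated out is being presented again.
            # Someone else (say, a buyer of a stealer log) holds a copy, so
            # nothing in this family can be trusted any more.
            fam.revoked = True
            return None
        if not hmac.compare_digest(token, fam.current):
            return None
        fam.retired.add(fam.current)
        fam.current = f"{family_id}.{secrets.token_urlsafe(32)}"
        return fam.current, self._mint_session(fam.user)

    def validate_session(self, session: str) -> Optional[str]:
        """Return the user behind a live session token, or None if dead."""
        entry = self.sessions.get(session)
        if entry is None or self.clock() > entry[1]:
            return None
        return entry[0]

    def _mint_session(self, user: str) -> str:
        session = secrets.token_urlsafe(32)
        self.sessions[session] = (user, self.clock() + SESSION_TTL)
        return session


def replay_scenario() -> Dict[str, bool]:
    """Walk the attack the post describes through a rotating token store."""
    now = [1_700_000_000.0]                 # controllable clock for the demo
    svc = TokenService(clock=lambda: now[0])
    refresh1, _ = svc.login("alice")
    refresh2, _ = svc.refresh(refresh1)     # legitimate client rotates once
    replay = svc.refresh(refresh1)          # attacker replays the copied token
    legit_after = svc.refresh(refresh2)     # family is now revoked for everyone
    refresh3, session3 = svc.login("alice")
    now[0] += SESSION_TTL + 1
    session_dead = svc.validate_session(session3) is None
    now[0] += REFRESH_TTL
    refresh_dead = svc.refresh(refresh3) is None
    return {
        "rotation_issued_new_token": refresh2 != refresh1,
        "replay_rejected": replay is None,
        "family_revoked_after_replay": legit_after is None,
        "session_expires": session_dead,
        "refresh_expires": refresh_dead,
    }


if __name__ == "__main__":
    print(replay_scenario())
```

Revoking the whole family on replay is deliberate: the legitimate client is briefly inconvenienced and forced back through a full MFA login, but the copy sitting in a stealer log is dead, and the revocation event itself is the alert that a credential has leaked.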

The attacker in this conversation tells the other party that they entered the network through a single credential picked up by infostealer malware, which harvests saved browser passwords, cookies and session tokens (and sometimes keystrokes and screenshots) from an infected machine and packages them into 'logs' for sale on underground markets. The log was bought from a log seller, which shows that this level of access is sold as a commodity on a black market. The attacker shared the stealer log that provided the initial access. The file was tied to an enterprise user named 'adelou', a reminder that a single compromised user account is enough to open a massive hole in an organization's defenses.

The lengthy and blunt haggling over what the attack cost shows that the threat actors kept detailed records from the day of the infection onward. They tracked their operation carefully, which suggests a good amount of research before the intrusion. At one point in the conversation one party suggested purchasing protection from Hudson Rock, a company that tracks infostealer infections and the credentials they leak. The implication is that the organization could have spotted the compromised credential and shut the door before the extortion attempt ever started.

Now let's turn to the attack path diagram to understand the mechanism and tactics of the Snowflake campaign step by step, in the manner of a forensic reconstruction.

The diagram gives a clear picture of how the attack was carried out. As it shows, the attack chain was run by an adversary group tracked as UNC5537, which a Mandiant report links to financially motivated data-theft and extortion operations. Mandiant found no vulnerability in Snowflake itself: every intrusion it investigated traced back to a customer credential, most of them lifted from infostealer logs, used against accounts that had no multi-factor authentication and no network allow list in front of them.

Knowing this attack path makes it clear which points are best worth fortifying: the credential itself (MFA), the network edge (allow lists) and credential hygiene (rotating anything that turns up in a stealer log).

The following graph shows how the number of customers known to be affected by the Snowflake breach grew across three points in time.

Overall, the count rose steadily from April to July 2024.

In April 2024, around 20 customers were affected. Two months later, more than 100 were directly involved, and by July the figure had risen by a further 74.5%.

The data indicates a troubling trend:

  • In mid-April 2024, the breach had impacted a small number of customers.
  • By May 2024, the number of affected customers had more than doubled.
  • That growth continued at an alarming rate through June and into early July 2024.

Official figures put the number of organizations hit at 170 to 180. Unofficial reports and industry surveys, however, estimate that almost 400 organizations may have been affected, and the count is likely to grow. It is the same story with every security incident of this kind: the reach turns out to be far greater than it first appears.

This diagram illustrates the full course of the campaign against Snowflake customer instances, from obtaining access to making the stolen data public.

To make sense of the Snowflake data breach, it helps to look at its root causes and, more generally, the contributing factors, which fall into three categories: stealer logs, remote code execution (RCE) and phishing.

Stealer logs are the data captured by infostealer malware on an infected machine: saved browser passwords, cookies and session tokens, and often keystrokes and screenshots, bundled per victim and sold on underground markets. In many cases these logs are immediately visible to defenders who monitor those markets, which makes them an early warning as well as an attack vector. Credentials from such logs were used to obtain initial access in the Snowflake breach.
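The single stolen credential from the 'adelou' log described earlier and the stealer-log root cause in this paragraph are the same thing seen from the defender's side: a replayed credential leaves a distinctive footprint in login telemetry. The following Python hunts for that footprint. It is an added example, not code from the post or from Snowflake; the rows are constructed and shaped after the columns of Snowflake's SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY view (column names assumed from the Snowflake documentation, values made up), and the allow-list range and the three heuristics are assumptions.

```python
"""Hunting for replayed credentials in login telemetry (added example, not from the post).

A credential lifted from a stealer log typically shows up as a successful
password-only login, from an address outside the organization, using a
client the user has never used before. Rows are constructed; column names
are assumed from Snowflake's LOGIN_HISTORY view.
"""
import ipaddress
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Assumed corporate egress range; in practice the network policy allow list.
ALLOWED_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed sample rows (not real telemetry). SECOND_AUTHENTICATION_FACTOR
# is None when the login used a single factor.
LOGIN_HISTORY: List[Dict[str, object]] = [
    {"EVENT_TIMESTAMP": "2024-04-14T09:02:11", "USER_NAME": "ALICE",
     "CLIENT_IP": "203.0.113.10", "REPORTED_CLIENT_TYPE": "SNOWFLAKE_UI",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": "OTP", "IS_SUCCESS": "YES"},
    {"EVENT_TIMESTAMP": "2024-04-14T23:41:05", "USER_NAME": "ALICE",
     "CLIENT_IP": "198.51.100.77", "REPORTED_CLIENT_TYPE": "JDBC_DRIVER",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "YES"},
    {"EVENT_TIMESTAMP": "2024-04-15T08:15:40", "USER_NAME": "BOB",
     "CLIENT_IP": "203.0.113.22", "REPORTED_CLIENT_TYPE": "SNOWFLAKE_UI",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "YES"},
    {"EVENT_TIMESTAMP": "2024-04-15T02:03:59", "USER_NAME": "CAROL",
     "CLIENT_IP": "198.51.100.9", "REPORTED_CLIENT_TYPE": "PYTHON_DRIVER",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "NO"},
    {"EVENT_TIMESTAMP": "2024-04-15T04:00:00", "USER_NAME": "DAVE_SVC",
     "CLIENT_IP": "192.0.2.50", "REPORTED_CLIENT_TYPE": "PYTHON_DRIVER",
     "FIRST_AUTHENTICATION_FACTOR": "RSA_KEYPAIR",
     "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "YES"},
]

Finding = Tuple[str, str, str, Tuple[str, ...]]  # (timestamp, user, ip, reasons)


def is_allowed(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_NETS)


def build_baseline(rows) -> Dict[str, Set[str]]:
    """Client types each user has used from inside the allow list with MFA."""
    baseline: Dict[str, Set[str]] = defaultdict(set)
    for r in rows:
        if (r["IS_SUCCESS"] == "YES" and is_allowed(r["CLIENT_IP"])
                and r["SECOND_AUTHENTICATION_FACTOR"] is not None):
            baseline[r["USER_NAME"]].add(r["REPORTED_CLIENT_TYPE"])
    return baseline


def hunt(rows) -> List[Finding]:
    """Flag successful logins that look like a replayed stolen credential."""
    baseline = build_baseline(rows)
    findings: List[Finding] = []
    for r in rows:
        if r["IS_SUCCESS"] != "YES":
            continue  # failed attempts are a different hunt (spraying, guessing)
        reasons = []
        if (r["FIRST_AUTHENTICATION_FACTOR"] == "PASSWORD"
                and r["SECOND_AUTHENTICATION_FACTOR"] is None):
            reasons.append("password-only")
        if not is_allowed(r["CLIENT_IP"]):
            reasons.append("outside-allowlist")
        known = baseline.get(r["USER_NAME"], set())
        if known and r["REPORTED_CLIENT_TYPE"] not in known:
            reasons.append("new-client")
        if reasons:
            findings.append((r["EVENT_TIMESTAMP"], r["USER_NAME"],
                             r["CLIENT_IP"], tuple(reasons)))
    return findings


if __name__ == "__main__":
    for ts, user, ip, why in hunt(LOGIN_HISTORY):
        print(f"{ts} {user:<9} {ip:<15} {', '.join(why)}")
```

Each of the three heuristics maps directly to a WHERE clause you would run against the real view, and each corresponds to a control that would have stopped the login outright: mandatory MFA removes the password-only case, a network policy removes the outside-allow-list case, and a per-user client baseline catches the hand-rolled or off-the-shelf tooling an attacker brings to a replayed credential.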

Arbitrary code execution, or remote code execution (RCE) when it can be triggered over the network, is a vulnerability that lets an attacker run code of their choosing on a target system. Anything the software can do, the attacker can make it do: take control of the system, install malware or backdoors, or exfiltrate data, sensitive data included. Code-execution vulnerabilities are among the most destructive because they bypass many security mechanisms at once and let the attacker interact with the target directly. Note that Mandiant's investigation did not attribute the Snowflake intrusions to any such flaw in the platform; the door was a stolen credential.

Phishing leads users to divulge sensitive information (such as usernames and passwords) on the pretense that a trusted entity is asking for it, preying on human rather than technical weaknesses. That is why harvesting credentials is so often the real objective of a phishing campaign.

To fully grasp how the Snowflake breach was executed, it is essential to understand the exploitation process end to end. This diagram provides a step-by-step overview of how the attackers infiltrated and exploited the system.

Originally published at https://ensarseker.substack.com.
