Cloud Threat Landscape
Snowflake compromised creds abuse campaign

Type: Incident
Actors: UNC5537
Pub. date: May 29, 2024
Initial access: End-user compromise
Impact: Data exfiltration
Observed techniques: Valid creds abuse
Observed tools: rapeflake
Targeted technologies: Snowflake
References:
  • https://community.snowflake.com/s/article/Communication-ID-0108977-Additional-Information
  • https://community.snowflake.com/s/question/0D5VI00000Emyl00AB/detecting-and-preventing-unauthorized-user-access
  • https://www.mitiga.io/blog/tactical-guide-to-threat-hunting-in-snowflake-environments
  • https://web.archive.org/web/20240531140540/https://www.hudsonrock.com/blog/snowflake-massive-breach-access-through-infostealer-infection
  • https://permiso.io/blog/introducing-yetihunter-an-open-source-tool-to-detect-and-hunt-for-suspicious-activity-in-snowflake
  • https://posts.specterops.io/mapping-snowflakes-access-landscape-3bf232251945
  • https://cloud.google.com/blog/topics/threat-intelligence/unc5537-snowflake-data-theft-extortion/
  • https://securitylabs.datadoghq.com/articles/a-guide-to-threat-hunting-and-monitoring-in-snowflake/
  • https://medium.com/anton-on-security/no-snow-no-flakes-pondering-cloud-security-shared-responsibility-again-10b51e4ebba3
Status: Stub
Last edited: Jun 17, 2024 10:27 AM

On May 30, 2024, researchers published a report on activity by a threat actor tracked as UNC5537, which abused stolen credentials to gain unauthorized access to Snowflake customer accounts that were not protected by MFA, using a toolkit known as rapeflake. No exploit was involved: a valid username and password was sufficient to log in wherever a second factor had not been enrolled.

On May 31, 2024, Snowflake published an advisory notifying customers of malicious activity it had detected involving unauthorized access to customer accounts, dating back as far as mid-April 2024. The company stated that it believes the common initial access vector to be compromised credentials for those accounts, and that it does not believe the root cause to be a vulnerability, misconfiguration, or malicious activity within the Snowflake product itself. In other words, the exposure sat on the customer side of the shared-responsibility line: single-factor user accounts whose passwords had leaked.
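The two facts above (password-only logins, activity since mid-April) translate directly into a hunt. The following Snowflake SQL is an added example written for this page; it is not from the Wiz entry, from Snowflake's advisory, or from any of the referenced hunting guides. It assumes the standard SNOWFLAKE.ACCOUNT_USAGE views and a role that can read them (ACCOUNTADMIN or one granted the SECURITY_VIEWER database role). The window start 2024-04-01 is an assumption chosen to comfortably cover the "mid-April" start Snowflake reported; the placeholder <user> in the last step is hypothetical.

```sql
-- Added hunting example for the Snowflake credential-abuse campaign.
-- Assumptions: SNOWFLAKE.ACCOUNT_USAGE access; window start 2024-04-01
-- (covers the mid-April start Snowflake reported); <user> is a placeholder.

-- 1. Successful logins that used ONLY a password (no second factor),
--    the exact condition the actor relied on, grouped by user, source IP
--    and the client the caller reported.
SELECT
    user_name,
    client_ip,
    reported_client_type,
    reported_client_version,
    MIN(event_timestamp) AS first_seen,
    MAX(event_timestamp) AS last_seen,
    COUNT(*)             AS login_count
FROM snowflake.account_usage.login_history
WHERE event_timestamp >= '2024-04-01'
  AND is_success = 'YES'
  AND first_authentication_factor = 'PASSWORD'   -- excludes key-pair/OAuth/SAML
  AND second_authentication_factor IS NULL
GROUP BY 1, 2, 3, 4
ORDER BY first_seen;

-- 2. The same password-only logins, restricted to source IPs the user had
--    never successfully logged in from before the window. A new IP plus a
--    new client type for an old account is the pattern to triage first.
WITH baseline AS (
    SELECT DISTINCT user_name, client_ip
    FROM snowflake.account_usage.login_history
    WHERE event_timestamp < '2024-04-01'
      AND is_success = 'YES'
)
SELECT
    lh.event_timestamp,
    lh.user_name,
    lh.client_ip,
    lh.reported_client_type,
    lh.reported_client_version
FROM snowflake.account_usage.login_history lh
LEFT JOIN baseline b
       ON b.user_name = lh.user_name
      AND b.client_ip = lh.client_ip
WHERE lh.event_timestamp >= '2024-04-01'
  AND lh.is_success = 'YES'
  AND lh.first_authentication_factor = 'PASSWORD'
  AND lh.second_authentication_factor IS NULL
  AND b.user_name IS NULL                          -- no prior login from this IP
ORDER BY lh.event_timestamp;

-- 3. Exposure inventory: live, password-bearing users with no MFA enrolled
--    (or with an active MFA bypass). This is the population the same
--    technique still works against.
SELECT
    name,
    last_success_login,
    password_last_set_time,
    ext_authn_duo,
    bypass_mfa_until
FROM snowflake.account_usage.users
WHERE deleted_on IS NULL
  AND disabled::boolean = FALSE
  AND has_password = TRUE
  AND (ext_authn_duo = FALSE
       OR bypass_mfa_until > CURRENT_TIMESTAMP())
ORDER BY last_success_login DESC NULLS LAST;

-- 4. Containment for an account confirmed compromised by steps 1-2:
--    cut off the session source, then rotate out of band.
ALTER USER <user> SET DISABLED = TRUE;
ALTER USER <user> RESET PASSWORD;   -- emits a one-time reset URL for the real owner
```

Two caveats when running this: ACCOUNT_USAGE views are populated with a delay (LOGIN_HISTORY lags by up to a couple of hours, and the view covers roughly one year), so confirm live suspicion against the INFORMATION_SCHEMA LOGIN_HISTORY table function; and step 2 is a heuristic, so expect noise from VPN egress changes and from service accounts that were never logged into interactively before. Disabling the user does not end already-running queries, so follow step 4 with a review of QUERY_HISTORY for the same user over the same window to scope what was read.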

On the same day, another group of researchers published a report (which has since been taken down) based on conversations with a person claiming to be behind this activity. The alleged criminal stated that they had gained access to Snowflake's customers by abusing prior access to a Snowflake employee's account; Snowflake has disputed these claims. The same report also linked the activity described by Snowflake to recent breaches impacting Ticketmaster and several other companies, attributed to a group known as ShinyHunters, but this remains unvalidated.

Made with 💙 by Wiz

Last Updated: April 3, 2025