“UNC5537: Analyzing the Snowflake Database Threat Campaign”

Summary:

In June 2024, a financially motivated threat actor tracked as UNC5537 targeted Snowflake customers, stealing credentials and gaining unauthorized access to customer accounts that had no multi-factor authentication (MFA) enabled. This article provides advanced threat-hunting techniques and methodologies for investigating such breaches, emphasizing the importance of proactive security measures and comprehensive monitoring of Snowflake accounts.


Keypoints:

  • UNC5537 targeted Snowflake customers, using stolen credentials against accounts that lacked MFA.
  • Investigations by Mandiant and Snowflake identified multiple affected customers.
  • The article presents advanced threat-hunting queries and methodologies for enhanced security.
  • Proactive measures and monitoring are crucial for safeguarding Snowflake accounts.
  • Specific indicators of compromise (IOCs) were communicated by Snowflake, including IP addresses and client characteristics.
  • Queries for detecting suspicious activities include monitoring unusual applications, daily error rates, and spikes in user query volumes.
  • Threat hunting must also cover Reader Account logs, otherwise significant activity can be missed.
  • Hunters provides detection content that flags potential attacks and strengthens security measures.
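As an added example that is not part of the original article or of Hunters' detection content, the following Snowflake SQL computes each user's daily query volume and error count from the ACCOUNT_USAGE.QUERY_HISTORY view and flags days where volume exceeds a trailing 30-day baseline. The 3x spike multiplier, the 7-day minimum history and the 60-day lookback are assumed thresholds chosen for illustration.

```sql
-- Added example: per-user daily query volume and error rate from
-- SNOWFLAKE.ACCOUNT_USAGE.QUERY_HISTORY, flagging spikes against a
-- trailing 30-day baseline. Thresholds (3x, 7 days, 60 days) are assumptions.
WITH daily AS (
  SELECT
    user_name,
    DATE_TRUNC('day', start_time)::date AS day,
    COUNT(*)                            AS queries,
    COUNT_IF(error_code IS NOT NULL)    AS errors
  FROM snowflake.account_usage.query_history
  WHERE start_time >= DATEADD('day', -60, CURRENT_TIMESTAMP())
  GROUP BY 1, 2
),
baseline AS (
  SELECT
    user_name,
    day,
    queries,
    errors,
    -- trailing window of up to 30 prior active days, excluding the current day
    AVG(queries) OVER (
      PARTITION BY user_name ORDER BY day
      ROWS BETWEEN 30 PRECEDING AND 1 PRECEDING
    ) AS avg_queries_30d,
    COUNT(*) OVER (
      PARTITION BY user_name ORDER BY day
      ROWS BETWEEN 30 PRECEDING AND 1 PRECEDING
    ) AS baseline_days
  FROM daily
)
SELECT
  user_name,
  day,
  queries,
  errors,
  ROUND(errors / NULLIF(queries, 0), 3)           AS error_rate,
  ROUND(avg_queries_30d, 1)                       AS avg_queries_30d,
  ROUND(queries / NULLIF(avg_queries_30d, 0), 1)  AS spike_ratio
FROM baseline
WHERE baseline_days >= 7                -- require some history before alerting
  AND queries > 3 * avg_queries_30d     -- volume spike versus the user's own baseline
  AND day >= DATEADD('day', -30, CURRENT_DATE())
ORDER BY spike_ratio DESC;
```

ACCOUNT_USAGE views lag live activity by up to about 45 minutes and retain a year of history, so this suits scheduled daily hunting rather than real-time alerting.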

MITRE Techniques:

  • Credential Dumping (T1003): Captures credentials from compromised systems to gain unauthorized access.
  • Initial Access (T1078): Uses stolen credentials to access Snowflake accounts without authorization.
  • Exploitation for Client Execution (T1203): Exploits vulnerabilities in client applications to execute malicious commands.
  • Command and Control (T1071): Maintains communication with compromised systems through various channels.
  • Account Manipulation (T1098): Alters account settings to facilitate unauthorized access and data exfiltration.

IoC:


Full Research: https://www.hunters.security/en/blog/detect-threats-in-snowflake-unc5537