On May 31, 2024, Hudson Rock reported that customer data from Snowflake, a cloud-based data warehouse platform, had been compromised: employee credentials stolen via an infostealer were used to obtain access to customer accounts and data. Separate reporting from Mitiga, an independent security consulting firm, stated that a threat actor referred to as UNC5537 had used stolen customer credentials to gain unauthorized access to Snowflake databases, with the primary focus of data theft and extortion.
We are sharing details of this ongoing campaign to provide situational awareness and help organizations defend against this threat. As this is a developing situation, we may add further information via additional Security Bulletins as more threat intelligence becomes available.
Infostealer campaign details
According to available reporting by Hudson Rock, a Snowflake employee's credentials were compromised through an infostealer infection in October 2023. Allegedly, this allowed the threat actor to bypass Okta and generate Snowflake session tokens, enabling them to exfiltrate significant amounts of data from Snowflake's servers. The threat actor claimed to have access to data from 400 companies that stored their data with Snowflake.
Hudson Rock reported that they corresponded with an alleged threat actor who claimed to have exfiltrated data from TicketMaster and Santander via the compromised employee credentials.
Response from Snowflake
According to Snowflake, increased threat activity was observed around mid-April 2024 from a subset of IP addresses originating from providers of commercial VPN services.
Based on their investigation as of May 31, 2024 at 2:16 PM ET, Snowflake stated that they did not believe they were the source of any compromised credentials in this campaign, and that they did not have specific evidence of misconfiguration or vulnerabilities in their product leading to the compromise. Snowflake has contacted the customers thought to be impacted.
Arctic Wolf is a customer of its own products and services and, where applicable, we will follow the same recommendations outlined for our customers in this Security Bulletin.