Proactive Intelligence Against Infostealers: Lessons from the Snowflake Data Breach

After major cyber attacks or data breaches, cybersecurity companies and professionals universally face the question, "How would you have detected or prevented this type of attack?" This week, the question is related to the Snowflake data breach.

The Snowflake Data Breach: What Happened and Its Implications 

Security analysts at Mandiant have reported a significant data breach affecting hundreds of Snowflake cloud storage customers. Snowflake is a cloud-based data platform that provides a single place for data storage, processing, and analytics. It is available on public clouds like Amazon Web Services (AWS), Google Cloud, and Microsoft Azure, making it considered cloud-agnostic.

Key Details of the Breach:

• A financially motivated threat actor, identified as UNC5537, used stolen credentials from various infostealer malware campaigns to infiltrate Snowflake accounts.
• The breach, discovered in April 2024, has affected at least 165 organizations, with compromised credentials dating back to 2020.
• Attackers bypassed traditional defenses, gaining unauthorized access and exfiltrating significant volumes of data, leading to potential data theft and extortion.
• The hacking group includes members based in North America and Turkey and collaborates with other threat actors.

The primary issue in this case appears to have been a lack of proper security controls on the victim Snowflake instances (no MFA, open network ACL, no requirement to change passwords), which enabled the use of previously compromised credentials. While technically fixable, this is another high-profile incident affected by fundamental security issues.

The incident underscores the critical importance of leveraging proactive threat intelligence to detect novel and evolving cyber threats before they can launch campaigns using vulnerabilities like missing Multi-Factor Authentication (MFA).

What Are Infostealers?

Infostealers are a type of malware designed to infiltrate systems and steal sensitive information such as login credentials, financial data, and other personal information. These tools are often deployed via phishing emails or malicious websites and can evade traditional security measures.

According to Mandiant's analysis, infostealer activity related to this breach dates back to 2020. The threat actors accessed credentials from various infostealer campaigns, successfully infecting systems, executing their malware, and exfiltrating data for multiple victims. They bypassed traditional defenses such as firewalls, intrusion detection systems (IDS), and endpoint protections, transmitting stolen data to Command and Control (C2) servers. This highlights the importance of network-based detections and proactive threat intelligence, which can effectively detect such activities and add an essential layer of security to the overall cyber ecosystem.

Setting Up an Attack

1. Acquire Attack Infrastructure Hosts: Attackers acquire servers, IP addresses, domain names, and paths to set up their attack infrastructure.
2. Configure Hosts with Required Assets: Attackers configure the acquired infrastructure with necessary assets, such as TLS certificates for secure communication, malware tools, configuration files, and other necessary scripts and documents.
3. Launch Attacks Against Targets: Attackers use the configured infrastructure to launch attacks against their chosen targets, leveraging the assets and setup from the previous steps.

The Role of IronRadar in Proactive Defense

Malware typically requires external communication to a Command and Control (C2) server to receive additional instructions, maintain persistence, exfiltrate data, etc. Knowing the adversary C2 servers provides critical information applicable to a majority of cyber attacks. 

IronRadar is designed to proactively detect and neutralize such threats by identifying and monitoring C2 servers. IronRadar currently tracks 19 information stealer frameworks, and since the beginning of this year, over 700 infostealer indicators have been distributed to our customers across the Collective Defense community. This proactive approach ensures that threats are identified and mitigated before they can cause significant harm.

Why Proactive Defense is Critical

Reflecting on these types of attacks, blog posts and technical debriefs often contain indicators of compromise (IoCs) which are quickly implemented across the industry. While helpful, this is a reactionary response and requires one or more victims to educate the industry. Collective Defense and Proactive Threat Intelligence are increasingly valuable in bridging the gaps of a community that gets its information post-compromise (days to months depending on the victim organization and disclosure requirements).

How IronNet Detects and Responds to Breaches

To answer the question, how would IronNet detect and respond to the Snowflake data breach?

1. • Proactive Threat Intelligence: Provide intelligence of adversary C2 to the customer’s cybersecurity ecosystem (Firewall, IDS, EDR, etc.) so that malicious external communications get caught and mitigated.
   • Network Anomaly Detection: Detect network anomalies at all stages of the C2 cycle: download of suspicious files (infostealer/loader/etc.), communication to suspicious external hosts, beaconing activity, exfiltration of sensitive data.
   • Emerging Threat Research: Network detections based on emerging threat research on malware tactics, techniques, and procedures (TTPs), specific to network communication and activity.
   • Collective Defense Correlation: Correlation of alerts across all members of our Collective Defense community, anonymously informing other customers based on successful detections of another.

Attackers are always a step ahead. They know what technology and detections are commercially available and focus their efforts on evading them. Through our Collective Defense community and Proactive Threat Intelligence, we are enabling our customers to bridge that gap. The bigger we grow, the more power we have. An attack against one is an attack against all.

_________

INTERESTED IN LEARNING MORE ABOUT IRON RADAR AND COLLECTIVE DEFENSE?

Contact us to learn more about how IronRadar can improve your organization’s visibility into novel and evolving threats before they’re able to cause damage.