Full Report
On May 30, 2024, researchers published a report concerning activity by a threat actor dubbed UNC5537, involving abuse of stolen credentials to gain illicit access to Snowflake accounts unprotected by MFA by using a toolkit known as rapeflake. On May 31, 2024, Snowflake publishe...
Analysis Summary
# Incident Report: UNC5537 Credential Abuse Campaign Targeting Snowflake
## Executive Summary
Between mid-April and late May 2024, threat actor UNC5537 used credentials harvested by infostealer malware to log in to Snowflake customer accounts that had no Multi-Factor Authentication (MFA) enabled, and then exfiltrated data from those accounts. Early reporting suggested a compromise of Snowflake itself; Snowflake stated that it found no evidence of a vulnerability or breach of its platform and attributed the access to compromised customer credentials on accounts without MFA. The response consisted of investigation, customer notification, and a security advisory describing the activity and the recommended remediation.
## Incident Details
- **Discovery Date:** May 30, 2024 (first public reporting); Snowflake's advisory followed on May 31, 2024.
- **Incident Date:** Illicit activity beginning in mid-April 2024 and continuing through at least May 30, 2024.
- **Affected Organization:** Multiple Snowflake customers.
- **Sector:** Multiple (Impacted customers across various sectors).
- **Geography:** Not specified in the source text.
## Timeline of Events
### Initial Access
- **Date/Time:** Starting mid-April 2024.
- **Vector:** Compromised credentials stolen primarily via infostealer malware infections on end-user machines.
- **Details:** Attacker group UNC5537 used stolen credentials to attempt logins against Snowflake accounts. Success depended on the target account *not* having MFA enabled.
### Lateral Movement
- **Date/Time:** Following initial access.
- **Vector:** Abuse of valid, existing credentials for session establishment within Snowflake environments.
- **Details:** Lateral movement within the Snowflake platform is not described in the source. Post-authentication interaction with the compromised accounts was carried out with an attacker toolkit known as 'rapeflake'.
### Data Exfiltration/Impact
- **Date/Time:** Ongoing during the active period.
- **Impact:** Data exfiltration from compromised Snowflake instances.
- **Details:** The core impact was unauthorized access and theft of customer data.
### Detection & Response
- **Date/Time:** May 30 to May 31, 2024.
- **Vector:** External researchers published a report on the activity on May 30, 2024; the source does not say how the activity was first detected.
- **Details:** On May 31, 2024, Snowflake published an advisory notifying customers of the activity and of the remediation steps expected of them.
## Attack Methodology
- **Initial Access:** Valid credential abuse (stolen via infostealers).
- **Persistence:** Not explicitly detailed. Because the targeted accounts had no MFA, the actor could simply re-authenticate with the stolen credentials for as long as they remained valid; no separate persistence mechanism was required.
- **Privilege Escalation:** Not explicitly detailed; relied on existing user permissions.
- **Defense Evasion:** By selecting accounts without MFA, the actor needed nothing beyond a valid username and password; the one control that would have blocked a stolen password was absent rather than bypassed.
- **Credential Access:** Infostealer infections on endpoints.
- **Discovery:** Used the valid credentials to explore accessible Snowflake resources.
- **Lateral Movement:** Movement assumed to be via established user sessions within the cloud data platform.
- **Collection:** Directly interacting with the Snowflake environment to gather target data.
- **Exfiltration:** Data theft via the compromised user sessions.
- **Impact:** Data loss/theft.
## Impact Assessment
- **Financial:** Not specified in context.
- **Data Breach:** Unauthorized access and exfiltration from multiple customer Snowflake environments. Specific volume/type unknown.
- **Operational:** Affected customers had to rotate credentials, enforce MFA, review access to their Snowflake environments, and determine what data had been taken.
- **Reputational:** Damage to trust in cloud data platform security, although Snowflake attributed the intrusions to customer-side credential compromise and absent MFA rather than to a flaw in its platform.
## Indicators of Compromise
*Note: No specific IOCs were provided in the source text, only behavioral and tool names.*
- **Network indicators:** N/A
- **File indicators:** Infection of endpoints with commodity infostealer malware (Implied).
- **Behavioral indicators:** Successful password-only logins to Snowflake accounts without MFA, using credentials the actor had previously harvested and validated, and therefore originating from sources other than the legitimate user's usual endpoint; sessions established with the 'rapeflake' toolkit.
## Response Actions
- **Containment measures:** Snowflake investigated the activity, notified affected customers, and published an advisory on May 31, 2024.
- **Eradication steps:** Customers were urged to rotate all credentials for the affected accounts and to enforce MFA.
- **Recovery actions:** Customers must review access to their Snowflake environments, identify what data was accessed, and remediate any gaps found.
## Lessons Learned
- The central lesson is that a password alone is not an adequate control for a platform holding sensitive data: a single infostealer infection on one user's machine was enough to expose an entire Snowflake account, with no weakness in the platform itself required.
- Threat actors are actively using commodity infostealer malware on endpoints specifically to harvest credentials for cloud services, and are then testing those credentials at scale against the services they belong to.
- MFA was an opt-in control on the affected accounts, and a large number of customers had not enabled it; a baseline control that is optional is, in practice, frequently absent.
## Recommendations
- **Mandatory MFA Enforcement:** All customer accounts accessing Snowflake or any critical cloud service must enforce MFA immediately.
- **Endpoint Hygiene:** Implement robust endpoint detection and response (EDR) and anti-infostealer measures to prevent credential theft at the source.
- **Continuous Monitoring:** Customers must retain detailed login and session logs for their Snowflake environments and hunt for anomalous access by otherwise valid accounts: password-only logins to accounts without a second factor, logins from source addresses never before seen for that user, one source address authenticating as several users, and client applications the organization does not use.
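The monitoring recommendation above, turned into working detection logic: this is an added example, not code from the report, from Snowflake, or from any of the researchers involved. The sample login rows are constructed for the example and are shaped like the columns of Snowflake's ACCOUNT_USAGE LOGIN_HISTORY view (an assumption about field names; adapt them to the export you actually have). The rules are the ones a hunter would start with after this incident: a successful password login with no second factor, a source IP never seen for that user in a baseline period, one IP authenticating as more than one user, and a client type outside the organization's expected set. A login that has no MFA and at least one corroborating indicator is rated high; the failed attempt and the key-pair login are there to show what the rules deliberately do not flag.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample rows (not real data), shaped like SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY
# columns (assumption). Addresses are from documentation ranges (RFC 5737).
SAMPLE_LOGINS = [
    # baseline period: normal activity before the hunt window
    {"event_timestamp": "2024-03-05T09:02:11", "user_name": "ALICE", "client_ip": "203.0.113.10",
     "reported_client_type": "SNOWFLAKE_UI", "first_authentication_factor": "PASSWORD",
     "second_authentication_factor": "DUO_PUSH", "is_success": "YES"},
    {"event_timestamp": "2024-03-12T14:20:00", "user_name": "BOB", "client_ip": "198.51.100.7",
     "reported_client_type": "JDBC_DRIVER", "first_authentication_factor": "PASSWORD",
     "second_authentication_factor": None, "is_success": "YES"},
    {"event_timestamp": "2024-03-20T08:00:00", "user_name": "CAROL", "client_ip": "203.0.113.20",
     "reported_client_type": "PYTHON_DRIVER", "first_authentication_factor": "RSA_KEYPAIR",
     "second_authentication_factor": None, "is_success": "YES"},
    # hunt window: one benign MFA login, one benign key-pair login, a failed attempt,
    # then two password-only logins from a single unfamiliar address
    {"event_timestamp": "2024-04-15T09:10:00", "user_name": "ALICE", "client_ip": "203.0.113.10",
     "reported_client_type": "SNOWFLAKE_UI", "first_authentication_factor": "PASSWORD",
     "second_authentication_factor": "DUO_PUSH", "is_success": "YES"},
    {"event_timestamp": "2024-04-16T08:05:00", "user_name": "CAROL", "client_ip": "203.0.113.20",
     "reported_client_type": "PYTHON_DRIVER", "first_authentication_factor": "RSA_KEYPAIR",
     "second_authentication_factor": None, "is_success": "YES"},
    {"event_timestamp": "2024-04-18T02:10:00", "user_name": "BOB", "client_ip": "192.0.2.55",
     "reported_client_type": "OTHER", "first_authentication_factor": "PASSWORD",
     "second_authentication_factor": None, "is_success": "NO"},
    {"event_timestamp": "2024-04-18T02:13:00", "user_name": "BOB", "client_ip": "192.0.2.55",
     "reported_client_type": "OTHER", "first_authentication_factor": "PASSWORD",
     "second_authentication_factor": None, "is_success": "YES"},
    {"event_timestamp": "2024-04-18T02:40:00", "user_name": "CAROL", "client_ip": "192.0.2.55",
     "reported_client_type": "JDBC_DRIVER", "first_authentication_factor": "PASSWORD",
     "second_authentication_factor": None, "is_success": "YES"},
]

BASELINE_CUTOFF = datetime(2024, 4, 1)          # logins before this build the per-user IP baseline
EXPECTED_CLIENTS = {"SNOWFLAKE_UI", "JDBC_DRIVER", "PYTHON_DRIVER", "ODBC_DRIVER"}  # assumed allowlist


def _ts(row):
    return datetime.fromisoformat(row["event_timestamp"])


def build_baseline(rows, cutoff):
    """Map each user to the set of source IPs seen on successful logins before the cutoff."""
    known = defaultdict(set)
    for r in rows:
        if r["is_success"] == "YES" and _ts(r) < cutoff:
            known[r["user_name"]].add(r["client_ip"])
    return known


def hunt(rows, cutoff, expected_clients):
    """Return one finding per suspicious successful login in the hunt window (after cutoff)."""
    baseline = build_baseline(rows, cutoff)
    window = [r for r in rows if r["is_success"] == "YES" and _ts(r) >= cutoff]

    # Distinct users authenticating from each source IP inside the window.
    users_per_ip = defaultdict(set)
    for r in window:
        users_per_ip[r["client_ip"]].add(r["user_name"])

    findings = []
    for r in window:
        user, ip = r["user_name"], r["client_ip"]
        reasons = []
        # Password with no second factor: the condition UNC5537 selected for. Key-pair and
        # SSO first factors are not password logins and are left alone here.
        if r["first_authentication_factor"] == "PASSWORD" and not r["second_authentication_factor"]:
            reasons.append("NO_MFA")
        if user not in baseline:
            reasons.append("NO_BASELINE")      # dormant or new account: cannot compare, note it
        elif ip not in baseline[user]:
            reasons.append("NEW_IP")
        if len(users_per_ip[ip]) >= 2:
            reasons.append("SHARED_SOURCE_IP")  # one address driving several accounts
        if r["reported_client_type"] not in expected_clients:
            reasons.append("UNEXPECTED_CLIENT")
        if not reasons:
            continue
        corroborated = [x for x in reasons if x != "NO_MFA"]
        severity = "high" if "NO_MFA" in reasons and corroborated else "medium"
        findings.append({"timestamp": r["event_timestamp"], "user": user, "ip": ip,
                         "reasons": reasons, "severity": severity})
    findings.sort(key=lambda f: f["timestamp"])
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOGINS, BASELINE_CUTOFF, EXPECTED_CLIENTS):
        print(f"{f['timestamp']} {f['severity']:6} {f['user']:6} {f['ip']:15} {','.join(f['reasons'])}")
```

Run against the constructed rows, only the two 2024-04-18 logins from 192.0.2.55 are reported, both as high: BOB's carries NO_MFA, NEW_IP, SHARED_SOURCE_IP and UNEXPECTED_CLIENT; CAROL's carries NO_MFA, NEW_IP and SHARED_SOURCE_IP. The failed attempt is ignored because a failure establishes nothing about the account, and the baseline period is deliberately separate from the hunt window so that an attacker who is already present does not train the baseline. On a real export, run the same logic over a baseline of several weeks and treat SHARED_SOURCE_IP with care where users sit behind a shared corporate egress address.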