Snowflake guide for threat hunters released by Google’s Mandiant


Google’s cybersecurity research arm Mandiant on Monday released a 65-page guide to help companies fend off threat actors intent on exploiting the latest Snowflake vulnerabilities.

The "Snowflake Threat Hunting Guide" is aimed at equipping security teams with the tools and knowledge to identify potential threats and suspicious activities in Snowflake environments, Mandiant said.

Using the online document is expected to help security teams enhance their threat detection capabilities, better safeguard their data environments, and ultimately improve incident response times in the event of an attack.

The Version 1.0 resource guide follows the recent notifications sent by Mandiant and Snowflake to 165 organizations that were potentially exposed to the ongoing threat campaign, first identified by the company in May.

“#Snowflake customer database instances are being targeted for data theft and extortion,” Mandiant posted on X with a link to the guide on Monday.

Snowflake is a multi-cloud data warehousing platform used to store and analyze large amounts of structured and unstructured data.

Considered a big Data-as-a-Service (DaaS) business model, Snowflake had over 14,000 customers using its platform as of January 2024, according to data analytics company 6Sense. Over 60% are located in the US, including big names Wells Fargo, Uber, Qualcomm, and Accenture.

Researchers expect the cybergang to continue a similar intrusion pattern and to target additional software-as-a-service (SaaS) platforms.

Guide will help detect abnormalities

Mandiant researchers had found the threat group – named UNC5537 – was compromising instances using several infostealer malware variants to extract Snowflake customer credentials.

The comprehensive guide is designed “to help defenders” and aids in detecting abnormal and malicious activities within Snowflake customer database instances, Mandiant states.

It’s structured to provide actionable insights and detailed queries to uncover unusual patterns indicative of security breaches, over a 365-day retention period, the Virginia-based company said.

The guide begins with foundational tips and techniques such as Common Table Expressions (CTEs), Timestamp Normalization, and JSON Extraction.

There is also a significant focus on Identity and Access Management (IAM) reviews, detailing how to detect abnormal usage and identify spikes in administrative permission changes.


Key areas of investigation include user activity by application name, IP address, and operating system, and the guide provides sample queries to illustrate how to aggregate and analyze these types of activities.
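As an illustration of that kind of hunt, the query below is an added example and is not taken from Mandiant's guide. It combines a CTE, UTC timestamp normalization and JSON extraction to surface application/IP/OS combinations first seen in the last week. It assumes the standard SNOWFLAKE.ACCOUNT_USAGE views; the 7-day window and the `OS` key inside `CLIENT_ENVIRONMENT` are assumptions, since the keys reported vary by client driver.

```sql
-- Added example: newly seen client application / IP / OS combinations.
-- Lookback is 365 days to match ACCOUNT_USAGE retention; thresholds are assumptions.
WITH sessions_norm AS (
    SELECT
        s.login_event_id,
        s.user_name,
        s.client_application_id,
        -- Timestamp normalization: compare every event in UTC.
        CONVERT_TIMEZONE('UTC', s.created_on)       AS session_start_utc,
        -- JSON extraction: CLIENT_ENVIRONMENT is stored as a JSON string.
        -- The OS key is an assumption; inspect a few rows for your drivers.
        PARSE_JSON(s.client_environment):OS::STRING AS os
    FROM snowflake.account_usage.sessions AS s
    WHERE s.created_on >= DATEADD('day', -365, CURRENT_TIMESTAMP())
),
logins AS (
    -- Successful logins carry the source IP for each session.
    SELECT event_id, client_ip
    FROM snowflake.account_usage.login_history
    WHERE is_success = 'YES'
)
SELECT
    s.client_application_id,
    l.client_ip,
    s.os,
    COUNT(*)                    AS session_count,
    COUNT(DISTINCT s.user_name) AS distinct_users,
    MIN(s.session_start_utc)    AS first_seen_utc,
    MAX(s.session_start_utc)    AS last_seen_utc
FROM sessions_norm AS s
JOIN logins AS l
  ON l.event_id = s.login_event_id
GROUP BY s.client_application_id, l.client_ip, s.os
-- Keep only combinations that never appeared before the last 7 days.
HAVING MIN(s.session_start_utc) >= DATEADD('day', -7, CURRENT_TIMESTAMP())
ORDER BY distinct_users DESC, session_count DESC;
```

Rows at the top of the result are new client fingerprints used by the most accounts, which is where review against the organization's approved tools and egress IP ranges should start.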

Detecting unusual access patterns is another critical focus to help IT teams identify spikes in access to databases, schemas, views, and tables.

Mandiant also provides specific behaviors for corporations to watch for, including rapid account creation and deletion, the presence of invalid email domains, and unusual password reset times.

The guide highlights the importance of monitoring user creation and deletion activities, which can indicate compromised accounts or insider threats.

It also provides methods to identify all users, both current and historical, and to focus on anomalies that deviate from expected patterns.

Furthermore, the threat-hunting guide is filled with query examples that are tailored to uncover specific types of abnormal activities, such as administrative changes, unusual access patterns, and suspicious user activities.

Breaches result of third party

The threat actors have already carried out numerous successful breaches, including of Ticketmaster, exposing 560 million customers.

That breach is thought to have likely happened after attackers accessed its Snowflake account, as Ticketmaster confirmed that attackers accessed its “third-party cloud database environment.”

New information was revealed on Monday in a piece by Wired about the Ticketmaster breach, claiming the entertainment behemoth’s Snowflake account was compromised through an American contractor, EPAM Systems.

“EPAM has workers in Belarus, Ukraine and, before war, Russia. Hacker told me they breached an EPAM worker in Ukraine,” said cybersecurity journalist and author Kim Zetter, who posted the news on X.

EPAM is a multi-billion dollar software engineering services company headquartered in Pennsylvania.

According to its website, EPAM Continuum was named a Top 20 fastest growing firm by Consulting Magazine in 2023. It has customers in over 55 countries.

Meantime, the malicious UNC5537 has also claimed to have stolen three terabytes of data from the US-based retail chain Advance Auto Parts, which allegedly included 380 million customer profiles.

Additionally, Snowflake has said it is assisting customers to help harden their networks and is expected to release its own plan to require its customers to implement advanced security controls.