Cracking the Ice: Unraveling the Snowflake Data Breach, Lessons, Impacts, and Strategies for Security Improvement

The Snowflake attack showcases a sophisticated exploitation of refresh tokens and infostealer malware to breach security defenses, leading to mass data compromise. Cybercriminals utilized tools to manipulate token management practices, resulting in unauthorized access across multiple platforms. The incident highlights vulnerabilities within authentication systems and emphasizes the necessity for robust cybersecurity measures.

Affected: Snowflake, Okta, ServiceNow, multiple organizations

Key points:

  • Attackers exploited non-expiring refresh tokens from Snowflake.
  • The attackers used a tool called ‘lift’ to dump refresh tokens and generate session tokens.
  • The breach was initiated through a single compromised credential obtained via infostealer malware.
  • Log files indicated that attackers had tracked their operations from the moment of the infection.
  • The number of affected customers grew significantly from April to July 2024, with estimates reaching nearly 400 organizations.
  • Key factors contributing to the breach included stealer logs, remote code execution, and phishing.
  • UNC5537, a covert adversary group, executed the sophisticated attack.
  • The vulnerability exploitation process was methodical, demonstrating multi-layered attack tactics.
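
As an added example (not code from the original article, and not any Snowflake or attacker tooling), the following Python audits refresh-token redemption records for the weaknesses the key points above describe: tokens that never expire, tokens older than a policy maximum, and tokens redeemed from a different network or client than the one that obtained them, which is the pattern a defender would expect when tokens lifted from stealer logs are replayed. The record fields, the seven-day policy and the sample rows are constructed for illustration and are not Snowflake's real log schema.

```python
"""Audit refresh-token redemption records for the weaknesses behind the
Snowflake incident: tokens without an expiry, tokens older than a policy
maximum, and tokens redeemed from a network or client other than the one
that obtained them (the pattern seen when stealer-log tokens are replayed).
The record format below is constructed for this example, not a real schema."""
from datetime import datetime, timedelta, timezone

MAX_REFRESH_AGE = timedelta(days=7)  # assumed policy: rotate weekly

# Constructed sample records: one row per refresh-token redemption.
SAMPLE_EVENTS = [
    {"token_id": "rt-1", "user": "alice", "issued_at": "2024-04-01T10:00:00Z",
     "expires_at": None, "used_at": "2024-05-20T03:14:00Z",
     "issue_ip": "203.0.113.10", "use_ip": "198.51.100.77",
     "issue_ua": "SnowSQL 1.2", "use_ua": "python-requests/2.31"},
    {"token_id": "rt-2", "user": "bob", "issued_at": "2024-05-19T09:00:00Z",
     "expires_at": "2024-05-26T09:00:00Z", "used_at": "2024-05-19T11:00:00Z",
     "issue_ip": "203.0.113.20", "use_ip": "203.0.113.20",
     "issue_ua": "SnowSQL 1.2", "use_ua": "SnowSQL 1.2"},
]

def _ts(s):
    """Parse the ISO-8601 UTC timestamps used in the sample records."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def audit_event(ev, max_age=MAX_REFRESH_AGE):
    """Return the policy findings for one redemption record (empty if clean)."""
    findings = []
    issued, used = _ts(ev["issued_at"]), _ts(ev["used_at"])
    if ev["expires_at"] is None:
        findings.append("no_expiry")          # replayable indefinitely once stolen
    elif _ts(ev["expires_at"]) < used:
        findings.append("used_after_expiry")  # the server should have rejected it
    if used - issued > max_age:
        findings.append("exceeds_max_age")    # long-lived even if nominally valid
    if ev["use_ip"] != ev["issue_ip"]:
        findings.append("new_ip")             # redeemed from a different network
    if ev["use_ua"] != ev["issue_ua"]:
        findings.append("new_client")         # redeemed by a different client
    return findings

def audit(events, max_age=MAX_REFRESH_AGE):
    """Map token_id -> findings for every record that has at least one."""
    return {ev["token_id"]: f for ev in events if (f := audit_event(ev, max_age))}

if __name__ == "__main__":
    for tid, f in audit(SAMPLE_EVENTS).items():
        print(tid, ", ".join(f))
```

Any record flagged `no_expiry` or `new_client` together with `new_ip` is the case to revoke first, since a token that never expires remains usable long after the infostealer infection that captured it.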

MITRE Techniques:

  • Credential Dumping (T1003): Attackers dumped the refresh tokens from Snowflake to generate session tokens for authentication bypass.
  • Remote Code Execution (RCE) (T1203): Exploited vulnerabilities allowed arbitrary code execution on target systems, facilitating further attacks.
  • Phishing (T1566): Attackers leveraged phishing techniques to obtain user credentials through deception.
  • Initial Access (T1071): Gained initial access via a compromised credential collected by infostealer malware.
  • Impact (T1036): Threat actors executed an extortion campaign against affected organizations.

Full Story: https://ensarseker1.medium.com/cracking-the-ice-unraveling-the-snowflake-data-breach-lessons-impacts-and-strategies-for-b783442a4f79?source=rss——cybersecurity-5