Snowflake Data Breach: Lessons Learned | PacketWatch Threat Intelligence | June 17, 2024

This week, we explore lessons learned from the recent Snowflake data breach and vulnerabilities around Microsoft MSMQ, PHP remote code execution, and an actively exploited CVE by Black Basta.

Snowflake Data Breach

Over the last several weeks, a large number of massive data breaches have been reported and tied back to Snowflake, a cloud-based data storage and analytics provider.

These data breaches have involved organizations including Ticketmaster, Santander Bank, QuoteWizard, LendingTree, Advanced Auto Parts, Cylance, and more.

In a recent report, Mandiant has attributed this cluster of activity to a group they call UNC5537. Mandiant stated in the report that there is no evidence of unauthorized access to Snowflake customer accounts due to a breach in the Snowflake environment. Instead, in each incident they investigated, they were able to trace the unauthorized access back to credentials discovered in infostealer malware logs. Using these stolen valid credentials from the infostealer malware, the threat actor was able to gain direct access to the victim's Snowflake instance and exfiltrate large quantities of data.

Lessons Learned

One of the most important details in Mandiant's findings was that none of the accounts abused in these attacks had multi-factor authentication (MFA) enabled.

Additionally, it was noted that some of the observed credentials were still valid several years after they were stolen, indicating they had not been rotated or updated.

Finally, it was observed that Snowflake customer instances did not have any network allow lists enabled on their accounts. Doing this would only allow connections from trusted sources (not the entire internet).

While organizations may enforce strict security policies within the boundaries of their own networks, sometimes third-party relationships can be overlooked.

Today, almost every organization stores data with 3rd party storage providers. This introduces a certain level of risk that must be managed accordingly. This management should include documenting the vendor, the services the vendor provides, the sensitivity of the data being stored, and the management of access for this provider.

Access management standards that have been applied for internal use should be replicated to these providers – this includes MFA, password rotation, and separation of duties.

How To Protect Your Organization

The following steps are recommended for all Snowflake customers:

• Implement Vendor Management and access control standards for service platforms. PacketWatch provides vendor management and auditing services as part of a range of expert Governance, Risk, and Compliance solutions.
• Enable multi-factor authentication on all accounts.
• Review known indicators of compromise (IOCs) and investigate any suspicious activity from them. A full list of associated IOCs can be found here.
• Disable suspicious users.
• Create separate administrative accounts from standard user accounts.
• Reset credentials for any user accounts that might have been exposed.
• Monitor executed queries by regularly reviewing logs, especially queries involving data access.
• Establish network access policies at the account and user levels, especially for users or services accounts with higher permissions.
• Review account parameters and settings to ensure account settings are configured to limit data exportation.
• Monitor configuration changes for unauthorized changes or privilege escalation.
• Utilize more secure authentication methods for service accounts such as key pair authentication or OAuth instead of static credentials.

Additionally, there are some general best practices for securing cloud environments:

• Choose the right cloud provider. Not all cloud providers are equal, and they vary drastically on which party is responsible for security. Properly vet the security standards for all service providers.
• Encrypt data at rest and in transit to prevent unauthorized access.
• Implement and Identity and Access Management (IAM) system that can help granularly manage user access policies and authentication methods.
• Maintain data backups and offline storage to prevent losing your data.
• Constantly monitor and audit cloud-based systems and applications.

Additional Resources

• https://cloud.google.com/blog/topics/threat-intelligence/unc5537-snowflake-data-theft-extortion
  
• https://www.virustotal.com/gui/collection/0d487b996555e03ea2853d24c805a473822fafd7da683ab2123d0f1e688001b8/iocs
  
• https://socradar.io/overview-of-the-snowflake-breach/
  
• https://socradar.io/secure-your-cloud-environment-5-best-practices/
  
• https://community.snowflake.com/s/article/Communication-ID-0108977-Additional-Information

Vulnerability Rundown

Microsoft Patch Tuesday MSMQ Critical Vulnerability

The latest Patch Tuesday update from Microsoft includes a critical remote code execution vulnerability in the Microsoft Message Queueing (MSMQ) service. The vulnerability is tracked as CVE-2024-30080, and has a CVSS score of 9.8.

It can be exploited by an unauthenticated attacker sending a specially crafted malicious MSMQ packet to a vulnerable server which then allows for remote code execution on the server. The MSMQ service needs to be enabled on the system for a server to be vulnerable.

Administrators can verify if this service is enabled by checking for the Message Queuing service running on port 1801.

While there are currently no publicly available exploits for this vulnerability, administrators are urged to apply the security updates as soon as possible.

Additional Resources

• https://msrc.microsoft.com/update-guide/releaseNote/2024-Jun
  
• https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-30080
  
• https://socradar.io/microsofts-june-2024-patch-tuesday-highlights-keytrap-zero-day-critical-msmq-flaw-windows-lpe-exploit/
  
• https://platform.socradar.com/app/threatfeed/cve/CVE-2024-30080/details
  
• https://learn.microsoft.com/en-us/previous-versions/windows/desktop/msmq/ms711472(v=vs.85)

Critical PHP RCE Vulnerability

A "trivially easy" to exploit remote code execution vulnerability in PHP was recently disclosed by security researchers at Devcore. The vulnerability, tracked as CVE-2024-4577, is due to errors in the way PHP converts Unicode characters into ASCII.

The flaw affects all versions of PHP when using Apache and PHP-CGI on Windows servers (which includes all versions of XAMPP). Proof-of-concept exploit code is already in the wild for this vulnerability, and CISA added it to the Known Exploited Vulnerabilities Catalog on June 13.

Administrators are urged to upgrade to the latest PHP versions as soon as possible (8.3.8, 8.2.20, and 8.1.29), or disable PHP CGI in the Apache HTTP Server configuration if it is not needed.

Additional Resources

• https://devco.re/blog/2024/06/06/security-alert-cve-2024-4577-php-cgi-argument-injection-vulnerability-en/
  
• https://socradar.io/critical-rce-vulnerability-cve-2024-4577-in-php-on-windows-patch-now-available/
  
• https://www.bleepingcomputer.com/news/security/php-fixes-critical-rce-flaw-impacting-all-versions-for-windows/
  
• https://platform.socradar.com/app/threatfeed/cve/CVE-2024-4577/details
  
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-4577
  
• https://arstechnica.com/security/2024/06/php-vulnerability-allows-attackers-to-run-malicious-code-on-windows-servers/

Actively Exploited Privilege Escalation Vulnerability Used by Black Basta

CISA recently added a high-severity Windows privilege escalation vulnerability to its Known Exploited Vulnerability Catalog. The vulnerability is tracked as CVE-2024-26169, and is a flaw in the Microsoft Windows Error Reporting Service.

Successful exploitation of this flaw can lead to an attacker gaining SYSTEM privileges.

Research from Symantec showed evidence the Black Basta ransomware gang leveraged this vulnerability as a zero-day.

Security updates for this vulnerability were part of Microsoft's March Patch Tuesday. Administrators are urged to apply the security updates as soon as possible.

Additional Resources

• https://www.bleepingcomputer.com/news/security/cisa-warns-of-windows-bug-exploited-in-ransomware-attacks/
  
• https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-26169
  
• https://platform.socradar.com/app/threatfeed/cve/CVE-2024-26169/details
  
• https://symantec-enterprise-blogs.security.com/threat-intelligence/black-basta-ransomware-zero-day
  
• https://www.cisa.gov/known-exploited-vulnerabilities-catalog

Stay updated with PacketWatch's cybersecurity content by subscribing to our monthly newsletter, delivered to your inbox on the last Tuesday of the month.

PacketWatch publishes this report and other cybersecurity threat intel to the security community for free via our blog.

If you want personalized threat intel, contact us today to learn about our enterprise threat intelligence services.

Note: We've also enriched our original threat intelligence report by including resources from our partner in cyber threat intelligence, SOCRadar. You may need a registered SOCRadar account to view their threat intelligence resources.

DISCLAIMER

Kindly be advised that the information contained in this article is presented with no final evaluation and should be considered raw data. The sole purpose of this information is to provide situational awareness based on the currently available knowledge. We recommend exercising caution and conducting further research as necessary before making any decisions based on this information.