Scattered Spider is Targeting Victims' Snowflake Data Storage for Quick Exfiltration
In a frightening extension of their activities, the cybercrime group Scattered Spider has recently shifted its focus to exfiltrating sensitive data from Snowflake data storage systems. Known for sophisticated, multi-step attack methodologies, the group is exploiting inherent flaws in the design of cloud storage offerings, attacking Snowflake environments in which businesses store substantial volumes of sensitive business data.
The attackers employ advanced techniques, typically starting with an extensive reconnaissance phase before using social engineering or credential stuffing to compromise victim systems. Once the systems are compromised, they bypass traditional security controls and rapidly exfiltrate large quantities of data to remote destinations in order to go unnoticed.
This speed-based approach allows the attackers to cause widespread harm within a compressed time frame, typically without raising real-time suspicion among the parties involved. The growing number of such attacks is an ugly reminder of the vulnerabilities built into widely used cloud services and of the never-ending cat-and-mouse game between security professionals and cybercriminals.
Security Officer Comments:
The attack methods employed by Scattered Spider are frightening, and they are part of a larger, ongoing phenomenon directed against cloud data storage infrastructure. Snowflake, although widely praised for its flexibility and scalability in accommodating massive datasets, has also become an increasingly attractive target for criminals because it is so widely used across so many industries. Given its inherent openness and the monetary worth of the data it handles, an attacker can exploit even a small weakness in security controls to obtain unauthorized access and export data with ease. Scattered Spider's modus operandi, a mix of social engineering, brute-force attacks, and exploitation of weak access controls, is a clear manifestation of the multi-pronged nature of today's cyberattacks. In addition, data exfiltration is sometimes only the tip of the iceberg: these attacks can enable secondary exploitation, such as ransomware deployment or corporate espionage. The fact that Snowflake is typically included as part of a larger cloud environment only adds to the attack surface, so it is imperative that organizations adopt an end-to-end cybersecurity strategy. It is also worth noting that while the initial exfiltration may be fast, the long-term effect, financially and reputationally, can be devastating when intellectual property or customer data is leaked.
Suggested Corrections:
Companies that use Snowflake for data warehousing must respond quickly to mitigate threats spawned by crews like Scattered Spider. Most critically, enforcing multi-factor authentication (MFA) is essential as an added layer of security on user accounts, significantly reducing the risk of unauthorized access. Additionally, cloud-native encryption has to be implemented so that data stolen during a breach is never readable without the decryption keys. These technical controls alone, however, will not suffice. Patching and upgrading Snowflake instances and any related APIs on a regular basis needs to become a priority, because cybercriminals tend to take advantage of unpatched vulnerabilities to gain access. Since insider threats and compromised credentials pose a heightened risk, companies should also implement a rigorous access audit log procedure and diligently check for suspicious activity, especially during off-peak or weekend hours when attacks are less likely to be noticed.
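The audit-log review recommended above, and the credential-stuffing entry vector described earlier, can be turned into concrete checks. The following is an added example written for this bulletin, not code from Scattered Spider reporting or from Snowflake: it runs three detections over constructed login and query history records and then correlates them into a short triage list. The record keys are an assumption modelled on the column names of Snowflake's ACCOUNT_USAGE LOGIN_HISTORY and QUERY_HISTORY views; the IP addresses, user names, byte counts and stage location are all made up.

```python
"""Detection checks over Snowflake-style login and query history (added example).

Three signals are looked for: a burst of failed logins from one address across
several accounts (credential stuffing), successful logins that happened off-hours
or without a second factor, and unloads that moved a large volume of bytes out of
the account. The final function correlates them into accounts worth triaging first.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry). Keys mirror, as an assumption,
# the column names of SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY and QUERY_HISTORY.
LOGIN_HISTORY = [
    # Six failures from one address against six different accounts in six minutes.
    {"event_timestamp": "2024-06-01T02:10:11", "user_name": "ANALYST1", "client_ip": "203.0.113.7", "is_success": "NO", "second_authentication_factor": None},
    {"event_timestamp": "2024-06-01T02:11:03", "user_name": "ANALYST2", "client_ip": "203.0.113.7", "is_success": "NO", "second_authentication_factor": None},
    {"event_timestamp": "2024-06-01T02:12:40", "user_name": "FINANCE_RO", "client_ip": "203.0.113.7", "is_success": "NO", "second_authentication_factor": None},
    {"event_timestamp": "2024-06-01T02:13:15", "user_name": "HR_ADMIN", "client_ip": "203.0.113.7", "is_success": "NO", "second_authentication_factor": None},
    {"event_timestamp": "2024-06-01T02:14:58", "user_name": "SVC_ETL", "client_ip": "203.0.113.7", "is_success": "NO", "second_authentication_factor": None},
    {"event_timestamp": "2024-06-01T02:16:20", "user_name": "MARKETING1", "client_ip": "203.0.113.7", "is_success": "NO", "second_authentication_factor": None},
    # A success from the same address on a Saturday night with no second factor.
    {"event_timestamp": "2024-06-01T02:30:42", "user_name": "FINANCE_RO", "client_ip": "203.0.113.7", "is_success": "YES", "second_authentication_factor": None},
    # Ordinary weekday activity from an office address.
    {"event_timestamp": "2024-06-03T09:15:00", "user_name": "ANALYST1", "client_ip": "198.51.100.20", "is_success": "YES", "second_authentication_factor": "DUO_PUSH"},
    {"event_timestamp": "2024-06-03T09:16:30", "user_name": "ANALYST2", "client_ip": "198.51.100.20", "is_success": "NO", "second_authentication_factor": None},
    {"event_timestamp": "2024-06-03T09:17:05", "user_name": "ANALYST2", "client_ip": "198.51.100.20", "is_success": "YES", "second_authentication_factor": None},
]

QUERY_HISTORY = [
    {"start_time": "2024-06-01T02:41:07", "user_name": "FINANCE_RO", "query_type": "UNLOAD",
     "query_text": "COPY INTO 's3://example-external-location/export/' FROM CUSTOMERS",
     "outbound_data_transfer_bytes": 4_200_000_000, "rows_produced": 12_000_000},
    {"start_time": "2024-06-03T10:02:00", "user_name": "ANALYST1", "query_type": "SELECT",
     "query_text": "SELECT region, SUM(amount) FROM sales GROUP BY region",
     "outbound_data_transfer_bytes": 0, "rows_produced": 12},
    {"start_time": "2024-06-03T11:30:00", "user_name": "ANALYST2", "query_type": "UNLOAD",
     "query_text": "COPY INTO @internal_stage/monthly/ FROM monthly_summary",
     "outbound_data_transfer_bytes": 0, "rows_produced": 1_500},
]


def _ts(value):
    return datetime.fromisoformat(value)


def failed_login_bursts(records=LOGIN_HISTORY, threshold=5, window=timedelta(minutes=10)):
    """Map client_ip -> largest number of failures seen inside any `window`, for IPs at or above `threshold`."""
    failures = defaultdict(list)
    for r in records:
        if r["is_success"] == "NO":
            failures[r["client_ip"]].append(_ts(r["event_timestamp"]))
    bursts = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                bursts[ip] = max(bursts.get(ip, 0), count)
    return bursts


def risky_successful_logins(records=LOGIN_HISTORY, business_hours=range(8, 18)):
    """List (user, ip, reasons) for successes that were off-hours/weekend or lacked a second factor."""
    flagged = []
    for r in records:
        if r["is_success"] != "YES":
            continue
        ts = _ts(r["event_timestamp"])
        reasons = []
        if ts.weekday() >= 5 or ts.hour not in business_hours:
            reasons.append("off_hours")
        if not r.get("second_authentication_factor"):
            reasons.append("no_second_factor")
        if reasons:
            flagged.append((r["user_name"], r["client_ip"], reasons))
    return flagged


def large_outbound_transfers(records=QUERY_HISTORY, min_bytes=1_000_000_000):
    """List (user, start_time, bytes, query_text) for queries that moved at least `min_bytes` out of the account."""
    return [(r["user_name"], r["start_time"], r["outbound_data_transfer_bytes"], r["query_text"])
            for r in records if r["outbound_data_transfer_bytes"] >= min_bytes]


def accounts_to_triage(logins=LOGIN_HISTORY, queries=QUERY_HISTORY):
    """Users whose large outbound transfer was preceded by a risky login on the same account, sorted."""
    risky_by_user = defaultdict(list)
    for r in logins:
        for user, _ip, _reasons in risky_successful_logins([r]):
            risky_by_user[user].append(_ts(r["event_timestamp"]))
    hits = set()
    for user, start_time, _bytes, _text in large_outbound_transfers(queries):
        if any(t <= _ts(start_time) for t in risky_by_user.get(user, [])):
            hits.add(user)
    return sorted(hits)


if __name__ == "__main__":
    print("failed-login bursts:", failed_login_bursts())
    print("risky successful logins:", risky_successful_logins())
    print("large outbound transfers:", large_outbound_transfers())
    print("accounts to triage first:", accounts_to_triage())
```

The thresholds (five failures in ten minutes, one gigabyte outbound, 08:00 to 18:00 as business hours) are placeholders to be tuned against an organization's own baseline; the point of the correlation step is that a single-factor weekend login is noise on its own, but the same account unloading gigabytes minutes later is exactly the fast exfiltration the bulletin describes.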
Besides these technical countermeasures, organizations need to invest in employee awareness programs so that staff can identify and respond to phishing and social engineering attacks, two attack vectors Scattered Spider frequently employs to gain initial entry. Role-based access control (RBAC) and data segmentation can also go a long way toward limiting the scope of harm in the event of a breach, so that attackers cannot move laterally across an organization's network. Lastly, companies need to draw up a comprehensive incident response plan for cloud environments, including pre-agreed procedures for detection, containment, and damage control following a breach targeting Snowflake.
Link(s):
https://therecord.media/scattered-spider-targeting-snowflake-access-data-exfiltration