The 2024 AT&T breach was one of the most significant security incidents in recent history. Attackers accessed the call metadata of nearly all of the company’s customers from March 1 through October 31, 2022.
Due to the potential national security implications of the breach, the American Securities and Exchange Commission (SEC) even provided a nearly three-month extension on its usual four-day notification rule (the breach was identified on April 19th but was publicly disclosed on July 12).
AT&T was only one of an estimated 165 companies impacted by the same campaign. Other victims included Ticketmaster, Santander Group, and Advance Auto Parts. Who was responsible?
The ShinyHunters threat group.
They gained access to the companies’ Snowflake accounts via credential stuffing and a supply chain breach of EPAM Systems.
Once inside, ShinyHunters accessed and exfiltrated sensitive data from these cloud storage locations. Then, they demanded ransoms ranging from $300,000 to $5 million in exchange for deleting the data.
We’re going to dive into the anatomy of the Snowflake attack in this post. Like our deep dive into the Cuttlefish malware, this attack anatomy article uses the MITRE ATT&CK framework to explore the various techniques used by the attackers in this incident.
For each technique, we’ll also point to Hack The Box (HTB) resources that can provide hands-on training about how the technique works—and how to defend against it.
AT&T and other companies were the victims of a supply chain attack that targeted their Snowflake cloud storage.
Instead of exploiting vulnerabilities in Snowflake’s environment, ShinyHunters used compromised credentials to access and steal data.
Note💡: While we have a pretty good idea of the techniques and tools that the ShinyHunters group used during this attack, we are not certain, and not everything has been confirmed by affected parties. The techniques described in this anatomy are therefore alleged, based on public reporting.
The Snowflake environments breached by ShinyHunters are believed to have been accessed via compromised credentials rather than through security flaws within the Snowflake environment. The attackers may have collected credentials in a couple of different ways:
EPAM Systems is a managed service provider (MSP) that offers a range of different services to its customers. This includes managing an organization’s Snowflake cloud storage deployments.
ShinyHunters exploited this trust relationship (MITRE ATT&CK Technique T1199) to target the company’s customers.
ShinyHunters breached the computer of an EPAM employee and installed a remote access trojan (RAT). This tool—allegedly Lumma Stealer, which is also a keylogger—provided control over the system.
With access to the employee’s system, the attackers identified customers’ Snowflake credentials stored unencrypted within Jira, a project management tool (MITRE ATT&CK T1552).
ShinyHunters also took advantage of past breaches and poor password hygiene to gain access to additional Snowflake accounts. The attackers trawled through leaked credentials that infostealer malware had harvested in past breaches (MITRE ATT&CK T1589.001).
This also included a previous incident where the infostealer malware was installed on the same EPAM employee’s computer. In some cases, credentials breached as far back as 2020 were still in use on Snowflake accounts.
In addition to identifying Snowflake credentials within these past breaches, the threat group also identified credentials used by Snowflake users for other, unrelated accounts.
With these credentials, they performed a credential stuffing attack (MITRE ATT&CK T1110.004), exploiting password reuse to compromise additional Snowflake accounts.
Access to a Snowflake environment requires a few different pieces of information.
In addition to the login credentials for the user’s account, the attackers also need to know the URL of an organization’s Snowflake instance.
For companies like Ticketmaster, whose Snowflake credentials were identified via the EPAM breach, an internal EPAM URL used to access the company’s Snowflake account was cached alongside the credentials.
For other accounts breached via credential stuffing, the attackers could take advantage of the fact that Snowflake has a standard URL format (https://<orgname>-<account_name>.snowflakecomputing.com) to brute-force potential account names.
With the users’ login credentials, ShinyHunters was able to log into the companies’ Snowflake instances (MITRE ATT&CK T1530).
At the time of the breach, Snowflake didn’t have an option for organizations to require the use of multi-factor authentication (MFA). Without MFA in place, all the attackers needed was knowledge of the username and password.
Additionally, these customer accounts lacked allowlists that would restrict the IP addresses from which the accounts could be accessed.
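To make the two missing controls and the credential stuffing pattern concrete from the defender's side, here is an added example (not code from the original post or from Snowflake) that reviews login events for successful password-only logins from outside an IP allowlist and marks sources that tried many accounts. The event fields, the allowlisted range and the sample events are constructed assumptions, not a Snowflake log schema.

```python
import ipaddress
from collections import defaultdict

# Assumed corporate egress range (constructed; documentation address space).
ALLOWED_NETS = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed login events; field names are hypothetical.
LOGINS = [
    {"user": "svc_etl", "ip": "198.51.100.20", "ok": True,  "second_factor": None},
    {"user": "alice",   "ip": "198.51.100.31", "ok": True,  "second_factor": "totp"},
    {"user": "bob",     "ip": "203.0.113.77",  "ok": False, "second_factor": None},
    {"user": "carol",   "ip": "203.0.113.77",  "ok": False, "second_factor": None},
    {"user": "dave",    "ip": "203.0.113.77",  "ok": False, "second_factor": None},
    {"user": "svc_etl", "ip": "203.0.113.77",  "ok": True,  "second_factor": None},
]

def in_allowlist(ip, nets=ALLOWED_NETS):
    """True if the source address falls inside any allowlisted network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)

def stuffing_sources(events, min_users=3):
    """Source IPs that attempted logins for at least `min_users` distinct accounts."""
    users_by_ip = defaultdict(set)
    for e in events:
        users_by_ip[e["ip"]].add(e["user"])
    return {ip for ip, users in users_by_ip.items() if len(users) >= min_users}

def risky_successes(events):
    """Successful logins with no second factor from outside the allowlist."""
    sprayers = stuffing_sources(events)
    findings = []
    for e in events:
        if not e["ok"] or e["second_factor"] or in_allowlist(e["ip"]):
            continue  # failed, MFA-backed, or from an expected network
        reasons = ["no_mfa", "ip_not_allowlisted"]
        if e["ip"] in sprayers:
            reasons.append("source_tried_many_accounts")
        findings.append((e["user"], e["ip"], reasons))
    return findings

if __name__ == "__main__":
    for user, ip, reasons in risky_successes(LOGINS):
        print(f"{user} from {ip}: {', '.join(reasons)}")
```

The same password-only login from inside the allowlisted range is not reported, which is why the allowlist and MFA checks are evaluated together rather than separately.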
After gaining access to customer Snowflake instances, ShinyHunters used both custom tools and DBeaver Ultimate (a database management tool) to perform reconnaissance on these environments (MITRE ATT&CK T1580).
The attackers enumerated tables and exfiltrated those of particular interest and value using the GET command (MITRE ATT&CK T1567).
They often created temporary stages within the Snowflake environment where they could compress data using GZIP before exfiltration (MITRE ATT&CK T1560.001).
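The staging behaviour described above leaves an ordered trail in query history that can be hunted for. The following added example (not from the original post) flags sessions where a temporary stage is created, receives GZIP-compressed output, and is then downloaded with GET. The row layout and the sample queries are constructed, and only an explicit `COMPRESSION=GZIP` is matched, which is a simplification of this example.

```python
import re
from collections import defaultdict

# Constructed query-history rows: (session_id, user, query_text). Not real logs.
QUERIES = [
    (101, "svc_etl", "SELECT COUNT(*) FROM orders"),
    (202, "svc_etl", "SHOW TABLES"),
    (202, "svc_etl", "CREATE TEMPORARY STAGE tmp_out"),
    (202, "svc_etl", "COPY INTO @tmp_out FROM customers "
                     "FILE_FORMAT=(TYPE=CSV COMPRESSION=GZIP)"),
    (202, "svc_etl", "GET @tmp_out file:///tmp/out/"),
    (303, "alice", "CREATE TEMPORARY STAGE load_in"),
    (303, "alice", "COPY INTO sales FROM @load_in"),  # a load, not an unload
]

CREATE_RE = re.compile(
    r"^\s*CREATE\s+(?:OR\s+REPLACE\s+)?TEMP(?:ORARY)?\s+STAGE\s+"
    r"(?:IF\s+NOT\s+EXISTS\s+)?([\w.]+)", re.I)
UNLOAD_RE = re.compile(r"^\s*COPY\s+INTO\s+@([\w.]+)", re.I)
GET_RE = re.compile(r"^\s*GET\s+@([\w.]+)", re.I)
GZIP_RE = re.compile(r"COMPRESSION\s*=\s*'?GZIP", re.I)

def staged_exfil_sessions(rows):
    """Return sessions that did: temp stage -> GZIP unload into it -> GET from it."""
    created = defaultdict(set)  # session -> temporary stages created in it
    packed = defaultdict(set)   # session -> those stages that received GZIP output
    findings = []
    for session, user, text in rows:  # rows are assumed to be in time order
        if m := CREATE_RE.match(text):
            created[session].add(m.group(1).lower())
        elif m := UNLOAD_RE.match(text):
            stage = m.group(1).lower()
            if stage in created[session] and GZIP_RE.search(text):
                packed[session].add(stage)
        elif m := GET_RE.match(text):
            stage = m.group(1).lower()
            if stage in packed[session]:
                findings.append({"session": session, "user": user, "stage": stage})
    return findings

if __name__ == "__main__":
    for hit in staged_exfil_sessions(QUERIES):
        print(hit)
```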
ShinyHunters are primarily motivated by financial gain. After exfiltrating high-value data, the group demanded ransoms in exchange for deleting the stolen data (MITRE ATT&CK T1657).
One high-profile victim was AT&T, which paid $370,000 of a $1 million ransom in exchange for a video of the attackers deleting call metadata for approximately 110 million AT&T customers.
The MITRE ATT&CK framework offers a wealth of useful information about how a particular technique works and methods for detecting and mitigating it. HTB provides hands-on experience with these techniques.
This enables security personnel to stay ahead of emerging threats and threat actor behavior, allowing teams to design more effective mitigations.
The following table maps the techniques used by ShinyHunters in the Snowflake breach to the corresponding MITRE ATT&CK Techniques. Additionally, it identifies HTB resources that contain content related to these techniques.
| ShinyHunters Technique | MITRE ATT&CK Technique | HTB Academy modules | HTB Machines | HTB Sherlocks |
|---|---|---|---|---|
| Malware targeting trusted partner | T1199 Trusted Relationship | | | |
| | T1552 Unsecured Credentials | | | |
| Identify previously breached credentials | T1589.001 Gather Victim Identity Information | | | |
| Credential stuffing | T1110.004 Brute Force: Credential Stuffing | | | |
| Data theft and exfiltration of Snowflake data | T1530 Data from Cloud Storage | | | |
| | T1567 Exfiltration Over Web Service | | | |
| | T1560 Archive Collected Data | | | |
| Extorting ransom to delete stolen data | T1657 Financial Theft | | | |
Aside from understanding emerging threats, security teams need to develop threat models, develop detection strategies for specific environments, and prioritize security investments. For this reason, HTB carefully maps courses and labs to the MITRE ATT&CK framework.