FROSTBITE | |
Type of Malware | Exploit Kit |
Date of initial activity | 2024 |
Additional Names | rapeflake |
Associated Groups | UNC5537 |
Motivation | Data Theft |
Attack Vectors | Credential-based Attacks |
Targeted Systems | Windows |
Type of information Stolen | Corporate Data |
Tools | DBeaver Ultimate: a publicly available database management tool that UNC5537 has been observed using to connect to Snowflake instances and run queries against them. SnowSQL: Snowflake’s command-line interface (CLI), which UNC5537 uses to perform database operations and execute SQL commands. |
Overview
FROSTBITE is a sophisticated piece of malware that has emerged as a significant threat within the cybersecurity landscape. This malware, attributed to the threat actor UNC5537, specifically targets Snowflake customer database instances to exfiltrate sensitive information and facilitate extortion. FROSTBITE’s primary mode of operation involves leveraging compromised credentials to access Snowflake environments, where it performs extensive reconnaissance and data exfiltration.
The malware’s sophistication lies in its dual functionality: it is used for both information gathering and data theft. FROSTBITE is adept at interacting with Snowflake’s web-based user interface and command-line tools, making it highly effective at infiltrating and navigating these environments. It uses various techniques to conceal its activities and bypass traditional security measures, such as encrypted communications and legitimate-looking data exfiltration commands.
What makes FROSTBITE particularly concerning is its operational precision and the impact it has had on numerous organizations. By exploiting stolen credentials from infostealer malware, FROSTBITE has managed to infiltrate multiple Snowflake instances without triggering immediate alerts or suspicion. The malware’s ability to conduct detailed reconnaissance and execute complex SQL commands to extract and stage data highlights its advanced nature and the serious risks it poses to enterprise data security.
Targets
Snowflake Users: The primary targets are organizations that use Snowflake’s cloud-based data warehousing platform. This includes any entity that stores and manages data within Snowflake’s ecosystem, making them vulnerable to data theft and extortion attempts by UNC5537.
Organizations with Stolen Credentials: FROSTBITE relies on credentials obtained from various infostealer malware campaigns. Consequently, any organization whose Snowflake credentials have been compromised through these infostealers is at risk. This includes businesses across various sectors that use Snowflake for data analysis and storage.
Accounts Lacking Multi-Factor Authentication (MFA): Organizations that have not implemented MFA on their Snowflake accounts are particularly vulnerable. MFA serves as an additional layer of security, and the lack of it makes accounts more susceptible to unauthorized access.
Contractor and Personal Systems: The malware often finds its way into Snowflake environments through compromised contractor systems. Contractors who use personal or less secure devices for work, including those used for gaming or downloading pirated software, present a risk as these systems can be exploited to gain access to Snowflake customer instances.
Victims of Infostealer Malware: FROSTBITE’s operation is closely linked with infostealer malware, such as VIDAR, RISEPRO, REDLINE, RACCOON STEALER, LUMMA, and METASTEALER. Organizations whose employees have been affected by these infostealers are also targeted, as their compromised credentials can be used to access Snowflake accounts.
How they operate
FROSTBITE’s operation begins with the initial compromise of Snowflake instances through stolen credentials. These credentials are often harvested from infostealer malware infections on non-Snowflake systems. Once attackers acquire valid credentials, they gain access to Snowflake’s web-based UI (Snowsight) and command-line interface (SnowSQL). From this vantage point, FROSTBITE performs critical reconnaissance and operational tasks. It uses a custom-built utility, which Mandiant has identified as “rapeflake” or FROSTBITE, to interact with Snowflake’s database management systems. This utility allows the attackers to execute SQL commands for data exploration and exfiltration.
The malware’s operation involves several key stages. Initially, FROSTBITE performs reconnaissance by listing databases, tables, and other critical metadata using SQL commands like SHOW TABLES. This reconnaissance phase is crucial for identifying valuable data within the Snowflake environment. Once the data of interest is identified, FROSTBITE stages it for exfiltration by creating temporary data storage stages within Snowflake. The CREATE TEMPORARY STAGE command is employed to facilitate this process, allowing attackers to aggregate and compress data before its transfer.
Exfiltration is executed using the COPY INTO command, which enables the malware to copy data from the Snowflake database into the temporary stages. The data is then compressed and prepared for transfer using the GET command. This final stage involves moving the data from Snowflake’s temporary stages to the attacker’s local machine, where it can be accessed or sold. Throughout the process, FROSTBITE’s use of temporary stages and data compression minimizes the risk of detection and leaves fewer traces in the victim’s environment.
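The three stages described above (reconnaissance with SHOW commands, staging with CREATE TEMPORARY STAGE and COPY INTO, and retrieval with GET) leave a recognizable sequence in Snowflake's query history, which is what a defender would hunt for. The following is an added detection example written for this page; it is not code from the original page, from Mandiant, or from Snowflake. It assumes an export of query history with columns modelled on SNOWFLAKE.ACCOUNT_USAGE.QUERY_HISTORY (USER_NAME, SESSION_ID, START_TIME, QUERY_TEXT); the sample rows are constructed, and the one-hour window is an assumed tuning value.

```python
"""Stage-and-pull detection over Snowflake query history (added example).

Assumed input: rows of (user_name, session_id, start_time, query_text),
modelled on a few columns of SNOWFLAKE.ACCOUNT_USAGE.QUERY_HISTORY.
A session is flagged when it runs CREATE TEMPORARY STAGE, then COPY INTO a
stage, then GET from a stage, all within a short window. SHOW enumeration
and a later DROP STAGE are recorded as supporting context.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one ordinary analyst session and one session that
# shows the reconnaissance -> temporary stage -> COPY INTO -> GET pattern.
SAMPLE_QUERY_HISTORY = [
    ("ANALYST1", 101, "2024-05-20T09:00:00", "SELECT count(*) FROM sales.orders"),
    ("ANALYST1", 101, "2024-05-20T09:05:00", "SELECT * FROM sales.orders LIMIT 100"),
    ("SVC_ETL", 202, "2024-05-20T02:10:00", "SHOW DATABASES"),
    ("SVC_ETL", 202, "2024-05-20T02:10:30", "SHOW TABLES IN DATABASE HR"),
    ("SVC_ETL", 202, "2024-05-20T02:12:00", "CREATE TEMPORARY STAGE tmp_out"),
    ("SVC_ETL", 202, "2024-05-20T02:13:00", "COPY INTO @tmp_out FROM hr.employees"),
    ("SVC_ETL", 202, "2024-05-20T02:20:00", "GET @tmp_out file:///tmp/out/"),
]

# Each phase is recognised by a leading-keyword regex on the query text.
PHASE_PATTERNS = [
    ("recon", re.compile(r"^\s*SHOW\s+(DATABASES|SCHEMAS|TABLES|VIEWS|COLUMNS)\b", re.I)),
    ("stage", re.compile(r"^\s*CREATE\s+(OR\s+REPLACE\s+)?TEMP(ORARY)?\s+STAGE\b", re.I)),
    ("copy", re.compile(r"^\s*COPY\s+INTO\s+@", re.I)),
    ("get", re.compile(r"^\s*GET\s+@", re.I)),
    ("cleanup", re.compile(r"^\s*DROP\s+STAGE\b", re.I)),
]


def classify(query_text):
    """Return the phase name for a query, or None if it is not of interest."""
    for name, pattern in PHASE_PATTERNS:
        if pattern.search(query_text):
            return name
    return None


def find_staging_sessions(rows, window=timedelta(hours=1)):
    """Return one finding per session that performs stage -> copy -> get in order."""
    by_session = defaultdict(list)
    for user, session_id, start_time, query_text in rows:
        phase = classify(query_text)
        if phase:
            by_session[(user, session_id)].append((datetime.fromisoformat(start_time), phase))

    findings = []
    for (user, session_id), events in by_session.items():
        events.sort()  # chronological order within the session
        phases = [phase for _, phase in events]
        try:
            # Each phase must follow the previous one; list.index with a
            # start offset enforces the ordering.
            i_stage = phases.index("stage")
            i_copy = phases.index("copy", i_stage)
            i_get = phases.index("get", i_copy)
        except ValueError:
            continue  # at least one phase missing or out of order
        t_stage, t_get = events[i_stage][0], events[i_get][0]
        if t_get - t_stage > window:
            continue  # too spread out for this rule; tune window as needed
        findings.append({
            "user": user,
            "session_id": session_id,
            "stage_created": t_stage.isoformat(),
            "data_pulled": t_get.isoformat(),
            "recon_queries": phases.count("recon"),
            "stage_dropped": "cleanup" in phases[i_get:],
        })
    return findings


if __name__ == "__main__":
    for finding in find_staging_sessions(SAMPLE_QUERY_HISTORY):
        print(finding)
```

In practice the rows would come from a scheduled query against QUERY_HISTORY rather than an in-memory list; the rule is deliberately narrow (ordered stage, copy, get in one session) so that routine ETL jobs that only load data into a stage, or only read from one, do not trip it, while the recon count and the DROP STAGE flag give the analyst the context the page describes without widening the trigger.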
MITRE Tactics and Techniques
Initial Access:
Valid Accounts (T1078): The attackers gain initial access to Snowflake instances using stolen credentials, primarily obtained from infostealer malware.
Execution:
Command-Line Interface (T1059.001): The attackers use SnowSQL (a command-line tool) and custom SQL commands to execute operations on the Snowflake database.
Persistence:
Create Account (T1136): The creation of temporary stages for data staging may be considered a form of persistence as it allows the attacker to maintain access and prepare data for exfiltration.
Privilege Escalation:
Exploitation for Client Execution (T1068): If attackers exploit vulnerabilities or misconfigurations within the Snowflake environment, it could lead to privilege escalation, although specific instances of this were not detailed.
Defense Evasion:
Indicator Removal (T1070): The use of temporary stages and the deletion of these stages after data is exfiltrated helps in evading detection and minimizing traces.
Credential Access:
Credential Dumping (T1003): While direct credential dumping is not involved, the use of stolen credentials to access Snowflake instances reflects credential access techniques.
Discovery:
File and Directory Discovery (T1083): The SHOW TABLES and similar SQL commands used to enumerate databases and tables indicate discovery tactics.
Collection:
Data Staged (T1074): Data staging commands like CREATE TEMPORARY STAGE and COPY INTO for aggregating and compressing data for exfiltration fall under collection tactics.
Exfiltration:
Exfiltration Over Command and Control Channel (T1041): The use of commands like GET to transfer data from Snowflake stages to the attacker’s local machine represents exfiltration activities.
Impact:
Data Destruction (T1485): Although not explicitly mentioned, the deletion of temporary stages after exfiltration may impact the integrity of the victim’s data.