Charter Communications (Spectrum) has officially confirmed a data breach following an extortion threat from the notorious threat actor ShinyHunters. This incident is not an isolated event but part of a broader, aggressive campaign targeting Snowflake data warehousing customers. ShinyHunters has leveraged compromised credentials—likely harvested from infostealers on employee endpoints—to gain unauthorized access to sensitive data repositories. For defenders, this is a critical signal: if you rely on SaaS data platforms like Snowflake, your perimeter has effectively shifted to the identity layer and the endpoint. The time to audit access logs and enforce rigorous identity controls is now.
Technical Analysis
Threat Actor: ShinyHunters (Known for extorting victims via data leak sites).
Attack Vector: Compromised Credentials & Identity Access. While no specific CVE within the Snowflake platform is being exploited, the attackers are leveraging a vulnerability in the enterprise credential management lifecycle. Credentials are stolen via information-stealing malware (e.g., RedLine, Lumma) from contractor or employee endpoints and used to authenticate against Snowflake instances.
Mechanism of Attack:
- Initial Access: Threat actors use valid credentials (username/password or session tokens) obtained from the dark web or malware logs.
- Execution: Attackers authenticate to the Snowflake web interface or, more commonly for bulk exfiltration, use the snowsql CLI tool or Python connectors.
- Exfiltration: Once authenticated, actors run SQL queries to dump sensitive tables and export the data to CSV/JSON formats. Traffic flows over port 443 to *.snowflakecomputing.com, often blending in with legitimate administrative traffic.
Exploitation Status: Confirmed Active Exploitation. This campaign is currently in the wild, with hundreds of organizations potentially affected. ShinyHunters has demonstrated capability to bypass basic authentication controls where MFA is not enforced or where legacy authentication methods remain active.
Detection & Response
The following detection logic focuses on identifying the abuse of Snowflake administration tools (snowsql) and anomalies in network traffic indicative of bulk data exfiltration. Since ShinyHunters relies on valid credentials, behavioral detection is paramount.
SIGMA Rules
---
title: Potential Snowflake Bulk Exfiltration via SnowSQL
id: 8c4d2f10-9b3a-4a1c-8e2d-1f5a6b7c8d9e
status: experimental
description: Detects the execution of the Snowflake CLI tool (snowsql) which is frequently used by threat actors for bulk data extraction. Legitimate usage is rare on non-admin endpoints.
references:
  - https://attack.mitre.org/techniques/T1041/
author: Security Arsenal
date: 2024/06/14
tags:
  - attack.exfiltration
  - attack.t1041
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - '\snowsql.exe'
      - '\snowsql'
    CommandLine|contains:
      - '-o'
      - '-f'
      - 'query'
  condition: selection
falsepositives:
  - Legitimate administration by database administrators
level: high
---
title: PowerShell Script Interacting with Snowflake Data
id: 1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d
status: experimental
description: Detects PowerShell scripts loading the Snowflake .NET driver, potentially indicating automation used for data theft.
references:
  - https://attack.mitre.org/techniques/T1059/
author: Security Arsenal
date: 2024/06/14
tags:
  - attack.execution
  - attack.t1059.001
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - '\powershell.exe'
      - '\pwsh.exe'
    CommandLine|contains:
      - 'Snowflake.Data'
      - 'SnowflakeDbConnection'
  condition: selection
falsepositives:
  - Legitimate data pipeline scripts
level: medium
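To see exactly what the two selections above do and do not fire on, here is an added example (written for this page, not part of the advisory or of any Sigma tooling) that applies the rules' semantics to constructed process_creation events: Sigma list values are ORed, fields within one selection are ANDed, and string modifiers match case-insensitively. The event field names follow the Sigma/Sysmon names the rules use; the paths and command lines are invented.

```python
# Added example (not from the advisory): a minimal evaluator for the two Sigma
# selections above, run against constructed process_creation events.


def sigma_endswith(value: str, options: list) -> bool:
    """Sigma 'endswith' modifier: case-insensitive, any listed option matches (OR)."""
    v = value.lower()
    return any(v.endswith(o.lower()) for o in options)


def sigma_contains(value: str, options: list) -> bool:
    """Sigma 'contains' modifier: case-insensitive substring, any option (OR)."""
    v = value.lower()
    return any(o.lower() in v for o in options)


MODIFIERS = {"endswith": sigma_endswith, "contains": sigma_contains}

# The 'selection' maps of the two rules, transcribed from the YAML above.
RULES = {
    "Potential Snowflake Bulk Exfiltration via SnowSQL": {
        "Image|endswith": ["\\snowsql.exe", "\\snowsql"],
        "CommandLine|contains": ["-o", "-f", "query"],
    },
    "PowerShell Script Interacting with Snowflake Data": {
        "Image|endswith": ["\\powershell.exe", "\\pwsh.exe"],
        "CommandLine|contains": ["Snowflake.Data", "SnowflakeDbConnection"],
    },
}


def selection_matches(selection: dict, event: dict) -> bool:
    """Sigma semantics: every field in a selection map must match (AND);
    the list under one field is an OR of alternatives."""
    for key, options in selection.items():
        field, modifier = key.split("|", 1)
        if not MODIFIERS[modifier](event.get(field, ""), options):
            return False
    return True


def evaluate(event: dict) -> list:
    """Return the titles of all rules whose selection matches the event."""
    return [title for title, sel in RULES.items() if selection_matches(sel, event)]


# Constructed sample events, one per case worth checking.
SAMPLE_EVENTS = [
    {   # bulk dump via snowsql with output options -> rule 1 fires
        "Image": r"C:\Users\jdoe\AppData\Local\snowsql\snowsql.exe",
        "CommandLine": 'snowsql.exe -a xy12345 -u jdoe -q "select * from customers" -o output_format=csv -o quiet=true',
    },
    {   # PowerShell loading the .NET driver -> rule 2 fires
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": 'powershell.exe -c "Add-Type -Path Snowflake.Data.dll; $c = New-Object Snowflake.Data.Client.SnowflakeDbConnection"',
    },
    {   # unrelated tool that also uses -o/-f: the Image field keeps it from matching
        "Image": r"C:\Program Files\Git\usr\bin\tar.exe",
        "CommandLine": "tar -o -f archive.tar data",
    },
    {   # snowsql without any of the output/query substrings -> no hit
        "Image": r"C:\Users\jdoe\snowsql.exe",
        "CommandLine": "snowsql.exe --version",
    },
]


def run_demo() -> list:
    """Evaluate every sample event; returns one list of matching titles per event."""
    return [evaluate(e) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for event, hits in zip(SAMPLE_EVENTS, run_demo()):
        print(event["CommandLine"][:60], "->", hits or "no match")
```

Two things worth noticing when tuning: the `'-o'` and `'-f'` substrings are very broad and only stay quiet because they are ANDed with the `Image` check, and the `'\snowsql'` pattern with its backslash will not match a Linux path such as `/usr/local/bin/snowsql`, so a Linux variant of the first rule needs its own `Image` list.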
KQL (Microsoft Sentinel / Defender)
This query hunts for snowsql usage on endpoints and correlates it with network connections to Snowflake infrastructure.
// Hunt for snowsql execution process creation
let ProcessEvents = DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("snowsql.exe", "snowsql")
| project DeviceName, AccountName, ProcessCommandLine, Timestamp, InitiatingProcessFileName;
// Hunt for network connections to Snowflake domains
let NetworkEvents = DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has "snowflakecomputing.com"
| summarize ConnectionCount=count(), TotalBytesSent=sum(SentBytes), TotalBytesReceived=sum(ReceivedBytes) by DeviceName, AccountName, bin(Timestamp, 1h)
| where ConnectionCount > 10 or TotalBytesReceived > 50000000; // 50MB threshold
// Correlate Process and Network Activity
ProcessEvents
| join kind=inner (NetworkEvents) on DeviceName, AccountName
| project DeviceName, AccountName, ProcessCommandLine, ConnectionCount, TotalBytesReceived, Timestamp
| sort by TotalBytesReceived desc
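The hourly aggregation, the thresholds and the join in the KQL above are easy to misjudge without data, so here is an added example (written for this page, not part of the advisory) that re-implements the query in Python over constructed DeviceProcessEvents and DeviceNetworkEvents rows. Column names mirror the Defender tables; the devices, accounts, timestamps and byte counts are invented. It also adds an optional `max_gap` parameter, which the original query does not have, to show the effect of constraining the join in time.

```python
# Added example (not from the advisory): the KQL correlation above in Python,
# run offline over constructed Defender-style rows.
from collections import defaultdict
from datetime import datetime, timedelta

CONNECTION_THRESHOLD = 10
BYTES_RECEIVED_THRESHOLD = 50_000_000  # 50 MB, as in the KQL
NOW = datetime(2024, 6, 14, 12, 0)     # fixed "now" so the 7-day window is reproducible

# Constructed DeviceProcessEvents rows
PROCESS_EVENTS = [
    {"DeviceName": "ws-acct-07", "AccountName": "jdoe", "Timestamp": datetime(2024, 6, 14, 9, 5),
     "FileName": "snowsql.exe", "ProcessCommandLine": 'snowsql.exe -q "select * from customers" -o output_format=csv'},
    {"DeviceName": "ws-dev-02", "AccountName": "bob", "Timestamp": datetime(2024, 6, 14, 11, 0),
     "FileName": "snowsql.exe", "ProcessCommandLine": "snowsql.exe --version"},
]


def _net(device, account, ts, sent, received):
    """Build one constructed DeviceNetworkEvents row."""
    return {"DeviceName": device, "AccountName": account, "Timestamp": ts,
            "RemoteUrl": "xy12345.snowflakecomputing.com", "SentBytes": sent, "ReceivedBytes": received}


NETWORK_EVENTS = (
    # 15 connections pulling ~120 MB in the same hour as jdoe's snowsql run
    [_net("ws-acct-07", "jdoe", datetime(2024, 6, 14, 9, 7 + i), 4_000, 8_000_000) for i in range(15)]
    # a 60 MB pull by the same user two days earlier, with no process event nearby
    + [_net("ws-acct-07", "jdoe", datetime(2024, 6, 12, 22, 10 + i), 2_000, 30_000_000) for i in range(2)]
    # bob: a few small connections, below both thresholds
    + [_net("ws-dev-02", "bob", datetime(2024, 6, 14, 11, 2 + i), 1_000, 200_000) for i in range(3)]
)


def bin_hour(ts: datetime) -> datetime:
    """Equivalent of KQL bin(Timestamp, 1h)."""
    return ts.replace(minute=0, second=0, microsecond=0)


def summarize_network(events, now=NOW, lookback_days=7):
    """summarize ConnectionCount / TotalBytesSent / TotalBytesReceived
    by DeviceName, AccountName, bin(Timestamp, 1h), then apply the thresholds."""
    cutoff = now - timedelta(days=lookback_days)
    buckets = defaultdict(lambda: {"ConnectionCount": 0, "TotalBytesSent": 0, "TotalBytesReceived": 0})
    for e in events:
        if e["Timestamp"] <= cutoff or "snowflakecomputing.com" not in e["RemoteUrl"]:
            continue
        b = buckets[(e["DeviceName"], e["AccountName"], bin_hour(e["Timestamp"]))]
        b["ConnectionCount"] += 1
        b["TotalBytesSent"] += e["SentBytes"]
        b["TotalBytesReceived"] += e["ReceivedBytes"]
    return [{"DeviceName": d, "AccountName": a, "Hour": h, **v}
            for (d, a, h), v in buckets.items()
            if v["ConnectionCount"] > CONNECTION_THRESHOLD or v["TotalBytesReceived"] > BYTES_RECEIVED_THRESHOLD]


def correlate(process_events, network_events, now=NOW, max_gap=None):
    """Inner join on DeviceName and AccountName, sorted by TotalBytesReceived desc.
    max_gap=None reproduces the KQL exactly (the join has no time constraint);
    a timedelta keeps only network buckets within that distance of the process start."""
    cutoff = now - timedelta(days=7)
    procs = [p for p in process_events
             if p["Timestamp"] > cutoff and p["FileName"].lower() in ("snowsql.exe", "snowsql")]
    net_hits = summarize_network(network_events, now=now)
    rows = []
    for p in procs:
        for n in net_hits:
            if (n["DeviceName"], n["AccountName"]) != (p["DeviceName"], p["AccountName"]):
                continue
            if max_gap is not None and abs(n["Hour"] - bin_hour(p["Timestamp"])) > max_gap:
                continue
            rows.append({"DeviceName": p["DeviceName"], "AccountName": p["AccountName"],
                         "ProcessCommandLine": p["ProcessCommandLine"],
                         "ConnectionCount": n["ConnectionCount"],
                         "TotalBytesReceived": n["TotalBytesReceived"],
                         "Timestamp": p["Timestamp"], "NetworkHour": n["Hour"]})
    return sorted(rows, key=lambda r: r["TotalBytesReceived"], reverse=True)


if __name__ == "__main__":
    for r in correlate(PROCESS_EVENTS, NETWORK_EVENTS):
        print(r["DeviceName"], r["AccountName"], r["NetworkHour"], r["TotalBytesReceived"], r["ConnectionCount"])
    print("with 2h gap:", len(correlate(PROCESS_EVENTS, NETWORK_EVENTS, max_gap=timedelta(hours=2))))
```

Because the KQL joins only on device and account, one snowsql execution in the 7-day window pairs with every over-threshold hour for that user, including the pull two days earlier here; that is fine for a hunt, but for an alert you would want the time constraint that `max_gap` illustrates.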
Velociraptor VQL
Use this artifact to hunt for the presence of the snowsql binary on disk and active network connections to Snowflake hosts.
-- Hunt for snowsql executable on disk (OSPath is the current glob() column name; older releases call it FullPath)
SELECT OSPath, Size, Mtime, Atime
FROM glob(globs="C:/Users/*/AppData/Local/snowsql/snowsql.exe")

-- Hunt for active connections to Snowflake infrastructure.
-- netstat() reports remote IP addresses, not hostnames, so matching on
-- "snowflakecomputing.com" never hits. Resolve your account's
-- *.snowflakecomputing.com endpoints and put the resulting addresses here
-- (the value below is a placeholder in the 203.0.113.0/24 documentation range).
LET SnowflakeIPRegex = "^203[.]0[.]113[.]"
SELECT Pid, Name, Raddr.IP AS RemoteAddress, Raddr.Port AS RemotePort, Status
FROM netstat()
WHERE Raddr.Port = 443 AND Raddr.IP =~ SnowflakeIPRegex
Remediation Script (PowerShell)
This script audits endpoints for the presence of snowsql configuration files that might contain stored credentials or session tokens, which are high-value targets for infostealers.
# Audit for Snowflake Credentials and Configs
Write-Host "[+] Auditing for Snowflake CLI configurations..."
# Check common config paths
$paths = @(
    "$env:USERPROFILE\.snowsql\config",
    "$env:APPDATA\snowsql\config",
    "$env:USERPROFILE\.snowsql\history"
)
foreach ($path in $paths) {
    if (Test-Path $path) {
        Write-Host "[!] FOUND CONFIG FILE: $path" -ForegroundColor Yellow
        # Flag files that carry a password, token or private_key setting; snowsql keeps these in plain text.
        # -match is case-insensitive by default.
        $content = Get-Content $path -Raw -ErrorAction SilentlyContinue
        if ($content -match "(password|token|private_key)") {
            Write-Host "[!!!] Potential sensitive credential keyword found in $path" -ForegroundColor Red
        }
    }
}
# Check for running snowsql processes. Win32_Process exposes the command line and,
# via GetOwner(), the account the process runs as (Get-Process does not without elevation).
$processes = Get-CimInstance Win32_Process -Filter "Name = 'snowsql.exe'" -ErrorAction SilentlyContinue
if ($processes) {
    foreach ($proc in $processes) {
        $owner = Invoke-CimMethod -InputObject $proc -MethodName GetOwner
        Write-Host "[!] ALERT: snowsql.exe is currently running on this endpoint." -ForegroundColor Red
        Write-Host "    PID: $($proc.ProcessId), User: $($owner.Domain)\$($owner.User), CommandLine: $($proc.CommandLine)"
    }
} else {
    Write-Host "[-] No snowsql.exe process detected."
}
Remediation
To defend against this specific threat vector involving ShinyHunters and credential-based access to Snowflake:
- Enforce MFA Immediately: Ensure Multi-Factor Authentication (MFA) is enabled for all users, especially those with access to Snowflake. ShinyHunters relies on static credentials; MFA blocks the vast majority of these automated authentication attempts.
- Network Policy Whitelisting: In the Snowflake Admin console, configure Network Policies to whitelist only specific corporate IP addresses or VPN egress ranges. This prevents attackers from using stolen credentials from unknown geographic locations.
- Credential Rotation: Assume any credentials associated with service accounts or users who have accessed Snowflake from unmanaged endpoints are compromised. Force a password rotation and regenerate access tokens/keys.
- Audit Third-Party Access: Review logs for access from third-party contractors or supply chain partners, as this is a common initial vector in these campaigns.
- Endpoint Hygiene: Deploy EDR solutions capable of detecting information-stealing malware (RedLine, Vidar, etc.). The breach originates on the endpoint, not in the cloud.
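The first four items above can be checked from the Snowflake side using the account's own login history. The following added example (written for this page, not from the advisory or from Snowflake) audits rows shaped like the SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY view: it flags successful password logins with no second factor and logins from outside the egress ranges a network policy would allow, records which client type was used, and derives the users whose credentials should be rotated. The column names are Snowflake's; the users, IP addresses, timestamps and allowed ranges are constructed, and the factor and client-type values are assumed to match what the view reports.

```python
# Added example (not from the advisory): offline audit of constructed
# LOGIN_HISTORY rows against the MFA / network-policy / rotation checklist above.
import ipaddress
from datetime import datetime

# Query to pull real rows (assumption: a role with IMPORTED PRIVILEGES on the SNOWFLAKE database).
LOGIN_HISTORY_SQL = """
SELECT EVENT_TIMESTAMP, USER_NAME, CLIENT_IP, REPORTED_CLIENT_TYPE,
       FIRST_AUTHENTICATION_FACTOR, SECOND_AUTHENTICATION_FACTOR, IS_SUCCESS
FROM SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY
WHERE EVENT_TIMESTAMP > DATEADD(day, -30, CURRENT_TIMESTAMP())
"""

# Placeholder corporate egress ranges (TEST-NET documentation prefixes); replace with your own.
ALLOWED_EGRESS = [ipaddress.ip_network(c) for c in ("198.51.100.0/24", "203.0.113.0/24")]
# Client types capable of scripted bulk pulls (values as reported by the view; extend as needed).
BULK_CLIENTS = {"SNOWSQL", "PYTHON_DRIVER", "JDBC_DRIVER", "ODBC_DRIVER"}

NO_MFA = "password login without MFA"
OFF_NETWORK = "source IP outside allowed egress ranges"

# Constructed rows in the shape of the view's columns.
SAMPLE_ROWS = [
    {"EVENT_TIMESTAMP": datetime(2024, 6, 13, 8, 2), "USER_NAME": "jdoe", "CLIENT_IP": "198.51.100.23",
     "REPORTED_CLIENT_TYPE": "SNOWFLAKE_UI", "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": "DUO_PUSH", "IS_SUCCESS": "YES"},
    {"EVENT_TIMESTAMP": datetime(2024, 6, 13, 23, 41), "USER_NAME": "jdoe", "CLIENT_IP": "192.0.2.77",
     "REPORTED_CLIENT_TYPE": "SNOWSQL", "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "YES"},
    {"EVENT_TIMESTAMP": datetime(2024, 6, 14, 1, 0), "USER_NAME": "svc_etl", "CLIENT_IP": "203.0.113.5",
     "REPORTED_CLIENT_TYPE": "PYTHON_DRIVER", "FIRST_AUTHENTICATION_FACTOR": "RSA_KEYPAIR",
     "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "YES"},
    {"EVENT_TIMESTAMP": datetime(2024, 6, 14, 3, 15), "USER_NAME": "contractor1", "CLIENT_IP": "192.0.2.88",
     "REPORTED_CLIENT_TYPE": "SNOWSQL", "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "NO"},
    {"EVENT_TIMESTAMP": datetime(2024, 6, 14, 9, 30), "USER_NAME": "asmith", "CLIENT_IP": "198.51.100.40",
     "REPORTED_CLIENT_TYPE": "PYTHON_DRIVER", "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "YES"},
]


def audit_logins(rows):
    """One finding per successful login that is password-only or off-network."""
    findings = []
    for r in rows:
        if str(r["IS_SUCCESS"]).upper() not in ("YES", "TRUE"):
            continue  # failed attempts are out of scope for this check
        issues = []
        if r["FIRST_AUTHENTICATION_FACTOR"] == "PASSWORD" and not r["SECOND_AUTHENTICATION_FACTOR"]:
            issues.append(NO_MFA)  # key-pair or SSO logins are judged separately
        ip = ipaddress.ip_address(r["CLIENT_IP"])
        if not any(ip in net for net in ALLOWED_EGRESS):
            issues.append(OFF_NETWORK)
        if issues:
            findings.append({"user": r["USER_NAME"], "when": r["EVENT_TIMESTAMP"], "ip": r["CLIENT_IP"],
                             "client": r["REPORTED_CLIENT_TYPE"],
                             "bulk_capable": r["REPORTED_CLIENT_TYPE"] in BULK_CLIENTS,
                             "issues": issues})
    return findings


def rotation_candidates(findings):
    """Users with at least one password-only login from outside the allowed ranges:
    treat those credentials as compromised and rotate them."""
    return sorted({f["user"] for f in findings if NO_MFA in f["issues"] and OFF_NETWORK in f["issues"]})


if __name__ == "__main__":
    found = audit_logins(SAMPLE_ROWS)
    for f in found:
        print(f["when"], f["user"], f["ip"], f["client"], "; ".join(f["issues"]))
    print("rotate:", rotation_candidates(found))
```

In the sample data, jdoe's night-time snowsql login from an unknown address is the case the advisory describes and is the one user selected for rotation; asmith's password-only driver login from inside the allowed range is reported for the MFA rollout but not for rotation, and the key-pair service account is left alone because it never used a password.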
Official Vendor Advisory: Snowflake Security Advisories