YetiHunter: Open-source threat hunting tool for Snowflake environments
Cloud identity protection company Permiso has created YetiHunter, a threat detection and hunting tool companies can use to query their Snowflake environments for evidence of compromise.
YetiHunter executing queries (Source: Permiso Security)
Recent attacks against Snowflake customers
Cloud-based data storage and analytics company Snowflake has recently stated that attackers have accessed accounts of some of its customers by leveraging compromised credentials.
Mandiant’s analysts have concluded that most of the credentials were compromised via info-stealing malware and some of them purchased on the dark web. They have also indentified approximately 165 Snowflake customers that have been hit in these attacks.
Both companies have provided indicators of compromise and advice on how the potential victims can check for suspicious activity in their Snowflake accounts and data assets.
About YetiHunter
“But investigating Snowflake compromises is not a skillset many folks in security have experience in,” Ian Ahl, SVP of P0 Labs (Permiso’s threat research arm), told Help Net Security.
“We wanted to provide a free, open source tool to help analysts review TTPs and atomic indicators associated with recent attacks targeting Snowflake users. We’ve done this with other open source tools like CloudGrappler, Cloud Console Cartographer and LogLicker.”
YetiHunter is an easy-to-run script that blends indicators published by Snowflake, Mandiant, and Datadog with a series of detections created by Permiso.
The queries YetiHunter runs can be extended, updated, removed, and new ones can be added. The list of known malicious IPs it users can also be updated.
Currently implemented queries search for evidence of attackers doing reconnaisance, exfiltration of records, suspicious modifications, and more.
“By casting a wider net of indicators and centralizing them in a single script, YetiHunter can provide a comprehensive way to triage threats in your Snowflake environment,” Ahl noted.
“We will continue to update the tool in order to keep up with the TTPs of threat groups that are leveraging compromised credentials to infiltrate Snowflake instances of organizations.”
UPDATE (June 18, 2024, 08:10 a.m. ET):
Mandiant has published a threat hunting guide and queries to help Snowflake customers detect malicious activity across their instances. “This guide should help organizations uncover the recent UNC5537 campaign or other discrete security incidents,” Madiant CTO Charles Carmakal noted.