
YetiHunter: An open-source tool for threat hunting in Snowflake environments


Permiso, a cloud identity protection company, has developed YetiHunter, a tool designed to help companies detect and hunt for threats in their Snowflake environments. This tool comes as a response to recent attacks against Snowflake customers, where attackers gained access to accounts through compromised credentials.

Snowflake, a cloud-based data storage and analytics company, recently confirmed that some of its customers had their accounts breached due to compromised credentials. Mandiant’s analysts traced the source of the compromised credentials to info-stealing malware and purchases on the dark web. In total, approximately 165 Snowflake customers were affected by these attacks. To help potential victims, Snowflake and Mandiant provided indicators of compromise and guidance on how to check for suspicious activity in Snowflake accounts and data assets.

Ian Ahl, the Senior Vice President of P0 Labs at Permiso, highlighted the challenge many security professionals face in investigating Snowflake compromises. To address this gap in expertise, Permiso developed YetiHunter as a free and open-source tool to assist analysts in reviewing Tactics, Techniques, and Procedures (TTPs) associated with recent attacks on Snowflake users. YetiHunter incorporates indicators from Snowflake, Mandiant, and Datadog, as well as custom detections created by Permiso.

YetiHunter is a user-friendly script whose queries, list of known malicious IPs, and detection logic can all be customized and extended. The tool currently includes queries that search for signs of reconnaissance, record exfiltration, unauthorized modifications, and other suspicious activity. By consolidating a wide range of indicators into a single script, YetiHunter offers a comprehensive starting point for threat triage in Snowflake environments.
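To make concrete what a query-driven hunt over Snowflake audit data looks like, here is an added Python illustration; it is not YetiHunter's own code and not from Permiso. It applies a small set of rule predicates (known-bad IP, password-only login, reconnaissance, stage unload, large result set, account modification) to constructed rows shaped like the SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY and QUERY_HISTORY views. The IP list, the row threshold, the SQL regexes and the sample rows are all assumptions made for the example.

```python
"""Rule-driven triage of Snowflake audit rows, in the style of a hunting script.

Added illustration for this article, not YetiHunter's own code. It assumes
rows shaped like SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY and QUERY_HISTORY
(real Snowflake views and column names); the rows below are constructed.
"""
import re
from dataclasses import dataclass
from typing import Callable

# Placeholder "known malicious IP" list (RFC 5737 documentation addresses,
# constructed here); a real hunt would load published indicators instead.
KNOWN_BAD_IPS = {"192.0.2.10", "198.51.100.77"}

# Queries returning more rows than this are flagged for analyst review (assumed threshold).
LARGE_RESULT_ROWS = 1_000_000


@dataclass(frozen=True)
class Detection:
    """One named check: a tactic label plus a predicate over a single row."""
    name: str
    tactic: str
    match: Callable[[dict], bool]


# --- LOGIN_HISTORY checks ---------------------------------------------------
def login_from_bad_ip(row: dict) -> bool:
    return row.get("CLIENT_IP") in KNOWN_BAD_IPS


def login_without_mfa(row: dict) -> bool:
    # Successful password-only logins are what stolen credentials produce.
    return (row.get("IS_SUCCESS") == "YES"
            and row.get("SECOND_AUTHENTICATION_FACTOR") is None)


# --- QUERY_HISTORY checks ---------------------------------------------------
# Enumeration of objects/users/grants, or reads from INFORMATION_SCHEMA.
RECON_SQL = re.compile(
    r"^\s*(SHOW\s+(TABLES|DATABASES|SCHEMAS|USERS|GRANTS)\b"
    r"|SELECT\s+.*\bFROM\s+INFORMATION_SCHEMA\.)", re.I)
# Unloading to a stage ("COPY INTO @...") or creating a stage to unload to.
EXFIL_SQL = re.compile(
    r"\bCOPY\s+INTO\s+@|\bCREATE\s+(OR\s+REPLACE\s+)?(TEMP(ORARY)?\s+)?STAGE\b", re.I)
# Changes to users, roles, account parameters or network policies.
MODIFY_SQL = re.compile(
    r"\b(ALTER|CREATE)\s+USER\b|\bGRANT\s+ROLE\b|\bALTER\s+ACCOUNT\b"
    r"|\bCREATE\s+NETWORK\s+POLICY\b", re.I)


def query_matches(pattern: re.Pattern) -> Callable[[dict], bool]:
    return lambda row: pattern.search(row.get("QUERY_TEXT") or "") is not None


def large_result(row: dict) -> bool:
    return (row.get("ROWS_PRODUCED") or 0) > LARGE_RESULT_ROWS


LOGIN_DETECTIONS = [
    Detection("login_from_known_bad_ip", "initial_access", login_from_bad_ip),
    Detection("login_without_mfa", "initial_access", login_without_mfa),
]
QUERY_DETECTIONS = [
    Detection("reconnaissance_query", "discovery", query_matches(RECON_SQL)),
    Detection("stage_unload", "exfiltration", query_matches(EXFIL_SQL)),
    Detection("large_result_set", "collection", large_result),
    Detection("account_modification", "persistence", query_matches(MODIFY_SQL)),
]


def hunt(rows: list[dict], detections: list[Detection]) -> list[dict]:
    """Apply every detection to every row; return one finding per match."""
    findings = []
    for row in rows:
        for det in detections:
            if det.match(row):
                findings.append({"detection": det.name, "tactic": det.tactic,
                                 "user": row.get("USER_NAME"), "row": row})
    return findings


# Constructed sample rows (not real telemetry).
SAMPLE_LOGINS = [
    {"EVENT_TIMESTAMP": "2024-06-01 08:00:00", "USER_NAME": "ALICE", "CLIENT_IP": "203.0.113.5",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD", "SECOND_AUTHENTICATION_FACTOR": "DUO_PUSH",
     "IS_SUCCESS": "YES"},
    {"EVENT_TIMESTAMP": "2024-06-01 02:13:44", "USER_NAME": "BOB", "CLIENT_IP": "192.0.2.10",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD", "SECOND_AUTHENTICATION_FACTOR": None,
     "IS_SUCCESS": "YES"},
    {"EVENT_TIMESTAMP": "2024-06-01 02:15:02", "USER_NAME": "CAROL", "CLIENT_IP": "203.0.113.9",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD", "SECOND_AUTHENTICATION_FACTOR": None,
     "IS_SUCCESS": "NO"},
]
SAMPLE_QUERIES = [
    {"START_TIME": "2024-06-01 08:05:00", "USER_NAME": "ALICE",
     "QUERY_TEXT": "SELECT id, amount FROM sales.public.orders WHERE id = 42", "ROWS_PRODUCED": 1},
    {"START_TIME": "2024-06-01 02:14:10", "USER_NAME": "BOB",
     "QUERY_TEXT": "SHOW TABLES IN DATABASE sales", "ROWS_PRODUCED": 120},
    {"START_TIME": "2024-06-01 02:16:30", "USER_NAME": "BOB",
     "QUERY_TEXT": "SELECT * FROM sales.public.customers", "ROWS_PRODUCED": 3_400_000},
    {"START_TIME": "2024-06-01 02:20:00", "USER_NAME": "BOB",
     "QUERY_TEXT": "COPY INTO @~/out FROM sales.public.customers FILE_FORMAT = (TYPE = CSV)",
     "ROWS_PRODUCED": 0},
    {"START_TIME": "2024-06-01 02:25:00", "USER_NAME": "BOB",
     "QUERY_TEXT": "GRANT ROLE ACCOUNTADMIN TO USER bob", "ROWS_PRODUCED": 0},
]


def run_sample() -> list[dict]:
    return hunt(SAMPLE_LOGINS, LOGIN_DETECTIONS) + hunt(SAMPLE_QUERIES, QUERY_DETECTIONS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['tactic']:<15} {f['detection']:<25} user={f['user']}")
```

Running it lists six findings, all against the constructed user BOB: a login from a listed IP with no second factor, followed by enumeration, a multi-million-row read, an unload to a stage, and a role grant. The design point is that the indicator list, the thresholds and the SQL patterns are plain data at the top of the file, so an analyst can swap in published IoCs or add a rule without touching the evaluation loop, which is the same extensibility the article attributes to YetiHunter.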

Ahl emphasized that Permiso will continue to enhance YetiHunter to keep pace with the TTPs of threat groups that use compromised credentials to infiltrate organizations’ Snowflake instances. The tool’s flexibility and adaptability make it a valuable asset for companies seeking to strengthen their threat detection and response capabilities in cloud environments.

In conclusion, YetiHunter represents a proactive approach to bolstering security defenses in response to evolving cyber threats targeting cloud-based data storage and analytics platforms like Snowflake. By providing analysts with a practical tool for identifying and investigating potential compromises, Permiso aims to empower organizations to safeguard their sensitive data and mitigate the risks posed by malicious actors in the digital landscape.
