Red Teaming
The 2024 AT&T breach was one of the most significant security incidents in recent history. Attackers accessed the call metadata of nearly all of the company’s customers from March 1 through October 31, 2022.
Due to the potential national security implications of the breach, the U.S. Securities and Exchange Commission (SEC) even granted a nearly three-month extension on its usual four-day notification rule (the breach was identified on April 19 but was publicly disclosed on July 12).
AT&T was only one of an estimated 165 companies impacted by the same campaign. Other victims included TicketMaster, Santander Group, and Advance Auto Parts. Who was responsible?
The ShinyHunters threat group.
| ShinyHunters Technique | MITRE ATT&CK Technique | HTB Academy modules | HTB Machines | HTB Sherlocks |
|---|---|---|---|---|
| Malware targeting trusted partner | T1199 Trusted Relationship | | | |
| | T1552 Unsecured Credentials | | | |
| Identify previously breached credentials | T1589.001 Gather Victim Identity Information | | | |
| Credential stuffing | T1110.004 Brute Force: Credential Stuffing | | | |
| Data theft and exfiltration of Snowflake data | T1530 Data from Cloud Storage | | | |
| | T1567 Exfiltration Over Web Service | | | |
| | T1560 Archive Collected Data | | | |
| Extorting ransom to delete stolen data | T1657 Financial Theft | | | |
They gained access to the companies’ Snowflake accounts via credential stuffing and a supply chain breach of EPAM Systems.
Once inside, ShinyHunters accessed and exfiltrated sensitive data from these cloud storage locations. Then, they demanded ransoms ranging from $300,000 to $5 million in exchange for deleting the data.
We’re going to dive into the anatomy of the Snowflake attack in this post. Like our deep dive into the Cuttlefish malware, this attack anatomy article uses the MITRE ATT&CK framework to explore the various techniques used by the attackers in this incident.
For each technique, we’ll also point to Hack the Box (HTB) resources that can provide hands-on training about how the technique works—and how to defend against it.
AT&T and other companies were the victims of a supply chain attack that targeted their Snowflake cloud storage.
Instead of exploiting vulnerabilities in Snowflake’s environment, ShinyHunters used compromised credentials to access and steal data.
Note 💡: While we have a pretty good idea of the techniques and tools the ShinyHunters group used during this attack, not everything has been confirmed by the affected parties. This anatomy therefore describes the techniques as alleged in public reporting.
The Snowflake environments breached by ShinyHunters are believed to have been accessed with compromised credentials rather than through security flaws in Snowflake itself. The attackers may have collected those credentials in a couple of different ways:
EPAM Systems is a managed service provider (MSP) that offers a range of different services to its customers. This includes managing an organization’s Snowflake cloud storage deployments.
ShinyHunters exploited this trust relationship (MITRE ATT&CK Technique T1199) to target the company’s customers.
ShinyHunters breached the computer of an EPAM employee and installed a remote access trojan (RAT). This tool—allegedly Lumma Stealer, which is also a keylogger—provided control over the system.
With access to the employee’s system, the attackers identified customers’ Snowflake credentials stored unencrypted within Jira, a project management tool (MITRE ATT&CK T1552).
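Credential stuffing (T1110.004 in the table above) leaves a recognisable footprint in a login history: one source address failing against many distinct user names in a short window, sometimes followed by a success where a reused password happened to work. The detector below is an added example written for this post, not code from Hack The Box or Snowflake. It runs over a handful of constructed login records whose pipe-separated fields (timestamp, user name, client IP, success flag) are an assumption loosely modelled on a cloud data platform's login-history view; it flags both the spray itself and any login that succeeds right after it, which is the event a defender most wants to triage.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample login records for this example (not real log data).
# Field layout is an assumption: timestamp|user_name|client_ip|success(YES/NO)
SAMPLE_LOGINS = [
    "2024-04-19T02:00:01Z|alice|198.51.100.7|NO",
    "2024-04-19T02:00:02Z|bob|198.51.100.7|NO",
    "2024-04-19T02:00:03Z|carol|198.51.100.7|NO",
    "2024-04-19T02:00:04Z|dave|198.51.100.7|NO",
    "2024-04-19T02:00:05Z|erin|198.51.100.7|NO",
    "2024-04-19T02:00:06Z|frank|198.51.100.7|YES",  # a reused password works
    "2024-04-19T02:30:00Z|alice|203.0.113.10|NO",
    "2024-04-19T02:30:05Z|alice|203.0.113.10|NO",
    "2024-04-19T02:30:09Z|alice|203.0.113.10|YES",  # one user, typos then success: benign
    "2024-04-19T03:00:00Z|grace|192.0.2.44|YES",
]


def parse_login(line):
    """Parse one pipe-separated record into a dict with a real datetime."""
    ts, user, ip, ok = line.strip().split("|")
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "user": user,
        "ip": ip,
        "success": ok == "YES",
    }


def detect_credential_stuffing(lines, window=timedelta(minutes=10), min_users=5):
    """Return findings for IPs that fail against >= min_users distinct accounts
    inside `window`, plus any success from that IP while the spray is active.

    Each finding is a dict with kind "attempt" (spray observed) or "success"
    (a login succeeded right after the spray), so the latter can be triaged first.
    """
    events = sorted((parse_login(l) for l in lines), key=lambda e: e["ts"])
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    findings = []
    for ip, evs in by_ip.items():
        recent_failures = deque()  # (ts, user) failures still inside the window
        attempt_reported = False
        for e in evs:
            # Slide the window: drop failures older than `window` before this event.
            while recent_failures and e["ts"] - recent_failures[0][0] > window:
                recent_failures.popleft()
            distinct_failed = {u for _, u in recent_failures}
            if e["success"]:
                if len(distinct_failed) >= min_users:
                    findings.append({
                        "kind": "success", "ip": ip, "user": e["user"],
                        "distinct_failed_users": len(distinct_failed),
                        "ts": e["ts"].isoformat(),
                    })
            else:
                recent_failures.append((e["ts"], e["user"]))
                distinct_failed.add(e["user"])
                if len(distinct_failed) >= min_users and not attempt_reported:
                    attempt_reported = True
                    findings.append({
                        "kind": "attempt", "ip": ip,
                        "distinct_failed_users": len(distinct_failed),
                        "ts": e["ts"].isoformat(),
                    })
    return findings


if __name__ == "__main__":
    for f in detect_credential_stuffing(SAMPLE_LOGINS):
        print(f)
```

The single-user retry from 203.0.113.10 is deliberately left unflagged: a legitimate user mistyping a password twice is indistinguishable from a targeted guess, and alerting on it would bury the many-users-one-source pattern that actually characterises stuffing. In practice the same sliding-window logic would be applied per source address over an export of the platform's real login-history table, with `min_users` and `window` tuned to the tenant's normal failure rate.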
MITRE ATT&CK + NIST NICE-aligned content
Managers using the HTB Enterprise Platform can easily search courses using MITRE terminology and assign them based on the techniques and tactics relevant to their teams.