Stolen credentials → no-MFA Snowflake → mass tenant exfil (2024)
Infostealer logs from third-party machines yielded credentials for many Snowflake tenants. Tenants without enforced MFA / IP allow-lists were queried directly; dozens of customer data sets were exfiltrated.
§ Context
Assumed environment: target organisation uses Snowflake. MFA + IP allow-list not enforced tenant-wide. Some service accounts use static credentials without rotation, stored on user machines.
§ Steps
- 01 Bulk export critical tables · Exfiltration · T1041 — Exfiltration Over C2 Channel
- 02 Sell / leak data; ransom tenant · Impact · T1486 — Data Encrypted for Impact
- 03 List databases / schemas / tables · Discovery · T1087 — Account Discovery
- 04 Grep logs for *.snowflakecomputing.com · Reconnaissance · W-RECON-GITHUB-DORK — GitHub / GitLab Dorking
- 05 Acquire infostealer logs (forum / Telegram) · Resource Development · T1583 — Acquire Infrastructure
- 06 Authenticate as tenant user · Credential Access · APT-SNOWFLAKE-2024 — Snowflake Stolen-Credential Mass Theft (2024)
§ References
§ Frequently asked
- Q: What is the "Stolen credentials → no-MFA Snowflake → mass tenant exfil (2024)" attack path?
- A: Infostealer logs from third-party machines yielded credentials for many Snowflake tenants. Tenants without enforced MFA / IP allow-lists were queried directly; dozens of customer data sets were exfiltrated. It chains 6 steps drawn from real-world offensive-security techniques.
- Q: What starting position does this attack require?
- A: The first step is Bulk export critical tables (T1041) — an exfiltration primitive. Assumed environment: target organisation uses Snowflake.
- Q: What is the final impact of this kill-chain?
- A: The final step lands on Authenticate as tenant user (APT-SNOWFLAKE-2024), which falls under Credential Access. From here, an operator typically pivots into post-exploitation or maintains persistence.
- Q: How can defenders detect or prevent this attack?
- A: Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.
§ Related dossiers
- Mass SMS phish → Okta-style portal → SaaS sprawl (0ktapus) · shared techniques: 3
  Wide SMS phishing campaign targeting employees of ~130 organisations with a single phishlet that captures Okta credentials + push approval. Mass automated logins to Twilio, MailChimp, DoorDash et al.
- Open MongoDB → dump every collection · shared techniques: 3
  Shodan-indexed MongoDB on 27017 with no auth. Connect, list databases, dump every collection. Often the second stage is a ransom note in a new 'README' collection.
- Unauth DICOM PACS → mass medical-image exfil · shared techniques: 2
  PACS server accepts unauthenticated C-FIND / C-MOVE on port 104 / 11112. Query for every study, pull every image — exfil hundreds of thousands of patient scans + DICOM metadata (PII).
- Insider admin panel coercion → mass account takeover (Twitter 2020) · shared techniques: 2
  Identify employees with access to an internal admin panel. SE / coerce one to use the panel to change target accounts' email + 2FA, then take them over.
- BACnet HVAC → disrupt building operations · shared techniques: 2
  BACnet on UDP/47808 is unauthenticated. From a foothold in corporate IT, write to HVAC controllers — over-cool a data centre, disable smoke evacuation, mess with elevators.
- MOVEit Transfer (CVE-2023-34362) → mass data exfil (Cl0p) · shared techniques: 2
  Pre-auth SQLi in MOVEit's web UI forges an admin session. .NET deserialisation chain drops a webshell as SYSTEM. Cl0p's 2023 mass-exfil playbook: download every file under /var/files.