Threat Advisory: Snowflake Data Breach Impacts Its Clients (2024)

SpiderLabs Blog

June 04, 2024 4 minutes read

Executive Summary

On May 20, 2024, Live Nation discovered and disclosed unauthorized activity in its third-party cloud database environment, which was eventually identified to be Snowflake, in its SEC filing. The database contains information regarding the company, primarily from its Ticketmaster subsidiary. In the days following this filing, analysts discovered that multiple Snowflake clients had data posted for sale on the Dark Web. On May 23, a threat actor “Whitewarlock” posted Santander Group data for sale. On May 27, 2024, the threat actor “ShinyHunters” offered the Live Nation/Ticketmaster data of 560M users for $500k USD on the Dark Web. According to various reports, the breach occurred via stolen credentials of a Snowflake employee’s ServiceNow account through the LummaStealer campaign in October 2023. In its most recent response on June 2, 2024, Snowflake released Indicators of Compromise (IOC) and recommended actions to assist in the investigation of Snowflake customer accounts.

Technical Details

On May 23, a threat actor going by the alias “Whitewarlock” first appeared on a Russian Dark Web forum. They claimed responsibility for the breach and posted data they allegedly obtained related to Santander Group. In the post, the threat actor expressed a desire to sell the stolen data back to Snowflake for $2 million USD.

On May 26, in a Telegram conversation, a threat actor claimed to have hacked two major companies, Ticketmaster and Santander Bank. In the conversation, the threat actor relayed some of the details of the attack. Recent data breaches at Ticketmaster and Santander have been attributed to malicious access to their Snowflake environments. Snowflake's cloud data platform is used by 9,437 customers, including some of the largest companies worldwide, like Adobe, AT&T, Capital One, Doordash, HP, Instacart, JetBlue, Kraft Heinz, Mastercard, Micron, NBC Universal, Nielsen, Novartis, Okta, PepsiCo, Siemens, US Foods, Western Union, Yamaha, and many others.

[Screenshot of the Telegram conversation described above]

Breach Impact

While Ticketmaster was the marquee victim during the initial disclosure of this breach, many reports have stated it was not the only company whose data was stolen. As of now, two companies have had their data put up for sale online, but it is assumed that other companies were affected by this breach. While the full set of impacted companies is unclear, the threat actor has claimed to have gained access to data from the following companies: Anheuser-Busch, State Farm, Mitsubishi, Progressive, Neiman Marcus, Allstate, and Advanced Auto Parts.

Based on the post by Whitewarlock selling the Santander data, these were among the data that were stolen:

  • Customer data
  • Account number and balances
  • Credit card numbers
  • HR employee list
  • Consumer citizenship information
  • Other data not disclosed in the post


Based on the post by ShinyHunters selling the Ticketmaster data, these were among the data that were stolen:

  • Customer data
  • Account number and balances
  • Credit card numbers
  • HR employee list
  • Consumer citizenship information


The exposure of such crucial information about the company and its users could lead to identity theft, financial fraud, and many other malicious activities.

Snowflake’s Response

In a joint advisory with CrowdStrike and Mandiant, Snowflake provided an update on the ongoing investigation into the campaign targeting Snowflake customer accounts. These are the key preliminary findings in their report:

  1. There was no evidence suggesting that it was caused by a vulnerability, misconfiguration, or breach of the platform.
  2. There was no evidence suggesting that this was due to a compromised credential of a current or former Snowflake employee.
  3. This is a targeted campaign directed at users with single-factor authentication.
  4. Threat actors have used credentials purchased/obtained through infostealing malware.
  5. There was evidence of personal credentials being stolen to access demo accounts of a former employee. However, these do not contain any sensitive data, as the accounts are not connected to their production or corporate systems. This happened because the demo accounts were not behind Okta or Multi-Factor Authentication.

Snowflake has also reached out to customers who may have been affected and has provided steps to secure their accounts.

Indicators of Compromise

Table 1: Client Identifier from malicious traffic

Name                        Description
rapeflake                   Identified from malicious traffic
DBeaver_DBeaverUltimate     Identified from malicious traffic running from Windows Server 2022

Table 2: IP addresses released by Snowflake

IP Addresses (Description: IP addresses related to suspicious activities)

104.223.91.28      198.54.135.99      184.147.100.29     146.70.117.210
198.54.130.153     169.150.203.22     185.156.46.163     146.70.171.99
206.217.206.108    45.86.221.146      193.32.126.233     87.249.134.11
66.115.189.247     104.129.24.124     146.70.171.112     198.54.135.67
146.70.124.216     45.134.142.200     206.217.205.49     146.70.117.56
169.150.201.25     66.63.167.147      194.230.144.126    146.70.165.227
154.47.30.137      154.47.30.150      96.44.191.140      146.70.166.176
198.44.136.56      176.123.6.193      192.252.212.60     173.44.63.112
37.19.210.34       37.19.210.21       185.213.155.241    198.44.136.82
93.115.0.49        204.152.216.105    198.44.129.82      185.248.85.59
198.54.131.152     102.165.16.161     185.156.46.144     45.134.140.144
198.54.135.35      176.123.3.132      185.248.85.14      169.150.223.208
162.33.177.32      194.230.145.67     5.47.87.202        194.230.160.5
194.230.147.127    176.220.186.152    194.230.160.237    194.230.158.178
194.230.145.76     45.155.91.99       194.230.158.107    194.230.148.99
194.230.144.50     185.204.1.178      79.127.217.44      104.129.24.115
146.70.119.24      138.199.34.144

IOC Investigation

During investigation of the IOCs provided in Snowflake's security bulletin, the IPs were found to be associated with Mullvad VPN, a legitimate VPN service. Additionally, some of these IPs have been observed conducting other scanning activities, particularly scanning for Ivanti Connect “Secure” VPN (CVE-2023-46805).

Mitigations

Trustwave analysts recommend that client organizations implement the mitigations below to improve their cybersecurity readiness and posture in light of the threat actors’ outlined activity.

  • As recommended by Snowflake in their released joint statement:
    o Enforce Multi-Factor Authentication (MFA) on all accounts.
    o Set up Network Policy Rules to only allow authorized users and traffic from trusted locations.
    o Impacted organizations should reset and rotate credentials.
  • Conduct regular security audits of all third-party service providers.
  • Use Role-Based Access Controls (RBAC) to manage and restrict access to sensitive data.
  • Snowflake has released steps for identification, investigation, and prevention of this attack, which can be found here.
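To make the IOC tables and the mitigations above actionable, the following added example (not code from the original advisory, Snowflake, or Trustwave) triages a CSV export of Snowflake login activity against the client identifiers from Table 1 and the IP addresses from Table 2, and additionally flags successful logins that used no second authentication factor or came from outside your trusted networks, which is what the MFA and network-policy recommendations are meant to prevent. The column names follow Snowflake's ACCOUNT_USAGE views (LOGIN_HISTORY joined to SESSIONS for CLIENT_APPLICATION_ID), but the export format, the sample rows, and the TRUSTED_NETWORKS range are constructed for this example and are assumptions, not values from the page.

```python
import csv
import io
import ipaddress
from dataclasses import dataclass, field

# Client identifiers and IP addresses from Snowflake's June 2, 2024 bulletin (Tables 1 and 2 above).
IOC_CLIENT_IDS = {"rapeflake", "DBeaver_DBeaverUltimate"}
IOC_IPS = set("""
104.223.91.28 198.54.135.99 184.147.100.29 146.70.117.210 198.54.130.153 169.150.203.22
185.156.46.163 146.70.171.99 206.217.206.108 45.86.221.146 193.32.126.233 87.249.134.11
66.115.189.247 104.129.24.124 146.70.171.112 198.54.135.67 146.70.124.216 45.134.142.200
206.217.205.49 146.70.117.56 169.150.201.25 66.63.167.147 194.230.144.126 146.70.165.227
154.47.30.137 154.47.30.150 96.44.191.140 146.70.166.176 198.44.136.56 176.123.6.193
192.252.212.60 173.44.63.112 37.19.210.34 37.19.210.21 185.213.155.241 198.44.136.82
93.115.0.49 204.152.216.105 198.44.129.82 185.248.85.59 198.54.131.152 102.165.16.161
185.156.46.144 45.134.140.144 198.54.135.35 176.123.3.132 185.248.85.14 169.150.223.208
162.33.177.32 194.230.145.67 5.47.87.202 194.230.160.5 194.230.147.127 176.220.186.152
194.230.160.237 194.230.158.178 194.230.145.76 45.155.91.99 194.230.158.107 194.230.148.99
194.230.144.50 185.204.1.178 79.127.217.44 104.129.24.115 146.70.119.24 138.199.34.144
""".split())

# ASSUMPTION: replace with your organization's real egress ranges (RFC 5737 placeholder here).
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

REASON_TEXT = {
    "ioc_ip": "client IP listed in Snowflake IOC bulletin",
    "ioc_client": "client identifier listed in Snowflake IOC bulletin",
    "single_factor": "successful login without a second authentication factor",
    "untrusted_network": "successful login from outside trusted networks",
}


@dataclass
class Finding:
    user: str
    timestamp: str
    client_ip: str
    reasons: list = field(default_factory=list)


def parse_export(text):
    """Parse a CSV export (ACCOUNT_USAGE column names) into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text.strip())))


def from_trusted_network(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def triage(rows):
    """Return one Finding per row that matches an IOC or violates the MFA/network guidance."""
    findings = []
    for row in rows:
        reasons = []
        if row["CLIENT_IP"] in IOC_IPS:
            reasons.append("ioc_ip")
        if row["CLIENT_APPLICATION_ID"] in IOC_CLIENT_IDS:
            reasons.append("ioc_client")
        if row["IS_SUCCESS"] == "YES":  # policy checks only matter where access was granted
            if not row["SECOND_AUTHENTICATION_FACTOR"]:
                reasons.append("single_factor")
            if not from_trusted_network(row["CLIENT_IP"]):
                reasons.append("untrusted_network")
        if reasons:
            findings.append(Finding(row["USER_NAME"], row["EVENT_TIMESTAMP"], row["CLIENT_IP"], reasons))
    return findings


def users_needing_credential_rotation(findings):
    """Accounts touched by a known IOC: reset and rotate these credentials first."""
    return {f.user for f in findings if any(r.startswith("ioc_") for r in f.reasons)}


# Constructed sample export: five login events, none taken from a real environment.
SAMPLE_EXPORT = """\
EVENT_TIMESTAMP,USER_NAME,CLIENT_IP,FIRST_AUTHENTICATION_FACTOR,SECOND_AUTHENTICATION_FACTOR,IS_SUCCESS,CLIENT_APPLICATION_ID
2024-05-20T03:12:44Z,svc_reporting,104.223.91.28,PASSWORD,,YES,rapeflake
2024-05-20T09:01:10Z,alice,203.0.113.45,PASSWORD,DUO_PUSH,YES,Snowflake UI
2024-05-21T14:33:02Z,bob,198.51.100.7,PASSWORD,,YES,DBeaver_DBeaverUltimate
2024-05-21T15:00:00Z,carol,203.0.113.9,PASSWORD,,YES,Snowflake UI
2024-05-22T01:05:11Z,dave,185.248.85.14,PASSWORD,,NO,rapeflake
"""

if __name__ == "__main__":
    found = triage(parse_export(SAMPLE_EXPORT))
    for f in found:
        print(f"{f.timestamp} {f.user:<14} {f.client_ip:<16} " + "; ".join(REASON_TEXT[r] for r in f.reasons))
    print("rotate credentials for:", sorted(users_needing_credential_rotation(found)))
```

Failed logins are still matched against the IOC sets (a failed attempt from a listed IP with the rapeflake client is evidence the account was targeted), while the single-factor and network checks are applied only to successful logins, where they point at accounts that the recommended MFA and network-policy controls would have protected.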

