Threat Advisory: Snowflake Data Breach Impacts Its Clients

Executive Summary

On May 20, 2024, Live Nation discovered and disclosed an unauthorized activity in its third-party cloud database environment, which was eventually identified to be Snowflake, in its SEC filing. The database contains information regarding the company, primarily from its Ticketmaster subsidiary. Following this filing and in the following days, analysts discovered multiple clients of Snowflake have had data posted on the Dark Web for sale. On May 23, a threat actor “Whitewarlock” posted Santander Group data for sale. On May 27, 2024, the threat actor “ShinyHunters” offered the Live Nation/Ticketmaster data of 560M users for $500k USD in the Dark Web. According to various reports, the breach occurred via stolen credentials of a Snowflake employee’s ServiceNow account through the Lumma Stealer campaign last October 2023. In the most recent response of Snowflake on June 2, 2024, they have released Indicators of Compromise (IOC) and recommended actions to assist in the investigation of Snowflake customer accounts.

Technical Details

On May 23, a threat actor going by the alias “Whitewarlock,” first appeared on a Russian Dark Web forum. They claimed responsibility for the breach and posted data they allegedly obtained related to Santander Group. In the post, the threat actor expressed a desire to sell back the stolen data to Snowflake for $2 million USD.

On May 26th through a Telegram conversation, a threat actor claimed to have hacked two major companies, Ticketmaster and Santander Bank. In the conversation, the threat actor relayed some of the details of the attack. Recent data breaches at Ticketmaster and Santander have been attributed to malicious access to their Snowflake environments. Snowflake's cloud data platform is used by 9,437 customers, including some of the largest companies worldwide, like Adobe, AT&T, Capital One, Doordash, HP, Instacart, JetBlue, Kraft Heinz, Mastercard, Micron, NBC Universal, Nielsen, Novartis, Okta, PepsiCo, Siemens, US Foods, Western Union, Yamaha, and many others.

Screenshot of the Telegram conversation described above

Breach Impact

While Ticketmaster was the marquee victim during the initial disclosure of this breach, many reports have stated they were not the only company whose data was stolen. As of now, there have been 2 companies whose data were being sold online but it is assumed that other companies were affected by this breach. While it is unclear all who are impacted, the Threat Actor has claimed to gained access to data from the following companies: Anheuser-Busch, State Farm, Mitsubishi, Progressive, Neiman Marcus, Allstate, and Advanced Auto Parts.

Based on the post by whitewarlock in selling the Santander data, these were among the data that were stolen:

• Customer data
• Account number and balances
• Credit card numbers
• HR employee list
• Consumer citizenship information
• Other data not disclosed in the post

Based on the post by ShinyHunters in selling the Ticketmaster data, these were among the data that were stolen:

• Customer data
• Account number and balances
• Credit card numbers
• HR employee list
• Consumer citizenship information

The exposure of such crucial information about the company and its users could lead to identify theft, financial fraud, and many other malicious activities.

Snowflake’s Response

In a joint advisory with CrowdStrike and Mandiant, Snowflake provided an update on the ongoing investigation which targets Snowflake customer accounts. These are they key preliminary findings in their report:

1. There was no evidence suggesting that it was caused by a vulnerability, misconfiguration, or breach of the platform.
2. There was no evidence suggesting that this was due to a compromised credential of a current or former Snowflake employee.
3. This is a targeted campaign directed at users with single-factor authentication.
4. Threat actors have used credentials purchased/obtained through infostealing malware.
5. There was evidence of personal credentials being stolen to access demo accounts of a former employee. However, this does not contain any sensitive data as the accounts are not connected to their production or corporate systems. This happened due to the demo accounts not behind Okta or Multi-Factor Authentication.

Snowflake has also reached out to their customers who may have been infected and has provided steps to secure their applications.

Indicators of Compromise

Table 1: Client Identifier from malicious traffic

Table 2: IP addresses released by Snowflake

IOC Investigation

During investigation of the IOCs that were provided by a security bulletin from Snowflake, the IPs are associated with the VPN service Mullvad VPN, a legitimate VPN service. Additionally, some of these IPs have been observed to be conducting other scanning activities , particularly scanning for Ivanti Connect “Secure” VPN (CVE-2023-46805).

Mitigations

Trustwave analysts recommend that client organizations implement the below mitigations to improve your organization’s cybersecurity readiness and posture based on the threat actors’ outlined activity.

• As recommended by Snowflake in their released joint statement:
  o Enforce Multi Factor Authentication (MFA) on all accounts.
  o Set-up Network Policy Rules to only allow authorized users and traffic from trusted locations.
  o Impacted organizations should reset and rotate credentials.
• Conduct regular security audits of all third-party service providers.
• User Role-Based Access Controls (RBAC) to manage and restrict access of sensitive data.
• Snowflake has released steps for identification, investigation, and prevention of this attack which can be found here.