On May 20, 2024, Live Nation discovered and disclosed an unauthorized activity in its third-party cloud database environment, which was eventually identified to be Snowflake, in its SEC filing. The database contains information regarding the company, primarily from its Ticketmaster subsidiary. Following this filing and in the following days, analysts discovered multiple clients of Snowflake have had data posted on the Dark Web for sale. On May 23, a threat actor “Whitewarlock” posted Santander Group data for sale. On May 27, 2024, the threat actor “ShinyHunters” offered the Live Nation/Ticketmaster data of 560M users for $500k USD in the Dark Web. According to various reports, the breach occurred via stolen credentials of a Snowflake employee’s ServiceNow account through the Lumma Stealer campaign last October 2023. In the most recent response of Snowflake on June 2, 2024, they have released Indicators of Compromise (IOC) and recommended actions to assist in the investigation of Snowflake customer accounts.
On May 23, a threat actor going by the alias “Whitewarlock,” first appeared on a Russian Dark Web forum. They claimed responsibility for the breach and posted data they allegedly obtained related to Santander Group. In the post, the threat actor expressed a desire to sell back the stolen data to Snowflake for $2 million USD.
On May 26th through a Telegram conversation, a threat actor claimed to have hacked two major companies, Ticketmaster and Santander Bank. In the conversation, the threat actor relayed some of the details of the attack. Recent data breaches at Ticketmaster and Santander have been attributed to malicious access to their Snowflake environments. Snowflake's cloud data platform is used by 9,437 customers, including some of the largest companies worldwide, like Adobe, AT&T, Capital One, Doordash, HP, Instacart, JetBlue, Kraft Heinz, Mastercard, Micron, NBC Universal, Nielsen, Novartis, Okta, PepsiCo, Siemens, US Foods, Western Union, Yamaha, and many others.
While Ticketmaster was the marquee victim during the initial disclosure of this breach, many reports have stated they were not the only company whose data was stolen. As of now, there have been 2 companies whose data were being sold online but it is assumed that other companies were affected by this breach. While it is unclear all who are impacted, the Threat Actor has claimed to gained access to data from the following companies: Anheuser-Busch, State Farm, Mitsubishi, Progressive, Neiman Marcus, Allstate, and Advanced Auto Parts.
Based on the post by whitewarlock in selling the Santander data, these were among the data that were stolen:
Based on the post by ShinyHunters in selling the Ticketmaster data, these were among the data that were stolen:
The exposure of such crucial information about the company and its users could lead to identify theft, financial fraud, and many other malicious activities.
In a joint advisory with CrowdStrike and Mandiant, Snowflake provided an update on the ongoing investigation which targets Snowflake customer accounts. These are they key preliminary findings in their report:
Snowflake has also reached out to their customers who may have been infected and has provided steps to secure their applications.
Table 1: Client Identifier from malicious traffic
|
Name |
Description |
|
rapeflake |
Identified from malicious traffic |
|
DBeaver_DBeaverUltimate |
Identified from malicious traffic running from Windows Server 2022 |
Table 2: IP addresses released by Snowflake
|
IP Addresses |
Description |
|
104.223.91.28 198.54.135.99 184.147.100.29 146.70.117.210 198.54.130.153 169.150.203.22 185.156.46.163 146.70.171.99 206.217.206.108 45.86.221.146 193.32.126.233 87.249.134.11 66.115.189.247 104.129.24.124 146.70.171.112 198.54.135.67 146.70.124.216 45.134.142.200 206.217.205.49 146.70.117.56 169.150.201.25 66.63.167.147 194.230.144.126 146.70.165.227 154.47.30.137 154.47.30.150 96.44.191.140 146.70.166.176 198.44.136.56 176.123.6.193 192.252.212.60 173.44.63.112 37.19.210.34 37.19.210.21 185.213.155.241 198.44.136.82 93.115.0.49 204.152.216.105 198.44.129.82 185.248.85.59 198.54.131.152 102.165.16.161 185.156.46.144 45.134.140.144 198.54.135.35 176.123.3.132 185.248.85.14 169.150.223.208 162.33.177.32 194.230.145.67 5.47.87.202 194.230.160.5 194.230.147.127 176.220.186.152 194.230.160.237 194.230.158.178 194.230.145.76 45.155.91.99 194.230.158.107 194.230.148.99 194.230.144.50 185.204.1.178 79.127.217.44 104.129.24.115 146.70.119.24 138.199.34.144 185.248.85.14 |
IP addresses related to suspicious activities |
During investigation of the IOCs that were provided by a security bulletin from Snowflake, the IPs are associated with the VPN service Mullvad VPN, a legitimate VPN service. Additionally, some of these IPs have been observed to be conducting other scanning activities , particularly scanning for Ivanti Connect “Secure” VPN (CVE-2023-46805).
Trustwave analysts recommend that client organizations implement the below mitigations to improve your organization’s cybersecurity readiness and posture based on the threat actors’ outlined activity.