Executive Summary
On May 20, 2024, Live Nation disclosed in an SEC filing that it had discovered unauthorized activity in a third-party cloud database environment, later identified as Snowflake. The database contained company data, primarily from its Ticketmaster subsidiary. In the days following this filing, analysts discovered that multiple Snowflake customers had data posted for sale on the Dark Web. On May 23, the threat actor “Whitewarlock” posted Santander Group data for sale. On May 27, 2024, the threat actor “ShinyHunters” offered the Live Nation/Ticketmaster data of 560M users for $500k USD on the Dark Web. According to various reports, the breach occurred via credentials for a Snowflake employee’s ServiceNow account that were stolen through the Lumma Stealer campaign in October 2023. In its most recent response, on June 2, 2024, Snowflake released Indicators of Compromise (IOC) and recommended actions to assist in the investigation of Snowflake customer accounts.
Technical Details
On May 23, a threat actor going by the alias “Whitewarlock” first appeared on a Russian Dark Web forum. They claimed responsibility for the breach and posted data they allegedly obtained from Santander Group. In the post, the threat actor expressed a desire to sell the stolen data back to Snowflake for $2 million USD.
On May 26, in a Telegram conversation, a threat actor claimed to have hacked two major companies, Ticketmaster and Santander Bank, and relayed some details of the attack. The recent data breaches at Ticketmaster and Santander have been attributed to malicious access to their Snowflake environments. Snowflake’s cloud data platform is used by 9,437 customers, including some of the largest companies worldwide, such as Adobe, AT&T, Capital One, Doordash, HP, Instacart, JetBlue, Kraft Heinz, Mastercard, Micron, NBC Universal, Nielsen, Novartis, Okta, PepsiCo, Siemens, US Foods, Western Union, Yamaha, and many others.
Screenshot of the Telegram conversation described above
Breach Impact
While Ticketmaster was the marquee victim in the initial disclosure of this breach, many reports have stated that it was not the only company whose data was stolen. As of now, two companies have had their data offered for sale online, but other companies are assumed to have been affected as well. While the full set of victims is unclear, the threat actor has claimed to have gained access to data from the following companies: Anheuser-Busch, State Farm, Mitsubishi, Progressive, Neiman Marcus, Allstate, and Advanced Auto Parts.
Based on Whitewarlock’s post selling the Santander data, the stolen data included:
- Customer data
- Account number and balances
- Credit card numbers
- HR employee list
- Consumer citizenship information
- Other data not disclosed in the post
Based on ShinyHunters’ post selling the Ticketmaster data, the stolen data included:
- Customer data
- Account number and balances
- Credit card numbers
- HR employee list
- Consumer citizenship information
The exposure of such sensitive information about the company and its users could lead to identity theft, financial fraud, and many other malicious activities.
Snowflake’s Response
In a joint advisory with CrowdStrike and Mandiant, Snowflake provided an update on its ongoing investigation into the campaign targeting Snowflake customer accounts. These are the key preliminary findings in their report:
- There was no evidence that the campaign was caused by a vulnerability, misconfiguration, or breach of the Snowflake platform.
- There was no evidence that it was due to a compromised credential of a current or former Snowflake employee.
- This is a targeted campaign directed at users with single-factor authentication.
- Threat actors used credentials purchased or obtained through infostealer malware.
- There was evidence that a former employee’s personal credentials were stolen and used to access demo accounts. These accounts did not contain sensitive data, as they are not connected to Snowflake’s production or corporate systems. This was possible because the demo accounts were not protected by Okta or Multi-Factor Authentication.
Snowflake has also reached out to customers who may have been affected and has provided steps to secure their environments.
Indicators of Compromise
Table 1: Client Identifier from malicious traffic
Name | Description
rapeflake | Identified from malicious traffic
DBeaver_DBeaverUltimate | Identified from malicious traffic running from Windows Server 2022
Table 2: IP addresses released by Snowflake
IP Addresses | Description
(address list as released by Snowflake; not reproduced here) | IP addresses related to suspicious activities
IOC Investigation
During investigation of the IOCs provided in Snowflake’s security bulletin, the IPs were found to be associated with Mullvad VPN, a legitimate VPN service. Additionally, some of these IPs have been observed conducting other scanning activity, particularly scanning for Ivanti Connect Secure VPN (CVE-2023-46805).
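The following Snowflake SQL is an added hunting example, not code from the Trustwave advisory or Snowflake’s bulletin. It checks the SNOWFLAKE.ACCOUNT_USAGE views for the client identifiers in Table 1, for successful logins from the Table 2 addresses, and for the password-only logins the joint advisory says the campaign targeted; it assumes a role that can read those views and that the Table 2 addresses have been pasted into a temporary table named ioc_ips (a placeholder).

```sql
-- Requires a role with IMPORTED PRIVILEGES on the SNOWFLAKE database (e.g. ACCOUNTADMIN).
-- ACCOUNT_USAGE views lag live activity (assumption: up to a few hours), so also check
-- the INFORMATION_SCHEMA.LOGIN_HISTORY() table function for the most recent window.

-- Placeholder holding table for the Table 2 addresses; paste the list from the bulletin.
CREATE OR REPLACE TEMPORARY TABLE ioc_ips (ip STRING);
-- INSERT INTO ioc_ips VALUES ('<ip from Table 2>'), ('<ip from Table 2>');

-- 1. Sessions whose client application matches the Table 1 identifiers, joined to the
--    login event so the source IP and authentication factors are visible.
SELECT s.created_on, s.user_name, s.client_application_id, s.client_application_version,
       l.client_ip, l.first_authentication_factor, l.second_authentication_factor
FROM snowflake.account_usage.sessions AS s
JOIN snowflake.account_usage.login_history AS l ON l.event_id = s.login_event_id
WHERE s.created_on >= DATEADD('day', -90, CURRENT_TIMESTAMP())
  AND (s.client_application_id ILIKE 'rapeflake%'
       OR s.client_application_id ILIKE 'DBeaver_DBeaverUltimate%')
ORDER BY s.created_on;

-- 2. Successful logins from the Table 2 addresses, with the factors used.
SELECT l.event_timestamp, l.user_name, l.client_ip, l.reported_client_type,
       l.first_authentication_factor, l.second_authentication_factor
FROM snowflake.account_usage.login_history AS l
JOIN ioc_ips AS i ON i.ip = l.client_ip
WHERE l.is_success = 'YES'
  AND l.event_timestamp >= DATEADD('day', -90, CURRENT_TIMESTAMP())
ORDER BY l.event_timestamp;

-- 3. Users who logged in successfully with a password and no second factor: the
--    population the joint advisory describes as targeted. Review each account for
--    unexpected source IPs or client types.
SELECT l.user_name,
       COUNT(*)                    AS single_factor_logins,
       COUNT(DISTINCT l.client_ip) AS distinct_ips,
       MIN(l.event_timestamp)      AS first_seen,
       MAX(l.event_timestamp)      AS last_seen
FROM snowflake.account_usage.login_history AS l
WHERE l.is_success = 'YES'
  AND l.first_authentication_factor = 'PASSWORD'
  AND l.second_authentication_factor IS NULL
  AND l.event_timestamp >= DATEADD('day', -90, CURRENT_TIMESTAMP())
GROUP BY l.user_name
ORDER BY distinct_ips DESC, single_factor_logins DESC;
```

Because the Table 2 addresses belong to a commercial VPN exit pool, a hit on query 2 alone is a lead to triage against the user’s normal locations and client types, not proof of compromise.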
Mitigations
Trustwave analysts recommend that client organizations implement the mitigations below to improve their cybersecurity readiness and posture against the threat actors’ outlined activity.
- As recommended by Snowflake in their released joint statement:
  o Enforce Multi-Factor Authentication (MFA) on all accounts.
  o Set up Network Policy Rules to only allow authorized users and traffic from trusted locations.
  o Impacted organizations should reset and rotate credentials.
- Conduct regular security audits of all third-party service providers.
- Use Role-Based Access Controls (RBAC) to manage and restrict access to sensitive data.
- Snowflake has released steps for identification, investigation, and prevention of this attack, which can be found here.
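The Snowflake-side steps in the list above (find single-factor users, enforce MFA, restrict source networks, rotate credentials), as an added example written for this page rather than taken from the advisory or Snowflake’s documentation. The policy names, the user name and the IP ranges (RFC 5737 documentation addresses) are placeholders, and the authentication-policy statement assumes that feature is available in your account.

```sql
-- Run with a role that can alter the account and users (e.g. ACCOUNTADMIN or SECURITYADMIN).

-- 1. Enabled users who still authenticate with a password and are not enrolled in Duo MFA.
--    EXT_AUTHN_DUO is the enrollment flag exposed by the ACCOUNT_USAGE.USERS view.
SELECT name, last_success_login, has_rsa_public_key
FROM snowflake.account_usage.users
WHERE deleted_on IS NULL
  AND disabled = FALSE
  AND has_password = TRUE
  AND ext_authn_duo = FALSE
ORDER BY last_success_login;

-- 2. Require MFA enrollment account-wide. Authentication policies are a newer Snowflake
--    feature (assumption: present in your account); users complete enrollment themselves,
--    so re-run the query above until it returns no rows.
CREATE AUTHENTICATION POLICY IF NOT EXISTS require_mfa
  MFA_ENROLLMENT = REQUIRED
  COMMENT = 'MFA enrollment is mandatory for password users';
ALTER ACCOUNT SET AUTHENTICATION POLICY require_mfa;

-- 3. Network policy: allow only trusted egress ranges; everything else is denied.
CREATE NETWORK POLICY IF NOT EXISTS trusted_egress_only
  ALLOWED_IP_LIST = ('203.0.113.0/24', '198.51.100.17')  -- placeholder corporate/VPN egress
  COMMENT = 'Trusted corporate and VPN egress only';
ALTER ACCOUNT SET NETWORK_POLICY = trusted_egress_only;

-- 4. Reset and rotate credentials for an impacted user (placeholder name). Disable the
--    user first so no new login lands mid-rotation, set a new password that must be
--    changed at next login, drop any key-pair credential that may also have been stolen,
--    then re-enable.
ALTER USER analyst_jdoe SET DISABLED = TRUE;
ALTER USER analyst_jdoe SET PASSWORD = '<new-randomly-generated-password>'
                            MUST_CHANGE_PASSWORD = TRUE;
ALTER USER analyst_jdoe UNSET RSA_PUBLIC_KEY;  -- only needed if the user had key-pair auth
ALTER USER analyst_jdoe SET DISABLED = FALSE;

-- 5. Confirm the policies are attached before closing the ticket.
SHOW PARAMETERS LIKE 'NETWORK_POLICY' IN ACCOUNT;
```

Apply the network policy to a test user with ALTER USER ... SET NETWORK_POLICY first and confirm your own session is in the allowed list, since an account-level policy that omits your egress locks administrators out too.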
Source: Original Post