SpiderLabs Blog

Threat Advisory: Snowflake Data Breach Impacts Its Clients

Executive Summary

On May 20, 2024, Live Nation discovered unauthorized activity in a third-party cloud database environment, later identified as Snowflake, and disclosed it in an SEC filing. The database holds company information, primarily from its Ticketmaster subsidiary. In the days following the filing, analysts discovered that multiple Snowflake clients had data posted for sale on the Dark Web. On May 23, a threat actor “Whitewarlock” posted Santander Group data for sale. On May 27, 2024, the threat actor “ShinyHunters” offered the Live Nation/Ticketmaster data of 560M users for $500k USD on the Dark Web. According to various reports, the breach occurred via credentials for a Snowflake employee’s ServiceNow account that were stolen in the Lumma Stealer campaign of October 2023. In its most recent response, on June 2, 2024, Snowflake released Indicators of Compromise (IOCs) and recommended actions to assist in the investigation of Snowflake customer accounts.

Technical Details

On May 23, a threat actor going by the alias “Whitewarlock” first appeared on a Russian Dark Web forum. They claimed responsibility for the breach and posted data they allegedly obtained from Santander Group. In the post, the threat actor offered to sell the stolen data back to Snowflake for $2 million USD.

On May 26, in a Telegram conversation, a threat actor claimed to have hacked two major companies, Ticketmaster and Santander Bank, and relayed some details of the attack. The recent data breaches at Ticketmaster and Santander have been attributed to malicious access to their Snowflake environments. Snowflake's cloud data platform is used by 9,437 customers, including some of the largest companies worldwide, such as Adobe, AT&T, Capital One, Doordash, HP, Instacart, JetBlue, Kraft Heinz, Mastercard, Micron, NBC Universal, Nielsen, Novartis, Okta, PepsiCo, Siemens, US Foods, Western Union, Yamaha, and many others.

[Image: screenshot of the Telegram conversation described above]

Breach Impact

While Ticketmaster was the marquee victim in the initial disclosure of this breach, many reports have stated that it was not the only company whose data was stolen. As of now, two companies have had their data put up for sale online, but other companies are assumed to have been affected as well. While the full set of impacted organizations is unclear, the threat actor has claimed to have gained access to data from the following companies: Anheuser-Busch, State Farm, Mitsubishi, Progressive, Neiman Marcus, Allstate, and Advanced Auto Parts.

Based on Whitewarlock's post selling the Santander data, the stolen data included:

  • Customer data
  • Account number and balances
  • Credit card numbers
  • HR employee list
  • Consumer citizenship information
  • Other data not disclosed in the post

[Image: Whitewarlock's forum post, “Sell Santander Group Data”]

Based on ShinyHunters' post selling the Ticketmaster data, the stolen data included:

  • Customer data
  • Account number and balances
  • Credit card numbers
  • HR employee list
  • Consumer citizenship information

[Image: ShinyHunters' post selling Live Nation/Ticketmaster data]

The exposure of such crucial information about the company and its users could lead to identity theft, financial fraud, and many other malicious activities.

Snowflake’s Response

In a joint advisory with CrowdStrike and Mandiant, Snowflake provided an update on the ongoing investigation into the campaign targeting Snowflake customer accounts. These are the key preliminary findings in their report:

  1. There was no evidence suggesting that the activity was caused by a vulnerability, misconfiguration, or breach of the Snowflake platform.
  2. There was no evidence suggesting that it was due to a compromised credential of a current or former Snowflake employee.
  3. This is a targeted campaign directed at users with single-factor authentication.
  4. Threat actors used credentials purchased or obtained through infostealing malware.
  5. There was evidence that a former employee's personal credentials were stolen and used to access demo accounts. However, these accounts did not contain sensitive data, as they are not connected to Snowflake's production or corporate systems. This was possible because the demo accounts were not protected by Okta or Multi-Factor Authentication.

Snowflake has also reached out to customers who may have been affected and has provided steps to secure their environments.

Indicators of Compromise

Table 1: Client identifiers from malicious traffic

  Name                       Description
  rapeflake                  Identified from malicious traffic
  DBeaver_DBeaverUltimate    Identified from malicious traffic running from Windows Server 2022

Table 2: IP addresses released by Snowflake

  IP Addresses (all described by Snowflake as IP addresses related to suspicious activities)

  104.223.91.28
  198.54.135.99
  184.147.100.29
  146.70.117.210
  198.54.130.153
  169.150.203.22
  185.156.46.163
  146.70.171.99
  206.217.206.108
  45.86.221.146
  193.32.126.233
  87.249.134.11
  66.115.189.247
  104.129.24.124
  146.70.171.112
  198.54.135.67
  146.70.124.216
  45.134.142.200
  206.217.205.49
  146.70.117.56
  169.150.201.25
  66.63.167.147
  194.230.144.126
  146.70.165.227
  154.47.30.137
  154.47.30.150
  96.44.191.140
  146.70.166.176
  198.44.136.56
  176.123.6.193
  192.252.212.60
  173.44.63.112
  37.19.210.34
  37.19.210.21
  185.213.155.241
  198.44.136.82
  93.115.0.49
  204.152.216.105
  198.44.129.82
  185.248.85.59
  198.54.131.152
  102.165.16.161
  185.156.46.144
  45.134.140.144
  198.54.135.35
  176.123.3.132
  185.248.85.14
  169.150.223.208
  162.33.177.32
  194.230.145.67
  5.47.87.202
  194.230.160.5
  194.230.147.127
  176.220.186.152
  194.230.160.237
  194.230.158.178
  194.230.145.76
  45.155.91.99
  194.230.158.107
  194.230.148.99
  194.230.144.50
  185.204.1.178
  79.127.217.44
  104.129.24.115
  146.70.119.24
  138.199.34.144
  185.248.85.14

IOC Investigation

During investigation of the IOCs provided in Snowflake's security bulletin, the IPs were found to be associated with Mullvad VPN, a legitimate VPN service. Additionally, some of these IPs have been observed conducting other scanning activities, particularly scanning for Ivanti Connect “Secure” VPN (CVE-2023-46805).

[Image: IOC investigation results]
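The following is an added example, not code from the advisory or from Snowflake, showing how a defender would run login records against the IoCs in Tables 1 and 2 and, per Snowflake's third finding, flag successful password-only logins. The field names on `LoginEvent`, the sample records, the user names and the `IOC_IPS` subset (copied from Table 2) are all assumptions of this example; in practice the full Table 2 list would be loaded from the bulletin and the records exported from the account's login and session history.

```python
"""Triage login records against the advisory's IoCs (added example)."""
from __future__ import annotations

from dataclasses import dataclass, field

# Client identifiers from Table 1 of the advisory.
IOC_CLIENT_IDS = {"rapeflake", "DBeaver_DBeaverUltimate"}

# A subset of the IP addresses from Table 2 of the advisory. In practice, load
# the complete list from the bulletin instead of hard-coding a sample.
IOC_IPS = {
    "104.223.91.28", "198.54.135.99", "184.147.100.29", "146.70.117.210",
    "198.54.130.153", "169.150.203.22", "185.156.46.163", "146.70.171.99",
}


@dataclass(frozen=True)
class LoginEvent:
    """One login record. The fields resemble the kind of columns exposed by
    Snowflake's ACCOUNT_USAGE login/session views, but the exact names used
    here are an assumption of this example, not Snowflake's schema."""
    timestamp: str
    user_name: str
    client_ip: str
    client_application_id: str
    first_factor: str
    second_factor: str | None
    success: bool


@dataclass
class Finding:
    user_name: str
    timestamp: str
    reasons: list[str] = field(default_factory=list)


def classify(event: LoginEvent) -> list[str]:
    """Return every reason a single login record deserves attention."""
    reasons: list[str] = []
    if event.client_ip in IOC_IPS:
        reasons.append("source IP listed in Table 2")
    if event.client_application_id in IOC_CLIENT_IDS:
        reasons.append("client identifier listed in Table 1")
    # Snowflake's finding 3: the campaign targeted single-factor accounts, so a
    # successful password login with no second factor is noted even when no
    # IoC matched. Key-pair logins are left out of this check on purpose.
    if event.success and event.first_factor == "PASSWORD" and event.second_factor is None:
        reasons.append("successful password-only login (no MFA)")
    return reasons


def triage(events: list[LoginEvent]) -> list[Finding]:
    """Run classify() over a batch and keep only the records with findings."""
    findings: list[Finding] = []
    for e in events:
        reasons = classify(e)
        if reasons:
            findings.append(Finding(e.user_name, e.timestamp, reasons))
    return findings


def users_to_rotate(findings: list[Finding]) -> set[str]:
    """Users with an IoC hit (IP or client identifier): rotate their credentials."""
    return {
        f.user_name for f in findings
        if any(r.startswith(("source IP", "client identifier")) for r in f.reasons)
    }


def single_factor_users(findings: list[Finding]) -> set[str]:
    """Users who logged in with a password alone: candidates for MFA enforcement."""
    return {
        f.user_name for f in findings
        if any(r.startswith("successful password-only") for r in f.reasons)
    }


# Constructed sample records: documentation address ranges and fictitious users.
SAMPLE_EVENTS = [
    LoginEvent("2024-05-20T01:12:00Z", "alice", "203.0.113.10", "PythonConnector", "PASSWORD", "DUO_PUSH", True),
    LoginEvent("2024-05-20T02:40:00Z", "bob", "104.223.91.28", "DBeaver_DBeaverUltimate", "PASSWORD", None, True),
    LoginEvent("2024-05-20T03:05:00Z", "carol", "198.51.100.7", "JDBC", "PASSWORD", None, True),
    LoginEvent("2024-05-20T03:30:00Z", "dave", "198.54.135.99", "rapeflake", "PASSWORD", None, False),
    LoginEvent("2024-05-20T04:00:00Z", "erin", "192.0.2.55", "SnowSQL", "RSA_KEYPAIR", None, True),
]

if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for f in found:
        print(f"{f.timestamp} {f.user_name}: {'; '.join(f.reasons)}")
    print("rotate credentials:", sorted(users_to_rotate(found)))
    print("enforce MFA:", sorted(single_factor_users(found)))
```

On the constructed records, `bob` matches both tables and logged in without MFA, `dave` matches both tables but failed to log in, and `carol` only shows a password-only login; the two IoC hits go on the rotation list, while `bob` and `carol` are the MFA-enforcement candidates. A failed login from an IoC address is still worth a finding, since it shows the actor holding a credential for that user.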

Mitigations

Trustwave analysts recommend that client organizations implement the mitigations below to improve their cybersecurity readiness and posture against the threat actors’ outlined activity.

  • As recommended by Snowflake in their released joint statement:
    o Enforce Multi-Factor Authentication (MFA) on all accounts.
    o Set up Network Policy Rules to allow only authorized users and traffic from trusted locations.
    o Impacted organizations should reset and rotate credentials.
  • Conduct regular security audits of all third-party service providers.
  • Use Role-Based Access Controls (RBAC) to manage and restrict access to sensitive data.
  • Snowflake has released steps for identification, investigation, and prevention of this attack, which can be found here.
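To make the network-policy recommendation concrete, here is an added example (not from the advisory or from Snowflake) that models an allow/block-list policy, shows a weak setting beside a corrected one, and checks which of the Table 2 addresses each would still admit. The evaluation order (blocked entries take precedence, an empty allowed list admits everything not blocked) is modeled on the precedence Snowflake documents for its network policies and should be treated as an assumption to confirm against current documentation; the policy names, the `IOC_IPS` subset and the corporate egress ranges are constructed for the example.

```python
"""Evaluate a Snowflake-style network policy against the advisory's IoC IPs
(added example)."""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# A subset of the IP addresses from Table 2 of the advisory.
IOC_IPS = (
    "104.223.91.28", "198.54.135.99", "184.147.100.29", "146.70.117.210",
    "206.217.206.108", "45.86.221.146", "193.32.126.233", "87.249.134.11",
)


@dataclass(frozen=True)
class NetworkPolicy:
    """Allowed and blocked CIDR lists. Precedence in is_allowed() follows the
    rules Snowflake documents for its network policies; that ordering is an
    assumption of this example and should be checked against current docs."""
    name: str
    allowed: tuple[str, ...] = ()
    blocked: tuple[str, ...] = ()


def is_allowed(policy: NetworkPolicy, ip: str) -> bool:
    """Decide whether a login from `ip` would pass `policy`."""
    addr = ip_address(ip)
    if any(addr in ip_network(cidr) for cidr in policy.blocked):
        return False                # blocked entries win over allowed ones
    if not policy.allowed:
        return True                 # no allow-list: anything not blocked is in
    return any(addr in ip_network(cidr) for cidr in policy.allowed)


def policy_gaps(policy: NetworkPolicy) -> list[str]:
    """Report settings that leave the account open to logins from anywhere."""
    gaps: list[str] = []
    if not policy.allowed:
        gaps.append("no allowed list: logins accepted from any source not explicitly blocked")
    for cidr in policy.allowed:
        if ip_network(cidr).prefixlen == 0:
            gaps.append(f"allowed list contains a catch-all range ({cidr})")
    return gaps


def iocs_passing(policy: NetworkPolicy, iocs: tuple[str, ...] = IOC_IPS) -> set[str]:
    """Which advisory IPs would still be admitted under `policy`."""
    return {ip for ip in iocs if is_allowed(policy, ip)}


def render_ddl(policy: NetworkPolicy) -> str:
    """Render the policy as a CREATE NETWORK POLICY statement in Snowflake's syntax."""
    parts = [f"CREATE NETWORK POLICY {policy.name}"]
    if policy.allowed:
        parts.append("ALLOWED_IP_LIST = (" + ", ".join(f"'{c}'" for c in policy.allowed) + ")")
    if policy.blocked:
        parts.append("BLOCKED_IP_LIST = (" + ", ".join(f"'{c}'" for c in policy.blocked) + ")")
    return " ".join(parts) + ";"


# Weak setting (constructed): a catch-all allow list, i.e. no restriction at all.
WEAK = NetworkPolicy("allow_all", allowed=("0.0.0.0/0",))

# Corrected setting (constructed): only the organisation's own egress ranges.
# Documentation prefixes stand in for real office/VPN egress addresses.
HARDENED = NetworkPolicy("corp_only", allowed=("203.0.113.0/24", "198.51.100.0/25"))

if __name__ == "__main__":
    for policy in (WEAK, HARDENED):
        print(render_ddl(policy))
        print("  gaps:", policy_gaps(policy) or "none")
        print("  Table 2 addresses admitted:", len(iocs_passing(policy)), "of", len(IOC_IPS))
```

Under `WEAK` every sampled Table 2 address is admitted and `policy_gaps()` reports the catch-all range; under `HARDENED` none of them pass, while logins from the two corporate ranges still do. The check only covers the network layer: an actor coming through an allowed range with a stolen password is exactly why the MFA recommendation sits first in the list above.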
