A threat actor claiming recent breaches of Santander and Ticketmaster says they stole data after hacking into an employee’s account at cloud storage company Snowflake. However, Snowflake disputes these claims, saying that recent breaches were caused by poorly secured customer accounts.
Snowflake’s cloud data platform is used by 9,437 customers, including some of the largest companies worldwide, such as Adobe, AT&T, Capital One, Doordash, HP, Instacart, JetBlue, Kraft Heinz, Mastercard, Micron, NBC Universal, Nielsen, Novartis, Okta, PepsiCo, Siemens, US Foods, Western Union, Yamaha and many others.
According to cybersecurity firm Hudson Rock, the threat actor claimed they also gained access to data from other high-profile companies using Snowflake’s cloud storage services, including Anheuser-Busch, State Farm, Mitsubishi, Progressive , Neiman Marcus, Allstate and Advance Auto Parts. .
To do this, they say they bypassed Okta’s secure verification process by signing into a Snowflake employee’s ServiceNow account using stolen credentials. Next, they claim they can generate session tokens to extract data belonging to Snowflake clients.
“To put it bluntly, a single credential resulted in the exfiltration of hundreds of companies that stored their data using Snowflake, with the threat actor himself suggesting that 400 companies were affected,” said Hudson Rock.
“[T]threat actor shared with Hudson Rock researchers, which shows the depth of their access to Snowflake’s servers. This file documents over 2000 customer cases related to Snowflake Europe servers.”
The threat actor claims that they wanted to blackmail Snowflake into buying the stolen data for $20 million, but the company did not respond to their extortion attempts.
Hudson Rock added that a Snowflake employee was infected by a Lumma-type Infostealer in October. The malware stole their corporate credentials on the Snowflake infrastructure, as seen in a screenshot shared by the threat actor and embedded below.
Mandiant Consulting CTO Charles Carmakal told BleepingComputer that Mandiant has been helping Snowflake customers over the past few weeks who were compromised.
The company’s investigations to date indicate that threat actors likely used credentials stolen by information-stealing malware to gain access to the victim’s Snowflake tenants.
“Any SaaS solution that is configured without multi-factor authentication is vulnerable to mass exploitation by threat actors. We encourage all cloud users to implement 2-factor or better and IP-based restrictions,” it warned Carmakal.
“We anticipate that threat actors will repeat this campaign across other SaaS solutions that contain sensitive enterprise data”
BleepingComputer contacted Snowflake about the threat actor’s claims that an employee had been breached, but a spokesperson said the company had “nothing else to add.”
Santander and Ticketmaster spokesman were not immediately available for comment when contacted by BleepingComputer earlier today.
BleepingComputer was able to confirm that Santander and Ticketmaster are using Snowflake’s cloud storage services.
If you have any information about this incident or other Snowflake data theft breaches, you can contact us confidentially via Signal at 646-961-3731 or at [email protected].
Snowflake confirms customer account hacks
Snowflake did not confirm Hudson Rock’s report, instead stating that the attacker compromised customer accounts in these breaches and did not exploit any vulnerabilities or misconfigurations in the company’s products.
The cloud storage provider also warned customers on Friday that it is investigating “an increase” in attacks targeting some of their accounts, with Snowflake CISO Brad Jones adding that some customer accounts were compromised on May 23.
“We became aware of potentially unauthorized access to several customer accounts on May 23, 2024. During our investigation, we observed increased threat activity beginning in mid-April 2024 from a subset of suspicious IP addresses and customers that we believe that they are associated with unauthorized access.” Jones said.
“To date, we do not believe this activity was caused by any vulnerability, misconfiguration, or malicious activity within the Snowflake product. Throughout the course of our ongoing investigation, we have immediately notified the limited number of customers we believe may have have been influenced.”
Jones says Snowflake notified all customers of the attacks and asked them to secure their accounts and data by enabling multi-factor authentication (MFA).
The cloud data company also published a security bulletin with Indicators of Compromise (IoC), investigative questions and advice on how potentially affected customers can secure their accounts.
One of the IOCs indicates that threat actors created a custom tool called ‘RapeFlake’ to extract data from Snowflake’s databases.
Another showed threat actors connecting to databases using the DBeaver Ultimate database management tools, with logs showing client connections from the ‘DBeaver_DBeaverUltimate’ user agent.
5/31/24: Statement added by Charles Carmakal of Mandiant.
