Public Cloud Security Breaches: Documenting their mistakes so you don't make them.

Snowflake

Incident Details

Victimized Company: Multiple Customers
Incident Dates: 2024-05-20 to 2023-03-02
Disclosure Date: 2023-03-01
Current Status: N/A

In the spring of 2024, a number of Snowflake customers suffered data breaches when cybercriminals announced they had data sets from high-profile customers like TicketMaster, LendingTree, Neiman Marcus, and Santander.

While Snowflake & Mandiant found no evidence their cloud offering was compromised, these incidents became a serious public relations issue.

Incident

Details of the Incident

The threat actor used infostealer tools to gain access to several companies’ Snowflake credentials. These accounts lacked MFA, even though they had access to millions of records of sensitive personal information. Mitiga identified an attack tool named “rapeflake,” which was then used to extract the data.

This first came to light when…

… one or more crooks going by the handle ShinyHunters was spotted putting what’s understood to be 1.3TB of data stolen from Ticketmaster up for sale on an underworld forum. That trove, yours for $500,000, is said to contain records on 560 million Ticketmaster customers: Their names, email addresses, phone numbers, physical addresses, transaction details, and partial payment card information. (The Register)

Victims

165 victims have been identified and notified. The following notable organizations have confirmed breaches:

Timeline

Date: Event
Apr 14th, 2024: First activity identified by Mandiant
May 22nd, 2024: Snowflake & Law Enforcement notified
May 27th, 2024: ShinyHunters offers up records on 560 million TicketMaster customers on BreachForums
May 31st, 2024: Hudson Rock publishes report on the incident, which Snowflake pressured to have taken down.
May 31st, 2024: Mitiga publishes the first report on issues with Snowflake breaches
June 10th, 2024: Mandiant releases report confirming no breach with Snowflake itself and attributing the attack to UNC5537.
July 9th, 2024: Snowflake finally allows customers to force MFA on all their users

Attribution / Perpetrator

It’s believed ShinyHunters is acting as a broker for the data, which was stolen by someone else. (The Register)

Mandiant is tracking this group as UNC5537, “a financially motivated threat actor” primarily based in North America.

Summary of Coverage

Cloud Security Lessons Learned

This was not a breach for which Snowflake was directly responsible.

Mandiant’s investigation has not found any evidence to suggest that unauthorized access to Snowflake customer accounts stemmed from a breach of Snowflake’s enterprise environment. Instead, every incident Mandiant responded to associated with this campaign was traced back to compromised customer credentials. (Mandiant Report)

However, Snowflake, like all cloud providers, is responsible for ensuring its products are used safely.

Despite the sensitive data that Snowflake holds for its customers, Snowflake lets each customer manage the security of their environments and does not automatically enroll or require its customers to use multi-factor authentication, or MFA, according to Snowflake’s customer documentation. (src)

Specific to the customer side of Shared-Responsibility, Mandiant indicates that the victimized customers

did not require multi-factor authentication and in many cases, the credentials had not been rotated for as long as four years. Network allow lists were also not used to limit access to trusted locations.
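As an added example (not from this page, Snowflake, or Mandiant), the SQL below audits a Snowflake account for the three customer-side gaps just quoted and closes the third one. It assumes a role that can read SNOWFLAKE.ACCOUNT_USAGE (normally ACCOUNTADMIN), and the allow-listed range 203.0.113.0/24 is a placeholder for a real corporate egress range.

```sql
-- Added example, not code from the page or from Snowflake/Mandiant.
-- Assumes ACCOUNTADMIN (or a role granted IMPORTED PRIVILEGES on the
-- SNOWFLAKE database) and a placeholder corporate range 203.0.113.0/24.

-- 1. Password-based, enabled users with no MFA and a password older than
--    90 days. EXT_AUTHN_DUO is the ACCOUNT_USAGE flag for MFA enrolment;
--    DISABLED is a VARIANT in this view, hence the cast.
SELECT name,
       password_last_set_time,
       DATEDIFF('day', password_last_set_time, CURRENT_TIMESTAMP()) AS password_age_days,
       last_success_login
FROM   snowflake.account_usage.users
WHERE  deleted_on IS NULL
  AND  disabled::boolean = FALSE
  AND  has_password = TRUE
  AND  ext_authn_duo = FALSE
  AND  password_last_set_time < DATEADD('day', -90, CURRENT_TIMESTAMP())
ORDER  BY password_age_days DESC;

-- 2. Successful logins in the last 30 days that were authenticated by a
--    password alone, with the source IP and the client that was used.
--    Anything here should be an account you expected to still be on
--    password-only auth; service accounts belong on key-pair or OAuth.
SELECT event_timestamp, user_name, client_ip, reported_client_type
FROM   snowflake.account_usage.login_history
WHERE  is_success = 'YES'
  AND  event_timestamp > DATEADD('day', -30, CURRENT_TIMESTAMP())
  AND  first_authentication_factor = 'PASSWORD'
  AND  second_authentication_factor IS NULL
ORDER  BY event_timestamp DESC;

-- 3. Limit the account to trusted locations with a network allow list.
CREATE NETWORK POLICY IF NOT EXISTS corp_only
  ALLOWED_IP_LIST = ('203.0.113.0/24')
  COMMENT = 'Only corporate egress may reach this account';

ALTER ACCOUNT SET NETWORK_POLICY = corp_only;
```

Snowflake rejects the ALTER ACCOUNT statement if the IP of the session running it is not in the allow list, so run step 3 from inside the range you intend to keep; ACCOUNT_USAGE views also lag live activity by up to a couple of hours, so treat steps 1 and 2 as a periodic audit rather than a real-time alert.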

Mandiant also calls out unmanaged contractor devices as the initial compromise point for several customers.

In several Snowflake related investigations, Mandiant observed that the initial compromise of infostealer malware occurred on contractor systems that were also used for personal activities, including gaming and downloads of pirated software. Contractors that customers engage to assist with their use of Snowflake may utilize personal and/or non-monitored laptops that exacerbate this initial entry vector.