SOCRadar® Cyber Intelligence Inc. | Overview of the Snowflake Breach: Threat Actor Offers Data of Cloud Company’s Customers
Home

Resources

Blog
Jun 02, 2024
19 Mins Read

Overview of the Snowflake Breach: Threat Actor Offers Data of Cloud Company’s Customers

[Update] June 14, 2024: “Update on Truist Bank Data Breach”

[Update] June 12, 2024: “Pure Storage Confirms Snowflake Breach”

[Update] June 11, 2024: “New Data Breach Post by Sp1d3r, Targeting Cylance,” “Attribution to ‘UNC5537’ and More Details,” “Truist Bank Data Listed Following a Snowflake Breach”

[Update] June 6, 2024: “Advance Auto Parts Data Breach Post,” “ShinyHunters Removes the Post for Santander”

[Update] June 5, 2024: “Detailed Timeline of Events Surrounding the Snowflake Breach”

[Update] June 4, 2024: “CISA Issues Alert on Snowflake Breach, Urges Immediate Action”

In recent weeks, Snowflake, a leading cloud-based data storage and analytics provider, has found itself at the center of a cybersecurity controversy. Reports of the Snowflake breach have emerged suggesting unauthorized access to its systems, which may have compromised sensitive data belonging to multiple high-profile clients, including Santander Bank and Ticketmaster.

Snowflake is a cloud-based data platform that facilitates data storage, processing, and analytics, offering essential tools for data-driven applications.

Snowflake is a cloud-based data platform that facilitates data storage, processing, and analytics, offering essential tools for data-driven applications.

This blog post will detail the Snowflake breach, based on disclosures from Snowflake, news reports, and additional information from cybersecurity researchers, covering the full timeline of the breach with updates.

The Background of the Snowflake Breach and Initial Disclosure

Snowflake noticed unusual activity within its systems around mid-April 2024 and officially acknowledged potential unauthorized access on May 23, 2024. Since then, the company has been actively investigating the situation and has communicated with affected customers, providing them with Indicators of Compromise (IoCs) and recommended actions to secure their accounts.

Despite allegations of a widespread breach, Snowflake maintains that the incidents resulted from compromised user credentials rather than any inherent vulnerabilities or flaws within Snowflake’s product itself.

The company emphasized in a disclosure on Snowflake Forums, published a month ago, that the breach was not due to any misconfiguration or malicious activities within Snowflake’s products, and that customers are recommended to review their security configurations.

How Did the Snowflake Breach Occur?

Investigations reveal that the breach was likely facilitated by a compromised machine used by a Snowflake sales engineer. Or, just as a speculation, it might even be the work of an insider threat. However, if an account of this level is involved, the breach could potentially affect prospect and sales-related environments and production accounts.

The machine was reportedly infected with Lumma Stealer, a type of malware that logs keystrokes and other activities, which could have been the attackers’ initial access point.

Who Is Behind the Snowflake Breach?

An emerging figure in this incident is a threat actor known by the alias “Whitewarlock.” This threat actor first appeared on a Russian dark web forum, Exploit.in, on May 23, 2024, the same day they posted data allegedly obtained from the breach.

Whitewarlock’s activities and reputation within the cybersecurity community remain unclear, with no prior known history. Their sudden appearance and the specific demands suggest a potentially opportunistic attack rather than a coordinated campaign.

With SOCRadar’s Dark Web News, you can stay updated with the latest events and developments in the dark web landscape. The module allows viewing the latest posts through Deep and Dark Web forums, and various other hacker channels.

Dark Web News – Visit SOCRadar LABS to try its complementary version, DarkMirror

Dark Web News – Visit SOCRadar LABS to try its complementary version, DarkMirror

The First Victims of the Snowflake Breach: Santander Bank and Ticketmaster

The threat actor responsible for the breach claimed to have extracted sensitive data from major entities like Santander Bank and Ticketmaster.

Santander Bank disclosed on May 14 that attackers accessed a database hosted by a third-party provider. While they did not explicitly name Snowflake, subsequent revelations linked the breach to Snowflake’s compromised environments.

Similarly, Ticketmaster’s parent company, Live Nation Entertainment, confirmed unauthorized activity in a third-party cloud database environment containing data primarily from Ticketmaster. This breach was also later attributed to Snowflake’s platform. The company filed a report to the SEC (Securities and Exchange Commission), which is dated May 20.

How Many Individuals Are Affected by the Snowflake Breach?

The alleged breach of Santander Bank through the Snowflake incident reportedly affects 30 million customers. Meanwhile, the Ticketmaster breach is said to potentially impact 560 million customers.

Following the breach, several cybersecurity firms conducted detailed analyses to understand the scope and impact. Reports indicated that over 500 demo environment instances were detected in the stealer logs linked to the compromised Snowflake account.

Also importantly, security researcher Kevin Beaumont noted on Mastodon that six major organizations have experienced cybersecurity issues related to their use of Snowflake, indicating a broader impact.

Detailed Timeline of Events Surrounding the Snowflake Breach

Below is a detailed timeline of events regarding the Snowflake breach.

Santander Bank’s Announcement – May 14, 2024

On May 14, Santander announced, “We recently became aware of an unauthorized access to a Santander database hosted by a third-party provider. We immediately implemented measures to contain the incident, including blocking the compromised access to the database and establishing additional fraud prevention controls to protect affected customers.” This initial response highlighted the bank’s quick action to secure the compromised data and mitigate potential fraud risks.

Santander Data Breach Post on Hacker Forum – May 24, 2024

On May 24, a threat actor named “whitewarlock,” who registered on the same day, claimed on the Russian-speaking hacker forum Exploit that they had hacked Santander Group.

The attacker stated that they had obtained the bank account details of 30 million people, 6 million account numbers and balances, 28 million credit card numbers, and HR information for staff. The hacker demanded 30 BTC (approximately $2 million) for the data.

Santander Group data breach post by the Whitewarlock threat actor

Santander Group data breach post by the Whitewarlock threat actor

Ticketmaster Data Breach Post on Hacker Forum – May 27, 2024

On May 27, a threat actor using the alias SpidermanData registered on the Exploit hacking forum. On the same day, they claimed to have access to Ticketmaster’s systems and claimed possession of 560 million user and financial records. SpidermanData demanded $500,000 for the data.

The extensive information offered included full names, addresses, email addresses, phone numbers, order details, ticket sale information, event details, and even credit card information, including expiration dates.

Ticketmaster data breach post

Ticketmaster data breach post

ShinyHunters Mirrors the Ticketmaster Breach Post – May 28, 2024

On May 28, ShinyHunters, a notorious hacking group, shared a Ticketmaster post mirrored from Exploit on BreachForums.

This was significant because it coincided with the reactivation of BreachForums’ clear net domain, which had been seized by law enforcement in mid-May 2024. ShinyHunters announced via a Telegram post that they had regained control of the domain, signaling a major event in the cybercriminal community.

Ticketmaster data breach post. ShinyHunters, whose reputation was damaged after the law enforcement operation, shared the same data to attract attention, while also further promoting the Snowflake breach.

Ticketmaster data breach post. ShinyHunters, whose reputation was damaged after the law enforcement operation, shared the same data to attract attention, while also further promoting the Snowflake breach.

ShinyHunters Mirrors the Santander Breach Post – May 30, 2024

On May 30, the threat actor ShinyHunters reposted the previously reported Santander breach on BreachForums, mirroring an earlier post originally published by the threat actor known as “whitewarlock”. ShinyHunters, known for acting as a data broker for various threat actors, brought significant attention to this incident.

Santander Bank data breach post by ShinyHunters

Santander Bank data breach post by ShinyHunters

Live Nation Confirms the Ticketmaster Data Breach – May 31, 2024

On May 31, Live Nation, Ticketmaster’s parent company, confirmed the data breach. In their SEC filing, Live Nation stated, “On May 20, 2024, Live Nation Entertainment, Inc. (the “Company” or “we”) identified unauthorized activity within a third-party cloud database environment containing Company data (primarily from its Ticketmaster L.L.C. subsidiary) and launched an investigation with industry-leading forensic investigators to understand what happened. On May 27, 2024, a criminal threat actor offered what it alleged to be Company user data for sale via the dark web. We are working to mitigate risk to our users and the Company, and have notified and are cooperating with law enforcement. As appropriate, we are also notifying regulatory authorities and users with respect to unauthorized access to personal information.”

Snowflake’s Disclosure About the Breach – May 31, 2024

On May 31, Snowflake began updating a thread about an investigation into a targeted threat campaign against some customer accounts. In their latest statement, Snowflake, along with third-party cybersecurity experts, reported no evidence of vulnerabilities, misconfigurations, or breaches within Snowflake’s platform. They also confirmed that no current or former employee credentials were compromised.

The thread was later updated, on June 2, to state that there was evidence that a threat actor obtained personal credentials and accessed demo accounts belonging to a former Snowflake employee.

Another Breach Post, Possibly Related to the Snowflake Incident: QuoteWizard & LendingTree – June 1, 2024

On June 1, a claim posted on BreachForums caught the attention of SOCRadar researchers. The post, made by a user with a nickname resembling the “SpidermanData” threat actor from the Exploit forum, was identified as belonging to a threat actor named Sp1d3r. This threat actor claimed to have obtained a significant amount of data from two leading companies in the insurance and financial services sectors, QuoteWizard and LendingTree.

The data, which allegedly reached 2TB when compressed, was said to include highly sensitive personal information of 190 million individuals and 3 billion tracking pixel data records.

QuoteWizard & LendingTree data breach post by Sp1d3r

QuoteWizard & LendingTree data breach post by Sp1d3r

When asked in the comments how he obtained the data, the threat actor hinted at stealing it from SnowFlake by stating, “I *** the flake.”

Threat actor’s comment, hinting at a breach of Snowflake

Threat actor’s comment, hinting at a breach of Snowflake

Advance Auto Parts Data Breach Post – June 5, 2024

The Sp1d3r threat actor, previously mentioned in other breach posts, claims to be selling 3TB of data from Advance Auto Parts on a hacking forum. This breach is allegedly linked to the Snowflake incident, with data purportedly stolen after breaching the company’s Snowflake account.

Advanced Auto Parts data breach post by Sp1d3r

Advanced Auto Parts data breach post by Sp1d3r

The threat actor lists the stolen data as including 380 million customer profiles, 140 million customer order records, 44 million loyalty card numbers with related customer details, auto parts information, sales history, and employment candidate details such as Social Security numbers, driver’s license numbers, and demographic details. It also includes transaction details, and critically, information on 358,000 employees.

In actuality, Advance Auto Parts currently employs around 68,000 people. If the breach is authentic, it could mean that the remaining data belongs to former employees.

The threat actor is offering this data for $1.5 million. The only partial confirmation of this breach is that the leaked data contains numerous references to Snowflake, supporting the claim that it is linked to the recent Snowflake breach.

References to SNOWFLAKE in the stolen data (@H4ckManac on X)

References to SNOWFLAKE in the stolen data (@H4ckManac on X)

ShinyHunters Removes the Post for Santander – June 6, 2024

On June 6, 2024, SOCRadar noticed that ShinyHunters removed its breach post for Santander Bank. There is no trace of it in the threat group’s recent postings on their forum profile.

Recent forum posts by ShinyHunters

Recent forum posts by ShinyHunters

The data of Santander was initially put on sale for $2 million by the “whitewarlock” threat actor. The post was mirrored by the ShinyHunters group on BreachForums.

The removal of the breach post by ShinyHunters could suggest that the data was quickly sold by the threat actors, although there are no announcements by them.

New Data Breach Post by Sp1d3r, Targeting Cylance – June 7, 2024

The Sp1d3r threat actor, known for claiming the Snowflake breaches, is now selling stolen data from Cylance, a cybersecurity company and Snowflake customer.

The data allegedly includes 34 million customer and employee emails and PII, along with product details, sales prospects, partners, and user lists, and is put up for $750,000.

Cylance data breach post by Sp1d3r

Cylance data breach post by Sp1d3r

Cylance has confirmed the legitimacy of the data breach post while clarifying that it is old data accessed from a third-party platform between 2015 and 2018, predating BlackBerry’s acquisition of Cylance. The company assured that no current customers are affected by this breach.

Attribution to ‘UNC5537’ and More Details – June 10, 2024

Google Mandiant is tracking the activity targeting Snowflake customers as UNC5537, attributing it to be a financially motivated threat actor.

Researchers described UNC5537 as a threat actor who systematically compromises Snowflake customer instances, using stolen credentials from stealer logs for access. They advertise the exfiltrated victim data for sale on hacker forums and attempt to extort the victims.

A diagram for Snowflake incidents (Google Cloud Blog)

A diagram for Snowflake incidents (Google Cloud Blog)

According to reports, there is no evidence that unauthorized access to Snowflake customer accounts resulted from a breach of Snowflake’s enterprise environment. Instead, every incident responded to in this campaign was traced back to compromised customer credentials.

Truist Bank Data Listed Following a Snowflake Breach – June 11, 2024

The Sp1d3r threat actor has recently posted about a significant data breach involving Truist Bank. This breach, linked to the earlier Snowflake incident, has resulted in the theft of a substantial amount of sensitive data, being sold for a staggering $1 million.

The compromised information includes detailed records of 65,000 employees, covering both personal and professional details. Additionally, the breach involves sensitive bank transaction data and the source code for Truist Bank’s IVR funds transfer system.

Truist Bank data breach post (Daily Dark Web)

Truist Bank data breach post (Daily Dark Web)

Pure Storage Confirms Snowflake Breach – June 11, 2024

Pure Storage reported a security incident involving unauthorized access to a Snowflake data analytics workspace.

Pure Storage is a cloud storage systems provider; its platform serves many well-known brands, including Comcast, Equinix, Meta, Ford, JP Morgan, Johnson Controls, and NASA.

This workspace contained telemetry data for customer support, including company names, LDAP usernames, email addresses, and Purity software release versions.

According to the company’s security bulletin, although customer names, usernames, and email addresses were exposed in the Pure Storage breach, credentials for array access or other customer-stored data were not affected.

Update on Truist Bank Data Breach – June 13, 2024

There has been a confirmation following the Truist Bank data breach we mentioned on June 11, 2024. The company revealed that its systems were breached in an October 2023 cyberattack, which was swiftly contained.

However, Truist Bank clarified that this breach was not connected to Snowflake, and they have not found any evidence pointing to a Snowflake-related incident within their systems.

Based on new information from the ongoing investigation of the October 2023 incident, Truist Bank has notified additional clients. They also report finding no indication of fraud arising from this breach.

Since the Sp1d3r threat actor’s breach of Truist Bank was confirmed to be unrelated to a Snowflake incident, this clarification calls into question any purported links to Snowflake in other previous or future breach claims by the threat actor.

By utilizing the SOCRadar XTI platform, organizations can stay ahead of cyber threats, protecting their data and reputation. With its extensive monitoring capabilities across all internet surfaces, including the often elusive dark web, SOCRadar offers Dark Web Monitoring and Dark Web News services, among its other capabilities.

Dark Web Monitoring acts as a digital periscope, delving into the dark web to detect and track the unauthorized distribution of sensitive data. With the Dark Web Monitoring module, organizations can receive immediate notifications about potential threats, enabling swift actions to mitigate risks.

By monitoring the dark web, you can maintain a vigilant watch on discussions and activities related to your organization among threat actors, ensuring you are always informed of potential vulnerabilities.

Dark Web Monitoring feature under the Digital Risk Protection module

Dark Web Monitoring feature under the Digital Risk Protection module

Recommended Actions for Snowflake Users in the Aftermath of the Breach

In response to the recent security breach, Snowflake has issued several recommendations to help customers secure their accounts and prevent future incidents. The recommendations included enabling Multi-Factor Authentication (MFA), reviewing IoCs, and following security best practices, along with several steps.

As the issue became more concerning, the company updated its initial breach disclosure from May 2024 on June 1, adding a guide for identifying non-MFA users and enabling MFA; another update came on June 3 with detection and prevention guidelines.

Here’s a detailed action plan in the context of the Snowflake security breach, based on the company’s guidelines:

  • Enable Multi-Factor Authentication (MFA): Implementing MFA adds an additional layer of security, making unauthorized access more challenging.
  • Review Indicators of Compromise (IoCs): Check for any signs of compromise provided by Snowflake and investigate any suspicious activity linked to these indicators. This includes identifying access from suspected IP addresses and clients.
  • Disable Suspicious Users: Immediately disable any users who show unusual activity or are suspected of being compromised.
  • Reset Credentials: For any users or accounts that might have been exposed, reset their credentials to prevent further unauthorized access.
  • Monitor Executed Queries: Regularly review the logs for executed queries, especially those that involve external data access or could potentially expose sensitive information. Doing this for identified suspects is especially important.
  • Analyze Sessions for Unusual Applications: Examine active sessions to identify any non-standard applications or tools that might indicate a breach.

There are also a few preventative measures recommended by the company:

  • Set Up Network Policies: Establish network policies at both the account and user levels, particularly for users or service accounts with extensive permissions.
  • Review Account Parameters: Ensure that account settings are configured to limit data exportation and align with best security practices.
  • Monitor Configuration Changes: Keep an eye on your account configurations for any unauthorized changes that could suggest privilege escalation.
  • Authenticate Service Accounts Securely: For machine-to-machine communications, utilize more secure methods like key pair authentication or OAuth instead of static credentials.

Snowflake’s guidance for detecting and preventing unauthorized access includes numerous IP addresses under investigation for suspicious activity, potentially related to the breach, as well as complete guides and queries to implement these measures.

CISA Issues Alert on Snowflake Breach, Urges Immediate Action

Following the security breach targeting the cloud data platform, the Cybersecurity and Infrastructure Security Agency (CISA) issued a new alert as a complimentary action plan to Snowflake’s guidance.

The agency noted for context that Snowflake has observed a significant increase in cyber threat activity targeting customer accounts and issued recommendations to prevent unauthorized access. CISA advises users and administrators to hunt for malicious activity, report any positive findings to CISA, and review Snowflake’s recommendations.

Threat Hunting & Real-Time Security Monitoring with SOCRadar

SOCRadar’s cybersecurity solutions can strengthen your organization’s security posture against similar breaches. The Cyber Threat Intelligence and Attack Surface Management modules from SOCRadar provide essential tools designed to proactively manage such security threats.

By using the Threat Hunting service under the CTI module, defenders can actively monitor and evaluate the security of assets, track potentially harmful IPs and domains, find exposed data on hacker forums and other channels, and examine stealer logs for compromised data.

SOCRadar’s Threat Hunting

SOCRadar’s Threat Hunting

The Threat Actor Intelligence feature, also offered under our CTI module, offers insights into malicious entities and delivers actionable IoCs, enhancing your ability to respond to threats swiftly.

Threat actor details page of ShinyHunters (SOCRadar Threat Actor Intelligence)

Threat actor details page of ShinyHunters (SOCRadar Threat Actor Intelligence)

Additionally, SOCRadar’s Attack Surface Management module enables real-time monitoring of your digital environment, detecting and reporting unusual activities that could indicate unauthorized access or other security breaches. This continuous monitoring helps to ensure that any anomalies are quickly identified and addressed, maintaining the integrity and security of your valuable data.

SOCRadar’s Alarm Management tab

SOCRadar’s Alarm Management tab