A risk actor claiming current Santander and Ticketmaster breaches says they stole knowledge after hacking into an worker’s account at cloud storage firm Snowflake. Nevertheless, Snowflake disputes these claims, saying current breaches have been brought on by poorly secured buyer accounts.
Snowflake’s cloud knowledge platform is utilized by 9,437 prospects, together with a number of the largest firms worldwide, like Adobe, AT&T, Capital One, Doordash, HP, Instacart, JetBlue, Kraft Heinz, Mastercard, Micron, NBC Common, Nielsen, Novartis, Okta, PepsiCo, Siemens, US Meals, Western Union, Yamaha, and lots of others.
In keeping with cybersecurity agency Hudson Rock, the risk actor claimed they additionally gained entry to knowledge from different high-profile firms utilizing Snowflake’s cloud storage companies, together with Anheuser-Busch, State Farm, Mitsubishi, Progressive, Neiman Marcus, Allstate, and Advance Auto Components.
To do this, they are saying they bypassed Okta’s safe authentication course of by signing right into a Snowflake worker’s ServiceNow account utilizing stolen credentials. Subsequent, they declare they may generate session tokens to exfiltrate knowledge belonging to Snowflake prospects.
“To put it bluntly, a single credential resulted in the exfiltration of potentially hundreds of companies that stored their data using Snowflake, with the threat actor himself suggesting 400 companies are impacted,” Hudson Rock mentioned.
“[T]he threat actor shared with Hudson Rock’s researchers, which shows the depth of their access to Snowflake servers. This file documents over 2,000 customer instances relating to Snowflake’s Europe servers.”
The risk actor claims they needed to blackmail Snowflake into shopping for again the stolen knowledge for $20 million, however the firm did not reply to their extortion makes an attempt.
Hudson Rock added {that a} Snowflake worker was contaminated by a Lumma-type Infostealer in October. The malware stole their company credentials to Snowflake infrastructure, as seen in a screenshot shared by the risk actor and embedded under.
BleepingComputer contacted Snowflake concerning the risk actor’s claims that an worker was breached, however a spokesperson mentioned the corporate had “nothing else to add.”
Santander and Ticketmaster spokesperson weren’t instantly out there for remark when contacted by BleepingComputer earlier right now.
BleepingComputer was in a position to affirm that each Santander and Ticketmaster are utilizing Snowflake’s cloud storage companies.
When you’ve got any data concerning this incident or different Snowflake knowledge theft breaches, you may contact us confidentially through Sign at 646-961-3731 or at suggestions@bleepingcomputer.com.
Snowflake confirms buyer account hacks​
Snowflake did not affirm Hudson Rock’s report, as an alternative stating that the attacker compromised buyer accounts in these breaches, and did not exploit any vulnerability or misconfiguration in the corporate’s merchandise.
The cloud storage supplier additionally warned prospects on Friday that it is investigating “an increase” in assaults concentrating on a few of their accounts, with Snowflake CISO Brad Jones including that some buyer accounts have been compromised on Could 23.
“We became aware of potentially unauthorized access to certain customer accounts on May 23, 2024. During our investigation, we observed increased threat activity beginning mid-April 2024 from a subset of IP addresses and suspicious clients we believe are related to unauthorized access,” Jones mentioned.
“To date, we do not believe this activity is caused by any vulnerability, misconfiguration, or malicious activity within the Snowflake product. Throughout the course of our ongoing investigation, we have promptly informed the limited number of customers who we believe may have been impacted.”
Jones says Snowflake notified all prospects of the assaults and urged them to safe their accounts and knowledge by enabling multi-factor authentication (MFA).
The info cloud firm additionally printed a safety bulletin with Indicators of Compromise (IoCs), investigative queries, and recommendation on how doubtlessly affected prospects can safe their accounts.
One of many IOCs signifies that the risk actors created a customized device named ‘RapeFlake’ to exfiltrate knowledge from Snowflake’s databases.
One other one confirmed the risk actors connecting to databases utilizing the DBeaver Final knowledge administration instruments, with logs exhibiting consumer connections from the ‘DBeaver_DBeaverUltimate’ consumer agent.
