Not a Snowflake's chance

2024-12-20

Over the last few months, WhiteBlueOcean have been monitoring various high-profile attacks that are all tied together by one constant thread: the data cloud provider Snowflake Inc. (headquartered in Montana, USA). The chain of events contains echoes of 2023's MOVEit incident, on which WhiteBlueOcean have recently published an article, albeit with a smaller number of known victims at this stage.

Who are Snowflake?

Snowflake Inc. provide high-volume, cloud-based data storage to companies, enabling low-latency access to multiple data points and greater reporting and querying abilities than traditional data infrastructure. Founded in 2012, the company now serves almost 700 customers from the Forbes Global 2000 (and almost 10,000 customers in total), and has grown to offer a swath of services relating to data storage and analytics.

What happened?

In late May 2024, databases belonging to Santander bank and Ticketmaster appeared for sale on underground forums, priced at the time at $2,000,000 and $500,000 respectively. Whilst these prices may appear extremely high, the contents of these databases justified the asking price: the Santander database allegedly contained information on 30 million customers, while the Ticketmaster breach was said, by the hackers, to contain data relating to 560 million customers.

A now-deleted report from security intelligence provider Hudson Rock (removed due to legal pressure levied by Snowflake, per Hudson Rock) showed screenshots from a conversation claimed to be between the hacker and a Hudson Rock researcher. Within this chat it was claimed that access had been gained using credentials belonging to a Snowflake employee, acquired from an infostealer (infostealers are a family of malware that, as the name suggests, will extract login credentials from an infected device and report them back to the operator behind the infection); the alleged conversation also showed screenshots purporting to show over 2,000 instances that the hacker had access to via these credentials. A final note on this alleged conversation shows the hacker had intent to blackmail Snowflake with a $20,000,000

In the days and weeks following, more and more high value databases popped up for sale across various underground forums. Whilst the initial breaches were claimed by the notorious ShinyHunters (who have a long history of hacking, extortion and data exposure – former victims include Cognizant and Bombardier), later breaches were offered by other actors (such as Sp1d3r, also known as SpiderHunters). The known list of victims includes (but is not limited to):

  • Santander Bank
  • Ticketmaster
  • Neiman Marcus
  • AT&T
  • Advance Auto Parts
  • Los Angeles Unified Schools District

Snowflake have consistently denied that these breaches were caused by access into their database through credentials belonging to one of their staff or contractors. The alleged credentials discussed in the now-expunged Hudson Rock article were for a demo environment that did not have access to the production database. In early June a joint statement was issued by Snowflake and cyber security firms CrowdStrike and Mandiant denying that the root cause of the breaches was either an underlying vulnerability in Snowflake's products or compromised staff credentials.

If not Snowflake, then who?

If the breaches did not, then, originate from a breach of Snowflake's own systems, we must ask how exactly this flurry of activity affected so many users of Snowflake's product in such a short time frame.


It would appear that hundreds of credentials, if not more, giving access to Snowflake data pools (belonging to individual companies) have been gathered by stealer malware over the last few years. Per Mandiant, the first stealer log that they have on record as containing Snowflake access credentials dates back to 2020. This class of malware is attractive to threat actors, as the data it gathers on a potential victim is very rich. WhiteBlueOcean published an article on the topic of Stealer Logs in April 2024 if further reading is desired.

Policy issues were compounded by implementation issues. Snowflake, as a service, did not at the time enforce multi-factor authentication by default (in fact, this is only being enforced as a policy for new users from October 2024). It was also not possible for administrators to apply a blanket MFA policy to all users across their company; instead, each user would have needed to enable MFA manually for their own login (which many did not, for the sake of convenience).

Further to this, poor password hygiene added fuel to the fire. Mandiant observed that many of the credentials found in older stealer log files were still valid, meaning that users had not changed their passwords for a very long time.
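The two gaps described above (no account-wide MFA enforcement, and passwords that stay valid for years) correspond to checks a Snowflake administrator can run directly in the platform. The following is an added example written for this article; it is not taken from the article, from Mandiant or from Snowflake's own documentation. It assumes an account on which authentication policies are available (they were not at the time of the breaches, which is the point of the paragraph above), a role with the privileges to create policies and to read the SNOWFLAKE.ACCOUNT_USAGE views, a current database and schema in which the policy object can live, and a policy name (require_mfa), a 30-day login window and a 90-day password-age threshold chosen purely for illustration.

```sql
-- Added example: enforce MFA enrolment account-wide and audit for the two
-- weaknesses discussed above. Policy name and thresholds are illustrative.

-- 1. Require every user to enrol in MFA. Before account-level authentication
--    policies existed, MFA could only be switched on per user, which is the
--    gap the article describes.
CREATE AUTHENTICATION POLICY IF NOT EXISTS require_mfa
  MFA_ENROLLMENT = REQUIRED
  CLIENT_TYPES   = ('ALL')
  COMMENT        = 'Illustrative policy: all users must enrol in MFA';

ALTER ACCOUNT SET AUTHENTICATION POLICY require_mfa;

-- 2. Audit: successful password-only logins in the last 30 days, i.e. users
--    whose account a stolen password alone would still unlock. The count of
--    distinct source IPs helps spot a credential in use from unexpected places.
SELECT user_name,
       COUNT(*)                  AS password_only_logins,
       MAX(event_timestamp)      AS last_seen,
       COUNT(DISTINCT client_ip) AS distinct_source_ips
FROM   snowflake.account_usage.login_history
WHERE  is_success = 'YES'
  AND  first_authentication_factor = 'PASSWORD'
  AND  second_authentication_factor IS NULL
  AND  event_timestamp >= DATEADD(day, -30, CURRENT_TIMESTAMP())
GROUP  BY user_name
ORDER  BY password_only_logins DESC;

-- 3. Audit: active users with a password that has not been rotated in 90 days
--    (or whose last-set time is unknown), the "still valid years later"
--    condition reported by Mandiant.
SELECT name,
       password_last_set_time,
       DATEDIFF(day, password_last_set_time, CURRENT_TIMESTAMP()) AS password_age_days
FROM   snowflake.account_usage.users
WHERE  deleted_on IS NULL
  AND  disabled::BOOLEAN = FALSE
  AND  has_password::BOOLEAN = TRUE
  AND  (password_last_set_time IS NULL
        OR password_last_set_time < DATEADD(day, -90, CURRENT_TIMESTAMP()))
ORDER  BY password_age_days DESC NULLS FIRST;
```

The ACCOUNT_USAGE views are populated with a delay of up to a couple of hours, so the two audit queries are suited to a scheduled review rather than real-time alerting. Users surfaced by the third query are the natural targets of a forced password reset, since any copy of their password sitting in an old stealer log would otherwise remain usable.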

These factors seem to have culminated in threat actors such as ShinyHunters realising that these credentials would allow easy access to huge amounts of data with very little standing in the way of extracting their ill-gotten gains. There is no single point of failure that can be identified as the overall root cause. Snowflake are taking steps to implement changes in their systems to enforce stricter security policies. Information security teams across the world continue their efforts to educate staff in the importance of a good security posture, but human nature often wins out.

What are the takeaways?

  • Multi-factor authentication should always be implemented where possible as a second line of security
  • Regularly updating passwords is a must
  • If using a third-party service provider, take care to integrate properly with a security-first approach
  • Infostealers are proving to be a huge risk vector


Reference list:

https://www.snowflake.com/en/blog/multi-factor-identification-default/

https://cloud.google.com/blog/topics/threat-intelligence/unc5537-snowflake-data-theft-extortion

https://www.theregister.com/2024/06/04/snowflake_report_pulled/

https://blog.talosintelligence.com/infostealer-landscape-facilitates-breaches/

https://www.cm-alliance.com/cybersecurity-blog/snowflake-ticketmaster-santander-breaches-a-live-timeline
