Rumors have been swirling that the Ticketmaster data breach reported last week was caused by compromise of a third party vendor, but there was initially no word of who it might have been. A hacker with the threat group ShinyHunters appears to have confirmed the attack to a security research firm and claims that cloud storage company Snowflake, which is used by numerous major corporations, is the source of the breach.
Snowflake says that it has performed a security review and found that the credentials of a “demo account” belonging to a former employee were recently used for unauthorized access by a threat actor, but that account did not have access to sensitive data or to the company’s production or corporate systems. The company denies that it is the responsible party in the Ticketmaster data breach, and the security firm that posted the story has since removed it from its blog without explanation. But the Australian government has also since issued a direct warning to Snowflake customers that it has become aware of a successful compromise of “several” companies that use its environments.
Seemingly retracted story ties Snowflake, Infostealer malware to Ticketmaster data breach
A blog post from Israeli security firm Hudson Rock claimed that the company had been in contact with a hacker from ShinyHunters, who confirmed both the Ticketmaster data breach and a hack on Spain’s Santander Bank. ShinyHunters had already been openly offering the stolen data from these incidents for sale on BreachForums, the underground forum the group is a part owner-operator of, but the new element to the story was the claim that Ticketmaster was breached by way of Snowflake.
Snowflake caters to enterprise needs and has over 9,400 customers, which include Fortune 500 firms and some of the largest companies in the world. ShinyHunters claimed to have breached a number of these other companies as part of the action: Allstate, Anheuser-Busch, Progressive, Neiman Marcus and Mitsubishi among them. In total the threat actor claimed to have breached about 400 of Snowflake’s customers.
The hackers were also forthcoming with technical details, claiming that the Ticketmaster data breach can be blamed on stolen credentials for a Snowflake employee’s ServiceNow account. The credentials were obtained by infecting the employee with Infostealer malware back in October. This access apparently allowed the attackers to generate valid session tokens providing them with further access to thousands of Snowflake clients. The hacker provided Hudson Rock with screenshots appearing to support this level of access to Snowflake’s European servers.
ShinyHunters also claimed that they demanded a $20 million ransom from Snowflake for the Santander and Ticketmaster data breaches, but that the company would not communicate with them. The group is thought to have separately attempted to ransom Ticketmaster before putting the stolen data up for sale at a price of $500,000.
Abrupt blog post deletion, conflicting stories cast doubt over Snowflake’s account
Snowflake has thus far acknowledged the breach of a former employee’s account, but has downplayed the damage and suggested that the stolen data is not legitimate. The fact that Hudson Rock’s blog post disappeared without explanation over the weekend has made the story more hazy, but there are other strong indicators that Snowflake has been compromised and that the Ticketmaster data breach (and likely Santander and the others that were claimed) is related.
After the stolen information was posted for sale on the dark web, independent security research team VX-Underground claimed to have made contact with someone from ShinyHunters and confirmed that a third party vendor breach was the cause. The Australian Cyber Security Centre (ACSC) has since issued a warning of increased threat activity targeting Snowflake customers and advised them to take security precautions, and Mandiant Consulting CTO Charles Carmakal has told media sources that the company has been assisting unspecified Snowflake customers with breaches for several weeks now.
While the Ticketmaster data breach has yet to be formally acknowledged by the company, Santander has confirmed that it has been breached. This has left many in the cybersecurity community waiting for “the other shoe to drop,” so to speak, under the assumption this is another breach in the manner of the MOVEit incident about a year ago that will ultimately prove to have impacted many of Snowflake’s downstream customers. ShinyHunters is seeking $20 million for the data stolen from Santander, which includes account and credit card numbers for tens of millions of customers in Spain, Chile and Uruguay as well as internal information about bank employees.
The original Hudson Rock post was archived by the Wayback Machine before being taken down. The company has yet to answer multiple media queries about why the post was removed. While Snowflake is still only admitting to limited damage at this time, it has issued a recommendation to clients to enforce MFA on all accounts and reset and rotate their credentials.
Brian Soby, CTO and co-founder at AppOmni, sees the Ticketmaster data breach and associated attacks as yet another incident that makes the case for zero trust architecture: “The incident playing out at Snowflake is due to the same issue we’re seeing across the market: Companies are not incorporating the security of their SaaS applications into their security architectures … We’re seeing incident after incident due to companies implementing SSO or Zero Trust solutions like SSE/SASE, but not going far enough to secure the applications themselves. As demonstrated again today, these partial solutions not integrating SaaS Security Posture Management (SSPM) fail to stop a major source of modern data breaches. Incomplete solutions can be trivially bypassed in the vast majority of cases because of poor application security posture and do not allow organizations to leverage behavioral detections for their SaaS applications provided by an SSPM that would have quickly identified a login with stolen credentials.”