Detection at Scale

Share this post

Detection at Scale
Detection at Scale
The Snowflake, Live Nation, and Santander Quick Hits
Copy link
Facebook
Email
Notes
More

The Snowflake, Live Nation, and Santander Quick Hits

The latest news about the Snowflake-related incidents reported by Live Nation and Santander Bank.

Jack Naglieri
Jun 04, 2024
2

Share this post

Detection at Scale
Detection at Scale
The Snowflake, Live Nation, and Santander Quick Hits
Copy link
Facebook
Email
Notes
More
1
Share

Disclaimer: I am not speculating that Snowflake was breached. Their public statements have not confirmed the alleged breaches.

Snowflake had a rough start to its yearly Summit with several claims of hundreds of millions of customer records stolen from customer databases. This blog post will explain what we know, who is affected, and how to protect your Snowflake clusters.

What do we know?

  1. On Friday, May 31st, 2024, Hudson Rock released a blog (that has since been taken down) claiming that Snowflake had suffered a massive data breach. They referenced a dark web forum post where a threat actor was selling data from Santander Bank, Ticketmaster, and potentially others. The attacker claims they obtained the records by stealing credentials from a prior Snowflake employee and then pivoting to production data (Snowflake has denied this).

    A screenshot from Hudson Rock's LinkedIn claiming they took down the Snowflake report
    The response from Hudson Rock taking down their original post

  2. On May 20th, 2024, Live Nation filed an 8-K with the SEC about unauthorized activity in a third-party cloud database environment after discovering the data for sale on the dark web. According to a post on the dark web, 560M of their users were affected by the breach but did not disclose a root cause.

    “We continue to evaluate the risks and our remediation efforts are ongoing.” - Ticketmaster

  3. On May 14th, 2024, Santander Bank reported that “information relating to customers of Santander Chile, Spain, and Uruguay, as well as all current and some former Santander employees of the group had been accessed.” In their post, they also referenced a third-party database. Although not directly mentioned, both Santander and Live Nation are referring to Snowflake.

  4. Over the weekend, June 2nd, 2024, Snowflake posted a joint response denying the claims that any production data had been stolen as a direct “result of a vulnerability, misconfiguration, or breach of the platform.” They mention that the breaches happened due to a targeted campaign via infostealing malware.

    • we have not identified evidence suggesting this activity was caused by a vulnerability, misconfiguration, or breach of Snowflake’s platform;

    • we have not identified evidence suggesting this activity was caused by compromised credentials of current or former Snowflake personnel;

    • this appears to be a targeted campaign directed at users with single-factor authentication;

    • as part of this campaign, threat actors have leveraged credentials previously purchased or obtained through infostealing malware; and 

    • we did find evidence that a threat actor obtained personal credentials to and accessed demo accounts belonging to a former Snowflake employee. It did not contain sensitive data

  5. The ShinyHunters hacker group has claimed responsibility for the Santander and Ticketmaster breaches using an infostealer malware. Darktrace has a comprehensive write-up about how this malware works and its recent prevalence in these related posts.

Who is affected?

As of today, the two confirmed companies that have publicly disclosed breaches are Santander Bank and Live Nation. Reports imply that more companies may disclose similar breaches in the coming days or weeks.

Similar to the prominent Amazon S3 breaches of the past, Snowflake recommends that customers protect access to their databases through good multifactor authentication and the other recommendations below.

How do we remediate?

In Snowflake’s initial community post, the recommendations posted were:

  1. Enforce Multi-Factor Authentication on all accounts;

  2. Set up Network Policy Rules to only allow authorized users or only allow traffic from trusted locations (VPN, Cloud workload NAT, etc.); and

  3. Impacted organizations should reset and rotate Snowflake credentials.

In a follow-up post about monitoring and security controls, Snowflake also provides tactical guidance for:

  • Identifying Access from Suspected IP Addresses

  • Identifying Access from Suspected Clients

  • Disabling Suspected Users

  • Resetting Credentials for Suspected Users

  • Reviewing What Actions Were Taken by Identified Users

  • Reviewing Sessions for Unusual Applications

  • Setting up Network Policies

  • and more

For Panther customers, you can use our latest release here, which contains new queries and rules similar to the guidance above.

Cover photo by Point Blanq on Unsplash

Thanks for reading Detection at Scale! Subscribe for free to receive new posts.

2

Share this post

Detection at Scale
Detection at Scale
The Snowflake, Live Nation, and Santander Quick Hits
Copy link
Facebook
Email
Notes
More
1
Share

No posts

Ready for more?

© 2024 Jack Naglieri
Privacy ∙ Terms ∙ Collection notice
Start WritingGet the app
Substack is the home for great culture

Share

Copy link
Facebook
Email
Notes
More