3rd Party Risk Management , Cloud Security , Cybercrime

Victims of Snowflake Data Breach Receive Ransom Demands

Attackers Demanding Up to $5 Million to Delete Stolen Data, Investigators Report
Victims of Snowflake Data Breach Receive Ransom Demands
Snowflake customers caught up in a massive credential attack are receiving extortion demands. (Image: Shutterstock)

Attackers who stole terabytes of data from clients of cloud-based data warehousing platform Snowflake have been shaking down the victims, demanding a ransom to not leak exfiltrated data.

See Also: New OnDemand | Protecting Your Workloads from Modern Threats with VMware Ransomware Recovery

The criminal group involved "is using stolen customer data to extort victims, and simultaneously attempting to sell the data on cybercriminal forums," said Google's Mandiant incident response group. Mandiant assisted with Snowflake's investigation into the data breach, which appears to have affected about 165 customer accounts.

Most victims have yet to be publicly named, beyond Live Nation Entertainment's Ticketmaster, Santander Bank and automotive parts supplier Advance Auto Parts.

Mandiant told Bloomberg that it knows of up to 10 Snowflake customers who have received ransom demands of $300,000 to $5 million each from the attackers, a group it's been tracking under the codename UNC5537, since first detecting the campaign in April.

"We anticipate the actor to continue to attempt to extort victims," Austin Larsen, a senior threat analyst at Mandiant, told Bloomberg.

Mandiant on Monday released a threat hunting guide for Snowflake that includes "guidance and queries for detecting abnormal and malicious activity across Snowflake customer database instances." Mandiant said all instances retain the log data required for such threat hunting for 365 days, by default.

Snowflake, based in Bozeman, Montana, and founded in 2012 as a cloud-based data storage and analytics service, offers an AI Data Cloud among its products and services. The company's customers include CapitalOne, Citi, Dropbox, Exxon Mobil and KFC.

Known victims of this campaign include Ticketmaster, owned by Live Nation Entertainment, from which attackers allegedly stole data pertaining to 680 million customers. The attackers listed that data for sale on English-language data leak marketplace BreachForums, led by administrator ShinyHunters (see: Stolen Ticketmaster Data Advertised on Rebooted BreachForums).

On Thursday, the BreachForums user Sp1d3r reported that "Ticketmaster will not respond to request to buy data from us" and lowered the sale price to $100,000. Sp1d3r also claimed to dump onto the data leak marketplace, for free, data on 1 million customers, including their name, address, email address, birthdate, the last four digital of their credit card number and more.

Sp1d3rm, a prolific poster of stolen data sets, previously listed for sale on BreachForums stolen data pertaining to Santander Bank customers located in Chile, Spain and Uruguay as well as internal employee data. The advertisement for the dataset said it contained 6 million account numbers and balances and 28 million credit card numbers belonging to Santander, which issued a security alert to customers on May 14 saying it suffered a data breach. Santander subsequently advised customers to change their passwords.

The stolen Santander data was being stored in a Snowflake account, and the loose group of attackers involved in the campaign call themselves ShinyHunters, Wired reported. ShinyHunters is the name of a prolific cybercrime group that launched in 2020, executed a string of major data breaches and shepherded the previous instance of BreachForums, before it was disrupted by law enforcement.

On June 4, Sp1d3r listed for sale stolen data from Advance Auto Parts, which said it was investigating. On Friday, the company said in an Form 8-K filing to the U.S. Securities Exchange Commission that on May 23 it "identified unauthorized activity within a third-party cloud database environment containing company data and launched an investigation with industry-leading experts," as Bleeping Computer first reported.

The company said a review of the stolen data found that the attacker obtained personal information for current and former employees, including Social Security numbers and government identification documents. The company said it would direct notify affected individuals and offer free credit monitoring services.

On June 9, data storage platform Pure Storage reported that together with a third-party cybersecurity firm, it found an attacker had accessed its Snowflake environment and stolen "telemetry information that Pure uses to provide proactive customer support services," including email addresses, company names and LDAP usernames, but no passwords or any other "compromising information."

"Pure is monitoring our customers' systems and has not found any unusual activity," it said. "We are currently in contact with customers who similarly have not detected unusual activity targeting their Pure systems."

One suspected but as yet unconfirmed victim of the Snowflake campaign is LendingTree, which appears to have suffered a breach involving its QuoteWizard insurance platform.

Breaching Snowflake Customers' Data

The attackers gained initial access to most systems by targeting SnowSight, which is Snowflake's web-based user interface, or its SnowSQL command-line interface tool, using a utility they call "rapeflake," said Mandiant, which tracks the malicious utility as "Frostbite."

Mandiant said some of the breaches appear to trace to employees of third-party contractors who used their computer for both business and personal purposes. The attackers infected the computers with information-stealing malware.

A hacker who claims to be part of ShinyHunters told Wired one of the victims of the campaign was EPAM Systems, a publicly traded firm that offers software development and managed services for numerous customers. EPAM told the publication it believes the hacker is lying.

Warnings about a campaign targeting Snowflake customers first surfaced last month. On May 30, after the Ticketmaster data appeared for sale, Snowflake reported seeing "a potential compromise of the Snowflake production environment" and said it was immediately informing all customers that might have been affected.

Australia's Signals Director on June 1 reported that it was "tracking increased cyberthreat activity relating to Snowflake customer environments" and that it was "aware of successful compromises of several companies utilizing Snowflake environments."

On June 2, Snowflake published a joint statement with the third-party cybersecurity incident responders it hired - CrowdStrike and Mandiant - detailing key findings. It said attackers used stolen username and password pairs to breach accounts for which administrators hadn't enabled multifactor authentication. "As part of this campaign, threat actors have leveraged credentials previously purchased or obtained through info-stealing malware," Snowflake said (see: Alert: Info Stealers Target Stored Browser Credentials).

"Incidents are running at multiple other companies who are Snowflake customers where full databases have been taken," British security researcher Kevin Beaumont reported in a June 2 blog post. "I have spoken to people in multiple industries at large corporations where they've had significant data exfiltration in May via Snowflake."

Snowflake continues to say that "to date, we do not believe this activity is caused by any vulnerability, misconfiguration, or malicious activity within the Snowflake product."

Mandiant said its investigation "has not found any evidence to suggest that unauthorized access to Snowflake customer accounts stemmed from a breach of Snowflake's enterprise environment. Instead, every incident Mandiant responded to associated with this campaign was traced back to compromised customer credentials."

"Multiple factors contributed to the targeted threat campaign, including Snowflake customer accounts configured without MFA, credentials stolen by info stealer malware - often from personal computers, and the tenants configured without network allow lists," said Charles Carmakal, CTO of Mandiant Consulting.

Mandiant said the group of attackers who have been targeting Snowflake users have been using info stealers since at least November 2020 and that it "identified hundreds of customer Snowflake credentials exposed via info stealers" since then.

Expect attackers to apply their breach strategies to many more environments. "It's critical that organizations assess their exposure to stolen credentials by info stealers, as we anticipate this threat actor and others will replicate this campaign across other SaaS solutions," Carmakal said.

Lack of MFA

Numerous major data breaches, including the breach of UnitedHealth Group's Change Healthcare unit this year, and Australia's Medibank hack in 2022, involved attackers being able to remotely log in, in part because they accessed a system unprotected by MFA.

Until earlier this month, Snowflake gave customers no way to require their users to use MFA, and the only second factor offered was a version of Cisco Duo managed by Snowflake. In addition, MFA could only be activated on a per-account basis by each individual accountholder.

On June 11, Snowflake published updated security guidance that says administrators can now create network policies to require that users authenticate using a second factor, such as SAML for single sign-on, a cryptographic hardware key that generates a key pair, or OAuth. The security advisory also details nearly 300 IP addresses the company has tied to malicious activity targeting customers.

Snowflake CISO Brad Jones told Wired the company is now working to make MFA authentication the default option for all users.


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing ransomware.databreachtoday.com, you agree to our use of cookies.