
More details surrounding the Ticketmaster attack have come to light as cloud storage provider Snowflake says no breach of its systems took place. At the same time, the cloud provider confirmed that attackers are targeting its customers using purchased credentials.
Lack of basic cyber hygiene could be behind the attack against Live Nation, one of the largest data breaches of 2024, which likely exposed 560 million Ticketmaster customers. According to the company’s filing with the US Securities and Exchange Commission (SEC), attackers accessed a “third-party cloud database environment” with Ticketmaster’s data.
While the company did not specify which cloud provider it was, an anonymous Ticketmaster spokesperson confirmed to the media that the stolen database was hosted by Snowflake, a cloud storage and analytics company. We have reached out to Ticketmaster for independent verification of the claims but did not receive a response before publishing.
Cybersecurity researchers at Hudson Rock revealed their conversation with the Ticketmaster and Santander attackers in a now-deleted post. The post said that the attackers targeted multiple Snowflake clients and managed to exfiltrate their data. According to Kevin Beaumont, a cybersecurity researcher, multiple organizations had their full databases taken from Snowflake.
Meanwhile, Snowflake issued a joint statement with cybersecurity titans CrowdStrike and Mandiant. The cloud storage provider said that preliminary investigation did not return any evidence suggesting unauthorized activity was related to any “vulnerability, misconfiguration, or breach of Snowflake’s platform.”
Interestingly, while the company’s statement says that there’s no evidence suggesting unauthorized access was “caused by compromised credentials of current or former Snowflake personnel,” it explains there’s “evidence that a threat actor obtained personal credentials to and accessed demo accounts belonging to a former Snowflake employee.”
The company explained that the exposed credentials led to environments that held no sensitive data, as demo accounts are not connected to Snowflake’s production or corporate systems. The attack was only possible because the account “was not behind Okta or Multi-Factor Authentication (MFA).”
“Throughout the course of the investigation, Snowflake has promptly informed the limited number of Snowflake customers who it believes may have been affected,” Snowflake said.
While the company doesn’t specify the names of the exposed clients, researchers at Hudson Rock, who claim to have discussed the attacks with their perpetrators, indicated that Ticketmaster, Santander, and several other prominent organizations had their data stolen from Snowflake.
The cloud provider’s public statement shifts the responsibility for the attack onto its clients, saying the unauthorized access attempts were part of a “targeted campaign directed at users with single-factor authentication.”
Beaumont believes that the attackers utilized infostealers to access Snowflake databases using its customers’ stolen credentials. So while the cloud provider technically wasn’t breached, Beaumont surmised, the optics of allowing single-factor authentication “isn’t great.”
Today Snowflake, a digital storage provider who was recently surrounded in controversy from the TicketMaster breach, put out a joint statement with both Mandiant and Crowdstrike.
tl;dr Snowflake was not breached
Mandiant and Crowdstrike are both heavy-hitters in the DFIR…
vx-underground (@vxunderground) June 2, 2024
The attacks targeted at Snowflake’s customers did not go unnoticed. The Australian Cyber Security Center (ACSC) said it’s “aware of successful compromises of several companies utilizing Snowflake environments.” ACSC advised organizations using Snowflake to reset their credentials, enable Multi-Factor Authentication (MFA), and review user activity.
Snowflake issued an advisory with a list of IP addresses it suspects launched the attack. The company added that it noticed malicious traffic coming from a client identifying itself as “rapeflake,” which most likely is a tremendously juvenile attempt at naming an account meant to breach Snowflake clients.
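The ACSC advice above to review user activity, and the advisory's mention of a self-identified client name and a list of source IPs, can be checked directly against a Snowflake account's own audit views. The queries below are an added example, not taken from the article or from Snowflake's advisory; they assume a role that can read the SNOWFLAKE.ACCOUNT_USAGE share, and the IP list is a placeholder because the article does not reproduce it.

```sql
-- Added example (not from the article or Snowflake's advisory): review login
-- activity in a Snowflake account for the conditions the article describes.
-- Assumes a role with access to the SNOWFLAKE.ACCOUNT_USAGE share.
-- ACCOUNT_USAGE views lag live activity by up to a few hours.

-- 1. Successful logins in the last 30 days that used only a password and no
--    second factor, with source IP and client, so single-factor accounts that
--    actually authenticated can be reset and enrolled in MFA first.
SELECT event_timestamp,
       user_name,
       client_ip,
       reported_client_type,
       reported_client_version,
       first_authentication_factor,
       second_authentication_factor
FROM snowflake.account_usage.login_history
WHERE is_success = 'YES'
  AND first_authentication_factor = 'PASSWORD'
  AND second_authentication_factor IS NULL
  AND event_timestamp >= DATEADD(day, -30, CURRENT_TIMESTAMP())
ORDER BY event_timestamp DESC;

-- 2. Sessions whose client application name matches the string the article
--    mentions. CLIENT_APPLICATION_ID is whatever the connecting driver or tool
--    reports about itself, so it can be changed by the caller; an empty result
--    is not proof of absence, only that this particular name was not seen.
SELECT s.created_on,
       s.user_name,
       s.client_application_id,
       s.client_application_version,
       l.client_ip
FROM snowflake.account_usage.sessions AS s
LEFT JOIN snowflake.account_usage.login_history AS l
       ON s.login_event_id = l.event_id
WHERE s.client_application_id ILIKE '%rapeflake%'
  AND s.created_on >= DATEADD(day, -30, CURRENT_TIMESTAMP());

-- 3. Logins (successful or not) from the addresses in Snowflake's advisory.
--    The list is not reproduced in the article; replace the placeholder with
--    the published addresses.
SELECT event_timestamp, user_name, client_ip, reported_client_type, is_success
FROM snowflake.account_usage.login_history
WHERE client_ip IN ('<IP_FROM_SNOWFLAKE_ADVISORY>')
ORDER BY event_timestamp DESC;
```

Any user returned by the first query is a candidate for the credential reset and MFA enrolment the ACSC recommends, regardless of whether the other two queries return anything.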
Founded in 2012, the Montana-headquartered Snowflake boasts numerous prominent clients such as Mastercard, AT&T, ExxonMobil, Cisco, Adobe, CapitalOne, Doordash, Roku, EA, and others. The company employs over 7,000 staff and reported revenue exceeding $2.8 billion in 2023.