Snowflake Breach and Third-Party Risks

June 20, 2024
Overview

A breach at one third-party provider can compromise multiple organisations, as allegedly seen with the Snowflake compromise that affected approximately 165 companies including Santander and Ticketmaster.

Snowflake, a cloud data company, claims to have been the victim of an alleged “targeted threat campaign”. Snowflake provides cloud-based data storage and analytics for a large number of organisations. [1] Because of this third-party relationship, the alleged breach of Snowflake had an impact on a large number of companies. In this case, Mandiant states that 165 organisations may have been impacted, some of them in the UK.

On June 10, Mandiant published a threat intelligence overview of the incident, naming “UNC5537” as the threat actor targeting Snowflake customer instances. The report provides a detailed review of the targeted campaign, which began with the use of infostealer malware to obtain credentials that were then used to compromise Snowflake customer accounts. By compromising these accounts, the threat actor was able to access a large amount of sensitive data relating to a number of separate organisations.

The impacted accounts were not configured with multi-factor authentication, meaning only a username and password were required for access. The report states that the majority of the stolen credentials had been gathered from historical infostealer campaigns, noting that some credentials dated back to 2020, demonstrating the need for organisations to change credentials often and to be aware of how and when credentials are stolen. [2]
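As an added illustration of the hygiene checks this paragraph implies (example code, not from Mandiant, Snowflake or the original post), the script below triages constructed login records: it flags successful password-only logins, flags passwords older than a threshold, and ranks users that hit both. The field names are assumed to resemble Snowflake's account-usage login and user views; every value is invented.

```python
from datetime import datetime

# Constructed sample data (not real logs). Field names are assumed to mirror
# Snowflake's ACCOUNT_USAGE.LOGIN_HISTORY and USERS views; values are invented.
SAMPLE_LOGINS = [
    {"user": "svc_etl", "ts": "2024-05-20T03:14:00", "ip": "203.0.113.7",
     "first_factor": "PASSWORD", "second_factor": None, "success": True},
    {"user": "svc_etl", "ts": "2024-05-20T03:15:00", "ip": "203.0.113.7",
     "first_factor": "PASSWORD", "second_factor": None, "success": False},
    {"user": "alice", "ts": "2024-05-20T09:00:00", "ip": "198.51.100.4",
     "first_factor": "PASSWORD", "second_factor": "DUO_PUSH", "success": True},
    {"user": "bob", "ts": "2024-05-21T11:30:00", "ip": "198.51.100.9",
     "first_factor": "PASSWORD", "second_factor": None, "success": True},
]
# user -> time the password was last set (ISO 8601); svc_etl is a 2020-era credential
SAMPLE_USERS = {
    "svc_etl": "2020-02-11T00:00:00",
    "alice": "2024-04-01T00:00:00",
    "bob": "2024-04-20T00:00:00",
}


def password_only_logins(logins):
    """Successful logins that completed with a password and no second factor."""
    return [r for r in logins
            if r["success"] and r["first_factor"] == "PASSWORD" and not r["second_factor"]]


def credential_age_days(last_set_iso, now_iso):
    """Age of a credential in whole days at the time of the check."""
    return (datetime.fromisoformat(now_iso) - datetime.fromisoformat(last_set_iso)).days


def triage(logins, users, now_iso, max_age_days=90):
    """Rank users for review: password-only access plus a stale password is worst.

    Returns a list of (user, finding) pairs, highest priority first. Each finding
    records whether MFA was absent, whether the password is stale, and source IPs.
    """
    findings = {}
    for r in password_only_logins(logins):
        f = findings.setdefault(r["user"], {"no_mfa": False, "stale": False, "ips": set()})
        f["no_mfa"] = True
        f["ips"].add(r["ip"])
    for user, last_set in users.items():
        if credential_age_days(last_set, now_iso) > max_age_days:
            findings.setdefault(user, {"no_mfa": False, "stale": False, "ips": set()})["stale"] = True
    # Sort by number of flags, descending; failed attempts never create a finding.
    return sorted(findings.items(), key=lambda kv: -(kv[1]["no_mfa"] + kv[1]["stale"]))
```

Against the sample data the service account is ranked first (no MFA and a four-year-old password), the interactive user without MFA second, and the MFA-protected user does not appear.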

Impacted organisations and response

One notable alleged victim of this third-party incident is Santander. The threat actor allegedly gained unauthorised access to a Santander database hosted by Snowflake, exposing sensitive information of millions of customers. On May 14 Santander stated in a post: “We recently became aware of an unauthorized access to a Santander database hosted by a third-party provider.” [3] Although UK customer data was not affected, the breach impacted Santander customers in Chile, Spain and Uruguay, as well as current and former employees. While Santander's core banking systems remained secure, the breach highlights the broader implications of third-party risks.

On May 31, Live Nation, the parent company of Ticketmaster, confirmed the data breach through an SEC filing. An excerpt states: “On May 20, 2024, Live Nation Entertainment, Inc. (the “Company” or “we”) identified unauthorized activity within a third-party cloud database environment containing Company data”. [4] Ticketmaster’s alleged use of this third party allowed the threat actor to gain access to its data, which was allegedly hosted on the Snowflake cloud platform.

On June 3, CISA, America’s Cyber Defence Agency, issued an alert about the Snowflake breach and urged immediate action, encouraging users and administrators to “hunt for any malicious activity”. [5] CISA recognises that a breach of one third party can have major repercussions for other organisations because of the relationships that exist between them. The breach highlights the broader implications of third-party risks, emphasising the vulnerabilities that arise when relying on third-party providers for critical operations and data storage.

Dark web activity and threat actors

On May 24, a post by the threat actor “whitewarlock” appeared on the Russian dark web forum Exploit.in. Whitewarlock claimed to have stolen data relating to Santander Group. The alleged Santander Group breach affects 30 million customers. [2] The post stated that the stolen data contained balances, account numbers, credit card numbers and HR information of the staff, and demanded 30 BTC for the data, approximately $2 million. [6][8] The threat actor was able to obtain this sensitive data through a relatively simple process, allegedly using stolen credentials to gain access to the third party, demonstrating the importance of organisations evaluating their third-party relationships.

On May 27, a threat actor “SpidermanData” posted to the Exploit.in hacking forum, alleging access to Ticketmaster’s systems. The threat actor demanded $500,000 for the stolen data. The post claimed the data impacted 560 million customers and included user and financial records.

On June 1, the threat actor “Sp1d3r” posted to BreachForums claiming to have obtained a significant amount of data relating to QuoteWizard and LendingTree, two major insurance and financial services providers. The data allegedly contained 190 million persons’ data and 3 billion tracking pixel data records. [7]

In this case, the dark web activity demonstrates how the threat actor compromised multiple organisations in a short period of time through one centralised source, allegedly accessing a huge amount of sensitive and valuable data through the compromise of a single third party: the cloud-based data storage platform Snowflake.

Third-party risk and the impact on UK companies

Mandiant states that approximately 165 organisations may have been affected by the breach. So far only a small number of these companies have been named, and the number of UK companies affected by this incident is currently unclear. Black Room Intelligence provides solutions to monitor third-party risks and identify stolen credentials. By prioritising third-party risk management and implementing robust security controls, your organisation can mitigate the risks posed by such compromises.

Black Room Intelligence has a specific focus on protecting UK organisations and provides an extensive third-party monitoring solution to detect and mitigate targeted attacks against organisations. Our Russia and Asia Desks include analysts with significant language and geopolitical expertise, with the cybersecurity knowledge to follow trends and developments.

References

1. Detecting and Preventing Unauthorized User Access. Snowflake. 2024 June 7. Available from: https://community.snowflake.com/s/question/0D5VI00000Emyl00AB/detecting-and-preventing-unauthorized-user-access

2. UNC5537 Targets Snowflake Customer Instances for Data Theft and Extortion. Mandiant. 2024 June 10. Available from: https://cloud.google.com/blog/topics/threat-intelligence/unc5537-snowflake-data-theft-extortion

3. Statement. Santander. 2024 May 14. Available from: https://www.santander.com/en/stories/statement

4. Live Nation probing Ticketmaster hack amid user data leak concerns. Reuters. 2024 June 3. Available from: https://www.reuters.com/technology/cybersecurity/live-nation-probing-ticketmaster-hack-amid-user-data-leak-concerns-2024-06-01/

5. Snowflake Recommends Customers Take Steps to Prevent Unauthorized Access. CISA. 2024 June 3. Available from: https://www.cisa.gov/news-events/alerts/2024/06/03/snowflake-recommends-customers-take-steps-prevent-unauthorized-access

6. Overview of the Snowflake breach. SOCRadar. 2024 June 2. Available from: https://socradar.io/overview-of-the-snowflake-breach/

7. Santander staff and ‘30 million’ customers hacked. Santander. 2024 May 31. Available from: https://www.bbc.co.uk/news/articles/c6ppv06e3n8o

8. Snowflake Breach: Examination of ‘whitewarlock’ claims. Cyberint. 2024 June 2. Available from: https://cyberint.com/blog/threat-intelligence/snowflake-breach-examination-of-whitewarlock-claims/
