Background
In this research, we aim to shed light on one of the largest data breaches to date. By directly communicating with the threat actor behind the massive data breach of cloud storage giant, Snowflake, we gained unprecedented insight into the devastating impact of Infostealer infections.
The story begins on May 26th, in a Telegram conversation with a threat actor claiming to have hacked two major companies, Ticketmaster and Santander Bank.
The data from these companies was put up for sale on the Russian-speaking cybercrime forum, exploit[.]in. Database samples provided by the threat actor led Hudson Rock researchers to believe that the data is genuine.
In the conversation with Hudson Rock, the threat actor reveals that there is much more to the story than these two breaches, and that additional major companies suffered a similar fate, allegedly including many of Snowflake’s customers which can be found on their website https://www.snowflake.com/en/customers/all-customers/
Further explaining the source of the hack, the threat actor adds that all of these breaches stem from the hack of a single vendor — Snowflake.
To understand how the hack was carried out, the threat actor explains that they were able to sign into a Snowflake employee’s ServiceNow account using stolen credentials, thus bypassing OKTA which is located on lift.snowflake.com.
Following the infiltration, the threat actor claims that they were able to generate session tokens, which enabled them to exfiltrate massive amounts of data from the company.
To put it bluntly, a single credential resulted in the exfiltration of potentially hundreds of companies that stored their data using Snowflake, with the threat actor himself suggesting 400 companies are impacted.
The goal of the threat actor, as in most cases, was to blackmail Snowflake into buying their own data back for $20,000,000.
However it seems the company was not responsive.
Further evidence of the hack includes a CSV file that the threat actor shared with Hudson Rock’s researchers, which shows the depth of their access to Snowflake servers.
This file documents over 2,000 customer instances relating to Snowflake’s Europe servers.
Going over the data found in the CSV file, Hudson Rock researchers identified a Snowflake employee who was infected by a Lumma-type Infostealer on October 5th, 2023. Along with other sensitive credentials to Snowflake’s infrastructure, this employee’s login details (adelou) to a specific server (https://sfseeurope-demo_adelou.snowflakecomputing.com) were also compromised.
When asked about the specific credentials used to carry out the hack, the threat actor confirmed to Hudson Rock researchers that indeed these are the same credentials they used, and shared a mutual sentiment with us around the absolute ease in which this gigantic hack could have been prevented.
It is still undetermined what other companies were impacted by the hack. We expect that this information will be revealed slowly and over time as negotiations with the impacted companies are still ongoing.
On may 31st, Snowflake released a statement in which they claim that they are investigating an industry-wide identity-based attacks that have impacted “some” of their customers.
Hudson Rock will follow up with updates relating to this hack.
Info-stealer infections as a cybercrime trend surged by an incredible 6000% since 2018, positioning them as the primary initial attack vector used by threat actors to infiltrate organizations and execute cyberattacks, including ransomware, data breaches, account overtakes, and corporate espionage.
To learn more about how Hudson Rock protects companies from imminent intrusions caused by info-stealer infections of employees, partners, and users, as well as how we enrich existing cybersecurity solutions with our cybercrime intelligence API, please schedule a call with us, here: https://www.hudsonrock.com/schedule-demo
We also provide access to various free cybercrime intelligence tools that you can find here: www.hudsonrock.com/free-tools
Thanks for reading, Rock Hudson Rock!
Follow us on LinkedIn: https://www.linkedin.com/company/hudson-rock
Follow us on Twitter: https://www.twitter.com/RockHudsonRock
