Ticketmaster, Santander Bank breaches linked to Snowflake hack, threat actor claims
An individual allegedly behind recent attacks on Ticketmaster and Santander Bank has claimed that they gained initial access to their victims by using stolen Snowflake credentials.
The possible connection was first revealed by cybersecurity company Hudson Rock, which today published a blog post detailing a conversation with an alleged perpetrator of the two breaches. According to the post, the threat actor used stolen credentials to sign into a Snowflake employee’s ServiceNow account, thus bypassing Okta.
The stolen credentials are believed to have originated from an infostealer downloaded to the same Snowflake employee’s account in October 2023. After gaining initial access, Hudson Rock said, the threat actor was able to access refresh tokens from Okta, allowing them to maintain persistent access and steal data from some companies using Snowflake software.
Snowflake, an American data cloud company, is used by thousands of companies to store, manage, and analyze large volumes of data. On May 31st, the company released a statement on its community forums stating they had “recently observed and are investigating an increase in cyber threat activity targeting” some of their customers’ accounts, without specifically mentioning Ticketmaster or Santander Bank.
The threat actor allegedly tried to extort a 20 million dollar ransom from Snowflake as well, writing to a Hudson Rock researcher:
anyway my goal is for them [Snowflake] to buy their data back rather than let it end up in the wrong hands and a few already have independently but snowflake could just pay me 20m and save everyone time.
As of the time of writing, neither the threat actor’s nor Hudson Rock’s claims have been validated by third-party sources.
According to the Snowflake statement, companies using Snowflake software are recommended to:
- Review IoCs, investigative queries, and preventive actions that have been published on a Snowflake Community Security Bulletin.
- Enable the Snowflake-delivered implementation of Snowflake Duo MFA for privileged human users. More details are outlined in the Identifying Non-MFA Users and Enabling MFA document.
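As an added illustration of the second recommendation (these are not Snowflake's own bulletin queries, and the column names are assumed from the current SHOW USERS and ACCOUNT_USAGE.LOGIN_HISTORY documentation), the following SQL first lists enabled users who have no Duo MFA enrolled, then surfaces recent successful password logins that carried no second factor, grouped by user and source IP so that unfamiliar addresses stand out. It assumes a role with access to the SNOWFLAKE.ACCOUNT_USAGE share, whose views can lag live activity by an hour or two.

```sql
-- Added example, not Snowflake's bulletin code. Assumes ACCOUNTADMIN or a role
-- granted IMPORTED PRIVILEGES on the SNOWFLAKE database.

-- 1. Enabled users with no Duo MFA enrolled.
--    SHOW USERS returns lowercase column names and string booleans ('true'/'false'),
--    hence the quoted identifiers and string comparisons below.
SHOW USERS;
SELECT "name",
       "login_name",
       "email",
       "default_role",
       "last_success_login"
FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
WHERE "ext_authn_duo" = 'false'   -- no Duo MFA enrolled
  AND "disabled" = 'false'        -- still able to log in
ORDER BY "last_success_login" DESC NULLS LAST;

-- 2. Successful password logins in the last 30 days with no second factor.
--    A user/IP pair that has never been seen before, or a client type that does
--    not match how that user normally connects, is what a reviewer should chase.
SELECT user_name,
       client_ip,
       reported_client_type,
       COUNT(*)             AS logins,
       MIN(event_timestamp) AS first_seen,
       MAX(event_timestamp) AS last_seen
FROM snowflake.account_usage.login_history
WHERE event_timestamp >= DATEADD('day', -30, CURRENT_TIMESTAMP())
  AND is_success = 'YES'
  AND first_authentication_factor = 'PASSWORD'
  AND second_authentication_factor IS NULL
GROUP BY user_name, client_ip, reported_client_type
ORDER BY last_seen DESC;
```

The first query answers "who is still exposed to a stolen password," the second "has anyone already used one"; run both before and after the MFA rollout, since the second list should shrink to nothing once every human user with a password is enrolled.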
Detecting months-long threat campaigns, such as those behind the alleged Snowflake hack, takes a team of security professionals scouring your systems 24×7 for IoCs and suspicious activity observed on endpoints.
In late January 2024, the ThreatDown Managed Detection and Response (MDR) team found and stopped a three-month-long malware campaign against a Managed Service Provider (MSP) based in Europe. Read the details of how ThreatDown MDR neutralized the threat.
Learn more about ThreatDown MDR here.
UPDATE 6/2/2024: Hudson Rock has since taken down their blog post.