- May 31, 2024
- Beazley Security Labs
Snowflake Data Breach
Executive Summary
On May 31st, cybercrime intelligence firm Hudson Rock published a report detailing communications with a threat actor behind recent high-profile, high-impact breaches of Ticketmaster and Santander Bank. In their conversation, the threat actor revealed they were able to compromise Ticketmaster and Santander data due to an initial breach they executed against cloud data services company Snowflake.
This Snowflake breach is highly consequential, as Snowflake provides services to over 9,000 clients. At the time of Hudson Rock’s report, there did not seem to be any prior reporting or confirmation of affected Snowflake clients.
In response, Snowflake published a notification stating that they “became aware of potentially unauthorized access to certain customer accounts on May 23, 2024.” Snowflake clarified that they began their own investigation, found the threat activity starting around mid-April, and notified the customers they believed to have been affected. They also shared Indicators of Compromise (IoCs) and detection guidance for customers to run against their own accounts.
Affected Systems or Products
Any organization that uses Snowflake may have had their data exposed by this breach.
Indicators of Compromise
Snowflake published a comprehensive set of queries that clients can run on their own Snowflake environments to see if the threat actor may have accessed their data.
The following query will return login events that originated from suspected IP addresses:
SELECT
    *
FROM
    snowflake.account_usage.login_history
WHERE
    client_ip IN (
        '104.223.91.28',
        '198.54.135.99',
        '184.147.100.29',
        '146.70.117.210',
        '198.54.130.153',
        '169.150.203.22',
        '185.156.46.163',
        '146.70.171.99',
        '206.217.206.108',
        '45.86.221.146',
        '193.32.126.233',
        '87.249.134.11',
        '66.115.189.247',
        '104.129.24.124',
        '146.70.171.112',
        '198.54.135.67',
        '146.70.124.216',
        '45.134.142.200',
        '206.217.205.49',
        '146.70.117.56',
        '169.150.201.25',
        '66.63.167.147',
        '194.230.144.126',
        '146.70.165.227',
        '154.47.30.137',
        '154.47.30.150',
        '96.44.191.140',
        '146.70.166.176',
        '198.44.136.56',
        '176.123.6.193',
        '192.252.212.60',
        '173.44.63.112',
        '37.19.210.34',
        '37.19.210.21',
        '185.213.155.241',
        '198.44.136.82',
        '93.115.0.49',
        '204.152.216.105',
        '198.44.129.82',
        '185.248.85.59',
        '198.54.131.152',
        '102.165.16.161',
        '185.156.46.144',
        '45.134.140.144',
        '198.54.135.35',
        '176.123.3.132',
        '185.248.85.14',
        '169.150.223.208',
        '162.33.177.32',
        '194.230.145.67',
        '5.47.87.202',
        '194.230.160.5',
        '194.230.147.127',
        '176.220.186.152',
        '194.230.160.237',
        '194.230.158.178',
        '194.230.145.76',
        '45.155.91.99',
        '194.230.158.107',
        '194.230.148.99',
        '194.230.144.50',
        '185.204.1.178',
        '79.127.217.44',
        '104.129.24.115',
        '146.70.119.24',
        '138.199.34.144'
    )
ORDER BY
    event_timestamp;
The following query returns sessions whose client application details match the tooling associated with the threat actor: the custom 'rapeflake' client, or DBeaver Ultimate running on Windows Server 2022.
SELECT
    *
FROM
    snowflake.account_usage.sessions
WHERE
    PARSE_JSON(CLIENT_ENVIRONMENT):APPLICATION = 'rapeflake'
    OR (
        PARSE_JSON(CLIENT_ENVIRONMENT):APPLICATION = 'DBeaver_DBeaverUltimate'
        AND PARSE_JSON(CLIENT_ENVIRONMENT):OS = 'Windows Server 2022'
    )
ORDER BY
    CREATED_ON;
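The two queries above run inside a live Snowflake account. An incident responder often also holds an exported copy of LOGIN_HISTORY and SESSIONS (pulled before the account was locked down, or handed over by a client) and wants to re-run the same checks offline and combine their results. The script below is an added example written for this page; it is not Snowflake's or Beazley Security's code. It assumes the export keeps the column names used by the advisory queries, that each row is a plain dict, and that CLIENT_ENVIRONMENT was exported as a JSON string (Python's json module stands in for PARSE_JSON). The IoC IP list and client fingerprints are the ones from the queries above; the sample rows are constructed for illustration.

```python
"""Offline re-run of the Snowflake IoC queries over an exported LOGIN_HISTORY
and SESSIONS table. Added example; assumptions are noted in the comments."""
import json
import sqlite3

# IoC IP list copied from the advisory's LOGIN_HISTORY query (66 addresses).
SUSPECT_IPS = frozenset({
    "104.223.91.28", "198.54.135.99", "184.147.100.29", "146.70.117.210", "198.54.130.153",
    "169.150.203.22", "185.156.46.163", "146.70.171.99", "206.217.206.108", "45.86.221.146",
    "193.32.126.233", "87.249.134.11", "66.115.189.247", "104.129.24.124", "146.70.171.112",
    "198.54.135.67", "146.70.124.216", "45.134.142.200", "206.217.205.49", "146.70.117.56",
    "169.150.201.25", "66.63.167.147", "194.230.144.126", "146.70.165.227", "154.47.30.137",
    "154.47.30.150", "96.44.191.140", "146.70.166.176", "198.44.136.56", "176.123.6.193",
    "192.252.212.60", "173.44.63.112", "37.19.210.34", "37.19.210.21", "185.213.155.241",
    "198.44.136.82", "93.115.0.49", "204.152.216.105", "198.44.129.82", "185.248.85.59",
    "198.54.131.152", "102.165.16.161", "185.156.46.144", "45.134.140.144", "198.54.135.35",
    "176.123.3.132", "185.248.85.14", "169.150.223.208", "162.33.177.32", "194.230.145.67",
    "5.47.87.202", "194.230.160.5", "194.230.147.127", "176.220.186.152", "194.230.160.237",
    "194.230.158.178", "194.230.145.76", "45.155.91.99", "194.230.158.107", "194.230.148.99",
    "194.230.144.50", "185.204.1.178", "79.127.217.44", "104.129.24.115", "146.70.119.24",
    "138.199.34.144",
})

# Client fingerprints from the advisory's SESSIONS query.
SUSPECT_APPLICATION = "rapeflake"
SUSPECT_APP_OS_PAIR = ("DBeaver_DBeaverUltimate", "Windows Server 2022")


def find_suspect_logins(login_rows):
    """Equivalent of the LOGIN_HISTORY query: logins from any IoC IP, oldest first.
    The exported rows are loaded into an in-memory SQLite table (assumed column
    names) and the IP list is bound as parameters, not spliced into the SQL."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE login_history "
                "(event_timestamp TEXT, user_name TEXT, client_ip TEXT, is_success TEXT)")
    con.executemany("INSERT INTO login_history VALUES (?, ?, ?, ?)",
                    [(r["event_timestamp"], r["user_name"], r["client_ip"], r["is_success"])
                     for r in login_rows])
    placeholders = ", ".join("?" * len(SUSPECT_IPS))
    hits = con.execute("SELECT event_timestamp, user_name, client_ip, is_success "
                       f"FROM login_history WHERE client_ip IN ({placeholders}) "
                       "ORDER BY event_timestamp", sorted(SUSPECT_IPS)).fetchall()
    con.close()
    return hits


def is_suspect_session(client_environment):
    """Stand-in for PARSE_JSON(CLIENT_ENVIRONMENT):APPLICATION / :OS. A missing
    or unparsable environment counts as no match, so one bad row cannot abort
    the sweep (it can still be listed separately if that matters to you)."""
    if not client_environment:
        return False
    try:
        env = json.loads(client_environment)
    except (TypeError, ValueError):
        return False
    app, os_name = env.get("APPLICATION"), env.get("OS")
    return app == SUSPECT_APPLICATION or (app, os_name) == SUSPECT_APP_OS_PAIR


def find_suspect_sessions(session_rows):
    """Equivalent of the SESSIONS query, ordered by CREATED_ON."""
    hits = [r for r in session_rows if is_suspect_session(r.get("client_environment"))]
    return sorted(hits, key=lambda r: r["created_on"])


def users_to_review(login_rows, session_rows):
    """Users surfaced by either query: the accounts to lock and re-credential first."""
    users = {hit[1] for hit in find_suspect_logins(login_rows)}
    users |= {r["user_name"] for r in find_suspect_sessions(session_rows)}
    return sorted(users)


# Constructed sample export: one benign login and two from IoC IPs; a session
# from the 'rapeflake' client, a DBeaver session on the suspect OS, and decoys.
SAMPLE_LOGINS = [
    {"event_timestamp": "2024-04-14T02:10:40Z", "user_name": "ANALYST1",
     "client_ip": "10.20.30.40", "is_success": "YES"},
    {"event_timestamp": "2024-04-16T19:43:51Z", "user_name": "SVC_ETL",
     "client_ip": "45.86.221.146", "is_success": "YES"},
    {"event_timestamp": "2024-04-14T02:11:09Z", "user_name": "SVC_ETL",
     "client_ip": "104.223.91.28", "is_success": "YES"},
]
SAMPLE_SESSIONS = [
    {"created_on": "2024-04-14T02:11:10Z", "user_name": "SVC_ETL",
     "client_environment": '{"APPLICATION": "rapeflake", "OS": "Windows"}'},
    {"created_on": "2024-04-15T09:00:00Z", "user_name": "ANALYST1",
     "client_environment": '{"APPLICATION": "DBeaver_DBeaverUltimate", "OS": "Windows 11"}'},
    {"created_on": "2024-04-16T19:44:02Z", "user_name": "DATA_ENG",
     "client_environment": '{"APPLICATION": "DBeaver_DBeaverUltimate", "OS": "Windows Server 2022"}'},
    {"created_on": "2024-04-17T08:15:00Z", "user_name": "REPORTING", "client_environment": None},
]

if __name__ == "__main__":
    for hit in find_suspect_logins(SAMPLE_LOGINS):
        print("login  ", *hit)
    for s in find_suspect_sessions(SAMPLE_SESSIONS):
        print("session", s["created_on"], s["user_name"], s["client_environment"])
    print("review:", users_to_review(SAMPLE_LOGINS, SAMPLE_SESSIONS))
```

On the sample data the login check returns the two IoC-sourced rows in timestamp order, the session check flags the 'rapeflake' session and the DBeaver-on-Server-2022 session while ignoring DBeaver on Windows 11 and the row with no client environment, and the combined list names both SVC_ETL and DATA_ENG for review. Matching on the IP list alone misses the second user, which is why the advisory ships both queries.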
Threat Intelligence
Public research and reporting attributes the breach to a threat actor labelled UNC5537. The threat actor appears to be financially motivated (not APT), with a history of high-profile breaches. In this particular attack, they moved quickly to identify high-value client data sets in the Snowflake environment. Public analysis estimates 400 affected clients, two of which (Ticketmaster and Santander) have their Snowflake data for sale in cybercriminal black markets.
How Beazley Security is responding
Beazley Security is monitoring client perimeter devices through our Karma product to identify impacted devices and support organizations in remediation of any issues found.