Live Nation disclosed unauthorized activity in a Snowflake-based third-party cloud database, exposing Ticketmaster and other client data. In the following days, threat actors traded or offered Snowflake-related data on the Dark Web, with Snowflake linking the breach to stolen credentials from a former employee’s ServiceNow account via the Lumma Stealer campaign.
Key points
- Unauthorized activity was detected in a Snowflake environment tied to Live Nation’s Ticketmaster data, disclosed May 20, 2024.
- Dark Web listings claimed data from Santander Group and Live Nation/Ticketmaster, with 560M Live Nation/Ticketmaster records offered for $500k.
- The breach is attributed to stolen Snowflake credentials via the Lumma Stealer campaign active in Oct 2023.
- Snowflake’s joint advisory with CrowdStrike and Mandiant states preliminary findings: no platform vulnerability or compromised Snowflake credentials; the campaign targeted users relying on single-factor authentication.
- Reported IOCs include specific client identifiers (rapeflake, DBeaver_DBeaverUltimate) and a large list of IP addresses, some tied to Mullvad VPN and to scanning for the Ivanti Connect vulnerability (CVE-2023-46805).
- Mitigations emphasize MFA, network policies, credential rotation, RBAC, and third-party provider audits; Snowflake provided steps to identify and prevent such attacks.
- Exposure could lead to identity theft and financial fraud for affected individuals and organizations (e.g., Anheuser-Busch, State Farm, Mitsubishi, and others).
MITRE Techniques
- [T1078] Valid Accounts – Using stolen credentials to access Snowflake customer accounts, including a Snowflake employee’s ServiceNow credentials. “breach occurred via stolen credentials of a Snowflake employee’s ServiceNow account…”
- [T1003] Credential Access – Infostealing malware used to obtain credentials later used for access. “Threat actors have used credentials purchased/obtained through infostealing malware.”
- [T1041] Exfiltration – Data posted to the Dark Web for sale, indicating data exfiltration to attacker-controlled channels. “data posted on the Dark Web for sale.”
Indicators of Compromise
- [IOC Type] Client identifiers – rapeflake, DBeaver_DBeaverUltimate, identified from malicious traffic
- [IOC Type] IP addresses – 104.223.91.28, 198.54.135.99, 184.147.100.29, and other listed addresses
- [IOC Type] IP addresses related to suspicious activity – addresses associated with Mullvad VPN and scanning for Ivanti Connect CVE-2023-46805
IOC Investigation
- IP addresses linked to Mullvad VPN, a legitimate service, with some observed for scanning Ivanti Connect VPN (CVE-2023-46805).
Mitigations
- Enforce Multi-Factor Authentication (MFA) on all accounts and set up Network Policy Rules to allow only trusted locations; reset and rotate credentials for impacted organizations.
- Conduct regular security audits of third-party service providers and implement Role-Based Access Control (RBAC) to limit access to sensitive data.
- Snowflake provides steps for identification, investigation, and prevention of the attack (see linked advisory).
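As an added example (not code from Snowflake’s advisory or from the original report), the following Python triages constructed login-history records against the client identifiers and IP addresses listed in the IOC section, and additionally flags successful single-factor logins and logins from outside an assumed trusted network range. The record field names are an assumption loosely modeled on Snowflake’s account-usage views, and the trusted range is a constructed RFC 5737 documentation prefix.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Client identifiers and IP addresses named in the IOC section above.
IOC_CLIENT_IDS = {"rapeflake", "DBeaver_DBeaverUltimate"}
IOC_IPS = {"104.223.91.28", "198.54.135.99", "184.147.100.29"}
# Hypothetical trusted egress range that a network policy would allow
# (RFC 5737 documentation prefix, constructed for this example).
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

@dataclass
class LoginEvent:
    """One login record; field names are an assumption loosely modeled on
    Snowflake's LOGIN_HISTORY / SESSIONS views, not quoted from Snowflake."""
    user_name: str
    client_ip: str
    client_application_id: str
    first_factor: str
    second_factor: Optional[str]  # None means no MFA factor was completed
    is_success: bool

def triage(event: LoginEvent) -> List[str]:
    """Return the detection labels that apply to a single login event."""
    findings = []
    if event.client_application_id in IOC_CLIENT_IDS:
        findings.append("ioc-client")
    if event.client_ip in IOC_IPS:
        findings.append("ioc-ip")
    ip = ipaddress.ip_address(event.client_ip)
    if not any(ip in net for net in TRUSTED_NETWORKS):
        findings.append("untrusted-network")  # a network policy would block this
    if event.is_success and event.second_factor is None:
        findings.append("single-factor")      # the population this campaign targeted
    return findings

# Constructed sample events; no real account data.
SAMPLE_EVENTS = [
    LoginEvent("alice", "203.0.113.10", "SnowSQL", "PASSWORD", "DUO_PUSH", True),
    LoginEvent("svc_etl", "104.223.91.28", "rapeflake", "PASSWORD", None, True),
    LoginEvent("bob", "198.51.100.7", "DBeaver_DBeaverUltimate", "PASSWORD", None, True),
    LoginEvent("carol", "203.0.113.22", "PythonConnector", "PASSWORD", None, False),
]

def flagged_logins(events: List[LoginEvent] = SAMPLE_EVENTS) -> List[Tuple[str, List[str]]]:
    """Events with at least one finding, in input order, for an analyst queue."""
    return [(e.user_name, triage(e)) for e in events if triage(e)]
```

Running `flagged_logins()` over the constructed sample yields the two sessions using the listed client identifiers, each also lacking a second factor, while the MFA-backed login from the trusted range produces no finding.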