Hackers Reveal Their Strategy of Stealing Snowflake's Ticketmaster Data

The ShinyHunters hacker claimed that they acquired access to Ticketmaster's Snowflake cloud account by first hacking a third-party contractor.


According to Wired, a ShinyHunters hacker gained access to the Snowflake accounts of Ticketmaster and other organisations through a breach of software engineering firm EPAM Systems, validating a Mandiant report that attributed some of the intrusions to compromises of third-party contractors.

According to the hacker, information-stealing malware and a remote access trojan deployed against a Ukraine-based EPAM Systems employee gave ShinyHunters access to unencrypted credentials the employee used to reach the firm's customers' Snowflake accounts. Those credentials were then used to infiltrate the Snowflake accounts, including the one owned by Ticketmaster.

EPAM denied the ShinyHunters hacker's claims, but independent security researcher "Reddington" found an infostealer-harvested data repository online that included the internal EPAM URL for Ticketmaster's Snowflake account and the credentials the EPAM worker used to access that account.

"This means that anyone that knew the correct URL to [Ticketmaster's] Snowflake could have simply looked up the password, logged in, and stolen the data," noted Reddington.

In the hacking campaign targeting Snowflake's clients, nearly 165 customer accounts were potentially compromised, but only a few of these have been identified so far. In addition to Ticketmaster, the banking corporation Santander has acknowledged that its data was stolen but has not named the account from which it was taken.

However, a local media outlet has confirmed that it was a Snowflake account. According to a post published by the hackers, the stolen data included bank account information for 30 million customers, including 6 million account numbers and balances, 28 million credit card numbers, and human resources information about employees. LendingTree and Advance Auto Parts have also confirmed that they may be victims of this campaign.

In a notice published earlier this week, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) urged organisations to follow Snowflake's recommendations to look for signs of unusual activity and take precautions to prevent unauthorised access. A similar advisory issued by the Australian Signals Directorate's Australian Cyber Security Centre (ACSC) warned of "successful compromises of several companies using Snowflake environments."