What is Snowflake, the data platform that would have been hacked to get into Santander and Ticketmaster

Spain is facing a significant wave of attacks aimed at companies. This month alone, massive attacks on the General Directorate of Traffic, Iberdrola, Telefónica and Santander have put the Spanish business market and its users in check. A possible culprit is already being pointed out: Snowflake, a major cloud data platform used by almost 10,000 clients, which would itself have been attacked.

This is reported by the cybersecurity firm Hudson Rock, which specifies that the cyber attackers behind the massive thefts from Santander and Ticketmaster would have accessed the data by compromising the account of a Snowflake employee. The platform, founded in 2012, has 9,437 high-profile business clients, with names ranging from Adobe to HP, among others. Both Santander and Ticketmaster are among them.

Snowflake essentially lets the corporate customers that work with it store and analyze data using hardware and software hosted directly in the cloud. Hudson Rock points directly to Snowflake as the catalyst for this wave of attacks, going so far as to claim that a single credential caused the leak of “potentially hundreds of companies.”

A leaked database

It all starts in October of last year. Hudson Rock claims that a Snowflake employee was attacked with Lumma, an ‘infostealer’-type piece of software. This is a type of malicious program that is usually delivered as a Trojan; as the name indicates, it seeks to steal critical information from the computers it infects, including access credentials.

As reported by BleepingComputer, once the theft had been carried out, the attackers bypassed Okta’s secure authentication process by logging into this employee’s ServiceNow account with the stolen credentials. With this access, the attackers could generate session tokens to pull data belonging to Snowflake customers out of the platform.

Snowflake logo.


Hudson Rock is blunt about this. “A single credential resulted in the exfiltration of potentially hundreds of companies that stored their data using Snowflake, with the threat actors themselves suggesting that 400 companies were affected,” says their statement.

The threat actor shared with the cybersecurity company a file housing more than 2,000 customer records related to Snowflake servers in Europe. The motive for the theft was monetary: the aim was to blackmail Snowflake into buying back the stolen data of the other companies for a ransom of $20 million.

Banco Santander, one of the affected companies.


Snowflake apparently refused to pay, and did not even respond to the attackers. While Snowflake does not appear to have confirmed the veracity of Hudson Rock’s report, it has released an announcement on its community website explaining that it is investigating “an increase in threat activity targeting some of our customer accounts.”

On the other hand, Brad Jones, Snowflake’s CISO (Chief Information Security Officer), acknowledged on the website that Snowflake was aware of “recent reports related to a possible compromise of Snowflake’s production environment.” The company describes some of that information as erroneous, and states that there is no evidence the activity was caused by vulnerabilities or misconfigurations.

Jones does admit that “potentially unauthorized access was made to certain customer accounts on May 23, 2024.” The company had already observed increased cyber-threat activity in April 2024 “from a set of suspicious IP addresses and clients that we believe are related to unauthorized access.”

Additionally, Snowflake is notifying all of its platform customers about these attacks and has advised them to protect their accounts by enabling multi-factor authentication. It has also published security bulletins with instructions and frequently asked questions, as well as advice on how customers can protect their accounts.
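The two practical checks a Snowflake customer reading this would want are: which of their users can still log in with a password alone, and which recent logins came in without a second factor, so they can be compared against the suspicious IP addresses and client types Snowflake mentions. The queries below are an added example written for this article, not code from Snowflake’s bulletin or from Hudson Rock. They assume the standard SNOWFLAKE.ACCOUNT_USAGE.USERS and LOGIN_HISTORY views with the column names used here (check them against your own account, since column sets change between releases), a role granted access to ACCOUNT_USAGE, and a placeholder user name `alice` in the final statement.

```sql
-- Added example: defensive checks a Snowflake customer can run in their own
-- account. Assumes the ACCOUNT_USAGE views and columns below exist and that
-- the current role can read SNOWFLAKE.ACCOUNT_USAGE.

-- 1. Active users that can log in with a password but have no MFA (Duo) enrolled.
--    Boolean-like columns in this view are compared as text so the query works
--    whether they are stored as BOOLEAN or as 'true'/'false' strings.
SELECT name, login_name, email, last_success_login
FROM snowflake.account_usage.users
WHERE deleted_on IS NULL
  AND disabled::text      = 'false'
  AND has_password::text  = 'true'
  AND ext_authn_duo::text = 'false'
ORDER BY last_success_login DESC NULLS LAST;

-- 2. Successful password-only logins in the last 30 days, grouped by source IP
--    and reported client, for review against any list of suspicious IPs/clients.
SELECT user_name,
       client_ip,
       reported_client_type,
       MIN(event_timestamp) AS first_seen,
       MAX(event_timestamp) AS last_seen,
       COUNT(*)             AS logins
FROM snowflake.account_usage.login_history
WHERE event_timestamp >= DATEADD('day', -30, CURRENT_TIMESTAMP())
  AND is_success = 'YES'
  AND first_authentication_factor = 'PASSWORD'
  AND second_authentication_factor IS NULL
GROUP BY user_name, client_ip, reported_client_type
ORDER BY last_seen DESC;

-- 3. Remove any MFA bypass window for a user flagged by query 1.
--    ('alice' is a placeholder; MFA enrolment itself is done by the user.)
ALTER USER alice SET MINS_TO_BYPASS_MFA = 0;
```

Query 1 gives the list of accounts to enrol first; query 2 is the one to rerun after MFA is enforced, since it should then return no rows for human users, and any remaining password-only rows point at service accounts that should move to key-pair authentication or be reviewed individually.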

Wave of hacks in Spain

The successive attacks seen in recent weeks have affected all types of companies, from telecommunications firms to banks. This is the case of Banco Santander, which on May 14 detected a security breach affecting the company’s clients in Spain, Chile and Uruguay.

Photomontage of the Ticketmaster logo with a code background.


The investigation carried out by Santander itself revealed unauthorized access to a database of the entity hosted by a provider, which would confirm Hudson Rock’s suspicions. Fortunately, that database contained no transactional information or user access credentials.

More recently there was the gigantic hack of Ticketmaster. This massive attack would have given the attackers access to the data of more than 500 million of the company’s customers. Behind it would be the well-known hacking group ShinyHunters, who have already sold a 1.3-terabyte pack of data at a price of $500,000.

It should be noted that cybersecurity experts from the Civil Guard and other national security specialists in Spain do not believe that a foreign power stands behind this wave of hacks. Sources consulted by EL ESPAÑOL have already attributed these cyberattacks to ordinary crime, which rules out the hypothesis that an enemy power is planning to destabilize the Spanish business market.
