Last week brought a significant breach: the hacker group ShinyHunters claimed to have stolen 1.3 terabytes of data on 560 million Ticketmaster customers and put it up for sale for $500,000. If the claim holds, the personal details of a large share of Ticketmaster’s customer base are exposed, and the reaction has been widespread concern and backlash.
An extensive breach incident
Let’s look at the key details. Live Nation acknowledged the incident in an 8-K filing with the SEC. According to the filing, on May 20 the company identified unauthorized activity within a third-party cloud database environment containing company data, primarily from its Ticketmaster subsidiary. Live Nation launched an investigation and is cooperating with law enforcement. For now, the company does not expect the incident to have a material impact on its operations.
Notably, the same group claims to hold data from Santander. According to reports, the leaked data includes sensitive information on millions of Santander customers and employees. Santander confirmed unauthorized access to a database hosted by a third-party provider, exposing data of customers in Chile, Spain and Uruguay and of some current and former employees.
The cloud aspect
The likely common factor is the cloud data platform Snowflake, used by both Santander and Live Nation/Ticketmaster. Ticketmaster confirmed that the compromised database was hosted on Snowflake.
Snowflake published a notice, which CISA amplified with an alert of its own, about a rise in threat activity targeting customer accounts on its platform. The advisory urged customers to review their logs for unusual activity and to conduct further analysis to keep threat actors out of their accounts.
In a separate statement, Snowflake’s Chief Information Security Officer, Brad Jones, said the company had found no evidence that the Snowflake platform itself had been breached. The attacks appeared to target accounts configured with single-factor authentication, using credentials obtained through various means. Snowflake’s recommendations to customers: enforce multi-factor authentication on all accounts, configure network policy rules so the environment is reachable only from approved addresses, and reset and rotate Snowflake credentials regularly.
Streamlining cybersecurity practices
Cybersecurity is often seen as the most complex corner of IT, but not every problem in it is complicated. Snowflake’s guidance underlines one of the simple ones: multi-factor authentication (MFA) is indispensable, because with it a stolen or guessed password alone is no longer enough to log in, which defeats credential stuffing and other forms of credential replay.
Research by the cloud security company Mitiga suggests the Snowflake-related incidents are part of a single campaign in which threat actors use stolen user credentials against organizations that run Snowflake databases. The attackers target setups without two-factor authentication and typically connect from commercial VPN IP addresses.
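As an added illustration of the log review that Snowflake’s notice and Mitiga’s findings both call for (this is example code written for this page, not Snowflake’s or Mitiga’s tooling), the following Python triages a constructed set of login records whose columns mirror Snowflake’s SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY view. The corporate egress range, the SVC_ naming convention, the user names and the addresses are assumptions for the example. It flags successful password logins with no second factor, logins from outside the corporate egress range (exactly what a network policy would have refused), service accounts still authenticating with a password, and one account appearing from several off-network addresses in the window, which is the footprint of a stolen credential replayed through rotating commercial VPN exits.

```python
"""Triage of Snowflake-style login history for single-factor, off-network logins.

Added example: the rows below are constructed to mirror the columns of the
SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY view; they are not real log data.
"""
import csv
import io
import ipaddress
from collections import defaultdict

SAMPLE_LOGIN_HISTORY = """\
EVENT_TIMESTAMP,USER_NAME,CLIENT_IP,REPORTED_CLIENT_TYPE,FIRST_AUTHENTICATION_FACTOR,SECOND_AUTHENTICATION_FACTOR,IS_SUCCESS
2024-05-20 02:11:09,ALICE,203.0.113.17,SNOWFLAKE_UI,PASSWORD,,YES
2024-05-20 02:13:41,ALICE,198.51.100.23,PYTHON_DRIVER,PASSWORD,,YES
2024-05-20 02:40:02,ALICE,198.51.100.77,PYTHON_DRIVER,PASSWORD,,YES
2024-05-20 08:02:55,BOB,203.0.113.40,SNOWFLAKE_UI,PASSWORD,DUO_PUSH,YES
2024-05-20 08:30:10,SVC_ETL,203.0.113.9,JDBC_DRIVER,RSA_KEYPAIR,,YES
2024-05-20 09:15:00,SVC_REPORTING,198.51.100.5,PYTHON_DRIVER,PASSWORD,,YES
2024-05-20 09:16:12,CAROL,198.51.100.5,SNOWFLAKE_UI,PASSWORD,,NO
2024-05-20 10:00:00,DAVE,203.0.113.41,SNOWFLAKE_UI,SAML2_ASSERTION,,YES
"""

# Assumed corporate egress range for the example. A Snowflake network policy
# with the same allowed list would have rejected every other source address.
CORPORATE_EGRESS = [ipaddress.ip_network("203.0.113.0/24")]

# Naming convention assumed for the example's non-human identities.
SERVICE_ACCOUNT_PREFIX = "SVC_"


def is_corporate(ip: str) -> bool:
    """True when the client address falls inside an allowed egress range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_EGRESS)


def is_single_factor_password(row: dict) -> bool:
    """True when the login relied on a reusable password and nothing else.

    Key-pair (RSA_KEYPAIR) and SSO (SAML2_ASSERTION) logins are not password
    replays, so they are not flagged even without a second factor.
    """
    return (row["FIRST_AUTHENTICATION_FACTOR"] == "PASSWORD"
            and not row["SECOND_AUTHENTICATION_FACTOR"])


def triage(csv_text: str) -> dict[str, list[str]]:
    """Return {user_name: sorted reasons} for every user that deserves a look."""
    reasons: dict[str, set[str]] = defaultdict(set)
    offnet_sources: dict[str, set[str]] = defaultdict(set)

    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["IS_SUCCESS"] != "YES":
            # Failed attempts feed a brute-force / password-spray check, not this one.
            continue
        user = row["USER_NAME"]
        if is_single_factor_password(row):
            reasons[user].add("single-factor password login")
            if user.startswith(SERVICE_ACCOUNT_PREFIX):
                reasons[user].add("service account authenticating with a password instead of a key pair")
        if not is_corporate(row["CLIENT_IP"]):
            reasons[user].add("successful login from outside corporate egress")
            offnet_sources[user].add(row["CLIENT_IP"])

    # One account arriving from several off-network addresses in a short window
    # is what a stolen credential replayed through rotating VPN exits looks like.
    for user, sources in offnet_sources.items():
        if len(sources) > 1:
            reasons[user].add("multiple off-network source addresses")

    return {user: sorted(r) for user, r in reasons.items()}


if __name__ == "__main__":
    for user, why in triage(SAMPLE_LOGIN_HISTORY).items():
        print(f"{user}: {'; '.join(why)}")
```

In the constructed sample only ALICE and SVC_REPORTING surface: BOB used MFA from the corporate range, SVC_ETL authenticated with a key pair, DAVE came through SSO, and CAROL’s attempt failed. Against a real export you would run the same logic over a rolling window and feed the off-network addresses into an IP-reputation or VPN-provider lookup.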
Consistent policy enforcement is what matters. Corporate single sign-on (SSO) and MFA may be in place, but they only help if they are enforced for every environment and every user. There should be no way for a user to reach any corporate resource with a username and password outside SSO, and MFA must be mandatory for all users on all systems, including cloud and third-party services.
Ensuring comprehensive control
As the saying goes, “There is no cloud – it’s essentially someone else’s computer”. Organizations get vast resources on that ‘computer’, but only the level of access the provider chooses to expose, which is inherent to cloud computing. Multi-tenant platforms achieve their efficiency by limiting what an individual customer can do on the shared platform, and that limit extends to security: customers can only apply the controls the provider makes available.
Automatic password rotation illustrates this. Modern privileged access management tools, such as One Identity Safeguard, change a password as soon as it has been used or on a fixed schedule, so each password is effectively single-use. A credential list assembled for stuffing is worthless once the passwords have been rotated, and even a password captured by a keylogger is only valid until the next rotation, which narrows the attacker’s window rather than eliminating it. None of this works, however, unless the platform offers an API to change the password. Snowflake does provide an interface for setting user passwords; it is up to the customer to drive it, rotating either after each use or on a predefined schedule.
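To make the rotation mechanics concrete, here is an added Python example (written for this page, not One Identity’s or Snowflake’s code) of what a PAM tool does against an API such as Snowflake’s ALTER USER ... SET PASSWORD statement: generate a secret that satisfies Snowflake’s default password requirements (at least 8 characters with an uppercase letter, a lowercase letter and a digit), decide whether rotation is due by use count or by age, quote the user name and the secret correctly so a quote character cannot break or alter the statement, and persist the new secret before changing it on the target so a crash mid-rotation cannot lock the account out. The `execute` callable, the in-memory vault and the account names are stand-ins assumed for the example; in production `execute` would run the statement through the Snowflake connector and the vault would be the PAM product’s encrypted store.

```python
"""PAM-style password rotation against a Snowflake-like ALTER USER API.

Added example: the executor and vault are in-memory stand-ins. A real run
would send the statement through the Snowflake connector and keep the vault
in the PAM product's encrypted store.
"""
import re
import secrets
import string
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional

# Quotes and backslashes are left out so the secret pastes cleanly into shells
# and configs; quote_literal() below still escapes them, defensively.
PASSWORD_ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_~"


def meets_snowflake_default_policy(password: str) -> bool:
    """Snowflake's default rule: at least 8 chars, one upper, one lower, one digit."""
    return (len(password) >= 8
            and re.search(r"[A-Z]", password) is not None
            and re.search(r"[a-z]", password) is not None
            and re.search(r"\d", password) is not None)


def generate_password(length: int = 32) -> str:
    """CSPRNG-backed secret, resampled until it satisfies the policy."""
    while True:
        candidate = "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(length))
        if meets_snowflake_default_policy(candidate):
            return candidate


def quote_identifier(name: str) -> str:
    """Snowflake quoted identifier: wrapped in double quotes, embedded ones doubled."""
    return '"' + name.replace('"', '""') + '"'


def quote_literal(value: str) -> str:
    """Snowflake string literal: backslash is an escape character, quotes are doubled."""
    return "'" + value.replace("\\", "\\\\").replace("'", "''") + "'"


def rotation_statement(user: str, new_password: str) -> str:
    """Both values quoted; never interpolate the raw secret into SQL."""
    return f"ALTER USER {quote_identifier(user)} SET PASSWORD = {quote_literal(new_password)};"


@dataclass
class RotationPolicy:
    """Rotate after max_uses checkouts or max_age, whichever comes first.

    max_uses=1 makes every password effectively single-use. A keylogged password
    stays valid until the next rotation runs, so the policy bounds the exposure
    window; it does not remove it.
    """
    max_uses: int = 1
    max_age: timedelta = timedelta(hours=24)

    def due(self, last_rotated: datetime, uses_since_rotation: int, now: datetime) -> bool:
        return uses_since_rotation >= self.max_uses or now - last_rotated >= self.max_age


def rotate(user: str, vault: dict, execute: Callable[[str], None],
           now: Optional[datetime] = None) -> str:
    """Record the candidate, change the target, then commit. If the API call
    fails, the 'pending' entry survives for reconciliation instead of leaving
    the account with a password nobody holds."""
    now = now or datetime.now(timezone.utc)
    new_password = generate_password()
    entry = vault.setdefault(user, {})
    entry["pending"] = new_password
    execute(rotation_statement(user, new_password))  # raises on failure
    entry.update(current=new_password, rotated_at=now, uses=0)
    del entry["pending"]
    return new_password


def demo() -> dict:
    """Fixed-time scenario: one account checked out once since yesterday's
    rotation (due), and one whose API call fails (left pending)."""
    t_rotated = datetime(2024, 5, 19, 8, 0, tzinfo=timezone.utc)
    t_now = datetime(2024, 5, 20, 9, 0, tzinfo=timezone.utc)
    vault = {"SVC_REPORTING": {"current": "old-secret", "rotated_at": t_rotated, "uses": 1}}
    issued: list = []
    entry = vault["SVC_REPORTING"]
    due = RotationPolicy().due(entry["rotated_at"], entry["uses"], t_now)
    if due:
        rotate("SVC_REPORTING", vault, issued.append, now=t_now)

    def broken(_statement: str) -> None:
        raise RuntimeError("connection lost")
    try:
        rotate("SVC_BROKEN", vault, broken, now=t_now)
    except RuntimeError:
        pass
    return {"due": due, "vault": vault, "issued": issued}


if __name__ == "__main__":
    for user, entry in demo()["vault"].items():
        state = "rotated" if "pending" not in entry else "pending reconciliation"
        print(f"{user}: {state}")
```

The ordering inside `rotate` is the part most home-grown rotation scripts get wrong: changing the target first and writing to the vault second means a network error between the two steps leaves a password that exists nowhere. Keeping a `pending` record lets a reconciliation job try both the old and the candidate secret and settle the vault.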
When choosing a platform to host critical data, make sure these APIs exist and can be driven by your privileged identity management tooling, so that a new environment can be brought under corporate security oversight. MFA, SSO, password rotation and centralized logging should be baseline requirements in today’s threat landscape, so that customers can protect their data on their side of the shared-responsibility line.
Addressing non-human identity protection
Non-human identities matter as much as human ones. Robotic process automation (RPA) tools and service accounts hold trusted positions for database operations, and securing them is a distinct challenge: push notifications and TOTP codes, the usual second factors, do not work for an unattended service account.
Non-human accounts are attractive targets because they carry broad permissions to do their jobs. Protecting their credentials must be a priority for security teams. Snowflake supports service accounts for automated workloads and has published guidance on securing them and their credentials, notably key-pair authentication in place of passwords.
Cost considerations in cybersecurity
Cybercriminals follow a simple strategy: maximize profit with automated mass attacks against large victim pools, using straightforward but effective methods. Credential stuffing, as used against Snowflake customers, is among the cheapest techniques, the 2024 equivalent of email spam. Something this cheap should also have a negligible success rate. That two major organizations lost large volumes of critical data to it says something alarming about the state of security worldwide.
Final Thoughts
Basic safeguards such as SSO, MFA and password rotation make large-scale attacks prohibitively expensive. They do not guarantee immunity against targeted attacks or advanced persistent threats (APTs), but they substantially reduce exposure to mass attacks that rely on these vectors, and that alone improves overall security considerably.
