Insights from the Ticketmaster-Snowflake Data Breach


Lessons from the Ticketmaster-Snowflake Breach

The recent incident involving the hacking group ShinyHunters has caused a significant stir worldwide after the group claimed to have extracted 1.3 terabytes of data belonging to 560 million Ticketmaster users. The stolen data, which the group reportedly put up for sale for $500,000, could expose the personal details of a substantial portion of Ticketmaster’s customer base, sparking widespread concern and indignation.

The Extensive Data Breach

Live Nation substantiated the breach in an 8-K disclosure filed with the SEC. In the filing, the company states that on May 20 it identified “unauthorized activities within a third-party cloud database environment holding corporate data,” primarily associated with its Ticketmaster subsidiary. Live Nation has opened an investigation and is cooperating with law enforcement. The company currently believes that the breach will not have a material impact on its business operations.

Of note, the same group claims to hold data from Santander as well. The compromised data allegedly includes confidential information on several million Santander customers and employees. Santander’s statement says that “a third-party hosted database” was breached, exposing data of customers in Chile, Spain, and Uruguay, along with some current and former Santander employees.

The Cloud Connection

The common thread between these breaches is the cloud data platform Snowflake, which serves both Santander and Live Nation/Ticketmaster. Ticketmaster confirmed that the breached database was hosted on Snowflake.

Snowflake, together with CISA, issued an alert warning of a “recent surge in cyber threats targeting customer accounts on its cloud data platform.” Snowflake advised customers to review their login and query logs for unusual activity and to carry out additional analysis to rule out unauthorized access.

Snowflake’s CISO Brad Jones clarified in a separate communication that the Snowflake system itself remained uncompromised. Jones suggested that “this seems to be a targeted scheme aimed at users with single-factor authentication,” with threat actors leveraging credentials acquired through various means.

Snowflake also recommended a set of measures for all customers: enforce multi-factor authentication (MFA) on every account, define network policies that restrict access to the environment to known trusted locations, and reset and rotate Snowflake credentials.

Simplification of Cybersecurity

Cybersecurity is often romanticized, but it is one of the more complex and demanding disciplines in IT. Not every cybersecurity task is equally hard, though. Snowflake’s recommendations put the spotlight on MFA, which remains one of the most effective defenses against a whole class of attacks, credential stuffing included.

Research conducted by cloud security firm Mitiga suggests that the Snowflake incidents are part of a strategy where threat actors exploit stolen user credentials to target entities utilizing Snowflake databases. According to the research findings, “the threat actor mainly exploited environments lacking two-factor authentication,” with attacks originating predominantly from commercial VPN IPs.

A policy is only as good as its enforcement. Corporate single sign-on (SSO) and MFA may be deployed, but what matters is that they apply to every environment and every user without exception. Users must not retain the option to authenticate with a plain username and password outside of SSO for any corporate resource, and MFA must be mandatory for all users on every system and environment, including cloud and third-party services.
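The log review Snowflake advised, and the single-factor and commercial-VPN pattern Mitiga describes, can be turned into a concrete detection. The following is an added example, not code from the article, Snowflake or Mitiga. The record shape loosely mirrors the columns of Snowflake’s SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY view (user name, client IP, first and second authentication factor, success flag), but the events, the corporate and VPN address ranges, and the spray thresholds are all constructed placeholders.

```python
"""Flag single-factor logins and password-spray sources in login-history rows.

Added example; not from the article or Snowflake. Rows loosely mirror
SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY, but all data below is constructed
and the address ranges are placeholders (assumptions).
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Assumed policy inputs: where staff legitimately connect from, and address
# blocks known to belong to commercial VPN providers (placeholders).
CORP_RANGES = [ip_network("203.0.113.0/24")]
VPN_RANGES = [ip_network("198.51.100.0/24")]

SPRAY_WINDOW = timedelta(minutes=30)
SPRAY_DISTINCT_USERS = 3  # one IP trying this many accounts in the window


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    user: str
    client_ip: str
    first_factor: str            # e.g. "PASSWORD", "RSA_KEYPAIR", "SAML2"
    second_factor: Optional[str]  # e.g. "DUO", or None for single-factor
    success: bool


def _in_ranges(ip: str, ranges) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in ranges)


def single_factor_logins(events: List[LoginEvent]) -> List[LoginEvent]:
    """Successful password-only logins from outside the corporate ranges."""
    return [e for e in events
            if e.success and e.first_factor == "PASSWORD"
            and e.second_factor is None
            and not _in_ranges(e.client_ip, CORP_RANGES)]


def spray_sources(events: List[LoginEvent]) -> Dict[str, List[str]]:
    """IPs that attempt >= SPRAY_DISTINCT_USERS distinct accounts in one window."""
    by_ip: Dict[str, List[LoginEvent]] = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_ip[e.client_ip].append(e)
    flagged: Dict[str, List[str]] = {}
    for ip, evs in by_ip.items():
        for i, start in enumerate(evs):  # slide a window over this IP's events
            users = {x.user for x in evs[i:] if x.ts - start.ts <= SPRAY_WINDOW}
            if len(users) >= SPRAY_DISTINCT_USERS:
                flagged[ip] = sorted(users)
                break
    return flagged


def findings(events: List[LoginEvent]) -> List[Tuple[str, str, str, str]]:
    """(rule, subject, source_ip, source_kind) tuples for an analyst to triage."""
    out = []
    for e in single_factor_logins(events):
        kind = "vpn" if _in_ranges(e.client_ip, VPN_RANGES) else "external"
        out.append(("single_factor_login", e.user, e.client_ip, kind))
    for ip, users in spray_sources(events).items():
        kind = "vpn" if _in_ranges(ip, VPN_RANGES) else "external"
        out.append(("password_spray", ",".join(users), ip, kind))
    return out


# Constructed sample: one IP in a VPN block cycles through three accounts and
# lands a single-factor success; one key-pair service login; one lone
# external single-factor login; one healthy corporate MFA login.
T0 = datetime(2024, 5, 20, 2, 0, 0)
SAMPLE = [
    LoginEvent(T0, "alice", "203.0.113.10", "PASSWORD", "DUO", True),
    LoginEvent(T0 + timedelta(minutes=1), "bob", "198.51.100.7", "PASSWORD", None, False),
    LoginEvent(T0 + timedelta(minutes=2), "carol", "198.51.100.7", "PASSWORD", None, False),
    LoginEvent(T0 + timedelta(minutes=3), "dave", "198.51.100.7", "PASSWORD", None, True),
    LoginEvent(T0 + timedelta(minutes=10), "svc_etl", "192.0.2.44", "RSA_KEYPAIR", None, True),
    LoginEvent(T0 + timedelta(hours=5), "erin", "192.0.2.9", "PASSWORD", None, True),
]

if __name__ == "__main__":
    for f in findings(SAMPLE):
        print(f)
```

The two rules are deliberately cheap so they can run over the whole login history rather than a sample: the first is a posture check (anyone still getting in with a password alone), the second is the stuffing signature itself (one source walking through many accounts). A real deployment would source the VPN ranges from a maintained feed and tune the window to the tenant’s normal traffic.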

Assessing Control

The cloud is just someone else’s computer, as the adage goes, and in a multi-tenant platform the customer’s control is never absolute. Automatic password rotation, a standard feature of modern privileged access management tools such as One Identity Safeguard, shortens the useful life of a password captured by a keylogger or leaked in an earlier breach, which is exactly what credential stuffing depends on. Snowflake exposes a mechanism for updating user passwords; it is up to customers to use it and to rotate passwords promptly, whether on a schedule or after a set number of uses.

When selecting a platform to host critical business data, make sure the provider exposes APIs that a privileged identity management system can drive, so the platform can be folded into the corporate security controls. In today’s threat environment, MFA, SSO, password rotation, and centralized logging should be baseline requirements that let customers actually protect their own data.

The Role of Non-Human Identities

Modern environments are full of non-human identities: RPA tools and service accounts that run specific jobs against databases. Securing them is a distinct challenge, because the usual second factors, push notifications or TOTP codes, are impractical for an account that nobody sits behind.

Service accounts are lucrative targets precisely because they tend to carry broad permissions for the jobs they run, so protecting their credentials should be a top priority for security teams. Snowflake itself relies on many service accounts to operate its platform and has published a series of blog posts on securing these accounts and their credentials.
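The rotation rules from the previous section and the service-account concerns above reduce to a credential-hygiene audit that can run against an inventory of accounts. The following is an added example, not code from the article, Snowflake, or One Identity. The account records and the age and usage thresholds are constructed, and the field names are assumptions; the one platform fact it leans on is that Snowflake supports RSA key-pair authentication as a password-free option for service accounts.

```python
"""Credential-hygiene audit for human and non-human accounts.

Added example; not from the article, Snowflake or One Identity. The Account
shape, thresholds and sample inventory are constructed assumptions.
"""
import secrets
import string
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

MAX_PASSWORD_AGE = timedelta(days=90)     # assumed: time-based rotation
MAX_USES_BEFORE_ROTATION = 500            # assumed: usage-based rotation
SYMBOLS = "!#$%&*+-=?@^_"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS


@dataclass
class Account:
    name: str
    kind: str                    # "human" or "service"
    auth: str                    # "PASSWORD", "KEYPAIR" or "SSO"
    mfa_enrolled: bool
    network_policy: Optional[str]
    password_set_at: Optional[datetime]
    uses_since_rotation: int = 0


def posture_findings(acct: Account) -> List[str]:
    """Static checks: humans go through SSO+MFA, services use key pairs."""
    issues = []
    if acct.kind == "human":
        if acct.auth == "PASSWORD":
            issues.append("human account allows username/password outside SSO")
            if not acct.mfa_enrolled:
                issues.append("password login without MFA")
    elif acct.kind == "service":
        if acct.auth == "PASSWORD":
            issues.append("service account uses a password; move to key-pair auth")
        if acct.network_policy is None:
            issues.append("service account not pinned to a network policy")
    return issues


def rotation_due(acct: Account, now: datetime) -> bool:
    """Password-based accounts rotate on age OR on usage, whichever trips first."""
    if acct.auth != "PASSWORD" or acct.password_set_at is None:
        return False
    return (now - acct.password_set_at >= MAX_PASSWORD_AGE
            or acct.uses_since_rotation >= MAX_USES_BEFORE_ROTATION)


def generate_password(length: int = 32) -> str:
    """CSPRNG password guaranteed to contain all four character classes."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(c in SYMBOLS for c in pw)):
            return pw


def audit(accounts: List[Account], now: datetime) -> Dict[str, List[str]]:
    """Map of account name -> list of issues, for accounts that have any."""
    report: Dict[str, List[str]] = {}
    for acct in accounts:
        issues = posture_findings(acct)
        if rotation_due(acct, now):
            issues.append("password rotation due")
        if issues:
            report[acct.name] = issues
    return report


# Constructed inventory: one clean SSO user, one legacy password user, one
# key-pair service account, one service account still on a heavily used password.
NOW = datetime(2024, 6, 1)
ACCOUNTS = [
    Account("alice", "human", "SSO", True, "corp_only", None),
    Account("bob", "human", "PASSWORD", False, None, NOW - timedelta(days=120), 12),
    Account("svc_etl", "service", "KEYPAIR", False, "etl_hosts", None),
    Account("svc_report", "service", "PASSWORD", False, None, NOW - timedelta(days=10), 800),
]

if __name__ == "__main__":
    for name, issues in audit(ACCOUNTS, NOW).items():
        print(name, issues)
    print("replacement secret:", generate_password())
```

Running the audit on the sample flags bob (password outside SSO, no MFA, rotation overdue by age) and svc_report (password-based service account, no network policy, rotation due by usage count), while the SSO user and the key-pair service account pass. The generated replacement password is meant to be written straight into the PAM vault, never displayed to a person.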

Evaluating Costs

Cybercriminals follow a simple, automation-driven playbook: hit a very large pool of victims with cheap but effective techniques. Credential stuffing, the approach apparently used against Snowflake tenants, is about as low-cost as attacks get, the modern equivalent of email spam. Because the controls that defeat it are equally cheap, its success rate ought to be close to negligible. That major organizations are still suffering significant breaches through it says a great deal about the real state of global cybersecurity today.

Concluding Remarks

Basic controls such as SSO, MFA, and password rotation drastically reduce the viability of large-scale attacks. They offer no guarantee against targeted intrusions or advanced persistent threats (APTs), but they make mass attacks through this vector practically infeasible, and that alone raises the security bar considerably.

