Lessons from the Ticketmaster-Snowflake Breach
Last week, the notorious hacker gang, ShinyHunters, sent shockwaves across the globe by allegedly plundering 1.3 terabytes of data from 560 million Ticketmaster users. This colossal breach, with a price tag of $500,000, could expose the personal information of a massive swath of the live event company’s clientele, igniting a firestorm of concern and outrage.
A massive data breach
Let’s review the facts. Live Nation has officially confirmed the breach in an 8-K filing to the SEC. According to the document released on May 20, the company “identified unauthorized activity within a third-party cloud database environment containing Company data,” primarily from the Ticketmaster subsidiary. The filing claims Live Nation launched an investigation and is cooperating with law enforcement. So far, the company doesn’t believe that the breach will have a material impact on its business operations.
It’s noteworthy that the same group of hackers is also offering data purportedly from Santander. According to the claims, the stolen data contains confidential information belonging to millions of Santander staff and customers. The bank confirmed that “a database hosted by a third-party provider” was accessed, resulting in data leaks for customers in Chile, Spain and Uruguay, as well as all current and some former Santander employees.
The cloud connection
What might link these two breaches is the cloud data company Snowflake, which counts among its users both Santander and Live Nation/Ticketmaster. Ticketmaster did confirm that the stolen database was hosted by Snowflake.
Snowflake did publish a warning with CISA, indicating a “recent increase in cyber threat activity targeting customer accounts on its cloud data platform.” Snowflake issued a recommendation for users to query the database logs for unusual activity and conduct further analysis to prevent unauthorized user access.
In a separate communiqué, Snowflake CISO Brad Jones was clear that the Snowflake system itself was not breached. According to Jones, “this appears to be a targeted campaign directed at users with single-factor authentication,” and threat actors have leveraged credentials previously obtained through various methods.
Snowflake also listed some recommendations for all customers, like enforcing multi-factor authentication (MFA) on all accounts, setting up network policy rules to allow access to the cloud environment only from pre-set trusted locations, and resetting and rotating Snowflake credentials.
Simplifying cybersecurity
We tend to romanticize cybersecurity – and it is an incredibly difficult and complex discipline in IT. However, not all cybersecurity challenges are equally hard. The guidance offered by Snowflake really makes this point: MFA is a must. It is an incredibly effective tool against a range of cyberattacks, including credential stuffing.
Research done by the cloud security company Mitiga claims the Snowflake incidents are part of a campaign in which a threat actor uses stolen customer credentials to target organizations that run Snowflake databases. According to the published research, “the threat actor primarily exploited environments lacking two-factor authentication,” and the attacks typically originated from commercial VPN IPs.
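Snowflake's advice above was to query the login logs for unusual activity, and Mitiga's findings give the profile to look for: successful password-only logins, often from commercial VPN addresses. The two queries below are an added example written for this post, not Snowflake's or Mitiga's own detection content. They assume the reader can read the `SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY` view; the allow-listed ranges are constructed TEST-NET placeholders to be replaced with the organisation's real egress addresses.

```sql
-- Added example (not from the post, Snowflake or Mitiga): hunting queries over
-- Snowflake's account-level login log. Assumes SNOWFLAKE.ACCOUNT_USAGE is readable.

-- 1. Successful password-only logins (no second factor) from outside the
--    corporate ranges: the profile of the campaign described in the post.
WITH trusted AS (
    SELECT column1 AS cidr
    FROM VALUES ('203.0.113.0/24'), ('198.51.100.0/24')   -- constructed placeholder ranges
),
trusted_ranges AS (
    SELECT PARSE_IP(cidr, 'INET'):ipv4_range_start::NUMBER AS lo,
           PARSE_IP(cidr, 'INET'):ipv4_range_end::NUMBER   AS hi
    FROM trusted
)
SELECT l.event_timestamp,
       l.user_name,
       l.client_ip,
       l.reported_client_type,
       l.first_authentication_factor
FROM snowflake.account_usage.login_history AS l
WHERE l.event_timestamp >= DATEADD(day, -7, CURRENT_TIMESTAMP())
  AND l.is_success = 'YES'
  AND l.first_authentication_factor = 'PASSWORD'
  AND l.second_authentication_factor IS NULL          -- no MFA on this login
  AND NOT EXISTS (                                    -- source IP not in any trusted range
        SELECT 1
        FROM trusted_ranges AS t
        WHERE PARSE_IP(l.client_ip, 'INET'):ipv4::NUMBER BETWEEN t.lo AND t.hi
      )
ORDER BY l.event_timestamp DESC;

-- 2. Credential-stuffing signature: one source IP cycling through many user
--    names. A handful of successes among many failures is the case to act on first.
SELECT client_ip,
       COUNT(DISTINCT user_name)    AS users_tried,
       COUNT_IF(is_success = 'NO')  AS failures,
       COUNT_IF(is_success = 'YES') AS successes,
       MIN(event_timestamp)         AS first_seen,
       MAX(event_timestamp)         AS last_seen
FROM snowflake.account_usage.login_history
WHERE event_timestamp >= DATEADD(day, -7, CURRENT_TIMESTAMP())
GROUP BY client_ip
HAVING COUNT(DISTINCT user_name) >= 10
ORDER BY users_tried DESC, successes DESC;
```

The first query treats any IPv6 client address as untrusted, since the IPv4 range check cannot match it; that is the conservative outcome for a hunt. Note that `ACCOUNT_USAGE` views lag live activity by up to a couple of hours, so a scheduled run of these queries is a detection, not a preventive control.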
Policies are only as effective as their implementation and enforcement. Technologies like corporate single sign-on (SSO) and MFA might be in place, but not truly enforced across all environments and users. There should be no possibility that users can still authenticate using username/password outside of SSO to reach any corporate resource. The same is true for MFA: instead of self-enrollment, it should be mandatory for all users across all systems and all environments, including cloud and third-party services.
Are you in full control?
There is no cloud – it’s just someone else’s computer, as the old saying goes. And while you (and your organization) do enjoy a lot of access to that computer’s resources, ultimately that access is never complete, a limitation inherent to cloud computing. Multi-tenant cloud technologies achieve economies of scale by limiting what a single customer can do on that “computer”, and that sometimes includes the ability to implement security.
A case in point is automatic password rotation. Modern privileged access management tools like One Identity Safeguard can rotate out passwords after use. This makes them effectively single-use and immunizes the environment against credential stuffing attacks, but also against more sophisticated threats like keyloggers, which were used in the LastPass hack. However, the API that provides this feature needs to be present. Snowflake does provide the interface to update user passwords, so it was on the customer to use it and rotate passwords in a usage-based or time-based manner.
When choosing where to host business-critical data, make sure the platform offers these APIs through privileged identity management and allows you to bring the new environment under your corporate security umbrella. MFA, SSO, password rotation and centralized logging should all be base requirements in this threat landscape, as these features allow the customer to protect the data on their end.
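To make the three controls above concrete for the platform in question, here is an added example (written for this post, not Snowflake's own guidance) of the account-level statements that turn them into enforced settings rather than options: an account-wide network policy, MFA as a requirement, a password policy plus the `ALTER USER ... SET PASSWORD` interface a PAM tool would call to rotate a credential, and a query for the gap the attackers used. Policy names, IP ranges and the user name are constructed placeholders. Authentication policies are a Snowflake feature that postdates the incident; the property names shown for it are my understanding of that feature and should be checked against the current documentation.

```sql
-- Added example (not from the post or from Snowflake's advisory): account-level
-- hardening. Run with ACCOUNTADMIN. Names and addresses are placeholders.

-- (a) Network policy: only the corporate egress ranges may reach the account.
CREATE NETWORK POLICY corp_egress_only
  ALLOWED_IP_LIST = ('203.0.113.0/24', '198.51.100.0/24')   -- constructed TEST-NET ranges
  COMMENT = 'Account-wide allow-list; automation hosts get their own user-level policy';
ALTER ACCOUNT SET NETWORK_POLICY = corp_egress_only;

-- (b) MFA as a requirement rather than self-enrolment. Assumption: authentication
--     policy properties as I understand them; verify against current docs.
CREATE AUTHENTICATION POLICY require_sso_or_mfa
  AUTHENTICATION_METHODS = ('SAML', 'PASSWORD')   -- SSO preferred; any password login still needs MFA
  MFA_ENROLLMENT = REQUIRED
  CLIENT_TYPES = ('SNOWFLAKE_UI', 'DRIVERS', 'SNOWSQL');
ALTER ACCOUNT SET AUTHENTICATION POLICY require_sso_or_mfa;

-- (c) Password rotation. The policy caps the lifetime of any password that still
--     exists; the ALTER USER statement is the interface a PAM tool calls to
--     rotate a credential after use or on a schedule.
CREATE PASSWORD POLICY rotate_monthly
  PASSWORD_MIN_LENGTH  = 16
  PASSWORD_MAX_AGE_DAYS = 30
  PASSWORD_HISTORY     = 12;
ALTER ACCOUNT SET PASSWORD POLICY rotate_monthly;

ALTER USER analyst_jdoe                         -- placeholder user
  SET PASSWORD = '<random-secret-from-vault>'   -- placeholder; generated by the PAM tool
      MUST_CHANGE_PASSWORD = TRUE;

-- (d) Find the gap the attackers used: enabled users that still hold a password
--     and have never enrolled in MFA.
SELECT name, has_password, ext_authn_duo, last_success_login
FROM snowflake.account_usage.users
WHERE deleted_on IS NULL
  AND disabled = FALSE
  AND has_password = TRUE
  AND ext_authn_duo = FALSE
ORDER BY last_success_login DESC NULLS LAST;
```

Apply (a) last, and from an allow-listed address, since a network policy that excludes the administrator's own IP locks the account. The list from (d) is the work queue: each user on it either moves behind SSO, enrols in MFA, or has the password removed.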
The non-human identity
One unique aspect of modern technology is the non-human identity. For example, RPA (robotic process automation) tools and service accounts are trusted to perform certain tasks on the database. Protecting these identities is an interesting challenge, as out-of-band mechanisms like push notifications or TOTP tokens are not feasible for service account use cases.
Non-human accounts are valuable targets for attackers as they usually have very powerful permissions to perform their tasks. Protecting their credentials should always be a priority for security teams. Snowflake uses a multitude of service accounts to operate the solution, and developed a series of blog posts on how to protect these accounts and their credentials.
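Since push notifications and TOTP are off the table for a service account, the practical substitute is to give it no password at all. The statements below are an added example written for this post, not content from Snowflake's blog series, showing a service identity that authenticates only with a key pair, is pinned to the hosts that run the automation, holds only the privileges its job needs, and can have its key rotated without downtime. The user, role, warehouse, database and addresses are constructed; the public keys are placeholders, and the `openssl` commands in the comment are the assumed way to generate the pair outside Snowflake.

```sql
-- Added example (not from the post or Snowflake's blog posts): a service account
-- that cannot be credential-stuffed because no password exists for it.
-- Generate the key pair outside Snowflake (assumption: OpenSSL) and keep the
-- private key in the RPA tool's vault:
--   openssl genrsa 2048 | openssl pkcs8 -topk8 -inform PEM -out rsa_key.p8 -nocrypt
--   openssl rsa -in rsa_key.p8 -pubout -out rsa_key.pub

CREATE ROLE IF NOT EXISTS rpa_loader_role;
CREATE USER IF NOT EXISTS svc_rpa_loader          -- constructed name
  DEFAULT_ROLE = rpa_loader_role
  COMMENT = 'RPA service identity: key-pair only, no interactive login';

-- Key-pair authentication: paste the body of rsa_key.pub without header/footer lines.
ALTER USER svc_rpa_loader SET RSA_PUBLIC_KEY = 'MIIBIjANBgkq...<placeholder>...IDAQAB';
-- Make sure username/password can never authenticate this account.
ALTER USER svc_rpa_loader UNSET PASSWORD;

-- Pin the account to the hosts that actually run the automation (user-level policy).
CREATE NETWORK POLICY rpa_hosts_only
  ALLOWED_IP_LIST = ('192.0.2.10', '192.0.2.11');   -- constructed TEST-NET addresses
ALTER USER svc_rpa_loader SET NETWORK_POLICY = rpa_hosts_only;

-- Least privilege: the role gets only what the load job needs.
GRANT USAGE ON WAREHOUSE load_wh TO ROLE rpa_loader_role;
GRANT USAGE ON DATABASE events_db TO ROLE rpa_loader_role;
GRANT USAGE ON SCHEMA events_db.staging TO ROLE rpa_loader_role;
GRANT INSERT, SELECT ON ALL TABLES IN SCHEMA events_db.staging TO ROLE rpa_loader_role;
GRANT ROLE rpa_loader_role TO USER svc_rpa_loader;

-- Zero-downtime key rotation: load the new key into the second slot, switch the
-- client to the new private key, then retire the old one.
ALTER USER svc_rpa_loader SET RSA_PUBLIC_KEY_2 = 'MIIBIjANBgkq...<new placeholder>...IDAQAB';
-- ... once the client has switched:
ALTER USER svc_rpa_loader UNSET RSA_PUBLIC_KEY;

-- Verify: key fingerprints present, no password held.
DESCRIBE USER svc_rpa_loader;   -- inspect RSA_PUBLIC_KEY_FP / RSA_PUBLIC_KEY_2_FP and HAS_PASSWORD
```

The same `LOGIN_HISTORY` view used for hunting shows `RSA_KEYPAIR` as the first authentication factor for this user, so a `PASSWORD` login by a service account is itself a high-confidence alert.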
It’s all about the cost
Cybercriminals follow brutally simple logic: maximize profit by automating mass attacks and targeting large pools of victims with simple but effective methods. Credential stuffing attacks, the type used against Snowflake tenants, are one of the cheapest attack methods – the 2024 equivalent of email spam. And in line with their low cost, they should be almost 100% ineffective. The fact that at least two major organizations lost a significant amount of critical data paints a bleak picture of the current state of global cybersecurity.
Conclusion
By implementing simple controls like SSO, MFA and password rotation, the cost of large-scale attacks becomes prohibitive. While this doesn’t mean targeted attacks won’t succeed, or that attacks by advanced persistent threats (APTs) that are not profit-driven will be completely deterred, it does make mass attacks on this attack vector unfeasible, making everyone a bit safer.