5 min Security

Ticketmaster incident shows: attackers no longer break in, but log in

Ticketmaster incident shows: attackers no longer break in, but log in

Ticketmaster, Santander, and Advance Auto Parts are believed to have been robbed of customer data by the same hacker. At this point, it is almost inevitable to argue that the attacks are linked, indicating that the attacker would have found an entry point through a third party. The evidence leads security specialists to believe that Snowflake would be the third party involved.

A hacker was able to break into Snowflake’s online areas that were not protected by 2FA with a self-developed tool. That’s according to an investigation by Mitiga, a provider of cloud security solutions. Those online zones do not contain the least bit of information; for example, it is possible to see log-in data and Snowflake customers’ databases. Those login credentials the hacker (UNC5537) then abused to simply log into the protected environments of Snowflake customers.

Through this route, customer data from Ticketmaster, Santander and Advance Auto Parts were stolen. The number of victims through these three companies already amounts to 970 million. The largest affected parties are Ticketmaster, with 560 million affected customers, and Advance Auto Parts, with 380 million victims. At stake is sensitive data, including credit card data, employee information and loyalty card numbers.

Likely there are more victims

Furthermore, it is not yet certain of which other Snowflake customers the hacker obtained login information from. Given that Snowflake’s customer base amounts to more than 9,000 customers, it would not be surprising if more victims step up in the coming weeks. Mitiga does know the following: “UNC5537 directly extorted organizations and further pressured them by publicly posting stolen data for sale on hacker forums.” Around Ticketmaster, it is known that there have been attempts to establish contact, but the company did not respond.

Moreover, the hacks have been ongoing since April. That came up further in Mitiga’s investigation, as did alarming information about the scale of events: “It quickly became clear that the issue was much more extensive than initially thought, involved multiple organizations and attracted the attention of law enforcement agencies.”

Charting the extent of the hack is difficult. That’s because the hacked parties reported the incidents at very different times. Santander’s report, for example, rolled in first on May 14. Afterwards, it was quiet for a while until Ticketmaster reported an incident on May 29. Then things settled down until the most recent victim, Advance Auto Parts, was added a week later, on June 6. Thus, approximately every week and a half, a new incident becomes publicly known.

No brutal force

Obviously, the implications of the security incident are huge and most likely not even all known yet. On the security front, the incident does chart a larger trend. For example, it is increasingly common for cybercriminals to penetrate companies’ important online data stores via traditional login methods instead of breaking into them.

Companies can protect against that trend by securing passwords at multiple layers using MFA. While this security solution is not 100 percent safe from phishing attempts, it does ensure that hackers must take additional steps before breaking in. IP restrictions are another option, which checks for location before login is possible. Mitiga already recommended these things in internal communications to customers, as did installing brute force detection. Such tools identify suspicious activity in which login attempts from the same IP address are in rapid succession.

Actually, all should be part of solid cloud security. Often, a cloud provider also places part of the responsibility on the customer through an agreement. The customer must ensure that identity security is in order and that MFA is installed. In this regard, it can be said that the cloud provider does take stricter action against companies that fail to install these security things. However, Patrick Tiquet, vice president of security at Keeper Security, questions the feasibility of that approach at Dark Reading: “Each organization has unique security requirements and preferences, and uniform security measures can limit the flexibility and customization that customers expect from cloud services.”

Snowflake contradicts evidence

Snowflake, by the way, is throwing all communications on hold. The company is awaiting an internal investigation before clear communication is made. It does communicate that suspicious activity was discovered recently and that some of its customers may be affected.

Further, according to the company, Snowflake was not specifically targeted by hackers but rather a “targeted campaign aimed at users with single-factor authentication”. The incident is further described by the company as an isolated case that will not have many consequences. For example, the company states that a hacker allegedly gained access to a demo account of a former Snowflake employee. According to Snowflake, it contained no sensitive data and was not connected to Snowflake’s production or corporate systems.

The blog came in response to a claim by U.S. cybersecurity provider Hudson Rock that gathered evidence of Snowflake’s involvement. It involved a hard-hitting claim that data had been stolen from a Snowflake cloud database. Meanwhile, the blog in question with the claim has been taken offline.

However, indications of Snowflake’s involvement in the most recent attack on Advance Auto Parts are resurfacing. For example, the attack was allegedly possible through a Snowflake cloud storage account. Thus, the final word on the data cloud company’s involvement has not yet emerged.

Responsibility of victims

Regardless, Ticketmaster and Santander remain responsible for failing to implement proper identity security. A cloud provider passes this risk on to the customer. Those who lack it are easy victims for hackers, who increasingly simply log into corporate environments by stealing login credentials from a third party.

Also read: Hugging Face discovers potential breach in its Spaces platform