Last week, the infamous hacker gang ShinyHunters sent shockwaves across the globe by allegedly plundering 1.3 terabytes of data from 560 million Ticketmaster customers. This colossal breach, offered for sale with a price tag of $500,000, could expose the personal information of a large swath of the live event company's clientele, igniting a firestorm of concern and outrage.
A massive data breach
Let's review the facts. Live Nation has formally confirmed the breach in an 8-K filing with the SEC. According to the document, on May 20 the company "identified unauthorized activity within a third-party cloud database environment containing Company data," primarily from the Ticketmaster subsidiary. The filing states that Live Nation launched an investigation and is cooperating with law enforcement. So far, the company does not believe that the breach will have a material impact on its business operations.
It is noteworthy that the same group of hackers is also offering data purportedly from Santander. According to the claims, the stolen data contains confidential information belonging to millions of Santander employees and customers. The bank confirmed that "a database hosted by a third-party provider" was accessed, resulting in data leaks for customers in Chile, Spain and Uruguay, as well as for all current and some former Santander employees.
The cloud connection
What could link these two breaches is the cloud data company Snowflake, which counts both Santander and Live Nation/Ticketmaster among its customers. Ticketmaster did confirm that the stolen database was hosted by Snowflake.
Snowflake published a joint warning with CISA, indicating a "recent increase in cyber threat activity targeting customer accounts on its cloud data platform." Snowflake recommended that customers query their account logs for unusual activity and conduct further analysis to prevent unauthorized user access.
In a separate communique, Snowflake CISO Brad Jones was clear that the Snowflake platform itself was not breached. According to Jones, "this appears to be a targeted campaign directed at users with single-factor authentication," and the threat actors leveraged credentials previously obtained through various methods.
Snowflake also listed some recommendations for all customers: enforce multi-factor authentication (MFA) on all accounts, set up network policy rules so that the cloud environment accepts connections only from pre-set trusted locations, and reset and rotate Snowflake credentials.
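The log review and the network-policy recommendation above translate directly into Snowflake SQL. The following is an added example written for this page, not code from the article, from Snowflake or from CISA; the CIDRs, the user name `security_admin` and the policy name `corp_only` are placeholders, and it assumes a role with access to the `SNOWFLAKE.ACCOUNT_USAGE` views (ACCOUNTADMIN or a role granted `IMPORTED PRIVILEGES` on the `SNOWFLAKE` database).

```sql
-- Added example (not from the article, Snowflake or CISA): hunting for the
-- pattern Snowflake warned about in SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY,
-- then restricting where logins may come from. ACCOUNT_USAGE views lag live
-- events by up to about two hours, so also check the live view with
-- TABLE(INFORMATION_SCHEMA.LOGIN_HISTORY()) during an incident.

-- 1. Successful logins in the last 7 days that used only a password and no
--    second factor. Every row is an account a stolen password still works
--    against; sorting by distinct source IPs surfaces accounts being sprayed.
SELECT
    user_name,
    COUNT(*)                                 AS logins,
    COUNT(DISTINCT client_ip)                AS distinct_ips,
    MIN(event_timestamp)                     AS first_seen,
    MAX(event_timestamp)                     AS last_seen,
    ARRAY_AGG(DISTINCT reported_client_type) AS client_types
FROM snowflake.account_usage.login_history
WHERE event_timestamp >= DATEADD(day, -7, CURRENT_TIMESTAMP())
  AND is_success = 'YES'
  AND first_authentication_factor = 'PASSWORD'
  AND second_authentication_factor IS NULL
GROUP BY user_name
ORDER BY distinct_ips DESC, logins DESC;

-- 2. New source addresses: IPs that logged in successfully in the last 24
--    hours but never did so in the 90 days before that. Commercial VPN exit
--    nodes used by an attacker show up here as first-time addresses.
WITH known AS (
    SELECT DISTINCT client_ip
    FROM snowflake.account_usage.login_history
    WHERE is_success = 'YES'
      AND event_timestamp BETWEEN DATEADD(day, -90, CURRENT_TIMESTAMP())
                              AND DATEADD(day, -1,  CURRENT_TIMESTAMP())
)
SELECT l.event_timestamp, l.user_name, l.client_ip,
       l.reported_client_type, l.first_authentication_factor
FROM snowflake.account_usage.login_history l
LEFT JOIN known k ON k.client_ip = l.client_ip
WHERE l.event_timestamp >= DATEADD(day, -1, CURRENT_TIMESTAMP())
  AND l.is_success = 'YES'
  AND k.client_ip IS NULL
ORDER BY l.event_timestamp;

-- 3. Restrict the account to trusted egress ranges. The CIDRs are
--    placeholders from the documentation ranges; apply the policy to a
--    single admin user first, because a typo in the allow-list locks out
--    everyone, including the person fixing it.
CREATE NETWORK POLICY corp_only
    ALLOWED_IP_LIST = ('203.0.113.0/24', '198.51.100.10')
    COMMENT = 'Office and corporate VPN egress only';
ALTER USER security_admin SET NETWORK_POLICY = corp_only;  -- canary user first
ALTER ACCOUNT SET NETWORK_POLICY = corp_only;              -- then the whole account
```

Query 1 is the one to run first: with SAML SSO in place, a human user's `first_authentication_factor` is `SAML2_ASSERTION`, so any `PASSWORD` rows with no second factor are accounts that still have a username/password path open, which is exactly the population the campaign targeted.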
Simplifying cybersecurity
We tend to romanticize cybersecurity, and it is indeed an incredibly difficult and complex discipline within IT. However, not all cybersecurity challenges are equally hard. The guidance offered by Snowflake really makes this point: MFA is a must. It is an incredibly effective tool against a wide range of cyberattacks, including credential stuffing.
Research by the cloud security company Mitiga claims the Snowflake incidents are part of a campaign in which a threat actor uses stolen customer credentials to target organizations using Snowflake databases. According to the published research, "the threat actor primarily exploited environments lacking two-factor authentication," and the attacks typically originated from commercial VPN IPs.
Policies are only as effective as their implementation and enforcement. Technologies like corporate single sign-on (SSO) and MFA may be in place but not actually enforced across all environments and users. There should be no possibility for users to authenticate with a username and password outside of SSO to reach any corporate resource. The same is true for MFA: instead of self-enrollment, it should be mandatory for all users across all systems and all environments, including cloud and third-party services.
Are you in full control?
There is no cloud, it's just someone else's computer, as the old saying goes. And while you (and your organization) do enjoy a lot of access to that computer's resources, ultimately that access is never complete, a limitation inherent to cloud computing. Multi-tenant cloud technologies achieve economies of scale by limiting what a single customer can do on that "computer", and that sometimes includes the ability to implement security.
A case in point is automatic password rotation. Modern privileged access management tools like One Identity Safeguard can rotate passwords after each use. This makes them effectively single-use and immunizes the environment against credential stuffing attacks, but also against more sophisticated threats like keyloggers, which were used in the LastPass hack. However, the API that enables this feature needs to exist on the platform. Snowflake does provide the interface to update user passwords, so it was up to the customer to use it and rotate passwords on a usage-based or time-based schedule.
When choosing where to host business-critical data, make sure that the platform exposes these APIs to privileged identity management and lets you bring the new environment under your corporate security umbrella. MFA, SSO, password rotation and centralized logging should all be base requirements in this threat landscape, as these features allow the customer to protect the data on their end.
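The enforcement point made under "Simplifying cybersecurity" (no username/password path outside SSO, MFA for everyone) and the rotation interface discussed just above both come down to a handful of `ALTER USER` statements. Below is an added example written for this page, not code from the article, One Identity or Snowflake; the user `jane_doe`, the policy name `sso_or_keypair` and the placeholder password are assumptions, and the authentication-policy statements in step 2b use a Snowflake feature that post-dates the article, with syntax taken from the current documentation.

```sql
-- Added example (not from the article, One Identity or Snowflake): closing
-- the password-only gap and rotating credentials through Snowflake's own
-- SQL interface. Run as SECURITYADMIN or higher. Names are placeholders.

-- 1. Inventory: enabled users that still carry a password and are not
--    enrolled in MFA. SHOW USERS cannot take a WHERE clause, so read its
--    result back through RESULT_SCAN (SHOW columns are lowercase and must
--    be double-quoted).
SHOW USERS;
SELECT "name", "login_name", "has_password", "ext_authn_duo",
       "has_rsa_public_key", "last_success_login"
FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
WHERE "disabled" = 'false'
  AND "has_password" = 'true'
  AND "ext_authn_duo" = 'false'
ORDER BY "last_success_login" NULLS FIRST;   -- never-used accounts first

-- 2. Humans come in through SSO only. Removing the password leaves no
--    username/password path to stuff, regardless of MFA enrollment state.
ALTER USER jane_doe UNSET PASSWORD;

-- 2b. Account-wide equivalent with an authentication policy (newer feature;
--     syntax per current Snowflake docs): only SAML assertions and key
--     pairs may authenticate, so a leaked password is useless even on an
--     account that still has one.
CREATE AUTHENTICATION POLICY sso_or_keypair
    AUTHENTICATION_METHODS = ('SAML', 'KEYPAIR');
ALTER ACCOUNT SET AUTHENTICATION POLICY sso_or_keypair;

-- 3. Rotation through the same interface a PAM tool would call. Setting a
--    new password invalidates the old one immediately; MUST_CHANGE_PASSWORD
--    forces another change at next login so the rotated value is itself
--    short-lived. Running work under the old credential is stopped with
--    ABORT ALL QUERIES.
ALTER USER jane_doe SET PASSWORD = '<value-generated-by-the-vault>'
                     MUST_CHANGE_PASSWORD = TRUE;
ALTER USER jane_doe ABORT ALL QUERIES;

-- 4. Verify: after the change, this user should show no successful login
--    whose first factor is PASSWORD without a second factor, and any
--    session opened before the rotation can be reviewed in SESSIONS.
SELECT event_timestamp, client_ip, first_authentication_factor,
       second_authentication_factor, is_success
FROM snowflake.account_usage.login_history
WHERE user_name = 'JANE_DOE'
  AND event_timestamp >= DATEADD(hour, -24, CURRENT_TIMESTAMP())
ORDER BY event_timestamp DESC;

SELECT session_id, created_on, authentication_method, client_application_id
FROM snowflake.account_usage.sessions
WHERE user_name = 'JANE_DOE'
  AND created_on >= DATEADD(hour, -24, CURRENT_TIMESTAMP())
ORDER BY created_on DESC;
```

Step 1 is the audit that tells you whether "MFA is in place" is actually true for every account; step 2 is what makes the username/password path go away rather than merely being discouraged, which is the difference between a policy and an enforced policy.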
The non-human identity
One distinctive aspect of modern technology is the non-human identity. For example, RPA (robotic process automation) tools and service accounts are trusted to perform certain tasks on the database. Protecting these identities is an interesting challenge, as out-of-band mechanisms like push notifications or TOTP tokens are not feasible for service account use cases.
Non-human accounts are valuable targets for attackers, as they usually hold very powerful permissions in order to perform their tasks. Protecting their credentials should always be a priority for security teams. Snowflake relies on a multitude of service accounts to operate the solution and has published a series of blog posts on how to protect these accounts and their credentials.
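Since a service account cannot answer a push prompt, the practical substitute on Snowflake is key-pair authentication with no password at all, a source-address pin, and a rotation procedure that never leaves the account without a valid key. The following is an added example written for this page, not code from the article or from Snowflake's blog series; the user `svc_rpa_loader`, the role, the host address and the truncated key bodies are placeholders, and `TYPE = SERVICE` is a newer Snowflake user type whose syntax is taken from the current documentation. The key pair is generated outside Snowflake (for instance with `openssl`) and only the public half, as the PEM body without the BEGIN/END lines, is stored on the user.

```sql
-- Added example (not from the article or Snowflake): a non-human Snowflake
-- identity that can only authenticate with its key pair, is pinned to the
-- automation host, and is rotated without downtime. All names, the address
-- and the key material are placeholders.

-- 1. Dedicated user with no password: there is nothing to stuff.
--    TYPE = SERVICE (newer feature) marks it as non-human, so it is not
--    subject to the MFA prompts meant for people.
CREATE USER svc_rpa_loader
    TYPE = SERVICE
    DEFAULT_ROLE = rpa_loader_role
    RSA_PUBLIC_KEY = 'MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A...'   -- placeholder PEM body
    COMMENT = 'RPA loader; owner: data-platform team';
GRANT ROLE rpa_loader_role TO USER svc_rpa_loader;

-- 2. Pin the account to the automation host. A user-level network policy
--    takes precedence over the account-level one, so the service account
--    does not inherit the broader office/VPN allow-list that humans use.
CREATE NETWORK POLICY rpa_host_only ALLOWED_IP_LIST = ('192.0.2.15');
ALTER USER svc_rpa_loader SET NETWORK_POLICY = rpa_host_only;

-- 3. Zero-downtime key rotation: Snowflake holds two public keys per user.
--    Install the new key in the second slot, redeploy the matching private
--    key to the RPA host, confirm a login, then remove the old key. Both
--    keys are valid during the switch, so the job never fails to connect.
ALTER USER svc_rpa_loader SET RSA_PUBLIC_KEY_2 = 'MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8B...';  -- placeholder, new key
-- ... redeploy the new private key and verify the RPA tool connects ...
ALTER USER svc_rpa_loader UNSET RSA_PUBLIC_KEY;
-- The next rotation goes the other way: SET RSA_PUBLIC_KEY, then UNSET RSA_PUBLIC_KEY_2.

-- 4. Prove the rotation took: the fingerprint Snowflake reports must match
--    the one computed locally from the public key now in use, and the old
--    slot must be empty.
DESCRIBE USER svc_rpa_loader;
SELECT "property", "value"
FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
WHERE "property" IN ('RSA_PUBLIC_KEY_FP', 'RSA_PUBLIC_KEY_2_FP', 'TYPE');

-- 5. Detect misuse: any login for this user that did not use the key pair,
--    or did not come from the pinned host, is an incident by definition.
SELECT event_timestamp, client_ip, first_authentication_factor,
       reported_client_type, is_success, error_message
FROM snowflake.account_usage.login_history
WHERE user_name = 'SVC_RPA_LOADER'
  AND (first_authentication_factor <> 'RSA_KEYPAIR'
       OR client_ip <> '192.0.2.15')
ORDER BY event_timestamp DESC;
```

The point of step 5 is that a service account's legitimate behaviour is narrow and fully known in advance (one authentication method, one source address, one client), so a detection rule for it can be exact rather than statistical, which is rarely true for human accounts.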
It's all about the cost
Cybercriminals follow a brutally simple logic: maximize profit by automating mass attacks and targeting large pools of victims with simple but effective methods. Credential stuffing attacks, like the type of attack used against Snowflake tenants, are among the most cost-effective attack methods, the 2024 equivalent of email spam. And, in line with their low cost, they should be almost 100% ineffective. The fact that at least two major organizations lost a significant amount of critical data paints a bleak picture of the current state of global cybersecurity.
Conclusion
By implementing simple controls like SSO, MFA and password rotation, the cost of large-scale attacks becomes prohibitive. While this does not mean that targeted attacks won't succeed, or that attacks by advanced persistent threats (APTs) that are not profit-driven will be completely deterred, it does make mass attacks through this attack vector unfeasible, making everyone a bit safer.