
Ticketmaster incident shows: Attackers no longer break in, but log in

Ticketmaster, Santander and Advance Auto Parts are believed to have had customer data stolen by the same hacker. At this point it is hard not to conclude that the attacks are linked, which suggests that the attacker found an entry point via a third party. The evidence leads security specialists to believe that Snowflake may be that third party.

A hacker used a tool he developed himself to gain access to Snowflake online areas that are not protected by 2FA. This is the result of an investigation by cloud security solutions provider Mitiga. These online areas do not contain just any information: for example, it is possible to view Snowflake customers’ login data and databases. The hacker (tracked as UNC5537) then misused these login data to simply log into Snowflake customers’ protected environments.

This is how customer data from Ticketmaster, Santander and Advance Auto Parts was stolen. Across these three companies, the number of victims already amounts to 970 million. The hardest hit are Ticketmaster with 560 million affected customers and Advance Auto Parts with 380 million victims. Sensitive data is at stake, including credit card details, employee information and customer card numbers.

There are probably more victims

It is also not yet clear which other Snowflake customers the hacker obtained login data from. Given that Snowflake has more than 9,000 customers, it would not be surprising if more victims came forward in the coming weeks. Mitiga does, however, know the following: “UNC5537 blackmailed organizations directly and put them under additional pressure by publicly offering stolen data for sale in hacker forums.” People close to Ticketmaster know that attempts were made to contact the company, but it did not respond.

In addition, the hacker attacks have been going on since April. This came to light during Mitiga’s investigation, as well as alarming information about the extent of the events: “It quickly became clear that the problem was much more extensive than initially thought, affecting multiple organizations and attracting the attention of law enforcement authorities.”

It is difficult to trace the extent of the hack because the hacked parties reported the incidents at very different times. For example, Santander’s report was received first on May 14. After that, things were quiet for a while until Ticketmaster reported an incident on May 29. Then things calmed down until the latest victim, Advance Auto Parts, was added a week later, on June 6. So a new incident is made public about every week and a half.

No brute force

Obviously, the impact of the security incident is huge and most likely not even fully known yet. In terms of security, the incident reflects a larger trend: cybercriminals increasingly gain access to companies’ important online data stores through ordinary logins with stolen credentials rather than by breaking in.

Companies can protect themselves against this trend by adding multi-factor authentication (MFA) on top of passwords. While this control is not 100% safe from phishing attempts, it forces attackers to take extra steps before they can get in. Another option is IP restrictions that check the source location before a login is permitted. Mitiga has already recommended these measures in internal communications with customers, along with installing brute-force detection. Such tools identify suspicious activity in which login attempts from the same IP address occur in quick succession.
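As an added illustration (not code from the article, Mitiga or Snowflake), the following Python sketch applies the two detection ideas above to constructed log lines: it flags a source IP that makes many login attempts inside a short window, and it lists successful logins that completed with only a single factor. The log format and field names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log lines (not from any real system). Assumed format:
# "<ISO timestamp> ip=<addr> user=<name> result=<success|failure> mfa=<yes|no>"
SAMPLE_LOG = """\
2024-05-20T10:00:01 ip=203.0.113.7 user=alice result=failure mfa=no
2024-05-20T10:00:03 ip=203.0.113.7 user=bob result=failure mfa=no
2024-05-20T10:00:04 ip=203.0.113.7 user=carol result=failure mfa=no
2024-05-20T10:00:06 ip=203.0.113.7 user=dave result=success mfa=no
2024-05-20T10:00:08 ip=203.0.113.7 user=erin result=failure mfa=no
2024-05-20T11:15:00 ip=198.51.100.9 user=frank result=success mfa=yes
2024-05-20T12:30:00 ip=198.51.100.9 user=frank result=success mfa=no
"""

LINE_RE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(\S+) mfa=(\S+)$")


def parse(log):
    """Turn raw lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, ip, user, result, mfa = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "ip": ip, "user": user,
                       "success": result == "success", "mfa": mfa == "yes"})
    return events


def burst_sources(events, threshold=5, window=timedelta(seconds=60)):
    """Return IPs with at least `threshold` attempts (any outcome) inside a sliding window."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["ip"]].append(e["ts"])
    flagged = set()
    for ip, stamps in by_ip.items():
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1  # slide the window forward past old attempts
            if end - start + 1 >= threshold:
                flagged.add(ip)
                break
    return flagged


def single_factor_successes(events):
    """Successful logins that completed without MFA: the exposure the campaign exploited."""
    return [(e["user"], e["ip"]) for e in events if e["success"] and not e["mfa"]]
```

Run against the constructed log, the burst detector flags only 203.0.113.7 (five attempts in seven seconds), while the single-factor list surfaces both that source's one successful login and frank's later non-MFA login from an otherwise quiet address.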

Really, this should all be part of solid cloud security. Often, a cloud provider also transfers part of the responsibility to the customer through an agreement: the customer must ensure that identity security is in order and that MFA is in place. In this respect, one could argue that the cloud provider should be stricter with companies that do not implement these controls. However, Patrick Tiquet, vice president of security at Keeper Security, questions the viability of this approach at Dark Reading: “Every organization has unique security needs and preferences, and one-size-fits-all security measures can limit the flexibility and customization that customers expect from cloud services.”

Snowflake contradicts evidence

Snowflake, by the way, has stopped all communications. The company is waiting for an internal investigation before making a clear statement. It says that suspicious activity has recently been discovered and that some of its customers may be affected.

The company also says that Snowflake itself was not the target of a hacker attack, but rather that this was a “targeted campaign aimed at users with single-factor authentication.” The company further describes the incident as an isolated case that will not have major consequences. It states that a hacker allegedly gained access to a demo account belonging to a former Snowflake employee. According to Snowflake, this account did not contain any sensitive data and was not connected to Snowflake’s production or corporate systems.

Snowflake’s statement was a response to a claim made by US cybersecurity provider Hudson Rock, which had been gathering evidence of Snowflake’s involvement. Hudson Rock’s blog post contained the stark allegation that data had been stolen from a Snowflake cloud database. That blog post has since been taken offline.

However, there are repeated indications that Snowflake was involved in the recent attack on Advance Auto Parts. For example, the attack was allegedly possible via a Snowflake cloud storage account. A final verdict on the data cloud company’s involvement has not yet been made.

Responsibility of the victims

Regardless, Ticketmaster and Santander remain responsible for failing to implement adequate identity security. A cloud provider passes this risk on to the customer. Those who fail to act on it are easy prey for hackers, who are increasingly able to log into corporate environments simply by using credentials stolen from third parties.
