👾 Hackers Detail How They Allegedly Stole Ticketmaster Data From Snowflake 👾 Hackers who stole terabytes of data from Ticketmaster and other Snowflake customers claim they accessed some accounts by breaching a contractor, EPAM Systems, a Belarusian-founded firm. This breach potentially impacted 165 customer accounts, though only a few have been identified, including Santander and Ticketmaster. The hackers, known as ShinyHunters, used data from an EPAM employee system to access Snowflake accounts. They reportedly infected an EPAM worker's computer in Ukraine with info-stealer malware, gaining access to unencrypted usernames and passwords stored in a project management tool. This allowed them to infiltrate Snowflake accounts lacking multifactor authentication (MFA), leaving the victims vulnerable to attacks. EPAM denies involvement, suggesting the hacker's claims are fabricated. However, evidence includes EPAM credentials and internal URLs pointing to Ticketmaster's Snowflake account. Mandiant, a Google-owned security firm, confirmed that hackers used old data from info-stealers to access Snowflake accounts, with about 80% of victims compromised using previously stolen credentials. The breach serves as a stark reminder of the risks associated with third-party contractors and the pressing need for robust security measures, such as MFA. Snowflake is now diligently working on implementing MFA for its customers to significantly enhance account security. AGS Cyber takes cybersecurity seriously, considering each organization's unique needs. Contact us to inquire about our services - contact@agscyber.com https://lnkd.in/ezMzy4dR #cybercareers #cyberattacks #cyberdefence #hackers
AGS Cyber’s Post
-
👾 Hackers Detail How They Allegedly Stole Ticketmaster Data From Snowflake 👾 Hackers who stole terabytes of data from Ticketmaster and other Snowflake customers claim they accessed some accounts by breaching a contractor, EPAM Systems, a Belarusian-founded firm. This breach potentially impacted 165 customer accounts, though only a few have been identified, including Santander and Ticketmaster. The hackers, known as ShinyHunters, used data from an EPAM employee system to access Snowflake accounts. They reportedly infected an EPAM worker's computer in Ukraine with info-stealer malware, gaining access to unencrypted usernames and passwords stored in a project management tool. This allowed them to infiltrate Snowflake accounts lacking multifactor authentication (MFA), leaving the victims vulnerable to attacks. EPAM denies involvement, suggesting the hacker's claims are fabricated. However, evidence includes EPAM credentials and internal URLs pointing to Ticketmaster's Snowflake account. Mandiant, a Google-owned security firm, confirmed that hackers used old data from info-stealers to access Snowflake accounts, with about 80% of victims compromised using previously stolen credentials. The breach serves as a stark reminder of the risks associated with third-party contractors and the pressing need for robust security measures, such as MFA. Snowflake is now diligently working on implementing MFA for its customers to significantly enhance account security. AGS Cyber takes cybersecurity seriously, considering each organisation's unique needs. Contact me to inquire about our services. michele.leandro@agscyber.com https://lnkd.in/ezMzy4dR #cybercareers #cyberattacks #cyberdefence #hackers
Hackers Detail How They Allegedly Stole Ticketmaster Data From Snowflake
wired.com
-
Delivering Unrivaled Cybersecurity and Managed IT Solutions to Hedge Funds, Private Equity and Registered Investment Advisors
If you haven’t heard in the news yet, in a recent cyberattack, hackers targeted Snowflake, a major cloud storage firm, by first breaching a contractor of Snowflake’s, EPAM Systems. The sophisticated attack compromised data from prominent clients, including Ticketmaster and Santander. The stolen data included bank account details for 30 million customers, including 6 million account numbers and balances, 28 million credit card numbers, and human resources information about staff. 😱 The hackers, part of a group known as ShinyHunters, gained access by infecting an EPAM employee’s computer with malware which allowed them to steal unencrypted credentials stored in a project management tool. Imagine the surprise when EPAM discovered that these credentials provided direct access to Snowflake accounts because multi-factor authentication (MFA) was not enabled. This oversight turned out to be a significant vulnerability. The takeaway? Another incident underscoring the critical need to implement MFA, encrypt sensitive information, and have vigilant monitoring for malware in place. & a reminder that in cybersecurity, every link in the chain must be fortified, especially when third-party contractors are involved. So next time you complain about MFA - save your breath! You’re doing your part to safeguard valuable company data & information 🔐🔐 #cybersecurity #multifactorauthentication
Hackers Detail How They Allegedly Stole Ticketmaster Data From Snowflake
wired.com
-
Information Security Professional | Associate-CISSP | GCIA | GCIH | GSEC | GIAC Advisory Board x3 | Security+ | Pro Speaker | MBA Cyber Security & Global Supply Chain Mgt | Entrepreneur | Cryptography Enthusiast
Three things: 1. Third-party risk is crucial. 2. If MFA was required on Snowflake's side, it could have stopped or at the very least slowed down the attackers from gaining access. 3. What a chain of breaches the Snowflake breach has unfolded if only the basic security controls were in place! The hacker who spoke with WIRED says that a computer belonging to one of EPAM’s employees in Ukraine was infected with info-stealer malware through a spear-phishing attack. Once on the EPAM worker’s system, they installed a remote-access Trojan, giving them complete access to everything on the worker’s computer. Using this access, they say, they found unencrypted usernames and passwords that the worker used to access and manage EPAM customers’ Snowflake accounts, including an account for Ticketmaster. The hacker says the credentials were stored on the worker’s machine in a project management tool called Jira. The hackers were able to use those credentials, they say, to access the Snowflake accounts because the Snowflake accounts didn’t require multifactor authentication (MFA) to access them. https://lnkd.in/g8Rvnqq3
Hackers Detail How They Allegedly Stole Ticketmaster Data From Snowflake
wired.com
-
❄ The REAL STORY here is that the Snowflake public statements re: ongoing #cyber investigation DIFFER from the information provided by the hackers (#ShinyHunter). Who do we believe? Important takeaways from Kim Zetter's WIRED article:
❄ Third-PARTY Risk: Snowflake has not provided specific details on how the hackers accessed the accounts, only stating that the intruders did not directly breach Snowflake’s network. In contrast, the article reveals that #hackers accessed Snowflake accounts through compromised credentials found on an EPAM employee’s computer. (EPAM Systems is a publicly traded software engineering and digital services firm - if true, this is a perfect example of a third-party cyber incident.)
❄ Credential Management: The article highlights that the hackers found unencrypted usernames and passwords on the EPAM worker's system, stored in a project management tool called Atlassian Jira. Snowflake’s public statements did not mention this specific method of credential storage or its vulnerabilities.
❄ Scope and Impact: Snowflake has been more general about the number of affected accounts and the extent of the breach. The article provides more specific examples, including the impact on Ticketmaster, Santander, Lending Tree, and Advance Auto Parts, and mentions the potential involvement of 165 customer accounts.
❄ Security Measures and Investigations: The article includes comments from EPAM Systems denying their involvement and suggesting misinformation, whereas Snowflake's statements have been more focused on their internal investigations and measures to improve security post-breach.
The key differences lie in the specificity and details provided by the hackers and covered in the article, compared to the more general and less detailed statements from Snowflake (which is exactly as an attorney would advise). But with an ongoing cyber incident... anything is possible. We'll see where this story goes next! https://lnkd.in/g6QyYb_4
Hackers Detail How They Allegedly Stole Ticketmaster Data From Snowflake
wired.com
-
wired has additional details about how ShinyHunters allegedly accessed customer data on Snowflake. if true, there are some insanely terrible cyber security practices from the Belarusian-founded contractor who was ostensibly breached, leading to ShinyHunters being able to access Ticketmaster data on Snowflake
- an EPAM Systems employee had their computer infected with a commodity information stealer. these tools generally harvest usernames, passwords, cookies, and other machine data automagically and in real-time. in some cases, the threat actor is stealing the data for their own usage. in others, the credential packs are sold on dark web markets like Russian Market, and a myriad of other sites. malware like Lumma, Redline, Raccoon Stealer, and a few others are the most widely used info stealers in 2024
- multi-factor authentication (MFA) was *sigh* not enabled on the targeted Snowflake accounts. why oh why are enterprises not *forcing* MFA on all their applications, particularly SaaS and cloud-based file storage tools? this is a huge security #fail right here!
- the aforementioned EPAM Systems employee had *plaintext* usernames and passwords stored in Jira *facepalm*. tools like 1Password and LastPass exist for this very reason. who in their right mind stores login credentials in Jira? this is a mind-boggling #securityfail
this breach underscores the severe security risks inherent in relying on third-party contractors and supply chain relationships. it is crucial to comprehensively assess the security posture of every company you engage with, especially those handling and/or storing your sensitive data. without a clear understanding of contractor and sub-contractor relationships, you cannot accurately gauge the true risk level to your organization or the additional risk assumed through these partnerships.
once again, i cannot help but harp on the missing MFA. whenever i sign up for a new online service, literally the first thing i do after completing the initial login is to turn on MFA, or two-step authentication if MFA is unavailable. if supported, i also configure the service to use a hardware token, like a yubikey. there is no excuse for not enabling MFA other than sheer laziness, security stupidity, or gross negligence.
lastly, if credentials were harvested through an information stealer, this begs the question: was the work being completed on a home computer *or* is the security posture of this contractor’s corporate machines so bad they were using endpoint technology incapable of detecting commodity malware? this debacle epitomizes a staggering level of incompetence and disregard for basic cyber security practices, serving as a stark reminder that the weakest link in the chain can devastate even the most robust systems #threatintelligence #cybersecurity #breach #hack #cyberattack
Hackers Detail How They Allegedly Stole Ticketmaster Data From Snowflake
wired.com
-
How did Ticketmaster get breached? It was a litany of bad #cybersecurity practices:
- Customer data was stored in Snowflake.
- Software engineering services (that require access to the Snowflake account) were contracted out to EPAM.
- One of the staff computers at EPAM was breached.
- Due to the poor cybersecurity practices of that staff member, his breached computer gave hackers the passwords to breach Ticketmaster's Snowflake account: ❝The hacker says the credentials were stored on the worker’s machine in a project management tool called Jira. The hackers were able to use those credentials, they say, to access the Snowflake accounts because the Snowflake accounts didn’t require multifactor authentication (MFA) to access them.❞
- Then Ticketmaster got breached.
Hackers Detail How They Allegedly Stole Ticketmaster Data From Snowflake
wired.com
-
Attackers are very good at finding, understanding, and leveraging a company's attack surface to gain access. 🌐🔍 In the case of Snowflake, which affected Ticketmaster and over 165 companies in total, attackers did just that. They identified and leveraged a third-party contractor to gain access, and they gained access to that third-party contractor through an employee, using data and information to conduct the identification and infiltration. The overall attack surface is much larger than most people think. It’s not just your organization, but also your clients, vendors, employees, and their families. Additionally, it includes the teams and families of clients and vendors. The more exposed a third party's attack surface is, the more you are exposed directly. Start taking proactive action to reduce your attack surface and vet partners to ensure they are doing the same. 🛡️🔒 #freeze #attacksurface #security #cybersecurity #data #privacy https://lnkd.in/e55sGif9
Hackers Detail How They Allegedly Stole Ticketmaster Data From Snowflake
wired.com
-
Technical Consultant @ TLPTech | Network Administration, Computer Networking | CompTIA Network+ and Microsoft Certified
A critical thinking point for any business, and another example of why cybersecurity should be at the top of every business's agenda, is the recent Ticketmaster hack. Initial findings suggest it was a supply chain attack targeting one of Ticketmaster's contractors. From there, the attackers pivoted several times, ultimately gaining access to the sensitive data they were after. While we do not have full details yet, and those provided are perhaps unverified, it seems the hackers gained access to the contractor through a spear phishing campaign. The key takeaway is clear: Employee Training. Educate your staff about cybersecurity best practices and phishing scams. It’s the simplest way into a business and one of the easiest to narrow the gap with consistent, good communication to and from employees on what to expect and how to avoid phishing attempts. Read more about the incident here: https://lnkd.in/eir2ZniA #Cybersecurity #SupplyChainSecurity #DataProtection #ITSecurity #TechTips #BusinessSafety #TicketmasterHack
Hackers Detail How They Allegedly Stole Ticketmaster Data From Snowflake
wired.com
-
Triage Tech@Applied Tech | Secret Clearance | Security Plus | Veteran | Cybersecurity | ITIL4 Certified | Professional | Let's Connect | Aspiring Cyber Professional
💻 Hackers Detail How They Allegedly Stole Ticketmaster Data From Snowflake 📈 Hacking is at an all-time high, and the recent breach involving Ticketmaster's data from their Snowflake cloud account underscores the urgency of robust cybersecurity measures. ShinyHunters reportedly accessed sensitive information by breaching a third-party contractor, highlighting the critical need for comprehensive security across all partnerships. 🌐 ⚔ As cyber threats evolve, so must our defenses. Stay vigilant, prioritize security, and ensure every link in your supply chain is fortified. 🛡 #Veterans #CyberSecurity #DataProtection #StaySafe #TechSecurity
Hackers Detail How They Allegedly Stole Ticketmaster Data From Snowflake
wired.com
-
In late May of 2023 there was a major exploit reaping data from a widely used file transfer service, MOVEit. The repercussions from the data leaks are still being revealed, but data from hundreds of thousands of users across many organizations was leaked to a group of Russian hackers. Since we are in the business of secure file transfer, we spent some time examining what happened, to make sure it couldn't happen to us. The exploit was accomplished by an old technique - SQL injection - where an attacker constructs an SQL query and inserts it into an improperly sanitized field of a web form. The failure to sanitize the input fields was MOVEit's sin, but the magnitude of the data leak came from the fact that organizations were using MOVEit as an infrastructure to provide database access to the internet. This is not a file transmission function, it's a cloud infrastructure function. secure-transmit will never leak data about hundreds of thousands of users, because secure-transmit follows a strict design methodology that ensures that every record is encrypted with its own key. There is no database query that can deliver data about more than one user, and that data will always be encrypted with a key that secure-transmit has to receive from the user. Furthermore, secure-transmit never provides a direct interface to its underlying database to any https interface. Finally, secure-transmit only supplies the data to be transmitted to an enumerated list of correspondents, whose identities are established by multi-factor authentication. If a correspondent's proofs of identity and email security are so compromised that a hacker can successfully provide stolen claimchecks and spoof their identity, a complete record of the data theft will appear in the activity records. secure-transmit's internal structure was designed so that even full access to secure-transmit's servers and credentials will not allow an attacker to gain access to unencrypted user data or metadata. 
The MOVEit exploit does provide a useful cautionary example, however. Many of the users affected by the data leak did not even know that they were using the MOVEit infrastructure. secure-transmit utilizes several critical pieces of infrastructure. Furthermore, our users are dependent on the integrity of the secure-transmit code itself. As a result of reviewing the MOVEit exploit, we are instituting automated checks to ensure the integrity of our infrastructure and code. This should make us less vulnerable to an adversary corrupting our necessary infrastructure, or back-dooring our application. We're doing our best to be paranoid enough for the both of us because at secure-transmit, your business is none of our business - or anyone else's.
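An added illustration of the per-record-key design the post above describes (this is not secure-transmit's own code; the stream cipher is a stdlib-only stand-in for a real AEAD such as AES-GCM, and the table layout, iteration count and sample records are assumptions). Every record is encrypted under a key derived from a secret only the user supplies, reads are parameterized and scoped to one user, and a full table dump, whether by a stolen database credential or an injected query, returns only ciphertext.

```python
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 200_000  # PBKDF2 work factor; assumed value for this demo


def derive_record_key(user_secret: bytes, salt: bytes) -> bytes:
    """One key per record: same user secret, different salt, different key."""
    return hashlib.pbkdf2_hmac("sha256", user_secret, salt, ITERATIONS, dklen=32)


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy counter-mode stream cipher built from SHA-256 so the demo runs offline;
    a production system would use AES-GCM or ChaCha20-Poly1305 instead."""
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


def open_store() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")  # constructed in-memory table for the demo
    conn.execute("CREATE TABLE records (user_id TEXT PRIMARY KEY, salt BLOB, nonce BLOB, ct BLOB, tag BLOB)")
    return conn


def store_record(conn, user_id: str, user_secret: bytes, plaintext: bytes) -> None:
    """Encrypt-then-MAC one record under a fresh per-record key; the server never keeps user_secret."""
    salt, nonce = os.urandom(16), os.urandom(16)
    key = derive_record_key(user_secret, salt)
    ct = keystream_xor(key, nonce, plaintext)
    tag = hmac.new(key, nonce + ct, "sha256").digest()
    # Parameterized INSERT: user-controlled values never become part of the SQL text.
    conn.execute("INSERT INTO records VALUES (?, ?, ?, ?, ?)", (user_id, salt, nonce, ct, tag))


def fetch_record(conn, user_id: str, user_secret: bytes):
    """Single-user, parameterized read; returns None for a missing row, wrong secret or tampering."""
    row = conn.execute("SELECT salt, nonce, ct, tag FROM records WHERE user_id = ?", (user_id,)).fetchone()
    if row is None:
        return None
    salt, nonce, ct, tag = row
    key = derive_record_key(user_secret, salt)
    if not hmac.compare_digest(hmac.new(key, nonce + ct, "sha256").digest(), tag):
        return None
    return keystream_xor(key, nonce, ct)


def dump_all(conn) -> list:
    """What an attacker with full database access (or a row-returning injection) obtains."""
    return conn.execute("SELECT user_id, ct FROM records").fetchall()
```

Because the user secret never reaches the database, dump_all yields rows that cannot be decrypted server-side, which is the property that bounds a query-level compromise to zero plaintext rather than to every user.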