Snowflake’s customer data leaks make 2024 the year of identity siege

Identities are a best seller on the dark web and are proving to be the fuel that drives billions of dollars in fraud yearly. Santander, TicketMaster, Snowflake and, most recently, Advance Auto Parts, LendingTree and its subsidiary QuoteWizard show how quickly attackers refine their methods to exploit organizations’ security weaknesses. TechCrunch has confirmed that hundreds of Snowflake customers' passwords found online are linked to information-stealing malware. Snowflake's decision to make multi-factor authentication (MFA) optional rather than mandatory has partly contributed to the identity siege its hacked customers are experiencing today.

Cybercrime gangs, organizations, and nation-states are so confident in their ability to carry out identity theft that they reportedly communicate with cybercrime information providers over Telegram to share the details. The latest incident reflecting this growing trend involves cybercrime information provider Hudson Rock, which published a detailed blog post on May 31 describing how threat actors successfully breached Snowflake, claiming to have had a Telegram conversation with the threat actor who also breached Santander Bank and TicketMaster.

Their now-deleted blog post explained how the threat actor was able to log into a Snowflake employee's ServiceNow account using stolen credentials to bypass Okta. Once inside Snowflake's systems, the attackers generated session tokens that allowed them to move undetected through Snowflake's systems and exfiltrate massive amounts of data, according to the blog post.

One-factor authentication is a magnet for attacks

Snowflake configures its platform with one-factor authentication by default. Snowflake's documentation states: “By default, MFA is not enabled for individual Snowflake users. If you wish to use MFA for more secure login, you must enroll using the Snowflake web interface.” CrowdStrike, Mandiant and Snowflake found evidence of a targeted campaign aimed at users who have only one-factor authentication enabled. According to a community forum update on June 2, threat actors “leverage credentials previously purchased or obtained through info-stealing malware.” CISA has also issued an alert for all Snowflake customers.

Snowflake, CrowdStrike, and Mandiant determined that the attackers obtained the personal credentials of a former Snowflake employee to access demo accounts. The demo accounts did not contain any sensitive data and were not connected to Snowflake's production or enterprise systems. Access was gained because the demo account was not behind Okta or multi-factor authentication (MFA), unlike Snowflake's enterprise and production systems. Snowflake's latest community forum update states that there is no indication that the customer breaches were caused by a vulnerability, misconfiguration, or breach of the Snowflake platform.
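The two conditions described above, accounts that never enrolled a second factor and successful password-only logins from credentials an infostealer may have harvested, are exactly what a tenant owner can audit from the platform's own login records. The script below is an added example, not VentureBeat's or Snowflake's code. It runs over constructed sample rows whose field names are an assumption modelled on the columns of Snowflake's SNOWFLAKE.ACCOUNT_USAGE LOGIN_HISTORY and USERS views (HAS_MFA, FIRST_AUTHENTICATION_FACTOR, SECOND_AUTHENTICATION_FACTOR and so on); verify the names against your own account before pointing it at a real export. The user names, IPs and timestamps are invented.

```python
"""Audit Snowflake-style login records for single-factor access.

Added example (not VentureBeat's or Snowflake's code). Row shapes are an
assumption modelled on the columns of SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY
and SNOWFLAKE.ACCOUNT_USAGE.USERS; sample rows are constructed, not real.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class LoginEvent:
    event_timestamp: datetime
    user_name: str
    client_ip: str
    reported_client_type: str
    first_authentication_factor: str             # PASSWORD, SAML2_ASSERTION, RSA_KEYPAIR, ...
    second_authentication_factor: Optional[str]  # e.g. DUO_PUSH, or None when no MFA ran
    is_success: bool


@dataclass(frozen=True)
class UserRecord:
    name: str
    has_mfa: bool
    disabled: bool


def _t(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Constructed sample rows (invented names, RFC 5737 documentation IPs).
SAMPLE_USERS: List[UserRecord] = [
    UserRecord("alice", has_mfa=True, disabled=False),
    UserRecord("bob", has_mfa=False, disabled=False),
    UserRecord("demo_svc", has_mfa=False, disabled=False),  # demo account, never enrolled
    UserRecord("carol", has_mfa=False, disabled=True),      # disabled: not a live risk
]

SAMPLE_LOGINS: List[LoginEvent] = [
    LoginEvent(_t("2024-05-20 09:00"), "alice", "203.0.113.10", "SNOWFLAKE_UI", "PASSWORD", "DUO_PUSH", True),
    LoginEvent(_t("2024-05-20 09:05"), "bob", "203.0.113.20", "SNOWFLAKE_UI", "PASSWORD", None, True),
    LoginEvent(_t("2024-05-20 14:30"), "bob", "198.51.100.77", "PYTHON_DRIVER", "PASSWORD", None, True),
    LoginEvent(_t("2024-05-21 02:00"), "demo_svc", "198.51.100.77", "JDBC_DRIVER", "PASSWORD", None, True),
    LoginEvent(_t("2024-05-21 02:01"), "demo_svc", "198.51.100.77", "JDBC_DRIVER", "PASSWORD", None, False),
    LoginEvent(_t("2024-05-22 10:00"), "alice", "203.0.113.10", "SNOWFLAKE_UI", "SAML2_ASSERTION", None, True),
]


def users_without_mfa(users: List[UserRecord]) -> List[str]:
    """Active users who never enrolled a second factor (the opt-in default)."""
    return sorted(u.name for u in users if not u.disabled and not u.has_mfa)


def password_only_successes(logins: List[LoginEvent]) -> List[LoginEvent]:
    """Successful logins where a password was the only factor that ran."""
    return [e for e in logins
            if e.is_success
            and e.first_authentication_factor == "PASSWORD"
            and e.second_authentication_factor is None]


def multi_ip_password_users(logins: List[LoginEvent],
                            window: timedelta = timedelta(hours=24)) -> Dict[str, Set[str]]:
    """Users whose password-only successes came from more than one client IP
    inside `window`: a stolen credential replayed alongside the legitimate
    user's own sessions shows up this way and deserves a closer look."""
    by_user: Dict[str, List[LoginEvent]] = defaultdict(list)
    for e in password_only_successes(logins):
        by_user[e.user_name].append(e)
    flagged: Dict[str, Set[str]] = {}
    for user, events in by_user.items():
        events.sort(key=lambda e: e.event_timestamp)
        for i, first in enumerate(events):
            ips = {x.client_ip for x in events[i:]
                   if x.event_timestamp - first.event_timestamp <= window}
            if len(ips) > 1:
                flagged[user] = ips
                break
    return flagged


def audit(users: List[UserRecord] = SAMPLE_USERS,
          logins: List[LoginEvent] = SAMPLE_LOGINS) -> Dict[str, object]:
    """One summary dict a security team can page through or ship to a SIEM."""
    return {
        "no_mfa": users_without_mfa(users),
        "password_only_logins": len(password_only_successes(logins)),
        "multi_ip_password_users": sorted(multi_ip_password_users(logins)),
    }


if __name__ == "__main__":
    for key, value in audit().items():
        print(f"{key}: {value}")
```

On the sample rows the audit reports `bob` and `demo_svc` as enrolled in no second factor, three password-only successes, and `bob` as the one account whose password alone was accepted from two different client IPs within a day. The SAML login for `alice` is deliberately left unflagged: the point is to find accounts where a password was sufficient on its own, not to flag every login without a Duo push.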

Tens of millions of people face an identity security nightmare

In one of the largest data thefts in Santander Bank's history, the credit card and personal information of up to 30 million customers was stolen. The data of 560 million TicketMaster customers was also exfiltrated during a separate attack targeting the entertainment conglomerate. The stolen dataset includes customer names, addresses, emails, phone numbers, and credit card details. Threat actor ShinyHunters took advantage of the revived hacker forum BreachForums, which the FBI had previously shut down, and offered the data of 560 million TicketMaster customers for $500,000.

Wired reports that another BreachForums account with the handle Sp1d3r has released data from two more firms allegedly linked to the Snowflake incident. These are automotive giant Advance Auto Parts, which Sp1d3r says amounts to 380 million customer records, and financial services company LendingTree and its subsidiary QuoteWizard, which Sp1d3r says amounts to 190 million customer profiles and identity records.

Santander and TicketMaster damage limitation plan: go all out with transparency

Santander and TicketMaster were quick to disclose unauthorized access to their third-party cloud database environments, demonstrating the importance CISOs and security leaders place on disclosing any event that could be interpreted as having a material impact on business operations.

TicketMaster owner Live Nation filed an 8-K with the Securities and Exchange Commission (SEC) on Friday, writing that it first detected unauthorized activity in its third-party cloud database environment on May 20 and launched an investigation with industry-leading forensic investigators. The Live Nation 8-K further says that on May 27, “a criminal threat actor allegedly offered the company's user data for sale via the dark web.”

Live Nation continued in its 8-K, writing, “We are working to reduce risk to our users and the company and have notified and are cooperating with law enforcement authorities. Where appropriate, we are also notifying regulators and users about unauthorized access to personal information.”

Santander's statement begins with the words “We recently became aware of unauthorized access to a Santander database hosted by a third party,” which is consistent with what Live Nation wrote in its 8-K filing on Friday, May 31.

Too much trust encourages identity attacks

When attackers are so confident that they were able to steal nearly 600 million customer records containing valuable identity data in two breaches, it's time to strengthen authentication and identity protection. The greater the perceived trust in an authentication and identity and access management (IAM) system, the greater the risk of a breach.

One of the cornerstones of Zero Trust is the assumption that a breach has already occurred and that the attacker is moving laterally through a company's networks. 78 percent of firms say identity-based security breaches have had a direct impact on their business operations this year. Of those affected, 96% now believe they could have avoided a breach if they had implemented identity-based zero trust protections earlier. IAM is considered an integral part of Zero Trust and is a component of the National Institute of Standards and Technology (NIST) SP 800-207 Zero Trust framework. Identity security and management are central components of President Biden’s Executive Order 14028.

VentureBeat has learned that IT and security teams across the enterprise are evaluating advanced user authentication methods and handling the enablement of standard and non-standard applications more carefully. Interest in, and proofs of concept to evaluate, passwordless authentication are increasing. “Despite the adoption of passwordless authentication, passwords persist in many use cases and remain a significant source of risk and user frustration,” Ant Allan, VP Analyst, and James Hoover, Principal Analyst, wrote in the Gartner IAM Leaders' Guide to User Authentication.

CISOs tell VentureBeat that their goals to strengthen authentication and IAM include:

  • Achieve and scale continuous authentication of every identity as quickly as possible.
  • Implement credential hygiene and rotation policies more frequently, which is driving adoption of the latest generation of cloud-based IAM, PAM and IGA platforms.
  • Regardless of industry, limit which apps users can download on their own to a verified, tested list of apps and publishers.
  • Rely increasingly on IAM systems and platforms to monitor all activity of every identity, every credential, and every endpoint.
  • Improve user self-service, Bring-Your-Own-Identity (BYOI), and enablement of non-standard applications for more external use cases.

CISOs need passwordless authentication systems that are designed to be intuitive, so as not to frustrate users, while ensuring adaptive authentication on any device. Leading providers of passwordless authentication solutions include Microsoft Authenticator, Okta, Duo Security, Auth0, Yubico and Zero Sign-On (ZSO) from Ivanti.
