Ticketmaster vs ShinyHunters

Hello there my Security Solutioneers! I hope your week so far has been filled with HR's donuts and better than average coffee! Sorry for the delay in posting, but I have been knee deep into a really interesting AI project for Business that will protect your IP, more info in the coming months!
This all being said, I needed a break and cranked out a few blogs, the first being a write-up of the massive Ticketmaster hack. This hack was first reported by Mandiant to be committed by UNC5537, an as-yet-unclassified cybercriminal gang that Mandiant says is motivated by making money. A few days later, ShinyHunters took credit for the hack and gave details of how they completed it. As of now, to our best knowledge, ShinyHunters did this attack, but since the attack is still ongoing, and since these teams sometimes have massive overlap in their "employee pools", let's assume that we might update this blog at a later time. As for ShinyHunters...
ShinyHunters are a relatively well known black hat hacking group that is not known to be associated with any state-level funding...they are a hacking group whose goal is to sell the data they obtain...credit card information being the most lucrative. They are pretty efficient at their job and can hold their own against some of the best groups out there...and what makes them really interesting is that, within the social engineering umbrella of black hat attacks, they seem to be really proficient.
So let's dissect the Ticketmaster hack. Long story short, this is a massive fail on the side of the executives who looked to bolster short-term profits in exchange for long-term vision. They are also part of the financial mindset that you can cut expenses to make profit...and how did they cut expenses? Offshoring the IT team...because of course they did, that always works well and has a happy ending! <cue Disney princess music and the forest animals>
Now before anyone cranks up their email client to assail me as being anti-offshoring...no, I am not saying that entirely. I am saying that if you offshore, you have to not only ask governance questions and check off the box once, but routinely audit them as you would any onshore team you manage...You have to have someone on your side take accountability for the actions of the offshore teams. If you merely hand everything over, especially something as important as your IT infrastructure, then you really should want some type of oversight. Handing the keys to your kingdom to an outside firm without some form of oversight is literally asking for trouble, and Ticketmaster found it.
The data was stolen from Snowflake. As some of you know, Snowflake is a data analytics platform used by many large companies. It does way more than that, but for the purpose of this blog, let's leave it at that. It's also in the realm of PaaS, Platform as a Service...meaning that while it in and of itself can have security layered into it, it still needs a knowledgeable team to set it up.
This is important...I hear too many times from the C-Suite that they are protected by the provider's security team...and this is not the case. Without proper setup of the landscape and without proper process, none of these platforms will have enough built-in protections to protect you...and the main rule of any data protection is that...protecting YOUR data is YOUR responsibility. <dun dun dun dun!!!>
For any exec reading this...No one will take accountability for your responsibility. You need someone on your side to do this for you. If you hear from ANY service provider that their systems are secure and you can drop your existing security/IT team, this is how Ticketmaster landed in this multi-million dollar mess.
This being said, Snowflake was not directly attacked...the biggest clue to this is that not only did Ticketmaster get hit, but so did LendingTree. Chances are there was a common vector here as to how they got in, and that common vector seems to be an outsourced IT services company called EPAM. Now while EPAM is an American company that "technically" is not considered an offshore company, it seems that two-thirds of its massive 55k workforce resides in Belarus and neighboring countries...according to ShinyHunters, this is where they got in. An account that was not properly protected had access to EPAM's customers' Snowflake accounts, and boom goes the dynamite. Childhood is ruined, everything is ruined. Worst part is that as of this writing, EPAM denies it was the vector...but then again, ShinyHunters flat out called them out on it...so believe who you will, but as of the current data we have, it really does seem like the massively offshored company EPAM dropped the ball here.
Now how to mitigate this...well, your data is your responsibility, so you protect it. You can offload this work to other companies, but if you value your data, then you have a team on your side to verify all the outsourced pieces of your landscape. You can hire directly, or you can hire a third party to run with this.
If I ran an "outsourced first" paradigm in my organization, I would hire my outsourced vendors and then hire a trusted third party to audit and verify their work. There are many ways to fix this, but at the end of the day, you need at least one other set of eyes to verify the work of your offshore people. People who will not only ask the questions but also audit for you. People who will act on your behalf and fight for you...the outsourced vendor will ultimately work for themselves...but if they know they will be audited, then they walk a tighter line.
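As an added illustration of the "verify the outsourced pieces" advice above (this is example code added here, not anything from the post or from the companies named in it): a small audit that walks an inventory of vendor service accounts and flags the ones the second set of eyes should be asking about. The account records are constructed, and the controls it checks (MFA, a network policy, credential age, idle accounts, one credential reaching several customer tenants) are my assumptions about what "properly protected" should mean for a cloud data platform account; the post does not say which control actually failed.

```python
"""Audit third-party (outsourced) service accounts for weak protection.

Added example, not code from the original post. The account records are
constructed, and the control names checked here are assumptions about what
"properly protected" should mean; the post does not name the failed control.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class VendorAccount:
    username: str
    vendor: str
    mfa_enabled: bool
    network_policy: Optional[str]   # None means login is allowed from any IP
    password_age_days: int
    last_login_days_ago: int
    customer_tenants: List[str] = field(default_factory=list)


@dataclass
class Finding:
    username: str
    severity: str   # "high" or "medium"
    reason: str


# Assumed thresholds for this example; tune to your own policy.
MAX_PASSWORD_AGE_DAYS = 90
MAX_IDLE_DAYS = 60
MAX_TENANTS_PER_ACCOUNT = 1   # one credential should not span customers


def audit_account(acct: VendorAccount) -> List[Finding]:
    """Return every control gap found on one vendor account."""
    findings: List[Finding] = []
    if not acct.mfa_enabled:
        findings.append(Finding(acct.username, "high", "MFA not enforced"))
    if acct.network_policy is None:
        findings.append(Finding(acct.username, "high",
                                "no network policy; login allowed from any IP"))
    if acct.password_age_days > MAX_PASSWORD_AGE_DAYS:
        findings.append(Finding(acct.username, "medium",
                                f"credential is {acct.password_age_days} days old"))
    if acct.last_login_days_ago > MAX_IDLE_DAYS:
        findings.append(Finding(acct.username, "medium",
                                "idle account; disable or re-certify it"))
    if len(acct.customer_tenants) > MAX_TENANTS_PER_ACCOUNT:
        findings.append(Finding(acct.username, "high",
                                f"one credential reaches {len(acct.customer_tenants)} "
                                "customer tenants (shared blast radius)"))
    return findings


def audit_vendor_accounts(accounts: List[VendorAccount]) -> Dict[str, List[Finding]]:
    """Map each account with at least one finding to its list of findings."""
    report: Dict[str, List[Finding]] = {}
    for acct in accounts:
        found = audit_account(acct)
        if found:
            report[acct.username] = found
    return report


def worst_severity(findings: List[Finding]) -> str:
    """Collapse a finding list to the single worst severity for triage."""
    return "high" if any(f.severity == "high" for f in findings) else "medium"


# Constructed sample inventory (vendor and tenant names are placeholders).
SAMPLE_ACCOUNTS = [
    VendorAccount("svc_vendor_shared", "vendor-A", mfa_enabled=False,
                  network_policy=None, password_age_days=400,
                  last_login_days_ago=3,
                  customer_tenants=["tenant_a", "tenant_b", "tenant_c"]),
    VendorAccount("svc_vendor_hardened", "vendor-A", mfa_enabled=True,
                  network_policy="vendor_vpn_only", password_age_days=30,
                  last_login_days_ago=2, customer_tenants=["tenant_a"]),
    VendorAccount("svc_vendor_stale", "vendor-B", mfa_enabled=True,
                  network_policy="vendor_vpn_only", password_age_days=45,
                  last_login_days_ago=120, customer_tenants=["tenant_b"]),
]


if __name__ == "__main__":
    for user, findings in audit_vendor_accounts(SAMPLE_ACCOUNTS).items():
        print(f"{user} [{worst_severity(findings)}]")
        for f in findings:
            print(f"  - {f.severity}: {f.reason}")
```

The point of the tenant check is the common-vector worry from the post: one vendor credential that can reach several customers' environments turns one weak account into several breaches, so the auditor should see that account at the top of the list even if every other control on it looks fine.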
We used to have managers walk the office to check up on their people and see if they were following process and policies, but in the age of remote workers, we need to maintain that visibility, and too many companies are relying on the honor system without vetting their vendors and their practices.
Anyhow, that’s all for today. Hopefully your days are devoid of any Sev 1's and you don’t Ticketmaster yourself into an issue by outsourcing your IT staff and having no one properly audit and manage them.