TicketMaster breach: Leaked credentials are the golden ticket once again (2024)

It had already been a challenging few weeks for Live Nation Entertainment, Inc. as they faced down a lawsuit from The Justice Department regarding anti-competitive practices. Things got worse at the end of May when a cybercriminal known as “SpidermanData” claimed to have breached a huge database of 560 million records (including personal and financial data) belonging to TicketMaster Entertainment, LLC – a Live Nation company.

Outpost24’s Threat Intelligence team, KrakenLabs, has been analyzing the situation and looking into the role of leaked credentials. We’ll walk through what happened and share some advice on avoiding the same fate for your own organization.

How was the breach discovered?

On May 27^th, a user nicknamed “SpidermanData” put a database up for sale on the underground “forum Exploit” that contained info from 560 million users. They alleged the data belonged to Live Nation and TicketMaster (both companies fall under Live Nation Entertainment, Inc.). The user had registered on the forum on that same day and has shown no further activity beyond that original post.

The next day, on May 28^th, a known threat actor named “ShinyHunters” posted the same content on the underground forum “BreachForums”. This forum had been seized on May 15^th by law enforcement authorities earlier this year. However, its administrators (with ShinyHunters among them) managed to get it back online on May 28^th, exactly the same day that the Live Nation/TicketMaster database was put up for sale ^{[1] [2]}.

How did the attackers gain access?

Researchers from vx-underground managed to speak with individuals involved in the alleged breach, and on May 30^th they published ^[3] this claim: “Sometime in April, an unidentified Threat Group was able to get access to TicketMaster AWS instances by pivoting from a Managed Service Provider (MSP). The TicketMaster breach was not performed by ShinyHunters group. ShinyHunters is the individual and/or group which posted the auction of the data, they are acting as a proxy for the Threat Group responsible for the compromise.”

On June 1^st, these same researchers said it had been confirmed that the MSP in question was Snowflake, an American cloud computing–based data cloud company. The individuals who claimed responsibility for the breach claimed said had gained access via an infostealer.

On May 31^st, security company Hudson Rock confirmed that a Snowflake employee’s credentials were stolen via a Lumma Stealer campaign. The information provided by the firm was based on a conversation in Telegram with the alleged threat actor. Security company White Intel corroborated that the account was compromised as well. Along with the TicketMaster compromise, the threat actor claimed authorship of other relevant data breaches that had been disclosed recently: Santander Bank, Anheuser-Busch, State Farm, Mitsubishi, Progressive, Neiman Marcus, Allstate, and Advance Auto Part.

It’s worth noting both posts from these security firms have now been removed due to ambiguities ^{[4] [5]} after Snowflake’s statements about the incident. However, an archived version of the Hudson Rock article can still be reached ^[6].

What have TicketMaster and Snowflake said?

On May 31^st, Live Nation Entertainment, Inc. (TicketMaster’s parent company) filed an 8-K form to inform the Securities and Exchange Commission (SEC) ^[7] that on May 20^th, they “identified unauthorized activity within a third-party cloud database environment containing Company data (primarily from its TicketMaster L.L.C. subsidiary)”.

After being accused of acting as an unwilling entry vector, Snowflake, together with third-party cybersecurity experts, CrowdStrike and Mandiant, published their own joint statement on June 2^nd. They said they were involved in an ongoing investigation into a targeted threat campaign against some Snowflake customer accounts ^[8]. Among their key preliminary findings, they claim that they “had not been able to identify as the cause of the activity, a vulnerability, misconfiguration, or breach of Snowflake’s platform and neither a compromised credential of current or former Snowflake personnel.”

Snowflake did not deny what security firms had been saying over the previous days and confirmed they found evidence that “a threat actor obtained personal credentials to and accessed demo accounts belonging to a former Snowflake employee.” However, they said this account would not have given access to sensitive data. Furthermore, they claim the reason it became compromised was because was it was a demo account not secured with Okta or multi-factor authentication (MFA), unlike the usual set-up for Snowflake’s corporate and production systems.

Snowflake does confirm that behind the current issue there “appears to be a targeted campaign directed at users with single-factor authentication,” and that “as part of this campaign, threat actors have leveraged credentials previously purchased or obtained through infostealing malware”. With these two key points, Snowflake are saying although they haven’t been compromised, they would have detected an active campaign against their clients where threat actors were using credentials previously compromised with infostealers to target accounts that have not been properly secured with multi-factor authentication.

The company did not provide a public list of customers that they believe might have been affected but claimed to have promptly informed them. In addition, to assist its clients in investigating potential threat activity based on their findings, they provided some guidelines for clients to follow ^[9].

What conclusions can we draw?

1. Both Snowflake and Live Nation (TicketMaster) have been compromised.

One employee of Snowflake got their credentials stolen via a Lumma Stealer campaign, likely on October 5^th, 2023 ^[6]. The compromised credentials belong to a demo account that was not behind Okta or Multi-Factor Authentication (MFA) ^[8]. This account was compromised and threat actors were able to access it. However, this account did not have access to sensitive data. Live Nation (TicketMaster) was compromised through a third-party cloud database environment containing company data ^[7].

Despite both compromises being true, what hasn’t been confirmed is the relationship between them. Snowflake has confirmed ^[8] that they have detected an active campaign against their clients where threat actors would be using credentials previously compromised with infostealers to target accounts that have not been properly secured with multi-factor authentication. However, they have denied that the cause of this activity would be a compromised credential of current or former Snowflake personnel.

Live Nation has not confirmed nor denied yet if the access to the third-party cloud database environment containing company data was done using a compromised credential and neither if the account had MFA enabled or not.

2. We can’t confirm the impact of the targeted campaign.

Hudson Rock mentioned ^[6] at least nine potential victims related to this attack campaign. Security researcher Kevin Beaumont confirmed on June 1^st, that six major organizations were running Snowflake incidents ^[10]. One of these companies would be Advance Auto Parts, whose data had already been put up for sale on BreachForums on June 5^{th [11]}. Also citing Beaumont, Snowflake offers a free trial where anybody can sign up and upload data ^[12], and their authentication setup would not be an easy task ^[13].

If threat actors are indeed targeting Snowflake’s customers by leveraging credentials previously purchased or obtained through infostealing malware, it’s very likely that more customers will be affected. For these credentials to work out, these customers must also have single-factor authentication enabled, something more likely due to the complications highlighted by researchers for enabling the MFA.

3. Identity-based attacks are in the spotlight over the last couple of months.

Citing the alleged threat actors, vx-underground mentioned ^[3] “Sometime in April an unidentified Threat Group was able to get access to TicketMaster AWS instances by pivoting from a Managed Service Provider.” Coincidentally, Okta security published on May 28, 2024, a warning for “suspicious activity that started on April 15” and that was related to endpoints used to support a cross-origin authentication feature in their Customer Identity Cloud (CIC) prone to being targeted by threat actors orchestrating credential-stuffing attacks ^[13].

Okta’s advisory comes right after Cisco Talos confirmed they were actively monitoring a global increase in brute-force attacks against a variety of targets, since at least March 18^th, 2024 ^[14]. Based on their findings, the brute-forcing attempts were this time using generic usernames and valid usernames for specific organizations. It’s important to highlight that we’re not establishing a relation between all these advisories, but rather just pointing out the likelihood of the campaign that Snowflake mentioned in their statement.

4. Credentials are (almost) always the root cause!

Identity-based attacks can be achieved through brute-force but it’s more efficient to directly use a previously-compromised credential. The benefits of the second option are likely one of the reasons behind the massive spurge of infostealers infections nowadays. Recent reporting from Mandiant ^[14] and Kaspersky ^[15] cite this type of malware as the most prevalent during the past year, with nearly 10 million devices falling victim to infostealers during 2023.

To accommodate the huge amount of stolen information, the current credential theft ecosystem has also evolved and welcomed other business models such as the traffers organizations (check Outpost24 KrakenLabs analyst’s The Rising Threat of Traffers report for further information) together with other sharing platforms like the legitimate messaging application Telegram.

5. Who’s really behind the attacks?

Some researchers have dared to mention a possible implication of “Scattered Spider” ^[16] in this new campaign. This idea would not be far-fetched since this group has already been involved in carrying out identity-based attacks. However, so far, we have not been able to gather conclusive information that would allow us to confirm this hypothesis.

Secure your organization against leaked credentials

Breaches like these highlight the importance of gaining visibility over whether your end users’ credentials have been leaked. Outpost24’s exposure management platform offers several ways to get your leaked credential risk under control:

• Outpost24’s external attack surface management (EASM) solution uses a threat intelligence module to detect whether users of any of your domains have had their credentials leaked on the dark web – book a free attack surface scan here.
• Gain further insights with Outpost24’s Threat Compass, where you can detect and retrieve compromised credentials in real time.
• And what if your end users are already using compromised passwords? Specops Password Policy continuously monitors your Active Directory for compromised credentials and alerts end users to change their password if theirs is breached. Specops is an Outpost24 company – trial Specops Password Policy for free here.

Unsure where to start? Speak to an expert about the best fit for your organization.

References

[1] Dark Web Informer [@DarkWebInformer]. (2024, May 28). Post. X. https://x.com/DarkWebInformer/status/1795237523238551694

[2] vx-underground [@vxunderground]. (2024, May 30). Post. X. https://x.com/vxunderground/status/1796217510544527857

[3] vx-underground [@vxunderground]. (2024, May 30). Post. X. https://x.com/vxunderground/status/1796063116574314642

[4] Hudson Rock LinkedIn [@hudson-rock]. (2024, May 4). Post. LinkedIn. https://www.linkedin.com/posts/hudson-rock_activity-7203433945919578113-RH05/

[5] WhiteIntel Dark-Web Intelligence [@whiteintel_io]. (2024, June 1). Post. X. https://x.com/whiteintel_io/status/1796794483339669968

[6] Archive – Hudson Rock. (2024, May 31). Snowflake, Cloud Storage Giant, Suffers Massive Breach: Hacker Confirms to Hudson Rock Access Through Infostealer Infection. https://web.archive.org/web/20240531140540/https://hudsonrock.com/blog/snowflake-massive-breach-access-through-infostealer-infection

[7] United States Securities and Exchange Commission. (2024, May 31). FORM 8-K Live Nation Entertainment, Inc. https://www.sec.gov/Archives/edgar/data/1335258/000133525824000081/lyv-20240520.htm

[8] Snowflake. (2024, June 2). Detecting and Preventing Unauthorized User Access. https://community.snowflake.com/s/question/0D5VI00000Emyl00AB/detecting-and-preventing-unauthorized-user-access

[9] Snowflake. (2024, June 3). Detecting and Preventing Unauthorized User Access: Instructions. https://community.snowflake.com/s/article/Communication-ID-0108977-Additional-Information

[10] Kevin Beaumont [@GossiTheDog@cyberplace.social]. (2024, June 1). Post. Mastodon. https://cyberplace.social/@GossiTheDog/112538298122679069

[11] HackManac [@H4ckManac]. (2024, June 5). Post. X. https://x.com/H4ckManac/status/1798342651407663254

[12] Kevin Beaumont [@GossiTheDog@cyberplace.social]. (2024, May 31). Post. Mastodon. https://cyberplace.social/@GossiTheDog/112536407633131499

[13] Kevin Beaumont [@GossiTheDog@cyberplace.social]. (2024, June 3). Post. Mastodon. https://cyberplace.social/@GossiTheDog/112552067562285307

[14] Mandiant – Google. (2024, February 23). A year in the cybersecurity trenches with Mandiant Managed Defense. https://cloud.google.com/blog/products/identity-security/a-year-in-the-cybersecurity-trenches-with-mandiant-managed-defense

[15] Kaskersky. (2024, April 2). Data-stealing malware infections increased sevenfold since 2020, Kaspersky experts say. https://www.kaspersky.com/about/press-releases/2024_data-stealing-malware-infections-increased-sevenfold-since-2020-kaspersky-experts-say

[16] CyberKnow. (2024, June 3). Navigating The TicketMaster Data Breach. https://cyberknow.substack.com/p/navigating-the-TicketMaster-data