Hacker-TicketMaster

Ticketmaster Data Breach: A Wake-Up Call for Cybersecurity Vigilance

By Prasanna Abeysekera

In today's interconnected world, safeguarding personal information has become more critical than ever. The recent incident involving a potential data breach at Ticketmaster is a stark reminder of the constant danger that cyberattacks pose. Hackers have reportedly obtained the personal information of 560 million customers, highlighting the need for heightened security measures.

The Breach

Reports indicate that ShinyHunters, a name linked to numerous high-profile data thefts, is responsible for this alleged breach. The hackers have gained access to valuable customer data, such as names, addresses, email addresses, phone numbers, and partial credit card details.

The Techniques

Although the specific methods employed in this breach have not been revealed, ShinyHunters has a reputation for exploiting weaknesses in web applications to gain unauthorised access to databases. Strong security measures must be prioritised at every level of an online platform's architecture.

Here are the essential details and techniques connected to the incident:

  • The specific technical methods used in this breach have not yet been detailed in the available information. However, ShinyHunters is known for previous breaches that often involved exploiting vulnerabilities in web applications or services to gain unauthorised access to databases.
  • The group has allegedly offered the stolen data for sale on the dark web in a single transaction for $500,000. Ticketmaster has not officially confirmed the breach, and opinions differ on the claim's validity: some researchers question whether the data set is genuine, while others contend it may be legitimate, citing discussions with relevant parties and examination of samples from the data set.
  • Among the many data breaches linked to ShinyHunters is a major one that affected AT&T. The group is known for hoarding and selling stolen data on the dark web, causing large-scale financial damage to individuals and businesses.

Here is our analysis of the tactics they are reported to use:

  • Targeting Companies Using Microsoft Office 365: ShinyHunters often begin by searching for companies that use Microsoft Office 365 and then seeking valid accounts.
    • The initial step is identifying organisations that use Microsoft 365, which can involve various reconnaissance techniques.
    • Threat actors often turn off mailbox audit logs, making it difficult for organisations to detect malicious activity.
    • An older technique involves abusing mailbox folder permissions to gain unauthorised access.
    • A newer technique involves abusing enterprise applications to gain unauthorised access.
    • Some APT groups have downgraded user licences from Microsoft 365 E5 to E3. The E5 licence provides advanced telemetry that helps organisations detect malicious activity; by downgrading the licence, attackers switch off these detection mechanisms.
    • Attackers often target AD FS token-signing keys to gain access to SAML tokens.
  • Searching for Third Parties Storing GitHub OAuth Tokens: They frequently seek out third-party providers that store GitHub OAuth (open authorisation) tokens.
    • Hackers use OAuth to identify third-party applications linked to GitHub and examine the types of data those applications request access to.
    • Applications may request read or write access to your GitHub data. Hackers analyse what access each application holds and what data it can reach.
    • OAuth scopes are groups of permissions that an application can request in order to access public and non-public data. Hackers abuse these scopes to gain unauthorised access.
    • When logging in through a provider, hackers can use the OAuth tokens received to authenticate against a third-party API.
    • Some hackers use cron, the time-based job scheduler found on Unix-like operating systems, to automatically refresh an access token stored in JSON format on a server.
  • Identifying R&D Employees: ShinyHunters identifies research and development employees within an organisation.
  • Using Stolen Credentials: Once they obtain valid accounts or tokens, they use these credentials in follow-on attacks.
    • Credential Stuffing: This type of cyberattack uses stolen account credentials, usually lists of usernames and/or email addresses with their corresponding passwords, to gain unauthorised access to user accounts through large-scale automated login requests directed at a web application.
    • Pass the Hash: In this method, hackers obtain hashed versions of passwords (rather than the actual passwords) and reuse those hashes to authenticate to servers.
    • Phishing: Obtaining sensitive information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication.
    • Keylogging: Using a program to record every keystroke a computer user makes, typically to gain fraudulent access to passwords and other confidential information.
    • Brute-force Attacks: In this method, attackers systematically check all possible passwords until they find the correct one.
    • Exploiting System Vulnerabilities: Some attackers exploit system vulnerabilities to gain unauthorised access to systems.
    • Social Engineering Techniques: These techniques deceive users into disclosing their credentials.
    • Man-in-the-Middle Attacks: In this type of attack, the attacker secretly relays and possibly alters the communication between two parties who believe they are communicating directly.
  • Targeting Websites and Using Static Web Apps: In some cases, hackers use Static Web Apps (a Microsoft Azure service) to host fake landing pages bearing Microsoft's logo.
    • Identifying Vulnerabilities: Hackers often begin by identifying vulnerabilities in the website or repository. This may involve scanning for known vulnerabilities or using automated tools to discover potential weak points.
    • Exploiting Vulnerabilities: Hackers capitalise on identified vulnerabilities to gain unauthorised access, which may involve injecting malicious code, manipulating data, or elevating privileges.
    • Credential Theft: A common objective for hackers, who frequently focus their efforts on repositories. This may involve searching for hard-coded credentials within code or configuration files.
    • Exploiting Permissions: Hackers can exploit permissions to obtain unauthorised access to confidential data or system functionality. This may involve leveraging misconfigurations or vulnerabilities in the authorisation model.
    • Exploiting Stolen OAuth Tokens: Cybercriminals can use stolen OAuth tokens to authenticate as genuine users. This may involve stealing tokens from third-party applications or intercepting tokens in transit.
    • Malware: Malicious actors may use malware to infiltrate a website or repository. This may involve uploading harmful files or injecting malicious code.
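Two of the Microsoft 365 tactics listed above (switching off mailbox audit logging and downgrading E5 licences to blind telemetry) leave traces in the tenant's own audit log. The detection below is an added example, not code from the original post; it assumes Unified Audit Log records exported as Python dicts with the field names shown (Operation, UserId, Parameters, ModifiedProperties), and the operation names and sample records are constructed for illustration.

```python
"""Flag Microsoft 365 audit-tampering and licence-downgrade events.

Added example, not from the original post. Assumes exported Unified Audit
Log records as dicts with the field names used below; the operation names
and the sample records are constructed for illustration.
"""

# Constructed sample records modelled on Unified Audit Log output.
SAMPLE_LOG = [
    {"CreationTime": "2024-05-30T10:02:11", "UserId": "admin@contoso.example",
     "Operation": "Set-Mailbox",
     "Parameters": [{"Name": "Identity", "Value": "jdoe"},
                    {"Name": "AuditEnabled", "Value": "False"}]},
    {"CreationTime": "2024-05-30T10:05:40", "UserId": "admin@contoso.example",
     "Operation": "Set-OrganizationConfig",
     "Parameters": [{"Name": "AuditDisabled", "Value": "True"}]},
    {"CreationTime": "2024-05-30T10:09:03", "UserId": "admin@contoso.example",
     "Operation": "Change user license.",
     "ModifiedProperties": [{"Name": "AssignedLicense",
                             "OldValue": '["Microsoft 365 E5"]',
                             "NewValue": '["Microsoft 365 E3"]'}]},
    {"CreationTime": "2024-05-30T10:11:19", "UserId": "admin@contoso.example",
     "Operation": "Set-Mailbox",
     "Parameters": [{"Name": "Identity", "Value": "asmith"},
                    {"Name": "AuditEnabled", "Value": "True"}]},
]

def _param(record, name):
    """Look up a cmdlet parameter value by name (None if absent)."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}.get(name)

def classify(record):
    """Return an alert label for one record, or None if it looks benign."""
    op = record.get("Operation", "")
    if op == "Set-Mailbox" and str(_param(record, "AuditEnabled")).lower() == "false":
        return "mailbox-audit-disabled:" + str(_param(record, "Identity"))
    if op == "Set-OrganizationConfig" and str(_param(record, "AuditDisabled")).lower() == "true":
        return "org-audit-disabled"
    if op == "Change user license.":
        for prop in record.get("ModifiedProperties", []):
            old, new = prop.get("OldValue", ""), prop.get("NewValue", "")
            if prop.get("Name") == "AssignedLicense" and "E5" in old and "E5" not in new:
                return "license-downgrade-from-E5"
    return None

def scan(records):
    """Return (time, actor, alert) for every suspicious record, in log order."""
    return [(r["CreationTime"], r["UserId"], a) for r in records if (a := classify(r))]
```

A cluster of these alerts from one administrator account within minutes, as in the constructed sample, is the pattern worth paging on; a single re-enable event (the last record) is benign and is not flagged.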

The phrase "we have a second chance" does not hold true in cybersecurity.

It is imperative to follow sound cybersecurity practices to safeguard your data and systems.

The Response

Ticketmaster has not made an official statement regarding the breach, and opinions within the cybersecurity community are split on the validity of the allegations. Nevertheless, the reported sale of the data on the dark web for $500,000 adds weight to the claim and emphasises the need for a prompt response.

The Implications

If verified, this breach could rank among the largest in history, affecting countless individuals around the globe. It emphasises that cybersecurity is essential and that security controls must be monitored and updated continuously.

The Precautions

To address data security concerns, monitor financial statements diligently for unauthorised transactions. Change passwords and enable two-factor authentication wherever possible. Exercise caution with phishing attempts that may exploit the stolen data.

Individuals who may have been affected by the breach are advised to monitor their accounts closely for any signs of unusual activity, update their passwords, and remain wary of phishing attacks that could exploit the stolen data. Consult Ticketmaster for official announcements and recommendations on how to proceed.

The Takeaway

This incident reminds us that no organisation is impervious to cyberattacks. It emphasises the importance of proactive defence strategies and rigorous cybersecurity measures to safeguard customer data.
As we await further developments, let us seize this opportunity to evaluate our cybersecurity protocols and ensure that we take all necessary precautions to protect our digital presence.
For additional cybersecurity and online safety insights, follow the GABEY Cybersecurity News.
Please note that the information provided is derived from the most recent reports and may change as further details become available. This post is intended to offer an overview of the situation for a tech-savvy audience; the specifics of the breach are still emerging, so it is essential to stay informed through reputable sources.

Acknowledgements

Explore the resources provided below to find vital information and gain insight. These sites offer a wealth of information to guide your decision-making.
