Fintech Giant Finastra Investigating Data Breach Krebs on Security
pThe financial technology firm Finastra is investigating the alleged largescale theft of information from its internal file transfer platform KrebsOnSecurity has learned Finastra which provides software and services to 45 of the worlds top 50 banks notified customers of the security incident after a cybercriminal began selling more than 400 gigabytes of data purportedly stolen from the companyppppLondonbased Finastra has offices in 42 countries and reported 19 billion in revenues last year The company employs more than 7000 people and serves approximately 8100 financial institutions around the world A major part of Finastras daytoday business involves processing huge volumes of digital files containing instructions for wire and bank transfers on behalf of its clientsppOn November 8 2024 Finastra notified financial institution customers that on Nov 7 its security team detected suspicious activity on Finastras internally hosted file transfer platform Finastra also told customers that someone had begun selling large volumes of files allegedly stolen from its systemsppOn November 8 a threat actor communicated on the dark web claiming to have data exfiltrated from this platform reads Finastras disclosure a copy of which was shared by a source at one of the customer firmsppThere is no direct impact on customer operations our customers systems or Finastras ability to serve our customers currently the notice continued We have implemented an alternative secure file sharing platform to ensure continuity and investigations are ongoingppBut its notice to customers does indicate the intruder managed to extract or exfiltrate an unspecified volume of customer datappThe threat actor did not deploy malware or tamper with any customer files within the environment the notice reads Furthermore no files other than the exfiltrated files were viewed or accessed We remain focused on determining the scope and nature of the data contained within the exfiltrated filesppIn a written statement in response to questions about the incident Finastra said it has been actively and transparently responding to our customers questions and keeping them informed about what we do and do not yet know about the data that was posted The company also shared an updated communication to its clients which said while it was still investigating the root cause initial evidence points to credentials that were compromisedppAdditionally we have been sharing Indicators of Compromise IOCs and our CISO has been speaking directly with our customers security teams to provide updates on the investigation and our eDiscovery process the statement continues Here is the rest of what they sharedppIn terms of eDiscovery we are analyzing the data to determine what specific customers were affected while simultaneously assessing and communicating which of our products are not dependent on the specific version of the SFTP platform that was compromised The impacted SFTP platform is not used by all customers and is not the default platform used by Finastra or its customers to exchange data files associated with a broad suite of our products so we are working as quickly as possible to rule out affected customers However as you can imagine this is a timeintensive process because we have many large customers that leverage different Finastra products in different parts of their business We are prioritizing accuracy and transparency in our communicationsppImportantly for any customers who are deemed to be affected we will be reaching out and working with them directlyppOn Nov 8 a cybercriminal using the nickname abyss0 posted on the Englishlanguage cybercrime community BreachForums that theyd stolen files belonging to some of Finastras largest banking clients The data auction did not specify a starting or buy it now price but said interested buyers should reach out to them on Telegramppabyss0s Nov 7 sales thread on BreachForums included many screenshots showing the file directory listings for various Finastra customers Image KelacomppAccording to screenshots collected by the cyber intelligence platform Kelacom abyss0 first attempted to sell the data allegedly stolen from Finastra on October 31 but that earlier sales thread did not name the victim company However it did reference many of the same banks called out as Finastra customers in the Nov 8 post on BreachForumsppThe original October 31 post from abyss0 where they advertise the sale of data from several large banks that are customers of a large financial software company Image KelacomppThe October sales thread also included a starting price 20000 By Nov 3 that price had been reduced to 10000 A review of abyss0s posts to BreachForums reveals this user has offered to sell databases stolen in several dozen other breaches advertised over the past six monthsppThe apparent timeline of this breach suggests abyss0 gained access to Finastras file sharing system at least a week before the company says it first detected suspicious activity and that the Nov 7 activity cited by Finastra may have been the intruder returning to exfiltrate more datappMaybe abyss0 found a buyer who paid for their early retirement We may never know because this person has effectively vanished The Telegram account that abyss0 listed in their sales thread appears to have been suspended or deleted Likewise abyss0s account on BreachForums no longer exists and all of their sales threads have since disappearedppIt seems improbable that both Telegram and BreachForums would have given this user the boot at the same time The simplest explanation is that something spooked abyss0 enough for them to abandon a number of pending sales opportunities in addition to a wellmanicured cybercrime personappIn March 2020 Finastra suffered a ransomware attack that sidelined a number of the companys core businesses for days According to reporting from Bloomberg Finastra was able to recover from that incident without paying a ransomppThis is a developing story Updates will be noted with timestamps If you have any additional information about this incident please reach out to krebsonsecurity gmailcom or at protonmailcompp
This entry was posted on Tuesday 19th of November 2024 0812 PM
ppHey Krebs you can browse BreachForums without an account if you use the TOR hidden service mirrorppAs a Finastra customer this is the first im hearing have received no notification but also doesnt sound surprising as recently they have processed allot of emergency changes and password resetsppLooking through a comms trial of notifications I believe Finastra knew about this allot earlier than maybe suggested as we experienced allot of strange outages access issueschanges prior to the 7thppThis topic has been hot on FSISAC for a couple of weeks Highly recommend joiningpp400GB worth of data stolen For comparison when I downloaded the entire English language wikipedia last year it was a tad under 100GBppWould be interesting to know what data was transferred over these SFTP services Sounds like Business to Business b2b data used for automation ppWhat are the chances the data is worthless and it is a smoke screen to cover the fact they have modified a bunch of what I imagine is B2B csv data ppCould any of these files be transactional files where the miscreant can insert their information which then results in money being transferred to them due to bank staff blindly trusting the information their system has ingestedppThe threat actors will try to overplay it and the company will try to downplay it For all we know it could be daily copies of 100mb xlsx spreadsheets going back 10 years growing each day generated by a nightly cronjob ppBut fortunately for these companies these threat actors are more the smashandgrab kind and not slipstream a row of data into a spreadsheet during a holiday kind Persistence and longterm moves like what you described or something akin to the Bangladesh bank breach are not their primary focus since it requires a lot of time and manpower to study how everything operates as well as a massive network of launderers and real bank accounts connected to real identitiesppYes that may sound like a lot of data to the average home user but depending on the level of compromise achieved the threat actors may have had access to Finastras backend transport service IBM Aspera can support speeds of up to 10 GpspphttpswwwibmcomasperafiletransfercalculatorppEven at 1 Gps moving that amount of data from the US to Europe could take less than an hourpp Gbps not Gps My badppI am from Nigeria and it is my dream to learn cybersecurity But unfortunately in my Country the course is for wealthy people Its not available in our local universities
But now that I have a Laptop I enrolled in a Cybersecurity course on Coursera Yesterday with financial aid Today I came across this platform while researching cybersecurity and ethical Hacking on GPTppThe internet is full of courses If a degree is what you seek that is different than an educationppRead everything Brian has written look up everything you dont understand Learn the basics of TCP DLLs Registry injections Watch every DEFCON video you can and branch out as you find things of interest Welcome to the digital warzoneppIts so cute how they mention eDiscovery as a response to a breach Total disconnect with incident response practicesppI wonder if internal secure file transfer platform unpatched MoveIT instanceppMoveIT or Accellion aka Kiteworks have both been plagued by 0days over the past few years Why It isnt because they are worse than other software product categories It is because threat actors figured out the category is a valuable source of sensitive data Whenever any application is relentlessly scanned fuzzed attacked and users social engineered the app failsppWhy Because they made the horrid mistake of putting the management interface on the outside unrestricted
If it was a bathroom door in your house that has the twist lock on one side they messed up and put it on BOTH sides so anyone could unlock it and change settings All it took was one person to notice the mistake MoveIT was very lucky it wasnt being abused from day 1 of its release This is sadly to common an issueppYour email address will not be published Required fields are marked ppComment ppName ppEmail ppWebsite pp
ppppΔdocumentgetElementById akjs1 setAttribute value new Date getTime ppMailing ListppSearch KrebsOnSecurityppRecent PostsppStory CategoriesppWhy So Many Top Hackers Hail from Russiap
This entry was posted on Tuesday 19th of November 2024 0812 PM
ppHey Krebs you can browse BreachForums without an account if you use the TOR hidden service mirrorppAs a Finastra customer this is the first im hearing have received no notification but also doesnt sound surprising as recently they have processed allot of emergency changes and password resetsppLooking through a comms trial of notifications I believe Finastra knew about this allot earlier than maybe suggested as we experienced allot of strange outages access issueschanges prior to the 7thppThis topic has been hot on FSISAC for a couple of weeks Highly recommend joiningpp400GB worth of data stolen For comparison when I downloaded the entire English language wikipedia last year it was a tad under 100GBppWould be interesting to know what data was transferred over these SFTP services Sounds like Business to Business b2b data used for automation ppWhat are the chances the data is worthless and it is a smoke screen to cover the fact they have modified a bunch of what I imagine is B2B csv data ppCould any of these files be transactional files where the miscreant can insert their information which then results in money being transferred to them due to bank staff blindly trusting the information their system has ingestedppThe threat actors will try to overplay it and the company will try to downplay it For all we know it could be daily copies of 100mb xlsx spreadsheets going back 10 years growing each day generated by a nightly cronjob ppBut fortunately for these companies these threat actors are more the smashandgrab kind and not slipstream a row of data into a spreadsheet during a holiday kind Persistence and longterm moves like what you described or something akin to the Bangladesh bank breach are not their primary focus since it requires a lot of time and manpower to study how everything operates as well as a massive network of launderers and real bank accounts connected to real identitiesppYes that may sound like a lot of data to the average home user but depending on the level of compromise achieved the threat actors may have had access to Finastras backend transport service IBM Aspera can support speeds of up to 10 GpspphttpswwwibmcomasperafiletransfercalculatorppEven at 1 Gps moving that amount of data from the US to Europe could take less than an hourpp Gbps not Gps My badppI am from Nigeria and it is my dream to learn cybersecurity But unfortunately in my Country the course is for wealthy people Its not available in our local universities
But now that I have a Laptop I enrolled in a Cybersecurity course on Coursera Yesterday with financial aid Today I came across this platform while researching cybersecurity and ethical Hacking on GPTppThe internet is full of courses If a degree is what you seek that is different than an educationppRead everything Brian has written look up everything you dont understand Learn the basics of TCP DLLs Registry injections Watch every DEFCON video you can and branch out as you find things of interest Welcome to the digital warzoneppIts so cute how they mention eDiscovery as a response to a breach Total disconnect with incident response practicesppI wonder if internal secure file transfer platform unpatched MoveIT instanceppMoveIT or Accellion aka Kiteworks have both been plagued by 0days over the past few years Why It isnt because they are worse than other software product categories It is because threat actors figured out the category is a valuable source of sensitive data Whenever any application is relentlessly scanned fuzzed attacked and users social engineered the app failsppWhy Because they made the horrid mistake of putting the management interface on the outside unrestricted
If it was a bathroom door in your house that has the twist lock on one side they messed up and put it on BOTH sides so anyone could unlock it and change settings All it took was one person to notice the mistake MoveIT was very lucky it wasnt being abused from day 1 of its release This is sadly to common an issueppYour email address will not be published Required fields are marked ppComment ppName ppEmail ppWebsite pp
ppppΔdocumentgetElementById akjs1 setAttribute value new Date getTime ppMailing ListppSearch KrebsOnSecurityppRecent PostsppStory CategoriesppWhy So Many Top Hackers Hail from Russiap
