Incident Of The Week: Finastra’s Ransomware Attack
London-based Finastra, the world’s third largest FinTech bank with around 9,000 customers across 130 countries, reported that it detected a ransomware attack on its servers, last Friday.
Finastra, founded in 2017, employs more than 10,000 people and has offices in 42 countries. Its clients include 48 of the top 50 banks, worldwide. Last year, it reported more than $2 billion in revenues.
March 20, Tom Kilroy, Finastra’s chief operating officer, reported on its website that:
The Finastra risk and security services team has detected anomalous activity on our systems. In order to safeguard our customers and employees, we have made the decision to take a number of our servers offline while we investigate. This, of course, has an impact on some of our customers and we are in touch directly with those who may be affected.
Finastra followed that up by acknowledging it had detected ransomware activity - but that customer and employee data remained untouched.
Ransomware attacks try to penetrate customer data for blockchain or publishing until a ransom is paid. The Department of Justice (DOJ) described ransomware as a new business model for cybercrime, and a global phenomenon. Last year's Official Annual Cybercrime Report warned that ransomware “has reached epidemic proportions and is the fastest growing cybercrime.”
See Related: The Cost Of An Enterprise Ransomware Attack
At the end of 2016, businesses fell prey to ransomware attacks every 40 seconds. Cybersecurity Ventures predicts that will rise to every 14 seconds by 2019 - and to every 11 seconds by 2021.
Last year, the FBI estimated that the total amount of ransom payments was approaching $1 billion a year.
How Finastra Acted
Finastra used an ‘isolation, investigation and containment’ approach where the company temporarily disconnected its affected servers while it contained the breach. At the same time, Finastra conducted a rigorous review of their servers, before it restored them Monday morning.
It, also, admitted that it anticipated disruption to certain server services, particularly those in North America.
“Our priority,” Kilroy stressed, “is ensuring the integrity of the servers before we bring them back online and protecting our customers and their data at this time.”
What could have gone wrong?
While Kilroy was more reserved, Chicago-based threat intelligence firm Bad Packets said it had warned the company some months ago on its VPNs. Apparently, Finastra had run an unpatched Pulse Secure VPN, which is vulnerable to CVE-2019-11510. This popular SSL VPN solution used by large organizations and governments around the world had received a 10.0 rating via the Common Vulnerability Scoring System (CVSS) in 2019 for its vulnerability to breach.
In January, Packet’s internet scans had identified 3,825 Pulse Secure VPN servers that remained at risk because they had not been updated with a patch to fix that “critical” vulnerability.
Also in 2019, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) had warned that “multiple vulnerabilities [affect] Pulse Secure Virtual Private Network (VPN). An attacker could exploit these vulnerabilities to take control of an affected system.”
It urged users and administrators to patch those vulnerabilities.
Brad Packet pointed out that Finastra had also run outdated Pulse Secure VPN servers last year, as well as four outdated Citrix (Netscaler) servers earlier this year. Both types of servers had been exploited by state-sponsored hackers and ransomware marauders over the past months.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) provided a list of outdated software patches with vulnerabilities and warned users:
There is no viable workaround except to apply the patch and updates provided by the vendor. It is incorrect to assume use of client certificates or two-factor authentication (2FA) can prevent CVE-2019-11510 RCE pre-auth vulnerability.
The National Security Agency provides details on relevant updates and on how to mitigate recent VPN vulnerabilities. Recently, CISA referred administrators to the following upgrades:
- Palo Alto Security Advisory PAN-SA-2019-0020
- FortiGuard Security Advisory FG-IR-18-384
- Pulse Secure Security Advisory SA44101
Meanwhile, the US Department of Homeland Security warned organizations that as they transfer to remote work because of COVID-19, they should heighten their attention to cyber security and take particular care on the VPNs their employees use.
Read More: Incident Of The Week
Photo courtesy: StockPhotoSecrets