The Flagstar Information Breach and What Lenders Can Study From It

Flagstar Bancorp was recently the victim of a data breach in which personal information of employees and customers, including social security numbers and mailing addresses, was leaked and the thieves tried to blackmail some employees.

The hackers exploited a bug in Accellion's file transfer appliance software that the bank used to secure confidential content. Dozens of other Accellion clients were affected by the incident, including the Jones Day law firm, Harvard Business School and the Reserve Bank of New Zealand.

The $ 31 billion fortune flag star from Troy, Michigan declined a request for an interview but referred to the breach notification it posted on its website on March 6.

The incident is a reminder that while banks generally have top-notch security, they are still vulnerable to threats affecting the software they use and the third-party vendors they work with, and even the vendors these vendors work with work together.

The case also highlights the relatively new trend of cyber criminals losing pieces of sensitive customer data in order to force companies or individuals to pay money to stop the leaks. And it shows that even medium-sized and smaller banks may need to invest in sophisticated attack simulations and cyberthreat-hunting exercises in addition to all of the security practices already in place.

"We are seeing a clear trend of attacks against third parties, especially software providers, in the financial sector and other industries," said Steve Silberstein, CEO of the Financial Services Information Sharing and Analysis Center. "While financial services companies typically have solid cybersecurity controls and defenses in place, third and fourth parties providing critical services to multiple valuable customers will continue to be lucrative targets for threat actors with diverse motivations."

Public pressure on banks only increases as consumers say they care very much about the way the companies they work with protect their data. A recent consumer survey conducted by Arizent, American Banker's parent company, found that nearly eight in ten consumers consider security a primary or major consideration when choosing banks.

What can other banks do to avoid falling victim to such an attack? The answer is to educate yourself about their occurrence, understand the possible consequences, and take innovative countermeasures.

How the violation happened

According to a FireEye Mandiant investigation, hackers discovered several vulnerabilities in Accellion's File Transfer Appliance software, which they exploited to inject malicious code into the program that allowed them to extract personal information.

The attacks that were carried out in December and January were zero-days, which means they hadn't been seen at the time and no patches were available. Accellion issued patches within four days of the initial attack.

"When we looked at the hackers' ability to apply this vulnerability and create a working exploit, it really seemed like it was someone who was very experienced and spent a lot of time creating the exploit," said David Wong. Cybersecurity leader and incident responder at Mandiant, a FireEye advisory unit.

Accellion hired FireEye Mandiant to investigate the attacks on its FTA software, review the FTA software for other potential security vulnerabilities, and prepare a report.

Ironically, Accellion describes FTA as a content firewall, and companies buy it to protect their most valuable data. To the victims, this injury was like buying a safe and putting in your most expensive jewelry, only to have burglars break into that safe and grab all that jewelry and leave the rest of the house intact.

It's unclear who the hackers were, according to Brett Callow, threat analyst at Emsisoft, a threat investigation and anti-malware company.

A ransomware gang called Clop posted some of the stolen data on the dark internet, then threatened the victims, who Callow said would post more if they didn't pay.

"But it's not clear if they were actually responsible for the hacks or if they were just brought in because blackmail is their specialty," Callow said.

The FTA software is 20 years old and should be discontinued at the end of April. Accellion has been working for three years to migrate customers to a new version of the software, kiteworks, while supporting FTA.

Wong sees the injury as both a third party risk and a third party risk.

"If you use vendors to print credit cards or send bank statements, you are still responsible for the security of those third parties," he said. "So if you are a bank and you have a third party using Accellion FTA and it has been hacked, you need to make sure your customers' information is safe."

For example, some of the victims of the Accellion data breach were law firms.

"If you've uploaded information about your clients to an affected law firm, you need to check with those vendors what information is on them and whether it may have been compromised," said Wong.

Extortion effort

An unusual aspect of this attack, Wong said, is that the criminal gangs used the stolen information as a lever to pressure employees to pay in order to prevent more data from being released.

Ransomware groups have been exfiltrating stolen data and posting some of it on the dark internet to motivate businesses to pay ransom since late 2019. In most cases, in the past year they started shutting down systems and encrypting data and then the stolen data to use data for extortion.

In this case, there was data theft and extortion, but no file encryption. This could be because the hackers were unable to gain access to the entire corporate network.

"They are slowly blackmailing victims one couple at a time," said Wong. “You probably have more victims to try to extort money from than you actually have time. There were some that came out in December and January, and three more came out in early March. So it seems like they are trying to take their time and maximize the amount of money that they are going to get out. "

Blackmail, like ransom demands, is extremely difficult to handle.

"The best answer is that the organization should never pay as it is an incentive for cybercrime," Callow said. “If nobody paid, the attacks would stop. But realistically, the answer may not be that obvious when faced with the choice of either making their data public or permanently losing it. "

Typically in such attacks, hackers make a copy of a company's data they are holding and encrypt that company's version so that it cannot be accessed, Callow said.

When a company pays the criminals to prevent their data from being published, "all they get is a small promise from the criminal that they won't," Callow said. And some organizations have been blackmailed twice with the same record, he said.

There doesn't seem to be a game book out yet on what to do if you're being blackmailed.

"It is a very challenging situation for victims of cyberattacks and extortion as companies want to keep their customers safe so that they can at least notify them and encourage them to take steps to protect themselves by checking their credit reports and so on. " Said Wong. “At the same time, if you are trying to possibly pay off these criminals, nobody will. It just sounds so bad. And when you pay these people it's like adding fuel to the fire – you're just encouraging them to commit more crimes. "

US banking regulators have also warned banks that some cyber criminals have been linked to terrorist organizations.

"If a bank humorously or unknowingly makes a payment to such a terrorist organization, it is a federal crime," said Wong. "It's a very difficult situation because if you don't pay, the attacker invariably starts releasing data, which can potentially harm customers. As a bank, the best way to find out what data is there, do forensic analysis, and then customers." notify. "

Red teaming, other defense tactics

Two defensive tactics banks can use to try not to fall victim to such a breach are red teaming – simulating attacks to measure how well you're ready to respond – and threat hunting.

"The prerequisite for threat hunting is the assumption that you are already compromised and that a team is searching your systems for the compromise," said Silberstein. “To do this effectively, cyberdefense teams should understand the current threat actors targeting the sector and their attack strategies. FS-ISAC creates intelligence reports for security testers that list attack scenarios that they can use internally to detect the same malicious behaviors. "

Most banks have such defense tactics in place, Callow said.

"Ransomware attacks are very common in most sectors, but it is quite rare for US banks to be affected," said Callow. "And that's because they generally have pretty good security."

Some banking regulations, such as those from the New York State Department of Financial Services and the Interagency Federal Financial Institutions Examination Council, recommend vulnerability testing, network scans, and annual penetration testing, and red teaming.

Such efforts might not necessarily create a zero-day vulnerability, Wong warned. A best practice is to “design computer systems to assume that part of your network is being hacked and your network is not always perfect. The attackers will be able to find some cracks, but what you want to avoid is a small flare that turns into something that burns the entire building down. "

Another best practice is to keep checking and testing the controls, Wong said.

"It would be like making sure all locks and windows are closed before going to bed at night," said Wong. "You want to be able to check this before you go to sleep. Make sure you have a good lock that won't open."

Many banks share information about their attacks with organizations like the FS-ISAC as soon as possible.

"By subscribing to these sources and getting this information quickly, you can potentially proactively identify the attacks or know they're coming and mitigate them before they happen," said Wong.

A standard response for banks is to give customers free credit monitoring for a year so they can theoretically see whether their account details are being used to take out loans or credit cards.

Some say a year is not enough.

Some groups have said, 'Go ahead and do this. We're only going to sit on this data for a year and then cheat your customers, ”Callow said.

Related Articles