GEC NEWS WIREAs the financial organizations all over the world are grappling with the news of the major phishing attacks against Wall Street firms, the questions arising are way too many- why, when and how the attacks could be possible
“Web applications tend to be riddled with vulnerabilities unless a Security Development Lifecycle (SDL) is strictly followed and the developers are highly skilled in secure coding practices”
Lucas Zaichkowsky Enterprise Defence Architect
What happened? How an attacker could carry out an attack against a major financial institution such as JP Morgan Chase?
Targeted attacks begin by finding an initial point of entry. Chinese APTs are well known for preferring spear phishing. Eastern European criminals targeting large victims tend to prefer web application exploits. They’ve both been known to change it up and enter through alternate means if their preference isn’t working out. They important thing to accept is that they will always get onto an initial system, victim zero. From there, they still have to gain administrative level access and map out the internal network to figure out where they are in relation to the data they’re after and map out user accounts to understand who has access. They often have to hack through multiple secured network segments, one at a time, finding or creating holes that let them pivot from one secured environment to the next. All the while, they have to identify what security systems are in place and test their techniques and tools in a lab environment to ensure they’ll evade detection.
How does an attacker prepare, how long does it take to prepare, and when do you think the attack began?
The amount of up-front effort that goes into an attack is usually tied to how the attackers break-in. In this case, they broke in through a vulnerable web application which means the attack started the minute they started identifying and probing web applications for weaknesses. The web application they compromised could be completely unrelated to financial data such as the company blog. Once they gain initial entry, that’s when a bulk of reconnaissance efforts kicks in. Attackers breaching relatively secure organizations have to spend significant energy mapping out the internal network, figuring out how to get through several layers of defences undetected.
It seems zero-day vulnerability was exploited – what do you think that involved? Was it vulnerability in the security system, or somewhere else?
Reports have said that the flaw was on a web site. Eastern European attackers are well known for exploiting web application security flaws to gain initial access to a corporate environment. That’s because web applications tend to be riddled with these types of vulnerabilities unless a Security Development Lifecycle (SDL) is strictly followed and the developers are highly skilled in secure coding practices. If the exploited web application is commercial, JPMorgan Chase most likely already reported the vulnerability to the vendor. If it’s a custom built web application, JPMorgan Chase will need to review their own secure coding practices or scrutinize contracted developers to identify where improvements need to be made.
What type of data was stolen? Do you think it will be used to drain bank accounts, or for other purposes?
What’s currently known is that gigabytes of data were stolen, including checking and savings account information. If financial criminals are behind this, they may use that information to commit fraud or identify account holders worth attacking next based on account details. If this is an act of espionage, that data will be used to enhance the foreign government’s collective intelligence, similar to the hypotheses surrounding the motives of the recent Community Health Systems breach. Personally, I suspect financial criminals are behind this breach although there’s not enough information to say for sure. There certainly are financially motivated attackers that show this level of sophistication and attack pattern despite claims to the contrary.
What does JPMorgan Chase, as well as any other impacted entities, have to do to recover from this incident? What is the best course of action for them to take right now?
In any breach where customer information is affected, transparency and regular communications is very important for re-building trust. It’s very likely JPMorgan Chase doesn’t know the extent of the breach and many important questions can’t be answered until the forensic investigation is complete. I’d encourage them to maintain a communications page with definitive updates as progress is made. They should notify customers of the incident via email and postal mail, directing them to the web page to get up to the minute information. Additionally, they’ll probably have to offer credit monitoring for affected customers to meet the requirements of state laws.
Anything else you find interesting or important?
What I find interesting is what isn’t said. Saying that multiple gigabytes of data were stolen including checking and savings account information leaves a large, vague hole. Were entire databases stolen? Was anything stolen that doesn’t require disclosure by law, but affects shareholder value?
