Bloomberg recently reported that JPMorgan Chase, as well as at least four other financial institutions, have been hacked. While no-one is definitively sure who the attackers are or how they gained access, initial reports hint that they may have been Russian and they possibly exploited a zero-day vulnerability in at least one bank’s website. The Bloomberg reports claim that ‘gigabytes of sensitive data’ was stolen in the attack.
Lucas Zaichkowsky, Enterprise Defense Architect at AccessData, has commented on this security breach, taking a look at how an attack like this could have happened and how to protect yourself from similar attempts.
How an attacker could carry out an attack like this
Targeted attacks begin by finding an initial point of entry. Chinese APT are well known for preferring spear phishing. Eastern European criminals targeting large victims tend to prefer web application exploits. They’ve both been known to change it up and enter through alternate means if their preference isn’t working out. They important thing to accept is that they will always get onto an initial system, victim zero. From there, they still have to gain administrative level access and map out the internal network to figure out where they are in relation to the data they’re after and map out user accounts to understand who has access. They often have to hack through multiple secured network segments, one at a time, finding or creating holes that let them pivot from one secured environment to the next. All the while, they have to identify what security systems are in place and test their techniques and tools in a lab environment to ensure they’ll evade detection.
How attackers prepare for attacks of this sort
The amount of up-front effort that goes into an attack is usually tied to how the attackers break-in. In this case, they broke in through a vulnerable web application, which means the attack started the minute they started identifying and probing web applications for weaknesses. The web application they compromised could be completely unrelated to financial data such as the company blog. Once they gain initial entry, that’s when a bulk of reconnaissance efforts kicks in. Attackers breaching relatively secure organisations have to spend significant energy mapping out the internal network, figuring out how to get through several layers of defences undetected.
Where was the flaw and how was it exploited
Reports have said that the flaw was on a web site. Eastern European attackers are well known for exploiting web application security flaws to gain initial access to a corporate environment. That’s because web applications tend to be riddled with these types of vulnerabilities unless a Security Development Lifecycle (SDL) is strictly followed and the developers are highly skilled in secure coding practices. If the exploited web application is commercial, JPMorgan Chase most likely already reported the vulnerability to the vendor. If it’s a custom-built web application, JPMorgan Chase will need to review their own secure coding practices or scrutinise contracted developers to identify where improvements need to be made.
Impact of the attack
What’s currently known is that gigabytes of data were stolen, including checking and savings account information. If financial criminals are behind this, they may use that information to commit fraud or identify account holders worth attacking next based on account details. If this is an act of espionage, that data will be used to enhance the foreign government’s collective intelligence, similar to the hypotheses surrounding the motives of the recent Community Health Systems breach. Personally, I suspect financial criminals are behind this breach although there’s not enough information to say for sure. There certainly are financially motivated attackers that show this level of sophistication and attack pattern despite claims to the contrary.
How do organisations recover from attacks like this?
In any breach where customer information is affected, transparency and regular communications is very important for re-building trust. It’s very likely JPMorgan Chase doesn’t know the extent of the breach and many important questions can’t be answered until the forensic investigation is complete. I’d encourage them to maintain a communications page with definitive updates as progress is made. They should notify customers of the incident via email and postal mail, directing them to the web page to get up to the minute information. Additionally, they’ll probably have to offer credit monitoring for affected customers to meet the requirements of state laws.