[BreachExchange] Flagstar’s data breach and what lenders can learn from it

Destry Winant destry at riskbasedsecurity.com
Fri Mar 19 10:53:44 EDT 2021


https://www.nationalmortgagenews.com/news/flagstars-data-breach-and-what-lenders-can-learn-from-it

Flagstar Bancorp fell victim to a recent data breach in which personal
information of employees and customers, including Social Security
numbers and mailing addresses, was leaked and the thieves sought to
extort some employees.

The hackers exploited a flaw in Accellion’s File Transfer Appliance
software, which the bank was using to secure sensitive content. Dozens
of other Accellion clients were affected by the incident, including
the law firm Jones Day, Harvard Business School and the Reserve Bank
of New Zealand.

The $31 billion-asset Flagstar, of Troy, Mich., declined a request for
an interview but pointed to the breach notification it posted on its
website on March 6.

The incident is a reminder that though banks generally have top-notch
security, they are still vulnerable to threats involving the software
they use and the third-party vendors with which they work, and even
the vendors with which those vendors work.

The case also highlights the relatively new trend of cybercriminals
leaking portions of sensitive customer data to coerce companies or
individuals to pay money to stop the leaks. And it demonstrates that
even midsize and smaller banks may need to invest in sophisticated
attack simulations and cyberthreat-hunting exercises in addition to
all the security practices they already follow.

“We are seeing a clear trend of attacks on third-party suppliers,
especially software vendors, to the financial sector as well as other
industries,” said Steve Silberstein, CEO of the Financial Services
Information Sharing and Analysis Center. “While financial services
firms tend to have robust cybersecurity controls and defenses, third
and fourth parties performing critical services for multiple valuable
clients will continue to be lucrative targets for threat actors with a
variety of motivations.”

Public pressure on banks is only building as consumers say they care
heavily about how the companies they work with protect their data. A
recent consumer survey by Arizent, the parent company of American
Banker, found that nearly eight out of 10 consumers consider security
a primary or important consideration when choosing banks.

What can other banks do to avoid falling victim to this kind of
attack? The answer is to educate themselves on how they occur,
understand the potential consequences and adopt cutting-edge defensive
measures.

How the breach happened

Hackers broke in through several vulnerabilities in Accellion’s File
Transfer Appliance software that they exploited to inject malicious
code into the program, which enabled them to extract personal
information, according to an investigation conducted by FireEye
Mandiant.

The attacks, which were conducted in December and January, were
zero-days, meaning that at the time they hadn’t been seen before and
there were no available patches. Accellion issued patches within four
days of the first attack.

“When we looked at the hackers’ ability to apply that vulnerability
and create an exploit that worked, it really appeared like it was
somebody that was very experienced who had invested quite a
significant amount of time creating the exploit,” said David Wong,
cybersecurity leader and incident responder at Mandiant, a consulting
unit of FireEye.

Accellion engaged FireEye Mandiant to investigate the attacks on its
FTA software, to review the FTA software for any other potential
security vulnerabilities and to produce a report.

Somewhat ironically, Accellion describes FTA as a content firewall,
and companies buy it to protect their most valuable data. So for the
victims, this breach was like buying a safe and putting your most
expensive jewelry in it, only to have burglars break into that safe
and grab all that jewelry, leaving the rest of the house intact.

It’s unclear who the hackers were, according to Brett Callow, threat
analyst at Emsisoft, a threat investigation and anti-malware provider.

A ransomware gang called Clop published some of the stolen data on the
dark web and then threatened victims it would publish more if they
didn't pay up, according to Callow.

“But it's not clear whether they were actually responsible for the
hacks or whether they were simply brought in because extortion is
their area of expertise,” Callow said.

The FTA software is 20 years old and was due to be retired at the end
of April. Accellion has been working for the past three years to
migrate customers to a new version of the software, kiteworks, while
still supporting FTA.

Wong sees the breach as a third-party as well as a first-party risk.

“If you use vendors for printing credit cards or sending statements,
you're still responsible for the security of those third parties,” he
said. “So if you're a bank and you have third parties that are using
Accellion FTA and they were hacked, you have a responsibility to make
sure that your customers’ data is secure.”

For instance, some of the victims of the Accellion data breach were law firms.

“If you uploaded information about your customers to a law firm that
was affected, you have a responsibility to go check with those vendors
to make sure you understand what data was stored there and whether it
was possibly compromised,” Wong said.

Extortion effort

An unusual aspect of this attack, Wong said, is that the criminal
gangs used the stolen information as leverage to pressure employees to
pay to prevent more data from being made public.

Ransomware groups have been exfiltrating stolen data and posting some
of it on the dark web to motivate companies to pay ransom since late
2019. In most such cases during the past year, they would start
shutting down systems and encrypting data, then start using the stolen
data for extortion.

In this case, there was data theft and extortion, but no encryption of
files. This could be because the hackers were unable to obtain access
to the entire corporate network.

“They're slowly extorting victims a couple at a time,” Wong said.
“They probably have more victims to try to extort money from than they
actually have time. There were some that came out in December and
January, and three more came out in early March. So it seems like
they're trying to take their time, and try to maximize the amount of
money that they're going to get out.”

Like demands for ransom, extortion is exceedingly tricky to deal with.

“The best answer is, the organization should never pay because that
incentivizes cybercrime,” Callow said. “If nobody paid, the attacks
would stop. But realistically, when companies are faced with the
choice of either having their data exposed to the public or losing
access to it permanently, the answer may not be so obvious.”

Typically in such attacks, hackers make a copy of an organization’s
data, which they keep, and encrypt the company’s version of it so it
becomes inaccessible, Callow said.

If a company pays the criminals to prevent its data from being
published, “all they receive is a pinkie promise from the criminal
that they won’t do this,” Callow said. And some organizations have
been extorted twice with the same set of data, he said.

There doesn’t seem to be a playbook yet for what to do when you’re extorted.

“It's a very challenging situation for victims of cyberattacks and
extortion, because companies want to protect their customers, so they
can at least notify them and encourage them to take some measures to
try to protect themselves, by checking their credit reports and
whatnot,” Wong said. “At the same time, when you're looking at
potentially paying off these criminals, nobody wants to do that. It
just sounds so bad. And if you pay these guys, it's like adding fuel
to the fire — you're just encouraging them to commit more crimes.”

U.S. bank regulators have also warned banks that some cybercriminals
are associated with terrorist organizations.

“If a bank makes a payment, wittingly or unwittingly, to a terrorist
organization like that, that's a federal crime,” Wong said. “It's a
very difficult situation, because if you don’t pay, invariably what
the attacker will do is start releasing data, which potentially can
cause some harm to customers. As the bank, the best thing you could do
is find out what data was there, do forensic analysis, and then notify
customers.”

Red-teaming, other defensive tactics

Two defensive tactics banks can use to try to avoid falling victim to
a breach like this one are red-teaming — simulating attacks to measure
how well you are prepared to respond — and threat-hunting.

“The premise behind threat-hunting is to assume you are already
compromised and have a team comb your systems for what the compromise
is,” Silberstein said. “To do this effectively, cyberdefense teams
should understand the current threat actors targeting the sector and
their attack strategies. FS-ISAC produces intelligence reports for
security testers that detail attack scenarios that they can use
internally to detect the same malicious behaviors.”

Most banks do have these kinds of defense tactics in place, Callow said.

“Ransomware attacks are very common across most sectors, but it's
quite rare for U.S. banks to be affected,” Callow said. “And that's
because generally they do have quite good security.”

Some banking regulations, for instance from the New York State
Department of Financial Services and the interagency Federal Financial
Institutions Examination Council, recommend vulnerability testing,
network scans and annual penetration tests as well as red teaming.

Such efforts might not necessarily catch a zero-day vulnerability,
Wong cautioned. A best practice is to “build computer systems assuming
that part of your network might get hacked, your network is not always
going to be perfect. The attackers are going to be able to find some
cracks, but what you want to be able to avoid is a small flare-up
turning into something that burns down the entire building.”

Another best practice is to constantly audit and test controls, Wong said.

“It would be like making sure all your locks are locked in, your
windows are closed before you go to bed at night,” Wong said. “You
want to be able to check that before you go to sleep, make sure you
have a good lock that can't be picked.”

Many banks share information about their attacks as soon as they can
with organizations like the FS-ISAC.

“If you subscribe to those sources and you get that information
quickly, you could be able to be proactive at either identifying the
attacks or knowing that they're coming, and mitigate it before it
happens,” Wong said.

A standard breach response for banks is to provide customers with free
credit monitoring for a year, so in theory they can see if their
account data is being used to take out loans or credit cards.

Some say a year is not enough.

“Some groups have said: ‘Go ahead and do that. We'll just sit on this
data for a year and then defraud your customers,’ ” Callow said.
