The financial technology company Finastra is investigating allegations of a major data theft from its internal file transfer facility, KrebsOnSecurity has learned. Finastra, which provides software and services to 45 of the world’s top 50 banks, has notified customers of a security incident after a hacker began selling more than 400 gigabytes of data allegedly stolen from the company.
London-based Finastra has offices in 42 countries and reported $1.9 billion in revenue last year. The company employs more than 7,000 people and serves approximately 8,100 financial institutions worldwide. A large part of Finastra’s daily business involves processing large volumes of digital files containing wire and bank transfer instructions on behalf of its clients.
On November 8, 2024, Finastra informed its financial institution customers that on Nov. 7 its security team had detected suspicious activity on Finastra’s internally hosted file transfer platform. Finastra also told customers that someone had started selling a large number of files allegedly stolen from its systems.
“On November 8, a threat actor communicated on the dark web claiming to have data extracted from this platform,” reads Finastra’s disclosure, a copy of which was shared by a source in one of the client companies.
“There is no direct impact on customer performance, our customer plans, or Finastra’s ability to serve our customers at this time,” the notice continued. “We have used another secure file-sharing platform to ensure continuity, and the investigation is ongoing.”
But its notice to customers indicates that the hacker was able to extract or “exfiltrate” an unspecified volume of customer data.
“The threat actor did not use malware or tamper with any customer files on the site,” the notification read. “Furthermore, no files were viewed or accessed other than those that were exfiltrated. We are still focused on determining the scope and nature of the data contained within the extracted files.”
In a written statement in response to questions about the incident, Finastra said it “actively and transparently responded to our customers’ questions and informed them of what we were doing and did not know about the information sent.” The company also shared an updated communication with its customers, saying that while it is still investigating the cause, “initial evidence points to compromised credentials.”
“Additionally, we have been sharing Indicators of Compromise (IOCs) and our CISO has been speaking directly with our customers’ security teams to provide updates on investigations and our eDiscovery process,” the statement continued. Here’s what they shared:
“In terms of eDiscovery, we analyze the data to determine which specific customers were affected, while at the same time checking and communicating which of our products do not rely on the specific version of the SFTP platform that was compromised. The affected SFTP platform is not used by all customers and is not the default platform used by Finastra or its customers to exchange data files associated with our broad suite of products, so we are working as quickly as possible to reach affected customers. However, as you can imagine, this is a time-consuming process because we have many large customers who use different Finastra products in different parts of their business. We prioritize accuracy and transparency in our communications.
Importantly, for any customers who appear to be affected, we will be contacting them and working with them directly.”
On Nov. 8, a hacker using the nickname “abyss0” posted to the English-speaking cybercrime community BreachForums that they had stolen the files of some of Finastra’s major banking clients. The data auction did not specify a starting price or a “buy it now” price, but said that interested buyers should contact them on Telegram.
According to screenshots collected by the cyber intelligence platform Ke-la.com, abyss0 first tried to sell data allegedly stolen from Finastra on October 31, but that earlier sales thread did not mention the victim company by name. However, it referred to many of the same banks named as Finastra customers in the Nov. 8 post on BreachForums.
The October sales thread also listed a starting price: $20,000. By November 3, that price had been reduced to $10,000. A review of abyss0’s posts on BreachForums shows that this user has offered to sell stolen data from over a dozen other breaches in the past six months.
The apparent timeline of the breach suggests that abyss0 gained access to Finastra’s file-sharing system at least a week before the company says it first detected suspicious activity, and that the Nov. 7 activity mentioned by Finastra may have been the hacker coming back to extract more data.
Maybe abyss0 found a buyer who paid for an early retirement. We may never know, because this person has effectively disappeared. The Telegram account listed as abyss0’s contact in the sales listing appears to have been suspended or deleted. Likewise, abyss0’s account on BreachForums is gone, and all of their sales threads have disappeared.
It seems unlikely that both Telegram and BreachForums would have booted this user at the same time. The simplest explanation is that someone has gone crazy enough to throw away a number of pending sales opportunities, in addition to well-executed cybercrime.
In March 2020, Finastra was attacked by ransomware that sidelined a number of the company’s key businesses for days. According to a report from Bloomberg, Finastra was able to recover from that incident without paying a ransom.
This is a developing story. Updates will be noted with time stamps. If you have more information about this incident, please contact krebsonsecurity @ gmail.com or protonmail.com.