Finastra Ransomware Attack
An In-Depth Look at the Situation. How Did Finastra Survive the Attack Without Paying?
The Finastra ransomware attack was aimed at the world’s third-largest financial services software provider in March 2020.
Finastra was formed through the merger of Misys and DH Corp. and, since June 2017, has provided a wide range of software and services across the financial services ecosystem, from retail and investment banking systems through to treasury, payments and cash management, and trade and supply chain finance, to name just a few offerings.
Finastra has 9,000 customers, including 90 of the top 100 banks globally; it employs over 10,000 people and has an annual revenue of close to $2 billion.
On March 20th, 2020, sources at two United States financial institutions alerted a cybersecurity writer that they had received a notice from Finastra. The notice said they should expect an “outage” that would imminently disrupt key services of the fintech company, particularly for North American clients, and pointed out that the cause could be a “potential security breach” that Finastra was investigating.
A few hours after communicating this message to its clients, Finastra issued another statement providing further details about the nature of the breach. This is where they revealed that they had suffered a serious ransomware attack.
Earlier today, our teams learned of potentially anomalous activity on our systems. Upon learning of the situation, we engaged an independent, leading forensic firm to investigate the scope of the incident. Out of an abundance of caution and to safeguard our systems, we immediately acted to voluntarily take a number of our servers offline while we continue to investigate.
At this time, we strongly believe that the incident was the result of a ransomware attack and do not have any evidence that customer or employee data was accessed or exfiltrated, nor do we believe our clients’ networks were impacted.
We are working to resolve the issue as quickly and diligently as possible and to bring our systems back online, as appropriate. While we have an industry-standard security program in place, we are conducting a rigorous review of our systems to ensure that our customer and employee data continues to be safe and secure. We have also informed and are cooperating with the relevant authorities and we are in touch directly with any customers who may be impacted as a result of disrupted service.
Bad Packets, a threat intelligence company, said that its internet-wide scans had found the fintech company running unpatched servers for a long time, leaving its systems exposed to attack.
Before the attack, Finastra appears to have been running outdated Pulse Secure VPN servers and outdated Citrix servers, both of which had severe vulnerabilities that were being mass-exploited at the time.
Finastra’s Course of Action
Finastra used an ‘isolation, investigation and containment’ approach: the company disconnected its affected servers while it contained the breach and, at the same time, conducted a rigorous review of its servers before restoring them on Monday morning.
As announced earlier, Finastra teams learned of potentially anomalous activity on our systems. Statement here as we continue to investigate: https://t.co/SQZKBNSR6C
— Finastra (@FinastraFS) March 20, 2020
They said their priority was ensuring the integrity of their servers before bringing them back online, and protecting their customers and data.
New kid on the block – RaaS – Ransomware as a Service
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) provided a list of outdated software with known vulnerabilities and available patches, and warned users:
Other than applying the patch and updates provided by the vendor, there is no viable workaround. Assuming that the use of client certificates or two-factor authentication (2FA) can prevent the CVE-2019-11510 pre-auth RCE vulnerability is nothing less than a misfortunate course of action and an undesired one, to say the least.
The National Security Agency provides details on relevant updates and on how to mitigate recent VPN vulnerabilities. Recently, CISA referred administrators to the following vendor advisories:
- Palo Alto Security Advisory PAN-SA-2019-0020
- FortiGuard Security Advisory FG-IR-18-384
- Pulse Secure Security Advisory SA44101
Meanwhile, the US Department of Homeland Security warned organizations that, as they transition to remote work because of COVID-19, they should heighten their attention to cybersecurity and take particular care of the VPNs their employees use.
What is Finastra doing now?
Finastra quickly recovered after the incident and, in 2021, became one of the partners that helped make the 2021 edition of the Hack to the Future hackathon possible.
It’s a well-known fact that fintech is one of the most innovative fields at the moment, attracting serious investment from banks, private equity, VC and government.
Finastra is the third largest fintech in the world, with 8,500 financial institutions as clients. We have opened up APIs to our clients’ core systems, to allow fintech app connectivity. Hack to the Future will use these APIs, to bring your new innovation to this audience and enable “tech for good.”
We truly believe that the future of finance is OPEN, and this hackathon embraces open. Students, fintech enthusiasts, financial institution developers, fintechs, tech developers, tech founders – all are welcome!