Fintech firm Finastra is investigating a cybersecurity breach related to one of its file transfer systems, and experts have told ITPro that this highlights an important issue for organizations.
Finastra first detected suspicious activity on an internally hosted Secure File Transfer Platform (SFTP) on November 7, according to a statement first reported on and shared by cybersecurity journalist Brian Krebs.
The following day, a threat actor on the dark web claimed to have data exfiltrated from Finastra, which provides services to 45 out of the top 50 banks globally.
The situation has no direct impact on customer operations, customer systems, or the firm’s ability to serve customers, Finastra said, and the organization has brought in an alternative SFTP while investigations are ongoing.
Finastra said the affected system has been isolated while the investigation takes place, adding that it believes the incident is limited to the system in question and there is no evidence to suggest lateral movement beyond it.
While the root cause has not yet been fully identified, Finastra added, initial evidence suggests that compromised credentials are to blame for the attack.
Paige Mullen, product manager at cyber defense from ACDS, told ITPro that, similar to a recent breach at MOVEit over the summer, this incident points to the importance of transfer tooling.
“Just like we saw last year with the MOVEit vulnerability that had massive volumes of records stolen across different corporate users of their file transfer system, weak and improperly managed file transfer tooling is still an active attack vector,” Mullen said.
The MOVEit breach involved an authentication flaw that could allow an attacker to bypass SFTP authentication processes, according to a security advisory from Progress Software at the time.
“It is imperative that companies do proper due diligence when putting loads of corporate data (including customer data) into systems that have internet-accessible capabilities or remote access functions,” Mullen said.
“We saw a different flavor of this with the data breaches from the Snowflake data platform: administrators of demo accounts had not implemented Multifactor Authentication but still put reams of live customer and production data in these accounts,” she added.
Mullen explained that it is the responsibility of vendors to require multi-factor authentication (MFA) by default, while it is the responsibility of buyers to validate whether or not a vendor has made their product secure.
