Chase Attackers Exploited Basic FlawsHackers Compromised Server that Had Only Basic Authentication
The JPMorgan Chase breach that began this past spring might have been prevented, if the bank's information security team hadn't failed to upgrade a sensitive server to require two-factor authentication controls.
While the bank's IT department upgraded every other critical server to require multi-factor access controls, attackers successfully exploited the one server that the security team overlooked, after which they gained access to more than 90 of the bank's servers, according to a report published by The New York Times.
The report, which cites unnamed sources with knowledge of the investigation, also notes that the attack began after hackers stole a Chase employee's access credentials through a spear-phishing attack, and then broke into a third-party website used by Chase to promote a charitable race that it sponsors.
Eventually, the compromise provided hackers access to more than 90 internal bank servers, The Times reports. The attack was both detected and blocked by the bank in August.
Chase's oversight highlights the importance of keeping an accurate inventory of every critical enterprise system, Dublin-based information security consultant and Europol cybersecurity advisor Brian Honan tells Information Security Media Group. "Having up-to-date registries of where your sensitive data is - and where that data is located - is essential to ensuring you can protect that data," he says. "If you do not know what you have or where it is, how can you expect to protect it properly?"
But Chris Pierson, an attorney and chief security officer for business-to-business payments provider Viewpost, says the real problem in this case is not that Chase overlooked dual-factor authentication on one of its servers, but rather that attackers successfully targeted one of the bank's employees.
"The broader issue here is one not specific to [Chase], but to all companies," Pierson says. "The greatest weakness for all security is how to keep users who click on links from causing damage without slowing down business. Sandboxing, using VMs [virtual machines], and other technologies exist to mitigate these risks; but as we see, they are not deployed everywhere and the threat of phishing still exists."
Sophisticated social-engineering techniques fool employees at leading firms and banks throughout the world every day, he adds. "This is still the easiest and most-used method to break into companies and gain access to systems that are protected," Pierson says (see Russian Ring Blamed for Retail Breaches).
A JPMorgan Chase spokeswoman declined to comment about The Times report. But the bank has repeatedly said that its data breach, which exposed information related to 76 million households and 7 million small businesses, did not include the loss of any sensitive financial information. Only customer e-mail passwords, home addresses and phone numbers were exposed, according to Chase.
"These criminals accessed customer contact information, but no account information," Patricia Wexler, a Chase spokeswoman, tells Information Security Media Group. "We have seen no evidence of fraud as a result of this."
Simple Flaw Exploited
The report that the Chase attackers exploited a relatively simple error ends speculation that the attack might have been the work of a gang that was wielding advanced and previously unseen zero-day vulnerabilities. The attack is also notable in that even with access to numerous bank systems, the attackers did not deploy destructive wiper malware - as seen in the recent Sony Pictures attack - against the bank's PCs or servers.
The bank reportedly detected the breach after finding attackers had infiltrated its JPMorgan Chase Corporate Challenge charitable race website, and launched a related, bank-wide investigation, which found that the bank's own network had likewise been hacked, after attackers infiltrated the server that wasn't secured using two-factor authentication.
Security experts have long warned that network attackers typically look for the easiest possible way to hack into a network, preferring simple exploits to advanced attacks. Or in the words of the 2013 Data Breach Investigations Report from Verizon: "Would you fire a guided missile at an unlocked screen door?"
One immediate takeaway for all businesses is that they must actively look for and catalog all network-connected systems that store sensitive data, says Honan, who heads Ireland's computer emergency response team, referring to outdated or overlooked systems. "Regular audits and network discovery exercises are important to ensure all systems are properly identified," he says. "One great source of such data that companies often overlook is their DNS servers which can highlight the carious [outdated] devices on a company's network."
The FBI and Secret Service have said they're both participating in the Chase breach investigation. The bank reportedly also brought in a number of digital forensic investigation firms to assist, including CrowdStrike, FireEye and Stroz Friedberg. All have declined to comment. The National Security Agency is also assisting with the JPMorgan Chase investigation, The Times reports, on the basis that the institution comprises part of the U.S. critical infrastructure.
State attorneys general for Connecticut and Illinois are investigating the breach, Reuters reports, as are federal prosecutors, led by the U.S. Attorney for Manhattan, Preet Bharara.
Attribution Is Tough
In the wake of the FBI attributing the recent Sony Pictures Entertainment wiper malware and data-stealing attack to North Korea, the JPMorgan Chase breach investigation offers a cautionary lesson in attempting to attribute attacks too quickly. Notably, Bloomberg - which first reported the news of the Chase breach - also reported in August that unnamed "people familiar with the probe" reported that the Chase attack was the work of "Russian hackers," perhaps as revenge for U.S.-led sanctions imposed on Russia over its actions in the Ukraine (see Report: Russians Hack JPMorgan Chase).
At the time, however, multiple information security experts voiced skepticism over those conclusions, especially coming so early in the investigation. And by mid-October, the FBI ruled out the Russian government as a suspect in the JPMorgan Chase breach.
"Yet again we see attribution given in the wake of an attack from 'unnamed sources close to the investigation' proven to be wrong," Honan says. "Laying blame and accusing others, be they nation states, hacktivist groups or individuals, is a dangerous game to play."
To date, the true culprit behind the Chase hack has yet to be identified, The Times reports.
Executive Editor Tracy Kitten also contributed to this story.