Data Breaches on the Rise in Financial Services

By Jacob Serpa, Product Marketing Manager, Bitglass

Financial services organizations are a prime target for hackers looking to steal and sell valuable data, because these firms handle personally identifiable information (PII) as well as other sensitive financial data. In Financial World: Breach Kingdom, Bitglass’ latest financial breach report, the Next-Gen CASB reveals the state of security for financial services in 2018. Read on to learn more.

The rise of financial services breaches

2018 has seen the number of financial services breaches reach new heights, and there are likely several reasons for this. Some organizations may rely too heavily on existing cybersecurity infrastructure and find it difficult to justify additional spending in light of what they have already sunk into security. Other firms may simply overestimate what traditional endpoint and premises-based tools can do to protect data from evolving threats. Regardless, the fact remains that the number of financial services breaches in 2018 was nearly three times the number in Bitglass’ previous (2016) report.

Malware leads the pack

In prior years, the causes of financial services breaches were fairly diverse. Lost or stolen devices and hacking each caused about 20 percent of breaches, while unintended disclosures and malicious insiders were responsible for 14 percent and 13 percent, respectively.

However, this year saw a massive shift in the balance of power. Nearly three quarters of all financial services breaches in 2018 were caused by malware or hacking. This seems consistent with headlines over the last year – ransomware, cloud cryptojacking, and highly specialized malware variants have dominated the news when it comes to breaches.

What to do?

In financial services, far more must be done to secure sensitive information. While it is imperative that the enterprise can protect data against any threat, it is now clear that defending against malware deserves special attention. This is particularly true in light of the rise of cloud and BYOD. More devices and applications are storing and processing data than ever before, creating more opportunities for malware to infect the enterprise. Fortunately, there are appropriate solutions available.

To learn more about the state of cybersecurity in financial services, download Financial World: Breach Kingdom.

Bitglass Security Spotlight: LinkedIn, Vector, and AWS

By Jacob Serpa, Product Marketing Manager, Bitglass

Here are the top cybersecurity stories of recent weeks:

—LinkedIn security gap exposes users’ data
—Vector app reveals customers’ information
—AWS misconfiguration makes LocalBlox user information public
—New malware steals data via power lines
—Banking apps deemed the most unsecured

LinkedIn security gap exposes users’ data
LinkedIn’s AutoFill feature was recently found to be easily exploitable. The feature lets users have form fields on other websites populated automatically with information from their LinkedIn profiles (for rapid registrations and logins, for example). Researchers realized that a malicious website could trigger AutoFill itself, regardless of where on the page a visitor clicked, and so harvest that profile information.

Vector app reveals customers’ information
New Zealand energy company Vector developed an app intended to keep customers informed about the status of their power, for example by estimating when power would return during an outage. Unfortunately, the app didn’t deliver the functionality the company intended, and it also made all of its users’ information (including home addresses) accessible to anyone who downloaded it.

AWS misconfiguration makes LocalBlox user information public
Another AWS misconfiguration has exposed the personal information of 48 million individuals. LocalBlox, which aggregates information from public online profiles, was found to be leaking Twitter, Facebook, and LinkedIn data through an unsecured AWS S3 bucket. The leaked information included email addresses, job histories, and in some cases IP addresses.

New malware steals data via power lines
PowerHammer, a newly demonstrated form of malware, steals data in an unexpected way: it modulates an infected computer’s power consumption so that the data can be read from the power cables feeding the machine, even when it is not connected to any network.

Banking apps deemed the most unsecured
A recent study found that banking applications are typically the most vulnerable type of cloud app. Although these services are used by hundreds of millions of people, they consistently contain security flaws that leave them open to attack.

Learn more about cloud access security brokers (CASBs) and how they can help you secure data in our cloud-first world with the Definitive Guide to CASBs.

baseStriker: Office 365 Security Fails To Secure 100 Million Email Users

By Yoav Nathaniel, Customer Success Manager, Avanan

We recently uncovered what may be the largest security flaw in Office 365 since the service was created. Unlike attacks whose signatures can be learned and blocked, this vulnerability lets hackers bypass all of Microsoft’s security, including its advanced services such as ATP and Safelinks.

The name baseStriker refers to the method hackers use to take advantage of this vulnerability: splitting and disguising a malicious link using the HTML <base> tag.

So far we have only seen hackers use this vulnerability to send phishing attacks, but it is also capable of distributing ransomware, malware and other malicious content.

How a baseStriker Attack Works

The attack gets a malicious link that would ordinarily be blocked by Microsoft past its security filters by splitting the URL into two snippets of HTML: a <base> tag carrying the first part of the URL and an ordinary href carrying the rest. The two examples below show the difference.

Traditional phish: this HTML email would be blocked because the URL is known to be malicious.

When scanning this, Office 365 sees the malicious URL, looks it up against a list of known bad links, and blocks it. Safelinks, for customers who purchased ATP, also replaces the URL with a Safelinks URL and prevents the end user from reaching the phishing site.

Phish using the baseStriker method: this email presents the same malicious link to the end user but is let through, because the email filters do not handle the <base> tag correctly.

In this example, Office 365 performs the lookup only on the URL in the <base> tag and ignores the relative URL in the href in the body. Because only part of the URL is checked, it does not appear in the malicious URL database and the email is let through. Furthermore, Safelinks does not rewrite the link, so the user receives the original malicious link and can click straight through to the phishing page.

In a nutshell, this attack method is the email equivalent of a virus that blinds the immune system: even if the attack is already known, Microsoft has no way to see it and lets it through.
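To make the mechanism concrete, the following is an added example written for this page; it is not Avanan’s code and not Microsoft’s filter. It builds the two kinds of email described above from constructed HTML, runs a hypothetical naive scanner that checks each href exactly as written (a stand-in for the behaviour the post attributes to Office 365, not its actual implementation), and then a hardened scanner that resolves every href against the <base> URL before the blocklist lookup. The domain phish.example.test and the blocklist entry are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin

# Constructed sample data: a blocklist of known-bad full URLs, standing in for
# the "list of known bad links" the post says Office 365 consults.
BLOCKLIST = {"http://phish.example.test/login/office365.html"}

# Constructed: a traditional phish carries the complete URL in the href.
TRADITIONAL_PHISH = """<html><body>
<a href="http://phish.example.test/login/office365.html">Review your mailbox</a>
</body></html>"""

# Constructed: the baseStriker form splits the very same URL across a <base>
# tag and a relative href. A renderer joins them; a naive filter does not.
BASESTRIKER_PHISH = """<html><head>
<base href="http://phish.example.test/login/">
</head><body>
<a href="office365.html">Review your mailbox</a>
</body></html>"""


class LinkExtractor(HTMLParser):
    """Collect the <base href> and every <a>/<area> href in the document.

    Only the first <base href> is kept: the HTML specification ignores any
    later ones, so that is what a renderer will use. The tag is accepted
    wherever it appears, because mail clients are more permissive than
    browsers about <base> outside <head>.
    """

    def __init__(self):
        super().__init__()
        self.base = None
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if href is None:
            return
        if tag == "base" and self.base is None:
            self.base = href.strip()
        elif tag in ("a", "area"):
            self.hrefs.append(href.strip())


def naive_links(html):
    """Hypothetical naive scanner: returns hrefs exactly as written, ignoring <base>."""
    parser = LinkExtractor()
    parser.feed(html)
    return parser.hrefs


def resolved_links(html):
    """Hardened scanner: resolves each href against the <base> URL, as a renderer would."""
    parser = LinkExtractor()
    parser.feed(html)
    if parser.base is None:
        return parser.hrefs
    return [urljoin(parser.base, href) for href in parser.hrefs]


def is_blocked(links, blocklist=BLOCKLIST):
    """True if any extracted link is on the blocklist."""
    return any(link in blocklist for link in links)


if __name__ == "__main__":
    for name, html in (("traditional", TRADITIONAL_PHISH), ("baseStriker", BASESTRIKER_PHISH)):
        print(name, "naive:", is_blocked(naive_links(html)),
              "resolved:", is_blocked(resolved_links(html)))
```

Two points carry over from this into a real filter: resolve every href against <base> before any blocklist lookup or Safelinks-style rewriting, not after, and apply the same resolution when the <base> tag sits in the body rather than the head, since mail renderers honour it there too. Checking the base URL alone, as the post describes, is exactly the naive path above.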

Are you vulnerable?

We have tested the vulnerability on several configurations and found that anyone using Office 365, in any configuration, is vulnerable. If you are using Gmail, you don’t have this issue. If you are protecting Office 365 with Mimecast, you are secure. Proofpoint, however, is also vulnerable, so if you are using Proofpoint you have this problem too.

Here’s a summary of our findings:

I am using:                          Am I vulnerable to baseStriker?
Office 365                           Yes – you are vulnerable
Office 365 with ATP and Safelinks    Yes – you are vulnerable
Office 365 with Proofpoint MTA       Yes – you are vulnerable
Office 365 with Mimecast MTA         No – you are safe
Gmail                                No – you are safe
Gmail with Proofpoint MTA            Still in testing; will be updated soon
Gmail with Mimecast MTA              No – you are safe
Other configurations not listed?     Contact us if you want help testing it

What can you do?

As of the time of writing there is no fix, so there is no configuration change you can make in Office 365. We have notified Microsoft and Proofpoint and will update this post if we learn more.

Because this vulnerability is already known to hackers, an immediate first step would be to notify your end-users and reinforce the risk of phishing attacks.

We recommend that customers enable multi-factor authentication to make account takeover harder. This will not protect against malware or other types of phishing, but it will help against credential harvesting.

Finally, for users of both Gmail and Office 365, even if you are not vulnerable to this particular attack, we always recommend adding a layer of email security for malware, phishing, and account takeover to protect against the sophisticated attacks that the default security does not block. This is not the first attack to find a way past default security measures, and it will not be the last.

Updates

  • 5/1/2018: Avanan identified that attackers are leveraging a critical vulnerability in the Microsoft Office 365 email service that allows them to completely bypass O365’s built-in security
  • 5/2/2018 11:00am: Avanan reported this issue to Microsoft
  • 5/2/2018 11:00am: Avanan tested Gmail and it does not suffer from this vulnerability
  • 5/2/2018 11:30am: Avanan tested Mimecast and Proofpoint.
    • Mimecast is fine.
    • Proofpoint has the same vulnerability. Therefore, if you use Proofpoint you are not protected. We informed Proofpoint at 11:44am EDT on May 2nd, 2018.

The Early Bird Gets the Virus

By Kevin Lee, Systems QA Engineer, Bitglass

Most people have heard the proverb, “The early bird gets the worm.” The part many haven’t heard is the follow-up: “But the second mouse gets the cheese.” The second proverb makes a lot of sense when applied to the current state of virus and malware detection.

Today, most established virus and malware detection services use a signature-based method: they scan files against lists of known malware signatures. This works well against known malware. However, as with the mice in the proverb above, someone has to spring the trap before the cheese can be taken. Enterprises using these solutions must simply hope that other organizations encounter new malware first, so that the lists of dangerous signatures can be updated.

A further problem with these tools is the strictness of their signature matching. They search for highly specific hashes or byte patterns generated from the contents of known malicious files. Unfortunately, it is extremely easy to create new variants with new signatures by changing even minor aspects of an attack; a small edit to a file containing a threat can alter its signature enough that signature-based tools no longer detect it. As a result, the signature-based method is always reactive and a step too slow.

More and more, organizations are turning to behavior-based anti-malware solutions. The advantage of these detection methods is that they don’t require a sacrificial lamb (or mouse) to establish that a file is dangerous. Instead, they scrutinize large numbers of file characteristics and behaviors to identify threats. Because they don’t depend on signatures, they cannot be fooled as easily by altered variants of existing malware. The conclusion is simple: when implemented and used effectively, a solution capable of detecting zero-day malware should make any early bird, mouse, or human feel safe.

To learn more about cloud access security brokers and true advanced threat protection, download Bitglass’ Malware P.I. report.