Executive Summary
This report presents a case study of a security incident uncovered by SVigil, CloudSEK’s Digital Supply Chain Security platform, at an HRMS software provider serving a prominent bank and its subsidiaries.
In a chilling wake-up call for cybersecurity in the financial sector, a seemingly harmless mistake by a support employee at an HRMS (Human Resource Management System) software provider has triggered a data breach exposing sensitive information of a prominent bank and its subsidiaries.
- The story begins with a downloaded crack. A regional support employee, seeking a shortcut, installed unauthorized software, unaware of the malware lurking within. This "info stealer" malware, operating like a digital pickpocket, silently snatched the employee's credentials, granting unauthorized access to a treasure trove of sensitive data.
- With admin-level privileges, the attackers gained a panoramic view of the bank and its subsidiaries, encompassing Asset Management Companies, Mutual Funds, Lending/Loan operations, Stocks Trading, and Life Insurance. Imagine a hacker peering into the bank's inner workings, able to view and manipulate the very information that keeps its financial heart beating.
- But the stolen data went beyond mere numbers. Personal and professional details of employees, including names, emails, and even potentially identification numbers, were laid bare. Employee codes, the keys to internal systems, were exposed, granting attackers the potential to escalate their access and wreak further havoc.
The consequences of this breach are far-reaching. Let's dive deep to understand how the breach happened.
Step-by-Step Process of the Security Breach
- Downloading Cracked Software: The security breach began when a support employee of the HRMS (Human Resource Management System) software provider for a prominent bank and its subsidiaries downloaded cracked software. Cracked software refers to illegal versions of paid software, often available on the internet for free. In this case, the employee sought unauthorized access to licensed software by downloading a cracked version.
- Infection with Info Stealer Malware: Unbeknownst to the employee, the cracked software they downloaded was infected with an information stealer malware. This type of malware is designed to infiltrate a victim's computer and gather sensitive information, such as usernames, email addresses, passwords, and more. The malware operates silently in the background, making it difficult for the user to detect.
- Unauthorized Access to HRMS Data: With the malware now resident on the employee's computer, it began to collect sensitive data from the infected system. The malware had the capability to record keystrokes, capture login credentials, and access stored information.
- Leakage of Credentials to Dark Web: As the malware continued to collect data, it exfiltrated the stolen information, including login credentials, to a remote server controlled by the attackers. This server was likely located on the dark web, a hidden part of the internet where illegal activities often take place.
- Unauthorized Users Gain Access: With the stolen login credentials, unauthorized users gained access to the HRMS system of the bank and its subsidiaries. This access allowed them to view and manipulate sensitive HRMS data related to various financial activities, including Asset Management Companies (AMC), Mutual Funds, Lending/Loan, Stocks Trading, and Life Insurance.
- Exploitation of Account Takeover Functionality: The attackers exploited built-in account takeover functionality within the HRMS system. This functionality allowed them to gain unauthorized access to user accounts, hijack active sessions, clone accounts, elevate their privileges, and conduct targeted social engineering attacks within the system.
- Password Changes Without Authentication: The unauthorized access and account takeover functionality also enabled the attackers to change passwords without proper authentication. This led to the exposure of Personally Identifiable Information (PII) of employees due to unauthorized password changes, further compromising the security of the HRMS system.
- Compromise of Internal Messages: As the attackers gained control over the HRMS system, they were able to compromise internal messages within the organization. This included sensitive communication related to identity theft, unauthorized access, data tampering, and even payroll fraud.
- Data Risk and Legal Implications: The consequences of this breach were significant, resulting in data risk such as identity theft, unauthorized access, data tampering, and payroll fraud. The exposure of sensitive information had legal and regulatory implications for the bank and its subsidiaries, posing a serious threat to their operations and financial stability.
What is information stealer malware?
An information stealer is a type of malware that cybercriminals use to gather sensitive details, for example, information related to the victim's credentials (usernames, email addresses, passwords), financial information like credit card details, bank account numbers, etc.
The info stealer involved in this incident operates on a MaaS (malware-as-a-service) model and is sold on underground forums under subscription plans priced at $275/month or $125/week. Through its Telegram channel, the malware can be purchased with Bitcoin, Ethereum, XMR, LTC and USDT.
Recommendations
- Invalidate all the exposed credentials and notify the employee about the malware infection.
- Isolate the compromised computer and verify the successful quarantine or removal of the malware to ensure the device's security.
- Review access logs for potential data exfiltration/manipulation and backdoors.
- Conduct a Root Cause Analysis (RCA) of the malware infection to uncover its origins and implement preventive measures against future infections.
- Educate employees on the importance of avoiding untrusted links, email attachments, and unverified executable files.
- Enforce a strong password policy and change passwords on a periodic basis.
- Encourage employees not to store passwords in their web browsers.
- Keep the security team well-informed about the current Tactics, Techniques, and Procedures (TTPs) employed by ransomware groups to achieve their objectives.
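One way to operationalise the log-review recommendation above, as an added example that is not part of the original report: a small triage script over constructed HRMS audit log lines (the log format, user names and IPs are hypothetical) that flags the indicators seen in this incident, namely successful logins from a source IP never used by that account before, privilege changes, and password changes performed by a different account or without a recent authenticated session on the target account.

```python
from datetime import datetime, timedelta

# Constructed sample lines (not real logs): "<timestamp> <user> <event> <src_ip> [key=value ...]"
SAMPLE_LOG = """\
2024-01-10T08:02:11 support01 login_ok 10.20.30.40
2024-01-10T08:05:43 support01 login_ok 10.20.30.40
2024-01-10T22:14:07 support01 login_ok 203.0.113.9
2024-01-10T22:15:30 support01 privilege_change 203.0.113.9 role=admin
2024-01-10T22:17:02 emp1042 password_change 203.0.113.9 by=support01
2024-01-11T09:01:55 emp2077 login_ok 10.20.30.77
2024-01-11T09:03:10 emp2077 password_change 10.20.30.77 by=emp2077
"""

def parse(log):
    """Turn the hypothetical log format into (time, user, event, ip, attrs) tuples."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, user, event, ip, *rest = line.split()
        attrs = dict(kv.split("=", 1) for kv in rest)
        events.append((datetime.fromisoformat(ts), user, event, ip, attrs))
    return events

def triage(log, window=timedelta(minutes=30)):
    """Return (timestamp, user, reason) findings for the account-takeover indicators."""
    findings = []
    known_ips = {}    # user -> set of source IPs seen in earlier successful logins
    last_login = {}   # (user, ip) -> time of the most recent successful login
    for ts, user, event, ip, attrs in parse(log):
        if event == "login_ok":
            seen = known_ips.setdefault(user, set())
            if seen and ip not in seen:  # account has a baseline, and this IP is outside it
                findings.append((ts, user, f"login from new source {ip}"))
            seen.add(ip)
            last_login[(user, ip)] = ts
        elif event == "privilege_change":
            findings.append((ts, user, f"privilege change to {attrs.get('role')} from {ip}"))
        elif event == "password_change":
            actor = attrs.get("by", user)
            if actor != user:  # reset performed by another account (admin takeover feature)
                findings.append((ts, user, f"password reset by {actor} from {ip}"))
            auth = last_login.get((user, ip))
            if auth is None or ts - auth > window:  # no authenticated session backs the change
                findings.append((ts, user, "password change without recent authenticated session"))
    return findings

if __name__ == "__main__":
    for ts, user, reason in triage(SAMPLE_LOG):
        print(ts.isoformat(), user, reason)
```

Feed real exports by replacing `SAMPLE_LOG` with the HRMS audit trail converted to the same five-field layout; the baseline of known IPs should then be seeded from a period before the suspected compromise.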