Reserve Bank breach: Ransomware gang involvement means risk of files being made public – expert

A US law firm caught up in the same data breach as the Reserve Bank has had some of its stolen files leaked online by a ransomware gang.

A security expert says that means it’s now possible that some of the RBNZ’s stolen files – described by the bank as “sensitive” – could now be leaked onto the internet.


Ransomware gangs typically make small amounts of data public in a bid to pressure a victim to pay millions for the return of the rest. That was the case with an attempt to blackmail F&P Appliances last year – although the whiteware maker refused to pay.

Hackers in mid-December breached the security of US company Accellion’s file-sharing service called FTA – used by the Reserve Bank and other customers to transfer large files.

Other organisations affected included Singapore’s largest phone company, SingTel, the Australian Securities and Investments Commission and the Washington State Auditor’s Office in the US.

Overnight, giant US law firm Jones Day – recently in the news for dropping high-profile client Donald Trump – confirmed to that it also lost files in the Accellion hack. The site said Jones Day files had been leaked online by a ransomware gang known as Clop that has been behind a number of high-profile cyber-heists. The Herald was shown links and screen shots indicating this was the case.

Clop later told the Wall Street Journal it had more than 100 gigabytes in files taken from Accellion customers.

A ZDNet report says Clop has a history of combing through stolen documents, looking for details that can be used to blackmail top managers.

'Up for grabs'

Brett Callow, a threat analyst with security company Emsisoft, told the Herald:
“If Clop was responsible for the attack on Accellion, it means that Clop may also be in the possession of data relating to RBNZ and the other Accellion customers.

“It also means that those organisations’ data may end up being posted online, as Jones Day’s data already has.”

Callow added, “Another possibility is that Clop bought the data for the purpose of extorting Jones Day, or came to a revenue-sharing agreement with the group responsible for the attack on Accellion. That’s no better though, as it would mean the data is up for grabs.”

Clop said in a statement to the Wall Street Journal earlier today that it contacted Jones Day on February 3, but that negotiations had yet to commence.

'Sensitive' RBNZ files stolen

The Reserve Bank has been asked for comment, and whether it has received a ransomware demand.

Earlier the bank said it had identified “sensitive” files that had been exposed in the data breach, and that it was talking to the parties concerned. The RBNZ has not said what information was exposed, however, or who it belonged to. It’s likely the Reserve Bank was using Accellion’s FTA (File Transfer Appliance) to share files with retail banks and insurance companies.

Today, a spokesman said it was unlikely the RBNZ would ever say what files were stolen, citing security reasons.

Service being axed

In another development, Accellion has announced it will phase out its FTA file-sharing service by April 30 this year.

Earlier, Accellion said it had been urging clients to move off the 20-year-old FTA and onto its newer, more secure, four-year-old Kiteworks service.

The RBNZ was told to move to Kiteworks by its own chief information officer in a May 2020 report on its IT systems, which also included the general assessment that the RBNZ had “high operational risk due to technical obsolescence and an underinvestment in security across many of the core technology platforms”.

He said, they said

On February 10, Reserve Bank Governor Adrian Orr challenged Accellion’s claim that it released a patch to all customers within 72 hours of discovering the FTA vulnerability. Orr said it was five days.

Accellion refused to comment on Orr’s timeline when approached by the Herald.

The most recent public statement by the company sticks with its claim of a fix being distributed within 72 hours of the initial breach, but adds the new information that attacks continued through December and into January.

“This initial incident was the beginning of a concerted cyberattack on the Accellion FTA product that continued into January 2021. Accellion identified additional exploits in the ensuing weeks and rapidly developed and released patches to close each vulnerability,” the company says.

An Accellion spokesman would not comment this morning on reports of ransomware gang Clop’s involvement or elaborate further on its timeline.

In the meantime, the RBNZ has gone on the front foot, expanding Orr’s comments into its own timeline (below).

Callow says the only thing we can be sure of is that more attacks lie ahead.

“Data theft is becoming increasingly problematic. More than 1300 organisations had data stolen and published in 2020,” the threat analyst told the Herald.

“The incidents affected organisations in all sectors – including healthcare, law enforcement, governments, defence – and resulted in extremely sensitive information being posted online.”

Accellion data breach: the Reserve Bank's timeline

• In mid-December, Accellion FTA users in other countries started being attacked.

• Accellion released a patch to address the vulnerability on December 20, 2020, but failed to notify the bank it was available.

• Breach against the bank occurred on December 25, 2020, and a number of files were illegally downloaded.

• There was a period of five days from the patch on December 20 until December 25 when the breach occurred, during which the bank would have applied the patch if it had been notified it was available.

• In early January, the Reserve Bank patched and secured the Accellion FTA, became aware of the breach, and closed the system.

The bank says it is aware of shortcomings within its processes and systems. An independent review by KPMG is underway.
