Full Report
The financial technology firm Finastra is investigating the alleged large-scale theft of information from its internal file transfer platform, KrebsOnSecurity has learned. Finastra, which provides software and services to 45 of the world's top 50 banks, notified customers of a potential breach after a cybercriminal began selling more than 400 gigabytes of data purportedly stolen from the company.
Analysis Summary
# Incident Report: Finastra Alleged Large-Scale Data Exfiltration via File Transfer Platform
## Executive Summary
The financial technology firm Finastra is investigating a situation where a threat actor, "abyss0," allegedly stole over 400 GB of data from its internally hosted file transfer platform. The incident was discovered on November 7, 2024, when suspicious activity was flagged, leading to the public sale of data shortly thereafter. The primary attack vector appears to be compromised credentials, although the full scope of customer data exfiltrated remains under investigation. Finastra has contained the immediate threat by switching to an alternative secure platform and is working to notify affected customers directly.
## Incident Details
- Discovery Date: November 7, 2024
- Incident Date: Threat actor accessed the platform potentially as early as October 31, 2024.
- Affected Organization: Finastra
- Sector: Financial Technology (Fintech)
- Geography: Global operations (with headquarters in London)
## Timeline of Events
### Initial Access
- Date/Time: Potentially as early as October 31, 2024
- Vector: Compromised credentials, leading to access of the file transfer platform.
- Details: Threat actor "abyss0" began advertising data allegedly stolen from Finastra customers on October 31, initially without naming the victim, for a starting price of $20,000.
### Lateral Movement
- *Not explicitly detailed*, but the attacker gained access to the internally hosted file transfer platform and was able to exfiltrate customer data files.
### Data Exfiltration/Impact
- Date/Time: Active around November 7, 2024.
- Details: Over 400 GB of data purportedly belonging to Finastra clients was stolen. The threat actor began actively selling this data on BreachForums on November 8, 2024.
- Impact: Unspecified volume of customer data exfiltrated. No malware was deployed, and customer files were not tampered with, suggesting the compromise was limited to unauthorized data access and theft.
### Detection & Response
- Date/Time: November 7, 2024 (Detection); November 8, 2024 (Customer Notification)
- Details: Finastra’s security team detected suspicious activity on November 7. The company immediately notified affected financial institution customers on November 8. Response included implementing an alternative secure file sharing platform to ensure operational continuity.
## Attack Methodology
- Initial Access: Stolen or compromised credentials used to access the SFTP platform.
- Persistence: Not explicitly detailed, but access was maintained long enough for initial data staging (pre-Nov 7) and subsequent mass exfiltration (Nov 7).
- Privilege Escalation: Not specified.
- Defense Evasion: Not specified; no malware was deployed and no files were tampered with, suggesting the attacker operated within the permissions of the compromised credentials.
- Credential Access: Implied via compromised credentials.
- Discovery: Implied reconnaissance necessary to locate and stage high-value customer files.
- Lateral Movement: Contained to the file transfer platform environment.
- Collection: Gathering customer data files from the SFTP platform.
- Exfiltration: Data uploaded/transferred off the platform, leading to the public sale announcement.
- Impact: Data theft/confidentiality breach.
## Impact Assessment
- Financial: Ongoing investigation; specifics on direct costs undisclosed. (Previous 2020 ransomware incident recovery was successful without ransom payment.)
- Data Breach: Over 400 GB of data allegedly stolen, containing instructions for wire and bank transfers, impacting Finastra's financial services clients.
- Operational: Finastra implemented an alternative secure file-sharing platform, ensuring continuity; "no direct impact on customer operations" currently reported.
- Reputational: Significant, given the high-profile notification to 4,800 financial institutions and public dark web sale announcement.
## Indicators of Compromise
- *Note: Specific IOCs shared internally by Finastra with customers are not fully disclosed publicly in the source material.*
- Network indicators: Sales activity noted on BreachForums using the handle "abyss0."
- File indicators: Exfiltrated data volume exceeding 400 GB.
- Behavioral indicators: Suspicious activity detected on the internally hosted file transfer platform (SFTP). Threat actor selling data linked to known Finastra bank clients.
## Response Actions
- Containment measures: Implemented an alternative secure file sharing platform to ensure business continuity.
- Eradication steps: Ongoing investigation focused on determining the scope and nature of data loss. Sharing Indicators of Compromise (IOCs) with customers.
- Recovery actions: E-discovery process underway to analyze data and identify precisely which customers were affected. Direct communication established with CISO-to-CISO updates for confirmed victims.
## Lessons Learned
- The reliance on a specific, internally hosted file transfer platform (SFTP) presents a concentrated point of failure if credentials are compromised.
- The timeline suggests the attacker may have had unauthorized access to the system for at least a week before suspicious activity was formally detected (Nov 7).
- Transparency in initial communication (sharing notifications and IOCs) is key, even while the investigation is preliminary.
## Recommendations
- Immediately review and enforce Multi-Factor Authentication (MFA) across all platforms providing access to sensitive customer data, especially SFTP/file transfer services.
- Conduct thorough access reviews for the specific file transfer platform used to identify any dormant or misused credentials.
- Segment and restrict network access to the file transfer platform, ensuring only absolutely necessary systems and users can connect.
- Enhance monitoring on data transfer volumes and baseline activity on internal file transfer platforms to detect unusual egress activity faster.