Last week, global bank Santander reported that a cyberattack had breached customer and employee data in Spain, Chile and Uruguay. The attackers stole the data from a database hosted by a third party, meaning the bank's own operations and systems were not affected. The compromised data did not include transaction data or credentials that would allow the criminals to perform transactions.
Santander has not disclosed the number of customers and employees affected. Data in other countries were not affected, the bank said.
This is the latest example of an IT supply chain attack against a bank, in which hackers break in through a technology provider rather than the bank's own systems. In February,
These kinds of attacks have gained greater attention from prudential regulators, who have looked to hold banks responsible for auditing their IT suppliers for adequate cybersecurity practices. At
"Reliance by banks on third-party service providers has grown considerably in recent years, and with that reliance comes the potential for greater cyber risk," Barr said. "It is ultimately the responsibility of banks to manage their third-party risk, and we have historically seen gaps in this regard."
This month, cyberattacks against IT supply chains and third-party vendors were a key subject of discussion at the RSA conference.
During another session, a panel of cybersecurity attorneys discussed lessons from recent supply chain attacks. One of the key takeaways from one such
Thousands of organizations, including at least 60 banks, had data compromised in the MoveIt breaches. Progress Software became so inundated with inquiries from victims during the fallout that the company could not keep up with the requests, according to Jennifer Burnside, a practice leader of crisis communications at Google-owned cybersecurity firm Mandiant.
"In many cases, they didn't have an obligation in contract to respond," Burnside said. "As they could get information, they did respond, but it wasn't a requirement."
Another example discussed by the panelists was a
One facet of the Barracuda attack that Joe highlighted was the adversary's use of three malware packages that masqueraded as legitimate software. Joe said in other cases, attackers use tactics called "living off the land," which refers to attacks that do not involve installing software but rather using the tools already present in an environment. One example of such a tool is PowerShell, which is a command line and scripting language for Windows.
Another noteworthy facet of the Barracuda attack was the method the attackers used to exfiltrate the data they stole — i.e. the method they used to transfer data out of victims' systems and onto the attacker's systems. Joe said in this case, the attackers created large temporary files in the process of staging the exfiltration — the kind of red flag that she said endpoint detection software is supposed to detect.
A third facet of the attack that Joe highlighted involved how the attackers and responders interacted. "Incident response is no longer a game of cat and mouse," she said. "It's a game of chess."
In the Barracuda attack, threat actors were able to watch what incident responders acting on behalf of victims were doing to try to staunch the attack. Attackers often reacted directly to what the incident responders did, Joe said, by changing their tactics or deleting and destroying information that would be critical for incident responders.
Joe said this means incident response teams need to re-examine what they are doing in their response and recovery processes, "because the threat actors have done that." An example in this case was that, as vendors installed updated software to patch the bugs in Barracuda that made the attacks possible, the attackers maintained malware on the systems because they had installed backdoors to ensure they maintained access even after victims patched the bugs.
Lastly, Joe said that many victims in the Barracuda attacks learned that they had been compromised only after the attackers posted the victims' data on victim-shaming websites, even though the attackers attempted to reach out to the victims directly after they stole the data. In other cases, attackers eventually stopped trying to reach out to each victim individually because there were too many of them, and instead posted the list of victims on their victim-shaming site.
"You need to be monitoring sites," Joe said. "We talk a lot about telling you to monitor sites for data that's been disclosed so that you're aware of it, but here, you're monitoring for a warning that you've been compromised and you don't know it yet."
