
The Ever Expanding Attack Surface

Everything, these days, is connected. The fridge, the oven, your fitness tracker, your thermostat, the locks on your front door…

It’s the same for businesses as well as at home. Everything is connected. Convenient, right? Yes, but this can also be a security nightmare. Just as a chain is only as strong as its weakest link, so it goes for the security of any network. Our attack surfaces are expanding all the time, and there’s plenty of room for more weak links…

Thinking of APIs, when partners and affiliates tap into them, they are also expanding the attack surface. You can have a great security posture, but if a trusted partner is compromised (let’s face it, they are often allow-listed to make things more conducive to business), you now have a huge security nightmare.

A Perfect Storm: The Open Banking Model

Open banking is a financial services model that allows third-party financial service providers to access consumer banking, transaction, and other financial data from banks and non-bank financial institutions through APIs. This system aims to provide consumers with greater financial flexibility by allowing partners and affiliates to tap into their spending habits, financial situation and personal details.

The claimed benefit is that better, more applicable and personalized offers (interest rates, rebates, etc.) can be made…

Some have expressed privacy concerns about this. While it is claimed that only the data users have opted into sharing is shared with partners, trust in this system will still need to be earned.

However, this increased connectivity also introduces significant cybersecurity challenges. APIs, the backbone of open banking, can become entry points for cybercriminals if not properly secured. Given that each “Open Bank” will likely have dozens of partners (many already do), it’s not just the bank that can leak sensitive data, but any partner who is hacked.

In this situation, as a consumer, it doesn’t matter whether you’ve opted in to share your data or not. If your open bank, or one of their many partners, is the victim of a breach and ransomware attack, your data is out there…

Evolve Bank & Trust Faces Ransomware Crisis in the Era of Open Banking

In an alarming development, hackers have stolen 33 terabytes of data from Evolve Bank & Trust. Initially claiming the data belonged to the Federal Reserve, the attackers have now demanded a ransom directly from Evolve Bank. This incident highlights a growing concern in the realm of open banking, where APIs facilitate seamless integration and data exchange between financial institutions and third-party providers, but also significantly increase the attack surface.

LockBit, the notorious ransomware gang, is reportedly responsible for the attack on Evolve Bank. Known for its sophisticated techniques and high-profile attacks, LockBit often employs double extortion tactics—both encrypting data and threatening to release it unless the ransom is paid. Their ransomware-as-a-service model (they maintain the malicious software, and allow others to use it for a charge) allows affiliates to carry out attacks, increasing the reach and frequency of their operations.

However, the sensitive financial details stolen open up the possibility to triple extortion by way of ongoing fraud and targeting of customers.

Fallout

Ransomware attacks have surged in recent years, targeting organizations of all sizes and sectors. Financial institutions, with their vast repositories of sensitive data, are particularly attractive targets. The attack on Evolve Bank is a stark reminder of the high stakes involved. Beyond the immediate financial impact, such breaches will erode customer trust and damage reputations.

One of the most troubling aspects of this breach is the apparent inclusion of full KYC (Know Your Customer) data and images of identity credentials. This puts every entity in the financial system at risk of fraud, not just users and programs associated with Evolve Bank. The exposure of such sensitive information can lead to widespread identity theft, financial fraud, and other malicious activities across the financial ecosystem.

The Observability Nightmare

Investigations can take time, and one complicating aspect will be the length of time that attackers lurked in Evolve’s network. The below screenshot of various directories and data stolen shows an April 7th, 2024 timestamp. Let’s hope full logging is retained and complete that far back. Unfortunately, there is a good chance it is not.

In today’s cybersecurity landscape, achieving comprehensive observability is a significant challenge, particularly for organizations utilizing multiple vendors.

Different security tools often create data silos, complicating integration and correlation efforts. Inconsistent data formats and lack of centralized visibility further hinder threat detection and response. The complexity of integrating diverse solutions and vendor-specific limitations add to the difficulty. As organizations grow, scalability issues arise due to high data volumes.

So, in summary, it will be a huge challenge to get a full picture of the actions taken by attackers over that period of time. Factor in the complications of attack surfaces in a hyper-connected world and open banking, and a consensus is unlikely to be reached soon.

Protecting Yourself from Friendly Fire

It’s no longer enough to put a rate limiter on an API and call it a day. Today, it’s essential to get better observability across all aspects of your networks and attack surface, while implementing better controls such as zero trust frameworks and a more granular principle of least privilege for affiliate APIs and related data sets…
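As an added illustration of what “more than a rate limiter” looks like in practice (this is example code written for this page, not anything from the original post, from Evolve Bank or from any open banking standard), the following partner-facing gateway check ties together the points above: each partner is granted only the endpoints and record fields it needs (so a compromised partner credential cannot reach KYC data), a customer’s opt-in consent is enforced per partner, a per-partner token bucket still applies, and every decision is written as an audit event in one fixed schema so it can be correlated with other tools without per-vendor parsing. All partner names, endpoints, customer records and consent entries are constructed placeholders.

```python
"""Added example: least-privilege partner API gateway with consent checks,
per-partner rate limiting and uniform audit events. All identifiers and
data here are constructed for illustration."""
import json
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class Partner:
    partner_id: str
    endpoints: frozenset   # endpoints this partner may call
    fields: frozenset      # record fields this partner may ever receive
    rate_per_minute: int


# Constructed partner registry. Note that no partner is granted the KYC
# endpoint or the identity fields; that grant has to be explicit.
PARTNERS = {
    "budget-app": Partner("budget-app",
        frozenset({"GET /accounts/balance", "GET /accounts/transactions"}),
        frozenset({"customer_id", "balance", "transactions"}), 60),
    "rate-affiliate": Partner("rate-affiliate",
        frozenset({"GET /accounts/balance"}),
        frozenset({"customer_id", "balance"}), 5),
}

# What each endpoint would return if unrestricted. The response is the
# intersection of this set with the partner's field allow list.
ENDPOINT_FIELDS = {
    "GET /accounts/balance": {"customer_id", "balance"},
    "GET /accounts/transactions": {"customer_id", "transactions"},
    "GET /customers/kyc": {"customer_id", "national_id", "id_document"},
}

# Constructed customer records and opt-in consent (customer -> partners).
CUSTOMERS = {
    "c-1001": {"customer_id": "c-1001", "balance": 2450.10,
               "transactions": [{"amount": -42.0, "merchant": "grocer"}],
               "national_id": "<placeholder>", "id_document": "<placeholder>"},
    "c-2002": {"customer_id": "c-2002", "balance": 10.0, "transactions": [],
               "national_id": "<placeholder>", "id_document": "<placeholder>"},
}
CONSENT = {"c-1001": {"budget-app", "rate-affiliate"}}   # c-2002 opted out


class TokenBucket:
    """Per-partner rate limit: `capacity` requests, refilled over one minute."""
    def __init__(self, capacity):
        self.capacity = capacity
        self.tokens = float(capacity)
        self.last = None

    def allow(self, now):
        if self.last is not None:
            refill = (now - self.last) * self.capacity / 60.0
            self.tokens = min(self.capacity, self.tokens + refill)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


_BUCKETS = {}
_AUDIT = []


def _audit(now, partner_id, endpoint, customer_id, status, reason):
    # One fixed schema for allowed and denied requests alike, so events from
    # this gateway line up with other log sources during an investigation.
    event = {"ts": now, "source": "partner-gateway", "partner": partner_id,
             "endpoint": endpoint, "customer": customer_id,
             "status": status, "reason": reason}
    _AUDIT.append(event)
    return event


def audit_events():
    return list(_AUDIT)


def audit_jsonl():
    """Audit trail as JSON lines, ready to ship to a central log store."""
    return "\n".join(json.dumps(e, sort_keys=True) for e in _AUDIT)


def handle_request(partner_id, endpoint, customer_id, now=None):
    """Return (HTTP status, body). Checks run cheapest-first; all are audited."""
    now = time.time() if now is None else now
    partner = PARTNERS.get(partner_id)
    if partner is None:
        _audit(now, partner_id, endpoint, customer_id, 401, "unknown partner")
        return 401, {"error": "unknown partner"}
    if endpoint not in ENDPOINT_FIELDS or endpoint not in partner.endpoints:
        _audit(now, partner_id, endpoint, customer_id, 403, "endpoint not granted")
        return 403, {"error": "endpoint not granted"}
    if partner_id not in CONSENT.get(customer_id, set()):
        _audit(now, partner_id, endpoint, customer_id, 403, "no customer consent")
        return 403, {"error": "no customer consent"}
    bucket = _BUCKETS.setdefault(partner_id, TokenBucket(partner.rate_per_minute))
    if not bucket.allow(now):
        _audit(now, partner_id, endpoint, customer_id, 429, "rate limit")
        return 429, {"error": "rate limit"}
    record = CUSTOMERS[customer_id]
    body = {k: record[k] for k in ENDPOINT_FIELDS[endpoint] & partner.fields}
    _audit(now, partner_id, endpoint, customer_id, 200, "ok")
    return 200, body


if __name__ == "__main__":
    print(handle_request("budget-app", "GET /accounts/balance", "c-1001", now=1000.0))
    print(handle_request("budget-app", "GET /customers/kyc", "c-1001", now=1000.0))
    print(audit_jsonl())
```

The ordering is deliberate: the rate limiter is the last check, not the first, so a partner that is unknown, unauthorized or lacking consent is refused (and logged) before it consumes any quota, and the denial reason is recorded in the same schema as successful calls, which is what an investigator reconstructing months of partner activity actually needs.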

Unfortunately, it will still need to go much further than that, and the dreaded audit/security questionnaires are going to fly like never before in an effort to ensure affiliates/partners are actually doing what they say they do.

In the meantime, the need for a Data Privacy Revolution continues…

*** This is a Security Bloggers Network syndicated blog from Berry Networks authored by David Michael Berry. Read the original post at: https://berry-networks.com/2024/06/28/the-ever-expanding-attack-surface/