Finastra, a leading financial technology provider from the UK, announced that it had to take several servers offline following a ransomware attack detected earlier today.
The fintech company provides financial software and services to more than 9,000 customers of all sizes from 130 countries across the globe, including 90 of the top 100 banks globally.
Finastra also has over 10,000 employees working from 42 offices, including London, New York, and Toronto, and a $1.9 billion in revenues.
Servers taken offline following attack
Earlier today, Finastra discovered the incident after its security team spotted potentially anomalous activity on some of the company’s systems.
They immediately turned off some of the servers offline and started an investigation with the help of a leading digital forensic firm.
“At this time, we strongly believe that the incident was the result of a ransomware attack and do not have any evidence that customer or employee data was accessed or exfiltrated, nor do we believe our clients’ networks were impacted,” Finastra’s Chief Operating Officer Tom Kilroy said.
Finastra is currently working to bring back its systems online and to resolve the issues caused by part of the servers on the company’s network being shut down.
“While we have an industry-standard security program in place, we are conducting a rigorous review of our systems to ensure that our customer and employee data continues to be safe and secure,” Kilroy added.
“We have also informed and are cooperating with the relevant authorities and we are in touch directly with any customers who may be impacted as a result of disrupted service.”
Finastra takes data security very seriously, and we have committed to updating our stakeholders regularly and providing more information as soon as our investigation into this matter continues. – Tom Kilroy
Vulnerable Pulse Secure VPN and Citrix servers
While the method used by the attackers to infiltrate Finastra’s network was not disclosed, cyber threat intelligence firm Bad Packets says that it previously detected Pulse Secure VPN servers unpatched against the CVE-2019-11510 vulnerability.
If successfully exploited, CVE-2019-11510 could enable remote unauthenticated attackers to compromise vulnerable VPN servers, gain access to all active users as well as their plain-text credential, and execute arbitrary commands.
Vulnerable Pulse Secure VPN servers were used as a point of entry by Sodinokibi (REvil) ransomware as part of an attack that took down the network of Travelex on December 31, 2019.
In January, the US Cybersecurity and Infrastructure Security Agency (CISA) alerted organizations to patch their Pulse Secure VPN servers to block attacks attempting to exploit this remote code execution (RCE) vulnerability.
Bad Packets also states that, on January 11, Finastra also had four Citrix ADC (NetScaler) servers vulnerable to attacks targeting the critical CVE-2019-1978 vulnerability, a flaw that was actively exploited by hackers starting with January 17 to plant backdoors and block subsequent exploitation efforts.
According to reports, the City of Potsdam had to sever the administration servers’ Internet connection after a cyberattack was able to take down Citrix ADC servers on the administration’s network unpatched against the CVE-2019-1978 flaw.
Citrix released all the fixes needed to secure vulnerable Citrix Application Delivery Controller (ADC), Citrix Gateway, and Citrix SD-WAN WANOP appliances against the actively exploited CVE-2019-19781 vulnerability on January 24.
Finastra also had four Citrix (NetScaler) servers vulnerable to CVE-2019-19781 on January 11, 2020.https://t.co/8PGiZmWkvk
— Bad Packets Report (@bad_packets) March 20, 2020