Application security, Identity, Breach, Third-party code

Third-party hack may have spread to JPMorgan, Citi, and Morgan Stanley


An attack on SitusAMC, a third-party provider of residential mortgage origination and loan collection services, has caused broad concern because the company serves some of the world’s largest banks, so a single intrusion at the vendor can expose data belonging to many of its clients at once.

The New York Times reported on Nov. 22 that JPMorgan Chase, Citi, and Morgan Stanley are among the banks notified by SitusAMC that some of their data may have been stolen.

SitusAMC officials said in a Nov. 22 statement that the company became aware on Nov. 12 of a cybersecurity incident affecting its clients' accounting records and legal agreements. It then hired outside cybersecurity experts and notified the FBI.

According to SitusAMC, the incident has been contained and its services are fully operational. The company also stated that no encrypting malware was involved, indicating this was a data-theft incident rather than a file-encrypting ransomware attack.

“The note that 'no encrypting malware was involved' signals a quiet, credential-driven break-in, much like the Salesforce supply chain incidents that hit earlier this year and most recently via Gainsight,” said Amir Khayat, co-founder and CEO of Vorlon. “In every case, attackers grabbed trusted identities first and, in many instances, never bothered with ransomware at all.”

Michael Bell, chief executive officer of Suzu Labs, pointed out that SitusAMC has 1,500 clients, so one breach gave the attackers access to mortgage data across JPMorgan, Citi, Morgan Stanley and hundreds of others simultaneously. Bell said hitting shared service providers is more efficient than targeting individual banks — and threat actors know it.

“As pentesters, we've been inside these third-party environments and the gap between what vendors claim in their security questionnaires versus what we find during actual assessments is alarming,” said Bell. “Organizations need independent verification of vendor security controls, because asking vendors to self-report their security posture clearly isn't working.”

Agnidipta Sarkar, chief evangelist at ColorTokens, added that there’s been a substantial rise in reliance on third-party service apps and vendors across Wall Street firms in recent years, with many banks offloading core processes, such as mortgage servicing, analytics, compliance, and even payment processing, to specialized technology providers.

“The breach should be of significant concern to firms on Wall Street because of the interconnectedness of data flows,” said Sarkar. “Typically, accounting records and legal agreements contain system architecture diagrams, data-sharing clauses, SLAs, or references to internal tools, which could be goldmines for attackers planning follow-on intrusions. If credentials are stolen, then there is potential for lateral movement at each of the firms who use the app, unless they have adequately designed microsegmentation or they use cryptographic passwordless credentials tied to associated hardware.”
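Both Khayat's point about credential-driven break-ins with trusted identities and Sarkar's point about microsegmentation and lateral movement reduce to one detection question: is a vendor's service identity being used from where, and against what, the policy expects? The Python script below is an added example written for this page; it is not code from the article, SitusAMC, Vorlon or ColorTokens. It runs a microsegmentation-style allowlist (permitted source ranges and resource segments) and a per-hour client-breadth baseline over constructed access-log lines. The identity name, policy fields, CIDRs, tenant names and the key=value log format are all assumptions, not any real product's schema.

```python
"""Detection over access logs for misuse of a trusted third-party identity.

Added example (not SitusAMC's or any bank's code). A vendor service account is
checked against a microsegmentation-style policy: where it may connect from,
which resource segments it may touch, and how many client tenants it normally
reaches in an hour. All identities, CIDRs, tenants and field names are made up.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime

# Hypothetical policy for one vendor integration identity.
POLICY = {
    "svc-vendor-mortgage": {
        "allowed_sources": ["203.0.113.0/24"],         # vendor egress range (TEST-NET-3)
        "allowed_prefixes": ["loans/", "accounting/"],  # segment it legitimately serves
        "max_tenants_per_hour": 3,                      # baseline breadth of client access
    }
}

# Constructed sample log: two benign events, then the same identity used from an
# unexpected network, reaching outside its segment and across many tenants.
SAMPLE_LOG = """\
ts=2025-11-10T09:00:00Z identity=svc-vendor-mortgage src=203.0.113.10 tenant=bank-a resource=loans/12345 action=read
ts=2025-11-10T09:05:00Z identity=svc-vendor-mortgage src=203.0.113.10 tenant=bank-b resource=accounting/q3 action=read
ts=2025-11-12T02:10:00Z identity=svc-vendor-mortgage src=198.51.100.77 tenant=bank-a resource=loans/12345 action=read
ts=2025-11-12T02:11:00Z identity=svc-vendor-mortgage src=198.51.100.77 tenant=bank-a resource=legal/agreements/msa.pdf action=read
ts=2025-11-12T02:12:00Z identity=svc-vendor-mortgage src=198.51.100.77 tenant=bank-b resource=loans/99 action=read
ts=2025-11-12T02:13:00Z identity=svc-vendor-mortgage src=198.51.100.77 tenant=bank-c resource=loans/7 action=read
ts=2025-11-12T02:14:00Z identity=svc-vendor-mortgage src=198.51.100.77 tenant=bank-d resource=loans/8 action=read
"""


def parse_line(line):
    """Parse one 'key=value key=value ...' line into a dict; 'ts' becomes a datetime."""
    fields = dict(part.split("=", 1) for part in line.split())
    fields["ts"] = datetime.fromisoformat(fields["ts"].replace("Z", "+00:00"))
    return fields


def analyze(log_text):
    """Return a list of findings (dicts with rule/identity/detail); [] means clean."""
    findings = []
    seen_sources = set()               # de-duplicate source alerts per (identity, src)
    tenants_per_hour = defaultdict(set)

    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        ident = ev["identity"]
        policy = POLICY.get(ident)
        if policy is None:
            # An identity with no policy is itself a finding: nothing says what it may do.
            findings.append({"rule": "no_policy", "identity": ident, "detail": raw})
            continue

        # Rule 1: credential used from outside the vendor's declared source ranges.
        src = ipaddress.ip_address(ev["src"])
        in_range = any(src in ipaddress.ip_network(n) for n in policy["allowed_sources"])
        if not in_range and (ident, ev["src"]) not in seen_sources:
            seen_sources.add((ident, ev["src"]))
            findings.append({"rule": "unexpected_source", "identity": ident,
                             "detail": f"src={ev['src']} not in {policy['allowed_sources']}"})

        # Rule 2: access outside the identity's allowed segment (lateral movement candidate).
        if not any(ev["resource"].startswith(p) for p in policy["allowed_prefixes"]):
            findings.append({"rule": "segment_violation", "identity": ident,
                             "detail": f"resource={ev['resource']} outside {policy['allowed_prefixes']}"})

        # Collect tenant breadth per hour for Rule 3.
        bucket = ev["ts"].replace(minute=0, second=0, microsecond=0)
        tenants_per_hour[(ident, bucket)].add(ev["tenant"])

    # Rule 3: one identity touching more client tenants in an hour than its baseline.
    for (ident, bucket), tenants in tenants_per_hour.items():
        limit = POLICY[ident]["max_tenants_per_hour"]
        if len(tenants) > limit:
            findings.append({"rule": "tenant_breadth", "identity": ident,
                             "detail": f"{len(tenants)} tenants in hour {bucket.isoformat()} (limit {limit})"})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f["rule"], f["identity"], f["detail"])
```

On the constructed sample, the two Nov. 10 events produce nothing, while the Nov. 12 burst yields one finding per rule: a source outside the vendor's range, a read of `legal/` from an identity confined to `loans/` and `accounting/`, and four tenants in one hour against a baseline of three. The breadth rule is the one that speaks to the shared-provider blast radius: a legitimately scoped vendor identity rarely needs to sweep many clients' records in a short window, so that pattern is worth alerting on even when each individual read looks authorized.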
