LockBit’s latest attack shows why fintech needs more zero trust

Claiming to have breached the U.S. Treasury and instead releasing 33 terabytes of data on the dark web exfiltrated from banking and fintech provider Evolve, LockBit’s latest breach shows how vulnerable fintech is to cyberattacks. Evolve announced the breach on June 26, posting a notice on their site, saying the breach included personally identifiable information (PII), including customer names, Social Security numbers, dates of birth and account information, which has severe implications for the affected individuals and companies​​​​.

Evolve began notifying affected parties on July 8. The fintech provider and financial services organization traced the attack to a phishing email in which an employee inadvertently clicked on a malicious internet link.

“We refused to pay the ransom demanded by the threat actor. As a result, they leaked the data they downloaded. They also mistakenly attributed the source of the data to the Federal Reserve Bank,” Evolve said in a recent update shared on their site.

The attack immediately sent shockwaves through the fintech startup community and its major backers. Affirm, Airwallex, Alloy, Bond (now part of FIS), Branch, Dave, EarnIn, Marqeta, Mastercard, Melio, Mercury, PrizePool, Step, Stripe, TabaPay and Visa are all Evolve customers.

Affirm alerted their Affirm credit card customers via X (formerly Twitter) of the cybersecurity incident and offered support if fraudulent transactions appeared on their accounts. Mercury reported that the breach affected account numbers, deposit balances and business owner names, significantly impacting their operations and customer trust. Additionally, the breach led to a temporary suspension of Evolve’s online banking services, causing disruptions for customers relying on real-time transaction processing.

The Federal Reserve found risk gaps before the breach

The ransomware attack shows how an at-risk organization can put the entire fintech ecosystem at risk. The Federal Reserve Board’s prescient warning just two weeks before the breach expresses concern over the bank’s many partnerships with fintech providers who provide banking products and services to a broad base of customers. Examinations conducted during 2023 found that Evolve engaged in unsafe and unsound banking practices by failing to implement an effective risk management framework for their fintech partnerships.

The Federal Reserve’s enforcement action included requiring the bank to strengthen its risk management practices to address potential risks, including compliance and fraud risks, by implementing appropriate oversight and monitoring of those relationships. Unfortunately, Affirm wasn’t able to fully respond and complete all the tasks the Reserve had required, which might have prevented the broader impact of the breach across its many fintech partners, including startups.

LockBit looks to turn chaos into cash

Ransomware attackers look to create chaos across supply chains, ensuring their attacks reverberate across as wide of a network as possible. United Healthcare is a case in point. The greater the chaos, the greater the cash payout, as United Healthcare paid a $22 million ransom in Bitcoin.  

LockBit’s Ransomware-as-a-Service (RaaS) business model needs to keep recruiting affiliates to drive revenue, making street credibility earned from creating chaos across supply chains core to its business. Seventy percent to 80% of revenue goes to affiliates who carry out the attacks, and 20% to 30% goes to operators like LockBit.  

Operation Cronos, an international task force of law-enforcement agencies from 10 countries, disrupted LockBit operations earlier this year. The task force successfully took down its infrastructure and recovered more than 7,000 encryption keys. Despite this, LockBit has continued to seek out affiliates and conduct cyberattacks, as the breach at Evolve Bank shows. The National Crime Agency has specifics of how LockBit’s operations were disrupted.

“LockBit is blowing a lot of smoke lately to try to rehabilitate its reputation with affiliate attackers. We do continue to see new victims like Evolve Bank & Trust getting popped by LockBit, so they are still a viable threat. Still, we need to remember that news cycles and social media move much faster than the truth,” Jon Miller, CEO and co-founder of Halcyon, told VentureBeat. “There are plenty of examples of RaaS groups falsely posting organizations on their leak sites who were not compromised to get the alleged victim organization to pay a ransom, so it’s best everyone refrain from further speculation until there is some concrete evidence of an attack available.”

Miller advises companies that “even if a victim organization pays the ransom demand or decides not to pay and can restore systems via other means like backups, there is no guarantee that their stolen data will be secure or that the attackers will not simply make additional extortion demands by threatening to leak the data or sell it on the black market. In many cases, the data exfiltration can be a bigger issue for the victim organization than the actual ransomware payload.”

CISOs: Cut through deception with data

“This problem set drove me to start a company that does ongoing permissioning and heuristics. It’s the only way to get closer to mature security. I feel for the set of folks affected here because I know how hard it can be– that’s why we work at it,” Ofer Klein, CEO and co-founder Reco, told VentureBeat. Having solid permissioning and heuristics data is key.

LockBit claiming to have breached the U.S. Treasury and, instead, exfiltrated customer data from a bank is a common deception strategy ransomware attackers use in an attempt to increase their street credibility and keep affiliates using their adversarial technologies and services, including RaaS.

“This is MO (modus operandi) for ransomware actors– they make a threat to disclose sensitive data and sometimes make good on it. It’s their business interest. For enterprises, there will always be a next bad day. But it doesn’t mean you have to accept bad outcomes,” Merritt Baer, CISO at Reco and advisor to Expanso, Andesite and EnkryptAI told VentureBeat. “With fine-grained and behavioral data, we (CISOs) notice bad acts–not just when they are in flight, but also before. We can prune and garden our ecosystem at the access layer, from hardware to apps,” Baer said.

A CrowdStrike survey found that 96% of victims who paid the ransom also paid additional extortion fees equal to $792,493, on average, only to find the attackers also shared or sold their information on the dark web via Telegram channels. The Office of Foreign Assets Control has also fined companies who paid certain ransomware attackers.

Fintech boards need a CISO who can speak zero trust

VentureBeat has learned that Fortune 500 boards of directors continue to invest in and prioritize task forces dedicated to quantifying risk management as a core part of their cyber-resilience and cybersecurity strategies. What enterprises need is a member of the board who can translate risk metrics into actionable results. In short, they need a CISO who can speak zero trust. “I’m seeing more and more CISOs joining boards,” George Kurtz, co-founder and CEO of CrowdStrike, told VentureBeat earlier this year during an interview. “Adding security should be a business enabler. It should be something that adds to your business resiliency, and it should be something that helps protect the productivity gains of digital transformation.”  Strong zero-trust frameworks provide the foundation needed to scale and harden cyber-resilience and cybersecurity corporate-wide.

It takes a CISO with board-level authority to do the following and make a fintech more secure. That’s especially the case for fintech companies like Evolve, whose business model puts dozens of partners at risk in the event of a breach:

Eliminating trust from tech stacks is core to reducing risk and becoming more resilient. In any network, trust is a liability. Enforcing least privilege access and replacing legacy perimeter-based systems has to happen one endpoint or threat surface at a time. “You don’t start at a technology, and that’s the misunderstanding of this. Of course, the vendors want to sell the technology, so [they say] you need to start with our technology. None of that is true. You start with a protective surface and then you figure out,” said John Kindervag, creator of Zero Trust and Chief Evangelist at Illumio, during a recent VentureBeat interview. Being disciplined about implementing zero trust takes a seasoned CISO on the board who has the clout and influence to make that happen. Fintechs need CISOs on their boards that provide that insight and guide strategy.

Monitoring and scanning all network traffic is zero-trust table stakes. Another reason CISOs need a board seat is that network telemetry data is the lifeblood of any fintech business. The board needs to know in real time how changing patterns of network telemetry affect risk profiles and probabilities. An experienced CISO will be able to break down the risks and limitations of how they’re managing telemetry data and understand why monitoring and scanning all network traffic is core to their business.

Rely on microsegementation to shut down the lateral movement of attackers. It is not just the breach; it’s the lateral movement that distributes malicious code to destroy IT infrastructures, making zero trust a priority. Getting microsegmentation right has saved more banks, savings & loans, and financial services firms from billions of dollars in losses by containing a breach. It also helps thwart ransomware attacks from ever starting.

Do a complete audit of access privileges and kill zombie credentials immediately. It’s common for identity and access management (IAM) and privileged access management (PAM) systems to have active logins from decades ago. From contractors to sales, service and previous employees, zombie credentials are the attack surface no one thinks about until they’re used for an intrusion that often goes undetected for weeks. Keeping with a zero-trust mindset, every fintech needs to remove obsolete identities and logins immediately.

Every enterprise app, cloud database, and cloud platform needs to have multi-factor authentication as default. Snowflakes’ breach, in part, was caused by the decision to make multi-factor authentication optional. There were a series of technical reasons why that decision was made. All the more reason to have an experienced CISO on the board who can explain those nuances and be firm in making MFA standard.

Conclusion

Fintech has a cybersecurity problem. LockBit’s ransomware attack on Evolve and the risk it placed on its partnership network show why the industry needs to focus more on the foundations of zero trust across financial networks. When the Federal Reserve finds gaps two weeks before a ransom attack, it’s time to rethink cyber resilience and cybersecurity at the company and industry level. CISOs are needed to bring the resilience and experience fintechs need to stay secure and grow.

During an interview with VentureBeat on the topic last week, Baer cautioned, “We’re going into the July 4th weekend, and I bet it’s no coincidence for this to hit now—security never takes a holiday”. Wise words from an experienced CISO.