This past summer JPMorgan Chase was hit with one of the biggest intrusions ever to strike an American bank. Given the political tensions with Russia at the time, over its incursion into Ukraine and the resulting sanctions, that is where fingers started pointing. The media even claimed it was Russia, citing “anonymous sources close to the matter” (sound familiar?).
There were claims that the intrusion was the result of a sophisticated zero-day exploit that only a nation state would have access to. But this all proved to be highly speculative and in October the FBI made an announcement that there was no connection between sanctions and the attack that hit JPMorgan and several other banks.
New information has come to light regarding the JPMorgan breach. What many thought to be the result of a sophisticated intrusion using a zero-day exploit developed by state-sponsored actors may instead have been the result of a simple misconfiguration on a single server in JPMorgan’s massive infrastructure. For some reason, one server had two-factor authentication disabled. The attackers were able to exploit this gap and, combined with stolen credentials, gain access.
Once inside, the attackers were able to compromise an additional 90 servers before the attack was thwarted. The attack was believed to be part of a larger campaign targeting multiple financial services firms. JPMorgan was able to detect the attack at one point and shut the attackers down, a good sign that multiple security controls were in place.
This new information can help other companies. Rather than an attack orchestrated by what was perceived to be a sophisticated adversary capable of circumventing any defenses, it serves as a lesson that even massive financial services companies with significant resources allocated to securing their networks make mistakes. What should be noted is that although the attackers gained access, they were not able to compromise account information.
Unfortunately, we now live in a time where even the smallest mistake or misconfiguration on a single entry point can be amplified and used against us to disastrous effect. The digital hole in the dike has a cascading effect once attackers gain their foothold. It often does not take a nation-state-level actor to inflict damage or compromise network systems; all it takes is a motivated individual or group with the right skills and a chink in the armor.