AJ Thompson is CCO at Northdoor plc.
28th October 2020
The hack was not a direct attack on the bank, but seems to have come through a third-party file-sharing system, Accellion. Accellion, which was used by the bank to share documents with external stakeholders, was hacked on Christmas Day.
Although it released a patch within 72 hours, the time difference between the California-based company and the New Zealand bank meant that the patch was not implemented in time.
This is one of many hacks through third-party suppliers and systems over the past year. Cyber-criminals have been stepping up their efforts, and the sophistication of their attacks, during the pandemic. Many have been trying to take advantage of new working conditions for employees and searching for any vulnerabilities within third-party suppliers to gain access to valuable data and infrastructure.
As a result, companies need to ensure that they have visibility of the potential vulnerabilities across their entire supply chain, not just their own defences. Too many companies are continuing to rely on building increasingly high defensive walls around their internal infrastructure and data. However, with so many of their own employees now sitting outside of those walls, and with third-party suppliers having access to internal infrastructure, these defences are no longer effective. Being proactive and ensuring that all vulnerabilities are closed across internal and external sources is crucial.
Another factor highlighted in the New Zealand Reserve Bank hack is that the bank was relying on legacy technology. The Accellion file-sharing system being used has been described as a 20-year-old solution which did not carry the same levels of security as the updated version, Kiteworks.
This brings up another issue that companies have to be more aware of than ever as cyber-criminals step up their efforts. The use of legacy solutions that are no longer supported by vendors, or that no longer have the minimum levels of security, is an open invitation to cyber-criminals, as AJ Thompson, CCO at Northdoor, explains.
“This case is a really good example of how two sets of issues, both of which could be easily resolved, have culminated in criminals potentially gaining access to really sensitive, valuable and important data.
“We have seen a huge increase in the amount of attacks coming through third parties. Instead of directly targeting companies, cyber-criminals are coming through the ‘back-door’. This negates any defence in place, as the third party allows criminals direct access into infrastructure and systems.
“This particular case seems to have been exacerbated by the fact that the bank was running legacy software. If it had updated its software the criminals would have had a much harder task in getting in. It is crucial that companies look at the current solutions to ensure that they are running the latest versions which have the highest levels of security. With criminals continually adding sophistication to their attacks, any legacy software is at a real risk of being hacked, particularly if it is 20 years old, as seems to be the case here.
“The bank has since acknowledged that there was underinvestment in cyber security and other challenges within its IT services. Ensuring that you are running the very latest versions of solutions and that you have visibility across all of your potential vulnerabilities, both internal and external, are now both crucial steps for companies to take.
“This combination of vulnerabilities through a third-party and running legacy software is a situation that many in the financial sector find themselves in. Both are relatively easy to solve, and with criminals always trying to find the route of least resistance, closing these off will deter them and go some way to securing data,” concluded Thompson.