Data leaks
8
mins read

Case Study: HRMS Provider's Credential Leak Exposes Bank's Employee Data and Enables Account Takeover

Supply Chain Case Study: Leaked credentials of an HRMS Provider’s Employee Expose Critical Employee Information and PII for a Bank and Multiple Subsidiaries; Allows Account Takeover

Aarushi Koolwal
February 16, 2024
Green Alert
Last Update posted on
February 16, 2024
Make sure there's no weak link in your supply chain.

2023 was marked by a rise in supply chain attacks. Ensure robust protection across your software supply chain with CloudSEK SVigil.

Schedule a Demo
Table of Contents
Author(s)
No items found.

Executive Summary

This report delves into a case study on a security incident unveiled with CloudSEK’s Digital Supply Chain Security platform SVigil on an HRMS software provider for a prominent bank and its subsidiaries.

In a chilling wake-up call for cybersecurity in the financial sector, a seemingly harmless mistake by a support employee at an HRMS (Human Resource Management System) software provider has triggered a data breach exposing sensitive information of a prominent bank and its subsidiaries.

  • The story begins with a downloaded crack. A regional support employee, seeking a shortcut, installed unauthorized software, unaware of the malware lurking within. This "info stealer" malware, operating like a digital pickpocket, silently snatched the employee's credentials, granting unauthorized access to a treasure trove of sensitive data.
  • With admin-level privileges, the attackers gained a panoramic view of the bank and its subsidiaries, encompassing Asset Management Companies, Mutual Funds, Lending/Loan operations, Stocks Trading, and Life Insurance. Imagine a hacker peering into the bank's inner workings, able to view and manipulate the very information that keeps its financial heart beating.
  • But the stolen data went beyond mere numbers. Personal and professional details of employees, including names, emails, and even potentially identification numbers, were laid bare. Employee codes, the keys to internal systems, were exposed, granting attackers the potential to escalate their access and wreak further havoc.

The consequences of this breach are far-reaching. Let's dive deep to understand how the breach happened.

Step-by-Step Process of the Security Breach

  • Downloading Cracked Software: The security breach began when a support employee of the HRMS (Human Resource Management System) software provider for a prominent bank and its subsidiaries downloaded cracked software. Cracked software refers to illegal versions of paid software, often available on the internet for free. In this case, the employee sought unauthorized access to licensed software by downloading a cracked version.
  • Infection with Info Stealer Malware: Unbeknownst to the employee, the cracked software they downloaded was infected with an information stealer malware. This type of malware is designed to infiltrate a victim's computer and gather sensitive information, such as usernames, email addresses, passwords, and more. The malware operates silently in the background, making it difficult for the user to detect.
  • Unauthorized Access to HRMS Data: With the malware now resident on the employee's computer, it began to collect sensitive data from the infected system. The malware had the capability to record keystrokes, capture login credentials, and access stored information.
  • Leakage of Credentials to Dark Web: As the malware continued to collect data, it exfiltrated the stolen information, including login credentials, to a remote server controlled by the attackers. This server was likely located on the dark web, a hidden part of the internet where illegal activities often take place.
  • Unauthorized Users Gain Access: With the stolen login credentials, unauthorized users gained access to the HRMS system of the bank and its subsidiaries. This access allowed them to view and manipulate sensitive HRMS data related to various financial activities, including Asset Management Companies (AMC), Mutual Funds, Lending/Loan, Stocks Trading, and Life Insurance.
  • Exploitation of Account Takeover Functionality: The attackers exploited built-in account takeover functionality within the HRMS system. This functionality allowed them to gain unauthorized access to user accounts, hijack active sessions, clone accounts, elevate their privileges, and conduct targeted social engineering attacks within the system.
  • Password Changes Without Authentication: The unauthorized access and account takeover functionality also enabled the attackers to change passwords without proper authentication. This led to the exposure of Personally Identifiable Information (PII) of employees due to unauthorized password changes, further compromising the security of the HRMS system.
  • Compromise of Internal Messages: As the attackers gained control over the HRMS system, they were able to compromise internal messages within the organization. This included sensitive communication related to identity theft, unauthorized access, data tampering, and even payroll fraud.
  • Data Risk and Legal Implications: The consequences of this breach were significant, resulting in data risk such as identity theft, unauthorized access, data tampering, and payroll fraud. The exposure of sensitive information had legal and regulatory implications for the bank and its subsidiaries, posing a serious threat to their operations and financial stability.

What are Information Stealer malwares? 

An information stealer is a type of malware that cybercriminals use to gather sensitive details, for example, information related to the victim's credentials (usernames, email addresses, passwords), financial information like credit card details, bank account numbers, etc.

This info stealer operates on a MaaS (malware-as-a-service) model and is distributed on underground forums according to the users’ needs; The cost is set to $275/month, or $125/week subscription option. In the Telegram channel, the malware can be acquired and paid in Bitcoin, Ethereum, XMR, LTC and USDT.

Recommendations

  • Invalidate all the exposed credentials and notify the employee about the malware infection.
  • Isolate the compromised computer and verify the successful quarantine or removal of the malware to ensure the device's security.
  • Review access logs for potential data exfiltration/manipulation and backdoors.
  • Conduct a Root Cause Analysis (RCA) of the malware infection to uncover its origins and implement preventive measures against future infections.
  • Educate employees on the importance of avoiding untrusted links, email attachments, and unverified executable files.
  •  Enforce a strong password policy and change passwords on a periodic basis.
  •  Encourage employees not to store passwords in their web browsers.
  • Keep the security team well-informed about the current Tactics, Techniques, and Procedure (TTPs) employed by ransomware groups to achieve their objectives.

References

Author

Aarushi Koolwal

Aarushi Koolwal is an avid cyber security learner.

Predict Cyber threats against your organization

Schedule a Demo
Related Posts
Blog Image
Adversary Intelligence
November 24, 2023

Understanding Vendor-Related or Third-Party Cyber Risk

Uncover the complexities of third-party cyber risks and learn how to fortify your organization's digital defenses against these evolving threats.

Blog Image
Data leaks
November 24, 2023

Top 5 famous software supply chain attacks in 2023

Explore the critical nature of supply chain cyber attacks and learn how to fortify your defenses against this growing threat in 2023.

Join 10,000+ subscribers

Keep up with the latest news about strains of Malware, Phishing Lures,
Indicators of Compromise, and Data Leaks.

Take action now

Secure your organisation with our Award winning Products

CloudSEK Platform is a no-code platform that powers our products with predictive threat analytic capabilities.

CloudSEK XVigil

Digital Risk Protection platform which gives Initial Attack Vector Protection for employees and customers.

Learn more about XVigil
CloudSEK SVigil

Software and Supply chain Monitoring providing Initial Attack Vector Protection for Software Supply Chain risks.

Learn more about SVigil
CloudSEK SVigil

Creates a blueprint of an organization's external attack surface including the core infrastructure and the software components.

Learn more about BeVigil Ent
CloudSEK BeVigil

Instant Security Score for any Android Mobile App on your phone. Search for any app to get an instant risk score.

Learn more about BeVigil
Data leaks

8

min read

Case Study: HRMS Provider's Credential Leak Exposes Bank's Employee Data and Enables Account Takeover

Supply Chain Case Study: Leaked credentials of an HRMS Provider’s Employee Expose Critical Employee Information and PII for a Bank and Multiple Subsidiaries; Allows Account Takeover

Authors
Aarushi Koolwal
Aarushi Koolwal is an avid cyber security learner.
Co-Authors
No items found.

Executive Summary

This report delves into a case study on a security incident unveiled with CloudSEK’s Digital Supply Chain Security platform SVigil on an HRMS software provider for a prominent bank and its subsidiaries.

In a chilling wake-up call for cybersecurity in the financial sector, a seemingly harmless mistake by a support employee at an HRMS (Human Resource Management System) software provider has triggered a data breach exposing sensitive information of a prominent bank and its subsidiaries.

  • The story begins with a downloaded crack. A regional support employee, seeking a shortcut, installed unauthorized software, unaware of the malware lurking within. This "info stealer" malware, operating like a digital pickpocket, silently snatched the employee's credentials, granting unauthorized access to a treasure trove of sensitive data.
  • With admin-level privileges, the attackers gained a panoramic view of the bank and its subsidiaries, encompassing Asset Management Companies, Mutual Funds, Lending/Loan operations, Stocks Trading, and Life Insurance. Imagine a hacker peering into the bank's inner workings, able to view and manipulate the very information that keeps its financial heart beating.
  • But the stolen data went beyond mere numbers. Personal and professional details of employees, including names, emails, and even potentially identification numbers, were laid bare. Employee codes, the keys to internal systems, were exposed, granting attackers the potential to escalate their access and wreak further havoc.

The consequences of this breach are far-reaching. Let's dive deep to understand how the breach happened.

Step-by-Step Process of the Security Breach

  • Downloading Cracked Software: The security breach began when a support employee of the HRMS (Human Resource Management System) software provider for a prominent bank and its subsidiaries downloaded cracked software. Cracked software refers to illegal versions of paid software, often available on the internet for free. In this case, the employee sought unauthorized access to licensed software by downloading a cracked version.
  • Infection with Info Stealer Malware: Unbeknownst to the employee, the cracked software they downloaded was infected with an information stealer malware. This type of malware is designed to infiltrate a victim's computer and gather sensitive information, such as usernames, email addresses, passwords, and more. The malware operates silently in the background, making it difficult for the user to detect.
  • Unauthorized Access to HRMS Data: With the malware now resident on the employee's computer, it began to collect sensitive data from the infected system. The malware had the capability to record keystrokes, capture login credentials, and access stored information.
  • Leakage of Credentials to Dark Web: As the malware continued to collect data, it exfiltrated the stolen information, including login credentials, to a remote server controlled by the attackers. This server was likely located on the dark web, a hidden part of the internet where illegal activities often take place.
  • Unauthorized Users Gain Access: With the stolen login credentials, unauthorized users gained access to the HRMS system of the bank and its subsidiaries. This access allowed them to view and manipulate sensitive HRMS data related to various financial activities, including Asset Management Companies (AMC), Mutual Funds, Lending/Loan, Stocks Trading, and Life Insurance.
  • Exploitation of Account Takeover Functionality: The attackers exploited built-in account takeover functionality within the HRMS system. This functionality allowed them to gain unauthorized access to user accounts, hijack active sessions, clone accounts, elevate their privileges, and conduct targeted social engineering attacks within the system.
  • Password Changes Without Authentication: The unauthorized access and account takeover functionality also enabled the attackers to change passwords without proper authentication. This led to the exposure of Personally Identifiable Information (PII) of employees due to unauthorized password changes, further compromising the security of the HRMS system.
  • Compromise of Internal Messages: As the attackers gained control over the HRMS system, they were able to compromise internal messages within the organization. This included sensitive communication related to identity theft, unauthorized access, data tampering, and even payroll fraud.
  • Data Risk and Legal Implications: The consequences of this breach were significant, resulting in data risk such as identity theft, unauthorized access, data tampering, and payroll fraud. The exposure of sensitive information had legal and regulatory implications for the bank and its subsidiaries, posing a serious threat to their operations and financial stability.

What are Information Stealer malwares? 

An information stealer is a type of malware that cybercriminals use to gather sensitive details, for example, information related to the victim's credentials (usernames, email addresses, passwords), financial information like credit card details, bank account numbers, etc.

This info stealer operates on a MaaS (malware-as-a-service) model and is distributed on underground forums according to the users’ needs; The cost is set to $275/month, or $125/week subscription option. In the Telegram channel, the malware can be acquired and paid in Bitcoin, Ethereum, XMR, LTC and USDT.

Recommendations

  • Invalidate all the exposed credentials and notify the employee about the malware infection.
  • Isolate the compromised computer and verify the successful quarantine or removal of the malware to ensure the device's security.
  • Review access logs for potential data exfiltration/manipulation and backdoors.
  • Conduct a Root Cause Analysis (RCA) of the malware infection to uncover its origins and implement preventive measures against future infections.
  • Educate employees on the importance of avoiding untrusted links, email attachments, and unverified executable files.
  •  Enforce a strong password policy and change passwords on a periodic basis.
  •  Encourage employees not to store passwords in their web browsers.
  • Keep the security team well-informed about the current Tactics, Techniques, and Procedure (TTPs) employed by ransomware groups to achieve their objectives.

References