Last Wednesday, a ransomware attack on banking technology provider C-Edge Technology impacted the banking transactions of nearly 300 small banks. According to a report by cybersecurity company CloudSEK, the cyberattack was carried out by the RansomEXX group, which attacked Brontoo Technology Solutions, which collaborates with C-Edge Technology, a joint venture between Tata Consultancy Services (TCS) and State Bank of India (SBI).
Understanding The Mechanism Of Ransomware Attack
Deepak Chand Thakur, CEO and co-founder, NPST, breaks down the ransomware attack in layman’s language. “A ransomware attack on a system is akin to someone breaking into your house illegally and changing the locks. The homeowner, who has been locked out, then needs to pay the intruder to get the new key and regain access to their house,” he said.
Anirudh Batra, researcher at CloudSEK, explained that in ransomware attacks, cybercriminals take advantage of a misconfiguration or vulnerability in one of the technology provider's servers, and once they have access to that server they encrypt all of its data.
Ransomware attacks saw a sharp increase in India, jumping by 22 per cent, according to the 2024 SonicWall mid-year cyber threat report.
In the recent ransomware attack, attackers entered one of the Jenkins servers of Brontoo Technology Solutions and encrypted all the data. Once the data gets encrypted, an entity has to pay an extortion amount to access their data again because they are unable to operate unless their data gets decrypted. You need a key, just like any lock, to decrypt that data again and then make that server operational.
In recent times, attackers have adopted a more sophisticated approach by not only encrypting data but also exfiltrating it. This stolen data is often highly sensitive, and attackers threaten to misuse it. The rationale behind this strategy stems from the fact that modern infrastructure technology typically includes backups. After a cyberattack, organisations can restore their data from these backups and resume operations. To counteract this, threat actors now exfiltrate data during an attack. For instance, in a recent case, a large amount of financial and customer data was stolen. The attackers then threatened to release this sensitive information unless they were paid. This tactic, known as 'double extortion,' forces victims to pay twice: once for decrypting the data and again to prevent the release of the stolen information.
Modus Operandi Of Recent Ransomware Attack
In a brief conversation with BW Businessworld, Anirudh Batra disclosed details about the ransomware attack that occurred last Wednesday, revealing that Brontoo Technology Solutions was the compromised company.
Brontoo Technology Solutions is closely associated with C-Edge Technology, which serves as their hosting provider. The two companies work synergistically, with Brontoo handling orders and running its production server within the C-Edge environment. This incident is a textbook example of a supply chain attack. Much like a bank robber seeking the path of least resistance rather than entering through the heavily guarded main entrance, hackers in the digital realm also look for the easiest way in.
For attackers targeting banks in India, the path of least resistance runs through the banks' vendors and subsidiaries, parties that may not have comparable security budgets or security teams.
Batra provided a detailed breakdown of the recent cyberattack, explaining that a Jenkins server was involved. Jenkins is a tool developers use to manage and deploy their code, automating the process of putting it online. In January, a security vulnerability was discovered in Jenkins, which highlights the importance of regularly checking for and fixing such issues. This means maintaining an inventory of all tools and services, like Jenkins, and ensuring they are updated as needed. In this case, the team was using an outdated version of Jenkins with known security flaws, which were documented and exploited, leading to a ransomware attack.
To prevent similar incidents in the future, Batra stressed the importance of keeping an updated list of all technologies in use and monitoring for high-severity vulnerabilities. New vulnerabilities should be addressed as quickly as possible to minimize risk. Regular updates and vigilance are key to safeguarding against cyber threats, ensuring that all software and tools are secure and up-to-date.
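The inventory-and-monitor practice Batra describes can be made mechanical: keep a list of every vendor system and its version, and match it against high-severity advisories so outdated instances surface for patching. The following is an added illustration, not code from the article or from any company named in it; every vendor, host, version and advisory id in it is constructed, and the advisory ids are placeholders rather than real identifiers.

```python
"""Added illustration of the inventory-and-monitor practice the article
describes. All vendors, hosts, advisory ids and versions are constructed
for the example; the advisory ids are placeholders, not real identifiers."""
from dataclasses import dataclass

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # constructed placeholder, not a real identifier
    product: str
    fixed_in: str      # first version that contains the fix
    severity: str

def parse_version(text: str) -> tuple:
    """'2.426.3' -> (2, 426, 3): compare numerically, so '2.9' < '2.10'."""
    return tuple(int(part) for part in text.split("."))

def is_vulnerable(installed: str, fixed_in: str) -> bool:
    """An instance is exposed while it runs anything older than the fix."""
    return parse_version(installed) < parse_version(fixed_in)

def outstanding_exposures(inventory, advisories, min_severity="high"):
    """List (vendor, host, product, version, advisory_id) for every inventoried
    instance below the fixed version of an advisory rated >= min_severity."""
    threshold = SEVERITY_RANK[min_severity]
    hits = []
    for entry in inventory:
        for adv in advisories:
            if adv.product != entry["product"] or SEVERITY_RANK[adv.severity] < threshold:
                continue  # different product, or below the severity we track
            if is_vulnerable(entry["version"], adv.fixed_in):
                hits.append((entry["vendor"], entry["host"], adv.product,
                             entry["version"], adv.advisory_id))
    return hits

# Constructed inventory of what each third-party vendor runs.
INVENTORY = [
    {"vendor": "vendor-a", "host": "ci-01", "product": "jenkins", "version": "2.426.1"},
    {"vendor": "vendor-a", "host": "ci-02", "product": "jenkins", "version": "2.440.1"},
    {"vendor": "vendor-b", "host": "build-9", "product": "jenkins", "version": "2.9"},
]

# Constructed advisories; ids are placeholders, not real CVEs.
ADVISORIES = [
    Advisory("ADV-EXAMPLE-001", "jenkins", "2.426.3", "critical"),
    Advisory("ADV-EXAMPLE-002", "jenkins", "2.440.2", "medium"),
]
```

Calling `outstanding_exposures(INVENTORY, ADVISORIES)` flags the two hosts still below the critical fix; lowering `min_severity` to "medium" widens the list to every instance behind either advisory.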
In the same context, NPST’s Thakur said, “When banks experience delays in applying security patches for software and operating systems, they leave their systems exposed to attackers who can exploit these known weaknesses. Furthermore, cybercriminals often utilise zero-day exploits, which target previously unknown vulnerabilities that have not yet been patched or disclosed.”
“These zero-day attacks are particularly damaging because they exploit vulnerabilities for which there are no existing defences. To mitigate these risks, banks should invest in advanced threat detection systems that leverage machine learning. Such systems can enhance the ability to identify and respond to zero-day exploits and other sophisticated threats,” he added.
Preventive Measures
CloudSEK’s Batra offered some suggestions to mitigate the risk of ransomware attacks. He said the BFSI (banking, financial services, and insurance) sector in India is well-regulated by authorities like the Reserve Bank of India (RBI), which conducts audits and requires banks to report suspicious activities promptly. However, issues can arise from third-party companies outside of this regulated framework.
To mitigate risks, banks need to focus on their supply chains. This includes creating a list of critical vendors that handle data and ensuring they comply with the same security standards as the banks themselves.
Regardless of size, every bank must prioritise this responsibility, as vulnerabilities often exist in third-party services. By regularly monitoring and auditing these vendors, banks can enhance their security and protect sensitive data from potential attacks.