Little is known about his identity, or even if he’s just one person or a group. The only thing we know for certain is that he has been making large companies around the world nervous for years. In this case, it was the turn of a bank in the Cayman Islands.
A few months ago, Cayman National Bank announced that it had suffered a data theft, and that it was investigating the incident. The bank didn’t reveal who was behind the attack; it was the perpetrator himself who came forward: Phineas Fisher, who is well known in both the hacktivist and cybercriminal worlds.
Who is Phineas Fisher?_
Phineas Fisher first came to public attention in 2014 when he broke into the IT systems of Gamma International, a German company that supplies surveillance programs to various governments around the world. The 40GB of information that Fisher stole was immediately published.
A year later, in 2015, the hacktivist did the same thing with HackingTeam, an Italian company specialized in working with all kinds of governments and surveillance agencies, and which also supplies surveillance software.
After four years of keeping a relatively low profile, Phineas Fisher has returned to the limelight in 2019 thanks to the data theft in Cayman National Bank. In this breach, he accessed the accounts of 1,400 customers and the financial information of 3,800 companies. The leak, one of the most explosive since the Panama Papers, was delivered to Distributed Denial of Secrets, an agency run by Emma Best, a journalist and activist, who published the more than 2TB of files.
How did he make his way into the bank?_
Many people wondered how Phineas Fisher could have managed to access the bank’s data. The answer, however, lies in his own public manifesto. This wasn’t a selected or targeted cyberattack. Rather, he prepared several exploits and scanned the information of all the banks he had analyzed, looking for vulnerable devices until he came across the Cayman Islands.
Fisher discovered that the access passwords were the same as the Windows domain, making it simple to gain entry to the bank’s entire network. What’s more, thanks to a keylogger, he managed to record and analyze the activity of many of the bank’s employees, and thus got hold of their credentials too. The hacktivist needed to find out the process for making a bank transfer. He discovered that it involved three different employees: one to create the transfer, one to verify it, and a third to authorize it. None of them carried out subsequent checks on the transfers made, which meant that he was able to steal money without being discovered. In fact, this cyberattack wasn’t stopped by a third-party intervention; it was brought down by a mistake he made when writing the code for an international transfer that caused an error messages to be sent. This set of the bank’s cybersecurity alarms.
Throughout all of this process, Phineas Fisher relied on on vital tool: PowerShell, a legitimate Windows shell. The vulnerability of this tool allowed him to act on the network without anyone noticing a thing, and without setting off any kind of alarms, a textbook example of a successful Living-off-the-Land attack. Besides this, with Mimikatz, he was able to get his hands on new credentials.
How to avoid these cyberattacks_
This case is further proof of that fact that data breaches are still a major concern for all kinds of organizations. It also serves to highlight the fact that new threats, along with the professionalization of cyberattackers like Phineas Fisher, are increasing the risks of not adequately protecting endpoints.
At Cytomic we believe that, within corporate cybersecurity policies, the control and management of personal and sensitive data on endpoints must play a central role. This is why we have the solution Cytomic Data Watch. This module of Cytomic Platform allows organizations to align themselves with a more mature security program, reducing the attack surface for personal data and sensitive information. This solution monitors the files found on devices and searches for personal and sensitive data, allowing files to be deleted from the single console in order to mitigate risks.
Though the scale and frequency of data breaches is currently rather alarming, too many organizations with highly flexible and adaptable network environments still depend of isolated, second generation security solutions and strategies. In these cases, the important thing is to have an advanced security system to avoid falling victim to cybercriminals. It is essential to act swiftly, following expert recommendations when faced with an attack like this one.