The author
Ben Neeman
Experienced in various public diplomacy projects, OSINT, WEBINT, analytical research, troubleshooting, intelligence gathering, auditing, and more.
Finastra Breach: Findings and Summary
In this blog post we cover what is currently known about the Finastra breach, who may have been compromised, and an assessment of the credibility of the threat actor abyss0.
Incident Overview
On November 8th a threat actor (TA) known as “abyss0” posted on BreachForums, a well-known online marketplace for illicit data trade, claiming to have exfiltrated 400 GB of data from Finastra via IBM Aspera and offering it for sale. The data, allegedly taken from Finastra’s Enterprise Service Bus, was said to include various file types and documentation. The reported breach, which the threat actor claimed took place in November 2024, had not been officially confirmed or denied by Finastra at the time of the post. The user “abyss0” has a history of leaking and selling breached data on the forum and has a credible reputation there.
Since then, Finastra has formally acknowledged the alleged breach and announced that it is investigating.
Finastra and IBM Aspera
- Finastra is one of the world’s largest fintech companies, providing software solutions and services to financial institutions, including banks, credit unions, and investment firms. It offers a wide range of products, including core banking, payments, lending, and treasury management systems, serving over 9,000 customers globally.
- In 2020, the company experienced a significant data breach involving vulnerabilities in its systems, detecting an unknown TA attempting to introduce malware into its network as part of a ransomware attack.
- IBM Aspera is a high-speed file transfer solution designed to move large volumes of data quickly and securely over long distances, regardless of network conditions. Unlike traditional file transfer protocols, which can be slow and unreliable over wide-area networks (WANs), Aspera leverages its proprietary FASP (Fast Adaptive Secure Protocol) technology to maximize transfer speeds while ensuring data integrity and security.
Timeline and mentions of the breach:
- On October 31st, the user/TA “abyss0” made a post on BreachForums offering to sell IBM Aspera access to an “unidentified financial software company” for $20,000, with 10 TB of data readily accessible.
- On November 8th, the thread selling 400 GB of data exfiltrated from Finastra was posted on BreachForums by user “abyss0”.
- On November 8th, several articles were published on CyberPress, CloudSEKNews and Dark Web Informer about the alleged breach.
- On November 8th, the Twitter accounts HackManac and ThreatMon also reported on the alleged breach.
- As of November 12th, the original thread of the breach no longer appears to exist and has been deleted by the Threat Actor.
Alleged Compromised Data
- According to the Threat Actor, the data for sale consists of multiple file types (.dmp, .bak, .war, .jar, .iso), documentation, and many other files that the Threat Actor deemed important enough to extract.
Threat Actor Reputation – “abyss0”
- The Threat Actor behind this alleged breach goes by the name “abyss0” and claimed to be selling access to IBM Aspera at an “unidentified financial software company”, and subsequently 400 GB of data allegedly exfiltrated from that company.
- The user has received vouches, likes and reputation from various users, including the notorious and major player “IntelBroker”, who is part of the “CyberNiggers” crew (see Figure 2).
- Following the FBI’s takedown of BreachForums’ administrators, CyberNiggers emerged as a significant threat group within the revived BreachForums.
- While recruitment efforts have slowed, key member IntelBroker has assumed a prominent role in leading the group’s cyber activities. This threat group, comprising a small membership all currently active on BreachForums, has been targeting critical entities, particularly within the US.
- In addition, Cyberint identified the threat actor in 81 intelligence items from BreachForums since September 2024, related to various breaches, sales, and leaks.
- Vouches from established threat actors such as IntelBroker bolster abyss0’s credibility as a reputable Threat Actor and make it more likely that the breach is genuine.
Conclusions
With that taken into consideration, it is plausible that the TA either sold the data, resulting in the closing of the thread, or removed the thread without selling it. After an extensive OSINT search, Cyberint searches, and monitoring of the Threat Actor’s threads and posts, the actor’s threads appear credible, and threads pertaining to different leaks and breaches are created and deleted daily.
About Cyberint, a Check Point Company
Cyberint, now a Check Point company, reduces risk by helping organizations detect and mitigate external cyber threats before they have an adverse impact. The Check Point External Risk Management solution provides superior visibility through continuous discovery of the evolving attack surface, combined with the automated collection and analysis of vast quantities of intelligence from across the open, deep and dark web.
A team of global military-grade cybersecurity experts work alongside customers to rapidly detect, investigate, and disrupt relevant threats – before they have the chance to develop into major incidents. Global customers, including Fortune 500 leaders across all major market verticals, rely on Check Point External Risk Management to protect themselves from an array of external risks, including vulnerabilities, misconfigurations, phishing, impersonation attacks, malware infections, exposed credentials, data leaks, fraud, and 3rd party risks.