Cyber Incident Victim: Finastra
Date: Mar 2020
Location: United Kingdom
Summary
Finastra, a UK-based financial technology provider, experienced a ransomware attack and immediately shut down the affected servers to contain the incident. The company opened an investigation with external forensic experts and stated that it had found no evidence of customer or employee data exfiltration or of client network compromise. Service disruptions occurred while systems were offline; restoration efforts proceeded alongside cooperation with authorities and impacted customers. Vulnerabilities in Pulse Secure VPN (CVE-2019-11510) and Citrix ADC (CVE-2019-19781) had previously been identified on the firm's infrastructure, though no direct link to the attack was confirmed. Finastra emphasized its commitment to security reviews and stakeholder updates throughout the response.
Description
On March 20, 2020, UK-based financial technology provider Finastra detected anomalous activity on its systems, prompting its security team to immediately take several servers offline. The company, serving over 9,000 customers across 130 countries including 90 of the world's top 100 banks, initiated an investigation with assistance from a leading digital forensics firm. Finastra's Chief Operating Officer Tom Kilroy publicly confirmed the incident as a ransomware attack, stating there was no evidence of customer or employee data exfiltration or compromise of client networks. The company emphasized its standard security protocols while launching a rigorous system review to ensure continued protection of sensitive information. Service disruptions occurred due to the server shutdowns, with Finastra directly contacting affected customers while coordinating with relevant authorities. Restoration efforts focused on bringing systems back online while maintaining operational security throughout the incident response process.

Prior cybersecurity intelligence indicated vulnerabilities in Finastra's infrastructure that could have facilitated such an attack. Bad Packets had previously identified unpatched Pulse Secure VPN servers vulnerable to CVE-2019-11510, a critical flaw enabling remote attackers to compromise systems, steal credentials, and execute arbitrary commands; the same vulnerability was exploited in the December 2019 Sodinokibi ransomware attack against Travelex. Additionally, Bad Packets reported four vulnerable Citrix ADC servers (CVE-2019-19781) in Finastra's network as of January 11, 2020, though Citrix released patches for this actively exploited vulnerability by January 24. While Finastra never confirmed these specific vulnerabilities as entry points, the company acknowledged implementing security enhancements during its post-incident system review. The incident occurred despite warnings from the US Cybersecurity and Infrastructure Security Agency (CISA) about patching Pulse Secure VPN vulnerabilities, highlighting the operational challenge of keeping complex financial technology infrastructure patched against evolving ransomware threats.
