JPMorgan Chase Data Breach
Overview
JPMorgan Chase is the largest bank in the United States and the world's largest bank by market capitalization, with $3.9 trillion in assets. The cyberattack compromised data associated with 76 million households, 2 of every 3 American households at the time of the attack. The attackers stole names, email and postal addresses, and phone numbers belonging to account holders.
Vulnerability Details
The attackers likely acquired their initial credentials from an employee who had registered an account on the Corporate Challenge website. JPMorgan had not enabled two-factor authentication on the network server the attackers logged into, so the stolen password alone was enough to gain access. Once inside, the attackers reached 90 further network servers. The attack did not involve a zero-day of any kind. The FBI first suspected a sophisticated adversary, such as the Russian government, but by mid-October had ruled that out. Four individuals were indicted on 23 federal counts in relation to the attack on JPMorgan and similar attacks on other institutions. The attackers used the stolen account information to run a stock price manipulation scheme and illegal gambling websites, earning millions in profit. The defendants planned to start their own brokerage business, using the stolen information to give them a leg up against competitors. In October 2015, the Senate Banking Committee asked federal banking regulators to create a process for mitigating attacks like this against the financial sector.
Lab Terminal
In this terminal activity, we'll investigate how attackers were able to compromise JPMorgan Chase's network by logging into a public-facing server that was missing required security controls. In the real incident, attackers used stolen employee credentials to access a server that did not enforce two-factor authentication and had not been updated to match the company's newer security standards. Using the commands provided, you will scan a simulated server for exposed services, identify outdated software, inspect authentication settings, and verify whether multi-factor authentication is configured. This activity demonstrates how lapses in patching, configuration management, and authentication enforcement can create the conditions for large-scale breaches like the JPMorgan Chase attack.
Instructions:
- Use the help command to see all available commands.
- Scan the target system at 192.168.1.45 to determine which services and ports are publicly exposed:
  nmap -sS -p 22,80,443 192.168.1.45
- Retrieve the web server's banner to identify the software version in use:
  curl -I http://192.168.1.45 | grep -i 'server'
- Search the server's configuration files for authentication settings:
  grep -R 'Auth' /etc/httpd/conf/ /etc/nginx/ 2>/dev/null | head
- Check the system for outdated or unpatched web packages:
  dpkg -l | grep apache
  apt list --upgradable | grep apache
- Determine whether two-factor authentication is present on the system (the output is empty if it is not present):
  grep -R 'pam_google_authenticator' /etc/pam.d/ 2>/dev/null
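The checks above can be turned into a repeatable audit. The script below is an added example, not part of the lab or JPMorgan's tooling; it runs the MFA and outdated-package checks against a constructed sample filesystem tree (a "weak" server like the one in the incident and a "hardened" one), and it goes one step beyond the lab by distinguishing a PAM module that is merely present from one that is actually required for login. The apt listing contents and the ROOT/upgradable.txt path are constructed stand-ins for real command output.

```shell
#!/bin/sh
# Added example: audit a server tree for the lapses the lab looks for.
# ROOT stands in for the target's filesystem so the script runs offline.

# Succeed if any PAM service file under ROOT/etc/pam.d loads the
# Google Authenticator module (this is exactly the lab's grep).
mfa_configured() {
  grep -Rq 'pam_google_authenticator' "$1/etc/pam.d" 2>/dev/null
}

# Stricter check: succeed only if SERVICE marks the module 'required' or
# 'requisite'. An 'optional' or commented-out line still allows a
# password-only login, which is the condition the attackers exploited.
mfa_enforced() {
  grep -Eq '^[[:space:]]*auth[[:space:]]+(required|requisite)[[:space:]]+pam_google_authenticator' \
    "$1/etc/pam.d/$2" 2>/dev/null
}

# Print web-server package names from a saved 'apt list --upgradable'
# style listing (constructed format: name/suite version arch [...]).
outdated_web_packages() {
  grep -E '^(apache|nginx)' "$1" | cut -d/ -f1
}

# Build a constructed sample tree. 'weak' mimics the unpatched,
# password-only server; 'hardened' the corrected configuration.
make_sample() {
  mkdir -p "$1/etc/pam.d"
  if [ "$2" = weak ]; then
    printf 'auth required pam_unix.so\n' > "$1/etc/pam.d/sshd"
    printf 'apache2/stable 2.4.58-1 amd64 [upgradable from: 2.4.50-1]\n' > "$1/upgradable.txt"
  else
    printf 'auth required pam_unix.so\nauth required pam_google_authenticator.so\n' \
      > "$1/etc/pam.d/sshd"
    : > "$1/upgradable.txt"
  fi
}

# Return 0 when ROOT passes both checks, 1 otherwise, printing each finding.
audit() {
  rc=0
  if ! mfa_enforced "$1" sshd; then echo "FAIL: sshd does not require MFA"; rc=1; fi
  if [ -n "$(outdated_web_packages "$1/upgradable.txt")" ]; then
    echo "FAIL: outdated web packages: $(outdated_web_packages "$1/upgradable.txt")"; rc=1
  fi
  return $rc
}

SAMPLE=$(mktemp -d)
make_sample "$SAMPLE/weak" weak
make_sample "$SAMPLE/hardened" hardened
audit "$SAMPLE/weak" || echo "weak server fails audit (as expected)"
audit "$SAMPLE/hardened" && echo "hardened server passes audit"
```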