Lessons From a Mortgage Bank Data Breach
Secure Thoughts and security expert Jeremiah Fowler joined forces to expose a leak of over 3 million records, including references to loans and leads. Learn how this database was at risk of a ransomware attack:
On June 1st, 2021, I discovered a non-password-protected database that contained 3,238,820 records. Upon further investigation there were many references to home mortgage loans and indications that the data belonged to Nations Reliable Lending (NRL). I immediately sent a responsible disclosure notice to multiple contacts at NRL. When I checked the database the following day, I was surprised to see that it was still publicly exposed, and it remained open for 3-4 days before access was finally restricted.
Although loan and borrower data appeared to be encrypted and was not a part of the leak, there are still a range of other risks and valuable lessons to be learned from this exposure. The exposed records contained a wide range of internal process data such as error logs, system information, middleware, and other data that gives a very clear understanding of how the network operates. It also gives some indication of how the data is collected, what applications are being used, and where data is stored.
Banks and lenders are targets for cyber criminals
According to the American Land Title Association, a national trade association representing more than 6,400 title insurance companies and title and settlement agents, title insurance professionals reported that cyber criminals had attempted to trick employees into wiring funds to a fraudulent account in a third of all real estate and mortgage transactions. This is a massive number, and it appears to be underreported just how common attacks on the mortgage industry really are. Any exposure of the internal records of a financial organization is a high-value target for criminals. Financial institution fraud (FIF) is when criminals target banks, credit unions, and other financial institutions. Technology has made this type of fraud much easier and has increased the never-ending number of attempts.
The real danger is that sometimes these logs can contain information that should not be publicly exposed. One good example of this type of data is our discovery of what appears to be an administrator or contractor account that showed the email, access key and user ID. Hypothetically, this individual would have full access to the entire network or to any highly sensitive information stored in restricted areas of the database. There were references in the dataset to Evoke Technologies, a “Digital Transformation” company based in the USA and India with 700 employees. According to their website they are a global information technology services company offering innovative software development, IT outsourcing and IT consulting services.
What the database contained
- Total Records: 3,238,820
- Total Size: 1.34 GB
- Login IDs for Salesforce, AWS WorkSpaces and other internal information, including references to loans and leads (people who are interested in home loans).
- Security and access tokens were exposed. These could be used to bypass enhanced security measures or access encrypted data.
- Suspected contractor or system admin login and access data.
- The files also show where data is stored and a blueprint of how the service operates from the backend. The security information could potentially allow cyber criminals to create a “Man in the Middle” attack.
- Types of records: crawlers, error, lambda-insights, AWSTransferFileStack-GetUserConfig, LendingTree-Leads, Leads2SFDC-JotForms, WorkSpaces_Logs, System, VPCFlowLogsGrup, _doc, logging-CloudTrailLog
- The database was at risk of a ransomware attack.
- The records contained middleware or build information that could allow a secondary path for malware: IP addresses, ports, pathways, and storage info that cyber criminals could exploit to reach deeper into the network, as well as tokens and security information.
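The lesson in the paragraph above and in this list is that log and middleware records are themselves a credential store when nobody scrubs them: an email, access key and user ID in one error record is exactly the admin or contractor pattern the write-up describes. The following is an added example (not the author's tooling or anything from NRL or Evoke Technologies) of the check a defender would run over a log index dump before, or instead of, letting it sit on an exposed host: it walks each record, flags AWS access key IDs (AKIA/ASIA are AWS's documented prefixes), raw secret values in fields named like secrets, JWTs and bearer tokens, rates a record as critical when a secret appears alongside an identity such as an email, and produces a redacted copy safe to keep in the index. The token shapes other than the AWS prefixes, the field-name heuristic and the three sample records are assumptions constructed for this example; the access key and secret values are the placeholder pair AWS uses in its own documentation.

```python
import json
import re
from typing import Any, Dict, List, Tuple

# Shapes of credential material that must never sit in plaintext log records.
# AKIA/ASIA are AWS's documented access key ID prefixes; the remaining shapes
# are generic token formats chosen for this example (assumption).
SECRET_PATTERNS: Dict[str, re.Pattern] = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)(?:aws_)?secret(?:_access)?_key[\"'\s:=]+([A-Za-z0-9/+=]{40})"),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\b"),
    "bearer_token": re.compile(r"(?i)\bbearer\s+([A-Za-z0-9._~+/=-]{20,})"),
}
# Field names that should only ever hold a reference, never the raw value (assumption).
SENSITIVE_KEY_RE = re.compile(r"(?i)(secret|token|password|passwd|api[_-]?key|access[_-]?key)")
EMAIL_RE = re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")
REDACTED_PREFIX = "<REDACTED:"


def scan_record(record: Dict[str, Any]) -> List[Tuple[str, str, str]]:
    """Return (field_path, finding_type, value) for every secret in a record.

    Walks nested dicts and lists so a key buried inside a middleware error
    payload is found as readily as one in a top-level field.
    """
    findings: List[Tuple[str, str, str]] = []

    def walk(value: Any, path: str, key: str = "") -> None:
        if isinstance(value, dict):
            for k, v in value.items():
                walk(v, f"{path}.{k}" if path else k, k)
        elif isinstance(value, list):
            for i, v in enumerate(value):
                walk(v, f"{path}[{i}]")
        elif isinstance(value, str):
            # A secret-named field holding any non-placeholder value is a finding.
            if key and value and SENSITIVE_KEY_RE.search(key) and not value.startswith(REDACTED_PREFIX):
                findings.append((path, "sensitive_field", value))
            for name, pat in SECRET_PATTERNS.items():
                for m in pat.finditer(value):
                    findings.append((path, name, m.group(m.lastindex or 0)))

    walk(record, "")
    return findings


def classify_record(record: Dict[str, Any]) -> str:
    """'clean' (no secret), 'high' (secret present) or 'critical' (secret plus an
    identity such as an email: the admin/contractor account pattern above)."""
    if not scan_record(record):
        return "clean"
    return "critical" if EMAIL_RE.search(json.dumps(record)) else "high"


def redact_record(record: Dict[str, Any]) -> Dict[str, Any]:
    """Return a copy with every secret replaced by a typed placeholder, so the
    record keeps its diagnostic value without carrying a usable credential."""

    def scrub(value: Any, key: str = "") -> Any:
        if isinstance(value, dict):
            return {k: scrub(v, k) for k, v in value.items()}
        if isinstance(value, list):
            return [scrub(v) for v in value]
        if isinstance(value, str):
            if key and value and SENSITIVE_KEY_RE.search(key):
                return f"{REDACTED_PREFIX}sensitive_field>"
            for name, pat in SECRET_PATTERNS.items():
                def repl(m: re.Match, n: str = name) -> str:
                    # Replace only the secret itself, keeping the surrounding text.
                    secret = m.group(m.lastindex or 0)
                    return m.group(0).replace(secret, f"{REDACTED_PREFIX}{n}>")
                value = pat.sub(repl, value)
            return value
        return value

    return scrub(record)


def audit(records: List[Dict[str, Any]]) -> Dict[str, int]:
    """Summarise an index dump as a count of records per risk level."""
    summary = {"clean": 0, "high": 0, "critical": 0}
    for r in records:
        summary[classify_record(r)] += 1
    return summary


# Constructed sample records, shaped like the index types named in the write-up.
SAMPLE_RECORDS: List[Dict[str, Any]] = [
    {"index": "error", "@timestamp": "2021-06-01T10:15:00Z",
     "message": "Auth failed for admin@example.com userId=U-12345 key=AKIAIOSFODNN7EXAMPLE",
     "context": {"secret_access_key": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"}},
    {"index": "WorkSpaces_Logs", "@timestamp": "2021-06-01T10:16:00Z",
     "message": "Session started os=Windows region=us-east-1"},
    {"index": "Leads2SFDC-JotForms", "@timestamp": "2021-06-01T10:17:00Z",
     "message": "POST /lead Authorization: Bearer tok_8f3a9c2d1e4b5a6f7c8d9e0f1a2b3c4d"},
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(classify_record(rec), scan_record(rec))
        print(json.dumps(redact_record(rec)))
    print(audit(SAMPLE_RECORDS))
```

Run against a real dump, `audit` gives the headline a disclosure like this one turns on (how many records carry a live credential next to an identity), while `redact_record` is the shape of the filter to put in the log pipeline so the index never holds the raw value in the first place. The field-name heuristic is deliberately broad; tune `SENSITIVE_KEY_RE` to the application's own schema rather than loosening it.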
With the pandemic and more people working out of the office, it is no surprise that we see more businesses and organizations turning to collaboration software or remote access tools. If these remote access points are not configured properly, it can lead to unwanted public access and a data breach. In this specific database I saw AWS WorkSpaces records that included account numbers, IP addresses, operating system, and more. If cyber criminals gained access to this mobile and remote environment, it could provide a treasure trove of information or allow for a man-in-the-middle attack.
According to Amazon’s website: WorkSpaces is a fully managed, persistent desktop virtualization service that enables your users to access the data, applications, and resources they need, anywhere, anytime, from any supported device.
Man in the middle attack (MitM) is a serious threat
Just like it sounds, a MitM attack is where information passing between two parties is intercepted by a third party. Cybercriminals target banks and other financial institutions for obvious reasons. By monitoring transactions and communications between a bank and its customers, they would know exactly where each customer is in the loan process. At the last moment they could change information to trick the bank or title company into sending the funds to a criminal’s account instead of the intended account. They could also contact customers as if they were a bank employee and try to receive fraudulent payments or obtain personal information. This person would have all of the correct information, and the victim would assume the request is legitimate.
As security researchers, we never bypass administrative credentials or extract data. Our goal is to educate and raise awareness of how data is exposed and how real people are affected. Unfortunately, cyber criminals do not follow the same code of ethics. Criminals are always looking for information that can be exploited for financial gain. Data breaches can expose customers’ accounts or personally identifiable information (PII), and each piece of data is a puzzle piece that can be connected to build a bigger picture of their victims.
Many years ago, before my career in the technology sector, I worked for a mortgage company. I was able to see what it takes to obtain a home loan or refinance an existing loan. Financial records are among the most sensitive and pose the highest risks of theft or fraud. A house is often the largest purchase many people will make in their lifetime. What makes the financial industry so dangerous is that borrowers understand that they must provide their social security number (SSN), personal details, banking data, and more. This information would provide everything that a criminal would need to commit identity theft.
Banks and financial institutions have taken big steps to be at the forefront of data protection and cyber security. Using encryption is a necessary first step, but as technology evolves, older algorithms that were believed to be fully secure just a few years ago can now be broken. Another danger is encrypting the data but exposing the access keys, or other details about the internal network, that could allow cyber criminals or nation state actors to gain access deeper into the organization’s infrastructure. Finally, social engineering using privileged data is the most common and effective form of crime.
The threat landscape is always evolving, and cyber criminals are finding new ways to hack or scam companies and customers alike. Exploiting vulnerabilities is easy when networks go unpatched or do not update to the latest versions of middleware and software. I would advise any organization that outsources its system administration, development, or networking to require regular audits and data protection reports. Far too often companies will outsource their most valuable data to contractors who are sometimes outside the United States or have limited responsibility in the event of a data breach. We are not implying any wrongdoing by NRL, their contractors or partners; we are only highlighting our findings to raise awareness of data protection best practices.
Nations Reliable Lending (NRL) was founded in 2007 and Mortgage Executive Magazine listed NRL in the top 100 Mortgage Companies in America. In 2017 NRL was licensed in 45 states and operating in more than 55 branches. It is unclear how long the data was exposed or who else may have had access to the records. No one from Nations Reliable Lending or Evoke Technologies replied to our disclosure notice or follow up message at the time of publication.