J.P. Morgan Breach Incident Score: Analysis & Impact (NYLJPMOUTOUT1773678705)

In this Rankiteo incident briefing, we review the J.P. Morgan breach identified under incident ID NYLJPMOUTOUT1773678705.

The analysis begins with a detailed overview of J.P. Morgan's information like the linkedin page: https://www.linkedin.com/company/jpmorgan, the number of followers: 5796290, the industry type: Financial Services and the number of employees: 82484 employees

After the initial compromise, the video explains how Rankiteo's incident engine converts technical details into a normalized incident score. The incident score before the incident was 820 and after the incident was 809 with a difference of -11 which is could be a good indicator of the severity and impact of the incident.

In the next step of the video, we will analyze in more details the incident and the impact it had on J.P. Morgan and their customers.

Outpost24 recently reported "Sophisticated Phishing Attack Targets Outpost24 C-Level Executive Using Kratos Kit", a noteworthy cybersecurity incident.

A high-profile phishing attack targeted a C-level executive at Outpost24, a Swedish exposure management and identity security firm, leveraging the recently identified Kratos phishing-as-a-service (PhaaS) kit.

The disruption is felt across the environment, and exposing Credentials (Microsoft 365).

Formal response steps have not been shared publicly yet.

The case underscores how teams are taking away lessons such as The incident underscores the growing sophistication of phishing campaigns, particularly those leveraging trusted infrastructure to bypass security controls.

Finally, we try to match the incident with the MITRE ATT&CK framework to see if there is any correlation between the incident and the MITRE ATT&CK framework.

The MITRE ATT&CK framework is a knowledge base of techniques and sub-techniques that are used to describe the tactics and procedures of cyber adversaries. It is a powerful tool for understanding the threat landscape and for developing effective defense strategies.

Rankiteo's analysis has identified several MITRE ATT&CK tactics and techniques associated with this incident, each with varying levels of confidence based on available evidence. Under the Initial Access tactic, the analysis identified Phishing (T1566) with high confidence (95%), with evidence including high-profile phishing attack targeted a C-level executive, and phishing email, disguised as a legitimate message from JP Morgan and Phishing: Spearphishing Link (T1566.002) with high confidence (90%), with evidence including malicious link initially pointed to Cisco’s secure-web.cisco.com, and seven-step chain of redirects through trusted services. Under the Credential Access tactic, the analysis identified Brute Force: Password Guessing (T1110.001) with moderate to high confidence (80%), supported by evidence indicating real-time credential validation to ensure stolen logins were functional and Input Capture: Keylogging (T1056.001) with moderate to high confidence (70%), supported by evidence indicating convincing Microsoft 365 phishing page, complete with fake Outlook loading animation. Under the Defense Evasion tactic, the analysis identified Subvert Trust Controls: Code Signing (T1553.002) with moderate to high confidence (85%), supported by evidence indicating two DKIM signatures to bypass DMARC authentication, Valid Accounts: Cloud Accounts (T1078.004) with moderate to high confidence (70%), supported by evidence indicating abuse of trusted infrastructure (Cisco Secure Email Gateway, Nylas), Dynamic Resolution: Domain Generation Algorithms (T1568.002) with moderate to high confidence (75%), supported by evidence indicating repurposed domain originally registered in 2017, reacquired on March 12, Masquerading: Match Legitimate Name or Location (T1036.005) with moderate to high confidence (80%), supported by evidence indicating redirects through trusted services (Cisco, Nylas) to evade detection, and Impair Defenses: Disable or Modify Tools (T1562.001) with moderate confidence (60%), supported by evidence indicating browser validation check to evade security analysis. Under the Command and Control tactic, the analysis identified Application Layer Protocol: Web Protocols (T1071.001) with moderate to high confidence (80%), supported by evidence indicating cloudflare-protected infrastructure to conceal origin server and Web Service: Bidirectional Communication (T1102.002) with moderate to high confidence (70%), supported by evidence indicating seven-step chain of redirects through trusted services. Under the Exfiltration tactic, the analysis identified Exfiltration Over C2 Channel (T1041) with moderate to high confidence (70%), supported by evidence indicating real-time credential validation to ensure stolen logins were functional. These correlations help security teams understand the attack chain and develop appropriate defensive measures based on the observed tactics and techniques.