Bloomberg Credits Agio for API Permissions Detection
During a comprehensive Cybersecurity Risk Assessment, which included a penetration test, for one of our enterprise hedge fund clients, we recently discovered a vulnerability affecting the default installation settings for the Bloomberg Professional Client software — a vulnerability which had the potential to compromise over 300,000 Bloomberg subscribers, including many of our Hedge Fund, Private Equity, Investment Bank and other Asset Management clients. If an attacker had successfully exploited this vulnerability, they could have gained local administrative privileges, with full control of the environment only a short step away.
Agio, led by CEO Bart R. McDonough, worked closely with Bloomberg to ensure specifics of the vulnerability did not fall into adversaries’ hands. Bloomberg and their management have been extremely responsive and professional, proactively collaborating with us to address this potential cybersecurity issue.
Bloomberg has since released a software update, remediating the vulnerability, as well as release notes highlighting Agio’s discovery and assistance.
Agio also recommends that all firms, especially our Hedge Fund, Private Equity and other Asset Management clients, verify their users do not have administrative privileges unless specifically intended; orphan administrative accounts could have been created prior to Bloomberg’s software update, and companies will want to ensure no legacy threats remain in their environment. This is a powerful reminder that employees are a firm’s front lines, and therefore are potentially the weakest link.
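One way to carry out that check on a Windows workstation, as an added example that is not Agio’s or Bloomberg’s code: the script below lists every principal in the local Administrators group, flags any not on an approved list, and reports enabled local accounts with no recent logon as candidates for orphaned accounts. The approved-admin entries and the 90-day staleness window are placeholder assumptions to adjust per firm.

```powershell
# Audit local admin rights and possible orphaned local accounts (added example).
# ASSUMPTION: the approved list below is a placeholder; replace with your own.
$Computer = $env:COMPUTERNAME
$ApprovedAdmins = @(
    "$Computer\Administrator",      # built-in local admin (placeholder)
    'CORP\Domain Admins',           # placeholder domain group
    'CORP\Workstation Admins'       # placeholder domain group
)
$Findings = @()

# Every user or group currently holding local administrative privileges.
$Members = Get-LocalGroupMember -Group 'Administrators'
foreach ($m in $Members) {
    # Names come back as COMPUTER\user or DOMAIN\group.
    if ($ApprovedAdmins -notcontains $m.Name) {
        $Findings += [pscustomobject]@{
            Computer  = $Computer
            Principal = $m.Name
            Type      = $m.ObjectClass
            Source    = $m.PrincipalSource
            Issue     = 'Local admin not on approved list'
        }
    }
}

# Enabled local (non-domain) accounts that have never logged on, or not in
# 90 days (assumed threshold), are worth reviewing as possible orphans.
$Stale = (Get-Date).AddDays(-90)
foreach ($u in (Get-LocalUser | Where-Object { $_.Enabled })) {
    if (-not $u.LastLogon -or $u.LastLogon -lt $Stale) {
        $Findings += [pscustomobject]@{
            Computer  = $Computer
            Principal = "$Computer\$($u.Name)"
            Type      = 'User'
            Source    = 'Local'
            Issue     = "Enabled local account, last logon: $($u.LastLogon)"
        }
    }
}

# Review the findings; an empty table means nothing unexpected was found.
$Findings | Format-Table -AutoSize
```

Run it in an elevated session on each endpoint, or wrap it in Invoke-Command to collect results fleet-wide and compare against your intended privileged-access design.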
The detection of this vulnerability by the Agio Cybersecurity team is pivotal to changing the way firms conduct cybersecurity risk assessments. It’s safe to say at least 1,000 assessments were performed last year, and not one uncovered this vulnerability. Why? Many cybersecurity firms focus on external surfaces or exposures identified by automated scanning tools. Best-of-breed tools are important, but at the end of the day you’re only as good as the person doing the work. Agio harnesses these automated tools as a starting point, but it’s our policy to dig deeper, utilizing the keen sense of awareness our engineers have built over years and years of experience. If something piques our interest, it’s for good reason. We’ve always said 360° cybersecurity is about diligence, expertise, and process first and, only then, technology; our Bloomberg vulnerability discovery is a perfect example of why we adhere to such a holistic philosophy.
If you have any questions or concerns, please contact Ray Hillen, Agio’s Director of Cybersecurity, or Bart McDonough, Agio’s CEO.
We’ve got you covered.