Threat actors and attack vectors targeting financial institutions
By Lidia Lopez, Threat Intelligence Analyst at Blueliv (an Outpost24 company)
If you were to watch any crime series, the chances are you have heard the term “follow the money”. Cybersecurity is the same. As with most criminal groups, the chief driver is financial gain, be it by performing payment fraud or manipulating the stock market after sowing dissent amongst shareholders. Most crime motifs include a bank heist of some description, and cybercrime is no exception. Banks and other financial institutions handle some of the most valuable information that cybercriminals can monetise, from account and credit card data to sensitive PII (personally identifiable information). As such, these organisations remain at the forefront of risk as cybercriminals become increasingly sophisticated and malicious in their methods.
A new generation of cybercriminals is emerging: one that is no longer satisfied with simply stealing funds and holding companies’ information hostage, and instead aims to infiltrate and manipulate companies and environments, threatening the credibility and integrity of the institution, leaking sensitive information to the public, or committing fraud at different levels.
The COVID-19 pandemic has only bolstered these threats, as financial institutions’ already large exposure to such risks has been amplified by sudden shifts to remote working practices and other operational challenges. As a result, many financial organisations saw employees access data from unprotected networks and re-use passwords, in contrast to the highly controlled environment they had typically used in the office. This exposed their systems to a multitude of potential threats that could infiltrate the enterprise’s network more easily than ever before.
What cyber threats are facing banks and financial institutions?
Our latest study ‘Follow the Money’ reveals that certain threat actors are responsible for the most complex and longest-lasting campaigns and attacks on financial institutions. APT groups like the Lazarus Group, the Cobalt Gang and FIN7, to name but a few, present a major threat to the availability, integrity and confidentiality of the information of any entity. They often target big corporations and governments; however, due to the literal wealth of information held within their digital vaults, banks and financial institutions present a lucrative target.
But how are these highly sophisticated and organised criminal groups targeting financial institutions? Below is a list of the top attack vectors.
Credential theft
Credential theft is often the initial access vector of a successful attack. While all industries are impacted by credential theft, the wealth of data within financial institutions makes them a key target for this threat vector. Think of a key card that has been swiped from the belt of an inattentive security guard. All it takes is a single good credential to gain access into an organisation and cause havoc. Once credentials are captured, they can be used in a variety of ways depending on their type, and the more privileged the credentials are, the greater the damage the theft could cause.
With access to accounts or systems, sensitive and confidential information is not sold but ransomed to the legitimate owners. Detecting compromised credentials at an early stage – within days after they are compromised – can massively reduce the impact of an attack.
Phishing & BEC
Phishing is the bread-and-butter technique used by cybercriminals to steal credentials and personally identifiable information (PII) from their victims. It remains one of the most effective attack vectors because it is often tag-teamed with social engineering techniques to extract information from victims. Like a sleight of hand, the goal is to trick the individual into believing that something is important and that they must act immediately. Once their guard is lowered, the threat comes from where they least expect it, typically in the form of a link or attachment.
Phishing techniques are becoming increasingly sophisticated and are in a constant state of evolution. One of these successful evolutions takes the form of a business email compromise (BEC) attack. Like phishing, BECs require compromised credentials and social engineering. Put simply, malicious actors obtain access to a business email account and imitate the owner’s identity, or use a spoofed email address that looks like the legitimate one. Their objective is to defraud the company and as many stakeholders as possible. In this way, BEC attackers are able to gain access to critical data and infiltrate all sorts of company systems and networks.
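As an added example that is not part of the original article, the following Python triages an inbound message for the BEC tells described above: an executive’s display name paired with an external address, a lookalike sender domain, a mismatched Reply-To, and failed sender authentication. The corporate domain, executive names and sample headers are all constructed for illustration.

```python
import email
from email.utils import parseaddr

CORP_DOMAIN = "examplebank.test"          # assumed internal domain
EXECUTIVES = {"jane doe", "john smith"}   # assumed impersonation targets
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def normalise(domain: str) -> str:
    """Fold common lookalike tricks (digits for letters, rn for m, vv for w)."""
    return domain.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch single-character domain typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def bec_indicators(raw: str) -> list:
    """Return the list of BEC indicators found in a raw RFC 822 message."""
    msg = email.message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = addr.rsplit("@", 1)[-1].lower()
    flags = []
    if from_dom != CORP_DOMAIN:
        if name.strip().lower() in EXECUTIVES:
            flags.append("executive display name used from an external domain")
        if normalise(from_dom) == CORP_DOMAIN or edit_distance(from_dom, CORP_DOMAIN) <= 2:
            flags.append(f"lookalike sender domain {from_dom}")
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.rsplit("@", 1)[-1].lower() != from_dom:
        flags.append("reply-to domain differs from sender domain")
    auth = msg.get("Authentication-Results", "").lower()
    flags += [f"{c} failed" for c in ("spf", "dkim", "dmarc") if f"{c}=fail" in auth]
    return flags

# Constructed sample messages (not real traffic).
SAMPLE_BEC = """From: Jane Doe <jane.doe@exarnplebank.test>
Reply-To: jane.doe@mail-reply.test
To: payments@examplebank.test
Subject: Urgent wire transfer
Authentication-Results: mx.examplebank.test; spf=fail smtp.mailfrom=exarnplebank.test; dkim=none

Please process the attached invoice today.
"""
SAMPLE_LEGIT = """From: Jane Doe <jane.doe@examplebank.test>
To: payments@examplebank.test
Subject: Monthly report
Authentication-Results: mx.examplebank.test; spf=pass; dkim=pass

Report attached.
"""
```

Running `bec_indicators(SAMPLE_BEC)` yields four indicators, while the legitimate sample yields none; in production the same checks would feed a mail gateway rule or a SIEM alert rather than a list.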
Malware infection & Banking Trojans
Malware distribution campaigns may use email as an attack vector, amongst a variety of others, and the malware may serve different purposes, including stealing credentials. Malware infections are among the most popular attack vectors used by nefarious cyber crooks. A banking trojan is a malicious computer program designed to steal sensitive and confidential information stored in or processed through online banking systems. Like their Odyssean namesake, banking trojans may appear safe, or even beneficial, at first; however, inside are fearsome surprises. Many use form-grabbing, code injection and specific stealer modules dropped on the infected machines to harvest sensitive data, and may masquerade as a legitimate piece of software to dupe victims into downloading the malware.
Ransomware, perhaps one of the more notorious methods of extortion, is a form of malware that encrypts the victim’s files. The attacker holds the victim’s information and files hostage, demanding a ransom to restore access to the data. A particular window of time is usually specified in which to deliver the ransom, and the cybercriminal usually requires payment in cryptocurrency. After receiving payment, the cybercriminal may provide an avenue for the victim to regain access to the system or data. Alarmingly, however, the past two years have seen many prominent ransomware gangs add double extortion to their attacks, exfiltrating data from targeted systems prior to encryption and threatening victims with a data leak if the ransom is not paid. Leveraging this new strategy, many ransomware gangs have increased the ransom amounts and escalated the number of attacks. Ransomware targeting is mostly opportunistic, aimed at obtaining as high a ransom as possible.
According to PwC, there are two kinds of financial services firms: those that have faced a cyberattack and those that will.
Don’t delay. Organisations, and particularly the financial industry, must put in place proactive security measures that help them prioritise detection and response, enabling them to react quickly to incidents. As in life, meaningful change comes from the top. Executives must believe their own message and spread a culture of security within their enterprise. This will help to manage cyber-risk and reduce the impact of cyberattacks, which are all but inevitable.
However, the best defence is a good understanding of the threats and risks that you face. Threat intelligence is actionable information, delivered in an automated way, that lets organisations detect threats both inside and outside their network and prioritise their responses. It is so important because it allows security teams of all sizes to focus their resources – which are often limited – on the most crucial threats targeting their networks and infrastructure. Threat intelligence is the best way to level the playing field and take the advantage back from the cybercriminals.