By Derek Taylor, lead principal security consultant at Trustwave
Criminals throughout the ages have had their sights set on targeting banks. For a thief seeking to maximise their profit, a successful bank heist has been the ultimate pay day, and this holds true in the digital age. Rather than seeking gold bars and bank notes, attackers are now concerned with the personal and financial data that will allow them to access accounts, seize control of cryptocurrency, or execute targeted fraud campaigns.
Indeed, the annual Trustwave Global Security Report has consistently found the finance sector to be one of most-targeted industries. In the 2020 report, 14 percent of all attacks we investigated targeted financial organisations.
However, the chance for illicit reward has always been balanced against added security. For a traditional bank robbery, thieves will have to contend with armoured vaults, alarms and even armed guards. For cyber attacks, criminals will have to contend with some of the most regulated and well defended organisations in the world.
Nevertheless, because banks represent such a hardened yet lucrative target, they are often on the receiving end of the very latest, and more sophisticated, attack strategies. One of the most recent techniques we have seen deployed against banks involves a multi-level phishing attack that exploits the increasing use of cloud-based solutions.
The multi-layered strike
As with most cyber attacks, this new multi-level technique begins with a fairly standard phishing email. Attackers will either impersonate a senior executive at the target bank, or a known or trusted partner or supplier. Actionable requests that include attachments are the most common approach, with fake invoice PDFs being a particular favourite. The PDF may harbour malicious script that will initiate the installation of malware, enabling the threat actor to gain persistence in the system and begin escalating their attack. Alternatively, it will lead to a phishing site disguised as a real web page or login portal belonging to the bank that will harvest the victim’s login credentials.
But rather than sending over a standard attachment, attackers will send a link to a popular and legitimate cloud hosting service. Microsoft’s OneDrive, SharePoint and OneNote are some of the most often used, but many other services are also exploited for these attacks.
The workforce has become increasingly used to utilising the in-built sharing capabilities of these tools, which have been designed for greater collaboration and ease of use, especially while working from home during the pandemic, versus physically attaching documents as was commonplace a few months ago. By exploiting the trust automatically placed in these familiar services, as long as the accompanying phishing email or message is convincing, targets will have little reason to be suspicious.
Furthermore, hosting the file on a legitimate cloud hosting service, leaves no readily detectible threat signature, making detection more difficult for most email security solutions.
Exploiting the accessibility of the cloud
In the next stage, attackers further exploit the accessibility of the cloud. Workers have become accustomed to opening hosted files directly into their browser, a useful feature if their machine lacks the required software tools. While this feature is highly convenient, it also means that the user will not be warned when they click the malicious link and are directed away to the phishing site. Although users will be presented with an alert about the potential for such issues, they will likely be well used to ignoring it by now.
An even more recent evolution of this strategy involves sending a calendar invite rather than an attached file. The invites are sent via iCalendar, a plain text file containing calendaring and scheduling information. The invitation contains what appears to be a security key for the meeting but is actually an HTML object hosted on Google Cloud.
Unlike the PDF attachment, this approach will not issue users with any kind of warning about the potential for security issues. As with the email attack, the net result will be a phishing page designed to harvest credentials.
Credential harvesting is an increasingly popular option in comparison to attempts to install malware as there are fewer signs for security tools to detect. Successfully stealing credentials also enables attackers to immediately begin exploiting the stolen account to launch even more attacks.
With a stolen account, threat actors can send phishing emails with a legitimate address along with the already benign use of a familiar cloud hosting service. Armed with access to a compromised account, attackers can also exploit the Office 365 “Share with Anyone” option to send files to all contacts regardless of their actual access authorisation.
Countering the multi-layered attack
We have observed these new multi-stage attack techniques being deployed against organisations in multiple sectors over the last year, but major global banks have been prominent targets. Criminals with banks in their sights are well aware that they have a high level of funding and resources allocated to security, so attacks will need to be more inventive in order to succeed.
These multi-stage attacks are however countered with a multi-stage approach to defence. First, banks need to harden email security to reduce the chances of phishing emails reaching their staff. Regardless of the more advanced portions of the attack, these emails are still likely to use standard spoofing techniques such as altering the sender address. Setting email security tools such as Secure Email Gateways (SEGs) to identify and block emails that demonstrate misaligned sender IDs and other signs of spoofing will help block a majority of attacks.
Alongside this, banks should ensure that any cloud solutions they use are configured to limit the damage that can be done by stolen credentials. Features such as SharePoint’s “Anyone” option can be disabled to prevent threat actors from escalating their attack by sending out more document links to others in the organisation.
While banks will continue to be some of the first to be targeted by new attacks and techniques such a multi-layered defence will deflect most attempts and send opportunist criminals in search of easier marks.