By Anthony Giandomenico, Senior Security Strategist and Researcher, CTI Lead, FortiGuard Labs
The financial services industry has long been a target for cyber criminals looking to steal valuable customer and financial information. Defending against these criminal efforts has become even more challenging in recent years due to digital transformation efforts that have weakened the ability of many organizations to adequately secure their data. Many financial institutions feel trapped in a classic Catch-22 situation: Customers continue to demand new digital solutions, which force banks and other institutions to expand their potential attack surface through the adoption of new platforms and services. At the same time, regulatory controls require them to have the necessary security infrastructures in place to protect both their clients and themselves from malicious activity.
To address this conundrum, organizations within the financial services industry must take two steps. First, they need to adopt a security-driven networking strategy that binds any expansion of networks and services to a consistent and enforceable security architecture – you have to be able to secure it before you can build it, send it, develop it or connect to it. And second, they need to stay up to date with the latest cyber threat trends, as this will directly impact their ability to secure critical client data. With that in mind, Fortinet’s recent Q3 Threat Landscape Report highlights several emerging threats that CISOs and their teams need to be aware of moving forward.
Emotet is Still Highly Active
The past quarter saw cybercriminals increasingly using banking Trojans as a means to maximize their financial gains. This was reflected by the increased level of Emotet Trojan activity that was observed across networks. This spike in activity can be attributed in part to Emotet being used in a spear phishing campaign to distribute TrickBot, another well-known banking Trojan. By using Emotet as a payload delivery mechanism, cyber criminals were able to infect vulnerable systems with a variety of banking malware in a single attack.
This threat is particularly concerning due to the fact that Emotet is wormable, meaning that once it infects a system it can spread laterally, quickly infecting entire networks. Furthermore, packaging additional malware with Emotet gives cybercriminals the ability to launch large-scale attacks with relative ease. This form of malware distribution is consistent with attack trends that have been observed across the cyber landscape in Q3, highlighting the growth of the Malware-as-a-Service (MaaS) model. In fact, the Emotet developers have now launched a MaaS version of their malware, allowing criminal consumers – for a fee – to leverage the millions of devices currently infected with Emotet to deliver additional malware to targeted organizations.
The scale of Emotet’s current campaign, as well as its capabilities, gives the banking Trojan enormous threat potential. It’s why the US Department of Homeland Security has labeled it as one of the most costly and destructive systems in the world. And the continuous updates being provided by its very active development team mean that it is unlikely to be thwarted for quite some time. For that reason, it is essential that financial organizations stay informed on its latest iterations. And with that very concern in mind, FortiGuard Labs recently released a new Adversary Playbook that provides valuable information for detecting, understanding, and addressing recent iterations of Emotet.
Banking Malware is Evolving
TrickBot and IcedID were two other banking malware families that were highly active over the third quarter. TrickBot, while initially functioning only as a banking Trojan, has begun to evolve its capabilities, making it a more persistent threat. Several new iterations of TrickBot were observed, one of which employed a spamming module to gain access to systems and steal data. Another variation of the malware was equipped with a module for stealing credentials, autofill data and other information from an infected host.
IcedID, while still a relatively new Trojan, has enormous threat potential within the financial sector. This is because the malware is constantly evolving, making it incredibly difficult for security teams to detect and manage. Initially, IcedID worked by injecting itself into browsers and manipulating traffic to steal bank account information. However, recent variants of the malware are able to do more than just steal data. Fortinet research conducted on the malware in June revealed that it is now able to deliver a TrickBot payload and, presumably, other payloads as well.
The evolution of these malware variants targeting the financial sector highlights how important having actionable threat intelligence is when creating secure infrastructures. The ever-growing threat they pose to the financial services industry must not be understated, and in order for organizations to protect their data, they must constantly monitor the latest iterations of each of these banking trojans.
Cybercriminals are continually modifying their attack techniques to not only improve the accuracy of attacks but to better exploit the digital transformation efforts of their targeted organizations. Their goal is to deliver more effective and malicious payloads, as well as use advanced techniques to evade detection. In order to protect against this, financial institutions must rely on threat intelligence, as it will enhance their ability to thwart potential attacks and keep their critical data secure. This must be combined with a security-driven networking strategy to ensure that none of their efforts to meet evolving consumer demands ever puts themselves or their customers at risk.