By Richard Hughes, Head of Technical Cyber Security, A&O IT Group
Criminals are resourceful and will look to a range of methods to achieve their goals. This is especially true when it comes to attacks against the financial sector, where the potential gains can be seen to justify a significant investment in time and resources for criminal groups. In the virtual world, cyber criminals conduct research and reconnaissance against their targets to decide how best to attack, whether that’s using malware, zero-day exploits or denial of service. As a consequence, banks invest large sums into protecting their IT networks from cyber attacks.
Yet what banks’ security teams often overlook is that their attack surface extends far beyond the virtual element of their IT network. Banks provide a unique opportunity for threat actors due to the vast amount of physical infrastructure they have. This includes offices, branches, and ATMs, all of which can be vulnerable to intruders gaining physical access to IT assets so that they can infiltrate the corporate network. Such tactics often go undetected by traditional IT security solutions.
To combat the rising sophistication and audacity of criminals, financial institutions need to deploy a combination of technical security and human ingenuity.
Advanced persistent threats
To highlight the rising cyber threat banks face, it is worth considering Advanced Persistent Threat (APT) groups. These criminal gangs are well resourced and well funded, often by nation states, and run by threat actors at the height of their game. For example, the North Korean-linked APT38 specialises in striking the SWIFT system and is believed to have stolen more than £100m so far. Meanwhile, the Russian-speaking Silence group is expanding its operations beyond former Soviet bloc nations and is now targeting more than 30 countries, including the UK.
Groups like these don’t tend to be constrained by money or resources, meaning not only can they deploy advanced attacks rarely seen in security circles, but they have the ability to keep trying different attacks until one is successful.
Two examples are zero-day attacks, which exploit previously unknown vulnerabilities, and advanced malware strains created by APT groups to target banks; both tactics are then replicated by other threat actors against other industries. For instance, the Hermes ransomware used in the SWIFT campaign was the basis for Ryuk, which targets multiple sectors and is able to identify and encrypt network drives and essential resources in order to extract a ransom. In September 2020, for example, healthcare institutions around the world were on high alert following a spate of debilitating Ryuk attacks against several hospitals in the US.
The human element
To help initiate their attacks, threat actors will target unwitting staff. As financial institutions are often staffed by thousands of employees, it is highly likely that someone will be the weak link who unknowingly lets a threat actor onto the corporate network. This will often involve the attacker contacting the intended mark with an email containing malware or a phishing lure. Threat actors with time on their side will even research which emails an employee is most likely to respond to, for example imitating a colleague or a supplier asking them to look at an attached document on a familiar task or project. Such deception will also accurately copy the look and style of the emails that employee typically receives, and will even attempt to present a legitimate-looking sender address, all to make the con more convincing.
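The impersonation tricks described above (a sender address that looks like the bank's own domain, a display name borrowed from a colleague or supplier) leave traces in the mail headers that a mail gateway or SOC can check. The following is an added example written for this article, not code from A&O IT Group; the organisation domain, the supplier allow-list and the three sample messages are constructed for the demonstration, and the edit-distance threshold of 2 is an assumption that a real deployment would tune.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed values: the bank's own mail domain and a small allow-list of
# partner domains that are expected to send mail to staff.
ORG_DOMAIN = "examplebank.test"
KNOWN_PARTNER_DOMAINS = {"trusted-supplier.test"}
LOOKALIKE_MAX_DISTANCE = 2  # assumption: tune per organisation


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    """Return the lower-cased domain part of an email address ('' if none)."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def analyse_headers(raw_message: str) -> list:
    """Return a list of impersonation indicators found in the From/Reply-To headers."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    from_dom = domain_of(from_addr)
    findings = []

    # 1. Sender domain is a near-miss of the bank's domain or of a known partner.
    if from_dom and from_dom != ORG_DOMAIN and from_dom not in KNOWN_PARTNER_DOMAINS:
        for trusted in [ORG_DOMAIN, *KNOWN_PARTNER_DOMAINS]:
            if levenshtein(from_dom, trusted) <= LOOKALIKE_MAX_DISTANCE:
                findings.append("lookalike-domain")
                break

    # 2. Replies are silently redirected to a different domain than the sender.
    if reply_addr and domain_of(reply_addr) != from_dom:
        findings.append("reply-to-mismatch")

    # 3. Display name claims to be the bank while the address is external.
    org_label = ORG_DOMAIN.split(".")[0]
    if from_name and org_label in from_name.lower() and from_dom != ORG_DOMAIN:
        findings.append("display-name-impersonation")

    return findings


# Constructed sample messages (headers only, bodies irrelevant to the checks).
LEGIT_INTERNAL = "\n".join([
    'From: "Alice Smith" <alice.smith@examplebank.test>',
    "To: bob.jones@examplebank.test",
    "Subject: Q3 reconciliation sheet",
    "",
    "Bob, the sheet is attached as discussed.",
])

LOOKALIKE_SUPPLIER = "\n".join([
    'From: "Alice Smith" <alice.smith@examp1ebank.test>',  # digit 1 for letter l
    "Reply-To: billing@freemail.test",
    "To: bob.jones@examplebank.test",
    "Subject: Updated invoice for project Falcon",
    "",
    "Please review the attached invoice today.",
])

FAKE_HELPDESK = "\n".join([
    'From: "ExampleBank IT Helpdesk" <helpdesk@freemail.test>',
    "To: bob.jones@examplebank.test",
    "Subject: Password expiry notice",
    "",
    "Your password expires today, sign in here to keep access.",
])

if __name__ == "__main__":
    for label, sample in [("legit", LEGIT_INTERNAL), ("lookalike", LOOKALIKE_SUPPLIER),
                          ("helpdesk", FAKE_HELPDESK)]:
        print(label, analyse_headers(sample))
```

The three checks are deliberately cheap so they can run on every inbound message before any attachment analysis; a hit is a reason to quarantine for analyst review rather than proof of an attack, since legitimate partner mail can occasionally use an external Reply-To.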
This type of cyber criminal activity has been particularly exacerbated this year by the remote working enforced by COVID-related lockdowns. A fundamental issue here is that the security of home networks lags behind that of corporate networks, making it more likely that malicious emails reach end users and that suspect phishing sites trigger little or no warning. Employees are also more likely to fall for phishing and malware scams when they cannot confer with colleagues about the legitimacy of an email, and when they face the distractions of home life, such as children and doorbells.
Physical infrastructure under attack
More audacious threat actors have another attack surface of which they can take advantage within the banking sector – offices, branches, and ATMs. Often isolated and accessible 24/7, ATMs are a particularly vulnerable asset. While the cash they contain is heavily protected with anti-tamper and anti-theft devices, the same cannot be said for the ATM’s other components, including routers, card readers and cheque scanners, which often only have a simple metal panel encasing them.
For example, the 4G router of one type of ATM we investigated could potentially be removed by threat actors with little effort and enable them to access the ATM network. Elsewhere, another brand of ATM we assessed had no application-level encryption, instead relying on a VPN alone for data transport security. This would enable threat actors who reach the device to manipulate information such as the available balance, giving them free rein to withdraw more cash than they had funds for.
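The second ATM finding above is worth making concrete: when the only protection is the transport tunnel, the application on either end accepts whatever arrives once that tunnel is reached. The following added example (written for this article, not code from any ATM vendor or from A&O IT Group) contrasts an unauthenticated balance message with one carrying an HMAC-SHA256 tag under a shared key, and shows that the same field edit is accepted by the first and rejected by the second. The message format, field names and key are constructed for the demonstration.

```python
import hashlib
import hmac
import json

# Constructed demo key; a real deployment would provision per-device keys.
SHARED_KEY = b"constructed-demo-key-not-for-production"


def build_unauthenticated(account: str, balance_pence: int) -> str:
    """Weak design: balance message with no application-level integrity check."""
    return json.dumps({"account": account, "balance_pence": balance_pence})


def parse_unauthenticated(raw: str) -> int:
    """Trusts whatever balance arrived; the VPN is the only defence."""
    return int(json.loads(raw)["balance_pence"])


def build_authenticated(account: str, balance_pence: int, key: bytes = SHARED_KEY) -> str:
    """Hardened design: canonical body plus HMAC-SHA256 tag over that body."""
    body = json.dumps({"account": account, "balance_pence": balance_pence},
                      sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return json.dumps({"body": body, "tag": tag})


def parse_authenticated(raw: str, key: bytes = SHARED_KEY) -> int:
    """Recompute the tag and refuse the message if it does not match."""
    envelope = json.loads(raw)
    expected = hmac.new(key, envelope["body"].encode(), hashlib.sha256).hexdigest()
    # compare_digest avoids leaking the match position through timing.
    if not hmac.compare_digest(expected, envelope["tag"]):
        raise ValueError("integrity check failed: message rejected")
    return int(json.loads(envelope["body"])["balance_pence"])


def edit_balance_in_transit(raw: str, new_balance_pence: int) -> str:
    """Simulates a message altered between the two ends (constructed for the demo)."""
    outer = json.loads(raw)
    if "body" in outer:  # authenticated envelope: edit the body, leave the tag as is
        body = json.loads(outer["body"])
        body["balance_pence"] = new_balance_pence
        outer["body"] = json.dumps(body, sort_keys=True, separators=(",", ":"))
        return json.dumps(outer)
    outer["balance_pence"] = new_balance_pence
    return json.dumps(outer)


def unauthenticated_accepts_edit() -> bool:
    """True if an altered balance is accepted by the weak design."""
    original = build_unauthenticated("12345678", 5_000)
    altered = edit_balance_in_transit(original, 99_999_900)
    return parse_unauthenticated(altered) == 99_999_900


def authenticated_accepts_edit() -> bool:
    """True only if an altered balance slips past the HMAC check (it should not)."""
    original = build_authenticated("12345678", 5_000)
    altered = edit_balance_in_transit(original, 99_999_900)
    try:
        parse_authenticated(altered)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print("unauthenticated design accepts edited balance:", unauthenticated_accepts_edit())
    print("authenticated design accepts edited balance:", authenticated_accepts_edit())
```

The tag covers the canonical body, so any change to any field invalidates it; the example does not address replay of an old, validly signed message, which in practice needs a sequence number or timestamp inside the signed body, nor key management for a fleet of devices.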
Those willing to take greater risks could even potentially enter secure areas of bank branches and offices in order to initiate their cyber attacks. For instance, equipped with a fake identity card and a cover story, our red team, which emulates real criminal tactics to test defences, has frequently been able to access restricted areas of bank buildings. In one incident, armed guards buzzed our impostor through to a highly controlled section of a bank after he claimed that his RFID card was faulty.
Another time one of our operatives was able to walk into a bank off the street and remain there until 10pm, long after all the staff went home. During that time, he searched employees’ desks and found written down passwords and security passes that could be used to access other secure buildings.
Having such physical access enables an intruder to place a drop box somewhere discreet that gives them a foothold on the network. They can then carry out their attack slowly and avoid detection.
Defending against the virtual and physical
Being able to detect and remove vulnerabilities on the corporate network is a fundamental element of cyber security. Automated vulnerability scans can identify basic gaps in security that could assist a cyber attack, such as incorrectly set security controls, missing patches and updates, and other anomalies. To be of any use these scans need to be run frequently, at least once a month; otherwise, because IT networks change continually, the results rapidly go out of date and vulnerabilities go undetected.
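Scan frequency is only useful if someone acts on the drift between scans. As an added example (written for this article, not code from A&O IT Group or any scanner vendor), the following script takes a constructed export of per-asset scan results and reports two things: assets whose last scan is older than the monthly cadence, and findings that have reappeared in successive scans of the same asset, which is the signal that a scan ran but nothing was fixed. The asset names, dates, finding identifiers and the 30-day threshold are all constructed or assumed.

```python
from collections import defaultdict
from datetime import date

# Constructed scan export: one record per scan of an asset.
SCAN_RECORDS = [
    {"asset": "branch-router-01", "scanned": "2020-08-01",
     "findings": ["missing-patch-A"]},
    {"asset": "branch-router-01", "scanned": "2020-09-01",
     "findings": ["missing-patch-A", "weak-config-B"]},
    {"asset": "atm-gw-07", "scanned": "2020-06-15",
     "findings": ["missing-patch-C"]},
    {"asset": "hq-fileserver", "scanned": "2020-09-20",
     "findings": []},
]


def latest_scan_per_asset(records: list) -> dict:
    """Map each asset to the date of its most recent scan."""
    latest = {}
    for rec in records:
        when = date.fromisoformat(rec["scanned"])
        if rec["asset"] not in latest or when > latest[rec["asset"]]:
            latest[rec["asset"]] = when
    return latest


def stale_assets(records: list, today: date, max_age_days: int = 30) -> list:
    """Assets whose most recent scan is older than max_age_days (sorted)."""
    latest = latest_scan_per_asset(records)
    return sorted(asset for asset, when in latest.items()
                  if (today - when).days > max_age_days)


def recurring_findings(records: list) -> dict:
    """Findings seen in more than one scan of the same asset, i.e. not remediated."""
    seen = defaultdict(lambda: defaultdict(int))
    for rec in records:
        for finding in rec["findings"]:
            seen[rec["asset"]][finding] += 1
    return {asset: sorted(f for f, n in counts.items() if n > 1)
            for asset, counts in seen.items()
            if any(n > 1 for n in counts.values())}


if __name__ == "__main__":
    as_of = date(2020, 10, 1)  # constructed "today" for the demo
    print("not scanned in the last 30 days:", stale_assets(SCAN_RECORDS, as_of))
    print("findings carried over between scans:", recurring_findings(SCAN_RECORDS))
```

Feeding this kind of report into the same ticketing queue as the scan itself turns a monthly scan from a snapshot into a trend, and the "carried over" list is usually the shorter and more actionable of the two.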
However, while useful, these scans are unable to detect more sophisticated attacks that advanced threat actors might use such as multi-step attacks or zero-day vulnerabilities. Detecting such tactics requires manual investigations by experienced security analysts who can think like threat actors to uncover more imaginative routes onto the system.
A safe and effective way of exploring the more advanced methods a threat actor might use against a specific organisation is red teaming. This extensive exercise involves ethical hackers attempting to break into a network to achieve a set of specific objectives, such as gaining access to customer accounts. For banks, red teaming exercises should simulate a range of attacks that combine the physical and virtual worlds as outlined above, including elements such as social engineering, branch infiltration and attacks on ATMs. Armed with the findings, banks can then amend their security infrastructure and processes accordingly.
Motivated and well-resourced threat actors will use any means they can to infiltrate the IT networks of banks. To ensure they are well defended, banks need to recognise this and plan to ensure there are minimal vulnerabilities that can be exploited whether in the physical or virtual world.