Banks and other financial institutions have the one thing every criminal desires. Money.
So, it only makes sense that cybercriminals prioritize attacking this industry sector, and it makes even more sense for these institutions to harden their systems to prevent attacks.
An in-depth investigation by Trustwave's elite SpiderLabs team dove deep into this issue, and it recently released a report that describes the most prevalent attackers, how those attacks are happening, and the best defensive measures to have in place to remain secure.
The report, "2023 Financial Services Sector Threat Landscape: Trustwave Threat Intelligence Briefing and Mitigation Strategies," accomplishes this task with a multi-step approach discussing prominent trends, a typical attack flow, and a breakdown of the key threat groups most directly involved in attacking the financial services sector.
An Attacker's Second Favorite Target
The financial services sector ranks second in terms of the cost of a data breach, trailing only behind the healthcare industry. In 2023, the average cost of a data breach in the financial services sector amounted to $5.9 million, compared to the industry average of $4.4 million, according to data from the Ponemon Institute.
In March 2023, Melbourne-based Latitude Financial had more than 14 million records compromised when a threat actor stole an employee's login credentials. In June 2022, one of the largest financial providers in the U.S., Flagstar Bank, suffered a massive data breach, leaking the Social Security numbers of almost 1.5 million customers – their second cybersecurity incident in two years.
The Who and the How
While there are some lesser-known adversaries mentioned in the report, Trustwave SpiderLabs found quite a few well-known threat groups active in this area, including:
- Clop
- LockBit
- Alphv/BlackCat
- Black Basta
The adversaries' preferred attack vectors cover a wide spectrum. However, the preferred method is email-centric techniques such as phishing emails with malicious attachments and business email compromise (BEC.)
Other popular methods Trustwave SpiderLabs uncovered were exploiting vulnerabilities, illegally gaining access to legitimate credentials, and spreading malware like ransomware and infostealers.
Protecting Clients
The report also includes preventative measures financial organizations can take to help protect their customers. Trustwave SpiderLabs noted some of the key recommendations and mitigations:
- Consumer Security Education: Inform customers about the dangers associated with phishing and malware threats, including education on recognizing phishing attempts and safe online practices.
- Security Controls: Implement robust security measures to safeguard customer accounts, such as encryption, multi-factor authentication (MFA), human identification, penetration testing for consumer-facing apps, and intrusion detection systems.
- Customer Support and Incident Response: Provide a support mechanism to customers when a security incident occurs, including assisting customers in changing passwords, securing compromised accounts, and providing guidance on reinforcing their personal security practices.
Attack Flow and Threats
Attackers have developed a plan that sees every attack follows a specific path for them to obtain the most out of each effort. There are also specific threats that fall under each step of the attack flow; these are the methods attackers use to complete the step.
Let's take a quick look at what is taking place, but for the full details, please download and read the report.
For the financial services area, a typical attack process and its associated threats are:
Initial Foothold – This step can take various forms, ranging from successful phishing attacks to vulnerability exploitation or even logging into public-facing systems using previously acquired credentials.
- Phishing and Business Email Compromise - Phishing and email-borne malware stand out as the most commonly exploited methods for gaining an initial foothold in an organization. Instead of attempting to exploit the software or systems on the network, attackers direct their focus towards targeting the individuals operating the keyboard.
- Logging In – This is the simplest method of gaining access and can occur if an organization does not change default credentials for devices, uses weak passwords, which makes them vulnerable to brute-forcing, or if an attacker purchases credentials on an underground forum.
- Vulnerability Exploitation - This covers various aspects, including zero-day vulnerabilities, the speed at which organizations deploy patches, proof-of-concept exploits, and the disclosure of vulnerabilities. In simple terms, a vulnerability denotes a flaw in software that poses security risks. Malicious actors create specialized software or scripts to exploit such vulnerabilities and evade security measures like authorization, authentication, and audit controls.
- Supply Chain - Instead of going after multiple prominent organizations directly, attackers focus their attention on trusted third-party partners. This approach is sometimes dubbed "the Domino Risk," as the attackers aim to tip over one domino, setting off a chain reaction that impacts many others. Given its increasing popularity and the alarming security breaches frequently making headlines, the return on investment for this kind of attack seems significant.
Initial Payload – After establishing an initial foothold, attackers typically don't expect to gain full control over the entire network. They often secure access to a less critical system with restricted network privileges. Nevertheless, at this stage, they proceed to download more advanced tools and malware to strengthen their position or make use of existing tools like PowerShell or LOLBins (Living-off-the-Land Binaries) for their advantage.
Expansion/Pivoting - The initial foothold typically involves a low-value workstation, such as a phishing victim's laptop, or a network appliance like a VPN endpoint; the attacker now is going to target higher-value accounts and systems with the appropriate tools at their disposal. These include Domain Admins, Root Accounts, Active Directory Systems, and Database servers.
Malware – Attackers implement a variety of malware, such as:
- Infostealers: Specialized malware designed to steal information.
- Remote Access Trojans (RAT): Malware that provides an administrative-level backdoor to a compromised system.
- Ransomware: Typically encrypts or locks data and then demands the victim pay a ransom to regain access to the data. More recently, ransomware groups have added an extortion component to these attacks. They will exfiltrate valuable data prior to deploying the ransomware and then publicly post proof of the attack to scare/shame the victim organization into paying the ransom.
Exfiltration / Post Compromise – Exfiltration is the final step and can manifest differently, contingent on the attackers' goals. This includes a "smash and grab" approach, seeking to rapidly collect as much information as possible before a quick departure, while others may have precise targets in their sights.
The Takeaway
Attacks on financial services institutions are unlikely to subside.
The fact that these organizations store and process a large amount of easily monetized sensitive data (e.g., credit card and bank information,) means attackers will remain highly motivated continually adapt their methods to outpace defenses.
Additionally, the broad scope of financial services also means these organizations house various levels of personal information, including sensitive health information, such as those from insurance organizations. All of which are highly prized by threat actors.
Please see the report for a complete list of threats, how attackers go about invading a system, and the mitigation methods that SpiderLabs has provided.
