Banks and other financial institutions have the one thing every criminal desires. Money.
So, it only makes sense that cybercriminals prioritize attacking this industry sector, and it makes even more sense for these institutions to harden their systems to prevent attacks.
Trustwave's elite SpiderLabs team investigated this issue in depth and recently released a report that describes the most prevalent attackers, how those attacks are happening, and the best defensive measures to have in place to remain secure.
The report, "2023 Financial Services Sector Threat Landscape: Trustwave Threat Intelligence Briefing and Mitigation Strategies," accomplishes this task with a multi-step approach discussing prominent trends, a typical attack flow, and a breakdown of the key threat groups most directly involved in attacking the financial services sector.
The financial services sector ranks second in terms of the cost of a data breach, trailing only behind the healthcare industry. In 2023, the average cost of a data breach in the financial services sector amounted to $5.9 million, compared to the industry average of $4.4 million, according to data from the Ponemon Institute.
In March 2023, Melbourne-based Latitude Financial had more than 14 million records compromised when a threat actor stole an employee's login credentials. In June 2022, one of the largest financial providers in the U.S., Flagstar Bank, suffered a massive data breach, leaking the Social Security numbers of almost 1.5 million customers – its second cybersecurity incident in two years.
While there are some lesser-known adversaries mentioned in the report, Trustwave SpiderLabs found quite a few well-known threat groups active in this area, including:
The adversaries' attack vectors cover a wide spectrum. However, the preferred method is email-centric techniques such as phishing emails with malicious attachments and business email compromise (BEC).
Other popular methods Trustwave SpiderLabs uncovered were exploiting vulnerabilities, illegally gaining access to legitimate credentials, and spreading malware like ransomware and infostealers.
The report also includes preventative measures financial organizations can take to help protect their customers. Trustwave SpiderLabs noted some of the key recommendations and mitigations:
Attackers have developed a plan in which every attack follows a specific path, so they get the most out of each effort. There are also specific threats that fall under each step of the attack flow; these are the methods attackers use to complete the step.
Let's take a quick look at what is taking place, but for the full details, please download and read the report.
For the financial services area, a typical attack process and its associated threats are:
Initial Foothold – This step can take various forms, ranging from successful phishing attacks to vulnerability exploitation or even logging into public-facing systems using previously acquired credentials.
Initial Payload – After establishing an initial foothold, attackers typically don't expect to gain full control over the entire network. They often secure access to a less critical system with restricted network privileges. Nevertheless, at this stage, they proceed to download more advanced tools and malware to strengthen their position, or make use of existing tools like PowerShell or LOLBins (Living-off-the-Land Binaries) to their advantage.
Expansion/Pivoting – The initial foothold typically involves a low-value workstation, such as a phishing victim's laptop, or a network appliance like a VPN endpoint. With the appropriate tools at their disposal, the attacker now targets higher-value accounts and systems. These include Domain Admins, Root Accounts, Active Directory Systems, and Database servers.
Malware – Attackers implement a variety of malware, such as:
Exfiltration / Post Compromise – Exfiltration is the final step and can manifest differently, contingent on the attackers' goals. Some attackers take a "smash and grab" approach, seeking to rapidly collect as much information as possible before a quick departure, while others may have precise targets in their sights.
Attacks on financial services institutions are unlikely to subside.
The fact that these organizations store and process a large amount of easily monetized sensitive data (e.g., credit card and bank information) means attackers will remain highly motivated and continually adapt their methods to outpace defenses.
Additionally, the broad scope of financial services also means these organizations house various levels of personal information, including sensitive health information, such as that from insurance organizations, all of which is highly prized by threat actors.
Please see the report for a complete list of threats, how attackers go about invading a system, and the mitigation methods that SpiderLabs has provided.