Report: Banks More Subject to Network Intrusion And Ransomware Attacks
While the global banking sector has made strides in protecting its data from malware such as Trojans, cyberthreats such as network intrusion, ransomware and criminal gang cooperation are presenting fresh challenges to the financial industry, according to a report issued this week by the Carnegie Endowment for International Peace.
In a paper entitled, “Enduring Cyber Threats and Emerging Challenges to the Financial Sector,” researchers for the think tank note that while banks and financial institutions are pushing toward various digital transformation projects to make their organizations more agile, the pace of change has also created more opportunities for attacks against networks and infrastructure.
Further, while financial institutions have improved over the past several years, including doing a better job of defending against malware threats and improving the security around systems such as SWIFT – the global money-transfer network – the challenges that come from ransomware and other attacks are making an impact.
“One of the most significant threats today is from network intrusions that lead to ransom and extortion,” according to the report, which included input from the World Economic Forum as well. “Over a dozen threat groups are using the same business model and finding it very effective. The estimated loss to victims caused by these groups in 2020 has reached hundreds of millions of dollars, with the REvil group [aka Sodinokibi] alone claiming over $100 million in profits in one year, and the rate of attack is still accelerating.”
Adrian Nish, Saher Naumaan and James Muir, the report’s authors, note that the threats from network intrusion and ransomware that lead to data theft and extortion are likely to continue into 2021, which requires a better response from private industry and governments worldwide.
The three also call for banks and governments to band together and develop a collective defense against such attacks.
“A response may include sanctions, arrests, asset seizures, or other actions,” the researchers note. “For such actions to be justified, there must be a mutual understanding that a line has been crossed; in addition, since sanctions and other actions to hold actors accountable may provoke an escalatory response, financial actors will need to have a minimum level of resilience so that they can withstand such responses.”
One of the biggest threats facing banks and other financial institutions is the use of various network intrusion techniques by cybercriminal gangs to gain a foothold within networks and then use this access to move laterally around the infrastructure looking for files and data, as well as other weaknesses, according to the report.
In many cases, attackers are using legitimate penetration testing tools, such as Cobalt Strike and PowerShell Empire, to gain initial access. At the same time, living-off-the-land techniques that leverage Windows tools, such as PowerShell, help maintain persistence and assist with reconnaissance (see: Ransomware Attackers May Lurk for Months, FBI Warns).
Other techniques attackers are increasingly using to target bank networks are fileless malware that avoids security tools and leaves little forensic trace as well as domain name system (DNS) command-and-control modules, which can effectively evade web-proxy controls and intrusion detection tools, according to the report.
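The DNS command-and-control pattern mentioned above is worth showing from the defender's side. The following is an added example, not code from the report or the article: it scores a constructed resolver log per client and domain and flags the signature of tunnelled C2, a stream of never-repeated, high-entropy subdomains mostly carried in TXT lookups. The log format, the two-label domain split and all thresholds are assumptions.

```python
import math
import re
from collections import Counter, defaultdict
# Constructed sample resolver log (time, client, qtype, name); c2-placeholder.example
# stands in for an attacker-controlled zone. Not real traffic.
SAMPLE_DNS_LOG = """\
10:00:01 10.1.4.22 A www.example.com
10:00:02 10.1.4.22 TXT 6a7b3f9e0c1d2e4f5a6b.c2-placeholder.example
10:00:03 10.1.4.22 TXT 9f8e7d6c5b4a39281706.c2-placeholder.example
10:00:04 10.1.4.22 TXT 0a1b2c3d4e5f60718293.c2-placeholder.example
10:00:05 10.1.4.22 TXT a4b5c6d7e8f90a1b2c3d.c2-placeholder.example
10:00:06 10.1.4.22 TXT 5e6f708192a3b4c5d6e7.c2-placeholder.example
10:00:07 10.1.4.23 A mail.example.com
"""
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def shannon_entropy(s):
    # Bits per character; encoded or random labels score near log2(alphabet size).
    if not s:
        return 0.0
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())

def split_name(qname):
    # Naive (subdomain, registered domain) split on the last two labels (assumption;
    # a real deployment would use a public-suffix list).
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def score_dns_log(text, min_queries=5, min_entropy=3.0, min_txt_ratio=0.5):
    # Flag (client, domain) pairs whose lookups look like tunnelled C2: many never-
    # repeated, high-entropy subdomains, mostly TXT records. Thresholds are assumptions.
    stats = defaultdict(lambda: {"n": 0, "txt": 0, "ent": 0.0, "subs": set()})
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # tolerate malformed lines instead of crashing the detector
        _, client, qtype, qname = m.groups()
        sub, dom = split_name(qname)
        st = stats[(client, dom)]
        st["n"] += 1
        st["txt"] += qtype.upper() == "TXT"
        st["ent"] += shannon_entropy(sub)
        st["subs"].add(sub)
    alerts = []
    for (client, dom), st in stats.items():
        avg_ent = st["ent"] / st["n"]
        if (st["n"] >= min_queries and len(st["subs"]) == st["n"]
                and avg_ent >= min_entropy and st["txt"] / st["n"] >= min_txt_ratio):
            alerts.append({"client": client, "domain": dom, "queries": st["n"], "avg_entropy": round(avg_ent, 2)})
    return alerts
```

Because the traffic never touches the web proxy, this kind of per-domain aggregation over resolver logs is where the signal lives; tune the thresholds against a baseline of your own environment's legitimate TXT-heavy domains before alerting on it.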
Ransomware and Extortion
Perhaps the greatest cyberthreats facing banks and financial institutions are ransomware attacks that lock files, and the use of extortion threatening to release data if the victim does not pay. Over the past several months, these cybercriminal gangs have become even more brazen with their tactics (see: Ransomware Gang Devises Innovative Extortion Tactic).
“Banks in Chile and Seychelles, as well as financial technology companies like Silverlake Axis, a supplier of core banking systems throughout the Asia-Pacific, are all reportedly victims of separate ransom and extortion attempts,” the report notes.
The report notes that the New Year’s Eve attack against Travelex, a London-based foreign currency exchange, is a prime example of how these tactics can produce a significant payday for gangs (see: Travelex Paid $2.3 Million to Ransomware Gang: Report).
Source: Carnegie Endowment for International Peace
Other criminal gangs have put a fresh twist on older tactics, such as distributed denial-of-service attacks, often demanding payments to stop an attack. DDoS has also been on the rise over the past few months, with criminal groups targeting the New Zealand Stock Exchange over several days, which included knocking its website offline and stopping trading (see: New Zealand Stock Exchange Trades Again After DDoS).
The researchers also note that threat actors and criminal gangs have created an active underground ecosystem that is strengthened by collaboration and transactions to buy or sell their products and services.
In 2018, for example, several attacks linked to North Korea-based Lazarus Group happened on networks within the same timeframe as a Russian-speaking criminal group known as TA505, which was also probing these networks. Forensic evidence from the incident response confirmed that the Russian criminal actors effectively handed over access to Lazarus, according to the report.
TA505, which is also referred to as Hive0065 by IBM X-Force, is a financially motivated cybercrime group that has been active since at least 2014 (see: TA505 Group Targeted Corporate Networks With RAT: Report).
“TA505 has been busy providing access to other groups. For example, Silence, a Russian-speaking criminal group, also appears to have a relationship with TA505,” the report notes. “During a 2019 BAE Systems investigation of a Silence intrusion against a European bank, Silence malware was deployed off the back of an initial TA505 intrusion. This suggests the group also has links to other parties within the criminal underground.”
Tom Kellermann, head of cybersecurity strategy at VMware Carbon Black, who also sits on the Cyber Investigations Advisory Board for the U.S. Secret Service, tells Information Security Media Group that his own team’s researchers have shown this level of criminal overlap continuing to grow (see: Modern Bank Heists 3.0: ‘A Hostage Situation’).
“Cybercriminals have formed cybercrime cartels, and they maintain their untouchable status from law enforcement because they are seen as national assets by rogue regimes as ways to offset economic sanctions,” Kellermann says. “They have capitalized on the intersection of cybercrime and fraud in their operation of modern criminal enterprises.”