From Heist to Hijack: How the security game is changing within financial institutions

Cyber cartels are escalating to more targeted and destructive attacks on financial institutions. Due to the impact of major cyber events in recent years, such as SolarWinds and Log4j, cybersecurity has become top of mind for business leaders with nation-state threats and Zero Day exploits only elevating the risk.

 Adversaries are moving laterally within financial organizations' networks, manipulating data, confiscating intellectual property and wreaking havoc. New defense mechanisms must be put in place to fight back against cyber cartels who are moving from heist to hijack, and from dwell to destruction.

Recently, we published the fifth edition of our Modern Bank Heists report, which annually takes the pulse of the financial industry’s top CISOs and security leaders to shed light on the changing actions of cybercriminal cartels and the defensive shift of the financial sector. This year, 130 security leaders from financial institutions shared how cybercrime cartels have evolved beyond wire transfer fraud to more destructive attacks. Attackers are targeting market strategies, brokerage accounts and island hopping into banks.

Market Strategy Manipulation

Accessing non-public market information has become a cybercrime cartel's new objective. In fact, two out of 3 (66%) financial institutions experienced attacks that targeted market strategies. It is no longer just about wire transfer fraud–cybercriminals are now trying to gain access to non-public market information with the goal of digitizing insider trading.

Additionally, cybercriminals are exploiting the fact that the financial sector is completely dependent on time. The report found that 67% of financial institutions observed the manipulation of timestamps, known as a “Chronos” attack. We’re witnessing a shift from bank heists to economic espionage and defending the accuracy of time is crucial to protect the financial sector.

Never Trust a RAT

Ransomware attacks have become a popular tactic for cybercriminals. So much so that 74% of financial sector security leaders experienced one or more ransomware attacks in the past year, and 63% of those victims paid the ransom. By leveraging ransomware kits created by threat groups like Conti, cybercrime cartels can now compromise a network, encrypt sensitive data within the network, and demand ransom easier than ever before. However, as of May 1, U.S. banks are now required to inform the government of a "computer-security incident” within 36 hours of the attack. This includes any form of cyberattack, ransomware or computer failure. The hope is that with this new legislation, financial institutions will have clear guidance on how to respond appropriately to an attack, ensuring continued trust in the financial sector.

In a recent report by VMware’s Threat Analysis Unit, a technical analysis showed how Remote Access Tools (RATs) aid cybercrime cartels in gaining control of systems, specifically in Linux-based environments, to launch ransomware attacks. Remote access allows bad actors to persist within the environment, creating a staging server that is used to attack new platforms and systems. Once an attacker has entered the network, they may use ransomware to monetize for extortion, including double and triple extortion, or by taking assets from cloud services using cryptojacking attacks.

Improving the Security of Crypto Exchanges

The recent Axie Infinity security breach and the Bitfinex hack are just a few examples of large crypto attacks pulled off by cybercriminals seeking instant cyber cash. Convenience and immediate satisfaction play a significant role in the motivation of these hacks. Crypto exchanges have become the digitized version of a bank robbery, with 83% of respondents concerned with the security of cryptocurrency exchanges. Additionally, cybercriminals have been making money with nefarious exchanges and digital currency easier and faster due to a lack of proper regulations in place. These criminals are also leveraging cybercrime to fight off economic sanctions set by Western governments. The end goal should be for any illegal funds seized under government action to be disbursed to help finance the protection of critical infrastructure from cyber criminals.

Looking Ahead

According to our report, the majority of financial institutions plan to increase their budget by 20-30% this year, with extended detection and response (XDR) being their top priority when it comes to security investment. However, more must be done. We need financial security leaders to continue proactive threat hunting and adopt this practice on a weekly basis.

Additionally, cybersecurity teams and C-level executives need to be communicating on a daily basis. Financial institutions must adopt a defensive and resilient mindset and integrate their network capabilities with their network response controls to further mitigate risks. The game has changed for cybercriminals, and so the defensive posture of financial institutions must change as well.

About the author: Tom Kellermann is the Head Of Cybersecurity Strategy for VMware. Prior to this role,  Tom was the Chief Cybersecurity Officer for Carbon Black. Tom serves as the Wilson Center’s Global Fellow for Cybersecurity Policy. In 2020 Tom was appointed to the Secret Service Cybercrime Investigations Advisory Board. Tom previously held the positions CEO and founder of Strategic Cyber Ventures; Chief Cybersecurity Officer for Trend Micro; Vice President of Security for Core Security and Deputy CISO for the World Bank Treasury. In 2008 Tom was appointed a commissioner on the Commission on Cyber Security for the 44th President of the United States. In 2003 he co-authored the Book “Electronic Safety and Soundness: Securing Finance in a New Age.”

Comments are closed.