Whatever happened to stealth?
Nowadays, cyberattackers aren’t just noisy — they’re downright nasty.
Adversaries are fighting back against financial institutions’ (FIs’) attempts to scrape them off, struggling to maintain persistence on systems and networks, while also ratcheting up their victims’ pain by demolishing all the data they can reach.
Contrast’s 2023 Cyber Bank Heists report has tracked upward trends in destructive attacks and in cyberattacks targeting FIs’ integrity, epitomized by the use of wiper malware such as that seen in the NotPetya attacks of 2017 or, more recently, the CryWiper malware used to target Russian organizations in the fall of 2022.
The rise in destructive attacks is just one insight contained in the report, which analyzes a year of cybersecurity threats faced by the financial sector. The report portrays the current threat landscape, as depicted by FI CISOs, SVPs of Cybersecurity, and Managing Directors of Information Security from the global Tier 1 (those FIs with a minimum of $200 billion in assets) and Tier 2 (those with between $5 billion and over $10 billion in assets).
The report delves into three areas:
- Cyberattack trends,
- eFraud and
- Trends in cyber defense.
This post takes a look at some of the cyberattack trends uncovered by the Cyber Bank Heists research. As well, check out an overview of the report’s findings on eFraud in the financial sector. To check out how FIs are — or should be — fending off these threats, here’s a look at trends in cyber defense.
App attacks skyrocket
With regard to cyberattacks, 64% of FIs saw an increase in application attacks, including Class Loader manipulation: the kind of attack against application class loaders that we saw in the Spring4Shell vulnerability, a remote code execution (RCE) flaw in the Spring Framework. The report also notes an increase in Expression Language Injection — an attack that enabled a security researcher in December 2022 to bypass Akamai web application firewalls (WAFs) running Spring Boot, potentially leading to RCE.
As well, the report found that untrusted deserialization attacks are becoming more common. In fact, analysts recently used untrusted deserialization in the so-called Trojan Puzzle attack, which they used to train AI assistants to suggest malicious code.
The Cyber Bank Heists report notes that these new supply-chain threats are targeting software development, integration and delivery infrastructure.
60% of FIs victimized by integrity/destructive attacks
One of the most significant cyberattack trends was that 60% of FIs have been victimized by integrity/destructive attacks: i.e., those launched punitively to destroy data.
Mind you, sometimes ransomware accidentally gets turned into data wiper malware, with Cryptonite being one recent example of a cryptographic blunder. But as Kaspersky researchers reported last month — December 2022 — CryWiper, for one, was no mistake. It wasn’t that the malware developers bungled encryption algorithms. Indeed, the authors of CryWiper didn’t use encryption at all, choosing instead to overwrite files with what Kaspersky described as “pseudo-randomly generated data.”
In many of these cases, the financial sector is being targeted as an act of cyber war. Such attacks continue even now, a year after the Russian invasion commenced: In early January 2023, for example, some of the largest Danish banks were DDoSed by a pro-Russia hacking cabal.
60% of FIs suffered watering-hole attacks
Sixty percent of FIs also reported being targeted by watering-hole attacks, where cyberattackers hijack and poison a website or mobile app used by e-finance customers. One recent example of a watering-hole attack was spotted in early January 2023, when a website impersonating a video chat service was used by an advanced persistent threat (APT) group to target Android users with a trojanized version of the Telegram app.
Attackers also glom onto the mobile applications that FIs develop to conveniently provide financial services to their customers. In short, the attackers are trying to hijack businesses’ digital transformation and use it to attack their constituencies.
Attackers zeroing in on APIs
What is digital transformation, and why does it make for a great attack surface? One example is the shift to new development approaches to microservices architecture, which has led to an explosion in application programming interfaces (APIs).
API sprawl has expanded application attack surfaces. Unsurprisingly, that’s led to API attacks. In fact, 50% of Cyber Bank Heists respondents reported having experienced attacks against their APIs.
Island hopping
The report also called out island hopping as a serious, growing threat. These attacks aren’t new, but they remain a huge problem, as cybercrime cartels have made it their business to bone up on the interdependencies of FIs’ supply chains.
In island-hopping attacks, assailants infiltrate the corporate environment via application attacks or API attacks and then use access to the environment to launch attacks against the customer base. That’s why cyberattackers make it their business to learn, for example, which managed service provider (MSP) a given FI uses, or which outside firm serves as general counsel. If they can compromise a system of one such trusted supplier, they can use that access to “hop” into the systems of their primary target: namely, an FI or other business.
There’s been a dramatic increase in island hopping, with 58% of FIs reporting that they’ve been victimized. The attacks represent a tremendous operational and reputational risk to victim organizations.
Yet more bank robberies
These are just a handful of the threats confronting FIs as detailed in the Cyber Bank Heists report. For more, download the full report here.