The evolution of island hopping

Cyber Bank Heists report sheds light on the evolution of island-hopping cyber threats

This year’s Cyber Bank Heists report by Contrast Security was eye-opening. The annual report sheds light on the cybersecurity threats facing the financial sector, and the findings reflect the impact that the cybercrime events of the past year have had — and continue to have — on financial institutions (FIs) around the world.

The report authors interviewed financial sector security leaders about the type of attacks they’re seeing, what threats they’re most concerned about and how they’re adjusting their security strategy.

Given that 60% of FIs were victims of destructive attacks in 2022, it’s critical that the financial sector understands that cybercrime cartels and nation states are evolving in both attack sophistication and organization. These are not the bank heists of the past, as mere wire transfer fraud is no longer the ultimate goal — to hijack the digital transformation of an FI is. 

What is island hopping?

One of the most notable findings from the report is the evolution of island hopping. Island hopping occurs when an adversary hijacks a bank’s digital transformation and uses it to launch attacks against their customers and partners. 

The modus operandi is simple: Infiltrate the corporate environment via application attacks and then use access to the environment to launch attacks against the customer base. Just look at Kaseya or SolarWinds. Both were victims of historic supply-chain attacks that spread to the two companies’ clients. With SolarWinds, cybercriminals broke into the company’s systems and poisoned its Orion IT resource management software system, triggering an incident that affected thousands of organizations. Kaseya was hit by a supply-chain attack where hundreds of organizations around the world saw their systems flooded with ransomware and their data encrypted.

In 2022, there was a dramatic increase in island hopping, with 58% of respondents saying they’d been victimized by this type of attack: an increase that represents a tremendous operational and reputational risk to victim organizations. PricewaterhouseCoopers (PwC) has reported that 87% of consumers are willing to take their money and their business and walk away if, or when, a data breach occurs. Companies run the risk of losing not just customers, but also their best talent, suppliers and investors, as the first two look for companies they can trust, while financial analysts include reputation metrics as part of investment criteria.

Fifty-four percent of FIs are most concerned with the cyber threat posed by Russia, followed closely by North Korea and China, as those cybercrime cartels have studied the interdependencies of FIs, understand which managed service providers are being used and are targeting their application programming interfaces (APIs). According to the report’s findings, 50% of FIs have experienced attacks against their APIs.

Why this is happening: APIs enable essential communications between applications in finance. They connect the intricate moving parts of sophisticated cloud-native applications that run the bank. Modern Web apps are clusters of interconnected APIs, microservices, frameworks, libraries and serverless functions crossing multiple cloud and on-premises environments.

APIs’ growing ubiquity, and the physical spread of distributed infrastructure where they’re deployed, present an ever-expanding attack surface for cybercriminals. Even more concerning is the reality that APIs can be used to island hop, as in, hijacking the API to launch attacks against customers. 

Future attacks on APIs

We should expect to see APIs increase as an attack vector for several reasons. The total number of public and private APIs in use is approaching 200 million. There is a shift in new development approaches to microservices architecture. Third-party APIs that have not been managed or secured by the organization using them, also known as Shadow APIs, abound. Continuous development leads to sprawl and versioning issues. Hybrid apps spanning on-premises, cloud and serverless environments increase the attack surface.

When a client application calls an API to retrieve the requested data from an external server or program and deliver it back to the client, the results are presumed to be trusted. Zero Trust must be applied. APIs are dangerous and open banks up to hostage situations where the API is poisoned and used to attack bank customers and employees.

Given this reality, we must allow this offensive tactic to inform our defense. Cyber vigilance must extend to APIs.

To mitigate this burgeoning threat, FIs must follow these best practices: 

  1. Maintain a complete inventory of APIs in development and exposed in production.
  2. Perform full security testing against running APIs during development to identify and remediate unknown vulnerabilities.
  3. Establish strong authentication and access control.
  4. Identify security gaps in the software supply chain by finding vulnerabilities in active third-party libraries, frameworks, and services.
  5. Finally, protect against zero-day attacks by ensuring all APIs are deployed with Runtime security.
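As an added example in the spirit of the first best practice (not code from the report or from Contrast Security): a small script that compares a declared route inventory against API gateway access logs to surface Shadow APIs, i.e. routes receiving traffic that nobody has inventoried. The inventory, the log lines and the log format are all constructed for the example.

```python
import re
from collections import Counter

# Constructed inventory of declared API routes, written as OpenAPI-style
# path templates (assumed format; not a real bank's inventory).
DECLARED_ROUTES = {
    ("GET", "/api/v2/accounts/{id}"),
    ("POST", "/api/v2/transfers"),
    ("GET", "/api/v2/health"),
}

# Constructed sample of gateway access log lines (not real traffic).
ACCESS_LOG = """\
10.0.0.5 - - [01/Mar/2023:10:00:01 +0000] "GET /api/v2/accounts/8841 HTTP/1.1" 200 512
10.0.0.6 - - [01/Mar/2023:10:00:02 +0000] "POST /api/v2/transfers HTTP/1.1" 201 128
10.0.0.7 - - [01/Mar/2023:10:00:03 +0000] "GET /api/v1/accounts/8841/export HTTP/1.1" 200 9931
10.0.0.7 - - [01/Mar/2023:10:00:04 +0000] "GET /api/v1/accounts/1200/export HTTP/1.1" 200 8870
10.0.0.9 - - [01/Mar/2023:10:00:05 +0000] "GET /internal/debug/config HTTP/1.1" 200 2048
10.0.0.5 - - [01/Mar/2023:10:00:06 +0000] "GET /api/v2/health HTTP/1.1" 200 16
"""

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/')
# Purely numeric path segments are collapsed to {id} so that observed paths
# can be matched against the route templates in the inventory.
NUMERIC_SEGMENT = re.compile(r"/\d+(?=/|$)")


def normalize(path: str) -> str:
    path = path.split("?", 1)[0]  # drop the query string
    return NUMERIC_SEGMENT.sub("/{id}", path)


def observed_routes(log_text: str) -> Counter:
    """Count (method, normalized route) pairs seen in the access log."""
    routes = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            routes[(m["method"], normalize(m["path"]))] += 1
    return routes


def shadow_apis(log_text: str, declared=DECLARED_ROUTES) -> dict:
    """Return observed routes absent from the declared inventory, with hit counts."""
    return {r: n for r, n in observed_routes(log_text).items() if r not in declared}


if __name__ == "__main__":
    for (method, route), hits in sorted(shadow_apis(ACCESS_LOG).items()):
        print(f"SHADOW API: {method} {route} ({hits} requests)")
```

Every route the script flags is either undocumented production surface to be inventoried and tested, or traffic to a retired version that should have been decommissioned.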

Mitigating island hopping via API attacks is central to sustainable digital transformation. In 2023, we must assess what is below the waterline in our digital environments. Trust and confidence in your brand are underpinned by cyber vigilance.


Tom Kellermann, SVP Cyber Strategy, Contrast Security