Bank Vault or Screen Door? How Attackers View Financial Services
The Financial Services industry has always been a vanguard in addressing security, but in today’s environment, no industry can keep pace with the relentless and aggressive nature of attacks. In 2021, the Financial Services Information Sharing and Analysis Center (FS-ISAC) reported that its Regional Cyber Threat Level (CTL) was raised from guarded to elevated three times in one year due to cyberattacks and critical zero-day vulnerabilities. This was a historic event because CTL escalation typically occurs once per year, and as a result of a major world event like the COVID-19 pandemic or geopolitical tensions – not cyberattacks.
While digital transformation has vastly increased opportunity and access, those gains have come with an exponential expansion of the potential attack surface – from the cloud to the supply chain, to the mobile apps on millions of unpredictable and uncontrollable consumer devices. Adding yet another attack surface management (ASM) complexity to a highly interconnected global financial system, a recent International Monetary Fund (IMF) survey of 51 countries with emerging markets and developing economies found that most financial supervisors haven’t introduced cybersecurity regulations or built the resources to enforce them.
Financial services have an extraordinarily complex attack surface weaving a web of systemic technologies across regions, third party providers, and regulatory bodies. But how do financial organizations ensure that they can harvest the benefits of innovation, without falling victim to a crop of devastating attacks?
In this blog, let’s take an attacker’s perspective to look at popular attack methods, as well as the types of attack surfaces that are most prevalent for financial organizations.
Popular Attack Methods
Despite the financial sector’s high level of regulation, combined with steep penalties for data loss and non-compliance, a recent report noted that 55% of financial services organizations were hit by ransomware in 2021, marking a 62% increase from the previous year. In another whopping increase during the same year, the share of financial organizations that paid a ransom more than doubled, up from 25% to 52%.
The ransom payments are only one chapter in the ransomware story. Ransomware attacks significantly impaired the ability to operate and provide services to clients (91% of respondents), while 85% of respondents lost business or revenue. We expect ransomware attacks to worsen with the increased adoption of ransomware-as-a-service (RaaS), which lowers the barrier to entry for this attack vector.
The nature of ransomware attacks has also grown immensely more intricate. Several major ransomware events have been launched with a combination of tactics that culminate in exploiting a zero-day vulnerability in a third-party provider, with that access then used to deploy ransomware. Ransomware continues to be a lucrative and accessible vector for attackers wanting to reap the benefits of financial targets.
Zero-Day Exploits Are Increasing
FS-ISAC reports that the financial sector is experiencing an increase in zero-day vulnerability exploits due to attack surface expansion. Along with this, the kill chain has diversified, and cybercriminals specialize in providing access to different parts of attack vectors. Malware, access, code, and tech support are all for sale to those who can afford them. With the dramatic growth of cybersecurity-as-a-service offerings, it is easy for attackers to buy or sell vulnerabilities without having the knowledge to discover them. Therefore, attackers have more access than ever to this type of threat.
Zero-day attacks don’t have to be aimed directly at financial organizations for those organizations to be caught in the crossfire. Take the Log4j (CVE-2021-44228) zero-day event for example. This incident involved widespread exploitation of a critical remote code execution (RCE) vulnerability in Apache’s Log4j software library. Log4j is broadly used in consumer and enterprise services, websites, applications, and operational technology products. Successful exploitation of this vulnerability potentially enabled an unauthenticated remote actor to take control of an affected system. Attackers were not intentionally targeting the financial sector, but this zero-day vulnerability affected multiple major software providers used by hundreds of financial organizations, including the biggest banks in the world. Impacted vendors (who subsequently investigated and released statements) included Adobe, Amazon, Cisco, Docker, IBM, Oracle, Trend Micro, and VMware, just to name a few.
No industry is safe from email phishing anymore, but according to the Anti-Phishing Working Group’s Q3 2022 quarterly report, financial services was the most frequently targeted industry, representing 23.3% of all phishing attacks. Business Email Compromise (BEC) attacks rose by 59%. While the topic of phishing might seem like a broken record, attackers will most certainly continue trying to capitalize on this easily accessible and low-lift attack vector.
A DDoS attack aimed at an ordinary website may be nothing more than a nuisance. However, when directed at high-volume online banking services or payment systems, the ensuing downtime can lead to lost revenue and reduced services for customers. Financial services are a popular DDoS target, with an attack rate up 22% year-over-year. Extortion and politically motivated hacktivists are common catalysts for DDoS against financial organizations. DDoS-for-hire services are available to purchase on the Dark Web, so it is a tactic that financial services can expect to keep growing as an attack vector.
New Account Fraud
New account fraud is a type of compromise that attackers use to conduct a specific kind of identity theft. In 2021, new account fraud increased by an astounding 109%. Attackers exploit Know Your Customer (KYC) processes to open a new account using stolen or completely fabricated details.
The first step in successfully executing new account fraud is to obtain personal information about the intended victim. Attackers often use phishing or social engineering to steal personal data like names, SSNs, addresses, and phone numbers. Or if they know where to shop on the dark web, PII can be purchased for as little as $15 for a hacked credit card with CVV information. For a bit more money ($100 to $150), you can purchase databases of stolen email addresses and compromised online banking logins.
The attacker can then build a false identity around these details by creating new email addresses and phone numbers to pair with the stolen data, and use them to set up a new account with the targeted financial services company.
Should that account be approved and created by the targeted organization, the attacker will then activate that account and engage in fraudulent activity with it – whether that involves applying for credit, stealing money, using the account for money laundering purposes, or other more esoteric purposes. New account fraud can be exceedingly difficult to detect, as neither your organization nor the victim of the identity theft may become aware of fraudulent activity until it has already happened.
Financial Services Attack Surfaces
What does the financial sector attack surface look like from an attacker’s perspective? Ripe with opportunity. It is diverse and ever-expanding, which means attackers have many types of attack surfaces to target in pursuit of money, stolen personally identifiable information (PII), geopolitical influence, and insider information.
Mobile & Online Banking
Digital banking has become a truly ubiquitous global resource. In 2022, an estimated 203 million people used digital banking, and this number is expected to approach 216.8 million by 2025, creating a sprawling attack surface for financial institutions. Mobile and online banking applications are particularly lucrative from an attacker’s perspective and bring heightened danger to financial institutions’ attack surfaces.
- Recent studies have shown that less than 50% of finance applications were found to have the correct security controls.
- According to OWASP, the top three attack risks impacting web applications in this sector by volume are data leakage, RCE/Remote File Inclusion (RFI), and cross-site scripting (XSS).
- In 2022, cybercriminals deployed 200,000 new mobile banking trojans, marking a 100% increase from the previous year and the biggest acceleration in six years.
To fully understand the level of risk and vulnerabilities that exist, financial services organizations should vigorously test their application(s) throughout all stages of the software development lifecycle (SDLC). This includes offensive security initiatives like threat modeling, source-code review, application penetration testing, and tailored mobile application assessments.
Third Party Vendors
The financial services sector is one of the most interconnected of any industry, relying heavily on third-party vendors. While this supports more impactful solutions and products for financial organizations and their customers, it adds a wide swath of attack surface that is likely vulnerable and most certainly out of the control of financial security teams.
Let’s look at a prominent third-party vendor breach that impacted Morgan Stanley, one of the leading global financial firms, with services spanning 41 countries. Guidehouse, a third-party vendor that provides account maintenance services to Morgan Stanley’s StockPlan Connect business, fell victim to an Accellion FTA vulnerability in January 2021. Guidehouse discovered the breach in March and notified Morgan Stanley in May that its Accellion FTA server had been hacked. Attackers stole encrypted files from the compromised server, but they also found the decryption key and got away with names, addresses, and SSNs of stock plan participants.
Here are a few key takeaways from Joe Sechman, AVP of R&D at Bishop Fox, to evaluate third-party vendors’ security measures:
- Take time to research and review past security disclosures from vendors.
- Enrollment in a bug bounty program is good, but it’s not enough.
- Ask if your vendor maintains a Software Bill of Materials (SBoM).
- Don’t leave the Secure-SDLC in the dust.
- Maintain an acceptable level of risk across the organization.
Cloud Computing
Financial organizations, like countless other sectors, are enjoying the benefits of shifting from on-premises infrastructure to cloud computing to support rapid digitization. Cloud computing has revolutionized the financial services industry, making leaps and bounds in offering cost-effective and efficient IT infrastructure solutions. But with rapid cloud adoption comes risk. The consequences of even basic cloud misconfigurations are dire for data security and could end in the release of customer information, passwords, or other confidential data.
In early 2023 the U.S. Treasury Department released its first ever public report focused on cloud security for financial services. The report states that while cloud computing may help financial institutions become more resilient and secure, there are several red flags that may detract from these benefits:
- Gaps in human capital and tools to securely deploy cloud services.
- Exposure to potential operational incidents, including those originating at a cloud service provider.
- Potential impact of market concentration in cloud service offerings on the financial sector’s resilience.
- International landscape and regulatory fragmentation.
Looking to gain control of your cloud security strategy? Consider cloud penetration testing, so the good guys can find vulnerabilities in your cloud environments before attackers do.
Digital Assets, Blockchain, and Cryptocurrency
It is no secret that the decentralized finance world is clouded with volatility these days. However, this hasn’t deterred the world’s largest banks from adding this attack surface to their portfolios. Morgan Stanley, Goldman Sachs, BNY Mellon Corporation, Commonwealth Bank of Australia, and Citigroup have each invested hundreds of millions of dollars into blockchain-related firms and cryptocurrency. Morgan Stanley alone pumped $1.1 billion into the crypto landscape over two investment rounds from August 2021 to May 2022. However, a recent study of 130 global financial CISOs notes that 83% of respondents are concerned about the security of cryptocurrency exchanges. Successful attacks can be immediately transformed into cyber cash.
In early January 2023, the U.S. Board of Governors of the Federal Reserve, the Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency (OCC) issued a public warning to banking institutions involved with cryptocurrency and related companies. Eight key risks are highlighted including:
- Risk of fraud and scams among crypto-asset sector participants.
- Risk management and governance practices in the crypto-asset sector exhibit a lack of maturity and robustness.
- Vulnerabilities related to cyberattacks, outages, lost or trapped assets and illicit finance.
The statement urges that risks associated with the cryptocurrency industry that can’t be mitigated or controlled must not migrate to the regulated banking system. Experts argue that until the CryptoCurrency Security Standard (CCSS) is improved and enforced to match the protection of the Payment Card Industry Data Security Standard (PCI DSS), involvement with cryptocurrency will remain a source of volatility for financial institutions and potentially their customers.
Think Like a FinServ Attacker
There is no doubt that the global financial sector is one of the most highly sought-after targets for cybercriminals and nation-states alike. Therefore, proactive security measures that defend forward are essential to ensure your organization is thinking just like the attackers trying to take advantage of it.
Check out these resources to kickstart your offensive security journey:
- Put your security teams to the ultimate test with Red Teaming and see how well your security controls kick in when a real-world attack simulation happens.
- Use penetration testing services to find weaknesses in applications, cloud infrastructure, external attack surface, or internal networks.
Better yet, continuously monitor the external attack surface with human validated attack surface management to ensure attackers don’t find vulnerabilities before you.