A new report from Trustwave SpiderLabs provides a rich description of the myriad of threats facing financial services companies. 2023 Financial Services Sector Threat Landscape covers prominent threat actors and tactics, breaks down the financial services attack flow into steps, and covers several common hacker entry points.
Financial services firms are especially vulnerable to leaks from Generative AI and Large Language Models (LLMs) due to the types of data they store. Their many third-party relationships with companies who are increasingly likely to use those tools leave them vulnerable to losing control over their data. With the security of these new technologies still being assessed, fiservs should take a risk/benefit approach and consider their implications before proceeding.
Generative AI and LLMs help criminals create much better phishing emails. Largely gone are the days of grammatically poor messages that are easy to detect. They are replaced by more convincing entries crafted by such LLMs as FraudGPT and Worm GPT.
The threat of third-party risk
AI and LLMs are one of many areas where third-party relationships bring risk. Trustwave’s global chief information security officer Kory Daniels said it is critical for institutions to have clear insight into their third-party vendors’ plans for current and future use of those technologies. Given the heavy regulatory burden placed on financial institutions, they must ensure their third-party partners, who often see less scrutiny, are also compliant.
“A lot of security programs got brought in late to the game,” Daniels said. “Many organizations saw the financial benefit, the business benefit in the speed of scale and elasticity, moving their engineering and pushing faster to market. And they raced to do so, or the pandemic forced them out of necessity. But the question is, did they do it securely?
“We need to measure how digitally connected we are with our partners. We need to understand how they connect to us. Is it our API? Is it their API? How much is open source? How do you prioritize the critical partners versus the less critical partners, and how do you go through that effort?”
For Daniels, the process includes going through relationships step-by-step to identify risks, protection levels, capabilities and controls. Determine how protections are enforced. Where can protections not be enforced, and where do they introduce friction? Should detection and response fail, how do you promote resiliency?
Keep AI in mind when conducting evaluations. Work with partners that have proven capabilities in detecting AI-generated threats. Develop strong internal policies and training to minimize breach risk. Consider creating working groups across relevant teams to address governance and data-sharing concerns.
Ransomware threats
In 2022, a U.S. Commodity Futures Trading Commission survey discovered that three out of every four global financial institutions experienced at least one ransomware attack that year. Ransomware-as-a-service tools lower the criminal barrier to entry and increase the attack scope potential.
Clop, LockBit, and Alphv/BlackCat are among the most infamous ransomware groups. The effects are multiplied as stolen data is published on the Dark Web for others to exploit.
Frequently back up data to increase your company’s recovery ability should an attack occur. Store backups off-site and confirm they can be restored. Secure exposed remote desktop protocols, patch known vulnerabilities and disable them if they are not necessary.
American financial services firms make up 51% of global ransomware victims. No other country reaches double digits.
The 5 steps of an attack
Initial foothold
The report details the five steps of an attack flow: initial foothold, initial payload, expansion/pivoting, malware and exfiltration/post-compromise.
Phishing and business email compromises are the most popular methods by which criminals insert themselves into institutions. Phishers want to steal credentials, insert malware and trigger actions like sending money to a stranded executive. Close to 80% of malicious attachments are HTML. Other common features are executables, PDFs, Excel and Word documents. Messages often include voicemail notifications, payment receipts, purchase orders, remittances, bank deposits, and quotation requests.
The most common companies cited in phishing emails with malicious attachments are American Express, DHL and Microsoft. Together they comprise 60%. Companies most spoofed in pure phishing attacks are Microsoft at a whopping 52%, DocuSign at 10%, and American Express at 8%.
Institutions can protect themselves by conducting frequent mock phishing tests and retraining repeat offenders. They should add anti-spoofing measures, such as technologies on email gateways, deploy layered email scanning with a tool like TrustWave’s Mail Marshal, and adopt methods of detecting domain misspellings to identify phishing and BEC attacks.
Initial payload
Criminals often gain entry into institutions simply by logging in, thanks to successful phishing attempts and poor cybersecurity hygiene. Credential access is used in 20% of attacks.
This is one area where simple diligence can prevent many attacks. Many administrative and high-access accounts have old or shared passwords. Many companies have unsecured files containing passwords and ones that have ‘password’ in their title.
Daniels said remote working has worsened the problem.
“The separation of corporate versus personal is becoming more and more blurred in this digital workforce,” he observed. “Ensuring that we don’t have just good hygiene in the corporate environment, but that users are taking that with them home. We want to educate every user in the business… because they are the first line of defense.”
Safety strategies include regular password changes, multi-factor authentication, and secure, encrypted storage.
Also read:
Expansion pivoting
Attackers often gain entry into financial institutions through software vulnerabilities, which can be addressed through patches. The most common exploits targeting financial services firms are:
- Apache Log4J (CVE-2021-44228)
- Cross-Site Scripting
- SQL Injection
- Directory Traversal
- ZeroLogon (CVE-2020-1472)
- Spring Core RCE (CVE-2022-22965)
- MOVEit RCE (CVE-2023-34362)
- Exchange Server RCE (CVE-2022- 41040, CVE-2022-41082)
- Exchange Server SSRF
- MS Windows RDP RCE (CVE-2019-0708)
- NTPsec ntpd (CVE-2019-6443)
- Cloud Instance Metadata Service (IMDS) Abuse
- Samba ServerPasswordSet Vulnerable API Request
- Other unspecified RCE attempts
The report notes that financial institutions also struggle with some old vulnerabilities.
“…Bigger financial services companies with older, legacy systems are more hesitant to make changes in their infrastructure that could potentially disrupt operations,” it reads. “Another challenge is poor asset inventory, particularly where critical data resides. This makes it more difficult to determine what to prioritize in terms of security vulnerability remediation.
“Additionally, a recent Trustwave SpiderLabs search of Shodan, which scans all public IP addresses on the Internet, turned up more than 110,000 open ports, service banners and/or application fingerprinting in financial services organizations with 30,000 residing in the U.S.”
Malware
Attackers often gain initial access via low-value systems. But once inside, they use more sophisticated tools like PowerShell and LOLBins to expand their reach.
Close to 30% of financial sector incidents involve adversary-controlled code running in local or remote systems. Criminals often use PowerShell because of its presence in Windows environments. They also cajole folks into opening malicious files.
If undetected, attackers move on to higher-value institutional targets such as domain admins and database servers. Remcom, Bloodhound, Lazagne, and Sharphound are commonly used tools. Attackers further implant themselves by creating new accounts, modifying or manipulating existing ones, and prompting operating systems to initiate various actions.
Many criminals deploy a specific type of malware called infostealers, which often target data like contacts, passwords and cryptocurrency information. In-transit infostealers focus on data that is entered into but not stored on a system, such as account information that can be used to siphon money from accounts.
Popular info stealers used to target the financial services industry include FormBook, XLoader, Lokibot and Snake Keylogger. Host-based anti-malware tools, audit controls and active monitoring are among the suggested remedies.
Remote Access Trojans (RATs) help criminals access administrative levels. It allows them to operate webcams, take screenshots and download files. Common RATs used to target the financial services sector are Agent Tesla and Gigabud RAT.
Exfiltration/ Post compromise
The final stage is exfiltration and compromise, which is when attackers execute their final plan. That may mean stealing as much information as they can before moving on, targeting specific sources, or causing havoc. Suggested tactics include Dark Web monitoring, conducting regular penetration and incident response tests, and minimizing the amount of time to address the damage.
Daniels said data brokers are a major industry concern. Their significance will only grow in a data-based economy. The financial services industry must prepare for an increased number of threats due to AI reducing entry barriers.
“We’re going to see more of these things and an added diversity,” Daniels said. “Their reach across organizations is just going to continue to increase.
“As a business leader, how do you help your security team find success? How well do you know the security actors and threat actors? Do you have a shared ability to share that with your partners?”