Financial institutions face increasingly complex threats compared with previous years, with ransomware prominent among them, as cybercriminal cartels change their behavior, according to VMware's latest Modern Bank Heists report.
The cartels have evolved beyond wire transfer fraud to target market strategies, take over brokerage accounts, and island-hop into banks, the report says.
For the report, VMware surveyed 130 financial sector CISOs and security leaders from across different regions including North America, Europe, Asia Pacific, Central and South America, and Africa.
Report findings were consistent with observations by other security experts. “The Secret Service, in its investigative capacity to protect the nation’s financial payment systems and financial infrastructure, has seen an evolution and increase in complex cyber-enabled fraud,” says Jeremy Sheridan, former assistant director at the US Secret Service. “The persistent, inadequate security of systems connected to the internet provides opportunity and methodology.”
Conti ransomware reported as most prevalent
Ransomware continues to plague companies, with 74% of the surveyed security leaders reporting that they experienced one or more attacks in the past year, and 63% saying they ended up paying ransom. Conti ransomware was found to be the most prevalent.
Sixty-three percent of the respondents acknowledged an increase in "destructive attacks", in which cybercriminals destroy data and the evidence of their intrusion, a 17% increase on last year. Such attacks use malware that destroys, disrupts or degrades victim systems, for example by encrypting files, deleting data, wiping hard drives, terminating connections, or executing malicious code.
Although 71% of the survey participants noted increased wire transfer fraud in their organizations, many said that cybercriminals have moved on from wire transfers and access to capital to targeting non-public market information: two out of three (66%) financial institutions experienced attacks on data related to market strategies.
“The market strategies that are most targeted are long-term portfolio positions, confidential merger and acquisition information, and IPO filings,” says Tom Kellermann, head of Cybersecurity Strategy at VMware. “Modern market manipulation aligns with economic espionage and can be used to digitize insider trading.”
Additionally, 63% of the financial institutions polled reported an increase in brokerage account takeover, up from 41% last year. Attackers increasingly use compromised login credentials to move laterally through the network and reach the brokerage accounts.
Survey respondents also reported Chronos attacks, named after the Greek personification of time, which manipulate the time stamps on securities trades. Sixty-seven percent of financial institutions reported Chronos attacks, and 44% of those attacks targeted market positions.
“Although the damage radius of Chronos attacks isn’t large, manipulating time undermines safety, soundness, trust, and confidence in the financial sector,” says Kellermann. “Financial institutions need to keep a close eye on the clock and ensure that security teams are prepared to protect the integrity of time.”
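A minimal version of such a time-integrity check, as an added example that is not from the report or the article: it runs over a constructed trade feed and flags records whose asserted time stamp is future-dated or backdated relative to the collector's own clock, or runs backwards against the venue's sequence numbers. The record format, the field names and the two-second tolerance are assumptions made for the example.

```python
"""Flag trade records whose asserted time stamps disagree with the collector's
clock or with the venue's sequence order. Constructed illustration of a
time-integrity check; the feed format and sample records are invented."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Trade:
    trade_id: str
    seq: int              # sequence number assigned by the venue, assumed monotonic
    trade_ts: datetime    # time stamp carried on the trade record itself
    recv_ts: datetime     # time stamp applied by the surveillance collector on receipt


def parse_trades(lines):
    """Parse 'id,seq,trade_ts,recv_ts' lines (hypothetical feed format) into Trades."""
    trades = []
    for line in lines:
        trade_id, seq, trade_ts, recv_ts = (f.strip() for f in line.split(","))
        trades.append(Trade(trade_id, int(seq),
                            datetime.fromisoformat(trade_ts),
                            datetime.fromisoformat(recv_ts)))
    return trades


def detect_time_anomalies(trades, max_skew=timedelta(seconds=2)):
    """Return [(trade_id, reason)] for records that are future-dated or backdated
    relative to the collector's clock by more than max_skew, or whose trade_ts
    runs backwards relative to records with lower sequence numbers."""
    findings = []
    high_water = None   # latest trade_ts among records that passed the skew check
    for t in sorted(trades, key=lambda t: t.seq):
        skew = t.trade_ts - t.recv_ts
        if skew > max_skew:
            findings.append((t.trade_id, f"future-dated by {skew.total_seconds():.3f}s"))
            continue   # an untrusted stamp must not advance the high-water mark
        if -skew > max_skew:
            findings.append((t.trade_id, f"backdated by {(-skew).total_seconds():.3f}s"))
            continue
        if high_water is not None and t.trade_ts < high_water:
            findings.append((t.trade_id,
                             f"trade_ts {t.trade_ts.time()} precedes earlier-sequenced "
                             f"trade at {high_water.time()}"))
        else:
            high_water = t.trade_ts
    return findings


# Constructed sample feed: id, venue sequence, asserted trade time, collector receipt time.
SAMPLE_FEED = [
    "T1001,1,2024-03-05T14:30:00.100+00:00,2024-03-05T14:30:00.250+00:00",  # normal
    "T1002,2,2024-03-05T14:30:00.400+00:00,2024-03-05T14:30:00.520+00:00",  # normal
    "T1003,3,2024-03-05T14:29:58.900+00:00,2024-03-05T14:30:00.800+00:00",  # within skew, but earlier than seq 2
    "T1004,4,2024-03-05T14:30:04.000+00:00,2024-03-05T14:30:01.100+00:00",  # stamped 2.9s in the future
    "T1005,5,2024-03-05T14:30:01.300+00:00,2024-03-05T14:30:01.450+00:00",  # normal
]


def run_sample():
    """Run the check over the constructed feed."""
    return detect_time_anomalies(parse_trades(SAMPLE_FEED))


if __name__ == "__main__":
    for trade_id, reason in run_sample():
        print(f"{trade_id}: {reason}")
```

The high-water mark is advanced only by records that passed the skew check, so one future-dated record does not cause every legitimate trade that follows it to be flagged as out of order; in practice the collector's receipt clock should itself be disciplined from a trusted time source, otherwise the check has nothing reliable to compare against.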
Island hopping has emerged as one of the most threatening attack trends, affecting 60% of the financial institutions polled, a 58% jump from last year. In island hopping, cybercriminals study the interdependencies of financial institutions, identify which managed service provider (MSP) a target relies on, and compromise that provider in order to hop from it into the bank.
Cryptocurrency exchanges have become a bigger concern over the years, with about 83% of respondents expressing concern over their security.
Top defenses for financial firm CISOs
The report has recommended a few top defenses for CISOs and security leaders to defend against these attacks:
- Integrate NDR with EDR: network detection and response (NDR) needs to integrate with endpoint detection and response (EDR) for real-time, continuous monitoring of systems to detect and investigate potential threats.
- Apply microsegmentation: restricting lateral movement by enforcing trust boundaries also improves detection.
- Deploy decoys: utilize deception technology to divert the intruder.
- Implement DevSecOps and API security: introduce security early in the life cycle of application development.
- Automate vulnerability management: prioritize risk to focus on high-risk vulnerabilities.
“Investments in API security and workload security are necessitated, and increased dialogue between the surveillance department and information security departments must occur to thwart digital front-running,” says Kellermann. “The CISO must also report to the CEO and regularly brief the Board in order to ensure a smooth flow of discussion and transparency.”