Financial institutions a top target for COVID-era cyberattacks

Here are six best practices for strengthening cybersecurity in a work-from-home world.


In July 2020, Kroll observed a 22% increase in attacks targeting the financial services sector based on its incident response case intakes. Business email compromise (BEC), fraud and ransomware were the top three threats impacting the industry, and Kroll has seen the number of incidents steadily rise amidst the COVID-19 crisis.

From a network topology perspective, this year’s shift from predominantly physical to remote access brought unexpected operational challenges. Businesses, including financial institutions, had to quickly educate workers on secure home internet connections and ramp up stable virtual private network (VPN) access and collaboration tools, while IT teams were also tasked with monitoring a multitude of diverse endpoints.

Opportunistic cybercriminals were quick to adjust their own tactics to exploit vulnerabilities of the newly remote workforce.

Known vulnerabilities converge

Even before organizations were pressured to provide VPN access to a majority of their employees, warnings were issued in 2019 about vulnerabilities in popular VPN applications that could allow remote code execution. In several of our fraud and ransomware-related investigations this year, Kroll was able to show that unauthorized actors initially gained access to networks via unpatched VPN appliances.

The large influx of consumer cash via the U.S. stimulus payments also made financial institutions an attractive target for hackers looking to divert these funds to their own accounts. Likewise, threat actors were quick to try to exploit expanded unemployment benefits programs by infiltrating organizations and leveraging access to HRIS data to defraud several state systems.

Meanwhile, the closing of physical bank branches moved consumers to mobile banking applications, prompting the FBI to warn that new mobile banking customers were being targeted by “app-based banking trojans and fake banking apps.”

BEC schemes trip up employees, aid fraudsters

Of Kroll cases impacting the financial services industry, email compromises were the most observed threat. Two representative cases demonstrate the pervasive, persistent and evolving nature of BEC schemes:

Most attacks like these start with a phishing email message. For this reason, Kroll stresses the importance of raising awareness and educating all employees on current phishing email schemes. This includes such practices as email conversation thread hijacking, in which threat actors are able to create authentic-looking messages appearing to respond to established email threads in order to spread malware such as Emotet or QakBot, which in turn are often the precursors to ransomware.

Bad actors actively seek unprotected applications

A significant number of attacks investigated by Kroll started with Remote Desktop Protocol (RDP), Microsoft’s proprietary remote-access protocol, or with an application vulnerability, such as those surrounding Citrix NetScaler devices. Frequently, this unauthorized access led to ransomware attacks. In some ransomware cases, actors were able to encrypt files after entering through an RDP port that had been accidentally left open. In several instances, ransomware actors were able to log onto an RDP instance using compromised domain admin credentials. Once they acquire administrative credentials, malicious actors can move laterally throughout the enterprise, reconnoitering the network for the areas they want to target.

As operators of major ransomware variants, such as Maze, have added data exfiltration and publication to their bag of tricks, a number of compromised financial institutions have found their confidential data posted on actor-controlled websites, also known as ransomware shaming sites. Such sites are web domains managed by the ransomware groups where they post stolen data in an effort to pressure victim companies to pay their ransom demands. Such tactics have turned standard ransomware investigations into data breaches, meaning a financial institution now has to meet regulators’ standards on incident response and breach notification.

Six cybersecurity best practices

As attacks grow in number and complexity, organizations should prioritize security measures for a workforce likely to continue operating from home for the foreseeable future.

Here are six best practices that can help your organization strengthen data security from attacks favored by cybercriminals in today’s work-from-home (WFH) world:

  1. Implement filters at the email gateway to filter out emails with known malspam indicators and block suspicious IP addresses at the firewall.
  2. Use antivirus programs with automatic updates of signatures and software, both on clients and servers.
  3. Adhere to the principle of least privilege, ensuring that users have the minimum level of access required to accomplish their duties. Limit administrative credentials to designated administrators.
  4. Mark external emails with a banner denoting that the message comes from an external source. This will assist users in detecting spoofed emails and foster a “trust but verify” mindset.
  5. Apply relevant patches and updates immediately (after appropriate testing).
  6. Conduct regular training and testing of employees.
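Best practice 4 in code, as an added example that is not from the article or from Kroll: a gateway-side transform built on Python’s standard email library that tags mail from outside the organisation with a subject prefix and a body banner, and separately flags the display-name spoof (an internal-looking name on an external address) that the banner is meant to expose. The domain, banner wording and sample messages are constructed assumptions.

```python
from email import message_from_string, policy
from email.utils import parseaddr

# Assumptions (not from the article): the institution's own mail domain(s)
# and the banner wording; short lines keep the body 7-bit clean.
INTERNAL_DOMAINS = {"example-bank.test"}
TAG = "[EXTERNAL] "
BANNER = ("CAUTION: this message came from outside the organisation.\n"
          "Verify payment or credential requests by phone before acting.\n")

def parse(raw):
    return message_from_string(raw, policy=policy.default)

def sender_domain(msg):
    """Lower-cased domain of the From: address ('' when absent)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()

def is_external(msg):
    return sender_domain(msg) not in INTERNAL_DOMAINS

def spoofed_display_name(msg):
    """External sender whose display name poses as an internal mailbox,
    e.g. From: "cfo@example-bank.test" <cfo.payments@mail.test>."""
    name, _ = parseaddr(msg.get("From", ""))
    claimed = name.lower().rpartition("@")[2]
    return is_external(msg) and claimed in INTERNAL_DOMAINS

def tag_external(raw):
    """Return the message with subject tag and body banner applied when
    the sender is external; internal mail is returned unchanged."""
    msg = parse(raw)
    if not is_external(msg):
        return raw
    subject = msg.get("Subject", "")
    if not subject.startswith(TAG):
        del msg["Subject"]
        msg["Subject"] = TAG + subject
    if msg.get_content_type() == "text/plain":  # multipart: subject tag only
        body = msg.get_content()
        if not body.startswith(BANNER):          # idempotent on re-scan
            msg.set_content(BANNER + "\n" + body)
    return msg.as_string()

# Constructed sample messages, not real traffic.
EXTERNAL_MSG = """From: "cfo@example-bank.test" <cfo.payments@mail.test>
Subject: Urgent wire request

Please process the attached wire before noon.
"""
INTERNAL_MSG = "From: Alice <alice@example-bank.test>\nSubject: Lunch\n\nNoon?\n"
```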

Work from home challenges can lead to fatigue and complacency around data security measures, both for employees adhering to security policies as well as for IT teams tasked with implementing and enforcing them.

For their part, cybercriminals are always on the lookout for high-value targets and vulnerabilities to exploit, ready to launch social engineering, ransomware and other attacks. To paraphrase an old saying, time and cybercriminals wait for no one. Now more than ever, organizations must be proactive in strengthening their cybersecurity posture and vigilant in monitoring developments and trends to better protect their employees and customers, operations and bottom line.

This article is published with permission from Laurie Iacono (laurie.iacono@kroll.com), vice president of cyber risk at Kroll, and Keith Wojcieszek (keith.wojcieszek@kroll.com), managing director of cyber risk at Kroll. Kroll is a division of the global business advisory Duff & Phelps. Reproduction of this piece is prohibited without the authors’ consent.
