Finance CISOs report novel attack methods; five main trojans in use in 2019

News by Jay Jay

Cyber-criminals used five different banking trojans so far in 2019 to target financial institutions: Egguard used to set proxies accompanied with false SSL certificates for MITM attacks, Adload creates backdoors...

Banks and financial institutions across the world are grappling with a sustained rise in cyber-attacks targeting their IT systems, supply chain attacks, watering hole attacks, island-hopping attacks, and social engineering scams targeting their customers and conning them out of their savings.

A new survey of CISOs at top banking and financial institutions across the globe has found that cyber attacks targeting such institutions and their millions of customers have not only survived serious fight-backs by nations, law enforcement authorities and banks themselves, but have, in fact, grown in terms of scale and frequency over the past year.

The threat environment in which banks and financial institutions are operating is wide-ranging and extremely complex, so much so that CISOs at 67 percent of financial institutions told Carbon Black that their organisations observed an increase in cyber attacks over the past year, and 26 percent said their organisations were targeted by destructive attacks that sought to wreck their IT systems.

The CISOs also described how cyber-criminals, over the past year, have been targeting their institutions in various ways not only to gain access to customer accounts but also to take control over their applications. While 32 percent of organisations suffered island-hopping attacks that involved hackers using the supply chain to mount attacks, 21 percent of them suffered watering-hole attacks that involved hackers compromising financial institution and bank regulation websites to pollute visitors' browsers.

At the same time, 47 percent of financial institutions observed a rise in wire transfer fraud, 31 percent reported an increase in home equity loan fraud, and 79 percent reported increased use of social engineering attacks by cyber-criminals to target customers. Most of the social engineering attacks were aimed at gaining a foothold in IT systems in order to transfer funds and exfiltrate sensitive data.

Commenting on this phenomenon, Robert Ramsden-Board, VP EMEA at Securonix, told SC Magazine UK that when cyber-attacks target customers directly - the phishing attack being one we are now all too familiar with - the customer or client will often be outside of any official bank IT system when the key data is exfiltrated, thereby making the issue tough for banks to address.

"The issue is the customer will often still expect the bank to remain vigilant when their stolen credentials are used to enact a fraudulent transaction. Banks, therefore, increasingly need to discern which are legitimate and which are potential security breaches within millions of daily transactions. If the transactions are prefaced with legitimate security credentials then the task clearly becomes harder. This is where machine learning and behavioural analytics are key to the future of security.

"The ability to dramatically reduce fraudulent transactions is a goal which not only saves the bank money but also increases consumer confidence and protects the brand. Banks leading the way in understanding which new technologies can assist with reducing fraud based on behaviour and not traditional rules-based technology will gain advantages for their brand beyond just the monies saved and customers protected," he added.

According to Carbon Black's Threat Analysis Unit (TAU), cyber-criminals used five different banking trojans so far in 2019 to target financial institutions, namely the Adload trojan (21.9 percent), ATRAPS trojan (22.9 percent), GenericKD trojan (36.3 percent), Emotet trojan (12.9 percent), and Egguard trojan (6 percent).

While Egguard is being used by hackers to set up proxies accompanied by false SSL certificates to perform man-in-the-middle (MITM) attacks, the Adload trojan creates backdoors in affected systems through which it downloads and installs adware or malware, GenericKD is ransomware that encrypts files and demands payment to decrypt them, and the ATRAPS trojan steals confidential information from targeted systems and sends it to a remote server.

Aside from using such complex malware and trojans to target financial institutions, cyber-criminals are also confident enough to carry out counter-incident response which involves them taking counter-measures to thwart responders and maintain their presence throughout the network. This was observed by CISOs at 32 percent of surveyed financial institutions.

Over 20 percent of such organisations also observed cyber-criminals deploying C2 on a sleep cycle. This capability allowed them to minimise detection by varying their presence, appearing from different locations throughout the network at different times, and disconnecting before their access channels could be fully identified and cut off.

According to Carbon Black, cyber-criminals are also now using steganography in various campaigns to target financial institutions. This technique involves concealing either malware or a command and communication channel in other content types such as images, videos, network traffic, etc.

"Embedding multiple content types within a single file (by utilising unused portions of the file format, appending data to the end of the file etc.) has been a common technique seen in many malware droppers for some time. This technique is used to evade detection on the network wire and on the endpoint, as well as to hide content on disk in familiar file types such as images.

"More sinister and advanced versions of this tactic have been observed, which involve covertly embedding malware code payloads in image files. One example is ZeroT’s use of BMP files, such as pictures of Britney Spears, to download in later payload stages. Steganography is also used in command and control protocols for malware, including reading content from image files available via sharing and social media sites. The network traffic and the associated downloaded images hide in plain sight among the other legitimate common uses of such services," the firm noted.
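As an added example (not from the article, Carbon Black or any of the named malware), here is a small Python check for the simplest of the tricks described above, data appended to the end of an image file: it compares the file length declared in a BMP header, or the position where a PNG's IEND chunk ends, with the actual file length and flags any trailing bytes. The sample files are constructed inline; the PNG is a minimal header-only file, sufficient for the structural check.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def make_bmp(pixel_data: bytes = b"\x00\x00\xff\x00") -> bytes:
    """Constructed sample: a minimal 1x1 24-bit BMP (14-byte file header + 40-byte info header + padded row)."""
    size = 54 + len(pixel_data)
    file_header = b"BM" + struct.pack("<IHHI", size, 0, 0, 54)
    info_header = struct.pack("<IiiHHIIiiII", 40, 1, 1, 1, 24, 0, len(pixel_data), 2835, 2835, 0, 0)
    return file_header + info_header + pixel_data

def png_chunk(ctype: bytes, payload: bytes) -> bytes:
    """Encode one PNG chunk: big-endian length, type, payload, CRC32 over type+payload."""
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", zlib.crc32(ctype + payload))

def make_png() -> bytes:
    """Constructed sample: PNG signature, a 1x1 8-bit RGB IHDR and an IEND chunk (no IDAT, so not renderable)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    return PNG_SIG + png_chunk(b"IHDR", ihdr) + png_chunk(b"IEND", b"")

def bmp_trailing_bytes(data: bytes) -> int:
    """Bytes present after the file size declared at offset 2 of the BMP header; -1 if not a BMP."""
    if len(data) < 14 or data[:2] != b"BM":
        return -1
    declared = struct.unpack_from("<I", data, 2)[0]
    return len(data) - declared  # negative means the file is truncated, not padded

def png_trailing_bytes(data: bytes) -> int:
    """Walk the chunk list; bytes after the IEND chunk's CRC. -1 if not a PNG or IEND never appears."""
    if not data.startswith(PNG_SIG):
        return -1
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack_from(">I4s", data, pos)
        pos += 8 + length + 4  # length field, type, payload, CRC
        if ctype == b"IEND":
            return len(data) - pos
    return -1

def scan_image(data: bytes) -> dict:
    """Identify the container and report appended bytes beyond where the format says the file ends."""
    for kind, fn in (("bmp", bmp_trailing_bytes), ("png", png_trailing_bytes)):
        extra = fn(data)
        if extra >= 0:
            return {"format": kind, "trailing_bytes": extra, "suspicious": extra > 0}
    return {"format": "unknown", "trailing_bytes": 0, "suspicious": False}
```

Trailing bytes are a signal, not a verdict: some legitimate tools also leave padding, so the check belongs beside format-aware scanning of unused header regions and metadata chunks, which this example does not cover.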

Commenting on the use of novel techniques by cyber-criminals, Javvad Malik, security advocate at AT&T Cybersecurity, told SC that the trends show that attackers will continue to use a wide variety of attacks against financial institutions. So, there is no one technology or approach that can address all of them in one sweep but rather, a mixture of technologies and best practices deployed in an orchestrated manner across the endpoint, network, and across cloud apps is needed.

"The other piece to this puzzle is actionable threat intelligence that can power these technologies into making quick and accurate decisions. So when a malicious website or email campaign is detected, the appropriate steps can be taken to block potentially infected users from connecting and making transactions.

"Finally, user awareness isn't just for internal employees, rather the challenge needs to extend to all customers. All corporate comms from the enterprise to the customer should be done in a standard manner, reminding users to never divulge their credentials or to click on links in unsolicited emails," he added.

Felix Rosbach, product manager at comforte AG, said that the problem of classic perimeter or network defence is that it only protects you from known attack methods. Sometimes organisations only discover backdoors and other vulnerabilities long after hackers have already used them and it’s way too late.
