Financial Threat Landscape - August 2019

“Life in the SOC” is a Blog Series that shares experiences of the BlueVoyant SOC defending against the current and prevalent attacks encountered by our clients. The blogs discuss successful detection, response and mitigation actions that can improve your defensive capabilities.

The financial threat landscape is treacherous. Developers of malicious software are hard at work creating new toolsets and techniques to land the next big payday. New malware surfaces daily. Older malware families are updated with new capabilities. And new campaigns change tactics to exploit new vulnerabilities. So far in 2019 we are witnessing more sophisticated threats from targeted ransomware, DNS attacks, cryptominers and more. Attackers are targeting cloud infrastructures, mobile devices, trusted third-parties, and popular email platforms.

State sponsored actors keep malware and vulnerabilities under wraps for years at a time. Tom Burt, Vice President - Customer Security & Trust at Microsoft, recently stated that Microsoft notified nearly ten thousand customers that their organizations have been targeted or compromised by state-sponsored cyber attacks. Approximately 84% targeted enterprise customers, while only 16% targeted personal accounts. According to Mr. Burt, “This data demonstrates the significant extent to which nation-states continue to rely on cyberattacks as a tool to gain intelligence, influence geopolitics or achieve other objectives.” Microsoft’s research revealed that the majority of state-sponsored attacks, involving Microsoft products, originate from Iran, North Korea, and Russia.

Threat actors continuously monitor web usage, follow security reports, and use gathered intelligence to advance their attacks. Cybercriminals monitor geo-political and other major news events to deceive individuals seeking related information. They use these situations to lure victims into clicking on social media links that claim to provide videos or additional information. For example, recent campaigns claim to be associated with the Capital One breach and the Equifax settlement claims.

Check Point researchers discovered a large-scale campaign that has been using Facebook posts to distribute Remote Access Trojans (RATs) for the past 5+ years (Source: Checkpoint Research Labs, Operation Tripoli, July 1, 2019). The campaign used political tension in Libya to convince Facebook page visitors to click on links that downloaded malware. The posts claimed to provide information regarding the latest airstrikes in the country. Facebook took down the page. However, this is one of potentially thousands of like-intentioned pages on Facebook and other social media platforms.

Multi-stage malware attacks have become more commonplace. These sophisticated attacks deliver multiple malware families that serve diverse criminal purposes such as credential scraping, network reconnaissance, and lateral movement. Commoditized attack kits and associated malware are available via open source code communities or malware-as-a-service sites.

Recent examples of commodity multi-stage malware include Trickbot and Emotet. Trickbot accounted for a large percent of malware attacks in the financial sector in the first half of 2019. Trickbot is a banking Trojan that targets financial information and can act as a dropper for other malware. An attacker can leverage TrickBot modules to steal banking information such as passwords and credit card numbers, conduct system and network reconnaissance, and propagate additional malware across the network.

Emotet also target the financial sector in the first half of 2019. Emotet is another banking Trojan. It is often used in untargeted "watering hole" attacks, where anyone who goes to the well gets infected. After systems are compromised, threat actors survey the infected system and network to determine the target’s value. The malicious program can then be used to inject code into the networking stack of an infected Microsoft Windows computer. This allows sensitive data to be monitored and corrupted by ransomware. Data access is often sold to third parties, depending on the motivations of the attacker and the value of the compromised asset.

Other prominent malware in the financial sector in the first half of 2019 includes:

• Ramnit, a banking trojan that steals banking credentials, FTP passwords, session cookies, and personal data.

• Ursnif, a banking trojan that targets the Windows platform. It has the capability to steal information related to Verifone Point-of-Sale (POS) payment software. Ursnif is usually spread through exploit kits such as Angler and Rig. It contacts a remote C2 server to upload collected information and receive instructions, and then downloads and executes files on the infected system.

Ransomware has declined over time. But don’t expect the threat to disappear entirely. Trend Micro recently reported their year-over-year ransomware detections which shows the reduction in real numbers:

Year-Over-Year Ransomware Detections from

Year-Over-Year Number of New Ransomware Families

* Source: Trend Micro - Huge Increase in Ransomware Attacks on Businesses, August 12, 2019

However, the first half of 2019 saw some very high-profile attacks resulting in large ransom payments and up to months of recovery time. Threat actors deploying ransomware are switching their focus to more targeted campaigns. They are targeting organizations that offer the path of least resistance and the quickest return on investment.

Ransomware continues to use phishing, malvertising, malicious webpages, exploits and exploit kits to infect an organization. Organizations will continue to see attackers look to social engineering as the most effective option for an initial infection.