October 2020: Financial Industry Cyber Update

October 29, 2020 | 3 min read

BlueVoyant

“Life in the SOC” is a Blog Series that shares experiences of the BlueVoyant SOC defending against the current and prevalent attacks encountered by our clients. The blogs discuss successful detection, response, and mitigation actions that can improve your defensive capabilities.

Attacks on the financial industry continue to be high as cyber criminals resume pre-pandemic-type attacks and methodologies while adapting to the changing threat climate and using some of the methods developed during the heavier stages of COVID-19.

Point-of-sale (PoS) skimming was one of the criminal industries hardest hit by the pandemic with less people active in the public square using PoS systems to pay for goods and services.

However, with many countries, including the U.S., slowly reopening service industries - albeit with restrictions and guidelines - PoS has not only returned but is currently among the most popular vectors for financial criminal activity. The target environment is ripe for this kind of activity as well, with researchers stating that debit transactions utilizing mobile wallets are up by an astounding 76% compared to last year.

Phishing saw its first rise in activity since June, nearly tripling its total from August. Previous dips were attributed to collaboration and a tightening of standards by several big tech companies during the COVID-19 pandemic. This resurgence can be tied to popular banking trojans such as Emotet returning to the fold, along with the hotly contested U.S. presidential race providing a plethora of tasty topics. These topics can easily be used to create phishing lures to play on the partisan feelings of a divided electorate.

Malware in the financial industry was a mixture of new and old. HOPLIGHT claimed the top spot as a result of North-Korean backed actors using subgroups to carry out financially motivated attacks to fund nation-state initiatives. Baka is a new E-skimming tool with some nifty tricks to avoid detection. The increased usage of Baka in September lines up with the assessment that as the economy gets back on track and workers return to work in some fashion, in-person and electronic commerce (e-commerce) should see a rise in activity that provides a valuable target for cybercriminals.

Mobile malware saw Cerberus return as a top threat to Android devices. However, in a strange twist, the malware's development team had a falling out and opted to auction off the source code. Due to an unclear culmination of factors, the author later decided to publish the project source code for premium users on a popular Russian-speaking underground forum. This dismantling of Cerberus paved the way for Alien, a fork of Cerberus malware. Although quite similar to Cerberus (and oftentimes mistaken for Cerberus), Alien is a separate malware run by a separate group and appears to have some updated functionality.

Breaches of interest to the financial sector include a virtual mail service that allowed some private details of 50,000 sensitive letters sent from institutions such as Metro Bank to be indexed by Google after exposure to the internet. Two other breaches involved cryptocurrency exchanges and the theft of currency from "hot wallets." In yet another breach, BancoEstado, one of Chile's three largest banks, was forced to shut down all branches following a ransomware attack.

In the dark web and underground markets, BINs reclaimed its spot as the most talked about topic, followed by its usual competitor PayPal. The next spot belongs to carding topics, possibly in relation to the spike in PoS skimming and E-skimming activity. Also, a new contender entered the dark web marketplace, named VClub Shop. The shop appears to have opened late in 2019 after the threat actor “vclub” announced the shop's launch on various carding-related forums.

Finally, multiple Advanced Persistent Threats (APTs) were active in September, targeting the financial sector. APTs are typically well-funded, sometimes state-sponsored, cyber criminals who launch more advanced and generally destructive attacks. These actors rely on superior hacking skills and often take a low-and-slow approach to their attacks. Sometimes lurking for months or even years in the victim environment to accomplish their goals.

BlueVoyant is an analytics-driven cyber security company whose mission is to protect businesses of all sizes against agile and well-financed cyber attackers by providing unparalleled visibility, insight, and responsiveness. BlueVoyant provides advanced Threat Intelligence capabilities, Managed Security Service, and effective Incident Response.