September 2020: Financial Industry Cyber Update

“Life in the SOC” is a Blog Series that shares experiences of the BlueVoyant SOC defending against the current and prevalent attacks encountered by our clients. The blogs discuss successful detection, response and mitigation actions that can improve your defensive capabilities.

Attacks on the financial industry continue to be high as cybercriminals use the pandemic and other geopolitical issues to craft both general and targeted campaigns. Citizens are using online digital services more than ever and the FBI suggests the onus is on the organization to protect their clients. With much of the workforce continuing their digital commute, threat actors continue to prey on unsuspecting remote workers. Attackers continue relying on fewer security controls and outdated software, typically employed by users outside the protection of organizational infrastructure, and security protocols. In an almost unprecedented decrease, phishing dropped 62% in August to levels more closely rivaling many of the attack vectors it has dominated for the last couple of years. Initially, the downward shift was seen as part of a settling trend since the large spike observed in April. As cybercriminals first saw a world-wide news item in COVID-19, it was ripe for exploitation within their phishing lures. The cause for this is likely two-fold: big tech companies have joined together to keep bad actors from manipulating their platforms for nefarious purposes while users continue to become more educated on the pitfalls of telework and ways to mitigate risk. Meanwhile, DDoS attack statistics ramped up as disruption for extortion attacks took aim at several financial institutions in August. Joining DDoS attacks were two newer members to the top of the list, Point of Sale (PoS) skimmers and cryptomining. The uptick in PoS skimmers make sense as the service industry slowly begins to resume operations during the current coronavirus pandemic. Regarding cryptomining, as cryptocurrencies continue to become more popular, these attacks will become more pervasive due to threat actors believing they are getting more return on their investment. Malware in the financial industry for August included many familiar names. Ryuk/Conti topped the charts and has recently joined the ranks of ransomware gangs operating leak sites. Qakbot, Trickbot, and Emotet have all returned as top challenges for security professionals, while Maze rounds out the group and continues to rule as the champion of "Big Game Hunting" by adding such notable victims as Canon, Xerox, and LG. Mobile malware saw EventBot return as a top threat to Android devices and is purportedly targeting well over 200 financial applications currently available to mobile devices, with infections across the US and Europe. Last month's new addition, BlackRock, continues to frustrate users and is equipped with a wide range of data theft capabilities that allow it to target a whopping 337 Android applications. SpyNote and MoqHao round out the top threats for Android, with MoqHao providing a cross-platform threat to iOS users. Breaches of interest to the financial sector include a number of disruption attacks hoping to extort payouts from money transfer services such as MoneyGram and PayPal, as well as institutions like the New Zealand Stock Exchange. The groups behind these DDoS attacks are said to be the Armada Collective and Fancy Bear; both have been sophisticated enough to change tactics and attack types between engagements to keep targets on their toes. In the dark web and underground markets, Paypal reclaimed its spot as the most talked about topic followed closely by BINs. The next two spots belong to Diebold Nixdorf, the American multinational finance and retail technology company, and ATM skimmers. This is likely not a coincidence since Diebold Nixdorf is considered the largest manufacturer in the global ATM market. Finally, multiple Advanced Persistent Threats (APTs) were active in August targeting the financial sector. APTs are typically well-funded, sometimes state-sponsored, cyber criminals who launch more advanced and generally destructive attacks. These actors rely on superior hacking skills and often take a low-and-slow approach to their attacks. Sometimes lurking for months or even years in the victim environment to accomplish their goals. BlueVoyant is an analytics-driven cyber security company whose mission is to protect businesses of all sizes against agile and well-financed cyber attackers by providing unparalleled visibility, insight, and responsiveness. BlueVoyant provides advanced Threat Intelligence capabilities, Managed Security Service, and effective Incident Response.