The Covid-19 lockdown period has seen a whopping 238 per cent jump in cyberattacks targeting financial services institutions, with a new report revealing a surge in malicious cyber incidents between February and April this year.

According to VMWare’s Modern Bank Heists 3.0 report, which measured responses from 25 security leaders worldwide across the financial services sector, 80 per cent of those surveyed reported an increase in malicious cyber incidents over the past 12 months, representing a 13 per cent jump on 2019 figures.

“This year, while virtually all sectors of the global economy fell victim to cybercrime of one kind or another, no sector was more regularly targeted than the financial sector,” said Jonah Force Hill, senior cyber policy advisor and executive director of the US Secret Service Cyber Investigations Advisory Board (CIAB), who was cited in the report.

Perhaps a hint of the pandemic’s impact on cybercriminals’ evolving M.O., more than a quarter (27 per cent) of all cyberattacks launched so far in 2020 have targeted either the healthcare sector or the financial sector, according to VMware Carbon Black data.

Increasingly, as FSIs invest greater resources in their digital defences, criminals are striking a perceived ‘weak link’ in organisations’ security perimeters – human resources – relying increasingly on advanced social engineering tactics (for example, phishing emails and spoof calls) to trick staff and penetrate networks.

Indeed, 82 per cent of surveyed CISOs and security heads believed cyberattacks had grown in sophistication, utilising “highly targeted social engineering attacks and advanced TTPs (Tactics, Techniques and Procedures) for hiding malicious activity”.

“These criminals exploit weaknesses in people, processes and technology to gain a foothold and persist in the network, enabling the ability to transfer funds and exfiltrate sensitive data,” the report said.

Third-parties also appear to be a soft spot in FSIs’ defensive perimeter, with one in three (33 per cent) security leaders noting instances of ‘island hopping’, where organisations’ “supply chains and partners are commandeered to target the primary financial institution”.

Third-party networks appear the most frequent vector for ‘island-hopping’ attacks, with cybercriminals using partners to “hop on” – or launch attacks against – an affiliate network. Watering-hole attacks, where hackers infect websites or mobile apps that customers or partners are known to visit, were also popular methods of breach, representing one out of every five island-hopping attacks.

Notably, two-thirds of those surveyed reported increased attempts of wire fraud transfer – a considerable 17 per cent jump on 2019 figures.

“Cybercriminals exhibit tremendous situational awareness regarding SWIFT messaging,” the report said. “This is compounded with their newfound understanding of the criticality of portfolio managers’ positions.”

Curiously, one in four surveyed financial institutions said they had been targeted by “destructive attacks” over the past year. Rarely committed for financial gain, destructive attacks are often launched by cybercriminals in an effort to burn evidence of their presence as part of a counter-incident response.

Behavioural change

The Kryptik (used in 40 per cent of attacks) and Emotet (in 24 per cent of attacks) malware families appeared the toolkits of choice for FSI-targeting cybercriminals. Often, these are executed through spoof emails that trick staff into opening malicious, malware-laden executable files. These tools were commonly used in island-hopping attacks as an indirect gateway to FSIs’ networks.

“These malware types are often used in longer, more complex campaigns where the end goal is to leverage native operating system tools to remain invisible or gain a foothold on one system (sometimes a supply-chain partner) to ‘island hop’ to a larger, more lucrative target,” the report said.

VMWare noted an evolution of the traditional macro-based attack used in phishing campaigns, with Microsoft Word docs offering fertile ground for a new generation of malicious scripts.

“Several attacks have been observed as originating from phishing campaigns that are leveraging Microsoft Office Word documents with obfuscated VBScripts using PowerShell and the ConvertTo-SecureString cmdlet, which in the later stages is used to decrypt the C2(s) and associated logic. This represented an evolution of current macro attack techniques, where these types of cmdlets are not typically associated with phishing campaigns.”

Attackers’ behaviours have evolved quickly around advances in FSIs’ cyber defences, with criminal adversaries taking advantage of information gained on backend ICT systems to track common software running within corporate networks.

“Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviours, including whether or not the adversary fully infects the target and/or attempts specific actions.”

The report authors warned that cybercriminals’ are increasingly exploiting the knowledge they have gained in FSIs’ cyber policies and procedures.

“They are keenly aware of the incident response (IR) stratagems being employed by IR teams and the blind spots that exist within every institution,” the report authors said.

“Given the tactical shifts of the cognitive attack loop, they are maintaining and manipulating their positions within networks because of the noise created by incident response and the lack of security controls integration.”