
VMware’s fifth annual Modern Bank Heists report


Tom Kellermann, head of cybersecurity strategy, VMware

EITN: Could you share your insights into the following: changing cybercriminal behaviour and the defensive shift of the financial sector? Cybercriminals that target market strategies – what does that mean for financial institutions?

Tom Kellermann: VMware’s annual Modern Bank Heists report found that financial institutions are facing increased destructive attacks and falling victim to ransomware more than in years past, as sophisticated cybercrime cartels evolve beyond wire transfer fraud to now target market strategies, take over brokerage accounts and island hop into banks.

2 out of 3 (66 percent) of the leaders I interviewed experienced attacks that targeted market strategies, and 1 in 4 (25 percent) stated that market data was the primary target for cyberattacks on their financial institution.

We’re witnessing an evolution from bank heist to economic espionage, where cybercriminals target corporate information or strategies that can affect the share price of a company as soon as it becomes public.

What cybercrime cartels want to do is to get their hands on confidential information that can affect the share price of a company as soon as it becomes public, such as earnings estimates, public offerings, and significant transactions. Cybercrime cartels are seeking long-term market strategies of major financial institutions to facilitate front-running. Front-running is the illegal practice of purchasing a security based on advance nonpublic information regarding an expected large transaction.

The financial market is a sector that is entirely dependent on the accuracy of the clock, and this is where I would like to highlight that Chronos attacks are also surging, which are manipulation of time stamps. In the last year, 67% of financial institutions observed these attacks. Nearly half of Chronos attacks targeted market positions—a concerning development considering how critical a role the clock plays in the markets.


Financial institutions need to keep a close eye on the clock and ensure that security teams are prepared to protect the integrity of time. As financial institutions work to mitigate and respond to modern cyber threats, collaboration within the financial sector and with law enforcement is critical to ensure that the public maintains their trust and confidence in the safety of financial institutions and the global financial market.
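As an added defensive illustration that is not part of the interview or of VMware’s report: one of the simplest controls for the “integrity of time” described above is to check that every record in an order or audit trail carries a timestamp consistent with both a trusted reference clock and the records written before it. The log format, the sample lines, the reference clock value and the five-second tolerance are all constructed assumptions for this example.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample audit-trail lines (not taken from the report).
# Format assumed here: "<sequence number> <ISO-8601 UTC timestamp> <event> <fields>".
# Records are appended in sequence order, so their timestamps should never run backwards.
SAMPLE_LOG = """\
1001 2022-03-01T14:30:00+00:00 ORDER_NEW  acct=A17 sym=XYZ qty=500
1002 2022-03-01T14:30:01+00:00 ORDER_ACK  acct=A17 sym=XYZ
1003 2022-03-01T14:29:40+00:00 ORDER_NEW  acct=B02 sym=XYZ qty=50000
1004 2022-03-01T14:30:02+00:00 ORDER_ACK  acct=B02 sym=XYZ
1005 2022-03-01T14:45:00+00:00 ORDER_FILL acct=A17 sym=XYZ
1006 2022-03-01T14:30:03+00:00 ORDER_FILL acct=B02 sym=XYZ
"""

# Assumed trusted reference clock (e.g. a monitored NTP/PTP source) at the moment of the check.
REFERENCE_NOW = datetime(2022, 3, 1, 14, 30, 5, tzinfo=timezone.utc)


def parse_line(line):
    """Split one record into (sequence number, timezone-aware timestamp, remainder)."""
    seq, ts, rest = line.split(maxsplit=2)
    return int(seq), datetime.fromisoformat(ts), rest


def find_timestamp_anomalies(log_text, reference_now, max_future_skew=timedelta(seconds=5)):
    """Return a list of (seq, reason) for records whose timestamps are not trustworthy.

    Two checks are applied to each record, in sequence-number order:
      - "backwards": the timestamp is earlier than the last trusted record's timestamp
        (record 1003 above is backdated behind records already written).
      - "future":    the timestamp is ahead of the reference clock by more than
        max_future_skew (record 1005 above claims a time the reference clock has not reached).
    A flagged record does not advance the trusted high-water mark, so one bad
    timestamp does not cause every following good record to be flagged as well.
    """
    anomalies = []
    last_trusted = None
    for line in log_text.splitlines():
        seq, ts, _ = parse_line(line)
        reasons = []
        if last_trusted is not None and ts < last_trusted:
            reasons.append("backwards")
        if ts - reference_now > max_future_skew:
            reasons.append("future")
        if reasons:
            anomalies.extend((seq, reason) for reason in reasons)
        else:
            last_trusted = ts
    return anomalies


def run_example():
    """Run the check over the constructed sample against the assumed reference clock."""
    return find_timestamp_anomalies(SAMPLE_LOG, REFERENCE_NOW)


if __name__ == "__main__":
    for seq, reason in run_example():
        print(f"record {seq}: timestamp anomaly ({reason})")
```

In production the reference clock would come from an independently monitored time source rather than the host’s own clock, and the flagged sequence numbers would feed the alerting pipeline rather than stdout; the point of the check is that a manipulated timestamp is visible as a contradiction between the record and the trusted record sequence, even when the record itself looks well-formed.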

EITN: What does island hopping mean? What does it mean that for 60 percent of FIs there is a 58 percent increase from last year?

Tom Kellermann: Island hopping is a method wherein an organisation’s information supply chain is commandeered to attack the institution from within its trusted supply chain. Having done their due diligence, the cybercrime cartels understand the interdependencies of the financial sector, by studying which managed service provider a bank uses and who their outside general counsel is.

So instead of a direct focus on the financial institutions, the cybercriminals are finding success by attacking their third-party service providers to then island hop into the bank. Once a financial institution is compromised, they can then use its legacy and trusted reputation to target its constituents.

The increase in island hopping percentage represents a new era of conspiracy where hijacking the digital transformation of a financial institution via island hopping to attack its constituents has become the ultimate attack outcome.

EITN: A large number of financial sectors experienced at least one ransomware attack. What does it mean that 63 percent of victims paid the ransom?

Tom Kellermann: Our research findings show just how pervasive ransomware remains to financial institutions globally. For instance, Conti ransomware (a ransomware group known for its ransomware-as-a-service (RaaS) structure) was the most prevalent in these attack campaigns. The VMware Threat Analysis Unit™ discovered the Conti ransomware family in July 2020.

Chainalysis has identified more than $602 million worth of ransomware payments paid in 2021—with the Conti ransomware gang accounting for $180 million—although the true total for 2021 is likely to be much higher. In a six-month span last year, FinCEN said it identified approximately $5.2 billion in outgoing bitcoin transactions potentially tied to ransomware payments.

Global law enforcement agencies have taken significant actions aimed at curbing ransomware, including mitigating the money laundering associated with cybercrime, treating ransomware attacks on critical infrastructure as a national security issue, and banning ransomware payments as they represent modern-day terror financing.

EITN: With Russia posing the greatest concern (in terms of cybersecurity), what are financial institutions doing to prepare for it?

Tom Kellermann: Geopolitical tension is metastasizing in cyberspace and the majority of financial institutions we surveyed stated that Russia posed the greatest concern. We’ve recently witnessed destructive malware being launched following Russia’s invasion of Ukraine.


It is worth noting that cybercriminals in the financial sector will typically leverage destructive attacks as an escalation to burn the evidence as part of a counter incident response. Destructive malware variants seek to destroy, disrupt, or degrade victim systems by taking actions such as encrypting files, deleting data, destroying hard drives, terminating connections, or executing malicious code.

Some of the best practices which financial institutions can look at incorporating in their cybersecurity strategies include:

  • Integrate your network detection and response (NDR) with your endpoint detection and response (EDR): Detection and response technology employs real-time, continuous monitoring of systems to detect and investigate potential threats. A detection and response system then uses automation to contain and remove those threats.
  • Apply micro-segmentation: Limit an adversary’s ability to move laterally within the organisation. Forcing intruders to cross trust boundaries provides an improved opportunity for detection and prevention.
  • Automate vulnerability management: This will enable security teams to have improved risk-prioritisation and can focus on vulnerabilities that are actually exploitable.
  • Deploy decoys: This is also known as deception technology, to divert the intruder.
  • Activate application control in high enforcement: This will help prevent unauthorised change and help stop malware, ransomware, Zero Day, and non-malware attacks.
  • Deploy workload security: Such a move will reduce the attack surface, increase visibility across environments, and secure workloads against emerging threats.
  • Conduct weekly threat hunting: Security teams should assume attackers have multiple avenues into their organisation. Threat hunting on all devices can help security teams detect behavioural anomalies as adversaries can maintain clandestine persistence in an organisation’s system.
  • Implement DevSecOps and API security: To keep modern applications secure.
  • Apply just-in-time administration: To reduce the attack surface to only the times when privileges are actively being used.
  • Ensure backups are viable and periodic: To ensure that critical data can be rapidly restored if the organisation is impacted by ransomware or a destructive cyberattack.