In the 1950s, the American bank robber Willie Sutton is alleged to have said that he robs banks because “that’s where the money is”.
It should be no surprise, then, that the finance sector is consistently one of the sectors which is the most targeted by cyber criminals. Finance has actually been the number one most targeted industry sector in six of the seven years NTT Security has written the annual Global Threat Intelligence Report (GTIR). The ultimate motivation for this consistent focus is clear – financial gain.
Attackers target finance to directly steal funds. They target credit cards to either use the cards or to sell them. They target client credentials to steal account details. They target users within the financial community with phishing attacks, to gather credentials, gain access, or generate wire transfers. The variety of attack types is wide, and the specific attack techniques used are endless.
Targeting finance regionally
In the 2019 GTIR, NTT Security identified attacks which ranked finance as the single most attacked industry sector globally. The finance sector also obtained incident response services from NTT Security more than any other sector, with 18% of all incident response engagements – a number on par with the total percentage of attacks against the sector. Overall, attack volumes against targets in the finance sector rose over 13% from volumes in 2017.
And that 13% is important. Financial organizations experienced an average of over 13% MORE attacks during 2018 than they did in 2017. If finance organizations are not spending 13% more money, or have 13% more staff, or have not dedicated 13% more resources than the previous year, they are in danger of falling behind current attack volumes. “Status Quo” means falling behind. Falling behind means you are more vulnerable than previously, especially with rising numbers of vulnerabilities.
Attack sources are, unfortunately, less meaningful than hoped. While sources in the United States account for 42% of all global attacks targeting finance, the top 10 attack sources account for 77% of all such attacks. That 77% is a low number and suggests that attacks are highly distributed across many providers and attack sources, helping to hide the source of the attacker. At the same time, if we review the top 10 attack sources from all of the geographic regions, those three lists (Americas, EMEA and APAC) only combine for 12 attack sources (United States, China, United Kingdom, France, Norway, Finland, Russian Federation, Netherlands, Germany, Egypt, Seychelles and Iran), meaning the most active sources are mostly consistent across all regions – suggesting that they are consistent attackers or using consistent tools regardless of the actual geography of victims.
Profiling technical attacks
Globally, and in every region, the single most common attack type targeting victims in the finance sector was web attacks. Globally, web attacks accounted for 32% of all attacks, while 46% of all attacks against finance were some form of web attack. That difference was the largest in attacks in the Americas. While 25% of all attacks against targets within the Americas were web attacks, 46% of all attacks against finance organizations within the Americas were web attacks.
Web attack volumes targeting finance in the Americas were consistent from 2017 to 2018. At the same time, the percentage of web attacks targeting the finance sector in EMEA and APAC doubled from 2017 to 2018. This indicates a clear emphasis on web attacks targeting the finance sector.
Web attacks, such as those targeting web applications and application-specific vulnerabilities are heavily used by threat actors. These attacks were rarely used more consistently during 2018 than they were against targets in the finance sector. These attacks include cross-site scripting (XSS) injection attacks, buffer overflows, mishandled parameters, directory traversal and more. Such attacks take advantage of exploits against vulnerabilities in applications like Apache Struts, Oracle, and Java – the very software which organizations are using to support their external web presence. Even into 2019, web attacks against these three common applications often make up more than half of all attacks against finance for extended periods of time.
Beyond web attacks, service-specific attacks are also at the top of the “attack type” list against finance in every region. Service-specific attacks are directed at services which often do not require authentication and run on a server, desktop or mobile devices. These attacks are most frequently seen in exploit attempts against common services such as SMTP, DNS, SMB, FTP and Telnet, but often target databases and remote access services. Such attacks often provide the attacker access to the underlying operating system allowing opportunities for further exploitation.
Such services often support the same internet presence as the software exposed to web attacks.
Profiling 'other' attacks
In reality, attacks against the finance sector continually evolve. Phishing attacks, for instance, are common. They bring with them attempts to install malware and steal credentials. Dealing with phishing attacks was one of the more common reasons finance organizations engaged with NTT Security Incident Response services.
Phishing attacks and malspam campaigns continue attempts to deliver malware, which is regularly seen targeting finance. Common malware observed in the finance sector so far in 2019 includes GandCrab ransomware, Emotet Trojan and downloader, NanoCore RAT, and Trojans/data thieves AZORult, Lokibot, and Dridex, among others – the list very quickly gets endless. Often, multiple variants of malware are installed at the same time and paired with phishing attacks.
Ultimately, the problem is that finance is highly targeted by advanced attackers using a wide variety of techniques, which cannot be defeated by any single control. But that does not mean such attacks are destined to be successful.
A comprehensive list of recommendations would consist of defining a multi-level security program with a wide variety of overlapping technical and non-technical controls. But, focusing on these three recommendations is a start:
- Prioritize patching – especially on critical and exposed systems. Ensure this includes operating system and application patching to help reduce exposure to web attacks.
- Segment your organizational environment – breaking down critical systems into protected subnets can help make it more difficult for attackers to locate and exfiltrate sensitive data.
- Train everyone – train IT and security staff in the best use of implemented technology, train development staff in secure coding techniques, and train management and users at all level about security basics designed to help protect key data from attacks which require user interaction, such as phishing attacks.
For more information about attacks against the finance sector, or about web attacks, download and read the 2019 NTT Security GTIR.