Financial Malware, Regulatory Bodies, and Risk Management Practices and Standards
Banks, and indeed the entire global financial infrastructure, are something we rely on daily to keep economies moving and hold society together. The ever-increasing volume and sophistication of financial malware attacks have led regulatory bodies to extend their purview to include cybersecurity and risk management practices and standards. Consultations are under way, and we can expect to see enhanced and detailed regulatory guidelines and expectations set in both North America and Europe in the coming year. Without question, it is in the public interest to keep banks and financial market infrastructures cyber secure, which is why some degree of oversight is required.
Attacks go where the money is
Banks and financial institutions remain the most obvious target for cyber attack. Just as banks and the movement of physical cash were the most obvious target for theft in the 20th century, here in the 21st century it is the electronic management, disbursement and movement systems that offer criminal actors the greatest reward relative to risk.
Additionally, banks and financial institutions are such a critical element of national infrastructure that they also present a high-value target for nation-state attacks. Wiping out the reserves of a country effectively takes it off the board in terms of functionality. Freezing the retail banking operations of a large bank results in widespread panic amongst the populace, distracting from other possible aggressive actions.
Financial Malware – not Ransomware – is the biggest threat to banks
Recent research has shed light on a reality that is not featured in the news. While ransomware is getting all the media attention, it is actually financial malware that is far more prevalent: 2.5 times as prevalent, numbering 1.2 million financial malware attacks. Almost 40% of financial threat detections are against corporations, not customers. Recently, Dr. Web and other security firms reported a resurgence of Android banking Trojans, and Kaspersky Lab discovered Nukebot, a ready-to-attack version of TinyNuke that infects banks’ sites aiming to steal credentials.
From financial Trojans to attacks on ATMs and POS devices, the range of attacks uniquely targeting elements of the financial infrastructure is on the rise and continues to become increasingly sophisticated. Criminal attacks have directly attempted fraudulent transactions or focused on acquiring customer account information in order to target individual customers in follow-up schemes.
The recent high profile NotPetya attack that compromised entities ranging from airlines and utilities to banks and ATMs worldwide is understood to have been an example of cyber-warfare, with NATO evaluating response options. NotPetya also exemplifies how old malware is made new again with modifications and adjustments, resulting in a highly damaging piece of software. Initially thought to be ransomware, NotPetya, in fact, was a wiper that paralyzed scores of organizations across the world, and offered poorly designed methods of collecting ransom while not returning seized data when the ransom was paid.
There can be no doubt that as cyber-warfare escalates, banks and financial institutions will be amongst the prime targets.
There is no Trust
The Polish financial regulator KNF was also attacked, in a breach that may very well have been a test of cyber warfare capabilities. It led to 20 banks in Poland subsequently being compromised, followed by almost 100 other organizations in over 30 countries.
The key to this attack was that it was enabled, and predicated upon, trust. Just as we trust banks, banks themselves trust entities such as national financial regulators. Yet this watering hole attack occurred just the same. Visitors to the KNF website, the lion’s share of whom would have been users working in banks and financial institutions, ended up encountering injected code that redirected them to a custom exploit kit.
Another example of trust gone wrong is the well-known Carbanak malware that targeted over 100 financial institutions. Attackers used a stolen security certificate to evade defenses, using the organizational trust in vendor certificates against them.
Defense is not enough – take a proactive security posture with Infocyte HUNT
Trust in defensive measures must be re-examined as well. Whether firewalls, AV or whitelisting, defensive solutions work to prevent malware from breaching; however, malware does in fact breach. A study by Crowd Research Partners has indicated that up to 44% of threats go undetected by automated security tools.
As seen most recently with NotPetya, the impact of such breaches can be both widespread and catastrophic for businesses and institutions. And while the immediate breach by NotPetya may be dealt with, what about other secondary malware that is seeded by the original malicious file?
It is incumbent upon organizations, particularly financial institutions and banks, to take proactive measures to combat malware. One way to do that is to adopt a threat hunting platform, to buttress the defensive measures taken.
Enterprises using Infocyte HUNT are able to dramatically reduce dwell time – the period from malware infection to discovery. The Infocyte HUNT platform enables and equips enterprises to scour endpoints, from servers and workstations to ATMs and POS systems, at a frequency of their choosing (hourly, daily, etc.), looking for malware. This enables organizations to ensure that malware is not allowed to persist undiscovered after it breaches existing defenses, and put controls around dwell time to dramatically limit potential damage.
Infocyte HUNT uses memory un-mapping techniques and volatile memory analysis to collect data from each endpoint and analyzes the data to deliver simple reports that validate whether enterprise endpoints are clean or compromised. Infocyte HUNT detects malware when it is a known recognized variant, and also detects malware in cases where the software has never been seen before.
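The two ideas in the paragraphs above, bounding dwell time through periodic endpoint scans and classifying what a memory scan finds as a known variant versus something never seen before, can be shown in a small triage routine. The following is an added example written for this article; it is not Infocyte HUNT code and does not describe how the product works internally. It assumes a hypothetical scanner that already reports, per loaded module, a hash of the image as mapped in memory (normalized so relocations do not change it), a hash of the backing file on disk, a signature-validation result and the time the module was loaded; the hash values and the sample ATM scan are constructed placeholders, not real indicators.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Constructed reference sets: the hashes below are placeholders, not real IoCs.
KNOWN_BAD_SHA256: Dict[str, str] = {
    "b" * 64: "banking trojan loader (constructed sample entry)",
}
KNOWN_GOOD_SHA256 = {"a" * 64, "c" * 64}


@dataclass
class LoadedModule:
    name: str
    memory_sha256: str           # hash of the image as mapped in memory (assumed normalized for relocations)
    disk_sha256: Optional[str]   # hash of the backing file on disk; None if no file backs the mapping
    signed: bool                 # True when the code signature validated against a trusted chain
    loaded_at: datetime          # when the module was first mapped into the process


@dataclass
class EndpointScan:
    host: str
    scanned_at: datetime
    modules: List[LoadedModule]


def triage_module(mod: LoadedModule) -> List[str]:
    """Return the indicators that apply to one in-memory module (empty list = nothing to report)."""
    findings = []
    # Known variant: the in-memory hash matches a reference entry.
    if mod.memory_sha256 in KNOWN_BAD_SHA256:
        findings.append("known malware: " + KNOWN_BAD_SHA256[mod.memory_sha256])
    # Never-seen-before signals that need no signature: memory that has no file behind it,
    # or a file whose image was altered after loading.
    if mod.disk_sha256 is None:
        findings.append("memory-only module with no backing file on disk")
    elif mod.disk_sha256 != mod.memory_sha256:
        findings.append("in-memory image differs from the file on disk")
    is_known = mod.memory_sha256 in KNOWN_GOOD_SHA256 or mod.memory_sha256 in KNOWN_BAD_SHA256
    if not mod.signed and not is_known:
        findings.append("unsigned module never seen before")
    return findings


# Findings that on their own justify a "compromised" verdict rather than "suspicious".
STRONG_INDICATORS = ("known malware", "memory-only", "differs from the file")


def triage_endpoint(scan: EndpointScan) -> dict:
    """Classify an endpoint as clean, suspicious or compromised and record the longest dwell time."""
    report = {"host": scan.host, "verdict": "clean", "findings": {}, "max_dwell_hours": 0.0}
    for mod in scan.modules:
        findings = triage_module(mod)
        if not findings:
            continue
        report["findings"][mod.name] = findings
        # Dwell time here is measured from the module's load time to this scan.
        dwell_hours = (scan.scanned_at - mod.loaded_at).total_seconds() / 3600
        report["max_dwell_hours"] = max(report["max_dwell_hours"], round(dwell_hours, 1))
    all_findings = [f for fs in report["findings"].values() for f in fs]
    if any(ind in f for f in all_findings for ind in STRONG_INDICATORS):
        report["verdict"] = "compromised"
    elif all_findings:
        report["verdict"] = "suspicious"
    return report


def max_dwell_hours_for_cadence(scan_interval_hours: float, analysis_hours: float) -> float:
    """Upper bound on dwell time a periodic hunt permits: worst case, the infection lands
    just after one scan and is only caught by the next, plus the time to analyze the results."""
    return scan_interval_hours + analysis_hours


def sample_scan() -> EndpointScan:
    """Constructed scan result for one ATM endpoint (not real data)."""
    return EndpointScan(
        host="atm-0042",
        scanned_at=datetime(2017, 7, 10, 9, 0),
        modules=[
            LoadedModule("kernel32.dll", "a" * 64, "a" * 64, True, datetime(2017, 7, 1, 8, 0)),
            LoadedModule("svchost.exe", "b" * 64, "d" * 64, False, datetime(2017, 7, 8, 21, 0)),
            LoadedModule("updater.dll", "e" * 64, "e" * 64, False, datetime(2017, 7, 10, 3, 0)),
        ],
    )


if __name__ == "__main__":
    print(triage_endpoint(sample_scan()))
    print("daily scans, 2h analysis -> dwell bound", max_dwell_hours_for_cadence(24, 2), "hours")
```

In the constructed scan, the process image whose in-memory hash matches the reference entry and no longer matches its file on disk makes the endpoint "compromised", while the unsigned, unknown updater module alone would only rate "suspicious" and is the kind of item a hunter escalates for manual review. The dwell figure shows why cadence matters: with hourly scans the bound drops from roughly a day to roughly an hour plus analysis time.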
We rely on banks and financial institutions to maintain and protect our assets and their infrastructure; it must therefore be a priority for banks to use a threat hunting tool like Infocyte HUNT to ensure that both customers and the infrastructure as a whole are kept as safe from cyber attacks as possible.
Read more about financial malware, and how Infocyte HUNT can offer financial institutions an easy-to-use threat hunting and incident response platform to hunt malware that has breached existing defenses.