With the US, UK, Canada and ANZ publishing a joint advisory this week that warns of malicious cyber activity targeting MSPs, VMware’s data shows over 60 per cent of financial institutions experienced an increase in island hopping, a 58 per cent increase from last year.
VMware’s recent Modern Bank Heists report revealed that cyber crime cartels have studied the interdependences of financial institutions and now understand which managed service provider (MSP) is used and who the outside general counsel is, as observed by the VMware threat analysis unit.
According to Tom Kellermann, head of cyber security strategy at VMware, there has been a fundamental restructuring of cyber crime cartels thanks to a booming dark web economy of scale.
“Powerful cyber criminal groups now operate like multinational corporations and are relied upon by traditional crime syndicates to carry out illegal activities such as extortion and money laundering.
“Cyber crime cartels are more organised than ever before and enjoy greater protection and resources from the nation-states that view them as national assets,” Kellermann said.
Against the backdrop of the threats facing financial institutions, VMware interviewed 130 financial security leaders and CISOs from around the world for the fifth edition of the Modern Bank Heists report.
The findings should serve as a warning to the financial sector that attackers are “moving from dwell to destruction”.
What is “island-hopping”?
This type of attack increased in prevalence in 2018 and is becoming more and more common. As advanced cyber attacks evolve, attackers target supply chains and undertake “island hopping” to the extent that today this hacking technique poses a serious and complex threat to business.
In particular, island hopping tends to begin in smaller organisations: cyber criminals infiltrate their target organisation through its smaller partner.
These smaller companies usually have more vulnerable security systems than the larger target organisations, making them easier for hackers to access.
Hackers take advantage of the trust between the two companies after breaking in and use their shared networks to reach the true target. At this point, the whole supply chain, including customer data, is at risk.
The term “island hopping” comes from a WWII military tactic used by the United States in the Pacific. Also known as leapfrogging, this involved capturing smaller, strategically located islands and establishing military bases there, as opposed to attacking mainland Japan directly. From these new bases, Allied soldiers would start the process again and continue until they reached their ultimate target.
Geopolitical tension has spilled over into cyber space
Cyber criminals targeting the financial sector often escalate their destructive attacks in order to burn evidence as part of their counter incident response.
The VMware report found that 63 per cent of financial institutions experienced an increase in destructive attacks, a 17 per cent increase from last year. Destructive attacks are launched punitively to destroy, disrupt, or degrade victim systems by taking actions such as encrypting files, deleting data, destroying hard drives, terminating connections, or executing malicious code.
According to Kellermann, the VMware researchers recently witnessed destructive malware like HermeticWiper being launched following Russia’s invasion of Ukraine.
“Notably, the majority of financial leaders I spoke to for this report stated that Russia posed the greatest concern to their institution,” Kellermann added.
The year of the RAT
Financial institutions were certainly not immune to the recent resurgence of ransomware.
About 74 per cent of financial security leaders experienced one or more ransomware attacks in the past year, and 63 per cent of those victims paid the ransom, which is a “staggering statistic”, the VMware researchers have noted.
One of the reasons that traditional crime syndicates have become loyal dark web customers is the well-funded ecosystem of ready-made and available ransomware kits. Cyber crime cartels, such as the Conti ransomware gang, have made it as easy as possible for their associates to launch ransomware attacks on critical industries like the financial sector.
A technical analysis in the VMware threat analysis unit’s latest threat report provides a view into the proliferation of ransomware and how remote access tools (RATs) help adversaries gain control of systems. Ransomware has a sinister relationship with these RATs, given these tools allow bad actors to persist within the environment and establish a staging server that can be used to target additional systems.
Once an adversary has gained this limited access, they will typically work to monetise it by relying on the victim’s data for extortion (including double and triple extortion) or through stealing resources from cloud services using cryptojacking attacks.
Manipulation of financial markets
Cyber crime cartels have realised that the most significant asset of a financial institution is non-public market information.
The VMware data shows that two out of three (66 per cent) of the leaders interviewed experienced attacks that targeted market strategies, and one in four (25 per cent) stated that market data was the primary target for cyber attacks on their financial institution.
What exactly are these cyber crime cartels looking for?
VMware researchers have witnessed an evolution from bank heist to economic espionage, where cyber criminals target corporate information or strategies that can affect the share price of a company as soon as it becomes public. This information can then be used to digitise insider trading and front-run the market.
The report also found that 44 per cent of Chronos attacks targeted market positions. A Chronos attack involves the manipulation of time stamps, a concerning development considering how critical a role the clock plays in the markets.
Defence is the best offence
Security has become a top-of-mind issue for financial sector leaders. According to the report findings, the majority of financial institutions plan to increase their security budget by 20-30 per cent this year and named extended detection and response (XDR) as their top security investment priority.
As security leaders know, a strong defence is the best offence. Modern threat hunting on a weekly basis should be adopted as a best practice to help security teams detect behavioural anomalies, as adversaries can maintain clandestine persistence in an organisation’s system. The VMware report found that currently only 51 per cent of financial institutions are conducting weekly threat hunts.
In today’s evolving threat landscape, cyber security has become a brand protection imperative, Kellermann added, emphasising that trust and confidence in the safety of financial institutions depend on effectively avoiding, mitigating and responding to modern cyber threats.
“I am hopeful that this number will jump in next year’s report as threat hunting programs have multiple outputs beyond finding a cyber criminal, such as fuelling threat intelligence,” Kellermann concluded.