adimas - Fotolia

Legit tools exploited in bank heists

Cyber criminals attacking the finance and other industry sector are continuing to exploit legitimate administration tools to hide their activities, highlighting the need for threat hunting, a report reveals

Common IT administration tools are being hijacked to act as invisibility cloaks for cyber criminals targeting financial institutions, according to a report by security firm Carbon Black.

The report is based on a survey of CISOs at 40 financial institutions and notes that cyber attacks against financial institutions are most often conducted for the purpose of yielding illicit financial gain and are typically undetectable, global and instantaneous.

During the past three years, the report said researchers have seen a tremendous amount of innovation from cyber criminals, with marked evolution in attack methods in the past six months.

“Cyber criminals are leveraging new techniques, tactics and procedures (TTPs) specific to maintaining persistence and countering incident response,” the report said.

The top finding of the survey is that cyber criminals are continuing to hide in plain sight and move laterally using attack methods that do not involve malware.

Instead, attackers are using legitimate tools such as PowerShell (89%), Windows Management Instrumentation (59%) and secure file transfer protocol (28%) to carry out activities so that they remain undetected.  

Native tools such as PowerShell and Windows Management Instrumentation (WMI) grant users exceptional rights and privileges to carry out the most basic commands across a network.

These “non-malware” or fileless attacks account for more than 50% of successful breaches, the report said, with attackers using existing software, allowed applications and authorised protocols to carry out malicious activities.

In this way, attackers are able to gain control of computers without downloading any malicious files and therefore remain unnoticed by malware-detection security systems.

For example, someone in the targeted organisation is lured to a compromised website, which launches Flash. This in turn invokes PowerShell, enabling the attacker to feed instructions to it through the command line, all operating in memory.

Finally, PowerShell is used to connect to a command and control server to download a malicious PowerShell script designed to find sensitive data and send it to the attacker, all without downloading any malware.

Almost every Carbon Black customer (97%) was targeted by a non-malware attack during each of the past two years, but the report notes that awareness of malicious usage for tools such as PowerShell has never been higher, with 90% of CISOs reporting seeing an attempted attack using PowerShell.

The report also reveals that 90% of financial institutions reported being targeted by a ransomware attack in the past year.

This is not surprising, the report said, with Carbon Black researchers observing in the past year a 2,502% increase in the sale of ransomware on the dark web. Cyber criminals are increasingly seeing opportunities to enter the market and looking to make money fast through one of the many ransomware offerings available, the report said.

“Unlike many other forms of cyber attacks, ransomware can be quickly and brainlessly deployed with a high probability of profit,” the report added.

A game of digital chess

A quarter of CISOs polled reported experiencing counter incident response, further illustrating the trend toward criminal sophistication and persistence. This statistic is “concerning”, the report said, because it means cyber criminals are increasingly reacting and adapting to defenders’ response efforts.

“Cyber defence is evolving into a high-stakes game of digital chess where opponents are responding to every move made on the board. Teams should be prepared to throw out the IR [incident response] playbook when necessary,” the report said.

Despite the nature of the threats facing financial organisations, the survey shows that only 37% have established threat hunting teams.

Active threat hunting is an important step for organisations with mature security programs, the report said, because it puts defenders “on the offensive” by finding abnormal activity on servers and endpoints that may be signs of compromise, intrusion or exfiltration of data.

Nearly half (44%) of financial institution CISOs said they are concerned with the security posture of their technology service providers (TSPs).

The report recommends that organisations’ threat hunting teams and defenders to assess TSP security posture.

“Given that 63% of financial institutions have yet to establish threat hunting teams, there should be concern regarding limited visibility into exposure created by TSPs,” the report said.

The report concludes that although financial institutions have a more robust cyber security posture than peers in other verticals, this does not make them immune to attack.

“There is still considerable opportunity for financial institutions to improve cyber security posture and go on the offensive with threat hunting teams,” the report said.

In the light of the survey’s findings, the report said financial institutions should aim to improve situational awareness and visibility into the more advanced attacker movements post breach, and that this must be accompanied with a tactical paradigm shift from prevention to detection.

“The increasing attack surface, coupled with the utilisation of advanced tactics, has allowed attackers to become invisible. Decreasing dwell time is the true return on investment for any cyber security program,” the report said.

Read more about cyber attacks on banks

Read more on Hackers and cybercrime prevention

Data Center
Data Management