VMware Issues “Modern Bank Heists 3.0” Report Featuring Cyberthreat Data Analysis and CISO Survey Data

On May 14, enterprise software firm VMware released its “Modern Bank Heists 3.0” report on key trends and developments pertaining to cyberattacks against financial institutions. The report (available here) combines threat data analysis by VMWare’s Carbon Black team with survey responses from 25 financial institution Chief Information Security Officers (CISOs) reflecting trends over the past 12 months.

Key findings and responses in the report included the following:

• Threat Data Analysis:
  • From the start of February to the end of April 2020, attacks targeting the financial sector grew by 238 percent, and ransomware attacks against the financial sector increased by nine times.
  • 27 percent of all cyberattacks to date in 2020 have targeted either the healthcare sector or the financial sector.
• Survey Responses:
  • 80 percent of surveyed financial institutions reported an increase in cyberattacks (a 13 percent increase from 2019).
  • 82 percent said that cybercriminals have become more sophisticated.
  • 64 percent reported increased fraudulent wire transfer attempts (a 17 percent increase from 2019). The report added that these attacks “are often performed by exploiting gaps in the wire transfer verification process or through social engineering attacks targeting customer service representatives and consumers directly.”  It also noted that cybercriminals “exhibit tremendous situational awareness regarding SWIFT messaging. This is compounded with their newfound understanding of the criticality of portfolio managers’ positions.”
  • 33 percent said that they have encountered an attack leveraging “island hopping” (i.e., “an attack where supply chains and partners are commandeered to target the primary financial institution”).
  • 25 percent said that they were targeted by destructive attacks (i.e., attacks “launched punitively to destroy data and dismantle subnets”).
  • 20 percent said that they experienced a “watering-hole attack” (i.e., attacks in which financial institution and bank regulatory websites “are hijacked and used to pollute visitors’ browsers”).
• Key Attack Trends:
  • Among the top attacks seen across multiple sectors, including finance, are the Emotet family of banking malware and the Kryptic trojan, which was one of the infections found in the 2015 attack on the Ukrainian power grid.
• Cyberattacker Tactics, Techniques, and Procedures (TTPs):
  • The report stated that
    • “cybercriminals have dramatically increased their knowledge of the policies and procedures of financial institutions. They are keenly aware of the incident response (IR) stratagems being employed by IR teams and the blind spots that exist within every institution. Given the tactical shifts of the cognitive attack loop, they are maintaining and manipulating their positions within networks because of the noise created by incident response and the lack of security controls integration.”
  • It also discussed leading methods by which cybercriminals are exploiting processes running on systems. According to data from MITRE, the most prominent threat identifications affecting the financial sector from March 2019 to February 2020 were process discovery (64.81 percent) and process injection (i.e., “a method of executing arbitrary code in the address space of a separate live process,” which “may allow access to the process’s memory, system/network resources, and possibly elevated privileges”) (25.04 percent).

To respond to these cyberattack methods, the report recommended five steps for financial institutions in responding to incidents:

1. “Stand up a secondary line of secure communications” to discuss the ongoing incident, as cyberattackers may be intercepting, viewing, modifying, and otherwise compromising internal communications.
2. “Assume the adversary has multiple means of gaining access into the environment.”
3. “Watch and wait” rather than immediately starting to block malware activity and to shut off access, as the institution needs to determine potential avenues of reentry by the attackers.
4. “Deploy agents (if you must) in monitor-only mode” to avoid tipping off the attackers by trying to block or otherwise impede their activities.
5. Deploy honey tokens (i.e., “fake digital data objects planted among real data objects and used in an attempt to detect data misuse by insiders”) or “deception grids” (i.e. cyber deception technology that uses decoys that “mimic user activities, while acting like real exploited users,” as well as hacker-tracing capabilities).

Note:  Information-security officers at financial institutions should distribute copies of this report to their teams, and incorporate specific findings from it into executive-level briefings and training on cybersecurity risks.  Senior leadership in financial institutions needs to understand the degree of sophistication that cyberattackers routinely display in their efforts to acquire or destroy vital data, if they are to make sound judgments about the resources that their CISOs need on a continuing basis.