Cyberattacks on the financial sector increase in 2023

The financial sector is one of the targets that receives the most cyberattacks today and cybercrime continues to increase. Today, Thursday, November 30, marks International Information Security Day and we must keep in mind that digital transformations within the sector are a major concern for companies worldwide and make the possibilities of attacks grow. This requires knowing the behavior of cybercriminals to be able to adequately protect themselves and boost digital financial security.

S2 Grupo's cybersecurity team reminds us that to execute their attacks, cybercriminals use the so-called 'Techniques, Tactics and Procedures' (TTPs), which are attack behaviors executed against victim organizations.

Our managing partner, José Rosell, has emphasized that cybersecurity professionals working in the financial sector must correctly identify the TTPs most frequently used by the main hostile groups that launch cyberattacks against organizations in the financial sector. This is the only way to implement specific tools that detect these threats and initiate the mitigation of the intrusion attempt or incident response.

Who is behind cyberattacks on the financial sector?

APT (advanced persistent threat) groups

They have high technical knowledge, experience and a large amount of resources that they employ to infiltrate their victims' networks and systems with the aim of accessing confidential information, sabotaging their opponents' operations or establishing persistence to carry out these actions in the future. APTs are characterized by tenacity in the pursuit of their objectives over time, the ability to adapt to the defensive efforts of their adversaries and the determination to maintain a continuous level of interaction necessary to achieve their goals.

They are often internal or external intelligence agencies that work in the interests of a State, providing intelligence that assists its leaders in strategic decision making.

Their objectives are: to serve military, political, economic and internal security interests, intelligence gathering and national security, as well as foreign intelligence, military, strategic, economic, scientific and technological targeting, information gathering and financial theft to finance regimes.

Some TTPs of these cybercrime groups are the:

• Exploitation of vulnerabilities shortly after they are published by the manufacturers or even unknown to the device manufacturers themselves.
• Use of social engineering for initial access or for downloading malicious artifacts.
• Use of legitimate cloud services such as Yandex, Dropbox and Google Drive to spread malware and leak data from victims' machines.
• Use of files with double extensions to confuse the user.
• Create services, scheduled tasks and modify registry keys to establish persistence.

Cybercrime

Most cybercrime is committed by cybercriminals or hackers who want to make money. However, sometimes cybercrime is aimed at damaging computers or networks for reasons other than profit which could be political or personal.

In this case, different types of criminal activities such as ransomware attacks, email and Internet fraud and identity fraud, as well as attempts to steal financial account, credit card or other payment card information can take place. In fact, ransomware-as-a-service has become one of the top cyber threats globally.

Some TTPs that can be highlighted in this group are:

• Use of exploits and unpatched software vulnerabilities to gain unauthorized access to systems.
• Phishing with malicious attachments or links.
• Use of valid credentials.
• Digital signatures to circumvent specific EDR (Endpoint Detection and Response) security measures.
• Data theft and double extortion (threat with publication).
• Disabling anti-malware and monitoring solutions.
• Use of WinRAR to compress files.

Hacktivist groups

Hacktivism consists in carrying out cyberattacks to promote political, religious or social ideas. The financial sector is one of the sectors most attacked by hacktivist groups because one of their main motivations is to create disruption in the victim's systems and to have a media impact. In this way they generate an enormous discredit to the company or organization.

Some of the TTPs most commonly used by hacktivist groups against the financial sector are:

• Botnet-based vulnerability scanning with IoT devices days before denial-of-service attacks.
• Use of DDoSIA software to perform DDoS attacks.
• Distributed command and control servers tasked with sending targets to be attacked by users of the DDoSIA platform.
• Use of GodzillaBotnet to carry out their cyberattacks, a botnet also associated with the SkyNet group.
• Launching HTTP attacks. They have sent floods of HTTP traffic specifically designed to overwhelm specific infrastructure.
• Specialized in DDoS, Hacking, Doxing and Defacement.
• Brute force dictionary attacks.
• DDoS attacks on the OSI model.

In this context, our team offers you some basic recommendations for cyber protection in the financial sector: carry out proactive review tasks as a threat hunting service, have an intelligence provider that keeps you updated on new TTPs and integrate the rules provided by a company like S2 Grupo into your perimeter defense system.