
A vicious cybercycle: Hackers attack, banks react, hackers strike back

In banking’s cash-and-coin-only days, robbers walked up to tellers, pulled out a gun and said “stick ’em up.” These days, thieves can just walk up to an ATM, unarmed, and perform a digital variation you could call “stick ’em out.”

Case in point: In April, a man walked up to a Russian bank automated teller machine—which started spitting out money, literally into his hands, without his touching anything.

It was caught on closed-circuit video after authorities discovered that hackers had robbed at least eight ATMs in Russia that way and stolen $800,000 in just one night, according to SecurityAffairs.co, citing a Kaspersky Labs report.

Malicious code was injected into the ATM’s memory. And that’s just the latest way bad guys known as “financial threat actors” cyber-rob banks.

In the ceaseless attack-and-response Whack-a-Mole—hack-a-mole, if you prefer—the cycle is speeding up, the threats are getting worse and the response has been less than adequate, says FireEye, one of the world’s leading cybersecurity firms.

All this comes at a time when IBM says financial institutions are now the top target of those actors. From both the outside and the inside, financial institutions find themselves more under siege because they store both personally identifying information and wealth. Trillions of dollars’ worth.

So more than ever, financial institutions attract unwanted attention from people with the means to intrude into their electronic systems that store and disseminate all their data.

As quickly as banks can react, the financial threat actors become rapid reactors. The cycle, says one expert, is driven by banks acting to shore up their defenses.

“The attackers don’t evolve unless they have to,” says John Miller, FireEye’s manager of threat intelligence. A recent FireEye study shows that there “has been a marked acceleration of both the aggressiveness and sophistication of cyberattacks.”

Defensive capabilities “have been slow to evolve and respond.” And most victims and those working to protect them “are still lacking fundamental security controls and capabilities to either prevent breaches or to minimize the damages and consequences of an inevitable compromise.”

Sophisticated raiders

When it comes to being targeted by cybercriminals, the financial services industry is now the top victim, leapfrogging healthcare and manufacturing, according to a recent study by IBM Managed Security Services, “Security Trends in the Finance Industry.”

Increasingly, the financial threat actors are going for the wealth, not merely the data, says IBM.

“Hacking groups that target financial institutions are now focusing more on financial gain rather than on digital sabotage,” according to IBM.

It is difficult to keep up.

“Attackers are more sophisticated than ever before,” according to a recent report on cybercrime trends by FireEye. “State-sponsored actors continue to set a high bar for sophisticated cyberattacks, but some financial threat actors have caught up—making them difficult to detect, and challenging to investigate and remediate.”

A lethal command injection

To achieve their goals, financial threat actors have deployed new versions of well-known techniques to rob the financial sector. The main culprit, according to IBM, can be found in attacks called SQLi and OS CMDi—SQL injection and operating-system command injection, two mysterious-sounding acronyms that belong to a spy-worthy, stealthy family of attacks known as injection. In each, attacker-supplied input is smuggled into a database query or an operating-system command so that the targeted system runs it as if it were the application’s own instructions, letting the attacker bore through security and take over various parts of the system.

Attacks of this type were responsible for almost half of those suffered by IBM’s financial services clients, “perhaps the most popular attack vectors within this sector because these vulnerabilities provide attackers with the ability to read, modify and destroy sensitive data.”
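To make the two injection classes named above concrete, here is an added illustration that is not code from the article, IBM or FireEye: a toy SQLite account lookup and a hostname echo, each written in the string-building form that invites injection and again in the parameterized form that defeats it. The table, the account rows and the inputs are all constructed for the example.

```python
import sqlite3
import subprocess


def make_db():
    # Constructed toy table; not any real bank's schema.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER, owner TEXT, balance REAL)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)",
                     [(1, "alice", 120.0), (2, "bob", 80.5)])
    return conn


def lookup_vulnerable(conn, owner):
    # SQLi: the caller's text is glued into the statement, so quote
    # characters in it change the query's logic instead of being data.
    sql = "SELECT id, owner, balance FROM accounts WHERE owner = '" + owner + "'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, owner):
    # Parameter binding: the value travels separately from the SQL text and
    # is never parsed as part of the statement, whatever it contains.
    sql = "SELECT id, owner, balance FROM accounts WHERE owner = ?"
    return conn.execute(sql, (owner,)).fetchall()


def run_vulnerable(hostname):
    # OS CMDi: shell=True hands the string to /bin/sh, so shell
    # metacharacters (;, |, &&) in the input start a second command.
    proc = subprocess.run("echo " + hostname, shell=True,
                          capture_output=True, text=True)
    return proc.stdout


def run_hardened(hostname):
    # argv list with no shell: the whole input is one literal argument.
    proc = subprocess.run(["echo", hostname], capture_output=True, text=True)
    return proc.stdout


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"          # classic textbook probe string
    print("vulnerable:", lookup_vulnerable(db, probe))   # every row leaks
    print("hardened:  ", lookup_hardened(db, probe))     # no such owner
    print("vulnerable:", repr(run_vulnerable("x; echo injected")))
    print("hardened:  ", repr(run_hardened("x; echo injected")))
```

The hardened lookup and the argv-style command call are the controls IBM's finding points at: the same input that dumps the whole table or runs a second command in the first form is treated as an ordinary value in the second.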

Like a castle under siege, the financial services sector has responded to cyberattacks by building a moat and lifting up the drawbridge—controlling access to systems and the authentication to use them, according to IBM.

Banks have invested heavily in such measures, say cybersecurity experts.

But the bad guys “are always one step ahead,” said Brian White of the RedOwl cybersecurity firm, pointing to the example of “sandboxing” as just one instance.

Sandboxing is a method for detecting malware before it enters the system. The bad guys, said White, countered by writing even more sophisticated malware that would detect if it was being placed in the sandbox.

Much like the white hats in the high-tech world, “They are always going to be iterating and innovating,” White said.

Clearwater, Florida-based cybersecurity expert Stu Sjouwerman, who runs the KnowBe4 cybersecurity firm, agrees. In the past, companies have used techniques such as whitelisting or “gateway security” to prevent infections by letting known good files run and blocking bad or unknown files, Sjouwerman says.

But the marauding hordes of cyberattackers have found ways to get around that. IBM says that subverting those controls has become the second-most popular form of attack on financial services firms.

When the inside is the dark side

The castle isn’t only under siege from the outside—but the inside as well.

The “Subvert Access Control” attack—essentially opening the drawbridge—comes from “insiders to gain control of end systems,” according to IBM.

“Insider threat is emerging as a key risk” for the financial services industry, White notes. “They’ve done a great job shoring up external attack service, so employees and contractors and others with legitimate access often may be a weak link.”

The insiders aren’t necessarily doing the damage themselves but letting the bad guys inside to do the dirty work.

Besieging cybercrooks can get inside the castle because they find legitimate access from an illegitimate source—the “dark web,” where anonymity reigns. “We did report with a threat intelligence company that discovered people selling credentials on the dark web,” White says.

Once bad actors have legitimate credentials to access a system, they can “masquerade around the network as a privileged legitimate employee.” To counter that, White suggests banks need “better systems to detect individuals” who may be more likely to go rogue from the inside.

“Banks have realized that security comes down to individuals now,” he said. “So there’s a need to monitor individuals—and that requires precision analytics and deep expertise. But that is ultimately needed to enhance overall security as you move forward.”

Financial institutions need to step up their game, says FireEye.

“Sophisticated intelligence integration, automation, and threat hunting should be the end-state goal,” according to the findings of its Mandiant M-Trends cybersecurity report for 2017.

If only it were as simple as looking for a smoking gun—or for that matter, any kind of gun.


Howard Altman covers the military and national security for the Tampa Bay Times. He has won more than 50 journalism awards and his work has appeared in the New York Times, Daily Beast, Philadelphia magazine, the Philadelphia Inquirer, New York Observer, Newsday and many other publications around the world.