Sekoia: Latest in the Financial Sector Cyber Threat Landscape

We Keep you Connected

Sekoia: Latest in the Financial Sector Cyber Threat Landscape

Sekoia: Latest in the Financial Sector Cyber Threat Landscape
Your email has been sent
Phishing, infostealer malware, ransomware, supply chain attacks, data breaches and crypto-related attacks are among the top evolving threats in the financial sector, says Sekoia.
A new report from French-based cybersecurity company Sekoia describes evolutions in the financial sector threat landscape. The sector is the most impacted by phishing worldwide and is increasingly targeted by QR code phishing.
The financial industry also suffers from attacks on the software supply chain and stands among the most targeted sectors impacted by ransomware in 2023. And an increase in attacks on Android smartphones affects the sector, both for cybercrime and cyberespionage operations.
Jump to:
Phishing is the top digital crime for 2022, according to the FBI, with more than 300,000 victims in 2022. The Anti-Phishing Working Group indicates that in the third quarter of 2022, the financial sector was the most impacted by phishing campaigns, with 23% of financial institutions being targeted.
According to Sekoia, the phishing-as-a-service model has been massively adopted in 2023. Phishing kits built of phishing pages impersonating different financial organizations are being sold to cybercriminals in addition to kits made to usurp Microsoft and collect Microsoft 365 login credentials, which companies use for authenticating to various services.
One example of such a threat is NakedPages PhaaS, which provides phishing pages for a large variety of targets, including financial organizations. The threat actor manages licenses and regularly announces updates via its Telegram channel, which currently has about 3,500 members (Figure A). About this number, Livia Tibirna, strategic threat intelligence analyst at Sekoia, told TechRepublic that “generally speaking, cybercrime actors tend to increase their audience, and so their visibility, by inviting users to join their public resources. Therefore, the users are potential (future) customers of the threat actors’ services. Yet, other type of users joining threat actors’ Telegram resources are cybersecurity experts monitoring the related threats.”
Figure A
Among all of the provided phishing pages, the threat actor mentions the online accounting software QuickBooks, used by many organizations in the financial sector.
The most active tool sets used for PhaaS over the past year in addition to NakedPages are EvilProxy, Dadsec, Caffeine and Greatness, according to Sekoia’s researchers.
An increase in the number of QR code phishing, or quishing, campaigns has been observed by Sekoia. Quishing attacks consist of targeting users with QR codes to deceive them into providing their personal information, such as login credentials or financial information.
Sekoia assesses that QR code phishing will increase due to its “effectiveness in evading detection and circumventing email protection solutions.”
Quishing capabilities are part of the Dadsec OTT phishing as a service platform, the most used kit in Q3 for 2023, according to Sekoia. It has been observed in several large-scale attack campaigns, impersonating banking companies in particular.
Another large quishing campaign targeted investment organizations via the Tycoon PhaaS kit. The quishing attack leveraged PDF and XLSX email attachments containing a QR code, ultimately leading to Microsoft 365 session cookie theft.
Business email compromise campaigns have increased by 55% for the first six months of 2023. While those attacks typically impersonated CEOs and high-level executives, they now also impersonate vendors or business partners.
One recent case has impacted the financial sector with a sophisticated multi-stage adversary-in-the-middle phishing and BEC attack. The attack specifically targeted banking and financial services and originated from a compromised trusted vendor, showing an evolution in the BEC threat landscape.
Open-source software supply chain attacks have seen a 200% increase from 2022 to 2023. As 94% of organizations in the financial sector use open-source components in their digital products or services, the sector can be affected by attacks leveraging compromises in the open-source software supply chain.
A striking example has been the Log4Shell vulnerability and its exploitation, which affected thousands of companies worldwide for financial gain and espionage.
Supply chain attacks specifically targeting the banking sector have also been reported, showing that some threat actors have the capability to build sophisticated attacks against the sector.
As stated by Sekoia, “It is highly likely that advanced threat actors will persist in explicitly targeting the banking sector’s software supply chain.”
Financial aggregators also appear as a new opportunity for threat actors to target the sector. According to Sekoia, those aggregators “are not submitted to the same level of regulation as traditional banking entities and are supported by technologies with potential vulnerabilities.”
The International Monetary Fund also states that “new technologies in financial services can also generate new risks” and that “APIs with poor security architecture could lead to leaks of potentially sensitive data.”
An attack on one such aggregator called Dexible in February 2023 stands as an example. In that attack, a vulnerability allowed attackers to orient tokens of users towards their own smart contracts before being withdrawn.
Malware designed to collect financial data, including credit card information, banking credentials, cryptocurrency wallets and more sensitive data, have been around for many years already.
A particular concern raised by Sekoia resides in the increasing number of mobile banking Trojans, which doubled in 2022 as compared to the previous year and continues to grow in 2023. Sekoia predicts that this is likely due to the increase in mobile devices being used for financial services and to the fact that those malware help bypass two-factor authentication.
Spyware — malicious pieces of code designed for collecting keystrokes, credentials and more sensitive data — have increasingly been used in 2023 for bank fraud, according to Sekoia. One Android malware is SpyNote, which started targeting banking applications in addition to its previous functionalities.
Ransomware targets the financial sector heavily, which became the fourth-most impacted sector in the third quarter of 2023, with ransom requests varying from $180,000 USD to $40 million USD and having huge physical impacts in some cases.
Sekoia reports an important change for known ransomware actors leveraging extortion impacting the financial sector, such as BianLian: They have shifted to an exfiltration-based extortion without any encryption of the victims’ systems and data. This move is likely done to avoid encryption problems at scale during mass compromise campaigns.
Decentralized finance, based on blockchain technology, also faces threat actors.
Cryptocurrencies are built on various blockchains, which are closed environments that cannot communicate with each other. To address this challenge, interoperability solutions have been developed, including cross-chain bridges and atomic swaps. These solutions rely on smart contracts, segments of code that execute token transfers based on the validation of specific conditions.
Attacks on DeFi organizations mostly target their employees, who may be lured into providing their credentials to attackers or becoming compromised by malware. Once inside the organization’s network, the attackers are able to steal cryptocurrencies.
An example of a state-sponsored threat actor targeting DeFi and blockchain bridges is Lazarus. The North Korean threat actor has generated 10 times more money than other actors and mostly focuses on the crypto assets industry entities located in Asia and the U.S. rather than European traditional banking institutions. Three attacks targeting DeFi platforms have been attributed to Lazarus in 2023 against Atomic Wallet, Alphapo and CoinsPaid, overall generating the theft of $132 million USD.
It seems that targeting on DeFi is mostly done by state-sponsored threat actors, as told to TechRepublic by Coline Chavane, strategic threat intelligence analyst at Sekoia: “DeFi platforms and services seem to be mostly targeted by state-sponsored intrusion sets rather than cybercriminals. In 2023, we did not observe significant attacks perpetrated by cybercrime actors against DeFi. These services can nevertheless be used to make illegal transfers for cybercriminal administrator or ransomware groups.”
Globally, a loss of $3.8 billion USD has been reported by blockchain company Chainalysis for 2022, with 64% of the loss coming from cross-chain bridge protocols.
Attacks can sometimes be difficult to attribute, especially when an attacker’s motivation is not easy to estimate. Some attacks targeting the financial sector are fully aimed at financial gain, but others might aim at cyberespionage. Yet even more intriguing is the fact that some threat actors disguise their operations as being financially oriented when they are in fact strategic operations with an espionage goal.
In 2022, Secureworks, a Dell Technologies company, published research on threat actor Bronze Starlight targeting companies with ransomware. Secureworks indicates that “the combination of victimology and the overlap with infrastructure and tooling associated with government-sponsored threat group activity indicate that BRONZE STARLIGHT may deploy ransomware to hide its cyberespionage activity.”
Another case exposed by Kaspersky sheds light on a cryptocurrency miner being an element of a more complex malware called StripedFly and associated with the Equation malware.
The financial sector is prone to several security threats. Phishing and BEC have been around for many years but have evolved in complexity to still affect the sector and keep up with new technologies. All employees working for financial organizations should be educated to detect phishing attempts or fraud that could target them. They should also have an easy way to report any suspicious activity to their IT department.
More indirect attacks are observed in the wild, as attackers have increasingly been targeting organizations via supply chain attacks. In particular, open-source software used in products or services should be carefully checked before being deployed.
Disclosure: I work for Trend Micro, but the views expressed in this article are mine.
Strengthen your organization’s IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices. Delivered Tuesdays and Thursdays
Strengthen your organization’s IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices. Delivered Tuesdays and Thursdays
Sekoia: Latest in the Financial Sector Cyber Threat Landscape
Your email has been sent
TechRepublic Premium content helps you solve your toughest IT issues and jump-start your career or next project.
This is a comprehensive list of the best AI art generators. Explore the advanced technology that transforms imagination into stunning artworks.
Find the perfect payroll service for your business without breaking the bank. Discover the top cheap payroll services, features, pricing and pros and cons.
Is NordVPN worth it? How much does it cost and is it safe to use? Read our NordVPN review to learn about pricing, features, security, and more.
Free project management software provides flexibility for managing projects without paying a cent. Check out our list of the top free project management tools.
Australian and New Zealand enterprises in the public cloud are facing pressure to optimize cloud strategies due to a growth in usage and expected future demand, including for artificial intelligence use cases.
Whether your organization uses Amazon S3, Dropbox, iCloud, OneDrive or another option, cloud data storage services enable collaboration, simplified governance and compliance responsibilities and provide built-in off-site backup advantages. Cloud storage accounts require regular administration and maintenance. As a best practice, someone should regularly review the organization’s file storage accounts. There’s much to remember. Periodic …
Coding a digital video game not only requires a thorough knowledge of programming language, it also requires a deep understanding of the game engine, the APIs and the creative assets that will eventually inhabit the game being produced. Successfully applying all of these skills requires exceptional attention to detail and an inherent ability to collaborate …
Blockchain systems are part of a trend that is moving the internet-of-information era into an internet-of-value era, where assets — and asset ownership — can be transferred instantly and with absolute confidence. Whether you’re a recent hire at an IT department help desk or the CEO of a Fortune 100 company, you need to know …
Retail technology, a.k.a. retailtech, continues to be the driving force behind the changing retail landscape today. Some of the newest developments include scan-and-go checkouts, visual outfitting software and digital price tags. In this glossary, TechRepublic Premium presents more than 90 key retail tech concepts to help your understanding. From the glossary: Brick and click Brick …
Get the web’s best business technology news, tutorials, reviews, trends, and analysis—in your inbox. Let’s start with the basics.
* – indicates required fields
Lost your password? Request a new password
Please enter your email adress. You will receive an email message with instructions on how to reset your password.
Check your email for a password reset link. If you didn’t receive an email don’t forgot to check your spam folder, otherwise contact support.
This will help us provide you with customized content.
Thanks for signing up! Keep an eye out for a confirmation email from our team. To ensure any newsletters you subscribed to hit your inbox, make sure to add newsletters@nl.technologyadvice.com to your contacts list.

source

GET THE LATEST UPDATES, OFFERS, INFORMATION & MORE