Cyber-criminals are getting more sophisticated, with advanced attack techniques and tools coming to the fore. In fact, there’s really no difference between the tactics, techniques and procedures (TTPs) used by state-sponsored actors and those used by financially motivated actors.
That’s according to FireEye’s M-Trends 2017 report, which found that nation-states continue to set a high bar for sophisticated cyberattacks—but some financial threat actors have caught up to the point where there is no longer much of a line separating the two. Financial attackers have improved their TTPs to the point where they have become difficult to detect and challenging to investigate and remediate.
Prior to 2013, the firm characterized actors targeting financial information (ACH, PCI, direct deposit, tax return, etc.) as “smash and grab.” The attackers did not hide their actions and did not demonstrate an intent to maintain access to an environment once detected. The targets were largely opportunistic, the tools rudimentary and the skill of the attacker—in all but a few cases—was limited.
Today, that has completely changed. In 2016, financial attackers moved to using custom backdoors with a unique configuration for each compromised system, FireEye said, and they further increased the resilience of their command and control infrastructure. They also started employing improved counter-forensic techniques.
But that’s not all. “While financial threat actors have come a long way with the tools they use and how they use them, they have shown innovation in other areas as well,” the firm said in its report. “Perhaps the most unexpected trend we observed in 2016 is attackers calling targets on the telephone to help them enable macros in a phishing document or obtain the personal email address of an employee to circumvent controls protecting corporate email accounts.”
When a phishing email did not result in access to a target environment, the attackers sought to circumvent email controls by picking up the phone. And all it takes is one successful scam.
“Unfortunately, most networks, including those with payment card information, are not segmented,” FireEye said. “The compromise of a single retail location often leads to the compromise of the larger PCI environment, making customer-facing employees in these retail environments the low-hanging fruit sought by attackers.”
To compound the issue, threat groups have also shown increased sophistication when it comes to escalating privileges and maintaining persistence, the report shows. For instance, one privilege escalation tool leveraged CVE-2016-0167, a previously unknown vulnerability. The tool allowed attackers to obtain elevated privileges in environments where the initially compromised user did not have them.
Targets are changing too. “Although our investigations show that interbanking networks are particularly attractive to financial threat groups, we also saw plenty of activity in 2016 involving the use of malware to drain ATMs of cash,” FireEye noted.
Meanwhile, while the aggressiveness and sophistication of cyberattacks have accelerated markedly, defensive capabilities have been slow to evolve and respond. A majority of both victim organizations and those working diligently on defensive improvements still lack the fundamental security controls and capabilities needed either to prevent breaches or to minimize the damage and consequences of an inevitable compromise.
“Based on our observations of trends from the past several years, organizations must adopt a posture of continuous cybersecurity, risk evaluation and defensive adaptation, or they risk significant gaps in both fundamental security controls and—more critically—visibility and detection of targeted attacks,” the report noted.
The good news is that last year there was a rise in companies either exploring or implementing intelligence integration, automation and threat hunting capabilities, which were once limited to government and global financial services organizations. Even so, “with an increased willingness of both nation-state and financial threat actors to operate increasingly blatant business disruption, extortion, and public disclosure attacks, fundamental protections such as data and key application segregation, network segmentation, and continuous visibility and monitoring of critical systems have returned to prominence and should remain a primary focus for many IT and security teams,” FireEye warned.