John Dillinger became infamous in the Depression era for robbing two dozen banks. He and his gang were effective because of three tactics: they cased each institution and understood its security posture and programs; they used superior firepower; and they drove faster vehicles so they could escape across state lines. The modern Dillinger gangs reside in the former Soviet bloc. These cyber crews have pilfered billions from global financial institutions, and it is paramount that we learn from their advanced tactics. In 2014, there are key shifts in organized cyber attacks against financial institutions. The elite “safe cracker” now embraces four vectors of infiltration:
Web Application Attacks: Zero days for web applications are being widely utilized against financial institutions. A significant European financial institution suffered one on July 24, as did a handful of U.S. institutions.
Watering Hole Attacks: In a watering hole attack, threat actors compromise a specific webpage within a financial institution’s website by inserting an exploit that results in malware infection for visitors; 25 percent of these compromised pages are located in the USA. This is due to a lack of website security and of testing against the OWASP Top 10 Vulnerabilities.
Credential Attacks: As evidenced by Operation Emmental (discovered by Trend Micro), hackers develop custom malware that bypasses two-factor authentication and deletes its footprint from the registry to avoid detection.
Island Hopping and Secondary Infections: Targeted attacks against the “virtual supply chain” of financial institutions abound. In addition to this new dynamic of counterparty risk, there is widespread use of previously installed backdoors within trusted systems to leverage a secondary infection. Backdoors—applications that open computers to remote access—play a crucial role in targeted attacks. Often first used in the second (point of entry) or third (command-and-control [C&C]) stage of the targeted attack process, backdoors enable threat actors to gain command and control of their target network. Breach detection systems are crucial in thwarting this form of attack.
The financial crisis of 2008 and 2009 disenfranchised thousands of banking and financial professionals. A small percentage of these have lent their financial acumen and strategic knowledge to the underground shadow economy. There is evidence that cybercriminals are now combining cyber attacks with financial fraud schemes. These secondary schemes of monetization represent a harbinger of a crime wave not yet seen in modern history. Note: These scenarios were detailed and foreshadowed in the May 2005 World Bank Report, “Capital Markets and E-fraud.” For an illustration of these schemes, see: http://elibrary.worldbank.org/doi/book/10.1596/1813-9450-3586
Due to the increased organization and sophistication of cyber criminal crews, cooperation with law enforcement has become an imperative. Trend Micro has been collaborating with both domestic and international law enforcement for the past 25 years. Our partnership with Interpol and the recent assistance we provided to Europol on Gameover Zeus are illustrative of that. One unique case in which our cooperation was deemed essential was that of SpyEye. Trend Micro researchers uncovered a cybercriminal operation involving SpyEye that began as early as January 2011. The operation was orchestrated by “Soldier” (the cybercriminal’s handle), who was based in Russia. Trend Micro researchers had been monitoring Soldier and his activities since March 2011. Based on the investigation, this attack mainly targeted U.S. users, and some of those affected were large enterprises and institutions such as the U.S. government and military. In fact, 97 percent of the affected corporations are based in the U.S. The FBI was successful in prosecuting “Gribodemon” Aleksandr Panin of Tver, Russia, as he vacationed in the Dominican Republic in January of 2014.
Only through global cooperation can we begin to defend our enterprises from cyber attacks. The modern-day Dillinger gangs can no longer retain the mantle of “Untouchable.”
The DTCC recently released a brief report about the state of cyber threats and systemic risk, and a whitepaper also was published, highlighting some recommendations for addressing future cyber threats. You can download the whitepaper here.
As Cyber Security Awareness Month comes to a close, Jon Clay, Trend Micro Senior Manager of Threat Research Communications, will moderate a live session on Tuesday, Oct. 28, at 1:00 p.m. EST with a special agent who will share special insights on fighting cybercrime. Click here to sign up for the webinar.
During the month of October, we’re supporting the National Cyber Security Alliance in celebration of Cyber Security Month – an effort that aims to educate organizations and individuals about how to stay safe online. Check out the helpful videos, infographics, blog posts and reports we’ve gathered for you here.