Ransomware, Threat Management

Finance organizations targeted by ransomware may be ‘left chasing shadows’

A vendor sells replicas of the Wall Street Bull outside of the New York Stock Exchange (NYSE) on Sept. 16, 2021, in New York City.  (Photo by Spencer Platt/Getty Images)

Threat against the financial industry amplified in recent months, with adversaries evolving tactics to potentially expose gaps in risk management efforts.

Indeed, the financial sector was the most targeted in the third quarter of last year, with cyber incidents increasing by 21% over the previous quarter, per research from Trellix, the company formed by the merger of FireEye and McAfee. More than one in five (22%) of ransomware incidents and more than one-third (37%) of advanced persistent threat (APT) incursions hit financial services institutions in the third quarter of 2021. Almost half of the APT attacks were emanating from Russia or China.

“While we ended 2021 focused on a resurgent pandemic and the revelations around the Log4j vulnerability, our third-quarter deep dive into cyber threat activity found notable new tools and tactics among ransomware groups and advanced global threat actors,” said Raj Samani, chief scientist and Fellow at Trellix, in a prepared statement.

In the third quarter of 2021, Trellix researchers saw a “resurgence in... ransomware groups,” which posed significant financial damage on their victims. The cybersecurity firm also observed that several cybercrime rings evolved their tactics, especially involving APT, to “bypass security controls and perform their operations,” according to the report from Trellix. Nearly two out of five of the observed APT attacks tracked by Trellix were aimed at financial firms.

“Gaining initial access via an unprivileged account can be as easy as buying stolen credentials from past breaches on the dark web,” said Steve Povolny, principal engineer and head of advanced threat research. “Coupled with this vulnerability to execute code as root, attackers will look to implement this into malware and rootkits quickly for a full exploit chain.” With so much of the infrastructure relying on Linux, Trellix researchers maintain that the potential exposure for financial firms is “massive,” despite the fact that operating system patches may be available soon.

David Mahdi, chief security officer for Sectigo and a former vice president at Gartner, reiterated that "ransomware isn’t solely a malware problem; bad actors want access to your data, so it really is a data security and access problem.

"However, many organizations are missing the point.”

For instance, Mahdi said, the elusive 'White Rabbit' strain of ransomware threatening U.S. financial institutions "appears to be much more difficult to find and weed out than previous strains. Typically, organizations that approach ransomware as a malware issue are left chasing shadows. And for more advanced ransomware strains like White Rabbit, they aim to render traditional defenses useless.”

Povolny points out that potential attack vectors could be increasing already in this new year. “We’re into January but this could well be month four given how packed with critical vulnerabilities the beginning of the year has been,” he said, adding that one of the more critical threats to financial services organizations is CVE-2021-4034, otherwise known as ‘PwnKit.’

"This vulnerability, unlike other recent flaws, brings credibility for its ease of exploitation and wide attack surface, though it is constrained to local privilege escalation," he said. While it was widely present on all forms of the Linux operating system, introduced more than a dozen years ago, it took several years to fix.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.