Report: North Korean cybercriminals target Australian financial services industry

Financial services is second most targeted sector


News

By Ryan Johnson

Research from cybersecurity firm CrowdStrike has unveiled a harrowing surge in cybercrime targeting the financial services industry, reporting an 80% increase over the past year.

This jump in volume of activity also marks the largest increase CrowdStrike has observed for the financial services industry, cementing it as the second most targeted sector globally behind the technology sector.

CrowdStrike’s Australia CTO, Fabio Fratucello, said while the financial services industry has long been an attractive target for cybercriminals, there are a few reasons behind the dramatic increase.

“First and foremost, we’re seeing an increased focus from eCrime actors targeting financial services firms via opportunistic big game hunting ransomware and data theft campaigns,” Fratucello said.

“Due to the importance of financial services companies being able to continue operations, eCrime threat actors know they are more likely to pay a ransom. This makes the sector a prime target for profiteering.”

Across the board, cybercrime has become “industrialised” over the last decade and is now worth over $1.5 trillion annually.

The Asia-Pacific and Japan (APJ) region also experienced a concerning 11% share of these attacks, with the financial sector ranking as the third most targeted in the region.

In particular, state-sponsored North Korean actors such as LABYRINTH CHOLLIMA continue to target the financial services sector.

According to the report, LABYRINTH CHOLLIMA is “notorious” for targeting financial technology and cryptocurrency organisations and has updated both its custom tooling and its tradecraft to work specifically on Linux and macOS.

“These adversaries continue to engage in prolific, financially motivated operations against the financial services sector with the aim of generating currency for the DPRK regime,” Fratucello said.

How are these cybercriminals targeting finance businesses?

Beyond the rise in volume, Fratucello said that cybercriminals are finding new ways to infiltrate the defences of unsuspecting businesses.

CrowdStrike revealed there has been a “massive increase” in identity-based intrusions and growing expertise among cybercriminals targeting the cloud, while the use of legitimate remote monitoring and management (RMM) tools by cybercriminals has tripled.

“Identity-based attacks have emerged as a leading attack vector, where a cybercriminal uses legitimate means to enter a victim’s system. This is difficult to defend against,” Fratucello said.

However, these cybercriminals don’t rely solely on compromised valid credentials such as passwords.

Instead, they are demonstrating a sophisticated capacity to abuse all forms of identification and authorisation, including weak credentials purchased from criminal groups.

“Beyond credential harvesting, threat actors targeting financial services firms have elevated their phishing and social engineering tradecraft, manipulating employees into giving them their privileged credentials, granting the adversary access to sensitive data,” Fratucello said.

How can financial businesses protect themselves?

While brokers and other financial services businesses have looked to address cybercrime in the past, the report emphasised how critical it has become.

The research showed that cybercriminals are getting faster at breaching victims’ systems, with the average “breakout time” falling globally by 6% since 2022, from 84 minutes to 79 minutes.

Fratucello said that financial services firms need to continue enhancing their detection and response capabilities, and in doing so they need to leverage the right tools and processes to secure identities.

“When it comes to stopping identity threats in their tracks, the key capabilities at an organisation’s disposal are to implement identity threat detection and protection and a proactive and continuous threat hunting approach across the identity domain for identifying anomalous behaviours,” he said.

“Furthermore, defenders should regularly audit their user accounts. A key step for defenders in identifying identity-based risks in their organisation is auditing the vast array of different user accounts that may be available to an adversary and ensuring that these implement the principle of least privilege and role-based access control.”
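As an added illustration of the identity-domain hunting Fratucello describes (not code from the article or from CrowdStrike), the check below walks constructed logon and process events and flags an account whose logon from a previously unseen source is followed, within the 79-minute breakout window the report cites, by execution of a legitimate RMM tool. The RMM binary list, the known-source baseline and every event are assumptions constructed for the example.

```python
"""Toy identity hunt: new-source logon followed by RMM tool execution
within the report's 79-minute average breakout time. All data is constructed."""
from datetime import datetime, timedelta

BREAKOUT_WINDOW = timedelta(minutes=79)  # average breakout time cited in the report

# Assumed policy: RMM tools that are legitimate but not expected for these accounts.
RMM_BINARIES = {"anydesk.exe", "screenconnect.exe", "teamviewer.exe"}

# Constructed sample telemetry: (ISO timestamp, account, event kind, detail).
# detail is the source address for logons and the image name for processes.
EVENTS = [
    ("2024-03-01T08:02:00", "jsmith", "logon", "10.0.5.21"),
    ("2024-03-01T08:40:00", "jsmith", "process", "excel.exe"),
    ("2024-03-01T09:15:00", "tlee", "logon", "203.0.113.7"),
    ("2024-03-01T09:50:00", "tlee", "process", "anydesk.exe"),
    ("2024-03-01T11:00:00", "rkhan", "logon", "10.0.5.40"),
    ("2024-03-01T14:30:00", "rkhan", "process", "screenconnect.exe"),
]

# Constructed baseline: addresses each account has historically logged on from.
KNOWN_SOURCES = {
    "jsmith": {"10.0.5.21"},
    "tlee": {"10.0.5.33"},
    "rkhan": {"10.0.5.40"},
}


def hunt(events, known_sources, window=BREAKOUT_WINDOW, rmm=RMM_BINARIES):
    """Return (account, new_source, rmm_binary, minutes_elapsed) for each
    logon-from-new-source followed by an RMM tool launch inside the window."""
    findings = []
    last_new_logon = {}  # account -> (time, source) of its latest unseen-source logon
    for ts, account, kind, detail in sorted(events):  # ISO strings sort chronologically
        t = datetime.fromisoformat(ts)
        if kind == "logon" and detail not in known_sources.get(account, set()):
            last_new_logon[account] = (t, detail)
        elif kind == "process" and detail.lower() in rmm and account in last_new_logon:
            t0, src = last_new_logon[account]
            if t - t0 <= window:
                findings.append((account, src, detail, int((t - t0).total_seconds() // 60)))
    return findings


if __name__ == "__main__":
    for account, src, binary, minutes in hunt(EVENTS, KNOWN_SOURCES):
        print(f"{account}: logon from new source {src}, then {binary} after {minutes} min")
```

Only tlee is flagged: jsmith and rkhan log on from baseline addresses, and rkhan's RMM launch has no preceding unseen-source logon, so a real deployment would treat it as a separate, lower-severity signal.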

To protect themselves, Fratucello said organisations should follow a few security principles:

Gain visibility in your security gaps – it’s impossible to protect what you don’t know about.

Prioritise identity protection – with the huge rise in identity-based crime, it is evident this is becoming a growing concern, and preparation is key.

Prioritise cloud protection – cloud infrastructure is being aggressively targeted, so invest in agentless capabilities to protect against misconfiguration, control plane and identity-based attacks.

Know your adversary – you can’t protect yourself if you don’t know what threat is coming.

Practice makes perfect – routinely perform tabletop exercises and red and blue teaming, and initiate user-awareness programs to combat phishing and social engineering techniques.
