2016 has been a big year in cyber security. The Internet of Things (IoT) facilitated Distributed Denial of Service (DDoS) attacks on a scale never seen before. The Russian ‘Fancy Bears’ hacking team leaked athletes’ medical data, and Tesco Bank suffered a very public incident when cyber criminals targeted its customers’ accounts. And this is all before we even consider the Bank of Bangladesh cyber heist, where $101 million was stolen through manipulation of the SWIFT network.
2017 will undoubtedly see cyber attacks continuing to escalate, with hackers, cyber criminals and hostile nation states all attempting to gain an advantage. As a result, there is much that is going to keep Finance and Banking’s Chief Information Security Officers (CISOs) up at night. Those that play smart and stay agile, however, will be able to defend their ships well.
Don’t be a DDoS dodo
The Mirai malware, whose code was released onto the dark web in October 2016, turns poorly secured IoT devices into large, malevolent networks known as ‘botnets’. With it freely available, we are likely to see an increase in both the size and the frequency of large-scale DDoS attacks in 2017.
Whilst the attacks in the latter half of 2016 on security journalist Brian Krebs’s website, on the French Internet Service Provider OVH and on the Dyn DNS service each utilised around 150,000 devices, criminal gangs are already offering to rent botnets of over 400,000 compromised IoT gadgets on the dark web. Such botnets are likely to be included in the arsenal of Anonymous members taking part in their ongoing campaign against the financial sector, known as #OpIcarus.
As a result, it is likely we will see further very large DDoS attacks during 2017. To help mitigate the risk, companies are advised to check that their current anti-DDoS service can handle attacks in excess of 600Gbps. Those that do not currently have protection should seek assistance with anti-DDoS measures as a matter of urgency, especially if many of their critical systems rely on internet access.
Crime-as-a-Service getting bigger and smarter
Hackers are now looking to further monetise their skills by offering a range of cyber attacks for hire on the dark web. Whilst hiring out IoT botnets for undertaking DDoS is a growing area, the real expansion is in ransomware where the profits can significantly exceed the required investment.
Some cyber criminals are now offering a customised ransomware package for as little as $100, enabling people with almost no technical expertise to launch a campaign. With one version of the CryptoWall family estimated to have generated $325m in 2015, it’s easy to see why people are tempted.
Continual user education, combined with effective anti-spam and anti-phishing measures, is key to mitigating this threat, since most ransomware relies on end-user interaction (such as opening an infected email attachment) to activate.
Tailored SWIFT attacks
Odinaff, a custom malware toolkit discovered in early 2016 and linked to the Russian-language cyber criminal group Carbanak, has since been used in sophisticated campaigns targeting financial institutions. It was not, however, used in the Bank of Bangladesh heist, which suggests that at least two groups are attempting to compromise the SWIFT banking network to obtain funds.
Banks are therefore advised to increase their monitoring of SWIFT requests and orders for evidence of suspicious transactions, and to ensure they are aware of the indicators of compromise associated with Odinaff. Banks should also react quickly to any security alerts issued by SWIFT.
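The kind of monitoring the paragraph above recommends can start with simple, explainable rules run over the bank’s own log of outbound payment instructions. The following is an added illustration, not code from this article, from SWIFT or from any bank: the records are constructed stand-ins for the fields a bank would extract from its messaging logs (they are not in SWIFT MT format), and the field names, thresholds and sample values are assumptions chosen for the example. It flags single high-value payments, payments sitting just under the review limit (a structuring pattern), first-time beneficiaries, out-of-hours submissions, and operators whose daily total exceeds a limit.

```python
"""Rule-based screening of outbound payment instructions (added example).

Not the article's or SWIFT's code. Field names, thresholds and sample records
are constructed for illustration; a real deployment would read its own
messaging logs and tune the limits from historical data.
"""
from collections import defaultdict

# Constructed sample of one day's outbound instructions. 'hour' is the local
# hour of submission; 'operator' is the staff account that keyed the payment.
INSTRUCTIONS = [
    {"ref": "TX001", "operator": "alice", "amount": 12_000,     "currency": "USD",
     "beneficiary": "ACME-001",  "country": "GB", "hour": 10},
    {"ref": "TX002", "operator": "alice", "amount": 950_000,    "currency": "USD",
     "beneficiary": "NEWCO-777", "country": "PH", "hour": 2},
    {"ref": "TX003", "operator": "bob",   "amount": 4_800_000,  "currency": "USD",
     "beneficiary": "ACME-001",  "country": "GB", "hour": 11},
    {"ref": "TX004", "operator": "carol", "amount": 20_000_000, "currency": "USD",
     "beneficiary": "CASINO-42", "country": "PH", "hour": 3},
    {"ref": "TX005", "operator": "carol", "amount": 15_000_000, "currency": "USD",
     "beneficiary": "CASINO-42", "country": "PH", "hour": 3},
]

# Beneficiaries already paid in earlier periods (constructed history).
KNOWN_BENEFICIARIES = {"ACME-001"}

# Assumed policy thresholds.
SINGLE_LIMIT = 5_000_000          # single payments at or above this are reviewed
NEAR_LIMIT_BAND = 0.10            # payments within 10% under the limit look like structuring
OPERATOR_DAILY_LIMIT = 25_000_000 # total one operator may send in a day
BUSINESS_HOURS = range(8, 19)     # 08:00-18:59 local


def screen(instructions, known_beneficiaries):
    """Return (per_instruction_alerts, operator_aggregate_alerts).

    per_instruction_alerts maps a payment reference to the rule codes it tripped.
    operator_aggregate_alerts maps an operator to their daily total whenever that
    total exceeds OPERATOR_DAILY_LIMIT.
    """
    alerts = {}
    seen = set(known_beneficiaries)
    totals = defaultdict(int)

    for tx in instructions:
        reasons = []

        if tx["amount"] >= SINGLE_LIMIT:
            reasons.append("high-value")
        elif tx["amount"] >= SINGLE_LIMIT * (1 - NEAR_LIMIT_BAND):
            # Just under the review threshold: possible attempt to avoid review.
            reasons.append("near-single-limit")

        if tx["beneficiary"] not in seen:
            # First payment ever to this account; later ones in the batch are not re-flagged.
            reasons.append("new-beneficiary")
            seen.add(tx["beneficiary"])

        if tx["hour"] not in BUSINESS_HOURS:
            reasons.append("outside-business-hours")

        totals[tx["operator"]] += tx["amount"]

        if reasons:
            alerts[tx["ref"]] = reasons

    operator_alerts = {op: total for op, total in totals.items()
                       if total > OPERATOR_DAILY_LIMIT}
    return alerts, operator_alerts


if __name__ == "__main__":
    tx_alerts, op_alerts = screen(INSTRUCTIONS, KNOWN_BENEFICIARIES)
    for ref, reasons in tx_alerts.items():
        print(f"{ref}: {', '.join(reasons)}")
    for op, total in op_alerts.items():
        print(f"operator {op} exceeded daily limit: {total:,}")
```

Each rule is deliberately simple so that an analyst can explain why a payment was held; the value comes from correlating several weak signals (new beneficiary, out of hours, large value) on the same instruction rather than from any single rule.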
Hackers now targeting insider information for trading on dark web
In November 2016, a new marketplace on the dark web began to provide insider trading information that hackers had gleaned from infiltrating businesses.
As well as providing the usual dark web marketplace services to its 7,000 registered members, the site administrators set up a sub-forum called ‘Insider Trading’, accessible only on payment of a monthly fee of one bitcoin (currently around £600). The administrators claim that the forum contains genuine insider information that can be used to trade stocks, forex and commodities before the data is made public. It remains to be seen whether the information within the forum is genuine.
We are likely to see an increase in this kind of activity in 2017, as hackers and criminals realise the potential of the data they have accessed during their attacks. This is a change of tactic: rather than using the stolen knowledge themselves, they attempt to monetise it by selling it to a wider group.
It’s easy to read the above and get a sense that we cannot win against the cyber criminals. The good news is that there are a number of measures that businesses can take to protect their key data. It just requires some focus and effort and a certain degree of board priority throughout 2017 and beyond.
Vince Warrington, Director, Protective Intelligence