Fingers point to Lazarus, Cobalt, FIN7 as key hacking groups attacking finance industry
The Lazarus, Cobalt, and FIN7 hacking groups have been labeled as the most prevalent threat actors striking financial organizations today.
Security
According to "Follow the Money," a new report (.PDF) published on the financial sector by Outpost24's Blueliv on Thursday, members of these groups are the major culprits of theft and fraud in the industry today.
The financial sector has always been, and possibly always will be, a key target for cybercriminal groups. Organizations in this area are often custodians of sensitive personally identifiable information (PII) belonging to customers and clients, financial accounts, and cash.
They also often underpin the economy: if a payment processor or bank's systems go down due to malware, this can cause irreparable harm not only to the victim company in question, but this can also have severe financial and operational consequences for customers.
PII for identity theft, bank accounts to make fraudulent purchases, a high probability a financial firm would rather submit to a ransomware blackmail demand rather than disrupt operations: these potential attack vectors mean that it is no surprise cyberattackers are relentless in their quest to compromise players in the sector.
The COVID-19 pandemic, and the disruption to operations and training it has caused, has only made the situation worse.
Blueliv's whitepaper, based on the unit's threat intelligence gathering, outlines the main ways in which financial entities are targeted. Phishing, Business Email Compromise (BEC) scams, malware, and credential theft all make an appearance: of which Azorult, Arkei, Redline, Raccoonstealer, and Collector are the top five credential stealers as of October 2021.
TinyBanker/Tinba, Dridex, Anubis, Trickbot, and Kronos Trojans are commonly associated with financial service attacks, and some of these malware families may also be used to pull and execute second-stage ransomware strains including BitPaymer.
Banks and payment processors also face other threats including point-of-sale (PoS) malware, ATM compromise, digital card skimmers physically placed at outlets that are used to clone consumer cards, and distributed denial-of-service (DoS) attacks designed to disrupt a business by flooding their online platforms with illegitimate traffic.
When it comes to the most dangerous threat actors focused on the banking sector, Lazarus, Cobalt, and FIN7 have secured the top spots.
Lazarus is a state-sponsored advanced persistent threat (APT) group from North Korea and has been linked to high-profile attacks against Sony Pictures Entertainment, the Bangladesh Bank via SWIFT, and the spread of WannaCry ransomware in 2017.
The group has targeted the SWIFT transaction system in a number of attacks. In February last year, the US Department of Justice (DoJ) charged two members of Lazarus for their roles in attacks including those taking place against banks in Vietnam, Bangladesh, Taiwan, Mexico, and other countries.
Cobalt/Gold Kingswood has also been named. Believed to have been active since at least 2016 and appearing on the scene with an ATM jackpotting attack on a Taiwanese bank, Cobalt has been linked to attacks against financial institutions worldwide, leading to the theft of millions of dollars. Despite arrests, the group is still thought to be active.
FIN7 is another major, financially-motivated threat group. FIN7/Carbanak specializes in BEC and the deployment of Point-of-Sale (PoS) malware designed to steal vast numbers of consumer credit card records from retailers.
Other cybercriminal groups of note, according to the researchers, are Dridex and TA505.
"In order to maintain a deeper level of defense, financial institutions need to take stock of their current cybersecurity posture and prepare their organizations to adapt, making cybersecurity a core part of not just their business strategy, but also their culture," Blueliv says. "While cybersecurity strategies within the banking and finance sector are maturing, there are still many improvements that can be made."
In related news this week, Which? has conducted an investigation into the security posture of the top 15 UK banks. HSBC, NatWest, and Barclays scored the best results overall, but few managed anything close to a stellar performance in online banking services, including the use of encryption, account management, and secure login systems.
Previous and related coverage
- This banking Trojan abuses YouTube to manage remote settings
- New banking Trojan SharkBot makes waves across Europe, US
- Meet Janeleiro: a new banking Trojan striking company, government targets
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0