Financial organizations are still one of the most attractive targets for cybercriminals, with the number of successful cyberattacks in the financial sector growing every year. In the third quarter of 2023, we recorded twice as many unique cyberincidents as in Q3 2022. Attackers are targeting the least secure companies and compromise supply chains while hacktivists continue to get plenty of media attention. The most common consequences of attacks are data breaches and shutdowns of key services. Leaked databases and methods of accessing organizations' networks remain in high demand on darkweb forums.
Cyberthreat trends in the financial sector
According to our data, the number of successful cyberattacks in the financial sector is growing year on year. In the third quarter of 2023, we recorded twice as many unique cyberincidents as in the same period a year earlier. This indicates the increased attention of criminals to this industry.
Among the consequences of attacks, data leaks (64%) and disruption of services or key business processes (40%) stand out. A year earlier, the proportion of leaks was 51%, while disruption of the company's core activities occurred in 42% of incidents. This trend is understandable: sophisticated attacks on well-protected financial organizations with the goal of stealing money have become a rare occurrence amid the rise of easier-to-implement ransomware attacks and large-scale customer data leaks. Today, criminals not only sell databases but also distribute them for free to punish organizations for refusing to pay ransoms or to draw more public attention to the incident, thus causing more damage. The latter especially applies when hacktivists are behind the attack. The cost of such databases and the frequency of offers for their sale and purchase on shadow markets are discussed in the following section.
The vast majority of leaks contain clients' personal data and commercial information about organizations. Leaks also often include payment card numbers and account details, while leaks from insurance companies include medical information.
Such incidents have a negative impact on the victim company's reputation. For example, following a cyberattack and leak of confidential data at the Angel One brokerage firm, its shares fell in price by 2%.
Geopolitics has become one of the determining factors shaping how cyberattacks on this industry differ from region to region. For example, Russian banks not only suffer from leaks but also continue to face powerful DDoS attacks. One such example is an attack on Sberbank that was deemed the most serious in the organization's history. Globally, the main cause of interruptions to financial services is ransomware, standing out significantly (63%) in the statistics as the most commonly used malware. For comparison, the previous year, ransomware accounted for only 18%, with loaders occupying the top spot at 59%.
This trend is confirmed by other researchers. For example, Sophos observes in its report the highest-ever level of ransomware attacks in the financial sector: 64% of respondents reported falling victim to such attacks. In 2021, this figure was just 34%, so it nearly doubled. According to the report, among financial organizations facing ransomware-related cyberincidents, 81% had their data encrypted, with only 14% managing to stop the attack before their systems were locked. In 25% of successful attacks, the criminals not only encrypted data but also exfiltrated it. For instance, the LockBit ransomware attack on one of Indonesia's largest banks, BSI, disrupted the operations of the bank's branches and ATMs. The attackers demanded a ransom of $20 million but were refused, so they posted 1.5 TB of the bank's confidential data online. However, not all companies refused the criminals' offer—about 43% of financial companies paid the ransom. The average payout size was estimated at $1.6 million, with every tenth paying organization (11%) giving more than $5 million to the extortionists.
If we consider cyberattacks in terms of methods used, a significant decrease in the proportion of social engineering (25%) is notable. In the previous year's study, its share was 47%. This doesn’t necessarily mean a reduction in the number of phishing attacks as such; rather, we attribute this change to an increased share of other methods—we observed significantly more incidents exploiting software vulnerabilities. In particular, a significant contribution to this category was made by attacks exploiting the vulnerability in the secure data transfer application MOVEit Transfer (CVE-2023-34362). The Cl0p group was actively exploiting it at the beginning of the year, and a patch to fix the flaw was only released in May. A large number of incidents occurred in Q2 and Q3 when other criminals began leveraging the exploit. This indicates that not all financial companies using such software (widespread in North American countries) responded to the threat in time. So, in 2023, attackers compromise financial organizations not only through traditional means (via phishing messages) but also by actively exploiting vulnerabilities in the network perimeter—to the profit of so-called initial access brokers. Further in this study, we’ll show some access sale ads and assess the cost of this service on shadow markets. Financial organizations need to build reliable protection for their external network perimeter and strengthen the vulnerability management process.
Regarding the most common attack methods, there was also a significant percentage of incidents (22%) in which the compromise primarily occurred through supply chain attacks.
For example, experts at Checkmarx identified several successful attacks on the supply chain of open-source software in the banking sector. In one attack, the cybercriminals even created a fake LinkedIn page where they impersonated an employee of the targeted bank to avoid suspicion while distributing malicious npm packages. Such attacks could become a trend in the coming years, given the widespread use of open-source software by companies, including financial organizations, in their in-house software development projects.
To summarize, several important trends can be identified:
- Attacks are becoming simpler yet continue to bring considerable profits to criminals.
- Database leaks pose substantial risks to clients of financial companies; access to stolen information enables criminals to carry out their fraudulent schemes more efficiently, as they can cite personal data, account and card numbers, and sometimes account balances while conversing with victims, increasing their trust and thereby the likelihood of a successful attack.
- Attacks are not only carried out by financially motivated criminals; hacktivists also pose a serious threat to certain regions.
- Ransomware is used to compromise the infrastructure of financial organizations, causing significant damage to businesses.
- Criminals actively exploit vulnerabilities in organizations' network perimeters for infiltration.
- Attacks involving the replacement of npm packages with malicious ones could become a serious threat to financial organizations using open-source components in their systems.
An assessment of current threats would be incomplete without analyzing how the attackers themselves view the financial sector. So next we will examine which topics appear most prominently in the communications of criminals on shadow markets.
Attackers target customer data
Analysis of postings on themed dark web sites and messages in specialized Telegram channels revealed that the trends described above are generally reflected in attackers' communication. Their messages reflect not only the specifics of attacks but also the geography of compromised companies.
One-third of the analyzed ads (36%) contain topics not tied to any specific region, where the victim's location is irrelevant to the criminals. However, most messages about the sale or purchase of goods and services include references to specific regions. Russia and the CIS countries are the most frequently mentioned due to the particularly acute geopolitical situation, which is also reflected in cyberspace. Large-scale attacks driven by ideological motives (hacktivism) were directed towards Russian companies, including those in the financial sector. The attackers tried to destabilize Russia's financial industry not only by disrupting banking systems but also by undermining citizens’ trust in the country's financial system as a whole. Attempts to achieve these goals included, among other things, spreading misinformation and extensively publicizing each cybersecurity incident related to financial institutions. Criminals with negative sentiments toward Russia released leaked databases online; as a result, approximately 83% of postings on shadow markets which are in some way connected to the Russian financial sector are focused specifically on customer databases.
The overall statistics from all the analyzed advertisements also indicate that cybercriminals are greatly interested in the client data of financial companies worldwide. In 42% of the messages, there are announcements for the sale, purchase, or free distribution of databases.
We've separately highlighted the category "Ransomware announcements", which includes posts about the activities of criminal groups engaged in cyber-extortion. In these announcements, the authors of Telegram channels and forum threads aggregate information about ransomware attacks on organizations, announce imminent leaks, or release the confidential data of victims who haven't paid the ransom.
A new form of extortion is emerging, in which criminals draw the attention of regulators to the incident and thereby force the victim to pay the ransom. This precedent was set in connection with MeridianLink, a developer of digital solutions for financial organizations and banks. The operators of the BlackCat ransomware accused the company of failing to meet the deadline for officially disclosing information about the cyberattack and filed a corresponding complaint with the U.S. Securities and Exchange Commission (SEC). MeridianLink is not directly related to the financial sector, but criminals attacking this sector could easily adopt such an extortion method given the industry's high regulation.
In the largest percentage of the analyzed messages (43%), databases are given away for free, while the shares of announcements for the purchase and sale of databases are almost equal to each other. Usually, databases from recent leaks of major companies are sold, as well as the services of insiders providing information about clients upon request. Purchase advertisements mainly contain requests for specific data or companies not found among the active offers. The fact that there is a significant amount of such requests (29%) is the result of attackers targeting specific organizations or groups of organizations. According to our statistics, targeted attacks predominate in the financial sector (98% of all incidents).
The price in the ad can be indicated either for the entire database or as a fixed cost for each row (also known as record or line). One database record will cost the buyer approximately five dollars. The cost of half of the databases from the analyzed sources does not exceed $1,000, but, depending on the volume of the information contained in the database (and its significance for criminals), the price can reach up to $10,000 and even significantly exceed this amount.
The purchased databases are used in further attacks on clients of financial organizations using social engineering methods, as well as for hacking accounts if the databases contain account credentials (for example, logins and password hashes). With each new leak, criminals gain additional information about potential victims; they can aggregate different databases, enriching the information they’ve already collected. As a result, criminals can gather such a wealth of information that they can form detailed digital profiles⁵ of their victims for use in fraudulent schemes or further resale.
Access is still valued
An equally valuable commodity in the criminal service market is initial access⁶ to the information infrastructure of financial organizations. Every fifth advertisement we studied mentions sale of access. As early as 2020, we noticed a trend that we called "access for sale" (some sources also use the term "access as a service"); later, we researched the development of this trend.
Today, access is actively sold on shadow markets alongside personal data and malware, and the supply (90% of ads) significantly exceeds the share of purchase ads (10%). This could indicate that the number of successful penetrations into the networks of financial companies is so high that criminals do not need to place purchase ads: they can get the access they need from existing offers on the market. Purchase messages usually demand access to specific organizations or banking systems.
There are different types of access available on dark web forums. The most common accesses are via RDP, VPN, and SSH protocols as they allow attackers to execute operating system commands on the targeted host interactively. The compromised computer or server is typically located within the organization's internal infrastructure. Less common is access through a web shell, which allows attackers to execute commands through a compromised web application. Access via a web shell also grants the attacker control over a server, but usually this server is located on the external network perimeter rather than within the local network, and commands are executed in a non-interactive mode, limiting the range of possible actions. The criminals must further develop the attack to gain a more convenient, covert, and stable control channel.
The listed connection types typically grant the attacker local privileges (administrative or user) on an endpoint. These are the most common (38% and 16% respectively) privilege levels advertised for sale. The value of such access directly depends on the importance of the corresponding server or computer. The most extensive privileges an intruder can acquire involve gaining an Active Directory domain administrator access (12% of announcements). These privileges enable attacks on all critical systems connected to the domain, including the computers of key company employees and business systems. Obtaining such a high level of access is much more challenging than local access on individual servers. It requires attackers not only to penetrate the organization's internal network but also to establish their presence, remain unnoticed, and further develop the attack. Consequently, the cost of such access is higher, and it’s offered for sale less commonly.
The price in most access ads doesn't exceed $1,000, primarily due to the widespread availability of local privilege access. However, expensive offers are not uncommon. For example, one advertisement offers privileged access to a major bank's domain for 15 bitcoins (at the time of posting, this amount was equivalent to several hundred thousand dollars).
High-cost offers for access to the networks of non-banking financial companies are less common. Presumably this is due to the fact that, unlike in the case with non-banking financial companies, attackers can potentially steal from banks not only a wealth of confidential information and customer data for subsequent attacks, but also substantial amounts of money directly. This was exemplified in the "attack on the Indian Mahesh Bank", whose security measures were found lacking.
The examples and figures above demonstrate that there are serious problems in the security of company network perimeters worldwide. We've confirmed this in practice. The results of penetration tests into the networks of financial organizations conducted by our experts in 2023 indicate that an external attacker can gain access to the corporate local area network of all tested banks. In all cases, vulnerabilities in software accessible from the Internet were exploited, with the oldest vulnerability dating back to 2017. Only in one bank was the perimeter so well protected that the pentesters had to identify and exploit a zero-day vulnerability to gain access. This confirms the thesis that a motivated external attacker will always find a way to penetrate even a well-protected bank. Therefore, it’s extremely important to employ a security system that eliminates the possibility of non-tolerable damage to the business of a financial organization—even in the event of a breach by an intruder.