CONTENTS
FOREWORD
KEY THREATS
03 / Data theft and data manipulation stems from new vulnerabilities and cybercriminal behaviors
FOREWORD
What a difference a year makes. Although many of the threat scenarios we reviewed in last
year’s report still apply, security teams in the financial services sector are experiencing even
more exacting demands as they defend their organizations in a world under a new and
unexpected threat—a global pandemic.
Malicious threat actors are taking advantage as organizations reconfigure vulnerable supply
chains and offer more digital experiences. Working from home has opened a Pandora's box
of new attack vectors and workforce challenges, including those from insider threats. And
there are challenges around rethinking culture and collaborative practices as organizations
seek to outmaneuver uncertainty in the future.
The 2020 Accenture cyber threat intelligence research revisits the trouble spots for security
leaders. We see that credential and identity theft continue to accelerate while new
vulnerabilities and cybercriminal behavior increase data theft and data manipulation. We
look at emerging technologies, especially deepfakes and 5G, and how these are advancing
cyberthreats. We see how destructive and disruptive malware attacks are spurring
multiparty and cross-sector targeting and report on how misinformation is affecting trust in
retail and state-owned banks. One new area that has joined our list of key threats this year is
the topic of vulnerable supply chains and new interdependent attack surfaces that
adversaries can undermine.
We hope this latest view of the market will inform the necessary steps to adapt your security
strategy and the collective activities of the financial sector.
Valerie Abend
Managing Director, Accenture Security
Howard Marshall
Managing Director, Accenture Security
KEY THREATS
Through this report, based on research by the Accenture iDefense threat intelligence team,
we revisit the central themes outlined in the Future Cyber Threats: Extreme but Plausible
Threat Scenarios in Financial Services report published in 2019.
In addition, as the threat landscape evolves, we identified a sixth trend that is gaining
significance: vulnerable supply chains that introduce increasingly interconnected attack
surfaces.
This report evaluates the current state of each of the six threat trends and offers insights into
how the threats are likely to influence financial institutions going forward.
01 / Supply chains introduce increasingly interconnected attack surfaces
Financial institutions have complex, interdependent supply chains. These offer a broad, target-rich attack surface that adversaries can undermine. Attackers have been conducting supply chain attacks for years.1 However, supply chain threats to financial institutions in the past year have primarily involved technology service providers (TSPs), including managed service providers (MSPs) and cloud service providers (CSPs). Core financial TSPs and IT service providers have been affected by ransomware incidents, disrupting services for some of their financial institution clients.2,3

For years, actors exploiting SS7 have successfully drained retail banking clients' accounts. While some mobile carriers have employed compensating security measures to deter SS7 attacks, others have yet to do so. This lack of standardization in the approach to countering this threat exposes financial institutions and their clients to risk when SMS-based two-factor authentication (2FA) is used: an attacker who can redirect or intercept the text message holds the second factor. The nexus between the telecommunications and financial sectors could continue to be a chokepoint for cybersecurity, as actors exploit vulnerabilities or even focus on disrupting communication systems at scale.
1 Third Annual State of Cyber Resilience 2020, https://www.accenture.com/us-en/insights/security/invest-cyber-resilience
2 Cyberattack on IT services giant [REDACTED] impacts
[...] and its related key, which are used to identify and authenticate subscribers on mobile telephony devices such as mobile phones and computers
5 Signaling system number 7 is a set
[...] (ATMs) would no longer work because the banks would be unable to verify the money is there."7 Global navigation satellite systems (GNSS) are controlled by a handful of nations across the globe and have attracted nation-state interference,8,9 including by countries that have been suspected of state-sponsored cyberattacks against the financial sector in the past.

Other supply chain threat scenarios which pose significant risk to the financial sector include power grid outages. Actors have made strides in targeting each of these areas through malicious cyber activity in the past few years, in some cases leading to warnings from governments about such attacks. "An electricity disruption, such as a blackout, can have a domino effect—a series of failures that can affect banking, communications, traffic, and security."10 Such blackouts have famously occurred in Ukraine11 and have been linked to malware which other actors later repurposed for destructive, financially motivated attacks against banks in Latin America.12,13

The COVID-19 pandemic has rapidly increased the role the nested layers of cloud will play in supply chain threats to critical infrastructure, including financial services. Cyber threat actors are taking advantage as businesses shift their information security focus from enterprise infrastructure to virtual and cloud environments to support remote workforces.14 Looking ahead, adversaries will exploit vulnerabilities across each of the core service categories of cloud: SaaS (Software as a Service), PaaS (Platform as a Service) and IaaS (Infrastructure as a Service) (Figure 1). These layers often sit on top of one another, chaining together potentially vulnerable environments that support critical business functions. Protections need to exist both within each layer and holistically to thwart exploitation.

One of the biggest challenges to securing cloud has been misconfiguration. For example, failure to deploy multifactor authentication (MFA) for all cloud services, and failure to disable legacy authentication services (protocols that cannot carry an MFA challenge, which threat actors use to bypass controls with a stolen password alone), together contributed to the majority of cloud intrusions that the Accenture Cyber Investigation and Forensics Response (CIFR) team responded to in 2019.15 This trend is likely to continue; unprecedented usage of PaaS, SaaS and IaaS solutions due to the COVID-19 pandemic foreshadows large cloud breach disclosures in the future.
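The two misconfigurations named above are easy to audit for once the tenant's account data is exported. The script below is an added example, not code from the report or from Accenture; it runs over a constructed sample tenant, and the record fields (`mfa_enforced`, `allowed_protocols`, `last_legacy_signin`) are assumptions rather than any vendor's schema. It separates "enrolled but never challenged" from "not enrolled", and for legacy protocols it distinguishes the ones that can be switched off immediately (no sign-in in 90 days) from the ones that still need a client migration.

```python
"""Added audit example (not from the report): scan a constructed export of cloud
accounts for MFA that is not enforced and legacy authentication left enabled.
Field names are assumptions, not any vendor's schema."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, List, Optional

# Protocols that cannot carry an MFA challenge: a stolen password alone logs in.
LEGACY_PROTOCOLS = frozenset({"imap", "pop3", "smtp_basic", "activesync_basic", "ews_basic"})
STALE_AFTER = timedelta(days=90)  # assumed threshold for "unused, safe to disable"


@dataclass(frozen=True)
class Account:
    user: str
    privileged: bool            # admin role or access to payment/core systems
    mfa_enrolled: bool          # user has registered a second factor
    mfa_enforced: bool          # a sign-in policy actually requires it
    allowed_protocols: FrozenSet[str]
    last_legacy_signin: Optional[datetime]


@dataclass(frozen=True)
class Finding:
    user: str
    severity: str               # critical > high > medium
    issue: str
    action: str


SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2}


def audit(accounts: List[Account], now: datetime) -> List[Finding]:
    """Return findings sorted by severity then user, so the worst sit on top."""
    findings = []
    for a in accounts:
        if not a.mfa_enforced:
            # Enrolled-but-not-enforced is still a gap: the attacker is never challenged.
            sev = "critical" if a.privileged else "high"
            issue = "MFA not enforced" + ("" if a.mfa_enrolled else " (and user not enrolled)")
            action = "bind a sign-in policy requiring MFA" + ("" if a.mfa_enrolled else "; enrol the user first")
            findings.append(Finding(a.user, sev, issue, action))
        legacy = sorted(a.allowed_protocols & LEGACY_PROTOCOLS)
        if legacy:
            stale = a.last_legacy_signin is None or (now - a.last_legacy_signin) > STALE_AFTER
            sev = "high" if a.privileged else "medium"
            issue = "legacy auth enabled: " + ", ".join(legacy)
            if stale:
                action = "disable now; no legacy sign-in in the last %d days" % STALE_AFTER.days
            else:
                action = "migrate the client to modern auth, then disable"
            findings.append(Finding(a.user, sev, issue, action))
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f.severity], f.user))


# Constructed sample tenant; dates are relative to a fixed audit time so the
# example is deterministic.
AUDIT_TIME = datetime(2020, 6, 1, tzinfo=timezone.utc)
SAMPLE_ACCOUNTS = [
    Account("alice", privileged=True, mfa_enrolled=True, mfa_enforced=False,
            allowed_protocols=frozenset({"imap", "oauth2"}),
            last_legacy_signin=AUDIT_TIME - timedelta(days=200)),
    Account("bob", privileged=False, mfa_enrolled=True, mfa_enforced=True,
            allowed_protocols=frozenset({"oauth2"}), last_legacy_signin=None),
    Account("svc-backup", privileged=False, mfa_enrolled=False, mfa_enforced=False,
            allowed_protocols=frozenset({"smtp_basic"}),
            last_legacy_signin=AUDIT_TIME - timedelta(days=1)),
    Account("carol", privileged=False, mfa_enrolled=True, mfa_enforced=True,
            allowed_protocols=frozenset({"activesync_basic", "oauth2"}),
            last_legacy_signin=None),
]


if __name__ == "__main__":
    for f in audit(SAMPLE_ACCOUNTS, AUDIT_TIME):
        print(f"[{f.severity:8}] {f.user:11} {f.issue} -> {f.action}")
```

The point of the `stale` split is operational: a tenant-wide block on legacy protocols is the goal, but the accounts that used IMAP or SMTP basic auth last week are the ones that will break, so they get a migration action while the rest can be cut immediately. Run the same audit after the policy change to confirm the findings list is empty.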
7 The entire global financial system depends on GPS, and it's shockingly vulnerable to attack, October, 2017, https://qz.com/1106064/the-entire-global-financial-system-depends-on-gps-and-its-shockingly-vulnerable-to-attack/
8 [REDACTED] are screwing with the GPS system to send bogus navigation data to thousands of ships, April, 2019, https://www.businessinsider.com/gnss-hacking-spoofing-jamming-[REDACTED]-screwing-with-gps-2019-4
9 [REDACTED] "jamming GPS signals" near South Korea Border, April, 2016, https://www.bbc.com/news/world-asia-
[...] Caused Ukraine Power Outage, January 6, 2020, iDefense Threat Intelligence
12 New Killdisk Variant Hits Financial Organizations in Latin America, January, 2018, https://blog.trendmicro.com/trendlabs-security-intelligence/new-killdisk-variant-hits-financial-organizations-in-latin-america/
13 Hackers Crashed a Bank's Computers While Attempting a SWIFT Hack, June, 2018, https://www.bleepingcomputer.com/news/security/hackers-crashed-a-bank-s-computers-while-attempting-a-swift-hack/
14 Emerge stronger with adaptive security, Accenture, June
[...] Edition, February, 2020, https://www.accenture.com/us-en/blogs/blogs-looking-back-future
Figure 1. Core service categories of cloud
02 / Credential and identity theft continue to accelerate
Credential and identity theft, compromise and abuse continue to be cornerstones for targeted attacks and fraud. As the novel coronavirus, COVID-19, spread across the globe, financial institutions moved rapidly to adjust their operations. Cybercriminals also moved swiftly to take advantage of the expanded attack surface presented by largely remote workforces, and of the rich feeding ground for fraud created by the extensive government funding programs extended through financial institutions to the small businesses in greatest need. Credential-stealing malware surged, including mobile malware such as EventBot19 and Cerberus, which are collectively capable of stealing customer credentials for more than 200 financial institutions. The premier seller of Cerberus noted that their sales increased exponentially in early April 2020, netting them more profit in a single week than in the prior four months combined.

As most financial institutions' employees moved to remote working, there was a surge in reliance on mobile devices. There are claims that actors were able to install Cerberus nearly one million times.20 This activity foreshadows an increase in fraud and intrusions that will be a drain on security and fraud teams as financial institutions continue to orient themselves to new working conditions and technologies.

The increase in credential theft campaigns and related cybercrime during the COVID-19 pandemic comes hard on the heels of sustained threat activity in recent years. In early July 2019, cyber threat actors launched a highly targeted credential theft attack against at least 100 organizations around the world. Security researchers believe the actors' goal was to deploy the well-known malware Lokibot to exfiltrate sensitive data, including credentials.21 A financial sector-wide alert was issued in late 2019 noting a spear-phishing attempt made on a Middle Eastern bank using a Lokibot variant.

Identity theft also continued to grow over the last year, especially as governments and financial institutions implemented financial relief programs to assist individuals and businesses affected by COVID-19. Cybercriminals created COVID-19 channels on major criminal forums and marketplaces, peddling information to support identity theft as part of their fraud activities. This shift came as chatter around tax season-related identity theft reduced somewhat in the light of opportunities to use similar stolen and fabricated data for stimulus fraud. This pivot highlights the versatility and flexibility actors have to use resources related to identity theft through different mechanisms. Even as organizations work to thwart identity theft and account takeovers, actors' commoditization of superior tools keeps them a step ahead.

A prime example is a thriving digital fingerprint marketplace on a well-known criminal forum. On the forum, actors are able to buy, sell and exchange compromised data including login credentials for sites visited, cookies, IP addresses, user agent, location, OS, operating times, keyboard layout and more. By using these digital fingerprints, threat actors can then bypass anti-fraud measures that rely on recognizing a returning customer's device and session. For example, digital fingerprints for specific organizations' infrastructures appeared in criminal forums and, months later, these organizations experienced Maze ransomware infections and data exfiltration attacks.22 The availability and multidimensionality of digital fingerprints and other compromised data could enable actors to continually defraud banks' customers. Organizations should remain vigilant in their anti-phishing and security awareness education programs to reduce the likelihood of adversary success in capturing credentials, customer data and sensitive, nonpublic information.
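The bypass described above works because every attribute a fingerprint-based fraud check compares (user agent, OS, keyboard layout, timezone, location, session cookie, usual hours) is in the bundle being sold, so a replay matches perfectly. The example below is added here and is not code from the report or from any fraud vendor; it uses a constructed customer profile and two constructed login events, and the field names and the 30-minute reuse window are assumptions. It shows a fingerprint-only decision accepting the replayed bundle, and a session-aware decision catching it using the one thing the bundle cannot carry: the server's own record of where that cookie was last presented.

```python
"""Added example (not from the report): a fingerprint-only fraud check is
defeated by a purchased fingerprint bundle; server-side session state is not.
All data is constructed and the field names are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Fingerprint:
    # Exactly what the marketplace sells, so an attacker can replay it verbatim
    # (and choose a proxy exit in the matching city).
    user_agent: str
    os: str
    keyboard_layout: str
    timezone: str
    geo: str


@dataclass(frozen=True)
class LoginEvent:
    user: str
    cookie: Optional[str]      # session cookie presented; None for a password login
    fp: Fingerprint
    ip: str
    at: datetime


@dataclass(frozen=True)
class Profile:
    user: str
    known_fp: Fingerprint
    session_cookie: str
    active_hours: range        # hours the customer normally transacts in


def fingerprint_mismatches(profile: Profile, ev: LoginEvent) -> List[str]:
    fields = ("user_agent", "os", "keyboard_layout", "timezone", "geo")
    reasons = [f for f in fields if getattr(profile.known_fp, f) != getattr(ev.fp, f)]
    if ev.at.hour not in profile.active_hours:
        reasons.append("outside_active_hours")
    return reasons


def naive_decision(profile: Profile, ev: LoginEvent) -> str:
    """Fingerprint-only engine: a perfect match is treated as the customer."""
    return "allow" if not fingerprint_mismatches(profile, ev) else "step_up"


class SessionAwareEngine:
    """Adds state the bundle cannot carry: where each cookie was last seen."""

    def __init__(self, reuse_window: timedelta = timedelta(minutes=30)):
        self.last_seen: Dict[str, Tuple[str, datetime]] = {}
        self.reuse_window = reuse_window

    def decide(self, profile: Profile, ev: LoginEvent, sensitive: bool = False) -> Tuple[str, List[str]]:
        reasons = fingerprint_mismatches(profile, ev)
        if ev.cookie is None:
            reasons.append("password_login_no_session")   # treat as a new device
        elif ev.cookie != profile.session_cookie:
            reasons.append("unknown_cookie")
        else:
            prev = self.last_seen.get(ev.cookie)
            if prev and prev[0] != ev.ip and ev.at - prev[1] < self.reuse_window:
                reasons.append("cookie_reused_from_second_ip")
            self.last_seen[ev.cookie] = (ev.ip, ev.at)
        if sensitive:
            reasons.append("sensitive_action")      # payments always step up
        if "cookie_reused_from_second_ip" in reasons or "unknown_cookie" in reasons:
            return "deny_and_reauth", reasons
        return ("step_up" if reasons else "allow"), reasons


# Constructed scenario: the customer logs in, then the bought bundle is replayed
# twelve minutes later from a different network.
KNOWN = Fingerprint("Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/76.0",
                    "Windows 10", "en-GB", "Europe/London", "London, GB")
PROFILE = Profile("customer-42", KNOWN, session_cookie="sess-7f3a", active_hours=range(8, 22))
T0 = datetime(2020, 5, 4, 9, 0, tzinfo=timezone.utc)
LEGIT = LoginEvent("customer-42", "sess-7f3a", KNOWN, "203.0.113.10", T0)
REPLAY = LoginEvent("customer-42", "sess-7f3a", KNOWN, "198.51.100.7", T0 + timedelta(minutes=12))


def run_scenario() -> Dict[str, object]:
    engine = SessionAwareEngine()
    legit_hard, _ = engine.decide(PROFILE, LEGIT)
    replay_hard, why = engine.decide(PROFILE, REPLAY)
    return {
        "naive_legit": naive_decision(PROFILE, LEGIT),
        "naive_replay": naive_decision(PROFILE, REPLAY),   # the bypass
        "hardened_legit": legit_hard,
        "hardened_replay": replay_hard,
        "hardened_replay_reasons": why,
    }


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k}: {v}")
```

The cost of the session-aware rule is that a genuine customer whose IP changes mid-session (a phone moving from Wi-Fi to mobile data) is also sent back to re-authenticate; that is a deliberate trade, and the window is the knob to tune. The `sensitive` flag encodes the other defence the report's advice implies: a fingerprint match should never by itself be enough to release a payment.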
03 / Data theft and data manipulation stems from new vulnerabilities and cybercriminal behaviors
While threat actors continue to target data, their motivations often go beyond theft to include destruction and disruption. A new wave of cyberattacks sees data no longer simply being copied, but being destroyed—or changed—breeding distrust.23 In late 2019, security researchers disclosed a Microsoft Azure vulnerability referred to as BlackDirect.24 If not remediated, threat actors could exploit this vulnerability to steal sensitive data, compromise production servers, manipulate data, or even encrypt all of a victim organization's data (ransomware).25 This vulnerability disclosure came as financial institutions and regulators were scrutinizing cloud security vulnerabilities and related cyber threats following the large-scale data theft from a major United States financial institution.26

In last year's Future Cyber Threats: Extreme but Plausible Threat Scenarios in Financial Services, we discussed "the anatomy of the cover-up," how actors use pseudo-ransomware to distract organizations during their attacks. While this activity remains a threat, actors have expanded their arsenal, combining data theft and data extortion during ransomware attacks. Threat actors realize that multi-pronged approaches against businesses help to sustain ransomware as a lucrative long-term approach.27 The concept of "naming and shaming" ransomware victims, coupled with threatening to release stolen data, makes the process of responding to ransomware infections more challenging: restoring from backup no longer ends the incident, because the stolen copy remains in the actor's hands.

Recently, a ransomware group claimed they had successfully exfiltrated millions of credit card records from a state-owned bank in Central America.28 This comes at a time when cybercriminal groups are cooperating with one another, quickly shifting from commodity malware infections to targeted attacks. In some instances, it has taken only hours from an initial crimeware infection for devastating ransomware to enter the network.29 Looking ahead, this "collective offense" of cybercriminals will prove a formidable threat to businesses across all industry sectors.
24 [...] research-blog/blackdirect-microsoft-azure-account-takeover/
25 Ibid.
26 A hacker gained access to 100 million credit card
28 [...] 2020, https://www.bleepingcomputer.com/news/security/hackers-say-they-stole-millions-of-credit-cards-from
29 Trickbot to Ryuk in Two Hours, March, 2020,
04 / Emerging technologies, especially deepfakes and 5G, advance cyberthreats
Deepfakes

As technology rapidly advances, cyber-defenders and adversaries alike are exploring means of using cutting-edge tools. In particular, malicious actors recently used deepfakes to increase the effectiveness of their campaigns. In March 2019, criminals used artificial intelligence (AI)-based deepfake recording software to impersonate a chief executive's voice, leading to the fraudulent transfer of approximately US$245,000.30 This incident set a dangerous precedent for voice-spoofing attacks aimed at exploiting human vulnerabilities. As financial institutions continue to combat business e-mail compromise (BEC) and account takeover (ATO) attacks, they will need to track the emerging tactics, techniques and procedures (TTPs) adversaries may use in order to stay a step ahead. Organizations should also explore the technological countermeasures in development to prevent adversarial abuse of this emerging technology.

5G

As the world adopts fifth generation mobile networks, threat actors will seek to gain new advantages with 5G technology. The opportunities for 5G in financial services abound: "5G will become a general-purpose technology for financial services organizations, providing new opportunities to create, store, and protect value, to move money, and to access credit."31 However, it also presents risks, including those raised by governments: supply chain threats, software vulnerabilities, organized cybercrime and espionage, as well as cross-sector threats. Dependence upon a select handful of suppliers for 5G technology mirrors similar cyber threat scenarios raised at the advent of other technologies, such as cloud. Concentration of targets across a relatively undiversified pool of technology providers amplifies the impact a single malicious campaign can have globally. This also increases the return on investment (ROI) for adversaries, as witnessed during previous campaigns such as Cloud Hopper.32 Governments and think tanks have also voiced concern about the potential for nation-states to willfully exploit technological vulnerabilities present in software and hardware manufactured by companies within the reach of their influence.

FinTechs

Financial technology (FinTech) disruptors have rapidly expanded to new markets, increasing the level of dependence the broader financial sector has on these companies to deliver their core products
30 Fraudsters Used AI to Mimic CEO's Voice in Unusual Cybercrime Case, August, https://www.wsj.com/articles/fraudsters-use-ai-to-mimic-
31 5G In Financial Services, April, 2020, https://go.forrester.com/blogs/5g-in-financial-services/
32 HOGFISH Actors Responsible for Cloud Hopper Indicted
and services. In the future, it is these areas on the periphery of financial institutions and markets, like FinTech, where large-scale, disruptive attacks may originate.

[...] long as vulnerabilities in software, platforms and infrastructure configurations afford them access to networks and valuable data.
33 Hack Brief: Hackers Stole $40 Million From Binance Cryptocurrency Exchange, May, 2019, https://www.wired.com/story/hack-binance-cryptocurrency-exchange/
34 Security Breach Disrupts Fintech Firm [REDACTED], March, 2020,
35 Banks currency services knocked out by [REDACTED] ransomware attack, January, 2020, https://www.finextra.com/newsarticle/35047/banks-currency-services-knocked-out-by-travelex-ransomware-attack
36 Mind the Gap: Addressing Challenges to FinTech
05 / Disruptive and destructive malware attacks spur multiparty and cross-sector targeting
Threat groups leveraging ransomware are targeting multiple related parties at once, globally. On August 16, 2019, more than 20 entities in Texas, United States, reported ransomware attacks, prompting a coordinated state and federal response to a multi-jurisdictional cybersecurity event that was the first of its kind.37 Testing the resilience of the affected entities, this multiparty attack is a bellwether indicating the likelihood of additional concurrent, disruptive attacks. A proactive cyber-defense plan that incorporates multiparty attack simulations with industry and cross-industry peers could help financial institutions be better prepared to face this threat.

The disruptive and destructive impact upon financial institutions is a noteworthy recent change in ransomware attacks. Two UK-based organizations, integral to global financial organizations, were affected by ransomware in December 2019 and March 2020 respectively. The companies, one a foreign exchange (forex) market leader and the other a financial services TSP, had to take systems offline following the cyberattacks, which left services disrupted for their global banking clients. As third parties fall victim to targeted malware campaigns, actors are likely to have a growing negative impact on the availability of some banking and insurance services on a global scale.

Financial services organizations are not always first in line to suffer from disruptive and destructive malware campaigns, but as referenced in Section 01 (page 5), they can be affected indirectly through the supply chain. For example, an investment fund that owned two chemical companies was impacted when these companies incurred LockerGoga ransomware infections in 2019.38 Since LockerGoga had already crippled a Norwegian aluminum company and led to at least US$40 million in immediate losses,39 the attack on the chemical companies had the potential not only to undermine their performance, but also to have a knock-on effect on the performance of the investment fund. Financial services organizations can address this risk by following high-exposure sectors in their portfolio and by participating in forums that facilitate cross-sector information sharing.
06 / Misinformation shakes trust in retail and government-backed banks
Disinformation and misinformation are not only a threat to efforts to manage COVID-19; they also impact the financial sector. Multiple United States entities, including the NASDAQ,40 the Securities and Exchange Commission41 and FINRA42 have warned of spikes in market manipulation in the wake of the COVID-19 pandemic. Often, market manipulation involves elements of disinformation or misinformation directed at influencing unsuspecting investors to aid criminal actors' objectives.43 Some groups undertaking these activities, as well as pumping and dumping (a form of securities fraud that involves artificially inflating the price of a stock through false positive statements), have been connected to cyber intrusions in the past.44,45 Bad actors can take advantage of high market volatility, which could further reduce confidence in the economy.

Disinformation has affected the financial sector multiple times in the last year. A United Kingdom bank had to reassure customers of its financial health after its share price dropped 11% due to false rumors that the bank was collapsing, which encouraged customers to empty their accounts.46 Public sector banks (PSBs) in India fell victim to a similar event via social media in September 2019. Following an announcement from the central bank that many of India's PSBs would be consolidated, unknown individuals amplified a false narrative that nine PSBs would be closed permanently. Word also spread that the central bank was urging the public to withdraw money from the supposedly folding banks.47 In both instances, the banks were able to quickly correct the record, but these incidents highlight how susceptible financial markets are to manipulation as a result of disinformation.

There is no evidence that sophisticated actors are spreading misinformation to support a financial or political agenda—but it is plausible. As a result, the financial sector should consider how to combat both accidental misinformation and highly sophisticated disinformation campaigns that may arise in the future.
PROACTIVE, COLLECTIVE DEFENSE

In the face of evolving threats and adversaries in difficult times, security leaders have an opportunity to reimagine their strategy and technologies from the ground up. Security leaders are in pole position to act as decision makers and key influencers to help their institutions be safe and secure, and to guide people to adapt to new ways of working that improve security in the long term. By adopting the attributes of adaptive security, security leaders can put the right controls in place to create a working environment that builds resilience.

Actions security leaders can take include:

Adopt a secure mindset
• Deploy a zero trust network access approach with built-in technologies to enable secure application access without relying on traditional VPN solutions.
• Automate with endpoint management, detection and response to reduce the amount of human intervention needed.

Become agile and adaptive
• Bring your existing focus on business risk and resilience into the broader executive planning discussions.
Focus on Nth party risks
• Advise cyber threat intelligence teams to monitor and report upstream on cyberthreats to critical suppliers and partners.
• Expand risk frameworks and automate response protocols to include cyberattacks against nth parties.
• Mobilize a rapid-response center to identify and prioritize third party and supply chain risks or blind spots.

Collectively respond and act
• Collaborate with others with the common goal of securing the enterprise and the broader ecosystem, to help smaller partners beat cyberthreats with better protection for the front and back doors.
• Deepen and widen your relationships with other financial institutions, information-sharing communities and law enforcement.
• Participate in sector-wide or joint cyber exercises with peer financial institutions to more frequently gauge the effectiveness of current cyber defense resources, processes and technologies.
CONTACT US

Valerie Abend
Managing Director, Accenture Security
valerie.abend@accenture.com

Howard Marshall
Managing Director, Accenture Security
howard.marshall@accenture.com

ABOUT ACCENTURE

Accenture is a leading global professional services company, providing a broad range of services in strategy and consulting, interactive, technology and operations, with digital capabilities across all of these services. We combine unmatched experience and specialized capabilities across more than 40 industries—powered by the world's largest network of Advanced Technology and Intelligent Operations centers. With 506,000 people serving clients in more than 120 countries, Accenture brings continuous innovation to help clients improve their performance and create lasting value across their enterprises. Visit us at www.accenture.com

ABOUT ACCENTURE SECURITY

Accenture Security is a leading provider of end-to-end cybersecurity services, including advanced cyber defense, applied cybersecurity solutions and managed security operations. We bring security innovation, coupled with global scale and a worldwide delivery capability through our network of Advanced Technology and Intelligent Operations centers. Helped by our team of highly skilled professionals, we enable clients to innovate safely, build cyber resilience and grow with confidence. Follow us @AccentureSecure on Twitter or visit us at www.accenture.com/security

LEGAL NOTICE & DISCLAIMER

© 2020 Accenture. All rights reserved. Accenture, the Accenture logo, and other trademarks, service marks, and designs are registered or unregistered trademarks of Accenture and its subsidiaries in the United States and in foreign countries. All trademarks are properties of their respective owners. All materials are intended for the original recipient only. The reproduction and distribution of this material is prohibited without express written permission from iDefense.

Given the inherent nature of threat intelligence, the content contained in this report is based on information gathered and understood at the time of its creation. The information in this report is general in nature and does not take into account the specific needs of your IT ecosystem and network, which may vary and require unique action. As such, Accenture provides the information and content on an "as-is" basis without representation or warranty and accepts no liability for any action or failure to act taken in response to the information contained or referenced in this report. The reader is responsible for determining whether or not to follow any of the suggestions, recommendations or potential mitigations set out in this report, entirely at their own discretion.