
IBM Cloud Pak | Security

Financial Services Industry Profile


Report type: Industry analysis

Created by X-Force IRIS

Last updated: May 6 2022

OmniBsic Bank

Contents
Overview
Key Takeaways
Notable Activity and Findings
    ITG14 Shift to Ransomware with New Malware and Tactics
    IBM Data Reveals Dramatic Drop in POS Malware Activity
    New ZE Loader Targets Online Banking Users
Assets at Risk
    Inter-bank Financial Network Platforms
    Personally Identifying Information (PII)
    Customer Credentials and Bank Account Information
Top Threat Groups
    Sophisticated Ransomware Actors
    ITG14
    ITG19
Top Attack Types
    Server Access
    Banking Trojans
    Ransomware
    Phishing Attacks
RISK MITIGATION MEASURES

Overview
The financial services industry has long been an attractive target for cybercriminals seeking financial
gain, and as sophisticated nation-state groups progressively target this sector, risks to financial assets
are growing. X-Force assesses with medium confidence that increasingly stealthy banking Trojans and
phishing attacks, as well as a high percentage of injection attacks, will continue to affect financial
institutions over the next year. While ransomware attacks are not affecting finance and insurance as
significantly as other industries, threat actors are increasingly finding ways to compromise servers at
financial organizations for data theft and are stealing credentials to gain unauthorized access to financial
networks.

According to IBM Security's X-Force Threat Intelligence Index 2022, the financial services industry is the
second most-attacked industry, along with insurance, making up 22% of total attacks and incidents for
the top ten industries in 2021, down from 23% the year prior. This is the first time in the past five years
in which finance and insurance did not lead the list; however, it does not represent a meaningful decline
in attack activity. Instead, it reflects the surge in attacks targeting the manufacturing sector, which now
tops the list.

In addition, cybersecurity incidents tend to be more expensive for financial services companies
compared to other sectors, due to compliance standards, reporting regulations, customer identification
protection, and monetary loss. According to an IBM-sponsored study by the Ponemon Institute for 2021,
the financial services industry was the second-costliest sector for data breaches, with each breach
costing the victim organization $5.72 million on average—above the overall mean of $4.24 million.

Key Takeaways

Top Assets at Risk
• Inter-bank financial network platforms
• Personally identifiable information (PII)
• Client credentials
• Bank account information

Top Threat Groups
• Sophisticated ransomware actors
• ITG14
• ITG19

Top Attack Methods
• Server access
• Ransomware

Top Recommendations
• Use strong password policies and implement MFA on all remote access points
• Use software solutions to flag suspicious emails
• Develop and drill a response plan for ransomware that includes recovery from backups
• Use penetration testing to identify weaknesses in ATM networks

Notable Activity and Findings

ITG14 Shift to Ransomware with New Malware and Tactics

IBM Security X-Force assesses that over the past year the advanced cybercriminal group ITG14 has
shifted away from its previous tactics, which included targeted attacks on Point-of-Sale (POS) systems,
to the use of ransomware. To support this shift, ITG14 has adopted new malware and tactics and has
likely forged relationships with new underground suppliers and other threat actors.

IBM Data Reveals Dramatic Drop in POS Malware Activity

IBM data as of November 2020 reveals that point-of-sale (POS) malware used to siphon payment card
data out of payment terminals has significantly decreased since 2017. This development follows a steady
decline of POS malware attacks over 2018-2020. X-Force research indicates that some threat groups
which focused on POS malware in the past have now shifted to e-commerce card skimmers or even
ransomware—attack types that are probably more profitable now that chip-and-PIN technologies have
decreased the effectiveness of POS malware.
While this downward trend is a positive sign, X-Force cautions that POS malware is not gone: other
security researchers observed POS malware in 2020, and some threat actors may identify methods
for circumventing chip-and-PIN technologies.

New ZE Loader Targets Online Banking Users

IBM Trusteer closely follows developments in the financial cybercrime arena. Recently, we discovered a
new remote overlay malware that is more persistent and more sophisticated than most current-day
code. Overlay malware is not a new threat, nor is it very sophisticated. Yet this malware category,
which typically spreads in Latin America, Spain and Portugal, is an enduring one. We keep seeing it used
in attacks on online banking users in those regions, and its success fuels the interest of cybercriminals in
continuing to use it. In the case of ZE Loader, we did see some new features that push the typical
boundaries of overlay Trojans. For example, most malware in this category does not keep assets on the
infected device, but ZE Loader does. In most cases, this sort of malware does not go to the lengths of
hiding its presence; its lifecycle is short and the effort would be futile. ZE Loader does use some stealth
tactics.

Assets at Risk
The allure of financial services assets for a cybercriminal is clear: customer bank account information or
payment card data, access to networks for shifting large sums of money, and customer or employee
Personally Identifiable Information (PII) can all lead to direct financial profit or be sold on the dark web
for monetary gain. Some nation-state actors have also focused on financial services firms since 2015,
directly stealing millions of dollars probably to fund state activities. IBM Security X-Force analysts assess
that financial transactions—and particularly inter-bank financial network platforms—as well as PII,
customer credentials, and bank account information are the assets most at risk for financial services
companies.

Inter-bank Financial Network Platforms

Systems that facilitate funds transfers between banks would be a highly lucrative target for
cybercriminal and nation-state threat actors alike, as these networks transfer large volumes of money in
each transaction, money that can be difficult to recover once sent to an attacker's account. The
Society for Worldwide Interbank

Personally Identifying Information (PII)

Banks hold a significant amount of PII on their clients, including names, government identification
numbers, addresses, and a range of financial data. This information would be of interest to
cybercriminals seeking to sell it on the dark web for a profit and to nation-state actors seeking data on
individuals of interest.

Customer Credentials and Bank Account Information

Credentials associated with bank accounts and financial organizations are a prime target for
cybercriminals, who will seek to steal them through phishing messages, banking Trojans, mobile overlay
attacks, and a range of other techniques. While a stolen credit card might garner $12-$20 on the dark
web, stolen banking credentials bring in around $65 on average.

Top Threat Groups


Cybercriminals pose the most significant threat to the financial services industry, with threats from
nation-state groups in this sector increasing over the past three years. While the majority of attacks in
this sector target bank customers and their accounts, some sophisticated groups have been successful in
targeting banks at the enterprise level. Banks in Mexico, Canada and the UK came under particular
attack in 2018, and attacks exploiting the SWIFT monetary transfer network from participating banks—
most notably the Bank of Bangladesh in 2016—have prompted SWIFT administrators to implement
additional security measures. The following chart portrays a matrix of the threat actor groups that X-Force
threat intelligence assesses, as of this publication, are most capable of targeting the financial industry
now or in the future. The chart assesses the intent and capability of several groups to target
organizations in this industry, with sophisticated ransomware actors, ITG14 (FIN7), and ITG19 receiving
the highest rankings. Additional information on each of these threat groups can be found on IBM
Security X-Force's Premium Threat Intelligence platform.

Sophisticated Ransomware Actors

Due to the high profitability of ransomware attacks, more and more cybercriminals are entering the
ransomware space, and many active ransomware groups have shifted to a Ransomware-as-a-Service
(RaaS) model, where central administrators develop the ransomware and then contract out to
affiliates the task of compromising victims and deploying ransomware. Notably, Ryuk and
Sodinokibi/REvil are the top ransomware strains observed by X-Force in 2021, and Sodinokibi attacks
have made up 37% of all ransomware attacks X-Force has remediated in 2021.

ITG14

Since at least 2016, the cybercrime threat group tracked by IBM X-Force as ITG14, also known as FIN7
and Carbon Spider, has conducted illegal operations against organizations within the retail, restaurant,
banking, and hospitality sectors worldwide. ITG14, which is likely based in Eastern Europe, has used a
variety of techniques such as phishing, malware, and infected Microsoft Office documents to
successfully compromise their targets. Three ITG14 figures were arrested in January and June 2018. In
August 2018, the U.S. Department of Justice (U.S. DOJ) unsealed indictments against these ITG14
operators with 26 felony counts each ranging from conspiracy to commit wire fraud to identity theft.
Despite the indictments against three ITG14 leaders, ITG14 has remained active. On a historical note, it
is highly likely some members of ITG14 were previously associated with the cybercrime threat actor
known as Carbanak Group, which operated from approximately 2013-2015 and also shares overlap with
Hive0040 aka Cobalt Gang. While some organizations associate FIN7 and/or Cobalt Gang directly with
Carbanak Group, IBM X-Force tracks these as three separate threat actors. X-Force has evidence that
ITG14 also assists in ransomware operations such as Sodinokibi and Ryuk, and is behind the DarkSide
ransomware that emerged in late 2020.

ITG19

Since at least 2014, ITG19, also known as TA505 and sharing campaign overlap with EvilCorp and Dridex,
has been observed conducting massive malicious spam campaigns delivering a wide array of payloads
ranging from banking Trojans to ransomware.

Monetary gain is known to be the sole motivator for ITG19's activity, and the geographic location of its
targets is secondary to the potential for financial gain. ITG19 has been seen targeting various
industries worldwide, including the finance, retail, and restaurant sectors, indicating a willingness to
adapt in an effort to follow the money. ITG19 is believed to be the group behind Dridex, one of the most
notorious banking Trojans, responsible for millions of dollars in losses, as well as Locky, a ransomware
variant that first appeared in 2016. IBM X-Force IRIS assesses with high confidence that ITG19 will
remain a consistent threat in the cyber landscape going forward.

Top Attack Types

Server Access

Threat actor operations that involved unauthorized access to a server emerged as the second-most
common attack type across all industries in 2021, and the top attack type for finance and insurance,
according to the 2022 X-Force Threat Intelligence Index. In some instances, the threat actors exploited a
known vulnerability, such as CVE-2020-7961, which would allow for remote code execution on a server.
In multiple cases threat actors exploited vulnerabilities in Microsoft Exchange servers to gain
unauthorized access to networks of interest.

Banking Trojans

Cybercriminals have for decades been building malware specifically tailored to steal banking credentials
and account information—a trend that continues with constant transformations of Trojans in the wild.
IBM Security X-Force Threat Intelligence has found that banking Trojans built to exploit Linux-based
operating systems have increased, suggesting a possible correlation with organizations moving into cloud
environments.

Ransomware

Ransomware continued to be a top attack type in 2021, but was down as a percentage of overall
attacks compared to 2020. X-Force research indicates that 17 months is the average time before a
ransomware group either rebrands or shuts down. The finance industry appears to be the most resilient
to ransomware attacks because it typically has a more mature security posture than other industries;
however, the threat of ransomware remains high for organizations in this sector.

Phishing Attacks

Phishing operations emerged as the top pathway to compromise in 2021, with 41% of incidents X-Force
remediated using this technique to gain initial access. Phishing attacks aimed at financial services
customers or employees are a common attack vector and, we assess, will remain so for the
foreseeable future. Phishing is usually the preferred delivery method even for sophisticated
malware distributed by organized crime groups such as ITG14 (FIN7). In one instance, attackers used
phishing emails to twice gain access to the same bank's networks, including machines that process debit
card transactions.

RISK MITIGATION MEASURES


Server Access: Employ strong password policies and multifactor authentication on servers to decrease
the potential for threat actors to gain access using stolen credentials. In addition, implement a robust
patch management program with an emphasis on server vulnerabilities applicable to your environment.

Data Theft and Phishing: There are several steps organizations can take to combat this threat. For data
theft attacks involving phishing, employ software that can detect and flag suspicious e-mails. Disable
macros, email delegates, and mail forwarding. Routinely provide employee education that covers current
phishing techniques.

Trojans: In addition to implementing security practices to defend against phishing and patching known
vulnerabilities, download software only from sources you can trust and be wary of clicking on suspicious
links or popups while browsing the Internet. Keeping your web browser and operating system up to date
can also help prevent RAT-associated attacks.

Ransomware: End users are often the first line of defense against ransomware attacks, and employee
education is critical. Organizations that have implemented a well-rehearsed defense-in-depth strategy
and a thought-out preparatory plan can help thwart a ransomware attack. Review X-Force's The
Definitive Guide to Ransomware for more information.

DDoS: The deployment of load balancers can significantly reduce the risk of a DDoS attack. While no
single equipment installation can prevent a DDoS attack, a load balancer, in combination with other
multi-layered defense mechanisms, can greatly reduce this risk. Ensure any third-party cloud providers
implement DDoS attack prevention mechanisms on their networks. Most major cloud service providers
will provide built-in DDoS protection.

SQL Injection: Sanitize data input to decrease the risk of SQLi attacks. Employ strict data checking
controls and inform the user when the data entered is incorrect. Encourage web programmers and
developers to invest time in running thorough data input checks. Identify weaknesses in your network
infrastructure by running a penetration test project, which allows testers to attempt to compromise
assets using the same tools, techniques, practices and mindset as criminal attackers. Employ patch
management tools to ensure applications and operating systems are up to date.
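The two controls recommended above for SQL injection, strict input checking that tells the user what was wrong and keeping input out of the query text, are shown side by side in the following Python example. It is an added illustration, not code from this report or from IBM; the `accounts` table, the four-digit account-number format, the sample rows and the malformed input are all constructed for the demo, and it uses only the standard-library `sqlite3` and `re` modules so it runs offline.

```python
import re
import sqlite3

# Constructed sample data for this demo (not taken from the report).
SAMPLE_ACCOUNTS = [
    ("1001", "alice", 2500.0),
    ("1002", "bob", 730.5),
]

# A constructed malformed input: a stray quote followed by an always-true condition.
MALFORMED_INPUT = "' OR '1'='1"

# Strict format rule for the hypothetical account-number field: exactly four digits.
ACCOUNT_NO_RE = re.compile(r"[0-9]{4}")


def build_sample_db():
    """Create an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (account_no TEXT, owner TEXT, balance REAL)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", SAMPLE_ACCOUNTS)
    return conn


def lookup_vulnerable(conn, account_no):
    """Unsafe pattern: the input is pasted into the SQL text, so it can change the query."""
    query = "SELECT owner, balance FROM accounts WHERE account_no = '" + account_no + "'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, account_no):
    """Parameter binding: the driver passes the input as a value, never as SQL syntax."""
    return conn.execute(
        "SELECT owner, balance FROM accounts WHERE account_no = ?", (account_no,)
    ).fetchall()


def validate_account_no(account_no):
    """Strict data check; raises with a message the application can show to the user."""
    if not ACCOUNT_NO_RE.fullmatch(account_no):
        raise ValueError("account number must be exactly four digits")
    return account_no


def lookup_hardened(conn, account_no):
    """Validate the field first, then bind it as a parameter (both measures together)."""
    return lookup_parameterized(conn, validate_account_no(account_no))


def run_demo():
    """Run each lookup against a normal and a malformed input; return the outcomes."""
    conn = build_sample_db()
    results = {
        "vulnerable_normal": lookup_vulnerable(conn, "1001"),
        # The malformed input turns the WHERE clause into "account_no = '' OR '1'='1'",
        # so every row comes back instead of one.
        "vulnerable_malformed": lookup_vulnerable(conn, MALFORMED_INPUT),
        # Bound as a value, the same string simply matches no account.
        "parameterized_malformed": lookup_parameterized(conn, MALFORMED_INPUT),
        "hardened_normal": lookup_hardened(conn, "1002"),
    }
    try:
        lookup_hardened(conn, MALFORMED_INPUT)
        results["hardened_malformed"] = "accepted"
    except ValueError as err:
        # The strict check rejects the input before any SQL runs and explains why.
        results["hardened_malformed"] = "rejected: " + str(err)
    conn.close()
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name}: {outcome}")
```

Parameter binding alone is what stops the injection; the format check is the "inform the user when data entered is incorrect" control, and it also keeps obviously malformed values from ever reaching the database layer, which is useful telemetry for detecting probing against a web front end.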
