Banking Orgs Come Up Short Against Internal Threats

Testers from Positive Technologies succeed in obtaining access to FIs’ financial applications 58% of the time.

Credit unions often fail in their attempts to prevent insider attacks.

Banking organizations have built up formidable barriers to prevent external attacks but are falling short in their defense against internal threats, according to a report from the Framingham, Mass.-based enterprise security firm Positive Technologies.

Every year, Positive Technologies completes dozens of penetration tests for various organizations. In this study it shared the most instructive penetration tests carried out for financial institutions over the past three years and their susceptibility to cybercriminal activity.

“In the wild, we currently see attacks on interbank transfers, card processing, ATM management, e-banking and payment gateways,” the report explained. “The range of targets is broad – if intruders have the necessary knowledge and technical means, access to such systems can bring them more revenue than fraud against bank customers.”

With access to the internal network of client banks, Positive Technologies testers succeeded in obtaining access to financial applications in 58% of cases. At 25% of banks, they were able to compromise the ATM management workstations. Those banks were susceptible to the techniques used in actual attacks by Cobalt, a cybercrime syndicate that has infiltrated more than 100 financial institutions in 40 countries since 2013, and by other cybercriminal gangs.

Moving money to criminal-controlled accounts via interbank transfers, a favorite method of the North Korean cybergang Lazarus and Russia-linked MoneyTaker groups, was possible at 17% of tested banks. Also, at 17% of financial institutions, card processing systems were poorly defended, which can enable attackers to manipulate card balances as done in early 2017 against banks in Eastern Europe.

Positive Technologies noted the Carbanak group, notorious for its ability to attack nearly any bank application, would have been able to steal funds from more than half of the tested banks.

The report observed that financial institutions tend to do a better job than other organizations of protecting their network perimeter. Penetration testers could access the internal network at 58% of all clients, but only at 22% of banks. In every case, access was gained through vulnerabilities in web applications, using the same methods employed by groups such as ATMitch and Lazarus.

This percentage of susceptible financial institutions may be an underestimate, however. Testers did not exploit vulnerabilities that could damage the customer’s infrastructure, such as those in the outdated software found at 67% of financial institutions.

Positive Technologies found staff members are usually the weakest link in any banking organization’s security: 75% of employees clicked a phishing message link, 25% entered their credentials in a fake authentication form, and at 25% of financial institutions at least one employee ran a malicious attachment. Almost every criminal group, including Cobalt, Lazarus, Carbanak, Metel and GCMAN, uses phishing.

The report also described hacker forums that offer bank insider services. Experts stated that in some cases the privileges of an employee with mere physical access to network jacks (such as a janitor or security guard) are enough for a successful attack. Other methods for infecting financial institutions include hacking business partners and contractors, and placing malware on sites regularly visited by bank employees, as seen with Lazarus and Lurk.

To continue their attacks, the criminals rely on two key helpers: weak password policies and poor protection against the recovery of passwords from OS memory. Every bank tested had a weak password policy on its internal network.

The external network perimeter also showed flaws. The most hazardous are remote access and control interfaces, which are often reachable by any external user. Among the most common are the Secure Shell and Telnet protocols, exposed on the network perimeter at 58% of financial institutions, as well as protocols for access to file servers, exposed at 42%.

Leigh-Anne Galloway, cybersecurity resilience lead at Positive Technologies, outlined recommendations: “The good news is that it’s possible to stop an attack and prevent loss of funds at any stage, as long as the attack is detected in time and appropriate measures are taken.” This includes scanning attachments in a sandbox rather than depending on endpoint antivirus solutions, and receiving and immediately reacting to alerts with the help of an in-house or contracted 24/7 security operations center. In addition, she added that security information and event management (SIEM) solutions substantially simplify and improve the effectiveness of incident management.