Hidden Breach Tunnels Could Take a Toll on Financial Institutions
Hidden tunnels also enable attackers to sneak out of networks with stolen data, undetected.
San Jose, Calif.-based cyberattack detection and threat hunting firm Vectra, as part of the key findings in its new 2018 Spotlight Report on Financial Services, disclosed that attackers use these tunnels to remotely control an attack (command-and-control) and to steal data (exfiltration) while remaining largely undetected.
According to the Vectra report, security breaches across multiple industries continue on an upward trajectory, and financial services is no exception. While financial services firms did not experience the same volume of breaches as other industries, they still face considerable risk as lucrative targets for cyberattackers in search of a windfall of critical data and personally identifiable information.
Information in the Vectra report, based on observations and data from the 2018 RSA Conference Edition of the Attacker Behavior Industry Report, revealed attacker behaviors and trends in networks from 246 opt-in customers in financial services and 13 other industries.
“While financial services firms don’t experience the same volume of breaches as other industries, the ones that do happen have caused exponential damage along with far-reaching consequences and public scrutiny,” the report said.
Chris Morales, head of security analytics at Vectra, said, “Every industry has a profile of network and user behaviors that relate to specific business models, applications and users. Attackers will mimic and blend in with these behaviors, making them difficult to expose.”
In the Equifax exposure, which resulted in the theft of driver’s license numbers, email addresses, Social Security numbers and other personal information from 145.6 million consumers, attackers exploited a vulnerability in the Apache Struts Web Framework to gain root access to online dispute web applications. Attackers customized tools to efficiently exploit Equifax’s software, and to query and analyze dozens of databases to decide which held the most valuable data.
Attackers set up about 30 web shells accessed from around 35 distinct public IP addresses, then used hidden tunnels to bypass firewalls, analyzing and cracking one database after the next while stockpiling data on the company’s own storage systems. The report indicated, “The trove of data the attackers collected was so large it had to be broken up into smaller pieces to avoid triggering as an anomalous behavior.”
Vectra found the same type of attacker behaviors across the financial services industry as those that led to the Equifax breach. What stood out the most is the presence of hidden tunnels, which attackers use to get into networks that have strong access controls. Hidden tunnels also enable attackers to sneak out of networks with stolen data, undetected.
In many cases, hidden tunnels ride on applications used for legitimate purposes, like stock ticker feeds, internal financial management services, third-party financial analytics tools and other cloud-based financial applications. That ability to blend in is precisely why attackers use hidden tunnels, as they did in the Equifax data breach.
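The two behaviors described above, a tunnel hiding inside ordinary web traffic and a large trove split into small chunks so that no single transfer looks anomalous, can be spotted from connection metadata alone by looking at regularity across many flows rather than at the size of any one. The following is an added defender-side illustration, not Vectra's code or the logic of its Cognito platform; the flow records and thresholds are constructed for the example.

```python
import statistics
from collections import defaultdict

# Constructed flow records for this example (not data from the Vectra report):
# (timestamp_seconds, source_host, destination_ip, destination_port, bytes_sent)
def build_sample_flows():
    flows = []
    # Host A: 40 uploads of ~64 KiB to one external HTTPS endpoint, one every ~300 s.
    # A stockpile sent out in uniform chunks on a fixed schedule looks like this.
    for i in range(40):
        flows.append((1000 + 300 * i + i % 3, "10.1.5.7", "203.0.113.10", 443, 65536 + (i % 5) * 100))
    # Host B: ordinary browsing, with irregular timing and sizes to a similar endpoint.
    for i in range(30):
        flows.append((1000 + 60 * i + (i * i * 37) % 400, "10.1.5.8", "198.51.100.20", 443, 500 + (i * 7919) % 200000))
    return flows

def coefficient_of_variation(values):
    mean = statistics.mean(values)
    return statistics.pstdev(values) / mean if mean else 0.0

def find_chunked_exfil_channels(flows, min_flows=20, max_size_cv=0.05, max_gap_cv=0.10, min_total_bytes=1_000_000):
    """Flag (src, dst, port) channels whose outbound flows are numerous, near-uniform in size,
    evenly spaced, and large in total. A per-transfer volume threshold sees only small uploads;
    the regularity across them is the tell. Thresholds are illustrative assumptions."""
    by_channel = defaultdict(list)
    for ts, src, dst, port, sent in flows:
        by_channel[(src, dst, port)].append((ts, sent))
    hits = []
    for (src, dst, port), recs in by_channel.items():
        if len(recs) < min_flows:
            continue
        recs.sort()  # order by timestamp so inter-flow gaps are meaningful
        sizes = [sent for _, sent in recs]
        gaps = [b[0] - a[0] for a, b in zip(recs, recs[1:])]
        size_cv, gap_cv, total = coefficient_of_variation(sizes), coefficient_of_variation(gaps), sum(sizes)
        if size_cv <= max_size_cv and gap_cv <= max_gap_cv and total >= min_total_bytes:
            hits.append({"src": src, "dst": f"{dst}:{port}", "flows": len(recs), "total_bytes": total,
                         "size_cv": round(size_cv, 4), "gap_cv": round(gap_cv, 4)})
    return hits

def per_10k_devices(hits, device_count):
    """Express distinct flagged sources the way the report does: per 10,000 monitored devices."""
    return len({h["src"] for h in hits}) / device_count * 10_000

if __name__ == "__main__":
    found = find_chunked_exfil_channels(build_sample_flows())
    for hit in found:
        print(hit)
    print("flagged sources per 10,000 devices:", per_10k_devices(found, 2))
```

On the constructed data only host A is flagged: its 40 chunks vary by well under one percent in size and timing and add up to about 2.6 MB, while host B's browsing fails the uniformity tests.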
Key findings from Vectra include:
- Significantly more hidden command-and-control tunnels per 10,000 devices in financial services than all other industries combined; and more than twice as many hidden data-exfiltration tunnels per 10,000 devices in financial services than all other industries combined.
- For every 10,000 devices across all industries, there were 11 hidden exfiltration tunnels disguised as encrypted web traffic detected. But in financial services, that number more than doubled to 23. From August 2017 through January 2018, hidden exfiltration tunnels disguised as unencrypted web traffic jumped from seven per 10,000 devices to 16 in financial services.
- For every 10,000 devices across all industries, there were two hidden tunnels disguised as encrypted web traffic detected. But in financial services, that number was five. From August 2017 through January 2018, hidden exfiltration tunnels disguised as unencrypted web traffic went from two per 10,000 devices to four in financial services.
Vectra’s Cognito platform identifies behaviors that indicate in-progress attacks by directly monitoring all traffic and relevant logs, including traffic to and from the internet, internal traffic between network devices, and virtualized workloads in private data centers and public clouds.