CYFIRMA INDUSTRY REPORT : FINANCE INDUSTRY

Published On : 2024-09-30
EXECUTIVE SUMMARY

The CYFIRMA Industry Report delivers original cybersecurity insights and telemetry-driven statistics of global industries, covering one sector each week for a quarter. This report focuses on the finance industry, presenting key trends and statistics in an engaging infographic format.

INTRODUCTION

Welcome to the CYFIRMA infographic industry report, where we delve into the external threat landscape of the finance industry over the past three months. This report provides valuable insights and data-driven statistics, delivering a concise analysis of attack campaigns, phishing telemetry, and ransomware incidents targeting the finance industry.
 
We aim to present an industry-specific overview in a convenient, engaging, and informative format. Leveraging our cutting-edge platform telemetry and the expertise of our analysts, we bring you actionable intelligence to stay ahead in the cybersecurity landscape.

METHODOLOGY

CYFIRMA provides cyber threat intelligence and external threat landscape management platforms, DeCYFIR and DeTCT, which utilize artificial intelligence and machine learning to ingest and process relevant data, complemented by manual CTI research.

For the purpose of these reports, we leverage the following data from our platform. This is data processed by AI and ML automation, based on both human research input and automated ingestions.

OBSERVED ATTACK CAMPAIGNS

  • Leveraging our Early Warning platform data set, we present known attack campaigns conducted by known advanced persistent threat actors, both nation-state and financially motivated.
  • Each attack campaign may target multiple organizations across various countries.
  • Campaign durations can vary from weeks to months or even years. They are sorted by the “last seen” date of activity to include the most relevant ones. Note that this may result in campaigns stacking up on later dates, affecting time-based trends.
  • Attribution to specific threat actors can be murky due to increasingly overlapping TTPs and commodity tools used. While suspected threat actors in this report are attributed with high confidence, we acknowledge the potential for inaccuracy.

PHISHING

  • Our data focuses on phishing campaigns rather than individual phishing or spear-phishing emails, which may limit visibility into more advanced single-target attacks.
  • Our primary focus is on detecting brand impersonation over intended targets. Due to our collection methodology and automation, we may not present comprehensive victimology for phishing campaigns across all industries as some are simply not good phishing lures.

RANSOMWARE

  • The victim data presented in this report is directly sourced from the blogs of respective ransomware groups. However, it’s worth noting that certain blogs may provide limited victim information, such as only names or domains, while others may be entirely obfuscated. These limitations can impact the accuracy of victimology during bulk data processing.
  • In some cases, multiple companies share the same name but are located in different countries, which may lead to discrepancies in geography and industry. Similar discrepancies occur with multinational organizations where we are not able to identify which branch in which country was compromised. In such a case, we count the country of the company’s HQ.
  • During the training of our processing algorithms, we manually verified results for industry and geography statistics at an accuracy rate of 85% with a deviation of ±5%. We continuously fine-tune and update the process.
  • Data related to counts of victims per ransomware group and respective dates is 100% accurate at the time of ingestion, as per its publishing on the respective group’s blog sites.
  • Finally, we acknowledge that many victims are never listed as they are able to make a deal with the attackers to avoid being published on their blogs.

VULNERABILITIES

  • Statistics presented are processed from the CYFIRMA DeCYFIR platform, which collects reported vulnerabilities from a plethora of available sources and vendors.
  • Filtering is based on the categorization of vendors: specifically, vendors directly related to the specific industry, and supporting vendors such as Microsoft or Oracle whose products are used in most industries’ operations.
  • We only present vulnerabilities with a CYFIRMA score of 8 and higher to maintain clarity and a concise presentation.

While this report contains statistics and graphs generated primarily by automation, it undergoes thorough review and enhancement for additional context by CYFIRMA CTI analysts to ensure the highest quality and provide valuable insights.

ADVANCED PERSISTENT THREAT ATTACK CAMPAIGNS

Finance organizations featured in 12 out of the 12 observed campaigns, i.e., a presence in 100% of all campaigns.

OBSERVED CAMPAIGNS PER MONTH

After a period of lower detections in earlier months, we observe a spike in newly detected campaigns during September.

SUSPECTED THREAT ACTORS

As expected, due to the nature of the finance industry allowing for direct monetization, we are observing predominantly financially motivated cybercriminal APTs.

GEOGRAPHICAL DISTRIBUTION

Recorded victims of observed attack campaigns span 24 different countries. There does not appear to be a clear geographic pattern besides economy size. Considering the suspected TAs, this suggests opportunistic targeting and financial motivation over geopolitical motives.

TOP ATTACKED TECHNOLOGY

Web applications continue to be the most targeted technology across industries.

APT CAMPAIGNS

EXTERNAL THREAT LANDSCAPE MANAGEMENT (ETLM) OVERVIEW

Risk Level Indicator: High

In the past 90 days, finance organizations have been significantly impacted by advanced persistent threat (APT) campaigns. All observed APT campaigns (12 out of 12, i.e., 100%) recorded finance industry victims.

Monthly Trends
After lower detections in earlier months, the observed campaigns spiked to 6 during September.

Key Threat Actors
Since the finance industry allows for direct ways to monetize cybercrime, most suspected threat actors are known financially motivated cybercriminal groups. Russian cybercrime syndicates FIN7, FIN11, TA505, or the notorious North Korean Lazarus Group are behind most of the observed campaigns.

Geographical Impact
The campaigns impacted a total of 24 countries seemingly randomly spread across continents. Countries with large economies such as the US, Japan and India are most frequent victims.

Targeted Technologies
Web applications remain the most frequently targeted technology. We have also observed software asset management tools and operating systems being targeted.

PHISHING ATTACKS IN THE FINANCE INDUSTRY

Over the past 3 months, CYFIRMA’s telemetry detected 11,309 phishing campaigns themed around the finance sector out of a total of 224,391.
 
The chart below illustrates the global distribution of observed themes. Finance accounts for 5.04% of all captured phishing attempts, placing the industry as the 5th most frequent phishing theme.

GLOBAL DISTRIBUTION OF PHISHING THEMES

TOP IMPERSONATED BRANDS

In total, 215 financial organizations were impersonated in captured phishing attempts during the last 90 days. The most impersonated are the Asian financial platform DANA, Credit Agricole S.A. and the Commonwealth Bank of Australia.

TOP COUNTRIES OF ORIGIN (ASN)

The US is the leading source of finance-themed phishing, even though non-US organizations collectively are more frequently impersonated. In total, 57 countries were observed.

PHISHING

EXTERNAL THREAT LANDSCAPE MANAGEMENT (ETLM) OVERVIEW

Risk Level Indicator: Moderate

The finance sector remains a popular phishing theme due to the direct monetization avenue for threat actors. However, its share significantly decreased from 13.16% to 5.04%. This is largely due to the increasing share of unique and uncategorized Generic/Spear Phishing.

Asian financial platform DANA and French Credit Agricole S.A. stand out as the most impersonated brands, indicating large U.S. phishing campaigns in the last 90 days.

Overall, the list includes 215 organizations from 57 countries, such as the Commonwealth Bank of Australia (AU), Bancolombia (CO), and DBS Bank (Singapore), underscoring the worldwide nature of these threats.

ASN-origin data reveals that the United States is the leading source of phishing emails impersonating financial organizations, reflecting the extensive financial sector in the U.S. and the vast number of compromised devices used in botnets to send phishing emails. Significant activity is also observed in Australia, the Netherlands, and Germany for similar reasons.

India ranked as 5th most frequent target. Furthermore, Hong Kong and Singapore are often used by Chinese cyber criminals as a proxy. Southeast Asia and Latin America are steadily growing as sources and targets of global finance-themed phishing.

The presence in both developed and developing nations highlights that phishing campaigns are opportunistic and globally pervasive. Regional variations suggest more sophisticated attacks in high-count countries, while lesser-known regions like Kazakhstan and Uganda show expanding attacker reach.

RANSOMWARE VICTIMOLOGY

In the past 90 days, CYFIRMA has identified 66 verified ransomware victims in the finance industry. This accounts for 4.9% of the overall total of 1,344 ransomware victims during the same period, placing the finance industry as the 9th most frequent victim of ransomware.

GLOBAL DISTRIBUTION BY INDUSTRY

VICTIMS PER INDUSTRY SECTORS

Banking and Insurance sectors are the most frequent victims of ransomware in the finance industry.

INDUSTRY MONTHLY ACTIVITY CHART

Counting only a few days of June, we see sustained victim numbers with a spike during August.

BREAKDOWN OF ACTIVITY PER GANG

A breakdown of the monthly activity provides insights into which gangs were active each month. For example, Bianlian together with Play was most active in August, Killsec during September, and Akira together with other smaller gangs in July.

INDUSTRY RANSOMWARE VICTIMS PER GANG

In total, 24 out of 59 active groups recorded finance organizations as victims in the past 90 days. Notable is the relatively even distribution among a large number of groups in this period.

ALL RANSOMWARE VICTIMS PER GANG

Comparing the finance industry to all recorded victims, Killsec stands out with a high percentage of victims in this industry: 7 out of 28 (25%) of its victims were finance organizations, implying a focus on this industry. The second highest is Bianlian with 8 out of 49 (16.3%), followed by Cactus with 4 out of 48 (12%).

GEOGRAPHIC DISTRIBUTION OF VICTIMS

The geographic distribution heatmap underscores the widespread impact of ransomware, highlighting the countries where victims in this industry have been recorded.

INDUSTRY VICTIMS PER COUNTRY

In total, 21 countries recorded ransomware victims, with the US alone accounting for ~44% of all victims with identified geography.

RANSOMWARE

EXTERNAL THREAT LANDSCAPE MANAGEMENT (ETLM) OVERVIEW

Risk Level Indicator: Moderate

The finance industry is placed as the 9th most frequent victim. It faces a sustained ransomware threat, with attacks affecting a wide range of sub-sectors and a broad geographic distribution. The steady monthly activity, coupled with the involvement of numerous ransomware groups, highlights the ongoing risk.

Monthly Activity Trends
Ransomware activity in the finance industry recorded a spike during August.

Bianlian together with Play was most active in August, Killsec during September, and Akira together with other smaller gangs in July.

Ransomware Gangs
A total of 24 out of 59 active ransomware groups targeted the finance industry in the past 90 days:

Killsec: 25% of their victims were from the finance industry (7 out of 28 victims).

Bianlian: 16.3% of their victims were from the finance industry (8 out of 49 victims).

The relatively even distribution among many groups indicates no single gang currently dominates the ransomware landscape in the finance sector.

Geographic Distribution
The geographic distribution of ransomware victims in the finance industry reflects the industry’s global nature and the widespread reach of these attacks:

44% of all victims with identified geography are located in the US.

In total, 21 countries recorded ransomware victims in the finance industry.

For a comprehensive, up-to-date global ransomware tracking report, please refer to our new monthly “Tracking Ransomware” series here.

VULNERABILITIES IN THE FINANCE INDUSTRY

Over the past 3 months, CYFIRMA’s DeCYFIR platform recorded 5,671 reported vulnerabilities with scores higher than 8. This is out of a total of 17,280 reported vulnerabilities.
 
Filtered by vendors, we have observed 18 vulnerabilities related specifically to the finance industry. None of the reported vulnerabilities have a known exploit.

We also recorded 930 vulnerabilities related to supporting IT infrastructure, out of which 2 have reported and documented exploits, both for Atlassian Confluence.

INDUSTRY VULNERABILITIES BY SCORE

INDUSTRY VULNERABILITIES BY VENDOR

SUPPORTING VULNERABILITIES BY SCORE

SUPPORTING VULNERABILITIES BY VENDOR

CONCLUSION

In the past 90 days, finance organizations have faced moderate to high risks across monitored categories.

APT campaigns have heavily targeted the finance sector, with 100% of observed campaigns (12 out of 12) impacting this industry, particularly affecting countries like the United States, Japan, and India. Monthly trends showed a significant spike in APT activities during September. Russian cybercrime syndicates such as FIN7, FIN11, TA505, and the notorious North Korean Lazarus Group were the most active threat actors.

Phishing remains a prevalent impersonation threat, with the financial sector being a prime target due to its direct monetization potential, comprising 5.04% of all observed phishing and placing 5th overall. The Asian financial platform DANA and French Credit Agricole S.A. were the most impersonated brands, indicating extensive campaigns. In total, 215 organizations across 57 countries were impersonated, with phishing mostly originating from the United States, Australia, the Netherlands, Germany, India, and growing regions like Southeast Asia and Latin America.

Ransomware attacks pose a moderate but sustained risk, placing the finance industry as the 9th most targeted sector. The industry experienced steady monthly activity with a noticeable spike in August due to the Bianlian and Play gangs and increased activity from KillSec in September. Out of 59 active ransomware groups, 24 targeted the finance sector, with attacks being geographically widespread, notably affecting the United States, where 44% of victims are located. This diverse and persistent threat landscape underscores the ongoing ransomware risks facing the finance sector.

Furthermore, the finance industry faces additional risks from vulnerabilities within its IT infrastructure. Over the past three months, 5,671 high-severity vulnerabilities were reported out of a total of 17,280, with 18 specifically related to the finance industry. While none currently have known exploits, they represent potential entry points for attackers. Additionally, 930 vulnerabilities were identified in supporting IT infrastructure, with two documented exploits for Atlassian Confluence, highlighting areas requiring immediate attention.