It is hard to believe that a year has passed since our last article on financial attacks and our predictions for 2020. It has been a tough one, but first things first. Let us review the forecasts we made at the end of 2019 and see how accurate we were. Then we will go through the key events of 2020 relating to financial attacks. Finally, we need to make a forecast of financial attacks in 2021. So let us begin.
Analysis of forecasts for 2020
- Attacks against Libra and TON/Gram: There is no short answer here; it is complicated. After all, Libra is yet to be released, therefore the prospects of attacks are still uncertain, and there is no room for cyberattacks either. The Gram project has simply been canceled.
- Reselling bank access: Yes. Unfortunately, this is true. There is a whole market with plenty of offers to provide remote access to various banks around the globe. Usually, attackers exploit one or more vulnerabilities and then resell access to financially motivated threat actors including targeted ransomware operators.
- Ransomware attacks against banks: Yes. That is another sad reality these days. Various targeted ransomware groups have attacked banks all around the world, for example, in Costa Rica, Chile and Seychelles. These three cases have been covered by the media. The Maze group is responsible for the attack in Costa Rica, while REvil (Sodinokibi) is behind the attack in Chile. Victims who pay up do not show up on the list of breached organizations. Nobody can be certain how many more banks have been hit by targeted ransomware attacks.
- The return of custom tooling: Yes. As we predicted last year, some cybercriminals would invest in new trojans and exploits as a part of their custom tooling operations. That situation has become particularly bad with the exploitation of various vulnerabilities in commercial VPN providers' products and their appliances running on customer infrastructure. On a different note, we have also seen cybercriminals creating tiny tools for network reconnaissance and data harvesting.
- Global expansion of mobile banking trojans: Yes, absolutely. Ginp, Ghimob, Anubis and Basbanke are just a few examples of the trend. By the way, Anubis source code has been leaked and published on the Internet. So, this is another cause of a global expansion of attacks against mobile banking systems.
- Targeting investment apps: Yes, partially. The Ghimob family is a good example of that. If we consider cryptocurrency exchange apps as investment apps, then the answer is also a solid yes. However, the scale of these attacks has not been massive yet.
- Magecarting 3.0: Yes. The expansion of Magecart has been impressive. You can find it everywhere. Today, it is also an umbrella for various groups that harvest payment cards. For example, the Lazarus threat actor is believed to have added digital payment-card skimming to its repertoire by using Magecart code.
- Political instability leading to a spread of cybercrime: No, partially. The COVID-19 situation and lockdowns around the world prevented people from travelling freely. This is the key reason why this prediction did not materialize in full. However, global expansions took place via the Internet, taking advantage of poorly configured and exposed systems, for example, those running vulnerable or misconfigured RDP services and so on.
Key events of 2020
- All sorts of financial cyberattacks linked to the impact of the COVID-19 crisis.
Companies became less secure due to hastily deployed remote work solutions. Some literally did not even have enough laptops to provide to their employees. They had to purchase whatever they found on the retail market, even if the machines did not comply with the security standards of the organization. At least, this kept the business running. However, those poorly configured machines had to connect to remote systems, something for which they were not prepared. Lack of employee training, default laptop configurations left unchanged and vulnerable remote access connections together made all sorts of attacks, including targeted ransomware, possible.
There is an increase in “red team” tools used once remote access to organizations has been established, for example, to dump passwords from memory, to reconnoiter the victim’s network and to move laterally inside the network.
- Expansion of Brazilian threat actors to the rest of the world.
The Brazilian cybercrime ecosystem used to be a regional player. This year, we have seen a few families expanding to other continents, targeting victims in Europe and elsewhere. We dubbed the first four families to do this (Guildma, Javali, Melcoz, Grandoreiro) “the Tétrade”. Others then followed: Amavaldo, Lampion and Bizarro. Speaking of mobile banking trojan threat actors, Ghimob is now targeting Latin America and Africa, while Basbanke is active in Portugal and Spain.
- PoS and ATM malware.
The infamous Prilex has positioned itself as a MaaS bazaar and recently implemented the replay attack. It is also moving to target PIN pad communications. In general, Prilex is positioning itself as a hacking group with a variety of skills in ATM malware, PoS malware, DDoS services, EMV software for cloning payment cards and others.
Some ATM malware families have evolved and now include RAT features. One of them is using dnscat2 to mask C2 communications and bypass traditional network detection mechanisms.
CESSO has become a type of MaaS and is now targeting Diebold, Wincor and NCR ATMs. It is designed to steal US dollars, euros, local Latin American currencies and others. The code suggests that the developer is a native speaker of Portuguese.
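The dnscat2 observation above is a reminder that C2 hidden in DNS has to be found by looking at query patterns rather than signatures. The following is an added example, not part of the original article or of any vendor's product: a heuristic that profiles DNS query logs per parent domain and flags those receiving many long, high-entropy, unique names. The thresholds, the `(qtype, qname)` log shape and the sample data are assumptions chosen for illustration.

```python
import hashlib
import math
from collections import Counter, defaultdict

def entropy(s):
    """Shannon entropy of a string in bits per character."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def split_name(qname):
    """Naive split: parent = last two labels (assumption: no public-suffix list)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def profile(queries):
    """Aggregate (qtype, qname) pairs into per-parent-domain statistics."""
    subs, types = defaultdict(set), defaultdict(Counter)
    for qtype, qname in queries:
        sub, parent = split_name(qname)
        if sub:
            subs[parent].add(sub)
            types[parent][qtype] += 1
    stats = {}
    for parent, names in subs.items():
        total = sum(types[parent].values())
        stats[parent] = {
            "unique": len(names),
            "mean_len": sum(map(len, names)) / len(names),
            "mean_entropy": sum(map(entropy, names)) / len(names),
            # Analyst context only, not a trigger: share of TXT/CNAME/MX queries.
            "payload_type_share": sum(types[parent][t] for t in ("TXT", "CNAME", "MX")) / total,
        }
    return stats

def flag_tunnels(queries, min_unique=20, min_len=30, min_entropy=3.0):
    """Return parent domains whose query pattern looks like data carried in names."""
    return sorted(p for p, s in profile(queries).items()
                  if s["unique"] >= min_unique and s["mean_len"] >= min_len
                  and s["mean_entropy"] >= min_entropy)

# Constructed sample data (not real traffic): ordinary lookups, a CDN with many
# short hostnames, and hex-encoded names of the kind a DNS tunnel produces.
SAMPLE = [("A", "www.bank.example"), ("A", "mail.bank.example"), ("MX", "bank.example")]
SAMPLE += [("A", f"img{i}.cdn.example") for i in range(40)]
SAMPLE += [(("TXT", "CNAME", "MX")[i % 3],
            hashlib.sha256(str(i).encode()).hexdigest()[:48] + ".tunnel.example")
           for i in range(30)]

if __name__ == "__main__":
    print(flag_tunnels(SAMPLE))
```

The CDN-style domain in the sample has more unique names than the tunnel but is not flagged, because all three conditions (volume, length, entropy) must hold together.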
- Targeted ransomware is the new normal and a part of financial organizations’ threat models.
Emboldened by success and excellent media coverage, threat actors behind targeted ransomware attacks have systematically increased the amounts they demand in exchange for not publishing stolen information. This point is important because it is not about data encryption any more, but about disclosing confidential information exfiltrated from the victim’s network. Due to payment card industry security and other regulations, leaks like this may result in significant financial losses.
Another key point regarding ransomware is that this year has seen it exploit the human factor as an initial infection vector. The story about an attempt to infect Tesla is a good example of this. When it comes to very high-profile targets, threat actors do not hesitate to spend time and resources to work within the MICE framework (Money, Ideology, Compromise and Ego) to get to victims’ networks.
Unfortunately, the ransomware story does not end there. The Lazarus group has tried its hand at the big game with the VHD ransomware family. This received attention, and other APT threat actors followed suit, MuddyWater among them.
Forecast for 2021
Before we proceed with our forecasts for 2021, it is important to state that most of the threats we have seen in 2020 will stay around for the next year. For example, targeted ransomware will remain relevant. Here is our list of new things to expect in the upcoming year, in no particular order:
- The COVID-19 pandemic is likely to cause a massive wave of poverty, and that invariably translates into more people resorting to crime including cybercrime. We might see certain economies crashing and local currencies plummeting, which would make Bitcoin theft a lot more attractive. We should expect more fraud, targeting mostly BTC, due to this cryptocurrency being the most popular one.
- MageCart attacks moving to the server side. We can see that the number of threat actors that rely on client-side attacks (JavaScript) is diminishing by the day. It is reasonable to believe that there will be a shift to the server side.
- A re-integration and internalization of operations inside of the cybercrime ecosystem: the major players on the cybercrime market and those who made enough profit will rely on their own in-house development mostly, reducing outsourcing to boost their profits.
- Advanced threat actors from countries placed under economic sanctions may rely more on ransomware imitating cybercriminals’ work. They may reuse already-available code or create their own campaigns from scratch.
- With ransomware groups making great profits, we should expect the use of 0-day exploits as well as N-day exploits in upcoming attacks. They will purchase both of these to expand even further the scale of attacks and boost their success, resulting in more profit.
- Cracking down hard on the cybercrime world. In 2020, OFAC announced that they would supervise any payment to ransomware groups. Then US Cyber Command took down Trickbot temporarily ahead of the elections. There should be an expansion of the “persistent engagement” strategy to financial crime. There is also a possibility of economic sanctions against institutions, territories or even countries that show a lack of resolve to combat cybercrime that originates on their territory.
- With the special technical capabilities of monitoring, deanonymization and seizing of BTC accounts now in place, we should expect cybercriminals to switch to transit cryptocurrencies for charging victims. There is a reason to believe they might switch to other privacy-enhanced currencies, such as Monero, to use these first as a transition currency and then convert the funds to any other cryptocurrency of choice including BTC.
- Extortion on the rise. One way or another, cybercriminals targeting financial assets will rely on extortion. If not ransomware, then DDoS or possibly both. This could be especially critical to companies that lose data, go through an exhausting data recovery process and then get knocked out of online operations.
Those are only a few of the things to expect in 2021. It is exciting to watch these times we live in. Who could have predicted one year ago that we would have to live through a pandemic for most of the year! We shall see when we get there.