In an attempt to steal sensitive data, cyber-criminals have been targeting financial firms by building hidden tunnels in order to break into networks. According to a report released today by Vectra, these attack behaviors are the same as those that led to the 2017 Equifax breach.
According to a new report, 2018 Spotlight Report on Financial Services, attackers are able to gain remote access through the use of command-and-control (C&C). In the data analyzed, attackers had established nearly 30 web shells accessible from approximately 35 different public IP addresses, which allowed them to exfiltrate data while going undetected.
Attackers often leverage hidden tunnels to infiltrate networks with strong access controls because legitimate applications also use hidden tunnels to bypass security controls that can sometimes compromise full functionality. That’s why it’s a successful attack method.
“Every industry has a profile of network and user behaviors that relate to specific business models, applications and users,” said Chris Morales, head of security analytics at Vectra. “Attackers will mimic and blend in with these behaviors, making them difficult to expose.”
In this latest discovery, Vectra detected more hidden C&C tunnels and more than twice as many hidden data-exfiltration tunnels per 10,000 devices in financial services than all other industries combined.
To evade firewalls, attackers use special tunneling tools to move laterally, stockpiling data from database after database as they go. They were able to amass so much data that it then needed to be divided into smaller stockpiles so that no alarm bells went off during exfiltration.
“All this points to one painful fact: The largest enterprise organizations in the world remain lucrative targets for sophisticated cyber-attackers. Security breaches across multiple industries forge ahead in an upward trajectory, and the financial services industry is no exception,” the report said.