Hidden Tunnels Help Hackers Launch Financial Services Attacks

Published : 22/11/2024   Category : security


Hackers are using the infrastructure, meant to transmit data between applications, for command and control.



The security tools and strategies financial services organizations use to protect their data could be leveraged by cybercriminals who sneak in undetected via hidden tunnels to conceal their theft, according to a new report published by Vectra.
Ironically, financial firms have the biggest non-government security budgets in the world, Vectra says. Bank of America invests more than $600 million in cybersecurity each year, while JPMorgan Chase spends $500 million. Equifax, while smaller than both, spends an annual $85 million on security.
Yet in Equifax's case, despite budget, staff, and a security operations center, in 2017 it took 78 days to detect a massive breach of its network, in which attackers accessed 145.5 million Social Security numbers, 17.6 million driver's license numbers, 20.3 million phone numbers, and 1.8 million email addresses.
The question of how attackers were able to exfiltrate so much data, and whether the same thing could happen at another financial firm, prompted Vectra researchers to take a closer look at exactly what happened.
A Review of the Equifacts
Equifax's breach started when a Web server was exploited to access the corporate network. The attackers avoided using tools that would alert the company's security team, instead building command-and-control (C&C) tunnels into Equifax. They installed more than 30 Web shells with different addresses to burrow into Equifax and, once inside the network, customized their hacking tools to exploit Equifax software, evade firewalls, and exfiltrate information.
For six months following the Equifax breach, Vectra researchers combed metadata from 246 opt-in customers and more than 4.5 million devices to learn more about attacker behaviors and network trends. They found the same activity that led to the Equifax breach is prevalent throughout the financial services industry.
What stood out most is the use of hidden tunnels in HTTP, HTTPS, and DNS traffic, which threat actors use to get into networks protected with strong access controls. These tunnels have been used for about three to four years, says Chris Morales, head of security analytics at Vectra, where researchers had been looking into this tactic long before Equifax was hit.
"Attackers don't use hidden tunnels unless they have to," he explains. When enterprise security defenses are strong, threat actors have to seek new ways to break through them.
Tunneling Into Financial Services
Financial firms have stronger security than most, securing Web applications with layers upon layers of access controls. Because apps are locked down, data has to be sent through hidden tunnels to move across an organization. There are legitimate use cases for this: specific stock tickers, commercial apps, and internal financial services use tunnels to communicate.
The high volume of traffic flowing to and from enterprise Web applications creates an ideal place for attackers to hide, Morales says. Hidden tunnels are tough to detect because communications are hidden within connections that use normal, permitted protocols. Messages can be embedded as text in headers, cookies, and other fields, researchers say.
Morales breaks down how an attack might work: A threat actor might start with an entry point as simple as a phishing campaign. With a foothold in the organization, the attacker can use reconnaissance techniques to learn the network: the number of devices, how to make the footprint more durable, and how to infect more machines.
"As he does all those things, he'll need to find ways to look like normal traffic," Morales explains. "Maybe he'll find a network scanning machine and perform recon from there because it'll look more normal." Once a tunnel is established, the hacker passes data in small chunks so it isn't picked up by anomaly detection systems.
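The two behaviours the article describes, data hidden in small chunks inside a permitted protocol and detection that has to work on aggregate patterns rather than single requests, are easiest to see side by side. The following is an added example, not code from Vectra or the article: a toy DNS tunnel encoder beside a detector that scores a query log per registered domain. DNS is used because its labels make the chunking visible; the same scoring (unique values, field length, entropy) applies to cookie or header values. The zone name cdn-metrics.example, the bank.example names, the thresholds, and the fake records are all constructed for illustration.

```python
"""Added example: toy DNS tunnel encoder and a per-domain tunnel detector.
Not from the Vectra report or the article; all names and data are constructed."""
import base64
import math
from collections import defaultdict

TUNNEL_ZONE = "cdn-metrics.example"   # constructed attacker-controlled zone
MAX_LABEL = 63                        # RFC 1035 label limit
CHUNK_BYTES = 30                      # 30 bytes -> 48 base32 chars, one label


def encode_tunnel_queries(data: bytes, zone: str = TUNNEL_ZONE) -> list[str]:
    """Split data into small chunks and carry each as one DNS label.

    Each query carries only a little data, so no single request looks large;
    the sequence number label lets the receiver reassemble out-of-order queries.
    """
    names = []
    for seq, i in enumerate(range(0, len(data), CHUNK_BYTES)):
        label = base64.b32encode(data[i:i + CHUNK_BYTES]).decode().rstrip("=").lower()
        assert len(label) <= MAX_LABEL
        names.append(f"{seq}.{label}.{zone}")
    return names


def decode_tunnel_queries(names: list[str]) -> bytes:
    """Receiver side: order by sequence label, restore base32 padding, decode."""
    out = bytearray()
    for name in sorted(names, key=lambda n: int(n.split(".")[0])):
        label = name.split(".")[1].upper()
        label += "=" * (-len(label) % 8)
        out += base64.b32decode(label)
    return bytes(out)


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded payloads score far above words like 'www'."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(name: str) -> str:
    # Crude: last two labels. Production code should use a public-suffix list.
    return ".".join(name.rstrip(".").split(".")[-2:])


def score_dns_log(queries: list[str], unique_threshold: int = 20,
                  label_threshold: int = 40, entropy_threshold: float = 3.5) -> dict:
    """Aggregate per registered domain. A single query is never enough; a domain
    is flagged only when at least two tunnel indicators co-occur."""
    stats = defaultdict(lambda: {"unique": set(), "max_label": 0, "entropies": []})
    for q in queries:
        sub_labels = q.split(".")[:-2]
        st = stats[registered_domain(q)]
        st["unique"].add(q)
        st["max_label"] = max([st["max_label"]] + [len(l) for l in sub_labels])
        st["entropies"].append(shannon_entropy("".join(sub_labels)))
    report = {}
    for dom, st in stats.items():
        mean_ent = sum(st["entropies"]) / len(st["entropies"])
        indicators = []
        if len(st["unique"]) >= unique_threshold:
            indicators.append("many unique subdomains")
        if st["max_label"] >= label_threshold:
            indicators.append("long labels")
        if mean_ent >= entropy_threshold:
            indicators.append("high subdomain entropy")
        report[dom] = {"unique": len(st["unique"]), "max_label": st["max_label"],
                       "mean_entropy": round(mean_ent, 2), "indicators": indicators,
                       "suspect": len(indicators) >= 2}
    return report


def sample_payload() -> bytes:
    # Constructed fake records; nothing here is real data.
    return b"".join(f"id={i};ssn=000-00-{i:04d};dob=1970-01-01\n".encode() for i in range(20))


def build_sample_log() -> list[str]:
    """Constructed log: ordinary lookups against bank.example interleaved with
    the toy tunnel's queries to cdn-metrics.example."""
    benign = ["www.bank.example", "api.bank.example", "mail.bank.example"] * 10
    return benign + encode_tunnel_queries(sample_payload())


if __name__ == "__main__":
    for dom, row in score_dns_log(build_sample_log()).items():
        print(dom, row)
```

Running the block prints one row per registered domain; cdn-metrics.example is flagged because it has dozens of unique subdomains and 48-character labels, while bank.example, with three short low-entropy hostnames repeated many times, is not. The point the thresholds make is the one Morales makes: a detector keyed on request size alone misses a tunnel that sends 30 bytes at a time, so the signal has to come from aggregate shape.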
Attackers could leverage tools purchased on the Dark Web to exfiltrate data and bypass access controls. The tools are out there, and attackers have a great ecosystem for sharing them, says Mike Banic, vice president of marketing at Vectra. In some cases, their ecosystem could be better than the defenders.
Compared with the industry average, there are fewer C&C behaviors in financial services, and HTTP C&C communications are lower overall, the report states. However, there are significantly more tunnels per 10,000 devices in financial services than all other industries combined.
