Cyber Threats Pose Growing Risk to Financial Services

The financial services industry faces heightened cyber threats, with ransomware attacks and zero-day vulnerabilities posing significant risks.
August 26, 2024

With a growing exposure to cyber attacks, financial services organizations need to strengthen their cyber defenses and resiliency in the face of an evolving threat landscape, according to a report from QBE North America.

Ransomware and extortion attacks pose a high threat to organizations across all industries, and the financial services sector is no exception. Financial services was the fourth-most targeted sector by ransomware attacks in 2023, following business services (first), retail (second) and manufacturing (third), according to the report.

The criminal ecosystem behind ransomware has evolved, providing threat actors with a variety of methods to gain access to corporate networks, QBE states. From exploiting vulnerabilities to phishing and purchasing credentials on the dark web, attackers have numerous ways to breach a financial services organization’s defenses. Even advanced security measures are not foolproof, as sophisticated threat actors can adapt their techniques to evade detection.

According to data from ransomware leak sites, the United States was by far the most affected country in the financial services sector, with 346 instances of financial services organizations listed as victims in 2023 alone.

The interconnected nature of the financial services industry means that an attack on one organization can have ripple effects across the entire sector, according to QBE. Supply chain attacks, where a threat actor compromises a service provider or vendor to gain access to their clients’ networks, pose a particularly high risk. The disruption caused by such attacks can be extensive, as seen in several incidents in 2023 and 2024.

Key vulnerabilities

One of the primary ways attackers breach financial services organizations is by exploiting external-facing infrastructure and leveraging zero-day vulnerabilities, per the report.

A Mandiant report published in June 2024 found that the top initial access vector, in 30% of ransomware attacks, was exploitation of vulnerabilities in infrastructure, enabling unauthorized access to the victim’s environment, the report noted. Exploits were followed by stolen credentials in 25% of cases, while brute force authentication and phishing each accounted for 14% of initial intrusion vectors.

In 2023, security teams grappled with a series of critical vulnerabilities that enabled threat actors to breach networks, such as MOVEit and Citrix Bleed. These zero-day vulnerabilities were exploited either before patches were available or shortly after disclosure, leaving organizations vulnerable as they scrambled to implement fixes.

The growing availability of zero-day vulnerabilities to a wider range of threat actors poses an increasing risk.

Once exclusive to advanced nation-state actors, zero-days are now accessible to more threat actors due to the growing technical proficiency of organized crime groups, the report noted. It is almost inevitable that zero-days and other high-impact vulnerabilities will continue to be discovered and leveraged by dangerous actors like ransomware operators, particularly in edge systems such as VPNs, email servers, firewalls, and file transfer applications.

Threat actors consistently adapt their phishing tactics to overcome new security controls. QBE cited a report by Egress that provides insights into the state of phishing in 2024:

  • Finance, legal, and health care are the most targeted sectors
  • Finance, accounting, HR, and marketing teams are the most targeted departments within businesses
  • HTML attachments have seen the biggest increase in adoption by threat actors
  • PDF and Word document attachments now typically contain links to malicious sites
  • File sharing sites like Dropbox, Google Drive, and attacker-controlled SharePoint sites are increasingly used to host malware

Threat actors are also bypassing multi-factor authentication through techniques like MFA-fatigue attacks, where users are pestered with multiple MFA requests until they accept, QBE stated. Phishing kits can offer actors the ability to bypass MFA as well, often through reverse proxies that relay multi-factor codes to attackers in real time.

Threat actors also drop malware onto victims’ systems through fake or compromised websites. When a user visits these websites, they may be presented with pop-ups urging them to update their browser, as seen in the prominent FakeUpdates/SocGholish campaign. Another technique, malvertising, uses websites imitating legitimate brands or applications to trick users into downloading malware alongside seemingly legitimate programs, the report noted.

Access the full QBE North America report here.
