Is the financial sector still on cybercriminals’ radars?

The Middle East is one of the world’s fastest-growing financial hubs with the banking and finance services sector having seen immense transformation and innovation in the past few years.

However, organisations in the financial sector face a hostile threat landscape, as they are often the preferred targets of profit-seeking cybercriminals. According to Group-IB, ransomware gangs published information about 127 financial sector victim-companies, including from the UAE, on data leak sites, while a year ago, the number was less than 50. Another threat came from initial access brokers: Group-IB’s MEA Threat Intelligence & Research Center witnessed 95 cases of threat actors selling access to systems belonging to financial companies located in 25 countries, including organisations in the UAE and Saudi Arabia. In fact, a recent report by Financial Services Information Sharing and Analysis Centre, (FS-ISAC) predicted that financial firms may experience more cyber-attacks this year. In these difficult times, we need to use symmetrical measures to protect business, especially in the financial sector, as cybercriminals have become bolder and more aggressive.

Recognising the threat, countries in the Middle East regularly come up with new measures to curb cybercrime. For example, in November 2021, the UAE Central Bank established a new Networking and Cyber Security Operations Centre to help defend the financial system’s IT infrastructure against cyberattacks. Moreover, the Saudi Arabia Monetary Authority (SAMA) has issued a cybersecurity framework to enhance the cybersecurity posture of financial institutions.

Massive investment into expensive cybersecurity services and products alone will not help financial organisations win the race. The secret component is knowledge; real—time knowledge about the threats relevant to their geography and industry.

Growing appetite of ransomware gangs
In the past few months, ransomware has been the most damaging cyberthreat globally. Ransomware threat actors took advantage of the pandemic-driven increase in the attack surface like no one else did.

Not only did it become the most damaging type of digital crime it quite literally became the most lucrative for the cybercriminals. The ransom demands skyrocketed recently and reached as much as $240m. Accounting, insurance, and banking firms were among those targeted.

Meanwhile, the threat landscape is becoming increasingly diverse, old groups rebrand when they start attracting too much attention. The market is fuelled another cohort of cybercriminals – initial access brokers who sell of access to compromised networks.

Who’s behind your door?
Over the past four years, one of the most evident trends on underground forums is a sharp increase in the number of offers to sell access to compromised corporate networks. In the last year, the number of offers to sell access to banks and financial institutions increased by almost 206 per cent, from 31 to 95. Among this list were organisations from UAE and Saudi Arabia. The number of initial access brokers selling access to financial institutions also more than doubled, from 18 to 47. The total cost of access to financial sector companies offered for sale was $530,000.

The availability of tools for executing attacks on corporate networks, combined with poor corporate cyber risk management, resulted in an increase in the number of initial access brokers. The number of IABs will only keep growing paving the way for ransomware operators.

Masters of disguise
Phishing and scam affiliate programmes have become highly popular in the last few years. There are more than 70 phishing and scam affiliate programmes. Participants aim to steal money, as well as personal and payment data. Between the second half of 2020 and first half of 2021, the threat actors who took part in such schemes pocketed at least $10m in total.

What’s next? How can financial nstitutions protect themselves?
As you can see, the threat landscape for financial sector companies is very diverse. When it comes to combatting ransomware, there are three key factors that financial institutions need to consider: technology, the skillsets required within organisations, and knowledge about the attackers.

As most attacks are human-operated, these companies need to study and understand ransomware operators’ tactics and techniques and be able detect the tools in their arsenal based on the most frequently used initial vectors relevant for a financial sector in the region. Once they know the threats relevant to their entity, they can optimise their cybersecurity investment. If financial institutions are proactive and boost their cyber defences today, they will be well-equipped to deal with the inevitable cyberattacks of the future.

Moreover, to defend against the sale of access to their compromised networks, financial institutions should configure account access blocking to protect against brute-force attacks and limit remote access so that it can be gained only from trusted IP addresses. They should also check public data leaks for sets of credentials and change passwords found in leaks.

Ashraf Koheil is the director of Business Development – META at Group-IB