In what has been referred to as an “unprecedented anomaly”, cyber criminals are increasingly targeting the financial services sector during the COVID-19 coronavirus pandemic, with attacks on banks and other financial institutions spiking by 38% between February and March to account for 52% of all attacks observed by VMware’s Carbon Black Cloud.
The sudden shift observed by Carbon Black threat researchers Patrick Upatham and Jim Treinen was also reflected by equally sharp declines in other verticals. Retail, for example, accounted for 31% of observed threats in February, but this dropped to 1.6% in March, suggesting that the shutdown of vast swathes of the industry has caused cyber criminals to turn their attention elsewhere.
Equally, healthcare, which usually falls in the top three verticals for targeting by malicious actors, ended March as the seventh most frequently attacked industry.
“As the COVID-19 battle continues globally, it is clear attackers will continue to target vulnerable populations and organisations,” wrote Upatham and Treinen in a blog detailing their findings.
“As the VMware Carbon Black Threat Analysis Unit (TAU) has found, attackers have been using COVID-19 to launch phishing attacks, fake apps/maps, trojans, backdoors, cryptominers, botnets and ransomware. Increased vigilance and visibility into enterprise-wide endpoint activity are more paramount than ever.”
Upatham and Treinen revealed that of the 52% of attacks targeting the financial services sector in March 2020, 70.9% of those came from the Kryptik trojan, a particularly nefarious and persistent threat, which targets victims through malicious installers and them tries to acquire admin rights to make registry modifications to let it execute each time a Windows machine boots.
Without the appropriate visibility tools, it can be very hard to spot because it tends to delete its executable file after running to obfuscate itself.
While overall volumes of cyber crime have remained relatively constant as the pandemic has developed, Carbon Black’s analysts said they had seen a clear correlation between notable coronavirus-related news and cyber attacks.
“Cyber criminals often exploit fear and uncertainty during major world events by launching cyber attacks,” they said. “These attacks are often performed with social engineering campaigns leveraging malicious emails that lure victims to install malware that steals financial data and other valuable personal information or, in some cases, turns a user’s computer into a cryptomining zombie.”
For example, Carbon Black observed a 48% spike in attacks over baseline levels on 30 January, the day the US announced its first case of COVID-19; a 64% spike on 29 February, when multiple US states declared public emergencies; a 28% spike on 8 March, when Italy went into full lockdown; and a 22% spike on 11 March, when the World Health Organization declared COVID-19 a pandemic.
Upatham and Treinen said their findings highlighted the importance of incorporating threat data analytics services into organisational cyber security postures to help security teams keep pace and stay ahead of attackers by observing wider trends in behaviour.
“Without big data analytics, companies can only focus on finding and stopping known methods and attacks, which leaves them vulnerable to new and emerging attacks,” they said. “Security teams must be able to predict and prevent not only known attacks, but future and unknown ones, too.
“Innovative processes like big data analytics take advantage of all available data – unfiltered endpoint data, event streams, attackers’ tactics and techniques, global threat intelligence, and more – to provide the most comprehensive protection possible.”