Kaspersky Security Bulletin

Cyberthreats to financial organizations in 2022

A look back on the year 2021 and what to expect in 2022

First of all, we are going to analyze the forecasts we made at the end of 2020 and see how accurate they were. Then we will go through the key events of 2021 relating to attacks on financial organizations. Finally, we will make some forecasts about financial attacks in 2022.

Analysis of forecasts for 2021

  • The COVID-19 pandemic is likely to cause a massive wave of poverty, and that invariably translates into more people resorting to crime, including cybercrime. We might see certain economies crashing and local currencies plummeting, which would make Bitcoin theft a lot more attractive. We should expect more fraud, targeting mostly BTC, because this cryptocurrency is the most popular.
  • Yes. Data from the Brazilian Federation of Banks registered a considerable increase in crime (such as explosions at bank branches to steal money) and cybercrime (increased phishing and social-engineering attacks) against banking customers and banking infrastructure. Of course, this is the result of economic problems caused by the pandemic.

    In addition, bitcoin ended 2020 at around $28,000 and quickly rose to a peak of $40,000 in January 2021. Currently, at a value of approximately $60,000, cybercriminals have adapted their malware to monitor the operating system’s clipboard and redirect funds to addresses under their control. In fact, from January through the end of October, Kaspersky detected more than 2,300 fraudulent global resources aimed at 85,000 potential crypto investors or users who are interested in cryptocurrency mining. The lockdown’s effect on the global economy is leading emerging markets and different regions to adopt cryptocurrency as legal tender or at least as a way of storing value during these times.

  • MageCart attacks moving to the server side. We can see that the number of threat actors that rely on client-side attacks (JavaScript) is diminishing by the day. It is reasonable to believe that there will be a shift to the server side.
  • Yes. Magecart Group 12, known for skimming payment information from online shoppers, now uses PHP web shells to gain remote administrative access to the sites under attack to steal credit card data, rather than using their previously favored JavaScript code. A file that attempts to pass itself as ‘image/png’ but does not have the proper .PNG format loads a PHP web shell in compromised sites by replacing the legitimate shortcut icon tags with a path to the fake .PNG file. The web shell is harder to detect and block because it injects the skimmer code on the server-side rather than the client-side.

  • A re-integration and internalization of operations inside the cybercrime ecosystem: the major players on the cybercrime market and those who made enough profit will mostly rely on their own in-house development, reducing outsourcing to boost their profits.
  • Yes. Lots of groups recruited numerous affiliates, but this approach comes with the potential problems of human error and leaks. To boost their profits and depend less on outsourcing, some groups such as Revil even scammed their affiliates, adding a backdoor capable of hijacking negotiations with victims and taking the 70% of the ransom payments that is supposed to go to the affiliates.

    The Conti Gang was another group that also had issues with their associates when an apparently vengeful affiliate leaked the ransomware group’s playbook after claiming the notorious cybercriminal organization underpaid him for doing its dirty work. The data revealed in the post included the IP addresses for the group’s Cobalt Strike command-and-control servers (C2s) and a 113MB archive containing numerous tools and training materials explaining how Conti performs ransomware attacks.

  • Advanced threat actors from countries placed under economic sanctions may rely more on ransomware imitating cybercriminal activity. They may reuse publicly available code or create their own campaigns from scratch.
  • Yes. In April 2021, the Andariel group attempted to spread custom Ransomware. According to the Korean Financial Security Institute, Andariel is a sub-group of the Lazarus threat actor. Interestingly, one victim was found to have received ransomware after the third stage payload. This ransomware sample is custom made and developed explicitly by the threat actor behind this attack. This ransomware is controlled by command line parameters and can either retrieve an encryption key from the C2 or an argument at launch time.

  • As ransomware groups continue to maximize profits, we should expect to see the use of 0-day exploits as well as N-day exploits in upcoming attacks. These groups will purchase both to expand the scale of their attacks even further, boosting their success rate, and resulting in more profit.
  • Definitely yes. We saw many attacks using N-days, such as the attack that targeted the Brazilian Supreme Court (exploiting vulnerabilities in VMWare ESXI (CVE-2019-5544 and CVE-2020-3992). Also, many groups relied on vulnerabilities in VPN servers. Threat actors conducted a series of attacks using the Cring ransomware. An incident investigation conducted by Kaspersky ICS CERT at one of the attacked enterprises revealed that they exploited a vulnerability in FortiGate VPN servers (CVE-2018-13379).

    We also saw attackers relying on 0-days. Probably the most impactful was the Kaseya compromise, using supply-chain vulnerabilities to distribute ransomware (CVE-2021-30116). Another impressive attack, also relying on supply-chain compromise, was against BQE Software, the company behind billing software BillQuick, which claims to have a 400,000 strong user base worldwide. An unknown ransomware group exploited a critical SQL injection bug found in the BillQuick Web Suite time and billing solution to deploy ransomware on their targets’ networks in ongoing attacks (CVE-2021-42258).
    As these groups have deep pockets with all the money they have received from numerous attacks, we can expect more attacks exploiting N-days and 0-days to deliver ransomware to lots of targets.

  • Cracking down hard on the cybercrime world. In 2020, OFAC announced that they would supervise any payment to ransomware groups. Then US Cyber Command took down Trickbot temporarily ahead of the elections. There should be an expansion of the “persistent engagement” strategy to financial crime. There is also a possibility of economic sanctions against institutions, territories or even countries that show a lack of resolve to combat cybercrime that originates on their territory.
  • Yes. With continued opposition to ransomware payments, OFAC made clear its view that making ransomware payments encourages future ransomware attacks and, if such payments (and related services and facilitation) violate US sanctions prohibitions, may expose payment participants to OFAC sanctions enforcement. And while “the FBI understands that when businesses are faced with an inability to function, executives will evaluate all options to protect their shareholders, employees, and customers,” the Updated Advisory strongly discourages all private companies and citizens from paying the ransom or extortion demands and recommends focusing on strengthening defensive and resilience measures to prevent and protect against ransomware attacks.

    The Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments describes the potential sanctions risks associated with making and facilitating ransomware payments and provides information for contacting relevant US government
    agencies, including OFAC, if there is any reason to suspect the cyber actor demanding ransomware payment may be sanctioned or otherwise have a sanctions nexus.

    In addition, a new proposed law compels US businesses to disclose any ransomware payments within 48 hours of the transaction. The Ransom Disclosure Act will:

    • Require ransomware victims (excluding individuals) to disclose information about ransom payments no later than 48 hours after the date of payment, including the amount of ransom demanded and paid, the type of currency used for payment of the ransom, and any known information about the entity demanding the ransom;
    • Require DHS to make public the information disclosed during the previous year, excluding identifying information about the entities that paid ransoms;
    • Require DHS to establish a website through which individuals can voluntarily report payment of ransoms;
    • Direct the Secretary of Homeland Security to conduct a study on commonalities among ransomware attacks and the extent to which cryptocurrency facilitated these attacks and provide recommendations for protecting information systems and strengthening cybersecurity.

    The US Department of the Treasury recently sanctioned two virtual currency exchanges, which helped ransomware threat actors to process victims’ payments. Back in September 2021, SUEX got sanctioned and accused of money laundering. In November 2021, Chatex, which is directly connected to SUEX, also got sanctioned with similar charges, according to public information.

  • With the special technical capabilities of monitoring, deanonymization and seizing of BTC accounts now in place, we should expect cybercriminals to switch to transit cryptocurrencies for charging victims. There is reason to believe they might switch to other privacy-enhanced currencies, such as Monero, to use these first as a transition currency and then convert the funds to any other cryptocurrency of choice including BTC.
  • No. While the Department of Justice seized $2.3 million in cryptocurrency paid to the ransomware extortionists Darkside, other privacy and anonymity-focused cryptocurrencies such as Monero, Dash or Zcash, still aren’t the default choice used by cybercriminal groups. With more regulatory pressure aimed at exchanges, threat actors attempting to cash out ransomware bounties obtained through anonymous coins could face additional difficulties than those that rely on Bitcoin or Ethereum for their illegal businesses. Even if the payments are traceable, different coin-mixing and coin-laundering underground services facilitate re-entering funds into the legitimate exchange ecosystem. Monero, among other similar cryptocurrencies, has been delisted (banned from operating) from popular exchanges. Using it for trading or simply swapping is not as easy as it used to be.

  • Extortion on the rise. One way or another, cybercriminals targeting financial assets will rely on extortion. If not ransomware, then DDoS or possibly both. This could be especially critical to companies that lose data, go through an exhausting data recovery process and then have their online operations knocked out.
  • Yes. 2021 saw the appearance of two new botnets. News broke in January of the FreakOut malware that attacks Linux devices. Cybercriminals exploited several critical vulnerabilities in programs installed on victim devices, including the newly discovered CVE-2021-3007. Botnet operators use infected devices to carry out DDoS attacks or mine cryptocurrency.

    Cybercriminals also found a host of new tools for amplifying DDoS attacks.

    The most significant event in Q1 was the COVID-19 vaccination program. As new segments of the population became eligible for vaccination, related websites suffered interruptions. For example, at the end of January, a vaccine registration website in the US state of Minnesota crashed under the load.

    We have seen how some groups like Egregor (arrested) extorted via massive LAN printing. Other groups rely on telephone calls, leaving voice messages and threatening employees and their families.

Key events in 2021

  • Ransomware threat actor arrests
  • With ransomware attacks going wild and stealing the headlines this year, law enforcement all around the world intensified their fight against ransomware groups. In 2021, we saw Egregor, one of the noisiest ransomware families, reborn from Sekhmet and previously from Maze, get busted. Another case in point is REvil, aka Sodinokibi, that came from GandCrab, which came from Cerber. In November, some of their affiliates were arrested as well. The arrest of Yaroslav Vasinskyi and the charges against Yevgeniy Polyanin are excellent examples of effective international cooperation in the cybercrime fight.

  • Facebook incidents (a data breach in April and a data leak in October)
  • Because of Facebook’s rebrand and new mission announced by its CEO, the company’s data leaks may represent a severe risk to their customers. Some companies have gone entirely virtual, and an account takeover could cause severe harm to their business or sales.
    We also learned that Meta’s goal is to consolidate people’s lives, connecting them in all aspects of life, including financially. This concerns, for instance, money transfers and, potentially, other financial activities. With customers’ plain text information disclosed by leaks on the internet, cybercriminals have gained new attack possibilities.

  • Android Trojan bankers on the rise
  • This year, we saw more Android Trojan bankers targeting users worldwide with a special focus on Europe, Latin America and the Middle East. In 2021, we have witnessed several families, such as RealRAT, Coper, Bian, SMisor, Ubel, TwMobo, BRata, and BasBanke actively targeting mobile users. Some of those campaigns are accompanied by social engineering where the threat actor calls the victim and sends a specially crafted text message with a download link leading to a malicious APK file after a short conversation.

Forecasts for 2022

  • Rise and consolidation of information stealers
  • Our telemetry shows an exponential growth in infostealers in 2021. Given the variety of offers, low costs, and effectiveness, we believe this trend will continue. Additionally, it might even be used as a bulk collector for targeted and more complex attacks.

  • Cryptocurrency targeted attack
  • The cryptocurrency business continues to grow, and people continue to invest their money in this market because it’s a digital asset and all transactions occur online. It also offers anonymity to users. These are attractive aspects that cybercrime groups will be unable to resist.
    And not only cybercrime groups but also state-sponsored groups who have already started targeting this industry. After the Bangladesh bank heist, the BlueNoroff group is still aggressively attacking the cryptocurrency business, and we anticipate this activity will continue.

  • More cryptocurrency-related threats: fake hardware wallets, smart contract attacks, DeFi hacks and more
  • While in some regions cryptocurrency has been banned, it has received official recognition and acceptance in others. And it’s not just about El Salvador. For example, the Mayor of Miami declared that the City plans to start paying residents who use cryptocurrency, and he stated on Twitter that he would receive his salary 100% in bitcoin.
    While some people consider it risky to invest in cryptocurrencies, those who do realize that their wallet is the weakest link. While most infostealers can easily steal a locally stored wallet, a cloud-based one is also susceptible to attacks with the risk of losing funds. Then there are hardware-based cryptocurrencies wallets. But the question is, are there sufficiently reliable and transparent security assessments to prove that they are safe?
    In the scramble for cryptocurrency investment opportunities, we believe that cybercriminals will take advantage of fabricating and selling rogue devices with backdoors, followed by social engineering campaigns and other methods to steal victims’ financial assets.

  • Targeted ransomware – more targeted and more regional
  • With the international efforts to crack down on major targeted ransomware groups, we will see a rise in small regionally derived groups focused on regional victims.

  • The adoption of Open Banking in more countries may lead to more opportunities for cyberattacks
  • The UK was the pioneer, but nowadays many countries are adopting it. As most of the Open Banking systems are based in APIs and Web API queries, performed by financial institutions, we can expect more attacks against them, as pointed out by Gartner: “in 2022, API abuses will move from an infrequent to the most frequent attack vector, resulting in data breaches for enterprise web applications.”

  • Mobile banking Trojans on the rise
  • As mobile banking experienced booming adoption worldwide due the pandemic (in Brazil it represented 51% of all transactions in 2020), we can expect more mobile banking Trojans for Android, especially RATs that can bypass security measures adopted by banks (such as OTP and MFA). Regional Android implant projects will move globally, exporting attacks to Western European countries.

  • Rise of threat to online payment systems
  • Amid the pandemic, many companies have gone digital and moved their systems online. And the longer people stay at home because of quarantine and lockdowns, the more they rely on online markets and payment systems. However, this rapid shift does is not accompanied by the appropriate security measures, and it is attracting lots of cybercriminals. This issue is particularly severe in developing countries, and the symptoms will last for a while.

  • With more fintech apps out there, the increasing volume of financial data is attracting cybercriminals
  • Thanks to online payment systems and fintech applications, lots of important personal information is stored on mobile. Many cybercrime groups will continue to attack personal mobile phones with evolved strategies such as deep fake technology and advanced malware to steal victims’ data.

  • Remote workers using corporate computers for entertainment purposes, such as online games, continue to pose financial threats to organizations
  • In 2020, the number of gamers surpassed 2.7 billion, with the Asia-Pacific becoming the most active region. Even if video game platforms such as Steam reached all-time highs during April and May 2020, this year, Steam peaked at 27 million concurrent players in March. In our Do cybercriminals play cyber games during quarantine? article, we wrote that users relied on corporate laptops to play video games, watch movies and use e-learning platforms. This behavior was easy to identify because there was a boom in the Intel and AMD mobile graphic cards market in 2020-2021 compared to previous years. This trend is here to stay, and while during 2020, 46% of employees had never worked remotely before, now two-thirds of them state they wouldn’t go back to an office, with the rest claiming to have a shorter office work week.
    Cybercriminals spread malware and steal logins, in-game items, payment information and more through the use of video games such as Minecraft or Counter-Strike: Global Offensive. In addition, Hollywood blockbuster movies have become the perfect lure for those desperate to watch a film before it’s released, and all from the comfort of their own homes. That was the case with the latest James Bond film, No Time to Die, with cybercriminals using adware, Trojans and ransomware to steal private information and even blackmailing victims who wanted their data back.

  • ATM and PoS malware to return with a vengeance
  • During the pandemic, some locations saw PoS/ATM transaction levels drop significantly. Lockdowns forced people to stay at home and make purchases online, and this was mirrored in PoS/ATM malware too. As restrictions are lifted, we should expect the return of known PoS/ATM malware projects and the appearance of new projects. Cybercriminals will regain their easy physical access to ATMs and PoS devices at the same time as customers of retailers and financial institutions.

Cyberthreats to financial organizations in 2022

Your email address will not be published. Required fields are marked *

 

Reports

Meet the GoldenJackal APT group. Don’t expect any howls

GoldenJackal is an APT group, active since 2019, that usually targets government and diplomatic entities in the Middle East and South Asia. The main feature of this group is a specific toolset of .NET malware, JackalControl, JackalWorm, JackalSteal, JackalPerInfo and JackalScreenWatcher.

APT trends report Q1 2023

For more than five years, the Global Research and Analysis Team (GReAT) at Kaspersky has been publishing quarterly summaries of advanced persistent threat (APT) activity. These summaries are based on our threat intelligence research; and they provide a representative snapshot of what we have published and discussed in greater detail in our private APT reports.

Subscribe to our weekly e-mails

The hottest research right in your inbox