People usually associate “advanced persistent threat” (APT) with malicious outsiders—nation-state or other sophisticated attackers. Generally, once an APT attacker has established an initial foothold, they conduct “low-and-slow”-style attacks involving a prolonged period of reconnaissance and lateral movement. Insider threats are usually thought of as intentional (or sometimes accidental) acts of data theft or other compromise committed by trusted users who know their way around and have legitimate, open access to sensitive assets.
The threat news of the week is about MoneyTaker – a cybercrime group apparently responsible for theft of over $10M from 18 banks in the US and Russia. If you’ve read any of the online accounts, it’s easy to be overwhelmed by the details and the growing sophistication of cybercrime groups. While it’s important not to downplay their fierceness and the growing risks associated with advanced persistent threats, it’s also important to focus on the relatively simple capability organizations can embrace to combat them.
It goes without saying that rigorous security controls are irreplaceable. But no matter how strong an organization’s cybersecurity defenses are, determined attackers will still get in. Whether malicious insiders or external actors, persistent attackers fly below the radar and reside for months inside a network. They’re patient, studying the infrastructure and carefully planning their attack because what they’re typically after are the crown jewels of your business: essential data volumes, intellectual property, financial transactions, or revenue-dependent business operations.
*This blog was originally posted on Dark Reading
In discussions about cyber attacks, “when, not if” has become overused. We all know attacks are going to happen to every organization that depends on the Internet—which of course, is nearly every one. The risk of an attack is always present—and, in fact, malicious actors or software are probably present at most times in most environments.
“Hello darkness, my old friend”—Simon & Garfunkel couldn’t have said it better when it comes to describing ideal conditions for APTs. New targeted attacks against banks in Russia, Armenia, and Malaysia have been detected and attributed to the Silence group. Silence represents an ongoing cybercrime shift from targeting end users (bank account fraud) to carrying out advanced direct attacks against the banks themselves. According to Web India, Silence joins the ranks of the most devastating and complex cyber-robbery operations like Metel, GCMAN, and Carbanak, which succeeded in stealing millions of dollars from financial organizations.
Attacks on banks’ SWIFT wire transfer systems in 2016 made headlines, with the Bank of Bangladesh’s $81 million heist leading the losses. There might be another wave of fraud attacks underway, with news of NIC Asia Bank, one of Nepal’s largest private-sector commercial banks, experiencing an attack between October 17 and October 21. Attackers extracted $4.4 million in fraudulent money transfers from NIC Asia Bank to accounts in six other countries through a compromise of NIC systems. Earlier in October, attackers also stole $60 million from Far Eastern International Bank in Taiwan via fraudulent SWIFT money-moving messages. According to several reports from the past year, these attacks may be attributable to the Lazarus Group which has been very active in The Far East and Africa over the past decade. The group utilizes sophisticated TTPs, tailor-made to compromise SWIFT systems.