CrowdStrike Intelligence finds eCrime Group Shifts Approach to Targeted Attacks

Last month saw a coordinated effort by the STARDUST CHOLLIMA (known to support the Democratic People’s Republic of Korea, DPRK), to hack cash machines in 28 countries to loot over £10 million from an Indian bank. Research from CrowdStrike suggests that this type of attack is on the rise such as the adversary behind Dridex that used sub botnets, including sub-botnet 7200 to targets financial institutions in the United Kingdom

Modern financial cyberattacks are sophisticated and well-coordinated and increasingly turning to tactics and techniques originally the domain of state sponsored cyberactors. Banking trojans such as Trickbot and Dridex are no longer distributed through blanket emails to catch out the unwary. Rather they are well-researched and organised spear-phishing attempts that can raise millions in funding for criminal activities using sophisticated and targeted tactics.

Over the past year, CrowdStrike has been monitoring a range of banking Trojan threats. Early in 2017, INDRIK SPIDER, the adversary behind Dridex, appeared to be the most active eCrime adversary in the banking Trojan landscape. In the first few months of the year, this adversary released several new sub-botnets designed to focus on specific victim regions. However, since the latter half of 2017, Dridex spamming has appeared to decrease, suggesting this adversary has shifted to a more targeted approach.

That’s not the only change, throughout 2018, the threat has shifted toward larger organisations targeted for one extremely large payment rather than small payments from multiple consumers. This peaked in August 2018 with the ‘Cosmos ATM Cashout’ that secured an estimated $10m in revenue for the Lazarus Group.

Such targeted attacks represent a huge threat to organisations. Industries such as finance and banking are facing a constant barrage of attacks that threaten their ability to do business, reputation, customer trust, and assets. When looking to protect your business there are some simple steps you can take to reduce the risk of an attacker slipping through the net:

· Automation and AI – The threat landscape is changing faster than ever before and human reaction times can only do so much. Automation and AI can be trained to recognise indicators of a attack at the speed of the bad guys. More importantly, it helps organisation detect known threats, including new ransomware variants.

· Collaborative Cloud Intelligence – Hackers are not sitting by, they are innovating day by day, but by leveraging the speed and scalability of the cloud organisations can combine millions of sensors to feed in and build a huge data set. This intelligence can be analysed to see how the attack landscape is changing and pivoting second by second to spot new attacks and identify anomalies to prevent attacks in real-time.

· Behavioural Analytics – Dealing with financial ransomware can be like playing whack-a-mole, if you’re just constantly having to look over your shoulder about what you have learned from the past, you’re not really going to progress. A way around this is to adopt a behavioural approach that looks at the indicators of attack, identifies patterns and can then highlight if an attack is in the early stages before it penetrates the system.

Against these shifting threat types businesses need speed and intelligence to defend themselves and understand the rapidly evolving and emerging threat landscape to help their organisation and customers to prepare.