Below the Waterline: The Evolution of Island Hopping
This year’s Cyber Bank Heists report by Contrast Security was eye opening. The annual report sheds light on the cybersecurity threats facing the financial sector and the findings reflect the impact that the cybercrime events of the past year have had—and continue to have—on financial institutions (FIs) around the world.
The report authors interviewed financial sector security leaders about the type of attacks they’re seeing, what threats they’re most concerned about, and how they’re adjusting their security strategy.
Given that 60 percent of FIs were victims of destructive attacks in 2022, it is critical that the financial sector understand that cybercrime cartels and nation-states are evolving in both attack sophistication and organization. These are not the bank heists of the past: mere wire transfer fraud is no longer the ultimate goal; hijacking the digital transformation of an FI itself is.
What is Island Hopping?
One of the most notable findings from the report is the evolution of island hopping. Island hopping occurs when an adversary hijacks a bank's digital transformation and uses it to launch attacks against the bank's customers and partners.
The modus operandi is simple: infiltrate the corporate environment via application attacks, then use that access to launch attacks against the customer base. Just look at Kaseya or SolarWinds. Both were victims of historic supply-chain attacks that spread to the two companies' clients. With SolarWinds, attackers broke into the company's build systems and inserted a backdoor into its Orion IT monitoring and management software; the trojanized update was shipped to customers as a legitimate release and triggered an incident that affected thousands of organizations. Kaseya was hit by a supply-chain attack in which attackers abused its VSA remote-management product to push ransomware through managed service providers to their clients, leaving hundreds of organizations around the world with encrypted systems and data.
There has been a dramatic increase in island hopping in 2022, with 58 percent of respondents saying they have been victimized by this type of attack, an increase that represents a tremendous operational and reputational risk to victim organizations. PricewaterhouseCoopers (PwC) has reported that 87 percent of consumers are willing to take their money, and their business, and walk away if or when a data breach occurs. Companies run the risk of losing not just customers, but also their best talent, suppliers, and investors. Customers, employees and suppliers look for companies they can trust, while financial analysts include reputation metrics as part of their investment criteria.
Fifty-four percent of FIs are most concerned with the cyber threat posed by Russia, followed closely by North Korea and China. Cybercrime cartels operating from these countries have studied the interdependencies of FIs, understand which managed service providers are being used, and are targeting their application programming interfaces (APIs). According to the report's findings, 50 percent of FIs have experienced attacks against their APIs.
Why is this happening? Well, APIs enable essential communications between applications in finance. They connect the intricate moving parts of sophisticated cloud-native applications that run the bank. Modern Web apps are clusters of interconnected APIs, microservices, frameworks, libraries, and serverless functions crossing multiple cloud and on-premises environments.
APIs' growing ubiquity, and the physical spread of the distributed infrastructure on which they are deployed, present an ever-expanding attack surface for cybercriminals. Even more concerning is that APIs themselves can be used to island hop: an adversary hijacks a bank's API and uses it to launch attacks against the bank's customers.
Future Attacks on APIs
We should expect to see APIs increase as an attack vector for several reasons:
- The total number of public and private APIs in use is approaching 200 million.
- New development is shifting to microservices architectures, which multiply the number of APIs per application.
- Shadow APIs abound: APIs, including third-party ones, that are in use but have not been inventoried, managed, or secured by the organization relying on them.
- Continuous development leads to API sprawl and versioning issues.
- Hybrid apps spanning on-premises, cloud, and serverless environments increase the attack surface.
When a client application calls an API to retrieve data from an external server or service and deliver it back to the client, the results that come back are usually presumed to be trustworthy. Zero Trust must be applied to those responses as well. Left unchecked, APIs open banks up to hostage situations in which an API is poisoned and used to attack bank customers and employees.
Given this reality, this offensive tactic must inform our defense. Cyber vigilance must extend to APIs.
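What "Zero Trust for API responses" looks like in code, as an added example that is not from the Contrast Security report or this article: a bank service fetches an FX rate from a third-party provider and, rather than using whatever comes back, validates the payload against a strict allow-list of fields, value bounds and a freshness window before the rate is used. The provider, field names, bounds and sample payloads are constructed assumptions for illustration.

```python
"""
Added example (not from the report or article): treat a third-party API
response as untrusted input. A poisoned provider cannot smuggle extra fields
(e.g. HTML a naive client would render to customers), absurd values, or
replayed quotes past this check. Field names and bounds are assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from decimal import Decimal, InvalidOperation

CURRENCY_RE = re.compile(r"^[A-Z]{3}$")            # ISO 4217-style code
ALLOWED_KEYS = {"base", "quote", "rate", "ts"}     # any other key is rejected
MAX_STALENESS = timedelta(minutes=5)               # reject replayed/old quotes
MAX_CLOCK_SKEW = timedelta(seconds=30)             # reject quotes "from the future"
# Sanity envelope: a rate outside this band is more likely poisoning than market data.
RATE_MIN, RATE_MAX = Decimal("0.0001"), Decimal("100000")


class UntrustedResponse(ValueError):
    """Raised when an upstream payload fails validation."""


@dataclass(frozen=True)
class FxQuote:
    base: str
    quote: str
    rate: Decimal
    ts: datetime


def _currency(value: object, field: str) -> str:
    if not isinstance(value, str) or not CURRENCY_RE.match(value):
        raise UntrustedResponse(f"{field}: not a 3-letter currency code")
    return value


def validate_fx_response(payload: object, now: datetime | None = None) -> FxQuote:
    """Return a validated FxQuote or raise UntrustedResponse. Never trust the wire."""
    now = now or datetime.now(timezone.utc)
    if not isinstance(payload, dict):
        raise UntrustedResponse("payload is not a JSON object")
    # 1. Exact key set: unknown fields are rejected, not ignored, because
    #    downstream code might render or follow them.
    extra, missing = set(payload) - ALLOWED_KEYS, ALLOWED_KEYS - set(payload)
    if extra or missing:
        raise UntrustedResponse(f"unexpected keys {sorted(extra)}, missing {sorted(missing)}")
    base = _currency(payload["base"], "base")
    quote = _currency(payload["quote"], "quote")
    # 2. Numeric value: no bools, no NaN/inf, Decimal (not float) arithmetic, bounded.
    raw_rate = payload["rate"]
    if isinstance(raw_rate, bool) or not isinstance(raw_rate, (str, int, float)):
        raise UntrustedResponse("rate: wrong type")
    try:
        rate = Decimal(str(raw_rate))
    except InvalidOperation as exc:
        raise UntrustedResponse("rate: not a number") from exc
    if not rate.is_finite() or not (RATE_MIN <= rate <= RATE_MAX):
        raise UntrustedResponse("rate: outside sanity envelope")
    # 3. Freshness: timezone-aware ISO-8601 timestamp inside a narrow window.
    raw_ts = payload["ts"]
    if not isinstance(raw_ts, str):
        raise UntrustedResponse("ts: wrong type")
    try:
        ts = datetime.fromisoformat(raw_ts)
    except ValueError as exc:
        raise UntrustedResponse("ts: not ISO-8601") from exc
    if ts.tzinfo is None:
        raise UntrustedResponse("ts: missing timezone")
    if now - ts > MAX_STALENESS or ts - now > MAX_CLOCK_SKEW:
        raise UntrustedResponse("ts: stale or from the future")
    return FxQuote(base=base, quote=quote, rate=rate, ts=ts)


def is_accepted(payload: object, now: datetime | None = None) -> bool:
    """True if the payload passes validation; used by callers that only need a verdict."""
    try:
        validate_fx_response(payload, now)
    except UntrustedResponse:
        return False
    return True


# Constructed sample payloads (not real provider data).
FIXED_NOW = datetime(2023, 3, 1, 12, 0, tzinfo=timezone.utc)
GOOD = {"base": "USD", "quote": "EUR", "rate": "0.92", "ts": "2023-03-01T11:58:00+00:00"}
# A "poisoned" provider adds a field a naive client might render into a customer page.
POISONED_EXTRA = dict(GOOD, notice="<script src='https://evil.example/x.js'></script>")
ABSURD_RATE = dict(GOOD, rate="0.0000001")          # 1 USD would buy ~1e7 EUR
STALE = dict(GOOD, ts="2023-03-01T09:00:00+00:00")  # replayed three-hour-old quote

if __name__ == "__main__":
    for name, sample in [("GOOD", GOOD), ("POISONED_EXTRA", POISONED_EXTRA),
                         ("ABSURD_RATE", ABSURD_RATE), ("STALE", STALE)]:
        print(f"{name:15s} accepted={is_accepted(sample, FIXED_NOW)}")
```

The same shape applies to any upstream the bank depends on: pin the key set, type and range of every field, bound the age of the data, and fail closed. Transport security (TLS, mTLS, signed responses) proves who sent the payload; it says nothing about whether the sender itself has been compromised, which is exactly the island-hopping case.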
To mitigate this burgeoning threat, FIs must follow these best practices:
- Maintain a complete inventory of APIs in development and exposed in production.
- Perform full security testing against running APIs during development to identify and remediate unknown vulnerabilities.
- Establish strong authentication and access control.
- Identify security gaps in the software supply chain by finding vulnerabilities in active third-party libraries, frameworks, and services.
- Finally, protect against zero-day attacks by ensuring all APIs are deployed with runtime security.
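The first practice above, a complete inventory, is only useful if it is reconciled against what production actually serves; that reconciliation is also how shadow APIs get found. The following is an added example, not code from the report or this article: it compares a minimal OpenAPI-style inventory of documented routes with web-server access-log lines and reports (a) endpoints being served that the inventory does not know about and (b) documented endpoints that carry no traffic. The inventory, the log lines and the hypothetical bank routes are all constructed for illustration.

```python
"""
Added example (not from the report or article): reconcile the documented API
inventory against observed production traffic to surface shadow endpoints.
The spec, routes and log lines below are constructed samples.
"""
import re
from collections import Counter

# Constructed inventory for a hypothetical bank API (OpenAPI "paths" shape, simplified).
OPENAPI_PATHS = {
    "/v2/accounts/{accountId}": ["GET"],
    "/v2/accounts/{accountId}/transactions": ["GET", "POST"],
    "/v2/fx/quotes": ["GET"],
}

# Constructed access-log lines (combined log format), not real traffic.
ACCESS_LOG = """\
10.0.0.5 - - [01/Mar/2023:12:00:01 +0000] "GET /v2/accounts/1234 HTTP/1.1" 200 512
10.0.0.5 - - [01/Mar/2023:12:00:02 +0000] "POST /v2/accounts/1234/transactions HTTP/1.1" 201 88
10.0.0.9 - - [01/Mar/2023:12:00:03 +0000] "GET /v1/accounts/1234/export?all=1 HTTP/1.1" 200 90211
10.0.0.9 - - [01/Mar/2023:12:00:04 +0000] "DELETE /v2/accounts/1234 HTTP/1.1" 204 0
10.0.0.7 - - [01/Mar/2023:12:00:05 +0000] "GET /internal/debug/env HTTP/1.1" 200 4410
"""

# Pull method and path out of the quoted request line.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')


def template_to_regex(template: str) -> re.Pattern:
    """Turn '/v2/accounts/{accountId}' into an anchored regex; {param} matches one segment."""
    pattern = "".join(
        r"[^/]+" if part.startswith("{") and part.endswith("}") else re.escape(part)
        for part in re.split(r"(\{[^}]+\})", template)
    )
    return re.compile(f"^{pattern}$")


def build_inventory(spec):
    """Compile the documented (method, template, regex) triples once."""
    return [(method, template, template_to_regex(template))
            for template, methods in spec.items() for method in methods]


def lookup(method, path, inventory):
    """Return the documented template covering (method, path), or None if undocumented."""
    for doc_method, template, regex in inventory:
        if doc_method == method and regex.match(path):
            return template
    return None


def reconcile(spec, log_text):
    """Split observed traffic into documented vs shadow; also list documented-but-unexercised routes."""
    inventory = build_inventory(spec)
    shadow = Counter()
    exercised = set()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue                          # not a request line we understand
        path = m["path"].split("?", 1)[0]     # the query string is not part of the route
        template = lookup(m["method"], path, inventory)
        if template is None:
            shadow[(m["method"], path)] += 1  # served in production, absent from inventory
        else:
            exercised.add((m["method"], template))
    documented = {(method, template) for template, methods in spec.items() for method in methods}
    return {"shadow": dict(shadow), "unexercised": sorted(documented - exercised)}


if __name__ == "__main__":
    report = reconcile(OPENAPI_PATHS, ACCESS_LOG)
    for (method, path), hits in sorted(report["shadow"].items()):
        print(f"SHADOW      {method:6s} {path}  ({hits} hits)")
    for method, template in report["unexercised"]:
        print(f"UNEXERCISED {method:6s} {template}")
```

On the constructed log the report flags three shadow routes: a legacy `/v1` export endpoint that was never retired, a `DELETE` on a documented path whose inventory entry only lists `GET` (an undocumented method on a known route is still a shadow API), and an `/internal/debug/env` endpoint reachable from production. In practice the log feed would come from the API gateway or load balancer and shadow paths would be clustered by replacing numeric and UUID segments so that thousands of `/v1/accounts/<id>/export` hits collapse to one finding.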
Mitigating island hopping via API attacks is central to sustainable digital transformation. In 2023, we must assess what is below the waterline in our digital environments. Trust and confidence in your brand are underpinned by cyber vigilance.
Tom Kellermann is the senior vice president of cyber strategy at Contrast Security and the author of the annual Cyber Bank Heists report. Previously, Kellermann held the positions of head of cybersecurity strategy for VMware and chief cybersecurity officer for Carbon Black Inc. In 2020, he was appointed to the Cyber Investigations Advisory Board for the U.S. Secret Service; he was previously appointed the Wilson Center's Global Fellow for Cyber Policy. Kellermann also held the positions of chief cybersecurity officer for Trend Micro, vice president of security for Core Security, and deputy CISO for the World Bank Treasury. In 2008, Kellermann was appointed a commissioner on the Commission on Cyber Security for the 44th President of the United States. In 2003, he co-authored the book Electronic Safety and Soundness: Securing Finance in a New Age.
© Contrast Security