The landscape and consequences of cyberattacks against financial services organizations are growing, but the truth is that the weak points, or attack vectors, haven’t changed.
President Biden recently stressed to executives at a meeting of the Business Roundtable on Monday evening: “One of the tools [Putin’s] most likely to use, in my view and our view, is cyber, cyberattacks,” he said. “He has the capability. He hasn’t used it yet but it’s part of his playbook.”
That playbook is based on successful cyberattacks by Russian adversaries – both nation-state and cybercriminal. The MITRE ATT&CK knowledge base details how these actors conduct reconnaissance, gain initial access, and move laterally through networks. And despite all of this being laid out, these actors continue to use these same tactics and techniques because they work.
LookingGlass has been monitoring the financial sector for a decade. Given the increasing geopolitical tensions and growing threat of cyberattacks on U.S. critical infrastructure, we produced a cyber profile for the sector. This profile highlights the most prevalent vulnerabilities and security exposures across the U.S. and which ones have been used by Russian actors in the past.
Ignoring Cybersecurity Best Practices
Our research found, for example, that some financial organizations had port 3389, which enables Remote Desktop, discoverable on the public-facing internet. Leveraging this port and protocol is a standard technique employed by multiple Russian actors successfully in the past. It’s also a major risk for a financial entity. It’s what security experts would consider a serious security exposure that goes against standard cybersecurity best practices.
Given the Securities and Exchange Commission’s recent proposed rule on cybersecurity risk management and incident disclosure, which proposes to “require periodic disclosures about a [company’s] policies and procedures to identify and manage cybersecurity risks,” having a security risk as fundamentally basic as Remote Desktop exposed to the internet should raise regulatory eyebrows. And if an investigation shows that the port is an open security exposure, this should kick off a more thorough risk assessment and review.
While it’s critical for the financial services sector to, as the White House noted, “remain vigilant to all cyber threats and anomalous activity,” the fact is that many organizations across this sector continue to exhibit cybersecurity exposures and vulnerabilities that Russian threat actors know, like, and use, with great impact.
Along with the exposed Remote Desktop port, LookingGlass found additional, basic security exposures across the financial sector. Two that are particularly disturbing and should concern regulators are:
- Default passwords for Telnet: Telnet is a network protocol that allows a user on one computer to log into another computer on the same network. If Telnet is enabled with a default password (e.g., “password”), anyone from anywhere could log into that computer via Telnet and take control of it. In general, changing default passwords on administrative tools is a basic cybersecurity best practice.
- Port 69 – TFTP: TFTP is a protocol used for transferring files. While seemingly innocuous, DHS CISA previously released an alert (TA18-106A) noting that Russian state-sponsored cyber actors have used this port and protocol to target U.S. network infrastructure devices. If this port is not properly secured, it can be used for more nefarious activities.
Old Vulnerabilities Persist Across the Sector
Beyond risky security exposures like open ports, another finding from our research was how many old vulnerabilities the sector had, including ones used by Russian threat actors.
From a cybersecurity perspective, the most active campaigns we’ve seen in the Russia/Ukraine conflict are distributed denial of service (DDoS) attacks. Within the financial sector, we found that more than 20% of the sector had CVE-2015-1635. While this vulnerability has not been tied to previous Russian attacks, it is old and has been shown to be easily exploitable for denial of service (DoS) attacks and for data leaks, where information is copied from memory.
LookingGlass also saw CVE-2021-31206 within the sector. This vulnerability was part of the Microsoft Exchange Server “ProxyShell” vulnerabilities identified last year. The silver lining with this set of vulnerabilities is that they are only in approximately 2% of the sector, which shows that many financial services organizations took the steps they needed to when the vulnerabilities were released.
Beyond these specific vulnerabilities, our research found more than 1,000 potentially vulnerable instances of Apache 2.2, Cisco Web VPN, and Mikrotik VPNFilter across the financial services sector. The VPNFilter malware is especially disturbing because it has been attributed by the FBI to APT28. This malware can collect traffic sent through infected routers, including credential data, and it can tamper with the device’s firmware to effectively render it useless. When the VPNFilter malware was discovered, Cisco reported that 500,000 infected devices could be collectively destroyed with the press of a button.
At least 4 of the top 7 most prevalent vulnerabilities found across the financial sector are more than 2 years old. Again, while the consequences may be shifting, the landscape of IT infrastructure – and the attack vectors – hasn’t. This is why Russian adversaries don’t need to drop a never-before-seen zero-day attack to compromise U.S. critical infrastructure: the weak points from years ago remain the weak points today.
Get the Full Sector Cyber Profile
For more details, download our Financial Services Sector Cyber Profile. It identifies and summarizes vulnerabilities, cybersecurity exposures, and botnet infections currently seen across the financial sector, and highlights which items have the most pressing ties to Russian nation-state or affiliated threat actors.
The financial sector can use the information in this report to begin prioritizing actions to reduce their risk and improve their cybersecurity posture, especially in light of the pressing threats facing these companies.