Insurance and Third-Party Services Providers are Responsible for Most Vulnerabilities in Finance
By: Meredith Wallace
This report examines the top vulnerabilities present in the United States financial services sector over the month of November. The analysis draws heavily from the LookingGlass platform, which seeks to detect all Internet-facing devices, their exposures, and vulnerabilities. The findings from this report will be of most interest to the federal agency responsible for the Known Exploited Vulnerabilities Catalog – the Cybersecurity and Infrastructure Security Agency (CISA), Sector Risk Management Agencies like Department of Treasury, CIOs and CISOs in the financial sector, and threat researchers. This reporting is the second (the first focused on the Chemical Sector) in a series of papers that will address the cybersecurity risks to critical infrastructure sectors across the U.S.
The LookingGlass platform identified several known exploited vulnerabilities over the month of November 2022 across thousands of organizations we track in the U.S. financial sector. This analysis is designed to highlight the adversary's view of the external attack surface specific to financial services. We make this assessment with moderate confidence based on a sample of the financial industry ingested by our system, which includes over 7 million IP addresses belonging to the sector. It should be noted that our platform detects publicly Internet-facing assets and therefore is not exhaustive in its discoveries, as it does not contain results from internal networks. Additionally, vulnerabilities detected over this span of time (the 30 days of November 2022) are inferred: they are based on historic vulnerabilities associated with the assets detected by our platform, not on confirmed exploitation. The financial services industry is a strategically important critical infrastructure sector, as it contributes significantly to world trade and the U.S. economy. It is important to prioritize patch management within any organization, especially for Internet-facing devices, because an unpatched exposed device gives the adversary an entry point into the network and an easy way to establish and maintain persistence.
According to CISA, the “Financial Services Sector includes thousands of depository institutions, providers of investment products, insurance companies, other credit and financing organizations, and the providers of the critical financial utilities and services that support these functions.” Some financial institutions represent the world’s biggest companies. In total, the industry makes up $1.5 trillion or 7.4% of the total U.S. GDP and employs almost 8 million Americans. The sector represents a ripe target for a range of actors from insider threats to criminal actors, and to nation state actors with geopolitical or financial motivations simply because it is where the money is. Historic examples of such activities underscore the persistent threat the industry faces and how unpatched vulnerabilities can lead to grave damage.
In 2016, the FBI indicted several Iranians working on behalf of the Iran government for a series of cybercrimes that cost U.S. financial institutions tens of millions of dollars. They carried out a systematic campaign of DDoS attacks against fifty institutions in the U.S. financial sector between 2011 and 2013.
In 2017, major credit reporting agency Equifax reported a breach affecting more than 140 million Americans. Hundreds of thousands of stolen records, including full credit card numbers, were compromised. The Equifax breach likely occurred after it failed to patch the vulnerability CVE-2017-5638 despite the availability of a patch.
Outside of the U.S. one of the most well-known cyber attacks – NotPetya – targeted Ukrainian accounting software and later affected banks, among several other targets in related industries. The event led to an estimated $10 billion in losses. Years later, courts are still debating how cyber events like NotPetya affect the cyber insurance industry.
One of the most infamous attacks on the sector was a series of cyber attacks from 2015-2016 that targeted vulnerabilities in several banks to gain access and leverage their SWIFT credentials. The actors, attributed to North Korean APT38, used those credentials to send SWIFT funds to accounts they controlled, stealing millions of dollars. This example highlights how vulnerabilities can be exploited in a way that causes systemic effects so damaging it could cause a bank to fail.
Across the U.S. financial sector, more than half of the vulnerabilities our platform detected reside in the insurance subsector, roughly a quarter fell under credit intermediaries, and about one in three of all vulnerabilities were carried over from third-party services providers. The insurance subsector is a primary target for criminal activity as it hosts significant troves of PII and customer data, so it is noteworthy that this subsector contains so many inferred open vulnerabilities compared to others in the financial services sector. Additionally, a report in mid-2022 from Black Kite concluded that 82% of the insurance industry alone is the focus of cyber criminals, further highlighting the threat posed to the subsector.
The most common KEV detected in the U.S. financial services sector is seven years old, yet it is one of the KEVs our platform detects most often across critical infrastructure sectors. It is also one of the earliest KEVs CISA added to its catalog, CVE-2015-1635, and it is rated as a critical vulnerability. The LookingGlass platform observed this vulnerability open to adversary exploitation in the finance sector over 900 times throughout the month of November 2022.
CVE-2015-1635 is a Remote Code Execution vulnerability affecting Microsoft Windows. Successful exploitation of this vulnerability allows a remote attacker to cause a buffer overflow and potentially execute arbitrary code with system privileges. Inclusion in CISA’s KEV Catalog indicates that this vulnerability has been observed exploited in the wild, though we have no reporting to indicate the type of actor or attribution to a specific adversary at this time. The LookingGlass platform indicates this is a very common vulnerability across different critical infrastructure sectors where it showed up hundreds of times over one-month periods in Q4 of 2022.
The next most common KEV in the sector was CVE-2021-31206, which is a known, frequently exploited vulnerability in Microsoft Exchange Server. It appeared in a CISA Threat Bulletin as a vulnerability that could potentially be exploited by IRGC threat actors as they maintain interest in attacking Microsoft Exchange Server. The bulletin did not explicitly state that Iran specifically exploits this vulnerability. The LookingGlass platform observed this vulnerability open in the U.S. financial services sector seven hundred times in the month of November.
The following vulnerabilities were significantly less common, but still noteworthy due to their severity scores and known exploitation in the wild, especially those connected to sophisticated state-sponsored groups:
- CVE-2017-7269 is a high severity, zero day flaw in a legacy Microsoft product that is no longer supported since its end of life in 2015. Chinese researchers, however, published evidence that it has been actively exploited in the wild for years. The LookingGlass platform detected 60 instances of this vulnerability in the financial sector last month alone.
- CVE-2021-34523, CVE-2021-31207 and CVE-2021-34473 affect Microsoft Exchange Server. These three, in combination, are known as “ProxyShell.” ProxyShell was included in CISA’s list of the Top Routinely Exploited Vulnerabilities of 2021. Our platform observed this string of vulnerabilities exposed almost 60 times in the sector last month.
- CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 were observed being exploited by likely Chinese state-backed actors, through chained attacks in the wild last year. The LookingGlass platform observed these flaws open to adversary exploitation 30 times in November 2022. Microsoft previously published a blog attributing the exploitation of these flaws to a state-sponsored group it calls HAFNIUM.
Methodology & Terminology
To generate the above table, we leveraged the LookingGlass platform, which has a continuous stream of several billion Internet-facing IPs (nearly 5B detected over November 2022). Our data holdings attribute roughly 7 million of these to the U.S. financial services sector, which includes insurance companies, rental & leasing companies, and creditors, among other subsectors. The platform also ingests CISA's Known Exploited Vulnerabilities (KEV) catalog and the corresponding CVSS scores from NIST's National Vulnerability Database (NVD). Evaluating all IPs in the U.S. financial sector, we counted the occurrence of KEVs across the month of November 2022 and pulled their CVSS scores to produce the table shown in this report.
The LookingGlass platform is an attack surface intelligence solution designed to quickly illuminate unknown or unmanaged assets, risky services, and exposures. In the U.S. financial sector alone, the platform identified more than 7M internet-facing assets, their primary owners, exposures, inferred vulnerabilities, and locality, among other details. The 7 million figure is lower compared to other critical infrastructure sectors, possibly indicating it has fewer Internet-facing assets than the chemical sector, for example, where we detected ~24 million instances of Internet-facing assets across the same span of time (one month).
NVD: Stands for the National Vulnerability Database. NVD is owned and operated by the National Institute of Standards and Technology (NIST). The NVD is the U.S. government repository of standards-based vulnerability management data. The NVD includes a database of security checklist references, security-related software flaws (CVEs), misconfigurations, product names, and impact metrics. The NVD supports both versions 2.0 and 3.x of CVSS.
CVE: Stands for Common Vulnerabilities and Exposures. CVE IDs are serial identifiers assigned to publicly disclosed software vulnerabilities that could be exploited by adversaries to compromise a system or device. The CVE system was launched by MITRE in 1999 and has been widely accepted as the primary way to track software vulnerabilities, their severity, and the mitigations or patches that address them. It should be noted that not all vulnerabilities have been discovered, made publicly known, or assigned a CVE number, and such vulnerabilities may not be actively tracked.
CVSS: Stands for Common Vulnerability Scoring System. CVSS is a free and open industry standard for assessing the severity of computer system security vulnerabilities – or CVEs. CVSS attempts to assign severity scores to vulnerabilities, allowing responders to prioritize responses and resources to a threat.
KEV: Stands for Known Exploited Vulnerabilities. Through the KEV Catalog, CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild. The KEV Catalog is another tool designed to help security responders prioritize their responses and resources. CISA recommends organizations prioritize patching vulnerabilities listed in the KEV Catalog to reduce the likelihood of compromise by known threat actors. A vulnerability must meet three thresholds before it is added to the KEV Catalog:
- The vulnerability has an assigned Common Vulnerabilities and Exposures (CVE) ID.
- There is reliable evidence that the vulnerability has been actively exploited in the wild.
- There is a clear remediation action for the vulnerability, such as a vendor-provided update.
Organizations can subscribe to KEV Catalog updates here.
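The methodology section above describes a counting step: take the vulnerabilities inferred for each Internet-facing asset, keep only those that meet the three KEV thresholds, count occurrences across the sector, and attach CVSS scores to rank them. The following is an added worked example of that aggregation, not LookingGlass's own code. It runs on constructed sample data: the asset IPs, subsector labels and the non-KEV CVE IDs (CVE-2019-0001 and CVE-2099-0001) are made up, the KEV entries reuse CVE IDs named in this report, and the CVSS scores are placeholders rather than NVD values.

```python
"""Added worked example (not LookingGlass's code): the KEV counting and
ranking step described in the methodology section, on constructed data."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

CVE_ID_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")


@dataclass(frozen=True)
class KevEntry:
    cve_id: str
    exploited_in_wild: bool  # reliable evidence of active exploitation
    remediation: str         # clear remediation action, e.g. a vendor update


def meets_kev_criteria(entry: KevEntry) -> bool:
    """All three thresholds listed in the report must hold for an entry."""
    return (bool(CVE_ID_RE.match(entry.cve_id))
            and entry.exploited_in_wild
            and bool(entry.remediation.strip()))


def kev_ids(catalog: Iterable[KevEntry]) -> Set[str]:
    """The set of CVE IDs that actually qualify as KEVs."""
    return {e.cve_id for e in catalog if meets_kev_criteria(e)}


@dataclass(frozen=True)
class Detection:
    ip: str
    subsector: str
    cves: Tuple[str, ...]  # vulnerabilities inferred for this asset


def count_kevs(detections: Iterable[Detection], kev: Set[str]) -> Counter:
    """Count, per KEV, how many assets carry it. A CVE is counted once per
    asset even if it was inferred from several services on that asset."""
    counts: Counter = Counter()
    for d in detections:
        for cve in set(d.cves) & kev:
            counts[cve] += 1
    return counts


def kev_share_by_subsector(detections: Iterable[Detection],
                           kev: Set[str]) -> Dict[str, float]:
    """Fraction of all KEV occurrences attributable to each subsector."""
    per_sub: Counter = Counter()
    for d in detections:
        per_sub[d.subsector] += len(set(d.cves) & kev)
    total = sum(per_sub.values())
    return {s: n / total for s, n in per_sub.items()} if total else {}


def build_table(detections: List[Detection], catalog: Iterable[KevEntry],
                cvss: Dict[str, float]) -> List[Tuple[str, int, Optional[float]]]:
    """Rows of (CVE, asset count, CVSS), most common first; ties broken by
    higher CVSS, then by CVE ID. A CVE with no score is reported as None."""
    kev = kev_ids(catalog)
    counts = count_kevs(detections, kev)
    rows = [(cve, n, cvss.get(cve)) for cve, n in counts.items()]
    rows.sort(key=lambda r: (-r[1], -(r[2] if r[2] is not None else 0.0), r[0]))
    return rows


# Constructed KEV subset. The last entry is a deliberate counter-example:
# exploited, but with no remediation available, so it must not qualify.
KEV_CATALOG = [
    KevEntry("CVE-2015-1635", True, "Microsoft security update"),
    KevEntry("CVE-2021-31206", True, "Microsoft security update"),
    KevEntry("CVE-2021-34473", True, "Microsoft security update"),
    KevEntry("CVE-2021-26855", True, "Microsoft security update"),
    KevEntry("CVE-2099-0001", True, ""),
]

# Placeholder CVSS scores (constructed, not NVD values).
CVSS_SCORES = {
    "CVE-2015-1635": 9.8,
    "CVE-2021-31206": 7.8,
    "CVE-2021-34473": 9.8,
    "CVE-2021-26855": 9.8,
}

# Constructed asset detections using RFC 5737 documentation addresses.
DETECTIONS = [
    Detection("192.0.2.10", "insurance", ("CVE-2015-1635", "CVE-2021-31206")),
    Detection("192.0.2.11", "insurance", ("CVE-2015-1635",)),
    Detection("192.0.2.12", "credit_intermediation", ("CVE-2015-1635", "CVE-2019-0001")),
    Detection("192.0.2.13", "third_party_services", ("CVE-2021-34473", "CVE-2099-0001")),
    Detection("192.0.2.14", "insurance", ("CVE-2021-26855",)),
]

if __name__ == "__main__":
    for cve, n, score in build_table(DETECTIONS, KEV_CATALOG, CVSS_SCORES):
        print(f"{cve:<16} assets={n:<3} cvss={score}")
    for sub, share in sorted(kev_share_by_subsector(DETECTIONS, kev_ids(KEV_CATALOG)).items()):
        print(f"{sub:<24} {share:.0%} of KEV occurrences")
```

Counting once per asset matters: an asset that exposes the same vulnerable component on several ports would otherwise inflate the count and distort the subsector shares the report relies on. The counter-example entry shows why the catalog filter must be applied before counting rather than trusting any CVE that merely appears in a feed.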
According to recent reporting from the U.S. Department of Treasury, U.S. financial institutions absorbed nearly $1.2 billion in costs associated with ransomware attacks alone in 2021, a nearly 200% increase over the previous year. The report, from Treasury's Financial Crimes Enforcement Network (FinCEN), also identified Russia as the top culprit for many ransomware strains affecting the sector. Ransomware remains a top threat to all sectors, and according to the International Monetary Fund, the most dangerous cyber threats to the sector
Resources for financial sector organizations and partners can be found on the U.S. Department of Treasury’s website.