Cyber Risk in the Financial Services Sector
Understand more about cyber risk in this sector.
Threat Reports
Publicly available threat reporting on cyber attacks against Financial Services.
APT45: North Korea’s Digital Military Machine
This report from threat intelligence analysts at Google's Mandiant marks the graduation of this cyber actor to a fully designated APT - APT45. The ...
ANALYSIS OF THE APT31 INDICTMENT
Blog post providing analysis of a March 2024 US Department of Justice indictment of 7 hackers associated with APT31. The post details attribution ...
Unveiling TeleBoyi: Chinese APT Group Targeting Critical Infrastructure Worldwide
This presentation from TeamT5 describes the intrusion set they refer to as TeleBoyi and was presented at JPCERT's JSAC2024 conference on January ...
Earth Krahang Exploits Intergovernmental Trust to Launch Cross-Government Attacks
This article by researchers at Trend Micro discusses an Advanced Persistent Threat (APT) group they name Earth Krahang who have been observed ...
Ongoing ITG05 operations leverage evolving malware arsenal in global campaigns
This Security Intelligence blog post by researchers at IBM's X-Force describes activity by ITG05 - a group which shows overlap with APT28/Forest ...
Operation Blockbuster: Unraveling the Long Thread of the Sony Attack
This report by Novetta covers 'Operation Blockbuster', which was a Novetta-led coalition of private industry partners aiming to understand and ...
REDCURL - The pentest you didn't know about
This report by researchers at Group-IB outlines activity by a group they call RedCurl. The report identifies victimology and motivation (corporate ...
I-Soon leak: KELA’s insights
This blog post outlines KELA's analysis of the 2024 I-Soon data leak. According to the article, I-Soon had relationships with Chinese governmental ...
Ransomware Spotlight: Black Basta
This report from Trend Micro outlines tactics, techniques and procedures used by the Black Basta Ransomware group. According to the report, Black ...
APT37 (REAPER) - The Overlooked North Korean Actor
This special report by FireEye discusses an investigation into APT37, a suspected North Korean cyber espionage group. According to the report, ...
Suspected APT Actors Leverage Authentication Bypass Techniques and Pulse Secure Zero-Day
Reporting from Mandiant which discusses the exploitation of Pulse Secure VPN devices in 2021 and 12 malware families associated with the campaign. ...
APT1: Exposing One of China's Cyber Espionage Units
The APT1 report represents years of work by Mandiant, who analysed data across hundreds of breaches globally. The report identifies APT1 as a ...
MITRE ATT&CK Techniques
MITRE ATT&CK techniques observed in use against Financial Services.
ATT&CK ID | Title | Associated Tactics |
---|---|---|
T1036 | Masquerading | Defense Evasion |
T1598.003 | Spearphishing Link | Reconnaissance |
T1070.006 | Timestomp | Defense Evasion |
T1595.003 | Wordlist Scanning | Reconnaissance |
T1020 | Automated Exfiltration | Exfiltration |
T1566.002 | Spearphishing Link | Initial Access |
T1057 | Process Discovery | Discovery |
T1087.002 | Domain Account | Discovery |
T1036.007 | Double File Extension | Defense Evasion |
T1583.001 | Domains | Resource Development |
T1059.006 | Python | Execution |
T1210 | Exploitation of Remote Services | Lateral Movement |
T1003.001 | LSASS Memory | Credential Access |
T1574.002 | DLL Side-Loading | Defense Evasion, Persistence, Privilege Escalation |
T1110.003 | Password Spraying | Credential Access |
T1059.001 | PowerShell | Execution |
T1543.003 | Windows Service | Persistence, Privilege Escalation |
T1059.003 | Windows Command Shell | Execution |
T1586.002 | Email Accounts | Resource Development |
T1584.004 | Server | Resource Development |
T1112 | Modify Registry | Defense Evasion |
T1078 | Valid Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
T1608.005 | Link Target | Resource Development |
T1078.003 | Local Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
T1036.005 | Match Legitimate Name or Location | Defense Evasion |
T1053.005 | Scheduled Task | Execution, Persistence, Privilege Escalation |
T1003.002 | Security Account Manager | Credential Access |
T1588.001 | Malware | Resource Development |
T1033 | System Owner/User Discovery | Discovery |
T1595.002 | Vulnerability Scanning | Reconnaissance |
T1588.003 | Code Signing Certificates | Resource Development |
T1592 | Gather Victim Host Information | Reconnaissance |
T1505.003 | Web Shell | Persistence |
T1087.001 | Local Account | Discovery |
T1021.006 | Windows Remote Management | Lateral Movement |
T1047 | Windows Management Instrumentation | Execution |
T1539 | Steal Web Session Cookie | Credential Access |
T1133 | External Remote Services | Initial Access, Persistence |
T1140 | Deobfuscate/Decode Files or Information | Defense Evasion |
T1608.001 | Upload Malware | Resource Development |
T1608.002 | Upload Tool | Resource Development |
T1569.002 | Service Execution | Execution |
T1583.003 | Virtual Private Server | Resource Development |
T1595.001 | Scanning IP Blocks | Reconnaissance |
T1203 | Exploitation for Client Execution | Execution |
T1204.002 | Malicious File | Execution |
T1068 | Exploitation for Privilege Escalation | Privilege Escalation |
T1114 | Email Collection | Collection |
T1071.001 | Web Protocols | Command and Control |
T1069.002 | Domain Groups | Discovery |
T1534 | Internal Spearphishing | Lateral Movement |
T1199 | Trusted Relationship | Initial Access |
T1656 | Impersonation | Defense Evasion |
T1573 | Encrypted Channel | Command and Control |
T1007 | System Service Discovery | Discovery |
T1572 | Protocol Tunneling | Command and Control |
T1190 | Exploit Public-Facing Application | Initial Access |
T1590 | Gather Victim Network Information | Reconnaissance |
T1566.001 | Spearphishing Attachment | Initial Access |
T1119 | Automated Collection | Collection |
T1105 | Ingress Tool Transfer | Command and Control |
T1087.003 | Email Account | Discovery |
T1005 | Data from Local System | Collection |
T1218.011 | Rundll32 | Defense Evasion |
T1114.001 | Local Email Collection | Collection |
T1070.004 | File Deletion | Defense Evasion |
T1555.003 | Credentials from Web Browsers | Credential Access |
T1537 | Transfer Data to Cloud Account | Exfiltration |
T1082 | System Information Discovery | Discovery |
T1564.001 | Hidden Files and Directories | Defense Evasion |
T1056.002 | GUI Input Capture | Collection, Credential Access |
T1547.001 | Registry Run Keys / Startup Folder | Persistence, Privilege Escalation |
T1039 | Data from Network Shared Drive | Collection |
T1102 | Web Service | Command and Control |
T1080 | Taint Shared Content | Lateral Movement |
T1552.002 | Credentials in Registry | Credential Access |
T1083 | File and Directory Discovery | Discovery |
T1552.001 | Credentials In Files | Credential Access |
T1027 | Obfuscated Files or Information | Defense Evasion |
T1059.005 | Visual Basic | Execution |
T1489 | Service Stop | Impact |
T1041 | Exfiltration Over C2 Channel | Exfiltration |
T1018 | Remote System Discovery | Discovery |
T1486 | Data Encrypted for Impact | Impact |
T1491 | Defacement | Impact |
T1562.001 | Disable or Modify Tools | Defense Evasion |
T1570 | Lateral Tool Transfer | Lateral Movement |
T1562.009 | Safe Mode Boot | Defense Evasion |
T1484.001 | Group Policy Modification | Defense Evasion, Privilege Escalation |
T1567 | Exfiltration Over Web Service | Exfiltration |
T1490 | Inhibit System Recovery | Impact |
T1021.001 | Remote Desktop Protocol | Lateral Movement |
T1003 | OS Credential Dumping | Credential Access |
T1620 | Reflective Code Loading | Defense Evasion |
T1136 | Create Account | Persistence |
T1070.001 | Clear Windows Event Logs | Defense Evasion |
T1574 | Hijack Execution Flow | Defense Evasion, Persistence, Privilege Escalation |
T1070 | Indicator Removal | Defense Evasion |
T1049 | System Network Connections Discovery | Discovery |
T1016 | System Network Configuration Discovery | Discovery |
T1111 | Multi-Factor Authentication Interception | Credential Access |
T1592.004 | Client Configurations | Reconnaissance |
T1048 | Exfiltration Over Alternative Protocol | Exfiltration |
T1556.004 | Network Device Authentication | Credential Access, Defense Evasion, Persistence |
T1518 | Software Discovery | Discovery |
T1554 | Compromise Client Software Binary | Persistence |
T1098 | Account Manipulation | Persistence, Privilege Escalation |
T1134.001 | Token Impersonation/Theft | Defense Evasion, Privilege Escalation |
T1562 | Impair Defenses | Defense Evasion |
T1600 | Weaken Encryption | Defense Evasion |
T1053 | Scheduled Task/Job | Execution, Persistence, Privilege Escalation |
T1059 | Command and Scripting Interpreter | Execution |