Note: Our findings in this blog stem from analysis of all Q4 2020 cyber threat activity by our in-house research team, Photon, using open and restricted-access resources including Digital Shadows' (now ReliaQuest) Dark Web Spider. You can subscribe to our weekly threat intelligence newsletter here.

In recent years, financially motivated cybercriminals have been increasingly drawn to asset and wealth management (AWM) companies. The AWM industry plays a vital role in managing the world’s financial capital. Global assets under management run by money and wealth managers are set to grow by up to 5.6% a year by 2025, to USD 147.4 trillion. This level of wealth attracts threat actors. AWM firms frequently hold and protect the same lucrative client financial data as banking institutions, yet often have security teams with smaller budgets or headcounts to keep their digital borders secure.

In addition to valuable client information, AWM companies possess valuable intellectual property to protect: proprietary investment strategies and mechanisms that can be exposed by competitors, third parties, or company insiders.

If you work in the asset and wealth management industry and are concerned with proactively avoiding a data breach and the reputational and financial damages that come with it, here are the top 2021 cybersecurity threats.

Data loss to ransomware variants “Sodinokibi” and “NetWalker”

In Q4 2020, data from asset and wealth management companies was found on public data leak sites operated by two well-known ransomware operators, Sodinokibi and NetWalker. These ransomware operators typically steal highly sensitive, consequential data from organizations to post on their data leak websites. Threats of releasing this data, or even portions of it, help them to extort high ransom payments from their victim organizations. Sodinokibi, a particularly creative operator, auctions the data on dark web cybercriminal forums.

In Nov 2020, a post was added to Happy Blog, the dark website of the Sodinokibi ransomware, indicating that a financial services and consulting company was likely a victim of an attack. The post included employee files, IT files, audit files, financial files, payroll files, and client files.

In Dec 2020, a post was added to NetWalker Blog, the dark website of the NetWalker ransomware, indicating that a financial management company was likely the victim of an attack. The post included screenshots of files, including financial files, client files, payroll files, bank files, application files, administration files, and marketing files.

Preventing data loss due to ransomware is possible, and we’ve included some mitigation strategies against ransomware variants from Digital Shadows (now ReliaQuest) researchers at the end of this blog.

Impersonation through business email compromise (BEC)

Throughout 2020, there was a reported increase in the number of business email compromise (BEC) complaints. BEC involves cybercriminals spoofing or compromising the legitimate business email accounts of executives or high-level employees to send transfer-of-funds requests. This money transfer scam is highly applicable to asset managers, who may frequently deal with wire transfer payments.

This tactic has grown increasingly popular as organizations move to cloud-based email services, where cybercriminals can more easily harvest employees’ credentials with phishing webpages that look identical to their typical log-in screens (for more reading, see our blog on the Ecosystem of Phishing here).

On 25 Nov 2020 the FBI issued a Private Industry Notification (PIN), warning US companies that threat actors are actively adding automatic email rules to targeted web-based email clients, which helps hide their activity while they impersonate employees or business partners and increases the likelihood of success. The FBI additionally warned about threat actors abusing Microsoft Office 365 and Google G Suite in BEC attacks. They are initiating emails through specifically developed phishing kits designed to mimic the cloud-based email services, to compromise business email accounts and request or misdirect transfers of funds.
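One way a security team can review mailbox rule changes for the behaviour the FBI describes is sketched below. This is an added example, not code from the FBI notification or from Digital Shadows; the record layout, domains, folder list and keyword list are assumptions constructed for illustration, with parameter names following Exchange Online's New-InboxRule cmdlet.

```python
# Constructed sample events; the record layout is a simplified assumption,
# not the exact schema of any mail provider's audit log.
SAMPLE_EVENTS = [
    {"user": "alice@example-awm.test", "operation": "New-InboxRule", "rule": ".",
     "parameters": {"ForwardTo": ["collector@mail-relay.example"],
                    "SubjectOrBodyContainsWords": ["invoice", "wire"],
                    "DeleteMessage": True}},
    {"user": "bob@example-awm.test", "operation": "New-InboxRule", "rule": "News",
     "parameters": {"SubjectContainsWords": ["digest"], "MoveToFolder": "Newsletters"}},
    {"user": "carol@example-awm.test", "operation": "Set-InboxRule", "rule": "Team",
     "parameters": {"ForwardTo": ["assistant@example-awm.test"]}},
    {"user": "dave@example-awm.test", "operation": "New-InboxRule", "rule": "x",
     "parameters": {"SubjectOrBodyContainsWords": ["payroll"],
                    "MoveToFolder": "RSS Feeds"}},
]

ORG_DOMAINS = {"example-awm.test"}  # assumption: the organization's own mail domains
HIDE_FOLDERS = {"rss feeds", "deleted items", "junk email", "archive"}  # assumption
FINANCE_WORDS = {"invoice", "payment", "wire", "payroll", "bank"}       # assumption
FORWARD_KEYS = ("forwardto", "forwardasattachmentto", "redirectto")

def rule_findings(event):
    """Return the reasons one rule-change event deserves an analyst's review."""
    params = {k.lower(): v for k, v in event["parameters"].items()}
    reasons = []
    # Copies of mail leaving the organization through a rule.
    for key in FORWARD_KEYS:
        for addr in params.get(key, []):
            if addr.rsplit("@", 1)[-1].lower() not in ORG_DOMAINS:
                reasons.append(f"forwards mail to external address {addr}")
    # Rules that delete mail or file it in folders users rarely open.
    folder = str(params.get("movetofolder", "")).lower()
    if params.get("deletemessage") is True or folder in HIDE_FOLDERS:
        words = {w.lower() for w in params.get("subjectorbodycontainswords", [])}
        hits = sorted(words & FINANCE_WORDS)
        reasons.append("hides matching mail" + (f" about {', '.join(hits)}" if hits else ""))
    return reasons

def triage(events):
    """Map (user, rule name) to findings for every suspicious rule change."""
    flagged = {}
    for event in events:
        if event["operation"] in ("New-InboxRule", "Set-InboxRule"):
            reasons = rule_findings(event)
            if reasons:
                flagged[(event["user"], event["rule"])] = reasons
    return flagged
```

Running `triage(SAMPLE_EVENTS)` flags the two constructed rules that forward externally or bury finance-related mail and leaves the newsletter and internal-forward rules alone.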

BEC Payroll scams

Most reported complaints in Q4 2020 have involved the targeting of companies’ HR and payroll departments, with these departments receiving emails impersonating employees requesting changes to their direct deposit accounts, the new direct deposit leading to an untraceable prepaid card account.

Figure 1: Example of spoofed employee email payroll scam (source)

Some of the AWM companies targeted reported that the emails were sent through legitimate employee email accounts, meaning cybercriminals first gathered employee credentials by sending them a spoofed email log-in page from an external sender and then harvesting their usernames and passwords to use to send these payroll requests.

BEC Invoice fraud

In December 2020, a US-based AWM firm was targeted in an invoice fraud attack that attempted to steal USD 80,000. The threat actor impersonated a client via email address and requested the money to conduct home renovations (a common request from this client). The threat actor additionally attached a valid invoice from a general contractor, making the withdrawal attempt seem even more urgent and convincing. Thankfully, the firm mitigated the attempted theft by contacting the client, per its protocol of confirming transactions with clients via phone.

Dual impersonation BEC

Though not exclusive to the AWM industry, an emerging Russian cybercriminal group, Cosmic Lynx, has been associated with more than 200 BEC campaigns targeting senior-level executives in 46 countries since July 2019. The group is unique in its operational level and scale, with the amount requested in Cosmic Lynx attacks averaging USD 1.27 million.

Figure 2: Map of Cosmic Lynx targets (Source: Agari)

Cosmic Lynx employs a dual impersonation scheme where they impersonate the CEO of a company to be acquired by the target organization, and request a target employee to work with “external legal counsel” and coordinate payments to close the acquisition. They then hijack the identity of a legal attorney at a legitimate UK-based law firm.

Figure 3: Introduction email from the second impersonated “lawyer” in Cosmic Lynx attacks (Source: Agari)

Cosmic Lynx is highly sophisticated in its tactics, which include exploiting Domain-based Message Authentication, Reporting & Conformance (DMARC) controls to spoof CEO email addresses, and using domains that impersonate a legitimate email infrastructure (e.g. secure-mail-gateway[.]cc, encrypted-smtp-transport[.]cc, mx-secure-net[.]com).

Impersonation through spearphishing and voice phishing

High-ranking executives at AWM companies are attractive targets for spearphishing attacks. Spearphishing attacks are often observed in the initial stages of a BEC campaign, with cybercriminals conducting research on how the company operates, who the executives are, and when transfers of money are made before crafting an email to slide under the radar. 

As phone verification has become a common response to suspicious emails, voice phishing attacks are expected to continue to grow. The emergence of deepfake audio enabled by maturity in artificial intelligence (AI) and machine learning (ML) technologies allows threat actors to bypass traditional security detection mechanisms. Within the AWM sector, attackers could begin regarding employees and clients as potential targets, not just executives.

Outlook on Threats to AWM Firms in 2021

  • Ransomware prices will increase as more large organizations are targeted, while small and medium-sized businesses will suffer the majority of attacks. Digital Shadows (now ReliaQuest) continues to observe more ransomware attacks targeting small and medium-sized organizations such as AWM companies in the financial services sector. This is likely owing to the fact that they have fewer resources dedicated to cybersecurity practices, such as patch management, user awareness, and tools intended for intrusion detection/prevention (IDS and IPS).
  • Initial access brokers will continue selling access to financial firms. Dark-web cybercriminal forums such as Exploit, XSS, and others will likely remain active in selling network access to AWM companies. Although cybercriminals typically do not name the companies to which they are selling access, these firms are often identified by attributing them to a specific country and listing their revenue or employee headcount. Access sold to organizations can be used to monetize additional company data or launch future cyber attacks for financial gain.
  • BEC and impersonation campaigns will adapt to changing current events. Threat actors aggressively exploited the COVID-19 pandemic in 2020, using it as a theme to launch cyber attacks across all sectors. For example, phishing emails with subject lines related to COVID-19 have a higher open rate. As a potential return to normality begins to take shape later in 2021, threat actors will likely conduct impersonation campaigns centered on changing current events. Firms in the AWM industry should be aware of threat actors targeting their remote workforce, as they would likely be the target of phishing campaigns casting a “wide net” of fraudulent emails that could lead to credential theft or VPN theft.

Mitigation Strategies for Security Threats to Asset and Wealth Management

Ransomware-specific recommendations

The majority of an organization’s planning should occur before a ransomware attack. Steps to be considered when planning for a possible ransomware attack include identifying what kind of information is stored on backups, how they’re stored, and if reverting to backups is feasible during an incident; conducting cybersecurity risk analysis; training staff on cybersecurity best practices; and performing penetration testing to evaluate system security and fortify defenses. 

Common ransomware infection and attack vectors include distributing weaponized attachments via phishing and targeting remote desktop protocol (RDP). Restricting RDP behind an RDP Gateway and enabling Network Level Authentication can provide security benefits if RDP is required to be Internet-facing. Organizations should prioritize patching based on the impact a vulnerability has on organization data, the types of systems that are impacted, the number of systems that are affected, the access level required to exploit the vulnerability, and how widely known the vulnerability is. Last but not least, organizations should create a robust security awareness program that trains employees to identify malicious emails and report them to an incident response authority.

Executive awareness of Business Email Compromise

Executives responsible for fund transfers should be aware of seemingly legitimate emails that request a transfer of funds to other financial institutions, or of in-house transfer-of-fund requests including:

  • Spoofed emails containing links to fraudulent domains, which are often similar or identical to legitimate emails from close company contacts.
  • Fraudulent website domain addresses that appear in impersonated emails, typically with only one extra letter added or changed in the domain name.
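The one-letter pattern in the last point can be checked mechanically on inbound mail. The sketch below is an added example, not part of the original blog; the trusted domain list and the sample message are constructed assumptions, and it also treats a single removed letter as a near miss, which goes slightly beyond the "added or changed" case named above.

```python
import re

# Assumption: domains the firm legitimately corresponds with (constructed values).
TRUSTED = {"example-awm.test", "clientbank.example"}

# Hosts that follow an "@" (sender or reply address) or a URL scheme.
HOST_RE = re.compile(r"(?:@|https?://)([A-Za-z0-9.-]+\.[A-Za-z]{2,})")

# Constructed sample message.
SAMPLE = (
    "From: accounts@clientbanks.example\n"
    "Please review the updated wire instructions at "
    "https://www.example-avm.test/pay and reply to j.doe@example-awm.test."
)

def one_edit_apart(a, b):
    """True when a and b differ by exactly one added, removed or changed character."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a                      # make a the shorter (or equal-length) string
    i = 0
    while i < len(a) and a[i] == b[i]:   # skip the common prefix
        i += 1
    if len(a) == len(b):
        return a[i + 1:] == b[i + 1:]    # one character changed
    return a[i:] == b[i + 1:]            # one character added to b

def lookalikes(message, trusted=TRUSTED):
    """Map each near-miss domain in the message to the trusted domain it imitates."""
    found = {}
    for host in HOST_RE.findall(message):
        host = host.lower()
        if host.startswith("www."):
            host = host[4:]
        if host in trusted:
            continue                     # exact match with a known contact
        for good in trusted:
            if one_edit_apart(host, good):
                found[host] = good
    return found
```

A hit is a reason to verify the request through a known phone number before any transfer, not proof of fraud on its own.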

Employee awareness of Business Email Compromise

Employees linked to decision makers or who control transfer of funds should be educated on the characteristics of phishing attacks including:

  • 91% of BEC attacks occur on weekdays, to align with workdays and lend a legitimate air to emails.
  • A majority of BEC emails involve a sense of urgency to rush the recipient into doing the attacker’s bidding, with 85% marked urgent, 59% requesting help, and 26% inquiring about availability. 
  • Attackers often thoroughly research their targets, using real names of HR, finance, and other executives, as well as the targeted employees. Some attackers make an extra effort to create very personalized messages, often going after larger amounts of money, not just trying to compromise single credentials.

Security around internal sender email traffic

Of all spearphishing attacks, 13% come from internally compromised accounts. Organizations need to invest in protecting their internal email traffic with the same urgency as they do in protecting from external senders.

Threat intelligence can help security professionals identify data exposure on data dump sites early, research associated vulnerabilities, and identify early discussions and advertisements for sensitive information and employee credentials on cybercriminal marketplaces and forums. You can trial Digital Shadows' (now ReliaQuest) threat intelligence library of over 400 threat actors, events, and campaigns here.

For additional reading you can view our data sheet, Security Challenges for Asset Management Organizations.