Why cybercriminals won’t take a vacation from island hopping
Article by Tom Kellermann, Head of Cybersecurity Strategy at VMware
Island hopping – the term has a nice ring to it with the two words conjuring images of fun-filled adventure or an exotic holiday exploring new locales. The reality is anything but. Island hopping is a technique used by cybercriminals to hijack an organization’s infrastructure to attack its customers. The term is derived from a World War II military strategy of the same name. While this poses a serious threat to organizations, the financial sector, in particular, is being targeted by cybercrime cartels and nation-states leveraging this attack method. These are not the bank heists of old, as mere wire transfer fraud is no longer the ultimate goal.
Understanding island hopping and its impact
Cybercriminals commonly target smaller organizations with fewer security resources down the supply chain as a means to infiltrate their high-value target. Attackers exploit vulnerabilities in the defenses of these less sophisticated companies and use their affiliation with the target as a point of entry, essentially commandeering an organization’s information supply chain to attack the institution from within. Once in, hackers take advantage of the trust between the two companies and use their shared networks to reach the true target. At this point, the whole supply chain, including customer data, is at risk.
State of affairs: Island hopping today
Island hopping attacks have risen in recent years and there has been growing concern among business leaders, especially in the financial sector. VMware’s fifth annual Modern Bank Heists report found that 60 percent of financial institutions experienced an increase in island hopping in 2021, a 38 percent increase from the previous year. We’ve entered a new era of conspiracy, whereby hijacking the digital transformation of a financial institution via island hopping to attack its constituents has become the ultimate outcome.
Cybercrime cartels have studied the interdependencies of financial institutions to understand, for example, which managed service provider (MSP) is used and who the outside general counsel is. In turn, these organizations are targeted and leveraged by cybercrime cartels to island hop into the bank. The Modern Bank Heists report also found that 87 percent of financial institutions are concerned with the security posture of their shared service providers. Shared service providers, when compromised, pose a systemic risk to the financial sector as their infrastructure can be polluted to attack dozens of financial institutions at a time. This type of island hop is very concerning.
The five stratagems of island hopping
As island hopping has grown in prevalence, five forms have emerged as the most common which organizations should keep an eye on:
- Application Programming Interface (API) attacks: APIs associated with fintech are being targeted by cybercriminals due to their inherent accessibility and the reality that these APIs become a gateway to fintech platforms. Our recent report points to 94 percent of financial security leaders having experienced attacks on an API associated with fintech. APIs have become the data plane—essentially the central nervous system—that carries critical information and data from one part of the application to another. In other words, APIs have become an essential and core component of modern applications. Thus, they make a perfect target for cybercrime cartels. As such, managing and securing modern applications cannot take place without managing and securing APIs.
- Network-based island hopping: This is one of the most frequently used forms of island hopping. With network-based island hopping, attackers infiltrate one network and use it to hop onto an affiliate network.
- Watering-hole attacks: These take place when the adversary hijacks a website or mobile app used for e-finance by customers.
- Reverse business email compromise (RBEC) attacks: These occur when a hacker successfully takes over a victim’s Office 365 environment and executes fileless malware attacks against the C-suite of the financial institution and the board.
- Island hopping as a service, or access mining: This is a tactic where an attacker leverages the footprint and distribution of commodity malware, using it to mask a hidden agenda of selling system access to targeted machines on the dark web.
Embrace Zero Trust to combat island hopping
At its core, island hopping preys on the implicit trust one may have in a brand. In the modern threat landscape, organizations must embrace a Zero Trust approach to security and assume that every digital transaction could be dangerous – even if it appears to come from a trusted third party. In addition to continuous security monitoring, Zero Trust requires all users to be authenticated, and only access the authorized, relevant systems. This reduces the blast radius of an attack by disabling any east-west spread to other systems.
In the spirit of Zero Trust, security teams should also assume attackers have multiple avenues into their organization. Weekly threat hunting on all devices can help security teams maintain proper cyber hygiene and detect behavioral anomalies as adversaries can maintain clandestine persistence in an organization’s system. And don’t assume that traffic shipped in a familiar wrapper is safe.
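The two paragraphs above describe the defensive posture in words: authenticate every request regardless of where it comes from, allow only the specific systems an identity is entitled to, and hunt for an affiliate's access being pushed sideways into other systems. The following is an added example, not code from the article or from VMware, that puts both ideas into a small policy-enforcement point. The identities, tokens, partner address range and access events are all constructed; the token table stands in for whatever identity provider an organization actually uses.

```python
"""Zero Trust style per-request access decisions for a partner (MSP) connection.

Added example, not from the article. All identities, tokens, networks and
access events below are constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed policy: which authenticated identities may reach which internal
# systems. The source network is deliberately NOT part of the decision, because
# an affiliate's network may already be under an attacker's control.
POLICY = {
    "svc-msp-monitoring": {"monitoring-api"},
    "counsel-portal-user": {"document-portal"},
}

# Constructed: the affiliate (MSP) range that a perimeter-trust model would
# have waved through unconditionally.
PARTNER_NET = ip_network("203.0.113.0/24")

# Constructed stand-in for an identity-provider token check.
VALID_TOKENS = {
    "tok-msp-001": "svc-msp-monitoring",
    "tok-counsel-007": "counsel-portal-user",
}


@dataclass
class AccessEvent:
    src_ip: str
    token: Optional[str]
    target: str


def authenticate(token):
    """Map a presented token to a verified identity, or None if unverifiable."""
    return VALID_TOKENS.get(token)


def decide(event):
    """Return (allowed, reason). Each request is authenticated and authorized
    on its own; arriving from the partner network grants nothing by itself."""
    identity = authenticate(event.token)
    if identity is None:
        return False, "unauthenticated"
    if event.target not in POLICY.get(identity, set()):
        return False, f"{identity} not authorized for {event.target}"
    return True, identity


def perimeter_trust_decide(event):
    """The implicit-trust model island hopping exploits: anything from the
    affiliate network is allowed. Included only for contrast."""
    return ip_address(event.src_ip) in PARTNER_NET


def hunt_east_west(events):
    """Threat-hunting helper: count, per identity, attempts to reach systems
    outside that identity's allowlist (a lateral-movement signal)."""
    findings = Counter()
    for ev in events:
        identity = authenticate(ev.token)
        if identity and ev.target not in POLICY[identity]:
            findings[identity] += 1
    return findings


# Constructed sample: the MSP's monitoring account is used normally, then
# pushed toward the core banking system and the mail admin interface; an
# unauthenticated request from the partner range and a legitimate counsel
# login from outside it round out the set.
SAMPLE_EVENTS = [
    AccessEvent("203.0.113.10", "tok-msp-001", "monitoring-api"),
    AccessEvent("203.0.113.10", "tok-msp-001", "core-banking"),
    AccessEvent("203.0.113.10", "tok-msp-001", "exchange-admin"),
    AccessEvent("203.0.113.22", None, "document-portal"),
    AccessEvent("198.51.100.5", "tok-counsel-007", "document-portal"),
]


def evaluate(events=SAMPLE_EVENTS):
    """Return (target, zero_trust_allowed, perimeter_trust_allowed) per event."""
    return [(ev.target, decide(ev)[0], perimeter_trust_decide(ev)) for ev in events]


if __name__ == "__main__":
    for target, zt, perim in evaluate():
        print(f"{target:16} zero-trust={'allow' if zt else 'deny':5} "
              f"perimeter-trust={'allow' if perim else 'deny'}")
    print("east-west hunting findings:", dict(hunt_east_west(SAMPLE_EVENTS)))
```

Run as a script, the comparison column makes the point of the section concrete: the perimeter-trust model allows every request from the partner range, including the unauthenticated one and the two hops toward core banking and mail administration, while the per-request model allows only the two requests that carry a verified identity entitled to that exact system. The hunting helper surfaces the same two denied hops as findings against the MSP account, which is the kind of behavioral anomaly a weekly hunt would be looking for.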
Lastly, to combat island hopping and evolving attacks against the financial sector, organizations need to ensure CISOs have the authority, resources, and access to the CEO to build a proper defense. Empowering the CISOs and ensuring they report directly to the CEO will help make cybersecurity a board-level issue and better protect financial institutions from cyberattacks.
The views in this article may not reflect the views of Tech Wire Asia