By Nathan Gilks | Blog

Cyber crime is targeting banks and financial institutions across the world in a way that is quite unprecedented. With traditional cyber security products often proving ineffective in the face of this onslaught, Deep Secure has pioneered a new approach to combatting cyber crime.

One of the most striking aspects of the National Cyber Security Centre’s “The cyber threat to UK business 2016/2017” is the observation that what might be termed ‘old’ exploits keep coming back to wreak havoc anew.

In the area of financial crime alone there is plenty of evidence that this is the case. Look at the malware variously named Bugat, Cridex and Dridex: a banking trojan built to steal online banking credentials. These strains are not new. They were discovered, and detection signatures issued to combat them, many months and in some cases years ago. And yet they remain highly effective, are still delivered via email attachments and are still making cyber criminals rich.

Another example is Trickbot, which cyber criminals are using to attack banks across Scandinavia and more than 20 corporate, investment and private banking firms across France. Trickbot draws heavily on Dyreza (also known as Dyre), malware delivered in malicious attachments and designed to redirect the victim's traffic to fake banking servers while the user believes they have a secure connection to the legitimate site. Dyreza was first identified in 2014.

Perhaps the most eye-popping example of financial crime committed using "old" vulnerabilities is the Carbanak campaign, which is reported to have netted up to $1 billion from banks worldwide by exploiting old MS Office vulnerabilities via email attachments.

Of course, the unfortunate truth behind this re-use of "old" exploits is that it is relatively easy for an experienced threat actor to bypass first generation cyber security products like anti-virus by making minor changes to the malware's code, or simply repacking it, so that existing signatures no longer match. In doing so they create an effective zero-day window in which the "old" malware can propagate and yield a return without being detected. Add to this the fact that there are always large numbers of systems that either have not been or simply cannot easily be patched, because of the critical nature of the work they undertake, and you begin to see just how lucrative it is for cyber criminals to re-use old exploits and vulnerabilities.

The authors of the National Cyber Security Centre report call for email attachments to be sandboxed to counter the threat of financial crime. At Deep Secure we remain unconvinced that second generation cyber security techniques like sandboxing provide an effective answer to the problem. Cyber criminals are extremely adept at detecting that their code is running inside a sandbox rather than on a real user's machine, and at behaving benignly until it reaches a genuine endpoint. Furthermore, sandboxing introduces latency into business processes while users wait for business documents to be isolated, observed and analysed.

Our Content Threat Removal Platform is the only truly effective way to remove the threats contained in business documents (email attachments, for example) so that they cannot be used to commit financial crime. The platform works by transformation: it intercepts business documents, extracts the valid business information from them, discards everything else (including any active code, malware and unnecessary metadata) and builds brand new documents for delivery to the user. The essence of this approach is that nothing is trusted and nothing is detected; the original file is never passed on. "Old" or "new", the threat is removed from the document and the financial crime is prevented before it starts.

This summer's Trickbot campaign uses a poisoned PDF file that carries an embedded Microsoft Office document, a nesting often referred to as a "Russian Doll" attack. Once the victim opens the embedded Office file, it prompts them to enable macros; doing so runs the macro code that compromises the system.
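The transformation approach described above (intercept, extract the business content, discard everything else, rebuild), applied to the kind of macro-enabled Word document this campaign delivers, as an added example. This is illustrative code written for this page, not Deep Secure's platform; it handles only paragraph text, and the sample "invoice" document it builds is constructed inline with placeholder bytes standing in for the VBA project and OLE object, not real malware.

```python
"""Toy content transformation for Word (.docx/.docm) packages.

Added example, not Deep Secure's code. Instead of scanning the incoming
file for known-bad patterns, it reads only the content it understands
(paragraph text) and writes a brand new .docx from scratch. Macros
(vbaProject.bin), embedded OLE objects, relationship parts and document
metadata are never copied, so they are discarded whether or not anything
would have recognised them as malicious.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
W = "{%s}" % W_NS
ET.register_namespace("w", W_NS)

XML_DECL = '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
CONTENT_TYPES = XML_DECL + (
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
    '<Default Extension="xml" ContentType="application/xml"/>'
    '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
    "</Types>"
)
ROOT_RELS = XML_DECL + (
    '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
    '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/>'
    "</Relationships>"
)


def zip_parts(parts):
    """Pack a {part name: str|bytes} mapping into an OOXML-style zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in parts.items():
            z.writestr(name, data)
    return buf.getvalue()


def build_sample_docm():
    """Constructed sample input (not a real malicious file): a macro-enabled
    document carrying a VBA project, an embedded OLE object and author
    metadata next to two paragraphs of genuine business text."""
    document_xml = XML_DECL + (
        '<w:document xmlns:w="%s" '
        'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" '
        'xmlns:o="urn:schemas-microsoft-com:office:office"><w:body>'
        "<w:p><w:r><w:t>Invoice 4471: enable content to view the document.</w:t></w:r></w:p>"
        '<w:p><w:r><w:t xml:space="preserve">Amount due: </w:t></w:r><w:r><w:t>EUR 12,300</w:t></w:r></w:p>'
        '<w:p><w:r><w:object><o:OLEObject r:id="rId3"/></w:object></w:r></w:p>'
        "</w:body></w:document>" % W_NS
    )
    return zip_parts({
        "[Content_Types].xml": CONTENT_TYPES.replace(
            "</Types>", '<Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/></Types>'),
        "_rels/.rels": ROOT_RELS,
        "word/document.xml": document_xml,
        "word/_rels/document.xml.rels": XML_DECL
        + '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"/>',
        "word/vbaProject.bin": b"\xd0\xcf\x11\xe0 placeholder VBA project bytes",       # dummy, not real VBA
        "word/embeddings/oleObject1.bin": b"\xd0\xcf\x11\xe0 placeholder OLE object",  # dummy, not real OLE
        "docProps/core.xml": XML_DECL + '<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" xmlns:dc="http://purl.org/dc/elements/1.1/"><dc:creator>internal-user</dc:creator></cp:coreProperties>',
    })


def extract_paragraphs(doc_bytes):
    """Read the one kind of content this toy understands: paragraph text
    reached through w:p / w:t. No other part of the package is opened."""
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as z:
        root = ET.fromstring(z.read("word/document.xml"))
    return ["".join(t.text or "" for t in p.iter(W + "t")) for p in root.iter(W + "p")]


def build_clean_docx(paragraphs):
    """Construct a brand new, minimal .docx from the extracted text only."""
    doc = ET.Element(W + "document")
    body = ET.SubElement(doc, W + "body")
    for text in paragraphs:
        run = ET.SubElement(ET.SubElement(body, W + "p"), W + "r")
        t = ET.SubElement(run, W + "t")
        t.set("{http://www.w3.org/XML/1998/namespace}space", "preserve")  # keep leading/trailing spaces
        t.text = text
    document_xml = XML_DECL + ET.tostring(doc, encoding="unicode")
    return zip_parts({
        "[Content_Types].xml": CONTENT_TYPES,
        "_rels/.rels": ROOT_RELS,
        "word/document.xml": document_xml,
    })


def transform(doc_bytes):
    """Intercept, extract, discard, rebuild. Returns the new document and the
    sorted list of original package parts that did not survive."""
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as z:
        original = z.namelist()
    clean = build_clean_docx(extract_paragraphs(doc_bytes))
    with zipfile.ZipFile(io.BytesIO(clean)) as z:
        kept = set(z.namelist())
    return clean, sorted(p for p in original if p not in kept)


if __name__ == "__main__":
    clean, discarded = transform(build_sample_docm())
    print("kept text:", extract_paragraphs(clean))
    print("discarded parts:", discarded)
```

Two things worth noticing when you run it. The VBA project, the OLE object and the metadata are gone without the code ever having looked at them, which is the point of transformation over detection. But the lure sentence ("enable content to view the document") survives, because it is perfectly valid text: content transformation removes the mechanism, not the social engineering, so user awareness still matters. The trade-off in the other direction is that anything the transformer does not know how to re-create (formatting, tables, images, tracked changes in this toy) is lost as well; a production platform has to understand far more of the format than this example does.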

If you’d like to see exactly how the Deep Secure Content Threat Removal Platform prevents this type of financial crime by transforming the content why not take 5 minutes to view our short webinar.
