
Kaspersky Discovers Massive Cyber-Attack: Losses Could Reach $1 Billion

Over the weekend, Kaspersky Lab announced details of what may be the largest cyber-attack to date, targeting the banking industry. The breach affected more than 100 banks in 30 different countries worldwide and could total as much as $1 billion in losses.

The perpetrators of the attack targeted many banks around the world with a sophisticated multi-layered plan that used a variety of methods to first penetrate banking systems and then steal money from banks over the past two years. In most instances, it appears that the hackers had access to secure networks for months before taking any funds, making this a dedicated long-term approach rather than a one-time snatch and grab. The cyber criminals used spear phishing, or targeting of specific individuals, to gain access to networks and then built on that access to compromise additional users and systems.

Attacks of this scope emphasize the need to ensure that all networked devices, be they servers, desktops or laptops, have their security settings constantly monitored for compliance and risk. Attackers are constantly monitoring for vulnerabilities, and the openings they find are typically temporary lapses in security. An automated and continuous monitoring and enforcement solution is one of the best ways to mitigate those lapses. If a monitoring tool is in place, those devices that are not compliant with an organization's security standards can be identified and then blocked from accessing critical network data. Solutions to directly improve email security for Exchange, or to provide a second layer of defense for other mail security solutions, should also be seriously considered.

That said, details released about the bank hack reveal some additional gaps in security that other enterprises can learn from and proactively address. In this particular situation, threats were embedded within seemingly innocuous files. The initial breach can be traced back to Microsoft Word files attached to an email containing malicious embedded code. This attack vector demonstrates how important it is to scan attachments, as well as the email messages themselves, as both could be potential carriers of malware. Scanning email messages and attachments is not always enough, especially if the attack has been designed to target a particular person and thwart specific defenses. If the malware has been designed for one-time use in a very specific scenario, existing antivirus engines may not be able to detect that threat. If the threat is not detected, then an additional layer of security is needed: sanitizing the data in case there is an embedded threat. There are multiple ways to do this, such as stripping out embedded objects or converting to a different file type.
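The "stripping out embedded objects" option described above, as an added example (not code from the original post or from any vendor product): it assumes the attachment is an OOXML package (.docx/.docm) and removes the macro, OLE and ActiveX parts together with their relationship and content-type entries. The names `sanitize_ooxml` and `build_sample` are hypothetical, and the sample package is constructed for the demonstration.

```python
import io
import re
import zipfile

# Assumption: the attachment is an OOXML package (.docx/.docm). These parts carry
# active content: VBA macro storage, embedded OLE objects, ActiveX controls.
RISKY = re.compile(
    r"(^|/)(vbaProject\.bin|vbaData\.xml)(\.rels)?$|(^|/)(embeddings|activeX)/", re.I)
# A <Relationship/> or <Override/> index entry and the part it points at.
REF = re.compile(
    r'<(?:Relationship|Override)\b[^>]*?\b(?:Target|PartName)="([^"]*)"[^>]*?/>')

def sanitize_ooxml(data):
    """Return (sanitized package bytes, list of removed part names)."""
    removed, out = [], io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            name = info.filename
            if RISKY.search(name):
                removed.append(name)
                continue
            body = src.read(info)
            if name.endswith(".rels") or name == "[Content_Types].xml":
                # Drop index entries that pointed at removed parts. References
                # left inside the body XML itself are not rewritten here.
                body = REF.sub(
                    lambda m: "" if RISKY.search(m.group(1)) else m.group(0),
                    body.decode("utf-8")).encode("utf-8")
            dst.writestr(name, body)
    return out.getvalue(), removed

def build_sample():
    """Constructed input: minimal package with one macro part and one OLE part."""
    rel = '<Relationship Id="r%d" Type="t" Target="%s"/>'
    targets = ["vbaProject.bin", "embeddings/oleObject1.bin", "styles.xml"]
    parts = {
        "[Content_Types].xml":
            '<Types><Override PartName="/word/vbaProject.bin" ContentType="c"/></Types>',
        "word/_rels/document.xml.rels": "<Relationships>" + "".join(
            rel % (i, t) for i, t in enumerate(targets)) + "</Relationships>",
        "word/document.xml": "<w:document/>", "word/styles.xml": "<w:styles/>",
        "word/vbaProject.bin": "placeholder", "word/embeddings/oleObject1.bin": "placeholder",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, content in parts.items():
            z.writestr(name, content)
    return buf.getvalue()
```

The returned list of removed parts is worth logging per message, since a removal is also a signal that the attachment carried active content.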

Another security gap that this exploit reveals is the need to scan web traffic and systems that are already within a secure network. The perpetrators, in this case, were not able to get to their end target in one step; they had to first compromise other trusted systems and then use those as a springboard to get closer and closer to their principal target. It took months for the attackers to reach their principal target in some organizations, which means that malware was operating within a secure network for several months, during which it could have been detected before any money was extracted from the bank. It is important never to assume that everything within a secure network is inherently safe. Proactively scanning for threats anytime files or data are transferred within a network, whether it is through HTTP traffic, internal email, secure file transfer, or other transfer technologies, is always a good practice. This will help to protect against threats that evaded detection when entering the network, either because the threat was not yet known or because the network was compromised by files or data introduced in a way that was not checked for threats.

Preventing cyber-attacks such as these requires time and company resources to address, but companies have even more at stake if left unprotected. Unfortunately, there are a lot of people with extensive resources dedicated to getting around the cyber defenses organizations put in place. The major takeaway from this attack is that companies can never let down their guard and have to be vigilant about making sure they are protecting themselves against threats coming from all sources and against threats that may already be within their secure networks.
