Weekly Threat Report 13th February 2017

Created:  13 Feb 2017
Updated:  13 Feb 2017
This report is drawn from recent open source reporting.

Polish banks in watering hole attack

The Polish financial sector has been hit by what is being described as the most serious incident in the history of Polish banking. A web server of the Polish financial regulator Komisja Nadzoru Finansowego (KNF) was probably compromised in early October 2016, but it wasn’t until early February that Polish banks noticed unusual network activity and unauthorised files on several workstations. Investigations revealed that the KNF website had been used as a watering hole and malware downloaded onto the devices of selected users who visited the website, including bank employees. At least 20 Polish commercial banks have been affected.

Watering hole attacks target websites used by a particular group, organisation or industry. By infecting websites commonly used by these groups, the attackers increase their chances of at least one member of the group being infected with malware. This technique is particularly effective, because while internet users are increasingly wary of unsolicited emails, they are naturally less cautious about visiting legitimate websites.

Cyber jobs boom - Demand for security skills continues to grow

Analysis of IT job adverts by the Tech Partnership found an 18% annual increase in demand for cyber security specialists, with average salaries for permanent positions also rising to £57,000. In addition to traditional IT security skills, employers are also increasingly demanding knowledge of topics such as cyber crime and big data.

Most openings continue to be in London and the South East of England, but strengthening demand in other regions suggests that a broader range of businesses are taking cyber threats seriously.

Insiders and the dark web

A recently released study by cyber security companies RedOwl and IntSights identified increased efforts by cyber criminals to recruit insiders with access to corporate networks, using the dark web. The report studied dark web forums over a two-year period, noting a significant increase in discussions relating to insiders between 2015 and 2016. The dark web is reportedly criminals' favoured means for recruiting insiders, due to the deniability and privacy that it offers.

There are several main types of insider, including accidental insiders and deliberate insiders. Malicious insiders may act alone based on their individual grievances (whether work-related, personal, financial or ethical) or may be recruited by malicious actors (whether criminal, state or others) through financial incentives or, in some cases, blackmail. Depending on their level of access and knowledge, insiders may carry out a number of functions, such as enabling Computer Network Exploitation (CNE), directly exfiltrating sensitive or commercially valuable data, or otherwise enabling fraud through unauthorised lookups.

Insiders present a significant threat to all organisations, and the authors note that financial institutions are particularly at risk. One recent example of such a threat may have included the Bangladesh Bank theft, in which authorities suspect that an insider at the bank provided the hackers with technical details about its computer network. An earlier example was the 2013 disruption of a criminal plot to compromise high street banks by exploiting hardware in local branches.

The NCSC website includes links to the key principles of managing insider risk as well as a previous CPNI study of insider behaviour.

Was this report helpful?

We need your feedback to improve this content.

Yes No