
Cyber Threat Actors Use Exploits to Target Financial Sector with Advanced Malware


The financial sector is constantly under threat from cybercriminals and state-sponsored groups, and in 2024, there has been a significant increase in advanced attacks exploiting vulnerabilities, supply chain weaknesses, and sophisticated malware.

One of the key aspects of these attacks is the collaboration among threat actors, utilizing models like Initial Access Brokers (IABs) and Ransomware-as-a-Service (RaaS) ecosystems to expand their reach and impact.

These attackers employ a range of tactics, from deploying ransomware to stealing biometric data, producing a threat environment that pairs technical sophistication with psychological manipulation.

A troubling trend is the involvement of IABs such as TA577 and Scattered Spider, who specialize in infiltrating networks and selling access to ransomware operators. They exploit vulnerabilities in tools like Cleo file-transfer software and conduct phishing campaigns that mimic legitimate login portals to steal credentials.

Once they gain access, attackers deploy advanced malware like RansomHub, a custom ransomware strain equipped with evasion tools to bypass detection systems. State-sponsored groups, such as North Korean APTs like Lazarus and Chinese-linked groups like GoldFactory, further add to the complexity of the threat landscape.

North Korean APTs target financial institutions to evade international sanctions, while Chinese-linked groups develop mobile Trojans capable of harvesting facial recognition data. Additionally, Iranian-nexus APT33 has been observed collaborating with ransomware affiliates, blurring the line between cybercrime and state-backed operations.

A notable campaign in 2024 was carried out by GoldFactory, deploying the GoldPickaxe Trojan to target iOS and Android users in Asia-Pacific countries where facial recognition is widely used for banking authentication. The malware captures biometric data to create deepfakes that can bypass security checks.

GoldFactory’s infrastructure relies on compromised domains and cloud services like AWS to host phishing pages and exfiltrate data. Financial institutions should prioritize patch management for known vulnerabilities, enforce multi-factor authentication (MFA), and use network segmentation and behavioral analytics tools to detect anomalies such as unexpected transfers of biometric data.

As APTs and cybercriminals continue to collaborate and share tools and infrastructure, cross-industry threat intelligence sharing will be crucial in disrupting these evolving campaigns.
