Web app, API attacks surge as cybercriminals target financial services

Web application and application programming interface (API) attacks against the global financial services industry grew by 65% in Q2 2023 compared to Q2 2022, accounting for nine billion attacks in 18 months with banks bearing the brunt. That's according to the High Stakes of Innovation: Attack Trends in Financial Services report from cybersecurity firm Akamai.

The research is based on an analysis of security events detected on Akamai Connected Cloud, a network of approximately 340,000 servers in 4,000 locations on 1,300 networks in 130+ countries. Along with the rise in web app/API attacks, the financial services sector has experienced an increase in Layer 3 and Layer 4 DDoS attacks, the report found.

The increase appears to be caused by the dramatic surge in the power of virtual machine botnets and pro-Russian hacktivism motivated by the Russia-Ukraine conflict, Akamai said.

API security and DDoS risks pose persistent threats to organizations across sectors. In April, security researchers warned of a vulnerability in a UDP-based network service called the Service Location Protocol (SLP) that can be abused to significantly amplify DDoS attacks.

The growing use of APIs gives attackers more ways to break authentication controls, exfiltrate data, or perform disruptive acts, driving API security up the agenda for businesses and the cybersecurity community. Meanwhile, the global financial services industry continues to come into the crosshairs of cybercriminals as breaches and ransomware costs rise.

Financial services third-most targeted sector by web app, API attacks

The financial services sector was the third most targeted by web app and API attacks during Akamai's reporting period, largely due to the industry's continued digitalization and the rate at which adversaries are exploiting vulnerabilities in attacks, the firm said.

Banks faced the most attacks (58%) followed by other financial services such as FinTech, capital markets, property and casualty insurance, and payment and lending companies (28%). Insurance companies accounted for 14% of web app and API traffic within the financial services sub-verticals, according to the report.

Local file inclusion biggest driver of web app, API attacks

Local file inclusion (LFI) vulnerabilities were the top driver of web app and API attacks, accounting for almost 58%. LFI enables attackers to launch a directory traversal (also known as path traversal) attack and subsequently gain access to sensitive information, Akamai wrote. Adversaries use LFI for a variety of nefarious purposes such as exposing files or disclosing information on web servers, performing remote code execution (RCE), or gaining a foothold in an enterprise network.

LFI vulnerabilities were followed by cross-site scripting (XSS) and structured query language injection (SQLi), accounting for 24% and 11% of web app and API attacks, respectively.

"As technology reshapes the financial services landscape, firms must take an active, ongoing approach to hardening systems and managing third-party risk," Teresa Walsh, global head of intelligence at the Financial Services Information Sharing and Analysis Center (FS-ISAC), tells CSO.

Apps and APIs must be kept patched and current, and it's also important to share threat intelligence and test incident response processes through exercises, both within organizations and across the industry, she adds.

Financial services top DDoS targets as Layer 3 and 4 attacks increase

The financial services sector is now the top vertical for DDoS attacks, surpassing gaming, with the EMEA region accounting for 63.5% of global DDoS events, according to Akamai's report. Layer 3 and Layer 4 DDoS attacks against financial services have increased, with EMEA seeing almost double these attack events as North America (32.58%). Akamai surmised this was due to Europe's close ties with Ukraine with financially and politically motivated attacks by Russia in relation to the Russie-Ukraine conflict.

The report also recorded a growth in the number of Layer 7 DDoS attacks targeting financial services. Unlike traditional Layer 3 or Layer 4 DDoS attacks -- which aim to overwhelm network and transport layer infrastructure -- Layer 7 (application layer) DDoS attacks target specific application functionalities, or the application server itself. They can cause significant damage even with a relatively smaller amount of malicious traffic.

"DDoS is unfortunately a common attack and has evolved beyond an institutional nuisance to a significant threat," says Walsh. "Financial services institutions have been particularly targeted by DDoS, which now often include ransom demands to halt the barrage of application requests that disrupt operations."

These attacks will continue to grow in quantity and severity, she says. As more services are moved to the cloud or contracted as software-as-a-service (SaaS), third-party solution providers are additional threat vectors, giving more opportunities for malicious actors to access financial firms' systems, Walsh adds. "Financial firms are increasingly integrating third party risk management into overall bank risk management policies, both due to regulatory guidance and the higher potential for operational and reputational risks due to their supply chain."

Cybercriminals target financial services as breaches, ransomware costs rise

The number of cybersecurity breaches for UK financial services firms has tripled in 2022/23, with the highest number of breaches being reported within the pensions sector. A report from the international law firm RPC highlighted that the number of breaches reported to the Information Commissioners Office (ICO) has increased from 187 to 640, with reports within the pensions industry increasing significantly from six to 246.

In July, it was revealed that ransomware attacks on the global finance sector have cost $32.3 billion in downtime alone since 2018, according to research from Comparitech. It found that 225 financial organizations are confirmed to have been hit by a ransomware attack in the last five years, exposing at least 32.3 million individual records.

Separate data from Forrester revealed that attackers remain in the network of financial services and insurance providers the longest compared to other industries, with financial firms struggling to both eradicate and recover from breaches. Furthermore, financial services breaches incur higher costs, with organizations paying an average of $3 million in total, according to Forrester.