Contrast Security reveals a 12.5% annual increase in destructive cyber-attacks on banks
# Incident Report: Surge in Destructive Cyber Attacks Against Financial Institutions
## Executive Summary
Over half (54%) of global financial institutions experienced cyber-attacks that resulted in data destruction during the past year, a 12.5% increase on the previous year. While destruction can serve as sabotage in its own right, the primary motive appears to be the use of destructive malware to erase evidence after a compromise. Key attack vectors were exploitation of applications, APIs, and cloud environments, leading to theft of non-public market information (for insider trading or "shoxing") and customer account takeovers.
## Incident Details
- Discovery Date: Not a single discovery; figures come from the "Modern Bank Heists Report 2025" survey and reflect trends observed over the past year (2024).
- Incident Date: Primarily occurred throughout 2024.
- Affected Organization: Global financial institutions (Respondents to the Contrast Security survey).
- Sector: Financial Services.
- Geography: Global.
## Timeline of Events
### Initial Access
- Date/Time: Not specifically dated, but occurred during 2024.
- Vector: Web Application Firewalls (WAFs) were bypassed, indicating attacks targeted modern application layers. Specifically cited vectors include exploitation of **Cloud environments and APIs**.
- Details: 46 impactful attacks per month bypassed WAF controls. Zero-day threats are a major concern regarding application/API security.
### Lateral Movement
- Details: The report notes the occurrence of **"island hopping"** attacks (43% of respondents), where initial unauthorized access in one victim bank was used to target customers and partners.
### Data Exfiltration/Impact
- Details: Threat actors sought to **steal and monetize non-public market information** (observed by two-thirds of respondents) for insider trading or "shoxing." Destructive attacks (affecting 54% of FIs) involved encrypting files, deleting data, destroying hard drives, or terminating connections, and often followed theft as a means to **cover tracks** after the incident. A further 48% saw an increase in **customer account takeovers**.
### Detection & Response
- Detection: 94% of respondents claimed they were able to successfully detect and respond to incidents.
- Response Actions: The report does not detail specific response measures, but it notes the need for enhanced Application Detection and Response (ADR) to block attacks in production.
## Attack Methodology
- Initial Access: Cloud environment exploitation, API vulnerabilities, and attacks bypassing WAFs (potentially zero-days).
- Persistence: Not explicitly detailed, but implied prior to destructive actions.
- Privilege Escalation: Not explicitly detailed.
- Defense Evasion: Destructive malware variants were used to **erase evidence** ("burn the evidence") as a counter-incident response measure.
- Credential Access: Not explicitly detailed, but required for Customer Account Takeovers (CATOs).
- Discovery: Not explicitly detailed, but necessary to locate market information.
- Lateral Movement: **Island hopping**.
- Collection: Stealing non-public market information.
- Exfiltration: Data theft for monetization (insider trading/shoxing).
- Impact: Data destruction/disruption via malware variants (encryption, deletion, termination) and unauthorized fund access via CATO.
## Impact Assessment
- Financial: Indirect costs related to potential insider trading facilitation and operational disruption.
- Data Breach: Confidential non-public market information was targeted for theft. Customer account takeover attempts increased significantly.
- Operational: Businesses experienced destructive events (file encryption, termination of connections) causing disruption.
- Reputational: Increased customer account takeovers and breaches of market confidentiality would negatively impact trust.
## Indicators of Compromise
(Note: As this is a general industry report summarizing trends, specific IPs/URLs/File Hashes are not provided in the source text.)
- Network indicators: Traffic associated with exploiting APIs and Cloud infrastructure.
- File indicators: Destructive malware variants initiating encryption, deletion, or hard drive destruction commands.
- Behavioral indicators: Abnormal application behavior preceding data destruction events; evidence of credential compromise leading to CATO.
## Response Actions
- Containment: Not explicitly detailed, but necessary to stop ongoing destructive malware execution.
- Eradication steps: Required removal of destructive malware and remediation of compromised APIs/Cloud access points.
- Recovery actions: Restoring systems from backups following data destruction events.
## Lessons Learned
- Threat Focus Shift: Destructive attacks are increasingly used proactively to **destroy forensic evidence** rather than solely for sabotage.
- Evasion Success: WAFs are proving insufficient against modern threats, allowing a significant volume (46 impactful attacks/month) to reach production environments.
- Cloud/API Risk: These environments are the primary entry points for current attacks against the financial sector.
- What could have been done better: Institutions need to move beyond perimeter defense (WAFs) to application-layer security if they wish to stop attacks before they impact the application runtime.
## Recommendations
- Implement **Application Detection and Response (ADR)** to continuously monitor the application layer for behavioral anomalies and block attacks in production.
- Prioritize vulnerability management and continuous security assessment for **APIs and Cloud environments**.
- Enhance detection capabilities to spot early-stage reconnaissance and data collection attempts *before* destruction/exfiltration occurs, to limit the ability of adversaries to "burn the evidence."