March 15, 2024
Note: Our findings in this blog stem from analysis of all Q4 2020 cyber threat activity by our in-house research team, Photon, using open and restricted-access resources, including Digital Shadows' (now ReliaQuest) Dark Web Spider.
In recent years, financially-motivated cyber criminals have been increasingly drawn to the realm of asset and wealth management (AWM) companies. The AWM industry plays a vital role in managing the world’s financial capital. Global assets under management run by money and wealth managers are set to grow by up to 5.6% a year by 2025, to USD 147.4 trillion. This level of wealth attracts threat actors. AWM firms frequently hold and protect the same lucrative client financial data as banking institutions, yet often have security teams with smaller budgets or smaller headcounts to keep their digital borders secure.
In addition to valuable client information, AWM companies possess valuable intellectual property to protect: proprietary investment strategies and mechanisms that can be exposed by competitors, third parties, or company insiders.
If you work in the asset and wealth management industry and are concerned with proactively avoiding a data breach and the reputational and financial damages that come with it, here are the top 2021 cybersecurity threats.
In Q4 2020, data from asset and wealth management companies was found on public data leak sites operated by two well-known ransomware operators, Sodinokibi and NetWalker. These ransomware operators typically steal highly sensitive, consequential data from organizations to post on their data leak websites. Threats of releasing this data, or even portions of it, help them to extort high ransom payments from their victim organizations. Sodinokibi, a particularly creative operator, auctions the data on dark web cybercriminal forums.
In Nov 2020, a post was added to Happy Blog, the dark website of the Sodinokibi ransomware, indicating that a financial services and consulting company was likely a victim of an attack. The post included employee files, IT files, audit files, financial files, payroll files, and client files.
In Dec 2020, a post was added to NetWalker Blog, the dark website of the NetWalker ransomware, indicating that a financial management company was likely the victim of an attack. The post included screenshots of files, including financial files, client files, payroll files, bank files, application files, administration files, and marketing files.
Preventing data loss due to ransomware is possible, and we’ve included some mitigation strategies against ransomware variants from Digital Shadows (now ReliaQuest) researchers at the end of this blog.
Throughout 2020, there was a reported increase in the number of business email compromise (BEC) complaints. BEC involves cybercriminals spoofing or compromising the legitimate business email accounts of executives or high-level employees to send transfer-of-funds requests. This money transfer scam is highly applicable to asset managers, who may frequently deal with wire transfer payments.
This tactic has grown increasingly popular as organizations move to cloud-based email services, where cybercriminals can more easily harvest employees' credentials with phishing webpages that look identical to their typical log-in screens (for more reading, see our blog on the Ecosystem of Phishing).
On 25 Nov 2020, the FBI issued a Private Industry Notification (PIN) warning US companies that threat actors are actively adding automatic email rules to targeted web-based email clients, which helps hide their activity while they impersonate employees or business partners and increases the likelihood of success. The FBI additionally warned about threat actors abusing Microsoft Office 365 and Google G Suite in BEC attacks. They initiate emails through specifically developed phishing kits designed to mimic the cloud-based email services, in order to compromise business email accounts and request or misdirect transfers of funds.
BEC Payroll scams
Most reported complaints in Q4 2020 involved the targeting of companies' HR and payroll departments, which received emails impersonating employees and requesting changes to their direct deposit accounts, with the new direct deposit leading to an untraceable prepaid card account.
Some of the AWM companies targeted reported that the emails were sent through legitimate employee email accounts, meaning cybercriminals first gathered employee credentials by sending them a spoofed email log-in page from an external sender and then harvesting their usernames and passwords to use to send these payroll requests.
BEC Invoice fraud
In December 2020, a US-based AWM firm was targeted in an invoice fraud attack that attempted to steal USD 80,000. The threat actor impersonated a client via email address and requested the money to conduct home renovations (a common request from this client). The threat actor additionally attached a valid invoice from a general contractor, making the withdrawal attempt seem even more urgent and convincing. Thankfully, the firm mitigated the attempted theft when it contacted the client by phone, per its protocol of confirming transactions with clients via phone.
Dual impersonation BEC
Though not exclusive to the AWM industry, an emerging Russian cybercriminal group Cosmic Lynx has been associated with more than 200 BEC campaigns targeting senior level executives in 46 countries since July 2019. The group is unique in its operational level and scale, with the amount requested in Cosmic Lynx attacks averaging USD 1.27 million.
Cosmic Lynx employs a dual impersonation scheme where they impersonate the CEO of a company to be acquired by the target organization, and request a target employee to work with “external legal counsel” and coordinate payments to close the acquisition. They then hijack the identity of a legal attorney at a legitimate UK-based law firm.
Cosmic Lynx is highly sophisticated in its tactics, which include exploiting Domain-based Message Authentication, Reporting & Conformance (DMARC) controls to spoof CEO email addresses, and using domains that impersonate legitimate email infrastructure (e.g. secure-mail-gateway[.]cc, encrypted-smtp-transport[.]cc, mx-secure-net[.]com).
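A defensive check for the DMARC exposure mentioned above, added here as an example and not code from the original blog: it parses the TXT records published at `_dmarc.<domain>` and reports whether mail spoofing that domain would actually be quarantined or rejected. It assumes the exposure is a missing or unenforced policy; the domains, records, and verdict names are constructed for illustration.

```python
# Added example: audit DMARC TXT records for enforcement gaps (RFC 7489 tags).
# Domains, records and verdict names below are constructed for illustration.

def parse_dmarc(txt):
    """Return the record's tag dict, or None if it is not a DMARC record."""
    if txt.split(";", 1)[0].replace(" ", "") != "v=DMARC1":
        return None  # v=DMARC1 must be the first tag
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess(txt_records):
    """Return (verdict, findings) for the TXT records at _dmarc.<domain>."""
    parsed = [t for t in map(parse_dmarc, txt_records) if t is not None]
    if len(parsed) != 1:
        # Zero or several DMARC records: receivers apply no DMARC policy.
        return "unprotected", [f"{len(parsed)} DMARC records found, expected 1"]
    tags = parsed[0]
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        return "monitor-only", [f"p={policy or 'missing'}: failing mail is still delivered"]
    findings = []
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: policy applies to only part of failing mail")
    if tags.get("sp", policy).lower() == "none":
        findings.append("sp=none: subdomains are not covered by enforcement")
    return ("partial" if findings else "enforced"), findings

# Constructed sample records, keyed by the domain they would be published for.
SAMPLES = {
    "no-record.example": [],
    "monitoring.example": ["v=DMARC1; p=none; rua=mailto:dmarc@monitoring.example"],
    "partial.example": ["v=DMARC1; p=quarantine; pct=25; sp=none"],
    "enforced.example": ["v=spf1 -all", "v=DMARC1; p=reject"],
}

def audit(samples):
    """Map each domain to its (verdict, findings) pair."""
    return {domain: assess(records) for domain, records in samples.items()}

if __name__ == "__main__":
    for domain, (verdict, findings) in audit(SAMPLES).items():
        print(f"{domain:20} {verdict:13} {'; '.join(findings)}")
```

In practice the records would come from a DNS TXT lookup of `_dmarc.<domain>` for each domain the organization sends mail from.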
High-ranking executives at AWM companies are attractive targets for spearphishing attacks. Spearphishing attacks are often observed in the initial stages of a BEC campaign, with cybercriminals conducting research on how the company operates, who the executives are, and when transfers of money are made before crafting an email to slide under the radar.
As phone verification has become a common response to suspicious emails, voice phishing attacks are expected to continue to grow. The emergence of deepfake audio enabled by maturity in artificial intelligence (AI) and machine learning (ML) technologies allows threat actors to bypass traditional security detection mechanisms. Within the AWM sector, attackers could begin regarding employees and clients as potential targets, not just executives.
Ransomware-specific recommendations
The majority of an organization’s planning should occur before a ransomware attack. Steps to be considered when planning for a possible ransomware attack include identifying what kind of information is stored on backups, how they’re stored, and if reverting to backups is feasible during an incident; conducting cybersecurity risk analysis; training staff on cybersecurity best practices; and performing penetration testing to evaluate system security and fortify defenses.
Common ransomware infection and attack vectors include distributing weaponized attachments via phishing and targeting remote desktop protocol (RDP). Restricting RDP behind an RDP Gateway and enabling Network Level Authentication can provide security benefits if RDP is required to be Internet-facing. Organizations should prioritize patching based on the impact a vulnerability has on organization data, the types of systems that are impacted, the number of systems that are affected, the access level required to exploit the vulnerability, and how widely known the vulnerability is. Last but not least, organizations should create a robust security awareness program that trains employees to identify malicious emails and report them to an incident response authority.
Executive awareness of Business Email Compromise
Executives responsible for fund transfers should be aware of seemingly legitimate emails that request a transfer of funds to other financial institutions, or of in-house transfer-of-fund requests including:
Employee awareness of Business Email Compromise
Employees linked to decision makers or who control transfer of funds should be educated on the characteristics of phishing attacks including:
Security around internal sender email traffic
Of all spearphishing attacks, 13% come from internally compromised accounts. Organizations need to invest in protecting their internal email traffic with the same urgency as they do in protecting against external senders.
Threat intelligence can help security professionals identify data exposure on data dump sites early, research associated vulnerabilities, and identify early discussions and advertisements for sensitive information and employee credentials on cybercriminal marketplaces and forums. You can trial Digital Shadows' (now ReliaQuest) threat intelligence library of over 400 threat actors, events, and campaigns.
For additional reading you can view our data sheet, Security Challenges for Asset Management Organizations.