An overwhelming majority of brokerage and investment advisory firms examined by the U.S. Securities and Exchange Commission (SEC) have been the subject of a cyber-attack.

In its recent ‘Cybersecurity Examination Sweep Summary‘ report, the SEC took a look at 57 registered broker-dealers and 49 registered investment advisors. Eighty-eight percent of the broker-dealers and 74 percent of the advisers stated that they have experienced cyber-attacks either directly or through one or more of their vendors.

The majority of the cyber-related incidents are related to malware and fraudulent email. In fact, more than half of the broker-dealers (54 percent) and 43 percent of the advisers reported receiving fraudulent emails seeking to transfer client funds. More than a quarter of those broker-dealers reported losses in excess of $ 5,000 related to these emails, with no single loss being greater than $ 75,000. Twenty-five percent of the broker-dealers confessing losses related to the emails said the damage was the result of employees not following their firm’s identity authentication procedures.

<a href="http://redirect.viglink.com?key=11fe087258b6fc0532a5ccfc924805c0&u=http%3A%2F%2Fwww.securityweek.com%2Fcybersecurity-healthcare-retail-sectors-lags-behind-utility-and-financial-industries-report%22%3E"Brokers and advisors, especially those who handle very wealthy clients, are used to dealing with substantial sums of money, but they’re also human beings who can be duped by a well-crafted phishing scam,” said Tim Erlin, director of IT security and risk strategy at Tripwire. “Not all of these brokerages are as big as Wells Fargo and Morgan Stanley. Small and medium financial firms are gaining visibility because criminals are walking away with meaningful sums of money. The criminals are becoming more savvy about which kinds of transactions remain under the radar, and the more success they have with these targets, the more of these businesses they go after.”

The good news is the vast majority of examined broker-dealers (93 percent) and advisers (83 percent) have adopted written information security policies, and 89 percent of the broker-dealers and 57 percent of the advisers conduct periodic audits to determine compliance with these policies. For the majority of both broker-dealers (82 percent) and the advisers (51 percent), these written policies discuss mitigating the effects of a cyber-security incident and/or outline the plan to recover from such an incident. These policies however generally did not address how firms determine whether they are responsible for client losses associated with cyber incidents.

While firms identified misconduct by employees and other authorized users of their networks as a significant concern, only a small proportion of the broker-dealers (11 percent) and the advisers (four percent) reported incidents in which insiders engaged in misconduct resulting in the misappropriation of funds, securities, sensitive client or firm information, or damage to the firms’ networks. 

The vast majority of examined firms conduct firm-wide risk assessments on a periodic basis to identify cybersecurity threats, vulnerabilities and any potential impact to business. While most of the broker-dealers (93 percent) and advisers (79 percent) reported considering such risk assessments in establishing their cybersecurity policies and procedures, fewer firms applied these requirements to their vendors. While 84 percent of the brokerage firms require cyber-security risk assessments of vendors with access to their firm’s networks, only 32 percent of the advisers do so.

“Cybersecurity threats know no boundaries,” said SEC Chair Mary Jo White, in a statement. “That’s why assessing the readiness of market participants and providing investors with information on how to better protect their online investment accounts from cyber threats has been and will continue to be an important focus of the SEC. Through our engagement with other government agencies as well as with the industry and educating the investing public, we can all work together to reduce the risk of cyber attacks.”

Tags:

• NEWS & INDUSTRY
• Vulnerabilities

Researchers from FireEye have discovered a nasty zero-day exploit that bypasses the ASLR and DEP protections in Microsoft Windows and is being used in targeted attacks.

The security flaw is a remote code execution vulnerability (CVE-2014-1776) that affects versions of IE6 through IE11, which in total accounted for 26.25% of the browser market in 2013. 

The campaign is currently targeting US-based firms tied to the defense and financial sectors, a FireEye spokesperson told SecurityWeek, and is specifically targeting IE9 through IE11. 

“The exploit leverages a previously unknown use-after-free vulnerability, and uses a well-known Flash exploitation technique to achieve arbitrary memory access and bypass Windows’ ASLR and DEP protections,” FireEye wrote in a blog post Saturday. 

Microsoft also issued a security advisory on Saturday and said they were working with partners in its Microsoft Active Protections Program (MAPP) to extend broader protections to customers as soon as possible.

If successfully exploited, an attacker could gain the same user rights on the impacted system as the current user, Microsoft said. Accounts configured with fewer rights on the could be less impacted than users who operate with administrative privilages.

FireEye has named the campaign “Operation Clandestine Fox,” but has shared very little details other than saying the group behind the exploit has been the first to have access to a select number of browser-based 0-days in the past.

FireEye warned that the attackers are “extremely proficient at lateral movement and are difficult to track, as they typically do not reuse command and control infrastructure.”

“They have a number of backdoors including one known as Pirpi that we previously discussed here,” the researchers wrote. “CVE-2010-3962, then a 0-day exploit in Internet Explorer 6, 7, and 8 dropped the Pirpi payload discussed in this previous case.” 

“The SWF file calls back to Javascript in IE to trigger the IE bug and overwrite the length field of a Flash vector object in the heapspray,” FireEye explained. “The SWF file loops through the heapspray to find the corrupted vector object, and uses it to again modify the length of another vector object. This other corrupted vector object is then used for subsequent memory accesses, which it then uses to bypass ASLR and DEP.”

Because the attack leverages Adobe Flash, users who do not have Flash installed or have the Flash plugin for IE disabled, will be protected. Additionally, several versions of Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) will break the exploit.

Additional technical details are available from FireEye. Microsoft also has provided some mitigation information. 

Related: ASLR Bypass Techniques Appearing More Frequently in Attacks

Tags:

• Network Security
• NEWS & INDUSTRY
• Incident Management
• Vulnerabilities
• Data Protection