Mortgage industry attack spree punctuates common errors

A spree of recent attacks against mortgage servicing and title settlement companies is a repeat of what businesses across sectors have come to see as commonplace: Threat actors descend on high-pressure and critical sectors, seemingly at random, to cause chaos.

Cyberattacks hit four major mortgage industry firms, Mr. Cooper Group, Fidelity National Financial, First American Financial and loanDepot, between late October and early January.

While there aren’t any known direct links between the attacks – the victim organizations haven’t disclosed how their networks were breached – the resulting damages were similar and widespread.

The attacks compromised sensitive corporate and customer data, delayed closing times on new loans and prevented customers from making payments.

Regardless of size or resources, financial services organizations are marred by the same malicious activity as any other business sector. Though government agencies can support and defend organizations in the mortgage industry, companies and their technology vendors have to secure and patch the products in use.

Swarms of malicious activity have become routine. Organizations in healthcare, financial services, education and manufacturing were hit by the largest number of data compromises last year, according to the Identity Theft Resource Center.

“Think of this all as a picnic and the attackers are ants … Nothing succeeds like success,” said Christopher Budd, director of threat intelligence at Sophos.

The financial sector’s built-in reliance on rapid transaction processing and turnaround times plays right into threat actors’ objectives.

“This is an industry that is very time driven,” Budd said. “That’s something that favors the attackers because time pressure creates urgency and in this case the attackers don’t even need to take steps to generate the urgency that business generates for them.”

These industry-centric attacks are often fueled by threat actors’ strategies to target victims opportunistically, according to cyber authorities and experts.

The Treasury Department’s Office of Cybersecurity and Critical Infrastructure Protection is tracking these incidents, which “appear to be the result of malicious cyber actors pursuing targets of opportunity, rather than a concentrated effort to target the mortgage industry in particular,” an agency spokesperson said via email.

Financial services organizations remain a target, despite a long history of institutional and regulatory efforts to mitigate risk across the sector, because of its critical functions, funding that helps power the economy and vast amounts of sensitive information it handles and produces, the spokesperson said.

“Some industries are simply a more attractive target for bad actors. While many factors influence this, financial incentives frequently play a pivotal role,” Patrick Tiquet, VP of security and architecture at Keeper Security, said via email.

Common attack vectors

Across industries, threat actors mostly gain access to victim organizations through three main entry points — compromise of remote desktop protocol, phishing via credential theft or malware, and software vulnerability exploits, said Jack Cable, senior technical advisor at the Cybersecurity and Infrastructure Security Agency.

Cable declined to speak about the specific attacks against the mortgage industry organizations of late, but threat vectors are largely consistent across critical infrastructure sectors.

“In the vast majority of cases we’re aware, these are either known classes of vulnerabilities or known insecure default configurations — actions that we think are preventable at scale by technology manufacturers,” Cable said.

The Treasury Department acknowledges that financial sector organizations likely use commodity software products and networking devices with known vulnerabilities.

“The nature of the systems that these organizations use may also make them a target of opportunity,” the agency spokesperson said.

Once threat actors gain access they can pull multiple levers to compel financial services organizations, such as those in the mortgage industry, to meet ransom demands.