Financial Services Sector Rife with Hidden Tunnels

Attackers use the approach to look like legitimate traffic and hide data exfiltration in plain sight.

Global financial services organizations are seeing a significant uptick in the rate of being actively targeted by sophisticated cyber-attackers using hidden-tunnel techniques for post-intrusion data exfiltration.

In an attempt to steal critical data and personally-identifiable information (PII), cybercriminals are building hidden tunnels into compromised systems to further break into networks and steal critical data and personal information, while remaining largely undetected. That’s because the traffic flowing through these tunnels looks and behaves just like normal web traffic, such as packets flowing to and from legitimate cloud apps that workers are using.

As a result, the technique allows the malicious traffic to camouflage itself alongside the high volume of traffic from web-based enterprise applications, effectively evading strong access controls, firewalls and intrusion detection systems.

While these types of attacks are not new, they have dramatically increased since hidden tunnels were used in the 2017 Equifax breach, where over 147 million personal records were taken — one of the largest data breaches in history. Financial services firms are now seeing double the number of hidden-tunnel attacks in other verticals, according to an analysis of the technique from Vectra released Wednesday.

Targeted to Financial Services

According to the report, security breaches across multiple industries continue in an upward trajectory, and the financial services industry is no exception. However, cybercriminals are increasingly tailoring their attacks to their targeted vertical.

The hidden-tunnel tactic for post-intrusion data exfiltration matches the financial-services environment perfectly, it added, and as a result more and more efforts using this tactic are being unleashed.

The analysis, of anonymized metadata from more than 4.5 million devices and workloads from customer cloud, data center and enterprise environments, showed significantly more hidden command-and-control tunnels per 10,000 devices in financial services than all other industries combined, and twice as many hidden data-exfiltration tunnels.

“Every industry has a profile of network and user behaviors that relate to specific business models, applications and users,” said Chris Morales, head of security analytics at Vectra. “Attackers will mimic and blend in with these behaviors, making them difficult to expose.”

For instance, in the education vertical, “we see much more suspicious HTTP traffic – which is a very traditional attack, where some kind of payload is delivered from a malicious website,” explained Morales in an interview with Threatpost. “There’s also a lot of cryptomining in higher ed. These kinds of attacks are more obvious, and financial organizations are good at detecting that, so criminals turn to different tactics when they go after a bank.”

Hiding in Plain Sight

Financial services firms already use hidden tunnels for legitimate purposes, including stock-ticker feeds, internal financial management services, third-party financial analytics tools and other cloud-based financial applications. Hidden tunnels are typically used to circumvent security controls that would otherwise limit their ability to function, the report explained.

This is the same reason attackers use hidden tunnels, which were employed in the Equifax data breach, Morales noted.

“Using hidden tunnels from an attacker perspective is an advanced technique, a natural evolution of the way the internet works,” Morales told Threatpost. “For instance, companies have a lot more granular control over their environments these days, and they rely heavily on apps and the cloud.”

He added that this has naturally evolved to the use of tunnels, where data is broken into chunks and carried through the network in encrypted pieces, similar to VPN traffic – which creates an unintended attack surface.

As the report explained, hidden-tunnel communications are concealed within multiple connections that use normal, commonly allowed protocols. For example, communications can be embedded as text in HTTP-GET requests, as well as in headers, cookies and other fields. The requests and responses are hidden among messages within the allowed protocol.

“With the rise of web applications, the use of SSL/TLS encryption has become widespread, and HTTPS traffic is the norm; certificate pinning is also widely used to prevent network security systems from performing man-in-the-middle decryption to inspect packets for threats,” the report noted.

The bad guys employ the same techniques.

Once inside the network, “bad actors use tunnels to break up the data and exfiltrate it through firewalls in the same way, to avoid anomaly detection, mainly,” Morales told Threatpost. “And if legitimate apps are using these same techniques, then there’s nothing to detect because it’s not an anomaly.”

Also, while many attackers use SSL/TLS for encryption, the most adept attackers will also create their own encryption schemes, he added: “Custom encryption is especially difficult to detect, because the protocol might be unidentifiable and use any available port.”

Once attackers locate key assets to steal, the focus shifts to accumulating those assets and smuggling them out. In this exfiltration phase, attackers control the transmission of large data flows from the network and into the wild.


Unfortunately, the ability to detect this kind of activity remains rudimentary on the traditional tools front, but there are options.

“CISOs typically have a lot of tools around access control and the perimeter,” said Mike Banic, vice president at Vectra, in an interview. “They usually don’t have the tools to determine whether hidden tunnels exist on their networks. Machine learning is evolving to help them do that, however.”

Will LaSala, director of security solutions at OneSpan (formerly VASCO), told Threatpost via email that another aspect of the hidden-tunnel threat is that attackers can make use of those already in place for legitimate applications. However, these can be defanged by app developers so that malefactors can’t use them.

“Many app developers put holes through firewalls to make services easier to access from their apps, but these same holes can be exploited by hackers,” he said. “Using the proper development tools, app developers can properly encrypt and shape the data being passed through these holes. Sometimes developers are at a rush to implement a new feature to maintain customers or to increase business, and this often leads to situations where a hidden tunnel is created and not secured. By leveraging development tools that create an end to end secure communications whenever a hidden tunnel is needed, developers can start with a solid foundation of security before hackers attack.”

He added that secure communication APIs allow for a developer to encrypt their data within their application before the network layer is applied, which often protects apps from the injection of a malicious backdoor.

“Applying further application shielding techniques can often harden the application from attack even further,” he said. “Taking a layered security approach to applications can not only stop current attacks, such as the malicious hidden tunnel, but can often prevent new ones from being attempted against a protected app.”

Suggested articles