Risky Network Traffic in Fortune 500 Financial Services Companies

Welcome to the second installment of Expanse’s new blog series, Internet Data Bytes. In our last article, we demonstrated just how common risky Internet assets and communications are across a set of major healthcare companies. 

In this edition, we’re looking at what a typical week looks like for the global enterprise networks of 12 of the world’s largest financial services companies. Of these companies, nine were in the Fortune 500, one was in the Fortune 1,000 but not in the Fortune 500, and two were based outside of the United States. The smallest company had annual revenue of $3 billion U.S. dollars and the largest over $110 billion. 

Over the course of one week in June 2020, Expanse monitored for Internet traffic anomalies and exposed services from these organizations. Here’s what we found:

Nearly All Had Connections to OFAC-prohibited Countries

Of the types of risky connections made, connections to and from systems and services in regions prohibited by the U.S. Office of Foreign Assets Control (OFAC) were the most common. Eleven of the 12 companies examined had connections to an OFAC-prohibited country on more than half the days in the period of interest and seven of 12 had such connections every day over the period of interest. 

Concerningly, eight of the 12 companies — all but one of which are headquartered in the United States — had outbound connections to Iranian-based servers on more than half the days during this study.

Because Iran has economic and trade sanctions levied against it by OFAC, there are few, if any, legitimate reasons for U.S.-based financial services institutions, or for international financial institutions that do business with U.S. financial institutions, to be making connections to these regions. Penalties for OFAC violations in some cases exceed millions of dollars.
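To make the "more than half the days" metric concrete, here is an added example (not Expanse's code or methodology) that runs over constructed flow records, each tagged with the remote endpoint's country, and reports per company how many days of a seven-day window saw traffic to or from a sanctioned region. The company names, the flow format and the sanctioned-country set are assumptions made for the example; the direction filter also lets you count outbound-only days, as the Iran finding above does.

```python
# Constructed placeholder set of ISO country codes treated as OFAC-sanctioned;
# a real check loads the current list from an authoritative source.
SANCTIONED = {"IR", "KP", "SY", "CU"}

# Constructed flow records for three hypothetical companies over one week.
# Format: timestamp,company,direction,src_ip,dst_ip,remote_country
SAMPLE_FLOWS = """\
2020-06-01T10:22:03Z,acme-bank,out,10.1.2.3,203.0.113.9,IR
2020-06-02T11:05:41Z,acme-bank,out,10.1.2.7,203.0.113.9,IR
2020-06-03T09:14:12Z,acme-bank,out,10.1.2.3,198.51.100.4,IR
2020-06-04T16:40:00Z,acme-bank,in,198.51.100.4,10.1.2.9,IR
2020-06-05T08:01:55Z,acme-bank,in,203.0.113.9,10.1.2.3,IR
2020-06-02T12:00:00Z,beta-capital,out,10.2.0.5,192.0.2.44,KP
2020-06-04T12:00:00Z,beta-capital,out,10.2.0.5,192.0.2.44,KP
2020-06-03T13:30:00Z,gamma-trust,out,10.3.0.1,192.0.2.10,DE
2020-06-05T13:30:00Z,gamma-trust,out,10.3.0.1,192.0.2.10,GB
"""


def parse_flows(text):
    """Parse CSV flow lines into dicts keyed by field name; blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, company, direction, src, dst, country = line.split(",")
        rows.append({"day": ts[:10], "company": company, "direction": direction,
                     "src": src, "dst": dst, "country": country})
    return rows


def sanctioned_days(flows, directions=("in", "out"), sanctioned=SANCTIONED):
    """Map every company to the set of days on which it had a flow in one of
    `directions` with a sanctioned remote country (companies with no hits map to an empty set)."""
    days = {}
    for f in flows:
        hits = days.setdefault(f["company"], set())
        if f["direction"] in directions and f["country"] in sanctioned:
            hits.add(f["day"])
    return days


def flag_companies(flows, window_days=7, **kw):
    """Return {company: (hit_day_count, flagged)}; flagged when hits exceed half the window."""
    return {c: (len(d), 2 * len(d) > window_days)
            for c, d in sanctioned_days(flows, **kw).items()}


if __name__ == "__main__":
    for company, (n, flagged) in flag_companies(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{company}: {n} day(s) with sanctioned-country traffic, flagged={flagged}")
```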

Comparatively Few Allow Connections to the Tor Network

Four of the 12 companies examined had connections to the Tor network on multiple days, indicating a more effective — though still incomplete — set of controls banning usage of Tor across financial services compared to those present in the healthcare industry we covered in our previous post.  

A Number Are Engaged in Cryptocurrency Mining

Five of the 12 organizations had cryptocurrency mining occurring on core networks over the period of interest. Mining volumes were low enough to indicate these were likely not large-scale revenue generation attempts authorized by the organization, but rather smaller efforts by individuals designed to mine (at most) modest amounts of crypto and to stay under the radar of IT security monitoring. 

Given the size and importance of these organizations in the global financial system, the risk posed by this activity comes less from the (relatively) small amounts of money these organizations are likely losing than from a lack of controls that, more generally, allows unauthorized software to be installed and run on core networks.

The Bottom Line

These results show that there is a lot of work to do on basic network and security hygiene, even among some of the world’s largest, most sophisticated, and most well-resourced organizations. Financial institutions should be particularly sensitive about any connections to systems and services in OFAC-prohibited countries, so the fact that 11 of the 12 companies examined had such connections is both surprising and concerning.  

Organizations like these that are the backbone of our global financial infrastructure would be prime targets for attackers. It is critical that they identify exposed assets and risky Internet communications like those outlined in this research on an ongoing basis to protect themselves from becoming the victims of a damaging breach.