SVB Collapse Prompts New Wave of Cyber Threats

Last week’s collapse of Silicon Valley Bank (SVB) has given cybercriminals an opportunity to take advantage of the ensuing chaos.

SVB was closed by the California Department of Financial Protection and Innovation on March 10. The FDIC then was appointed receiver. On Monday, the FDIC transferred all deposits – both insured and uninsured – and substantially all assets of the former bank to a newly created FDIC-operated “bridge bank” to protect all SVB depositors.

Sounil Yu is JupiterOne‘s CISO. He said the SVB situation creates a “tremendous opportunity” for attackers to launch fraudulent vendor email compromise (VEC) and business email compromise (BEC) attacks. They’ll try to convince finance teams to switch banking details over to an attacker-controlled account.

JupiterOne’s Sounil Yu

“Given SVB’s breadth of exposure across the startup ecosystem, we should expect to see many finance teams receiving an unusually high number of updates about new banking relationships and wire instructions,” he said. “Attackers are likely to indiscriminately impersonate vendors regardless of whether the vendor previously banked with SVB or not.”

Finance teams should confirm that the updated details of any of their vendors are indeed correct, Yu said.

SVB Collapse Prompts Social Engineering Attacks

Ashley Allocca is intelligence analyst at Flashpoint.

Flashpoint’s Ashley Allocca

“Financially motivated threat actors will often act opportunistically, seeking to take advantage of newsworthy events,” she said. “These events may influence the theme of various social engineering tactics used to gain initial access to compromise victims.”

Generally speaking, threat actors are likely to execute SVB-themed social engineering attacks, Allocca said. They’ll focus on phishing scams and malware lures.

What Flashpoint is seeing now is the potential use of newly registered domains that can be used in phishing attacks, Allocca said. They aim to collect sensitive information or coerce victims into sharing information or sending funds to actor-controlled accounts.

Threat actors have been registering new domains to look like legitimate pages affiliated with SVB, she said.

“For example, on March 11, the day following the SVB collapse, new domains like login-svb[.]com, svbbailout[.]com, svbdividendpayout[.]com, and svbfail[.]com were registered,” Allocca said. “That day, at least 16 other domains using SVB were registered.”

Registrants may not leverage all of those domains for malicious purposes, she said.

“But it is clear in the case of login-svb[.]com that that page will likely resolve to a login page for SVB affiliates, malicious or otherwise,” Allocca said.

Domains for SVB Competitors Cropping Up

Similarly, newly registered domains for known SVB competitors have been and will likely continue to crop up, Allocca said.

“For example, we have seen domains mimicking Revolut, a British-Lithuanian financial services company, including customer-revolut[.]com, logon-revolut[.]com, and revolutbank[.]net,” she said. “This may portend social engineering attacks with themes of transferring a financial relationship from one bank to another.”

A victim could be anybody who clicks on a malicious link, Allocca said. This could occur as part of a spear phishing campaign. That’s when a threat actor sends a personalized email to a specified targeted person, business or organization. The email generally impersonates a trusted source, such as an executive. And it contains either malware-infected documents or links to malicious websites.

There are many concerns about the interconnectedness of financial accounts, she said. Therefore Flashpoint recommends extra due diligence with any requests to update bank account information.

“There are many companies taking rapid action to update their payment information away from SVB, which presents a prime opportunity for cybercriminals to capitalize on this crisis situation, Allocca said.

Similar Threats Likely from Signature Bank Failure

It’s likely that the fallout from Signature Bank’s failure will lead to similar cyber threats, Allocca said. Financially motivated threat actors will act opportunistically. They’ll use the same low-level initial access techniques like phishing to prey upon those most impacted by the failure.

James Liolios is senior threat intelligence researcher at Arctic Wolf.

Arctic Wolf’s James Liolios

“Threat actors can leverage phishing emails which could contain new banking wire information, instructing an employee to make changes to benefit the threat actor in this scenario for financial gain,” he said. “Threat actors may also target employees’ social media accounts, such as LinkedIn, where they can identify individuals working at startups or other affected organizations.” 

Arctic Wolf Labs has multiple detections in place for suspicious activity on email accounts associated with BEC and account takeover attacks, Liolios said.

Arctic Wolf continues to monitor for tactics, techniques and procedures (TTPs) associated with campaigns that may arise from these events.