
This Is a Hold-Up: Financial Services Under Attack

Financial services are facing an escalating threat landscape characterized by massive DDoS attacks, AI-empowered botnets, and targeted web attacks against API endpoints. Attackers are increasingly exploiting overlooked DNS misconfigurations and leveraging hyperscale IoT botnets to bypass traditional IP reputation defenses, necessitating a shift toward behavioral heuristics and adaptive security architectures.

Confidence: high | Analyzed: 2026-05-20 | Google

Authors: Kimberly Gomez

Actors: Keymous+, DieNet, Handala, Cyber Islamic Resistance, IoT Botnets

Source: Akamai

Detection / Hunter: Google

What Happened

Cybercriminals are aggressively targeting the financial services industry, including banks and insurance companies, using massive networks of infected devices (botnets) and artificial intelligence. These attacks aim to disrupt services through overwhelming traffic (DDoS) or steal sensitive data by exploiting hidden weaknesses in web addresses (DNS) and application connections (APIs). This matters because the scale and duration of these attacks are growing dramatically, putting personal and financial data at risk. Organizations should focus on securing their web infrastructure, monitoring for unusual behavior rather than just known bad traffic, and adopting AI-aware security measures.

Key Takeaways

  • DDoS attacks against financial services are growing rapidly, with maximum event sizes increasing by 236% and median duration by 738% from 2024 to 2025.
  • DNS infrastructure is a critical, often overlooked attack surface, vulnerable to subdomain takeover and unauthorized certificate issuance due to misconfigurations.
  • Web attacks surged by 11%, with API endpoints serving as a major vector exacerbated by shadow APIs and AI-assisted coding.
  • Advanced bot activity increased by 147% in late 2025, utilizing AI-enabled evasion techniques and hyperscale IoT zombie botnets to bypass static defenses.

Affected Systems

  • Financial Services Infrastructure
  • Banking Systems
  • API Endpoints
  • DNS Infrastructure
  • IoT Devices

Attack Chain

Attackers leverage hyperscale IoT botnets and AI-enabled evasion techniques to launch massive Layer 3, 4, and 7 DDoS attacks against financial institutions. Concurrently, they target web infrastructure by exploiting shadow APIs and DNS misconfigurations, such as missing CAA records or unnecessary wildcards, to facilitate subdomain takeovers and unauthorized access. These combined vectors allow threat actors to disrupt services and target sensitive financial data while bypassing static perimeter defenses.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

The article provides strategic threat intelligence and trend analysis rather than specific detection rules or queries.

Detection Engineering Assessment

  • EDR Visibility: Low — The threats described (DDoS, API abuse, DNS misconfigurations, botnet traffic) are primarily network-level and external infrastructure issues, which fall outside standard endpoint detection and response scope.
  • Network Visibility: High — Network telemetry, WAF logs, and DNS query logs are essential for detecting DDoS patterns, API abuse, and botnet activity.
  • Detection Difficulty: Moderate — While volumetric DDoS is easy to detect, distinguishing sophisticated AI-enabled bot traffic and subtle API abuse from legitimate financial transactions requires advanced behavioral analytics.

Required Log Sources

  • WAF Logs
  • DNS Query Logs
  • API Gateway Logs
  • Network Flow Logs

Hunting Hypotheses

  • Unauthenticated or anomalous API requests are targeting undocumented (shadow) API endpoints.
    Telemetry: API Gateway Logs | ATT&CK Stage: Initial Access | FP Risk: Medium
  • DNS misconfigurations are allowing unauthorized subdomain takeovers or certificate issuance.
    Telemetry: DNS zone configurations and logs | ATT&CK Stage: Resource Development | FP Risk: Low
  • Distributed botnet traffic is attempting to bypass IP reputation blocks by rotating through large pools of IoT devices.
    Telemetry: WAF Logs | ATT&CK Stage: Impact | FP Risk: High
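The first and third hypotheses above can be turned into concrete hunt logic over API gateway or WAF records. The following is an added example, not code from Akamai or from the original report; the JSON log schema, the API inventory, the public-endpoint list, and the diversity threshold are all assumptions, and the log lines are constructed.

```python
"""Hunt over constructed API gateway log lines for two indicators this page
names: requests to undocumented (shadow) endpoints or to protected endpoints
without an Authorization header, and Layer 7 bursts spread across many source
networks (an IoT botnet rotating IPs rather than one noisy client).
Hypothetical log schema and API inventory, not any vendor's format."""
import json
from collections import defaultdict
from ipaddress import ip_network

DOCUMENTED_ENDPOINTS = {"/v1/accounts", "/v1/transfers", "/v1/login"}  # assumed inventory
PUBLIC_ENDPOINTS = {"/v1/login"}  # legitimately unauthenticated (assumed)
DIVERSITY_THRESHOLD = 25          # distinct /24s per minute; assumed, tune per site

def _event(ts, src, path, auth):
    return json.dumps({"ts": ts, "src": src, "path": path, "auth": auth})

# Constructed sample: one probe of an undocumented path, one unauthenticated
# transfer call, then a one-minute login burst from 40 different /24 networks
# in shared address space (100.64.0.0/10), i.e. a rotating botnet pattern.
SAMPLE_LOGS = [
    _event("2026-05-20T10:00:01Z", "203.0.113.7", "/v1/accounts", "Bearer tok1"),
    _event("2026-05-20T10:00:02Z", "203.0.113.9", "/v2/internal/export", "Bearer tok2"),
    _event("2026-05-20T10:00:03Z", "198.51.100.4", "/v1/transfers", ""),
] + [_event("2026-05-20T10:01:%02dZ" % i, "100.%d.%d.9" % (64 + i, i), "/v1/login", "")
     for i in range(40)]

def parse_logs(lines):
    return [json.loads(line) for line in lines]

def shadow_api_hits(events):
    """Requests to paths absent from the API inventory (possible shadow APIs)."""
    return [(e["src"], e["path"]) for e in events if e["path"] not in DOCUMENTED_ENDPOINTS]

def unauthenticated_hits(events):
    """Requests to protected endpoints carrying no Authorization value."""
    return [(e["src"], e["path"]) for e in events
            if e["path"] not in PUBLIC_ENDPOINTS and not e["auth"]]

def source_network_diversity(events):
    """Distinct /24 source networks per minute, keyed by 'YYYY-MM-DDTHH:MM'."""
    per_minute = defaultdict(set)
    for e in events:
        per_minute[e["ts"][:16]].add(str(ip_network(e["src"] + "/24", strict=False)))
    return {minute: len(nets) for minute, nets in per_minute.items()}

def diverse_burst_minutes(events, threshold=DIVERSITY_THRESHOLD):
    """Minutes whose source diversity is far beyond what one client produces."""
    return sorted(m for m, n in source_network_diversity(events).items() if n >= threshold)

if __name__ == "__main__":
    ev = parse_logs(SAMPLE_LOGS)
    print(shadow_api_hits(ev), unauthenticated_hits(ev), diverse_burst_minutes(ev))
```

Network diversity per minute is the behavioral heuristic the page contrasts with static IP reputation: a rotating IoT botnet shows up as dozens of source networks at once, which a blocklist of individual addresses never catches.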

Control Gaps

  • Static IP reputation blocks
  • Lack of API visibility and governance (Shadow APIs)
  • Unmonitored or legacy DNS infrastructure

Key Behavioral Indicators

  • Spikes in Layer 7 traffic from diverse IoT IP ranges
  • API requests lacking standard authentication headers or exhibiting abnormal parameter usage
  • DNS queries for orphaned subdomains

False Positive Assessment

  • Medium (Behavioral heuristics for bot detection and API anomaly detection can flag legitimate users or poorly designed internal applications if not tuned properly.)

Recommendations

Immediate Mitigation

  • Verify against your organization's incident response runbook and team escalation paths before acting.
  • Audit external DNS records for missing CAA records, unnecessary wildcards, and misconfigured SOA.
  • Ensure DDoS protection services are actively configured to handle both volumetric (Layer 3/4) and application-layer (Layer 7) attacks.
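The DNS audit step above can be scripted against an exported zone. This is an added example, not Akamai's tooling or anything from the original report; the zone contents, the apex name and the list of verified external CNAME targets are constructed assumptions, and no lookups are made over the network (a live audit would also confirm that each external CNAME target still resolves and is still owned by the organisation).

```python
"""Audit a zone's records for the DNS weaknesses this advisory lists:
missing CAA at the apex, wildcard records, and CNAMEs that point outside the
zone at unverified third-party hosts (the usual setup for a subdomain takeover).
Hypothetical helper over a constructed zone; nothing is resolved over the network."""

ZONE = "bank.example"  # constructed apex

# Constructed sample zone in a minimal BIND-like layout; the wildcard and the
# CNAME to a retired CDN hostname are deliberate weaknesses for the audit to find.
SAMPLE_ZONE = """
bank.example.        SOA   ns1.bank.example. hostmaster.bank.example. 2026052001 7200 3600 1209600 300
bank.example.        A     198.51.100.10
*.bank.example.      A     198.51.100.10
www.bank.example.    CNAME bank.example.
promo.bank.example.  CNAME old-campaign.pages.cdn-vendor.example.
api.bank.example.    A     198.51.100.20
"""

def parse_zone(text):
    """Return (owner, type, rdata) tuples; owners lower-cased without the trailing dot."""
    records = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) >= 3:
            records.append((parts[0].rstrip(".").lower(), parts[1].upper(), " ".join(parts[2:])))
    return records

def in_zone(name, zone):
    return name == zone or name.endswith("." + zone)

def audit_zone(records, zone, verified_cname_targets=frozenset()):
    """Return (finding, owner) pairs. verified_cname_targets holds external
    hostnames the organisation has confirmed it still controls (assumed input)."""
    findings = []
    if not any(owner == zone and rtype == "CAA" for owner, rtype, _ in records):
        findings.append(("missing_caa", zone))  # without CAA, any CA may issue for the zone
    for owner, rtype, rdata in records:
        if owner.startswith("*."):
            findings.append(("wildcard", owner))  # every unregistered label resolves
        if rtype == "CNAME":
            target = rdata.rstrip(".").lower()
            if not in_zone(target, zone) and target not in verified_cname_targets:
                findings.append(("unverified_external_cname", owner))  # takeover candidate
    return findings

if __name__ == "__main__":
    for finding, owner in audit_zone(parse_zone(SAMPLE_ZONE), ZONE):
        print(f"{finding}: {owner}")
```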

Infrastructure Hardening

  • Consider implementing comprehensive API discovery tools to identify and govern shadow APIs.
  • Evaluate transitioning from static IP reputation blocking to behavioral heuristics and user-risk telemetry.
  • If supported by your registrar, enable registry locks on critical domains to prevent unauthorized modifications.

User Protection

  • Consider enforcing strong authentication and behavioral monitoring for user identities within transactional flows.

Security Awareness

  • Consider training development teams on secure API coding practices and the risks associated with AI-assisted coding.
  • Evaluate incorporating MITRE ATT&CK and ATLAS frameworks into security operations and red team assessments.

MITRE ATT&CK Mapping

  • T1498 - Network Denial of Service
  • T1499 - Endpoint Denial of Service
  • T1583.005 - Acquire Infrastructure: Botnet
  • T1190 - Exploit Public-Facing Application