The Financial Times reports that Russian criminals have been aiming cyber attacks at Russian-owned banks and are making a decent profit:

In Russia, however, the scourge of its hackers is fast becoming a problem for the country’s own businesses.

Russia was one of the countries worst affected by the WannaCry attack last year. Even though the US and UK have blamed the Kremlin for using the NotPetya attack a few months later to target Ukraine, Russian companies such as Rosneft, state-run oil giant, were also affected.

Most vulnerable, however, are Russia’s banks. Hackers used the Cobalt Strike security-testing tool to steal more than $17m from more than 240 Russian banks in 2017, according to the central bank. In the past few months, hackers used the Swift payment system to steal $6m from an unnamed bank and tried to steal nearly $1m from state-owned Globex.

Russia is now keen to change the perception of the country as a hacker’s paradise by showing that it, too, is trying to clamp down on cyber threats.

No honor among thieves indeed.

NBC News is reporting the Equifax hack is worse than originally thought, with an additional 2.4 million customer records affected:

The company said it was able to confirm the identities of U.S. consumers whose driver’s license information was taken by referencing other information in proprietary company records that the attackers did not steal.

“Equifax will notify these newly identified U.S. consumers directly, and will offer identity theft protection and credit file monitoring services at no cost to them,” the company said.

The new information is the latest blow to the industry giant, which lost three top executives — including its longtime CEO Rick Smith — in the fallout of the mega-breach that exposed private information belonging to 143 million people.

Equifax is a company whose entire existence relies upon collecting personally identifiable information. Therefore it should be blatantly obvious to even the most inexperienced layman that properly securing and defending this data is of the utmost importance. To have identified an additional 2.4m people months after the original disclosure demonstrates their complete and utter disregard for the people affected.

This company needs to be slapped with fines and investigated for their exceedingly poor security posture, if they even had one to begin with.

ZDNET reports about new Lazarus attack activity designed to steal bitcoins from global banking organizations:

Now Lazarus has resurfaced once again, with a phishing campaign which aims to plant malware on the systems of global financial organisations and bitcoin users for both short-term and long-term gain.

Dubbed ‘HaoBao’, the campaign has been uncovered by MacAfee [sic] Labs. It’s different to other phishing operations by the Lazarus group and uses novel code to infect machines.

The latest Lazarus campaign was first spotted in mid-January, when researchers discovered a malicious document being distributed via a Dropbox link, which claimed to be a job advert for a business development executive located in Hong Kong for a large multi-national bank.

The author is listed as ‘Windows User’ and the document was created in Korean, with additional similar documents appearing in the days which followed.

Attackers pose as a job recruiter, and send the target a spear-phishing email with a fake job advert, which when opened encourages the user to ‘enable content’ to see a document they’re told was created with an earlier version of Word.

The entire campaign does not appear to be all that sophisticated, despite the techniques not having been previously witnessed. North Korea seems to be laser-focused on stealing money rather than disruption or destruction. Now is an interesting time to focus on stealing bitcoin considering its recent major devaluation, but if Lazarus is in it for the long term then it may prove lucrative.

The Guardian reports that thousands of UK government web sites have been unwittingly infected with malware designed to force visitors into cryptocurrency mining:

Late on Sunday, the website of the UK’s data protection watchdog, the Information Commissioner’s Office, was taken down to deal with the issue after it was reportedly infected by the malware.

The cryptojacking script was inserted into website codes through BrowseAloud, a popular plugin that helps blind and partially-sighted people access the web.

More than 5,000 websites have been flooded by the malware. Software known as Coinhive, which quietly uses the processing power of a user’s device to mine open source cryptocurrency Monero, appears to have been injected into the compromised BrowseAloud plugin.

Texthelp, which operates BrowseAloud, took its website down on Sunday while it tried to resolve the problem.

The National Cyber Security Centre confirmed the issue was being investigated, adding there was nothing to suggest members of the public were at risk after the malware attack.

One problem with using third-party plugins such as BrowseAloud is that if the company developing the software is not reputable, or lacks proper quality assurance, there is a risk of malware being either purposely or inadvertently injected into the code that every embedding site then serves. Although the details in this instance remain unknown while the UK’s NCSC investigates, one does have to wonder how this happened when so many UK government web sites are reliant upon this accessibility plugin.

CNN is reporting the Equifax breach, one of the worst cyber attacks in 2017, may be worse than originally thought:

Additional information, including tax IDs and driver’s license details, may have been accessed in a hack that affected 145.5 million customers, according to confidential documents Equifax provided to the Senate Banking Committee seen by CNN.

The Senate Banking Committee has been looking into the Equifax hack to determine exactly what was taken and how the breach occurred. The Equifax CEO testified late last year in front of a committee panel during a major hearing.

I found the following comment from an Equifax spokesman to be incredulous:

Equifax spokesperson Meredith Griffanti told CNNMoney Friday that the original list of vulnerable personal information was never intended to represent the full list of potentially exposed information.

The new documents now raise questions of how much information hackers may have accessed in Equifax’s cyberattack.

It is imperative to keep an eye on your credit report to ensure nothing shady is happening without your knowledge. A motive for the attack has not yet been established, and the stolen personally identifiable information has yet to be leveraged by the attackers.

WIRED on the devastating jackpotting ATM hack phenomenon finally starting to spread throughout the United States:

ATM hackers in Taiwan raked in more than $2 million using a new type of malware attack that manipulated machines into spitting out tons of cash. The method, dubbed “jackpotting,” quickly spread across parts of Asia, Europe, and Central America, resulting in tens of millions of dollars of stolen cash. By November 2016, the FBI issued a warning that “well-resourced and organized malicious cyber actors have intentions to target the US financial sector” using this approach. But it took a year for the attack to arrive stateside.

This week, the Secret Service began warning financial institutions about a rash of jackpotting attacks across the US, and the threat that more could be coming. In a jackpotting attack, hackers—often dressed as technicians to deflect suspicion—penetrate an ATM’s physical and digital security, install malware, establish remote access, and set it up to display an out-of-order screen. With those hardware and software modifications in place, another attacker can approach the compromised ATM and stand with a bag while co-conspirators remotely instruct it to dispense cash. In past incidents, law enforcement observed a cashflow rate of 40 bills every 23 seconds.

Diebold Nixdorf has to be one of the worst companies on the planet. This is the same company from years ago that had a host of issues with their voting machines and failed to take the appropriate action to fix their vulnerabilities.

Russian criminals are leveraging cyber to steal money from banks from Moscow to Utah:

A previously unknown ring of Russian-language hackers has stolen as much as $10 million from U.S. and Russian banks in the last 18 months, according to a Moscow-based cyber-security firm that runs the largest computer forensics laboratory in eastern Europe.

The hackers, who also breached a U.K. software and service provider, are now probing institutions in Latin America and may be trying to compromise the Swift international bank messaging service, according to the security firm, whose clients range from Russia’s biggest lender Sberbank PJSC to Raiffeisen Bank International AG. “Criminals have changed tactics and are now focusing on banks rather than their clients, as was standard operating procedure in the past,” Dmitry Volkov, the head of Group-IB’s cyber intelligence department, said by phone.

Since its first successful breach in May 2016, MoneyTaker has stolen from banks in New York, California, Utah and Moscow, primarily targeting smaller institutions with limited cyber defenses, Group-IB found.

The average haul from U.S. banks was about $500,000, and it stole over $3 million from three Russian lenders.

Group-IB said the U.S. banks were targeted by gaining access to their card-processing system and then opening accounts at the compromised institutions.

Russia is all over the internet, using it for everything from stealing money, to geopolitical operations, to stealing intellectual property, and more. Do not expect the Russians to cease anytime soon considering how lucrative and inexpensive it is to use cyber for these attacks.

The financial industry has shown time and time again that it cannot be trusted, and hiding cyber attacks seems to be par for the course. This time the Federal Deposit Insurance Corporation was hacked by China and the breach was covered up by its CIO:

The FDIC failed at the time of the “advanced persistent threat” attacks to report the incidents. Then-Inspector General at FDIC, Jon Rymer, lambasted FDIC officials for failing to follow their own policies on breach reporting. Further investigation into those breaches led the committee to conclude that former FDIC CIO Russ Pittman misled auditors about the extent of those breaches, and told employees not to talk about the breaches by a foreign government so as not to ruin FDIC Chairman Martin Gruenberg’s chances of confirmation.

The cascade of bad news began with an FDIC Office of the Inspector General (OIG) investigation into the October “Florida incident.” On October 23, 2015, a member of the Federal Deposit Insurance Corporation’s Information Security and Privacy Staff (ISPS) discovered evidence in the FDIC’s data loss prevention system of a significant breach of sensitive data—over 1,200 documents, including Social Security numbers from bank data for over 44,000 individuals and 30,715 banks, were copied to a USB drive by a former employee of FDIC’s Risk Management Supervision field office in Gainesville, Florida. The employee had copied the files prior to leaving his position at FDIC. Despite intercepting the employee, the actual data was not recovered from him until March 25, 2016. The former employee provided a sworn statement that he had not disseminated the information, and the matter was dropped.

Sure, successful breaches are embarrassing, but it is always better to get out ahead of these incidents rather than allowing them to drive the story themselves.

Seemingly taking cues from their adversary, cyber criminals are targeting the less savvy firms because the larger banks have locked-down security too tight to make for an attractive target:

“Larger banks are getting harder to penetrate since they’ve invested in security for years. They’ve had their big breach through which they get religion, they get spend [more budget] and they get harder,” said Bill Stewart, an EVP with Booz Allen. “Now, the adversaries are moving down the food chain.” In practice, this means the same hackers who once targeted big banks are seeking easier prey: credit unions, small hedge funds, PR firms, and a wide variety of other mid-tier enterprises.

The attackers are led by mafia-like criminal gangs but also outfits like Lazarus, which hit the Bangladesh central banks, and which is widely believed to be tied to the government of North Korea. According to McArdle of eSentire, some nation states are expanding their hacking targets as a way to fund their cyber-military capacities.

He added that the mid-tier firms, now the targets of hackers of all stripes, can be defined as companies that lack resources for chief security officers, and other full-time defense operations.

If you are a financial institution, there is no excuse for not having full-time defensive operations, or a 24/7 security operations center.

The U.S. Attorney’s office in New Jersey has indicted nine people for cyber related insider trading activities netting the perpetrators roughly $100M (emphasis added):

Prosecutors with the U.S. Attorney’s office in New Jersey initially announced the indictment of nine people, five of whom were arrested in Georgia and Pennsylvania, Tuesday morning. A follow-up announcement in Newark revealed that 32 people connected to the scheme in total were facing charges.

According to Reuters, it’s the first time that prosecutors have brought criminal charges against individuals for perpetrating a securities fraud scheme involving hacked insider information.

The hackers purportedly infiltrated servers belonging to press release agencies: PRNewswire Association, Marketwire, and the Berkshire Hathaway subsidiary Business Wire, first accessing the newswires’ networks as early as 2010. Once they were in, over the course of five years, the hackers passed along sensitive information – some of which pertained to large Fortune 500 companies – to traders, who then used it to their benefit.

A related SEC complaint filed in tandem with the indictments notes that civil charges are being brought against 32 individuals and claims the hackers used “malicious programming code and other deceptive techniques to hack into the computer systems.”

The European Central Bank web site was hacked by an unknown group of malicious actors who were able to exfiltrate data from a conference database:

In the statement released by the ECB it states it was unaware of the attack until it was contacted by an anonymous party claiming to be behind the attack. The anonymous contact then proceeded to try to extort the bank, threatening to publish the compromised data unless the bank met their demands. The ECB refused to meet the demands and is in the process of contacting the individuals affected and resetting the passwords for all users on the system.

According to the ECB’s website it “is responsible for the prudential supervision of credit institutions located in the euro area and participating non-euro area Member States, within the Single Supervisory Mechanism, which also comprises the national competent authorities.” While the ECB states no market data or internal systems were compromised by the breach it is no doubt embarrassing for an institution of this stature to become victim to such an attack.

The ECB has assured all those affected that its security experts have identified and addressed the vulnerability that led to the compromise. The ECB is also working with German police to try and track down those responsible for the attack.

If they have such poor security practices for their public facing web site I wonder how well their internal network is protected.

Because there is not enough complex and dangerous malware out there already, we now have a new strain of the Bartalex malware dropping the Pony loader malware and the Dyre banking Trojan to increase the power and sophistication of an attack:

Primarily spread through spam, the first iterations of Bartalex were observed in late March embedded in Microsoft Word and Excel macros.

Macros have been a popular infection method for a decade-plus but as is often the case in malware, everything old eventually becomes new again. The attack vector never really went away but Word documents booby-trapped with macro malware have been enjoying a comeback of sorts as of late. Microsoft’s Malware Protection Center even sounded the alarm over an increasing number of threats using macros in January.

Brad Duncan, a security researcher at Rackspace and handler at the SANS Internet Storm Center spotted Bartalex propagating through a rigged Word document on Tuesday.

The Word document purports to come from the payroll service ADP and pertain to a rejected Automated Clearing House (ACH) payment. As Duncan notes, a quick look at the email’s header however indicates the email did not come from ADP and if a user were to open the file, assuming they have macros enabled in Microsoft Word, they’d execute any associated macros.

A new variant of the Dyre financial industry-oriented malware has been identified attacking seventeen Spanish banks:

As Europeans head to the beaches of Spain this summer, the cybercriminals behind the highly successful Dyre malware are not taking a break. In fact, they are turning up the heat and have set their sights on 17 Spanish banks, and several European banks’ Spain-based subsidiaries. IBM Security X-Force researchers were able to analyze a new Dyre Trojan configuration file that followed the release of a new Dyre build. This is the first configuration that targets such a large number of Spanish banks. Previous versions only included three or five Spain-based banks on the victim roster, likely as a way to test the waters before moving to a more aggressive phase.

The analysis reveals that Dyre’s developers have expanded the capabilities and reach of the malware by updating its webinjections to match the new banks they are targeting in Spain. On top of its Spanish targets the Dyre gang sees opportunities in other Spanish speaking countries beyond Spain, attacking in Chile, Colombia and Venezuela. This is hardly surprising given that Spanish is the second most spoken language in the world.

Dyre is not new in Europe. It already targets banks all over the European continent, unsurprisingly leaving out only Russia and the former Soviet Union region. Within Europe, Dyre infection rates in Spain are ranked third after the UK and France.

The Government Accountability Office (GAO) recently conducted an audit of the US banking regulators and discovered they really need to hire and train more examiners with technology and cyber security expertise so they can provide more useful recommendations to small and mid-sized banks:

Multiple U.S. regulators, including the Federal Deposit Insurance Corporation (FDIC) and the Federal Reserve, examine banks and other financial institutions that take deposits. Examiners’ findings may include how the institutions can improve their cyber security practices.

Each of the regulators employs dozens of examiners with specialized technology expertise, but typically assigns those examiners to the largest banking institutions, the GAO said.

Examiners with “little to no” information technology expertise generally examine small and mid-sized banks. Their findings may not be as “specific or useful” as those from more experienced counterparts, the GAO said.

The various regulators have been trying to improve their oversight of bank technology, the GAO noted. For example, the FDIC imposed a four-course training requirement for examiners in 2010 to boost their technology know-how. Three-quarters of examiners had completed between one and three courses as of the end of 2014.

Among the GAO’s other concerns: regulators are not collecting and storing technology exam findings in a way that makes it easy to search industry-wide trends.

The regulators, in letters to the GAO, said they are ramping up their systems for categorizing the data.

A regulation team with little or no IT and cyber security experience is essentially pointless. While they can surely read a checklist, they have no context with which to properly comprehend what those recommendations mean in practical terms.

SC Magazine on how Dyre malware rose to the top of the financial malware threat list:

Dyre malware, which quickly emerged as one of the most prominent financial trojans following the Gameover Zeus botnet takedown last June, is still steadily making its mark in the underground market – and in victims’ accounts – prompting researchers to deem the threat a malicious tool successfully, though likely temporarily, filling the void of Zeus.

On Tuesday, Symantec released a whitepaper (PDF) on Dyre and its impact on the financial fraud landscape, noting that the malware targets all three major browsers (Internet Explorer, Firefox, and Chrome), and that it has been configured to target customers at more than 1,000 banks and other firms around the globe. Users in the U.S. and UK have primarily been targeted by the trojan, Symantec added in a blog post covering its research.