April 10, 2015 By Jaikumar Vijayan 3 min read

The Federal Financial Institutions Examinations Council (FFIEC) has issued a rare warning to banks on destructive new malware tools that are being used by attackers to compromise data and render critical systems inoperable.

In a separate alert, the interagency council that develops standards for federal oversight of financial institutions also warned of targeted cyberattacks seeking to steal the online login credentials used by bank employees to access critical systems and data.

Targeted Attacks

It’s unclear whether the alerts were prompted by any specific incidents or were driven by broader concerns about targeted attacks against banks and other financial services institutions. Last year’s cyberattack on JPMorgan Chase, which exposed the data of an estimated 83 million banking customers, has spawned considerable worries about sophisticated malware tools being used to breach financial services networks.

One example of such tools is the Dyre banking Trojan, which first started circulating last June and has since been used in attacks against Citigroup, Chase, the Royal Bank of Scotland and Bank of America. IBM recently identified a variant of the tool being used in a campaign dubbed “Dyre Wolf,” which has already resulted in more than $1 million being siphoned out of corporate bank accounts.

Variety of Risks From Malware

The FFIEC’s alert on malware tools does not name any specific threats but noted that financial institutions faced a variety of risks from them, including financial loss, operational disruption, fraud and reputational damage.

The alert highlighted the targeted social engineering tactics being used by attackers to infect banking systems and noted how malicious software could be introduced via rogue attachments in phishing emails, through watering hole attacks or by connecting external devices such as USB drives to systems containing sensitive data.

“Once introduced, destructive malware may be further distributed through compromised enterprise system management technologies,” the alert said.

The FFIEC urged financial institutions to include cyberattacks in the list of eventualities for which they must prepare when developing business continuity and disaster recovery plans. Data recovery strategies should address the potential for corrupted data to be replicated on backup systems as the result of simultaneous attacks on backup centers, it cautioned.

Risk Mitigation

The FFIEC alert provides a checklist of items for mitigating malware-borne threats, but it stressed that none of them represent new regulatory requirements for banks. The recommendations include measures such as network segmentation, air gapping, hard backups, data encryption, access controls, continuous monitoring and ongoing risk assessments.

In keeping with the recent emphasis on threat information sharing, the FFIEC also urged banking institutions to cooperate with each other to identify, respond to and mitigate targeted security threats.

Credential Theft

Meanwhile, the council’s separate alert on credential theft warned banks to be on the lookout for phishing, malvertising, watering hole and Web-based attacks that are designed to steal usernames and passwords to critical customer and employee accounts. Stolen credentials are widely stored in underground forums and provide attackers with a way to take over accounts and commit identity theft.

Credential theft presents two distinct risks. Stolen customer data allows attackers to access their online banking accounts and steal money from them, while stolen employee data provides access to critical internal systems.

“System credentials may be targeted directly through vulnerabilities in authentication systems or indirectly by compromising the credentials of trusted third parties,” the FFIEC said.

Many of the recommendations the FFIEC had for mitigating the risk of credential theft were the same as its recommendations for protecting against malware threats. However, banks should also review their access and permissions to critical systems on a regular basis, restrict the number of people with privileged access, implement strong password management policies and regularly patch systems.

More from

Cybersecurity dominates concerns among the C-suite, small businesses and the nation

4 min read - Once relegated to the fringes of business operations, cybersecurity has evolved into a front-and-center concern for organizations worldwide. What was once considered a technical issue managed by IT departments has become a boardroom topic of utmost importance. With the rise of sophisticated cyberattacks, the growing use of generative AI by threat actors and massive data breach costs, it is no longer a question of whether cybersecurity matters but how deeply it affects every facet of modern operations.The 2024 Allianz Risk…

Autonomous security for cloud in AWS: Harnessing the power of AI for a secure future

3 min read - As the digital world evolves, businesses increasingly rely on cloud solutions to store data, run operations and manage applications. However, with this growth comes the challenge of ensuring that cloud environments remain secure and compliant with ever-changing regulations. This is where the idea of autonomous security for cloud (ASC) comes into play.Security and compliance aren't just technical buzzwords; they are crucial for businesses of all sizes. With data breaches and cyber threats on the rise, having systems that ensure your…

Adversarial advantage: Using nation-state threat analysis to strengthen U.S. cybersecurity

4 min read - Nation-state adversaries are changing their approach, pivoting from data destruction to prioritizing stealth and espionage. According to the Microsoft 2023 Digital Defense Report, "nation-state attackers are increasing their investments and launching more sophisticated cyberattacks to evade detection and achieve strategic priorities."These actors pose a critical threat to United States infrastructure and protected data, and compromising either resource could put citizens at risk.Thankfully, there's an upside to these malicious efforts: information. By analyzing nation-state tactics, government agencies and private enterprises are…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today