The Federal Financial Institutions Examinations Council (FFIEC) has issued a rare warning to banks on destructive new malware tools that are being used by attackers to compromise data and render critical systems inoperable.
In a separate alert, the interagency council that develops standards for federal oversight of financial institutions also warned of targeted cyberattacks seeking to steal the online login credentials used by bank employees to access critical systems and data.
It’s unclear whether the alerts were prompted by any specific incidents or were driven by broader concerns about targeted attacks against banks and other financial services institutions. Last year’s cyberattack on JPMorgan Chase, which exposed the data of an estimated 83 million banking customers, has spawned considerable worries about sophisticated malware tools being used to breach financial services networks.
One example of such tools is the Dyre banking Trojan, which first started circulating last June and has since been used in attacks against Citigroup, Chase, the Royal Bank of Scotland and Bank of America. IBM recently identified a variant of the tool being used in a campaign dubbed “Dyre Wolf,” which has already resulted in more than $1 million being siphoned out of corporate bank accounts.
Variety of Risks From Malware
The FFIEC’s alert on malware tools does not name any specific threats but noted that financial institutions faced a variety of risks from them, including financial loss, operational disruption, fraud and reputational damage.
The alert highlighted the targeted social engineering tactics being used by attackers to infect banking systems and noted how malicious software could be introduced via rogue attachments in phishing emails, through watering hole attacks or by connecting external devices such as USB drives to systems containing sensitive data.
“Once introduced, destructive malware may be further distributed through compromised enterprise system management technologies,” the alert said.
The FFIEC urged financial institutions to include cyberattacks in the list of eventualities for which they must prepare when developing business continuity and disaster recovery plans. Data recovery strategies should address the potential for corrupted data to be replicated on backup systems as the result of simultaneous attacks on backup centers, it cautioned.
The FFIEC alert provides a checklist of items for mitigating malware-borne threats, but it stressed that none of them represent new regulatory requirements for banks. The recommendations include measures such as network segmentation, air gapping, hard backups, data encryption, access controls, continuous monitoring and ongoing risk assessments.
In keeping with the recent emphasis on threat information sharing, the FFIEC also urged banking institutions to cooperate with each other to identify, respond to and mitigate targeted security threats.
Meanwhile, the council’s separate alert on credential theft warned banks to be on the lookout for phishing, malvertising, watering hole and Web-based attacks that are designed to steal usernames and passwords to critical customer and employee accounts. Stolen credentials are widely stored in underground forums and provide attackers with a way to take over accounts and commit identity theft.
Credential theft presents two distinct risks. Stolen customer data allows attackers to access their online banking accounts and steal money from them, while stolen employee data provides access to critical internal systems.
“System credentials may be targeted directly through vulnerabilities in authentication systems or indirectly by compromising the credentials of trusted third parties,” the FFIEC said.
Many of the recommendations the FFIEC had for mitigating the risk of credential theft were the same as its recommendations for protecting against malware threats. However, banks should also review their access and permissions to critical systems on a regular basis, restrict the number of people with privileged access, implement strong password management policies and regularly patch systems.