Tag Archive for: banks

The New FDIC InTREx Security Procedures: The Impact on Banks’ Digital Strategy


The use of technology continues to change in banking, and with it changes in cybersecurity risks. To address these changes, the FDIC updated the Information Technology Risk Examination (InTREx) procedures.

Updates include the requirement for banks to notify the FDIC within 36 hours of any computer security incident. InTREx also evaluates whether banks notify law enforcement and customers in these cases. It also applies to third-party organizations serving banks.

These rules are bound to impact banks’ digital strategy. Here are some questions to ask bank security staff to make sure they’re in compliance with the updates.

In most cases, community banks adding digital tools will use vendors, so it’s important to understand these rules. The InTREx exam procedures can help protect banks and their customers by pushing banks to gain a deeper understanding of their vendors. Keeping customer trust depends on knowing where customer data is, what controls protect it, who has access to it, and what happens when a failure occurs.

With this updated guidance, is your bank reviewing existing vendors as part of your vendor review process, especially for critical or high-risk vendors? Make sure they’re updating contact information, getting current due diligence packets, and understanding any new technology partners they’ve engaged with since the last review, since these are sometimes considered fourth-party vendors.

Even if your bank relies more heavily on vendors, the risk responsibility does not fall entirely on them. Banks bear the responsibility to make sure they fully understand the risks of each relationship. Contractually, there may be language to help the bank financially in case of a vendor breach.

It’s critical to understand the information each vendor has and make sure your bank gets status reports, remains in touch and conducts timely reviews. Don’t focus on responsibility from a financial perspective alone — make sure your bank accounts for reputational risk to the institution, as well.

How Should Banks Better Secure Their Data?
As chief information security officers would advise, all data should be secured consistently and at the highest level based on its defined…


Xenomorph malware now targets banks and crypto apps in Canada, other regions


Security researchers at cybersecurity company ThreatFabric discovered a new campaign leveraging the ‘Xenomorph’ malware on Android.

The campaign targets people in the U.S., Canada, Spain and other regions, and Xenomorph uses overlays that imitate various financial institutions to steal people’s banking credentials. It also targets cryptocurrency wallets.

Bleeping Computer reported on ThreatFabric’s findings, offering a brief overview of Xenomorph’s history since it appeared in 2022. The malware has gone through a few revisions, and the newest campaign using it tries to get it onto devices by tricking people into downloading a fake Chrome update. A pop-up warns people that they’re using an outdated version of Google Chrome and encourages them to update the browser. However, if people tap the pop-up’s update button, it installs the Xenomorph malware instead.

The main takeaway for Android users should be to avoid installing Chrome updates — or anything for that matter — from a website pop-up. For the vast majority of Android users, updates from Chrome and other apps will come via the Play Store and only the Play Store.

ThreatFabric says that once installed, Xenomorph uses ‘overlays’ to steal information. The malware comes loaded with roughly 100 overlays targeting different sets of banks and crypto apps depending on the targeted region.

Moreover, the recent versions of Xenomorph include new features to enhance it. That includes a ‘mimic’ feature that gives the malware the ability to act as another application. Mimic includes a built-in activity called ‘IDLEActivity,’ which can act as a WebView to show legitimate web content. These capabilities replace the need for the malware to hide icons from the app launcher after installation, behaviour that can be flagged as suspicious by security tools.

Xenomorph also has a ‘ClickOnPoint’ feature that allows the malware’s operators to simulate taps on specific parts of the screen. That allows operators to move past confirmation screens or perform other simple actions without triggering security warnings.

The last new feature researchers found was an ‘antisleep’ tool to prevent a device from…


Gozi strikes again, targeting banks, cryptocurrency and more


In the world of cybercrime, malware plays a prominent role. One such malware, Gozi, emerged in 2006 as Gozi CRM, also known as CRM or Papras. Initially offered as a crime-as-a-service (CaaS) platform called 76Service, Gozi quickly gained notoriety for its advanced capabilities. Over time, Gozi underwent a significant transformation and became associated with other malware strains, such as Ursnif (Snifula) and Vawtrak/Neverquest.

Now, in a recent campaign, Gozi has set its sights on banks, financial services and cryptocurrency platforms, recognizing the lucrative nature of these sectors.

The history of Gozi

In 2006, a Russian developer named Nikita Kurmin created the first version of Gozi CRM. While developing the malware, Kurmin borrowed code from another spyware called Ursnif, also known as Snifula, developed by Alexey Ivanov around 2000. As a result, Gozi v1.0 featured a formgrabber module and was often classified as Ursnif/Snifula due to the shared codebase. With these capabilities, Gozi CRM quickly gained attention in the cybercriminal community.

In September 2010, a significant event occurred that would shape the future of Gozi. The source code of a specific Gozi CRM dynamic link library (DLL) version was leaked, exposing its inner workings to the wider world. This leak had far-reaching consequences, as it enabled the creation of new malware strains that leveraged Gozi’s codebase.

In June 2023, Mihai Ionut Paunescu, a Romanian hacker, was sentenced to three years in U.S. federal prison for his role in running a “bulletproof hosting” service called PowerHost[.]ro. This service aided cybercriminals in distributing various malware strains, including Gozi Virus, Zeus Trojan, SpyEye Trojan and BlackEnergy malware.

New Gozi campaigns aim high

Cryptocurrency companies are an attractive target, and the latest iteration of Gozi has brought new elements to its modus operandi. Notably, it is now spreading across Asia, broadening its reach beyond its previous target regions.

A key weapon in Gozi’s arsenal is the use of web injects. These…


Ransomware gang lists first victims of MOVEit mass-hacks, including US banks and universities


Clop, the ransomware gang responsible for exploiting a critical security vulnerability in a popular corporate file transfer tool, has begun listing victims of the mass-hacks, including a number of U.S. banks and universities.

The Russia-linked ransomware gang has been exploiting the security flaw in MOVEit Transfer, a tool used by corporations and enterprises to share large files over the internet, since late May. Progress Software, which develops the MOVEit software, patched the vulnerability — but not before hackers compromised a number of its customers.

While the exact number of victims remains unknown, Clop on Wednesday listed the first batch of organizations it says it hacked by exploiting the MOVEit flaw. The victim list, which was posted to Clop’s dark web leak site, includes U.S.-based financial services organizations 1st Source and First National Bankers Bank; Boston-based investment management firm Putnam Investments; the Netherlands-based Landal Greenparks; and the U.K.-based energy giant Shell.

GreenShield Canada, a non-profit benefits carrier that provides health and dental benefits, was listed on the leak site but has since been removed.

Other victims listed include financial software provider Datasite; educational non-profit National Student Clearinghouse; student health insurance provider United Healthcare Student Resources; American manufacturer Leggett & Platt; Swiss insurance company ÖKK; and the University System of Georgia (USG).

A USG spokesperson, who did not provide their name, told TechCrunch that the university is “evaluating the scope and severity of this potential data exposure. If necessary, consistent with federal and state law, notifications will be issued to any individuals affected.”

Florian Pitzinger, a spokesperson for German mechanical engineering company Heidelberg, which Clop listed as a victim, told TechCrunch in a statement that the company is “well aware of its mentioning on the Tor website of Clop and the incident connected to a supplier software.” The spokesperson added that the “incident occurred a few weeks ago, was countered fast and effectively and based on our analysis did not lead to any data breach.”

None of…
