MISCELLANEOUS CYBERSECURITY NEWS:
State Department puts $10M
bounty on AlphV ransomware group - The prolific threat group and its
affiliates are behind some of the most high-profile attacks in the
last year.
https://www.cybersecuritydive.com/news/alphv-ransomware-bounty/707660/
Financial Firms Expect Big Changes from European Cyber Rules -
Financial firms and their technology suppliers will need to put in a
lot of work to comply with a European cybersecurity law set to take
effect early next year.
https://www.wsj.com/articles/financial-firms-expect-big-changes-from-european-cyber-rules-a72bf791
Feds remove Ubiquiti router botnet used by Russian intelligence -
The FBI dismantled a botnet of several hundred small office/home
office (SOHO) routers that U.S. authorities said was used in large
credential-harvesting campaigns for Russia’s intelligence service.
https://www.scmagazine.com/news/feds-remove-ubiquiti-router-botnet-used-by-russian-intelligence
CYBERSECURITY ATTACKS, INTRUSIONS,
DATA THEFT & LOSS:
Bank of America notifies customers of third-party breach of
‘deferred compensation plans’ - Bank of America (BoA) has sent
notification letters to customers impacted by a third-party breach
that the LockBit ransomware group claimed responsibility for last
fall of BoA business partner Infosys McCamish Systems (IMS).
https://www.scmagazine.com/news/bank-of-america-notifies-customers-of-third-party-breach-of-deferred-compensation-plans
Planet Home Lending notifies customers of LockBit ransomware
incident - News that Planet Home Lending experienced a cyberattack
by the LockBit ransomware group leveraging the Citrix Bleed flaw has
come out in dribs and drabs.
https://www.scmagazine.com/news/planet-home-lending-notifies-customers-of-lockbit-ransomware-incident
Hackers ‘steal your face’ to create deepfakes that rob bank accounts
- An iconic Grateful Dead lyric in the song “He’s Gone” uses what’s
become a catchphrase for many Deadheads: "steal your face." It's so
popular that it’s even on a bumper sticker.
https://www.scmagazine.com/news/hackers-steal-your-face-to-create-deepfakes-that-rob-bank-accounts
U.S. conducted cyberattack on suspected Iranian spy ship - The
covert operation was intended to inhibit the ship’s ability to share
intelligence with Houthi rebels who have been attacking cargo ships
in the Red Sea.
https://www.nbcnews.com/news/investigations/us-conducted-cyberattack-suspected-iranian-spy-ship-rcna138638
Volt Typhoon Hits Multiple Electric Utilities, Expands Cyber
Activity - The portion of China's Volt Typhoon advanced persistent
threat (APT) that focuses on infiltrating operational technology
(OT) networks in critical infrastructure has already performed
reconnaissance and enumeration of multiple US-based electric
companies, while also targeting electric transmission and
distribution organizations in African nations.
https://www.darkreading.com/vulnerabilities-threats/volt-typhoon-hits-multiple-electric-cos-expands-cyber-activity
Southern Water cyberattack expected to hit hundreds of thousands of
customers - Southern Water has admitted between five and ten percent
of its customers had their details stolen from the British utilities
giant during a January cyberattack.
https://www.theregister.com/2024/02/14/southern_water_cyberattack/
Prudential Financial Faces Cybersecurity
Breach - Prudential Financial has disclosed a cybersecurity breach.
Detected on February 5 2024, the breach involved unauthorized access
to certain company systems.
https://www.infosecurity-magazine.com/news/prudential-financial-faces-breach/
Cyberattack Disrupts Production at
Varta Battery Factories - The attack was detected on February 12 and
forced the company to shut down IT systems and disconnect them from
the internet, which caused disruption to production, as well as to
administrative processes.
https://www.securityweek.com/cyberattack-disrupts-production-in-varta-battery-factories/
Ex-Employee’s Admin Credentials Used in US Gov Agency Hack - A
threat actor gained access to a US government organization’s network
using the compromised credentials for a former employee’s
administrative account, the US cybersecurity agency CISA says.
https://www.securityweek.com/ex-employees-admin-credentials-used-in-us-gov-agency-hack/
WEB SITE COMPLIANCE -
We continue covering some of the issues discussed in the "Risk
Management Principles for Electronic Banking" published by the Basel
Committee on Bank Supervision.
While the Board of Directors has the responsibility for ensuring that
appropriate security control processes are in place for e-banking,
the substance of these processes needs special management attention
because of the enhanced security challenges posed by e-banking.
Over the next number of weeks we will cover the principles of
Security Controls.
Board and Management Oversight -
Principle 4: Banks should take appropriate measures to authenticate the
identity and authorization of customers with whom they conduct
business over the Internet. (Part 1 of 2)
It is essential in banking to confirm that a particular
communication, transaction, or access request is legitimate.
Accordingly, banks should use reliable methods for verifying the
identity and authorization of new customers as well as
authenticating the identity and authorization of established
customers seeking to initiate electronic transactions.
Customer verification during account origination is important in
reducing the risk of identity theft, fraudulent account applications
and money laundering. Failure on the part of the bank to adequately
authenticate customers could result in unauthorized individuals
gaining access to e-banking accounts and ultimately financial loss
and reputational damage to the bank through fraud, disclosure of
confidential information or inadvertent involvement in criminal
activity.
Establishing and authenticating an individual's identity and
authorization to access banking systems in a purely electronic open
network environment can be a difficult task. Legitimate user
authorization can be misrepresented through a variety of techniques
generally known as "spoofing." Online hackers can also take over the
session of a legitimate authorized individual through use of a
"sniffer" and carry out activities of a mischievous or criminal
nature. Authentication control processes can in addition be
circumvented through the alteration of authentication databases.
Accordingly, it is critical that banks have formal policy and
procedures identifying appropriate methodology(ies) to ensure that
the bank properly authenticates the identity and authorization of an
individual, agent or system by means that are unique and, as far as
practical, exclude unauthorized individuals or systems. Banks can use
a variety of methods to establish authentication, including PINs,
passwords, smart cards, biometrics, and digital certificates. These
methods can be either single factor or multi-factor (e.g. using both
a password and biometric technology to authenticate). Multi-factor
authentication generally provides stronger assurance.
FFIEC IT SECURITY -
We continue our series on the FFIEC interagency Information
Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
Access Rights Administration (4 of 5)
The access rights process programs the system to allow the users only
the access rights they were granted. Since access rights do not
automatically expire or update, periodic updating and review of
access rights on the system is necessary. Updating should occur when
an individual's business needs for system use changes. Many job
changes can result in an expansion or reduction of access rights.
Job events that would trigger a removal of access rights include
transfers, resignations, and terminations. Institutions should take
particular care to remove promptly the access rights for users who
have remote access privileges, and those who administer the
institution's systems.
Because updating may not always be accurate, periodic review of
user accounts is a good control to test whether the access right
removal processes are functioning, and whether users exist who
should have their rights rescinded or reduced. Financial
institutions should review access rights on a schedule commensurate
with risk.
Access rights to new software and hardware present a unique
problem. Typically, hardware and software are installed with default
users, with at least one default user having full access rights.
Easily obtainable lists of popular software exist that identify the
default users and passwords, enabling anyone with access to the
system to obtain the default user's access. Default user accounts
should either be disabled, or the authentication to the account
should be changed. Additionally, access to these default
accounts should be monitored more closely than other accounts.
Sometimes software installs with a default account that allows
anonymous access. Anonymous access is appropriate, for instance,
where the general public accesses an informational web server.
Systems that allow access to or store sensitive information,
including customer information, should be protected against
anonymous access.
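As an added example (not from the FFIEC booklet or any institution's own tooling), the Python script below performs the periodic review that the preceding paragraphs describe: it reconciles a constructed account export against a constructed HR roster, flags terminated users and users whose rights exceed their current role (escalating remote-access and administrator accounts, which the booklet singles out for prompt removal), flags accounts with no HR record, checks that default accounts are disabled or have had their credentials changed, and flags anonymous accounts that can reach sensitive data. The roster, the accounts, the role-to-rights mapping and the risk-based review intervals are all assumptions made for the example.

```python
"""Periodic access-rights review: reconcile a system's account export
against the HR roster and flag accounts whose rights should be removed
or reduced, plus default and anonymous accounts.

Added example; every name, account and value below is constructed."""
from datetime import date

# Constructed sample: what an HR roster export might look like.
HR_ROSTER = {
    "alice": {"status": "active", "role": "teller"},
    "bob": {"status": "terminated", "role": "sysadmin"},
    "carol": {"status": "transferred", "role": "loan_officer"},
}

# Constructed sample: one row per account present on the reviewed system.
SYSTEM_ACCOUNTS = [
    {"user": "alice", "rights": {"branch_app"}, "remote": False, "enabled": True},
    {"user": "bob", "rights": {"branch_app", "admin"}, "remote": True, "enabled": True},
    {"user": "carol", "rights": {"admin", "loan_app"}, "remote": False, "enabled": True},
    {"user": "dave", "rights": {"branch_app"}, "remote": False, "enabled": True},
    {"user": "admin", "rights": {"admin"}, "remote": False, "enabled": True,
     "default": True, "password_changed": False},
    {"user": "anonymous", "rights": {"customer_db"}, "remote": False, "enabled": True,
     "anonymous": True},
]

# Assumed least-privilege baseline: the rights each job function needs.
ROLE_RIGHTS = {
    "teller": {"branch_app"},
    "sysadmin": {"admin", "branch_app"},
    "loan_officer": {"loan_app"},
}

# Rights that reach sensitive or customer information; anonymous access to
# these is never appropriate.
SENSITIVE_RIGHTS = {"customer_db", "admin"}

# Assumed review schedule "commensurate with risk", in days per risk tier.
REVIEW_INTERVAL_DAYS = {"high": 30, "medium": 90, "low": 365}


def review_access(accounts, roster, role_rights, sensitive_rights=SENSITIVE_RIGHTS):
    """Return (user, priority, reason) findings, highest priority first.

    Remote-access and administrative accounts are escalated to high priority
    so that their removal is handled first."""
    findings = []
    for acct in accounts:
        user, rights = acct["user"], set(acct["rights"])
        priority = "high" if acct.get("remote") or "admin" in rights else "normal"

        if acct.get("anonymous"):
            exposed = rights & sensitive_rights
            if acct["enabled"] and exposed:
                findings.append((user, "high",
                                 f"anonymous access to sensitive resources: {sorted(exposed)}"))
            continue

        if acct.get("default"):
            if acct["enabled"] and not acct.get("password_changed", False):
                findings.append((user, "high",
                                 "default account enabled with unchanged credentials: "
                                 "disable it or change its authentication"))
            continue

        person = roster.get(user)
        if person is None:
            findings.append((user, priority, "no HR record: orphaned account, remove"))
            continue
        if person["status"] in ("terminated", "resigned"):
            findings.append((user, priority, f"{person['status']}: remove all access rights"))
            continue
        # Transfers and other job changes: anything beyond the current role is excess.
        excess = rights - role_rights.get(person["role"], set())
        if excess:
            findings.append((user, priority,
                             f"rights exceed role {person['role']}: reduce {sorted(excess)}"))

    order = {"high": 0, "normal": 1}
    return sorted(findings, key=lambda f: (order[f[1]], f[0]))


def review_overdue(last_review, risk_tier, today):
    """True when the last review (ISO date string) is older than the tier allows."""
    elapsed = date.fromisoformat(today) - date.fromisoformat(last_review)
    return elapsed.days > REVIEW_INTERVAL_DAYS[risk_tier]


if __name__ == "__main__":
    for user, priority, reason in review_access(SYSTEM_ACCOUNTS, HR_ROSTER, ROLE_RIGHTS):
        print(f"[{priority:6}] {user}: {reason}")
    print("high-risk review overdue:", review_overdue("2024-01-01", "high", "2024-02-14"))
```

On the constructed data the review reports five findings: the enabled default `admin` account, the `anonymous` account with a right to `customer_db`, the terminated remote user `bob`, the transferred user `carol` who still holds `admin`, and the orphaned account `dave`, with `alice` passing because her rights match her role. The second function models the "schedule commensurate with risk" point: a high-risk account whose last review is 44 days old is overdue, while a low-risk one is not.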
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -
We continue the series on the National Institute of Standards and
Technology (NIST) Handbook.
Chapter 8 - SECURITY AND PLANNING IN THE COMPUTER SYSTEM LIFE CYCLE
8.4.2.3 Obtaining the System and Related Security Activities
During this phase, the system is actually built or bought. If the
system is being built, security activities may include developing
the system's security aspects, monitoring the development process
itself for security problems, responding to changes, and monitoring
threats. Threats or vulnerabilities that may arise during the
development phase include Trojan horses, incorrect code, poorly
functioning development tools, manipulation of code, and malicious
insiders.
If the system is being acquired off the shelf, security activities
may include monitoring to ensure security is a part of market
surveys, contract solicitation documents, and evaluation of proposed
systems. Many systems use a combination of development and
acquisition. In this case, security activities include both sets.
As the system is built or bought, choices are made about the
system, which can affect security. These choices include selection
of specific off-the-shelf products, finalizing an architecture, or
selecting a processing site or platform. Additional security
analysis will probably be necessary.
In addition to obtaining the system, operational practices need to
be developed. These refer to human activities that take place around
the system such as contingency planning, awareness and training, and
preparing documentation. The chapters in the Operational Controls
section of this handbook discuss these areas. These areas, like
technical specifications, should be considered from the beginning of
the development and acquisition phase.
In federal government contracting, it is often useful if personnel
with security expertise participate as members of the source
selection board to help evaluate the security aspects of proposals.