
Lessons for Banks from the Recent CrowdStrike Outage

 


The recent outage caused by a faulty CrowdStrike update has been a wake-up call for financial institutions: even the security tooling meant to protect systems can take them down. That realisation does not lessen the need for rigorous preparation; if anything, it widens the set of disruptions banks must plan for, from cyberattacks to failures in trusted software.

What Happened with CrowdStrike?

CrowdStrike, a well-known cybersecurity company based in Austin, Texas, recently faced a major issue that caused extensive system crashes. The problem originated from a content update for its Falcon Sensor on Windows hosts that triggered a logic error in the sensor, crashing affected machines with the infamous "Blue Screen of Death" (BSOD). The company later acknowledged that the pre-deployment validation that should have rejected the faulty content did not catch it, so the update reached customers and caused widespread outages.

This incident impacted various organisations, including big names like ICE Mortgage Technology, Fifth Third Bank (with $214 billion in assets), TD Bank, and Canandaigua National Bank in New York, which holds $5 billion in assets.

The Need for Better Planning

Dave Martin, founder of the advisory firm BankMechanics, emphasised that while such events are often discussed in theoretical terms when planning for worst-case scenarios, they can quickly become real, underscoring the urgent need to be well prepared.

According to Martin, this event has likely prompted bank leaders around the world to focus even more on their contingency plans and backup strategies. The fact that one vendor's update affected so many organisations at once shows how far a single point of failure can propagate and how unpredictable such crises can be.

As cybersecurity threats become more common, financial institutions are increasingly focused on their defences. The risks of not being adequately prepared are growing. For example, after a cyberattack in June, Patelco Credit Union in California, which manages $9.6 billion in assets, is now facing multiple lawsuits. These lawsuits claim that the credit union did not properly secure sensitive data, such as Social Security numbers and addresses.

Andrew Retrum, a managing director at Protiviti, a consulting firm specialising in technology risk and resilience, pointed out that while organisations face numerous potential threats, they should focus on creating strong response and recovery strategies for the most likely negative outcomes, like technology failures or site unavailability.

Preparing for Future Cyber Incidents

Experts agree on the importance of having detailed action plans in place to restore operations quickly after a cyber incident. Kim Phan, a partner at Troutman Pepper who specialises in privacy and data security, advises financial institutions to be ready to switch to alternative systems or service providers if necessary. In some cases, this might even mean going back to manual processes to ensure that operations continue smoothly.

Phan also suggests that financial institutions should manage customer expectations, reminding them that the convenience of instant online services is not something that can always be guaranteed.

The CrowdStrike outage is a stark reminder of how unpredictable disruptions can be, whether they come from attackers or from a defective update, and how crucial it is to be prepared. Financial institutions must learn from this incident, regularly updating their security measures and contingency plans. While technology is essential in protecting against cyber threats, having a solid, human-driven response plan is equally important for maintaining security and stability.

By looking at past cyber incidents in the banking sector, we can draw valuable lessons that will help strengthen the industry's overall defences against future attacks.


Major Ransomware Attack Targets Evolve Bank, Impacting Millions

 


Evolve Bank & Trust, an Arkansas-based financial services organisation, confirmed the incident on July 1, shortly after the ransomware gang published on its leak site data it claimed to have stolen in the attack. According to the bank, no ransom was paid, and the data was leaked because of that refusal. 

The bank reported that the attackers exfiltrated personal information of some of its customers, including names, Social Security numbers, bank account numbers and contact details. Evolve has since confirmed that 7.64 million individuals are affected by the breach. 

System outages began at the bank in late May. Officials initially attributed them to a "hardware failure", but an investigation showed they were caused by a cyberattack. Evolve has confirmed that the attackers were inside its network as early as February, leaving months in which sensitive customer data could have been accessed. 

The notification letter filed with the Maine Attorney General, understandably, avoids specifics, but the bank acknowledges the loss of names, Social Security numbers, bank account numbers and contact information. The filing, made on Monday, states that the personal information of 7,640,112 individuals was compromised and that Evolve will provide them with 24 months of credit monitoring and identity protection. 

Also on Monday, Evolve began sending written notifications to the affected individuals, explaining that the ransomware attack occurred on May 29 and that the attackers had had access to its network since at least February. The filing itself does not list the types of data involved, but an earlier statement on the bank's website said the attackers accessed the names, Social Security numbers, bank account numbers and contact information of its personal banking customers, the personal data of Evolve employees, and information belonging to customers of its financial technology partners. 

Several of those partners have spoken. Affirm told customers that the Evolve breach "may have compromised some personal information and data" of its customers. Mercury, which provides fintech services to businesses, said on X that "some account numbers, deposit balances, and business owner names as well as emails" were exposed. 

Wise (formerly TransferWise), the money transfer company, confirmed last week that the confidentiality of some of its customers' personal information may have been affected. Evolve confirmed this week that the intrusion was a ransomware attack by the Russia-linked LockBit group. LockBit's infrastructure was disrupted earlier this year by a multi-government law enforcement operation, but its administrator remains at large. 

Evolve identified the intrusion in May. After the bank refused to pay, LockBit posted the stolen data on its dark web leak site, which has been revived since the takedown. The letter sent to customers says that the attackers accessed and downloaded customer data from a customer database and a file-sharing system between February and May 2024. 

Ransomware-as-a-service (RaaS) groups like LockBit often run misinformation or disinformation campaigns alongside their attacks to sow confusion and maximise impact, so claims made on a leak site should be checked against the victim's own statements before being acted on. The Evolve breach is a reminder that financial institutions need robust security measures to prevent such incidents. 

With open banking platforms multiplying and RaaS attacks a constant, warnings about data security threats keep growing. Institutions need to prioritise data security: strong access controls, encryption of sensitive data, tested incident response protocols, and monitoring able to catch an intruder who, as here, sits inside the network for months.

Singapore Banks Phasing Out OTPs in Favor of Digital Tokens

 


Singapore's banks have issued one-time passwords (OTPs) for account logins for about two decades. That is about to change: in a joint statement on Tuesday (Jul 9), the Monetary Authority of Singapore (MAS) and The Association of Banks in Singapore (ABS) said that, over the next three months, major retail banks will phase out the use of OTPs for account login by customers who have activated a digital token. 

Customers with an activated digital token on their mobile device will use that token to sign in to their accounts, whether through a browser or the mobile banking app. The token authenticates the login on the device itself, so there is no OTP that a scammer can steal or trick a victim into disclosing. MAS and ABS strongly recommend that customers who have not yet activated a digital token do so, as this greatly reduces the chance of their credentials being phished. 

OTPs were introduced in the early 2000s as a second factor to strengthen the security of online transactions. Since then, advances in technology and more sophisticated social engineering have made it easier for scammers to phish OTPs, for example by setting up fake bank websites that closely mimic the real ones and prompt the customer for the code, which the scammer then uses in real time. Phishing has been among the top five scam types in Singapore over the past year, with at least SGD 14.2 million lost to it, according to the Singapore Police Force Annual Scams and Cybercrime Brief 2023 released earlier this year. 

Removing the OTP from the login step strengthens authentication and makes it harder for scammers to gain access to a customer's accounts and funds without the customer's explicit approval on their own mobile device. Loo Siew Yee, MAS Assistant Managing Director (Policy, Payments & Financial Crime), said the measure reflects MAS's continued commitment to decisive action against digital banking fraud, and reminded customers that good cyber hygiene and vigilance in safeguarding their banking credentials remain essential. ABS Director Ong-Ang Ai Boon acknowledged that the change may cause some inconvenience for some customers but said such steps are necessary to prevent scams and protect customers in the long run. 

By phasing out the OTP for digital token users and urging the rest to activate theirs, MAS and ABS aim to create a more secure digital banking environment for customers in Singapore.
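To make the difference concrete, here is an added example (illustrative code written for this page, not MAS, ABS or any bank's implementation) that models both login methods in Python. The OTP function follows RFC 6238 TOTP; the device-bound token is modelled as an HMAC over a bank-issued challenge under a key that never leaves the phone, which is an assumption about how such a token works, not a description of the Singapore banks' actual scheme. The relay function shows why a typed OTP is phishable; the token function shows what a scammer is left with once there is no code to type.

```python
import hashlib
import hmac
import secrets
import struct
from typing import Optional


# --- One-time password (RFC 6238 TOTP): a short code derived from a shared secret.
# The customer reads the code and types it in, so it can just as easily be typed
# into a scammer's fake bank page and forwarded to the real bank.
def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def bank_verify_otp(secret: bytes, submitted: str, unix_time: int) -> bool:
    return hmac.compare_digest(submitted, totp(secret, unix_time))


def otp_relay_attack(secret: bytes, unix_time: int) -> bool:
    """Real-time phishing: the victim types the OTP into the fake page and the
    scammer submits it to the real bank within the same 30-second window."""
    code_typed_into_fake_page = totp(secret, unix_time)   # what the victim sees in SMS/app
    return bank_verify_otp(secret, code_typed_into_fake_page, unix_time)


# --- Device-bound token (an illustrative model, not any bank's actual protocol):
# the bank sends the login attempt to the registered device as a challenge; the
# device shows it to the customer and, only if approved, answers with a MAC under
# a key that never leaves the device. There is no code for the customer to type.
def bank_issue_challenge(session_id: bytes) -> bytes:
    return secrets.token_bytes(16) + session_id


def device_approve(device_key: bytes, challenge: bytes, customer_approves: bool) -> Optional[bytes]:
    if not customer_approves:
        return None
    return hmac.new(device_key, challenge, hashlib.sha256).digest()


def bank_verify_token(device_key: bytes, challenge: bytes, response: Optional[bytes]) -> bool:
    if response is None:
        return False
    expected = hmac.new(device_key, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(response, expected)


def token_phishing_attempt(device_key: bytes, victim_approves: bool) -> bool:
    """The scammer already holds the victim's username and password and starts a
    login. The challenge goes to the victim's device, not to the scammer, who has
    nothing to forward. The one remaining path is to talk the victim into approving
    a login they did not start, which is why the token app shows the login details
    and why customers are still told to stay vigilant."""
    challenge = bank_issue_challenge(session_id=b"scammer-browser-session")
    response = device_approve(device_key, challenge, victim_approves)
    return bank_verify_token(device_key, challenge, response)


if __name__ == "__main__":
    print("OTP relayed by scammer accepted:", otp_relay_attack(b"shared-seed", 1_700_000_000))
    print("Token login without victim approval:", token_phishing_attempt(b"device-key", False))
```

The caveat the model makes visible: the token removes the transferable secret, but it does not remove the customer from the loop. A scammer who already holds the password can still trigger a login prompt on the victim's phone, so the remaining attack is social (persuading the victim to tap approve), and the prompt must show enough detail for the customer to refuse it.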

Enhancing Cybersecurity: Automated Vulnerability Detection and Red Team Exercises with Validation Scans



In today's digital age, cybersecurity has become a top priority for organizations of all sizes. The ever-evolving landscape of cyber threats necessitates robust and comprehensive approaches to identifying and mitigating vulnerabilities.

Two effective methods in this domain are automated vulnerability detection and red team exercises. This article explores how these methods work together, the process of recording identified vulnerabilities, and the crucial role of human analysts in prioritizing them.

Automated Vulnerability Detection:

Automated vulnerability detection tools are designed to scan systems, networks, and applications for known vulnerabilities. They rely on databases of known weaknesses (CVEs, insecure configurations, outdated software versions) and apply a range of scanning techniques to find them. The benefits of automated detection include:

1. Speed and Efficiency: Automated tools can scan large estates quickly, significantly reducing the time needed to identify vulnerabilities.

2. Consistency: Every scan runs the same checks in the same way, so coverage does not depend on who is performing it and the results are comparable over time.

3. Continuous Monitoring: Many automated tools offer continuous monitoring, allowing organizations to detect newly exposed vulnerabilities close to real time.

However, automated tools have limitations. They find only what their signatures describe, so novel issues, business-logic flaws and chained weaknesses are missed, and false positives can consume analyst time and effort.


Red Team Exercises:


Red team exercises involve ethical hackers, known as red teams, who simulate real-world cyber attacks on an organization's systems. These exercises aim to uncover vulnerabilities that automated tools might miss and provide a realistic assessment of the organization's security posture. The advantages of red team exercises include:

1. Real-World Scenarios: Red teams use the same tactics, techniques, and procedures as malicious hackers, providing a realistic assessment of the organization's defenses.

2. Human Ingenuity: Human testers can think creatively and adapt to different situations, identifying complex and hidden vulnerabilities.

3. Comprehensive Assessment: Red team exercises often reveal vulnerabilities in processes, people, and technologies that automated tools might overlook.

Recording and Prioritizing Vulnerabilities:

Once vulnerabilities are identified through automated tools or red team exercises, they need to be meticulously recorded and managed. This is typically done using a bugtrack Excel sheet, which includes details such as the vulnerability description, severity, affected systems, and potential impact.

The recorded vulnerabilities are then reviewed by human analysts who prioritize them based on their severity and potential impact on the organization.

This prioritization is crucial for effective vulnerability management, as it ensures that the most critical issues are addressed first. The analysts categorize vulnerabilities into three main levels:

1. High: These vulnerabilities pose a significant risk and require immediate attention. They could lead to severe data breaches or system compromises if exploited.

2. Medium: These vulnerabilities are less critical but still pose a risk that should be addressed promptly.

3. Low: These vulnerabilities are minor and can be addressed as resources allow.

Machine-Readable Vulnerability Reports and Automated Validation:

Once the vulnerabilities are prioritised and added to the bugtrack, it is essential to provide customers with the information in a machine-readable format. This enables seamless integration with their existing systems and allows for automated processing. The steps involved are:

1. Machine-Readable Format: The bugtrack data is converted into formats such as JSON or XML which can be easily read and processed by machines.

2. Customer Integration: Customers can integrate these machine-readable reports into their security information and event management (SIEM) systems or other security tools to streamline vulnerability management and remediation workflows.

3. Automated Remediation and Validation: After fixing a vulnerability, customers validate the fix automatically by re-scanning with a check written specifically for that finding: a YAML template added to the vulnerability scanner that reproduces the original detection. The scanner's output is then analysed to see whether the vulnerability still matches or has been fixed.

Network and Application Vulnerability Revalidation:

For network-level vulnerabilities, revalidation can be done with Security Content Automation Protocol (SCAP) content, which checks patch level and configuration state, or by automating the check with YAML-based scanners such as Nuclei.

These tools can efficiently verify that the identified network vulnerabilities have been patched and no longer pose a risk.

For application-level vulnerabilities, SCAP is not suitable, because it describes configuration and patch state rather than application behaviour. Instead, the bugtrack system should be able to revalidate findings using YAML/Nuclei templates, or validation scripts built with tools such as the Burp Suite Replicator extension, which replays the tester's proof-of-concept request and reports whether the issue still reproduces. These methods are more effective for confirming that application vulnerabilities have been properly addressed.
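Putting the machine-readable export, the YAML revalidation templates and the output analysis together, here is an added Python example (not DARWIS code; the bugtrack field names and the sample records are constructed for this page). It turns each bugtrack record into a Nuclei HTTP template whose matcher reproduces the evidence captured at discovery time, then reads the `nuclei -jsonl` output of the rescan and marks each finding open or fixed.

```python
import json
from typing import Dict, List

# Constructed sample of a bugtrack export in JSON, i.e. the machine-readable form
# of the sheet. The field names are assumptions for this example, not a DARWIS schema.
BUGTRACK: List[dict] = [
    {"id": "BT-001", "severity": "high", "title": "Path traversal in /download",
     "target": "https://app.example.test",
     "check": {"path": "/download?file=../../../etc/passwd", "status": 200,
               "part": "body", "words": ["root:x:0:0"]}},
    {"id": "BT-002", "severity": "low", "title": "Directory listing at /backup/",
     "target": "https://app.example.test",
     "check": {"path": "/backup/", "status": 200,
               "part": "body", "words": ["Index of /backup"]}},
]


def template_id(record: dict) -> str:
    # Nuclei template ids are lowercase alphanumerics with dashes, e.g. bt-001
    return record["id"].lower()


def to_nuclei_template(record: dict) -> str:
    """Render one bugtrack record as a Nuclei HTTP template that matches only while
    the evidence recorded at discovery time (status code plus body words) is present."""
    chk = record["check"]
    words = "\n".join(f"          - {json.dumps(w)}" for w in chk["words"])
    return (
        f"id: {template_id(record)}\n"
        f"\n"
        f"info:\n"
        f"  name: {json.dumps(record['title'])}\n"
        f"  author: bugtrack-export\n"
        f"  severity: {record['severity']}\n"
        f"  tags: revalidation\n"
        f"\n"
        f"http:\n"
        f"  - method: GET\n"
        f"    path:\n"
        f"      - \"{{{{BaseURL}}}}{chk['path']}\"\n"
        f"    matchers-condition: and\n"
        f"    matchers:\n"
        f"      - type: status\n"
        f"        status:\n"
        f"          - {chk['status']}\n"
        f"      - type: word\n"
        f"        part: {chk['part']}\n"
        f"        words:\n"
        f"{words}\n"
    )


def triage_rescan(bugtrack: List[dict], nuclei_jsonl: str) -> Dict[str, str]:
    """Map each bugtrack id to 'open' if the rescan still matched its template,
    otherwise 'fixed'. Input is the one-result-per-line output of `nuclei -jsonl`."""
    still_matching = set()
    for line in nuclei_jsonl.splitlines():
        if line.strip():
            still_matching.add(json.loads(line)["template-id"])
    return {rec["id"]: ("open" if template_id(rec) in still_matching else "fixed")
            for rec in bugtrack}


# Constructed `nuclei -jsonl` output for the rescan: BT-001 still matches, BT-002 does not.
SAMPLE_RESCAN_OUTPUT = json.dumps({
    "template-id": "bt-001", "type": "http",
    "host": "https://app.example.test",
    "matched-at": "https://app.example.test/download?file=../../../etc/passwd",
    "info": {"name": "Path traversal in /download", "severity": "high"},
}) + "\n"


if __name__ == "__main__":
    for rec in BUGTRACK:
        print(to_nuclei_template(rec))
    print(triage_rescan(BUGTRACK, SAMPLE_RESCAN_OUTPUT))  # {'BT-001': 'open', 'BT-002': 'fixed'}
```

Write the generated templates to a directory and run them with `nuclei -t revalidation/ -u https://app.example.test -jsonl -o rescan.jsonl`, then feed the file to `triage_rescan`. Two cautions apply before anyone closes a ticket: a template that did not match is "fixed" only if the scan actually reached the target (a host that was down or a WAF that blocked the scanner produces the same silence), and the matcher must stay as narrow as the original evidence, otherwise a cosmetic change on the page will read as a fix.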

Conclusion:

Combining automated vulnerability detection with red team exercises provides a comprehensive approach to identifying and mitigating security threats.  Automated tools offer speed and consistency, while red teams bring creativity and real-world testing scenarios. Recording identified vulnerabilities in a bugtrack Excel sheet, providing machine-readable reports, and validating fixes through automated methods ensure that resources are effectively allocated to address the most pressing security issues.

By leveraging these methods, organizations can enhance their cybersecurity posture, protect sensitive data, and mitigate the risk of cyber attacks. As the threat landscape continues to evolve, staying proactive and vigilant in vulnerability management will remain essential for safeguarding digital assets.

Vulnerability tracking with machine-readable export and automated revalidation, as described above, has been implemented in the DARWIS VM module.

-----------
Suriya Prakash & Sabari Selvan
CySecurity Corp 
www.cysecuritycorp.com

Case Study: Implementing an Anti-Phishing Product and Take-Down Strategy


Introduction:

Phishing attacks have become one of the most prevalent cybersecurity threats, targeting individuals and organizations to steal sensitive information such as login credentials, financial data, and personal information. To combat this growing threat, a comprehensive approach involving the deployment of an anti-phishing product and an efficient take-down strategy is essential.

This case study outlines a generic framework for implementing such measures, with a focus on regulatory requirements mandating the use of locally sourced solutions and ensuring proper validation before take-down actions.


Challenge:

Organizations across various sectors, including finance, healthcare, and e-commerce, face persistent phishing threats that compromise data security and lead to financial losses. The primary challenge is to develop and implement a solution that can detect, prevent, and mitigate phishing attacks effectively while complying with regulatory requirements to use locally sourced cybersecurity products, and ensuring that take-down actions are executed only when the organization itself is being phished or impersonated.


Objectives:

1. Develop an advanced anti-phishing product with real-time detection and response capabilities.

2. Establish a rapid and effective take-down process for phishing websites.

3. Ensure the anti-phishing product is sourced from a local provider to meet regulatory requirements.

4. Implement a policy where take-down actions are only taken when the organization itself is being phished or impersonated.


Solution:

A multi-faceted approach combining technology, processes, and education was adopted to address the phishing threat comprehensively.


1. Anti-Phishing Product Development

An advanced anti-phishing product from a local cybersecurity provider was developed with the following key features:

- Real-time Monitoring and Detection: Utilizing AI and machine learning algorithms to monitor email traffic, websites, and network activity for phishing indicators.

- Threat Intelligence Integration: Incorporating global threat intelligence feeds to stay updated on new phishing tactics and campaigns.

- Automated Detection of Brand Violations: Implementing capabilities to automatically detect the use of logos, brand names, and other identifiers indicative of phishing activities.

- Automated Response Mechanisms: Implementing automated systems to block phishing emails and malicious websites at the network level, while flagging suspicious sites for further review.

- User Alerts and Guidance: Providing immediate alerts to users when suspicious activities are detected, along with guidance on how to respond.


2. Phishing Website Take-Down Strategy

We developed a proactive approach to swiftly take down phishing websites, ensuring a balance between automation and human oversight, and validating the phishing activity before take-down:

- Rapid Detection Systems: Leveraging real-time monitoring tools to quickly identify phishing websites, especially those violating brand identities.

- Collaboration with ISPs and Hosting Providers:

Establishing partnerships with internet service providers and hosting companies to expedite the take-down process.

- Human Review Process and Validation of Phishing Activity:

Ensuring that no site is taken down without a human review that verifies the phishing activity, preventing erroneous take-downs of legitimate sites (and wrongful rejections of genuine reports).

- Legal Measures:

Employing legal actions such as cease-and-desist letters to combat persistent phishing sites.

- Dedicated Incident Response Team:

Forming a specialized team to handle take-down requests and ensure timely removal of malicious sites, following human verification.
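As an added illustration of the brand-violation detection and the human-review gate described above (example code written for this page, not the product in the case study), the Python below scores newly seen domains against a brand name, folding common lookalike characters and typosquats, and only ever emits "review" or "ignore". Escalation to a take-down is a separate step that requires a named analyst and captured evidence. The brand, the domain feed and the substitution table are constructed.

```python
from typing import Dict, List, Set

# Character substitutions scammers use to imitate a brand name (small table for the example).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "@": "a", "$": "s"})
DIGRAPHS = {"rn": "m", "vv": "w", "cl": "d"}


def normalise(label: str) -> str:
    """Fold common lookalike spellings onto plain letters so 'exarnp1ebank' reads as 'examplebank'."""
    label = label.lower().translate(CONFUSABLES)
    for pair, letter in DIGRAPHS.items():
        label = label.replace(pair, letter)
    return label.replace("-", "")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, for catching typosquats such as 'examplebnk'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def score_domain(domain: str, brand: str, owned: Set[str]) -> Dict[str, str]:
    """Classify one newly seen domain. The result is 'review' or 'ignore', never
    'takedown': escalation needs a human (see request_takedown)."""
    domain = domain.lower().rstrip(".")
    if domain in owned or any(domain.endswith("." + o) for o in owned):
        return {"domain": domain, "verdict": "ignore", "reason": "organisation's own domain"}
    labels = domain.split(".")[:-1]             # drop the TLD
    candidates = labels + (["".join(labels)] if len(labels) > 1 else [])
    brand_n = normalise(brand)
    for label in candidates:
        norm = normalise(label)
        if norm == brand_n:
            return {"domain": domain, "verdict": "review", "reason": "brand name in lookalike characters"}
        if brand_n in norm:
            return {"domain": domain, "verdict": "review", "reason": "brand name embedded in domain"}
        if edit_distance(norm, brand_n) <= 2:
            return {"domain": domain, "verdict": "review", "reason": "within two edits of brand name"}
    return {"domain": domain, "verdict": "ignore", "reason": "no brand match"}


def triage_feed(feed: List[str], brand: str, owned: Set[str]) -> List[Dict[str, str]]:
    return [score_domain(d, brand, owned) for d in feed]


def request_takedown(record: Dict[str, str], analyst: str, evidence_url: str) -> Dict[str, str]:
    """Only a reviewed candidate, with a named analyst and captured evidence of the
    phishing page, can be escalated to the hosting provider or registrar."""
    if record["verdict"] != "review":
        raise ValueError("take-down requires a human-reviewed candidate")
    if not analyst or not evidence_url:
        raise ValueError("take-down requires analyst name and evidence")
    return {**record, "verdict": "takedown", "confirmed_by": analyst, "evidence": evidence_url}


# Constructed feed of newly observed domains (e.g. from certificate transparency logs).
FEED = ["examplebank.com", "examp1ebank-login.com", "exarnplebank.net", "examplebnk.com", "weather-report.org"]

if __name__ == "__main__":
    for r in triage_feed(FEED, "examplebank", {"examplebank.com"}):
        print(r)
```

The scoring is deliberately generous (it will flag the bank's own marketing agency registering a campaign domain), which is exactly why the verdict stops at "review": the cost of a false positive is an analyst's ten minutes, while the cost of an automated false take-down is a legitimate site going dark.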


Results:

1. Reduction in Phishing Incidents: Organizations reported a significant decrease in successful phishing attempts due to the enhanced detection and response capabilities of the locally sourced anti-phishing product.

2. Efficient Phishing Site Take-Downs:

The majority of reported phishing websites were taken down within 24 hours, following human review and validation of phishing activity, minimizing the potential impact of phishing attacks.


Conclusion:

The implementation of an advanced, locally sourced anti-phishing product, combined with a robust take-down strategy and comprehensive educational initiatives, significantly enhances the cybersecurity posture of organizations. By adopting a multi-faceted approach that leverages technology, collaborative efforts, and user education, while ensuring compliance with regulatory requirements to use local solutions and validating phishing activity before take-down actions, organizations can effectively mitigate the risks posed by phishing attacks. This case study underscores the importance of an integrated strategy, ensuring automated systems are complemented by human oversight, in protecting against the ever-evolving threat of phishing.


By

Suriya Prakash & Sabari Selvan

CySecurity Corp

Enhancing API Security: CSPF's Contribution to Wallarm's Open-Source Project

 

In the ever-evolving landscape of digital security, the Cyber Security & Privacy Foundation (CSPF) remains a beacon of innovation and support. Our mission extends beyond mere advocacy for cybersecurity; we actively enhance the tools that fortify our digital world. A testament to this commitment is our recent focus on Wallarm's API Firewall, a robust tool designed to protect APIs from emerging cyber threats. 
 
Our journey with Wallarm's API Firewall began with a simple yet powerful intention: to make this tool not just effective but also adaptable to the stringent requirements of B2B and high-security environments. In doing so, we embarked on a path that not only led us to add new functionalities but also to discover and rectify hidden vulnerabilities. 
 
Introducing the AllowedIPList Feature and Addressing the Denylist Bug 
 
The new feature we introduced, the AllowedIPList, restricts API access to specific, pre-approved IP addresses, an essential requirement for secure business-to-business communications and high-security domains. With it, only authorised machines can reach the API at all, which removes a large part of the exposed surface before any request-level checks run. 
 
While working on this, we encountered a critical bug in the existing Denylist feature. The Denylist is designed to block requests that carry certain compromised keys, cookies or tokens. Because of an error in its cache implementation, entries shorter than 53 characters were not added to the Denylist, so requests carrying them were never blocked. This was particularly concerning for short tokens, which are common in HTTP basic authentication and cookies. 
 
Our team promptly addressed this issue, ensuring that the Denylist works as intended regardless of entry length. The resolution of this bug, alongside the implementation of the AllowedIPList, marked a significant enhancement in the API Firewall's security capabilities. 
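To show what these two controls need to get right, here is an added Python model (illustrative code for this page, not Wallarm's Go implementation) of an IP allowlist with CIDR support, the X-Forwarded-For handling that has to go with it, and an exact-match denylist exercised with both a 2-character and a 64-character revoked key. Addresses, keys and requests are constructed.

```python
import ipaddress
from typing import Iterable, Optional


class AllowedIPList:
    """Permit API calls only from pre-approved addresses or CIDR ranges."""

    def __init__(self, entries: Iterable[str]):
        self.networks = [ipaddress.ip_network(e, strict=False) for e in entries]

    def allows(self, ip: str) -> bool:
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:           # malformed address never passes
            return False
        return any(addr in net for net in self.networks)


def client_ip(peer_ip: str, x_forwarded_for: Optional[str], trusted_proxies: AllowedIPList) -> str:
    """Use X-Forwarded-For only when the TCP peer is a trusted proxy; otherwise the
    header is attacker-controlled and the peer address is the only reliable source.
    With one trusted proxy, the last entry is the address that proxy itself saw."""
    if x_forwarded_for and trusted_proxies.allows(peer_ip):
        return x_forwarded_for.split(",")[-1].strip()
    return peer_ip


class Denylist:
    """Exact-match block list of revoked keys, cookies or tokens. Membership must
    not depend on entry length: a 2-character key and a 64-character one block alike."""

    def __init__(self, entries: Iterable[str]):
        self.entries = {e.strip() for e in entries if e.strip()}

    def blocks(self, credential: str) -> bool:
        return credential in self.entries


def authorise(request: dict, allowed: AllowedIPList, trusted_proxies: AllowedIPList, denied: Denylist) -> str:
    ip = client_ip(request["peer_ip"], request.get("x_forwarded_for"), trusted_proxies)
    if not allowed.allows(ip):
        return "deny: source address not on AllowedIPList"
    if denied.blocks(request.get("api_key", "")):
        return "deny: revoked credential"
    return "allow"


# Constructed configuration and requests for the example (documentation address ranges).
ALLOWED = AllowedIPList(["203.0.113.0/24", "2001:db8::/32"])
PROXIES = AllowedIPList(["10.0.0.2"])
DENIED = Denylist(["k7", "a" * 64])

REQUESTS = [
    {"peer_ip": "203.0.113.10", "api_key": "valid-key"},                                    # allow
    {"peer_ip": "198.51.100.7", "x_forwarded_for": "203.0.113.10", "api_key": "valid-key"},  # spoofed XFF: deny
    {"peer_ip": "10.0.0.2", "x_forwarded_for": "203.0.113.10", "api_key": "valid-key"},      # via trusted proxy: allow
    {"peer_ip": "203.0.113.10", "api_key": "k7"},                                           # short revoked key: deny
    {"peer_ip": "203.0.113.10", "api_key": "a" * 64},                                       # long revoked key: deny
]

if __name__ == "__main__":
    for req in REQUESTS:
        print(req["peer_ip"], "->", authorise(req, ALLOWED, PROXIES, DENIED))
```

The second request is the one an allowlist most often gets wrong in practice: an attacker outside the allowed range simply sends X-Forwarded-For with an allowed address, and a firewall that trusts the header from any peer lets it through. The last two requests are the regression test the Denylist bug called for, one entry well under 53 characters and one well over.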
 
The Broader Impact of Open-Source Contributions 
 
This initiative underscores the importance of not just using open-source software but actively contributing to it. While the immediate financial returns might be non-evident, such contributions lead to a more secure and robust digital ecosystem. It is through diverse collaboration and multiple perspectives that we can uncover and rectify latent vulnerabilities. 

Link - 

https://github.com/CSPF-Founder/api-firewall/tree/main
 
Founder & TechCore Team
Cyber Security and Privacy Foundation
https://github.com/CSPF-Founder/

Security Issue in Banking Applications?

Recently, we tested a mobile application of a BFSI platform, which allowed the organization's employees to view and interact with new customer leads. 

The mobile app had a password-based authentication system, with the username being the mobile number of the user. We identified a major weakness in this mobile app. The app allows a user to reset the password if they can prove themselves via an OTP. When the 'forgot password' button is pressed, the user is sent to a page where they are prompted to enter an OTP. The OTP is sent to the phone number, and if the wrong OTP is entered, the server responds with `{"OTP":"Failure"}`. While this seems to have been implemented properly, we tried to change the server response by conducting an MITM. We changed the response from the server to `{"OTP":"Success"}`. This redirection led us to the password change screen, where we were prompted to enter a new password. 

Initially, we believed this was only a visual bug and that the password reset would fail. However, we soon discovered that the password reset page itself does not check the OTP, and there is no session to track the successful OTP. This means any attacker can take the password change request, replace the phone number, and change the password of any other user (phone number). In simple terms, the OTP verification and the password reset page are not connected. The password reset API call did not have any verification or authentication to ensure only the correct user can change the password. 

This reveals how BFSI developers, when asked to build an app, often create the requested features without considering any security architecture. These apps are usually rushed, and only the positive/happy paths are checked. Security testing and architecture are often considered only as an afterthought. Unless BFSI incorporates security architecture into the development stage itself, such vulnerabilities will continue to emerge.  

By
Suriya Prakash
Head DARWIS 
CySecurity Corp

Tips for Banks to Prevent Data Breaches Through Phishing Education


Despite rapid advances in technology, phishing remains one of the most common cybersecurity hazards. According to recent studies, phishing losses in the US alone were $52 million.

A lack of proper cybersecurity awareness is one reason phishing attacks are escalating at a concerning rate. While many financial institutions recognise the importance of cybersecurity, they fail to educate their employees about it. 

Here are some ideas that can help banks thwart phishing attempts and safeguard the information of their customers and employees:

Focus on Behavioral Change

The majority of banks use a similar approach for their cybersecurity training programs: they put all of their non-technical staff in a room, have the security team present a few slides of breach statistics, and attempt to scare them into acting accordingly.

It goes without saying that this strategy is ineffective. It is time for banks to start seeing their staff as a bulwark against phishing attempts rather than as a risk.

One way to do this is for banks to change their employees’ behaviors under stress, rather than threatening them by making them aware of the stressful situations. For example, instead of showing them the malicious emails, they must be educated on the right measure they must follow to identify such emails. 

A bank can also do this by running simulations in which an employee is free to make mistakes and learn from them. This way, an employee can judge their own actions and receive instant feedback in a safe environment, so that an actual breach is not the only time the employee receives feedback.

Employees can view learning paths and review progress on simulation platforms. The skills of a technical employee will differ greatly from those of a non-technical person. The way forward is to provide positive feedback throughout and to customize learning routes.

Install Security as a Founding Principle

For most banks, the importance of security is communicated with a negative attitude. They draw attention to the possibility of a breach, the harm to the bank's reputation, and the possible consequences for an employee's career should they fall prey to phishing scams.

When a worker receives a phony email from someone posing as their manager, these intimidation techniques are ineffective. Because they trust the manager's persona, employees are unlikely to refuse a request that appears to come from that person. Rather, banks ought to embrace a proactive stance and integrate security into their overall brand.

For example, rather than attempting to scare employees out of clicking harmful links, banks should introduce procedures that let an employee quickly determine whether an email is a phishing attempt. Giving them access to an automated tool or having a security guard on duty are excellent choices.

Policies ranging from shredding and discarding important documents in secure bins to everyday cybersecurity practices are essential. Employees must be reminded that the work they do is in fact critical and that their actions do matter.

Set Communication Templates

Bank personnel use email, which is rich in data, to communicate with a variety of stakeholders. Malicious actors exploit this by impersonating someone else and deceiving workers into downloading malware.

Informing staff members of appropriate communication styles and methods is one way to avoid situations like this one. Establishing a communication template, for example, will enable staff members to quickly spot emails that depart from the standard.

External actors are unlikely to be familiar with internal communication templates, so they will likely send emails in a form that staff easily recognize as non-compliant. Although putting such a procedure in place may sound oppressive, it is the most effective technique to help staff see through a false identity.

For instance, the majority of staff members will click on an email from the bank's CEO right away. They will look past the CEO persona, though, if they see that the communication format is incorrect. With their attention thus engaged, employees are less likely to click on a link that could be harmful.

These templates are ingrained in the company's culture, and how banks convey their significance will determine a lot. Once more, a fear-based strategy rarely succeeds. Banks need to consider effective ways to enforce them.  

French Cybercriminals Opera1er Stole up to $30m from Banks

 

Based on a new report published by cybersecurity firm Group-IB, a French-speaking cybercrime group may have stolen more than $30 million from banks and other types of organizations in recent years. 

Group-IB has identified the threat actor as Opera1er. Others have previously investigated some of its activities, naming it Common Raven, Desktop-Group, and NXSMS. The cybersecurity firm is aware of 30 successful attacks carried out between 2019 and 2021, with many of the victims being attacked multiple times. 

The majority of the attacks targeted African banks, but victims also included financial services, mobile banking services, and telecommunications companies. Victims were discovered in 15 countries across Africa, Latin America, and Asia.

Group-IB has confirmed the theft of $11 million from victims since 2019, but believes the cybercriminals may have stolen more than $30 million. The typical Opera1er attack begins with a spear-phishing email sent to a small number of people within the targeted organisation. Access to domain controllers and banking back-office systems is the goal.

The hackers waited 3-12 months after gaining access to an organization's systems before stealing money. The cybercriminals used the banking infrastructure in the final phase of the operation to transfer money from bank customers to mule accounts, from which it was withdrawn at ATMs by money mules, typically on weekends and public holidays.

“In at least two banks, Opera1er got access to the SWIFT messaging interface,” Group-IB explained. “In one incident, the hackers obtained access to an SMS server which could be used to bypass anti-fraud or to cash out money via payment systems or mobile banking systems. In another incident, Opera1er used an antivirus update server which was deployed in the infrastructure as a pivoting point.”

There do not appear to be any zero-day vulnerabilities or custom malware used by Opera1er. They have exploited old software flaws as well as widely available malware and tools. According to Group-IB's analysis, the majority of the attackers' emails were written in French, and their English and Russian are "quite poor."

Reserve Bank Stress Tests Simulate Stagflation


As part of the latest Reserve Bank solvency stress test, New Zealand banks were asked to take a cyberattack into account for the first time. Despite a severe stagflation-like scenario, the Reserve Bank says most firms would be able to keep functioning, although they would have to raise fresh capital, limit dividends, and cut expenses to do so.

The stagflation scenario considered in the model features high inflation, rising interest rates, and a severe recession that drives a surging unemployment rate. It is the first time since 2014 that the Reserve Bank has conducted a stress test with high interest rates.

Banks included in the annual stress test were ANZ NZ, ASB, BNZ, Westpac NZ, Kiwibank, Heartland Bank, TSB, ICBC, and Bank of China. They received instructions from the Reserve Bank in April. 

The scenario assumed a Consumer Price Index inflation rate of 6% for the NZ economy. This was below the 7.2% Statistics NZ reported in the current year, as well as the 6.9% it reported in May for the March quarter.

As part of the scenario, the Reserve Bank also raised the Official Cash Rate (OCR) from just 1% – the rate at that time – to 3% by 2022. Currently, the OCR stands at 3.5%, and it is expected to increase to at least 4% on November 23, 2022, when it will be reviewed for the last time this year. Another significant element of the scenario is a sell-off of the NZ dollar, which adds to imported inflation and has also been occurring this year.

For the first time, the Reserve Bank incorporated a specific cyber risk event into the stress test administered to participating banks in 2022. Over the course of the scenario, this event resulted in 1.3 billion dollars in aggregate costs.

In addition to considering how a cyberattack would impact their business, this year's solvency stress test also asked banks to consider how low the likelihood of such an attack is: the scenario is a one-in-25-year cyber risk event that could threaten the general banking system.

To tackle this challenge, banks have come up with several strategies, such as modeling the impacts of different scenarios. These include distributed denial of service attacks, attacks that lock banks out of critical infrastructure, kill chain malware, ransomware, and other threats. These attacks are modeled to last for at least one to two months in the event of a significant attack.

The estimated losses from each event therefore vary, based on the benchmark and the bank's operational risk at the time. Companies lose money for an assortment of reasons, including customer reimbursements, consultancy and legal fees, business losses, technology upgrades, and communications and media expenses, according to the Reserve Bank of Australia.

Banks should be aware that multiple risks can crystallize and need to be managed during economic downturns, the Reserve Bank emphasizes. The Reserve Bank also said, "this is even though the aggregate cost of the cyber risk event was small compared with impairment expenses in this stress test. Our understanding of banks' handling and quantification of cyber-risk stress events was enhanced by the exercise."

Last week, in an interview with interest.co.NZ, ANZ NZ CEO Antonia Watson told the website that attackers strive "all the time" to penetrate the bank's security system. 

According to Watson, "This is one of the things you cannot do anything about since there will always be someone who will find some way of finding a backdoor."

Cyberattacks can happen to organizations of all sizes, which is why it plays a crucial role in our risk management strategy as a business. Because of that, it is one of the key risks that we see as a business. This is why we invest so much money to help educate our customers regarding these types of attacks.

Ross McEwan, CEO of National Australia Bank, the parent company of BNZ, revealed last week that NAB's digital channels receive approximately 50 million attacks every month. He further noted that this, along with the recent cyberattack on Optus in Australia, is what keeps CEOs awake at night.

The scenario

The stress test scenario for the NZ economy has the following features:

• House prices fall 42% (47% from their peak in November 2021).

• Equity prices fall 38% from December 2021 levels (42% over the past year).

• The unemployment rate rises from 3.3% to 9.3%.

• Gross domestic product declines by 5% during the recession.

• The OCR peaks at 5.5% and the 2-year mortgage rate peaks at 8.4% (the average bank 2-year rate at the moment is 5.8%, but the big five banks all have rates above 6%).

• Banks must also take into account and model a cyber-risk event that occurs once every 25 years.

According to the Reserve Bank, a scenario like this could generate aggregate impairment expenses for banks of $20.8 billion over four years, far higher than the $1.7 billion incurred from the COVID-19 pandemic over the last four years. Banks fall into the red in the second year of the four-year stress test.

During the stress test, the aggregate common equity Tier 1 ratio fell by 3.3 percentage points to a minimum of 8.9% before mitigation, well above the regulatory minimum of 4.5%, as shown in Figure 1 [below].

According to the Reserve Bank of Australia's report on its 2022 stress testing program, this annual solvency stress test was one part of the program for 2022, which also included a liquidity stress test and a test of whether the residential mortgage portfolio is sensitive to flooding risk. The Reserve Bank will present a summary of the "high-level results" in these two areas as part of its Financial Stability Report released on Wednesday.

The Reserve Bank describes the solvency stress test as predominantly a bottom-up exercise, in which banks use their own models, sometimes on a loan-by-loan basis, to estimate the impact of the Reserve Bank's specified scenario on their future capital ratios.

When releasing the instructions and templates for the solvency stress test, the Reserve Bank noted that this is the first time they have been published publicly.

Data of SBI & 17 Other Bank Customers at Risk

 

A new version of the Drinik malware has been discovered, putting the data of 18 banks' customers at risk. According to Cyble analysts (via BleepingComputer), the malware has evolved into an Android trojan capable of stealing sensitive personal information and banking credentials.

Drinik is a banking malware that has been plaguing the industry since 2016. It used to be an SMS stealer, but it now has banking trojan features – capable of screen recording, keylogging, abusing Accessibility services, and performing overlay attacks in its new form. According to the report, the most recent version of Drinik malware is in the form of an APK called iAssist.

iAssist purports to be the official tax management tool of the Indian Income Tax Department. When installed on a device, the APK requests permission to read, receive, and send SMS messages, as well as to read the user's call log. It also requests read and write access to external storage.

Drinik, like other banking trojans, makes use of Accessibility Service. After launching, the malware requests permissions from the victim, followed by a request to enable Accessibility Service. It then disables Google Play Protect and begins performing auto-gestures and key presses.

Instead of displaying fake phishing pages, it then loads the genuine Indian income tax website. The malware will display an authentication screen for biometric verification before showing the victim the login page. When the victim enters a PIN, the malware records the screen using MediaProjection and captures keystrokes to steal the biometric PIN. The stolen information is then sent to the C&C server.

Concerningly, in the most recent version of Drinik, the threat actor (TA) only targets victims with legitimate income tax site accounts. When the victim successfully logs into the account, a fake dialogue box appears on the screen with the following message: "Our database indicates that you are eligible for an instant tax refund of ₹57,100 – from your previous tax miscalculations till date. Click Apply to apply for instant refund and receive your refund in your registered bank account in minutes."

When the user clicks the Apply button, they are redirected to a phishing website. The malware then requests personal information such as full name, Aadhaar number, PAN number, and other details, as well as financial information such as account number and credit card number.

To target banks, Drinik monitors Accessibility Service events related to the targeted banking apps. It abuses the "CallScreeningService" to disable incoming calls while it disrupts the login and steals data. According to the report, the malware targets the customers of 18 banks, including SBI.

Octo: A New Malware Strain that Targets Banking Institutions

 

Last year, an Android banking malware strain was found in the wild; a few organizations called it "Coper" and treated it as a new family, but ThreatFabric intelligence indicated it was a direct descendant of the infamous Exobot malware family. First seen in 2016, Exobot targeted financial institutions until 2018, with campaigns focused on France, Turkey, Thailand, Germany, Japan, and Australia. A "lite" variant then surfaced, named ExobotCompact by its developer, known as "Android" on the dark web.

Analysts from ThreatFabric established a direct connection between ExobotCompact and a later strain, "ExobotCompact.B." The latest strain, ExobotCompact.D, surfaced in November 2021. "We would like to point out that these set of actions that the Trojan is able to perform on victim’s behalf is sufficient to implement (with certain updates made to the source code of the Trojan) an Automated Transfer System (ATS)," says the ThreatFabric report. The family's recent activity involves distribution via various malicious apps on the Google Play Store.

The apps were installed more than 50,000 times, targeting financial organizations around the world in both broad, generic campaigns with a high number of targets and focused, narrow campaigns across Europe. Earlier this year, experts noticed a post on a dark web forum in which a user was looking for an Octo Android botnet. A direct connection was later found between ExobotCompact and Octo: ExobotCompact had been updated with various features and rebranded as Octo, bringing remote access capability and thereby letting the malicious actors behind the Trojan perform on-device fraud (ODF).

ODF is the riskiest and most dangerous fraud threat, because transactions originate from the same device the victim uses every day. Anti-fraud programmes are challenged to detect the fraudulent activity, since there are fewer malicious indicators than with fraud carried out through other channels. ThreatFabric reports, "to establish remote access to the infected device, ExobotCompact.D relies on built-in services that are part of Android OS: MediaProjection for screen streaming and AccessibilityService to perform actions remotely."

Indian Banks Failing to Protect Their Cyber Security

 


In Thane, Maharashtra, unidentified fraudsters hacked the server of a cooperative bank and tampered with its data. According to police, the hackers allegedly siphoned off Rs. 1.51 crore from the Dombivli Nagarik Sahkari (DNS) bank to various accounts on March 12.
 
Following the attack, a case has been registered against unidentified persons under section 420 (cheating and dishonestly inducing delivery of property) of the Indian Penal Code (IPC) and section 65 of the Information Technology Act at Manpada police station in the Kalyan division, which has started a probe into the incident in collaboration with Thane cyber police.
 
The security incident draws light on the issue of bank frauds that have become deep-seated in the Indian Financial System. In just over seven years, Indian banks have witnessed frauds surpassing $5 trillion with total fraud loans amounting to Rs. 1.37 lakh crore in the last year alone.  
 
Shocking scams like Punjab National Bank (PNB) scam (2018), Cosmos Bank cyberattack (2018), Canara Bank ATM Hack (2018), along with many other vishing, phishing, ATM skimming, and spamming attacks have continued to plague Indian banks over the recent years. With an increase in digital-based transactions, money cheating cases have also witnessed a sharp rise. The techniques and resistance measures employed by banks to safeguard their customers’ financial data and money have met with progressive and sophisticated hacking techniques used by fraudsters in India.  
 
John Maynard Keynes, after examining the condition of banking in India said banking in India should be conducted on the safest possible principles while calling India a “dangerous country for banking”. The apprehension has proven to be prophetic in the modern world as financial institutions failing to conduct prudent banking have become the center of monetary scams. Reportedly, the State Bank of India (SBI), HDFC Bank, and ICICI Bank constituted a majority of incidents totaling more than 50,000 fraudulent incidents in the last 11 fiscal years.  
 
Digitalization in India has led to the manifestation of ‘Digital Money’ and cashless transactions have been on a continual rise. Consequently, the protection of data and privacy becomes more important as a fragile cybersecurity system can have serious repercussions for any bank’s customer base.  
 
Data breaches have emerged as a serious threat in the banking sector, which further amplifies the need for an impenetrable banking system, as recovering from a data breach and regaining control of a breached server can be extremely stressful and time-consuming. To strengthen the evolution of the banking system, banks need to identify and plug the gaps in their security. Part of the problem can be attributed to the accelerated pace of digitization, which has increasingly required a matching investment in cyber hygiene.
 
Some of the viable measures that banks can undertake include proactive security techniques like ‘Whitelisting’ (blocks unapproved programs while only allowing a limited set of programs to run) and BIOS passwords (prevents external access to systems and servers). Awareness of employees, stringent filtering, and communicating regularly with regional offices are some of the other preventive measures as advised by the security experts.

DDoS Attacks Hit Ukrainian Government Websites

 

DDoS attacks are causing havoc for the Ministry of Defense and the Armed Forces of Ukraine, as well as two of the country's state-owned banks, Privatbank (Ukraine's largest bank) and Oschadbank (the State Savings Bank). 

Bank customers got text messages saying that bank ATMs were down today, according to Ukraine's Cyberpolice, who added that the messages were "part of an information attack and do not correspond to reality." 

The Ukrainian Ministry of Defense, whose website was taken down as a result of the attacks, stated that its website was most likely hit by a DDoS attack, as an excessive number of requests per second was observed.

"Starting from the afternoon of February 15, 2022, there is a powerful DDOS attack on a number of information resources of Ukraine," Ukraine's State Service for Special Communication and Information Protection added. 

"In particular, this caused interruptions in the work of web services of Privatbank and Oschadbank. The websites of the Ministry of Defense and the Armed Forces of Ukraine were also attacked."

While the Ukrainian defence ministry's website is down, Oschadbank's and Privatbank's websites are still up and running, although users are unable to access their online banking. Privatbank users have been experiencing problems with payments and the bank's mobile app, according to the Ukrainian Center for Strategic Communications and Information Security. Some stated that they couldn't get into their Privat24 internet banking accounts, while others said they observed inaccurate balances and recent transactions.

A traffic geofencing rule was added to Privatbank's web application firewall (WAF), which automatically removed the website's contents for IP addresses outside of Ukraine and displayed a "BUSTED! PRIVATBANK WAF is watching you)" message. 

The Security Service of Ukraine (SSU) stated on Monday that the country is being targeted in a "massive wave of hybrid warfare" aimed at instilling fear in Ukrainians and undermining their faith in the state's ability to safeguard them. The SSU further stated that it has already blocked many such attempts related to hostile intelligence agencies, as well as dismantled bot farms aimed at spreading fear in Ukrainian residents through bomb threats and fake news.  

Attacks on Ukrainian authorities are being coordinated by the Gamaredon hacking organisation (connected to Russia's Federal Security Service (FSB) by Ukrainian security and secret agencies), according to the country's Computer Emergency Response Team. 

A day later, the SSU announced that it has prevented more than 120 cyberattacks aimed at Ukrainian governmental institutions in January 2022. 

Gamaredon has been directing a wave of spear-phishing emails targeting Ukrainian businesses and organisations relevant to Ukrainian issues since October 2021, according to Microsoft.

How Banks Evade Regulators For Cyber Risks

 


Lately, the equilibrium between banks, regulators, and vendors has taken a hit, as critics claim that banks are not doing enough to safeguard the personally identifiable information of the clients and customers entrusted to them. Rapid modernization of internet banking and instant payment methods has widened the scope of attack vectors, introducing new flaws and loopholes into the system and consequently requiring financial institutions to combat the threat more actively than ever.

In the wake of the tech innovations that have broadened the scope of cybercrime, the RBI has constantly felt the need to put forth reminders for banks to strengthen their cyber security mechanisms; of which they reportedly fell short. As financial frauds relating to electronic money laundering, identity theft, and ATM card frauds surge, banks have increasingly avoided taking the responsibility.  

It is well known that banks hire top-class vendors to counter cyber threats; however, fewer people know that banks have become so reliant on vendors that they hold them accountable for security loopholes and cybersecurity mismanagement. Subsequently, regulators fine the third-party entity, essentially the 'vendors' providing cyber security risk management to the banks.

The question that arises is whether banks are doing enough on their own to protect their customers from cyber threats. Banks need to understand the monitoring and management tools available to manage cyber security and mitigate risks. Financial institutions have an inherent responsibility to combat fraud aggressively and to work on behalf of their customers and clients to stay one step ahead of threats.

Banks can detect threats and effectively prevent their customers' privacy and security from being jeopardized. For instance, banks can secure user transactions by proactively monitoring SMS through the corresponding mobile banking app. They can screen phishing links and unauthorized transactions and warn customers if an OTP arrives during a call.
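Two of the monitoring rules mentioned above, as an added Python example (not the article's or any bank's code): flag an OTP SMS that arrives while a phone call is in progress, and flag an SMS link whose host is not one of the bank's own domains. The event timeline, the event format and the bank's domain list are constructed for the example.

```python
"""
Added example: two SMS-monitoring rules run over a constructed timeline.
Rule 1: an OTP SMS received during an active call (a common vishing pattern).
Rule 2: an SMS carrying a link whose host is not a bank-owned domain.
Event format, timestamps and the domain list are all assumptions.
"""
import re
from urllib.parse import urlparse

BANK_DOMAINS = {"examplebank.test", "secure.examplebank.test"}  # constructed
OTP_PATTERN = re.compile(r"\b(OTP|one[- ]time password)\b", re.IGNORECASE)
URL_PATTERN = re.compile(r"https?://\S+")

# Constructed timeline: (timestamp in seconds, event kind, payload)
EVENTS = [
    (1000, "call_start", "+910000000009"),
    (1030, "sms", "Your OTP for txn 4421 is 918273. Do not share it."),
    (1100, "call_end", "+910000000009"),
    (2000, "sms", "Your OTP for login is 556677."),
    (3000, "sms", "KYC pending! Update now: http://examplebank-kyc.test/update"),
    (3500, "sms", "Statement ready: https://secure.examplebank.test/stmt"),
]


def active_call_windows(events):
    """Pair call_start/call_end events into (start, end) intervals."""
    windows, open_start = [], None
    for ts, kind, _ in sorted(events):
        if kind == "call_start":
            open_start = ts
        elif kind == "call_end" and open_start is not None:
            windows.append((open_start, ts))
            open_start = None
    if open_start is not None:            # a call still in progress
        windows.append((open_start, float("inf")))
    return windows


def is_bank_host(url):
    """True only for the bank's own domains or their subdomains."""
    host = (urlparse(url).hostname or "").lower()
    return host in BANK_DOMAINS or any(host.endswith("." + d) for d in BANK_DOMAINS)


def analyse(events):
    """Return (timestamp, rule) alerts for every SMS that trips a rule."""
    windows = active_call_windows(events)
    alerts = []
    for ts, kind, text in events:
        if kind != "sms":
            continue
        if OTP_PATTERN.search(text) and any(s <= ts <= e for s, e in windows):
            alerts.append((ts, "otp_during_call"))
        for url in URL_PATTERN.findall(text):
            if not is_bank_host(url):
                alerts.append((ts, "non_bank_link"))
    return alerts
```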

Further, banks are expected to strictly adhere to the timeframe fixed for reporting frauds and ensuring that customer complaints regarding unscrupulous activities are timely registered with police and investigation agencies. Banks must take accountability in respect of reporting fraud cases of their customers by actively tracking the accounts and interrupting vishing/phishing campaigns on behalf of their customers as doing so will allow more stringent monitoring of the source, type, and modus operandi of the attacks. 

“We are getting bank fraud cases from the customers of SBI and Axis Bank also. It is yet to be verified whether the data has been leaked or not. There might be data loss or it could be some social engineering fraud,” Telangana’s Cyberabad cybercrime police said.

“Police said that the fraudsters had updated data of the thousands of customers who received new credit cards and it was a bank’s insider who is the architect of this whole fraud,” reads a report pertaining to an aforementioned security incident by The Hindu.  

“This is a classic case to explain the poor procedure practised by the network providers while issuing SIM cards, and of course the data security system at the banks,” a senior police officer said. 

In relation to the above, banks should assume accountability for their customers’ security and should review and strengthen the monitoring process, while meticulously following a preventive course of action based on risk categorization, such as checking at multiple levels, closely monitoring credits and debits, sending SMS alerts, and (wherever required) alerting the customer via a phone call. The objective, essentially, is for banks to focus on prevention, prompt detection, and timely reporting, so that regulators can aggregate cases and take the necessary corrective measures, which will inhibit the continuity of crime and in turn reduce the ‘quantum’ of loss.

Besides vigorously following up with police and law enforcement, financial institutions have many chances to detect ‘early warning signals’ that they cannot afford to ignore; banks should rather use those signals as a trigger for detailed pre-investigations. Cyber security is a many-layered concept; blaming misappropriations on vendors not only demonstrates the banks’ tendency to avoid being labelled a defaulter but also greatly impacts ‘recoverability aspects’ such as effective monitoring for customers.

Covid-19 has led to Increase in Cyberattacks Against Banks and Insurers

 

According to recent studies, the coronavirus pandemic and working from home (WFH) provisions are triggering a "huge" increase in attacks against financial institutions. The COVID Crime Index 2021 survey, published on Wednesday by BAE Systems Applied Intelligence, looked at how the remote working paradigm is affecting the banking and insurance industries.

Cybersecurity analysts expected a cyberattack to occur every 11 seconds in 2021, almost twice as frequently as in 2019 (every 19 seconds) and four times as frequently as five years earlier (every 40 seconds in 2016). Cybercrime is estimated to cost the global economy $6.1 trillion a year, making it the world's third-largest economy, behind only the United States and China.

The situation is ripe for exploitation, given that the current pandemic has a greater portion of the population working from home, with all of the associated disruptions. The harried, rushed, exhausted, and depressed employee has become the weapon of choice, and the humble home router has become the attack surface. It's no surprise that over 4,000 malicious COVID pages appeared on the internet within months of the pandemic's first lockdown.

WFH arrangements are gradually being relaxed in some places as the pandemic's global course evolves, but many organizations prefer either to keep encouraging workers to operate remotely or to follow hybrid working practices. HSBC and JP Morgan, for example, will encourage thousands of their workers to work from home for the near future.

Security has also proved difficult. According to the BAE Systems survey, 74 percent of banks and insurers have seen an increase in cyberattacks since the pandemic began, and "criminal behavior" reported by financial institutions has increased by about a third (29 percent). The study is based on two surveys of 902 financial services companies, as well as fieldwork in both the US and UK markets in March 2021.

According to the survey, 42% of banks and insurers agree that working from home has rendered their companies "less safe," and 44% believe that remote models have caused visibility issues through established networks. Many businesses have been forced to cut expenses anywhere they can, and when it comes to cybersecurity, average risk, anti-fraud, and cybersecurity budgets have been slashed by 26%, contributing to 37% of businesses saying their consumers are now more vulnerable to cybercrime and fraud. 

According to the survey, 56 percent of UK and US banks have suffered such casualties, with the average expense of online illegal activities approaching $720,000 since the pandemic.

Yanbian Gang Malware Continues With Large-Scale Distribution and C2

 

Fake banking apps laced with malware remain a crucial factor in the success of threat actors. For the Yanbian gang, a criminal group in Yanbian, China that targets organizations across Asia, it's a skill they have been honing for more than a decade. 

Since 2013, the Yanbian Gang has been targeting South Korean Android mobile banking customers with malicious Android apps impersonating major banks, including Shinhan Savings Bank, Saemaul Geumgo, Shinhan Finance, KB Kookmin Bank, and NH Savings Bank. RiskIQ's threat research team examined some of the threat group's most recent activity in this vector to examine their malware of choice as well as the large-scale hosting infrastructure they use to distribute and control it. 

During their analysis of Yanbian Android apps, the researchers discovered hundreds of Korean-language apps hosted across an extensive list of IP addresses. These apps were built to steal information from infected victims, including loan application details, contacts, SMS messages, phone call details, call logs, and the applications installed on the device.

Since December 2020, RiskIQ's analysis has identified 377 individual samples of malicious Android apps developed and distributed by the Yanbian Gang. Many of these apps have multiple versions and set up services to run in the background of victim phones, both of which fit the Yanbian Gang's known method of operation. 

While these apps appear simple, they can perform a variety of malicious actions without the victim's knowledge. Yanbian Gang actors collect information not only about the victim but also their contacts, installed applications, and even messages sent from the infected device. The apps also request a plethora of permissions that can potentially be abused for malicious purposes.
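A triage check for the capability profile described above, added here as an example and not RiskIQ's own tooling: it parses a constructed AndroidManifest.xml (not a real sample) and flags the combination of data-theft permissions with a boot-persistent background service. The permission-to-capability mapping and the verdict thresholds are assumptions.

```python
"""Manifest triage for the profile described above (assumed heuristic, not RiskIQ's)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Android permissions backing the data-theft capabilities listed in the post.
CAPABILITY_PERMISSIONS = {
    "android.permission.READ_SMS": "sms",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_CALL_LOG": "call_log",
    "android.permission.READ_PHONE_STATE": "phone",
    "android.permission.QUERY_ALL_PACKAGES": "installed_apps",
}
BOOT_PERM = "android.permission.RECEIVE_BOOT_COMPLETED"
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"

# Constructed manifest, not a real sample, showing the profile described above.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakebank">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="KB Kookmin Bank">
    <service android:name=".CollectorService" android:exported="false"/>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""


def triage_manifest(xml_text: str) -> dict:
    """Return the data-theft capabilities, persistence flags and a verdict."""
    root = ET.fromstring(xml_text)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    caps = sorted({CAPABILITY_PERMISSIONS[p] for p in perms if p in CAPABILITY_PERMISSIONS})
    has_service = root.find("application/service") is not None
    boot_persist = BOOT_PERM in perms and any(
        a.get(ANDROID_NS + "name") == BOOT_ACTION for a in root.iter("action"))
    # Three or more data classes from a boot-persistent background service is the profile above.
    if len(caps) >= 3 and has_service and boot_persist:
        verdict = "high"
    elif len(caps) >= 2:
        verdict = "medium"
    else:
        verdict = "low"
    return {"capabilities": caps, "background_service": has_service,
            "boot_persistent": boot_persist, "verdict": verdict}
```

Running `triage_manifest(SAMPLE_MANIFEST)` on the constructed manifest yields a "high" verdict; a manifest requesting only INTERNET with no service scores "low".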

One of the research findings was a set of references to various URL paths leading to a specific IP address over HTTP. The Yanbian Gang calls these paths "methods," and they serve as Command and Control (C2): the app uses them to initiate device registration, report device capabilities, exfiltrate stolen information, and receive instructions from the specified C2 servers.

RiskIQ researchers observed one sample communicating using only some of these "methods," most likely because of the limited data stored on their test device and its lack of features. These communications were sent to the C2 server as encrypted HTTP POST and GET requests.

The Yanbian Gang continues to target South Korean users with malware, tactics, and targeting similar to those reported in 2015. However, the group has evolved: it now separates its infrastructure by function and switches hosting providers. According to RiskIQ, the gang actively operates web servers hosting its call-to-action pages and malicious application delivery, C2 servers, and servers running the Real-Time Messaging Protocol that receive call information.
