Cybersecurity News: A Fed Weakness & Banking Trojan Named Gustuff

(From Credit Union Times) – Catching up on a couple of banking related cybersecurity related news items and reactions includes a focus on a Federal Reserve weakness, and a fund-stealing advanced banking trojan named Gustuff.

The U.S. Government Accountability Office found new weaknesses in the security of the information systems the Treasury Department uses to keep track of and otherwise manage the debt, including one in a Federal Reserve Bank system that Treasury relies on. “This new weakness, along with some unresolved earlier ones, could lead to an increased risk of unauthorized access to Federal Reserve Bank systems.”

The GAO said it “continued to identify deficiencies in Fiscal Service’s information system controls that, along with unresolved control deficiencies from prior audits, collectively represent a significant deficiency in internal control over financial reporting.” There were eight newly identified problems: two related to access controls and six linked to configuration management.

“Until these new and continuing control deficiencies, which collectively represent a significant deficiency, are fully addressed, there will be an increased risk of unauthorized access to, modification of, or disclosure of sensitive data and programs and disruption of critical operations,” the GAO warned.

Steven Rogers, CEO of, Herndon, Va.-based cybersecurity firm Centripetal, observed, there was not a clear indication the actual vulnerability. It could be something as simple as a bad password, or some other server update left undone, allowing unauthorized access to malware. “We just don’t know.”

Rogers indicated all these systems should employ more advanced intelligence in their security stacks such as external threat intelligence-based and internal rule-based systems to protect enterprises and reduce security team burdens and discovery times. “It’s great that an audit found this key vulnerability. However, well-designed network security systems should already employ both internal and external protective technologies to prevent successful attackers from stealing data.”

Coincidently, the Federal Reserve announced members of its Fraud Definitions Work Group. Over the next year, these 23 payments industry leaders and subject matter specialists will work collaboratively with Federal Reserve leaders to formulate recommendations for improving the quality and consistency of automated clearing house, wire, and check fraud data.

Meanwhile details emerged about a previously unreported advanced banking trojan named Gustuff considered at the core of stolen funds from accounts at over 100 financial institutions across the world and of 32 payment and cryptocurrency Android app thefts.

In its “High-Tech Crime Trends” report, cybersecurity firm Group IB found this new Trojan quickly ascending the hacker tool ranks. Initially noticed about a year ago, Gustuff features an automatic transfer service system, enabling it to open the supported apps, fill in the phished credentials (obtained through social engineering), and generate transactions.

The malware includes code to target top international banks such as Bank of America, Bank of Scotland, JPMorgan Chase, Wells Fargo, Capital One, TD Bank, and PNC Bank as well as payment apps for Western Union, eBay, PayPal, Skype, Revolut, Walmart, WhatsApp, Coinbase, Bitcoin Wallet, and others.

According to Bleeping Computer, the threat, first spotted in April 2018 sells for a monthly subscription of $800. It’s promoted as an upgraded variant of AndyBot banking malware.

“What’s interesting is more and more modular malware that will target not only mobile banking or not only payment services or not only cryptowallets, but all of them,” Sam Bakken, senior product marketing manager, of Chicago-based cybersecurity firm OneSpan said. Bakken noted this example even targeted messaging and retail apps. “Developers need to remember if their app handles payments in any way, shape or form, that right there makes it imperative to raise the level of the security within their app. “

Bakken pointed out, “Criminals are increasingly targeting mobile apps as consumers increasingly use them to buy things and move money around. it’s imperative to give your app developers a leg up with one-stop mobile app security tools that allows them to build security into mobile apps from the start.”