Tue. May 26th, 2020

Department of Homeland Security Warns Financial Services Entities About Ongoing Dridex Attacks

Today, the Department of Homeland Security issued a warning to financial services institutions about ongoing Dridex malware attacks targeting private-sector financial firms through phishing e-mail spam campaigns, Bleeping Computer reports.


In the alert, the Cybersecurity and Infrastructure Security Agency (CISA) says:

“Because actors using Dridex malware and its derivatives continue to target the financial services sector, including financial institutions and customers, the techniques, tactics, and procedures contained in this report warrant renewed attention.”

“Treasury and CISA encourage network security specialists to incorporate these indicators into existing Dridex-related network defense capabilities and planning.”


Along with the warning, CISA also provides a list of tips to minimize the risks of a Dridex attack.


The recommendations include:

  • Ensure systems are set by default to prevent execution of macros.
  • Inform and educate employees on the appearance of phishing messages, especially those used by the hackers for distribution of malware in the past.
  • Update intrusion detection and prevention systems frequently to ensure the latest variants of malware and downloaders are included.
  • Conduct regular backup of data, ensuring backups are protected from potential ransomware attack.
  • Exercise employees’ response to phishing messages and unauthorized intrusion.
  • If there is any doubt about message validity, call and confirm the message with the sender using a number or e-mail address already on file.
  • Treasury and CISA remind users and administrators to use the following best practices to strengthen the security posture of their organization’s systems:
    • Maintain up-to-date antivirus signatures and engines.
    • Keep operating system patches up-to-date.
    • Disable file and printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
    • Restrict users’ ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators’ group unless required.
    • Enforce a strong password policy and require regular password changes.
    • Exercise caution when opening email attachments even if the attachment is expected and the sender appears to be known.
    • Enable a personal firewall on workstations, and configure it to deny unsolicited connection requests.
    • Disable unnecessary services on agency workstations and servers.
    • Scan for and remove suspicious email attachments; ensure the scanned attachment is its “true file type” (i.e., the extension matches the file header).
    • Monitor users’ web browsing habits; restrict access to sites with unfavorable content.
    • Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs).
    • Scan all software downloaded from the Internet before executing.
    • Maintain situational awareness of the latest threats.
    • Implement appropriate access control lists.
    • Exercise cybersecurity procedures and continuity of operations plans to enhance and maintain ability to respond during and following a cyber incident.
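The “true file type” check in the list above, as an added example that is not part of the CISA advisory or this article: the signature table is a small hand-picked subset of common attachment formats, and the sample attachments are constructed headers, not real files.

```python
"""Verify that an attachment's extension agrees with the file type declared
by its leading bytes (the "true file type" check). Added example; the
signature table and sample attachments are constructed for illustration."""
from pathlib import PurePath
from typing import Optional

# Magic-byte signatures at offset 0 for a few common attachment formats.
# Office 2007+ files are ZIP containers; legacy Office files are OLE2.
SIGNATURES = {
    b"%PDF-": {"pdf"},
    b"PK\x03\x04": {"zip", "docx", "xlsx", "pptx", "docm", "xlsm"},
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": {"doc", "xls", "ppt", "msg"},
    b"\x89PNG\r\n\x1a\n": {"png"},
    b"\xff\xd8\xff": {"jpg", "jpeg"},
    b"MZ": {"exe", "dll", "scr"},
}

def detect_type(data: bytes) -> Optional[set]:
    """Return the extensions consistent with the header, or None if unknown."""
    for magic, exts in SIGNATURES.items():
        if data.startswith(magic):
            return exts
    return None

def header_matches_extension(filename: str, data: bytes) -> bool:
    """True only when the extension is one the header signature allows.
    Unknown headers fail closed so the file is routed to quarantine/scanning."""
    ext = PurePath(filename).suffix.lower().lstrip(".")
    allowed = detect_type(data)
    return allowed is not None and ext in allowed

# Constructed sample attachments (header bytes only).
SAMPLES = {
    "invoice.pdf": b"%PDF-1.4 ...",
    "report.docx": b"PK\x03\x04" + b"\x00" * 26,
    "statement.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8,
    "setup.exe": b"MZ\x90\x00",      # extension and header agree (still an executable)
    "scan.pdf": b"MZ\x90\x00",       # executable disguised with a .pdf extension
    "notes.txt": b"hello",           # no known signature: fail closed
}

def audit(samples: dict) -> dict:
    """Map each attachment name to whether its header matches its extension."""
    return {name: header_matches_extension(name, data) for name, data in samples.items()}

if __name__ == "__main__":
    for name, ok in audit(SAMPLES).items():
        print(f"{name:16} {'ok' if ok else 'MISMATCH/UNKNOWN'}")
```

The check only establishes consistency between name and content; an attachment whose header and extension both say “executable” passes it and must still be blocked by attachment policy.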


Additionally, if your organization has been affected by a Dridex attack, contact CISA or the FBI at:

  • CISA (CISAservicedesk@hq.dhs.gov or 888-282-0870)
  • FBI through a local field office (https://www.fbi.gov/contact-us/field-offices)
  • FBI’s Cyber Division (CyWatch@fbi.gov or 855-292-3937)


It’s also worth noting that the US Department of Justice has charged Russian hacker Maksim Yakubets with computer hacking and fraud, TechCrunch reports.


Yakubets is the leader of the ‘Evil Corp’ hacking group. Aside from developing and distributing Dridex, he has also been charged with conspiracy to commit bank fraud in connection with the infamous “Zeus” banking malware, which stole $70 million from victims’ bank accounts.