October 2024 Security Challenges in Korean and Global Financial Sectors

Summary:

This report provides an in-depth analysis of cyber threats and security incidents affecting the financial industry, both in Korea and globally. It highlights malware and phishing attacks, significant data breaches, and ransomware incidents, along with statistics on compromised accounts and the implications for financial institutions.

Key points:

  • Overview of cyber threats in the financial sector.
  • Analysis of malware and phishing cases targeting financial institutions.
  • Top 10 malware strains affecting the financial industry.
  • Statistics on leaked Korean accounts via Telegram.
  • Details on major financial threats from the dark web.
  • Case studies of database breaches and ransomware attacks.
  • Risks associated with the sale of access privileges in financial companies.

MITRE Techniques:

  • Data Breach (T1071): Involves unauthorized access and extraction of sensitive data from financial institutions.
  • Ransomware (T1486): Encrypts files and demands ransom for decryption, affecting operational capabilities.
  • Credential Dumping (T1003): Acquiring user credentials to gain unauthorized access to systems.
  • Exploitation of Remote Services (T1210): Targeting vulnerabilities in remote services to gain access to networks.
  • Phishing (T1566): Using deceptive emails to trick users into revealing sensitive information.
  • Access Token Manipulation (T1134): Exploiting access tokens to gain unauthorized access to systems.

    This report comprehensively covers real-world cyber threats and security issues that have occurred in the financial industry both in Korea and abroad.

    This article includes an analysis of malware and phishing cases distributed to the financial industry. It also provides a list of the top 10 malware strains targeting the financial industry and statistics on the industries to which Korean accounts leaked via Telegram belong. A case of phishing emails distributed to the financial industry is also covered in detail.

    The analysis also covers major financial threats and cases on the dark web. Cases of credit card data breaches, financial institution database breaches, and ransomware breaches and infections targeting the financial sector are examined.

    Deep Web and Dark Web Issues in the Financial Sector

    Case of Database Breach

    Targeted Company: https://www.credit-***.com

    The data of Swiss financial service company Credit *** was breached and leaked on the cybercrime forum BreachForums.

    Credit *** is a global financial service company that has been continuously growing for over 150 years since its establishment in 1856 as Schweizerische *** (***), a bank that raised funds for the expansion of the Swiss railway network and industrialization. It operates in 50 countries around the world and employs over 45,000 people in 150 countries. Currently, Credit *** has merged with *** AG, and under Swiss law, *** AG has succeeded to all assets and liabilities of Credit ***.

    Threat Actor (888) claimed to have leaked 92,130 records from Credit ***, including claim IDs, customer names, customer genders, claimant names, claimant dates of birth, claimant genders, claimant relationships, claimant ages, reservation dates, claim creation dates, employee codes, insurance plan types, company names, and other details. However, because Threat Actor (888) has posted fake breach claims multiple times in the past, the authenticity of this breach is currently being questioned.

    Ransomware Breach Cases

    The KillSec, Meow, and RansomHub ransomware gangs have breached multiple financial companies and posted their information on the Dedicated Leak Sites (DLS) operated by the gangs. The cases of breach are as follows:

    Ransomware: KillSec

    Targeted Company: https://group.***.com/

    The ransomware gang KillSec claimed to have attacked the world’s largest financial service group, P***, in China.

    P*** is one of the world’s largest financial service companies, established in China in 1988, with over 232 million retail customers. They offer a wide range of services and products, including insurance, banking, investment, fintech, health, and elderly care. Through their comprehensive financial and social services, they have become one of China’s leading financial institutions and play a crucial role in the global market.

    KillSec claimed to have stolen 323GB of internal data from P***. The stolen data includes the insurance subscriber’s name, identification number, insurance period, and insurance claim details according to specific conditions. Part of the stolen data was released as a sample. The ransomware gang stated that if no agreement is reached by October 16, 2024, they will release all of the data.

    Cases of Damage Due to Sale of Access Privileges

    Targeted Company: The name of the targeted company has not been disclosed.

    On a cybercrime forum, firewall and network administrator access to a Hong Kong insurance company is being offered for sale.

    The threat actor (user72347) did not disclose the name of the affected company, but stated that it is part of an insurance company in Asia with an annual revenue of 245.7 million dollars. The threat actor stated that the sale includes firewall access, SuperAdmin privileges, and network VPN access. They also said that a password obtained from a user backup can be used to access the directory.

    In this case, the access being sold is a key element of firewall and network management; if it were exploited, the security of the entire company could be compromised. Super admin access is the highest level of privilege, granting full control over the network and internal systems as a whole. The inclusion of VPN credentials makes the threat more serious still, since it gives external threat actors a direct route into the network. This poses a significant risk that the sensitive information of the insurance company and its customers will be exploited. Companies must act immediately to block this access route and strengthen their system security.

    MD5

    Source: Original Post