Full Report
This report comprehensively covers real-world cyber threats and security issues that have occurred in the financial industry both in Korea and abroad. This article includes an analysis of malware and phishing cases distributed to the financial industry. It also provides a list of the top 10 malware strains targeting the financial industry and the statistics […] The post October 2024 Security Issues in Korean & Global Financial Sector appeared first on ASEC.
Analysis Summary
# Incident Report: Multiple Financial Sector Breaches and Access Sales
## Executive Summary
This report synthesizes multiple threats observed in the financial sector, including data breaches at a Swiss financial service company (Credit \*\*\*) and ransomware attacks against a major Chinese financial group (P\*\*\*) by groups like KillSec. Additionally, an instance of pre-compromise access, including firewall and VPN credentials for an Asian insurance company, was observed being sold on a cybercrime forum, highlighting the threat of access resale and direct system compromise in the industry.
## Incident Details
- Discovery Date: Variable (Based on threat actor posting/detection timeframe)
- Incident Date: Variable (Specific dates not provided for all cases)
- Affected Organization: Credit \*\*\* (Suspected), P\*\*\* (Claimed), Unnamed Hong Kong/Asian Insurance Company (Access Sale)
- Sector: Financial Services, Insurance
- Geography: Switzerland, China, Hong Kong/Asia
## Timeline of Events
### Initial Access
- Date/Time: Not specified for database breach/ransomware cases. Access sale was noted as currently happening on the forum.
- Vector: Database breach (Credit \*\*\*), Ransomware deployment (P\*\*\*). Access sale involved firewall/network admin credentials.
- Details: For Credit \*\*\*, data was leaked on BreachForums. For P\*\*\*, KillSec claimed internal data theft. For the insurance firm, SuperAdmin, firewall, and network VPN access are being sold.
### Lateral Movement
- Details: Not explicitly detailed, but the sale of **SuperAdmin privilege** and **network VPN access** to an insurance company strongly implies the potential for unrestricted lateral movement once exploited.
### Data Exfiltration/Impact
- Credit \*\*\*: Leak of 92,130 records including personal details, claim IDs, and employee codes.
- P\*\*\*: Theft of 323GB of internal data, including insurance subscriber names, ID numbers, and claim details.
- Insurance Company Access Sale: Potential for complete system control via SuperAdmin access.
### Detection & Response
- Detection: Public posting of leaked data on cybercrime forums (BreachForums, DLS). Observation of access privilege sales on cybercrime forums.
- Response: The report notes the *observed* threats but does not detail specific response actions taken by the victim organizations, although warnings are issued for the access sale case.
## Attack Methodology
- Initial Access: Exploitation leading to database compromise (Credit \*\*\*), Ransomware deployment (P\*\*\*), Sale of existing valid access credentials (SuperAdmin/Firewall/VPN for Insurance firm).
- Persistence: Not explicitly detailed, but ransomware implies establishing persistence for encryption/exfiltration.
- Privilege Escalation: The sale of **SuperAdmin privilege** indicates the seller already holds the highest level of access, so a buyer would need no privilege escalation at all.
- Defense Evasion: Not detailed, but implied through successful ransomware execution.
- Credential Access: Implied in ransomware scenario; explicitly involved in the access sale via "password received from the user backup" mentioned by the seller.
- Discovery: Not detailed.
- Lateral Movement: Implied via high-level access (SuperAdmin/VPN) being sold.
- Collection: Theft of customer/subscriber personal and insurance data.
- Exfiltration: Data posted on Dedicated Leak Sites (DLS) or forums.
- Impact: Data exposure, potential system encryption/disruption (ransomware).
## Impact Assessment
- Financial: Direct costs of the breaches are unknown; business disruption is likely given the ransomware threat and the potential compromise of the sold access. The threat actor targeting P\*\*\* demanded agreement by October 16, 2024.
- Data Breach: Highly sensitive customer PII (names, DOBs, ID numbers, claim details) from large financial institutions.
- Operational: Potential for full operational shutdown if ransomware encrypts critical systems, or core control loss if SuperAdmin access is leveraged.
- Reputational: Significant negative impact due to public data leaks from major global financial service providers.
## Indicators of Compromise
- Network indicators: None provided (URLs in the source report are masked).
- File indicators:
  - MD5: `0e4c875fee53ca6ecff5969e1db26639`, `58f4a699cd23c0484f8a3677b2510470`, `70afbb1534149b83fd0a90b62a54d356`, `7fa9b1c53dc7ec00ccb0059661a62f68`, `99447b8c6fb3b85be61f297a04b03915` (associated with the incidents analyzed).
- Behavioral indicators: Posting of sample data on cybercrime forums; active sale of high-level access credentials (SuperAdmin, VPN).
## Response Actions
- Containment: Not specified beyond the general threat of immediate action needed upon discovery of unauthorized access sale.
- Eradication: Not specified.
- Recovery: Not specified.
## Lessons Learned
- **Supply Chain/Access Risk:** Sale of complete administrative access (Firewall, SuperAdmin, VPN details) poses an extremely high risk, bypassing traditional security layers before the breach is even executed.
- **Verification of Breaches:** The Credit \*\*\* claim highlights the need to verify the authenticity of data presented by threat actors, as claims can be fabricated.
- **Ransomware Pressure:** Threat actors utilize strict deadlines (e.g., October 16, 2024) to maximize pressure for ransom payment following data theft.
## Recommendations
- **Mandatory Credential Rotation:** Immediately rotate credentials, especially for privileged accounts (SuperAdmin, Network Admin), on any system component whose access is known or suspected to have been offered for sale on the dark web.
- **MFA Enforcement:** Deploy Multi-Factor Authentication on all VPN and critical network management interfaces (Firewalls).
- **Data Access Auditing:** Conduct immediate forensic audits on database access logs for the period corresponding to the data exfiltration claims to confirm the scope of PII exposure.
- **Enhanced Threat Intelligence Monitoring:** Increase daily monitoring of cybercrime forums for internal company names, employee codes, or unique data snippets that might signal an ongoing compromise or future sale of access.
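The "Data Access Auditing" recommendation above is the kind of check a responder can script within hours of a leak claim appearing. The following is an added example, not code from the ASEC report or from any of the organizations it discusses: it parses database access logs in an assumed, constructed format, restricts them to the window matching the exfiltration claim, and flags reads of PII-holding tables by privileged accounts, from the VPN address pool, or in bulk. The table names, account names, VPN address range, row threshold and every log line are assumptions constructed for the example; the bulk total in the sample is chosen to match the 92,130-record figure from the report to show how a log audit can corroborate or refute a threat actor's claim.

```python
"""Audit database access logs around a claimed exfiltration window.

Added illustration; log format, table/account names, thresholds and the
sample lines are all constructed assumptions, not data from the report.
"""
import re
from collections import defaultdict
from datetime import datetime

# Assumed log line format (constructed for this example):
#   <ISO-8601 UTC timestamp> user=<account> src=<ip> table=<name> op=<SELECT|EXPORT> rows=<n>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) table=(?P<table>\S+) "
    r"op=(?P<op>\S+) rows=(?P<rows>\d+)$"
)

SENSITIVE_TABLES = {"claims", "subscribers"}       # assumption: tables holding customer PII
PRIVILEGED_ACCOUNTS = {"superadmin", "netadmin"}   # assumption: infra accounts that should never read app data
VPN_POOL_PREFIXES = ("172.16.200.",)               # assumption: addresses handed out to VPN clients
ROW_THRESHOLD = 10_000                             # assumption: rows per (user, source) that counts as bulk

# Constructed sample log; the superadmin rows sum to 92,130, the leak size claimed in the report.
SAMPLE_LOG = """\
2024-10-08T02:11:05Z user=app_svc src=10.0.5.20 table=claims op=SELECT rows=120
2024-10-08T02:14:37Z user=app_svc src=10.0.5.20 table=subscribers op=SELECT rows=40
2024-10-09T23:52:10Z user=superadmin src=172.16.200.14 table=claims op=SELECT rows=50000
2024-10-09T23:58:44Z user=superadmin src=172.16.200.14 table=subscribers op=EXPORT rows=42130
2024-10-10T09:00:00Z user=reporting src=10.0.5.31 table=claims op=SELECT rows=2500
2024-10-13T01:05:19Z user=app_svc src=10.0.5.20 table=claims op=SELECT rows=90
"""


def _parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def parse_log(text):
    """Turn raw log text into event dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        events.append({
            "ts": _parse_ts(d["ts"]), "user": d["user"], "src": d["src"],
            "table": d["table"], "op": d["op"], "rows": int(d["rows"]),
        })
    return events


def audit_window(events, start, end):
    """Return findings for sensitive-table access between ISO timestamps start and end (inclusive).

    Each finding is (timestamp or None, user, src, table, [reasons]); a None timestamp
    marks an aggregate finding over the whole window.
    """
    t0, t1 = _parse_ts(start), _parse_ts(end)
    totals = defaultdict(int)   # (user, src) -> rows read from sensitive tables in window
    findings = []
    for e in events:
        if not (t0 <= e["ts"] <= t1) or e["table"] not in SENSITIVE_TABLES:
            continue
        totals[(e["user"], e["src"])] += e["rows"]
        reasons = []
        if e["op"] == "EXPORT":
            reasons.append("bulk export of sensitive table")
        if e["user"] in PRIVILEGED_ACCOUNTS:
            reasons.append("privileged infrastructure account reading application data")
        if e["src"].startswith(VPN_POOL_PREFIXES):
            reasons.append("source address in VPN client pool")
        if reasons:
            findings.append((e["ts"].isoformat(), e["user"], e["src"], e["table"], reasons))
    # Aggregate check: many small reads can add up to a full-table dump.
    for (user, src), rows in totals.items():
        if rows >= ROW_THRESHOLD:
            findings.append((None, user, src, "*", [f"{rows} rows read from sensitive tables in window"]))
    return findings


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for f in audit_window(evs, "2024-10-09T00:00:00Z", "2024-10-11T00:00:00Z"):
        print(f)
```

In a real investigation the window comes from the forum post or ransom note (here, the days before the October 16, 2024 deadline), and the aggregate total is the figure to compare against the record count the threat actor claims; a match does not prove the claim, but a total far below it is strong evidence that the sample was padded or fabricated, which is the verification point raised under Lessons Learned.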