Security Issues in Korean & Global Financial Sector – Malware, Phishing, Deep Web & Dark Web Cases in August 2024
This report covers real-world cyber threats and related security issues affecting Korean and overseas financial companies.
It analyzes malware and phishing campaigns aimed at the financial sector, lists the top 10 malware families targeting the sector, and provides per-industry statistics on Korean accounts leaked through Telegram. Phishing emails distributed to the financial sector are also covered in detail.
The report also analyzes major financial threats and cases observed on the dark web: threats and actual cases of credit card data leaks, and threats and cases of database leaks from financial institutions. It further covers ransomware threats and the damage caused by infections in the financial sector, as well as other cyberattack threats and actual damage cases involving financial institutions.
[Table of Contents]
- Statistics on Malware Distributed to Financial Sectors
- Top 10 Major Malware Targeting Financial Sector
- Statistics on Korean Accounts Exfiltrated Via Telegram by Industry
- Phishing Email Distribution Cases Targeting the Financial Sector
  - Case 1. Phishing Disguised as Receipt-Related Document
  - Case 2. Phishing Disguised as Post-Clearance Customs Tax Notice
- Major Deep Web & Dark Web Issues Related to the Financial Sector
  - Threat of Credit Card Data Breach
  - Cases of Credit Card Breach
  - Threat of Database Breach
  - Cases of Database Breach
  - Threat of Ransomware Breach
  - Cases of Ransomware Infection
  - Cyberattack Threat
  - Cyberattack Damage
  - Threat of Access Permission Sales
  - Cases of Access Permission Sales
[Statistical Summary]
– Statistics on Malware Distributed to Financial Sectors

– Statistics on Korean Accounts Exfiltrated Via Telegram by Industry

[Major Deep Web & Dark Web Issues Related to the Financial Sector]
Database leak case
- Leaked company: https://www.***bank.com/
A post about a data leak involving the database of ***Bank, one of the major banking institutions in the US, was uploaded to a cybercrime forum. The leak originates from a post by IntelBroker, a threat actor active on BreachForums.
***Bank was founded in 1853 and is the largest financial service provider in the US. Mainly focused on commercial banking, it provides various financial services. It is considered to be a stable and reliable bank in the US.
In August 2024, the infamous threat actor IntelBroker claimed to have breached **kykun’s database. The database contained information on 2.7 million customers of ***Bank.
A portion of the data was released as a sample, which contained highly sensitive information such as names, emails, addresses, social security numbers, and bank account details.
Even if a bank manages its own security systems strictly, a data breach at a partner company can lead to serious risks. In other words, a partner’s security vulnerabilities can be a crucial risk factor in the bank’s security strategy. If sensitive information about the bank’s customers is leaked through a partner’s breach, it can be abused for financial fraud, identity theft, and other crimes. This not only causes financial damage to customers but also significantly affects their trust in the bank.

Cases of companies affected by ransomware infection
The LockBit, RansomHub, Rhysida, BianLian, Medusa, Play, BlackSuit, Hunters International, and KillSec ransomware gangs breached multiple financial companies and listed them as victims on their dedicated leak sites (DLS). Below are brief outlines of the attack cases.
Ransomware: LockBit
The ransomware gang uploaded the following financial institution as a victim.
- Affected company: https://***forest.co.uk/
The LockBit ransomware gang claimed to have attacked ****& Forest.
Headquartered in the UK, ****& Forest specializes in accounting and financial services. Its main services include statutory audits, taxation, value-added tax compliance, and payroll management. It serves a range of customers, from small businesses to conglomerates. The firm is also considered highly reliable, as it is registered with the Institute of Chartered Accountants. Its annual sales are around $13.8 million, and the firm is currently expanding its services globally.
On July 16th, 2024, access permissions to ****& Forest went up for sale on the dark web. The threat actor launched a brute force attack on RDWeb, which allows access to remote desktop services through a web browser, and gained access permissions to ****& Forest. Where RDWeb is not protected by multi-factor authentication (MFA), threat actors aim to gain initial access using leaked or weak credentials.
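A defender-side check for the RDWeb brute-force pattern described above, as an added example that is not part of the original report: it scans IIS logs for bursts of failed POSTs to the RDWeb sign-in form from one client and marks bursts that are followed by a redirect. The log lines are constructed; the form path, the reduced field list, and reading HTTP 200 as a failed logon and 302 as a successful one are assumptions about a default deployment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed default RDWeb sign-in form path; adjust for localized or customized sites.
LOGIN_PATH = "/rdweb/pages/en-us/login.aspx"
# Constructed IIS W3C sample (reduced field list, documentation IP ranges).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem c-ip sc-status
2024-07-10 02:14:01 POST /RDWeb/Pages/en-US/login.aspx 203.0.113.7 200
2024-07-10 02:14:09 POST /RDWeb/Pages/en-US/login.aspx 203.0.113.7 200
2024-07-10 02:14:17 POST /RDWeb/Pages/en-US/login.aspx 203.0.113.7 200
2024-07-10 02:14:25 POST /RDWeb/Pages/en-US/login.aspx 203.0.113.7 200
2024-07-10 02:14:33 POST /RDWeb/Pages/en-US/login.aspx 203.0.113.7 200
2024-07-10 02:14:41 POST /RDWeb/Pages/en-US/login.aspx 203.0.113.7 200
2024-07-10 02:14:50 POST /RDWeb/Pages/en-US/login.aspx 203.0.113.7 302
2024-07-10 09:00:01 GET /RDWeb/Pages/en-US/login.aspx 198.51.100.20 200
2024-07-10 09:00:05 POST /RDWeb/Pages/en-US/login.aspx 198.51.100.20 200
2024-07-10 09:00:20 POST /RDWeb/Pages/en-US/login.aspx 198.51.100.20 302
"""

def parse(log_text):
    """Yield one dict per request, keyed by the names in the #Fields header."""
    fields = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            row = dict(zip(fields, line.split()))
            stamp = row["date"] + " " + row["time"]
            row["ts"] = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
            yield row

def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: {"failures": n, "success_after": bool}} for clients over threshold."""
    failures, alerts = defaultdict(list), {}
    for row in parse(log_text):
        if row["cs-method"] != "POST" or row["cs-uri-stem"].lower() != LOGIN_PATH:
            continue
        ip, ts = row["c-ip"], row["ts"]
        if row["sc-status"] == "200":   # assumed: form re-rendered, logon failed
            failures[ip] = [t for t in failures[ip] if ts - t <= window] + [ts]
            if len(failures[ip]) >= threshold:
                entry = alerts.setdefault(ip, {"failures": 0, "success_after": False})
                entry["failures"] = max(entry["failures"], len(failures[ip]))
        elif row["sc-status"] == "302" and ip in alerts:
            alerts[ip]["success_after"] = True   # redirect after a burst: investigate
    return alerts
```

IIS does not log the submitted username, so this groups by client address only; correlating flagged bursts with Windows logon failure events on the RD Web Access host narrows down which accounts were targeted.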

Cyberattack Threat
- Affected company: https://www.***.org.il/
The pro-Muslim hacktivist group Islamic Hacker Army launched a DDoS attack on the central bank of ****.
Bank of **** is Israel’s central bank that was founded in 1954. As a core institution for the stability and growth of Israel’s economy, it maintains high reliability and popularity. Based on independent economic policies and expertise, it has the trust of Israeli citizens and plays an important part in Israel’s continuous economic development. Its main roles include managing financial stability and monetary policies, which maintain the balance of the nation’s economy.
The pro-Muslim hacktivist group claimed that they targeted the Bank of ****’s website and posted proof of the attack on its Telegram channel. The proof showed that accessing the website in various countries including Israel, Iran, Germany, France, and Japan all resulted in a connection failure error.
