Security Issues in Korean & Global Financial Sector – Malware, Phishing, Deep Web & Dark Web Cases in September 2024

This report comprehensively covers actual cyber threats and related security issues that have occurred targeting domestic and foreign financial companies.

It includes analysis of malware and phishing cases distributed targeting the financial sector, presents the top 10 major malware targeting the financial sector, and also provides industry statistics on domestic accounts leaked through Telegram. Cases of distribution of phishing emails targeting the financial sector were also covered in detail.

We also analyzed major financial threats and cases that occurred on the dark web. We investigated threats and actual cases of credit card data leaks, and threats and cases of database leaks from financial institutions. We also analyzed damage caused by ransomware infringement threats and infections targeting the financial sector, as well as various cyber attack threats and actual damage cases targeting financial institutions.

[Table of Contents]

  • Statistics on Malware Distributed to the Financial Sector
  • Top 10 Major Malware Distributed to the Financial Sector
  • Statistics on Accounts of Korean Industries Exfiltrated via Telegram
  • Phishing Email Distribution Cases Targeting the Financial Sector
    • Case 1. Phishing targeting Yuanta Securities, disguised as a foreign shipping company
    • Case 2. Phishing targeting the National Credit Union Federation of Korea, disguised as a request for a quotation
  • Major Deep Web & Dark Web Issues in the Financial Sector
    • Credit card data leakage threat
      • Credit card leakage cases
    • Database Leakage Threat
      • Database Leakage Case
    • Ransomware Breach Threat
      • Ransomware Infection Case
    • Access Authorization Sale Threat
      • Case of damage from selling access rights

[Statistical Summary]

– Statistics on Malware Distributed to Financial Sectors

– Statistics on Korean Accounts Exfiltrated via Telegram by Industry

[Major Deep Web & Dark Web Issues Related to the Financial Sector]

Credit card leakage cases

  • Affected company: Australian credit card information leakage on the Exploit forum

150 pieces of Australian credit card information are being sold on the Exploit cybercrime forum. 

The threat actor (Forbs) claimed that the credit card information was collected within the last week and that 80-90% of the 150 credit cards contain valid information. Additionally, it was emphasized that the data includes card information, emails, and phone numbers. The data is being sold at auction, with a starting bid of $1,000, a bid increment of $200, and a buy-now price of $1,500.

The leakage of 150 valid credit card records is highly likely to lead to serious financial crime. In particular, the inclusion of personal information such as emails and phone numbers alongside the card data poses a high risk of abuse for phishing attacks or additional fraud. This can lead not only to personal financial loss but also to larger issues, such as a decline in corporate trust. The relevant organizations should promptly block the affected cards and take measures to minimize the damage. This incident also underscores the need to strengthen card information security overall.

Database Leakage Threat

Data from an Australian financial services company and AWS access rights are being sold on the cybercrime forum BreachForums. 

*** Capital is a financial company established in New Zealand in 2005, and it has been operating in the Australian market since 2007. It primarily provides secured business loans, invoice financing, supply chain financing, trade finance, and foreign exchange services. Over 3,000 small and medium-sized enterprises and corporations in Australia utilize *** Capital’s financial solutions, and it collaborates with the government and other institutions to improve the stability and fairness of the Australian financial system.

The threat actor (0xy0um0m) claimed that the leaked data is 60GB and was leaked on September 1, 2024. The database and AWS access rights of Fifo Capital are being sold for $3,000.

The leakage of AWS access rights from a financial company represents a serious security risk. AWS access rights confer the authority to control the company’s core infrastructure and data, so if abused they can lead to unauthorized access to internal systems, data leakage, and service disruptions, causing serious damage. For a financial services company in particular, malicious use of such access rights puts customer assets and sensitive financial information at high risk. The company should immediately conduct a thorough review of AWS access rights and strengthen its security measures.

Ransomware Breach Threat

The Hunters International, KillSec, RansomHub, and Stormous ransomware gangs breached multiple financial companies and posted them as victims on their dedicated leak sites (DLS). The cases are summarized as follows.

Ransomware: Hunters International

The ransomware gang uploaded the following financial corporation as a victim.

The Hunters International ransomware gang claimed to have stolen data from the Mexican car insurance company Q*** México. 

Q***, established in 1994, is a car insurance provider with the largest market share in Mexico. It has an international presence in several countries, including El Salvador, Costa Rica, the United States, and Peru, and develops and offers customized products based on over 25 years of expertise in car insurance.

The Hunters International ransomware gang claimed to have stolen 5.5TB (3,250,192 files) of organizational data from Q***. The gang announced that they would release all the data on September 3, 2024.

Given that Q*** México holds the largest market share in the Mexican car insurance market, this ransomware attack could severely damage customer trust. The leaked data likely includes sensitive customer information, such as insurance contracts and claim records, which could be misused for identity theft and fraud. Additionally, this incident could raise awareness about the importance of security across the entire insurance industry. Q*** must respond swiftly to prevent the spread of damage and implement enhanced security measures.

Case of damage from selling access rights

  • Affected company: RDP access rights of a U.S. financial company

RDP access rights of a U.S. financial company are being sold on the Exploit cybercrime forum. 

The threat actor (sudo) did not disclose the name of the affected company but claimed that it has an annual revenue of approximately $18 million and a total of 123 computers within its domain. These figures indicate the size of the company and the complexity of its IT infrastructure, and suggest the potential impact of an attack.

The threat actor used the ([adsisearcher]"(ObjectClass=computer)").FindAll().count code (a PowerShell one-liner that searches Active Directory and returns the number of computer objects in the domain) to find and disclose the number of computer objects in the domain. Executing this code requires authenticated access to the Active Directory domain and the ability to run PowerShell. The fact that such code was executed suggests that the threat actor may hold high-level domain administrator privileges, implying that the company’s network security has already been severely compromised. The access rights are being sold at auction, with a starting bid of $500, a bid increment of $200, and a buy-now price of $1,000.

The fact that the threat actor holds high-level domain administrator privileges means they can freely access and manipulate the core systems and data of the affected company. If such access rights are sold externally, the likelihood of additional hacking attempts or abuse of company data could increase significantly. The affected company should promptly review access rights and enhance security to prevent further damage.
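From the defender's side, the enumeration pattern described in this case can be turned into a detection. The PowerShell below is an added example, not code from the report or from any tool it names: it classifies logged script blocks against indicators of Active Directory computer enumeration and, on a host where Script Block Logging is enabled, pulls the matching Event ID 4104 records from the Microsoft-Windows-PowerShell/Operational log. The function names and the indicator list are assumptions, and the sample script blocks at the end are constructed.

```powershell
# Added example (not from the report): flag PowerShell script blocks that enumerate AD
# computer objects, like the [adsisearcher] one-liner above. Assumes Script Block Logging
# is on (Event ID 4104, Microsoft-Windows-PowerShell/Operational); samples are constructed.

# Patterns indicating LDAP enumeration of the domain from PowerShell.
$EnumerationPatterns = @(
    '\[adsisearcher\]',                              # accelerator for DirectorySearcher
    'System\.DirectoryServices\.DirectorySearcher',
    'objectClass\s*=\s*computer',                    # filter used in the reported case
    'objectCategory\s*=\s*computer',
    'Get-ADComputer'                                 # RSAT cmdlet yielding the same inventory
)

function Test-AdEnumerationScriptBlock {
    param([Parameter(Mandatory)][string]$ScriptBlockText)
    # Return every pattern that matched so an analyst can see why a block was flagged.
    $hits = @($EnumerationPatterns | Where-Object { $ScriptBlockText -imatch $_ })
    [pscustomobject]@{
        Suspicious = ($hits.Count -gt 0)
        Matched    = $hits
        Snippet    = $ScriptBlockText.Substring(0, [Math]::Min(120, $ScriptBlockText.Length))
    }
}

function Find-AdEnumerationEvents {
    param([int]$MaxEvents = 5000)
    # For 4104 events, Properties[2] holds the logged ScriptBlockText.
    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $r = Test-AdEnumerationScriptBlock -ScriptBlockText ([string]$_.Properties[2].Value)
            if ($r.Suspicious) {
                [pscustomobject]@{
                    TimeCreated = $_.TimeCreated
                    UserId      = $_.UserId
                    Matched     = ($r.Matched -join ', ')
                    Snippet     = $r.Snippet
                }
            }
        }
}

# Constructed samples: the first mirrors the reported command, the second is benign admin work.
$samples = @(
    '([adsisearcher]"(ObjectClass=computer)").FindAll().count',
    'Get-ChildItem C:\Logs | Where-Object Length -gt 1MB'
)
$samples | ForEach-Object { Test-AdEnumerationScriptBlock -ScriptBlockText $_ } |
    Format-Table Suspicious, Matched, Snippet -AutoSize
```

Running Find-AdEnumerationEvents on a domain-joined host lists who ran such enumeration and when, which is the question an incident responder needs answered first after a listing like this one appears.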
MD5
