February 2025 Security Issues in Korean & Global Financial Sector
This report comprehensively covers actual cyber threats and security issues that have occurred in the financial industry in South Korea and abroad.
This includes an analysis of malware and phishing cases targeting the financial industry, a list of the top 10 malware strains that target the industry, and statistics on the industries of the Korean accounts leaked on Telegram. A case of phishing email distribution targeting the financial industry is also covered in detail.
The report also analyzes major financial threats and cases that occurred in the dark web. It looks into threats and cases of credit card data breach, database breach, ransomware, and other cyber attacks that targeted the financial sector.
[Summary of Key Deep Web and Dark Web Issues Related to the Financial Sector]
– Cases of Credit Card Information Leaks
Affected Company: 436 Indian credit card details being sold on the Exploit forum
The Indian credit card information of 436 people is being sold on the cybercrime forum Exploit.
The threat actor (Valag) stated that all credit card (CC) information was collected from their own sources, and most of the information was provided without address details. They also explained that some of the data did not include email and phone number information. The starting bid for the auction is $100, with bids increasing by $100 each time. The buy now price is set at $100. On the same day, the threat actor also posted a thread on the same forum selling UK and US credit card information.
The credit card information being sold may have a relatively low risk of being exploited due to the lack of details such as address, email, and phone number. However, the fact that the auction starting price is the same as the immediate purchase price may indicate an intent to prompt quick transactions. This may suggest that the data is of low reliability or that the leaked information has a relatively low value. Additionally, the threat actor in question also posted an ad selling credit card information from the UK and the US on the same day, indicating a high possibility that they are continuously collecting multinational financial data. However, further analysis is required to determine whether or not all the data was leaked from the same source. Financial institutions and relevant companies must continue to monitor the threat actor’s activities and enhance their security measures to protect customer information.

Figure. Post on the Exploit forum about the sale of credit card data
– Case of Database Leak
Affected Company: union****
Data of Union****, a public sector bank in India, is being sold on the cybercrime forum BreachForums.
Union**** is a public sector bank established in 1919. It offers deposit, loan, insurance, and card services to individual customers, as well as loan and cash management services to corporate clients. The bank has over 8,500 branches and 9,000 ATMs in India, employing more than 74,000 staff and 23,000 business correspondents. It has also expanded its business to other countries, operating branches in the Dubai International Financial Centre and Sydney, Australia, a subsidiary in London, and a joint bank in Malaysia. Union**** was the first among India’s public sector banks to introduce a 100% core banking solution (CBS). The bank has been recognized for its technology prowess, winning awards in digital banking, micro, small, and medium-sized enterprise (MSME) finance, financial inclusion, and human resources development.
The threat actor (Black_Devil) claims to have stolen the personal data of 2,001 Union**** employees, including their names, employee IDs, emails, addresses, contacts, and financial information. The threat actor posted a sample of the stolen data, emphasizing that it was only a small portion of the entire dataset.
Union**** is a large financial institution operating in India and abroad, managing a vast amount of customer information. As the bank has been recognized for its technology prowess by leading the way in digital banking and core banking solutions, this breach could have a significant negative impact on customer trust. Given that the threat actor has posted a sample of the stolen data, the breach is likely to be credible. In particular, the inclusion of employee IDs, emails, and financial information poses a risk of the credentials being exploited for unauthorized access to internal systems. The bank needs to conduct a thorough investigation to assess the possibility of further data leaks and implement security measures to prevent additional breaches, as financial institutions are vulnerable to secondary attacks such as phishing.

Figure. Post on BreachForums about the sale of data stolen from affected companies
– Cases of Ransomware Infection
Ransomware: Fog
Victim: next****
The ransomware group Fog claimed to have attacked the Indonesian fintech company next****. next**** is an Indonesian fintech company established in 2017 and is a subsidiary of Korea’s Hana Financial Group. It mainly provides various financial digital platform solutions such as core banking systems, API management, collection systems, contact center systems, and mobile app development.
The group posted a GitLab link and an 8GB torrent file. This attack shows that companies operating financial IT systems can become targets. Fintech companies must prioritize source code protection and API security enhancement. They must separate their development and operation environments, and important data must be protected through access control and encryption. They also need to enhance their supply chain security, and take proactive measures through continuous security monitoring and threat intelligence.

Figure. Company affected by the Fog ransomware group, as posted on the group’s DLS (data leak site) blog
– Cases of Damage Due to Selling Access Permissions
Affected Company: Access to RDWeb of a U.S. insurance company
On the cybercrime forum Exploit, a threat actor is selling access to the RDWeb (Remote Desktop Web Access) of an American insurance company. While the name of the affected company was not disclosed, it is known to have an annual revenue of 25 million USD. The threat actor, going by the name samy01, claims to have stolen the privileges of a local network user and stated that 1,000 computers are connected to the domain. The auction for the access started at 3,000 USD, with bids increasing by 1,000 USD each time; the access can also be purchased immediately for 6,000 USD. The system has CrowdStrike security software installed, but the leak of access credentials increases the risk of the internal system being exploited remotely.
This incident demonstrates that remote access permissions through RDWeb can be traded in the cybercrime market. While RDWeb supports remote work and access to internal systems, if security is weak, it can provide threat actors with a point of entry into the internal network. In particular, the fact that a company with an annual revenue of 25 million dollars suffered damage suggests that small and mid-sized companies with relatively limited security budgets are likely to become key targets. Companies operating remote access systems like RDWeb need to take proactive measures such as implementing multi-factor authentication (MFA), strengthening access control policies, and cleaning up unused accounts and privileges. Furthermore, as the threat actor claimed to have stolen local user credentials in the internal network, account activity monitoring and log analysis for anomaly and threat detection need to be strengthened. This incident should serve as a reminder to check the security of remote access environments and regularly review them for any existing vulnerabilities.

Figure. Post on the Exploit forum selling access to the affected company
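The account activity monitoring recommended for the RDWeb case above, as an added example that is not part of the original report: a small detector run over constructed Windows Security log events (4624 = logon succeeded, 4625 = logon failed, LogonType 10 = RemoteInteractive, which covers RDP/RDWeb sessions). The approved address ranges and the list of dormant accounts are assumptions for the example, not values from the report.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample events shaped like Windows Security log fields (not real data).
SAMPLE_EVENTS = [
    {"event_id": 4624, "logon_type": 10, "user": "j.doe", "src_ip": "10.10.5.21"},
    *[{"event_id": 4625, "logon_type": 10, "user": "a.kim", "src_ip": "203.0.113.7"}
      for _ in range(5)],                                   # five failed attempts
    {"event_id": 4624, "logon_type": 10, "user": "a.kim", "src_ip": "203.0.113.7"},
    {"event_id": 4624, "logon_type": 10, "user": "svc_legacy", "src_ip": "10.10.5.40"},
    {"event_id": 4624, "logon_type": 2, "user": "j.doe", "src_ip": "10.10.5.21"},
]
APPROVED_RANGES = [ip_network("10.10.0.0/16")]   # assumed corporate/VPN address space
DORMANT_ACCOUNTS = {"svc_legacy"}                 # assumed accounts awaiting cleanup


def detect_remote_logon_anomalies(events, approved=APPROVED_RANGES,
                                  dormant=DORMANT_ACCOUNTS, fail_threshold=5):
    """Return (rule, user, src_ip) tuples for suspicious RDP/RDWeb activity."""
    alerts = []
    failures = Counter()          # (user, src_ip) -> failed logons seen so far
    for ev in events:
        key = (ev["user"], ev["src_ip"])
        if ev["event_id"] == 4625:
            failures[key] += 1
            continue
        # Only RemoteInteractive successes represent remote desktop sessions.
        if ev["event_id"] != 4624 or ev["logon_type"] != 10:
            continue
        src = ip_address(ev["src_ip"])
        if not any(src in net for net in approved):
            alerts.append(("external_remote_logon",) + key)
        if failures[key] >= fail_threshold:
            # A success right after a burst of failures: password guessing likely worked.
            alerts.append(("success_after_failed_burst",) + key)
        if ev["user"] in dormant:
            alerts.append(("dormant_account_logon",) + key)
    for key, count in failures.items():
        if count >= fail_threshold:
            alerts.append(("failed_logon_burst",) + key)
    return alerts


if __name__ == "__main__":
    for rule, user, src_ip in detect_remote_logon_anomalies(SAMPLE_EVENTS):
        print(f"{rule:28s} user={user} src={src_ip}")
```

In production the same rules would be fed from the SIEM's 4624/4625 stream and the dormant-account list from the directory review the report recommends.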