This report analyzes recent cyber threats targeting financial companies in Korea and internationally, with a focus on ransomware attacks by groups like Arkana and LockBit. It highlights significant data breaches affecting customer information and emphasizes the need for stronger security measures beyond basic regulatory compliance. #Arkana #LockBit #FinancialSectorBreaches
Key points
- The ransomware groups Arkana, LockBit, Play, SafePay, and Stormous have targeted multiple financial companies and exposed stolen data on Dedicated Leak Sites (DLS).
- The Arkana ransomware attack targeted the global online brokerage firm In*, stealing approximately 50 GB of customer data including over 202,000 KYC submissions.
- Leaked data from the Arkana breach includes sensitive customer details such as names, birthdates, emails, ID card images, and server logs.
- In* has a history of regulatory fines from the Financial Conduct Authority for reporting breaches, illustrating a gap between compliance and security practices.
- The report calls for enhanced security controls on storing and accessing sensitive information like KYC data, going beyond firewalls and MFA to include encryption and stricter access monitoring.
- Additional cases of phishing campaigns and data breaches on the dark web affecting the financial sector were also analyzed in the report.
- File hashes related to the ransomware incidents were identified for tracking and forensic purposes.
MITRE Techniques
- [T1566] Phishing – The financial industry was targeted with phishing emails to steal credentials and deliver malware, as described in "cases of phishing emails being distributed to the financial industry."
- [T1486] Data Encrypted for Impact – Ransomware groups such as Arkana and LockBit encrypted company data and demanded ransom; the report notes that "Arkana … claimed to have stolen about 50 GB of customer data" and threatened to leak it if payment was not made.
- [T1005] Data from Local System – Sensitive information such as KYC data and server logs was stolen, indicating collection from local systems before exfiltration.
- [T1530] Data from Cloud Storage Object – The breach of In* involved large-scale customer data that potentially included cloud-stored files, given modern brokerage operational models.
Indicators of Compromise
- [File Hashes] Related to ransomware samples – 1a0e3b24a57f31c796adfd22860e0bcf, 29412d5502f06cafba5402d1822d8949, and 3 more hashes identifying malicious ransomware payloads.
- [Domains] Targeted financial company – https://www.in*.com/ (partially redacted), the online brokerage firm compromised by the Arkana ransomware.
Read more: https://asec.ahnlab.com/en/88437/