July 2025 Security Issues in Korean & Global Financial Sector

The report details data breaches, ransomware, and DDoS incidents targeting financial and insurance organizations, highlighting leaked customer records, ransomware exfiltration, and politically motivated service disruptions. Key actors and malware include Xsskiller (data seller), DAIXIN ransomware, and the hacktivist group Black Ember. #Xsskiller #DAIXIN #BlackEmber

Keypoints

  • Adeslas (Spain) customer data (~600,000 records) was posted for sale by threat actor Xsskiller, including personal and business leads with sensitive identifiers.
  • DAIXIN ransomware attacked a US insurance broker, exfiltrating data and threatening public release, demonstrating supply-chain risk via brokers.
  • Black Ember conducted DDoS attacks against an Egyptian bank’s website, reflecting politically motivated disruptions to national financial services.
  • Leaked datasets contain high-risk identifiers (DNI/CIF, policy numbers) increasing risks of identity theft and insurance fraud.
  • Recommendations include data encryption, role-based access control, segregation of customer/internal data, offline backups, and DDoS mitigation (CDN, WAF, traffic anomaly detection).
  • Ransomware incidents illustrate potential for cascading damage across interconnected insurers and broker networks.
  • Provided MD5 file hashes indicate associated malicious or leaked artifacts for further investigation.
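The "traffic anomaly detection" recommended above is easy to state and rarely shown. The following is an added example, not code from the ASEC report: a minimal per-source rate detector run over constructed web-server access-log lines (combined log format; the IP addresses, timestamps and thresholds are assumptions for illustration). An IP is flagged only when its request count in a fixed window is both above an absolute floor and far above the median of the other clients in the same window, so a busy-but-normal window does not alert.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx combined log format: ip ident user [ts] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for a well-formed access-log line, or None for junk."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "req": m.group("req"),
        "status": int(m.group("status")),
    }


def find_flood_sources(lines, window_s=60, min_requests=20, ratio=10.0):
    """Return [(ip, window_start_epoch, count)] for sources whose requests in a
    window exceed min_requests AND are >= ratio * median of the other clients."""
    counts = defaultdict(lambda: defaultdict(int))  # window -> ip -> count
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        w = int(rec["ts"].timestamp()) // window_s * window_s
        counts[w][rec["ip"]] += 1
    alerts = []
    for w in sorted(counts):
        per_ip = counts[w]
        for ip, n in per_ip.items():
            others = sorted(c for o, c in per_ip.items() if o != ip)
            baseline = others[len(others) // 2] if others else 0
            if n >= min_requests and n >= ratio * max(baseline, 1):
                alerts.append((ip, w, n))
    return alerts


def build_sample_log():
    """Constructed sample (assumed addresses): five ordinary clients with three
    requests each, plus one source hammering /login 50 times in the same minute."""
    fmt = '{ip} - - [15/Jul/2025:10:00:{sec:02d} +0000] "GET {path} HTTP/1.1" {status} 512'
    lines = []
    for i, ip in enumerate(["203.0.113.7", "203.0.113.8", "203.0.113.9",
                            "203.0.113.10", "203.0.113.11"]):
        for k in range(3):
            lines.append(fmt.format(ip=ip, sec=(i * 7 + k * 3) % 60, path="/", status=200))
    for k in range(50):
        lines.append(fmt.format(ip="198.51.100.9", sec=k % 60, path="/login", status=503))
    return lines


if __name__ == "__main__":
    for ip, window, n in find_flood_sources(build_sample_log()):
        print(f"flood candidate {ip}: {n} requests in window starting {window}")
```

The median-of-others baseline is the part worth keeping: a fixed threshold alone will page you on every marketing campaign, while a pure ratio will fire on a single curious client in a quiet window. In production the same logic runs per edge node or from the CDN/WAF logs, and a hit feeds a rate-limit or geo/ASN block rule rather than a human.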

MITRE Techniques

  • [T1486] Data Encrypted for Impact – DAIXIN ransomware encrypted victim data and also exfiltrated it, with the group stating they “plan to publicly release the exfiltrated data.”
  • [T1566] Phishing – Phishing emails distributed to the financial industry were analyzed, indicating use of email to harvest credentials or deliver malware (“phishing emails being distributed to the financial industry”).
  • [T1499] Endpoint Denial of Service (DDoS) – Black Ember launched DDoS attacks against a bank website, causing service disruption (“launched a DDoS attack against the website of *** Bank of Egypt”).
  • [T1213] Data from Information Repositories – Database leak from Adeslas exposing customer and corporate records, including DNI/CIF and policy numbers (“stolen over 600,000 customer records… released a portion of the data as a sample”).

Indicators of Compromise

  • [Domain] Data sale/listing – dark-forum listing for the Adeslas data on DarkForums (threat actor Xsskiller).
  • [Malware/Ransomware Name] Incident context – DAIXIN ransomware targeting a US insurance broker (claims of exfiltration).
  • [Actor Name] Attack context – Black Ember claimed DDoS attacks against the NBE (National Bank of Egypt) website.
  • [File Hash – MD5] Suspicious artifacts or leaked files – 2d1d181e9de7cced74db9dd816f8d003, 47fd8d820c2e183c1d6fc0348d650579, and 3 more hashes.
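To turn the MD5 indicators above into "further investigation", the usual first step is a hash sweep of file shares and endpoints. The block below is an added example, not code from the report: it streams each file under a root through MD5 and SHA-256, matches the MD5 against the two hashes the report lists (the remaining three are not reproduced here), and returns the SHA-256 alongside so hits can be shared with feeds that no longer accept MD5. The demo tree, the file names and the CSV contents are constructed stand-ins; since no preimage of the report's hashes is available, the demo adds the stand-in's own MD5 to the IOC set so the matching path is exercised.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# The two MD5 values listed in the IOC section above.
REPORT_MD5 = {
    "2d1d181e9de7cced74db9dd816f8d003",
    "47fd8d820c2e183c1d6fc0348d650579",
}


def file_digests(path, chunk=1 << 20):
    """Return (md5, sha256) hex digests of a file, read in chunks so large
    archives do not have to fit in memory."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            md5.update(block)
            sha.update(block)
    return md5.hexdigest(), sha.hexdigest()


def sweep_tree(root, ioc_md5):
    """Walk `root` and return [(path, md5, sha256)] for every regular file whose
    MD5 is in the IOC set. Feed values are normalised to lower case; symlinks
    are skipped; unreadable files are skipped rather than aborting the sweep."""
    wanted = {h.strip().lower() for h in ioc_md5}
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            try:
                md5, sha = file_digests(p)
            except OSError:
                continue
            if md5 in wanted:
                hits.append((str(p), md5, sha))
    return hits


def demo():
    """Constructed sample tree (assumed names and contents): one benign file and
    one stand-in 'leaked artifact' whose MD5 is added to the IOC set at runtime."""
    with tempfile.TemporaryDirectory() as tmp:
        benign = Path(tmp) / "notes.txt"
        benign.write_bytes(b"quarterly renewal figures\n")
        sub = Path(tmp) / "downloads"
        sub.mkdir()
        artifact = sub / "sample_leak.csv"
        artifact.write_bytes(b"dni;cif;policy_no\n00000000A;B00000000;POL-0001\n")
        iocs = REPORT_MD5 | {hashlib.md5(artifact.read_bytes()).hexdigest()}
        hits = sweep_tree(tmp, iocs)
        return [(Path(path).name, md5, sha) for path, md5, sha in hits]


if __name__ == "__main__":
    for name, md5, sha in demo():
        print(f"IOC hit: {name} md5={md5} sha256={sha}")
```

Treat an MD5 hit as "this is byte-for-byte the artifact the report saw", which is exactly what an IOC lookup needs; MD5 is not collision resistant, so do not use it as the sole key when you publish your own findings, which is why the sweep records SHA-256 as well.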


Read more: https://asec.ahnlab.com/en/89575/