The report details multiple cyber incidents affecting financial institutions worldwide, including database leaks, large-scale ransomware attacks (notably by Qilin), and statistics on malware and leaked account credentials targeting the finance sector. It highlights supply-chain infection vectors, data sale attempts on cybercrime forums, and recommends stronger data integrity verification and response strategies. #Qilin #COMMUNISM
Keypoints
- A purported database leak affecting an Indonesian bank (advertised by the actor “COMMUNISM”) claimed 20 million user records but appears partially recycled and the seller’s account was suspended.
- Ransomware groups including Qilin (and others like Daixin, INC Ransom) breached multiple financial firms and posted stolen data on dedicated leak sites (DLS).
- Qilin conducted a large-scale, coordinated attack in September 2025 that affected 28–29 Korean asset management companies simultaneously, suggesting an organized campaign against the financial sector.
- Several asset management firms were impacted via a shared IT management company’s cloud-hosted file servers, indicating a supply-chain attack vector that enabled mass compromise.
- The threat actors’ public posts were crafted for maximum pressure: they listed company names, data types and volumes, promised further leaks, and openly invited law enforcement and media attention in an attempt to stir social unrest around the victims.
- Statistics in the report summarize malware distribution targeting the financial sector and leaked Korean account credentials disseminated via Telegram, underscoring ongoing credential exposure risks.
- Recommendations include strengthening customer data integrity verification systems and establishing clear communication strategies to counter false claims and reputational harm.
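The recycled-sample observation above and the recommendation to verify customer data integrity both come down to the same triage question: when an actor advertises a "20 million record" leak, how much of the posted sample is genuinely new exposure, how much is reused from earlier dumps, and how much matches real customers at all? The following Python is an added example, not code from the ASEC report or from any affected bank. The rows, the semicolon field layout, the HMAC key and the Indonesian phone-normalisation rule are all constructed assumptions for illustration.

```python
"""Triage a claimed data-leak sample against (a) earlier dumps and
(b) a keyed-hash index of the organisation's own customer records.
Everything below is constructed for this example."""
import hashlib
import hmac
import re

# Constructed: rows as an actor might paste them in a forum post.
CLAIMED_SAMPLE = [
    "Andi Wijaya;Andi.Wijaya@example.com;+62 812-3456-7890",
    "Siti Rahma;siti.rahma@example.com;0812 9999 1111",
    "Budi Santoso;budi@example.net;081355512345",
    "Dewi Lestari;dewi.l@example.org;+62-813-2222-3333",
]
# Constructed: rows from a listing posted about a month earlier.
PRIOR_DUMP = [
    "andi wijaya;andi.wijaya@example.com;6281234567890",
    "Rina Putri;rina@example.com;6281100001111",
]
# Constructed secret. A keyed hash (HMAC) rather than a bare SHA-256 is
# used so that the fingerprint index cannot be brute-forced from the
# small phone-number space if the index itself leaks.
HMAC_KEY = b"example-key-held-only-by-the-bank"


def _norm_email(email: str) -> str:
    return email.strip().lower()


def _norm_phone(phone: str) -> str:
    """Keep digits only; assume a leading 0 is an Indonesian local
    prefix and rewrite it to the +62 country code (assumption)."""
    digits = re.sub(r"\D", "", phone)
    if digits.startswith("0"):
        digits = "62" + digits[1:]
    return digits


def fingerprint(email: str, phone: str, key: bytes = HMAC_KEY) -> str:
    """Canonicalise email+phone, then HMAC-SHA256 them. Two renderings of
    the same person (case, spacing, dashes, 0 vs 62) collide on purpose."""
    canon = f"{_norm_email(email)}|{_norm_phone(phone)}"
    return hmac.new(key, canon.encode(), hashlib.sha256).hexdigest()


def parse_row(row: str) -> tuple[str, str, str]:
    name, email, phone = (f.strip() for f in row.split(";"))
    return name, email, phone


def row_fingerprint(row: str) -> str:
    _, email, phone = parse_row(row)
    return fingerprint(email, phone)


# Constructed: the bank's own index. Only fingerprints are handed to the
# triage tool; the raw customer table never leaves the bank.
KNOWN_CUSTOMERS = {
    fingerprint("andi.wijaya@example.com", "6281234567890"),
    fingerprint("budi@example.net", "6281355512345"),
}


def triage(sample, prior_dumps, customer_fps) -> dict:
    """Count rows that are recycled from prior dumps, rows that match a
    current customer, and rows that are both new and genuine."""
    sample_fps = [row_fingerprint(r) for r in sample]
    prior_fps = {row_fingerprint(r) for r in prior_dumps}
    recycled = [fp for fp in sample_fps if fp in prior_fps]
    verified = [fp for fp in sample_fps if fp in customer_fps]
    new_exposure = [fp for fp in verified if fp not in prior_fps]
    n = len(sample_fps)
    if new_exposure:
        assessment = "new exposure confirmed"
    elif recycled and not verified:
        assessment = "recycled, nothing verified against current data"
    else:
        assessment = "unverified"
    return {
        "rows": n,
        "recycled": len(recycled),
        "verified": len(verified),
        "new_exposure": len(new_exposure),
        "assessment": assessment,
    }


if __name__ == "__main__":
    for k, v in triage(CLAIMED_SAMPLE, PRIOR_DUMP, KNOWN_CUSTOMERS).items():
        print(f"{k}: {v}")
```

On the constructed input, one of the four rows is a straight reuse of the month-old listing, two rows correspond to current customers, and one of those two has never appeared before, so the verdict is "new exposure confirmed" even though the sample is partly recycled. That distinction is what a communications team needs when deciding between "this is an old, repackaged leak" and "some customers are newly affected"; the headline record count in the actor's post should carry no weight in that decision.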
MITRE Techniques
- [T1199] Trusted Relationship – Victims were compromised through a third-party IT management company whose cloud-hosted file servers were shared by several asset management firms; the report describes this as a supply-chain vector: “…server of this IT management company was infected with ransomware, other asset management companies using the same service were also affected at the same time.”
- [T1486] Data Encrypted for Impact – Qilin and other ransomware groups infected victim servers with ransomware and then posted stolen data on Dedicated Leak Sites as extortion leverage: “…breached multiple financial companies and posted their data on their dedicated leak sites (DLS).”
- [T1589.001] Gather Victim Identity Information: Credentials – Large volumes of leaked Korean account credentials were circulated via Telegram, giving attackers material for credential stuffing and targeted follow-on intrusions: “Statistics of leaked accounts by industry in South Korea via Telegram.”
- [T1583] Acquire Infrastructure – Actors operated their own leak sites and cybercrime forum accounts to host extortion content and advertise stolen databases: “posted the victims on Dedicated Leak Sites (DLS) … being sold on the cybercrime forum DarkForums.”
- [T1657] Financial Theft – Stolen data was monetized through extortion posts and forum sales; the Indonesian bank sample partially reused rows from a listing a month earlier, so claimed dataset sizes should be verified before a response is issued: “it was confirmed that at least one row in the sample from the left post matches the one posted on the right about a month ago.”
Indicators of Compromise
- [File Hash – MD5] Ransomware-related file hashes observed in report samples – 01377880245b1621f9c81cd171bb81bc, 031c4fcdce5a18eb6a144bd7602153ab, and 3 more hashes.
- [Threat Actor Username] Cybercrime forum vendor/account – COMMUNISM (claimed to sell a 20M-user bank database) – account was suspended after attempted sale.
- [Leak Site] Dedicated Leak Sites (DLS) used by ransomware groups – Qilin DLS posts listing affected companies and data types (example: “Korean Leak” series announcing future releases).
- [Organization] Affected companies / services – Indonesian bank (referred to as b***.co / Bank ***) — sample rows matched prior posts; 28–29 Korean asset management companies impacted by Qilin.
Read more: https://asec.ahnlab.com/en/90687/