This report highlights multiple cyber threats targeting financial institutions globally, including large-scale credit card data sales, employee database leaks, ransomware attacks, and disruptive DDoS incidents. It emphasizes the urgent need for enhanced security measures across financial systems and their supply chains to prevent data breaches and service disruptions. #FinancialInstitutions #Cybersecurity
Key points
- A cybercriminal known as B_ose sold over 1,700 valid credit and debit card details on the Exploit forum, including sensitive personal information facilitating online payment fraud and identity theft.
- A data breach involving approximately 2,600 employee records from Russia’s largest private bank A* was posted on BreachForums, exposing names and emails that increase risks of phishing and internal attacks.
- The Everest ransomware group claimed responsibility for stealing and threatening to release 11.7 GB of internal and HR data from a Jordanian commercial bank, demonstrating insider data exposure risks.
- The Finnish central bank suffered a DDoS attack by the hacktivist group Dark Storm Team, causing potential instabilities in monetary policy operations and financial market oversight.
- The report stresses the importance of securing third-party and supply chain systems to prevent indirect breaches impacting major financial institutions.
- It underscores critical needs for financial organizations to enhance encryption, access control, abnormal transaction detection, and staff training to mitigate evolving cyber risks.
- Regular vulnerability assessments, threat modeling, and incident response preparation are vital for protecting financial systems against ongoing and emerging cyber threats.
MITRE Techniques
- [T1586] Compromise Infrastructure – Attributed to threat actor B_ose, who sold large amounts of valid card data likely collected through automated means: “…may have an internal automated collection route.”
- [T1190] Exploit Public-Facing Application – Indirect infiltration through third-party service providers led to the A* bank employee data leak: “…poor management of an external service provider led to the leak…”
- [T1486] Data Encrypted for Impact – Everest ransomware group encrypted systems and leaked stolen internal HR data to extort the Jordanian bank: “…the group claims to have stolen 11.7 GB… threatening to release the data.”
- [T1499] Endpoint Denial of Service – Dark Storm Team launched a DDoS attack on the Finnish central bank, disrupting critical financial services: “…launched a DDoS attack against the * bank in Finland.”
- [T1086] PowerShell – Implied use of automated tools and scripts for carding and data theft: “…high possibility that it will be used by automated carding tools.”
Indicators of Compromise
- [File Hashes] MD5 – 02134b159240a06722d250381501498d, 0ebe19e549781865af5659e40132094c, and 3 more hashes related to malware or ransomware samples.
- [Domains] Financial institutions’ websites – https://www.j.com/ (Jordanian bank), http://www.s.fi/ (Finnish bank) involved in ransomware and DDoS attacks.
- [Threat Actors] Usernames – B_ose (Exploit forum card sales), Dull (BreachForums data leak), Everest (ransomware group), Dark Storm Team (DDoS attackers).
Read more: https://asec.ahnlab.com/en/87975/