This report analyzes recent cyber threats targeting financial companies in Korea and internationally, with a focus on ransomware attacks by groups like Arkana and LockBit. It highlights significant data breaches affecting customer information and emphasizes the need for stronger security measures beyond basic regulatory compliance. #Arkana #LockBit #FinancialSectorBreaches
Keypoints
- The ransomware groups Arkana, LockBit, Play, SafePay, and Stormous have targeted multiple financial companies and exposed stolen data on Dedicated Leak Sites (DLS).
- The Arkana ransomware attack targeted the global online brokerage firm In*, stealing approximately 50 GB of customer data including over 202,000 KYC submissions.
- Leaked data from the Arkana breach includes sensitive customer details such as names, birthdates, emails, ID card images, and server logs.
- In* has previously been fined by the Financial Conduct Authority for breaches of its reporting obligations, illustrating that regulatory compliance on its own does not equal effective security practice.
- The report calls for enhanced security controls on storing and accessing sensitive information like KYC data, going beyond firewalls and MFA to include encryption and stricter access monitoring.
- Additional cases of phishing campaigns and data breaches on the dark web affecting the financial sector were also analyzed in the report.
- File hashes related to the ransomware incidents were identified for tracking and forensic purposes.
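The report's recommendation of "stricter access monitoring" for KYC data is easier to act on with a concrete rule. The following is an added example, not code from the ASEC report: a sliding-window detector that flags any principal reading an unusual number of distinct KYC records in a short period, the precursor to a 200,000-record exfiltration. The audit-log format, the principal names and the threshold are assumptions, and the log lines are constructed sample data.

```python
"""Added example, not from the ASEC report: a minimal bulk-access detector for a KYC
document store, illustrating the access monitoring the report recommends.
The audit-log format, principal names and thresholds below are assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample audit log (not real data): "<ts> <principal> <action> <object> <src_ip>".
# svc-export reads eight distinct KYC records in under two minutes at 02:14 UTC;
# alice re-reads one of her own records, bob does one read and one update.
SAMPLE_LOG = """\
2025-06-01T09:00:01Z alice read kyc/1001 10.0.5.12
2025-06-01T09:00:09Z alice read kyc/1002 10.0.5.12
2025-06-01T09:04:31Z alice read kyc/1001 10.0.5.12
2025-06-01T09:03:40Z bob read kyc/2207 10.0.5.20
2025-06-01T09:05:02Z bob update kyc/2207 10.0.5.20
2025-06-01T02:14:00Z svc-export read kyc/3001 10.0.9.9
2025-06-01T02:14:15Z svc-export read kyc/3002 10.0.9.9
2025-06-01T02:14:30Z svc-export read kyc/3003 10.0.9.9
2025-06-01T02:14:45Z svc-export read kyc/3004 10.0.9.9
2025-06-01T02:15:00Z svc-export read kyc/3005 10.0.9.9
2025-06-01T02:15:15Z svc-export read kyc/3006 10.0.9.9
2025-06-01T02:15:30Z svc-export read kyc/3007 10.0.9.9
2025-06-01T02:15:45Z svc-export read kyc/3008 10.0.9.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<principal>\S+) (?P<action>\S+) (?P<obj>\S+) (?P<ip>\S+)$"
)

def parse_line(line):
    """Parse one audit line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None
    return {"ts": ts, "principal": m["principal"], "action": m["action"],
            "obj": m["obj"], "ip": m["ip"]}

def detect_bulk_access(lines, threshold=5, window=timedelta(minutes=10)):
    """Flag principals that read more than `threshold` distinct kyc/* records within
    any sliding `window`. Returns one alert per principal carrying the peak count,
    the window in which it occurred and the source IPs involved."""
    events = [e for e in map(parse_line, lines)
              if e and e["action"] == "read" and e["obj"].startswith("kyc/")]
    events.sort(key=lambda e: e["ts"])          # logs are rarely delivered in order
    recent = defaultdict(deque)                 # principal -> deque of (ts, obj, ip)
    peak = {}
    for e in events:
        q = recent[e["principal"]]
        q.append((e["ts"], e["obj"], e["ip"]))
        while q and e["ts"] - q[0][0] > window:  # drop reads older than the window
            q.popleft()
        distinct = {obj for _, obj, _ in q}
        if (len(distinct) > threshold
                and len(distinct) > peak.get(e["principal"], {}).get("count", 0)):
            peak[e["principal"]] = {
                "principal": e["principal"], "count": len(distinct),
                "window_start": q[0][0], "window_end": e["ts"],
                "source_ips": sorted({ip for _, _, ip in q}),
            }
    return sorted(peak.values(), key=lambda a: a["window_start"])

if __name__ == "__main__":
    for a in detect_bulk_access(SAMPLE_LOG.splitlines()):
        print(f"ALERT {a['principal']}: {a['count']} distinct KYC records "
              f"{a['window_start']:%H:%M:%S}-{a['window_end']:%H:%M:%S} from {a['source_ips']}")
```

Counting distinct records rather than raw reads keeps a user who reloads the same file from tripping the rule, and sorting by timestamp before windowing matters because forwarded logs arrive out of order. In production the threshold would be set per role (a service account that legitimately batch-processes records needs a different baseline than an analyst), and the alert would also carry the window's source IPs so a credential used from an unexpected network stands out.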
MITRE Techniques
- [T1566] Phishing – Financial industry targeted by phishing emails to steal credentials and deliver malware, as described in “cases of phishing emails being distributed to the financial industry.”
- [T1486] Data Encrypted for Impact – Ransomware groups such as LockBit and Arkana encrypt company data and demand ransom. Note that the quoted evidence, "Arkana…claimed to have stolen about 50 GB of customer data" with a threat to leak it if payment was not made, describes the data-theft half of double extortion rather than encryption; that behaviour maps to the Exfiltration tactic (for example [T1567] Exfiltration Over Web Service) and [T1657] Financial Theft, so T1486 should only be asserted for an incident where encryption was actually observed.
- [T1005] Data from Local System – Sensitive information such as KYC data and server logs was stolen, indicating data collection from local systems before exfiltration.
- [T1530] Data from Cloud Storage Object – The report does not state where the In* data was stored; mapping the breach to T1530 is an inference from the volume involved (over 202,000 KYC submissions) and typical brokerage architectures, not an evidenced technique, and should be marked as such in any threat-intelligence record.
Indicators of Compromise
- [File Hashes] MD5 hashes of ransomware samples – 1a0e3b24a57f31c796adfd22860e0bcf, 29412d5502f06cafba5402d1822d8949, and 3 more hashes in the full report identifying malicious ransomware payloads. MD5 is collision-prone, so pair each match with a SHA-256 before treating it as confirmation.
- [Domains] Victim, not attacker, infrastructure – https://www.in*.com/ (partially redacted), the online brokerage firm compromised by the Arkana ransomware. It is listed for attribution only and should not be added to blocklists or detection rules.
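To make the published hashes usable "for tracking and forensic purposes", here is an added example, not code from the ASEC report, that sweeps a directory tree for files whose MD5 matches the two hashes quoted above and records SHA-256 in the same pass. The demo tree, the planted file and its added hash are constructed for illustration; nothing in the demo is a real sample.

```python
"""Added example, not part of the ASEC report: sweep a directory tree for files whose
MD5 matches the hashes published for the ransomware samples. SHA-256 is computed in the
same pass because MD5 is collision-prone and most sharing platforms key on SHA-256.
The demo tree and the 'planted' file are constructed here, not real samples."""
import hashlib
import tempfile
from pathlib import Path

# The two MD5 hashes quoted on this page; the full report lists three more.
RANSOMWARE_MD5 = {
    "1a0e3b24a57f31c796adfd22860e0bcf",
    "29412d5502f06cafba5402d1822d8949",
}

def hash_file(path, chunk_size=1 << 20):
    """Stream the file once and return (md5, sha256) hex digests."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()

def scan_tree(root, md5_iocs=RANSOMWARE_MD5):
    """Return [(path, md5, sha256)] for every regular file under `root` whose MD5 is in
    `md5_iocs`. Symlinks are skipped so a planted link cannot drag in files outside the
    tree; unreadable files are skipped rather than aborting the sweep."""
    wanted = {h.lower() for h in md5_iocs}
    hits = []
    for p in sorted(Path(root).rglob("*")):
        if p.is_symlink() or not p.is_file():
            continue
        try:
            md5, sha256 = hash_file(p)
        except OSError:
            continue
        if md5 in wanted:
            hits.append((str(p), md5, sha256))
    return hits

def demo():
    """Constructed demo: build a small tree, add the planted file's own MD5 to the IoC
    set, and confirm the sweep finds exactly that file.
    Returns ([(name, md5)], planted_md5)."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "statement.txt").write_bytes(b"quarterly statement, benign\n")
        sample = root / "downloads" / "dropper.bin"
        sample.parent.mkdir()
        sample.write_bytes(b"not real malware, just a planted sample\n")
        planted_md5, _ = hash_file(sample)
        hits = scan_tree(root, RANSOMWARE_MD5 | {planted_md5})
        return [(Path(p).name, md5) for p, md5, _ in hits], planted_md5

if __name__ == "__main__":
    hits, planted = demo()
    print(f"planted md5 {planted}; hits: {hits}")
```

Hashing is streamed so a multi-gigabyte file does not have to fit in memory, and both digests are computed in one read. On a live host, run the sweep from read-only forensic media and record the SHA-256 of every hit alongside the MD5 so the result can be cross-checked against platforms that do not index MD5.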
Read more: https://asec.ahnlab.com/en/88437/