This article reviews recent cyber threats targeting the financial sector, detailing database breaches, ransomware incidents, phishing campaigns, and the sale of privileged access on crime forums. It highlights specific incidents involving gangs and affected organizations and provides indicators such as MD5 hashes and victim URLs. #KillSec #Credit***
Key points
- Comprehensive review of cyber threats affecting the financial industry in Korea and worldwide.
- Analysis of malware and phishing campaigns aimed at financial institutions, including a top-10 malware list.
- Documented database breach claim involving Credit ***, with 92,130 records allegedly leaked to BreachForums.
- Ransomware groups KillSec, Meow, and RansomHub claimed breaches of multiple financial firms and posted data on Dedicated Leak Sites.
- Reported sale of firewall, SuperAdmin, and VPN access for an Asian insurance company on a cybercrime forum.
- Case studies cover credit card data exposures, database breaches, ransomware encryptions, and operational impacts.
- Provided technical indicators include multiple MD5 hashes and victim URLs for further investigation.
MITRE Techniques
- [T1071] Data Breach: Unauthorized access and extraction of sensitive data from financial institutions ("The data of Swiss financial service company Credit *** was breached and leaked on the cybercrime forum BreachForums.")
- [T1486] Ransomware: Encrypting files and demanding ransom, with gangs publishing stolen data on DLS ("The KillSec, Meow, and RansomHub ransomware gangs have breached multiple financial companies and posted their information on the Dedicated Leak Sites (DLS) operated by the gangs.")
- [T1003] Credential Dumping: Obtaining user credentials to gain unauthorized access ("the password received from the user backup can be used to access the directory.")
- [T1210] Exploitation of Remote Services: Targeting vulnerabilities in remote services to gain network access ("Targeting vulnerabilities in remote services to gain access to networks.")
- [T1566] Phishing: Using deceptive emails to trick financial-industry users into revealing sensitive information ("A case of phishing emails distributed to the financial industry is also covered in detail.")
- [T1134] Access Token Manipulation: Exploiting access tokens to escalate or maintain unauthorized access ("Exploiting access tokens to gain unauthorized access to systems.")
Indicators of Compromise
- [MD5 hashes] Malware/sample identifiers: 0e4c875fee53ca6ecff5969e1db26639, 58f4a699cd23c0484f8a3677b2510470, and 3 more hashes.
- [URLs / Domains] Victim and campaign infrastructure: https://www.credit-***.com, https://group.***.com/, and mentions of BreachForums as the leak forum.
- [Credentials] Access items being sold on forums: SuperAdmin password and VPN credentials (advertised for an Asian insurance company) as a route to network access.
Read more: https://asec.ahnlab.com/en/84394/