Cybersecurity Threat Advisory: Recent Attacks Targeting Indian BFSI Sector

This advisory highlights recent attacks on Indian banks, focusing on two primary attack vectors: geopolitical tensions and credential stealers/social media account takeovers.

Abhishek Mathew
June 26, 2024
Green Alert
Last Update posted on
July 19, 2024
Proactive Monitoring of the Dark Web for your organization.

Proactively monitor and defend your organization against threats from the dark web with CloudSEK XVigil.

Schedule a Demo
Table of Contents
Author(s)
Coauthors image
Anirudh Batra
Coauthors image
Anshuman Das
Coauthors image
Naren Thota

Category: Adversary Intelligence

Industry: BFSI

Motivation:Financial

Region: India

Source*

B - Usually Reliable 

2 - Possibly true

Executive Summary

This is an ongoing report and we will keep on updating as we have more information

This advisory highlights recent attacks on Indian banks, focusing on two primary attack vectors: geopolitical tensions and credential stealers/social media account takeovers.

In the last year we have observed that hacktivist groups have the following techniques that they generally use:

  1. DDOS attacks - They use free tools and scripts sourced from github to attack their targets
  2. Breached Credentials - Hacktvist groups have realized that freely available credentials give them much more visibility. We have observed that groups have utilized customer credentials as well to garner attention
  3. .git/.svn/.env - Some threat actors have started scanning for these aforementioned endpoints to get environment variables or code repository which has been shipped to prod environment by mistake

Geopolitical Attacks

The ongoing Israel-Palestine conflict has fueled the activities of hacktivist groups, who have targeted Indian banks due to perceived political stances. The attacks have primarily focused on Distributed Denial of Service (DDoS) attacks aiming to disrupt online banking services and websites.

Screenshot of a poll conducted by one of the hacktivist groups 

Timeline of  Attacks on Indian Banks/Insurance firms:

  • February 21: Lulsezsec Indonesia claims to start targeting Indian banks.
  • June 6: A hacktivist group claims to have compromised a major Indian bank, however, the claim was later debunked as the target was an unrelated service.
  • June 7: The RADNET  group claims a DDoS attack against a indian  Bank

Screenshot of the attacks conducted by a hacktivist group

  • June 11: Multiple banks suffer DDoS attacks from the same RADNET hacktivist group.
  • June 21: Rippersec targets claims to target an Indian bank with a DDoS attack.
  • June 22: “Infamous” targeted an Indian headquartered Insurance firm and dumped PII data of ~150k customers
Screenshot of the forum posts made by a threat actor 

  • June 23: An Indian Wallet application/subscription management service was breached by a TA called  “billy100” ~110k customer PII details were dumped
  • June 23: Sulawesi Indonesia carries out a DDoS attack against another Indian Bank.
Screenshot of hacktivist groups targeting indian banks 
Screenshot of hacktivist groups targeting indian banks 


Screenshot of hacktivist groups targeting indian banks 

Please Note - Hacktivist groups are notorious for making claims to create chaos, at the time of writing this report most of these claims have been debunked and there was no spike noticed by the said banks/targeted banks. This happens because of the attention that they get in the pursuit of making these lofty claims.

Recommendations : 

  • DDoS Mitigation: Invest in DDoS protection services and implement effective mitigation strategies to minimize the impact of attacks. This includes:
  • Cloud-based DDoS protection: Utilize cloud-based solutions to distribute traffic and absorb attacks.
  • Traffic filtering: Implement firewalls and other security measures to filter malicious traffic and prevent it from reaching critical servers.
  • Rate limiting: Set limits on the number of requests allowed from individual IP addresses or specific locations to prevent excessive traffic.
  • Network optimization: Optimize network infrastructure for performance and resilience, ensuring quick recovery from DDoS attacks.

Credential Stealers and Social Media Takeovers

In recent weeks, there has been a rise in attacks where hackers hijack social media accounts of major Indian banks, primarily Twitter, and use them to promote cryptocurrency scams. Hackers employ various techniques to acquire these accounts, including:

Screenshot of another Indian Bank’s twitter account taken of by threat actors 

  • Credential stealers: Malicious software that steals usernames, passwords, and other sensitive data.
  • Underground forums: Online marketplaces where stolen account credentials are bought and sold.

Screenshot of a threat actor selling compromised  twitter accounts for crypto scams 

Once control is gained, the compromised accounts spread links to fraudulent crypto websites and "crypto drainers," malicious tools designed to steal cryptocurrencies from unsuspecting users. The scams often leverage the popularity of Elon Musk and other prominent figures to gain trust.

Screenshot of a underground marketplace selling twitter accounts 

Recomendations for Banks:

  • Enhanced security: Implement robust security measures to protect online banking platforms and social media accounts from DDoS attacks and credential theft. This includes multi-factor authentication (MFA), strong password policies, and regular security audits.
  • Social media security: Implement strong authentication protocols and monitor social media accounts for suspicious activity. Consider using social media management tools to prevent unauthorized access.
  • Public awareness: Educate customers about the risks of cryptocurrency scams and how to identify fake websites and malicious links.

Recommendations For Users:

  • Be cautious: Be vigilant about suspicious links and unsolicited messages, especially on social media.
  • Verify information: Always verify information before clicking on any links, especially when it comes to financial transactions or cryptocurrency investments.
  • Protect your accounts: Use strong, unique passwords for all online accounts and enable MFA where available.

Enhanced Cybersecurity Measures for Strengthening Organizational Defenses

  • Conduct comprehensive scans for viruses and malware on all information systems within the ecosystem, and ensure they are updated with the latest patches after appropriate testing.
  • Establish necessary defenses against DDoS attacks, including investing in cloud-based DDoS protection services and implementing traffic filtering measures.
  • Implement stringent access control measures to restrict and monitor access to critical systems.
  • Maintain continuous monitoring of network activities and server logs to quickly identify and address suspicious and malicious activities within the organization's network.
  • Disable vulnerable services like Remote Desktop Protocol (RDP) and Server Message Block (SMB) by default on all critical systems. Remote access to networks hosting critical payment infrastructure should also be disabled by default, with restricted access granted on a need-to-know basis and appropriate monitoring. Remote logon activities should be restricted and closely monitored for potential unauthorized access whenever allowed.

References

Author

Abhishek Mathew

Cyber threat intel researcher, I excel in OSINT, HUMINT, and social engineering

Predict Cyber threats against your organization

Related Posts

Deepfake Controversy: Scammers Use Deepfakes of Virat Kohli, Anant Ambani to Fraud

CloudSEK’s latest research uncovers a troubling trend involving scammers using deepfake technology to promote fraudulent mobile applications. High-profile individuals, such as Virat Kohli, Anant Ambani, and even international figures like Cristiano Ronaldo and Ryan Reynolds, have been targeted through deepfake videos. These manipulated clips showcase them endorsing a mobile gaming app, luring unsuspecting users into scams. The fraudulent ads leverage the credibility of renowned news channels to enhance their legitimacy, fooling users into downloading harmful applications from fake domains resembling Google Play or Apple App Store. This emerging threat is particularly aimed at the Indian market but extends to other regions like Nigeria, Pakistan, and Southeast Asia. The deceptive gaming apps, designed to siphon money from users, require a minimum deposit, promising quick earnings but leading to significant financial losses. These scams exploit deepfake videos in creative ways to bypass detection, making them even more dangerous. To combat this growing threat, CloudSEK’s Deep Fake Analyzer offers a free solution for the cybersecurity community, helping professionals detect and mitigate the risks posed by manipulated videos, images, and audio. This tool is crucial in safeguarding organizations from deepfake-related scams and fraud. To access the CloudSEK Deep Fake Analyzer, visit https://community.cloudsek.com/

Starhealth Insurance Debacle: Information warfare using fabricated evidence

On 20 September 2024, CloudSEK’s XVigil discovered threat actor “xenZen” selling 7TB of data from Star Health Insurance, impacting over 31 million customers. While the data is confirmed authentic, claims of insider involvement from the company’s CISO appear fabricated.

Telegram Bots Masquerade as Digital Wallet Brands to push Referral Reward Scams to Indonesian Customers

In Indonesia, scammers are using Telegram bots to impersonate digital wallet brands, promoting fake referral reward schemes. These scams deceive users into sharing their account details, leading to significant financial losses. Discover the full details and protective measures in CloudSEK's comprehensive blog report.

Join 10,000+ subscribers

Keep up with the latest news about strains of Malware, Phishing Lures,
Indicators of Compromise, and Data Leaks.

Take action now

Secure your organisation with our Award winning Products

CloudSEK Platform is a no-code platform that powers our products with predictive threat analytic capabilities.

Adversary Intelligence

9

min read

Cybersecurity Threat Advisory: Recent Attacks Targeting Indian BFSI Sector

This advisory highlights recent attacks on Indian banks, focusing on two primary attack vectors: geopolitical tensions and credential stealers/social media account takeovers.

Authors
Abhishek Mathew
Cyber threat intel researcher, I excel in OSINT, HUMINT, and social engineering
Co-Authors

Category: Adversary Intelligence

Industry: BFSI

Motivation:Financial

Region: India

Source*

B - Usually Reliable 

2 - Possibly true

Executive Summary

This is an ongoing report and we will keep on updating as we have more information

This advisory highlights recent attacks on Indian banks, focusing on two primary attack vectors: geopolitical tensions and credential stealers/social media account takeovers.

In the last year we have observed that hacktivist groups have the following techniques that they generally use:

  1. DDOS attacks - They use free tools and scripts sourced from github to attack their targets
  2. Breached Credentials - Hacktvist groups have realized that freely available credentials give them much more visibility. We have observed that groups have utilized customer credentials as well to garner attention
  3. .git/.svn/.env - Some threat actors have started scanning for these aforementioned endpoints to get environment variables or code repository which has been shipped to prod environment by mistake

Geopolitical Attacks

The ongoing Israel-Palestine conflict has fueled the activities of hacktivist groups, who have targeted Indian banks due to perceived political stances. The attacks have primarily focused on Distributed Denial of Service (DDoS) attacks aiming to disrupt online banking services and websites.

Screenshot of a poll conducted by one of the hacktivist groups 

Timeline of  Attacks on Indian Banks/Insurance firms:

  • February 21: Lulsezsec Indonesia claims to start targeting Indian banks.
  • June 6: A hacktivist group claims to have compromised a major Indian bank, however, the claim was later debunked as the target was an unrelated service.
  • June 7: The RADNET  group claims a DDoS attack against a indian  Bank

Screenshot of the attacks conducted by a hacktivist group

  • June 11: Multiple banks suffer DDoS attacks from the same RADNET hacktivist group.
  • June 21: Rippersec targets claims to target an Indian bank with a DDoS attack.
  • June 22: “Infamous” targeted an Indian headquartered Insurance firm and dumped PII data of ~150k customers
Screenshot of the forum posts made by a threat actor 

  • June 23: An Indian Wallet application/subscription management service was breached by a TA called  “billy100” ~110k customer PII details were dumped
  • June 23: Sulawesi Indonesia carries out a DDoS attack against another Indian Bank.
Screenshot of hacktivist groups targeting indian banks 
Screenshot of hacktivist groups targeting indian banks 


Screenshot of hacktivist groups targeting indian banks 

Please Note - Hacktivist groups are notorious for making claims to create chaos, at the time of writing this report most of these claims have been debunked and there was no spike noticed by the said banks/targeted banks. This happens because of the attention that they get in the pursuit of making these lofty claims.

Recommendations : 

  • DDoS Mitigation: Invest in DDoS protection services and implement effective mitigation strategies to minimize the impact of attacks. This includes:
  • Cloud-based DDoS protection: Utilize cloud-based solutions to distribute traffic and absorb attacks.
  • Traffic filtering: Implement firewalls and other security measures to filter malicious traffic and prevent it from reaching critical servers.
  • Rate limiting: Set limits on the number of requests allowed from individual IP addresses or specific locations to prevent excessive traffic.
  • Network optimization: Optimize network infrastructure for performance and resilience, ensuring quick recovery from DDoS attacks.

Credential Stealers and Social Media Takeovers

In recent weeks, there has been a rise in attacks where hackers hijack social media accounts of major Indian banks, primarily Twitter, and use them to promote cryptocurrency scams. Hackers employ various techniques to acquire these accounts, including:

Screenshot of another Indian Bank’s twitter account taken of by threat actors 

  • Credential stealers: Malicious software that steals usernames, passwords, and other sensitive data.
  • Underground forums: Online marketplaces where stolen account credentials are bought and sold.

Screenshot of a threat actor selling compromised  twitter accounts for crypto scams 

Once control is gained, the compromised accounts spread links to fraudulent crypto websites and "crypto drainers," malicious tools designed to steal cryptocurrencies from unsuspecting users. The scams often leverage the popularity of Elon Musk and other prominent figures to gain trust.

Screenshot of a underground marketplace selling twitter accounts 

Recomendations for Banks:

  • Enhanced security: Implement robust security measures to protect online banking platforms and social media accounts from DDoS attacks and credential theft. This includes multi-factor authentication (MFA), strong password policies, and regular security audits.
  • Social media security: Implement strong authentication protocols and monitor social media accounts for suspicious activity. Consider using social media management tools to prevent unauthorized access.
  • Public awareness: Educate customers about the risks of cryptocurrency scams and how to identify fake websites and malicious links.

Recommendations For Users:

  • Be cautious: Be vigilant about suspicious links and unsolicited messages, especially on social media.
  • Verify information: Always verify information before clicking on any links, especially when it comes to financial transactions or cryptocurrency investments.
  • Protect your accounts: Use strong, unique passwords for all online accounts and enable MFA where available.

Enhanced Cybersecurity Measures for Strengthening Organizational Defenses

  • Conduct comprehensive scans for viruses and malware on all information systems within the ecosystem, and ensure they are updated with the latest patches after appropriate testing.
  • Establish necessary defenses against DDoS attacks, including investing in cloud-based DDoS protection services and implementing traffic filtering measures.
  • Implement stringent access control measures to restrict and monitor access to critical systems.
  • Maintain continuous monitoring of network activities and server logs to quickly identify and address suspicious and malicious activities within the organization's network.
  • Disable vulnerable services like Remote Desktop Protocol (RDP) and Server Message Block (SMB) by default on all critical systems. Remote access to networks hosting critical payment infrastructure should also be disabled by default, with restricted access granted on a need-to-know basis and appropriate monitoring. Remote logon activities should be restricted and closely monitored for potential unauthorized access whenever allowed.

References