Adversary Intelligence
9
mins read

Cybersecurity Threat Advisory: Recent Attacks Targeting Indian BFSI Sector

This advisory highlights recent attacks on Indian banks, focusing on two primary attack vectors: geopolitical tensions and credential stealers/social media account takeovers.

Abhishek Mathew
June 26, 2024
Green Alert
Last Update posted on
July 19, 2024
Proactive Monitoring of the Dark Web for your organization.

Proactively monitor and defend your organization against threats from the dark web with CloudSEK XVigil.

Schedule a Demo
Table of Contents
Author(s)
Coauthors image
Anirudh Batra
Coauthors image
Anshuman Das
Coauthors image
Naren Thota

Category: Adversary Intelligence

Industry: BFSI

Motivation:Financial

Region: India

Source*

B - Usually Reliable 

2 - Possibly true

Executive Summary

This is an ongoing report and we will keep on updating as we have more information

This advisory highlights recent attacks on Indian banks, focusing on two primary attack vectors: geopolitical tensions and credential stealers/social media account takeovers.

In the last year we have observed that hacktivist groups have the following techniques that they generally use:

  1. DDOS attacks - They use free tools and scripts sourced from github to attack their targets
  2. Breached Credentials - Hacktvist groups have realized that freely available credentials give them much more visibility. We have observed that groups have utilized customer credentials as well to garner attention
  3. .git/.svn/.env - Some threat actors have started scanning for these aforementioned endpoints to get environment variables or code repository which has been shipped to prod environment by mistake

Geopolitical Attacks

The ongoing Israel-Palestine conflict has fueled the activities of hacktivist groups, who have targeted Indian banks due to perceived political stances. The attacks have primarily focused on Distributed Denial of Service (DDoS) attacks aiming to disrupt online banking services and websites.

Screenshot of a poll conducted by one of the hacktivist groups 

Timeline of  Attacks on Indian Banks/Insurance firms:

  • February 21: Lulsezsec Indonesia claims to start targeting Indian banks.
  • June 6: A hacktivist group claims to have compromised a major Indian bank, however, the claim was later debunked as the target was an unrelated service.
  • June 7: The RADNET  group claims a DDoS attack against a indian  Bank

Screenshot of the attacks conducted by a hacktivist group

  • June 11: Multiple banks suffer DDoS attacks from the same RADNET hacktivist group.
  • June 21: Rippersec targets claims to target an Indian bank with a DDoS attack.
  • June 22: “Infamous” targeted an Indian headquartered Insurance firm and dumped PII data of ~150k customers
Screenshot of the forum posts made by a threat actor 

  • June 23: An Indian Wallet application/subscription management service was breached by a TA called  “billy100” ~110k customer PII details were dumped
  • June 23: Sulawesi Indonesia carries out a DDoS attack against another Indian Bank.
Screenshot of hacktivist groups targeting indian banks 
Screenshot of hacktivist groups targeting indian banks 


Screenshot of hacktivist groups targeting indian banks 

Please Note - Hacktivist groups are notorious for making claims to create chaos, at the time of writing this report most of these claims have been debunked and there was no spike noticed by the said banks/targeted banks. This happens because of the attention that they get in the pursuit of making these lofty claims.

Recommendations : 

  • DDoS Mitigation: Invest in DDoS protection services and implement effective mitigation strategies to minimize the impact of attacks. This includes:
  • Cloud-based DDoS protection: Utilize cloud-based solutions to distribute traffic and absorb attacks.
  • Traffic filtering: Implement firewalls and other security measures to filter malicious traffic and prevent it from reaching critical servers.
  • Rate limiting: Set limits on the number of requests allowed from individual IP addresses or specific locations to prevent excessive traffic.
  • Network optimization: Optimize network infrastructure for performance and resilience, ensuring quick recovery from DDoS attacks.

Credential Stealers and Social Media Takeovers

In recent weeks, there has been a rise in attacks where hackers hijack social media accounts of major Indian banks, primarily Twitter, and use them to promote cryptocurrency scams. Hackers employ various techniques to acquire these accounts, including:

Screenshot of another Indian Bank’s twitter account taken of by threat actors 

  • Credential stealers: Malicious software that steals usernames, passwords, and other sensitive data.
  • Underground forums: Online marketplaces where stolen account credentials are bought and sold.

Screenshot of a threat actor selling compromised  twitter accounts for crypto scams 

Once control is gained, the compromised accounts spread links to fraudulent crypto websites and "crypto drainers," malicious tools designed to steal cryptocurrencies from unsuspecting users. The scams often leverage the popularity of Elon Musk and other prominent figures to gain trust.

Screenshot of a underground marketplace selling twitter accounts 

Recomendations for Banks:

  • Enhanced security: Implement robust security measures to protect online banking platforms and social media accounts from DDoS attacks and credential theft. This includes multi-factor authentication (MFA), strong password policies, and regular security audits.
  • Social media security: Implement strong authentication protocols and monitor social media accounts for suspicious activity. Consider using social media management tools to prevent unauthorized access.
  • Public awareness: Educate customers about the risks of cryptocurrency scams and how to identify fake websites and malicious links.

Recommendations For Users:

  • Be cautious: Be vigilant about suspicious links and unsolicited messages, especially on social media.
  • Verify information: Always verify information before clicking on any links, especially when it comes to financial transactions or cryptocurrency investments.
  • Protect your accounts: Use strong, unique passwords for all online accounts and enable MFA where available.

Enhanced Cybersecurity Measures for Strengthening Organizational Defenses

  • Conduct comprehensive scans for viruses and malware on all information systems within the ecosystem, and ensure they are updated with the latest patches after appropriate testing.
  • Establish necessary defenses against DDoS attacks, including investing in cloud-based DDoS protection services and implementing traffic filtering measures.
  • Implement stringent access control measures to restrict and monitor access to critical systems.
  • Maintain continuous monitoring of network activities and server logs to quickly identify and address suspicious and malicious activities within the organization's network.
  • Disable vulnerable services like Remote Desktop Protocol (RDP) and Server Message Block (SMB) by default on all critical systems. Remote access to networks hosting critical payment infrastructure should also be disabled by default, with restricted access granted on a need-to-know basis and appropriate monitoring. Remote logon activities should be restricted and closely monitored for potential unauthorized access whenever allowed.

References

Author

Abhishek Mathew

Cyber threat intel researcher, I excel in OSINT, HUMINT, and social engineering

Predict Cyber threats against your organization

Schedule a Demo
Related Posts
Blog Image
Adversary Intelligence
Breach
Data leaks
Emerging Threats
Hacktivism
October 10, 2024

Analyzing Recent Cyber Attacks in the United States Coinciding with Columbus Day Celebration

Over recent months, the United States has faced a surge in cyber attacks, with ransomware incidents rising sharply from June to October 2024. Prominent groups, including Play, RansomHub, Lockbit, Qilin, and Meow, have targeted sectors such as Business Services, Manufacturing, IT, and Healthcare, compromising over 800 organizations. Major attacks included a breach of the City of Columbus by Rhysida ransomware and data leaks impacting Virginia’s Department of Elections and Healthcare.gov. Additionally, China’s "Salt Typhoon" espionage campaign is aggressively targeting U.S. ISPs, further complicating the cyber threat landscape. Hacktivist groups advocating pro-Russian and pro-Palestinian positions have also increased their attacks, affecting government entities and critical infrastructure. This report highlights the need for enhanced security protocols, regular audits, and public awareness initiatives to mitigate the growing cyber risks. Key recommendations include implementing multi-factor authentication, frequent employee training, and advanced threat monitoring to safeguard the nation's critical infrastructure and public trust.

Blog Image
Deep Fake Monitoing
Scam
Threat Intelligence
October 4, 2024

Deepfake Controversy: Scammers Use Deepfakes of Virat Kohli, Anant Ambani to Fraud

CloudSEK’s latest research uncovers a troubling trend involving scammers using deepfake technology to promote fraudulent mobile applications. High-profile individuals, such as Virat Kohli, Anant Ambani, and even international figures like Cristiano Ronaldo and Ryan Reynolds, have been targeted through deepfake videos. These manipulated clips showcase them endorsing a mobile gaming app, luring unsuspecting users into scams. The fraudulent ads leverage the credibility of renowned news channels to enhance their legitimacy, fooling users into downloading harmful applications from fake domains resembling Google Play or Apple App Store. This emerging threat is particularly aimed at the Indian market but extends to other regions like Nigeria, Pakistan, and Southeast Asia. The deceptive gaming apps, designed to siphon money from users, require a minimum deposit, promising quick earnings but leading to significant financial losses. These scams exploit deepfake videos in creative ways to bypass detection, making them even more dangerous. To combat this growing threat, CloudSEK’s Deep Fake Analyzer offers a free solution for the cybersecurity community, helping professionals detect and mitigate the risks posed by manipulated videos, images, and audio. This tool is crucial in safeguarding organizations from deepfake-related scams and fraud. To access the CloudSEK Deep Fake Analyzer, visit https://community.cloudsek.com/

Blog Image
Adversary Intelligence
Threat Intelligence
September 24, 2024

Starhealth Insurance Debacle: Information warfare using fabricated evidence

On 20 September 2024, CloudSEK’s XVigil discovered threat actor “xenZen” selling 7TB of data from Star Health Insurance, impacting over 31 million customers. While the data is confirmed authentic, claims of insider involvement from the company’s CISO appear fabricated.

Join 10,000+ subscribers

Keep up with the latest news about strains of Malware, Phishing Lures,
Indicators of Compromise, and Data Leaks.

Take action now

Secure your organisation with our Award winning Products

CloudSEK Platform is a no-code platform that powers our products with predictive threat analytic capabilities.

CloudSEK XVigil

Digital Risk Protection platform which gives Initial Attack Vector Protection for employees and customers.

Learn more about XVigil
CloudSEK SVigil

Software and Supply chain Monitoring providing Initial Attack Vector Protection for Software Supply Chain risks.

Learn more about SVigil
CloudSEK SVigil

Creates a blueprint of an organization's external attack surface including the core infrastructure and the software components.

Learn more about BeVigil Ent
CloudSEK BeVigil

Instant Security Score for any Android Mobile App on your phone. Search for any app to get an instant risk score.

Learn more about BeVigil
Adversary Intelligence

9

min read

Cybersecurity Threat Advisory: Recent Attacks Targeting Indian BFSI Sector

This advisory highlights recent attacks on Indian banks, focusing on two primary attack vectors: geopolitical tensions and credential stealers/social media account takeovers.

Authors
Abhishek Mathew
Cyber threat intel researcher, I excel in OSINT, HUMINT, and social engineering
Co-Authors
Anirudh Batra
Anshuman Das
Naren Thota

Category: Adversary Intelligence

Industry: BFSI

Motivation:Financial

Region: India

Source*

B - Usually Reliable 

2 - Possibly true

Executive Summary

This is an ongoing report and we will keep on updating as we have more information

This advisory highlights recent attacks on Indian banks, focusing on two primary attack vectors: geopolitical tensions and credential stealers/social media account takeovers.

In the last year we have observed that hacktivist groups have the following techniques that they generally use:

  1. DDOS attacks - They use free tools and scripts sourced from github to attack their targets
  2. Breached Credentials - Hacktvist groups have realized that freely available credentials give them much more visibility. We have observed that groups have utilized customer credentials as well to garner attention
  3. .git/.svn/.env - Some threat actors have started scanning for these aforementioned endpoints to get environment variables or code repository which has been shipped to prod environment by mistake

Geopolitical Attacks

The ongoing Israel-Palestine conflict has fueled the activities of hacktivist groups, who have targeted Indian banks due to perceived political stances. The attacks have primarily focused on Distributed Denial of Service (DDoS) attacks aiming to disrupt online banking services and websites.

Screenshot of a poll conducted by one of the hacktivist groups 

Timeline of  Attacks on Indian Banks/Insurance firms:

  • February 21: Lulsezsec Indonesia claims to start targeting Indian banks.
  • June 6: A hacktivist group claims to have compromised a major Indian bank, however, the claim was later debunked as the target was an unrelated service.
  • June 7: The RADNET  group claims a DDoS attack against a indian  Bank

Screenshot of the attacks conducted by a hacktivist group

  • June 11: Multiple banks suffer DDoS attacks from the same RADNET hacktivist group.
  • June 21: Rippersec targets claims to target an Indian bank with a DDoS attack.
  • June 22: “Infamous” targeted an Indian headquartered Insurance firm and dumped PII data of ~150k customers
Screenshot of the forum posts made by a threat actor 

  • June 23: An Indian Wallet application/subscription management service was breached by a TA called  “billy100” ~110k customer PII details were dumped
  • June 23: Sulawesi Indonesia carries out a DDoS attack against another Indian Bank.
Screenshot of hacktivist groups targeting indian banks 
Screenshot of hacktivist groups targeting indian banks 


Screenshot of hacktivist groups targeting indian banks 

Please Note - Hacktivist groups are notorious for making claims to create chaos, at the time of writing this report most of these claims have been debunked and there was no spike noticed by the said banks/targeted banks. This happens because of the attention that they get in the pursuit of making these lofty claims.

Recommendations : 

  • DDoS Mitigation: Invest in DDoS protection services and implement effective mitigation strategies to minimize the impact of attacks. This includes:
  • Cloud-based DDoS protection: Utilize cloud-based solutions to distribute traffic and absorb attacks.
  • Traffic filtering: Implement firewalls and other security measures to filter malicious traffic and prevent it from reaching critical servers.
  • Rate limiting: Set limits on the number of requests allowed from individual IP addresses or specific locations to prevent excessive traffic.
  • Network optimization: Optimize network infrastructure for performance and resilience, ensuring quick recovery from DDoS attacks.

Credential Stealers and Social Media Takeovers

In recent weeks, there has been a rise in attacks where hackers hijack social media accounts of major Indian banks, primarily Twitter, and use them to promote cryptocurrency scams. Hackers employ various techniques to acquire these accounts, including:

Screenshot of another Indian Bank’s twitter account taken of by threat actors 

  • Credential stealers: Malicious software that steals usernames, passwords, and other sensitive data.
  • Underground forums: Online marketplaces where stolen account credentials are bought and sold.

Screenshot of a threat actor selling compromised  twitter accounts for crypto scams 

Once control is gained, the compromised accounts spread links to fraudulent crypto websites and "crypto drainers," malicious tools designed to steal cryptocurrencies from unsuspecting users. The scams often leverage the popularity of Elon Musk and other prominent figures to gain trust.

Screenshot of a underground marketplace selling twitter accounts 

Recomendations for Banks:

  • Enhanced security: Implement robust security measures to protect online banking platforms and social media accounts from DDoS attacks and credential theft. This includes multi-factor authentication (MFA), strong password policies, and regular security audits.
  • Social media security: Implement strong authentication protocols and monitor social media accounts for suspicious activity. Consider using social media management tools to prevent unauthorized access.
  • Public awareness: Educate customers about the risks of cryptocurrency scams and how to identify fake websites and malicious links.

Recommendations For Users:

  • Be cautious: Be vigilant about suspicious links and unsolicited messages, especially on social media.
  • Verify information: Always verify information before clicking on any links, especially when it comes to financial transactions or cryptocurrency investments.
  • Protect your accounts: Use strong, unique passwords for all online accounts and enable MFA where available.

Enhanced Cybersecurity Measures for Strengthening Organizational Defenses

  • Conduct comprehensive scans for viruses and malware on all information systems within the ecosystem, and ensure they are updated with the latest patches after appropriate testing.
  • Establish necessary defenses against DDoS attacks, including investing in cloud-based DDoS protection services and implementing traffic filtering measures.
  • Implement stringent access control measures to restrict and monitor access to critical systems.
  • Maintain continuous monitoring of network activities and server logs to quickly identify and address suspicious and malicious activities within the organization's network.
  • Disable vulnerable services like Remote Desktop Protocol (RDP) and Server Message Block (SMB) by default on all critical systems. Remote access to networks hosting critical payment infrastructure should also be disabled by default, with restricted access granted on a need-to-know basis and appropriate monitoring. Remote logon activities should be restricted and closely monitored for potential unauthorized access whenever allowed.

References