A new study conducted by cybersecurity company Certain unveiled that more than 26,500 vulnerabilities can be found in the external attack surfaces of the top 90 banking and financial institutions in Southeast Asia. Approximately 11,000 of these exposures were found on internet-facing assets belonging to the leading financial organizations in Singapore, including banks and insurers.
The analysis highlighted issues such as inadequate SSL/TLS encryption, poorly configured internal assets, inconsistent URL encryption, and outdated APIs across the banking and finance sector in Thailand, Indonesia, Malaysia, Vietnam, the Philippines, and Singapore. The assessed assets encompassed domain names, subdomains, IP addresses, web servers, IoT devices, network printers, and other internet-connected or internal network devices.
Singapore hosts most exploitable exposures
Among the six countries evaluated, Singapore displayed the highest count of vulnerabilities, with over 11,000 problematic internet-facing assets spread across its top 16 banking, financial services, and insurance firms. More than 6,000 of these problematic assets were hosted in the United States.
The number of vulnerabilities in the other countries was as follows:
- Thailand: 5,000.
- Indonesia: 4,600.
- Malaysia: 4,200.
- Vietnam: 3,600.
- The Philippines: 2,600.
Software encryption, APIs, and configurations entail risks
The Certain evaluation revealed a variety of “readily exploitable potential entry points” within Southeast Asia’s banking, finance, and insurance institutions. The cybersecurity company warned that these “cyber hygiene inconsistencies” were “posing potential threats to the confidentiality and security of financial data.”
Insecure, antiquated SSL/TLS encryption
As per the report:
- While Secure Sockets Layer and Transport Layer Security encryption are meant to safeguard data transmission over the internet or a computer network, vulnerable SSL/TLS encryption was identified among the entities assessed.
- Among the surveyed assets, 2,500 were still utilizing TLS 1.0, a security protocol introduced in 1999 and disabled by Microsoft in September 2022, according to Certain.
“This underscores the significant challenge faced by organizations with extensive online presence in identifying and upgrading outdated technologies,” Certain noted in a press statement.
Misconfiguration of internal assets
A substantial quantity of assets originally intended for internal use have been mistakenly exposed. Certain discovered 4,000 misconfigured assets that were accessible to external parties.
“Failing to secure these internal assets poses a major hazard to organizations, as it offers a chance for malicious actors to target crucial systems and sensitive information,” the company stated.
Unreliable final URL encryption
More than 900 assets had final URLs (the destination reached after following redirects) that were served without encryption, that is, over plain HTTP rather than HTTPS.
When URLs lack encryption, the data exchange between a browser and a server becomes susceptible to interception, monitoring, and manipulation by malicious entities.
“This absence of encryption can lead to the exposure of sensitive data like login credentials, personal information, or payment data, jeopardizing communication integrity,” Certain remarked.
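The finding above is easy to reproduce against one's own estate: start at each published URL, follow the redirect chain, and flag any chain whose final hop is not HTTPS, or that steps from HTTPS back down to HTTP along the way. The following Python script is an added example written for this page; it is not part of Certain's report or tooling. The local redirect server, the host names bank.example and www.bank.example, and the redirect tables are constructed stand-ins so the script runs offline.

```python
"""Follow an HTTP redirect chain and report whether the final URL is encrypted.

Added example for this page (not Certain's code). The demo server and the
hostnames bank.example / www.bank.example are constructed for illustration.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urljoin, urlsplit

MAX_HOPS = 10
REDIRECT_STATUSES = (301, 302, 303, 307, 308)


def fetch_status_and_location(url, timeout=5.0):
    """Fetch one URL and return (HTTP status, Location header or None)."""
    parts = urlsplit(url)
    conn_cls = (http.client.HTTPSConnection if parts.scheme == "https"
                else http.client.HTTPConnection)
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    try:
        path = parts.path or "/"
        if parts.query:
            path += "?" + parts.query
        conn.request("GET", path, headers={"Host": parts.netloc,
                                           "User-Agent": "final-url-check/0.1"})
        resp = conn.getresponse()
        resp.read()  # drain the body so the server side closes cleanly
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def final_url_report(start_url, fetch=fetch_status_and_location, max_hops=MAX_HOPS):
    """Follow 3xx redirects from start_url and classify the resulting chain.

    `fetch` is injectable so the logic can be exercised against a recorded
    table of responses instead of live hosts.
    """
    chain = [start_url]
    url = start_url
    for _ in range(max_hops):
        status, location = fetch(url)
        if status in REDIRECT_STATUSES and location:
            url = urljoin(url, location)  # Location may be relative
            chain.append(url)
            continue
        break
    else:
        raise RuntimeError(f"more than {max_hops} redirects from {start_url}")

    schemes = [urlsplit(u).scheme for u in chain]
    return {
        "chain": chain,
        "final_url": chain[-1],
        "hops": len(chain) - 1,
        # The report's "final URL encryption" finding: last hop must be HTTPS.
        "final_encrypted": schemes[-1] == "https",
        # An HTTPS -> HTTP step anywhere in the chain is a downgrade.
        "downgrade": any(a == "https" and b == "http"
                         for a, b in zip(schemes, schemes[1:])),
    }


class _RedirectDemoHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a web tier whose /login bounces to a plain-HTTP /portal."""

    def do_GET(self):
        if self.path == "/login":
            self.send_response(302)
            self.send_header("Location", "/portal")
            self.end_headers()
        elif self.path == "/portal":
            body = b"<html>login form here</html>"
            self.send_response(200)
            self.send_header("Content-Type", "text/html")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        else:
            self.send_error(404)

    def log_message(self, *args):  # keep the demo quiet
        pass


def run_demo():
    """Spin up the constructed server on localhost and check its /login URL."""
    server = HTTPServer(("127.0.0.1", 0), _RedirectDemoHandler)
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return final_url_report(f"http://127.0.0.1:{port}/login")
    finally:
        server.shutdown()
        server.server_close()


# Constructed recorded chain: the HTTPS front door redirects to an HTTP host.
CONSTRUCTED_DOWNGRADE_CHAIN = {
    "https://bank.example/": (301, "http://www.bank.example/"),
    "http://www.bank.example/": (200, None),
}


def run_downgrade_demo():
    """Exercise downgrade detection offline using the recorded chain above."""
    return final_url_report("https://bank.example/",
                            fetch=lambda u: CONSTRUCTED_DOWNGRADE_CHAIN[u])


if __name__ == "__main__":
    for report in (run_demo(), run_downgrade_demo()):
        verdict = "OK" if report["final_encrypted"] and not report["downgrade"] else "FLAG"
        print(verdict, " -> ".join(report["chain"]))
```

In a real sweep, point `final_url_report` at every hostname and path in your asset inventory and treat both `final_encrypted == False` and `downgrade == True` as findings; the downgrade check matters because an HTTPS landing page that redirects to an HTTP origin still leaves session cookies and form posts exposed.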
Institutions using API v3
The report identified over 2,000 instances of API v3 among the total evaluated assets.
Certain highlighted that inadequate authentication, insufficient input validation, weak access controls, and vulnerabilities in API v3 implementations pose a vulnerable attack surface.
“Malicious entities can exploit these weaknesses to gain unauthorized access, compromise data integrity, and launch severe cyber assaults,” expressed Certain’s analysis.
Weaknesses in Southeast Asia’s leading banks and insurers
Certain evaluated the largest firms based on market capitalization in Southeast Asian countries. This heightens concerns as the findings suggest even the sector’s largest institutions are vulnerable to cybersecurity threats, despite potentially having greater resources at their disposal.
Nigel Ng, Certain’s senior vice president for Asia Pacific and Japan, commented that weaknesses identified in these assets indicate that numerous financial organizations across Indonesia, Malaysia, the Philippines, Singapore, Thailand, and Vietnam are “struggling to address key security vulnerabilities putting them at risk.”
Cyber risks loom large over banking and financial sectors in APAC
Credit rating agency S&P Global has highlighted the tangible cyber risks faced by the banking and finance sectors in the region, which could weigh on institutions' financial performance.
In a July 2024 update, analysts from S&P Global indicated that escalating cyber risks among Asia-Pacific banks specifically impact third parties and banks “with a paucity of skilled labor.”
S&P Global referenced studies showing:
With smaller institutions in the region facing a particularly acute risk, S&P Global cautioned that despite mitigation efforts by regulators and banks, cyber threats could still manifest, potentially affecting credit ratings.
As per the update issued by S&P Global, “Ineffective risk mitigation could heighten the chances of a successful breach and lead us to reassess our evaluation of cyber risk management. This could have implications on credit ratings.”
