More than 26,500 vulnerabilities exist in the external attack surfaces of Southeast Asia’s 90 top banking and financial services organisations, according to new research by cybersecurity firm Tenable. About 11,000 of these exploitable internet-facing assets belong to Singapore’s top-tier institutions, including lenders and insurers.
The assessment found weak SSL/TLS encryption, misconfigured internal assets, inconsistent URL encryption, and older APIs across the banking and finance industry in Thailand, Indonesia, Malaysia, Vietnam, the Philippines, and Singapore. The assets evaluated included domain names, subdomains, IP addresses, web servers, IoT devices, network printers, and any device connected to the internet or internal network, among others.
Singapore had the highest number of vulnerabilities among the six countries assessed, with over 11,000 internet-facing problem assets across its top 16 banking, financial services, and insurance companies. Over 6,000 of those problem assets were hosted in the United States.
The number of vulnerabilities in other markets included:
Tenable’s assessment found a range of “easily exploitable potential entry points” within banking, finance, and insurance organisations in Southeast Asia. The cybersecurity firm declared that these “cyber hygiene gaps” were “posing potential risk to the integrity and security of financial data.”
According to the report:
“This highlights the significant challenge organisations with extensive internet footprints face in identifying and updating outdated technologies,” Tenable said in a press release.
A large number of assets originally intended for internal use have been inadvertently exposed. Tenable found 4,000 that had been misconfigured in ways that made them accessible by external actors.
“Failing to secure these internal assets poses a significant risk to organisations, as it creates an opportunity for malicious actors to target sensitive information and critical systems,” the firm said.
Over 900 assets were found to have unencrypted final URLs.
When URLs are unencrypted, the data transmitted between a browser and a server is not protected by encryption, making it vulnerable to interception, eavesdropping, and manipulation by malicious actors.
“This lack of encryption can lead to exposure of sensitive information, such as login credentials, personal data, or payment details, and can compromise the integrity of the communication,” Tenable said.
The report identified over 2,000 API v3 instances from the total number of assets assessed.
Tenable said inadequate authentication, insufficient input validation, weak access controls, and vulnerabilities in dependencies within API v3 implementations create a vulnerable attack surface.
“Malicious actors can exploit such weaknesses to gain unauthorised access, compromise data integrity, and launch devastating cyber attacks,” Tenable’s commentary said.
Tenable’s assessment focused on the largest firms by market capitalisation in Southeast Asian countries. This makes the findings more concerning, as they suggest that even the largest institutions in the sector are prone to cybersecurity vulnerabilities, despite potentially having more resources available.
Nigel Ng, Tenable’s senior vice president for Asia Pacific and Japan, said weaknesses in these assets revealed many financial institutions across Indonesia, Malaysia, the Philippines, Singapore, Thailand, and Vietnam were “struggling to close the priority security gaps that put them at risk.”
Global ratings agency S&P Global, which provides investment ratings in APAC, has indicated the cyber risks facing the region’s banking and finance sector are real — and could impact their bottom line.
In an update in July 2024, S&P Global’s analysts said that the rising cyber risks across Asia-Pacific banks particularly affect third parties and banks “with a shortage of skills.”
S&P Global cited research showing:
With the risk more acute for smaller lenders in the region, S&P Global warned that, although risk mitigation initiatives by regulators and banks have staved off cyber threats, these issues could still occur and affect ratings.
As the S&P Global update noted, “Improper risk mitigation could increase the likelihood of a successful incursion and lead us to weaken our view of how cyber risks are managed. This could have ratings effects.”