More than 26,500 vulnerabilities exist in the external attack surfaces of Southeast Asia’s 90 top banking and financial services organisations, according to new research by cybersecurity firm Tenable. About 11,000 of these exploitable internet-facing assets belong to Singapore’s top-tier institutions, including lenders and insurers.
The assessment found weak SSL/TLS encryption, misconfigured internal assets, inconsistent URL encryption, and older APIs across the banking and finance industry in Thailand, Indonesia, Malaysia, Vietnam, the Philippines, and Singapore. The assets evaluated included domain names, subdomains, IP addresses, web servers, IoT devices, network printers, and any device connected to the internet or internal network, among others.
Singapore experiences most exploitable exposures
Singapore had the highest number of vulnerabilities among the six countries assessed, with over 11,000 internet-facing problem assets across its top 16 banking, financial services, and insurance companies. Over 6,000 of those problem assets were hosted in the United States.
The number of vulnerabilities in other markets included:
- Thailand: 5,000.
- Indonesia: 4,600.
- Malaysia: 4,200.
- Vietnam: 3,600.
- The Philippines: 2,600.
Risks reside in software, encryption, APIs, and configurations
Tenable’s assessment found a range of “easily exploitable potential entry points” within banking, finance, and insurance organisations in Southeast Asia. The cybersecurity firm declared that these “cyber hygiene gaps” were “posing potential risk to the integrity and security of financial data.”
Weak, outdated SSL/TLS encryption
According to the report:
- Secure Sockets Layer and Transport Layer Security encryption is designed to protect data sent over the internet or a computer network, but weak SSL/TLS encryption was found among assessed entities.
- 2,500 assets among those surveyed were still using TLS 1.0, which Tenable said is “a 25-year-old security protocol introduced in 1999 and disabled by Microsoft in September 2022.”
“This highlights the significant challenge organisations with extensive internet footprints face in identifying and updating outdated technologies,” Tenable said in a press release.
Misconfiguration of internal assets
A large number of assets originally intended for internal use have been inadvertently exposed. Tenable found 4,000 that had been misconfigured in ways that made them accessible by external actors.
“Failing to secure these internal assets poses a significant risk to organisations, as it creates an opportunity for malicious actors to target sensitive information and critical systems,” the firm said.
Inconsistent final URL encryption
Over 900 assets were found to have unencrypted final URLs.
When URLs are unencrypted, the data transmitted between a browser and a server is not protected by encryption, making it vulnerable to interception, eavesdropping, and manipulation by malicious actors.
“This lack of encryption can lead to exposure of sensitive information, such as login credentials, personal data, or payment details, and can compromise the integrity of the communication,” Tenable said.
API v3 being used by institutions
The report identified over 2,000 API v3 instances from the total number of assets assessed.
Tenable said inadequate authentication, insufficient input validation, weak access controls, and vulnerabilities in dependencies within API v3 implementations create a vulnerable attack surface.
“Malicious actors can exploit such weaknesses to gain unauthorised access, compromise data integrity, and launch devastating cyber attacks,” Tenable’s commentary said.
Weaknesses reside in Southeast Asia’s top banks and insurers
Tenable’s assessment focused on the largest firms by market capitalisation in Southeast Asian countries. This makes the findings more concerning, as they suggest that the largest institutions in the sector are prone to cybersecurity vulnerabilities, even though they may have more resources available.
Nigel Ng, Tenable’s senior vice president for Asia Pacific and Japan, said weaknesses in these assets revealed many financial institutions across Indonesia, Malaysia, the Philippines, Singapore, Thailand, and Vietnam were “struggling to close the priority security gaps that put them at risk.”
Cyber risk prominent for banking and financial sectors in APAC
Global ratings agency S&P Global, which provides investment ratings in APAC, has indicated the cyber risks facing the region’s banking and finance sector are real — and could impact their bottom line.
In an update in July 2024, S&P Global’s analysts said that the rising cyber risks across Asia-Pacific banks particularly affect third parties and banks “with a shortage of skills.”
S&P Global cited research showing:
- Asia-Pacific recorded a 16% year-on-year increase in cyber attacks in the first quarter of 2024, according to data from cybersecurity solutions provider Check Point.
- 2.5 million skilled cyber representatives are needed in APAC to deal with the rising threat to the region, according to the World Economic Forum.
With the risk more acute for smaller lenders in the region, S&P Global warned that, although risk mitigation initiatives by regulators and banks have staved off cyber threats, these issues could still occur and affect ratings.
As the S&P Global update noted, “Improper risk mitigation could increase the likelihood of a successful incursion and lead us to weaken our view of how cyber risks are managed. This could have ratings effects.”