According to a new study by cybersecurity firm Tenable, there are more than 26,500 vulnerabilities in the external attack surfaces of the top 90 banking and financial services organisations in Southeast Asia. Around 11,000 of these exploitable internet-facing assets belong to top-tier Singaporean institutions, including lenders and insurers.
The assessment found weak SSL/TLS encryption, misconfigured internal assets, inconsistent URL encryption, and legacy APIs across the banking and financial industry in Thailand, Indonesia, Malaysia, Vietnam, the Philippines, and Singapore. Assets assessed included domain names, subdomains, IP addresses, web servers, IoT devices, network printers, and any device connected to the Internet or an internal network, among others.
Singapore records the largest exploitable exposures
Singapore had the highest number of vulnerabilities among the six countries assessed, with more than 11,000 problematic assets connected to the internet across its 16 largest banking, financial services and insurance companies. More than 6,000 of those problematic assets were hosted in the United States.
The number of vulnerabilities in other markets included:
- Thailand: 5,000.
- Indonesia: 4,600.
- Malaysia: 4,200.
- Vietnam: 3,600.
- Philippines: 2,600.
The risks lie in software, encryption, APIs, and configurations.
Tenable’s assessment found a number of “potential, easily exploitable entry points” within banking, financial and insurance organisations in Southeast Asia. The cybersecurity firm stated that these “cyber hygiene gaps” were “posing a potential risk to the integrity and security of financial data”.
Weak and outdated SSL/TLS encryption
According to the report:
- Secure Sockets Layer and Transport Layer Security encryption are designed to protect data sent over the Internet or a computer network, but weak SSL/TLS encryption was found among the entities tested.
- Among the assets surveyed, 2,500 were still using TLS 1.0, which Tenable says is “a 25-year-old security protocol introduced in 1999 and disabled by Microsoft in September 2022.”
“This highlights the significant challenge faced by organizations with a broad Internet presence in identifying and updating outdated technologies,” Tenable said in a press release.
Poor internal asset configuration
A large number of assets originally intended for internal use have been inadvertently exposed. Tenable found 4,000 that had been misconfigured in a way that external actors could access.
“Failure to protect these internal assets poses a significant risk to organizations, as it creates an opportunity for malicious actors to attack sensitive information and critical systems,” the firm said.
Inconsistent final URL encryption
More than 900 assets were found with unencrypted final URLs.
When URLs are unencrypted, data transmitted between a browser and a server is not protected by encryption, making it vulnerable to interception, eavesdropping, and manipulation by malicious actors.
“This lack of encryption can lead to the exposure of sensitive information such as login credentials, personal data or payment details, and can compromise the integrity of the communication,” Tenable said.
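Two of the hygiene gaps described above (servers still accepting TLS 1.0, and redirect chains that land on an unencrypted final URL) can be checked from the outside with a short script. The following is an added illustration, not code from Tenable's report; the hostnames and redirect chains are constructed placeholders, and the TLS probe makes a real network connection only when you call it.

```python
import socket
import ssl
from urllib.parse import urlparse

# Constructed redirect chains, standing in for what a crawler would record when it
# follows a bank's login URL hop by hop (placeholder hostnames, not report assets).
SAMPLE_CHAINS = {
    "good": ["http://bank.example/", "https://bank.example/", "https://login.bank.example/"],
    "unencrypted-final": ["https://bank.example/", "http://legacy.bank.example/login"],
    "never-encrypted": ["http://pay.bank.example/"],
}


def audit_redirect_chain(chain):
    """Return findings for one redirect chain, in the article's 'inconsistent final
    URL encryption' sense: the final landing URL is plain HTTP, and/or an HTTPS hop
    redirected down to HTTP (a downgrade inside the chain)."""
    findings = []
    schemes = [urlparse(url).scheme.lower() for url in chain]
    if schemes[-1] != "https":
        findings.append("final URL unencrypted")
    if any(a == "https" and b == "http" for a, b in zip(schemes, schemes[1:])):
        findings.append("https-to-http downgrade in chain")
    return findings


def accepts_legacy_tls(host, port=443, version=ssl.TLSVersion.TLSv1, timeout=5.0):
    """Attempt a handshake pinned to one legacy protocol version (TLS 1.0 by default).
    True means the server negotiated it, which is the exposure the report counts;
    False means the server refused, or the local OpenSSL build cannot offer that
    version at all. Network call: not exercised by the offline checks."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # probing protocol support, not certificate identity
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")  # OpenSSL 3 hides TLS 1.0 at level 1+
    except (ValueError, ssl.SSLError):
        return False
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError):
        return False
```

Run `audit_redirect_chain` over the chains your crawler records for every internet-facing asset, and `accepts_legacy_tls(host)` against each TLS endpoint, to produce the same two categories of finding the report describes for your own estate.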
API v3 used by institutions
The report identified over 2,000 API v3 instances out of the total number of assets assessed.
Tenable said inadequate authentication, insufficient input validation, weak access controls, and vulnerabilities in dependencies within v3 API implementations create a vulnerable attack surface.
“Malicious actors can exploit such weaknesses to gain unauthorized access, compromise data integrity, and launch devastating cyberattacks,” Tenable’s commentary states.
Weaknesses lie in Southeast Asia's major banks and insurers
Tenable’s assessment focused on the largest companies by market capitalization in each Southeast Asian country. This makes the results more worrying: they suggest that even the largest institutions in the sector, which may have more resources available than their smaller peers, are prone to these cybersecurity vulnerabilities.
Nigel Ng, Tenable's senior vice president for Asia Pacific and Japan, said the weaknesses in these assets revealed that many financial institutions in Indonesia, Malaysia, the Philippines, Singapore, Thailand and Vietnam were “struggling to close priority security gaps that put them at risk.”
Cyber risk a major risk for banking and financial sectors in APAC
Global rating agency S&P Global, which provides investment ratings in APAC, has indicated that the cyber risks facing the region's banking and financial sector are real and could impact their bottom lines.
In a July 2024 update, S&P Global analysts said rising cyber risks in Asia-Pacific banks particularly affect third parties and banks with “skills shortages.”
S&P Global cited research showing:
As the risk is most acute for smaller lenders in the region, S&P Global warned that while risk mitigation initiatives by regulators and banks have prevented cyber threats, such issues could still occur and impact ratings.
As noted in S&P Global’s update, “inadequate risk mitigation could increase the likelihood of a successful incursion and cause us to weaken our view of how cyber risks are managed. This could impact the ratings.”