[ RESTRICTED - Not for Hosting in Public Domain ] TLP: AMBER
CSIRT-Fin Advisory- 251500052501
Urgent Cybersecurity Advisory: Responding to Immediate Cyber Threats in the BFSI Sector
Original Issue Date: May 01, 2025
Severity Rating: Critical
Overview
CERT-In/CSIRT-Fin have intelligence regarding an imminent and coordinated cyber
threat campaign specifically targeting Indian organizations operating within the
Banking, Financial Services, and Insurance (BFSI) sector. Threat actors are reportedly
preparing to launch high-impact cyber-attacks such as ransomware, supply chain
intrusions, DDoS attacks, website defacement, data breach and malware attacks.
These vectors, whether executed individually or in combination, present a serious
threat to the integrity, confidentiality, and availability of BFSI systems and services.
Description
There is a significant likelihood of threat actors leveraging supply chain attack vectors,
wherein they may exploit trusted relationships between organizations and their Third-Party Service Providers (TSPs). Such trust-based access makes it increasingly difficult
to detect malicious activity originating from these providers. Moreover, the threat is not
confined to direct TSPs; attacks may also originate from secondary or “fourth-party”
suppliers and service providers. This layered structure of interdependencies
introduces considerable complexity in both detection and mitigation, making supply
chain attacks particularly challenging and dangerous to defend against.
Further, there is an increased likelihood of sophisticated ransomware attacks and data
breaches across the financial sector. Threat actors may use advanced tactics such as
double extortion, data exfiltration, and exploitation of unpatched vulnerabilities,
targeting both large institutions and less-secured entities. These potential attacks pose
serious risks to data confidentiality, integrity and operational continuity across the BFSI
sector.
Indian BFSI entities are advised to follow the recommendations outlined in “CERT-In
Advisory CIAD-2022-0023 titled ‘Responding to Ransomware Attacks’” for corrective
and protective measures specifically targeting ransomware threats, “CERT-In
Advisory CIAD-2021-0004 titled ‘Preventing Data Breaches / Data leaks’” for strategies
to mitigate the risks associated with data breaches, and “CERT-In Advisory
CIAD-S-2025-01 titled ‘Cyber-attack campaigns against Indian websites and ICT
infrastructure’” for comprehensive guidance on defending against DDoS attacks,
website defacement, and malware infections. These advisories (attached herewith)
provide detailed actions to strengthen defences, minimize potential damage, and
enhance overall cybersecurity resilience. However, these advisories are not to be
considered a substitute for 24x7 heightened vigilance in your Security Operation
Centre and Network Operation Centre. In addition, you are encouraged to ensure that
your business continuity plans and disaster recovery plans are in place to ensure
business resilience. Further, mitigation measures for supply chain attacks are
provided below.
Prevention and mitigation measures for supply chain attacks
Prevention Measures:
1. Third-Party Risk Management:
- Conduct thorough due diligence on vendors and third-party service providers, both
at onboarding and on an ongoing basis for those already onboarded. Assess their
cybersecurity posture, data handling practices, and compliance with industry
standards (e.g., ISO 27001, SOC 2).
- Implement a vendor risk management program to continuously monitor and assess
the security maturity of third-party vendors, including secondary (fourth-party)
suppliers.
- Enforce security clauses in contracts requiring vendors to maintain robust
cybersecurity measures, including incident reporting, access controls, and regular
audits.
2. Limit Vendor Access:
- Implement strict access controls to limit third-party access to only the necessary
systems and data required for their operations. Use multi-factor authentication and
least privilege access principles to minimize exposure.
- Use segmentation within internal networks to isolate third-party access from critical
systems. Restrict vendors' access to sensitive data and infrastructure through secure
channels (e.g., VPNs, Zero Trust networks).
3. Supply Chain Monitoring:
- Establish continuous monitoring of vendor and supplier activities, especially
focusing on any anomalies in software updates or system configurations.
- Use third-party risk assessment tools to regularly scan and assess the security of
supply chain partners, including identifying any known vulnerabilities in their systems
or applications.
4. Software Integrity and Code Review:
- Implement code signing for software and updates to ensure the integrity of the code
provided by third-party vendors. Any unsigned code should be flagged as potentially
malicious.
- Perform regular code reviews and static analysis of third-party applications and
components integrated into internal systems to detect any potential vulnerabilities or
malicious code.
5. Multi-Factor Authentication (MFA):
- Require MFA for all third-party access, especially for sensitive systems and data.
This adds an additional layer of defense, reducing the risk of unauthorized access in
case credentials are compromised.
6. Require and Analyze SBOMs from All Vendors:
- Mandate comprehensive, regularly updated SBOMs (Software Bill of Materials)
from third-party software providers, and automatically analyze them for known
vulnerabilities using trusted databases.
7. Use SBOMs for Continuous Monitoring and Incident Response:
- Maintain an internal SBOM repository to track component dependencies, verify
software integrity, and enable rapid impact assessment during supply chain security
incidents.
- It is advised to adopt and implement CERT-In’s “Technical Guidelines on Software
Bill of Materials (SBOM)” (CISG-2024-02) which provides guidance on creating and
using SBOMs for better software security and risk management.
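The two SBOM items above describe checking vendor SBOMs against a vulnerability database and using an internal SBOM repository for rapid impact assessment. The following is an added example written for this advisory, not code from CERT-In or the CISG-2024-02 guideline; the SBOMs, component names and vulnerability identifiers are constructed placeholders (not real packages or CVEs), and versions are assumed to be dotted integers.

```python
"""Added example: match CycloneDX-style SBOM components against a vulnerability feed
and map each finding back to the applications that ship the affected component.
All SBOM contents and vulnerability IDs here are constructed placeholders."""
import json
from collections import defaultdict

# Constructed internal SBOM repository: application name -> minimal CycloneDX JSON.
SBOM_REPOSITORY = {
    "payments-gateway": json.dumps({"bomFormat": "CycloneDX", "components": [
        {"name": "example-xml-parser", "version": "2.3.1"},
        {"name": "example-tls-lib", "version": "1.0.9"}]}),
    "loan-portal": json.dumps({"bomFormat": "CycloneDX", "components": [
        {"name": "example-xml-parser", "version": "2.4.0"},
        {"name": "example-web-framework", "version": "3.1.2"}]}),
}

# Constructed vulnerability feed (placeholder IDs, NOT real CVEs): a component is
# affected when its version is below "fixed_in".
VULN_FEED = [
    {"id": "VULN-PLACEHOLDER-001", "component": "example-xml-parser", "fixed_in": "2.4.0"},
    {"id": "VULN-PLACEHOLDER-002", "component": "example-tls-lib", "fixed_in": "1.1.0"},
]

def parse_version(v):
    """Assumption for this example: versions are dotted integers ("2.3.1")."""
    return tuple(int(p) for p in v.split("."))

def load_sbom(text):
    """Parse a CycloneDX JSON document into [(normalized name, version)]."""
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("unsupported SBOM format")
    return [(c["name"].lower(), c["version"]) for c in doc.get("components", [])]

def find_vulnerable(components, feed):
    """Return [(name, version, vuln_id)] for components below the fixed version."""
    hits = []
    for name, version in components:
        for v in feed:
            if v["component"].lower() == name and \
                    parse_version(version) < parse_version(v["fixed_in"]):
                hits.append((name, version, v["id"]))
    return hits

def impact_assessment(repo, feed):
    """Map each vulnerability ID to the applications shipping an affected component:
    the 'rapid impact assessment' use of an SBOM repository during an incident."""
    impact = defaultdict(list)
    for app, sbom in repo.items():
        for name, version, vid in find_vulnerable(load_sbom(sbom), feed):
            impact[vid].append((app, name, version))
    return dict(impact)
```

Running `impact_assessment(SBOM_REPOSITORY, VULN_FEED)` answers the incident-time question "which of our applications contain the affected component?" without re-scanning any system.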
Mitigation Measures:
1. Incident Response and Reporting:
- Develop and implement a robust supply chain incident response plan, ensuring all
stakeholders, including third-party vendors, know their roles and responsibilities
during a breach.
- Create a communication protocol with suppliers for prompt reporting of suspected
or confirmed security incidents, including data breaches or compromise of their
systems.
2. Timely Patch Management:
- Work with vendors to ensure timely deployment of patches and security updates.
Establish a patch management program that prioritizes patches based on risk
assessment.
- Monitor vendor-provided updates for any signs of compromise (e.g., trojanized
updates) before deployment to internal systems.
3. Network Segmentation and Isolation:
- Segregate critical internal systems from vendor access via network segmentation.
This reduces the chance that a compromise of a less critical system reaches more
sensitive infrastructure.
- Consider isolating third-party vendor networks from your core infrastructure using
dedicated VLANs or separate subnets, preventing lateral movement if a vendor's
system is compromised.
4. Backup and Recovery:
- Regularly back up critical data and ensure backups are stored in a separate
location (offline or cloud) with strong encryption. Test backup recovery procedures
periodically to ensure rapid restoration in case of a supply chain attack.
- Ensure that backup systems are disconnected from the main network to prevent
them from being affected in the event of ransomware or malware attacks.
5. Supply Chain Simulation and Testing:
- Conduct simulated supply chain attack exercises to assess vulnerabilities in your
supply chain defence mechanisms. Regularly test response plans and ensure staff
are trained to recognize suspicious behaviour from third-party vendors.
- Perform penetration testing that mimics supply chain compromise scenarios,
particularly focusing on the weakest links in vendor integrations and third-party
software components.
6. Zero Trust Architecture:
- Implement a Zero Trust security model where no entity, whether inside or outside
the organization, is trusted by default. Enforce strict identity verification and
authorization for every access request, including from vendors.
Organisations are requested to strictly monitor their ICT infrastructure. If any
suspicious activity is found, preserve all logs as per CERT-In directions of April 28, 2022,
take containment measures and report with all relevant logs to CERT-In/CSIRT-Fin (at
[email protected]) immediately without any delay.