Posted On June 5, 2026

EQST Insight February 2025: Financial Network Separation Reform, FunkSec & XWiki RCE


📄 Original Report (PDF): Download EQST Insight 2025 February →

EQST’s February 2025 report tackles Korea’s evolving financial sector network separation regulations, the rise of FunkSec as a data-auction-focused threat actor, and a remote code execution vulnerability in the XWiki enterprise wiki platform (CVE-2024-55879).

Headline: Network Separation Reform for Korea’s Financial Sector

Korea’s Financial Services Commission proposed a reform of the mandatory network separation requirements that have long governed how financial institutions must isolate their internal networks from the internet. The existing rules — designed in an era before cloud and SaaS were ubiquitous — have created significant operational friction without always improving security outcomes. The proposed reform moves toward a risk-based model: institutions can connect internal financial systems to the internet if they implement equivalent compensating controls (strong authentication, DLP, behavioural monitoring, etc.) and obtain regulatory approval. EQST analysts caution that relaxed network separation must be accompanied by significantly improved monitoring and detection capabilities, or it will increase rather than decrease risk.

Keep Up with Ransomware: FunkSec — Beyond RaaS to Data Auctions

FunkSec represents a departure from conventional ransomware operations. Rather than focusing on encryption-based extortion, FunkSec prioritises data theft and operates a dark web marketplace where stolen data is auctioned to the highest bidder. This model is dangerous for victims because payment of a traditional ransom does not resolve the data exposure threat — data may be sold to competitors, nation-state actors, or multiple buyers. EQST analysed FunkSec’s auction mechanics, noting that the group has developed a sophisticated reputation system to build buyer trust. Organisations should treat any ransomware incident as a potential data exfiltration event and prepare communications for regulators and affected parties regardless of whether a ransom is paid.

Research & Technique: XWiki RCE — CVE-2024-55879

EQST disclosed CVE-2024-55879, a server-side template injection (SSTI) vulnerability in XWiki, the open-source enterprise wiki used extensively in corporate knowledge management and documentation. By inserting malicious XWiki syntax into a wiki page that is rendered server-side, an attacker with page-edit access can execute arbitrary code on the XWiki server. The vulnerability is particularly dangerous because wiki platforms are often granted broad internal access and may contain sensitive corporate information. XWiki has released a patch, and EQST recommends upgrading immediately and reviewing which users have page-edit permissions.

Source: SK Shieldus EQST Insight, February 2025 — skshieldus.com
