
Free Threat Intel for Financial Services: 80+ IOCs Covering SOX, Chinese Walls, and Ransomware

  • Writer: Patrick Duggan
  • Nov 30, 2025
  • 3 min read

TL;DR: We published 3 OTX pulses with 80+ financial-sector IOCs covering Clop/MOVEit supply chain attacks, LockBit/BlackBasta ransomware, and SOX Section 404 compliance indicators. Free. No paywall. Mapped to SEC, FINRA, and NY DFS requirements.




The Regulatory Problem


FS-ISAC reported 406 financial sector ransomware victims between April 2024 and April 2025. The SEC now treats ransomware as a potential material weakness requiring 8-K disclosure within 4 business days. NY DFS 23 NYCRR Part 500 mandates specific cybersecurity controls.


The audit committee asks: "How do we know our Chinese Wall is intact?"


The CISO answers: "We monitor for these indicators."


The Three Pulses


Pulse 1: Supply Chain Attacks - Clop MOVEit + GoAnywhere **30 IOCs** | [Subscribe](https://otx.alienvault.com/pulse/692cbdd81c9e491ba2e3a201)


The file transfer apocalypse. Clop exploited MOVEit (CVE-2023-34362) and GoAnywhere (CVE-2023-0669) to hit 2,773 organizations including Bank of America (57K customers exposed).



• 40+ SHA256 hashes (LEMURLOOT web shell variants)

• 60+ C2 IPs from both campaigns

• 4 CVEs (MOVEit, GoAnywhere, Cleo, Oracle EBS)

• Phishing domains (fake Zoom installers)


If you run MOVEit or any file transfer appliance, subscribe to this pulse.


Pulse 2: Ransomware - LockBit + BlackBasta + Lazarus **28 IOCs** | [Subscribe](https://otx.alienvault.com/pulse/692cbe4c87d612455d6b0c77)


LockBit hit ICBC and disrupted $9B in US Treasury settlement. BlackBasta targeted 500+ organizations including finance. Lazarus/APT38 stole $81M from Bangladesh Bank via SWIFT.



• Citrix Bleed campaign IPs (20 C2 addresses)

• LockBit payload hashes (8 SHA256)

• CVEs for initial access (Citrix, ConnectWise, Log4j, ZeroLogon)

• QakBot persistence indicators


This is the "too big to fail" ransomware pulse.


Pulse 3: SOX 404 + Chinese Wall Control Indicators **24 IOCs** | [Subscribe](https://otx.alienvault.com/pulse/692cbe715ca1bdece7a1675b)


This is the one your auditors will love.


Mapped attack patterns to regulatory violations:


| Attack Tool | Control Bypassed | Regulatory Implication |
|-------------|------------------|------------------------|
| BloodHound | Chinese Wall enumeration | Information barrier breach |
| Mimikatz | Credential harvesting | Segregation of duties failure |
| vssadmin delete | Shadow copy destruction | SEC 17a-4 recordkeeping violation |
| wevtutil cl | Event log clearing | FINRA 3110 audit trail gap |
| net group 'domain admins' | Access boundary mapping | Chinese Wall reconnaissance |


Why this matters: If your SIEM alerts on these patterns, you have documented due diligence. If you ignore them, you have negligence.
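A detection pass over process-creation events, added here as an example (it is not code from the pulse or from DugganUSA): it matches command lines against the five patterns in the table above and attaches the control bypassed and the regulatory implication to each hit, so the alert already carries the language the audit committee asks about. The log line format, hostnames, user names, timestamps and the rule regexes are assumptions constructed for this example; tune the regexes to your own telemetry before relying on them.

```python
import re

# Detection rules derived from the table above. Each entry pairs a
# case-insensitive regex over a process command line with the tool name,
# the control it bypasses and the regulatory implication. The regexes are
# example assumptions, not the pulse's own indicators.
RULES = [
    (r"bloodhound|sharphound", "BloodHound",
     "Chinese Wall enumeration", "Information barrier breach"),
    (r"mimikatz|sekurlsa::logonpasswords", "Mimikatz",
     "Credential harvesting", "Segregation of duties failure"),
    (r"vssadmin(\.exe)?\s+delete\s+shadows", "vssadmin delete",
     "Shadow copy destruction", "SEC 17a-4 recordkeeping violation"),
    (r"wevtutil(\.exe)?\s+cl\b", "wevtutil cl",
     "Event log clearing", "FINRA 3110 audit trail gap"),
    (r"""net1?(\.exe)?\s+group\s+["']?domain admins""", "net group 'domain admins'",
     "Access boundary mapping", "Chinese Wall reconnaissance"),
]
COMPILED = [(re.compile(p, re.IGNORECASE), tool, control, reg)
            for p, tool, control, reg in RULES]

# One process-creation event per line, flattened to key=value fields
# (assumed format; a Sysmon or 4688 export would need its own parser).
LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+cmd="(?P<cmd>.*)"$')

# Constructed sample events: hosts, users, timestamps and commands are made up.
SAMPLE_LOG = r"""
2025-11-30T09:58:11Z host=WS-FIN-07 user=jdoe cmd="C:\Windows\System32\notepad.exe report.txt"
2025-11-30T10:01:02Z host=WS-FIN-07 user=jdoe cmd="net group 'domain admins' /domain"
2025-11-30T10:03:45Z host=WS-FIN-07 user=jdoe cmd="C:\tools\SharpHound.exe -c All"
2025-11-30T10:07:19Z host=SRV-ADV-02 user=SYSTEM cmd="vssadmin.exe delete shadows /all /quiet"
2025-11-30T10:07:30Z host=SRV-ADV-02 user=SYSTEM cmd="wevtutil.exe cl Security"
2025-11-30T10:09:00Z host=SRV-ADV-02 user=svc_backup cmd="wevtutil.exe qe Security /c:5"
"""


def scan(log_text):
    """Return one finding per (event, matching rule), with the control mapping attached."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a process-creation event in the assumed format
        cmd = m.group("cmd")
        for rx, tool, control, reg in COMPILED:
            if rx.search(cmd):
                findings.append({
                    "ts": m.group("ts"), "host": m.group("host"), "user": m.group("user"),
                    "tool": tool, "control_bypassed": control,
                    "regulatory_implication": reg, "cmd": cmd,
                })
    return findings


def by_regulation(findings):
    """Count findings per regulatory implication, the view an audit summary wants."""
    counts = {}
    for f in findings:
        key = f["regulatory_implication"]
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ts"]} {h["host"]} {h["user"]}: {h["tool"]} -> '
              f'{h["control_bypassed"]} ({h["regulatory_implication"]})')
    print(by_regulation(hits))
```

The benign `wevtutil qe` query in the sample is deliberately left unmatched: the rule keys on the `cl` (clear-log) verb, which is the action the table ties to the FINRA 3110 audit-trail gap, so routine log reads do not page anyone.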




SOX Material Weakness: The New Cyber Risk


The SEC's position: A cybersecurity incident *can* constitute a material weakness in ICFR (Internal Control over Financial Reporting) if:


1. It demonstrates control deficiency - Your controls didn't prevent or detect the attack
2. There's reasonable possibility - The incident could result in material misstatement
3. Magnitude matters - Ransomware demanding $10M+ qualifies


The Bank of America example: Incident in November 2023, public notification in February 2024. That's a 90-day gap. The SEC wants 4 business days.


Our thesis: If you're actively monitoring for these IOCs and can demonstrate detection capability, you're in a stronger position when the inevitable breach occurs.




Chinese Wall: It's Not Just Policy


For investment banks, the "Chinese Wall" (information barrier) prevents conflicts between advisory and trading desks. A cyber breach that crosses this barrier is:



• Regulatory violation (SEC, FINRA)

• Client notification trigger

• Potential litigation exposure



Active Directory enumeration tooling to watch for:

• `Get-ADGroupMember` - PowerShell group enumeration

• `BloodHound` - Attack path visualization

• `ADRecon` - Full AD structure mapping


If attackers can map your AD, they can map your Chinese Wall.




How to Use This


Option 1: OTX Integration

If your SIEM has OTX integration, subscribe and ingest automatically.


Option 2: STIX Feed

```
https://analytics.dugganusa.com/api/v1/stix-feed
```

Machine-readable. Works with any STIX 2.1 consumer.
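A minimal STIX 2.1 consumer, added here as an example rather than code from the feed or its publisher: it takes a bundle, keeps only current, non-revoked `indicator` objects whose `pattern_type` is `stix`, splits each pattern into its comparison expressions and normalizes them into a per-type lookup table a SIEM can load. The embedded bundle and every id, hash, address and domain in it are constructed placeholders (RFC 5737 test addresses, a `.example` domain, a non-real hash), the `AS_OF` date is the post date, and the `fetch_bundle` helper assumes the feed answers with a bundle as its JSON body.

```python
import json
import re
from datetime import datetime, timezone

# Constructed STIX 2.1 bundle standing in for a feed response. Nothing in it
# is a live indicator: placeholder ids, a fake hash, test-net addresses.
SAMPLE_BUNDLE = json.loads(r"""
{
  "type": "bundle",
  "id": "bundle--00000000-0000-4000-8000-000000000001",
  "objects": [
    {"type": "indicator", "spec_version": "2.1",
     "id": "indicator--00000000-0000-4000-8000-000000000010",
     "created": "2025-11-30T00:00:00.000Z", "modified": "2025-11-30T00:00:00.000Z",
     "name": "Web shell variant (placeholder hash)", "pattern_type": "stix",
     "valid_from": "2025-11-30T00:00:00.000Z", "valid_until": "2026-06-01T00:00:00.000Z",
     "pattern": "[file:hashes.'SHA-256' = '0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef']"},
    {"type": "indicator", "spec_version": "2.1",
     "id": "indicator--00000000-0000-4000-8000-000000000011",
     "created": "2025-11-30T00:00:00.000Z", "modified": "2025-11-30T00:00:00.000Z",
     "name": "C2 address (placeholder)", "pattern_type": "stix",
     "valid_from": "2025-11-30T00:00:00.000Z",
     "pattern": "[ipv4-addr:value = '203.0.113.10']"},
    {"type": "indicator", "spec_version": "2.1",
     "id": "indicator--00000000-0000-4000-8000-000000000012",
     "created": "2023-06-01T00:00:00.000Z", "modified": "2023-06-01T00:00:00.000Z",
     "name": "Expired phishing domain (placeholder)", "pattern_type": "stix",
     "valid_from": "2023-06-01T00:00:00.000Z", "valid_until": "2024-01-01T00:00:00.000Z",
     "pattern": "[domain-name:value = 'zoom-installer.example']"},
    {"type": "indicator", "spec_version": "2.1",
     "id": "indicator--00000000-0000-4000-8000-000000000013",
     "created": "2025-11-30T00:00:00.000Z", "modified": "2025-11-30T00:00:00.000Z",
     "name": "Withdrawn address (placeholder)", "revoked": true, "pattern_type": "stix",
     "valid_from": "2025-11-30T00:00:00.000Z",
     "pattern": "[ipv4-addr:value = '198.51.100.7']"},
    {"type": "indicator", "spec_version": "2.1",
     "id": "indicator--00000000-0000-4000-8000-000000000014",
     "created": "2025-11-30T00:00:00.000Z", "modified": "2025-11-30T00:00:00.000Z",
     "name": "Two C2 addresses in one pattern (placeholder)", "pattern_type": "stix",
     "valid_from": "2025-11-30T00:00:00.000Z",
     "pattern": "[ipv4-addr:value = '192.0.2.44' OR ipv4-addr:value = '192.0.2.45']"},
    {"type": "malware", "spec_version": "2.1",
     "id": "malware--00000000-0000-4000-8000-000000000020",
     "created": "2025-11-30T00:00:00.000Z", "modified": "2025-11-30T00:00:00.000Z",
     "name": "Placeholder malware object", "is_family": false}
  ]
}
""")

# Evaluation time for validity checks; fixed to the post date for the example.
AS_OF = datetime(2025, 11, 30, tzinfo=timezone.utc)

# One STIX comparison expression: <object-type>:<object-path> = '<value>'.
# Handles the common equality form, including file:hashes.'SHA-256'; it does
# not cover LIKE/MATCHES or AND-joined observation expressions.
COMPARISON = re.compile(r"([\w-]+):([\w.'-]+)\s*=\s*'([^']*)'")


def parse_ts(s):
    """STIX timestamps end in Z; make them offset-aware for comparison."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def ioc_type(obj_type, path):
    """Normalize a STIX object type/path to a short SIEM-friendly IOC type."""
    if obj_type == "file" and path.startswith("hashes."):
        return path[len("hashes."):].strip("'").lower().replace("-", "")  # sha256, md5 ...
    return {"ipv4-addr": "ipv4", "ipv6-addr": "ipv6",
            "domain-name": "domain", "url": "url"}.get(obj_type, obj_type)


def extract_iocs(bundle, now):
    """Flatten current, non-revoked STIX indicators into {type, value, name, indicator_id}."""
    iocs = []
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        if obj.get("revoked"):
            continue  # producer withdrew it; do not keep alerting on it
        until = obj.get("valid_until")
        if until and parse_ts(until) <= now:
            continue  # stale indicator; leaving it in only generates noise
        for obj_type, path, value in COMPARISON.findall(obj["pattern"]):
            iocs.append({"type": ioc_type(obj_type, path), "value": value,
                         "name": obj.get("name", ""), "indicator_id": obj["id"]})
    return iocs


def to_lookup(iocs):
    """Group values by IOC type, the shape a SIEM lookup table or watchlist takes."""
    table = {}
    for i in iocs:
        table.setdefault(i["type"], set()).add(i["value"])
    return table


def fetch_bundle(url):
    """Live fetch (not exercised offline); assumes the feed body is a STIX bundle in JSON."""
    from urllib.request import urlopen
    with urlopen(url, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    for t, values in sorted(to_lookup(extract_iocs(SAMPLE_BUNDLE, AS_OF)).items()):
        print(t, sorted(values))
```

To run against the real feed, replace `SAMPLE_BUNDLE` with `fetch_bundle("https://analytics.dugganusa.com/api/v1/stix-feed")` and pass `datetime.now(timezone.utc)` instead of `AS_OF`; the expiry and revocation checks are what keep a free feed from turning into a pile of dead indicators in the watchlist.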


Option 3: Compliance Documentation

Download the IOC lists, add to your control documentation. When auditors ask "How do you monitor for threats?", you have an answer.




The Uncomfortable Conversation


Most financial institutions pay $50K-$200K/year for threat intel that sits in a dashboard nobody watches. We're publishing 80+ actionable IOCs for free because:


1. We make money on consulting, not paywalled IOCs
2. Sharing raises the floor for everyone
3. Your auditor will ask about threat monitoring


FS-ISAC does great work, but membership costs money. CISA publishes advisories, but who has time to parse government PDFs? We extracted the IOCs so you don't have to.




Resources



• [DugganUSA OTX Profile](https://otx.alienvault.com/user/pduggusa) - 18 pulses, 1,134+ indicators

• [STIX Feed](https://analytics.dugganusa.com/api/v1/stix-feed) - Machine-readable

• [CISA AA23-158A](https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-158a) - Clop/MOVEit advisory

• [CISA AA23-325A](https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-325a) - LockBit Citrix Bleed

• [CISA AA24-131A](https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-131a) - BlackBasta advisory

• [FS-ISAC Navigating Cyber 2025](https://www.fsisac.com/navigatingcyber2025) - Annual threat report

• [NY DFS Industry Letter](https://www.dfs.ny.gov/industry_guidance/industry_letters/il20250623_impact-global-conflict) - June 2025 guidance




*Patrick Duggan is founder of DugganUSA, a Minnesota-based security company. He spent the stone ages of PowerShell and VBScript enforcing Chinese Walls before there were frameworks for it. He believes threat intel should be shared, compliance should be demonstrable, and auditors deserve better than "we have a SIEM."*


*Questions? Reach out: [email protected]*

