June 2025 Security Issues in Korean & Global Financial Sector

This report highlights significant cyber threats targeting the financial sector, including a major breach exposing the personal data of 44 million Indonesian users, sold by the threat actor Bjorka, and a ransomware attack by the Everest group on J*** Bank in Jordan. It emphasizes the need for enhanced security measures in financial institutions, such as real-time protection systems and breach response plans. #Bjorka #EverestRansomware #M***id #J***Bank

Keypoints

  • The threat actor Bjorka sold a 30 GB dataset containing personal data of 44 million users of the Indonesian digital payment platform M*** on BreachForums in November 2022.
  • The leaked data from M*** includes sensitive information like customer IDs, identification numbers, account statuses, and activation codes, increasing the risk of account takeover and fraud.
  • The Everest ransomware group targeted J*** Bank in Jordan, stealing 11.7 GB of internal data including employee information and trade secrets, and threatened to release the full dataset.
  • The ransomware attack on J*** Bank exposed vulnerabilities in multiple business systems, highlighting the need for stronger internal defense such as privilege separation and two-factor authentication.
  • Financial institutions are urged to implement real-time protection measures like abnormal login notifications and account takeover detection to mitigate secondary damage from leaked data.
  • Regular training and automated incident response processes are critical for banks to effectively respond to data breaches and ransomware threats.
  • The trading and reuse of leaked data among cybercriminals are increasing, underscoring the importance of continuous security vulnerability assessments for organizations.

MITRE Techniques

  • [T1486] Data Encrypted for Impact – Everest ransomware encrypted and stole 11.7 GB of internal company data affecting J*** Bank. (“…the ransomware group Everest claimed responsibility for the attack… and leaked data…”)
  • [T1078] Valid Accounts – The article recommends implementing account takeover detection and abnormal login notification systems, implying the threat actors may leverage compromised credentials. (“…measures such as real-time protection systems, including account takeover detection…”)
  • [T1537] Transfer Data to Cloud Account – The large 12.1 GB compressed file posted by Everest ransomware group suggests data exfiltration across multiple systems. (“…a 12.1 GB compressed file is currently available for download…”)

Indicators of Compromise

  • [File Hashes] Everest ransomware attack on J*** Bank – 0951f60ff64db5f868301e3285a49231, 26b1a8a50619f48acd83e82a350d1c93, and 3 more hashes
  • [Data Sets] Breach of M***.id user database – 30 GB dataset containing personal data of 44 million users

Read more: https://asec.ahnlab.com/en/88936/