New Tooling
Arkime: Open-Source Network Analysis And Packet Capture System
"Arkime is an open-source system for large-scale network analysis and packet capture. It works with your existing security tools to store and index network traffic in standard PCAP format, making it easy to search and access. The solution includes a simple web interface for browsing, searching, and exporting PCAP files. Arkime also provides APIs for downloading PCAP data and session data in JSON format. Because Arkime uses standard PCAP files, you can analyze the data with other tools, such as Wireshark."
https://www.helpnetsecurity.com/2025/09/15/arkime-open-source-network-analysis-packet-capture-system/
https://github.com/arkime/arkime
Vulnerabilities
New Phoenix Attack Bypasses Rowhammer Defenses In DDR5 Memory
"Academic researchers have devised a new variant of Rowhammer attacks that bypass the latest protection mechanisms on DDR5 memory chips from SK Hynix. A Rowhammer attack works by repeatedly accessing specific rows of memory cells at high-speed read/write operations to cause enough electrical interference to alter the value of the nearby bits from one to zero and vice-versa (bit flipping). An attacker could potentially corrupt data, increase their privileges on the system, execute malicious code, or gain access to sensitive data."
https://www.bleepingcomputer.com/news/security/new-phoenix-attack-bypasses-rowhammer-defenses-in-ddr5-memory/
https://comsec-files.ethz.ch/papers/phoenix_sp26.pdf
https://github.com/comsec-group/phoenix
https://security.googleblog.com/2025/09/supporting-rowhammer-research-to.html
Malware
Hive0154, Aka Mustang Panda, Drops Updated Toneshell Backdoor And Novel SnakeDisk USB Worm
"In July 2025, IBM X-Force discovered new malware attributed to China-aligned threat actor Hive0154. This includes an updated Toneshell variant evading detections and supporting several new features, as well as a novel USB worm called SnakeDisk discovered in mid-August. The worm only executes on devices with Thailand-based IP addresses and drops the Yokai backdoor, discovered by Netskope in December 2024."
https://www.ibm.com/think/x-force/hive0154-drops-updated-toneshell-backdoor
https://thehackernews.com/2025/09/mustang-panda-deploys-snakedisk-usb.html
Inside Maranhão Stealer: Node.js-Powered InfoStealer Using Reflective DLL Injection
"CRIL identified an active Maranhão Stealer campaign that is being distributed through social engineering websites hosted on cloud platforms. Current intelligence indicates that the malware has been active since May 2025 and is actively being developed. The threat actors primarily target gaming users by distributing gaming-related links, cheats, and pirated software downloads. (e.g., hxxps://derelictsgame[.]in/DerelictSetup.zip). The ZIP archives include an Inno Setup installer, which launches a Node.js-compiled binary responsible for exfiltrating credentials."
https://cyble.com/blog/inside-maranhao-stealer-node-js-powered-infostealer/
AI-Driven Deepfake Military ID Fraud Campaign By Kimsuky APT
"On July 17, 2025, the Genians Security Center (GSC) detected a spear-phishing attack attributed to the Kimsuky group. This was classified as an APT attack impersonating a South Korean defense-related institution, disguised as if it were handling ID issuance tasks for military-affiliated officials. The threat actor used ChatGPT, a generative AI, to produce sample ID card images, which were then leveraged in the attack. This is a real case demonstrating the Kimsuky group’s application of deepfake technology."
https://www.genians.co.kr/en/blog/threat_intelligence/deepfake
https://www.infosecurity-magazine.com/news/ai-military-ids-north-korea/
https://hackread.com/north-korea-kimsuky-group-ai-generated-military-ids/
https://www.theregister.com/2025/09/15/north_korea_chatgpt_fake_id/
You’re Invited: Four Phishing Lures In Campaigns Dropping RMM Tools
"Red Canary Intelligence and Zscaler threat hunters have identified multiple campaigns utilizing the RMM tools ITarian (aka Comodo), PDQ, SimpleHelp, and Atera for remote access. Remote monitoring and management (RMM) tools continue to be a favorite tool for adversaries because they offer a veneer of legitimacy as the solutions are often used by IT professionals for remote access, system monitoring, and managing machines."
https://redcanary.com/blog/threat-intelligence/phishing-rmm-tools/
https://www.infosecurity-magazine.com/news/phishing-campaigns-rmm-tools/
https://hackread.com/hackers-rmm-installs-fake-chrome-updates-teams-invite/
Shiny Tools, Shallow Checks: How The AI Hype Opens The Door To Malicious MCP Servers
"In this article, we explore how the Model Context Protocol (MCP) — the new “plug-in bus” for AI assistants — can be weaponized as a supply chain foothold. We start with a primer on MCP, map out protocol-level and supply chain attack paths, then walk through a hands-on proof of concept: a seemingly legitimate MCP server that harvests sensitive data every time a developer runs a tool. We break down the source code to reveal the server’s true intent and provide a set of mitigations for defenders to spot and stop similar threats."
https://securelist.com/model-context-protocol-for-ai-integration-abused-in-supply-chain-attacks/117473/
Ukraine Claims Cyberattacks On Russian Election Systems; Moscow Confirms Disruptions
"Ukraine’s military intelligence agency (HUR) said on Sunday it hacked Russia’s Central Election Commission and other government services in response to voting in occupied Ukrainian regions. The operation coincided with Russia’s “unified voting day,” when regional and local elections are held simultaneously across the country. This year, ballots were also cast in Crimea and other occupied parts of Ukraine. Kyiv and its allies say those elections are illegal."
https://therecord.media/ukraine-claims-ddos-attack-russian-election-system
Phishing Campaign Targets Rust Developers
"Developers publishing crates (binaries and libraries written in Rust) on crates.io, Rust’s main public package registry, have been targeted with emails echoing the recent npm phishing campaign. The emails started hitting developers’ inboxes on Friday, minutes after they published a (new) crate on the registry. The emails – titled “Important: Breach notification regarding crates.io” and made to look like they’ve been sent by the Rust Foundation – claimed that an attacker compromised the crates.io infrastructure and accessed some user information."
https://www.helpnetsecurity.com/2025/09/15/phishing-campaign-targets-rust-developers/
Inside The 2025 Energy Phishing Wave: Chevron, Conoco, PBF, Phillips 66
"Phishing continues to hit critical industries hard, and in 2025 we’ve tracked a sharp rise in domains built to impersonate major U.S. energy companies. The sector is an obvious target: its brands are globally recognized, widely trusted, and therefore valuable to attackers looking to run credential theft or fraud at scale. Drawing on Hunt.io data, this report highlights how adversaries cloned the websites of Chevron, ConocoPhillips, PBF Energy, and Phillips 66. We detail the tactics uncovered, including HTTrack-based site copying, exposed directories, and investment scam templates, and show why so many of these domains slip past vendor detections. The following key takeaways summarize the most important patterns observed across this activity."
https://hunt.io/blog/us-energy-phishing-wave-report
Breaches/Hacks/Leaks
Google Confirms Fraudulent Account Created In Law Enforcement Portal
"Google has confirmed that hackers created a fraudulent account in its Law Enforcement Request System (LERS) platform that law enforcement uses to submit official data requests to the company. "We have identified that a fraudulent account was created in our system for law enforcement requests and have disabled the account," Google told BleepingComputer. "No requests were made with this fraudulent account, and no data was accessed." The FBI declined to comment on the threat actor's claims."
https://www.bleepingcomputer.com/news/security/google-confirms-fraudulent-account-created-in-law-enforcement-portal/
https://databreaches.net/2025/09/15/hackers-claim-access-to-law-enforcement-portals-but-do-they-really-have-access/
FinWise Insider Breach Impacts 689K American First Finance Customers
"FinWise Bank is warning on behalf of corporate customers that it suffered a data breach after a former employee accessed sensitive files after the end of their employment. "On May 31, 2024, FinWise experienced a data security incident involving a former employee who accessed FinWise data after the end of their employment," reads a data breach notification sent by FinWise on behalf of American First Finance (AFF). American First Finance (AFF) is a company that offers consumer financing products, including installment loans and lease-to-own programs, for a diverse range of products and services. Customers use AFF to apply for and manage the loans, with the company handling the services, account setup, repayment process, and customer support."
https://www.bleepingcomputer.com/news/security/finwise-insider-breach-impacts-689k-american-first-finance-customers/
https://www.securityweek.com/689000-affected-by-insider-breach-at-finwise-bank/
https://www.theregister.com/2025/09/15/finwise_insider_data_breach/
Update: Kering Confirms Gucci And Other Brands Hacked; Claims No Conversations With Hackers?
"On September 11, DataBreaches broke the story that customers of several high-end fashion brands owned by Paris-headquartered Kering had their personal information acquired by ShinyHunters as part of two Salesforce attacks. As we reported, a spokesperson for ShinyHunters claimed to have acquired more than 43 million customer records from Gucci and almost 13 million records from Balenciaga, Brioni, and Alexander McQueen combined."
https://databreaches.net/2025/09/15/update-kering-confirms-gucci-and-other-brands-hacked-claims-no-conversations-with-hackers/
https://www.bbc.com/news/articles/crl5j8ld615o
https://securityaffairs.com/182236/cyber-crime/hackers-steal-millions-of-gucci-balenciaga-and-alexander-mcqueen-customer-records.html
West Virginia Credit Union Notifying 187,000 People Impacted By 2023 Data Breach
"Fairmont Federal Credit Union is notifying over 187,000 individuals that their personal and financial information was stolen in a two-year-old data breach. A not-for-profit financial organization, Fairmont Federal Credit Union offers services such as business and home mortgage loans, financial first aid, and personal checking. It operates nine regional branches in West Virginia. The organization discovered the cybersecurity incident on January 23, 2024 and launched a prompt and thorough forensic investigation, concluding on August 17, 2025, that files stolen from its network contained personal information."
https://www.securityweek.com/west-virginia-credit-union-notifying-187000-people-impacted-by-2023-data-breach/
https://securityaffairs.com/182217/data-breach/fairmont-federal-credit-union-2023-data-breach-impacted-187k-people.html
Uvalde School District Says Ransomware Attack Forcing Closure Until Thursday
"A ransomware attack has forced the public school district in Uvalde, Texas, to shut down for most of the week as officials attempt to restore systems. The Uvalde Consolidated Independent School District serves about 5,000 students in Uvalde County as well as parts of Zavala and Real counties. Anne Marie Espinoza, chief of communications for the school district, said on social media this weekend that they are dealing with a “significant technology incident.” “Ransomware has been detected within our district’s servers, severely affecting access to essential systems like phones, AC controls, camera monitoring, visitor management, Skyward, and more,” she said."
https://therecord.media/uvalde-texas-school-district-temporarily-closing-ransomware
General News
Most Enterprise AI Use Is Invisible To Security Teams
"Most enterprise AI activity is happening without the knowledge of IT and security teams. According to Lanai, 89% of AI use inside organizations goes unseen, creating risks around data privacy, compliance, and governance. This blind spot is growing as AI features are built directly into business tools. Employees often connect personal AI accounts to work devices or use unsanctioned services, making it difficult for security teams to monitor usage. Lanai says this lack of visibility leaves companies exposed to data leaks and regulatory violations."
https://www.helpnetsecurity.com/2025/09/15/lanai-enterprise-ai-visibility-tools/
Static Feeds Leave Intelligence Teams Reacting To Irrelevant Or Late Data
"Boards and executives are not asking for another feed of indicators. They want to know whether their organization is being targeted, how exposed they are, and what steps need to be taken. A new report from Flashpoint argues that most current intelligence models cannot keep up with these demands and that primary source collection (PSC) should become the standard approach."
https://www.helpnetsecurity.com/2025/09/15/primary-source-collection-intelligence-model/
When ‘Minimal Impact’ Isn’t Reassuring: Lessons From The Largest Npm Supply Chain Compromise
"Earlier this week, Aikido Security disclosed what is being described as the largest npm supply chain compromise to date. Attackers successfully injected malicious code into 18 popular npm packages, collectively accounting for more than 2.6 billion weekly downloads. The entire campaign began not with a technical exploit, but with a single, well-trained maintainer clicking on a convincingly crafted phishing email."
https://cyberscoop.com/npm-supply-chain-compromise-brian-fox-sonatype-op-ed/
Building Resilient IT Infrastructure From The Start
"For years, the cybersecurity industry has put an emphasis on protecting network infrastructure. But as innovations have focused on firewalls and intrusion detection systems, other forms of IT infrastructure — which are mission-critical to operations — were left exposed. Beyond the perimeter, IT infrastructure remains one of the most overlooked attack surfaces in the enterprise. Increasing complexity in hybrid environments has complicated matters, both impeding zero-trust adoption and creating a target for adversaries."
https://www.darkreading.com/vulnerabilities-threats/building-resilient-it-infrastructure
Zero Trust Is 15 Years Old — Why Full Adoption Is Worth The Struggle
"The implementation of zero trust is essential for cybersecurity: but after 15 years, we’re still not there. Implementation is like the curate’s egg: good in parts. Zero Trust turned fifteen years old on September 14, 2025. Its invention was announced with Forrester’s publication of John Kindervag’s paper, No More Chewy Centers: Introducing The Zero Trust Model of Information Security, on that date in 2010 (archived here)."
https://www.securityweek.com/zero-trust-is-15-years-old-why-full-adoption-is-worth-the-struggle/
New Zealand Sanctions Russian Military Hackers Over Cyberattacks On Ukraine
"New Zealand has imposed sanctions on Russian military intelligence hackers accused of cyberattacks on Ukraine, including members of a notorious hacking unit previously tied to destructive malware campaigns. The sanctions announced Friday target Unit 29155 of Russia’s GRU intelligence agency. Western security agencies say the unit — also tracked by researchers as Cadet Blizzard and Ember Bear — has been involved in espionage, sabotage, and assassination plots across Europe. It was behind the 2022 WhisperGate malware attack on Ukrainian government networks ahead of Moscow’s full-scale invasion."
https://therecord.media/new-zealand-russia-gru-ukraine
Huntress Threat Advisory: The Dangers Of Storing Unencrypted Passwords
"This is an offshoot of our other blog, "Huntress Threat Advisory: Active Exploitation of SonicWall VPNs," which allowed initial access and was followed by the rapid deployment of Akira ransomware across the victim environment. This blog outlines an interesting individual case from within that timeframe. TL;DR: The threat actor entered through the organization’s SonicWall device. When searching through the host, the threat actor found a plaintext file on the user’s desktop that contained the client's Huntress recovery codes. The threat actor then used these codes to enter the client’s Huntress portal and began remediating reports and uninstalling hosts isolated by Huntress."
https://www.huntress.com/blog/dangers-of-storing-unencrypted-passwords
https://www.theregister.com/2025/09/15/ransomware_recovery_codes_plaintext/
The Risks Of Code Assistant LLMs: Harmful Content, Misuse And Deception
"We recently looked into AI code assistants that connect with integrated development environments (IDEs) as a plugin, much like GitHub Copilot. We found that both users and threat actors could misuse code assistant features like chat, auto-completion and writing unit tests for harmful purposes. This misuse includes injecting backdoors, leaking sensitive information and generating harmful content."
https://unit42.paloaltonetworks.com/code-assistant-llms/
Reference
Electronic Transactions Development Agency (ETDA)