Financial Sector
August 2025 Security Issues In Korean & Global Financial Sector
"This report comprehensively covers actual cyber threats and security issues related to financial companies in South Korea and abroad. This article includes an analysis of malware and phishing cases distributed to the financial sector, the top 10 malware strains targeting the financial sector, and the industry statistics of leaked Korean accounts on Telegram. A detailed look into the phishing email distribution case targeting the financial sector is also covered."
https://asec.ahnlab.com/en/90110/
Healthcare Sector
Attackers Are Coming For Drug Formulas And Patient Data
"In the pharmaceutical industry, clinical trial data, patient records, and proprietary drug formulas are prime targets for cybercriminals. These high-value assets make the sector a constant focus for attacks. Disruptions to research or medicine distribution can have life-threatening consequences. “During global health crises, cyber attackers swiftly exploit vulnerabilities. The COVID-19 pandemic saw a fivefold increase in phishing attempts targeting WHO, with attackers impersonating leadership to distribute malware,” said Flavio Aggio, CISO at the World Health Organization."
https://www.helpnetsecurity.com/2025/09/12/ciso-pharma-cybersecurity-risks/
Vulnerabilities
Samsung Patches Actively Exploited Zero-Day Reported By WhatsApp
"Samsung has patched a remote code execution vulnerability that was exploited in zero-day attacks targeting its Android devices. Tracked as CVE-2025-21043, this critical security flaw affects Samsung devices running Android 13 or later and was reported by the security teams of Meta and WhatsApp on August 13. As Samsung explains in a recently updated advisory, this vulnerability was discovered in libimagecodec.quram.so (a closed-source image parsing library developed by Quramsoft that implements support for various image formats) and is caused by an out-of-bounds write weakness that allows attackers to execute malicious code on vulnerable devices remotely."
https://www.bleepingcomputer.com/news/security/samsung-patches-actively-exploited-zero-day-reported-by-whatsapp/
https://thehackernews.com/2025/09/samsung-fixes-critical-zero-day-cve.html
https://securityaffairs.com/182135/hacking/samsung-fixed-actively-exploited-zero-day.html
https://www.theregister.com/2025/09/12/samsung_fixes_android_0day/
https://hackread.com/samsung-android-image-parsing-vulnerability-attacks/
NFC Card Vulnerability Exploitation Leading To Free Top-Up In KioSoft "Stored Value" Unattended Payment Solution (Mifare)
"Some KioSoft customers currently use outdated MiFare Classic cards in "Stored Value" Unattended Payment Solutions from KioSoft. A new detection algorithm has been rolled out through firmware according to KioSoft. As a long-term fix, hardware changes with a new reader and secure cards are planned as well. KioSoft understands that its customers continually take steps to track suspicious activity as routine. Mifare Classic cards have been found to be vulnerable to attacks in the past, allowing these cards to be modified or copied. A short-term solution may be to transition away from the Stored Value Payment System to the Online Payment System of KioSoft, which does not have this vulnerability according to the vendor."
https://sec-consult.com/vulnerability-lab/advisory/nfc-card-vulnerability-exploitation-leading-to-free-top-up-kiosoft-payment-solution/
https://www.securityweek.com/payment-system-vendor-took-year-to-patch-infinite-card-top-up-hack-security-firm/
Malware
Introducing HybridPetya: Petya/NotPetya Copycat With UEFI Secure Boot Bypass
"ESET Research has discovered HybridPetya on the VirusTotal sample sharing platform. It is a copycat of the infamous Petya/NotPetya malware, adding the capability of compromising UEFI-based systems and weaponizing CVE-2024-7344 to bypass UEFI Secure Boot on outdated systems."
https://www.welivesecurity.com/en/eset-research/introducing-hybridpetya-petya-notpetya-copycat-uefi-secure-boot-bypass/
https://www.bleepingcomputer.com/news/security/new-hybridpetya-ransomware-can-bypass-uefi-secure-boot/
https://thehackernews.com/2025/09/new-hybridpetya-ransomware-bypasses.html
https://www.bankinfosecurity.com/hybridpetya-crypto-locker-outsmarts-uefi-secure-boot-a-29437
https://www.helpnetsecurity.com/2025/09/12/hybridpetya-ransomware-secure-boot-bypass/
https://www.theregister.com/2025/09/12/hopefully_just_a_poc_hybridpetya/
https://securityaffairs.com/182149/malware/hybridpetya-ransomware-bypasses-uefi-secure-boot-echoing-petya-notpetya.html
Meet Yurei: The New Ransomware Group Rising From Open-Source Code
"A new ransomware group calling itself Yurei has appeared on the cyber crime scene, and it wasted no time in making headlines. First observed on September 5 by Check Point Research, the group listed its first victim, a food manufacturing company in Sri Lanka, on its darknet site. Within just a few days, two more victims, one in India and one in Nigeria, were added. Yurei’s quick rise illustrates a growing challenge: how easily cyber criminals can turn open-source malware into real-world ransomware operations, even with limited skills and effort."
https://blog.checkpoint.com/research/meet-yurei-the-new-ransomware-group-rising-from-open-source-code/
SEO Poisoning Attack Targets Chinese-Speaking Users With Fake Software Sites
"In August 2025, FortiGuard Labs identified an SEO poisoning campaign aimed at Chinese-speaking users. The attackers manipulated search rankings with SEO plugins and registered lookalike domains that closely mimicked legitimate software sites. By using convincing language and small character substitutions, they tricked victims into visiting spoofed pages and downloading malware."
https://www.fortinet.com/blog/threat-research/seo-poisoning-attack-targets-chinese-speaking-users-with-fake-software-sites
https://hackread.com/seo-poisoning-attack-windows-hiddengh0st-winos-malware/
Massive L7 DDoS Botnet Expands To 5.76M Devices, Qrator Labs Reports
"On September 1, 2025, Qrator.AntiDDoS detected and mitigated another large-scale attack carried out by the largest L7 DDoS botnet observed to date. The target was an organization in the government sector. In total, 5.76 million IP addresses were blocked during the incident. Qrator Labs has been monitoring this botnet for several months. The first attack, recorded on March 26, targeted an organization in the online betting sector. It involved about 1.33 million IP addresses, mostly from Brazil, Argentina, Russia, Iraq, and Mexico. A second incident followed on May 16, this time hitting an organization in the government sector, with the botnet already grown to 4.6 million devices. Most of the traffic originated from IP addresses in Brazil, the United States, Vietnam, India, and Argentina."
https://qrator.net/blog/details/massive-l7-ddos-botnet-expands-to-576m-devices-qra
https://hackread.com/qrator-labs-mitigate-l7-ddos-attack-5-76m-botnet/
FBI Warns Of UNC6040 And UNC6395 Targeting Salesforce Platforms In Data Theft Attacks
"The U.S. Federal Bureau of Investigation (FBI) has issued a flash alert to release indicators of compromise (IoCs) associated with two cybercriminal groups tracked as UNC6040 and UNC6395 for a string of data theft and extortion attacks. "Both groups have recently been observed targeting organizations' Salesforce platforms via different initial access mechanisms," the FBI said."
https://thehackernews.com/2025/09/fbi-warns-of-unc6040-and-unc6395.html
https://www.ic3.gov/CSA/2025/250912.pdf
https://www.bleepingcomputer.com/news/security/fbi-warns-of-unc6040-unc6395-hackers-stealing-salesforce-data/
https://securityaffairs.com/182159/cyber-crime/fbi-warns-of-salesforce-attacks-by-unc6040-and-unc6395-groups.html
WhiteCobra's Playbook Exposed: Critical Mistake Reveals 24-Extension Campaign Targeting VS Code And Cursor
"A new wave of 24 malicious extensions targeting VSCode, Cursor and Windsurf users has infiltrated the VSCode and OpenVSX marketplaces over the past month, and now we know exactly how they did it. Today we unveil a coordinated campaign by a threat actor group nicknamed WhiteCobra that we’ve been tracking for over a year. This is the same group behind the $500K crypto theft revealed two months ago and a slew of malicious extensions published on the VSCode and OpenVSX marketplaces in 2024 and 2025, and now they're back with evolved tactics."
https://www.koi.security/blog/whitecobra-vscode-cursor-extensions-malware
https://www.bleepingcomputer.com/news/security/whitecobra-floods-vscode-market-with-crypto-stealing-extensions/
Breaches/Hacks/Leaks
Vietnam, Panama Governments Suffer Incidents Leaking Citizen Data
"Data from the government organizations in Vietnam and Panama was stolen by hackers in multiple cyber incidents that came to light this week. Vietnam’s state news outlet said the country’s Cyber Emergency Response Team (VNCERT) confirmed that it received a report of an incident impacting the National Credit Information Center (CIC), which is run by the State Bank of Vietnam and manages credit information for the country’s citizens and businesses. VNCERT said initial reports show that personal data was leaked as a result of the attack. The organization is now coordinating with multiple agencies and state-owned telecom Viettel on the investigation."
https://therecord.media/vietnam-cic-panama-finance-ministry-cyberattacks
https://securityaffairs.com/182189/cyber-crime/shinyhunters-attack-national-credit-information-center-of-vietnam.html
China’s Great Firewall Suffers Its Biggest Leak Ever As 500GB Of Source Code And Docs Spill Online — Censorship Tool Has Been Sold To Three Different Countries
"Chinese censorship sprang a major leak on September 11, when researchers confirmed that more than 500GB of internal documents, source code, work logs, and internal communications from the so-called Great Firewall were dumped online, including packaging repos and operational runbooks used to build and maintain China’s national traffic filtering system. The files appear to originate from Geedge Networks, a company that has long been linked to Fang Binxing — widely described as the “father” of the Great Firewall — and from the MESA lab at the Institute of Information Engineering, a research arm of the Chinese Academy of Sciences."
https://www.tomshardware.com/tech-industry/chinas-great-firewall-springs-huge-leak
https://gfw.report/blog/geedge_and_mesa_leak/en/
https://hackread.com/great-firewall-of-china-data-published-largest-leak/
General News
August 2025 APT Group Trends
"North Korea-linked APT groups have been intensively launching advanced cyber attacks targeting the areas of diplomacy, finance, technology, media, and policy research in South Korea. They have been highly active in their sophisticated spear-phishing campaigns employing various malware strains, social engineering techniques, and cloud-based C2 infrastructures. They have been combining various infiltration techniques such as LNK and PowerShell-based loaders, steganography (JPEG image concealment), and fileless techniques to distribute RATs and data exfiltration malware."
https://asec.ahnlab.com/en/90104/
Exclusive: US Warns Hidden Radios May Be Embedded In Solar-Powered Highway Infrastructure
"U.S. officials say solar-powered highway infrastructure including chargers, roadside weather stations, and traffic cameras should be scanned for the presence of rogue devices – such as hidden radios – secreted inside batteries and inverters. The advisory, disseminated late last month by the U.S. Department of Transportation’s Federal Highway Administration, comes amid escalating government action over the presence of Chinese technology in America's transportation infrastructure."
https://www.reuters.com/legal/government/us-warns-hidden-radios-may-be-embedded-solar-powered-highway-infrastructure-2025-09-10/
https://www.darkreading.com/ics-ot-security/undocumented-radios-found-solar-powered-devices
Your Heartbeat Could Reveal Your Identity, Even In Anonymized Datasets
"A new study has found that electrocardiogram (ECG) signals, often shared publicly for medical research, can be linked back to individuals. Researchers were able to re-identify people in anonymous datasets with surprising accuracy, raising questions about how health data is protected and shared."
https://www.helpnetsecurity.com/2025/09/12/heartbeat-ecg-data-privacy-risk/
CISOs Brace For A New Kind Of AI Chaos
"AI is being added to business processes faster than it is being secured, creating a wide gap that attackers are already exploiting, according to the SANS Institute. Attackers are using AI to work at speeds that humans cannot match. Phishing messages are more convincing, privilege escalation happens faster, and automated scripts can adjust mid-attack to avoid detection. The report highlights research showing that AI-driven attacks can move more than 40 times faster than traditional methods. This means a breach can happen before a defender even sees the first alert."
https://www.helpnetsecurity.com/2025/09/12/sans-ai-security-blueprint/
HP Wolf Security Threat Insights Report: September 2025
"Welcome to the September 2025 edition of the HP Wolf Security Threat Insights Report. In the report, we review notable malware campaigns, trends and techniques identified from HP Wolf Security’s customer telemetry in calendar Q2 2025. In Q2 2025, the HP Threat Research team identified attackers refining their use of living-off-the-land (LOTL) tools to evade detection. In one campaign that targeted businesses, threat actors chained together multiple LOTL tools, including lesser-known ones, to deliver XWorm malware. The final payload was hidden in the pixels of an image (T1027.003) downloaded from a trusted website, decoded via PowerShell (T1059.001), and executed through MSBuild (T1127.001), enabling remote access and data theft."
https://threatresearch.ext.hp.com/hp-wolf-security-threat-insights-report-september-2025/
https://threatresearch.ext.hp.com/wp-content/uploads/2025/09/HP_Wolf_Security_Threat_Insights_Report_September_2025.pdf
https://www.infosecurity-magazine.com/news/attackers-novel-lotl-detection/
Trusted Connections, Hidden Risks: Token Management In The Third-Party Supply Chain
"You are about to log off for the weekend when a high-severity alert flashes on your cloud security tool’s dashboard. A single, unfamiliar OAuth token is making hundreds of connections from three different IP addresses, two of which are flagged as belonging to an unknown VPN service. The token belongs to a third-party application integrated with the company's Salesforce instance, one of those forgotten dormant integrations. A threat actor has stolen an OAuth token to bypass traditional defenses and is enumerating CRM accounts and exfiltrating sensitive data. A pit forms in your stomach; you are experiencing a supply chain attack."
https://unit42.paloaltonetworks.com/third-party-supply-chain-token-management/
Are Cybercriminals Hacking Your Systems – Or Just Logging In?
"Why break a door down and set the house alarm off when you have a key and a code to walk in silently? This is the rationale behind a trend in cybersecurity where adversaries are increasingly looking to steal passwords, and even authentication tokens and session cookies to bypass MFA codes so they can access networks by masquerading as legitimate users. According to Verizon, “use of stolen credentials” has been one of the most popular methods for gaining initial access over recent years. The use of stolen credentials appeared in a third (32%) of data breaches last year, its report notes. However, while there are several ways threat actors can get hold of credentials, there are also plenty of opportunities to stop them."
https://www.welivesecurity.com/en/business-security/cybercriminals-hacking-systems-logging-in/
Reference
Electronic Transactions Development Agency (ETDA)