You can follow updates on the NCSA Thailand webboard or Facebook page.
Cyber Threat Intelligence 31 March 2025
Healthcare Sector
- Claroty’s State Of CPS Security Report: Healthcare Exposures 2025
"Hospitals and healthcare delivery organizations must manage a barrage of risks to connected medical devices and critical OT systems, protecting them from disruptions that could impact patient safety and the uninterrupted availability of patient care. This is the backdrop for Claroty’s latest State of CPS Security Report: Healthcare Exposures 2025. The goal of this report is to shed light on the riskiest exposures facing healthcare devices and networks—as well as OT within hospitals—provide some context to help identify those assets most in jeopardy, and demonstrate the number of devices burdened not only by known and exploited vulnerabilities, but those that are most at risk to ransomware and extortion attacks, and insecurely connected to the internet."
https://claroty.com/blog/clarotys-state-of-cps-security-report-healthcare-exposures-2025
https://claroty.com/resources/reports/state-of-cps-security-healthcare-exposures-2025
https://www.securityweek.com/critical-condition-legacy-medical-devices-remain-easy-targets-for-ransomware/
https://www.infosecurity-magazine.com/news/healthcare-vulnerable-iot-devices/
https://www.helpnetsecurity.com/2025/03/28/healthcare-devices-vulnerabilities/
New Tooling
- Cloudflare Open Sources OPKSSH To Bring Single Sign-On To SSH
"OPKSSH (OpenPubkey SSH) makes it easy to authenticate to servers over SSH using OpenID Connect (OIDC), allowing developers to ditch manually configured SSH keys in favor of identity provider-based access. By tightly integrating with identity providers (IdPs) and avoiding any additional trusted third party, OPKSSH offers a streamlined and secure way to manage SSH authentication. This week, OPKSSH was officially open-sourced under the umbrella of the OpenPubkey project. While OpenPubkey itself became a Linux Foundation open-source initiative in 2023, OPKSSH remained closed-source until now."
https://www.helpnetsecurity.com/2025/03/28/opkssh-sso-ssh/
https://github.com/openpubkey/opkssh/
Vulnerabilities
- Qualys TRU Discovers Three Bypasses Of Ubuntu Unprivileged User Namespace Restrictions
"Qualys TRU uncovered three distinct bypasses of these namespace restrictions, each enabling local attackers to create user namespaces with full administrative capabilities. These bypasses facilitate exploiting vulnerabilities in kernel components requiring powerful administrative privileges within a confined environment. The restrictions on unprivileged user namespaces were initially introduced in Ubuntu 23.10 and enabled by default in Ubuntu 24.04. It is important to note that these bypasses alone do not enable complete system takeover; however, they become dangerous when combined with other vulnerabilities, typically kernel-related."
https://blog.qualys.com/vulnerabilities-threat-research/2025/03/27/qualys-tru-discovers-three-bypasses-of-ubuntu-unprivileged-user-namespace-restrictions
https://www.bleepingcomputer.com/news/security/new-ubuntu-linux-security-bypasses-require-manual-mitigations/
Malware
- CISA Releases Malware Analysis Report On RESURGE Malware Associated With Ivanti Connect Secure
"CISA has published a Malware Analysis Report (MAR) with analysis and associated detection signatures on a new malware variant CISA has identified as RESURGE. RESURGE contains capabilities of the SPAWNCHIMERA[1] malware variant, including surviving reboots; however, RESURGE contains distinctive commands that alter its behavior."
https://www.cisa.gov/news-events/alerts/2025/03/28/cisa-releases-malware-analysis-report-resurge-malware-associated-ivanti-connect-secure
https://www.cisa.gov/news-events/analysis-reports/ar25-087a
https://thehackernews.com/2025/03/resurge-malware-exploits-ivanti-flaw.html
https://securityaffairs.com/176040/breaking-news/cisa-warns-of-resurge-malware-exploiting-ivanti-flaw.html
- Gamaredon Campaign Abuses LNK Files To Distribute Remcos Backdoor
"The invasion of Ukraine is a common theme used by the Gamaredon group in their phishing campaigns and this campaign continues the use of this technique. The actor distributes LNK files compressed inside ZIP archives, usually disguising the file as an Office document and using names that are related to the invasion. Although Talos was not able to pinpoint the exact method by which these files are distributed, it is likely that Gamaredon continues to send phishing e-mails with either the ZIP file directly attached to it or containing a URL link to download the file from a remote host."
https://blog.talosintelligence.com/gamaredon-campaign-distribute-remcos/
- TsarBot: A New Android Banking Trojan Targeting Over 750 Banking, Finance, And Cryptocurrency Applications
"Cyble Research and Intelligence Labs (CRIL) discovered a new Android banking trojan that uses an overlay attack to target over 750 applications, including banking, finance, cryptocurrency, payment, social media, and e-commerce applications, across multiple regions. While the malware mainly utilizes overlay attacks to steal credentials, it also carries out various other malicious actions. It is capable of recording and remotely controlling the screen, enabling attackers to monitor and manipulate the device. Additionally, it employs lock-grabbing techniques, keylogging, and intercepting SMS messages."
https://cyble.com/blog/tsarbot-using-overlay-attacks-targeting-bfsi-sector/
- Stealing User Credentials With Evilginx
"Evilginx, a tool based on the legitimate (and widely used) open-source nginx web server, can be used to steal usernames, passwords, and session tokens, allowing an attacker to potentially bypass multifactor authentication (MFA). In this post, we’ll demonstrate how evilginx works and what information it is able to acquire; we also have advice for detecting this tool in use, as well as potential mitigations against its use."
https://news.sophos.com/en-us/2025/03/28/stealing-user-credentials-with-evilginx/
https://www.darkreading.com/endpoint-security/evilginx-bypasses-mfa
- Russian Intelligence Service-Backed Campaigns Impersonate The CIA To Target Ukraine Sympathizers, Russian Citizens And Informants
"The rise in cyberattacks during ongoing conflicts of war has become a significant concern in recent years, especially as cyber capabilities are increasingly being leveraged as a form of modern warfare. Motivations behind these cyberattacks vary, from disrupting an opponent’s operations and causing widespread panic to gathering intelligence and creating strategic advantages. Silent Push Threat Researchers have identified phishing pages on a known bulletproof hosting provider, Nybula LLC, ASN 401116, but a financial motive has not yet been found for the threat actor group. The phishing pages appear to impersonate the official websites of multiple organizations, including the U.S. Central Intelligence Agency (CIA), the Russian Volunteer Corps (RVC), Legion Liberty, and the appeals hotline group Hochuzhit."
https://www.silentpush.com/blog/russian-intelligence-phishing/
https://hackread.com/russia-phishing-fake-cia-sites-anti-war-ukraine-supporters/
- Grandoreiro Trojan Distributed Via Contabo-Hosted Servers In Phishing Campaigns
"Cybercriminals are reviving the Grandoreiro banking trojan. It is actively being used in large-scale phishing campaigns, primarily targeting banking users in Latin America and Europe. Cybercriminals are leveraging VPS hosting providers and obfuscation techniques to evade detection. The malware continuously adapts, using dynamic URLs and social engineering to maximize its reach and effectiveness."
https://www.forcepoint.com/blog/x-labs/grandoreiro-trojan-targets-mexico-argentina-spain
https://www.securityweek.com/fresh-grandoreiro-banking-trojan-campaigns-target-latin-america-europe/
https://securityaffairs.com/175964/malware/crooks-are-reviving-the-grandoreiro-banking-trojan.html
- A Deep Dive Into Water Gamayun’s Arsenal And Infrastructure
"Water Gamayun, a suspected Russian threat actor also known as EncryptHub and Larva-208, has been exploiting the MSC EvilTwin (CVE-2025-26633), a zero-day vulnerability that was patched on March 11. In the first installment of this two-part series, Trend Research discussed in depth its discovery of a Water Gamayun campaign exploiting this vulnerability. In this blog entry, we will cover the various delivery methods, custom payloads and techniques used by Water Gamayun to compromise victim systems and exfiltrate sensitive data."
https://www.trendmicro.com/en_us/research/25/c/deep-dive-into-water-gamayun.html
- Iran's MOIS-Linked APT34 Spies On Allies Iraq & Yemen
"Hackers believed to be working on behalf of Iranian government intelligence have been spying on organizations in Iraq and Yemen. In many other respects — religiously, politically, economically, etc. — these countries might be considered allies. But as it is with friends of the US, North Korea, and other major cyber powers, diplomatic ties with Iran do not preclude attempts at cyberespionage."
https://www.darkreading.com/cyberattacks-data-breaches/irans-mois-linked-apt34-spies-allies-iraq-yemen
- SnakeKeylogger: A Multistage Info Stealer Malware Campaign
"Info-stealer malware has become a growing threat, with attackers constantly refining their techniques to evade detection. Among these threats, SnakeKeylogger has emerged as one of the highly active credential-stealing malware, targeting individuals and businesses. Known for its multi-stage infection chain and stealthy in-memory execution, SnakeKeylogger is designed to harvest sensitive data while remaining undetected. Recently, at Seqrite Labs, we observed an interesting malicious campaign delivering SnakeKeylogger as a final payload to compromised systems."
https://www.seqrite.com/blog/snakekeylogger-a-multistage-info-stealer-malware-campaign/
- SquareX Discloses Browser-Native Ransomware That Puts Millions At Risk
"From WannaCry to the MGM Resorts Hack, ransomware remains one of the most damaging cyberthreats to plague enterprises. Chainalysis estimates that corporations spend nearly $1 billion dollars on ransom each year, but the greater cost often comes from the reputational damage and operational disruption caused by the attack."
https://hackread.com/squarex-discloses-browser-native-ransomware-that-puts-millions-at-risk/
https://sqrx.com/browser-native-ransomware
- Exposing Crocodilus: New Device Takeover Malware Targeting Android Devices
"The mobile threat landscape has been shaped over the years by well-established banking Trojan families such as Anatsa, Octo, Hook, each evolving to introduce new techniques for evading detection and maximising financial gain. These malware strains have demonstrated how effective mobile-focused threats can be, particularly when equipped with capabilities like overlay attacks, keylogging, and abuse of Android’s Accessibility Services. Their success has not only impacted banks and crypto platforms globally, but also has inspired a growing underground market hungry for similar or improved tools."
https://www.threatfabric.com/blogs/exposing-crocodilus-new-device-takeover-malware-targeting-android-devices
https://thehackernews.com/2025/03/new-android-trojan-crocodilus-abuses.html
https://www.bleepingcomputer.com/news/security/new-crocodilus-malware-steals-android-users-crypto-wallet-keys/
https://securityaffairs.com/175976/malware/new-sophisticate-crocodilus-mobile-banking-trojan.html
Breaches/Hacks/Leaks
- Twitter (X) Hit By 2.8 Billion Profile Data Leak In Alleged Insider Job
"A data leak involving a whopping 2.87 billion Twitter (X) users has surfaced on the infamous Breach Forums. According to a post by a user named ThinkingOne, the leak is the result of a disgruntled X employee who allegedly stole the data during a period of mass layoffs. If true, this would be the largest social media data leak in history, but surprisingly, neither X nor the broader public appears to be aware of it."
https://hackread.com/twitter-x-of-2-8-billion-data-leak-an-insider-job/
- Retail Giant Sam’s Club Investigates Clop Ransomware Breach Claims
"Sam's Club, an American warehouse supermarket chain owned by U.S. retail giant Walmart, is investigating claims of a Clop ransomware breach. The Walmart division operates over 600 warehouse clubs with millions of members across the United States and Puerto Rico and almost 200 additional locations in Mexico and China. Sam's Club has over 2.3 million employees and reported a total revenue of $84.3 billion for the fiscal year ending January 31, 2023."
https://www.bleepingcomputer.com/news/security/retail-giant-sams-club-investigates-clop-ransomware-breach-claims/
https://securityaffairs.com/175999/cyber-crime/sams-club-investigates-alleged-cl0p-ransomware-breach.html
- Oracle Health Breach Compromises Patient Data At US Hospitals
"A breach at Oracle Health impacts multiple US healthcare organizations and hospitals after a threat actor stole patient data from legacy servers. Oracle Health has not yet publicly disclosed the incident, but in private communications sent to impacted customers and from conversations with those involved, BleepingComputer confirmed that patient data was stolen in the attack."
https://www.bleepingcomputer.com/news/security/oracle-health-breach-compromises-patient-data-at-us-hospitals/
- Cardiff's Children's Chief Confirms Data Leak 2 Months After Cyber Risk Was 'escalated'
"Cardiff City Council's director of children's services says data was leaked or stolen from the organization, although she did not clarify how or what was pilfered. Deborah Driffield confirmed a "data breach" while giving an update to the Welsh council's Governance and Audit Committee, which assembled on Tuesday. "We have had a data breach that we are currently managing, and drawing up new arrangements in relation to this world of people stealing data and sharing it on the dark web, and trying to understand how we can mitigate against that."
https://www.theregister.com/2025/03/28/cardiff_childrens_chief_says_city/
General News
- Navigating Cyber-Risks And New Defenses
"Cyberattacks on critical infrastructure are on the rise, driven by supply chain vulnerabilities, bad actors exploiting small and midsize businesses (SMBs) as entry points into larger organizations, and the rapid pace of digitalization. Internet of Things (IoT) devices have connected industrial settings and physical environments to digital networks, enhancing monitoring and management. But this connectivity has also introduced new entry points for cyber threats. In 2025, the threat of cyberattacks on critical infrastructure most likely will remain significant. However, continued advancements and adoption of technologies like artificial intelligence (AI) and private networks can serve as powerful countermeasures."
https://www.darkreading.com/vulnerabilities-threats/navigating-cyber-risks-new-defenses
- Student-Powered SOCs Train Security's Next Generation
"Higher educational institutions are among the most common targets of cyberattacks in the US, but universities increasingly see a silver lining to the threat landscape: Defending against such attacks can be a good training opportunity for the next generation of cybersecurity professionals. The cybersecurity incidents are usually fairly simple — a phishing attack, a bad password, or suspicious network traffic — and can be handled by student analysts, such as Ellen Hoffman, an industrial engineering student at Louisiana State University."
https://www.darkreading.com/cybersecurity-operations/student-powered-socs-train-security-next-generation
- Android Financial Threats: What Businesses Need To Know To Protect Themselves And Their Customers
"The rise of mobile banking has changed how businesses and customers interact. It brought about increased convenience and efficiency, but has also opened new doors for cybercriminals, particularly on the Android platform, which dominates the global smartphone market. According to ESET research, Android financial threats, targeting banking apps and cryptocurrency wallets, grew by 20% in H2 of 2024 compared to the first half of the year."
https://www.helpnetsecurity.com/2025/03/28/android-financial-threats/
- Cybersecurity Spending Set To Jump 12.2% In 2025
"Global cybersecurity spending is expected to grow by 12.2% in 2025, according to the latest forecast from the IDC Worldwide Security Spending Guide. The rise in cyber threats is pushing organizations to invest more in their defenses. AI tools are making these threats more sophisticated, which is adding to the urgency. IDC says this steady climb in spending will continue through 2028, hitting $377 billion by then."
https://www.helpnetsecurity.com/2025/03/28/idc-cybersecurity-spending-2025/
- U.S. Seized $8.2 Million In Crypto Linked To 'Romance Baiting' Scams
"The U.S. Department of Justice (DOJ) has seized over $8.2 million worth of USDT (Tether) cryptocurrency that was stolen via 'romance baiting' scams. Previously referred to as 'pig butchering,' in this type of financial fraud victims are manipulated into making investments on fraudulent websites/apps that showcase massive returns. Convinced they're making a profit, the victims invest increasing amounts, but when they attempt to make any significant withdrawals, they hit various problems that prevent them from completing the action."
https://www.bleepingcomputer.com/news/cryptocurrency/us-seized-82-million-in-crypto-linked-to-romance-baiting-scams/
https://securityaffairs.com/175990/cyber-crime/fbi-and-doj-seize-8-2-million-in-romance-baiting-crypto-fraud-scheme.html
- Malware In Lisp? Now You're Just Being Cruel
"Malware authors looking to evade analysis are turning to less popular programming languages like Delphi or Haskell. Computer scientists affiliated with the University of Piraeus and Athena Research Center in Greece and Delft University of Technology in the Netherlands have taken a look at recent malware to better understand why some of it gets missed by static analysis – a software testing technique for understanding code without executing it."
https://www.theregister.com/2025/03/29/malware_obscure_languages/
https://arxiv.org/abs/2503.19058
Reference
Electronic Transactions Development Agency (ETDA)
CISA Publishes Malware Analysis Report on the RESURGE Malware Associated with Ivanti Connect Secure
On 28 March 2025 (B.E. 2568), the Cybersecurity and Infrastructure Security Agency (CISA) published details of the "Resurge" malware linked to Ivanti Connect Secure. Further details are as follows. The malware is designed specifically to exploit vulnerabilities in Ivanti's VPN products, with the aim of covertly gaining access to organisational networks. The report states that "Resurge" is able to persist on the system, evade detection, and steal sensitive data such as credentials and other personal information.
CISA has also provided technical information, such as Indicators of Compromise (IOCs) and the techniques the malware uses, together with recommendations for reducing risk, such as installing the latest patches from Ivanti, reviewing logs for signs of intrusion, and using multi-factor authentication. The report emphasises the importance of responding quickly to the threat and urges organisations that use Ivanti Connect Secure to carry out checks and protective measures immediately to limit the damage this attack could cause.
CISA Issues One Industrial Control Systems Advisory
On 27 March 2025 (B.E. 2568), the Cybersecurity and Infrastructure Security Agency (CISA) released one Industrial Control Systems (ICS) advisory. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS. The advisory is as follows:
- ICSA-25-037-01 Schneider Electric EcoStruxure Power Monitoring Expert (PME) (Update A)
CVSS v4 7.3
Note: Exploitable remotely
Equipment: EcoStruxure Power Monitoring Expert (PME)
Vulnerability: Deserialization of Untrusted Data
Successful exploitation of this vulnerability could allow an attacker to achieve remote code execution.
Affected Products
Schneider Electric reports that the following products are affected:
EcoStruxure Power Monitoring Expert (PME): versions 2022 and prior
CISA encourages users and administrators to review the newly released ICS advisory for technical details and mitigations. Further details at https://www.cisa.gov/news-events/alerts/2025/03/25/cisa-releases-four-industrial-control-systems-advisories
Cyber Threat Intelligence 28 March 2025
Vulnerabilities
- NetApp SnapCenter Flaw Could Let Users Gain Remote Admin Access On Plug-In Systems
"A critical security flaw has been disclosed in NetApp SnapCenter that, if successfully exploited, could allow privilege escalation. SnapCenter is an enterprise-focused software that's used to manage data protection across applications, databases, virtual machines, and file systems, offering the ability to backup, restore, and clone data resources. The vulnerability, tracked as CVE-2025-26512, carries a CVSS score of 9.9 out of a maximum of 10.0."
https://thehackernews.com/2025/03/netapp-snapcenter-flaw-could-let-users.html
https://security.netapp.com/advisory/ntap-20250324-0001/
- Forescout Vedere Labs Uncovers Severe Systemic Security Risks In Global Solar Power Infrastructure
"Forescout Technologies, Inc., a global cybersecurity leader, today published its “SUN:DOWN – Destabilizing the Grid via Orchestrated Exploitation of Solar Power Systems” research report. Forescout Research – Vedere Labs discovered 46 new vulnerabilities across three of the world’s 10 leading solar inverter vendors. Additionally, Vedere Labs found that 80% of vulnerabilities in solar power systems disclosed in the last three years were classified as high or critical severity. These findings reveal severe systemic security weaknesses in the solar ecosystem that could impact power grid stability, utility operations, and consumer data privacy."
https://www.forescout.com/press-releases/forescout-vedere-labs-uncovers-severe-systemic-security-risks-in-global-solar-power-infrastructure/
https://www.bleepingcomputer.com/news/security/dozens-of-solar-inverter-flaws-could-be-exploited-to-attack-power-grids/
https://www.securityweek.com/more-solar-system-vulnerabilities-expose-power-grids-to-hacking/
- Mozilla Warns Windows Users Of Critical Firefox Sandbox Escape Flaw
"Mozilla has released Firefox 136.0.4 to patch a critical security vulnerability that can let attackers escape the web browser's sandbox on Windows systems. Tracked as CVE-2025-2857, this flaw is described as an "incorrect handle could lead to sandbox escapes" and was reported by Mozilla developer Andrew McCreight. The vulnerability impacts the latest Firefox standard and extended support releases (ESR) designed for organizations that require extended support for mass deployments. Mozilla fixed the security flaw in Firefox 136.0.4 and Firefox ESR versions 115.21.1 and 128.8.1."
https://www.bleepingcomputer.com/news/security/mozilla-warns-windows-users-of-critical-firefox-sandbox-escape-flaw/
- CISA Adds One Known Exploited Vulnerability To Catalog
"CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
CVE-2025-2783 Google Chromium Mojo Sandbox Escape Vulnerability"
https://www.cisa.gov/news-events/alerts/2025/03/27/cisa-adds-one-known-exploited-vulnerability-catalog
https://securityaffairs.com/175936/security/u-s-cisa-adds-google-chromium-mojo-flaw-to-its-known-exploited-vulnerabilities-catalog.html
- Splunk Patches Dozens Of Vulnerabilities
"Splunk on Wednesday announced patches for dozens of vulnerabilities across its products, including two high-severity flaws in Splunk Enterprise and Secure Gateway App. The enterprise monitoring solution received patches for a remote code execution (RCE) bug that could be exploited by low-privileged users by uploading a file to the ‘$SPLUNK_HOME/var/run/splunk/apptemp’ directory."
https://www.securityweek.com/splunk-patches-dozens-of-vulnerabilities/
Malware
- Over 150K Websites Hit By Full-Page Hijack Linking To Chinese Gambling Sites
"In February, we uncovered a threat actor targeting over 35,000 websites with a malicious full-page hijack injection. We’ve continued to monitor this actor’s activities and have identified new tactics and techniques. They’ve scaled up their operations significantly, as we now estimate that approximately 150,000 websites have been impacted by this campaign."
https://cside.dev/blog/over-150k-websites-hit-by-full-page-hijack-linking-to-chinese-gambling-sites
https://thehackernews.com/2025/03/150000-sites-compromised-by-javascript.html
- Hijacked Microsoft Stream Classic Domain "spams" SharePoint Sites
"The legacy domain for Microsoft Stream was hijacked to show a fake Amazon site promoting a Thailand casino, causing all SharePoint sites with old embedded videos to display it as spam. Microsoft Stream is an enterprise video streaming service that allows organizations to upload and share videos in Microsoft 365 apps, such as Teams and SharePoint. Video content hosted on Microsoft Stream was accessed or embedded through a portal at microsoftstream.com."
https://www.bleepingcomputer.com/news/microsoft/hijacked-microsoft-stream-classic-domain-spams-sharepoint-sites/
- Multiple Crypto Packages Hijacked, Turned Into Info-Stealers
"Sonatype has identified multiple npm cryptocurrency packages, latest versions of which have been hijacked and altered to steal sensitive information such as environment variables from the target victims. Some of these packages have lived on npmjs.com for over 9 years, and provide legitimate functionality to blockchain developers. However, our automated malware detection systems detected that the latest versions of each of these packages were laden with obfuscated scripts, raising alarms."
https://www.sonatype.com/blog/multiple-crypto-packages-hijacked-turned-into-info-stealers
https://www.bleepingcomputer.com/news/security/infostealer-campaign-compromises-10-npm-packages-targets-devs/
- Snow White — Beware The Bad Apple In The Torrent
"As the new Snow White movie arrives in theaters with lackluster audience attendance, the absence of streaming options on platforms like Disney+ has nudged many users to seek pirated versions online. From our perspective, this kind of consumer behavior isn’t new, every high-profile movie release without a digital option becomes an opportunity for attackers to exploit users eager to watch from home."
https://veriti.ai/blog/beware-the-bad-apple-in-the-torrent/
https://hackread.com/fake-snow-white-movie-torrent-infects-device-malware/
- A Phishing Tale Of DoH And DNS MX Abuse
"Threat actors are increasingly adept at leveraging DNS to enhance the effectiveness of their cyber campaigns. We recently discovered a DNS technique used to tailor content to victims. We have discovered a phishing kit that creatively employs DNS mail exchange (MX) records to dynamically serve fake, tailored, login pages, spoofing over 100 brands. The threat actor behind the campaigns often exploits open redirects on adtech infrastructure, compromises domains for phishing distribution, and distributes stolen credentials through several mechanisms, including Telegram. We have found many variations of this phishing kit and assessed that they likely stem from a phishing-as-a-service (PhaaS) platform."
https://blogs.infoblox.com/threat-intelligence/a-phishing-tale-of-doh-and-dns-mx-abuse/
https://thehackernews.com/2025/03/new-morphing-meerkat-phishing-kit.html
- Turning Aid Into Attack: Exploitation Of Pakistan's Youth Laptop Scheme To Target India
"In this report, CYFIRMA examines the tactics employed by a Pakistan-based APT group, assessed with medium confidence as APT36, who created a fake IndiaPost website to target and infect both Windows and Android users. We analysed the dropped Android executable and also revealed metadata indicating that the PDF was created in same time zone that Pakistan is in. Additionally, the laptop used to generate the file is part of Pakistan’s Prime Minister Youth Laptop Scheme. Further investigation into the IP resolution uncovered a domain associated with tactics commonly used by Pakistani APT groups."
https://www.cyfirma.com/research/turning-aid-into-attack-exploitation-of-pakistans-youth-laptop-scheme-to-target-india/
https://thehackernews.com/2025/03/apt36-spoofs-india-post-website-to.html
- Serbia: BIRN Journalists Targeted With Pegasus Spyware
"Two journalists from Balkan Investigative Reporting Network (BIRN), an award-winning Serbian network of investigative journalists, were targeted with NSO Group’s Pegasus spyware last month, a new Amnesty International investigation reveals. Journalists Bogdana (not her real name) and Jelena Veljkovic received suspicious messages on the Viber messaging app from an unknown Serbian number linked to Telekom Srbija, the state-telecommunications operator. Suspecting that their smartphones were being targeted by a spyware attack, they approached Amnesty International’s Security Lab, whose forensic analysis confirmed their suspicions."
https://www.amnesty.org/en/latest/news/2025/03/serbia-birn-journalists-targeted-with-pegasus-spyware/
https://therecord.media/two-serbian-journalists-targeted-with-pegasus-spyware
- PJobRAT Makes a Comeback, Takes Another Crack At Chat Apps
"In 2021, researchers reported that PJobRAT – an Android RAT first observed in 2019 – was targeting Indian military personnel by imitating various dating and instant messaging apps. Since then, there’s been little news about PJobRAT – until, during a recent threat hunt, Sophos X-Ops researchers uncovered a new campaign – now seemingly over – that appeared to target users in Taiwan. PJobRAT can steal SMS messages, phone contacts, device and app information, documents, and media files from infected Android devices."
https://news.sophos.com/en-us/2025/03/27/pjobrat-makes-a-comeback-takes-another-crack-at-chat-apps/
https://www.infosecurity-magazine.com/news/pjobrat-malware-targets-taiwan-via/
Breaches/Hacks/Leaks
- Thousands Of Driver’s Licenses, Bank Documents & PII Exposed In Australian Fintech Data Breach
"Cybersecurity Researcher, Jeremiah Fowler, discovered and reported to Website Planet about a non-password-protected database that contained 27,000 records belonging to Vroom by YouX — an Australia-based Fintech company that facilitates automotive financing."
https://www.websiteplanet.com/news/vroom-report-breach/
https://hackread.com/aussie-fintech-vroom-pii-records-aws-misconfiguration/
General News
- Navigating Cybercrime Currents In Latin America: Strengthening The Region’s Defenses
"Gather all, gather ye! Group-IB experts are here to uncover trade secrets from the dark side—cybercrime insights on unseen TTPs, hidden infrastructures, and strategies of the most nefarious threat actors. The fight against cybercrime is a constant ordeal, but the shadows grow weaker with each shore we conquer. Group-IB’s two-decade-long perseverance, technological and human expertise know no bounds — from shore to shore, land to land, we extend and stand with people, governments, and businesses as their shield against evolving crime."
https://www.group-ib.com/blog/navigating-cybercrime-latin-america/
- The Hidden Costs Of Security Tool Bloat And How To Fix It
"In this Help Net Security interview, Shane Buckley, President and CEO at Gigamon, discusses why combating tool bloat is a top priority for CISOs as they face tighter budgets and expanding security stacks. Buckley shares insights on how deep observability can streamline security operations, optimize costs, and strengthen a defense-in-depth strategy."
https://www.helpnetsecurity.com/2025/03/27/shane-buckley-gigamon-deep-observability-tool-stacks/
- Cyber Insurance Isn’t Always What It Seems
"Many companies think cyber insurance will protect them from financial losses after an attack. But many policies have gaps. Some claims get denied. Others cover less than expected. CISOs must understand the risks before an attack happens."
https://www.helpnetsecurity.com/2025/03/27/cyber-insurance-ciso/
- New Year, New Threats: Q1 2025’s Most Exploited WordPress Vulnerabilities
"WordPress remains the backbone of millions of websites, offering flexibility and scalability through its extensive library of plugins and themes. However, this same openness also makes it a frequent target for cyber threats. Attackers are constantly scanning for outdated software, unpatched vulnerabilities, and misconfigurations that can be exploited to gain unauthorized access. The reality is clear: many WordPress sites remain vulnerable long after security flaws are disclosed, simply because updates are delayed or neglected. In this environment, relying solely on developer-issued patches isn’t enough—proactive security measures are essential."
https://patchstack.com/articles/new-year-new-threats-q1-2025s-most-exploited-wordpress-vulnerabilities/
https://www.bleepingcomputer.com/news/security/the-four-wordpress-flaws-hackers-targeted-the-most-in-q1-2025/
- Hacktivists Increasingly Target France For Its Diplomatic Efforts
"According to a Cyble report sent to clients recently, France is increasingly becoming a target of hacktivists for its active role in international diplomacy and in ongoing conflicts in Ukraine and the Middle East. France’s role in those conflicts “has drawn the ire of pro-Russian and pro-Palestinian hacktivist groups,” Cyble said, as those hacktivists have found ideological alignment and a common adversary in France."
https://cyble.com/blog/hacktivists-france-for-its-diplomatic-efforts/
- New Security Requirements Adopted By HTTPS Certificate Industry
"The Chrome Root Program launched in 2022 as part of Google’s ongoing commitment to upholding secure and reliable network connections in Chrome. We previously described how the Chrome Root Program keeps users safe, and described how the program is focused on promoting technologies and practices that strengthen the underlying security assurances provided by Transport Layer Security (TLS). Many of these initiatives are described on our forward looking, public roadmap named “Moving Forward, Together.”"
https://security.googleblog.com/2025/03/new-security-requirements-adopted-by.html
- Good Security Practice For Domain Registrars
"This guidance is for domain registrars and operators of Domain Name System (DNS) services. It sets out outcomes and recommendations to promote good practice in a set of principles, and aims to reduce the prevalence of malicious and abusive domain registrations. It builds on existing industry good practice from international bodies such as ICANN and the NetBeacon Institute. It is consistent with other UK government guidance issued to registrars and other infrastructure service providers to tackle other issues such as fraud, extremist and illegal content."
https://www.ncsc.gov.uk/collection/security-practice-domain-registrars
https://www.infosecurity-magazine.com/news/ncsc-urges-domain-registrars/
https://www.helpnetsecurity.com/2025/03/27/ncsc-offers-security-guidance-for-domain-and-dns-registrars/
- A Closer Look At The Ultimate Cybersecurity Careers Guide
"In this Help Net Security interview, Kim Crawley, cybersecurity expert and Professor at the Open Institute of Technology, discusses her latest book, The Ultimate Cybersecurity Careers Guide. She shares insights on how aspiring professionals can break into the field and explores the importance of continuous learning."
https://www.helpnetsecurity.com/2025/03/27/kim-crawley-ultimate-cybersecurity-careers-guide/
- National Strategic Assessment 2025 Of Serious And Organised Crime
"Serious and organised crime (SOC) continues to cause more harm to more people than any other national security threat. It is responsible for danger in our homes and on our streets, stunting our economy, and damaging our communities. The purpose of this assessment is to understand these threats, so that we can better address them. The National Strategic Assessment of Serious and Organised Crime 2025 builds on last year’s comprehensive baseline and draws out the trends and themes of the last 12 months."
https://www.nationalcrimeagency.gov.uk/nsa-2025
https://www.infosecurity-magazine.com/news/nca-warns-of-sadistic-online-com/
- Russia Arrests Three For Allegedly Creating Mamont Malware, Tied To Over 300 Cybercrimes
"Russian authorities have arrested three individuals suspected of developing the Mamont malware, a recently identified banking trojan targeting Android devices. The suspects, whose identities remain undisclosed, were apprehended in the Saratov region. A video released by the Russian Ministry of Internal Affairs (MVD) shows the arrested individuals in handcuffs, being escorted by police officers. According to the MVD, the trio is linked to over 300 cybercrime incidents. Authorities also seized computers, storage devices, communication tools and bank cards."
https://therecord.media/mamont-banking-malware-arrests-russia
- Cloud Threats On The Rise: Alert Trends Show Intensified Attacker Focus On IAM, Exfiltration
"The attacks against cloud-hosted infrastructure are increasing, and the proof is in the analysis of security alert trends. Recent research reveals that organizations saw nearly five times as many daily cloud-based alerts at the end of 2024 compared to the start of the year. This means attackers have significantly intensified their focus on targeting and breaching cloud infrastructure. These alerts aren’t simply noise. We’ve seen the greatest increases in high severity alerts, meaning indicators of attacks are successfully targeting critical cloud resources as explained in Table 1."
https://unit42.paloaltonetworks.com/2025-cloud-security-alert-trends/
https://www.darkreading.com/cyber-risk/high-severity-cloud-security-alerts-tripled-2024
Reference
Electronic Transactions Development Agency (ETDA)
- NetApp SnapCenter Flaw Could Let Users Gain Remote Admin Access On Plug-In Systems