สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

Industrial Sector

• Siemens RUGGEDCOM, SINEC NMS, And SINEMA
  "Successful exploitation of these vulnerabilities could allow an attacker to cause a denial-of-service, crash the product, or perform remote code execution."
  https://www.cisa.gov/news-events/ics-advisories/icsa-25-259-04
• Delta Electronics DIALink
  "Successful exploitation of these vulnerabilities could allow an attacker to bypass authentication."
  https://www.cisa.gov/news-events/ics-advisories/icsa-25-259-07
• OT Security Needs Continuous Operations, Not One-Time Fixes
  "Cyberattacks keep hitting the OT systems that critical infrastructure operators run, according to new research from Forrester. In a survey of 262 OT security decision-makers, 91% reported at least one breach or system failure caused by a cyberattack in the past 18 months. These attacks disrupted essential services, damaged reputations, and created regulatory and financial consequences."
  https://www.helpnetsecurity.com/2025/09/16/ciso-ot-cybersecurity-strategy/
• Schneider Electric Altivar Products, ATVdPAC Module, ILC992 InterLink Converter
  "Successful exploitation of this vulnerability could allow an attacker to read or modify data."
  https://www.cisa.gov/news-events/ics-advisories/icsa-25-259-01
• Hitachi Energy RTU500 Series
  "Successful exploitation of these vulnerabilities could cause a Denial-of-Service condition in RTU500 devices."
  https://www.cisa.gov/news-events/ics-advisories/icsa-25-259-02
• Siemens SIMATIC NET CP, SINEMA, And SCALANCE
  "Successful exploitation of these vulnerabilities could allow an attacker to cause a denial-of-service (DoS) condition in the affected devices by exploiting integer overflow bugs."
  https://www.cisa.gov/news-events/ics-advisories/icsa-25-259-03
• Siemens OpenSSL Vulnerability In Industrial Products
  "Successful exploitation of these vulnerabilities could allow an unauthenticated remote attacker to execute arbitrary code or to cause a denial-of-service condition."
  https://www.cisa.gov/news-events/ics-advisories/icsa-25-259-05
• Siemens Multiple Industrial Products
  "Successful exploitation of this vulnerability could allow an attacker to create a denial-of-service condition."
  https://www.cisa.gov/news-events/ics-advisories/icsa-25-259-06

Vulnerabilities

• Chaotic Deputy: Critical Vulnerabilities In Chaos Mesh Lead To Kubernetes Cluster Takeover
  "JFrog Security Research recently discovered and disclosed multiple CVEs in the highly popular Chaos engineering platform – Chaos-Mesh. The discovered CVEs, which we’ve named Chaotic Deputy are CVE-2025-59358, CVE-2025-59360, CVE-2025-59361 and CVE-2025-59359. The last three Chaotic Deputy CVEs are critical severity (CVSS 9.8) vulnerabilities which can be easily exploited by in-cluster attackers to run arbitrary code on any pod in the cluster, even in the default configuration of Chaos-Mesh."
  https://jfrog.com/blog/chaotic-deputy-critical-vulnerabilities-in-chaos-mesh-lead-to-kubernetes-cluster-takeover/
  https://www.darkreading.com/cyber-risk/critical-bugs-chaos-mesh-cluster-takeover
  https://thehackernews.com/2025/09/chaos-mesh-critical-graphql-flaws.html
• Apple Backports Zero-Day Patches To Older iPhones And iPads
  "Apple has released security updates to backport patches released last month to older iPhones and iPads, addressing a zero-day bug that was exploited in "extremely sophisticated" attacks. This security flaw is the same one Apple has patched for devices running iOS 18.6.2 and iPadOS 18.6.2, iPadOS 17.7.10, and macOS (Sequoia 15.6.1, Sonoma 14.7.8, and Ventura 13.7.8) on August 20. Tracked as CVE-2025-43300, this vulnerability was discovered by Apple security researchers and is caused by an out-of-bounds write weakness in the Image I/O framework, which enables apps to read and write image file formats."
  https://www.bleepingcomputer.com/news/security/apple-backports-zero-day-patches-to-older-iphones-and-ipads/
  https://thehackernews.com/2025/09/apple-backports-fix-for-cve-2025-43300.html
  https://www.theregister.com/2025/09/16/apple_0day_spy_attacks/
• Apple Rolls Out iOS 26, MacOS Tahoe 26 With Patches For Over 50 Vulnerabilities
  "Apple on Monday announced the release of major iOS and macOS platform updates with fixes for a total of more than 50 vulnerabilities. iOS 26 and iPadOS 26 were released for the latest generation iPhone and iPad devices with fixes for 27 unique CVEs that could lead to memory corruption, information disclosure, crashes, and sandbox escapes. WebKit received the largest number of fixes, at five, for security defects that could lead to process crashes, Safari crashes, or could allow websites to access sensor information without consent."
  https://www.securityweek.com/apple-rolls-out-ios-26-macos-tahoe-26-with-patches-for-over-50-vulnerabilities/
  https://cyberscoop.com/apple-security-updates-september-2025/
  https://www.malwarebytes.com/blog/news/2025/09/update-your-apple-devices-to-fix-dozens-of-vulnerabilities
• Bypassing AI Agent Defenses With Lies-In-The-Loop
  "Checkmarx Zero has identified a new type of attack against AI agents that use a “human-in-the-loop” safety net to try to avoid high-risk behaviors: we’re calling it “lies-in-the-loop” (LITL). It lets us fairly easily trick users into giving permission for AI agents to do extremely dangerous things, by convincing the AI to act as though those things are much safer than they are."
  https://checkmarx.com/zero-post/bypassing-ai-agent-defenses-with-lies-in-the-loop/
  https://www.darkreading.com/application-security/-lies-in-the-loop-attack-ai-coding-agents

Malware

• Self-Propagating Supply Chain Attack Hits 187 Npm Packages
  "Security researchers have identified at least 187 npm packages compromised in an ongoing supply chain attack, with a malicious self-propagating payload to infect other packages. The coordinated worm-style campaign dubbed 'Shai-Hulud' started yesterday with the compromise of the @ctrl/tinycolor npm package, which receives over 2 million weekly downloads. Since then, the campaign has expanded significantly and now includes packages published under CrowdStrike's npm namespace."
  https://www.bleepingcomputer.com/news/security/self-propagating-supply-chain-attack-hits-187-npm-packages/
  https://socket.dev/blog/tinycolor-supply-chain-attack-affects-40-packages
  https://socket.dev/blog/ongoing-supply-chain-attack-targets-crowdstrike-npm-packages
  https://www.aikido.dev/blog/s1ngularity-nx-attackers-strike-again
  https://www.darkreading.com/application-security/self-replicating-shai-hulud-worm-npm-packages
  https://thehackernews.com/2025/09/40-npm-packages-compromised-in-supply.html
  https://securityaffairs.com/182274/malware/new-supply-chain-attack-hits-npm-registry-compromising-40-packages.html
  https://www.helpnetsecurity.com/2025/09/16/self-replicating-worm-hits-180-npm-packages-in-largely-automated-supply-chain-attack/
  https://www.theregister.com/2025/09/16/npm_under_attack_again/
• SmokeLoader Rises From The Ashes
  "Active since 2011, SmokeLoader (aka Smoke or Dofoil) is a popular malware loader that is designed to deliver second-stage payloads such as trojans, ransomware, and information stealers. Over the years, SmokeLoader has been updated and enhanced to evade detection and optimize payload delivery. SmokeLoader’s capabilities have also been expanded through a modular plugin framework that is capable of credential harvesting, browser hijacking, cryptocurrency mining, and more."
  https://www.zscaler.com/blogs/security-research/smokeloader-rises-ashes
• Satori Threat Intelligence Alert: SlopAds Covers Fraud With Layers Of Obfuscation
  "HUMAN’s Satori Threat Intelligence and Research Team has uncovered and disrupted a sophisticated ad fraud and click fraud operation dubbed SlopAds. The threat actors behind SlopAds operate a collection of 224 apps and growing, collectively downloaded from Google Play more than 38 million times across 228 countries and territories. These apps deliver their fraud payload using steganography and create hidden WebViews to navigate to threat actor-owned cashout sites, generating fraudulent ad impressions and clicks. The threat actors’ infrastructure and many of the apps share an AI theme, contributing to the name of the operation."
  https://www.humansecurity.com/learn/blog/satori-threat-intelligence-alert-slopads-covers-fraud-with-layers-of-obfuscation/
  https://www.bleepingcomputer.com/news/security/google-nukes-224-android-malware-apps-behind-massive-ad-fraud-campaign/
  https://thehackernews.com/2025/09/slopads-fraud-ring-exploits-224-android.html
  https://www.bankinfosecurity.com/slopads-fraud-campaign-uses-novel-obfuscation-techniques-a-29450
• FileFix In The Wild! New FileFix Campaign Goes Beyond POC And Leverages Steganography
  "Early last week, researchers from Acronis' Threat Research Unit discovered a rare in-the-wild example of a FileFix attack — a new variant of the now infamous ClickFix attack vector. The discovered attack not only leverages FileFix, but, to our knowledge, is the first example of such an attack that does not strictly adhere to the design of the original proof of concept (POC) demonstrated by Mr. d0x in July, 2025. Furthermore, the attack features a sophisticated phishing site and payload, in many ways ahead of what we’ve come to expect from ClickFix or FileFix attacks seen in the past (with some notable exceptions)."
  https://www.acronis.com/en/tru/posts/filefix-in-the-wild-new-filefix-campaign-goes-beyond-poc-and-leverages-steganography/
  https://www.bleepingcomputer.com/news/security/new-filefix-attack-uses-steganography-to-drop-stealc-malware/
  https://thehackernews.com/2025/09/new-filefix-variant-delivers-stealc.html
  https://hackread.com/filefix-attack-stealc-infostealer-fake-facebook-pages/
  https://www.theregister.com/2025/09/16/filefix_attacks_facebook_security_alert/
• Microsoft Seizes 338 Websites To Disrupt Rapidly Growing ‘RaccoonO365’ Phishing Service
  "Microsoft’s Digital Crimes Unit (DCU) has disrupted RaccoonO365, the fastest-growing tool used by cybercriminals to steal Microsoft 365 usernames and passwords (“credentials”). Using a court order granted by the Southern District of New York, the DCU seized 338 websites associated with the popular service, disrupting the operation’s technical infrastructure and cutting off criminals’ access to victims. This case shows that cybercriminals don’t need to be sophisticated to cause widespread harm—simple tools like RaccoonO365 make cybercrime accessible to virtually anyone, putting millions of users at risk."
  https://blogs.microsoft.com/on-the-issues/2025/09/16/microsoft-seizes-338-websites-to-disrupt-rapidly-growing-raccoono365-phishing-service/
  https://therecord.media/microsoft-cloudflare-disrupt-raccoono365-credential-stealing-tool
  https://cyberscoop.com/microsoft-seizes-phishing-sites-raccoono365/
  https://www.theregister.com/2025/09/16/microsoft_cloudflare_shut_down_raccoono365/
• Deniability By Design: DNS-Driven Insights Into a Malicious Ad Network
  "One typically imagines the digital underworld—trojans, malware droppers, fake dating sites, investment scams, and more—as operating in the dark corners of the internet. But increasingly, these threats are hiding in plain sight, camouflaged by the glossy veneer of mainstream digital advertising. In some cases, the adtech platforms are abused, but we have uncovered an increasing number of adtech companies that are either complicit or actively engaged in the distribution of malicious content. Cybercriminals aren’t just exploiting adtech platforms, sometimes, they are the adtech platforms."
  https://blogs.infoblox.com/threat-intelligence/deniability-by-design-dns-driven-insights-into-a-malicious-ad-network/
  https://www.darkreading.com/vulnerabilities-threats/vane-viper-threat-group-propellerads
• Innovative FileFix Phishing Attack Proves Plenty Potent
  "The most widespread, customized, sophisticated FileFix campaign to date has recently emerged in the wild. Fewer than three months have passed since a red team researcher conceived of the FileFix social engineering technique, and attackers seem to be taking to it like ducks to water. Over the past couple of weeks, for instance, researchers from Acronis have observed the most mature FileFix campaign to date, combining convincing phishing, tough code obfuscation, robust steganography, and more."
  https://www.darkreading.com/cyberattacks-data-breaches/innovative-filefix-attack-potent
• RevengeHotels: a New Wave Of Attacks Leveraging LLMs And VenomRAT
  "RevengeHotels, also known as TA558, is a threat group that has been active since 2015, stealing credit card data from hotel guests and travelers. RevengeHotels’ modus operandi involves sending emails with phishing links which redirect victims to websites mimicking document storage. These sites, in turn, download script files to ultimately infect the targeted machines. The final payloads consist of various remote access Trojan (RAT) implants, which enable the threat actor to issue commands for controlling compromised systems, stealing sensitive data, and maintaining persistence, among other malicious activities."
  https://securelist.com/revengehotels-attacks-with-ai-and-venomrat-across-latin-america/117493/
• Going Underground: China-Aligned TA415 Conducts U.S.-China Economic Relations Targeting Using VS Code Remote Tunnels
  "Throughout July and August 2025, TA415 conducted spearphishing campaigns targeting United States government, think tank, and academic organizations utilizing U.S.-China economic-themed lures. In this activity, the group masqueraded as the current Chair of the Select Committee on Strategic Competition between the United States and the Chinese Communist Party (CCP), as well as the US-China Business Council, to target a range of individuals and organizations predominantly focused on U.S.-China relations, trade, and economic policy."
  https://www.proofpoint.com/us/blog/threat-insight/going-underground-china-aligned-ta415-conducts-us-china-economic-relations

Breaches/Hacks/Leaks

• 2 Eye Care Practice Hacks Affect 260,000 Patients, Staff
  "Two separate hacks on ophthalmology practices in South Dakota and Florida have affected more than a quarter-million patients. The cyberattacks were among the latest of several major data breaches reported in recent months by eye care providers. The incidents were reported by Black Hills Regional Eye Institute, which is based in Rapid City, South Dakota, and Retina Group of Florida, based in Fort Lauderdale, Florida."
  https://www.bankinfosecurity.com/2-eye-care-practice-hacks-affect-260000-patients-staff-a-29458

General News

• Building Security That Protects Customers, Not Just Auditors
  "In this Help Net Security interview, Nir Rothenberg, CISO at Rapyd, discusses global differences in payment security maturity and the lessons that can be learned from leading regions. He points out that good engineering usually leads to strong security, and cautions against just going through the motions to meet compliance requirements. Rothenberg also points to overlooked areas such as monitoring, account takeover prevention, and collaboration across the payments ecosystem."
  https://www.helpnetsecurity.com/2025/09/16/nir-rothenberg-rapyd-payment-security-maturity/
• August 2025 Trends Report On Phishing Emails
  "This report provides the distribution quantity, statistics, trends, and case information on phishing emails and attachments collected and analyzed over the course of a month in August 2025. The following are some statistics and cases included in the original report."
  https://asec.ahnlab.com/en/90158/
• August 2025 Threat Trend Report On Ransomware
  "This report provides the statistics and major ransomware-related issues in Korea and worldwide, as well as the number of affected systems and ransomware cases based on Dedicated Leak Sites (DLS) over the course of August 2025. Below is a summary of the report."
  https://asec.ahnlab.com/en/90159/
• August 2025 APT Attack Trends Report (South Korea)
  "AhnLab has been using AhnLab Smart Defense (ASD) to monitor advanced persistent threat (APT) attacks against targets in South Korea. This report will cover the types and statistics of APT attacks in Korea during August 2025 as well as features for each type."
  https://asec.ahnlab.com/en/90152/
• August 2025 Infostealer Trend Report
  "This report provides statistics, trends, and case information on Infostealer, including distribution volume, distribution methods, and disguises based on the data collected and analyzed in August 2025. The following is a summary of the original report."
  https://asec.ahnlab.com/en/90154/
• BreachForums Hacking Forum Admin Resentenced To Three Years In Prison
  "Conor Brian Fitzpatrick, the 22-year-old behind the notorious BreachForums hacking forum, was resentenced today to three years in prison after a federal appeals court overturned his prior sentence of time served and 20 years of supervised release. Fitzpatrick, of New York, operated under the alias "Pompompurin" and created the BreachForums hacking forum in 2022 after the FBI took down RaidForums. Fitzpatrick was arrested on March 15, 2023, and charged with conspiracy to solicit individuals to sell unauthorized access devices. At the time of his arrest, he admitted to FBI agents that he was Pompompurin and the administrator of BreachForums."
  https://www.bleepingcomputer.com/news/security/breachforums-hacking-forum-admin-resentenced-to-three-years-in-prison/
  https://therecord.media/conor-fitzpatrick-pompompurin-three-year-sentence-breachforums-administrator
  https://www.bankinfosecurity.com/original-breachforums-admin-gets-3-year-prison-sentence-a-29459
  https://cyberscoop.com/conor-fitzpatrick-pompompurin-resetenced-breachforums/
• Security Industry Skeptical Of Scattered Spider-ShinyHunters Retirement Claims
  "The notorious cybercrime groups Scattered Spider and ShinyHunters claim they are retiring, but the cybersecurity industry is skeptical and believes the hackers will continue to be active. Scattered Spider has been around for several years and it recently made many headlines for targeting the retail, insurance, and aviation industries. The threat group has also been in the spotlight for its widespread Salesforce hacking campaign, which impacted major companies such as Google. Several individuals with alleged ties to Scattered Spider have been arrested, charged and sentenced over the past year."
  https://www.securityweek.com/security-industry-skeptical-of-scattered-spider-shinyhunters-retirement-claims/
  https://www.infosecurity-magazine.com/news/fifteen-ransomware-gangs-retire/
• API Threats Surge To 40,000 Incidents In 1H 2025
  "The financial services, telecoms and travel sectors were in the crosshairs of threat actors in the first half of the year, after Thales observed 40,000 incidents in the period alone. The firm’s Imperva business analyzed data from over 4000 environments worldwide to produce its API Threat Report (H1 2025). The report claimed that APIs now attract 44% of advanced bot traffic, which is generated by sophisticated software designed to mimic human behavior."
  https://www.infosecurity-magazine.com/news/api-threats-surge-40000-incidents/
  https://www.imperva.com/resources/resource-library/reports/imperva-api-threat-report/

อ้างอิง
Electronic Transactions Development Agency(ETDA)

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

New Tooling

• Arkime: Open-Source Network Analysis And Packet Capture System
  "Arkime is an open-source system for large-scale network analysis and packet capture. It works with your existing security tools to store and index network traffic in standard PCAP format, making it easy to search and access. The solution includes a simple web interface for browsing, searching, and exporting PCAP files. Arkime also provides APIs for downloading PCAP data and session data in JSON format. Because Arkime uses standard PCAP files, you can analyze the data with other tools, such as Wireshark."
  https://www.helpnetsecurity.com/2025/09/15/arkime-open-source-network-analysis-packet-capture-system/
  https://github.com/arkime/arkime

Vulnerabilities

• New Phoenix Attack Bypasses Rowhammer Defenses In DDR5 Memory
  "Academic researchers have devised a new variant of Rowhammer attacks that bypass the latest protection mechanisms on DDR5 memory chips from SK Hynix. A Rowhammer attack works by repeatedly accessing specific rows of memory cells at high-speed read/write operations to cause enough electrical interference to alter the value of the nearby bits from one to zero and vice-versa (bit flipping). An attacker could potentialluy corrupt data, increase their privileges on the system, execute malicious code, or gain access to sensitive data."
  https://www.bleepingcomputer.com/news/security/new-phoenix-attack-bypasses-rowhammer-defenses-in-ddr5-memory/
  https://comsec-files.ethz.ch/papers/phoenix_sp26.pdf
  https://github.com/comsec-group/phoenix
  https://security.googleblog.com/2025/09/supporting-rowhammer-research-to.html

Malware

• Hive0154, Aka Mustang Panda, Drops Updated Toneshell Backdoor And Novel SnakeDisk USB Worm
  "In July 2025, IBM X-Force discovered new malware attributed to China-aligned threat actor Hive0154. This includes an updated Toneshell variant evading detections and supporting several new features, as well as a novel USB worm called SnakeDisk discovered in mid-August. The worm only executes on devices with Thailand-based IP addresses and drops the Yokai backdoor, discovered by Netskope in December 2024."
  https://www.ibm.com/think/x-force/hive0154-drops-updated-toneshell-backdoor
  https://thehackernews.com/2025/09/mustang-panda-deploys-snakedisk-usb.html
• Inside Maranhão Stealer: Node.js-Powered InfoStealer Using Reflective DLL Injection
  "CRIL identified an active Maranhão Stealer campaign that is being distributed through social engineering websites hosted on cloud platforms. Current intelligence indicates that the malware has been active since May 2025 and is actively being developed. The threat actors primarily target gaming users by distributing gaming-related links, cheats, and pirated software downloads. (e.g., hxxps://derelictsgame[.]in/DerelictSetup.zip). The ZIP archives include an Inno Setup installer, which launches a Node.js-compiled binary responsible for exfiltrating credentials."
  https://cyble.com/blog/inside-maranhao-stealer-node-js-powered-infostealer/
• AI-Driven Deepfake Military ID Fraud Campaign By Kimsuky APT
  "On July 17, 2025, the Genians Security Center (GSC) detected a spear-phishing attack attributed to the Kimsuky group. This was classified as an APT attack impersonating a South Korean defense-related institution, disguised as if it were handling ID issuance tasks for military-affiliated officials. The threat actor used ChatGPT, a generative AI, to produce sample ID card images, which were then leveraged in the attack. This is a real case demonstrating the Kimsuky group’s application of deepfake technology."
  https://www.genians.co.kr/en/blog/threat_intelligence/deepfake
  https://www.infosecurity-magazine.com/news/ai-military-ids-north-korea/
  https://hackread.com/north-korea-kimsuky-group-ai-generated-military-ids/
  https://www.theregister.com/2025/09/15/north_korea_chatgpt_fake_id/
• You’re Invited: Four Phishing Lures In Campaigns Dropping RMM Tools
  "Red Canary Intelligence and Zscaler threat hunters have identified multiple campaigns utilizing the RMM tools ITarian (aka Comodo), PDQ, SimpleHelp, and Atera for remote access. Remote monitoring and management (RMM) tools continue to be a favorite tool for adversaries because they offer a veneer of legitimacy as the solutions are often used by IT professionals for remote access, system monitoring, and managing machines."
  https://redcanary.com/blog/threat-intelligence/phishing-rmm-tools/
  https://www.infosecurity-magazine.com/news/phishing-campaigns-rmm-tools/
  https://hackread.com/hackers-rmm-installs-fake-chrome-updates-teams-invite/
• Shiny Tools, Shallow Checks: How The AI Hype Opens The Door To Malicious MCP Servers
  "In this article, we explore how the Model Context Protocol (MCP) — the new “plug-in bus” for AI assistants — can be weaponized as a supply chain foothold. We start with a primer on MCP, map out protocol-level and supply chain attack paths, then walk through a hands-on proof of concept: a seemingly legitimate MCP server that harvests sensitive data every time a developer runs a tool. We break down the source code to reveal the server’s true intent and provide a set of mitigations for defenders to spot and stop similar threats."
  https://securelist.com/model-context-protocol-for-ai-integration-abused-in-supply-chain-attacks/117473/
• Ukraine Claims Cyberattacks On Russian Election Systems; Moscow Confirms Disruptions
  "Ukraine’s military intelligence agency (HUR) said on Sunday it hacked Russia’s Central Election Commission and other government services in response to voting in occupied Ukrainian regions. The operation coincided with Russia’s “unified voting day,” when regional and local elections are held simultaneously across the country. This year, ballots were also cast in Crimea and other occupied parts of Ukraine. Kyiv and its allies say those elections are illegal."
  https://therecord.media/ukraine-claims-ddos-attack-russian-election-system
• Phishing Campaign Targets Rust Developers
  "Developers publishing crates (binaries and libraries written in Rust) on crates.io, Rust’s main public package registry, have been targeted with emails echoing the recent npm phishing campaign. The emails started hitting developers’ inboxes on Friday, minutes after they published a (new) crate on the registry. The emails – titled “Important: Breach notification regarding crates.io” and made to look like they’ve been sent by the Rust Foundation – claimed that an attacker compromised the crates.io infrastructure and accessed some user information."
  https://www.helpnetsecurity.com/2025/09/15/phishing-campaign-targets-rust-developers/
• Inside The 2025 Energy Phishing Wave: Chevron, Conoco, PBF, Phillips 66
  "Phishing continues to hit critical industries hard, and in 2025 we’ve tracked a sharp rise in domains built to impersonate major U.S. energy companies. The sector is an obvious target: its brands are globally recognized, widely trusted, and therefore valuable to attackers looking to run credential theft or fraud at scale. Drawing on Hunt.io data, this report highlights how adversaries cloned the websites of Chevron, ConocoPhillips, PBF Energy, and Phillips 66. We detail the tactics uncovered, including HTTrack-based site copying, exposed directories, and investment scam templates, and show why so many of these domains slip past vendor detections. The following key takeaways summarize the most important patterns observed across this activity."
  https://hunt.io/blog/us-energy-phishing-wave-report

Breaches/Hacks/Leaks

• Google Confirms Fraudulent Account Created In Law Enforcement Portal
  "Google has confirmed that hackers created a fraudulent account in its Law Enforcement Request System (LERS) platform that law enforcement uses to submit official data requests to the company. "We have identified that a fraudulent account was created in our system for law enforcement requests and have disabled the account," Google told BleepingComputer. "No requests were made with this fraudulent account, and no data was accessed." The FBI declined to comment on the threat actor's claims."
  https://www.bleepingcomputer.com/news/security/google-confirms-fraudulent-account-created-in-law-enforcement-portal/
  https://databreaches.net/2025/09/15/hackers-claim-access-to-law-enforcement-portals-but-do-they-really-have-access/
• FinWise Insider Breach Impacts 689K American First Finance Customers
  "FinWise Bank is warning on behalf of corporate customers that it suffered a data breach after a former employee accessed sensitive files after the end of their employment. "On May 31, 2024, FinWise experienced a data security incident involving a former employee who accessed FinWise data after the end of their employment," reads a data breach notification sent by FinWise on behalf of American First Finance (AFF). American First Finance (AFF) is a company that offers consumer financing products, including installment loans and lease-to-own programs, for a diverse range of products and services. Customers use AFF to apply for and manage the loans, with the company handling the services, account setup, repayment process, and customer support."
  https://www.bleepingcomputer.com/news/security/finwise-insider-breach-impacts-689k-american-first-finance-customers/
  https://www.securityweek.com/689000-affected-by-insider-breach-at-finwise-bank/
  https://www.theregister.com/2025/09/15/finwise_insider_data_breach/
• Update: Kering Confirms Gucci And Other Brands Hacked; Claims No Conversations With Hackers?
  "On September 11, DataBreaches broke the story that customers of several high-end fashion brands owned by Paris-headquartered Kering had their personal information acquired by ShinyHunters as part of two Salesforce attacks. As we reported, a spokesperson for ShinyHunters claimed to have acquired more than 43 million customer records from Gucci and almost 13 million records from Balenciaga, Brioni, and Alexander McQueen combined."
  https://databreaches.net/2025/09/15/update-kering-confirms-gucci-and-other-brands-hacked-claims-no-conversations-with-hackers/
  https://www.bbc.com/news/articles/crl5j8ld615o
  https://securityaffairs.com/182236/cyber-crime/hackers-steal-millions-of-gucci-balenciaga-and-alexander-mcqueen-customer-records.html
• West Virginia Credit Union Notifying 187,000 People Impacted By 2023 Data Breach
  "Fairmont Federal Credit Union is notifying over 187,000 individuals that their personal and financial information was stolen in a two-year-old data breach. A not-for-profit financial organization, Fairmont Federal Credit Union offers services such as business and home mortgage loans, financial first aid, and personal checking. It operates nine regional branches in West Virginia. The organization discovered the cybersecurity incident on January 23, 2024 and launched a prompt and thorough forensic investigation, concluding on August 17, 2025, that files stolen from its network contained personal information."
  https://www.securityweek.com/west-virginia-credit-union-notifying-187000-people-impacted-by-2023-data-breach/
  https://securityaffairs.com/182217/data-breach/fairmont-federal-credit-union-2023-data-breach-impacted-187k-people.html
• Uvalde School District Says Ransomware Attack Forcing Closure Until Thursday
  "A ransomware attack has forced the public school district in Uvalde, Texas, to shut down for most of the week as officials attempt to restore systems. The Uvalde Consolidated Independent School District serves about 5,000 students in Uvalde County as well as parts of Zavala and Real counties. Anne Marie Espinoza, chief of communications for the school district, said on social media this weekend that they are dealing with a “significant technology incident.” “Ransomware has been detected within our district’s servers, severely affecting access to essential systems like phones, AC controls, camera monitoring, visitor management, Skyward, and more,” she said."
  https://therecord.media/uvalde-texas-school-district-temporarily-closing-ransomware

General News

• Most Enterprise AI Use Is Invisible To Security Teams
  "Most enterprise AI activity is happening without the knowledge of IT and security teams. According to Lanai, 89% of AI use inside organizations goes unseen, creating risks around data privacy, compliance, and governance. This blind spot is growing as AI features are built directly into business tools. Employees often connect personal AI accounts to work devices or use unsanctioned services, making it difficult for security teams to monitor usage. Lanai says this lack of visibility leaves companies exposed to data leaks and regulatory violations."
  https://www.helpnetsecurity.com/2025/09/15/lanai-enterprise-ai-visibility-tools/
• Static Feeds Leave Intelligence Teams Reacting To Irrelevant Or Late Data
  "Boards and executives are not asking for another feed of indicators. They want to know whether their organization is being targeted, how exposed they are, and what steps need to be taken. A new report from Flashpoint argues that most current intelligence models cannot keep up with these demands and that primary source collection (PSC) should become the standard approach."
  https://www.helpnetsecurity.com/2025/09/15/primary-source-collection-intelligence-model/
• When ‘minimal Impact’ Isn’t Reassuring: Lessons From The Largest Npm Supply Chain Compromise
  "Earlier this week, Aikido Security disclosed what is being described as the largest npm supply chain compromise to date. Attackers successfully injected malicious code into 18 popular npm packages, collectively accounting for more than 2.6 billion weekly downloads. The entire campaign began not with a technical exploit, but with a single, well-trained maintainer clicking on a convincingly crafted phishing email."
  https://cyberscoop.com/npm-supply-chain-compromise-brian-fox-sonatype-op-ed/
• Building Resilient IT Infrastructure From The Start
  "For years, the cybersecurity industry has put an emphasis on protecting network infrastructure. But as innovations have focused on firewalls and intrusion detection systems, other forms of IT infrastructure — which are mission-critical to operations — were left exposed. Beyond the perimeter, IT infrastructure remains one of the most overlooked attack surfaces in the enterprise. Increasing complexity in hybrid environments has complicated matters, both impeding zero-trust adoption and creating a target for adversaries."
  https://www.darkreading.com/vulnerabilities-threats/building-resilient-it-infrastructure
• Zero Trust Is 15 Years Old — Why Full Adoption Is Worth The Struggle
  "The implementation of zero trust is essential for cybersecurity: but after 15 years, we’re still not there. Implementation is like the curate’s egg: good in parts. Zero Trust turned fifteen years old on September 14, 2025. Its invention was announced with Forrester’s publication of John Kindervag’s paper, No More Chewy Centers: Introducing The Zero Trust Model of Information Security, on that date in 2010 (archived here)."
  https://www.securityweek.com/zero-trust-is-15-years-old-why-full-adoption-is-worth-the-struggle/
• New Zealand Sanctions Russian Military Hackers Over Cyberattacks On Ukraine
  "New Zealand has imposed sanctions on Russian military intelligence hackers accused of cyberattacks on Ukraine, including members of a notorious hacking unit previously tied to destructive malware campaigns. The sanctions announced Friday target Unit 29155 of Russia’s GRU intelligence agency. Western security agencies say the unit — also tracked by researchers as Cadet Blizzard and Ember Bear — has been involved in espionage, sabotage, and assassination plots across Europe. It was behind the 2022 WhisperGate malware attack on Ukrainian government networks ahead of Moscow’s full-scale invasion."
  https://therecord.media/new-zealand-russia-gru-ukraine
• Huntress Threat Advisory: The Dangers Of Storing Unencrypted Passwords
  "This is an offshoot of our other blog, "Huntress Threat Advisory: Active Exploitation of SonicWall VPNs," which allowed initial access and was followed by the rapid deployment of Akira ransomware across the victim environment. This blog outlines an interesting individual case from within that timeframe. TL;DR: The threat actor entered through the organization’s SonicWall device. When searching through the host, the threat actor found a plaintext file on the user’s desktop that contained the client's Huntress recovery codes. The threat actor then used these codes to enter the client’s Huntress portal and began remediating reports and uninstalling hosts isolated by Huntress."
  https://www.huntress.com/blog/dangers-of-storing-unencrypted-passwords
  https://www.theregister.com/2025/09/15/ransomware_recovery_codes_plaintext/
• The Risks Of Code Assistant LLMs: Harmful Content, Misuse And Deception
  "We recently looked into AI code assistants that connect with integrated development environments (IDEs) as a plugin, much like GitHub Copilot. We found that both users and threat actors could misuse code assistant features like chat, auto-completion and writing unit tests for harmful purposes. This misuse includes injecting backdoors, leaking sensitive information and generating harmful content."
  https://unit42.paloaltonetworks.com/code-assistant-llms/

อ้างอิง
Electronic Transactions Development Agency(ETDA)

Financial Sector

• August 2025 Security Issues In Korean & Global Financial Sector
  "This report comprehensively covers actual cyber threats and security issues related to financial companies in South Korea and abroad. This article includes an analysis of malware and phishing cases distributed to the financial sector, the top 10 malware strains targeting the financial sector, and the industry statistics of leaked Korean accounts on Telegram. A detailed look into the phishing email distribution case targeting the financial sector is also covered."
  https://asec.ahnlab.com/en/90110/

Healthcare Sector

• Attackers Are Coming For Drug Formulas And Patient Data
  "In the pharmaceutical industry, clinical trial data, patient records, and proprietary drug formulas are prime targets for cybercriminals. These high-value assets make the sector a constant focus for attacks. Disruptions to research or medicine distribution can have life-threatening consequences. “During global health crises, cyber attackers swiftly exploit vulnerabilities. The COVID-19 pandemic saw a fivefold increase in phishing attempts targeting WHO, with attackers impersonating leadership to distribute malware,” said Flavio Aggio, CISO at the World Health Organization."
  https://www.helpnetsecurity.com/2025/09/12/ciso-pharma-cybersecurity-risks/

Vulnerabilities

• Samsung Patches Actively Exploited Zero-Day Reported By WhatsApp
  "Samsung has patched a remote code execution vulnerability that was exploited in zero-day attacks targeting its Android devices. Tracked as CVE-2025-21043, this critical security flaw affects Samsung devices running Android 13 or later and was reported by the security teams of Meta and WhatsApp on August 13. As Samsung explains in a recently updated advisory, this vulnerability was discovered in libimagecodec.quram.so (a closed-source image parsing library developed by Quramsoft that implements support for various image formats) and is caused by an out-of-bounds write weakness that allows attackers to execute malicious code on vulnerable devices remotely."
  https://www.bleepingcomputer.com/news/security/samsung-patches-actively-exploited-zero-day-reported-by-whatsapp/
  https://thehackernews.com/2025/09/samsung-fixes-critical-zero-day-cve.html
  https://securityaffairs.com/182135/hacking/samsung-fixed-actively-exploited-zero-day.html
  https://www.theregister.com/2025/09/12/samsung_fixes_android_0day/
  https://hackread.com/samsung-android-image-parsing-vulnerability-attacks/
• NFC Card Vulnerability Exploitation Leading To Free Top-Up In KioSoft "Stored Value" Unattended Payment Solution (Mifare)
  "Some KioSoft customers currently use outdated MiFare Classic cards in "Stored Value" Unattended Payment Solutions from KioSoft. A new detection algorithm has been rolled out through firmware according to KioSoft. As a long-term fix, hardware changes with a new reader and secure cards are planned as well. KioSoft understands that its customers continually take steps to track suspicious activity as routine. Mifare Classic cards have been found to be vulnerable to attacks in the past, allowing these cards to be modified or copied. A short-term solution may be to transition away from the Stored Value Payment System to the Online Payment System of KioSoft, which does not have this vulnerability according to the vendor."
  https://sec-consult.com/vulnerability-lab/advisory/nfc-card-vulnerability-exploitation-leading-to-free-top-up-kiosoft-payment-solution/
  https://www.securityweek.com/payment-system-vendor-took-year-to-patch-infinite-card-top-up-hack-security-firm/

Malware

• Introducing HybridPetya: Petya/NotPetya Copycat With UEFI Secure Boot Bypass
  "ESET Research has discovered HybridPetya, on the VirusTotal sample sharing platform. It is a copycat of the infamous Petya/NotPetya malware, adding the capability of compromising UEFI-based systems and weaponizing CVE‑2024‑7344 to bypass UEFI Secure Boot on outdated systems."
  https://www.welivesecurity.com/en/eset-research/introducing-hybridpetya-petya-notpetya-copycat-uefi-secure-boot-bypass/
  https://www.bleepingcomputer.com/news/security/new-hybridpetya-ransomware-can-bypass-uefi-secure-boot/
  https://thehackernews.com/2025/09/new-hybridpetya-ransomware-bypasses.html
  https://www.bankinfosecurity.com/hybridpetya-crypto-locker-outsmarts-uefi-secure-boot-a-29437
  https://www.helpnetsecurity.com/2025/09/12/hybridpetya-ransomware-secure-boot-bypass/
  https://www.theregister.com/2025/09/12/hopefully_just_a_poc_hybridpetya/
  https://securityaffairs.com/182149/malware/hybridpetya-ransomware-bypasses-uefi-secure-boot-echoing-petya-notpetya.html
• Meet Yurei: The New Ransomware Group Rising From Open-Source Code
  "A new ransomware group calling itself Yurei has appeared on the cyber crime scene, and it wasted no time in making headlines. First observed on September 5 by Check Point Research, the group listed its first victim, a food manufacturing company in Sri Lanka, on its darknet site. Within just a few days, two more victims, one in India and one in Nigeria, were added. Yurei’s quick rise illustrates a growing challenge: how easily cyber criminals can turn open-source malware into real-world ransomware operations, even with limited skills and effort."
  https://blog.checkpoint.com/research/meet-yurei-the-new-ransomware-group-rising-from-open-source-code/
• SEO Poisoning Attack Targets Chinese-Speaking Users With Fake Software Sites
  "In August 2025, FortiGuard Labs identified an SEO poisoning campaign aimed at Chinese-speaking users. The attackers manipulated search rankings with SEO plugins and registered lookalike domains that closely mimicked legitimate software sites. By using convincing language and small character substitutions, they tricked victims into visiting spoofed pages and downloading malware"
  https://www.fortinet.com/blog/threat-research/seo-poisoning-attack-targets-chinese-speaking-users-with-fake-software-sites
  https://hackread.com/seo-poisoning-attack-windows-hiddengh0st-winos-malware/
• Massive L7 DDoS Botnet Expands To 5.76M Devices, Qrator Labs Reports
  "On September 1, 2025, Qrator.AntiDDoS detected and mitigated another large-scale attack carried out by the largest L7 DDoS botnet observed to date. The target was an organization in the government sector. In total, 5.76 million IP addresses were blocked during the incident. Qrator Labs has been monitoring this botnet for several months. The first attack, recorded on March 26, targeted an organization in the online betting sector. It involved about 1.33 million IP addresses, mostly from Brazil, Argentina, Russia, Iraq, and Mexico. A second incident followed on May 16, this time hitting an organization in the government sector, with the botnet already grown to 4.6 million devices. Most of the traffic originated from IP addresses in Brazil, the United States, Vietnam, India, and Argentina."
  https://qrator.net/blog/details/massive-l7-ddos-botnet-expands-to-576m-devices-qra
  https://hackread.com/qrator-labs-mitigate-l7-ddos-attack-5-76m-botnet/
• FBI Warns Of UNC6040 And UNC6395 Targeting Salesforce Platforms In Data Theft Attacks
  "The U.S. Federal Bureau of Investigation (FBI) has issued a flash alert to release indicators of compromise (IoCs) associated with two cybercriminal groups tracked as UNC6040 and UNC6395 for a string of data theft and extortion attacks. "Both groups have recently been observed targeting organizations' Salesforce platforms via different initial access mechanisms," the FBI said."
  https://thehackernews.com/2025/09/fbi-warns-of-unc6040-and-unc6395.html
  https://www.ic3.gov/CSA/2025/250912.pdf
  https://www.bleepingcomputer.com/news/security/fbi-warns-of-unc6040-unc6395-hackers-stealing-salesforce-data/
  https://securityaffairs.com/182159/cyber-crime/fbi-warns-of-salesforce-attacks-by-unc6040-and-unc6395-groups.html
• WhiteCobra's Playbook Exposed: Critical Mistake Reveals 24-Extension Campaign Targeting VS Code And Cursor
  "A new wave 24 of malicious extensions targeting VSCode, Cursor and Windsurf users have infiltrated the VSCode and OpenVSX marketplaces over the past month, and now we now know exactly how they did it. Today we unveil a coordinated campaign by a threat actor group nicknamed WhiteCobra, that we’ve been tracking for over a year. This is the same group behind the $500K crypto theft revealed two months ago, a slew of malicious extensions published on the VSCode and OpenVSX marketplaces in 2024 and 2025, and now they're back with evolved tactics."
  https://www.koi.security/blog/whitecobra-vscode-cursor-extensions-malware
  https://www.bleepingcomputer.com/news/security/whitecobra-floods-vscode-market-with-crypto-stealing-extensions/

Breaches/Hacks/Leaks

• Vietnam, Panama Governments Suffer Incidents Leaking Citizen Data
  "Data from the government organizations in Vietnam and Panama was stolen by hackers in multiple cyber incidents that came to light this week. Vietnam’s state news outlet said the country’s Cyber Emergency Response Team (VNCERT) confirmed that it received a report of an incident impacting the National Credit Information Center (CIC), which is run by the State Bank of Vietnam and manages credit information for the country’s citizens and businesses. VNCERT said initial reports show that personal data was leaked as a result of the attack. The organization is now coordinating with multiple agencies and state-owned telecom Viettel on the investigation."
  https://therecord.media/vietnam-cic-panama-finance-ministry-cyberattacks
  https://securityaffairs.com/182189/cyber-crime/shinyhunters-attack-national-credit-information-center-of-vietnam.html
• China’s Great Firewall Suffers Its Biggest Leak Ever As 500GB Of Source Code And Docs Spill Online — Censorship Tool Has Been Sold To Three Different Countries
  "Chinese censorship sprang a major leak on September 11, when researchers confirmed that more than 500GB of internal documents, source code, work logs, and internal communications from the so-called Great Firewall were dumped online, including packaging repos and operational runbooks used to build and maintain China’s national traffic filtering system. The files appear to originate from Geedge Networks, a company that has long been linked to Fang Binxing — widely described as the “father” of the Great Firewall — and from the MESA lab at the Institute of Information Engineering, a research arm of the Chinese Academy of Sciences."
  https://www.tomshardware.com/tech-industry/chinas-great-firewall-springs-huge-leak
  https://gfw.report/blog/geedge_and_mesa_leak/en/
  https://hackread.com/great-firewall-of-china-data-published-largest-leak/

General News

• August 2025 APT Group Trends
  "North Korea-linked APT groups have been intensively launching advanced cyber attacks targeting the areas of diplomacy, finance, technology, media, and policy research in South Korea. They have been highly active in their sophisticated spear-phishing campaigns employing various malware strains, social engineering techniques, and cloud-based C2 infrastructures. They have been combining various infiltration techniques such as LNK and PowerShell-based loaders, steganography (JPEG image concealment), and fileless techniques to distribute RATs and data exfiltration malware."
  https://asec.ahnlab.com/en/90104/
• Exclusive: US Warns Hidden Radios May Be Embedded In Solar-Powered Highway Infrastructure
  "U.S. officials say solar-powered highway infrastructure including chargers, roadside weather stations, and traffic cameras should be scanned for the presence of rogue devices – such as hidden radios – secreted inside batteries and inverters. The advisory, disseminated late last month by the U.S. Department of Transportation’s Federal Highway Administration, comes amid escalating government action over the presence of Chinese technology in America's transportation infrastructure."
  https://www.reuters.com/legal/government/us-warns-hidden-radios-may-be-embedded-solar-powered-highway-infrastructure-2025-09-10/
  https://www.darkreading.com/ics-ot-security/undocumented-radios-found-solar-powered-devices
• Your Heartbeat Could Reveal Your Identity, Even In Anonymized Datasets
  "A new study has found that electrocardiogram (ECG) signals, often shared publicly for medical research, can be linked back to individuals. Researchers were able to re-identify people in anonymous datasets with surprising accuracy, raising questions about how health data is protected and shared."
  https://www.helpnetsecurity.com/2025/09/12/heartbeat-ecg-data-privacy-risk/
• CISOs Brace For a New Kind Of AI Chaos
  "AI is being added to business processes faster than it is being secured, creating a wide gap that attackers are already exploiting, according to the SANS Institute. Attackers are using AI to work at speeds that humans cannot match. Phishing messages are more convincing, privilege escalation happens faster, and automated scripts can adjust mid-attack to avoid detection. The report highlights research showing that AI-driven attacks can move more than 40 times faster than traditional methods. This means a breach can happen before a defender even sees the first alert."
  https://www.helpnetsecurity.com/2025/09/12/sans-ai-security-blueprint/
• HP Wolf Security Threat Insights Report: September 2025
  "Welcome to the September 2025 edition of the HP Wolf Security Threat Insights Report. In the report, we review notable malware campaigns, trends and techniques identified from HP Wolf Security’s customer telemetry in calendar Q2 2025. In Q2 2025, the HP Threat Research team identified attackers refining their use of living-off-the-land (LOTL) tools to evade detection. In one campaign that targeted businesses, threat actors chained together multiple LOTL tools, including lesser-known ones, to deliver XWorm malware. The final payload was hidden in the pixels of an image (T1027.003) downloaded from a trusted website, decoded via PowerShell (T1059.001), and executed through MSBuild (T1127.001), enabling remote access and data theft."
  https://threatresearch.ext.hp.com/hp-wolf-security-threat-insights-report-september-2025/
  https://threatresearch.ext.hp.com/wp-content/uploads/2025/09/HP_Wolf_Security_Threat_Insights_Report_September_2025.pdf
  https://www.infosecurity-magazine.com/news/attackers-novel-lotl-detection/
• Trusted Connections, Hidden Risks: Token Management In The Third-Party Supply Chain
  "You are about to log off for the weekend when a high-severity alert flashes on your cloud security tool’s dashboard. A single, unfamiliar OAuth token is making hundreds of connections from three different IP addresses, two of which are flagged as belonging to an unknown VPN service. The token belongs to a third-party application integrated with the company's Salesforce instance, one of those forgotten dormant integrations. A threat actor has stolen an OAuth token to bypass traditional defenses and is enumerating CRM accounts and exfiltrating sensitive data. A pit forms in your stomach; you are experiencing a supply chain attack."
  https://unit42.paloaltonetworks.com/third-party-supply-chain-token-management/
• Are Cybercriminals Hacking Your Systems – Or Just Logging In?
  "Why break a door down and set the house alarm off when you have a key and a code to walk in silently? This is the rationale behind a trend in cybersecurity where adversaries are increasingly looking to steal passwords, and even authentication tokens and session cookies to bypass MFA codes so they can access networks by masquerading as legitimate users. According to Verizon, “use of stolen credentials” has been one of the most popular methods for gaining initial access over recent years. The use of stolen credentials appeared in a third (32%) of data breaches last year, its report notes. However, while there are several ways threat actors can get hold of credentials, there are also plenty of opportunities to stop them."
  https://www.welivesecurity.com/en/business-security/cybercriminals-hacking-systems-logging-in/

อ้างอิง
Electronic Transactions Development Agency(ETDA)

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand