Follow the news on the webboard or the NCSA Thailand Facebook page
Cheap Android phones from China found with malware embedded in the WhatsApp and Telegram apps to steal cryptocurrency
Apple releases patches for zero-day vulnerabilities exploited in attacks on iPhones
CISA issues six Industrial Control Systems advisories
The Cybersecurity and Infrastructure Security Agency (CISA) released six Industrial Control Systems (ICS) advisories on 17 April 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS:
- ICSA-25-107-01 Schneider Electric Trio Q Licensed Data Radio
- ICSA-25-107-02 Schneider Electric Sage Series
- ICSA-25-107-03 Schneider Electric ConneXium Network Manager
- ICSA-25-107-04 Yokogawa Recorder Products
- ICSA-24-326-04 Schneider Electric Modicon M340, MC80, and Momentum Unity M1E (Update A)
- ICSA-25-058-01 Schneider Electric Communication Modules for Modicon M580 and Quantum Controllers (Update A)
CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations. Further details: https://www.cisa.gov/news-events/alerts/2025/04/17/cisa-releases-six-industrial-control-systems-advisories
Cyber Threat Intelligence 17 April 2025
Energy Sector
- Cyber Threats Against Energy Sector Surge As Global Tensions Mount
"Cyberattacks targeting the energy sector are increasing, driven by a host of geopolitical and technological factors. A report published by Sophos in July 2024, and which surveyed 275 cybersecurity and IT leaders from the energy, oil/gas, and utilities sector across 14 countries, found 67% of respondents who said their organizations had suffered a ransomware attack in the last year. While Sophos’ figure remained steady year-over-year, a January 2025 report authored by TrustWave said that ransomware attacks targeting the energy and utilities sectors increased by 80% in 2024 compared to the previous year. Most of these breaches have only managed to compromise IT environments, as opposed to more critical operational technology (OT) networks, but the threat to the latter is rapidly intensifying."
https://www.resecurity.com/blog/article/cyber-threats-against-energy-sector-surge-global-tensions-mount
https://securityaffairs.com/176591/hacking/cyber-threats-against-energy-sector-surge-as-global-tensions-mount.html
Vulnerabilities
- Over 16,000 Fortinet Devices Compromised With Symlink Backdoor
"Over 16,000 internet-exposed Fortinet devices have been detected as compromised with a new symlink backdoor that allows read-only access to sensitive files on previously compromised devices. This exposure is being reported by threat monitoring platform The Shadowserver Foundation, which initially reported 14,000 devices were exposed. Today, Shadowserver's Piotr Kijewski told BleepingComputer that the cybersecurity organization now detects 16,620 devices impacted by the recently revealed persistence mechanism."
https://www.bleepingcomputer.com/news/security/over-16-000-fortinet-devices-compromised-with-symlink-backdoor/
- Chrome 135, Firefox 137 Updates Patch Severe Vulnerabilities
"Google and Mozilla on Tuesday announced security updates for Chrome 135 and Firefox 137 that address potentially exploitable critical- and high-severity vulnerabilities. Chrome versions 135.0.7049.95/.96 for Windows and macOS and version 135.0.7049.95 for Linux were rolled out with fixes for two memory safety vulnerabilities reported by external researchers."
https://www.securityweek.com/chrome-135-firefox-137-updates-patch-severe-vulnerabilities/
- Oracle Patches 180 Vulnerabilities With April 2025 CPU
"On April 15, Oracle announced the release of 378 new security patches as part of its second Critical Patch Update (CPU) of 2025, including 255 fixes for vulnerabilities that are remotely exploitable without authentication. SecurityWeek has identified roughly 180 unique CVEs in Oracle’s April 2025 CPU and counted approximately 40 security patches that resolve critical-severity flaws. Oracle Communications received the largest number of security fixes, at 103, including 82 patches for bugs that can be exploited by remote, unauthenticated attackers."
https://www.securityweek.com/oracle-patches-180-vulnerabilities-with-april-2025-cpu/
- Cisco Webex App Client-Side Remote Code Execution Vulnerability
"A vulnerability in the custom URL parser of Cisco Webex App could allow an unauthenticated, remote attacker to persuade a user to download arbitrary files, which could allow the attacker to execute arbitrary commands on the host of the targeted user. This vulnerability is due to insufficient input validation when Cisco Webex App processes a meeting invite link. An attacker could exploit this vulnerability by persuading a user to click a crafted meeting invite link and download arbitrary files. A successful exploit could allow the attacker to execute arbitrary commands with the privileges of the targeted user."
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-app-client-rce-ufyMMYLC
- CISA Adds One Known Exploited Vulnerability To Catalog
"CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
CVE-2021-20035 SonicWall SMA100 Appliances OS Command Injection Vulnerability"
https://www.cisa.gov/news-events/alerts/2025/04/16/cisa-adds-one-known-exploited-vulnerability-catalog
- Apple Fixes Two Zero-Days Exploited In Targeted iPhone Attacks
"Apple released emergency security updates to patch two zero-day vulnerabilities that were used in an "extremely sophisticated attack" against specific targets' iPhones. The two vulnerabilities are in CoreAudio (CVE-2025-31200) and RPAC (CVE-2025-31201), with both bugs impacting iOS, macOS, tvOS, iPadOS, and visionOS. "Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on iOS," reads an Apple security bulletin released today."
https://www.bleepingcomputer.com/news/security/apple-fixes-two-zero-days-exploited-in-targeted-iphone-attacks/
https://support.apple.com/en-us/122282
https://www.securityweek.com/apple-pushes-ios-macos-patches-to-quash-two-zero-days/
- Eclipse And STMicroelectronics Vulnerabilities
"Cisco Talos’ Vulnerability Discovery & Research team recently disclosed three vulnerabilities found in Eclipse ThreadX and four vulnerabilities in STMicroelectronics. The vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in adherence to Cisco’s third-party vulnerability disclosure policy."
https://blog.talosintelligence.com/eclipse-and-stmicroelectronics-vulnerabilities/
- CVE-2025-24054, NTLM Exploit In The Wild
"NTLM (New Technology LAN Manager) is a suite of authentication protocols developed by Microsoft to verify user identities and protect the integrity and confidentiality of network communications. NTLM operates through a direct client-server exchange known as the NTLM challenge/response mechanism, in which the server challenges the client to prove its identity without sending the user’s actual password over the network."
https://research.checkpoint.com/2025/cve-2025-24054-ntlm-exploit-in-the-wild/
https://www.darkreading.com/cyberattacks-data-breaches/multiple-group-exploiting-ntlm-flaw
- Task Scheduler: New Vulnerabilities For Schtasks.exe
"The schtasks.exe binary is a core component of the Task Scheduler Service in Windows, enabling users to schedule and manage tasks automatically. As part of the Windows Task Scheduler framework, schtasks.exe provides both system administrators and regular users with the ability to streamline operations by automating tasks, from simple programs to complex system maintenance processes."
https://cymulate.com/blog/task-scheduler-new-vulnerabilities-for-schtasks-exe/
https://thehackernews.com/2025/04/experts-uncover-four-new-privilege.html
Malware
- CrazyHunter Campaign Targets Taiwanese Critical Sectors
"CrazyHunter has quickly emerged as a serious ransomware threat. The group made their introduction in the past month with the opening of their data leak site where they posted ten victims – all located from Taiwan. We have followed some of their operations through internal monitoring since the start of January and have witnessed a clear pattern of specifically targeting organizations in Taiwan. The victims of the group consists mainly of hospitals and medical centers, educational institutions and universities, manufacturing companies, and industrial organizations, which reflects a targeted focus on organizations with valuable data and sensitive operations."
https://www.trendmicro.com/en_us/research/25/d/crazyhunter-campaign.html
https://www.darkreading.com/threat-intelligence/ransomware-gang-crazyhunter-critical-taiwanese-orgs
- "I Sent You An Email From Your Email Account," Sextortion Scam Claims
"In a new version of the old “Hello pervert” emails, scammers are relying on classic email spoofing techniques to try and convince victims that they have lost control of their email account and computer systems. Email spoofing basically comes down to sending emails with a false sender address, a method in use in various ways by scammers. Obviously, pretending to be someone else can have its advantages, especially if that someone else holds a position of power or trust with regards to the receiver."
https://www.malwarebytes.com/blog/news/2025/04/i-sent-you-an-email-from-your-email-account-sextortion-scam-claims
- Latest Mustang Panda Arsenal: ToneShell And StarProxy | P1
"The Zscaler ThreatLabz team discovered new activity associated with Mustang Panda, originating from two machines from a targeted organization in Myanmar. This research led to the discovery of new ToneShell variants and several previously undocumented tools. Mustang Panda, a China-sponsored espionage group, traditionally targets government-related entities, military entities, minority groups, and non-governmental organizations (NGOs) primarily in countries located in East Asia, but they have also been known to target entities in Europe."
https://www.zscaler.com/blogs/security-research/latest-mustang-panda-arsenal-toneshell-and-starproxy-p1
https://www.zscaler.com/blogs/security-research/latest-mustang-panda-arsenal-paklog-corklog-and-splatcloak-p2
- Threat Actors Misuse Node.js To Deliver Malware And Other Malicious Payloads
"Since October 2024, Microsoft Defender Experts (DEX) has observed and helped multiple customers address campaigns leveraging Node.js to deliver malware and other payloads that ultimately lead to information theft and data exfiltration. While traditional scripting languages like Python, PHP, and AutoIT remain widely used in threats, threat actors are now leveraging compiled JavaScript—or even running the scripts directly in the command line using Node.js—to facilitate malicious activity. This shift in threat actor techniques, tactics, and procedures (TTPs) might indicate that while Node.js-related malware aren’t as prevalent, they’re quickly becoming a part of the continuously evolving threat landscape."
https://www.microsoft.com/en-us/security/blog/2025/04/15/threat-actors-misuse-node-js-to-deliver-malware-and-other-malicious-payloads/
https://www.securityweek.com/microsoft-warns-of-node-js-abuse-for-malware-delivery/
- Multi-Stage Phishing Attack Exploits Gamma, An AI-Powered Presentation Tool
"AI-powered content generation platforms are reshaping how we work—and how threat actors launch attacks. In this newly uncovered campaign, attackers weaponize Gamma, a relatively new AI-based presentation tool, to deliver a link to a fraudulent Microsoft SharePoint login portal. Capitalizing on the fact that employees may not be as familiar with the platform (and thus not aware of its potential for exploitation), threat actors create a phishing flow so polished it feels legitimate at every step."
https://abnormal.ai/blog/multi-stage-phishing-attack-gamma-presentation
https://thehackernews.com/2025/04/ai-powered-gamma-used-to-host-microsoft.html
- Malicious PyPI Package Hijacks MEXC Orders, Steals Crypto Tokens
"The JFrog Security Research team regularly monitors open source software repositories using advanced automated tools, in order to detect malicious packages. In cases of potential supply chain security threats, our research team reports any malicious packages that were discovered to the repository’s maintainers in order to have them removed. This blog provides an analysis of the ccxt-mexc-futures malicious package which aims to leak crypto currency trading credentials."
https://jfrog.com/blog/malicious-pypi-package-hijacks-mexc-orders-steals-crypto-tokens/
https://thehackernews.com/2025/04/malicious-pypi-package-targets-mexc.html
- A Long Shadow: The Expansion And Export Of China's Digital Repression Model In Tibet
"Recent procurement documents reveal that Meiya Pico, a Chinese state-owned digital forensics firm, will provide an offensive cyber operations training environment and digital forensic laboratory to the Tibet Police College in Lhasa. This development underscores the Chinese government's strategic investment in advanced Public Security Bureau (PSB) training infrastructure in Tibet and highlights Meiya Pico's integral role in meeting these specialized requirements."
https://turquoiseroof.org/a-long-shadow-the-expansion-and-export-of-chinas-digital-repression-model-in-tibet/
https://therecord.media/chinese-firm-tied-to-uyghur-abuses-training-police-hacking-tibet
- JUICYJAM: How Thai Authorities Use Online Doxxing To Suppress Dissent
"A sustained, coordinated social media harassment and doxxing campaign – which we codenamed JUICYJAM – targeting the pro-democracy movement in Thailand has run uninterrupted, and unchallenged, since at least August 2020. We define doxxing as the search for and the publication of an individual’s personal data on the Internet with malicious intent, in this instance, to suppress and harass the Thai pro-democracy movement. The operation utilized an inauthentic persona over multiple social media platforms (primarily X and Facebook) to target pro-democracy protesters by doxxing individuals, continuously harassing them, and instructing followers to report them to the police."
https://citizenlab.ca/2025/04/how-thai-authorities-use-online-doxxing-to-suppress-dissent/
https://therecord.media/researchers-uncover-social-media-harassment-campaign-thai-activists
- Cascading Shadows: An Attack Chain Approach To Avoid Detection And Complicate Analysis
"In December 2024, we uncovered an attack chain that employs distinct, multi-layered stages to deliver malware like Agent Tesla variants, Remcos RAT or XLoader. Attackers increasingly rely on such complex delivery mechanisms to evade detection, bypass traditional sandboxes, and ensure successful payload delivery and execution. The phishing campaign we analyzed used deceptive emails posing as an order release request to deliver a malicious attachment. This multi-layered attack chain leverages multiple execution paths to evade detection and complicate analysis. Figure 1 below illustrates the attack chain used by this campaign."
https://unit42.paloaltonetworks.com/phishing-campaign-with-complex-attack-chain/
- Waiting Thread Hijacking: A Stealthier Version Of Thread Execution Hijacking
"In our previous blog on process injections we explained the foundations of this topic and basic ideas behind detection and prevention. We also proposed a new technique dubbed Thread Name-Calling – abusing the Thread Name API that was originally intended to assign names to running threads. The technique allowed writing to a process using a handle without write access. Remote execution was achieved through the new API for Asynchronous Procedure Calls (APC), requesting a Special User APC. With the help of those building blocks, we were able to inject a payload and run it without being noticed by most tested EDRs (Endpoint Detection & Response systems). While remote write was implemented using an unexpected API, execution wasn’t completely novel since it was a variant of APC injection."
https://research.checkpoint.com/2025/waiting-thread-hijacking/
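The sender-spoofing trick behind the "I sent you an email from your email account" sextortion item in this section can be checked mechanically from the message headers. The following is an added example (not Malwarebytes' code): two constructed raw messages, one forged so that the From header carries the recipient's own address, and one legitimate, are parsed with Python's standard `email` module. The check compares the From address with the recipient and with the envelope sender in Return-Path, and reads the receiving server's Authentication-Results header for SPF/DKIM/DMARC outcomes. Hostnames, addresses and header values are constructed.

```python
"""Flag a message whose From header is spoofed to the recipient's own address."""
import email
import re
from email.utils import parseaddr

# Constructed sample: the "from yourself" sextortion pattern. The envelope sender and the
# receiving MX's Authentication-Results header contradict the forged From header.
SPOOFED = """\
Return-Path: <bounce@mail-relay.example.net>
Authentication-Results: mx.example.com;
 spf=fail smtp.mailfrom=mail-relay.example.net;
 dkim=none;
 dmarc=fail header.from=example.com
From: Victim <victim@example.com>
To: victim@example.com
Subject: I sent you an email from your email account

As you can see, I have full access to your account...
"""

# Constructed sample: an ordinary internal message that passes all three checks.
LEGIT = """\
Return-Path: <helpdesk@example.com>
Authentication-Results: mx.example.com;
 spf=pass smtp.mailfrom=example.com;
 dkim=pass header.d=example.com;
 dmarc=pass header.from=example.com
From: IT Helpdesk <helpdesk@example.com>
To: victim@example.com
Subject: Password expiry reminder

Your password expires in 7 days.
"""


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyse(raw: str) -> dict:
    """Return the spoofing signals found in a raw RFC 5322 message."""
    msg = email.message_from_string(raw)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, to_addr = parseaddr(msg.get("To", ""))
    _, envelope = parseaddr(msg.get("Return-Path", ""))
    auth = " ".join(msg.get_all("Authentication-Results", []))
    # Authentication-Results is written by the receiving server, not the sender,
    # so its spf=/dkim=/dmarc= verdicts are the trustworthy part of the header block.
    results = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth))

    signals = []
    if from_addr and from_addr.lower() == to_addr.lower():
        signals.append("from-equals-recipient")
    if envelope and _domain(envelope) != _domain(from_addr):
        signals.append("envelope-domain-mismatch")
    for mech in ("spf", "dmarc"):
        if results.get(mech) == "fail":
            signals.append(f"{mech}-fail")

    # A DMARC failure alone is decisive; the other two signals together are the
    # classic spoof shape even when the receiving server recorded no DMARC result.
    spoof_likely = ("dmarc-fail" in signals) or (
        "from-equals-recipient" in signals and "envelope-domain-mismatch" in signals)
    return {"from": from_addr, "to": to_addr, "envelope": envelope,
            "auth": results, "signals": signals, "spoof_likely": spoof_likely}


if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(name, analyse(raw))
```

The practical takeaway for defenders is the last rule: a From header is free-form text chosen by the sender, so the decision should rest on the envelope sender and the server-side authentication verdicts, and a domain that publishes a DMARC `p=reject` policy removes this whole scam pattern for its own users.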
Breaches/Hacks/Leaks
- BidenCash Market Dumps 1 Million Stolen Credit Cards On Russian Forum
"BidenCash, a dark web carding marketplace known for its aggressive tactics, has leaked a fresh batch of 910,380 stolen credit card records on the Russian-language cybercrime forum XSS. The leak, published on April 14 at 6:37 PM (UTC), includes card numbers, CVV codes, and expiration dates but lacks names or other personally identifying information. Despite the limited data set, the dump poses a clear risk for online fraud, particularly in card-not-present transactions."
https://hackread.com/bidencash-market-leak-credit-cards-russian-forum/
General News
- CISA Releases Guidance On Credential Risks Associated With Potential Legacy Oracle Cloud Compromise
"CISA is aware of public reporting regarding potential unauthorized access to a legacy Oracle cloud environment. While the scope and impact remains unconfirmed, the nature of the reported activity presents potential risk to organizations and individuals, particularly where credential material may be exposed, reused across separate, unaffiliated systems, or embedded (i.e., hardcoded into scripts, applications, infrastructure templates, or automation tools). When credential material is embedded, it is difficult to discover and can enable long-term unauthorized access if exposed."
https://www.cisa.gov/news-events/alerts/2025/04/16/cisa-releases-guidance-credential-risks-associated-potential-legacy-oracle-cloud-compromise
https://therecord.media/cisa-warns-of-potential-data-breaches-tied-to-oracle-issue
- CISA Extends Funding To Ensure 'No Lapse In Critical CVE Services'
"CISA says the U.S. government has extended MITRE's funding to ensure no continuity issues with the critical Common Vulnerabilities and Exposures (CVE) program. "The CVE Program is invaluable to cyber community and a priority of CISA," the U.S. cybersecurity agency told BleepingComputer. "Last night, CISA executed the option period on the contract to ensure there will be no lapse in critical CVE services. We appreciate our partners' and stakeholders' patience." BleepingComputer has learned that the extension of the contract is for 11 months."
https://www.bleepingcomputer.com/news/security/cisa-extends-funding-to-ensure-no-lapse-in-critical-cve-services/
https://therecord.media/cisa-extends-cve-program-contract-with-mitre
https://www.securityweek.com/mitre-cve-program-gets-last-hour-funding-reprieve/
https://cyberscoop.com/cisa-reverses-course-extends-mitre-cve-contract/
https://hackread.com/cve-program-online-cisa-temporary-mitre-extension/
https://securityaffairs.com/176608/security/cisas-11-month-extension-ensures-continuity-of-mitres-cve-program.html
https://www.theregister.com/2025/04/16/cve_program_funding_save/
- APT Rogues' Gallery: The World's Most Dangerous Cyber Adversaries
"Advanced Persistent Threat (APT) groups are not a new scourge. These sophisticated, state-sponsored cyber adversaries, with deep pockets and highly advanced technical skills, conduct prolonged and targeted attacks to infiltrate networks, exfiltrate sensitive data, and disrupt critical infrastructure. The stakes have never been higher, so in this blog, we’ll look at some of the most notorious APT actors, their unique Tactics, Techniques, and Procedures (TTPs), and attacks attributed to them, and offer a few tips on how to defend against them."
https://www.tripwire.com/state-of-security/apt-rogues-gallery-worlds-most-dangerous-cyber-adversaries
- Q1 2025 Global Cyber Attack Report From Check Point Software: An Almost 50% Surge In Cyber Threats Worldwide, With A Rise Of 126% In Ransomware Attacks
"The first quarter of 2025 saw cyber attacks around the globe up sharply, with businesses experiencing more frequent – and more sophisticated – attacks. The average number of cyber attacks per organization reached 1,925 per week, marking a 47% rise compared to the same period in 2024. As cyber criminals adapt and evolve their tactics, sectors such as education, government, and telecommunications found themselves most frequently in the cross hairs of these attacks. The following are the most important attack trends Check Point Research has documented for the first three months of 2025."
https://blog.checkpoint.com/research/q1-2025-global-cyber-attack-report-from-check-point-software-an-almost-50-surge-in-cyber-threats-worldwide-with-a-rise-of-126-in-ransomware-attacks/
- Your Apps Are Leaking: The Hidden Data Risks On Your Phone
"Personally identifiable information (PII), financial data, medical information, account credentials, intellectual property - What all these types of sensitive data have in common is that you need tight control over who can access them, regardless of whether they belong to you or your organization. And sure, you might be following the best practices, but what about the apps that you or your employees use? With the ever-growing dependence upon mobile devices in everyday business and personal activities, and especially with many companies opting for a BYOD policy, it is of particular importance to know how those apps might compromise your privacy and sensitive corporate data."
https://zimperium.com/blog/your-apps-are-leaking-the-hidden-data-risks-on-your-phone
https://www.darkreading.com/endpoint-security/cloud-cryptography-flaws-mobile-apps-expose-enterprise-data
https://www.infosecurity-magazine.com/news/92-mobile-apps-insecure/
https://www.securityweek.com/many-mobile-apps-fail-basic-security-posing-serious-risks-to-enterprises/
- Active Directory Recovery Can't Be An Afterthought
"Although it's decades old and used in legacy IT systems, Microsoft's Active Directory remains foundational to many large enterprises — and likely will be for the foreseeable future. Yet, despite Active Directory's role in determining who has access to which parts of on-premises enterprise networks, many businesses fail to adequately safeguard this vital piece of infrastructure from intruders. That leaves companies far too vulnerable to financial and reputational damage."
https://www.darkreading.com/vulnerabilities-threats/active-directory-recovery-afterthought
- Accounting Firms Can't Skimp On Cybersecurity
"Early in 2024, an employee at UK engineering firm Arup joined a video call with the company's senior management. The call seemed routine — but it wasn’t. What the employee didn't realize was that the entire interaction was using deepfake technology. The faces and voices of the individuals on the call were fake, and by the time the call had ended, the criminals had $25 million. The only real part about the incident was the trust in thinking the people were who they claimed to be."
https://www.darkreading.com/cloud-security/accounting-firms-cannot-skimp-cybersecurity
- Typical Dark Web Fraud: Where Scammers Operate And What They Look Like
"In the dark corners of the internet, countless individuals claim to be cybercriminals responsible for massive breaches and sensitive data leaks. These self-proclaimed threat actors often boast about hacking major corporations resulting in compromising internal resources (accesses, documents, source codes, databases, personal data and much more)—actions that inevitably attract the attention of the media, researchers, analysts and cybersecurity experts. In reality, many of these claims are completely false. A significant number of “threat actors” are not hackers at all—but scammers who never conducted an attack, provided fabricated evidence or old data, and misled the public, capitalizing on public fear and the cybersecurity community’s eagerness to uncover the next big breach."
https://www.group-ib.com/blog/dark-web-fraud/
- When Companies Merge, So Do Their Cyber Threats
"For CISOs, mergers and acquisitions (M&A) bring both potential and risk. These deals can drive growth, but they also open the door to serious cybersecurity threats that may derail the transaction. Strong due diligence, smart risk planning, and a shared security mindset can help keep deals on track and protect the business."
https://www.helpnetsecurity.com/2025/04/16/mergers-and-acquisitions-cybersecurity/
- Strategic AI Readiness For Cybersecurity: From Hype To Reality
"AI readiness in cybersecurity involves more than just possessing the latest tools and technologies; it is a strategic necessity. Many companies could encounter serious repercussions, such as increased volumes of advanced cyber threats, if they fail to exploit AI due to a lack of clear objectives, inadequate data readiness or misalignment with business priorities. Foundational concepts are vital for constructing a robust AI-readiness framework for cybersecurity. These concepts encompass the organization’s technology, data, security, governance and operational processes."
https://www.helpnetsecurity.com/2025/04/16/ai-readiness-framework/
- The Future Of Authentication: Why Passwordless Is The Way Forward
"By now, most CISOs agree: passwords are the weakest link in the authentication chain. They’re easy to guess, hard to manage, and constantly reused. Even the most complex password policies don’t stop phishing or credential stuffing. That’s why passwordless authentication is gaining serious ground. Adopting passwordless authentication comes with challenges, including resistance to change, integration with legacy systems, and initial costs. Organizations may also have concerns about security, user experience, accessibility, compliance, and data privacy."
https://www.helpnetsecurity.com/2025/04/16/passwordless-authentication-security/
- Streamlining Detection Engineering In Security Operation Centers
"Security operations centers (SOCs) exist to protect organizations from cyberthreats by detecting and responding to attacks in real time. They play a crucial role in preventing security breaches by detecting adversary activity at every stage of an attack, working to minimize damage and enabling an effective response. To accomplish this mission, SOC operations can be broken down into four operating phases:"
https://securelist.com/streamlining-detection-engineering/116186/
- Our 2024 Ads Safety Report Shows How We Use AI To Safeguard Consumers
"Our latest Ads Safety Report highlights a key trend from 2024: how AI is improving our ability to prevent fraudsters from ever showing ads to people. For years, we've deployed our most advanced technologies to safeguard our ads platforms from bad actors. In 2024, we launched over 50 enhancements to our LLMs, which enabled more efficient and precise enforcement at scale. These updates sped up complex investigations, helping us identify bad actors and fraud signals — like illegitimate payment information — during account setup. This kept billions of policy-violating ads from ever showing to a consumer, while ensuring legitimate businesses can show ads to customers faster."
https://blog.google/products/ads-commerce/google-ads-safety-report-2024/
https://services.google.com/fh/files/misc/ads_safety_report_2024.pdf
https://thehackernews.com/2025/04/google-blocked-51b-harmful-ads-and.html
https://www.bleepingcomputer.com/news/google/google-blocked-over-5-billion-ads-in-2024-amid-rise-in-ai-powered-scams/
- From Third-Party Vendors To U.S. Tariffs: The New Cyber Risks Facing Supply Chains
"Cyber threats targeting supply chains have become a growing concern for businesses across industries. As companies continue to expand their reliance on third-party vendors, cloud-based services, and global logistics networks, cybercriminals are exploiting vulnerabilities within these interconnected systems to launch attacks. By first infiltrating a third-party vendor with undetected security gaps, attackers can establish a foothold, leveraging these weaknesses to penetrate the primary business partners' network. From there, they move laterally through critical systems, ultimately gaining access to sensitive data, financial assets, intellectual property, or even operational controls."
https://thehackernews.com/2025/04/from-third-party-vendors-to-us-tariffs.html
- Guess What Happens When Ransomware Fiends Find 'Insurance' 'Policy' In Your Files
"Ransomware operators jack up their ransom demands by a factor of 2.8x if they detect a victim has cyber-insurance, a study highlighted by the Netherlands government has confirmed. For his PhD thesis [PDF], defended in January, Dutch cop Tom Meurs looked at 453 ransomware attacks between 2019 and 2021. He found one of the first actions intruders take is to search for documents with the keywords "insurance" and "policy." If the crooks find evidence that the target has a relevant policy, the ransom more than doubles on average."
https://www.theregister.com/2025/04/16/dutch_ransomware_study/
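CISA's guidance at the top of this General News section warns that embedded credential material (hardcoded into scripts, templates and automation) is hard to discover. The following is an added example of the kind of scan a team would run over a repository to find it; it is not CISA's or Oracle's tooling. It carries a handful of constructed sample files inline (a deploy script, an infrastructure template, a CI config, a template that correctly references a variable, and a README) and three illustrative rules: an AWS-style access key ID, a quoted password/secret/token assignment, and a credential embedded in a URL. The key string is AWS's documented placeholder, not a live credential; the rule set is a starting point, not a complete secret catalogue.

```python
"""Find credential material embedded in scripts, templates and CI config."""
import math
import re
from collections import Counter

# Constructed sample files. Every secret below is made up for the demo.
SAMPLES = {
    "deploy.sh": "#!/bin/sh\n"
                 "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
                 "aws s3 sync ./build s3://bucket\n",
    "main.tf": 'provider "oracle" {\n'
               '  user     = "svc_deploy"\n'
               '  password = "Pa55w0rd-rotate-me!"\n'
               "}\n",
    ".gitlab-ci.yml": "deploy:\n"
                      "  script:\n"
                      "    - curl https://svc:hunter2@api.example.internal/push\n",
    "variables.tf": 'password = "${var.db_password}"\n',        # a reference, not a secret
    "README.md": "Set PASSWORD in the environment before running deploy.sh.\n",
}

# (rule name, regex). Where the regex has groups, the last group is the secret value.
RULES = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("password-assignment",
     re.compile(r"""(?i)\b(password|passwd|pwd|secret|token)\s*[=:]\s*["']([^"'\s]{6,})["']""")),
    ("credential-in-url", re.compile(r"\b[a-z][a-z0-9+.-]*://[^/\s:@]+:([^@\s/]+)@")),
]

REFERENCE_PREFIXES = ("${", "{{", "$(", "$", "<")   # templated or placeholder values, not secrets


def shannon_entropy(s: str) -> float:
    """Bits per character; used to drop obviously non-secret values such as 'aaaaaa'."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def _redact(secret: str) -> str:
    return secret[:4] + "*" * (len(secret) - 4)


def scan(files: dict) -> list:
    """Return (file, line number, rule, redacted value) for every embedded credential found."""
    findings = []
    for name, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            for rule, rx in RULES:
                m = rx.search(line)
                if not m:
                    continue
                secret = m.group(m.lastindex or 0)
                if secret.startswith(REFERENCE_PREFIXES) or shannon_entropy(secret) < 2.0:
                    continue
                findings.append((name, lineno, rule, _redact(secret)))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLES):
        print("%-16s line %-3d %-22s %s" % f)
```

The two exclusions matter as much as the rules: skipping values that are template references keeps the scan quiet on correctly written infrastructure code, and the entropy floor filters placeholder strings, so what remains is worth rotating. Anything the scan reports should be treated as already exposed and rotated, not merely deleted from the file, since it survives in version-control history.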
Reference: Electronic Transactions Development Agency (ETDA)
Vulnerability found in Apache Roller (CVSS 10.0): attackers can retain access even after a password change
Warning: fake file-conversion websites impersonating PDFCandy
Cyber Threat Intelligence 16 April 2025
Industrial Sector
- CISA Releases Nine Industrial Control Systems Advisories
"CISA released nine Industrial Control Systems (ICS) advisories on April 15, 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.
ICSA-25-105-01 Siemens Mendix Runtime
ICSA-25-105-02 Siemens Industrial Edge Device Kit
ICSA-25-105-03 Siemens SIMOCODE, SIMATIC, SIPLUS, SIDOOR, SIWAREX
ICSA-25-105-04 Growatt Cloud Applications
ICSA-25-105-05 Lantronix Xport
ICSA-25-105-06 National Instruments LabVIEW
ICSA-25-105-07 Delta Electronics COMMGR
ICSA-25-105-08 ABB M2M Gateway
ICSA-25-105-09 Mitsubishi Electric Europe B.V. smartRTU"
https://www.cisa.gov/news-events/alerts/2025/04/15/cisa-releases-nine-industrial-control-systems-advisories
- "Security By Design Helps You Stay One Step Ahead"
"Ekaterina Rudina, Security Analysis Group Manager at Kaspersky, discusses the challenges of assessing the security of industrial facilities and the role of the professional community in their protection, the reasons behind security issues in rapidly evolving industries, and the impact of digitalization on society."
https://ics-cert.kaspersky.com/publications/blog/2025/04/15/security-by-design-helps-you-stay-one-step-ahead/
Vulnerabilities
- Max Severity Bug In Apache Roller Enabled Persistent Access
"The maintainers of the Apache Roller open source blogging platform patched a maximum severity bug that allowed continued access to the app even after a user changed their password. The issue had to do with insufficient session expiration, a vulnerability that occurs when a system or app fails to invalidate an existing user's active session after a password change. The Apache Software Foundation (ASF) has implemented a new centralized session management feature that correctly invalidates all active user sessions when a password is changed, or a user disables their account."
https://www.darkreading.com/vulnerabilities-threats/max-severity-bug-apache-roller-persistent-access
https://lists.apache.org/thread/4j906k16v21kdx8hk87gl7663sw7lg7f
https://thehackernews.com/2025/04/critical-apache-roller-vulnerability.html
https://securityaffairs.com/176577/security/critical-apache-roller-flaw-allows-to-retain-unauthorized-access-even-after-a-password-change.html
- Critical Flaws Fixed In Nagios Log Server
"The Nagios Security Team has fixed three critical vulnerabilities affecting popular enterprise log management and analysis platform Nagios Log Server."
https://www.helpnetsecurity.com/2025/04/15/critical-flaws-fixed-in-nagios-log-server/
Malware
- Unmasking APT29: The Sophisticated Phishing Campaign Targeting European Diplomacy
"Check Point Research (CPR) identified a significant wave of targeted phishing attacks beginning in January 2025. These attacks specifically target government officials and diplomats across Europe, employing sophisticated techniques, tactics, and procedures (TTPs) that closely resemble those associated with a previous phishing campaign called Wineloader, which was previously connected to APT29, a Russia-linked threat actor."
https://blog.checkpoint.com/research/unmasking-apt29-the-sophisticated-phishing-campaign-targeting-european-diplomacy/
https://research.checkpoint.com/2025/apt29-phishing-campaign/
https://www.bleepingcomputer.com/news/security/midnight-blizzard-deploys-new-grapeloader-malware-in-embassy-phishing/
https://www.darkreading.com/cyberattacks-data-breaches/wine-inspired-phishing-eu-diplomats
- UNC5174’s Evolution In China’s Ongoing Cyber Warfare: From SNOWLIGHT To VShell
"After a year of operating under the radar, the Sysdig Threat Research Team (TRT) identified a new campaign from Chinese state-sponsored threat actor UNC5174. We found that the threat actor was using a new open source tool and command and control (C2) infrastructure in late January 2025. We first discovered a malicious bash script responsible for downloading multiple executable files for persistence. One of the binaries downloaded is a variant of UNC5174’s SNOWLIGHT malware, previously identified by Mandiant in a campaign against F5 devices and recently mentioned in the French Cyber Threat Overview report released in March 2025 by the French National Agency for Information Systems Security (ANSSI)."
https://sysdig.com/blog/unc5174-chinese-threat-actor-vshell/
https://thehackernews.com/2025/04/chinese-hackers-target-linux-systems.html
https://www.darkreading.com/cyberattacks-data-breaches/china-threat-actor-unc5174-open-source-stealthy-attacks
https://www.bankinfosecurity.com/chinese-hackers-deploy-stealthy-fileless-vshell-rat-a-28012
https://cyberscoop.com/chinese-espionage-group-unc5174-open-source-tools/
https://www.theregister.com/2025/04/15/chinese_spies_backdoored_us_orgs/
- NVISO Analyzes BRICKSTORM Espionage Backdoor
"NVISO recently identified new information related to BRICKSTORM, a backdoor linked to the China-nexus cluster UNC5221. Through its Digital Forensics & Incident Response activities, NVISO observed BRICKSTORM's usage as part of an active espionage campaign targeting European industries since at least 2022."
https://www.nviso.eu/blog/nviso-analyzes-brickstorm-espionage-backdoor
https://www.bankinfosecurity.com/european-companies-infected-new-chinese-nexus-backdoor-a-28009
- From Shadow To Spotlight: The Evolution Of LummaStealer And Its Hidden Secrets
"This article is a continuation of the previous research published on the malware LummaStealer: "Your Data Is Under New Lummanagement: The Rise of LummaStealer". LummaStealer (aka LummaC2, Lummac, and Lumma Stealer) is a sophisticated malware that is spread as Malware-as-a-Service (MaaS). It was originally observed in 2022 and known to be developed by Russian-speaking adversaries. It targets a wide range of Windows systems. The developers of LummaStealer have shown a lot of agility to ensure their malware remains undetected and that the potential host-based detection rules put in place for a given sample do not apply to the new ones."
https://www.cybereason.com/blog/threat-analysis-lummastealer-2.0
- Hacktivists Target Critical Infrastructure, Move Into Ransomware
"According to a new Cyble report, hacktivists are increasingly moving beyond traditional activities like DDoS attacks and website defacements into more sophisticated critical infrastructure and ransomware attacks. In a report for clients, Cyble said hacktivism has “transformed into a complex instrument of hybrid warfare” with the rise of groups that have adopted more sophisticated attack techniques more typically associated with nation-state actors and financially motivated threat groups."
https://cyble.com/blog/hacktivists-infrastructure-move-into-ransomware/
- Multi-Stage Phishing Attack Exploits Gamma, An AI-Powered Presentation Tool
"AI-powered content generation platforms are reshaping how we work—and how threat actors launch attacks. In this newly uncovered campaign, attackers weaponize Gamma, a relatively new AI-based presentation tool, to deliver a link to a fraudulent Microsoft SharePoint login portal. Capitalizing on the fact that employees may not be as familiar with the platform (and thus not aware of its potential for exploitation), threat actors create a phishing flow so polished it feels legitimate at every step."
https://abnormalsecurity.com/blog/multi-stage-phishing-attack-gamma-presentation
https://www.darkreading.com/threat-intelligence/ai-powered-presentation-tool-leveraged-phishing-attacks
- “Follow Me” To This Fake Crypto Exchange To Claim $500
"A type of crypto scam that we reported about in 2024 has ported over to a new platform and changed tactics—a bit. Where the old scams mostly reached me on WhatsApp, the same group of scammers is now using Direct Messages on X. However, the same old trick of “accidentally” sending you login details to a supposedly well-funded financial account is still being used by at least one cybercriminal gang."
https://www.malwarebytes.com/blog/news/2025/04/follow-me-to-this-fake-crypto-exchange-to-claim-500
- Byte Bandits: How Fake PDF Converters Are Stealing More Than Just Your Documents
"What looks like a harmless online file conversion could be a trap set by cybercriminals. CloudSEK’s latest investigation uncovers a stealthy malware campaign where fake PDF-to-DOCX converters, mimicking the popular PDFCandy.com, trick users into running malicious PowerShell commands. The endgame? A powerful information stealer that hijacks browser credentials, crypto wallets, and more. Dive into our detailed breakdown of this social engineering scam, its technical anatomy, and how to stay a step ahead of such byte bandits."
https://www.cloudsek.com/blog/byte-bandits-how-fake-pdf-converters-are-stealing-more-than-just-your-documents
https://hackread.com/fake-pdfcandy-websites-spread-malware/
- Attack Upgraded: Disclosure Of DarkHotel Organization's Latest RPC Attack Components
"The DarkHotel organization was disclosed by foreign security vendors in 2014, reportedly dating back to 2010. The group got its name from targeting business executives and state dignitaries staying in luxury hotels. Their attack targets range across China, North Korea, Japan, Myanmar, India, and a few European countries, and they are considered an APT group with a Korean Peninsula government background. In recent years, we have observed that their attack targets have moved beyond the hotel industry represented by the DarkHotel name, now including foreign trade, government agencies, research institutions, military industries, and other sectors, making them one of the APT groups that frequently launch attacks against neighboring countries in recent years."
https://paper.seebug.org/3315/
Breaches/Hacks/Leaks
- Infamous Message Board 4chan Taken Down Following Major Hack
"4chan, an infamous online forum, was taken offline earlier today after what appears to be a significant hack and has since been loading intermittently. Members of the Soyjak.party imageboard (also known as The Party) have since claimed to be behind the attack. They also leaked screenshots of admin panels and a list of emails allegedly belonging to 4chan admins, moderators, and janitors (less privileged mods who help moderate the forums)."
https://www.bleepingcomputer.com/news/security/infamous-message-board-4chan-taken-down-following-major-hack/
https://hackread.com/4chan-breached-soyjak-forum-hacker-source-code-leak/
https://www.theregister.com/2025/04/15/4chan_breached/
- Landmark Admin Data Breach Impact Now Reaches 1.6 Million People
"Landmark Admin has issued an update to its investigation of a cyberattack it suffered in May 2024, increasing the number of impacted individuals to 1.6 million. Landmark is a Texas-based third-party administrator (TPA) handling policy accounting, regulatory reporting, reinsurance support, and IT systems for major insurers nationwide like Liberty Bankers Life and American Benefit Life. In October 2024, the company warned that it detected suspicious activity on its networks on May 13th, 2024."
https://www.bleepingcomputer.com/news/security/landmark-admin-data-breach-impact-now-reaches-16-million-people/
https://www.securityweek.com/2-6-million-impacted-by-landmark-admin-young-consulting-data-breaches/
https://www.theregister.com/2025/04/15/landmark_admin_data_loss/
- Texas Pediatric Orthopedics Clinic Says Hack Affects 140,000
"Ransomware group Qilin posted at least 42 gigabytes of data stolen from a Texas pediatric orthopedic practice for sale on its darkweb leak site in February. In recent days, Central Texas Pediatric Orthopedics began notifying more than 140,000 people that their data was compromised by hackers."
https://www.bankinfosecurity.com/texas-pediatric-orthopedics-clinic-says-hack-affects-140000-a-28010
- Millions Of Documents & UK Healthcare Workers’ PII Exposed In Staff Management Software Data Breach
"Cybersecurity Researcher, Jeremiah Fowler, discovered and reported to vpnMentor about a non-password-protected database that contained nearly 8 million records belonging to a UK-based software company that facilitates employee data management, compliance, timesheets, and payroll."
https://www.vpnmentor.com/news/report-logezy-breach/
https://hackread.com/uk-software-firm-exposed-healthcare-worker-records/
General News
- China Pursuing 3 Alleged US Operatives Over Cyberattacks During Asian Games
"China said Tuesday it is pursuing three alleged U.S. operatives accused of carrying out cyberattacks on Chinese infrastructure during the Asian Games held in the city of Harbin in February. A notice from the Harbin police headquarters named them as Katheryn A. Wilson, Robert J. Snelling, and Stephen W. Johnson and said they worked through the National Security Agency. The police said nothing about how they obtained the names or where the three were believed to be at present."
https://www.securityweek.com/china-pursuing-3-alleged-us-operatives-over-cyberattacks-during-asian-games/
https://therecord.media/china-accuses-nsa-hack-asian-winter-games
https://www.itnews.com.au/news/china-accuses-us-of-launching-advanced-cyberattacks-616592
https://cyberscoop.com/chinese-law-enforcement-places-nsa-operatives-on-wanted-list-over-alleged-cyberattacks/
https://www.theregister.com/2025/04/15/china_nsa_winter_games/
- MITRE Impact Report 2024: Strengthening Threat-Informed Defenses
"In today’s volatile cyberthreat landscape, clarity can be as elusive as it is essential. Cyber defenders face adversaries who adapt and hide effortlessly; and the difference between a secure environment and one that opens the door to a vulnerability often hinges on how well we understand those adversaries."
https://www.fortinet.com/blog/industry-trends/mitre-impact-report-2024-strengthening-threat-informed-defenses
- Encrypted App Intelligence Exposes Sprawling Criminal Networks Across Europe
"Law enforcement authorities across Europe and Türkiye have dismantled four major criminal networks responsible for fuelling the flow of drugs into the EU and Türkiye, following a series of coordinated raids supported by Europol. These results were made possible by the continued exploitation of encrypted communication platforms, including Sky ECC and ANOM, which remain powerful tools in the hands of investigators."
https://www.europol.europa.eu/media-press/newsroom/news/encrypted-app-intelligence-exposes-sprawling-criminal-networks-across-europe
https://hackread.com/operation-bulut-encrypted-chats-sky-ecc-anom-arrests/
- Cybercriminal Groups Embrace Corporate Structures To Scale, Sustain Operations
"In this Help Net Security interview, Sandy Kronenberg, CEO of Netarx, discusses how cybercriminal groups are adopting corporate structures and employee incentives to scale operations, retain talent, and evade detection. He covers the strategic collaborations behind major attacks, business-like parallels, and the implications of these shifts as these groups grow more sophisticated."
https://www.helpnetsecurity.com/2025/04/15/sandy-kronenberg-netarx-cybercriminal-groups-corporate-structures/
- Key Takeaways From The State Of Pentesting Report 2025
"At Cobalt, we conduct over 5,000 pentests annually, a number that is growing every year, across web, API, LLM, network, and cloud tests. This vast set of data and learnings gives us unique insight that we analyze to produce industry-leading research. The result is our State of Pentesting Report 2025, which we released today. This is the seventh year we’ve produced this report, and we’ve come a long way since our first State of Pentesting Report in 2019. For the 2025 report we looked back further than the past year to go all the way back to 2015, aggregating 10 years of data, so we could more thoroughly study trends."
https://www.cobalt.io/blog/key-takeaways-state-of-pentesting-report-2025
https://resource.cobalt.io/state-of-pentesting-2025
https://www.infosecurity-magazine.com/news/organizations-fix-half/
https://www.helpnetsecurity.com/2025/04/15/regular-pentesting-strategy-for-organizations/
- Bot Traffic Overtakes Human Activity As Threat Actors Turn To AI
"Automated traffic now accounts for the majority of activity on the web, with the share of bad bot traffic surging from 32% to 37% annually last year, according to Thales. The French defense giant’s 2025 Imperva Bad Bot Report is now in its 12th year, and based as always on data collected by Imperva’s global network, which apparently blocked 13 trillion bad bot requests across thousands of domains and industries last year."
https://www.infosecurity-magazine.com/news/bot-traffic-human-activity-threat/
https://www.imperva.com/resources/resource-library/reports/2025-bad-bot-report/
https://www.darkreading.com/vulnerabilities-threats/ai-bad-bots-are-taking-over-web
- LabHost Phishing Mastermind Sentenced To 8.5 Years
"A Huddersfield man has been handed an eight-and-a-half-year sentence for masterminding what became one of the world’s largest phishing-as-a-service (PhaaS) platforms. Zak Coyne, 23, of Woodbine Road, Huddersfield, was sentenced in Manchester Crown Court on Monday after admitting his crimes in September 2024. These included: making or supplying articles for use in frauds; encouraging or assisting the commission of an offense believing it would be committed; and transferring criminal property."
https://www.infosecurity-magazine.com/news/labhost-phishing-mastermind/
- CISO Conversations: Maarten Van Horenbeeck, SVP & Chief Security Officer At Adobe
"Maarten Van Horenbeeck was inspired by a movie – he watched WarGames as a child. He became fascinated by the potential of interconnected, communicating computers and the security issues that come with them. “Deep inside, I immediately felt this is what I would do,” he said, “it really motivated me. When I got a bit older, I realized there’s a whole community of people finding and exploiting security bugs, and another community finding and fixing them. It just drew me in, and I’ve never really done anything else since I started my very first job.”"
https://www.securityweek.com/ciso-conversations-maarten-van-horenbeeck-svp-chief-security-officer-at-adobe/
- Majority Of Browser Extensions Can Access Sensitive Enterprise Data, New Report Finds
"Everybody knows browser extensions are embedded into nearly every user's daily workflow, from spell checkers to GenAI tools. What most IT and security people don't know is that browser extensions' excessive permissions are a growing risk to organizations. LayerX today announced the release of the Enterprise Browser Extension Security Report 2025. This report is the first and only report to merge public extension marketplace statistics with real-world enterprise usage telemetry. By doing so, it sheds light on one of the most underestimated threat surfaces in modern cybersecurity: browser extensions."
https://thehackernews.com/2025/04/majority-of-browser-extensions-can.html
https://go.layerxsecurity.com/enterprise-browser-extension-security-report-2025
- ZDI-23-1527 And ZDI-23-1528: The Potential Impact Of Overly Permissive SAS Tokens On PC Manager Supply Chains
"In this blog entry, we look at overly permissive cloud service credentials in Microsoft’s public-facing assets and assess their potential implications on software supply chain and software integrity. We do this by exploring two scenarios involving PC Manager, a tool designed to help optimize and manage Windows computers. PC Manager includes features for cleaning up temporary files, managing startup programs, monitoring system health, and improving overall performance, and aims to provide users with a straightforward method for maintaining their machine’s efficiency and security."
https://www.trendmicro.com/en_us/research/25/d/zdi-23-1527-and-zdi-23-1528-the-potential-impact-of-overly-permi.html
- Attacks On The Education Sector Are Surging: How Can Cyber-Defenders Respond?
"We all want the best possible education for our children. But even the best-laid plans can come unstuck when confronted with an agile, persistent and devious adversary. Nation state-aligned actors and cybercriminals represent one of the biggest threats to schools, colleges and universities today. The education sector was the third-most targeted in Q2 2024, according to Microsoft. And ESET threat researchers have observed sophisticated APT groups targeting institutions across the globe. In the period from April to September 2024, the education sector was in the top three most attacked industries by China-aligned APT groups, the top two for North Korea, and in the top six both for Iran- and Russia-aligned actors."
https://www.welivesecurity.com/en/business-security/attacks-education-sector-surging-cyber-defenders-respond/
- MITRE Warns Of Lapse With CVE Program As Contract With US Set To Expire
"The MITRE Corporation said on Tuesday that its stewardship of the CVE program — which catalogs all public cybersecurity vulnerabilities — may be ending this week because the federal government has decided not to renew its contract with the nonprofit. Yosry Barsoum, MITRE’s vice president and director of the Center for Securing the Homeland, told Recorded Future News in a statement that on Wednesday, April 16, funding to “develop, operate, and modernize the [CVE] Program and related programs, such as the Common Weakness Enumeration (CWE) Program, will expire.”"
https://therecord.media/mitre-warns-of-cve-program-lapse-contract-expires
https://www.securityweek.com/mitre-signals-potential-cve-program-deterioration-as-us-gov-funding-expires/
https://www.theregister.com/2025/04/16/homeland_security_funding_for_cve/
References
Electronic Transactions Development Agency (ETDA) - CISA Releases Nine Industrial Control Systems Advisories
-
Cyber Threat Intelligence 15 April 2025
New Tooling
- PentestGPT – AI-Powered Penetration Testing Assistant
"PentestGPT is a new AI-driven tool that acts as a virtual penetration testing assistant. Released in 2024 by a security researcher (GreyDGL), it leverages OpenAI’s GPT-4 model to interactively guide penetration testers through hacking tasks. In simple terms, PentestGPT lets you have a “ChatGPT-like” conversation where it suggests recon steps, exploitation commands, and even helps analyze results during a pentest."
https://www.darknet.org.uk/2025/04/pentestgpt-ai-powered-penetration-testing-assistant/
https://github.com/GreyDGL/PentestGPT
- Tirreno: Open-Source Fraud Prevention Platform
"Tirreno is an open-source fraud prevention platform designed as a universal analytics tool to monitor online platforms, web applications, SaaS products, digital communities, mobile apps, intranets, and e-commerce websites. “Our aim is to liberate online fraud protection technologies, making them widely available for organizations of any size. Tirreno is designed to be as easy to set up as typical website analytics tools. Unlike most cyberfraud prevention services, Tirreno is not solely focused on transactions or e-commerce. Instead, it can provide protection for any user-facing web application,” Olga Degros, the project’s founder, told Help Net Security."
https://www.helpnetsecurity.com/2025/04/14/tirreno-open-source-fraud-prevention-platform/
https://github.com/TirrenoTechnologies/tirreno
Malware
- CVE-2025-30406 - Critical Gladinet CentreStack & Triofox Vulnerability Exploited In The Wild
"On Friday, 11 April 2025, the Huntress SOC received an alert from one of our own internal detectors known to catch 0-day exploitation. While this is a simple detection to see suspicious outbound connections from an irregular child process, it indicates there may be more to uncover against the software served by the web service worker. In this case, the suspect software was Gladinet CentreStack, which was just recently added to CISA’s Known Exploited Vulnerabilities database with CVE-2025-30406. At the time of writing, Huntress has seen seven different organizations compromised via this attack vector."
https://www.huntress.com/blog/cve-2025-30406-critical-gladinet-centrestack-triofox-vulnerability-exploited-in-the-wild
https://www.securityweek.com/huntress-documents-in-the-wild-exploitation-of-critical-gladinet-vulnerabilities/
- Goodbye HTA, Hello MSI: New TTPs And Clusters Of An APT Driven By Multi-Platform Attacks
"Seqrite Labs APT team has uncovered new tactics of Pakistan-linked SideCopy APT deployed since the last week of December 2024. The group has expanded its scope of targeting beyond Indian government, defence, maritime sectors, and university students to now include entities under railway, oil & gas, and external affairs ministries. One notable shift in recent campaigns is the transition from using HTML Application (HTA) files to adopting Microsoft Installer (MSI) packages as a primary staging mechanism."
https://www.seqrite.com/blog/goodbye-hta-hello-msi-new-ttps-and-clusters-of-an-apt-driven-by-multi-platform-attacks/
https://thehackernews.com/2025/04/pakistan-linked-hackers-expand-targets.html
- New Malware Variant Identified: ResolverRAT Enters The Maze
"ResolverRAT is a newly identified remote access trojan that combines advanced in-memory execution, API and resource resolution at runtime, and layered evasion techniques. Morphisec researchers have coined it ‘Resolver’ due to its heavy reliance on runtime resolution mechanisms and dynamic resource handling, which make static and behavioral analysis significantly more difficult."
https://www.morphisec.com/blog/new-malware-variant-identified-resolverrat-enters-the-maze/
https://www.bleepingcomputer.com/news/security/new-resolverrat-malware-targets-pharma-and-healthcare-orgs-worldwide/
https://thehackernews.com/2025/04/resolverrat-campaign-targets-healthcare.html
https://www.darkreading.com/cloud-security/it-rat-stealthy-resolver-malware
https://www.infosecurity-magazine.com/news/malware-resolverrat-targets/
https://www.securityweek.com/new-resolverrat-targeting-healthcare-pharmaceutical-organizations/
https://securityaffairs.com/176537/malware/new-malware-resolverrat-targets-healthcare-pharmaceutical-firms.html
- Possible Russian Hackers Targeted UK Ministry Of Defense
"A phishing campaign wielding malware previously associated with Russian-speaking hackers targeted the U.K. Ministry of Defense in late 2024, the British government said Friday. Hackers spear-phished civil servants with emails purporting to originate from a news organization, later also deploying financially themed bait that directed users to a commercial file sharing site. The ministry and the National Cyber Security Centre disclosed the campaign on Friday. Anyone who clicked on the links in the phishing emails ultimately ended up with a malicious downloader known as Damascened Peacock on their computer, they said."
https://www.bankinfosecurity.com/possible-russian-hackers-targeted-uk-ministry-defense-a-27993
https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/damascened-peacock/ncsc-mar-damascened-peacock.pdf
- DOGE “Big Balls” Ransomware And The False Connection To Edward Coristine
"A recent ransomware operation has revealed a blend of technical sophistication and psychological manipulation, setting it apart from conventional attacks. Disguised under a finance-themed ZIP file, the campaign employs deceptive shortcut files and multi-stage PowerShell scripts to deliver custom payloads, including a kernel-mode exploit tool and reconnaissance modules. This layered approach allows attackers to gather in-depth system data while evading conventional defenses."
https://cyble.com/blog/doge-big-balls-ransomware-edward-coristine/
- Nice Chatting With You: What Connects Cheap Android Smartphones, WhatsApp And Cryptocurrency Theft?
"Every year, cryptocurrencies become more and more common as a payment method. According to the data for 2023, in developed countries about 20% of the population has at some time used such a means of payment, and in developing countries, where the banking sector does not meet the needs of the population, the number of cryptocurrency users is even higher. In cryptocurrency adoption rankings, Russia is among the top ten countries in terms of number of users. Anonymity, fast transactions, global accessibility and low transfer fees are the main advantages that attract ordinary users."
https://news.drweb.com/show/?i=15002&lng=en
https://hackread.com/pre-installed-malware-cheap-android-phones-crypto-fake-whatsapp/
- BPFDoor’s Hidden Controller Used Against Asia, Middle East Targets
"The stealthy rootkit-like malware known as BPFDoor (detected as Backdoor.Linux.BPFDOOR) is a backdoor with strong stealth capabilities, most of them related to its use of Berkeley Packet Filtering (BPF). In a previous article, we covered how BPFDoor and BPF-enabled malware work. BPF is a technology for executing code in the operating system’s kernel virtual machine. It has been around for more than 20 years and received a lot of attention after 2014 when the eBPF (short for extended BPF at the time) was released."
https://www.trendmicro.com/en_us/research/25/d/bpfdoor-hidden-controller.html
- Slow Pisces Targets Developers With Coding Challenges And Introduces New Customized Python Malware
"Slow Pisces (aka Jade Sleet, TraderTraitor, PUKCHONG) is a North Korean state-sponsored threat group primarily focused on generating revenue for the DPRK regime, typically by targeting large organizations in the cryptocurrency sector. This article analyzes their campaign that we believe is connected to recent cryptocurrency heists. In this campaign, Slow Pisces engaged with cryptocurrency developers on LinkedIn, posing as potential employers and sending malware disguised as coding challenges. These challenges require developers to run a compromised project, infecting their systems using malware we have named RN Loader and RN Stealer."
https://unit42.paloaltonetworks.com/slow-pisces-new-custom-malware/
Breaches/Hacks/Leaks
- Govtech Giant Conduent Confirms Client Data Stolen In January Cyberattack
"American business services giant and government contractor Conduent disclosed today that client data was stolen in a January 2025 cyberattack. Conduent is a business services company that provides digital platforms and solutions for government and commercial clients in transportation, healthcare, customer experience, and human resources. The company has over 33,000 employees and provides services to half of Fortune 100 companies and over 600 government and transportation agencies."
https://www.bleepingcomputer.com/news/security/govtech-giant-conduent-confirms-client-data-stolen-in-january-cyberattack/
- Kidney Dialysis Firm DaVita Hit By Weekend Ransomware Attack
"Kidney dialysis firm DaVita disclosed Monday it suffered a weekend ransomware attack that encrypted parts of its network and impacted some of its operations. DaVita is a major provider of kidney care services in the United States, operating over 2,600 outpatient treatment centers that provide dialysis to those suffering from kidney disease. It is a Fortune 500 organization with 76,000 employees in 12 countries and an annual revenue that surpasses $12.8 billion."
https://www.bleepingcomputer.com/news/security/kidney-dialysis-firm-davita-hit-by-weekend-ransomware-attack/
https://therecord.media/davita-kidney-dialysis-company-ransomware-attack
https://www.bankinfosecurity.com/ransomware-attack-disrupts-global-dialysis-provider-divita-a-27995
- Insurance Firm Lemonade Says Breach Exposed Driver’s License Numbers
"A recent data breach at the insurance firm Lemonade exposed the driver’s license numbers of thousands of people over the course of 17 months. The New York-based company began sending breach notification letters in multiple states last week following the discovery of an incident in 2023 and 2024 involving its online application process. Users typically enter their name and address into the Lemonade insurance policy application and a third-party vendor automatically populates a person’s driver’s license number."
https://therecord.media/lemonade-insrance-breach-numbers-license
- Hertz Confirms Customer Info, Drivers' Licenses Stolen In Data Breach
"Car rental giant Hertz Corporation warns it suffered a data breach after customer data for its Hertz, Thrifty, and Dollar brands was stolen in the Cleo zero-day data theft attacks. "On February 10, 2025, we confirmed that Hertz data was acquired by an unauthorized third party that we understand exploited zero-day vulnerabilities within Cleo's platform in October 2024 and December 2024," reads the Hertz data breach notification."
https://www.bleepingcomputer.com/news/security/hertz-confirms-customer-info-drivers-licenses-stolen-in-data-breach/
General News
- Sector By Sector: How Data Breaches Are Wrecking Bottom Lines
"Data breaches are rising across industries, hitting healthcare, finance, and retail especially hard. The damage goes beyond lost data, as it’s financial, operational, and reputational. A recent report conducted by the Ponemon Institute found that third-party data breaches have severe consequences across critical sectors, with data theft and loss posing the greatest risk. Each industry faces different costs and risks. Understanding these differences helps organizations prepare. Hospitals may face regulatory fines and a loss of patient trust. Banks risk customer attrition and increased scrutiny from regulators."
https://www.helpnetsecurity.com/2025/04/14/data-breaches-costs/
- Organizations Can’t Afford To Be Non-Compliant
"Non-compliance can cost organizations 2.71 times more than maintaining compliance programs, according to Secureframe. That’s because non-compliance can result in business disruption, productivity losses, fines, penalties, and settlement costs, among other factors that come with a hefty price tag. Even data breaches are more expensive if an organization is non-compliant."
https://www.helpnetsecurity.com/2025/04/14/regulatory-non-compliance-penalties/
- The Quiet Data Breach Hiding In AI Workflows
"As AI becomes embedded in daily business workflows, the risk of data exposure increases. Prompt leaks are not rare exceptions. They are a natural outcome of how employees use large language models. CISOs cannot treat this as a secondary concern. To reduce risk, security leaders should focus on policy, visibility, and culture. Set clear rules about what data can and cannot be entered into AI systems. Monitor usage to identify shadow AI before it becomes a problem. Make sure employees understand that convenience should not override confidentiality."
https://www.helpnetsecurity.com/2025/04/14/quiet-data-breach-ai-workflows/
- SSL/TLS Certificate Lifespans Reduced To 47 Days By 2029
"The CA/Browser Forum has voted to significantly reduce the lifespan of SSL/TLS certificates over the next 4 years, with a final lifespan of just 47 days starting in 2029. The CA/Browser Forum is a group of certificate authorities (CAs) and software vendors, including browser developers, working together to establish and maintain security standards for digital certificates used in Internet communications. Its members include major CAs like DigiCert and GlobalSign, as well as browser vendors such as Google, Apple, Mozilla, and Microsoft."
https://www.bleepingcomputer.com/news/security/ssl-tls-certificate-lifespans-reduced-to-47-days-by-2029/
https://www.infosecurity-magazine.com/news/digital-certificate-lifespans-fall/
https://www.theregister.com/2025/04/14/ssl_tls_certificates/
- Cybersecurity Firm Buying Hacker Forum Accounts To Spy On Cybercriminals
"Swiss cybersecurity firm Prodaft has launched a new initiative called 'Sell your Source' where the company purchases verified and aged accounts on hacking forums to spy on cybercriminals. The goal is to use these accounts to infiltrate cybercrime spaces and communities, collecting valuable intelligence that could lead to the exposure of malicious operations and platforms. "As a threat intelligence company, we specialize in obtaining visibility into the infrastructures of cybercriminals, searching for patterns, tactics, techniques, and procedures that help us understand adversarial networks and detect and mitigate potential cyberattacks," explains Prodaft."
https://www.bleepingcomputer.com/news/security/cybersecurity-firm-buying-hacker-forum-accounts-to-spy-on-cybercriminals/
https://sys.prodaft.com/
https://www.darkreading.com/threat-intelligence/threat-intel-firm-crypto-dark-web-accounts
https://www.infosecurity-magazine.com/news/prodaft-buy-dark-web-cybercrime/
- Google Cloud: China Achieves “Cyber Superpower” Status
"China has reached a “cyber superpower” status, which makes it extremely challenging to stop, according to Sandra Joyce, Vice President of Google Threat Intelligence Group. Speaking to the press during the Google Cloud Next 2025 event, Joyce said that we are looking at a major increase in China’s cyber capability. This includes an ongoing growth in zero-day vulnerability exploitations in the wild by Chinese state hackers, which has risen exponentially since 2021."
https://www.infosecurity-magazine.com/news/google-cloud-china-cyber/
https://www.darkreading.com/threat-intelligence/chinese-apt-exploit-edr-visibility-gap-cyber-espionage
Reference
Electronic Transactions Development Agency (ETDA)
- PentestGPT – AI-Powered Penetration Testing Assistant
-
Cyber Threat Intelligence 14 April 2025
Vulnerabilities
- CVE-2025-27520 Critical RCE In BentoML Has Fewer Affected Versions Than Reported
"A critical Remote Code Execution (RCE) vulnerability, CVE-2025-27520 with a CVSSv3 base score of 9.8, has been recently discovered in BentoML, an AI service helper Python library found on PyPI. This flaw allows unauthenticated attackers to execute arbitrary code by sending malicious data payloads as requests and potentially take control of the server. While the advisory specifies versions from 1.3.4 through 1.4.2 as affected, Checkmarx Zero’s analysis indicates that this issue affects versions 1.3.8 through 1.4.2 (see below for details). It is recommended that affected adopters upgrade to version 1.4.3 or later to repair the issue."
https://checkmarx.com/zero-post/bentoml-rce-fewer-affected-versions-cve-2025-27520/
https://hackread.com/bentoml-vulnerability-remote-code-execution-ai-servers/
- 10 Bugs Found In Perplexity AI's Chatbot Android App
"Researchers have identified ten security issues in the research-oriented AI chatbot Perplexity. Perplexity was released one week after ChatGPT, right as the maelstrom around artificial intelligence (AI) chatbots began, in late 2022. From the beginning, it distinguished itself for its accuracy — providing users with deeply researched answers with citations to queries."
https://www.darkreading.com/application-security/11-bugs-found-perplexity-chatbots-android-app
- Rapid7 Reveals RCE Path In Ivanti VPN Appliance After Silent Patch Debacle
"Security researchers at Rapid7 are publicly documenting a path to remote code execution of a critical flaw in Ivanti’s Connect Secure VPN appliances, ramping up the urgency for organizations to apply available patches. The publication of exploit code comes less than a week after Mandiant flagged in-the-wild exploitation of the Ivanti bug (CVE-2025-22457) by a Chinese hacking gang notorious for hacking into edge network devices."
https://www.securityweek.com/rapid7-reveals-rce-path-in-ivanti-vpn-appliance-after-silent-patch-debacle/
https://attackerkb.com/topics/0ybGQIkHzR/cve-2025-22457/rapid7-analysis
Malware
- How Cyberattackers Exploit Domain Controllers Using Ransomware
"In recent years, human-operated cyberattacks have undergone a dramatic transformation. These attacks, once characterized by sporadic and opportunistic attacks, have evolved into highly sophisticated, targeted campaigns aimed at causing maximum damage to organizations, with the average cost of a ransomware attack reaching $9.36 million in 2024. A key catalyst to this evolution is the rise of ransomware as a primary tool for financial extortion—an approach that hinges on crippling an organization’s operations by encrypting critical data and demanding a ransom for its release."
https://www.microsoft.com/en-us/security/blog/2025/04/09/how-cyberattackers-exploit-domain-controllers-using-ransomware/
https://www.bankinfosecurity.com/ransomware-hackers-target-active-directory-domain-controllers-a-27981
- Malicious NPM Packages Targeting PayPal Users
"FortiGuard Labs’ AI-driven OSS malware detection system has recently discovered a series of malicious NPM packages designed to steal sensitive information from compromised systems. These packages are believed to have been created between March 5 and March 14 by a threat actor known as tommyboy_h1 and tommyboy_h2 to target PayPal users."
https://www.fortinet.com/blog/threat-research/malicious-npm-packages-targeting-paypal-users
- Storm-2372: Russian APT Using Device Code Phishing In Advanced Attacks
"A newly uncovered cyber campaign led by the Russian state-backed group Storm-2372 is exploiting device code phishing to bypass Multi-Factor Authentication (MFA) and infiltrate high-value targets. This highly targeted tactic represents an escalation in the use of social engineering to defeat even advanced security systems. The campaign underlines the critical need for modern organizations to embrace adaptive, context-aware defense mechanisms to counter identity-based threats that are increasingly evading conventional protections."
https://socradar.io/storm-2372-russian-apt-using-device-code-phishing-in-advanced-attacks/
https://hackread.com/russia-storm-2372-hit-mfa-bypass-device-code-phishing/
- Stolen With a Click: The Booming Business Of PayPal Scams
"In today’s digital age, online payment platforms like PayPal have become essential tools for our everyday transactions. Unfortunately, they’ve also become prime targets for cybercriminals looking to steal personal information and money. McAfee Labs has uncovered a concerning trend with a spike in PayPal-related scams, with February 2025 seeing a dramatic seven-fold increase in fraudulent emails compared to January."
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/stolen-with-a-click-the-booming-business-of-paypal-scams/
- Palo Alto Networks Warns Of Brute-Force Attempts Targeting PAN-OS GlobalProtect Gateways
"Palo Alto Networks has revealed that it's observing brute-force login attempts against PAN-OS GlobalProtect gateways, days after threat hunters warned of a surge in suspicious login scanning activity targeting its appliances. "Our teams are observing evidence of activity consistent with password-related attacks, such as brute-force login attempts, which does not indicate exploitation of a vulnerability," a spokesperson for the company told The Hacker News. "We continue to actively monitor this situation and analyze the reported activity to determine its potential impact and identify if mitigations are necessary.""
https://thehackernews.com/2025/04/palo-alto-networks-warns-of-brute-force.html
https://securityaffairs.com/176446/hacking/brute-force-login-attempts-on-pan-os-globalprotect.html
- Tycoon2FA New Evasion Technique For 2025
"The Tycoon 2FA phishing kit has adopted several new evasion techniques aimed at slipping past endpoints and detection systems. These include using a custom CAPTCHA rendered via HTML5 canvas, invisible Unicode characters in obfuscated JavaScript, and anti-debugging scripts to thwart inspection. This blog takes a closer look at these methods to better understand how this kit is evolving and what defenders should be aware of."
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/tycoon2fa-new-evasion-technique-for-2025/
https://www.bleepingcomputer.com/news/security/tycoon2fa-phishing-kit-targets-microsoft-365-with-new-tricks/
Breaches/Hacks/Leaks
- Western Sydney University Discloses Security Breaches, Data Leak
"Western Sydney University (WSU) announced two security incidents that exposed personal information belonging to members of its community. WSU is a prominent Australian institution offering various undergraduate, postgraduate, and research programs across multiple disciplines. It serves a student body of 47,000 and employs over 4,500 permanent and seasonal staff, operating with an annual budget of approximately $600 million."
https://www.bleepingcomputer.com/news/security/western-sydney-university-discloses-security-breaches-data-leak/
- US Lab Testing Provider Exposed Health Data Of 1.6 Million People
"Laboratory Services Cooperative (LSC) has released a statement informing it suffered a data breach where hackers stole sensitive information of roughly 1.6 million people from its systems. LSC is a Seattle-based nonprofit organization that provides centralized laboratory services to its member affiliates, including select Planned Parenthood centers. It plays a crucial role within its niche, supporting organizations in the reproductive health services across more than 35 U.S. states, handling sensitive lab testing, billing, and personal data."
https://www.bleepingcomputer.com/news/security/us-lab-testing-provider-exposed-health-data-of-16-million-people/
https://therecord.media/lab-provider-planned-parenthood-breach
https://www.bankinfosecurity.com/medical-lab-hack-affects-planned-parenthood-patients-a-27980
https://www.securityweek.com/1-6-million-people-impacted-by-data-breach-at-laboratory-services-cooperative/
https://securityaffairs.com/176451/data-breach/laboratory-services-cooperative-data-breach.html
- Ransomware Attack Cost IKEA Operator In Eastern Europe $23 Million
"Fourlis Group, the operator of IKEA stores in Greece, Cyprus, Romania, and Bulgaria, has informed that the ransomware attack it suffered just before Black Friday on November 27, 2024, caused losses estimated to €20 million ($22.8 million). The security incident became public on December 3, 2024, when the group admitted that the technical problems IKEA online shops were facing were due to “malicious external action.” Although the company also operates Intersport, Foot Locker, and Holland & Barrett shops in the said countries, the impact of the attack affected mainly IKEA business operations."
https://www.bleepingcomputer.com/news/security/ransomware-attack-cost-ikea-operator-in-eastern-europe-23-million/
- No Need To Hack When It’s Leaking: SavantCare Edition
"Today’s concerning leak is brought to you by SavantCare. The leak was discovered by an independent researcher who first reported it on his blog yesterday. In his report, @JayeLTee states that he found exposed data that included data from SavantCare employee chats. “Over two-thirds of the 308 users on the chat were for SavantCare, a Mental and Behaviour Health Clinic from the United States, and around 30 users were from OVLG (Oak View Law Group),” JayeLTee reported, noting that the chat was likely set up by Grmtech, a digital marketing and SEO company from India."
https://databreaches.net/2025/04/11/no-need-to-hack-when-its-leaking-savantcare-edition/
- SK.com Allegedly Hacked By Qilin
"SK Inc. invests heavily in the U.S. It claims to be investing $50 billion in U.S. businesses, with investment in electric vehicle batteries, life sciences, technology solutions, semiconductors, and sustainable energy. The firm has a presence in more than 20 states at this time. On April 10, Qilin added SK.com to its dark web leak site with a claim that it had exfiltrated more than 1 TB of files from its servers. Qilin did not offer any proof of claims except for one photo of what appeared to be people meeting by video conference with then-President Biden. The background of the photo suggests that it was taken in the West Wing."
https://databreaches.net/2025/04/12/sk-com-allegedly-hacked-by-qilin/
General News
- CISOs Top Order Of Business: Cyber Risk Reduction & Management
"For modern CISOs, cyber risk management and reduction are nonstop challenges. But this blog offers exactly what you need to build a strategy that empowers you to manage and mitigate threats—cutting through the noise of an otherwise demanding role."
https://www.group-ib.com/blog/ciso-risk-management/
- Why Security Culture Is Crypto’s Strongest Asset
"In this Help Net Security interview, Norah Beers, CISO at Grayscale, discusses key security challenges in managing crypto assets, adversary tactics, private key management, and securing both hot and cold wallets."
https://www.helpnetsecurity.com/2025/04/11/norah-beers-grayscale-crypto-asset-management/
- Financial Fraud, With a Third-Party Twist, Dominates Cyber Claims
"While ransomware represented the most costly cyber-insurance claims in 2024, incidents of financial fraud continue to be far more numerous, with both often triggered by security failures at a third-party firm. That insight comes from the latest tranche of cyber-insurance data released this year, this time by cyber-insurance firm At-Bay. Financial fraud — most often following a phishing attack — remained the most common type of cyberattack leading to an insurance claim, according to At-Bay's "2025 InsurSec Report," released this week. While the cyber insurer saw 16% more claims in 2024 than the year before, the overall cost of each incident declined to $166,000, down from $213,000 in 2021."
https://www.darkreading.com/threat-intelligence/financial-fraud-third-party-cyber-claims
https://www.at-bay.com/2025-insursec-report/
https://www.helpnetsecurity.com/2025/04/11/ransomware-incidents-frequency/
- Why Remote Work Is a Security Minefield (and What You Can Do About It)
"Remote work is seen as more than a temporary solution, it’s a long-term strategy for many organizations."
https://www.helpnetsecurity.com/2025/04/11/remote-work-cybersecurity-challenges/
- iOS Devices Face Twice The Phishing Attacks Of Android
"2024 brought about countless new cybersecurity challenges including significant growth of the mobile threat landscape, according to Lookout. Threat actors, ranging from nation-states to individuals, are increasingly targeting mobile devices for the onset of their attacks to steal credentials and infiltrate the enterprise cloud in a pathway known as the modern kill chain. More than ever, organizations of every size across every industry must view mobile targeting as a canary in the coal mine – an early indication that they could be under attack elsewhere in their infrastructure."
https://www.helpnetsecurity.com/2025/04/11/mobile-cybersecurity-challenges/
- Organizations Lack Incident Response Plans, But Answers Are On The Way
"Ransomware attacks are on the rise, data breaches are exposing sensitive information belonging to millions of individuals, and businesses are experiencing significant disruptions to their operations. Yet for many organizations, their incident response (IR) plans are outdated and ineffective at handling the current threats."
https://www.darkreading.com/cyberattacks-data-breaches/shortcomings-improvements-incident-response-plans
- NVD Revamps Operations As Vulnerability Reporting Surges
"After a tumultuous year marked by internal turmoil and a mounting vulnerability backlog, the National Vulnerability Database (NVD) team within the US National Institute of Standards and Technology (NIST) has finally stabilized. However, the NVD is now facing a new challenge: a surge in vulnerability reporting that has sent its backlog soaring, threatening to outpace the team's revitalized efforts. Tanya Brewer, the NVD Program Manager, and Matthew Scholl, Chief of the Computer Security Division at NIST, shared some of NVD’s latest updates on April 10, the final day of VulnCon, an event dedicated to vulnerability management in Raleigh, North Carolina."
https://www.infosecurity-magazine.com/news/nvd-revamps-operations-cve-surge/
- China Admitted To Volt Typhoon Cyberattacks On US Critical Infrastructure: Report
"In a secret meeting that took place late last year between Chinese and American officials, the former confirmed that China had conducted cyberattacks against US infrastructure as part of the campaign known as Volt Typhoon, according to The Wall Street Journal. The meeting took place at a Geneva summit in December and involved members of the outgoing Biden administration. The US officials who were present were startled by China’s admission, people familiar with the matter told WSJ [paywalled article]."
https://www.securityweek.com/china-admitted-to-us-that-it-conducted-volt-typhoon-attacks-report/
https://securityaffairs.com/176485/apt/china-admitted-its-role-in-volt-typhoon-cyberattacks-on-u-s-infrastructure.html
- Initial Access Brokers Shift Tactics, Selling More For Less
"Initial Access Brokers (IABs) specialize in gaining unauthorized entry into computer systems and networks, then selling that access to other cybercriminals. This division of labor allows IABs to concentrate on their core expertise: exploiting vulnerabilities through methods like social engineering and brute-force attacks. By selling access, they significantly mitigate the risks associated with directly executing ransomware attacks or other complex operations. Instead, they capitalize on their skill in breaching networks, effectively streamlining the attack process for their clients."
https://thehackernews.com/2025/04/initial-access-brokers-shift-tactics.html
- March 2025 Infostealer Trend Report
"This report provides statistics, trends, and case information on the distribution quantity, distribution methods, and disguise techniques of Infostealer collected and analyzed during March 2025. Below is a summary of the report."
https://asec.ahnlab.com/en/87444/
- March 2025 Threat Trend Report On Ransomware
"This report provides statistics on the number of new ransomware samples, number of targeted systems, and targeted companies collected in March 2025, as well as major Korean and international ransomware issues worth noting. Below are the summarized details. The number of ransomware samples and number of damaged systems is based on the detection names assigned by AhnLab, and statistics on targeted companies is based on the information published on the Dedicated Leak Site (DLS) of the ransomware group, also referred to as ransomware PR sites or PR pages, collected by the ATIP infrastructure over time."
https://asec.ahnlab.com/en/87445/
- The Rise Of Slopsquatting: How AI Hallucinations Are Fueling a New Class Of Supply Chain Attacks
"Large Language Models (LLMs) are becoming a staple in modern development workflows. AI-powered code assistant tools like Copilot, ChatGPT, and Cursor are now used to help write everything from web apps to automation scripts. They deliver industry-altering productivity gains but also introduce new risks, some of them entirely novel. One such risk is slopsquatting, a new term for a surprisingly effective type of software supply chain attack that emerges when LLMs “hallucinate” package names that don’t actually exist. If you’ve ever seen an AI recommend a package and thought, “Wait, is that real?”—you’ve already encountered the foundation of the problem. And now attackers are catching on."
https://socket.dev/blog/slopsquatting-how-ai-hallucinations-are-fueling-a-new-class-of-supply-chain-attacks
https://www.bleepingcomputer.com/news/security/ai-hallucinated-code-dependencies-become-new-supply-chain-risk/
https://www.theregister.com/2025/04/12/ai_code_suggestions_sabotage_supply_chain/
- Hacktivism Is Back – But Don't Be Fooled, It's Often State-Backed Goons In Masks
"From triggering a water tank overflow in Texas to shutting down Russian state news services on Vladimir Putin's birthday, self-styled hacktivists have been making headlines. But don't let the Guy Fawkes avatars fool you. Today's "hacktivists," especially those going after critical infrastructure, often have less in common with just the digital vandals of the Nineties and Naughts than with government-backed cyber operators. Threat intel analysts say their tactics, targets, and timing suggest something calculated, and far more connected to nation-state interests."
https://www.theregister.com/2025/04/13/hacktivism_is_having_a_resurgence/
Reference
Electronic Transactions Development Agency (ETDA)
- CVE-2025-27520 Critical RCE In BentoML Has Fewer Affected Versions Than Reported
-
The US Treasury's OCC discloses a data breach via an admin account that persisted for more than a year