You can follow the news on the webboard or on Facebook NCSA Thailand
-
Cyber Threat Intelligence 29 July 2025
Vulnerabilities
- 10,000 WordPress Sites Affected By Critical Vulnerabilities In HT Contact Form WordPress Plugin
"On June 24th, 2025, we received a submission for an Arbitrary File Upload and an Arbitrary File Deletion vulnerability in HT Contact Form, a WordPress plugin with more than 10,000 active installations. The arbitrary file upload vulnerability can be used by unauthenticated attackers to upload arbitrary files to a vulnerable site and achieve remote code execution, which is typically leveraged for a complete site takeover. The arbitrary file deletion vulnerability can be used by unauthenticated attackers to delete arbitrary files, including the wp-config.php file, which can also make a site takeover possible. On July 4th, 2025, we also received a submission for an Arbitrary File Move vulnerability in HT Contact Form. This vulnerability can be used by unauthenticated attackers to move arbitrary files, including the wp-config.php file, which can also make a site takeover possible."
https://www.wordfence.com/blog/2025/07/10000-wordpress-sites-affected-by-critical-vulnerabilities-in-ht-contact-form-wordpress-plugin/
https://www.infosecurity-magazine.com/news/flaws-wordpress-plugin-expose/
- CISA Adds Three Known Exploited Vulnerabilities To Catalog
"CISA has added three new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
CVE-2025-20281 Cisco Identity Services Engine Injection Vulnerability
CVE-2025-20337 Cisco Identity Services Engine Injection Vulnerability
CVE-2023-2533 PaperCut NG/MF Cross-Site Request Forgery (CSRF) Vulnerability"
https://www.cisa.gov/news-events/alerts/2025/07/28/cisa-adds-three-known-exploited-vulnerabilities-catalog
https://www.bleepingcomputer.com/news/security/cisa-flags-papercut-rce-bug-as-exploited-in-attacks-patch-now/
https://securityaffairs.com/180494/security/u-s-cisa-adds-cisco-ise-and-papercut-ng-mf-flaws-to-its-known-exploited-vulnerabilities-catalog.html
- Sploitlight: Analyzing A Spotlight-Based macOS TCC Vulnerability
"Microsoft Threat Intelligence has discovered a macOS vulnerability that could allow attackers to steal private data of files normally protected by Transparency, Consent, and Control (TCC), such as files in the Downloads folder, as well as caches utilized by Apple Intelligence. While similar to prior TCC bypasses like HM-Surf and powerdir, the implications of this vulnerability, which we refer to as “Sploitlight” for its use of Spotlight plugins, are more severe due to its ability to extract and leak sensitive information cached by Apple Intelligence, such as precise geolocation data, photo and video metadata, face and person recognition data, search history and user preferences, and more. These risks are further complicated and heightened by the remote linking capability between iCloud accounts, meaning an attacker with access to a user’s macOS device could also exploit the vulnerability to determine remote information of other devices linked to the same iCloud account."
https://www.microsoft.com/en-us/security/blog/2025/07/28/sploitlight-analyzing-a-spotlight-based-macos-tcc-vulnerability/
https://www.bleepingcomputer.com/news/security/microsoft-macos-sploitlight-flaw-leaks-apple-intelligence-data/
https://hackread.com/macos-sploitlight-flaw-apple-intelligence-cached-data/
https://www.theregister.com/2025/07/28/microsoft_spots_apple_bug/
https://securityaffairs.com/180503/hacking/microsoft-uncovers-macos-flaw-allowing-bypass-tcc-protections-and-exposing-sensitive-data.html
- Code Execution Through Deception: Gemini AI CLI Hijack
"Tracebit discovered a silent attack on Gemini CLI where, through a toxic combination of improper validation, prompt injection and misleading UX, inspecting untrusted code consistently leads to silent execution of malicious commands."
https://tracebit.com/blog/code-exec-deception-gemini-ai-cli-hijack
https://www.bleepingcomputer.com/news/security/flaw-in-gemini-cli-ai-coding-assistant-allowed-stealthy-code-execution/
https://cyberscoop.com/google-gemini-cli-prompt-injection-arbitrary-code-execution/
Malware
- Endgame Gear Mouse Config Tool Infected Users With Malware
"Gaming peripherals maker Endgame Gear is warning that malware was hidden in its configuration tool for the OP1w 4k v2 mouse hosted on the official website between June 26 and July 9, 2025. The infected file was hosted on 'endgamegear.com/gaming-mice/op1w-4k-v2,' so users downloading the tool from that page during this period were infected. Endgame Gear is a German PC gaming peripherals firm known for its pro-gaming gear, including the XM and OP1 series mice, which are highly regarded among reviewers and competitive players. Although not as big as brands like Logitech, Razer, and HyperX, it is a respected entity in the space and one of the key emerging firms in the ultra-light gaming mouse segment."
https://www.bleepingcomputer.com/news/security/endgame-gear-mouse-config-tool-infected-users-with-malware/
- CVE-2025-20281: Cisco ISE API Unauthenticated Remote Code Execution Vulnerability
"On January 25th, 2025, the Trend Zero Day Initiative (ZDI) received a report from Kentaro Kawane of GMO Cybersecurity by Ierae regarding a deserialization of untrusted data vulnerability in Cisco Identity Services Engine (ISE). This pre-authentication vulnerability existed in the enableStrongSwanTunnel method of the DescriptionRegistrationListener class. While analyzing this vulnerability, I noticed that the same function was also vulnerable to command injection as root. Cisco patched this initially as CVE-2025-20281(ZDI-25-609), but also released CVE-2025-20337 (ZDI-25-607) to fully address the vulnerability. You’ll see why below."
https://www.zerodayinitiative.com/blog/2025/7/24/cve-2025-20281-cisco-ise-api-unauthenticated-remote-code-execution-vulnerability
https://www.bleepingcomputer.com/news/security/exploit-available-for-critical-cisco-ise-bug-exploited-in-attacks/
- RedHook: A New Android Banking Trojan Targeting Users In Vietnam
"Cyble Research and Intelligence Labs (CRIL) discovered ‘RedHook’, a sophisticated Android banking trojan targeting Vietnamese users through spoofed government and financial websites. It communicates to the command-and-control (C2) server using WebSocket and supports over 30 remote commands, enabling complete control over compromised devices. Code artifacts, including Chinese-language strings, suggest development by a Chinese-speaking threat actor or group. Despite its capabilities, RedHook currently has low antivirus detection, making it an active and stealthy threat in the region."
https://cyble.com/blog/redhook-new-android-banking-targeting-in-vietnam/
- New Advanced Stealer (SHUYAL) Targets Credentials Across 19 Popular Browsers
"Hybrid Analysis has analyzed a sophisticated new information stealer that combines extensive credential theft capabilities with advanced system reconnaissance and evasion tactics. Named SHUYAL based on unique identifiers discovered in the executable's PDB path, this previously undocumented stealer demonstrates comprehensive browser targeting, grabbing credentials from 19 different browsers ranging from mainstream applications like Chrome and Edge to privacy-focused options such as Tor."
https://hybrid-analysis.blogspot.com/2025/07/new-advanced-stealer-shuyal-targets.html
https://www.darkreading.com/endpoint-security/shuyal-stealer-targets-19-browsers-advanced-evasion
- Keitaro TDS Abused To Deliver AutoIT-Based Loader Targeting German Speakers
"Sublime recently identified an attack campaign targeting German speakers with a romance/adult-themed scam. The attack emails used explicit language, conflicting identity details, and redirects to malicious domains using a commercial Traffic Distribution Service (TDS) named Keitaro TDS to deliver a malicious payload. Here’s what one of the messages looked like:"
https://sublime.security/blog/keitaro-tds-abused-to-delivery-autoit-based-loader-targeting-german-speakers/
https://hackread.com/malicious-iso-file-romance-scam-on-german-speakers/
- Revisiting UNC3886 Tactics To Defend Against Present Risk
"On July 18, Singapore’s Coordinating Minister for National Security K. Shanmugam revealed that the country was facing a highly sophisticated threat actor targeting critical infrastructure—UNC3886. First reported in 2022, this advanced persistent threat (APT) group has been targeting essential services in Singapore, posing a severe risk to their national security. In this entry, we draw on observations and the tactics, techniques, and procedures (TTPs) from previously recorded UNC3886 attacks. Our aim is to get a good understanding of this threat group and enhance overall defensive posture against similar tactics."
https://www.trendmicro.com/en_us/research/25/g/revisiting-unc3886-tactics-to-defend-against-present-risk.html
- Cyber Stealer Analysis: When Your Malware Developer Has FOMO About Features
"First identified by eSentire's Threat Response Unit (TRU) in May 2025, Cyber Stealer represents a new and actively developing threat. The malware authors are consistently updating the tool based on user feedback from hacking forums, indicating an agile development process and suggesting the threat will continue to evolve and become more sophisticated. The malware compresses stolen data into a zip archive and sends it to the Command & Control (C2) server via HTTP POST requests, including detailed statistics about the types and quantities of stolen data (passwords, credit cards, cookies, etc.). The malware maintains regular communication with its C2 server through various endpoints, including heartbeat checks, XMR miner configuration, task checks, configuration updates, and data exfiltration. The C2 URL can be dynamically updated through Pastebin, with a hardcoded backup URL if that fails."
https://www.esentire.com/blog/cyber-stealer-analysis-when-your-malware-developer-has-fomo-about-features
Breaches/Hacks/Leaks
- Tea App Leak Worsens With Second Database Exposing User Chats
"The Tea app data breach has grown into an even larger leak, with the stolen data now shared on hacking forums and a second database discovered that allegedly contains 1.1 million private messages exchanged between the app's members. The Tea app is a women-only dating safety platform where members can share reviews about men, with access to the platform only granted after providing a selfie and government ID verification. On Friday, an anonymous user posted on 4chan that Tea used an unsecured Firebase storage bucket to store drivers' licenses and selfies uploaded by members to verify they are women, as well as photos and images shared in comments."
https://www.bleepingcomputer.com/news/security/tea-app-leak-worsens-with-second-database-exposing-user-chats/
https://therecord.media/tea-app-data-breach-stolen-ids-leaked
https://www.infosecurity-magazine.com/news/dating-app-breach-exposes-13000/
https://hackread.com/tea-app-breach-women-dating-platform-user-images-leak/
- France's Warship Builder Naval Group Investigates 1TB Data Breach
"France's state-owned defense firm Naval Group is investigating a cyberattack after 1TB of allegedly stolen data was leaked on a hacking forum. The company characterized this as a "destabilization attempt" and a "reputational attack," to which it has responded by filing a complaint to protect its client's data. Meanwhile, Naval Group is investigating with the assistance of external experts to determine if the leaked data originated from them. Despite the gravity of the claims, the company maintains that it sees no signs of an IT systems breach, and its operations haven't been impacted."
https://www.bleepingcomputer.com/news/security/frances-warship-builder-naval-group-investigates-1tb-data-breach/
https://www.infosecurity-magazine.com/news/naval-group-denies-hack/
- GLOBAL GROUP Ransomware Claims Breach Of Media Giant Albavisión
"The GLOBAL GROUP ransomware gang is claiming responsibility for a breach of Albavisión (albavision.tv), a major Spanish-language media conglomerate based in Miami, Florida. The group also claims to have stolen 400 GB of data. GLOBAL GROUP is a newly emerged Ransomware-as-a-Service (RaaS) operation that has been active since early June 2025. The group has targeted multiple sectors globally, including media and healthcare, with Albavisión listed as its 29th claimed victim since its launch. What sets GLOBAL GROUP ransomware apart from other gangs is its use of an AI-driven negotiation tool. This system employs chatbots to handle negotiations with victims, particularly those who do not speak English."
https://hackread.com/global-group-ransomware-media-giant-albavision-breach/
- Cyberattack On Aeroflot Causing Mass Flight Disruptions, Russia Says
"Russian authorities confirmed on Monday that Aeroflot, the country’s largest airline and national carrier, has been hit with a cyberattack causing widespread flight delays and cancellations. Aeroflot said a “technical failure” was to blame for the disruption, which began Monday morning and has forced the airline to cancel more than 50 flights, including on popular domestic routes such as Moscow, St. Petersburg and Sochi. Some flights planned for later in the week were also canceled. The company said it is working to restore normal operations and promised to refund passengers or rebook their tickets once its systems are back online. Aeroflot’s shares dropped nearly 4% on Monday. The disruptions also hit the company’s subsidiaries, Rossiya and Pobeda."
https://therecord.media/cyberattack-aeroflot-russia-delays
https://www.politico.com/news/2025/07/28/cyberattack-on-russian-airline-aeroflot-causes-the-cancellation-of-more-than-100-flights-00479963
https://www.bankinfosecurity.com/russias-flag-carrier-cancels-flights-after-hack-attack-a-29065
https://www.theregister.com/2025/07/28/aeroflot_system_compromise/
https://www.securityweek.com/cyberattack-on-russian-airline-aeroflot-causes-the-cancellation-of-more-than-100-flights/
General News
- Your Supply Chain Security Strategy Might Be Missing The Biggest Risk
"Third-party involvement in data breaches has doubled this year from 15 percent to nearly 30 percent. In response, many organizations have sharpened their focus on third-party risk management, carefully vetting the security practices of their vendors. However, a critical gap remains that many organizations overlook: fourth-party risk."
https://www.helpnetsecurity.com/2025/07/28/vendor-risk-management/
- The Legal Minefield Of Hacking Back
"In this Help Net Security interview, Gonçalo Magalhães, Head of Security at Immunefi, discusses the legal and ethical implications of hacking back in cross-border cyber incidents. He warns that offensive cyber actions risk violating international law, escalating conflicts, and harming innocent third parties. Instead, Magalhães advocates for legally sanctioned frameworks, such as bug bounty programs, to strengthen security without crossing dangerous lines."
https://www.helpnetsecurity.com/2025/07/28/goncalo-magalhaes-immunefi-hacking-back-concerns/
- How To Spot Malicious AI Agents Before They Strike
"Today's businesses know they have an artificial intelligence fraud problem — and as agentic AI becomes more widely deployed, it introduces a whole new dimension to the battle of the machines. Success won't come solely from fighting AI with AI, but by evolving people and processes, starting with tighter collaboration between security and fraud teams. Automated defenses are essential. But given how successful phishing and credential-based attacks still are, we must accept that malicious agents will often appear legitimate — and gain access. Defending against them requires speed, but not at the expense of paralyzing online commerce. It's the same old dilemma: security slowing down business. Only now, the stakes are far higher. Think of a Mirai-style botnet but powered by malicious AI agents. That's the kind of threat we want to stay ahead of."
https://www.darkreading.com/vulnerabilities-threats/spot-malicious-ai-agents-strike
- Too Many Threats, Too Much Data, Say Security And IT Leaders. Here’s How To Fix That
"An overwhelming volume of threats and data combined with the shortage of skilled threat analysts has left many security and IT leaders believing that their organizations are vulnerable to cyberattacks and stuck in a reactive state. That’s according to the new Threat Intelligence Benchmark, a commissioned study conducted by Forrester Consulting on behalf of Google Cloud, on the threat intelligence practices of more than 1,500 IT and cybersecurity leaders from eight countries and across 12 industries. Operationalizing threat intelligence remains a major challenge, said a majority of the survey’s respondents."
https://cloud.google.com/blog/products/identity-security/too-many-threats-too-much-data-new-survey-heres-how-to-fix-that
https://cloud.google.com/resources/content/security-forrester-harness-ai-transform-threat-intelligence
https://www.theregister.com/2025/07/28/security_pros_drowning_in_threatintel/
Reference
Electronic Transactions Development Agency (ETDA) - 10,000 WordPress Sites Affected By Critical Vulnerabilities In HT Contact Form WordPress Plugin
-
Cyber Threat Intelligence 28 July 2025
Vulnerabilities
- Post SMTP Plugin Flaw Exposes 200K WordPress Sites To Hijacking Attacks
"More than 200,000 WordPress websites are using a vulnerable version of the Post SMTP plugin that allows hackers to take control of the administrator account. Post SMTP is a popular email delivery plugin for WordPress that counts more than 400,000 active installations. It’s marketed as a replacement of the default ‘wp_mail()’ function that is more reliable and feature-rich. On May 23, a security researcher reported the vulnerability to WordPress security firm PatchStack. The flaw is now identified as CVE-2025-24000 and received a medium severity score of 8.8."
https://www.bleepingcomputer.com/news/security/post-smtp-plugin-flaw-exposes-200k-wordpress-sites-to-hijacking-attacks/
Malware
- Rogue CAPTCHAs: Look Out For Phony Verification Pages Spreading Malware
"Bots have got a lot to answer for. They now make up over half of all internet traffic, and while some, such as Google’s web crawlers and fetchers, have legitimate purposes, nearly two-fifths are considered malicious. Their power can be harnessed for everything from posting inflammatory social media posts to launching distributed denial-of-service attacks and hijacking online accounts using, for example, previously breached passwords."
https://www.welivesecurity.com/en/cybersecurity/rogue-captchas-look-out-phony-verification-pages-spreading-malware/
- In-Depth Analysis Of An Obfuscated Web Shell Script
"This analysis is a follow-up to the investigation titled ‘Intrusion into Middle East Critical National Infrastructure’ (full report here), conducted by the FortiGuard Incident Response Team (FGIR), which investigated a long-term cyber intrusion targeting critical national infrastructure (CNI) in the Middle East. The report revealed that threat actors had installed numerous web shell servers on the compromised system. In this follow-up, we conducted a deep analysis of one of these web shell servers, named UpdateChecker.aspx, which was deployed on the Microsoft IIS (Internet Information Services) server of the compromised system."
https://www.fortinet.com/blog/threat-research/in-depth-analysis-of-an-obfuscated-web-shell-script
- Inside The ToolShell Campaign
"FortiGuard Labs is currently tracking multiple threat actors targeting on-premises Microsoft SharePoint servers. This attack leverages a newly identified exploit chain dubbed "ToolShell." Threat actors are combining two previously patched vulnerabilities (CVE-2025-49704 and CVE-2025-49706) with two fresh, zero-day variants (CVE-2025-53770 and CVE-2025-53771) to achieve remote code execution. Given the escalating threat, CISA has already added these CVEs to its catalog of Known Exploited Vulnerabilities, and FortiGuard Labs has issued a detailed Threat Signal. Except for the known attack using “spinstall0.aspx”, exploitation in the wild is accelerating, and this blog post will delve into real-world incidents from this ongoing wave of attacks."
https://www.fortinet.com/blog/threat-research/inside-the-toolshell-campaign
- ToolShell: A Story Of Five Vulnerabilities In Microsoft SharePoint
"On July 19–20, 2025, various security companies and national CERTs published alerts about active exploitation of on-premise SharePoint servers. According to the reports, observed attacks did not require authentication, allowed attackers to gain full control over the infected servers, and were performed using an exploit chain of two vulnerabilities: CVE-2025-49704 and CVE-2025-49706, publicly named “ToolShell”. Additionally, on the same dates, Microsoft released out-of-band security patches for the vulnerabilities CVE-2025-53770 and CVE-2025-53771, aimed at addressing the security bypasses of previously issued fixes for CVE-2025-49704 and CVE-2025-49706. The release of the new, “proper” updates has caused confusion about exactly which vulnerabilities attackers are exploiting and whether they are using zero-day exploits."
https://securelist.com/toolshell-explained/117045/
- Watch Out: Instagram Users Targeted In Novel Phishing Campaign
"A phishing campaign targeting Instagram users is doing the rounds. There are plenty of those around, but when we took a look at this particular email, it seemed a bit different to the normal phishing emails that point to scammy websites. The email looked like this, which is very similar to the one Instagram sends if it wants you to confirm your identity:"
https://www.malwarebytes.com/blog/news/2025/07/watch-out-instagram-users-targeted-in-novel-phishing-campaign
- SafePay: Email Bombs, Phone Scams, And Really Big Ransoms
"When it comes to choosing a brand name, “SafePay” must be among the most boring of choices. It sounds more like a payment app than an organized crime group. There are no dragons or bugs or heads full of snakes, but the group behind the brand is skilled and ruthless. SafePay has been making a name for itself with strong encryption, data exfiltration and big ransom demands from a fast-growing list of victims. SafePay ransomware was first observed in October 2024, and later confirmed to have been active at least one month earlier. By the end of the first quarter of 2025, SafePay claimed over 200 victims, including managed service providers (MSPs) and small-to-midsize businesses (SMBs) across multiple sectors. The group has been relentless, claiming between 58-70 victims in May 2025, making it the most active ransomware group that month."
https://blog.barracuda.com/2025/07/25/safepay--email-bombs--phone-scams--and-really-big-ransoms
- Dropping Elephant APT Group Targets Turkish Defense Industry With New Campaign And Capabilities: LOLBAS, VLC Player, And Encrypted Shellcode
"The Arctic WolfLabs team has identified a new campaign by cyber-espionage group Dropping Elephant targeting Turkish defense contractors, specifically a manufacturer of precision-guided missile systems. The campaign employs a five-stage execution chain delivered via malicious LNK files disguised as conference invitations sent to targets interested in learning more about unmanned vehicle systems. The attack leverages legitimate binaries (VLC Media Player and Microsoft Task Scheduler) for defense evasion through DLL side-loading techniques. This represents a significant evolution of this threat actor’s capabilities, transitioning from the x64 DLL variants observed in November 2024, to the current x86 PE executables with enhanced command structures."
https://arcticwolf.com/resources/blog/dropping-elephant-apt-group-targets-turkish-defense-industry/
https://thehackernews.com/2025/07/patchwork-targets-turkish-defense-firms.html
- Operation CargoTalon: UNG0901 Targets Russian Aerospace & Defense Sector Using EAGLET Implant
"SEQRITE Labs APT-Team has recently found a campaign which has been targeting the Russian aerospace industry. The campaign is aimed at targeting employees of Voronezh Aircraft Production Association (VASO), one of the major aircraft production entities in Russia, using товарно-транспортная накладная (TTN, consignment note) documents — critical to Russian logistics operations. The entire malware ecosystem involved in this campaign is based on usage of a malicious LNK file and the EAGLET DLL implant, further executing malicious commands and exfiltrating data. In this blog, we will explore the technical details of the campaign we encountered during our analysis. We will examine the various stages of this campaign, starting from a deep dive into the initial infection chain to the implant used in this campaign, ending with a final overview covering the campaign."
https://www.seqrite.com/blog/operation-cargotalon-ung0901-targets-russian-aerospace-defense-sector-using-eaglet-implant/
https://thehackernews.com/2025/07/cyber-espionage-campaign-hits-russian.html
https://securityaffairs.com/180378/intelligence/operation-cargotalon-targets-russias-aerospace-with-eaglet-malware.html
- The Homograph Illusion: Not Everything Is As It Seems
"Since the creation of the internet, email attacks have been the predominant attack vector for spreading malware and gaining initial access to systems and endpoints. One example of an effective email compromise technique is a homograph attack. Attackers use this content manipulation tactic to evade content analysis and trick users by replacing Latin characters with similar-looking characters from other Unicode blocks. This article provides rare insights into real homograph attacks, and demonstrates the full chain of events that can potentially lead to exploitation of targets. We outline three cases that we detected in the wild. In each scenario, threat actors used homograph attacks in different contexts within email messages, to avoid natural language detections and reach target inboxes."
https://unit42.paloaltonetworks.com/homograph-attacks/
Breaches/Hacks/Leaks
- NASCAR Confirms Medusa Ransomware Breach After $4M Demand
"In April 2025, Hackread.com exclusively reported that the Medusa ransomware group had claimed responsibility for breaching the National Association for Stock Car Auto Racing (NASCAR) and was demanding a $4 million ransom. NASCAR has now confirmed that its systems were indeed compromised, validating Hackread.com’s earlier reporting."
https://hackread.com/nascar-ransomware-confirm-medusa-ransomware-data-breach/
https://therecord.media/nascar-confirms-data-breach
- Advisor To Brit Tech Contractors Qdos Confirms Client Data Leak
"Business insurance and employment status specialist Qdos has confirmed that an intruder has stolen some customers' personal data, according to a communication to tech contractors that was seen by The Register. Qdos yesterday emailed clients on its database to confirm a "recent data security incident affecting one of our web applications: mygoqdos.com, that may have involved data relating to you and your business." It says it was alerted to the issue on June 19 and launched a probe with the help of a third-party cyber security expert."
https://www.theregister.com/2025/07/25/ir35_advisor_qdos_confirms_data_breach/
- Allianz Life Confirms Data Breach Impacts Majority Of 1.4 Million Customers
"Insurance company Allianz Life has confirmed that the personal information for the "majority" of its 1.4 million customers was exposed in a data breach that occurred earlier this month. "On July 16, 2025, a malicious threat actor gained access to a third-party, cloud-based CRM system used by Allianz Life Insurance Company of North America (Allianz Life)," an Allianz Life spokesperson told BleepingComputer. "The threat actor was able to obtain personally identifiable data related to the majority of Allianz Life's customers, financial professionals, and select Allianz Life employees, using a social engineering technique.""
https://www.bleepingcomputer.com/news/security/allianz-life-confirms-data-breach-impacts-majority-of-14-million-customers/
https://securityaffairs.com/180445/data-breach/allianz-life-data-breach-exposed-the-data-of-most-of-its-1-4m-customers.html
General News
- US Targets North Korea’s Illicit Funds: $15M Rewards Offered As American Woman Jailed In IT Worker Scam
"An Arizona woman was sentenced to prison for her role in a North Korean fake IT worker scheme that hit more than 300 companies and generated over $17 million in illicit revenue. The woman, Christina Marie Chapman, 50, of Litchfield Park, was charged in May last year with running a laptop farm to help North Koreans hide their location. She pleaded guilty in February 2025. According to court documents, between October 2020 and October 2023, she helped North Korean IT workers obtain employment at US companies using the stolen identities of Americans, and received and hosted laptops from the targeted companies at her home."
https://www.securityweek.com/us-targets-north-koreas-illicit-funds-15m-rewards-offered-as-american-woman-jailed-in-it-worker-scam/
https://www.theregister.com/2025/07/24/laptop_farmer_north_korean_it_scam_sentenced/
https://www.bleepingcomputer.com/news/security/us-woman-sentenced-to-8-years-in-prison-for-running-laptop-farm-helping-north-koreans-infiltrate-300-firms/
https://www.darkreading.com/remote-workforce/north-korea-it-worker-rampage-doj
https://thehackernews.com/2025/07/us-sanctions-firm-behind-n-korean-it.html
https://therecord.media/arizona-woman-sentenced-north-korean-laptop-farm
https://cyberscoop.com/state-department-reward-north-korea-it-worker-scheme/
https://securityaffairs.com/180398/intelligence/arizona-woman-sentenced-for-aiding-north-korea-in-u-s-it-job-fraud-scheme.html
https://hackread.com/arizona-woman-jailed-help-north-korea-it-job-scam/
- Cyber Career Opportunities: Weighing Certifications Vs. Degrees
"Welcome to Dark Reading's "Career Conversations with a CISO" video series, showcasing advice on breaking into and advancing within the cybersecurity field from those who have been there. In this conversation with Dark Reading Associate Editor Kristina Beek, longtime CISO Melina Scotto shares her journey from aspiring opera singer to cybersecurity leader, having served as a top security head for federal contractors and Fortune 500 companies. Throughout her 30-year career, she witnessed cybersecurity transform from basic border protection to a comprehensive approach addressing lateral movement, AI-enabled threats, the cloud, and a range of different critical business risks that place cyber at the core of any successful enterprise."
https://www.darkreading.com/cybersecurity-operations/cyber-career-opportunities-certifications-degrees
- Why Security Nudges Took Off
"The appeal of nudging — that is, guiding users in the right direction — is clear: It meets users where they are. A timely reminder before accessing sensitive data, a pop-up when risky behavior is detected, a contextual security tip at login, a security issue about to reach its remediation deadline — these are all common examples. Done well, nudges can improve security awareness and encourage better behavior without blocking productivity. They offer a more human-centered alternative to strict enforcement or reactive controls."
https://www.darkreading.com/cybersecurity-operations/why-security-nudges-took-off
- The Young And The Restless: Young Cybercriminals Raise Concerns
"Cybercriminal groups are attracting a significant number of tech-savvy minors, lured by money, a sense of community, or scoring online fame with little concern for the risks of prosecution, government and private-sector experts warn. In a July 23 alert, the FBI's Internet Crime Complaint Center (IC3) noted that one growing group, Hacker Com, has attracted a wide variety of English-speaking minors to "a broad community of technically sophisticated cyber criminals." In early July, the UK's National Crime Agency (NCA) arrested four people — a 20-year-old woman, two 19-year-old males, and a 17-year-old male — in connection with the cyberattacks against and disruption of two retailers, Marks & Spencer and the Co-op."
https://www.darkreading.com/cyber-risk/young-cybercriminals-raise-concerns
- Can Security Culture Be Taught? AWS Says Yes
"Too many organizations lack what experts describe as a "strong security culture," which leaves them extremely vulnerable to repeated attacks and unacceptable risks. But can a security culture be built from scratch? Security culture is broadly defined as an organization's shared strategies, policies, and perspectives that serve as the foundation for its enterprise security program. For many years, infosec leaders have preached the importance of a strong culture and how it cannot only strengthen the organization's security posture but also spur increases in productivity and profitability."
https://www.darkreading.com/cybersecurity-operations/can-security-culture-be-taught-aws-says-yes
- Predictive AI: The "Quiet Catalyst" Behind The Future Of Cybersecurity
"Patterned, predictive, and purposeful – the future of cybersecurity that Group-IB is helping envision and build. New and evolving cyberattacks are forcing us to move away from being random and reactive in our cyber defenses. Soon, traditional defenses won’t cut anymore. The shift toward predictive analytics marks a critical change: one where cyber defense becomes intentional, intelligence-led, and always a step ahead. But what exactly is predictive analytics in cybersecurity? And how does it power new-age defenses?"
https://www.group-ib.com/blog/predictive-ai/
- BreachForums Resurfaces On Original Dark Web (.onion) Address
"The notorious cybercrime and hacker platform BreachForums has mysteriously resurfaced on its original dark web .onion domain. The site appears to be fully restored, including its infrastructure, user-leaked databases, official breach listings and forum posts. For your information, in early April 2025, both the clearnet and dark web domains of BreachForums went offline without explanation. Members speculated about possible law enforcement action or a forum seizure."
https://hackread.com/breachforums-resurface-original-dark-web-onion-address/
- Digital Sovereignty Becomes a Matter Of Resilience For Europe
"In this Help Net Security interview, Benjamin Schilz, CEO of Wire, discusses Europe’s push for digital sovereignty through initiatives like Gaia-X and the EU AI Act. As the continent redefines its technological future, the focus shifts from regulation to building resilient, European-owned digital infrastructure. Schilz also discusses how open-source and decentralized technologies are key to securing Europe’s strategic autonomy."
https://www.helpnetsecurity.com/2025/07/25/benjamin-schilz-wire-european-digital-sovereignty/
- What 50 Companies Got Wrong About Cloud Identity Security
"Most organizations still miss basic identity security controls in the cloud, leaving them exposed to breaches, audit failures, and compliance violations. A new midyear benchmark from Unosecur found that nearly every company scanned had at least one high-risk issue, with an average of 40 control failures per organization. The report analyzed diagnostic scan data from 50 enterprises across industries and regions between January and June 2025. Unlike survey-based studies, the findings are based on direct control checks aligned with standards like ISO 27001/27002, PCI DSS, and SOC 2. The goal: provide a reproducible view of where cloud identity practices fall short and how to fix them."
https://www.helpnetsecurity.com/2025/07/25/organizations-cloud-identity-security/
- DNS Security Is Important But DNSSEC May Be a Failed Experiment
"Last week I turned on DNSSEC (Domain Name System Security Extensions) for the systemsapproach.org domain. No need to applaud; I was just trying to get an understanding of what the barriers to adoption might be while teaching myself about the technology. It turns out that, if you have your domain hosted by a big provider (we happen to use GoDaddy), it's easy to turn on DNSSEC. But I think it says a lot that it took us this long (and the stimulus of working on a new security book) to get us to turn on DNSSEC. By contrast, we would never think of running a website in 2025 without HTTPS."
https://www.theregister.com/2025/07/25/systems_approach_column_dns_security/
- Blame a Leak For Microsoft SharePoint Attacks, Researcher Insists
"A week after Microsoft told the world that its July software updates didn't fully fix a couple of bugs, which allowed miscreants to take over on-premises SharePoint servers and remotely execute code, researchers have assembled much of the puzzle — with one big missing piece. How did the attackers, who include Chinese government spies, data thieves, and ransomware operators, know how to exploit the SharePoint CVEs in such a way that would bypass the security fixes Microsoft released the following day?"
https://www.theregister.com/2025/07/26/microsoft_sharepoint_attacks_leak/
References
Electronic Transactions Development Agency (ETDA)
- Post SMTP Plugin Flaw Exposes 200K WordPress Sites To Hijacking Attacks
-
Sophos Fixes Multiple Critical Vulnerabilities In Sophos Firewall
-
Hackers Exploit A Flaw In WordPress Mu-Plugins To Maintain Administrator Access
-
Cyber Threat Intelligence 25 July 2025
Financial Sector
- The Bullseye On Banks: Why Financial Services Remain a Prime Target For Cyberattacks
"The frontlines of cybersecurity have long included the financial services sector, but today’s battlefield is increasingly asymmetric. Threat actors aren’t just going after the big-name banks with sprawling infrastructure and billion-dollar balance sheets. They’re targeting credit unions, wealth management firms, fintech startups, and insurance providers with the same determination and ferocity. What do these entities have that cybercriminals want? Plenty. They are united by their high-value data and direct pathways to financial gain. It’s no surprise then, that a recent report revealed that a staggering 39% of financial firms have experienced a breach."
https://www.tripwire.com/state-of-security/bullseye-banks-why-financial-services-remain-prime-target-cyberattacks
- ATM Fraudsters Halted In Europol-Supported Operation Led By Romanian And British Authorities
"A highly organised criminal group involved in large-scale fraud in Western Europe has been dismantled in a coordinated operation led by authorities from Romania and the United Kingdom (UK), supported by Europol and Eurojust. The gang had travelled from Romania to several Western European countries, mainly the UK, and withdrew large sums of money from ATM machines. They later laundered the proceeds by investing in real estate, companies, vacations and luxury products, including cars and jewellery."
https://www.europol.europa.eu/media-press/newsroom/news/atm-fraudsters-halted-in-europol-supported-operation-led-romanian-and-british-authorities
https://www.infosecurity-magazine.com/news/uk-romania-crack-down-atm-fraudster/
Healthcare Sector
- Medtronic MyCareLink Patient Monitor
"Successful exploitation of these vulnerabilities could lead to system compromise, unauthorized access to sensitive data, and manipulation of the monitor's functionality."
https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-205-01
Industrial Sector
- Network Thermostat X-Series WiFi Thermostats
"Successful exploitation of this vulnerability could allow an attacker to gain full administrative access to the device."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-205-02
- Honeywell Experion PKS
"Successful exploitation of these vulnerabilities could result in information exposure, denial of service, or remote code execution."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-205-03
- Mitsubishi Electric CNC Series
"Successful exploitation of this vulnerability could allow an attacker to execute malicious code by getting setup-launcher to load a malicious DLL."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-205-01
- LG Innotek Camera Model LNV5110R
"Successful exploitation of this vulnerability could allow an attacker to gain administrative access to the device."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-205-04
- Critical Infrastructure Leaders: Threat Level Remains High
"OT environments have long been bereft of their traditional shelter from cyberattacks made from hacker ignorance or disinterest. Industrial environments are forefronts for nation-state hacking, the risk heightened by global tensions and the convergence of operational technology with IT counterparts. For those who can hear, alarms have been sounding loudly for some time. Yet advocacy for the basics - public-private partnerships and information sharing, tightly focused objectives that extend to the smallest operators and resilience planning - is still essential, said a clutch of government and industry leaders assembled Wednesday in New York for a panel hosted at the Global Cyber Innovation Summit."
https://www.bankinfosecurity.com/blogs/critical-infrastructure-leaders-threat-level-remains-high-p-3918
New Tooling
- Autoswagger: Open-Source Tool To Expose Hidden API Authorization Flaws
"Autoswagger is a free, open-source tool that scans OpenAPI-documented APIs for broken authorization vulnerabilities. These flaws are still common, even at large enterprises with mature security teams, and are especially dangerous because they can be exploited with little technical skill. Autoswagger begins by detecting API schemas across a range of common formats and locations, starting with a list of an organization’s domains. It scans for OpenAPI and Swagger documentation pages, sending requests to each host to locate valid schemas. Once identified, it parses the API specifications and automatically generates a list of endpoints to test, taking into account each endpoint’s definition, required parameters, and expected data types."
https://www.helpnetsecurity.com/2025/07/24/autoswagger-open-source-tool-expose-hidden-api-authorization-flaws/
https://github.com/intruder-io/autoswagger/
Vulnerabilities
- Mitel Warns Of Critical MiVoice MX-ONE Authentication Bypass Flaw
"Mitel Networks has released security updates to patch a critical-severity authentication bypass vulnerability impacting its MiVoice MX-ONE enterprise communications platform. MX-ONE is the company's SIP-based communications system, which can scale to support hundreds of thousands of users. The critical security flaw is due to an improper access control weakness discovered in the MiVoice MX-ONE Provisioning Manager component and has yet to be assigned a CVE ID. Unauthenticated attackers can exploit it in low-complexity attacks that don't require user interaction to gain unauthorized access to administrator accounts on unpatched systems."
https://www.bleepingcomputer.com/news/security/mitel-warns-of-critical-mivoice-mx-one-authentication-bypass-flaw/
https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-misa-2025-0009
https://thehackernews.com/2025/07/critical-mitel-flaw-lets-hackers-bypass.html
- SonicWall Urges Admins To Patch Critical RCE Flaw In SMA 100 Devices
"SonicWall urges customers to patch SMA 100 series appliances against a critical authenticated arbitrary file upload vulnerability that can let attackers gain remote code execution. The security flaw (tracked as CVE-2025-40599) is caused by an unrestricted file upload weakness in the devices' web management interfaces, which can allow remote threat actors with administrative privileges to upload arbitrary files to the system. "SonicWall strongly recommends that users of the SMA 100 series products (SMA 210, 410, and 500v) upgrade to the specified fixed release version to remediate this vulnerability," the company said. "This vulnerability does not affect SonicWall SSL VPN SMA1000 series products or SSL-VPN running on SonicWall firewalls.""
https://www.bleepingcomputer.com/news/security/sonicwall-warns-of-critical-rce-flaw-in-sma-100-VPN-appliances/
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0014
https://thehackernews.com/2025/07/sophos-and-sonicwall-patch-critical-rce.html
https://www.securityweek.com/sonicwall-patches-critical-sma-100-vulnerability-warns-of-recent-malware-attack/
https://securityaffairs.com/180328/security/sonicwall-fixed-critical-flaw-in-sma-100-devices-exploited-in-overstep-malware-attacks.html
https://www.helpnetsecurity.com/2025/07/24/sonicwall-fixes-critical-flaw-sma-appliances-urges-customers-to-check-for-compromise-cve-2025-40599/
- Bloomberg Comdb2 Null Pointer Dereference And Denial-Of-Service Vulnerabilities
"Cisco Talos’ Vulnerability Discovery & Research team recently disclosed five vulnerabilities in Bloomberg Comdb2. Comdb2 is an open source, high-availability database developed by Bloomberg. It supports features such as clustering, transactions, snapshots, and isolation. The implementation of the database utilizes optimistic locking for concurrent operation. The vulnerabilities mentioned in this blog post have been patched by the vendor, all in adherence to Cisco’s third-party vulnerability disclosure policy."
https://blog.talosintelligence.com/bloomberg-comdb2-null-pointer-dereference-and-denial-of-service-vulnerabilities/
- Beyond Convenience: Exposing The Risks Of VMware vSphere Active Directory Integration
"Broadcom's VMware vSphere product remains a popular choice for private cloud virtualization, underpinning critical infrastructure. Far from fading, organizations continue to rely heavily on vSphere for stability and control. We're also seeing a distinct trend where critical workloads are being repatriated from public cloud services to these on-premises vSphere environments, influenced by strategies like bimodal IT and demands for more operational oversight."
https://cloud.google.com/blog/topics/threat-intelligence/vsphere-active-directory-integration-risks
https://cloud.google.com/blog/topics/threat-intelligence/defending-vsphere-from-unc3944/
Malware
- Storm-2603 Exploits SharePoint Flaws To Deploy Warlock Ransomware On Unpatched Systems
"Microsoft has revealed that one of the threat actors behind the active exploitation of SharePoint flaws is deploying Warlock ransomware on targeted systems. The tech giant, in an update shared Wednesday, said the findings are based on an "expanded analysis and threat intelligence from our continued monitoring of exploitation activity by Storm-2603." The threat actor attributed to the financially motivated activity is a suspected China-based threat actor that's known to drop Warlock and LockBit ransomware in the past. The attack chains entail the exploitation of CVE-2025-49706, a spoofing vulnerability, and CVE-2025-49704, a remote code execution vulnerability, targeting unpatched on-premises SharePoint servers to deploy the spinstall0.aspx web shell payload."
https://thehackernews.com/2025/07/storm-2603-exploits-sharepoint-flaws-to.html
https://www.bleepingcomputer.com/news/security/microsoft-sharepoint-servers-also-targeted-in-ransomware-attacks/
https://therecord.media/microsoft-says-warlock-ransomware-deployed-in-sharepoint-attacks
https://www.darkreading.com/endpoint-security/ransomware-actors-toolshell-sharepoint-bugs
https://cyberscoop.com/microsoft-sharepoint-attacks-400-victims-us-agencies/
https://www.infosecurity-magazine.com/news/ransomware-compromised-sharepoint/
https://www.securityweek.com/toolshell-attacks-hit-400-sharepoint-servers-us-government-victims-named/
https://www.helpnetsecurity.com/2025/07/24/storm-2603-spotted-deploying-ransomware-on-exploited-sharepoint-servers/
https://www.theregister.com/2025/07/24/microsoft_sharepoint_ransomware/
- Gunra Ransomware Emerges With New DLS
"AhnLab TIP monitors the current ransomware group activities across dark web forums, marketplaces, and other sources. Through the Live View > Dark Web Watch menu, users can track the most active ransomware groups, uncover their collaborations, and gain insights into planned attacks and techniques—enabling user organizations to anticipate threats, prepare defenses, and prevent damage before it occurs."
https://asec.ahnlab.com/en/89206/
- Uncovering a Stealthy WordPress Backdoor In Mu-Plugins
"Recently, our team uncovered a particularly sneaky piece of malware tucked away in a place many WordPress users don’t even know exists: the mu-plugins folder. In fact, back in March, we saw a similar trend with hidden malware in this very directory, as detailed in our post Hidden Malware Strikes Again: MU-Plugins Under Attack. This current infection was designed to be quiet, persistent, and very hard to spot."
https://blog.sucuri.net/2025/07/uncovering-a-stealthy-wordpress-backdoor-in-mu-plugins.html
https://thehackernews.com/2025/07/hackers-deploy-stealth-backdoor-in.html
https://securityaffairs.com/180311/malware/stealth-backdoor-found-in-wordpress-mu-plugins-folder.html
- AI-Generated Malware In Panda Image Hides Persistent Linux Threat
"The line between human and machine-generated threats is starting to blur. Aqua Nautilus recently uncovered a malware campaign that hints at this unsettling shift. Koske, a sophisticated Linux threat, shows clear signs of AI-assisted development, likely with help from a large language model. With modular payloads, evasive rootkits, and delivery through weaponized image files, Koske represents a new breed of persistent and adaptable malware built for one purpose: cryptomining. It is a warning of what is to come."
https://www.aquasec.com/blog/ai-generated-malware-in-panda-image-hides-persistent-linux-threat/
https://www.bleepingcomputer.com/news/security/new-koske-linux-malware-hides-in-cute-panda-images/
- Unmasking The New Chaos RaaS Group Attacks
"Cisco Talos Incident Response (Talos IR) recently observed attacks by Chaos, a relatively new ransomware-as-a-service (RaaS) group conducting big-game hunting and double extortion attacks. Chaos RaaS actors initiated low-effort spam flooding, escalating to voice-based social engineering for access, followed by RMM tool abuse for persistent connection and legitimate file-sharing software for data exfiltration. The ransomware utilizes multi-threaded rapid selective encryption, anti-analysis techniques, and targets both local and network resources, maximizing impact while hindering detection and recovery. Talos believes the new Chaos ransomware is unrelated to previous Chaos builder-generated variants, as the group uses the same name to create confusion."
https://blog.talosintelligence.com/new-chaos-ransomware/
- Hacker Sneaks Infostealer Malware Into Early Access Steam Game
"A threat actor called EncryptHub has compromised a game on Steam to distribute info-stealing malware to unsuspecting users downloading the title. A few days ago, the hacker (also tracked as Larva-208), injected malicious binaries into the Chemia game files hosted on Steam. Chemia is a survival crafting game from developer ‘Aether Forge Studios,’ which is currently offered as early access on Steam but has no public release date. According to threat intelligence company Prodaft, the initial compromise occurred on July 22, when EncryptHub added to the game files the HijackLoader malware (CVKRUTNP.exe), which establishes persistence on the victim device and downloads the Vidar infostealer (v9d9d.exe)."
https://www.bleepingcomputer.com/news/security/hacker-sneaks-infostealer-malware-into-early-access-steam-game/
- Toptal's GitHub Organization Hijacked: 10 Malicious Packages Published
"Socket's Threat Research Team discovered this exact scenario when 73 repositories in Toptal's GitHub organization went public, with at least 10 of them containing malicious code designed to exfiltrate GitHub authentication tokens and destroy victim systems. Toptal, a global talent network that has served over 25,000 clients across 14+ countries since 2010, maintains the Picasso design system used by developers worldwide."
https://socket.dev/blog/toptal-s-github-organization-hijacked-10-malicious-packages-published
https://www.bleepingcomputer.com/news/security/hackers-breach-toptal-github-account-publish-malicious-npm-packages/
- Gamers, Get Ready: Scammers Disguise Cryptocurrency And Password-Stealing Scavenger Trojans As Cheats And Mods
"Doctor Web’s virus laboratory has detected Trojan.Scavenger—a family of malicious apps that threat actors use to steal confidential data from crypto wallets and password managers from Windows users. Threat actors chain together several trojans from this family, exploiting DLL Search Order Hijacking vulnerabilities to execute their payloads and exfiltrate data."
https://news.drweb.com/show/?i=15036&lng=en
https://hackread.com/scavenger-trojan-crypto-wallets-game-mods-browser-flaws/
- The Dark Side Of Romance: SarangTrap Extortion Campaign
"In recent weeks, our zLabs team uncovered a highly coordinated and emotionally manipulative malware campaign targeting mobile users on both Android and iOS platforms. This extensive campaign involved over 250 malicious Android applications and more than 80 malicious domains, all disguised as legitimate dating and social media applications. Threat actors used these domains to deceive users into installing malware designed to extract sensitive personal data, such as contact lists and private images, all while maintaining a convincing appearance of normalcy. These malicious apps specifically targeted a diverse audience, including dating app users, cloud file service seekers, and car service platforms (see Figure 1)."
https://zimperium.com/blog/the-dark-side-of-romance-sarangtrap-extortion-campaign
https://www.infosecurity-magazine.com/news/malware-campaign-dating-apps/
- Soco404: Multiplatform Cryptomining Campaign Uses Fake Error Pages To Hide Payload
"Wiz Research has identified a new iteration of a broader malicious cryptomining campaign, which we’ve dubbed Soco404 (based on the observed payload name, associated domain, and use of fake error pages). While previous activity tied to this campaign has been documented by Aqua and Imperva as targeting exposed Apache Tomcat services with weak credentials , as well as vulnerable Apache Struts and Atlassian Confluence servers, our investigation uncovered a distinct case in which the attacker also targets exposed PostgreSQL instances and leverages compromised Apache Tomcat servers to host payloads tailored for both Linux and Windows environments. We also found evidence that the attacker is maintaining a broader crypto-scam infrastructure, further suggesting this is part of a long-term, versatile, and opportunistic operation."
https://www.wiz.io/blog/soco404-multiplatform-cryptomining-campaign-uses-fake-error-pages-to-hide-payload
https://www.infosecurity-magazine.com/news/campaign-exploits-cloud/
- Fire Ant: A Deep-Dive Into Hypervisor-Level Espionage
"Since early 2025, Sygnia tracked and responded to incidents attributed to a threat actor we designate Fire Ant. The group demonstrates consistent targeting of virtualization and network infrastructure, using these systems as footholds for initial access, lateral movement, and long-term persistence. Fire Ant’s operations are characterized by infrastructure-centric TTPs, enabling activity beneath the detection threshold of traditional endpoint controls, highlighting critical blind spots of conventional security stacks."
https://www.sygnia.co/blog/fire-ant-a-deep-dive-into-hypervisor-level-espionage/
https://thehackernews.com/2025/07/fire-ant-exploits-vmware-flaw-to.html
https://therecord.media/stealthy-china-spies-fire-ant-virtualization-software
- CastleLoader Malware Infects 469 Devices Using Fake GitHub Repos And ClickFix Phishing
"Cybersecurity researchers have shed light on a new versatile malware loader called CastleLoader that has been put to use in campaigns distributing various information stealers and remote access trojans (RATs). The activity employs Cloudflare-themed ClickFix phishing attacks and fake GitHub repositories opened under the names of legitimate applications, Swiss cybersecurity company PRODAFT said in a report shared with The Hacker News. The malware loader, first observed in the wild earlier this year, has been used to distribute DeerStealer, RedLine, StealC, NetSupport RAT, SectopRAT, and even other loaders like Hijack Loader."
https://thehackernews.com/2025/07/castleloader-malware-infects-469.html
- FBI: Thousands Of People Involved In 'The Com' Targeting Victims With Ransomware, Swatting
"The FBI released a warning on Wednesday about a loosely-organized cybercriminal organization known as The Com that is launching cyberattacks to steal money and gain access to sensitive information. The agency released three bulletins about the group — which is composed primarily of English-speaking minors but has expanded to include thousands of people who engage in a variety of cybercriminal activity. The activities include ransomware attacks, swatting, extortion of minors, the distribution of child sexual abuse material, distributed denial-of-service (DDoS) attacks, SIM Swapping, cryptocurrency theft and more. “The motivations behind the criminal activity vary, but often fall within one of the following: financial gain, retaliation, ideology, sexual gratification, and notoriety,” the FBI said."
https://therecord.media/fbi-the-com-ransomware-swatting-alert
https://www.ic3.gov/PSA/2025/PSA250723-3
https://www.infosecurity-magazine.com/news/fbi-exposes-the-coms/
- Compromised Amazon Q Extension Told AI To Delete Everything – And It Shipped
"The official Amazon Q extension for Visual Studio Code (VS Code) was compromised to include a prompt to wipe the user's home directory and delete all their AWS resources. The bad extension was live on the VS Code marketplace for two days, though it appears that the intent was more to embarrass AWS and expose bad security rather than to cause immediate harm. A commit to the Amazon Q part of the AWS toolkit for VS Code includes a script that downloads an additional file, saved as extensionNode.ts. The source for this file includes a prompt instructing an AI agent to delete all non-hidden files from the user's home directory and then to "discover and use AWS profiles to list and delete cloud resources using AWS CLI commands.""
https://www.theregister.com/2025/07/24/amazon_q_ai_prompt/
https://aws.amazon.com/security/security-bulletins/rss/aws-2025-015/
- ToolShell: An All-You-Can-Eat Buffet For Threat Actors
"On July 19, 2025, Microsoft confirmed that a set of zero-day vulnerabilities in SharePoint Server called ToolShell is being exploited in the wild. ToolShell is comprised of CVE-2025-53770, a remote code execution vulnerability, and CVE‑2025‑53771, a server spoofing vulnerability. These attacks target on-premises Microsoft SharePoint servers, specifically those running SharePoint Subscription Edition, SharePoint 2019, or SharePoint 2016. SharePoint Online in Microsoft 365 is not impacted. Exploiting these vulnerabilities enables threat actors to gain entry to restricted systems and steal sensitive information."
https://www.welivesecurity.com/en/eset-research/toolshell-an-all-you-can-eat-buffet-for-threat-actors/
General News
- Why Outsourcing Cybersecurity Is Rising In The Adriatic Region
"In this Help Net Security interview, Aleksandar Stančin, Board Member Adriatics, Exclusive Networks, discusses the state of cybersecurity in the Adriatic region. He talks about how local markets often lag behind EU regulations, despite facing threats comparable to those in other parts of Europe. While adoption may be slower, progress is underway to strengthen cybersecurity across industries."
https://www.helpnetsecurity.com/2025/07/24/aleksandar-stancin-exclusive-networks-adriatic-region-cybersecurity/
- Your App Is Under Attack Every 3 Minutes
"Application-layer attacks have become one of the most common and consequential methods adversaries use to gain access and compromise organizations, according to Contrast Security. These attacks target the custom code, APIs, and logic that power applications, often slipping past detection tools such as Endpoint Detection and Response (EDR) and network-based defenses such as Web Application Firewalls (WAFs)."
https://www.helpnetsecurity.com/2025/07/24/adversaries-application-layer-attacks/
- BlackSuit Ransomware Extortion Sites Seized In Operation Checkmate
"Law enforcement has seized the dark web extortion sites of the BlackSuit ransomware operation, which has targeted and breached the networks of hundreds of organizations worldwide over the past several years. The U.S. Department of Justice confirmed the takedown in an email earlier today, saying the authorities involved in the action executed a court-authorized seizure of the BlackSuit domains. Earlier today, the websites on the BlackSuit .onion domains were replaced with seizure banners announcing that the ransomware gang's sites were taken down by the U.S. Homeland Security Investigations federal law enforcement agency as part of a joint international action codenamed Operation Checkmate."
https://www.bleepingcomputer.com/news/security/law-enforcement-seizes-blacksuit-ransomware-leak-sites/
- Translating Cyber-Risk For The Boardroom
"Cybersecurity is no longer just a technical problem in today's fast-evolving threat landscape, where cyberattacks are growing more frequent, sophisticated, and publicly damaging. Instead, it's an issue that demands enterprisewide alignment. Yet, many chief information security officers (CISOs) still find themselves speaking a technical language that fails to resonate with other leaders. Technical terms often fall flat in boardrooms more concerned with revenue growth and brand reputation. This disconnect is becoming increasingly risky as cyber incidents now directly affect stock prices, customer trust, and executive job security."
https://www.darkreading.com/cyber-risk/translating-cyber-risk-boardroom
- What Makes Great Threat Intelligence?
"Fast-changing geopolitics is constantly altering the nature of threats, so CISOs must quickly adapt their approach to new risks and sources of intelligence. While the need for high-quality threat intelligence is undeniable, it is a discipline that can sprawl uncontrollably. It also requires a targeted response. Industry analysts at Frost & Sullivan calculated that organizations spent a weighty $1.6 billion on threat intelligence and threat intelligence platforms globally in 2023, and forecast that this figure will increase by a compound annual growth rate of 32.8% until 2028."
https://www.darkreading.com/threat-intelligence/what-makes-great-threat-intelligence
- Cybercrime Forum XSS Returns On Mirror And Dark Web 1 Day After Seizure
"On July 23, 2025, as reported by Hackread.com, the cybercrime community lost one of its oldest and most notorious forums, XSS, after law enforcement authorities seized the site and arrested its suspected administrator in Ukraine. The arrest led to the seizure of the forum’s main domain, XSS.IS, which now displays a notice from Europol, French and Ukrainian authorities. However, the forum’s dark web (.onion) and mirror domains did not show a seizure notice but instead returned a 504 Gateway Timeout error. As of July 24, Hackread.com can confirm that the XSS forum is back online via both its mirror and .onion domains. While it is unclear whether this is a honeypot set up by authorities, one of the forum’s administrators has posted claiming the infrastructure was not affected by the seizure and that a replacement is in progress."
https://hackread.com/cybercrime-forum-xss-returns-mirror-dark-web-seizure/
- AI-Generated Image Watermarks Can Be Easily Removed, Say Researchers
"Now that AI can make fake images that look real, how can we know what’s legitimate and what isn’t? One of the primary ways has been the use of defensive watermarking, which means embedding invisible markers in AI-generated images to show they were made up. Now, researchers have broken that technology. Generative AI isn’t just for writing emails or suggesting recipes. It can generate entire images from scratch. While most people use that for fun (making cartoons of your dog) or practicality (envisioning a woodworking project, say) some use it irresponsibly. One example is creating images that look like real creators’ content (producing an image ‘in the style of’ a particular artist)."
https://www.malwarebytes.com/blog/news/2025/07/ai-generated-image-watermarks-can-be-easily-removed-say-researchers
https://github.com/andrekassis/ai-watermark
https://www.theregister.com/2025/07/24/ai_watermarks_unmarker/
- Email Threat Radar – July 2025
"During July, Barracuda threat analysts identified several notable email-based threats targeting organizations around the world. Many of them leveraged popular phishing-as-a-service (PhaaS) kits."
https://blog.barracuda.com/2025/07/24/email-threat-radar-july-2025
- US Hits Senior North Korean Officials With Sanctions, $3 Million Bounties
"Three senior North Korean officials involved in IT schemes have been sanctioned by the U.S. Treasury Department. Kim Se Un, Jo Kyong Hun and Myong Chol Min are accused of helping North Korea evade U.S. and United Nations sanctions through an IT worker plot that involved tricking companies into hiring North Koreans using stolen identities. U.S. law enforcement action centered on Korea Sobaeksu Trading Company — a North Korean company allegedly used as a front for the country’s Munitions Industry Department, which oversees the DPRK’s nuclear program and is involved in the development of ballistic missiles."
https://therecord.media/us-sanctions-north-korean-officers-it-worker-scheme
https://www.theregister.com/2025/07/24/laptop_farmer_north_korean_it_scam_sentenced/
References
Electronic Transactions Development Agency (ETDA) - The Bullseye On Banks: Why Financial Services Remain a Prime Target For Cyberattacks
-
Cyber Threat Intelligence 24 July 2025
Industrial Sector
- Critical Vulnerabilities Found In Tridium Niagara Framework
"Tridium’s Niagara Framework is a leading software framework designed to connect, manage, and control diverse devices in building management, industrial automation, and smart infrastructure environments. It acts as a middleware platform that enables different systems — such as HVAC, lighting, energy management, and security — to interoperate seamlessly, making it a critical backbone for many internet of things (IoT) technologies across industries worldwide."
https://www.nozominetworks.com/blog/critical-vulnerabilities-found-in-tridium-niagara-framework
https://www.bankinfosecurity.com/honeywell-smart-building-middleware-vulnerable-a-29041
- CISO Conversations: How IT And OT Security Worlds Are Converging
"Dark Reading's Kelly Jackson Higgins interviews Carmine Valente, Deputy CISO at Con Edison, about his role at the New York-based electric utility and the state of IT and OT security. Valente highlights current threats like ransomware and supply chain attacks, as well as the impact of AI on both defense and threats."
https://www.darkreading.com/ics-ot-security/ciso-conversations-convergence-of-it-and-ot-security
New Tooling
- Cervantes: Open-Source, Collaborative Platform For Pentesters And Red Teams
"Cervantes is an open-source collaborative platform built for pentesters and red teams. It offers a centralized workspace to manage projects, clients, vulnerabilities, and reports, all in one place. By streamlining data organization and team coordination, it helps reduce the time and complexity involved in planning and executing penetration tests. As an open-source solution under the OWASP umbrella, it understands the specific needs of penetration testers from managing targets to organizing vulnerabilities, proof-of-concepts and remediation recommendations."
https://www.helpnetsecurity.com/2025/07/23/cervantes-open-source-collaborative-platform-pentesters-red-teams/
https://github.com/CervantesSec/cervantes
Vulnerabilities
- Critical Vulnerabilities Patched In Sophos Firewall
"Sophos this week announced the rollout of patches for five vulnerabilities in Sophos Firewall that could lead to remote code execution (RCE). The first issue, tracked as CVE-2025-6704 (CVSS score of 9.8), is a critical arbitrary file writing flaw in the Secure PDF eXchange (SPX) feature of the appliance that could allow remote, unauthenticated attackers to execute arbitrary code. According to Sophos’s advisory, the bug impacts only a fraction of firewall deployments, as it can only be triggered if a specific configuration of SPX is enabled and if the firewall is running in High Availability (HA) mode."
https://www.securityweek.com/critical-vulnerabilities-patched-in-sophos-firewall/
https://www.sophos.com/en-us/security-advisories/sophos-sa-20250721-sfos-rce
https://securityaffairs.com/180283/security/sophos-addressed-five-sophos-firewall-vulnerabilities.html
- High-Severity Flaws Patched In Chrome, Firefox
"Google and Mozilla on Tuesday announced a fresh round of updates for Chrome and Firefox, including patches for several high-severity memory safety vulnerabilities. The newly announced Chrome 138 refresh is the third since the browser version was promoted to the stable channel. The previous updates Google rolled out resolved two exploited zero-days, namely CVE-2025-6558 and CVE-2025-6554. On Tuesday, Chrome received patches for three security defects, including two reported by security researcher Shaheen Fazim earlier this month. The two flaws, tracked as CVE-2025-8010 and CVE-2025-8011, are high-severity type confusion issues impacting the browser’s V8 JavaScript engine."
https://www.securityweek.com/high-severity-flaws-patched-in-chrome-firefox/
Malware
- Malicious LNK Disguised As Credit Card Security Email Authentication Pop-Up
"AhnLab Security intelligence Center (ASEC) has recently identified a case where a malicious LNK file is disguised as the credit card security email authentication pop-up to steal user information. The identified malicious LNK file has the following file name, disguising itself as the credit card company."
https://asec.ahnlab.com/en/89156/
- China Warns Citizens To Beware Backdoored Devices, On Land And Under The Sea
"China’s Ministry of State Security has spent the week warning of backdoored devices on land and at sea. On Monday, the Ministry used its WeChat channel to publish a lengthy warning about backdoors in devices and supply chain attacks on software. The post explains that some developers and manufacturers install backdoors as innocent tools to allow maintenance, but that criminals later use them for nefarious purposes."
https://www.theregister.com/2025/07/23/china_backdoor_alerts/
- Signed, Sealed, Altered? Deepdive Into PDF Tempering
"PDFs are ubiquitous in today’s digital world. We trust them for important documents, contracts, and records. But what if the seemingly official PDF wasn’t what it appeared to be? The reality is, PDF files can be manipulated, and forgery is more common than you might think."
https://www.group-ib.com/blog/pdf-tempering/
- Npm ‘is’ Package Hijacked In Expanding Supply Chain Attack
"In the wake of the npm phishing campaign we reported on last Friday, which began with a typosquatted domain (npnjs[.]com) targeting developers, the situation has continued to escalate. Notably, This Week in React curator Sébastien Lorber pointed out that spoofed emails from npmjs.org slipped through due to missing DMARC and SPF records on the .org domain. Shortly after our initial warning, we alerted developers about popular compromised packages like eslint-config-prettier and eslint-plugin-prettier, which were published using stolen maintainer credentials."
https://socket.dev/blog/npm-is-package-hijacked-in-expanding-supply-chain-attack
https://www.bleepingcomputer.com/news/security/npm-package-is-with-28m-weekly-downloads-infected-devs-with-malware/
- Stopping Ransomware: How a Hybrid Mesh Architecture Disrupts The Attack Chain Part Three
"In parts one and two, we explored the ransomware attack chain, the shortcomings of fragmented defenses, and the advantages of a unified hybrid mesh approach. In part three, Pete Nicoletti joins us to share practical steps CISOs can take right now to start building a hybrid mesh architecture that effectively counters ransomware threats. Finally, we outline Check Point’s vision and strategy for delivering Hybrid Mesh Security."
https://blog.checkpoint.com/security/stopping-ransomware-how-a-hybrid-mesh-architecture-disrupts-the-attack-chain-part-three/
- Fake Zoom Call Lures For Zoom Workplace Credentials
"We’ve all been there — technical mishaps in a Zoom meeting that have you scrambling to rejoin. But what if that connection issue wasn’t real? The Cofense Phishing Defense Center (PDC) recently observed a new phishing campaign in which threat actors are leveraging these exact problems to harvest credentials of users via a Zoom-themed attack. Here’s how it works."
https://cofense.com/blog/fake-zoom-call-lures-for-zoom-workplace-credentials
- No Tell Motel: Trustwave Exposes The Secrets Of Dark Web Travel Agencies
"Dark web travel agencies have emerged as one of the more sophisticated and lucrative operations within the underground economy. As mentioned in the Wall Street Journal's coverage of Trustwave’s research, these shadowy enterprises offer dramatically discounted flights, luxury hotel stays, rental vehicles, and entire vacation packages, all facilitated through stolen credit card information, compromised loyalty program accounts, and forged identification documents. However, what might appear to some to be cheap travel deals, are in fact the final link in a chain of digital crime."
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/no-tell-motel-trustwave-exposes-the-secrets-of-dark-web-travel-agencies/
https://www.darkreading.com/remote-workforce/dark-web-hackers-moonlight-travel-agents
- Phishing Campaign Imitating U.S. Department Of Education (G5)
"PreCrimeLabs, the threat research team at BforeAI, identifies a phishing campaign currently targeting the U.S. Department of Education’s G5 portal, which is used for managing grants and federal education funding. Multiple lookalike domains have been observed spoofing the G5 login page in an attempt to harvest login credentials from legitimate users. These domains attempt to clone or imitate the official G5.gov interface and may be targeting education professionals, grant administrators, or vendors tied to the U.S. Department of Education. This activity is particularly alarming given the recent Trump Administration announcement of 1,400 layoffs at the Department of Education, which may create confusion and an opportunity for social engineering."
https://bfore.ai/report/phishing-campaign-imitating-united-states-department-of-education-g5/
https://www.darkreading.com/threat-intelligence/department-of-education-site-phishing-scheme
https://www.helpnetsecurity.com/2025/07/23/us-education-department-phishing-g5/
- A Special Mission To Nowhere
"On June 13, 2025, Israel launched a sweeping pre-emptive operation targeting Iran’s military leadership, conventional military sites, air defenses, and nuclear infrastructure. The campaign was dubbed Operation Rising Lion by the Israeli government and military. Last month, Fortinet published a blog detailing the new realities of cyber warfare highlighted by this recent conflict. What followed was a 12-day exchange of strikes and counterstrikes between the two countries, resulting in significant damage and widespread fear and uncertainty among civilians caught in the middle. Following US involvement through Operation Midnight Hammer, a ceasefire was announced and has so far been maintained."
https://www.fortinet.com/blog/threat-research/a-special-mission-to-nowhere
- Illusory Wishes: China-Nexus APT Targets The Tibetan Community
"In June 2025, Zscaler ThreatLabz collaborated with TibCERT to investigate two cyberattack campaigns targeting the Tibetan community. Our analysis linked these attacks, dubbed Operation GhostChat and Operation PhantomPrayers, to a China-nexus APT group, which capitalized on increased online activity around the Dalai Lama's 90th birthday to distribute malware in multi-stage attacks. In this blog post, we outline how the attackers compromised a legitimate website, redirecting users via a malicious link and ultimately installing either the Ghost RAT or PhantomNet (SManager) backdoor onto victim systems."
https://www.zscaler.com/blogs/security-research/illusory-wishes-china-nexus-apt-targets-tibetan-community
- Beyond Mimo’lette: Tracking Mimo's Expansion To Magento CMS And Docker
"Through investigations into a string of workload compromises involving ecommerce sites, the Datadog Security Research team discovered that the Mimo threat actor (also known as Mimo'lette), previously known for targeting the Craft content management system (CMS), has evolved its tactics to compromise the Magento ecommerce CMS platform through exploitation of an undetermined PHP-FPM vulnerability. In one instance, over a multi-day operation, we observed a threat actor employing sophisticated persistence mechanisms and evasion techniques. Based on these observables, IoCs, and activity described by Sekoia, we were able to attribute this intrusion to Mimo."
https://securitylabs.datadoghq.com/articles/beyond-mimolette-tracking-mimo-expansion-magento-cms-docker/
https://thehackernews.com/2025/07/threat-actor-mimo-targets-magento-and.html
Breaches/Hacks/Leaks
- US Nuclear Weapons Agency Hacked In Microsoft SharePoint Attacks
"Unknown threat actors have breached the National Nuclear Security Administration's network in attacks exploiting a recently patched Microsoft SharePoint zero-day vulnerability chain. NNSA is a semi-autonomous U.S. government agency part of the Energy Department that maintains the country's nuclear weapons stockpile and is also tasked with responding to nuclear and radiological emergencies within the United States and abroad. A Department of Energy spokesperson confirmed in a statement that hackers gained access to NNSA networks last week."
https://www.bleepingcomputer.com/news/security/us-nuclear-weapons-agency-hacked-in-microsoft-sharepoint-attacks/
https://www.darkreading.com/cyberattacks-data-breaches/us-nuclear-agency-hacked-microsoft-sharepoint
https://www.bankinfosecurity.com/us-nuclear-agency-breach-tied-to-sharepoint-zero-days-a-29037
- Another Medical Practice Closes Its Doors After Cyberattack
"Another small medical care provider has shut its doors forever as the result of a recent "devastating" cyberattack and data theft. Georgia-based Ascension Health Services LLC - which did business as Alpha Wellness & Alpha Medical Centre - decided to permanently pull the plug on its operations in April following an attack allegedly carried out by cybercriminal gang RansomHub, which lists the practices as a victim on its darkweb site. Alpha Medical Centre and Wellness on July 8 reported to the U.S. Department of Health and Human Services a HIPAA breach involving a hacking/IT incident on a network server, which affected 1,714 individuals."
https://www.bankinfosecurity.com/another-medical-practice-closes-its-doors-after-cyberattack-a-29034
- France: New Data Breach Could Affect 340,000 Jobseekers
"The French employment agency, France Travail, has suffered a data breach that could affect hundreds of thousands of jobseekers. The agency sent an email to its users on July 22, warning them of a data breach that was detected on July 13 on its “employment” portal, which is used by its partners. The breach could have exposed personal data of 340,000 users, including names, postal and email addresses, phone numbers, France Travail identifiers and jobseeker statuses. The agency assured that users’ passwords and bank details are not affected."
https://www.infosecurity-magazine.com/news/france-data-breach-jobseekers/
General News
- Phishing Simulations: What Works And What Doesn’t
"Phishing is one of the oldest and most effective scams used by cybercriminals. No one is immune to them, not even internet security experts, as seen in the case of Troy Hunt, who recently fell for a phishing email. Before AI became mainstream, phishing emails often gave themselves away. They were full of grammar mistakes and awkward wording, making them easier to spot. That’s changed. Today’s phishing attacks are much more convincing, often looking just like real messages."
https://www.helpnetsecurity.com/2025/07/23/phishing-simulations-effectiveness-in-organizations/
- Ports Are Getting Smarter And More Hackable
"A new policy brief from NATO’s Cooperative Cyber Defence Centre of Excellence (CCDCOE) warns that critical port infrastructure, responsible for 80 percent of global trade, is increasingly under attack by threat actors tied to Russia, Iran, and China. These ports are essential to national economies and serve as key hubs in NATO’s logistics network. Many remain under civilian control with limited integration into military cybersecurity strategies, leaving serious gaps in defence coordination."
https://www.helpnetsecurity.com/2025/07/23/ccdcoe-maritime-port-cyber-attacks/
- The Fraud Trends Shaping 2025: Pressure Builds On Online Retailers
"Fraud is growing faster than revenue in eCommerce. That’s one of the first things PwC and Forter point out in their new report, and it’s a wake-up call for online retailers. Right now, eCommerce leaders are dealing with a mix of challenges: economic ups and downs, political uncertainty, more cyber threats, and new fraud rules kicking in on 1st September. The report focuses on what’s happening outside the business. These are things that fraud teams can’t always control but need to prepare for. The idea is to give retailers a picture of where fraud is coming from and what’s pushing it forward."
https://www.helpnetsecurity.com/2025/07/23/biggest-fraud-trends-2025/
- Global Ransomware Attacks Plummet 43% In Q2 2025
"Ransomware attacks fell by 43% globally in Q2 2025 compared to Q1, with law enforcement actions and internal conflicts having a major impact on the threat landscape, according to new findings from NCC Group. A total of 1180 attacks were recorded from April to June, which compares to 2074 attacks in Q1. The firm also observed that claimed ransomware attacks fell for the fourth consecutive month in June 2025, down by 6% from May to 371. The slowdown in Q2 followed a dramatic rise in attacks in the first three months of the year, which was driven by aggressive campaigns from dominant groups such as Clop, RansomHub and Akira."
https://www.infosecurity-magazine.com/news/ransomware-attacks-plummet-q2/
- Ukraine Arrests Suspected Admin Of XSS Russian Hacking Forum
"The suspected administrator of the Russian-speaking hacking forum XSS.is was arrested by the Ukrainian authorities yesterday at the request of the Paris public prosecutor's office. XSS.is is a Russian-speaking cybercrime forum that has been active since 2013 and is widely regarded as one of the major online hubs for cybercriminal activity, with over 50,000 registered users. The platform was used to sell malware, access to compromised systems, advertise ransomware-as-a-service (RaaS) platforms, and discuss illegal activities."
https://www.bleepingcomputer.com/news/security/ukraine-arrests-suspected-admin-of-xss-russian-hacking-forum/
https://therecord.media/suspected-xss-cybercrime-marketplace-admin-arrested
https://cyberscoop.com/xss-cybercrime-forum-admin-arrest/
https://www.infosecurity-magazine.com/news/suspected-xss-forum-admin-arrested/
https://hackread.com/suspected-xss-is-admin-cybercrime-forum-arrest-ukraine/
https://hackread.com/xss-is-cybercrime-forum-seized-ukraine-arrested-admin/
https://www.securityweek.com/france-says-administrator-of-cybercrime-forum-xss-arrested-in-ukraine/
https://securityaffairs.com/180278/cyber-crime/french-authorities-confirm-xss-is-admin-arrested-in-ukraine.html
https://www.helpnetsecurity.com/2025/07/23/europol-cybercrime-operation-xss-is-admin-arrest/
- Cyber First Responders: Once More Unto The Breach
"When disaster strikes, most people think of fire trucks, ambulances and emergency broadcast alerts. They don't picture a cybersecurity analyst rerouting traffic through a backup server. They don't imagine a SOC team scanning logs in the middle of the night while a hurricane makes landfall. They rarely need to think about how many lives depend on the stability and security of digital infrastructure."
https://www.bankinfosecurity.com/blogs/cyber-first-responders-once-more-unto-breach-p-3917
- Chinese Hackers' Evolution From Vandals To Strategists
"Chinese nation-state hackers share tools. Their techniques overlap. Observers of the Sino hacking scene can trace a web of intersecting contractors and businesses that underpin campaigns such as the hacking of U.S. telecoms by Salt Typhoon. There may be an even more fundamental reason why Beijing-linked cyber operations show recurring patterns: a group of 40 hackers who came up together in the "patriotic hacking" scene in the late 1990s and early 2000s, "whose leadership, technical skills and entrepreneurial ventures had a lasting impact on China's cybersecurity ecosystem," posits a study from Eugenio Benincasa, a senior security researcher at ETH Zurich."
https://www.bankinfosecurity.com/chinese-hackers-evolution-from-vandals-to-strategists-a-29033
https://www.research-collection.ethz.ch/handle/20.500.11850/743657
- Stop AI Bot Traffic: Protecting Your Organization's Website
"When Internet users are online shopping, paying their bills, or Googling answers to their questions, what they may not realize is there are others perusing the same website they are on. The difference between them is that while some may be human, others often are not. According to Imperva's "2024 Bad Bot Report," for the first time in a decade, automated traffic surpassed human activity online, accounting for 51% of all Web traffic last year. Compared with 2023, in which malicious bots made up for 32% of Internet traffic, this number has risen to 37% in 2025."
https://www.darkreading.com/threat-intelligence/stop-ai-bot-traffic-protecting-organizations
- Should We Trust AI? Three Approaches To AI Fallibility
"The promise of agentic AI is compelling: increased operational speed, increased automation, and lower operational costs. But have we ever paused to seriously ask the question: can we trust this thing? Agentic AI is a class of large language model (LLM) AI that can respond to inputs, set its own goals, and interact with other tools to achieve those goals – without necessarily requiring human intervention. Such tools are generally built on top of major generative AI (gen-AI) models typified by ChatGPT; so, before asking if we can trust agentic AI, we should ask if we can trust gen-AI."
https://www.securityweek.com/should-we-trust-ai-three-approaches-to-ai-fallibility/
References
Electronic Transactions Development Agency (ETDA) - Critical Vulnerabilities Found In Tridium Niagara Framework
-
Cisco warns that a maximum-severity ISE RCE vulnerability is being exploited in attacks
-
FBI and CISA warn of escalating Interlock ransomware attacks targeting critical infrastructure