You can follow the news on the webboard or the NCSA Thailand Facebook page.
- Adobe releases patches fixing more than 39 vulnerabilities across multiple products
- Ivanti releases patches for critical vulnerabilities in EPMM amid concerns over Remote Code Execution attacks
Cyber Threat Intelligence 15 May 2025
Energy Sector
- Insight: Rogue Communication Devices Found In Chinese Solar Power Inverters
"U.S. energy officials are reassessing the risk posed by Chinese-made devices that play a critical role in renewable energy infrastructure after unexplained communication equipment was found inside some of them, two people familiar with the matter said. Power inverters, which are predominantly produced in China, are used throughout the world to connect solar panels and wind turbines to electricity grids. They are also found in batteries, heat pumps and electric vehicle chargers."
https://www.reuters.com/sustainability/climate-energy/ghost-machine-rogue-communication-devices-found-chinese-inverters-2025-05-14/
https://www.bangkokpost.com/world/3025432/ghost-in-the-machine-rogue-communication-devices-found-in-chinese-inverters
Industrial Sector
- ICS Patch Tuesday: Vulnerabilities Addressed By Siemens, Schneider, Phoenix Contact
"Industrial giants Siemens, Schneider Electric and Phoenix Contact have released ICS security advisories on the May 2025 Patch Tuesday. The cybersecurity agencies CISA and CERT@VDE have also published advisories. While most of the vulnerabilities described in the advisories have been patched, only mitigations and workarounds are currently available for some of the flaws. Siemens has published 18 new advisories, including four that cover critical-severity vulnerabilities. One of them describes an authentication bypass issue in the Redfish interface of the BMC controller used by Simatic industrial PCs. The flaw was disclosed by firmware security company Eclypsium in March."
https://www.securityweek.com/ics-patch-tuesday-vulnerabilities-addressed-by-siemens-schneider-phoenix-contact/
New Tooling
- Cerbos: Open-Source, Scalable Authorization Solution
"Cerbos is an open-source solution designed to simplify and modernize access control for cloud-native, microservice-based applications. Instead of hardcoding authorization logic into your application, Cerbos lets you write flexible, context-aware access policies using a YAML syntax. These policies are managed separately from your app and evaluated via simple API requests to Cerbos’ Policy Decision Point (PDP)."
https://www.helpnetsecurity.com/2025/05/14/cerbos-open-source-scalable-authorization-solution/
https://github.com/cerbos/cerbos
Vulnerabilities
- Samsung Patches CVE-2025-4632 Used To Deploy Mirai Botnet Via MagicINFO 9 Exploit
"Samsung has released software updates to address a critical security flaw in MagicINFO 9 Server that has been actively exploited in the wild. The vulnerability, tracked as CVE-2025-4632 (CVSS score: 9.8), has been described as a path traversal flaw. "Improper limitation of a pathname to a restricted directory vulnerability in Samsung MagicINFO 9 Server version before 21.1052 allows attackers to write arbitrary files as system authority," according to an advisory for the flaw."
https://thehackernews.com/2025/05/samsung-patches-cve-2025-4632-used-to.html
https://www.cve.org/CVERecord?id=CVE-2025-4632
https://www.huntress.com/blog/post-exploitation-activities-observed-from-samsung-magicinfo-9-server-flaw
- Vulnerabilities Patched By Juniper, VMware And Zoom
"Juniper Networks, VMware, and Zoom have published a total of ten security advisories describing dozens of vulnerabilities patched across their product portfolios. Juniper on Tuesday announced fixes for nearly 90 bugs in third-party dependencies in Secure Analytics, the virtual appliance that collects security events from network devices, endpoints, and applications. Patches for these issues, most of which were disclosed last year, were included in Secure Analytics version 7.5.0 UP11 IF03. Some of the flaws are dated 2016, 2019, and 2020, and three of them are rated ‘critical severity’."
https://www.securityweek.com/vulnerabilities-patched-by-juniper-vmware-and-zoom/
- CISA Adds One Known Exploited Vulnerability To Catalog
"CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
CVE-2025-32756 Fortinet Multiple Products Stack-Based Buffer Overflow Vulnerability"
https://www.cisa.gov/news-events/alerts/2025/05/14/cisa-adds-one-known-exploited-vulnerability-catalog
- Chipmaker Patch Tuesday: Intel, AMD, Arm Respond To New CPU Attacks
"Chip giants Intel, AMD and Arm each published Patch Tuesday security advisories to inform customers about vulnerabilities found recently in their products, including ones related to newly disclosed CPU attacks. One of the CPU attacks was disclosed this week by researchers at Swiss university ETH Zurich. The researchers discovered a branch privilege injection issue, tracked as CVE-2024-45332, that they claim “brings back the full might of branch target injection attacks (Spectre-BTI) on Intel”. The researchers claim that while Intel’s Spectre-BTI (aka Spectre v2) mitigations have worked for nearly six years, they have now found a way to break them due to a race condition impacting Intel CPUs."
https://www.securityweek.com/chipmaker-patch-tuesday-intel-amd-arm-respond-to-new-cpu-attacks/
Malware
- Hackers Behind UK Retail Attacks Now Targeting US Companies
"Google warned today that hackers using Scattered Spider tactics against retail chains in the United Kingdom have also started targeting retailers in the United States. "The US retail sector is currently being targeted in ransomware and extortion operations that we suspect are linked to UNC3944, also known as Scattered Spider," John Hultquist, Chief Analyst at Google Threat Intelligence Group, told BleepingComputer. "The actor, which has reportedly targeted retail in the UK following a long hiatus, has a history of focusing their efforts on a single sector at a time, and we anticipate they will continue to target the sector in the near term. US retailers should take note.""
https://www.bleepingcomputer.com/news/security/google-scattered-spider-switches-targets-to-us-retail-chains/
https://therecord.media/scattered-spider-suspected-retail-hackers-google-alert
- Ransomware Gangs Join Ongoing SAP NetWeaver Attacks
"Ransomware gangs have joined ongoing SAP NetWeaver attacks, exploiting a maximum-severity vulnerability that allows threat actors to gain remote code execution on vulnerable servers. SAP released emergency patches on April 24 to address this NetWeaver Visual Composer unauthenticated file upload security flaw (CVE-2025-31324), days after it was first tagged by cybersecurity company ReliaQuest as targeted in the wild. Successful exploitation lets threat actors upload malicious files without requiring login credentials, potentially leading to complete system compromise."
https://www.bleepingcomputer.com/news/security/ransomware-gangs-join-ongoing-sap-netweaver-attacks/
https://thehackernews.com/2025/05/bianlian-and-ransomexx-exploit-sap.html
- North Korea’s Hidden IT Workforce Exposed In New Report
"A cybersecurity firm is shedding light on how North Korea built an international cybercrime scheme involving fake information technology workers hired by major global businesses that siphon money to the Hermit kingdom and help fund its military ambitions. A report from DTEX shows that North Korean operatives, driven by survival rather than ideology, are trained from childhood to become military cyber agents or covert IT contractors. Researchers identified two operatives living in Russia using the falsified identities "Naoki Murano" and "Jenson Collins," each suspected of infiltrating Western firms and linked to a $6 million cryptocurrency heist."
https://www.bankinfosecurity.com/north-koreas-hidden-workforce-exposed-in-new-report-a-28401
https://dd80b675424c132b90b3-e48385e382d2e5d17821a5e1d8e4c86b.ssl.cf1.rackcdn.com/external/dtex-exposingdprkcybersyndicateandhiddenitworkforce.pdf
- Excel(ent) Obfuscation: Regex Gone Rogue
"Microsoft Office-based attacks have long been a favored tactic amongst cybercriminals— and for good reason. Attackers frequently use Office documents in cyberattacks because they are widely trusted. These files, such as Word or Excel docs, are commonly exchanged in business and personal settings. They are also capable of carrying hidden malicious code, embedded macros, and external links that execute code when opened, especially if users are tricked into enabling features like macros. Moreover, Office documents support advanced techniques like remote template injection, obfuscated macros, and legacy features like Excel 4.0 macros. These allow attackers to bypass antivirus detection and trigger multi-stage payloads such as ransomware or information-stealing malware."
https://www.deepinstinct.com/blog/excellent-obfuscation-regex-gone-rogue
- Diving Into The Talent Pool – Threat Actors Target Job Seekers With Complex Recruitment Scams
"Are you in the market for a new job? Talent scouts aren’t the only ones aggressively recruiting. Netcraft has observed a recent spike in recruitment scams, uncovering significant impact from three unique adversaries, each leveraging different tactics to target job seekers:"
https://www.netcraft.com/blog/diving-into-the-talent-pool-threat-actors-target-job-seekers-with-complex-recruitment-scams/
https://hackread.com/job-seekers-targeted-scammers-government-whatsapp/
- Sit, Fetch, Steal - Chihuahua Stealer: A New Breed Of Infostealer
"Chihuahua Stealer is a newly discovered .NET-based infostealer that blends common malware techniques with unusually advanced features. It first came to our attention through a Reddit post made on April 9, where a user shared an obfuscated PowerShell script that they were tricked into executing via a Google Drive document. If this sounds vaguely familiar: You are not wrong - we have seen similar things in a fake recruiting campaign, and we also wrote about this. The script uses multi-stage payloads, achieving persistence through scheduled tasks and leading to the execution of the main stealer payload. This blog article breaks down each stage of the attack chain, beginning with the initial delivery method and ending in encrypted data exfiltration."
https://www.gdatasoftware.com/blog/2025/05/38199-chihuahua-infostealer
https://www.infosecurity-magazine.com/news/chihuahua-stealer-browser-crypto/
- Technical Analysis Of TransferLoader
"Zscaler ThreatLabz has identified a new malware loader that we have named TransferLoader, which has been active since at least February 2025. ThreatLabz has identified three different components (a downloader, a backdoor, and a specialized loader for the backdoor) embedded in TransferLoader binaries. In addition, ThreatLabz has observed TransferLoader being used to deliver Morpheus ransomware. All components of TransferLoader share similarities including various anti-analysis techniques and code obfuscation."
https://www.zscaler.com/blogs/security-research/technical-analysis-transferloader
- The SOC Case Files: Python-Armed Ransomware Gang Reemerges To Face a Wall Of XDR Defenses
"Barracuda’s Managed XDR team recently contained a suspected ransomware attack where the attackers had gained access to a company’s network before it installed XDR, compromising several Windows machines and an administrator account. By the time the attackers returned to complete the attack, a suite of Barracuda Managed XDR solutions was in place — able to track, contain and neutralize the attack."
https://blog.barracuda.com/2025/05/14/soc-case-files-python-armed-ransomware-gang-reemerges
- Xinbi: The $8 Billion Colorado-Incorporated Marketplace For Pig-Butchering Scammers And North Korean Hackers
"Some of the earliest large-scale adopters of cryptocurrency were illicit online marketplaces such as the Silk Road and Alphabay. These darknet markets were accessed through Tor, the anonymous web browser. More recently, illicit marketplaces have transitioned to operating through the instant messaging app Telegram, which provides access to over a billion potential customers. In July 2024 Elliptic exposed one such Telegram-based market, known as Huione Guarantee, which sells goods and services to fraudsters in South East Asia, including those responsible for so-called “pig butchering” scams. Merchants on Huione Guarantee sell the key tools needed to perpetrate online fraud, including technology, personal data and money laundering services. With transactions totaling at least $27 billion (all in Tether’s USDT stablecoin), it is the largest illicit online marketplace to have ever operated."
https://www.elliptic.co/blog/xinbi-guarantee
https://thehackernews.com/2025/05/xinbi-telegram-market-tied-to-84b-in.html
- Meta Mirage
"Meta Mirage is a global phishing campaign targeting Meta Business Suite users with the intent to compromise high-value assets like verified brand pages, ad accounts, and administrator access. Unlike generic scams, this operation simulates Meta’s interface using over 14,000 phishing URLs and 24+ custom templates. Many of these phishing URLs are hosted on trusted cloud platforms such as GitHub Pages and Vercel, adding a layer of false legitimacy to the attacks. By combining fake policy violation alerts, session hijacking techniques, and third-party exfiltration services, Meta Mirage reflects a sophisticated abuse of trust at scale. This makes the campaign a serious threat to digital brand owners and businesses, as it manipulates victims into revealing critical credentials and session data."
https://www.ctm360.com/reports/meta-mirage-report
https://thehackernews.com/2025/05/ctm360-identifies-surge-in-phishing.html
- DarkCloud Stealer: Comprehensive Analysis Of a New Attack Chain That Employs AutoIt
"In January 2025, Unit 42 researchers identified a series of attacks distributing DarkCloud Stealer. The latest attack chain incorporated AutoIt to evade detection and used a file-sharing server to host the malware. This article explores the chain of events from these recent campaigns and analyzes the characteristics of these attacks. DarkCloud employs multi-stage payloads and obfuscated AutoIt scripting, making its detection challenging with traditional signature-based methods. Its ability to extract sensitive data and establish command and control (C2) communications highlights the importance of thorough detection and assessment."
https://unit42.paloaltonetworks.com/darkcloud-stealer-and-obfuscated-autoit-scripting/
- Unveiling Swan Vector APT Targeting Taiwan And Japan With Varied DLL Implants
"Seqrite Labs APT-Team has recently uncovered a campaign which we have termed Swan Vector, that has been targeting nations across the East China Sea such as Taiwan and Japan. The campaign is aimed at educational institutes and the mechanical engineering industry, with lures aiming to deliver a fake resume of candidates which acts as a decoy. The entire malware ecosystem involved in this campaign comprises a total of four stages, the first being a malicious LNK; the second stage involves the shortcut file executing the DLL implant Pterois via a very well-known LOLBin. It uses stealthy methods to execute and download the third stage containing multiple files, including a legitimate Windows executable that is further used to execute another implant, Isurus, via DLL-Sideloading. This further executes the fourth stage, that is the malicious Cobalt Strike shellcode downloaded by Pterois."
https://www.seqrite.com/blog/swan-vector-apt-targeting-taiwan-japan-dll-implants/
Breaches/Hacks/Leaks
- Australian Human Rights Commission Leaks Docs To Search Engines
"The Australian Human Rights Commission (AHRC) disclosed a data breach incident where private documents leaked online and were indexed by major search engines. Many of the hundreds of documents exposed online contained private, sensitive information, like names, contact information, health details, schooling, religion, employment info, and photographs. AHRC is an independent statutory body established by the Australian Government, with the primary role of promoting and protecting human rights in the country."
https://www.bleepingcomputer.com/news/security/australian-human-rights-commission-leaks-docs-to-search-engines/
- Steel Giant Nucor Corporation Facing Disruptions After Cyberattack
"A cybersecurity incident on Nucor Corporation's systems, the largest steel producer in the U.S., forced the company to take offline parts of its networks and implement containment measures. The incident caused the company to temporarily suspend production at multiple locations, although the full impact on Nucor’s business remains unclear. Nucor is a major steel producer in the U.S. and scrap recycler in North America. It is a primary supplier of reinforcing bar that is used extensively in the country’s buildings, bridges, roads, and infrastructure."
https://www.bleepingcomputer.com/news/security/steel-giant-nucor-corporation-facing-disruptions-after-cyberattack/
https://therecord.media/cyber-incident-forces-nucor-steel-to-take-systems-offline
https://www.theregister.com/2025/05/14/nucor_steel_attack/
- Fashion Giant Dior Discloses Cyberattack, Warns Of Data Breach
"House of Dior, the French luxury fashion brand commonly referred to as Dior, has disclosed a cybersecurity incident that has exposed customer information. A spokesperson for the firm told BleepingComputer that the incident impacts Dior Fashion and Accessories customers. Currently, cybersecurity experts are investigating the incident to determine its scope. “The House of Dior recently discovered that an unauthorized external party accessed some of the data we hold for our Dior Fashion and Accessories customers,” stated the spokesperson."
https://www.bleepingcomputer.com/news/security/fashion-giant-dior-discloses-cyberattack-warns-of-data-breach/
- Nova Scotia Power Says Customer Banking Details May Have Been Stolen By Hackers
"Nova Scotia’s largest electric utility said Wednesday that hackers stole sensitive information from customers in a recent cyberattack. Nova Scotia Power and its Halifax-based parent company Emera discovered on April 25 that an intruder had gained access to parts of its network, prompting the companies to isolate the affected servers. In an update on Wednesday, Nova Scotia Power said it is still investigating the incident and working to rebuild “impacted systems.” It determined that on March 19, more than a month before discovering the intrusion, customer information was accessed and stolen."
https://therecord.media/nova-scotia-power-data-breach-notice
- Alabama State Government Says Cyber Incident’s Effects Are Limited, But Response Continues
"Alabama’s technology office says a “cybersecurity event” first discovered May 9 has not caused major disruptions to state services, but incident responders are still working around the clock to contain its effects. In an update posted Tuesday, the Office of Information Technology (OIT) said it has called in two incident response teams from third-party firms, “maintaining 24 hours-a-day, 7 days-a-week mitigation activities as technical specialists work extended shifts to ensure a continuous, uninterrupted response to this event.”"
https://therecord.media/alabama-state-government-cyber-incident
General News
- Insider Risk Management Needs a Human Strategy
"Insider risk is not just about bad actors. Most of the time, it’s about mistakes. Someone sends a sensitive file to the wrong address, or uploads a document to their personal cloud to work from home. In many cases, there is no ill intent, since many insider incidents are caused by negligence, not malice. Still, malicious insiders can be devastating. Some steal intellectual property, others are bribed or pressured by outside groups to plant ransomware, exfiltrate trade secrets, or shut down operations. The impact of insider risk is being felt across an organization and is no longer limited to the cybersecurity team. 86% say an insider event would impact company culture, according to Code42."
https://www.helpnetsecurity.com/2025/05/14/insider-risk-management-human-strategy/
- Ransomware Spreads Faster, Not Smarter
"The fall of two of the most dominant ransomware syndicates, LockBit and AlphV, triggered a power vacuum across the cybercriminal landscape, according to a Black Kite survey. In their place, dozens of new actors emerged, many of them lacking the infrastructure, discipline, or credibility of their predecessors. The result was a surge in attack volume, a decline in coordination, and growing unpredictability in how, where, and why attacks occur."
https://www.helpnetsecurity.com/2025/05/14/ransomware-landscape-shift-2025/
- April 2025 Threat Trend Report On Ransomware
"This report provides statistics on the number of new ransomware samples collected, the number of affected systems, and affected companies in April 2025, as well as key ransomware issues in and out of Korea. Below is a summary of the report. Disclaimer: The number of ransomware samples and damaged systems is based on the detection names assigned by AhnLab, and statistics on targeted companies are based on the information published on the dedicated leak sites (DLS) of the ransomware group, also referred to as ransomware PR sites or PR pages, collected by the ATIP infrastructure over time."
https://asec.ahnlab.com/en/87946/
- April 2025 Threat Trend Report On APT Attacks (South Korea)
"AhnLab is monitoring Advanced Persistent Threat (APT) attacks in South Korea using its own infrastructure. This report covers the classification, statistics, and functions of APT attacks detected in South Korea over the course of one month in April 2025."
https://asec.ahnlab.com/en/87945/
- Southwest Airlines CISO On Tackling Cyber Risks In The Aviation Industry
"In this Help Net Security interview, Carrie Mills, VP and CISO, Southwest Airlines talks about the cybersecurity challenges facing the aviation industry. She explains how being part of critical infrastructure, a major consumer brand, and an airline each brings its own set of security issues."
https://www.helpnetsecurity.com/2025/05/14/carrie-mills-southwest-airlines-aviation-industry-cybersecurity-challenges/
- Ransomware Scum Have Put a Target On The No Man's Land Between IT And Operations
"Criminals who attempt to damage critical infrastructure are increasingly targeting the systems that sit between IT and operational tech. These in-between systems are no man's land, according to Tim Conway, the technical director of SANS Institute industrial control systems (ICS) programs. They're not classic IT systems that run core business applications, or operational tech (OT) that drives heavy industrial infrastructure. In the case of a petroleum pipeline, middle systems live in the facilities that store and distribute fuel, and separate home heating oil from gasoline, diesel, and jet fuel."
https://www.theregister.com/2025/05/14/ransomware_targets_middle_systems_sans/
- Kosovo Extradites BlackDB Admin To Face US Cybercrime Charges
"A Kosovo national has been extradited to the United States to face charges of running an online cybercrime marketplace active since 2018. Kosovar authorities arrested the 33-year-old Liridon Masurica (also known as @blackdb) on December 14th, 2024, and he was extradited to the United States earlier this month, on May 9th. Masurica was detained following his court appearance in Tampa on May 12th, where he was brought before United States Magistrate Judge Lindsay Saxe Griffin."
https://www.bleepingcomputer.com/news/security/kosovo-extradites-blackdb-admin-to-face-us-cybercrime-charges/
https://www.securityweek.com/kosovar-administrator-of-cybercrime-marketplace-extradited-to-us/
- The Forgotten Threat: How Supply Chain Attacks Are Targeting Small Businesses
"When people hear "supply chain attack," their minds often go to headline-grabbing breaches. But while analysts, CISOs, and journalists dissect those incidents, a more tactical and persistent wave of attacks has been unfolding in parallel; one that's laser-focused on small businesses as the point of entry. This isn't collateral damage. It's by design. Cybercriminals aren't always trying to figuratively kick down the front doors of well-defended enterprises. Instead, they're probing the digital perimeter for softer targets: under-resourced MSPs, niche SaaS providers, regional consultants, and third-party vendors."
https://www.tripwire.com/state-of-security/forgotten-threat-how-supply-chain-attacks-are-targeting-small-businesses
- CVE Foundation Eyes Year-End Launch Following 11th-Hour Rescue Of MITRE Program
"In late March, the nonprofit research organization MITRE celebrated the 25th anniversary of the Common Vulnerability and Exposures (CVE) program, a widely hailed scientific achievement funded by the U.S. government and administered by MITRE. The CVE program is the global bedrock of contemporary vulnerability management, cataloging and assigning unique identifiers to software vulnerabilities. Until April 15, cybersecurity defenders and data scientists seemed unshakeable in embracing the program, which had already overcome challenges to achieve its silver anniversary."
https://cyberscoop.com/cve-program-funding-crisis-cve-foundation-mitre/
- AI Agents May Have a Memory Problem
"Memory-enabled artificial intelligence agents that can store and recall user data for more intelligent and personalized decision-making are vulnerable to memory injection attacks that can manipulate their behavior in future interactions, a new study has shown. These AI agents, such as those used in Mastercard's recently disclosed Agent Pay and PayPal's equally new Agent Toolkit, store user data — such as preferences, transaction histories, and conversational context — to deliver very personalized decisions on behalf of users. Mastercard envisions its Agent Pay, for instance, as proactively making purchase decisions and recommending payment options based on contextual knowledge of a user's preferences and feedback."
https://www.darkreading.com/cyber-risk/ai-agents-memory-problem
https://arxiv.org/pdf/2503.16248
- Why CVSS Is Failing Us And What We Can Do About It
"Two decades ago, CVSS revolutionized vulnerability management, enabling security teams to speak a common language when measuring and prioritizing risks posed by the vulnerability to the affected asset. However, today, the same tool that once guided us in the right direction is holding us back. In an environment where adversaries are faster, attack surfaces are broader, and resource constraints are tighter than ever, relying only on CVSS ratings to drive remediation efforts is no longer enough. Yet many organizations still patch vulnerabilities based on severity scores alone without asking the critical question necessary to determine real risk: Does this exposure actually pose a real risk in our environment?"
https://www.theregister.com/2025/05/14/picus_cvss/
- Go Ahead And Ignore Patch Tuesday – It Might Improve Your Security
"Patch Tuesday has rolled around again, but if you don't rush to implement the feast of fixes it delivered, your security won't be any worse off in the short term – and may improve in the future. That's the opinion of Craig Lawson, a Research Vice President at analyst Gartner, who on Wednesday told the firm's Infrastructure, Operations & Cloud Strategies Conference: "Nobody has ever out-patched threat actors at scale.""
https://www.theregister.com/2025/05/14/improve_patching_strategies/
- Maritime Cybersecurity: Threats & Regulations Loom
"The maritime industry is a large, complex ecosystem of carriers and port operators, with various pieces of information and operational technologies. Securing these systems is challenging but critical, as ports are at the center of the country’s supply chain. During the Maritime Cybersecurity: Risks and Best Practices webinar on April 9, experts discussed existing challenges and where stakeholders can focus on securing the supply chain and their maritime security infrastructure."
https://www.trendmicro.com/en_us/research/25/e/maritime-cybersecurity-threats-regulations.html
References
Electronic Transactions Development Agency (ETDA)
- Warning! Hackers use fake AI tools to trick users into installing Noodlophile malware that steals data and takes control of the machine
- CISA revises its cyber-alert notification approach, focusing on communication via social media and email
- Alert: Cisco announces 28 vulnerabilities
Cyber Threat Intelligence 14 May 2025
Healthcare Sector
- With The Right Tools, You Can Prevent This Healthcare Scam From Hurting Employees
"In 2024, ninety-two percent of healthcare organizations contended with at least one cyber attack. As a result, over 276 million patient records were compromised, translating to the compromise of roughly 758,000 records every single day. Victims of medical identity theft will spend an average of 210 hours and $2,500 (out-of-pocket) to reclaim their identities and resolve breach fallout."
https://blog.checkpoint.com/securing-user-and-access/with-the-right-tools-you-can-prevent-this-healthcare-scam-from-hurting-employees/
Government/Law/Policy
- UK Considers New Enterprise IoT Security Law
"The UK government has issued a Call for Views on proposed “policy interventions” designed to improve the security of enterprise IoT products, after new research revealed glaring vulnerabilities in many devices. The Department for Science, Innovation and Technology (DSIT) commissioned NCC Group to test a range of components: a “high-end” and “low-end” camera, VoIP device, meeting room panel and NAS device."
https://www.infosecurity-magazine.com/news/government-enterprise-iot-security/
Vulnerabilities
- Microsoft May 2025 Patch Tuesday Fixes 5 Exploited Zero-Days, 72 Flaws
"Today is Microsoft's May 2025 Patch Tuesday, which includes security updates for 72 flaws, including five actively exploited and two publicly disclosed zero-day vulnerabilities. This Patch Tuesday also fixes six "Critical" vulnerabilities, five being remote code execution vulnerabilities and another an information disclosure bug."
https://www.bleepingcomputer.com/news/microsoft/microsoft-may-2025-patch-tuesday-fixes-5-exploited-zero-days-72-flaws/
https://www.tripwire.com/state-of-security/may-2025-patch-tuesday-analysis
https://blog.talosintelligence.com/microsoft-patch-tuesday-for-may-2025-snort-rules-and-prominent-vulnerabilities/
https://www.darkreading.com/vulnerabilities-threats/windows-zero-day-bug-exploited-browser-rce
https://www.securityweek.com/zero-day-attacks-highlight-another-busy-microsoft-patch-tuesday/
https://cyberscoop.com/microsoft-patch-tuesday-may-2025/
https://www.helpnetsecurity.com/2025/05/13/patch-tuesday-microsoft-fixes-5-actively-exploited-zero-days/
https://www.theregister.com/2025/05/14/patch_tuesday_may/
- SAP Patches Second Zero-Day Flaw Exploited In Recent Attacks
"SAP has released patches to address a second vulnerability exploited in recent attacks targeting SAP NetWeaver servers as a zero-day. The company issued security updates for this security flaw (CVE-2025-42999) on Monday, May 12, saying it was discovered while investigating zero-day attacks involving another unauthenticated file upload flaw (tracked as CVE-2025-31324) in SAP NetWeaver Visual Composer that was fixed in April. "SAP is aware of and has been addressing vulnerabilities in SAP NETWEAVER Visual Composer," a SAP spokesperson told BleepingComputer. "We ask all customers using SAP NETWEAVER to install these patches to protect themselves. The Security Notes can be found here: 3594142 & 3604119.""
https://www.bleepingcomputer.com/news/security/sap-patches-second-zero-day-flaw-exploited-in-recent-attacks/
https://support.sap.com/en/my-support/knowledge-base/security-notes-news/may-2025.html
https://www.securityweek.com/sap-patches-another-critical-netweaver-vulnerability/
- Fortinet Fixes Critical Zero-Day Exploited In FortiVoice Attacks
"Fortinet released security updates to patch a critical remote code execution vulnerability exploited as a zero-day in attacks targeting FortiVoice enterprise phone systems. The security flaw is a stack-based overflow vulnerability tracked as CVE-2025-32756 that also impacts FortiMail, FortiNDR, FortiRecorder, and FortiCamera. As the company explains in a security advisory issued on Tuesday, successful exploitation can allow remote unauthenticated attackers to execute arbitrary code or commands via maliciously crafted HTTP requests."
https://www.bleepingcomputer.com/news/security/fortinet-fixes-critical-zero-day-exploited-in-fortivoice-attacks/
https://fortiguard.fortinet.com/psirt/FG-IR-25-254
https://www.helpnetsecurity.com/2025/05/13/zero-day-exploited-to-compromise-fortinet-fortivoice-systems-cve-2025-32756/
- Ivanti Fixes EPMM Zero-Days Chained In Code Execution Attacks
"Ivanti warned customers today to patch their Ivanti Endpoint Manager Mobile (EPMM) software against two security vulnerabilities chained in attacks to gain remote code execution. "Ivanti has released updates for Endpoint Manager Mobile (EPMM) which addresses one medium and one high severity vulnerability," the company said. "When chained together, successful exploitation could lead to unauthenticated remote code execution. We are aware of a very limited number of customers whose solution has been exploited at the time of disclosure.""
https://www.bleepingcomputer.com/news/security/ivanti-fixes-epmm-zero-days-chained-in-code-execution-attacks/
https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM?language=en_US
https://www.helpnetsecurity.com/2025/05/13/ivanti-epmm-vulnerabilities-exploited-in-the-wild-cve-2025-4427-cve-2025-4428/
- Adobe Patches Big Batch Of Critical-Severity Software Flaws
"Software maker Adobe has released patches for at least 39 vulnerabilities across a range of products alongside warnings about remote code execution exploit risks. The Patch Tuesday rollout is headlined by a major Adobe ColdFusion update that addresses a wide swath of code execution and privilege escalation attacks. The Adobe ColdFusion bulletin documents 7 distinct vulnerabilities marked as “critical” and Adobe warned that these “could lead to arbitrary file system read, arbitrary code execution and privilege escalation.” The critical bugs carry a CVSS severity score of 9.1/10."
https://www.securityweek.com/adobe-patches-big-batch-of-critical-severity-software-flaws/
- CISA Adds Five Known Exploited Vulnerabilities To Catalog
"CISA has added five new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
CVE-2025-30400 Microsoft Windows DWM Core Library Use-After-Free Vulnerability
CVE-2025-32701 Microsoft Windows Common Log File System (CLFS) Driver Use-After-Free Vulnerability
CVE-2025-32706 Microsoft Windows Common Log File System (CLFS) Driver Heap-Based Buffer Overflow Vulnerability
CVE-2025-30397 Microsoft Windows Scripting Engine Type Confusion Vulnerability
CVE-2025-32709 Microsoft Windows Ancillary Function Driver for WinSock Use-After-Free Vulnerability"
https://www.cisa.gov/news-events/alerts/2025/05/13/cisa-adds-five-known-exploited-vulnerabilities-catalog
- Ivanti Warns Of Critical Neurons For ITSM Auth Bypass Flaw
"Ivanti has released security updates for its Neurons for ITSM IT service management solution that mitigate a critical authentication bypass vulnerability. Tracked as CVE-2025-22462, the security flaw can let unauthenticated attackers gain administrative access to unpatched systems in low-complexity attacks, depending on system configuration. As the company highlighted in a security advisory released today, organizations that followed its guidance are less exposed to attacks."
https://www.bleepingcomputer.com/news/security/ivanti-warns-of-critical-neurons-for-itsm-auth-bypass-flaw/
- New Intel CPU Flaws Leak Sensitive Data From Privileged Memory
"A new "Branch Privilege Injection" flaw in all modern Intel CPUs allows attackers to leak sensitive data from memory regions allocated to privileged software like the operating system kernel. Typically, these regions are populated with information like passwords, cryptographic keys, memory of other processes, and kernel data structures, so protecting them from leakage is crucial. According to ETH Zurich researchers Sandro Rüegge, Johannes Wikner, and Kaveh Razavi, Spectre v2 mitigations held for six years, but their latest "Branch Predictor Race Conditions" exploit effectively bypasses them."
https://www.bleepingcomputer.com/news/security/new-intel-cpu-flaws-leak-sensitive-data-from-privileged-memory/
https://comsec.ethz.ch/research/microarch/branch-privilege-injection/
https://comsec.ethz.ch/wp-content/files/bprc_sec25.pdf
https://www.theregister.com/2025/05/13/intel_spectre_race_condition/
- Radware Says Recently Disclosed WAF Bypasses Were Patched In 2023
"Cybersecurity and application delivery solutions provider Radware has clarified that the vulnerabilities disclosed last week were addressed back in 2023. An advisory published on May 7 by the CERT Coordination Center (CERT/CC) at Carnegie Mellon University revealed that the Radware Cloud Web Application Firewall (WAF) was vulnerable to a couple of filter bypass methods that could allow threat actors to conduct attacks without being blocked by the firewall."
https://www.securityweek.com/radware-says-recently-disclosed-waf-bypasses-were-patched-in-2023/
- Zoom Fixes High-Risk Flaw In Latest Update
"Zoom fixes multiple security bugs in Workplace Apps, including a high-risk flaw. Users are urged to update to the latest version released on May 13, 2025. Zoom pushed out a batch of security fixes today, addressing multiple vulnerabilities across its Workplace Apps. One of them has been marked high severity, while the others are rated medium. The updates affect both general app versions and Windows-specific builds. For anyone using Zoom in business or education settings, especially on Windows systems, these updates are worth attention."
https://hackread.com/zoom-fixes-high-risk-flaw-in-latest-update/
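The five KEV additions under the CISA item above are only useful to a defender once they are checked against what has actually been patched. The script below is an added example (not from the CISA alert or any vendor tool) of that triage step: it parses a feed in the layout of CISA's public KEV JSON (a top-level "vulnerabilities" list with cveID, vendorProject, product, vulnerabilityName, dateAdded, dueDate and knownRansomwareCampaignUse fields), subtracts the fixes already applied, and ranks what is left by remediation due date. The embedded feed excerpt is constructed for the example: the CVE IDs and names are the five from the alert, while dates, product and ransomware fields are illustrative values, not copied from the live catalog.

```python
"""KEV triage: which actively exploited CVEs are still open on this asset?

Added example. Assumes the field names of the public CISA KEV JSON feed;
the sample feed below is constructed, not a download of the real catalog.
"""
import json
from dataclasses import dataclass
from datetime import date
from typing import Iterable

# Constructed excerpt in the layout of the KEV feed. Only cveID and
# vulnerabilityName are taken from the CISA alert; the remaining values
# are illustrative.
KEV_FEED_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-2025-30400", "vendorProject": "Microsoft", "product": "Windows",
         "vulnerabilityName": "Microsoft Windows DWM Core Library Use-After-Free Vulnerability",
         "dateAdded": "2025-05-13", "dueDate": "2025-06-03", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2025-32701", "vendorProject": "Microsoft", "product": "Windows",
         "vulnerabilityName": "Microsoft Windows Common Log File System (CLFS) Driver Use-After-Free Vulnerability",
         "dateAdded": "2025-05-13", "dueDate": "2025-06-03", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2025-32706", "vendorProject": "Microsoft", "product": "Windows",
         "vulnerabilityName": "Microsoft Windows Common Log File System (CLFS) Driver Heap-Based Buffer Overflow Vulnerability",
         "dateAdded": "2025-05-13", "dueDate": "2025-06-03", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2025-30397", "vendorProject": "Microsoft", "product": "Windows",
         "vulnerabilityName": "Microsoft Windows Scripting Engine Type Confusion Vulnerability",
         "dateAdded": "2025-05-13", "dueDate": "2025-06-03", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2025-32709", "vendorProject": "Microsoft", "product": "Windows",
         "vulnerabilityName": "Microsoft Windows Ancillary Function Driver for WinSock Use-After-Free Vulnerability",
         "dateAdded": "2025-05-13", "dueDate": "2025-06-03", "knownRansomwareCampaignUse": "Unknown"},
    ],
})


@dataclass(frozen=True)
class KevEntry:
    cve_id: str
    vendor: str
    product: str
    name: str
    date_added: date
    due_date: date
    ransomware_use: str


@dataclass(frozen=True)
class Finding:
    cve_id: str
    name: str
    due_date: date
    days_until_due: int      # negative means the BOD 22-01 style due date has passed
    ransomware_use: str


def parse_kev(feed_json: str) -> list[KevEntry]:
    """Parse the feed into typed entries. A malformed or truncated feed raises
    (KeyError/ValueError) instead of silently yielding a partial catalog."""
    data = json.loads(feed_json)
    return [
        KevEntry(
            cve_id=v["cveID"].strip().upper(),
            vendor=v["vendorProject"],
            product=v["product"],
            name=v["vulnerabilityName"],
            date_added=date.fromisoformat(v["dateAdded"]),
            due_date=date.fromisoformat(v["dueDate"]),
            ransomware_use=v.get("knownRansomwareCampaignUse", "Unknown"),
        )
        for v in data["vulnerabilities"]
    ]


def triage(entries: Iterable[KevEntry], fixed_cves: Iterable[str], today: date) -> list[Finding]:
    """Return KEV entries whose CVE is not in the applied-fix set, most urgent first.
    CVE IDs are normalised so 'cve-2025-30400' from a patch report still matches."""
    fixed = {c.strip().upper() for c in fixed_cves}
    open_items = [
        Finding(e.cve_id, e.name, e.due_date, (e.due_date - today).days, e.ransomware_use)
        for e in entries
        if e.cve_id not in fixed
    ]
    return sorted(open_items, key=lambda f: (f.days_until_due, f.cve_id))


if __name__ == "__main__":
    # Constructed patch state: two of the five fixes are recorded as installed.
    applied = {"cve-2025-30400", "CVE-2025-32701"}
    for f in triage(parse_kev(KEV_FEED_SAMPLE), applied, date(2025, 6, 5)):
        flag = "OVERDUE" if f.days_until_due < 0 else f"due in {f.days_until_due}d"
        print(f"{f.cve_id}  {flag:12}  ransomware={f.ransomware_use}  {f.name}")
```

In practice the feed is fetched from CISA's published URL and the applied-fix set comes from the asset's patch inventory; the sorting puts overdue items first so that a KEV entry with a passed due date cannot hide behind newer additions.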
Malware
- Earth Ammit Disrupts Drone Supply Chains Through Coordinated Multi-Wave Attacks In Taiwan
"In July 2024, we disclosed the TIDRONE campaign, in which threat actors targeted Taiwan’s military and satellite industries. During our investigation, we discovered that multiple compromised entities were using the same enterprise resource planning (ERP) software. This led us to engage with the ERP vendor, through which we uncovered additional details that pointed to an earlier, related campaign – VENOM. Our findings were also presented at Black Hat Asia 2025 last month, where we discussed in depth Earth Ammit's tactics in the TIDRONE and VENOM campaigns, their targeted attacks on military sectors in Eastern Asia, and their possible ties to Chinese-speaking cyber-espionage groups."
https://www.trendmicro.com/en_us/research/25/e/earth-ammit.html
https://www.darkreading.com/cyberattacks-data-breaches/chinese-actor-taiwanese-drone-makers-supply-chains
https://therecord.media/chinese-hackers-target-taiwan-military-sector
- TA406 Pivots To The Front
"In February 2025, TA406 began targeting government entities in Ukraine, delivering both credential harvesting and malware in its phishing campaigns. The aim of these campaigns is likely to collect intelligence on the trajectory of the Russian invasion. TA406 is a Democratic People's Republic of Korea (DPRK) state-sponsored actor that overlaps with activity publicly tracked by third parties as Opal Sleet and Konni. The group’s interest in Ukraine follows historical targeting of government entities in Russia for strategic intelligence gathering purposes. TA406 relies on freemail senders spoofing members of think tanks to convince the target to engage with the phishing email. The lure content is based heavily off recent events in Ukrainian domestic politics."
https://www.proofpoint.com/us/blog/threat-insight/ta406-pivots-front
https://www.darkreading.com/cyberattacks-data-breaches/north-koreas-ta406-targets-ukraine
https://therecord.media/north-korea-hackers-target-ukraine-to-understand-russian-war-efforts
https://www.bleepingcomputer.com/news/security/north-korea-ramps-up-cyberspying-in-ukraine-to-assess-war-risk/
https://thehackernews.com/2025/05/north-korean-konni-apt-targets-ukraine.html
https://www.bankinfosecurity.com/north-korea-targets-ukraine-cyberespionage-operations-a-28372
https://www.infosecurity-magazine.com/news/dprk-backed-ta406-targets-ukraine/
- Using a Mythic Agent To Optimize Penetration Testing
"The way threat actors use post-exploitation frameworks in their attacks is a topic we frequently discuss. It’s not just about analysis of artifacts for us, though. Our company’s deep expertise means we can study these tools to implement best practices in penetration testing. This helps organizations stay one step ahead. Being experts in systems security assessment and information security in general, we understand that a proactive approach always works better than simply responding to incidents that have already occurred. And when we say “proactive”, we imply learning new technologies and techniques that threat actors may adopt next. That is why we follow the latest research, analyze new tools, and advance our pentesting expertise."
https://securelist.com/agent-for-mythic-c2-with-beacon-object-files/115259/
- How Interlock Ransomware Affects The Defense Industrial Base Supply Chain
"Kinetic events, such as the Russia-Ukraine, Israel-Hamas, and Pakistan-India situations, along with non-kinetic or political turmoil events, have both a direct effect (participant 1 targeting participant 2) and an indirect effect (social sympathizer group targeting the participant they deem the aggressor), which drive ransomware and similar cyberattacks. The motivation behind these attacks can be to support an official action or to justify a criminal attack on a victim. However, it may also leverage the event as political cover for a cyberattack motivated by industrial or state espionage."
https://www.resecurity.com/blog/article/how-interlock-ransomware-affects-the-defense-industrial-base-supply-chain
https://securityaffairs.com/177792/malware/how-interlock-ransomware-affects-the-defense-industrial-base-supply-chain.html
- China-Nexus Nation State Actors Exploit SAP NetWeaver (CVE-2025-31324) To Target Critical Infrastructures
"EclecticIQ analysts assess with high confidence that, in April 2025, China-nexus nation-state APTs (advanced persistent threat) launched high-tempo exploitation campaigns against critical infrastructure networks by targeting SAP NetWeaver Visual Composer. Actors leveraged CVE-2025-31324 [1], an unauthenticated file upload vulnerability that enables remote code execution (RCE). This assessment is based on a publicly exposed directory (opendir) found on attacker-controlled infrastructure, which contained detailed event logs capturing operations across multiple compromised systems."
https://blog.eclecticiq.com/china-nexus-nation-state-actors-exploit-sap-netweaver-cve-2025-31324-to-target-critical-infrastructures
https://thehackernews.com/2025/05/china-linked-apts-exploit-sap-cve-2025.html
- Same Name, Different Hack: PyPI Package Targets Solana Developers
"The ReversingLabs research team has written about the surge in recent years in software supply chain attacks that target cryptocurrency. RL’s 2025 Software Supply Chain Security Report documented 23 distinct malicious supply chain campaigns targeting cryptocurrency applications and infrastructure in 2024 alone. That trend continues. So far in 2025, RL researchers discovered a number of new campaigns that appear to target cryptocurrency assets. In April, for example, RL researcher Lucija Valentić wrote about the discovery of an npm package, pdf-to-office, that injected malicious code into legitimate, locally-installed files to steal funds stored in Atomic Wallet and Exodus crypto wallets."
https://www.reversinglabs.com/blog/same-name-different-hack-pypi-package-targets-solana-developers
https://thehackernews.com/2025/05/malicious-pypi-package-posing-as-solana.html
- Analysis Of APT37 Attack Case Disguised As a Think Tank For National Security Strategy In South Korea (Operation. ToyBox Story)
"Disguised the content as an academic forum invitation from a South Korean national security think tank to attract attention. Lured targets by referencing an actual event titled “Trump 2.0 Era: Prospects and South Korea’s Response”. Delivered malicious LNK files via the Dropbox cloud platform. APT37 used Dropbox as a C2 server, following earlier use of pCloud and Yandex. EDR-based anomaly hunting required to improve detection of fileless threats"
https://www.genians.co.kr/en/blog/threat_intelligence/toybox-story
https://therecord.media/apt37-scarcruft-cyber-espionage-campaign-south-korea
Breaches/Hacks/Leaks
- M&S Confirms Customer Data Stolen In Cyber-Attack
"UK retailer Marks & Spencer (M&S) has confirmed that the personal details of customers were stolen during April’s suspected ransomware attack. M&S Chief Executive, Stuart Machin, made the announcement via the firm’s Instagram account on May 13. He wrote: “As we continue to manage the current cyber incident, we have written to customers today to let them know that unfortunately, some personal customer information has been taken.”"
https://www.infosecurity-magazine.com/news/ms-customer-data-stolen-attack/
https://www.theregister.com/2025/05/13/ms_confirms_customer_data_stolen/
https://www.securityweek.com/marks-spencer-says-data-stolen-in-ransomware-attack/
https://www.bleepingcomputer.com/news/security/mands-says-customer-data-stolen-in-cyberattack-forces-password-resets/
https://therecord.media/marks-spencer-confirms-customer-data-breach
https://securityaffairs.com/177784/data-breach/marks-and-spencer-confirms-data-breach-after-april-cyber-attack.html
- Twilio Denies Breach Following Leak Of Alleged Steam 2FA Codes
"Twilio has denied in a statement for BleepingComputer that it was breached after a threat actor claimed to be holding over 89 million Steam user records with one-time access codes. The threat actor, using the alias Machine1337 (also known as EnergyWeaponsUser), advertised a trove of data allegedly pulled from Steam, offering to sell it for $5,000. When examining the leaked files, which contained 3,000 records, BleepingComputer found historic SMS text messages with one-time passcodes for Steam, including the recipient's phone number."
https://www.bleepingcomputer.com/news/security/twilio-denies-breach-following-leak-of-alleged-steam-2fa-codes/
- Over 3 Million Records, Including PII Of Student-Athletes And College Coaches Exposed In a Data Breach
"Cybersecurity Researcher, Jeremiah Fowler, discovered and reported to vpnMentor about an unencrypted and non-password-protected database that contained 3,154,239 records presumably belonging to a platform designed to assist high school athletes in securing college sports scholarships."
https://www.vpnmentor.com/news/report-prephero-breach/
https://hackread.com/prephero-database-exposed-students-coaches-data/
General News
- Breaking Down Silos In Cybersecurity
"All organizations erect silos – silos between groups and departments, across functions and among technologies. Silos represent differences in practices, culture and operations. Their presence inhibits communication and collaboration. As companies scale from startup to mid-sized and beyond, silos multiply and ossify. As operations expand from one site to many, from on-premises to cloud, from legacy to emerging tech (e.g., cloud and AI), silos don’t topple; they persist and proliferate. Nowhere are silos more evident and more challenging than in cybersecurity. Industry pundits call for a unified approach and a holistic vision of attack surfaces, but the cybersecurity marketplace is awash with tools and architectures, each with its own approach and its own silos."
https://www.helpnetsecurity.com/2025/05/13/marc-gafan-ionix-tyson-kopczynski-cymetry-one-cybersecurity-silos/
- CISOs Must Speak Business To Earn Executive Trust
"In this Help Net Security interview, Pritesh Parekh, VP, CISO at PagerDuty talks about how CISOs can change perceptions of their role, build influence across the organization, communicate risk in business terms, and use automation to support business goals."
https://www.helpnetsecurity.com/2025/05/13/pritesh-parekh-pagerduty-cisos-business-leaders-conversations/
- AI Vs AI: How Cybersecurity Pros Can Use Criminals’ Tools Against Them
"For a while now, AI has played a part in cybersecurity. Now, agentic AI is taking center stage. Based on pre-programmed plans and objectives, agentic AI can make choices which optimize results without a need for developer intervention. As agentic AI can be programmed for various tasks, AI agents are set to create a labor revolution, from manufacturing to customer service. However, this comes at a cost, as they can also be programmed to conduct fraudulent activities, such as advanced social engineering attacks utilizing social media data and deepfakes for highly personalized phishing schemes. Because of this, Gartner warns that within two years AI agents will accelerate how long it takes to take over exposed accounts by 50%."
https://www.helpnetsecurity.com/2025/05/13/ai-proxies-cybersecurity/
- Consult The European Vulnerability Database To Enhance Your Digital Security!
"The European Union Agency for Cybersecurity (ENISA) has developed the European Vulnerability Database - EUVD as provided for by the NIS2 Directive. The EUVD service, to be maintained by ENISA, is now operational. The database provides aggregated, reliable, and actionable information such as mitigation measures and exploitation status on cybersecurity vulnerabilities affecting Information and Communication Technology (ICT) products and services."
https://www.enisa.europa.eu/news/consult-the-european-vulnerability-database-to-enhance-your-digital-security
https://euvd.enisa.europa.eu/
https://www.infosecurity-magazine.com/news/european-vulnerability-database-us/
https://www.theregister.com/2025/05/13/eu_security_bug_database/
https://therecord.media/eu-launches-vulnerability-database
https://www.darkreading.com/vulnerabilities-threats/eu-bug-database-vulnerability-tracking
https://www.bankinfosecurity.com/tracking-bugs-european-vulnerability-database-goes-live-a-28382
- Defining a New Methodology For Modeling And Tracking Compartmentalized Threats
"In the evolving cyberthreat landscape, Cisco Talos is witnessing a significant shift towards compartmentalized attack kill chains, where distinct stages — such as initial compromise and subsequent exploitation — are executed by multiple threat actors. This trend complicates traditional threat modeling and actor profiling, as it requires understanding the intricate relationships and interactions between various groups, explained in the previous blog."
https://blog.talosintelligence.com/compartmentalized-threat-modeling/
- Redefining IABs: Impacts Of Compartmentalization On Threat Tracking And Modeling
"Cisco Talos has observed a growing trend of attack kill chains being split into two stages — initial compromise and subsequent exploitation — executed by separate threat actors. This compartmentalization increases the complexity and difficulty of performing threat modeling and actor profiling. Initial access groups now include both traditional initial access brokers (IABs) as well as opportunistic and state-sponsored threat actors, whose characteristics, motivations and objectives differ significantly."
https://blog.talosintelligence.com/redefining-initial-access-brokers/
- DeepSeek, Deep Research Mean Deep Changes For AI Security
"The world of artificial intelligence can be divided into two epochs: ChatGPT and Deep Logic. Platforms like DeepSeek and Google and OpenAI's Deep Research, alongside other agentic systems and logic-based models, exemplify this shift with real-time reasoning, multistep decision-making, and dynamic data retrieval. These advanced systems can construct and refine a chain of thought during inference."
https://www.darkreading.com/vulnerabilities-threats/deepseek-deep-research-deep-changes-ai-security
- Building Effective Security Programs Requires Strategy, Patience, And Clear Vision
"CISOs are facing a growing array of threats, including ransomware, business email compromise, identity-based attacks, phishing attacks, and data breaches. Patience and adaptability are required to build, implement, and maintain an effective security program that addresses the gamut of these risks. Many technologies and security measures are available to tackle the various problems organizations face, but they take time and resources to implement properly. One way to do so is to treat the organization's security program as a product, said Capital One cybersecurity CTO Mike Benjamin at last month's RSAC Conference in San Francisco."
https://www.darkreading.com/cyber-risk/building-effective-security-programs-strategy-patience-clear-vision
- Sharing Intelligence Beyond CTI Teams, Across Wider Functions And Departments
"I read a recent Google Intelligence Report which highlighted a case uncovered last year involving a single North Korean worker deploying at least 12 personae across Europe and the US. The IT worker was seeking jobs within the defense industry and government sectors. Using this new tactic, bogus IT professionals have been threatening to release sensitive company data that they have exfiltrated before being fired. According to the report, North Korea has now turned to Europe, and the UK, after it became more difficult to implement its fake worker ploy in the US. As a result, companies are being urged to carry out job interviews for IT workers on video, or better still in-person, to head off the risk of giving jobs to fake North Korean employees."
https://www.securityweek.com/sharing-intelligence-beyond-cti-teams-across-wider-functions-and-departments/
Reference
Electronic Transactions Development Agency (ETDA)
- With The Right Tools, You Can Prevent This Healthcare Scam From Hurting Employees
- South African Airways hit by a cyberattack that temporarily affected its website and internal systems, but services continued
- CERT-In issues an urgent warning after hacktivists launch cyberattacks against Indian systems
Cyber Threat Intelligence 13 May 2025
New Tooling
- SPIRE: Toolchain Of APIs For Establishing Trust Between Software Systems
"SPIRE is a graduated project of the Cloud Native Computing Foundation (CNCF). It’s a production-ready implementation of the SPIFFE APIs that handles node and workload attestation to securely issue SVIDs to workloads and verify the SVIDs of other workloads, all based on a predefined set of conditions."
https://www.helpnetsecurity.com/2025/05/12/spire-apis-establishing-trust-between-software-systems/
https://github.com/spiffe/spire
Vulnerabilities
- Apple Patches Major Security Flaws In iOS, MacOS Platforms
"Apple on Monday pushed out patches for security vulnerabilities across the macOS, iPhone and iPad software stack, warning that code-execution bugs could be triggered simply by opening a rigged image, video or website. The new iOS 18.5 update, rolled out alongside patches for iPadOS, covers critical bugs in AppleJPEG and CoreMedia with a major warning from Cupertino that attackers could craft malicious media files to run arbitrary code with the privileges of the targeted app. The company also documented serious file-parsing vulnerabilities patched in CoreAudio, CoreGraphics, and ImageIO, each capable of crashing apps or leaking data if booby-trapped content is opened."
https://www.securityweek.com/apple-patches-major-security-flaws-in-ios-macos-platforms/
https://support.apple.com/en-us/122404
- ASUS DriverHub Flaw Let Malicious Sites Run Commands With Admin Rights
"The ASUS DriverHub driver management utility was vulnerable to a critical remote code execution flaw that allowed malicious sites to execute commands on devices with the software installed. The flaw was discovered by an independent cybersecurity researcher from New Zealand named Paul (aka "MrBruh"), who found that the software had poor validation of commands sent to the DriverHub background service. This allowed the researcher to create an exploit chain utilizing flaws tracked as CVE-2025-3462 and CVE-2025-3463 that, when combined, achieve origin bypass and trigger remote code execution on the target."
https://www.bleepingcomputer.com/news/security/asus-driverhub-flaw-let-malicious-sites-run-commands-with-admin-rights/
https://thehackernews.com/2025/05/asus-patches-driverhub-rce-flaws.html
https://www.securityweek.com/asus-driverhub-vulnerabilities-expose-users-to-remote-code-execution-attacks/
https://securityaffairs.com/177731/hacking/researchers-found-one-click-rce-in-asus-s-pre-installed-software-driverhub.html
- U.S. CISA Adds TeleMessage TM SGNL To Its Known Exploited Vulnerabilities Catalog
"The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a TeleMessage TM SGNL flaw, tracked as CVE-2025-47729 (CVSS score of 1.9), to its Known Exploited Vulnerabilities (KEV) catalog. “The TeleMessage archiving backend through 2025-05-05 holds cleartext copies of messages from TM SGNL (aka Archive Signal) app users, which is different functionality than described in the TeleMessage “End-to-End encryption from the mobile phone through to the corporate archive” documentation, as exploited in the wild in May 2025.” reads the advisory."
https://securityaffairs.com/177743/hacking/u-s-cisa-adds-telemessage-tm-sgnl-to-its-known-exploited-vulnerabilities-catalog.html
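The DriverHub item above describes a privileged background service that accepted commands from a website after an "origin bypass". A local service that trusts the browser's Origin header is only as safe as the comparison it performs, and a substring or prefix match is the classic way that check fails. The code below is an added example, not ASUS's code and not the researcher's exploit: it puts a weak check beside a strict one and runs both over constructed Origin values. The trusted origin `https://driverhub.asus.com` and the attacker-style origins are assumptions chosen to illustrate the failure mode; the page itself does not state which bypass string was used.

```python
"""Origin validation for a localhost service: weak substring match vs exact match.

Added example. TRUSTED_ORIGIN and the sample origins are assumptions for
illustration, not values taken from the DriverHub advisory or exploit.
"""
from typing import Optional
from urllib.parse import urlsplit

TRUSTED_ORIGIN = "https://driverhub.asus.com"   # assumed trusted web origin
_DEFAULT_PORT = {"https": 443, "http": 80}


def weak_origin_check(origin: Optional[str]) -> bool:
    """Vulnerable pattern: accept if the trusted host name appears anywhere in
    the header. Any attacker-controlled origin that embeds the string passes."""
    return bool(origin) and "driverhub.asus.com" in origin


def strict_origin_check(origin: Optional[str]) -> bool:
    """Hardened pattern: parse the Origin and require scheme, host and port to
    match the single trusted origin exactly. A missing or opaque ('null')
    Origin is rejected: a service that runs commands as admin must never act
    for a request it cannot attribute to a known origin."""
    if not origin or origin == "null":
        return False
    try:
        got = urlsplit(origin)
        want = urlsplit(TRUSTED_ORIGIN)
        # A browser-sent Origin is scheme://host[:port] with no path or query;
        # anything else is not a real Origin header.
        if got.path not in ("", "/") or got.query or got.fragment:
            return False
        if got.scheme != want.scheme:
            return False
        if (got.hostname or "").lower() != (want.hostname or "").lower():
            return False
        got_port = got.port or _DEFAULT_PORT.get(got.scheme)
        want_port = want.port or _DEFAULT_PORT.get(want.scheme)
        return got_port == want_port
    except ValueError:          # e.g. a non-numeric port in the header
        return False


# Constructed Origin values a local service might see. Only the first is the
# genuine trusted origin; the rest are shapes an attacker controls.
SAMPLE_ORIGINS = [
    "https://driverhub.asus.com",
    "https://driverhub.asus.com:443",
    "https://driverhub.asus.com.attacker.example",     # trusted name as a subdomain prefix
    "https://attacker.example/?x=driverhub.asus.com",  # trusted name in the query
    "http://driverhub.asus.com",                       # plaintext scheme, spoofable on a LAN
    "null",                                            # sandboxed iframe / redirect chain
]


def compare(origins) -> dict:
    """Map each origin to (weak_result, strict_result) for side-by-side review."""
    return {o: (weak_origin_check(o), strict_origin_check(o)) for o in origins}


if __name__ == "__main__":
    for o, (weak, strict) in compare(SAMPLE_ORIGINS).items():
        print(f"{o:50}  weak={weak!s:5}  strict={strict!s:5}")
```

Even the strict check only protects against cross-site pages in a browser; it does nothing against a local process that sets any Origin it likes, so a service with admin rights still needs to validate the command itself and should not be reachable without some per-session secret the browser page cannot guess.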
Malware
- APT36-Style ClickFix Attack Spoofs Indian Ministry To Target Windows & Linux
"Threat actors continue to adopt recognizable branding and official imagery to lower suspicion and facilitate malware execution. Infrastructure spoofing India's Ministry of Defence was recently observed delivering cross-platform malware through a ClickFix-style infection chain. The site mimicked government press releases, staged payloads through a possibly compromised .in domain, and used visual deception to appear credible during execution. This activity mirrors patterns seen in other ClickFix cases: reuse of public-sector branding, staging malware in web asset directories, and targeting Windows and Linux to maximize effectiveness."
https://hunt.io/blog/apt36-clickfix-campaign-indian-ministry-of-defence
https://www.bleepingcomputer.com/news/security/hackers-now-testing-clickfix-attacks-against-linux-targets/
- Marbled Dust Leverages Zero-Day In Output Messenger For Regional Espionage
"Since April 2024, the threat actor that Microsoft Threat Intelligence tracks as Marbled Dust has been observed exploiting user accounts that have not applied fixes to a zero-day vulnerability (CVE-2025-27920) in the messaging app Output Messenger, a multiplatform chat software. These exploits have resulted in collection of related user data from targets in Iraq. Microsoft Threat Intelligence assesses with high confidence that the targets of the attack are associated with the Kurdish military operating in Iraq, consistent with previously observed Marbled Dust targeting priorities."
https://www.microsoft.com/en-us/security/blog/2025/05/12/marbled-dust-leverages-zero-day-in-output-messenger-for-regional-espionage/
https://www.bleepingcomputer.com/news/security/output-messenger-flaw-exploited-as-zero-day-in-espionage-attacks/
https://therecord.media/microsoft-zero-day-spy-campaign
- Horabot Unleashed: A Stealthy Phishing Threat
"In April, FortiGuard Labs observed a threat actor using phishing emails with malicious HTML files to spread Horabot, malware that primarily targets Spanish-speaking users. It is known for using crafted emails that impersonate invoices or financial documents to trick victims into opening malicious attachments and can steal email credentials, harvest contact lists, and install banking trojans. Horabot leverages Outlook COM automation to send phishing messages from the victim’s mailbox, enabling it to propagate laterally within corporate or personal networks. The threat actor also executed a combination of VBScript, AutoIt, and PowerShell to conduct system reconnaissance, credential theft, and the installation of additional payloads."
https://www.fortinet.com/blog/threat-research/horabot-unleashed-a-stealthy-phishing-threat
- Brief Disruptions, Bold Claims: The Tactical Reality Behind The India-Pakistan Hacktivist Surge
"In May 2025, multiple Pakistan-linked hacktivist groups claimed over 100 cyberattacks on Indian government, education, and critical infrastructure websites. But CloudSEK’s investigation reveals most of these breaches were exaggerated or fake—ranging from recycled data leaks to defacements that left no real impact. While DDoS attacks barely caused a few minutes of disruption, the real threat came from APT36, which used Crimson RAT malware to target Indian defense networks after the Pahalgam terror attack. This report separates fact from fiction—unmasking the hype, tactics, and real risks behind the India-Pakistan cyber conflict. Read the full analysis to know what truly happened."
https://www.cloudsek.com/blog/brief-disruptions-bold-claims-the-tactical-reality-behind-the-india-pakistan-hacktivist-surge
https://www.infosecurity-magazine.com/news/hacktivist-attacks-india/
- Flashpoint Investigation: Uncovering The DPRK’s Remote IT Worker Fraud Scheme
"On December 12, 2024, the United States indicted fourteen North Korean nationals for using stolen identities to get remote IT jobs at US-based companies and nonprofits. Over the last six years, this scheme has provided the North Korean government (DPRK) at least $88 million USD and ever since its discovery, Fortune 500 companies, technology and cryptocurrency industries have been reporting even more secret DPRK agents siphoning funds, intellectual property, and information."
https://flashpoint.io/blog/flashpoint-investigation-uncovering-the-dprks-remote-it-worker-fraud-scheme/
Breaches/Hacks/Leaks
- BianLian Claims Credit For Two Health Data Hacks
"Cybercriminal gang BianLian claims to have stolen patient information in two recent hacks of an Alabama-based ophthalmology practice and a California dental clinic. The two incidents affected nearly 150,000 people and are among the extortion group's latest attacks on the healthcare sector. Alabama Ophthalmology Associates reported its breach to the U.S. Department of Health and Human Services on April 8 as a hacking incident involving a network server and desktop computer affecting nearly 132,000 people."
https://www.bankinfosecurity.com/bianlian-claims-credit-for-two-health-data-hacks-a-28374
- US Deportation Airline GlobalX Confirms Hack
"Global Crossing Airlines, a US airline operating as GlobalX, has confirmed detecting a breach after hackers leaked data allegedly stolen from its systems. GlobalX was in the news recently for playing an important role in the Trump administration’s deportation campaign, particularly the controversial deportations of Venezuelan gang members to El Salvador. The charter airline’s systems were recently targeted by hackers claiming to be part of the Anonymous movement. The hacktivists defaced one of GlobalX’s subdomains, accusing the company over its role in the deportations. In addition, the hackers claimed to have obtained flight records and passenger lists, which they leaked to the media."
https://www.securityweek.com/us-deportation-airline-globalx-confirms-hack/
https://therecord.media/airline-carrying-out-deportation-flights-confirms-cyberattack-sec
https://hackread.com/anonymous-hackers-flight-data-us-deportation-airline-globalx/
https://www.theregister.com/2025/05/12/globalx_security_incident/
- Fears 'Hackers Still In The System' Leave Co-Op Shelves Running Empty Across UK
"Grocery shelves at the Co-op retail chain are increasingly depleted in spots across the United Kingdom as the company continues to respond to an attempted cyberattack detected two weeks ago. Recorded Future News understands that the company fears the hackers still have access to its network and is keeping some critical logistics systems offline, preventing shops from getting resupplied with many goods."
https://therecord.media/co-op-cyberattack-uk-company-fears-hackers-still-in-system
General News
- April 2025 Trends Report On Phishing Emails
"This report provides statistics, trends, and case details on the distribution volume and attachment threats of phishing emails collected and analyzed in April 2025. The following is a part of the statistics and cases included in the original report."
https://asec.ahnlab.com/en/87895/
- A Subtle Form Of Siege: DDoS Smokescreens As a Cover For Quiet Data Breaches
"DDoS attacks have long been dismissed as blunt instruments, favored by script kiddies and hacktivists for their ability to overwhelm and disrupt. But in today's fragmented, hybrid-cloud environments, they've evolved into something far more cunning: a smokescreen. What looks like digital vandalism may actually be a coordinated diversion, engineered to distract defenders from deeper breaches in progress."
https://www.tripwire.com/state-of-security/subtle-form-siege-ddos-smokescreens-cover-quiet-data-breaches
- Why Security Teams Cannot Rely Solely On AI Guardrails
"In this Help Net Security interview, Dr. Peter Garraghan, CEO of Mindgard, discusses their research around vulnerabilities in the guardrails used to protect large AI models. The findings highlight how even billion-dollar LLMs can be bypassed using surprisingly simple techniques, including emojis. To defend against prompt injection, many LLMs are wrapped in guardrails that inspect and filter prompts. But these guardrails are typically AI-based classifiers themselves, and, as Mindgard’s study shows, they are just as vulnerable for certain types of attacks."
https://www.helpnetsecurity.com/2025/05/12/peter-garraghan-mindgard-ai-guardrails/
- How To Give Better Cybersecurity Presentations (Without Sounding Like a Robot)
"Most people think great presenters are born with natural talent. Luka Krejci, a presentation expert, disagrees. “They are called presentation skills. Skills, not talent,” he says. “Any skill, be it dancing, football, or presenting, can be developed only if you commit and practice.” So, the first step is obvious: Quit avoiding presentations. The more you do them, the better you’ll get."
https://www.helpnetsecurity.com/2025/05/12/how-to-give-better-cybersecurity-presentations/
- Unending Ransomware Attacks Are a Symptom, Not The Sickness
"It's been a devastating few weeks for UK retail giants. Marks and Spencer, the Co-Op, and now uber-posh Harrods have had massive disruptions due to ransomware attacks taking systems down for prolonged periods. If the goods these people sold were one-tenth as shoddy as their corporate cybersecurity, they'd have been out of business years ago. It's a wake-up call, says the UK's National Center for Stating the Obvious. And what will happen? The industry will just press the snooze button again, as we hear reports that other retailers are "patching like crazy.""
https://www.theregister.com/2025/05/12/opinion_column_ransomware/
- Moldova Arrests Suspect Linked To DoppelPaymer Ransomware Attacks
"Moldovan authorities have detained a 45-year-old suspect linked to DoppelPaymer ransomware attacks targeting Dutch organizations in 2021. Police officers searched the suspect's home and car on May 6, seizing an electronic wallet, €84,800, two laptops, a mobile phone, a tablet, six bank cards, and multiple data storage devices. The suspect remains in custody, while Moldovan prosecutors have initiated legal procedures to extradite him to the Netherlands."
https://www.bleepingcomputer.com/news/security/moldova-arrests-suspect-linked-to-doppelpaymer-ransomware-attacks/
https://therecord.media/moldova-arrest-suspect-ransomware-attacks-netherlands
- Ransomware Reloaded: Why 2025 Is The Most Dangerous Year Yet
"May 12 marks Anti-Ransomware Day, a global awareness initiative created by INTERPOL and Kaspersky to commemorate the 2017 WannaCry outbreak. That infamous ransomware campaign crippled hundreds of thousands of systems worldwide, from UK hospitals to global logistics networks, and its modern descendants are more dangerous, stealthier and relentlessly adaptive. While WannaCry marked a turning point, it was just the beginning of ransomware’s evolution into today’s multibillion dollar criminal enterprise. As we mark this year’s Anti-Ransomware Day, it’s time to look at how the threat has changed — and what lies ahead."
https://blog.checkpoint.com/security/ransomware-reloaded-why-2025-is-the-most-dangerous-year-yet-2/
- AI, Agents, And The Future Of Cyber Security
"In just a few short years, the breakneck speed of advancements in AI have transformed nearly every industry, including cyber security. The pace of acceleration has forced IT and business leaders to rethink approaches to some of the most sensitive areas of their business operations, including workload management, innovation and DevOps, workplace mobility, and security. Understanding how to plan and optimize for the continued evolution of AI and cloud deployments—as well as how to incorporate Agentic AI into cyber defenses and protect against malicious use—is now mission-critical for every modern business. Securing this new and shifting IT estate is a top priority not just for CIOs and CISOs, but the entire C-suite."
https://blog.checkpoint.com/artificial-intelligence/ai-agents-and-the-future-of-cyber-security/
- Measuring The US-China AI Gap
"China has stated its ambition to become the world leader in artificial intelligence (AI) by 2030, a goal that encompasses not only the performance of individual AI models that often attract significant media attention but also AI innovation broadly and widespread adoption of AI for economic and geopolitical benefit. Based on an analysis of key industry pillars informing the US-China competition for AI supremacy — including government and venture capital (VC) funding, industry regulation, talent, technology diffusion, model performance, and compute capacity — Insikt Group assesses that China is unlikely to sustainably surpass the United States (US) on its desired timeline."
https://www.recordedfuture.com/research/measuring-the-us-china-ai-gap
https://www.darkreading.com/cyber-risk/can-cybersecurity-keep-up-ai-arms-race
- Software Code Of Practice: Building a Secure Digital Future
"There are many things commercial enterprises can do to make their technology products more secure. But in reality, we know cyber security is just one of multiple risks that modern businesses have to juggle. As we explained in the NCSC 2024 Annual Review, technology markets do not incentivise organisations to develop software that is ‘secure by default’. Many standard cyber security features (such as multi-factor authentication or single sign-on) are often deemed ‘premium add-ons', rather than being a fundamental component of the offering."
https://www.ncsc.gov.uk/blog-post/software-code-of-practice-building-a-secure-digital-future
https://www.ncsc.gov.uk/section/software-security-code-of-practice
https://www.darkreading.com/application-security/uk-security-guidelines-boost-software-development
- NSO Group's Legal Loss May Do Little To Curtail Spyware
"A California jury's award of $168 million in punitive and compensatory damages to Meta-owned WhatsApp in its lawsuit against spyware purveyor NSO Group highlights that judges and juries have little tolerance for the increasingly popular hack-and-surveil tactics of governments and their commercial providers."
https://www.darkreading.com/endpoint-security/nso-groups-legal-loss-curtail-spyware
- Russia's 'Outsourced' Bulgarian Spy Ring Sentenced To More Than 50 Years In UK
"Six members of an “outsourced” spy ring operating in Britain on behalf of the Kremlin were sentenced to a combined 50 years in prison on Monday for activities they’d engaged in under the direction of the Russian state. The sentences are the most significant to be handed down in recent years to proxies used by Russia’s intelligence services, a practice the Kremlin is believed to have doubled-down on following widespread disruption to its traditional intelligence activities in Europe after many of its spies with diplomatic cover were expelled from host nations following the invasion of Ukraine."
https://therecord.media/bulgarian-members-russian-spy-ring-sentenced-uk
References
Electronic Transactions Development Agency (ETDA)
- SPIRE: Toolchain Of APIs For Establishing Trust Between Software Systems