Cyber Threat Intelligence 22 January 2025
Healthcare Sector
- European Action Plan On The Cybersecurity Of Hospitals And Healthcare Providers
"On 15 January 2024, the Commission launched a European action plan to strengthen the cybersecurity of hospitals and healthcare providers. Part of the Political Guidelines of the 2024-2029 Commission mandate, the action plan focuses on improving threat detection, preparedness, and crisis response in the healthcare sector. It aims to provide tailored guidance, tools, services, and training to hospitals and healthcare providers. Several specific actions will be rolled out progressively in 2025 and 2026, in collaboration with health providers, Member States, and the cybersecurity community. This initiative marks the first sector-specific initiative to deploy the full range of EU cybersecurity measures."
https://digital-strategy.ec.europa.eu/en/library/european-action-plan-cybersecurity-hospitals-and-healthcare-providers
Industrial Sector
- Traffic Alert And Collision Avoidance System (TCAS) II
"Successful exploitation of these vulnerabilities could allow an attacker to manipulate safety systems and cause a denial-of-service condition."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-021-01
- Siemens SIMATIC S7-1200 CPUs
"Successful exploitation of this vulnerability could allow an unauthenticated attacker to change the CPU mode by tricking a legitimate and authenticated user with sufficient permissions on the target CPU to click on a malicious link."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-021-02
- ZF Roll Stability Support Plus (RSSPlus)
"Successful exploitation of this vulnerability could allow an unauthenticated attacker to remotely (proximal/adjacent with RF equipment) call diagnostic functions which could impact both the availability and integrity."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-021-03
New Tooling
- Fleet: Open-Source Platform For IT And Security Teams
"Fleet is an open-source platform for IT and security teams managing thousands of computers. It’s designed to work seamlessly with APIs, GitOps, webhooks, and YAML configurations. Fleet provides a single platform to secure and maintain all computing devices over the air. It offers a centralized solution, from mobile device management (MDM) to patching and verifying systems. It’s trusted in production environments. Deployments range from tens of thousands of hosts to large-scale environments supporting over 400,000 hosts."
https://www.helpnetsecurity.com/2025/01/21/fleet-open-source-platform-it-security-teams/
https://github.com/fleetdm/fleet
Vulnerabilities
- Oracle To Address 320 Vulnerabilities In January Patch Update
"Software giant Oracle is expected to release patches for 320 new security vulnerabilities affecting over 90 products and services across 27 categories. These categories include Oracle’s Communications applications and executives, Construction and Engineering appliances, middleware and servers, and products and services part of the Oracle E-Business Suite. According to a pre-release announcement, the concerned vulnerabilities range from low – with some being attributed CVSS scores between 4 and 6 – to critical severity."
https://www.infosecurity-magazine.com/news/oracle-320-vulnerabilities-january/
- JoCERT Issues Warning On Exploitable Command Injection Flaws In HPE Aruba Products
"JoCERT has issued an alert regarding critical command injection vulnerabilities discovered in HPE Aruba’s 501 Wireless Client Bridge. The vulnerabilities, tracked as CVE-2024-54006 and CVE-2024-54007, allow authenticated attackers with administrative privileges to execute arbitrary commands on the device’s underlying operating system. These flaws have been rated as high severity (CVSS score: 7.2) and pose a significant risk if left unaddressed. A publicly released proof-of-concept (PoC) exploit further amplifies the urgency for organizations using affected devices to take immediate action."
https://cyble.com/blog/jocert-warns-of-hpe-aruba-command-injection-flaws/
https://jocert.ncsc.jo/EN/ListDetails/Security_Alerts__Advisorites/1203/87
- 7-Zip Fixes Bug That Bypasses Windows MoTW Security Warnings, Patch Now
"A high-severity vulnerability in the 7-Zip file archiver allows attackers to bypass the Mark of the Web (MotW) Windows security feature and execute code on users' computers when extracting malicious files from nested archives. 7-Zip added support for MotW in June 2022, starting with version 22.00. Since then, it has automatically added MotW flags (special 'Zone.Id' alternate data streams) to all files extracted from downloaded archives. This flag informs the operating system, web browsers, and other applications that files may come from untrusted sources and should be treated with caution."
https://www.bleepingcomputer.com/news/security/7-zip-fixes-bug-that-bypasses-the-windows-motw-security-mechanism-patch-now/
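The practical check that follows the excerpt above is to confirm, after extracting a downloaded archive, that the mark actually reached the extracted files. The flag is an NTFS alternate data stream named Zone.Identifier whose body is INI text (`[ZoneTransfer]`, `ZoneId=3` for the Internet zone); a file that lacks the stream gets neither a SmartScreen prompt nor Office Protected View. The script below is an added example written for this page, not code from the BleepingComputer article or the 7-Zip project; the default `$ExtractDir` path is an assumption, and the optional `-Remark` switch re-applies the mark to any file found without one.

```powershell
# Added example (not from the article or 7-Zip): audit an extraction folder for
# files missing the Mark of the Web. Windows PowerShell 5.1 / PowerShell 7 on NTFS.
# $ExtractDir is an assumed path; point it at the folder you extracted into.
param(
    [string]$ExtractDir = "$env:USERPROFILE\Downloads\extracted",
    [switch]$Remark        # when set, write ZoneId=3 onto unmarked files
)

function Get-ZoneId {
    # Returns the numeric ZoneId from the Zone.Identifier stream, or $null when the
    # file carries no mark. Get-Content throws on a missing stream, hence the
    # SilentlyContinue so an unmarked file is reported rather than aborting the run.
    param([Parameter(Mandatory)][string]$Path)
    $lines = Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $lines) { return $null }
    foreach ($line in $lines) {
        if ($line -match '^ZoneId=(\d+)\s*$') { return [int]$Matches[1] }
    }
    return $null
}

# Walk every extracted file, including those from nested archives, and classify it.
# Zone 3 = Internet, 4 = Restricted; anything below that is treated as local/trusted.
$report = Get-ChildItem -Path $ExtractDir -File -Recurse | ForEach-Object {
    $zone = Get-ZoneId -Path $_.FullName
    [pscustomobject]@{
        File   = $_.FullName
        ZoneId = $zone
        Marked = ($null -ne $zone -and $zone -ge 3)
    }
}

$report | Format-Table -AutoSize

$unmarked = @($report | Where-Object { -not $_.Marked })
if ($unmarked.Count -gt 0) {
    Write-Warning ("{0} extracted file(s) carry no Mark of the Web; treat them as untrusted." -f $unmarked.Count)
    foreach ($entry in $unmarked) {
        Write-Warning "  $($entry.File)"
        if ($Remark) {
            # Re-apply the Internet-zone mark so SmartScreen and Protected View still fire.
            Set-Content -Path $entry.File -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"
        }
    }
}
```

Two caveats: alternate data streams exist only on NTFS, so files extracted onto FAT32/exFAT or a network share that strips streams will always show as unmarked; and the outer archive itself must have been marked by the browser for any propagation to be expected at all, so run `Get-ZoneId` on the downloaded archive first when the whole tree reports clean.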
Malware
- Medusa Ransomware: What You Need To Know
"Medusa is a ransomware-as-a-service (RaaS) platform that first came to prominence in 2023. The ransomware impacts organisations running Windows, predominantly exploiting vulnerable and unpatched systems and hijacking accounts through initial access brokers."
https://www.tripwire.com/state-of-security/medusa-ransomware-what-you-need-know
- Sophos MDR Tracks Two Ransomware Campaigns Using “Email Bombing,” Microsoft Teams “Vishing”
"Sophos X-Ops’ Managed Detection and Response (MDR) is actively responding to incidents tied to two separate groups of threat actors, each of which has used the functionality of Microsoft’s Office 365 platform to gain access to targeted organizations with the likely goal of stealing data and deploying ransomware. Sophos MDR began investigating these two separate clusters of activity in response to customer incidents in November and December 2024. Sophos is tracking these threats as STAC5143 and STAC5777. Both threat actors operated their own Microsoft Office 365 service tenants as part of their attacks and took advantage of a default Microsoft Teams configuration that permits users on external domains to initiate chats or meetings with internal users."
https://news.sophos.com/en-us/2025/01/21/sophos-mdr-tracks-two-ransomware-campaigns-using-email-bombing-microsoft-teams-vishing/
https://therecord.media/fake-tech-support-russian-hackers-microsoft-teams
https://www.bleepingcomputer.com/news/security/ransomware-gangs-pose-as-it-support-in-microsoft-teams-phishing-attacks/
https://www.darkreading.com/cyberattacks-data-breaches/email-bombing-vishing-tactics-abound-microsoft-365-attacks
https://www.helpnetsecurity.com/2025/01/21/ransomware-attackers-are-vishing-organizations-via-microsoft-teams-email-bombing/
https://www.infosecurity-magazine.com/news/ransomware-email-bombing-teams/
https://cyberscoop.com/ransomware-groups-pose-as-fake-tech-support-over-teams/
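The configuration the Sophos item above describes is Teams external access (federation): by default any Microsoft 365 tenant may open a chat or call with your users, which is what let attacker-operated tenants pose as IT support. The snippet below is an added example for this page, not code from Sophos or Microsoft, showing how to read that setting and replace open federation with an explicit allowlist. It assumes the MicrosoftTeams PowerShell module and a Teams administrator account; the two partner domains are placeholders.

```powershell
# Added example (not from the Sophos report): inspect and tighten Teams external
# access. Requires the MicrosoftTeams module and a Teams admin role.
Import-Module MicrosoftTeams
Connect-MicrosoftTeams

# 1. Show the current federation settings. The permissive default is
#    AllowFederatedUsers = True with AllowedDomains = AllowAllKnownDomains,
#    i.e. any other tenant can start a chat or meeting with internal users.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowedDomains, BlockedDomains,
                  AllowTeamsConsumer, AllowTeamsConsumerInbound, ExternalAccessWithTrialTenants

# 2. Replace "all known domains" with an explicit allowlist of partner tenants,
#    block chats from personal (consumer) Teams accounts, and refuse tenants that
#    are still on a trial subscription, which is the cheapest kind for an attacker to spin up.
$partnerDomains = @('partner-one.example', 'partner-two.example')   # placeholders
Set-CsTenantFederationConfiguration `
    -AllowFederatedUsers $true `
    -AllowedDomainsAsAList $partnerDomains `
    -AllowTeamsConsumer $false `
    -AllowTeamsConsumerInbound $false `
    -ExternalAccessWithTrialTenants Blocked

# 3. Re-read the configuration to confirm the allowlist replaced the open default.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowedDomains, AllowTeamsConsumer, ExternalAccessWithTrialTenants
```

If the business needs federation with tenants you cannot enumerate, the weaker fallback is to keep `AllowAllKnownDomains` and add attacker tenants to `-BlockedDomains` as they are seen, but that only helps after the first incident; an allowlist removes the initial-access path the report describes. The email-bombing half of the attack is a mail-flow problem and is not addressed by this setting.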
https://www.securityweek.com/ransomware-groups-abuse-microsoft-services-for-initial-access/
- Fake Homebrew Google Ads Target Mac Users With Malware
"Hackers are once again abusing Google ads to spread malware, using a fake Homebrew website to infect Macs and Linux devices with an infostealer that steals credentials, browser data, and cryptocurrency wallets. The malicious Google ads campaign was spotted by Ryan Chenkie, who warned on X about the risk of malware infection. The malware used in this campaign is AmosStealer (aka 'Atomic'), an infostealer designed for macOS systems and sold to cyber criminals as a subscription of $1,000/month."
https://www.bleepingcomputer.com/news/security/fake-homebrew-google-ads-target-mac-users-with-malware/
- Mass Campaign Of Murdoc Botnet Mirai: A New Variant Of Corona Mirai
"The Qualys Threat Research Unit has uncovered a large-scale, ongoing operation within the Mirai campaign, dubbed Murdoc Botnet. This variant exploits vulnerabilities targeting AVTECH Cameras and Huawei HG532 routers. It demonstrates enhanced capabilities, exploiting vulnerabilities to compromise devices and establish expansive botnet networks. In this blog, we will explore Murdoc Botnet’s propagation methods and attack vectors."
https://blog.qualys.com/vulnerabilities-threat-research/2025/01/21/mass-campaign-of-murdoc-botnet-mirai-a-new-variant-of-corona-mirai
https://thehackernews.com/2025/01/murdocbotnet-found-exploiting-avtech-ip.html
https://www.darkreading.com/cyberattacks-data-breaches/mirai-botnet-spinoffs-global-wave-ddos-attacks
https://www.bankinfosecurity.com/new-mirai-variant-targets-flaws-in-cameras-routers-a-27343
https://hackread.com/mirai-variant-murdoc-botnet-ddos-attacks-iot-exploits/
https://securityaffairs.com/173294/cyber-crime/new-mirai-botnet-variant-murdoc-botnet-targets-avtech-ip-cameras-and-huawei-hg532-routers.html
https://www.infosecurity-magazine.com/news/mirai-variant-targets-cameras/
- Facilitating Phishing And Pig Butchering Activities Using Zendesk Infrastructure [Bait & Switch Mode]
"Phishing campaigns and "pig butchering" scams have increasingly exploited Zendesk's SaaS infrastructure, leveraging its free trial subdomains to mimic legitimate brands and deceive unsuspecting users. By registering subdomains with brand-like names, attackers create authentic-looking interfaces to facilitate phishing, data theft, and financial fraud. This misuse is compounded by B2B marketing tools that assist in gathering employee emails, and by Zendesk's lack of email verification for ticket assignments, which allows phishing emails to bypass spam filters. To mitigate these risks, organizations must implement proactive measures such as blacklisting unknown Zendesk instances, utilizing detection tools like XVigil, and educating employees about phishing tactics."
https://www.cloudsek.com/blog/facilitating-phishing-and-pig-butchering-activities-using-zendesk-infrastructure-bait-switch-mode
https://www.infosecurity-magazine.com/news/zendesk-subdomains-facilitate/
Breaches/Hacks/Leaks
- Government IT Contractor Conduent Says 'Third-Party Compromise' Caused Outages
"A recent outage affecting the government technology contractor Conduent was due to a cyberattack that compromised the company’s operating systems. A Conduent spokesperson told Recorded Future News the company recently “experienced an operational disruption due to a third-party compromise” of one of their operating systems. “This compromise was quickly contained and our technology environment is currently considered to be free of known malicious activity as confirmed by our third-party security experts,” the spokesperson said."
https://therecord.media/government-contractor-conduent-outage-compromise
- Russian Telecom Giant Rostelecom Investigates Suspected Cyberattack On Contractor
"A major Russian telecommunications provider, Rostelecom, said that it is investigating a suspected cyberattack on one of its contractors after hackers claimed to have leaked the company's data. Earlier on Tuesday, the hacker group, which calls itself Silent Crow, published a data dump containing thousands of customer emails and phone numbers allegedly stolen from Rostelecom. The company stated that the contractor is responsible for maintaining Rostelecom’s corporate website and procurement portal, both of which were reportedly targeted by hackers."
https://therecord.media/rostelecom-russia-contractor-data-breach
- Students, Educators Impacted By PowerSchool Data Breach
"California-based education tech giant PowerSchool is notifying students and educators that their personal information was compromised in a December 2024 data breach. The incident, the company says, was identified on December 28 and only involved its Student Information System (SIS) environments, which were accessed through the PowerSource community-focused customer support portal. According to PowerSchool, the incident did not cause operational disruption and no other products beyond PowerSchool SIS were affected."
https://www.securityweek.com/students-educators-impacted-by-powerschool-data-breach/
https://www.theregister.com/2025/01/22/powerschool_canada_lawsuits/
General News
- Scam Yourself Attacks: How Social Engineering Is Evolving
"We’ve entered a new era where verification must come before trust, and for good reason. Cyber threats are evolving rapidly, and one of the trends getting a fresh reboot in 2025 is the “scam yourself” attacks. These aren’t your run-of-the-mill phishing scams. They are a sophisticated evolution of social engineering designed to deceive even the most tech-savvy users. Attackers exploit our routines, trust, overconfidence, and complacency to manipulate us into becoming unwitting accomplices in our own compromise."
https://www.helpnetsecurity.com/2025/01/21/scam-yourself-attacks/
- Addressing The Intersection Of Cyber And Physical Security Threats
"In this Help Net Security interview, Nicholas Jackson, Director of Cyber Operations at Bitdefender, discusses how technologies like AI, quantum computing, and IoT are reshaping cybersecurity. He shares his perspective on the new threats these advancements bring and offers practical advice for organizations to stay prepared."
https://www.helpnetsecurity.com/2025/01/21/nicholas-jackson-bitdefender-emerging-technologies-threats/
- Record-Breaking 5.6 Tbps DDoS Attack And Global DDoS Trends For 2024 Q4
"Welcome to the 20th edition of the Cloudflare DDoS Threat Report, marking five years since our first report in 2020. Published quarterly, this report offers a comprehensive analysis of the evolving threat landscape of Distributed Denial of Service (DDoS) attacks based on data from the Cloudflare network. In this edition, we focus on the fourth quarter of 2024 and look back at the year as a whole."
https://blog.cloudflare.com/ddos-threat-report-for-2024-q4/
https://www.bleepingcomputer.com/news/security/cloudflare-mitigated-a-record-breaking-56-tbps-ddos-attack/
- From Qualitative To Quantifiable: Transforming Cyber Risk Management For Critical Infrastructure
"Around the world, attacks against critical infrastructure have become increasingly common. More and more, these aggressions are carried out via mice and keyboards rather than bombs and missiles, such as with the 2021 ransomware attack on Colonial Pipeline. From a military strategy perspective, it’s easy to understand why, as cyberattacks against infrastructure can be executed remotely, cheaply, and with comparatively little risk, while having a debilitating effect across entire regions."
https://cyberscoop.com/from-qualitative-to-quantifiable-transforming-cyber-risk-management-for-critical-infrastructure/
- Why CISOs Must Think Clearly Amid Regulatory Chaos
"In the high-stakes world of cybersecurity, the ground is shifting beneath the feet of those charged with protecting our digital infrastructure. First came the new Securities and Exchange Commission (SEC) rules and lawsuits related to cybersecurity. More recently, a US Supreme Court ruling promises to reshape the regulatory landscape, compelling federal officials to rethink their approach to cyber governance. Yet amid this whirlwind of change that has descended on the industry, it's critical for chief information security officers (CISOs) to remain steadfast and not be deterred — or discouraged — by this shift."
https://www.darkreading.com/cybersecurity-operations/cisos-must-think-clearly-amid-regulatory-chaos
- Redline, Vidar And Raccoon Malware Stole 1 Billion Passwords In 2024
"Cybersecurity researchers at Specops are delivering a global wake-up call over a major password-related issue: over 1 billion passwords were stolen by malware in the past year. According to Specops Software’s 2025 Specops Breached Password Report shared with Hackread.com ahead of its publishing on Tuesday, millions of stolen passwords met standard complexity requirements. The report also highlights the prevalence of malware-stolen credentials, with over a billion found in the last 12 months."
https://hackread.com/redline-vidar-raccoon-malware-stole-1-billion-passwords-2024/
- Cyber Insights 2025: Attack Surface Management
"Business transformation is redefining attack surface management (ASM). We can no longer simply define the Attack Surface (AS); but without that definition, how can we Manage it? “The attack surface of an organization represents all of the assets (physical, virtual or human) that a malicious actor can potentially use to breach an organization,” says Alex Hoff, co-founder and chief strategy officer at Auvik Networks."
https://www.securityweek.com/cyber-insights-2025-attack-surface-management/
- Under Lock And Key: Protecting Corporate Data From Cyberthreats In 2025
"There were over 3,200 data compromises in the United States in 2023, with 353 million victims, including those affected multiple times, according to the US Identity Theft Resource Center (ITRC). Each one of those individuals might be a customer that decides to take their business elsewhere as a result. Or an employee that reconsiders their position with your organization. That should be reason enough to prioritize data security efforts."
https://www.welivesecurity.com/en/business-security/under-lock-key-protecting-corporate-data-cyberthreats-2025/
- BreachForums Admin Conor Fitzpatrick (Pompompurin) To Be Resentenced
"Conor Brian Fitzpatrick, the 21-year-old founder of BreachForums, a notorious marketplace for stolen personal data, is set to be resentenced following a federal appeals court decision to vacate his previous punishment. The ruling comes after concerns that the original 17-day sentence failed to adequately reflect the seriousness of his crimes or serve as a deterrent."
https://hackread.com/breachforums-admin-conor-fitzpatrick-pompompurin-resentenced/
Reference
Electronic Transactions Development Agency (ETDA)