Cyber Threat Intelligence 06 February 2025
Financial Sector
- More Destructive Cyberattacks Target Financial Institutions
"Financial institutions will continue to be the ultimate targets for criminals and threat actors, as a successful attack offers a significant payoff, according to Contrast Security. Contrast Security has surveyed 35 of the world’s leading financial institutions to better understand their cyber threat landscape and the extent to which they are — or are not — addressing key threats."
https://www.helpnetsecurity.com/2025/02/05/financial-institutions-cybersecurity-incidents/
https://www.contrastsecurity.com/modern-bank-heists-report-2025-adr
https://www.infosecurity-magazine.com/news/destructive-attacks-banks-surge-13/
Industrial Sector
- Cyber Insights 2025: OT Security
"SecurityWeek’s Cyber Insights 2025 examines expert opinions on the expected evolution of more than a dozen areas of cybersecurity interest over the next 12 months. We spoke to hundreds of individual experts to gain their expert opinions. Here we discuss what to expect with operational technology (OT) cybersecurity. OT risk is more extreme than IT risk. It could lead to social chaos, harm to individuals, damage to the national economy, and threats to national security. Welcome to OT security."
https://www.securityweek.com/cyber-insights-2025-ot-security/
New Tooling
- OpenNHP: Cryptography-Driven Zero Trust Protocol
"OpenNHP is the open-source implementation of NHP (Network-resource Hiding Protocol), a cryptography-based zero trust protocol for safeguarding servers and data."
https://www.helpnetsecurity.com/2025/02/05/opennhp-cryptography-driven-zero-trust-protocol/
https://github.com/OpenNHP/opennhp
- Microsoft Script Updates Bootable Media For BlackLotus Bootkit Fixes
"Microsoft has released a PowerShell script to help Windows users and admins update bootable media so it utilizes the new "Windows UEFI CA 2023" certificate before the mitigations of the BlackLotus UEFI bootkit are enforced later this year. BlackLotus is a UEFI bootkit that can bypass Secure Boot and gain control over the operating system's boot process. Once in control, BlackLotus can disable Windows security features, such as BitLocker, Hypervisor-Protected Code Integrity (HVCI), and Microsoft Defender Antivirus, allowing it to deploy malware at the highest privilege level while remaining undetected."
https://www.bleepingcomputer.com/news/microsoft/microsoft-script-updates-bootable-media-for-blacklotus-bootkit-fixes/
Vulnerabilities
- Chrome 133, Firefox 135 Patch High-Severity Vulnerabilities
"Google and Mozilla on Tuesday announced the rollout of updates for the Chrome and Firefox browsers that address multiple high-severity memory safety vulnerabilities. Chrome 133 was promoted to the stable channel with 12 security fixes, including three for flaws reported by external researchers. Two of these bugs, tracked as CVE-2025-0444 and CVE-2025-0445, are use-after-free defects in the open source 2D graphics library Skia and the V8 JavaScript engine. The third issue is a medium-severity inappropriate implementation flaw in the Extensions API component."
https://www.securityweek.com/chrome-133-firefox-135-patch-high-severity-vulnerabilities/
- New Veeam Flaw Allows Arbitrary Code Execution Via Man-In-The-Middle Attack
"Veeam has released patches to address a critical security flaw impacting its Backup software that could allow an attacker to execute arbitrary code on susceptible systems. The vulnerability, tracked as CVE-2025-23114, carries a CVSS score of 9.0 out of 10.0. "A vulnerability within the Veeam Updater component that allows an attacker to utilize a Man-in-the-Middle attack to execute arbitrary code on the affected appliance server with root-level permissions," Veeam said in an advisory."
https://thehackernews.com/2025/02/new-veeam-flaw-allows-arbitrary-code.html
https://www.veeam.com/kb4712
- CISA Adds Four Known Exploited Vulnerabilities To Catalog
"CISA has added four new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
CVE-2024-45195 Apache OFBiz Forced Browsing Vulnerability
CVE-2024-29059 Microsoft .NET Framework Information Disclosure Vulnerability
CVE-2018-9276 Paessler PRTG Network Monitor OS Command Injection Vulnerability
CVE-2018-19410 Paessler PRTG Network Monitor Local File Inclusion Vulnerability"
https://www.cisa.gov/news-events/alerts/2025/02/04/cisa-adds-four-known-exploited-vulnerabilities-catalog
https://thehackernews.com/2025/02/cisa-adds-four-actively-exploited.html
https://www.bleepingcomputer.com/news/security/cisa-tags-microsoft-net-and-apache-ofbiz-bugs-as-exploited-in-attacks/
https://www.securityweek.com/cisa-issues-exploitation-warning-for-net-vulnerability/
https://securityaffairs.com/173889/security/u-s-cisa-adds-microsoft-net-framework-apache-ofbiz-paessler-prtg-network-monitor-flaws-known-exploited-vulnerabilities-catalog.html
- CISA Adds One Known Exploited Vulnerability To Catalog
"CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
CVE-2024-53104 Linux Kernel Out-of-Bounds Write Vulnerability"
https://www.cisa.gov/news-events/alerts/2025/02/05/cisa-adds-one-known-exploited-vulnerability-catalog
https://www.bleepingcomputer.com/news/security/cisa-orders-agencies-to-patch-linux-kernel-bug-exploited-in-attacks/
https://securityaffairs.com/173897/hacking/u-s-cisa-adds-linux-kernel-flaw-to-its-known-exploited-vulnerabilities-catalog.html
Malware
- Persistent Threats From The Kimsuky Group Using RDP Wrapper
"AhnLab SEcurity intelligence Center (ASEC) has previously analyzed cases of attacks by the Kimsuky group, which utilized the PebbleDash backdoor and their custom-made RDP Wrapper. The Kimsuky group has been continuously launching attacks of the same type, and this post will cover additional malware that have been identified."
https://asec.ahnlab.com/en/86098/
- When Data Tools Become Dangerous: MS Power BI Links Used In Phishing Campaigns
"Phishing scams are evolving rapidly, and a recent campaign highlights just how inventive these attacks can be. The Cofense Phishing Defense Center (PDC) has spotted a phishing scheme that uses SharePoint links to lead unsuspecting employees to what looks like a legitimate Power BI report. The catch? These links are designed to steal users’ credentials, preying on those who trust their workplace tools."
https://cofense.com/blog/when-data-tools-become-dangerous-ms-power-bi-links-used-in-phishing-campaigns
- Mobile Indian Cyber Heist: FatBoyPanel And His Massive Data Breach
"The zLabs research team has discovered a mobile malware campaign consisting of almost 900 malware samples primarily targeting users of Indian banks. Analysis of the collected samples reveals shared code structures, user interface elements, and app logos, suggesting a coordinated effort by a single threat actor targeting mobile devices running the Android OS. Zimperium’s dynamic, on-device detection engine successfully detected multiple instances of this malware, categorizing them as Trojan Bankers specifically designed to target financial institutions in India."
https://www.zimperium.com/blog/mobile-indian-cyber-heist-fatboypanel-and-his-massive-data-breach/
https://hackread.com/banking-malware-live-numbers-hijack-otp-50000-victims/
https://www.infosecurity-magazine.com/news/mobile-malware-indian-banks/
- Take My Money: OCR Crypto Stealers In Google Play And App Store
"In March 2023, researchers at ESET discovered malware implants embedded into various messaging app mods. Some of these scanned users’ image galleries in search of crypto wallet access recovery phrases. The search employed an OCR model which selected images on the victim’s device to exfiltrate and send to the C2 server. The campaign, which targeted Android and Windows users, saw the malware spread through unofficial sources. In late 2024, we discovered a new malware campaign we dubbed “SparkCat”, whose operators used similar tactics while attacking Android and iOS users through both official and unofficial app stores."
https://securelist.com/sparkcat-stealer-in-app-store-and-google-play/115385/
https://www.bleepingcomputer.com/news/mobile/crypto-stealing-apps-found-in-apple-app-store-for-the-first-time/
https://securityaffairs.com/173873/malware/sparkcat-campaign-target-crypto-wallets.html
https://www.helpnetsecurity.com/2025/02/05/crypto-stealing-ios-android-malware-found-on-app-store-google-play-sparkcat-malicious-sdk/
- Lazarus Group Targets Organizations With Sophisticated LinkedIn Recruiting Scam
"Bitdefender Labs warns of an active campaign by the North Korea-linked Lazarus Group, targeting organizations by capturing credentials and delivering malware through fake LinkedIn job offers. LinkedIn may be a vital tool for job seekers and professionals, but it has also become a playground for cybercriminals exploiting its credibility. From fake job offers and elaborate phishing schemes to scams and even state-sponsored threat actors who prey on people’s career aspirations and trust in professional networks. To shed light on such scenarios, this article delves into the deceptive tactics of a failed "recruitment" operation on LinkedIn, where the attackers made one critical mistake: they targeted a Bitdefender researcher who quickly uncovered their malicious intent."
https://www.bitdefender.com/en-us/blog/labs/lazarus-group-targets-organizations-with-sophisticated-linkedin-recruiting-scam
https://thehackernews.com/2025/02/cross-platform-javascript-stealer.html
https://securityaffairs.com/173902/apt/lazarus-cross-platform-javascript-stealer-crypto-wallets.html
- Silent Lynx APT Targets Various Entities Across Kyrgyzstan & Neighbouring Nations
"Seqrite Labs APT-Team has recently uncovered two fresh campaigns of a new threat group, which we have dubbed as Silent Lynx. This threat group has previously targeted entities around Eastern Europe and Central Asian government think tanks involved in economic decision making & banking sector. The campaign is targeted towards one of the nations which is a part of SPECA (Special Programme for the Economies of Central Asia) aka Kyrgyzstan, where the threat group delivered UN-Themed lure targeting the government entities of National Bank of Kyrgyz Republic, while the second campaign targets Ministry of Finance of Kyrgyzstan."
https://www.seqrite.com/blog/silent-lynx-apt-targeting-central-asian-entities/
https://thehackernews.com/2025/02/silent-lynx-using-powershell-golang-and.html
- AsyncRAT Reloaded: Using Python And TryCloudflare For Malware Delivery Again
"The Forcepoint X-Labs research team recently identified another AsyncRAT malware campaign that leverages malicious payloads delivered through suspicious TryCloudflare quick tunnels and Python packages. This campaign bears similarities to the attack we discovered and analysed back in August. This blog serves as a continuation of our earlier findings, offering deeper insights into this evolving threat. The use of TryCloudflare in this campaign reinforces our X-Labs prediction from the 2025 Future Insights series, which anticipated that legitimate infrastructure would be exploited in malicious campaigns."
https://www.forcepoint.com/blog/x-labs/asyncrat-reloaded-python-trycloudflare-malware
https://thehackernews.com/2025/02/asyncrat-campaign-uses-python-payloads.html
- GetSmoked: UAC-0006 Returns With SmokeLoader Targeting Ukraine's Largest State-Owned Bank
"UAC-0006, a financially motivated cyber threat group, has resurfaced with a sophisticated phishing campaign targeting customers of Ukraine’s largest state-owned bank, PrivatBank. This campaign exploits password-protected archives containing malicious JavaScript, VBScript, and LNK files to bypass detection and deploy the SmokeLoader malware via process injection and PowerShell execution. With strong overlaps in tactics, techniques, and procedures (TTPs) with the notorious FIN7 and other Russian APTs, UAC-0006 aims to steal credentials and financial data while maintaining persistent access to compromised systems. Organizations must stay vigilant, enhance security awareness, and implement robust threat intelligence to counteract this growing cyber threat."
https://www.cloudsek.com/blog/getsmoked-uac-0006-returns-with-smokeloader-targeting-ukraines-largest-state-owned-bank
https://www.infosecurity-magazine.com/news/phishing-campaign-targets-ukraines/
Breaches/Hacks/Leaks
- Small Business Owners, Secure Your Web Shop
"An online shop is more than just another way to sell your products. It comes with a responsibility to keep the web shop secure. Cybercriminals are looking to steal your customers’ credit card details, their personal data, and even your revenue. And it’s not as if using a platform that is used by major retailers makes it safe. Platforms like Shopify, Wix, and Magento are always under scrutiny of cybercriminals that are looking for a vulnerability that allows them to insert skimmers or get access to your database."
https://www.malwarebytes.com/blog/news/2025/02/small-business-owners-secure-your-web-shop
- Thousands Of McKinney, Texas, Residents Impacted By October Data Breach
"A large suburb of Dallas informed thousands of residents that a cyberattack in October exposed sensitive information. The city of McKinney, about 35 minutes outside of Dallas, said its government systems were breached on October 31 but security systems only discovered the attack on November 14. City officials did not respond to requests for comment about whether it was a ransomware attack or if the hackers identified themselves. After the incident was discovered, the city’s IT team “severed any unauthorized activity” and contacted the FBI, Department of Homeland Security, and Texas Department of Information."
https://therecord.media/thousands-mckinney-texas-residents-impacted
- International Civil Aviation Organization (ICAO) And ACAO Breached: Cyberespionage Groups Targeting Aviation Safety Specialists
"The International Civil Aviation Organization (ICAO), a specialized agency of the United Nations, is investigating a significant data breach that has raised concerns about the security of its systems and employees data. In the updated statement published by ICAO, the agency said it is “actively investigating reports of a potential information security incident allegedly linked to a threat actor known for targeting international organizations.” This comes after an individual claimed in a January 5 post on a popular hacking forum to have accessed 42,000 documents from ICAO, including personal information (PII)."
https://securityaffairs.com/173863/data-breach/icao-and-acao-breached-cyberespionage-groups-targeting-aviation-safety-specialists.html
General News
- Spain Arrests Suspected Hacker Of US And Spanish Military Agencies
"The Spanish police have arrested a suspected hacker in Alicante for allegedly conducting 40 cyberattacks targeting critical public and private organizations, including the Guardia Civil, the Ministry of Defense, NATO, the US Army, and various universities. Spanish media reports that the suspect was brought before a court and subsequently released after having his passport confiscated to prevent him from leaving the country. The investigation into the suspect's activities was launched in early 2024 following a report about a data leak from a Madrid business association, pointing to leaks on dark web forums where the suspect used various aliases to obfuscate his trace."
https://www.bleepingcomputer.com/news/legal/spain-arrests-suspected-hacker-of-us-and-spanish-military-agencies/
https://therecord.media/spanish-police-hacker-army-nato
- 35% Year-Over-Year Decrease In Ransomware Payments, Less Than Half Of Recorded Incidents Resulted In Victim Payments
"The ransomware landscape experienced significant changes in 2024, with cryptocurrency continuing to play a central role in extortion. However, the total volume of ransom payments decreased year-over-year (YoY) by approximately 35%, driven by increased law enforcement actions, improved international collaboration, and a growing refusal by victims to pay."
https://www.chainalysis.com/blog/crypto-crime-ransomware-victim-extortion-2025/
https://therecord.media/ransomware-payments-drop-2024-chainalysis-report
https://www.bleepingcomputer.com/news/security/ransomware-payments-fell-by-35-percent-in-2024-totalling-813-550-000/
https://cyberscoop.com/ransomware-payments-drop-35-percent-2024-chainalysis/
https://www.infosecurity-magazine.com/news/ransomware-payments-decline/
- Will Law Enforcement Success Against Ransomware Continue In 2025?
"Throughout 2024, law enforcement agencies worldwide intensified their fight against cybercrime, leading to significant arrests and takedowns of major cybercriminal groups. Q4 alone saw a substantial flurry of actions. On October 1, 2024, authorities arrested four individuals linked to the notorious LockBit ransomware gang, including a developer, a bulletproof hosting service administrator, and two other affiliates. This followed formal sanctions imposed by the U.S. Treasury Department on LockBit members, marking a major step in disrupting the group's global operations. Later in the month, on October 28, Dutch law enforcement executed Operation Magnus, successfully seizing the infrastructure of Redline and Meta Infostealer, two malware-as-a-service platforms used to steal sensitive credentials."
https://www.coveware.com/blog/2025/1/31/q4-report
https://www.bankinfosecurity.com/blogs/ransomware-victims-who-pay-ransom-drops-to-all-time-low-p-3806
- Thailand Cuts Power Supply To Myanmar Scam Hubs
"Thailand cut off power supply on Wednesday to three areas in Myanmar where online scamming hubs are concentrated. The cuts to fuel, internet and electricity target the scam hubs of Myawaddy, Payathonzu and Tachileik, where criminal syndicates have set up enclaves devoted to fraud. Last week, China’s Assistant Minister of Public Security Liu Zhongyi met with the Thai commissioner of the Cyber Crime Investigation Bureau where he reportedly called on the Thai government to do more to stop scamming activity in Myanmar. Thailand is a frequent transit route for people trafficked and forced to work in the compounds."
https://therecord.media/thailand-cuts-power-scam-compounds-myanmar
https://www.bankinfosecurity.com/blogs/thailand-to-cut-off-power-to-scam-centers-will-work-p-3807
- Infosec Pros: We Need CVSS, Warts And All
"A key pillar of a strong cybersecurity program is identifying vulnerabilities in the complex mix of software programs, packages, apps, and snippets driving all activities across an organization’s digital infrastructure. At the heart of spotting and fixing these flaws is the widely used Common Vulnerability Scoring System (CVSS), maintained by a nonprofit called the Forum of Incident Response and Security Teams (FIRST). CVSS is currently in its fourth iteration since its launch in 2005."
https://cyberscoop.com/cvss-criticism-cve-nvd-nist-epss/
- Why Cybersecurity Needs Probability, Not Predictions
"Many cybersecurity leaders kick off each new year with predictions for the year to come. You may have seen a deluge of them over the last month or so: "Cyberattacks will continue to be a problem." "This certain country will ban ransom payments." But as a cybersecurity company founder and CEO, as well as a licensed insurance broker, I believe that, instead of predictions, what we really need to protect ourselves is a better understanding of probability. Why? Predictions do not inspire solutions. Probabilities do."
https://www.darkreading.com/cyberattacks-data-breaches/why-cybersecurity-needs-probability-not-predictions
- How Are Modern Fraud Groups Using GenAI And Deepfakes?
"Question: How are modern fraud groups using generative artificial intelligence (GenAI) and deepfakes to steal millions of dollars? Answer: If you imagine a fake identity document, what springs to mind? Is it a faded World War II-era identity card with a false name written in neat script next to a black and white photo? Is it a driver's license from a state you had never actually been to with your photo and a fake name, address, and birthday that you showed to the bars in your college town so you could drink when you were underage? Sometimes those documents worked. Sometimes they didn't."
https://www.darkreading.com/vulnerabilities-threats/how-are-modern-fraud-groups-using-gen-ai-and-deepfakes
- Nigeria Touts Cyber Success, Even As Cybercrime Rises In Africa
"Nigeria's government has taken a tougher stance against financial fraud and cybercrime, arresting more than 1,000 people in the past year and successfully prosecuting 152 cases related to cyber-related fraud and scams. On Feb. 3, Nigeria's Economic and Financial Crimes Commission (EFCC) arraigned 42 foreign nationals — mainly Chinese and Filipino — on charges related to alleged cryptocurrency investment and romance fraud, part of a massive raid conducted in December 2024 against a purported cybercriminal syndicate of nearly 800 people."
https://www.darkreading.com/cyber-risk/nigeria-touts-cyber-success-african-cybercrime-rises
- Investors, Trump And The Illuminati: What The “Nigerian Prince” Scams Became In 2024
"“Nigerian” spam is a collective term for messages designed to entice victims with alluring offers and draw them into an email exchange with scammers, who will try to defraud them of their money. The original “Nigerian” spam emails were sent in the name of influential and wealthy individuals from Nigeria, hence the name of the scam. The themes of these phishing emails evolved over time, with cybercriminals leveraging contemporary events and popular trends to pique the interest of their targets. However, the distinctive characteristics of the messages that placed them in the “Nigerian” scam category remained unchanged:"
https://securelist.com/nigerian-scams-2024/115388/
- How Agentic AI Will Be Weaponized For Social Engineering Attacks
"Social engineering is the most common initial access vector cybercriminals exploit to breach organizations. With each passing year, social engineering attacks are becoming bigger and bolder thanks to rapid advancements in artificial intelligence. How is AI Advancing Social Engineering Attacks?"
https://www.securityweek.com/how-agentic-ai-will-be-weaponized-for-social-engineering-attacks/
- Hacker Conversations: David Kennedy – An Atypical Typical Hacker
"David Kennedy exhibits many characteristics that are typical of a hacker; but he is by no means a typical hacker. He started very young by taking apart his Teddy Ruxpin (an early electronic bear-like toy animal known as an ‘Illiop’) to see how it worked. He went on to fail high school, joined the Marines, nearly died in Iraq, worked for the NSA, was a core developer of Metasploit, wrote the Social-Engineer Toolkit, and is now founder and CEO of TrustedSec and co-founder and chief hacking officer at Binary Defense. Throughout this hacker evolution and career runs an infectious sense of humor and the almost obligatory neurodiversity."
https://www.securityweek.com/hacker-conversations-david-kennedy-an-atypical-typical-hacker/
References
Electronic Transactions Development Agency (ETDA)