Cyber Threat Intelligence 21 February 2025
Healthcare Sector
- Medixant RadiAnt DICOM Viewer
"Successful exploitation of this vulnerability could allow an attacker to perform a machine-in-the-middle attack (MITM), resulting in malicious updates being delivered to the user."
https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-051-01
Industrial Sector
- ABB ASPECT-Enterprise, NEXUS, And MATRIX Series
"Successful exploitation of this vulnerability could allow an attacker to obtain access to devices without proper authentication."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-051-01
- ABB FLXEON Controllers
"Successful exploitation of these vulnerabilities could allow an attacker to send unauthorized HTTPS requests, access sensitive information from HTTPS responses, or use network access to execute remote code."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-051-02
- Siemens SiPass Integrated
"Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the application server, if a specially crafted backup set is used for a restore."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-051-04
- Elseta Vinci Protocol Analyzer
"Successful exploitation of this vulnerability could allow an attacker to escalate privileges and perform code execution on the affected system."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-051-06
- Rapid Response Monitoring My Security Account App
"Successful exploitation of this vulnerability could allow an attacker to access sensitive information of other users."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-051-05
- Carrier Block Load
"Successful exploitation of this vulnerability could allow a malicious actor to execute arbitrary code with escalated privileges."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-051-03
New Tooling
- Guard Your Codebase: Practical Steps And Tools To Prevent Malicious Code
"Malicious code is widespread and easy to use against any target. This year, our security research and data science teams detected and analyzed thousands of malicious code instances in repositories and packages, with new ones emerging every day. For instance, we published findings on how millions of GitHub repositories were cloned and infected with malware loaders – read more about it here."
https://apiiro.com/blog/guard-your-codebase-practical-steps-and-tools-to-prevent-malicious-code/
https://github.com/apiiro/malicious-code-ruleset
https://github.com/apiiro/PRevent
https://www.bleepingcomputer.com/news/security/apiiro-unveils-free-scanner-to-detect-malicious-code-merges/
https://www.helpnetsecurity.com/2025/02/20/prevent-open-source-tool-to-detect-malicious-code-in-pull-requests/
Vulnerabilities
- Atlassian Patches Critical Vulnerabilities In Confluence, Crowd
"Atlassian this week announced the rollout of patches for 12 critical- and high-severity vulnerabilities in its Bamboo, Bitbucket, Confluence, Crowd, and Jira products. The company released fixes for five critical-severity issues in Confluence Data Center and Server and Crowd Data Center and Server that were discovered in third-party dependencies used within the two products. Updates released for Confluence Data Center and Server address two critical flaws in Apache Tomcat. Tracked as CVE-2024-50379 and CVE-2024-56337 (CVSS score of 9.8), the two issues could be exploited by unauthenticated attackers to achieve remote code execution (RCE), the company warns."
https://www.securityweek.com/atlassian-patches-critical-vulnerabilities-in-confluence-crowd/
https://confluence.atlassian.com/security/security-bulletin-february-18-2025-1510670627.html
- CVE-2024-12284: High-Severity Security Update For NetScaler Console
"On February 18, 2025, Cloud Software Group released builds to fix CVE-2024-12284, which affects NetScaler Console. This vulnerability has been discovered in NetScaler Console (formerly NetScaler ADM) and NetScaler Console Agent and has been assigned a CVSS score of 8.8."
https://www.netscaler.com/blog/news/cve-2024-12284-high-severity-security-update-for-netscaler-console/
https://thehackernews.com/2025/02/citrix-releases-security-fix-for.html
https://securityaffairs.com/174425/security/citrix-addressed-netscaler-console-privilege-escalation-flaw.html
- Microsoft Patches Actively Exploited Power Pages Privilege Escalation Vulnerability
"Microsoft has released security updates to address two Critical-rated flaws impacting Bing and Power Pages, including one that has come under active exploitation in the wild."
https://thehackernews.com/2025/02/microsoft-patches-actively-exploited.html
https://www.bleepingcomputer.com/news/security/microsoft-fixes-power-pages-zero-day-bug-exploited-in-attacks/
https://www.securityweek.com/microsoft-patches-exploited-power-pages-vulnerability/
https://securityaffairs.com/174430/security/microsoft-fixed-actively-exploited-flaw-in-power-pages.html
https://www.theregister.com/2025/02/20/microsoft_patch_power_pages/
- Ivanti Endpoint Manager – Multiple Credential Coercion Vulnerabilities
"Back in October of 2024, we were investigating one of the many Ivanti vulnerabilities and found ourselves without a patch to “patch diff” with – leading us to audit the code base at mach speed. This led to the discovery of four critical vulnerabilities in Ivanti Endpoint Manager (EPM). These vulnerabilities were patched last month in Ivanti’s January patch rollup. The vulnerabilities discovered allow an unauthenticated attacker to coerce the Ivanti EPM machine account credential to be used in relay attacks, potentially allowing for server compromise."
https://www.horizon3.ai/attack-research/attack-blogs/ivanti-endpoint-manager-multiple-credential-coercion-vulnerabilities/
https://www.securityweek.com/poc-exploit-published-for-critical-ivanti-epm-vulnerabilities/
- Critical Flaws In Mongoose Library Expose MongoDB To Data Thieves, Code Execution
"Security sleuths found two critical vulnerabilities in a third-party library that MongoDB relies on, which means bad guys can potentially steal data and run code. Mongoose is an Object Data Modeling (ODM) library for MongoDB to enable database integrations in Node.js applications. It allows JavaScript objects to be mapped to MongoDB documents, providing an abstraction layer to help with the management and validation of structured data. Mongoose has 19,593 dependents, according to its Node Package Manager page, and over 27,000 stars on GitHub."
https://www.theregister.com/2025/02/20/mongoose_flaws_mongodb/
- CISA Adds Two Known Exploited Vulnerabilities To Catalog
"CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
CVE-2025-23209 Craft CMS Code Injection Vulnerability
CVE-2025-0111 Palo Alto Networks PAN-OS File Read Vulnerability"
https://www.cisa.gov/news-events/alerts/2025/02/20/cisa-adds-two-known-exploited-vulnerabilities-catalog
Malware
- Weathering The Storm: In The Midst Of a Typhoon
"Cisco Talos has been closely monitoring reports of widespread intrusion activity against several major U.S. telecommunications companies. The activity, initially reported in late 2024 and later confirmed by the U.S. government, is being carried out by a highly sophisticated threat actor dubbed Salt Typhoon. This blog highlights our observations on this campaign and identifies recommendations for detection and prevention of the actor’s activities."
https://blog.talosintelligence.com/salt-typhoon-analysis/
https://www.bleepingcomputer.com/news/security/salt-typhoon-uses-jumbledpath-malware-to-spy-on-us-telecom-networks/
https://cyberscoop.com/cisco-talos-salt-typhoon-initial-access/
https://securityaffairs.com/174460/apt/salt-typhoon-custom-malware-jumbledpath-to-spy-u-s-telecom-providers.html
- The Bleeding Edge Of Phishing: Darcula-Suite 3.0 Enables DIY Phishing Of Any Brand
"The criminals at darcula are back for more blood, and they mean business with one of the more impactful innovations in phishing in recent years. The new version of their “Phishing-as-a-Service” (PhaaS) platform, darcula-suite adds first-of-its-kind personalization capabilities to the previously built darcula V2 platform, using Puppeteer-style tools to allow criminals to build advanced phishing kits that can now target any brand with the click of a button."
https://www.netcraft.com/blog/darcula-v3-phishing-kits-targeting-any-brand/
https://www.bleepingcomputer.com/news/security/darcula-phaas-can-now-auto-generate-phishing-kits-for-any-brand/
https://www.darkreading.com/threat-intelligence/darcula-phishing-kit-impersonate-brand
https://www.helpnetsecurity.com/2025/02/20/darcula-allows-tech-illiterate-crooks-to-create-deploy-diy-phishing-kits-targeting-any-brand/
- Meet NailaoLocker: a Ransomware Distributed In Europe By ShadowPad And PlugX Backdoors
"Last year, Orange Cyberdefense’s CERT investigated a series of incidents from an unknown threat actor leveraging both ShadowPad and PlugX. Tracked as Green Nailao (“Nailao” meaning “cheese” in Chinese – a topic our World Watch CTI team holds in high regard), the campaign impacted several European organizations, including in the healthcare vertical, during the second half of 2024. We believe this campaign has targeted a larger panel of organizations across the world throughout multiple sectors."
https://www.orangecyberdefense.com/global/blog/cert-news/meet-nailaolocker-a-ransomware-distributed-in-europe-by-shadowpad-and-plugx-backdoors
https://www.bleepingcomputer.com/news/security/new-nailaolocker-ransomware-used-against-eu-healthcare-orgs/
https://thehackernews.com/2025/02/chinese-linked-attackers-exploit-check.html
https://therecord.media/china-linked-hackers-target-european-health-orgs
https://securityaffairs.com/174440/malware/nailaolocker-ransomware-targets-eu-healthcare-related-entities.html
- DeceptiveDevelopment Targets Freelance Developers
"Cybercriminals have been known to approach their targets under the guise of company recruiters, enticing them with fake employment offers. After all, what better time to strike than when the potential victim is distracted by the possibility of getting a job? Since early 2024, ESET researchers have observed a series of malicious North Korea-aligned activities, where the operators, posing as headhunters, try to serve their targets with software projects that conceal infostealing malware. We call this activity cluster DeceptiveDevelopment."
https://www.welivesecurity.com/en/eset-research/deceptivedevelopment-targets-freelance-developers/
https://thehackernews.com/2025/02/north-korean-hackers-target-freelance.html
https://www.infosecurity-magazine.com/news/malicious-ads-target-freelance/
https://www.helpnetsecurity.com/2025/02/20/deceptivedevelopment-fake-job-offers/
- SecTopRAT Bundled In Chrome Installer Distributed Via Google Ads
"Criminals are once again abusing Google Ads to trick users into downloading malware. Ironically, this time the bait is a malicious ad for Google Chrome, the world’s most popular browser. Victims who click the ad land on a fraudulent Google Sites page designed as an intermediary portal, similar to what we saw earlier this year with the massive Google accounts phishing campaign. The final redirect eventually downloads a large executable disguised as Google Chrome which does install the aforementioned but also surreptitiously drops a malware payload known as SecTopRAT."
https://www.malwarebytes.com/blog/news/2025/02/sectoprat-bundled-in-chrome-installer-distributed-via-google-ads
- Updated Shadowpad Malware Leads To Ransomware Deployment
"In November 2024, we had two incident response cases in Europe with similar C&C servers and other TTPs, suggesting a single threat actor behind both operations. Both incidents involved Shadowpad, a malware family that has been used by multiple advanced Chinese threat actors to perform espionage. Hunting for similar TTPs, we found a total of 21 companies being targeted with a similar malware toolkit in the last 7 months. Nine of them are in Europe, eight in Asia, three in the Middle East, and one in South America. We found eight different industries being affected, with more than half of the targets being in the Manufacturing industry. They are listed in the Victimology section."
https://www.trendmicro.com/en_us/research/25/b/updated-shadowpad-malware-leads-to-ransomware-deployment.html
https://www.securityweek.com/chinese-apt-tools-found-in-ransomware-schemes-blurring-attribution-lines/
- Stately Taurus Activity In Southeast Asia Links To Bookworm Malware
"While analyzing infrastructure related to Stately Taurus activity targeting organizations in countries affiliated with the Association of Southeast Asian Nations (ASEAN), Unit 42 researchers observed overlaps with infrastructure used by a variant of the Bookworm malware. We also found open-source intelligence that revealed additional Stately Taurus activity in the region during the same timeframe, including a January 2024 CSIRT CTI post detailing attacks in Myanmar."
https://unit42.paloaltonetworks.com/stately-taurus-uses-bookworm-malware/
Breaches/Hacks/Leaks
- Black Basta Ransomware Gang's Internal Chat Logs Leak Online
"An unknown leaker has released what they claim to be an archive of internal Matrix chat logs belonging to the Black Basta ransomware operation. ExploitWhispers, the individual who previously uploaded the stolen messages to the MEGA file-sharing platform, which are now removed, has uploaded it to a dedicated Telegram channel. It's not yet clear if ExploitWhispers is a security researcher who gained access to the gang's internal chat server or a disgruntled member. While they never shared the reason behind this move, cyber threat intelligence company PRODAFT said today that the leak could directly result from the ransomware gang's alleged attacks targeting Russian banks."
https://www.bleepingcomputer.com/news/security/black-basta-ransomware-gang-s-internal-chat-logs-leak-online/
- Mining Company NioCorp Loses $500,000 In BEC Hack
"US-based mining company NioCorp Developments informed the SEC on Wednesday that it recently lost a significant amount of money after its systems were hacked. NioCorp, which is currently developing a critical minerals project in the United States, revealed that it discovered a cybersecurity incident on February 14. The incident involved a breach of its information systems, including a portion of its email systems."
https://www.securityweek.com/mining-company-niocorp-loses-500000-in-bec-hack/
https://www.theregister.com/2025/02/20/niocorp_bec_scam/
- Medusa Ransomware Gang Demands $2M From UK Private Health Services Provider
"HCRG Care Group, a private health and social services provider, has seemingly fallen victim to the Medusa ransomware gang, which is threatening to leak what's claimed to be stolen internal records unless a substantial ransom is paid. Previously known as Virgin Care and now owned by Twenty20 Capital, HCRG runs child and family health and social services across the UK for the NHS and local authorities, with a workforce said to number 5,000. Its annual turnover to March 2023, its latest available figure, was just shy of £250 million ($315 million)."
https://www.theregister.com/2025/02/20/medusa_hcrg_ransomware/
General News
- Unknown And Unsecured: The Risks Of Poor Asset Visibility
"In this Help Net Security interview, Juliette Hudson, CTO of CybaVerse, discusses why asset visibility remains a critical cybersecurity challenge. She explains how to maintain security without slowing down operations, shares ways to improve visibility in OT environments, and explains how AI can be both a solution and a challenge. Hudson also provides actionable advice for security leaders seeking to enhance their organization’s security posture."
https://www.helpnetsecurity.com/2025/02/20/juliette-hudson-cybaverse-asset-visibility/
- 300% Increase In Endpoint Malware Detections
"The third quarter of 2024 saw a dramatic shift in the types of malware detected at network perimeters, according to a new WatchGuard report. The report’s key findings include a 300% increase quarter over quarter of endpoint malware detections, highlighted by growing threats that exploit legitimate websites or documents for malicious purposes as threat actors turn to more social engineering tactics to execute their attacks."
https://www.helpnetsecurity.com/2025/02/20/endpoint-malware-increase-watchguard-q3-2024-internet-security-report/
- “Script Kiddies” Get Hacked—what It Means About The Cybercrime Economy
"The discovery of a Trojan disguised as software to help low-skill hackers build XWorm RAT malware indicates the maturity and complexity of the thriving cybercrime economy—and it reminds us that there’s no honor among thieves. Imagine that you are an ambitious young wannabe hacker. You’re no expert coder. Instead, you’ve found your way to the dark web’s marketplace for cybercrime tools and services. There, you’re like a kid in a candy shop. For very reasonable prices, you can buy or rent paint-by-numbers software that makes it easy to build and deploy a cyber attack. A small extra fee adds 24-hour technical support."
https://blog.barracuda.com/2025/02/19/Script-Kiddies-get-hacked-what-it-means-about-the-cybercrime-economy
- When Brand Loyalty Trumps Data Security
"I'm a Marriott guy. I have been for a long time, and it's hard to imagine making a change at this point. So when I read about the Federal Trade Commission (FTC) ordering Marriott to overhaul its data security strategy recently, it got me thinking. Despite the US government making it crystal clear that this company I trusted with my data did a poor job protecting it, I still knew it would keep my business."
https://www.darkreading.com/cyberattacks-data-breaches/when-brand-loyalty-trumps-data-security
- Signs Your Organization's Culture Is Hurting Your Cybersecurity
"These days, the word "toxic" gets thrown around a lot in many contexts, but when used to describe organizational culture, it poses an actual threat. When employees are constantly overworked, undervalued, or forced to operate in high-stress, blame-heavy environments, mistakes are inevitable. Fatigue leads to oversight, disengagement breeds carelessness, and a lack of psychological safety prevents people from speaking up about vulnerabilities or potential risks. In an industry where even the smallest errors can have massive consequences, this kind of dysfunction can be dangerous."
https://www.darkreading.com/cybersecurity-operations/signs-organization-culture-hurting-cybersecurity
- Mobile Phishing Attacks Surge With 16% Of Incidents In US
"Security researchers have observed a sharp rise in mobile phishing attacks, known as “mishing,” with activity peaking in August 2024 at over 1000 daily attack records. The report, published by Zimperium zLabs, also found that 16% of all mobile phishing incidents occurred in the US."
https://www.infosecurity-magazine.com/news/mobile-phishing-attacks-surge-16/
- Over 330 Million Credentials Compromised By Infostealers
"Infostealers became one of the “most significant initial access vectors” in the threat landscape last year, with one threat intelligence company claiming to find over 330 million compromised credentials linked to the malware. Israeli firm Kela revealed the findings in its latest report, The State of Cybercrime 2024, published today and based on its own analysis of the threat landscape. The hundreds of millions of compromised credentials it found were linked to infostealer activity on at least 4.3 million machines. Although both figures represent just a slight increase on 2023, the direction of travel is clear."
https://www.infosecurity-magazine.com/news/330-million-credentials/
https://www.kelacyber.com/resources/research/state-of-cybercrime-2024/
- Managed Detection And Response In 2024
"Kaspersky Managed Detection and Response service (MDR) provides round-the-clock monitoring and threat detection, based on Kaspersky technologies and expertise. The annual MDR analyst report presents insights based on the analysis of incidents detected by Kaspersky’s SOC team. It sheds light on the most prevalent attacker tactics, techniques, and tools, as well as the characteristics of identified incidents and their distribution across regions and industry sectors among MDR customers."
https://securelist.com/kaspersky-managed-detection-and-response-report-2024/115635/
Reference
Electronic Transactions Development Agency (ETDA)