Cyber Threat Intelligence 26 March 2025
Financial Sector
- Financial Cyberthreats In 2024
"As more and more financial transactions are conducted in digital form each year, financial threats comprise a large piece of the global cyberthreat landscape. That’s why Kaspersky researchers analyze the trends related to these threats and share an annual report highlighting the main dangers to corporate and consumer finances. This report contains key trends and statistics on financial phishing, mobile and PC banking malware, as well as offers actionable recommendations to bolster security measures and effectively mitigate emerging threats"
https://securelist.com/financial-threat-report-2024/115966/
Industrial Sector
- ABB RMC-100
"Successful exploitation of this vulnerability could allow an attacker to send a specially crafted message to the web UI, causing a temporary denial of service until the interface can be restarted."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-084-01
- Rockwell Automation Verve Asset Manager
"Successful exploitation of this vulnerability could allow an attacker with administrative access to run arbitrary commands in the context of the container running the service."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-084-02
- Inaba Denki Sangyo CHOCO TEI WATCHER Mini
"Successful exploitation of these vulnerabilities could allow an attacker to obtain the product's login password, gain unauthorized access, tamper with product's data, and/or modify product settings."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-084-04
- Rockwell Automation 440G TLS-Z
"Successful exploitation of this vulnerability could allow an attacker to take over the device."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-084-03
- OT Systems Are Strategic Targets In Global Power Struggles
"Compared to 2023, 2024 saw a smaller increase in cyberattacks that caused physical consequences on OT organizations, according to Waterfall Security. Nevertheless, there were sharp jumps in the number of sites affected by the hacks, as well as in the number of attacks by nation states. 2024 saw a 146% increase in sites suffering physical consequences of operations because of cyberattacks, rising from 412 sites in 2023 to 1,015 in 2024."
https://www.helpnetsecurity.com/2025/03/25/cyberattacks-physical-consequences-ot-organizations/
- APT And Financial Attacks On Industrial Organizations In Q4 2024
"This summary provides an overview of the reports of APT and financial attacks on industrial enterprises disclosed in Q4 2024, as well as the related activities of groups that have been observed attacking industrial organizations and critical infrastructure facilities. For each topic, we summarize the key facts, findings and conclusions of researchers that we believe may be of use to professionals addressing practical issues of cybersecurity for industrial enterprises."
https://ics-cert.kaspersky.com/publications/reports/2025/03/25/apt-and-financial-attacks-on-industrial-organizations-in-q4-2024/
- Q4 2024 – a Brief Overview Of The Main Incidents In Industrial Cybersecurity
"In Q4 2024, 107 incidents were publicly confirmed by victims. All of these incidents are included in the table at the end of the overview, with select incidents described in detail."
https://ics-cert.kaspersky.com/publications/reports/2025/03/25/q4-2024-a-brief-overview-of-the-main-incidents-in-industrial-cybersecurity/
Vulnerabilities
- CrushFTP Warns Users To Patch Unauthenticated Access Flaw Immediately
"CrushFTP warned customers of an unauthenticated HTTP(S) port access vulnerability and urged them to patch their servers immediately. As the company also explained in an email sent to customers on Friday (seen by BleepingComputer), the security flaw enables attackers to gain unauthenticated access to unpatched servers if they are exposed on the Internet over HTTP(S). "Please take immediate action to patch ASAP. A vulnerability has been addressed today (March 21st, 2025). All CrushFTP v11 versions were affected. (No earlier versions are affected.) A CVE will be generated soon," the company warned."
https://www.bleepingcomputer.com/news/security/crushftp-warns-users-to-patch-unauthenticated-access-flaw-immediately/
- Broadcom Warns Of Authentication Bypass In VMware Windows Tools
"Broadcom released security updates today to fix a high-severity authentication bypass vulnerability in VMware Tools for Windows. VMware Tools is a suite of drivers and utilities designed to improve performance, graphics, and overall system integration for guest operating systems running in VMware virtual machines. The vulnerability (CVE-2025-22230) is caused by an improper access control weakness and was reported by Sergey Bliznyuk of Positive Technologies (a sanctioned Russian cybersecurity company accused of trafficking hacking tools)."
https://www.bleepingcomputer.com/news/security/broadcom-warns-of-authentication-bypass-in-vmware-windows-tools/
https://www.securityweek.com/vmware-patches-authentication-bypass-flaw-in-windows-tools-suite/
- New Windows Zero-Day Leaks NTLM Hashes, Gets Unofficial Patch
"Free unofficial patches are available for a new Windows zero-day vulnerability that can let remote attackers steal NTLM credentials by tricking targets into viewing malicious files in Windows Explorer. NTLM has been widely exploited in NTLM relay attacks (where threat actors force vulnerable network devices to authenticate to attacker-controlled servers) and pass-the-hash attacks (where they exploit vulnerabilities to steal NTLM hashes, which are hashed passwords)."
https://www.bleepingcomputer.com/news/security/new-windows-zero-day-leaks-ntlm-hashes-gets-unofficial-patch/
Malware
- New Android Malware Campaigns Evading Detection Using Cross-Platform Framework .NET MAUI
"Cybercriminals are constantly evolving their techniques to bypass security measures. Recently, the McAfee Mobile Research Team discovered malware campaigns abusing .NET MAUI, a cross-platform development framework, to evade detection. These threats disguise themselves as legitimate apps, targeting users to steal sensitive information. This blog highlights how these malware operate, their evasion techniques, and key recommendations for staying protected."
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/new-android-malware-campaigns-evading-detection-using-cross-platform-framework-net-maui/
https://www.bleepingcomputer.com/news/security/new-android-malware-uses-microsofts-net-maui-to-evade-detection/
https://thehackernews.com/2025/03/hackers-use-net-maui-to-target-indian.html
https://hackread.com/net-maui-exploited-in-advanced-malware-campaigns-mcafee-labs/
https://www.infosecurity-magazine.com/news/android-malware-uses-net-maui/
https://securityaffairs.com/175843/cyber-crime/android-malware-uses-net-maui-to-evade-detection.html
- Warning Against Phishing Emails Distributing GuLoader Malware By Impersonating a Famous International Shipping Company
"AhnLab SEcurity intelligence Center (ASEC) recently identified the distribution of GuLoader malware via a phishing email by impersonating a famous international shipping company. The phishing email was obtained through the email honeypot operated by ASEC. The mail body instructs users to check their post-paid customs tax and demands them to open the attachment."
https://asec.ahnlab.com/en/87002/
- CVE-2025-26633: How Water Gamayun Weaponizes MUIPath Using MSC EvilTwin
"Trend Research uncovered a campaign by suspected Russian threat actor Water Gamayun, also known as EncryptHub and Larva-208, that abused a zero-day vulnerability in the Microsoft Management Console (mmc.exe) framework to execute malicious code on infected machines. We’ve named this technique MSC EvilTwin (CVE-2025-26633), which we track as ZDI-CAN-26371 (also known as ZDI-25-150)."
https://www.trendmicro.com/en_us/research/25/c/cve-2025-26633-water-gamayun.html
https://www.bleepingcomputer.com/news/security/encrypthub-linked-to-zero-day-attacks-targeting-windows-systems/
- New Phishing Campaign Uses Browser-In-The-Browser Attacks To Target Video Gamers/Counter-Strike 2 Players
"Our research team has discovered an active phishing campaign targeting players of the multi-player video game Counter-Strike 2. Along with attempts to compromise players’ Steam accounts, part of the campaign’s attack tactics also includes abusing the names of a professional eSports team called Navi. Built around the creation of seemingly convincing fake browser pop-up windows that prominently display the URL of the real website, the campaign’s goal is to make a visitor feel safe, believing the pop-up windows are part of the actual (real) sites. Once the potential victim tries to log into the fake Steam portal, the threat actor steals the credentials and likely attempts to take over the account for later resale."
https://www.silentpush.com/blog/browser-in-the-browser-attacks/
https://www.bleepingcomputer.com/news/security/browser-in-the-browser-attacks-target-cs2-players-steam-accounts/
- The Curious Case Of PlayBoy Locker
"Cybereason issues Threat Analysis reports to investigate emerging threats and provide practical recommendations for protecting against them. In this Threat Analysis report, Cybereason investigates the new Ransomware-as-a-Service (RaaS) known as PlayBoy Locker and how to defend against it through the Cybereason Defense Platform."
https://www.cybereason.com/blog/threat-analysis-playboy-locker
- Cyble Sensors Detect Exploit Attempts On Ivanti, AVTECH IP Cameras
"Vulnerabilities in Ivanti products, AVTECH IP cameras, and WordPress plugins have recently been among the dozens of attempted exploits detected by Cyble honeypot sensors. The attack attempts were detailed in the threat intelligence company’s weekly sensor intelligence reports to clients. The Cyble reports have also examined persistent attacks against Linux systems and network and IoT devices, as threat actors scan for vulnerable devices for ransomware attacks and add to DDoS and crypto mining botnets. The reports have also examined banking malware, brute-force attacks, vulnerable ports, and phishing campaigns."
https://cyble.com/blog/cyble-sensors-detect-exploit-attempts-on-ivanti-avtech-ip-cameras/
- Raspberry Robin: Copy Shop USB Worm Evolves To Initial Access Broker Enabling Other Threat Actor Attacks
"Raspberry Robin (also known as Roshtyak or Storm-0856) is a complex and evolving threat actor that provides initial access broker (IAB) services to numerous criminal groups, many of which have connections to Russia. Recently, it has also provided IAB services to the Russian GRU’s Unit 29155 cyber actors. Linked to some of the most serious threat actors active today (including SocGholish, Dridex, and LockBit), Raspberry Robin breaches enterprises and sells access to other threat actors, primarily based in Russia."
https://www.silentpush.com/blog/raspberry-robin/
https://thehackernews.com/2025/03/researchers-uncover-200-unique-c2.html
https://www.darkreading.com/cyberattacks-data-breaches/access-broker-russian-state-cybercrime
- RaaS Evolved: LockBit 3.0 Vs LockBit 4.0
"LockBit is a sophisticated and notorious ransomware strain that has been targeting organizations across various industries since 2019. It operates by encrypting critical files and demanding hefty ransoms in exchange for decryption keys. The LockBit group operates on a Ransomware-as-a-Service (RaaS) model, providing its infamous LockBit malware to affiliates who carry out the attacks and return a percentage of ransom payments to the LockBit group."
https://www.deepinstinct.com/blog/raas-evolved-lockbit-3-0-vs-lockbit-4-0
- Cybercriminals Use Atlantis AIO To Target 140+ Platforms
"Cybercriminals have been observed increasingly leveraging Atlantis AIO, a sophisticated tool designed to automate credential stuffing attacks across more than 140 platforms. This software enables attackers to systematically test many stolen username and password combinations, facilitating unauthorized access to various online services."
https://www.infosecurity-magazine.com/news/cyber-criminals-atlantis-aio-140/
- Operation ForumTroll: APT Attack With Google Chrome Zero-Day Exploit Chain
"In mid-March 2025, Kaspersky technologies detected a wave of infections by previously unknown and highly sophisticated malware. In all cases, infection occurred immediately after the victim clicked on a link in a phishing email, and the attackers’ website was opened using the Google Chrome web browser. No further action was required to become infected. All malicious links were personalized and had a very short lifespan. However, Kaspersky’s exploit detection and protection technologies successfully identified the zero-day exploit that was used to escape Google Chrome’s sandbox."
https://securelist.com/operation-forumtroll/115989/
https://www.securityweek.com/google-patches-chrome-sandbox-escape-zero-day-caught-by-kaspersky/
- Lengthy Disruption Of Russian Internet Provider Claimed By Ukrainian Hacker Group
"A Ukrainian volunteer hacker group known as the IT Army has claimed responsibility for a cyberattack on Russian internet provider Lovit that disrupted services in Moscow and St. Petersburg for three days. The attack, which began on Friday, also prevented residents of apartment buildings using Lovit’s services from accessing their homes, as it disabled intercom systems. Businesses in affected buildings reported failures in payment terminals and loyalty programs, according to local media reports."
https://therecord.media/russia-isp-lovit-outages-claimed-ukraine-it-army
- IOCONTROL Malware: A New Threat Targeting Critical Infrastructure
"Last year, threat actors compromised over 3.2 billion credentials, a 33% increase compared to the previous year. By leveraging this stolen data, attackers perpetuate the ongoing cycle of cybercrime, using it to fuel malicious campaigns, including the deployment of malware such as IOCONTROL. Deploying this malware, threat actors can achieve the following objectives:"
https://flashpoint.io/blog/iocontrol-malware/
- Rilide - An Information Stealing Browser Extension
"Rilide is an example of an information stealer masquerading as a browser extension. First reported in April 2023, the malware targets Chromium-based browsers such as Google Chrome and Microsoft Edge. It is designed to take screenshots of information, log passwords, and collect credentials for cryptocurrency wallets."
https://blog.pulsedive.com/rilide-an-information-stealing-browser-extension/
Breaches/Hacks/Leaks
- Numotion Data Breach Impacts Nearly 500,000 People
"Tennessee-based Numotion, which advertises itself as the largest provider of wheelchairs and other mobility solutions in the United States, has suffered a data breach impacting nearly 500,000 people. According to a data security notice posted on its website, Numotion (United Seating and Mobility) learned recently that some of its employees’ email accounts were hacked into on several occasions between September 2, 2024, and November 18, 2024."
https://www.securityweek.com/numotion-data-breach-impacts-nearly-500000-people/
- Hacker Defaces NYU Website, Exposing Admissions Data On 1 Million Students
"More than 1 million students at New York University had their personal information exposed by a hacker who took over the school’s website over the weekend. On Saturday, the hacker replaced the NYU homepage with charts and links to large student datasets categorizing standardized testing scores based on race. The hacker claimed personal information identifying students was redacted but linked to four different datasets that included personal information on NYU applicants, their citizenship status and more."
https://therecord.media/hacker-nyu-website-admissions-race
- Nearly $13 Million Stolen From Abracadabra Finance In Crypto Heist
"The cryptocurrency platform Abracadabra Finance lost about $13 million worth of digital currency to hackers on Tuesday morning. The company did not respond to requests for comment confirming the amount of stolen cryptocurrency but acknowledged the incident in a message on social media. The crypto lending platform said the issue was sourced back to a product it calls “cauldrons” — isolated lending markets that allow users to borrow against a variety of cryptocurrencies."
https://therecord.media/nearly-thirteen-million-stolen-abracadabra
- Malaysia PM Says Country Rejected $10 Million Ransom Demand After Airport Outages
"Computer outages at Malaysia’s Kuala Lumpur International Airport (KLIA) this weekend were attributed to a recent cyberattack, according to the country’s cybersecurity agency and aviation authority. Malaysia’s National Cyber Security Agency (NACSA) and Malaysia Airports released a joint statement Tuesday confirming that a cyberattack started causing disruptions on March 23."
https://therecord.media/malaysia-pm-says-country-rejected-ransom-demand-airport-cyberattack
- A Sneaky Phish Just Grabbed My Mailchimp Mailing List
"You know when you're really jet lagged and really tired and the cogs in your head are just moving that little bit too slow? That's me right now, and the penny has just dropped that a Mailchimp phish has grabbed my credentials, logged into my account and exported the mailing list for this blog. I'm deliberately keeping this post very succinct to ensure the message goes out to my impacted subscribers ASAP, then I'll update the post with more details. But as a quick summary, I woke up in London this morning to the following:"
https://www.troyhunt.com/a-sneaky-phish-just-grabbed-my-mailchimp-mailing-list/
https://www.theregister.com/2025/03/25/troy_hunt_mailchimp_phish/
General News
- Spring Clean Your Security Data: The Case For Cybersecurity Data Hygiene
"Spring cleaning isn’t just for your closets; security teams should take the same approach to their security operations data, where years of unchecked log growth have created a bloated, inefficient and costly mess. The modern Security Operations Center (SOC) is drowning in security telemetry from endpoints, cloud, SaaS applications, identity platforms and a growing list of other sources. In practice, most of these are redundant, irrelevant, or just outright noise, and are affecting detection effectiveness, operational efficiency, and the ability to extract real insights."
https://www.helpnetsecurity.com/2025/03/25/security-data-hygiene/
- You Know That Generative AI Browser Assistant Extension Is Probably Beaming Everything To The Cloud, Right?
"Generative AI assistants packaged up as browser extensions harvest personal data with minimal safeguards, researchers warn. Some of these extensions may violate their own privacy commitments and potentially run afoul of US regulations, such as HIPAA and FERPA, by collecting and funneling away health and student data."
https://www.theregister.com/2025/03/25/generative_ai_browser_extensions_privacy/
https://arxiv.org/abs/2503.16586
- NIST Trustworthy And Responsible AI Report Adversarial Machine Learning: A Taxonomy And Terminology Of Attacks And Mitigations
"Artificial Intelligence (AI) systems have been on a global expansion trajectory, with the pace of development and the adoption of AI systems accelerating in recent years. These systems are being developed by and widely deployed into economies across the globe—leading to the emergence of AI-based services across many spheres of people’s lives, both real and virtual. As AI systems permeate the digital economy and become essential parts of daily life, the need for their secure, robust, and resilient operation grows."
https://csrc.nist.gov/News/2025/nist-ai-100-2-adversarial-machine-learning-taxonom
https://www.infosecurity-magazine.com/news/nist-limitations-ai-ml-security/
- Dark Web Mentions Of Malicious AI Tools Spike 200%
"Chatter about jailbreaks and use of malicious AI tools on the cybercrime underground surged in 2024, according to an analysis by threat intelligence firm Kela. The firm monitored cybercrime forums throughout the year to compile its new study, 2025 AI Threat Report: How Cybercriminals are Weaponizing AI Technology. It revealed a 52% increase in discussions related to jailbreaking legitimate AI tools like ChatGPT, and a 219% increase in mentions of malicious AI tools and tactics."
https://www.infosecurity-magazine.com/news/dark-web-mentions-malicious-ai/
https://www.kelacyber.com/resources/research/2025-ai-threat-report/
- Ransomware Shifts Tactics As Payouts Drop: Critical Infrastructure In The Crosshairs
"A study by researchers at Ontinue describes four major evolutionary trends: malware delivery via browser extensions and malvertising; more advanced phishing and vishing techniques; increasing attacks against IoT and OT devices; and the continuing evolution of ransomware. Ransomware is noteworthy. Ontinue explains (PDF) that ransom payments decreased: from $1.25 billion in 2023 to $813.5 million in 2024. But while the payments received by criminals went down, the number of reported breaches went up. “This could indicate that ransomware groups are conducting more attacks to compensate for lower ransom success rates,” suggests Ontinue."
https://www.securityweek.com/ransomware-shifts-tactics-as-payouts-drop-critical-infrastructure-in-the-crosshairs/
https://www.ontinue.com/wp-content/uploads/2025/03/2025_2H-Threat-Intelligence-Report.pdf
- Hacker Conversations: Frank Trezza – From Phreaker To Pentester
"The history of Frank Trezza is not unusual among hackers – from a young prankster through growing exploration of potential attacking powers to a mature defender of security. In this edition of Hacker Conversations, we follow his path. SecurityWeek’s Hacker Conversations series discusses the mind and motivations of hackers. Many, like Trezza, have become important figures in today’s cybersecurity defense. To defend computers, it is useful to know how to attack them – and that’s where being a hacker becomes valuable."
https://www.securityweek.com/hacker-conversations-frank-trezza-from-phreaker-to-pentester/
References
Electronic Transactions Development Agency (ETDA) - Financial Cyberthreats In 2024