Cyber Threat Intelligence 16 April 2025
Industrial Sector
- CISA Releases Nine Industrial Control Systems Advisories
"CISA released nine Industrial Control Systems (ICS) advisories on April 15, 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.
ICSA-25-105-01 Siemens Mendix Runtime
ICSA-25-105-02 Siemens Industrial Edge Device Kit
ICSA-25-105-03 Siemens SIMOCODE, SIMATIC, SIPLUS, SIDOOR, SIWAREX
ICSA-25-105-04 Growatt Cloud Applications
ICSA-25-105-05 Lantronix Xport
ICSA-25-105-06 National Instruments LabVIEW
ICSA-25-105-07 Delta Electronics COMMGR
ICSA-25-105-08 ABB M2M Gateway
ICSA-25-105-09 Mitsubishi Electric Europe B.V. smartRTU"
https://www.cisa.gov/news-events/alerts/2025/04/15/cisa-releases-nine-industrial-control-systems-advisories
- “Security By Design Helps You Stay One Step Ahead”
"Ekaterina Rudina, Security Analysis Group Manager at Kaspersky, discusses the challenges of assessing the security of industrial facilities and the role of the professional community in their protection, the reasons behind security issues in rapidly evolving industries, and the impact of digitalization on society."
https://ics-cert.kaspersky.com/publications/blog/2025/04/15/security-by-design-helps-you-stay-one-step-ahead/
Vulnerabilities
- Max Severity Bug In Apache Roller Enabled Persistent Access
"The maintainers of the Apache Roller open source blogging platform patched a maximum severity bug that allowed continued access to the app even after a user changed their password. The issue had to do with insufficient session expiration, a vulnerability that occurs when a system or app fails to invalidate an existing user's active session after a password change. The Apache Software Foundation (ASF) has implemented a new centralized session management feature that correctly invalidates all active user sessions when a password is changed, or a user disables their account."
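Added illustration (not Apache Roller's own code) of the insufficient-session-expiration flaw and the centralized fix described in the excerpt above: each session records the credential version it was issued under, and a password change or account disable bumps that version so every older session stops validating. The account, password and token values are constructed for the demonstration.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

@dataclass
class User:
    name: str
    password_hash: str
    credential_version: int = 0  # bumped on password change or disable
    enabled: bool = True

def _hash(password: str) -> str:
    # Demo only: production code uses a slow salted hash (argon2/bcrypt).
    return hashlib.sha256(password.encode()).hexdigest()

class SessionStore:
    """Constructed model, not Roller's code: strict=False keeps the bug, strict=True applies the fix."""
    def __init__(self, strict: bool) -> None:
        self.strict = strict
        self.users: Dict[str, User] = {}
        self.sessions: Dict[str, Tuple[str, int]] = {}  # token -> (user, version issued under)

    def add_user(self, name: str, password: str) -> None:
        self.users[name] = User(name, _hash(password))

    def login(self, name: str, password: str) -> Optional[str]:
        u = self.users.get(name)
        if u is None or not u.enabled or u.password_hash != _hash(password):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (name, u.credential_version)
        return token

    def change_password(self, name: str, new_password: str) -> None:
        u = self.users[name]
        u.password_hash = _hash(new_password)
        u.credential_version += 1  # every earlier session is now stale

    def disable_user(self, name: str) -> None:
        self.users[name].enabled = False
        self.users[name].credential_version += 1

    def current_user(self, token: str) -> Optional[str]:
        if token not in self.sessions:
            return None
        name, issued_version = self.sessions[token]
        u = self.users[name]
        if not self.strict:
            return u.name  # vulnerable: never re-checks the account state
        if not u.enabled or issued_version != u.credential_version:
            del self.sessions[token]  # evict the stale session
            return None
        return u.name

def old_session_survives(strict: bool, disable: bool = False) -> bool:
    """True if a token issued before the change still resolves to the user."""
    store = SessionStore(strict)
    store.add_user("alice", "old-pass")  # constructed sample account
    token = store.login("alice", "old-pass")
    if disable:
        store.disable_user("alice")
    else:
        store.change_password("alice", "new-pass")
    return store.current_user(token) == "alice"
```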
https://www.darkreading.com/vulnerabilities-threats/max-severity-bug-apache-roller-persistent-access
https://lists.apache.org/thread/4j906k16v21kdx8hk87gl7663sw7lg7f
https://thehackernews.com/2025/04/critical-apache-roller-vulnerability.html
https://securityaffairs.com/176577/security/critical-apache-roller-flaw-allows-to-retain-unauthorized-access-even-after-a-password-change.html
- Critical Flaws Fixed In Nagios Log Server
"The Nagios Security Team has fixed three critical vulnerabilities affecting popular enterprise log management and analysis platform Nagios Log Server."
https://www.helpnetsecurity.com/2025/04/15/critical-flaws-fixed-in-nagios-log-server/
Malware
- Unmasking APT29: The Sophisticated Phishing Campaign Targeting European Diplomacy
"Check Point Research (CPR) identified a significant wave of targeted phishing attacks beginning in January 2025. These attacks specifically target government officials and diplomats across Europe, employing sophisticated techniques, tactics, and procedures (TTPs) that closely resemble those associated with a previous phishing campaign called Wineloader, which was previously connected to APT29, a Russia-linked threat actor."
https://blog.checkpoint.com/research/unmasking-apt29-the-sophisticated-phishing-campaign-targeting-european-diplomacy/
https://research.checkpoint.com/2025/apt29-phishing-campaign/
https://www.bleepingcomputer.com/news/security/midnight-blizzard-deploys-new-grapeloader-malware-in-embassy-phishing/
https://www.darkreading.com/cyberattacks-data-breaches/wine-inspired-phishing-eu-diplomats
- UNC5174’s Evolution In China’s Ongoing Cyber Warfare: From SNOWLIGHT To VShell
"After a year of operating under the radar, the Sysdig Threat Research Team (TRT) identified a new campaign from Chinese state-sponsored threat actor UNC5174. We found that the threat actor was using a new open source tool and command and control (C2) infrastructure in late January 2025. We first discovered a malicious bash script responsible for downloading multiple executable files for persistence. One of the binaries downloaded is a variant of UNC5174’s SNOWLIGHT malware, previously identified by Mandiant in a campaign against F5 devices and recently mentioned in the French Cyber Threat Overview report released in March 2025 by the French National Agency for Information Systems Security (ANSSI)."
https://sysdig.com/blog/unc5174-chinese-threat-actor-vshell/
https://thehackernews.com/2025/04/chinese-hackers-target-linux-systems.html
https://www.darkreading.com/cyberattacks-data-breaches/china-threat-actor-unc5174-open-source-stealthy-attacks
https://www.bankinfosecurity.com/chinese-hackers-deploy-stealthy-fileless-vshell-rat-a-28012
https://cyberscoop.com/chinese-espionage-group-unc5174-open-source-tools/
https://www.theregister.com/2025/04/15/chinese_spies_backdoored_us_orgs/
- NVISO Analyzes BRICKSTORM Espionage Backdoor
"NVISO recently identified new information related to BRICKSTORM, a backdoor linked to the China-nexus cluster UNC5221. Through its Digital Forensics & Incident Response activities, NVISO observed BRICKSTORM's usage as part of an active espionage campaign targeting European industries since at least 2022."
https://www.nviso.eu/blog/nviso-analyzes-brickstorm-espionage-backdoor
https://www.bankinfosecurity.com/european-companies-infected-new-chinese-nexus-backdoor-a-28009
- From Shadow To Spotlight: The Evolution Of LummaStealer And Its Hidden Secrets
"This article is a continuation of the previous research published on the malware LummaStealer: "Your Data Is Under New Lummanagement: The Rise of LummaStealer". LummaStealer (aka LummaC2, Lummac, and Lumma Stealer) is a sophisticated malware that is spread as Malware-as-a-Service (MaaS). It was originally observed in 2022 and known to be developed by Russian-speaking adversaries. It targets a wide range of Windows systems. The developers of LummaStealer have shown a lot of agility to ensure their malware remains undetected and that the potential host-based detection rules put in place for a given sample do not apply to the new ones."
https://www.cybereason.com/blog/threat-analysis-lummastealer-2.0
- Hacktivists Target Critical Infrastructure, Move Into Ransomware
"According to a new Cyble report, hacktivists are increasingly moving beyond traditional activities like DDoS attacks and website defacements into more sophisticated critical infrastructure and ransomware attacks. In a report for clients, Cyble said hacktivism has “transformed into a complex instrument of hybrid warfare” with the rise of groups that have adopted more sophisticated attack techniques more typically associated with nation-state actors and financially motivated threat groups."
https://cyble.com/blog/hacktivists-infrastructure-move-into-ransomware/
- Multi-Stage Phishing Attack Exploits Gamma, An AI-Powered Presentation Tool
"AI-powered content generation platforms are reshaping how we work—and how threat actors launch attacks. In this newly uncovered campaign, attackers weaponize Gamma, a relatively new AI-based presentation tool, to deliver a link to a fraudulent Microsoft SharePoint login portal. Capitalizing on the fact that employees may not be as familiar with the platform (and thus not aware of its potential for exploitation), threat actors create a phishing flow so polished it feels legitimate at every step."
https://abnormalsecurity.com/blog/multi-stage-phishing-attack-gamma-presentation
https://www.darkreading.com/threat-intelligence/ai-powered-presentation-tool-leveraged-phishing-attacks
- “Follow Me” To This Fake Crypto Exchange To Claim $500
"A type of crypto scam that we reported about in 2024 has ported over to a new platform and changed tactics—a bit. Where the old scams mostly reached me on WhatsApp, the same group of scammers is now using Direct Messages on X. However, the same old trick of “accidentally” sending you login details to a supposedly well-funded financial account is still being used by at least one cybercriminal gang."
https://www.malwarebytes.com/blog/news/2025/04/follow-me-to-this-fake-crypto-exchange-to-claim-500
- Byte Bandits: How Fake PDF Converters Are Stealing More Than Just Your Documents
"What looks like a harmless online file conversion could be a trap set by cybercriminals. CloudSEK’s latest investigation uncovers a stealthy malware campaign where fake PDF-to-DOCX converters, mimicking the popular PDFCandy.com, trick users into running malicious PowerShell commands. The endgame? A powerful information stealer that hijacks browser credentials, crypto wallets, and more. Dive into our detailed breakdown of this social engineering scam, its technical anatomy, and how to stay a step ahead of such byte bandits."
https://www.cloudsek.com/blog/byte-bandits-how-fake-pdf-converters-are-stealing-more-than-just-your-documents
https://hackread.com/fake-pdfcandy-websites-spread-malware/
- Attack Upgraded: Disclosure Of DarkHotel Organization's Latest RPC Attack Components
"The DarkHotel organization was disclosed by foreign security vendors in 2014, reportedly dating back to 2010. The group got its name from targeting business executives and state dignitaries staying in luxury hotels. Their attack targets range across China, North Korea, Japan, Myanmar, India, and a few European countries, and they are considered an APT group with a Korean Peninsula government background. In recent years, we have observed that their attack targets have moved beyond the hotel industry represented by the DarkHotel name, now including foreign trade, government agencies, research institutions, military industries, and other sectors, making them one of the APT groups that frequently launch attacks against neighboring countries in recent years."
https://paper.seebug.org/3315/
Breaches/Hacks/Leaks
- Infamous Message Board 4chan Taken Down Following Major Hack
"4chan, an infamous online forum, was taken offline earlier today after what appears to be a significant hack and has since been loading intermittently. Members of the Soyjak.party imageboard (also known as The Party) have since claimed to be behind the attack. They also leaked screenshots of admin panels and a list of emails allegedly belonging to 4chan admins, moderators, and janitors (less privileged mods who help moderate the forums)."
https://www.bleepingcomputer.com/news/security/infamous-message-board-4chan-taken-down-following-major-hack/
https://hackread.com/4chan-breached-soyjak-forum-hacker-source-code-leak/
https://www.theregister.com/2025/04/15/4chan_breached/
- Landmark Admin Data Breach Impact Now Reaches 1.6 Million People
"Landmark Admin has issued an update to its investigation of a cyberattack it suffered in May 2024, increasing the number of impacted individuals to 1.6 million. Landmark is a Texas-based third-party administrator (TPA) handling policy accounting, regulatory reporting, reinsurance support, and IT systems for major insurers nationwide like Liberty Bankers Life and American Benefit Life. In October 2024, the company warned that it detected suspicious activity on its networks on May 13th, 2024."
https://www.bleepingcomputer.com/news/security/landmark-admin-data-breach-impact-now-reaches-16-million-people/
https://www.securityweek.com/2-6-million-impacted-by-landmark-admin-young-consulting-data-breaches/
https://www.theregister.com/2025/04/15/landmark_admin_data_loss/
- Texas Pediatric Orthopedics Clinic Says Hack Affects 140,000
"Ransomware group Qilin posted at least 42 gigabytes of data stolen from a Texas pediatric orthopedic practice for sale on its darkweb leak site in February. In recent days, Central Texas Pediatric Orthopedics began notifying more than 140,000 people that their data was compromised by hackers."
https://www.bankinfosecurity.com/texas-pediatric-orthopedics-clinic-says-hack-affects-140000-a-28010
- Millions Of Documents & UK Healthcare Workers’ PII Exposed In Staff Management Software Data Breach
"Cybersecurity Researcher, Jeremiah Fowler, discovered and reported to vpnMentor about a non-password-protected database that contained nearly 8 million records belonging to a UK-based software company that facilitates employee data management, compliance, timesheets, and payroll."
https://www.vpnmentor.com/news/report-logezy-breach/
https://hackread.com/uk-software-firm-exposed-healthcare-worker-records/
General News
- China Pursuing 3 Alleged US Operatives Over Cyberattacks During Asian Games
"China said Tuesday it is pursuing three alleged U.S. operatives accused of carrying out cyberattacks on Chinese infrastructure during the Asian Games held in the city of Harbin in February. A notice from the Harbin police headquarters named them as Katheryn A. Wilson, Robert J. Snelling, and Stephen W. Johnson and said they worked through the National Security Agency. The police said nothing about how they obtained the names or where the three were believed to be at present."
https://www.securityweek.com/china-pursuing-3-alleged-us-operatives-over-cyberattacks-during-asian-games/
https://therecord.media/china-accuses-nsa-hack-asian-winter-games
https://www.itnews.com.au/news/china-accuses-us-of-launching-advanced-cyberattacks-616592
https://cyberscoop.com/chinese-law-enforcement-places-nsa-operatives-on-wanted-list-over-alleged-cyberattacks/
https://www.theregister.com/2025/04/15/china_nsa_winter_games/
- MITRE Impact Report 2024: Strengthening Threat-Informed Defenses
"In today’s volatile cyberthreat landscape, clarity can be as elusive as it is essential. Cyber defenders face adversaries who adapt and hide effortlessly; and the difference between a secure environment and one that opens the door to a vulnerability often hinges on how well we understand those adversaries."
https://www.fortinet.com/blog/industry-trends/mitre-impact-report-2024-strengthening-threat-informed-defenses
- Encrypted App Intelligence Exposes Sprawling Criminal Networks Across Europe
"Law enforcement authorities across Europe and Türkiye have dismantled four major criminal networks responsible for fuelling the flow of drugs into the EU and Türkiye, following a series of coordinated raids supported by Europol. These results were made possible by the continued exploitation of encrypted communication platforms, including Sky ECC and ANOM, which remain powerful tools in the hands of investigators."
https://www.europol.europa.eu/media-press/newsroom/news/encrypted-app-intelligence-exposes-sprawling-criminal-networks-across-europe
https://hackread.com/operation-bulut-encrypted-chats-sky-ecc-anom-arrests/
- Cybercriminal Groups Embrace Corporate Structures To Scale, Sustain Operations
"In this Help Net Security interview, Sandy Kronenberg, CEO of Netarx, discusses how cybercriminal groups are adopting corporate structures and employee incentives to scale operations, retain talent, and evade detection. He covers the strategic collaborations behind major attacks, business-like parallels, and the implications of these shifts as these groups grow more sophisticated."
https://www.helpnetsecurity.com/2025/04/15/sandy-kronenberg-netarx-cybercriminal-groups-corporate-structures/
- Key Takeaways From The State Of Pentesting Report 2025
"At Cobalt, we conduct over 5,000 pentests annually, a number that is growing every year, across web, API, LLM, network, and cloud tests. This vast set of data and learnings gives us unique insight that we analyze to produce industry-leading research. The result is our State of Pentesting Report 2025, which we released today. This is the seventh year we’ve produced this report, and we’ve come a long way since our first State of Pentesting Report in 2019. For the 2025 report we looked back further than the past year to go all the way back to 2015, aggregating 10 years of data, so we could more thoroughly study trends."
https://www.cobalt.io/blog/key-takeaways-state-of-pentesting-report-2025
https://resource.cobalt.io/state-of-pentesting-2025
https://www.infosecurity-magazine.com/news/organizations-fix-half/
https://www.helpnetsecurity.com/2025/04/15/regular-pentesting-strategy-for-organizations/
- Bot Traffic Overtakes Human Activity As Threat Actors Turn To AI
"Automated traffic now accounts for the majority of activity on the web, with the share of bad bot traffic surging from 32% to 37% annually last year, according to Thales. The French defense giant’s 2025 Imperva Bad Bot Report is now in its 12th year, and based as always on data collected by Imperva’s global network, which apparently blocked 13 trillion bad bot requests across thousands of domains and industries last year."
https://www.infosecurity-magazine.com/news/bot-traffic-human-activity-threat/
https://www.imperva.com/resources/resource-library/reports/2025-bad-bot-report/
https://www.darkreading.com/vulnerabilities-threats/ai-bad-bots-are-taking-over-web
- LabHost Phishing Mastermind Sentenced To 8.5 Years
"A Huddersfield man has been handed an eight-and-a-half-year sentence for masterminding what became one of the world’s largest phishing-as-a-service (PhaaS) platforms. Zak Coyne, 23, of Woodbine Road, Huddersfield, was sentenced in Manchester Crown Court on Monday after admitting his crimes in September 2024. These included: making or supplying articles for use in frauds; encouraging or assisting the commission of an offense believing it would be committed; and transferring criminal property."
https://www.infosecurity-magazine.com/news/labhost-phishing-mastermind/
- CISO Conversations: Maarten Van Horenbeeck, SVP & Chief Security Officer At Adobe
"Maarten Van Horenbeeck was inspired by a movie – he watched WarGames as a child. He became fascinated by the potential of interconnected, communicating computers and the security issues that come with them. “Deep inside, I immediately felt this is what I would do,” he said, “it really motivated me. When I got a bit older, I realized there’s a whole community of people finding and exploiting security bugs, and another community finding and fixing them. It just drew me in, and I’ve never really done anything else since I started my very first job.”"
https://www.securityweek.com/ciso-conversations-maarten-van-horenbeeck-svp-chief-security-officer-at-adobe/
- Majority Of Browser Extensions Can Access Sensitive Enterprise Data, New Report Finds
"Everybody knows browser extensions are embedded into nearly every user's daily workflow, from spell checkers to GenAI tools. What most IT and security people don't know is that browser extensions' excessive permissions are a growing risk to organizations. LayerX today announced the release of the Enterprise Browser Extension Security Report 2025. This report is the first and only report to merge public extension marketplace statistics with real-world enterprise usage telemetry. By doing so, it sheds light on one of the most underestimated threat surfaces in modern cybersecurity: browser extensions."
https://thehackernews.com/2025/04/majority-of-browser-extensions-can.html
https://go.layerxsecurity.com/enterprise-browser-extension-security-report-2025
- ZDI-23-1527 And ZDI-23-1528: The Potential Impact Of Overly Permissive SAS Tokens On PC Manager Supply Chains
"In this blog entry, we look at overly permissive cloud service credentials in Microsoft’s public-facing assets and assess their potential implications on software supply chain and software integrity. We do this by exploring two scenarios involving PC Manager, a tool designed to help optimize and manage Windows computers. PC Manager includes features for cleaning up temporary files, managing startup programs, monitoring system health, and improving overall performance, and aims to provide users with a straightforward method for maintaining their machine’s efficiency and security."
https://www.trendmicro.com/en_us/research/25/d/zdi-23-1527-and-zdi-23-1528-the-potential-impact-of-overly-permi.html
- Attacks On The Education Sector Are Surging: How Can Cyber-Defenders Respond?
"We all want the best possible education for our children. But even the best-laid plans can come unstuck when confronted with an agile, persistent and devious adversary. Nation state-aligned actors and cybercriminals represent one of the biggest threats to schools, colleges and universities today. The education sector was the third–most targeted in Q2 2024, according to Microsoft. And ESET threat researchers have observed sophisticated APT groups targeting institutions across the globe. In the period from April to September 2024, the education sector was in the top three most attacked industries by China-aligned APT groups, the top two for North Korea, and in the top six both for Iran- and Russia-aligned actors."
https://www.welivesecurity.com/en/business-security/attacks-education-sector-surging-cyber-defenders-respond/
- MITRE Warns Of Lapse With CVE Program As Contract With US Set To Expire
"The MITRE Corporation said on Tuesday that its stewardship of the CVE program — which catalogs all public cybersecurity vulnerabilities — may be ending this week because the federal government has decided not to renew its contract with the nonprofit. Yosry Barsoum, MITRE’s vice president and director of the Center for Securing the Homeland, told Recorded Future News in a statement that on Wednesday, April 16, funding to “develop, operate, and modernize the [CVE] Program and related programs, such as the Common Weakness Enumeration (CWE) Program, will expire.”"
https://therecord.media/mitre-warns-of-cve-program-lapse-contract-expires
https://www.securityweek.com/mitre-signals-potential-cve-program-deterioration-as-us-gov-funding-expires/
https://www.theregister.com/2025/04/16/homeland_security_funding_for_cve/
References
Electronic Transactions Development Agency (ETDA)