Cyber Threat Intelligence 18 April 2025
Industrial Sector
- Schneider Electric Sage Series
"Successful exploitation of this vulnerability could allow an attacker to compromise the impacted device, leading to loss of data, loss of operation, or impacts to the performance of the device."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-107-02
- Schneider Electric ConneXium Network Manager
"Successful exploitation of these vulnerabilities could allow an attacker to access sensitive data, escalate privileges, or perform remote code execution."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-107-03
- Yokogawa Recorder Products
"Successful exploitation of this vulnerability could allow an attacker to manipulate information on the affected products."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-107-04
- Schneider Electric Trio Q Licensed Data Radio
"Successful exploitation of these vulnerabilities could allow an attacker to access confidential information, compromise the integrity, or affect the availability of the affected product."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-107-01
New Tooling
- Nebula – Autonomous AI Pentesting Tool
"Another cutting-edge tool from 2024 is Nebula, an open-source AI-powered penetration testing assistant. If PentestGPT is like an AI advisor, Nebula attempts to automate parts of the pentest process itself. It was released as a beta-phase project in late 2024 by security researchers at Beryllium."
https://www.darknet.org.uk/2025/04/nebula-autonomous-ai-pentesting-tool/
https://github.com/berylliumsec/nebula
Vulnerabilities
- Critical Erlang/OTP SSH Pre-Auth RCE Is 'Surprisingly Easy' To Exploit, Patch Now
"A critical vulnerability in the Erlang/OTP SSH, tracked as CVE-2025-32433, has been disclosed that allows for unauthenticated remote code execution on vulnerable devices. The flaw was discovered by Fabian Bäumer, Marcus Brinkmann, Marcel Maehren, and Jörg Schwenk of the Ruhr University Bochum in Germany and given a maximum severity score of 10.0. All devices running the Erlang/OTP SSH daemon are impacted by the vulnerability and are advised to upgrade to versions 25.3.2.10 and 26.2.4 to fix the flaw."
https://www.bleepingcomputer.com/news/security/critical-erlang-otp-ssh-pre-auth-rce-is-surprisingly-easy-to-exploit-patch-now/
https://www.openwall.com/lists/oss-security/2025/04/16/2
https://thehackernews.com/2025/04/critical-erlangotp-ssh-vulnerability.html
https://hackread.com/researchers-cvss-severity-rce-vulnerability-erlang-otp-ssh/
https://www.securityweek.com/critical-erlang-otp-ssh-flaw-exposes-many-servers-to-remote-hacking/
- Vulnerabilities Patched In Atlassian, Cisco Products
"Atlassian and Cisco this week announced patches for multiple high-severity vulnerabilities in their products, including flaws leading to remote code execution. Atlassian released seven updates that address four high-severity flaws impacting third-party dependencies in Bamboo, Confluence, and Jira, including some that were publicly disclosed nearly six years ago."
https://www.securityweek.com/vulnerabilities-patched-in-atlassian-cisco-products/
- CISA Adds Three Known Exploited Vulnerabilities To Catalog
"CISA has added three new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
CVE-2025-31200 Apple Multiple Products Memory Corruption Vulnerability
CVE-2025-31201 Apple Multiple Products Arbitrary Read and Write Vulnerability
CVE-2025-24054 Microsoft Windows NTLM Hash Disclosure Spoofing Vulnerability"
https://www.cisa.gov/news-events/alerts/2025/04/17/cisa-adds-three-known-exploited-vulnerabilities-catalog
Malware
- IronHusky Updates The Forgotten MysterySnail RAT To Target Russia And Mongolia
"Day after day, threat actors create new malware to use in cyberattacks. Each of these new implants is developed in its own way, and as a result gets its own destiny – while the use of some malware families is reported for decades, information about others disappears after days, months or several years. We observed the latter situation with an implant that we dubbed MysterySnail RAT. We discovered it back in 2021, when we were investigating the CVE-2021-40449 zero-day vulnerability. At that time, we identified this backdoor as related to the IronHusky APT, a Chinese-speaking threat actor operating since at least 2017. Since we published a blogpost on this implant, there have been no public reports about it, and its whereabouts have remained unknown."
https://securelist.com/mysterysnail-new-version/116226/
- Searching For Something Unknow
"After the release of the Secure Annex ‘Monitor’ feature, I wanted to help evaluate a list of extensions an organization I was working with had configured for monitoring. Notifications when new changes occur are great, but in security, baselines are everything! To cut down a list of 132 extensions in use, I identified a couple of extensions that stuck out because they were ‘unlisted’ in the Chrome Web Store. Unlisted extensions are not indexed by search engines and do not show up when searching the Chrome Web Store. The only way to access the extension is by knowing the URL."
https://secureannex.com/blog/searching-for-something-unknow/
https://www.bleepingcomputer.com/news/security/chrome-extensions-with-6-million-installs-have-hidden-tracking-code/
- Unmasking The New XorDDoS Controller And Infrastructure
"The XorDDoS trojan is a well-known DDoS malware that targets Linux machines, turning them into "zombie bots" that carry out attacks. First identified in 2014, its sub-controller was uncovered in 2015. Based on the simplified Chinese user interface and instructions of the XorDDoS controllers and builder, Talos assesses with high confidence that the operators are Chinese-speaking individuals. From 2020 to 2023, the XorDDoS trojan has increased significantly in prevalence. This trend is not only due to the widespread global distribution of the XorDDoS trojan but also an uptick in malicious DNS requests linked to its command-and-control (C2) infrastructure."
https://blog.talosintelligence.com/unmasking-the-new-xorddos-controller-and-infrastructure/
- Exploiting SMS: Threat Actors Use Social Engineering To Target Companies
"Phishing attacks continue to target businesses in increasingly sophisticated ways. One common method used by threat actors is smishing—an SMS-based phishing tactic that often serves as a gateway to credential harvesting. The Cofense Phishing Defense Center (PDC) has observed an uptick in SMS-based attacks attempting to send malicious fake websites through fake/unknown phone numbers. Smishing uses social engineering to manipulate recipients by creating a sense of urgency or fear."
https://cofense.com/blog/exploiting-sms-threat-actors-use-social-engineering-to-target-companies
- Around The World In 90 Days: State-Sponsored Actors Try ClickFix
"A major trend in the threat landscape is the fluidity of tactics, techniques, and procedures (TTPs). Threat actors share, copy, steal, adopt, and test TTPs from publicly exposed tradecraft or interaction with other threat groups. Specifically, state-sponsored actors have often leveraged techniques first developed and deployed by cybercriminal actors. For example, North Korean threat actors copying techniques from cybercrime to steal cryptocurrency on behalf of the government, or Chinese groups mimicking cybercrime infection chains to deliver malware in espionage operations."
https://www.proofpoint.com/us/blog/threat-insight/around-world-90-days-state-sponsored-actors-try-clickfix
https://thehackernews.com/2025/04/state-sponsored-hackers-weaponize.html
- Cases Studies And Countermeasures Of Credential Stuffing Attacks Using Leaked Accounts
"Credential stuffing attacks using leaked passwords have been rapidly increasing. These attacks, which began with a simple technique, have evolved—through advances in automation tools and the vulnerability of credential reuse—into large-scale account breaches and financial damages. Previously, the threats could be identified simply by detecting the large number of login attempts. However, attackers today attempt to evade detection by mimicking legitimate user traffic through methods such as web proxies, user-agent spoofing, and distributed login requests. As these attack techniques become more sophisticated, traditional defenses like firewalls or detection methods based solely on failed login attempts face limitations."
https://asec.ahnlab.com/en/87535/
Breaches/Hacks/Leaks
- Entertainment Services Giant Legends International Discloses Data Breach
"Entertainment venue management firm Legends International warns it suffered a data breach in November 2024, which has impacted employees and people who visited venues under its management. In a notification letter shared with the authorities, the company informs that it detected unauthorized activity in its IT systems on November 9, 2024, prompting an investigation carried out with the help of external cybersecurity experts."
https://www.bleepingcomputer.com/news/security/entertainment-services-giant-legends-international-discloses-data-breach/
- Ahold Delhaize Confirms Data Theft After INC Ransomware Claims Attack
"Food retail giant Ahold Delhaize confirms that data was stolen from its U.S. business systems during a November 2024 cyberattack. "Based on our investigation to date, certain files were taken from some of our internal U.S. business systems," a spokesperson confirmed to BleepingComputer. "Since the incident was detected, our teams have been working diligently to determine what information may have been affected.""
https://www.bleepingcomputer.com/news/security/ahold-delhaize-confirms-data-theft-after-inc-ransomware-claims-attack/
https://therecord.media/dutch-cyberattack-stolen-hannafords-grocery
- Huge Ransomware Campaign Targets AWS S3 Storage: Attackers Have Thousands Of Keys
"A massive database of over 1,200 unique Amazon Web Services (AWS) access keys has been amassed and exploited in a ransomware campaign. Administrators of exposed AWS S3 buckets are finding their files encrypted except for a ransom note demanding payment in bitcoin. Security researchers discovered a publicly accessible server containing over 158 million AWS secret key records. Most of the keys were duplicate entries replicated across different regional endpoints and configurations. However, further investigation unveiled a malicious campaign involving scraping and otherwise collecting AWS keys, encrypting the storage buckets, and demanding ransom payments."
https://cybernews.com/security/aws-cloud-storage-bucket-ransomware-attacks/
https://hackread.com/mass-ransomware-campaign-s3-buckets-stolen-aws-keys/
General News
- When AI Agents Go Rogue, The Fallout Hits The Enterprise
"In this Help Net Security interview, Jason Lord, CTO at AutoRABIT, discusses the cybersecurity risks posed by AI agents integrated into real-world systems. Issues like hallucinations, prompt injections, and embedded biases can turn these systems into vulnerable targets. Lord calls for oversight, continuous monitoring, and human-in-the-loop controls to combat these threats."
https://www.helpnetsecurity.com/2025/04/17/jason-lord-autorabit-ai-agents-risks/
- Microsoft Vulnerabilities: What’s Improved, What’s At Risk
"Microsoft reported a record 1,360 vulnerabilities in 2024, according to the latest BeyondTrust Microsoft Vulnerabilities Report. The volume marks an 11% increase from the previous record in 2022 and fits within a broader post-pandemic trend: more vulnerabilities, more products, and more complex ecosystems. But one of the more telling metrics for CISOs is not just how many bugs were found — it’s how dangerous they were. In that regard, the data offers some good news. The number of critical vulnerabilities dropped to 78 in 2024, down from 84 the year before and less than half the 196 logged in 2020. It’s the lowest critical count since the report began."
https://www.helpnetsecurity.com/2025/04/17/beyondtrust-microsoft-vulnerabilities-report-2024/
- Network Edge Devices The Biggest Entry Point For Attacks On SMBs
"Compromised network edge devices accounted for initial compromise in 30% of incidents impacting small and medium-sized businesses (SMBs) in 2024. These devices, which include VPN appliances, firewalls and other remote access appliances, collectively made up the largest single source of initial compromise of networks in intrusions tracked by Sophos Managed Detection and Response (MDR). VPN exploitation alone was the most frequent compromise point across all cases, at 19%."
https://www.infosecurity-magazine.com/news/network-edge-devices-entry-smb/
- Abusing Data In The Middle: Surveillance Risks In China’s State-Owned Mobile Ecosystem
"Mobile communication is at the core of daily life, powering everything from casual chats to corporate strategies and even national defense. What’s often overlooked is the intricate web of mobile interconnect providers operating behind the scenes, enabling international calls, texts and data transfers. While this infrastructure is built for efficiency, it also creates security vulnerabilities, especially when state-controlled organizations are in the mix. This is precisely what our latest report, Data in the Middle, explores: the hidden dangers posed by China’s state-controlled mobile interconnect providers and the implications for global cybersecurity."
https://iverify.io/blog/abusing-data-in-the-middle-surveillance-risks-in-china-s-state-owned-mobile-ecosystem
https://40052983.fs1.hubspotusercontent-na1.net/hubfs/40052983/iVerify-Abusing-Data-in-the-Middle.pdf
https://cyberscoop.com/35-countries-use-chinese-networks-for-transporting-mobile-user-traffic-posing-cyber-risks/
https://www.bankinfosecurity.com/report-warns-us-allies-are-using-chinese-owned-mobile-routes-a-28034
- NIST Updates Privacy Framework With AI And Governance Revisions
"The US National Institute of Standards and Technology (NIST) has updated its Privacy Framework to better align with its Cybersecurity Framework as the two become increasingly intertwined. The Cybersecurity Framework received its own update in February 2024. Organizations are increasingly using, storing, and sharing personal information — including highly sensitive data. NIST's Privacy Framework provides guidelines for how to protect that data, manage privacy risks, and build a program that adheres to global laws and regulations. The widely used framework consists of three components: the core, implementation tiers, and profiles. NIST is accepting feedback to the draft Privacy Framework version 1.1 through June 13."
https://www.darkreading.com/data-privacy/nist-updates-privacy-framework-ai-governance
- IBM X-Force 2025 Threat Intelligence Index
"Manufacturing is the #1-targeted industry, four years in a row. Manufacturing organizations continued to experience significant impacts from attacks, including extortion (29%) and data theft (24%), targeting financial assets and intellectual property. Defying the declining trend in malware, manufacturing had the highest number of ransomware cases in 2024 as attackers continue to exploit outdated legacy technology in this industry."
https://www.ibm.com/thought-leadership/institute-business-value/report/2025-threat-intelligence-index
https://www.infosecurity-magazine.com/news/identity-attacks-now-comprise/
- Why ‘One Community’ Resonates In Cybersecurity
"The annual 2025 RSA Conference is fast approaching and as we prepare for the biggest event impacting cybersecurity professionals, I couldn’t fail to notice how the key themes over the past few years, including this year, really resonate with what we are seeing across the cybersecurity industry."
https://www.securityweek.com/why-one-community-resonates-in-cybersecurity/
- Artificial Intelligence – What's All The Fuss?
"Almost daily now we watch the hallowed milestone of the "Turing Test" slip farther and farther into an almost naïve irrelevance, as computer interfaces have evolved from being comparable to human language, to similar, to indistinguishable, to arguably superior [1]. The development of large language models (LLMs) began with natural language processing (NLP) advancements in the early 2000s, but the major breakthrough came with Ashish Vaswani's 2017 paper, "Attention is All You Need." This allowed for training larger models on vast datasets, greatly improving language understanding and generation."
https://thehackernews.com/2025/04/artificial-intelligence-whats-all-fuss.html
- They’re Coming For Your Data: What Are Infostealers And How Do I Stay Safe?
"In the world of cybercrime, information is a means to an end. And that end, more often than not, is to make money. That’s why information-stealing (infostealer) malware has risen to become a major driver of identity fraud, account takeover and digital currency theft. But there are also plenty of people that live much of their daily lives online and manage to stay safe. The key is to understand how to manage digital risk effectively. Here’s what you need to know to keep your personal and financial information out of harm’s way."
https://www.welivesecurity.com/en/malware/theyre-coming-data-infostealers-how-stay-safe/
- Cyber Signals Issue 9 | AI-Powered Deception: Emerging Fraud Threats And Countermeasures
"Microsoft maintains a continuous effort to protect its platforms and customers from fraud and abuse. From blocking imposters on Microsoft Azure and adding anti-scam features to Microsoft Edge, to fighting tech support fraud with new features in Windows Quick Assist, this edition of Cyber Signals takes you inside the work underway and important milestones achieved that protect customers."
https://www.microsoft.com/en-us/security/blog/2025/04/16/cyber-signals-issue-9-ai-powered-deception-emerging-fraud-threats-and-countermeasures/
https://www.infosecurity-magazine.com/news/microsoft-thwarts-4bn-in-fraud/
- GPS Spoofing Attacks Spike In Middle East, Southeast Asia
"Spoofing attacks on the global positioning system (GPS) continue to widely impact air and sea transportation in 2025, following a significant surge during the summer of 2024, when airline flights suffered frequent jamming in conflict zones, especially in Eastern Europe and Russia, the Middle East, and most recently Myanmar and Southeast Asia. Last week, the Indian military revealed that flights bringing humanitarian aid to Myanmar in the wake of a strong March 28 earthquake had encountered GPS spoofing and had to use backup systems to navigate. A year ago, the number of flights affected by GPS spoofing peaked at more than 1,500 per day in the Middle East alone and at more than 2,000 worldwide. Since then, GPS spoofing attacks have declined significantly, only to pick up at the end of last year and into 2025."
https://www.darkreading.com/cyberattacks-data-breaches/gps-spoofing-attacks-spike-middle-east-southeast-asia
Reference
Electronic Transactions Development Agency (ETDA)