Cyber Threat Intelligence 02 May 2025

NCSA_THAICERT

Healthcare Sector

MicroDicom DICOM Viewer
"Successful exploitation of these vulnerabilities could allow an attacker to disclose information, cause memory corruption, and execute arbitrary code."
https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-121-01

Industrial Sector

KUNBUS GmbH Revolution Pi
"Successful exploitation of these vulnerabilities could allow attackers to bypass authentication, gain unauthorized access to critical functions, and execute malicious server-side includes (SSI) within a web page."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-121-01

Vulnerabilities

Exploring PLeak: An Algorithmic Method For System Prompt Leakage
"In the second article of our series on attacking artificial intelligence (AI), let us explore an algorithmic technique designed to induce system prompt leakage in LLMs, which is called PLeak. System Prompt Leakage pertains to the risk that preset system prompts or instructions meant to be followed by the model can reveal sensitive data when exposed. For organizations, this means that private information such as internal rules, functionalities, filtering criteria, permissions, and user roles can be leaked. This could give attackers opportunities to exploit system weaknesses, potentially leading to data breaches, disclosure of trade secrets, regulatory violations, and other unfavorable outcomes."
https://www.trendmicro.com/en_us/research/25/e/exploring-pleak.html
CISA Adds Two Known Exploited Vulnerabilities To Catalog
"CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
CVE-2024-38475 Apache HTTP Server Improper Escaping of Output Vulnerability
CVE-2023-44221 SonicWall SMA100 Appliances OS Command Injection Vulnerability"
https://www.cisa.gov/news-events/alerts/2025/05/01/cisa-adds-two-known-exploited-vulnerabilities-catalog
AI Agents Are Here. So Are The Threats.
"Agentic applications are programs that leverage AI agents — software designed to autonomously collect data and take actions toward specific objectives — to drive their functionality. As AI agents are becoming more widely adopted in real-world applications, understanding their security implications is critical. This article investigates ways attackers can target agentic applications, presenting nine concrete attack scenarios that result in outcomes such as information leakage, credential theft, tool exploitation and remote code execution."
https://unit42.paloaltonetworks.com/agentic-ai-threats/

Malware

Using Trusted Protocols Against You: Gmail As a C2 Mechanism
"Socket’s Threat Research Team uncovered malicious Python packages designed to create a tunnel via Gmail. The threat actor’s email is the only potential clue as to their motivation, but once the tunnel is created, the threat actor can exfiltrate data or execute commands that we may not know about through these packages."
https://socket.dev/blog/using-trusted-protocols-against-you-gmail-as-a-c2-mechanism
https://www.bleepingcomputer.com/news/security/malicious-pypi-packages-abuse-gmail-websockets-to-hijack-systems/
State-Of-The-Art Phishing: MFA Bypass
"For the past thirty years, phishing has been a staple in many cybercriminals' arsenals. All cybersecurity professionals are familiar with phishing attacks: Criminals impersonate a trusted site in an attempt to social engineer victims into divulging personal or private information such as account usernames and passwords. In the early days of phishing, it was often enough for cybercriminals to create fake landing pages matching the official site, harvest authentication credentials and use them to access victims’ accounts."
https://blog.talosintelligence.com/state-of-the-art-phishing-mfa-bypass/
FortiGuard Incident Response Team Detects Intrusion Into Middle East Critical National Infrastructure
"The FortiGuard Incident Response (FGIR) team recently investigated a long-term cyber intrusion targeting critical national infrastructure (CNI) in the Middle East, attributed to an Iranian state-sponsored threat group. The attack involved extensive espionage operations and suspected network prepositioning—a tactic often used to maintain persistent access for future strategic advantage. Full Report Available: The following article provides key findings, but a full report of this activity is available here. The report includes an analysis of novel malware deployed throughout the intrusion, a detailed breakdown of adversary TTPs across different attack stages, Indicators of Compromise (IOCs) to assist defenders, and attribution considerations for deeper insight."
https://www.fortinet.com/blog/threat-research/fortiguard-incident-response-team-detects-intrusion-into-middle-east-critical-national-infrastructure
https://www.fortinet.com/content/dam/fortinet/assets/reports/report-incident-response-middle-east.pdf
Revived CryptoJS Library Is a Crypto Stealer In Disguise
"An illicit npm package called 'crypto-encrypt-ts' may appear to revive the unmaintained but vastly popular CryptoJS library, but what it actually does is peek into your crypto wallet and exfiltrate your secrets to threat actors. Discovered by Sonatype's automated malware detection systems, the counterfeit 'crypto-encrypt-ts' has been downloaded more than 1,928 times already since its publication."
https://www.sonatype.com/blog/revived-cryptojs-library-is-a-crypto-stealer-in-disguise
https://hackread.com/npm-malware-crypto-wallets-mongodb-turkey-code/
Detecting And Countering Malicious Uses Of Claude: March 2025
"We are committed to preventing misuse of our Claude models by adversarial actors while maintaining their utility for legitimate users. While our safety measures successfully prevent many harmful outputs, threat actors continue to explore methods to circumvent these protections. We are continuously using learnings to upgrade our safeguards. This report outlines several case studies on how actors have misused our models, as well as the steps we have taken to detect and counter such misuse. By sharing these insights, we hope to protect the safety of our users, prevent abuse or misuse of our services, enforce our Usage Policy and other terms, and share our learnings for the benefit of the wider online ecosystem."
https://www.anthropic.com/news/detecting-and-countering-malicious-uses-of-claude-march-2025
https://thehackernews.com/2025/05/claude-ai-exploited-to-operate-100-fake.html
https://www.infosecurity-magazine.com/news/claude-chatbot-political-messaging/
Apple Notifies Victims In 100 Countries Of Likely Spyware Targeting
"Apple this week sent threat notifications advising users in 100 countries that their phones had been targeted by advanced commercial spyware, according to a victim of the attacks. Cyrus Pellegrino, an Italian journalist who received a notification, came forward in a column published Wednesday. A second victim, right-wing Dutch author and pundit Eva Vlaardingerbroek, posted on X Wednesday that she too received the Apple notification."
https://therecord.media/apple-spyware-victims-notified-countries
Active Subscription Scam Campaigns Flooding The Internet
"Bitdefender researchers have uncovered a surge in subscription scams, both in scale and sophistication, spurred by a massive campaign involving hundreds of fraudulent websites. What sets this campaign apart is the significant investment cybercriminals have undertaken to make these fake sites look convincingly legitimate. Gone are the days when a suspicious email, SMS, or basic phishing link could easily fool users. As people grow more cautious and cyber-aware, scammers are stepping up their game. They have already begun crafting more complex and convincing schemes to bypass skepticism and lure victims into handing over sensitive information, especially credit card data."
https://www.bitdefender.com/en-au/blog/labs/active-subscription-scam-campaigns-flooding-the-internet
https://www.infosecurity-magazine.com/news/mystery-box-scams-credit-card-data/

Breaches/Hacks/Leaks

Harrods The Next UK Retailer Targeted In a Cyberattack
"London's iconic department store, Harrods, has confirmed it was targeted in a cyberattack, becoming the third major UK retailer to report cyberattacks in a week following incidents at M&S and the Co-op. In a statement shared with BleepingComputer, Harrods says threat actors recently attempted to hack into their systems, causing the company to restrict access to sites. "We recently experienced attempts to gain unauthorised access to some of our systems," Harrods told BleepingComputer."
https://www.bleepingcomputer.com/news/security/harrods-the-next-uk-retailer-targeted-in-a-cyberattack/
Over 500k Records Including Customer PII Exposed In Ticket Reseller Data Breach
"Cybersecurity Researcher, Jeremiah Fowler, discovered and reported to vpnMentor about a non-password-protected database that contained 520,054 records belonging to an event ticket resale platform. The publicly exposed database was not password-protected or encrypted. It contained 520,054 records with a total size of 200 GB. The name of the database indicated that it contained customer inventory files in PDF, JPG, PNG, and JSON formats. In a limited sampling of the exposed documents, I saw thousands of concert and live event tickets, proof of ticket transfers, user-submitted screenshots of receipts, and more. Some of these documents contained partial credit card numbers, full names, email addresses, and home addresses."
https://www.vpnmentor.com/news/report-tickettocash-breach/
https://hackread.com/ticket-resale-platform-tickettocash-exposed-user-data/
Poland’s State Registry Temporarily Blocked By Cyber Incident
"A suspected cyberattack disrupted Poland’s state registry systems on Wednesday, hampering access to key government services, local media reported. The incident temporarily blocked access to the country’s PESEL registry, a central database that stores personal information such as names, birthdates and addresses, and is used to verify identities across healthcare, taxation and other public services. Poland’s digital ministry confirmed the disruption but did not specify the cause. The ministry said that while access to some services was affected, no data had been compromised. PESEL assigns a unique number to all Polish citizens and foreign residents."
https://therecord.media/poland-pesel-system-state-registry-cyber-incident

General News

Why SMEs Can No Longer Afford To Ignore Cyber Risk
"In this Help Net Security interview, Steven Furnell, Professor of Cyber Security at the University of Nottingham, illustrates how small and medium-sized businesses (SMEs) must reassess their risk exposure and prioritize resilience to safeguard their long-term growth and stability. Learn how SMEs can better protect themselves, adapt to regulations, and build stronger cyber resilience."
https://www.helpnetsecurity.com/2025/05/01/steven-furnell-university-of-nottingham-smes-risk-exposure/
Preparing For The Next Wave Of Machine Identity Growth
"Machine identities are multiplying fast, and many organizations are struggling to keep up. In this Help Net Security interview, Wendy Wu, CMO at SailPoint, explains why machine identity security matters, where most companies go wrong, how automation can help, and what the rise of AI agents means for the future of identity management."
https://www.helpnetsecurity.com/2025/05/01/wendy-wu-sailpoint-machine-identity-security/
Low-Tech Phishing Attacks Are Gaining Ground
"Cybercriminals are increasingly favoring low-tech, human-centric attacks to bypass email scanning technologies, according to VIPRE Security. The report is based on an analysis of global real-world data and highlights the most significant email security trends from the first quarter of 2025."
https://www.helpnetsecurity.com/2025/05/01/cybercriminals-email-attacks/
Hacker 'NullBulge' Pleads Guilty To Stealing Disney's Slack Data
"A California man who used the alias "NullBulge" has pleaded guilty to illegally accessing Disney's internal Slack channels and stealing over 1.1 terabytes of internal company data. According to the U.S. Department of Justice, a 25-year-old named Ryan Kramer created a malicious program in early 2024 that was promoted as an AI image generation tool on GitHub and other platforms. However, the DOJ says this program was actually malware that allowed Kramer to access the computer of those who installed it to steal data and passwords from the device."
https://www.bleepingcomputer.com/news/security/hacker-nullbulge-pleads-guilty-to-stealing-disneys-slack-data/
Ukrainian National Extradited From Spain To Face Conspiracy To Use Ransomware Charge
"Earlier today, in federal court in Brooklyn, a superseding indictment was unsealed charging Artem Stryzhak with conspiracy to commit fraud and related activity, including extortion, in connection with computers, for his role in a series of international attacks using the Nefilim ransomware. Stryzhak, a Ukrainian citizen, was arrested in Spain in June 2024 and extradited to the United States on April 30, 2025. The arraignment will be held later today before United States Magistrate Judge Robert M. Levy."
https://www.justice.gov/usao-edny/pr/ukrainian-national-extradited-spain-face-conspiracy-use-ransomware-charge
https://www.bleepingcomputer.com/news/security/ukrainian-extradited-to-us-for-nefilim-ransomware-attacks/
https://therecord.media/nefilim-ransomware-extradited-spain
https://cyberscoop.com/nefilim-ransomware-artem-stryzhak-extradited/
SANS Top 5: Cyber Has Busted Out Of The SOC
"Each year, top SANS faculty joins the RSAC conference to present what their community of practitioners and researchers see as the most pressing challenges facing the cybersecurity community for the year to come. This year's list of top-five threats aren't merely technical, and tackling them will demand coordinated leadership from the very top of the organization, and beyond. "The attack techniques outlined in the SANS RSAC 2025 keynote underscore a common theme: cybersecurity is no longer confined to the security operations center — it’s a leadership issue that impacts every layer of the enterprise," according to a SANS media statement. "The threats of tomorrow demand a strategic, integrated response rooted in visibility, agility, and cross-functional alignment.""
https://www.darkreading.com/cloud-security/sans-top5-cyber-broken-out-soc
https://www.darkreading.com/cyberattacks-data-breaches/enterprises-need-beware-five-threats
When Threat Actors Behave Like Managed Service Providers
"Cyber incidents and ransomware hacks happen every day, and my company has responded to its fair share. Over the years, I've seen several business owners who were out of their element when faced with the possibility of becoming a victim of cybercriminal activity. A recent breach we responded to is a perfect example of what not to do when your network is controlled by a threat actor. The company's systems were completely down, and no business was able to be conducted. According to the owners, their customers were leaving in droves, so there was an urgent need to become operational again."
https://www.darkreading.com/vulnerabilities-threats/threat-actors-behave-managed-service-providers
Russian Cyber Operations: Attack Automation, Espionage Against Defense Sector, And New Tactics. Analysis For The Second Half Of 2024
"Experts from the CERT-UA team, operating within The State Cyber Protection Centre of the State Service of Special Communications and Information Protection of Ukraine (SSSCIP), have prepared an analytical report titled "russian Cyber Operations" H2'2024. The study is based on a systematic analysis of cyber threats identified during the second half of 2024 and highlights the evolving tactics and priorities of Russian hacking groups."
https://cip.gov.ua/en/news/russian-cyber-operations-attack-automation-espionage-against-defense-sector-and-new-tactics-analysis-for-the-second-half-of-2024
https://www.darkreading.com/threat-intelligence/putin-cyberattacks-ukraine-rise-little-effect
Debunking Security 'Myths' To Address Common Gaps
"Organizations struggling to implement and maintain a basic security foundation need to start rethinking compliance checklists. Following industry best practices generally includes managing authentication, compliance, and risk management issues. However, it can be difficult to know what items to prioritize and even more challenging to know which ones are necessary."
https://www.darkreading.com/cyber-risk/debunking-security-myths-common-gaps
The 3 Biggest Cybersecurity Threats To Small Businesses
"In an online world filled with extraordinarily sophisticated cyberattacks—including organized assaults on software supply chains, state-directed exploitations of undiscovered vulnerabilities, and the novel and malicious use of artificial intelligence (AI)—small businesses are forced to prioritize a different type of cyberattack: The type that gets through. Without robust IT budgets or fully staffed cybersecurity departments, small businesses often rely on their own small stable of workers (including sole proprietors with effectively zero employees) to stay safe online. That means that what worries these businesses most in cybersecurity is what is most likely to work against them."
https://www.malwarebytes.com/blog/news/2025/05/the-3-biggest-cybersecurity-threats-to-small-businesses
Year Of The Twin Dragons: Developers Must Slay The Complexity And Security Issues Of AI Coding Tools
"For software developers working at breakneck speeds to keep up with a growing list of demands and obligations, the arrival of artificial intelligence (AI) coding assistants several years ago was a blessing. Developers quickly became avid users of the generative AI models that accelerated the code-creation process and speed of delivery. But on the heels of that undeniable initial benefit, the other shoe has fallen, adding layers of complexity to an increasingly complex environment. Securing the attack surface was already a Sisyphean task; AI coding is making it even more insurmountable."
https://www.securityweek.com/year-of-the-twin-dragons-developers-must-slay-the-complexity-and-security-issues-of-ai-coding-tools/
Actions Over Words: Career Lessons For The Security Professional
"The French philosopher, Rene Descartes, noted: “To know what people really think, pay attention to what they do, rather than what they say.” Over the course of my career, I have found this quote to be quite accurate and poignant. What people say can be both distracting and tempting at the same time. Yet, it is through their actions that people show who they really are."
https://www.securityweek.com/actions-over-words-career-lessons-for-the-security-professional/
New Research Reveals: 95% Of AppSec Fixes Don't Reduce Risk
"For over a decade, application security teams have faced a brutal irony: the more advanced the detection tools became, the less useful their results proved to be. As alerts from static analysis tools, scanners, and CVE databases surged, the promise of better security grew more distant. In its place, a new reality took hold—one defined by alert fatigue and overwhelmed teams. According to OX Security's 2025 Application Security Benchmark Report, a staggering 95–98% of AppSec alerts do not require action - and may, in fact, be harming organizations more than helping."
https://thehackernews.com/2025/05/new-research-reveals-95-of-appsec-fixes.html
https://www.ox.security/ox-2025-application-security-benchmark-report/
How Amazon Red-Teamed Alexa+ To Keep Your Kids From Ordering 50 Pizzas
"If Amazon's Alexa+ works as intended, it could show how an AI assistant helps with everyday tasks like making dinner reservations or arranging an oven repair. Or things could go terribly wrong: it might turn on the oven and turn dinner plans into a house fire. This is why the e-commerce giant brought in security engineers, including both red teams and penetration testers, to work alongside product developers from the beginning, according to Amazon CISO Amy Herzog. Their job was to anticipate what could go wrong and ensure safety and security guardrails were in place to prevent Alexa+ from jumping the track."
https://www.theregister.com/2025/05/01/amazon_red_teamed_alexaplus_interview/
Quantum Computer Threat Spurring Quiet Overhaul Of Internet Security
"Cryptography experts say the race to fend off future quantum-computer attacks has entered a decisive but measured phase, with companies quietly replacing the internet plumbing that the majority of the industry once considered unbreakable. Speaking at Cloudflare’s Trust Forward Summit on Wednesday, encryption leaders at IBM Research, Amazon Web Services and Cloudflare outlined how organizations are refitting cryptographic tools that safeguard online banking, medical data and government communications. The aim is to stay ahead of quantum machines that, once powerful enough, could decode the math protecting today’s digital traffic."
https://cyberscoop.com/cloudflare-ibm-quantum-security-cryptography-migration/

อ้างอิง
Electronic Transactions Development Agency(ETDA)