NCSA Webboard

    Cyber Threat Intelligence 08 May 2025

    Cyber Security News

    Posted by NCSA_THAICERT

      Industrial Sector

      • Unsophisticated Cyber Actor(s) Targeting Operational Technology
        "CISA is increasingly aware of unsophisticated cyber actor(s) targeting ICS/SCADA systems within U.S. critical Infrastructure sectors (Oil and Natural Gas), specifically in Energy and Transportation Systems. Although these activities often include basic and elementary intrusion techniques, the presence of poor cyber hygiene and exposed assets can escalate these threats, leading to significant consequences such as defacement, configuration changes, operational disruptions and, in severe cases, physical damage. CISA strongly urges Critical Infrastructure Asset Owners and Operators to review the following fact sheet for detailed guidance on reducing the risk of potential intrusions:"
        https://www.cisa.gov/news-events/alerts/2025/05/06/unsophisticated-cyber-actors-targeting-operational-technology
        https://www.cisa.gov/resources-tools/resources/primary-mitigations-reduce-cyber-threats-operational-technology
        https://www.bleepingcomputer.com/news/security/cisa-warns-of-hackers-targeting-critical-oil-infrastructure/
        https://therecord.media/oil-gas-industries-cisa-warning-unsophisticated-cyberthreats
        https://www.securityweek.com/us-warns-of-hackers-targeting-ics-scada-at-oil-and-gas-organizations/
        https://securityaffairs.com/177551/security/unsophisticated-cyber-actors-are-targeting-the-u-s-energy-sector.html

      Vulnerabilities

      • Recently Disclosed SureTriggers Critical Privilege Escalation Vulnerability Under Active Exploitation
        "On May 2nd, 2025 the Wordfence Threat Intelligence team added a new critical vulnerability to the Wordfence Intelligence vulnerability database in the OttoKit: All-in-One Automation Platform (Formerly SureTriggers) plugin publicly disclosed by a third-party CNA on April 30th, 2025. This vulnerability makes it possible for unauthenticated attackers to gain administrative level access to vulnerable sites, where the site has never used an application password nor connected to OttoKit/SureTriggers using an application password, or by authenticated attackers with a valid application password."
        https://www.wordfence.com/blog/2025/05/recently-disclosed-suretriggers-critical-privilege-escalation-vulnerability-under-active-exploitation/
        https://www.securityweek.com/second-ottokit-vulnerability-exploited-to-hack-wordpress-sites/
        https://www.bleepingcomputer.com/news/security/hackers-exploit-ottokit-wordpress-plugin-flaw-to-add-admin-accounts/
        https://thehackernews.com/2025/05/ottokit-wordpress-plugin-with-100k.html
      • CISA Adds One Known Exploited Vulnerability To Catalog
        "CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
        CVE-2025-27363 FreeType Out-of-Bounds Write Vulnerability"
        https://www.cisa.gov/news-events/alerts/2025/05/06/cisa-adds-one-known-exploited-vulnerability-catalog
        https://securityaffairs.com/177537/hacking/u-s-cisa-adds-freetype-flaw-to-its-known-exploited-vulnerabilities-catalog.html
      • CISA Adds Two Known Exploited Vulnerabilities To Catalog
        "CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
        CVE-2024-6047 GeoVision Devices OS Command Injection Vulnerability
        CVE-2024-11120 GeoVision Devices OS Command Injection Vulnerability"
        https://www.cisa.gov/news-events/alerts/2025/05/07/cisa-adds-two-known-exploited-vulnerabilities-catalog

      Malware

      • Malicious PyPI Package Targets Discord Developers With Remote Access Trojan
        "On March 21, 2022, a Python package ‘discordpydebug’ was uploaded to the Python Package Index (PyPI) under the name "Discord py error logger." At first glance, it appeared to be a simple utility aimed at developers working on Discord bots using the Discord.py library. However, the package concealed a fully functional remote access trojan (RAT). Over time, the package reached over 11,000 downloads, placing thousands of developer systems at risk. The package targeted developers who build or maintain Discord bots, typically indie developers, automation engineers, or small teams who might install such tools without extensive scrutiny. Since PyPI doesn’t enforce deep security audits of uploaded packages, attackers often take advantage of this by using misleading descriptions, legitimate-sounding names, or even copying code from popular projects to appear trustworthy. In this case, the goal was to lure unsuspecting developers into installing a backdoor disguised as a debugging aid."
        https://socket.dev/blog/malicious-pypi-package-targets-discord-developers-with-RAT
        https://thehackernews.com/2025/05/researchers-uncover-malware-in-fake.html
      • Agenda Ransomware Group Adds SmokeLoader And NETXLOADER To Their Arsenal
        "The Agenda ransomware group, known as Qilin, has been an active and evolving threat since its discovery in July 2022. The group has shown a remarkable ability to adapt and enhance its capabilities over time. The Agenda ransomware has transitioned from being developed in the Go programming language to Rust, incorporating advanced features such as remote execution, enhanced propagation within virtual environments, and sophisticated evasion techniques that bypass security measures."
        https://www.trendmicro.com/en_us/research/25/e/agenda-ransomware-group-adds-smokeloader-and-netxloader-to-their.html
      • Atomic Stealer Malware Disguised As Crack Program (macOS)
        "AhnLab SEcurity intelligence Center (ASEC) has discovered the Atomic Stealer malware being distributed disguised as the Evernote Crack program. Atomic Stealer is an information-stealing malware for macOS. It steals data such as browser information, system keychain, wallet, and system information. It is mainly distributed through installation files such as pkg and dmg."
        https://asec.ahnlab.com/en/87797/
      • Distribution Of IIS Malware Targeting Web Servers (Larva-25003)
        "In February 2025, AhnLab SEcurity intelligence Center (ASEC) identified a threat actor, believed to be Chinese-speaking, distributing a web server native module targeting a South Korean web server. The threat actor gained control over the web server by attempting initial access to poorly managed web servers and using a .NET loader malware (WebShell) and a backdoor to perform web shell functions. The threat actor then registered and executed a malicious IIS (Internet Information Service) native module that they had created on a Microsoft Windows IIS web server."
        https://asec.ahnlab.com/en/87804/
      • Ransomware Attackers Leveraged Privilege Escalation Zero-Day
        "Attackers linked to the Play ransomware operation deployed a zero-day privilege escalation exploit during an attempted attack against an organization in the U.S. The attack occurred prior to the disclosure and patching of a Windows elevation of privilege zero-day vulnerability (CVE-2025-29824) in the Common Log File System Driver (clfs.sys) on April 8, 2025. Although no ransomware payload was deployed in the intrusion, the attackers deployed the Grixba infostealer, which is a custom tool associated with Balloonfly, the attackers behind the Play ransomware operation."
        https://www.security.com/threat-intelligence/play-ransomware-zero-day
        https://thehackernews.com/2025/05/play-ransomware-exploited-windows-cve.html
        https://www.bleepingcomputer.com/news/security/play-ransomware-exploited-windows-logging-flaw-in-zero-day-attacks/
        https://www.darkreading.com/cyberattacks-data-breaches/play-ransomware-group-windows-zero-day
        https://www.securityweek.com/second-ransomware-group-caught-exploiting-windows-flaw-as-zero-day/
        https://securityaffairs.com/177573/cyber-crime/play-ransomware-affiliate-leveraged-zero-day-to-deploy-malware.html
      • Using Blob URLs To Bypass SEGs And Evade Analysis
        "Starting in mid-2022, Cofense Intelligence detected a new technique for successfully delivering a credential phishing page to a user’s inbox: blob URIs (Uniform Resource Identifier). Blob URIs are generated by a browser to display and work with temporary data that only that browser can access. No other browser can access a blob URI except the one that generated it. For example, YouTube uses blob URIs to temporarily store videos for a user’s browser."
        https://cofense.com/blog/using-blob-urls-to-bypass-segs-and-evade-analysis
      • SysOwned, Your Friendly Support Ticket - SysAid On-Premise Pre-Auth RCE Chain (CVE-2025-2775 And Friends)
        "It’s… another week, and another vendor who is apparently experienced with ransomware gangs but yet struggles with email. In what we've seen others term "the watchTowr treatment", we are once again (surprise, surprise) disclosing vulnerability research that allowed us to gain pre-authenticated Remote Command Execution against yet another enterprise-targeting product - specifically, SysAid On-Premise (version 23.3.40), hereon referred to as “SysAid”."
        https://labs.watchtowr.com/sysowned-your-friendly-rce-support-ticket/
        https://thehackernews.com/2025/05/sysaid-patches-4-critical-flaws.html
        https://www.helpnetsecurity.com/2025/05/07/poc-exploit-for-sysaid-pre-auth-rce-released-upgrade-quickly/
      • Iranian Cyber Actors Impersonate Model Agency In Suspected Espionage Operation
        "Unit 42 recently identified suspected covert Iranian infrastructure impersonating a German model agency. This infrastructure hosted a fraudulent website designed to mimic the authentic agency’s branding and content."
        https://unit42.paloaltonetworks.com/iranian-attackers-impersonate-model-agency/
      • Inferno Drainer Reloaded: Deep Dive Into The Return Of The Most Sophisticated Crypto Drainer
        "In recent years, cryptocurrency scams have evolved into a highly organized business model known as “Drainer-as-a-Service.” Within this model, developers create a specialized set of malicious scripts, smart contracts, and infrastructure enabling other cyber criminals to efficiently steal cryptocurrency from users’ wallets. Attackers simply need to set up a phishing website and embed the drainer script. One of the most notorious examples of this approach is Inferno Drainer, known for the scale and sophistication of its attacks. In November 2023, the creators of Inferno Drainer officially announced the service’s shutdown. However, it soon became clear that this was only a diversionary tactic. Evidence of continued operation emerged as early as the beginning of 2024. In addition, blockchain analysis indicates that critical smart contracts deployed on September 9, 2023, essential for the operation of the scheme, are still in use today."
        https://research.checkpoint.com/2025/inferno-drainer-reloaded-deep-dive-into-the-return-of-the-most-sophisticated-crypto-drainer/
        https://www.infosecurity-magazine.com/news/inferno-drainer-returns-stealing/
      • Cyber Criminal Services Target End-Of-Life Routers To Launch Attacks And Hide Their Activities
        "The Federal Bureau of Investigation (FBI) is releasing this FLASH to disseminate indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) associated with 5Socks and Anyproxy cyber criminal services' targeting malware that affects end-of-life (EOL) routers. Threat actors exploit known vulnerabilities to compromise EOL routers, install malware, and use the routers in a botnet they control to launch coordinated attacks or sell access to the devices as proxy services. The FBI recommends users replace compromised devices with newer models or prevent infection by disabling remote administration and rebooting the router."
        https://www.ic3.gov/CSA/2025/250507.pdf

      Breaches/Hacks/Leaks

      • LockBit Ransomware Gang Hacked, Victim Negotiations Exposed
        "The LockBit ransomware gang has suffered a data breach after its dark web affiliate panels were defaced and replaced with a message linking to a MySQL database dump. All of the ransomware gang's admin panels now state, "Don't do crime CRIME IS BAD xoxo from Prague," with a link to download a "paneldb_dump.zip.""
        https://www.bleepingcomputer.com/news/security/lockbit-ransomware-gang-hacked-victim-negotiations-exposed/
      • PowerSchool Hacker Now Extorting Individual School Districts
        "PowerSchool is warning that the hacker behind its December cyberattack is now individually extorting schools, threatening to release the previously stolen student and teacher data if a ransom is not paid. "PowerSchool is aware that a threat actor has reached out to multiple school district customers in an attempt to extort them using data from the previously reported December 2024 incident," PowerSchool shared in a statement to BleepingComputer."
        https://www.bleepingcomputer.com/news/security/powerschool-hacker-now-extorting-individual-school-districts/
        https://databreaches.net/2025/05/07/powerschool-paid-a-hackers-extortion-demand-but-now-school-district-clients-are-being-extorted-anyway/
        https://therecord.media/despite-ransom-payment-powerschool-extorting
        https://cyberscoop.com/powerschool-customers-hit-by-downstream-extortion-threats/
        https://www.theregister.com/2025/05/08/powerschool_data_extortionist/
      • Medical Device Maker Masimo Warns Of Cyberattack, Manufacturing Delays
        "Medical device company Masimo Corporation warns that a cyberattack is impacting production operations and causing delays in fulfilling customers' orders. Masimo Corporation is a California-based medical technology and consumer electronics maker. It's best known for its noninvasive patient monitoring products like pulse oximeters, brain function monitors, hemodynamic monitoring systems, capnography and gas monitoring solutions, and remote patient monitoring platforms."
        https://www.bleepingcomputer.com/news/security/medical-device-maker-masimo-warns-of-cyberattack-manufacturing-delays/
        https://therecord.media/masimo-medical-device-company-cyberattack
        https://www.bankinfosecurity.com/patient-monitor-manufacturer-still-recovering-from-attack-a-28346
      • ClickFunnels Investigates Breach After Hackers Leak Business Data
        "ClickFunnels is investigating a data breach after hackers leaked detailed business data, including emails, phone numbers, and company profiles. A hacking group calling itself “Satanic” claims to have breached ClickFunnels, a popular US-based software platform used by marketers and entrepreneurs to build sales funnels. The group is known for using BreachForums to announce its breaches, but since the forum is down, it made the announcement via Telegram, claiming that data from the company was stolen on April 29, 2025."
        https://hackread.com/clickfunnels-investigate-breach-hackers-leak-business-data/
      • South African Airways Says Cyberattack Disrupted Operational Systems
        "South Africa’s state-owned airline said a cyberattack on Saturday temporarily disrupted its website and several internal operational systems. South African Airways (SAA) said the attack also affected its mobile application but noted the IT team was able to contain the incident and “minimize disruption to core flight operations.” “They also ensured the continued functionality of essential customer service channels, such as the airline's contact centers and sales offices,” the airline said in a statement published on Tuesday. “Normal system functionality across all affected platforms was restored later the same day.”"
        https://therecord.media/south-african-airways-cyberattack-disrupted

      General News

      • Rethinking AppSec: How DevOps, Containers, And Serverless Are Changing The Rules
        "Application security is changing fast. In this Help Net Security interview, Loris Gutic, Global CISO at Bright, talks about what it takes to keep up. Gutic explains how DevOps, containers, and serverless tools are shaping security, and shares views on the biggest risks, important controls, and why AI must be used carefully."
        https://www.helpnetsecurity.com/2025/05/07/loris-gutic-bright-rethinking-appsec/
      • 1 In 3 Workers Keep AI Use a Secret
        "Employees are feeling heightened concerns around the use of technology to enhance productivity, as well as job dissatisfaction and a lack of motivation at work. In fact, 30% of employees who use GenAI tools at work worry their job may be cut and 27% experience AI-fueled imposter syndrome, saying they don’t want people to question their ability, according to Ivanti."
        https://www.helpnetsecurity.com/2025/05/07/secret-ai-use/
      • Personal Data Of Top Executives Easily Found Online
        "The personal information of 75% of corporate directors can be found on people search sites, according to Incogni. People search sites claim to reveal a variety of personal details, including public records, phone numbers, and even property values. Home addresses and relatives are the two types of information potentially exposed across all the people search sites investigated."
        https://www.helpnetsecurity.com/2025/05/07/corporate-directors-personal-information-online/
      • 41 Countries Taking Part In NATO’s Locked Shields 2025 Cyber Defense Exercise
        "The NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) in Tallinn, Estonia, is hosting this week the Locked Shields 2025 cyber defense exercise. Described as one of the world’s most complex cybersecurity exercises, Locked Shields 2025 has gathered nearly 4,000 experts representing 41 NATO ally and partner nations. The number of participants is roughly the same as in the previous year. The goal of Locked Shields is to test and improve the preparedness of national cybersecurity teams in defending national systems and critical infrastructure, including telecommunications networks and military infrastructure, through a realistic simulation."
        https://www.securityweek.com/41-countries-taking-part-in-natos-locked-shields-2025-cyber-defense-exercise/
      • Digital Welfare Fraud: ALTSRUS Syndicate Exploits The Financially Vulnerable
        "A new report from bot defense firm Kasada has exposed the growing threat of ALTSRUS, a fraud syndicate targeting some of the most vulnerable corners of the digital economy. Researchers revealed how the group has scaled its operations to steal and resell accounts tied to Electronic Benefit Transfer (EBT), pharmacy prescriptions, and consumer rewards programs."
        https://www.helpnetsecurity.com/2025/05/07/altsrus-digital-welfare-fraud/
        https://www.kasada.io/wp-content/uploads/2025/05/Kasada-Quarterly-Threat-Report-2025-Q1.pdf
      • DDoS-For-Hire Empire Brought Down: Poland Arrests 4 Administrators, US Seizes 9 Domains
        "In the latest blow to the criminal market for distributed denial of service (DDoS)-for-hire services, Polish authorities have arrested four individuals who allegedly ran a network of platforms used to launch thousands of cyberattacks worldwide. The suspects are believed to be behind six separate stresser/booter services that enabled paying customers to flood websites and servers with malicious traffic — knocking them offline for as little as EUR 10."
        https://www.europol.europa.eu/media-press/newsroom/news/ddos-for-hire-empire-brought-down-poland-arrests-4-administrators-us-seizes-9-domains
        https://www.bleepingcomputer.com/news/security/police-takes-down-six-ddos-for-hire-services-arrests-admins/
        https://thehackernews.com/2025/05/europol-shuts-down-six-ddos-for-hire.html
        https://therecord.media/poland-arrests-four-ddos-hire
        https://www.bankinfosecurity.com/poland-busts-4-as-part-stresserbooter-service-crackdown-a-28325
        https://www.infosecurity-magazine.com/news/ddos-hire-network-dismantled/
        https://cyberscoop.com/poland-ddos-arrests-europol-operation-poweroff/
        https://hackread.com/europol-poland-bust-ddos-for-hire-operation-arrest-4/
        https://flashpoint.io/blog/operation-poweroff-law-enforcement-seizes-ddos-webpages/
      • Agentic AI: The Start Of a New Cybersecurity Career Path
        "Last week at RSAC Conference 2025, the message came through loud and clear: Agentic AI is no longer just a concept. It's being deployed today. AI-powered agents are streamlining workflows, helping with compliance and aiding in threat detection at scale. While much of the RSAC buzz focused on the potential performance gains and trust concerns related to AI agents, another story emerged - one that speaks directly to cybersecurity professionals and those entering the field: Agentic AI isn't here to take your job, but if you work in cybersecurity, you will be relying on AI agents to do a large part of your job."
        https://www.bankinfosecurity.com/blogs/agentic-ai-start-new-cybersecurity-career-path-p-3868
      • Outsmarting AI Guardrails With Invisible Characters And Adversarial Prompts
        "This blog summarizes the key findings from our research paper, Bypassing Prompt Injection and Jailbreak Detection in LLM Guardrails (2025). For the first time, we present an empirical analysis of character injection and adversarial machine learning (AML) evasion attacks across multiple commercial and open-source guardrails."
        https://mindgard.ai/blog/outsmarting-ai-guardrails-with-invisible-characters-and-adversarial-prompts
        https://www.bankinfosecurity.com/jailbreakers-use-invisible-characters-to-beat-ai-guardrails-a-28338
      • SpyCloud Analysis Reveals 94% Of Fortune 50 Companies Have Employee Data Exposed In Phishing Attacks
        "SpyCloud, the leading identity threat protection company, today released an analysis of nearly 6 million phished data records recaptured from the criminal underground over the last six months. Phishing attacks have been growing in scale and sophistication, and SpyCloud’s research reveals that cybercriminals are increasingly targeting high-value identity data that can be used for follow-on attacks like ransomware, account takeover, and fraud."
        https://hackread.com/spycloud-analysis-reveals-94-of-fortune-50-companies-have-employee-data-exposed-in-phishing-attacks/
      • UK Cyber Insurance Claims Second Highest On Record
        "UK companies filed more cyber insurance claims last year than any other bar 2023, with ransomware breaches largely to blame, according to Marsh. The global insurance broker’s 2024 UK cyber insurance claims trends report is based on an analysis of claims submitted by Marsh UK clients. It found that claims last year decreased 20% compared to 2023, but were still around one-third higher than in 2020, 2021 and 2022."
        https://www.infosecurity-magazine.com/news/uk-cyberinsurance-claims-second/
      • State Of Ransomware In 2025
        "With the International Anti-Ransomware Day just around the corner on May 12, Kaspersky explores the ever-changing ransomware threat landscape and its implications for cybersecurity. According to Kaspersky Security Network data, the number of ransomware detections decreased by 18% from 2023 to 2024 – from 5,715,892 to 4,668,229. At the same time, the share of users affected by ransomware attacks increased by 0.02 p.p. to 0.44%. This smaller percentage compared to other cyberthreats is explained by the fact that attackers often don’t distribute this type of malware on a mass scale, but prioritize high-value targets, which reduces the overall number of incidents."
        https://securelist.com/state-of-ransomware-in-2025/116475/
      • Britain Warns That China Is Becoming a ‘Cyber Superpower’
        "China is “well on its way to becoming a cyber superpower” a senior British government minister warned on Wednesday, adding that it now simply wasn’t feasible to decouple from Beijing given the country’s role in global supply chains. Pat McFadden, the most senior minister in Britain’s Cabinet Office, told the CYBERUK conference that Beijing had “the sophistication, the scale and the seriousness” to pose an exceptional national security challenge. His comments were echoed by the head of the National Cyber Security Centre, Richard Horne, who said during the event that “the continued activity that we’re seeing from the Chinese system remains a cause for profound and profuse concern.”"
        https://therecord.media/britain-warns-china-is-becomming-a-cyber-superpower
        https://www.infosecurity-magazine.com/news/uk-retail-attacks-wakeup-call/
      • Poland Accuses Russia Of ‘Unprecedented’ Interference Ahead Of Presidential Election
        "Poland’s top cyber official warned this week that Russia is waging an “unprecedented” effort to disrupt the country’s upcoming presidential election through disinformation and hybrid cyberattacks. Speaking at a defense conference, digital affairs minister Krzysztof Gawkowski said Russian-linked actors are targeting Poland's critical infrastructure — including water and sewage systems, heat and power plants and government agencies — to destabilize the country."
        Priority: 3 - Important
        Relevance: General
        https://therecord.media/poland-elections-russia-hybrid-threats-disinformation

      Reference
      Electronic Transactions Development Agency (ETDA)
