Cyber Threat Intelligence 15 May 2025

NCSA_THAICERT

Energy Sector

Insight: Rogue Communication Devices Found In Chinese Solar Power Inverters
"U.S. energy officials are reassessing the risk posed by Chinese-made devices that play a critical role in renewable energy infrastructure after unexplained communication equipment was found inside some of them, two people familiar with the matter said. Power inverters, which are predominantly produced in China, are used throughout the world to connect solar panels and wind turbines to electricity grids. They are also found in batteries, heat pumps and electric vehicle chargers."
https://www.reuters.com/sustainability/climate-energy/ghost-machine-rogue-communication-devices-found-chinese-inverters-2025-05-14/
https://www.bangkokpost.com/world/3025432/ghost-in-the-machine-rogue-communication-devices-found-in-chinese-inverters

Industrial Sector

ICS Patch Tuesday: Vulnerabilities Addressed By Siemens, Schneider, Phoenix Contact
"Industrial giants Siemens, Schneider Electric and Phoenix Contact have released ICS security advisories on the May 2025 Patch Tuesday. The cybersecurity agencies CISA and CERT@VDE have also published advisories. While most of the vulnerabilities described in the advisories have been patched, only mitigations and workarounds are currently available for some of the flaws. Siemens has published 18 new advisories, including four that cover critical-severity vulnerabilities. One of them describes an authentication bypass issue in the Redfish interface of the BMC controller used by Simatic industrial PCs. The flaw was disclosed by firmware security company Eclypsium in March."
https://www.securityweek.com/ics-patch-tuesday-vulnerabilities-addressed-by-siemens-schneider-phoenix-contact/

New Tooling

Cerbos: Open-Source, Scalable Authorization Solution
"Cerbos is an open-source solution designed to simplify and modernize access control for cloud-native, microservice-based applications. Instead of hardcoding authorization logic into your application, Cerbos lets you write flexible, context-aware access policies using a YAML syntax. These policies are managed separately from your app and evaluated via simple API requests to Cerbos’ Policy Decision Point (PDP)."
https://www.helpnetsecurity.com/2025/05/14/cerbos-open-source-scalable-authorization-solution/
https://github.com/cerbos/cerbos

Vulnerabilities

Samsung Patches CVE-2025-4632 Used To Deploy Mirai Botnet Via MagicINFO 9 Exploit
"Samsung has released software updates to address a critical security flaw in MagicINFO 9 Server that has been actively exploited in the wild. The vulnerability, tracked as CVE-2025-4632 (CVSS score: 9.8), has been described as a path traversal flaw. "Improper limitation of a pathname to a restricted directory vulnerability in Samsung MagicINFO 9 Server version before 21.1052 allows attackers to write arbitrary files as system authority," according to an advisory for the flaw."
https://thehackernews.com/2025/05/samsung-patches-cve-2025-4632-used-to.html
https://www.cve.org/CVERecord?id=CVE-2025-4632
https://www.huntress.com/blog/post-exploitation-activities-observed-from-samsung-magicinfo-9-server-flaw
Vulnerabilities Patched By Juniper, VMware And Zoom
"Juniper Networks, VMware, and Zoom have published a total of ten security advisories describing dozens of vulnerabilities patched across their product portfolios. Juniper on Tuesday announced fixes for nearly 90 bugs in third-party dependencies in Secure Analytics, the virtual appliance that collects security events from network devices, endpoints, and applications. Patches for these issues, most of which were disclosed last year, were included in Secure Analytics version 7.5.0 UP11 IF03. Some of the flaws are dated 2016, 2019, and 2020, and three of them are rated ‘critical severity’."
https://www.securityweek.com/vulnerabilities-patched-by-juniper-vmware-and-zoom/
CISA Adds One Known Exploited Vulnerability To Catalog
"CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
CVE-2025-32756 Fortinet Multiple Products Stack-Based Buffer Overflow Vulnerability"
https://www.cisa.gov/news-events/alerts/2025/05/14/cisa-adds-one-known-exploited-vulnerability-catalog
Chipmaker Patch Tuesday: Intel, AMD, Arm Respond To New CPU Attacks
"Chip giants Intel, AMD and Arm each published Patch Tuesday security advisories to inform customers about vulnerabilities found recently in their products, including ones related to newly disclosed CPU attacks. One of the CPU attacks was disclosed this week by researchers at Swiss university ETH Zurich. The researchers discovered a branch privilege injection issue, tracked as CVE-2024-45332, that they claim “brings back the full might of branch target injection attacks (Spectre-BTI) on Intel”. The researchers claim that while Intel’s Spectre-BTI (aka Spectre v2) mitigations have worked for nearly six years, they have now found a way to break them due to a race condition impacting Intel CPUs."
https://www.securityweek.com/chipmaker-patch-tuesday-intel-amd-arm-respond-to-new-cpu-attacks/

Malware

Hackers Behind UK Retail Attacks Now Targeting US Companies
"Google warned today that hackers using Scattered Spider tactics against retail chains in the United Kingdom have also started targeting retailers in the United States. "The US retail sector is currently being targeted in ransomware and extortion operations that we suspect are linked to UNC3944, also known as Scattered Spider," John Hultquist, Chief Analyst at Google Threat Intelligence Group, told BleepingComputer. "The actor, which has reportedly targeted retail in the UK following a long hiatus, has a history of focusing their efforts on a single sector at a time, and we anticipate they will continue to target the sector in the near term. US retailers should take note.""
https://www.bleepingcomputer.com/news/security/google-scattered-spider-switches-targets-to-us-retail-chains/
**https://therecord.media/scattered-spider-suspected-retail-hackers-google-alert
Ransomware Gangs Join Ongoing SAP NetWeaver Attacks**
"Ransomware gangs have joined ongoing SAP NetWeaver attacks, exploiting a maximum-severity vulnerability that allows threat actors to gain remote code execution on vulnerable servers. SAP released emergency patches on April 24 to address this NetWeaver Visual Composer unauthenticated file upload security flaw (CVE-2025-31324), days after it was first tagged by cybersecurity company ReliaQuest as targeted in the wild. Successful exploitation lets threat actors upload malicious files without requiring login credentials, potentially leading to complete system compromise."
https://www.bleepingcomputer.com/news/security/ransomware-gangs-join-ongoing-sap-netweaver-attacks/
https://thehackernews.com/2025/05/bianlian-and-ransomexx-exploit-sap.html
North Korea’s Hidden IT Workforce Exposed In New Report
"A cybersecurity firm is shedding light on how North Korea built an international cybercrime scheme involving fake information technology workers hired by major global businesses that siphon money to the Hermit kingdom and help fund its military ambitions. A report from DTEX shows that North Korean operatives, driven by survival rather than ideology, are trained from childhood to become military cyber agents or covert IT contractors. Researchers identified two operatives living in Russia using the falsified identities "Naoki Murano" and "Jenson Collins," each suspected of infiltrating Western firms and linked to a $6 million cryptocurrency heist."
https://www.bankinfosecurity.com/north-koreas-hidden-workforce-exposed-in-new-report-a-28401
https://dd80b675424c132b90b3-e48385e382d2e5d17821a5e1d8e4c86b.ssl.cf1.rackcdn.com/external/dtex-exposingdprkcybersyndicateandhiddenitworkforce.pdf
Excel(ent) Obfuscation: Regex Gone Rogue
"Microsoft Office-based attacks have long been a favored tactic amongst cybercriminals— and for good reason. Attackers frequently use Office documents in cyberattacks because they are widely trusted. These files, such as Word or Excel docs, are commonly exchanged in business and personal settings. They are also capable of carrying hidden malicious code, embedded macros, and external links that execute code when opened, especially if users are tricked into enabling features like macros. Moreover, Office documents support advanced techniques like remote template injection, obfuscated macros, and legacy features like Excel 4.0 macros. These allow attackers to bypass antivirus detection and trigger multi-stage payloads such as ransomware or information-stealing malware."
https://www.deepinstinct.com/blog/excellent-obfuscation-regex-gone-rogue
Diving Into The Talent Pool – Threat Actors Target Job Seekers With Complex Recruitment Scams
"Are you in the market for a new job? Talent scouts aren’t the only ones aggressively recruiting. Netcraft has observed a recent spike in recruitment scams, uncovering significant impact from three unique adversaries, each leveraging different tactics to target job seekers:"
https://www.netcraft.com/blog/diving-into-the-talent-pool-threat-actors-target-job-seekers-with-complex-recruitment-scams/
https://hackread.com/job-seekers-targeted-scammers-government-whatsapp/
Sit, Fetch, Steal - Chihuahua Stealer: A New Breed Of Infostealer
"Chihuahua Stealer is a newly discovered .NET-based infostealer that blends common malware techniques with unusually advanced features. It first came to our attention through a Reddit post made on April 9, where a user shared an obfuscated PowerShell script, they were tricked into executing via a Google Drive document. If this sounds vaguely familiar: You are not wrong - we have seen similar things in a fake recruiting campaign, and we also wrote about this. The script uses multi-stage payloads, achieving persistence through scheduled tasks and leading to the execution of the main stealer payload. This blog article breaks down each stage of the attack chain, beginning with the initial delivery method and ending in encrypted data exfiltration."
https://www.gdatasoftware.com/blog/2025/05/38199-chihuahua-infostealer
https://www.infosecurity-magazine.com/news/chihuahua-stealer-browser-crypto/
Technical Analysis Of TransferLoader
"Zscaler ThreatLabz has identified a new malware loader that we have named TransferLoader, which has been active since at least February 2025. ThreatLabz has identified three different components (a downloader, a backdoor, and a specialized loader for the backdoor) embedded in TransferLoader binaries. In addition, ThreatLabz has observed TransferLoader being used to deliver Morpheus ransomware. All components of TransferLoader share similarities including various anti-analysis techniques and code obfuscation."
https://www.zscaler.com/blogs/security-research/technical-analysis-transferloader
The SOC Case Files: Python-Armed Ransomware Gang Reemerges To Face a Wall Of XDR Defenses
"Barracuda’s Managed XDR team recently contained a suspected ransomware attack where the attackers had gained access to a company’s network before it installed XDR, compromising several Windows machines and an administrator account. By the time the attackers returned to complete the attack, a suite of Barracuda Managed XDR solutions was in place — able to track, contain and neutralize the attack."
https://blog.barracuda.com/2025/05/14/soc-case-files-python-armed-ransomware-gang-reemerges
Xinbi: The $8 Billion Colorado-Incorporated Marketplace For Pig-Butchering Scammers And North Korean Hackers
"Some of the earliest large-scale adopters of cryptocurrency were illicit online marketplaces such as the Silk Road and Alphabay. These darknet markets were accessed through Tor, the anonymous web browser. More recently, illicit marketplaces have transitioned to operating through the instant messaging app Telegram, which provides access to over a billion potential customers. In July 2024 Elliptic exposed one such Telegram-based market, known as Huione Guarantee, which sells goods and services to fraudsters in South East Asia, including those responsible for so-called “pig butchering” scams. Merchants on Huione Guarantee sell the key tools needed to perpetrate online fraud, including technology, personal data and money laundering services. With transactions totaling at least $27 billion (all in Tether’s USDT stablecoin), it is the largest illicit online marketplace to have ever operated."
https://www.elliptic.co/blog/xinbi-guarantee
https://thehackernews.com/2025/05/xinbi-telegram-market-tied-to-84b-in.html
Meta Mirage
"Meta Mirage is a global phishing campaign targeting Meta Business Suite users with the intent to compromise high-value assets like verified brand pages, ad accounts, and administrator access. Unlike generic scams, this operation simulates Meta’s interface using over 14,000 phishing URLs and 24+ custom templates. Many of these phishing URLs are hosted on trusted cloud platforms such as GitHub Pages and Vercel, adding a layer of false legitimacy to the attacks. By combining fake policy violation alerts, session hijacking techniques, and third-party exfiltration services, Meta Mirage reflects a sophisticated abuse of trust at scale. This makes the campaign a serious threat to digital brand owners and businesses, as it manipulates victims into revealing critical credentials and session data."
https://www.ctm360.com/reports/meta-mirage-report
https://thehackernews.com/2025/05/ctm360-identifies-surge-in-phishing.html
DarkCloud Stealer: Comprehensive Analysis Of a New Attack Chain That Employs AutoIt
"In January 2025, Unit 42 researchers identified a series of attacks distributing DarkCloud Stealer. The latest attack chain incorporated AutoIt to evade detection and used a file-sharing server to host the malware. This article explores the chain of events from these recent campaigns and analyzes the characteristics of these attacks. DarkCloud employs multi-stage payloads and obfuscated AutoIt scripting, making its detection challenging with traditional signature-based methods. Its ability to extract sensitive data and establish command and control (C2) communications highlights the importance of thorough detection and assessment."
https://unit42.paloaltonetworks.com/darkcloud-stealer-and-obfuscated-autoit-scripting/
Unveiling Swan Vector APT Targeting Taiwan And Japan With Varied DLL Implants
"Seqrite Labs APT-Team has recently uncovered a campaign which we have termed as Swan Vector, that has been targeting the nations across the East China sea such as Taiwan and Japan. The campaign is aimed at educational institutes and mechanical engineering industry with lures aiming to deliver fake resume of candidates which acts as a decoy. The entire malware ecosystem involved in this campaign comprises a total of four stages, the first being one being a malicious LNK, the second stage involves the shortcut file executing DLL implant Pterois via a very well-known LOLBin. It uses stealthy methods to execute and download the third stage containing multiple files including legitimate Windows executable that is further used to execute another implant Isurus via DLL-Sideloading. This further executes the fourth stage that is the malicious Cobalt Strike shellcode downloaded by Pterois."
https://www.seqrite.com/blog/swan-vector-apt-targeting-taiwan-japan-dll-implants/
Breaches/Hacks/Leaks
Australian Human Rights Commission Leaks Docs To Search Engines
"The Australian Human Rights Commission (AHRC) disclosed a data breach incident where private documents leaked online and were indexed by major search engines. Many of the hundreds of documents exposed online contained private, sensitive information, like names, contact information, health details, schooling, religion, employment info, and photographs. AHRC is an independent statutory body established by the Australian Government, with the primary role of promoting and protecting human rights in the country."
https://www.bleepingcomputer.com/news/security/australian-human-rights-commission-leaks-docs-to-search-engines/
Steel Giant Nucor Corporation Facing Disruptions After Cyberattack
"A cybersecurity incident on Nucor Corporation's systems, the largest steel producer in the U.S., forced the company to take offline parts of its networks and implement containment measures. The incident caused the company to temporarily suspend production at multiple locations, although the full impact on Nucor’s business remains unclear. Nucor is a major steel producer in the U.S. and scrap recycler in the North America. It is a primary supplier of reinforcing bar that is used extensively in the country’s buildings, bridges, roads, and infrastructure."
https://www.bleepingcomputer.com/news/security/steel-giant-nucor-corporation-facing-disruptions-after-cyberattack/
https://therecord.media/cyber-incident-forces-nucor-steel-to-take-systems-offline
https://www.theregister.com/2025/05/14/nucor_steel_attack/
Fashion Giant Dior Discloses Cyberattack, Warns Of Data Breach
"House of Dior, the French luxury fashion brand commonly referred to as Dior, has disclosed a cybersecurity incident that has exposed customer information. A spokesperson for the firm told BleepingComputer that the incident impacts Dior Fashion and Accessories customers. Currently, cybersecurity experts are investigating the incident to determine its scope. “The House of Dior recently discovered that an unauthorized external party accessed some of the data we hold for our Dior Fashion and Accessories customers,” stated the spokesperson."
https://www.bleepingcomputer.com/news/security/fashion-giant-dior-discloses-cyberattack-warns-of-data-breach/
Nova Scotia Power Says Customer Banking Details May Have Been Stolen By Hackers
"Nova Scotia’s largest electric utility said Wednesday that hackers stole sensitive information from customers in a recent cyberattack. Nova Scotia Power and its Halifax-based parent company Emera discovered on April 25 that an intruder had gained access to parts of its network, prompting the companies to isolate the affected servers. In an update on Wednesday, Nova Scotia Power said it is still investigating the incident and working to rebuild “impacted systems.” It determined that on March 19, more than a month before discovering the intrusion, customer information was accessed and stolen."
https://therecord.media/nova-scotia-power-data-breach-notice
Alabama State Government Says Cyber Incident’s Effects Are Limited, But Response Continues
"Alabama’s technology office says a “cybersecurity event” first discovered May 9 has not caused major disruptions to state services, but incident responders are still working around the clock to contain its effects. In an update posted Tuesday, the Office of Information Technology (OIT) said it has called in two incident response teams from third-party firms, “maintaining 24 hours-a-day, 7 days-a-week mitigation activities as technical specialists work extended shifts to ensure a continuous, uninterrupted response to this event.”"
https://therecord.media/alabama-state-government-cyber-incident

General News

Insider Risk Management Needs a Human Strategy
"Insider risk is not just about bad actors. Most of the time, it’s about mistakes. Someone sends a sensitive file to the wrong address, or uploads a document to their personal cloud to work from home. In many cases, there is no ill intent, since many insider incidents are caused by negligence, not malice. Still, malicious insiders can be devastating. Some steal intellectual property, others are bribed or pressured by outside groups to plant ransomware, exfiltrate trade secrets, or shut down operations. The impact of insider risk is being felt across an organization and is no longer limited to the cybersecurity team. 86% say an insider event would impact company culture, according to Code42."
https://www.helpnetsecurity.com/2025/05/14/insider-risk-management-human-strategy/
Ransomware Spreads Faster, Not Smarter
"The fall of two of the most dominant ransomware syndicates, LockBit and AlphV, triggered a power vacuum across the cybercriminal landscape, acccording to a Black Kite survey. In their place, dozens of new actors emerged, many of them lacking the infrastructure, discipline, or credibility of their predecessors. The result was a surge in attack volume, a decline in coordination, and growing unpredictability in how, where, and why attacks occur."
https://www.helpnetsecurity.com/2025/05/14/ransomware-landscape-shift-2025/
April 2025 Threat Trend Report On Ransomware
"This report provides statistics on the number of new ransomware samples collected, the number of affected systems, and affected companies in April 2025, as well as key ransomware issues in and out of Korea. Below is a summary of the report. Disclaimer: The number of ransomware samples and damaged systems is based on the detection names assigned by AhnLab, and statistics on targeted companies are based on the information published on the dedicated leak sites (DLS) of the ransomware group, also referred to as ransomware PR sites or PR pages, collected by the ATIP infrastructure over time."
https://asec.ahnlab.com/en/87946/
April 2025 Threat Trend Report On APT Attacks (South Korea)
"AhnLab is monitoring Advanced Persistent Threat (APT) attacks in South Korea using its own infrastructure. This report covers the classification, statistics, and functions of APT attacks detected in South Korea over the course of one month in April 2025."
https://asec.ahnlab.com/en/87945/
Southwest Airlines CISO On Tackling Cyber Risks In The Aviation Industry
"In this Help Net Security interview, Carrie Mills, VP and CISO, Southwest Airlines talks about the cybersecurity challenges facing the aviation industry. She explains how being part of critical infrastructure, a major consumer brand, and an airline each brings its own set of security issues."
https://www.helpnetsecurity.com/2025/05/14/carrie-mills-southwest-airlines-aviation-industry-cybersecurity-challenges/
Ransomware Scum Have Put a Target On The No Man's Land Between IT And Operations
"Criminals who attempt to damage critical infrastructure are increasingly targeting the systems that sit between IT and operational tech. These in-between systems are no man's land, according to Tim Conway, the technical director of SANS Institute industrial control systems (ICS) programs. They're not classic IT systems that run core business applications, or operational tech (OT) that drives heavy industrial infrastructure. In the case of a petroleum pipeline, middle systems live in the facilities that store and distribute fuel, and separate home heating oil from gasoline, diesel, and jet fuel."
https://www.theregister.com/2025/05/14/ransomware_targets_middle_systems_sans/
Kosovo Extradites BlackDB Admin To Face US Cybercrime Charges
"A Kosovo national has been extradited to the United States to face charges of running an online cybercrime marketplace active since 2018. Kosovar authorities arrested the 33-year-old Liridon Masurica (also known as @blackdb) on December 14th, 2024, and he was extradited to the United States earlier this month, on May 9th. Masurica was detained following his court appearance in Tampa on May 12th, where he was brought before United States Magistrate Judge Lindsay Saxe Griffin."
https://www.bleepingcomputer.com/news/security/kosovo-extradites-blackdb-admin-to-face-us-cybercrime-charges/
https://www.securityweek.com/kosovar-administrator-of-cybercrime-marketplace-extradited-to-us/
The Forgotten Threat: How Supply Chain Attacks Are Targeting Small Businesses
"When people hear "supply chain attack," their minds often go to headline-grabbing breaches. But while analysts, CISOs, and journalists dissect those incidents, a more tactical and persistent wave of attacks has been unfolding in parallel; one that's laser-focused on small businesses as the point of entry. This isn't collateral damage. It's by design. Cybercriminals aren't always trying to figuratively kick down the front doors of well-defended enterprises. Instead, they're probing the digital perimeter for softer targets: under-resourced MSPs, niche SaaS providers, regional consultants, and third-party vendors."
https://www.tripwire.com/state-of-security/forgotten-threat-how-supply-chain-attacks-are-targeting-small-businesses
CVE Foundation Eyes Year-End Launch Following 11th-Hour Rescue Of MITRE Program
"In late March, the nonprofit research organization MITRE celebrated the 25th anniversary of the Common Vulnerability and Exposures (CVE) program, a widely hailed scientific achievement funded by the U.S. government and administered by MITRE. The CVE program is the global bedrock of contemporary vulnerability management, cataloging and assigning unique identifiers to software vulnerabilities. Until April 15, cybersecurity defenders and data scientists seemed unshakeable in embracing the program, which had already overcome challenges to achieve its silver anniversary."
https://cyberscoop.com/cve-program-funding-crisis-cve-foundation-mitre/
AI Agents May Have a Memory Problem
"Memory-enabled artificial intelligence agents that can store and recall user data for more intelligent and personalized decision-making are vulnerable to memory injection attacks that can manipulate their behavior in future interactions, a new study has shown. These AI agents, such as those used in Mastercard's recently disclosed Agent Pay and PayPal's equally new Agent Toolkit, store user data — such as preferences, transaction histories, and conversational context — to deliver very personalized decisions on behalf of users. Mastercard envisions its Agent Pay, for instance, as proactively making purchase decisions and recommending payment options based on contextual knowledge of a user's preferences and feedback."
https://www.darkreading.com/cyber-risk/ai-agents-memory-problem
https://arxiv.org/pdf/2503.16248
Why CVSS Is Failing Us And What We Can Do About It
"Two decades ago, CVSS revolutionized vulnerability management, enabling security teams to speak a common language when measuring and prioritizing risks posed by the vulnerability to the affected asset. However, today, the same tool that once guided us in the right direction is holding us back. In an environment where adversaries are faster, attack surfaces are broader, and resource constraints are tighter than ever, relying only on CVSS ratings to drive remediation efforts is no longer enough. Yet many organizations still patch vulnerabilities based on severity scores alone without asking the critical question necessary to determine real risk: Does this exposure actually pose a real risk in our environment?"
https://www.theregister.com/2025/05/14/picus_cvss/
Go Ahead And Ignore Patch Tuesday – It Might Improve Your Security
"Patch Tuesday has rolled around again, but if you don't rush to implement the feast of fixes it delivered, your security won't be any worse off in the short term – and may improve in the future. That's the opinion of Craig Lawson, a Research Vice President at analyst Gartner, who on Wednesday told the firm's Infrastructure, Operations & Cloud Strategies Conference: "Nobody has ever out-patched threat actors at scale.""
https://www.theregister.com/2025/05/14/improve_patching_strategies/
Maritime Cybersecurity: Threats & Regulations Loom
"The maritime industry is a large, complex ecosystem of carriers and port operators, with various pieces of information and operational technologies. Securing these systems is challenging but critical, as ports are at the center of the country’s supply chain. During the Maritime Cybersecurity: Risks and Best Practices webinar on April 9, experts discussed existing challenges and where stakeholders can focus on securing the supply chain and their maritime security infrastructure."
https://www.trendmicro.com/en_us/research/25/e/maritime-cybersecurity-threats-regulations.html

อ้างอิง
Electronic Transactions Development Agency(ETDA)