NCSA Webboard

    Cyber Threat Intelligence 16 May 2025

    Cyber Security News
    • NCSA_THAICERT

      Financial Sector

      • April 2025 Security Issues In Korean And Global Financial Industries
        "This report comprehensively covers actual cyber threats and security issues that have occurred in financial institutions in Korea and abroad. This includes an analysis of malware and phishing cases distributed to the financial sector, the top 10 malware strains targeting the financial sector, and industry statistics of leaked Korean accounts on Telegram. A case of phishing emails distributed to the financial sector is also covered in detail."
        https://asec.ahnlab.com/en/87975/

      Industrial Sector

      • CISA Releases Twenty-Two Industrial Control Systems Advisories
        "CISA released twenty-two Industrial Control Systems (ICS) advisories on May 15, 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS."
        https://www.cisa.gov/news-events/alerts/2025/05/15/cisa-releases-twenty-two-industrial-control-systems-advisories
      • Threat Landscape For Industrial Automation Systems. Q1 2025
        "Relative stability from quarter to quarter. The percentage of ICS computers on which malicious objects were blocked remained unchanged from Q4 2024 at 21.9%. Over the last three quarters, the value has ranged from 22.0% to 21.9%. The quarterly figures are decreasing from year to year. Since Q2 2023, the percentage of ICS computers on which malicious objects were blocked has been lower than the indicator of the same quarter of the previous year. Compared to Q1 2024, the figure decreased by 2.5 pp."
        https://ics-cert.kaspersky.com/publications/reports/2025/05/15/threat-landscape-for-industrial-automation-systems-q1-2025/
        https://securelist.com/industrial-threat-report-q1-2025/116505/
      • Critical Infrastructure Under Siege: OT Security Still Lags
        "Operational technology and critical infrastructure are under attack, according to new warnings from the US federal government. Last week, the Cybersecurity and Infrastructure Security (CISA), the FBI, the Environmental Protection Agency (EPA), and the Department of Energy (DoE) warned that they were "aware of cyber incidents affecting the operational technology (OT) and industrial control systems (ICS) of critical infrastructure entities in the United States.""
        https://www.darkreading.com/ics-ot-security/critical-infrastructure-ot-security-still-lags

      New Tooling

      • Introducing Oniux: Kernel-Level Tor Isolation For Any Linux App
        "When launching privacy-critical apps and services, developers want to make sure that every packet really only goes through Tor. One mistyped proxy setting–or a single system-call outside the SOCKS wrapper–and your data is suddenly on the line. That's why today, we are excited to introduce oniux: a small command-line utility providing Tor network isolation for third-party applications using Linux namespaces. Built on Arti, and onionmasq, oniux drop-ships any Linux program into its own network namespace to route it through Tor and strips away the potential for data leaks. If your work, activism, or research demands rock-solid traffic isolation, oniux delivers it."
        https://blog.torproject.org/introducing-oniux-tor-isolation-using-linux-namespaces/
        https://www.bleepingcomputer.com/news/security/new-tor-oniux-tool-anonymizes-any-linux-apps-network-traffic/

      Vulnerabilities

      • New Chrome Vulnerability Enables Cross-Origin Data Leak Via Loader Referrer Policy
        "Google on Wednesday released updates to address four security issues in its Chrome web browser, including one for which it said there exists an exploit in the wild. The high-severity vulnerability, tracked as CVE-2025-4664 (CVSS score: 4.3), has been characterized as a case of insufficient policy enforcement in a component called Loader. "Insufficient policy enforcement in Loader in Google Chrome prior to 136.0.7103.113 allowed a remote attacker to leak cross-origin data via a crafted HTML page," according to a description of the flaw."
        https://thehackernews.com/2025/05/new-chrome-vulnerability-enables-cross.html
        https://www.cve.org/CVERecord?id=CVE-2025-4664
        https://www.bleepingcomputer.com/news/security/google-fixes-high-severity-chrome-flaw-with-public-exploit/
        https://www.securityweek.com/chrome-136-update-patches-vulnerability-with-exploit-in-the-wild/
      • CISA Adds Three Known Exploited Vulnerabilities To Catalog
        "CISA has added three new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
        CVE-2024-12987 DrayTek Vigor Routers OS Command Injection Vulnerability
        CVE-2025-4664 Google Chromium Loader Insufficient Policy Enforcement Vulnerability
        CVE-2025-42999 SAP NetWeaver Deserialization Vulnerability"
        https://www.cisa.gov/news-events/alerts/2025/05/15/cisa-adds-three-known-exploited-vulnerabilities-catalog

      Malware

      • Disguised Cyber Risks On The Colombian Shore: The Insurance Trap
        "scheme awaited us—a crafty operation targeting car insurance. This scam relies on fake websites to deceive users, leveraging publicly available vehicle registration numbers to add a layer of credibility. Since the beginning of 2024, we have identified over 100 fraudulent websites linked to this scheme, each crafted with guile, meticulousness, and precision to be a digital double of legitimate services and exploit unsuspecting victims. These sites represent a widespread and systematic effort to target individuals seeking damage-precautionary and mandatory vehicle insurance. The journey customers may take for a sense of security becomes the criminal means of entrapment, which starts with ads on social media platforms like Facebook."
        https://www.group-ib.com/blog/colombian-cybertrap/
      • Operation RoundPress
        "This blogpost introduces an operation that we named RoundPress, targeting high-value webmail servers with XSS vulnerabilities, and that we assess with medium confidence is run by the Sednit cyberespionage group. The ultimate goal of this operation is to steal confidential data from specific email accounts."
        https://www.welivesecurity.com/en/eset-research/operation-roundpress/
        https://www.bleepingcomputer.com/news/security/government-webmail-hacked-via-xss-bugs-in-global-spy-campaign/
        https://thehackernews.com/2025/05/russia-linked-apt28-exploited-mdaemon.html
        https://therecord.media/kremlin-linked-hackers-target-webmail-eastern-europe-governments
        https://cyberscoop.com/russia-fancy-bear-gru-ukrainian-military-contractors/
        https://www.helpnetsecurity.com/2025/05/15/espionage-operation-roundpress-webmail-servers/
      • FBI: US Officials Targeted In Voice Deepfake Attacks Since April
        "The FBI warned that cybercriminals are using AI-generated audio deepfakes to target U.S. officials in voice phishing attacks that started in April. This warning is part of a public service announcement issued on Thursday that also provides mitigation measures to help the public spot and block attacks using audio deepfakes (also known as voice deepfakes). "Since April 2025, malicious actors have impersonated senior US officials to target individuals, many of whom are current or former senior US federal or state government officials and their contacts. If you receive a message claiming to be from a senior US official, do not assume it is authentic," the FBI warned."
        https://www.bleepingcomputer.com/news/security/fbi-us-officials-targeted-in-voice-deepfake-attacks-since-april/
        https://www.ic3.gov/Media/News/2021/210310-2.pdf
        https://cyberscoop.com/fbi-warns-of-ai-deepfake-phishing-impersonating-government-officials/
      • Sophisticated NPM Attack Leveraging Unicode Steganography And Google Calendar C2
        "Our security monitoring systems recently flagged a suspicious npm package, os-info-checker-es6, which represents a sophisticated and evolving threat within the npm ecosystem. What initially appeared as a simple OS information utility quickly unraveled into a sophisticated multi-stage malware attack. This campaign employs clever Unicode-based steganography to hide its initial malicious code and utilizes a Google Calendar event short link as a dynamic dropper for its final payload."
        https://www.veracode.com/resources/sophisticated-npm-attack-leveraging-unicode-steganography-and-google-calendar-c2
        https://thehackernews.com/2025/05/malicious-npm-package-leverages-unicode.html
        https://www.bleepingcomputer.com/news/security/malicious-npm-package-uses-unicode-steganography-to-evade-detection/
      • Phishing Campaign Mimics Email Quarantine Notifications: 32,000 Emails Target 6,358 Customers
        "In a recent discovery, Check Point researchers have identified a large-scale phishing campaign that exploits the guise of email quarantine notifications. This campaign, consisting of 32,000 emails, has targeted 6,358 customers across various regions. The primary objective of the attackers is to deceive recipients into providing their login credentials through a fake login page."
        https://blog.checkpoint.com/securing-user-and-access/phishing-campaign-mimics-email-quarantine-notifications-32000-emails-target-6358-customers/
      • Fileless Execution: PowerShell Based Shellcode Loader Executes Remcos RAT
        "Cybercriminals are progressively turning to PowerShell to launch stealthy attacks that evade traditional antivirus and endpoint defenses. By running code directly in memory, these threats leave minimal evidence on disk, making them particularly challenging to detect. A recent example is Remcos RAT, a well-known remote access trojan recognized for its persistence and stealth. It provides attackers with full control over compromised systems, making it a preferred go-to tool for cyber espionage and data theft. In a recent campaign, threat actors delivered malicious LNK files embedded within ZIP archives, often disguised as Office documents. The attack chain leverages mshta.exe for proxy execution during the initial stage. Unconfirmed reports suggest this new sample is named “K-Loader,” although no conclusive findings have been made."
        https://blog.qualys.com/vulnerabilities-threat-research/2025/05/15/fileless-execution-powershell-based-shellcode-loader-executes-remcos-rat
        https://hackread.com/fileless-remcos-rat-attack-antivirus-powershell-scripts/
        https://www.infosecurity-magazine.com/news/powershell-loader-deploys-remcos/
      • Detecting FrigidStealer Malware With Wazuh
        "FrigidStealer is an information-stealing malware that emerged in January 2025. It targets macOS endpoints to steal sensitive user data through deceptive tactics. Unlike traditional malware, FrigidStealer exploits user trust in routine software updates, making it particularly insidious. As a significant threat, it underscores the need for extended security measures on macOS endpoints. The malware’s financial motivations, potentially linked to the EvilCorp syndicate, underscore its threat to both individual users and enterprises, with stolen data including credentials and cryptocurrency wallets posing risks of identity theft and financial fraud. In this blog post, we explore the behavior of FrigidStealer and demonstrate how Wazuh, an open source SIEM and XDR platform, can be configured to detect this threat."
        https://wazuh.com/blog/detecting-frigidstealer-malware-with-wazuh/
        https://hackread.com/frigidstealer-malware-macos-fake-safari-browser-update/

      Breaches/Hacks/Leaks

      • Coinbase Data Breach Exposes Customer Info And Government IDs
        "Coinbase, a cryptocurrency exchange with over 100 million customers, has disclosed that cybercriminals working with rogue support agents stole customer data and demanded a $20 million ransom not to publish the stolen information. The company said it would not pay the ransom but would establish a $20 million reward fund for any leads that could help find the attackers who coordinated this attack. The disclosure comes after the criminals behind the breach emailed Coinbase on May 11, demanding a $20 million ransom to prevent public disclosure of stolen information about certain customer accounts and internal documentation."
        https://www.bleepingcomputer.com/news/security/coinbase-discloses-breach-faces-up-to-400-million-in-losses/
        https://thehackernews.com/2025/05/coinbase-agents-bribed-data-of-1-users.html
        https://therecord.media/coinbase-extortion-attempt-company-offers-20million-reward
        https://www.securityweek.com/coinbase-rejects-20m-ransom-after-rogue-contractors-bribed-to-leak-customer-data/
        https://hackread.com/coinbase-customer-info-stolen-bribed-overseas-agents/
        https://www.helpnetsecurity.com/2025/05/15/coinbase-suffers-data-breach-gets-extorted/
        https://www.infosecurity-magazine.com/news/coinbase-offers-20m-bounty/
        https://securityaffairs.com/177878/cyber-crime/coinbase-disclosed-a-data-breach-after-an-extortion-attempt.html
        https://www.theregister.com/2025/05/15/coinbase_extorted_for_20m_support/
      • Attack Claimed By Pro-Ukraine Hackers Reportedly Erases a Third Of Russian Court Case Archive
        "A cyberattack on Russia's national case management and electronic court filing system wiped out about a third of its case archive, according to a report by the Russian Audit Chamber. The system, known as “Pravosudiye” (meaning “justice” in Russian), was hacked last October and was down for a month, disrupting the operation of Russian court websites, communication networks, and email services. The attack was claimed by the pro-Ukraine hacking group BO Team, which has previously collaborated with Ukrainian military intelligence in operations against Russian entities. Ukrainian authorities have not publicly confirmed any official military intelligence participation in this incident."
        https://therecord.media/russia-court-system-hack-third-of-case-files-deleted

      General News

      • Building Cybersecurity Culture In Science-Driven Organizations
        "In this Help Net Security interview, Anne Sofie Roed Rasmussen, CISO at Novonesis, discusses how a science-driven organization approaches cybersecurity, aligning innovation with protection, measuring cultural progress, managing shadow IT, and earning trust from scientific leaders."
        https://www.helpnetsecurity.com/2025/05/15/anne-sofie-roed-rasmussen-novonesis-science-driven-organization-cybersecurity/
      • New Blockchain Security Standards Target Safer Ecosystems
        "The Blockchain Security Standards Council (BSSC) launched its first four security standards, marking a significant milestone in the journey towards a more secure and trustworthy blockchain ecosystem. These standards are designed to address critical aspects of blockchain security, elevating trust in digital assets and confidence in blockchain networks."
        https://www.helpnetsecurity.com/2025/05/15/new-blockchain-security-standards/
        https://blockchain-ssc-9943b9b517-dd2be16b8b7bb.webflow.io/standards
      • #Infosec2025: Ransomware Enters ‘Post-Trust Ecosystem,’ NCA Cyber Expert Says
        "The ransomware landscape has entered a “post-trust ecosystem,” where fragmented and increasingly mistrustful cybercrime groups operate in a climate of heightened law enforcement scrutiny, according to William Lyne of the UK’s National Crime Agency (NCA). The result is a more unpredictable and potentially more perilous threat environment for organizations worldwide. In recent years, a series of high-profile law enforcement takedowns has disrupted some of the most notorious ransomware groups. Now the dust is settling and a cybercrime landscape that's more splintered than ever is emerging."
        https://www.infosecurity-magazine.com/news/ransomware-enters-posttrust/
      • Here's What We Know About The DragonForce Ransomware That Hit Marks & Spencer
        "DragonForce, a new-ish ransomware-as-a-service operation, has given organizations another cyber threat to worry about — unless they’re in Russia, which is off limits to the would-be extortionists. The gang started operations in August 2023 but its ransomware didn't gain much traction until the following year, when DragonForce operators began advertising for affiliates on dark web forums. The gang has since claimed many victims and drawn the attention of the FBI, which found it was one of 2024’s most prolific ransomware sources."
        https://www.theregister.com/2025/05/15/dragonforce_ransomware_uk_retail_attacks/
      • Fraud Losses Hit $11m Per Company As Customer Abuse Soars
        "Online merchants lost an average of nearly $11m each to fraud last year, with the risk from first-party fraud growing significantly, according to Ravelin. The London-headquartered fraud prevention firm surveyed 1466 global fraud and payments professionals in the retail, travel & hospitality, digital goods, and marketplaces sectors to produce its Global Fraud Trends 2025 report. It found that 77% of respondents recorded a rise in the volume of fraud over the past year, with marketplaces hit particularly hard, and 64% expect it to increase in the coming 12 months."
        https://www.infosecurity-magazine.com/news/fraud-losses-11m-customer-abuse/
      • Windows 11 And Red Hat Linux Hacked On First Day Of Pwn2Own
        "On the first day of Pwn2Own Berlin 2025, security researchers were awarded $260,000 after successfully demonstrating zero-day exploits for Windows 11, Red Hat Linux, and Oracle VirtualBox. Red Hat Enterprise Linux for Workstations was the first to fall in the local privilege escalation category after DEVCORE Research Team's Pumpkin exploited an integer overflow vulnerability to earn $20,000. Hyunwoo Kim and Wongi Lee also got root on a Red Hat Linux device by chaining a use-after-free and an information leak, but one of the exploited flaws was an N-day, which led to a bug collision."
        https://www.bleepingcomputer.com/news/security/windows-11-and-red-hat-linux-virtualbox-hacked-on-first-day-of-pwn2own/
      • Beyond The Kill Chain: What Cybercriminals Do With Their Money (Part 1)
        "You’re having a day off work. You wake up and enjoy some breakfast: toast with honey. You relax in your apartment, and go online. You see some internet ads, do a bit of shopping (perhaps ordering a pair of discounted sneakers), have a quick look on a dating site, see if there’s any new real estate in your area, think about applying for an online education course, and search for a plumber to fix that dripping tap in the kitchen. You head out to a sandwich bar for lunch and grab a coffee, before dropping off some laundry at the dry cleaners and getting the screen fixed on your mobile phone. In the evening, you visit a new restaurant with some friends, and treat yourself to an ice cream afterward, before getting a taxi home."
        https://news.sophos.com/en-us/2025/05/15/beyond-the-kill-chain-what-cybercriminals-do-with-their-money-part-1/
        https://cyberscoop.com/what-cybercriminals-do-with-their-money-sophos/
      • Cyber-Risk Calculator Takes The Guesswork Out Of Assessment
        "Organizations need to understand their risk profiles to implement more proactive security measures as attacks increase in both number and severity, but measuring cyber risk can be difficult because there are so many variables to account for. Assessments depend on several evolving variables, such as an organization's number of employees, financial records or personally identifiable information (PII), security controls already in place, and threats that pose the highest risk. Is it ransomware that will encrypt critical systems, or is it business email compromise that can quickly drain financial accounts?"
        https://www.darkreading.com/cyber-risk/calculator-guesswork-measure-cyber-risk
      • International Crackdown Dismantles Multimillion-Euro Investment Scam
        "An organised crime group responsible for defrauding more than 100 victims of over EUR 3 million through a fake online investment platform has been dismantled following an international law enforcement operation. The investigation, led by German authorities and supported by Europol and Eurojust, saw coordinated actions in Albania, Cyprus and Israel, resulting in the dismantling of the criminal group and the arrest of a suspect in Cyprus."
        https://www.europol.europa.eu/media-press/newsroom/news/international-crackdown-dismantles-multimillion-euro-investment-scam
        https://hackread.com/police-shut-down-fake-trading-platform-scammed-users/
      • New Linux Vulnerabilities Surge 967% In a Year
        "The number of newly discovered Linux and macOS vulnerabilities increased dramatically in 2024, according to new analysis from Action1. The cybersecurity vendor’s 2025 Software Vulnerability Ratings Report is based on in-depth analysis of the National Vulnerability Database (NVD) and SecurityScorecard’s CVEdetails.com site. By its reckoning, the total number of vulnerabilities discovered in 2024 rose by 61% annually to 6761, with Linux bugs increasing by an “unprecedented” 967% to 3329 for the year. Vulnerabilities in the macOS platform also recorded a significant annual surge, of 95%, to reach 508 in total."
        https://www.infosecurity-magazine.com/news/new-linux-vulnerabilities-surge/
      • "Endemic" Ransomware Prompts NHS To Demand Supplier Action On Cybersecurity
        "England’s National Health Service (NHS) has urged its suppliers to commit to strong cybersecurity practices amid increased cyber threats to patients and services. The voluntary cybersecurity charter aims to better protect the NHS from growing cyber threats via its supply chain, including ransomware. The open letter to current and prospective NHS suppliers noted that the ransomware threat is “endemic.” “We have experienced several significant ransomware attacks on our supply chain in recent years,” it read."
        https://www.infosecurity-magazine.com/news/endemic-ransomware-nhs-supplier/
      • How An Alleged Russian Hacker Slipped Away
        "On Jan. 5, 2024, Андрей Владимирович Тарасов (Eng. Andrei Vladimirovich Tarasov), a 33-year-old Russian man, was released from Moabit Prison in Berlin. He’d been held there for about six months. Originally from Russia, he’d been living in Berlin when police arrested him July 18, 2023, related to computer crime charges in the U.S. Tarasov was indicted by a grand jury in New Jersey in June 2023 along with Maksim Silnikau, a Belarusian and Ukrainian dual national, and Volodymyr Kadariya of Belarus. They were charged with conspiracy to commit wire fraud, conspiracy to commit computer fraud and abuse and two counts of wire fraud. The indictment alleges the three men ran an expansive scheme from October 2013 through March 2022 to infect computers with malware via fake advertisements, or malvertisements, and then sell the stolen data and access. The computers were attacked using a potent tool called the Angler exploit kit, which was designed to quickly probe a computer for vulnerabilities and then silently deliver malware. This scheme was believed to have been used to attack millions of computers worldwide."
        https://intel471.com/blog/how-an-alleged-russian-hacker-slipped-away
        https://www.securityweek.com/andrei-tarasov-inside-the-journey-of-a-russian-hacker-on-the-fbis-most-wanted-list/
      • Stop Imagining Threats, Start Mitigating Them: A Practical Guide To Threat Modeling
        "When building a software-intensive system, a key part in creating a secure and robust solution is to develop a cyber threat model. This is a model that expresses who might be interested in attacking your system, what effects they might want to achieve, when and where attacks could manifest, and how attackers might go about accessing the system. Threat models are important because they guide requirements, system design, and operational choices. Effects can include, for example, compromise of confidential information, modification of information contained in the system, and disruption of operations. There are diverse purposes for achieving these kinds of effects, ranging from espionage to ransomware."
        https://insights.sei.cmu.edu/blog/stop-imagining-threats-start-mitigating-them-a-practical-guide-to-threat-modeling/
      • Snowflake CISO On The Power Of 'Shared Destiny' And 'Yes And'
        "Being the chief information security officer at Snowflake is never an easy job, but last spring it was especially challenging. In May 2024, some of the cloud storage and data analytics firm's major customers, including Ticketmaster and banking giant Santander, disclosed significant data breaches. Attackers, the companies reported, had accessed their Snowflake-hosted environments and exfiltrated terabytes of data affecting hundreds of millions of individuals."
        https://www.theregister.com/2025/05/15/snowflake_ciso_interview/
      • April 2025 Deep Web And Dark Web Trends Report
        "This trend report on the deep web and dark web of March 2025 is sectioned into Ransomware, Data Breach, DarkWeb, CyberAttack, and Threat Actor. Please note that there are some parts of the content that cannot be verified for ac"
        https://asec.ahnlab.com/en/87974/
      • RaaS Explained: How Cybercriminals Are Scaling Attacks Like Startups
        "There is a lot of money in cyberattacks like ransomware, and unfortunately for organizations of all sizes, the cybercrime business is booming. Ransomware has come a long way since the days of using floppy disks at health conventions to spread malicious files. Now, this previously rare endeavour has become a thriving business in the form of Ransomware-as-a-Service (RaaS), which involves hackers selling ransomware kits to others. But it’s not all doom and gloom. Businesses are successfully fighting back, with better IT management and incident readiness, which involves proactive approaches to identify vulnerabilities to fix them before attacks happen."
        https://hackread.com/raas-explained-cybercriminals-scaling-attacks-startups/

      Reference
      Electronic Transactions Development Agency (ETDA)
