    Cyber Threat Intelligence 06 June 2025

    Cyber Security News
    Posted by NCSA_THAICERT

      Healthcare Sector

      • Healthcare Organizations Are At a Turning Point With AI
        "32% of healthcare executives say their organization suffered a breach in the past 12 months, and 46% say they are experiencing a higher volume of attacks, according to LevelBlue. As AI promises healthcare organizations efficiency, optimized processes, and enhanced automation, the report reveals that only 29% of healthcare executives say they are prepared for AI-powered threats despite 41% believing they will happen. 32% feel their organization is prepared for deepfake attacks, even though 49% are expecting them."
        https://www.helpnetsecurity.com/2025/06/05/healthcare-ai-powered-threats/

      Industrial Sector

      • Hitachi Energy Relion 670, 650 Series And SAM600-IO Product
        "Successful exploitation of these vulnerabilities could allow an attacker to cause memory corruption on the products."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-155-02
      • CyberData 011209 SIP Emergency Intercom
        "Successful exploitation of these vulnerabilities could allow an attacker to disclose sensitive information, cause a denial-of-service condition, or achieve code execution."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-155-01
      • Turning Off The (Information) Flow: Working With The EPA To Secure Hundreds Of Exposed Water HMIs
        "Many like to discuss internet-connected Industrial Control Systems (ICS) as the pinnacle of high-value targets, given that it is often the infrastructure we all rely on to live. In internet terms, “ICS” is typically used interchangeably with “Critical Infrastructure” because we tend to categorize these types of services and hosts based on the underlying protocols they run. The reality is much more nuanced than this; sure, around fifty thousand hosts may be running a well-known ICS protocol like Modbus, but that doesn’t make all of the hosts running Modbus “critical infrastructure”. For all we know, those services may just be some person’s Lego Mindstorm project connected to an Arduino via a serial adapter. To classify a host with an ICS service as critical infrastructure, one needs context regarding that service."
        https://censys.com/blog/turning-off-the-information-flow-working-with-the-epa-to-secure-hundreds-of-exposed-water-hmis
        https://www.securityweek.com/misconfigured-hmis-expose-us-water-systems-to-anyone-with-a-browser/

      New Tooling

      • Meta Open-Sources AI Tool To Automatically Classify Sensitive Documents
        "Meta has released an open source AI tool called Automated Sensitive Document Classification. It was originally built for internal use and is designed to find sensitive information in documents and apply security labels automatically. The tool uses customizable classification rules and works with files that contain readable text. Once labeled, the documents can be protected from unauthorized access or excluded from AI systems that use retrieval-augmented generation (RAG)."
        https://www.helpnetsecurity.com/2025/06/05/meta-open-source-automated-sensitive-document-classification-tool/
        https://github.com/meta-llama/PurpleLlama/tree/main/SensitiveDocClassification

      Vulnerabilities

      • AI Kept 15-Year-Old Zombie Vuln Alive, But Its Time Is Drawing Near
        "A security bug that surfaced fifteen years ago in a public post on GitHub has survived developers' attempts on its life. Despite multiple developer warnings about the 2010 GitHub Gist containing the path traversal vulnerability in 2012, 2014, and 2018, the flaw appeared in MDN Web Docs documentation and a Stack Overflow snippet. From there, it took up residence in large language models (LLMs) trained on the flawed examples."
        https://www.theregister.com/2025/06/05/llm_kept_persistent_path_traversal_bug_alive/
        https://arxiv.org/abs/2505.20186
      • CISA Adds One Known Exploited Vulnerability To Catalog
        "CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
        CVE-2025-5419 Google Chromium V8 Out-of-Bounds Read and Write Vulnerability"
        https://www.cisa.gov/news-events/alerts/2025/06/05/cisa-adds-one-known-exploited-vulnerability-catalog
        https://securityaffairs.com/178678/security/u-s-cisa-google-chromium-v8-flaw-known-exploited-vulnerabilities-catalog.html
      • Questions Swirl Around ConnectWise Flaw Used In Attacks
        "A week after ConnectWise disclosed that a threat actor had gained access to its environment and targeted customers, questions remain about the vulnerability used by the attacker, and confusion remains as to the timeline of the attacks. Last week, ConnectWise revealed that its environment had been breached by a suspected nation-state actor. "ConnectWise recently learned of suspicious activity within our environment that we believe was tied to a sophisticated nation state actor, which affected a very small number of ScreenConnect customers," the company said in a May 28 advisory."
        https://www.darkreading.com/remote-workforce/questions-swirl-connectwise-flaw-attacks

      Malware

      • Hacker Selling Critical Roundcube Webmail Exploit As Tech Info Disclosed
        "Hackers are likely starting to exploit CVE-2025-49113, a critical vulnerability in the widely used Roundcube open-source webmail application that allows remote execution. The security issue has been present in Roundcube for over a decade and impacts versions of Roundcube webmail 1.1.0 through 1.6.10. It received a patch on June 1st. It took attackers just a couple of days to reverse engineer the fix, weaponize the vulnerability, and start selling a working exploit on at least one hacker forum."
        https://www.bleepingcomputer.com/news/security/hacker-selling-critical-roundcube-webmail-exploit-as-tech-info-disclosed/
      • FBI: BADBOX 2.0 Android Malware Infects Millions Of Consumer Devices
        "The FBI is warning that the BADBOX 2.0 malware campaign has infected over 1 million home Internet-connected devices, converting consumer electronics into residential proxies that are used for malicious activity. The BADBOX botnet is commonly found on Chinese Android-based smart TVs, streaming boxes, projectors, tablets, and other Internet of Things (IoT) devices. "The BADBOX 2.0 botnet consists of millions of infected devices and maintains numerous backdoors to proxy services that cyber criminal actors exploit by either selling or providing free access to compromised home networks to be used for various criminal activity," warns the FBI."
        https://www.bleepingcomputer.com/news/security/fbi-badbox-20-android-malware-infects-millions-of-consumer-devices/
        https://www.ic3.gov/PSA/2025/PSA250605
      • BladedFeline: Whispering In The Dark
        "In 2024, ESET researchers discovered several malicious tools in the systems used by Kurdish and Iraqi government officials. The APT group behind the attacks is BladedFeline, an Iranian threat actor that has been active since at least 2017, when it compromised officials within the Kurdistan Regional Government (KRG). This group develops malware for maintaining and expanding access within organizations in Iraq and the KRG. While this is our first blogpost covering BladedFeline, we discovered the group in 2023, after it targeted Kurdish diplomatic officials with the Shahmaran backdoor, and previously reported on its activities in ESET APT Activity reports Q4 2023-Q1 2024 and Q2 2024-Q3 2024."
        https://www.welivesecurity.com/en/eset-research/bladedfeline-whispering-dark/
        https://www.darkreading.com/threat-intelligence/iranian-apt-bladedfeline-hides-network-8-years
        https://thehackernews.com/2025/06/iran-linked-bladedfeline-hits-iraqi-and.html
        https://therecord.media/iran-linked-hackers-target-kurdish-iraq-cyber-espionage
        https://www.bankinfosecurity.com/iranian-espionage-group-caught-spying-on-kurdish-officials-a-28602
      • Newly Identified Wiper Malware “PathWiper” Targets Critical Infrastructure In Ukraine
        "Cisco Talos observed a destructive attack on a critical infrastructure entity within Ukraine, using a previously unknown wiper we are calling “PathWiper”. The attack was instrumented via a legitimate endpoint administration framework, indicating that the attackers likely had access to the administrative console, that was then used to issue malicious commands and deploy PathWiper across connected endpoints. Talos attributes this disruptive attack and the associated wiper to a Russia-nexus advanced persistent threat (APT) actor. Our assessment is made with high confidence based on tactics, techniques and procedures (TTPs) and wiper capabilities overlapping with destructive malware previously seen targeting Ukrainian entities."
        https://blog.talosintelligence.com/pathwiper-targets-ukraine/
        https://www.darkreading.com/cyberattacks-data-breaches/pathwiper-attack-critical-infrastructure-ukraine
      • How a Malicious Excel File (CVE-2017-0199) Delivers The FormBook Payload
        "FortiGuard Labs recently observed a high-severity phishing campaign targeting old version Office Application users through malicious email attachments. The emails deliver an Excel file designed to exploit the CVE-2017-0199 vulnerability, a known flaw in old version Microsoft Office's OLE (Object Linking and Embedding) functionality. The malware being spread in this campaign is FormBook, an information-stealing malware known for its ability to capture sensitive data, including login credentials, keystrokes, and clipboard information. Upon opening the malicious Excel file, the malware performs a series of operations, ultimately running the FormBook payload."
        https://www.fortinet.com/blog/threat-research/how-a-malicious-excel-file-cve-2017-0199-delivers-the-formbook-payload
      • TTPs Of Cyber Partisans Activity Aimed At Espionage And Disruption
        "Cyber Partisans is a hacktivist group that became known back in 2020. The group is very active in the media, claiming multiple attacks on government agencies and industrial enterprises, the purpose of which is to steal confidential information and destabilize the IT infrastructure of the targeted organization. Kaspersky ICS CERT experts managed to identify the attack vector, as well as find and analyze the malware and utilities most probably used by the actors in the recent series of attacks on industrial enterprises and government agencies in Russia and Belarus."
        https://ics-cert.kaspersky.com/publications/reports/2025/06/05/ttps-of-cyber-partisans-activity-aimed-at-espionage-and-disruption/
      • Decoding ‘ClickFix’: Lessons From The Latest Browser-Based Phish
        "ClickFix is a social engineering attack that tricks users into running malicious commands on their own devices – all under the guise of a routine security check. Disguised as something familiar, like a Cloudflare CAPTCHA, it convinces users to copy and paste dangerous code without realizing the risk. We’ll break down how ClickFix works, examine a real-world example, and explore why this surprisingly simple tactic remains effective."
        https://slashnext.com/blog/decoding-clickfix-lessons-from-the-latest-browser-based-phish/
        https://www.securityweek.com/clickfix-attack-exploits-fake-cloudflare-turnstile-to-deliver-malware/
      • Unmasking Insecure HTTP Data Leaks In Popular Chrome Extensions
        "Many users assume that popular Chrome extensions adhere to strong security practices, especially when the extensions themselves promise functionality related to privacy, ranking analytics, or convenient new tab features. However, recent findings show that several widely used extensions—SEMRush Rank, PI Rank, MSN New Tab/Homepage, DualSafe Password Manager, and Browsec VPN—unintentionally transmit sensitive data over simple HTTP. By doing so, they expose browsing domains, machine IDs, operating system details, usage analytics, and even uninstall information, in plaintext. Because the traffic is unencrypted, a Man-in-the-Middle (MITM) attacker on the same network can intercept and, in some cases, even modify this data, leading to far more dangerous scenarios than simple eavesdropping."
        https://www.security.com/threat-intelligence/chrome-extension-leaks
        https://thehackernews.com/2025/06/popular-chrome-extensions-leak-api-keys.html
      • IBM X-Force Threat Analysis: DCRat Presence Growing In Latin America
        "In early May 2025, IBM X-Force observed Hive0131 conducting email campaigns targeting users in Colombia with electronic notifications of criminal proceedings, purporting to be from The Judiciary of Colombia. Hive0131 is a financially motivated group likely originating from South America that routinely conducts campaigns largely in Latin America (LATAM) to deliver a wide array of commodity payloads. The current campaigns imitate official correspondence and contain either an embedded link or a PDF lure with an embedded link. Clicking on the embedded link will initiate the infection chain to execute the banking trojan "DCRat" in memory."
        https://www.ibm.com/think/x-force/dcrat-presence-growing-in-latin-america

      Breaches/Hacks/Leaks

      • Over 3 Million Records, Including PII Exposed In App-Building Platform Data Breach
        "Cybersecurity Researcher, Jeremiah Fowler, discovered and reported to vpnMentor about an unencrypted and non-password-protected database that contained 3,637,107 records that presumably belong to a no-coding app-building platform."
        https://www.vpnmentor.com/news/report-passionapps-breach/
        https://hackread.com/unsecured-database-exposes-passion-io-creators-data/

      General News

      • The Cloud Security Crisis No One’s Talking About
        "Security teams are overwhelmed by a flood of alerts, most of which lack the context needed to accurately assess and respond to threats, according to ARMO. Respondents report receiving an average of 4,080 security alerts per month – or 136 alerts per day – related to potential cloud-based attacks, with 61% handling between 1,001 and 5,000 alerts monthly. Yet despite this deluge, the average number of true security incidents per year is just 7, meaning it takes an average of 6,994 alerts to uncover one bona fide incident."
        https://www.helpnetsecurity.com/2025/06/05/cloud-threats-detection/
      • Google Survey Shows Americans Are Changing How They Fight Scams
        "If it seems like scams are popping up everywhere lately, you’re not wrong. A new survey from Google shows most Americans feel the same, and they’re starting to change how they handle things online because of it. But different age groups are responding in different ways, and the tools people trust to stay safe vary more than you might expect."
        https://www.helpnetsecurity.com/2025/06/05/google-survey-fight-scams/
      • China Accuses Taiwan Of Running Five Feeble APT Gangs, With US Help
        "Beijing complains it’s under relentless attack by the equivalent of an ant trying to shake a tree. China’s National Computer Virus Emergency Response Center on Thursday published a report in which it claims Taiwan targeted it with a years-long but feeble cyber offensive, backed by the USA. In a report [PDF] titled “Operation Futile: Investigation report on Cyberattacks launched by ICEFCOM of Taiwan and its affiliated [advanced persistent threat] APT actors”"
        https://www.theregister.com/2025/06/05/china_taiwan_us_apt_report/
        https://www.cverc.org.cn/head/zhaiyao/Investigation_report_on_Cyberattacks_launched_by_Taiwan_ICEFCOM_EN.pdf
        https://www.securityweek.com/china-issues-warrants-for-alleged-taiwanese-hackers-and-bans-a-business-for-pro-independence-links/
      • US Offers $10M For Tips On State Hackers Tied To RedLine Malware
        "The U.S. Department of State has announced a reward of up to $10 million for any information on government-sponsored hackers with ties to the RedLine infostealer malware operation and its suspected creator, Russian national Maxim Alexandrovich Rudometov. The same bounty covers leads on state hackers' use of this malware in cyber operations targeting critical infrastructure organizations in the United States."
        https://www.bleepingcomputer.com/news/security/us-offers-10m-for-tips-on-state-hackers-tied-to-redline-malware/
        https://rewardsforjustice.net/rewards/maxim-alexandrovich-rudometov-redline/
        https://www.theregister.com/2025/06/05/rewards_for_justice_maxim_rudometov/
      • ViLE Gang Members Sentenced For DEA Portal Breach, Extortion
        "Two members of a group of cybercriminals named ViLE were sentenced this week for hacking into a federal law enforcement web portal in an extortion scheme. According to court documents, ViLE specializes in obtaining personal information about targets to harass, threaten, or extort them, a practice known as "doxing." To collect sensitive information on their victims, they use methods such as tricking customer service employees, submitting fraudulent legal requests to social media companies, bribing corporate insiders, and searching public and private online databases."
        https://www.bleepingcomputer.com/news/security/vile-gang-members-sentenced-for-breaching-law-enforcement-portal/
        https://www.securityweek.com/men-who-hacked-law-enforcement-database-for-doxing-sentenced-to-prison/
      • SecOps Need To Tackle AI Hallucinations To Improve Accuracy
        "While Artificial Intelligence (AI) benefits security operations (SecOps) by speeding up threat detection and response processes, hallucinations can generate false alerts and lead teams on a wild goose chase. AI hallucinations, which largely affect large language models (LLMs), produce incorrect, misleading, or biased information. However, unsuspecting users may accept those responses as legitimate and confidently make decisions based on them. Many examples of AI hallucinations exist, such as made-up law cases in legal filings, fictional book titles, and non-existent research studies. AI experts have repeatedly warned about the effect hallucinations can have, whether they are average users running casual ChatGPT queries or skilled developers using AI to write code."
        https://www.darkreading.com/vulnerabilities-threats/secops-tackle-ai-hallucinations-improve-accuracy
      • Sticky Fingers In The Cookie Jar: Research Reveals The Risks Of Web Cookies
        "Most of us barely pause before clicking away the cookie consent banner. It’s a routine, a forgettable part of using the internet, meant to make our online lives easier. After all, the internet is built on convenience. But that convenience has a cost, and that cost is often paid in the form of your data. In our latest study, researchers from NordStellar, a threat exposure management platform, analyzed a set of 93.7 billion cookies circulating on the dark web to uncover how they were stolen and what risks they pose. Read on and learn what that means for your privacy and security and what you can do to protect yourself."
        https://nordvpn.com/blog/cookies-research/
        https://hackread.com/nearly-94-billion-stolen-cookies-on-dark-web/
      • #Infosec2025: Cybersecurity Lessons From Maersk’s Former CISO
        "The 2017 ransomware attack on shipping company A P Moller Maersk marked a turning point for the cybersecurity industry, according to its former CISO Adam Banks. The attack is estimated to have cost Maersk $700m, excluding any revenue losses. Following the attack, it was three months before the business was fully back online, Banks told an audience at Infosecurity Europe 2025. But, he said, it could well have been worse. The $700m figure was, Banks said, the cost of the attack and the recovery. A stroke of luck, in the form of a power cut in Lagos, cut the firm’s recovery time by as much as four weeks."
        https://www.infosecurity-magazine.com/news/infosec2025-lessons-maersk-ciso/
      • #Infosec2025: Ransomware Victims Urged To Engage To Take Back Control
        "Opening lines of communication with ransomware actors is the best way to deliver a positive outcome from an event that will be “the worst day of the IT team’s lives,” a leading negotiator has claimed. Dan Saunders, director of incident response EMEA at Kivu Consulting, revealed that just 30% of the firm’s negotiations with threat actors over the past year have actually led to the victim paying. “There’s a common misconception around engaging threat actors and that is if ‘we’re going to engage them, we’re going to reach a financial settlement.’ But that is not the case,” he said."
        https://www.infosecurity-magazine.com/news/infosec2025-ransomware-victims/
      • #Infosec2025: Know Your Audience To Make An Impact, CISOs Tell Their Peers
        "Security leaders must focus and adapt their message to their audience if they are to successfully use risk management to tame a chaotic cyber landscape, a panel of CISOs has argued. On the final day of Infosecurity Europe, security bosses from across LexisNexis and RX Global discussed how CISOs play a vital role as business enablers, and “translators” of risk for senior leadership. This role has added importance given a landscape in which AI-driven threats, insider risk, growing business demands and fast-evolving technology proliferate."
        https://www.infosecurity-magazine.com/news/infosec2025-know-your-audience/
      • #Infosec2025: Threat Actors Weaponizing Hardware Devices To Exploit Fortified Environments
        "Threat actors are weaponizing legitimate hardware devices to compromise even the most fortified targets, warned Bentsi Benatar, CMO and Co-Founder of Sepio during a talk at Infosecurity Europe 2025. Despite a lack of reporting of such incidents, this approach is being utilized by sophisticated nation-state and financially motivated attackers to target sensitive targets such as banks and energy carriers."
        https://www.infosecurity-magazine.com/news/threat-actors-weaponizing-hardware/
      • #Infosec2025: Defenders And Attackers Are Locked In An AI Arms Race
        "Malicious actors are using AI tools to fine-tune cyber-attacks, even as governments race to encourage AI investment. National programs to bolster AI expertise and R&D should be seen in the context of the growing use of AI tools by criminal hackers, advised Brett Taylor, UK sales engineering director at SentinelOne, in his talk at Infosecurity Europe 2025. Just as enterprises and public-sector bodies are looking to AI to improve productivity and drive economic growth, so criminal groups are using AI-based tools to develop malware and find vulnerabilities. Additionally, hackers are actively looking for any weak spots in AI deployments."
        https://www.infosecurity-magazine.com/news/infosec2025-arms-race-ai/
      • #Infosec2025: Seven Steps To Building a Mature Vulnerability Management Program
        "For the past two years, cybersecurity teams have been facing an explosion of publicly reported vulnerabilities in software and hardware products, making it increasingly challenging to prioritize patch management. Speaking at Infosecurity Europe 2025, Jon Ridyard, Senior Sales Engineer at Axonius, proposed seven best practices for building mature vulnerability management processes and avoiding burnout."
        https://www.infosecurity-magazine.com/news/infosec2025-seven-steps/
      • #Infosec2025: Securing Endpoints Is Still Vital Amid Changing Threats
        "Endpoint devices, including PCs, mobile phones and connected IoT equipment continue to pose security risks, even as malicious actors ramp up their attacks on other areas of enterprise technology. Endpoint security might be less of a focus for CISOs struggling with a growing attack surface and increasingly sophisticated malicious actors harnessing AI tools and weaknesses in supply chain security. However, endpoints and networks remain critical layers of IT infrastructure that organizations still need to protect."
        https://www.infosecurity-magazine.com/news/infosec2025-securing-endpoints/
      • IT Threat Evolution In Q1 2025
        "According to Kaspersky Security Network, in the first quarter of 2025: A total of 12 million attacks on mobile devices involving malware, adware, or unwanted apps were blocked. Trojans, the most common mobile threat, accounted for 39.56% of total detected threats. More than 180,000 malicious and potentially unwanted installation packages were detected, which included: 49,273 packages related to mobile bankers and 1520 mobile ransomware Trojans."
        https://securelist.com/malware-report-q1-2025-mobile-statistics/116676/
        https://securelist.com/malware-report-q1-2025-pc-iot-statistics/116686/

      Reference
      Electronic Transactions Development Agency (ETDA)
