Cyber Threat Intelligence 10 June 2025
New Tooling
- Fiddleitm: Open-Source Mitmproxy Add-On Identifies Malicious Web Traffic
"fiddleitm is an open-source tool built on top of mitmproxy that helps find malicious web traffic. It works by checking HTTP requests and responses for known patterns that might point to malware, phishing, or other threats. “I created fiddleitm because I needed a replacement for a similar project I ran for years using Fiddler. It needed to be cross platform compatible and highly extensible. This is a web proxy and debugging tool by a security researcher, for security researchers,” Jérôme Segura, the creator of the tool, told Help Net Security."
https://www.helpnetsecurity.com/2025/06/09/fiddleitm-open-source-mitmproxy-add-on-identify-malicious-web-traffic/
https://github.com/jeromesegura/fiddleitm
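The quoted description says fiddleitm works by checking requests and responses against known patterns. The script below is an added example of that add-on shape for mitmproxy (load it with `mitmproxy -s traffic_rules.py`); it is not fiddleitm's own code, and the three rules and the sample flow used to exercise it are constructed for illustration, not a real rule set.

```python
"""Minimal mitmproxy add-on that flags HTTP responses matching known-bad patterns.

Added example in the spirit of fiddleitm; not fiddleitm's own code. The rules below
are constructed placeholders. mitmproxy loads the `addons` list at the bottom and
calls `response(flow)` for every completed HTTP exchange.
"""
import logging
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    """One detection rule: a name plus optional regexes on URL, headers and body.
    Every regex that is set must match for the rule to fire."""
    name: str
    url: Optional[str] = None
    header: Optional[str] = None   # matched against "Name: value" lines
    body: Optional[str] = None
    max_body: int = 512 * 1024     # only inspect the first 512 KiB of a body

    def matches(self, url: str, headers: List[str], body: str) -> bool:
        checks = []
        if self.url:
            checks.append(re.search(self.url, url, re.I) is not None)
        if self.header:
            checks.append(any(re.search(self.header, h, re.I) for h in headers))
        if self.body:
            checks.append(re.search(self.body, body[: self.max_body], re.I | re.S) is not None)
        return bool(checks) and all(checks)


# Constructed rules for illustration only; real rule sets are maintained separately.
RULES = [
    Rule("obfuscated-js-eval-unescape", body=r"eval\s*\(\s*unescape\s*\("),
    Rule("fake-browser-update-lure",
         url=r"/(update|browser)[^/]*\.(php|html)",
         body=r"your browser (is|needs) (out of date|an update)"),
    Rule("executable-served-as-image",
         url=r"\.(png|jpe?g|gif)(\?|$)",
         header=r"^content-type:\s*application/(x-msdownload|octet-stream)"),
]


class TrafficMatcher:
    """mitmproxy add-on: evaluates every completed response against RULES."""

    def __init__(self, rules=RULES):
        self.rules = rules
        self.hits = []  # (rule name, url) pairs kept for later review

    def inspect(self, flow):
        """Return the names of all rules the flow matches. Needs only
        flow.request.pretty_url, flow.response.headers and flow.response.get_text()."""
        url = flow.request.pretty_url
        headers = [f"{k}: {v}" for k, v in flow.response.headers.items()]
        body = flow.response.get_text(strict=False) or ""
        return [r.name for r in self.rules if r.matches(url, headers, body)]

    def response(self, flow):
        """mitmproxy hook, called once the full response is available."""
        for name in self.inspect(flow):
            self.hits.append((name, flow.request.pretty_url))
            logging.warning("[%s] %s", name, flow.request.pretty_url)
            flow.metadata[f"rule:{name}"] = True  # shows up in the flow detail view


addons = [TrafficMatcher()]
```

Body matching is capped at 512 KiB per response so a large download cannot stall the proxy; when a rule needs the whole body, raise `max_body` for that rule only.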
Vulnerabilities
- PayU Plugin Flaw Allows Account Takeover On 5000 WordPress Sites
"A critical vulnerability in the PayU CommercePro plugin has put thousands of WordPress sites at risk by allowing unauthenticated attackers to hijack user accounts, according to PatchStack. The flaw, discovered in version 3.8.5, stems from insecure logic in the /payu/v1/get-shipping-cost API route. Attackers can exploit this to impersonate any registered user, including site administrators, without needing login credentials."
https://www.infosecurity-magazine.com/news/payu-plugin-flaw-wordpress-account/
https://patchstack.com/database/wordpress/plugin/payu-india/vulnerability/wordpress-payu-india-plugin-3-8-5-account-takeover-vulnerability
- Over 84,000 Roundcube Instances Vulnerable To Actively Exploited Flaw
"Over 84,000 Roundcube webmail installations are vulnerable to CVE-2025-49113, a critical remote code execution (RCE) flaw with a public exploit. The flaw, which impacts Roundcube versions 1.1.0 through 1.6.10, spanning over a decade, was patched on June 1, 2025, following its discovery and reporting by security researcher Kirill Firsov. The bug stems from unsanitized $_GET['_from'] input, enabling PHP object deserialization and session corruption when session keys begin with an exclamation mark."
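Two checks a defender can run from the facts in the paragraph above, as an added example (not Roundcube's code and not an exploit): a version test against the affected range the advisory gives (1.1.0 through 1.6.10), and a scan of web-server access-log lines for requests that carry an exclamation mark in Roundcube's `_from` query parameter, the input the bug turns into a corrupted session key. The scan keys on `_from` alone, whatever the `_task` or `_action`, so hits are leads to review rather than confirmed exploitation. The log lines are constructed, and the combined log format is assumed.

```python
"""Version-range check and access-log scan for CVE-2025-49113 (Roundcube).

Added example, not Roundcube's code. Affected range taken from the advisory
text; the sample log lines are constructed and assume Apache/nginx combined format.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

AFFECTED_MIN = (1, 1, 0)
AFFECTED_MAX = (1, 6, 10)


def parse_version(v):
    """'1.6.10' -> (1, 6, 10); tolerates a trailing suffix such as '1.6.10-rc1'."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", v.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    return tuple(int(x or 0) for x in m.groups())


def is_affected(version):
    """True if the version falls inside the affected range given in the advisory."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


# Combined log format: client ident user [time] "METHOD target proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def suspicious_from(target):
    """Return the decoded _from value if it contains '!', else None.
    parse_qs decodes once; the extra unquote catches %2521-style double encoding."""
    qs = parse_qs(urlsplit(target).query, keep_blank_values=True)
    for raw in qs.get("_from", []):
        val = unquote(raw)
        if "!" in val:
            return val
    return None


def scan_log(lines):
    """Return (ip, time, decoded _from, status) for each suspicious request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        val = suspicious_from(m["target"])
        if val is not None:
            hits.append((m["ip"], m["time"], val, int(m["status"])))
    return hits


# Constructed sample; only the second line carries a '!' in _from.
SAMPLE_LOG = [
    '203.0.113.7 - - [08/Jun/2025:10:01:02 +0000] "GET /roundcube/?_task=settings&_from=edit-identity HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [08/Jun/2025:10:01:05 +0000] "GET /roundcube/?_task=settings&_from=edit-%21abc HTTP/1.1" 200 131 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [08/Jun/2025:10:02:00 +0000] "GET /roundcube/?_task=mail&_mbox=INBOX HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print("1.6.10 affected:", is_affected("1.6.10"))
    for hit in scan_log(SAMPLE_LOG):
        print("suspicious _from:", hit)
```

A 200 on a flagged request does not by itself mean the deserialization succeeded; pair a hit with the Roundcube session table or PHP error log for the same timestamp before escalating.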
https://www.bleepingcomputer.com/news/security/over-84-000-roundcube-instances-vulnerable-to-actively-exploited-flaw/
https://www.helpnetsecurity.com/2025/06/09/roundcube-rce-dark-web-activity-signals-imminent-attacks-cve-2025-49113/
- CISA Adds Two Known Exploited Vulnerabilities To Catalog
"CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
CVE-2025-32433 Erlang Erlang/OTP SSH Server Missing Authentication for Critical Function Vulnerability
CVE-2024-42009 RoundCube Webmail Cross-Site Scripting Vulnerability"
https://www.cisa.gov/news-events/alerts/2025/06/09/cisa-adds-two-known-exploited-vulnerabilities-catalog
- Google Patched Bug Leaking Phone Numbers Tied To Accounts
"A vulnerability allowed researchers to brute-force any Google account's recovery phone number simply by knowing their profile name and an easily retrieved partial phone number, creating a massive risk for phishing and SIM-swapping attacks. The attack method involves abusing a now-deprecated JavaScript-disabled version of the Google username recovery form, which lacked modern anti-abuse protections. The flaw was discovered by security researcher BruteCat, the same one who demonstrated in February that it's possible to expose the private email addresses of YouTube accounts."
https://www.bleepingcomputer.com/news/security/google-patched-bug-leaking-phone-numbers-tied-to-accounts/
Malware
- Follow The Smoke | China-Nexus Threat Actors Hammer At The Doors Of Top Tier Targets
"This research outlines threats that SentinelLABS observed and defended against in late 2024 and the first quarter of 2025. This post expands upon previous SentinelLABS research, which provides an overview of threats against cybersecurity vendors, including SentinelOne, ranging from financially motivated crimeware to targeted attacks by nation-state actors. This research focuses specifically on the subset of threats targeting SentinelOne and others that we attribute to China-nexus threat actors."
https://www.sentinelone.com/labs/follow-the-smoke-china-nexus-threat-actors-hammer-at-the-doors-of-top-tier-targets/
https://www.bleepingcomputer.com/news/security/sentinelone-shares-new-details-on-china-linked-breach-attempt/
https://thehackernews.com/2025/06/over-70-organizations-across-multiple.html
https://www.darkreading.com/remote-workforce/china-hackers-target-sentinelone-purplehaze-attack
https://www.bankinfosecurity.com/sentinelone-sees-no-breach-after-hardware-supplier-hacked-a-28626
https://www.securityweek.com/chinese-espionage-crews-circle-sentinelone-in-year-long-reconnaissance-campaign/
https://hackread.com/chinese-linked-hackers-targeted-global-organizations/
https://www.theregister.com/2025/06/09/china_malware_flip_switch_sentinelone/
- Ransomware Disguised As Password Cracker (Extension Changed To .NS1419)
"The AhnLab SEcurity intelligence Center (ASEC) recently discovered ransomware being distributed disguised as a password cracker tool. Such tools are typically used in brute force attacks. Brute force attacks involve trying every possible combination to find the correct password. Attackers repeatedly attempt to breach a system's authentication procedure to steal passwords."
https://asec.ahnlab.com/en/88371/
- Two Botnets, One Flaw: Mirai Spreads Through Wazuh Vulnerability
"The Akamai SIRT discovered active exploitation of the remotely executable Wazuh unsafe deserialization vulnerability CVE-2025-24016 in late March 2025, just a few weeks after the vulnerability’s initial disclosure. Although the vulnerability has been public for months now, it has not yet been added to CISA’s Known Exploited Vulnerability (KEV) catalog, nor has active exploitation been previously reported. The Akamai SIRT identified two different botnets leveraging this exploit to spread variants of the Mirai malware to vulnerable target systems."
https://www.akamai.com/blog/security-research/botnets-flaw-mirai-spreads-through-wazuh-vulnerability
https://thehackernews.com/2025/06/botnet-wazuh-server-vulnerability.html
https://www.bankinfosecurity.com/mirai-botnets-exploit-flaw-in-unpatched-wazuh-servers-a-28624
https://www.securityweek.com/mirai-botnets-exploiting-wazuh-security-platform-vulnerability/
- May 2025 Malware Spotlight: SafePay Surges To The Forefront Of Cyber Threats
"Cyber criminals are becoming more brazen, and this month, research highlights the rise of SafePay, a relatively new but increasingly active ransomware group that has quickly established itself as a key player in the cyber crime ecosystem. Meanwhile, FakeUpdates remains a dominant force, continuing to impact global organizations at an alarming rate. The education sector remains the most targeted industry, illustrating persistent vulnerabilities across institutions."
https://blog.checkpoint.com/research/may-2025-malware-spotlight-safepay-surges-to-the-forefront-of-cyber-threats/
- Sleep With One Eye Open: How Librarian Ghouls Steal Data By Night
"Librarian Ghouls, also known as “Rare Werewolf” and “Rezet”, is an APT group that targets entities in Russia and the CIS. Other security vendors are also monitoring this APT and releasing analyses of its campaigns. The group has remained active through May 2025, consistently targeting Russian companies. A distinctive feature of this threat is that the attackers favor using legitimate third-party software over developing their own malicious binaries. The malicious functionality of the campaign described in this article is implemented through command files and PowerShell scripts. The attackers establish remote access to the victim’s device, steal credentials, and deploy an XMRig crypto miner in the system."
https://securelist.com/librarian-ghouls-apt-wakes-up-computers-to-steal-data-and-mine-crypto/116536/
https://www.darkreading.com/cyberattacks-data-breaches/librarian-ghouls-cyberattackers-strike
- DanaBleed: DanaBot C2 Server Memory Leak Bug
"DanaBot is a Malware-as-a-Service (MaaS) platform that has been active since 2018. DanaBot operates on an affiliate model, where the malware developer sells access to customers who then distribute and use the malware for activities like credential theft and banking fraud. The developer is responsible for creating the malware, maintaining the command-and-control (C2) infrastructure, and providing operational support. DanaBot has been involved in several high-profile campaigns, such as a supply chain attack on popular NPM packages and a Distributed Denial-of-Service (DDoS) attack against the Ukrainian Ministry of Defense during the 2022 Russian invasion."
https://www.zscaler.com/blogs/security-research/danableed-danabot-c2-server-memory-leak-bug
- New Hacker Group Uses LockBit Ransomware Variant To Target Russian Companies
"A financially motivated cybercrime group dubbed DarkGaboon has been targeting Russian companies in a series of ransomware attacks, researchers have found. The group was first identified by Russian cybersecurity firm Positive Technologies in January, but researchers have traced its operations back to 2023. Since then, DarkGaboon has targeted Russian organizations across various sectors, including banking, retail, tourism and public services. Positive Technologies was sanctioned by the U.S. in 2021 for allegedly providing IT support to Russia's civilian and military intelligence agencies."
https://therecord.media/new-hacker-group-lockbit-target-russia
Breaches/Hacks/Leaks
- Stolen Ticketmaster Data From Snowflake Attacks Briefly For Sale Again
"The Arkana Security extortion gang briefly listed over the weekend what appeared to be newly stolen Ticketmaster data but is instead the data stolen during the 2024 Snowflake data theft attacks. The extortion group posted screenshots of the allegedly stolen data, advertising over 569 GB of Ticketmaster data for sale, causing speculation that this was a new breach."
https://www.bleepingcomputer.com/news/security/stolen-ticketmaster-data-from-snowflake-attacks-briefly-for-sale-again/
- Sensata Technologies Says Personal Data Stolen By Ransomware Gang
"Sensata Technologies is warning former and current employees it suffered a data breach after concluding an investigation into an April ransomware attack. Sensata is a global industrial tech firm specializing in mission‑critical sensors, controls, and electrical protection systems. It serves the automotive, aerospace, and defense industries, among others, and has an annual revenue of over $4 billion. In April, the company filed an 8-K filing with the U.S. Securities and Exchange Commission (SEC), disclosing that it suffered a ransomware attack on Sunday, April 6, which also included data theft."
https://www.bleepingcomputer.com/news/security/sensata-technologies-says-personal-data-stolen-by-ransomware-gang/
- Grocery Wholesale Giant United Natural Foods Hit By Cyberattack
"United Natural Foods (UNFI), North America's largest publicly traded wholesale distributor, was forced to shut down some systems following a recent cyberattack. The Rhode Island-based company operates 53 distribution centers and delivers fresh and frozen products to over 30,000 locations across the United States and Canada, including supermarket chains, e-commerce providers, natural product superstores, independent retailers, and food service customers. UNFI, a primary distributor for Amazon's Whole Foods, reported $31 billion in annual revenues in August 2024, works with more than 11,000 suppliers, and has over 28,000 employees."
https://www.bleepingcomputer.com/news/security/grocery-wholesale-giant-united-natural-foods-hit-by-cyberattack/
https://therecord.media/major-food-wholesaler-cyberattack-impacting-distribution
https://www.bankinfosecurity.com/whole-foods-supplier-faces-cyberattack-disrupting-operations-a-28629
https://cyberscoop.com/united-natural-foods-whole-foods-distributor-cyberattack/
https://www.theregister.com/2025/06/09/united_natural_foods_cyber_incident/
- The Force That Surrounds Us: The AI Supply Chain From My Jedai To Canva
"UpGuard can now report that it has secured a Chroma database belonging to My Jedai, an AI chatbot company based in Russia. The database contained 341 collections of documents, where each collection could be used to guide responses for different chatbots. Many of the collections contained non-sensitive public data, but some contained private information. Most significantly, one collection contained thousands of responses to a survey of 571 participants in the Canva Creators program, including their email address, country of residence, rating for different components of the Creators program, and descriptions of their specific experiences and challenges with the program."
https://www.upguard.com/breaches/chroma-my-jedai-canva
https://hackread.com/limited-canva-creator-data-expose-ai-chatbot-database/
- Nearly 300,000 Crash Records Stolen From Texas Transportation Department
"State agencies in Texas and Illinois released warnings in recent days about data breaches affecting the sensitive information of thousands of people. Texas said hackers compromised an account at the Department of Transportation (TxDOT) and discovered unusual activity on May 12 involving its Crash Records Information System (CRIS). An investigation found that the compromised account was used to access and download almost 300,000 crash reports. Texas is legally required to maintain CRIS, which tracks all details of crashes and the people involved."
https://therecord.media/car-crash-records-stolen-texas-transportation-department
General News
- Balancing Cybersecurity And Client Experience For High-Net-Worth Clients
"In this Help Net Security interview, Renana Friedlich-Barsky, EVP and CISO at LPL Financial, discusses how threat actors are targeting high-net-worth clients and exploiting digital touchpoints in wealth management. She explains why firms must embed security from the start to protect sensitive assets and ensure seamless, secure client experiences."
https://www.helpnetsecurity.com/2025/06/09/renana-friedlich-barsky-lpl-financial-wealth-management-cybersecurity/
- CISOs, Are You Ready For Cyber Threats In Biotech?
"The threat landscape in the bioeconomy is different from what most CISOs are used to. It includes traditional risks like data breaches, but the consequences are more complex. A compromise of genomic databases, for example, does not just expose personal health data. It can also leak proprietary genetic sequences that represent years of research and investment. These are not just privacy violations; they are breaches that can cripple a business’s future R&D pipeline. One example is the breach at 23andMe, where attackers accessed genetic data of millions of users through credential stuffing."
https://www.helpnetsecurity.com/2025/06/09/cyberbiosecurity-ciso-cyber-threats/
- Enterprise SIEMs Miss 79% Of Known MITRE ATT&CK Techniques
"Using the MITRE ATT&CK framework as a baseline, organizations are generally improving year-over-year in understanding security information and event management (SIEM) detection coverage and quality, but plenty of room for improvement remains, according to CardinalOps."
https://www.helpnetsecurity.com/2025/06/09/siem-detection-coverage/
https://cardinalops.com/white-papers/2025-state-of-siem-report-download/
https://www.darkreading.com/cybersecurity-operations/siems-missing-mark-mitre-techniques
- Employees Repeatedly Fall For Vendor Email Compromise Attacks
"In just 12 months, attackers attempted to steal more than $300 million via vendor email compromise (VEC), with 7% of engagements coming from employees who had engaged with a previous attack, according to Abnormal AI. Employees struggle to differentiate between legitimate messages and attacks, especially when those emails appear to come from a trusted vendor. Employees in the largest organizations, with workforces of 50,000 or more, had the highest rate of second-step engagement with VEC."
https://www.helpnetsecurity.com/2025/06/09/vendor-email-compromise-attacks-vec/
- Disrupting Malicious Uses Of AI: June 2025
"Our mission is to ensure that artificial general intelligence benefits all of humanity. We advance this mission by deploying our innovations to build AI tools that help people solve really hard problems. As we laid out in our submission to the Office of Science and Technology Policy’s U.S. AI Action Plan in March, we believe that making sure AI benefits the most people possible means enabling AI through common-sense rules aimed at protecting people from actual harms, and building democratic AI. This includes preventing the use of AI tools by authoritarian regimes to amass power and control their citizens, or to threaten or coerce other states; as well as activities such as covert influence operations (IO), child exploitation, scams, spam, and malicious cyber activity."
https://openai.com/global-affairs/disrupting-malicious-uses-of-ai-june-2025/
https://thehackernews.com/2025/06/openai-bans-chatgpt-accounts-used-by.html
https://securityaffairs.com/178797/intelligence/openai-bans-chatgpt-accounts-linked-to-russian-chinese-cyber-ops.html
- Next-Gen Developers Are a Cybersecurity Powder Keg
"Media rumblings of industry disruption usually surface in the form of life-changing, convenient tech offerings that promise to add more convenience, comfort, or advancement to our lives. Companies like Amazon, OpenAI, and Uber have shaped their entire ethos around similar principles, and they are among the first disruptors that come to mind for many."
https://www.darkreading.com/application-security/next-gen-developers-cybersecurity-powder-keg
- EU Launches EU-Based, Privacy-Focused DNS Resolution Service
"DNS4EU is an initiative co-funded by the European Union and supported by the European Union Agency for Cybersecurity (ENISA), though the service is expected to be commercialised, “since it has to be sustainable without operational costs from the EU after 2025.”"
https://www.helpnetsecurity.com/2025/06/09/eu-launches-eu-based-privacy-focused-dns-resolution-service/
- Chinese Hackers And User Lapses Turn Smartphones Into a 'Mobile Security Crisis'
"Cybersecurity investigators noticed a highly unusual software crash — it was affecting a small number of smartphones belonging to people who worked in government, politics, tech and journalism. The crashes, which began late last year and carried into 2025, were the tipoff to a sophisticated cyberattack that may have allowed hackers to infiltrate a phone without a single click from the user."
https://www.securityweek.com/chinese-hackers-and-user-lapses-turn-smartphones-into-a-mobile-security-crisis/
- Spyware Maker Cuts Ties With Italy After Government Refused Audit Into Hack Of Journalist's Phone
"The spyware manufacturer Paragon said Monday that it has ended its contract with Italy because a special government committee investigating alleged abuses there declined to let the company independently verify that Italian authorities did not hack into the phone of a well-known journalist. “The company offered both the Italian government and parliament a way to determine whether its system had been used against the journalist,” Paragon said in a statement issued to the Israeli publication Haaretz. Because Italian authorities “chose not to proceed with this solution, Paragon terminated its contracts in Italy,” the company said."
https://therecord.media/paragon-spyware-maker-cuts-ties-italy-government
- Kazakhstan Detains Over 140 For Allegedly Selling Citizens' Data Via Telegram Channels
"Kazakh authorities said they busted a network that was using Telegram to illegally sell citizens’ personal data extracted from government databases. More than 140 suspects were arrested in connection with the scheme, including business owners and alleged administrators of Telegram channels used to trade the stolen information, officials said on Monday. Authorities reported that some of the extracted data was shared with debt collection agencies, several of which were searched during the operation. The government seized more than 400 computers and other electronic devices believed to have been used in the illegal activity."
https://therecord.media/kazakhstan-arrests-suspects-stolen-data-network
- Roles Here? Roles There? Roles Anywhere: Exploring The Security Of AWS IAM Roles Anywhere
"As organizations depend more on applications, devices and services to interact across hybrid environments, non-human identities are becoming more common. To enable secure access for these identities within the organization, Amazon Web Services (AWS) has introduced the AWS Identity and Access Management (IAM) Roles Anywhere service that allows workloads outside of AWS to authenticate using digital certificates instead of traditional access keys."
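Certificate-based assumption is only as tight as the role's trust policy: a role that trusts rolesanywhere.amazonaws.com without conditions can be assumed through any trust anchor in the account, and a trust anchor pinned without a subject condition accepts every certificate issued under that CA. The audit below is an added example, not Unit 42's or AWS's code; it checks a parsed trust policy for an aws:SourceArn pin and an aws:PrincipalTag/x509Subject/CN pin and shows a weak policy beside a hardened one. The account ID, trust anchor ARN and CN are placeholders, and the condition-key comparison is exact-match for simplicity.

```python
"""Audit IAM role trust policies intended for IAM Roles Anywhere.

Added example, not AWS's or Unit 42's code. Flags Allow statements for
rolesanywhere.amazonaws.com that do not pin a trust anchor (aws:SourceArn)
or a certificate subject (aws:PrincipalTag/x509Subject/CN). ARNs and the CN
below are hypothetical placeholders.
"""
import json

ROLESANYWHERE = "rolesanywhere.amazonaws.com"
# Hypothetical account, trust anchor and workload name used in the sample policies.
TRUST_ANCHOR_ARN = ("arn:aws:rolesanywhere:eu-west-1:123456789012:"
                    "trust-anchor/00000000-0000-0000-0000-000000000000")
EXPECTED_CN = "build-runner-01"


def _as_list(x):
    """IAM allows a string or a list in most positions; normalise to a list."""
    return x if isinstance(x, list) else [x]


def audit_trust_policy(policy):
    """Return a list of findings; an empty list means no issue was found."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        services = _as_list(stmt.get("Principal", {}).get("Service", []))
        if ROLESANYWHERE not in services:
            continue  # only statements the Roles Anywhere service can use matter here
        cond = stmt.get("Condition", {})
        src_arns = []
        for op in ("ArnEquals", "ArnLike", "StringEquals"):
            src_arns += _as_list(cond.get(op, {}).get("aws:SourceArn", []))
        if not src_arns:
            findings.append(f"statement {i}: no aws:SourceArn condition; "
                            "any trust anchor in the account can assume the role")
        elif any("*" in a for a in src_arns):
            findings.append(f"statement {i}: wildcard in aws:SourceArn")
        cn = cond.get("StringEquals", {}).get("aws:PrincipalTag/x509Subject/CN")
        if cn is None:
            findings.append(f"statement {i}: no aws:PrincipalTag/x509Subject/CN condition; "
                            "every certificate under the anchor CA qualifies")
    return findings


# Weak: trusts the service without pinning the anchor or the certificate subject.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": ROLESANYWHERE},
        "Action": ["sts:AssumeRole", "sts:TagSession", "sts:SetSourceIdentity"],
    }],
}

# Hardened: same statement with the trust anchor and subject CN pinned.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": ROLESANYWHERE},
        "Action": ["sts:AssumeRole", "sts:TagSession", "sts:SetSourceIdentity"],
        "Condition": {
            "ArnEquals": {"aws:SourceArn": TRUST_ANCHOR_ARN},
            "StringEquals": {"aws:PrincipalTag/x509Subject/CN": EXPECTED_CN},
        },
    }],
}

if __name__ == "__main__":
    for name, pol in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, json.dumps(audit_trust_policy(pol), indent=2))
```

Run it against the output of `aws iam get-role` for each role that names rolesanywhere.amazonaws.com as a principal; the subject pin can be relaxed to other x509Subject or x509SAN attributes where one role legitimately serves several workloads, but it should never be absent.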
https://unit42.paloaltonetworks.com/aws-roles-anywhere/
- DragonForce Ransomware Cartel Vs. Everybody
"The story of the DragonForce Ransomware Cartel (DFRC, DragonForce) begins somewhere, but researchers can’t agree whether it started as a hacktivist group, a distinct new group, or a little of each. In fact, the more you dig into DFRC, the more obfuscated it becomes. It’s hard to find all the cool family history details in this story, and that’s exactly how they like it."
https://blog.barracuda.com/2025/06/09/dragonforce-ransomware-cartel-vs--everybody
References
Electronic Transactions Development Agency (ETDA)