NCSA Webboard
    Cyber Threat Intelligence 19 June 2025

    Cyber Security News
    Posted by NCSA_THAICERT

      Vulnerabilities

      • BeyondTrust Remote Support: How Template Injection Can Lead To Remote Code Execution
        "In April 2025, Jorren Geurts, an ethical hacker at Resillion, identified a vulnerability within BeyondTrust Remote Desktop that enabled attackers to leverage Server-Side Template Injection (SSTI) to gain both authenticated and unauthenticated Remote Code Execution (RCE) on the target system. The vulnerability was disclosed to BeyondTrust through their Responsible Disclosure program on 6 May 2025. A couple of weeks later, CVE-2025-5309 was reserved and later published on 16 June 2025. The following account, written by Jorren, details the processes he went through to identify these vulnerabilities."
        https://www.resillion.com/latest-news/beyondtrust-remote-support-how-template-injection-can-lead-to-remote-code-execution/
        https://www.beyondtrust.com/trust-center/security-advisories/bt25-04
        https://www.bleepingcomputer.com/news/security/beyondtrust-warns-of-pre-auth-rce-in-remote-support-software/
        https://www.securityweek.com/code-execution-vulnerabilities-patched-in-veeam-beyondtrust-products/
      • Critical Vulnerability Patched In Citrix NetScaler
        "Citrix on Tuesday announced patches for four vulnerabilities across three products, including a critical-severity issue in NetScaler ADC and NetScaler Gateway. The critical flaw, tracked as CVE-2025-5777 (CVSS score of 9.3), is described as an out-of-bounds memory read caused by insufficient input validation. Only NetScaler deployments configured as Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as Authentication, Authorization, and Accounting (AAA) virtual server are affected, Citrix explains in its advisory."
        https://www.securityweek.com/critical-vulnerability-patched-in-citrix-netscaler/
        https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX693420&articleURL=NetScaler_ADC_and_NetScaler_Gateway_Security_Bulletin_for_CVE_2025_5349_and_CVE_2025_5777
      • Chrome 137 Update Patches High-Severity Vulnerabilities
        "Google on Tuesday announced patches for three vulnerabilities in Chrome 137, including two high-severity issues reported by external researchers. The first of the externally reported bugs is CVE-2025-6191, described as an integer overflow defect in the V8 JavaScript engine. Google says it handed out a $7,000 reward to the reporting researcher. The second flaw, tracked as CVE-2025-6192, is a use-after-free vulnerability in Chrome’s Profiler component that earned the reporting researcher a $4,000 reward."
        https://www.securityweek.com/chrome-137-update-patches-high-severity-vulnerabilities/
      • Qualys TRU Uncovers Chained LPE: SUSE 15 PAM To Full Root Via Libblockdev/udisks
        "The Qualys Threat Research Unit (TRU) has discovered two linked local privilege escalation (LPE) flaws. The first (CVE-2025-6018) resides in the PAM configuration of openSUSE Leap 15 and SUSE Linux Enterprise 15. Using this vulnerability, an unprivileged local attacker—for example, via SSH—can elevate to the “allow_active” user and invoke polkit actions normally reserved for a physically present user. The second (CVE-2025-6019) affects libblockdev, is exploitable via the udisks daemon included by default on most Linux distributions, and allows an “allow_active” user to gain full root privileges. Although CVE-2025-6019 on its own requires existing allow_active context, chaining it with CVE-2025-6018 enables a purely unprivileged attacker to achieve full root access."
        https://blog.qualys.com/vulnerabilities-threat-research/2025/06/17/qualys-tru-uncovers-chained-lpe-suse-15-pam-to-full-root-via-libblockdev-udisks
        https://www.bleepingcomputer.com/news/linux/new-linux-udisks-flaw-lets-attackers-get-root-on-major-linux-distros/
        https://www.infosecurity-magazine.com/news/linux-flaws-allowing-root-access/
        https://www.securityweek.com/linux-security-new-flaws-allow-root-access-cisa-warns-of-old-bug-exploitation/
        https://www.helpnetsecurity.com/2025/06/18/chaining-two-lpes-to-get-root-most-linux-distros-vulnerable-cve-2025-6018-cve-2025-6019/
      • GerriScary: Hacking The Supply Chain Of Popular Google Products (ChromiumOS, Chromium, Bazel, Dart & More)
        "Tenable Cloud Research discovered a supply chain compromise vulnerability in Google's Gerrit code-collaboration platform which we dubbed GerriScary. GerriScary allowed unauthorized code submission to at least 18 Google projects including ChromiumOS (CVE-2025-1568), Chromium, Dart and Bazel, which are now remediated. Third-party organizations that use Gerrit may also be at risk from GerriScary."
        https://www.tenable.com/blog/gerriscary-hacking-the-supply-chain-of-popular-google-products-chromiumos-chromium-bazel-dart
        https://www.securityweek.com/gerrit-misconfiguration-exposed-google-projects-to-code-injection/

      Malware

      • Case Of Attacks Targeting MySQL Servers To Install RAT Malware
        "AhnLab SEcurity intelligence Center (ASEC) is monitoring attacks targeting poorly managed services, and has confirmed that MySQL servers have remained a continuous target of attacks. Threat actors are believed to be targeting various externally accessible systems, leading to the infection of multiple systems in Korea with malware."
        https://asec.ahnlab.com/en/88514/
      • North Korean Hackers Deepfake Execs In Zoom Call To Spread Mac Malware
        "The North Korean BlueNoroff hacking group is deepfaking company executives during Zoom calls to trick employees into installing custom malware on their macOS devices. BlueNoroff (aka Sapphire Sleet or TA444) is a North Korean advanced persistent threat (APT) group known for conducting cryptocurrency theft attacks using Windows and Mac malware. Huntress researchers uncovered a new BlueNoroff attack on June 11, 2025, when they were called to investigate a potential intrusion on a partner's network."
        https://www.bleepingcomputer.com/news/security/north-korean-hackers-deepfake-execs-in-zoom-call-to-spread-mac-malware/
      • Fake Minecraft Mods Distributed By The Stargazers Ghost Network To Steal Gamers’ Data
        "Minecraft is a popular video game with a massive global player base, with over 200 million monthly active players. The game has also sold over 300 million copies, making it one of the best-selling video games ever. Minecraft supports mods (user-created modifications), which enrich the user experience by improving gameplay, fixing bugs, enhancing graphics, and adding new content. It is estimated that more than 1 million players are actively involved in modding Minecraft. Check Point Research discovered malicious repositories distributing malware via the Stargazers Ghost Network, which operates as a Distribution as a Service (DaaS)."
        https://research.checkpoint.com/2025/minecraft-mod-malware-stargazers/
        https://blog.checkpoint.com/research/minecraft-players-targeted-in-sophisticated-malware-campaign/
        https://www.bleepingcomputer.com/news/security/stargazers-use-fake-minecraft-mods-to-steal-player-passwords/
        https://thehackernews.com/2025/06/1500-minecraft-players-infected-by-java.html
        https://www.theregister.com/2025/06/18/minecraft_mod_malware/
      • Your Mobile App, Their Playground: The Dark Side Of The Virtualization
        "Zimperium zLabs has uncovered a sophisticated evolution of the GodFather banking malware that leverages an advanced on-device virtualization technique to hijack several legitimate applications, with a focus on mobile banking and cryptocurrency applications. This method marks a significant leap in mobile threat capabilities, moving beyond traditional overlays to a more deceptive and effective form of attack."
        https://zimperium.com/blog/your-mobile-app-their-playground-the-dark-side-of-the-virtualization
        https://www.darkreading.com/cloud-security/godfather-banking-trojan-debuts-virtualization-tactic
        https://www.bankinfosecurity.com/godfather-malware-turns-real-banking-apps-into-spy-tools-a-28740
        https://hackread.com/godfather-android-malware-apps-sandbox-steal-data/
        https://www.infosecurity-magazine.com/news/godfather-upgraded-hijack-mobile/
      • Ransomware Gangs Collapse As Qilin Seizes Control
        "The ransomware landscape is undergoing a turbulent realignment, marked by collapses, takeovers, and unexpected internal betrayals. Once-dominant groups such as RansomHub, LockBit, Everest, and BlackLock have recently suffered abrupt shutdowns, operational failures, and defacements of their dark web infrastructure, revealing deep instability in the cybercriminal ecosystem."
        https://www.cybereason.com/blog/threat-alert-qilin-seizes-control
        https://www.infosecurity-magazine.com/news/ransomware-qilin-offers-legal/
      • Famous Chollima Deploying Python Version Of GolangGhost RAT
        "Since mid-2024, the threat actor group Famous Chollima (aka Wagemole), a North Korean-aligned threat actor, has been very active through several well-documented campaigns. These campaigns include using variants of Contagious Interview (aka DeceptiveDevelopment) and creating fake job advertisements and skill-testing pages. In the latter, users are instructed to copy and paste (ClickFix) a malicious command line in order to install drivers necessary to conduct the final skill-testing stage. Toward the end of the year, researchers documented Famous Chollima’s remote access trojan (RAT) called “GolangGhost” in its source code format, which was frequently used as the final payload in the threat actor’s ClickFix campaigns."
        https://blog.talosintelligence.com/python-version-of-golangghost-rat/
        https://therecord.media/north-korea-india-crypto-applicants
      • Immunity Evasion: Defeating Security With Active Measures & Long-Lived Domains
        "Starting in Q1 2025, Cofense Intelligence detected a unique tactic combination for bypassing secure email gateways (SEGs). Threat actors have combined a long-lived domain with a unique CAPTCHA page and anti-automated analysis measures. Each technique is effective in hampering automated and manual analysis; however, the combination of techniques demonstrates remarkable sophistication from the threat actor."
        https://cofense.com/blog/immunity-evasion-defeating-security-with-active-measures-long-lived-domains
      • Same Sea, New Phish: Russian Government-Linked Social Engineering Targets App-Specific Passwords
        "In recent years, users’ familiarity with common phishing tactics, increasingly advanced detection and blocking by platforms, and the rise in use of Multi-Factor Authentication (MFA), have all contributed to changes in the ways that attackers phish accounts. The introduction of more secure forms of MFA, such as hardware security keys, has also closed off certain avenues of social engineering. These pressures, among others, are driving attackers towards more complex social-engineering tactics, and more technically sophisticated attack frameworks, including targeting MFA. For example, a recent analysis by Cisco’s Talos reported that nearly half of all recent incidents that their team responded to involved attackers trying to bypass MFA."
        https://citizenlab.ca/2025/06/russian-government-linked-social-engineering-targets-app-specific-passwords/
        https://cloud.google.com/blog/topics/threat-intelligence/creative-phishing-academics-critics-of-russia
        https://therecord.media/keir-giles-russia-expert-email-attack-gtig-citizen-lab-reports
        https://cyberscoop.com/russian-hackers-state-department-sophisticated-attacks-researchers-citizen-lab/
        https://www.securityweek.com/russian-hackers-bypass-gmail-mfa-with-app-specific-password-ruse/
      • Analyzing SERPENTINE#CLOUD: Threat Actors Abuse Cloudflare Tunnels To Infect Systems With Stealthy Python-Based Malware
        "Securonix threat researchers have been tracking a stealthy campaign involving (.lnk) files to deliver remote payloads hosted on attacker-controlled Cloudflare Tunnel subdomains. The infection chain ends in a Python-based shellcode loader that executes Donut-packed payloads entirely in memory."
        https://www.securonix.com/blog/analyzing_serpentinecloud-threat-actors-abuse-cloudflare-tunnels-threat-research/
        https://thehackernews.com/2025/06/new-malware-campaign-uses-cloudflare.html
        https://www.darkreading.com/cloud-security/serpentinecloud-cloudflare-tunnels-sneak-attacks
      • Half The Spam In Your Inbox Is Generated By AI – Its Use In Advanced Attacks Is At An Earlier Stage
        "Cyber attackers are leveraging the power of AI to boost their chances of success in email-based attacks. AI tools can help them to develop and launch more attacks, more frequently, and to make these attacks more evasive, convincing and targeted. But to what extent are they doing these things? Determining whether or how AI has been used in an email attack is not always straightforward, and this makes it harder to see what is really going on under the hood. We believe that to build effective defenses against AI-based email attacks, we need to have a better understanding of how attackers are using these tools today and what for and how that is evolving."
        https://blog.barracuda.com/2025/06/18/half-spam-inbox-ai-generated
        https://www.infosecurity-magazine.com/news/ai-generates-spam-malicious-emails/
      • Scammers Hijack Websites Of Bank Of America, Netflix, Microsoft, And More To Insert Fake Phone Number
        "Cybercriminals frequently use fake search engine listings to take advantage of our trust in popular brands, and then scam us. It often starts, as with so many attacks, with a sponsored search result on Google. In the latest example of this type of scam, we found tech support scammers hijacking the results of people looking for 24/7 support for Apple, Bank of America, Facebook, HP, Microsoft, Netflix, and PayPal."
        https://www.malwarebytes.com/blog/news/2025/06/scammers-hijack-websites-of-bank-of-america-netflix-microsoft-and-more-to-insert-fake-phone-number
      • Amatera Stealer: Rebranded ACR Stealer With Improved Evasion, Sophistication
        "Proofpoint has been closely monitoring a stealer malware formerly known as ACR Stealer. In 2025, Proofpoint analysts identified a new, unnamed malware exhibiting significant code overlap, shared features, and capabilities with ACR Stealer. Further investigation revealed that ACR Stealer was significantly updated and rebranded as Amatera Stealer. While Amatera Stealer retains the core of its predecessor, it has undergone enough development and enhancement to stand out as a distinct and noteworthy threat."
        https://www.proofpoint.com/us/blog/threat-insight/amatera-stealer-rebranded-acr-stealer-improved-evasion-sophistication

      Breaches/Hacks/Leaks

      • Pro-Israel Hackers Hit Iran's Nobitex Exchange, Burn $90M In Crypto
        "The pro-Israel "Predatory Sparrow" hacking group claims to have stolen over $90 million in cryptocurrency from Nobitex, Iran's largest crypto exchange, and burned the funds in a politically motivated cyberattack. The attack occurred on June 18, 2025, with Nobitex first reporting the breach on X at 2:24 AM EST. "This morning, June 19, our technical team detected signs of unauthorized access to a portion of our reporting infrastructure and hot wallet," reads Nobitex's post."
        https://www.bleepingcomputer.com/news/security/pro-israel-hackers-hit-irans-nobitex-exchange-burn-90m-in-crypto/
        https://cyberscoop.com/iran-nobitex-cyberattack-predatory-sparrow/
      • Healthcare SaaS Firm Says Data Breach Impacts 5.4 Million Patients
        "Episource warns of a data breach after hackers stole health information of over 5 million people in the United States in a January cyberattack. Episource is an American healthcare services company that provides risk adjustment, medical coding, data analytics, and technology solutions to health plans and providers. They help insurers optimize payments and compliance in government programs like Medicare Advantage. In a data breach notification on its website, Episource says it detected unusual activity on its systems on February 6, 2025. An investigation revealed that hackers accessed and exfiltrated sensitive data stored on these systems between January 27 and the time of the discovery."
        https://www.bleepingcomputer.com/news/security/episource-says-data-breach-impacts-54-million-patients/
        https://therecord.media/5-million-affected-episource-data-breach
        https://www.securityweek.com/data-breach-at-healthcare-services-firm-episource-impacts-5-4-million-people/
        https://securityaffairs.com/179115/data-breach/healthcare-services-company-episource-data-breach-impacts-5-4-million-people.html
      • Asana Warns MCP AI Feature Exposed Customer Data To Other Orgs
        "Work management platform Asana is warning users of its new Model Context Protocol (MCP) feature that a flaw in its implementation potentially led to data exposure from their instances to other users and vice versa. The data exposure was due to a logic flaw in the MCP system and not the result of a hack, but the risk that arises from the incident could still be significant in some cases. Asana is a project and task management SaaS platform used by organizations to plan, track, and manage work, assign tasks to team members, set deadlines, and collaborate from a centralized interface."
        https://www.bleepingcomputer.com/news/security/asana-warns-mcp-ai-feature-exposed-customer-data-to-other-orgs/
        https://www.theregister.com/2025/06/18/asana_mcp_server_bug/
      • World Leaks Claims Data Theft From State Agency Contractor
        "Cybercriminal gang World Leaks - formerly Hunters International - claims to have stolen 52.4 gigabytes of data containing 42,204 files from Massachusetts-based Freedman HealthCare, a contractor that provides data integration and analytics services to state health agencies. World Leaks reportedly threatened on Monday to begin leaking on Tuesday data allegedly stolen from FHC, media outlet The Register said. By Wednesday, World Leaks appeared to have leaked on its dark website some information, including management and user accounts and passwords and state contracts, but no protected health information, so far, The Register said."
        https://www.bankinfosecurity.com/world-leaks-claims-data-theft-from-state-agency-contractor-a-28746

      General News

      • When Legitimate Tools Go Rogue
        "Late one Tuesday night, Elena’s phone buzzed with an alert from her company’s SIEM. Her team had set up a rule to flag when certain system tools — whoami, nltest and nslookup — were run one after another in quick succession. That exact pattern had just triggered on a computer in the Finance Department. The time? 2:13 a.m. Concerned, Elena logged in from home to investigate. Almost immediately, two more alerts appeared. One signaled that Mimikatz (a tool popular with threat actors to steal credentials) had been used on the same Finance machine. The other reported a PsExec download (a command line tool used to execute processes) on a domain controller."
        https://blog.talosintelligence.com/when-legitimate-tools-go-rogue/
      • The Triple Threat Of Burnout: Overworked, Unsatisfied, Trapped
        "The stigma surrounding burnout among security staffers may be fading, but organizations need to continue expanding the conversations about managing a fast-moving list of stressors. From CISOs to new hires, cybersecurity professionals are being asked to do more to stay a step ahead of threats, but their job satisfaction and career prospects are not compensating for the stress. Many feel trapped in their jobs, and in critical fields like healthcare, lives can literally be on the line as a result."
        https://www.darkreading.com/cybersecurity-operations/triple-threat-burnout-overworked-unsatisfied-trapped
      • How CISOs Can Govern AI & Meet Evolving Regulations
        "Not long ago, the role of the chief information security officer (CISO) was well-defined: protect infrastructure, secure applications, safeguard customer data, manage risk, and ensure compliance across a growing partner ecosystem. But as artificial intelligence (AI) transforms how enterprises operate, a new mandate has emerged: Govern its use responsibly, end to end. AI unlocks powerful capabilities, but without governance and oversight, risk accelerates. It's like sending an F1 car onto the track without a pit crew — fast, but dangerously unsustainable."
        https://www.darkreading.com/vulnerabilities-threats/cisos-govern-ai-evolving-regulations
      • Employees Are Using AI Where They Know They Shouldn’t
        "Despite widespread anticipation about AI’s positive impact on workforce productivity, most employees feel they were overpromised on its potential, according to GoTo. In fact, 62% believe AI has been significantly overhyped. However, this is likely because employees aren’t making the most of what these tools have to offer. 86% admit they’re not using AI tools to their full potential, and 82% say they aren’t very familiar with how AI can be used practically in their day-to-day work."
        https://www.helpnetsecurity.com/2025/06/18/employees-ai-potential/
      • AI Is Changing Cybersecurity Roles, And Entry-Level Jobs Are At Risk
        "Will humans remain essential in cybersecurity, or is AI set to take over? According to Wipro, many CISOs are leveraging AI to improve threat detection and response times and to build enhanced incident response capabilities. AI systems can now perform a variety of tasks that were once handled by entry-level analysts, such as drafting reports, generating alerts, and assembling presentations for management."
        https://www.helpnetsecurity.com/2025/06/18/ai-humans-cybersecurity/
      • What’s Trending: Top Cyber Attacker Techniques, March–May 2025
        "In our latest quarterly analysis (March–May 2025, the “reporting period”), ReliaQuest analyzed new and prevalent attacker techniques, malware trends, and ransomware group activity. These findings reveal how adversaries are refining their tactics, techniques, and procedures (TTPs); adapting to defenses; and exploiting vulnerabilities to infiltrate organizations. This report examines emerging patterns through real-world attack methods, highlighting how attackers leverage trusted tools and target human weaknesses to achieve their goals. With insights relevant across industries, it provides actionable recommendations to help organizations strengthen defenses, anticipate threats, and stay ahead of increasingly sophisticated adversaries."
        https://reliaquest.com/blog/whats-trending-top-cyber-attacker-techniques-march-2025-may-2025/
        https://www.infosecurity-magazine.com/news/clickfix-infostealers-mhsta/
      • Mitigating AI Threats: Bridging The Gap Between AI And Legacy Security
        "The quantum leap in artificial intelligence is transforming sectors at an unparalleled pace, with large language models (LLMs) and agentic systems becoming critical to modern workflows. This rapid deployment has unveiled gaping vulnerabilities, as legacy tools such as firewalls, EDR, and SIEM are struggling to keep pace with AI-specific threats, including adaptive threat patterns, and covert prompt engineering."
        https://www.securityweek.com/mitigating-ai-threats-bridging-the-gap-between-ai-and-legacy-security/
      • Amazon CISO: Iranian Hacking Crews ‘on High Alert’ Since Israel Attack
        "Iran's state-sponsored cyber operatives and hacktivists have all increased their activities since the military conflict with Israel erupted last week – but not necessarily in the way that Amazon chief information security officer CJ Moses expected. Like most world powers and wannabes, Iran has a substantive crew of government-supported hackers who do all of the usual cyber dirty work for the state: espionage, meddling in elections, spear phishing, stealing data and credentials, deploying ransomware, and in some cases breaking into water utilities and other critical infrastructure."
        https://www.theregister.com/2025/06/18/amazon_ciso_agentic_acceleration/

      Reference
      Electronic Transactions Development Agency (ETDA)
