NCSA Webboard

    Cyber Threat Intelligence 20 June 2025

    Cyber Security News
    • NCSA_THAICERT

      Industrial Sector

      • APT And Financial Attacks On Industrial Organizations In Q1 2025
        "This summary provides an overview of the reports of APT and financial attacks on industrial enterprises disclosed in Q1 2025, as well as the related activities of groups that have been observed attacking industrial organizations and critical infrastructure facilities. For each topic, we summarize the key facts, findings and conclusions of researchers that we believe may be of use to professionals addressing practical issues of cybersecurity for industrial enterprises."
        https://ics-cert.kaspersky.com/publications/reports/2025/06/19/apt-and-financial-attackson-industrial-organizations-in-q1-2025/

      Vulnerabilities

      • High-Severity Vulnerabilities Patched By Cisco, Atlassian
        "Cisco and Atlassian on Wednesday announced the rollout of patches for multiple high-severity vulnerabilities in their products, many leading to denial-of-service (DoS) conditions. Cisco released firmware updates for Meraki devices to resolve a high-severity flaw allowing attackers to cause the AnyConnect VPN server on these products to restart, leading to a DoS condition. Tracked as CVE-2025-20271 (CVSS score of 8.6), the bug can be exploited remotely."
        https://www.securityweek.com/high-severity-vulnerabilities-patched-by-cisco-atlassian/

      Malware

      • TxTag Takedown: Busting Phishing Email Schemes
        "Have you received any alerts in your inbox recently telling you that your account will be suspended unless you pay the balance immediately? Interacting with emails like this could jeopardize not only your personal info but also your company's reputation. As summer approaches, threat actors are ramping up their phishing efforts, launching numerous targeted campaigns. Below, we highlight an example to help you recognize these tactics and empower you to be the first line of defense against phishing threats."
        https://cofense.com/blog/txtag-takedown-busting-phishing-email-schemes
      • Iran-Israel War Triggers a Maelstrom In Cyberspace
        "As they trade missile strikes, Iran and Israel have also faced heavy waves of cyberattacks this past week. On June 13, Israel initiated a military offensive it called "Operation Rising Lion," aimed at crippling Iran's nuclear weapons program. The two countries' covert war has become overt since then, shifting power in the region and causing dozens of civilian deaths in Israel and hundreds in Iran along the way. As expected, hacktivists have flocked to the scene like vultures. Analysts are now tracking more than 100 different threat actors carrying out, or at least claiming to carry out, cyberattacks against either Iran or, more often, Israel."
        https://www.darkreading.com/threat-intelligence/iran-israel-war-maelstrom-cyberspace
      • Declaration Trap: Crypto Drainers Masquerading As European Tax Authorities
        "Crypto isn’t just for tech enthusiasts anymore – it’s becoming part of everyday financial life. More people are investing, more businesses are accepting crypto payments, the market keeps growing, and with it, so does the number of people involved. But where there’s money, scammers are watching and inventing new methods to steal it. They know the ecosystem is still full of confusion, especially around regulation and taxes. And they’ve found ways to use that to their advantage."
        https://www.group-ib.com/blog/declaration-trap/
      • Threat Actor Banana Squad Exploits GitHub Repos In New Campaign
        "Trends in open-source software supply chain attacks – ones that exploit the public platforms developers rely on for software development – have changed quite a bit in recent years. While the number of malicious packages uploaded to open-source repositories like npm and the Python Package Index (PyPI) has decreased, the stealth and sophistication of threat actors to pull off less obvious attacks on platforms like GitHub is increasing."
        https://www.reversinglabs.com/blog/threat-actor-banana-squad-exploits-github-repos-in-new-campaign
        https://hackread.com/banana-squad-data-stealing-malware-github-repositories/
        https://www.infosecurity-magazine.com/news/banana-squads-github-malware/
        https://www.securityweek.com/new-campaigns-distribute-malware-via-open-source-hacking-tools/
      • Cato CTRL™ Threat Research: PoC Attack Targeting Atlassian’s Model Context Protocol (MCP) Introduces New “Living Off AI” Risk
        "Most organizations assume a clear boundary between external users, who submit support tickets or service requests, and internal users, who handle them using privileged access. However, when an internal user triggers an AI action from a model context protocol (MCP) tool, such as summarizing a ticket, that boundary can break. The AI action is executed with the internal user’s permissions (whether a human agent, a bot, or an automated integration), meaning a malicious ticket submitted by an external threat actor can be used to inject harmful instructions."
        https://www.catonetworks.com/blog/cato-ctrl-poc-attack-targeting-atlassians-mcp/
        https://www.infosecurity-magazine.com/news/atlassian-ai-agent-mcp-attack/
      • AntiDot
        "AntiDot is an Android botnet malware that lets cybercriminals control their victim devices with high capability. LARVA-398 operates and sells this botnet as a Malware as a Service (MaaS) on underground forums. The malware is promoted as a "3-in-1" tool, incorporating its own loader, packer, and botnet infrastructure. It features a range of capabilities, including screen recording and interface cloning through abuse of Android’s accessibility services. Additionally, it can intercept SMS messages and harvest logs from other applications to exfiltrate user data. Campaign activity indicates that threat actors are selectively targeting victims based on language and geographic location, suggesting the malware is likely distributed via malicious advertising networks or through highly tailored phishing campaigns. Our analysis uncovered at least 11 active command-and-control (C2) servers currently in operation."
        https://catalyst.prodaft.com/public/report/antidot
        https://thehackernews.com/2025/06/new-android-malware-surge-hits-devices.html

      Breaches/Hacks/Leaks

      • The 16-Billion-Record Data Breach That No One’s Ever Heard Of
        "Unnecessarily compiling sensitive information can be as damaging as actively trying to steal it. For example, the Cybernews research team discovered a plethora of supermassive datasets, housing billions upon billions of login credentials. From social media and corporate platforms to VPNs and developer portals, no stone was left unturned. Our team has been closely monitoring the web since the beginning of the year. So far, they’ve discovered 30 exposed datasets containing from tens of millions to over 3.5 billion records each. In total, the researchers uncovered an unimaginable 16 billion records."
        https://cybernews.com/security/billions-credentials-exposed-infostealers-data-leak/
        https://www.bleepingcomputer.com/news/security/no-the-16-billion-credentials-leak-is-not-a-new-data-breach/
        https://www.malwarebytes.com/blog/news/2025/06/billions-of-logins-for-apple-google-facebook-telegram-and-more-found-exposed-online
        https://securityaffairs.com/179149/data-breach/researchers-discovered-the-largest-data-breach-ever-exposing-16-billion-login-credentials.html
      • Telecom Giant Viasat Breached By China's Salt Typhoon Hackers
        "Satellite communications company Viasat is the latest victim of China's Salt Typhoon cyber-espionage group, which has previously hacked into the networks of multiple other telecom providers in the United States and worldwide. Viasat provides satellite broadband services to governments worldwide and aviation, military, energy, maritime, and enterprise customers. Last month, the telecom giant told shareholders that it had approximately 189,000 broadband subscribers in the United States. The company discovered the Salt Typhoon breach earlier this year and has been working with federal authorities to investigate the attack, as Bloomberg first reported."
        https://www.bleepingcomputer.com/news/security/telecom-giant-viasat-breached-by-chinas-salt-typhoon-hackers/
        https://securityaffairs.com/179146/security/china-linked-group-salt-typhoon-breached-satellite-firm-viasat.html
      • Krispy Kreme Says November Data Breach Impacts Over 160,000 People
        "U.S. doughnut chain Krispy Kreme confirmed that attackers stole the personal information of over 160,000 individuals in a November 2024 cyberattack. The American multinational coffeehouse chain employed 22,800 people in 40 countries as of December 2023 and operates 1,521 shops and 15,800 points of access. It also manages four "Doughnut Factories" in the United States and 37 others internationally, and it partners with McDonald's to have its products sold in thousands of McDonald's locations worldwide."
        https://www.bleepingcomputer.com/news/security/krispy-kreme-says-november-data-breach-impacts-over-160-000-people/
        https://www.infosecurity-magazine.com/news/krispy-kreme-data-breach-financial/
        https://www.securityweek.com/krispy-kreme-confirms-data-breach-after-ransomware-attack/
        https://www.theregister.com/2025/06/19/krispy_kreme_reveals_staggering_breadth/
      • Chain IQ, UBS Data Stolen In Ransomware Attack
        "Swiss procurement service provider Chain IQ has confirmed falling victim to a cyberattack that led to the theft of customer data. The Zug, Switzerland-based firm says it learned of the incident after a threat actor published data allegedly stolen from its systems on the dark web. “On June 12, 2025, Chain IQ, along with 19 other companies, was the target of a cyberattack that had never before been seen on a global scale. This cyberattack resulted in data theft. Data from some Chain IQ customers was published on the dark web,” the company says in an incident notice."
        https://www.securityweek.com/chain-iq-ubs-data-stolen-in-ransomware-attack/
        https://www.infosecurity-magazine.com/news/ubs-employee-data-exposed-third/

      General News

      • US Recovers $225 Million Of Crypto Stolen In Investment Scams
        "The U.S. Department of Justice has seized more than $225 million in cryptocurrency linked to investment fraud and money laundering operations, the largest crypto seizure in the history of the U.S. Secret Service. The state's investigators used blockchain analysis to trace the funds stolen from over 400 victims, which were then laundered through a complex network of cryptocurrency addresses to obscure their origin."
        https://www.bleepingcomputer.com/news/legal/us-recovers-225-million-of-crypto-stolen-in-investment-scams/
        https://therecord.media/doj-moves-to-seize-225-million-in-stolen-crypto
      • Ryuk Ransomware’s Initial Access Expert Extradited To The U.S.
        "A member of the notorious Ryuk ransomware operation who specialized in gaining initial access to corporate networks has been extradited to the United States. The suspect is a 33-year-old foreign man who was arrested in April 2025 in his home in Kyiv at the request of the FBI. He was extradited to the United States yesterday, June 18. In 2023, the Ukrainian cyber police, the National Police, and international law enforcement partners began investigating a ransomware operation whose members carried out attacks on companies in France, Norway, Germany, the Netherlands, Canada, and the USA."
        https://www.bleepingcomputer.com/news/security/ryuk-ransomwares-initial-access-expert-extradited-to-the-us/
        https://therecord.media/alleged-ryuk-member-arrest-ukraine-extradited-us
        https://www.bankinfosecurity.com/ukraine-extradites-suspected-ransomware-group-member-to-us-a-28754
        https://www.infosecurity-magazine.com/news/alleged-ryuk-initial-access-broker/
      • The Hidden AI Threat To Your Software Supply Chain
        "AI-powered coding assistants like GitHub’s Copilot, Cursor AI and ChatGPT have swiftly transitioned from intriguing gadgets to indispensable sidekicks for modern developers. A recent survey by Stack Overflow revealed that over 76% of developers now rely on these assistants, with more than 80% reporting significant productivity improvements by using AI code generators & augmented code editors. These “virtual teammates” simplify complex tasks, streamline development workflows, and significantly accelerate project timelines."
        https://blog.checkpoint.com/research/the-hidden-ai-threat-to-your-software-supply-chain/
      • Security Evolution: From Pothole Repair To Road Building
        "There are three categories of security controls, generally speaking: preventive (stop the adversary), detective (notice the adversary), and corrective (fix what the adversary broke). Implicitly, all three of these assume that the adversary can exploit your environment, and you're trying to defeat them. But why do we assume adversaries have that capability? Because, like an escort mission in a real-time strategy game, we have no control over the actions of the party we're defending. Instead of a courier on a secret mission, it's our business partner, deploying apps at lightning speed to make our businesses successful."
        https://www.darkreading.com/cloud-security/security-evolution-pothole-repair-road-building
      • Why AI Code Assistants Need a Security Reality Check
        "In this Help Net Security interview, Silviu Asandei, Security Specialist and Security Governance at Sonar, discusses how AI code assistants are transforming development workflows and impacting security. He explains how these tools can boost productivity but may also propagate vulnerabilities if not properly reviewed."
        https://www.helpnetsecurity.com/2025/06/19/silviu-asandei-sonar-ai-code-assistants-security/
      • Thieves Don’t Need Your Car Keys, Just a Wireless Signal
        "A recent study by researchers at the University of Padova reveals that despite the rise in car thefts involving Remote Keyless Entry (RKE) systems, the auto industry has made little progress in strengthening security. Since RKE’s introduction in the early 1980s, automakers have worked to improve security by adding features such as immobilizers, which prevent the engine from starting without proper authentication."
        https://www.helpnetsecurity.com/2025/06/19/keyless-car-theft-research/
        https://arxiv.org/pdf/2505.02713
      • 91% Noise: A Look At What’s Wrong With Traditional SAST Tools
        "Traditional static application security testing (SAST) tools are falling short. That’s the key takeaway from a recent report that tested these tools against nearly 3,000 open-source code repositories. The results: more than 91% of flagged vulnerabilities were false positives. The Exorcising the SAST Demons report comes from Ghost Security, which scanned public GitHub projects in Go, Python, and PHP. The study focused on three vulnerability types commonly found in real-world apps: SQL injection, command injection, and arbitrary file upload."
        https://www.helpnetsecurity.com/2025/06/19/traditional-sast-tools/
        https://reports.ghostsecurity.com/cast.pdf
      • How C-Suite Roles Are Shaping The Future Of Tech Leadership
        "As companies accelerate towards technology-driven business models, the tech C-suite is embracing new skills, greater influence, and a unified approach to business transformation, according to Deloitte. With insights from a range of C-level tech leaders, including more than 600 US CIOs, CTOs, CDAOs and CISOs, the Deloitte survey found that evolving roles and responsibilities, the rise of AI, and an imperative for cross-functional collaboration are providing a new platform to expand their influence and impact."
        https://www.helpnetsecurity.com/2025/06/19/deloitte-tech-c-suite-roles/
      • Encryption Backdoors: The Security Practitioners’ View
        "Backdoors don’t just let law enforcement in—they open the door to attackers, insider threats, and broken trust. When government demands something, ‘No’ is not an acceptable response. Government simply waits, rephrases the demand, and then demands again. The debate over law enforcement access to encrypted content is not new – it has been almost continuous since the 1970s. We hear much about the views of government (favorable), vendors (disapproval), and civil liberty groups (total rejection of the idea). But we hear little of the views of the security professionals who are tasked with navigating regulations and maintaining the security of IP, PII, and business continuity."
        https://www.securityweek.com/encryption-backdoors-the-security-practitioners-view/
      • Choosing a Clear Direction In The Face Of Growing Cybersecurity Demands
        "For years, Chief Information Security Officers (CISOs) have faced an uphill battle in securing the resources they need to protect their organizations. Often, security budgets are only increased when a data breach happens or after a significant compliance failure, when the damage has already been done. This approach leaves organizations vulnerable and security leaders struggling to justify proactive investments."
        https://www.securityweek.com/choosing-a-clear-direction-in-the-face-of-growing-cybersecurity-demands/
      • Argentina Uncovers Suspected Russian Spy Ring Behind Disinformation Campaigns
        "Argentina’s intelligence service reportedly has uncovered a group of suspected Russian spies accused of spreading disinformation to promote Moscow's interests in the region. Local media, citing sources at Argentina’s State Intelligence Secretariat (SIDE), reported that Russian citizens collaborated with Argentines to interfere in the country’s domestic affairs through propaganda and disinformation campaigns. The group was allegedly part of an organization called “The Company,” which is reportedly linked to the Kremlin and Project Lakhta — a Russian interference operation targeting citizens in the U.S., Europe and Ukraine."
        https://therecord.media/argentina-russia-spies-disinformation-project-lakhta

      References
      Electronic Transactions Development Agency (ETDA)
