NCSA Webboard

    Cyber Threat Intelligence 23 June 2025

    Cyber Security News
    • NCSA_THAICERT

      Financial Sector

      • Report Warns Of Sophisticated DDoS Campaigns Crippling Global Banks
        "A new joint report released today by FS-ISAC, a non-profit organization focused on financial cybersecurity, and Akamai Technologies, a leading cybersecurity and cloud company, reveals a worrying trend: Distributed Denial-of-Service attacks (DDoS attacks) are increasingly targeting the global financial sector. These attacks aim to overwhelm online services, disrupting customer access and business operations, ultimately eroding trust and impacting profits. The report, shared with Hackread.com, emphasises the growing sophistication and strategic nature of these cyber threats."
        https://hackread.com/sophisticated-ddos-campaigns-crippling-global-banks/
        https://www.fsisac.com/ddos-akamai-2025

      Vulnerabilities

      • Attackers Actively Exploiting Critical Vulnerability In Motors Theme
        "On May 2nd, 2025, we received a submission for a Privilege Escalation vulnerability in Motors, a WordPress theme with more than 22,000 sales. This vulnerability makes it possible for an unauthenticated attacker to change the password of any user, including an administrator, which allows them to take over the account and the website. We originally disclosed this vulnerability on May 19th, 2025 and our records indicate that attackers started exploiting the issue the next day on May 20th, 2025. It appears mass exploitation started on June 7th, 2025. The Wordfence Firewall has already blocked over 23,100 exploit attempts targeting this vulnerability."
        https://www.wordfence.com/blog/2025/06/attackers-actively-exploiting-critical-vulnerability-in-motors-theme/
        https://www.bleepingcomputer.com/news/security/wordpress-motors-theme-flaw-mass-exploited-to-hijack-admin-accounts/
        https://www.securityweek.com/motors-theme-vulnerability-exploited-to-hack-wordpress-websites/

      Malware

      • What’s In An ASP? Creative Phishing Attack On Prominent Academics And Critics Of Russia
        "In cooperation with external partners, Google Threat Intelligence Group (GTIG) observed a Russia state-sponsored cyber threat actor impersonating the U.S. Department of State. From at least April through early June 2025, this actor targeted prominent academics and critics of Russia, often using extensive rapport building and tailored lures to convince the target to set up application specific passwords (ASPs). Once the target shares the ASP passcode, the attackers establish persistent access to the victim’s mailbox. Two distinct campaigns are detailed in this post. This activity aligns with Citizen Lab’s recent research on social engineering attacks against ASPs, another useful resource for high risk users."
        https://cloud.google.com/blog/topics/threat-intelligence/creative-phishing-academics-critics-of-russia?hl=en
        https://www.infosecurity-magazine.com/news/russia-expert-elite-hackers-us/
      • FreeType Zero-Day Found By Meta Exploited In Paragon Spyware Attacks
        "Meta-owned WhatsApp told SecurityWeek that a recent FreeType vulnerability, flagged as potentially exploited at the time of disclosure, has been linked to an exploit of Israeli surveillance solutions provider Paragon. In mid-March, Meta published an advisory on the Facebook security advisories page to inform users about CVE-2025-27363, an out-of-bounds vulnerability in the FreeType open source library that could lead to arbitrary code execution. The advisory said the vulnerability may have been exploited in the wild."
        https://www.securityweek.com/freetype-zero-day-found-by-meta-exploited-in-paragon-spyware-attacks/
      • Defending The Internet: How Cloudflare Blocked a Monumental 7.3 Tbps DDoS Attack
        "In mid-May 2025, Cloudflare blocked the largest DDoS attack ever recorded: a staggering 7.3 terabits per second (Tbps). This comes shortly after the publication of our DDoS threat report for 2025 Q1 on April 27, 2025, where we highlighted attacks reaching 6.5 Tbps and 4.8 billion packets per second (pps). The 7.3 Tbps attack is 12% larger than our previous record and 1 Tbps greater than a recent attack reported by cyber security reporter Brian Krebs at KrebsOnSecurity."
        https://blog.cloudflare.com/defending-the-internet-how-cloudflare-blocked-a-monumental-7-3-tbps-ddos/
        https://thehackernews.com/2025/06/massive-73-tbps-ddos-attack-delivers.html
        https://www.bleepingcomputer.com/news/security/cloudflare-blocks-record-73-tbps-ddos-attack-against-hosting-provider/
        https://securityaffairs.com/179181/hacking/cloudflare-blocked-record-breaking-7-3-tbps-ddos-attack.html
        https://www.securityweek.com/record-breaking-ddos-attack-peaked-at-7-3-tbps/
      • Resurgence Of The Prometei Botnet
        "In March 2025, Unit 42 researchers identified a wave of Prometei attacks. Prometei refers to both the botnet and the malware family used to operate it. This malware family, which includes both Linux and Windows variants, allows attackers to remotely control compromised systems for cryptocurrency mining (particularly Monero) and credential theft. This article focuses on the resurgence of the Linux variant. Prometei is under active development, incorporating new modules and methods into its capabilities. The latest Prometei versions feature a backdoor that enables a variety of malicious activities. Threat actors employ a domain generation algorithm (DGA) for their command-and-control (C2) infrastructure and integrate self-updating features for stealth and evasion."
        https://unit42.paloaltonetworks.com/prometei-botnet-2025-activity/
      • Mocha Manakin Delivers Custom NodeJS Backdoor Via Paste And Run
        "We started tracking Mocha Manakin activity in January 2025, one of several activity clusters we’ve observed leveraging paste and run as the initial access technique. Paste and run (aka Clickfix, fakeCAPTCHA) is an initial access technique that tricks users into executing a script that downloads follow-on payloads from adversary infrastructure. We’ve observed a number of payloads delivered following successful paste and run execution, including LummaC2, HijackLoader, Vidar, and more."
        https://redcanary.com/blog/threat-intelligence/mocha-manakin-nodejs-backdoor/
        https://hackread.com/mocha-manakin-malware-nodeinitrat-via-clickfix-attack/
      • An Investigation Of AWS Credential Exposure Via Overprivileged Containers
        "Kubernetes-based container platforms play a critical role in the cloud for orchestrating and managing containerized applications efficiently and at scale. They automate deployment, scaling, and operations, making them ideal for microservices and various workloads. Among its key benefits include cloud portability, cost efficiency through better resource utility, accelerated development cycles via automation and self-healing, and simplified management of distributed systems, all of which enable resilient and scalable applications."
        https://www.trendmicro.com/en_us/research/25/f/aws-credential-exposure-overprivileged-containers.html
      • Infostealer Disguised As Copyright Infringement Document Distributed In Korea
        "AhnLab SEcurity intelligence Center (ASEC) has confirmed that Infostealer malware disguised as a document containing legal responsibilities and copyright infringement facts is continuously being distributed in Korea. It is mainly distributed through links in email attachments, and the email instructs the recipients to download the evidence related to the copyright infringement."
        https://asec.ahnlab.com/en/88544/
      • BitoPro Exchange Links Lazarus Hackers To $11 Million Crypto Heist
        "The Taiwanese cryptocurrency exchange BitoPro claims the North Korean hacking group Lazarus is behind a cyberattack that led to the theft of $11,000,000 worth of cryptocurrency on May 8, 2025. The company has attributed the attack to Lazarus based on the evidence recovered from its internal investigations. It notes that the attack patterns and methodology closely resemble those used in past cyberattacks. "The attack methodology bears resemblance to patterns observed in multiple past international major incidents, including illicit transfers from global bank SWIFT systems and asset theft incidents from major international cryptocurrency exchanges," reads the announcement."
        https://www.bleepingcomputer.com/news/security/bitopro-exchange-links-lazarus-hackers-to-11-million-crypto-heist/
      • Israel-Iran Conflict Sparks Wider Cyber Conflict, New Malware
        "The Israel-Iran conflict that began with Israeli attacks on Iranian nuclear and military targets on June 13 has sparked a wider cyber conflict in the region, including the launch of new malware campaigns. Cyble threat intelligence researchers documented cyberattacks by 74 hacktivist groups in the Middle East region between June 13 and 17. The vast majority of the hacktivist groups – more than 90% – are considered pro-Iran. Most of the cyberattacks have targeted Israeli organizations. Iran has been a target in several of the cyberattacks, and the regional cyber conflict has also spilled over into Egypt, Jordan, the UAE, Pakistan and Saudi Arabia."
        https://thecyberexpress.com/israel-iran-conflict-hacktivism/
        https://www.bankinfosecurity.com/israel-iran-war-hacktivist-groups-claimed-activity-surges-a-28765
      • The Jitter-Trap: How Randomness Betrays The Evasive
        "Varonis Threat Labs developed Jitter-Trap, a new technique to detect one of the most evasive steps in the cyberattack lifecycle: post-exploitation and C2 communication. Beacons are being used by various threat actors, including state actors and criminal groups, and many of these cases stay undetected. Our analysis demonstrates how patterns of randomness, often employed for evasion, can be leveraged to uncover the presence of such traffic. By focusing on these identifiable patterns, security professionals can enhance their detection capabilities and bolster their defenses against advanced threats."
        https://www.varonis.com/blog/jitter-trap
        https://hackread.com/cyber-detection-hackers-jitter-patterns-against-them/
      • Iran's State TV Hijacked Mid-Broadcast Amid Geopolitical Tensions; $90M Stolen In Crypto Heist
        "Iran's state-owned TV broadcaster was hacked Wednesday night to interrupt regular programming and air videos calling for street protests against the Iranian government, according to multiple reports. It's currently not known who is behind the attack, although Iran pointed fingers at Israel, per Iran International. "If you experience disruptions or irrelevant messages while watching various TV channels, it is due to enemy interference with satellite signals," the broadcaster was quoted as saying."
        https://thehackernews.com/2025/06/irans-state-tv-hijacked-mid-broadcast.html

      Breaches/Hacks/Leaks

      • A Ransomware Attack Pushed The German Napkin Firm Fasana Into Insolvency
        "German napkin maker Fasana filed for insolvency after a major cyberattack on May 19 paralyzed its systems, halting over €250K in orders the next day. The napkin factory is located in Stotzheim, Germany, and has 240 employees. The company was forced to halt production and delay May salaries. The German napkin maker is estimated to have lost €2 million in two weeks following a cyberattack. Now insolvent, it is seeking a new buyer after being acquired in March. The insolvency administrator said the cyberattack left Fasana unable to print delivery notes, completely paralyzing business operations."
        https://securityaffairs.com/179160/security/ransomware-attack-napkin-firm-fasana-insolvency.html
      • Hackers Access Legacy Systems In Oxford City Council Cyberattack
        "Oxford City Council in the United Kingdom (UK) is notifying current and former employees that their personal information was likely compromised in a recent cyberattack. The incident, the council says, occurred over the weekend of June 7 and 8, when it detected suspicious activity within its network. “Our automated security systems kicked in, removed the presence and minimized the access the attackers had to our systems and databases,” the council said in an incident notice."
        https://www.securityweek.com/hackers-access-legacy-systems-in-oxford-city-council-cyberattack/
        https://www.theregister.com/2025/06/20/oxford_city_council_breach/
        https://www.infosecurity-magazine.com/news/personal-data-oxford-council/
        https://www.bleepingcomputer.com/news/security/oxford-city-council-suffers-breach-exposing-two-decades-of-data/
      • Aflac Discloses Breach Amidst Scattered Spider Insurance Attacks
        "On Friday, American insurance giant Aflac disclosed that its systems were breached in a broader campaign targeting insurance companies across the United States by attackers who may have stolen personal and health information. Aflac (short for American Family Life Assurance Company) is the largest supplemental insurance provider in the U.S. and a Fortune 500 company that provides insurance services to millions of customers in the U.S. and Japan. In a press release earlier today, the insurance company added that its network was not affected by ransomware. It is unclear, though, if ransomware was deployed and blocked or if this was just a data theft attack."
        https://www.bleepingcomputer.com/news/security/aflac-discloses-breach-amidst-scattered-spider-insurance-attacks/
        https://therecord.media/aflac-cyberattack-potential-data-breach
        https://www.bankinfosecurity.com/aflac-cybercrime-campaign-targeting-insurance-industry-a-28771
        https://cyberscoop.com/aflac-cyberattack-insurance-sector-scattered-spider/
        https://www.theregister.com/2025/06/20/aflac_scattered_spider/
        https://www.securityweek.com/aflac-finds-suspicious-activity-on-us-network-that-may-impact-social-security-numbers-other-data/
      • Anubis Ransomware Lists Disneyland Paris As New Victim
        "The infamous Anubis ransomware gang has listed Disneyland Paris as its latest victim. Hackread.com can confirm that the group posted details of the alleged breach on its dark web leak site, stating that the stolen data archive totals 64GB. Anubis is a ransomware-as-a-service (RaaS) operation that surfaced in December 2024, evolving from an earlier test version named “Sphinx.” It has no connection to the Android banking trojan or Python backdoor that share the same name."
        https://hackread.com/anubis-ransomware-lists-disneyland-paris-new-victim/
      • Tonga Ministry Of Health Hit With Cyberattack Affecting Website, IT Systems
        "Tonga’s top health official warned the island country’s residents that a ransomware attack has taken down its National Health Information System. The Ministry of Health published statements on Wednesday explaining that it is dealing with a cyberattack on its IT systems affecting the organization’s website and other tools. Minister of Health Ana ‘Akau’ola then told parliament on Thursday that an unnamed ransomware gang attacked the National Health Information System, demanding millions in ransom to restore the system."
        https://therecord.media/tonga-ministry-of-health-hit-with-cyberattack
      • Russian Dairy Supply Disrupted By Cyberattack On Animal Certification System
        "Russian dairy producers have reported supply disruptions following a cyberattack on the country’s digital system for certifying animal-based products. The Mercury platform, part of Russia’s Federal State Information System for Veterinary Surveillance (VetIS), was taken offline earlier this week due to the attack — the third such incident this year and the most severe to date, according to local media reports."
        https://therecord.media/russia-dairy-supply-disrupted-cyberattack
      • CoinMarketCap Briefly Hacked To Drain Crypto Wallets Via Fake Web3 Popup
        "CoinMarketCap, the popular cryptocurrency price tracking site, suffered a website supply chain attack that exposed site visitors to a wallet drainer campaign to steal visitors' crypto. On Friday evening, January 20, CoinMarketCap visitors began seeing Web3 popups asking them to connect their wallets to the site. However, when visitors connected their wallets, a malicious script drained cryptocurrency from them. The company later confirmed threat actors utilized a vulnerability in the site's homepage "doodle" image to inject malicious JavaScript into the site."
        https://www.bleepingcomputer.com/news/security/coinmarketcap-briefly-hacked-to-drain-crypto-wallets-via-fake-web3-popup/
        https://hackread.com/scammers-inferno-drainer-crypto-coinmarketcap-users/

      General News

      • Strategies To Secure Long-Life IoT Devices
        "In this Help Net Security interview, Rob ter Linden, CISO at Signify, discusses priorities for CISOs working on IoT security, including the need for compliant infrastructure, easy device management, and preparing for future tech like quantum computing and AI. He also covers challenges with IoT visibility, security, and new regulations."
        https://www.helpnetsecurity.com/2025/06/20/rob-ter-linden-signify-iot-devices-network-security/
      • CISOs Flag Gaps In GenAI Strategy, Skills, And Infrastructure
        "95% of C-suite leaders say that GenAI is driving a new level of innovation in their organizations, according to NTT DATA. While CEOs and business leaders are committed to GenAI adoption, CISOs and operational leaders lack the necessary guidance, clarity and resources to address security risks and infrastructure challenges associated with deployment."
        https://www.helpnetsecurity.com/2025/06/20/cisos-genai-adoption/
      • Who’s Guarding The AI? Even Security Teams Are Bypassing Oversight
        "Even security teams, the ones responsible for protecting the business, are adding to AI-related risk. A new survey by AI security company Mindgard, based on responses from over 500 cybersecurity professionals at RSAC 2025 Conference and Infosecurity Europe 2025, found that many security staff are using AI tools on the job without approval. This growing use of unapproved AI, often called shadow AI, is becoming a major blind spot inside the teams tasked with defending the organization. Similar to shadow IT, this kind of unofficial use goes around standard security checks. But the risks are higher with AI. These tools can process sensitive code, internal documents, and customer data, increasing the chances of leaks, privacy issues, and compliance violations."
        https://www.helpnetsecurity.com/2025/06/20/shadow-ai-risk-security-teams/
      • AI Index 2025: What’s Changing And Why It Matters
        "Stanford recently released its AI Index 2025, and it’s packed with insights on how AI is changing. For CISOs, it’s a solid check-in on where things stand. It covers what the tech can do now, how governments are responding, and where public opinion is heading. Here’s what’s worth knowing."
        https://www.helpnetsecurity.com/2025/06/20/ai-index-2025/
      • How Cyber Warfare Changes The Face Of Geopolitical Conflict
        "When Israeli hackers deleted data from Iran's state-owned Bank Sepah, disrupting financial services, the act represented another escalation of the use of cyberattacks during geopolitical conflicts, the largest since Russia downed the Viasat communications system during its initial invasion of Ukraine. The Israeli cyberattackers did not stop there: A second compromise, this time of Iran-based cryptocurrency exchange Nobitex, resulted in nearly $82 million in lost digital assets, according to a post on X by the hacktivist group Gonjeske Darande, or "Predatory Sparrow." For its part, more than 35 Iran-aligned hacktivists and state-sponsored actors had launched a coordinated attack against Israel's infrastructure, including distributed denial-of-service attacks and defacements."
        https://www.darkreading.com/cyberattacks-data-breaches/cyberwarfare-changes-geopolitical-conflict
      • How To Lock Down The No-Code Supply Chain Attack Surface
        "Modern enterprise software development increasingly relies on a vast and complex supply chain of third-party components, integrations, and frameworks. No-code development platforms are no exception, since their marketplaces aggregate a multitude of external connectors, APIs, and automation tools, often with limited security oversight."
        https://www.darkreading.com/cyberattacks-data-breaches/how-lock-down-no-code-supply-chain-attack-surface
      • Scattered Spider Behind Cyberattacks On M&S And Co-Op, Causing Up To $592M In Damages
        "The April 2025 cyber attacks targeting U.K. retailers Marks & Spencer and Co-op have been classified as a "single combined cyber event." That's according to an assessment from the Cyber Monitoring Centre (CMC), a U.K.-based independent, non-profit body set up by the insurance industry to categorize major cyber events. "Given that one threat actor claimed responsibility for both M&S and Co-op, the close timing, and the similar tactics, techniques, and procedures (TTPs), CMC has assessed the incidents as a single combined cyber event," the CMC said."
        https://thehackernews.com/2025/06/scattered-spider-behind-cyberattacks-on.html
        https://cybermonitoringcentre.com/2025/06/20/cyber-monitoring-centre-statement-on-ransomware-incidents-in-the-retail-sector-june-2025/
        https://www.infosecurity-magazine.com/news/ms-coop-hacks-single-event/
      • LLMs Gone Bad: The Dark Side Of Generative AI
        "Artificial intelligence (AI) has arrived. According to a recent Deloitte report, 78% of companies plan to increase their AI spending this year, with 74% saying that generative AI (GenAI) initiatives have met or exceeded expectations. Accessibility is the cornerstone of AI success. Large or small, digitally native or brick-and-mortar, any business can benefit from intelligent tools. But this accessibility isn't inherently ethical. Malicious actors are experiencing similar success with AI, using large language models (LLMs) to create and power new attack vectors."
        https://blog.barracuda.com/2025/06/20/llms-gone-bad-dark-side-generative-ai

      Reference
      Electronic Transactions Development Agency (ETDA)
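      The Jitter-Trap item under Malware above describes turning a beacon's own randomness against it: a sleep interval with jitter produces inter-arrival times that stay inside a bounded band and fill that band evenly, whereas human or batch traffic is bursty and heavy-tailed. The following is an added illustration of that idea written for this digest; it is not Varonis' Jitter-Trap code and does not reproduce their thresholds. It assumes a simple constructed connection log of the form `ISO-8601 timestamp, source, destination:port` (one line per connection) and uses illustrative cut-offs (at least 8 deltas, a band no wider than the median, a 4-bin histogram whose fullest bin holds at most 3x the emptiest); the sample traffic is synthetic, not captured data.

```python
"""Jitter-based beacon detection over a connection log (added example)."""
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

MIN_SAMPLES = 8      # fewer inter-arrival deltas than this is not enough to judge
MAX_SPREAD = 1.0     # (max - min) / median; +/-50 % jitter gives 1.0, humans far exceed it
BINS = 4             # histogram bins across [min, max] for the flatness check
MAX_BIN_RATIO = 3.0  # fullest / emptiest bin; uniformly drawn jitter keeps this small


def parse_log(lines):
    """Parse constructed 'ISO8601 src dst:port' lines into {(src, dst): [epoch, ...]}."""
    flows = defaultdict(list)
    for line in lines:
        ts, src, dst = line.split()
        epoch = datetime.fromisoformat(ts.replace("Z", "+00:00")).timestamp()
        flows[(src, dst)].append(epoch)
    return {pair: sorted(stamps) for pair, stamps in flows.items()}


def inter_arrivals(timestamps):
    """Seconds between consecutive connections of one (src, dst) pair."""
    return [b - a for a, b in zip(timestamps, timestamps[1:])]


def classify(deltas):
    """Return 'fixed', 'jittered' or None for a list of inter-arrival deltas."""
    if len(deltas) < MIN_SAMPLES:
        return None
    lo, hi = min(deltas), max(deltas)
    med = statistics.median(deltas)
    if med <= 0:
        return None
    if hi - lo < 1e-3:
        return "fixed"          # metronome beacon: every delta identical
    if (hi - lo) / med > MAX_SPREAD:
        return None             # band too wide: bursty human or batch traffic
    # Flatness check: evasive jitter is drawn uniformly, so the band fills evenly.
    width = (hi - lo) / BINS
    counts = [0] * BINS
    for d in deltas:
        counts[min(int((d - lo) / width), BINS - 1)] += 1
    if min(counts) == 0 or max(counts) / min(counts) > MAX_BIN_RATIO:
        return None
    return "jittered"


def find_beacons(lines):
    """Map each (src, dst) pair to its verdict; benign-looking pairs are omitted."""
    verdicts = {}
    for pair, stamps in parse_log(lines).items():
        verdict = classify(inter_arrivals(stamps))
        if verdict:
            verdicts[pair] = verdict
    return verdicts


def build_log(src, dst, deltas, start="2025-06-23T08:00:00Z"):
    """Constructed log lines: one connection at `start`, then one per delta."""
    t = datetime.fromisoformat(start.replace("Z", "+00:00"))
    lines = [f"{t.isoformat().replace('+00:00', 'Z')} {src} {dst}"]
    for d in deltas:
        t += timedelta(seconds=d)
        lines.append(f"{t.isoformat().replace('+00:00', 'Z')} {src} {dst}")
    return lines


# Constructed sample traffic (synthetic, not captured data).
JITTERED = [52, 71, 44, 66, 58, 77, 49, 63, 70, 45, 55, 74]  # ~60 s sleep, +/-30 % jitter
FIXED = [30] * 10                                            # plain 30 s heartbeat
HUMAN = [0.4, 0.2, 1.1, 900, 0.3, 0.5, 2.0, 1800, 0.6, 0.3, 3600, 0.9]  # bursts and idle gaps
SHORT = [60, 58, 62]                                         # too few samples to judge

SAMPLE_LOG = (
    build_log("10.0.0.5", "203.0.113.10:443", JITTERED)
    + build_log("10.0.0.7", "198.51.100.20:8443", FIXED)
    + build_log("10.0.0.9", "192.0.2.30:443", HUMAN)
    + build_log("10.0.0.11", "192.0.2.31:443", SHORT)
)

if __name__ == "__main__":
    for (src, dst), verdict in sorted(find_beacons(SAMPLE_LOG).items()):
        print(f"{src} -> {dst}: {verdict} beacon")
```

      Run as a script it reports the jittered 60 s beacon and the fixed 30 s heartbeat and stays quiet on the bursty session and the pair with too few connections. The flatness check is what distinguishes this from classic fixed-interval beacon hunting: a scheduled job with small organic variance clusters near one value and fails the even-fill test, while a sleep drawn uniformly from a jitter range populates every bin. In production the thresholds need tuning per environment and should be combined with destination reputation and process context, since the statistics alone will also match some legitimate pollers.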
