NCSA Webboard

    Cyber Threat Intelligence 25 June 2025

    Cyber Security News
    • NCSA_THAICERT

      Industrial Sector

      • CISA Releases Eight Industrial Control Systems Advisories
        "CISA released eight Industrial Control Systems (ICS) advisories on June 24, 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.
        ICSA-25-175-01 Kaleris Navis N4 Terminal Operating System
        ICSA-25-175-02 Delta Electronics CNCSoft
        ICSA-25-175-03 Schneider Electric Modicon Controllers
        ICSA-25-175-04 Schneider Electric EVLink WallBox
        ICSA-25-175-05 ControlID iDSecure On-Premises
        ICSA-25-175-06 Parsons AccuWeather Widget
        ICSA-25-175-07 MICROSENS NMP Web+"
        https://www.cisa.gov/news-events/alerts/2025/06/24/cisa-releases-eight-industrial-control-systems-advisories
      • Siemens Notifies Customers Of Microsoft Defender Antivirus Issue
        "Siemens informed customers on Tuesday that it’s working with Microsoft to address an issue related to Microsoft Defender Antivirus (MDAV) and Simatic PCS products. According to the advisory published by the industrial giant, the problem is that Defender Antivirus currently does not provide ‘alert only’ functionality. Siemens’ documentation for Simatic PCS 7 and PCS Neo process control systems describes Microsoft Defender Antivirus configurations for specifying threat alert levels at which no default action is taken when a threat is detected."
        https://www.securityweek.com/siemens-notifies-customers-of-microsoft-defender-antivirus-issue/
        https://cert-portal.siemens.com/productcert/html/ssb-295699.html

      New Tooling

      • Reconmap: Open-Source Vulnerability Assessment, Pentesting Management Platform
        "Reconmap is an open source tool for vulnerability assessments and penetration testing. It helps security teams plan, carry out, and report on security tests from start to finish. The platform simplifies tasks and makes it easier for teams to work together, cutting down the time it takes to go from initial research to the final report without sacrificing the quality of the work."
        https://www.helpnetsecurity.com/2025/06/24/reconmap-open-source-vulnerability-assessment-pentesting-management-platform/
        https://github.com/reconmap/reconmap

      Vulnerabilities

      • RARLAB WinRAR Directory Traversal Remote Code Execution Vulnerability
        "This vulnerability allows remote attackers to execute arbitrary code on affected installations of RARLAB WinRAR. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of file paths within archive files. A crafted file path can cause the process to traverse to unintended directories. An attacker can leverage this vulnerability to execute code in the context of the current user."
        https://www.zerodayinitiative.com/advisories/ZDI-25-409/
        https://www.helpnetsecurity.com/2025/06/24/high-risk-winrar-rce-flaw-patched-update-quickly-cve-2025-6218/
      • Why a Classic MCP Server Vulnerability Can Undermine Your Entire AI Agent
        "Trend™ Research uncovered a simple but dangerous flaw: a classic SQL injection (SQLi) vulnerability in Anthropic’s reference SQLite Model Context Protocol (MCP) server implementation. Although the GitHub repository was already archived on May 29, 2025, it had already been forked or copied more than 5000 times. It is important to note that the code is clearly advertised as a reference implementation and not intended for production use. Vulnerable code allows potential attackers to run unauthorized commands, inject malicious prompts, steal data, and hijack AI agent workflows. In this blog entry, we examine where the flaw resides, its impact, and how it can be mitigated."
        https://www.trendmicro.com/en_us/research/25/f/why-a-classic-mcp-server-vulnerability-can-undermine-your-entire-ai-agent.html

      Malware

      • Threat Actors Modify And Re-Create Commercial Software To Steal Users’ Information
        "In collaboration with Microsoft Threat Intelligence (MSTIC), SonicWall has identified a deceptive campaign to distribute a hacked and modified version of SonicWall’s SSL VPN NetExtender application that closely resembles the official SonicWall NetExtender software. NetExtender enables remote users to securely connect and run applications on the company network. Users can upload and download files, access network drives, and use other resources as if they were on the local network. Security solutions from SonicWall (GAV: Fake-NetExtender [Trojan]) and Microsoft (TrojanSpy:Win32/SilentRoute.A) will flag the installer as malicious and enable proactive defenses."
        https://www.sonicwall.com/blog/threat-actors-modify-and-re-create-commercial-software-to-steal-users-information
        https://www.bleepingcomputer.com/news/security/sonicwall-warns-of-trojanized-netextender-stealing-vpn-logins/
        https://www.darkreading.com/identity-access-management-security/threat-actor-trojanizes-sonicwall-netextender-vpn
        https://www.helpnetsecurity.com/2025/06/24/trojanized-sonicwall-netextender-app-exfiltrates-vpn-credentials/
        https://www.theregister.com/2025/06/24/unknown_crims_using_hacked_sonicwall/
      • Trezor’s Support Platform Abused In Crypto Theft Phishing Attacks
        "Trezor is alerting users about a phishing campaign that abuses its automated support system to send deceptive emails from its official platform. The company's support site allows anyone to open a ticket using any email address and subject line. The system then replies automatically, sending a case number and using the submitted ticket title as the email subject. Attackers abuse this feature by submitting tickets with titles containing urgent phishing messages, such as "[URGENT]: vault.trezor.guide - Create a Trezor Vault now in order to secure assets who may potentially be at risk.""
        https://www.bleepingcomputer.com/news/security/trezors-support-platform-abused-in-crypto-theft-phishing-attacks/
      • FileFix - A ClickFix Alternative
        "Over the past few weeks, I’ve been working on the upcoming update for the Offensive Phishing Operations Course. The update contains some modules related to ClickFix attack, which prompted me to dive deeper into the social engineering technique. If you’ve been living under a rock for the past year, ClickFix is a social engineering attack that prompts users to unknowingly execute malicious code, usually through the Run Dialog (Windows Key + R). The simplicity of this technique makes it funny, yet it’s been effective. I had written a blog post in mid-2022 about social engineering that mentioned initial access through copy-pasting malicious commands into the Run Dialog but ended up deleting it because I thought it was far too basic and impractical. I admit I was wrong."
        https://mrd0x.com/filefix-clickfix-alternative/
        https://www.bleepingcomputer.com/news/security/filefix-attack-weaponizes-windows-file-explorer-for-stealthy-powershell-commands/
      • ConnectUnwise: Threat Actors Abuse ConnectWise As Builder For Signed Malware
        "Since March 2025 there has been a noticeable increase in infections and fake applications using validly signed ConnectWise samples. We reveal how bad signing practices allow threat actors to abuse this legitimate software to build and distribute their own signed malware and what security vendors can do to detect them."
        https://www.gdatasoftware.com/blog/2025/06/38218-connectwise-abuse-malware
        https://www.bankinfosecurity.com/attackers-wield-signed-connectwise-installers-as-malware-a-28799
      • Hacktivists Launch DDoS Attacks At U.S. Following Iran Bombings
        "The U.S. has become a target in the hacktivist attacks that have embroiled several Middle Eastern countries since the start of the Israel-Iran conflict. Several hacktivist groups have claimed DDoS attacks against U.S. targets in the wake of U.S. airstrikes on Iranian nuclear sites on June 21. The attacks—most notably from hacktivist groups Mr Hamza, Team 313, Cyber Jihad, and Keymous+—targeted U.S. Air Force domains, major U.S. Aerospace and defense companies, and several banks and financial services companies."
        https://cyble.com/blog/hacktivists-launch-ddos-attacks-at-us-iran-bombings/
      • Dissecting a Malicious Havoc Sample
        "This analysis is a follow-up to the investigation titled ‘Intrusion into Middle East Critical National Infrastructure’ (full report here), led by the FortiGuard Incident Response Team (FGIR), which investigated a long-term cyber intrusion targeting critical national infrastructure (CNI) in the Middle East. That report revealed that the attacker added several pieces of malware to the system’s Task Scheduler to maintain persistence. In this report, we conduct a detailed analysis of one of the malicious Havoc variant samples."
        https://www.fortinet.com/blog/threat-research/dissecting-a-malicious-havoc-sample
      • Androxgh0st Continues Exploitation: Operators Compromise a US University For Hosting C2 Logger
        "CloudSEK’s recent investigation reveals that the Androxgh0st botnet has evolved significantly since its early activity in 2023, leveraging a wide range of Initial Access Vectors (IAVs). Misconfigured/vulnerable servers linked to academic institutions and public domains, such as University of California, San Diego's “USArhythms” subdomain, were found hosting command-and-control (C2) logger panels. The botnet exploits popular platforms (e.g., Apache Shiro, Spring framework, WordPress) and IoT devices (Lantronix), enabling remote code execution, sensitive data theft, and cryptomining. Evidence from the C2 logs highlights exploitation attempts using a plethora of command injection techniques. Webshells planted on compromised infrastructure facilitate persistent access and further payload deployment."
        https://www.cloudsek.com/blog/androxgh0st-continues-exploitation-operators-compromise-a-us-university-for-hosting-c2-logger
        https://hackread.com/androxgh0st-botnet-expand-exploit-us-university-servers/
      • Black Hat SEO Poisoning Search Engine Results For AI To Distribute Malware
        "Zscaler ThreatLabz researchers recently uncovered AI-themed websites designed to spread malware. The threat actors behind these attacks are exploiting the popularity of AI tools like ChatGPT and Luma AI. These websites are utilizing platforms such as WordPress and are designed to poison search engine rankings and increase the probability of unsuspecting users landing on these webpages."
        https://www.zscaler.com/blogs/security-research/black-hat-seo-poisoning-search-engine-results-ai-distribute-malware
      • Cryptominers’ Anatomy: Shutting Down Mining Botnets
        "Welcome to the final installment of our Cryptominers’ Anatomy blog series: In our first post, we discussed cryptocurrencies' fundamentals, their various attributes, and what makes some of them more attractive than others to threat actors. In the second part, we analyzed various cryptomining samples that we found abusing different mining topologies. In this third and final blog post in the series, we will explore two novel proactive techniques that can be used to defeat cryptominers."
        https://www.akamai.com/blog/security-research/cryptominers-anatomy-shutting-down-mining-botnets
        https://thehackernews.com/2025/06/researchers-find-way-to-shut-down.html
      • Cybercriminals Abuse Open-Source Tools To Target Africa’s Financial Sector
        "Unit 42 researchers have been monitoring a series of attacks targeting financial organizations across Africa. We assess that the threat actor may be gaining initial access to these financial institutions and then selling it to others on the dark web. Since at least July 2023, a cluster of activity we track as CL-CRI-1014 has targeted this sector. The attackers employ a consistent playbook, using a combination of open-source and publicly available tools to establish their attack framework. They also create tunnels for network communication and perform remote administration."
        https://unit42.paloaltonetworks.com/cybercriminals-attack-financial-sector-across-africa/
      • A Deep Dive Into a Modular Malware Family
        "The Wordfence Threat Intelligence Team recently identified an interesting malware family on May 16, 2025 during a site clean. This malware family shared a codebase but varied in features across different versions, including credit card skimming and WordPress credential theft. Most surprisingly, one variant incorporated a live backend system hosted directly on infected websites for attacker use – a previously unseen method – packaged and disguised as a rogue WordPress plugin. Further research uncovered evidence of this campaign in our Threat Intelligence platform dating back to September 2023, indicating a prolonged operation targeting multiple entities. Analysis of the malware’s growing codebase of more than 20 samples provided unique insights into the evolution of this framework."
        https://www.wordfence.com/blog/2025/06/a-deep-dive-into-a-modular-malware-family/
        https://www.infosecurity-magazine.com/news/rogue-wordpress-plugin-skim-credit/

      General News

      • Middle East Cyber Escalation: From Hacktivism To Sophisticated Threat Operations
        "In light of the ongoing escalation in the Middle East, Group-IB Threat Intelligence unit has been closely monitoring cyber activity across the full spectrum of threat actors involved in the conflict—ranging from state-nexus operations to hacktivist networks. While hacktivist groups have generated significant noise through perception warfare and harassment campaigns, the first week of intensified hostilities has also revealed the presence of more sophisticated cyber operations with direct operational impact. These include electronic warfare activities such as GPS spoofing affecting regional navigation systems, the exploitation of internet-connected cameras for intelligence gathering, and the manipulation of emergency alert systems aimed at endangering civilians."
        https://www.group-ib.com/blog/middle-east-cyber-escalation/
      • Why Work-Life Balance In Cybersecurity Must Start With Executive Support
        "In this Help Net Security interview, Stacy Wallace, CISO at Arizona Department of Revenue, talks about the realities of work-life balance in cybersecurity leadership. She shares how her team handles constant pressure, sets boundaries, and deals with stress. Wallace also gives practical advice for those looking to build a lasting career in cybersecurity."
        https://www.helpnetsecurity.com/2025/06/24/stacy-wallace-arizona-department-of-revenue-cybersecurity-work-life-balance/
      • Cyber Intel Pros And Hobbyists Can Now Report Threats Anonymously
        "Imagine a world in which any cybersecurity professional, or even a cyber hobbyist or whistleblower, could report a new cluster of malicious cyber activity anonymously, without having to go through lengthy and formal cyber reporting disclosure processes. This is the mission that a group of European-based cybersecurity practitioners is trying to achieve with Draugnet, a new anonymous threat reporting platform built on Malware Information Sharing Platform (MISP), an open-source cyber threat intelligence (CTI) sharing platform. Trey Darley, a senior security manager at Accenture Belgium, and Alexandre Dulaunoy, the head of the Computer Incident Response Center Luxembourg (CIRCL), will launch and demonstrate Draugnet during FIRSTCON in Copenhagen on June 24."
        https://www.infosecurity-magazine.com/news/cyber-intel-report-threats/
      • Revenge, Fame, And Fun: The Motives Behind Modern Cyberattacks
        "Ever wondered what really drives today's cyberattacks? It's not always just about stealing data or demanding a ransom. Motives can vary widely depending on the attacker, their intent, and their capabilities. In the most simple terms, a cyberattack is a malicious intent to access, steal, expose, or destroy data and systems without authorized access. Every attack typically involves a motive or goal, a method of execution, and a vulnerability that's exploited to achieve the intended outcome. The motive or intent is where it all starts. It's what drives an attack from beginning to end. But not all motives are the same. Let's take a look at some common motives and the types of individuals and groups who act on them."
        https://www.tripwire.com/state-of-security/revenge-fame-and-fun-motives-behind-modern-cyberattacks
      • Lessons From Helsinki: NCSC-FI's Role In Mitigating a Major Data Breach
        "A 2024 data breach affecting Helsinki, Finland’s capital and largest employer, which exposed sensitive personal data of over 300,000 people, offers valuable lessons for cybersecurity professionals. The incident was the subject of a year-long investigation by the Safety Investigation Authority of Finland (SIAF/OTKES), which published its technical report on June 17, 2025. Matias Mesia, a senior specialist at Finland’s National Cyber Security Centre (NCSC-FI), led the agency’s task force that helped Helsinki recover from the breach."
        https://www.infosecurity-magazine.com/news/helsinki-ncscfi-major-data-breach/
      • Half Of Security Pros Want GenAI Deployment Pause
        "Around half (48%) of security professionals believe a “strategic pause” in generative AI deployment is needed to recalibrate defenses, according to a new report by offensive security firm Cobalt. Most (94%) of security leaders and practitioners surveyed said they have observed a significant increase in the adoption of genAI within their industry over the past 12 months. Worryingly, 36% of respondents admitted that the rate of genAI deployment is moving faster than their teams are able to manage."
        https://www.infosecurity-magazine.com/news/half-security-pros-genai-pause/
        https://resource.cobalt.io/state-of-llm-security
      • Reported Impersonation Scams Surge 148% As AI Takes Hold
        "The volume of impersonation scams has soared 148% year-on-year (YoY) thanks in part to AI tools making life easier for cybercriminals, according to the Identity Theft Resource Center (ITRC). The US non-profit’s new 2025 Trends in Identity Report is based on analysis of identity crimes (compromise, theft and misuse) reported to it by victims from April 1 2024 to March 31 2025. Overall, the number of these reports actually fell by 31 percentage points over the previous year, although the number of victims reporting multiple incidents increased from 15% to 24% over the same period."
        https://www.infosecurity-magazine.com/news/reported-impersonation-scams-surge/
      • Identity Is The New Perimeter: Why Proofing And Verification Are Business Imperatives
        "Digital transformation has unlocked new opportunities – not just for innovation and growth, but also for cybercriminals seeking to exploit personal and sensitive information. According to the Future of Global Identity Verification report (PDF), more than two-thirds (69%) of organizations have experienced an increase in fraud attempts. Among companies with over 5,000 employees, the average annual direct cost of identity fraud is $13 million. That figure rises sharply with organizational size; for enterprises with more than 10,000 employees, 20% report annual direct and indirect identity fraud costs exceeding $50 million."
        https://www.securityweek.com/identity-is-the-new-perimeter-why-proofing-and-verification-are-business-imperatives/
      • New Report: Major Developments And Trends On Terrorism In Europe In 2024
        "A total of 58 terrorist attacks were reported by 14 EU Member States in 2024. Of these, 34 were completed, 5 were failed and 19 were foiled. Overall, 449 individuals were arrested for terrorism-related offences across 20 Member States. These numbers are sourced from Europol’s European Union Terrorism Situation and Trend Report 2025 (TE-SAT), published today. This flagship report – the only one of its kind in Europe – describes the major developments and trends in the terrorism landscape in the EU in 2024, based on qualitative and quantitative information provided by EU Member States and other Europol partners."
        https://www.europol.europa.eu/media-press/newsroom/news/new-report-major-developments-and-trends-terrorism-in-europe-in-2024
        https://www.europol.europa.eu/publication-events/main-reports/european-union-terrorism-situation-and-trend-report-2025-eu-te-sat
        https://www.europol.europa.eu/cms/sites/default/files/documents/EU_TE-SAT_2025.pdf
      • Trusting The Tech: Using Password Managers And Passkeys To Help You Stay Secure Online
        "In today’s digital age, trust is the new currency. We entrust our devices with everything – our communications, our identities, our finances, and even our memories. But when it comes to online security, many of us hesitate, and ask: Should I really save my password in my browser? Is a password manager actually safe? What is a passkey? These are all valid questions. And the short answer is: Yes, you can trust the tech – but it’s important to understand what choices you’re making."
        https://www.ncsc.gov.uk/blog-post/trust-the-tech-using-password-managers-passkeys-to-help-you-stay-secure-online

      Reference
      Electronic Transactions Development Agency (ETDA)
