NCSA Webboard

    Cyber Threat Intelligence 07 July 2025

    • NCSA_THAICERT

      Industrial Sector

      • Exposed And Unaware? Smart Buildings Need Smarter Risk Controls
        "75% of organizations have building management systems (BMS) affected by known exploited vulnerabilities (KEVs), according to Claroty. Digging deeper into the KEV-affected organizations, 51% are affected by KEVs that are also linked to ransomware and are insecurely connected to the internet. Within those organizations, 2% of devices contain the same level of risk, meaning that devices essential to business operations are operating at the highest level of risk exposure. This combination of risk factors raises alarms given the widespread reliance on BMS in commercial real estate, retail, hospitality, and data center facilities to operate systems like HVAC, lighting, energy, elevators, security, and more."
        https://www.helpnetsecurity.com/2025/07/04/building-management-systems-bms-risk/

      Malware

      • NTLM Relay Attacks Are Back From The Dead
        "NTLM relay attacks are the easiest way for an attacker to compromise domain-joined hosts. While many security practitioners think NTLM relay is a solved problem, it is not – and, in fact, it may be getting worse. Anecdotally, they are used in most attacks seen by my employer’s consulting arm and have gotten much more common in the last few years. With most environments vulnerable, NTLM sets the stage for lateral movement and privilege escalation. These attacks originate from Authenticated Users and can often reach Tier Zero, resulting in a large exposure and a critical impact."
        https://www.helpnetsecurity.com/2025/07/04/ntlm-relay-attacks/
      • Exploiting Trust: How Signed Drivers Fuel Modern Kernel Level Attacks On Windows
        "Kernel-level malware, which operates in Windows’ ring 0, remains one of the most potent tools for cybercriminals. With access to the core of the operating system, attackers can disable defenses, maintain persistence, and remain hidden. Despite Microsoft’s evolving security mechanisms, attackers continue to adapt, leveraging signed drivers and underground services to bypass these protections. This blog delves into how attackers leverage Windows kernel loaders and abuse digitally signed drivers to gain privileged access, disable security tools, and stealthily maintain control—bypassing traditional defenses and enabling advanced threat operations."
        https://www.group-ib.com/blog/kernel-driver-threats/
      • NightEagle APT Exploits Microsoft Exchange Flaw To Target China's Military And Tech Sectors
        "Cybersecurity researchers have shed light on a previously undocumented threat actor called NightEagle (aka APT-Q-95) that has been observed targeting Microsoft Exchange servers as a part of a zero-day exploit chain designed to target government, defense, and technology sectors in China. According to QiAnXin's RedDrip Team, the threat actor has been active since 2023 and has switched network infrastructure at an extremely fast rate. The findings were presented at CYDES 2025, the third edition of Malaysia's National Cyber Defence & Security Exhibition and Conference held between July 1 and 3, 2025."
        https://thehackernews.com/2025/07/nighteagle-apt-exploits-microsoft.html
        https://github.com/RedDrip7/NightEagle_Disclose
      • Exposed JDWP Exploited In The Wild: What Happens When Debug Ports Are Left Open
        "During routine monitoring, the Wiz Research Team observed an exploitation attempt targeting one of our honeypot servers running TeamCity, a popular CI/CD tool. Our investigation determined that the attacker had gained remote code execution by abusing an exposed Java Debug Wire Protocol (JDWP) interface, ultimately deploying a cryptomining payload and setting up multiple persistence mechanisms."
        https://www.wiz.io/blog/exposed-jdwp-exploited-in-the-wild
        https://thehackernews.com/2025/07/alert-exposed-jdwp-interfaces-lead-to.html

      Breaches/Hacks/Leaks

      • Hacker Leaks Telefónica Data Allegedly Stolen In a New Breach
        "A hacker is threatening to leak 106GB of data allegedly stolen from Spanish telecommunications company Telefónica in a breach that the company did not acknowledge. The threat actor has leaked a 2.6GB archive that unpacks into five gigabytes of data with a little over 20,000 files to prove that the breach occurred."
        https://www.bleepingcomputer.com/news/security/hacker-leaks-telef-nica-data-allegedly-stolen-in-a-new-breach/
      • Ingram Micro Outage Caused By SafePay Ransomware Attack
        "An ongoing outage at IT giant Ingram Micro is caused by a SafePay ransomware attack that led to the shutdown of internal systems, BleepingComputer has learned. Ingram Micro is one of the world's largest business-to-business technology distributors and service providers, offering a range of solutions including hardware, software, cloud services, logistics, and training to resellers and managed service providers worldwide. Since Thursday, Ingram Micro's website and online ordering systems have been down, with the company not disclosing the cause of the issues."
        https://www.bleepingcomputer.com/news/security/ingram-micro-outage-caused-by-safepay-ransomware-attack/
        https://www.theregister.com/2025/07/06/ingram_micro_confirms_ransomware_behind/

      General News

      • Africa’s Cybersecurity Crisis And The Push To Mobilizing Communities To Safeguard a Digital Future
        "While Africa hosts some of the fastest-growing digital economies globally, it also faces persistent challenges in cybersecurity preparedness. Many organizations and individuals remain unaware of the risks they face online. Phishing schemes and social engineering tactics continue to succeed at alarming rates, often due to limited awareness of basic digital hygiene practices. Compounding the threat is a severe shortage of trained professionals. Africa has a small share of certified professionals, fewer than 25,000 across a population of 1.4 billion. This shortage leaves both public and private sectors exposed, with limited capacity to detect, prevent, or respond to attacks."
        https://www.helpnetsecurity.com/2025/07/04/africa-cybersecurity-crisis/
      • Internet Outages Are Costing Companies Millions Every Month
        "To ensure resilience across the internet stack, organizations need to protect and manage four key areas: reachability, availability, reliability, and performance, according to Catchpoint. 51% report monthly losses of over $1 million due to internet outages or degradations, up from 43% in 2024. And 1 in 8 now lose over $10 million each month, a noticeable rise since last year."
        https://www.helpnetsecurity.com/2025/07/04/internet-stack-resilience/
      • AI Dilemma: Emerging Tech As Cyber Risk Escalates
        "AI is fundamentally transforming the modern world. It offers previously out-of-reach opportunities for business leaders to anticipate market trends and make better decisions. For organisations to intelligently automate mundane processes and free talent to work on higher value work. And for companies to reach customers in highly personalised ways, with innovative new products and services. It is also helping network defenders to get on the front foot against their adversaries in new ways—by seeing more and acting faster to neutralise threats and fill security gaps before they can be exploited."
        https://www.trendmicro.com/en_us/research/25/g/ai-cyber-risks.html
      • The EU’s Plan To Become a Global Leader In Quantum By 2030
        "The European Commission has put forward a strategy to make Europe a global leader in quantum technology by 2030. The strategy will help to develop the quantum sector, while maintaining Europe’s scientific leadership. This will also boost the EU’s competitiveness, tech sovereignty, and security. The strategy focuses on five areas: research and innovation, quantum infrastructures, ecosystem strengthening, space and dual-use technologies, and quantum skills."
        https://commission.europa.eu/news-and-media/news/eus-plan-become-global-leader-quantum-2030-2025-07-02_en
        https://www.infosecurity-magazine.com/news/eu-plan-quantum-secure/
      • Disrupting The Ransomware Attack Chain With Hybrid Mesh Security (Part 1)
        "In this three-part blog series, we explore how a hybrid mesh architecture can effectively break the ransomware attack chain. Part One examines the evolving state of ransomware in 2025, unpacks the stages of the ransomware attack chain, and explains why fragmented security architectures continue to fail. Part Two highlights five critical ways a hybrid mesh approach uniquely disrupts the ransomware lifecycle, from initial access to lateral movement and data exfiltration. Part Three features four key recommendations for CISOs from cyber security expert Pete Nicoletti and offers a concise overview of Check Point’s hybrid mesh architecture strategy."
        https://blog.checkpoint.com/securing-the-network/disrupting-the-ransomware-attack-chain-with-hybrid-mesh-security-part-1/
      • Task Scams: Why You Should Never Pay To Get Paid
        "Many of us have been experiencing a cost-of-living crisis for years, and the news headlines remain filled with doom-laden predictions of what the future might hold. Against this backdrop, it’s understandable why many of us are looking for a side hustle or for even a new, better-paid job. But the scammers know this, and are ready to take advantage. In 2024 alone, employment scams reported to the FBI made fraudsters over $264 million. Many of these are so-called “task scams,” where victims are actually tricked into paying a “deposit” in order to get paid. It might sound unbelievable. But it’s easier to fall for than you think."
        https://www.welivesecurity.com/en/scams/task-scams-why-you-should-never-pay-to-get-paid/

      Reference
      Electronic Transactions Development Agency (ETDA)
