NCSA Webboard
    Cyber Threat Intelligence 10 July 2025

    Cyber Security News

    NCSA_THAICERT

      Financial Sector

      • June 2025 Security Issues In Korean & Global Financial Sector
        "This report comprehensively covers actual cyber threats and security issues related to financial companies in South Korea and abroad. This article includes an analysis of malware and phishing cases distributed to the financial sector, the top 10 malware strains targeting the financial sector, and the industry statistics of leaked Korean accounts on Telegram. A detailed look into the phishing email distribution case targeting the financial sector is also covered."
        https://asec.ahnlab.com/en/88936/

      Industrial Sector

      • ICS Patch Tuesday: Vulnerabilities Addressed By Siemens, Schneider, Phoenix Contact
        "July 2025 Patch Tuesday ICS security advisories have been published by Siemens, Schneider Electric and Phoenix Contact. Siemens has released nine new advisories, as well as a security bulletin urging customers to take steps to secure their industrial control systems (ICS) amid an increasing threat to the operational technology (OT) landscape. The alert cites the current geopolitical situation and references a recent US government alert warning organizations about a potential surge in attacks by Iran. The industrial giant also informed customers that its Sentron Powermanager and Desigo CC devices are not affected by a recently disclosed remote code execution vulnerability in Apache Tomcat."
        https://www.securityweek.com/ics-patch-tuesday-vulnerabilities-addressed-by-siemens-schneider-phoenix-contact-2/
      • Key Findings From The Fortinet 2025 Operational Technology Security Report
        "The IT/OT air gap is largely gone. Once isolated OT systems are now deeply interconnected with enterprise IT environments. And as these industrial systems continue to modernize, they have become increasingly vulnerable to threat actors. That reality has put OT cybersecurity squarely on the radar of executives, regulators, and adversaries alike. Fortinet’s 2025 State of Operational Technology and Cybersecurity Report provides a detailed examination of how organizations are addressing the increasing risks faced by today’s OT networks. Based on a global survey of more than 550 OT professionals across manufacturing, energy, transportation, and other critical sectors, the report captures the current state of OT security, including the progress made, the pressure OT teams still face, and the priorities shaping the future of OT environments. This seventh installment of the report includes four years of trending data to identify emerging trends in OT cybersecurity."
        https://www.fortinet.com/blog/business-and-technology/key-findings-from-the-fortinet-2025-operational-technology-security-report

      New Tooling

      • Kanvas: Open-Source Incident Response Case Management Tool
        "Kanvas is an open-source incident response case management tool with a simple desktop interface, built in Python. It gives investigators a place to work with SOD (Spreadsheet of Doom) or similar files, so they can handle key tasks without jumping between different programs. “At its core, the tool leverages Excel as the backend. It includes a note-taking feature that uses Markdown, allowing investigators to write structured, portable notes. These notes can be easily exported or shared in .md format, ensuring that documentation remains accessible even without the tool,” Jinto Antony, the author of the tool and Senior Investigator, Incident Response at WithSecure, told Help Net Security."
        https://www.helpnetsecurity.com/2025/07/09/kanvas-open-source-incident-response-case-management-tool/
        https://github.com/WithSecureLabs/Kanvas

      Vulnerabilities

      • Critical RCE Vulnerability In Mcp-Remote: CVE-2025-6514 Threatens LLM Clients
        "The JFrog Security Research team has recently discovered and disclosed CVE-2025-6514 – a critical (CVSS 9.6) security vulnerability in the mcp-remote project – a popular tool used by Model Context Protocol clients. The vulnerability allows attackers to trigger arbitrary OS command execution on the machine running mcp-remote when it initiates a connection to an untrusted MCP server, posing a significant risk to users – a full system compromise. mcp-remote is a proxy that enables Large Language Model (LLM) hosts such as Claude Desktop to communicate with remote MCP servers, even if natively they only support communicating with local MCP servers."
        https://jfrog.com/blog/2025-6514-critical-mcp-remote-rce-vulnerability/
        https://www.bankinfosecurity.com/serious-flaws-patched-in-model-context-protocol-tools-a-28924
      • Ivanti, Fortinet, Splunk Release Security Updates
        "Ivanti, Fortinet, and Splunk on Tuesday announced patches for dozens of vulnerabilities across their product portfolios, including critical- and high-severity flaws. Security updates released for Ivanti Connect Secure (ICS) and Policy Secure (IPS), Endpoint Manager Mobile (EPMM), and Endpoint Manager (EPM) resolve a total of 11 bugs that require authentication to be exploited. The EPM update resolves three high-severity defects that could allow attackers to decrypt other users’ passwords or read arbitrary data from the database, while the EPMM refresh fixes two high-severity OS command injection flaws leading to remote code execution."
        https://www.securityweek.com/ivanti-fortinet-splunk-release-security-updates/
      • Ruckus Virtual SmartZone (vSZ) And Ruckus Network Director (RND) Contain Multiple Vulnerabilities
        "Multiple vulnerabilities have been identified in Ruckus Wireless management products, specifically Virtual SmartZone (vSZ) and Network Director (RND), including authentication bypass, hardcoded secrets, arbitrary file read by authenticated users, and unauthenticated remote code execution. These issues may allow full compromise of the environments managed by the affected software. At this time, we have not been able to reach Ruckus Wireless or their parent company to include their response to these disclosed vulnerabilities; we recommend using these products only within isolated management networks accessible to trusted users."
        https://kb.cert.org/vuls/id/613753
        https://www.bleepingcomputer.com/news/security/ruckus-networks-leaves-severe-flaws-unpatched-in-management-devices/
        https://www.securityweek.com/unpatched-ruckus-vulnerabilities-allow-wireless-environment-hacking/
      • Count(er) Strike – Data Inference Vulnerability In ServiceNow
        "Varonis Threat Labs discovered a high-severity vulnerability in ServiceNow’s platform that could lead to significant data exposure and exfiltration, including PII, credentials, and other sensitive information. ServiceNow is a widely used platform with 85% of its customer base being in the Fortune 500. Our researchers were able to exploit the record count UI element on list pages, using enumeration techniques and query filters to infer and expose sensitive data from various tables within ServiceNow."
        https://www.varonis.com/blog/counter-strike-servicenow
        https://www.bleepingcomputer.com/news/security/new-servicenow-flaw-lets-attackers-enumerate-restricted-data/
      • An NVIDIA Container Bug & Chance To Harden Kubernetes
        "A once-dangerous NVIDIA Container Toolkit vulnerability showcases how to harden Kubernetes clusters against container escape. On Aug. 6 at Black Hat USA in Las Vegas, researchers from Wiz will host the session "Breaking Out of The AI Cage: Pwning AI Providers with NVIDIA Vulnerabilities." The talk expands on research the vendor published last September dedicated to CVE-2024-0132, an NVIDIA Container Toolkit time-of-check to time-of-use (TOCTOU) vulnerability that would have enabled container escapes for AI and cloud providers that use the popular open source component."
        https://www.darkreading.com/cloud-security/nvidia-container-bug-harden-kubernetes
      • AMD Warns Of New Meltdown, Spectre-Like Bugs Affecting CPUs
        "AMD is warning users of a newly discovered form of side-channel attack affecting a broad range of its chips that could lead to information disclosure. Akin to Meltdown and Spectre, the Transient Scheduler Attack (TSA) comprises four vulnerabilities that AMD said it discovered while looking into a Microsoft report about microarchitectural leaks. The four bugs do not appear too venomous at face value – two have medium-severity ratings while the other two are rated "low." However, the low-level nature of the exploit's impact has nonetheless led Trend Micro and CrowdStrike to assess the threat as "critical.""
        https://www.theregister.com/2025/07/09/amd_tsa_side_channel/
        https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7029.html

      Malware

      • June 2025 Malware Spotlight: Discord Exploits Lead To Rising Threats
        "Cyber criminals continue to innovate, with a recent innovation involving the hijacking of expired Discord vanity invite links to silently deliver malicious payloads. This new campaign, discovered by Check Point Research, delivers AsyncRAT, now ranked number 3 among Top Malware for June. Using trusted platforms such as GitHub, Bitbucket, and Discord for payload delivery and data exfiltration, the attackers have devised an advanced multi-stage malware delivery system, including ClickFix phishing tactics and ChromeKatz to bypass encryption mechanisms. These developments underscore the ever-evolving nature of cyber threats, with SafePay remaining a top ransomware threat and the education sector continuing to face significant risks."
        https://blog.checkpoint.com/research/june-2025-malware-spotlight-discord-exploits-lead-to-rising-threats/
      • New AI Malware PoC Reliably Evades Microsoft Defender
        "A soon-to-be-released security evasion tool will help red teamers and hackers consistently bypass Microsoft Defender for Endpoint. Since November 2023, doomsayers have foretold of a future where large language models (LLMs) would help hackers develop malware more quickly, at scale, with capabilities beyond what humans could probably design on their own. That future hasn't quite materialized yet; hackers thus far have used artificial intelligence (AI) to generate simple malware and phishing content, and to aid in supplementary tasks like target research."
        https://www.darkreading.com/endpoint-security/ai-malware-poc-evades-microsoft-defender
      • From Click To Compromise: Unveiling The Sophisticated Attack Of DoNot APT Group On Southern European Government Entities
        "The DoNot APT group, also identified by various security vendors as APT-C-35, Mint Tempest, Origami Elephant, SECTOR02, and Viceroy Tiger, has been active since at least 2016, and has been attributed by several vendors to have links to India. The global cybersecurity landscape is continually challenged by state-sponsored threat actors conducting espionage operations. The DoNot APT group (also known as APT-C-35), is believed to operate with a focus on South Asian geopolitical interests. This threat group typically targets government entities, foreign ministries, defense organizations, and NGOs especially those in South Asia and Europe."
        https://www.trellix.com/blogs/research/from-click-to-compromise-unveiling-the-sophisticated-attack-of-donot-apt-group-on-southern-european-government-entities/
        https://thehackernews.com/2025/07/donot-apt-expands-operations-targets.html
        https://securityaffairs.com/179774/apt/donot-apt-is-expanding-scope-targeting-european-foreign-ministries.html
      • Fake CNN And BBC Sites Used To Push Investment Scams
        "Cybercriminals are faking popular news websites such as CNN, BBC and CNBC to trick people into investing in fraudulent cryptocurrency schemes, according to a new report. Researchers at Bahrain-based cybersecurity firm CTM360 said they identified more than 17,000 such sites, which publish fake stories featuring prominent public figures, including national leaders and central bank governors. The articles falsely linked those figures to “fabricated investment schemes in order to build trust and get engagement from victims,” the researchers said."
        https://therecord.media/news-websites-faked-to-spread-investment-scams

      Breaches/Hacks/Leaks

      • Qantas Confirms Data Breach Impacts 5.7 Million Customers
        "Australian airline Qantas has confirmed that 5.7 million people have been impacted by a recent data breach, in which threat actors stole customers' data. On July 1st, Qantas disclosed that it had detected a cyberattack the previous day on a third-party platform used by a Qantas airline contact centre. While the company did not share any further details, BleepingComputer learned that the attack shared similarities with other attacks on the aviation industry linked to threat actors classified as Scattered Spider."
        https://www.bleepingcomputer.com/news/security/qantas-confirms-data-breach-impacts-57-million-customers/
        https://www.theregister.com/2025/07/09/qantas_begins_telling_customers_data/
      • Bitcoin Depot Breach Exposes Data Of Nearly 27,000 Crypto Users
        "Bitcoin Depot, an operator of Bitcoin ATMs, is notifying customers of a data breach incident that has exposed their sensitive information. In the letter sent to affected individuals, the company informs that it first detected suspicious activity on its network last year on June 23. Although the internal investigation was completed on July 18, 2024, a parallel investigation by federal agencies dictated that public disclosure of the incident should be withheld until it was completed."
        https://www.bleepingcomputer.com/news/security/bitcoin-depot-breach-exposes-data-of-nearly-27-000-crypto-users/
        https://therecord.media/bitcoin-depot-cryptocurrency-atm-company-data-breach
      • PII, ID Numbers, & SSNs Exposed In Tax Credit Consultancy Data Breach
        "Cybersecurity researcher Jeremiah Fowler discovered and reported to vpnMentor an unencrypted and non-password-protected database that contained 245,949 records. The database, which presumably belonged to a tax credit consulting agency, held PII, driver’s licenses, military discharge forms, documents containing Social Security numbers (SSNs), and other internal, potentially sensitive information."
        https://www.vpnmentor.com/news/report-rockerbox-breach/
        https://hackread.com/rockerbox-server-tax-firm-exposed-sensitive-records/
      • More Than $40 Million Stolen From GMX Crypto Platform
        "Decentralized exchange GMX said more than $40 million worth of cryptocurrency was stolen during an incident on Wednesday morning. GMX, which allows users to purchase and speculate on many different cryptocurrencies, published a statement on social media saying the company “experienced an exploit” and is conducting an investigation on how it occurred. GMX added that its platform had previously undergone “numerous audits from top security specialists.” Several blockchain security companies confirmed the theft, tracking about $43 million in user funds exiting the platform. Trading on the platform has been disabled."
        https://therecord.media/gmx-exchange-cryptocurrency-stolen
      • Nippon Steel Subsidiary Blames Data Breach On Zero-Day Attack
        "Japan-based Nippon Steel Solutions on Tuesday disclosed a data breach that resulted from the exploitation of a zero-day vulnerability. Nippon Steel Solutions, also called NS Solutions, offers cloud, cybersecurity and other IT solutions. The company is a subsidiary of Japanese steel giant Nippon Steel, which recently acquired US Steel in a controversial deal. Nippon Steel Solutions said in a statement posted on its Japanese-language website that it detected suspicious activity on some servers on March 7."
        https://www.securityweek.com/nippon-steel-subsidiary-blames-data-breach-on-zero-day-attack/
        https://securityaffairs.com/179766/data-breach/nippon-steel-solutions-data-breach.html

      General News

      • June 2025 Trend Report On The Deep Web & Dark Web
        "The June 2025 trend report on the Deep Web & Dark Web is composed of the following topics: Ransomware, Data Breach, DarkWeb, CyberAttack, and Threat Actor. Please note that some of the information in the report may not be verifiable."
        https://asec.ahnlab.com/en/88933/
      • Why Your Security Team Feels Stuck
        "Cybersecurity friction usually gets framed as a user problem: password policies that frustrate employees, MFA that slows down logins, or blocked apps that send workers into the arms of shadow IT. But there’s a different kind of friction happening behind the scenes, and it’s hitting security teams themselves. It shows up during incident response, threat hunting, and day-to-day tasks. It’s the drag of too many tools, rigid approval chains, and a lack of clarity about who owns what. The irony is hard to ignore. In the name of securing the organization, security teams can end up slowed down by their own systems."
        https://www.helpnetsecurity.com/2025/07/09/why-cybersecurity-friction/
      • Know Your Enemy: Understanding Dark Market Dynamics
        "In popular culture, content providers portray the Dark Web as a sinister, unorganized Internet forum run by shadowy figures in hoodies. By all accounts, it is a hub of illegal activity. Reports show that 56.8% of content found on the Dark Web is illegal, 20% of global drug sales occur on Dark Web markets, and 60% of Dark Web marketplaces focus on cybercrime-related activities."
        https://www.darkreading.com/vulnerabilities-threats/understanding-dark-market-dynamics
      • ChatGPT Guessing Game Leads To Users Extracting Free Windows OS Keys & More
        "In a recent submission last year, researchers discovered a method to bypass AI guardrails designed to prevent sharing of sensitive or harmful information. The technique leverages the game mechanics of language models, such as GPT-4o and GPT-4o-mini, by framing the interaction as a harmless guessing game. By cleverly obscuring details using HTML tags and positioning the request as part of the game’s conclusion, the AI inadvertently returned valid Windows product keys. This case underscores the challenges of reinforcing AI models against sophisticated social engineering and manipulation tactics."
        https://0din.ai/blog/chatgpt-guessing-game-leads-to-users-extracting-free-windows-os-keys-more
        https://www.theregister.com/2025/07/09/chatgpt_jailbreak_windows_keys/

      Reference
      Electronic Transactions Development Agency (ETDA)
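The ServiceNow item above describes recovering restricted field contents from a list page's record count by submitting query filters and enumerating. The block below is an added illustration of that general class of count-oracle inference; it is not code from Varonis, ServiceNow or the original post. The sample table, the STARTSWITH filter semantics, the `count_oracle` and `hardened_count` functions and the candidate alphabet are constructed assumptions and do not reproduce ServiceNow's API or query syntax. It goes slightly beyond the item by handling the case where one stored value is an exact prefix of another.

```python
"""Count-oracle inference against a constructed table (added example).

The attacker cannot read `secret`, but can submit a 'secret STARTSWITH x'
filter and observe only how many records match. Extending the prefix one
character at a time leaks every value. Everything here is constructed for
illustration; it is not ServiceNow's data model or query language.
"""
from typing import Callable

# Constructed sample data, not a real table: the caller may list records
# but is not permitted to read the "secret" field directly.
SAMPLE_RECORDS = [
    {"sys_id": "1", "user": "alice", "secret": "Summer2025!"},
    {"sys_id": "2", "user": "bob", "secret": "hunter2"},
    {"sys_id": "3", "user": "carol", "secret": "correct-horse"},
]

# Candidate characters per position; a real run would use the full
# printable range (assumed alphabet).
ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!-_ "


def count_oracle(records: list[dict], field: str, prefix: str) -> int:
    """Hypothetical server side: answers a STARTSWITH filter with nothing
    but the number of matching records. This count is all the attacker sees."""
    return sum(1 for r in records if r[field].startswith(prefix))


def infer_field_values(oracle: Callable[[str, str], int], field: str,
                       alphabet: str = ALPHABET,
                       max_len: int = 64) -> tuple[list[str], int]:
    """Recover every value of `field` by depth-first prefix extension.

    Returns (recovered values with multiplicity, number of oracle calls).
    """
    recovered: list[str] = []
    calls = 0

    def walk(prefix: str, matching: int) -> None:
        nonlocal calls
        accounted = 0  # records already explained by a longer prefix
        if len(prefix) < max_len:
            for ch in alphabet:
                calls += 1
                n = oracle(field, prefix + ch)
                if n:
                    accounted += n
                    walk(prefix + ch, n)
                if accounted == matching:
                    break  # every record under this prefix is explained
        # Records matching `prefix` but no extension end exactly here,
        # which is how "ab" is recovered when "abc" also exists.
        recovered.extend([prefix] * (matching - accounted))

    calls += 1
    walk("", oracle(field, ""))
    return recovered, calls


def hardened_count(records: list[dict], field: str, prefix: str,
                   readable_fields: set[str]) -> int:
    """Mitigation sketch (assumed, not ServiceNow's fix): apply the same
    field-level read check to filter and count operations that applies to
    displaying the field, so a filter on a non-readable field is refused
    rather than silently counted."""
    if field not in readable_fields:
        raise PermissionError(f"filter on non-readable field {field!r} refused")
    return count_oracle(records, field, prefix)


if __name__ == "__main__":
    values, calls = infer_field_values(
        lambda f, p: count_oracle(SAMPLE_RECORDS, f, p), "secret")
    print(f"recovered {sorted(values)} using {calls} count queries")
```

The attacker never reads the field; each query only narrows the count, so rate limits and audit logging on list views are the signals a defender has. The `hardened_count` sketch shows the general mitigation of enforcing field-level access on filters and counts; whether that matches the vendor's actual fix is not stated on this page.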