NCSA Webboard

    Cyber Threat Intelligence 16 July 2025

    Cyber Security News
    • NCSA_THAICERT

      Industrial Sector

      • Hitachi Energy Asset Suite
        "Successful exploitation of these vulnerabilities could allow an attacker to gain unauthorized access to the target equipment, perform remote code executions, or escalate privileges."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-196-01
      • LITEON IC48A And IC80A EV Chargers
        "Successful exploitation of this vulnerability could allow an attacker to access sensitive information when accessing the Liteon EV chargers."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-196-03
      • ABB RMC-100
        "Successful exploitation of these vulnerabilities could allow an attacker to gain unauthenticated access to the MQTT configuration data, cause a denial-of-service condition on the MQTT configuration web server (REST interface), or decrypt encrypted MQTT broker credentials."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-196-02

      Vulnerabilities

      • Preventing Zero-Click AI Threats: Insights From EchoLeak
        "EchoLeak (CVE-2025-32711) is a newly identified vulnerability in Microsoft 365 Copilot, made more nefarious by its zero-click nature, meaning it requires no user interaction to succeed. It demonstrates how helpful systems can open the door to entirely new forms of attack— no malware, no phishing required—just the unquestioning obedience of an AI agent. This new threat has even been classified by the team behind the disclosure as a new form of large language model (LLM) exploitation called “Scope Violation.” In this entry, we break down these new terms and risks—and how Trend Micro can help users stay ahead, equipped and aware of these tactics, especially when AI assistants aren’t."
        https://www.trendmicro.com/en_us/research/25/g/preventing-zero-click-ai-threats-insights-from-echoleak.html

      Malware

      • Fake Android Money Transfer App Targeting Bengali-Speaking Users
        "McAfee’s Mobile Research Team discovered a new and active Android malware campaign targeting Bengali-speaking users, mainly Bangladeshi people living abroad. The app poses as popular financial services like TapTap Send and AlimaPay. It is distributed through phishing sites and Facebook pages, and the app steals users’ personal and financial information. The campaign remains highly active, with the command-and-control (C2) server operational and connected to multiple evolving domains. While the attack techniques are not new, the campaign’s cultural targeting and sustained activity reflect how cybercriminals continue to adapt their strategies to reach specific communities. McAfee Mobile Security already detects this threat as Android/FakeApp. For more information, visit McAfee Mobile Security."
        https://www.mcafee.com/blogs/other-blogs/mcafee-labs/fake-android-money-transfer-app-targeting-bengali-speaking-users/
      • Contagious Interview Campaign Escalates With 67 Malicious Npm Packages And New Malware Loader
        "The Socket Threat Research Team has uncovered a new North Korean software supply chain attack involving a previously unreported malware loader we call XORIndex. This activity is an expansion of the campaign we reported in June 2025, which deployed the HexEval Loader. In this latest wave, the North Korean threat actors behind the Contagious Interview operation infiltrated the npm ecosystem with 67 malicious packages, collectively downloaded more than 17,000 times. 27 of these packages remain live on the npm registry. We have submitted takedown requests to the npm security team and petitioned for the suspension of the associated accounts."
        https://socket.dev/blog/contagious-interview-campaign-escalates-67-malicious-npm-packages
        https://thehackernews.com/2025/07/north-korean-hackers-flood-npm-registry.html
        https://www.bleepingcomputer.com/news/security/north-korean-xorindex-malware-hidden-in-67-malicious-npm-packages/
        https://www.infosecurity-magazine.com/news/north-korean-contagious-interview/
        https://securityaffairs.com/179950/hacking/north-korea-linked-actors-spread-xorindex-malware-via-67-malicious-npm-packages.html
      • Konfety Returns: Classic Mobile Threat With New Evasion Techniques
        "As part of our ongoing mission to identify emerging threats to mobile security, our zLabs team has been actively tracking a new, sophisticated variant of a well-known malware previously reported by Human. This Android-targeted malware, named Konfety, employs an “evil-twin” method to conduct fraudulent activities. Notably, two distinct variants of this application share the same Package Name, a tactic designed to enhance its evasiveness and impact:"
        https://zimperium.com/blog/konfety-returns-classic-mobile-threat-with-new-evasion-techniques
        https://www.bleepingcomputer.com/news/security/android-malware-konfety-uses-malformed-apks-to-evade-detection/
        https://securityaffairs.com/179969/malware/android-malware-konfety-evolves-with-zip-manipulation-and-dynamic-loading.html
      • Unmasking AsyncRAT: Navigating The Labyrinth Of Forks
        "AsyncRAT has cemented its place as a cornerstone of modern malware and as a pervasive threat that has evolved into a sprawling network of forks and variants. While its capabilities are not that impressive on their own, it is the open-source nature of AsyncRAT that has truly amplified its impact. This blogpost provides an overview and analysis of the most relevant forks of AsyncRAT, drawing connections between them and showing how they have evolved."
        https://www.welivesecurity.com/en/eset-research/unmasking-asyncrat-navigating-labyrinth-forks/
        https://thehackernews.com/2025/07/asyncrats-open-source-code-sparks-surge.html
        https://www.darkreading.com/remote-workforce/async-rat-labyrinth-forks
        https://cyberscoop.com/asyncrat-malware-variants-eset/
        https://www.helpnetsecurity.com/2025/07/15/asyncrat-forks-eset-research/
      • SVG Smuggling – Image Embedded JavaScript Redirect Attacks
        "Threat actors are increasingly leveraging Scalable Vector Graphics (SVG) files as a delivery vector for JavaScript-based redirect attacks. SVGs, commonly treated as harmless image formats, can contain embedded script elements. In these campaigns, adversaries embed obfuscated JavaScript within SVG files to initiate browser redirects at runtime. The final redirect destinations are attacker-controlled infrastructure, with appended Base64-encoded strings used for victim tracking or correlation, while the payload is carefully structured for evasive purposes. The phishing themes vary between “ToDoList”, “Missed Call” and “Payment” related topics."
        https://www.ontinue.com/resource/blog-svg-smuggling/
        https://hackread.com/attackers-hide-javascript-svg-images-malicious-sites/
        https://www.infosecurity-magazine.com/news/hackers-svg-files-javascript/
        https://www.securityweek.com/threat-actors-use-svg-smuggling-for-browser-native-redirection/
      • GLOBAL GROUP: Emerging Ransomware-As-a-Service, Supporting AI Driven Negotiation And Mobile Control Panel For Their Affiliates
        "On June 2, 2025, EclecticIQ analysts observed the emergence of GLOBAL GROUP, a new Ransomware-as-a-Service (RaaS) brand promoted on the Ramp4u forum by the threat actor known as “$$$”. The same actor controls the Black Lock RaaS [1] and previously managed Mamona [2] ransomware operations. GLOBAL GROUP targets a wide range of sectors across the United States and Europe. EclecticIQ assesses with medium confidence that GLOBAL GROUP was likely established as a rebranding of the BlackLock RaaS operation. This rebranding aims to rebuild trust and expand the affiliate network by giving 80% of extorted ransom money to affiliates."
        https://blog.eclecticiq.com/global-group-emerging-ransomware-as-a-service
        https://thehackernews.com/2025/07/newly-emerged-global-group-raas-expands.html
      • Octalyn Stealer Unmasked
        "The Octalyn Forensic Toolkit, publicly hosted on GitHub, presents itself as a research-oriented tool for digital forensics and red teaming. It consists of a C++-based payload module supported by a Delphi-based builder interface, which simplifies payload generation and allows even low-skilled actors to produce fully functional binaries with minimal effort. The builder requires only a Telegram bot token and chat ID to configure a payload capable of real-time data exfiltration via Telegram."
        https://www.cyfirma.com/research/octalyn-stealer-unmasked/
      • Malicious Telegram APK Campaign Advisory
        "Over the past month, the team at PreCrime™ Labs, the threat research division at BforeAI, has identified a large malicious campaign of 607 domains actively distributing application files (“APKs”), claiming to be Telegram Messenger. These domains, linked to a large-scale phishing and malware campaign, were registered through the Gname registrar, and are primarily hosted in the Chinese language."
        https://bfore.ai/report/malicious-telegram-apk-campaign-advisory/
        https://www.darkreading.com/cyberattacks-data-breaches/telegram-app-chinese-users-android-data
        https://hackread.com/fake-telegram-apps-domains-android-malware-attack/

      Breaches/Hacks/Leaks

      • Seychelles Commercial Bank Confirms Customer Data Breach
        "A hacker claims to have stolen and sold the personal data of clients of Seychelles Commercial Bank. The bank, which provides personal and corporate services on Seychelles, one of the world's smallest countries, notified customers of a hack, but said only personal information - not money - was stolen. The archipelago nation in the Indian Ocean, located northeast of Madagascar, sports 98,000 inhabitants, ranks as the richest country in Africa and has a reputation for being a tax haven."
        https://www.bankinfosecurity.com/seychelles-commercial-bank-confirms-customer-data-breach-a-28972
      • Data Breach At Debt Settlement Firm Impacts 160,000 People
        "Pennsylvania-based debt settlement company Next Level Finance Partners (dba Century Support Services) has disclosed a data breach impacting a significant number of individuals. The company has started sending out data security incident notifications informing impacted individuals that its systems were hacked in November 2024. An investigation launched in response to the cyberattack revealed in late May that the files potentially accessed or taken by the hackers stored personal information."
        https://www.securityweek.com/data-breach-at-debt-settlement-firm-impacts-160000-people/
      • Ransomware Group Claims Attack On Belk
        "The DragonForce ransomware gang has claimed responsibility for a disruptive cyberattack on US department store chain Belk. The incident was identified on May 8 and prompted Belk to disconnect affected systems, restrict network access, reset passwords, and rebuild impacted systems, which disrupted the chain’s online and physical operations for several days. The company’s online store is still offline at the time of publication. Belk’s investigation into the attack determined that hackers had access to its network between May 7 and May 11, and that they exfiltrated certain documents, including files containing personal information."
        https://www.securityweek.com/ransomware-group-claims-attack-on-belk/
        https://securityaffairs.com/179958/data-breach/belk-hit-by-may-cyberattack-dragonforce-stole-150gb-of-data.html

      General News

      • June 2025 Threat Trend Report On Ransomware
        "This report provides statistics on the number of new ransomware samples and affected systems, and affected companies that were collected in June 2025, as well as major ransomware issues in and out of Korea. Below is a summary of the information. The statistics on the number of ransomware samples and affected systems were based on the detection names given by AhnLab. Additionally, the statistics on affected companies by ransomware were based on the time when the information was collected from the Dedicated Leak Sites (DLS) of the ransomware group, which are PR sites or pages for ransomware, in the ATIP infrastructure."
        https://asec.ahnlab.com/en/89032/
      • June 2025 APT Attack Trends Report (South Korea)
        "AhnLab is monitoring APT (Advanced Persistent Threat) attacks in South Korea using its own infrastructure. This report covers the classification and statistics of APT attacks in South Korea that were identified in June 2025, as well as the features of each type."
        https://asec.ahnlab.com/en/89028/
      • Stop Settling For Check-The-Box Cybersecurity Policies
        "After every breach, people ask: How did this happen if there were cybersecurity policies in place? The truth is, just having them doesn’t stop attacks. They only work if people know them and follow them when it matters. That’s where things often break down. Policies fail when they don’t match how work gets done, get outdated, or focus too much on rules instead of real risks. When security rules are full of legal jargon or written for everyone in the same way, employees have a hard time knowing what they mean or how to follow them."
        https://www.helpnetsecurity.com/2025/07/15/stop-settling-for-check-the-box-cybersecurity-policies/
      • Abacus Market Conducts Likely Exit Scam Amid Increasingly Unstable Western Darknet Marketplace Landscape
        "In early July, 2025, Abacus Market, the largest Bitcoin-enabled Western darknet marketplace (DNM), went offline, rendering all internet-facing infrastructure, including its clearnet mirror, inaccessible. TRM Labs assesses that the marketplace’s operators have likely conducted an exit scam, shutting down operations and disappearing with users’ funds. However, law enforcement may also have covertly seized the marketplace. Abacus’s exit follows the June 16, 2025 law enforcement seizure of Archetyp Market, marking the latest in a series of shutdowns in the Western DNM ecosystem."
        https://www.trmlabs.com/resources/blog/abacus-market-conducts-likely-exit-scam-amid-increasingly-unstable-western-darknet-marketplace-landscape
        https://www.bleepingcomputer.com/news/security/abacus-dark-web-drug-market-goes-offline-in-suspected-exit-scam/
        https://www.infosecurity-magazine.com/news/abacus-market-shutters-exit-scam/
      • Police Disrupt “Diskstation” Ransomware Gang Attacking NAS Devices
        "An international law enforcement action dismantled a Romanian ransomware gang known as 'Diskstation,' which encrypted the systems of several companies in the Lombardy region, paralyzing their businesses. The law enforcement operation codenamed 'Operation Elicius' was coordinated by Europol and also involved police forces in France and Romania. Diskstation is a ransomware operation that targets Synology Network-Attached Storage (NAS) devices, which are commonly used by companies for centralized file storage and sharing, data backup and recovery, and general content hosting."
        https://www.bleepingcomputer.com/news/security/police-disrupt-diskstation-ransomware-gang-attacking-nas-devices/
      • Former U.S. Soldier Pleads Guilty To Hacking And Extortion Scheme Involving Telecommunications Companies
        "A former Army soldier, who was most recently stationed in Texas, pleaded guilty today to conspiring to hack into telecommunications companies’ databases, access sensitive records, and extort the telecommunications companies by threatening to release the stolen data unless ransoms were paid. According to court documents, between April 2023 and Dec. 18, 2024, Cameron John Wagenius, 21, used online accounts associated with the nickname “kiberphant0m” and conspired with others to defraud at least 10 victim organizations by obtaining login credentials for the organizations’ protected computer networks. The conspirators obtained these credentials using a hacking tool that they called SSH Brute, among other means."
        https://www.justice.gov/opa/pr/former-us-soldier-pleads-guilty-hacking-and-extortion-scheme-involving-telecommunications
        https://cyberscoop.com/cameron-wagenius-att-snowflake-guilty-plea/
        https://www.theregister.com/2025/07/15/solider_hacking_guilty/
      • How Criminal Networks Exploit Insider Vulnerabilities
        "When you hear "insider threat," what comes to mind? A rogue employee stealing files before quitting? Think bigger. The reality is far more alarming. Today's insider threats aren't lone wolves acting out of spite — they're pawns in the hands of sophisticated, organized criminal networks. These groups don't just exploit vulnerabilities in your systems; they exploit your people, turning trusted team members into unwitting accomplices or deliberate collaborators in their schemes. This is the current reality security leaders must face. Criminal networks are embedding operatives, coercing employees, and using cutting-edge tactics to infiltrate organizations from the inside."
        https://www.darkreading.com/vulnerabilities-threats/criminal-networks-exploit-insider-vulnerabilities
      • Lessons Learned From McDonald's Big AI Flub
        "McDonald's experienced a major security incident in June that resulted in the exposure of data belonging to approximately 64 million job applicants. Earlier this month, security researchers Ian Carroll and Sam Curry detailed how they found major flaws within McDonald's hiring platform, McHire. The platform features an AI chatbot named Olivia, created by the company Paradox.ai."
        https://www.darkreading.com/application-security/lessons-learned-mcdonalds-ai-flub
      • Inorganic DNA: How Nanoparticles Could Be The Future Of Anti-Counterfeiting Tech
        "For decades, manufacturers and security professionals have been playing a high-stakes game of cat and mouse with counterfeiters. From holograms and QR codes to RFID tags and serial numbers, the industry’s toolkit has evolved, but so have the threats. Now, Italian startup Particular Materials is taking a radically different approach: tagging physical goods at the molecular level using engineered nanomaterials."
        https://www.helpnetsecurity.com/2025/07/15/inorganic-dna-nanoparticles-anti-counterfeiting-tech/
      • Securing Vehicles As They Become Platforms For Code And Data
        "In this Help Net Security interview, Robert Knoblauch, CISO at Element Fleet Management, discusses how the rise of connected vehicles and digital operations is reshaping fleet management cybersecurity. He points to growing risks like API breaches, tampering with onboard diagnostics, and over-the-air update attacks, and explains how a layered zero-trust model and practical use of AI help tackle them. Knoblauch also shares how predictive analytics and real-time data are driving proactive security and safety across both digital and physical fleet assets."
        https://www.helpnetsecurity.com/2025/07/15/robert-knoblauch-element-fleet-management-operations-security/
      • SaaS Security Adoption Grows Amid Rising Breach Rates
        "A new report has revealed a striking gap between how secure organizations believe their SaaS environments are and the reality of recent incidents. While 91% of teams expressed confidence in their SaaS data protection, 75% said they experienced a SaaS-related security incident in the past year, marking a 44-point increase over 2024. The AppOmni study, based on input from 803 IT and security professionals worldwide, found that confidence often stems from trust in SaaS providers rather than internal validation. “Confidence must be earned, not assumed,” the report warns, pointing to a growing need for proactive configuration management and real-time monitoring."
        https://www.infosecurity-magazine.com/news/saas-security-adoption-grows/
      • Hyper-Volumetric DDoS Attacks Skyrocket: Cloudflare’s 2025 Q2 DDoS Threat Report
        "Welcome to the 22nd edition of the Cloudflare DDoS Threat Report. Published quarterly, this report offers a comprehensive analysis of the evolving threat landscape of Distributed Denial of Service (DDoS) attacks based on data from the Cloudflare network. In this edition, we focus on the second quarter of 2025. To view previous reports, visit www.ddosreport.com. June was the busiest month for DDoS attacks in 2025 Q2, accounting for nearly 38% of all observed activity. One notable target was an independent Eastern European news outlet protected by Cloudflare, which reported being attacked following its coverage of a local Pride parade during LGBTQ Pride Month."
        https://blog.cloudflare.com/ddos-threat-report-for-2025-q2/
        https://thehackernews.com/2025/07/hyper-volumetric-ddos-attacks-reach.html
        https://www.securityweek.com/ddos-attacks-blocked-by-cloudflare-in-2025-already-surpass-2024-total/
      • Fake Websites Are Wreaking Phishing Havoc
        "Phishing attacks involving fake Web sites that impersonate well-known brands are now occurring at a level of scale that once seemed unimaginable. Cybersecurity researchers at NordVPN earlier this month revealed they have been able to identify more than 120,000 malicious websites impersonating Amazon, that were set up in the last two months. In total, security researchers have seen 92,000 phishing sites with an Amazon name, with 21,000 fake Amazon websites attempting to install malware. Another 11,000 sites were selling fake goods."
        https://blog.barracuda.com/2025/07/15/fake-websites-are-wreaking-phishing-havoc
      • A Summer Of Security: Empowering Cyber Defenders With AI
        "AI provides an unprecedented opportunity for building a new era of American innovation. We can use these new tools to grow the U.S. economy, create jobs, accelerate scientific advances and give the advantage back to security defenders. And when it comes to security opportunities — we’re thrilled to be driving progress in three key areas ahead of the summer’s biggest cybersecurity conferences like Black Hat USA and DEF CON 33: agentic capabilities, next-gen security model and platform advances, and public-private partnerships focused on putting these tools to work."
        https://blog.google/technology/safety-security/cybersecurity-updates-summer-2025/
        https://therecord.media/google-big-sleep-ai-tool-found-bug
      • NSA: Volt Typhoon Was ‘not Successful’ At Persisting In Critical Infrastructure
        "Senior cybersecurity officials at the National Security Agency and FBI said the agencies have been successful in addressing some of the Chinese cyber campaigns targeting critical infrastructure in the U.S. During the International Conference on Cyber Security at Fordham University in New York City on Tuesday, experts spoke at length about Beijing’s so-called Typhoon campaigns — which have involved Chinese government and private sector groups launching attacks on U.S. government agencies and companies."
        https://therecord.media/china-typhoon-hackers-nsa-fbi-response

      Reference
      Electronic Transactions Development Agency (ETDA)
