NCSA Webboard

    Cyber Threat Intelligence 17 July 2025

    Cyber Security News
    • NCSA_THAICERT

      Industrial Sector

      • Overcoming The Myths About 5G And OT Security
        "The field of operational technology security is full of myths that persist throughout the industry. One widely held belief is that OT systems are air-gapped and immune to cyberthreats. But digital transformation programs are adding potential attack vectors in unexpected places such as AI-enabled devices, digital twins and 5G-connected autonomous mobile robots. "We are fundamentally challenging the traditional air gap," said Suresh Venkat, head of IoT/OT, Asia Pacific, at Palo Alto Networks, speaking on the second day of the 5G OT Security Summit in Malaysia."
        https://www.bankinfosecurity.com/overcoming-myths-about-5g-ot-security-a-28987

      New Tooling

      • Falco: Open-Source Cloud-Native Runtime Security Tool For Linux
        "Falco is an open-source runtime security tool for Linux systems, built for cloud-native environments. It monitors the system in real time to spot unusual activity and possible security threats. Falco is a graduated project from the Cloud Native Computing Foundation (CNCF) and is used in production by many organizations."
        https://www.helpnetsecurity.com/2025/07/16/falco-open-source-cloud-native-runtime-linux-security-tool/
        https://github.com/falcosecurity/falco

      Vulnerabilities

      • Chrome Update Patches Fifth Zero-Day Of 2025
        "Google on Tuesday announced a fresh set of Chrome security updates that resolve six vulnerabilities, including one exploited in the wild. The zero-day bug, tracked as CVE-2025-6558, is described as an incorrect validation of untrusted input in the browser’s ANGLE and GPU components. ANGLE, short for Almost Native Graphics Layer Engine, is an open source, cross-platform graphics engine used as the default WebGL backend in both Chrome and Firefox on Windows. Chrome primarily uses the GPU component to render graphics and video content on webpages. According to a NIST advisory, successful exploitation of the flaw could allow remote attackers to escape the browser’s sandbox via crafted HTML pages."
        https://www.securityweek.com/chrome-update-patches-fifth-zero-day-of-2025/
        https://www.bleepingcomputer.com/news/security/google-fixes-actively-exploited-sandbox-escape-zero-day-in-chrome/
        https://thehackernews.com/2025/07/urgent-google-releases-critical-chrome.html
        https://securityaffairs.com/180001/hacking/cve-2025-6554-marks-the-fifth-actively-exploited-chrome-zero-day-patched-by-google-in-2025.html
        https://www.helpnetsecurity.com/2025/07/16/update-google-chrome-to-fix-actively-exploited-zero-day-cve-2025-6558/
      • OCI, Oh My: Remote Code Execution On Oracle Cloud Shell And Code Editor Integrated Services
        "Tenable Research discovered a Remote Code Execution (RCE) vulnerability (now remediated) in Oracle Cloud Infrastructure (OCI) Code Editor. We demonstrated how an attacker could silently 1-click hijack a victim’s Cloud Shell environment and potentially pivot across OCI services. The vulnerability also affected Code Editor’s integrated services such as Resource Manager, Functions and Data Science."
        https://www.tenable.com/blog/remote-code-execution-on-oracle-cloud-shell-and-code-editor-integrated-services
        https://www.darkreading.com/application-security/oracle-fixes-critical-bug-cloud-code-editor
        https://www.bankinfosecurity.com/drive-by-attack-vector-patched-in-oracle-code-editor-a-28978
      • Golden dMSA: What Is dMSA Authentication Bypass?
        "Microsoft’s Windows Server 2025 delivers significant security innovations, including the introduction of delegated Managed Service Accounts (dMSAs) designed to revolutionize service account management. Unlike static password-based accounts that can fall victim to Kerberoasting attacks, dMSAs bind authentication directly to authorized machines in Active Directory (AD). This machine-centric approach eliminates credential theft by tying authentication to device identity rather than user-managed passwords. Only explicitly authorized machines can access the dMSA. This article reveals a new attack against delegated Managed Service Accounts called the Golden DMSA attack. The technique allows attackers to bypass the intended machine-managed authentication and generate passwords for all associated dMSAs offline."
        https://www.semperis.com/blog/golden-dmsa-what-is-dmsa-authentication-bypass/
        https://thehackernews.com/2025/07/critical-golden-dmsa-attack-in-windows.html

      Malware

      • Ongoing SonicWall Secure Mobile Access (SMA) Exploitation Campaign Using The OVERSTEP Backdoor
        "Google Threat Intelligence Group (GTIG) has identified an ongoing campaign by a suspected financially-motivated threat actor we track as UNC6148, targeting fully patched end-of-life SonicWall Secure Mobile Access (SMA) 100 series appliances. GTIG assesses with high confidence that UNC6148 is leveraging credentials and one-time password (OTP) seeds stolen during previous intrusions, allowing them to regain access even after organizations have applied security updates. Evidence for the initial infection vector was limited, as the actor's malware is designed to selectively remove log entries, hindering forensic investigation; however, it is likely this was through the exploitation of known vulnerabilities."
        https://cloud.google.com/blog/topics/threat-intelligence/sonicwall-secure-mobile-access-exploitation-overstep-backdoor
        https://thehackernews.com/2025/07/unc6148-backdoors-fully-patched.html
        https://therecord.media/sonicwall-sma-100-series-overstep-malware-unc6148
        https://www.bleepingcomputer.com/news/security/sonicwall-sma-devices-hacked-with-overstep-rootkit-tied-to-ransomware/
        https://www.bankinfosecurity.com/hackers-use-backdoor-to-steal-data-from-sonicwall-appliance-a-28979
        https://cyberscoop.com/sonicwall-sma100-attacks/
        https://www.securityweek.com/sonicwall-sma-appliances-targeted-with-new-overstep-malware/
        https://www.theregister.com/2025/07/16/sonicwall_vpn_hijack/
        https://www.helpnetsecurity.com/2025/07/16/sonicwall-sma-devices-persistently-infected-with-stealthy-overstep-backdoor-rootkit/
      • New Fortinet FortiWeb Hacks Likely Linked To Public RCE Exploits
        "Multiple Fortinet FortiWeb instances recently infected with web shells are believed to have been compromised using public exploits for a recently patched remote code execution (RCE) flaw tracked as CVE-2025-25257. News of the exploitation activity comes from threat monitoring platform The Shadowserver Foundation, which observed 85 infections on July 14 and 77 on the next day. The researchers reported that these Fortinet FortiWeb instances are believed to be compromised through the CVE-2025-25257 flaw."
        https://www.bleepingcomputer.com/news/security/new-fortinet-fortiweb-hacks-likely-linked-to-public-rce-exploits/
      • FileFix: The New Social Engineering Attack Building On ClickFix Tested In The Wild
        "Check Point Research identifies how the new social engineering technique, FileFix, is being actively tested by threat actors in the wild. Attackers have long exploited human trust as a primary attack surface, and they’re doing it again with a new technique called FileFix. FileFix is a recently uncovered social engineering attack that builds on the widely abused ClickFix tactic. Unlike ClickFix, which tricks users into running malicious commands via the Windows Run dialog, FileFix takes a subtler approach: it opens a legitimate Windows File Explorer window from a webpage and silently loads a disguised PowerShell command into the user’s clipboard."
        https://blog.checkpoint.com/research/filefix-the-new-social-engineering-attack-building-on-clickfix-tested-in-the-wild/
      • Talos IR Ransomware Engagements And The Significance Of Timeliness In Incident Response
        "As ransomware threat actors continuously decrease their dwell time — here defined as the duration between initial access and encryption — it is increasingly imperative to be mindful of timeliness in incident response engagements (Infosecurity Magazine, CyberScoop, Orca, ThreatDown). Early intervention and remediation can significantly mitigate or even wholly prevent repercussions of ransomware attacks, such as financial loss, reputational damage and legal repercussions, as exemplified by a comparison of two recent Talos IR engagements."
        https://blog.talosintelligence.com/talos-ir-ransomware-engagements-and-the-significance-of-timeliness-in-incident-response/
      • Next Gen TTPs In The Threat Actor's Playbook
        "Cofense Intelligence tracks advanced Tactics, Techniques, and Procedures (TTPs) in credential phishing and malware reporting. These tracked advanced TTPs consist of individual techniques such as steganography or reversing a filename and file extension with a special character. They also include overall campaign characteristics, such as Spanish language emails delivering Remote Access Trojans (RATs) via embedded links to password protected archive files hosted on Google Drive or Google Docs. Luckily, advanced TTPs such as these are not as common and only account for a small fraction of the campaigns observed by Cofense. This report will cover the individual TTPs that account for over 5% of all tracked TTPs in 2024."
        https://cofense.com/blog/next-gen-ttps-in-the-threat-actor-s-playbook
      • From a Teams Call To a Ransomware Threat: Matanbuchus 3.0 MaaS Levels Up
        "Over the past nine months, Matanbuchus has been used in highly targeted campaigns that have potentially led to ransomware compromises. Recently, Matanbuchus 3.0 was introduced with significant updates to its arsenal. In one of the most recent cases (July 2025), a Morphisec customer was targeted through external Microsoft Teams calls impersonating an IT helpdesk. During this engagement, Quick Assist was activated, and employees were instructed to execute a script that deployed the Matanbuchus Loader."
        https://www.morphisec.com/blog/ransomware-threat-matanbuchus-3-0-maas-levels-up/
        https://www.darkreading.com/threat-intelligence/matanbuchus-loader-ransomware-infections
        https://thehackernews.com/2025/07/hackers-leverage-microsoft-teams-to.html
      • DIANNA Explains 2: Agent Tesla—A Better RAT
        "Hey there, humans. DIANNA here with another malware breakdown that will make you double-check your security stack. Today, we’re revisiting a particularly stealthy variant of Agent Tesla we uncovered last year—highlighting how much earlier the deep learning-driven DSX Brain detected it compared to competitors. First things first: If you are not familiar with this malware family—Agent Tesla is a sophisticated Remote Access Trojan (RAT) that has plagued security teams since 2014, engineered to fly under the radar while systematically stealing sensitive data from infected systems. The version we caught last year shows that bad actors are still finding new ways to obscure it and make it more dangerous."
        https://www.deepinstinct.com/blog/dianna-explains-2-agent-tesla-a-better-rat
      • Old Miner, New Tricks
        "The FortiCNAPP team, part of FortiGuard Labs, recently investigated a cluster of virtual private servers (VPS) used for Monero mining. The identified samples are associated with prior H2miner campaigns that we documented in 2020 and have since been updated with new configurations. H2Miner is a Crypto mining botnet that has been active since late 2019. We also identified a new variant of the Lcryx ransomware, called Lcrypt0rx. Lcryx is a relatively new VBScript-based ransomware strain first observed in November 2024. This family exhibits several unusual characteristics that suggest it may have been generated using AI."
        https://www.fortinet.com/blog/threat-research/old-miner-new-tricks
      • BADBOX 2.0: A Global IoT Botnet Threat Targeting Consumer Devices
        "A dangerous malware family known as BADBOX 2.0 has been flagged by the FBI as a global cybersecurity threat. This Android-based malware infiltrates cheap IoT devices—such as smart TVs, streaming boxes, tablets, and IoT gadgets—turning them into malicious proxies and part of a residential proxy botnet used for criminal operations. Over 1 million devices are already compromised worldwide. BADBOX 2.0 is stealthy and highly effective in its infection strategy. Unlike traditional malware, BADBOX is frequently pre-installed in the firmware of low-cost devices. This means users can be compromised right out of the box without taking any direct action."
        https://www.pointwild.com/threat-intelligence/badbox-2-0-a-global-iot-botnet-threat
        https://hackread.com/badbox-2-0-preinstalled-android-iot-devices-worldwide/
      • SquidLoader Malware Campaign Targets Hong Kong Financial Sector
        "A new wave of malware targeting financial institutions in Hong Kong has been identified, featuring SquidLoader. This stealthy loader deploys the Cobalt Strike Beacon and boasts advanced anti-analysis tactics. In a new advisory published on Monday, security researchers at Trellix said the malware has been observed evading nearly all detection, making it particularly dangerous for its intended victims."
        https://www.infosecurity-magazine.com/news/squidloader-malware-targets-hong/
      • China’s Salt Typhoon Hacked US National Guard
        "Chinese state-sponsored hackers compromised the network of a state’s Army National Guard unit, collected configuration information, and tapped into its communication with other units, a Department of Defense report shows. The nation-state threat actor, tracked as Salt Typhoon, was previously accused of hacking US telecommunications giants AT&T and Verizon, along with Lumen Technologies and other service providers in the US and abroad, to compromise wiretap systems. Last month, the Canadian Centre for Cyber Security and the FBI warned that the APT had also targeted telecom providers in Canada, stealing call records and private communications."
        https://www.securityweek.com/chinas-salt-typhoon-hacked-us-national-guard/
        https://securityaffairs.com/180018/intelligence/salt-typhoon-breach-chinese-apt-compromises-u-s-army-national-guard-network.html
      • UNG0002: Regional Threat Operations Tracked Across Multiple Asian Jurisdictions
        "Seqrite Labs APT-Team has identified and tracked UNG0002 also known as Unknown Group 0002, a bunch of espionage-oriented operations which has been grouped under the same cluster conducting campaigns across multiple Asian jurisdictions including China, Hong Kong, and Pakistan. This threat entity demonstrates a strong preference for using shortcut files (LNK), VBScript, and post-exploitation tools such as Cobalt Strike and Metasploit, while consistently deploying CV-themed decoy documents to lure victims."
        https://www.seqrite.com/blog/ung0002-espionage-campaigns-south-asia/

      Breaches/Hacks/Leaks

      • Louis Vuitton Says Regional Data Breaches Tied To Same Cyberattack
        "Luxury fashion giant Louis Vuitton confirmed that breaches impacting customers in the UK, South Korea, and Turkey stem from the same security incident, which is believed to be linked to the ShinyHunters extortion group. Since last week, the retailer has been notifying customers that their info was exposed in a data breach, first in South Korea, then in Turkey, and on Friday in the United Kingdom. "Despite all security measures in place, on July 2, 2025, we became aware of a personal data breach resulting from the exfiltration of certain personal data of some of our clients following an unauthorized access to our system," reads Louis Vuitton's data breach notifications sent to customers."
        https://www.bleepingcomputer.com/news/security/louis-vuitton-says-regional-data-breaches-tied-to-same-cyberattack/
      • Co-Op Confirms Data Of 6.5 Million Members Stolen In Cyberattack
        "UK retailer Co-op has confirmed that personal data of 6.5 million members was stolen in the massive cyberattack in April that shut down systems and caused food shortages in its grocery stores. Co-op (short for the Co-operative Group) is one of the United Kingdom's largest consumer co-operatives, operating food stores, funeral services, insurance, and legal services. It is owned by millions of members who receive discounts on services and share in the company's governance. Co-op's CEO, Shirine Khoury-Haq, apologized today on the BBC Breakfast show, confirming that the attackers successfully stole the data for all of its 6.5 million members."
        https://www.bleepingcomputer.com/news/security/co-op-confirms-data-of-65-million-members-stolen-in-cyberattack/
        https://www.theregister.com/2025/07/16/coop_data_stolen/
      • UnitedHealth-Linked Health Tech Firm Episource Breach Hits 5.4M Patients
        "Episource, a company specialising in medical billing, is currently informing more than 5.4 million individuals across the United States that their personal and health information was stolen in a cyberattack earlier this year. This incident, impacting a significant number of Americans, stands as a major healthcare data breach reported in 2025 so far, according to data from the US Department of Health and Human Services."
        https://hackread.com/unitedhealth-health-tech-firm-episource-breach/
        https://www.infosecurity-magazine.com/news/54-million-affected-episource/
      • Compumedics Ransomware Attack Led To Data Breach Impacting 318,000
        "Compumedics was recently targeted in a ransomware attack that resulted in the personal information of hundreds of thousands of individuals getting stolen. Compumedics makes medical technologies for the diagnosis of sleep and neurological disorders. The company’s global headquarters are in Australia, but it also has a presence in the United States and Europe. The company informed customers in a data security notice that its systems were accessed by hackers between February 15 and March 23, 2025. The breach was discovered on March 22."
        https://www.securityweek.com/compumedics-ransomware-attack-led-to-data-breach-impacting-318000/
      • Ukraine-Aligned Hackers Claim Cyberattack On Major Russian Drone Supplier
        "Ukrainian military intelligence and allied hacker groups said they carried out a large-scale cyberattack against a major Russian drone supplier, disrupting its operations. In a statement on Telegram, two well-known Ukrainian volunteer hacker groups — the Ukrainian Cyber Alliance (UAC) and Black Owl (BO Team) — claimed to have accessed and destroyed terabytes of technical data from Gaskar Group, a Russian developer and manufacturer of unmanned aerial vehicles, including those reportedly used to attack Ukraine. Ukraine’s military intelligence agency (HUR) confirmed the attack and its involvement in a statement sent to local media. The agency claimed that the operation had paralyzed Gaskar’s accounting systems, production software and internet infrastructure."
        https://therecord.media/ukraine-hackers-claim-attack-russia-gaskar-group-drone-maker
        https://www.theregister.com/2025/07/16/ukrainian_drone_attack/
      • Turbulence At Air Serbia, The Latest Airline Under Cyber Siege
        "Aviation insiders say Serbia's national airline, Air Serbia, was forced to delay issuing payslips to staff as a result of a cyberattack it is battling. Internal memos, seen by The Register, dated July 10 told staff: "Given the current situation and the ongoing cyberattacks, for security reasons, we will postpone the distribution of the June 2025 payslips. "The IT department is working to resolve the issue as a priority, and once the conditions allow, the payslips will be sent to your email addresses." Staff were reportedly paid their monthly salaries, but access to their payslip PDF was unavailable."
        https://www.theregister.com/2025/07/16/air_serbia_cyberattack/

      General News

      • Experts Unpack The Biggest Cybersecurity Surprises Of 2025
        "2025 has been a busy year for cybersecurity. From unexpected attacks to new tactics by threat groups, a lot has caught experts off guard. We asked cybersecurity leaders to share the biggest surprises they’ve seen so far this year and what those surprises might mean for the rest of us. The biggest cybersecurity surprise of 2025 has been the speed and sophistication of AI-powered Business Email Compromise, specifically the pivot away from email alone."
        https://www.helpnetsecurity.com/2025/07/16/biggest-cybersecurity-surprises-2025/
      • Real-World Numbers For Estimating Security Audit Costs
        "At the end of Star Wars: A New Hope, Luke Skywalker races through the Death Star trench, hearing the ghostly voice of Obi-Wan Kenobi telling him to trust him. Luke places blind trust in an intangible energy that surrounds him, he defeats Darth Vader and blows up the dreaded Death Star. While this story works for science fiction, real-world customers can no longer afford to place blind trust in their vendors – they need documented assurance that their business partners and vendors are secure. To obtain this assurance, most companies engage in third-party audits, especially those operating within highly regulated industries. However, as organizations plan their budgets, many have little to no insight into how much the security audits really cost."
        https://www.helpnetsecurity.com/2025/07/16/estimating-security-audit-costs/
      • Most Cybersecurity Risk Comes From Just 10% Of Employees
        "A new report from Living Security and the Cyentia Institute sheds light on the real human element behind cybersecurity threats, and it’s not what most organizations expect. The Risky Business: Who Protects & Who Puts You at Risk report analyzes data from over 100 organizations and challenges conventional thinking by revealing that a small portion of users, just 10 percent, are responsible for nearly 73 percent of all risky behavior in the enterprise."
        https://www.helpnetsecurity.com/2025/07/16/human-cybersecurity-risk-employees/
      • Global Operation Targets NoName057(16) Pro-Russian Cybercrime Network
        "Between 14 and 17 July, a joint international operation, known as Eastwood and coordinated by Europol and Eurojust, targeted the cybercrime network NoName057(16). Law enforcement and judicial authorities from Czechia, France, Finland, Germany, Italy, Lithuania, Poland, Spain, Sweden, Switzerland, the Netherlands and the United States took simultaneous actions against offenders and infrastructure belonging to the pro-Russian cybercrime network. The investigation was also supported by ENISA, as well as Belgium, Canada, Estonia, Denmark, Latvia, Romania and Ukraine. The private parties ShadowServer and abuse.ch also assisted in the technical part of the operation."
        https://www.europol.europa.eu/media-press/newsroom/news/global-operation-targets-noname05716-pro-russian-cybercrime-network
        https://www.bleepingcomputer.com/news/security/europol-disrupts-pro-russian-noname05716-ddos-hacktivist-group/
        https://therecord.media/international-police-takedown-noname-hacker
        https://www.darkreading.com/remote-workforce/fully-patched-sonicwall-gear-zero-day-attack
        https://www.bankinfosecurity.com/eu-authorities-take-down-pro-russian-hacktivist-collective-a-28985
        https://cyberscoop.com/noname05716-disruption-operation-eastwood-europol/
        https://www.infosecurity-magazine.com/news/prorussian-cybercrime-network/
        https://www.securityweek.com/europol-coordinated-global-operation-takes-down-pro-russian-cybercrime-network/
        https://securityaffairs.com/180027/cyber-crime/operation-eastwood-disrupted-operations-of-pro-russian-hacker-group-noname05716.html
        https://www.theregister.com/2025/07/16/russian_hacktivist_bust/
        https://www.helpnetsecurity.com/2025/07/16/pro-russian-cybercrime-crackdown-noname05716/
      • Retail Ransomware Attacks Jump 58% Globally In Q2 2025
        "Publicly disclosed ransomware attacks targeting the retail sector globally have surged by 58% in Q2 2025 compared to Q1, with UK-based firms bearing the brunt of this targeting, according to new data from BlackFog. The findings follow a spate of high-profile retailers reporting attacks during April-June 2025. This includes the trio of ransomware attacks on UK brands Marks & Spencer (M&S), The Co-op and Harrods in late April, which have been linked to the Scattered Spider threat actor. These incidents have caused significant operational disruption and financial costs for the victims."
        https://www.infosecurity-magazine.com/news/retail-ransomware-jump-globally-q2/
      • Education Sector Is Most Exposed To Remote Attacks
        "The education sector tops the list of industries with the most vulnerable cloud assets, APIs and web applications, according to a new study from CyCognito. The security vendor analyzed a random sample of two million internet-exposed assets between January and June, simulating real-world attacker behavior including:"
        https://www.infosecurity-magazine.com/news/education-sector-most-exposed-to/
      • Amid Border Dispute, Thailand Goes After Cambodian Tycoon Over Alleged Cyber Scam Ties
        "Thai police raided seven properties on Tuesday allegedly connected to a prominent Cambodian senator and tycoon accused of involvement in the online scamming industry. The raids were the latest action taken against the politically connected businessman, Kok An, amid a deepening diplomatic row between Cambodia and Thailand that began over a border spat and has led to the suspension of Thai Prime Minister Paetongtarn Shinawatra. According to the Bangkok Post, police raided two houses in Sa Kaeo province belonging to two women who authorities say help manage a high-rise scam compound in the Cambodian border city of Poipet. The compound is run by one of Kok’s daughters, Juree Khlongkijjakol, the authorities allege."
        https://therecord.media/thailand-goes-after-cambodian-tycoon-cyber-scams

      Reference
      Electronic Transactions Development Agency (ETDA)
