NCSA Webboard

    Cyber Threat Intelligence 19 August 2025

    Cyber Security News
    NCSA_THAICERT

      Telecom Sector

      • Novel 5G Attack Bypasses Need For Malicious Base Station
        "A team of researchers from the Singapore University of Technology and Design has disclosed the details of a new 5G attack that does not require the use of a malicious base station. As part of the project, the researchers have released a framework named Sni5Gect that can be used to sniff messages and perform message injection in 5G communications. The attack targets the 5G New Radio (NR) radio access technology that powers 5G networks. Previously demonstrated 5G attacks involved the use of a rogue base station that the victim needs to connect to, which can limit the practicality of an attack, the researchers said."
        Priority: 3 - Important
        Relevance: General
        https://www.securityweek.com/novel-5g-attack-bypasses-need-for-malicious-base-station/
        https://www.theregister.com/2025/08/18/sni5gect/

      New Tooling

      • Buttercup: Open-Source AI-Driven System Detects And Patches Vulnerabilities
        "Buttercup is a free, automated, AI-powered platform that finds and fixes vulnerabilities in open-source software. Developed by Trail of Bits, it recently earned second place in DARPA’s AI Cyber Challenge (AIxCC). Buttercup is made up of four main components, each playing a different role in finding and fixing vulnerabilities."
        https://www.helpnetsecurity.com/2025/08/18/buttercup-ai-vulnerability-scanner-open-source/
        https://github.com/trailofbits/buttercup

      Vulnerabilities

      • Over 800 N-Able Servers Left Unpatched Against Critical Flaws
        "Over 800 N-able N-central servers remain unpatched against a pair of critical security vulnerabilities tagged as actively exploited last week. N-central is a popular platform used by many managed services providers (MSPs) and IT departments to monitor and manage networks and devices from a centralized web-based console. Tracked as CVE-2025-8875 and CVE-2025-8876, the two flaws can let authenticated attackers inject commands due to improper sanitization of user input and execute commands on unpatched devices by exploiting an insecure deserialization weakness, respectively."
        https://www.bleepingcomputer.com/news/security/over-800-n-able-servers-left-unpatched-against-critical-flaws/
        https://www.securityweek.com/hundreds-of-n-able-n-central-instances-affected-by-exploited-vulnerabilities/
      • CISA Adds One Known Exploited Vulnerability To Catalog
        "CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
        CVE-2025-54948 Trend Micro Apex One OS Command Injection Vulnerability"
        https://www.cisa.gov/news-events/alerts/2025/08/18/cisa-adds-one-known-exploited-vulnerability-catalog

      Malware

      • Infostealer Targets Russian Crypto Developers
        "A new threat campaign “Solana-Scan” includes multiple malicious NPM packages targeting the Solana cryptocurrency ecosystem. These packages include a new infostealer malware that appears to target Russian cryptocurrency developers."
        https://getsafety.com/blog-posts/infostealer-targets-russian-crypto-developers
        https://www.theregister.com/2025/08/18/solana_infostealer_npm_malware/
      • 2025 State Of The Internet: Digging Into Residential Proxy Infrastructure
        "So far in our State of the Internet research series, we’ve explored everything from the lifespans of prominent C2 servers to the infrastructure of long-running malware campaigns. This time, we turn our attention to a hot topic in the world of proxy threats: residential proxies. Beneath the hum of everyday Internet traffic, millions of home and small business devices quietly pull double duty, functioning for their legitimate owners while also – either knowingly or unknowingly – relaying traffic for entirely separate purposes. These devices form the backbone of residential proxy networks, which route traffic through ordinary consumer equipment."
        https://censys.com/blog/2025-state-of-the-internet-digging-into-residential-proxy-infrastructure
        https://www.bankinfosecurity.com/ballooning-polaredge-botnet-suspected-cyberespionage-op-a-29246
      • EchoLink And The Rise Of Zero-Click AI Exploits
        "In an increasingly AI-powered enterprise landscape, the recent discovery of a zero-click vulnerability in Microsoft 365 Copilot, dubbed EchoLink, should come as a stark warning for cyber security leaders. This isn’t just another flaw – it’s a new class of threat. One that doesn’t require a single click, a download, or any user interaction to trigger. EchoLink is invisible, fast-moving, and capable of silently leaking sensitive enterprise data."
        https://blog.checkpoint.com/email-security/echolink-and-the-rise-of-zero-click-ai-exploits/
      • Noodlophile Stealer Evolves: Targeted Copyright Phishing Hits Enterprises With Social Media Footprints
        "The Noodlophile Stealer, first detailed in our previous analysis (New Noodlophile Stealer Distributes Via Fake AI Video Generation Platforms), has evolved into a highly targeted threat exploiting enterprises with significant Facebook footprints. This blog dissects the upgraded phishing tactics, delivery methods, and enhanced Noodlophile capabilities, offering security leaders actionable insights to protect against this sophisticated threat."
        https://www.morphisec.com/blog/noodlophile-stealer-evolves-targeted-copyright-phishing-hits-enterprises-with-social-media-footprints/
        https://engage.morphisec.com/hubfs/2025_PDFs/Noodlophile_Stealer_Evolves.pdf
        https://thehackernews.com/2025/08/noodlophile-malware-campaign-expands.html
        https://www.darkreading.com/threat-intelligence/noodlophile-stealer-bogus-copyright-complaints
        https://hackread.com/phishing-scam-fake-copyright-notice-noodlophile-stealer/
        https://www.helpnetsecurity.com/2025/08/18/noodlophile-infostealer-spear-phishing-campaign-copyright-infingement/
      • Dissecting PipeMagic: Inside The Architecture Of a Modular Backdoor Framework
        "Among the plethora of advanced attacker tools that exemplify how threat actors continuously evolve their tactics, techniques, and procedures (TTPs) to evade detection and maximize impact, PipeMagic, a highly modular backdoor used by Storm-2460 masquerading as a legitimate open-source ChatGPT Desktop Application, stands out as particularly advanced."
        https://www.microsoft.com/en-us/security/blog/2025/08/18/dissecting-pipemagic-inside-the-architecture-of-a-modular-backdoor-framework/
        https://therecord.media/ransomware-gang-masking-pipemagic-backdoor
        https://hackread.com/fake-chatgpt-desktop-app-pipemagic-backdoor-microsoft/
      • Evolution Of The PipeMagic Backdoor: From The RansomExx Incident To CVE-2025-29824
        "In April 2025, Microsoft patched 121 vulnerabilities in its products. According to the company, only one of them was being used in real-world attacks at the time the patch was released: CVE-2025-29824. The exploit for this vulnerability was executed by the PipeMagic malware, which we first discovered in December 2022 in a RansomExx ransomware campaign. In September 2024, we encountered it again in attacks on organizations in Saudi Arabia. Notably, it was the same version of PipeMagic as in 2022. We continue to track the malware’s activity. Most recently, in 2025 our solutions prevented PipeMagic infections at organizations in Brazil and Saudi Arabia."
        https://securelist.com/pipemagic/117270/
        https://thehackernews.com/2025/08/microsoft-windows-vulnerability.html
      • Cryptomining Group Kinsing Expands Operations To Russia, Researchers Warn
        "Russian cybersecurity researchers said the Kinsing hacker group has launched a large-scale wave of cyberattacks aimed at hijacking Russian computers for cryptocurrency mining. In a report last week, Russia-based cybersecurity firm F6 said the attacks began in April and infected devices with Kinsing and XMRig malware, tools commonly used to mine the cryptocurrency Monero. F6 did not disclose which companies were targeted. Kinsing, also known as H2Miner and Resourceful Wolf, has been active since 2019 and is one of the most prolific groups engaged in so-called cryptojacking. Instead of phishing, the hackers scan company networks for vulnerabilities in widely-used software and exploit them to install malicious code."
        https://therecord.media/cryptomining-group-kinsing-hits-russia
      • Uncovering a Multi-Stage USB Cryptomining Attack
        "CyberProof MDR analysts alerted Threat Hunters on an incident originating from an infected USB device that could lead to a backdoor infection and cryptomining through a multi-stage attack leveraging DLL search order hijacking and PowerShell to bypass security. Upon further investigation, we were able to confirm the malware involved was linked to an earlier reported cryptominer (XMRig or Zephyr) attack kill chain. While investigating, we also were able to confirm that the malware was blocked by the organization's EDR during the final stages of the miner attack."
        https://www.cyberproof.com/blog/uncovering-a-multi-stage-usb-cryptomining-attack/
        https://www.infosecurity-magazine.com/news/usb-malware-spreads-cryptominer/
      • Compromised Npm Package Threatens Developer Projects
        "ReversingLabs’ automated threat detection system discovered a compromise of a popular npm package, eslint-config-prettier, on July 18. The package has more than 3.5 billion downloads and 12,000 dependencies. Several other packages published by the same maintainer were also affected, and malicious versions of eslint-config-prettier were published from the maintainer’s account that was compromised in a well-crafted phishing campaign. The campaign was reported by the Socket research team on the same day as RL’s detection."
        https://www.reversinglabs.com/blog/eslint-hack
        https://www.infosecurity-magazine.com/news/popular-npm-package-compromised-in/
      • APT Sidewinder Spoofs Government And Military Institutions To Target South Asian Countries With Credential Harvesting Techniques
        "APT Sidewinder, a persistent APT group believed to originate from South Asia, has consistently targeted military and government entities across Bangladesh, Sri Lanka, Turkey, Nepal, Pakistan, and other neighboring countries. Sidewinder frequently leverages spear-phishing techniques involving weaponized documents and malicious links. These campaigns mimic official communication to trick victims into entering credentials on fake login pages."
        https://hunt.io/blog/apt-sidewinder-netlify-government-phishing
      • Lazarus Stealer: Android Malware For Russian Bank Credential Theft Through Overlay And SMS Manipulation
        "At CYFIRMA, we deliver actionable intelligence on emerging cyber threats impacting both individuals and organizations. This report analyzes a sophisticated Android banking malware known as “Lazarus Stealer”, not to be mistaken for the DPRK-linked Lazarus Group. The name “Lazarus Stealer” stems solely from how it is labeled in its control panel by the developer and bears no relation to the nation-state actor. Disguised as a harmless application called “GiftFlipSoft”, the malware specifically targets multiple Russian banking apps, extracting card numbers, PINs, and other sensitive credentials while remaining completely hidden from the device’s interface."
        https://www.cyfirma.com/research/lazarus-stealer-android-malware-for-russian-bank-credential-theft-through-overlay-and-sms-manipulation/
      • A DNS Exploration Of The Latest Educated Manticore Attack
        "Check Point Research published an in-depth analysis of the recent spearphishing attack launched by Iranian threat group Educated Manticore. The attackers targeted Israeli journalists, high-profile cybersecurity experts, and computer science professors from leading Israeli universities. The threat actors directed victims who engaged with them to fake Gmail login pages or Google Meet invitations. The credentials the victims entered on phishing pages were sent to the attackers, enabling them to intercept passwords and two-factor authentication (2FA) codes and gain unauthorized access to the victims’ accounts."
        https://circleid.com/posts/a-dns-exploration-of-the-latest-educated-manticore-attack
      • Android Malware Promises Energy Subsidy To Steal Financial Data
        "Recently, we identified an active Android phishing campaign targeting Indian users. The attackers impersonate a government electricity subsidy service to lure victims into installing a malicious app. In addition to stealing financial information, the malicious app also steals text messages, uses the infected device to send smishing messages to the user’s contact list, and can be remotely controlled using Firebase; the phishing website and malware were hosted on GitHub. This attack chain leverages YouTube videos, a fake government-like website, and a GitHub-hosted APK file—forming a well-orchestrated social engineering operation. The campaign involves fake subsidy promises, user data theft, and remote-control functionalities, posing a substantial threat to user privacy and financial security."
        https://www.mcafee.com/blogs/other-blogs/mcafee-labs/android-malware-promises-energy-subsidy-to-steal-financial-data/

      Breaches/Hacks/Leaks

      • HR Giant Workday Discloses Data Breach Amid Salesforce Attacks
        "Human resources giant Workday has disclosed a data breach after attackers gained access to a third-party customer relationship management (CRM) platform in a recent social engineering attack. Headquartered in Pleasanton, California, Workday has over 19,300 employees in offices across North America, EMEA, and APJ. Workday's customer list comprises over 11,000 organizations across a diverse range of industries, including more than 60% of the Fortune 500 companies. As the company revealed in a Friday blog, the attackers gained access to some of the information stored on the compromised CRM systems, adding that no customer tenants were impacted."
        https://www.bleepingcomputer.com/news/security/hr-giant-workday-discloses-data-breach-amid-salesforce-attacks/
        https://therecord.media/workday-social-engineering-data-breach
        https://www.darkreading.com/application-security/workday-breach-shinyhunters-salesforce-attacks
        https://www.bankinfosecurity.com/workday-breached-as-ransomware-group-seeks-salesforce-data-a-29242
        https://www.infosecurity-magazine.com/news/workday-reveals-crm-breach/
        https://www.securityweek.com/workday-data-breach-bears-signs-of-widespread-salesforce-hack/
        https://securityaffairs.com/181271/data-breach/human-resources-firm-workday-disclosed-a-data-breach.html
        https://www.theregister.com/2025/08/18/workday_crm_breach/
      • Casino Gaming Company Bragg Says Hackers Accessed ‘Internal Computer Environment’
        "One of the leading casino game producers said hackers breached their systems and accessed internal environments during an incident discovered on Saturday morning. Bragg Gaming Group said on Monday that it “believes that the data breach was limited to Bragg’s internal computer environment” based on its preliminary investigation. “At the present time, there is no indication that any personal information was affected,” the company said. “Additionally, the breach has had no impact on the ability of the Company to continue its operations, nor has it been restricted from accessing any data that has been subject to the breach.”"
        https://therecord.media/casino-gaming-company-cyber-incident-bragg
      • How We Found TeaOnHer Spilling Users’ Driver’s Licenses In Less Than 10 Minutes
        "For an app all about spilling the beans on who you’re allegedly dating, it’s ironic that TeaOnHer was spilling the personal information of thousands of its users to the open web. TeaOnHer was designed for men to share photos and information about women they claim to have been dating. But much like Tea, the dating-gossip app for women it was trying to replicate, TeaOnHer had gaping holes in its security that exposed its users’ personal information, including photos of their driver’s licenses and other government-issued identity documents, as TechCrunch reported last week."
        https://techcrunch.com/2025/08/13/how-we-found-teaonher-spilling-users-drivers-licenses-in-less-than-10-minutes/

      General News

      • How Security Teams Are Putting AI To Work Right Now
        "AI is moving from proof-of-concept into everyday security operations. In many SOCs, it is now used to cut down alert noise, guide analysts during investigations, and speed up incident response. What was once seen as experimental technology is starting to deliver results that CISOs can measure."
        https://www.helpnetsecurity.com/2025/08/18/ai-in-security-operations/
      • Weak Alerting And Slipping Prevention Raise Risk Levels For CISOs
        "Prevention effectiveness is falling, detection gaps remain wide, and attackers are exploiting weaknesses in data protection and credentials. Data theft prevention has dropped to 3 percent, password cracking success rates have nearly doubled, and new threat groups are bypassing defenses. The latest Blue Report from Picus Security shows that prevention effectiveness against cyberattacks has dropped for the first time in two years, falling from 69% in 2024 to 62% in 2025. Detection capabilities remain weak, with less than one in seven simulated attacks triggering an alert."
        https://www.helpnetsecurity.com/2025/08/18/ciso-cybersecurity-prevention-effectiveness/
      • Bridging The AI Model Governance Gap: Key Findings For CISOs
        "While most organizations understand the need for strong AI model governance, many are still struggling to close gaps that could slow adoption and increase risk. The findings of a new Anaconda survey of more than 300 AI practitioners and decision-makers highlight security concerns in open-source tools, inconsistent model monitoring, and the operational challenges caused by fragmented AI toolchains."
        https://www.helpnetsecurity.com/2025/08/18/ciso-ai-model-governance/
      • UK Sentences “Serial Hacker” Of 3,000 Sites To 20 Months In Prison
        "A 26-year-old in the UK who claimed to have hacked thousands of websites was sentenced to 20 months in prison after pleading guilty earlier this year. Al-Tahery Al-Mashriky of Rotherham, UK, was arrested in 2022 based on information received from U.S. law enforcement and charged with stealing login details of millions of Facebook users, and hacking websites belonging to the government in Yemen, an Israeli news outlet, and organizations in the U.S. and Canada. Al-Mashriky pleaded guilty to the charges this year on March 17. He was linked to extremist groups such as ‘Spider Team’ and ‘Yemen Cyber Army’."
        https://www.bleepingcomputer.com/news/legal/uk-sentences-serial-hacker-of-3-000-sites-to-20-months-in-prison/
        https://www.infosecurity-magazine.com/news/man-jailed-20-months-millions-of/
      • How Evolving RATs Are Redefining Enterprise Security Threats
        "Remote access Trojans (RATs) are no longer just blunt instruments for cybercriminals. They've become more elusive, quietly shaping a new chapter in enterprise threats. Recent strains like StilachiRAT and SnowDog RAT are using corrupted DOS and PE headers to hide in plain sight, persisting undetected on enterprise systems for extended periods."
        https://www.darkreading.com/cyberattacks-data-breaches/evolving-rats-redefine-enterprise-security-threats
      • Defending Against Cloud Threats Across Multicloud Environments
        "Late last year, a threat group — tracked by Microsoft as Storm-0501 — compromised hybrid cloud environments in an opportunistic campaign targeting the government, manufacturing, transportation, and law enforcement sectors. The group aimed to generate cash through a ransomware affiliate scheme."
        https://www.darkreading.com/cloud-security/defending-against-cloud-threats-across-multi-cloud-environments
      • New Quantum-Safe Alliance Aims To Accelerate PQC Implementation
        "IBM Consulting, Keyfactor, Quantinuum and Thales are pooling their respective resources to provide enterprises with unified post-quantum cryptography (PQC) technology and services with the new Quantum-Safe 360 Alliance, launched on Thursday. The alliance aims to provide complete and compatible PQC assessment and migration capabilities. Much of their technical integration work is well in place because the four companies already have various established partnerships with one another."
        https://www.darkreading.com/cybersecurity-operations/new-quantum-safe-alliance-accelerate-pqc-implementation
      • 7 Things I Wish I Knew Before Becoming a CISO
        "Last week, I was joined on a Black Hat panel “To Be or Not to Be... a CISO” by fellow esteemed CISOs, Gursev Kalra from Salesforce, Vercel’s Ty Sbano, and host Shubham Mittal from RedHunt Labs to discuss our career progressions. Afterward, the discussions continued with several people asking for more information and advice. I’ve distilled that discussion in this blog and hope it will be useful to aspiring or new CISOs."
        https://www.fortinet.com/blog/ciso-collective/things-i-wish-i-knew-before-becoming-a-ciso
      • AI For Cybersecurity: Building Trust In Your Workflows
        "In cybersecurity, speed matters. But speed without trust can be just as dangerous – if not more so – as no action at all. A hasty, inaccurate decision can disrupt critical systems, cause unnecessary downtimes, and erode confidence in your security operations. That’s why AI in cybersecurity is about more than just faster detection and response; it’s about building trust into every decision the system and analysts make."
        https://securityaffairs.com/181278/security/ai-for-cybersecurity-building-trust-in-your-workflows.html
      • Thai Police Arrest SMS Blasting Scammers Allegedly Hired By Chinese Boss
        "A white Suzuki driving through Bangkok looked like a normal rental car — until police officers trailing it began receiving fake bank alerts on their own phones. When officers pulled it over, they found a portable SMS blaster inside, capable of sending thousands of phishing messages a day. Thai police said they arrested two men, ages 23 and 25, on August 15 after finding the illegal telecom setup hidden in the car. It included a false base station, router, power unit, and a shark-fin antenna on the roof disguising the signal hardware. Officials said the system allowed scammers to impersonate trusted networks and send messages that appeared to come from banks or government agencies."
        https://therecord.media/bangkok-police-sms-scammers-blasting
      • Every Question You Ask, Every Comment You Make, I'll Be Recording You
        "Recently, OpenAI ChatGPT users were shocked – shocked, I tell you! – to discover that their searches were appearing in Google search. You morons! What do you think AI chatbots are doing? Doing all your homework for free or a mere $20 a month? I think not! When you ask an AI chatbot for an answer, whether it's about the role of tariffs in decreasing prices (spoiler: tariffs increase them); whether your girlfriend is really that into you; or, my particular favorite, "How to Use a Microwave Without Summoning Satan," OpenAI records your questions. And, until recently, Google kept the records for anyone who is search savvy to find them."
        https://www.theregister.com/2025/08/18/opinion_column_ai_surveillance/

      References
      Electronic Transactions Development Agency (ETDA)