NCSA Webboard

    Cyber Threat Intelligence 02 September 2025

    • NCSA_THAICERT

      New Tooling

      • AIDEFEND: Free AI Defense Framework
        "AIDEFEND (Artificial Intelligence Defense Framework) is an open knowledge base dedicated to AI security, providing defensive countermeasures and best practices to help security pros safeguard AI and machine learning systems. Practicality is at the core of AIDEFEND. The framework is designed to be “highly actionable,” with the goal of not only raising awareness of threats but also providing clear playbooks to defend against them."
        https://www.helpnetsecurity.com/2025/09/01/aidefend-free-ai-defense-framework/
        https://github.com/edward-playground/aidefense-framework
      • Hidden Commands In Images Exploit AI Chatbots And Steal Data
        "Hidden commands in images can exploit AI chatbots, leading to data theft on platforms like Gemini through a new image scaling attack. A newly discovered vulnerability in AI systems could allow hackers to steal private information by hiding commands in ordinary images. This discovery came from cybersecurity researchers at Trail of Bits, according to which they have found a way to trick AI models by exploiting a common feature: image downscaling. This attack, which has been named an “image scaling attack.”"
        https://hackread.com/hidden-commands-images-exploit-ai-chatbots-steal-data/
        https://github.com/trailofbits/anamorpher

      Vulnerabilities

      • SQL Injection Vulnerability Patched In Paid Membership Subscriptions Plugin
        "This blog post is about an unauthenticated SQL injection vulnerability in the Paid Membership Subscriptions plugin. If you're a Paid Membership Subscriptions plugin user, please update the plugin to version 2.15.2."
        https://patchstack.com/articles/sql-injection-vulnerability-patched-in-paid-membership-subscriptions-plugin/
        https://www.infosecurity-magazine.com/news/sqli-threat-wordpress-memberships/

      Malware

      • Chasing The Silver Fox: Cat & Mouse In Kernel Shadows
        "While Microsoft Windows has steadily strengthened its security model—through features like Protected Processes (PP/PPL) and enhanced driver verification—threat actors have adapted by shifting their tactics to exploit lower-level weaknesses that bypass these protections without triggering defenses. Among the most effective of these techniques is the abuse of vulnerable kernel-mode drivers, particularly those capable of arbitrary process termination. These drivers, when exploited, can disable or neutralize endpoint protection products, creating a clear path for malware deployment and persistence."
        https://research.checkpoint.com/2025/silver-fox-apt-vulnerable-drivers/
        https://www.infosecurity-magazine.com/news/silver-fox-deploy-valleyrat/
      • Android Droppers: The Silent Gatekeepers Of Malware
        "Droppers have long been a cornerstone of Android malware campaigns. They’re small, seemingly harmless apps whose real job is to fetch and install a malicious payload. Historically, they were most widely used in families like banking trojans and, at times, Remote Access Trojans (RATs). Especially after Android 13 restricted permissions and APIs, these threats leaned on droppers to slip past upfront scanning and later request powerful permissions (such as Accessibility Services) upon installing payload, without drawing attention."
        https://www.threatfabric.com/blogs/android-droppers-the-silent-gatekeepers-of-malware
        https://thehackernews.com/2025/09/android-droppers-now-deliver-sms.html
      • When Browsers Become The Attack Surface: Rethinking Security For Scattered Spider
        "As enterprises continue to shift their operations to the browser, security teams face a growing set of cyber challenges. In fact, over 80% of security incidents now originate from web applications accessed via Chrome, Edge, Firefox, and other browsers. One particularly fast-evolving adversary, Scattered Spider, has made it their mission to wreak havoc on enterprises by specifically targeting sensitive data on these browsers."
        https://thehackernews.com/2025/09/when-browsers-become-attack-surface.html

      Breaches/Hacks/Leaks

      • Zscaler Data Breach Exposes Customer Info After Salesloft Drift Compromise
        "Cybersecurity company Zscaler warns it suffered a data breach after threat actors gained access to its Salesforce instance and stole customer information, including the contents of support cases. This warning follows the compromise of Salesloft Drift, an AI chat agent that integrates with Salesforce, in which attackers stole OAuth and refresh tokens, enabling them to gain access to customer Salesforce environments and exfiltrate sensitive data. In an advisory, Zscaler says that its Salesforce instance was impacted by this supply-chain attack, exposing customers' information."
        https://www.bleepingcomputer.com/news/security/zscaler-data-breach-exposes-customer-info-after-salesloft-drift-compromise/
        https://securityaffairs.com/181801/data-breach/supply-chain-attack-hits-zscaler-via-salesloft-drift-leaking-customer-info.html
      • Austria's Interior Ministry Says 100 Email Accounts Breached
        "The Austrian government said attackers breached 100 government email accounts and stole data. Austria's Ministry of the Interior, known as the BMI, said the breach traced to a "targeted and professional cyberattack" against it, perpetrated several weeks ago. The BMI, which is chiefly responsible for safeguarding the country's public security, said its IT operations unit "detected signs of irregularities in one of the ministry's office IT systems" that it's been investigating, and recently determined that these irregularities were traced to a hack attack and the theft of an unspecified type and quantity of data."
        https://www.bankinfosecurity.com/austrias-interior-ministry-says-100-email-accounts-breached-a-29340

      General News

      • Boards Are Being Told To Rethink Their Role In Cybersecurity
        "Boards of directors are being told that cybersecurity is now central to business resilience and growth, and that they must engage more directly in the way their organizations manage risk. A new report from Google Cloud’s Office of the CISO lays out three areas where board oversight is becoming especially important: ransomware, cyber-enabled fraud, and the intersection of innovation and cybersecurity."
        https://www.helpnetsecurity.com/2025/09/01/google-board-cybersecurity-oversight/
      • Cybersecurity Signals: Connecting Controls And Incident Outcomes
        "There is constant pressure on security leaders to decide which controls deserve the most attention and budget. A new study offers evidence on which measures are most closely linked to lower breach risk and how organizations should think about deploying them. Marsh McLennan’s Cyber Risk Intelligence Center (CRIC) analyzed thousands of organizations’ responses to its Cyber Self-Assessment and compared them with claims data. The findings highlight which controls matter most for lowering breach likelihood."
        https://www.helpnetsecurity.com/2025/09/01/cric-cybersecurity-signals/
      • GenAI Is Fueling Smarter Fraud, But Broken Teamwork Is The Real Problem
        "More than 80 percent of large U.S. companies were targeted by socially engineered fraud in the past year, according to Trustmi’s 2025 Socially Engineered Fraud & Risk Report. Nearly half of those organizations reported a direct financial loss, with many incidents costing more than $500,000. The findings show that these attacks are recurring problems that disrupt operations, trigger audits, and shake trust across the business. CISOs who treat fraud as a rare finance problem may be missing its broader impact."
        https://www.helpnetsecurity.com/2025/09/01/ciso-fraud-prevention-genai/
      • The Digital Roads To Government Services: Uncovering Consolidation And Exposure
        "People who access government websites and their associated domains often assume the service is hosted domestically. If so, their data is generally expected to take a direct and local route to the hosting server. In reality, even when a government domain is hosted locally, the path our data takes can be surprisingly indirect, weaving through foreign networks, crossing international borders, and passing through infrastructure owned by entities in other jurisdictions."
        https://pulse.internetsociety.org/blog/the-digital-roads-to-government-services-uncovering-consolidation-and-exposure
        https://www.theregister.com/2025/09/01/isoc_government_domain_traffic_measurement/
      • Supply Chain Attacks Have Doubled. What’s Driving The Increase?
        "Software supply chain attacks have been occurring at twice their long-term average in recent months and have shown no sign of slowing down. The uptick in supply chain attacks began in April 2025, when Cyble dark web researchers observed claims of 31 such attacks. Since then, cyberattacks with supply chain implications have averaged 26 a month, twice the rate seen from early 2024 through March 2025 (chart below)."
        https://cyble.com/blog/supply-chain-attacks-double-in-2025/
      • KillChainGraph: Researchers Test Machine Learning Framework For Mapping Attacker Behavior
        "A team of researchers from Frondeur Labs, DistributedApps.ai, and OWASP has developed a new machine learning framework designed to help defenders anticipate attacker behavior across the stages of the Cyber Kill Chain. The work explores how machine learning models can forecast adversary techniques and generate structured attack paths. The Cyber Kill Chain, introduced by Lockheed Martin, breaks down attacks into seven stages: reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives. The MITRE ATT&CK framework, now widely used in the industry, catalogs real-world tactics and techniques used by adversaries. The researchers combined the two models to study how attackers move step by step through an intrusion."
        https://www.helpnetsecurity.com/2025/09/01/killchaingraph-predictive-cyber-kill-chain/
        https://arxiv.org/pdf/2508.18230
      • DDoS Is The Neglected Cybercrime That's Getting Bigger. Let's Kill It Off
        "Agatha Christie stuck a dagger in the notion that crime doesn't pay. With sales of between two and four billion books – fittingly, the exact number is a mystery – she built a career out of murder that out-bloodied Jack the Ripper. It's a fair bet that had she chosen to write about accountancy fraud instead, her sales would be between two and four billion fewer. Some crime is sexy. Some is not."
        https://www.theregister.com/2025/09/01/ddos_opinion/
      • Detecting Exposed LLM Servers: A Shodan Case Study On Ollama
        "The rapid deployment of large language models (LLMs) has introduced significant security vulnerabilities due to misconfigurations and inadequate access controls. This paper presents a systematic approach to identifying publicly exposed LLM servers, focusing on instances running the Ollama framework. Utilizing Shodan, a search engine for internet-connected devices, we developed a Python-based tool to detect unsecured LLM endpoints. Our study uncovered over 1,100 exposed Ollama servers, with approximately 20% actively hosting models susceptible to unauthorized access. These findings highlight the urgent need for security baselines in LLM deployments and provide a practical foundation for future research into LLM threat surface monitoring."
        https://blogs.cisco.com/security/detecting-exposed-llm-servers-shodan-case-study-on-ollama

      Reference
      Electronic Transactions Development Agency (ETDA)
