Cyber Threat Intelligence 08 September 2025
New Tooling
- MeetC2 Is a PoC C2 Tool Using Google Calendar To Mimic Cloud Abuse, Helping Teams Test Detection, Logging, And Response.
"Background: Modern adversaries increasingly hide command-and-control (C2) traffic inside cloud services. We built this proof of concept (PoC) to study and demonstrate those techniques in a controlled way, emulating those tactics so red and blue teams can exercise detection, telemetry, and response to cloud abuse scenarios. Storytime: During an internal purple-team exercise, we saw how easily traffic to trusted SaaS domains slipped. We built a lightweight, cross‑platform PoC that uses Google Calendar, giving teams a reproducible way to validate detections, logging, and third‑party app governance for cloud‑abuse C2 in a controlled environment."
https://securityaffairs.com/181940/security/meetc2-a-serverless-c2-framework-that-leverages-google-calendar-apis-as-a-communication-channel.html
https://github.com/deriv-security/MeetC2
Vulnerabilities
- Max Severity Argo CD API Flaw Leaks Repository Credentials
"An Argo CD vulnerability allows API tokens with even low project-level get permissions to access API endpoints and retrieve all repository credentials associated with the project. The flaw, tracked under CVE-2025-55190, is rated with the maximum severity score of 10.0 in CVSS v3, and allows bypassing isolation mechanisms used to protect sensitive credential information. Attackers holding those credentials could then use them to clone private codebases, inject malicious manifests, attempt downstream compromise, or pivot to other resources where the same credentials are reused."
https://www.bleepingcomputer.com/news/security/max-severity-argo-cd-api-flaw-leaks-repository-credentials/
https://github.com/argoproj/argo-cd/security/advisories/GHSA-786q-9hcg-v9ff
- Critical SAP S/4HANA Code Injection Vulnerability (CVE-2025-42957) Exploited In The Wild - Patch Immediately
"The exploit was discovered by the SecurityBridge Threat Research Labs, which has also verified that the exploit is being used in the wild. Immediate patching is imperative. CVE-2025-42957 is a critical ABAP code injection vulnerability in SAP S/4HANA (CVSS 9.9) that allows a low-privileged user to take complete control of your SAP system."
https://securitybridge.com/blog/critical-sap-s-4hana-code-injection-vulnerability-cve-2025-42957/
https://www.bleepingcomputer.com/news/security/critical-sap-s-4hana-vulnerability-now-exploited-in-attacks/
https://thehackernews.com/2025/09/sap-s4hana-critical-vulnerability-cve.html
https://www.darkreading.com/vulnerabilities-threats/sap-4hana-vulnerability-under-attack
https://www.securityweek.com/recent-sap-s-4hana-vulnerability-exploited-in-attacks/
https://securityaffairs.com/181930/hacking/critical-sap-s-4hana-flaw-cve-2025-42957-under-active-exploitation.html
https://www.theregister.com/2025/09/05/critical_sap_s4hana_bug_exploited/
https://www.helpnetsecurity.com/2025/09/05/attackers-are-exploiting-critical-sap-s-4hana-vulnerability-cve-2025-42957/
https://hackread.com/hackers-exploit-cve-2025-42957-sap-vulnerability/
Malware
- From CastleLoader To CastleRAT: TAG-150 Advances Operations With Multi-Tiered Infrastructure
"Insikt Group has identified a new threat actor, TAG-150, active since at least March 2025, characterized by rapid development, technical sophistication, responsiveness to public reporting, and a large, evolving infrastructure. The infrastructure linked to TAG-150 includes both victim-facing Tier 1 components, such as IP addresses and domains used as command-and-control (C2) servers for multiple malware families, and higher-tier infrastructure composed of multiple layers. Since emerging in March 2025, TAG-150 has deployed multiple likely self-developed malware families, starting with CastleLoader and CastleBot, and most recently CastleRAT, a remote access trojan documented here for the first time. Additionally, Insikt Group has identified multiple services likely leveraged by TAG-150, including file-sharing platforms, anti-detection services, and others."
https://www.recordedfuture.com/research/from-castleloader-to-castlerat-tag-150-advances-operations
https://thehackernews.com/2025/09/tag-150-develops-castlerat-in-python.html
https://www.darkreading.com/threat-intelligence/secretive-maas-group-tag-150-novel-castlerat
https://www.theregister.com/2025/09/05/clickfix_castlerat_malware/
- Uncovering a Colombian Malware Campaign With AI Code Analysis
"VirusTotal Code Insight keeps adding new file formats. This time, we’re looking at two vector-based formats from very different eras: SWF and SVG. Curiously, right after we rolled out this update in production, one of the very first submitted files gave us a perfect, and unexpected, example of Code Insight in action: it uncovered an undetected malware campaign using SVG files that impersonated the Colombian justice system."
https://blog.virustotal.com/2025/09/uncovering-colombian-malware-campaign.html
https://thehackernews.com/2025/09/virustotal-finds-44-undetected-svg.html
https://www.bleepingcomputer.com/news/security/virustotal-finds-hidden-malware-phishing-campaign-in-svg-files/
https://securityaffairs.com/181917/malware/svg-files-used-in-hidden-malware-campaign-impersonating-colombian-authorities.html
- s1ngularity's Aftermath: AI, TTPs, And Impact In The Nx Supply Chain Attack
"Wiz Research has been responding to the s1ngularity incident since news first broke on August 26th. At this point, active attacks seem to have lulled. This gives us an opportunity to step back and share what we’ve discovered in this incident, and the work we’ve done in response. In this post, we’ll explore the impact of this attack to date, dissect the role of AI, and provide guidance on reviewing relevant GitHub logs based on novel TTPs. For a detailed account of the initial incident, refer to our previous blog post."
https://www.wiz.io/blog/s1ngularitys-aftermath
https://www.bleepingcomputer.com/news/security/ai-powered-malware-hit-2-180-github-accounts-in-s1ngularity-attack/
- The GhostAction Campaign: 3,325 Secrets Stolen Through Compromised GitHub Workflows
"On September 5, 2025, GitGuardian discovered GhostAction, a massive supply chain attack affecting 327 GitHub users across 817 repositories. Attackers injected malicious workflows that exfiltrated 3,325 secrets, including PyPI, npm, and DockerHub tokens via HTTP POST requests to a remote endpoint."
https://blog.gitguardian.com/ghostaction-campaign-3-325-secrets-stolen/
https://hackread.com/ghostaction-attack-steals-github-projects-secrets/
- Operation BarrelFire: NoisyBear Targets Entities Linked To Kazakhstan’s Oil & Gas Sector
"Seqrite Labs APT-Team has been tracking and uncovered a supposedly new threat group since April 2025, that we track by the name Noisy Bear as Noisy Bear. This threat group has targeted entities in Central Asia, such as targeting the Oil and Gas or energy sector of Kazakhstan. The campaign is targeted towards employees of KazMunaiGas or KMG where the threat entity delivered a fake document related to KMG IT department, mimicking official internal communication and leveraging themes such as policy updates, internal certification procedures, and salary adjustments."
https://www.seqrite.com/blog/operation-barrelfire-noisybear-kazakhstan-oil-gas-sector/
https://thehackernews.com/2025/09/noisy-bear-targets-kazakhstan-energy.html
- Malicious Npm Packages Impersonate Flashbots SDKs, Targeting Ethereum Wallet Credentials
"Socket’s Threat Research Team uncovered four malicious npm packages ethers-provide-bundle, flashbot-sdk-eth, sdk-ethers and gram-utilz published by a threat actor using the npm alias flashbotts (registration email: aning2028@gmail[.]com), designed to steal cryptocurrency wallet credentials from Web3 developers. The packages masquerade as legitimate cryptographic utilities and Flashbots MEV infrastructure while secretly exfiltrating private keys and mnemonic seeds to a Telegram bot controlled by the threat actor. All packages use identical command-and-control infrastructure (Telegram bot ID: 8083151136), confirming a coordinated supply chain attack targeting the Ethereum ecosystem. At the time of this writing, all the packages are live on the npm registry. We have petitioned for their removal."
https://socket.dev/blog/malicious-npm-packages-impersonate-flashbots-sdks-targeting-ethereum-wallet-credentials
https://thehackernews.com/2025/09/malicious-npm-packages-impersonate.html
- iCloud Calendar Abused To Send Phishing Emails From Apple’s Servers
"iCloud Calendar invites are being abused to send callback phishing emails disguised as purchase notifications directly from Apple's email servers, making them more likely to bypass spam filters to land in targets' inboxes. Earlier this month, a reader shared an email with BleepingComputer that claimed to be a payment receipt for $599 charged against the recipient's PayPal account. This email included a phone number if the recipient wanted to discuss the payment or make changes to it. "Hello Customer, Your PayPal account has been billed $599.00. We're confirming receipt of your recent payment," read the email."
https://www.bleepingcomputer.com/news/security/icloud-calendar-abused-to-send-phishing-emails-from-apples-servers/
- Threat Detection For SharePoint Vulnerabilities
"The Canadian Centre for Cyber Security (Cyber Centre) is actively tracking multiple campaigns exploiting recently disclosed critical vulnerabilities in on-premises Microsoft SharePoint servers, including CVE-2025-49704, CVE-2025-49706, CVE-2025-53770 and CVE-2025-53771. These widespread campaigns leverage an exploit chain known as ToolShell. To help defenders combat attacks leveraging these vulnerabilities, the Cyber Centre has compiled a detailed analysis derived from recent investigations. This analysis outlines the full attack path, examines the evolution and use of the ToolShell exploit chain, and provides an in-depth characterization of the threat actor’s techniques, along with critical mitigation and detection guidance."
https://www.cyber.gc.ca/en/news-events/threat-detection-sharepoint-vulnerabilities
Breaches/Hacks/Leaks
- Financial Services Firm Wealthsimple Discloses Data Breach
"Wealthsimple, a leading Canadian online investment management service, has disclosed a data breach after attackers stole the personal data of an undisclosed number of customers in a recent incident. Founded in 2014 and headquartered in Toronto, the financial services firm holds over CAD$84.5 billion in assets (approximately $61 billion). It offers a wide range of financial products targeting investments, trading, cryptocurrency, tax filing, spending, and savings to over 3 million Canadians. Wealthsimple's Android app has over 1 million downloads on the Google Play Store, while its iOS app has collected over 126,000 ratings from Apple users."
https://www.bleepingcomputer.com/news/security/financial-services-firm-wealthsimple-discloses-data-breach/
- South Carolina School District Data Breach Affects 31,000 People
"A South Carolina school district suffered a data breach that may have exposed personal information of over 31,000 people. In a filing sent to the Maine Attorney General on August 29, School District Five of Lexington & Richland Counties, South Carolina, stated that a June 2025 data breach may have affected 31,475 individuals."
https://www.infosecurity-magazine.com/news/south-carolina-school-district/
- Nexar Dashcam Video Database Hacked
"A hacker cracked into a database of video recordings taken from Nexar-branded cameras, which are built to be placed in drivers’ cars, according to a new report from 404 Media. Nexar is a dashcam company that promotes its products as “virtual CCTV cameras” and offers automatic cloud uploads of critical incidents, AI-driven insights, and real-time road alerts. It offers customers remote video streaming, live GPS tracking, and easy-to-share video-evidence."
https://www.malwarebytes.com/blog/news/2025/09/nexar-dashcam-video-database-hacked
- More Cybersecurity Firms Hit By Salesforce-Salesloft Drift Breach
"Cybersecurity firms Proofpoint, SpyCloud, Tanium, and Tenable have confirmed that information in their Salesforce instances was compromised as part of the recent Salesforce–Salesloft Drift attack. The campaign was publicly disclosed on August 26, when Google’s threat intelligence team reported that a threat actor tracked as UNC6395 exported large volumes of data using compromised OAuth tokens for the third-party AI chatbot Salesloft Drift. The attackers, Google said, exploited the Salesforce-Salesloft Drift integration to steal data pertaining to hundreds of organizations, targeting sensitive information such as AWS access keys, passwords, and Snowflake-related access tokens."
https://www.securityweek.com/more-cybersecurity-firms-hit-by-salesforce-salesloft-drift-breach/
- Salesloft Drift Breach Traced To GitHub Compromise And Stolen OAuth Tokens
"Heard about the recent data breaches where attackers used the Salesloft Drift application to access Salesforce data? There’s now a major update. The company has provided new details about the recent security incident involving its Drift application, confirming that the breach has been contained and customer protections are in place. The company brought in Google-owned cybersecurity firm Mandiant on August 28 to lead an investigation into the compromise. The scope of the engagement included identifying the root cause, assessing the damage, and validating that Salesloft’s core environment remained secure."
https://hackread.com/salesloft-drift-breach-github-compromise-oauth-tokens/
https://trust.salesloft.com/?uid=Update+on+Mandiant+Drift+and+Salesloft+Application+Investigations
General News
- Anyone Using Agentic AI Needs To Understand Toxic Flows
"Today's business elite is breathless for agentic AI possibilities, as CEOs grasp AI as an efficiency lifeline. Risks of functional failures aside — and they're most surely a big elephant in the room — security researchers are concerned about the emerging cyber resilience risks that all of these agentic deployments add to the risk register. Toxic flows are one of the emerging classes of agentic AI risks that researchers say need to be on the radars of executives, engineers, and security people alike. Flows between AI agents, IT tools, and enterprise software are beset by a risky combination of exposure to untrusted input, excessive permissions, access to sensitive data, and external connections that can be used by attackers to steal data."
https://www.darkreading.com/cyber-risk/anyone-using-agentic-ai-needs-understand-toxic-flows
- How Has IoT Security Changed Over The Past 5 Years?
"Internet of Things (IoT) usage has expanded across industries over the past five years and will only continue to do so, but has security grown with it? Experts say progress is not fast enough. While organizations increasingly use IoT devices and applications to improve operational efficiency or save money, the technology is inherently insecure. It makes everything more connected, leaving a treasure trove of internet-exposed data. On top of that, many IoT devices are not equipped to receive easy vulnerability patching updates, or even alerting users that any update is needed."
https://www.darkreading.com/ics-ot-security/how-has-iot-security-changed-over-the-past-5-years-
- File Security Risks Rise As Insiders, Malware, And AI Challenges Converge
"Breaches tied to file access are happening often, and the costs add up quickly. Many organizations have faced multiple file-related incidents over the last two years, with financial losses stretching into the millions. The fallout often includes stolen customer data, reduced productivity, and exposure of intellectual property. A new study from Ponemon Institute shows that data leakage from insiders is a huge threat. Both negligence and malicious intent drive this risk, leaving organizations exposed when access controls are weak or file activity is not visible. Other top concerns include malicious files from vendors and poor oversight of file sharing."
https://www.helpnetsecurity.com/2025/09/05/file-security-risks-challenges/
https://www.opswat.com/resources/reports/ponemon-state-of-file-security
https://www.infosecurity-magazine.com/news/us-companies-insider-data-breaches/
- Connected Cars Are Smart, Convenient, And Open To Cyberattacks
"Consumers are concerned about vulnerabilities in their vehicles, which directly impacts purchasing behavior and brand loyalty, according to RunSafe Security. Vehicles now run on over 100 million lines of code, which is more than most fighter jets, but they often lack the cybersecurity measures needed to keep them safe. These innovations bring plenty of convenience, from over-the-air (OTA) updates to smartphone integration, but they also create new opportunities for cybercriminals to exploit. 65% of drivers think remote hacking of their vehicle is possible. Even with that awareness, only 19% feel very confident their car is protected from hackers."
https://www.helpnetsecurity.com/2025/09/05/connected-cars-cybersecurity-risk/
- IT Threat Evolution In Q2 2025
"The statistics in this report are based on detection verdicts returned by Kaspersky products unless otherwise stated. The information was provided by Kaspersky users who consented to sharing statistical data."
https://securelist.com/malware-report-q2-2025-pc-iot-statistics/117421/
https://securelist.com/malware-report-q2-2025-mobile-statistics/117349/
- Academics Build AI-Powered Android Vulnerability Discovery And Validation Tool
"Two academic researchers from Nanjing University and the University of Sydney have created a framework that relies on AI for the discovery and validation of vulnerabilities in Android applications. Called A2, the system mirrors human experts’ analysis and validation activities by first reasoning about an application’s security and then validating each potential flaw through exploitation attempts. During the Agentic Vulnerability Discovery phase, semantic code understanding is mixed with traditional security tools to create vulnerability hypotheses. The next phase, the Agentic Vulnerability Validation, involves the planning, execution, and verification of exploitation operations to validate each hypothesis."
https://www.securityweek.com/academics-build-ai-powered-android-vulnerability-discovery-and-validation-tool/
https://arxiv.org/pdf/2508.21579v1
- Back To School, Back To Scams Part 2: Mitigation In Motion
"As students and faculty return to campuses across the nation this fall, they’re not the only ones getting back into the swing of things. Cybercriminals are also sharpening their pencils – or rather, their phishing emails and ransomware attacks – ready to exploit the unique vulnerabilities that make schools such tempting targets. Last week, we talked about some common scams and threats. This week we’ll look at more mitigation methods for managed service providers (MSPs)."
https://blog.barracuda.com/2025/09/05/back-school-back-scams-part-2-mitigation-motion
- The Crazy, True Story Behind The First AI-Powered Ransomware
"It all started as an idea for a research paper. Within a week, however, it nearly set the security industry on fire over what was believed to be the first-ever AI-powered ransomware. A group of New York University engineers who had been studying the newest, most sophisticated ransomware strains along with advances in large language models and AI decided to look at the intersection between the two, develop a proof-of-concept for a full-scale, AI-driven ransomware attack - and hopefully have their research selected for presentation at an upcoming security conference."
https://www.theregister.com/2025/09/05/real_story_ai_ransomware_promptlock/
https://arxiv.org/abs/2508.20444v1
https://cyberscoop.com/ai-ransomware-promptlock-nyu-behind-code-discovered-by-security-researchers/
- August’s Top Threat Actors: Ransomware, Espionage And Infostealers
"Throughout the year we’ve observed ransomware attacks, data exfiltration and stealthy state-sponsored espionage. These are some of the most significant threats that surged in August 2025."
https://blog.barracuda.com/2025/09/05/august-s-top-threat-actors--ransomware--espionage-and-infosteale
Reference
Electronic Transactions Development Agency (ETDA)