NCSA Webboard

    Cyber Threat Intelligence 09 September 2025

    Cyber Security News
    Posted by NCSA_THAICERT

      New Tooling

      • InterceptSuite: Open-Source Network Traffic Interception Tool
        "InterceptSuite is an open-source, cross-platform network traffic interception tool designed for TLS/SSL inspection, analysis, and manipulation at the network level. “InterceptSuite is designed primarily for non-HTTP protocols, although it does support HTTP/1 and HTTP/2. It offers support for databases, SMTP, and custom protocols, and can manage unknown protocols and their TLS connections. Developed in C, it ensures efficient memory management and performance, utilising native SOCKS5 proxy support on Linux, Mac, and Windows, with OpenSSL for TLS,” Sourav Kalal, the creator of the tool, told Help Net Security."
        https://www.helpnetsecurity.com/2025/09/08/interceptsuite-open-source-network-traffic-interception-tool/
        https://github.com/InterceptSuite/InterceptSuite

      Malware

      • 25,000 IPs Scanned Cisco ASA Devices — New Vulnerability Potentially Incoming
        "GreyNoise observed two scanning surges against Cisco Adaptive Security Appliance (ASA) devices in late August. The first involved more than 25,000 unique IPs in a single burst; the second, smaller but related, followed days later. This activity represents a significant elevation above baseline, typically registering at less than 500 IPs per day. Both events targeted the ASA web login path (/+CSCOE+/logon.html), a common reconnaissance marker for exposed devices. Subsets of the same IPs also probed GreyNoise’s Cisco Telnet/SSH and ASA software personas, signaling a Cisco-focused campaign rather than purely opportunistic scanning."
        https://www.greynoise.io/blog/scanning-surge-cisco-asa-devices
        https://www.bleepingcomputer.com/news/security/surge-in-networks-scans-targeting-cisco-asa-devices-raise-concerns/
      • Hackers Hijack Npm Packages With 2 Billion Weekly Downloads In Supply Chain Attack
        "In a supply chain attack, attackers have injected malware into NPM packages with over 2.6 billion weekly downloads after compromising a maintainer's account in a phishing attack. Josh Junon (qix), the package maintainer whose accounts were hijacked in this supply-chain attack, confirmed the incident earlier today, stating that he was aware of the compromise and adding that the phishing email came from support [at] npmjs [dot] help, a domain that hosts a website impersonating the legitimate npmjs.com domain. In the emails, the attackers threatened that the targeted maintainers' accounts would be locked on September 10th, 2025, as a scare tactic to get them to click on the link redirecting them to the phishing sites."
        https://www.bleepingcomputer.com/news/security/hackers-hijack-npm-packages-with-2-billion-weekly-downloads-in-supply-chain-attack/
        https://www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised
        https://hackread.com/npm-packages-2-billion-downloads-hacked-attack/
        https://www.theregister.com/2025/09/08/dev_falls_for_phishing_email/
      • Salt Typhoon And UNC4841: Silent Push Discovers New Domains; Urges Defenders To Check Telemetry And Log Data
        "Silent Push Threat Analysts have identified a group of previously unreported domains used by a group of closely linked Chinese APT actors, including Salt Typhoon. Active since at least 2019, this APT group is best known for a series of international hacking campaigns targeting telecom infrastructure and ISPs, primarily in the U.S. and across more than 80 other countries. Our team has identified key domain registration patterns in the publicly reported command and control (C2) infrastructure, which enabled us to discover additional domains that we assess, with high confidence, were set up for either Salt Typhoon or another closely related China-backed threat actor. We found a total of 45 domain names, the majority of which have not been previously linked to APT activity."
        https://www.silentpush.com/blog/salt-typhoon-2025/
        https://www.darkreading.com/threat-intelligence/new-domains-salt-typhoon-unc4841
        https://www.theregister.com/2025/09/08/salt_typhoon_domains/
      • MostereRAT Deployed AnyDesk/TightVNC For Covert Full Access
        "FortiGuard Labs recently discovered a phishing campaign that employs multiple advanced evasion techniques. These include the use of an Easy Programming Language (EPL) to develop a staged payload, concealing malicious operations and disabling security tools to prevent alert triggers, securing Command and Control (C2) communications using mutual TLS (mTLS), supporting various methods for deploying additional payloads, and even installing popular remote access tools to grant attackers complete control over the compromised system. Figure 1 shows the attack chain."
        https://www.fortinet.com/blog/threat-research/mostererat-deployed-anydesk-tightvnc-for-covert-full-access
        https://www.darkreading.com/cyberattacks-data-breaches/mostererat-blocks-security-tools
        https://hackread.com/mostererat-windows-anydesk-tightvnc-access/
        https://www.infosecurity-magazine.com/news/rat-targets-windows-users-stealth/
      • Addressing The Unauthorized Issuance Of Multiple TLS Certificates For 1.1.1.1
        "Over the past few days Cloudflare has been notified through our vulnerability disclosure program and the certificate transparency mailing list that unauthorized certificates were issued by Fina CA for 1.1.1.1, one of the IP addresses used by our public DNS resolver service. From February 2024 to August 2025, Fina CA issued twelve certificates for 1.1.1.1 without our permission. We did not observe unauthorized issuance for any properties managed by Cloudflare other than 1.1.1.1."
        https://blog.cloudflare.com/unauthorized-issuance-of-certificates-for-1-1-1-1/
      • APT37 Targets Windows With Rust Backdoor And Python Loader
        "APT37 (also known as ScarCruft, Ruby Sleet, and Velvet Chollima) is a North Korean-aligned threat actor active since at least 2012. APT37 primarily targets South Korean individuals connected to the North Korean regime or involved in human rights activism, leveraging custom malware and adopting emerging technologies. In recent campaigns, APT37 utilizes a single command-and-control (C2) server to orchestrate all components of their malware arsenal, including a Rust-based backdoor that ThreatLabz dubbed Rustonotto (also known as CHILLYCHINO), a PowerShell-based malware known as Chinotto, and FadeStealer. Rustonotto is a newly identified backdoor in use since June 2025."
        https://www.zscaler.com/blogs/security-research/apt37-targets-windows-rust-backdoor-and-python-loader
      • Chinese Spies Impersonated US Lawmaker To Deliver Malware To Trade Groups: Report
        "Chinese hackers are believed to be behind a recent attempt to spy on trade groups and other organizations ahead of US-China trade talks, the Wall Street Journal reported. The publication learned from documents and people familiar with the matter that US trade groups, law firms and government agencies received an email purporting to come from Rep. John Moolenaar, chairman of the House Committee on the Chinese Communist Party. The messages, coming from a non-government email address, urged recipients to provide feedback on proposed sanctions against China, telling them that their “insights are essential”."
        https://www.securityweek.com/chinese-spies-impersonated-us-lawmaker-to-deliver-malware-to-trade-groups-report/
      • GPUGate Malware: Malicious GitHub Desktop Implants Use Hardware-Specific Decryption, Abuse Google Ads To Target Western Europe
        "Arctic Wolf has uncovered a sophisticated delivery chain: a threat actor abused GitHub’s repository structure and Google Ads to redirect users to a malicious download, while a GPU-gated decryption routine keeps the payload encrypted on systems without a GPU. We have named this new attack technique “GPUGate”."
        https://arcticwolf.com/resources/blog/gpugate-malware-malicious-github-desktop-implants-use-hardware-specific-decryption-abuse-google-ads-target-western-europe/
        https://thehackernews.com/2025/09/gpugate-malware-uses-google-ads-and.html

      Breaches/Hacks/Leaks

      • Lovesac Confirms Data Breach After Ransomware Attack Claims
        "American furniture brand Lovesac is warning that it suffered a data breach impacting an undisclosed number of individuals, stating their personal data was exposed in a cybersecurity incident. Lovesac is a furniture designer, manufacturer, and retailer, operating 267 showrooms across the United States, and having annual net sales of $750 million. They are best known for their modular couch systems called 'sactionals,' as well as their bean bags called 'sacs.'"
        https://www.bleepingcomputer.com/news/security/lovesac-confirms-data-breach-after-ransomware-attack-claims/
      • Georgia Hospital Notifying 163,000 Of 2024 Ransomware Hack
        "A public Georgia community hospital is notifying more than 163,000 people that their sensitive personal and health information was compromised in a June 2024 ransomware attack. The cybercriminal gang Monti on its dark website last summer claimed Wayne Memorial Hospital as one of its victims. In a report filed to Maine's attorney general on Sept. 5, WMH - the 84-bed community hospital operated by the Wayne County Hospital Authority - said the cyberattack on June 3, 2024, affected 163,440 people and included ransomware encryption of some of the hospital's data."
        https://www.bankinfosecurity.com/georgia-hospital-notifying-163000-2024-ransomware-hack-a-29388
      • Vietnam’s National Credit Registration And Reporting Agency Hacked; Most Of The Population Affected
        "Some data breaches make headlines for the number of people affected globally, such as a Facebook scraping incident in 2019 that affected 553 million people worldwide. Then there are breaches that affect a country’s entire population or much of it, such as a misconfigured database that exposed almost the entire population of Ecuador in 2019, an insider breach that compromised the information of almost all Israelis in 2006, a misconfigured voter database that exposed more than 75% of Mexican voters in 2016, and the UnitedHealth Change Healthcare ransomware incident in 2024 that affected more than 190 million Americans."
        https://databreaches.net/2025/09/08/vietnams-national-credit-registration-and-reporting-agency-hacked-most-of-the-population-affected/

      General News

      • Cybersecurity Research Is Getting New Ethics Rules, Here’s What You Need To Know
        "Top cybersecurity conferences are introducing new rules that require researchers to formally address ethics in their work. Starting with the 2026 USENIX Security Symposium, all submissions must include a stakeholder-based ethics analysis. Other major venues such as IEEE Security and Privacy, and ACM CCS have also emphasized the importance of ethical review in recent calls for papers. This change reflects a growing concern that cybersecurity research can unintentionally cause harm. Research that exposes vulnerabilities, collects user data, or publishes attack methods might also create opportunities for adversaries or damage trust in critical systems."
        https://www.helpnetsecurity.com/2025/09/08/cybersecurity-research-ethics/
      • Cyber Defense Cannot Be Democratized
        "The democratization of AI has fundamentally lowered the barrier for threat actors, creating a bigger pool of people who can carry out sophisticated attacks. The so-called democratization of security, on the other hand, has resulted in chaos. In an earnest attempt to shift left, security teams deputized developers to own remediation. While development teams have legitimately become more security-focused, it’s created a dynamic in which security is still accountable for risk but has no authority over the environment."
        https://www.helpnetsecurity.com/2025/09/08/threat-validation-devops/
      • Identity Management Was Hard, AI Made It Harder
        "Identity security is becoming a core part of cybersecurity operations, but many organizations are falling behind. A new report from SailPoint shows that as AI-driven identities and machine accounts grow, most security teams are not prepared to manage them at scale. This gap creates new risks and makes identity security harder to deploy across global enterprises. The study, based on a global survey of 375 identity and access management (IAM) leaders, found that the majority of organizations are still in the early stages of building mature identity programs. Sixty-three percent remain in the two lowest maturity categories, relying on manual processes and basic tools to manage user access."
        https://www.helpnetsecurity.com/2025/09/08/ai-driven-identity-management-report/
      • AI Moves Fast, But Data Security Must Move Faster
        "Generative AI is showing up everywhere in the enterprise, from customer service chatbots to marketing campaigns. It promises speed and innovation, but it also brings new and unfamiliar security risks. As companies rush to adopt these tools, many are discovering that their data protection strategies are not ready for the challenges AI creates. The 2025 Thales Data Threat Report, based on a survey of more than 3,000 IT and security professionals, highlights how quickly AI is reshaping enterprise security priorities. It also shows why digital sovereignty is becoming more important as organizations operate across borders and in the cloud."
        https://www.helpnetsecurity.com/2025/09/08/ai-data-security-risks-report/
      • Flattery Can Make AI Chatbots Break The Rules
        "Simple strategies for buttering up humans popularized in psychology textbooks can also nudge large language models into ignoring their built-in refusal policies, found researchers. A preprint paper demonstrates how persuasion can override digital guardrails in ways that differ from more direct jailbreaking methods. Jailbreaking refers to forcing a model to break its safety rules, often by crafting prompts that trick it into ignoring its system instructions. Unlike technical jailbreaks, which use elaborate workarounds, researchers at the University of Pennsylvania's Wharton School tested whether straightforward persuasion using techniques like invoking authority or appealing to reciprocity could get GPT-4o-Mini to comply with disallowed requests."
        https://www.bankinfosecurity.com/flattery-make-ai-chatbots-break-rules-a-29386
        https://papers.ssrn.com/sol3/papers.cfm?abstract_id=5357179
      • Stopping Ransomware Before It Starts: Lessons From Cisco Talos Incident Response
        "Over the past two and a half years (January 2023 through June 2025), Cisco Talos Incident Response (Talos IR) has responded to numerous engagements that we classified as pre-ransomware incidents. Talos looked back to analyze what key security measures were credited with deterring ransomware deployment in each pre-ransomware engagement, finding that the top two factors were swift engagement with the incident response team and rapid actioning of alerts from security solutions (predominantly within two hours of the alert). We also classified almost two dozen observed pre-ransomware indicators in these engagements, as the top observed tactics provide insight into what malicious activity frequently preempts a more severe attack. Finally, we analyzed Talos IR’s most frequent recommendations to customers to ascertain common security gaps."
        https://blog.talosintelligence.com/stopping-ransomware-before-it-starts/
        https://www.infosecurity-magazine.com/news/remote-access-abuse-pre-ransomware/
      • Treasury Sanctions Southeast Asian Networks Targeting Americans With Cyber Scams
        "Today, the Department of the Treasury’s Office of Foreign Assets Control (OFAC) implemented sanctions against a large network of scam centers across Southeast Asia that steal billions of dollars from Americans using forced labor and violence. The action includes nine targets operating in Shwe Kokko, Burma, a notorious hub for virtual currency investment scams under the protection of the OFAC-designated Karen National Army (KNA), as well as ten targets based in Cambodia. “Southeast Asia’s cyber scam industry not only threatens the well-being and financial security of Americans, but also subjects thousands of people to modern slavery,” said Under Secretary of the Treasury for Terrorism and Financial Intelligence John K. Hurley."
        https://home.treasury.gov/news/press-releases/sb0237
        https://therecord.media/us-sanctions-companies-southeast-asia-scam-compounds
        https://cyberscoop.com/southeast-asia-scam-hubs-sanctions/
      • The Critical Failure In Vulnerability Management
        "Business has slowed considerably in the vulnerability management market segment, yet there are more vulnerabilities to contend with than ever before. When security mainstays experience the same harsh conditions, it's worth paying attention. Through rose-colored glasses, it's a success story; they've reached the top of their intended mountain. More realistically, it's a final warning that the industry needs to reshape itself quickly to climb the next mountain and deliver more value. So, why are we seeing challenges with vulnerability management today? The market segment is folding under its own weight for three main reasons."
        https://www.darkreading.com/vulnerabilities-threats/the-critical-failure-in-vulnerability-management
      • You Didn't Get Phished — You Onboarded The Attacker
        "What if the star engineer you just hired isn't actually an employee, but an attacker in disguise? This isn't phishing; it's infiltration by onboarding. Meet "Jordan from Colorado," who has a strong resume, convincing references, a clean background check, even a digital footprint that checks out. On day one, Jordan logs into email and attends the weekly standup, getting a warm welcome from the team. Within hours, they have access to repos, project folders, even some copy/pasted dev keys to use in their pipeline."
        https://thehackernews.com/2025/09/you-didnt-get-phished-you-onboarded.html

      Reference
      Electronic Transactions Development Agency (ETDA)
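
      Added example for the Cisco ASA scanning item above (not code from the NCSA digest or from GreyNoise): the post names /+CSCOE+/logon.html as the reconnaissance marker and a baseline of under 500 source IPs per day, so the check a defender wants is "how many distinct IPs hit that path today, against the other days". The script below parses combined-format access-log lines (that log format is an assumption; an ASA or a reverse proxy in front of it may log differently), counts unique client IPs per day for that path only, and flags days that exceed both an absolute floor and a multiple of the median of the remaining days. The log lines are constructed, using the RFC 2544 benchmarking range 198.18.0.0/15, not real telemetry.

```python
"""Flag scanning surges against the Cisco ASA web login path.

Added example, not part of the original digest. Access-log format is an
assumption (Apache/nginx combined style); all log lines are constructed.
"""
import re
import statistics
from collections import defaultdict

ASA_LOGIN_PATH = "/+CSCOE+/logon.html"

# ip ident user [dd/Mon/yyyy:HH:MM:SS zone] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<day>\d{2}/[A-Za-z]{3}/\d{4}):[^\]]*\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def unique_ips_per_day(lines, path=ASA_LOGIN_PATH):
    """Map day -> number of distinct client IPs that requested `path`."""
    seen = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip instead of crashing on noisy input
        # Drop any query string so /+CSCOE+/logon.html?x=1 still counts.
        if m["path"].split("?", 1)[0] != path:
            continue
        seen[m["day"]].add(m["ip"])
    return {day: len(ips) for day, ips in seen.items()}


def flag_surges(per_day, factor=10, floor=20):
    """Return {day: (count, baseline)} for days that look like a scan surge.

    Baseline is the median unique-IP count of the other days. A day is flagged
    only when it exceeds both `floor` (absolute) and `factor` x baseline, so a
    handful of probes on an otherwise quiet network is not reported.
    """
    flagged = {}
    for day, count in per_day.items():
        others = [c for d, c in per_day.items() if d != day] or [0]
        baseline = statistics.median(others)
        if count > floor and count > factor * baseline:
            flagged[day] = (count, baseline)
    return flagged


def make_sample_log(day, n_ips, path=ASA_LOGIN_PATH):
    """Constructed log lines: n_ips distinct 198.18.x.y clients hitting `path`."""
    lines = []
    for i in range(n_ips):
        ip = f"198.18.{i // 256}.{i % 256}"
        lines.append(
            f'{ip} - - [{day}:10:00:{i % 60:02d} +0000] "GET {path} HTTP/1.1" 200 1234'
        )
    return lines


# Constructed sample: three quiet days, one surge day, plus noise lines.
SAMPLE_LOG = (
    make_sample_log("24/Aug/2025", 6)
    + make_sample_log("25/Aug/2025", 4)
    + make_sample_log("26/Aug/2025", 300)  # the surge day
    + make_sample_log("27/Aug/2025", 5)
    + ["this line does not parse and must be ignored"]
    + ['198.18.0.1 - - [27/Aug/2025:11:00:00 +0000] "GET /index.html HTTP/1.1" 200 10']
)

if __name__ == "__main__":
    counts = unique_ips_per_day(SAMPLE_LOG)
    for day, (count, baseline) in flag_surges(counts).items():
        print(f"{day}: {count} unique IPs hit {ASA_LOGIN_PATH} (baseline {baseline})")
```

      On the constructed input only 26/Aug/2025 is reported. In production, feed the real log stream and keep a longer history for the median; the absolute floor is there so a newly deployed, low-traffic device does not alert on its first few legitimate logins.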
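
      Added example for the npm supply-chain item above (not code from the digest, from npm, or from the cited write-ups): two checks a team would run after such an incident. The first walks a package-lock.json (lockfileVersion 2/3 "packages" map and the older v1 nested "dependencies") and reports any installed package whose version is on a denylist; the denylist here uses placeholder versions and is hypothetical, so replace it with the exact versions named in the advisories. The second checks whether a notification's sender domain is really npmjs.com rather than a lookalike such as the npmjs.help domain quoted in the post. The lockfiles are constructed.

```python
"""Audit a package-lock.json for denylisted versions and check npm sender domains.

Added example, not part of the original digest. DENYLIST versions are
placeholders (hypothetical); the lockfiles below are constructed.
"""
import json

# HYPOTHETICAL: package -> set of compromised versions. The names come from
# the cited Aikido write-up title; the version strings are placeholders only.
DENYLIST = {
    "chalk": {"0.0.0-example"},
    "debug": {"0.0.0-example"},
}

LEGIT_NPM_DOMAINS = {"npmjs.com"}


def _walk_v1(deps):
    """lockfileVersion 1: "dependencies" is a nested tree."""
    for name, meta in deps.items():
        if "version" in meta:
            yield name, meta["version"]
        yield from _walk_v1(meta.get("dependencies", {}))


def iter_lock_entries(lock):
    """Yield (name, version) for every installed package in a parsed lockfile."""
    if "packages" in lock:  # lockfileVersion 2 or 3, keyed by node_modules path
        for path, meta in lock["packages"].items():
            if path == "":  # the root project itself
                continue
            # "node_modules/a/node_modules/@scope/b" -> "@scope/b"
            name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
            if "version" in meta:
                yield name, meta["version"]
    if "dependencies" in lock:  # lockfileVersion 1 (v2 also carries this for compat)
        yield from _walk_v1(lock["dependencies"])


def find_compromised(lock_text, denylist=DENYLIST):
    """Return sorted (name, version) pairs present in the lockfile and on the denylist."""
    lock = json.loads(lock_text)
    hits = set()  # set: v2 lockfiles list the same package in both sections
    for name, version in iter_lock_entries(lock):
        if version in denylist.get(name, ()):
            hits.add((name, version))
    return sorted(hits)


def sender_domain_is_legit(address, allowed=LEGIT_NPM_DOMAINS):
    """True only if the sender's domain is an allowed domain or a subdomain of one.

    'support@npmjs.help' fails (different registrable domain), and so does
    'x@npmjs.com.evil.example' (the allowed domain is not its suffix).
    """
    domain = address.rsplit("@", 1)[-1].lower().rstrip(".")
    return any(domain == d or domain.endswith("." + d) for d in allowed)


# Constructed lockfiles.
SAMPLE_LOCK = json.dumps({
    "name": "example-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "version": "1.0.0"},
        "node_modules/chalk": {"version": "0.0.0-example"},
        "node_modules/debug": {"version": "4.3.4"},
        "node_modules/foo": {"version": "1.0.0"},
        "node_modules/foo/node_modules/debug": {"version": "0.0.0-example"},
    },
})
SAMPLE_LOCK_V1 = json.dumps({
    "lockfileVersion": 1,
    "dependencies": {
        "foo": {"version": "1.0.0",
                "dependencies": {"chalk": {"version": "0.0.0-example"}}},
    },
})

if __name__ == "__main__":
    print("v3 hits:", find_compromised(SAMPLE_LOCK))
    print("v1 hits:", find_compromised(SAMPLE_LOCK_V1))
    print("npmjs.help legit?", sender_domain_is_legit("support@npmjs.help"))
```

      Nested copies matter: a hoisted, clean top-level debug does not rule out a compromised copy under another package's node_modules, which is why the path is resolved to the package name rather than matched as a prefix.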
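
      Added example for the Salt Typhoon item above, which urges defenders to check telemetry and log data for the newly reported domains (not code from the digest or from Silent Push): a DNS-log sweep that matches queried names against an IOC list by label suffix, so that a subdomain of a listed domain is caught but a lookalike that merely ends in the same characters (notc2-example.test) or embeds the domain as a prefix (c2-example.test.evil.example) is not. The IOC domains and the log format are constructed placeholders; substitute the domains from the report and your resolver's log format.

```python
"""Sweep DNS query logs for IOC domains, matching by DNS label suffix.

Added example, not part of the original digest. IOC_DOMAINS are placeholders
(hypothetical), and the log line format and entries are constructed.
"""
import re
from collections import Counter

# HYPOTHETICAL IOC list; the real domains are in the Silent Push report.
IOC_DOMAINS = {"c2-example.test", "update-example.test"}

# Constructed resolver log format: <timestamp> client=<ip> qtype=<type> name=<qname>
DNS_LOG_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) qtype=(?P<qtype>\S+) name=(?P<name>\S+)"
)


def normalize(name):
    """Lower-case and strip the trailing dot of a fully qualified name."""
    return name.strip().lower().rstrip(".")


def matches_ioc(qname, iocs):
    """Return the IOC that `qname` equals or is a subdomain of, else None.

    Walks whole-label suffixes (a.b.c.test -> b.c.test -> c.test -> test), so
    string tricks like 'notc2-example.test' do not match 'c2-example.test'.
    """
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in iocs:
            return suffix
    return None


def scan_dns_log(text, iocs=IOC_DOMAINS):
    """Return (hits, per_client): matched (ts, client, qname, ioc) and a hit count per client."""
    hits, per_client = [], Counter()
    for line in text.splitlines():
        m = DNS_LOG_RE.match(line)
        if not m:
            continue  # malformed line: ignore
        ioc = matches_ioc(m["name"], iocs)
        if ioc:
            hits.append((m["ts"], m["client"], normalize(m["name"]), ioc))
            per_client[m["client"]] += 1
    return hits, per_client


# Constructed sample log: two true hits, two deliberate near-misses, one junk line.
SAMPLE_DNS_LOG = """\
2025-09-08T12:00:00Z client=10.0.0.5 qtype=A name=www.example.com.
2025-09-08T12:00:01Z client=10.0.0.5 qtype=A name=MAIL.c2-example.test.
2025-09-08T12:00:02Z client=10.0.0.9 qtype=AAAA name=update-example.test
2025-09-08T12:00:03Z client=10.0.0.9 qtype=A name=notc2-example.test.
2025-09-08T12:00:04Z client=10.0.0.7 qtype=A name=c2-example.test.evil.example
garbage line
"""

if __name__ == "__main__":
    found, clients = scan_dns_log(SAMPLE_DNS_LOG)
    for ts, client, qname, ioc in found:
        print(f"{ts} {client} queried {qname} (IOC {ioc})")
    print("hits per client:", dict(clients))
```

      Run it over historical resolver logs as well as live ones; the report's point is that these domains were not previously linked to APT activity, so old queries that nothing alerted on at the time are exactly what to look for.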
