NCSA Webboard
    Cyber Threat Intelligence 10 September 2025

    Cyber Security News
    • NCSA_THAICERT

      Industrial Sector

      • Rockwell Automation ThinManager
        "Successful exploitation of this vulnerability could expose the ThinServer service account NTLM hash."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-252-01
      • ABB Cylon Aspect BMS/BAS
        "Successful exploitation of these vulnerabilities could allow an attacker to assume control of the target device or perform a denial-of-service (DoS) attack."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-252-02
      • Rockwell Automation Stratix IOS
        "Successful exploitation of this vulnerability could allow an attacker to run malicious configurations without authentication."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-252-03
      • Rockwell Automation FactoryTalk Activation Manager
        "Successful exploitation of this vulnerability could result in data exposure, session hijacking, or full communication compromise."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-252-05
      • Rockwell Automation Analytics LogixAI
        "Successful exploitation of this vulnerability could allow an attacker to access sensitive information."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-252-08
      • Rockwell Automation FactoryTalk Optix
        "Successful exploitation of this vulnerability could result in an attacker achieving remote code execution."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-252-04
      • Rockwell Automation CompactLogix® 5480
        "Successful exploitation of this vulnerability could result in arbitrary code execution."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-252-06
      • Rockwell Automation ControlLogix 5580
        "Successful exploitation of this vulnerability could result in a major nonrecoverable fault on the controller."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-252-07
      • Rockwell Automation 1783-NATR
        "Successful exploitation of this vulnerability could allow an attacker to cause a memory corruption on the product."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-252-09

      Vulnerabilities

      • SAP Fixes Maximum Severity NetWeaver Command Execution Flaw
        "SAP has addressed 21 new vulnerabilities affecting its products, including three critical severity issues impacting the NetWeaver software solution. SAP NetWeaver is the foundation for SAP's business apps like ERP, CRM, SRM, and SCM, and acts as a modular middleware that is broadly deployed in large enterprise networks. In its security bulletin for September, the provider of enterprise resource planning (ERP) software lists a vulnerability with a maximum severity score of 10 out of 10 that is identified as CVE-2025-42944."
        https://www.bleepingcomputer.com/news/security/sap-fixes-maximum-severity-netweaver-command-execution-flaw/
        https://thehackernews.com/2025/09/sap-patches-critical-netweaver-cvss-up.html
        https://www.securityweek.com/sap-patches-critical-netweaver-vulnerabilities/
        https://securityaffairs.com/182040/security/sap-september-2025-patch-day-fixed-4-critical-flaws.html
      • Microsoft September 2025 Patch Tuesday Fixes 81 Flaws, Two Zero-Days
        "Today is Microsoft's September 2025 Patch Tuesday, which includes security updates for 81 flaws, including two publicly disclosed zero-day vulnerabilities. This Patch Tuesday also fixes nine 'Critical' vulnerabilities, five of which are remote code execution vulnerabilities, one is information disclosure, and two are elevation of privileges."
        https://www.bleepingcomputer.com/news/microsoft/microsoft-september-2025-patch-tuesday-fixes-81-flaws-two-zero-days/
        https://blog.talosintelligence.com/microsoft-patch-tuesday-september-2025/
        https://www.darkreading.com/application-security/eop-flaws-again-lead-microsoft-patch-day
        https://cyberscoop.com/microsoft-patch-tuesday-september-2025/
        https://www.securityweek.com/microsoft-patches-86-vulnerabilities/
      • Adobe Patches Critical ColdFusion And Commerce Vulnerabilities
        "Adobe has patched nearly two dozen vulnerabilities across nine of its products with its September 2025 Patch Tuesday updates, including critical flaws in ColdFusion and Commerce. The critical ColdFusion vulnerability, tracked as CVE-2025-54261 with a CVSS score of 9.0, has been described as a path traversal issue that can lead to an arbitrary file system write. It impacts ColdFusion 2021, 2023, and 2025 on all platforms. Adobe says it’s not aware of any in-the-wild exploitation of CVE-2025-54261, but assigned the flaw a priority rating of ‘1’, which indicates that it should be addressed as soon as possible (within 72 hours is recommended)."
        https://www.securityweek.com/adobe-patches-critical-coldfusion-and-commerce-vulnerabilities/
        https://www.bleepingcomputer.com/news/security/adobe-patches-critical-sessionreaper-flaw-in-magento-ecommerce-platform/
        https://thehackernews.com/2025/09/adobe-commerce-flaw-cve-2025-54236-lets.html
      • Popeyes, Tim Hortons, Burger King Platforms Have “catastrophic” Vulnerabilities, Say Hackers
        "Two ethical hackers say they have uncovered massive security vulnerabilities in the platforms hosted by Restaurant Brands International (RBI). RBI is one of the world’s largest quick service restaurant companies. It was formed in 2014 through a $12.5 billion merger of the American fast food chain Burger King and the Canadian coffee and restaurant chain Tim Hortons. Since then, RBI has expanded its brand portfolio to include Popeyes Louisiana Kitchen, acquired in 2017, and Firehouse Subs. It operates a global network of over 32,000 restaurants across more than 120 countries and territories."
        https://www.malwarebytes.com/blog/news/2025/09/popeyes-tim-hortons-burger-king-platforms-have-catastrophic-vulnerabilities-say-hackers

      Malware

      • LunaLock Ransomware Threatens Victims By Feeding Stolen Data To AI Models
        "A new ransomware group, named LunaLock, appeared in the threat landscape with a unique cyber extortion technique, threatening to turn stolen art into AI training data. Recently, the LunaLock group targeted the website Artists&Clients and stole digital art. The group demanded $50K from the victims, threatening leaks and the use of the stolen data to train large language models (LLMs). “We have breached the website Artists&Clients to steal and encrypt all its data. If you are a user of this website, you are urged to contact the owners and insist that they pay our ransom. If the ransom is not paid, we will release all data publicly on this Tor site, including source code and personal data of users. Additionally, we will submit all artwork to AI companies to be added to training datasets.” reads the announcement published by the ransomware group on its Tor data leak site."
        https://securityaffairs.com/182014/malware/lunalock-ransomware-threatens-victims-by-feeding-stolen-data-to-ai-models.html
      • Off Your Docker: Exposed APIs Are Targeted In New Malware Strain
        "The more interconnected our digital ecosystems become, the more places attackers can hide, including by pivoting when they’re caught. When a new threat vector or malware strain is discovered and reported, it may only take hours or days for a threat actor to modify that malware to once again evade detection. The Akamai Hunt Team uncovered a new active campaign that targets exposed Docker APIs. This new strain seems to use similar tooling to the original, but may have a different end goal — including possibly setting up the foundation of a complex botnet. This blog post will dive into the technical details, attack chain, and mitigations of this malware variant."
        https://www.akamai.com/blog/security-research/new-malware-targeting-docker-apis-akamai-hunt
        https://www.bleepingcomputer.com/news/security/hackers-hide-behind-tor-in-exposed-docker-api-breaches/
        https://thehackernews.com/2025/09/tor-based-cryptojacking-attack-expands.html
        https://hackread.com/new-docker-malware-blocking-rivals-exposed-apis/
        https://www.securityweek.com/exposed-docker-apis-likely-exploited-to-build-botnet/
      • Behind The Mask Of Madgicx Plus: A Chrome Extension Campaign Targeting Meta Advertisers
        "Cybereason Security Services recently analyzed an investigation into a broader malicious Chrome extension campaign, part of which had been previously documented by DomainTools. While earlier iterations of this campaign involved the impersonation of a variety of services, the latest version shifts focus to Meta (Facebook/Instagram) advertisers through a newly crafted lure: “Madgicx Plus,” a fake AI-driven ad optimization platform. Promoted as a tool to streamline campaign management and boost ROI using artificial intelligence, the extension instead delivers potentially malicious functionalities capable of hijacking business sessions, stealing credentials, and compromising Meta Business accounts."
        https://www.cybereason.com/blog/chrome-extension-campaign-madgicx
      • LunoBotnet: A Self-Healing Linux Botnet With Modular DDoS And Cryptojacking Capabilities
        "In a deep-dive analysis, Cyble Research and Intelligence Labs (CRIL) identified an ongoing in-the-wild Linux botnet campaign, which we have dubbed “Luno.” This campaign combines cryptocurrency mining, remote command execution, and modular DDoS attack capabilities. Additionally, it combines watchdog-based respawning and unusually strong anti-analysis defences into a single malware framework, indicating active professional threat actor involvement. Unlike conventional cryptominers or DDoS botnets, LunoC2 exhibits process masquerading, binary replacement, and a self-update system, suggesting the malware is designed as a long-term criminal infrastructure tool."
        https://cyble.com/blog/lunobotnet-a-self-healing-linux-botnet/
      • Salty2FA: Multi-Stage Evasion In Modern Phishing
        "The Ontinue Cyber Defence Center has discovered an ongoing sophisticated phishing campaign employing the Salty2FA phishing kit, revealing several notable technical innovations that demonstrate the evolving landscape of modern phishing operations. This research documents emerging evasion techniques that represent the continuous development in phishing kit capabilities and operational sophistication."
        https://www.ontinue.com/resource/blog-salty2fa-multi-stage-evasion-phishing/
        https://www.darkreading.com/cyberattacks-data-breaches/salty2fa-phishing-kits-enterprise-level
        https://hackread.com/salty2fa-phishing-kit-bypasses-mfa-clone-login-pages/
        https://www.infosecurity-magazine.com/news/salty2fa-phishing-kit/
      • Threat Spotlight: Speed, Scale, And Stealth: How Axios Powers Automated Phishing
        "Axios user agent activity surged 241% from June to August 2025, dwarfing the 85% growth of all other flagged user agents combined. Attacks that paired Axios with Direct Send achieved a 70% success rate in recent campaigns, outpacing non-Axios campaigns with unparalleled efficiency. Attackers are highly likely to continue using Axios to automate and scale phishing campaigns. Organizations are encouraged to implement robust detection mechanisms to identify and mitigate suspicious user-agent activity, with particular attention to Axios-related patterns."
        https://reliaquest.com/blog/threat-spotlight-attackers-exploit-axios-for-automated-phishing/
        https://thehackernews.com/2025/09/axios-abuse-and-salty-2fa-kits-fuel.html
        https://www.infosecurity-magazine.com/news/axios-user-agent-automate-phishing/
      • How An Attacker’s Blunder Gave Us a Rare Look Inside Their Day-To-Day Operations
        "What you're about to read is something that all endpoint detection and response (EDR) companies perform as a byproduct of investigating threats. Because these services are designed to monitor for and detect threats, EDR systems by nature need the capability to monitor system activity, as is outlined in our product documentation, Privacy Policy, and Terms of Service. On the heels of questions around how and why Huntress released this information, we wanted to clarify several important aspects of our investigation. We have an obligation to 1) research and respond to security threats and investigate malware and 2) educate the broader community about those threats. These dual objectives played into our decision to develop and publish this blog post."
        https://www.huntress.com/blog/rare-look-inside-attacker-operation
        https://www.infosecurity-magazine.com/news/threat-actor-exposes-operations/
      • Blurring The Lines: Intrusion Shows Connection With Three Major Ransomware Gangs
        "The intrusion began in September 2024 with a download of a malicious file mimicking the EarthTime application by DeskSoft. Upon execution, SectopRAT was deployed which opened a connection to its command and control (C2) infrastructure. The threat actor established persistence by relocating the malicious file and placing a shortcut in the Startup folder, configured to trigger on user logon. They further elevated access by creating a new local account and assigning it local administrative privileges."
        https://thedfirreport.com/2025/09/08/blurring-the-lines-intrusion-shows-connection-with-three-major-ransomware-gangs/
        https://www.securityweek.com/threat-actor-connected-to-play-ransomhub-and-dragonforce-ransomware-operations/
      • The Rise Of RatOn: From NFC Heists To Remote Control And ATS
        "Remote Access Trojans (RATs) are a popular commodity on the dark web, particularly when offering full remote control of infected devices. Key features typically sought after include visual access to the device’s screen (in other words: screen casting), as well as a text-based interface that presents a pseudo-screen with textual descriptions of on-screen elements. The latter method offers more responsive and efficient control, as transmitting text consumes significantly fewer resources than streaming graphical data."
        https://www.threatfabric.com/blogs/the-rise-of-raton-from-nfc-heists-to-remote-control-and-ats
        https://thehackernews.com/2025/09/raton-android-malware-detected-with-nfc.html
      • Unmasking The Gentlemen Ransomware: Tactics, Techniques, And Procedures Revealed
        "In August 2025, we investigated a new ransomware campaign orchestrated by The Gentlemen, an emerging and previously undocumented threat group. This threat actor quickly established itself within the threat landscape by demonstrating advanced capabilities through their systematic compromise of enterprise environments. By adapting their tools mid-campaign—shifting from generic anti-AV utilities to highly targeted, specific variants—the attackers demonstrate versatility and determination, posing a significant threat to organizations regardless of their security defenses."
        https://www.trendmicro.com/en_us/research/25/i/unmasking-the-gentlemen-ransomware.html

      Breaches/Hacks/Leaks

      • Plex Tells Users To Reset Passwords After New Data Breach
        "Media streaming platform Plex is warning customers to reset passwords after suffering a data breach in which a hacker was able to steal customer authentication data from one of its databases. In a data breach notification seen by BleepingComputer, Plex says the stolen data includes email addresses, usernames, securely hashed passwords, and authentication data. 'An unauthorized third party accessed a limited subset of customer data from one of our databases,' reads the Plex data breach notification."
        https://www.bleepingcomputer.com/news/security/plex-tells-users-to-reset-passwords-after-new-data-breach/
        https://www.securityweek.com/plex-urges-password-resets-following-data-breach/
        https://www.helpnetsecurity.com/2025/09/09/plex-tells-users-to-change-passwords-due-to-data-breach-pushes-server-owners-to-upgrade/
      • Major Blood Center Says Thousands Had Data Leaked In January Ransomware Attack
        "One of the largest independent blood centers serving over 75 million people across the U.S. began sending data breach notification letters to victims this week after suffering a ransomware attack in January. New York Blood Center submitted documents to regulators in Maine, Texas, New Hampshire and California that confirmed the cyberattack, which they said was first discovered on January 26."
        https://therecord.media/blood-center-discloses-details-on--january-ransomware-attack
      • Brazil Lesbian Dating App Shuts Down After Security Flaw Exposes Sensitive User Data
        "A Brazilian dating app marketed as a safe space for lesbian women shut down this week after several users uncovered a flaw that reportedly could expose sensitive data, including identity verification photos. Sapphos, which launched in early September, required users to verify their identity by submitting a selfie holding a government-issued ID. But on Monday, independent researchers revealed that the app’s application programming interface (API) reportedly contained a flaw that allowed outsiders to retrieve photos and personal details from other users’ accounts without authorization."
        https://therecord.media/brazil-lesbian-dating-app-shuts-down-vulnerability
      • Gym Communications Platform Exposed 1.6 Million Calls And Voicemails Containing The PII Of Top Fitness Centers Members
        "Cybersecurity Researcher Jeremiah Fowler discovered and reported to Website Planet about an unencrypted and non-password-protected database that contained 1.6 million audio files. These recordings included internal phone calls and messages that provided members’ names, phone numbers, and other potentially sensitive information."
        https://www.websiteplanet.com/news/hello-gym-breach-report/
        https://www.theregister.com/2025/09/09/gym_audio_recordings_exposed/

      General News

      • Attackers Test The Limits Of Railway Cybersecurity
        "Railway systems are the lifeblood of many economies, supporting everything from daily passenger transport to military and industrial operations, so the question arises: how secure are they from a cybersecurity perspective? Like all industries, the railway industry is undergoing its digital transformation. New technologies have improved safety and operational control over trains and tracks, but they have also introduced risks of sabotage that could lead to serious incidents, including collisions."
        https://www.helpnetsecurity.com/2025/09/09/railway-systems-cybersecurity/
      • Employees Keep Feeding AI Tools Secrets They Can’t Take Back
        "Employees are putting sensitive data into public AI tools, and many organizations don’t have the controls to stop it. A new report from Kiteworks finds that most companies are missing basic safeguards to manage this data. Only 17% of companies have technology in place to block or scan uploads to public AI tools. The other 83% depend on training sessions, email warnings, or guidelines. Some have no policies at all."
        https://www.helpnetsecurity.com/2025/09/09/employees-ai-tools-sensitive-data/
      • Infostealers To Watch In 2025: Katz, Bee, Acreed, And More
        "Flashpoint has observed a significant rise in the use and popularity of information-stealing malware. Also known as infostealers or stealers, these tools have fueled a surge in digital identity attacks, contributing to the theft of over 1.8 billion credentials—an 800% increase over the last four months—including over a billion corporate and personal email accounts, passwords, cookies, and other sensitive data."
        https://flashpoint.io/blog/infostealers-2025-katz-bee-acreed-more/
      • Kosovo Hacker Pleads Guilty To Running BlackDB Cybercrime Marketplace
        "Kosovo national Liridon Masurica has pleaded guilty to running BlackDB.cc, a cybercrime marketplace that has been active since 2018. Kosovar authorities arrested the 33-year-old defendant (also known online as @blackdb) on December 14, 2024. He was extradited to the United States on May 9, 2025, and detained following his court appearance in Tampa on May 12. Masurica was the lead administrator of the online criminal marketplace BlackDB.cc, which has been operating for almost seven years, between 2018 and 2025, according to court documents."
        https://www.bleepingcomputer.com/news/security/kosovo-hacker-pleads-guilty-to-running-blackdb-cybercrime-marketplace/
      • US Charges Admin Of LockerGoga, MegaCortex, Nefilim Ransomware
        "The U.S. Department of Justice has charged Ukrainian national Volodymyr Viktorovich Tymoshchuk for his role as the administrator of the LockerGoga, MegaCortex, and Nefilim ransomware operations. Also known online as deadforz, Boba, msfv, and farnetwork, Tymoshchuk was involved in ransomware attacks that led to the breach of hundreds of companies, resulting in millions of dollars in damages, according to a superseding indictment unsealed today. Between July 2019 and June 2020, Tymoshchuk and his accomplices allegedly breached the networks of over 250 companies across the United States and many more worldwide in LockerGoga and MegaCortex ransomware attacks."
        https://www.bleepingcomputer.com/news/security/us-charges-admin-of-lockergoga-megacortex-nefilim-ransomware/
        https://therecord.media/lockergoga-megacortex-nefilim-ransomware-ukrainian-indictment-unsealed
        https://www.bankinfosecurity.com/us-feds-indict-lockergoga-megacortex-ransomware-hacker-a-29397
        https://cyberscoop.com/nefilim-ransomware-indictment-volodymyr-tymoshchuk-department-of-justice/
      • Is The Browser Becoming The New Endpoint?
        "Attackers prefer an easy target; currently, that appears to be the Web browser. It's time to shore up those defenses. The workday revolves around the browser. Employees use it to access Web and cloud applications, join virtual meetings, and for research purposes. Therefore, it holds highly sensitive data, including credentials and session information. Threat actors conduct browser attacks, whether that's by exploiting a vulnerability, through malicious browser extensions, or session hijacking. They steal that invaluable data that can be used for phishing attacks and may inevitably lead to a breach."
        https://www.darkreading.com/endpoint-security/browser-becoming-new-endpoint
      • Ransomware Losses Climb As AI Pushes Phishing To New Heights
        "Ransomware remains the primary digital threat to business. Phishing, often the initial point of failure, further expands into voice-triggered transfer fraud. An analysis of risk based on cyberinsurance claims history provides an accurate overview of the true risk of cybercrime. It doesn’t provide a full global picture of risk since it can only be drawn from known cyberinsurance claims. Resilience is a cyberinsurance provider with a deep knowledge of cybersecurity. There are three major takeaways from the 2025 Midyear Cyber Risk Report produced by Resilience: vendor-related risk is down but still significant; ransomware remains the main threat; and phishing has leapt to clear prominence as the most common point of failure (aided in scale and sophistication by AI)."
        https://www.securityweek.com/ransomware-losses-climb-as-ai-pushes-phishing-to-new-heights/
      • How Leading CISOs Are Getting Budget Approval
        "It's budget season. Once again, security is being questioned, scrutinized, or deprioritized. If you're a CISO or security leader, you've likely found yourself explaining why your program matters, why a given tool or headcount is essential, and how the next breach is one blind spot away. But these arguments often fall short unless they're framed in a way the board can understand and appreciate. According to a Gartner analysis, 88% of Boards see cybersecurity as a business risk, rather than an IT issue, yet many security leaders still struggle to raise the profile of cybersecurity within the organization. For security issues to resonate amongst the Board you need to speak its language: business continuity, compliance, and cost impact."
        https://thehackernews.com/2025/09/how-leading-cisos-are-getting-budget.html
      • Data Is The New Diamond: Latest Moves By Hackers And Defenders
        "There have been several notable developments in recent weeks related to data theft activity from cybercriminals targeting Salesforce instances, including via the Salesloft Drift supply chain attack detailed in a recent Unit 42 Threat Brief. (To learn more about the history behind these Salesforce attacks and their impact to private sector organizations, please see my previous publication, “Heists in the Digital Age.”)"
        https://unit42.paloaltonetworks.com/data-is-the-new-diamond-latest-moves-by-hackers-and-defenders/
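      The Akamai item in the Malware section above concerns Docker Engine APIs left reachable over plaintext TCP. The following audit script is an added example, not code from Akamai or from this post: it reads a dockerd daemon.json and reports a weak listener (wildcard bind, no TLS, the conventional port 2375) alongside a hardened one that requires client certificates. Both configurations are constructed for the example, and the check only covers daemon.json; hosts passed as -H flags in a systemd unit are out of scope.

```python
"""Audit a dockerd daemon.json for a Docker Engine API reachable over plaintext TCP.

Added example for the exposed-Docker-API item; not Akamai's or the NCSA post's
code. The two configurations are constructed and the audit only reads
daemon.json (hosts given as -H flags in a systemd unit are not covered).
"""
import json
from urllib.parse import urlsplit

# Constructed weak configuration: the Engine API on every interface, no TLS,
# on the conventional unencrypted port. This is what the campaign scans for.
WEAK_DAEMON_JSON = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
}
"""

# Constructed hardened configuration: bound to one management address, TLS
# with mandatory client-certificate verification (tlsverify implies tls).
HARDENED_DAEMON_JSON = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}
"""


def audit_daemon_json(text):
    """Return a list of findings; an empty list means no TCP exposure problem was found."""
    cfg = json.loads(text)
    findings = []
    # dockerd listens only on the unix socket when "hosts" is absent.
    hosts = cfg.get("hosts", ["unix:///var/run/docker.sock"])
    tcp_hosts = [h for h in hosts if h.startswith("tcp://")]
    if not tcp_hosts:
        return findings

    tlsverify = bool(cfg.get("tlsverify", False))
    tls = bool(cfg.get("tls", False)) or tlsverify
    for h in tcp_hosts:
        parts = urlsplit(h)
        bind = parts.hostname or ""
        if bind in ("", "0.0.0.0", "::"):
            findings.append(f"{h}: listens on all interfaces")
        if not tls:
            findings.append(f"{h}: Engine API without TLS; anyone who can reach the port gets root-equivalent control of the host")
        elif not tlsverify:
            findings.append(f"{h}: TLS enabled but client certificates are not required (tlsverify is false)")
        if parts.port == 2375:
            findings.append(f"{h}: port 2375 is the conventional unencrypted API port")
    if tlsverify:
        for key in ("tlscacert", "tlscert", "tlskey"):
            if not cfg.get(key):
                findings.append(f"tlsverify is set but {key} is missing")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        result = audit_daemon_json(text)
        print(f"[{label}] {'OK' if not result else str(len(result)) + ' finding(s)'}")
        for finding in result:
            print("  -", finding)
```

      Run it against /etc/docker/daemon.json on each host; an empty result for a host that still answers `curl http://host:2375/version` means the listener came from a -H flag rather than daemon.json, so check the unit file as well.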

      References
      Electronic Transactions Development Agency (ETDA)
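      The ReliaQuest item in the Malware section above recommends detecting Axios-related user-agent activity. The detector below is an added example, not code from ReliaQuest or from this post: it parses Apache/nginx combined-format access logs, names the HTTP client library behind each User-Agent, flags sources that send repeated Axios requests, and computes the period-over-period growth figure the report quotes. The log lines are constructed, the three-hit threshold and the non-Axios library patterns are assumptions, and the Direct Send side of the campaign is not visible in web logs.

```python
"""Flag Axios-style HTTP-client user agents in web-server access logs.

Added example for the Axios automated-phishing item; not ReliaQuest's or the
NCSA post's code. Log lines are constructed; the threshold and the non-Axios
library patterns are assumptions.
"""
import re
from collections import Counter, defaultdict

# Apache/nginx "combined" format:
# ip - user [time] "method path proto" status bytes "referer" "user-agent"
_COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# HTTP client libraries seen relaying credentials in automated phishing.
# Only "axios/" is named on the page; the other three are assumptions.
AUTOMATION_UA = {
    "axios": re.compile(r"\baxios/\d", re.I),
    "python-requests": re.compile(r"\bpython-requests/", re.I),
    "node-fetch": re.compile(r"\bnode-fetch/", re.I),
    "go-http-client": re.compile(r"\bGo-http-client/", re.I),
}


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = _COMBINED.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def classify_ua(ua):
    """Name the automation library behind a User-Agent, or None for anything else."""
    for name, rx in AUTOMATION_UA.items():
        if rx.search(ua):
            return name
    return None


def analyse(lines, min_hits=3):
    """Count automation user agents and flag sources sending >= min_hits Axios requests."""
    families = Counter()
    axios_per_ip = Counter()
    paths = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparsable line: skip it rather than crash the detector
        fam = classify_ua(rec["ua"])
        if fam is None:
            continue
        families[fam] += 1
        if fam == "axios":
            axios_per_ip[rec["ip"]] += 1
            parts = rec["req"].split(" ")
            paths[rec["ip"]].add(parts[1] if len(parts) > 1 else rec["req"])
    flagged = {
        ip: {"hits": n, "paths": sorted(paths[ip])}
        for ip, n in axios_per_ip.items()
        if n >= min_hits
    }
    return {"families": dict(families), "axios_per_ip": dict(axios_per_ip), "flagged": flagged}


def percent_change(before, after):
    """Period-over-period growth, the way the report's 241% figure is expressed."""
    if before <= 0:
        raise ValueError("baseline must be positive")
    return round((after - before) / before * 100, 1)


# Constructed sample: four Axios POSTs to a login flow from one source, one stray
# Axios GET, one python-requests hit and two ordinary browsers.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Sep/2025:08:00:01 +0000] "POST /login HTTP/1.1" 200 512 "-" "axios/1.7.2"',
    '203.0.113.7 - - [10/Sep/2025:08:00:02 +0000] "POST /login HTTP/1.1" 200 512 "-" "axios/1.7.2"',
    '203.0.113.7 - - [10/Sep/2025:08:00:03 +0000] "POST /login HTTP/1.1" 401 128 "-" "axios/1.7.2"',
    '203.0.113.7 - - [10/Sep/2025:08:00:04 +0000] "POST /mfa/verify HTTP/1.1" 200 64 "-" "axios/1.7.2"',
    '198.51.100.9 - - [10/Sep/2025:08:01:00 +0000] "GET /status HTTP/1.1" 200 32 "-" "axios/0.21.1"',
    '198.51.100.23 - - [10/Sep/2025:08:02:00 +0000] "GET / HTTP/1.1" 200 2048 "-" "python-requests/2.32.3"',
    '192.0.2.10 - - [10/Sep/2025:08:03:00 +0000] "GET /login HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/128.0 Safari/537.36"',
    '192.0.2.11 - - [10/Sep/2025:08:03:10 +0000] "POST /login HTTP/1.1" 200 512 "https://example.test/" "Mozilla/5.0 (Macintosh) Safari/605.1.15"',
]

if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    for ip, info in report["flagged"].items():
        print(f"FLAG {ip}: {info['hits']} Axios requests to {', '.join(info['paths'])}")
    print("automation families:", report["families"])
    print("June-to-August growth example:", percent_change(100, 341), "%")
```

      A user-agent string is attacker-controlled and trivially spoofed, so treat a match as a triage signal to correlate with sign-in telemetry rather than as a blocking rule on its own; legitimate Node.js integrations also ship the default axios/ User-Agent, which is why the detector keys on volume and on authentication paths rather than on the string alone.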
