NCSA Webboard

    Cyber Threat Intelligence 17 September 2025

    Cyber Security News
    • NCSA_THAICERT

      Industrial Sector

      • Siemens RUGGEDCOM, SINEC NMS, And SINEMA
        "Successful exploitation of these vulnerabilities could allow an attacker to cause a denial-of-service, crash the product, or perform remote code execution."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-259-04
      • Delta Electronics DIALink
        "Successful exploitation of these vulnerabilities could allow an attacker to bypass authentication."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-259-07
      • OT Security Needs Continuous Operations, Not One-Time Fixes
        "Cyberattacks keep hitting the OT systems that critical infrastructure operators run, according to new research from Forrester. In a survey of 262 OT security decision-makers, 91% reported at least one breach or system failure caused by a cyberattack in the past 18 months. These attacks disrupted essential services, damaged reputations, and created regulatory and financial consequences."
        https://www.helpnetsecurity.com/2025/09/16/ciso-ot-cybersecurity-strategy/
      • Schneider Electric Altivar Products, ATVdPAC Module, ILC992 InterLink Converter
        "Successful exploitation of this vulnerability could allow an attacker to read or modify data."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-259-01
      • Hitachi Energy RTU500 Series
        "Successful exploitation of these vulnerabilities could cause a Denial-of-Service condition in RTU500 devices."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-259-02
      • Siemens SIMATIC NET CP, SINEMA, And SCALANCE
        "Successful exploitation of these vulnerabilities could allow an attacker to cause a denial-of-service (DoS) condition in the affected devices by exploiting integer overflow bugs."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-259-03
      • Siemens OpenSSL Vulnerability In Industrial Products
        "Successful exploitation of these vulnerabilities could allow an unauthenticated remote attacker to execute arbitrary code or to cause a denial-of-service condition."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-259-05
      • Siemens Multiple Industrial Products
        "Successful exploitation of this vulnerability could allow an attacker to create a denial-of-service condition."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-259-06

      Vulnerabilities

      • Chaotic Deputy: Critical Vulnerabilities In Chaos Mesh Lead To Kubernetes Cluster Takeover
        "JFrog Security Research recently discovered and disclosed multiple CVEs in the highly popular Chaos engineering platform – Chaos-Mesh. The discovered CVEs, which we’ve named Chaotic Deputy are CVE-2025-59358, CVE-2025-59360, CVE-2025-59361 and CVE-2025-59359. The last three Chaotic Deputy CVEs are critical severity (CVSS 9.8) vulnerabilities which can be easily exploited by in-cluster attackers to run arbitrary code on any pod in the cluster, even in the default configuration of Chaos-Mesh."
        https://jfrog.com/blog/chaotic-deputy-critical-vulnerabilities-in-chaos-mesh-lead-to-kubernetes-cluster-takeover/
        https://www.darkreading.com/cyber-risk/critical-bugs-chaos-mesh-cluster-takeover
        https://thehackernews.com/2025/09/chaos-mesh-critical-graphql-flaws.html
      • Apple Backports Zero-Day Patches To Older iPhones And iPads
        "Apple has released security updates to backport patches released last month to older iPhones and iPads, addressing a zero-day bug that was exploited in "extremely sophisticated" attacks. This security flaw is the same one Apple has patched for devices running iOS 18.6.2 and iPadOS 18.6.2, iPadOS 17.7.10, and macOS (Sequoia 15.6.1, Sonoma 14.7.8, and Ventura 13.7.8) on August 20. Tracked as CVE-2025-43300, this vulnerability was discovered by Apple security researchers and is caused by an out-of-bounds write weakness in the Image I/O framework, which enables apps to read and write image file formats."
        https://www.bleepingcomputer.com/news/security/apple-backports-zero-day-patches-to-older-iphones-and-ipads/
        https://thehackernews.com/2025/09/apple-backports-fix-for-cve-2025-43300.html
        https://www.theregister.com/2025/09/16/apple_0day_spy_attacks/
      • Apple Rolls Out iOS 26, MacOS Tahoe 26 With Patches For Over 50 Vulnerabilities
        "Apple on Monday announced the release of major iOS and macOS platform updates with fixes for a total of more than 50 vulnerabilities. iOS 26 and iPadOS 26 were released for the latest generation iPhone and iPad devices with fixes for 27 unique CVEs that could lead to memory corruption, information disclosure, crashes, and sandbox escapes. WebKit received the largest number of fixes, at five, for security defects that could lead to process crashes, Safari crashes, or could allow websites to access sensor information without consent."
        https://www.securityweek.com/apple-rolls-out-ios-26-macos-tahoe-26-with-patches-for-over-50-vulnerabilities/
        https://cyberscoop.com/apple-security-updates-september-2025/
        https://www.malwarebytes.com/blog/news/2025/09/update-your-apple-devices-to-fix-dozens-of-vulnerabilities
      • Bypassing AI Agent Defenses With Lies-In-The-Loop
        "Checkmarx Zero has identified a new type of attack against AI agents that use a “human-in-the-loop” safety net to try to avoid high-risk behaviors: we’re calling it “lies-in-the-loop” (LITL). It lets us fairly easily trick users into giving permission for AI agents to do extremely dangerous things, by convincing the AI to act as though those things are much safer than they are."
        https://checkmarx.com/zero-post/bypassing-ai-agent-defenses-with-lies-in-the-loop/
        https://www.darkreading.com/application-security/-lies-in-the-loop-attack-ai-coding-agents

      Malware

      • Self-Propagating Supply Chain Attack Hits 187 Npm Packages
        "Security researchers have identified at least 187 npm packages compromised in an ongoing supply chain attack, with a malicious self-propagating payload to infect other packages. The coordinated worm-style campaign dubbed 'Shai-Hulud' started yesterday with the compromise of the @ctrl/tinycolor npm package, which receives over 2 million weekly downloads. Since then, the campaign has expanded significantly and now includes packages published under CrowdStrike's npm namespace."
        https://www.bleepingcomputer.com/news/security/self-propagating-supply-chain-attack-hits-187-npm-packages/
        https://socket.dev/blog/tinycolor-supply-chain-attack-affects-40-packages
        https://socket.dev/blog/ongoing-supply-chain-attack-targets-crowdstrike-npm-packages
        https://www.aikido.dev/blog/s1ngularity-nx-attackers-strike-again
        https://www.darkreading.com/application-security/self-replicating-shai-hulud-worm-npm-packages
        https://thehackernews.com/2025/09/40-npm-packages-compromised-in-supply.html
        https://securityaffairs.com/182274/malware/new-supply-chain-attack-hits-npm-registry-compromising-40-packages.html
        https://www.helpnetsecurity.com/2025/09/16/self-replicating-worm-hits-180-npm-packages-in-largely-automated-supply-chain-attack/
        https://www.theregister.com/2025/09/16/npm_under_attack_again/
      • SmokeLoader Rises From The Ashes
        "Active since 2011, SmokeLoader (aka Smoke or Dofoil) is a popular malware loader that is designed to deliver second-stage payloads such as trojans, ransomware, and information stealers. Over the years, SmokeLoader has been updated and enhanced to evade detection and optimize payload delivery. SmokeLoader’s capabilities have also been expanded through a modular plugin framework that is capable of credential harvesting, browser hijacking, cryptocurrency mining, and more."
        https://www.zscaler.com/blogs/security-research/smokeloader-rises-ashes
      • Satori Threat Intelligence Alert: SlopAds Covers Fraud With Layers Of Obfuscation
        "HUMAN’s Satori Threat Intelligence and Research Team has uncovered and disrupted a sophisticated ad fraud and click fraud operation dubbed SlopAds. The threat actors behind SlopAds operate a collection of 224 apps and growing, collectively downloaded from Google Play more than 38 million times across 228 countries and territories. These apps deliver their fraud payload using steganography and create hidden WebViews to navigate to threat actor-owned cashout sites, generating fraudulent ad impressions and clicks. The threat actors’ infrastructure and many of the apps share an AI theme, contributing to the name of the operation."
        https://www.humansecurity.com/learn/blog/satori-threat-intelligence-alert-slopads-covers-fraud-with-layers-of-obfuscation/
        https://www.bleepingcomputer.com/news/security/google-nukes-224-android-malware-apps-behind-massive-ad-fraud-campaign/
        https://thehackernews.com/2025/09/slopads-fraud-ring-exploits-224-android.html
        https://www.bankinfosecurity.com/slopads-fraud-campaign-uses-novel-obfuscation-techniques-a-29450
      • FileFix In The Wild! New FileFix Campaign Goes Beyond POC And Leverages Steganography
        "Early last week, researchers from Acronis' Threat Research Unit discovered a rare in-the-wild example of a FileFix attack — a new variant of the now infamous ClickFix attack vector. The discovered attack not only leverages FileFix, but, to our knowledge, is the first example of such an attack that does not strictly adhere to the design of the original proof of concept (POC) demonstrated by Mr. d0x in July, 2025. Furthermore, the attack features a sophisticated phishing site and payload, in many ways ahead of what we’ve come to expect from ClickFix or FileFix attacks seen in the past (with some notable exceptions)."
        https://www.acronis.com/en/tru/posts/filefix-in-the-wild-new-filefix-campaign-goes-beyond-poc-and-leverages-steganography/
        https://www.bleepingcomputer.com/news/security/new-filefix-attack-uses-steganography-to-drop-stealc-malware/
        https://thehackernews.com/2025/09/new-filefix-variant-delivers-stealc.html
        https://hackread.com/filefix-attack-stealc-infostealer-fake-facebook-pages/
        https://www.theregister.com/2025/09/16/filefix_attacks_facebook_security_alert/
      • Microsoft Seizes 338 Websites To Disrupt Rapidly Growing ‘RaccoonO365’ Phishing Service
        "Microsoft’s Digital Crimes Unit (DCU) has disrupted RaccoonO365, the fastest-growing tool used by cybercriminals to steal Microsoft 365 usernames and passwords (“credentials”). Using a court order granted by the Southern District of New York, the DCU seized 338 websites associated with the popular service, disrupting the operation’s technical infrastructure and cutting off criminals’ access to victims. This case shows that cybercriminals don’t need to be sophisticated to cause widespread harm—simple tools like RaccoonO365 make cybercrime accessible to virtually anyone, putting millions of users at risk."
        https://blogs.microsoft.com/on-the-issues/2025/09/16/microsoft-seizes-338-websites-to-disrupt-rapidly-growing-raccoono365-phishing-service/
        https://therecord.media/microsoft-cloudflare-disrupt-raccoono365-credential-stealing-tool
        https://cyberscoop.com/microsoft-seizes-phishing-sites-raccoono365/
        https://www.theregister.com/2025/09/16/microsoft_cloudflare_shut_down_raccoono365/
      • Deniability By Design: DNS-Driven Insights Into a Malicious Ad Network
        "One typically imagines the digital underworld—trojans, malware droppers, fake dating sites, investment scams, and more—as operating in the dark corners of the internet. But increasingly, these threats are hiding in plain sight, camouflaged by the glossy veneer of mainstream digital advertising. In some cases, the adtech platforms are abused, but we have uncovered an increasing number of adtech companies that are either complicit or actively engaged in the distribution of malicious content. Cybercriminals aren’t just exploiting adtech platforms; sometimes, they are the adtech platforms."
        https://blogs.infoblox.com/threat-intelligence/deniability-by-design-dns-driven-insights-into-a-malicious-ad-network/
        https://www.darkreading.com/vulnerabilities-threats/vane-viper-threat-group-propellerads
      • Innovative FileFix Phishing Attack Proves Plenty Potent
        "The most widespread, customized, sophisticated FileFix campaign to date has recently emerged in the wild. Fewer than three months have passed since a red team researcher conceived of the FileFix social engineering technique, and attackers seem to be taking to it like ducks to water. Over the past couple of weeks, for instance, researchers from Acronis have observed the most mature FileFix campaign to date, combining convincing phishing, tough code obfuscation, robust steganography, and more."
        https://www.darkreading.com/cyberattacks-data-breaches/innovative-filefix-attack-potent
      • RevengeHotels: A New Wave Of Attacks Leveraging LLMs And VenomRAT
        "RevengeHotels, also known as TA558, is a threat group that has been active since 2015, stealing credit card data from hotel guests and travelers. RevengeHotels’ modus operandi involves sending emails with phishing links which redirect victims to websites mimicking document storage. These sites, in turn, download script files to ultimately infect the targeted machines. The final payloads consist of various remote access Trojan (RAT) implants, which enable the threat actor to issue commands for controlling compromised systems, stealing sensitive data, and maintaining persistence, among other malicious activities."
        https://securelist.com/revengehotels-attacks-with-ai-and-venomrat-across-latin-america/117493/
      • Going Underground: China-Aligned TA415 Conducts U.S.-China Economic Relations Targeting Using VS Code Remote Tunnels
        "Throughout July and August 2025, TA415 conducted spearphishing campaigns targeting United States government, think tank, and academic organizations utilizing U.S.-China economic-themed lures. In this activity, the group masqueraded as the current Chair of the Select Committee on Strategic Competition between the United States and the Chinese Communist Party (CCP), as well as the US-China Business Council, to target a range of individuals and organizations predominantly focused on U.S.-China relations, trade, and economic policy."
        https://www.proofpoint.com/us/blog/threat-insight/going-underground-china-aligned-ta415-conducts-us-china-economic-relations

      Breaches/Hacks/Leaks

      • 2 Eye Care Practice Hacks Affect 260,000 Patients, Staff
        "Two separate hacks on ophthalmology practices in South Dakota and Florida have affected more than a quarter-million patients. The cyberattacks were among the latest of several major data breaches reported in recent months by eye care providers. The incidents were reported by Black Hills Regional Eye Institute, which is based in Rapid City, South Dakota, and Retina Group of Florida, based in Fort Lauderdale, Florida."
        https://www.bankinfosecurity.com/2-eye-care-practice-hacks-affect-260000-patients-staff-a-29458

      General News

      • Building Security That Protects Customers, Not Just Auditors
        "In this Help Net Security interview, Nir Rothenberg, CISO at Rapyd, discusses global differences in payment security maturity and the lessons that can be learned from leading regions. He points out that good engineering usually leads to strong security, and cautions against just going through the motions to meet compliance requirements. Rothenberg also points to overlooked areas such as monitoring, account takeover prevention, and collaboration across the payments ecosystem."
        https://www.helpnetsecurity.com/2025/09/16/nir-rothenberg-rapyd-payment-security-maturity/
      • August 2025 Trends Report On Phishing Emails
        "This report provides the distribution quantity, statistics, trends, and case information on phishing emails and attachments collected and analyzed over the course of a month in August 2025. The following are some statistics and cases included in the original report."
        https://asec.ahnlab.com/en/90158/
      • August 2025 Threat Trend Report On Ransomware
        "This report provides the statistics and major ransomware-related issues in Korea and worldwide, as well as the number of affected systems and ransomware cases based on Dedicated Leak Sites (DLS) over the course of August 2025. Below is a summary of the report."
        https://asec.ahnlab.com/en/90159/
      • August 2025 APT Attack Trends Report (South Korea)
        "AhnLab has been using AhnLab Smart Defense (ASD) to monitor advanced persistent threat (APT) attacks against targets in South Korea. This report will cover the types and statistics of APT attacks in Korea during August 2025 as well as features for each type."
        https://asec.ahnlab.com/en/90152/
      • August 2025 Infostealer Trend Report
        "This report provides statistics, trends, and case information on Infostealer, including distribution volume, distribution methods, and disguises based on the data collected and analyzed in August 2025. The following is a summary of the original report."
        https://asec.ahnlab.com/en/90154/
      • BreachForums Hacking Forum Admin Resentenced To Three Years In Prison
        "Conor Brian Fitzpatrick, the 22-year-old behind the notorious BreachForums hacking forum, was resentenced today to three years in prison after a federal appeals court overturned his prior sentence of time served and 20 years of supervised release. Fitzpatrick, of New York, operated under the alias "Pompompurin" and created the BreachForums hacking forum in 2022 after the FBI took down RaidForums. Fitzpatrick was arrested on March 15, 2023, and charged with conspiracy to solicit individuals to sell unauthorized access devices. At the time of his arrest, he admitted to FBI agents that he was Pompompurin and the administrator of BreachForums."
        https://www.bleepingcomputer.com/news/security/breachforums-hacking-forum-admin-resentenced-to-three-years-in-prison/
        https://therecord.media/conor-fitzpatrick-pompompurin-three-year-sentence-breachforums-administrator
        https://www.bankinfosecurity.com/original-breachforums-admin-gets-3-year-prison-sentence-a-29459
        https://cyberscoop.com/conor-fitzpatrick-pompompurin-resetenced-breachforums/
      • Security Industry Skeptical Of Scattered Spider-ShinyHunters Retirement Claims
        "The notorious cybercrime groups Scattered Spider and ShinyHunters claim they are retiring, but the cybersecurity industry is skeptical and believes the hackers will continue to be active. Scattered Spider has been around for several years and it recently made many headlines for targeting the retail, insurance, and aviation industries. The threat group has also been in the spotlight for its widespread Salesforce hacking campaign, which impacted major companies such as Google. Several individuals with alleged ties to Scattered Spider have been arrested, charged and sentenced over the past year."
        https://www.securityweek.com/security-industry-skeptical-of-scattered-spider-shinyhunters-retirement-claims/
        https://www.infosecurity-magazine.com/news/fifteen-ransomware-gangs-retire/
      • API Threats Surge To 40,000 Incidents In 1H 2025
        "The financial services, telecoms and travel sectors were in the crosshairs of threat actors in the first half of the year, after Thales observed 40,000 incidents in the period alone. The firm’s Imperva business analyzed data from over 4000 environments worldwide to produce its API Threat Report (H1 2025). The report claimed that APIs now attract 44% of advanced bot traffic, which is generated by sophisticated software designed to mimic human behavior."
        https://www.infosecurity-magazine.com/news/api-threats-surge-40000-incidents/
        https://www.imperva.com/resources/resource-library/reports/imperva-api-threat-report/

      Reference
      Electronic Transactions Development Agency (ETDA)
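
      The Shai-Hulud item in the Malware section describes a worm that republishes compromised versions of npm packages, starting with @ctrl/tinycolor. The first check a practitioner wants after such an advisory is whether any package pinned in a project's lockfile matches the published list of compromised name@version pairs. The script below is an added example written for this digest; it is not code from the NCSA post, from Socket, Aikido or any other linked vendor. The denylist versions and the sample lockfile are constructed placeholders: the real compromised versions must be taken from the advisories linked above. It goes slightly beyond the single package named in the post by handling both the lockfileVersion 2/3 layout ("packages" keyed by node_modules path) and the older lockfileVersion 1 nested "dependencies" tree.

```python
"""Audit an npm package-lock.json against known-compromised package versions.

Added example for the Shai-Hulud npm worm item; not from the NCSA post or the
linked advisories. DENYLIST and SAMPLE_LOCKFILE are constructed placeholders.
"""
import json
import sys

# Constructed placeholder denylist: {package name: {compromised versions}}.
# @ctrl/tinycolor is named in the post as the initial compromise; the version
# strings here are made up. Populate this from the vendor advisories.
DENYLIST = {
    "@ctrl/tinycolor": {"4.1.1", "4.1.2"},
    "@example/compromised-pkg": {"1.0.9"},
}

# Constructed lockfileVersion 3 fragment used when no path is given.
SAMPLE_LOCKFILE = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "dependencies": {"@ctrl/tinycolor": "^4.1.0"}},
        "node_modules/@ctrl/tinycolor": {"version": "4.1.2"},
        "node_modules/left-pad": {"version": "1.3.0"},
        # nested copy pulled in by another dependency (not a compromised version)
        "node_modules/foo/node_modules/@ctrl/tinycolor": {"version": "4.0.0"},
    },
})


def iter_lock_packages(lock):
    """Yield (name, version) for every package pinned in a parsed lockfile.

    lockfileVersion 2/3: "packages" maps node_modules paths to metadata; the
    package name is the part after the last "node_modules/" (scoped names such
    as @ctrl/tinycolor survive this split). The empty key is the root project.
    lockfileVersion 1: "dependencies" is a tree nested by the same key name.
    """
    packages = lock.get("packages")
    if packages is not None:
        for path, meta in packages.items():
            if not path:
                continue  # root project entry, not a dependency
            name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
            version = meta.get("version")
            if version:
                yield name, version
        return
    stack = list(lock.get("dependencies", {}).items())
    while stack:
        name, meta = stack.pop()
        if meta.get("version"):
            yield name, meta["version"]
        stack.extend(meta.get("dependencies", {}).items())


def find_compromised(lock_text, denylist=DENYLIST):
    """Return a sorted list of (name, version) pairs present in the lockfile
    that appear in the denylist. Nested duplicates are reported once."""
    lock = json.loads(lock_text)
    hits = {
        (name, version)
        for name, version in iter_lock_packages(lock)
        if version in denylist.get(name, ())
    }
    return sorted(hits)


if __name__ == "__main__":
    # Usage: python audit_lock.py [path/to/package-lock.json]
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOCKFILE
    hits = find_compromised(text)
    for name, version in hits:
        print(f"COMPROMISED: {name}@{version}")
    sys.exit(1 if hits else 0)
```

      A clean lockfile only proves what was pinned, not what was installed: if node_modules was populated with `npm install` rather than `npm ci`, or a package was updated after the lockfile was committed, the on-disk tree can differ, so run the same denylist against the `version` field of each `node_modules/**/package.json` as well.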
