NCSA Webboard

    Cyber Threat Intelligence 02 October 2025

    Cyber Security News
    • NCSA_THAICERT
      Last edited by NCSA_THAICERT

      Vulnerabilities

      • Red Hat OpenShift AI Flaw Exposes Hybrid Cloud Infrastructure To Full Takeover
        "A severe security flaw has been disclosed in the Red Hat OpenShift AI service that could allow attackers to escalate privileges and take control of the complete infrastructure under certain conditions. OpenShift AI is a platform for managing the lifecycle of predictive and generative artificial intelligence (GenAI) models at scale and across hybrid cloud environments. It also facilitates data acquisition and preparation, model training and fine-tuning, model serving and model monitoring, and hardware acceleration. The vulnerability, tracked as CVE-2025-10725, carries a CVSS score of 9.9 out of a maximum of 10.0. It has been classified by Red Hat as "Important" and not "Critical" in severity owing to the need for a remote attacker to be authenticated in order to compromise the environment."
        https://thehackernews.com/2025/10/critical-red-hat-openshift-ai-flaw.html
        https://access.redhat.com/security/cve/cve-2025-10725
        https://www.theregister.com/2025/10/01/critical_red_hat_openshift_ai_bug/
      • TOTOLINK X6000R: Three New Vulnerabilities Uncovered
        "We have uncovered three vulnerabilities in the firmware of the TOTOLINK X6000R router, version V9.4.0cu.1360_B20241207, released on March 28, 2025"
        https://unit42.paloaltonetworks.com/totolink-x6000r-vulnerabilities/
      • OpenSSL Vulnerabilities Allow Private Key Recovery, Code Execution, DoS Attacks
        "The OpenSSL Project has announced the availability of several new versions of the open source SSL/TLS toolkit, which include patches for three vulnerabilities. Versions 3.5.4, 3.4.3, 3.3.5, 3.2.6, 3.0.18, 1.0.2zm and 1.1.1zd of the OpenSSL Library have been released. Most of them fix all three vulnerabilities, tracked as CVE-2025-9230, CVE-2025-9231 and CVE-2025-9232. Two of the vulnerabilities have been assigned a ‘moderate severity’ rating. One of them is CVE-2025-9231, which may allow an attacker to recover the private key."
        https://www.securityweek.com/openssl-vulnerabilities-allow-private-key-recovery-code-execution-dos-attacks/
        https://openssl-library.org/news/secadv/20250930.txt
        https://securityaffairs.com/182845/security/openssl-patches-3-vulnerabilities-urging-immediate-updates.html
      • OneLogin, Many Secrets: Clutch Uncovers Critical API Vulnerability Exposing Client Credentials
        "Clutch Security has identified a critical security vulnerability in OneLogin's API that exposed sensitive OIDC (OpenID Connect) application client secrets through the standard application listing endpoint. This vulnerability, tracked as with a CVSS base score of 7.7 (High severity), allowed attackers with valid API credentials to enumerate and retrieve client secrets for all OIDC applications within an organization's OneLogin tenant."
        https://www.clutch.security/blog/onelogin-many-secrets-clutch-uncovers-vulnerability-exposing-client-credentials
        https://thehackernews.com/2025/10/onelogin-bug-let-attackers-use-api-keys.html
      • Nvidia And Adobe Vulnerabilities
        "Cisco Talos’ Vulnerability Discovery & Research team recently disclosed five vulnerabilities in Nvidia and one in Adobe Acrobat. The vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in adherence to Cisco’s third-party vulnerability disclosure policy. For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website."
        https://blog.talosintelligence.com/nvidia-and-adobe-vulnerabilities/
      • New WireTap Attack Extracts Intel SGX ECDSA Key Via DDR4 Memory-Bus Interposer
        "In yet another piece of research, academics from Georgia Institute of Technology and Purdue University have demonstrated that the security guarantees offered by Intel's Software Guard eXtensions (SGX) can be bypassed on DDR4 systems to passively decrypt sensitive data. SGX is designed as a hardware feature in Intel server processors that allows applications to be run in a Trusted Execution Environment (TEE). It essentially isolates trusted code and resources within what's called enclaves, preventing attackers from viewing their memory or CPU state. In doing so, the mechanism ensures that the data stays confidential even when the underlying operating system has been tampered with or compromised by other means. However, the latest findings show the limitations of SGX."
        https://thehackernews.com/2025/10/new-wiretap-attack-extracts-intel-sgx.html
        https://wiretap.fail/

      Malware

      • Forensic Journey: Hunting Evil Within AmCache
        "When it comes to digital forensics, AmCache plays a vital role in identifying malicious activities in Windows systems. This artifact allows the identification of the execution of both benign and malicious software on a machine. It is managed by the operating system, and at the time of writing this article, there is no known way to modify or remove AmCache data. Thus, in an incident response scenario, it could be the key to identifying lost artifacts (e.g., ransomware that auto-deletes itself), allowing analysts to search for patterns left by the attacker, such as file names and paths. Furthermore, AmCache stores the SHA-1 hashes of executed files, which allows DFIR professionals to search public threat intelligence feeds — such as OpenTIP and VirusTotal — and generate rules for blocking this same file on other systems across the network."
        https://securelist.com/amcache-forensic-artifact/117622/
      • Ukraine Warns Of CABINETRAT Backdoor + XLL Add-Ins Spread Via Signal ZIPs
        "The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of new targeted cyber attacks in the country using a backdoor called CABINETRAT. The activity, observed in September 2025, has been attributed to a threat cluster it tracks as UAC-0245. The agency said it spotted the attack following the discovery of software tools taking the form of XLL files, which refer to Microsoft Excel add-ins that are typically used to extend the functionality of Excel with custom functions. Further investigation has uncovered that the XLL files are distributed within ZIP archives shared on the Signal messaging app, disguised as a document concerning the detention of individuals who had attempted to cross the Ukrainian border."
        https://thehackernews.com/2025/10/ukraine-warns-of-cabinetrat-backdoor.html
      • Detour Dog: DNS Malware Powers Strela Stealer Campaigns
        "Tens of thousands of websites worldwide are infected with malware that utilizes the Domain Name System (DNS) to conditionally redirect visitors to malicious content. These DNS requests are made server-side, meaning from the website itself, and are not visible to the visitor. We have tracked the threat actor that operates this malware since August 2023. The malicious name server conditionally instructs the website to redirect the visitor based on their location and device type. While traditionally these redirects led to scams, the malware has evolved recently to execute remote content through the DNS-based command-and-control (C2) system. We are tracking the threat actor who controls this malware as Detour Dog."
        https://blogs.infoblox.com/threat-intelligence/detour-dog-dns-malware-powers-strela-stealer-campaigns/
        https://hackread.com/detour-dog-dns-hijacking-websites-strela-stealer/
      • Cybercrime Observations From The Frontlines: UNC6040 Proactive Hardening Recommendations
        "Protecting software-as-a-service (SaaS) platforms and applications requires a comprehensive security strategy. Drawing from analysis of UNC6040’s specific attack methodologies, this guide presents a structured defensive framework encompassing proactive hardening measures, comprehensive logging protocols, and advanced detection capabilities. While emphasizing Salesforce-specific security recommendations, these strategies provide organizations with actionable approaches to safeguard their SaaS ecosystem against current threats."
        https://cloud.google.com/blog/topics/threat-intelligence/unc6040-proactive-hardening-recommendations/
        https://www.darkreading.com/threat-intelligence/google-sheds-light-shinyhunters-salesforce-tactics
      • Paperwork To Payload: From Shortcut Clicks To Rundll32 Execution
        "The Blackpoint SOC is tracking a new campaign that uses identity themed phishing archives to deliver malicious Windows shortcuts. Victims receive a ZIP of “certified” documents that contains .lnk files which, when clicked, silently launch obfuscated PowerShell in a minimized window. The script downloads a payload from hp05[.]com/gwt/ with filenames that appear to be PowerPoint slides, then writes a randomly named DLL to the user profile. This mirrors tactics seen in prior shortcut-based delivery chains that weaponize familiar document themes to gain initial access."
        https://blackpointcyber.com/blog/paperwork-to-payload-from-shortcut-clicks-to-rundll32-execution/
        https://www.infosecurity-magazine.com/news/shortcut-credential-lures-deliver/

      Breaches/Hacks/Leaks

      • Adobe Analytics Bug Leaked Customer Tracking Data To Other Tenants
        "Adobe is warning its Analytics customers that an ingestion bug caused data from some organizations to appear in the analytics instances of others for approximately one day. Adobe disclosed the issue on its status page, stating that it began on September 17, 2025, at 12:20 UTC, when a performance optimization change introduced a bug in Analytics Edge data collection. The status page states that the flaw caused "errant values" to appear in Analysis Workspace reports and that Adobe engineering teams are working to cleanse impacted datasets."
        https://www.bleepingcomputer.com/news/security/adobe-analytics-bug-leaked-customer-tracking-data-to-other-tenants/
      • Data Breach At Dealership Software Provider Impacts 766k Clients
        "A ransomware attack at Motility Software Solutions, a provider of dealer management software (DMS), has exposed the sensitive data of 766,000 customers. Motility (formerly known as Systems 2000/Sys2K) is a provider of DMS software used by 7,000 dealerships (automotive, powersports, marine, heavy-duty, and RV retail) across the United States. Its products cover customer relationship management (CRM), inventory management, sales, accounting, financials, service operations, rental and fleet tracking, as well as mobile or web access to control dashboards."
        https://www.bleepingcomputer.com/news/security/data-breach-at-dealership-software-provider-impacts-766k-clients/
      • Allianz Life Says July Data Breach Impacts 1.5 Million People
        "Allianz Life has completed the investigation into the cyberattack it suffered in July and determined that nearly 1.5 million individuals are impacted. The American insurance giant has notified all potentially affected individuals that their names, addresses, dates of birth, and social security numbers (SSN) have been compromised. Allianz Life is part of Allianz SE and provides annuities and life insurance for more than 1.4 million Americans. Allianz SE, which is a global giant with over 125 million customers, was not impacted."
        https://www.bleepingcomputer.com/news/security/allianz-life-says-july-data-breach-impacts-15-million-people/
        https://therecord.media/millions-impacted-by-data-breaches-insurance-car-dealership-software
      • Air Force Admits SharePoint Privacy Issue As Reports Trickle Out Of Possible Breach
        "The US Air Force confirmed it's investigating a "privacy-related issue" amid reports of a Microsoft SharePoint-related breach and subsequent service-wide shutdown, rendering mission files and other critical tools potentially unavailable to service members. "The Department of the Air Force is aware of a privacy-related issue," an Air Force spokesperson told The Register on Wednesday, while declining to answer specific questions about the alleged digital intrusion. The Air Force's confirmation follows what looks like a breach notification, shared with The Register and on social media, that purports to come from the Air Force Personnel Center Directorate of Technology and Information."
        https://www.theregister.com/2025/10/01/us_air_force_investigates_breach/

      General News

      • Inside Dark Web Exploit Markets In 2025: Pricing, Access & Active Sellers
        "Exploit marketplaces are the backbone of cybercrime infrastructure. In 2025, these underground markets don’t just sell stolen data, they also broker zero-day exploits, don’t-patch tools, and access credentials, offering them with sliding pricing. For threat hunters and defenders, understanding how exploit sellers price, distribute, and rotate access is as vital as knowing their malware families. Strategies and marketplaces overlap with themes explored previously in Dark Web Search Engines in 2025 – Rankings, Risks & Ethical Trade-offs."
        https://www.darknet.org.uk/2025/10/inside-dark-web-exploit-markets-in-2025-pricing-access-active-sellers/
      • A2AS Framework Targets Prompt Injection And Agentic AI Security Risks
        "AI systems are now deeply embedded in business operations, and this introduces new security risks that traditional controls are not built to handle. The newly released A2AS framework is designed to protect AI agents at runtime and prevent real-world incidents like fraud, data theft, and malware spread. Many companies are still figuring out how to secure AI systems, often with mixed results. Eugene Neelou, project leader for A2AS, told Help Net Security that defenses are both fragmented and fragile."
        https://www.helpnetsecurity.com/2025/10/01/a2as-framework-agentic-ai-security-risks/
      • Biometric Spoofing Isn’t As Complex As It Sounds
        "Biometric technologies were originally designed to improve security and streamline authentication, but they’re often misused in ways most people don’t notice. Like any system, biometrics has weaknesses that attackers can exploit. Biometric spoofing isn’t as complex as it sounds. It’s basically when someone imitates your biometric traits to fool a system. This could be a printed photo, a 3D-printed fingerprint, or even a recorded voice. Basic facial recognition systems can be fooled with images from social media, and AI-generated voices can mimic people with surprising accuracy."
        https://www.helpnetsecurity.com/2025/10/01/biometric-spoofing/
      • Ransomware Remains The Leading Cause Of Costly Cyber Claims
        "Cyber threats are shifting in 2025, and while large companies are still targets, attackers are turning their attention to smaller and mid-sized firms. According to Allianz’s Cyber Security Resilience 2025 report, hardened defenses at major corporates have pushed criminals to go after easier prey. The data shows ransomware was involved in 88% of breaches at small and medium firms compared to 39% at larger enterprises."
        https://www.helpnetsecurity.com/2025/10/01/insurance-claims-ransomware-h1-2025/
        https://www.theregister.com/2025/10/01/north_american_data_breaches/
      • NIST Publishes Guide For Protecting ICS Against USB-Borne Threats
        "NIST has published a new guide designed to help organizations reduce cybersecurity risks associated with the use of removable media devices in operational technology (OT) environments. NIST Special Publication (SP) 1334 was authored by the National Cybersecurity Center of Excellence (NCCoE) and it focuses on the use of USB flash drives, but also mentions other types of removable media such as external hard drives and CD/DVD drives. USB flash drives are often used in OT environments to conduct firmware updates or to retrieve data for diagnostics purposes, but such devices are also often a source of malware infections."
        https://www.securityweek.com/nist-publishes-guide-for-protecting-ics-against-usb-borne-threats/
        https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1334.pdf
      • Cybersecurity Awareness Month 2025: Prioritizing Identity To Safeguard Critical Infrastructure
        "This October marks the 22nd anniversary of Cybersecurity Awareness Month, an initiative launched under the guidance of the U.S. Department of Homeland Security. Its purpose is to highlight the importance of taking daily action to reduce risks when online and when using connected devices. This year’s theme focuses on government entities and small and medium-sized businesses that are vital to protecting the systems and services that keep our communities running. These organizations play a central role in safeguarding the nation’s critical infrastructure. Under the Cybersecurity and Infrastructure Security Agency’s (CISA) banner of “Building a Cyber Strong America,” state, local, tribal, and territorial governments, as well as private companies that own and operate critical infrastructure, are urged to strengthen their defenses against cyber threats to improve resilience and security."
        https://www.securityweek.com/cybersecurity-awareness-month-2025prioritizing-identity-to-safeguard-critical-infrastructure/
      • 2025 Cybersecurity Reality Check: Breaches Hidden, Attack Surfaces Growing, And AI Misperceptions Rising
        "Bitdefender's 2025 Cybersecurity Assessment Report paints a sobering picture of today's cyber defense landscape: mounting pressure to remain silent after breaches, a gap between leadership and frontline teams, and a growing urgency to shrink the enterprise attack surface. The annual research combines insights from over 1,200 IT and security professionals across six countries, along with an analysis of 700,000 cyber incidents by Bitdefender Labs. The results reveal hard truths about how organizations are grappling with threats in an increasingly complex environment."
        https://thehackernews.com/2025/10/2025-cybersecurity-reality-check.html
        https://www.bitdefender.com/en-us/business/campaign/2025-cybersecurity-assessment?cid=ref|b|-CORE-EPP-Gartner-THN-AR
      • Gartner Survey Finds Just 15% Of IT Application Leaders Are Considering, Piloting, Or Deploying Fully Autonomous AI Agents
        "Only 15% of IT application leaders said they are currently considering, piloting, or deploying fully autonomous AI agents (goal driven AI tools that do not require human oversight), according to a survey by Gartner, Inc., a business and technology insights company. In May and June 2025, Gartner conducted an industry-wide survey of 360 IT application leaders from organizations with at least 250 full-time employees in North America, Europe and Asia/Pacific, with the aim of understanding the impact of generative AI (GenAI) and agentic AI across enterprise applications."
        https://www.gartner.com/en/newsroom/press-releases/2025-09-30-gartner-survey-finds-just-15-percent-of-it-application-leaders-are-considering-piloting-or-deploying-fully-autonomous-ai-agents
        https://www.theregister.com/2025/10/01/gartner_ai_agents/
      • Findings From The 2025 Unit 42 Global Incident Response Report
        "Cyberattacks rarely follow a linear path. While security teams often zero in on initial access vectors, like phishing emails, exposed services and credential abuse, these only mark the starting point. What happens next is far more complex. According to the 2025 Global Incident Response Report, 84% of investigated cases involved activity across multiple attack fronts, with 70% spanning at least three vectors and some touching as many as six. These are not isolated incidents; they're coordinated campaigns. Today’s attackers move laterally, escalating privileges, targeting identities, exploiting cloud misconfigurations and exfiltrating data, sometimes simultaneously. That level of sophistication and the multipronged approach makes for a strong case against operating in silos. Tools that only monitor one domain or that lack integration can leave critical threat signals buried under alert noise or trapped in disconnected logs."
        https://www.paloaltonetworks.com/blog/2025/10/case-for-multidomain-visibility/
        https://www.paloaltonetworks.com/resources/research/unit-42-incident-response-report
      • EU Consistently Targeted By Diverse Yet Convergent Threat Groups
        "Through a more threat-centric approach and further contextual analysis, this latest edition of the ENISA Threat Landscape analyses 4875 incidents over a period spanning from 1 July 2024 to 30 June 2025. At its core, this report provides an overview of the most prominent cybersecurity threats and trends the EU faces in the current cyber threat ecosystem."
        https://www.enisa.europa.eu/news/etl-2025-eu-consistently-targeted-by-diverse-yet-convergent-threat-groups
        https://www.enisa.europa.eu/publications/enisa-threat-landscape-2025
        https://www.bankinfosecurity.com/russia-chinese-hacking-buffets-europe-a-29616
      • Undead By Design: Benchmarking End-Of-Life Operating Systems
        "End-of-life (EOL) operating systems remain an underestimated risk for enterprise networks. This study analyzes millions of assets across hundreds of U.S.-based enterprises to quantify how prevalent unsupported OSes are today, how different industries fare, and what lies ahead as major platforms enter the Sunless Lands. Across all enterprises studied, 8.56% of assets are running an EOL OS, with 5% of all observed assets already beyond security support unable to receive timely, critical patches. These “undead” systems are disproportionately visible to threat actors, provide unique opportunities for routine exploitation, and often indicate broader gaps in maintenance and IT hygiene."
        https://www.runzero.com/resources/undead-by-design-report/
        https://www.darkreading.com/endpoint-security/undead-operating-systems-haunt-enterprise-security-networks

      Reference
      Electronic Transactions Development Agency (ETDA)
