NCSA Webboard

    Cyber Threat Intelligence 03 October 2025

    Cyber Security News
    • NCSA_THAICERT

      Energy Sector

      • The Energy Sector Is Ground Zero For Global Cyber Activity
        "A new study from the Karlsruhe Institute of Technology shows how geopolitical tensions shape cyberattacks on power grids, fuel systems, and other critical infrastructure. Researchers reviewed major cyber threat databases including MITRE ATT&CK Groups, CSIS, ThaiCERT, Malpedia, EuRepoC, and the AI Incident Database. Each source reports information differently. Some use structured formats like JSON or tables that are easy to analyze. Others rely on long descriptive text that is harder to process. In some cases, geography is missing entirely."
        https://www.helpnetsecurity.com/2025/10/02/geopolitics-energy-sector-cyberattacks-target/

      Industrial Sector

      • Raise3D Pro2 Series 3D Printers
        "Successful exploitation of this vulnerability could result in data exfiltration and compromise of the target device."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-275-01
      • Hitachi Energy MSM Product
        "Successful exploitation of these vulnerabilities could allow HTML injection via the name parameter or an assertion failure in fuzz_binary_decode, resulting in a crash."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-275-02

      New Tooling

      • Checkov: Open-Source Static Code Analysis Tool
        "Checkov is an open-source tool designed to help teams secure their cloud infrastructure and code. At its core, it’s a static code analysis tool for infrastructure as code (IaC), but it also goes a step further by providing software composition analysis (SCA) for container images and open source packages. With Checkov, you can scan just about any cloud infrastructure setup, whether you’re using Terraform, CloudFormation, AWS SAM, Kubernetes, Helm charts, Kustomize, Dockerfiles, Serverless, Bicep, OpenAPI, ARM templates, or OpenTofu. It uses graph-based scanning to uncover security risks and compliance misconfigurations before they make their way into production."
        https://www.helpnetsecurity.com/2025/10/02/chekov-open-source-static-code-analysis-tool-iac/
        https://github.com/bridgecrewio/checkov

      Vulnerabilities

      • Insecure Mobile VPNs: The Hidden Danger
        "Virtual Private Networks (VPNs) are trusted by millions to protect privacy, secure communications, and enable remote access on their mobile device. But what if the very apps designed to safeguard your data are riddled with flaws? While headlines have often highlighted the risks of VPNs linked to high-risk jurisdictions, a broad-scale security and privacy analysis by Zimperium zLabs of 800 free VPN apps for both Android and iOS reveals the threat is far more widespread."
        https://zimperium.com/blog/insecure-mobile-vpns-the-hidden-danger
        https://www.infosecurity-magazine.com/news/free-vpn-apps-security-flaws/
      • CISA Adds Five Known Exploited Vulnerabilities To Catalog
        "CISA has added five new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
        CVE-2014-6278 GNU Bash OS Command Injection Vulnerability
        CVE-2015-7755 Juniper ScreenOS Improper Authentication Vulnerability
        CVE-2017-1000353 Jenkins Remote Code Execution Vulnerability
        CVE-2025-4008 Smartbedded Meteobridge Command Injection Vulnerability
        CVE-2025-21043 Samsung Mobile Devices Out-of-Bounds Write Vulnerability"
        https://www.cisa.gov/news-events/alerts/2025/10/02/cisa-adds-five-known-exploited-vulnerabilities-catalog
      • DrayTek Warns Of Remote Code Execution Bug In Vigor Routers
        "Networking hardware maker DrayTek released an advisory to warn about a security vulnerability in several Vigor router models that could allow remote, unauthenticated actors to execute arbitrary code. The flaw, tracked as CVE-2025-10547, was reported to the vendor on July 22 by ChapsVision security researcher Pierre-Yves Maes. "The vulnerability can be triggered when unauthenticated remote attackers send crafted HTTP or HTTPS requests to the device's Web User Interface (WebUI)," reads DrayTek's security advisory."
        https://www.bleepingcomputer.com/news/security/draytek-warns-of-remote-code-execution-bug-in-vigor-routers/
        https://www.draytek.com/about/security-advisory/use-of-uninitialized-variable-vulnerabilities

      Malware

      • New Spyware Campaigns Target Privacy-Conscious Android Users In The UAE
        "ESET researchers have uncovered two Android spyware campaigns targeting individuals interested in secure communication apps, namely Signal and ToTok. These campaigns distribute malware through deceptive websites and social engineering and appear to target residents of the United Arab Emirates (UAE). Our investigation led to the discovery of two previously undocumented spyware families – Android/Spy.ProSpy, impersonating upgrades or plugins for the Signal and ToTok messaging apps; and Android/Spy.ToSpy, impersonating the ToTok app."
        https://www.welivesecurity.com/en/eset-research/new-spyware-campaigns-target-privacy-conscious-android-users-uae/
        https://github.com/eset/malware-ioc/tree/master/prospytospy
        https://thehackernews.com/2025/10/warning-beware-of-android-spyware.html
        https://www.bleepingcomputer.com/news/security/android-spyware-campaigns-impersonate-signal-and-totok-messengers/
        https://www.darkreading.com/cyberattacks-data-breaches/android-spyware-uae-spyware
        https://therecord.media/researchers-spyware-uae-infections
        https://www.helpnetsecurity.com/2025/10/02/android-spyware-signal-totok/
        https://cyberscoop.com/android-spyware-disguised-as-legitimate-messaging-apps-targets-uae-victims-researchers-reveal/
      • UAT-8099: Chinese-Speaking Cybercrime Group Targets High-Value IIS For SEO Fraud
        "In April 2025, Cisco Talos identified a Chinese-speaking cybercrime group, tracked as UAT-8099, which targets a broad range of vulnerable IIS servers across specific regions. This group focuses on high-value IIS servers that have a good reputation within these areas to manipulate search engine results for financial gain. UAT-8099 operates as a cybercrime group conducting SEO fraud. Additionally, UAT-8099 uses Remote Desktop Protocol (RDP) to access IIS servers and search for valuable data such as logs, credentials, configuration files and sensitive certificates, which they package for possible resale or further exploitation."
        https://blog.talosintelligence.com/uat-8099-chinese-speaking-cybercrime-group-seo-fraud/
      • Amazon Prime Day 2025: The Dark Side Of Deals
        "Amazon’s Fall Prime Day not only kicks off the holiday shopping season with deals too good to ignore, it also creates one of the biggest opportunities of the year for cyber criminals. As millions of consumers flock online for deals, attackers launch phishing scams, fake domains, and malicious emails designed to steal Amazon credentials and payment information. Check Point Research has uncovered a surge in Amazon Prime Day scams this September, showing how attackers continue to weaponize urgency and trust."
        https://blog.checkpoint.com/research/amazon-prime-day-2025-the-dark-side-of-deals/
      • Confucius Espionage: From Stealer To Backdoor
        "The Confucius group is a long-running cyber-espionage actor operating primarily across South Asia. First identified in 2013, the group is believed to have links to state-sponsored operations in the region. Over the past decade, Confucius has repeatedly targeted government agencies, military organizations, defense contractors, and critical industries—especially in Pakistan—using spear-phishing and malicious documents as initial access vectors. Recent campaigns have highlighted a sharp evolution in tactics, shifting from document stealers like WooperStealer to Python-based backdoors such as AnonDoor. This progression underscores Confucius’ adaptability and the growing sophistication of state-aligned malware campaigns in the region."
        https://www.fortinet.com/blog/threat-research/confucius-espionage-from-stealer-to-backdoor
        https://www.darkreading.com/threat-intelligence/south-asian-cyberspy-evolves-stealers-backdoors
        https://thehackernews.com/2025/10/confucius-hackers-hit-pakistan-with-new.html
        https://www.infosecurity-magazine.com/news/confucius-shifts-doc-stealers/
      • Check Your Socks - A Deep Dive Into Soopsocks PyPI Package
        "JFrog's security research team actively monitors open-source repositories like PyPI for malicious packages, uncovering threats to protect the software supply chain. Our team found a package exhibiting malware-like behaviour, that may pose a threat to organizational security. Even though promising some of the capabilities up front, we suspected the package, which led us to investigate further. This report details its persistence mechanisms, network reconnaissance capabilities, and multiple deployment vectors shown in the different versions evolution of the package."
        https://research.jfrog.com/post/check-your-socks-a-deep-dive-into-soopsocks-pypi/
        https://thehackernews.com/2025/10/alert-malicious-pypi-package-soopsocks.html
      • Rhadamanthys 0.9.x – Walk Through The Updates
        "Rhadamanthys is a complex, multi-modular malware sold on the underground market since September 2022. It was first advertised by the actor “kingcrete2022.” From the outset, its design showed the hallmarks of experienced developers, and analysis soon revealed that it drew heavily from an earlier project by the same authors, Hidden Bee [1]. This strong foundation helped Rhadamanthys quickly gain traction: from a niche product, it grew into one of the dominant stealers in cybercrime campaigns and has even attracted interest from more advanced threat actors."
        https://research.checkpoint.com/2025/rhadamanthys-0-9-x-walk-through-the-updates/

      Breaches/Hacks/Leaks

      • Clop Extortion Emails Claim Theft Of Oracle E-Business Suite Data
        "Mandiant and Google are tracking a new extortion campaign where executives at multiple companies received emails claiming that sensitive data was stolen from their Oracle E-Business Suite systems. According to Genevieve Stark, Head of Cybercrime and Information Operations Intelligence Analysis at GTIG, the campaign began in late September. "This activity began on or before September 29, 2025, but Mandiant's experts are still in the early stages of multiple investigations, and have not yet substantiated the claims made by this group," Stark said. Charles Carmakal, CTO of Mandiant – Google Cloud, stated that the extortion emails are being sent from a large number of compromised email accounts."
        https://www.bleepingcomputer.com/news/security/clop-extortion-emails-claim-theft-of-oracle-e-business-suite-data/
        https://thehackernews.com/2025/10/google-mandiant-probes-new-oracle.html
        https://therecord.media/possible-clop-campaign-extortion-executives-stolen-data
        https://cyberscoop.com/clop-claims-oracle-customers-data-theft/
        https://cyberscoop.com/extortion-email-clop-oracle-customers/
        https://www.securityweek.com/cybercriminals-claim-theft-of-data-from-oracle-e-business-suite-customers/
        https://www.helpnetsecurity.com/2025/10/02/oracle-ebs-data-theft-extortion/
        https://www.theregister.com/2025/10/02/clop_oracle_extortion/
        https://www.bankinfosecurity.com/extortionists-claim-mass-oracle-e-business-suite-data-theft-a-29620
        https://www.infosecurity-magazine.com/news/extortion-emails-executives-clop/
      • Red Hat Confirms Security Incident After Hackers Breach GitLab Instance
        "An extortion group calling itself the Crimson Collective claims to have stolen nearly 570GB of compressed data across 28,000 internal development repositories, with the company confirming it was a breach of one of its GitLab instances. This data allegedly includes approximately 800 Customer Engagement Reports (CERs), which can contain sensitive information about a customer's network and platforms. A CER is a consulting document prepared for clients that often contains infrastructure details, configuration data, authentication tokens, and other information that could be abused to breach customer networks."
        https://www.bleepingcomputer.com/news/security/red-hat-confirms-security-incident-after-hackers-breach-gitlab-instance/
        https://www.darkreading.com/application-security/red-hat-widespread-breaches-private-gitlab-repositories
        https://securityaffairs.com/182866/data-breach/cybercrime-group-claims-to-have-breached-red-hat-s-private-github-repositories.html
        https://www.theregister.com/2025/10/02/cybercrims_claim_raid_on_28000/
        https://cyberscoop.com/red-hat-gitlab-attack-consulting-data/
        https://www.helpnetsecurity.com/2025/10/02/hackers-red-hat-github-breached-customer-data-stolen/
      • Renault UK Customer Records Stolen In Third-Party Breach
        "Renault UK is informing customers that their personal data may have been compromised following a cyberattack on one of its third-party service providers. In an email sent to customers and seen by Hackread.com, the automaker says that while its own systems were not breached, attackers gained access via the external provider."
        https://hackread.com/renault-uk-customers-third-party-data-breach/

      General News

      • Building a Mature Automotive Cybersecurity Program Beyond Checklists
        "In this Help Net Security interview, Robert Sullivan, CIO & CISO at Agero, shares his perspective on automotive cybersecurity. He discusses strategies for developing mature security programs, meeting regulatory requirements, and addressing supply chain risks. Sullivan also looks ahead to how AI and other emerging technologies will shape the future of cybersecurity."
        https://www.helpnetsecurity.com/2025/10/02/robert-sullivan-agero-automotive-cybersecurity-strategies/
      • Biotech Platforms Keep Missing The Mark On Security Fundamentals
        "A new security posture report on the biotech sector shows how quickly attackers could reach sensitive health data with only basic reconnaissance. Researchers needed less than two hours per company to uncover exposed genomic records, unprotected APIs, and misconfigured systems, according to Sekurno."
        https://www.helpnetsecurity.com/2025/10/02/biotech-security-gaps-report/
      • Small Businesses And Ransomware: Navigating The AI Era Threat
        "Ransomware has evolved from a niche hacker tactic into a mainstream threat, and small businesses are increasingly in the crosshairs. While large enterprises have resources to invest in cybersecurity teams, threat intelligence, and AI-driven defence tools, many small businesses remain underprotected. In 2025, ransomware attacks will become faster, more automated, and more sophisticated thanks to artificial intelligence. This means that small business owners must understand the threat landscape and implement practical defences."
        https://hackread.com/small-businesses-ransomware-the-ai-era-threat/
      • Forrester: Agentic AI-Powered Breach Will Happen In 2026
        "An agentic AI deployment will cause a publicly disclosed data breach next year, leading to employee dismissals, Forrester has predicted. Senior analyst Paddy Harrington noted that generative AI (GenAI) has already been responsible for several breaches since it burst onto the scene three years ago. “As companies begin building agentic AI workflows, these issues will only become more prevalent,” he added in a blog post yesterday."
        https://www.infosecurity-magazine.com/news/forrester-agentic-ai-breach-2026/
      • Phishing Is Moving From Email To Mobile. Is Your Security?
        "Email security has long dominated the enterprise security conversation — and rightfully so. It remains a key vector for phishing, credential theft, and social engineering. But in 2025, the threat landscape has shifted. Quietly yet decisively, attackers increasingly are bypassing the inbox and expanding their reach across multiple channels. Recent data from TechMagic shows that 41% of phishing incidents now employ multichannel tactics, including SMS (smishing), voice calls (vishing), and QR codes (quishing). The trend is clear: While email still matters, adversaries are shifting to mobile-first platforms like text, iMessage, WhatsApp, and social direct messages. These attacks are harder to spot, more difficult to control, and more likely to succeed, because they target the most vulnerable point in the chain: the human behind the screen."
        https://www.darkreading.com/cyber-risk/phishing-moving-email-mobile-is-your-security
      • There Are More CVEs, But Cyber Insurers Aren't Altering Policies
        "The showman P.T. Barnum said, "There's a sucker born every minute." Had he been a cybersecurity expert, he might have changed that to say, "There's a cybersecurity vulnerability published every 12 minutes," and he'd not have been far off. When it comes to insuring against cyber risk, some insurance carriers and brokers take a proactive, collaborative approach to help policyholders mitigate their risk, while others opt for a more assertive stance by penalizing policyholders for not promptly patching vulnerabilities. Getting the right balance of risk and coverage is largely left to the companies themselves."
        https://www.darkreading.com/cyber-risk/more-cves-cyber-insurers-arent-altering-policies
      • Silent Push Examines The Dark Side Of Dynamic DNS Providers
        "New research developed by Silent Push Threat Analysts has been compiled into a set of exclusive exports, enabling organizations to track approximately 70,000 domains that rent subdomains, also referred to as “Dynamic DNS” providers. These types of web hosts can be of concern because they allow anyone—malicious or otherwise—to register subdomains and host their own content on them. Typically, DNS records are also automatically managed by the service that rents the subdomains, though this is not the case with all publicly rentable subdomains."
        https://www.silentpush.com/blog/dynamic-dns-providers/

      Reference
      Electronic Transactions Development Agency (ETDA)
