NCSA Webboard
    • ล่าสุด
    • แท็ก
    • ฮิต
      • ติดต่อสำนักงาน
    • ลงทะเบียน
    • เข้าสู่ระบบ

    Cyber Threat Intelligence 10 October 2025

    Cyber Security News
    1
    1
    282
    โหลดโพสเพิ่มเติม
    • เก่าสุดไปยังใหม่สุด
    • ใหม่สุดไปยังเก่าสุด
    • Most Votes
    ตอบ
    • ตอบโดยตั้งกระทู้ใหม่
    เข้าสู่ระบบเพื่อตอบกลับ
    Topic นี้ถูกลบไปแล้ว เฉพาะผู้ใช้งานที่มีสิทธิ์ในการจัดการ Topic เท่านั้นที่จะมีสิทธิ์ในการเข้าชม
    • NCSA_THAICERTN
      NCSA_THAICERT
      แก้ไขล่าสุดโดย

      Industrial Sector

      • Hitachi Energy Asset Suite
        "Successful exploitation of this vulnerability could result in the manipulation of content or the injection of data with the potential of carrying out further malicious attacks."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-282-01
      • Rockwell Automation Lifecycle Services With Cisco
        "Successful exploitation of this vulnerability could result in arbitrary code execution."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-282-02
      • Rockwell Automation Stratix
        "Successful exploitation of this vulnerability could result in arbitrary code execution."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-282-03
      • Anatomy Of a Hacktivist Attack: Russian-Aligned Group Targets OT/ICS
        "Part of the threat intelligence we provide to customers and the wider community comes from dedicated honeypots, decoy systems deliberately exposed to the internet to lure attackers and capture their tactics. Last year, one of our honeypots, designed as an AI-generated “healthcare clinic”, attracted cybercriminals who attempted to deploy ransomware. This time, we observed something even more significant: an emerging pro-Russian hacktivist group targeted our “water treatment utility” honeypot and then falsely claimed responsibility for a real-world attack on their Telegram channel."
        https://www.forescout.com/blog/anatomy-of-a-hacktivist-attack-russian-aligned-group-targets-otics/
        https://www.bleepingcomputer.com/news/security/hacktivists-target-critical-infrastructure-hit-decoy-plant/
      • A Brief Overview Of The Main Incidents In Industrial Cybersecurity. Q2 2025
        "In Q2 2025, 135 incidents were publicly confirmed by victims. All of these incidents are included in the table at the end of the overview, with select incidents described in detail."
        https://ics-cert.kaspersky.com/publications/reports/2025/10/09/a-brief-overview-of-the-main-incidents-in-industrial-cybersecurity-q2-2025/

      Vulnerabilities

      • CamoLeak: Critical GitHub Copilot Vulnerability Leaks Private Source Code
        "In June 2025, I found a critical vulnerability in GitHub Copilot Chat (CVSS 9.6) that allowed silent exfiltration of secrets and source code from private repos, and gave me full control over Copilot’s responses, including suggesting malicious code or links. The attack combined a novel CSP bypass using GitHub’s own infrastructure with remote prompt injection. I reported it via HackerOne, and GitHub fixed it by disabling image rendering in Copilot Chat completely."
        https://www.legitsecurity.com/blog/camoleak-critical-github-copilot-vulnerability-leaks-private-source-code
        https://www.darkreading.com/application-security/github-copilot-camoleak-ai-attack-exfils-data
        https://www.bankinfosecurity.com/github-copilot-chat-flaw-let-private-code-leak-via-images-a-29699
        https://www.securityweek.com/github-copilot-chat-flaw-leaked-data-from-private-repositories/
      • SquareX Shows AI Browsers Fall Prey To OAuth Attacks, Malware Downloads And Malicious Link Distribution
        "As AI Browsers rapidly gain adoption across enterprises, SquareX has released critical security research exposing major vulnerabilities that could allow attackers to exploit AI Browsers to exfiltrate sensitive data, distribute malware and gain unauthorized access to enterprise SaaS apps. The timing of this disclosure is particularly significant as major companies including OpenAI, Microsoft, Google and The Browser Company have announced or released their own AI browsers. With Chrome and Edge alone representing 70% of the browser market share, it is very likely that the majority of consumer browsers in the future will be AI Browsers. Thus, it is critical for organizations to prepare for these security risks associated with this fundamental change."
        https://hackread.com/squarex-shows-ai-browsers-fall-prey-to-oauth-attacks-malware-downloads-and-malicious-link-distribution/
        https://www.infosecurity-magazine.com/news/architectural-flaws-ai-browsers/
      • A Cascade Of Insecure Architectures: Axis Plugin Design Flaw Expose Select Autodesk Revit Users To Supply Chain Risk
        "In July 2024, we uncovered Azure Storage Account credentials embedded within signed DLLs distributed as part of a plugin for Autodesk® Revit®, a widely used building information modelling (BIM) software. The accounts belonged to Axis Communications, a Swedish multinational company that specializes in network video solutions and surveillance technology, offering IP cameras, access control systems, audio equipment, and video analytics software for various commercial and public safety applications. Trend Zero Day Initiative™ (ZDI) has reported these findings to Axis Communications as ZDI-24-1181, initiating an exchange of fixes and additional reports over the succeeding months—ZDI-24-1328 and ZDI-24-1329 in October 2024, and ZDI-25-858 in March 2025."
        https://www.trendmicro.com/en_us/research/25/j/axis-plugin-flaw-autodesk-revit-supply-chain-risk.html
      • When AI Remembers Too Much – Persistent Behaviors In Agents’ Memory
        "This article presents a proof of concept (PoC) that demonstrates how adversaries can use indirect prompt injection to silently poison the long-term memory of an AI Agent. We use Amazon Bedrock Agent for this demonstration. In this scenario, if agent memory is enabled, an attacker can insert malicious instructions into an agent's memory via prompt injection. This can occur when a victim user is tricked into accessing a malicious webpage or document via social engineering."
        https://unit42.paloaltonetworks.com/indirect-prompt-injection-poisons-ai-longterm-memory/

      Malware

      • ClayRat: A New Android Spyware Targeting Russia
        "Over the past few months, zLabs researchers have been tracking ClayRat, a rapidly evolving Android spyware campaign primarily targeting Russian users. Distributed through Telegram channels and phishing sites, ClayRat masquerades as popular apps such as WhatsApp, Google Photos, TikTok, and YouTube to lure victims into installation. Once active, the spyware can exfiltrate SMS messages, call logs, notifications, and device information; taking photos with the front camera; and even send SMS messages or place calls directly from the victim’s device. ClayRat also spreads aggressively by sending malicious links to every contact in the victim’s phone book, effectively turning each infected device into a distribution hub."
        https://zimperium.com/blog/clayrat-a-new-android-spyware-targeting-russia
        https://github.com/Zimperium/IOC/tree/master/2025-10-ClayRat
        https://www.bleepingcomputer.com/news/security/new-android-spyware-clayrat-imitates-whatsapp-tiktok-youtube/
        https://thehackernews.com/2025/10/new-clayrat-spyware-targets-android.html
        https://hackread.com/fake-tiktok-whatsapp-apps-android-clayrat-spyware/
        https://www.infosecurity-magazine.com/news/clayrat-spyware-targets-android/
        https://securityaffairs.com/183169/malware/clayrat-campaign-uses-telegram-and-phishing-sites-to-distribute-android-spyware.html
      • Investigating Targeted “payroll Pirate” Attacks Affecting US Universities
        "Microsoft Threat Intelligence has observed a financially motivated threat actor that we track as Storm-2657 compromising employee accounts to gain unauthorized access to employee profiles and divert salary payments to attacker-controlled accounts. These types of attacks have been dubbed “payroll pirate” by the industry. Storm-2657 is actively targeting a range of US-based organizations, particularly employees in sectors like higher education, to gain access to third-party human resources (HR) software as a service (SaaS) platforms like Workday."
        https://www.microsoft.com/en-us/security/blog/2025/10/09/investigating-targeted-payroll-pirate-attacks-affecting-us-universities/
        https://www.bleepingcomputer.com/news/security/hackers-target-university-hr-employees-in-payroll-pirate-attacks/
        https://therecord.media/universities-phishing-payroll-pirates
      • Velociraptor Leveraged In Ransomware Attacks
        "In August 2025, Talos responded to a ransomware attack by actors who appeared to be affiliated with Warlock ransomware, based on their ransom note and use of Warlock’s data leak site (DLS). They deployed Warlock, LockBit, and Babuk ransomware to encrypt VMware ESXi virtual machines (VMs) and Windows servers. This severely impacted the customer’s IT environment."
        https://blog.talosintelligence.com/velociraptor-leveraged-in-ransomware-attacks/
        https://www.bleepingcomputer.com/news/security/hackers-now-use-velociraptor-dfir-tool-in-ransomware-attacks/
        https://www.helpnetsecurity.com/2025/10/09/velociraptor-nezha-attackers-misuse/
      • RondoDox: From Targeting Pwn2Own Vulnerabilities To Shotgunning Exploits
        "The ZDI Threat Hunting and Trend™ Research teams have identified a significant RondoDox botnet campaign that targets a wide range of internet-exposed infrastructure. This campaign consists of over 50 exploits, including unpatched router flaws across over 30 vendors, targeting vulnerabilities found in routers, digital video recorders (DVRs), network video recorders (NVRs), CCTV systems, web servers, and various other network devices. While the exploits specifically exploit vulnerabilities in routers, DVRs, NVRs, CCTV systems, web servers, and networking equipment, the latest RondoDox campaign uses an "exploit shotgun", using multiple exploits and seeing what hits."
        https://www.trendmicro.com/en_us/research/25/j/rondodox.html
        https://www.bleepingcomputer.com/news/security/rondodox-botnet-targets-56-n-day-flaws-in-worldwide-attacks/
      • From Infostealer To Full RAT: Dissecting The PureRAT Attack Chain
        "An investigation into what appeared at first glance to be a “standard” Python-based infostealer campaign took an interesting turn when it was discovered to culminate in the deployment of a full-featured, commercially available remote access trojan (RAT) known as PureRAT. This article analyses the threat actor’s combination of bespoke self-developed tooling with off-the-shelf malware. This campaign demonstrates a clear and deliberate progression, starting with a simple phishing lure and escalating through layers of in-memory loaders, defense evasion, and credential theft. The final payload, PureRAT, represents the culmination of this effort: a modular, professionally developed backdoor that gives the attacker complete control over a compromised host."
        https://www.bleepingcomputer.com/news/security/from-infostealer-to-full-rat-dissecting-the-purerat-attack-chain/
      • Oracle E-Business Suite Zero-Day Exploited In Widespread Extortion Campaign
        "Beginning Sept. 29, 2025, Google Threat Intelligence Group (GTIG) and Mandiant began tracking a new, large-scale extortion campaign by a threat actor claiming affiliation with the CL0P extortion brand. The actor began sending a high volume of emails to executives at numerous organizations, alleging the theft of sensitive data from the victims' Oracle E-Business Suite (EBS) environments. On Oct. 2, 2025, Oracle reported that the threat actors may have exploited vulnerabilities that were patched in July 2025 and recommended that customers apply the latest critical patch updates. On Oct. 4, 2025, Oracle directed customers to apply emergency patches to address this vulnerability, reiterating their standing recommendation that customers stay current on all Critical Patch Updates."
        https://cloud.google.com/blog/topics/threat-intelligence/oracle-ebusiness-suite-zero-day-exploitation
        https://www.bankinfosecurity.com/clop-attacks-against-oracle-e-business-suite-trace-to-july-a-29692
        https://cyberscoop.com/oracle-customers-attacks-clop-google-mandiant/
      • APT Meets GPT: Targeted Operations With Untamed LLMs
        "Starting in June 2025, Volexity detected a series of spear phishing campaigns targeting several customers and their users in North America, Asia, and Europe. The initially observed campaigns were tailored to the targets, and the messages purported to be sent by senior researchers and analysts from legitimate-sounding, completely fabricated organizations. The goal of these spear phishing campaigns was to socially engineer targets into clicking links that led to a remotely hosted archive containing a malicious payload. Volexity tracks the threat actor behind these campaigns under the alias UTA0388 and assesses with a high degree of confidence that this is a China-aligned threat actor. This assessment is based both on technical artifacts and the targeting profile of the campaigns."
        https://www.volexity.com/blog/2025/10/08/apt-meets-gpt-targeted-operations-with-untamed-llms/
        https://thehackernews.com/2025/10/from-healthkick-to-govershell-evolution.html

      Breaches/Hacks/Leaks

      • SonicWall: Firewall Configs Stolen For All Cloud Backup Customers
        "SonicWall has confirmed that all customers that used the company's cloud backup service are affected by the security breach last month. Previously, the vendor stated that the incident "exposed firewall configuration backup files stored in certain MySonicWall accounts," without sharing additional details. MySonicWall is an online customer portal used for managing product access, licensing, registration, firmware updates, support cases, and cloud backups of firewall configurations (.EXP files)."
        https://www.bleepingcomputer.com/news/security/sonicwall-firewall-configs-stolen-for-all-cloud-backup-customers/
        https://thehackernews.com/2025/10/hackers-access-sonicwall-cloud-firewall.html
        https://www.darkreading.com/cyberattacks-data-breaches/sonicwall-100-firewall-backups-breached
        https://www.infosecurity-magazine.com/news/sonicwall-cloud-firewall/
        https://cyberscoop.com/sonicwall-customer-firewall-configurations-exposed/
        https://hackread.com/sonicwall-hackers-breached-all-firewall-backups/
        https://www.securityweek.com/all-sonicwall-cloud-backup-users-had-firewall-configurations-stolen/
        https://securityaffairs.com/183154/security/threat-actors-steal-firewall-configs-impacting-all-sonicwall-cloud-backup-users.html
        https://www.theregister.com/2025/10/09/sonicwall_breach_hits_every_cloud/
        https://www.helpnetsecurity.com/2025/10/09/sonicwall-firewall-backup-compromised/
      • Major Hospitals Hit By Cyberattacks, Patient Data Sold On Hacker Forums
        "At a recent seminar on the needs and organization of cybersecurity training in Vietnam, hosted by the Hanoi National University, experts noted that the use of cyberspace for criminal activities has increased in both the number of cases, their nature and severity, and carried out through sophisticated methods and tactics, resulting in victims losing vast sums of money. Cybercriminals target key agencies and organizations, including those in healthcare. Reports showed that cyberattacks to healthcare systems occurred at An Giang central general hospital, where the virtualized server system was hit by hackers, encrypting all data and halting operations."
        https://vietnamnet.vn/en/major-hospitals-hit-by-cyberattacks-patient-data-sold-on-hacker-forums-2449058.html

      General News

      • Australian Data Breaches Are Up 48% So Far This Year. What’s Behind The Eye-Popping Surge?
        "Australian data breaches have surged 48% so far this year, the latest data point that suggests that threat actors are finding rich targets Down Under. That figure is based on Cyble dark web researchers’ investigations of significant data breaches claimed by threat actors on data leak sites and is thus a proxy rather than a complete measure of all data breaches, which is almost certainly higher. Globally, claimed data breaches recorded by Cyble dark web researchers are up 18% so far in 2025 to 1,684 – a significant increase in itself, but one that makes Australia’s surge stand out all the more."
        https://cyble.com/blog/australian-data-breaches-2025-surge/
      • Researchers Develop AI System To Detect Scam Websites In Search Results
        "Scam websites tied to online shopping, pet sales, and other e-commerce schemes continue to cause millions in losses each year. Security tools can accurately detect fraudulent sites once they are found, but identifying new ones remains difficult. To close that gap, researchers from Boston University created LOKI, a system that ranks search queries by how likely they are to reveal scams. Using a small seed set of 1,663 confirmed scam domains, LOKI discovered 52,493 previously unknown fraudulent websites and achieved a 20.58-fold improvement in detection across ten scam categories."
        https://www.helpnetsecurity.com/2025/10/09/loki-scam-websites-search-queries/
      • Behind The Screens: Building Security Customers Appreciate
        "In this Help Net Security interview, Jess Vachon, CISO at PRA Group, discusses the company’s multi-layered defense against fraud and its commitment to protecting customer trust. Vachon explains how PRA Group balances identity verification with a seamless customer experience. Vachon also reflects on how AI is changing both the fight against fraud and the way security teams adapt to threats."
        https://www.helpnetsecurity.com/2025/10/09/jess-vachon-pra-group-defense-against-fraud/
      • Six Metrics Policymakers Need To Track Cyber Resilience
        "Most countries are still making national cyber policy decisions without reliable numbers. Regulations often focus on incident reporting after damage is done, but they fail to give governments a forward-looking picture of resilience. A new report from Zurich Insurance Group argues that this gap leaves economies exposed and slows the ability to respond to systemic threats."
        https://www.helpnetsecurity.com/2025/10/09/zurich-governments-cyber-resilience-metrics/
      • Global Cyber Threats September 2025: Attack Volumes Ease Slightly, But GenAI Risks Intensify As Ransomware Surges 46%
        "In September 2025, the global cyber threat landscape reflected a temporary stabilization in overall attack volumes — yet beneath the surface, ransomware activity and data risks linked to generative AI (GenAI) surged to new highs. Organizations worldwide faced an average of 1,900 cyber-attacks per organization per week, representing a 4% decrease compared to August, but still a 1% increase year-over-year. While total attack volumes may appear steady, the evolution of attack techniques, industries under fire, and the rapid expansion of GenAI-related risks underline a shifting and increasingly complex threat environment."
        https://blog.checkpoint.com/security/global-cyber-threats-september-2025-attack-volumes-ease-slightly-but-genai-risks-intensify-as-ransomware-surges-46/
      • Take Note: Cyber-Risks With AI Notetakers
        "If you haven't seen an AI notetaking application as an "attendee" at a meeting, you haven't been paying attention. These tools are amazing, eliminating manual scribbling and automatically capturing action items. But like many tools, AI notetaking apps have sharp edges when they are not handled properly. AI scribes started as simulated meeting attendees, and most of today's popular video meeting platforms now offer them as a built-in feature. Users also are adopting tools like Granola (a desktop app) or Limitless (a wearable pendant) for notetaking tasks."
        https://www.darkreading.com/cyber-risk/take-note-cyber-risks-with-ai-notetakers
      • X-Labs Q3 2025 Threat Brief: Obfuscated JavaScript & Steganography Enabling Malware Delivery
        "In Q3 2025, organizations across industries have seen a steep increase in JavaScript-attachment based campaigns that deliver a variety of information-stealing and RAT malware. Examples include DarkCloud, Remcos, Agent Tesla and Formbook. Attackers are cloaking their lures in everyday business communications with fake quotes, purchase orders, shipment alerts and even WeTransfer-style links to slip past conventional filters and take advantage of recipient’s trust. For this analysis. the X-labs team reviewed thousands of email subject lines and found similar social engineering tactics being used repeatedly."
        https://www.forcepoint.com/blog/x-labs/q3-2025-threat-brief-obfuscated-javascript-steganography
        https://hackread.com/your-shipment-notification-malware-dropper/
      • BreachForums Seized — Again!
        "As predicted a few days ago, BreachForums was seized. The splash page is now up. It does not have any cute avatars with characters in handcuffs and no text about all the entities that cooperated. It simply says, “This Domain Has Been Seized,” and shows four shields: Department of Justice, FBI, BL2C, and JUNALCO. The latter two are the French agencies that have been heavily involved in trying to catch and thwart ShinyHunters. At the time the domain was seized, ScatteredLAPSUS$Hunters was getting ready to leak data from 39 Salesforce customers if Salesforce did not pay them an undisclosed ransom amount. The deadline for payment is October 10 at 11:59 PM Eastern."
        https://databreaches.net/2025/10/09/breachforums-seized-again/
      • A Small Number Of Samples Can Poison LLMs Of Any Size
        "In a joint study with the UK AI Security Institute and the Alan Turing Institute, we found that as few as 250 malicious documents can produce a "backdoor" vulnerability in a large language model—regardless of model size or training data volume. Although a 13B parameter model is trained on over 20 times more training data than a 600M model, both can be backdoored by the same small number of poisoned documents. Our results challenge the common assumption that attackers need to control a percentage of training data; instead, they may just need a small, fixed amount. Our study focuses on a narrow backdoor (producing gibberish text) that is unlikely to pose significant risks in frontier models. Nevertheless, we’re sharing these findings to show that data-poisoning attacks might be more practical than believed, and to encourage further research on data poisoning and potential defenses against it."
        https://www.anthropic.com/research/small-samples-poison
        https://www.theregister.com/2025/10/09/its_trivially_easy_to_poison/
      • Weaponized AI Assistants & Credential Thieves
        "Just weeks after the s1ngularity attack weaponized AI assistants, the NPM ecosystem was rocked by a far more dangerous threat: a self-propagating worm named Shai-Hulud. In a sobering demonstration of this rapid escalation in attack techniques, the worm has compromised over 187 packages, including several developer-facing tools published by cybersecurity firm CrowdStrike."
        https://www.trendmicro.com/en_us/research/25/j/weaponized-ai-assistants.html

      อ้างอิง
      Electronic Transactions Development Agency(ETDA) b020c294-b613-43f2-858e-27f46570a9bc-image.png

      1 การตอบกลับ คำตอบล่าสุด ตอบ คำอ้างอิง 0
      • First post
        Last post