Cyber Threat Intelligence 14 October 2025
Financial Sector
- Financial, Other Industries Urged To Prepare For Quantum Computers
"Financial firms, government agencies, and other sectors with sensitive data need to worry about the arrival of quantum computers today, even though a cryptographically relevant quantum computer (CRQC) may be decades away, experts warn. In late September, the Financial Services Information Sharing and Analysis Center (FS-ISAC) warned that crypto-procrastination is resulting in financial firms being unprepared for the future threats and data risks posed by quantum computers. A variety of factors — from interdependencies between firms to the need to support standards — have slowed planning and hampered adoption of post-quantum encryption."
https://www.darkreading.com/cybersecurity-operations/financial-industries-urged-prepare-quantum-computers
Healthcare Sector
- Building a Healthcare Cybersecurity Strategy That Works
"In this Help Net Security interview, Wayman Cummings, CISO at Ochsner Health, talks about building a healthcare cybersecurity strategy, even when resources are tight. He explains how focusing on areas like vulnerability management and network segmentation can make the biggest difference. Cummings also shares how balancing investments across people, processes, and technology can strengthen both resilience and patient trust."
https://www.helpnetsecurity.com/2025/10/13/wayman-cummings-ochsner-health-building-healthcare-cybersecurity-strategy/
- When Hackers Hit, Patient Safety Takes The Fall
"93% of U.S. healthcare organizations experienced at least one cyberattack in the past year, with an average of 43 incidents per organization, according to Proofpoint. The study found that most of these attacks involved cloud account compromises, ransomware, supply chain intrusions, and business email compromise. 72% of respondents said at least one incident disrupted patient care."
https://www.helpnetsecurity.com/2025/10/13/report-cyberattacks-disrupt-patient-care/
Industrial Sector
- Critical Infrastructure CISOs Can't Ignore 'Back-Office Clutter' Data
"Security leaders in critical infrastructure traditionally have focused their defensive energy on operational technology (OT) and industrial control systems (ICS). Those remain the crown jewels for attackers. But while they've been patching programmable logic centers (PLCs) and segmenting control centers, sprawling collaboration platforms — SharePoint, Google Drive, Exchange, Gmail, Teams, Slack, Box, and old-fashioned file shares — have quietly become the single largest unmonitored attack surface in the enterprise."
https://www.darkreading.com/cyberattacks-data-breaches/critical-infrastructure-back-office-data
Vulnerabilities
- Same Model, Different Hat
"OpenAI recently released its Guardrails framework, a new set of safety tools designed to detect and block potentially harmful model behavior. Among these are “jailbreak” and “prompt injection” detectors that rely on large language models (LLMs) themselves to judge whether an input or output poses a risk. Our research shows that this approach is inherently flawed. If the same type of model used to generate responses is also used to evaluate safety, both can be compromised in the same way. Using a simple prompt injection technique, we were able to bypass OpenAI’s Guardrails and convince the system to generate harmful outputs and execute indirect prompt injections without triggering any alerts."
https://hiddenlayer.com/innovation-hub/same-model-different-hat/
https://hackread.com/openai-guardrails-bypass-prompt-injection-attack/
https://www.malwarebytes.com/blog/news/2025/10/researchers-break-openai-guardrails
Malware
- New Rust Malware "ChaosBot" Uses Discord For Command And Control
"Adversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes. We have discovered some of the most dangerous threats and nation state attacks in our space – including the Kaseya MSP breach and the more_eggs malware. Our Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced Threat Analytics driven by our Threat Response Unit – the TRU team."
https://www.esentire.com/blog/new-rust-malware-chaosbot-uses-discord-for-command-and-control
https://thehackernews.com/2025/10/new-rust-based-malware-chaosbot-hijacks.html
- Larva-25010 – Analysis On The APT Down Threat Actor’s PC
"This report covers the seven posts on the breach analysis of APT Down, which were published in “Threat Notes” of AhnLab TIP after the release of the “APT Down: the North Korea Files” report, along with additional analysis."
https://asec.ahnlab.com/en/90498/
- Analysis On The Qilin Ransomware Using Selective Encryption Algorithm
"Recently, Qilin ransomware has been launching continuous attacks on companies in various countries and industries around the world, and cases of damage have also been identified in South Korea. This post analyzes the key features and encryption methods of Qilin ransomware, as well as the technical reasons why decryption is impossible, to provide insights that can help organizations effectively respond to similar threats in the future."
https://asec.ahnlab.com/en/90497/
- 100,000+ IP Botnet Launches Coordinated RDP Attack Wave Against US Infrastructure
"Since October 8, 2025, GreyNoise has tracked a coordinated botnet operation involving over 100,000 unique IP addresses from more than 100 countries targeting Remote Desktop Protocol (RDP) services in the United States. The campaign employs two specific attack vectors — RD Web Access timing attacks and RDP web client login enumeration — with most participating IPs sharing one similar TCP fingerprint, indicating centralized control."
https://www.greynoise.io/blog/botnet-launches-coordinated-rdp-attack-wave
https://www.bleepingcomputer.com/news/security/massive-multi-country-botnet-targets-rdp-services-in-the-us/
- Suspicious ScreenConnect Abuse By Threat Actors
"Recently observed an uptick in threat actors abusing RMM tools for initial access via phishing. I decided to investigate several popular RMMs — AnyDesk, ConnectWise ScreenConnect, and Atera — and published my findings on how APT groups abuse these platforms in my DarkAtlas research. If you’re tracking modern intrusion trends, these tools are worth watching closely."
https://darkatlas.io/blog/screen-connect-full-analysis
https://www.infosecurity-magazine.com/news/hackers-target-screenconnects/
Breaches/Hacks/Leaks
- SimonMed Says 1.2 Million Patients Impacted In January Data Breach
"U.S. medical imaging provider SimonMed Imaging is notifying more than 1.2 million individuals of a data breach that exposed their sensitive information. SimonMed Imaging is an outpatient medical imaging and radiology services provider, including MRI and CT scans, X-ray, ultrasound, mammography, PET, nuclear medicine, bone density, and interventional radiology procedures. The radiology company operates about 170 medical centers in 11 U.S. states, and has an annual revenue of more than $500 million."
https://www.bleepingcomputer.com/news/security/simonmed-says-12-million-patients-impacted-in-january-data-breach/
https://www.bankinfosecurity.com/2-radiology-practices-notifying-nearly-15-million-hacks-a-29711
https://www.securityweek.com/simonmed-imaging-data-breach-impacts-1-2-million/
https://securityaffairs.com/183342/uncategorized/simonmed-imaging-discloses-a-data-breach-impacting-over-1-2-million-people.html
- Months After Being Notified, A Software Vendor Is Still Exposing Confidential And Sealed Court Records
"In a special edition of “No need to hack when it’s leaking,” DataBreaches reports on a software vendor that, despite multiple attempts by multiple parties, continues to expose confidential and sealed court records."
https://databreaches.net/2025/10/13/months-after-being-notified-a-software-vendor-is-still-exposing-confidential-and-sealed-court-records/
- Invoicing And Billing Platform Exposed Nearly 180 Thousand Records Containing PII And Payment Information
"Cybersecurity Researcher Jeremiah Fowler discovered and reported to Website Planet about an unencrypted and non-password-protected database that contained nearly 180k files. These included invoices, images of checks and banking information, tax documents, and more."
https://www.websiteplanet.com/news/invoicely-breach-report/
https://hackread.com/invoicely-database-leak-expose-sensitive-records/
- Malicious Code On Unity Website Skims Information From Hundreds Of Customers
"Hundreds of users had sensitive information skimmed through a compromised website belonging to video game software development company Unity Technologies. Impacted individuals are being informed that threat actors compromised the website for Unity’s SpeedTree 3D vegetation modeling software. An investigation showed that the SpeedTree website, specifically its checkout page, contained malicious code between March 13 and August 26, 2025."
https://www.securityweek.com/malicious-code-on-unity-website-skims-information-from-hundreds-of-customers/
https://securityaffairs.com/183349/data-breach/customer-payment-data-stolen-in-unity-technologiess-speedtree-website-compromise.html
General News
- Attackers Don’t Linger, They Strike And Move On
"Cyber attacks are happening faster than ever. Intrusions that once took weeks or months now unfold in minutes, leaving little time to react. Attackers move quickly once they gain access, aiming to run their payloads and get results before defenders can respond, according to Elastic. Global telemetry shows that on Windows systems, the “Execution” tactic now accounts for 32% of malicious activity, surpassing “Defense Evasion,” which led for three consecutive years. The shift suggests that many attackers now prioritize payload deployment over stealth. Instead of hiding to extend dwell time, they aim to act quickly, using automation and prebuilt code to achieve their goals before defenders can intervene."
https://www.helpnetsecurity.com/2025/10/13/elastic-report-attackers-target-windows-systems/
- Scattered Lapsus$ Hunters Rage-Quit The Internet (Again), Promise To Return Next Year
"The Scattered Lapsus$ Hunters (SLSH) cybercrime collective - comprised primarily of teenagers and twenty-somethings - announced it will go dark until 2026 following the FBI's seizure of its clearweb site. In characteristic fashion, the group issued a profanity-laden, xenophobic farewell message via Telegram, urging supporters to continue targeting countries that refuse ransom payments. The message also promised a retaliatory strike against the FBI upon their return."
https://www.theregister.com/2025/10/13/scattered_lapsus_hunters_hiatus/
- UK Hit By Record Number Of ‘Nationally Significant’ Cyberattacks
"A record number of “nationally significant” cyberattacks hit the United Kingdom last year, the National Cyber Security Centre (NCSC) is to announce on Tuesday as it publishes its annual review for 2024. The cyber agency will reveal its staff were scrambled to assist with the response to 429 attacks between the beginning of September 2024 and the end of August this year. Of these, 204 were considered “nationally significant” — more than double the 89 in that category handled in the twelve months prior."
https://therecord.media/uk-hit-by-record-number-significant-cyberattacks
References
Electronic Transactions Development Agency (ETDA)