Cyber Threat Intelligence 21 October 2025
New Tooling
- Nodepass: Open-Source TCP/UDP Tunneling Solution
"When you think of network tunneling, “lightweight” and “enterprise-grade” rarely appear in the same sentence. NodePass, an open-source project, wants to change that. It’s a compact but powerful TCP/UDP tunneling solution built for DevOps teams and system administrators who need to manage complex network environments without wading through configuration files or rigid infrastructure setups."
https://www.helpnetsecurity.com/2025/10/20/nodepass-open-source-tcp-udp-tunneling-solution/
https://github.com/yosebyte/nodepass
Vulnerabilities
- Hard-Coded Credentials Found In Moxa Industrial Security Appliances, Routers (CVE-2025-6950)
"Moxa has fixed 5 vulnerabilities in its industrial network security appliances and routers, including a remotely exploitable flaw (CVE-2025-6950) that may result in complete system compromise. There’s no mention of these flaws being exploited in the wild, but due to their severity, the company has advised customers to apply the latest firmware updates immediately."
https://www.helpnetsecurity.com/2025/10/20/moxa-routers-hard-coded-credentials-cve-2025-6950/
https://www.moxa.com/en/support/product-support/security-advisory/mpsa-258121-cve-2025-6892%2C-cve-2025-6893%2C-cve-2025-6894%2C-cve-2025-6949%2C-cve-2025-6950-multiple-vulnerabilities-in-netwo
- Vulnerability In Dolby Decoder Can Allow Zero-Click Attacks
"A high-severity vulnerability in Dolby’s Unified Decoder could be exploited for remote code execution, without user interaction in certain cases. Built on top of the Dolby Digital Plus (DD+) standard, the Unified Decoder is a software/hardware component used for processing DD+, Dolby AC-4, and other audio formats, converting them into formats that can be played back through speakers. The decoder, Google Project Zero’s Ivan Fratric and Natalie Silvanovich discovered, was impacted by an out-of-bounds write issue that could be triggered during the processing of evolution data."
https://www.securityweek.com/vulnerability-in-dolby-decoder-can-allow-zero-click-attacks/
https://project-zero.issues.chromium.org/issues/428075495
- CISA Adds Five Known Exploited Vulnerabilities To Catalog
"CISA has added five new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
CVE-2022-48503 Apple Multiple Products Unspecified Vulnerability
CVE-2025-2746 Kentico Xperience Staging Sync Server Digest Password Authentication Bypass Vulnerability
CVE-2025-2747 Kentico Xperience Staging Sync Server None Password Type Authentication Bypass Vulnerability
CVE-2025-33073 Microsoft Windows SMB Client Improper Access Control Vulnerability
CVE-2025-61884 Oracle E-Business Suite Server-Side Request Forgery (SSRF) Vulnerability"
https://www.cisa.gov/news-events/alerts/2025/10/20/cisa-adds-five-known-exploited-vulnerabilities-catalog
https://thehackernews.com/2025/10/five-new-exploited-bugs-land-in-cisas.html
https://www.bleepingcomputer.com/news/security/cisa-high-severity-windows-smb-flaw-now-exploited-in-attacks/
- Over 75,000 WatchGuard Security Devices Vulnerable To Critical RCE
"Nearly 76,000 WatchGuard Firebox network security appliances are exposed on the public web and still vulnerable to a critical issue (CVE-2025-9242) that could allow a remote attacker to execute code without authentication. Firebox devices act as a central defense hub that controls traffic between internal and external networks, providing protection through policy management, security services, VPN, and real-time visibility through WatchGuard Cloud. Scans from The Shadowserver Foundation currently show that there are 75,835 vulnerable Firebox appliances across the world, most of them in Europe and North America."
https://www.bleepingcomputer.com/news/security/over-75-000-watchguard-security-devices-vulnerable-to-critical-rce/
- Is Your Car a BYOD Risk? Researchers Demonstrate How
"Bring your own device (BYOD) threats continue to expand, as researchers have demonstrated that even the car you drive to work can constitute an initial access vector into a corporate network. At BSides NYC on Oct. 18, Threatlight chief technology officer (CTO) and co-founder Tim Shipp detailed a proof-of-concept (PoC) attack chain that began in a parked car and ended in corporate Linux servers and ESXi hypervisors. Call it a BYOC — a bring-your-own-car attack. And it required only a few cheap gadgets. The key (pun intended) was the driver's phone — using the car to reach the phone, then using the phone to reach the company's network."
https://www.darkreading.com/vulnerabilities-threats/car-byod-risk
- Denial Of Fuzzing: Rust In The Windows Kernel
"Check Point Research (CPR) identified a security vulnerability in January 2025 affecting the new Rust-based kernel component of the Graphics Device Interface (commonly known as GDI) in Windows. We promptly reported this issue to Microsoft and they fixed the vulnerability starting with OS Build 26100.4202 in the KB5058499 update preview released on May 28th 2025. In the following sections, we detail the methodology of our fuzzing campaign, which targeted the Windows graphics component via metafiles and led to the discovery of this security vulnerability, among others, whose technical analysis is published separately in Drawn to Danger: Bugs in Windows Graphics Lead to Remote Code Execution and Memory Exposure."
https://research.checkpoint.com/2025/denial-of-fuzzing-rust-in-the-windows-kernel/
Malware
- MSS Claims NSA Used 42 Cyber Tools In Multi-Stage Attack On Beijing Time Systems
"China on Sunday accused the U.S. National Security Agency (NSA) of carrying out a "premeditated" cyber attack targeting the National Time Service Center (NTSC), as it described the U.S. as a "hacker empire" and the "greatest source of chaos in cyberspace." The Ministry of State Security (MSS), in a WeChat post, said it uncovered "irrefutable evidence" of the agency's involvement in the intrusion that dated back to March 25, 2022. The attack was ultimately foiled, it added. Established in 1966 under the jurisdiction of the Chinese Academy of Sciences (CAS), NTSC is responsible for generating, maintaining, and transmitting the national standard of time (Beijing Time)."
https://thehackernews.com/2025/10/mss-claims-nsa-used-42-cyber-tools-in.html
https://therecord.media/china-attack-national-time-center
https://www.securityweek.com/china-accuses-us-of-cyberattack-on-national-time-center/
https://securityaffairs.com/183619/intelligence/china-finds-irrefutable-evidence-of-us-nsa-cyberattacks-on-time-authority.html
https://cyberscoop.com/china-mss-nsa-cyberattack-timekeeping-service/
- Salty Much: Darktrace’s View On a Recent Salt Typhoon Intrusion
"Salt Typhoon, a China-linked cyber espionage group, has been observed targeting global infrastructure using stealthy techniques such as DLL sideloading and zero-day exploits. Darktrace recently identified early-stage intrusion activity consistent with Salt Typhoon’s tactics, reinforcing the importance of anomaly-based detection over traditional signature-based methods when defending against persistent, state-sponsored threats."
https://www.infosecurity-magazine.com/news/salt-typhoon-citrix-flaw-cyber/
https://www.bankinfosecurity.com/salt-typhoon-targets-european-telecom-a-29766
https://www.helpnetsecurity.com/2025/10/20/salt-typhoon-apt-telecommunications-europe/
- Analysing ClickFix: 3 Reasons Why Copy/Paste Attacks Are Driving Security Breaches
"ClickFix, FileFix, fake CAPTCHA — whatever you call it, attacks where users interact with malicious scripts in their web browser are a fast-growing source of security breaches. ClickFix attacks prompt the user to solve some kind of problem or challenge in the browser — most commonly a CAPTCHA, but also things like fixing an error on a webpage. The name is a little misleading, though — the key factor in the attack is that they trick users into running malicious commands on their device by copying malicious code from the page clipboard and running it locally."
https://thehackernews.com/2025/10/analysing-clickfix-3-reasons-why.html
- 131 Spamware Extensions Targeting WhatsApp Flood Chrome Web Store
"This cluster of Chrome extensions comprises 131 rebrands of a single tool, all sharing the same codebase, design patterns, and infrastructure. They are not classic malware, but they function as high-risk spam automation that abuses platform rules. The code injects directly into the WhatsApp Web page, running alongside WhatsApp’s own scripts, automates bulk outreach and scheduling in ways that aim to bypass WhatsApp anti-spam enforcement. Listings and marketing sites claim that their Chrome Web Store presence implies a rigorous audit and full privacy compliance. That claim is inaccurate and conflicts with Chrome and WhatsApp policies. At the supply chain level, this is policy abuse that enables spam at scale. Across listings with visible counts, these extensions account for at least 20,905 active users."
https://socket.dev/blog/131-spamware-extensions-targeting-whatsapp-flood-chrome-web-store
https://thehackernews.com/2025/10/131-chrome-extensions-caught-hijacking.html
- GlassWorm: First Self-Propagating Worm Using Invisible Code Hits OpenVSX Marketplace
"A month after Shai Hulud became the first self-propagating worm in the npm ecosystem, we just discovered the world's first worm targeting VS Code extensions on OpenVSX marketplace. But GlassWorm isn't just another supply chain attack. It's using stealth techniques we've never seen before in the wild - invisible Unicode characters that make malicious code literally disappear from code editors. Combine that with blockchain-based C2 infrastructure that can't be taken down, Google Calendar as a backup command server, and a full remote access trojan that turns every infected developer into a criminal proxy node."
https://www.koi.ai/blog/glassworm-first-self-propagating-worm-using-invisible-code-hits-openvsx-marketplace
https://www.bleepingcomputer.com/news/security/self-spreading-glassworm-malware-hits-openvsx-vs-code-registries/
- To Be (A Robot) Or Not To Be: New Malware Attributed To Russia State-Sponsored COLDRIVER
"COLDRIVER, a Russian state-sponsored threat group known for targeting high profile individuals in NGOs, policy advisors and dissidents, swiftly shifted operations after the May 2025 public disclosure of its LOSTKEYS malware, operationalizing new malware families five days later. It is unclear how long COLDRIVER had this malware in development, but GTIG has not observed a single instance of LOSTKEYS since publication. Instead, GTIG has seen new malware used more aggressively than any other previous malware campaigns we have attributed to COLDRIVER (also known as UNC4057, Star Blizzard, and Callisto)."
https://cloud.google.com/blog/topics/threat-intelligence/new-malware-russia-coldriver/
https://www.darkreading.com/cyberattacks-data-breaches/coldriver-drops-fresh-malware-targets
Breaches/Hacks/Leaks
- Retail Giant Muji Halts Online Sales After Ransomware Attack On Supplier
"Japanese retail company Muji has taken its online store offline due to a logistics outage caused by a ransomware attack at its delivery partner, Askul. On Sunday evening (Japan timezone), Muji said that the issue caused all retail services to be affected, including browsing or making purchases on online stores, viewing order histories via the Muji app, and displaying some web content. Although the company did not specify a timeline for restoring the systems, an update on Monday afternoon stated that only purchases from the online store and applying for a monthly flat-rate service continued to be impacted."
https://www.bleepingcomputer.com/news/security/retail-giant-muji-halts-online-sales-after-ransomware-attack-on-supplier/
- Cyberattack Disrupts Services At 2 Massachusetts Hospitals
"A North Central Massachusetts nonprofit healthcare system with two community hospitals, a medical group and several other care facilities has taken its IT network offline and is diverting ambulance patients as it continues to respond to a cyberattack that hit last week. Heywood Healthcare said it is continuing to care for inpatients at its 134-bed Heywood Hospital in Gardner, Massachusetts and its 25-bed critical access community hospital, Athol Hospital, in nearby Athol. But the hospitals are not accepting emergency care patients transported by ambulance. Radiology and laboratory services are also affected."
https://www.bankinfosecurity.com/cyberattack-disrupts-services-at-2-massachusetts-hospitals-a-29765
- Japanese Retailer Askul Halts Online Orders, Shipments After Ransomware Attack
"Japanese office and household goods retailer Askul has halted online orders and product shipments after a ransomware attack crippled its systems, disrupting operations for several major retailers that rely on its logistics network. The Tokyo-based company said the cyberattack, discovered over the weekend, caused system failures that forced it to suspend operations across its three e-commerce sites — Askul for office supplies, Lohaco for household goods and Soloel Arena for corporate clients."
https://therecord.media/askul-japan-retailer-cyberattack-disruption
- Home Security Firm Verisure Reports Data Breach At Swedish Subsidiary
"Home security company Verisure said it had detected unauthorized access to customer data linked to one of its subsidiaries. The breach affected systems belonging to Alert Alarm, a Swedish home security brand that Verisure acquired several years ago, the company said. The subsidiary’s IT infrastructure is managed separately from Verisure’s main network and hosted by an external billing partner. In a statement on Friday, Verisure said the intrusion was confined to that system and did not impact its broader operations in Europe and Latin America. Based in Sweden, the company has operations in 17 countries overall."
https://therecord.media/verisure-data-breach-sweden-alert-alarm-subsidiary
General News
- Evilginx’s Creator Reckons With The Dark Side Of Red-Team Tools
"Kuba Gretzky wanted to make the internet safer. Instead, he helped make it more dangerous. In 2017, from his home in Poland, the coder released a hacking tool called Evilginx – a program designed to help cybersecurity teams understand and defend against phishing attacks. It was meant as a teaching device, a way for companies to see how easily credentials could be stolen and to shore up their defenses before someone else did it for real. But once Evilginx went public, the line between defense and offense blurred. Hackers began using it to break into networks, steal passwords and sell access. Before long, even nation-state actors were folding Gretzky’s code into their operations."
https://therecord.media/evilginx-kuba-gretzky-interview-click-here-podcast
- Flawed Vendor Guidance Exposes Enterprises To Avoidable Risk
"The fallout from Oracle's latest zero-day (CVE-2025-61882) continues to spread, with Harvard University recently disclosing it suffered a data leak stemming from an attack targeting the flaw. The vulnerability carries an "easily exploitable" CVSS score of 9.8 and enables unauthenticated Remote Code Execution (RCE). Targeting a fully integrated business application, such as Oracle's E-Business Suite, is debilitating because it grants attackers access to critical data and functionality. While this vulnerability is significant, Oracle's E-Business Suite should never have been exposed to the Internet, due to the nature of the service and the sensitivity of the data housed within it. The episode raises questions about deployment documents and the role it plays in exposing enterprise systems to avoidable risk."
https://www.darkreading.com/vulnerabilities-threats/oracle-s-flawed-waf-guidance-left-its-customers-vulnerable-to-ransomware-attack
- From Ransomware To AI Risk: New ISACA Research Identifies What Will Keep Tech Pros Up At Night In 2026
"As they look ahead to 2026, more than half of digital trust professionals (59 percent) are expecting that AI-driven cyber threats and deepfakes will keep them up the most at night next year, according to ISACA’s 2026 Tech Trends & Priorities Pulse Poll. Also anticipated to keep them up at night are thoughts of irreparable harm caused by failure to detect/respond to a breach (36 percent) and insider threats and human error (35 percent), finds the inaugural pulse poll—which surveyed 2,963 professionals in digital trust fields such as cybersecurity, IT audit, governance, risk and compliance about their concerns and priorities in areas including technology, threats, regulation and talent."
https://www.isaca.org/about-us/newsroom/press-releases/2025/new-isaca-research-identifies--what-will-keep-tech-pros-up-at-night-in-2026
https://www.infosecurity-magazine.com/news/ai-social-engineering-top-cyber/
- The Golden Scale: Notable Threat Updates And Looking Ahead
"We recently published an Insights piece “The Golden Scale: Bling Libra and the Evolving Extortion Economy,” which primarily focused on the Salesforce data theft extortion activity. This was associated with the cybercriminal syndicate known as Scattered LAPSUS$ Hunters. Since early October 2025, we have observed several notable developments within a Telegram channel (SLSH 6.0 part 3) used by the threat actors. This activity may provide a glimpse into how the group plans to operate in the foreseeable future. We’re providing these insights so that organizations can better prepare for and defend against this evolving threat activity."
https://unit42.paloaltonetworks.com/scattered-lapsus-hunters-updates/
References
Electronic Transactions Development Agency (ETDA)