Cyber Threat Intelligence 23 October 2025
New Tooling
- OpenFGA: The Open-Source Engine Redefining Access Control
"OpenFGA is an open-source, high-performance, and flexible authorization engine inspired by Google’s Zanzibar system for relationship-based access control. It helps developers model and enforce fine-grained access control in their applications. At its core, OpenFGA enables teams to define who can do what within their systems. Whether you’re building a startup app or managing an enterprise platform, it delivers authorization checks in milliseconds. That level of speed allows it to scale as your project grows without compromising performance or security."
https://www.helpnetsecurity.com/2025/10/22/openfga-open-source-access-control/
https://github.com/openfga/openfga
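To make the "relationship-based access control" point concrete, the following is an added example written for this digest, not code from OpenFGA or the Help Net Security article. It is a small Zanzibar-style evaluator: an authorization model made of relations and rewrite rules (direct tuples, computed relations, and "viewer from parent" tuple-to-userset lookups), a tuple store, and a Check that walks the graph with default deny. The types, relations, object names and users are constructed; OpenFGA's real engine, DSL parser and API are not reproduced.

```python
"""Minimal relationship-based access control (ReBAC) evaluator in the style of
Zanzibar/OpenFGA. Constructed for illustration; not OpenFGA's own code or API."""
from typing import Dict, List, Optional, Set, Tuple

# Authorization model, mirroring what the OpenFGA DSL would express as:
#   type user
#   type folder
#     relations
#       define owner: [user]
#       define viewer: [user] or owner
#   type document
#     relations
#       define parent: [folder]
#       define owner: [user]
#       define viewer: [user] or owner or viewer from parent
# Each relation maps to rewrite rules:
#   ("this",)            directly written tuples
#   ("computed", rel)    whoever holds `rel` on the same object
#   ("ttu", link, rel)   whoever holds `rel` on the objects reached via `link`
Rule = Tuple[str, ...]
MODEL: Dict[str, Dict[str, List[Rule]]] = {
    "folder": {
        "owner": [("this",)],
        "viewer": [("this",), ("computed", "owner")],
    },
    "document": {
        "parent": [("this",)],
        "owner": [("this",)],
        "viewer": [("this",), ("computed", "owner"), ("ttu", "parent", "viewer")],
    },
}


class RelationStore:
    """Holds relationship tuples (user, relation, object) and answers Check queries."""

    def __init__(self) -> None:
        self.tuples: Set[Tuple[str, str, str]] = set()

    def write(self, user: str, relation: str, obj: str) -> None:
        self.tuples.add((user, relation, obj))

    def delete(self, user: str, relation: str, obj: str) -> None:
        self.tuples.discard((user, relation, obj))

    def _direct(self, relation: str, obj: str) -> Set[str]:
        return {u for (u, r, o) in self.tuples if r == relation and o == obj}

    def check(self, user: str, relation: str, obj: str,
              _seen: Optional[Set[Tuple[str, str, str]]] = None) -> bool:
        """Return True if `user` holds `relation` on `obj` under MODEL. Default deny."""
        seen = _seen if _seen is not None else set()
        key = (user, relation, obj)
        if key in seen:  # cycle guard for self-referential tuples
            return False
        seen.add(key)
        obj_type = obj.split(":", 1)[0]
        rules = MODEL.get(obj_type, {}).get(relation)
        if rules is None:  # unknown type or relation: deny rather than guess
            return False
        for rule in rules:
            if rule[0] == "this" and user in self._direct(relation, obj):
                return True
            if rule[0] == "computed" and self.check(user, rule[1], obj, seen):
                return True
            if rule[0] == "ttu":
                for linked in self._direct(rule[1], obj):
                    if self.check(user, rule[2], linked, seen):
                        return True
        return False


def build_sample_store() -> RelationStore:
    """Constructed sample tuples: alice owns folder:eng, document:spec lives in it,
    bob is a direct viewer of the document, carol holds nothing."""
    store = RelationStore()
    store.write("user:alice", "owner", "folder:eng")
    store.write("folder:eng", "parent", "document:spec")
    store.write("user:bob", "viewer", "document:spec")
    return store


if __name__ == "__main__":
    s = build_sample_store()
    for who in ("user:alice", "user:bob", "user:carol"):
        print(who, "viewer document:spec ->", s.check(who, "viewer", "document:spec"))
    s.delete("user:alice", "owner", "folder:eng")  # revoke upstream; access disappears
    print("after revoke, alice ->", s.check("user:alice", "viewer", "document:spec"))
```

The point to take from the walk: alice never has a tuple on document:spec, yet Check grants her viewer because ownership of the parent folder rewrites into viewer on the folder, and the document's viewer relation reaches into the parent. Deleting the single upstream tuple revokes everything derived from it, which is the behaviour a ReBAC engine is meant to give you without per-object ACL updates.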
Vulnerabilities
- Oracle Releases October 2025 Patches
"Oracle on Tuesday released 374 new security patches as part of its October 2025 Critical Patch Update (CPU), including over 230 fixes for vulnerabilities that are remotely exploitable without authentication. There appear to be roughly 260 unique CVEs in Oracle’s October 2025 CPU advisory, including a dozen critical-severity flaws. The October CPU was rolled out roughly a week after Oracle released patches for an E-Business Suite defect allowing access to sensitive data, and two weeks after the company warned of a zero-day in the product that was exploited by an extortion group."
https://www.securityweek.com/oracle-releases-october-2025-patches/
https://www.oracle.com/security-alerts/cpuoct2025.html
- CISA Adds One Known Exploited Vulnerability To Catalog
"CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
CVE-2025-61932 Motex LANSCOPE Endpoint Manager Improper Verification of Source of a Communication Channel Vulnerability"
https://www.cisa.gov/news-events/alerts/2025/10/22/cisa-adds-one-known-exploited-vulnerability-catalog
- Deep Analysis Of The Flaw In BetterBank Reward Logic
"From August 26 to 27, 2025, BetterBank, a decentralized finance (DeFi) protocol operating on the PulseChain network, fell victim to a sophisticated exploit involving liquidity manipulation and reward minting. The attack resulted in an initial loss of approximately $5 million in digital assets. Following on-chain negotiations, the attacker returned approximately $2.7 million in assets, mitigating the financial damage and leaving a net loss of around $1.4 million. The vulnerability stemmed from a fundamental flaw in the protocol’s bonus reward system, specifically in the swapExactTokensForFavorAndTrackBonus function. This function was designed to mint ESTEEM reward tokens whenever a swap resulted in FAVOR tokens, but critically, it lacked the necessary validation to ensure that the swap occurred within a legitimate, whitelisted liquidity pool."
https://securelist.com/betterbank-defi-protocol-esteem-token-bonus-minting/117822/
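The flaw described above is a missing authorization check on the pool, not a math bug, and it is easiest to see side by side. The following Python toy is an added example for this digest, not the protocol's Solidity and not code from the Securelist write-up: a router that mints ESTEEM in proportion to FAVOR received, with a flag that either enforces or skips the pool whitelist. The pool addresses, exchange rates, the 10% bonus rate and the assumption that a freshly deployed pool's rate is controlled by its deployer are all constructed; the actual PulseChain exploit mechanics are not reproduced.

```python
"""Toy model of the BetterBank bonus-minting flaw: ESTEEM rewards minted on any swap
that produced FAVOR, without checking that the pool was a legitimate, whitelisted one.
Constructed for illustration; not the protocol's contracts and not a faithful AMM."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class Pool:
    """A liquidity pool reduced to a constant exchange rate. Assumption: whoever
    deploys and seeds a fresh pool controls both reserves, so the rate is theirs to set."""
    address: str
    token_in: str
    token_out: str
    rate: float  # units of token_out returned per unit of token_in


@dataclass
class BonusRouter:
    whitelist: Set[str]
    bonus_rate: float = 0.10        # ESTEEM minted per FAVOR received (constructed value)
    enforce_whitelist: bool = True  # False reproduces the described flaw
    esteem_minted: Dict[str, float] = field(default_factory=dict)

    def swap_exact_tokens_for_favor_and_track_bonus(self, pool: Pool,
                                                    amount_in: float, user: str) -> float:
        """Swap through `pool` and mint ESTEEM proportional to the FAVOR received.
        Returns the ESTEEM minted; raises PermissionError for a non-whitelisted pool
        when enforcement is on."""
        if pool.token_out != "FAVOR":
            raise ValueError("router only tracks bonuses for swaps into FAVOR")
        # The missing check. Without it, an attacker-deployed pool pairing a worthless
        # token against FAVOR produces whatever 'FAVOR received' figure the attacker wants,
        # and the bonus is minted against it.
        if self.enforce_whitelist and pool.address not in self.whitelist:
            raise PermissionError(f"{pool.address} is not a whitelisted pool")
        favor_out = amount_in * pool.rate
        bonus = favor_out * self.bonus_rate
        self.esteem_minted[user] = self.esteem_minted.get(user, 0.0) + bonus
        return bonus


LEGIT_POOL = Pool("pool:PLS-FAVOR", "PLS", "FAVOR", rate=1.0)       # constructed
ATTACKER_POOL = Pool("pool:JUNK-FAVOR", "JUNK", "FAVOR", rate=1e6)  # constructed


def run_scenario(enforce_whitelist: bool) -> Dict[str, Optional[float]]:
    """Run one legitimate swap and one attacker swap; None means the swap was rejected."""
    router = BonusRouter(whitelist={LEGIT_POOL.address}, enforce_whitelist=enforce_whitelist)
    results: Dict[str, Optional[float]] = {}
    results["legit"] = router.swap_exact_tokens_for_favor_and_track_bonus(
        LEGIT_POOL, 100.0, "user:honest")
    try:
        results["attacker"] = router.swap_exact_tokens_for_favor_and_track_bonus(
            ATTACKER_POOL, 1.0, "user:attacker")
    except PermissionError:
        results["attacker"] = None
    return results


if __name__ == "__main__":
    print("vulnerable:", run_scenario(enforce_whitelist=False))
    print("hardened:  ", run_scenario(enforce_whitelist=True))
```

With enforcement off, one unit of a worthless token routed through the attacker's own pool mints ten thousand times the bonus of an honest 100-token swap; with enforcement on, the honest swap is unchanged and the attacker's is rejected before any minting. The general lesson for reward logic is that any value used to size a mint must come from a source the protocol controls, not from a counterparty the caller chose.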
Malware
- Unmasking MuddyWater’s New Malware Toolkit Driving International Espionage
"Group-IB Threat Intelligence has uncovered a sophisticated phishing campaign, attributed with high confidence to the Advanced Persistent Threat (APT) MuddyWater. The attack used a compromised mailbox to distribute Phoenix backdoor malware to international organizations and across the whole Middle East and North Africa region, targeting more than 100 government entities."
https://www.group-ib.com/blog/muddywater-espionage/
https://www.bleepingcomputer.com/news/security/iranian-hackers-targeted-over-100-govt-orgs-with-phoenix-backdoor/
https://www.darkreading.com/cyberattacks-data-breaches/muddywater-100-gov-entites-mea-phoenix-backdoor
https://thehackernews.com/2025/10/iran-linked-muddywater-targets-100.html
https://www.infosecurity-magazine.com/news/muddywater-compromised-mailboxes/
- Beyond Credentials: Weaponizing OAuth Applications For Persistent Cloud Access
"Cloud account takeover (ATO) attacks have become a significant concern in recent years, with cybercriminals and state-sponsored actors increasingly adopting malicious OAuth applications as a means to gain persistent access within compromised environments. These attacks allow malicious actors to hijack user accounts, conduct reconnaissance, exfiltrate data, and launch further malicious activities. The security implications are particularly concerning. Once an attacker gains access to a cloud account they can create and authorize internal (second party) applications with custom-defined scopes and permissions. This capability enables persistent access to critical resources such as mailboxes and files, effectively circumventing traditional security measures like password changes."
https://www.proofpoint.com/us/blog/threat-insight/beyond-credentials-weaponizing-oauth-applications-persistent-cloud-access
https://www.helpnetsecurity.com/2025/10/22/attackers-turn-trusted-oauth-apps-into-cloud-backdoors/
- SessionReaper Attacks Have Started, 3 In 5 Stores Still Vulnerable
"Six weeks after Adobe's emergency patch for SessionReaper (CVE-2025-54236), the vulnerability has entered active exploitation. Sansec Shield detected and blocked the first real-world attacks today, which is bad news for the thousands of stores that remain unpatched. Security researchers at Assetnote published a detailed technical analysis of the vulnerability today, demo'ing the nested deserialization flaw that enables remote code execution. With proof-of-concept code circulating, the window for safe patching has effectively closed."
https://sansec.io/research/sessionreaper-exploitation
https://www.bleepingcomputer.com/news/security/hackers-exploiting-critical-sessionreaper-flaw-in-adobe-magento/
- PhantomCaptcha | Multi-Stage WebSocket RAT Targets Ukraine In Single-Day Spearphishing Operation
"SentinelLABS together with Digital Security Lab of Ukraine has uncovered a coordinated spearphishing campaign targeting individual members of the International Red Cross, Norwegian Refugee Council, UNICEF, and other NGOs involved in war relief efforts and Ukrainian regional government administration. Threat actors used emails impersonating the Ukrainian President’s Office carrying weaponized PDFs, luring victims into executing malware via a ‘ClickFix’-style fake Cloudflare captcha page. The final payload is a WebSocket RAT hosted on Russian-owned infrastructure that enables arbitrary remote command execution, data exfiltration, and potential deployment of additional malware."
https://www.sentinelone.com/labs/phantomcaptcha-multi-stage-websocket-rat-targets-ukraine-in-single-day-spearphishing-operation/
https://www.bleepingcomputer.com/news/security/phantomcaptcha-clickfix-attack-targets-ukraine-war-relief-orgs/
https://thehackernews.com/2025/10/ukraine-aid-groups-targeted-through.html
https://therecord.media/phantomcaptcha-spearphishing-campaign-ukraine-war-relief-groups
https://www.infosecurity-magazine.com/news/phantomcaptcha-campaign-targets/
https://securityaffairs.com/183720/apt/phantomcaptcha-targets-ukraine-relief-groups-with-websocket-rat.html
- ToolShell Used To Compromise Telecoms Company In Middle East
"China-based attackers used the ToolShell vulnerability (CVE-2025-53770) to compromise a telecoms company in the Middle East shortly after the vulnerability was publicly revealed and patched in July 2025. The same threat actors also compromised two government departments in the same African country during the same time period. Zingdoor, which was deployed on the networks of all three organizations, has in the past been associated with the Chinese group Glowworm (aka Earth Estries, FamousSparrow). Another tool used in this campaign, KrustyLoader, has also previously been linked to activity by a group called UNC5221, which has been described as a China-nexus group."
https://www.security.com/blog-post/toolshell-china-zingdoor
https://www.bleepingcomputer.com/news/security/sharepoint-toolshell-attacks-targeted-orgs-across-four-continents/
https://thehackernews.com/2025/10/chinese-threat-actors-exploit-toolshell.html
https://therecord.media/sharepoint-toolshell-bug-breaches-governments-africa-south-america
- Unpacking The Phishing Script Behind a Server-Orchestrated Deception
"A cunning new phishing attack is bypassing Secure Email Gateways (SEGs) and evading perimeter defences. It uses a rare, sophisticated phishing script with random domain selection and dynamic server-driven page replacement, making it highly effective at stealing credentials and evading detection. Understanding this threat is essential to improving defenses. Cofense Intelligence spotted this unusual tactic in early February 2025, and it is ongoing. The script, embedded in malicious web pages or email attachments, exemplifies advanced phishing tactics that prioritize speed, precision, and deception."
https://cofense.com/blog/unpacking-the-phishing-script-behind-a-server-orchestrated-deception
- Bitter (APT-Q-37) Uses Diverse Means To Deliver New Backdoor Components
"The 蔓灵花 group, also known as Bitter and tracking number APT-Q-37, is widely believed to have a South Asian background and has long been targeting China, Pakistan, and other countries, with targeted attacks on units in the government, electric power, and military industries, with the intent of stealing sensitive information."
https://ti.qianxin.com/blog/articles/bitter-uses-diverse-means-to-deliver-new-backdoor-components-en/
https://hackread.com/bitter-apt-winrar-vulnerability-backdoor-attacks/
- SocGholish: Turning Application Updates Into Vexing Infections
"SocGholish, also known as FakeUpdates, has been in service since 2017. Distributed by the threat group TA569, SocGholish is best known for masquerading as a fake application update to trick users into downloading malicious files. TA569 has a tenuous connection to the Russian government through GRU Unit 29155, with Raspberry Robin as its payload. Additionally, TA569 offers Initial Access Broker (IAB) capabilities to those using the malware. The group’s motivation is primarily financial, as its business model revolves around enabling and profiting from follow-on compromises by other actors."
https://www.trustwave.com/en-us/resources/blogs/trustwave-blog/socgholish-turning-application-updates-into-vexing-infections/
https://hackread.com/socgholish-malware-compromised-sites-ransomware/
- Jingle Thief: Inside a Cloud-Based Gift Card Fraud Campaign
"We investigated a campaign waged by financially motivated threat actors operating out of Morocco. We refer to this campaign as Jingle Thief, due to the attackers’ modus operandi of conducting gift card fraud during festive seasons. Jingle Thief attackers use phishing and smishing to steal credentials, to compromise organizations that issue gift cards. Their operations primarily target global enterprises in the retail and consumer services sectors. Once they gain access to an organization, they pursue the type and level of access needed to issue unauthorized gift cards."
https://unit42.paloaltonetworks.com/cloud-based-gift-card-fraud-campaign/
https://www.helpnetsecurity.com/2025/10/22/cloud-based-techniques-gift-card-fraud/
- The Rise Of Collaborative Tactics Among China-Aligned Cyber Espionage Campaigns
"In the domain of cyberespionage, Trend Research has observed an emerging development in recent years: close collaboration between different advanced persistent threat (APT) groups of what looks like a single cyber campaign at first sight. This report highlights instances of such cooperation, where the APT group Earth Estries handed over a compromised asset to Earth Naga, another APT group also known as Flax Typhoon, RedJuliett, or Ethereal Panda. This phenomenon, which we have termed "Premier Pass," represents a new level of coordination in cyber campaigns, particularly among China-aligned APT actors."
https://www.trendmicro.com/en_us/research/25/j/premier-pass-as-a-service.html
Breaches/Hacks/Leaks
- Ransomware Gang Steals Meeting Videos, Financial Secrets From Fence Wholesaler
"A prominent producer of outdoor fence products told regulators on Tuesday evening that a ransomware gang stole images of video meetings and non-public financial documents. Oregon-based Jewett-Cameron Trading filed a notice with the Securities and Exchange Commission (SEC) warning investors that hackers breached its IT systems on October 15. An investigation found that the hackers encrypted parts of the company’s internal corporate systems and installed monitoring software. “The incident caused disruptions and limitation of access to portions of the Company’s business applications supporting aspects of the Company’s operations and corporate functions, which the Company voluntarily took offline as a precautionary measure,” Jewett-Cameron said in an 8-K filing."
https://therecord.media/ransomware-gang-steals-meeting-video-fence-manufacturer
https://www.securityweek.com/fencing-and-pet-company-jewett-cameron-hit-by-ransomware/
- Cyber Incidents In Texas, Tennessee And Indiana Impacting Critical Government Services
"A large suburb outside of Dallas, Texas, was one of multiple municipalities across the U.S. this week to report cyber incidents affecting public services. Kaufman County, home to nearly 200,000 people, said a cyberattack was discovered on Monday and forced county officials to notify state and federal agencies. The incident took down several county systems but the Sheriff’s Office and emergency services were not impacted. A local news outlet reported that computers at the county courthouse were affected by the attack."
https://therecord.media/cyber-incidents-texas-tennessee-indiana
- Cyber Monitoring Centre Statement On The Jaguar Land Rover Cyber Incident – October 2025
"The Cyber Monitoring Centre (CMC) has categorised the recent malicious cyber incident affecting Jaguar Land Rover (JLR), as a Category 3 systemic event on the five-point Cyber Monitoring Centre scale. The CMC model estimates the event caused a UK financial impact of £1.9 billion and affected over 5,000 UK organisations. The modelled range of loss is £1.6 billion to £2.1 billion but this could be higher if operational technology has been significantly impacted or there are unexpected delays in bringing production back to pre-event levels. This estimate reflects the substantial disruption to JLR’s manufacturing, to its multi-tier manufacturing supply chain, and to downstream organisations including dealerships. The estimate is sensitive to key assumptions, including the date JLR is able to fully restore production and the profile of the recovery; this and other assumptions and limitations are discussed later in this document. At £1.9 billion of financial loss, this incident appears to be the most economically damaging cyber event to hit the UK, with the vast majority of the financial impact being due to the loss of manufacturing output at JLR and its suppliers."
https://cybermonitoringcentre.com/2025/10/22/cyber-monitoring-centre-statement-on-the-jaguar-land-rovercyber-incident-october-2025/
https://www.theregister.com/2025/10/22/jaguar_lander_rover_cost/
https://www.infosecurity-magazine.com/news/jlr-hack-uk-costliest-ever-19bn/
https://therecord.media/jaguar-land-rover-cyberattack-economic-impact
https://www.bankinfosecurity.com/jaguar-land-rover-hack-costliest-ever-in-uk-a-29782
General News
- For Blind People, Staying Safe Online Means Working Around The Tools Designed To Help
"Blind and low-vision users face the same password challenges as everyone else, but the tools meant to make security easier often end up getting in the way. A study from the CISPA Helmholtz Center for Information Security and DePaul University found that poor accessibility in password managers can lead people to risky habits such as reusing passwords."
https://www.helpnetsecurity.com/2025/10/22/blind-users-passwords-problems/
- Pwn2Own Day 2: Hackers Exploit 56 Zero-Days For $790,000
"Security researchers collected $792,750 in cash after exploiting 56 unique zero-day vulnerabilities during the second day of the Pwn2Own Ireland 2025 hacking competition. Today's highlight was Ken Gannon of Mobile Hacking Lab and Dimitrios Valsamaras of Summoning Team hacking the Samsung Galaxy S25 with a chain of five security flaws, earning $50,000 and 5 Master of Pwn points. Also, while PHP Hooligans needed only a single second to hack the QNAP TS-453E NAS device, the vulnerability they exploited had already been used in the contest."
https://www.bleepingcomputer.com/news/security/samsung-galaxy-s25-hacked-on-day-two-of-pwn2own-ireland-2025/
- Too Many Secrets: Attackers Pounce On Sensitive Data Sprawl
"Threat actors are having an easier time finding secrets today, as sensitive data leaks continue to spread beyond your average code repositories. Several high-profile attacks this year have illustrated the ongoing issue of leaked secrets, and experts say the problem is only getting worse as the sprawl of sensitive data continues to expand. While exposed secrets typically have been in the domain of code repositories and platforms like GitHub, security researchers have found that data is spilling onto to lesser-known avenues."
https://www.darkreading.com/cyber-risk/too-many-secrets-attackers-sensitive-data-sprawl
- Russia Pivots, Cracks Down On Resident Hackers
"For the first time in history, the Russian government has been partially cracking down on its cybercriminal underground. Russian cybercriminals operate everywhere, but Russia has always been the world's epicenter, primarily thanks to the carte blanche they're afforded by the state. At best, Russia's oligarchy has turned a blind eye to cybercrime within its borders. In many cases, state institutions and powerful officials have actively collaborated with, recruited, and otherwise aided Internet criminals."
https://www.darkreading.com/threat-intelligence/russia-cracks-down-low-level-hackers
- Verizon: Mobile Blindspot Leads To Needless Data Breaches
"Enterprise cybersecurity risks from employees using their personal phones for work are rising, but companies aren't adopting solutions quickly enough to account for them. The data collected in Verizon Business' 2025 Mobile Security Index (MSI) paints a clear picture of an often overlooked organizational security risk. People are being hacked on their personal phones, then transmitting those attacks to their employers. Their employers, though, aren't addressing the issue with the same verve they are desktop-borne risks."
https://www.darkreading.com/threat-intelligence/verizon-mobile-blindspot-data-breaches
https://www.verizon.com/business/resources/reports/mobile-security-index/#2025
https://www.verizon.com/business/resources/reports/2025-mobile-security-index.pdf
- What Makes a Great Field CXO: Lessons From The Front Lines
"In recent years, Field CXO positions (e.g., Field CISO, Field CTO, etc.) have become commonplace across the industry. Like any professional position, the people filling these roles vary widely in their style, approach, and success level. If you are recruiting for one of these roles or are looking to leverage a resource at your company in one of these roles, what are some things you should be aware of?"
https://www.securityweek.com/what-makes-a-great-field-cxo-lessons-from-the-front-lines/
- Asian Nations Ramp Up Pressure On Cybercrime 'Scam Factories'
"Human trafficking and forced-labor camps where the equivalent of indentured servants carry out scams, fraud, and other cybercrime activities have infested Cambodia, Laos, and Burma — and neighboring Asian nations are taking more stringent efforts to deal with the growing problem. Last week, South Korea banned travel to parts of Cambodia, stating that citizens can be prosecuted for violating the law and "strongly advised" them to cancel their trips, in what the government refers to as a "code black" travel ban. The South Korean government, which estimates that about 1,000 citizens are working or forced to work in the cyber-scam centers, is also reportedly readying sanctions against the groups operating in Cambodia and other cybercrime-friendly nations."
https://www.darkreading.com/cyberattacks-data-breaches/asian-nations-ramp-up-legal-attacks-cybercrime-factories
References
Electronic Transactions Development Agency (ETDA)