Cyber Threat Intelligence 24 October 2025
Financial Sector
- September 2025 Security Issues In Korean & Global Financial Sector
"This report comprehensively covers real cyber threats and security issues that have occurred in financial corporations both in Korea and abroad. The post includes analysis of malware and phishing cases distributed to the financial sector, the top 10 malware strains targeting the financial sector, and statistics on the leaked Korean account credentials by industry through Telegram. A case of phishing emails distributed to the financial sector is also covered in detail."
https://asec.ahnlab.com/en/90687/
Healthcare Sector
- NIHON KOHDEN Central Monitor CNS-6201
"Successful exploitation of this vulnerability could allow an attacker to cause a denial-of-service condition."
https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-296-01
Industrial Sector
- ASKI Energy ALS-Mini-S8 And ALS-Mini-S4
"Successful exploitation of this vulnerability could allow an attacker to gain full control over the device."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-296-02
- AutomationDirect Productivity Suite
"Successful exploitation of these vulnerabilities could enable an attacker to execute arbitrary code, disclose information, gain full-control access to projects, or obtain read and write access to files."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-296-01
- Veeder-Root TLS4B Automatic Tank Gauge System
"Successful exploitation of these vulnerabilities could allow attackers to execute system-level commands, gain full shell access, achieve remote command execution, move laterally within the network, trigger a denial of service condition, cause administrative lockout, and disrupt core system functionalities."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-296-03
- Delta Electronics ASDA-Soft
"Successful exploitation of these vulnerabilities could allow an attacker to write data outside of the allocated memory buffer."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-296-04
Vulnerabilities
- BIND Updates Address High-Severity Cache Poisoning Flaws
"Internet Systems Consortium (ISC) on Wednesday announced BIND 9 updates that resolve high-severity vulnerabilities, including cache poisoning flaws. The first issue is a weakness in the Pseudo Random Number Generator (PRNG) used by the popular DNS server software that, in certain circumstances, could allow an attacker to predict the source port and query ID that will be used. Attackers could abuse the security defect, tracked as CVE-2025-40780 (CVSS score of 8.6), in spoofing attacks that, if successful, could result in BIND caching attacker responses, ISC explains."
https://www.securityweek.com/bind-updates-address-high-severity-cache-poisoning-flaws/
- Shadow Escape 0-Click Attack In AI Assistants Puts Trillions Of Records At Risk
"Operant AI reveals Shadow Escape, a zero-click attack using the MCP flaw in ChatGPT, Gemini, and Claude to secretly steal trillions of SSNs and financial data. Traditional security is blind to this new AI threat."
https://hackread.com/shadow-escape-0-click-attack-ai-assistants-risk/
Malware
- Gotta Fly: Lazarus Targets The UAV Sector
"ESET researchers have recently observed a new instance of Operation DreamJob – a campaign that we track under the umbrella of North Korea-aligned Lazarus – in which several European companies active in the defense industry were targeted. Some of these are heavily involved in the unmanned aerial vehicle (UAV) sector, suggesting that the operation may be linked to North Korea’s current efforts to scale up its drone program. This blogpost discusses the broader geopolitical implications of the campaign, and provides a high-level overview of the toolset used by the attackers."
https://www.welivesecurity.com/en/eset-research/gotta-fly-lazarus-targets-uav-sector/
https://www.bleepingcomputer.com/news/security/north-korean-lazarus-hackers-targeted-european-defense-companies/
https://thehackernews.com/2025/10/north-korean-hackers-lure-defense.html
https://www.darkreading.com/cyberattacks-data-breaches/lazarus-group-hunts-european-drone-manufacturing-data
https://therecord.media/north-korea-hackers-target-europe-drone-makers
https://www.helpnetsecurity.com/2025/10/23/eset-lazarus-operation-dreamjob/
https://cyberscoop.com/north-korea-lazarus-attacks-drone-companies/
https://www.infosecurity-magazine.com/news/lazarus-groups-operation-dreamjob/
https://securityaffairs.com/183783/apt/lazarus-targets-european-defense-firms-in-uav-themed-operation-dreamjob.html
- Malicious NuGet Packages Typosquat Nethereum To Exfiltrate Wallet Keys
"Socket’s Threat Research Team identified a live homoglyph typosquat on NuGet that impersonated the Nethereum project. The package, Netherеum.All, swaps a Cyrillic “e” (U+0435) into the name to pass casual inspection, then uses an XOR routine to decode a command and control (C2) endpoint (solananetworkinstance[.]info/api/gads). When invoked, the code sends an HTTPS POST with a single field form named message, which can carry mnemonics, private keys, keystore JSON, or signed transaction data. Nethereum is the standard .NET library for Ethereum, with tens of millions of NuGet downloads and widespread downstream dependencies, which makes it a high-value target for typosquats on NuGet."
https://socket.dev/blog/malicious-nuget-packages-typosquat-nethereum-to-exfiltrate-wallet-keys
https://thehackernews.com/2025/10/fake-nethereum-nuget-package-used.html
- AI Sidebar Spoofing: Malicious Extensions Impersonate AI Browser Interface
"A few weeks ago, we released a series of attacks that tricked Comet into exfiltrating data, downloading malicious files and providing unauthorized access to enterprise apps, all without the victim’s knowledge. The research highlights the lack of security awareness AI browsers have, and the importance of reimagining security to take into account agentic identities and agentic workflows. The full tech blog for these attacks can be accessed here."
https://labs.sqrx.com/ai-sidebar-spoofing-720e0c91d290
https://www.bleepingcomputer.com/news/security/spoofed-ai-sidebars-can-trick-atlas-comet-users-into-dangerous-actions/
https://www.securityweek.com/ai-sidebar-spoofing-puts-chatgpt-atlas-perplexity-comet-and-other-browsers-at-risk/
- LockBit Returns — And It Already Has Victims
"Just months after being disrupted during Operation Cronos, the notorious LockBit ransomware group has reemerged — and it hasn’t wasted time. Check Point Research has confirmed that LockBit is back in operation and already extorting new victims. Throughout September 2025, Check Point Research identified a dozen organizations targeted by the revived operation, with half of them infected by the newly released LockBit 5.0 variant and the rest by LockBit Black. The attacks span Western Europe, the Americas, and Asia, affecting both Windows and Linux systems, a clear sign that LockBit’s infrastructure and affiliate network are once again active."
https://blog.checkpoint.com/research/lockbit-returns-and-it-already-has-victims/
- The YouTube Ghost Network: How Check Point Research Helped Take Down 3,000 Malicious Videos Spreading Malware
"Check Point Research uncovered a large-scale cyber network hiding in one of the internet’s most trusted spaces: YouTube. What appeared to be harmless tutorials and software demos turned out to be a sophisticated malware distribution network known as the YouTube Ghost Network. The operation used compromised and fake YouTube accounts to spread infostealers such as Rhadamanthys and Lumma, often disguised as cracked software or gaming cheats. After a months-long investigation, Check Point Research reported more than 3,000 malicious videos to Google, leading to their removal and disrupting a major malware distribution channel."
https://blog.checkpoint.com/research/the-youtube-ghost-network-how-check-point-research-helped-take-down-3000-malicious-videos-spreading-malware/
https://www.theregister.com/2025/10/23/youtube_ghost_network_malware/
https://www.helpnetsecurity.com/2025/10/23/youtube-malware-distribution-network-ghost/
- The Smishing Deluge: China-Based Campaign Flooding Global Text Messages
"We are attributing an ongoing smishing (phishing via text message) campaign of fraudulent toll violation and package misdelivery notices to a group widely known as the Smishing Triad. Our analysis indicates this campaign is a significantly more extensive and complex threat than previously reported. Attackers have impersonated international services across a wide array of critical sectors. The attackers have targeted U.S. residents in this campaign since April 2024. The threat actor is evolving their tactics by expanding their reach globally, improving the social engineering tactics used in smishing for delivery."
https://unit42.paloaltonetworks.com/global-smishing-campaign/
https://www.darkreading.com/threat-intelligence/unpaid-toll-texts-smishing-triad
https://cyberscoop.com/unit-42-chinese-language-phishing-operation-smishing-triad/
- TransparentTribe Targets Indian Military Organisations With DeskRAT
"In July 2025, CYFIRMA reported a phishing campaign attributed to TransparentTribe (also known as APT36 or Operation C-Major) targeting Linux-based operating systems of Indian government entities with activity traced back to June 2025. TransparentTribe is a Pakistani-nexus intrusion set known to be active since at least 2013 and carrying out cyber espionage operations to support Pakistan military and strategic interests. Since the initial report, some researchers, including SinghSoodeep via X, have published indicators related to this activity. To track the evolution of this operation, the Threat Detection & Research (TDR) Team implemented several YARA rules. In August and September 2025, Sekoia.io YARA Trackers matched new samples, representing an updated infection chain ultimately delivering a Golang-based RAT which we dubbed DeskRAT. At that time, these results were only found on the PolySwarm platform and were not known by other editors we are dealing with."
https://blog.sekoia.io/transparenttribe-targets-indian-military-organisations-with-deskrat/
https://www.infosecurity-magazine.com/news/pakistani-hacker-group-targets/
- Hackers Posing As Kyrgyz Officials Target Russian Agencies In Cyber Espionage Campaign
"A hacker group known as Cavalry Werewolf has launched a months-long cyber espionage campaign against Russian government agencies and industrial firms, using phishing emails disguised as Kyrgyz government correspondence, researchers said. Between May and August 2025, the group — also tracked as YoroTrooper and Silent Lynx — targeted Russia’s public sector as well as energy, mining and manufacturing companies, according to a report by the Turkish cybersecurity firm Picus Security released this week."
https://therecord.media/hackers-pose-kyrgyz-officials-russia-cyber-espionage
https://www.picussecurity.com/resource/blog/cavalry-werewolf-apt
- Agenda Ransomware Deploys Linux Variant On Windows Systems Through Remote Management Tools And BYOVD Techniques
"Trend Research identified a sophisticated ransomware attack by the Agenda group that deployed their Linux ransomware variant on Windows systems. This follows a similar attack observed last June 2025, where MeshAgent and MeshCentral were used for deployment. In this recent incident, the threat actors utilized a novel deployment method combining WinSCP for secure file transfer and Splashtop Remote for executing the Linux ransomware binary on Windows machines."
https://www.trendmicro.com/en_us/research/25/j/agenda-ransomware-deploys-linux-variant-on-windows-systems.html
- Apple Alerts Exploit Developer That His iPhone Was Targeted With Government Spyware
"Earlier this year, a developer was shocked by a message that appeared on his personal phone: “Apple detected a targeted mercenary spyware attack against your iPhone.” “I was panicking,” Jay Gibson, who asked that we don’t use his real name over fears of retaliation, told TechCrunch. Gibson, who until recently built surveillance technologies for Western government hacking tools maker Trenchant, may be the first documented case of someone who builds exploits and spyware being themselves targeted with spyware."
https://techcrunch.com/2025/10/21/apple-alerts-exploit-developer-that-his-iphone-was-targeted-with-government-spyware/
Breaches/Hacks/Leaks
- Toys “R” Us Canada Warns Customers' Info Leaked In Data Breach
"Toys “R” Us Canada has sent notices of a data breach to customers informing them of a security incident where threat actors leaked customer records they had previously stolen from its systems. The company discovered the data leak on July 30, 2025, when a threat actor posted on the dark web what they claimed to be Toys “R” Us customer data. Subsequent investigation of the threat actor’s claims, conducted with the help of third-party experts, confirmed that the information was indeed authentic."
https://www.bleepingcomputer.com/news/security/toys-r-us-canada-warns-customers-info-leaked-in-data-breach/
https://www.theregister.com/2025/10/23/toysrus_canada_data_leak/
- Medusa Ransomware Leaks 834 GB Of Comcast Data After $1.2M Demand
"The Medusa ransomware group has leaked 186.36 GB of compressed data it claimed to have stolen from Comcast Corporation, a global media and technology company. According to Hackread.com’s earlier report, the group stated that it breached Comcast in late September 2025 and obtained a total of 834 GB of data. The leaked 186 GB archive, once decompressed, should amount to around 834 GB of data, based on the group’s claims. The data trove was released on Sunday, October 19. The ransomware group had initially asked for $1.2 million from potential buyers to download it, the same amount it asked Comcast to pay for the data to be deleted instead of leaked or sold."
https://hackread.com/medusa-ransomware-comcast-data-leak/
- 183 Million Synthient Stealer Credentials Added To Have I Been Pwned
"A huge collection of stolen usernames and passwords, totalling over 183 million, has been added to a website called Have I Been Pwned (HIBP). This big pile of data, named the “Synthient Stealer Log Threat Data,” is not a regular leak from just one company but a massive collection of information stolen directly from people’s computers over time using malicious software commonly known as infostealers."
https://hackread.com/synthient-stealer-credentials-have-i-been-pwned/
https://synthient.com/blog/the-stealer-log-ecosystem
General News
- September 2025 Threat Trend Report On Ransomware
"This report provides information on the number of systems affected during the month of September 2025, statistics related to the DLS-based ransomware, and key ransomware issues from around the world. Below is a summary of the report. The statistics on the number of ransomware samples and affected systems are based on the diagnosis criteria given by AhnLab. The statistics on the number of affected companies are based on the information provided on the Dedicated Leak Sites (DLS) of the ransomware groups and the time when the information was collected by the ATIP infrastructure."
https://asec.ahnlab.com/en/90688/
- September 2025 Trends Report On Phishing Emails
"This report provides the statistics, trends, and case information on the distribution quantity, attachment-based threats, and phishing emails collected and analyzed for a month in September 2025. Below is a portion of the statistics and cases included in the original report."
https://asec.ahnlab.com/en/90689/
- September 2025 Infostealer Trend Report
"This report provides statistics, trends, and case information on Infostealer, including distribution volume, distribution methods, and disguises based on the data collected and analyzed in August 2025. The following is a summary of the original report."
https://asec.ahnlab.com/en/90709/
- September 2025 APT Attack Trends Report (South Korea)
"Ahnlabs is monitoring APT (Advanced Persistent Threat) attacks in South Korea by utilizing their own infrastructure. This report covers the classification, statistics, and features of APT attacks in South Korea that were identified in September 2025."
https://asec.ahnlab.com/en/90714/
- Welcome To SOCRadar’s 2025 MEA Threat Landscape Report!
"Discover the evolving cyber threats across the Middle East and Africa (MEA) with SOCRadar’s 2025 MEA Threat Landscape Report. This comprehensive analysis highlights the top attack trends, targeted sectors, and underground activities impacting organizations throughout the region—offering actionable intelligence to strengthen cybersecurity defenses. Download the full report now to gain comprehensive insights and safeguard your organization against MEA’s rapidly evolving cyber threats."
https://socradar.io/resources/report/mea-threat-landscape-report-2025/
https://www.darkreading.com/cybersecurity-analytics/mea-hackers-govts-finance-smb-retailers
- Faster LLM Tool Routing Comes With New Security Considerations
"Large language models depend on outside tools to perform real-world tasks, but connecting them to those tools often slows them down or causes failures. A new study from the University of Hong Kong proposes a way to fix that. The research team developed a platform called NetMCP that adds network awareness to the Model Context Protocol (MCP), which is the interface that lets LLMs connect to external tools and data sources. The research focuses on improving how LLMs choose which external servers or tools to use. It introduces a new routing algorithm that accounts for semantic relevance and network performance. The goal is to make LLMs faster, more reliable, and better suited for large-scale environments where latency and outages are common."
https://www.helpnetsecurity.com/2025/10/23/netmcp-network-aware-mcp-platform/
https://arxiv.org/pdf/2510.13467
- Your Wearable Knows Your Heartbeat, But Who Else Does?
"Smartwatches, glucose sensors, and connected drug-monitoring devices are common in care programs. Remote monitoring helps detect changes early and supports personalized treatment and long-term condition management. They give clinicians valuable insight into patient health but also introduce new exposure points."
https://www.helpnetsecurity.com/2025/10/23/healthcare-wearable-devices-risks/
- The Next Cyber Crisis May Start In Someone Else’s Supply Chain
"Organizations are getting better at some aspects of risk management but remain underprepared for the threats reshaping the business landscape, according to a new Riskonnect report. The findings show a growing gap between awareness and action as technology, politics, and global markets shift faster than most companies can adapt."
https://www.helpnetsecurity.com/2025/10/23/geopolitics-drives-cyber-threats-report/
- Dark Covenant 3.0: Controlled Impunity And Russia’s Cybercriminals
"The Russian cybercriminal ecosystem is undergoing a period of profound transformation, shaped by unprecedented international law enforcement campaigns, shifting domestic enforcement priorities, and enduring ties between organized crime and the Russian state. Operation Endgame, launched in May 2024, targeted ransomware operators, money laundering services, and affiliate infrastructure across multiple Russian jurisdictions. In response, Russian law enforcement agencies have carried out a series of high-profile arrests and seizures. These events mark a departure from Russia’s traditional posture of near-total noninterference in domestic cybercrime, complicating the long-held perception of Russia as a blanket “safe haven” for cybercriminals."
https://www.recordedfuture.com/research/dark-covenant-3-controlled-impunity-and-russias-cybercriminals
https://assets.recordedfuture.com/insikt-report-pdfs/2025/cta-ru-2025-1022.pdf
https://www.bankinfosecurity.com/kremlin-shaping-cybercrime-into-deniable-geopolitical-tool-a-29803
https://www.securityweek.com/russian-government-now-actively-managing-cybercrime-groups-security-firm/
- Cybereason TTP Briefing Q3 2025: LOLBINs And CVE Exploits Dominate
"Explore the latest trends, techniques, and procedures (TTPs) our incident response (IR) experts are actively facing with the TTP Briefing Q3 2025, a report built on frontline threat intelligence from our global incident response investigations, enriched by noteworthy detections from our SOC. The TTP Briefing is grounded in real-world investigations led by Cybereason’s IR and SOC teams across industries and geographies. This edition of our TTP Briefing examines our data from Q3, and compares certain trends to our findings in H1 2025."
https://www.cybereason.com/blog/ttp-briefing-q3-2025
- IR Trends Q3 2025: ToolShell Attacks Dominate, Highlighting Criticality Of Segmentation And Rapid Response
"Threat actors predominately exploited public-facing applications for initial access this quarter, with this tactic appearing in over 60 percent of Cisco Talos Incident Response (Talos IR) engagements – a notable increase from less than 10 percent last quarter. This spike is largely attributable to a wave of engagements involving ToolShell, an attack chain that targets on-premises Microsoft SharePoint servers through exploitation of vulnerabilities that were publicly disclosed in July. We also saw an increase in post-exploitation phishing campaigns launched from compromised valid accounts this quarter, a trend we noted last quarter, with threat actors using this technique to expand their attack both within the compromised organizations as well as to external partner entities."
https://blog.talosintelligence.com/ir-trends-q3-2025/
- Pwn2Own Underscores Secure Development Concerns
"The real mystery behind this year's Pwn2Own isn't how many bugs hackers will find or how much money they'll earn. It's about one hacker in particular and whether the What'sApp zero-click exploit the person claims to have discovered is real. This week, security researchers descended upon Ireland to participate in Pwn2Own, where researchers compete to be the first to compromise various devices and win prizes. The hackathon, launched in 2007, is hosted by Trend Micro's Zero Day Initiative (ZDI) to promote coordinated vulnerability disclosure practices among researchers and vendors. ZDI acts as a broker, helping researchers disclose details of the vulnerabilities they used in the competition to the vendors."
https://www.darkreading.com/vulnerabilities-threats/pwn2own-underscores-secure-development-concerns
- The Best End User Security Awareness Programs Aren't About Awareness Anymore
"Most successful cyberattacks target end users through social engineering. They also exploit systems left vulnerable due to user errors. This is why securing the human element is crucial to managing cyber-risks in the modern era. As recent headlines of data breaches, business disruptions, and threats demonstrate, the situation is dire. Despite the investment in security awareness training programs, many organizations are not receiving what they need. The average security awareness training program remains lackluster, at best, offering semi-annual cookie-cutter modules that drop a few factoids about security trends, hit users with a spot-the-phish game, or even surprise them with a simulation. As long as the click-through rates on phishing emails remain relatively low, the programs are considered successful."
https://www.darkreading.com/cyber-risk/best-end-user-security-awareness-programs-arent-about-awareness-anymore
- Vibe Coding’s Real Problem Isn’t Bugs—It’s Judgment
"AI-generated code – vibe coding – is an exciting prospect: it turns anyone into a computer programmer. But that is precisely what is wrong with it… The problem is not that vibe coding introduces an excessive number of vulnerabilities. Comparative analysis shows AI vulnerabilities are at a similar density per line of code to those introduced by humans. Code quality is not the problem. It’s just there’s too much of it, too fast, and it lacks good judgment. OX Research, who undertook an analysis, finds two issues. Firstly, where vulnerabilities do exist, they “reach production at unprecedented speed” – too fast for accepted code review processes to find all vulnerabilities. Breaches have already occurred through vibe-produced code that has been missed in review."
https://www.securityweek.com/vibe-codings-real-problem-isnt-bugs-its-judgment/
https://www.ox.security/wp-content/uploads/2025/10/Army-of-Juniors-The-AI-Code-Security-Crisis.pdf
References
Electronic Transactions Development Agency (ETDA)