Cyber Threat Intelligence 31 October 2025
Industrial Sector
- Hitachi Energy TropOS
"Successful exploitation of these vulnerabilities could allow command injections and privilege escalation."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-303-02
- Breaching The OT-Perimeter: Authentication Bypass In Claroty Secure Remote Access (CVE-2025-54603)
"Remote access solutions represent one of the most critical attack vectors in OT environments. While organizations use solutions ranging from simple jump hosts to dedicated OT-aware platforms, the security of these gateways directly impacts the security of industrial components and networks. Claroty Secure Remote Access (SRA) is a premium solution specifically designed for OT environments, managing access to critical industrial assets. During a routine security assessment, Limes Security discovered CVE-2025-54603 – a critical authentication bypass vulnerability in the OpenID Connect (OIDC) implementation affecting on-premise deployments."
https://limessecurity.com/en/breaching-the-ot-perimeter-authentication-bypass-in-claroty-secure-remote-access-cve-2025-54603/
https://www.darkreading.com/ics-ot-security/claroty-patches-authentication-bypass-flaw
- International Standards Organization ISO 15118-2
"Successful exploitation of this vulnerability could result in man-in-the-middle attacks."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-303-01
- “Security Researchers Are The Main Factor Motivating Automakers To Invest In Protecting Their Products”
"Industrial system vulnerability research experts Sergey Anufrienko and Alexander Kozlov discuss threats associated with over-the-air data transmission technologies, attack vectors targeting electric vehicles specifically, the evolution of transportation systems from a cybersecurity perspective, and the role of artificial intelligence in ensuring cybersecurity."
https://ics-cert.kaspersky.com/publications/blog/2025/10/30/security-researchers-are-the-main-factor-motivating-automakers-to-invest-in-protecting-their-products/
Vulnerabilities
- King Addons For Elementor <= 51.1.36 - Unauthenticated Arbitrary File Upload
"The King Addons for Elementor – 4,000+ ready Elementor sections, 650+ templates, 70+ FREE widgets for Elementor plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 51.1.36. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible."
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/king-addons/king-addons-for-elementor-51136-unauthenticated-arbitrary-file-upload
https://www.infosecurity-magazine.com/news/critical-flaws-elementor-king/
- Attackers Actively Exploiting Critical Vulnerability In WP Freeio Plugin
"On September 25th, 2025, we received a submission for a Privilege Escalation vulnerability in WP Freeio, a WordPress plugin bundled in the Freeio premium theme with more than 1,700 sales. This vulnerability makes it possible for an unauthenticated attacker to grant themselves administrative privileges by specifying user role during registration. The vendor released the patched version on October 9th, 2025, and we originally disclosed this vulnerability in the Wordfence Intelligence vulnerability database on October 10th, 2025. Our records indicate that attackers started exploiting the issue on the same day, on October 10th, 2025. The Wordfence Firewall has already blocked over 33,200 exploit attempts targeting this vulnerability."
https://www.wordfence.com/blog/2025/10/attackers-actively-exploiting-critical-vulnerability-in-wp-freeio-plugin/
- CVE-2025-62725: From “docker compose ps” To System Compromise
"Docker Compose powers millions of workflows, from CI/CD runners and local development stacks to cloud workspaces and enterprise build pipelines. It’s trusted by developers as the friendly layer above Docker Engine that turns a few YAML lines into a running application. In early October 2025, while exploring Docker Compose’s new support for OCI-based Compose artifacts, I discovered a high-severity path traversal vulnerability. The flaw allowed attackers to escape Compose’s cache directory and write arbitrary files on the host system, simply by tricking a user into referencing a malicious remote artifact. The issue was patched by the Docker team and assigned CVE-2025-62725, rated High (CVSS 8.9)."
https://www.imperva.com/blog/cve-2025-62725-from-docker-compose-ps-to-system-compromise/
https://www.theregister.com/2025/10/30/docker_compose_desktop_flaws/
- CISA Adds Two Known Exploited Vulnerabilities To Catalog
"CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
CVE-2025-24893 XWiki Platform Eval Injection Vulnerability
CVE-2025-41244 Broadcom VMware Aria Operations and VMware Tools Privilege Defined with Unsafe Actions Vulnerability"
https://www.cisa.gov/news-events/alerts/2025/10/30/cisa-adds-two-known-exploited-vulnerabilities-catalog
https://www.bleepingcomputer.com/news/security/cisa-orders-feds-to-patch-vmware-tools-flaw-exploited-since-october-2024/
https://securityaffairs.com/184051/hacking/u-s-cisa-adds-xwiki-platform-and-broadcom-vmware-aria-operations-and-vmware-tools-flaws-to-its-known-exploited-vulnerabilities-catalog.html
Malware
- Case Of ActiveMQ Vulnerability Exploitation To Install Sharpire (Kinsing)
"AhnLab SEcurity intelligence Center (ASEC) has confirmed that the Kinsing threat actor is still distributing malware by exploiting known vulnerabilities. Since the disclosure of the CVE-2023-46604 vulnerability in ActiveMQ, the threat actor has been exploiting it to install malware on both Linux and Windows systems. [1] Aside from the well-known XMRig and Stager, the latest attack cases also involved Sharpire. Sharpire is a .NET backdoor that supports PowerShell Empire. During the process of taking control of the infected system, the threat actor uses CobaltStrike, Meterpreter, and PowerShell Empire together."
https://asec.ahnlab.com/en/90811/
- New Phishing Campaign Identified Targeting LinkedIn Users
"Push recently detected and blocked a high-risk LinkedIn phishing attack that demonstrated a number of crafty (and increasingly common) detection evasion techniques. Phishing via LinkedIn is increasingly common, although it often goes undetected and unreported. This is to be expected when most of the industry’s data on phishing attacks comes from email security vendors and tools."
https://pushsecurity.com/blog/new-phishing-campaign-identified-targeting-linkedin-users
https://www.bleepingcomputer.com/news/security/linkedin-phishing-targets-finance-execs-with-fake-board-invites/
- Hezi Rash: Rising Kurdish Hacktivist Group Targets Global Sites
"A new ideologically-motivated threat actor with growing technical capabilities has emerged: Hezi Rash. This Kurdish nationalist hacktivist group, founded in 2023, has rapidly escalated its presence through a series of distributed denial-of-service (DDoS) attacks targeting countries perceived as hostile to Kurdish or Muslim communities."
https://blog.checkpoint.com/research/hezi-rash-rising-kurdish-hacktivist-group-targets-global-sites/
- Dynamic Binary Instrumentation (DBI) With DynamoRIO
"Binary instrumentation involves inserting code into compiled executables to monitor, analyze, or modify their behavior — either at runtime (dynamic) or before execution (static) — without altering the original source code. Tools like DynamoRIO, Intel PIN, Valgrind, Frida, and QDBI are commonly used in the field. Static binary instrumentation (SBI) injects code before a binary runs, typically by modifying the file on disk, whereas dynamic binary instrumentation (DBI) operates in memory while the program runs. These techniques are widely used for profiling, debugging, tracing, security analysis, and reverse engineering."
https://blog.talosintelligence.com/dynamic-binary-instrumentation-dbi-with-dynamorio/
- LotL Attack Hides Malware In Windows Native AI Stack
"A researcher has demonstrated that Windows' native artificial intelligence (AI) stack can serve as a vector for malware delivery. In a year where clever and complex prompt injection techniques have been growing on trees, security researcher hxr1 identified a much more traditional way of weaponizing rampant AI. In a proof-of-concept (PoC) shared exclusively with Dark Reading, he described a living-off-the-land attack (LotL) using trusted files from the Open Neural Network Exchange (ONNX) to bypass security engines."
https://www.darkreading.com/vulnerabilities-threats/lotl-attack-malware-windows-native-ai-stack
- All Clones Aren't Equal: Harmless ChatGPT Wrappers Vs. Malicious Fakes
"A quick search for “ChatGPT” or “DALL·E” on a mobile app store today reveals dozens of lookalikes. Each promises “AI chat,” “image generation,” or “smart assistance.” Yet beneath these polished logos lies a troubling truth — not all clones are created equal. Some are harmless wrappers that simply connect to genuine APIs. Others are opportunistic adware disguised as AI tools. And a few conceal sophisticated spyware, capable of stealing data and surveilling users."
https://www.appknox.com/blog/fake-ai-apps-vs-legit-clones
https://hackread.com/spyware-chatgpt-dalle-whatsapp-apps-us-users/
- Silent Push Unearths AdaptixC2's Ties To Russian Criminal Underworld, Tracks Threat Actors Harnessing Open-Source Tool For Malicious Payloads
"AdaptixC2 is a new and emerging extensible post-exploitation and adversarial emulation framework designed for penetration testers. Security researchers and red teams (groups of security experts authorized to act as adversaries, performing simulated attacks against an organization to identify vulnerabilities and test defensive capabilities) frequently utilize this open-source tool, which can be downloaded for free from GitHub."
https://www.silentpush.com/blog/adaptix-c2/
https://thehackernews.com/2025/10/russian-ransomware-gangs-weaponize-open.html
https://therecord.media/open-source-adaptixc2-red-teaming-tool-russian-cybercrime
https://www.infosecurity-magazine.com/news/adaptixc2-malicious-payload/
https://hackread.com/russian-hackers-adaptix-pentest-ransomware/
- Attackers Exploiting WSUS Vulnerability Drop Skuld Infostealer (CVE-2025-59287)
"Attackers have been spotted exploiting the recently patched WSUS vulnerability (CVE-2025-59287) to deploy infostealer malware on unpatched Windows servers. Last week’s release of an emergency fix for CVE-2025-59287, a Windows Server Update Services (WSUS) remote code execution vulnerability, was almost immediately followed by reports of in-the-wild exploitation. With a PoC exploit that had been made public a few days before the fix and a patch that could be reverse-engineered, attackers had enough to create exploits of their own and start targeting unpatched internet-facing Windows Server machines with the WSUS Server role enabled."
https://www.helpnetsecurity.com/2025/10/30/wsus-vulnerability-infostealer-cve-2025-59287/
- Fake PayPal Invoice From Geek Squad Is a Tech Support Scam
"One of our employees received this suspicious email and showed it to me. Although it’s a pretty straightforward attempt to lure targets into calling the scammers, it’s worth writing up because it looks like it was sent out in bulk. Let’s look at the red flags."
https://www.malwarebytes.com/blog/news/2025/10/fake-paypal-invoice-from-geek-squad-is-a-tech-support-scam
- New "Brash" Exploit Crashes Chromium Browsers Instantly With a Single Malicious URL
"A severe vulnerability disclosed in Chromium's Blink rendering engine can be exploited to crash many Chromium-based browsers within a few seconds. Security researcher Jose Pino, who disclosed details of the flaw, has codenamed it Brash. "It allows any Chromium browser to collapse in 15-60 seconds by exploiting an architectural flaw in how certain DOM operations are managed," Pino said in a technical breakdown of the shortcoming."
https://thehackernews.com/2025/10/new-brash-exploit-crashes-chromium.html
https://github.com/jofpin/brash
https://securityaffairs.com/184035/hacking/brush-exploit-can-cause-any-chromium-browser-to-collapse-in-15-60-seconds.html
- UNC6384 Weaponizes ZDI-CAN-25373 Vulnerability To Deploy PlugX Against Hungarian And Belgian Diplomatic Entities
"Arctic Wolf Labs has identified an active cyber espionage campaign by Chinese-affiliated threat actor UNC6384 targeting European diplomatic entities in Hungary, Belgium, and additional European nations during September and October 2025. The campaign represents a tactical evolution incorporating the exploitation of ZDI-CAN-25373, a Windows shortcut vulnerability disclosed in March 2025, alongside refined social engineering leveraging authentic diplomatic conference themes."
https://arcticwolf.com/resources/blog/unc6384-weaponizes-zdi-can-25373-vulnerability-to-deploy-plugx/
https://therecord.media/belgium-hungary-diplomatic-entities-hacked-unc6384
https://www.theregister.com/2025/10/30/suspected_chinese_snoops_abuse_unpatched/
Breaches/Hacks/Leaks
- Major Telecom Services Provider Ribbon Breached By State Hackers
"Ribbon Communications, a provider of telecommunications services to the U.S. government and telecom companies worldwide, revealed that nation-state hackers breached its IT network as early as December 2024. Ribbon provides networking solutions and secure cloud communications services to telecommunications companies and critical infrastructure organizations worldwide. The company has over 3,100 employees in 68 global offices, and its list of customers includes the City of Los Angeles, the Los Angeles Public Library, the University of Texas at Austin, government customers (such as the U.S. Department of Defense), and telecom providers like Verizon, CenturyLink, BT, Deutsche Telekom, Softbank, and TalkTalk."
https://www.bleepingcomputer.com/news/security/major-telecom-services-provider-ribbon-breached-by-state-hackers/
https://hackread.com/nation-state-hack-us-telecom-ribbon-communications/
https://www.securityweek.com/major-us-telecom-backbone-firm-hacked-by-nation-state-actors/
- Akira Ransomware Claims It Stole 23GB From Apache OpenOffice
"The Akira ransomware group claims to have breached Apache OpenOffice and stolen 23GB of data. Apache OpenOffice, for those unfamiliar, is a free and open-source office software suite developed by the Apache Software Foundation. It includes tools similar to Microsoft Office, serving as a free alternative available on Windows, Linux, and macOS. The suite offers Writer for word processing, Calc for spreadsheets, Impress for presentations, Draw for graphics and diagrams, Base for databases, and Math for creating mathematical formulas."
https://hackread.com/akira-ransomware-stole-apache-openoffice-data/
General News
- New Guidance Released On Microsoft Exchange Server Security Best Practices
"Today, CISA, in partnership with the National Security Agency and international cybersecurity partners, released Microsoft Exchange Server Security Best Practices, a guide to help network defenders harden on-premises Exchange servers against exploitation by malicious actors. Threat activity targeting Exchange continues to persist, and organizations with unprotected or misconfigured Exchange servers remain at high risk of compromise."
https://www.cisa.gov/news-events/alerts/2025/10/30/new-guidance-released-microsoft-exchange-server-security-best-practices
https://www.cisa.gov/resources-tools/resources/microsoft-exchange-server-security-best-practices
https://www.nsa.gov/Portals/75/documents/resources/cybersecurity-professionals/CSI_Microsoft_Exchange_Server_Security_Best_Practices.pdf
https://www.bleepingcomputer.com/news/security/cisa-and-nsa-share-tips-on-securing-microsoft-exchange-servers/
https://www.bankinfosecurity.com/cisa-issues-guidance-to-curb-microsoft-exchange-exploits-a-29892
https://cyberscoop.com/cisa-nsa-microsoft-exchange-server-guidance/
- The AI Trust Paradox: Why Security Teams Fear Automated Remediation
"With the volume of threats and the complexity of the modern digital attack surface, it's no surprise that cybersecurity teams are overwhelmed. Risk has outstripped the human capacity required to remediate. As attackers embrace automation via AI, the quantity of vulnerabilities has skyrocketed, and the number of unique tools required to detect and eradicate threats and exposures in the enterprise has become untenable."
https://www.darkreading.com/cybersecurity-operations/ai-trust-paradox-security-teams-fear-automated-remediation
- Stolen Credentials And Valid Account Abuse Remain Integral To Financially Motivated Intrusions
"Throughout the first half of 2025, the FortiGuard Incident Response team responded to dozens of engagements across multiple industries that we attribute broadly to financially motivated threats. Each case we investigated had unique circumstances, but several consistent themes stand out: attackers are continuing to rely on valid accounts and legitimate remote access tools instead of “implant-heavy” intrusions. Industry representation aligns closely with findings from the FortiRecon Threat Intelligence Report (H1 2025), indicating that credential exposure trends observed externally mirror those seen during FortiGuard IR engagements."
https://www.fortinet.com/blog/threat-research/stolen-credentials-and-valid-account-abuse-remain-integral-financially-motivated-intrusions
- How The City Of Toronto Embeds Security Across Governance And Operations
"In this Help Net Security interview, Andree Noel, Deputy CISO at City of Toronto, discusses how the municipality strengthens its cyber defense by embedding security into strategic objectives and digital governance. She outlines the City’s approach to addressing evolving threats and modernizing legacy systems. Noel also shares how data-driven metrics guide leadership in advancing municipal cyber resilience."
https://www.helpnetsecurity.com/2025/10/30/andree-noel-city-of-toronto-municipal-cyber-defense/
- Proton Claims 300 Million Records Compromised So Far This Year
"Researchers have uncovered hundreds of millions of compromised records on the dark web, linked to nearly 800 individual data breaches so far this year. The findings come from a new monitoring and reporting service launched today by email and VPN provider Proton, in partnership with Constella Intelligence. The Data Breach Observatory is built on real-time dark web monitoring which scours cybercrime sites for evidence of breached records up for sale."
https://www.infosecurity-magazine.com/news/proton-300-million-records/
https://www.theregister.com/2025/10/30/proton_data_breach_observatory/
- Former US Defense Contractor Executive Admits To Selling Exploits To Russia
"An Australian national pleaded guilty in a US court to stealing trade secrets from a US defense contractor and selling them to a Russian broker of cyber exploits, the US Department of Justice announced. While an employee of the victim company, the individual, Peter Williams, 39, stole at least eight “cyber-exploit components” of software associated with national security, which constituted trade secrets, the DoJ says. The exploits were stolen between April 2022 and June 2025, and sold to a Russian broker that provides cybersecurity exploits to various customers, including the Russian government, court documents show."
https://www.securityweek.com/former-defense-contractor-executive-admits-to-selling-exploits-to-russia/
https://www.infosecurity-magazine.com/news/defense-contractor-guilty-selling/
https://securityaffairs.com/184025/security/ex-defense-contractor-exec-pleads-guilty-to-selling-cyber-exploits-to-russia.html
- National Cyber Incident Classification Handbook
"This handbook is intended to guide participating States of the Organization for Security and Cooperation in Europe (OSCE) and other interested parties in developing and implementing a national cyber incident classification system. After an introduction and context-setting section explaining the benefits and challenges of cyber incident classification, the handbook divides the process of setting up a national system into six steps:"
https://www.osce.org/secretariat/600455
https://www.osce.org/files/f/documents/e/a/600455.pdf
Reference
Electronic Transactions Development Agency (ETDA)