NCSA Webboard
    • ล่าสุด
    • แท็ก
    • ฮิต
      • ติดต่อสำนักงาน
    • ลงทะเบียน
    • เข้าสู่ระบบ

    Cyber Threat Intelligence 27 November 2025

    Cyber Security News
    1
    1
    118
    โหลดโพสเพิ่มเติม
    • เก่าสุดไปยังใหม่สุด
    • ใหม่สุดไปยังเก่าสุด
    • Most Votes
    ตอบ
    • ตอบโดยตั้งกระทู้ใหม่
    เข้าสู่ระบบเพื่อตอบกลับ
    Topic นี้ถูกลบไปแล้ว เฉพาะผู้ใช้งานที่มีสิทธิ์ในการจัดการ Topic เท่านั้นที่จะมีสิทธิ์ในการเข้าชม
    • NCSA_THAICERTN
      NCSA_THAICERT
      แก้ไขล่าสุดโดย

      Telecom Sector

      • Mobile Industry Warns Patchwork Cyber Regs Are Driving Up Costs
        "Mobile operators' core cybersecurity spending is projected to more than double by 2030 as threats evolve, while poorly designed and fragmented policy frameworks add extra compliance costs, according to industry group the GSMA. The lobbying organization has pushed out a report calling for national policymakers to simplify compliance and incident reporting to make the job of the network operators easier. It also wants to see greater international coordination between governments and regulators to build those frameworks around common standards."
        https://www.theregister.com/2025/11/26/gsma_global_standards_mobile_industry/
        https://www.gsma.com/solutions-and-impact/connectivity-for-good/public-policy/wp-content/uploads/2025/11/Impact-of-Cybersecurity-Regulation-on-Mobile-Operators.pdf

      New Tooling

      • DeepTeam: Open-Source LLM Red Teaming Framework
        "Security teams are pushing large language models into products faster than they can test them, which makes any new red teaming method worth paying attention to. DeepTeam is an open-source framework built to probe these systems before they reach users, and it takes a direct approach to exposing weaknesses. The tool runs on a local machine and uses language models to simulate attacks as well as evaluate the results. It applies techniques drawn from recent research on jailbreaking and prompt injection, which gives teams a way to uncover issues such as bias or exposure of personal data. Once DeepTeam finds a problem, it offers guardrails that can be added to production systems to block similar issues."
        https://www.helpnetsecurity.com/2025/11/26/deepteam-open-source-llm-red-teaming-framework/
        https://github.com/confident-ai/deepteam

      Vulnerabilities

      • Old Tech, New Vulnerabilities: NTLM Abuse, Ongoing Exploitation In 2025
        "Flip phones grew popular, Windows XP debuted on personal computers, Apple introduced the iPod, peer-to-peer file sharing via torrents was taking off, and MSN Messenger dominated online chat. That was the tech scene in 2001, the same year when Sir Dystic of Cult of the Dead Cow published SMBRelay, a proof-of-concept that brought NTLM relay attacks out of theory and into practice, demonstrating a powerful new class of authentication relay exploits."
        https://securelist.com/ntlm-abuse-in-2025/118132/
      • ASUS Warns Of New Critical Auth Bypass Flaw In AiCloud Routers
        "ASUS has released new firmware to patch nine security vulnerabilities, including a critical authentication bypass flaw in routers with AiCloud enabled. AiCloud is a cloud-based remote access feature that comes with many ASUS routers, turning them into private cloud servers for remote media streaming and cloud storage. As the Taiwanese electronics manufacturer explained, the CVE-2025-59366 vulnerability "can be triggered by an unintended side effect of the Samba functionality, potentially leading to allow execution of specific functions without proper authorization.""
        https://www.bleepingcomputer.com/news/security/asus-warns-of-new-critical-auth-bypass-flaw-in-aicloud-routers/
      • Popular Forge Library Gets Fix For Signature Verification Bypass Flaw
        "A vulnerability in the ‘node-forge’ package, a popular JavaScript cryptography library, could be exploited to bypass signature verifications by crafting data that appears valid. The flaw is tracked as CVE-2025-12816 and received a high severity rating. It arises from the library’s ASN.1 validation mechanism, which allows malformed data to pass checks even when it is cryptographically invalid."
        https://www.bleepingcomputer.com/news/security/popular-forge-library-gets-fix-for-signature-verification-bypass-flaw/
        Dell ControlVault, Lasso, GL.iNet Vulnerabilities
        "Cisco Talos’ Vulnerability Discovery & Research team recently disclosed five vulnerabilities in Dell ControlVault 3 firmware and its associated Windows software, four vulnerabilities in Entr'ouvert Lasso, and one vulnerability in GL.iNet Slate AX. The vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in adherence to Cisco’s third-party vulnerability disclosure policy. For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website."
        https://blog.talosintelligence.com/dell-controlvault-lasso-gl-inet-vulnerabilities/
      • B2B Guest Access Creates An Unprotected Attack Vector
        "Microsoft Teams is a core collaboration platform for Ontinue and for the organisations we protect. Our ability to engage directly with customers inside their own Teams environments is one of our most valued differentiators, and one they consistently highlight as a strength of our service. However, like all powerful collaboration tools, Teams depends on proper configuration and governance to ensure its security boundaries function as intended. Effective protection is not inherent to the platform; it emerges from how each tenant chooses to manage external access, identity boundaries, and integrated security controls."
        https://www.ontinue.com/resource/blog-microsoft-chat-with-anyone-understanding-phishing-risk/
        https://hackread.com/microsoft-teams-guest-chat-flaw-malware/

      Malware

      • Bloody Wolf: A Blunt Crowbar Threat To Justice
        "Bloody Wolf is an advanced persistent threat (APT) group active since late 2023. The group initially used commercial STRRAT malware. Later, the group switched to deploying the legitimate NetSupport remote administration tool (RAT) in campaigns targeting Kazakhstan and Russia previously described by BI.ZONE analysts. A joint investigation between Group-IB and UKUK has revealed that Bloody Wolf had been conducting a campaign in Kyrgyzstan since at least June 2025. Those threat actors would impersonate the country’s Ministry of Justice through official looking PDF documents and domain names, which in turn hosted malicious Java Archive (JAR) files designed to deploy the NetSupport RAT."
        https://www.group-ib.com/blog/bloody-wolf/
      • Dissecting a New Malspam Chain Delivering Purelogs Infostealer
        "The AISI Research Center’s Cybersecurity Observatory publishes the report “Dissecting a new malspam chain delivering Purelogs infostealer” – November 25, 2025. Organizational and personal security remains under constant threat from increasingly sophisticated attack vectors, with malspam continuing to represent one of the most widespread and effective initial infection vectors for distributing malware on a large scale. Despite advances in endpoint protection technologies, malicious campaigns effectively exploit human urgency, curiosity, and trust, often masquerading as legitimate communications, security alerts, or financial documents."
        https://securityaffairs.com/185066/cyber-crime/dissecting-a-new-malspam-chain-delivering-purelogs-infostealer.html
        https://dimanec.unipegaso.it/wp-content/uploads/sites/5/2025/11/Dissecting-a-new-malspam-chain-delivering-Purelogs-infostealer.pdf
      • Russian RomCom Utilizing SocGholish To Deliver Mythic Agent To U.S. Companies Supporting Ukraine
        "In September 2025, Arctic Wolf® Labs identified a U.S.-based company that was targeted by RomCom threat actors via SocGholish, operated by TA569. While the typical initial SocGholish infection chain was followed, roughly 10 minutes post-exploitation, RomCom’s targeted Mythic Agent loader was delivered to the system. This is the first time that a RomCom payload has been observed being distributed by SocGholish."
        https://arcticwolf.com/resources/blog/romcom-utilizing-socgholish-to-deliver-mythic-agent-to-usa-companies-supporting-ukraine/
        https://thehackernews.com/2025/11/romcom-uses-socgholish-fake-update.html
        https://securityaffairs.com/185084/security/for-the-first-time-a-romcom-payload-has-been-observed-being-distributed-via-socgholish.html
      • Fake Battlefield 6 Pirated Versions And Game Trainers Used To Deploy Stealers And C2 Agents
        "Bitdefender Labs has identified malware campaigns exploiting the popularity of EA's Battlefield 6 first-person shooter, distributed via supposedly pirated versions, game installers, and fake game trainers across torrent websites and other easily found domains. Electronic Arts' Battlefield 6, developed by DICE and published by Electronic Arts (EA), was released in October, and it's likely one of the most significant game launches of the year."
        https://www.bitdefender.com/en-us/blog/labs/fake-battlefield-6-pirated-games-trainers
        https://hackread.com/fake-battlefield-6-downloads-malware-data/
      • Malicious Chrome Extension Injects Hidden SOL Fees Into Solana Swaps
        "Socket’s Threat Research Team discovered a malicious Chrome extension Crypto Copilot, published on June 18, 2024, which markets itself as a tool to “execute trades instantly from your X feed.” Behind the interface, the extension injects an extra transfer into every Solana swap, siphoning a minimum of 0.0013 SOL or 0.05% of the trade amount to a hardcoded attacker-controlled wallet. The fee behavior is never disclosed on the Chrome Web Store listing, and the logic implementing it is buried inside heavily obfuscated code."
        https://socket.dev/blog/malicious-chrome-extension-injects-hidden-sol-fees-into-solana-swaps
        https://thehackernews.com/2025/11/chrome-extension-caught-injecting.html
      • ShadowV2 Casts a Shadow Over IoT Devices
        "At the end of October, during a global disruption of AWS connections, FortiGuard Labs observed malware named “ShadowV2” spreading via IoT vulnerabilities. These incidents affected multiple countries worldwide and spanned seven different industries. So far, the malware appears to have only been active during the time of the large-scale AWS outage. We believe this activity was likely a test run conducted in preparation for future attacks. The following sections provide a detailed analysis of these incidents and the ShadowV2 malware."
        https://www.fortinet.com/blog/threat-research/shadowv2-casts-a-shadow-over-iot-devices
        https://www.bleepingcomputer.com/news/security/new-shadowv2-botnet-malware-used-aws-outage-as-a-test-opportunity/
        https://www.theregister.com/2025/11/26/miraibased_botnet_shadowv2/
      • Shai Hulud Strikes Again (v2)
        "PostHog has published a detailed post mortem describing how one of its GitHub Actions workflows was abused as an initial access vector for Shai Hulud v2. An attacker briefly opened a pull request that modified a script executed via pull_request_target, exfiltrated a bot personal access token from CI, then used that access to steal additional GitHub secrets including an npm publish token and ship malicious versions of several PostHog SDKs. PostHog has since revoked credentials, tightened workflow reviews, moved to trusted publishing, and reworked its secrets management. Their write up highlights how subtle CI workflow choices can create a path from untrusted contributions to package release credentials."
        https://socket.dev/blog/shai-hulud-strikes-again-v2
        https://thehackernews.com/2025/11/shai-hulud-v2-campaign-spreads-from-npm.html
      • The Korean Leaks – Analyzing The Hybrid Geopolitical Campaign Targeting South Korean Financial Services With Qilin RaaS
        "The "Korean Leaks" campaign showcases a sophisticated supply chain attack against South Korea's financial sector. This operation combined the capabilities of a major Ransomware-as-a-Service (RaaS) group, Qilin, with potential involvement from North Korean state-affiliated actors (Moonstone Sleet) leveraging Managed Service Provider (MSP) compromise as the initial access vector."
        https://www.bitdefender.com/en-us/blog/businessinsights/korean-leaks-campaign-targets-south-korean-financial-services-qilin-ransomware
        https://thehackernews.com/2025/11/qilin-ransomware-turns-south-korean-msp.html

      Breaches/Hacks/Leaks

      • London Councils Hit By Serious Cyber “Incidents”
        "Multiple local authorities in London appear to be dealing with a serious cybersecurity incident, it has emerged. The Royal Borough of Kensington and Chelsea (RBKC) issued a statement on Tuesday revealing that it and Westminster City Council (WCC) were responding to an incident identified on Monday morning. The two have notified the UK Information Commissioner’s Office (ICO) and are working with the National Cyber Security Centre (NCSC) on incident response."
        https://www.infosecurity-magazine.com/news/london-councils-hit-by-serious/
        https://www.theregister.com/2025/11/26/cyberattack_london_councils/
        https://therecord.media/cyber-issue-london-councils-attack
        https://www.bleepingcomputer.com/news/security/multiple-london-councils-it-systems-disrupted-by-cyberattack/
        https://www.bankinfosecurity.com/multiple-london-councils-responding-to-cyberattack-a-30146
        https://securityaffairs.com/185086/security/multiple-london-councils-faced-a-cyberattack.html
      • Gainsight Cyber-Attack Affect More Salesforce Customers
        "The cyber-attack targeting Gainsight has affected more Salesforce customers than initially expected. In a customer FAQ, first posted on November 20 and regularly updated since, the customer support platform provider said Salesforce initially provided a list of three customers impacted by the breach. Gainsight later found that the number “has been expanded to a larger list.”"
        https://www.infosecurity-magazine.com/news/gainsight-cyberattack-more/
        https://www.theregister.com/2025/11/26/gainsight_ceos_handful_customers_data_stolen/
        https://www.helpnetsecurity.com/2025/11/26/gainsight-breach-salesforce-details-attack-window/

      General News

      • Heineken CISO Champions a New Risk Mindset To Unlock Innovation
        "In this Help Net Security interview, Marina Marceta, CISO at Heineken, discusses what it takes for CISOs to be seen as business-aligned leaders rather than technical overseers. She shares how connecting security to business impact can shift perceptions and strengthen partnerships across the company. Marceta focuses on the value of a security culture that supports innovation while keeping risk in check."
        https://www.helpnetsecurity.com/2025/11/26/marina-marceta-heineken-business-aligned-security/
      • Small Language Models Step Into The Fight Against Phishing Sites
        "Phishing sites keep rising, and security teams are searching for ways to sort suspicious pages at speed. A recent study explores whether small language models (SLMs) can scan raw HTML to catch these threats. The work reviews a range of model sizes and tests how they handle detection tasks while keeping compute demands in check."
        https://www.helpnetsecurity.com/2025/11/26/research-slms-website-phishing-detection/
        https://arxiv.org/pdf/2511.15434
      • Cybersecurity Is Now a Core Business Discipline
        "Cyber risk has become the background noise of modern business. We’re seeing nearly two thousand attacks per organization per week in the first quarter of 2025—a 47% rise year-on-year. That surge reflects two realities moving at once: attacks are genuinely increasing because it’s easier and cheaper than ever to mount them, and defenders are getting better at spotting what previously slipped under the radar. In other words, the problem is growing and we’re measuring it more honestly."
        https://www.securityweek.com/cybersecurity-is-now-a-core-business-discipline/
      • The Golden Scale: 'Tis The Season For Unwanted Gifts
        "In October 2025, we published two Insights blogs on threat activity affiliated with the cybercriminal alliance known as Scattered LAPSUS$ Hunters (SLSH). After a few weeks of apparent inactivity, the threat actors have returned with a vengeance based on open-source reporting and conversations obtained from a new Telegram channel (scattered LAPSUS$ hunters part 7). This latest Insights threat blog will detail several notable observations made by Unit 42 since mid-November, and prepares organizations as we head into the holiday season."
        https://unit42.paloaltonetworks.com/new-shinysp1d3r-ransomware/
      • Behind The Bargains: Why Phishing Peaks On Black Friday
        "Black Friday has evolved into one of the most active shopping periods of the year. No longer is it just one day of shopping after Thanksgiving; the sales have now turned into a full week of high-volume promotions, beginning before Thanksgiving and stretching through Black Friday and Cyber Monday, with many retailers extending deals even longer. Unsurprisingly, this surge in digital activity is very attractive for threat actors."
        https://cofense.com/blog/behind-the-bargains-why-phishing-peaks-on-black-friday
      • Sumsub’s Annual Report: Fraud Shifts To Complex Multi-Step Schemes In 2025, Agentic AI Scams Poised To Surge In 2026
        "Sumsub today released its Identity Fraud Report 2025–2026, analyzing millions of verification checks and 4,000,000+ fraud attempts between 2024–2025*. The study blends global and regional dynamics from internal data with findings from Sumsub’s Fraud Exposure Survey 2025, featuring responses from 300+ risk professionals and 1,200+ end users. In 2024, the rise of fraud-as-a-service platforms and ready-made toolkits “democratized” identity crime, making it widely accessible to non-tech-savvy fraudsters. In 2025, that trend matured into the Sophistication Shift: fewer but more professionalized operations designed for higher-impact damage."
        https://sumsub.com/newsroom/sumsubs-annual-report-fraud-shifts-to-complex-multi-step-schemes-in-2025-agentic-ai-scams-poised-to-surge-in-2026/
        https://sumsub.com/fraud-report-2025/
        https://www.darkreading.com/cyberattacks-data-breaches/digital-fraud-industrial-scale-2025
      • Prompt Injections Loom Large Over ChatGPT's Atlas Browser
        "As a new AI-powered Web browser brings agentics closer to the masses, questions remain regarding whether prompt injections, the signature LLM attack type, could get even worse. ChatGPT Atlas is OpenAI's large language model (LLM)-powered Web browser launched Oct. 21 and based on Chromium. Currently available for macOS (with other platforms to come), Atlas comes with native ChatGPT functionality including text generation, Web page summarization, and agent capabilities."
        https://www.darkreading.com/application-security/prompt-injections-loom-large-over-chatgpt-atlas-launch
      • Enterprises Aren't Confident They Can Secure Non-Human Identities (NHIs)
        "Non-human identities (NHIs) are poised to experience exponential growth and adoption throughout the coming year, fundamentally transforming how organizations approach cybersecurity. These digital entities, which include service accounts, system identities, machine identities, and other forms of automated identities, serve as the backbone of modern digital infrastructure by enabling communication and interaction between applications, services, and automated systems."
        https://www.darkreading.com/identity-access-management-security/enterprise-not-confident-secure-non-human-identities

      อ้างอิง
      Electronic Transactions Development Agency (ETDA) afe04ed6-fd6c-4c80-b7f6-10c3b66f2f4a-image.png

      1 การตอบกลับ คำตอบล่าสุด ตอบ คำอ้างอิง 0
      • First post
        Last post