NCSA Webboard

    Cyber Threat Intelligence 22 December 2025

    Cyber Security News
    • NCSA_THAICERT

      Healthcare Sector

      • Identity Fraud Among Home-Care Workers Puts Patients At Risk
        "Cases of healthcare fraud are rising. Some involve misusing patients' and caregivers' personally identifiable information or manipulating billing services for financial gain, but a growing concern is home-care workers sending unqualified friends or relatives to work shifts in their place under false identities. Impersonation is not a new threat, says Conor White, president of strategic initiatives at biometrics company Daon. But it is a recurring theme he has observed after talking with CISOs and healthcare leaders."
        https://www.darkreading.com/identity-access-management-security/identity-fraud-among-home-care-workers-puts-patients-at-risk

      Vulnerabilities

      • Over 25,000 FortiCloud SSO Devices Exposed To Remote Attacks
        "Internet security watchdog Shadowserver has found over 25,000 Fortinet devices exposed online with FortiCloud SSO enabled, amid ongoing attacks targeting a critical authentication bypass vulnerability. Fortinet noted on December 9th, when it patched the security flaw tracked as CVE-2025-59718 (FortiOS, FortiProxy, FortiSwitchManager) and CVE-2025-59719 (FortiWeb), that the vulnerable FortiCloud SSO login feature is not enabled until admins register the device with the company's FortiCare support service. As cybersecurity company Arctic Wolf reported on Monday, the vulnerability is now actively exploited to compromise admin accounts via malicious single sign-on (SSO) logins."
        https://www.bleepingcomputer.com/news/security/over-25-000-forticloud-sso-devices-exposed-to-remote-attacks/
      • New Critical WatchGuard Firebox Firewall Flaw Exploited In Attacks
        "WatchGuard has warned customers to patch a critical, actively exploited remote code execution (RCE) vulnerability in its Firebox firewalls. Tracked as CVE-2025-14733, this security flaw affects firewalls running Fireware OS 11.x and later (including 11.12.4_Update1), 12.x or later (including 12.11.5), and 2025.1 up to and including 2025.1.3. The vulnerability is due to an out-of-bounds write weakness that enables unauthenticated attackers to execute malicious code remotely on unpatched devices, following successful exploitation in low-complexity attacks that don't require user interaction."
        https://www.bleepingcomputer.com/news/security/watchguard-warns-of-new-rce-flaw-in-firebox-firewalls-exploited-in-attacks/
        https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2025-00027
        https://www.cisa.gov/news-events/alerts/2025/12/19/cisa-adds-one-known-exploited-vulnerability-catalog
        https://thehackernews.com/2025/12/watchguard-warns-of-active-exploitation.html
        https://www.theregister.com/2025/12/19/watchguard_firebox/
        https://securityaffairs.com/185896/hacking/u-s-cisa-adds-a-flaw-in-watchguard-fireware-os-to-its-known-exploited-vulnerabilities-catalog.html
      • “Ask Gordon, Meet The Attacker” - Prompt Injection In Docker’s Built-In AI Assistant
        "Generative AI keeps expanding into every developer tool. Docker, one of the cornerstones of modern development, is no exception — and its new built-in assistant, Ask Gordon, is a prime example of that evolution. While experimenting with Docker Desktop, we encountered this new beta feature that promised natural-language help right inside Docker Desktop and CLI. Naturally, that caught our attention. What we discovered was a prompt injection vulnerability that enables attackers to hijack the assistant and exfiltrate sensitive data by poisoning Docker Hub repository metadata with malicious instructions."
        https://www.pillar.security/blog/ask-gordon-meet-the-attacker-prompt-injection-in-dockers-built-in-ai-assistant
        https://hackread.com/docker-ask-gordon-ai-flaw-metadata-attacks/

      Malware

      • Distribution Of EtherRAT Malware Exploiting React2Shell Vulnerability (CVE-2025-55182)
        "AhnLab SEcurity intelligence Center (ASEC) recently discovered an advanced malware distribution campaign using Node.js while tracking the recently disclosed React2Shell vulnerability. This attack installs EtherRAT through multiple stages, with the ultimate goal of gaining a foothold, stealing information, and stealing cryptocurrency."
        https://asec.ahnlab.com/en/91658/
      • Stealth In Layers: Unmasking The Loader Used In Targeted Email Campaigns
        "CRIL (Cyble Research and Intelligence Labs) has been tracking a sophisticated commodity loader utilized by multiple high-capability threat actors. The campaign demonstrates a high degree of regional and sectoral specificity, primarily targeting Manufacturing and Government organizations across Italy, Finland, and Saudi Arabia. This campaign utilizes advanced tradecraft, employing a diverse array of infection vectors including weaponized Office documents (exploiting CVE-2017-11882), malicious SVG files, and ZIP archives containing LNK shortcuts. Despite the variety of delivery methods, all vectors leverage a unified commodity loader."
        https://cyble.com/blog/stealth-in-layers-unmasking-loader-in-targeted-email-campaigns/
      • Choose Your Fighter: A New Stage In The Evolution Of Android SMS Stealers In Uzbekistan
        "In October 2025, Group-IB specialists detected a new wave of malware attacks targeting users in Uzbekistan. This research provides an in-depth overview of the findings: how the malware is evolving, which distribution schemes are being used by threat actors, and how they are adapting to modern Android protection mechanisms."
        https://www.group-ib.com/blog/mobile-malware-uzbekistan/
      • Tracing a Paper Werewolf Campaign Through AI-Generated Decoys And Excel XLLs
        "An XLL is a native Windows DLL that Excel loads as an add-in, allowing it to execute arbitrary code through exported functions like xlAutoOpen. Since at least mid-2017, threat actors began abusing Microsoft Excel add-ins via the .XLL format; the earliest documented misuse is by the threat group APT10 (aka Stone Panda / Potassium) injecting backdoor payloads via XLLs. Since 2021, a growing number of commodity malware families and cyber-crime actors have added XLL-based delivery to their arsenals. Notable examples include Agent Tesla and Dridex; researchers observed an increase of these malware being dropped via malicious XLL add-ins."
        https://intezer.com/blog/tracing-a-paper-werewolf-campaign-through-ai-generated-decoys-and-excel-xlls/
      • Cloud Atlas Activity In The First Half Of 2025: What Changed
        "Known since 2014, the Cloud Atlas group targets countries in Eastern Europe and Central Asia. Infections occur via phishing emails containing a malicious document that exploits an old vulnerability in the Microsoft Office Equation Editor process (CVE-2018-0802) to download and execute malicious code. In this report, we describe the infection chain and tools that the group used in the first half of 2025, with particular focus on previously undescribed implants."
        https://securelist.com/cloud-atlas-h1-2025-campaign/118517/
      • Yet Another DCOM Object For Lateral Movement
        "If you’re a penetration tester, you know that lateral movement is becoming increasingly difficult, especially in well-defended environments. One common technique for remote command execution has been the use of DCOM objects. Over the years, many different DCOM objects have been discovered. Some rely on native Windows components, others depend on third-party software such as Microsoft Office, and some are undocumented objects found through reverse engineering. While certain objects still work, others no longer function in newer versions of Windows."
        https://securelist.com/lateral-movement-via-dcom-abusing-control-panel/118232/
      • From Loader To Looter: ACR Stealer Rides On Upgraded CountLoader
        "The Howler Cell Threat Intelligence team has uncovered a new malware campaign leveraging cracked software distribution sites to deploy an upgraded variant of CountLoader. Below are the key findings:"
        https://www.cyderes.com/howler-cell/acr-stealer-rides-on-upgraded-countloader
        https://thehackernews.com/2025/12/cracked-software-and-youtube-videos.html
      • Phantom 3.5: Initial Vector Analysis & Forensics
        "Phantom, a stealer malware, sends back sensitive data like passwords, browser cookies, credit card information, crypto wallet credentials, victim’s IP addresses, etc to the attacker. This can be used in identity theft, account takeovers or even worse the infected machine can be used as a tool to orchestrate bigger malware attacks. With the increased use and vast amount of files that are available on the internet, most oblivious users fail to differentiate between safe and malicious content they are downloading. In this blog, we will delve into a stealer named Phantom version 3.5 and its initial vector."
        https://labs.k7computing.com/index.php/phantom-3-5-initial-vector-analysis-forensics/
      • Zscaler Threat Hunting Catches Evasive SideWinder APT Campaign
        "Zscaler Threat Hunting has identified a sophisticated espionage campaign targeting Indian entities by masquerading as the Income Tax Department of India. By reconstructing the complete attack lifecycle from a deceptive “Inspection” lure to a reflectively loaded resident implant, Zscaler Threat Hunting has observed activity which is typically associated with SideWinder APT (also known as Rattlesnake or APT-C-17). Recently, Zscaler Threat Hunting has observed an evolution in the threat actor’s toolkit in an attempt to evade detection by mimicking Chinese enterprise software. This discovery underscores Zscaler’s ability to detect subtle, state-sponsored tradecraft within cloud-scale telemetry before it causes critical damage."
        https://www.zscaler.com/blogs/security-research/zscaler-threat-hunting-catches-evasive-sidewinder-apt-campaign

      Breaches/Hacks/Leaks

      • UK Confirms Foreign Office Hacked, Says ‘Low Risk’ Of Impact To Individuals
        "The British government confirmed on Friday morning that data held on a Foreign Office system was compromised in a cyber incident earlier this year, although it said the incident was only considered to pose a “low risk” to individuals. The incident was first reported by The Sun newspaper, which attributed the attack to the China-based group Storm-1849. It said the hackers “accessed personal information, understood to possibly include tens of thousands of visa details.” The month the government spotted the incident, the group had been said to be exploiting vulnerabilities in a popular line of Cisco firewalls used by governments in Asia, Europe and the United States. The British government did not say which threat actor was involved in the Foreign Office incident or the method of access."
        https://therecord.media/uk-foreign-office-hacked-china
        https://www.theregister.com/2025/12/19/uk_foreign_office_hack/
        https://www.bankinfosecurity.com/uk-foreign-office-targeted-by-hackers-a-30354

      General News

      • Nigeria Arrests Dev Of Microsoft 365 'Raccoon0365' Phishing Platform
        "The Nigerian police arrested three individuals linked to targeted Microsoft 365 cyberattacks via Raccoon0365 phishing platform. The attacks led to business email compromise, data breaches, and financial losses affecting organizations worldwide. The law enforcement operation was possible thanks to intelligence from Microsoft, shared with the Nigeria Police Force National Cybercrime Centre (NPF–NCCC) via the FBI."
        https://www.bleepingcomputer.com/news/security/nigeria-arrests-dev-of-microsoft-365-raccoon0365-phishing-platform/
        https://thehackernews.com/2025/12/nigeria-arrests-raccoono365-phishing.html
        https://therecord.media/nigeria-raccoon-developer-tip
      • Denmark Blames Russia For Destructive Cyberattack On Water Utility
        "Danish intelligence officials blamed Russia for orchestrating cyberattacks against Denmark's critical infrastructure, as part of Moscow's hybrid attacks against Western nations. In a Thursday statement, the Danish Defence Intelligence Service (DDIS) identified two groups operating on behalf of the Russian state: Z-Pentest, linked to the destructive water-utility attack, and NoName057(16), flagged as responsible for the DDoS assaults ahead of November's local elections in Denmark before the 2025 elections."
        https://www.bleepingcomputer.com/news/security/denmark-blames-russia-for-destructive-cyberattack-on-water-utility/
        https://therecord.media/denmark-summons-russian-ambassador-cyberattack-elections
        https://www.infosecurity-magazine.com/news/denmark-blames-russia-for/
        https://www.securityweek.com/denmark-blames-russia-for-cyberattacks-ahead-of-elections-and-on-water-utility/
        https://securityaffairs.com/185885/hacking/russia-was-behind-a-destructive-cyber-attack-on-a-water-utility-in-2024-denmark-says.html
      • AI-Generated Code Ships Faster, But Crashes Harder
        "Artificial intelligence coding assistants write code faster than humans. They also write buggier code, though nobody puts that in the marketing materials. Researchers at code review tool CodeRabbit analyzed 470 open-source pull requests on GitHub, analyzing AI-coauthored submissions against human-only contributions for their logic, maintainability, security and performance."
        https://www.bankinfosecurity.com/ai-generated-code-ships-faster-but-crashes-harder-a-30352
        https://www.coderabbit.ai/whitepapers/state-of-AI-vs-human-code-generation-report
      • Scam Centers Fueling Thailand's Border War With Cambodia
        "Thailand is recasting a flaring conflict with neighboring Cambodia as a fight over cybercriminal compounds spread alongside the two Southeast Asian nations' contested border. Fighting including artillery and air strikes resumed earlier this month after a lull in fighting that broke out in July, sparked by long-standing territorial disputes. Thailand now says air strikes this month against Cambodian casino and hotel complexes are part of a “war against the scam army.”"
        https://www.bankinfosecurity.com/scam-centers-fueling-thailands-border-war-cambodia-a-30347
      • Cyber Criminals Are Recruiting Insiders In Banks, Telecoms, And Tech
        "Cyber criminals are no longer relying solely on brute force, social engineering, or exploiting vulnerabilities. Increasingly, they are recruiting insiders within organizations to gain access to corporate networks, user devices, and cloud environments. Across darknet forums, employees are being approached, or even volunteering, to sell access or sensitive information for lucrative rewards. This trend poses a major blind spot for security teams."
        https://blog.checkpoint.com/research/cyber-criminals-are-recruiting-insiders-in-banks-telecoms-and-tech/
      • Ukrainian National Pleads Guilty To Conspiracy To Use Ransomware
        "Earlier today, in federal court in Brooklyn, Artem Stryzhak pleaded guilty to conspiracy to commit fraud and related activity, including extortion, in connection with computers, for his role in a series of international ransomware attacks. Stryzhak, a Ukrainian citizen, was arrested in Spain in June 2024 and extradited to the United States on April 30, 2025. When sentenced, Stryzhak faces up to 10 years’ imprisonment. His co-conspirator, Volodymyr Tymoshchuk, remains at large and is the subject of a $11 million reward offered by the United States Department of State."
        https://www.justice.gov/usao-edny/pr/ukrainian-national-pleads-guilty-conspiracy-use-ransomware-0
        https://cyberscoop.com/nefilim-ransomware-artem-stryzhak-guilty-plea/
      • A Cybersecurity Playbook For AI Adoption
        "Artificial intelligence has become an ally in cybersecurity by 2025, with 60% of organizations reporting using it in their IT infrastructures. AI can process massive volumes of data, correlate signals in seconds, and surface hidden patterns no human could detect manually. This analytical speed makes it a powerful tool for defense teams. Yet, speed does not equal certainty, which is crucial for a reliable security architecture. Decisions that determine access, privileges, or evidence must still follow predictable, auditable logic."
        https://www.darkreading.com/cyber-risk/cybersecurity-playbook-ai-adoption
      • AI Isn’t One System, And Your Threat Model Shouldn’t Be Either
        "In this Help Net Security interview, Naor Penso, CISO at Cerebras Systems, explains how to threat model modern AI stacks without treating them as a single risk. He discusses why partitioning AI systems by function and impact matters, how to frame threat modeling for business leaders, and which assumptions break down as AI becomes core infrastructure."
        https://www.helpnetsecurity.com/2025/12/19/naor-penso-cerebras-systems-threat-modeling-al-optimized-infrastructure/
      • Identity Risk Is Changing Faster Than Most Security Teams Expect
        "Security leaders are starting to see a shift in digital identity risk. Fraud activity is becoming coordinated, automated, and self-improving. Synthetic personas, credential replay, and high speed onboarding attempts now operate through shared infrastructures that behave less like scattered threats and more like systems that learn as they run, according to a report by AU10TIX. This trend is shaping how fraud teams, risk executives, and identity product owners will need to prepare for 2026."
        https://www.helpnetsecurity.com/2025/12/19/au10tix-automated-fraud-detection-report/
      • Tren De Aragua Members And Leaders Indicted In Multi-Million Dollar ATM Jackpotting Scheme
        "United States Attorney Lesley A. Woods announced that a federal grand jury in the District of Nebraska has returned two indictments charging 54 individuals for their roles in a large conspiracy to deploy malware and steal millions of dollars from ATMs in the United States, a crime commonly referred to as “ATM jackpotting.” An indictment returned on December 9, 2025, charges 22 defendants with offenses corresponding to their role in the conspiracy, including conspiracy to provide material support to terrorists, conspiracy to commit bank fraud, conspiracy to commit bank burglary and fraud and related activity in connection with computers, and conspiracy to commit money laundering. The indictment also alleges that Tren de Aragua (“TdA”) has used jackpotting to steal millions of dollars in the United States and then transferred the proceeds among its members and associates to conceal the illegally obtained cash."
        https://www.justice.gov/usao-ne/pr/tren-de-aragua-members-and-leaders-indicted-multi-million-dollar-atm-jackpotting-scheme
        https://therecord.media/doj-charges-gang-malware-ploutus
        https://thehackernews.com/2025/12/us-doj-charges-54-in-atm-jackpotting.html
        https://www.infosecurity-magazine.com/news/us-charges-54-atm-jackpotting/
        https://www.theregister.com/2025/12/19/tren_de_aragua_atm/
        https://securityaffairs.com/185908/cyber-crime/atm-jackpotting-ring-busted-54-indicted-by-doj.html
      • Thailand Conference Launches International Initiative To Fight Online Scams
        "Thailand on Thursday helped launch a global effort to fight the spread of online scams that include criminal enterprises based largely in Southeast Asia estimated to bilk billions of dollars annually from victims around the world. Thailand’s Ministry of Foreign Affairs and the United Nations Office on Drugs and Crime hosted a conference in Bangkok on Wednesday and Thursday culminating in the announcement of the new initiative called the Global Partnership Against Online Scams."
        https://www.securityweek.com/thailand-conference-launches-international-initiative-to-fight-online-scams/
      • Former Incident Responders Plead Guilty To Ransomware Attack Spree
        "Former cybersecurity professionals Ryan Clifford Goldberg and Kevin Tyler Martin pleaded guilty Thursday to participating in a series of ransomware attacks in 2023 while they were employed at cybersecurity companies tasked with helping organizations respond to ransomware attacks. Goldberg, who was a manager of incident response at Sygnia, and Martin, a ransomware negotiator at DigitalMint at the time, collaborated with an unnamed co-conspirator to attack victim computers and networks and use ALPHV, also known as BlackCat, ransomware to extort payments."
        https://cyberscoop.com/incident-responders-plead-guilty-ransomware-digitalmint/

      Reference
      Electronic Transactions Development Agency (ETDA)
