Cyber Threat Intelligence 23 December 2025
Industrial Sector
- Threat Landscape For Industrial Automation Systems. Europe, Q3 2025
"High levels of email threats (phishing) and spyware clearly indicate that industrial systems in the region are highly exposed to advanced attackers. In Eastern Europe, the percentage of ICS computers on which threats from email clients were blocked is 1.3 times higher than the global average. The percentage of ICS computers on which malicious documents are blocked also exceeds the global average by a factor of 1.3."
https://ics-cert.kaspersky.com/publications/reports/2025/12/22/threat-landscape-for-industrial-automation-systems-europe-q3-2025/
- Threat Landscape For Industrial Automation Systems. Russia, Q3 2025
"The main categories of internet threats blocked on ICS computers include denylisted internet resources, malicious scripts and phishing pages, and miners. The list of denylisted internet resources is used to prevent initial infection attempts. In particular, the following threats on ICS computers are blocked with the aid of this list:"
https://ics-cert.kaspersky.com/publications/reports/2025/12/22/threat-landscape-for-industrial-automation-systems-russia-q3-2025/
New Tooling
- Anubis: Open-Source Web AI Firewall To Protect From Scraper Bots
"Anubis is an open-source tool designed to protect websites from automated scraping and abusive traffic by adding computational friction before a request is served. Maintained by TecharoHQ, the project targets a growing problem for site operators who want to keep content accessible to humans while limiting large scale automated collection."
https://www.helpnetsecurity.com/2025/12/22/anubis-open-source-web-ai-firewall-protect-from-bots/
https://github.com/TecharoHQ/anubis
Vulnerabilities
- Critical RCE Flaw Impacts Over 115,000 WatchGuard Firewalls
"Over 115,000 WatchGuard Firebox devices exposed online remain unpatched against a critical remote code execution (RCE) vulnerability actively exploited in attacks. The security flaw, tracked as CVE-2025-14733, affects Firebox firewalls running Fireware OS 11.x and later (including 11.12.4_Update1), 12.x or later (including 12.11.5), and 2025.1 up to and including 2025.1.3. Successful exploitation enables unauthenticated attackers to execute arbitrary code remotely on vulnerable devices, following low-complexity attacks that don't require user interaction."
https://www.bleepingcomputer.com/news/security/over-115-000-watchguard-firewalls-vulnerable-to-ongoing-rce-attacks/
Malware
- The Shadow Of JWT-Based Authentication: A Fatal Threat Behind The Convenience
"JWT, which has become the standard for modern web applications and mobile apps, provides the convenience of stateless authentication. However, when operated and managed unsafely, it can become a single point of failure that collapses the entire authentication system. This post introduces the concept and authentication methods of JWT, analyzes its key vulnerabilities based on CVE cases, and suggests practical defense strategies for prevention and mitigation."
https://asec.ahnlab.com/en/91676/
- From ClickFix To Code Signed: The Quiet Shift Of MacSync Stealer Malware
"While reviewing the detections of our in-house YARA rules, Jamf Threat Labs observed a signed and notarized stealer that did not follow the typical execution chains we have seen in the past. The sample in question looked highly similar to past variants of the increasingly active MacSync Stealer malware but was revamped in its design. Unlike earlier MacSync Stealer variants that primarily rely on drag-to-terminal or ClickFix-style techniques, this sample adopts a more deceptive, hands-off approach."
https://www.jamf.com/blog/macsync-stealer-evolution-code-signed-swift-malware-analysis/
https://www.bleepingcomputer.com/news/security/new-macsync-malware-dropper-evades-macos-gatekeeper-checks/
https://www.securityweek.com/macsync-macos-malware-distributed-via-signed-swift-application/
- NPM Package With 56K Downloads Caught Stealing WhatsApp Messages
"The lotusbail npm package presents itself as a WhatsApp Web API library - a fork of the legitimate @whiskeysockets/baileys package. With over 56,000 downloads and functional code that actually works as advertised, it's the kind of dependency developers install without a second thought. The package has been available on npm for 6 months and is still live at the time of writing. Behind that working functionality: sophisticated malware that steals your WhatsApp credentials, intercepts every message, harvests your contacts, installs a persistent backdoor, and encrypts everything before sending it to the threat actor's server."
https://www.koi.ai/blog/npm-package-with-56k-downloads-malware-stealing-whatsapp-messages
https://thehackernews.com/2025/12/fake-whatsapp-api-package-on-npm-steals.html
https://www.bleepingcomputer.com/news/security/malicious-npm-package-steals-whatsapp-accounts-and-messages/
https://www.theregister.com/2025/12/22/whatsapp_npm_package_message_steal/
- Phishing Campaign Leverages Trusted Google Cloud Automation Capabilities To Evade Detection
"This report describes a phishing campaign in which attackers impersonate legitimate Google generated messages by abusing Google Cloud Application Integration to distribute malicious emails that appear to originate from trusted Google infrastructure. The emails mimic routine enterprise notifications such as voicemail alerts and file access or permission requests, making them appear normal and trustworthy to recipients."
https://blog.checkpoint.com/research/phishing-campaign-leverages-trusted-google-cloud-automation-capabilities-to-evade-detection/
- Nezha: The Monitoring Tool That’s Also a Perfect RAT
"Ontinue’s Cyber Defense Center discovered attackers using Nezha, a legitimate open-source monitoring tool, as a post-exploitation RAT. The agent provides SYSTEM/root level access, file management, and an interactive web terminal. VirusTotal shows 0/72 detections because it isn’t malware, it’s legitimate software pointed at attacker infrastructure. Installation is silent. Detection only occurs when attackers execute commands through the agent. Organisations should hunt for Nezha presence proactively and ensure behavioural monitoring is in place to catch post-exploitation activity."
https://www.ontinue.com/resource/nezha-the-monitoring-tool-thats-also-a-perfect-rat/
https://hackread.com/hackers-abuse-monitoring-tool-nezha-trojan/
https://www.infosecurity-magazine.com/news/nezha-abused-post-exploitation/
- DDoS Incident Disrupts France’s Postal And Banking Services Ahead Of Christmas
"France’s national postal service, La Poste, confirmed that a suspected cyberattack disrupted its websites and mobile applications days before Christmas, slowing deliveries and knocking some online services offline. In a statement on Monday, La Poste said that a distributed denial-of-service (DDoS) incident knocked key digital systems offline. The company said there was no evidence that customer data had been compromised, but acknowledged that postal operations, including parcel distribution, had been affected."
https://therecord.media/la-poste-france-ddos-disruption-days-before-christmas
- I Am Not a Robot: ClickFix Used To Deploy StealC And Qilin
"ClickFix is an increasingly common tactic used by threat actors to install malicious software on victims’ devices. It has gone through a number of evolutions but essentially relies on a victim following a series of instructions that masquerade as a human verification request. The actions result in the download of malware, typically an infostealer or remote access trojan (RAT)."
https://www.sophos.com/en-us/blog/i-am-not-a-robot-clickfix-used-to-deploy-stealc-and-qilin
- Inside DPRK Operations: New Lazarus And Kimsuky Infrastructure Uncovered Across Global Campaigns
"Throughout the analysis, we surfaced clusters of operational assets that had not been connected publicly before, revealing active tool-staging servers, credential theft environments, FRP tunneling nodes, and certificate-linked infrastructure fabric controlled by DPRK operators. These findings help outline how different parts of the DPRK operational infrastructure continue to intersect across campaigns and provide defenders with clearer visibility into the infrastructure habits these actors rely on."
https://hunt.io/blog/dprk-lazarus-kimsuky-infrastructure-uncovered
Breaches/Hacks/Leaks
- Nissan Says Thousands Of Customers Exposed In Red Hat Breach
"Nissan Motor Co. Ltd. (Nissan) has confirmed that information of thousands of its customers has been compromised after the data breach at Red Hat in September. The Japanese multinational automobile manufacturer headquartered in Yokohama, Japan, produces more than 3.2 million cars a year. The company employs 120,000 people and has a strong presence in Japan, North America, Europe, and Asia. In an announcement yesterday, Nissan informed that it was indirectly impacted by a security breach incident at the U.S.-based enterprise software company Red Hat."
https://www.bleepingcomputer.com/news/security/nissan-says-thousands-of-customers-exposed-in-red-hat-breach/
- Romanian Water Authority Hit By Ransomware Attack Over Weekend
"Romanian Waters (Administrația Națională Apele Române), the country's water management authority, was hit by a ransomware attack over the weekend. Officials with the National Cyber Security Directorate (DNSC) said Sunday that the incident impacted approximately 1,000 computer systems at the national water authority and 10 of its 11 regional offices. While the breach affected servers running geographic information systems, databases, email, and web services, as well as Windows workstations and domain name servers, operations and operational technology (OT) systems controlling water infrastructure are unaffected."
https://www.bleepingcomputer.com/news/security/romanian-water-authority-hit-by-ransomware-attack-over-weekend/
https://therecord.media/romania-national-water-agency-ransomware-attack
https://securityaffairs.com/186010/cyber-crime/romanian-waters-confirms-cyberattack-critical-water-operations-unaffected.html
https://www.theregister.com/2025/12/22/around_1000_systems_compromised_in/
- University Of Phoenix Data Breach Impacts Nearly 3.5 Million Individuals
"The Clop ransomware gang has stolen the data of nearly 3.5 million University of Phoenix (UoPX) students, staff, and suppliers after breaching the university's network in August. Headquartered in Phoenix, Arizona, UoPX is a private for-profit university founded in 1976 with 82,700 enrolled students and 3,400 employees (nearly 2,300 academic staff). In early December, the university disclosed the incident on its official website, and Phoenix Education Partners, its parent company, filed an 8-K with the U.S. Securities and Exchange Commission (SEC)."
https://www.bleepingcomputer.com/news/security/university-of-phoenix-data-breach-impacts-nearly-35-million-individuals/
- Coupang Breach Affecting 33.7 Million Users Raises Data Protection Questions
"Coupang, South Korea's leading e-commerce platform, recently disclosed a data breach affecting 33.7 million customer accounts, which is equivalent to nearly two-thirds of the Korean population. This represents the largest e-commerce security incident in South Korea's history and could result in fines of up to $900 million (approximately 1.2 trillion KRW). This breach exposed vulnerabilities in data protection systems, particularly for e-commerce platforms that handle sensitive data including transaction histories, delivery addresses, and payment methods."
https://www.bleepingcomputer.com/news/security/coupang-breach-affecting-337-million-users-raises-data-protection-questions/
General News
- Browser Agents Don’t Always Respect Your Privacy Choices
"Browser agents promise to handle online tasks without constant user input. They can shop, book reservations, and manage accounts by driving a web browser through an AI model. A new academic study warns that this convenience comes with privacy risks that security teams should not ignore."
https://www.helpnetsecurity.com/2025/12/22/browser-agents-privacy-risks-study/
https://arxiv.org/pdf/2512.07725
- 574 Arrests And USD 3 Million Recovered In Coordinated Cybercrime Operation Across Africa
"Law enforcement in 19 countries have arrested 574 suspects and recovered approximately USD 3 million in a significant cybercrime operation across Africa. Operation Sentinel (27 October – 27 November) focused on three prevalent crime types: business email compromise (BEC), digital extortion and ransomware, all identified as growing threats in INTERPOL’s 2025 Africa Cyber Threat Assessment Report. During the INTERPOL-coordinated initiative, over 6,000 malicious links were taken down and six distinct ransomware variants were decrypted. The cases investigated during the month-long operation were linked to estimated financial losses exceeding USD 21 million."
https://www.interpol.int/News-and-Events/News/2025/574-arrests-and-USD-3-million-recovered-in-coordinated-cybercrime-operation-across-Africa
https://www.bleepingcomputer.com/news/security/interpol-led-action-decrypts-6-ransomware-strains-arrests-hundreds/
https://www.helpnetsecurity.com/2025/12/22/europol-africa-cybercrime-arrests-2025/
- Building Cyber Talent Through Competition, Residency, And Real-World Immersion
"In this Help Net Security interview, Chrisma Jackson, Director of Cybersecurity & Mission Computing Center and CISO at Sandia National Laboratories, reflects on where the cyber talent pipeline breaks down and what it takes to fix it. She discusses skill gaps, hiring and retention realities, and how cybersecurity careers are evolving beyond traditional paths."
https://www.helpnetsecurity.com/2025/12/22/chrisma-jackson-sandia-national-laboratories-recruiting-cybersecurity-professionals/
- 86% Surge In Fake Delivery Websites Hits Shoppers During Holiday Rush
"An 86% increase in malicious postal service websites over the past month has heightened the risk for consumers tracking holiday deliveries. Cybercriminals are reportedly capitalizing on the seasonal spike in online shopping by sending convincing messages that appear to come from legitimate delivery companies, often warning of delayed or suspended packages. The fake alerts typically arrive via text message or email and include links designed to steal personal or financial information. With shoppers expecting frequent updates, these scams are more likely to succeed during peak shipping periods."
https://www.infosecurity-magazine.com/news/surge-fake-delivery-holidays/
- Rising Tides: When Cybersecurity Becomes Personal – Inside The Work Of An OSINT Investigator
"“All of us matter, or none of us do,” a strong statement from Shannon Miller, OSINT Investigator and Privacy Consultant. For those of us who know Miller, it’s not the first time we’ve heard that plea and it won’t be the last. Through her significant career and non-profit work to help victims of domestic danger and other similar malice find safety, she’s seen first-hand how the dangers are amplified for marginalized and vulnerable groups who do not have as much access to tools, education, and other critical resources to protect themselves and their families."
https://www.securityweek.com/rising-tides-when-cybersecurity-becomes-personal-inside-the-work-of-an-osint-investigator/
- Spy Turned Startup CEO: 'The WannaCry Of AI Will Happen'
"In my past life, it would take us 360 days to develop an amazing zero day," Zafran Security CEO Sanaz Yashar said. She's talking about the 15 years she spent working as a spy - she prefers "hacking architect" - inside the Israel Defense Forces' elite cyber group, Unit 8200. "Now, the volume and speed is changing so much that for the first time ever, we have a negative time-to-exploit, meaning it takes less than a day to see vulnerabilities being exploited, being weaponized before they were patched," Yashar told The Register. "That is not something you used to see."
https://www.theregister.com/2025/12/22/zafran_security_ceo/
References
Electronic Transactions Development Agency (ETDA) - Threat Landscape For Industrial Automation Systems. Europe, Q3 2025