Cyber Threat Intelligence 16 January 2025
Industrial Sector
- ICS Patch Tuesday: Security Advisories Published By Schneider, Siemens, Phoenix Contact, CISA
"Schneider Electric, Siemens, Phoenix Contact and CISA have released ICS product security advisories on the January 2025 Patch Tuesday. Schneider Electric published nine new advisories this month. Six of them describe high-severity vulnerabilities affecting PowerLogic HDPM6000 High-Density Metering System (privilege escalation), RemoteConnect and SCADAPackTM x70 utilities (potential remote code execution), Modicon M340 and BMXNO communication modules (information disclosure and DoS), Web Designer for Modicon communication modules (information disclosure and remote code execution), and Pro-face GP-Pro EX and Remote HMI (information exposure and operational failures)."
https://www.securityweek.com/ics-patch-tuesday-security-advisories-published-by-schneider-siemens-phoenix-contact-cisa/
New Tooling
- Contextal Platform: Open-Source Threat Detection And Intelligence
"Contextal Platform is an open-source cybersecurity solution for contextual threat detection and intelligence. Developed by the original authors of ClamAV, it offers advanced features such as contextual threat analysis, custom detection scenarios through the ContexQL language, and AI-powered data processing—all operating locally to ensure data privacy."
https://www.helpnetsecurity.com/2025/01/15/contextal-platform-open-source-threat-detection/
https://github.com/contextal/platform
Vulnerabilities
- Ivanti Releases Security Updates For Multiple Products
"Ivanti released security updates to address vulnerabilities in Ivanti Avalanche, Ivanti Application Control Engine, and Ivanti EPM."
https://www.cisa.gov/news-events/alerts/2025/01/14/ivanti-releases-security-updates-multiple-products
https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Avalanche-6-4-7-Multiple-CVEs
https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Application-Control-Engine-CVE-2024-10630
https://forums.ivanti.com/s/article/Security-Advisory-EPM-January-2025-for-EPM-2024-and-EPM-2022-SU6
https://www.securityweek.com/ivanti-patches-critical-vulnerabilities-in-endpoint-manager-2/
- Critical Vulnerabilities In SimpleHelp Remote Support Software
"2024 was bookended by notable zero-day vulnerabilities affecting popular remote support/access software: CVE-2024-1708 and CVE-2024-1709 affecting ConnectWise ScreenConnect and CVE-2024-12356 and CVE-2024-12686 affecting BeyondTrust products. These vulnerabilities were exploited in the wild and are on CISA’s list of Known Exploited Vulnerabilities. We were curious to see what other remote support software was out there and came across a tool called SimpleHelp. While we hadn’t heard of it before, we found it being used by a number of our users, and it has a decent presence on the Internet."
https://www.horizon3.ai/attack-research/disclosures/critical-vulnerabilities-in-simplehelp-remote-support-software/
https://thehackernews.com/2025/01/critical-simplehelp-flaws-allow-file.html
- Chrome 132 Patches 16 Vulnerabilities
"Google on Tuesday announced the release of Chrome 132 to the stable channel with 16 security fixes, including 13 that resolve vulnerabilities reported by external researchers. Of the externally reported flaws, five are high-severity bugs affecting browser components such as the V8 JavaScript engine, Navigation, the open source 2D graphics library Skia, Metrics, and Tracing."
https://www.securityweek.com/chrome-132-patches-16-vulnerabilities/
- Nvidia, Zoom, Zyxel Patch High-Severity Vulnerabilities
"Nvidia, Zoom, and Zyxel this week announced fixes for multiple high-severity vulnerabilities in their products, urging users to update devices as soon as possible. Nvidia released patches for three security defects in Container Toolkit and GPU Operator for Linux, including two high-severity improper isolation bugs that could be exploited using crafted container images. The first issue, tracked as CVE-2024-0135, could lead to the modification of a host binary, while the second, tracked as CVE-2024-0136, could lead to untrusted code gaining read and write access to host devices."
https://www.securityweek.com/nvidia-zoom-zyxel-patch-high-severity-vulnerabilities/
- Over 660,000 Rsync Servers Exposed To Code Execution Attacks
"Over 660,000 exposed Rsync servers are potentially vulnerable to six new vulnerabilities, including a critical-severity heap-buffer overflow flaw that allows remote code execution on servers. Rsync is an open-source file synchronization and data transferring tool valued for its ability to perform incremental transfers, reducing data transfer times and bandwidth usage. It supports local file systems transfers, remote transfers over secure protocols like SSH, and direct file syncing via its own daemon."
https://www.bleepingcomputer.com/news/security/over-660-000-rsync-servers-exposed-to-code-execution-attacks/
https://kb.cert.org/vuls/id/952657
https://www.openwall.com/lists/oss-security/2025/01/14/3
https://thehackernews.com/2025/01/google-cloud-researchers-uncover-flaws.html
https://www.helpnetsecurity.com/2025/01/15/rsync-vulnerabilities-allow-remote-code-execution-on-servers-patch-quickly/
- Slew Of WavLink Vulnerabilities
"Forty-four vulnerabilities and sixty-three CVEs were discovered across ten .cgi and three .sh files, as well as the static login page, of the Wavlink AC3000 wireless router web application. The Wavlink AC3000 wireless router is one of the most popular gigabit routers in the US, in part due to both its potential speed capabilities and low price point. Talos is releasing these advisories in accordance with Cisco’s third-party vulnerability disclosure policy. Wavlink has declined to release a patch for these vulnerabilities."
https://blog.talosintelligence.com/slew-of-wavlink-vulnerabilities/
- New Tunneling Protocol Vulnerabilities
"New vulnerabilities in multiple tunneling protocols allow attackers to hijack affected internet hosts to perform anonymous attacks and gain unauthorized network access. A large-scale internet scan has identified 4.2 million open tunneling hosts, measuring the extent of these new vulnerabilities, along with that of a previously-known flaw in a related tunneling protocol, for the first time. Top10VPN has again collaborated with leading security researcher Mathy Vanhoef to share this discovery ahead of its presentation at the USENIX 2025 conference in Seattle."
https://www.top10vpn.com/research/tunneling-protocol-vulnerability/
https://papers.mathyvanhoef.com/usenix2025-tunnels.pdf
https://github.com/vanhoefm/tunneltester
Malware
- Investigating A Web Shell Intrusion With Trend Micro Managed XDR
"This incident response by Trend Micro Managed XDR was triggered by Trend Vision One after our endpoint sensors detected a suspicious binary being executed by the IIS Worker process (w3wp.exe). This behavior is indicative of potential exploitation of the web server, possibly involving unauthorized activities or a compromised environment. Our investigation revealed that the attackers used a reverse TCP shell to establish command-and-control, as discovered by further filters triggered by the IIS Worker Process Spawning Suspicious PowerShell Command model. After containing the threat, Managed XDR conducted an investigation that uncovered multiple payloads downloaded in the directory C:\Users\Public, which we will discuss in this blog entry."
https://www.trendmicro.com/en_us/research/25/a/investigating-a-web-shell-intrusion-with-trend-micro--managed-xd.html
- The Great Google Ads Heist: Criminals Ransack Advertiser Accounts Via Fake Google Ads
"Online criminals are targeting individuals and businesses that advertise via Google Ads by phishing them for their credentials — ironically — via fraudulent Google ads. The scheme consists of stealing as many advertiser accounts as possible by impersonating Google Ads and redirecting victims to fake login pages. We believe their goal is to resell those accounts on blackhat forums, while also keeping some to themselves to perpetuate these campaigns."
https://www.malwarebytes.com/blog/news/2025/01/the-great-google-ads-heist-criminals-ransack-advertiser-accounts-via-fake-google-ads
https://www.bleepingcomputer.com/news/security/hackers-use-google-search-ads-to-steal-google-ads-accounts/
https://www.darkreading.com/vulnerabilities-threats/attackers-hijack-google-advertiser-accounts-malware
https://thehackernews.com/2025/01/google-ads-users-targeted-in.html
- One Mikro Typo: How a Simple DNS Misconfiguration Enables Malware Delivery By a Russian Botnet
"Not too long ago Infoblox Threat Intel discovered a botnet delivering malware via spam campaigns using spoofed sender domains. This is different from the email spoofing that we recently reported on Muddling Malspam: The Use of Spoofed Domains in Malicious Spam, in that these take advantage of misconfigured DNS records to pass email protection techniques. Botnets, which are built out of actor-controlled compromised devices, are extremely difficult to disrupt and represent a persistent threat in the cyber landscape. This botnet uses a global network of Mikrotik routers to send malicious emails that are designed to appear to come from legitimate domains. The spam we observed delivered trojan malware, but the botnet is likely used for a wide range of malicious activities. We continue to track this botnet via DNS."
https://blogs.infoblox.com/threat-intelligence/one-mikro-typo-how-a-simple-dns-misconfiguration-enables-malware-delivery-by-a-russian-botnet/
https://www.bleepingcomputer.com/news/security/mikrotik-botnet-uses-misconfigured-spf-dns-records-to-spread-malware/
- Operation 99: North Korea’s Cyber Assault On Software Developers
"On January 9, the SecurityScorecard STRIKE team uncovered Operation 99, a cyberattack by the Lazarus Group, North Korea’s state-sponsored hacking unit. This campaign targets software developers looking for freelance Web3 and cryptocurrency work. If you thought fake job offers from the group’s Operation Dream Job campaign were bad, this latest move is a masterclass in deception, sophistication, and malicious intent. Here’s why Operation 99 demands your attention."
https://securityscorecard.com/blog/operation-99-north-koreas-cyber-assault-on-software-developers/
https://securityscorecard.com/wp-content/uploads/2025/01/Report_011325_Strike_Operation99.pdf
https://thehackernews.com/2025/01/lazarus-group-targets-web3-developers.html
https://www.darkreading.com/threat-intelligence/north-korea-lazarus-apt-developer-recruitment-attacks
- Inside a 90-Minute Attack: Breaking Ground With All-New AI Defeating Black Basta Tactics
"Have you ever had your lunch interrupted by a sudden barrage of security alerts? That’s exactly what happened to one of our clients when a frantic call from their Security Operations Center revealed a flood of suspicious emails. The culprit? A brand-new cyberattack mimicking the notorious Black Basta group’s latest technique—and it hit with lightning speed."
https://slashnext.com/blog/inside-90-minute-attack-breaking-ground-with-all-new-ai-defeating-black-basta-tactics/
https://hackread.com/black-basta-cyberattack-hits-inboxes-with-1165-emails/
- NICKEL TAPESTRY Infrastructure Associated With Crowdfunding Scheme
"Secureworks Counter Threat Unit (CTU) researchers are investigating network infrastructure links between North Korean IT worker schemes and a 2016 crowdfunding scam. The CTU research team attributes the IT worker schemes to the NICKEL TAPESTRY threat group. In September 2018, the U.S. Department of Treasury's Office of Foreign Asset Control (OFAC) designated two information technology companies as violating sanctions, including operating as front companies to facilitate employment of North Korean IT workers and channeling illicit revenue to North Korea (officially the Democratic People's Republic of Korea (DPRK)) from overseas IT workers."
https://www.secureworks.com/blog/nickel-tapestry-infrastructure-associated-with-crowdfunding-scheme
https://thehackernews.com/2025/01/north-korean-it-worker-fraud-linked-to.html
https://www.infosecurity-magazine.com/news/north-korean-links-fraudulent/
- Suspected Ukrainian Hackers Impersonating Russian Ministries To Spy On Industry
"A suspected Ukraine-linked hacker group is targeting Russian scientific and industrial enterprises in a new cyber-espionage campaign, researchers have found. Russian cybersecurity firm F.A.C.C.T. intercepted fraudulent emails purportedly from Russia's Ministry of Industry and Trade. These emails, described in a report released Wednesday by the firm, instructed local defense industry companies to place orders with correctional facilities and suggested collaborating with prisoners who have a mechanical and engineering background."
https://therecord.media/suspected-ukraine-hackers-russian-phishing
- Russian Espionage And Financial Theft Campaigns Have Ramped Up, Ukraine Cyber Agency Says
"Threat actors are using increasingly sophisticated attack methods to target Ukrainian systems and exploit legitimate services, making it harder to prevent malicious activity, one of Ukraine’s top cyber agencies said on Tuesday. Most of the cyberattacks targeting Ukraine over the past year were for espionage, financial theft, or to inflict psychological damage, researchers at Ukraine’s State Service for Special Communications and Information Protection found. The majority of these campaigns were attributed to three Russia-linked hacker groups, tracked as UAC-0010, UAC-0006, and UAC-0050."
https://therecord.media/russian-espionage-financial-theft-campaign
Breaches/Hacks/Leaks
- Label Giant Avery Says Website Hacked To Steal Credit Cards
"Avery Products Corporation is warning it suffered a data breach after its website was hacked to steal customers' credit cards and personal information. Avery is an American company that produces and sells self-adhesive labels, apparel branding elements, and printing services. In a data breach notification sent to impacted customers, Avery discovered they were attacked on December 9, 2024. Following an internal investigation by digital forensic experts, it was discovered that threat actors had planted a card skimmer on 'avery.com,' the company's online shop domain, on July 18, 2024."
https://www.bleepingcomputer.com/news/security/label-giant-avery-says-website-hacked-to-steal-credit-cards/
- University Of Oklahoma Isolates Systems After ‘unusual Activity’ On IT Network
"The University of Oklahoma said it is taking steps to address unusual cyber activity it discovered on its network. The school, which has more than 34,000 students, appeared on the leak site of a ransomware gang on Tuesday, with the group claiming to have stolen 91 GB of data that allegedly includes employee data, financial information and more. “The University recently identified unusual activity on our IT network. Upon discovery, we isolated certain systems and are investigating the matter,” a spokesperson told Recorded Future News. “As part of this ongoing process, measures are being implemented across our network.”"
https://therecord.media/university-of-oklahoma-isolates-systems-unusual-activity
- Unknown Group Releases Fortinet Config Files And VPN Passwords To The Darknet
"VPN access data and complete configuration files of thousands of FortiNet appliances have surfaced on the darknet, where a previously unknown attacker group is giving them away. The data is apparently not related to recently published vulnerabilities in the FortiOS appliance operating system. heise security had a first look at the data. Usually, you'll get only small gifts in darknet forums: To prove their quality, underground traders will give out samples of their goods for free – a procedure that may have been copied from the legal data trading industry. But complete leaks of thousands of configuration and password files are not commonplace. A new entity called the "Belsen Group" has now given away over 15,000 data records that were apparently extracted from Fortinet firewalls via a security vulnerability."
https://www.heise.de/en/news/Unknown-group-releases-Fortinet-config-files-and-VPN-passwords-to-the-darknet-10244238.html
https://securityaffairs.com/173111/cyber-crime/fortinet-fortigate-devices-data-leak.html
General News
- As Tensions Mount With China, Taiwan Sees Surge In Cyberattacks
"Using phishing emails and zero-day exploits, China's cyber-operations groups targeted Taiwanese organizations — including government agencies, telecommunications firms, and transportation — with significantly higher volumes of attacks in 2024. On average, Taiwan saw more than 2.4 million attack attempts per day, double the 1.2 million average daily attacks in 2023, with the vast majority of activity targeting the Taiwanese government, according to an annual analysis published by Taiwan's National Security Bureau (NSB). Like many other countries, Taiwan has also detected a surge in attacks targeting its telecommunications sector, with the number of security events rising by more than sixfold, the analysis stated."
https://www.darkreading.com/cyber-risk/as-tensions-with-china-mount-taiwan-sees-surge-in-cyberattacks
- Using Cognitive Diversity For Stronger, Smarter Cyber Defense
"In this Help Net Security interview, Mel Morris, CEO of Corpora.ai, discusses how cognitive biases affect decision-making during cybersecurity incidents. Morris shares insights on the challenges of designing user-friendly cybersecurity tools that consider human cognitive processes."
https://www.helpnetsecurity.com/2025/01/15/mel-morris-corpora-ai-cognitive-diversity-cybersecurity/
- CISA Releases Microsoft Expanded Cloud Logs Implementation Playbook
"Today, CISA released the Microsoft Expanded Cloud Logs Implementation Playbook to help organizations get the most out of Microsoft’s newly introduced logs in Microsoft Purview Audit (Standard). This step-by-step guide enables technical personnel to better detect and defend against advanced intrusion techniques by operationalizing expanded cloud logs."
https://www.cisa.gov/news-events/alerts/2025/01/15/cisa-releases-microsoft-expanded-cloud-logs-implementation-playbook
https://www.cisa.gov/resources-tools/resources/microsoft-expanded-cloud-logs-implementation-playbook
https://www.bleepingcomputer.com/news/security/cisa-shares-guidance-for-microsoft-expanded-logging-capabilities/
- Strengthening America’s Resilience Against The PRC Cyber Threats
"As America’s Cyber Defense Agency and the National Coordinator for critical infrastructure security and resilience, CISA’s mission is to safeguard America’s critical infrastructure and enhance our nation’s collective resilience. We help protect and defend the critical services Americans rely on every day against threats from anyone, anywhere, anytime. China’s sophisticated and well-resourced cyber program represents the most serious and significant cyber threat to our nation, and in particular, U.S. critical infrastructure. Last year, I testified about these threats before the House Select Committee on the Chinese Communist Party."
https://www.cisa.gov/news-events/news/strengthening-americas-resilience-against-prc-cyber-threats
https://www.bankinfosecurity.com/cisa-first-spotted-salt-typhoon-hackers-in-federal-networks-a-27302
https://www.theregister.com/2025/01/15/salt_typhoon_us_govt_networks/
https://cyberscoop.com/salt-typhoon-us-government-jen-easterly-cisa/
- Ransomware And Cyber Extortion In Q4 2024
"The last quarter of 2024 proved to be a pivotal period for ransomware activity, marked by emerging threats and unexpected shifts among established groups."
https://www.reliaquest.com/blog/ransomware-and-cyber-extortion-in-q4-2024/
https://www.bankinfosecurity.com/ransomware-leak-sites-suggest-attacks-reached-record-high-a-27299
- AI Alone Is Not Bulletproof: Weaknesses In AI/ML Email Security
"Despite modern secure email gateways (SEGs) embracing AI capabilities, many phishing emails still reach users' inboxes. Therefore, employees need proper training to be able to identify attacks. This is necessary because artificial intelligence and machine learning (AI/ML) models are trained on past data, which may not relate to future threats. Also, most threat actors are creative and able to identify working strategies to bypass SEG security—and they are using AI offensively."
https://cofense.com/blog/ai-alone-is-not-bulletproof-weaknesses-in-ai-ml-email-security
- Extension Poisoning Campaign Highlights Gaps In Browser Security
"A Christmas Eve phishing attack resulted in an unknown party taking over a Cyberhaven employee's Google Chrome Web Store account and publishing a malicious version of Cyberhaven's Chrome extension. While the problematic extension was removed within an hour of its discovery, the malicious activity highlights gaps in browser security that exist at most organizations and the necessity of getting a handle on the problem now, as extension poisoning is expected to be a persistent issue."
https://www.darkreading.com/endpoint-security/extension-poisoning-campaign-gaps-browser-security
- OWASP's New LLM Top 10 Shows Emerging AI Threats
"The advent of artificial intelligence (AI) coding tools undoubtedly signifies a new chapter in modern software development. With 63% of organizations currently piloting or deploying AI coding assistants into their development workflows, the genie is well and truly out of the bottle, and the industry must now make careful moves to integrate it as safely and efficiently as possible."
https://www.darkreading.com/vulnerabilities-threats/owasps-llm-top-10-shows-emerging-ai-threats
- Cyber Insights 2025: Open Source And Software Supply Chain Security
"Attacking the OSS supply chain is a no-brainer for malicious actors: protecting it is hard. Open source software (OSS) has become a major threat vector over the last decade. The reason is simple mathematics. “There are over 5 million OSS packages available,” explains Mehran Farimani, CEO at RapidFort. Chris Hughes, chief security advisor at Endor Labs, adds, “Adoption [of OSS] has grown exponentially in the last decade and shows no signs of slowing down. It is now found in nearly 90% of modern code bases and makes up 70-80% of those code bases.”"
https://www.securityweek.com/cyber-insights-2025-open-source-and-the-software-supply-chain/
- UN Security Council Members Meet On Spyware For First Time
"Members of the U.N. Security Council for the first time gathered Tuesday to discuss the threat posed by commercial spyware at an informal meeting where a senior U.S. diplomat called for enhanced efforts to obtain justice for victims of the technology, and other nations pledged to take action. The meeting — known as an Arria-formula, to discuss pressing problems outside the full council — comes at a time when increasing attention is being paid to how spyware is infecting devices belonging to diplomats."
https://therecord.media/commercial-spyware-meeting-un-security-council-members
- Navigating Today’s Cloud Security Challenges
"Cloud adoption lies at the heart of digital transformation, providing organizations with the agility and flexibility they need to stay competitive in today’s rapidly changing marketplace. Competing in a digital-first economy requires developing personalized customer experiences, embracing a more prominent hybrid workforce strategy, streamlining workflows, and optimizing distributed operations for greater efficiency and scalability. However, while the power of the cloud certainly enables enterprises to adapt to today’s evolving demands quickly, it also introduces unique challenges that security teams must recognize and manage. These include safeguarding sensitive data, ensuring regulatory compliance, and maintaining visibility and control across increasingly complex hybrid and multi-cloud environments."
https://www.fortinet.com/blog/business-and-technology/navigating-todays-cloud-security-challenges
https://www.infosecurity-magazine.com/news/multicloud-surges-rising-security/
- Turning Curiosity Into a Career: The Power Of OSINT
"I had a dear friend whose mother used to ask us to "get on the clacker and use the goggles" to find information for her. Back then, people were just learning how to "Google-fu" searches to answer obscure questions. Now Google is an incredibly powerful tool used by cybersecurity experts and bad actors around the globe."
https://www.bankinfosecurity.com/blogs/turning-curiosity-into-career-power-osint-p-3795
References
Electronic Transactions Development Agency (ETDA) - ICS Patch Tuesday: Security Advisories Published By Schneider, Siemens, Phoenix Contact, CISA