Cyber Threat Intelligence 24 January 2025
Industrial Sector
- MySCADA MyPRO Manager
"Successful exploitation of these vulnerabilities could allow a remote attacker to execute arbitrary commands or disclose sensitive information."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-023-01
- Hitachi Energy RTU500 Series Product
"Successful exploitation of this vulnerability could allow an attacker to update the RTU500 with unsigned firmware."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-023-02
- Schneider Electric EVlink Home Smart And Schneider Charge
"Successful exploitation of this vulnerability may expose test credentials in the firmware binary."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-023-03
- Schneider Electric Easergy Studio
"Successful exploitation of this vulnerability may risk unauthorized access to the installation directory for Easergy Studio, which could allow an attacker with access to the file system to elevate privileges."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-023-04
- Schneider Electric EcoStruxure Power Build Rapsody
"Successful exploitation of this vulnerability could allow local attackers to potentially execute arbitrary code when opening a malicious project file."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-023-05
- HMS Networks Ewon Flexy 202
"Successful exploitation of this vulnerability could allow an attacker to disclose sensitive user credentials."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-023-06
New Tooling
- Web Cache Vulnerability Scanner: Open-Source Tool For Detecting Web Cache Poisoning
"The Web Cache Vulnerability Scanner (WCVS) is an open-source command-line tool for detecting web cache poisoning and deception. The scanner, developed by Maximilian Hildebrand, offers extensive support for various web cache poisoning and deception techniques. It features a built-in crawler to discover additional URLs for testing. The tool is designed to adapt to specific web caches for enhanced testing efficiency, is customizable, and integrates into existing CI/CD pipelines."
https://www.helpnetsecurity.com/2025/01/23/web-cache-vulnerability-scanner-detecting-web-cache-poisoning/
https://github.com/Hackmanit/Web-Cache-Vulnerability-Scanner
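The core probe that a scanner of this kind automates, as an added illustration (this is not WCVS's code): send a canary value in a header the cache does not key on, then re-request the same URL without the header and see whether the cache hands the canary back. The origin, cache key and header name below are constructed so the check runs offline.

```python
"""Added illustration, not WCVS's own code: the basic web cache poisoning
probe, run against an in-memory mock of a reflecting origin behind a cache.
Origin behaviour, cache key and header name are constructed."""
import secrets
from dataclasses import dataclass


@dataclass
class Response:
    body: str
    cache_status: str   # "HIT" or "MISS", as a CDN would report in X-Cache


class ReflectingOrigin:
    """Weak origin: copies X-Forwarded-Host into a script URL unvalidated."""
    def handle(self, url, headers):
        host = headers.get("X-Forwarded-Host", "www.example.test")
        return f'<script src="https://{host}/static/app.js"></script>'


class SafeOrigin:
    """Hardened origin: builds the URL from its configured host only."""
    def handle(self, url, headers):
        return '<script src="https://www.example.test/static/app.js"></script>'


class Cache:
    """Cache keyed on path+query only, so request headers are 'unkeyed'."""
    def __init__(self, origin):
        self.origin = origin
        self.store = {}

    def get(self, url, headers=None):
        headers = headers or {}
        if url in self.store:
            return Response(self.store[url], "HIT")
        body = self.origin.handle(url, headers)
        self.store[url] = body
        return Response(body, "MISS")


def probe_unkeyed_header(fetch, path, header):
    """Poisoning check for one header.

    1. Send a canary in `header` with a fresh cache-buster so the request
       misses the cache and the origin's response gets stored.
    2. Re-request the same URL *without* the header.
    Poisoned if the canary comes back on the second request: the cache is
    now serving the attacker-influenced response to every client."""
    canary = secrets.token_hex(6) + ".attacker.test"
    url = f"{path}?cb={secrets.token_hex(4)}"
    first = fetch(url, {header: canary})
    if canary not in first.body:
        return False            # header not reflected, nothing to poison
    second = fetch(url, {})
    return second.cache_status == "HIT" and canary in second.body


if __name__ == "__main__":
    for origin in (ReflectingOrigin(), SafeOrigin()):
        cache = Cache(origin)
        print(type(origin).__name__,
              probe_unkeyed_header(cache.get, "/", "X-Forwarded-Host"))
```

Against a real target the cache-buster is what keeps the probe safe: the poisoned entry only ever exists under a query string nobody else requests, so the test never serves the canary to real users.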
Vulnerabilities
- SonicWall Warns Of SMA1000 RCE Flaw Exploited In Zero-Day Attacks
"SonicWall is warning about a pre-authentication deserialization vulnerability in SonicWall SMA1000 Appliance Management Console (AMC) and Central Management Console (CMC), with reports that it has been exploited as a zero-day in attacks. The flaw, tracked as CVE-2025-23006 and rated critical (CVSS v3 score: 9.8), could allow remote unauthenticated attackers to execute arbitrary OS commands under specific conditions. The vulnerability affects all firmware versions of the SMA1000 appliance up to 12.4.3-02804 (platform-hotfix)."
https://www.bleepingcomputer.com/news/security/sonicwall-warns-of-sma1000-rce-flaw-exploited-in-zero-day-attacks/
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0002
https://thehackernews.com/2025/01/sonicwall-urges-immediate-patch-for.html
https://cyberscoop.com/sonicwall-sma-zero-day-patch/
https://www.securityweek.com/sonicwall-learns-from-microsoft-about-potentially-exploited-zero-day/
https://www.helpnetsecurity.com/2025/01/23/sonicwall-sma-1000-exploited-zero-day-cve-2025-23006/
https://www.theregister.com/2025/01/23/sonicwall_critical_bug/
- Cisco Fixes Critical Vulnerability In Meeting Management
"Cisco has warned about a new privilege escalation vulnerability in its Meeting Management tool that could allow a remote attacker to gain administrator privileges on exposed instances. The vulnerability, CVE-2025-20156, was disclosed by Cisco on January 22 and is awaiting further analysis by the US National Vulnerability Database (NVD). Cisco also issued a security advisory the same day, allocating the flaw a severity score (CVSS) of 9.9, meaning it is a critical vulnerability."
https://www.infosecurity-magazine.com/news/cisco-critical-vulnerability/
- Cisco Fixes Critical Privilege Escalation Flaw In Meeting Management (CVSS 9.9)
"Cisco has released software updates to address a critical security flaw impacting Meeting Management that could permit a remote, authenticated attacker to gain administrator privileges on susceptible instances. The vulnerability, tracked as CVE-2025-20156, carries a CVSS score of 9.9 out of 10.0. It has been described as a privilege escalation flaw in the REST API of Cisco Meeting Management. "This vulnerability exists because proper authorization is not enforced upon REST API users," the company said in a Wednesday advisory. "An attacker could exploit this vulnerability by sending API requests to a specific endpoint.""
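The bug class the advisory describes, authentication checked but authorization never enforced per endpoint, as an added example in a minimal request dispatcher (this is not Cisco's code and says nothing about the real endpoint). The path, roles and session tokens are constructed.

```python
"""Added example, not Cisco's code: the bug class behind 'proper authorization
is not enforced upon REST API users' in a minimal request dispatcher, next to
the fixed version. Endpoint path, roles and session tokens are constructed."""
from dataclasses import dataclass


@dataclass
class User:
    name: str
    role: str          # "user" or "admin"


# constructed session store: bearer token -> user
SESSIONS = {
    "tok-alice": User("alice", "user"),
    "tok-root": User("root", "admin"),
}
ROLE_ENDPOINT = "/api/v1/users/role"      # hypothetical admin-only endpoint
ADMIN_ONLY = {ROLE_ENDPOINT}


def authenticate(headers):
    """Returns the session's User, or None if the token is missing/unknown."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return SESSIONS.get(auth[len("Bearer "):].strip())


def vulnerable_dispatch(method, path, headers, body, db):
    """Authenticates the caller, then lets any valid session reach the endpoint."""
    if authenticate(headers) is None:
        return 401, {"error": "unauthenticated"}
    if method == "POST" and path == ROLE_ENDPOINT:
        db[body["user"]] = body["role"]      # no check on the caller's role
        return 200, {"ok": True}
    return 404, {"error": "not found"}


def fixed_dispatch(method, path, headers, body, db):
    """Same router with an authorization step before the endpoint runs."""
    user = authenticate(headers)
    if user is None:
        return 401, {"error": "unauthenticated"}
    if path in ADMIN_ONLY and user.role != "admin":
        return 403, {"error": "forbidden"}   # authenticated, not authorized
    if method == "POST" and path == ROLE_ENDPOINT:
        db[body["user"]] = body["role"]
        return 200, {"ok": True}
    return 404, {"error": "not found"}


def escalation_attempt(dispatch, token="tok-alice"):
    """Caller tries to promote 'alice'; returns (status, alice's role afterwards)."""
    db = {"alice": "user", "root": "admin"}
    status, _ = dispatch("POST", ROLE_ENDPOINT,
                         {"Authorization": f"Bearer {token}"},
                         {"user": "alice", "role": "admin"}, db)
    return status, db["alice"]


if __name__ == "__main__":
    print("vulnerable:", escalation_attempt(vulnerable_dispatch))   # (200, 'admin')
    print("fixed:     ", escalation_attempt(fixed_dispatch))        # (403, 'user')
```

The useful habit is the one in fixed_dispatch: the allow-list of privileged paths is checked centrally, before any handler runs, so adding an endpoint without an explicit role check fails closed rather than open.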
https://thehackernews.com/2025/01/cisco-fixes-critical-privilege.html
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cmm-privesc-uy2Vf8pc
https://www.securityweek.com/cisco-patches-critical-vulnerability-in-meeting-management/
https://securityaffairs.com/173361/security/cisco-meeting-management-critical-flaw.html
https://www.theregister.com/2025/01/23/cisco_fixes_critical_bug/
- CISA Adds One Known Exploited Vulnerability To Catalog
"CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
CVE-2020-11023 JQuery Cross-Site Scripting (XSS) Vulnerability"
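A KEV entry for a library this old mostly raises an inventory question. The added example below (not CISA's or the jQuery project's code) walks a tree of web assets, reads each jQuery copy's version from its file name or banner comment, and flags the range CVE-2020-11023 covers, which is jQuery 1.0.3 and later before the fix in 3.5.0. The sample file tree it builds is constructed.

```python
"""Added example (not CISA's or the jQuery project's code): find jQuery copies
under a web root and flag versions in the range affected by CVE-2020-11023
(jQuery >= 1.0.3 and < 3.5.0). Versions come from the file name
(jquery-3.4.1.min.js) or the banner comment (/*! jQuery v3.4.1 ...).
The sample tree built by build_sample_tree() is constructed."""
import re
import tempfile
from pathlib import Path

AFFECTED_FROM = (1, 0, 3)
FIXED_IN = (3, 5, 0)
NAME_RE = re.compile(r"jquery[-.](\d+\.\d+(?:\.\d+)?)(?:\.slim|\.min)*\.js$", re.I)
BANNER_RE = re.compile(
    r"/\*!\s*\*?\s*jQuery\s+(?:JavaScript Library\s+)?v(\d+\.\d+(?:\.\d+)?)", re.I)


def parse_version(text):
    parts = [int(p) for p in text.split(".")]
    return tuple((parts + [0, 0, 0])[:3])


def jquery_version(path):
    """Version tuple from the file name, else from the banner comment, else None."""
    m = NAME_RE.search(path.name)
    if m:
        return parse_version(m.group(1))
    m = BANNER_RE.search(path.read_text(errors="replace")[:500])
    return parse_version(m.group(1)) if m else None


def is_affected(version):
    return version is not None and AFFECTED_FROM <= version < FIXED_IN


def scan(root):
    """{relative path: 'x.y.z'} for every jQuery copy under root in the affected range."""
    root = Path(root)
    findings = {}
    for p in sorted(root.rglob("*.js")):
        v = jquery_version(p)
        if is_affected(v):
            findings[p.relative_to(root).as_posix()] = ".".join(map(str, v))
    return findings


def build_sample_tree(root):
    """Constructed sample assets: two named copies, one renamed copy, one unrelated file."""
    root = Path(root)
    files = {
        "static/jquery-3.4.1.min.js": "/*! jQuery v3.4.1 | (c) JS Foundation */",
        "static/jquery-3.6.0.min.js": "/*! jQuery v3.6.0 | (c) OpenJS Foundation */",
        "vendor/lib.js": "/*!\n * jQuery JavaScript Library v2.2.4\n */\n",
        "app.js": "console.log('no jquery here');",
    }
    for rel, content in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(content)
    return root


def scan_sample():
    """Build the constructed tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as d:
        return scan(build_sample_tree(d))


if __name__ == "__main__":
    print(scan_sample())
    # {'static/jquery-3.4.1.min.js': '3.4.1', 'vendor/lib.js': '2.2.4'}
```

The renamed copy (vendor/lib.js) is the case that matters: dependency scanners keyed on file names miss it, the banner comment does not.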
https://www.cisa.gov/news-events/alerts/2025/01/23/cisa-adds-one-known-exploited-vulnerability-catalog
https://securityaffairs.com/173388/uncategorized/u-s-cisa-adds-jquery-flaw-known-exploited-vulnerabilities-catalog.html
- QNAP Fixes Six Rsync Vulnerabilities In NAS Backup, Recovery App
"QNAP has fixed six rsync vulnerabilities that could let attackers gain remote code execution on unpatched Network Attached Storage (NAS) devices. Rsync is an open-source file synchronization tool that supports direct file syncing via its daemon, transfers over SSH, and incremental transfers that save time and bandwidth. It's widely used by many backup solutions like Rclone, DeltaCopy, and ChronoSync, as well as in cloud and server management operations and public file distribution."
https://www.bleepingcomputer.com/news/security/qnap-fixes-six-rsync-vulnerabilities-in-hbs-nas-backup-recovery-app/
- PANdora's Box: Vulnerabilities Found In NGFW
"Security appliances, such as firewalls, VPNs, and secure web gateways, are designed to protect organizations from cyber threats. However, these assets designed to protect enterprises are increasingly the target of attackers who exploit vulnerabilities in security appliances to gain access, evade security teams, and maintain persistence within target organizations. The issue is that security appliances, ironically, are often very poor regarding their own supply chain security and device integrity."
https://eclypsium.com/blog/pandoras-box-vulns-in-security-appliances/
https://thehackernews.com/2025/01/palo-alto-firewalls-found-vulnerable-to.html
Malware
- Hundreds Of Fake Reddit Sites Push Lumma Stealer Malware
"Hackers are distributing close to 1,000 web pages mimicking Reddit and the WeTransfer file sharing service that lead to downloading the Lumma Stealer malware. On the fake pages, the threat actor is abusing the Reddit brand by showing a fake discussion thread on a specific topic. The thread creator asks for help to download a specific tool, another user offers to help by uploading it to WeTransfer and sharing the link, and a third thanks him to make everything appear legitimate."
https://www.bleepingcomputer.com/news/security/hundreds-of-fake-reddit-sites-push-lumma-stealer-malware/
- FBI: North Korean IT Workers Steal Source Code To Extort Employers
"The FBI warned today that North Korean IT workers are abusing their access to steal source code and extort U.S. companies that have been tricked into hiring them. The security service alerted public and private sector organizations in the United States and worldwide that North Korea's IT army will facilitate cyber-criminal activities and demand ransoms not to leak online exfiltrated sensitive data stolen from their employers' networks."
https://www.bleepingcomputer.com/news/security/fbi-north-korean-it-workers-steal-source-code-to-extort-employers/
https://www.ic3.gov/PSA/2025/PSA250123
- The J-Magic Show: Magic Packets And Where To Find Them
"The Black Lotus Labs team at Lumen Technologies has been tracking the use of a backdoor attack tailored for use against enterprise-grade Juniper routers. This backdoor is opened by a passive agent that continuously monitors for a “magic packet,” sent by the attacker in TCP traffic. We have dubbed this campaign J-magic, it is a recent operation with the earliest sample uploaded to VirusTotal in September 2023. At present, we are unable to determine the initial access method, however once in place it installs the agent – a variant of cd00r – which passively scans for five different predefined parameters before activating. If any of these parameters or “magic packets” are received, the agent sends back a secondary challenge. Once that challenge is complete, J-magic establishes a reverse shell on the local file system, allowing the operators to control the device, steal data, or deploy malicious software."
https://blog.lumen.com/the-j-magic-show-magic-packets-and-where-to-find-them/
https://www.bleepingcomputer.com/news/security/stealthy-magic-packet-malware-targets-juniper-vpn-gateways/
https://thehackernews.com/2025/01/custom-backdoor-exploiting-magic-packet.html
https://www.darkreading.com/endpoint-security/black-magic-enterprise-juniper-routers-backdoor
https://cyberscoop.com/jmagic-juniper-networks-backdoor-freebsd-vpn/
https://www.helpnetsecurity.com/2025/01/23/juniper-enterprise-routers-backdoor-malware-j-magic/
- How GhostGPT Empowers Cybercriminals With Uncensored AI
"Artificial intelligence (AI) tools have changed the way we tackle day-to-day tasks, but cybercriminals are twisting that same technology for illegal activities. In 2023, WormGPT made headlines as an uncensored chatbot specifically designed for malicious purposes. Soon after, we started seeing other so-called “variants” pop up, like WolfGPT and EscapeGPT. Unlike traditional AI models that are constrained by guidelines to ensure safe and responsible interactions, uncensored AI chatbots operate without such guardrails, raising serious concerns about their potential misuse. Most recently, Abnormal Security researchers uncovered GhostGPT, a new uncensored chatbot that further pushes the boundaries of ethical AI use."
https://abnormalsecurity.com/blog/ghostgpt-uncensored-ai-chatbot
https://hackread.com/ghostgpt-malicious-ai-chatbot-fuel-cybercrime-scams/
https://www.infosecurity-magazine.com/news/ghostgpt-ai-chatbot-malware/
- HellCat And Morpheus | Two Brands, One Payload As Ransomware Affiliates Drop Identical Code
"The previous six months have seen heightened activity around new and emerging ransomware operations. Across the tail-end of 2024 and into 2025, we have seen the rise of groups such as FunkSec, Nitrogen and Termite. In addition, we have seen the return of Cl0p and a new version of LockBit (aka LockBit 4.0). Within this period of accelerated activity, the Ransomware-as-a-Service offerings HellCat and Morpheus have gained additional momentum and notoriety. Operators behind HellCat, in particular, have been vocal in their efforts to establish the RaaS as a ‘reputable’ brand and service within the crimeware economy."
https://www.sentinelone.com/blog/hellcat-and-morpheus-two-brands-one-payload-as-ransomware-affiliates-drop-identical-code/
https://thehackernews.com/2025/01/experts-find-shared-codebase-linking.html
- Lumma Stealer: Fake CAPTCHAs & New Techniques To Evade Detection
"In January, Netskope Threat Labs observed a new malware campaign using fake CAPTCHAs to deliver Lumma Stealer. Lumma is a malware that works in the malware-as-a-service (MaaS) model and has existed since at least 2022. The campaign is global, with Netskope Threat Labs tracking victims targeted in Argentina, Colombia, the United States, the Philippines, and other countries around the world. The campaign also spans multiple industries, including healthcare, banking, and marketing, with the telecom industry having the highest number of organizations targeted."
https://www.netskope.com/blog/lumma-stealer-fake-captchas-new-techniques-to-evade-detection
https://thehackernews.com/2025/01/beware-fake-captcha-campaign-spreads.html
- Qbot Is Back.Connect
"QBot is a modular information stealer also known as Qakbot or Pinkslipbot. It has been active since around 2007. It has historically been known as a banking Trojan, meaning that it steals financial data from infected systems, and a loader using C2 (Command and Control) servers for payload targeting and execution. On May 30th, 2024 Law Enforcement action[1] was taken against the Qbot operators in a coordinated effort to disrupt their activities. But like most things, while the actions taken did disrupt the activity, new signs are showing a re-emergence of the operators."
https://medium.com/walmartglobaltech/qbot-is-back-connect-2d774052369f
https://thehackernews.com/2025/01/qakbot-linked-bc-malware-adds-enhanced.html
- TRIPLESTRENGTH Hits Cloud For Cryptojacking, On-Premises Systems For Ransomware
"Google on Wednesday shed light on a financially motivated threat actor named TRIPLESTRENGTH for its opportunistic targeting of cloud environments for cryptojacking and on-premise ransomware attacks. "This actor engaged in a variety of threat activity, including cryptocurrency mining operations on hijacked cloud resources and ransomware activity," the tech giant's cloud division said in its 11th Threat Horizons Report."
https://thehackernews.com/2025/01/triplestrength-targets-cloud-platforms.html
- Hackers Imitate Kremlin-Linked Group To Target Russian Entities
"A little-known hacking group has been mimicking the tactics of a prominent Kremlin-linked threat actor to target Russian-speaking victims, according to new research. In its latest campaign, the group being dubbed GamaCopy used phishing documents disguised as official reports about the location of Russian armed forces’ facilities in Ukraine. It also deployed an open-source software called UltraVNC to remotely access victims’ systems."
https://therecord.media/hacker-imitates-gamaredon-to-target-russia
- Salt Typhoon: An Analysis Of Vulnerabilities Exploited By This State-Sponsored Actor
"Salt Typhoon, a state-sponsored actor linked to the People’s Republic of China, has breached at least nine U.S.-based telecommunications companies with the intent to target high profile government and political figures. Tenable Research examines the tactics, techniques and procedures of this threat actor."
https://www.tenable.com/blog/salt-typhoon-an-analysis-of-vulnerabilities-exploited-by-this-state-sponsored-actor
https://www.theregister.com/2025/01/23/proxylogon_flaw_salt_typhoons_open/
Breaches/Hacks/Leaks
- Oxfam Hong Kong Data Leak: Watchdog Rules Charity Violated Privacy Law
"The local arm of international charity Oxfam violated the data protection law following a leak in July that potentially affected 550,000 people, Hong Kong’s privacy watchdog ruled in an investigation report on Thursday. The Office of the Privacy Commissioner for Personal Data also revealed there had been a nearly 30 per cent year-on-year increase in breach notifications in 2024. It said the number of doxxing cases fell 42 per cent year on year."
https://www.scmp.com/news/hong-kong/law-and-crime/article/3295957/oxfam-hong-kong-data-leak-watchdog-rules-charity-violated-privacy-law
- FortiGate Config Leaks: Victims' Email Addresses Published Online
"Thousands of email addresses included in the Belsen Group's dump of FortiGate configs last week are now available online, revealing which organizations may have been impacted by the 2022 zero-day exploits. Infosec expert Kevin Beaumont uploaded the IP and email addresses associated with the leaked FortiGate configs to GitHub, while fellow researcher Florian Roth separately extracted them and grouped them via top-level domains (TLDs)."
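The extraction-and-grouping step the article describes, as an added example (not Kevin Beaumont's or Florian Roth's script): pull email and IP addresses out of FortiGate-style config text, separate RFC 1918 addresses from external ones, group the emails by top-level domain, and match them against your own domains to see whether your organisation is in the dump. The config snippet is constructed to mimic the layout only and the addresses are documentation ranges.

```python
"""Added example (not Kevin Beaumont's or Florian Roth's script): extract
email addresses and IP addresses from leaked FortiGate-style config text,
group emails by TLD, and check a list of your own domains against them.
SAMPLE_CONFIG is constructed to mimic the layout only."""
import ipaddress
import re
from collections import defaultdict

SAMPLE_CONFIG = """\
config system global
    set hostname "FGT-EDGE-01"
end
config system admin
    edit "admin"
        set email-to "noc@example.co.uk"
    next
end
config system interface
    edit "wan1"
        set ip 203.0.113.10 255.255.255.248
    next
    edit "internal"
        set ip 10.10.0.1 255.255.255.0
    next
end
config user local
    edit "jdoe"
        set email-to "jdoe@example.com"
    next
end
"""

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify_ip(text):
    """'external', 'internal' (RFC 1918), or None for masks, 0.0.0.0, loopback etc."""
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:
        return None
    if ip.is_reserved or ip.is_loopback or ip.is_multicast or ip.is_unspecified or ip.is_link_local:
        return None      # 255.x.x.x netmasks fall in the reserved 240.0.0.0/4 block
    return "internal" if any(ip in n for n in RFC1918) else "external"


def extract(config_text):
    """(emails, external IPs, internal IPs) found anywhere in the text."""
    emails = {m.group(0).lower() for m in EMAIL_RE.finditer(config_text)}
    ips = {"external": set(), "internal": set()}
    for m in IPV4_RE.finditer(config_text):
        kind = classify_ip(m.group(0))
        if kind:
            ips[kind].add(m.group(0))
    return emails, ips["external"], ips["internal"]


def group_by_tld(emails):
    """{'com': {...}, 'uk': {...}}: the per-TLD grouping used to size the victim set."""
    groups = defaultdict(set)
    for e in emails:
        groups[e.rsplit(".", 1)[1]].add(e)
    return dict(groups)


def matches_my_domains(emails, my_domains):
    """Emails whose domain is one of my_domains or a subdomain of one."""
    hits = set()
    for e in emails:
        domain = e.split("@", 1)[1]
        if any(domain == d or domain.endswith("." + d) for d in my_domains):
            hits.add(e)
    return hits


if __name__ == "__main__":
    emails, ext, intl = extract(SAMPLE_CONFIG)
    print(group_by_tld(emails))
    print("external:", ext, "internal:", intl)
    print(matches_my_domains(emails, {"example.com"}))
```

The external addresses are the more useful indicator than the emails for an exposure check: the management IP in a leaked config can be compared directly against your own public ranges, and a hit means the credentials and certificates in that config must be treated as compromised.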
https://www.theregister.com/2025/01/23/fortigate_config_leaks_infoseccers_list_victim_emails/
General News
- Tesla EV Charger Hacked Twice On Second Day Of Pwn2Own Tokyo
"Security researchers hacked Tesla's Wall Connector electric vehicle charger twice on the second day of the Pwn2Own Automotive 2025 hacking contest. They also exploited 23 more zero-day vulnerabilities in WOLFBOX, ChargePoint Home Flex, Autel MaxiCharger, Phoenix Contact CHARX, and EMPORIA EV chargers, as well as in the Alpine iLX-507, Kenwood DMX958XR, Sony XAV-AX8500 In-Vehicle Infotainment (IVI) systems."
https://www.bleepingcomputer.com/news/security/tesla-ev-charger-hacked-twice-on-second-day-of-pwn2own-tokyo/
https://www.darkreading.com/vulnerabilities-threats/tesla-gear-hacked-multiple-times-pwn2own-contests
https://www.securityweek.com/tesla-charger-exploits-earn-hackers-129000-at-pwn2own/
https://securityaffairs.com/173376/hacking/pwn2own-automotive-2025-day-2.html
- Two North Korean Nationals And Three Facilitators Indicted For Multi-Year Fraudulent Remote Information Technology Worker Scheme That Generated Revenue For The Democratic People's Republic Of Korea
"The Justice Department today announced the indictment of North Korean nationals Jin Sung-Il (진성일) and Pak Jin-Song (박진성), Mexican national Pedro Ernesto Alonso De Los Reyes, and U.S. nationals Erick Ntekereze Prince and Emanuel Ashtor for a fraudulent scheme to obtain remote information technology (IT) work with U.S. companies that generated revenue for the Democratic People’s Republic of Korea (DPRK or North Korea)."
https://www.justice.gov/opa/pr/two-north-korean-nationals-and-three-facilitators-indicted-multi-year-fraudulent-remote
https://therecord.media/doj-indicts-americans-for-running-laptop-farm-north-korea-scheme
https://cyberscoop.com/doj-indicts-five-in-north-korean-fake-it-worker-scheme/
- The Security Risk Of Rampant Shadow AI
"The rapid rise of artificial intelligence (AI) has cast a long shadow, but its immense promise comes with a significant risk: shadow AI. Shadow AI refers to the use of AI technologies, including AI models and generative AI (GenAI) tools outside of a company's IT-sanctioned governance. As more people use tools like ChatGPT to increase their efficiency at work, many organizations are banning publicly available GenAI for internal use. Among the organizations looking to prevent unnecessary security risks are those in the financial services and healthcare sectors, as well as technology companies like Apple, Amazon, and Samsung."
https://www.darkreading.com/vulnerabilities-threats/security-risk-rampant-shadow-ai
- Security Needs To Start Saying 'No' Again
"For years, cybersecurity was frequently (and derisively) referred to as the "Department of No." Business executives griped that in the face of innovation, cybersecurity teams would slap down ideas, list reasons why the project was insecure, and why what they wanted to do was not feasible. Then came a mindset change. As more security leaders were tasked with demonstrating a return on investment for security budgets, security departments started finding ways to say "yes" more often."
https://www.darkreading.com/cyber-risk/security-needs-start-saying-no-again
- Beyond Flesh And Code: Building An LLM-Based Attack Lifecycle With a Self-Guided Malware Agent
"Large Language Models (LLMs) are rapidly evolving, and their capabilities are attracting the attention of threat actors. This blog explores how malicious actors are utilizing LLMs to enhance their cyber operations and then delves into LLM-based tools and an advanced stealer managed by artificial intelligence (AI). While LLMs hold immense potential for improving cybersecurity through threat detection and analysis, their power can also be wielded for malicious purposes. Recent reports suggest that cybercriminals and nation-state actors are actively exploring LLMs for different tasks such as code generation, phishing emails, scripts, and more. We’ll elaborate on just a few examples in this blog."
https://www.deepinstinct.com/blog/beyond-flesh-and-code-building-an-llm-based-attack-lifecycle-with-a-self-guided-agent
- Defense Strategies To Counter Escalating Hybrid Attacks
"In this Help Net Security interview, Tomer Shloman, Sr. Security Researcher at Trellix, talks about attack attribution, outlines solutions for recognizing hybrid threats, and offers advice on how organizations can protect themselves against hybrid attacks."
https://www.helpnetsecurity.com/2025/01/23/tomer-shloman-trellix-hybrid-attacks/
- CISOs Dramatically Increase Boardroom Influence But Still Lack Soft Skills
"CISOs are gaining ground in the boardroom, but many of their C-suite peers believe there's still work to be done to improve their business and soft skills, according to new research by Splunk. The Cisco company surveyed 500 CISOs or equivalent and 100 board members globally to compile The CISO Report 2025. It revealed that 82% of security leaders now report directly to the CEO, up from 47% in 2023. A further 83% said they participate in board meetings "somewhat often" or "most of the time.""
https://www.infosecurity-magazine.com/news/cisos-increase-boardroom-influence/
- Record Number Of Ransomware Attacks In December 2024
"NCC Group on Wednesday published its cyber threat intelligence report for December 2024 and pointed out that the number of ransomware attacks seen at the end of the year is the highest of any month since it started tracking such activity in 2021. The cybersecurity firm saw 574 ransomware attacks in December 2024, with a new threat group named FunkSec accounting for more than 100 attacks, or 18% of the total. The group, whose members are likely inexperienced hackers, appears to be involved in both hacktivism and cybercrime."
https://www.securityweek.com/record-number-of-ransomware-attacks-in-december-2024/
https://insights.nccgroup.com/l/898251/2025-01-15/31km7v7/898251/1736933471Luh7mq1o/Dec_Monthly_Threat_Pulse_Freemium_V4.pdf
- Cyber Insights 2025: Malware Directions
"Cyber Insights 2025 examines expert opinions on the expected evolution of more than a dozen areas of cybersecurity interest over the next 12 months. We spoke to hundreds of individual experts to gain their expert opinions. Here we discuss what to expect with Malware Directions."
https://www.securityweek.com/cyber-insights-2025-malware-directions/
- New Research: The State Of Web Exposure 2025
"New research by web exposure management specialist Reflectiz reveals several alarming findings about the high number of website vulnerabilities organizations across many industries are needlessly exposing themselves to. For instance, one standout statistic from the report is that 45% of third-party applications access sensitive user information without good reason. Although third-party apps may be essential for marketing and functionality purposes, not all of them need access to the kind of personal and financial user information that cybercriminals are hunting for. It's safer to limit apps' access to it on a need-to-know basis."
https://thehackernews.com/2025/01/new-research-state-of-web-exposure-2025.html
https://www.reflectiz.com/learning-hub/web-exposure-management-report/
Reference
Electronic Transactions Development Agency (ETDA)