Cyber Threat Intelligence 14 February 2025
Industrial Sector
- CISA Releases Twenty Industrial Control Systems Advisories
"CISA released twenty Industrial Control Systems (ICS) advisories on February 13, 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.
ICSA-25-044-01 Siemens SIMATIC S7-1200 CPU Family
ICSA-25-044-02 Siemens SIMATIC
ICSA-25-044-03 Siemens SIPROTEC 5
ICSA-25-044-04 Siemens SIPROTEC 5
ICSA-25-044-05 Siemens SIPROTEC 5 Devices
ICSA-25-044-06 Siemens RUGGEDCOM APE1808 Devices
ICSA-25-044-07 Siemens Teamcenter
ICSA-25-044-08 Siemens OpenV2G
ICSA-25-044-09 Siemens SCALANCE W700
ICSA-25-044-10 Siemens Questa and ModelSim
ICSA-25-044-11 Siemens APOGEE PXC and TALON TC Series
ICSA-25-044-12 Siemens SIMATIC IPC DiagBase and SIMATIC IPC DiagMonitor
ICSA-25-044-13 Siemens SIMATIC PCS neo and TIA Administrator
ICSA-25-044-14 Siemens Opcenter Intelligence
ICSA-25-044-15 ORing IAP-420
ICSA-25-044-16 mySCADA myPRO Manager
ICSA-25-044-17 Outback Power Mojave Inverter
ICSA-25-044-18 Dingtian DT-R0 Series
ICSA-24-030-02 Mitsubishi Electric FA Engineering Software Products (Update C)
ICSMA-25-044-01 Qardio Heart Health IOS and Android Application and QardioARM A100"
https://www.cisa.gov/news-events/alerts/2025/02/13/cisa-releases-twenty-industrial-control-systems-advisories
Vulnerabilities
- Rapid7 Flags New PostgreSQL Zero-Day Connected To BeyondTrust Exploitation
"Security researchers at Rapid7 on Thursday flagged the discovery of a new zero-day vulnerability in PostgreSQL that appears to have been a critical component in a chain of attacks against a BeyondTrust Remote Support product. The vulnerability, tagged as CVE-2025-1094, affects the PostgreSQL interactive terminal psql and allows SQL statements containing untrusted but correctly escaped input to trigger SQL injection. In an interesting twist, Rapid7 is directly connecting the exploitation of the PostgreSQL bug to remote code execution attacks against BeyondTrust Remote Support systems. The hacks have successfully compromised machines at the US Treasury Department."
https://www.securityweek.com/rapid7-flags-new-postgresql-zero-day-connected-to-beyondtrust-exploitation/
https://www.postgresql.org/support/security/CVE-2025-1094/
https://attackerkb.com/topics/G5s8ZWAbYH/cve-2024-12356/rapid7-analysis
- CISA Adds One Known Exploited Vulnerability To Catalog
"CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
CVE-2024-57727 SimpleHelp Path Traversal Vulnerability"
https://www.cisa.gov/news-events/alerts/2025/02/13/cisa-adds-one-known-exploited-vulnerability-catalog
- Palo Alto Networks Patches Potentially Serious Firewall Vulnerability
"Palo Alto Networks on Wednesday published 10 new security advisories to inform customers about the impact of new and previously known vulnerabilities on its products. The most important advisory seems to be for a flaw tracked as CVE-2025-0108, which the vendor described as a PAN-OS issue that allows an unauthenticated attacker with network access to the targeted firewall’s management interface to bypass authentication and invoke certain PHP scripts. “While invoking these PHP scripts does not enable remote code execution, it can negatively impact integrity and confidentiality of PAN-OS,” Palo Alto Networks explained."
https://www.securityweek.com/palo-alto-networks-patches-potentially-serious-firewall-vulnerability/
https://thehackernews.com/2025/02/palo-alto-networks-patches.html
https://www.helpnetsecurity.com/2025/02/13/pan-os-authentication-bypass-palo-alto-networks-poc-cve-2025-0108/
Malware
- RedMike (Salt Typhoon) Exploits Vulnerable Cisco Devices Of Global Telecommunications Providers
"Between December 2024 and January 2025, Recorded Future’s Insikt Group identified a campaign exploiting unpatched internet-facing Cisco network devices primarily associated with global telecommunications providers. Victim organizations included a United States-based affiliate of a United Kingdom-based telecommunications provider and a South African telecommunications provider. Insikt Group attributes this activity to the Chinese state-sponsored threat activity group tracked by Insikt Group as RedMike, which aligns with the Microsoft-named group Salt Typhoon. Using Recorded Future Network Intelligence, Insikt Group observed RedMike target and exploit unpatched Cisco network devices vulnerable to CVE-2023-20198, a privilege escalation vulnerability found in the web user interface (UI) feature in Cisco IOS XE software, for initial access before exploiting an associated privilege escalation vulnerability, CVE-2023-20273, to gain root privileges. RedMike reconfigures the device, adding a generic routing encapsulation (GRE) tunnel for persistent access."
https://www.recordedfuture.com/research/redmike-salt-typhoon-exploits-vulnerable-devices
https://go.recordedfuture.com/hubfs/reports/cta-cn-2025-0213.pdf
https://therecord.media/china-salt-typhoon-cisco-devices
https://cyberscoop.com/salt-typhoon-china-ongoing-telecom-attack-spree/
https://www.bankinfosecurity.com/unpatched-cisco-devices-still-getting-popped-by-salt-typhoon-a-27512
https://www.theregister.com/2025/02/13/salt_typhoon_pwned_7_more/
- WhoAMI: A Cloud Image Name Confusion Attack
"The attack described in this post is an instance of a name confusion attack, which is a subset of a supply chain attack. In a name confusion attack, an attacker publishes a malicious resource with the intention of tricking misconfigured software into using it instead of the intended resource. It is very similar to a dependency confusion attack, except that in the latter, the malicious resource is a software dependency (such as a pip package), whereas in the whoAMI name confusion attack, the malicious resource is a virtual machine image."
https://securitylabs.datadoghq.com/articles/whoami-a-cloud-image-name-confusion-attack/
https://www.bleepingcomputer.com/news/security/whoami-attacks-give-hackers-code-execution-on-amazon-ec2-instances/
- China-Linked Espionage Tools Used In Ransomware Attacks
"Tools that are usually associated with China-based espionage actors were recently deployed in an attack involving the RA World ransomware against an Asian software and services company. During the attack in late 2024, the attacker deployed a distinct toolset that had previously been used by a China-linked actor in classic espionage attacks. While tools associated with China-based espionage groups are often shared resources, many aren’t publicly available and aren’t usually associated with cybercrime activity."
https://www.security.com/threat-intelligence/chinese-espionage-ransomware
https://www.bleepingcomputer.com/news/security/chinese-espionage-tools-deployed-in-ra-world-ransomware-attack/
https://thehackernews.com/2025/02/hackers-exploited-pan-os-flaw-to-deploy.html
https://www.darkreading.com/cyberattacks-data-breaches/chinese-apt-emperor-dragonfly-ransomware-attack
https://www.securityweek.com/chinese-cyberspy-possibly-launching-ransomware-attacks-as-side-job/
https://securityaffairs.com/174189/apt/ra-world-ransomware-attack-china-apt-possible-link.html
- Multiple Russian Threat Actors Targeting Microsoft Device Code Authentication
"Starting in mid-January 2025, Volexity identified several social-engineering and spear-phishing campaigns by Russian threat actors aimed at compromising Microsoft 365 (M365) accounts. These attack campaigns were highly targeted and carried out in a variety of ways. The majority of these attacks originated via spear-phishing emails with different themes. In one case, the eventual breach began with highly tailored outreach via Signal."
https://www.volexity.com/blog/2025/02/13/multiple-russian-threat-actors-targeting-microsoft-device-code-authentication/
- January 2025’s Most Wanted Malware: FakeUpdates Continues To Dominate
"Check Point Software’s latest threat index highlights that FakeUpdates continues to pose a significant threat in the cyber landscape, playing a crucial role in facilitating ransomware attacks. A recent investigation by security researchers revealed that an affiliate of RansomHub utilized a Python-based backdoor to maintain persistent access and deploy ransomware across various networks. Installed shortly after FakeUpdates gained initial access, this backdoor demonstrated advanced obfuscation techniques along with AI-assisted coding patterns. The attack involved lateral movement through remote desktop protocol (RDP) and established ongoing access by creating scheduled tasks."
https://blog.checkpoint.com/research/january-2025s-most-wanted-malware-fakeupdates-continues-to-dominate-2/
- Astaroth: A New 2FA Phishing Kit Targeting Gmail, Yahoo, AOL, O365, And 3rd-Party Logins
"Phishing attacks continue to evolve, pushing even the most secure authentication methods to their limits. First advertised on cybercrime networks in late January 2025, Astaroth is a brand new phishing kit that bypasses two-factor authentication (2FA) through session hijacking and real-time credential interception. Astaroth utilizes an evilginx-style reverse proxy to intercept and manipulate traffic between victims and legitimate authentication services like Gmail, Yahoo, and Microsoft. Acting as a man-in-the-middle, it captures login credentials, tokens, and session cookies in real time, effectively bypassing 2FA."
https://slashnext.com/blog/astaroth-a-new-2fa-phishing-kit-targeting-gmail-yahoo-aol-o365-and-3rd-party-logins/
https://hackread.com/astaroth-phishing-kit-bypasses-2fa-hijack-gmail-microsoft/
https://www.infosecurity-magazine.com/news/astaroth-phishing-kit-bypasses-2fa/
- How AI Was Used In An Advanced Phishing Campaign Targeting Gmail Users
"In May 2024, the FBI warned about the increasing threat of cybercriminals using Artificial Intelligence (AI) in their scams. At the time, FBI Special Agent in Charge Robert Tripp said: “Attackers are leveraging AI to craft highly convincing voice or video messages and emails to enable fraud schemes against individuals and businesses alike. These sophisticated tactics can result in devastating financial losses, reputational damage, and compromise of sensitive data.”"
https://www.malwarebytes.com/blog/news/2025/02/how-ai-was-used-in-an-advanced-phishing-campaign-targeting-gmail-users
- The Rise Of Cyber Espionage: UAV And C-UAV Technologies As Targets
"Unmanned Aerial Vehicles (UAVs), commonly known as drones, have become integral to modern military operations, particularly for intelligence, surveillance, and reconnaissance (ISR) missions. As their use has expanded, so has the focus on counter-UAV (C-UAV) technologies designed to detect and neutralize these aerial threats. Cybercriminal groups and foreign nation-state actors express a significant interest in these technologies."
https://www.resecurity.com/blog/article/the-rise-of-cyber-espionage-uav-and-c-uav-technologies-as-targets
https://securityaffairs.com/174199/intelligence/the-rise-of-cyber-espionage-uav-and-c-uav-technologies-as-targets.html
- New Phishing Campaign Abuses Webflow, SEO, And Fake CAPTCHAs
"Netskope Threat Labs is tracking a widespread phishing campaign affecting hundreds of Netskope customers and thousands of users. The campaign aims to steal credit card information to commit financial fraud, and has been ongoing since the second half of 2024. The attacker targets victims searching for documents on search engines, resulting in access to a malicious PDF that contains a CAPTCHA image embedded with a phishing link, leading them to provide sensitive information. All malicious PDFs are hosted on the Webflow CDN."
https://www.netskope.com/blog/new-phishing-campaign-abuses-webflow-seo-and-fake-captchas
https://thehackernews.com/2025/02/hackers-use-captcha-trick-on-webflow.html
- Analyzing DEEP#DRIVE: North Korean Threat Actors Observed Exploiting Trusted Platforms For Targeted Attacks
"The Securonix Threat Research team has been monitoring an ongoing campaign attributed to Kimsuky targeting South Korean business and government sectors. The DEEP#DRIVE attack campaign represents a sophisticated and multi-stage operation targeting South Korean businesses, government entities and cryptocurrency users. Leveraging tailored phishing lures written in Korean and disguised as legitimate documents, the attackers successfully infiltrated targeted environments as evidenced by information we were able to obtain on the attacker’s C2 infrastructure (see: Attacker’s Infrastructure)."
https://www.securonix.com/blog/analyzing-deepdrive-north-korean-threat-actors-observed-exploiting-trusted-platforms-for-targeted-attacks/
https://thehackernews.com/2025/02/north-korean-apt43-uses-powershell-and.html
- From South America To Southeast Asia: The Fragile Web Of REF7707
"Elastic Security Labs has been monitoring a campaign targeting the foreign ministry of a South American nation that has links to other compromises in Southeast Asia. We track this campaign as REF7707. While the REF7707 campaign is characterized by a well-engineered, highly capable, novel intrusion set, the campaign owners exhibited poor campaign management and inconsistent evasion practices. The intrusion set utilized by REF7707 includes novel malware families we refer to as FINALDRAFT, GUIDLOADER, and PATHLOADER. We have provided a detailed analysis of their functions and capabilities in the malware analysis report of REF7707 - You've Got Malware: FINALDRAFT Hides in Your Drafts."
https://www.elastic.co/security-labs/fragile-web-ref7707
https://www.elastic.co/security-labs/finaldraft
https://thehackernews.com/2025/02/finaldraft-malware-exploits-microsoft.html
- North Korea Targets Crypto Developers Via NPM Supply Chain Attack
"North Korea has changed tack: its latest campaign targets the NPM registry and owners of Exodus and Atomic cryptocurrency wallets. Carrying out a financially motivated string of attacks isn't the news here – North Korea's primary objective has long been to siphon money from enemy economies. The fresh finding is a JavaScript implant that hides itself in GitHub repositories and node package manager (NPM) packages typically used by crypto devs. According to SecurityScorecard's research, 233 individual victims have been confirmed thus far after installing the new Marstech1 implant, many features of which demonstrate North Korea's evolving tradecraft. Asked for more details about the victims, the vendor said it had none."
https://www.theregister.com/2025/02/13/north_korea_npm_crypto/
https://www.infosecurity-magazine.com/news/north-korea-crypto-devs-npm/
Breaches/Hacks/Leaks
- Hacker Leaks Account Data Of 12 Million Zacks Investment Users
"Zacks Investment Research (Zacks) last year reportedly suffered another data breach that exposed sensitive information related to roughly 12 million accounts. Zacks is an American investment research company that provides its customers data-driven insights through a proprietary stock performance assessment tool called ‘Zacks Rank’, to help with making informed financial decisions. In late January, a threat actor published data samples on a hacker forum, claiming a breach at Zacks in June 2024 that exposed data of millions of customers."
https://www.bleepingcomputer.com/news/security/hacker-leaks-account-data-of-12-million-zacks-investment-users/
- Doxbin Data Breach: Hackers Leak 136K User Records And Blacklist File
"Doxbin Data Breach: Hackers leak 136,000+ user records, emails, and a ‘blacklist’ file, exposing those who paid to keep their info off the doxxing platform. Doxbin, a notorious platform associated with doxxing and the exposure of personal information, has been compromised by a hacker group known as Tooda. The attack, which appears to stem from a long-time rivalry between different groups, has resulted in the deletion of user accounts, a loss of administrative control, and a leak of a massive user database."
https://hackread.com/doxbin-data-breach-hackers-leak-user-records-blacklist-file/
General News
- Over 3 Million Fortune 500 Employee Accounts Compromised Since 2022
"More than three million employee-linked corporate accounts were compromised between 2022 and 2024 across Fortune 500 companies, according to Enzoic. This surge is fueled by the widespread use of corporate email addresses for personal accounts and the growing threat of infostealer malware, highlighting the need for stronger cybersecurity measures such as credential and password monitoring. Enzoic’s analysis found that 1 in 10 Fortune 500 employees had their credentials exposed in recent years, with each account exposed 5.7 times on average. These leaked credentials pose significant risks for account takeover (ATO), fraud, and data breaches."
https://www.helpnetsecurity.com/2025/02/13/fortune-500-employee-accounts-compromised/
- Making Sense Of Database Complexity
"IT leaders are grappling with increasingly complex database environments. According to a new survey from Redgate, key concerns include protecting sensitive data, navigating regulatory compliance, and managing the rise of multi-database platforms. 38% of IT teams are concerned about data security and access controls when managing different technologies, an increase of 12% year-on-year. Despite their advantages, 21% say they won’t adopt more than one database type simply because they’re concerned about security and compliance issues."
https://www.helpnetsecurity.com/2025/02/13/database-complexity/
- Dutch Police Seizes 127 XHost Servers, Dismantles Bulletproof Hoster
"The Dutch Police (Politie) dismantled the ZServers/XHost bulletproof hosting operation after taking offline 127 servers used by the illegal platform. Earlier this week, the authorities in the United States, Australia, and the United Kingdom announced sanctions against the same bulletproof hosting provider for its involvement in cybercrime operations. Specifically, the operators of Zservers were accused of facilitating LockBit ransomware attacks and supporting the cybercriminals' efforts to launder illegally obtained money."
https://www.bleepingcomputer.com/news/legal/dutch-police-seizes-127-xhost-servers-dismantles-bulletproof-hoster/
https://therecord.media/dutch-police-take-down-127-servers-sanctioned-host
- How Public & Private Sectors Can Better Align Cyber Defense
"Cybercrime isn't just an inconvenience — it's a serious threat capable of disrupting essential infrastructure, endangering public safety, and shaking the foundations of our financial systems and economy. We've all seen the headlines in recent years — from a cyberattack on an energy pipeline that disrupted the fuel supply across parts of the US to a large-scale ransomware attack on a health insurance provider that led to a massive leak of personal data. Uncovering and combating cybercrime remains a complex challenge for many reasons, but chief among them is the disconnect in data collection, sharing, and collaboration between the public and private sectors."
https://www.darkreading.com/cyber-risk/how-public-private-sectors-better-align-cyber-defense
Reference
Electronic Transactions Development Agency (ETDA)