Cyber Threat Intelligence 19 February 2025
Vulnerabilities
- Juniper Patches Critical Auth Bypass In Session Smart Routers
"Juniper Networks has patched a critical vulnerability that allows attackers to bypass authentication and take over Session Smart Router (SSR) devices. The security flaw (tracked as CVE-2025-21589) was found during internal product security testing, and it also affects Session Smart Conductor and WAN Assurance Managed Routers. "An Authentication Bypass Using an Alternate Path or Channel vulnerability in Juniper Networks Session Smart Router may allow a network-based attacker to bypass authentication and take administrative control of the device," the American networking infrastructure company said in an out-of-cycle security advisory released last week."
https://www.bleepingcomputer.com/news/security/juniper-patches-critical-auth-bypass-in-session-smart-routers/
https://supportportal.juniper.net/s/article/2025-02-Out-of-Cycle-Security-Bulletin-Session-Smart-Router-Session-Smart-Conductor-WAN-Assurance-Router-API-Authentication-Bypass-Vulnerability-CVE-2025-21589?language=en_US
https://thehackernews.com/2025/02/juniper-session-smart-routers.html
https://securityaffairs.com/174365/security/juniper-networks-fixed-a-critical-flaw-in-session-smart-routers.html
https://www.securityweek.com/critical-vulnerability-patched-in-juniper-session-smart-router/
- Qualys TRU Discovers Two Vulnerabilities In OpenSSH: CVE-2025-26465 & CVE-2025-26466
"The Qualys Threat Research Unit (TRU) has identified two vulnerabilities in OpenSSH. The first, tracked as CVE-2025-26465, allows an active machine-in-the-middle attack on the OpenSSH client when the VerifyHostKeyDNS option is enabled. The second, CVE-2025-26466, affects both the OpenSSH client and server, enabling a pre-authentication denial-of-service attack."
https://blog.qualys.com/vulnerabilities-threat-research/2025/02/18/qualys-tru-discovers-two-vulnerabilities-in-openssh-cve-2025-26465-cve-2025-26466
https://www.bleepingcomputer.com/news/security/new-openssh-flaws-expose-ssh-servers-to-mitm-and-dos-attacks/
https://thehackernews.com/2025/02/new-openssh-flaws-enable-man-in-middle.html
https://www.bankinfosecurity.com/proof-of-concept-exploits-published-for-2-new-openssh-bugs-a-27544
https://hackread.com/critical-openssh-flaws-expose-users-mitm-dos-attacks/
https://www.infosecurity-magazine.com/news/openssh-flaws-expose-systems/
https://www.theregister.com/2025/02/18/openssh_vulnerabilities_mitm_dos/
- CISA Adds Two Known Exploited Vulnerabilities To Catalog
"CISA has added two vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
CVE-2025-0108 Palo Alto PAN-OS Authentication Bypass Vulnerability
CVE-2024-53704 SonicWall SonicOS SSLVPN Improper Authentication Vulnerability"
https://www.cisa.gov/news-events/alerts/2025/02/18/cisa-adds-two-known-exploited-vulnerabilities-catalog
Malware
- Magento Credit Card Stealer Disguised In An <img> Tag
"Recently, we had a client come to us concerned that their website was infected with credit card stealing malware, often referred to as MageCart. Their website was running on Magento, a popular eCommerce content management system that skilled attackers often target to steal as many credit card numbers as possible. The goal of attackers who are targeting platforms like Magento, WooCommerce, PrestaShop and others is to remain undetected as long as possible, and the malware they inject into sites is often more complex than the more commonly found pieces of malware impacting other sites."
https://blog.sucuri.net/2025/02/magento-credit-card-stealer-disguised-in-an-tag.html
https://thehackernews.com/2025/02/cybercriminals-exploit-onerror-event-in.html
- StaryDobry Ruins New Year’s Eve, Delivering Miner Instead Of Presents
"On December 31, cybercriminals launched a mass infection campaign, aiming to exploit reduced vigilance and increased torrent traffic during the holiday season. Our telemetry detected the attack, which lasted for a month and affected individuals and businesses by distributing the XMRig cryptominer. This previously unidentified actor is targeting users worldwide—including in Russia, Brazil, Germany, Belarus and Kazakhstan—by spreading trojanized versions of popular games via torrent sites."
https://securelist.com/starydobry-campaign-spreads-xmrig-miner-via-torrents/115509/
https://www.bleepingcomputer.com/news/security/cracked-garrys-mod-beamngdrive-games-infect-gamers-with-miners/
- Amazon Phish Hunts For Security Answers And Payment Information
"With today's dynamic and continuously evolving cyber environment, numerous services and platforms have emerged to enhance convenience for thousands of users in their daily lives. A great example is Amazon Prime which offers access to streaming services, a dependable shopping platform, and gaming content. However, users must subscribe to the service and pay a fee to enjoy these benefits."
https://cofense.com/blog/amazon-phish-hunts-for-security-answers-and-payment-information
- Winnti APT41 Targets Japanese Firms In RevivalStone Cyber Espionage Campaign
"The China-linked threat actor known as Winnti has been attributed to a new campaign dubbed RevivalStone that targeted Japanese companies in the manufacturing, materials, and energy sectors in March 2024. The activity, detailed by Japanese cybersecurity company LAC, overlaps with a threat cluster tracked by Trend Micro as Earth Freybug, which has been assessed to be a subset within the APT41 cyber espionage group, by Cybereason under the name Operation CuckooBees, and by Symantec as Blackfly."
https://thehackernews.com/2025/02/winnti-apt41-targets-japanese-firms-in.html
https://www.darkreading.com/cyberattacks-data-breaches/china-linked-threat-group-japanese-orgs-servers
https://securityaffairs.com/174353/apt/china-linked-apt-group-winnti-targets-japanese-orgs.html
- FortiSandbox 5.0 Detects Evolving Snake Keylogger Variant
"FortiGuard Labs leveraged the advanced capabilities of FortiSandbox v5.0 (FSAv5) to detect a new variant of the Snake Keylogger (also known as 404 Keylogger). This malware, identified as AutoIt/Injector.GTY!tr, has been responsible for over 280 million blocked infection attempts, highlighting its extensive reach across regions. The majority of these detections have been concentrated in China, Turkey, Indonesia, Taiwan, and Spain, suggesting a significant impact in these areas. This high volume of detections underscores the malware’s ongoing global threat and its potential to affect organizations and users worldwide. The recent surge in activity also highlights the continuous evolution of keylogger malware and the need for advanced detection mechanisms."
https://www.fortinet.com/blog/threat-research/fortisandbox-detects-evolving-snake-keylogger-variant
https://hackread.com/snake-keylogger-variant-windows-data-telegram-bots/
https://www.infosecurity-magazine.com/news/snake-keylogger-targets-windows/
https://www.theregister.com/2025/02/18/new_snake_keylogger_infects_windows/
- Infostealing Malware Infections In The U.S. Military & Defense Sector: A Cybersecurity Disaster In The Making
"For years, the U.S. military and its defense contractors have been considered the gold standard of security — equipped with multi-billion-dollar budgets, classified intelligence networks, and the world’s most advanced cybersecurity measures. Yet, Global Infostealing Malware Data from Hudson Rock reveals an unsettling reality:"
https://www.infostealers.com/article/infostealing-malware-infections-in-the-u-s-military-defense-sector-a-cybersecurity-disaster-in-the-making/
https://hackread.com/infostealers-breach-us-security-military-fbi-hit/
- Threat Spotlight: Inside The World’s Fastest Rising Ransomware Operator — BlackLock
"First observed in March 2024, “BlackLock” (aka El Dorado or Eldorado) has rapidly emerged as a major player in the ransomware-as-a-service (RaaS) ecosystem. By Q4 2024, it ranked as the 7th most prolific ransomware group on data-leak sites, fueled by a staggering 1,425% increase in activity from Q3. BlackLock uses a double extortion tactic—encrypting data while stealing sensitive information—to pressure victims with the threat of public exposure. Its ransomware is built to target Windows, VMWare ESXi, and Linux environments, though the Linux variant offers fewer features than its Windows counterpart."
https://www.reliaquest.com/blog/threat-spotlight-inside-the-worlds-fastest-rising-ransomware-operator-blacklock/
https://www.infosecurity-magazine.com/news/blacklock-2025s-most-prolific/
https://www.helpnetsecurity.com/2025/02/18/blacklock-ransomware-what-to-expect-how-to-fight-it/
- An Update On Fake Updates: Two New Actors, And New Mac Malware
"The malicious website injects threat landscape is incredibly dynamic with multiple threat actors leveraging this malware delivery method. Typically, an attack chain will consist of three parts: the malicious injects served to website visitors, which are often malicious JavaScript scripts; a traffic distribution service (TDS) responsible for determining what user gets which payload based on a variety of filtering options; and the ultimate payload that is downloaded by the script. Sometimes each part of the attack chain is managed by the same threat actor, but frequently the different parts of the chain may be managed by different threat actors."
https://www.proofpoint.com/us/blog/threat-insight/update-fake-updates-two-new-actors-and-new-mac-malware
https://thehackernews.com/2025/02/new-frigidstealer-malware-targets-macos.html
https://www.infosecurity-magazine.com/news/proofpoint-frigidstealer-new-mac/
- No, You’re Not Fired – But Beware Of Job Termination Scams
"Most of us are in a job or looking for one. Or both. That’s largely why employment and work-from-home scams are so popular among cybercriminals. They typically lure the user by offering amazing job or casual employment opportunities. But in reality, all the scammers usually want is your personal and financial information. In some cases, victims may even end up unwittingly receiving and re-shipping stolen goods, or allowing their bank accounts to be used for money laundering."
https://www.welivesecurity.com/en/scams/no-youre-not-fired-beware-job-termination-scams/
- Unraveling The Many Stages And Techniques Used By RedCurl/EarthKapre APT
"Adversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes. We have discovered some of the most dangerous threats and nation state attacks in our space – including the Kaseya MSP breach and the more_eggs malware. Our Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced Threat Analytics driven by our Threat Response Unit – the TRU team."
https://www.esentire.com/blog/unraveling-the-many-stages-and-techniques-used-by-redcurl-earthkapre-apt
Breaches/Hacks/Leaks
- Venture Capital Giant Insight Partners Hit By Cyberattack
"New York-based venture capital and private equity firm Insight Partners has disclosed that its systems were breached in January following a social engineering attack. The company manages over $90 billion in regulatory assets and has invested in over 800 software and technology startups and companies worldwide during its 30 years of activity. In a statement released Tuesday, the firm said some of its information systems were breached on January 16 through "a sophisticated social engineering attack.""
https://www.bleepingcomputer.com/news/security/venture-capital-giant-insight-partners-hit-by-cyberattack/
- 1.6 Million Clinical Research Records With PII And Patient Medical Info Exposed In Data Breach
"Cybersecurity Researcher, Jeremiah Fowler, discovered and reported to Website Planet about a non-password-protected database that contained over 1.6 million records belonging to DM Clinical Research — a Texas-based network of clinical trial sites that partners with pharmaceutical companies and medical organizations to conduct research studies and surveys."
https://www.websiteplanet.com/news/dmclinicalresearch-report-breach/
https://www.bankinfosecurity.com/clinical-trial-database-exposes-16m-records-to-web-a-27546
- Ecuador's Legislature Says Hackers Attempted To Access Confidential Information
"Ecuador's legislature, the National Assembly, reported that it suffered two cyberattacks on Monday aimed at disrupting its systems and accessing sensitive data. The assembly said in a statement that it was able to quickly “identify and counteract the situation” but did not provide further details about the impact of the incident or the threat actor behind it. “We are alerting citizens and public institutions that these attacks attempt to breach confidential information,” the assembly said, adding that it would “take all necessary measures to protect it.”"
https://therecord.media/ecuador-national-assembly-cyberattack
- Lee Enterprises Newspaper Disruptions Caused By Ransomware Attack
"Newspaper publishing giant Lee Enterprises has confirmed that a ransomware attack is behind ongoing disruptions impacting the group's operations for over two weeks. As a local news provider and one of the largest newspaper groups in the United States, Lee publishes 77 daily newspapers and 350 weekly and specialty publications across 26 states. Its newspapers have a daily circulation of over 1.2 million, and digital editions reach more than 44 million unique visitors. In a Friday filing with the U.S. Securities and Exchange Commission (SEC), the media giant said the attack triggered a systems outage on February 3. "Preliminary investigations indicate that threat actors unlawfully accessed the Company’s network, encrypted critical applications, and exfiltrated certain files," Lee said."
https://www.bleepingcomputer.com/news/security/lee-enterprises-newspaper-disruptions-caused-by-ransomware-attack/
https://therecord.media/cyberattack-lee-enterprises-news-media
https://www.theregister.com/2025/02/18/us_newspaper_publisher_exercises_linguistic/
General News
- The Risks Of Autonomous AI In Machine-To-Machine Interactions
"In this Help Net Security, Oded Hareven, CEO of Akeyless Security, discusses how enterprises should adapt their cybersecurity strategies to address the growing need for machine-to-machine (M2M) security. According to Hareven, machine identities must be secured and governed similarly to human identities, focusing on automation and policy-as-code."
https://www.helpnetsecurity.com/2025/02/18/oded-hareven-akeyless-security-machine-to-machine-m2m-security/
- Indian Authorities Seize Loot From Collapsed BitConnect Crypto Scam
"Indian authorities seize loot from BitConnect crypto-Ponzi scheme
Devices containing crypto wallets tracked online, then in the real world
India’s Directorate of Enforcement has found and seized over $200 million of loot it says are the proceeds of the BitConnect crypto-fraud scheme. BitConnect claimed it developed a bot capable of detecting and exploiting volatile cryptocurrency prices in ways that delivered investors monthly returns of 40 percent. To get those (spoiler alert) too-good-to-be-true returns, investors were asked to sign up for a “lending program” that required them to send cryptocurrency to BitConnect, which would run its amazing investo-bot and deliver astronomical returns."
https://www.theregister.com/2025/02/18/india_bitconnect_seizures/
- 6 Considerations For 2025 Cybersecurity Investment Decisions
"Cybersecurity professionals may be concerned about the constantly shifting threat landscape. From the increased use of artificial intelligence (AI) by malicious actors to the expanding attack surface, cybersecurity risks evolve, and defenders need to mitigate them. Despite a period of cybersecurity budget growth between 2021 and 2022, this growth has slowed in the last few years, meaning that cybersecurity leaders need to carefully consider how their purchases improve their current security and compliance posture."
https://www.helpnetsecurity.com/2025/02/18/2025-cybersecurity-investments-decisions/
- Cybercriminals Shift Focus To Social Media As Attacks Reach Historic Highs
"A new report from Gen highlights a sharp rise in online threats, capping off a record-breaking 2024. Between October and December alone, 2.55 billion cyber threats were blocked – an astonishing rate of 321 per second. The risk of encountering a threat climbed to 27.7% in Q4, with social engineering attacks accounting for 86% of all blocked threats. This underscores the increasingly sophisticated psychological tactics cybercriminals are using to deceive victims."
https://www.helpnetsecurity.com/2025/02/18/cybercriminals-social-media-attacks/
- Hard Drives Containing Sensitive Medical Data Found In Flea Market
"Somebody bought a batch of 15 GB hard drives from a flea market, and during a routine check of the contents they found medical data about hundreds of patients. After some more investigation in the Netherlands, it turned out the data came from a software provider in the medical industry which had gone bankrupt. Under Dutch law, storage media with medical data must be professionally erased with certification. The normal procedure is to have them destroyed by a professional company, but that costs money and by selling the hard drives off the company would have brought in a small amount of cash."
https://www.malwarebytes.com/blog/news/2025/02/hard-drives-containing-sensitive-medical-data-found-in-flea-market
References
Electronic Transactions Development Agency (ETDA)