Cyber Threat Intelligence 27 February 2025
New Tooling
- Dalfox: Open-Source XSS Scanner
"DalFox is an open-source tool for automating the detection of XSS vulnerabilities. With powerful testing capabilities and a wide range of features, it makes scanning, analyzing parameters, and verifying vulnerabilities faster and easier. “The uniqueness of Dalfox lies in its speed and ability to easily integrate into pipelines. When designing Dalfox, my primary focus was reducing unnecessary requests to save time for testers and minimize server load. This approach has proven to be a significant strength, mainly when utilized in scenarios like Shell Pipelines,” HyunHwan Lee, the creator of DalFox, told Help Net Security."
https://www.helpnetsecurity.com/2025/02/26/dalfox-open-source-xss-scanner/
https://github.com/hahwul/dalfox
Vulnerabilities
- CVE-2024-21966: Critical AMD Ryzen Master Utility Flaw Exposes Systems To Attacks
"A high-severity security vulnerability (CVE-2024-21966) has been identified in AMD Ryzen Master Utility, a widely used tool designed for overclocking and optimizing AMD Ryzen processors. This vulnerability, categorized as DLL hijacking, could allow attackers to escalate privileges and execute arbitrary code, potentially leading to a full system compromise."
https://cyble.com/blog/cve-2024-21966-amd-flaw/
- The Best Security Is When We All Agree To Keep Everything Secret (Except The Secrets) - NAKIVO Backup & Replication (CVE-2024-48248)
"As an industry, we believe that we’ve come to a common consensus after 25 years of circular debates - disclosure is terrible, information is actually dangerous, it’s best that it’s not shared, and the only way to really ensure that no one ever uses information in a way that you don’t like (this part is key) is to make up terms for your way of doing things. We have actively petitioned vendors to be more transparent, and we’re currently investing a lot of R&D time in the development of the best, thickest and tastiest crayons to sign a pledge (the name of which we haven't decided yet). We're thinking something like, Responsible Development Practices. We've also invested in a camera."
https://labs.watchtowr.com/the-best-security-is-when-we-all-agree-to-keep-everything-secret-except-the-secrets-nakivo-backup-replication-cve-2024-48248/
- Wallbleed: A Memory Disclosure Vulnerability In The Great Firewall Of China
"We present Wallbleed, a buffer over-read vulnerability that existed in the DNS injection subsystem of the Great Firewall of China. Wallbleed caused certain nation-wide censorship middleboxes to reveal up to 125 bytes of their memory when censoring a crafted DNS query. It afforded a rare insight into one of the Great Firewall’s well-known network attacks, namely DNS injection, in terms of its internal architecture and the censor’s operational behaviors."
https://gfw.report/publications/ndss25/en/
https://www.theregister.com/2025/02/27/wallbleed_vulnerability_great_firewall/
Malware
- A Wolf In Dark Mode: The Malicious VS Code Theme That Fooled Millions
"Hey there, how long has it been? A month since the last time we had millions of developers exposed to malware through a marketplace? Well, here we go again. Say hello to the wolf in dark mode, “Material Theme”, an extremely popular VSCode theme extension, found to be containing malware underneath its beautiful color scheme."
https://medium.com/@amitassaraf/a-wolf-in-dark-mode-the-malicious-vs-code-theme-that-fooled-millions-85ed92b4bd26
https://www.bleepingcomputer.com/news/security/vscode-extensions-with-9-million-installs-pulled-over-security-risks/
- GrassCall Malware Campaign Drains Crypto Wallets Via Fake Job Interviews
"A recent social engineering campaign targeted job seekers in the Web3 space with fake job interviews through a malicious "GrassCall" meeting app that installs information-stealing malware to steal cryptocurrency wallets. Hundreds of people have been impacted by the scam, with some reporting having their wallets drained in the attacks. A Telegram group has been created to discuss the attack and for those impacted to help each other remove the malware infections from Mac and Windows devices."
https://www.bleepingcomputer.com/news/security/grasscall-malware-campaign-drains-crypto-wallets-via-fake-job-interviews/
- Malicious PyPI Package Exploits Deezer API For Coordinated Music Piracy
"Socket researchers have uncovered a malicious PyPI package automslc, which enables coordinated, unauthorized music downloads from Deezer — a popular streaming service founded in France in 2007. Although automslc, which has been downloaded over 100,000 times, purports to offer music automation and metadata retrieval, it covertly bypasses Deezer’s access restrictions by embedding hardcoded credentials and communicating with an external command and control (C2) server."
https://socket.dev/blog/malicious-pypi-package-exploits-deezer-api-for-coordinated-music-piracy
https://www.bleepingcomputer.com/news/security/pypi-package-with-100k-installs-pirated-music-from-deezer-for-years/
https://thehackernews.com/2025/02/malicious-pypi-package-automslc-enables.html
- EncryptHub Breaches 618 Orgs To Deploy Infostealers, Ransomware
"A threat actor tracked as 'EncryptHub,' aka Larva-208, has been targeting organizations worldwide with spear-phishing and social engineering attacks to gain access to corporate networks. According to a report by Prodaft, which was published internally last week and made public yesterday, since June 2024, when EncryptHub initiated operations, it has compromised at least 618 organizations. After gaining access, the threat actors install Remote Monitoring and Management (RMM) software, followed by the deployment of information stealers like Stealc and Rhadamanthys. In many observed cases, EncryptHub also deploys ransomware on compromised systems."
https://www.bleepingcomputer.com/news/security/encrypthub-breaches-618-orgs-to-deploy-infostealers-ransomware/
https://catalyst.prodaft.com/public/report/larva-208/overview
- Job Application Spear Phishing
"Starting in Q3 2024, Cofense Intelligence detected an ongoing campaign targeting employees working in social media and marketing positions. In this campaign, marked employees were encouraged to apply to a social media manager position in a Fortune 500 company. Meta, Coca-Cola, PayPal, and other brand name companies were spoofed to send fake job applications to prospects. Unlike other credential phishing campaigns, this one also stole job application details. This includes work experience from previous employers and higher education obtained through formal institutions."
https://cofense.com/blog/job-application-spear-phishing
- Anubis: A New Ransomware Threat
"Recently, a new ransomware group, dubbed Anubis, emerged. Their official X (formerly known as Twitter) profile suggests they have been active since the beginning of December 2024. At the time of writing, KELA has observed representatives of Anubis on both RAMP (using the moniker ‘superSonic’) and XSS (using the moniker ‘Anubis__media’). Both users’ posts are written in Russian. According to the statement from one of their victims regarding a ‘cyber security incident’ on November 13, 2024, it may suggest that the group has been active since at least then."
https://www.kelacyber.com/blog/anubis-a-new-ransomware-threat/
https://www.darkreading.com/cyber-risk/anubis-threat-group-seeks-out-critical-industry-victims
https://www.securityweek.com/new-ransomware-anubis-could-pose-major-threat-to-organizations/
- Fake Toll Road Scam Texts Are Everywhere. These Cities Are The Most Targeted.
"Look both ways for a new form of scam that’s on the rise, especially if you live in Dallas, Atlanta, Los Angeles, Chicago, or Orlando — fake toll road scams. They’re the top five cities getting targeted by scammers. We’ve uncovered plenty of these scams, and our research team at McAfee Labs has revealed a major uptick in them over the past few weeks. Fake toll road scams have nearly quadrupled at the end of February compared to where they were in January."
https://www.mcafee.com/blogs/internet-security/fake-toll-road-scam-texts-are-everywhere-these-cities-are-the-most-targeted/
- 360XSS: Mass Website Exploitation Via Virtual Tour Framework For SEO Poisoning
"My story begins in a way that many readers of technical blogs might find familiar—just another uneventful evening alone at the computer. For purely educational purposes, I opened a Chrome incognito window, went to Google, and typed the word “porn.” Thanks to my ongoing research in this area, I’m quite familiar with the usual search results. But this time, something unusual caught my eye—a new website appearing in the third row, listed under Yale University’s domain with the title: “++[S*X@Porn-xnxx-Videos!…] Tamil sexy student.” It piqued my curiosity, but not for the reasons you might think."
https://olegzay.com/360xss/
https://thehackernews.com/2025/02/hackers-exploited-krpano-framework-flaw.html
- CERT-UA Warns Of UAC-0173 Attacks Deploying DCRat To Compromise Ukrainian Notaries
"The Computer Emergency Response Team of Ukraine (CERT-UA) on Tuesday warned of renewed activity from an organized criminal group it tracks as UAC-0173 that involves infecting computers with a remote access trojan named DCRat (aka DarkCrystal RAT). The Ukrainian cybersecurity authority said it observed the latest attack wave starting in mid-January 2025. The activity is designed to target the Notary of Ukraine."
https://thehackernews.com/2025/02/cert-ua-warns-of-uac-0173-attacks.html
https://therecord.media/hackers-ukraine-notaries-manipulate-registries
- RustDoor And Koi Stealer For MacOS Used By North Korea-Linked Threat Actor To Target The Cryptocurrency Sector
"Malware targeting macOS systems is increasingly pervasive in our current threat landscape. Most of the associated threats are cybercrime-related, ranging from information stealers to cryptocurrency mining. Over the past year, we have witnessed an increase in cybercrime activity linked to North Korean nation-state APT groups. In line with the public service announcement issued by the FBI regarding North Korean social engineering attacks, we have also witnessed several such social engineering attempts, targeting job-seeking software developers in the cryptocurrency sector."
https://unit42.paloaltonetworks.com/macos-malware-targets-crypto-sector/
Breaches/Hacks/Leaks
- Lazarus Hacked Bybit Via Breached Safe{Wallet} Developer Machine
"Forensic investigators have found that North Korean Lazarus hackers stole $1.5 billion from Bybit after hacking a developer's device at the multisig wallet platform Safe{Wallet}. Bybit CEO Ben Zhou shared the conclusions of two investigations by Sygnia and Verichains, which both found that the attack originated from Safe{Wallet}'s infrastructure. "The attack specifically targeted Bybit by injecting malicious JavaScript into app.safe.global, which was accessed by Bybit's signers. The payload was designed to activate only when certain conditions were met. This selective execution ensured that the backdoor remained undetected by regular users while compromising high-value targets," Verichains said."
https://www.bleepingcomputer.com/news/security/lazarus-hacked-bybit-via-breached-safe-wallet-developer-machine/
- Pump.fun X Account Hacked To Promote Scam Governance Token
"The immensely popular memecoin generator Pump.fun had its X account hacked to promote a fake "PUMP" token cryptocurrency scam. Pump.fun is a Solana-based cryptocurrency platform that allows users to create and trade memecoins. Launched in January 2024, it has become a quick and easy way for users to launch their own Solana tokens, but it has also faced scrutiny for its use to conduct pump-and-dump schemes. Today, the X account for Pump.fun (@pumpdotfun) was compromised to promote a fake Pumpfun governance token called "PUMP.""
https://www.bleepingcomputer.com/news/security/pumpfun-x-account-hacked-to-promote-scam-governance-token/
- Australian IVF Giant Genea Breached By Termite Ransomware Gang
"The Termite ransomware gang has claimed responsibility for stealing sensitive healthcare data in a recent breach of Genea, one of Australia's largest fertility services providers. The IVF (in vitro fertilization) provider has been operating since 1986 (when it was known as Sydney IVF). It offers a wide range of services, including fertility treatments, tests, genetic services, preservation options, and donor programs, in 22 fertility clinics in New South Wales, South Australia, Western Australia, Melbourne, Canberra, and Queensland."
https://www.bleepingcomputer.com/news/security/australian-ivf-giant-genea-breached-by-termite-ransomware-gang/
https://therecord.media/genea-australia-confirms-hackers-accessed-patient-data
https://www.infosecurity-magazine.com/news/ransomware-genea-ivf-patient-data/
- Medusa Unveils 50TB Of Stolen Data From HCRG’s Network, Gaining Full Control – HCRG Labeled Liars By The Ransomware Group
"After publishing our first article on February 23, we are now releasing this second piece with new and exclusive details about the cyberattack that recently targeted HCRG Care Group, a private provider of healthcare and social services based in Runcorn, United Kingdom. The incident has proven to be far more severe than initially suggested by the amount of data claimed by the Medusa group on its .onion blog."
https://www.suspectfile.com/exclusive-medusa-unveils-50tb-of-stolen-data-from-hcrgs-network-gaining-full-control-hcrg-labeled-liars-by-the-ransomware-group/
- ‘Cyber Incident’ Shuts Down Cleveland Municipal Court For Third Straight Day
"Cleveland Municipal Court is closed for the third straight day this week due to a cybersecurity incident. The court has posted the same statement about the event to its Facebook page every day since Monday, saying they “have not confirmed its nature and scope” and that “all internal systems and software platforms will be shut down until further notice.” “As a precautionary measure, the Court has shut down the affected systems while we focus on securing and restoring services safely,” they said. “These systems will remain offline until we have a better understanding of the situation.”"
https://therecord.media/cyber-incident-shuts-down-cleveland-municipal-court
General News
- Machine Unlearning: The Lobotomization Of LLMs
"The digital age has ushered in a new era of data collection, with companies amassing vast quantities of personal and sensitive information. For years, this data was gathered and stored without much concern for privacy or the right to be forgotten. But in 2018, the European Union's General Data Protection Regulation (GDPR) introduced a fundamental shift, granting individuals the right to request that their personal data be deleted. On its face, this seems simple. With the press of a button, companies just delete the requested data. In reality, it's anything but simple."
https://www.darkreading.com/vulnerabilities-threats/machine-unlearning-lobotomization-llms
- The Compliance Illusion: Why Your Company Might Be At Risk Despite Passing Audits
"For many CISOs, compliance can feel like a necessary evil and a false sense of security. While frameworks like ISO 27001, SOC 2, and PCI DSS offer structured guidelines, they don’t automatically equate to strong cybersecurity. The challenge? Many organizations focus on checking the compliance box rather than ensuring their controls are effective."
https://www.helpnetsecurity.com/2025/02/26/compliance-security-illustion/
- 99% Of Organizations Report API-Related Security Issues
"A growing reliance on APIs has fueled security concerns, with nearly all organizations (99%) reporting API-related security issues in the past year. According to the Q1 2025 State of API Security Report by Salt Security, the rapid expansion of API ecosystems—driven by cloud migration, platform integration and data monetization—is outpacing security measures and exposing organizations to increased risk."
https://www.infosecurity-magazine.com/news/99-organizations-report-api/
- Group-IB’s High-Tech Crime Trends Report 2025 Exposes How Global Events Fuel Regional And Local Threats
"Group-IB, a leading creator of cybersecurity technologies to investigate, prevent, and fight digital crime, announced today the launch of its highly anticipated High-Tech Crime Trends Report 2025, offering a comprehensive analysis of the evolving cyber threat landscape. The report highlights how state-sponsored espionage, ransomware, underground marketplaces, and AI-driven cybercrime are feeding into one another, creating a self-sustaining cycle of digital threats."
https://www.group-ib.com/media-center/press-releases/high-tech-crime-trends-report-2025/
https://www.group-ib.com/landing/high-tech-crime-trends-2025/
https://www.infosecurity-magazine.com/news/geopolitical-tension-fuels-apt/
- Exploits And Vulnerabilities In Q4 2024
"Q4 2024 saw fewer published exploits for Windows and Linux compared to the first three quarters. Although the number of registered vulnerabilities continued to rise, the total number of Proof of Concept (PoC) instances decreased compared to 2023. Among notable techniques in Q4, attackers leveraged undocumented RPC interfaces and targeted the Windows authentication mechanism."
https://securelist.com/vulnerabilities-and-exploits-in-q4-2024/115761/
- OpenSSF Releases Security Baseline For Open Source Projects
"The Linux Foundation’s Open Source Security Foundation (OpenSSF) on Tuesday announced the initial release of a project designed to establish minimum security requirements for open source software. Named Open Source Project Security Baseline, or OSPS Baseline, the initiative aims to enhance the security of open source projects by providing guidance on implementing a minimum set of best practices aimed at reducing the risk of vulnerabilities and improving a project’s trustworthiness."
https://www.securityweek.com/openssf-releases-security-baseline-for-open-source-projects/
References
Electronic Transactions Development Agency (ETDA)