Cyber Threat Intelligence 03 March 2025
Vulnerabilities
- Attackers Could Hack Smart Solar Systems And Cause Serious Damages
"DW investigated the risks of cyber attacks exploiting vulnerabilities in smart solar systems while the demand for solar energy grows. The German news outlet DW interviewed hackers who’ve exposed security flaws in rooftop installations and solar power plants worldwide. One of these experts, the white hat hacker Aditya K Sood, demonstrated how weak or default passwords expose solar plants to cyber threats, allowing remote control over power systems, risking grid security."
https://securityaffairs.com/174769/hacking/attackers-could-hack-smart-solar-systems.html
- Paragon Partition Manager Contains Five Memory Vulnerabilities Within Its BioNTdrv.sys Driver That Allow For Privilege Escalation And Denial-Of-Service (DoS) Attacks
"Paragon Partition Manager's BioNTdrv.sys driver, versions prior to 2.0.0, contains five vulnerabilities. These include arbitrary kernel memory mapping and write vulnerabilities, a null pointer dereference, insecure kernel resource access, and an arbitrary memory move vulnerability. An attacker with local access to a device can exploit these vulnerabilities to escalate privileges or cause a denial-of-service (DoS) scenario on the victim's machine. Additionally, as the attack involves a Microsoft-signed Driver, an attacker can leverage a Bring Your Own Vulnerable Driver (BYOVD) technique to exploit systems even if Paragon Partition Manager is not installed."
https://kb.cert.org/vuls/id/726882
https://www.bleepingcomputer.com/news/security/ransomware-gangs-exploit-paragon-partition-manager-bug-in-byovd-attacks/
https://securityaffairs.com/174789/cyber-crime/ransomware-gangs-paragon-partition-manager-biontdrv-sys-driver-zero-day-attacks.html
Malware
- Phishing Email Attacks By The Larva-24005 Group Targeting Japan
"AhnLab SEcurity intelligence Center (ASEC) has identified the behavior of Larva-24005 breaching servers in Korea and then establishing a web server, database, and PHP environment for sending phishing emails. Larva-24005 is using the attack base to target not only South Korea but also Japan. The main targets are those who are involved in North Korea and university professors who are researching the North Korean regime. They have set up a C2 server for their phishing email attacks and are disguising the email body as a ZOOM meeting link or a web portal login page to prompt users to click on them."
https://asec.ahnlab.com/en/86535/
- PayPal’s “no-Code Checkout” Abused By Scammers
"We recently identified a new scam targeting PayPal customers with very convincing ads and pages. Crooks are abusing both Google and PayPal’s infrastructure in order to trick victims calling for assistance to speak with fraudsters instead. Combining official-looking Google search ads with specially-crafted PayPal pay links, makes this scheme particularly dangerous on mobile devices due to their screen size limitation and likelihood of not having security software."
https://www.malwarebytes.com/blog/scams/2025/02/paypals-no-code-checkout-abused-by-scammers
- The SOC Files: Chasing The Web Shell
"Web shells have evolved far beyond their original purpose of basic remote command execution, and many now function more like lightweight exploitation frameworks. These tools often include features such as in-memory module execution and encrypted command-and-control (C2) communication, giving attackers flexibility while minimizing their footprint."
https://securelist.com/soc-files-web-shell-chase/115714/
- Cellebrite Zero-Day Exploit Used To Target Phone Of Serbian Student Activist
"Amnesty International’s Security Lab, in collaboration with Amnesty’s European Regional Office, has uncovered a new case of misuse of a Cellebrite product to break into the phone of a youth activist in Serbia. The attack closely matches the form of attack that we previously documented in a report, ‘A Digital Prison’, published in December 2024. This new case provides further evidence that the authorities in Serbia have continued their campaign of surveillance of civil society in the aftermath of our report, despite widespread calls for reform, from both inside Serbia and beyond, as well as an investigation into the misuse of its product, announced by Cellebrite."
https://securitylab.amnesty.org/latest/2025/02/cellebrite-zero-day-exploit-used-to-target-phone-of-serbian-student-activist/
https://www.bleepingcomputer.com/news/security/serbian-police-used-cellebrite-zero-day-hack-to-unlock-android-phones/
https://thehackernews.com/2025/02/amnesty-finds-cellebrites-zero-day.html
https://www.securityweek.com/amnesty-reveals-cellebrite-zero-day-android-exploit-on-serbian-student-activist/
- Fake CAPTCHAs, Malicious PDFs, SEO Traps Leveraged For User Manual Searches
"On February 12, 2025, Netskope Threat Labs reported a widespread phishing campaign using fake CAPTCHA images via Webflow CDN to trick victims searching for PDF documents on search engines. These PDF files lead to phishing sites designed to pilfer victims’ credit card and personal information. As we hunted for similar phishing campaigns, we discovered many more phishing PDF files with fake CAPTCHAs distributed across multiple domains."
https://www.netskope.com/blog/fake-captchas-malicious-pdfs-seo-traps-leveraged-for-user-manual-searches
https://thehackernews.com/2025/02/5000-phishing-pdfs-on-260-domains.html
- JavaGhost’s Persistent Phishing Attacks From The Cloud
"Unit 42 researchers have observed phishing activity that we track as TGR-UNK-0011. We assess with high confidence that this cluster overlaps with the threat actor group JavaGhost. The threat actor group JavaGhost has been active for over five years and continues to target cloud environments to send out phishing campaigns to unsuspecting targets. According to website defacement lists such as DefacerID, the group focused historically on defacing websites. However, according to our telemetry, in 2022, they pivoted to sending out phishing emails for financial gain."
https://unit42.paloaltonetworks.com/javaghost-cloud-phishing/
- U.S. Authorities Seize $31 Million Related To Uranium Finance Hack
"This week, the U.S. Attorney's Office for the Southern District of New York (SDNY) and Homeland Security Investigations (HSI) San Diego successfully seized approximately USD 31 million in stolen assets, marking a significant breakthrough in the Uranium Finance exploits case. Nearly four years after hackers drained USD 53.7 million from the Binance Smart Chain-based decentralized finance (DeFi) protocol, law enforcement, with the support of TRM Labs, was able to track, recover, and disrupt the illicit financial flows linked to the attack. The case highlights the increasing effectiveness of blockchain intelligence in long-term investigations and asset recovery."
https://www.trmlabs.com/post/u-s-authorities-seize-31-million-in-uranium-finance-exploits-investigation
https://www.bleepingcomputer.com/news/cryptocurrency/us-recovers-31-million-stolen-in-2021-uranium-finance-hack/
- DeepSeek Lure Using CAPTCHAs To Spread Malware
"The rapid rise of generative AI tools has created opportunities and challenges for cybercriminals. In an instant, industries are being reshaped while new attack surfaces are being exposed. DeepSeek AI chatbot that launched on January 20, 2025, quickly gained international attention, making it a prime target for abuse. Leveraging a tactic known as brand impersonation, threat actors craft fraudulent websites designed to impersonate DeepSeek and mislead unsuspecting users into divulging sensitive information and/or executing harmful malware. Zscaler ThreatLabz has highlighted concerns about open source generative AI tools, like DeepSeek, being misused by threat actors to enhance exploitation and data theft strategies."
https://threatlabz.zscaler.com/blogs/security-research/deepseek-lure-using-captchas-spread-malware
Breaches/Hacks/Leaks
- Qilin Ransomware Claims Attack At Lee Enterprises, Leaks Stolen Data
"The Qilin ransomware gang has claimed responsibility for the attack at Lee Enterprises that disrupted operations on February 3, leaking samples of data they claim was stolen from the company. The threat actors have now threatened to leak all the allegedly stolen data on March 5, 2025, unless a ransom demand is paid. Lee Enterprises is a US-based media company that owns and operates over 77 daily newspapers, 350 publications, digital media platforms, and marketing services. The company's primary focus is local news and advertising, with its digital audience reaching tens of millions monthly."
https://www.bleepingcomputer.com/news/security/qilin-ransomware-claims-attack-at-lee-enterprises-leaks-stolen-data/
https://www.securityweek.com/ransomware-group-takes-credit-for-lee-enterprises-attack/
https://securityaffairs.com/174831/data-breach/qilin-ransomware-group-claims-responsibility-lee-enterprises-attack.html
- Millions Of Stalkerware Users Exposed Again
"There are many reasons not to use stalkerware, but the risk of getting exposed yourself seems to be a recurring deterrent, according to a new investigation. As we have reported many times before, stalkerware-type apps are coded so badly that it’s possible to gain access to the back-end databases and retrieve data about everyone that has the app on their device—and those are not just the victims."
https://www.malwarebytes.com/blog/news/2025/02/millions-of-stalkerware-users-exposed-again
- Research Finds 12,000 ‘Live’ API Keys And Passwords In DeepSeek's Training Data
"Last month, we published a post about Large Language Models (LLMs) instructing developers to hardcode API keys. That got us wondering: why is this happening at scale and across different LLMs? A logical starting point: the training data itself. While we can’t access proprietary datasets, many are publicly available. Popular LLMs, including DeepSeek, are trained on Common Crawl, a massive dataset containing website snapshots. Given our experience finding exposed secrets on the public internet, we suspected that hardcoded credentials might be present in the training data, potentially influencing model behavior."
https://trufflesecurity.com/blog/research-finds-12-000-live-api-keys-and-passwords-in-deepseek-s-training-data
https://thehackernews.com/2025/02/12000-api-keys-and-passwords-found-in.html
General News
- Understanding The AI Act And Its Compliance Challenges
"In this Help Net Security interview, David Dumont, Partner at Hunton Andrews Kurth, discusses the implications of the EU AI Act and how organizations can leverage existing GDPR frameworks while addressing new obligations such as conformity assessments and transparency requirements. Dumont also outlines strategies for mitigating risks from national-level enforcement variations and third-party AI vendors."
https://www.helpnetsecurity.com/2025/02/28/david-dumont-hunton-andrews-kurth-eu-ai-act-compliance/
- U.S. Ransomware Attacks Surged Again In February
"U.S. ransomware incidents in February have surged well beyond January’s totals despite the significantly shorter month. According to Cyble data, ransomware attacks started in 2025, up 150% from the year-ago period, likely driven by the perception among ransomware groups that U.S. organizations are more likely to pay ransom. Canada, too, continues to experience elevated ransomware attacks, while other global regions have remained largely stable (chart below). That trend has continued through the month of February."
https://cyble.com/blog/u-s-ransomware-attacks-surged-again-in-february/
- U.S. Soldier Charged In AT&T Hack Searched “Can Hacking Be Treason”
"A U.S. Army soldier who pleaded guilty last week to leaking phone records for high-ranking U.S. government officials searched online for non-extradition countries and for an answer to the question “can hacking be treason?” prosecutors in the case said Wednesday. The government disclosed the details in a court motion to keep the defendant in custody until he is discharged from the military."
https://krebsonsecurity.com/2025/02/u-s-soldier-charged-in-att-hack-searched-can-hacking-be-treason/
https://www.darkreading.com/cyber-risk/us-soldier-admits-hacking-15-telecom-carriers
- Third-Party Attacks Drive Major Financial Losses In 2024
"Third-party attacks emerged as a significant driver of material financial losses from cyber incidents in 2024, according to cyber risk management firm Resilience. Third-party risks made up 31% of all client insurance claims and 23% of material losses last year. This marks a significant change from 2023, when no third-party claims led to material losses for Resilience clients. “This shift underscores the growing vulnerabilities created by interconnected systems and reliance on external vendors in 2023,” the firm wrote in a report dated February 27."
https://www.infosecurity-magazine.com/news/third-party-financial-losses/
- Old Vulnerabilities Among The Most Widely Exploited
"In their quest for network access, cyber threat actors are leveraging a broad spectrum of vulnerabilities, from the most recently disclosed to those left unpatched for over two decades. In its 2025 Mass Internet Exploitation Report, released on February 27, GreyNoise found that 40% of vulnerabilities exploited by attackers in 2024 were from 2020 or earlier and 10% from 2016 or earlier. Some even date back to the late 1990s, like CVE-1999-0526 – an X server vulnerability."
https://www.infosecurity-magazine.com/news/old-vulnerabilities-widely/
https://www.greynoise.io/blog/2025-mass-internet-exploitation-report
https://www.theregister.com/2025/02/28/cisa_kev_list_ransomware/
References
Electronic Transactions Development Agency (ETDA)