Cyber Threat Intelligence 18 March 2025
Industrial Sector
- Threat Landscape For Industrial Automation Systems. Q4 2024
"In the fourth quarter of 2024, the percentage of ICS computers on which malicious objects were blocked decreased by 0.1 pp from the previous quarter to 21.9%. Compared to the fourth quarter of 2023, the percentage decreased by 2.5 pp. The percentage of ICS computers on which malicious objects were blocked during the fourth quarter of 2024 was highest in October and lowest in November. In fact, the percentage in November 2024 was the lowest of any month in two years."
https://ics-cert.kaspersky.com/publications/reports/2025/03/17/threat-landscape-for-industrial-automation-systems-q4-2024/
https://ics-cert.kaspersky.com/publications/reports/2025/03/17/threat-landscape-for-industrial-automation-systems-regions-q4-2024/
Vulnerabilities
- One PUT Request To Own Tomcat: CVE-2025-24813 RCE Is In The Wild
"A devastating new remote code execution (RCE) vulnerability, CVE-2025-24813, is now actively exploited in the wild. Attackers need just one PUT API request to take over vulnerable Apache Tomcat servers. The exploit, originally published by a Chinese forum user iSee857, is already available online: CVE-2025-24813 PoC by iSee857."
https://lab.wallarm.com/one-put-request-to-own-tomcat-cve-2025-24813-rce-is-in-the-wild/
https://access.redhat.com/security/cve/cve-2025-24813
https://www.bleepingcomputer.com/news/security/critical-rce-flaw-in-apache-tomcat-actively-exploited-in-attacks/
https://thehackernews.com/2025/03/apache-tomcat-vulnerability-comes-under.html
https://www.darkreading.com/vulnerabilities-threats/apache-tomcat-rce-vulnerability-exploit
https://www.securityweek.com/exploit-code-for-apache-tomcat-rce-vulnerability-published-on-chinese-forum/
https://securityaffairs.com/175522/security/threat-actors-rapidly-exploit-new-apache-tomcat-flaw-following-poc-release.html
https://www.theregister.com/2025/03/18/apache_tomcat_java_rce_flaw/
- Nvidia Patches Vulnerabilities That Could Let Hackers Exploit AI Services
"Nvidia recently patched a couple of Riva vulnerabilities that could allow hackers to abuse AI services. Riva is a set of GPU-accelerated multilingual speech and translation services designed for building customizable, real-time conversational AI for large language models (LLMs) and retrieval-augmented generation (RAG). A security advisory published by Nvidia on March 10 reveals that Riva is impacted by two improper access control issues. One of the flaws, tracked as CVE-2025-23242 and assigned a ‘high severity’ rating, can allow privilege escalation, data tampering, denial of service (DoS), and information disclosure."
https://www.securityweek.com/nvidia-riva-vulnerabilities-allow-unauthorized-use-of-ai-services/
- Tracking You From a Thousand Miles Away! Turning a Bluetooth Device Into An Apple AirTag Without Root Privileges
"Imagine someone could turn your laptop, smartphone, or even your gaming console into a tracking device without your knowledge. Our research team discovered a way this can happen through Apple's Find My network - the same system that helps people find their lost iPhones and AirTags. The Find My network uses over a billion Apple devices worldwide. When an AirTag is lost, it sends out Bluetooth signals that nearby iPhones pick up. These iPhones then secretly report the AirTag's location to Apple's cloud, allowing the owner to see where their lost item is. We found a security problem that lets hackers use this system to track almost any device with Bluetooth capabilities - not just Apple products. We call this attack "nRootTag.""
https://nroottag.github.io/
Malware
- Harden-Runner Detection: Tj-Actions/changed-Files Action Is Compromised
"We are actively investigating a critical security incident involving the tj-actions/changed-files GitHub Action. While our investigation is ongoing, we want to alert users so they can take immediate corrective actions. We will keep this post updated as we learn more. StepSecurity Harden-Runner detected this issue through anomaly detection when an unexpected endpoint appeared in the network traffic. Based on our analysis, the incident started around 9:00 AM March 14th, 2025 Pacific Time (PT) / 4:00 PM March 14th, 2025 UTC."
https://www.stepsecurity.io/blog/harden-runner-detection-tj-actions-changed-files-action-is-compromised
https://thehackernews.com/2025/03/github-action-compromise-puts-cicd.html
https://www.bleepingcomputer.com/news/security/supply-chain-attack-on-popular-github-action-exposes-ci-cd-secrets/
https://therecord.media/github-restores-code-malicious-tj-actions-changes
https://www.bankinfosecurity.com/supply-chain-attack-targets-github-repositories-secrets-a-27737
https://www.securityweek.com/popular-github-action-targeted-in-supply-chain-attack/
https://hackread.com/malicious-code-in-tj-actions-changed-files-github-repos/
https://www.theregister.com/2025/03/17/supply_chain_attack_github/
https://www.infosecurity-magazine.com/news/tjactions-supply-chain-attack/
- Malicious HWP Document Disguised As Reunification Education Support Application
"On March 5, AhnLab SEcurity intelligence Center (ASEC) found a post recruiting students for a unification-related course, which included a link to download a malicious HWP document. At the time of analysis, there were download links for JPG, HWP, and DOC files at the bottom of the post. The HWP file among them was identified as a malicious file disguised as an application form."
https://asec.ahnlab.com/en/86841/
- StilachiRAT Analysis: From System Reconnaissance To Cryptocurrency Theft
"In November 2024, Microsoft Incident Response researchers uncovered a novel remote access trojan (RAT) we named StilachiRAT that demonstrates sophisticated techniques to evade detection, persist in the target environment, and exfiltrate sensitive data. Analysis of the StilachiRAT’s WWStartupCtrl64.dll module that contains the RAT capabilities revealed the use of various methods to steal information from the target system, such as credentials stored in the browser, digital wallet information, data stored in the clipboard, as well as system information."
https://www.microsoft.com/en-us/security/blog/2025/03/17/stilachirat-analysis-from-system-reconnaissance-to-cryptocurrency-theft/
https://www.bleepingcomputer.com/news/security/microsoft-new-rat-malware-used-for-crypto-theft-reconnaissance/
https://hackread.com/stilachirat-exploits-chrome-crypto-wallets-credentials/
- OKX Suspends DEX Aggregator After Lazarus Hackers Try To Launder Funds
"OKX Web3 has decided to suspend its DEX aggregator services to implement security upgrades following reports of abuse by the notorious North Korean Lazarus hackers, who recently conducted a $1.5 billion crypto heist. OKX is a leading global cryptocurrency exchange that offers a wide range of trading options, including spot and derivatives trading and decentralized finance (DeFi) services."
https://www.bleepingcomputer.com/news/security/okx-suspends-dex-aggregator-after-lazarus-hackers-try-to-launder-funds/
https://therecord.media/crypto-okx-shuts-down-exchange
- Downloader Malware Written In JPHP Interpreter
"AhnLab SEcurity intelligence Center (ASEC) recently discovered malware created using the aforementioned JPHP. JPHP is a PHP interpreter that runs on the Java Virtual Machine (JVM), and it was designed to allow PHP code to be used in a Java environment. It can convert PHP code into Java bytecode for execution, enabling direct calls to Java libraries. Additionally, it is faster than PHP because it uses a just-in-time (JIT) compilation method."
https://asec.ahnlab.com/en/86859/
- OpenAI Under Attack: CVE-2024-27564 Actively Exploited In The Wild
"Attackers are actively targeting OpenAI, exploiting CVE-2024-27564, a Server-Side Request Forgery (SSRF) vulnerability in OpenAI’s ChatGPT infrastructure. Veriti’s latest research reveals that this vulnerability, despite being classified as medium severity, has already been weaponized in real world attacks."
https://veriti.ai/blog/cve-2024-27564-actively-exploited/
https://hackread.com/hackers-exploit-chatgpt-cve-2024-27564-10000-attacks/
- Researchers Confirm BlackLock As Eldorado Rebrand
"Cybersecurity researchers have uncovered a direct link between BlackLock and the notorious ransomware group Eldorado, and confirmed that BlackLock is a rebranded version of the earlier threat actor. After facing increased scrutiny from law enforcement and security experts, Eldorado resurfaced under the BlackLock name, adopting enhanced capabilities while continuing its ransomware-as-a-service (RaaS) operations. According to DarkAtlas, BlackLock executed 48 attacks in the first two months of the year. The attacks affected multiple sectors, with construction and real estate firms the most impacted."
https://www.infosecurity-magazine.com/news/researchers-confirm-blacklock/
- Warning Over Free Online File Converters That Actually Install Malware
"The FBI Denver Field Office has warned of an increasing number of scammy websites offering free online file converter services. Instead of converting files, the tools actually load malware onto victims’ computers. The FBI warned specifically about that malware leading to ransomware attacks, but we’ve also seen similar sites that install browser hijackers, adware, and potentially unwanted programs (PUPs)."
https://www.malwarebytes.com/blog/news/2025/03/warning-over-free-online-file-converters-that-actually-install-malware
- Bogus ‘DeepSeek’ AI Installers Are Infecting Devices With Malware, Research Finds
"In a digital landscape hungry for the next big thing in Artificial Intelligence, a new contender called DeepSeek recently burst onto the scene and has quickly gained traction for its advanced language models. Positioned as a low-cost alternative to industry giants like OpenAI and Meta, DeepSeek has drawn attention for its rapid growth, affordability, and potential to reshape the AI landscape. Unfortunately, a recent investigation by McAfee Labs found that the same hype is now fueling a barrage of malware attacks disguised as DeepSeek software and updates."
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/bogus-deepseek-ai-installers-are-infecting-devices-with-malware-research-finds/
- Auto Dealership Supply Chain Attack
"Over 100 auto dealerships were being abused compliments of a supply chain attack of a shared video service unique to dealerships. When active, the attack presented dealership visitors with a ClickFix webpage which led to a SectopRAT malware."
https://rmceoin.github.io/malware-analysis/2025/03/13/supply-chain.html
https://www.darkreading.com/cyberattacks-data-breaches/compromised-car-dealership-websites-clickfix-breach
https://www.securityweek.com/100-car-dealerships-hit-by-supply-chain-attack/
- Exposed Jupyter Notebooks Targeted To Deliver Cryptominer
"Cado Security Labs have identified a novel cryptomining campaign exploiting Jupyter Notebooks, through Cado Labs honeypots. Jupyter Notebook is an interactive notebook that contains a Python IDE and is typically used by data scientists. The campaign identified by Cado Labs spreads through misconfigured Jupyter notebooks, targeting both Windows and Linux systems to deliver a cryptominer."
https://www.cadosecurity.com/blog/jupyter-notebooks-cryptominer
Breaches/Hacks/Leaks
- Accounting Firm Notifying 217,000 Of Health Data Hack
"A certified public accounting firm that provides services to labor unions, non-profits and other organizations for employee benefit plans is notifying nearly 217,000 people of a 2024 hack. The firm is already facing at least five proposed federal class action lawsuits related to the breach."
https://www.bankinfosecurity.com/accounting-firm-notifying-217000-health-data-hack-a-27741
General News
- February 2025 Deep Web And Dark Web Trends Report
"This trend report on the deep web and dark web of February 2025 is sectioned into Ransomware, Data Breach, DarkWeb, CyberAttack, and Threat Actor. We would like to state beforehand that some of the content has yet to be confirmed to be true."
https://asec.ahnlab.com/en/86840/
- How 'Open Innovation' Can Help Solve Problems Faster, Better & Cheaper
"In 1970, when the Apollo 13 mission pilot said, "Houston, we've had a problem," he was asking NASA's Johnson Space Center for help. Fast forward four decades to 2010, and the Johnson Space Center was facing a different challenge, when its budgets were about to be slashed. In order to avoid painful cuts, staff needed to prove their ability to innovate, so they embraced the concept of "open innovation," enlisting employees to solve complex problems."
https://www.darkreading.com/vulnerabilities-threats/how-open-innovation-can-help-solve-problems-faster-better-cheaper
- How Economic Headwinds Influence The Ransomware Ecosystem
"The financial strain caused by ransomware attacks is well-documented. Outside of the ransom demands themselves — which can now total tens of millions of dollars at the highest level — remediation and downtime costs can be even costlier. For example, eight months after cloud computing vendor Rackspace suffered a ransomware attack in December 2022, a filing with the Securities and Exchange Commission revealed the company spent more than $10 million on "costs to investigate and remediate, legal and other professional services, and supplemental staff resources that were deployed to provide support to customers.""
https://www.darkreading.com/cyberattacks-data-breaches/how-economic-headwinds-influence-ransomware-ecosystem
- What Is WikiLeaksV2 Doing With a Ransomware Gang? Spoiler Alert: It’s Not Extortion.
"As previously reported on this site, in September 2023, Cardiovascular Consultants Ltd. (CVC) in Arizona experienced a ransomware attack. In October 2023, the Qilin ransomware group added CVC to its leak site, claiming to have exfiltrated 520,961 files and 206 GB of data. And in December 2023, CVC announced the breach in a substitute notice on its site and reported the incident to HHS as having impacted 484,000 patients. Those affected were offered two years of identity protection, credit monitoring, and fraud resolution services, but the notification made no mention of data being leaked anywhere."
https://databreaches.net/2025/03/17/what-is-wikileaksv2-doing-with-a-ransomware-gang/
- European Cyber Report 2025: 137% More DDoS Attacks Than Last Year – What Companies Need To Know
"Cyberattacks are no longer an abstract threat – they dominate risk planning for companies worldwide. The latest Link11 European Cyber Report shows an alarming trend: the number of DDoS attacks has more than doubled, and they are shorter, more targeted, and more technically sophisticated. Organizations that do not continuously evolve their security strategies face significant financial losses and long-term reputational damage."
https://hackread.com/european-cyber-report-2025-137-more-ddos-attacks/
https://www.link11.com/en/download/cyber-report-2025/
- State Of WordPress Security In 2025
"In 2024 something happened that will fundamentally change the way open source software is built and maintained: on December 10th, the European Union’s Cyber Resilience Act (CRA) came into force. Its adoption went relatively unnoticed in WordPress circles, but in time it will prove to be a “GDPR moment” for software developers."
https://patchstack.com/whitepaper/state-of-wordpress-security-in-2025/
https://www.securityweek.com/8000-new-wordpress-vulnerabilities-reported-in-2024/
- Microsoft Wouldn't Look At a Bug Report Without a Video. Researcher Maliciously Complied
"A vulnerability analyst and prominent member of the infosec industry has blasted Microsoft for refusing to look at a bug report unless he submitted a video alongside a written explanation. Senior principal vulnerability analyst Will Dormann said last week he contacted Microsoft Security Response Center (MSRC) with a clear description of the bug and supporting screenshots, only to be told that his report wouldn't be looked at without a video."
https://www.theregister.com/2025/03/17/microsoft_bug_report_troll/
References
Electronic Transactions Development Agency (ETDA) - Threat Landscape For Industrial Automation Systems. Q4 2024