Cyber Threat Intelligence 21 March 2025
Healthcare Sector
- Santesoft Sante DICOM Viewer Pro
"Successful exploitation of this vulnerability could allow an attacker to cause memory corruption that would result in execution of arbitrary code."
https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-079-01
- How Healthcare CISOs Can Balance Security And Accessibility Without Compromising Care
"In this Help Net Security interview, Sunil Seshadri, EVP and CSO at HealthEquity, talks about the growing risks to healthcare data and what organizations can do to stay ahead. He shares insights on vendor management, zero trust, and securing the software supply chain, along with practical steps to tackle legacy system vulnerabilities. His advice helps organizations strengthen security without disrupting patient care."
https://www.helpnetsecurity.com/2025/03/20/sunil-seshadri-healthequity-healthcare-data-risk/
- Authorities Warn Of Security Terror Threats To Hospitals
"Threats transmitted on social media intimating coordinated terrorist attacks on hospitals in mid-tier U.S. cities have industry authorities warning the healthcare sector to shore up physical and cybersecurity, as well as emergency management response plans. The Health Information Sharing and Analysis Center and the American Hospital Association in a joint alert published late Wednesday said they are working with the FBI and awaiting any additional details that can be shared with their members. Foreign terrorists generally don't advertise upcoming attacks, but social media posts threatening a wave of violence against hospitals in cities with 100,000 and 500,000 residents 'may encourage others to engage in malicious activity directed toward the health sector.'"
https://www.bankinfosecurity.com/authorities-warn-security-terror-threats-to-hospitals-a-27789
https://dd80b675424c132b90b3-e48385e382d2e5d17821a5e1d8e4c86b.ssl.cf1.rackcdn.com/external/tlpwhite-aa319249-potential-terror-threat-targeted-at-health-sector-aha-health-isac-joint-threa.pdf
Industrial Sector
- Schneider Electric EcoStruxure
"Successful exploitation of this vulnerability could allow an attacker to cause a local privilege escalation, which could result in loss of confidentiality, integrity and availability of the engineering workstation."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-079-01
- Schneider Electric Enerlin’X IFE And eIFE
"Successful exploitation of these vulnerabilities could allow an attacker to cause a denial-of-service condition which would require the device to need to be manually rebooted."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-079-02
- Siemens Simcenter Femap
"Successful exploitation of this vulnerability could allow an attacker to execute code within the current process of the product."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-079-03
- SMA Sunny Portal
"Successful exploitation of this vulnerability could allow an attacker to upload and remotely execute code."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-079-04
Vulnerabilities
- By Executive Order, We Are Banning Blacklists - Domain-Level RCE In Veeam Backup & Replication (CVE-2025-23120)
"It’s us again! Once again, we hear the collective groans - but we're back and with yet another merciless pwnage of an inspired and clearly comprehensive RCE solution - no, wait, it's another vuln in yet another backup and replication solution. While we would enjoy a world in which we could be a little merciful - today we'll explore the painful world of blacklist-based security mechanisms. You can treat this post as a natural continuation of our CVE-2024-40711 writeup, which was written by fellow watchTowr Labs team member Sina Kheirkhah (@SinSinology)."
https://labs.watchtowr.com/by-executive-order-we-are-banning-blacklists-domain-level-rce-in-veeam-backup-replication-cve-2025-23120/
https://www.veeam.com/kb4724
https://www.bleepingcomputer.com/news/security/veeam-rce-bug-lets-domain-users-hack-backup-servers-patch-now/
https://thehackernews.com/2025/03/veeam-and-ibm-release-patches-for-high.html
https://www.bankinfosecurity.com/veeam-update-patches-critical-backup-software-vulnerability-a-27782
https://www.securityweek.com/veeam-patches-critical-vulnerability-in-backup-replication/
https://securityaffairs.com/175674/slider/veeam-critical-backup-replication-vulnerability.html
https://www.helpnetsecurity.com/2025/03/20/critical-veeam-backup-replication-rce-vulnerability-cve-2025-23120/
https://www.theregister.com/2025/03/20/infoseccers_criticize_veeam_over_critical/
- Critical LFI To RCE Vulnerability In WP Ghost Plugin Affecting 200k+ Sites
"This blog post is about the WP Ghost plugin vulnerability. If you’re a WP Ghost user, please update the plugin to at least version 5.4.02."
https://patchstack.com/articles/critical-lfi-to-rce-vulnerability-in-wp-ghost-plugin-affecting-200k-sites/
- Critical Cisco Smart Licensing Utility Flaws Now Exploited In Attacks
"Attackers have started targeting Cisco Smart Licensing Utility (CSLU) instances unpatched against a vulnerability exposing a built-in backdoor admin account. The CSLU Windows application allows admins to manage licenses and linked products on-premises without connecting them to Cisco's cloud-based Smart Software Manager solution. Cisco patched this security flaw (tracked as CVE-2024-20439) in September, describing it as 'an undocumented static user credential for an administrative account' that can let unauthenticated attackers log into unpatched systems remotely with admin privileges over the API of the CSLU app."
https://www.bleepingcomputer.com/news/security/critical-cisco-smart-licensing-utility-flaws-now-exploited-in-attacks/
https://isc.sans.edu/diary/rss/31782
https://www.securityweek.com/hackers-target-cisco-smart-licensing-utility-vulnerabilities/
Malware
- VSCode Extensions Found Downloading Early-Stage Ransomware
"Two malicious VSCode Marketplace extensions were found deploying in-development ransomware, exposing critical gaps in Microsoft's review process. The extensions, named "ahban.shiba" and "ahban.cychelloworld," were downloaded seven and eight times, respectively, before they were eventually removed from the store. It is notable that the extensions were uploaded onto the VSCode Marketplace on October 27, 2024 (ahban.cychelloworld) and February 17, 2025 (ahban.shiba), bypassing safety review processes and remaining on Microsoft's store for an extensive period of time."
https://www.bleepingcomputer.com/news/security/vscode-extensions-found-downloading-early-stage-ransomware/
- Custom Betruger Backdoor Deployed By RansomHub Affiliate
"The Symantec Threat Hunter team has observed activity from a custom backdoor that can be tied to a RansomHub affiliate. RansomHub is a Ransomware-as-a-Service offering and the backdoor has been named Betruger. This is a multi-function backdoor which appears to have been developed specifically for carrying out ransomware attacks. Betruger incorporates functionality typically seen across multiple tools leveraged during ransomware attacks. It is believed this could have been done in an effort to reduce the footprint during an attack by reducing the number of different tools required."
https://www.broadcom.com/support/security-center/protection-bulletin/custom-betruger-backdoor-deployed-by-ransomhub-affiliate
https://www.bleepingcomputer.com/news/security/ransomhub-ransomware-uses-new-betruger-multi-function-backdoor/
https://www.helpnetsecurity.com/2025/03/20/ransomhub-affiliate-leverages-multi-function-betruger-backdoor/
- Blast Radius Of The Tj-Actions/changed-Files Supply Chain Attack
"The recent attack on the GitHub Action tj-actions/changed-files raised a lot of attention in regard to software supply chain attacks – specifically regarding the security of CI/CD pipelines. The general theme of many blog posts and comments is that tens of thousands of repositories use the GitHub Action. However, not all of them are necessarily affected, so we set out to better understand the actual damage caused by the attack, i.e. the number and type of secrets leaked."
https://www.endorlabs.com/learn/blast-radius-of-the-tj-actions-changed-files-supply-chain-attack
https://www.bleepingcomputer.com/news/security/github-action-supply-chain-attack-exposed-secrets-in-218-repos/
- Jaguar Land Rover Breached By HELLCAT Ransomware Group Using Its Infostealer Playbook—Then a Second Hacker Strikes
"In a repeat of a now-familiar playbook, the HELLCAT ransomware group has claimed responsibility for a massive data breach targeting Jaguar Land Rover (JLR), leaking gigabytes of sensitive information including proprietary documents, source codes, and employee and partner data. The breach, executed by a threat actor known as “Rey,” mirrors a pattern of attacks Hudson Rock researchers have previously detected against high-profile victims like Telefónica, Schneider Electric, and Orange. At the heart of this latest incident lies a technique that has become HELLCAT’s signature: exploiting Jira credentials harvested from compromised employees that were infected by Infostealers."
https://www.infostealers.com/article/jaguar-land-rover-breached-by-hellcat-ransomware-using-its-infostealer-playbook-then-a-second-hacker-strikes/
https://www.bleepingcomputer.com/news/security/hellcat-hackers-go-on-a-worldwide-jira-hacking-spree/
- BlackLock Ransomware: What You Need To Know
"BlackLock is a relatively new ransomware group. First seen in March 2024, the ransomware operation initially operated under the name El Dorado, before rebranding as BlackLock late last year. BlackLock follows a RaaS (ransomware-as-a-service) business model, leasing its tools and infrastructure to affiliates who launch attacks, sharing a proportion of the proceeds with BlackLock."
https://www.tripwire.com/state-of-security/blacklock-ransomware-what-you-need-know
- UAT-5918 Targets Critical Infrastructure Entities In Taiwan
"Talos assesses with high confidence that UAT-5918 is an advanced persistent threat (APT) group that targets entities in Taiwan to establish long-term persistent access in victim environments. UAT-5918 usually obtains initial access by exploiting N-day vulnerabilities in unpatched web and application servers exposed to the internet. The threat actor will subsequently use a plethora of open-source tools for network reconnaissance to move through the compromised enterprise."
https://blog.talosintelligence.com/uat-5918-targets-critical-infra-in-taiwan/
https://therecord.media/taiwan-critical-infrastructure-hacking-uat-5918
- Clickbait To Catastrophe: How a Fake Meta Email Leads To Password Plunder
"Social media is widely used in marketing, helping businesses to generate ads that attract potential customers. But what if you received an email stating, "YOUR ADS ARE TEMPORARILY SUSPENDED"? What steps would you take? The urgency of the email instantly grabs your attention, and your first thought might be to click and investigate, hoping to get it fixed promptly. However, instead of fixing things, you could end up with your business account getting hacked. The Cofense Phishing Defense Center (PDC) has discovered a new phishing campaign that tricks users into giving out access to their Meta Business accounts. While social media phishing attempts are prevalent, this one went above and beyond by employing fake chat support, providing detailed instructions, and attempting to add itself as a secure login method."
https://cofense.com/blog/clickbait-to-catastrophe-how-a-fake-meta-email-leads-to-password-plunder
- Semrush Impersonation Scam Hits Google Ads
"Criminals are highly interested in online marketing and advertising tools that they can leverage as part of their ongoing malware campaigns. In particular, we have previously detailed how Google advertiser accounts can be hijacked to create new malicious ads and perpetuate a vicious cycle leading to more compromised accounts. As part of our investigations, we uncovered a new operation going after Semrush, a visibility management SaaS platform that offers SEO, advertising, and market research, amongst other things."
https://www.malwarebytes.com/blog/news/2025/03/semrush-impersonation-scam-hits-google-ads
- The SOC Case Files: RansomHub Exploits FortiGate Bug In Attack Blocked By XDR
"Barracuda’s Managed XDR team recently contained a determined and complex attack by a ransomware gang. The attackers had been trying to find a way into a manufacturing company’s network since December 2024 and finally succeeded by exploiting an exposed firewall vulnerability."
https://blog.barracuda.com/2025/03/20/soc-case-files-ransomhub-fortigate-bug
- Operation FishMedley
"On March 5th, 2025, the US DOJ unsealed an indictment against employees of the Chinese contractor I‑SOON for their involvement in multiple global espionage operations. Those include attacks that we previously documented and attributed to the FishMonger APT group – I‑SOON’s operational arm – including the compromise of seven organizations that we identified as being targeted in a 2022 campaign that we named Operation FishMedley."
https://www.welivesecurity.com/en/eset-research/operation-fishmedley/
https://www.infosecurity-magazine.com/news/fishmonger-apt-group-linked-isoon/
Breaches/Hacks/Leaks
- Data Breach At Stalkerware SpyX Affects Close To 2 Million, Including Thousands Of Apple Users
"A consumer-grade spyware operation called SpyX was hit by a data breach last year, TechCrunch has learned. The breach reveals that SpyX and two other related mobile apps had records on almost 2 million people at the time of the breach, including thousands of Apple users. The data breach dates back to June 2024 but had not been previously reported, and there is no indication that SpyX’s operators ever notified its customers or those targeted by the spyware. The SpyX family of mobile spyware is now, by our count, the 25th mobile surveillance operation since 2017 known to have experienced a data breach, or otherwise spilled or exposed their victims’ or users’ data, showing that the consumer-grade spyware industry continues to proliferate and put people’s private data at risk."
https://techcrunch.com/2025/03/19/data-breach-at-stalkerware-spyx-affects-close-to-2-million-including-thousands-of-apple-users/
General News
- 5 Pitfalls That Can Delay Cyber Incident Response And Recovery
"The responsibility of cyber incident response falls squarely on the shoulders of the CISO. And many CISOs invest heavily in technical response procedures, tabletop exercises and theoretical plans only to find out that when an actual breach strikes the organization is not as prepared as it should be. Every event is unique and can introduce unforeseen complications, and the chaos of the moment can quickly derail even the best laid plans. But CISOs can improve their team’s response and reduce damage by avoiding these common pitfalls:"
https://www.helpnetsecurity.com/2025/03/20/incident-response-pitfalls/
- Cisco Introduces The State Of AI Security Report For 2025: Key Developments, Trends, And Predictions In AI Security
"As one of the defining technologies of this century, artificial intelligence (AI) seems to witness daily advancements with new entrants to the field, technological breakthroughs, and creative and innovative applications. The landscape for AI security shares the same breakneck pace with streams of newly proposed legislation, novel vulnerability discoveries, and emerging threat vectors. While the speed of change is exciting, it creates practical barriers for enterprise AI adoption. As our Cisco 2024 AI Readiness Index points out, concerns about AI security are frequently cited by business leaders as a primary roadblock to embracing the full potential of AI in their organizations."
https://blogs.cisco.com/security/cisco-introduces-the-state-of-ai-security-report-for-2025
https://www.cisco.com/c/en/us/products/security/state-of-ai-security.html
- Catch Me If You Can: Rooting Tools Vs The Mobile Security Industry
"Rooting and jailbreaking, once widespread for enabling deeper customization and removing OS limitations on mobile devices, are increasingly becoming primarily the domain of power users, as manufacturers have made significant strides to reduce this practice from two different approaches. First, by adding more customization options so users feel less restrained. Second, by introducing tighter security protocols into stock Android and iOS versions."
https://www.zimperium.com/blog/catch-me-if-you-can-rooting-tools-vs-the-mobile-security-industry/
https://www.darkreading.com/endpoint-security/mobile-jailbreaks-corporate-risk
https://hackread.com/rooted-androids-breached-even-iphones-not-safe/
https://www.infosecurity-magazine.com/news/rooted-devices-250x-vulnerable/
https://www.helpnetsecurity.com/2025/03/20/rooting-jailbreaking-threat/
- The Cybercriminal With Four Faces: Revealing Group-IB's Investigation Into ALTDOS, DESORDEN, GHOSTR And 0mid16B
"Following the arrest of the cybercriminal behind the aliases ALTDOS, DESORDEN, GHOSTR, and 0mid16B, Group-IB provides a deep dive into his activities, uncovering striking similarities and unmasking the cybercriminal that breached more than 90 instances of data leaks worldwide over the span of four years in operation."
https://www.group-ib.com/blog/the-cybercriminal-with-four-faces-revealing-group-ib-s-investigation-into-altdos-desorden-ghostr-and-0mid16b/
- AI In The Enterprise: Key Findings From The ThreatLabz 2025 AI Security Report
"Artificial intelligence (AI) has rapidly shifted from buzz to business necessity over the past year—something Zscaler has seen firsthand while pioneering AI-powered solutions and tracking enterprise AI/ML activity in the world’s largest security cloud. As enterprises embrace AI to boost productivity, accelerate decision-making, and automate workflows, to name a few benefits, cybercriminals are using the same technology to automate and scale more sophisticated attacks. From hyper-realistic deepfakes to advanced vishing scams, AI-generated threats have quickly raised the stakes for enterprise security."
https://www.zscaler.com/blogs/security-research/threatlabz-ai-security-report-key-findings
- Too Many Software Supply Chain Defense Bibles? Boffins Distill Advice
"Organizations concerned about software supply chain attacks should focus on role-based access control, system monitoring, and boundary protection, according to a new preprint paper on the topic. The software supply chain refers to the interconnected ecosystem of open source and third-party software, each with its own web of dependencies that may trigger the download of additional components. It’s possible that developers contributing to those components and libraries could, through errors or malicious activity, include dangerous vulnerabilities."
https://www.theregister.com/2025/03/20/software_supply_chain_defense/
https://arxiv.org/abs/2503.12192
References
Electronic Transactions Development Agency (ETDA)