Cyber Threat Intelligence 24 March 2025
Industrial Sector
- Threat Landscape For Industrial Automation Systems In Q4 2024
"In Q4 2024, the percentage of ICS computers on which malicious objects were blocked decreased by 0.1 pp from the previous quarter to 21.9%. Compared to Q4 2023, the percentage decreased by 2.8 pp. The percentage of ICS computers on which malicious objects were blocked during Q4 2024 was highest in October and lowest in November. In fact, the percentage in November 2024 was the lowest of any month in two years."
https://securelist.com/ics-cert-q4-2024-report/115944/
Malware
- GitHub Actions Supply Chain Attack: A Targeted Attack On Coinbase Expanded To The Widespread Tj-Actions/changed-Files Incident: Threat Assessment
"The recent compromise of the GitHub action tj-actions/changed-files and additional actions within the reviewdog organization has captured the attention of the GitHub community, marking another major software supply chain attack. Our team conducted an in-depth investigation into this incident and uncovered many more details about how the attack occurred and its timeline. These attackers compromised continuous integration/continuous delivery (CI/CD) pipelines of thousands of repositories, putting them at risk."
https://unit42.paloaltonetworks.com/github-actions-supply-chain-attack/
https://www.bleepingcomputer.com/news/security/coinbase-was-primary-target-of-recent-github-actions-breaches/
https://thehackernews.com/2025/03/github-supply-chain-breach-coinbase.html
https://www.securityweek.com/impact-root-cause-of-github-actions-supply-chain-hack-revealed/
- Steam Pulls Game Demo Infecting Windows With Info-Stealing Malware
"Valve has removed from its Steam store the game title 'Sniper: Phantom's Resolution' following multiple users reporting that the demo installer infected their systems with information stealing malware. The game, published under the developer name 'Sierra Six Studios,' was supposed to be an early preview of the title with a release planned in the coming months."
https://www.bleepingcomputer.com/news/security/steam-pulls-game-demo-infecting-windows-with-info-stealing-malware/
- Cybercriminals Exploit Checkpoint’s Driver In a BYOVD Attack!
"A sophisticated cyber attack recently observed by Venak Security demonstrated how threat actors exploited vulnerabilities in vsdatant.sys, a kernel-level driver used by Checkpoint’s ZoneAlarm antivirus software. Originally released in 2016, this driver became the target of a Bring Your Own Vulnerable Driver (BYOVD) attack, allowing attackers to elevate privileges, bypass critical Windows security features such as Memory Integrity, and extract sensitive data from compromised systems."
https://venaksecurity.com/2025/03/20/cybercriminals-exploit-checkpoints-driver-in-a-byovd-attack/
https://hackread.com/checkpoint-zonealarm-driver-flaw-user-credential-theft/
https://www.infosecurity-magazine.com/news/cybercriminals-exploit-checkpoint/
- Resurgence Of In-The-Wild Activity Targeting Critical ServiceNow Vulnerabilities
"GreyNoise has identified a notable resurgence of in-the-wild activity targeting three ServiceNow vulnerabilities: CVE-2024-4879 (Critical), CVE-2024-5217 (Critical), and CVE-2024-5178 (Medium). All three vulnerabilities have seen attacker interest in the past 24 hours. Over 70% of sessions in the past week were directed at systems in Israel. Over the past week, targeted systems have been detected in Israel, Lithuania, Japan, and Germany, though only Israel and Lithuania saw activity in the past 24 hours. These vulnerabilities reportedly may be chained together for full database access."
https://www.greynoise.io/blog/in-the-wild-activity-targeting-critical-servicenow-vulnerabilities
https://hackread.com/attacks-exploit-servicenow-flaws-israel-hit-hardest/
- Attackers Use Fake CAPTCHAs To Deploy Lumma Stealer RAT
"HP's latest Threat Insights Report has revealed a surge in malicious CAPTCHA campaigns, where users are tricked into running PowerShell commands that install the Lumma Stealer remote access trojan (RAT). The campaigns show that attackers are capitalizing on growing click tolerance, whereby users are now accustomed to jumping through hoops to authenticate themselves online, according to HP."
https://www.infosecurity-magazine.com/news/attackers-fake-captchas-lumma/
- Shedding Light On The ABYSSWORKER Driver
"Cybercriminals are increasingly bringing their own drivers — either exploiting a vulnerable legitimate driver or using a custom-built driver to disable endpoint detection and response (EDR) systems and evade detection or prevention capabilities. Elastic Security Labs has monitored a financially motivated campaign deploying MEDUSA ransomware through the use of a HEARTCRYPT-packed loader. This loader was deployed alongside a revoked certificate-signed driver from a Chinese vendor we named ABYSSWORKER, which it installs on the victim machine and then uses to target and silence different EDR vendors. This EDR-killer driver was first reported by ConnectWise in another campaign, using a different certificate and IO control codes, at which time some of its capabilities were discussed."
https://www.elastic.co/security-labs/abyssworker
https://thehackernews.com/2025/03/medusa-ransomware-uses-malicious-driver.html
- Albabat Ransomware Group Potentially Expands Targets To Multiple OS, Uses GitHub To Streamline Operations
"The group behind Albabat, a financially motivated ransomware, has recently been active and released a new version of their ransomware. Early versions were observed in late 2023 and early 2024. Our threat hunting team has recently encountered versions 2.0.0 and 2.5, which target not only Microsoft Windows but also gather system and hardware information on Linux and macOS. The team discovered multiple previously undetected variants of the Albabat ransomware. These new versions retrieve their configuration data through the GitHub REST API using a "User-Agent" string labelled "Awesome App." The configuration provides key details about the ransomware's behavior and operational parameters. Notably, it indicates that these variants belong to Albabat version 2.0."
https://www.trendmicro.com/en_us/research/25/c/albabat-ransomware-group.html
https://www.infosecurity-magazine.com/news/albabat-ransomware-linux-macos/
- Microsoft Trusted Signing Service Abused To Code-Sign Malware
"Cybercriminals are abusing Microsoft's Trusted Signing platform to code-sign malware executables with short-lived three-day certificates. Threat actors have long sought after code-signing certificates as they can be used to sign malware to appear like they are from a legitimate company. Signed malware also has the advantage of potentially bypassing security filters that would normally block unsigned executables, or at least treat them with less suspicion."
https://www.bleepingcomputer.com/news/security/microsoft-trusted-signing-service-abused-to-code-sign-malware/
Breaches/Hacks/Leaks
- Oracle Denies Breach After Hacker Claims Theft Of 6 Million Data Records
"Oracle denies it was breached after a threat actor claimed to be selling 6 million data records allegedly stolen from the company's Oracle Cloud federated SSO login servers. "There has been no breach of Oracle Cloud. The published credentials are not for the Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data," the company told BleepingComputer."
https://www.bleepingcomputer.com/news/security/oracle-denies-data-breach-after-hacker-claims-theft-of-6-million-data-records/
https://hackread.com/oracle-denies-breach-hacker-access-6-million-records/
https://www.theregister.com/2025/03/23/oracle_cloud_customers_keys_credentials/
- Software Firm Notifying Patients, Practices Of Data Exposure
"A vendor of cloud-based orthodontic practice software is notifying an undisclosed number of patients that their data was exposed to the internet for 10 days last November. But the security researcher who discovered the unsecured database alleges the exposure appears to have lasted longer than that and affected at least 200,000 patients. Georgia-based OrthoMinds in a public statement Thursday said it is notifying clients and individuals potentially affected by the data security breach."
https://www.bankinfosecurity.com/software-firm-notifying-patients-practices-data-exposure-a-27805
- Personal Data Revealed In Released JFK Files
"Over 60,000 pages related to the 1963 assassination of US President John F. Kennedy were released as part of President Donald Trump’s directive on March 17, 2025, and while readers will not find a conclusive answer to the main question—nor will the files put an end to surrounding conspiracy theories—one unplanned consequence was the disclosure of 400 Social Security Numbers (SSNs) and other privacy sensitive information amongst the rest of the records."
https://www.malwarebytes.com/blog/news/2025/03/personal-data-revealed-in-released-jfk-files
- Ransomware Group Claims Attack On Virginia Attorney General’s Office
"A ransomware group known as Cloak has claimed responsibility for a disrupting cyberattack on the Virginia Attorney General Office’s systems. The incident became public in mid-February, when the state’s top prosecutorial agency told employees that nearly all its computer systems, internal services and applications, and website were down, and that internet connectivity and VPN access were affected as well."
https://www.securityweek.com/ransomware-group-claims-attack-on-virginia-attorney-generals-office/
General News
- Fake Out: Babuk2 Ransomware Group Claims Bogus Victims
"It never hurts to be reminded: ransomware hackers are lying liars who continue to lie. An emerging ransomware group going by the name of Babuk or Babuk2 has been attempting to bolster its reputation by claiming dozens of new victims. "Hello World today we attacked 26 companies and stole some company information," the group said in a Thursday post to its data leak blog, naming just some of the supposed victims as Amazon.com, Cardinal Health, Delta, HSBC, Schwab and US Bank."
https://www.bankinfosecurity.com/blogs/fake-out-babuk2-ransomware-group-claims-bogus-victims-p-3840
- Why Cyber Quality Is The Key To Security
"Data compromises in the US saw a dramatic spike from 2022 to 2023, rising from 1,802 incidents to 3,205. In 2024, the Identity Theft Resource Center (ITRC) continued to track data compromises, finding 3,158 incidents, resulting in more than 1.7 billion notices going to individuals. While the number of compromises is similar to last year, the number of victim notices increased by a whopping 312%."
https://www.darkreading.com/cyberattacks-data-breaches/why-cyber-quality-key-security
- 53% Of Security Teams Lack Continuous And Up-To-Date Visibility
"Enterprises lack visibility into their own data, creating security risks that are compounding as organizations and their employees increase AI adoption, according to Bedrock Security. The majority of organizations struggle to track sensitive information across sprawling cloud environments, leaving them vulnerable to data breaches and compliance failures. The research also documents a significant shift in security roles, with nine in 10 professionals surveyed reporting their responsibilities have evolved in the past year, most notably in data governance and AI oversight."
https://www.helpnetsecurity.com/2025/03/21/enterprises-data-visibility-security-risks/
- The Hidden Risk In SaaS: Why Companies Need a Digital Identity Exit Strategy
"In the face of sudden trade restrictions, sanctions, or policy shifts, relying on SaaS providers outside your region for identity services is a gamble that companies can no longer afford to take. With trade disputes set to escalate, a sudden policy change could result in SaaS providers pulling out of regions or being forced to comply with new regulations that render identity services inaccessible. While software companies have yet to be put in the crosshairs, such policies are not unprecedented."
https://www.helpnetsecurity.com/2025/03/21/digital-identity-services-exit-strategy/
- AI Will Make Ransomware Even More Dangerous
"Ransomware is the top predicted threat for 2025, which is especially concerning given 38% of security professionals say ransomware will become even more dangerous when powered by AI, according to Ivanti. In comparison to the threat level, only 29% of security professionals say they are very prepared for ransomware attacks – leaving a significant gap in preparedness (29%), highlighting the need for more robust security measures."
https://www.helpnetsecurity.com/2025/03/21/exposure-management-understanding-among-security-leaders/
- Top Threats Of The 2024 Botnet Landscape
"Our last post on botnets explored the terminology, architectures, and capabilities of these versatile attack tools. This post will take a closer look at the most dominant botnets of the last year. The largest known botnet was the 911 S5 botnet that was dismantled in 2024. At its peak it had about 19 million active bots operating in 190 countries. 911 S5 was spread through infected VPN applications, like MaskVPN, DewVPN, ShieldVPN, and a few more. A botnet might include personal computers, business servers, mobile devices, and Internet of Things (IoT) devices like smart thermostats, cameras, and routers. The composition of the botnet depends on the malware."
https://blog.barracuda.com/2025/03/21/top-threats-of-the-2024-botnet-landscape
- Follow The Adversary: The Top 3 Red Team Exploitation Paths From 2024
"Though 2024 may be behind us, many of the security threats and vulnerabilities that organizations faced last year remain. The CrowdStrike Professional Services Red Team tracks them all in its efforts to defend organizations against adversaries."
https://www.crowdstrike.com/en-us/blog/top-three-red-team-exploitation-paths-from-2024/
- Russian Zero-Day Seller Is Offering Up To $4 Million For Telegram Exploits
"Operation Zero, a company that acquires and sells zero-days exclusively to the Russian government and local Russian companies, announced on Thursday that it’s looking for exploits for the popular messaging app Telegram, and is willing to offer up to $4 million for them. The exploit broker is offering up to $500,000 for a “one-click” remote code execution (RCE) exploit; up to $1.5 million for a zero-click RCE exploit; and up to $4 million for a “full chain” of exploits, presumably referring to a series of bugs that allow hackers to go from accessing a target’s Telegram account to their whole operating system or device."
https://techcrunch.com/2025/03/21/russian-zero-day-seller-is-offering-up-to-4-million-for-telegram-exploits/
https://securityaffairs.com/175709/hacking/operation-zero-offers-4m-for-telegram-exploits.html
References
Electronic Transactions Development Agency (ETDA) - Threat Landscape For Industrial Automation Systems In Q4 2024