Cyber Threat Intelligence 25 March 2025
New Tooling
- Finders Keypers: Open-Source AWS KMS Key Usage Finder
"Finders Keypers is an open-source tool for analyzing the current usage of AWS KMS keys. It supports both AWS customer managed KMS keys and AWS Managed KMS keys."
https://www.helpnetsecurity.com/2025/03/24/finders-keypers-open-source-aws-kms-key-usage-finder/
https://github.com/FogSecurity/finders-keypers
Vulnerabilities
- IngressNightmare: 9.8 Critical Unauthenticated Remote Code Execution Vulnerabilities In Ingress NGINX
"Wiz Research discovered CVE-2025-1097, CVE-2025-1098, CVE-2025-24514 and CVE-2025-1974, a series of unauthenticated Remote Code Execution vulnerabilities in Ingress NGINX Controller for Kubernetes dubbed #IngressNightmare. Exploitation of these vulnerabilities leads to unauthorized access to all secrets stored across all namespaces in the Kubernetes cluster by attackers, which can result in cluster takeover. This attack vector has been assigned a CVSS v3.1 base score of 9.8."
https://www.wiz.io/blog/ingress-nginx-kubernetes-vulnerabilities
https://thehackernews.com/2025/03/critical-ingress-nginx-controller.html
https://www.darkreading.com/application-security/critical-ingressnightmare-vulns-kubernetes-environments
https://www.bankinfosecurity.com/kubernetes-patch-43-clusters-face-remote-takeover-risk-a-27810
- Next.js And The Corrupt Middleware: The Authorizing Artifact
"Recently, Yasser Allam, known by the pseudonym inzo_, and I, decided to team up for some research. We discussed potential targets and chose to begin by focusing on Next.js (130K stars on github, currently downloaded + 9,4 million times per week), a framework I know quite well and with which I already have fond memories, as evidenced by my previous work. Therefore, the “we” throughout this paper will naturally refer to the two of us."
https://zhero-web-sec.github.io/research-and-things/nextjs-and-the-corrupt-middleware
https://nextjs.org/blog/cve-2025-29927
https://thehackernews.com/2025/03/critical-nextjs-vulnerability-allows.html
https://www.bleepingcomputer.com/news/security/critical-flaw-in-nextjs-lets-hackers-bypass-authorization/
https://cyberscoop.com/nextjs-critical-vulnerability-open-source-vercel/
https://securityaffairs.com/175775/security/next-js-react-framework-critical-issue.html
https://www.helpnetsecurity.com/2025/03/24/critical-next-js-auth-bypass-vulnerability-opens-web-apps-to-compromise-cve-2025-29927/
- CISA Adds One Known Exploited Vulnerability To Catalog
"CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
CVE-2025-30154 reviewdog action-setup GitHub Action Embedded Malicious Code Vulnerability"
https://www.cisa.gov/news-events/alerts/2025/03/24/cisa-adds-one-known-exploited-vulnerability-catalog
Malware
- Weaver Ant, The Web Shell Whisperer: Tracking a Live China-Nexus Operation
"During the final phase of a forensic investigation, multiple alerts were triggered by suspicious activities. Specifically, an account previously used by the threat actor was disabled as part of remediation efforts but was subsequently re-enabled by a service account. Notably, the activity originated from a server that had not been previously identified as compromised."
https://www.sygnia.co/threat-reports-and-advisories/weaver-ant-tracking-a-china-nexus-cyber-espionage-operation/
https://www.bleepingcomputer.com/news/security/chinese-weaver-ant-hackers-spied-on-telco-network-for-4-years/
https://therecord.media/chinese-hackers-spent-years-telco
https://www.darkreading.com/cyberattacks-data-breaches/china-nexus-apt-weaver-ant-caught-yearslong-web-shell-attack
https://securityaffairs.com/175800/apt/chinese-apt-weaver-ant-infiltrated-a-telco-for-over-four-years.html
- The Rise Of VanHelsing RaaS: A New Player In The Ransomware Landscape
"VanHelsing RaaS, a new ransomware-as-a-service (RaaS), was launched on March 7, 2025, and its rapid growth is raising alarms across the cyber security community. Within just two weeks of its introduction, VanHelsingRaaS has already managed to infect three known victims and create a more sophisticated variant, highlighting its potential to become a major player in the ransomware game."
https://blog.checkpoint.com/research/the-rise-of-vanhelsing-raas-a-new-player-in-the-ransomware-landscape/
https://research.checkpoint.com/2025/vanhelsing-new-raas-in-town/
https://www.bleepingcomputer.com/news/security/new-vanhelsing-ransomware-targets-windows-arm-esxi-systems/
https://thehackernews.com/2025/03/vanhelsing-raas-launch-3-victims-5k.html
https://www.infosecurity-magazine.com/news/vanhelsing-raas-expands-rapidly/
- Decoding Fake US ESTA Emails: Scam Or Real Deal?
"The Cofense Phishing Defense Center (PDC) has observed an uptick in malicious emails attempting to take advantage of the recent uncertainty and confusion surrounding immigration services in the United States of America. The malicious emails pose as notifications from US Customs and Border Protection. They warn users about the need to submit a new application for the Electronic System for Travel Authorization (ESTA), attempting to instill a level of panic or fear that the loss or misplacement of this documentation may hinder travel or immigration plans, exploiting the complicated process that the application can entail."
https://cofense.com/blog/decoding-fake-us-esta-emails-scam-or-real-deal
- FizzBuzz To FogDoor: Targeted Malware Campaign Exploits Job-Seeking Developers
"Threat Actor (TA) is deploying a targeted social engineering campaign against Polish-speaking developers by disguising malware as a technical coding challenge on GitHub. Using a fake recruitment test named “FizzBuzz”, the TA tricks victims into downloading an ISO file containing a seemingly harmless JavaScript exercise and a malicious LNK shortcut."
https://cyble.com/blog/fake-coding-challenges-steal-sensitive-data-via-fogdoor/
- VSCode Marketplace Removes Two Extensions Deploying Early-Stage Ransomware
"Cybersecurity researchers have uncovered two malicious extensions in the Visual Studio Code (VSCode) Marketplace that are designed to deploy ransomware that's under development to its users. The extensions, named "ahban.shiba" and "ahban.cychelloworld," have since been taken down by the marketplace maintainers. Both the extensions, per ReversingLabs, incorporate code that's designed to invoke a PowerShell command, which then grabs a PowerShell-script payload from a command-and-control (C2) server and executes it."
https://thehackernews.com/2025/03/vscode-marketplace-removes-two.html
Breaches/Hacks/Leaks
- Cyberattack Takes Down Ukrainian State Railway’s Online Services
"Ukrzaliznytsia, Ukraine’s national railway operator, has been hit by a massive cyberattack that disrupted online services for buying tickets both through mobile apps and the website. The incident forced people to booths to buy physical tickets, causing overcrowding, delays, long waiting times, and frustration. With trains being the only reliable and relatively safe means for people to travel within Ukraine and internationally, the cyberattack is having a significant impact, Daryna Antoniuk reports."
https://www.bleepingcomputer.com/news/security/cyberattack-takes-down-ukrainian-state-railways-online-services/
https://therecord.media/ukraine-railway-ukrzaliznytsia-cyberattack-online-ticket-system
https://www.infosecurity-magazine.com/news/ukraine-railway-systems-targeted/
- Part 2: Validating The Breach Oracle Cloud Denied – CloudSEK’s Follow-Up Analysis
"On March 21, 2025, CloudSEK’s XVigil platform flagged a significant threat—a threat actor offering 6 million exfiltrated records from Oracle Cloud for sale. Despite Oracle’s public denial, our deep-dive investigation reveals a compromised production SSO endpoint, affecting over 140,000 tenants and exposing sensitive SSO and LDAP data. Our report outlines verified evidence of the breach. At CloudSEK, we prioritize transparency and preparedness. This detailed follow-up not only challenges initial denials but equips enterprises with actionable steps to assess and secure their environments. Read the full report to uncover the evidence, understand the impact, and strengthen your defenses."
https://www.cloudsek.com/blog/part-2-validating-the-breach-oracle-cloud-denied-cloudseks-follow-up-analysis
https://www.darkreading.com/cyberattacks-data-breaches/oracle-denies-claim-oracle-cloud-breach-6m-records
https://hackread.com/cloudsek-disputes-oracle-data-breach-denial-evidence/
- Hackers Steal Sensitive Data From Pennsylvania County During Ransomware Attack
"Personal information from Union County, Pennsylvania, residents was stolen during a ransomware attack on government systems 10 days ago. The county published a notice on Friday warning its more than 40,000 residents that the ransomware attack was discovered on March 13. Federal law enforcement was notified and cybersecurity experts were hired to help with the recovery process. On March 13, the county learned that the hackers took personal information from its network."
https://therecord.media/union-county-pennsylvania-ransomware-attack
- Cyberattack Causes Delays For South Africa’s Largest Chicken Producer
"South Africa’s largest chicken producer lost more than $1 million due to a recent cyberattack that caused delivery delays and other issues. Astral Foods told investors on Monday that it suffered a cyberattack on March 16 that required the company to implement all of its disaster recovery protocols and preparedness plans. The company controls multiple chicken businesses that produce and sell chickens and eggs, as well as manufacture animal feed and other products."
https://therecord.media/cyberattack-delays-south-african-chicken-producer
General News
- Is The Middle East's Race To Digitize a Threat To Infrastructure?
"The Middle East is a cautionary tale of digitization's opportunity and risk. As Gulf countries embrace widespread public and private sector digital transformation, cybercriminal activity is surging. Today, the average cost of a data breach in the region is almost $9 million per case, nearly double the global average and a figure surpassed only by the US."
https://www.darkreading.com/cyberattacks-data-breaches/middle-easts-race-digitize-threat-infrastructure
- Cloud Providers Aren’t Delivering On Security Promises
"Security concerns around cloud environments have prompted 44% of CISOs to change cloud service provider, according to Arctic Wolf. This is being driven by the fact that 24% don’t believe their cloud environment is secure, and 43% think cloud service providers overpromised the security protection they would receive."
https://www.helpnetsecurity.com/2025/03/24/cloud-environments-security-concerns/
- More Than 300 Arrests As African Countries Clamp Down On Cyber Threats
"Authorities in seven African countries have arrested 306 suspects and seized 1,842 devices in an international operation targeting cyber attacks and cyber-enabled scams. The arrests were made as part of Operation Red Card (November 2024 – February 2025) which aims to disrupt and dismantle cross-border criminal networks which cause significant harm to individuals and businesses. In particular, the operation targeted mobile banking, investment and messaging app scams. The cases uncovered during the operation involved more than 5,000 victims."
https://www.interpol.int/en/News-and-Events/News/2025/More-than-300-arrests-as-African-countries-clamp-down-on-cyber-threats
https://therecord.media/300-arrested-africa-crackdown-cyber-scams
https://www.bleepingcomputer.com/news/security/police-arrests-300-suspects-linked-to-african-cybercrime-rings/
https://www.infosecurity-magazine.com/news/interpol-seize-1842-devices-africa/
- Despite Challenges, The CVE Program Is a Public-Private Partnership That Has Shown Resilience
"In 1999, Dave Mann and Steve Christey, two researchers from the nonprofit R&D corporation MITRE, debuted a concept for security vulnerabilities that laid the groundwork for the common vulnerability and exposures framework (CVE) that organizes information around computer vulnerabilities."
https://cyberscoop.com/cve-program-history-mitre-nist-1999-2024/
https://www.securityweek.com/nist-still-struggling-to-clear-vulnerability-submissions-backlog-in-nvd/
- Hunting Rituals #5: Why Hypothesis-Based Threat Hunting Is Essential In Cybersecurity
"Proactive threat hunting is essential if you want to counter sophisticated threats that evade conventional security tools. Many advanced attackers use techniques that blend into normal network activity, avoiding detection and bypassing automated alerts. This blog post showcases a real-life example of how hypothesis-based threat hunting can uncover hidden threats."
https://www.group-ib.com/blog/hunting-rituals-5/
- Report: Fortune 500 Employee-Linked Account Exposure
"A backbone of our economy, Fortune 500 companies employ more than 31 million people worldwide. According to data analyzed by the Enzoic research team, over the past three years of 2022, 2023, and 2024, more than three million employee-linked accounts became newly compromised by cybercriminals."
https://www.helpnetsecurity.com/2025/03/24/report-fortune-500-employee-linked-account-exposure/
https://resources.enzoic.com/fortune-500-report/
- Encrypted Messaging Apps Promise Privacy. Government Transparency Is Often The Price
"As a devastating wildfire burned through a Maui town, killing more than 100 people, emergency management employees traded dozens of text messages, creating a record that would later help investigators piece together the government’s response to the 2023 tragedy. One text exchange hinted officials might also be using a second, untraceable messaging service. “That’s what Signal was supposed to be for,” then-Maui Emergency Management Agency Administrator Herman Andaya texted a colleague."
https://www.securityweek.com/encrypted-messaging-apps-promise-privacy-government-transparency-is-often-the-price/
- As Nation-State Hacking Becomes 'More In Your Face,' Are Supply Chains Secure?
"Former US Air Force cyber officer Sarah Cleveland worries about the threat of a major supply-chain attack from China or another adversarial nation. So she installed solar panels on her house: "Because what if the electric grid goes down?" The home solar system was Cleveland's personal answer to the question of where to begin securing against the kind of potentially destructive attacks that government agencies and intel analysts warn are on the horizon from groups like Beijing's Silk Typhoon."
https://www.theregister.com/2025/03/24/nation_state_supply_chain_attack/
- From The Digital Trenches: Exclusive Interview With Z-Pentest
"Z-Pentest is a pro-Russian Serbian hacktivist group that has carried out various attacks against NATO countries. This actor specializes in industrial environments and poses a challenge to organizations around the world. Rafa Lopez, former CTO of Miólnir, reached out to Z-Pentest thanks to Noname057(16), finding Z-Pentest very receptive, or at least their spokesperson. He discussed with them the possibility of understanding their perspective on the current geopolitical landscape. He also wanted to learn more about their motivation, techniques, and tactics."
https://miolnir.es/from-the-digital-trenches-exclusive-interview-with-z-pentest/
References
Electronic Transactions Development Agency (ETDA)