Cyber Threat Intelligence 02 April 2025
Industrial Sector
- Rockwell Automation Lifecycle Services With Veeam Backup And Replication
"Successful exploitation of this vulnerability could allow an attacker with administrative privileges to execute code on the target system."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-091-01
New Tooling
- GoResolver: Using Control-Flow Graph Similarity To Deobfuscate Golang Binaries, Automatically
"In the course of its investigations, Volexity frequently encounters malware samples written in Golang. Binaries written in Golang are often challenging to analyze because of the embedded libraries and the sheer size of the resulting binaries. This issue is amplified when samples are obfuscated using tools such as Garble, an open-source Golang obfuscation tool. The popularity of Golang amongst malware developers, and the use of obfuscators to make reverse-engineering harder, raised the need for better tooling to assist in reverse-engineering efforts. Volexity developed GoResolver, an open-source tool that uses control-flow graph similarities to retrieve obfuscated functions names. GoResolver is available for download on GitHub here."
https://www.volexity.com/blog/2025/04/01/goresolver-using-control-flow-graph-similarity-to-deobfuscate-golang-binaries-automatically/
https://github.com/volexity/GoResolver
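The matching idea in the GoResolver post, as an added example that is not Volexity's code: an obfuscator such as Garble strips or renames symbols, but a function's control-flow-graph shape and instruction mix survive, so an unnamed function in a stripped binary can be scored against a corpus of named reference functions. Real tooling lifts CFGs from a disassembler; here the CFGs, the reference names and the two "stripped" functions are constructed by hand, and the scoring (Jaccard over block shapes plus mnemonic bigrams) is a deliberately simple stand-in for a real graph-similarity measure.

```python
"""Toy control-flow-graph (CFG) matching to recover function names.

Added example (not GoResolver's code). An obfuscator strips symbols, but the
CFG shape and instruction mix of each function survive, so an unnamed
function can be matched against named reference functions by similarity.
All CFGs below are constructed: {block_id: (mnemonics, successor_block_ids)}.
"""
from __future__ import annotations

from collections import Counter

CFG = dict[str, tuple[tuple[str, ...], tuple[str, ...]]]


def block_signatures(cfg: CFG) -> Counter:
    """Multiset of per-block (in-degree, out-degree, instruction count)."""
    indeg = {b: 0 for b in cfg}
    for _, succs in cfg.values():
        for s in succs:
            indeg[s] += 1
    return Counter((indeg[b], len(succs), len(ins)) for b, (ins, succs) in cfg.items())


def mnemonic_bigrams(cfg: CFG) -> set[tuple[str, str]]:
    """Adjacent-instruction pairs inside blocks; operands are ignored on purpose."""
    grams: set[tuple[str, str]] = set()
    for ins, _ in cfg.values():
        grams.update(zip(ins, ins[1:]))
    return grams


def jaccard(a, b) -> float:
    if isinstance(a, Counter):          # multiset Jaccard
        inter, union = sum((a & b).values()), sum((a | b).values())
    else:
        inter, union = len(a & b), len(a | b)
    return inter / union if union else 1.0


def cfg_similarity(a: CFG, b: CFG) -> float:
    """0..1 score: weighted Jaccard of block-shape multisets and mnemonic bigrams."""
    structure = jaccard(block_signatures(a), block_signatures(b))
    ops = jaccard(mnemonic_bigrams(a), mnemonic_bigrams(b))
    return 0.6 * structure + 0.4 * ops


def resolve_names(unknown: dict[str, CFG], reference: dict[str, CFG],
                  threshold: float = 0.75) -> dict[str, str | None]:
    """Map each unnamed function to the best-scoring reference name, or None below threshold."""
    resolved: dict[str, str | None] = {}
    for name, cfg in unknown.items():
        best_name, best_score = None, 0.0
        for ref_name, ref_cfg in reference.items():
            score = cfg_similarity(cfg, ref_cfg)
            if score > best_score:
                best_name, best_score = ref_name, score
        resolved[name] = best_name if best_score >= threshold else None
    return resolved


# Constructed reference corpus, named as a Go linker would name the symbols.
REFERENCE: dict[str, CFG] = {
    "strings.Index": {
        "entry": (("mov", "cmp", "jl"), ("loop", "ret")),
        "loop": (("movzx", "cmp", "jne"), ("found", "inc")),
        "inc": (("inc", "cmp", "jl"), ("loop", "ret")),
        "found": (("mov", "ret"), ()),
        "ret": (("mov", "ret"), ()),
    },
    "runtime.memmove": {
        "entry": (("cmp", "jbe"), ("small", "large")),
        "small": (("mov", "mov", "ret"), ()),
        "large": (("rep", "movsb", "ret"), ()),
    },
}

# Constructed "stripped" functions: labels are gone, and one has no counterpart.
UNKNOWN: dict[str, CFG] = {
    "sub_4a1f": {
        "b0": (("mov", "cmp", "jl"), ("b1", "b4")),
        "b1": (("movzx", "cmp", "jne"), ("b3", "b2")),
        "b2": (("inc", "cmp", "jl"), ("b1", "b4")),
        "b3": (("mov", "ret"), ()),
        "b4": (("mov", "ret"), ()),
    },
    "sub_9c22": {"b0": (("xor", "ret"), ())},
}

if __name__ == "__main__":
    for fn, name in resolve_names(UNKNOWN, REFERENCE).items():
        print(f"{fn} -> {name}")
```

The threshold matters more than the scoring formula: a corpus built from the exact Go toolchain version the sample was compiled with gives near-identical graphs, while a mismatched version lowers every score and a tight threshold then yields many None results rather than wrong names.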
Vulnerabilities
- Apple Backports Zero-Day Patches To Older iPhones And Macs
"Apple has released security updates that backport fixes for actively exploited vulnerabilities that were exploited as zero-days to older versions of its operating systems. At the same time, the consumer tech giant released security updates for the latest stable iOS, iPadOS, and macOS, addressing numerous security flaws."
https://www.bleepingcomputer.com/news/security/apple-backports-zero-day-patches-to-older-iphones-and-macs/
https://thehackernews.com/2025/04/apple-backports-critical-fixes-for-3.html
https://www.securityweek.com/apple-patches-recent-zero-days-in-older-iphones/
https://cyberscoop.com/apple-security-update-march-2025/
- 20,000 WordPress Sites Affected By Arbitrary File Upload And Deletion Vulnerabilities In WP Ultimate CSV Importer WordPress Plugin
"On March 5th, 2025, we received a submission for an Arbitrary File Upload and an Arbitrary File Deletion vulnerability in WP Ultimate CSV Importer, a WordPress plugin with more than 20,000 active installations. The arbitrary file upload vulnerability can be used by authenticated attackers, with subscriber-level access and above, to upload arbitrary files to a vulnerable site and achieve remote code execution, which is typically leveraged for a complete site takeover. The arbitrary file deletion vulnerability can be used by authenticated attackers to delete arbitrary files, including the wp-config.php file, which can also make a site takeover possible."
https://www.wordfence.com/blog/2025/03/20000-wordpress-sites-affected-by-arbitrary-file-upload-and-deletion-vulnerabilities-in-wp-ultimate-csv-importer-wordpress-plugin/
https://www.infosecurity-magazine.com/news/wp-ultimate-csv-importer-flaws/
- Critical Vulnerability Found In Canon Printer Drivers
"Microsoft’s offensive security team has warned Canon about a critical vulnerability affecting some printer drivers. According to an advisory published last week by Canon, drivers associated with several production printers, office multifunction printers, and laser printers are affected by an out-of-bounds vulnerability. The security hole is tracked as CVE-2025-1268 and it has a CVSS severity score of 9.4. The flaw impacts the EMF recode processing of Generic Plus PCL6, UFR II, LIPS4, LIPSXL, and PS printer drivers, specifically versions 3.12 and earlier."
https://www.securityweek.com/critical-vulnerability-found-in-canon-printer-drivers/
https://securityaffairs.com/176104/security/microsoft-warns-of-critical-flaw-in-canon-printer-drivers.html
https://www.bankinfosecurity.com/canon-printer-flaw-enables-remote-code-execution-a-27894
- ImageRunner: A Privilege Escalation Vulnerability Impacting GCP Cloud Run
"Tenable Research discovered a privilege escalation vulnerability in Google Cloud Platform (GCP) that is now fixed and which we dubbed ImageRunner. At issue are identities that lack registry permissions but that have edit permissions on Google Cloud Run revisions. The vulnerability could have allowed such an identity to abuse its Google Cloud Run revision edit permissions in order to pull private Google Artifact Registry and Google Container Registry images in the same account."
https://www.tenable.com/blog/imagerunner-a-privilege-escalation-vulnerability-impacting-gcp-cloud-run
https://www.darkreading.com/cloud-security/google-imagerunner-bug-enabled-privilege-escalation
- Hackers Could Unleash Chaos Through Backdoor In China-Made Robot Dogs
"Security researchers this week raised an alarm after finding hidden remote access tunnel service pre-installed on the Unitree Go1 robot dog, warning that the backdoor activates once the device detects internet connectivity. According to documentation published by researchers Andreas Makris and Kevin Finisterre, the quadruped robot developed by the Chinese cvompany Unitree Robotics contains the undocumented tunnel service that automatically pings unitree.com to initiate its connection if a certain variable is enabled."
https://www.securityweek.com/undocumented-remote-access-backdoor-found-in-unitree-go1-robot-dog/
Malware
- Remcos RAT Malware Disguised As Major Carrier’s Waybill
"AhnLab SEcurity intelligence Center (ASEC) has recently discovered the Remcos malware disguised as a waybill from a major shipping company. This article details the distribution distribution flow from HTML, JavaScript, and AutoIt scripts leading to the execution of the final Remcos malware."
https://asec.ahnlab.com/en/87106/
- Surge In Palo Alto Networks Scanner Activity Indicates Possible Upcoming Threats
"GreyNoise has observed a significant surge in login scanning activity targeting Palo Alto Networks PAN-OS GlobalProtect portals. Over the last 30 days, nearly 24,000 unique IP addresses have attempted to access these portals. The pattern suggests a coordinated effort to probe network defenses and identify exposed or vulnerable systems, potentially as a precursor to targeted exploitation."
https://www.greynoise.io/blog/surge-palo-alto-networks-scanner-activity
https://www.bleepingcomputer.com/news/security/nearly-24-000-ips-behind-wave-of-palo-alto-global-protect-scans/
https://thehackernews.com/2025/04/nearly-24000-ips-target-pan-os.html
https://www.darkreading.com/perimeter/scans-pan-globalprotect-vpns-attacks
https://www.securityweek.com/hackers-looking-for-vulnerable-palo-alto-networks-globalprotect-portals/
https://www.helpnetsecurity.com/2025/04/01/attackers-are-probing-palo-alto-networks-globalprotect-portals/
- DPRK IT Workers Expanding In Scope And Scale
"Since our September 2024 report outlining the Democratic People's Republic of Korea (DPRK) IT worker threat, the scope and scale of their operations has continued to expand. These individuals pose as legitimate remote workers to infiltrate companies and generate revenue for the regime. This places organizations that hire DPRK IT workers at risk of espionage, data theft, and disruption. In collaboration with partners, Google Threat Intelligence Group (GTIG) has identified an increase of active operations in Europe, confirming the threat's expansion beyond the United States. This growth is coupled with evolving tactics, such as intensified extortion campaigns and the move to conduct operations within corporate virtualized infrastructure."
https://cloud.google.com/blog/topics/threat-intelligence/dprk-it-workers-expanding-scope-scale
https://www.bleepingcomputer.com/news/security/north-korean-it-worker-army-expands-operations-in-europe/
- We Smell a (DC)Rat: Revealing a Sophisticated Malware Delivery Chain
"The Acronis Threat Research Unit (TRU) was presented with an interesting threat chain and malware sample for analysis that involved a known cyberthreat along with some interesting twists in targeting and obfuscation. In this article, we’ll dissect the complex malware delivery chain and tactics. The focus will be on a multi-stage infection process involving Visual Basic Script (VBS), a batch file, and a PowerShell script, ultimately leading to the deployment of high-profile malware like DCRat or Rhadamanthys infostealer."
https://www.bleepingcomputer.com/news/security/we-smell-a-dcrat-revealing-a-sophisticated-malware-delivery-chain/
- Critical Auth Bypass Bug In CrushFTP Now Exploited In Attacks
"Attackers are now targeting a critical authentication bypass vulnerability in the CrushFTP file transfer software using exploits based on publicly available proof-of-concept code. The security vulnerability (CVE-2025-2825) was reported by Outpost24, and it allows remote attackers to gain unauthenticated access to devices running unpatched CrushFTP v10 or v11 software. "Please take immediate action to patch ASAP. The bottom line of this vulnerability is that an exposed HTTP(S) port could lead to unauthenticated access," CrushFTP warned in an email sent to customers on Friday, March 21, when it released patches to address the security flaw."
https://www.bleepingcomputer.com/news/security/critical-auth-bypass-bug-in-crushftp-now-exploited-in-attacks/
https://www.securityweek.com/hackers-attempting-to-exploit-crushftp-vulnerability/
https://securityaffairs.com/176097/hacking/crushftp-cve-2025-2825-flaw-actively-exploited.html
https://www.helpnetsecurity.com/2025/04/01/crushftp-vulnerability-exploitation-cve-2025-2825/
- Signed. Sideloaded. Compromised!
"During an incident observed by Ontinue’s Cyber Defence Centre (CDC), the team identified a sophisticated multi-stage attack leveraging vishing, remote access tooling, and living-off-the-land techniques to gain initial access and establish persistence. The threat actor exploited exposed communication channels by delivering a malicious PowerShell payload via a Microsoft Teams message, followed by the use of Quick Assist to remotely access the environment. This led to the deployment of signed binaries (e.g., TeamViewer.exe), a sideloaded malicious DLL (TV.dll), and ultimately a JavaScript-based C2 backdoor executed via Node.js."
https://www.ontinue.com/resource/blog-signed-sideloaded-compromised/
https://hackread.com/microsoft-teams-vishing-deploy-malware-via-teamviewer/
https://www.infosecurity-magazine.com/news/phishing-attack-combines-vishing/
- CPU_HU: Fileless Cryptominer Targeting Exposed PostgreSQL With Over 1.5K Victims
"Wiz Threat Research identified a new variant of an ongoing malicious campaign targeting misconfigured and publicly exposed PostgreSQL servers. In the observed attack, the threat actor (tracked by Wiz as JINX-0126) abuses exposed PostgreSQL instances, configured with weak and guessable login credentials, to gain access and to deploy XMRig-C3 cryptominers. This campaign was first documented by Aqua Security, but the threat actor has since evolved, implementing defense evasion techniques such as deploying binaries with a unique hash per target and executing the miner payload filelessly—likely to evade detection by CWPP solutions that rely solely on file hash reputation."
https://www.wiz.io/blog/postgresql-cryptomining
https://thehackernews.com/2025/04/over-1500-postgresql-servers.html
- Digital Disruptions Continue For Russian Transportation, This Time At State Railway
"Russia’s state-owned railway, RZD, reported being the target of a cyberattack that temporarily disrupted its website and mobile application. It’s the second incident this week involving a Russian transportation agency, following disruptions with the app and website for Moscow’s subway system on Monday. In a statement on Tuesday, RZD confirmed that its online services were unavailable due to a distributed denial-of-service (DDoS) attack. However, ticket sales remained operational at physical offices across stations and terminals, the company added."
https://therecord.media/russia-state-railway-rzd-ddos-website-app
- Evolution Of Sophisticated Phishing Tactics: The QR Code Phenomenon
"Since late 2024, Unit 42 researchers have observed attackers using several new tactics in phishing documents containing QR codes. One tactic involves attackers concealing the final phishing destination using legitimate websites' redirection mechanisms. Another tactic involves attackers adopting Cloudflare Turnstile for user verification, enabling them to evade security crawlers and convincingly redirect targets to a login page. We found that some of these phishing sites are specifically targeting the credentials of particular victims, suggesting pre-attack reconnaissance."
https://unit42.paloaltonetworks.com/qr-code-phishing/
- Analyzing New HijackLoader Evasion Tactics
"HijackLoader (also known as IDAT Loader and GHOSTPULSE) is a malware loader initially discovered in 2023. The loader is not only capable of delivering second-stage payloads, but also offers a variety of modules to expand the malware’s capabilities. The modules are mainly used for configuration information and to evade security software, as well as inject and execute code. Recently, Zscaler ThreatLabz uncovered new HijackLoader modules with additional evasion techniques. In this blog, we analyze these modules that implement features including call stack spoofing to mask the origin of function calls from endpoint detection, virtual machine detection to identify analysis environments, and another module that establishes persistence via scheduled tasks."
https://threatlabz.zscaler.com/blogs/security-research/analyzing-new-hijackloader-evasion-tactics
Breaches/Hacks/Leaks
- Ransomware Group Takes Credit For National Presto Industries Attack
"The InterLock ransomware group over the weekend claimed responsibility for a disruptive cyberattack on National Presto Industries that occurred on March 1. The home appliance and ammunition company disclosed the incident in early March, in a regulatory filing with the SEC, saying that it was working on restoring systems, while temporary measures had been implemented to maintain critical functions."
https://www.securityweek.com/ransomware-group-takes-credit-for-national-presto-industries-attack/
General News
- The Epochalypse Project
"On 2038-01-19 03:14:08 UTC, millions of sensitive embedded and industrial computer systems worldwide will suddenly start behaving in unpredictable ways, unless we take coordinated action now. And what’s worse, with unsecured time protocols, attackers don’t need to wait until 2038. This is not science fiction. It’s a real technical vulnerability affecting systems we rely on daily—from hospital equipment to power grids, from banking systems to transportation networks. This vulnerability is embedded in the fundamental architecture of our digital infrastructure."
https://epochalypse-project.org/
- Why Global Tensions Are a Cybersecurity Problem For Every Business
"With global tensions climbing, cyber attacks linked to nation-states and their allies are becoming more common, sophisticated, and destructive. For organizations, cybersecurity can’t be treated as separate from world events anymore, they’re closely connected. Conflict between countries is spilling into cyberspace. Whether it’s during military escalations, trade disputes, or diplomatic standoffs, governments are using cyber operations to exert pressure, gather intelligence, or disrupt systems. These attacks often hit private businesses, not just governments or critical infrastructure."
https://www.helpnetsecurity.com/2025/04/01/global-tensions-cybersecurity-problem/
- How To Build An Effective Cybersecurity Simulation
"Most people groan at the prospect of security training. It’s typically delivered through dull online videos or uninspiring exercises that fail to capture real-world urgency. To make a real difference in cyber crisis readiness, personnel need the opportunity to test their mettle in a crisis, to build the muscle memory and decision-making skills that will make a difference when a real attack occurs."
https://www.helpnetsecurity.com/2025/04/01/cybersecurity-simulations-exercise/
- The Human Side Of Insider Threats: People, Pressure, And Payback
"While cybercriminals are often in the spotlight, one of the most dangerous threats to your company might be hiding in plain sight, within your own team. Employees, contractors, or business partners who have access to sensitive information can use that access to cause harm, whether it’s stealing data, sabotaging systems, or leaking confidential details. But what makes someone inside a company decide to turn against it? There’s often a psychological aspect to it, whether it’s personal frustration, financial stress, or a sense of being wronged."
https://www.helpnetsecurity.com/2025/04/01/insider-threats-why-people-turn-on-their-employers/
- Generative AI Is Reshaping Financial Fraud. Can Security Keep Up?
"In this Help Net Security interview, Yinglian Xie, CEO at DataVisor, explains how evolving fraud tactics require adaptive, AI-driven prevention strategies. With fraudsters using generative AI to launch sophisticated attacks, financial institutions must adopt adaptive AI solutions to stay ahead. Xie points out the role of real-time data orchestration, machine learning, and integrated security platforms in balancing fraud prevention with a seamless user experience."
https://www.helpnetsecurity.com/2025/04/01/yinglian-xie-datavisor-fraud-prevention-strategies/
- Building a Reasonable Cyber Defense Program
"If you do business in the United States, especially across state lines, you probably know how difficult it is to comply with U.S. state data privacy laws. The federal government and many U.S. state governments require you to implement “reasonable” cybersecurity controls around how you handle data breach notification and the data privacy of your customers. But these mandates don’t discuss how you can meet the standard of reasonableness in your cybersecurity efforts. More specifically, they don’t identify frameworks to which you can align your controls implementation program."
https://www.helpnetsecurity.com/2025/04/01/cis-reasonable-cyber-defense-program/
- Cybercriminals Expand Use Of Lookalike Domains In Email Attacks
"Cybercriminals have ramped up their use of lookalike domains to facilitate a variety of targeted email-based social engineering and financial fraud scams, according to a new report by BlueVoyant. These attacks are particularly challenging to detect and enable attackers to extend the types of organizations and individuals who are targeted in such scams. The researchers found that threat actors target a range of critical sectors via such domains, including finance, legal services, insurance and construction."
https://www.infosecurity-magazine.com/news/criminals-lookalike-domains-email/
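What makes lookalikes hard to catch by eye is that they come in several shapes at once: homoglyphs (Cyrillic letters, `1` for `l`, `rn` for `m`), typos and transpositions, a different TLD, and the brand buried in a longer label. The added example below (not BlueVoyant's code) folds a candidate to a confusable-free skeleton, decodes punycode labels, and then scores the registrable label against a brand list by edit distance with adjacent transpositions (optimal string alignment) and by containment. The registrable-domain split is the last two labels, a stand-in for a public suffix list lookup that is wrong for co.uk-style suffixes. All domains are constructed.

```python
"""Classify a candidate domain against a brand list as a lookalike.

Added example, not BlueVoyant's code. Brands and candidates are constructed.
"""
import unicodedata

CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",   # Cyrillic а е о р с
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j",                  # Cyrillic х у і ј
    "\u03bf": "o", "\u03b1": "a", "\u03c1": "p",                                 # Greek ο α ρ
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
}
MULTI_CONFUSABLES = (("rn", "m"), ("vv", "w"), ("cl", "d"))
KINDS = ("homoglyph", "tld_swap", "typo", "brand_embedded")   # most to least specific


def skeleton(domain: str) -> str:
    """Lower-case, decode punycode labels, NFKC-normalise and fold confusables."""
    labels = []
    for label in domain.lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass
        label = unicodedata.normalize("NFKC", label)
        label = "".join(CONFUSABLES.get(ch, ch) for ch in label)
        for seq, rep in MULTI_CONFUSABLES:
            label = label.replace(seq, rep)
        labels.append(label)
    return ".".join(labels)


def registrable(domain: str):
    """(registrable domain, its left label): last two labels (public-suffix stand-in)."""
    parts = domain.split(".")
    if len(parts) < 2:
        return domain, domain
    return ".".join(parts[-2:]), parts[-2]


def osa_distance(a: str, b: str) -> int:
    """Edit distance where insert, delete, substitute and adjacent transposition each cost 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]


def classify(candidate: str, brands):
    """(kind, matched brand); kind is one of KINDS, 'legitimate' or 'none'."""
    raw_reg, _ = registrable(candidate.lower().rstrip("."))
    if raw_reg in {b.lower() for b in brands}:
        return "legitimate", raw_reg            # the brand itself or one of its subdomains
    cand_reg, cand_label = registrable(skeleton(candidate))
    best = None
    for brand in brands:
        brand_reg, brand_label = registrable(skeleton(brand))
        if cand_reg == brand_reg:
            kind = "homoglyph"                  # same skeleton, different raw string
        elif cand_label == brand_label:
            kind = "tld_swap"
        elif osa_distance(cand_label, brand_label) <= 1:
            kind = "typo"
        elif brand_label in cand_label:
            kind = "brand_embedded"
        else:
            continue
        if best is None or KINDS.index(kind) < KINDS.index(best[0]):
            best = (kind, brand)
    return best if best else ("none", None)


BRANDS = ["example.com", "examplebank.com"]
SAMPLES = ["login.example.com", "examp1e.com", "\u0435xample.com", "exarnple.com", "example.co",
           "exampel.com", "example-secure-login.com", "examplebank.co", "unrelated.org"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s:28s} -> {classify(s, BRANDS)}")
```

Run this over newly observed sender domains (DMARC aggregate reports, MX logs, certificate-transparency feeds) rather than over the whole DNS namespace; the `brand_embedded` rule in particular is noisy for short brand names and needs an allow-list of partners and resellers.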
References
Electronic Transactions Development Agency (ETDA)