Cyber Threat Intelligence 07 April 2025
Vulnerabilities
- CISA Adds One Vulnerability To The KEV Catalog
"CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
CVE-2025-22457 Ivanti Connect Secure, Policy Secure and ZTA Gateways Stack-Based Buffer Overflow Vulnerability"
https://www.cisa.gov/news-events/alerts/2025/04/04/cisa-adds-one-vulnerability-kev-catalog
https://therecord.media/cisa-ivanti-firewall-bug-exploitation
- WinRAR Flaw Bypasses Windows Mark Of The Web Security Alerts
"A vulnerability in the WinRAR file archiver solution could be exploited to bypass the Mark of the Web (MotW) security warning and execute arbitrary code on a Windows machine. The security issue is tracked as CVE-2025-31334 and affects all WinRAR versions except the most recent release, which is currently 7.11. Mark of the Web is a security function in Windows in the form of a metadata value (an alternate data stream named ‘Zone.Identifier’) to tag as potentially unsafe files downloaded from the internet."
https://www.bleepingcomputer.com/news/security/winrar-flaw-bypasses-windows-mark-of-the-web-security-alerts/
https://jvn.jp/en/jp/JVN59547048/
Malware
- PoisonSeed Campaign Targets CRM And Bulk Email Providers In Supply Chain Spam Operation
"Silent Push Threat Analysts are sharing our discoveries related to a cryptocurrency and bulk email provider phishing campaign targeting enterprise organizations and VIP individuals outside the cryptocurrency industry, along with a supply chain spam operation targeting individual crypto holders with a novel “crypto seed phrase” phishing effort. We are naming this new threat “PoisonSeed.”"
https://www.silentpush.com/blog/poisonseed/
https://www.bleepingcomputer.com/news/security/poisonseed-phishing-campaign-behind-emails-with-wallet-seed-phrases/
- GitHub Action Tj-Actions/changed-Files Supply Chain Attack: What You Need To Know
"Yesterday, a malicious commit was discovered in the popular tj-actions/changed-files GitHub Action, which is used in over 23,000 repositories. The attackers modified the action’s code and retroactively updated multiple version tags to reference the malicious commit. The compromised Action now executes a malicious Python script that dumps CI/CD secrets, impacting thousands of CI pipelines. This blog post provides our assessment of the impact and guidance for Endor Labs customers, as well as general recommendations for anyone impacted."
https://www.endorlabs.com/learn/github-action-tj-actions-changed-files-supply-chain-attack-what-you-need-to-know
https://www.infosecurity-magazine.com/news/tj-actions-supply-chain-attack/
- A Journey Into Forgotten Null Session And MS-RPC Interfaces, Part 2
"In the first part of our research, I demonstrated how we revived the concept of no authentication (null session) after many years. This involved enumerating domain information, such as users, without authentication. I walked you through the entire process, starting with the difference between no-auth in the MS-RPC interfaces and the well-known null session, and ending with the methodology used to achieve our goal. Today, as promised, we’ll dive into part two. Here, we’ll explore why Windows behaves the way it does – allowing domain information to be enumerated without authentication. I’ll also explain why this activity is difficult to prevent and monitor."
https://securelist.com/ms-rpc-security-mechanism-step-by-step/116036/
- OH-MY-DC: OIDC Misconfigurations In CI/CD
"In the course of investigating the use of OpenID Connect (OIDC) within continuous integration and continuous deployment (CI/CD) environments, Unit 42 researchers discovered problematic patterns and implementations that could be leveraged by threat actors to gain access to restricted resources. One instance of such an implementation was identified in CircleCI’s OIDC."
https://unit42.paloaltonetworks.com/oidc-misconfigurations-in-ci-cd/
- Maryland Pharmacist Used Keyloggers To Spy On Coworkers For a Decade, Victim Alleges
"A Maryland pharmacist installed spyware on hundreds of computers at a major teaching hospital and recorded videos over the course of a decade of staff pumping breastmilk and breastfeeding, a class-action lawsuit alleges. The suit, filed on March 27 and first reported by the Baltimore Banner, accuses pharmacist Matthew Bathula of implanting keyloggers — a type of software that records what someone types on a keyboard — on about 400 computers at the University of Maryland Medical Center (UMMC)."
https://therecord.media/maryland-pharmacist-keylogger-spying-lawsuit
- Unmasking EncryptHub: Help From ChatGPT & OPSEC Blunders
"This is the second part of Outpost24’s KrakenLabs investigation into EncryptHub, an up-and-coming cybercriminal who has been gaining popularity in recent months and is heavily expanding and evolving operations at the time of writing. We’ve already published one article explaining EncryptHub’s campaigns and TTPs, infrastructure, infection methods, and targets. This article will follow a different approach. We’ll explore EncryptHub’s last decade online with a particular focus on his one-year-old foray into cybercrime, the OPSEC mistakes he’s made along the way, and how he used ChatGPT as a faithful accomplice throughout. This way, we hope to give you a human image beyond the amorphous dark entity that the generic tag of ‘Threat Actor’ usually gives."
https://outpost24.com/blog/unmasking-encrypthub-chatgpt-partner-crime/
https://thehackernews.com/2025/04/microsoft-credits-encrypthub-hacker.html
- Lazarus Expands Malicious Npm Campaign: 11 New Packages Add Malware Loaders And Bitbucket Payloads
"North Korean threat actors behind the Contagious Interview operation have expanded their presence in the npm ecosystem, publishing additional malicious packages that deliver the previously identified BeaverTail malware and introducing new packages with remote access trojan (RAT) loader functionality. These latest samples employ hexadecimal string encoding to evade automated detection systems and manual code audits, signaling a variation in the threat actors’ obfuscation techniques."
https://socket.dev/blog/lazarus-expands-malicious-npm-campaign-11-new-packages-add-malware-loaders-and-bitbucket
https://thehackernews.com/2025/04/north-korean-hackers-deploy-beavertail.html
- Malicious Python Packages Target Popular Bitcoin Library
"When it comes to the frequency and sophistication of software supply chain attacks, few industries can compare with cryptocurrency. As ReversingLabs' 2025 Software Supply Chain Security Report notes, 2024 saw close to two dozen sustained supply chain campaigns designed to compromise cryptocurrency applications, cryptocurrency owners’ wallets, and cryptocurrency trading platforms."
https://www.reversinglabs.com/blog/malicious-python-packages-target-popular-bitcoin-library
https://thehackernews.com/2025/04/malicious-python-packages-on-pypi.html
- E-ZPass Toll Payment Texts Return In Massive Phishing Wave
"An ongoing phishing campaign impersonating E-ZPass and other toll agencies has surged recently, with recipients receiving multiple iMessage and SMS texts to steal personal and credit card information. The messages embed links that, if clicked, take the victim to a phishing site impersonating E-ZPass, The Toll Roads, FasTrak, Florida Turnpike, or another toll authority that attempts to steal their personal information including names, email addresses, physical addresses, and credit card information. This scam is not new, with the FBI warning about it in April 2024, but BleepingComputer has seen and received multiple reports of a surge in this mobile phishing campaign."
https://www.bleepingcomputer.com/news/security/toll-payment-text-scam-returns-in-massive-phishing-wave/
- Malicious PyPI Package Targets WooCommerce Stores With Automated Carding Attacks
"The Socket research team recently discovered a malicious Python package on PyPI named disgrasya, which contains a fully automated carding script targeting WooCommerce stores. Unlike typical supply chain attacks that rely on deception or typosquatting, disgrasya made no attempt to appear legitimate. It was openly malicious, abusing PyPI as a distribution channel to reach a wider audience of fraudsters. The attack script we're investigating today specifically targets merchants using WooCommerce with CyberSource as their payment gateway."
https://socket.dev/blog/malicious-pypi-package-targets-woocommerce-stores-with-automated-carding-attacks
https://www.bleepingcomputer.com/news/security/carding-tool-abusing-woocommerce-api-downloaded-34k-times-on-pypi/
Breaches/Hacks/Leaks
- Port Of Seattle Says Ransomware Breach Impacts 90,000 People
"Port of Seattle, the U.S. government agency overseeing Seattle's seaport and airport, is notifying roughly 90,000 individuals of a data breach after their personal information was stolen in an August 2024 ransomware attack. The agency disclosed the attack on August 24, saying the resulting IT outage disrupted multiple services and systems, including reservation check-in systems, passenger display boards, the Port of Seattle website, the flySEA app, and delayed flights at Seattle-Tacoma International Airport."
https://www.bleepingcomputer.com/news/security/port-of-seattle-says-ransomware-breach-impacts-90-000-people/
https://therecord.media/port-of-seattle-says-90000-impacted-in-2024-ransomware-attack
https://securityaffairs.com/176205/data-breach/port-of-seattle-august-data-breach-impacted-90000-people.html
- Europcar GitLab Breach Exposes Data Of Up To 200,000 Customers
"A hacker breached the GitLab repositories of multinational car-rental company Europcar Mobility Group and stole source code for Android and iOS applications, as well as some personal information belonging to up to 200,000 customers. The actor tried to extort the company by threatening to publish 37GB of data that includes backups and details about the company’s cloud infrastructure and internal applications."
https://www.bleepingcomputer.com/news/security/europcar-gitlab-breach-exposes-data-of-up-to-200-000-customers/
General News
- Forward-Thinking CISOs Are Shining a Light On Shadow IT
"In this Help Net Security interview, Curtis Simpson, CISO and Chief Advocacy Officer at Armis, discusses how CISOs can balance security and innovation while managing the risks of shadow IT. Rather than focusing on restrictive policies, fostering proactive partnerships with business leaders to identify secure alternatives for unsanctioned tools is essential. Simpson also discusses common misconceptions, security practices, and the role of AI and automation in ensuring asset visibility."
https://www.helpnetsecurity.com/2025/04/04/curtis-simpson-armis-shadow-it-risks/
- Connected Cars Drive Into a Cybersecurity Crisis
"Technology has entered all areas of life, and our cars are no exception. They have become computers on wheels, equipped with sensors, software, and connectivity that provide safety and comfort. However, like all technological innovations, this one also brings risks, making cars vulnerable to cyberattacks."
https://www.helpnetsecurity.com/2025/04/04/cybersecurity-risks-cars/
- Benefits From Privacy Investment Are Greater Than The Cost
"Cisco released its 2025 Data Privacy Benchmark Study. The report looks at global trends in data privacy and how they affect businesses. The study gathered responses from 2,600 privacy and security experts in 12 countries. It highlights the need for strong data privacy practices to fully benefit from AI. “Privacy and proper data governance are foundational to Responsible AI,” said Dev Stahlkopf, Cisco Chief Legal Officer. “For organizations working toward AI readiness, privacy investments establish essential groundwork, helping to accelerate effective AI governance.”"
https://www.helpnetsecurity.com/2025/04/04/privacy-investment-benefits/
https://www.cisco.com/c/dam/en_us/about/doing_business/trust-center/docs/cisco-privacy-benchmark-study-2025.pdf
- Capacity Is Critical In Riskier Threat Landscape
"The Pall Mall Process was launched Feb 2024 by the UK and France, building multistakeholder dialogue on the proliferation of Commercial Cyber-Intrusion Capabilities (CCICs). Work on this followed from other group initiatives including CyberTech Accord and the Paris Call for Trust and Security in Cyberspace, with from the Paris Peace Forum. Yet, spyware remains a growing concern, with increasing incidents reported globally. Combined with a growing rate of vulnerability discovery and increased fragmentation in disclosure reporting, policy makers are faced with the necessity to turn their commitments into action. On the eve of the Second Pall Mall Process Conference, it’s important to consider how the current state of the threat landscape informs the actions that will most impact the trade of CCICs."
https://www.trendmicro.com/en_us/research/25/d/threat-landscape-capacity.html
- Q1 Goals To Gaps In Security: The Rise Of HR-Themed Phishing
"As organizations wrap up the first quarter of the year, many employees are gearing up for Q1 evaluations that highlight their progress or areas for improvement, while also planning for their goals in the upcoming Q2. These goals and achievements showcase a glimpse of what they can expect for their yearly reviews, bonuses, and future opportunities. Cybercriminals have been exploiting this anticipation by creating a themed phishing campaign camouflaged as official company-wide initiatives to follow toward the end of Q1."
https://cofense.com/blog/q1-goals-to-gaps-in-security-the-rise-of-hr-themed-phishing
- Ransomware Attack Levels Remain High As Major Change Looms
"March saw notable events, including a potential change at the top of the ransomware world, persistently high attacks, and the emergence of new groups. March 2025 ended on a surprising note when the onion-based data leak site (DLS) of RansomHub – the largest ransomware group over the last year – went offline, fueling speculation of a possible takeover. A few days later, rival DragonForce claimed to have taken over RansomHub’s infrastructure, raising the potential for a major change in the ransomware landscape in the months ahead."
https://cyble.com/blog/ransomware-attack-levels-remain-high-as-major-change-looms/
- Medusa Rides Momentum From Ransomware-As-a-Service Pivot
"In mid-2024, the Medusa ransomware group shifted its approach to cybercrime, moving from closed operations where all activities were performed by a small, insular group to the adoption of a ransomware-as-a-service (RaaS) model, bringing on affiliates and sharing revenue. Like companies that adopt a franchise model, the Medusa group saw business take off. Attacks using the group's infrastructure jumped by 43% in 2024 and are on track to increase again by at least a third this year. Overall, the Medusa RaaS group has compromised 300 to 400 victims since mid-2024, and its tendency to target critical industries, such as healthcare and manufacturing, has resulted in an outsized impact."
https://www.darkreading.com/threat-intelligence/medusa-momentum-ransomware-as-a-service-pivot
- Secure Communications Evolve Beyond End-To-End Encryption
"Recent news has shone a spotlight on secure communications. Late last year, China-linked threat actors Salt Typhoon and Liminal Panda compromised telecommunications and Internet-service providers, leading top US security agencies to recommend that Americans use encrypted messaging apps. In another incident, a US Army soldier allegedly stole data stores collected by 15 cellular and telecommunications carriers and posted the caches to Dark Web forums. And governments worldwide — from China and Russia, to Iran and Israel, to the UK and the US — have increased monitoring and espionage operations worrying activists, journalists, and businesses."
https://www.darkreading.com/cybersecurity-operations/secure-communications-evolve-beyond-end-to-end-encryption
- 30 Minutes To Pwn Town: Are Speedy Responses More Important Than Backups For Recovery?
"Maintaining good-quality backups is often seen as the spine of any organization's ability to recover from cyberattacks quickly. Naturally, given the emphasis placed on them by experts of all stripes, you'd be forgiven for thinking that prioritizing them over anything else would be the way to go. Small businesses looking for a steer on cybersecurity may find themselves perusing the UK NCSC's guide on that exact matter. Front and center, ahead of anything else, is the importance of backing up business-critical data and five top tips for doing it well."
https://www.theregister.com/2025/04/04/30_minutes_to_pwn_town/
References
Electronic Transactions Development Agency (ETDA)