Cyber Threat Intelligence 08 April 2025
New Tooling
- YES3 Scanner: Open-Source S3 Security Scanner For Public Access, Ransomware Protection
"YES3 Scanner is an open-source tool that scans and analyzes 10+ different configuration items for your S3 buckets in AWS. This includes access such as public access via ACLs and bucket policies – including the complex combinations of account and bucket settings that can make an S3 bucket effectively public. “We built this tool after realizing potential users needed a better way to scan their S3 resources for access and ransomware protection. We wanted to have a tool that not only scans for access issues with S3, but also checks for additional layers of security including helping to prevent against ransomware,” Jason Kao, Founder of Fog Security, told Help Net Security."
https://www.helpnetsecurity.com/2025/04/07/yes3-scanner-open-source-s3-security-scanner/
https://github.com/FogSecurity/yes3-scanner
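The "complex combinations of account and bucket settings" are the part of such a scan that is easiest to get wrong by hand, so the following Python is added here as a worked example of the evaluation logic. It is not YES3 Scanner's own code. It models how the four Block Public Access flags, combined across the account and bucket levels, interact with existing ACL grants and a bucket policy. The input dicts are constructed to resemble the shape of the boto3 GetPublicAccessBlock, GetBucketAcl and GetBucketPolicy responses so the example runs offline; the bucket name, policy and grants are made up, and the "public policy" test is a simplification of the one AWS applies.

```python
"""Added example: evaluate whether an S3 bucket is *effectively* public.

Not YES3 Scanner's own code. It models how account-level and bucket-level
Block Public Access (BPA) flags combine with bucket ACL grants and the bucket
policy. Inputs are plain dicts shaped like the boto3 responses for
GetPublicAccessBlock, GetBucketAcl and GetBucketPolicy, so it runs offline
on the constructed samples at the bottom.
"""
from __future__ import annotations

# ACL grantees that AWS counts as "public" (both group URIs, not only AllUsers).
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
BPA_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")


def effective_bpa(account: dict, bucket: dict) -> dict[str, bool]:
    """Account and bucket BPA settings combine as a union: a flag is in
    effect if either level sets it, so a bucket cannot opt out of an
    account-level block."""
    return {f: bool(account.get(f)) or bool(bucket.get(f)) for f in BPA_FLAGS}


def acl_is_public(grants: list[dict]) -> bool:
    """True if any grant targets the AllUsers or AuthenticatedUsers group."""
    return any(
        g.get("Grantee", {}).get("Type") == "Group"
        and g["Grantee"].get("URI") in PUBLIC_GRANTEES
        for g in grants
    )


def _wildcard_principal(principal) -> bool:
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def policy_is_public(policy: dict | None) -> bool:
    """Simplified form of AWS's public-policy test: an Allow statement with a
    wildcard principal and no Condition. AWS treats some conditions (e.g. on
    aws:PrincipalOrgID) as narrowing and others not; here ANY Condition is
    assumed to narrow, which can under-report."""
    if not policy:
        return False
    stmts = policy.get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    return any(
        s.get("Effect") == "Allow"
        and _wildcard_principal(s.get("Principal"))
        and not s.get("Condition")
        for s in stmts
    )


def assess_bucket(account_bpa: dict, bucket_bpa: dict,
                  acl_grants: list[dict], policy: dict | None) -> list[str]:
    """Return findings; entries starting with 'PUBLIC' mean the exposure is
    live. IgnorePublicAcls neutralises public ACL grants and
    RestrictPublicBuckets neutralises a public bucket policy; the Block*
    flags only stop NEW public settings from being written, so an existing
    public ACL or policy stays in force under them."""
    bpa = effective_bpa(account_bpa, bucket_bpa)
    findings: list[str] = []
    if acl_is_public(acl_grants):
        findings.append("ACL grant to public group is neutralised by IgnorePublicAcls"
                        if bpa["IgnorePublicAcls"] else
                        "PUBLIC via ACL: grant to AllUsers/AuthenticatedUsers is in effect")
    if policy_is_public(policy):
        findings.append("public bucket policy is neutralised by RestrictPublicBuckets"
                        if bpa["RestrictPublicBuckets"] else
                        "PUBLIC via policy: wildcard-principal Allow is in effect")
    return findings


def is_effectively_public(findings: list[str]) -> bool:
    return any(f.startswith("PUBLIC") for f in findings)


# --- constructed sample inputs (hypothetical bucket, not real data) ----------
PUBLIC_ACL = [{"Grantee": {"Type": "Group",
                           "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
               "Permission": "READ"}]
PUBLIC_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*"}]}
CONDITIONED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-example"}}}]}

if __name__ == "__main__":
    # Only BlockPublicAcls is on at the account level: it stops new public
    # ACLs but does nothing about the existing grant, so the bucket is public.
    for line in assess_bucket({"BlockPublicAcls": True}, {}, PUBLIC_ACL, PUBLIC_POLICY):
        print(line)
```

The point the sample scenario makes is the one that catches people in practice: turning on BlockPublicAcls or BlockPublicPolicy after the fact prevents new public settings from being written but leaves an existing public grant or policy live; only IgnorePublicAcls and RestrictPublicBuckets change the evaluation of what is already there. A real scan would feed the same functions from the live API responses for each bucket and the account.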
Vulnerabilities
- Google Fixes Android Zero-Days Exploited In Attacks, 60 Other Flaws
"Google has released patches for 62 vulnerabilities in Android's April 2025 security update, including two zero-days exploited in targeted attacks. One of the zero-days, a high-severity privilege escalation security vulnerability (CVE-2024-53197) in the Linux kernel's USB-audio driver for ALSA Devices, was reportedly exploited by Serbian authorities to unlock confiscated Android devices as part of a zero-day exploit chain developed by Israeli digital forensics company Cellebrite."
https://www.bleepingcomputer.com/news/security/google-fixes-android-zero-days-exploited-in-attacks-60-other-flaws/
https://source.android.com/docs/security/bulletin/2025-04-01
https://cyberscoop.com/android-security-update-april-2025/
- IngressNightmare | Critical Unauthenticated RCE Vulnerabilities In Kubernetes Ingress NGINX
"As more organizations adopt containerization, Kubernetes adoption is at an all-time high. A key component to any Kubernetes cluster is allowing and managing external traffic to the services organizations are building. Enter, Ingress. As a powerful component and set of resources that expose services to the outside world, Ingress’ power and complexity lends itself to a considerable risk profile when compromised. In this post, we dive into a grouping of critical vulnerabilities dubbed IngressNightmare and share actionable mitigation and detection strategies, including multiple ways in which SentinelOne’s Singularity Platform can highlight both IngressNightmare vulnerability exposure and possible exploitation in runtime."
https://www.sentinelone.com/blog/ingressnightmare-critical-unauthenticated-rce-vulnerabilities-in-kubernetes-ingress-nginx/
- MediaTek’s April 2025 Security Bulletin: Critical WLAN Vulnerability Exposes Chipsets
"MediaTek has released its April 2025 Product Security Bulletin, detailing a range of security vulnerabilities affecting its various chipsets. The bulletin covers vulnerabilities in chipsets used in smartphones, tablets, AIoT devices, smart displays, smart platforms, OTT devices, computer vision, audio, and TVs."
https://securityonline.info/mediateks-april-2025-security-bulletin-critical-wlan-vulnerability-exposes-chipsets/
- CISA Adds One Known Exploited Vulnerability To Catalog
"CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
CVE-2025-31161 CrushFTP Authentication Bypass Vulnerability"
https://www.cisa.gov/news-events/alerts/2025/04/07/cisa-adds-one-known-exploited-vulnerability-catalog
- Chrome To Patch Decades-Old Flaw That Let Sites Peek At Your History
"A 23-year-old side-channel attack for spying on people's web browsing histories will get shut down in the forthcoming Chrome 136, released last Thursday to the Chrome beta channel. At least that's the hope. The privacy attack, referred to as browser history sniffing, involves reading the color values of web links on a page to see if the linked pages have been visited previously."
https://www.theregister.com/2025/04/07/chrome_135_history_sniffing/
Malware
- Mining In Plain Sight: The VS Code Extension Cryptojacking Campaign
"Developers targeted by sophisticated cryptomining campaign hiding in seemingly legitimate VS Code extensions, potentially reaching over one million installations as detected by ExtensionTotal. These fake extensions, published after April 4th by three different authors (mostly “Mark H”), secretly download a PowerShell script that disables Windows security, establishes persistence through scheduled tasks, and installs an XMRig cryptominer. The most successful fake extension (“Discord Rich Presence”) gained 189K installs alone. The attackers created a sophisticated multi-stage attack, even installing the legitimate extensions they impersonated to avoid raising suspicion while mining cryptocurrency in the background."
https://blog.extensiontotal.com/mining-in-plain-sight-the-vs-code-extension-cryptojacking-campaign-19ca12904b59?gi=602bb1b86757
https://www.bleepingcomputer.com/news/security/malicious-vscode-extensions-infect-windows-with-cryptominers/
https://www.infosecurity-magazine.com/news/microsoft-vs-code-cryptojacking/
- How ToddyCat Tried To Hide Behind AV Software
"To hide their activity in infected systems, APT groups resort to various techniques to bypass defenses. Most of these techniques are well known and detectable by both EPP solutions and EDR threat-monitoring and response tools. For example, to hide their activity in Windows systems, cybercriminals can use kernel-level rootkits, in particular malicious drivers. However, in the latest versions of Windows, kernel-mode drivers are loaded only if digitally signed by Microsoft. Attackers get round this protection mechanism by using legitimate drivers that have the right signature, but contain vulnerable functions that allow malicious actions in the context of the kernel."
https://securelist.com/toddycat-apt-exploits-vulnerability-in-eset-software-for-dll-proxying/116086/
https://therecord.media/eset-software-vulnerability-malware-toddycat-apt
https://www.darkreading.com/vulnerabilities-threats/toddycat-apt-eset-bug-silent-malware
- Xanthorox AI – The Next Generation Of Malicious AI Threats Emerges
"A new player has entered the cybercrime AI landscape – Xanthorox AI, a malicious tool that brands itself as the “Killer of WormGPT and all EvilGPT variants.” First spotted in late Q1 2025, Xanthorox began circulating in cybercrime communities across darknet forums and encrypted channels. The system is promoted as a highly modular AI platform tailored specifically for offensive cyber operations and privacy-conscious exploitation. Unlike its predecessors, Xanthorox AI doesn’t rely on jailbreaks or tweaks to existing foundation models."
https://slashnext.com/blog/xanthorox-ai-the-next-generation-of-malicious-ai-threats-emerges/
https://www.darkreading.com/threat-intelligence/autonomous-genai-attacker-platform-chat
https://hackread.com/xanthorox-ai-dark-web-full-spectrum-hacking-assistant/
https://www.infosecurity-magazine.com/news/darknets-xanthorox-ai-hackers-tools/
- When The Victimizers Become The Victims… RansomHub The Victim Of a Takeover?
"In February, RansomHub was described as the leading Ransomware-as-a-Service group and as a pervasive threat to critical sectors. Weeks later, Trend Micro analyzed SocGholish’s MaaS framework and its role in deploying RansomHub ransomware. RansomHub was clearly developing and making a significant impact in the ransomware ecosystem. But in the blink of an eye, it seemed, RansomHub went offline on March 31. Days later, DragonForce claimed responsibility for a takeover. As of April 7, attempts to connect to RansomHub’s onion site will show you a page that says “RansomHub,” but it is not RansomHub in control of the site."
https://databreaches.net/2025/04/07/when-the-victimizers-become-the-victims-ransomhub-the-victim-of-a-takeover/
- NEPTUNE RAT: An Advanced Windows RAT With System Destruction Capabilities And Password Exfiltration From 270+ Applications
"At CYFIRMA, we are committed to providing up-to-date insights into current threats and the tactics used by malicious actors targeting both organizations and individuals. In this report, we will take an in-depth look at the latest version of Neptune RAT, which has been shared on GitHub using a technique involving PowerShell commands:"
https://www.cyfirma.com/research/neptune-rat-an-advanced-windows-rat-with-system-destruction-capabilities-and-password-exfiltration-from-270-applications/
https://hackread.com/neptune-rat-variant-youtube-steal-windows-passwords/
- Hackers Are Pretending To Be Drone Companies And State Agencies To Spy On Ukrainian Victims
"Hackers are impersonating Ukrainian drone manufacturers and state agencies to infect targeted systems with information-stealing malware, according to new government research. The targets of these attacks include Ukraine’s armed forces, law enforcement agencies and local government bodies — especially those near the country’s eastern border, which is close to Russia. Ukraine’s computer emergency response team (CERT-UA), which has been tracking this activity since February, has not attributed the campaign to any known hacker group. They track the threat actor behind it as UAC-0226."
https://therecord.media/hackers-impersonate-drone-companies-state-agencies-spy-ukraine
- Smishing Triad Is Now Targeting Toll Payment Services In a Massive Fraud Campaign Expansion
"The Smishing Triad, a China-based cybercriminal group, has been linked to a surge in smishing campaigns targeting US and UK consumers. These campaigns involve fraudulent text messages claiming unpaid toll bills or payment requests related to toll services like FasTrak, E-ZPass, and I-Pass, which is expected to expand to similar services worldwide as their earlier campaigns did."
https://www.resecurity.com/blog/article/smishing-triad-is-now-targeting-toll-payment-services-in-a-massive-fraud-campaign-expansion
https://www.infosecurity-magazine.com/news/smishing-triad-toll-payment-scams/
https://www.malwarebytes.com/blog/news/2025/04/toll-fee-scams-are-back-and-heading-your-way
Breaches/Hacks/Leaks
- Everest Ransomware's Dark Web Leak Site Defaced, Now Offline
"The dark web leak site of the Everest ransomware gang has apparently been hacked over the weekend by an unknown attacker and is now offline. The unknown attacker replaced the website's contents with the following sarcastic message: "Don't do crime CRIME IS BAD xoxo from Prague." The Everest operation has since taken down its leak site, which no longer loads and now displays an "Onion site not found" error."
https://www.bleepingcomputer.com/news/security/everest-ransomwares-dark-web-leak-site-defaced-now-offline/
https://therecord.media/everest-ransomware-site-offline-following-defacement
- Food Giant WK Kellogg Discloses Data Breach Linked To Clop Ransomware
"US food giant WK Kellogg Co is warning employees and vendors that company data was stolen during the 2024 Cleo data theft attacks. Cleo software is a managed file transfer utility that was targeted by the Clop ransomware gang en masse at the end of last year. This attack leveraged two zero-day flaws tracked as CVE-2024-50623 and CVE-2024-55956, allowing the threat actors to breach servers and steal data. "WK Kellogg learned on February 27, 2025, that a security incident may have occurred involving Cleo," reads the notice."
https://www.bleepingcomputer.com/news/security/food-giant-wk-kellogg-discloses-data-breach-linked-to-clop-ransomware/
General News
- CISOs Battle Security Platform Fatigue
"It starts with good intentions. A tool to stop phishing. Another to monitor endpoints. One more for cloud workloads. Soon, a well-meaning CISO finds themselves managing dozens of products across teams, each with its own dashboard, alerts, and licensing headaches. Welcome to the age of security tool sprawl."
https://www.helpnetsecurity.com/2025/04/07/ciso-security-platform-fatigue/
- The Shift To Identity-First Security And Why It Matters
"In this Help Net Security interview, Arun Shrestha, CEO at BeyondID, discusses how AI is transforming secure access management for both attackers and defenders. He discusses the shift toward identity-first security, and the role of contextual and continuous authentication in neutralizing AI-driven intrusions. Shrestha also offers strategic guidance for CISOs managing the adoption of AI responsibly while maintaining security and compliance."
https://www.helpnetsecurity.com/2025/04/07/arun-shrestha-beyondid-ai-access-management/
- Six Arrested For AI-Powered Investment Scams That Stole $20 Million
"Spain's police arrested six individuals behind a large-scale cryptocurrency investment scam that used AI tools to generate deepfake ads featuring popular public figures to lure people. The scam was very successful, defrauding 19 million Euros ($20.9M) from 208 victims worldwide. The police operation, codenamed "COINBLACK – WENDMINE," started two years ago following the submission of a victim's complaint. The action led to the arrests of six individuals aged between 34 and 57 in the regions of Granada and Alicante."
https://www.bleepingcomputer.com/news/security/six-arrested-for-ai-powered-investment-scams-that-stole-20-million/
- AI-Powered Phishing Outperforms Elite Red Teams In 2025
"AI agents can now out-phish elite human red teams, at scale. In an ongoing AI Spear Phishing Agent experiment from 2023 to 2025, AI’s performance vs. humans improved by 55%. Advances in AI are simultaneously disrupting the social engineering landscape and the cybersecurity training category. The co-evolution of attacks and protections must be considered when evaluating the rising threat of blackhat generative AI, and how to defend against it."
https://hoxhunt.com/blog/ai-powered-phishing-vs-humans
https://www.bankinfosecurity.com/ai-outsmarts-human-red-teams-in-phishing-tests-a-27945
- NIST To Implement 'Deferred' Status To Dated Vulnerabilities
"The National Institute of Standards and Technology (NIST) has announced that all CVEs published before Jan. 1, 2018, will be marked as "deferred" within the National Vulnerability Database (NVD). The NVD is a repository that provides users with information about security flaws in software and hardware products, which are tracked as Common Vulnerabilities and Exposures (CVEs). Going forward, CVEs will display a banner on their CVE detail pages with this deferred status. NIST made the move in order to "indicate that we do not plan to prioritize updating NVD enrichment or initial NVD enrichment data due to the CVE's age.""
https://www.darkreading.com/vulnerabilities-threats/nist-deferred-status-dated-vulnerabilities
https://www.securityweek.com/nist-puts-pre-2018-cves-on-back-burner-as-it-works-to-clear-backlog/
- Scattered Spider's 'King Bob' Pleads Guilty To Cyber Charges
"Noah Urban, a 20-year-old linked to Scattered Spider, a major cybercrime ring, has pleaded guilty to the cybercrime charges against him and will pay millions in restitution. Urban, aka "King Bob," was arrested in January 2024 alongside four other members of the ring, which is known for recruiting young people while carrying out high-profile attacks, such as the ones that claimed MGM Resorts and Caesars Entertainment as its victims in September 2023."
https://www.darkreading.com/vulnerabilities-threats/scattered-spider-king-bob-pleads-guilty-charges
https://therecord.media/scattered-spider-member-noah-urban-guilty-plea
https://www.securityweek.com/suspected-scattered-spider-hacker-pleads-guilty/
https://securityaffairs.com/176323/cyber-crime/scattered-spider-cybercrime-group-member-pleaded-guilty.html
https://www.theregister.com/2025/04/07/scattered_spider_sim_swap/
- Security Theater: Vanity Metrics Keep You Busy - And Exposed
"After more than 25 years of mitigating risks, ensuring compliance, and building robust security programs for Fortune 500 companies, I've learned that looking busy isn't the same as being secure. It's an easy trap for busy cybersecurity leaders to fall into. We rely on metrics that tell a story of the tremendous efforts we're expending - how many vulnerabilities we patched, how fast we responded - but often vulnerability management metrics get associated with operational metrics because traditional approaches to measuring and implementing vulnerability management do not actually reduce risk. So, we resort to various ways of reporting on how many patches were applied under the traditional 30/60/90-day patching method."
https://thehackernews.com/2025/04/security-theater-vanity-metrics-keep.html
- Russia Arrests CEO Of Tech Company Linked To Doppelgänger Disinformation Campaign
"The chief executive of Russian tech company Aeza Group has been arrested in Moscow on suspicion of leading a criminal organization and involvement in large-scale drug trafficking. Yuri Bozoyan, who heads the St. Petersburg-based hosting provider, was placed in pretrial detention. Two other Aeza employees, Maxim Orel and Tatyana Zubova, were also detained on similar charges. The company is believed by cybersecurity researchers to have links to state-sponsored disinformation campaigns, as well as the country’s cybercriminal infrastructure."
https://therecord.media/doppelganger-ceo-arrests-russia-tech
Reference
Electronic Transactions Development Agency (ETDA)