Cyber Threat Intelligence 14 April 2025
Vulnerabilities
- CVE-2025-27520 Critical RCE In BentoML Has Fewer Affected Versions Than Reported
"A critical Remote Code Execution (RCE) vulnerability, CVE-2025-27520 with a CVSSv3 base score of 9.8, has been recently discovered in BentoML, an AI service helper Python library found on PyPI. This flaw allows unauthenticated attackers to execute arbitrary code by sending malicious data payloads as requests and potentially take control of the server. While the advisory specifies versions from 1.3.4 through 1.4.2 as affected, Checkmarx Zero’s analysis indicates that this issue affects versions 1.3.8 through 1.4.2 (see below for details). It is recommended that affected adopters upgrade to version 1.4.3 or later to repair the issue."
https://checkmarx.com/zero-post/bentoml-rce-fewer-affected-versions-cve-2025-27520/
https://hackread.com/bentoml-vulnerability-remote-code-execution-ai-servers/
- 10 Bugs Found In Perplexity AI's Chatbot Android App
"Researchers have identified ten security issues in the research-oriented AI chatbot Perplexity. Perplexity was released one week after ChatGPT, right as the maelstrom around artificial intelligence (AI) chatbots began, in late 2022. From the beginning, it distinguished itself for its accuracy — providing users with deeply researched answers with citations to queries."
https://www.darkreading.com/application-security/11-bugs-found-perplexity-chatbots-android-app
- Rapid7 Reveals RCE Path In Ivanti VPN Appliance After Silent Patch Debacle
"Security researchers at Rapid7 are publicly documenting a path to remote code execution of a critical flaw in Ivanti’s Connect Secure VPN appliances, ramping up the urgency for organizations to apply available patches. The publication of exploit code comes less than a week after Mandiant flagged in-the-wild exploitation of the Ivanti bug (CVE-2025-22457) by a Chinese hacking gang notorious for hacking into edge network devices."
https://www.securityweek.com/rapid7-reveals-rce-path-in-ivanti-vpn-appliance-after-silent-patch-debacle/
https://attackerkb.com/topics/0ybGQIkHzR/cve-2025-22457/rapid7-analysis
Malware
- How Cyberattackers Exploit Domain Controllers Using Ransomware
"In recent years, human-operated cyberattacks have undergone a dramatic transformation. These attacks, once characterized by sporadic and opportunistic attacks, have evolved into highly sophisticated, targeted campaigns aimed at causing maximum damage to organizations, with the average cost of a ransomware attack reaching $9.36 million in 2024. A key catalyst to this evolution is the rise of ransomware as a primary tool for financial extortion—an approach that hinges on crippling an organization’s operations by encrypting critical data and demanding a ransom for its release."
https://www.microsoft.com/en-us/security/blog/2025/04/09/how-cyberattackers-exploit-domain-controllers-using-ransomware/
https://www.bankinfosecurity.com/ransomware-hackers-target-active-directory-domain-controllers-a-27981
- Malicious NPM Packages Targeting PayPal Users
"FortiGuard Labs’ AI-driven OSS malware detection system has recently discovered a series of malicious NPM packages designed to steal sensitive information from compromised systems. These packages are believed to have been created between March 5 and March 14 by a threat actor known as tommyboy_h1 and tommyboy_h2 to target PayPal users."
https://www.fortinet.com/blog/threat-research/malicious-npm-packages-targeting-paypal-users
- Storm-2372: Russian APT Using Device Code Phishing In Advanced Attacks
"A newly uncovered cyber campaign led by the Russian state-backed group Storm-2372 is exploiting device code phishing to bypass Multi-Factor Authentication (MFA) and infiltrate high-value targets. This highly targeted tactic represents an escalation in the use of social engineering to defeat even advanced security systems. The campaign underlines the critical need for modern organizations to embrace adaptive, context-aware defense mechanisms to counter identity-based threats that are increasingly evading conventional protections."
https://socradar.io/storm-2372-russian-apt-using-device-code-phishing-in-advanced-attacks/
https://hackread.com/russia-storm-2372-hit-mfa-bypass-device-code-phishing/
- Stolen With a Click: The Booming Business Of PayPal Scams
"In today’s digital age, online payment platforms like PayPal have become essential tools for our everyday transactions. Unfortunately, they’ve also become prime targets for cybercriminals looking to steal personal information and money. McAfee Labs has uncovered a concerning trend with a spike in PayPal-related scams, with February 2025 seeing a dramatic seven-fold increase in fraudulent emails compared to January."
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/stolen-with-a-click-the-booming-business-of-paypal-scams/
- Palo Alto Networks Warns Of Brute-Force Attempts Targeting PAN-OS GlobalProtect Gateways
"Palo Alto Networks has revealed that it's observing brute-force login attempts against PAN-OS GlobalProtect gateways, days after threat hunters warned of a surge in suspicious login scanning activity targeting its appliances. "Our teams are observing evidence of activity consistent with password-related attacks, such as brute-force login attempts, which does not indicate exploitation of a vulnerability," a spokesperson for the company told The Hacker News. "We continue to actively monitor this situation and analyze the reported activity to determine its potential impact and identify if mitigations are necessary.""
https://thehackernews.com/2025/04/palo-alto-networks-warns-of-brute-force.html
https://securityaffairs.com/176446/hacking/brute-force-login-attempts-on-pan-os-globalprotect.html
- Tycoon2FA New Evasion Technique For 2025
"The Tycoon 2FA phishing kit has adopted several new evasion techniques aimed at slipping past endpoints and detection systems. These include using a custom CAPTCHA rendered via HTML5 canvas, invisible Unicode characters in obfuscated JavaScript, and anti-debugging scripts to thwart inspection. This blog takes a closer look at these methods to better understand how this kit is evolving and what defenders should be aware of."
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/tycoon2fa-new-evasion-technique-for-2025/
https://www.bleepingcomputer.com/news/security/tycoon2fa-phishing-kit-targets-microsoft-365-with-new-tricks/
Breaches/Hacks/Leaks
- Western Sydney University Discloses Security Breaches, Data Leak
"Western Sydney University (WSU) announced two security incidents that exposed personal information belonging to members of its community. WSU is a prominent Australian institution offering various undergraduate, postgraduate, and research programs across multiple disciplines. It serves a student body of 47,000 and employs over 4,500 permanent and seasonal staff, operating with an annual budget of approximately $600 million."
https://www.bleepingcomputer.com/news/security/western-sydney-university-discloses-security-breaches-data-leak/
- US Lab Testing Provider Exposed Health Data Of 1.6 Million People
"Laboratory Services Cooperative (LSC) has released a statement informing it suffered a data breach where hackers stole sensitive information of roughly 1.6 million people from its systems. LSC is a Seattle-based nonprofit organization that provides centralized laboratory services to its member affiliates, including select Planned Parenthood centers. It plays a crucial role within its niche, supporting organizations in the reproductive health services across more than 35 U.S. states, handling sensitive lab testing, billing, and personal data."
https://www.bleepingcomputer.com/news/security/us-lab-testing-provider-exposed-health-data-of-16-million-people/
https://therecord.media/lab-provider-planned-parenthood-breach
https://www.bankinfosecurity.com/medical-lab-hack-affects-planned-parenthood-patients-a-27980
https://www.securityweek.com/1-6-million-people-impacted-by-data-breach-at-laboratory-services-cooperative/
https://securityaffairs.com/176451/data-breach/laboratory-services-cooperative-data-breach.html
- Ransomware Attack Cost IKEA Operator In Eastern Europe $23 Million
"Fourlis Group, the operator of IKEA stores in Greece, Cyprus, Romania, and Bulgaria, has informed that the ransomware attack it suffered just before Black Friday on November 27, 2024, caused losses estimated to €20 million ($22.8 million). The security incident became public on December 3, 2024, when the group admitted that the technical problems IKEA online shops were facing were due to “malicious external action.” Although the company also operates Intersport, Foot Locker, and Holland & Barrett shops in the said countries, the impact of the attack affected mainly IKEA business operations."
https://www.bleepingcomputer.com/news/security/ransomware-attack-cost-ikea-operator-in-eastern-europe-23-million/
- No Need To Hack When It’s Leaking: SavantCare Edition
"Today’s concerning leak is brought to you by SavantCare. The leak was discovered by an independent researcher who first reported it on his blog yesterday. In his report, @JayeLTee states that he found exposed data that included data from SavantCare employee chats. “Over two-thirds of the 308 users on the chat were for SavantCare, a Mental and Behaviour Health Clinic from the United States, and around 30 users were from OVLG (Oak View Law Group),” JayeLTee reported, noting that the chat was likely set up by Grmtech, a digital marketing and SEO company from India."
https://databreaches.net/2025/04/11/no-need-to-hack-when-its-leaking-savantcare-edition/
- SK.com Allegedly Hacked By Qilin
"SK Inc. invests heavily in the U.S. It claims to be investing $50 billion in U.S. businesses, with investment in electric vehicle batteries, life sciences, technology solutions, semiconductors, and sustainable energy. The firm has a presence in more than 20 states at this time. On April 10, Qilin added SK.com to its dark web leak site with a claim that it had exfiltrated more than 1 TB of files from its servers. Qilin did not offer any proof of claims except for one photo of what appeared to be people meeting by video conference with then-President Biden. The background of the photo suggests that it was taken in the West Wing."
https://databreaches.net/2025/04/12/sk-com-allegedly-hacked-by-qilin/
General News
- CISOs Top Order Of Business: Cyber Risk Reduction & Management
"For modern CISOs, cyber risk management and reduction are nonstop challenges. But this blog offers exactly what you need to build a strategy that empowers you to manage and mitigate threats—cutting through the noise of an otherwise demanding role."
https://www.group-ib.com/blog/ciso-risk-management/
- Why Security Culture Is Crypto’s Strongest Asset
"In this Help Net Security interview, Norah Beers, CISO at Grayscale, discusses key security challenges in managing crypto assets, adversary tactics, private key management, and securing both hot and cold wallets."
https://www.helpnetsecurity.com/2025/04/11/norah-beers-grayscale-crypto-asset-management/
- Financial Fraud, With a Third-Party Twist, Dominates Cyber Claims
"While ransomware represented the most costly cyber-insurance claims in 2024, incidents of financial fraud continue to be far more numerous, with both often triggered by security failures at a third-party firm. That insight comes from the latest tranche of cyber-insurance data released this year, this time by cyber-insurance firm At-Bay. Financial fraud — most often following a phishing attack — remained the most common type of cyberattack leading to an insurance claim, according to At-Bay's "2025 InsurSec Report," released this week. While the cyber insurer saw 16% more claims in 2024 than the year before, the overall cost of each incident declined to $166,000, down from $213,000 in 2021."
https://www.darkreading.com/threat-intelligence/financial-fraud-third-party-cyber-claims
https://www.at-bay.com/2025-insursec-report/
https://www.helpnetsecurity.com/2025/04/11/ransomware-incidents-frequency/
- Why Remote Work Is a Security Minefield (and What You Can Do About It)
"Remote work is seen as more than a temporary solution, it’s a long-term strategy for many organizations."
https://www.helpnetsecurity.com/2025/04/11/remote-work-cybersecurity-challenges/
- iOS Devices Face Twice The Phishing Attacks Of Android
"2024 brought about countless new cybersecurity challenges including significant growth of the mobile threat landscape, according to Lookout. Threat actors, ranging from nation-states to individuals, are increasingly targeting mobile devices for the onset of their attacks to steal credentials and infiltrate the enterprise cloud in a pathway known as the modern kill chain. More than ever, organizations of every size across every industry must view mobile targeting as a canary in the coal mine – an early indication that they could be under attack elsewhere in their infrastructure."
https://www.helpnetsecurity.com/2025/04/11/mobile-cybersecurity-challenges/
- Organizations Lack Incident Response Plans, But Answers Are On The Way
"Ransomware attacks are on the rise, data breaches are exposing sensitive information belonging to millions of individuals, and businesses are experiencing significant disruptions to their operations. Yet for many organizations, their incident response (IR) plans are outdated and ineffective at handling the current threats."
https://www.darkreading.com/cyberattacks-data-breaches/shortcomings-improvements-incident-response-plans
- NVD Revamps Operations As Vulnerability Reporting Surges
"After a tumultuous year marked by internal turmoil and a mounting vulnerability backlog, the National Vulnerability Database (NVD) team within the US National Institute of Standards and Technology (NIST) has finally stabilized. However, the NVD is now facing a new challenge: a surge in vulnerability reporting that has sent its backlog soaring, threatening to outpace the team's revitalized efforts. Tanya Brewer, the NVD Program Manager, and Matthew Scholl, Chief of the Computer Security Division at NIST, shared some of NVD’s latest updates on April 10, the final day of VulnCon, an event dedicated to vulnerability management in Raleigh, North Carolina."
https://www.infosecurity-magazine.com/news/nvd-revamps-operations-cve-surge/
- China Admitted To Volt Typhoon Cyberattacks On US Critical Infrastructure: Report
"In a secret meeting that took place late last year between Chinese and American officials, the former confirmed that China had conducted cyberattacks against US infrastructure as part of the campaign known as Volt Typhoon, according to The Wall Street Journal. The meeting took place at a Geneva summit in December and involved members of the outgoing Biden administration. The US officials who were present were startled by China’s admission, people familiar with the matter told WSJ [paywalled article]."
https://www.securityweek.com/china-admitted-to-us-that-it-conducted-volt-typhoon-attacks-report/
https://securityaffairs.com/176485/apt/china-admitted-its-role-in-volt-typhoon-cyberattacks-on-u-s-infrastructure.html
- Initial Access Brokers Shift Tactics, Selling More For Less
"Initial Access Brokers (IABs) specialize in gaining unauthorized entry into computer systems and networks, then selling that access to other cybercriminals. This division of labor allows IABs to concentrate on their core expertise: exploiting vulnerabilities through methods like social engineering and brute-force attacks. By selling access, they significantly mitigate the risks associated with directly executing ransomware attacks or other complex operations. Instead, they capitalize on their skill in breaching networks, effectively streamlining the attack process for their clients."
https://thehackernews.com/2025/04/initial-access-brokers-shift-tactics.html
- March 2025 Infostealer Trend Report
"This report provides statistics, trends, and case information on the distribution quantity, distribution methods, and disguise techniques of Infostealer collected and analyzed during March 2025. Below is a summary of the report."
https://asec.ahnlab.com/en/87444/
- March 2025 Threat Trend Report On Ransomware
"This report provides statistics on the number of new ransomware samples, number of targeted systems, and targeted companies collected in March 2025, as well as major Korean and international ransomware issues worth noting. Below are the summarized details. The number of ransomware samples and number of damaged systems is based on the detection names assigned by AhnLab, and statistics on targeted companies is based on the information published on the Dedicated Leak Site (DLS) of the ransomware group, also referred to as ransomware PR sites or PR pages, collected by the ATIP infrastructure over time."
https://asec.ahnlab.com/en/87445/
- The Rise Of Slopsquatting: How AI Hallucinations Are Fueling a New Class Of Supply Chain Attacks
"Large Language Models (LLMs) are becoming a staple in modern development workflows. AI-powered code assistant tools like Copilot, ChatGPT, and Cursor are now used to help write everything from web apps to automation scripts. They deliver industry-altering productivity gains but also introduce new risks, some of them entirely novel. One such risk is slopsquatting, a new term for a surprisingly effective type of software supply chain attack that emerges when LLMs “hallucinate” package names that don’t actually exist. If you’ve ever seen an AI recommend a package and thought, “Wait, is that real?”—you’ve already encountered the foundation of the problem. And now attackers are catching on."
https://socket.dev/blog/slopsquatting-how-ai-hallucinations-are-fueling-a-new-class-of-supply-chain-attacks
https://www.bleepingcomputer.com/news/security/ai-hallucinated-code-dependencies-become-new-supply-chain-risk/
https://www.theregister.com/2025/04/12/ai_code_suggestions_sabotage_supply_chain/
- Hacktivism Is Back – But Don't Be Fooled, It's Often State-Backed Goons In Masks
"From triggering a water tank overflow in Texas to shutting down Russian state news services on Vladimir Putin's birthday, self-styled hacktivists have been making headlines. But don't let the Guy Fawkes avatars fool you. Today's "hacktivists," especially those going after critical infrastructure, often have less in common with just the digital vandals of the Nineties and Naughts than with government-backed cyber operators. Threat intel analysts say their tactics, targets, and timing suggest something calculated, and far more connected to nation-state interests."
https://www.theregister.com/2025/04/13/hacktivism_is_having_a_resurgence/
References
Electronic Transactions Development Agency (ETDA) - CVE-2025-27520 Critical RCE In BentoML Has Fewer Affected Versions Than Reported