Cyber Threat Intelligence 21 April 2025
Industrial Sector
- If Boards Don't Fix OT Security, Regulators Will
"Lviv, Ukraine. Arkansas City, United States. Drum, Ireland. In each case, hackers broke in through exposed IT systems and found operational technology (OT) environments wide open: a pump controller or heating utility linked directly to the business network with no segmentation in sight. As sophisticated threat groups worm their way into critical infrastructure and lay the groundwork for physical disruptions, corporate boards need to get serious on OT security risk. If they don't, tightening security regulations like the UK's Cyber Security and Resilience Bill will force their hand."
https://www.darkreading.com/ics-ot-security/boards-fix-ot-security-regulators
Vulnerabilities
- Critical Erlang/OTP SSH RCE Bug Now Has Public Exploits, Patch Now
"Public exploits are now available for a critical Erlang/OTP SSH vulnerability tracked as CVE-2025-32433, allowing unauthenticated attackers to remotely execute code on impacted devices. Researchers at the Ruhr University Bochum in Germany disclosed the flaw on Wednesday, warning that all devices running the daemon were vulnerable. "The issue is caused by a flaw in the SSH protocol message handling which allows an attacker to send connection protocol messages prior to authentication," reads a disclosure on the OpenWall vulnerability mailing list."
https://www.bleepingcomputer.com/news/security/public-exploits-released-for-critical-erlang-otp-ssh-flaw-patch-now/
- ASUS Warns Of Critical Auth Bypass Flaw In Routers Using AiCloud
"ASUS is warning about an authentication bypass vulnerability in routers with AiCloud enabled that could allow remote attackers to perform unauthorized execution of functions on the device. The vulnerability, tracked under CVE-2025-2492 and rated critical (CVSS v4 score: 9.2), is remotely exploitable via a specially crafted request and requires no authentication, making it particularly dangerous. "An improper authentication control vulnerability exists in certain ASUS router firmware series," reads the vendor's bulletin."
https://www.bleepingcomputer.com/news/security/asus-warns-of-critical-auth-bypass-flaw-in-routers-using-aicloud/
https://thehackernews.com/2025/04/asus-confirms-critical-flaw-in-aicloud.html
https://securityaffairs.com/176697/security/asus-warns-of-a-router-authentication-bypass-flaw.html
Malware
- Interlock Ransomware Evolving Under The Radar
"Interlock is a ransomware intrusion set first observed in September 2024 that conducts Big Game Hunting and double extortion campaigns. Interlock cannot be classified as a “Ransomware-as-a-Service” (RaaS) group, as no advertisements for recruiting affiliates or information about affiliates have been found as of March 2025. Like many other ransomware groups, Interlock has a Data Leak Site (DLS) called “Worldwide Secrets Blog” exposing victims’ data, and providing a way for the victims to negotiate the ransom price."
https://blog.sekoia.io/interlock-ransomware-evolving-under-the-radar/
https://www.bleepingcomputer.com/news/security/interlock-ransomware-gang-pushes-fake-it-tools-in-clickfix-attacks/
- FBI: Scammers Pose As FBI IC3 Employees To 'help' Recover Lost Funds
"The FBI warns that scammers impersonating FBI Internet Crime Complaint Center (IC3) employees offer to "help" fraud victims recover money lost to other scammers. Over the last two years, between December 2023 and February 2025, the FBI said it has received over 100 reports of fraudsters using this tactic. "Complainants report initial contact from the scammers can vary. Some individuals received an email or a phone call, while others were approached via social media or forums," the law enforcement agency warned in a Friday public service announcement."
https://www.bleepingcomputer.com/news/security/fbi-scammers-pose-as-fbi-ic3-employees-to-help-recover-lost-funds/
https://www.ic3.gov/PSA/2025/PSA250418
- Credential Access Campaign Targeting SonicWall SMA Devices Potentially Linked To Exploitation Of CVE-2021-20035
"On April 15, 2025, SonicWall published a product notice regarding CVE-2021-20035, a vulnerability impacting SonicWall SMA 100 series appliances. In an updated security advisory for the vulnerability, SonicWall indicated on April 15, 2025 that the vulnerability was being exploited in the wild. The vulnerability was added to CISA’s known exploited vulnerabilities (KEV) catalog the following day. Prior to these updates, Arctic Wolf had been tracking a campaign targeting VPN credential access on SonicWall SMA devices. This credential access campaign is thought to be related to the vulnerability mentioned in the advisory recently updated by SonicWall."
https://arcticwolf.com/resources/blog/credential-access-campaign-targeting-sonicwall-sma-devices-potentially-linked-to-exploitation-of-cve-2021-20035/
https://www.bleepingcomputer.com/news/security/sonicwall-sma-vpn-devices-targeted-in-attacks-since-january/
https://securityaffairs.com/176706/security/attackers-exploited-sonicwall-sma-appliances-since-january-2025.html
- SuperCard X: Exposing a Chinese-Speaker MaaS For NFC Relay Fraud Operation
"The Cleafy Threat Intelligence team has identified a new and sophisticated Android malware campaign, dubbed 'SuperCard X’. This campaign employs a novel NFC-relay technique, enabling Threat Actors (TAs) to fraudulently authorize Point-of-Sale (POS) payments and Automated Teller Machine (ATM) withdrawals by intercepting and relaying NFC communications from compromised devices. The malware is distributed through Social Engineering tactics, deceiving victims into installing the malicious application and subsequently “tapping” their payment cards on their infected phones. Preliminary analysis suggests that TAs are leveraging a Chinese-speaking Malware-as-a-Service (MaaS) platform promoted as SuperCard X. This malware exhibits significant code overlap with the previously documented NGate malware discovered by ESET in 2024."
https://www.cleafy.com/cleafy-labs/supercardx-exposing-chinese-speaker-maas-for-nfc-relay-fraud-operation
https://therecord.media/new-payment-card-scam-involves-malware-tap
https://www.bleepingcomputer.com/news/security/supercard-x-android-malware-use-stolen-cards-in-nfc-relay-attacks/
- CapCut Copycats Are On The Prowl
"The craze around generative AI tools isn’t just reshaping industries – it also provides fertile ground for cybercriminals, who are always quick to piggyback on the allure of the latest big thing in tech. So what if, instead of downloading an AI‑generated video from CapCut or another similar tool, you had your data stolen or gave control of your computer to a stranger? The threat isn’t hypothetical – security researchers have previously observed campaigns that exploited CapCut’s popularity to distribute multiple infostealers and other malware. Let’s now look briefly at another campaign that’s targeting people interested in AI-powered content by promising premium versions of popular software such as CapCut, Adobe Express and Canva."
https://www.welivesecurity.com/en/scams/capcut-copycats-prowl/
- Inside Gamaredon’s PteroLNK: Dead Drop Resolvers And Evasive Infrastructure
"Proactively hunting for Russian-nexus threats, we identified samples from the Pterodo malware family, commonly associated with Gamaredon, uploaded to a public malware analysis platform between late 2024 and mid-March 2025. Notably, related Gamaredon Dead Drop Resolvers (DDR) are still being updated daily, indicating active operations. The Pterodo malware ecosystem has been previously documented by ESET in 2024, covering the years 2022-2023. Broader coverage of Gamaredon is inversely proportional to the group’s proliferation and impact. Existing publications on Gamaredon often focus on samples that are not publicly available, which limits the ability of the security community to conduct further analysis and research. Importantly, we found no publicly available analysis of the specific malware samples discussed in this report."
https://harfanglab.io/insidethelab/gamaredons-pterolnk-analysis/
- APT Group Profiles – Larva-24005
"During the breach investigation process, the AhnLab SEcurity intelligence Center (ASEC) discovered a new operation related to the Kimsuky group and named it Larva-24005. The threat actors exploited the RDP vulnerability to infiltrate the system. They then changed the system configuration by installing the MySpy malware and RDPWrap to create a continuous remote access environment. They also infected the system with a keylogger that records the user’s keyboard inputs."
https://asec.ahnlab.com/en/87554/
- Npm Malware Targets Telegram Bot Developers With Persistent SSH Backdoors
"Socket’s Threat Research Team has uncovered a new supply chain attack: typosquatted Telegram bot libraries delivering SSH backdoors and data exfiltration routines. Telegram is one of the most popular messaging platforms in the world and increasingly a major target for attackers. Its open ecosystem and bot-friendly architecture make it appealing to developers, but also ripe for abuse. Telegram now boasts over 1 billion monthly active users as of 2025, including more than 12 million paying subscribers."
https://socket.dev/blog/npm-malware-targets-telegram-bot-developers
https://thehackernews.com/2025/04/rogue-npm-packages-mimic-telegram-bot.html
- Case Of Injection Attack Using Legitimate MS Utility Mavinject.exe
"Mavinject.exe is a legitimate utility provided by Microsoft. It is used to inject DLLs into specific processes in an Application Virtualization (App-V) environment. It has been included in the operating system by default since Windows 10 version 1607, and it is a trusted executable file signed by Microsoft. As a result, most security solutions tend to include this process in their list of trusted applications (whitelist)."
https://asec.ahnlab.com/en/87559/
Breaches/Hacks/Leaks
- Minnesota Dental Clinic Notifying 135,000 Of 2024 Hack
"Minnesota's largest nonprofit Medicaid dental practice is notifying nearly 135,000 people of a December 2024 data theft incident that potentially compromised their health and personal information, ranging from medical information to passport numbers. Community Dental Care reported the hack to U.S. federal regulators on March 28 as affecting 134,903 people and involving a network server."
https://www.bankinfosecurity.com/minnesota-dental-clinic-notifying-135000-2024-hack-a-28042
- Baltimore City State’s Attorney’s Office Hacked; Data Leaked
"One of the many cyberattacks that has escaped recent media attention is an incident involving the Baltimore City State’s Attorney’s Office in Maryland. Yesterday, data from the incident was leaked. The group known as Kairos added stattorney[.]org to its leak site on March 31, 2025. At that time, Kairos claimed that they had acquired 325 GB of files and provided a number of screenshots as proof of their claims. The screenshots, which they partially redacted to mask sensitive information, suggested that they had acquired some really sensitive information on victims of crimes and perpetrators. One of the screenshots appeared to be the body of a man murdered as part of a gang war."
https://databreaches.net/2025/04/19/baltimore-city-states-attorneys-office-hacked-data-leaked/
General News
- Securing Digital Products Under The Cyber Resilience Act
"In this Help Net Security interview, Dr. Dag Flachet, co-founder at Codific, explains what the Cyber Resilience Act (CRA) means for companies and how it compares to GDPR in terms of regulatory complexity and impact on organizations. He discusses the technical and procedural challenges posed by CRA, particularly in secure software development, and highlights the role of frameworks like OWASP SAMM in conducting readiness assessments."
https://www.helpnetsecurity.com/2025/04/18/dag-flachet-codific-cyber-resilience-act-regulatory-standards-for-organizations/
- When Ransomware Strikes, What’s Your Move?
"Should we negotiate? Should we pay? These are the questions every organization faces when cybercriminals lock their data. By the time attackers have encrypted your systems, the focus shifts from prevention to response. It’s no longer about how it happened, it’s about what you’re willing to do next. Ransomware gangs are becoming more organized and aggressive, and many now operate like businesses. They have customer service, payment portals, and negotiation playbooks. No organization is off-limits. Hospitals, schools, critical infrastructure, and global companies have all been hit."
https://www.helpnetsecurity.com/2025/04/18/ciso-ransomware-negotiations/
- Could Ransomware Survive Without Cryptocurrency?
"Ransomware has become synonymous with cryptocurrency, but factors such as poor cyber hygiene and organizations' willingness to pay ransoms are what fuel the threat. The number of recorded attacks and victims continues to climb following record-setting years for ransomware activity throughout 2023 and 2024. And the first few months of 2025 are on track to continue the upward trajectory. The pervasive threat has evolved significantly since the first recorded ransomware attack in 1989. Back then, attackers demanded ransom payments via traceable methods, such as standard mail and sending gift cards via SMS text messages. Nowadays, cryptocurrency — specifically Bitcoin — allows ransomware groups to request and receive ransoms in a far more anonymous and easier way."
https://www.darkreading.com/cyber-risk/ransomware-would-adapt-without-cryptocurrency
- Attackers And Defenders Lean On AI In Identity Fraud Battle
"As more attackers move to adopt artificial intelligence (AI) to conduct fraud, keeping up with the techniques is a challenge. Synthetic identities created by deep-fake AI algorithms often result in faces that appear too perfect, with no blemishes or too symmetrical, making them fairly easy to detect. Increasingly, however, that is not the case, says Hal Lonas, chief technology officer at identity verification firm Trulioo. "The [algorithms] insert the blemishes or they insert the slight imperfections, and so it always takes work to stay ahead of those things and get better at detection," he says. "It's definitely a cat-and-mouse game.""
https://www.darkreading.com/cyber-risk/fraudsters-increasingly-use-ai-companies-look-ai
- Text Scams Grow To Steal Hundreds Of Millions Of Dollars
"Text scams alone cost US citizens at least $470 million in 2024, according to new data from the US Federal Trade Commission (FTC). Because many scams go unreported, though, this dollar amount might be considerably more. The FTC illustrated this with a graph comparing the reported losses to the number of reports."
https://www.malwarebytes.com/blog/news/2025/04/text-scams-grow-to-steal-hundreds-of-millions-of-dollars
- The Shadow AI Surge: Study Finds 50% Of Workers Use Unapproved AI Tools
"An October 2024 study by Software AG suggests that half of all employees are Shadow AI users, and most of them wouldn’t stop even if it was banned. The problem is the ease of access to AI tools, and a work environment that increasingly advocates the use of AI to improve corporate efficiency. It is little wonder that employees seek their own AI tools to improve their personal efficiency and maximize the potential for promotion."
https://www.securityweek.com/the-shadow-ai-surge-study-finds-50-of-workers-use-unapproved-ai-tools/
https://www.harmonic.security/resources/the-ai-tightrope-balancing-innovation-and-exposure
- Alleged SmokeLoader Malware Operator Facing Federal Charges In Vermont
"An alleged operator of the SmokeLoader malware is now facing federal hacking charges in Vermont after accusations that he stole personal information on more than 65,000 people. Nicholas Moses initially had charges filed in North Carolina this week, but the case was transferred to federal prosecutors in Vermont on Wednesday. Court documents accuse Moses, operating under the alias “scrublord,” of operating “a computer malware program known as SmokeLoader.”"
https://therecord.media/alleged-smokeloader-operator-charged-in-vermont
- CVE Fallout: The Splintering Of The Standard Vulnerability Tracking System Has Begun
"The splintering of the global system for identifying and tracking security bugs in technology products has begun. Earlier this week, the widely used Common Vulnerabilities and Exposures (CVE) program faced doom as the US government discontinued funding for MITRE, the non-profit that operates the program. Uncle Sam U-turned at the very last minute, and promised another 11 months of cash to keep the program going. Meanwhile, the EU is rolling its own. The European Union Agency for Cybersecurity (ENISA) developed and maintains this alternative, which is known as the EUVD, or the European Union Vulnerability Database. The EU mandated its creation under the Network and Information Security 2 Directive, and ENISA announced it last June."
https://www.theregister.com/2025/04/18/splintering_cve_bug_tracking/
- March 2025 Deep Web And Dark Web Trends Report
"This trend report on the deep web and dark web of March 2025 is sectioned into Ransomware, Data Breach, DarkWeb, CyberAttack, and Threat Actor. Please note that there are some parts of the content that cannot be verified for accuracy."
https://asec.ahnlab.com/en/87553/
- Cybersecurity 2025 Trends: GenAI And Supply Chains Top Of The Threat List
"It is hard to believe that we are now over three months into 2025. With Q1 in the books, we have approached the one-third of the year mark. This is a good time to pause and survey stakeholders and cybersecurity experts about the emerging trends observed so far this year. Gartner released its list recently of the emerging cybersecurity trends of 2025, and then we surveyed a few of our own experts."
https://blog.barracuda.com/2025/04/18/cybersecurity-2025-trends-GenAI-and-supply-chains-top-of-the-threat-list
References
Electronic Transactions Development Agency (ETDA)