Cyber Threat Intelligence 23 April 2025
Industrial Sector
- Siemens TeleControl Server Basic SQL
"Successful exploitation of these vulnerabilities could allow an attacker to read and write to the application's database, cause a denial-of-service condition, and execute code in an OS shell."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-112-01
- Schneider Electric Wiser Home Controller WHC-5918A
"Successful exploitation of this vulnerability could allow an attacker to disclose sensitive credentials."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-112-03
- ABB MV Drives
"Successful exploitation of these vulnerabilities could allow an attacker to gain full access to the drive or cause a denial-of-service condition."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-112-04
- Siemens TeleControl Server Basic
"Successful exploitation of this vulnerability could allow an attacker to cause the application to allocate exhaustive amounts of memory and subsequently create a denial-of-service condition."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-112-02
Vulnerabilities
- Active! Mail RCE Flaw Exploited In Attacks On Japanese Orgs
"An Active! Mail zero-day remote code execution vulnerability is actively exploited in attacks on large organizations in Japan. Active! mail is a web-based email client developed initially by TransWARE and later acquired by Qualitia, both Japanese companies. While it's not widely used worldwide like Gmail or Outlook, Active! is often used as a groupware component in Japanese-language environments of large corporations, universities, government agencies, and banks."
https://www.bleepingcomputer.com/news/security/active-mail-rce-flaw-exploited-in-attacks-on-japanese-orgs/
https://jvn.jp/en/jp/JVN22348866/index.html
- Bug Hunter Tricked SSL.com Into Issuing Cert For Alibaba Cloud Domain In 5 Steps
"Certificate issuer SSL.com’s domain validation system had an unfortunate bug that was exploited by miscreants to obtain, without authorization, digital certs for legit websites. With those certificates in hand, said fraudsters could set up more-convincing malicious copies of those sites for things like credential phishing, or decrypt intercepted HTTPS traffic between those sites and their visitors. And since learning of that flaw, SSL.com has revoked 11 wrongly issued certificates – one of them for Alibaba."
https://www.theregister.com/2025/04/22/ssl_com_validation_flaw/
https://www.securityweek.com/ssl-com-scrambles-to-patch-certificate-issuance-vulnerability/
https://hackread.com/ssl-com-vulnerability-fraud-ssl-certificates-domains/
- CVE-2025-3248: RCE Vulnerability In Langflow
"CVE-2025-3248, a critical remote code execution (RCE) vulnerability with a CVSS score of 9.8, has been discovered in Langflow, an open-source platform for visually composing AI-driven agents and workflows. The issue resides in the platform’s /api/v1/validate/code endpoint, which improperly invokes Python’s built-in exec() function on user-supplied code without authentication or sandboxing. This flaw allows attackers to exploit the API and execute arbitrary commands on the server, thus posing a significant risk to organizations using Langflow in their AI development workflows."
https://www.zscaler.com/blogs/security-research/cve-2025-3248-rce-vulnerability-langflow
- ConfusedComposer: A Privilege Escalation Vulnerability Impacting GCP Composer
"Tenable Research discovered a privilege-escalation vulnerability in Google Cloud Platform (GCP) that is now fixed and which we dubbed ConfusedComposer. The vulnerability could have allowed an identity with permission (composer.environments.update) to edit a Cloud Composer environment to escalate privileges to the default Cloud Build service account. The default Cloud Build service account includes permissions to Cloud Build itself, as well as to Cloud Storage, Artifact Registry, and more."
https://www.tenable.com/blog/confusedcomposer-a-privilege-escalation-vulnerability-impacting-gcp-composer
https://thehackernews.com/2025/04/gcp-cloud-composer-bug-let-attackers.html
Malware
- Case Of Attacks Targeting MS-SQL Servers To Install Ammyy Admin
"AhnLab SEcurity intelligence Center (ASEC) recently identified cases of attacks installing Ammyy Admin on poorly managed MS-SQL servers. Ammyy Admin is a remote control tool used to control systems remotely along with AnyDesk, ToDesk, TeamViewer, etc."
https://asec.ahnlab.com/en/87606/
- Billbug: Intrusion Campaign Against Southeast Asia Continues
"The Billbug espionage group (aka Lotus Blossom, Lotus Panda, Bronze Elgin) compromised multiple organizations in a single Southeast Asian country during an intrusion campaign that ran between August 2024 and February 2025. Targets included a government ministry, an air traffic control organization, a telecoms operator, and a construction company. In addition to this, the group staged an intrusion against a news agency located in another country in Southeast Asia and an air freight organization located in another neighboring country."
https://www.security.com/threat-intelligence/billbug-china-espionage
https://thehackernews.com/2025/04/lotus-panda-hacks-se-asian-governments.html
https://therecord.media/billbug-china-linked-apt-southeast-asian-country-multiple-orgs-hacked
https://www.infosecurity-magazine.com/news/billbug-espionage-group-new-tools/
- SK Telecom Warns Customer USIM Data Exposed In Malware Attack
"South Korea's largest mobile operator, SK Telecom, is warning that a malware infection allowed threat actors to access sensitive USIM-related information for customers. SK Telecom is the largest mobile network operator in South Korea, holding approximately 48.4% of the mobile phone service market in the country, corresponding to 34 million subscribers. The company says they detected malware on their systems at 11 PM local time on Saturday, April 19, 2025, in a weekend cyberattack when most organizations are understaffed."
https://www.bleepingcomputer.com/news/security/sk-telecom-warns-customer-usim-data-exposed-in-malware-attack/
https://securityaffairs.com/176802/data-breach/sk-telecom-data-breach.html
- Ripple's Recommended XRP Library Xrpl.js Hacked To Steal Wallets
"The recommended Ripple cryptocurrency NPM JavaScript library named "xrpl.js" was compromised to steal XRP wallet seeds and private keys and transfer them to an attacker-controlled server, allowing threat actors to steal all the funds stored in the wallets. Malicious code was added to versions 2.14.2, 4.2.1, 4.2.2, 4.2.3, and 4.2.4 of the xrpl NPM package and published to the NPM registry yesterday between 4:46 PM and 5:49 PM ET. These compromised versions have since been removed, and a clean 4.2.5 release is now available that all users should upgrade to immediately."
https://www.bleepingcomputer.com/news/security/ripples-recommended-xrp-library-xrpljs-hacked-to-steal-wallets/
- Cookie-Bite: How Your Digital Crumbs Let Threat Actors Bypass MFA And Maintain Access To Cloud Environments
"Silent and undetectable initial access is the cornerstone of a successful cyberattack. MFA is designed to thwart such unauthorized access, but attackers are constantly evolving their techniques to bypass these defenses. Varonis Threat Labs researchers uncovered techniques that attackers are using to bypass MFA using stolen browser cookies. By leveraging custom-made malicious browser extensions and automation scripts, attackers can extract and reuse authentication cookies to impersonate users without needing credentials, while keeping persistence."
https://www.varonis.com/blog/cookie-bite
https://www.bleepingcomputer.com/news/security/cookie-bite-attack-poc-uses-chrome-extension-to-steal-session-tokens/
https://www.darkreading.com/remote-workforce/cookie-bite-entra-id-attack-exposes-microsoft-365
- Phishing For Codes: Russian Threat Actors Target Microsoft 365 OAuth Workflows
"Since early March 2025, Volexity has observed multiple suspected Russian threat actors conducting highly targeted social engineering operations aimed at gaining access to the Microsoft 365 (M365) accounts of targeted individuals. This activity comes on the heels of attacks Volexity reported on back in February 2025, where Russian threat actors were discovered targeting users and organizations through Device Code Authentication phishing."
https://www.volexity.com/blog/2025/04/22/phishing-for-codes-russian-threat-actors-target-microsoft-365-oauth-workflows/
https://therecord.media/russia-linked-phishing-microsoft365-ukraine-ngos
- Infostealer Malware FormBook Spread Via Phishing Campaign – Part I
"Fortinet’s FortiGuard Labs observed a phishing campaign in the wild that delivered a malicious Word document as an attachment. This document contained crafted data designed to exploit the vulnerability CVE-2017-11882. After conducting an in-depth analysis, I discovered that the campaign was spreading a new variant of Formbook. Formbook is information-stealing malware targeting Windows users. It steals sensitive data from compromised systems, including stored credentials from popular software, the victim’s keystrokes, screenshots, and system clipboard data."
https://www.fortinet.com/blog/threat-research/infostealer-malware-formbook-spread-via-phishing-campaign-part-i
- Android Spyware Trojan Targets Russian Military Personnel Who Use Alpine Quest Mapping Software
"Doctor Web’s experts have discovered Android.Spy.1292.origin, spyware whose main target is Russian military personnel. The attackers hide this trojan inside modified Alpine Quest mapping software and distribute it in various ways, including through one of the Russian Android app catalogs. Among other things, the malware sends the attackers phonebook contact information and the infected device’s geolocation. Moreover, this spyware collects data about the files stored on the devices and, when commanded by threat actors, can download additional modules possessing the functionality needed to steal the files."
https://news.drweb.com/show/?i=15006&lng=en
https://hackread.com/fake-alpine-quest-mapping-app-spying-russian-military/
- Phishers Exploit Google Sites And DKIM Replay To Send Signed Emails, Steal Credentials
"In what has been described as an "extremely sophisticated phishing attack," threat actors have leveraged an uncommon approach that allowed bogus emails to be sent via Google's infrastructure and redirect message recipients to fraudulent sites that harvest their credentials. "The first thing to note is that this is a valid, signed email – it really was sent from no-reply@google.com," Nick Johnson, the lead developer of the Ethereum Name Service (ENS), said in a series of posts on X. "It passes the DKIM signature check, and Gmail displays it without any warnings – it even puts it in the same conversation as other, legitimate security alerts.""
https://thehackernews.com/2025/04/phishers-exploit-google-sites-and-dkim.html
https://www.malwarebytes.com/blog/news/2025/04/all-gmail-users-at-risk-by-clever-replay-attack
https://www.securityweek.com/legacy-google-service-abused-in-phishing-attacks/
- Russian Organizations Targeted By Backdoor Masquerading As Secure Networking Software Updates
"As we were looking into a cyberincident in April 2025, we uncovered a rather sophisticated backdoor. It targeted various large organizations in Russia, spanning the government, finance, and industrial sectors. While our investigation into the attack associated with the backdoor is still ongoing, we believe it is crucial to share our preliminary findings with the community. This will enable organizations that may be at risk of infection from the backdoor to take swift action to protect themselves from this threat."
https://securelist.com/new-backdoor-mimics-security-software-update/116246/
- Obfuscation Overdrive: Next-Gen Cryptojacking With Layers
"Out of all the services honeypotted by Darktrace, Docker is the most commonly attacked, with new strains of malware emerging daily. This blog will analyze a novel malware campaign with a unique obfuscation technique and a new cryptojacking technique."
https://www.darktrace.com/blog/obfuscation-overdrive-next-gen-cryptojacking-with-layers
https://thehackernews.com/2025/04/docker-malware-exploits-teneo-web3-node.html
https://www.infosecurity-magazine.com/news/cryptojacking-malware-docker-novel/
Breaches/Hacks/Leaks
- Marks & Spencer Confirms a Cyberattack As Customers Face Delayed Orders
"Marks & Spencer (M&S) has disclosed that it is responding to a cyberattack over the past few days that has impacted operations, including its Click and Collect service. The company is a British multinational retailer known for selling various products, including clothing, food, and home goods. Marks & Spencer operates over 1,400 stores and employs 64,000 employees globally. The company confirmed the cybersecurity incident in a press release on the London Stock Exchange, stating that they are working with cybersecurity experts to manage and resolve the situation."
https://www.bleepingcomputer.com/news/security/marks-and-spencer-confirms-a-cyberattack-as-customers-face-delayed-orders/
https://therecord.media/british-retailer-MS-confirms-cyber-incident-store-delays
https://www.theregister.com/2025/04/22/marks_spencer_cyber_incident/
- Two Healthcare Orgs Hit By Ransomware Confirm Data Breaches Impacting Over 100,000
"Two healthcare organizations have each confirmed suffering data breaches impacting more than 100,000 people after being targeted in ransomware attacks. One of them is Milwaukee, WI-based Bell Ambulance, which provides ambulance services in the area. The company revealed last week in a data security notice that it detected a network intrusion on February 13, 2025. An investigation showed that hackers gained access to files containing information such as name, date of birth, SSN, and driver’s license number, as well as financial, medical and health insurance information."
https://www.securityweek.com/two-healthcare-orgs-hit-by-ransomware-confirm-data-breaches-impacting-over-100000/
https://www.darkreading.com/cyberattacks-data-breaches/healthcare-orgs-hit-ransomeware-attacks
- Thousands Of Baltimore Students, Teachers Affected By Data Breach Following February Ransomware Attack
"Thousands of students, teachers and administrators had information stolen from the Baltimore City Public Schools system during a ransomware attack in February. Officials at Baltimore City Public Schools published a breach notice on Tuesday warning that a cyber incident on February 13 exposed certain IT systems within the network. The statement said an investigation revealed that “certain documents may have been compromised by criminal actors, which contained information belonging to some current and former employees, volunteers, and contractors, as well as files related to less than 1.5% of our student population.”"
https://therecord.media/baltimore-public-schools-data-breach-ransomware
General News
- The Legal Blind Spot Of Shadow IT
"Shadow IT isn’t just a security risk, it’s a legal one. When teams use unsanctioned tools, they can trigger compliance violations, expose sensitive data, or break contracts. Let’s look at where the legal landmines are and what CISOs can do to stay ahead of them."
https://www.helpnetsecurity.com/2025/04/22/shadow-it-legal-blind-spot/
- The C-Suite Gap That’s Putting Your Company At Risk
"New research from EY US shows that cyber attacks are creating serious financial risks. C-suite leaders don’t always agree on how exposed their companies are or where the biggest threats come from. In EY US’s latest C-suite cybersecurity study, 84% of executives said their company had faced a cyber incident in the past three years. Another EY US review of Russell 3000 companies found that after a cyber attack, a company’s stock price drops by an average of 1.5% over the next 90 days. This shows how much these attacks can hurt a company’s value."
https://www.helpnetsecurity.com/2025/04/22/c-suite-gap-risk/
- What School IT Admins Are Up Against, And How To Help Them Win
"School IT admins are doing tough, important work under difficult conditions. From keeping Wi-Fi stable during exams to locking down systems from phishing emails, their job is part technician, part strategist, part firefighter. But they’re stretched thin. The tools are outdated, the support is missing, and the pressure never stops. Here’s a look at what they’re dealing with and how we can help."
https://www.helpnetsecurity.com/2025/04/22/what-school-it-admins-are-up-against/
- Compliance Weighs Heavily On Security And GRC Teams
"Only 29% of all organizations say their compliance programs consistently meet internal and external standards, according to Swimlane. Their report reveals that fragmented workflows, manual evidence gathering and poor collaboration between security and governance, risk and compliance (GRC) teams are leaving organizations vulnerable to audit failures, regulatory penalties and security gaps."
https://www.helpnetsecurity.com/2025/04/22/security-grc-teams-compliance/
- CVE Controversy Creates Opportunity To Improve
"An intense debate over how best to administer the tracking of common vulnerabilities and exposures (CVEs) is now underway following a last-minute decision by the Trump administration to continue funding this effort for the next 11 months. Today, CVEs are each given a unique name under a federally funded program administered by the MITRE Corporation. Any new vulnerability that is discovered can be reported to a CVE Numbering Authority (CNA) that helps administer the program. That data is then widely shared with cybersecurity vendors that use that information to alert customers and, if available, help remediate the root cause of the issue."
https://blog.barracuda.com/2025/04/21/cve-controversy-opportunity-improve
- Russia Attempting Cyber Sabotage Attacks Against Dutch Critical Infrastructure
"Russian state-sponsored hackers have attempted to sabotage Dutch critical infrastructure in attacks this year and last, according to the Dutch Military Intelligence and Security Service’s annual public report, published Tuesday. Although the impact was said to be “minimal”, last year’s incident appeared to be “the first time that a group like this has carried out a cyber sabotage attack against such a control system in the Netherlands,” warned the service, known as the MIVD. The incidents were not detailed further in the MIVD’s public annual report, but mark an uptick in activity since 2023 when Hans de Vries — then the director of the country’s National Cyber Security Centre, and now the head at the EU’s cybersecurity agency — told Recorded Future News the Netherlands was not observing attacks directly targeting its own infrastructure."
https://therecord.media/dutch-mivd-report-russian-cyber-sabotage
https://www.bankinfosecurity.com/russian-chinese-hackers-targeted-dutch-government-a-28064
- The State Of Ransomware In The First Quarter Of 2025: Record-Breaking 126% Spike In Public Extortion Cases
"Ransomware remains one of the most persistent and damaging cyber threats facing organizations globally. The first quarter of 2025 marked an unprecedented surge in activity, with 74 distinct ransomware groups publicly claiming victims on data leak sites (DLS). These groups collectively reported 2,289 victims—more than double the number disclosed in the same period last year, which saw 1,011 published cases – a year-over-year increase of 126%."
https://blog.checkpoint.com/research/the-state-of-ransomware-in-the-first-quarter-of-2025-a-126-increase-in-ransomware-yoy/
- IBM X-Force 2025 Threat Intelligence Index
"This year, we’ve seen shape-shifting cyber adversaries gain more access, move across networks more easily, and create new outposts in relative obscurity. Equipped with advanced tools, threat actors are increasingly using compromised log-in credentials rather than brute-force hacking. The damage they inflict continues to grow as the global average cost of a data breach hit a record $4.88 million in 2024. What’s even more concerning is that data breaches are often only the start of larger and more coordinated campaigns. Threat actors openly trade exploits on the dark web to target critical infrastructure such as power grids, health networks, and industrial systems."
https://www.ibm.com/thought-leadership/institute-business-value/en-us/report/2025-threat-intelligence-index
https://cyberscoop.com/ibm-x-force-threat-intelligence-index-2025/
- DeepSeek Breach Opens Floodgates To Dark Web
"The recent DeepSeek security breach has once again highlighted the significant vulnerabilities in artificial intelligence (AI) systems and raises alarming questions about where the exposed data may have ended up. Shortly after DeepSeek's release, security researchers uncovered extensive vulnerabilities in the system's infrastructure. Publicly exposed sensitive user data and proprietary information like this often makes its way to the Dark Web — a thriving underground market where stolen data is routinely traded, sold, and exploited."
https://www.darkreading.com/cyberattacks-data-breaches/deepseek-breach-opens-floodgates-dark-web
- 54% Of Tech Hiring Managers Expect Layoffs In 2025
"54% of tech hiring managers say their companies are likely to conduct layoffs within the next year, and 45% say employees whose roles can be replaced by AI are most likely to be let go, according to a new study by General Assembly. “We’re on the precipice of an unprecedented skills crisis,” said Daniele Grassi, CEO of General Assembly. “Businesses are ramping up AI investments and reducing headcount in the name of productivity, but they are creating a widening skills gap that will ultimately slow transformation. It’s time to get AI skills to every employee.”"
https://www.helpnetsecurity.com/2025/04/22/tech-layoffs-2025/
- Cybersecurity In 2025 - Real-World Threats And Lessons Learned
"As cyber threats evolve, understanding their real-world impact is crucial. This article explores four significant cybersecurity threats shaping 2025—each illustrated by an actual incident that caused material losses—and the key lessons organisations can take from them."
https://www.darknet.org.uk/2025/04/cybersecurity-in-2025-real-world-threats-and-lessons-learned/
References
Electronic Transactions Development Agency (ETDA)