Cyber Threat Intelligence 25 April 2025
Energy Sector
- AI & Cybersecurity: The State Of Cyber In UK And US Energy Sectors
"Darktrace’s Annual Threat Report 2024 revealed that our Threat Research team is conducting industry-specific research. The first of this series looks into the energy sector within the US and UK, analysing Darktrace observed incidents from across the sector, hypothesis-driven threat hunts, open source intelligence and interviews, to identify which APTs and attack vectors are targeting energy organizations, how technology (including AI) has transformed the threat landscape, and how security teams and policy makers are adapting."
https://www.darktrace.com/resources/state-of-cyber-uk-us-energy-2025
https://cdn.prod.website-files.com/626ff4d25aca2edf4325ff97/6808b36d8fa4e967f6cc23f7_AI Cybersecurity in the Energy Sector_Web.pdf
https://www.helpnetsecurity.com/2025/04/24/energy-sector-cyber-threats/
Industrial Sector
- Schneider Electric Modicon Controllers
"Successful exploitation of these vulnerabilities may risk execution of unsolicited command on the PLC, which could result in a loss of availability of the controller."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-114-01
- ALBEDO Telecom Net.Time - PTP/NTP Clock
"Successful exploitation of this vulnerability could allow an attacker to transmit passwords over unencrypted connections, resulting in the product becoming vulnerable to interception."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-114-02
- Vestel AC Charger
"Successful exploitation of this vulnerability could allow an attacker access to sensitive information, such as credentials which could subsequently enable them to cause a denial of service or partial loss of integrity of the charger."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-114-03
- Nice Linear eMerge E3
"Successful exploitation of this vulnerability could allow an attacker to execute arbitrary OS commands."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-114-04
- Johnson Controls ICU
"Successful exploitation of this vulnerability may allow an attacker to execute arbitrary code."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-114-05
- Planet Technology Network Products
"Successful exploitation of these vulnerabilities could allow an attacker to read or manipulate device data, gain administrative privileges, or alter database entries."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-114-06
New Tooling
- Tyton – Kernel-Mode Rootkit Hunter For Linux
"Tyton is a lightweight, open-source kernel-mode rootkit detection tool for Linux systems. Designed to identify stealthy kernel-level threats, Tyton offers a focused approach to uncovering hidden modules and system call table hooks."
https://www.darknet.org.uk/2025/04/tyton-kernel-mode-rootkit-hunter-for-linux/
https://github.com/nbulischeck/tyton/
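Added example, not Tyton's code: a userspace cross-check for the "hidden module" case Tyton hunts for. A module that unlinks itself from the kernel's module list disappears from /proc/modules (and therefore from lsmod) but, unless it also removes its kobject, still has a directory under /sys/module. The /proc/modules text and the sysfs name set below are constructed for the test; the module name evil_lkm is a placeholder.

```python
"""Userspace cross-check for kernel modules hidden from lsmod (added example)."""
import os


def parse_proc_modules(text):
    """Module names from /proc/modules-formatted text (name is the first field)."""
    names = set()
    for line in text.splitlines():
        fields = line.split()
        if fields:
            names.add(fields[0])
    return names


def sysfs_loadable_modules(sysfs_root="/sys/module"):
    """Names under /sys/module that belong to loadable modules.

    Built-in kernel code also gets a /sys/module/<name> directory (for its
    parameters) but never appears in /proc/modules, so only entries carrying
    an 'initstate' file, which the kernel creates for loadable modules only,
    are returned.
    """
    found = set()
    for name in os.listdir(sysfs_root):
        if os.path.exists(os.path.join(sysfs_root, name, "initstate")):
            found.add(name)
    return found


def hidden_modules(proc_modules_names, sysfs_loadable_names):
    """Loadable modules visible in sysfs but missing from the module list."""
    return sorted(sysfs_loadable_names - proc_modules_names)


def check_live_system():
    """Compare the two views on this host (run as root to read everything)."""
    with open("/proc/modules") as fh:
        visible = parse_proc_modules(fh.read())
    return hidden_modules(visible, sysfs_loadable_modules())


# Constructed sample: two ordinary modules in the module list, plus a third
# ("evil_lkm", a placeholder name) that has unlinked itself from the list but
# still has its sysfs directory.
SAMPLE_PROC_MODULES = """\
xt_conntrack 16384 1 - Live 0xffffffffc0a1b000
nf_conntrack 172032 1 xt_conntrack, Live 0xffffffffc09e0000
"""
SAMPLE_SYSFS_LOADABLE = {"xt_conntrack", "nf_conntrack", "evil_lkm"}


if __name__ == "__main__":
    print("sample:", hidden_modules(parse_proc_modules(SAMPLE_PROC_MODULES),
                                    SAMPLE_SYSFS_LOADABLE))
    print("this host:", check_live_system())
```

This is a cheap first pass, not a substitute for Tyton: a rootkit that also calls kobject_del() on its own module object vanishes from /sys/module too, which is why an in-kernel tool walks kernel memory rather than trusting either procfs or sysfs. A non-empty result from check_live_system() on a host where you did not load anything unusual is worth an image of memory before the box is touched further.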
Vulnerabilities
- Cisco Confirms Some Products Impacted By Critical Erlang/OTP Flaw
"Cisco is investigating the impact of a recently disclosed Erlang/OTP vulnerability and it has confirmed that several of its products are affected by the critical remote code execution flaw. It came to light last week that a critical vulnerability allowing device takeover was discovered in the SSH implementation of Erlang/OTP, a collection of libraries, middleware and other tools designed for creating soft real-time systems that require high availability, such as banking, e-commerce, and communications applications."
https://www.securityweek.com/cisco-confirms-some-products-impacted-by-critical-erlang-otp-flaw/
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-erlang-otp-ssh-xyZZy
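Added example, not Cisco's or Erlang/OTP's code: an inventory helper for finding SSH listeners served by the Erlang/OTP ssh application, which announces itself with an identification string of the form SSH-2.0-Erlang/<ssh application version>. The banners are constructed, and the fixed-version table is a placeholder: take the real fixed versions for each OTP line from the vendor advisory, which this digest does not reproduce.

```python
"""Inventory helper for Erlang/OTP SSH listeners (added example)."""
import re
import socket

# The Erlang/OTP ssh application identifies itself as SSH-2.0-Erlang/<ssh app version>.
ERLANG_ID = re.compile(r"^SSH-(?P<proto>\d\.\d+)-Erlang/(?P<ssh_app>\d+(?:\.\d+)+)")

# PLACEHOLDER values keyed by ssh application major.minor line. Replace with the
# fixed versions from the vendor advisory; the digest does not list them.
FIXED_SSH_APP = {"5.2": "5.2.10", "5.1": "5.1.5"}


def parse_erlang_id(line):
    """Return {'proto', 'ssh_app'} for an Erlang identification string, else None."""
    m = ERLANG_ID.match(line.strip())
    return m.groupdict() if m else None


def version_tuple(v):
    return tuple(int(part) for part in v.split("."))


def status(line, fixed=FIXED_SSH_APP):
    """Classify one identification string.

    Versions are compared only within the same major.minor line: each OTP
    release line gets its own patch release, and a plain numeric comparison
    across lines would call a patched older line vulnerable.
    """
    info = parse_erlang_id(line)
    if info is None:
        return "not_erlang"
    line_key = ".".join(info["ssh_app"].split(".")[:2])
    if line_key not in fixed:
        return "unknown_line"
    if version_tuple(info["ssh_app"]) < version_tuple(fixed[line_key]):
        return "needs_patch"
    return "patched"


def grab_banner(host, port=22, timeout=3.0):
    """Read the server identification line (RFC 4253 section 4.2); no login attempted.

    Servers may send free-text lines before the SSH- line, so read until a
    complete line starting with SSH- has arrived (or a size cap is hit).
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"SSH-2.0-inventory_scan\r\n")
        buf = b""
        while len(buf) < 4096:
            chunk = sock.recv(256)
            if not chunk:
                break
            buf += chunk
            idx = buf.find(b"SSH-")
            if idx != -1 and b"\n" in buf[idx:]:
                break
    for text_line in buf.decode("ascii", "replace").splitlines():
        if text_line.startswith("SSH-"):
            return text_line
    return ""


def triage(banners, fixed=FIXED_SSH_APP):
    """banners: iterable of (label, identification string) -> {label: status}."""
    return {label: status(line, fixed) for label, line in banners}


# Constructed sample (not captured from real hosts).
SAMPLE_BANNERS = [
    ("10.0.0.5:22", "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.5"),
    ("10.0.0.9:2222", "SSH-2.0-Erlang/5.1.4"),
    ("10.0.0.12:22", "SSH-2.0-Erlang/5.2.10"),
    ("10.0.0.20:22", "SSH-2.0-Erlang/4.15.3"),
]

if __name__ == "__main__":
    for label, result in triage(SAMPLE_BANNERS).items():
        print(label, result)
```

Erlang-based SSH listeners are rarely on port 22 and rarely in the asset register: they sit inside telecom, messaging and management products, which is why vendors such as Cisco have to work through their own product lists. Feed grab_banner() the ports your scanner already reports as SSH and treat every "unknown_line" as a question for the product owner rather than as clean.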
- Fire In The Hole, We’re Breaching The Vault - Commvault Remote Code Execution (CVE-2025-34028)
"As we pack our bags and prepare for the adult-er version of BlackHat (that apparently doesn’t require us to print out stolen mailspoolz to hand to people at their talks), we want to tell you about a recent adventure - a heist, if you will. No heist story is ever complete without a 10-metre thick steel door vault, silent pressure sensors beneath marble floors and laser grids slicing the air like spiderwebs — befitting of a crew reckless enough to think they can beat it all."
https://labs.watchtowr.com/fire-in-the-hole-were-breaching-the-vault-commvault-remote-code-execution-cve-2025-34028/
https://nvd.nist.gov/vuln/detail/CVE-2025-34028
https://documentation.commvault.com/securityadvisories/CV_2025_04_1.html
https://thehackernews.com/2025/04/critical-commvault-command-center-flaw.html
https://www.darkreading.com/cyber-risk/max-severity-commvault-bug-researchers
https://www.infosecurity-magazine.com/news/critical-vulnerability-commvault/
https://www.helpnetsecurity.com/2025/04/24/critical-commvault-rce-vulnerability-fixed-poc-available-cve-2025-34028/
- io_uring Is Back, This Time As a Rootkit
"ARMO researchers reveal a major blind spot in Linux runtime security tools caused by the io_uring interface—an asynchronous I/O mechanism that bypasses traditional system calls. Most tools, including Falco, Tetragon, and Microsoft Defender, fail to detect rootkits using io_uring because they rely on syscall monitoring. ARMO’s proof-of-concept rootkit, Curing, operates fully via io_uring to demonstrate the threat. While some vendors responded with fixes or workarounds, the broader industry remains exposed."
https://www.armosec.io/blog/io_uring-rootkit-bypasses-linux-security/
https://thehackernews.com/2025/04/linux-iouring-poc-rootkit-bypasses.html
https://www.bleepingcomputer.com/news/security/linux-io-uring-security-blindspot-allows-stealthy-rootkit-attacks/
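Added example, not ARMO's code and not the Curing PoC: a procfs sweep for processes holding io_uring rings. A ring created with io_uring_setup() is backed by an anonymous inode, and /proc/<pid>/fd resolves its descriptor to the string anon_inode:[io_uring], so on a host where no legitimate software uses io_uring the sweep should return nothing. build_sample_proc() constructs a fake /proc tree in a temporary directory so the check can be exercised offline.

```python
"""Find processes holding io_uring rings via /proc/<pid>/fd (added example)."""
import os
import tempfile

IO_URING_TARGET = "anon_inode:[io_uring]"


def io_uring_fds(proc_root="/proc"):
    """Map pid -> sorted fd numbers whose descriptor is an io_uring instance.

    Relies on kernel naming: the anonymous inode behind an io_uring_setup()
    ring reads back as 'anon_inode:[io_uring]' from readlink on the fd entry.
    """
    hits = {}
    for pid in os.listdir(proc_root):
        if not pid.isdigit():          # skip self, sys, net, ...
            continue
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:                # process exited, or not our process and not root
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            if target == IO_URING_TARGET:
                hits.setdefault(pid, []).append(int(fd))
    return {pid: sorted(fds) for pid, fds in hits.items()}


def build_sample_proc():
    """Constructed stand-in for /proc: a temp dir with three fake processes.

    Pid 4711 holds two rings; 1 and 4712 hold ordinary descriptors. The
    symlink targets are strings, as in real procfs, so they can dangle.
    """
    root = tempfile.mkdtemp(prefix="fakeproc_")
    layout = {
        "1":    {"0": "/dev/null", "3": "socket:[4242]"},
        "4711": {"0": "/dev/null", "5": IO_URING_TARGET, "6": IO_URING_TARGET},
        "4712": {"4": "anon_inode:[eventpoll]"},
    }
    for pid, fds in layout.items():
        fd_dir = os.path.join(root, pid, "fd")
        os.makedirs(fd_dir)
        for fd, target in fds.items():
            os.symlink(target, os.path.join(fd_dir, fd))
    os.makedirs(os.path.join(root, "self"))   # non-numeric entry must be skipped
    return root


if __name__ == "__main__":
    print("sample:", io_uring_fds(build_sample_proc()))
    print("this host:", io_uring_fds())
```

Two caveats. First, io_uring_setup() and io_uring_enter() are themselves system calls, so a runtime tool can still observe ring creation through the syscalls:sys_enter_io_uring_setup tracepoint even though the file and socket operations queued on the ring never touch the syscall table; if you own a Falco or Tetragon policy, that is the hook to add. Second, this sweep only catches user-mode implants of the kind the PoC demonstrates; anything with kernel privileges can hide its descriptors from procfs as easily as it hides anything else.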
Malware
- Operation SyncHole: Lazarus APT Goes Back To The Well
"We have been tracking the latest attack campaign by the Lazarus group since last November, as it targeted organizations in South Korea with a sophisticated combination of a watering hole strategy and vulnerability exploitation within South Korean software. The campaign, dubbed “Operation SyncHole”, has impacted at least six organizations in South Korea’s software, IT, financial, semiconductor manufacturing, and telecommunications industries, and we are confident that many more companies have actually been compromised. We immediately took action by communicating meaningful information to the Korea Internet & Security Agency (KrCERT/CC) for rapid action upon detection, and we have now confirmed that the software exploited in this campaign has all been updated to patched versions."
https://securelist.com/operation-synchole-watering-hole-attacks-by-lazarus/116326/
https://www.bleepingcomputer.com/news/security/lazarus-hackers-breach-six-companies-in-watering-hole-attacks/
https://thehackernews.com/2025/04/lazarus-hits-6-south-korean-firms-via.html
- Russian Infrastructure Plays Crucial Role In North Korean Cybercrime Operations
"Internet access is scarce in North Korea; their national network only has 1,024 IP addresses assigned to it, yet the country’s role in cybercrime is significant. Multiple high-profile campaigns were publicly attributed to North Korean actors by international law enforcement, one of the latest being the US$1.5 billion Bybit hack. Naturally, to scale cybercrime to the levels attributed to North Korea, a lot more internet resources are needed than the 1,024 IP addresses. One way to achieve this is to send or hire significant numbers of IT workers abroad and let them work from there. Additionally, large-scale anonymization networks are being used to conceal campaigns linked to North Korea; these anonymization layers hide the origin of malicious traffic and make attribution harder."
https://www.trendmicro.com/en_us/research/25/d/russian-infrastructure-north-korean-cybercrime.html
https://www.bankinfosecurity.com/north-korean-hackers-use-russian-ip-infrastructure-a-28082
- Cyber Criminals Exploit Pope Francis Death To Launch Global Scams
"Following Pope Francis’ death, as is common with global events of this nature, cyber criminals have launched a variety of malicious campaigns. This tactic isn’t new—cyber attackers have long exploited major world events, from the passing of Queen Elizabeth II to natural disasters and global crises like COVID-19, to drive scams, disinformation, and malware infections. Public curiosity and emotional reactions make these moments prime opportunities for attackers to strike."
https://blog.checkpoint.com/research/cyber-criminals-exploit-pope-francis-death-to-launch-global-scams/
https://securityaffairs.com/176917/cyber-crime/crooks-exploit-the-death-of-pope-francis.html
- SessionShark Steals Session Tokens To Slip Past Office 365 MFA
"Security researchers here at SlashNext recently uncovered a promotional image on a cybercrime network showcasing a service called “SessionShark O365 2FA/MFA.” SessionShark is a phishing-as-a-service toolkit built to bypass Microsoft Office 365 multi-factor authentication (MFA) protections. While the offering is clearly intended for threat actors, its creators attempt to frame it as “for educational purposes.” In this blog post, we break down the key messaging and features of SessionShark – from its MFA-bypassing capabilities to its stealth techniques and commercial pricing – and explore the implications for defenders."
https://slashnext.com/blog/sessionshark-steals-session-tokens-to-slip-past-office-365-mfa/
https://www.darkreading.com/remote-workforce/sessionshark-toolkit-microsoft-365-steal-tokens
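Added example for the SessionShark item above, not SlashNext's code and not the kit's: a detection heuristic for the token replay a kit of this type produces. An adversary-in-the-middle proxy relays the victim's MFA-satisfied login, and the captured session cookie is then used from attacker infrastructure, so the same session identifier shows up with a second source IP and usually a second User-Agent shortly after MFA was satisfied. The events below are a constructed, simplified shape loosely modelled on sign-in log rows, not real log data, and the field names are this example's own.

```python
"""Session-token replay heuristic over sign-in events (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect_session_replay(events, window=timedelta(hours=24)):
    """Return one alert per session whose later use does not match the client
    that satisfied MFA.

    Group by session id, take the first event where MFA was satisfied as the
    anchor, then flag the first later event inside the window that arrives
    from a different source IP or User-Agent. A relayed login followed by
    cookie replay from attacker infrastructure produces exactly that pattern.
    """
    by_session = defaultdict(list)
    for ev in events:
        by_session[ev["sessionId"]].append(ev)

    alerts = []
    for sid, evs in by_session.items():
        evs.sort(key=lambda e: _ts(e["time"]))
        anchor = next((e for e in evs if e["mfa"]), None)
        if anchor is None:
            continue  # MFA never satisfied in this batch; outside this heuristic
        t0 = _ts(anchor["time"])
        for ev in evs:
            if ev is anchor:
                continue
            delta = _ts(ev["time"]) - t0
            if not (timedelta(0) <= delta <= window):
                continue
            if ev["ip"] != anchor["ip"] or ev["ua"] != anchor["ua"]:
                alerts.append({
                    "sessionId": sid,
                    "user": ev["user"],
                    "mfa_ip": anchor["ip"],
                    "replay_ip": ev["ip"],
                    "replay_ua": ev["ua"],
                    "minutes_after_mfa": round(delta.total_seconds() / 60, 1),
                })
                break  # one alert per session is enough for triage
    return alerts


# Constructed sample. Session s-1: MFA from the user's browser, then the same
# session reused two minutes later from another address with a scripted client.
# Session s-2: MFA and later reuse from the same client (benign token refresh).
SAMPLE_SIGNINS = [
    {"time": "2025-04-24T08:01:10Z", "user": "alice@example.com", "sessionId": "s-1",
     "ip": "203.0.113.10", "ua": "Mozilla/5.0 (Windows NT 10.0) Edge/124", "mfa": True},
    {"time": "2025-04-24T08:03:42Z", "user": "alice@example.com", "sessionId": "s-1",
     "ip": "198.51.100.77", "ua": "python-requests/2.31", "mfa": False},
    {"time": "2025-04-24T09:15:00Z", "user": "bob@example.com", "sessionId": "s-2",
     "ip": "203.0.113.20", "ua": "Mozilla/5.0 (Macintosh) Chrome/124", "mfa": True},
    {"time": "2025-04-24T11:30:00Z", "user": "bob@example.com", "sessionId": "s-2",
     "ip": "203.0.113.20", "ua": "Mozilla/5.0 (Macintosh) Chrome/124", "mfa": False},
]

if __name__ == "__main__":
    for alert in detect_session_replay(SAMPLE_SIGNINS):
        print(alert)
```

Raw IP comparison is noisy for mobile users who move between networks, so in production compare ASN or geolocation instead of the literal address and require the User-Agent change, or a hit on known proxy infrastructure, before paging anyone. The real fix is not detection but making the token useless off the original device: token protection and device-bound session policies in the identity provider, plus phishing-resistant authenticators (FIDO2/passkeys) that an in-the-middle proxy cannot relay.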
https://hackread.com/sessionshark-phishing-kit-bypass-mfa-steal-office-365-logins/
- SEAL Releases Advisory On ELUSIVE COMET
"SEAL is tracking an ongoing campaign against crypto users by a threat actor identified as ELUSIVE COMET, who employs sophisticated social engineering tactics with the goal of inducing victims into installing malware and ultimately stealing their crypto. SEAL is working closely with industry partners to proactively protect users. ELUSIVE COMET is known to operate Aureon Capital, which purports to be a legitimate venture capital firm, as well as related entities Aureon Press and The OnChain Podcast. ELUSIVE COMET is responsible for millions of dollars in stolen funds and poses a significant risk to users due to their carefully engineered backstory."
https://www.securityalliance.org/news/2025-03-elusive-comet
https://www.malwarebytes.com/blog/news/2025/04/zoom-attack-tricks-victims-into-allowing-remote-access-to-install-malware-and-steal-money
https://hackread.com/elusive-comet-hackers-zoom-remote-control-steal-crypto/
- AI-Enabled Darcula-Suite Makes Phishing Kits More Accessible, Easier To Deploy
"Netcraft researchers have observed the cybercriminals behind darcula, the phishing-as-a-service (PhaaS) platform, have released a new update to their darcula-suite, accelerating phishing kit creation with AI, confirming the use of AI to more quickly create high-quality, customized phishing kits. We first covered darcula’s platform, which enables widespread and highly targeted smishing attacks, in March 2024 and February 2025. Darcula has continued to evolve into a sophisticated, subscription-based ecosystem with tooling and speed that rivals modern tech startups."
https://www.netcraft.com/blog/ai-enabled-darcula-suite-makes-phishing-kits-more-accessible-easier-to-deploy/
https://thehackernews.com/2025/04/darcula-adds-genai-to-phishing-toolkit.html
- How AI Services Power The DPRK’s IT Contracting Scams
"Over the past few months, Okta Threat Intelligence conducted in-depth research into online services used by individuals identified by US authorities and trusted third parties as agents for the Democratic People’s Republic of Korea (DPRK). Our research finds that generative artificial intelligence (GenAI) is playing an integral role in how North Korean nationals gain employment in remote technical roles around the globe, in what some researchers refer to as “DPRK IT Workers” or “Wagemole” campaigns. GenAI is used to create compelling personas at numerous stages of the job application and interview process. Once employed, GenAI tools are also used to assist in maintaining multiple simultaneous roles to earn revenue for the state."
https://sec.okta.com/articles/2025/04/genaidprk/
https://therecord.media/north-korean-it-workers-seen-using-ai-recruitment-scams
- ELENOR-Corp Ransomware: A New Mimic Ransomware Variant Attacking The Healthcare Sector
"Morphisec recently investigated an incident involving a new variant of one of the most aggressive ransomware families: Mimic version 7.5. First observed in 2022, Mimic remains relatively underreported in the public domain, aside from a detailed analysis of Mimic version 6.3 that was previously published by Cyfirma and Kaspersky."
https://www.morphisec.com/blog/elenor-corp-mimic-ransomware-variant/
https://www.infosecurity-magazine.com/news/elenor-corp-ransomware-targets/
- How Fraudsters Abuse Google Forms To Spread Scams
"When Google enters a particular market, it often means bad news for the incumbents. So it was with Google Forms, the tech giant’s form and quiz-building tool that launched in 2008. According to one estimate, it now has a market share of nearly 50%. However, with great market share comes greater scrutiny from nefarious elements. Threat actors are past masters at abusing popular technology for their own ends. And they are doing so with Google Forms to harvest sensitive information from their victims and even trick them into installing malware."
https://www.welivesecurity.com/en/scams/how-fraudsters-abuse-google-forms-spread-scams/
Breaches/Hacks/Leaks
- 5.5 Million Patients Affected By Data Breach At Yale New Haven Health
"Yale New Haven Health System (YNHHS), which operates several hospitals in Connecticut, recently disclosed a data breach impacting the personal information of millions of patients. The Yale University-affiliated healthcare organization revealed on April 11 that it detected unusual activity on its IT systems on March 8. While patient care was not impacted by the incident, an investigation showed that hackers managed to copy data from Yale New Haven Health systems on the day the intrusion was discovered."
https://www.securityweek.com/5-5-million-patients-affected-by-data-breach-at-yale-new-haven-health/
https://www.bleepingcomputer.com/news/security/yale-new-haven-health-data-breach-affects-55-million-patients/
https://www.bankinfosecurity.com/yale-new-haven-health-notifying-55-million-march-hack-a-28081
https://securityaffairs.com/176937/data-breach/yale-new-haven-health-ynhhs-data-breach-impacted-5-5-million-patients.html
https://www.theregister.com/2025/04/24/yale_new_haven_health_breach/
- Frederick Health Data Breach Impacts Nearly 1 Million Patients
"A ransomware attack in January at Frederick Health Medical Group, a major healthcare provider in Maryland, has led to a data breach affecting nearly one million patients. With almost 4,000 employees and over 25 locations, Frederick Health is one of Frederick County's largest employers. As the health system revealed in a late March notification to patients, the ransomware attack was detected on January 27, which prompted Frederick Health to notify law enforcement and hire a third-party forensic firm to investigate the incident's impact."
https://www.bleepingcomputer.com/news/security/frederick-health-data-breach-impacts-nearly-1-million-patients/
- Interlock Ransomware Claims DaVita Attack, Leaks Stolen Data
"The Interlock ransomware gang has claimed the cyberattack on DaVita kidney dialysis firm and leaked data allegedly stolen from the organization. DaVita is a Fortune 500 kidney care provider with more than 2,600 U.S. dialysis centers, 76,000 employees in 12 countries, and an annual revenue exceeding $12.8 billion. The healthcare company disclosed to the U.S. Securities and Exchange Commission (SEC) that on April 12 it suffered a ransomware attack that affected some operations. DaVita stated at the time that it was investigating the impact of the incident."
https://www.bleepingcomputer.com/news/security/interlock-ransomware-claims-davita-attack-leaks-stolen-data/
https://therecord.media/dialysis-davita-reviewing-data-leak
- Nearly 500,000 Impacted By 2023 Cyberattack On Long Beach, California
"More than a year after a cyberattack on the government of Long Beach, California, the city is informing residents that information on nearly half a million people was leaked. In breach notification documents filed in multiple states, the city said 470,060 people had sensitive data accessed by hackers who breached government systems during a cyberattack in November 2023. The city said it conducted an “extensive” forensic investigation and “manual document review” that lasted until March 18, 2025. The information stolen includes Social Security numbers, financial account information, credit and debit card numbers, biometric information, medical data, driver’s license numbers, passports, tax data and more."
https://therecord.media/long-beach-california-data-breach-announcement
- Cyberattack Hits Drinking Water Supplier In Spanish Town Near Barcelona
"Aigües de Mataró, a Spanish water supplier responsible for both drinking water and sewage systems, announced on Wednesday that its corporate computer systems and website were hit by a cyberattack. The municipal company in Mataró, a coastal town in Catalonia with a population of around 130,000 approximately 19 miles north of Barcelona, said water supplies themselves and quality control systems were unaffected. In an official statement, Aigües de Mataró said the attack was uncovered on Monday, and has been reported to the Catalan police as well as the autonomous community’s own cybersecurity agency."
https://therecord.media/cyberattack-water-supplier-barcelona-spain
General News
- Exposed And Unaware: The State Of Enterprise Security In 2025
"The Edgescan 2025 Vulnerability Statistics Report offers a data-rich snapshot of the global cybersecurity landscape, drawing from thousands of assessments and penetration tests conducted in 2024. Now in its 10th year, the report analyzes full-stack security trends across industries, highlighting common vulnerabilities, patching delays, and risk hotspots. With insights into exploit availability, attack surface exposure, and remediation timelines, it equips organizations with the data they need to make smarter, risk-based decisions."
https://www.helpnetsecurity.com/2025/04/24/edgescan-2025-vulnerability-statistics-report/
https://www.edgescan.com/stats-report/
- Coaching AI Agents: Why Your Next Security Hire Might Be An Algorithm
"Security teams are drowning in alerts. The sheer volume of threats, suspicious activity, and false positives makes it nearly impossible for analysts to investigate everything effectively. Enter agentic AI, capable of completing hundreds of tasks simultaneously without tiring. Organizations increasingly turn to agentic AI to handle repetitive security tasks, such as alert triage, allowing human analysts to focus on the most critical threats. But while agentic AI may be fast, it isn’t infallible. It doesn’t inherently understand an organization’s unique risk landscape or security priorities."
https://www.helpnetsecurity.com/2025/04/24/agentic-ai-onboarding/
- One In Three Security Teams Trust AI To Act Autonomously
"While AI adoption is widespread, its impact on productivity, trust, and team structure varies sharply by role and region, according to Exabeam. The findings confirm a critical divide: 71% of executives believe AI has significantly improved productivity across their security teams, yet only 22% of analysts — those closest to the tools — agree. This perception gap reveals more than a difference in opinion; it underscores a deeper issue with operational effectiveness and trust."
https://www.helpnetsecurity.com/2025/04/24/ai-adoption-impact-on-organizations/
- Scams 2.0: How Technology Is Powering The Next Generation Of Fraud
"Technology is transforming the way financial scams operate, making them more sophisticated, automated, and harder to detect. From deepfake impersonations to cryptocurrency fraud and tech support scams, bad actors are leaving no stone unturned and are leveraging every advanced tool at their disposal to manipulate victims and steal their assets. This blog will look at how fraudsters are weaponizing artificial intelligence (AI), social engineering, and evolving digital tactics to exploit financial planning clients, and what can be done to combat these growing threats."
https://www.tripwire.com/state-of-security/scams-how-technology-powering-next-generation-fraud
- 2025 Q1 Trends In Vulnerability Exploitation
"In Q1 2025, VulnCheck identified evidence of 159 CVEs publicly disclosed for the first time as exploited in the wild. The disclosure of known exploited vulnerabilities was from 50 different sources. We continue to see vulnerabilities being exploited at a fast pace with 28.3% of vulnerabilities being exploited within 1-day of their CVE disclosure. This trend continues from a similar pace we saw in 2024. This demonstrates the need for defenders to move fast on emerging threats while continuing to burn down their vulnerability debt."
https://vulncheck.com/blog/exploitation-trends-q1-2025
https://thehackernews.com/2025/04/159-cves-exploited-in-q1-2025-283.html
https://cyberscoop.com/vulncheck-known-exploited-cves-q1-2025/
- Navigating Regulatory Shifts & AI Risks
"This year has already proven to be a pivotal one in cybersecurity, as the rapid adoption of artificial intelligence (AI) and regulatory changes present fresh challenges. Here are the key trends that I anticipate will shape the cybersecurity regulatory landscape, this year and beyond."
https://www.darkreading.com/vulnerabilities-threats/navigating-regulatory-shifts-ai-risks
- Ransomware Attacks Fall Sharply In March
"Ransomware attacks plummeted by 32% month-over-month in March 2025, with a total of 600 claimed incidents, according to NCC Group’s latest Threat Pulse report. Despite the drop compared to February 2025, the firm noted that ransomware cases in March increased by 46% year-over-year. Commenting on the findings, Matt Hull, Head of Threat Intelligence at NCC, described the month-over-month fall in March as a “red herring,” as it followed unprecedented levels of attacks in the preceding months."
https://www.infosecurity-magazine.com/news/ransomware-fall-sharply-march/
- ETSI Unveils New Baseline Requirements For Securing AI
"European standards organization ETSI has released a new set of technical specifications designed to serve as an “international benchmark” for securing AI models and systems. ETSI TS 104 223 is titled Securing Artificial Intelligence (SAI); Baseline Cyber Security Requirements for AI Models and Systems. It describes a set of 13 core principles, expanding to a total of 72 trackable principles, across five lifecycle phases: secure design, development, deployment, maintenance and end of life."
https://www.infosecurity-magazine.com/news/etsi-baseline-requirements/
- Beyond The Inbox: ThreatLabz 2025 Phishing Report Reveals How Phishing Is Evolving In The Age Of GenAI
"Gone are the days of mass phishing campaigns. Today’s attackers are leveraging generative AI (GenAI) to deliver hyper-targeted scams, transforming every email, text, or call into a calculated act of manipulation. With flawless lures and tactics designed to outsmart AI defenses, cybercriminals are zeroing in on HR, payroll, and finance teams—exploiting human vulnerabilities with precision. The Zscaler ThreatLabz 2025 Phishing Report dives deep into the rapidly evolving phishing landscape and uncovers the latest trends, including top phishing targets, real-world examples of AI-driven phishing attacks, and actionable best practices to defend against the next wave of AI-powered phishing threats."
https://www.zscaler.com/blogs/security-research/beyond-inbox-threatlabz-2025-phishing-report-reveals-how-phishing-evolving
- AI-Powered Polymorphic Phishing Is Changing The Threat Landscape
"Our threat research team has observed a rise in polymorphic phishing campaigns being launched on a much larger scale than before. We found a 17% increase in phishing emails in February 2025 compared to the previous six months. Last year, at least one polymorphic feature was present in 76% of all phishing attacks."
https://www.securityweek.com/ai-powered-polymorphic-phishing-is-changing-the-threat-landscape/
- Remote Risks And Next-Door Networks: The Anatomy Of a Nearest Neighbor Attack
"In February 2022 Russian state threat group APT28, also called Fancy Bear, Forest Blizzard, and GruesomeLarch, attacked a U.S. company with ties to Ukraine. The motive was familiar: intelligence gathering. The method, however, was novel — a new approach that combined remote risks with next-door networks. Known as a nearest neighbor attack, it's a wake-up call for companies that lock digital doors but leave Wi-Fi windows open. In this piece, we'll break down the basics of a nearest neighbor attack, explore the APT28 compromise, and offer tips to help companies stay safe."
https://blog.barracuda.com/2025/04/24/next-door-networks-nearest-neighbor-attack
Reference
Electronic Transactions Development Agency (ETDA) - AI & Cybersecurity: The State Of Cyber In UK And US Energy Sectors