    Cyber Threat Intelligence 28 April 2025

    Cyber Security News
    • NCSA_THAICERT

      Healthcare Sector

      • The Top Ransomware Groups Targeting The Healthcare Sector
        "In this post, we identify and analyze the top ransomware groups that have been actively targeting the healthcare sector between January and April 2025."
        Priority: 3 - Important
        Relevance: General, Trends and statistics
        https://flashpoint.io/blog/ransomware-groups-targeting-healthcare-sector/

      Industrial Sector

      • How We Discovered Planet Technology Network Device Vulnerabilities
        "I’ve recently been on a hardware bug-hunting kick, picking up new skills and learning or creating new tools with a focus on hardware reverse engineering for IoT and embedded devices (mainly routers, as they’re pretty easy to get hold of). I’ve also spent the last few months looking at operational technology (OT) and industrial control systems (ICSs) to create cyber ranges and training environments. These passions led to an unexpected cybersecurity discovery. Back in December, I spotted an advisory for a couple of vulnerabilities in a set of industrial network switches from a manufacturer in Taiwan, Planet Technology. There were no technical details at the time of the release, and I had no other active research as we wound into the festive period."
        https://www.immersivelabs.com/resources/blog/how-we-discovered-planet-technology-network-device-vulnerabilities
        https://hackread.com/planet-technology-industrial-switch-flaws-full-takeover/

      Vulnerabilities

      • ReliaQuest Uncovers New Vulnerability In SAP NetWeaver
        "On April 25, 2025, SAP assigned "CVE-2025-31324" to a critical vulnerability in SAP NetWeaver Visual Composer, with a severity score of 10. This is the same vulnerability we identified during this investigation. While we initially believed this to be a remote file inclusion (RFI) vulnerability, it was later identified as an unrestricted file upload vulnerability by SAP, enabling attackers to upload malicious files directly to the system without authorization. SAP has released a patch for this vulnerability, and the notes for this patch can be reviewed by SAP customers here. We strongly recommend updating SAP NetWeaver to the latest version to mitigate this vulnerability."
        https://reliaquest.com/blog/threat-spotlight-reliaquest-uncovers-vulnerability-behind-sap-netweaver-compromise/
        https://thehackernews.com/2025/04/sap-confirms-critical-netweaver-flaw.html
        https://www.bleepingcomputer.com/news/security/sap-fixes-suspected-netweaver-zero-day-exploited-in-attacks/
        https://www.securityweek.com/sap-zero-day-possibly-exploited-by-initial-access-broker/
        https://cyberscoop.com/sap-netweaver-zero-day-exploit-cve-2025-31324/
        https://www.infosecurity-magazine.com/news/sap-fixes-critical-vulnerability/
        https://securityaffairs.com/176983/hacking/sap-netweaver-zero-day-allegedly-exploited-by-an-initial-access-broker.html
        https://www.theregister.com/2025/04/25/sap_netweaver_patch/
        https://hackread.com/sap-netweaver-flaw-severity-hackers-deploy-web-shells/
      • All Major Gen-AI Models Vulnerable To ‘Policy Puppetry’ Prompt Injection Attack
        "A newly devised universal prompt injection technique can break the safety guardrails of all major generative AI models, AI security firm HiddenLayer says. Called Policy Puppetry, the attack relies on prompts crafted so that the target LLM would interpret them as policies, leading to instruction override and safety alignment bypass. Gen-AI models are trained to refuse user requests that would result in harmful output, such as those related to CBRN threats (chemical, biological, radiological, and nuclear), self-harm, or violence."
        https://www.securityweek.com/all-major-gen-ai-models-vulnerable-to-policy-puppetry-prompt-injection-attack/
      • Security Analysis Of Rack Ruby Framework: CVE-2025-25184, CVE-2025-27111, And CVE-2025-27610
        "Through a comprehensive security analysis conducted by OPSWAT's Red Team, security researchers Thai Do and Minh Pham identified multiple vulnerabilities impacting the Rack Ruby framework, specifically CVE-2025-25184, CVE-2025-27111, and CVE-2025-27610. This article provides a detailed overview of these vulnerabilities, with a particular focus on CVE-2025-27610. It examines the root causes, evaluates potential impacts, and outlines effective mitigation strategies to secure applications relying on the Rack framework."
        https://www.opswat.com/blog/security-analysis-of-rack-ruby-framework-cve-2025-25184-cve-2025-27111-and-cve-2025-27610
        https://thehackernews.com/2025/04/researchers-identify-rackstatic.html
        https://www.helpnetsecurity.com/2025/04/25/rack-ruby-vulnerability-could-reveal-secrets-to-attackers-cve-2025-27610/
      • Windows "inetpub" Security Fix Can Be Abused To Block Future Updates
        "A recent Windows security update that creates an ‘inetpub’ folder has introduced a new weakness allowing attackers to prevent the installation of future updates. After people installed this month's Microsoft Patch Tuesday security updates, Windows users suddenly found an "inetpub" folder owned by the SYSTEM account created in the root of the system drive, normally the C: drive. It was strange to see this folder created as it is normally used to hold files associated with Microsoft's Internet Information Service web server, which was not installed on these devices."
        https://www.bleepingcomputer.com/news/microsoft/windows-inetpub-security-fix-can-be-abused-to-block-future-updates/
      • Trust Me, I’m Local: Chrome Extensions, MCP, And The Sandbox Escape
        "Let’s talk about MCPs. You’ve probably heard of them, and maybe you’ve read the security risks associated with them. Sure, they sound worrying, but when you put them into a real-world context, they can quickly become far more concerning than you can ever imagine. Just last week, our system flagged a suspicious Chrome extension. It sent messages to a port on localhost — nothing too odd at first glance, but as we dug deeper, we found that this extension communicated with an MCP server running on the local machine."
        https://blog.extensiontotal.com/trust-me-im-local-chrome-extensions-mcp-and-the-sandbox-escape-1875a0ee4823
        https://www.infosecurity-magazine.com/news/chrome-extension-ai-engine-act-mcp/
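
      The ExtensionTotal item above rests on one observable fact: the flagged extension sent messages to a port on localhost and reached an MCP server there. One quick triage check is to read what an installed extension's manifest declares it may reach. The Python below is an added example, not ExtensionTotal's tooling and not code from the article; the two manifests are constructed samples. It flags host patterns, content-script match patterns and CSP connect-src entries that cover loopback, and the nativeMessaging permission, which reaches a host process outside the browser entirely.

```python
import json
import re
from typing import Any, Dict, List, Optional

# Constructed triage helper: flag Chrome extension manifests that declare the
# ability to reach loopback services (for example an MCP server on localhost).
# Heuristic only: it reads declared permissions, not runtime behaviour.

LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "[::1]", "0.0.0.0"}
_MATCH_RE = re.compile(r"^(?P<scheme>\*|https?|wss?|ftp|file)://(?P<host>[^/]*)(?P<path>/.*)?$")


def host_of(pattern: str) -> Optional[str]:
    """Host part of a match pattern or CSP source: '*' for any host, None when
    the string is not URL-like (CSP keywords such as 'self', plain permissions)."""
    if pattern == "<all_urls>":
        return "*"
    m = _MATCH_RE.match(pattern.strip())
    if not m:
        return None
    host = m.group("host")
    if host.startswith("["):                      # bracketed IPv6 literal, e.g. [::1]:3000
        host = host[: host.index("]") + 1] if "]" in host else host
    else:                                         # strip an optional port, e.g. localhost:*
        host = host.split(":", 1)[0]
    return host.lower()


def reaches_loopback(host: Optional[str]) -> bool:
    """True when a host covers the local machine: an explicit loopback address,
    a *.localhost name, or a wildcard host that matches every origin."""
    if host is None:
        return False
    return host == "*" or host in LOOPBACK_HOSTS or host.endswith(".localhost")


def _csp_connect_sources(csp: Any) -> List[str]:
    """Collect connect-src sources from an MV2 string CSP or an MV3 dict CSP."""
    texts = list(csp.values()) if isinstance(csp, dict) else [csp or ""]
    sources: List[str] = []
    for text in texts:
        for directive in text.split(";"):
            parts = directive.split()
            if parts and parts[0] == "connect-src":
                sources.extend(parts[1:])
    return sources


def audit_manifest(manifest: Dict[str, Any]) -> List[str]:
    """Return human-readable findings about loopback reachability."""
    findings: List[str] = []
    # MV3 keeps host patterns in host_permissions; MV2 mixed them into permissions.
    for key in ("host_permissions", "permissions"):
        for p in manifest.get(key, []):
            if reaches_loopback(host_of(p)):
                findings.append(f"{key}: {p!r} lets extension pages fetch loopback services")
    for script in manifest.get("content_scripts", []):
        for p in script.get("matches", []):
            if reaches_loopback(host_of(p)):
                findings.append(f"content_scripts: {p!r} injects into pages served from loopback")
    for src in _csp_connect_sources(manifest.get("content_security_policy")):
        if reaches_loopback(host_of(src)):
            findings.append(f"content_security_policy connect-src {src!r} permits loopback connections")
    if "nativeMessaging" in manifest.get("permissions", []):
        findings.append("permissions: nativeMessaging starts a registered host process outside the browser")
    return findings


def audit_manifest_text(text: str) -> List[str]:
    """Same check over the raw manifest.json text."""
    return audit_manifest(json.loads(text))


# Constructed sample manifests (not real extensions).
SUSPICIOUS_MANIFEST = {
    "manifest_version": 3,
    "name": "constructed-sample",
    "permissions": ["storage", "tabs"],
    "host_permissions": ["http://localhost:*/*", "https://*.example.com/*"],
    "content_scripts": [{"matches": ["https://*.example.com/*"], "js": ["cs.js"]}],
    "content_security_policy": {
        "extension_pages": "script-src 'self'; connect-src 'self' ws://127.0.0.1:*"
    },
}
BENIGN_MANIFEST = {
    "manifest_version": 3,
    "name": "constructed-benign",
    "permissions": ["storage"],
    "host_permissions": ["https://*.example.com/*"],
}

if __name__ == "__main__":
    for name, m in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(name, audit_manifest(m) or ["no loopback reachability declared"])
```

      A declared pattern is only an upper bound on behaviour: an extension holding `<all_urls>` may never touch localhost, and one that genuinely needs a local service may be legitimate, so findings are leads for review rather than verdicts. The durable fix sits on the other end of the socket: a local MCP server should authenticate whoever connects to it rather than trusting that loopback traffic is benign.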

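      The SAP NetWeaver item in the Vulnerabilities section above names the bug class, an upload endpoint that stores whatever an unauthenticated caller sends, without showing what that defect looks like in code. As an added illustration that is not SAP's code and not taken from the ReliaQuest write-up, the following Python places a minimal unrestricted upload handler beside a hardened one. The directories, the `uploader` role, the size cap and the allowed-type table are all assumptions made for the example.

```python
import os
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Constructed illustration of the bug class (unrestricted file upload with no
# authorization check) next to a hardened handler. Not SAP code; the paths,
# roles and allowlist are assumptions for the example.

WEB_ROOT = "/srv/app/webroot"            # assumed: directory the web tier serves
UPLOAD_STORE = "/srv/app/uploads"        # assumed: directory the web tier never serves
ALLOWED_TYPES = {                        # assumed business need: images and PDFs only
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".pdf": b"%PDF-",
}
MAX_BYTES = 5 * 1024 * 1024


@dataclass
class Request:
    user: Optional[str]                  # None means unauthenticated
    roles: set = field(default_factory=set)
    filename: str = ""                   # client-controlled
    data: bytes = b""


@dataclass
class UploadResult:
    accepted: bool
    path: Optional[str]
    reason: str


def vulnerable_upload(req: Request, web_root: str = WEB_ROOT) -> UploadResult:
    """Unrestricted upload: no authentication, the client picks the name, and
    the file lands under the served web root. 'cmd.jsp' becomes a web shell
    and '../' segments walk out of the directory."""
    dest = os.path.normpath(os.path.join(web_root, req.filename))
    return UploadResult(True, dest, "stored as-is")


def secure_upload(req: Request, store_dir: str = UPLOAD_STORE) -> UploadResult:
    """Hardened upload: authn and authz, size cap, extension allowlist checked
    against the file's leading bytes, server-chosen random name, storage
    outside the web root."""
    if req.user is None:
        return UploadResult(False, None, "authentication required")
    if "uploader" not in req.roles:
        return UploadResult(False, None, "user lacks upload role")
    if len(req.data) > MAX_BYTES:
        return UploadResult(False, None, "file too large")

    # Only the extension is taken from the client name; any directory part is discarded.
    ext = os.path.splitext(os.path.basename(req.filename))[1].lower()
    magic = ALLOWED_TYPES.get(ext)
    if magic is None:
        return UploadResult(False, None, f"extension {ext or '(none)'} not allowed")
    if not req.data.startswith(magic):
        return UploadResult(False, None, "content does not match extension")

    # Server-chosen name: the client cannot influence the final path at all.
    dest = os.path.join(store_dir, secrets.token_hex(16) + ext)
    # Defence in depth: the final path must still resolve inside the store directory.
    store_abs = os.path.abspath(store_dir)
    if os.path.commonpath([store_abs, os.path.abspath(dest)]) != store_abs:
        return UploadResult(False, None, "path escaped store directory")
    return UploadResult(True, dest, "stored")


def write_accepted(result: UploadResult, data: bytes) -> None:
    """Persist an accepted upload; mode 'xb' refuses to overwrite an existing file."""
    if result.accepted and result.path:
        os.makedirs(os.path.dirname(result.path), exist_ok=True)
        with open(result.path, "xb") as fh:
            fh.write(data)


if __name__ == "__main__":
    shell = Request(user=None, filename="cmd.jsp", data=b"<% Runtime.getRuntime() %>")
    print(vulnerable_upload(shell))   # accepted, lands under the web root
    print(secure_upload(shell))       # rejected: authentication required
    ok = Request(user="alice", roles={"uploader"}, filename="scan.png",
                 data=b"\x89PNG\r\n\x1a\n" + b"\x00" * 64)
    print(secure_upload(ok))          # accepted, random name under UPLOAD_STORE
```

      The hardened version uses the client's file name for nothing but the extension, checks that extension against the file's leading bytes, and stores the result where the web tier cannot execute it; that last property is what turns an uploaded `.jsp` from remote code execution into an inert blob.
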
      Malware

      • Triada Strikes Back
        "Older versions of Android contained various vulnerabilities that allowed gaining root access to the device. Many malicious programs exploited these to elevate their system privileges and gain persistence. The notorious Triada Trojan also used this attack vector. With time, the vulnerabilities were patched, and restrictions were added to the firmware. Specifically, system partitions in recent Android versions cannot be edited, even with superuser privileges. Ironically, this has inadvertently benefited malicious actors. While external malware now faces greater permission restrictions, pre-installed malware within system partitions has become impossible to remove. Attackers are leveraging this by embedding malicious software into Android device firmware."
        https://securelist.com/triada-trojan-modules-analysis/116380/
      • DslogdRAT Malware Installed In Ivanti Connect Secure
        "In a previous article of JPCERT/CC Eyes, we reported on SPAWNCHIMERA malware, which infects the target after exploiting the vulnerability in Ivanti Connect Secure. However, this is not the only malware observed in recent attacks. This time, we focus on another malware DslogdRAT and a web shell that were installed by exploiting a zero-day vulnerability at that time, CVE-2025-0282, during attacks against organizations in Japan around December 2024."
        https://blogs.jpcert.or.jp/en/2025/04/dslogdrat.html
        https://thehackernews.com/2025/04/dslogdrat-malware-deployed-via-ivanti.html
        https://securityaffairs.com/177002/malware/jpcert-warns-of-dslogdrat-malware-deployed-in-ivanti-connect-secure.html
      • Earth Kurma APT Campaign Targets Southeast Asian Government, Telecom Sectors
        "Since June 2024, we uncovered a sophisticated APT campaign targeting multiple countries in Southeast Asia, including the Philippines, Vietnam, and Malaysia. We have named the threat actors behind this campaign “Earth Kurma.” Our analysis revealed that they primarily focused on government sectors, showing particular interest in data exfiltration. Notably, this wave of attacks involved rootkits to maintain persistence and conceal their activities. In this research, we provide the intelligence on Earth Kurma and their ongoing activities. We’ll disclose technical details, including their tactics, techniques and procedures (TTPs), as well as specifics on their toolsets, such as TESDAT, SIMPOBOXSPY, KRNRAT, and MORIYA, among others."
        https://www.trendmicro.com/en_us/research/25/d/earth-kurma-apt-campaign.html
      • Investigating An In-The-Wild Campaign Using RCE In CraftCMS
        "In mid-February, Orange Cyberdefense’s CSIRT was tasked with investigating a server that had been hosting a now-unavailable website. The site had been built using CraftCMS running version 4.12.8. The forensic investigation and post-analysis with the Ethical Hacking team led to the discovery of two CVEs: CVE-2024-58136 and CVE-2025-32432."
        https://sensepost.com/blog/2025/investigating-an-in-the-wild-campaign-using-rce-in-craftcms/
        https://www.bleepingcomputer.com/news/security/craft-cms-rce-exploit-chain-used-in-zero-day-attacks-to-steal-data/
      • Contagious Interview (DPRK) Launches a New Campaign Creating Three Front Companies To Deliver a Trio Of Malware: BeaverTail, InvisibleFerret, And OtterCookie
        "Silent Push Threat Analysts recently identified and mapped out a new campaign linked to the North Korean APT group Contagious Interview. Also known as “Famous Chollima,” Contagious Interview is a subgroup of the North Korean state-sponsored APT group, Lazarus. Contagious Interview has a history of launching sophisticated cyberattacks targeting individuals and organizations worldwide. In this new campaign, the threat actor group is using three front companies in the cryptocurrency consulting industry—BlockNovas LLC (blocknovas[.]com), Angeloper Agency (angeloper[.]com), and SoftGlide LLC (softglide[.]co)—to spread malware via “job interview lures.”"
        https://www.silentpush.com/blog/contagious-interview-front-companies/
        https://thehackernews.com/2025/04/north-korean-hackers-spread-malware-via.html
        https://hackread.com/north-korean-hackers-fake-crypto-firms-job-malware-scam/
      • 9X Surge In Ivanti Connect Secure Scanning Activity
        "On April 18, 2025, GreyNoise observed a 9X spike in suspicious scanning activity targeting Ivanti Connect Secure (ICS) or Ivanti Pulse Secure (IPS) VPN systems. More than 230 unique IPs probed ICS/IPS endpoints — a sharp rise from the usual daily baseline of fewer than 30. This surge may indicate coordinated reconnaissance and possible preparation for future exploitation."
        https://www.greynoise.io/blog/surge-ivanti-connect-secure-scanning-activity
        https://www.theregister.com/2025/04/25/more_ivanti_attacks_may_be/
      • Deepfake 'doctors' Take To TikTok To Peddle Bogus Cures
        "Once confined to research labs, generative AI is now available to anyone – including those with ill intentions, who use AI tools not to spark creativity, but to fuel deception instead. Deepfake technology, which can craft remarkably lifelike videos, images and audio, is increasingly becoming a go-to not just for celebrity impersonation stunts or efforts to sway public opinion, but also for identity theft and all manner of scams."
        https://www.welivesecurity.com/en/social-media/deepfake-doctors-tiktok-bogus-cures/
      • Fake Security Vulnerability Phishing Campaign Targets WooCommerce Users
        "The Patchstack team has been monitoring a large-scale phishing campaign using a sophisticated email and web-based phishing template to warn users of a supposed security vulnerability in their WooCommerce installation. This attack bears a very striking similarity to a phishing campaign we reported on previously, this time targeting WooCommerce users specifically, instead of WordPress users in general."
        https://patchstack.com/articles/fake-security-vulnerability-phishing-campaign-targets-woocommerce-users/
        https://www.bleepingcomputer.com/news/security/woocommerce-admins-targeted-by-fake-security-patches-that-hijack-sites/
      • Understanding The Threat Landscape For Kubernetes And Containerized Assets
        "The dynamic nature of containers can make it challenging for security teams to detect runtime anomalies or pinpoint the source of a security incident, presenting an opportunity for attackers to stay undetected. Microsoft Threat Intelligence has observed threat actors taking advantage of unsecured workload identities to gain access to resources, including containerized environments. Microsoft data showed that in the past year, 51% of workload identities were completely inactive, representing a potential attack vector for threat actors."
        https://www.microsoft.com/en-us/security/blog/2025/04/23/understanding-the-threat-landscape-for-kubernetes-and-containerized-assets/
        https://thehackernews.com/2025/04/storm-1977-hits-education-clouds-with.html
        https://securityaffairs.com/177067/hacking/storm-1977-targets-education-sector-with-password-spraying-microsoft-warns.html
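
      The GreyNoise item above is a baseline-versus-spike observation: the number of distinct source IPs probing Ivanti Connect Secure endpoints per day jumped from under 30 to more than 230. The same check can be run against an organisation's own edge logs. The Python below is an added example, not GreyNoise's code; the watchlisted path prefixes are an assumed list, the sample log lines are constructed from TEST-NET addresses, and the 5x threshold is an assumption.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime
from typing import Dict, Iterable, List, Optional

# Constructed detector: a jump in distinct source IPs per day hitting Ivanti
# Connect Secure / Pulse Secure web paths, compared with the preceding days.
# Input is combined-format web server log lines.

ICS_PATH_PREFIXES = ("/dana-na/", "/dana-cached/")   # assumed watchlist of ICS/IPS web paths
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*"'
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Extract source IP, calendar day (as logged) and request path; None if unparsable."""
    m = _LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "day": ts.strftime("%Y-%m-%d"), "path": m.group("path")}


def daily_unique_sources(lines: Iterable[str], prefixes=ICS_PATH_PREFIXES) -> Dict[str, int]:
    """Count distinct source IPs per day that touched a watchlisted path."""
    seen: Dict[str, set] = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"].startswith(prefixes):
            seen[rec["day"]].add(rec["ip"])
    return {day: len(ips) for day, ips in sorted(seen.items())}


def surge_report(lines: Iterable[str], ratio: float = 5.0, min_baseline: int = 3,
                 prefixes=ICS_PATH_PREFIXES) -> Dict:
    """Flag any day whose unique-source count is at least `ratio` times the
    median of the preceding days. `min_baseline` stops a near-zero baseline
    from turning a handful of scanners into an alert."""
    daily = daily_unique_sources(lines, prefixes)
    flagged: List[Dict] = []
    history: List[int] = []
    for day, count in daily.items():
        if history:
            baseline = max(statistics.median(history), min_baseline)
            if count >= ratio * baseline:
                flagged.append({"day": day, "unique_ips": count,
                                "baseline": baseline, "ratio": round(count / baseline, 2)})
        history.append(count)
    return {"daily": daily, "flagged": flagged}


# Constructed sample log (TEST-NET addresses, not real traffic).
def _line(ip: str, day: str, path: str, status: int = 200) -> str:
    return (f'{ip} - - [{day}/Apr/2025:10:00:00 +0000] "GET {path} HTTP/1.1" '
            f'{status} 512 "-" "Mozilla/5.0"')


SAMPLE_LOG: List[str] = []
for _day, _n in (("15", 3), ("16", 2), ("17", 3)):        # quiet days: a few scanners each
    for _i in range(_n):
        SAMPLE_LOG.append(_line(f"198.51.100.{_i + 1}", _day, "/dana-na/auth/url_default/welcome.cgi"))
for _i in range(30):                                       # surge day: 30 distinct sources
    SAMPLE_LOG.append(_line(f"203.0.113.{_i + 1}", "18", "/dana-na/auth/url_default/welcome.cgi", 403))
SAMPLE_LOG.append(_line("192.0.2.7", "18", "/index.html"))                   # not on the watchlist
SAMPLE_LOG.append(_line("203.0.113.1", "18", "/dana-cached/imgs/logo.png"))  # repeat IP, counted once

if __name__ == "__main__":
    report = surge_report(SAMPLE_LOG)
    print(report["daily"])
    for f in report["flagged"]:
        print(f"ALERT {f['day']}: {f['unique_ips']} unique sources, "
              f"{f['ratio']}x the baseline of {f['baseline']}")
```

      Counting distinct sources rather than request volume is what separates coordinated reconnaissance from one noisy scanner, and taking the median of the prior days keeps a single earlier spike from inflating the baseline.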

      Breaches/Hacks/Leaks

      • Mobile Provider MTN Says Cyberattack Compromised Customer Data
        "African mobile giant MTN Group announced that a cybersecurity incident has compromised the personal information of some of its subscribers in certain countries. MTN Group (formerly M-Cell) is Africa's largest mobile network operator, with a strong Asian market presence. The company has nearly 300 million subscribers across 20 countries and an annual revenue surpassing $11 billion. The telecom giant noted that its network and billing systems weren't impacted by the attack, though an investigation to determine the exact scope and impact is ongoing."
        https://www.bleepingcomputer.com/news/security/mobile-provider-mtn-says-cyberattack-compromised-customer-data/
        https://therecord.media/largest-african-telecom-warns-of-data-exposure
        https://securityaffairs.com/177037/security/african-multinational-telco-giant-mtn-disclosed-a-data-breach.html
      • Baltimore City Public Schools Data Breach Affects Over 31,000 People
        "Baltimore City Public Schools notified tens of thousands of employees and students of a data breach following an incident in February when unknown attackers hacked into its network. Established in 1829, the public school district provides primary and secondary education to 76,841 enrolled students through 164 schools and programs."
        https://www.bleepingcomputer.com/news/security/baltimore-city-public-schools-data-breach-affects-over-31-000-people/

      General News

      • Flexible Working Models Fuel Surge In Device Theft
        "76% of respondents have been impacted by incidents of device theft in the past two years, with incidents more common in organizations with more flexible working models, according to Kensington. For instance, research revealed that 85% of organizations with flexible working models experienced an incident of theft in the last 2 years, compared to 71% of organizations whose employees are fully onsite. The study, which surveyed 1,000 IT decision-makers representing a variety of industries, revealed that device thefts resulted in significant financial and productivity impacts on their organizations."
        https://www.helpnetsecurity.com/2025/04/25/flexible-working-models-device-theft-impact/
      • Exposure Validation Emerges As Critical Cyber Defense Component
        "Organizations have implemented various aspects of threat exposure validation, including security control validation (51%) and filtering threat exposures based on the effectiveness of security controls to mitigate threats (48%), according to Cymulate. At the same time, nearly all respondents say they have implemented exposure validation in one or more areas, including cloud security (53%), security controls (49%), response (36%) and threats (34%)."
        https://www.helpnetsecurity.com/2025/04/25/exposure-validation-processes/
      • Popular LLMs Found To Produce Vulnerable Code By Default
        "Some of the world’s most popular large language models (LLMs) are producing insecure code by default, according to a new analysis by Backslash Security. The findings demonstrate the security risks relating to software developers using generative AI tools to create code, particularly using simple, “naïve” prompts. Even prompts that specify general or specific security requirements often result in code containing common vulnerabilities. These vulnerabilities include command injection, XSS backend and frontend, insecure file upload and path traversal."
        https://www.infosecurity-magazine.com/news/llms-vulnerable-code-default/
      • FBI Seeks Help To Unmask Salt Typhoon Hackers Behind Telecom Breaches
        "The FBI has asked the public for information on Chinese Salt Typhoon hackers behind widespread breaches of telecommunications providers in the United States and worldwide. In October, the FBI and CISA confirmed that the Chinese state hackers had breached multiple telecom providers (including AT&T, Verizon, Lumen, Charter Communications, Consolidated Communications, and Windstream) and many other telecom companies in dozens of countries. As revealed at the time, while they had access to the U.S. telecoms' networks, the attackers also accessed the U.S. law enforcement's wiretapping platform and gained access to the "private communications" of a "limited number" of U.S. government officials."
        https://www.bleepingcomputer.com/news/security/fbi-seeks-help-to-unmask-salt-typhoon-hackers-behind-telecom-breaches/
      • Mobile Applications: A Cesspool Of Security Issues
        "An analysis of more than half a million mobile applications found that nearly one in five had hardcoded encryption keys, nearly one in six used software components with known vulnerabilities, and nearly two-thirds used broken or weak encryption. Overall, the vast majority of mobile applications had a significant security weakness, despite user tendencies to trust the apps on their phones, says Andrew Hoog, co-founder and CEO at NowSecure, a mobile-device penetration testing firm. In a presentation next week at the RSA Conference, he will discuss the findings of the company's analysis of hundreds of thousands of applications."
        https://www.darkreading.com/remote-workforce/mobile-applications-cesspool-security-issues
      • How Organizations Can Leverage Cyber Insurance Effectively
        "It is not news that cyberattacks are considered a top global concern. In 2024, the average financial cost of cyber incidents worldwide was $4.88 million. In the US, the average was even higher: $9.36 million. The ramifications of a cyberattack are more than just the obvious ones. The damage to infrastructure, lost revenue, attorney fees, incident response, and the resulting security enhancements make up the other half of that impact."
        https://www.darkreading.com/cybersecurity-operations/organizations-leverage-cyber-insurance-effectively
      • Vehicles Face 45% More Attacks, 4 Times More Hackers
        "Security incidents affecting the automotive and mobility industries shot up nearly 50% in the first quarter of 2025. Recent analysis from Upstream Security indicates an accelerating rate of cyber threats to vehicles and their manufacturers. Upstream researchers tracked 148 publicly disclosed incidents through the first few months of the year — a run rate that, should it continue, will well outpace the 409 incidents seen throughout the entirety of 2024. Even this, though, represents only a fraction of the total threat landscape affecting the industry."
        https://www.darkreading.com/vulnerabilities-threats/vehicles-45-more-attacks-4-times-more-hackers
      • Gig-Work Platforms At Risk For Data Breaches, Fraud, Account Takeovers
        "Gig-work platforms have become household names, providing everything from meal and grocery delivery to ridesharing, dog walking, and other random tasks. And as gig economy companies have grown in popularity, they've become an attractive target for threat actors. Alongside other major gig-work platforms — including TaskRabbit, Uber, DoorDash, and Instacart — which have been vulnerable to breaches by cybercriminals, Grubhub is the latest to be hit by a data breach. In early February, the food delivery company confirmed that an attacker stole names, email addresses, phone numbers, customers' card types (including the last four digits of their cards), and hashed passwords."
        https://www.darkreading.com/remote-workforce/gig-worker-platforms-data-breach-fraud

      Reference
      Electronic Transactions Development Agency (ETDA)