NCSA Webboard
    Cyber Threat Intelligence 29 April 2025

    Cyber Security News
    • NCSA_THAICERT

      New Tooling

      • GoSearch: Open-Source OSINT Tool For Uncovering Digital Footprints
        "GoSearch is an open-source OSINT tool built to uncover digital footprints linked to specific usernames. Designed for speed and accuracy, it lets users quickly track someone’s online presence across multiple platforms. GoSearch incorporates data from Hudson Rock’s Cybercrime Database, offering detailed insights into potential cybercrime connections. It also draws from BreachDirectory.org and ProxyNova databases, providing extensive access to breached data, including plain-text and hashed passwords associated with usernames. For investigators who need reliable results without unnecessary complexity, GoSearch fits the bill."
        https://www.helpnetsecurity.com/2025/04/28/gosearch-open-source-osint/
        https://github.com/ibnaleem/gosearch

      Vulnerabilities

      • Over 1,200 SAP NetWeaver Servers Vulnerable To Actively Exploited Flaw
        "Over 1,200 internet-exposed SAP NetWeaver instances are vulnerable to an actively exploited maximum severity unauthenticated file upload vulnerability that allows attackers to hijack servers. SAP NetWeaver is an application server and development platform that runs and connects SAP and non-SAP applications across different technologies. Last week, SAP disclosed an unauthenticated file upload vulnerability, tracked as CVE-2025-31324, in SAP NetWeaver Visual Composer, specifically the Metadata Uploader component."
        https://www.bleepingcomputer.com/news/security/over-1-200-sap-netweaver-servers-vulnerable-to-actively-exploited-flaw/
        https://onapsis.com/blog/active-exploitation-of-sap-vulnerability-cve-2025-31324/
        https://www.darkreading.com/cyberattacks-data-breaches/sap-netweaver-visual-composer-flaw-active-exploitation
        https://www.helpnetsecurity.com/2025/04/28/sap-netweaver-cve-2025-31324-exploited/
      • CISA Adds Three Known Exploited Vulnerabilities To Catalog
        "CISA has added three new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
        CVE-2025-1976 Broadcom Brocade Fabric OS Code Injection Vulnerability
        CVE-2025-42599 Qualitia Active! Mail Stack-Based Buffer Overflow Vulnerability
        CVE-2025-3928 Commvault Web Server Unspecified Vulnerability"
        https://www.cisa.gov/news-events/alerts/2025/04/28/cisa-adds-three-known-exploited-vulnerabilities-catalog
      • NVIDIA Riva Vulnerabilities Leave AI-Powered Speech And Translation Services At Risk
        "NVIDIA Riva represents a breakthrough in AI speech recognition, translation, and synthesis, which enables companies to integrate high-performance models into various applications including transcription, voice assistants, and conversational AI. However, its implementation brings new and unique security challenges. The rush to harness advanced speech recognition capabilities can expose enterprises to security risks, as the complex nature of the deployment architecture and intricate layers of AI models and APIs create an expansive attack surface that demands careful consideration."
        https://www.trendmicro.com/en_us/research/25/d/nvidia-riva-vulnerabilities.html

      Malware

      • Weaponized Words: Uyghur Language Software Hijacked To Deliver Malware
        "In mid-March 2025, members of the World Uyghur Congress (WUC) living in exile received Google notifications warning that their accounts had been the subject of government-backed attacks. As frequent targets of hacking attempts by Chinese state and state-affiliated actors, they immediately reached out to reporters from Paper Trail Media, who are part of the “China Targets” project led by the International Consortium of Investigative Journalists investigating transnational repression, as well as researchers at the Citizen Lab."
        https://citizenlab.ca/2025/04/uyghur-language-software-hijacked-to-deliver-malware/
        https://therecord.media/uyghurs-spearphishing-campaign-citizen-lab
        https://www.infosecurity-magazine.com/news/uyghur-diaspora-surveillance/
      • Iran Claims It Stopped Large Cyberattack On Country’s Infrastructure
        "Iran repelled a “widespread and complex” cyberattack targeting the country’s infrastructure on Sunday, according to a senior official who spoke to the Islamic Revolutionary Guard Corps-linked Tasnim News Agency. The incident, which was not described in detail, was revealed by Behzad Akbari, the head of the government’s Telecommunication Infrastructure Company (TIC). “One of the most widespread and complex cyber attacks against the country's infrastructure was identified and preventive measures were taken,” Akbari said. The TIC did not immediately respond to a request for more information."
        https://therecord.media/iran-cyberattack-national-infrastructure
      • Sock(et) Puppet: How RansomHub Affiliates Pull The Strings
        "Adversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes. We have discovered some of the most dangerous threats and nation state attacks in our space – including the Kaseya MSP breach and the more_eggs malware. Our Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced Threat Analytics driven by our Threat Response Unit – the TRU team."
        https://www.esentire.com/blog/socket-puppet-how-ransomhub-affiliates-pull-the-strings
      • Phishing Despite FIDO, Leveraging a Novel Technique Based On The Device Code Flow
        "This is a novel technique that leverages the well-known Device Code phishing approach. It dynamically initiates the flow as soon as the victim opens the phishing link and instantly redirects them to the authentication page. A headless browser automates this by directly entering the generated Device Code into the webpage behind the scenes. This defeats the 10-minute token validity limitation and eliminates the need for the victim to manually perform these steps, elevating the efficiency of the attack to a new level. What makes Device Code phishing especially dangerous is that no authentication method, not even FIDO, is able to protect against this type of attack. Additionally, the victim interacts with the original website they expect, making it impossible to detect the attack based on a suspicious URL."
        https://denniskniep.github.io/posts/09-device-code-phishing/

      Breaches/Hacks/Leaks

      • Marks & Spencer Breach Linked To Scattered Spider Ransomware Attack
        "Ongoing outages at British retail giant Marks & Spencer are caused by a ransomware attack believed to be conducted by a hacking collective known as 'Scattered Spider', BleepingComputer has learned from multiple sources. Marks & Spencer (M&S) is a British multinational retailer that employs 64,000 employees and sells various products, including clothing, food, and home goods in over 1,400 stores worldwide. Last Tuesday, M&S confirmed it suffered a cyberattack that caused widespread disruption, including to its contactless payment system and online ordering. Today, Sky News reported that the disruption continues, with around 200 warehouse workers told to stay home as the company responds to the attack."
        https://www.bleepingcomputer.com/news/security/marks-and-spencer-breach-linked-to-scattered-spider-ransomware-attack/
      • Hitachi Vantara Takes Servers Offline After Akira Ransomware Attack
        "Hitachi Vantara, a subsidiary of Japanese multinational conglomerate Hitachi, was forced to take servers offline over the weekend to contain an Akira ransomware attack. The company provides data storage, infrastructure systems, cloud management, and ransomware recovery services to government entities and some of the world's biggest brands, including BMW, Telefónica, T-Mobile, and China Telecom. In a statement shared with BleepingComputer, Hitachi Vantara confirmed the ransomware attack, saying it hired external cybersecurity experts to investigate the incident's impact and is now working on getting all affected systems online."
        https://www.bleepingcomputer.com/news/security/hitachi-vantara-takes-servers-offline-after-akira-ransomware-attack/
      • VeriSource Now Says February Data Breach Impacts 4 Million People
        "Employee benefits administration firm VeriSource Services is warning that a data breach exposed the personal information of four million people. VeriSource is a Texas-based employee benefits administration and HR outsourcing solutions provider with diverse clients across the U.S. The firm has begun data breach notifications to impacted individuals about a cybersecurity incident that occurred in February 2024, but the impact of which it took them until April 2025 to evaluate."
        https://www.bleepingcomputer.com/news/security/verisource-now-says-february-data-breach-impacts-4-million-people/
        https://www.securityweek.com/4-million-affected-by-data-breach-at-verisource-services/
        https://www.theregister.com/2025/04/28/verisource_data_spill_estimate_up/
      • The Turmoil Following BreachForums Shutdown: Confusion, Risks, And a New Beginning
        "On April 15, BreachForums, one of the top marketplaces for stolen data, abruptly shut down, fueling widespread speculation. Rumors ranged from FBI raids to the arrest of the administrator. In the aftermath, several alternative forums emerged, some demanding entry fees, fueling confusion and raising the risk of scams or government-run honeypots. BreachForums was an English-language cybercrime forum that emerged in March 2022 as a successor to the dismantled RaidForums. It served as a marketplace for threat actors to buy and sell stolen data, hacking tools, and compromised credentials. The forum was founded by Conor Brian Fitzpatrick, known online as “pompompurin,” who had previously claimed responsibility for the 2021 FBI email hack."
        https://securityaffairs.com/177146/hacking/the-turmoil-following-breachforums-shutdown-confusion-risks-and-a-new-beginning.html
        https://hackread.com/breachforums-displays-message-shutdown-mybb-0day-flaw/
      • Employee Monitoring App Leaks 21 Million Screenshots In Real Time
        "Your boss watching your screen isn't the end of the story. Everyone else might be watching, too. Researchers at Cybernews have uncovered a major privacy breach involving WorkComposer, a workplace surveillance app used by over 200,000 people across countless companies. The app, designed to track productivity by logging activity and snapping regular screenshots of employees’ screens, left over 21 million images exposed in an unsecured Amazon S3 bucket, broadcasting how workers go about their day frame by frame."
        https://cybernews.com/security/employee-monitoring-app-leaks-millions-screenshots/
        https://www.malwarebytes.com/blog/news/2025/04/employee-monitoring-app-exposes-users-leaks-21-million-screenshots
      • Media Firm Urban One Confirms Data Breach After Cybercriminals Claim February Attack
        "Media conglomerate Urban One reported a data breach in recent days involving the personal information of employees and more. In breach notification letters filed in Texas and Massachusetts, the Maryland-based media company said the cyberattack began on February 13 and was initiated through “a sophisticated social engineering campaign.” The hackers were able to exfiltrate company data but the company only discovered the incident on March 15. The incident did not impact the company’s operations but by March 30, a forensic investigation confirmed that data was stolen by the hackers."
        https://therecord.media/urban-one-data-breach-african-amercian-media

      General News

      • Ransomware Attacks Are Getting Smarter, Harder To Stop
        "Ransomware attacks are becoming more refined and pervasive, posing significant challenges to organizations globally. A Veeam report reveals that while the percentage of companies impacted by ransomware attacks has slightly declined from 75% to 69%, the threat remains substantial. This decrease is attributed to improved preparation and resilience practices, as well as increased collaboration between IT and security teams. However, as ransomware attacks from both established groups and “lone wolf” actors proliferate, organizations must adopt proactive cyber resilience strategies to mitigate risks and recover more swiftly and effectively from incidents."
        https://www.helpnetsecurity.com/2025/04/28/companies-impacted-ransomware-attacks/
      • Most Critical Vulnerabilities Aren’t Worth Your Attention
        "Web applications face a wide range of risks, including known-exploitable vulnerabilities, supply chain attacks, and insecure identity configurations in CI/CD, according to the Datadog State of DevSecOps 2025 report. By analyzing a dataset of applications to identify known third-party vulnerabilities, it was found that 15% of services are vulnerable to known-exploited vulnerabilities, affecting 30% of organizations."
        https://www.helpnetsecurity.com/2025/04/28/datadog-state-of-devsecops-2025/
      • Targeted By 20.5 Million DDoS Attacks, Up 358% Year-Over-Year: Cloudflare’s 2025 Q1 DDoS Threat Report
        "Welcome to the 21st edition of the Cloudflare DDoS Threat Report. Published quarterly, this report offers a comprehensive analysis of the evolving threat landscape of Distributed Denial of Service (DDoS) attacks based on data from the Cloudflare network. In this edition, we focus on the first quarter of 2025. To view previous reports, visit www.ddosreport.com. While this report primarily focuses on 2025 Q1, it also includes late-breaking data from a hyper-volumetric DDoS campaign observed in April 2025, featuring some of the largest attacks ever publicly disclosed. In a historic surge of activity, we blocked the most intense packet rate attack on record, peaking at 4.8 billion packets per second (Bpps), 52% higher than the previous benchmark, and separately defended against a massive 6.5 terabits-per-second (Tbps) flood, matching the highest bandwidth attacks ever reported."
        https://blog.cloudflare.com/ddos-threat-report-for-2025-q1/
        https://www.bleepingcomputer.com/news/security/cloudflare-mitigates-record-number-of-ddos-attacks-in-2025/
      • IR Trends Q1 2025: Phishing Soars As Identity-Based Attacks Persist
        "Phishing attacks spiked this quarter as threat actors leveraged this method of initial access in half of all engagements, a vast increase from previous quarters. Conversely, the use of valid accounts for initial access was rarely seen this quarter, despite being the top observed method in 2024, according to our Year in Review report. Nevertheless, valid accounts played a prominent role in the attack chains Cisco Talos Incident Response (Talos IR) observed as actors predominantly used phishing to gain access to a user account, then leveraged this access to establish persistence in targeted networks."
        https://blog.talosintelligence.com/ir-trends-q1-2025/
      • 2025 Global Threat Landscape Report
        "Our latest global threat landscape report uncovers how automation, AI, and stolen credentials are fueling faster, more scalable cyberattacks—outpacing defenders across industries and geographies. Organizations are facing a perfect storm of cyber risk: accelerated reconnaissance, widespread exploitation, and a surge in credential theft. Legacy defenses can’t keep up with automated attacks that hit faster and are spreading further than ever before."
        https://www.fortinet.com/resources/reports/threat-landscape-report#2025
        https://www.fortinet.com/blog/threat-research/key-takeaways-from-the-2025-global-threat-landscape-report
        https://www.darkreading.com/remote-workforce/ai-automation-dark-web-fuel-evolving-threat-landscape
        https://www.infosecurity-magazine.com/news/increase-automated-scanning/
      • Forget The Stack; Focus On Control
        "Cybersecurity debt isn't new. But it's finally being recognized for what it is: a hidden driver of risk, waste, and burnout. And in today's tightening economy, it's become impossible to ignore. As businesses brace for budget cuts, security leaders are being asked to do more with less. Meanwhile, attackers aren't slowing down, and tool sprawl is leaving teams overwhelmed, out of sync, and overexposed. This debt doesn't happen overnight. It builds slowly: outdated tools, incomplete configurations, and assumptions that controls are working because they exist. It's not caused by negligence. It's the cost of business priorities moving faster than security can adapt."
        https://www.darkreading.com/vulnerabilities-threats/forget-stack-focus-control
      • Half Of Mobile Devices Run Outdated Operating Systems
        "Half of all mobile devices are operating on outdated operating systems, leaving them highly vulnerable to cyber-attacks, according to new research. The figure comes from the 2025 Global Mobile Threat Report by Zimperium, which also highlights a surge in mobile-targeted attacks and app vulnerabilities, as threat actors increasingly exploit the widespread use of smartphones in corporate environments. Smishing – phishing attacks conducted via SMS – has grown significantly and now accounts for 69.3% of all mobile phishing incidents. Meanwhile, vishing and smishing attacks rose by 28% and 22% overall, respectively."
        https://www.infosecurity-magazine.com/news/50-mobile-devices-run-outdated/
        https://lp.zimperium.com/hubfs/Reports/2025 Global Mobile Threat Report.pdf
      • ISACA Highlights Critical Lack Of Quantum Threat Mitigation Strategies
        "Most organizations have no defined strategy to defend against quantum-enabled threats, according to a new survey by ISACA. Just 5% of IT professionals said such a strategy is currently in place at their organization, while only 3% believe it is a high business priority for the near future. More than half (59%) of respondents admitted that no steps have been taken to prepare for quantum computing. Experts have warned that quantum computers will be capable of breaking all current encryption protocols, such as RSA and AES. This will require computing power of 10,000 qubits or more."
        https://www.infosecurity-magazine.com/news/isaca-lack-quantum-threat/
      • The Rising Threat Of Email Attachments: Insights From Barracuda’s 2025 Email Threats Report
        "In an era of increasingly sophisticated cyberthreats, understanding the evolving landscape of email-based attacks is crucial for organizations of all sizes. The new Barracuda 2025 Email Threats Report shines light on attackers’ tactics with valuable insights to help you stay ahead of today’s most pressing email security threats."
        https://blog.barracuda.com/2025/04/28/rising-threat-email-attachments-barracuda-2025-email-threats-report
        https://www.barracuda.com/reports/2025-email-threats-report
        https://assets.barracuda.com/assets/docs/dms/2025-email-threats-report.pdf
      • How To Survive As a CISO, Aka 'Chief Scapegoat Officer'
        "Chief security officers should negotiate personal liability insurance and a golden parachute when they start a new job – in case things go sideways and management tries to scapegoat them for a network breach. And if they blow the whistle, it's best not to sue their employer as well, lest they get blacklisted. Those were among the nuggets of advice given at an RSA Conference panel on CISO whistleblowing Monday. Dd Budiharto, a former CISO at Marathon Oil and Phillips 66, told her audience one past unnamed employer fired her for refusing to sign off on bogus invoices. Preparation, relationships, and choosing not to sue helped her get out of the situation with her reputation intact."
        https://www.theregister.com/2025/04/28/ciso_rsa_whistleblowing/
      • JokerOTP Dismantled After 28,000 Phishing Attacks, 2 Arrested
        "Two individuals have been arrested in a joint international operation dismantling JokerOTP, a sophisticated phishing tool used to intercept 2FA codes and steal over £7.5 million. Learn how this scam worked, the charges involved, and the ongoing efforts to combat this cybercrime network. In a coordinated effort, law enforcement agencies have busted a large-scale cyber fraud operation leading to the arrest of a 24-year-old man in Middlesbrough, England on Tuesday, April 22nd, while simultaneously, a 30-year-old man was arrested by Dutch authorities in Oost-Brabant, the Netherlands. These arrests are the result of a three-year probe led by the Cyber Crime Unit of Cleveland Police in the UK connected to the dismantling of a phishing tool known as JokerOTP."
        https://hackread.com/jokerotp-dismantled-28000-phishing-attacks-2-arrested/

      References
      Electronic Transactions Development Agency (ETDA)
