NCSA Webboard

    Cyber Threat Intelligence 30 April 2025

    Cyber Security News
    • NCSA_THAICERT

      Financial Sector

      • New Framework Targets Rising Financial Crime Threats
        "Experts are warning about a rise in online fraud using some of the same techniques as cybercriminals. For example, a recent FBI report found that cryptocurrency scams have surged in the past year, resulting in $9.3 billion in losses. Meanwhile, Google issued an urgent warning to 3 billion Gmail users about a sophisticated phishing attack exploiting a vulnerability in the company's infrastructure."
        https://www.bankinfosecurity.com/new-framework-targets-rising-financial-crime-threats-a-28112
        https://www.fsisac.com/newsroom/fsisac-releases-cyber-fraud-prevention-framework-to-strengthen-collaboration-between-fraud-and-cybersecurity-teams
      • Infostealers Harvest Over 30,000 Australian Banking Credentials
        "The banking credentials of more than 30,000 Australians have been harvested by infostealers, according to Dvuln researchers. The pen-testing firm conducted an analysis of infostealer logs between 2021 and 2025, which identified the individual banking credentials for customers across four major Australian banks. For each of the banks, which Dvuln has not named, a steady increase in the number of stolen credentials was observed from 2021 to 2023, before a small decline in 2024."
        https://www.infosecurity-magazine.com/news/infostealers-harvest-banking/

      Industrial Sector

      • Rockwell Automation ThinManager
        "Successful exploitation of these vulnerabilities could allow an attacker to escalate privileges and cause a denial-of-service condition."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-119-01
      • Delta Electronics ISPSoft
        "Successful exploitation of these vulnerabilities could result in an attacker executing arbitrary code."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-119-02
      • Many Fuel Tank Monitoring Systems Vulnerable To Disruption
        "Internet-connected automatic tank gauges (ATGs) pose a serious but often overlooked cyber-risk to the thousands of gas stations, fuel depots, and facilities that rely on these devices to monitor tank levels, temperatures, leaks, and other critical operational parameters. Pedro Umbelino, principal research scientist at Bitsight, is sounding the alarm on the issue at the 2025 RSAC Conference this week, warning that hackers could cause considerable chaos by tampering with ATGs."
        https://www.darkreading.com/ics-ot-security/fuel-tank-monitoring-systems-vulnerable-disruption
      • US Critical Infrastructure Still Struggles With OT Security
        "Just a week shy of the four-year anniversary of the Colonial Pipeline attack, cybersecurity across US critical infrastructure, particularly operational technology, is lagging woefully behind the country's adversaries. A bit of good news came out of the infamous incident, according to Michael Garcia, associate chief of policy with the US Cybersecurity and Infrastructure Security Agency. During a panel discussion yesterday on securing critical infrastructure at RSAC Conference 2025, he said the attack jolted the collective conscience of the country awake to the fact that ransomware was a true threat, and that a cyberattack could have real-world operational technology consequences. But beyond awareness, little has improved across critical infrastructure networks."
        https://www.darkreading.com/remote-workforce/critical-infrastructure-struggles-ot-security

      Telecom Sector

      • SK Telecom Cyberattack: Free SIM Replacements For 25 Million Customers
        "South Korean mobile provider SK Telecom has announced free SIM card replacements for its 25 million mobile customers following a recent USIM data breach, but only 6 million cards are available through May. SK Telecom is the country's largest mobile network operator, serving roughly half of the domestic mobile phone market. On April 19, the company detected malware running on its network that allowed threat actors to steal customers' Universal Subscriber Identity Module (USIM) data, typically including International Mobile Subscriber Identity (IMSI), Mobile Station ISDN Number (MSISDN), authentication keys, network usage data, and SMS or contacts if stored on the SIM."
        https://www.bleepingcomputer.com/news/security/sk-telecom-cyberattack-free-sim-replacements-for-25-million-customers/

      Vulnerabilities

      • CISA Adds One Known Exploited Vulnerability To Catalog
        "CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
        CVE-2025-31324 SAP NetWeaver Unrestricted File Upload Vulnerability"
        https://www.cisa.gov/news-events/alerts/2025/04/29/cisa-adds-one-known-exploited-vulnerability-catalog
        https://securityaffairs.com/177218/hacking/u-s-cisa-adds-sap-netweaver-flaw-to-its-known-exploited-vulnerabilities-catalog.html
      • Wormable Zero-Click Remote Code Execution (RCE) In AirPlay Protocol Puts Apple & IoT Devices At Risk
        "Oligo Security Research has discovered a new set of vulnerabilities in Apple’s AirPlay Protocol and the AirPlay Software Development Kit (SDK), which is used by third-party vendors to integrate AirPlay into third-party devices."
        https://www.oligo.security/blog/airborne
        https://www.bleepingcomputer.com/news/security/apple-airborne-flaws-can-lead-to-zero-click-airplay-rce-attacks/
        https://www.bankinfosecurity.com/airborne-dangerous-hacking-through-soundwaves-a-28118
      • Various GPT Services Are Vulnerable To Two Systemic Jailbreaks, Allows For Bypass Of Safety Guardrails
        "Two systemic jailbreaks, affecting a number of generative AI services, were discovered. These jailbreaks can result in the bypass of safety protocols and allow an attacker to instruct the corresponding LLM to provide illicit or dangerous content. The first jailbreak, called “Inception,” is facilitated through prompting the AI to imagine a fictitious scenario. The scenario can then be adapted to another one, wherein the AI will act as though it does not have safety guardrails. The second jailbreak is facilitated through requesting the AI for information on how not to reply to a specific request. Both jailbreaks, when provided to multiple AI models, will result in a safety guardrail bypass with almost the exact same syntax. This indicates a systemic weakness within many popular AI systems."
        https://kb.cert.org/vuls/id/667211
        https://thehackernews.com/2025/04/new-reports-uncover-jailbreaks-unsafe.html

      Malware

      • Security Brief: French BEC Threat Actor Targets Property Payments
        "Proofpoint identified and named a new financially motivated, business email compromise (BEC) threat actor conducting fraud, TA2900. This actor sends French language emails using rental payment themes to target people in France and occasionally in Canada. In these campaigns, messages purport to inform the recipient that the rental installment for their property has not been received and to submit payment immediately. Additionally, the messages state that the rental company’s bank account details have changed and instructs them to send their next rent payment to a new account using the International Bank Account Number (IBAN) details provided by the attacker."
        https://www.proofpoint.com/us/blog/threat-insight/security-brief-french-bec-threat-actor-targets-property-payments
      • XLoader Info-Stealer Distributed Using MS Equation Editor Vulnerability (CVE-2017-11882)
        "AhnLab Security Intelligence Center (ASEC) publishes the information of phishing emails to AhnLab TIP monthly under the title “Trends Report on Phishing Emails.” There are various keywords/topics disguised as phishing, and this blog will cover cases where emails disguised as emails for checking purchases and order confirmations are used to distribute the XLoader info-stealer. The email body asks to check if the purchase order is correct and contact back with the attached DOCX file to be executed."
        https://asec.ahnlab.com/en/87724/
      • France Ties Russian APT28 Hackers To 12 Cyberattacks On French Orgs
        "Today, the French foreign ministry blamed the APT28 hacking group linked to Russia's military intelligence service (GRU) for targeting or breaching a dozen French entities over the last four years. "France condemns in the strongest terms the use by the Russian military intelligence service (GRU) of the APT28 attack procedure, which has led to several cyber attacks against French interests," a statement released on Tuesday says. "These destabilizing activities are unacceptable and unworthy of a permanent member of the UN Security Council. They are also contrary to the United Nations standards on the responsible behaviour of states in cyberspace, to which Russia has subscribed.""
        https://www.bleepingcomputer.com/news/security/france-ties-russian-apt28-hackers-to-12-cyberattacks-on-french-orgs/
        https://therecord.media/france-blames-russian-military-intelligence-for-hacks-against-local-orgs
      • Spike In Git Config Crawling Highlights Risk Of Codebase Exposure
        "GreyNoise observed a significant increase in crawling activity targeting Git configuration files on April 20-21, 2025. While the crawling itself is reconnaissance, successful discovery of exposed Git configuration files can lead to exposure of internal codebases, developer workflows, and potentially sensitive credentials. This activity is tracked under the GreyNoise Git Config Crawler tag, which identifies IPs crawling the internet for sensitive Git configuration files."
        https://www.greynoise.io/blog/spike-git-configuration-crawling-risk-codebase-exposure
        https://www.bleepingcomputer.com/news/security/hackers-ramp-up-scans-for-leaked-git-tokens-and-secrets/
      • Grinex Emerges As Likely Garantex Rebrand
        "On March 6, 2025 global law enforcement conducted one of the most significant international crackdowns on illicit cryptocurrency operations to date as it dismantled notorious exchange Garantex. Since its takedown a new exchange, Grinex, has emerged as a likely replacement. TRM Labs analyzes this exchange’s links to Garantex and its use of stablecoin A7A5 potentially to evade sanctions, and examines other high-risk platforms that are positioning themselves to fill Garantex’s large void."
        https://www.trmlabs.com/resources/blog/grinex-emerges-as-likely-garantex-rebrand
        https://www.bleepingcomputer.com/news/cryptocurrency/grinex-exchange-suspected-rebrand-of-sanctioned-garantex-crypto-firm/
      • Pro-Russian Hackers Strike Dutch Municipalities With Coordinated DDoS Attack
        "A large-scale cyberattack hit multiple Dutch municipalities and provinces on Monday morning, rendering the websites of more than twenty local governments inaccessible for several hours. The attack, claimed by the pro-Russian hacker group NoName, caused significant disruption but did not compromise critical infrastructure or steal any data, according to AD."
        https://nltimes.nl/2025/04/28/pro-russian-hackers-strike-dutch-municipalities-coordinated-ddos-attack
      • Interesting WordPress Malware Disguised As Legitimate Anti-Malware Plugin
        "The Wordfence Threat Intelligence team recently discovered an interesting malware variant that appears in the file system as a normal WordPress plugin, often with the name ‘WP-antymalwary-bot.php’, and contains several functions that allow attackers to maintain access to your site, hide the plugin from the dashboard, and execute remote code. Pinging functionality that can report back to a Command & Control (C&C) server is also included, as is code that helps spread malware into other directories and inject malicious JavaScript responsible for serving ads."
        https://www.wordfence.com/blog/2025/04/interesting-wordpress-malware-disguised-as-legitimate-anti-malware-plugin/
        https://www.infosecurity-magazine.com/news/wordpress-malware-masquerades/
      • Gremlin Stealer: New Stealer On Sale In Underground Forum
        "Unit 42 researchers have identified new information-stealing malware written in C#, called Gremlin Stealer. This stealer’s authors have actively advertised it on a Telegram group since mid-March 2025. This information-stealing malware exfiltrates data from its victims and uploads this information to its web server for publication. It can capture data from browsers, the clipboard and the local disk to steal sensitive data such as credit card details, browser cookies, crypto wallet information, File Transfer Protocol (FTP) and virtual private network (VPN) credentials."
        https://unit42.paloaltonetworks.com/new-malware-gremlin-stealer-for-sale-on-telegram/
        https://www.infosecurity-magazine.com/news/new-gremlin-infostealer/
      • Outlaw Cybergang Attacking Targets Worldwide
        "In a recent incident response case in Brazil, we dealt with a relatively simple, yet very effective threat focused on Linux environments. Outlaw (also known as “Dota”) is a Perl-based crypto mining botnet that typically takes advantage of weak or default SSH credentials for its operations. Previous research ([1], [2]) described Outlaw samples obtained from honeypots. In this article, we provide details from a real incident contained by Kaspersky, as well as publicly available telemetry data about the countries and territories most frequently targeted by the threat actor. Finally, we provide TTPs and best practices that security practitioners can adopt to protect their infrastructures against this type of threat."
        https://securelist.com/outlaw-botnet/116444/
      • Top Tier Target | What It Takes To Defend a Cybersecurity Company From Today’s Adversaries
        "At SentinelOne, defending against real-world threats isn’t just part of the job, it’s the reality of operating as a cybersecurity company in today’s landscape. We don’t just study attacks, we experience them firsthand, levied against us. Our teams face the same threats we help others prepare for, and that proximity to the front lines shapes how we think, and how we operate. Real-world attacks against our own environment serve as constant pressure tests, reinforcing what works, revealing what doesn’t, and driving continuous improvement across our products and operations. When you’re a high-value target for some of the most capable and persistent adversaries out there, nothing less will do."
        https://www.sentinelone.com/labs/top-tier-target-what-it-takes-to-defend-a-cybersecurity-company-from-todays-adversaries/
        https://thehackernews.com/2025/04/sentinelone-uncovers-chinese-espionage.html
        https://securityaffairs.com/177205/security/sentinelone-warns-threat-actors-targeting-its-systems-and-high-value-clients.html

      Breaches/Hacks/Leaks

      • Ukraine's Largest Home Improvement Retailer Disrupted By Cyberattack
        "Ukraine’s largest home improvement retailer, Epicentr, said it had fallen victim to a large-scale cyberattack that disrupted operations at dozens of its stores across the country and crippled key IT systems, including sales registers and logistics services. On Monday, customers at Epicentr stores across Ukrainian cities couldn’t make purchases because the checkout systems were down. Many also said they couldn’t get their orders delivered or access the company’s app and website. In a statement on Tuesday, Epicentr, which operates more than 70 shopping centers spanning more than 2.2 million square meters, confirmed it had suffered a targeted attack."
        https://therecord.media/epicentr-ukraine-home-improvement-cyberattack
      • Nova Scotia Energy Provider Takes Some Servers Offline Following Cyber Incident
        "Nova Scotia Power and its parent company Emera said a cyberattack has affected parts of its Canadian network and servers supporting portions of its business. The company says it provides 95% of the power for Nova Scotia and serves more than 500,000 homes and facilities across the province. On Friday, Nova Scotia Power discovered a cyber incident involving unauthorized access to its systems. In an FAQ on the Nova Scotia Power website, the company said the cyberattack impacted the customer care phone line and the online customer portal known as MyAccount."
        https://therecord.media/nova-scotia-energy-provider-takes-servers-offline

      General News

      • Want Faster Products And Stronger Trust? Build Security In, Not Bolt It On
        "In this Help Net Security interview, Christopher Kennedy, CISO at Group 1001, discusses how cybersecurity initiatives are reshaping enterprise cybersecurity strategy. He explains why security must be embedded across IT, business lines, and product development, how automation and risk discovery can drive competitive advantage, and why security leaders need to play a central role in shaping business outcomes."
        https://www.helpnetsecurity.com/2025/04/29/christopher-kennedy-group-1001-enterprise-cybersecurity-strategy/
      • Investing In Security? It’s Not Helping You Fix What Matters Faster
        "Automation and structured collaboration have a strong, positive influence on the efficiency of vulnerability management, according to Seemplicity. However, manual processes, unstructured workflows, and excessive noise from vulnerability scanning tools continue to slow remediation efforts, leading to delays and security risks. Despite advancements in automation, a significant portion of vulnerability management remains manual, increasing operational inefficiencies and contributing to alert fatigue."
        https://www.helpnetsecurity.com/2025/04/29/vulnerability-management-automation-efficiency/
      • Eyes, Ears, And Now Arms: IoT Is Alive
        "I’ve never quite seen anything like this in my two decades of working in the Internet of Things (IoT) space. In just a few years, devices at home and work started including cameras to see and microphones to hear. Now, with new lines of vacuums and emerging humanoid robots, devices have appendages to manipulate the world around them. They’re not only able to collect information about their environment but can touch, “feel”, and move it. This is equal parts exciting and concerning. Cheap and unregulated devices are imminently hackable with horror stories of bad actors accessing media feeds and spying on users. Armed with, well, arms, this evolution interconnects cybersecurity with physical security."
        https://www.helpnetsecurity.com/2025/04/29/humanoid-robots-security/
      • What’s Worth Automating In Cyber Hygiene, And What’s Not
        "Cyber hygiene sounds simple. Patch your systems, remove old accounts, update your software. But for large organizations, this gets messy fast. Systems number in the thousands. Teams are scattered. Some machines haven’t been rebooted in months. Automation can help. But not everything should be automated, and not every automation pays off. For CISOs, the real question isn’t “can we automate it?” It’s “should we?” Here’s what’s worth automating in cyber hygiene today, and where to draw the line."
        https://www.helpnetsecurity.com/2025/04/29/automating-cyber-hygiene/
      • The One Interview Question That Will Protect You From North Korean Fake Workers
        "Concerned a new recruit might be a North Korean stooge out to steal intellectual property and then hit an org with malware? There is an answer, for the moment at least. According to Adam Meyers, CrowdStrike's senior veep in the counter adversary division, North Korean infiltrators are bagging roles worldwide throughout the year. Thousands are said to have infiltrated the Fortune 500. They're masking IPs, exporting laptop farms to America so they can connect into those machines and appear to be working from the USA, and they are using AI – but there's a question during job interviews that never fails to catch them out and forces them to drop out of the recruitment process."
        https://www.theregister.com/2025/04/29/north_korea_worker_interview_questions/
      • From Mission-Centric To People-Centric: Competitive Leadership In Cyber
        "For most companies, cyber organizations are mission-centric; that is, their day-to-day is guided by a military-style focus on building successful defenses, deploying the right "troops" in the SOC and incident-response trenches, and ultimately defeating the enemy. Though of course, the enemy is never fully eliminated, so said troops are locked in a never-ending war. By any estimation, the concept of everlasting war is … exhausting. And no wonder, then, that high turnover rates and burnout remain a significant drain on cyber resources at organizations of all sizes."
        https://www.darkreading.com/remote-workforce/mission-people-competitive-leadership-cyber
      • Hacking In Space: Not As Tough As You Might Think
        "Space assets like satellites are more vulnerable to threat actors than you might think, with even script kiddies having an opportunity to take a whack at an orbiting object. That's according to Barbara Grofe, space asset security architect at engineering and cybersecurity services firm Spartan Corp. In an RSAC Conference 2025 session yesterday, "Space Assets Resiliency: Protecting Against Current Attack Techniques," she discussed how space assets such as satellites and planned energy weapons could be vulnerable to cyberattacks — as well as what all defenders can take away from this emerging technological reality."
        https://www.darkreading.com/cloud-security/hacking-space-not-tough
      • Risks Of Using AI Models Developed By Competing Nations
        "As AI adoption accelerates across industries, organizations are increasingly turning to open and offline large language models (LLMs) for privacy and intellectual property protection in tasks like source code reviews and assisted coding. But there are significant risks beneath the surface — especially when using models developed or distilled by other nations, governments, or communities. These concerns go far beyond the obvious security risks and privacy issues."
        https://www.darkreading.com/vulnerabilities-threats/risks-using-ai-models-developed-competing-nations
      • Hello 0-Days, My Old Friend: A 2024 Zero-Day Exploitation Analysis
        "Google Threat Intelligence Group (GTIG) tracked 75 zero-day vulnerabilities exploited in the wild in 2024, a decrease from the number we identified in 2023 (98 vulnerabilities), but still an increase from 2022 (63 vulnerabilities). We divided the reviewed vulnerabilities into two main categories: end-user platforms and products (e.g., mobile devices, operating systems, and browsers) and enterprise-focused technologies, such as security software and appliances. Vendors continue to drive improvements that make some zero-day exploitation harder, demonstrated by both dwindling numbers across multiple categories and reduced observed attacks against previously popular targets. At the same time, commercial surveillance vendors (CSVs) appear to be increasing their operational security practices, potentially leading to decreased attribution and detection."
        https://cloud.google.com/blog/topics/threat-intelligence/2024-zero-day-trends
        https://www.darkreading.com/vulnerabilities-threats/vulnerability-exploitation-shifting-2024-25
        https://thehackernews.com/2025/04/google-reports-75-zero-days-exploited.html
        https://www.bleepingcomputer.com/news/security/google-97-zero-days-exploited-in-2024-over-50-percent-in-spyware-attacks/
        https://therecord.media/google-zero-day-report-2024
        https://www.infosecurity-magazine.com/news/zeroday-exploitation-surges-19-two/
        https://www.securityweek.com/google-tracked-75-zero-days-in-2024/
        https://securityaffairs.com/177180/hacking/google-threat-intelligence-group-gtig-tracked-75-actively-exploited-zero-day-flaws-in-2024.html
        https://www.helpnetsecurity.com/2025/04/29/44-of-the-zero-days-exploited-in-2024-were-in-enterprise-solutions/
        https://www.theregister.com/2025/04/29/enterprise_tech_zeroday_google/
      • Email Threat Radar – April 2025
        "Over the last month, Barracuda threat analysts identified several notable email-based threats targeting organizations around the world and designed to evade detection and boost the chances of success, including: Email attacks targeting victims with toxic calendar invites, Phishing kits abusing a trusted file-sharing platform, Voicemail phishing returning after several months of decline"
        https://blog.barracuda.com/2025/04/29/email-threat-radar-april-2025
      • China Is Using AI To Sharpen Every Link In Its Attack Chain, FBI Warns
        "The biggest threat to US critical infrastructure, according to FBI Deputy Assistant Director Cynthia Kaiser, can be summed up in one word: "China." In an interview with The Register during RSA Conference, she said Chinese government-backed crews are testing out AI in every stage of the attack chain. This isn't to say that they're succeeding, but it does make them "more efficient, or might make them a little faster," Kaiser added. The ongoing threat from Beijing-backed digital intruders burrowing into America's critical facilities likely isn't a huge shock to anyone who can name at least two of the Typhoons that have come to light between last year's RSAC and this year's infosec event."
        https://www.theregister.com/2025/04/29/fbi_china_ai/

      References
      Electronic Transactions Development Agency (ETDA)
