NCSA Webboard
    Cyber Threat Intelligence 01 May 2025

    Cyber Security News
    • Posted by NCSA_THAICERT

      New Tooling

      • Villain: Open-Source Framework For Managing And Enhancing Reverse Shells
        "Villain is an open-source Stage 0/1 command-and-control (C2) framework designed to manage multiple reverse TCP and HoaxShell-based shells. Beyond simply handling connections, Villain enhances these shells with added functionality, offering commands and utilities, and allowing for shell sessions sharing across Villain instances running on different machines (sibling servers)."
        https://www.helpnetsecurity.com/2025/04/30/villain-managing-enhancing-shells/
        https://github.com/t3l3machus/Villain
      • LlamaFirewall: An Open Source Guardrail System For Building Secure AI Agents
        "Large language models (LLMs) have evolved from simple chatbots into autonomous agents capable of performing complex tasks such as editing production code, orchestrating workflows, and taking higher-stakes actions based on untrusted inputs like webpages and emails. These capabilities introduce new security risks that existing security measures, such as model fine-tuning or chatbot-focused guardrails, do not fully address. Given the higher stakes and the absence of deterministic solutions to mitigate these risks, there is a critical need for a real-time guardrail monitor to serve as a final layer of defense, and support system level, use case specific safety policy definition and enforcement. We introduce LlamaFirewall, an open-source security focused guardrail framework designed to serve as a final layer of defense against security risks associated with AI Agents."
        https://ai.meta.com/research/publications/llamafirewall-an-open-source-guardrail-system-for-building-secure-ai-agents/
        https://thehackernews.com/2025/04/meta-launches-llamafirewall-framework.html
        https://www.securityweek.com/meta-releases-llama-ai-open-source-protection-tools/

      Vulnerabilities

      • Chrome 136, Firefox 138 Patch High-Severity Vulnerabilities
        "Google and Mozilla on Tuesday announced the promotion of Chrome 136 and Firefox 138 to their stable channels with patches for over a dozen vulnerabilities, including multiple high-severity bugs. Chrome 136 was rolled out with eight security fixes, four of which address flaws reported by external researchers. The most severe of the externally reported security defects is CVE-2025-4096, a high-severity heap buffer overflow issue in HTML that earned the reporting researcher a $5,000 bug bounty reward."
        https://www.securityweek.com/chrome-136-firefox-138-patch-high-severity-vulnerabilities/
      • SonicWall: SMA100 VPN Vulnerabilities Now Exploited In Attacks
        "Cybersecurity company SonicWall has warned customers that several vulnerabilities impacting its Secure Mobile Access (SMA) appliances are now being actively exploited in attacks. On Tuesday, SonicWall updated security advisories for the CVE-2023-44221 and CVE-2024-38475 security flaws to tag the two vulnerabilities as "potentially being exploited in the wild." CVE-2023-44221 is described as a high-severity command injection vulnerability caused by improper neutralization of special elements in the SMA100 SSL-VPN management interface that enables attackers with admin privileges to inject arbitrary commands as a 'nobody' user."
        https://www.bleepingcomputer.com/news/security/sonicwall-sma100-vpn-vulnerabilities-now-exploited-in-attacks/

      Malware

      • Ransomware Debris: An Analysis Of The RansomHub Operation
        "As threat intelligence experts and vendors, we all know that intelligence must be accurate and timely. However, despite our awareness of how volatile and dynamic the cyber underground is, we are sometimes still surprised by how quickly things change in just a few days. For example, when we began this research, we didn’t expect the RansomHub operation to experience a significant outage. Despite the uncertainty surrounding the RansomHub outage, this blog aims to present information not only about the group itself, but also insights into the strategies used by the group’s administrator, which could eventually be employed by any ransomware operator. In addition, we present information on recent activities related to Qilin."
        https://www.group-ib.com/blog/ransomware-debris/
        https://thehackernews.com/2025/04/ransomhub-went-dark-april-1-affiliates.html
        https://www.darkreading.com/cyber-risk/prolific-ransomhub-operation-goes-dark
        https://www.infosecurity-magazine.com/news/ransomhub-refines-extortion/
      • Earth Kasha Updates TTPs In Latest Campaign Targeting Taiwan And Japan
        "In our monitoring of advanced persistent threats, we observed a new campaign targeting Taiwan and Japan that can be attributed to Earth Kasha. We detected campaign activity in March 2025, and found that it uses spear-phishing to deliver a new version of the ANEL backdoor. Earth Kasha, believed to be a part of the larger APT10 umbrella, has been conducting espionage campaigns since at least 2017 and are known to shift their techniques, tactics and toolsets frequently. Prior activity from the group was recorded in 2024, where they targeted individuals affiliated with political organizations, research institutions, thinktanks, and organizations related to international relations in Japan via spear-phishing. It appears that the group is expanding targets in their new spear-phishing campaign this year to include government agencies and public institutions in Taiwan and Japan."
        https://www.trendmicro.com/en_us/research/25/d/earth-kasha-updates-ttps.html
      • FBI Shares Massive List Of 42,000 LabHost Phishing Domains
        "The FBI has shared 42,000 phishing domains tied to the LabHost cybercrime platform, one of the largest global phishing-as-a-service (PhaaS) platforms that was dismantled in April 2024. The published domains were registered between November 2021 and April 2024, the time of its seizure, and are being shared to increase awareness and provide indicators of compromise."
        https://www.bleepingcomputer.com/news/security/fbi-shares-massive-list-of-42-000-labhost-phishing-domains/
        https://www.ic3.gov/CSA/2025/250429.pdf
      • Spain And Portugal Power Outages Spark a Surge In Phishing Attacks
        "Cofense Intelligence has seen an email campaign spoofing TAP Air Portugal, the Portuguese national airline. This specific campaign takes advantage of a headline about the April 28, 2025 nationwide power outage that occurred in Spain and Portugal. The emails were received while the power outage was ongoing. The link embedded in the email directs to a credential phishing page designed to steal victims' personally identifiable information (PII) and credit card details. The campaign appears to target both Portuguese-speaking and Spanish-speaking victims with two separate email subject lines (“Atualização de compensação: atraso em seu voo recente”, “Compensación por su vuelo: Complete su solicitud ahora”)."
        https://cofense.com/blog/spain-and-portugal-power-outages-spark-a-surge-in-phishing-attacks
        https://www.darkreading.com/cyberattacks-data-breaches/phishers-take-advantage-iberian-blackout
      • TheWizards APT Group Uses SLAAC Spoofing To Perform Adversary-In-The-Middle Attacks
        "In this blogpost, ESET researchers provide an analysis of Spellbinder, a lateral movement tool for performing adversary-in-the-middle attacks, used by the China-aligned threat actor that we have named TheWizards. Spellbinder enables adversary-in-the-middle (AitM) attacks, through IPv6 stateless address autoconfiguration (SLAAC) spoofing, to move laterally in the compromised network, intercepting packets and redirecting the traffic of legitimate Chinese software so that it downloads malicious updates from a server controlled by the attackers."
        https://www.welivesecurity.com/en/eset-research/thewizards-apt-group-slaac-spoofing-adversary-in-the-middle-attacks/
        https://thehackernews.com/2025/04/chinese-hackers-abuse-ipv6-slaac-for.html
        https://www.bleepingcomputer.com/news/security/hackers-abuse-ipv6-networking-feature-to-hijack-software-updates/
        https://www.darkreading.com/cloud-security/thewizards-apt-asian-gamblers-attack
      • Fake Social Security Statement Emails Trick Users Into Installing Remote Tool
        "Fake emails pretending to come from the US Social Security Administration (SSA) try to get targets to install ScreenConnect, a remote access tool. ScreenConnect, formerly known as ConnectWise Control, is a remote support and remote access platform widely used by businesses to facilitate IT support and troubleshooting. It allows technicians to remotely connect to users’ computers to perform tasks such as software installation, system configuration, and to resolve issues."
        https://www.malwarebytes.com/blog/news/2025/04/fake-social-security-statement-emails-trick-users-into-installing-remote-tool
      • A Closer Look At Fog Ransomware
        "Fog ransomware emerged in April 2024 as a sophisticated cyberthreat that combined rapid encryption with double extortion tactics. Fog threat actors initially targeted educational institutions through compromised VPN accounts. They soon expanded their scope to government agencies and business sectors. As of February 2025, the top five sectors victimized by Fog are business services, technology, education, manufacturing, and government. Most of Fog’s victims are based in the United States. Researchers suspect that Fog threat actors operate from Russia or other former Soviet nations, because they conspicuously avoid targeting the Eastern European countries and the People’s Republic of China. In a 2024 attack, researchers traced the origin of Fog-related IP address to Moscow."
        https://blog.barracuda.com/2025/04/29/a-closer-look-at-fog-ransomware-
      • MCP Prompt Injection: Not Just For Evil
        "Over the last few months, there has been a lot of activity in the Model Context Protocol (MCP) space, both in terms of adoption as well as security. Developed by Anthropic, MCP has been rapidly gaining traction across the AI ecosystem. MCP allows Large Language Models (LLMs) to interface with tools and for those interfaces to be rapidly created. MCP tools allow for the rapid development of “agentic” systems, or AI systems that autonomously perform tasks. Beyond adoption, new attack techniques have been shown to allow prompt injection via MCP tool descriptions and responses, MCP tool poisoning, rug pulls and more."
        https://www.tenable.com/blog/mcp-prompt-injection-not-just-for-evil
        https://thehackernews.com/2025/04/experts-uncover-critical-mcp-and-a2a.html
      • Nebulous Mantis Targets NATO-Linked Entities With Multi-Stage Malware Attacks
        "Cybersecurity researchers have shed light on a Russian-speaking cyber espionage group called Nebulous Mantis that has deployed a remote access trojan called RomCom RAT since mid-2022. RomCom "employs advanced evasion techniques, including living-off-the-land (LOTL) tactics and encrypted command and control (C2) communications, while continuously evolving its infrastructure – leveraging bulletproof hosting to maintain persistence and evade detection," Swiss cybersecurity company PRODAFT said in a report shared with The Hacker News. Nebulous Mantis, also tracked by the cybersecurity community under the names CIGAR, Cuba, Storm-0978, Tropical Scorpius, UNC2596, and Void Rabisu, is known to target critical infrastructure, government agencies, political leaders, and NATO-related defense organizations."
        https://thehackernews.com/2025/04/nebulous-mantis-targets-nato-linked.html
        https://catalyst.prodaft.com/public/report/inside-the-latest-espionage-campaign-of-nebulous-mantis/overview#heading-1000
        https://securityaffairs.com/177255/intelligence/nebulous-mantis-targets-nato-related-defense-organizations.html
      • DarkWatchman Cybercrime Malware Returns On Russian Networks
        "A financially motivated hacker group has targeted Russian companies across several industries in a new phishing campaign using a modified version of the DarkWatchman malware, researchers have found. The group, known as Hive0117, has attacked firms in sectors including media, tourism, biotechnology, finance, energy and telecommunications, according to Russian cybersecurity firm F6. In 2023, Western researchers spotted the group spoofing Russian government communications and sending phishing emails disguised as military conscription notices. DarkWatchman was part of that campaign."
        https://therecord.media/darkwatchman-malware-russia-cybercrime-hive0117
      • Uncovering MintsLoader With Recorded Future Malware Intelligence Hunting
        "MintsLoader, a malicious loader, was first observed in multiple phishing and drive-by download campaigns as early as 2024. The loader commonly deploys second-stage payloads such as GhostWeaver, StealC, and a modified BOINC (Berkeley Open Infrastructure for Network Computing) client. MintsLoader operates through a multi-stage infection chain involving obfuscated JavaScript and PowerShell scripts. The malware employs sandbox and virtual machine evasion techniques, a domain generation algorithm (DGA), and HTTP-based command-and-control (C2) communications."
        https://www.recordedfuture.com/research/uncovering-mintsloader-with-recorded-future-malware-intelligence-hunting

      Breaches/Hacks/Leaks

      • Commvault Says Recent Breach Didn't Impact Customer Backup Data
        "Commvault, a leading provider of data protection solutions, says a nation-state threat actor who breached its Azure environment didn't gain access to customer backup data. Listed on NASDAQ since March 2006, Commvault is included in the S&P MidCap 400 Index and provides cyber resilience services to over 100,000 organizations. As the company first revealed on March 7, 2025, Commvault discovered the incident after being notified by Microsoft on February 20 of suspicious activity within its Azure environment. A follow-up investigation into the breach found that the incident only affected a small number of Commvault customers and had not impacted the company's operations."
        https://www.bleepingcomputer.com/news/security/commvault-says-recent-breach-didnt-impact-customer-backup-data/
        https://www.commvault.com/blogs/notice-security-advisory-update
      • UK Retailer Co-Op Shuts Down Some IT Systems After Hack Attempt
        "British supermarket chain Co-op shut down parts of its IT systems after detecting an attempted intrusion into its network, disrupting back office and call center services. While a Co-op spokesperson confirmed the hacking attempts to BleepingComputer, they have not shared whether these attempts were successful. "We have recently experienced attempts to gain unauthorized access to some of our systems," stated a Co-op spokesperson."
        https://www.bleepingcomputer.com/news/security/uk-retailer-co-op-shuts-down-some-it-systems-after-hack-attempt/
        https://therecord.media/co-op-uk-retailer-announces-attempted-cyber-incident
        https://hackread.com/uk-retail-co-op-shuts-down-it-systems-cyberattack/
        https://www.infosecurity-magazine.com/news/co-op-confirms-hack-small-impact/
      • Ascension Discloses New Data Breach After Third-Party Hacking Incident
        "Ascension, one of the largest private healthcare systems in the United States, is notifying patients that their personal and health information was stolen in a December 2024 data theft attack, which affected a former business partner. The health network operates 142 hospitals nationwide, has over 142,000 employees, and has reported a total revenue of $28.3 billion in 2023."
        https://www.bleepingcomputer.com/news/security/ascension-discloses-new-data-breach-after-third-party-hacking-incident/
      • Japanese Global Logistics Company Confirms Ransomware Attack
        "A major Japanese logistics provider confirmed this week that it had fallen victim to a ransomware attack, disrupting some of its systems. The Tokyo-based Kintetsu World Express (KWE), which offers air and sea cargo services globally, has not yet identified the specific threat actor behind the attack. In a statement on Wednesday, the company said it is in the process of restoring affected systems. "We will notify customers immediately if we determine their data has been compromised," it added."
        https://therecord.media/kintetsu-world-express-ransomware-attack-japan

      General News

      • Securing The Invisible: Supply Chain Security Trends
        "Adversaries are infiltrating upstream software, hardware, and vendor relationships to quietly compromise downstream targets. Whether it’s a malicious update injected into a CI/CD pipeline, a rogue dependency hidden in open-source code, or tampered hardware components, these attacks bypass traditional defenses by weaponizing trusted channels."
        https://www.helpnetsecurity.com/2025/04/30/supply-chain-security-trends/
      • Why Cyber Resilience Must Be Part Of Every Organization’s DNA
        "As AI brings about excitement and transformative potential, the report reveals that organizations are forging ahead with innovations despite increased security concerns, according to LevelBlue’s 2025 Futures Report. In fact, just 29% of executives surveyed say they are reluctant to implement AI tools and technologies because of cybersecurity ramifications."
        https://www.helpnetsecurity.com/2025/04/30/rethink-cyber-resilience/
      • DARPA Believes AI Cyber Challenge Could Upend Patching As The Industry Knows It
        "Leaders of various federal research agencies and departments outlined a vision Tuesday for the future of critical infrastructure security, emphasizing the promise of combining formal software development methods with large language models (LLMs). Acting DARPA Director Rob McHenry told an audience at the RSAC 2025 Conference that such a combination could “virtually eliminate software vulnerabilities” across foundational system infrastructures, a departure from the traditionally accepted risks of software flaws."
        https://cyberscoop.com/darpa-ai-grand-challenge-rsac-2025-patching/
        https://www.darkreading.com/cyber-risk/darpa-highlights-critical-infrastructure-security-challenges
      • AI Security Report 2025: Understanding Threats And Building Smarter Defenses
        "As artificial intelligence becomes more deeply embedded in business operations, it’s also reshaping how cyber threats evolve. The same technologies helping organizations improve efficiency and automate decision-making are now being co-opted and weaponized by threat actors. The inaugural edition of the Check Point Research AI Security Report explores how cyber criminals are not only exploiting mainstream AI platforms, but also building and distributing tools specifically designed for malicious use. The findings highlight five growing threat categories that defenders must now account for when securing systems and users in an AI-driven world."
        https://blog.checkpoint.com/research/ai-security-report-2025-understanding-threats-and-building-smarter-defenses/
      • The Account And Session Takeover Economy
        "Session hijacking has emerged as the preeminent way for cybercriminals to execute account takeover attacks (ATO) and they enable the bypassing of traditional security measures like multi-factor authentication (MFA). This research report explores the prevalence of session hijacking across industries, highlighting its increasing role in ATO incidents and the economic impact it poses for organizations."
        https://flare.io/learn/resources/the-account-and-session-takeover-economy/
        https://thehackernews.com/2025/04/customer-account-takeovers-multi.html
      • Leaders Of 764 Arrested And Charged For Operating Global Child Exploitation Enterprise
        "Leonidas Varagiannis, also known as War, 21, a citizen of the United States residing in Thessaloniki, Greece, and Prasan Nepal, also known as Trippy, 20, of High Point, North Carolina, are charged for their crimes operating an international child exploitation enterprise in connection with a nihilistic violent extremist (NVE) network known as 764. Nepal was arrested on April 22 in North Carolina. Varagiannis was arrested yesterday in Greece. According to the affidavit unsealed today in the District of Columbia, 764 is a violent online network that seeks to destroy civilized society through the corruption and exploitation of vulnerable populations, which often include minors. The 764 network’s accelerationist goals include social unrest and the downfall of the current world order, including the U.S. Government."
        https://www.justice.gov/opa/pr/leaders-764-arrested-and-charged-operating-global-child-exploitation-enterprise
        https://therecord.media/two-charged-with-crimes-connected-to-online-extremist-group
        https://hackread.com/child-exploitation-network-764-busted-leaders-arrested/
      • Polish Police Dismantle Cybercrime Gang Accused Of Impersonation Scams, Arrest Nine Suspects
        "Polish police dismantled an international cybercrime group accused of defrauding dozens of victims out of nearly $665,000, authorities said Tuesday. Nine people were detained in connection with the case. Investigators said the suspects, who ranged in age from 19 to 51 years old, posed as bank employees and law enforcement officers to trick victims into transferring funds to fraudulent accounts. In total, at least 55 people were targeted."
        https://therecord.media/poland-cybercrime-gang-dismantle-impersonation
      • The FBI's Brett Leatherman Gives The Latest ‘Typhoon’ Forecast
        "The discovery that Chinese state-backed hackers had burrowed into U.S. critical infrastructure with the aim of causing mass disruption continues to reverberate nearly two years after the hacking group behind the attacks was first publicly disclosed. Several similar entities have emerged since the group, known as Volt Typhoon, was unveiled by Microsoft and U.S. officials in May 2023. They range from Salt Typhoon, which broke into U.S. telecom firms in a sweeping espionage campaign, to Silk Typhoon, which breached the Treasury Department, to Flax Typhoon, which targeted Taiwan. For the latest on where U.S. efforts against these groups stand, Recorded Future News sat down with Brett Leatherman, FBI deputy assistant director of cyber operations, at the RSA Conference on Tuesday."
        https://therecord.media/fbi-interview-china-hacking-volt-salt-flax-typhoon
      • North Korean Operatives Have Infiltrated Hundreds Of Fortune 500 Companies
        "North Korean nationals have infiltrated the employee ranks at top global companies more so than previously thought, maintaining a pervasive and potentially widening threat against IT infrastructure and sensitive data. “There are hundreds of Fortune 500 organizations that have hired these North Korean IT workers,” Mandiant Consulting CTO Charles Carmakal said Tuesday during a media briefing at the RSAC 2025 Conference. “Literally every Fortune 500 company has at least dozens, if not hundreds, of applications for North Korean IT workers,” Carmakal said. “Nearly every CISO that I’ve spoken to about the North Korean IT worker problem has admitted they’ve hired at least one North Korean IT worker, if not a dozen or a few dozen.”"
        https://cyberscoop.com/north-korea-workers-infiltrate-fortune-500/

      Reference
      Electronic Transactions Development Agency (ETDA)
