NCSA Webboard

    Cyber Threat Intelligence 09 May 2025

    • NCSA_THAICERT

      Healthcare Sector

      • Pixmeo OsiriX MD
        "Successful exploitation of these vulnerabilities could allow an attacker to cause memory corruption, resulting in a denial-of-service condition or to steal credentials."
        https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-128-01
      • Healthcare Workers Regularly Upload Sensitive Data To GenAI, Cloud Accounts
        "Healthcare organizations are facing a growing data security challenge from within, according to a new report from Netskope Threat Labs. The analysis reveals that employees in the sector are frequently attempting to upload sensitive information, including potentially protected health data, to unauthorized websites and cloud services. Among the most common destinations are AI tools like ChatGPT and Gemini."
        https://www.helpnetsecurity.com/2025/05/08/healthcare-workers-upload-sensitive-data-genai/

      Industrial Sector

      • Horner Automation Cscape
        "Successful exploitation of this vulnerability could allow an attacker to disclose information and execute arbitrary code."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-128-01
      • Hitachi Energy RTU500 Series
        "Successful exploitation of these vulnerabilities could allow an attacker to execute cross-site scripting or trigger a denial-of-service condition on the affected device."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-128-02
      • Mitsubishi Electric CC-Link IE TSN
        "Successful exploitation of this vulnerability could allow an attacker to cause a denial-of-service condition on the affected products."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-128-03

      Vulnerabilities

      • Cisco Patches CVE-2025-20188 (10.0 CVSS) In IOS XE That Enables Root Exploits Via JWT
        "Cisco has released software fixes to address a maximum-severity security flaw in its IOS XE Wireless Controller that could enable an unauthenticated, remote attacker to upload arbitrary files to a susceptible system. The vulnerability, tracked as CVE-2025-20188, has been rated 10.0 on the CVSS scoring system. "This vulnerability is due to the presence of a hard-coded JSON Web Token (JWT) on an affected system," the company said in a Wednesday advisory."
        https://thehackernews.com/2025/05/cisco-patches-cve-2025-20188-100-cvss.html
        https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wlc-file-uplpd-rHZG9UfC
        https://www.bleepingcomputer.com/news/security/cisco-fixes-max-severity-ios-xe-flaw-letting-attackers-hijack-devices/
        https://www.securityweek.com/cisco-patches-35-vulnerabilities-across-several-products/
        https://securityaffairs.com/177609/security/cisco-fixed-a-critical-flaw-in-its-ios-xe-wireless-controller.html
      • SonicWall Urges Admins To Patch VPN Flaw Exploited In Attacks
        "SonicWall has urged its customers to patch three security vulnerabilities affecting its Secure Mobile Access (SMA) appliances, one of them tagged as exploited in attacks. Discovered and reported by Rapid7 cybersecurity researcher Ryan Emmons, the three security flaws (CVE-2025-32819, CVE-2025-32820, and CVE-2025-32821) can be chained by attackers to gain remote code execution as root and compromise vulnerable instances. The vulnerabilities impact SMA 200, SMA 210, SMA 400, SMA 410, and SMA 500v devices and are patched in firmware version 10.2.1.15-81sv and higher."
        https://www.bleepingcomputer.com/news/security/sonicwall-urges-admins-to-patch-vpn-flaw-exploited-in-attacks/
        https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0011
        https://thehackernews.com/2025/05/sonicwall-patches-3-flaws-in-sma-100.html
        https://www.darkreading.com/endpoint-security/sonicwall-patch-exploit-chain-sma-devices
        https://www.securityweek.com/possible-zero-day-patched-in-sonicwall-sma-appliances/
        https://www.helpnetsecurity.com/2025/05/08/sonicwall-sma100-vulnerability-exploited-cve-2025-32819/
      • Sudo-Rs Make Me a Sandwich, Hold The Buffer Overflows
        "Canonical's Ubuntu 25.10 is set to make sudo-rs, a Rust-based rework of the classic sudo utility, the default – part of a push to cut memory-related security bugs and lock down core system components. When it arrives on October 9, 2025, those interacting with Ubuntu Linux software should enjoy a reduced attack surface and perhaps a bit more peace of mind about system security. Sudo is a command-line utility on Unix-like systems that allows authorized users to run commands with elevated privileges, typically as root. Its reincarnation using the Rust programming language aims to make the utility memory-safe."
        https://www.theregister.com/2025/05/08/ubuntu_2510_makes_rusk_sudo_default/

      Malware

      • COLDRIVER Using New Malware To Steal Documents From Western Targets And NGOs
        "Google Threat Intelligence Group (GTIG) has identified a new piece of malware called LOSTKEYS, attributed to the Russian government-backed threat group COLDRIVER (also known as UNC4057, Star Blizzard, and Callisto). LOSTKEYS is capable of stealing files from a hard-coded list of extensions and directories, along with sending system information and running processes to the attacker. Observed in January, March, and April 2025, LOSTKEYS marks a new development in the toolset of COLDRIVER, a group primarily known for credential phishing against high-profile targets like NATO governments, non-governmental organizations (NGOs), and former intelligence and diplomatic officers. GTIG has been tracking COLDRIVER for many years, including their SPICA malware in 2024."
        https://cloud.google.com/blog/topics/threat-intelligence/coldriver-steal-documents-western-targets-ngos
        https://thehackernews.com/2025/05/russian-hackers-using-clickfix-fake.html
        https://www.bleepingcomputer.com/news/security/google-links-new-lostkeys-data-theft-malware-to-russian-cyberspies/
        https://therecord.media/coldriver-russia-cyber-espionage-lostkeys-malware
        https://www.infosecurity-magazine.com/news/russian-group-lostkeys-malware/
        https://www.securityweek.com/google-finds-data-theft-malware-used-by-russian-apt-in-select-cases/
        https://www.helpnetsecurity.com/2025/05/08/clickfix-social-engineering-tactic-variants/
      • RATatouille: A Malicious Recipe Hidden In Rand-User-Agent (Supply Chain Compromise)
        "On 5 May, 16:00 GMT+0, our automated malware analysis pipeline detected a suspicious package released, rand-user-agent@1.0.110. It detected unusual code in the package, and it wasn’t wrong. It detected signs of a supply chain attack against this legitimate package, which has about ~45.000 weekly downloads."
        https://www.aikido.dev/blog/catching-a-rat-remote-access-trojian-rand-user-agent-supply-chain-compromise
        https://www.bleepingcomputer.com/news/security/supply-chain-attack-hits-npm-package-with-45-000-weekly-downloads/
      • Case Study: How Hunters International And Friends Target Your Hypervisors
        "Hunters International is a Ransomware-as-a-Service (RaaS) operation that surfaced in October 2023, after acquiring the source code and infrastructure of the late Hive ransomware group. Today, according to publicly available statistics, Hunters International and its affiliates have 'hunted' at least 280 organizations, exfiltrating or encrypting data (or both). This article will describe their capabilities in a ransomware case we encountered, with a focus on the large-scale deployment of a VMWare ESXi encryptor."
        https://www.synacktiv.com/en/publications/case-study-how-hunters-international-and-friends-target-your-hypervisors
        https://www.varonis.com/blog/seo-poisoning
        https://www.bleepingcomputer.com/news/security/kickidler-employee-monitoring-software-abused-in-ransomware-attacks/
      • Spam Campaign Targeting Brazil Abuses Remote Monitoring And Management Tools
        "Talos recently observed a spam campaign targeting Portuguese-speaking users in Brazil with the intention of installing commercial remote monitoring and management (RMM) tools. The initial infection occurs via specially crafted spam messages purporting to be from financial institutions or cell phone carriers with an overdue bill or electronic receipt of payment issued as an NF-e (see Figures 1 and 2)."
        https://blog.talosintelligence.com/spam-campaign-targeting-brazil-abuses-rmm-tools/
      • Multilayered Email Attack: How a PDF Invoice And Geo-Fencing Led To RAT Malware
        "The FortiMail IR team recently uncovered a new email campaign distributing a Remote Access Trojan (RAT) using multiple evasion techniques to target organizations in Spain, Italy, and Portugal. The campaign leverages the serviciodecorreo email service provider, which is configured as an authorized sender for various domains and successfully passes SPF validation."
        https://www.fortinet.com/blog/threat-research/multilayered-email-attack-how-a-pdf-invoice-and-geofencing-led-to-rat-malware
      • Weaponizing Facebook Ads: Inside The Multi-Stage Malware Campaign Exploiting Cryptocurrency Brands
        "A persistent malvertising campaign is plaguing Facebook, leveraging the reputations of well-known cryptocurrency exchanges to lure victims into a maze of malware. Since Bitdefender Labs started investigating, this evolving threat has posed a serious risk by deploying cleverly disguised front-end scripts and custom payloads on users’ devices, all under the guise of legitimate cryptocurrency platforms and influencers. This report unveils how the attackers use advanced evasion tactics, mass brand impersonation, and sophisticated user-tracking methods to bypass conventional defenses and maintain a large pool of victims."
        https://www.bitdefender.com/en-us/blog/labs/weaponizing-facebook-ads-inside-the-multi-stage-malware-campaign-exploiting-cryptocurrency-brands
        https://hackread.com/fake-crypto-exchange-ads-facebook-spread-malware/
      • New Noodlophile Stealer Distributes Via Fake AI Video Generation Platforms
        "In an unprecedented shift, attackers are weaponizing public enthusiasm for AI to deliver malware. Instead of relying on traditional phishing or cracked software sites, they build convincing AI-themed platforms—often advertised via legitimate-looking Facebook groups and viral social media campaigns. These groups, boasting over 62,000 views on a single post, attract users eager for free AI tools for video and image editing. But behind the promise of instant AI-generated videos lies something much darker: malware disguised as AI output, delivered after users upload their own images for processing."
        https://www.morphisec.com/blog/new-noodlophile-stealer-fake-ai-video-generation-platforms/
        https://hackread.com/fake-ai-tools-noodlophile-stealer-facebook-ads/
      • Cyber Criminals Impersonate Payroll, HR And Benefits Platforms To Steal Information And Funds
        "The relentless battle against online fraud is a constant evolution, a digital chase where security teams and malicious actors continually adapt. The increasing sophistication of attacks is blurring the lines between legitimate user behavior and impersonation attempts. The campaign we are exposing today is a reminder that even the most advanced security technologies do not dissuade threat actors. We discovered a new phishing kit targeting payroll and payment platforms that aims to not only steal victims’ credentials but also to commit wire fraud."
        https://www.malwarebytes.com/blog/news/2025/05/cyber-criminals-impersonate-payroll-hr-and-benefits-platforms-to-steal-information-and-funds
      • 38,000+ FreeDrain Subdomains Found Exploiting SEO To Steal Crypto Wallet Seed Phrases
        "Cybersecurity researchers have exposed what they say is an "industrial-scale, global cryptocurrency phishing operation" engineered to steal digital assets from cryptocurrency wallets for several years. The campaign has been codenamed FreeDrain by threat intelligence firms SentinelOne and Validin. "FreeDrain uses SEO manipulation, free-tier web services (like gitbook.io, webflow.io, and github.io), and layered redirection techniques to target cryptocurrency wallets," security researchers Kenneth Kinion, Sreekar Madabushi, and Tom Hegel said in a technical report shared with The Hacker News."
        https://thehackernews.com/2025/05/38000-freedrain-subdomains-found.html
      • Beware Of Phone Scams Demanding Money For ‘missed Jury Duty’
        "Jury duty is one of the key civic duties you may be called upon to serve. But in your haste to fulfil this obligation, you may be targeted by malicious actors preying on your fear of arrest, penalties or other legal trouble. Indeed, jury duty cons have been a long-running scheme where fraudsters pretend to be the government. As always, awareness is the best defense against these persistent attempts to steal your hard-earned money or personal information. So take a few minutes to arm yourself with some essential knowledge."
        https://www.welivesecurity.com/en/scams/phone-scams-demanding-money-missed-jury-duty/

      Breaches/Hacks/Leaks

      • Education Giant Pearson Hit By Cyberattack Exposing Customer Data
        "Education giant Pearson suffered a cyberattack, allowing threat actors to steal corporate data and customer information, BleepingComputer has learned. Pearson is a UK-based education company and one of the world’s largest providers of academic publishing, digital learning tools, and standardized assessments. The company works with schools, universities, and individuals in over 70 countries through its print and online services."
        https://www.bleepingcomputer.com/news/security/education-giant-pearson-hit-by-cyberattack-exposing-customer-data/
      • VC Giant Insight Partners Confirms Investor Data Stolen In Breach
        "Venture capital firm Insight Partners has confirmed that sensitive data for employees and limited partners was stolen in a January 2025 cyberattack. Insight Partners is a prominent global venture capital and private equity firm specializing in high-growth technology, software, and internet companies, managing over $90 billion in regulatory assets. The company has significant investments in more than 800 companies worldwide, including Twitter, HelloFresh, and Veeam Software."
        https://www.bleepingcomputer.com/news/security/vc-giant-insight-partners-confirms-investor-data-stolen-in-breach/
      • Indiana Health System Notifies 263,000 Of Oracle Hack
        "An Indiana integrated health system is among the first healthcare organizations notifying federal regulators and hundreds of thousands of affected individuals of a January hacking incident that compromised legacy patient data hosted by Cerner servers that were set to migrate to Oracle's cloud environment. Terre Haute, Ind.-based Union Health System, which operates two hospitals and a medical group, reported the breach to the U.S. Department of Health and Human Services on April 21 as affecting nearly 263,000 individuals."
        https://www.bankinfosecurity.com/indiana-health-system-notifies-263000-oracle-hack-a-28353

      General News

      • Wave Of Tech Layoffs Leads To More Job Scams
        "The tech industry is experiencing significant layoffs, leaving thousands of IT and cybersecurity professionals in search of new employment opportunities. Unfortunately, as these individuals search for new opportunities, scammers are actively preying on them. Losing a job, especially when you can’t afford to be without income, is emotionally stressful, and desperation can make you vulnerable to these types of scams."
        https://www.helpnetsecurity.com/2025/05/08/job-employment-scams/
      • Global Cybersecurity Readiness Remains Critically Low
        "Only 4% of organizations worldwide have achieved the ‘mature’ level of readiness required to withstand cybersecurity threats, according to Cisco’s 2025 Cybersecurity Readiness Index. This is a slight increase from last year’s index, in which 3% of organizations worldwide were designated as mature. This demonstrates that despite a slight improvement from last year, global cybersecurity preparedness remains low as hyperconnectivity and AI introduce new complexities for security practitioners."
        https://www.helpnetsecurity.com/2025/05/08/cybersecurity-readiness-level-across-organizations/
      • Understanding Credential Harvesting Via PAM: A Real-World Threat
        "In our previous blog “Duality of the Pluggable Authentication Module (PAM)”, we explored the dual capabilities of Pluggable Authentication Modules (PAM). Today, we delve into one of the key security concerns surrounding PAM—credential harvesting. When PAM is compromised, it can be altered to capture and store authentication credentials. These credentials can later be exfiltrated to an attacker-controlled system (C2 server) or manually retrieved by a threat actor."
        https://www.group-ib.com/blog/pam-harvesting-insight/
      • Even The Best Safeguards Can’t Stop LLMs From Being Fooled
        "In this Help Net Security interview, Michael Pound, Associate Professor at the University of Nottingham shares his insights on the cybersecurity risks associated with LLMs. He discusses common organizational mistakes and the necessary precautions for securing sensitive data when integrating LLMs into business operations."
        https://www.helpnetsecurity.com/2025/05/08/michael-pound-university-of-nottingham-llms-prompts-risks/
      • Silence Is Golden For Breach Prevention, Not Reporting
        "Two decades after California introduced the world to data breach notifications, organizations have collectively battened down their cybersecurity hatches and fixed the problem once and for all. Welcome to our bright, new post-breach age, where everyone's information remains safe from prying eyes not just in the Golden State but far beyond, and organizations never have to notify individuals that they've exposed their personal information."
        https://www.bankinfosecurity.com/blogs/silence-golden-for-breach-prevention-reporting-p-3870
      • Coalition 2025 Cyber Claims Report Finds Ransomware Stabilized But Remains Costly For Businesses
        "Coalition, the world's first Active Insurance provider designed to prevent digital risk before it strikes, today published its 2025 Cyber Claims Report, which details emerging cyber trends and their impact on Coalition policyholders throughout the full year of 2024. The report found that ransomware claims stabilized in 2024 despite remaining the most costly and disruptive type of cyberattack. The majority of 2024 claims (60%) originated from business email compromise (BEC) and funds transfer fraud (FTF) incidents, with 29% of BEC events resulting in FTF."
        https://www.coalitioninc.com/announcements/2025-cyber-claims-report
        https://web.coalitioninc.com/download-2025-cyber-claims-report.html
        https://www.darkreading.com/cyber-risk/email-based-attacks-cyber-insurance-claims
      • Life Without CVEs? It's Time To Act
        "The cybersecurity community is quite familiar with "Oh, my God!" moments. However, what transpired recently regarding MITRE's support of the Common Vulnerabilities and Exposures database was earth-moving on a different level. In a single day, we witnessed a foundational structure for communication between cyber defenders go from "It's going dark tomorrow!" to "Oh, whew, we have an 11-month extension.""
        https://www.darkreading.com/vulnerabilities-threats/life-without-cves-time-act
      • New Whitepaper Outlines The Taxonomy Of Failure Modes In AI Agents
        "We are releasing a taxonomy of failure modes in AI agents to help security professionals and machine learning engineers think through how AI systems can fail and design them with safety and security in mind. The taxonomy continues Microsoft AI Red Team’s work to lead the creation of systematization of failure modes in AI; in 2019, we published one of the earliest industry efforts enumerating the failure modes of traditional AI systems. In 2020, we partnered with MITRE and 11 other organizations to codify the security failures in AI systems as Adversarial ML Threat Matrix, which has now evolved into MITRE ATLAS™. This effort is another step in helping the industry think through what the safety and security failures in the fast-moving and highly impactful agentic AI space are."
        https://www.microsoft.com/en-us/security/blog/2025/04/24/new-whitepaper-outlines-the-taxonomy-of-failure-modes-in-ai-agents/
        https://cdn-dynmedia-1.microsoft.com/is/content/microsoftcorp/microsoft/final/en-us/microsoft-brand/documents/Taxonomy-of-Failure-Mode-in-Agentic-AI-Systems-Whitepaper.pdf
        https://www.darkreading.com/vulnerabilities-threats/ai-agents-fail-novel-put-businesses-at-risk
      • Separating Fact From Fiction: Here’s How AI Is Transforming Cybercrime
        "In today’s fast-changing cybersecurity landscape, “artificial intelligence” is the buzz phrase that dominates industry conversations, boardroom discussions, and media headlines. Some proclaim that AI is a silver bullet for cybersecurity, while others believe it’s poised to slowly destroy our digital society as we know it. When it comes to emerging technologies, these hype cycles and the bold claims that accompany them often don’t fully align with reality. While threat actors are certainly incorporating AI into their attack toolboxes, the sensational, doomsday scenarios that are frequently discussed remain largely theoretical."
        https://www.fortinet.com/blog/industry-trends/separating-fact-from-fiction-how-ai-is-transforming-cybercrime
      • Just 5% Of Enterprises Have Deployed Quantum-Safe Encryption
        "The vast majority of businesses in the US, UK and Australia have not yet deployed post-quantum cryptography (PQC), despite a majority believing that quantum computing will break current encryption within five years, according to DigiCert. The TLS/SSL certificate authority (CA) polled around 1000 senior and C-level cybersecurity managers in the three countries, in organizations of various sizes, nearly half of which had over 1000 employees."
        https://www.infosecurity-magazine.com/news/just-5-enterprises-quantumsafe/
      • SOC Threat Radar — May 2025
        "Over the last month, Barracuda Managed XDR’s security solutions, threat intelligence and SOC analysts identified developments that organizations should be aware of, including:
          • A 38% rise in attacks targeting FortiGate Firewall VPN services
          • A 26% rise in attempted data exfiltration
          • A 47% rise in the detection of “packed” malware
          • Security warnings for the CrushFTP and Next.js vulnerabilities"
        https://blog.barracuda.com/2025/05/08/soc-threat-radar-may-2025

      Reference
      Electronic Transactions Development Agency (ETDA)
