NCSA Webboard

    Cyber Threat Intelligence 12 May 2025

    Cyber Security News
    • NCSA_THAICERT

      New Tooling

      • Analyze Resource-Based Policy Dependencies Across Your AWS Organizations Accounts
        "Managing multiple AWS accounts in an organization can get complicated, especially when trying to understand how services and permissions are connected. The Account Assessment for AWS Organizations open-source tool helps simplify this process by giving you a central place to evaluate and manage all your accounts."
        https://www.helpnetsecurity.com/2025/05/09/aws-account-assessment/
        https://github.com/aws-solutions/account-assessment-for-aws-organizations

      Vulnerabilities

      • Commvault: Vulnerability Patch Works As Intended
        "Commvault has disputed a security researcher's claims that an exploit for a recently disclosed maximum severity vulnerability, tracked as CVE-2025-34028, in its Command Center Web-based management interface remains effective even in recently updated versions of the software. In comments to Dark Reading, Commvault spokesperson Ross Camp called researcher Will Dormann's observation earlier this week inaccurate. He attributed the issue to Dormann not being registered with Commvault, which prevented him from accessing and applying the appropriate update."
        https://www.darkreading.com/application-security/commvault-patch-works-as-intended

      Malware

      • AhnLab Detection Information On BPFDoor Exploited In Recent Hacking Attacks And KISA Hash Notice
        "BPFDoor is a Linux-based backdoor malware. AhnLab previously published their EDR detection information on this malware through the ASEC blog in October 2024. KISA recently shared threat information and warnings on BPFDoor, which has been exploited in hacking attacks. V3 detection information on the hash values shared by KISA in their first and second notices is as follows."
        https://asec.ahnlab.com/en/87863/
      • Threat Analysis: SAP Vulnerability Exploited In The Wild By Chinese Threat Actor
        "CVE-2025-31324 is a critical deserialization vulnerability affecting SAP NetWeaver Visual Composer 7.x that allows attackers to upload malicious binaries, such as web shells to vulnerable servers. This allows for full takeover of unpatched systems. The CVE is actively being exploited in the wild since at least April 29, when we noticed active scans on Forescout’s Adversary Engagement Environment (AEE) and it was added to CISA KEV."
        https://www.forescout.com/blog/threat-analysis-sap-vulnerability-exploited-in-the-wild-by-chinese-threat-actor/
        https://thehackernews.com/2025/05/chinese-hackers-exploit-sap-rce-flaw.html
        https://www.bleepingcomputer.com/news/security/chinese-hackers-behind-attacks-targeting-sap-netweaver-servers/
        https://www.securityweek.com/sap-zero-day-targeted-since-january-many-sectors-impacted/
      • India Experiences Surge In Hacktivist Group Activity Amid Military Tensions
        "More than 40 hacktivist groups conducted coordinated cyberattacks against India following the April 22 terror attack in Pahalgam in the Indian state of Jammu and Kashmir, which in turn prompted India to respond with targeted strikes aimed at alleged terrorist infrastructure across the border and the Pakistan-Occupied Kashmir region (PoK). Cyble Research & Intelligence Lab’s (CRIL) findings indicate that over the course of two weeks, several fundamentalist, pro-Pakistan, and Southeast Asian hacktivist groups launched a series of Distributed Denial-of-Service (DDoS) attacks and website defacements in isolation and in coordinated campaigns."
        https://cyble.com/blog/india-experience-hacktivist-group-activity/
        https://nsfocusglobal.com/two-battlegrounds-india-pakistan-conflicts-and-ddos-attacks/
        https://www.radware.com/security/threat-advisories-and-attack-reports/escalating-hacktivist-attacks-amidst-india-pakistan-tensions/
        https://www.darkreading.com/cyberattacks-data-breaches/pahalgam-attack-hacktivists-unite-opindia
      • The Legacy Loophole: How Attackers Are Exploiting Entra ID And What To Do About It
        "Between March 18 and April 7, 2025, Guardz Research tracked a targeted campaign exploiting legacy authentication protocols in Microsoft Entra ID. At the center of this operation was BAV2ROPC, a legacy login method that lets attackers sidestep modern defenses like Multi-Factor Authentication (MFA) and Conditional Access. These attacks were not random. They were systematic, automated, and coordinated across the global infrastructure. The only thing that stopped them was a strong configuration. If your environment still allows legacy authentication, you are a sitting target."
        https://guardz.com/blog/the-legacy-loophole-how-attackers-are-exploiting-entra-id-and-what-to-do-about-it/
        https://hackread.com/legacy-login-microsoft-entra-id-breach-cloud-accounts/
      • Backdooring The IDE: Malicious Npm Packages Hijack Cursor Editor On MacOS
        "The Socket Threat Research Team has identified three malicious npm packages — sw-cur, its near-identical clone sw-cur1, and aiide-cur — targeting the macOS version of the popular Cursor AI code editor. Disguised as developer tools offering “the cheapest Cursor API”, these packages steal user credentials, fetch an encrypted payload from threat actor-controlled infrastructure, overwrite Cursor’s main.js file, and disable auto-updates to maintain persistence."
        https://socket.dev/blog/malicious-npm-packages-hijack-cursor-editor-on-macos
        https://thehackernews.com/2025/05/malicious-npm-packages-infect-3200.html
        https://www.securityweek.com/malicious-npm-packages-target-cursor-ais-macos-users/
      • Additional Features Of OtterCookie Malware Used By WaterPlum
        "WaterPlum (also called Famous Chollima or PurpleBravo) is reportedly a North Korea-linked attack group that targets financial institutions, cryptocurrency operators and FinTech companies worldwide. They have been using malware called BeaverTail or InvisibleFerret in the Contagious Interview campaign since around 2023, and they started using new malware in September 2024. We named it ‘OtterCookie’ and published a blog article in December 2024."
        https://jp.security.ntt/tech_blog/en-waterplum-ottercookie
        https://thehackernews.com/2025/05/ottercookie-v4-adds-vm-detection-and.html
      • Stealthy .NET Malware: Hiding Malicious Payloads As Bitmap Resources
        "This article highlights a new obfuscation technique threat actors are using to hide malware through steganography within bitmap resources embedded in otherwise benign 32-bit .NET applications. Upon execution, these files kick off a multi-stage chain of extracting, deobfuscating, loading and executing secondary payloads (dynamic-link libraries), eventually detonating the final payload (executable). We illustrate how to recover the final payload from the initial bitmap resource embedded in the original file using malware drawn from recent malicious spam (malspam) campaigns observed in our internal telemetry. Security practitioners can better defend against this technique by understanding the inner workings of it."
        https://unit42.paloaltonetworks.com/malicious-payloads-as-bitmap-resources-hide-net-malware/
      • Catching a Phish With Many Faces
        "Phishing remains a particularly stubborn threat in the cybersecurity landscape. It sticks around partly because even though the bad guys are always after the same prize – people’s login credentials and other sensitive information – they never cease to evolve and adapt their tactics. One technique that has gained traction in recent years is the use of dynamically generated phishing pages. Using dedicated phishing-as-a-service (PhaaS) toolkits, attackers can spin up authentic-looking phishing pages on the spot, all while customizing them for whoever they’re targeting."
        https://www.welivesecurity.com/en/scams/spotting-phish-many-faces/
      • iClicker Site Hack Targeted Students With Malware Via Fake CAPTCHA
        "The website of iClicker, a popular student engagement platform, was compromised in a ClickFix attack that used a fake CAPTCHA prompt to trick students and instructors into installing malware on their devices. iClicker is a subsidiary of Macmillan and is a digital classroom tool that allows instructors to take attendance, ask live questions or surveys, and track student engagement. It is widely used by 5,000 instructors and 7 million students at colleges and universities across the United States, including the University of Michigan, the University of Florida, and universities in California."
        https://www.bleepingcomputer.com/news/security/iclicker-hack-targeted-students-with-malware-via-fake-captcha/
        https://safecomputing.umich.edu/security-alerts/iclicker-fake-captcha-installs-malware

      Breaches/Hacks/Leaks

      • Ascension Says Recent Data Breach Affects Over 430,000 Patients
        "Ascension, one of the largest private healthcare systems in the United States, has revealed that the personal and healthcare information of over 430,000 patients was exposed in a data breach disclosed last month. As Ascension revealed in breach notification letters sent to affected individuals in April, their information was stolen in a data theft attack that impacted a former business partner in December."
        https://www.bleepingcomputer.com/news/security/ascension-says-recent-data-breach-affects-over-430-000-patients/
        https://securityaffairs.com/177676/data-breach/ascension-reveals-personal-data-of-437329-patients-exposed-in-cyberattack.html
      • 160,000 Impacted By Valsoft Data Breach
        "Canada-based vertical market software (VMS) firm Valsoft Corporation (dba AllTrust) is notifying over 160,000 people that their personal information was compromised in a data breach. The incident, discovered on February 14, involved unauthorized access to a non-production network of AllTrust subsidiary Aspire USA. “Aspire’s internal security team identified an in-progress file transfer which they were able to interrupt mid-transfer,” the company says in a notification letter to the impacted individuals, a copy of which was submitted to the Maine Attorney General’s Office."
        https://www.securityweek.com/160000-impacted-by-valsoft-data-breach/

      General News

      • Police Dismantles Botnet Selling Hacked Routers As Residential Proxies
        "Law enforcement authorities have dismantled a botnet that infected thousands of routers over the last 20 years to build two networks of residential proxies known as Anyproxy and 5socks. The U.S. Justice Department also indicted three Russian nationals (Alexey Viktorovich Chertkov, Kirill Vladimirovich Morozov, and Aleksandr Aleksandrovich Shishkin) and a Kazakhstani (Dmitriy Rubtsov) for their involvement in operating, maintaining, and profiting from these two illegal services. During this joint action dubbed 'Operation Moonlander,' U.S. authorities worked with prosecutors and investigators from the Dutch National Police, the Netherlands Public Prosecution Service (Openbaar Ministerie), and the Royal Thai Police, as well as analysts with Lumen Technologies' Black Lotus Labs."
        https://www.bleepingcomputer.com/news/security/police-dismantles-botnet-selling-hacked-routers-as-residential-proxies/
        https://www.justice.gov/usao-ndok/pr/botnet-dismantled-international-operation-russian-and-kazakhstani-administrators
        https://blog.lumen.com/black-lotus-labs-helps-demolish-major-criminal-proxy-network/
        https://thehackernews.com/2025/05/breaking-7000-device-proxy-botnet-using.html
        https://www.bankinfosecurity.com/feds-seize-domains-in-global-proxy-botnet-crackdown-a-28359
        https://therecord.media/5socks-anyproxy-botnets-takedown-russians-kazakhstani-charged
        https://securityaffairs.com/177664/malware/operation-moonlander-dismantled-the-botnet-behind-anyproxy-and-5socks-cybercriminals-services.html
        https://www.theregister.com/2025/05/10/router_botnet_crashed/
      • Germany Takes Down eXch Cryptocurrency Exchange, Seizes Servers
        "The Federal police in Germany (BKA) seized the server infrastructure and shut down the 'eXch' cryptocurrency exchange platform for alleged money laundering cybercrime proceeds. During the law enforcement operation, the authorities also seized eight terabytes of data and cryptocurrency (Bitcoin, Ether, Litecoin, and Dash) worth approximately $38,000,000, making this the third largest seizure of digital assets in BKA's history. The BKA says the platform did not comply with 'know-your-customer' regulations, allowing money laundering by cybercrime and other illegal rings to bloom."
        https://www.bleepingcomputer.com/news/security/germany-takes-down-exch-cryptocurrency-exchange-seizes-servers/
        https://therecord.media/exch-cryptocurrency-mixer-germany-takedown
        https://thehackernews.com/2025/05/germany-shuts-down-exch-over-19b.html
      • April 2025 Malware Spotlight: FakeUpdates Dominates As Multi-Stage Campaigns Blend Commodity Malware With Stealth
        "Cyber criminals are raising the stakes. This month, researchers uncovered a sophisticated, multi-stage malware campaign delivering some of the most prevalent commodity malware—AgentTesla, Remcos, and XLoader—via stealthy techniques designed to evade detection. Meanwhile, FakeUpdates retains its top spot in the malware rankings, impacting 6% of organizations globally, and the education sector remains the most targeted industry."
        https://blog.checkpoint.com/research/april-2025-malware-spotlight-fakeupdates-dominates-as-multi-stage-campaigns-blend-commodity-malware-with-stealth/
      • How Security Has Changed The Hacker Marketplace
        "How can we spend so much on security and yet see such slow progress? Unlike most other infrastructure, we're not just fighting Murphy's law — our opposition is the creativity of other humans. Software exploitation isn't just a technical problem — it's a thriving, sophisticated marketplace with professional sellers, brokers, and buyers. While your security team focuses on vulnerability counts and compliance checklists, attackers are calculating their potential return on investment. What's the market rate for exploiting your company's software? I've spent more than a decade watching this market evolve, and the most effective defensive strategy I've seen isn't about eliminating every vulnerability — it's about making exploitation of your systems more costly than attacking alternative targets."
        https://www.darkreading.com/vulnerabilities-threats/how-security-changed-hacker-marketplace
      • Rising Tides: Kelley Misata On Bringing Cybersecurity To Nonprofits
        "I’ve often heard vendor leaders and salespeople complain about leads from nonprofits because “they don’t focus on cybersecurity.” Dr. Kelley Misata, Ph.D., CEO and founder of Sightline Security, has proven every single one of them wrong. Sightline Security is a nonprofit organization dedicated to truly understanding the priorities of nonprofits and, while they are mission-driven first, they absolutely do care about securing their sometimes life-saving missions. According to Misata, this is an important part of cybersecurity that too often gets overlooked or approached incorrectly because one cannot engage a nonprofit about security in a way that one would approach an enterprise."
        https://www.securityweek.com/rising-tides-kelley-misata-on-bringing-cybersecurity-to-nonprofits/
      • Introducing a New Framework To Analyze ICT Activities
        "Millions of malicious activities and cybersecurity-related responses occur daily in the information communication technologies (ICT) environment. While it is impossible to provide an exact figure, efforts to assess daily activity in the ICT environment estimate that around 600 million cyberattacks occur each day. For each offensive activity spotted, there is a corresponding defensive response triggered by its very detection. The number of malicious ICT activities is on the rise, and both the private sector and the international community have expressed preoccupation with this trend. In particular, Member States reiterated in a recent progress report of the Open-Ended Working Group on security of and in the use of ICTs 2021–2025, increasing concern that ICT threats in the international security context have intensified and evolved significantly in the current geopolitical environment."
        https://unidir.org/introducing-a-new-framework-to-analyze-ict-activities/
        https://www.infosecurity-magazine.com/news/un-cyber-assessment-framework/
      • You Think Ransomware Is Bad Now? Wait Until It Infects CPUs
        "If Rapid7's Christiaan Beek decided to change careers and become a ransomware criminal, he knows exactly how he'd innovate: CPU ransomware. The senior director of threat analytics for the cybersecurity company got the idea from a bad bug in AMD Zen chips that, if exploited by highly skilled attackers, would allow those intruders to load unapproved microcode into the processors, breaking encryption at the hardware level and modifying CPU behavior at will."
        https://www.theregister.com/2025/05/11/cpu_ransomware_rapid7/

      References
      Electronic Transactions Development Agency (ETDA)
