NCSA Webboard

    Cyber Threat Intelligence 14 May 2025

    • NCSA_THAICERT

      Healthcare Sector

      • With The Right Tools, You Can Prevent This Healthcare Scam From Hurting Employees
        "In 2024, ninety-two percent of healthcare organizations contended with at least one cyber attack. As a result, over 276 million patient records were compromised, translating to the compromise of roughly 758,000 records every single day. Victims of medical identity theft will spend an average of 210 hours and $2,500 (out-of-pocket) to reclaim their identities and resolve breach fallout."
        https://blog.checkpoint.com/securing-user-and-access/with-the-right-tools-you-can-prevent-this-healthcare-scam-from-hurting-employees/

      Government/Law/Policy

      • UK Considers New Enterprise IoT Security Law
        "The UK government has issued a Call for Views on proposed “policy interventions” designed to improve the security of enterprise IoT products, after new research revealed glaring vulnerabilities in many devices. The Department for Science, Innovation and Technology (DSIT) commissioned NCC Group to test a range of components: a “high-end” and “low-end” camera, VoIP device, meeting room panel and NAS device."
        https://www.infosecurity-magazine.com/news/government-enterprise-iot-security/

      Vulnerabilities

      • Microsoft May 2025 Patch Tuesday Fixes 5 Exploited Zero-Days, 72 Flaws
        "Today is Microsoft's May 2025 Patch Tuesday, which includes security updates for 72 flaws, including five actively exploited and two publicly disclosed zero-day vulnerabilities. This Patch Tuesday also fixes six "Critical" vulnerabilities, five being remote code execution vulnerabilities and another an information disclosure bug."
        https://www.bleepingcomputer.com/news/microsoft/microsoft-may-2025-patch-tuesday-fixes-5-exploited-zero-days-72-flaws/
        https://www.tripwire.com/state-of-security/may-2025-patch-tuesday-analysis
        https://blog.talosintelligence.com/microsoft-patch-tuesday-for-may-2025-snort-rules-and-prominent-vulnerabilities/
        https://www.darkreading.com/vulnerabilities-threats/windows-zero-day-bug-exploited-browser-rce
        https://www.securityweek.com/zero-day-attacks-highlight-another-busy-microsoft-patch-tuesday/
        https://cyberscoop.com/microsoft-patch-tuesday-may-2025/
        https://www.helpnetsecurity.com/2025/05/13/patch-tuesday-microsoft-fixes-5-actively-exploited-zero-days/
        https://www.theregister.com/2025/05/14/patch_tuesday_may/
      • SAP Patches Second Zero-Day Flaw Exploited In Recent Attacks
        "SAP has released patches to address a second vulnerability exploited in recent attacks targeting SAP NetWeaver servers as a zero-day. The company issued security updates for this security flaw (CVE-2025-42999) on Monday, May 12, saying it was discovered while investigating zero-day attacks involving another unauthenticated file upload flaw (tracked as CVE-2025-31324) in SAP NetWeaver Visual Composer that was fixed in April. "SAP is aware of and has been addressing vulnerabilities in SAP NETWEAVER Visual Composer," a SAP spokesperson told BleepingComputer. "We ask all customers using SAP NETWEAVER to install these patches to protect themselves. The Security Notes can be found here: 3594142 & 3604119.""
        https://www.bleepingcomputer.com/news/security/sap-patches-second-zero-day-flaw-exploited-in-recent-attacks/
        https://support.sap.com/en/my-support/knowledge-base/security-notes-news/may-2025.html
        https://www.securityweek.com/sap-patches-another-critical-netweaver-vulnerability/
      • Fortinet Fixes Critical Zero-Day Exploited In FortiVoice Attacks
        "Fortinet released security updates to patch a critical remote code execution vulnerability exploited as a zero-day in attacks targeting FortiVoice enterprise phone systems. The security flaw is a stack-based overflow vulnerability tracked as CVE-2025-32756 that also impacts FortiMail, FortiNDR, FortiRecorder, and FortiCamera. As the company explains in a security advisory issued on Tuesday, successful exploitation can allow remote unauthenticated attackers to execute arbitrary code or commands via maliciously crafted HTTP requests."
        https://www.bleepingcomputer.com/news/security/fortinet-fixes-critical-zero-day-exploited-in-fortivoice-attacks/
        https://fortiguard.fortinet.com/psirt/FG-IR-25-254
        https://www.helpnetsecurity.com/2025/05/13/zero-day-exploited-to-compromise-fortinet-fortivoice-systems-cve-2025-32756/
      • Ivanti Fixes EPMM Zero-Days Chained In Code Execution Attacks
        "Ivanti warned customers today to patch their Ivanti Endpoint Manager Mobile (EPMM) software against two security vulnerabilities chained in attacks to gain remote code execution. "Ivanti has released updates for Endpoint Manager Mobile (EPMM) which addresses one medium and one high severity vulnerability," the company said. "When chained together, successful exploitation could lead to unauthenticated remote code execution. We are aware of a very limited number of customers whose solution has been exploited at the time of disclosure.""
        https://www.bleepingcomputer.com/news/security/ivanti-fixes-epmm-zero-days-chained-in-code-execution-attacks/
        https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM?language=en_US
        https://www.helpnetsecurity.com/2025/05/13/ivanti-epmm-vulnerabilities-exploited-in-the-wild-cve-2025-4427-cve-2025-4428/
      • Adobe Patches Big Batch Of Critical-Severity Software Flaws
        "Software maker Adobe has released patches for at least 39 vulnerabilities across a range of products alongside warnings about remote code execution exploit risks. The Patch Tuesday rollout is headlined by a major Adobe ColdFusion update that addresses a wide swath of code execution and privilege escalation attacks. The Adobe ColdFusion bulletin documents 7 distinct vulnerabilities marked as “critical” and Adobe warned that these “could lead to arbitrary file system read, arbitrary code execution and privilege escalation.” The critical bugs carry a CVSS severity score of 9.1/10."
        https://www.securityweek.com/adobe-patches-big-batch-of-critical-severity-software-flaws/
      • CISA Adds Five Known Exploited Vulnerabilities To Catalog
        "CISA has added five new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
        CVE-2025-30400 Microsoft Windows DWM Core Library Use-After-Free Vulnerability
        CVE-2025-32701 Microsoft Windows Common Log File System (CLFS) Driver Use-After-Free Vulnerability
        CVE-2025-32706 Microsoft Windows Common Log File System (CLFS) Driver Heap-Based Buffer Overflow Vulnerability
        CVE-2025-30397 Microsoft Windows Scripting Engine Type Confusion Vulnerability
        CVE-2025-32709 Microsoft Windows Ancillary Function Driver for WinSock Use-After-Free Vulnerability"
        https://www.cisa.gov/news-events/alerts/2025/05/13/cisa-adds-five-known-exploited-vulnerabilities-catalog
      • Ivanti Warns Of Critical Neurons For ITSM Auth Bypass Flaw
        "Ivanti has released security updates for its Neurons for ITSM IT service management solution that mitigate a critical authentication bypass vulnerability. Tracked as CVE-2025-22462, the security flaw can let unauthenticated attackers gain administrative access to unpatched systems in low-complexity attacks, depending on system configuration. As the company highlighted in a security advisory released today, organizations that followed its guidance are less exposed to attacks."
        https://www.bleepingcomputer.com/news/security/ivanti-warns-of-critical-neurons-for-itsm-auth-bypass-flaw/
      • New Intel CPU Flaws Leak Sensitive Data From Privileged Memory
        "A new "Branch Privilege Injection" flaw in all modern Intel CPUs allows attackers to leak sensitive data from memory regions allocated to privileged software like the operating system kernel. Typically, these regions are populated with information like passwords, cryptographic keys, memory of other processes, and kernel data structures, so protecting them from leakage is crucial. According to ETH Zurich researchers Sandro Rüegge, Johannes Wikner, and Kaveh Razavi, Spectre v2 mitigations held for six years, but their latest "Branch Predictor Race Conditions" exploit effectively bypasses them."
        https://www.bleepingcomputer.com/news/security/new-intel-cpu-flaws-leak-sensitive-data-from-privileged-memory/
        https://comsec.ethz.ch/research/microarch/branch-privilege-injection/
        https://comsec.ethz.ch/wp-content/files/bprc_sec25.pdf
        https://www.theregister.com/2025/05/13/intel_spectre_race_condition/
      • Radware Says Recently Disclosed WAF Bypasses Were Patched In 2023
        "Cybersecurity and application delivery solutions provider Radware has clarified that the vulnerabilities disclosed last week were addressed back in 2023. An advisory published on May 7 by the CERT Coordination Center (CERT/CC) at Carnegie Mellon University revealed that the Radware Cloud Web Application Firewall (WAF) was vulnerable to a couple of filter bypass methods that could allow threat actors to conduct attacks without being blocked by the firewall."
        https://www.securityweek.com/radware-says-recently-disclosed-waf-bypasses-were-patched-in-2023/
      • Zoom Fixes High-Risk Flaw In Latest Update
        "Zoom fixes multiple security bugs in Workplace Apps, including a high-risk flaw. Users are urged to update to the latest version released on May 13, 2025. Zoom pushed out a batch of security fixes today, addressing multiple vulnerabilities across its Workplace Apps. One of them has been marked high severity, while the others are rated medium. The updates affect both general app versions and Windows-specific builds. For anyone using Zoom in business or education settings, especially on Windows systems, these updates are worth attention."
        https://hackread.com/zoom-fixes-high-risk-flaw-in-latest-update/

      Malware

      • Earth Ammit Disrupts Drone Supply Chains Through Coordinated Multi-Wave Attacks In Taiwan
        "In July 2024, we disclosed the TIDRONE campaign, in which threat actors targeted Taiwan’s military and satellite industries. During our investigation, we discovered that multiple compromised entities were using the same enterprise resource planning (ERP) software. This led us to engage with the ERP vendor, through which we uncovered additional details that pointed to an earlier, related campaign – VENOM. Our findings were also presented at Black Hat Asia 2025 last month, where we discussed in depth Earth Ammit's tactics in the TIDRONE and VENOM campaigns, their targeted attacks on military sectors in Eastern Asia, and their possible ties to Chinese-speaking cyber-espionage groups."
        https://www.trendmicro.com/en_us/research/25/e/earth-ammit.html
        https://www.darkreading.com/cyberattacks-data-breaches/chinese-actor-taiwanese-drone-makers-supply-chains
        https://therecord.media/chinese-hackers-target-taiwan-military-sector
      • TA406 Pivots To The Front
        "In February 2025, TA406 began targeting government entities in Ukraine, delivering both credential harvesting and malware in its phishing campaigns. The aim of these campaigns is likely to collect intelligence on the trajectory of the Russian invasion. TA406 is a Democratic People's Republic of Korea (DPRK) state-sponsored actor that overlaps with activity publicly tracked by third parties as Opal Sleet and Konni. The group’s interest in Ukraine follows historical targeting of government entities in Russia for strategic intelligence gathering purposes. TA406 relies on freemail senders spoofing members of think tanks to convince the target to engage with the phishing email. The lure content is based heavily off recent events in Ukrainian domestic politics."
        https://www.proofpoint.com/us/blog/threat-insight/ta406-pivots-front
        https://www.darkreading.com/cyberattacks-data-breaches/north-koreas-ta406-targets-ukraine
        https://therecord.media/north-korea-hackers-target-ukraine-to-understand-russian-war-efforts
        https://www.bleepingcomputer.com/news/security/north-korea-ramps-up-cyberspying-in-ukraine-to-assess-war-risk/
        https://thehackernews.com/2025/05/north-korean-konni-apt-targets-ukraine.html
        https://www.bankinfosecurity.com/north-korea-targets-ukraine-cyberespionage-operations-a-28372
        https://www.infosecurity-magazine.com/news/dprk-backed-ta406-targets-ukraine/
      • Using a Mythic Agent To Optimize Penetration Testing
        "The way threat actors use post-exploitation frameworks in their attacks is a topic we frequently discuss. It’s not just about analysis of artifacts for us, though. Our company’s deep expertise means we can study these tools to implement best practices in penetration testing. This helps organizations stay one step ahead. Being experts in systems security assessment and information security in general, we understand that a proactive approach always works better than simply responding to incidents that have already occurred. And when we say “proactive”, we imply learning new technologies and techniques that threat actors may adopt next. That is why we follow the latest research, analyze new tools, and advance our pentesting expertise."
        https://securelist.com/agent-for-mythic-c2-with-beacon-object-files/115259/
      • How Interlock Ransomware Affects The Defense Industrial Base Supply Chain
        "Kinetic events, such as the Russia-Ukraine, Israel-Hamas, and Pakistan-India situations, along with non-kinetic or political turmoil events, have both a direct effect (participant 1 targeting participant 2) and an indirect effect (social sympathizer group targeting the participant they deem the aggressor), which drive ransomware and similar cyberattacks. The motivation behind these attacks can be to support an official action or to justify a criminal attack on a victim. However, it may also leverage the event as political cover for a cyberattack motivated by industrial or state espionage."
        https://www.resecurity.com/blog/article/how-interlock-ransomware-affects-the-defense-industrial-base-supply-chain
        https://securityaffairs.com/177792/malware/how-interlock-ransomware-affects-the-defense-industrial-base-supply-chain.html
      • China-Nexus Nation State Actors Exploit SAP NetWeaver (CVE-2025-31324) To Target Critical Infrastructures
        "EclecticIQ analysts assess with high confidence that, in April 2025, China-nexus nation-state APTs (advanced persistent threat) launched high-tempo exploitation campaigns against critical infrastructure networks by targeting SAP NetWeaver Visual Composer. Actors leveraged CVE-2025-31324 [1], an unauthenticated file upload vulnerability that enables remote code execution (RCE). This assessment is based on a publicly exposed directory (opendir) found on attacker-controlled infrastructure, which contained detailed event logs capturing operations across multiple compromised systems."
        https://blog.eclecticiq.com/china-nexus-nation-state-actors-exploit-sap-netweaver-cve-2025-31324-to-target-critical-infrastructures
        https://thehackernews.com/2025/05/china-linked-apts-exploit-sap-cve-2025.html
      • Same Name, Different Hack: PyPI Package Targets Solana Developers
        "The ReversingLabs research team has written about the surge in recent years in software supply chain attacks that target cryptocurrency. RL’s 2025 Software Supply Chain Security Report documented 23 distinct malicious supply chain campaigns targeting cryptocurrency applications and infrastructure in 2024 alone. That trend continues. So far in 2025, RL researchers discovered a number of new campaigns that appear to target cryptocurrency assets. In April, for example, RL researcher Lucija Valentić wrote about the discovery of an npm package, pdf-to-office, that injected malicious code into legitimate, locally-installed files to steal funds stored in Atomic Wallet and Exodus crypto wallets."
        https://www.reversinglabs.com/blog/same-name-different-hack-pypi-package-targets-solana-developers
        https://thehackernews.com/2025/05/malicious-pypi-package-posing-as-solana.html
      • Analysis Of APT37 Attack Case Disguised As a Think Tank For National Security Strategy In South Korea (Operation. ToyBox Story)
        "Disguised the content as an academic forum invitation from a South Korean national security think tank to attract attention. Lured targets by referencing an actual event titled “Trump 2.0 Era: Prospects and South Korea’s Response”. Delivered malicious LNK files via the Dropbox cloud platform. APT37 used Dropbox as a C2 server, following earlier use of pCloud and Yandex. EDR-based anomaly hunting required to improve detection of fileless threats"
        https://www.genians.co.kr/en/blog/threat_intelligence/toybox-story
        https://therecord.media/apt37-scarcruft-cyber-espionage-campaign-south-korea

      Breaches/Hacks/Leaks

      • M&S Confirms Customer Data Stolen In Cyber-Attack
        "UK retailer Marks & Spencer (M&S) has confirmed that the personal details of customers were stolen during April’s suspected ransomware attack. M&S Chief Executive, Stuart Machin, made the announcement via the firm’s Instagram account on May 13. He wrote: “As we continue to manage the current cyber incident, we have written to customers today to let them know that unfortunately, some personal customer information has been taken.”"
        https://www.infosecurity-magazine.com/news/ms-customer-data-stolen-attack/
        https://www.theregister.com/2025/05/13/ms_confirms_customer_data_stolen/
        https://www.securityweek.com/marks-spencer-says-data-stolen-in-ransomware-attack/
        https://www.bleepingcomputer.com/news/security/mands-says-customer-data-stolen-in-cyberattack-forces-password-resets/
        https://therecord.media/marks-spencer-confirms-customer-data-breach
        https://securityaffairs.com/177784/data-breach/marks-and-spencer-confirms-data-breach-after-april-cyber-attack.html
      • Twilio Denies Breach Following Leak Of Alleged Steam 2FA Codes
        "Twilio has denied in a statement for BleepingComputer that it was breached after a threat actor claimed to be holding over 89 million Steam user records with one-time access codes. The threat actor, using the alias Machine1337 (also known as EnergyWeaponsUser), advertised a trove of data allegedly pulled from Steam, offering to sell it for $5,000. When examining the leaked files, which contained 3,000 records, BleepingComputer found historic SMS text messages with one-time passcodes for Steam, including the recipient's phone number."
        https://www.bleepingcomputer.com/news/security/twilio-denies-breach-following-leak-of-alleged-steam-2fa-codes/
      • Over 3 Million Records, Including PII Of Student-Athletes And College Coaches Exposed In a Data Breach
        "Cybersecurity Researcher, Jeremiah Fowler, discovered and reported to vpnMentor about an unencrypted and non-password-protected database that contained 3,154,239 records presumably belonging to a platform designed to assist high school athletes in securing college sports scholarships."
        https://www.vpnmentor.com/news/report-prephero-breach/
        https://hackread.com/prephero-database-exposed-students-coaches-data/

      General News

      • Breaking Down Silos In Cybersecurity
        "All organizations erect silos – silos between groups and departments, across functions and among technologies. Silos represent differences in practices, culture and operations. Their presence inhibits communication and collaboration. As companies scale from startup to mid-sized and beyond, silos multiply and ossify. As operations expand from one site to many, from on-premises to cloud, from legacy to emerging tech (e.g., cloud and AI), silos don’t topple; they persist and proliferate. Nowhere are silos more evident and more challenging than in cybersecurity. Industry pundits call for a unified approach and a holistic vision of attack surfaces, but the cybersecurity marketplace is awash with tools and architectures, each with its own approach and its own silos."
        https://www.helpnetsecurity.com/2025/05/13/marc-gafan-ionix-tyson-kopczynski-cymetry-one-cybersecurity-silos/
      • CISOs Must Speak Business To Earn Executive Trust
        "In this Help Net Security interview, Pritesh Parekh, VP, CISO at PagerDuty talks about how CISOs can change perceptions of their role, build influence across the organization, communicate risk in business terms, and use automation to support business goals."
        https://www.helpnetsecurity.com/2025/05/13/pritesh-parekh-pagerduty-cisos-business-leaders-conversations/
      • AI Vs AI: How Cybersecurity Pros Can Use Criminals’ Tools Against Them
        "For a while now, AI has played a part in cybersecurity. Now, agentic AI is taking center stage. Based on pre-programmed plans and objectives, agentic AI can make choices which optimize results without a need for developer intervention. As agentic AI can be programmed for various tasks, AI agents are set to create a labor revolution, from manufacturing to customer service. However, this comes at a cost, as they can also be programmed to conduct fraudulent activities, such as advanced social engineering attacks utilizing social media data and deepfakes for highly personalized phishing schemes. Because of this, Gartner warns that within two years AI agents will accelerate how long it takes to take over exposed accounts by 50%."
        https://www.helpnetsecurity.com/2025/05/13/ai-proxies-cybersecurity/
      • Consult The European Vulnerability Database To Enhance Your Digital Security!
        "The European Union Agency for Cybersecurity (ENISA) has developed the European Vulnerability Database - EUVD as provided for by the NIS2 Directive. The EUVD service, to be maintained by ENISA, is now operational. The database provides aggregated, reliable, and actionable information such as mitigation measures and exploitation status on cybersecurity vulnerabilities affecting Information and Communication Technology (ICT) products and services."
        https://www.enisa.europa.eu/news/consult-the-european-vulnerability-database-to-enhance-your-digital-security
        https://euvd.enisa.europa.eu/
        https://www.infosecurity-magazine.com/news/european-vulnerability-database-us/
        https://www.theregister.com/2025/05/13/eu_security_bug_database/
        https://therecord.media/eu-launches-vulnerability-database
        https://www.darkreading.com/vulnerabilities-threats/eu-bug-database-vulnerability-tracking
        https://www.bankinfosecurity.com/tracking-bugs-european-vulnerability-database-goes-live-a-28382
      • Defining a New Methodology For Modeling And Tracking Compartmentalized Threats
        "In the evolving cyberthreat landscape, Cisco Talos is witnessing a significant shift towards compartmentalized attack kill chains, where distinct stages — such as initial compromise and subsequent exploitation — are executed by multiple threat actors. This trend complicates traditional threat modeling and actor profiling, as it requires understanding the intricate relationships and interactions between various groups, explained in the previous blog."
        https://blog.talosintelligence.com/compartmentalized-threat-modeling/
      • Redefining IABs: Impacts Of Compartmentalization On Threat Tracking And Modeling
        "Cisco Talos has observed a growing trend of attack kill chains being split into two stages — initial compromise and subsequent exploitation — executed by separate threat actors. This compartmentalization increases the complexity and difficulty of performing threat modeling and actor profiling. Initial access groups now include both traditional initial access brokers (IABs) as well as opportunistic and state-sponsored threat actors, whose characteristics, motivations and objectives differ significantly."
        https://blog.talosintelligence.com/redefining-initial-access-brokers/
      • DeepSeek, Deep Research Mean Deep Changes For AI Security
        "The world of artificial intelligence can be divided into two epochs: ChatGPT and Deep Logic. Platforms like DeepSeek and Google and OpenAI's Deep Research, alongside other agentic systems and logic-based models, exemplify this shift with real-time reasoning, multistep decision-making, and dynamic data retrieval. These advanced systems can construct and refine a chain of thought during inference."
        https://www.darkreading.com/vulnerabilities-threats/deepseek-deep-research-deep-changes-ai-security
      • Building Effective Security Programs Requires Strategy, Patience, And Clear Vision
        "CISOs are facing a growing array of threats, including ransomware, business email compromise, identity-based attacks, phishing attacks, and data breaches. Patience and adaptability are required to build, implement, and maintain an effective security program that addresses the gamut of these risks. Many technologies and security measures are available to tackle the various problems organizations face, but they take time and resources to implement properly. One way to do so is to treat the organization's security program as a product, said Capital One cybersecurity CTO Mike Benjamin at last month's RSAC Conference in San Francisco."
        https://www.darkreading.com/cyber-risk/building-effective-security-programs-strategy-patience-clear-vision
      • Sharing Intelligence Beyond CTI Teams, Across Wider Functions And Departments
        "I read a recent Google Intelligence Report which highlighted a case uncovered last year involving a single North Korean worker deploying at least 12 personae across Europe and the US. The IT worker was seeking jobs within the defense industry and government sectors. Using this new tactic, bogus IT professionals have been threatening to release sensitive company data that they have exfiltrated before being fired. According to the report, North Korea has now turned to Europe, and the UK, after it became more difficult to implement its fake worker ploy in the US. As a result, companies are being urged to carry out job interviews for IT workers on video, or better still in-person, to head off the risk of giving jobs to fake North Korean employees."
        https://www.securityweek.com/sharing-intelligence-beyond-cti-teams-across-wider-functions-and-departments/

      Reference
      Electronic Transactions Development Agency (ETDA)
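The CISA Known Exploited Vulnerabilities item in the Vulnerabilities section above lists five CVE IDs added to the catalog on 13 May. The script below is an added example (not code from the digest, NCSA/ThaiCERT or CISA) of how a practitioner consumes the KEV JSON feed: it indexes the feed by CVE ID, cross-checks a local watchlist of unpatched CVEs against it, and ranks findings by KEV due date so overdue and soon-due items surface first. The feed layout follows the real KEV JSON, but the embedded records are constructed sample data: the CVE IDs and names are the ones the digest lists, while the due dates, ransomware flags and catalog version are assumed placeholders. The watchlist is constructed too; it includes CVE-2025-22462 from the Ivanti Neurons for ITSM item, which is not in this KEV batch, to show how non-KEV findings are ranked.

```python
"""Cross-check a CVE watchlist against a CISA KEV catalog feed.

Added example for the CISA KEV item in the 14 May 2025 digest; it is not
code from NCSA/ThaiCERT or CISA. The feed shape follows the real KEV JSON
(https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json:
a top-level "vulnerabilities" list whose records carry cveID, vendorProject,
product, vulnerabilityName, dateAdded, dueDate, knownRansomwareCampaignUse
and more). The records below are CONSTRUCTED: the five CVE IDs and names
are the ones the digest lists; due dates, ransomware flags and the catalog
version are assumed placeholders, not CISA's actual values.
"""
from __future__ import annotations

import json
from datetime import date

# Constructed KEV sample (same layout as the real feed, fewer fields).
_ENTRIES = [
    ("CVE-2025-30400", "Microsoft Windows DWM Core Library Use-After-Free Vulnerability"),
    ("CVE-2025-32701", "Microsoft Windows Common Log File System (CLFS) Driver Use-After-Free Vulnerability"),
    ("CVE-2025-32706", "Microsoft Windows Common Log File System (CLFS) Driver Heap-Based Buffer Overflow Vulnerability"),
    ("CVE-2025-30397", "Microsoft Windows Scripting Engine Type Confusion Vulnerability"),
    ("CVE-2025-32709", "Microsoft Windows Ancillary Function Driver for WinSock Use-After-Free Vulnerability"),
]
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "2025.05.13",  # assumed placeholder
    "count": len(_ENTRIES),
    "vulnerabilities": [
        {
            "cveID": cve,
            "vendorProject": "Microsoft",
            "product": "Windows",
            "vulnerabilityName": name,
            "dateAdded": "2025-05-13",
            "dueDate": "2025-06-03",                   # assumed placeholder
            "knownRansomwareCampaignUse": "Unknown",  # assumed placeholder
        }
        for cve, name in _ENTRIES
    ],
})

# Constructed watchlist, e.g. the CVE IDs your scanner reports as unpatched.
# CVE-2025-22462 (Ivanti Neurons for ITSM) is in the digest but not in this
# KEV batch, so it shows how findings absent from KEV are ranked.
WATCHLIST = {cve for cve, _ in _ENTRIES} | {"CVE-2025-22462"}


def load_kev(feed_text: str) -> dict[str, dict]:
    """Parse a KEV feed (the downloaded JSON text) and index records by CVE ID."""
    feed = json.loads(feed_text)
    return {entry["cveID"]: entry for entry in feed["vulnerabilities"]}


def _as_date(value: date | str) -> date:
    return value if isinstance(value, date) else date.fromisoformat(value)


def triage(kev: dict[str, dict], watchlist: set[str], today: date | str) -> list[dict]:
    """Rank watchlist CVEs: KEV entries first, earliest due date first.

    Each row records whether the CVE is in KEV, its KEV due date, the days
    remaining (negative when overdue) and the ransomware-use flag.
    """
    today = _as_date(today)
    rows = []
    for cve in sorted(watchlist):
        entry = kev.get(cve)
        if entry is None:
            rows.append({"cve": cve, "in_kev": False, "due": None,
                         "days_to_due": None, "overdue": False, "ransomware": None})
            continue
        days = (date.fromisoformat(entry["dueDate"]) - today).days
        rows.append({"cve": cve, "in_kev": True, "due": entry["dueDate"],
                     "days_to_due": days, "overdue": days < 0,
                     "ransomware": entry["knownRansomwareCampaignUse"],
                     "name": entry["vulnerabilityName"]})
    # ISO date strings sort chronologically; rows not in KEV go last.
    rows.sort(key=lambda r: (not r["in_kev"], r["due"] or "9999-12-31"))
    return rows


def due_within(kev: dict[str, dict], today: date | str, days: int) -> list[str]:
    """CVE IDs whose KEV due date is within `days` of today or already past."""
    today = _as_date(today)
    return sorted(cve for cve, e in kev.items()
                  if (date.fromisoformat(e["dueDate"]) - today).days <= days)


if __name__ == "__main__":
    catalog = load_kev(SAMPLE_KEV_JSON)
    for row in triage(catalog, WATCHLIST, "2025-05-14"):
        status = ("not in KEV" if not row["in_kev"]
                  else f'due {row["due"]} ({row["days_to_due"]:+d} d)')
        print(f'{row["cve"]:<16} {status}')
```

To run it against the live catalog, replace SAMPLE_KEV_JSON with the downloaded feed text. A CVE missing from KEV is ranked last rather than dropped: absence from the catalog is not evidence that a flaw is unexploited, only that CISA has not recorded exploitation, so such findings still need the normal patch cycle.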
