NCSA Webboard

    Cyber Threat Intelligence 23 May 2025

    Cyber Security News
    • NCSA_THAICERT

      Healthcare Sector

      • Health-ISAC 2025 Report: Ransomware Still Reigns As #1 Threat To Healthcare
        "Health-ISAC recently released their 2025 Health Sector Cyber Threat Landscape Report, a comprehensive outline of the malicious activity aimed at healthcare in the previous year. Not surprisingly, ransomware was cited by security professionals in the industry as the number one threat of 2024 and the top area of concern coming into 2025 (followed by third-party breaches, supply chain attacks, and zero-day exploits). Some things never change. However, when it comes to ransomware, they do evolve. Take a look at some of the reasons ransomware maintains its top spot as the primary plague of healthcare organizations as we move into another threat-filled year."
        https://www.tripwire.com/state-of-security/health-isac-report-ransomware-still-reigns-threat-healthcare
        https://health-isac.org/wp-content/uploads/Health-ISAC_2025-Annual-Threat-Report.pdf

      Industrial Sector

      • Rockwell Automation FactoryTalk Historian ThingWorx
        "Successful exploitation of this vulnerability could allow an attacker to launch XXE-based attacks on applications that accept malicious log4net configuration files."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-142-02
      • Lantronix Device Installer
        "Successful exploitation of this vulnerability could allow an attacker to gain access to the host machine running the Device Installer software."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-142-01

      Vulnerabilities

      • Unpatched Critical Bugs In Versa Concerto Lead To Auth Bypass, RCE
        "Critical vulnerabilities in Versa Concerto that are still unpatched could allow remote attackers to bypass authentication and execute arbitrary code on affected systems. Three security issues, two of them critical, were publicly disclosed by researchers at the vulnerability management firm ProjectDiscovery after reporting them to the vendor and receiving no confirmation of the bugs being addressed. Versa Concerto is the centralized management and orchestration platform for Versa Networks' SD-WAN and SASE (Secure Access Service Edge) solutions."
        https://www.bleepingcomputer.com/news/security/unpatched-critical-bugs-in-versa-concerto-lead-to-auth-bypass-rce/
        https://thehackernews.com/2025/05/unpatched-versa-concerto-flaws-let.html
        https://www.infosecurity-magazine.com/news/critical-zerodays-versa-networks/
      • GitLab, Atlassian Patch High-Severity Vulnerabilities
        "GitLab and Atlassian this week announced the release of patches for over a dozen vulnerabilities across their product portfolios, including multiple high-severity bugs. On Tuesday, Atlassian published eight advisories detailing six high-severity flaws in Bamboo, Confluence, Fisheye/Crucible, and Jira. All security defects were identified in third-party dependencies used by these products. Their exploitation could allow attackers to cause denial of service (DoS) conditions or elevate their privileges on a vulnerable system."
        https://www.securityweek.com/gitlab-atlassian-patch-high-severity-vulnerabilities/
      • Cisco Patches High-Severity DoS, Privilege Escalation Vulnerabilities
        "Cisco on Wednesday published 10 security advisories detailing over a dozen vulnerabilities across its products, including two high-severity flaws in its Identity Services Engine (ISE) and Unified Intelligence Center. The ISE bug, tracked as CVE-2025-20152, impacts the RADIUS message processing feature and could be exploited remotely, without authentication, to cause ISE to reload, leading to a denial of service (DoS) condition."
        https://www.securityweek.com/cisco-patches-high-severity-dos-privilege-escalation-vulnerabilities/
      • CISA Adds One Known Exploited Vulnerability To Catalog
        "CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
        CVE-2025-4632 Samsung MagicINFO 9 Server Path Traversal Vulnerability"
        https://www.cisa.gov/news-events/alerts/2025/05/22/cisa-adds-one-known-exploited-vulnerability-catalog
        https://securityaffairs.com/178194/hacking/cisa-adds-a-samsung-magicinfo-9-server-flaw-known-exploited-vulnerabilities-catalog.html
      • GitLab's AI Assistant Opened Devs To Code Theft
        "An indirect prompt injection flaw in GitLab's artificial intelligence (AI) assistant could have allowed attackers to steal source code, direct victims to malicious websites, and more. "Duo" is a built-in tool that users of the open source (OSS) repository can use to analyze and suggest changes to their code, automate some aspects of writing, testing, and merging code, and other functions, equivalent to GitHub's Copilot. But as researchers from Legit Security recently discovered, Duo wasn't built to be too discerning about what goes in and out of it. Attackers could have manipulated it by sneaking secret prompts into their code, allowing them to perform phishing attacks, drop malware, and exfiltrate sensitive data."
        https://www.darkreading.com/application-security/gitlab-ai-assistant-opened-devs-to-code-theft

      Malware

      • UAT-6382 Exploits Cityworks Zero-Day Vulnerability To Deliver Malware
        "Talos has found intrusions in enterprise networks of local governing bodies in the United States (U.S.), beginning January 2025 when initial exploitation first took place. UAT-6382 successfully exploited CVE-2025-0944, conducted reconnaissance and rapidly deployed a variety of web shells and custom-made malware to maintain long-term access. Upon gaining access, UAT-6382 expressed a clear interest in pivoting to systems related to utilities management."
        https://blog.talosintelligence.com/uat-6382-exploits-cityworks-vulnerability/
        https://www.bleepingcomputer.com/news/security/chinese-hackers-breach-us-local-governments-using-cityworks-zero-day/
        https://thehackernews.com/2025/05/chinese-hackers-exploit-trimble.html
        https://therecord.media/chinese-speaking-hackers-target-municipalities-cityworks
        https://www.theregister.com/2025/05/22/chinese_crew_us_city_utilities/
      • Fake CAPTCHA Attacks Deploy Infostealers And RATs In a Multistage Payload Chain
        "In recent months, there has been a notable surge in fake CAPTCHA cases in Trend Micro™ Managed Detection and Response (MDR) investigations. These fake CAPTCHAs arrive via phishing emails, URL redirection or malvertisement, or SEO poisoning. All observed cases exhibit similar behavior of instructing users to copy and paste a malicious command in the Windows run dialog. The script then uses Microsoft HTML Application Host (mshta) or base64-encoded PowerShell to execute a highly obfuscated command, which, in turn, connects to another site and executes multistage encoded scripts directly to the memory."
        https://www.trendmicro.com/en_us/research/25/e/unmasking-fake-captcha-cases.html
      • Advisory Update On Cyber Threat Activity Targeting Commvault’s SaaS Cloud Application (Metallic)
        "Commvault is monitoring cyber threat activity targeting their applications hosted in their Microsoft Azure cloud environment. Threat actors may have accessed client secrets for Commvault’s (Metallic) Microsoft 365 (M365) backup software-as-a-service (SaaS) solution, hosted in Azure. This provided the threat actors with unauthorized access to Commvault’s customers’ M365 environments that have application secrets stored by Commvault."
        https://www.cisa.gov/news-events/alerts/2025/05/22/advisory-update-cyber-threat-activity-targeting-commvaults-saas-cloud-application-metallic
      • “Anti-Ledger” Malware: The Battle For Ledger Live Seed Phrases
        "Hackers are increasingly exploiting the trust that crypto owners place in cold wallets, turning the very tools meant to secure assets into attack surfaces. The recent ByBit heist has shaken the crypto industry and is unlikely to be the last. However, more low-profile heists are already underway. Since August 2024, Moonlock Lab has been tracking a malware campaign distributing a malicious clone of Ledger Live — a widely used app for managing crypto through Ledger cold wallets. Initially, attackers could use the clone to steal passwords, notes, and wallet details to get a glimpse of the wallet’s assets, but they had no way to extract the funds. Now, within a year, they have learned to steal seed phrases and empty the wallets of their victims."
        https://moonlock.com/anti-ledger-malware
        https://www.bleepingcomputer.com/news/security/hackers-use-fake-ledger-apps-to-steal-mac-users-seed-phrases/
      • China-Nexus Threat Actor Actively Exploiting Ivanti Endpoint Manager Mobile (CVE-2025-4428) Vulnerability
        "On Thursday, May 15, 2025, Ivanti disclosed two critical vulnerabilities - CVE-2025-4427 and CVE-2025-4428 - affecting Ivanti Endpoint Manager Mobile (EPMM) version 12.5.0.0 and earlier. [1] These vulnerabilities can be chained to achieve unauthenticated remote code execution (RCE) on exposed systems. EclecticIQ analysts observed active exploitation of this vulnerability chain in the wild, targeting internet-facing Ivanti EPMM deployments. The earliest observed exploitation activity dates back to May 15, 2025. Targeted organizations span critical sectors including healthcare, telecommunications, aviation, municipal government, finance, and defense across Europe, North America, and the Asia-Pacific region."
        https://blog.eclecticiq.com/china-nexus-threat-actor-actively-exploiting-ivanti-endpoint-manager-mobile-cve-2025-4428-vulnerability
        https://www.bleepingcomputer.com/news/security/ivanti-epmm-flaw-exploited-by-chinese-hackers-to-breach-govt-agencies/
        https://thehackernews.com/2025/05/chinese-hackers-exploit-ivanti-epmm.html
        https://www.theregister.com/2025/05/23/ivanti_chinese_spies_attack/
      • Russia-Aligned TAG-110 Targets Tajikistan With Macro-Enabled Word Templates
        "From January to February 2025, Insikt Group detected a phishing campaign targeting Tajikistan that Insikt Group attributes to TAG-110, a Russia-aligned threat actor that overlaps with UAC-0063 and has been linked to APT28 (BlueDelta) with medium confidence by CERT-UA. In this campaign, TAG-110 leveraged Tajikistan government-themed documents as lure material, consistent with its historical use of trojanized legitimate government documents, though the authenticity of the current samples could not be independently verified."
        https://www.recordedfuture.com/research/russia-aligned-tag-110-targets-tajikistan-with-macro-enabled
        https://go.recordedfuture.com/hubfs/reports/cta-2025-0522.pdf
        https://therecord.media/russia-hackers-target-tajikistan-espionage
        https://www.darkreading.com/threat-intelligence/russian-threat-actor-tag-110-phishing-tajikistan
      • Russian Hacker Group Killnet Returns With New Identity
        "The Russian hacker group Killnet, once known for its noisy pro-Kremlin cyberattacks, has reappeared after months of silence — but not as the group it once was. Earlier this month, Killnet claimed it had hacked Ukraine’s drone-tracking system, providing geolocation data that allegedly helped Russian forces destroy several radar stations. The claim, alongside unverified footage and maps, was heavily promoted by Russian media but remains unconfirmed by independent analysts."
        https://therecord.media/russian-hacker-group-killnet-returns-with-new-identity
      • TikTok Videos Promise Pirated Apps, Deliver Vidar And StealC Infostealers Instead
        "Trend Research has uncovered a novel social engineering campaign using TikTok’s vast user base to distribute information-stealing malware, specifically Vidar and StealC. Unlike the prevalent Fake CAPTCHA campaign — which relies on fake CAPTCHA pages and clipboard hijacking to trick users into running malicious scripts — this new campaign pivots to exploiting the popularity and viral nature of TikTok. Threat actors are now using TikTok videos that are potentially generated using AI-powered tools to socially engineer users into executing PowerShell commands under the guise of guiding them to activate legitimate software or unlock premium features. This campaign highlights how attackers are ready to weaponize whichever social media platforms are currently popular to distribute malware."
        https://www.trendmicro.com/en_us/research/25/e/tiktok-videos-infostealers.html
        https://www.infosecurity-magazine.com/news/ai-tiktok-videos-infostealer/

      Breaches/Hacks/Leaks

      • Sensitive Personal Data Stolen In West Lothian Ransomware Attack
        "West Lothian Council has confirmed that ransomware actors have stolen “personal and sensitive” information stored on its education network. The Scottish local authority said in a May 21 update that it is now in the process of contacting parents and carers at every school in West Lothian to inform them of the breach. It is also offering advice to those impacted, warning them to be vigilant of phishing attacks and changing passwords for online accounts."
        https://www.infosecurity-magazine.com/news/personal-data-stolen-west-lothian/
        https://www.theregister.com/2025/05/22/west_lothian_school_ransomware/
      • Stalkerware Apps Go Dark After Data Breach
        "A stalkerware company that recently leaked millions of users’ personal information online has taken all of its assets offline without any explanation. Now Malwarebytes has learned that the company has taken down other apps too. Back in February, news emerged of a stalkerware app compromise. Reporters at Techcrunch revealed a vulnerability in three such apps: Spyzie, Cocospy, and Spyic. The flaw exposed data from the victim’s devices, rendering their messages, photos, and location data visible to whoever wanted them. It also gave up approximately 3.2 million email addresses entered by the customers that bought and installed these apps on their targets’ devices."
        https://www.malwarebytes.com/blog/news/2025/05/stalkerware-apps-go-dark-after-data-breach
        https://www.darkreading.com/threat-intelligence/following-data-breach-stalkerware-apps-offline
      • Coca-Cola, Bottling Partner Named In Separate Ransomware And Data Breach Claims
        "Coca-Cola and its bottling partner, Coca-Cola Europacific Partners (CCEP), are facing separate cyberattack claims from two distinct threat groups. The Everest ransomware gang says it has breached Coca-Cola’s systems, while another group named Gehenna (aka GHNA) is offering what it claims is a massive database stolen from CCEP’s Salesforce environment."
        https://hackread.com/coca-cola-bottling-partner-ransomware-data-breach/
      • Suspected InfoStealer Malware Data Breach Exposed 184 Million Logins And Passwords
        "The publicly exposed database was not password-protected or encrypted. It contained 184,162,718 unique logins and passwords, totaling a massive 47.42 GB of raw credential data. In a limited sampling of the exposed documents, I saw thousands of files that included emails, usernames, passwords, and the URL links to the login or authorization for the accounts. The database contained login and password credentials for a wide range of services, applications, and accounts, including email providers, Microsoft products, Facebook, Instagram, Snapchat, Roblox, and many more. I also saw credentials for bank and financial accounts, health platforms, and government portals from numerous countries that could put exposed individuals at significant risk."
        https://www.websiteplanet.com/news/infostealer-breach-report/
        https://hackread.com/database-leak-184-million-infostealer-emails-passwords/
      • Marlboro-Chesterfield Pathology Data Breach Impacts 235,000 People
        "Marlboro-Chesterfield Pathology (MCP), a full service anatomic pathology lab in North Carolina, was recently targeted in a ransomware attack that resulted in many personal information records getting stolen. In a data breach notice published on its website, Marlboro-Chesterfield Pathology said it discovered unauthorized activity on some internal IT systems on January 16, 2025. An investigation revealed that the hackers had stolen some files. The compromised data includes personal information such as name, address, date of birth, medical treatment information, and health insurance information. The stolen information varies by individual."
        https://www.securityweek.com/marlboro-chesterfield-pathology-data-breach-impacts-235000-people/
      • Decentralized Crypto Platform Cetus Hit With $223 Million Hack
        "About $223 million was stolen from the Cetus decentralized cryptocurrency exchange in an attack on Thursday morning. The company initially announced an incident early in the day, telling customers on social media they paused the platform for safety reasons and were investigating the issue before confirming later that an attacker had stolen the funds. “We took immediate action to lock our contract preventing further theft of funds,” the company said, adding that $162 million of the compromised funds have been successfully “paused.”"
        https://therecord.media/decentralized-crypto-platform-cetus-theft

      General News

      • Be Careful What You Share With GenAI Tools At Work
        "We use GenAI at work to make tasks easier, but are we aware of the risks? According to Netskope, the average organization now shares more than 7.7GB of data with AI tools per month, and 75% of enterprise users are accessing applications with GenAI features. The fact that 89% of organizations have zero visibility into AI usage reveals a gap in oversight and control. On top of that, 71% of GenAI tools are accessed with personal, non-work accounts. Even when company accounts are used, 58% of logins skip Single Sign-On (SSO). This means security teams have no view of the tools employees use or the information being shared."
        https://www.helpnetsecurity.com/2025/05/22/genai-workplace-risks/
      • The Hidden Gaps In Your Asset Inventory, And How To Close Them
        "In this Help Net Security interview, Tim Grieveson, CSO at ThingsRecon, breaks down the first steps security teams should take to regain visibility, the most common blind spots in asset discovery, and why context should drive risk prioritization."
        https://www.helpnetsecurity.com/2025/05/22/tim-grieveson-thingsrecon-asset-inventory-gaps/
      • CTM360 Report: Ransomware Exploits Trust More Than Tech
        "A recent wave of ransomware attacks has disrupted major retailers across the UK. According to a new report from CTM360, the attackers didn’t need to break down the door, they were invited in through misplaced trust and weak identity safeguards. This wasn’t about advanced malware or zero-day vulnerabilities. The attackers used common tactics: impersonating IT staff, tricking employees into handing over credentials, and intercepting multi-factor authentication codes. From there, they moved across networks."
        https://www.helpnetsecurity.com/2025/05/22/ctm360-report-ransomware-attacks/
      • Taming The Hacker Storm: Why Millions In Cybersecurity Spending Isn’t Enough
        "According to the AV-TEST Institute, more than 450,000 new malicious applications are found every day, illustrating the rapid rate of malware spread. Despite substantial investments in cybersecurity, why are malware and hackers so ubiquitous? Because we cannot stop what we cannot see or identify. With AI-driven deepfakes, attackers can assume anyone’s identity to create convincing impersonations and execute successful attacks. Our inability to discover their true identities has worked in favor of threat actors, enabling them to easily evade arrest."
        https://www.securityweek.com/taming-the-hacker-storm-why-millions-in-cybersecurity-spending-isnt-enough/
      • New Best Practices Guide For Securing AI Data Released
        "Today, CISA, the National Security Agency, the Federal Bureau of Investigation, and international partners released a joint Cybersecurity Information Sheet on AI Data Security: Best Practices for Securing Data Used to Train & Operate AI Systems. This information sheet highlights the critical role of data security in ensuring the accuracy, integrity, and trustworthiness of AI outcomes. It outlines key risks that may arise from data security and integrity issues across all phases of the AI lifecycle, from development and testing to deployment and operation."
        https://www.cisa.gov/news-events/alerts/2025/05/22/new-best-practices-guide-securing-ai-data-released
        https://media.defense.gov/2025/May/22/2003720601/-1/-1/0/CSI_AI_DATA_SECURITY.PDF
      • US Indicts Leader Of Qakbot Botnet Linked To Ransomware Attacks
        "The U.S. government has indicted Russian national Rustam Rafailevich Gallyamov, the leader of the Qakbot botnet malware operation that compromised over 700,000 computers and enabled ransomware attacks. As per court documents, Gallyamov started to develop Qakbot (also known as Qbot and Pinkslipbot) in 2008 and deployed it to create a network of thousands of infected computers. Over time, a team of developers was formed around Qakbot but the indictment notes that other malware was also created under Gallyamov’s leadership."
        https://www.bleepingcomputer.com/news/security/us-indicts-leader-of-qakbot-botnet-linked-to-ransomware-attacks/
        https://therecord.media/doj-charges-man-allegedly-behind-qakbot-malware
        https://www.theregister.com/2025/05/22/qakbot_criminal_mastermind_charged/
      • 270 Arrested In Global Dark Web Crackdown Targeting Online Drug And Criminal Networks
        "A global law enforcement operation coordinated by Europol has struck a major blow to the criminal underground, with 270 arrests of dark web vendors and buyers across ten countries. Known as Operation RapTor, this international sweep has dismantled networks trafficking in drugs, weapons, and counterfeit goods, sending a clear signal to criminals hiding behind the illusion of anonymity."
        https://www.europol.europa.eu/media-press/newsroom/news/270-arrested-in-global-dark-web-crackdown-targeting-online-drug-and-criminal-networks
        https://www.bleepingcomputer.com/news/security/police-arrests-270-dark-web-vendors-buyers-in-global-crackdown/
        https://hackread.com/operation-raptor-police-arrests-270-dark-web-vendors/
      • CrowdStrike Collaborates With U.S. Department Of Justice On DanaBot Takedown
        "Effective collaboration is essential when confronting today's sophisticated cyber adversaries, particularly those operating with state tolerance or direction. At CrowdStrike, we routinely work alongside law enforcement agencies and industry partners to identify, monitor, and mitigate cyber threats. Recently, we provided technical assistance to the U.S. Department of Justice as part of a coordinated effort to disrupt the activities of individuals involved in developing, administering, and operating the DanaBot malware, tracked by CrowdStrike as SCULLY SPIDER."
        https://www.crowdstrike.com/en-us/blog/crowdstrike-partners-with-doj-disrupt-danabot-malware-operators/
        https://www.justice.gov/usao-cdca/pr/16-defendants-federally-charged-connection-danabot-malware-scheme-infected-computers
        https://cyberscoop.com/danabot-malware-botnet-seizure-takedown/
        https://www.bankinfosecurity.com/us-takes-down-danabot-malware-indicts-developers-a-28466
        https://flashpoint.io/blog/operation-endgame-danabot-malware/
        https://www.theregister.com/2025/05/23/300000_machine_danabot_endgame/
      • Blurring Lines Between Scattered Spider & Russian Cybercrime
        "Law enforcement actions in 2024 were supposed to disrupt Scattered Spider. Instead, the notorious cybercrime group re-emerged this year and is trending in a direction that has alarmed some infosec experts. The arrests of several alleged members of Scattered Spider last year, including the group's supposed ringleader, may have led to a temporary dip in malicious activity. But not only have Scattered Spider's high-profile attacks continued this year, but the group has seemingly shifted further into the Russian ransomware ecosystem."
        https://www.darkreading.com/cyberattacks-data-breaches/blurring-lines-scattered-spider-russian-cybercrime
      • Security Threats Of Open Source AI Exposed By DeepSeek
        "With its best-in-class performance and purportedly much lower development costs, DeepSeek's R1 model shocked the global AI community earlier this year and sent Nvidia's stock price tumbling. Thanks to intense media buzz, the hype led many users to rapidly deploy it, breaking records in the process. The AI assistant app, based on DeepSeek-V3 (a similar model), quickly topped the charts for most downloads from the Apple App Store, with 16 million downloads in the first 18 days, compared to nine million downloads of the ChatGPT app from US-based rival Open AI during the same period. It was also the most downloaded free app on Google's app store."
        https://www.darkreading.com/vulnerabilities-threats/security-threats-open-source-ai-deepseek
      • Security Theater Or Real Defense? The KPIs That Tell The Truth
        "A critical step in maturing any cybersecurity program is the ability to measure and report on its performance. Yet measuring cybersecurity remains notoriously difficult, often bordering on impossible, due to an ever-expanding attack surface and overwhelming data volumes."
        https://www.securityweek.com/security-theater-or-real-defense-the-kpis-that-tell-the-truth/

      Reference
      Electronic Transactions Development Agency (ETDA)
