Cyber Threat Intelligence 28 May 2025
Industrial Sector
- Johnson Controls iSTAR Configuration Utility (ICU) Tool
"Successful exploitation of this vulnerability may allow an attacker to gain access to memory leaked from the ICU."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-146-01
Vulnerabilities
- Remote Prompt Injection In GitLab Duo Leads To Source Code Theft
"GitLab Duo, the AI assistant integrated into GitLab and powered by Anthropic’s Claude, is designed to help developers with tasks like code suggestions, security reviews, and merge request analysis. But what if the same AI meant to secure your code could be manipulated into leaking it? That’s exactly what we uncovered: a remote prompt injection vulnerability that allows attackers to steal source code from private projects, manipulate code suggestions shown to other users, and even exfiltrate confidential, undisclosed zero-day vulnerabilities — all through GitLab Duo Chat. In this blog post, we break down how the attack works — from prompt injection to HTML injection — and walk through a real-world end-to-end exploit scenario."
https://www.legitsecurity.com/blog/remote-prompt-injection-in-gitlab-duo
https://www.bankinfosecurity.com/patched-gitlab-duo-flaws-risked-code-leak-malicious-content-a-28499
- NASA’s Software Security Vulnerabilities Found For Fun, Not Profit
"Long time ago, in a galaxy far, far away, fifteen years ago (in 2009), I was a 25-year-old hacker and cofounder of my first cybersecurity startup, Infigo, and had just finished a one-year-long side-project security research collaboration with NASA Goddard Space Flight Center. During the security research I discovered 12 dangerous security vulnerabilities in the Common Data Format (CDF) software library (some of them of critical severity). NASA’s CDF software library (https://cdf.gsfc.nasa.gov/) is, according to its documentation, developed and used by NASA and hundreds of other government agencies, the academic community and various organizations for the purpose (in very simple words) of tracking objects' locations in space."
https://threatleap.com/publications/NASAs-Software-Security-Vulnerabilities-Found-For-Fun-Not-Profit
https://www.helpnetsecurity.com/2025/05/27/nasa-open-source-software-vulnerabilities/
Malware
- DragonForce Actors Target SimpleHelp Vulnerabilities To Attack MSP, Customers
"Sophos MDR recently responded to a targeted attack involving a Managed Service Provider (MSP). In this incident, a threat actor gained access to the MSP’s remote monitoring and management (RMM) tool, SimpleHelp, and then used it to deploy DragonForce ransomware across multiple endpoints. The attackers also exfiltrated sensitive data, leveraging a double extortion tactic to pressure victims into paying the ransom."
https://news.sophos.com/en-us/2025/05/27/dragonforce-actors-target-simplehelp-vulnerabilities-to-attack-msp-customers/
https://www.bleepingcomputer.com/news/security/dragonforce-ransomware-abuses-simplehelp-in-msp-supply-chain-attack/
https://www.darkreading.com/application-security/dragonforce-ransomware-msp-supply-chain-attack
https://www.infosecurity-magazine.com/news/dragonforce-ransomware-msp-attack/
https://www.securityweek.com/dragonforce-ransomware-hackers-exploiting-simplehelp-vulnerabilities/
https://securityaffairs.com/178350/cyber-crime/dragonforce-operator-chained-simplehelp-flaws-to-target-an-msp.html
- Russian Laundry Bear Cyberspies Linked To Dutch Police Hack
"A previously unknown Russian-backed cyberespionage group tracked as Laundry Bear has been linked to a September 2024 Dutch police security breach. As the Dutch national police (Politie) revealed last year, the attackers stole work-related contact information of multiple officers, including names, email addresses, phone numbers, and, in some cases, private details. The Netherlands General Intelligence and Security Service (AIVD) and the Netherlands Defence Intelligence and Security Service (MIVD) on Tuesday linked Laundry Bear to this breach in a joint advisory issued on Tuesday, warning that it is highly probable that these Russian hackers also breached other Dutch organizations."
https://www.bleepingcomputer.com/news/security/russian-void-blizzard-cyberspies-linked-to-dutch-police-breach/
https://www.aivd.nl/binaries/aivd_nl/documenten/publicaties/2025/05/27/aivd-en-mivd-onderkennen-nieuwe-russische-cyberactor/Advisory+AIVD+en+MIVD+Public+report+on+new+cyber+actor.pdf
https://therecord.media/laundry-bear-void-blizzard-russia-hackers-netherlands
https://www.bankinfosecurity.com/nato-countries-targeted-by-new-russian-espionage-group-a-28492
https://cyberscoop.com/laundry-bear-void-blizzard-russia-apt/
https://www.securityweek.com/dutch-intelligence-agencies-say-russian-hackers-stole-police-data-in-cyberattack/
https://securityaffairs.com/178338/apt/russia-linked-apt-laundry-bear-linked-to-2024-dutch-police-attack.html
https://www.theregister.com/2025/05/27/new_russian_cyberspy_crew_laundry_bear/
- New Russia-Affiliated Actor Void Blizzard Targets Critical Sectors For Espionage
"Void Blizzard is a new threat actor Microsoft Threat Intelligence has observed conducting espionage operations primarily targeting organizations that are important to Russian government objectives. These include organizations in government, defense, transportation, media, NGOs, and healthcare, especially in Europe and North America. They often use stolen sign-in details that they likely buy from online marketplaces to gain access to organizations. Once inside, they steal large amounts of emails and files. In April 2025, Microsoft Threat Intelligence observed Void Blizzard begin using more direct methods to steal passwords, such as sending fake emails designed to trick people into giving away their login information."
https://www.microsoft.com/en-us/security/blog/2025/05/27/new-russia-affiliated-actor-void-blizzard-targets-critical-sectors-for-espionage/
https://thehackernews.com/2025/05/russian-hackers-breach-20-ngos-using.html
https://www.securityweek.com/russian-government-hackers-caught-buying-passwords-from-cybercriminals/
https://www.helpnetsecurity.com/2025/05/27/microsoft-dutch-security-agencies-lift-veil-on-laundry-bear-void-blizzard-cyber-espionage-group/
- Text-To-Malware: How Cybercriminals Weaponize Fake AI-Themed Websites
"Since November 2024, Mandiant Threat Defense has been investigating an UNC6032 campaign that weaponizes the interest around AI tools, in particular those tools which can be used to generate videos based on user prompts. UNC6032 utilizes fake “AI video generator” websites to distribute malware leading to the deployment of payloads such as Python-based infostealers and several backdoors. Victims are typically directed to these fake websites via malicious social media ads that masquerade as legitimate AI video generator tools like Luma AI, Canva Dream Lab, and Kling AI, among others."
https://cloud.google.com/blog/topics/threat-intelligence/cybercriminals-weaponize-fake-ai-websites/
https://www.bankinfosecurity.com/fake-ai-tools-lure-users-in-year-long-malware-campaign-a-28494
https://cyberscoop.com/ai-video-generator-malware-mandiant-unc5032-vietnam/
https://www.theregister.com/2025/05/27/fake_social_media_ads_ai_tool/
- Infostealer Malware FormBook Spread Via Phishing Campaign – Part II
"This is part II of the FormBook analysis blog. In the previous post (Part I), I covered the campaign’s initialization via a phishing email, the CVE-2017-11882 vulnerability it exploited to execute an extracted 64-bit DLL, and the download and decryption of a FormBook variant hidden in a fake PNG file. Finally, I elaborated on how the 64-bit DLL mapped the FormBook payload in a target process (ImagingDevices.exe) and executed it using the process hollowing technique."
https://www.fortinet.com/blog/threat-research/infostealer-malware-formbook-spread-via-phishing-campaign
- Threat Spotlight: Hijacked Routers And Fake Searches Fueling Payroll Heist
"In May 2025, ReliaQuest uncovered a unique search engine optimization (SEO) poisoning attack that led to payroll fraud affecting a customer in the manufacturing sector. SEO poisoning is a highly deceptive tactic where attackers create fake authentication portals mimicking legitimate organizations. The malicious sites rank at the top of search results, tricking employees into unknowingly handing over their credentials. In this attack, the adversary specifically targeted employee mobile devices with a fake website impersonating the organization’s login page. Armed with stolen credentials, the adversary gained access to the organization’s payroll portal, changed direct deposit information, and redirected employees’ paychecks into their own accounts."
https://reliaquest.com/blog/threat-spotlight-payroll-fraud-attackers-stealing-paychecks-seo-poisoning/
https://thehackernews.com/2025/05/employees-searching-payroll-portals-on.html
- China Accuses Taiwan-Linked Group Of Cyberattack On Local Tech Company
"Chinese authorities have accused a hacker group allegedly backed by Taiwan of carrying out a cyberattack on a local technology company and targeting sensitive infrastructure across the mainland, state media reported. According to police in Guangzhou, the group — allegedly linked to Taiwan’s ruling Democratic Progressive Party (DPP) — has targeted more than 1,000 key networks in over 10 Chinese provinces, including military, energy, transportation and government systems. Authorities said the campaign involved large-scale espionage efforts, crude hacking tools and a range of low-sophistication tactics such as phishing emails, exploitation of known software vulnerabilities and brute-force password attacks."
https://therecord.media/china-accuses-taiwan-linked-group-of-cyberattacks
- Earth Lamia Develops Custom Arsenal To Target Multiple Industries
"We have been tracking an active intrusion set that primarily targets organizations located in countries including Brazil, India, and Southeast Asia since 2023. The threat actor mainly targets the SQL injection vulnerabilities discovered on web applications to access the SQL servers of targeted organizations. The actor also takes advantage of various known vulnerabilities to exploit public-facing servers. Research reports have also mentioned their aggressive operations, including REF0657, STAC6451, and CL-STA-0048. Evidence we collected during our research indicates this group is a China-nexus intrusion set, which we now track as Earth Lamia."
https://www.trendmicro.com/en_us/research/25/e/earth-lamia.html
- Malicious Attack Method On Hosted ML Models Now Targets PyPI
"Artificial intelligence (AI) and machine learning (ML) are now inextricably linked to the software supply chain. ML models, which are based on large language models (LLMs), are powering the enterprise — and offer an infinite number of solutions to organizations’ mission-critical needs. The widespread and increasing use of generative AI tools like OpenAI’s ChatGPT, in addition to developer community resources like Hugging Face – a platform dedicated to collaboration and sharing of ML projects – show how software, coding and AI/ML are now one and the same."
https://www.reversinglabs.com/blog/malicious-attack-method-on-hosted-ml-models-now-targets-pypi
https://www.infosecurity-magazine.com/news/malicious-machine-learning-model/
Breaches/Hacks/Leaks
- Adidas Warns Of Data Breach After Customer Service Provider Hack
"German sportswear giant Adidas disclosed a data breach after attackers hacked a customer service provider and stole some customers' data. "adidas recently became aware that an unauthorized external party obtained certain consumer data through a third-party customer service provider," the company said. "We immediately took steps to contain the incident and launched a comprehensive investigation, collaborating with leading information security experts.""
https://www.bleepingcomputer.com/news/security/adidas-warns-of-data-breach-after-customer-service-provider-hack/
https://www.darkreading.com/vulnerabilities-threats/adidas-victim-third-party-data-breach
https://hackread.com/adidas-confirms-cyber-attack-customer-data-stolen/
https://www.theregister.com/2025/05/27/adidas_confirms_data_theft/
- MATLAB Dev Confirms Ransomware Attack Behind Service Outage
"MathWorks, a leading developer of mathematical computing and simulation software, has revealed that a recent ransomware attack is behind an ongoing service outage. Headquartered in Natick, Massachusetts, and founded in 1984, MathWorks now has over 6,500 employees in 34 offices worldwide. MathWorks develops the MATLAB numeric computing platform and the Simulink simulation, which are used by over 100,000 organizations and over 5 million customers. "MathWorks experienced a ransomware attack. We have notified federal law enforcement of this matter. The attack affected our IT systems," the company disclosed in an incident report published on its official status page."
https://www.bleepingcomputer.com/news/security/mathworks-blames-ransomware-attack-for-ongoing-outages/
https://www.darkreading.com/vulnerabilities-threats/mathworks-confirms-ransomware-attack
https://therecord.media/matlab-developer-bringing-systems-online-ransomware
https://www.theregister.com/2025/05/27/mathworks_ransomware_attack_leaves_ondeadline/
- Nearly 70,000 Impacted By Ransomware Attack On Sheboygan, Wisconsin
"The Wisconsin city of Sheboygan warned about 67,000 people that a ransomware attack in October gave hackers access to their personal information. The city filed breach notification letters with regulators on Friday explaining that Social Security numbers, state IDs and license plate numbers were taken when hackers breached the city’s systems on October 31, 2024. Officials in Sheboygan hired a cybersecurity firm to conduct an investigation that concluded on May 14 and confirmed that data was stolen."
https://therecord.media/ransomware-sheboygan-breach-notice
General News
- Why App Modernization Can Leave You Less Secure
"Enterprises typically “modernize” access patterns for an application by enabling industry standard protocols like OIDC or SAML to provide single sign-on (SSO) for legacy apps via a cloud identity provider (IDP). That’s a major step towards better user experience, improved credential hygiene, and centralized authentication, but it is not enough. Most modernization projects stop at the authentication layer, believing that identity transformation is complete once SAML or OIDC is wired up. What’s often overlooked is one of the most critical components of application security: session management."
https://www.helpnetsecurity.com/2025/05/27/application-identity-modernization-risks/
- How AI Agents Reshape Industrial Automation And Risk Management
"In this Help Net Security interview, Michael Metzler, Vice President Horizontal Management Cybersecurity for Digital Industries at Siemens, discusses the cybersecurity implications of deploying AI agents in industrial environments. He talks about the risks that come with AI agents making semi-autonomous decisions, and why a layered security approach like Defense-in-Depth is key to keeping industrial systems safe."
https://www.helpnetsecurity.com/2025/05/27/michael-metzler-siemens-ai-agents-industrial-environments/
- How Well Do You Know Your Remote IT Worker?
"Is the remote IT worker you recently hired really who he says he is? Fake IT workers are slipping into companies around the world, gaining access to sensitive data. Recently, more of these schemes have been linked to North Korea. They don’t just steal crypto or deliver malware. Now, they log into your systems as employees. This is no longer just a cybersecurity issue, it’s a growing geopolitical threat."
https://www.helpnetsecurity.com/2025/05/27/fake-it-workers-cybersecurity-threat/
- 4.5% Of Breaches Now Extend To Fourth Parties
"Security teams can no longer afford to treat third-party security as a compliance checkbox, according to SecurityScorecard. Traditional vendor risk assessments, conducted annually or quarterly, are too slow to detect active threats. 35.5% of all breaches in 2024 were third-party related, a 6.5% increase from 2023. This figure is likely conservative due to underreporting and misclassification. So while you’re updating your firewall rules, somewhere in your supply chain a vendor might be inadvertently letting in the very attackers you’ve been working to keep out."
https://www.helpnetsecurity.com/2025/05/27/third-party-breaches-increase/
- New Guidance For SIEM And SOAR Implementation
"Today, CISA, in collaboration with the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) and other international and U.S. partners, released new guidance for organizations seeking to procure Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR) platforms."
https://www.cisa.gov/news-events/alerts/2025/05/27/new-guidance-siem-and-soar-implementation
https://www.cisa.gov/resources-tools/resources/guidance-siem-and-soar-implementation
https://www.infosecurity-magazine.com/news/governments-prioritize-siem-soar/
- Iranian Man Pleaded Guilty To Role In Robbinhood Ransomware
"An Iranian national pleaded guilty today to participating in an international ransomware and extortion scheme involving the Robbinhood ransomware. According to court documents and statements made in court, Sina Gholinejad, 37, and his co-conspirators compromised the computer networks of cities, corporations, health care organizations, and other entities around the United States, and encrypted files on these victim networks with the Robbinhood ransomware variant to extort ransom payments. These cyber attacks caused significant disruptions and tens of millions in losses, including to the City of Greenville, North Carolina, and the City of Baltimore, Maryland."
https://www.justice.gov/opa/pr/iranian-man-pleaded-guilty-role-robbinhood-ransomware
https://www.bleepingcomputer.com/news/security/iranian-pleads-guilty-to-robbinhood-ransomware-attacks-faces-30-years/
https://therecord.media/iranian-years-decades-guilty-ransomware
https://www.bankinfosecurity.com/robbinhood-ransomware-hacker-pleads-guilty-in-us-court-a-28498
https://cyberscoop.com/iranian-man-pleads-guilty-in-robbinhood-ransomware-scheme/
https://www.securityweek.com/iranian-man-pleads-guilty-to-role-in-baltimore-ransomware-attack/
- How The New Hacker Millionaire Class Was Built
"HackerOne recently announced that over the past six years, the bug bounty platform has minted 50 fresh million-dollar bounty hunters by providing them an easily accessible platform to help companies ferret out security vulnerabilities in software, for big cash payouts. But it wasn't always this easy to make a whole hustle out of ethical hacking. There's been a shift in the culture, from "fringe activity to financially viable profession," according to HackerOne. That change didn't happen by chance. It was intentionally crafted by the will of infosec's earliest pioneers."
Priority: 3 - Important
Relevance: General
https://www.darkreading.com/remote-workforce/hacker-millionaire-class-built
- CVE Uncertainty Underlines Importance Of Cyber Resilience
"The tumult triggered by news that MITRE funding to support the Common Vulnerabilities and Exposures (CVE) program was at risk has been a wake-up call for the security community. However, this evolving, active, fragile ecosystem has never been simple; challenges to its operation have persisted for quite some time. In 2024, a record-breaking 40,009 CVEs were published. That's a 38% increase from 2023. According to the National Institute of Standards and Technology (NIST), the surge in CVEs and the lack of support contributed to a backlog in processing new CVEs beginning in February 2024. As a result, some CVEs aren't enriched with the necessary context to enable prioritization and response."
https://www.darkreading.com/vulnerabilities-threats/cve-uncertainty-underlines-importance-cyber-resilience
- Why Quiet Expertise No Longer Wins Cybersecurity Clients
"There’s a graveyard of brilliant cybersecurity companies that no one has ever heard of. These firms had incredible technical talent, were able to spot vulnerabilities others missed, and poured blood, sweat, and tears into building elegant solutions to complex problems. In other words, they knew their stuff. And yet, they failed. Meanwhile, there are plenty of companies out there with decent but not amazing technology that are thriving, growing, and still gathering plenty of investment. So what is happening here?"
https://hackread.com/why-quiet-expertise-no-win-cybersecurity-clients/
References
Electronic Transactions Development Agency (ETDA)