NCSA Webboard

    Cyber Threat Intelligence 02 June 2025

    Cyber Security News
    • Posted by NCSA_THAICERT (last edited by NCSA_THAICERT)

      Vulnerabilities

      • Don't Call That "Protected" Method: Dissecting An N-Day vBulletin RCE
        "vBulletin is one of the most widely used commercial forum solutions over the Internet, powering thousands of online communities ranging from niche hobbyist sites to large-scale tech forums. Developed primarily in PHP, it features a custom MVC-like framework and a proprietary API system designed to handle AJAX and mobile app interactions. Over the years, vBulletin has gained a reputation for both its ubiquity and its vulnerability surface — often becoming a prime target for web application exploits."
        https://karmainsecurity.com/dont-call-that-protected-method-vbulletin-rce
        https://www.bleepingcomputer.com/news/security/hackers-are-exploiting-critical-flaw-in-vbulletin-forum-software/
        https://securityaffairs.com/178481/security/two-flaws-in-vbulletin-forum-software-are-under-attack.html
      • Cisco IOS XE WLC Arbitrary File Upload Vulnerability (CVE-2025-20188) Analysis
        "A recent Cisco disclosure detailed a vulnerability affecting Cisco IOS XE Wireless Controller Software version 17.12.03 and earlier. The issue was described as an unauthenticated arbitrary file upload, caused by the presence of a hard-coded JSON Web Token (JWT). Cisco IOS XE Wireless LAN Controller (WLC) is a widely deployed enterprise-grade solution used to manage and control large-scale wireless networks. Integrated into Cisco’s IOS XE operating system, it provides centralized management, policy enforcement, and seamless mobility for wireless access points across campus and branch environments."
        https://horizon3.ai/attack-research/attack-blogs/cisco-ios-xe-wlc-arbitrary-file-upload-vulnerability-cve-2025-20188-analysis/
        https://www.bleepingcomputer.com/news/security/exploit-details-for-max-severity-cisco-ios-xe-flaw-now-public/
      • Qualys TRU Discovers Two Local Information Disclosure Vulnerabilities In Apport And Systemd-Coredump: CVE-2025-5054 And CVE-2025-4598
        "The Qualys Threat Research Unit (TRU) has discovered two local information-disclosure vulnerabilities in Apport and systemd-coredump. Both issues are race-condition vulnerabilities. The first (CVE-2025-5054) affects Ubuntu’s core-dump handler, Apport, and the second (CVE-2025-4598) targets systemd-coredump, which is the default core-dump handler on Red Hat Enterprise Linux 9 and the recently released 10, as well as on Fedora. These race conditions allow a local attacker to exploit a SUID program and gain read access to the resulting core dump."
        https://blog.qualys.com/vulnerabilities-threat-research/2025/05/29/qualys-tru-discovers-two-local-information-disclosure-vulnerabilities-in-apport-and-systemd-coredump-cve-2025-5054-and-cve-2025-4598
        https://thehackernews.com/2025/05/new-linux-flaws-allow-password-hash.html
        https://www.bankinfosecurity.com/linux-crash-dump-flaws-expose-passwords-encryption-keys-a-28560
        https://securityaffairs.com/178464/hacking/two-linux-flaws-can-lead-to-the-disclosure-of-sensitive-data.html
      • Linux Zero-Day Vulnerability Discovered Using Frontier AI
        "A vulnerability researcher said large language models have taken a big step forward in their ability to help chase down code flaws. Veteran London-based bug hunter Sean Heelan said he's been reviewing frontier artificial intelligence models to see if they've got the chops to spot vulnerabilities, and found success in using OpenAI's o3 model, released in April. It discovered CVE-2025-37899, a remotely exploitable zero-day vulnerability in the Linux kernel's server message block protocol, a network communication protocol for sharing files, printers and other resources on a network."
        https://www.bankinfosecurity.com/linux-zero-day-vulnerability-discovered-using-frontier-ai-a-28559
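
      The Cisco IOS XE WLC item above describes an unauthenticated upload path reachable because of a hard-coded JWT. The following is an added example of that flaw class, not Cisco's code and not derived from the Horizon3 write-up: a token verifier that silently falls back to a constant secret when the provisioned key file is missing, beside a verifier that fails closed. The HS256 layout, the FALLBACK_SECRET value, the key-file paths and the "role" claim are all assumptions made for the demonstration.

```python
"""Vulnerable JWT verifier (hard-coded fallback secret) beside a fail-closed one.

Added example for the hard-coded-JWT flaw class described for CVE-2025-20188;
it is not Cisco's code. The HS256 token layout, the FALLBACK_SECRET value, the
key-file paths and the "role" claim are all assumptions for the demonstration.
"""
import base64
import hashlib
import hmac
import json
import os
import secrets
import tempfile
import time
from typing import Callable, Optional

FALLBACK_SECRET = b"placeholder-secret"  # assumed: a constant left in shipped code


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Issue header.payload.signature with HMAC-SHA256 over the first two parts."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_hs256(token: str, secret: bytes) -> Optional[dict]:
    """Return the claims if signature and expiry check out, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        header = json.loads(b64url_decode(parts[0]))
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None  # refuse "none" and algorithm confusion
        expected = hmac.new(secret, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(parts[2])):
            return None
        claims = json.loads(b64url_decode(parts[1]))
    except (ValueError, TypeError):  # malformed base64 or JSON
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= time.time():
        return None
    return claims


def load_secret_vulnerable(path: str) -> bytes:
    """Vulnerable: a missing key file silently becomes a constant that anyone
    holding a copy of the software can read, so anyone can mint valid tokens."""
    try:
        with open(path, "rb") as f:
            return f.read().strip()
    except FileNotFoundError:
        return FALLBACK_SECRET


def load_secret_hardened(path: str) -> bytes:
    """Hardened: fail closed. A missing or weak key means no token verifies."""
    with open(path, "rb") as f:  # FileNotFoundError propagates to the caller
        key = f.read().strip()
    if len(key) < 32:
        raise ValueError("JWT secret shorter than 256 bits")
    return key


def authorize_upload(token: str, load_secret: Callable[[str], bytes], key_path: str) -> bool:
    """The decision an upload endpoint would make: admin claims in a valid token."""
    try:
        secret = load_secret(key_path)
    except (OSError, ValueError):
        return False
    claims = verify_hs256(token, secret)
    return claims is not None and claims.get("role") == "admin"


def demo() -> dict:
    """Exercise both loaders against a missing and a provisioned key file."""
    tmp = tempfile.mkdtemp()
    missing = os.path.join(tmp, "jwt.key")  # deliberately never written
    provisioned = os.path.join(tmp, "provisioned.key")
    real_secret = secrets.token_hex(32).encode()  # 64 hex chars, no whitespace to strip
    with open(provisioned, "wb") as f:
        f.write(real_secret)
    exp = int(time.time()) + 600
    forged = sign_hs256({"sub": "attacker", "role": "admin", "exp": exp}, FALLBACK_SECRET)
    legit = sign_hs256({"sub": "operator", "role": "admin", "exp": exp}, real_secret)
    return {
        "forged_accepted_by_vulnerable_when_key_missing": authorize_upload(forged, load_secret_vulnerable, missing),
        "forged_accepted_by_hardened_when_key_missing": authorize_upload(forged, load_secret_hardened, missing),
        "forged_accepted_by_vulnerable_when_key_present": authorize_upload(forged, load_secret_vulnerable, provisioned),
        "legit_accepted_by_hardened_when_key_present": authorize_upload(legit, load_secret_hardened, provisioned),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

      The point of the demo is that the vulnerable loader is indistinguishable from the hardened one as long as the key file is present; the forged token only verifies in the deployment state where provisioning failed, which is exactly the state a hard-coded fallback is written to paper over. Auditing for this class means grepping for string literals handed to the HMAC function and for try/except branches around key loading, not only for the literal "secret".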
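
      For the Apport / systemd-coredump item, the setting that decides whether a crashed setuid program can produce a core at all is the fs.suid_dumpable sysctl, and Qualys' advisory recommends setting it to 0 as a mitigation. The following is an added audit script, not Qualys' tooling: it parses the sysctl value and a coredump.conf and reports what is exposed. The two coredump.conf samples are constructed, and treating Storage=none / ProcessSizeMax=0 as defence in depth is this example's assumption rather than something the page states.

```python
"""Audit the settings that decide whether a crashed setuid program can leave a
readable core dump behind. Added example for the Apport / systemd-coredump race
conditions (CVE-2025-5054, CVE-2025-4598); it is not Qualys' tooling.

fs.suid_dumpable semantics (kernel Documentation/admin-guide/sysctl/fs.rst):
  0 - processes that changed privilege (setuid, capabilities) are never dumped
  1 - they are dumped like any other process, readable by the invoking user
  2 - dumped only to a root-owned file or a pipe handler such as Apport or
      systemd-coredump; both handlers configure this mode by default, and it is
      the mode the race conditions abuse.
"""
import configparser
from dataclasses import dataclass
from pathlib import Path
from typing import List, Optional

# Constructed sample of /etc/systemd/coredump.conf as shipped: defaults commented out.
WEAK_CONF = """\
[Coredump]
#Storage=external
#Compress=yes
#ProcessSizeMax=2G
#ExternalSizeMax=2G
"""

# Constructed hardened variant: nothing written to disk, nothing processed.
HARDENED_CONF = """\
[Coredump]
Storage=none
ProcessSizeMax=0
"""


@dataclass(frozen=True)
class Finding:
    severity: str  # "low" | "medium" | "high"
    setting: str
    message: str


def parse_suid_dumpable(text: str) -> int:
    """Parse the content of /proc/sys/fs/suid_dumpable ("0\\n", "2\\n", ...)."""
    value = int(text.strip())
    if value not in (0, 1, 2):
        raise ValueError(f"unexpected fs.suid_dumpable value {value!r}")
    return value


def assess_suid_dumpable(value: int) -> List[Finding]:
    if value == 0:
        return []
    if value == 1:
        return [Finding("high", "fs.suid_dumpable",
                        "1: setuid cores are written as ordinary user-readable files")]
    return [Finding("high", "fs.suid_dumpable",
                    "2: setuid cores are handed to the crash handler; on an unpatched "
                    "handler set fs.suid_dumpable=0 to remove the race target")]


def parse_coredump_conf(text: str) -> dict:
    """Return the effective [Coredump] keys. The format is INI-like, keys are
    case-sensitive and a later assignment of the same key wins."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep systemd's case-sensitive key names
    cp.read_string(text)
    return dict(cp["Coredump"]) if cp.has_section("Coredump") else {}


def assess_coredump_conf(text: str) -> List[Finding]:
    keys = parse_coredump_conf(text)
    findings: List[Finding] = []
    storage = keys.get("Storage", "external")  # documented default
    if storage != "none":
        findings.append(Finding("medium", "Storage",
                                f"{storage}: systemd-coredump writes core files to disk; Storage=none stops that"))
    size = keys.get("ProcessSizeMax", "2G")  # documented default
    if size != "0":
        findings.append(Finding("low", "ProcessSizeMax",
                                f"{size}: cores up to this size are still processed; ProcessSizeMax=0 disables processing"))
    return findings


def audit(suid_dumpable_text: str, coredump_conf_text: Optional[str]) -> List[Finding]:
    """Combine both checks; coredump.conf is optional (Apport hosts may not have one)."""
    findings = assess_suid_dumpable(parse_suid_dumpable(suid_dumpable_text))
    if coredump_conf_text is not None:
        findings += assess_coredump_conf(coredump_conf_text)
    return findings


def audit_live_host() -> List[Finding]:
    """Read the real files when present (Linux only); otherwise report nothing."""
    sysctl = Path("/proc/sys/fs/suid_dumpable")
    conf = Path("/etc/systemd/coredump.conf")
    if not sysctl.exists():
        return []
    return audit(sysctl.read_text(), conf.read_text() if conf.exists() else None)


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit("2\n", text))
    print("live host:", audit_live_host())
```

      Running the script on a host that ships Apport or systemd-coredump will normally report fs.suid_dumpable=2, which is the expected default and not in itself a misconfiguration; it becomes the finding to act on only while the handler is unpatched. Note that systemd also reads drop-ins from /etc/systemd/coredump.conf.d/, which this example does not merge.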

      Malware

      • Analysis Of T-Rex CoinMiner Attacks Targeting Internet Cafés In Korea
        "AhnLab SEcurity intelligence Center (ASEC) has recently identified cases of attacks installing CoinMiners in Korean Internet cafés. The threat actor is believed to have been active since 2022, and the attacks against Internet cafés have been occurring since the second half of 2024. The method of initial access is unknown, and most attacks targeted systems with Internet café management programs installed. The attackers used Gh0st RAT to gain control over infected systems. Most of the identified malware are either Gh0st RAT or droppers that install it. The threat actor also used malware to patch the memory of the management software, and downloaders to download these malware."
        https://asec.ahnlab.com/en/88245/
      • Mysterious Leaker GangExposed Outs Conti Kingpins In Massive Ransomware Data Dump
        "A mystery whistleblower calling himself GangExposed has exposed key figures behind the Conti and Trickbot ransomware crews, publishing a trove of internal files and naming names. The leaks include thousands of chat logs, personal videos, and ransom negotiations tied to some of the most notorious cyber-extortion gangs — believed to have raked in billions from companies, hospitals, and individuals worldwide."
        https://www.theregister.com/2025/05/31/gangexposed_coni_ransomware_leaks/
      • Germany Doxxes Conti Ransomware And TrickBot Ring Leader
        "The Federal Criminal Police Office of Germany (Bundeskriminalamt or BKA) claims that Stern, the leader of the Trickbot and Conti cybercrime gangs, is a 36-year-old Russian named Vitaly Nikolaevich Kovalev. "The subject is suspected of having been the founder of the 'Trickbot' group, also known as 'Wizard Spider,'" BKA said last week [English PDF], after another round of seizures and charges as part of Operation Endgame, a joint global law enforcement action targeting malware infrastructure and the threat actors behind it. "The group used the Trickbot malware as well as other malware variants such as Bazarloader, SystemBC, IcedID, Ryuk, Conti and Diavol.""
        https://www.bleepingcomputer.com/news/security/germany-doxxes-conti-ransomware-and-trickbot-ring-leader/
        https://www.bka.de/DE/IhreSicherheit/Fahndungen/Personen/BekanntePersonen/Endgame_2/KVN/Englisch.pdf?__blob=publicationFile&v=1
      • Interlock Ransomware: What You Need To Know
        "Interlock is a relatively new strain of ransomware that first emerged in late 2024. Unlike many other ransomware families it not only targets Windows PCs, but also systems running FreeBSD. If you are impacted, you will find that your files have not only been encrypted but have also had ".interlock" appended to their filenames. For example, a file named report.xlsx would become report.xlsx.interlock, visibly signaling that it has been encrypted by Interlock."
        https://www.tripwire.com/state-of-security/interlock-ransomware-what-you-need-know
      • A Flyby On The CFO's Inbox: Spear-Phishing Campaign Targeting Financial Executives With NetBird Deployment
        "On May 15th, Trellix's email security products alerted on a highly targeted spear-phishing operation aimed at CFOs and finance executives at banks, energy companies, insurers, and investment firms across Europe, Africa, Canada, the Middle East, and South Asia. In what appears to be a multi-stage phishing operation, the attackers aimed to deploy NetBird, a legitimate WireGuard-based remote-access tool, on the victim's computer. In recent years, adversaries have increasingly relied on remote-access applications like this to establish persistence and further their way into the victim's network. The initial call-to-action URL in the email is blocked by Trellix’s URL defense engine because of suspicious captcha behaviour rules."
        https://www.trellix.com/blogs/research/cfo-spear-phishing-netbird-attack/
        https://www.securityweek.com/firebase-google-apps-script-abused-in-fresh-phishing-campaigns/
      • Chasing Eddies: New Rust-Based InfoStealer Used In CAPTCHA Campaigns
        "Elastic Security Labs has uncovered a novel Rust-based infostealer distributed via Fake CAPTCHA campaigns. This malware is hosted on multiple adversary-controlled web properties. This campaign leverages deceptive CAPTCHA verification pages that trick users into executing a malicious PowerShell script, which ultimately deploys the infostealer, harvesting sensitive data such as credentials, browser information, and cryptocurrency wallet details. We are calling this malware EDDIESTEALER."
        https://www.elastic.co/security-labs/eddiestealer
        https://thehackernews.com/2025/05/eddiestealer-malware-uses-clickfix.html
      • DDoS Incident Disrupts Internet For Thousands In Moscow
        "Tens of thousands of people in Moscow and nearby areas lost internet access for several days after a major DDoS attack targeted the Russian provider ASVT — an incident the company called one of the most severe of the year. The attack, first detected on Tuesday, continued into Friday, disrupting ASVT’s mobile app, website and customer accounts. The provider serves mainly large residential complexes, where residents reported being unable to work remotely, pay at local shops using card terminals, or access their buildings due to disabled internet-based intercom systems."
        https://therecord.media/moscow-internet-provider-asvt-ddos-attack
      • PureHVNC RAT Using Fake High-Level Job Offers From Fashion And Beauty Brands
        "In recent months, the Netskope Threat Labs team has observed several different campaigns delivering the PureHVNC RAT and its plugins. In 2024, the same malware was observed being delivered via a Python chain, and a few days ago, it was also observed using genAI sites to lure victims. In this blog post, we’ll describe an infection chain using different methods to lure the victim and successfully deliver the PureHVNC RAT."
        https://www.netskope.com/blog/purehvnc-rat-using-fake-high-level-job-offers-from-fashion-and-beauty-brands

      Breaches/Hacks/Leaks

      • Threat Actor Claims TikTok Breach, Puts 428 Million Records Up For Sale
        "Alleged TikTok Breach: Threat actor “Often9” claims to sell 428M user records, including emails, phones, and account details on dark web forum. TikTok is investigating!"
        https://hackread.com/threat-actor-tiktok-breach-428-million-records-sale/

      General News

      • Police Takes Down AVCheck Site Used By Cybercriminals To Scan Malware
        "An international law enforcement operation has taken down AVCheck, a service used by cybercriminals to test whether their malware is detected by commercial antivirus software before deploying it in the wild. The service's official domain at avcheck.net now displays a seizure banner with the crests of the U.S. Department of Justice, the FBI, the U.S. Secret Service, and the Dutch police (Politie). According to an announcement on the Politie website, AVCheck was one of the largest counter antivirus (CAV) services internationally, which helped cybercriminals assess the stealthiness and evasion of their malware."
        https://www.bleepingcomputer.com/news/security/police-takes-down-avcheck-antivirus-site-used-by-cybercriminals/
        https://www.justice.gov/usao-sdtx/pr/websites-selling-hacking-tools-cybercriminals-seized
        https://thehackernews.com/2025/05/us-doj-seizes-4-domains-supporting.html
        https://cyberscoop.com/avcheck-global-takedown/
      • CISO Stature Rises, But Security Budgets Remain Tight
        "Chief information security officers (CISOs) are being paid better than ever, more likely to be an executive — or report directly to an executive — and have expanding responsibilities. Yet tight security budgets continue to be a major challenge. Overall, the top cybersecurity professional is doing well at large companies and has proven their value but continually has to work to link security to business opportunities rather than costs, according to two surveys published this week."
        https://www.darkreading.com/cybersecurity-operations/ciso-stature-rises-budgets-tight
        https://www.iansresearch.com/ciso-comp-survey
      • From Code Red To Rust: Microsoft's Security Journey
        "Microsoft is reflecting back on security lessons learned over the past 25 years. As one of the most targeted digital estates in the world, the company sees threats against its products up close every single day. Cyberattacks in the early 2000s, such as Code Red and SQL Slammer, resulted in Microsoft prioritizing security in the Windows operating system and codebase. And a whole category of trivial memory corruption bugs has been eradicated, said Michael Howard, a senior director on Microsoft's Red Team, during Microsoft's Build developer conference last week. Secure coding initiatives have put safeguards around unsafe C library functions that caused buffer overflows. The memory corruption vulnerabilities still left are really complex and hard to find."
        https://www.darkreading.com/application-security/from-code-red-to-rust-microsoft-security-journey
      • NSA’s AISC Releases Joint Guidance On The Risks And Best Practices In AI Data Security
        "The National Security Agency’s Artificial Intelligence Security Center (AISC) is releasing the joint Cybersecurity Information Sheet (CSI), “AI Data Security: Best Practices for Securing Data Used to Train & Operate AI Systems,” to provide best practices and recommendations for the data security of AI systems. The data utilized throughout the development, testing, and operation of an AI system is a vital element of the AI supply chain; protecting this data is critical in the successful development and deployment of AI systems. As organizations continue to increase their reliance on AI-driven outcomes, ensuring data security becomes increasingly crucial for maintaining accuracy, reliability, and integrity."
        https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/4192332/nsas-aisc-releases-joint-guidance-on-the-risks-and-best-practices-in-ai-data-se/
        https://www.darkreading.com/cyber-risk/nsa-cisa-gudnceai-secure-data-ai-models
      • Why Privacy In Blockchain Must Start With Open Source
        "Traditionally, trust came from centralized institutions. Banks, payment networks, and clearinghouses are closed systems. Users cannot see the inner workings, but they rely on external audits, government regulation, and long histories of compliance to feel secure. It’s a model that has and continues to work, but it comes with trade-offs, namely: opacity, concentration of power, and limited innovation."
        https://www.helpnetsecurity.com/2025/05/30/open-source-blockchain-privacy/
      • Using AI To Outsmart AI-Driven Phishing Scams
        "Phishing scams used to be filled with awkward wording and obvious grammar mistakes. Not anymore. AI is now making it harder to distinguish what is real. According to Cofense, email-based scams surged 70% year over year, driven by AI’s ability to automate lures, spoof internal conversations, and bypass spam filters with subtle text variations."
        https://www.helpnetsecurity.com/2025/05/30/ai-phishing-defense/
      • AI Agents Have Access To Key Data Across The Enterprise
        "82% of organizations already use AI agents, but only 44% of organizations report having policies in place to secure them, according to SailPoint. While 53% are in the process of developing such policies, the reality is that most remain exposed today. 96% of technology professionals consider AI agents a growing risk, even as 98% of organizations plan to expand their use of them within the next year."
        https://www.helpnetsecurity.com/2025/05/30/ai-agents-organizations-risk/
      • Exploits And Vulnerabilities In Q1 2025
        "The first quarter of 2025 saw the continued publication of vulnerabilities discovered and fixed in 2024, as some researchers were previously unable to disclose the details. This partially shifted the focus away from vulnerabilities that received new CVE-2025-NNNNN identifiers. The nature of the CVE assignment process can result in a notable delay between problem investigation and patch release, which is mitigated by reserving a CVE ID early in the process. As for trends in vulnerability exploitation, we are seeing increasing rates of attacks targeting older operating system versions. This is mainly driven by two factors: users not installing updates promptly, and the ongoing rollout of new OS versions that include improved protections against the exploitation of vulnerabilities in certain subsystems."
        https://securelist.com/vulnerabilities-and-exploits-in-q1-2025/116624/
      • MITRE Publishes Post-Quantum Cryptography Migration Roadmap
        "The MITRE-founded Post-Quantum Cryptography Coalition (PQCC) this week published fresh guidance for organizations looking to ready themselves to transition to quantum-safe cryptography. Advancements in the development of advanced quantum computing represent threats to the systems currently ensuring authenticity and securing communications and sensitive data, making the migration to post-quantum cryptography (PQC) a necessity, PQCC says. Intended for CIOs and CISOs, the coalition’s PQC migration roadmap (PDF) provides an overview of four key stages of the migration process, namely preparation, baseline understanding, planning and execution, and monitoring and evaluation."
        https://www.securityweek.com/mitre-publishes-post-quantum-cryptography-migration-roadmap/
        https://pqcc.org/wp-content/uploads/2025/05/PQC-Migration-Roadmap-PQCC-2.pdf
      • Integrity Reports, First Quarter 2025
        "We’re publishing our first quarter reports for 2025, including the Community Standards Enforcement Report, where following the changes announced in January we’ve cut enforcement mistakes in the U.S. in half, while during that same time period the low prevalence of violating content on platform remained largely unchanged for most problem areas. We have also released our Adversarial Threat Report, Widely Viewed Content Report and the biannual Transparency Report consisting of Government Requests for User Data and Content Restrictions Based on Local Law. All of the reports are available in our Transparency Center."
        https://transparency.meta.com/en-gb/integrity-reports-q1-2025/
        https://thehackernews.com/2025/05/meta-disrupts-influence-ops-targeting.html
        https://therecord.media/meta-influence-operations-takedown-china-iran-romania
        https://securityaffairs.com/178456/social-networks/meta-stopped-covert-operations-from-iran-china-romania.html
      • U.S. Government Employee Arrested For Attempting To Provide Classified Information To Foreign Government
        "An IT specialist employed by the Defense Intelligence Agency (DIA) was arrested today for attempting to transmit national defense information to an officer or agent of a foreign government. Nathan Vilas Laatsch, 28, of Alexandria, Virginia, was arrested today in northern Virginia, and will make his initial court appearance in the Eastern District of Virginia tomorrow. “The conduct alleged in this case is a profound betrayal of the American people and a direct threat to our national security,” said Sue J. Bai, head of the Justice Department’s National Security Division. “When someone entrusted with access to classified information attempts to provide it to a foreign government, it jeopardizes our intelligence capabilities, our military advantage, and the safety of our nation. The National Security Division is committed to using every tool available to uncover, disrupt, and hold accountable those who seek to harm the United States.”"
        https://www.justice.gov/opa/pr/us-government-employee-arrested-attempting-provide-classified-information-foreign-government
        https://therecord.media/defense-intelligence-agency-it-specialist-suspected-leak-foreign-government
        https://cyberscoop.com/dia-employee-arrested-nathan-vilas-laatsch/
        https://www.theregister.com/2025/05/30/feds_nab_dod_techie_dumping/

      Reference
      Electronic Transactions Development Agency (ETDA)
