NCSA Webboard

    Cyber Threat Intelligence 03 June 2025

    Cyber Security News
    NCSA_THAICERT

      Vulnerabilities

      • Qualcomm Fixes Three Adreno GPU Zero-Days Exploited In Attacks
        "Qualcomm has released security patches for three zero-day vulnerabilities in the Adreno Graphics Processing Unit (GPU) driver that impact dozens of chipsets and are actively exploited in targeted attacks. The company says two critical flaws (tracked as CVE-2025-21479 and CVE-2025-21480) were reported through the Google Android Security team in late January, and a third high-severity vulnerability (CVE-2025-27038) was reported in March."
        https://www.bleepingcomputer.com/news/security/qualcomm-fixes-three-adreno-gpu-zero-days-exploited-in-attacks/
        https://docs.qualcomm.com/product/publicresources/securitybulletin/june-2025-bulletin.html
        https://thehackernews.com/2025/06/qualcomm-fixes-3-zero-days-used-in.html
        https://www.securityweek.com/qualcomm-flags-exploitation-of-adreno-gpu-flaws-urges-oems-to-patch-urgently/
        https://securityaffairs.com/178532/hacking/qualcomm-fixed-three-zero-days-exploited-in-limited-targeted-attacks.html
      • 50,000+ Azure AD Users Exposed Via Unsecured API: BeVigil Uncovers Critical Flaw
        "An unsecured API endpoint buried inside a JavaScript file gave attackers the keys to the kingdom—direct access to sensitive Microsoft Graph data of thousands of employees, including top executives. CloudSEK’s BeVigil platform uncovered how this silent slip could lead to identity theft, phishing attacks, and regulatory nightmares. Here’s how it unfolded—and what your organization must do to stay safe."
        https://www.cloudsek.com/blog/50-000-azure-ad-users-exposed-via-unsecured-api-bevigil-uncovers-critical-flaw
      • CISA Adds Five Known Exploited Vulnerabilities To Catalog
        "CISA added five new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
        CVE-2021-32030 ASUS Routers Improper Authentication Vulnerability
        CVE-2023-39780 ASUS RT-AX55 Routers OS Command Injection Vulnerability
        CVE-2024-56145 Craft CMS Code Injection Vulnerability
        CVE-2025-3935 ConnectWise ScreenConnect Improper Authentication Vulnerability
        CVE-2025-35939 Craft CMS External Control of Assumed-Immutable Web Parameter Vulnerability"
        https://www.cisa.gov/news-events/alerts/2025/06/02/cisa-adds-five-known-exploited-vulnerabilities-catalog
      • Preinstalled Apps On Ulefone, Krüger&Matz Phones Let Any App Reset Device, Steal PIN
        "Three security vulnerabilities have been disclosed in preloaded Android applications on smartphones from Ulefone and Krüger&Matz that could enable any app installed on the device to perform a factory reset and encrypt an application."
        https://thehackernews.com/2025/06/preinstalled-apps-on-ulefone-kruger.html

      Malware

      • ‘Russian Market’ Emerges As a Go-To Shop For Stolen Credentials
        "The "Russian Market" cybercrime marketplace has emerged as one of the most popular platforms for buying and selling credentials stolen by information stealer malware. Although the marketplace has been active for roughly six years and became relatively popular by 2022, ReliaQuest reports that the Russian Market has recently reached new heights. Part of this surge in popularity is due to the takedown of the Genesis Market, which created a large vacuum in the field. Although the majority (85%) of credentials sold on the Russian Market are "recycled" from existing sources, it has still won massive cybercrime audiences thanks to its wide selection of items of sale and availability of logs at prices as low as $2."
        https://www.bleepingcomputer.com/news/security/russian-market-emerges-as-a-go-to-shop-for-stolen-credentials/
        https://reliaquest.com/resources/research-reports/stolen-credential-attacks-russian-marketplace/
        https://www.infosecurity-magazine.com/news/acreed-dominant-infostealer-lumma/
      • Beyond The Pond Phish: Unraveling Lazarus Group’s Evolving Tactics
        "The Lazarus Group is a prominent hacking group associated with the North Korean government with a long history of targeting companies and individuals within the cryptocurrency space. They have been linked to the breaches of Phemex, WazirX, Bybit, Stake, among others. Our security team frequently responds to attempts to attack us, many of which use techniques or infrastructure that have been tied to the Lazarus Group by other researchers. A common pattern in their major operations is the use of relatively unsophisticated methods, often starting with phishing, to gain a foothold in their target’s systems."
        https://blog.bitmex.com/bitmex-busts-lazarus-group/
      • Akira Doesn’t Keep Its Promises To Victims — SuspectFile
        "Over on SuspectFile, @amvinfe has been busy exposing Akira’s false promises to its victims. In two posts this week, he reports on what happened with one business in New Jersey and one in Germany that decided to pay Akira’s ransom demands. He was able to report on it all because Akira failed to secure its negotiations chat server. Anyone who knows where to look can follow along if a victim contacts Akira to try to negotiate any payment for a decryptor or data deletion."
        https://databreaches.net/2025/06/02/akira-doesnt-keep-its-promises-to-victims-suspectfile/
      • PyPI Supply Chain Attack Uncovered: Colorama And Colorizr Name Confusion
        "Checkmarx Zero researcher Ariel Harush has discovered evidence of a malicious package campaign that is consistent with live adversarial activity and adversarial research and testing. This campaign targets Python and NPM users on Windows and Linux via typo-squatting and name-confusion attacks against colorama (a widely-used Python package for colorizing terminal output) on PyPI and the similar colorizr JavaScript package on NPM. These malicious packages were uploaded to PyPI."
        https://checkmarx.com/zero-post/python-pypi-supply-chain-attack-colorama/
        https://hackread.com/backdoors-python-npm-packages-windows-linux/
      • Victims Risk AsyncRAT Infection After Being Redirected To Fake Booking.com Sites
        "Cybercriminals have started a campaign of redirecting links placed on gaming sites and social media—and as sponsored ads—that lead to fake websites posing as Booking.com. According to Malwarebytes research, 40% of people book travel through a general online search, creating a lot of opportunities for scammers. The first signs of the campaign showed up mid-May and the final redirect destination changes every two to three days. Following the links brings visitors to a familiar strategy where fake CAPTCHA websites hijack your clipboard and try to trick visitors into infecting their own device."
        https://www.malwarebytes.com/blog/news/2025/06/victims-risk-asyncrat-infection-after-being-redirected-to-fake-booking-sites
      • DevOps Tools Targeted For Cryptojacking
        "Wiz Threat Research has identified a broad cryptojacking campaign targeting publicly accessible DevOps web servers including exposed Nomad, Consul, Docker and Gitea applications. In the course of investigating this campaign, we observed attackers exploiting a range of known misconfigurations and vulnerabilities across various technologies to deploy their mining software. Notably, this campaign marks what we believe to be the first publicly documented instance of Nomad misconfigurations being exploited as an attack vector in the wild. We have designated the threat actor responsible for these activities as JINX-0132."
        https://www.wiz.io/blog/jinx-0132-cryptojacking-campaign
        https://thehackernews.com/2025/06/cryptojacking-campaign-exploits-devops.html
        https://www.securityweek.com/cryptojackers-caught-mining-monero-via-exposed-devops-infrastructure/
        https://www.infosecurity-magazine.com/news/cryptojacking-campaign-devops/
      • Pro-Ukraine Hacker Group Black Owl Poses ‘Major Threat’ To Russia, Kaspersky Says
        "A little-known hacking group has emerged as a major threat to Russian state institutions and critical industries, carrying out attacks aimed at causing maximum disruption and extracting financial gain, according to a new report. BO Team, also known as Black Owl, has been active since early 2024 and appears to operate independently, with its own arsenal of tools and tactics, researchers at Russian cybersecurity firm Kaspersky said."
        https://therecord.media/pro-ukraine-hacker-group-black-owl-major-threat-russia
      • Attacker Exploits Misconfigured AI Tool To Run AI-Generated Payload
        "The Sysdig Threat Research Team (TRT) recently observed a malicious threat actor targeting a misconfigured system hosting Open WebUI, a popular application (95k stars on GitHub) that provides an extensible, self-hosted AI interface used to enhance large language models (LLMs). With access, the attacker was able to inject malicious code and download cryptominers. In this blog, we explore the detailed analysis of the attack and provide multiple means of behavioral and IoC-based detection."
        https://sysdig.com/blog/attacker-exploits-misconfigured-ai-tool-to-run-ai-generated-payload/
        https://www.infosecurity-magazine.com/news/malware-campaign-targets-windows/

      Breaches/Hacks/Leaks

      • The North Face Warns Customers Of April Credential Stuffing Attack
        "Outdoor apparel retailer The North Face is warning customers that their personal information was stolen in credential stuffing attacks targeting the company's website in April. The North Face is a major American outdoor apparel and equipment brand owned by VF Corporation that also controls Vans, Timberland, and Dickies. The North Face generates over $3 billion in annual revenue, making it one of the largest outdoor brands in the world, with its e-commerce accounting for approximately 42% of its total sales volumes."
        https://www.bleepingcomputer.com/news/security/the-north-face-warns-customers-of-april-credential-stuffing-attack/
      • Cartier Discloses Data Breach Amid Fashion Brand Cyberattacks
        "Luxury fashion brand Cartier is warning customers it suffered a data breach that exposed customers' personal information after its systems were compromised. In notification letters sent today and shared by recipients on social media, Cartier revealed that hackers breached its systems and stole a limited amount of customer information. "We are writing to inform you that an unauthorized party gained temporary access to our system and obtained limited client information," Cartier stated in the data breach notification."
        https://www.bleepingcomputer.com/news/security/cartier-discloses-data-breach-amid-fashion-brand-cyberattacks/
        https://www.securityweek.com/cartier-data-breach-jewelry-maker-warns-customers-that-personal-data-was-exposed/
      • MainStreet Bank Reports Vendor Cyber Incident That Leaked Customer Info
        "MainStreet Bank said a cyberattack affecting one of its vendors exposed the sensitive information of about 5% of its customers. In regulatory filings with the Securities and Exchange Commission (SEC) on Friday afternoon, MainStreet Bancshares said it was informed in March that the vendor was compromised. “Although each vendor undergoes a thorough security vetting process, we swiftly ceased all activity with this provider,” the company said, adding that they concluded a review of the scope of the incident in late April."
        https://therecord.media/Main-street-cyber-incident-bank
        https://www.theregister.com/2025/06/02/mainstreet_bancshares_says_thirdparty_breach/
      • Malaysian Home Minister’s WhatsApp Hacked, Used To Scam Contacts
        "Malaysia’s home minister had his WhatsApp account hacked and then abused to send malicious links to his contacts, according to police. The attacker reportedly used a virtual private network (VPN) to compromise the account of Datuk Seri Saifuddin Nasution Ismail, authorities said at a press conference on Friday, adding that no victims have reported financial losses so far. They did not elaborate on how the hack was carried out."
        https://therecord.media/malaysia-hack-scam-whatsapp-minister

      General News

      • Google Chrome To Distrust Chunghwa Telecom, Netlock Certificates In August
        "Google says it will no longer trust root CA certificates signed by Chunghwa Telecom and Netlock in the Chrome Root Store due to a pattern of compliance failures and failure to make improvements. The change will come in Google Chrome version 139, which is scheduled for release on August 1, 2025. The tech giant cites ongoing compliance failures, broken improvement commitments, and lack of measurable progress as the reasons for this action. "Chrome's confidence in the reliability of Chunghwa Telecom and Netlock as CA Owners included in the Chrome Root Store has diminished due to patterns of concerning behavior observed over the past year," reads the announcement."
        https://www.bleepingcomputer.com/news/security/google-chrome-to-distrust-chunghwa-telecom-netlock-certificates-in-august/
        https://security.googleblog.com/2025/05/sustaining-digital-certificate-security-chrome-root-store-changes.html
        https://www.securityweek.com/chrome-to-distrust-chunghwa-telecom-and-netlock-certificates/
      • CrowdStrike And Microsoft Unite To Harmonize Cyber Threat Attribution
        "In cybersecurity, understanding an adversary’s identity, capabilities, and intent is critical to intelligent cyber defense. Attribution matters. Despite cyber threat intelligence tracking a multitude of threat actors for many decades, accurately attributing malicious activity continues to be difficult. Vendors and researchers often see different parts of the same puzzle — or entirely different puzzles — due to differences in telemetry. Organizations also have different standards and analytic maturity, which results in varying levels of visibility into threat activity and divergent perspectives on what’s being tracked."
        https://www.crowdstrike.com/en-us/blog/crowdstrike-and-microsoft-unite-to-deconflict-cyber-threat-attribution/
        https://learn.microsoft.com/en-us/unified-secops-platform/microsoft-threat-actor-naming
        https://www.bleepingcomputer.com/news/security/microsoft-and-crowdstrike-partner-to-link-hacking-group-names/
      • Dutch Minister Warns Of Heightened Chinese Espionage Threats
        "Chinese nation state groups ramped up espionage campaigns against Dutch critical infrastructure in recent months, said a state official who added that discussions are underway in the European Union on how to minimize Chinese threats. Speaking on the sidelines of the Shangri-La Dialogue security meeting in Singapore on Saturday, Dutch Defense Minister Ruben Brekelmans told Reuters that Chinese hacks against the country's semiconductor sector that began last year are ongoing, with attacks "intensifying" in recent months."
        https://www.bankinfosecurity.com/dutch-minister-warns-heightened-chinese-espionage-threats-a-28574
      • The Evolution Of Phishing Attacks: Why Traditional Detection Methods Are Failing
        "If they weren't so harmful to both businesses and consumers, the sophistication of modern phishing would be quite impressive. Today's most invasive cybercriminals have moved beyond the old strategies of generic mass-email scams. They're now leveraging advanced technologies like Artificial Intelligence (AI), deepfake media, and real-time behavioral analytics to craft highly personalized and nearly undetectable attacks."
        https://www.tripwire.com/state-of-security/evolution-phishing-attacks-why-traditional-detection-methods-are-failing
      • CISO 3.0: Leading AI Governance And Security In The Boardroom
        "In this Help Net Security interview, Aaron McCray, Field CISO at CDW, discusses how AI is transforming the CISO role from a tactical cybersecurity guardian into a strategic enterprise risk advisor. With AI now embedded across business functions, CISOs are leading enterprise-wide governance and risk management efforts. He also shares insights on practical challenges, new skillsets, and building AI-fluent security cultures."
        https://www.helpnetsecurity.com/2025/06/02/aaron-mccray-cdw-cisos-ai-security/
      • 48% Of Security Pros Are Falling Behind Compliance Requirements
        "32% of security professionals think they can deliver zero-vulnerability software despite rising threats and compliance regulations, according to Lineaje. Meanwhile, 68% are more realistic, noting they feel uncertain about achieving this near impossible outcome. While Software Bill of Material (SBOM) regulations and guidelines continue to increase, organizations vary in their level of adoption. Notably, some organizations do not have enough visibility, while others struggle with insufficient tools and processes."
        https://www.helpnetsecurity.com/2025/06/02/software-compliance-regulations-requirements/
      • New Global Business Research Shows How Security Sprawl Increases Risk
        "According to new international research commissioned by Barracuda from Vanson Bourne, the security complexity of a modern organization keeps over a third (38%) of security professionals awake at night. This is even higher for respondents in companies with 1,000 to 2,000 employees (42%), and in the education (48%) and healthcare (42%) industries. The study polled 2,000 senior security decision-makers in IT and finance/business roles in the U.S., UK, France, DACH, Benelux, the Nordics, Australia, India and Japan — across a wide range of industries and in companies with between 50 and 2,000 employees."
        https://blog.barracuda.com/2025/06/02/new-global-business-research-security-sprawl-increases-risk
      • The Secret Defense Strategy Of Four Critical Industries Combating Advanced Cyber Threats
        "The evolution of cyber threats has forced organizations across all industries to rethink their security strategies. As attackers become more sophisticated — leveraging encryption, living-off-the-land techniques, and lateral movement to evade traditional defenses — security teams are finding more threats wreaking havoc before they can be detected. Even after an attack has been identified, it can be hard for security teams to prove to auditors that they have fully mitigated the issues that allowed the attackers in."
        https://thehackernews.com/2025/06/the-secret-defense-strategy-of-four.html
      • How Good Are The LLM Guardrails On The Market? A Comparative Study On The Effectiveness Of LLM Content Filtering Across Major GenAI Platforms
        "We conducted a comparative study of the built-in guardrails offered by three major cloud-based large language model (LLM) platforms. We examined how each platform's guardrails handle a broad range of prompts, from benign queries to malicious instructions. This examination included evaluating both false positives (FPs), where safe content is erroneously blocked, and false negatives (FNs), where harmful content slips through these guardrails."
        https://unit42.paloaltonetworks.com/comparing-llm-guardrails-across-genai-platforms/
      • Don’t Let Dormant Accounts Become a Doorway For Cybercriminals
        "The longer our digital lives, the more online accounts we’re likely to accrue. Can you even remember all the services you’ve signed up to over the years? It could be that free trial you started and never cancelled. Or that app you used on holiday once and never returned to. Account sprawl is real. According to one estimate, the average person has 168 passwords for personal accounts. Yet inactive accounts are also a security risk, both from a personal and a work perspective. They represent a potentially attractive target for opportunistic criminals, so it’s worth considering a bit of spring cleaning once in a while to keep them under control."
        https://www.welivesecurity.com/en/cybersecurity/dont-let-dormant-accounts-become-doorway-cybercriminals/

      Reference
      Electronic Transactions Development Agency (ETDA)
