Cyber Threat Intelligence 04 June 2025
Financial Sector
- Bankers Association’s Attack On Cybersecurity Transparency
"A coalition of banking industry associations, including SIFA, the American Bankers Association (ABA), Bank Policy Institute (BPI), and several other lobbying groups have made a disgraceful appeal to the SEC to eliminate the rule requiring public disclosure of material cybersecurity incidents within four days of detection. This rule was established to ensure shareholders are properly informed and potential victims receive timely notice so they can take protective action, which wasn’t happening consistently before the rule took effect."
https://www.helpnetsecurity.com/2025/06/03/bankers-association-attack-on-cybersecurity-transparency/
Industrial Sector
- Schneider Electric Wiser Home Automation
"Successful exploitation of this vulnerability could allow an attacker to inject code or bypass authentication."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-153-01
- Mitsubishi Electric MELSEC iQ-F Series
"Successful exploitation of this vulnerability could allow an attacker to read confidential information, cause a denial-of-service condition, or stop operations by sending specially crafted packets."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-153-03
- Schneider Electric EcoStruxure Power Build Rapsody
"Successful exploitation of this vulnerability could allow an attacker to achieve arbitrary code execution on the affected device."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-153-02
New Tooling
- Vet: Open-Source Software Supply Chain Security Tool
"Vet is an open source tool designed to help developers and security engineers spot risks in their software supply chains. It goes beyond traditional software composition analysis by detecting known vulnerabilities and flagging malicious packages. Vet supports several ecosystems, including npm, PyPI, Maven, Go, Docker, and GitHub Actions, making it useful across many types of projects."
https://www.helpnetsecurity.com/2025/06/03/vet-open-source-software-supply-chain-security-tool/
https://github.com/safedep/vet
Vulnerabilities
- Hewlett Packard Enterprise Warns Of Critical StoreOnce Auth Bypass
"Hewlett Packard Enterprise (HPE) has issued a security bulletin to warn about eight vulnerabilities impacting StoreOnce, its disk-based backup and deduplication solution. Among the flaws fixed this time is a critical severity (CVSS v3.1 score: 9.8) authentication bypass vulnerability tracked under CVE-2025-37093, three remote code execution bugs, two directory traversal problems, and a server-side request forgery issue. The flaws impact all versions of the HPE StoreOnce Software before v4.3.11, which is now the recommended upgrade version."
https://www.bleepingcomputer.com/news/security/hewlett-packard-enterprise-warns-of-critical-storeonce-auth-bypass/
- Critical 10-Year-Old Roundcube Webmail Bug Allows Authenticated Users To Run Malicious Code
"Cybersecurity researchers have disclosed details of a critical security flaw in the Roundcube webmail software that has gone unnoticed for a decade and could be exploited to take over susceptible systems and execute arbitrary code. The vulnerability, tracked as CVE-2025-49113, carries a CVSS score of 9.9 out of 10.0. It has been described as a case of post-authenticated remote code execution via PHP object deserialization. "Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization," reads the description of the flaw in the NIST's National Vulnerability Database (NVD)."
https://thehackernews.com/2025/06/critical-10-year-old-roundcube-webmail.html
https://fearsoff.org/research/roundcube
- New Chrome Zero-Day Actively Exploited; Google Issues Emergency Out-Of-Band Patch
"Google on Monday released out-of-band fixes to address three security issues in its Chrome browser, including one that it said has come under active exploitation in the wild. The high-severity flaw is being tracked as CVE-2025-5419, and has been flagged as an out-of-bounds read and write vulnerability in the V8 JavaScript and WebAssembly engine. "Out of bounds read and write in V8 in Google Chrome prior to 137.0.7151.68 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page," reads the description of the bug on the NIST's National Vulnerability Database (NVD)."
https://thehackernews.com/2025/06/new-chrome-zero-day-actively-exploited.html
https://www.bleepingcomputer.com/news/security/google-patches-new-chrome-zero-day-bug-exploited-in-attacks/
https://www.securityweek.com/google-researchers-find-new-chrome-zero-day/
https://securityaffairs.com/178560/hacking/google-fixed-the-second-actively-exploited-chrome-zero-day-since-the-start-of-the-year.html
https://www.theregister.com/2025/06/03/google_chrome_zero_day_emergency_fix/
- Over 30 Vulnerabilities Patched In Android
"Google’s latest updates for the Android operating system patch more than 30 vulnerabilities, all classified as ‘high severity’. The June 2025 Android security bulletin reveals that the most serious flaw, according to Google, is CVE-2025-26443, a local privilege escalation issue in the System component. Exploitation does not require additional privileges, but user interaction is needed."
https://www.securityweek.com/over-30-vulnerabilities-patched-in-android/
https://cyberscoop.com/android-security-update-june-2025/
- Lost In Resolution: Azure OpenAI's DNS Resolution Issue
"In late 2024, Unit 42 researchers discovered an issue with Azure OpenAI’s Domain Name System (DNS) resolution logic that could have enabled cross-tenant data leaks and meddler-in-the-middle (MitM) attacks. This issue stemmed from a misconfiguration in how the Azure OpenAI API handled domain assignments, versus how the user interface (UI) handled them. While the UI required unique custom domain names for each OpenAI instance, the API did not have this requirement for one specific custom domain. This allowed multiple tenants to share the same custom domain, potentially resolving to an incorrect, untrusted external IP address."
https://unit42.paloaltonetworks.com/azure-openai-dns-resolution/
Malware
- Malicious Ruby Gems Exfiltrate Telegram Tokens And Messages Following Vietnam Ban
"Socket’s Threat Research Team has uncovered an ongoing supply chain attack targeting the RubyGems ecosystem. A threat actor using the aliases Bùi nam, buidanhnam, and si_mobile, published two malicious gems (i.e. packages) (fastlane-plugin-telegram-proxy and fastlane-plugin-proxy_teleram) designed to impersonate legitimate Fastlane plugins. These gems silently exfiltrate all data sent to the Telegram API by redirecting traffic through a command and control (C2) server controlled by the threat actor. This includes bot tokens, chat IDs, message content, and attached files."
https://socket.dev/blog/malicious-ruby-gems-exfiltrate-telegram-tokens-and-messages-following-vietnam-ban
https://www.bleepingcomputer.com/news/security/malicious-rubygems-pose-as-fastlane-to-steal-telegram-api-data/
- Scattered Spider: Three Things The News Doesn’t Tell You
"With the recent attacks on UK retailers Marks & Spencer and Co-op, so-called Scattered Spider has been all over the media, with coverage spilling over into the mainstream news due to the severity of the disruption — currently looking like hundreds of millions in lost profits for M&S alone. This coverage is extremely valuable for the cyber security community as it raises awareness of the battles that security teams are fighting every day. But it’s also created a lot of noise that can make it tricky to understand the big picture. So here’s three things that you might have missed — some you probably know already, and others that you might not be aware of if you haven’t been tracking Scattered Spider beyond the recent attacks."
https://www.bleepingcomputer.com/news/security/scattered-spider-three-things-the-news-doesnt-tell-you/
https://thehackernews.com/2025/06/scattered-spider-understanding-help.html
- Crocodilus Mobile Malware: Evolving Fast, Going Global
"In March 2025, the Mobile Threat Intelligence team discovered Crocodilus, a new device-takeover Android banking Trojan entering the threat landscape. The first observed samples were mostly related to test campaigns, with sporadic instances of live campaigns. Ongoing monitoring of the threat landscape revealed a growing number of campaigns and continuous development of the Trojan."
https://www.threatfabric.com/blogs/crocodilus-mobile-malware-evolving-fast-going-global
https://www.bleepingcomputer.com/news/security/android-malware-crocodilus-adds-fake-contacts-to-spoof-trusted-callers/
https://thehackernews.com/2025/06/android-trojan-crocodilus-now-active-in.html
https://therecord.media/crocodilus-android-malware-banking-fraud
https://www.darkreading.com/mobile-security/crocodilus-sharpens-teeth-android-users
https://securityaffairs.com/178578/malware/android-banking-trojan-crocodilus-evolves-fast-and-goes-global.html
- Scammers Are Impersonating Interactive Brokers: Here’s What You Need To Know
"Interactive Brokers is warning customers to be on high alert due to a wave of scams involving fraudsters posing as company representatives. Interactive Brokers (IBKR) is a global brokerage firm that lets investors trade stocks, options, futures, and other assets on international markets. In a message sent to clients on June 2, the company said it is seeing more cases of criminals impersonating its employees, branding, and email addresses in order to trick people into sending money or giving up sensitive information."
https://www.helpnetsecurity.com/2025/06/03/ibkr-interactive-brokers-scams/
- Host-Based Logs, Container-Based Threats: How To Tell Where An Attack Began
"Although containers provide an isolated runtime environment for applications, this isolation is often overestimated. While containers encapsulate dependencies and ensure consistency, the fact that they share the host system’s kernel introduces security risks. Based on our experience providing Compromise Assessment, SOC Consulting, and Incident Response services to our customers, we have repeatedly seen issues related to a lack of container visibility. Many organizations focus on monitoring containerized environments for operational health rather than security threats. Some lack the expertise to properly configure logging, while others rely on technology stacks that don’t support effective visibility of running containers."
https://securelist.com/host-based-logs-container-based-threats/116643/
- How Threat Actors Exploit Human Trust: A Breakdown Of The 'Prove You Are Human' Malware Scheme
"This report details a malicious campaign that uses deceptive websites, including spoofed Gitcodes and fake Docusign verification pages, to trick users into running malicious PowerShell scripts on their Windows machines. Victims are lured into copying and pasting these scripts into their Windows Run prompt, which then download and execute multiple stages of additional scripts, ultimately leading to the installation of the NetSupport RAT (remote access trojan)."
https://dti.domaintools.com/how-threat-actors-exploit-human-trust/
https://thehackernews.com/2025/06/fake-docusign-gitcode-sites-spread.html
https://www.infosecurity-magazine.com/news/fake-docusign-pages-deliver-rat/
Breaches/Hacks/Leaks
- Coinbase Breach Tied To Bribed TaskUs Support Agents In India
"A recently disclosed data breach at Coinbase has been linked to India-based customer support representatives from outsourcing firm TaskUs, who threat actors bribed to steal data from the crypto exchange. According to Reuters, who spoke to numerous TaskUs employees, the data breach was first discovered in January after a TaskUs employee was caught capturing photos of her computer screen using a personal device. Reportedly, the incident was witnessed by multiple TaskUs employees, and during the subsequent investigations, two admitted they were funneling sensitive Coinbase user data to external hackers in exchange for bribes."
https://www.bleepingcomputer.com/news/security/coinbase-breach-tied-to-bribed-taskus-support-agents-in-india/
- The CEO Database Exposes Information On Over 1,000 Executives
"December 2024’s tragic shooting of United Healthcare CEO Brian Thompson marked a chilling inflection point in the online hostility towards corporate executives. Since the subsequent arrest of Luigi Mangione, Flashpoint analysts have observed a significant rise in ideologically motivated threats targeting CEOs and key personnel ranging from doxxing and location tracking, to targeted harassment, and threats of physical violence."
https://flashpoint.io/blog/ceo-database-exposes-information-on-executives/
General News
- Development Vs. Security: The Friction Threatening Your Code
"Developers are driven to deliver new features quickly, while security teams prioritize risk mitigation, which often puts the two at odds. 61% of developers said that it’s critical that security doesn’t block or decelerate the development process or become a barrier to business success. Despite this, collaboration between development and security teams is essential to strengthen both software quality and security, especially given the rising number of data breaches and ransomware attacks."
https://www.helpnetsecurity.com/2025/06/03/developer-security-team-friction/
- How Global Collaboration Is Hitting Cybercriminals Where It Hurts
"In this Help Net Security interview, William Lyne, Deputy Director of UK’s National Crime Agency, discusses the cybercrime ecosystem and the threats it enables. He explains how cybercrime is becoming more accessible and fragmented. Lyne also talks about key trends, recent disruptions, and collaboration between law enforcement and the private sector."
https://www.helpnetsecurity.com/2025/06/03/william-lyne-national-crime-agency-cybercrime-ecosystem-threats/
- #Infosec2025: Half Of Firms Suffer Two Supply Chain Incidents In Past Year
"Nearly half (46%) of organizations have experienced at least two cybersecurity incidents in their supply chain over the past year, according to new research by Risk Ledger presented at Infosecurity Europe 2025. The survey also found that 90% of UK respondents view supply chain cyber incidents as a top concern for 2025. Despite this concern, many respondents believe that current approaches to third-party risk management (TPRM) are insufficient, with just 37% rating them as very effective."
https://www.infosecurity-magazine.com/news/half-supply-chain-incidents/
- Future-Ready Cybersecurity: Lessons From The MITRE CVE Crisis
"The recent funding crisis surrounding MITRE’s Common Vulnerabilities and Exposures (CVE) program was more than just a bureaucratic hiccup — it was a wake-up call for an industry that has relied on CVEs for years to identify, categorize, and prioritize vulnerabilities. Out of the blue, we discovered the foundation was suddenly at risk. Worse still, we had a moment to ponder what might happen if the contract were not signed by the April 16 deadline."
https://cyberscoop.com/mitre-cve-vulnerability-database-morphisec-op-ed/
- Ransomware Landscape May 2025: SafePay, DevMan Emerge As Major Threats
"SafePay took the top spot among ransomware groups in May 2025, solidifying the group’s status as a major threat. Overall, ransomware groups claimed 384 victims in May (chart below), the third straight monthly decline, as leadership continues to shift after RansomHub – the top group for more than a year – went offline at the end of March in what may have been an infrastructure compromise by rival DragonForce."
https://cyble.com/blog/top-ransomware-groups-may-2025-safepay-devman-rise/
- Is Your CISO Navigating Your Flight Path?
"For too long, chief information security officers (CISOs) struggled to get a seat at the executive table because security teams were viewed as cost centers rather than value creators. That era is over, driven by necessity rather than choice. Today's threats move at dizzying speed, which has propelled CISOs into a strategic role, not focused only on security, but on business resilience. Increasing cyberattacks, coupled with regulatory demands and digitalization efforts like AI adoption, have forced a reckoning with the fact that cybersecurity is a core business imperative with existential consequences."
https://www.darkreading.com/cybersecurity-operations/ciso-navigating-your-flight-path
- Open-Weight Chinese AI Models Drive Privacy Innovation In LLMs
"As cloud-served large language models (LLMs) flood the market, data privacy continues to be a big problem for end users because they have no control over their data once they've fed it into the models. In January, DeepSeek's open-weight LLM roiled global markets, followed just two months later by additional Chinese AI entrants — Manus AI and Baidu's ERNIE — both of which will be open weight later this year. Open weight means that the model's parameters are publicly accessible, allowing developers to modify the internals and more effectively build upon the model."
https://www.darkreading.com/cyber-risk/open-weight-chinese-ai-models-drive-privacy-innovation-llm
- TOP 20 Not-So-Secret Business Passwords
"Together with NordStellar, we’ve analyzed the most common passwords used in corporate environments – and it’s clear that poor password habits are widespread. Across industries, weak credentials leave businesses vulnerable to data breaches. Let’s take a closer look."
https://nordpass.com/poor-company-passwords/
https://hackread.com/smart-cars-dumb-passwords-auto-industry-weak-passwords/
- The Role Of Continuous Integration And Continuous Deployment (CI/CD) In DevOps
"Modern software development demands rapid delivery of high-quality applications that can adapt to changing business requirements and user expectations. Continuous Integration and Continuous Deployment (CI/CD) are fundamental in today’s DevOps practices because they allow organizations to streamline their development workflows, reduce deployment risks, and accelerate time-to-market, all while maintaining code quality and system reliability."
https://hackread.com/continuous-integration-continuous-deployment-ci-cd-devops/
- Juice Jacking Warnings Are Back, With A New Twist
"Remember juice jacking? It’s a term that crops up every couple of years to worry travelers. This spring has seen another spate of stories, including a new, more sophisticated form of attack. But how much of a threat is it, really? Juice jacking is where an attacker uses a malicious public USB charger to install malware on, or steal information from, your phone. In theory, the victim plugs their phone into a USB charging port like those found in airports, restaurants or public transportation to top up their battery. The attacker has programmed the charger to start a data connection with the phone, allowing them to perhaps view files or control apps."
https://www.malwarebytes.com/blog/news/2025/06/juice-jacking-warnings-are-back-with-a-new-twist
- Why Scamming Can’t Be Stopped—But It Can Be Managed
"Scams are no longer annoyances, tricking individuals but not damaging the economy. They have become big business, with Arkose Labs suggesting they could cost the global economy $1.03 trillion in 2024. The reason for this growth is complex but not complicated. Crime pays consistently more than legitimate work, and scamming is easy with the rise of crime-as-a-service (CaaS). Moral humans are easily fooled by immoral humans, and the prosecution of cybercriminals is difficult given the global nature of the crime and the fractured nature of geopolitics."
https://www.securityweek.com/why-scamming-cant-be-stopped-but-it-can-be-managed/
References
Electronic Transactions Development Agency (ETDA)