Cyber Threat Intelligence 13 June 2025
Financial Sector
- May 2025 Security Issues In Korean & Global Financial Sector
"This report comprehensively covers actual cyber threats and security issues that have taken place targeting financial companies in Korea and abroad. This report includes an analysis of malware and phishing cases distributed to the financial industry, the top 10 malware strains targeting the financial sector, and statistics on the industries of the leaked Korean accounts. It also covers a case of phishing emails being distributed to the financial industry."
https://asec.ahnlab.com/en/88437/
Healthcare Sector
- Email Security Risks Healthcare IT Can’t Afford To Ignore
"92% of healthcare IT leaders say they’re confident in their ability to prevent email-based data breaches, but according to Paubox, they’re not. Email remains one of the biggest security risks in healthcare. Outdated systems and frustrating tools often lead staff to bypass security measures, leaving patient data exposed."
https://www.helpnetsecurity.com/2025/06/12/healthcare-it-email-security/
Industrial Sector
- CISA Releases Ten Industrial Control Systems Advisories
"CISA released ten Industrial Control Systems (ICS) advisories on June 12, 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.
ICSA-25-162-01 Siemens Tecnomatix Plant Simulation
ICSA-25-162-02 Siemens RUGGEDCOM APE1808
ICSA-25-162-03 Siemens SCALANCE and RUGGEDCOM
ICSA-25-162-04 Siemens SCALANCE and RUGGEDCOM
ICSA-25-162-05 Siemens SIMATIC S7-1500 CPU Family
ICSA-25-162-06 Siemens Energy Services
ICSA-25-162-07 AVEVA PI Data Archive
ICSA-25-162-08 AVEVA PI Web API
ICSA-25-162-09 AVEVA PI Connector for CygNet
ICSA-25-162-10 PTZOptics and Other Pan-Tilt-Zoom Cameras"
https://www.cisa.gov/news-events/alerts/2025/06/12/cisa-releases-ten-industrial-control-systems-advisories
Vulnerabilities
- Trend Micro Fixes Critical Vulnerabilities In Multiple Products
"Trend Micro has released security updates to address multiple critical-severity remote code execution and authentication bypass vulnerabilities that impact its Apex Central and Endpoint Encryption (TMEE) PolicyServer products. The security vendor underlines that it has seen no evidence of active exploitation in the wild for any of them. However, immediate application of the security updates is recommended to address the risks. Trend Micro Endpoint Encryption PolicyServer is a central management server for Trend Micro Endpoint Encryption (TMEE), providing full disk encryption and removable media encryption for Windows-based endpoints."
https://www.bleepingcomputer.com/news/security/trend-micro-fixes-six-critical-flaws-on-apex-central-endpoint-encryption-policyserver/
- Palo Alto Networks Patches Series Of Vulnerabilities
"Cybersecurity giant Palo Alto Networks issued a series of patches on June 11 for vulnerabilities across its range of products, including GlobalProtect App, Cortex XDR, PAN-OS, and the Prisma Access Browser. Six flaws are in Palo Alto’s products, ranging from low – with CVSS scores of 0.3, 1 and 2.3 – to high severity. The most critical vulnerability, tracked as CVE-2025-4232, is an authenticated code injection affecting GlobalProtect App versions 6.0 to 6.3 on macOS. It was attributed a high-severity CVSS score of 7.1 and should be patched with “moderate” urgency, according to Palo Alto."
https://www.infosecurity-magazine.com/news/palo-alto-networks-patches-series/
https://www.securityweek.com/palo-alto-networks-patches-privilege-escalation-vulnerabilities/
- GitLab Patches High Severity Account Takeover, Missing Auth Issues
"GitLab has released security updates to address multiple vulnerabilities in the company's DevSecOps platform, including ones enabling attackers to take over accounts and inject malicious jobs in future pipelines. The company released GitLab Community and Enterprise versions 18.0.2, 17.11.4, and 17.10.8 to address these security flaws and urged all admins to upgrade immediately. "These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately," the company warned. "GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action.""
https://www.bleepingcomputer.com/news/security/gitlab-patches-high-severity-account-takeover-missing-auth-issues/
Malware
- Graphite Caught: First Forensic Confirmation Of Paragon’s iOS Mercenary Spyware Finds Journalists Targeted
"On April 29, 2025, a select group of iOS users were notified by Apple that they were targeted with advanced spyware. Among the group were two journalists that consented for the technical analysis of their cases. The key findings from our forensic analysis of their devices are summarized below: Our analysis finds forensic evidence confirming with high confidence that both a prominent European journalist (who requests anonymity), and Italian journalist Ciro Pellegrino, were targeted with Paragon’s Graphite mercenary spyware. We identify an indicator linking both cases to the same Paragon operator."
https://citizenlab.ca/2025/06/first-forensic-confirmation-of-paragons-ios-mercenary-spyware-finds-journalists-targeted/
https://www.bleepingcomputer.com/news/security/graphite-spyware-used-in-apple-ios-zero-click-attacks-on-journalists/
https://therecord.media/paragon-graphite-spyware-journalists-apple-devices-citizen-lab
https://cyberscoop.com/paragon-spyware-citizen-lab-italy-journalists/
https://www.securityweek.com/paragon-graphite-spyware-linked-to-zero-click-hacks-on-newest-iphones/
https://securityaffairs.com/178940/mobile-2/paragon-graphite-spyware-used-a-zero-day-exploit.html
- Fog Ransomware: Unusual Toolset Used In Recent Attack
"A May 2025 attack on a financial institution in Asia saw the Fog ransomware deployed, alongside an unusual toolset, including some dual-use and open-source pentesting tools we have not observed being used in ransomware attacks previously. The attackers used a legitimate employee monitoring software called Syteca (formerly Ekran), which is highly unusual and not something we have seen used in a ransomware attack chain before. They also deployed several open-source pentesting tools – GC2, Adaptix, and Stowaway – which are not commonly used during ransomware attacks."
https://www.security.com/threat-intelligence/fog-ransomware-attack
https://www.bleepingcomputer.com/news/security/fog-ransomware-attack-uses-unusual-mix-of-legitimate-and-open-source-tools/
https://therecord.media/fog-ransomware-incident-asia-financial-org-employee-monitoring
- Inside The LockBit's Admin Panel Leak: Affiliates, Victims And Millions In Crypto
"On May 7, 2025, the LockBit admin panel was hacked by an anonymous actor who replaced their TOR website with the text ‘Don’t do crime CRIME IS BAD xoxo from Prague’ and shared a SQL dump of their admin panel database in an archived file ‘paneldb_dump.zip’:"
https://www.trellix.com/blogs/research/inside-the-lockbits-admin-panel-leak-affiliates-victims-and-millions-in-crypto/
https://www.bankinfosecurity.com/lockbits-new-reality-out-control-affiliates-a-28666
https://www.helpnetsecurity.com/2025/06/12/lockbit-data-leak-targets-ransoms/
- Hijacked Trust: How Malicious Actors Exploited Discord’s Invite System To Launch Global Multi-Stage Attacks
"Discord is a widely used and trusted platform favored by gamers, communities, businesses, and others who need to connect securely and quickly. In our recent research, Check Point Research (CPR) uncovered a flaw in Discord’s invitation system that allows attackers to hijack expired or deleted invite links and secretly redirect unsuspecting users to malicious servers. Invitation links posted by trusted communities months ago on forums, social media, or official websites could now quietly lead users into the hands of cyber criminals."
https://blog.checkpoint.com/research/hijacked-trust-how-malicious-actors-exploited-discords-invite-system-to-launch-global-multi-stage-attacks/
- Predator Still Active, With New Client And Corporate Links Identified
"Following major public exposures by Insikt Group and others throughout the last two years, alongside US government sanctions targeting the Intellexa Consortium — the organizational structure behind the Predator mobile spyware — Insikt Group observed a significant decline in Predator-related activity. This apparent decline raised questions about whether the combination of US sanctions, public exposure, and broader international efforts to curb spyware proliferation, such as the UK and France-led Pall Mall process, had dealt a lasting blow to Intellexa’s operations. Yet, Predator activity has not stopped, and in recent months, Insikt Group has observed a resurgence of activity, reflecting the operators’ continued persistence. While much of the identified infrastructure is tied to known Predator operators in countries previously identified by Insikt Group, a new customer has also been identified in Mozambique — a country not previously publicly linked to the spyware."
https://www.recordedfuture.com/research/predator-still-active-new-links-identified
https://therecord.media/predator-spyware-mozambique
https://cyberscoop.com/predator-spyware-activity-surfaces-in-new-places-with-new-tricks/
- Vexing And Vicious: The Eerie Relationship Between WordPress Hackers And An Adtech Cabal
"What started out as an observational study—perturb VexTrio and see how they adapt—led to a series of surprising revelations. When their traffic distribution system (TDS) was disrupted, multiple malware actors that depended on it all migrated to a “new” TDS, but it was the same TDS! Originally thought to be an independent TDS, we found evidence that suggested otherwise. Several commercial TDSs were discovered to share software elements with VexTrio and benefited from VexTrio’s long, exclusive relationship with website malware actors. Finally, it became clear that the use of malicious adtech could be the downfall of dominant malware campaign operators, as the VexTrio cabal can identify them."
https://blogs.infoblox.com/threat-intelligence/vexing-and-vicious-the-eerie-relationship-between-wordpress-hackers-and-an-adtech-cabal/
https://thehackernews.com/2025/06/wordpress-sites-turned-weapon-how.html
- The TokenBreak Attack
"Do you know which model is protecting each LLM you have in production? HiddenLayer’s security research team has discovered a novel way to bypass models built to detect malicious text input, opening the door for a new prompt injection technique. The TokenBreak attack targets a text classification model’s tokenization strategy to induce false negatives, leaving end targets vulnerable to attacks that the implemented protection model was put in place to prevent. Models using certain tokenizers are susceptible to this attack, whilst others are not, meaning susceptibility can be determined by model family."
https://hiddenlayer.com/innovation-hub/the-tokenbreak-attack/
https://thehackernews.com/2025/06/new-tokenbreak-attack-bypasses-ai.html
- Belarusian Hackers Taunt Kaspersky Over Report Detailing Their Attacks
"A Belarusian hacktivist group known as the Cyber Partisans is no stranger to scrutiny from cybersecurity researchers. So when Kaspersky, a Moscow-based cybersecurity firm, published a detailed report last week dissecting the group’s alleged tools and tactics, the hackers were unfazed. “We are not surprised that Kaspersky is aware of some of our attack techniques,” the group said in a statement to Recorded Future News. What did catch them off guard was the level of attention the firm devoted to their operations. “A detailed article plus two conference presentations,” the hackers added."
https://therecord.media/belarusian-hackers-taunt-kaspersky-ver-report
- JSFireTruck: Exploring Malicious JavaScript Using JSF*ck As An Obfuscation Technique
"We recently discovered a large-scale campaign that has been compromising legitimate websites with injected, obfuscated JavaScript code. Threat actors commonly use this type of campaign to invisibly redirect victims from legitimate websites to malicious pages that serve malware, exploits and spam. The campaign uses a JavaScript obfuscation technique known as JSF*ck (profanity masked). Due to the profanity in the term, we refer to the method in the remainder of this article by using the nickname JSFireTruck."
https://unit42.paloaltonetworks.com/malicious-javascript-using-jsfiretruck-as-obfuscation/
- Understanding CyberEYE RAT Builder: Capabilities And Implications
"CyberEye (also distributed under names like TelegramRAT) is a modular, .NET-based Remote Access Trojan (RAT) that provides a wide array of surveillance and data theft capabilities. Its use of Telegram for Command and Control (C2) eliminates the need for attackers to maintain their own infrastructure, making it more evasive and accessible. The malware is deployed through a builder GUI that allows attackers to customize payloads by injecting credentials, modifying metadata, and bundling features such as keyloggers, file grabbers, clipboard hijackers, and persistence mechanisms. CyberEye exhibits advanced defense evasion by disabling Windows Defender using PowerShell and registry manipulations. Its modules harvest browser credentials, Wi-Fi passwords, gaming profiles, and session data from applications like Telegram and Discord. All stolen information is exfiltrated using Telegram’s Bot API."
https://www.cyfirma.com/research/understanding-cybereye-rat-builder-capabilities-and-implications/
Breaches/Hacks/Leaks
- Phishing Alert As Erie Insurance Reveals Cyber “Event”
"One of America’s largest home and auto insurers has notified regulators and customers of a cybersecurity incident and related network outage. Fortune 500 business Erie Insurance employs over 7000 staff and 14,000 agents, with parent company Erie Indemnity Company posting revenue of close to $4bn last year. It currently boasts over six million active policies. However, the firm warned customers yesterday of an “ongoing network outage” related to a confirmed “information security event” which was discovered last weekend."
https://www.infosecurity-magazine.com/news/phishing-alert-erie-insurance/
- Ransomware Attack On Ticketing Platform Upends South Korean Entertainment Industry
"A ransomware attack on one of South Korea’s largest ticketing platforms and online book retailers has disrupted the country’s entertainment industry — forcing event cancellations and postponements as organizers scramble to manage the ongoing service outage, according to local media reports. The attack on Yes24, which struck early on Monday, has left the company’s website and services offline for four consecutive days, crippling online bookings for concerts, e-book access and community forums. The company said it aims to restore full operations by June 15."
https://therecord.media/yes24-south-korea-ransomware-attack
- 'Major Compromise' At NHS Temping Arm Exposed Gaping Security Holes
"Cybercriminals broke into systems belonging to the UK's NHS Professionals body in May 2024, stealing its Active Directory database, but the healthcare organization never publicly disclosed it, The Register can reveal. NHS Professionals (NHSP) is a private organization owned by the Department of Health and Social Care (DHSC), tasked with providing temporary clinical and non-clinical staff to National Health Service trusts across England. According to the latest available data obtained from its website, it has 190,000 healthcare professionals registered with it, plus over 1,000 employees working for the organization itself."
https://www.theregister.com/2025/06/12/compromise_nhs_professionals/
General News
- Cybercriminals Are Turning Stolen Data Into a Thriving Black Market
"Cybercriminals are stealing data and running full-scale businesses around it. Europol’s latest Internet Organised Crime Threat Assessment (IOCTA) report reveals how personal data is now a core currency in the underground economy. Cybercriminals go after everything from login credentials to credit card numbers, medical records, and social media accounts. The data criminals collect helps them access accounts, impersonate users, or sell that access to others. Europol stresses that access to an account is often the first step in a wider attack. Once inside, attackers can move laterally through a network, steal more data, and carry out scams using the victim’s identity."
https://www.helpnetsecurity.com/2025/06/12/europol-internet-organised-crime-threat-assessment-iocta-2025/
https://www.europol.europa.eu/cms/sites/default/files/documents/Steal-deal-repeat-IOCTA_2025.pdf
https://www.infosecurity-magazine.com/news/europol-criminal-demand-data/
- Want Fewer Security Fires To Fight? Start With Threat Modeling
"CISOs understand that threat modeling helps teams identify risks early and build safer systems. But outside the security org, the value isn’t always clear. When competing for budget or board attention, threat modeling often loses out to more visible efforts like new tools or headline-driven response plans. The problem isn’t the practice. It’s the framing. To win support, CISOs need to show how threat modeling connects to bottom-line outcomes: fewer vulnerabilities, faster incident response, and less rework during development. In short, it needs to be positioned not as a nice-to-have activity but as an investment in resilience."
https://www.helpnetsecurity.com/2025/06/12/start-with-threat-modeling/
- CISOs Call For Operational Threat Intelligence Integration
"98% of CISOs face challenges when using threat intelligence, according to Trellix. The biggest problems are keeping up with changing threats, integration difficulties, and regulatory rules. As a result, threat intelligence defaults to a reactive function within a workstream, rather than an embedded, proactive strategy to build resilience, accelerate response, and stay ahead of threats. “Global threat detection volume from APT actors rose 45% at the beginning of this year, and CISOs are now tasked with staying ahead of these adversaries who are becoming more organized, well-resourced, and faster, partially due to the growing use of AI,” said John Fokker, Head of Threat Intelligence, Trellix."
https://www.helpnetsecurity.com/2025/06/12/cisos-operational-threat-intelligence/
- With Retail Cyberattacks On The Rise, Customers Find Orders Blocked And Shelves Empty
"A string of recent cyberattacks and data breaches involving the systems of major retailers have started affecting shoppers. United Natural Foods, a wholesale distributor that supplies Whole Foods and other grocers, said this week that a breach of its systems was disrupting its ability to fulfill orders — leaving many stores without certain items. In the U.K., consumers could not order from the website of Marks & Spencer for more than six weeks — and found fewer in-store options after hackers targeted the British clothing, home goods and food retailer. A cyberattack on Co-op, a U.K. grocery chain, also led to empty shelves in some stores."
https://www.securityweek.com/with-retail-cyberattacks-on-the-rise-customers-find-orders-blocked-and-shelves-empty/
- CISA Releases Cybersecurity Advisory On SimpleHelp RMM Vulnerability
"Today, CISA released Cybersecurity Advisory: Ransomware Actors Exploit Unpatched SimpleHelp Remote Monitoring and Management to Compromise Utility Billing Software Provider. This advisory is in response to ransomware actors targeting customers of a utility billing software provider through unpatched vulnerabilities in SimpleHelp Remote Monitoring and Management (RMM). This incident is part of a broader trend of ransomware actors exploiting unpatched versions of SimpleHelp RMM since January 2025."
https://www.cisa.gov/news-events/alerts/2025/06/12/cisa-releases-cybersecurity-advisory-simplehelp-rmm-vulnerability
https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-163a
https://www.theregister.com/2025/06/12/cisa_simplehelp_flaw_exploit_warning/
- Foundations Of Cybersecurity: Reassessing What Matters
"In the fast-paced world of cybersecurity, it's easy to get caught up in the hype of the latest technology trends or the panic of a high-profile data breach. With the landscape growing increasingly complex, threats are becoming more sophisticated and pervasive. In 2024 alone, more than 3,158 publicly reported data breaches occurred globally, marking a 211% year-over-year increase in victims. Zero-trust solutions, third-party risk management platforms, and cloud access security brokers can be useful additions — but they cannot replace the enduring, fundamental practices at the heart of any successful security program. Risk management, vendor relationships, and personnel decisions are still the key to future-proofing security programs."
https://www.darkreading.com/cyber-risk/foundations-cybersecurity-reassessing-what-matters
- Identifying High-Risk APIs Across Thousands Of Code Repositories
"In this Help Net Security interview, Joni Klippert, CEO of StackHawk, discusses why API visibility is a major blind spot for security teams, how legacy tools fall short, and how StackHawk identifies risky APIs and sensitive data directly from code before anything is deployed."
https://www.helpnetsecurity.com/2025/06/12/joni-klippert-stackhawk-apis-sensitive-data-detection/
- NIST Publishes New Zero Trust Implementation Guidance
"The US National Institute of Standards and Technology (NIST) has published new practical guidance on implementing zero trust architecture (ZTA). While previous NIST guidance on zero trust in 2020 described the approach at a conceptual level, the new publication is designed to help organizations overcome implementation challenges. The agency noted that ZTA adoption is increasing, partly as a result of regulatory requirements for some organizations."
https://www.infosecurity-magazine.com/news/nist-zero-trust-implementation/
https://www.nccoe.nist.gov/projects/implementing-zero-trust-architecture
- The AI Arms Race: Deepfake Generation Vs. Detection
"If deepfakes were a disease, this would be a pandemic. Artificial Intelligence (AI) now generates deepfake voice at a scale and quality that has bridged the uncanny valley. Fraud is increasingly being fueled by voice deepfakes. An analysis by Pindrop (using a ‘liveness detection tool’) examined 130 million calls in Q4 2024 and found an increase of 173% in the use of synthetic voice compared to Q1. This growth is expected to continue with AI models like Respeecher (legitimately used in movies, video games and documentaries) able to change pitch, timbre, and accent in real time – effectively adding emotion to a mechanically produced voice. Synthesized voice has successfully crossed the so-called uncanny valley."
https://www.securityweek.com/deepfakes-and-the-ai-battle-between-generation-and-detection/
- The ZTNA Blind Spot: Why Unmanaged Devices Threaten Your Hybrid Workforce
"As hybrid work cements itself as the new norm, enterprises are making meaningful strides in adopting Zero Trust Network Access (ZTNA) to replace legacy VPNs. But there’s a major blind spot in how most organizations implement ZTNA: unmanaged devices. ZTNA adoption tends to focus almost exclusively on corporate-managed laptops and desktops. The assumption is that every employee works on a hardened device, with security tools installed and configurations locked down by IT. But that assumption is outdated—and dangerous."
https://www.securityweek.com/the-ztna-blind-spot-why-unmanaged-devices-threaten-your-hybrid-workforce/
- Project Galileo 11th Anniversary
"To mark the 11th anniversary of Project Galileo, we want to understand the types of attacks faced by the organizations it protects. Our goal is to better support researchers, civil society, and vulnerable groups with best practices for securing their websites and internal data. With that, we have created a dashboard highlighting organizations that were at the heart of public discourse over the past year."
https://radar.cloudflare.com/reports/project-galileo-11th-anniv
https://www.securityweek.com/surge-in-cyberattacks-targeting-journalists-cloudflare/
- The $200,000 Zoom Call
"Jake Gallen used to think the best stories in Las Vegas happened behind velvet ropes. Between 2010 and 2020, he lived the Strip’s hustle — poolside service as a model cabana host at Planet Hollywood, then navigating the bottle-fueled chaos as a beverage runner at Omnia Nightclub. Initially, he saw those jobs as a possible forever thing — a grown-up extension of his Greek life at University of Nevada, Las Vegas, just with better lighting and bigger tips. But bottle service, it turns out, has a shelf life. “After a year or two you're like, man, this kind of sucks,” Gallen said. He was missing birthdays. Missing weekends. Making endless small talk with tourists in flip-flops."
https://therecord.media/crypto-scam-zoom-call-click-here
References
Electronic Transactions Development Agency (ETDA) - May 2025 Security Issues In Korean & Global Financial Sector