NCSA Webboard
    Cyber Threat Intelligence 17 June 2025

    Cyber Security News
    • NCSA_THAICERT

      Financial Sector

      • Why Banks’ Tech-First Approach Leaves Governance Gaps
        "In this Help Net Security interview, Rich Friedberg, CISO at Live Oak Bank, discusses how banks can better align cybersecurity efforts with broader cyber governance and risk priorities. Banking institutions often falter when cybersecurity is siloed as purely a technical or compliance issue. Cyber governance requires treating cybersecurity as a strategic business risk embedded across enterprise-wide decision-making."
        https://www.helpnetsecurity.com/2025/06/16/rich-friedberg-live-oak-bank-banking-cyber-governance/

      New Tooling

      • MDEAutomator: Open-Source Endpoint Management, Incident Response In MDE
        "Managing endpoints and responding to security incidents in Microsoft Defender for Endpoint (MDE) can be time-consuming and complex. MDEAutomator is an open-source tool designed to make that easier. MDEAutomator is a modular, serverless solution for IT and security teams looking to save time and reduce manual work. By using Azure Function Apps and a custom PowerShell module, MDEAutomator automates tasks like deploying MDE to new devices and responding to alerts, without needing to manage extra infrastructure."
        https://www.helpnetsecurity.com/2025/06/16/mdeautomator-open-source-automation-microsoft-defender-for-endpoint-mde/
        https://github.com/msdirtbag/MDEAutomator

      Vulnerabilities

      • High-Severity Vulnerabilities Patched In Tenable Nessus Agent
        "Tenable has released patches for three high-severity vulnerabilities in Nessus Agent for Windows that could be exploited to perform file operations and execute code with elevated privileges. Tracked as CVE-2025-36631 (CVSS score of 8.4), the first bug could allow users logged in to non-administrative accounts to overwrite arbitrary local system files with log content, with System privileges. The second flaw, CVE-2025-36632 (CVSS score of 7.8), allows non-administrative users to execute arbitrary code with System privileges."
        https://www.securityweek.com/high-severity-vulnerabilities-patched-in-tenable-nessus-agent/
        https://www.infosecurity-magazine.com/news/tenable-fixes-flaws-nessus/
        https://www.tenable.com/security/tns-2025-11
      • ASUS Armoury Crate Bug Lets Attackers Get Windows Admin Privileges
        "A high-severity vulnerability in ASUS Armoury Crate software could allow threat actors to escalate their privileges to SYSTEM level on Windows machines. The security issue is tracked as CVE-2025-3464 and received a severity score of 8.8 out of 10. It could be exploited to bypass authorization and affects the AsIO3.sys of the Armoury Crate system management software."
        https://www.bleepingcomputer.com/news/security/asus-armoury-crate-bug-lets-attackers-get-windows-admin-privileges/
      • CISA Adds Two Known Exploited Vulnerabilities To Catalog
        "CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
        CVE-2025-43200 Apple Multiple Products Unspecified Vulnerability
        CVE-2023-33538 TP-Link Multiple Routers Command Injection Vulnerability"
        https://www.cisa.gov/news-events/alerts/2025/06/16/cisa-adds-two-known-exploited-vulnerabilities-catalog

      Malware

      • Multi-Stage Malware Attack On PyPI: “chimera-Sandbox-Extensions” Malicious Package Threatens Chimera Sandbox Users
        "Open-source package repositories like the Python Package Index (PyPI) play a crucial role in software development. However, these platforms are also potential targets for malicious actors attempting to exploit application software vulnerabilities. The JFrog Security Research team regularly monitors open source software repositories using advanced automated tools, in order to detect malicious packages. In cases of potential software supply chain security threats, our research team reports any malicious packages that were discovered to the repository’s maintainers in order to have them removed."
        https://jfrog.com/blog/chimera-sandbox-extensions-malware-threatens-pypi-users/
        https://thehackernews.com/2025/06/malicious-pypi-package-masquerades-as.html
        https://www.darkreading.com/application-security/malicious-chimera-pypi
      • Warning Against Distribution Of Malware Disguised As Research Papers (Kimsuky Group)
        "Recently, the AhnLab SEcurity intelligence Center (ASEC) confirmed the phishing email attack case where the Kimsuky group disguised their attack as a request for paper review from a professor. The email prompted the recipient to open an HWP document file with a malicious OLE object attachment. The document was password-protected, and the recipient had to enter the password provided in the email body to view the document. Upon opening the document, six files were automatically created in the %TEMP% (temporary folder) path. To further prompt the user to check the content, the document body included a “More…” phrase, which contained a hyperlink that executed the “peice.bat” file, one of the six files created."
        https://asec.ahnlab.com/en/88465/
      • Malicious Loan App Removed From iOS And Google Play App Store Posed Severe Risks To Users
        "In February 2025, our detection engines identified a SpyLoan application on a victim’s device. The detected sample belonged to the “RapiPlata” application, which was available on Google Play (GP) and downloaded by over 100K victims. We estimate that around 150K victims have downloaded the app from both the Google Play Store and the Apple App Store, further highlighting the scale of the threat. This detection was made possible by Harmony Mobile’s machine learning model, which flagged the app as malicious."
        https://blog.checkpoint.com/research/malicious-loan-app-removed-from-ios-and-google-play-app-store-posed-severe-risks-to-users/
      • Hackers Switch To Targeting U.S. Insurance Companies
        "Threat intelligence researchers are warning of hackers breaching multiple U.S. companies in the insurance industry using all the tactics observed with Scattered Spider activity. Typically, the threat group has a sector-by-sector focus. Previously, they targeted retail organizations in the United Kingdom and then switched to targets in the same sector in the United States. “Google Threat Intelligence Group is now aware of multiple intrusions in the US which bear all the hallmarks of Scattered Spider activity. We are now seeing incidents in the insurance industry,” John Hultquist, Chief Analyst at Google Threat Intelligence Group (GTIG), told BleepingComputer."
        https://www.bleepingcomputer.com/news/security/google-warns-scattered-spider-hackers-now-target-us-insurance-companies/
        https://cyberscoop.com/scattered-spider-pivot-insurance-industry/
        https://www.theregister.com/2025/06/16/scattered_spider_targets_insurance_firms/
      • Clone, Compile, Compromise: Water Curse’s Open-Source Malware Trap On GitHub
        "Our Trend Micro™ Managed Detection and Response (MDR) team analyzed several incidents involving open-source project files hosted on GitHub. These tools, including an SMTP email bomber and Sakura-RAT, were presented as legitimate penetration testing utilities but were embedded with hidden malicious payloads within their Visual Studio project configuration files. The attackers exploited inherent trust in open-source software to deceive users — penetration testers, security professionals, or individuals who frequently rely on open-source tools in their work — into downloading and executing the tainted code."
        https://www.trendmicro.com/en_us/research/25/f/water-curse.html
        https://www.darkreading.com/cyberattacks-data-breaches/water-curse-targets-cybersecurity-pros-github-repos
      • Don't Get Caught In The Headlights - DeerStealer Analysis
        "Adversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes. We have discovered some of the most dangerous threats and nation state attacks in our space – including the Kaseya MSP breach and the more_eggs malware. Our Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced Threat Analytics driven by our Threat Response Unit – the TRU team."
        https://www.esentire.com/blog/dont-get-caught-in-the-headlights-deerstealer-analysis
        https://www.infosecurity-magazine.com/news/hijackloader-deerstealer-target/
      • GrayAlpha Uses Diverse Infection Vectors To Deploy PowerNet Loader And NetSupport RAT
        "Insikt Group identified new infrastructure associated with GrayAlpha, a threat actor that overlaps with the financially motivated group commonly referred to as FIN7. This newly identified infrastructure includes domains used for payload distribution and additional IP addresses believed to be tied to GrayAlpha. Insikt Group discovered a custom PowerShell loader named PowerNet, which decompresses and executes NetSupport RAT. Insikt Group identified another custom loader, referred to as MaskBat, that has similarities to FakeBat but is obfuscated and contains strings linked to GrayAlpha. Overall, Insikt Group found three primary infection methods: fake browser update pages, fake 7-Zip download sites, and the traffic distribution system (TDS) TAG-124."
        https://www.recordedfuture.com/research/grayalpha-uses-diverse-infection-vectors-deploy-powernet-loader-netsupport-rat
        https://go.recordedfuture.com/hubfs/reports/cta-2025-0613.pdf

      Breaches/Hacks/Leaks

      • Asheville Eye Associates Says 147,000 Impacted By Data Breach
        "North Carolina eye care center Asheville Eye Associates (AEA) is notifying roughly 147,000 individuals that their personal information was stolen in a November 2024 data breach. The incident, the company says, was detected on November 18, after a threat actor gained access to its network and exfiltrated certain files from its systems. “We quickly engaged third-party specialists to assist us with securing the network environment and investigating the incident,” the company informed the impacted individuals."
        https://www.securityweek.com/asheville-eye-associates-says-147000-impacted-by-data-breach/
      • Zoomcar Says Hackers Accessed Data Of 8.4 Million Users
        "India-based car sharing marketplace Zoomcar learned recently that some of its systems were hacked, and an investigation showed that the information of millions of users was compromised as a result. Zoomcar connects vehicle owners with people seeking car rentals. Its services are available in India, Indonesia, Egypt and Vietnam. Zoomcar Holdings, Inc. has informed the US Securities and Exchange Commission (SEC) that it learned of unauthorized access to its IT systems on June 9."
        https://www.securityweek.com/zoomcar-says-hackers-accessed-data-of-8-4-million-users/
        https://www.bleepingcomputer.com/news/security/zoomcar-discloses-security-breach-impacting-84-million-users/
        https://therecord.media/8-million-affected-zoomcar-data-breach
      • 240,000 Impacted By Data Breach At Eyecare Tech Firm Ocuco
        "Ireland-based eyecare technology company Ocuco has informed the US Department of Health and Human Services that it has suffered a data breach impacting more than 240,000 individuals. Ocuco describes itself as the largest optical retail software company in the world, with its software and services being used at over 6,000 locations across 77 countries. The company does not appear to have published a data breach notice, but the incident is likely related to a hacker attack involving the KillSec ransomware group, which earlier this year claimed to have stolen a significant amount of files from Ocuco."
        https://www.securityweek.com/240000-impacted-by-data-breach-at-eyecare-tech-firm-ocuco/
      • Hackers Impersonating US Government Compromise Email Account Of Prominent Russia Researcher
        "Keir Giles, a prominent British researcher on Russia, announced this weekend that several of his email accounts had been targeted “with a sophisticated account takeover” by hackers impersonating the U.S. State Department. In a warning on LinkedIn, Giles — the author of “Russia's War on Everybody” and a consulting fellow at the Chatham House think tank — told his contacts to handle with caution any unexpected emails they received from him. “In our long collective experience with sophisticated account takeovers, there’s a likelihood that anything that the attackers acquired before they were locked out — including, potentially, messages you or others have sent me, may be included in a future tainted data dump,” he wrote."
        https://therecord.media/keir-giles-russia-researcher-email-hacked
      • Washington Post's Email System Hacked, Journalists' Accounts Compromised
        "Email accounts of several Washington Post journalists were compromised in a cyberattack believed to have been carried out by a foreign government. The incident was discovered on Thursday evening and the publication started an investigation. On Sunday, June 15, an internal memo was sent to employees, informing them of a “possible targeted unauthorized intrusion into their email system.” According to The Wall Street Journal, the memo was signed by Executive Editor Matt Murray and informed that Microsoft accounts of a limited number of journalists were affected."
        https://www.bleepingcomputer.com/news/security/washington-posts-email-system-hacked-journalists-accounts-compromised/
        https://www.darkreading.com/vulnerabilities-threats/washington-post-staffer-emails-targeted-cyber-breach
        https://www.bankinfosecurity.com/suspected-chinese-hackers-targeted-washington-post-a-28715
      • Remorseless Extortionists Claim To Have Stolen Thousands Of Files From Freedman HealthCare
        "An extortion gang claims to have breached Freedman HealthCare, a data and analytics firm whose customers include state agencies, health providers, and insurance companies, and is threatening to dump tens of thousands of sensitive files early Tuesday morning. According to a claim posted Sunday on the shame site belonging to World Leaks, formerly Hunters International, the data thieves alleged to have pilfered 52.4 GB of data containing 42,204 files, which they will release at 4 am EDT on Tuesday."
        https://www.theregister.com/2025/06/16/extortionists_claim_freedman_healthcare_hack/

      General News

      • May 2025 Threat Trend Report On Ransomware
        "This report provides statistics on the number of new ransomware samples collected, the number of affected systems, and affected companies in May 2025, as well as key ransomware issues in Korea and abroad. The following is a summary of the report. Disclaimer: The number of ransomware samples and damaged systems is based on the detection names assigned by AhnLab, and statistics on targeted companies are based on the information published on the dedicated leak sites (DLS) of the ransomware group, also referred to as ransomware PR sites or PR pages, collected by the ATIP infrastructure over time."
        https://asec.ahnlab.com/en/88474/
      • Virtual Kidnapping Scams Prey On Our Worst Fears
        "Getting a call saying a family member has been kidnapped is terrifying. Fear and panic take over, making it hard to think clearly. That’s exactly what criminals count on when they use a scam called virtual kidnapping."
        https://www.helpnetsecurity.com/2025/06/16/virtual-kidnapping-scams/
      • Why CISOs Need To Understand The AI Tech Stack
        "As AI spreads, so do the risks. Security leaders are being asked to protect systems they don’t fully understand yet, and that’s a problem. A new report from the Paladin Global Institute, The AI Tech Stack: A Primer for Tech and Cyber Policy, breaks down how AI systems are built and where the biggest security risks live. For CISOs, it offers a practical way to start thinking about how to secure AI in real-world environments."
        https://www.helpnetsecurity.com/2025/06/16/ciso-ai-tech-stack/
      • Europe-Wide Takedown Hits Longest-Standing Dark Web Drug Market
        "Law enforcement authorities across Europe have dismantled ‘Archetyp Market’, the most enduring dark web marketplace, following a large-scale operation involving six countries, supported by Europol and Eurojust. Between 11 and 13 June, a series of coordinated actions took place across Germany, the Netherlands, Romania, Spain and Sweden, targeting the platform’s administrator, moderators, key vendors, and technical infrastructure. Around 300 officers were deployed to carry out enforcement actions and secure critical evidence."
        https://www.europol.europa.eu/media-press/newsroom/news/europe-wide-takedown-hits-longest-standing-dark-web-drug-market
        https://www.bleepingcomputer.com/news/security/police-seizes-archetyp-market-drug-marketplace-arrests-admin/
        https://therecord.media/archetyp-market-dark-web-takedown-europol
        https://cyberscoop.com/archetyp-market-takedown-europe/
        https://hackread.com/archetyp-dark-web-market-seized-admin-arrested-spain/
        https://www.helpnetsecurity.com/2025/06/16/archetyp-drug-market-shut-down/
        https://www.infosecurity-magazine.com/news/archetyp-market-shut-europe/
        https://securityaffairs.com/179053/deep-web/europol-shut-down-archetyp-market-marketplace.html
        https://www.securityweek.com/archetyp-dark-web-market-shut-down-by-law-enforcement/
        https://www.theregister.com/2025/06/16/archetyp_takedown_eurocops_arrest_suspected/
      • Red Teaming AI: The Build Vs Buy Debate
        "Before deploying an AI system, there are a few basic but critical questions that too often go unasked: Where is the model deployed? What kinds of inputs will it process? What will the output format be? What are the obvious business risks, and more importantly, how do we revisit business risks over time? If you’re not thinking about these things up front, then you are missing a significant portion of understanding how AI fits into your organization. While many “out of the box” models have some form of protection trained into the model itself, these tend to be basic protections and are often focused on safety rather than security. “Model Cards” tend to offer some insights, however measurements are not standardized across the industry. In the absence of stronger security features in the models themselves, a wide range of products and tools have emerged to address the security of AI models and protect your most critical applications and data."
        https://www.securityweek.com/red-teaming-ai-the-build-vs-buy-debate/
      • May 2025 Trends Report On Phishing Emails
        "This report provides statistics, trends, and case details on the distribution volume and attachment threats of phishing emails collected and analyzed in May 2025. The following is a part of the statistics and cases included in the original report."
        https://asec.ahnlab.com/en/88471/
      • May 2025 APT Group Trends
        "The North Korean APT group has been targeting Ukrainian government agencies. This is different from the group’s typical attack targets, so further observation is required to determine whether this is a one-time attack or a strategic alliance with Russia. North Korea is also attempting to infiltrate organizations by disguising themselves and getting employed in the cybersecurity and other industries. In the recruitment process, they use various methods, including resume manipulation using AI and disguising themselves as women."
        https://asec.ahnlab.com/en/88473/
        https://asec.ahnlab.com/en/88472/
      • May 2025 Infostealer Trend Report
        "This report provides statistics, trends, and case information on the distribution of Infostealer malware, including the distribution volume, methods, and disguises, based on the data collected and analyzed in May 2025. The following is a summary of the report."
        https://asec.ahnlab.com/en/88476/
      • Rise In Financial Losses Reported To The NCSC
        "The National Cyber Security Centre’s Cyber Security Insights report for Q1 2025, released today, shows a 14.7% quarterly increase in financial loss reported by New Zealanders. For the period from 1 January to 31 March 2025, a total of 1,369 incidents were reported to the NCSC in Q1. Of these, 77 incidents were triaged for specialist support because they were of potential national significance. Financial losses of NZ$7.8 million were reported to the NCSC, compared with $6.8 million in the previous quarter."
        https://www.ncsc.govt.nz/news/rise-in-financial-losses-reported-to-the-ncsc
        https://www.cert.govt.nz/insights-and-research/quarterly-report/quarter-one-cyber-security-insights-2025/
      • Security Is Only As Strong As The Weakest Third-Party Link
        "Managing third-party risks has long been a challenge for companies, but recent changes in US trade policy are creating uncertainty with regard to supply chains and security. This uncertainty is prompting business leaders to reconsider their suppliers and partners, meaning chief information security officers (CISOs) also need to evolve their third-party risk monitoring to ensure they quickly understand and can mitigate any risks these new relationships bring. This means treating risks faced by third parties as if they were their own."
        https://www.darkreading.com/vulnerabilities-threats/security-strong-weakest-third-party-link
      • US Offering $10 Million For Info On Iranian Hackers Behind IOControl Malware
        "The U.S. State Department said they were seeking information on Iranian hackers who they accused of targeting critical infrastructure using a strain of malware deployed against industrial control systems. U.S. officials are offering up to $10 million for details on a hacker affiliated with the group called CyberAv3ngers that gained prominence in 2023 and 2024 for a string of cyberattacks on U.S. and Israeli water utilities. Law enforcement agencies eventually tied CyberAv3ngers to Iran's Islamic Revolutionary Guard Corps Cyber-Electronic Command, and in August offered a reward for information on at least six Iranian government hackers allegedly behind the effort and placed sanctions on the men."
        https://therecord.media/us-offers-reward-for-iran-hacker-iocontrol-malware
      • 5,100 Flashpoint Known Exploited Vulnerabilities (KEV): Another Major Milestone For VulnDB
        "Security teams need vulnerability intelligence they can trust. With tens of thousands of new CVEs disclosed each year, the challenge isn’t finding vulnerabilities, it’s understanding which ones truly matter. In this noise and fragmentation, prioritizing by known exploited vulnerabilities (vulnerabilities that have been observed by threat actors in real-world attacks), helps to filter out some of that noise. Reaching 5,100 KEV, just over 700 of which do not have a CVE ID, isn’t just a milestone, it’s a wake-up call. This isn’t a static achievement. It’s an ongoing signal of risks demanding immediate action, and how intelligence-driven security strategy can shift organizations from being overwhelmed to proactive."
        https://flashpoint.io/blog/5100-flashpoint-known-exploited-vulnerabilities-kev-vulndb/

      References
      Electronic Transactions Development Agency (ETDA)
