NCSA Webboard

    Cyber Threat Intelligence 01 July 2025

    Cyber Security News
    • NCSA_THAICERT

      New Tooling

      • RIFT: New Open-Source Tool From Microsoft Helps Analyze Rust Malware
        "Microsoft’s Threat Intelligence Center has released a new tool called RIFT to help malware analysts identify malicious code hidden in Rust binaries. While Rust is becoming more popular for its speed and memory safety, those same qualities make malware written in Rust harder to analyze. RIFT is designed to cut through that complexity and make the job easier."
        https://www.helpnetsecurity.com/2025/06/30/rift-open-source-microsoft-tool-analyze-rust-malware/
        https://github.com/microsoft/RIFT

      Vulnerabilities

      • Over 1,200 Citrix Servers Unpatched Against Critical Auth Bypass Flaw
        "Over 1,200 Citrix NetScaler ADC and NetScaler Gateway appliances exposed online are unpatched against a critical vulnerability believed to be actively exploited, allowing threat actors to bypass authentication by hijacking user sessions. Tracked as CVE-2025-5777 and referred to as Citrix Bleed 2, this out-of-bounds memory read vulnerability results from insufficient input validation, enabling unauthenticated attackers to access restricted memory regions. A similar Citrix security flaw, dubbed "CitrixBleed," was exploited in ransomware attacks and breaches targeting governments in 2023 to hack NetScaler devices and move laterally across compromised networks."
        https://www.bleepingcomputer.com/news/security/over-1-200-citrix-servers-unpatched-against-critical-auth-bypass-flaw/
        https://www.helpnetsecurity.com/2025/06/30/citrixbleed-2-might-be-actively-exploited-cve-2025-5777/
      • CISA Adds One Known Exploited Vulnerability To Catalog
        "CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
        CVE-2025-6543 Citrix NetScaler ADC and Gateway Buffer Overflow Vulnerability"
        https://www.cisa.gov/news-events/alerts/2025/06/30/cisa-adds-one-known-exploited-vulnerability-catalog
        https://securityaffairs.com/179476/hacking/u-s-cisa-adds-citrix-netscaler-flaw-to-its-known-exploited-vulnerabilities-catalog.html

      Malware

      • International Criminal Court Hit By Cyber Attack
        "The International Criminal Court (ICC) has revealed it detected a "new, sophisticated and targeted" cybersecurity incident late last week, adding it has now been contained. The incident was the second of its type against the ICC in recent years, it said in a statement. In 2023, the ICC announced it had been hacked, and the court struggled with the aftermath for weeks as it was disconnected from most systems that can access the internet."
        https://www.itnews.com.au/news/international-criminal-court-hit-by-cyber-attack-618324
      • 10 Things I Hate About Attribution: RomCom Vs. TransferLoader
        "Most of the time, delineating activities from distinct clusters and separating cybercrime from espionage can be done based on differing tactics, techniques, and procedures (TTPs), tooling, volume/scale, and targeting. However, in the case of TA829 and a cluster Proofpoint dubbed “UNK_GreenSec”, there is more ambiguity. TA829 is a cybercriminal actor that occasionally also conducts espionage aligned with Russian state interests, while UNK_GreenSec is an unusual cybercriminal cluster. TA829 overlaps with activity tracked by third parties as RomCom, Void Rabisu, Storm-0978, CIGAR, Nebulous Mantis, Tropical Scorpius. The UNK_GreenSec cybercriminal cluster does not appear to align with publicly reported activity sets."
        https://www.proofpoint.com/us/blog/threat-insight/10-things-i-hate-about-attribution-romcom-vs-transferloader
      • Tracing Blind Eagle To Proton66
        "Trustwave SpiderLabs, which has been tracking Proton66 for the last several months, was able to make this connection by pivoting from Proton66-linked assets, which led to the identification of another active threat cluster relying on the same ASN infrastructure. Pivoting identified what is assessed to be one of its most recent and operationally active infrastructure clusters, characterized by strong interconnections across multiple domains and IP address clusters. This infrastructure exclusively leverages Visual Basic Script (VBS) files as its initial attack vector, relies heavily on free Dynamic DNS (DDNS) services, and deploys readily available Remote Access Trojans (RATs) as a second-stage malware."
        https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/tracing-blind-eagle-to-proton66/
        https://thehackernews.com/2025/06/blind-eagle-uses-proton66-hosting-for.html
      • Hide Your RDP: Password Spray Leads To RansomHub Deployment
        "This intrusion began in November 2024 with a password spray attack targeting an internet-facing RDP server. Over the course of several hours, the threat actor attempted logins against multiple accounts using known malicious IPs (based on OSINT). Several hours later they then logged in via RDP with one of the previously compromised users and ran a series of discovery commands, including various net commands to enumerate users and computers. Credential access tools, specifically Mimikatz and Nirsoft CredentialsFileView, were used to extract stored credentials and interact with LSASS memory."
        https://thedfirreport.com/2025/06/30/hide-your-rdp-password-spray-leads-to-ransomhub-deployment/

      Breaches/Hacks/Leaks

      • Switzerland Says Government Data Stolen In Ransomware Attack
        "The government in Switzerland is informing that sensitive information from various federal offices has been impacted by a ransomware attack at the third-party organization Radix. The hackers have stolen data from Radix systems and later leaked it on the dark web, the Swiss government says. The exposed data is being analyzed with the help of the country’s National Cyber Security Centre (NCSC) to determine which government agencies are impacted and to what effect. “The foundation Radix has been targeted by a ransomware attack, during which data was stolen and encrypted,” announced the Swiss government."
        https://www.bleepingcomputer.com/news/security/switzerland-says-government-data-stolen-in-ransomware-attack/
      • Another Billing Software Vendor Hacked By Ransomware
        "Horizon Healthcare RCM is the latest revenue cycle management software vendor to report a health data breach involving ransomware and data theft. The firm's breach notification statement suggests that the company paid a ransom to prevent the disclosure of its stolen information. Horizon Healthcare RCM told Maine's attorney general in a breach report on June 27 that the incident affected six residents of that state."
        https://www.bankinfosecurity.com/another-billing-software-vendor-hacked-by-ransomware-a-28866
      • Norwegian Dam Valve Forced Open For Hours In Cyberattack
        "In a concerning incident this April, unidentified hackers managed to breach the control systems of a Norwegian dam. Reportedly, hackers breached the control systems of a Norwegian dam, causing its water valve to open fully. The incident occurred at the Lake Risevatnet dam, situated near the city of Svelgen in Southwest Norway. The valve remained open for four hours before the unauthorized activity was detected. According to the Norwegian energy news outlet, Energiteknikk, the hack did not pose a danger, as the water flow barely exceeded the dam’s minimum requirement. The valve released an additional 497 litres per second, but officials noted that the riverbed could handle a much larger volume, up to 20,000 litres per second."
        https://hackread.com/norwegian-dam-valve-forced-open-hours-in-cyberattack/
      • Swiss Nonprofit Health Organization Breached By Sarcoma Ransomware Group
        "The Swiss nonprofit health organization Radix has confirmed that its systems were breached by a ransomware group earlier this month. In a statement on Monday, the Zurich-based agency — which runs health promotion programs and online counseling services — said that the threat actor known as Sarcoma had published data stolen from its systems on a leak site. The Swiss government also issued a statement noting that "various federal offices" are among Radix's customers, and officials are evaluating what data was compromised. Radix has "no direct access" to government systems, the statement said."
        https://therecord.media/sarcoma-ransomware-breach-swiss-healthcare-nonprofit-radix

      General News

      • Third-Party Breaches Double, Creating Ripple Effects Across Industries
        "Supply chain risks remain top-of-mind for the vast majority of CISOs and cybersecurity leaders, according to SecurityScorecard. Their findings reveal that the way most organizations manage supply chain cyber risk isn’t keeping pace with expanding threats. Third-party involvement in breaches has doubled, rising from 15% to nearly 30%, according to the 2025 Verizon DBIR. A small group of third-party providers supports much of the world’s technology and infrastructure, creating an extreme concentration of risk. When even one of these providers is compromised, the ripple effects can disrupt thousands of organizations simultaneously."
        https://www.helpnetsecurity.com/2025/06/30/supply-chain-cyber-risks/
      • Are We Securing AI Like The Rest Of The Cloud?
        "In this Help Net Security interview, Chris McGranahan, Director of Security Architecture & Engineering at Backblaze, discusses how AI is shaping both offensive and defensive cybersecurity tactics. He talks about how AI is changing the threat landscape, the complications it brings to penetration testing, and what companies can do to stay ahead of AI-driven attacks. McGranahan also points out that human expertise remains essential, and we can’t depend on AI alone to protect cloud environments."
        https://www.helpnetsecurity.com/2025/06/30/chris-mcgranahan-backblaze-ai-cloud-security/
      • CISA And Partners Urge Critical Infrastructure To Stay Vigilant In The Current Geopolitical Environment
        "Today, CISA, in collaboration with the Federal Bureau of Investigation (FBI), the Department of Defense Cyber Crime Center (DC3), and the National Security Agency (NSA), released a Fact Sheet urging organizations to remain vigilant against potential targeted cyber operations by Iranian state-sponsored or affiliated threat actors. Over the past several months, there has been increasing activity from hacktivists and Iranian government-affiliated actors, which is expected to escalate due to recent events. These cyber actors often exploit targets of opportunity based on the use of unpatched or outdated software with known Common Vulnerabilities and Exposures or the use of default or common passwords on internet-connected accounts and devices."
        https://www.cisa.gov/news-events/alerts/2025/06/30/cisa-and-partners-urge-critical-infrastructure-stay-vigilant-current-geopolitical-environment
        https://www.cisa.gov/resources-tools/resources/iranian-cyber-actors-may-target-vulnerable-us-networks-and-entities-interest
        https://www.cisa.gov/sites/default/files/2025-06/joint-fact-sheet-Iranian-cyber-actors-may-target-vulnerable-US-networks-and-entities-of-interest-508c-1.pdf
        https://www.ic3.gov/CSA/2025/250630.pdf
        https://www.bleepingcomputer.com/news/security/us-warns-of-iranian-cyber-threats-on-critical-infrastructure/
        https://thehackernews.com/2025/06/us-agencies-warn-of-rising-iranian.html
        https://therecord.media/defense-vigilant-cyber-iran-israel
        https://www.infosecurity-magazine.com/news/iranian-cyber-threats-us/
      • Crypto Investment Fraud Ring Dismantled In Spain After Defrauding 5 000 Victims Worldwide
        "On 25 June 2025, the Spanish Guardia Civil, with the support of Europol and law enforcement from Estonia, France and the United States of America, arrested five members of a criminal network engaged in cryptocurrency investment fraud. The investigation identified that the perpetrators had laundered EUR 460 million in illicit profits stolen through crypto investment fraud from over 5 000 victims from around the world."
        https://www.europol.europa.eu/media-press/newsroom/news/crypto-investment-fraud-ring-dismantled-in-spain-after-defrauding-5-000-victims-worldwide
        https://www.bleepingcomputer.com/news/security/europol-helps-disrupt-540-million-crypto-investment-fraud-ring/
        https://thehackernews.com/2025/06/europol-dismantles-540-million.html
        https://www.infosecurity-magazine.com/news/taskforce-dismantles-euro460m/
        https://www.helpnetsecurity.com/2025/06/30/spain-crypto-fraud-arrests-2025/
      • Hired Hacker Assists Drug Cartel In Finding, Killing FBI Sources
        "The notorious Sinaloa Mexican drug cartel hired a hacker to conduct surveillance on persons of interest in the El Chapo case, which the cartel used to intimidate and kill potential FBI sources and witnesses, according to a government report. The US Department of Justice's Office of Inspector General (OIG) on Thursday published an audit of the FBI's efforts to mitigate what it calls "ubiquitous technical surveillance" (UTS) and the threat it poses to the bureau's operations and investigations. The OIG defines UTS as widespread data collection and analytics "for the purpose of connecting people to things, events, or locations.""
        https://www.darkreading.com/cyberattacks-data-breaches/hacker-drug-cartel-killing-fbi-sources
        https://oig.justice.gov/sites/default/files/reports/25-065_t.pdf
        https://www.bankinfosecurity.com/doj-cartel-hacked-phones-cameras-to-track-fbi-informants-a-28863
        https://www.theregister.com/2025/06/30/sinaloa_drug_cartel_hired_cybersnoop/
      • Why Cybersecurity Should Come Before AI In Schools
        "Artificial intelligence has become the hot new tech across schools, and why wouldn't it be? It's helping students digest dense historical texts and improve book reports, and it's helping teachers simplify complex math concepts. Academia wants to show students how to embrace this powerful technology safely — and in line with school rules — because unfortunately, we've already begun to see the dark side of AI in the "real" world. But that raises a very serious question: What are our students learning about cybersecurity?"
        https://www.darkreading.com/endpoint-security/cybersecurity-before-ai-schools
      • Android Threats Rise Sharply, With Mobile Malware Jumping By 151% Since Start Of Year
        "The Android threat landscape in the first half of 2025 has entered a new phase. An era marked not just by volume, but by coordination and precision. Attackers are no longer simply throwing malware at users and hoping for results. They’re building ecosystems. Recent Malwarebytes threat research data reveals a sharp rise in mobile threats across the board, with malware targeting Android devices up 151%. We’ve seen a 147% increase in spyware, a broad category of apps that collect user data without consent, with a notable spike in Feb and March. In fact, the February/March levels represent nearly a 4x multiplication of the baseline."
        https://www.malwarebytes.com/blog/news/2025/06/android-threats-rise-sharply-with-mobile-malware-jumping-by-151-since-start-of-year
      • Hacker Conversations: Rachel Tobac And The Art Of Social Engineering
        "Social engineering is the art of persuasion. Mostly, this is a good thing. Misused, it can have disastrous effects. Rachel Tobac is a cyber social engineer. She is skilled at persuading people to do what she wants, rather than what they know they ought to do. Does this make her a hacker? “Yes. I am a hacker. I hack people. I hack people over the phone, via email, by text message, across social media – and occasionally in person.” Social engineers hack people rather than computers. She is now co-founder and CEO of SocialProof Security."
        https://www.securityweek.com/hacker-conversations-rachel-tobac-and-the-art-of-social-engineering/
      • 'Disgruntled' British IT Worker Jailed For Hacking Employer After Being Suspended
        "A British IT worker who launched what police described as a cyberattack against his employer after being suspended from work has been jailed for seven months. According to West Yorkshire Police, within hours of his suspension in July 2022, Mohammed Umar Taj attempted to take revenge on his employer. The unidentified firm, which has clients in the United Kingdom as well as in Germany and Bahrain, said it suffered “significant disruption” and lost at least £200,000 (about $275,000) due to the attack, as well as suffered reputational harm."
        https://therecord.media/uk-it-worker-jailed-hacking-former-employer
        https://www.theregister.com/2025/06/30/british_rogue_admin/
        https://www.infosecurity-magazine.com/news/it-worker-jailed-revenge-attack/
      • DOJ Raids 29 ‘Laptop Farms’ In Operation Against North Korean IT Worker Scheme
        "Nearly 30 “laptop farms” across 16 states have been raided by U.S. law enforcement in recent months for their suspected role in a long-running North Korean IT worker scheme. The Justice Department on Monday announced a coordinated action that involved three indictments, one arrest, the seizure of 29 financial accounts and the shutdown of 21 websites alongside the laptop farm raids. FBI officials said the laptop farms allowed an undisclosed number of North Koreans to illegally work at more than 100 U.S. companies. The farms host work devices sent by legitimate companies who unwittingly hired North Koreans, allowing the employees to appear as if they are working from the U.S."
        https://therecord.media/doj-raids-laptop-farms-crackdown
        https://regmedia.co.uk/2025/06/30/doj-release.pdf
        https://cyberscoop.com/arrest-seizures-north-korean-it-workers-june-2025/
        https://www.bankinfosecurity.com/us-announces-crackdown-on-north-koreans-posing-as-workers-a-28864
        https://www.theregister.com/2025/06/30/us_north_korea_workers/

      Reference
      Electronic Transactions Development Agency (ETDA)
