NCSA Webboard

    Cyber Threat Intelligence 08 July 2025

    Cyber Security News
      NCSA_THAICERT

      New Tooling

      • Aegis Authenticator: Free, Open-Source 2FA App For Android
        "Aegis Authenticator is an open-source 2FA app for Android that helps you manage login codes for your online accounts. The app features strong encryption and the ability to back up your data. It supports both HOTP and TOTP, so it works with thousands of services. It also allows the export or import from a wide variety of 2FA apps, with support for automatic backups."
        https://www.helpnetsecurity.com/2025/07/07/aegis-2fa-authenticator-free-open-source-android/
        https://github.com/beemdevelopment/Aegis

      Vulnerabilities

      • How Much More Must We Bleed? - Citrix NetScaler Memory Disclosure (CitrixBleed 2 CVE-2025-5777)
        "Before you dive into our latest diatribe, indulge us and join us on a journey. Sit in your chair, stand at your desk, lick your phone screen - close your eyes and imagine a world in which things are great. It’s sunny outside, the birds are chirping, and your Secure-by-Design promise ring feels great. You’ve decided to build a network over the weekend. Why, you ask? Because you can. Saturday morning comes, and you’re sitting there (naturally, Bambi is by your side) building your network. "What should I use to help secure my environment and access to it?” you ponder. Obviously, because you lack individual thought, you type your question into ChatGPT - “You’re in luck, there’s an entire industry that builds enterprise-grade, enterprise-priced secure remote access appliances!”"
        https://labs.watchtowr.com/how-much-more-must-we-bleed-citrix-netscaler-memory-disclosure-citrixbleed-2-cve-2025-5777/
        https://horizon3.ai/attack-research/attack-blogs/cve-2025-5777-citrixbleed-2-write-up-maybe/
        https://www.bleepingcomputer.com/news/security/public-exploits-released-for-citrixbleed-2-netscaler-flaw-patch-now/
        https://www.infosecurity-magazine.com/news/citrixbleed-2-detection-analysis/
        https://www.theregister.com/2025/07/07/citrixbleed_2_exploits/
      • CISA Adds Four Known Exploited Vulnerabilities To Catalog
        "CISA has added four new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
        CVE-2014-3931 Multi-Router Looking Glass (MRLG) Buffer Overflow Vulnerability
        CVE-2016-10033 PHPMailer Command Injection Vulnerability
        CVE-2019-5418 Rails Ruby on Rails Path Traversal Vulnerability
        CVE-2019-9621 Synacor Zimbra Collaboration Suite (ZCS) Server-Side Request Forgery (SSRF) Vulnerability"
        https://www.cisa.gov/news-events/alerts/2025/07/07/cisa-adds-four-known-exploited-vulnerabilities-catalog

      Malware

      • XwormRAT Being Distributed Using Steganography
        "AhnLab SEcurity intelligence Center (ASEC) collects information on malware distributed through phishing emails by using its own “email honeypot system.” Based on this information, ASEC publishes the “Phishing Email Trend Report” and “Infostealer Trend Report” on the ASEC Blog every month. Recently, XwormRAT has been confirmed to be distributed using steganography. This malware starts with VBScript and JavaScript. It inserts malicious scripts into legitimate code, making it difficult for users to notice its malicious behavior. The script (VBScript or JavaScript) executed for the first time adds an embedded PowerShell script to call and download the final malware. This malware has been previously covered on the ASEC Blog. It is still being distributed in modified versions."
        https://asec.ahnlab.com/en/88885/
      • DRAT V2: Updated DRAT Emerges In TAG-140’s Arsenal
        "During an investigation into a recent TAG-140 campaign targeting Indian government organizations, Insikt Group identified a modified variant of the DRAT remote access trojan (RAT), which we designated as DRAT V2. TAG-140 has overlaps with SideCopy, an operational subgroup assessed to be a sub-cluster or operational affiliate of Transparent Tribe (also tracked as APT36, ProjectM, or MYTHIC LEOPARD). TAG-140 has consistently demonstrated iterative advancement and variety in its malware arsenal and delivery techniques. This latest campaign, which spoofed the Indian Ministry of Defence via a cloned press release portal, marks a slight but notable shift in both malware architecture and command-and-control (C2) functionality."
        https://www.recordedfuture.com/research/drat-v2-updated-drat-emerges-tag-140s-arsenal
        https://go.recordedfuture.com/hubfs/reports/cta-2025-0623.pdf
        https://thehackernews.com/2025/07/tag-140-deploys-drat-v2-rat-targeting.html
      • Atomic MacOS Stealer Now Includes a Backdoor For Persistent Access
        "Atomic macOS Stealer (AMOS), a popular piece of stealer malware for macOS, has just received a major update. For the first time, it’s being deployed with an embedded backdoor. This change allows attackers to maintain persistent access to a victim’s Mac, run arbitrary tasks from remote servers, and gain extended control over compromised machines. This represents the highest level of risk Moonlock, a cybersecurity division of MacPaw, has observed from AMOS so far. It is believed to be only the second known case — after North Korean threat actors — of backdoor deployment at a global scale targeting macOS users."
        https://moonlock.com/amos-backdoor-persistent-access
        https://www.bleepingcomputer.com/news/security/atomic-macos-infostealer-adds-backdoor-for-persistent-attacks/
      • Batavia Spyware Steals Data From Russian Organizations
        "Since early March 2025, our systems have recorded an increase in detections of similar files with names like договор-2025-5.vbe, приложение.vbe, and dogovor.vbe (translation: contract, attachment) among employees at various Russian organizations. The targeted attack begins with bait emails containing malicious links, sent under the pretext of signing a contract. The campaign began in July 2024 and is still ongoing at the time of publication. The main goal of the attack is to infect organizations with the previously unknown Batavia spyware, which then proceeds to steal internal documents. The malware consists of the following malicious components: a VBA script and two executable files, which we will describe in this article. Kaspersky solutions detect these components as HEUR:Trojan.VBS.Batavia.gen and HEUR:Trojan-Spy.Win32.Batavia.gen."
        https://securelist.com/batavia-spyware-steals-data-from-russian-organizations/116866/
        https://www.bleepingcomputer.com/news/security/batavia-windows-spyware-campaign-targets-dozens-of-russian-orgs/
        https://securityaffairs.com/179699/uncategorized/new-batavia-spyware-targets-russian-industrial-enterprises.html
      • Taking SHELLTER: a Commercial Evasion Framework Abused In-The-Wild
        "Elastic Security Labs is observing multiple campaigns that appear to be leveraging the commercial AV/EDR evasion framework, SHELLTER, to load malware. SHELLTER is marketed to the offensive security industry for sanctioned security evaluations, enabling red team operators to more effectively deploy their C2 frameworks against contemporary anti-malware solutions."
        https://www.elastic.co/security-labs/taking-shellter
        https://www.shellterproject.com/statement-regarding-recent-misuse-of-shellter-elite-and-elastic-security-labs-handling/
        https://www.bleepingcomputer.com/news/security/hackers-abuse-leaked-shellter-red-team-tool-to-deploy-infostealers/
      • Deploying NetSupport RAT Via WordPress & ClickFix
        "In May 2025, Cybereason Global Security Operations Center (GSOC) detected that threat actors have been hosting malicious WordPress websites to deliver malicious versions of the legitimate NetSupport Manager Remote Access Tool (RAT). This report analyzes the methods and tools used by threat actors to deploy the NetSupport RAT payload, focusing on the malicious JavaScript and associated techniques. It also includes relevant Indicators of Compromise (IOCs)."
        https://www.cybereason.com/blog/net-support-rat-wordpress-clickfix
      • Exposing Scattered Spider: New Indicators Highlight Growing Threat To Enterprises And Aviation
        "Scattered Spider, a sophisticated cyber threat group known for aggressive social engineering and targeted phishing, is broadening its scope, notably targeting aviation alongside enterprise environments. Check Point Research has uncovered specific phishing domain indicators, helping enterprises and aviation companies proactively defend against this emerging threat."
        https://blog.checkpoint.com/research/exposing-scattered-spider-new-indicators-highlight-growing-threat-to-enterprises-and-aviation/
      • Scattered Spider And Other Criminal Compromise Of Outsourcing Providers Increases Victim Attacks
        "Independent Halcyon research and open-source intelligence have identified several recent instances of cybercriminals, including Scattered Spider, compromising call centers and other third-party service companies—known as Business Process Outsourcing (BPO) providers—to facilitate their attacks against larger numbers of victims, often focused in one or a few sectors. In the first half of 2025, these compromises have enabled threat actors to steal hundreds of millions of dollars from a crypto firm, as well as Scattered Spider’s compromise of multiple victims in the retail and insurance industries."
        https://www.halcyon.ai/blog/scattered-spider-and-other-criminal-compromise-of-outsourcing-providers-increases-victim-attacks
        https://cyberscoop.com/scattered-spider-social-engineering-cybercrime/
      • Ongoing Phishing Campaign Utilizes LogoKit For Credential Harvesting
        "The initial phishing link we identified mimicked the Hungary CERT login page, with the victim’s email address prefilled in the username field to enhance credibility and increase the likelihood of credential submission. The phishing pages were hosted on Amazon S3 (AWS) to stay under the radar and increase credibility among potential victims. The phishing pages integrate Cloudflare Turnstile to create a false sense of security and legitimacy, increasing the success rate of credential harvesting."
        https://cyble.com/blog/logokit-being-leveraged-for-credential-theft/
      • BERT Ransomware Group Targets Asia And Europe On Multiple Platforms
        "In April, a new ransomware group known as BERT was observed targeting organizations across Asia and Europe. Trend™ Research telemetry has confirmed the emergence and activity of this ransomware. This blog entry examines BERT’s tools and tactics across multiple variants. By comparing its different iterations, we unpack how the ransomware group operates, how their methods have evolved, and the tactics they employed to evade detection and defenses."
        https://www.trendmicro.com/en_us/research/25/g/bert-ransomware-group-targets-asia-and-europe-on-multiple-platforms.html
        https://therecord.media/bert-ransomware-identified
        https://www.darkreading.com/cyber-risk/bert-blitzes-linux-windows-systems
      • NordDragonScan: Quiet Data-Harvester On Windows
        "FortiGuard Labs recently uncovered an active delivery site that hosts a weaponized HTA script and silently drops the infostealer “NordDragonScan” into victims’ environments. Once installed, NordDragonScan examines the host and copies documents, harvests entire Chrome and Firefox profiles, and takes screenshots. The package is then sent over TLS to its command-and-control server, “kpuszkiev.com,” which also serves as a heartbeat server to confirm the victim is still online and to request additional data when needed."
        https://www.fortinet.com/blog/threat-research/norddragonscan-quiet-data-harvester-on-windows
      • Malvertising Campaign Delivers Oyster/Broomstick Backdoor Via SEO Poisoning And Trojanized Tools
        "Since early June 2025, Arctic Wolf has observed a search engine optimisation (SEO) poisoning and malvertising campaign promoting malicious websites hosting Trojanized versions of legitimate IT tools such as PuTTY and WinSCP. These fake sites aim to trick unsuspecting users—often IT professionals—into downloading and executing Trojanized installers. Upon execution, a backdoor known as Oyster/Broomstick is installed. Persistence is established by creating a scheduled task that runs every three minutes, executing a malicious DLL (twain_96.dll) via rundll32.exe using the DllRegisterServer export, indicating the use of DLL registration as part of the persistence mechanism. While only Trojanized versions of PuTTY and WinSCP have been observed in this campaign, it is possible that additional tools may also be involved."
        https://arcticwolf.com/resources/blog-uk/malvertising-campaign-delivers-oyster-broomstick-backdoor-via-seo-poisoning-and-trojanized-tools/
        https://thehackernews.com/2025/07/seo-poisoning-campaign-targets-8500.html
      • Chrome Store Features Extension Poisoned With Sophisticated Spyware
        "Google has inadvertently been promoting sophisticated spyware that can hijack browser sessions with malicious redirects hidden in a legitimate Chrome extension. The extension, which offers a legitimate color picker, was poisoned with the malware via an update at the end of June. The extension, called "Color Picker, Eyedropper — Geco colorpick," has more than 100,000 downloads, a verified Google badge, and a featured placement in the Google Chrome Web Store. Its high status in the store is because it has been a legitimate extension for years — before it received the malicious update on June 27, Idan Dardikman from Koi Security tells Dark Reading."
        https://www.darkreading.com/endpoint-security/chrome-store-features-extension-poisoned-sophisticated-spyware

      Breaches/Hacks/Leaks

      • Qantas Is Being Extorted In Recent Data-Theft Cyberattack
        "Qantas has confirmed that it is now being extorted by threat actors following a cyberattack that potentially exposed the data for 6 million customers. "A potential cyber criminal has made contact, and we are currently working to validate this," Qantas shared in an updated statement. "As this is a criminal matter, we have engaged the Australian Federal Police and won't be commenting any further on the details of the contact.""
        https://www.bleepingcomputer.com/news/security/qantas-is-being-extorted-in-recent-data-theft-cyberattack/
        https://www.infosecurity-magazine.com/news/qantas-contacted-cybercriminal/
      • Nearly 300,000 People Were Impacted By Cyberattack On Nova Scotia Power
        "Canadian utility Nova Scotia Power is notifying about 280,000 people of a data breach that occurred following a cyberattack earlier this year. In letters to victims, the company said an investigation revealed that hackers had access to critical systems from March 19 to April 25, allowing them to steal names, addresses, driver's license numbers, Canadian Social Insurance numbers, bank account details and troves of information from the Nova Scotia Power program including power consumption, service requests, customer payment, billing and credit history, and customer correspondence."
        https://therecord.media/thousands-impacted-cyber-nova-scotia

      General News

      • AI Built It, But Can You Trust It?
        "In this Help Net Security interview, John Morello, CTO at Minimus, discusses the security risks in AI-driven development, where many dependencies are pulled in quickly. He explains why it’s hard to secure software stacks that no one fully understands. He also shares what needs to change to keep development secure as AI becomes more common."
        https://www.helpnetsecurity.com/2025/07/07/john-morello-minimus-secure-ai-driven-development/
      • New Technique Detects Tampering Or Forgery Of a PDF Document
        "Researchers from the University of Pretoria presented a new technique for detecting tampering in PDF documents by analyzing the file’s page objects. The technique employs a prototype that can detect changes to a PDF document, such as changes made to the text, images, or metadata. With the PDF format being used as a formal means of communication in multiple industries, it has become a good target for criminals who wish to affect contracts or aid in misinformation."
        https://www.helpnetsecurity.com/2025/07/07/detect-pdf-tampering-forgery/
        https://arxiv.org/pdf/2507.00827
      • Employee Gets $920 For Credentials Used In $140 Million Bank Heist
        "Hackers stole nearly $140 million from six banks in Brazil by using an employee's credentials from C&M, a company that offers financial connectivity solutions. The incident reportedly occurred on June 30, after the attackers bribed the employee to give them his account credentials and perform specific actions that would help their operations."
        https://www.bleepingcomputer.com/news/security/employee-gets-920-for-credentials-used-in-140-million-bank-heist/
        https://therecord.media/brazil-police-arrest-worker-theft
        https://www.securityweek.com/police-in-brazil-arrest-a-suspect-over-100m-banking-hack/
      • Gamers Hacked Playing Call Of Duty: WWII—PC Version Temporarily Taken Offline
        "On Saturday, the Call of Duty team announced that the PC version of Call of Duty: WWII has been taken offline following “reports of an issue.” That issue seems to be a serious security problem, after reports surfaced about a remote code execution (RCE) vulnerability in the game. After Microsoft’s acquisition of Activision in 2023, Activision’s headline title, Call of Duty, has been slowly making its way over to Xbox and PC Game Pass. But only days after the 2017 Call of Duty: WWII arrived on Microsoft’s subscription service, the concerning reports started coming in. Players were using an RCE exploit to take over other players’ PCs during live multiplayer matches."
        https://www.malwarebytes.com/blog/news/2025/07/gamers-hacked-playing-call-of-duty-wwii-pc-version-temporarily-taken-offline
        https://cyberscoop.com/call-of-duty-remote-code-execution-pc-game-offline/
      • SatanLock Ransomware Ends Operations, Says Stolen Data Will Be Leaked
        "The newly formed SatanLock ransomware group has announced it is shutting down. Before disappearing, however, the group says it will leak all the data stolen from its victims later today. The announcement was made on the gang’s official Telegram channel and dark web leak site. It’s also worth noting that the group has deleted all victim listings that were visible just hours ago. Now, anyone visiting their .onion site sees a message reading, “SatanLock project will be shut down – The files will all be leaked today.”"
        https://hackread.com/satanlock-ransomware-ends-operations-stolen-data-leak/
      • Doctor Web’s Q2 2025 Review Of Virus Activity On Mobile Devices
        "According to detection statistics collected by Dr.Web Security Space for mobile devices, adware trojans from various families remained the most common malware. Members of the Android.HiddenAds trojan family were again the most active, despite the fact that users encountered them 8.62% less often. These were followed by Android.MobiDash adware trojans; the number of attacks involving them increased by 11.17%. Android.FakeApp malicious programs, used in various fraudulent schemes, ranked third; they were detected on protected devices 25.17% less frequently."
        https://news.drweb.com/show/review/?lng=en&i=15027
        https://hackread.com/android-malware-adware-trojan-crypto-theft-q2-threats/
      • Phishing Platforms, Infostealers Blamed As Identity Attacks Soar
        "A rise in advanced phishing kits and info-stealing malware is to blame for a 156 percent jump in cyberattacks targeting user logins, say researchers. Security shop eSentire says identity-based attacks have soared since last year, and now make up 59 percent of all investigations carried out by its experts. Organizations, it added, should be on high alert for financially motivated crimes. It's particularly worried about the increased likelihood that these identity attacks will lead to business email compromise (BEC) schemes and ransomware disasters."
        https://www.theregister.com/2025/07/07/phishing_platforms_infostealers_blamed_for/
        https://esentire-dot-com-assets.s3.amazonaws.com/assets/resourcefiles/eSentire_Report_Identity-Centric-Threats.pdf
        https://www.infosecurity-magazine.com/news/hackers-target-employee-credentials/
      • Cyberattack Deals Blow To Russian Firmware Used To Repurpose Civilian Drones For Ukraine War
        "Russian developers behind a custom firmware used to convert consumer drones for military use in Ukraine have reported a cyberattack on their infrastructure, disrupting the system that distributes the software. According to a statement posted on the Telegram channel Russian Hackers – To the Front, unidentified hackers breached servers responsible for delivering the “1001” firmware, displayed false messages on operator terminals, and then disabled the system. The developers said the firmware itself was not compromised, calling the risk of backdoors or malicious code “extremely low.” However, drone operators were advised to disconnect their terminals as a precaution."
        https://therecord.media/cyberattack-russia-firmware-blow-hackers
      • Alleged Chinese Hacker Tied To Silk Typhoon Arrested For Cyberespionage
        "A Chinese national was arrested in Milan, Italy, last week for allegedly being linked to the state-sponsored Silk Typhoon hacking group, which is responsible for cyberattacks against American organizations and government agencies. According to Italian media ANSA, the 33-year-old man, Xu Zewei, was arrested at Milan's Malpensa Airport on July 3rd after arriving on a flight from China. Italian police arrested the suspect on an international warrant from the U.S. government. ANSA reports that Xu is accused of being linked to the Chinese state-sponsored Silk Typhoon hacking group, aka Hafnium, which has been responsible for a wide range of cyberespionage attacks against the U.S. and other countries."
        https://www.bleepingcomputer.com/news/security/alleged-chinese-hacker-tied-to-silk-typhoon-arrested-for-cyberespionage/

      Reference
      Electronic Transactions Development Agency (ETDA)
