NCSA Webboard

    Cyber Threat Intelligence 14 July 2025

    Cyber Security News
    NCSA_THAICERT

      Financial Sector

      • Financial Firms Are Locking The Front Door But Leaving The Back Open
        "Financial institutions are building stronger defenses against direct cyberattacks, but they may be overlooking a growing problem: their vendors. According to Black Kite’s new report, third-party risk has become one of the biggest cybersecurity threats facing the financial sector."
        https://www.helpnetsecurity.com/2025/07/11/financial-firms-third-party-cyber-risk/
      • Factoring Cybersecurity Into Finance's Digital Strategy
        "The financial industry is witnessing a significant shift, fueled by artificial intelligence (AI) advancements to meet consumer demand for digital and personalized services. A recent Gartner report highlighted that the adoption of AI in financial functions surged by 21% in 2024 alone. With technological leaps transforming operations comes equal technological advancement for bad actors to breach financial institution infrastructures. As a result, financial institutions must undertake a critical responsibility to stay ahead of threats to safeguard their assets as well as customers' data and privacy. This requires implementing a combination of reactive defense mechanisms and designing proactive systems capable of anticipating and preventing emerging threats."
        https://www.darkreading.com/cyberattacks-data-breaches/factoring-cybersecurity-finances-digital-strategy

      Vulnerabilities

      • Pre-Auth SQL Injection To RCE - Fortinet FortiWeb Fabric Connector (CVE-2025-25257)
        "Welcome back to yet another day in this parallel universe of security. This time, we’re looking at Fortinet’s FortiWeb Fabric Connector. “What is that?” we hear you say. That's a great question; no one knows. For the uninitiated, or unjaded, Fortinet’s FortiWeb Fabric Connector is meant to be the glue between FortiWeb (their web application firewall) and other Fortinet ecosystem products, allowing for dynamic, policy-based security updates based on real-time changes in infrastructure or threat posture. Think of it as a fancy middleman - pulling metadata from sources like FortiGate firewalls, FortiManager, or even external services like AWS, and feeding that into FortiWeb so it can automatically adjust its protections. In theory, it should make things smarter and more responsive."
        https://labs.watchtowr.com/pre-auth-sql-injection-to-rce-fortinet-fortiweb-fabric-connector-cve-2025-25257/
        https://fortiguard.fortinet.com/psirt/FG-IR-25-151
        https://www.bleepingcomputer.com/news/security/exploits-for-pre-auth-fortinet-fortiweb-rce-flaw-released-patch-now/
        https://thehackernews.com/2025/07/fortinet-releases-patch-for-critical.html
        https://hackread.com/critical-vulnerability-fortinet-fortiweb-cve-2025-25257/
        https://securityaffairs.com/179874/security/patch-immediately-cve-2025-25257-poc-enables-remote-code-execution-on-fortinet-fortiweb.html
      • Wing FTP Server Remote Code Execution (CVE-2025-47812) Exploited In The Wild
        "Huntress saw active exploitation of Wing FTP Server remote code execution (CVE-2025-47812) on a customer on July 1, 2025. Organizations running Wing FTP Server should update to the fixed version, version 7.4.4, as soon as possible. CVE-2025-47812 is a null byte and Lua injection flaw that can lead to root/SYSTEM-level remote code execution if exploited. The vulnerability was first publicly disclosed on June 30 by Julien Ahrens in versions prior to 7.4.4 of the Wing FTP Server, its file transfer protocol software for Windows, Linux, and macOS. At a high level, CVE-2025-47812 stems from how null bytes are handled in the username parameter (specifically related to the loginok.html file, which handles the authentication process). This can allow remote attackers to perform Lua injection after using the null byte in the username parameter."
        https://www.huntress.com/blog/wing-ftp-server-remote-code-execution-cve-2025-47812-exploited-in-wild
        https://thehackernews.com/2025/07/critical-wing-ftp-server-vulnerability.html
        https://www.bleepingcomputer.com/news/security/hackers-are-exploiting-critical-rce-flaw-in-wing-ftp-server/
        https://www.securityweek.com/critical-wing-ftp-server-vulnerability-exploited/
        https://www.theregister.com/2025/07/11/1010_wing_ftp_bug_exploited/
        https://www.helpnetsecurity.com/2025/07/11/critical-wing-ftp-server-vulnerability-exploited-in-the-wild-cve-2025-47812/
        https://securityaffairs.com/179861/hacking/wing-ftp-server-flaw-actively-exploited-shortly-after-technical-details-were-made-public.html
      • NVIDIA Shares Guidance To Defend GDDR6 GPUs Against Rowhammer Attacks
        "NVIDIA is warning users to activate System Level Error-Correcting Code mitigation to protect against Rowhammer attacks on graphical processors with GDDR6 memory. The company is reinforcing the recommendation as new research demonstrates a Rowhammer attack against an NVIDIA A6000 GPU (graphical processing unit). Rowhammer is a hardware fault that can be triggered through software processes and stems from memory cells being too close to each other. The attack was demonstrated on DRAM cells but it can affect GPU memory, too."
        https://www.bleepingcomputer.com/news/security/nvidia-shares-guidance-to-defend-gddr6-gpus-against-rowhammer-attacks/
        https://nvidia.custhelp.com/app/answers/detail/a_id/5671
        https://thehackernews.com/2025/07/gpuhammer-new-rowhammer-attack-variant.html
        https://www.securityweek.com/rowhammer-attack-demonstrated-against-nvidia-gpu/
      • Grok-4 Falls To a Jailbreak Two Days After Its Release
        "The latest release of the xAI LLM, Grok-4, has already fallen to a sophisticated jailbreak. The Echo Chamber jailbreak attack was described on June 23, 2025. xAI’s latest Grok-4 was released on July 9, 2025. Two days later it fell to a combined Echo Chamber and Crescendo jailbreak attack. Echo Chamber was developed by NeuralTrust. We describe it in New AI Jailbreak Bypasses Guardrails With Ease. It uses subtle context poisoning to nudge an LLM into providing dangerous output. The methodology is shown below."
        https://www.securityweek.com/grok-4-falls-to-a-jailbreak-two-days-after-its-release/
      • Google Gemini Flaw Hijacks Email Summaries For Phishing
        "Google Gemini for Workspace can be exploited to generate email summaries that appear legitimate but include malicious instructions or warnings that direct users to phishing sites without using attachments or direct links. Such an attack leverages indirect prompt injections that are hidden inside an email and obeyed by Gemini when generating the message summary. Despite similar prompt attacks being reported since 2024 and safeguards being implemented to block misleading responses, the technique remains successful."
        https://www.bleepingcomputer.com/news/security/google-gemini-flaw-hijacks-email-summaries-for-phishing/

      Malware

      • Malware Found In Official GravityForms Plugin Indicating Supply Chain Breach
        "The Patchstack team has been monitoring targeted supply chain attacks involving a vendor of a plugin or theme. At first, we noticed that Groundhogg was affected by this supply chain attack, and its plugins were compromised by malware that was injected. The full details can be viewed here. Today, we received information about a possible targeted supply chain attack against Gravity Forms. We are still actively investigating to better understand the scale and impact, but as we have proof of infected websites and IOCs to keep an eye on, we're sharing this information in this post so people could check if they have been affected."
        https://patchstack.com/articles/critical-malware-found-in-gravityforms-official-plugin-site/
        https://www.bleepingcomputer.com/news/security/wordpress-gravity-forms-developer-hacked-to-push-backdoored-plugins/
      • BlackSuit: A Hybrid Approach With Data Exfiltration And Encryption
        "Cybereason Security Services issue Threat Analysis reports to inform on impacting threats. The Threat Analysis reports investigate these threats and provide practical recommendations for protecting against them. In this Threat Analysis report, Cybereason Security Services investigates a BlackSuit ransomware attack we recently observed that represents a significant threat to organizations, leveraging tools like Cobalt Strike for command and control (C2), rclone for data exfiltration, and BlackSuit ransomware for file encryption."
        https://www.cybereason.com/blog/blacksuit-data-exfil
      • Evolving Tactics Of SLOW#TEMPEST: A Deep Dive Into Advanced Malware Techniques
        "In late 2024, we discovered a malware variant related to the SLOW#TEMPEST campaign. In this research article, we explore the obfuscation techniques employed by the malware authors. We deep dive into these malware samples and highlight methods and code that can be used to detect and defeat the obfuscation techniques. Understanding these evolving tactics is essential for security practitioners to develop robust detection rules and strengthen defenses against increasingly sophisticated threats."
        https://unit42.paloaltonetworks.com/slow-tempest-malware-obfuscation/
      • SafePay Ransomware: The Fast-Rising Threat Targeting MSPs
        "In Q1 2025, one ransomware group surged rapidly from obscurity to become one of the most active and dangerous actors on the global threat landscape: SafePay. It has quietly and aggressively built momentum, striking over 200 victims worldwide, including managed service providers (MSPs) and small-to-midsize businesses (SMBs) across industries. Acronis Threat Research Unit (TRU) analyzed several SafePay samples and confirmed the group’s use of recycled — but highly efficient — tactics, including disabling endpoint protection, deleting shadow copies and clearing logs to suppress detection and response. Unlike many ransomware groups that rely on affiliates in a ransomware-as-a-service (RaaS) model, SafePay appears to operate with centralized control, managing its own operations, infrastructure and negotiations."
        https://www.acronis.com/en-us/tru/posts/safepay-ransomware-the-fast-rising-threat-targeting-msps/
      • Wipe, Leak, Extort: The Crazy Hybrid Playbook Of Anubis Ransomware
        "Anubis is a ransomware-as-a-service (RaaS) operation that emerged in December 2024, and quickly distinguished itself by integrating file-wiping capabilities alongside the traditional encryption and data exfiltration. The group operates multiple affiliate programs with revenue splits ranging from 50% to 80%, and targets multiple sectors in several countries, including Australia, Canada, Peru and the United States."
        https://blog.barracuda.com/2025/07/11/wipe--leak--extort--the-crazy-hybrid-playbook-of-anubis-ransomwa

      Breaches/Hacks/Leaks

      • Albemarle Latest Virginia County Hit With Ransomware
        "Phone and technology outages that plagued Albemarle County last month were caused by a ransomware attack, officials said in a statement on Friday. The county warned residents that it “appears likely” the hackers accessed the data of local government and public school employees — including their driver’s license numbers, Social Security numbers, passport numbers, military IDs and more. Some of the 112,000 residents of the county, home to the city of Charlottesville, also may have had their names, addresses and Social Security numbers exposed. The county said it is still conducting its investigation into the ransomware attack, which was initially discovered on the morning of June 11."
        https://therecord.media/albemarle-virginia-ransomware-attack
      • Hacker Returns Cryptocurrency Stolen From GMX Exchange After $5 Million Bounty Payment
        "The person behind a $42 million theft from decentralized exchange GMX has returned the stolen cryptocurrency in exchange for a $5 million bounty. After the theft came to light on Wednesday, GMX promised the hacker not to pursue litigation if the funds were returned. “You've successfully executed the exploit; your abilities in doing so are evident to anyone looking into the exploit transactions,” the company said in a subsequent note on Thursday."
        https://therecord.media/hacker-returns-stolen-gmx-bounty
      • Exploiting Public APP_KEY Leaks To Achieve RCE In Hundreds Of Laravel Applications
        "Laravel APP_KEY leaks enable RCE via deserialization attacks. Collaboration with Synacktiv scaled findings to 600 vulnerable applications using 260K exposed keys from GitHub. Analysis reveals 35% of exposures coincide with other critical secrets including database, cloud tokens, and API credentials."
        https://blog.gitguardian.com/exploiting-public-app_key-leaks/
        https://thehackernews.com/2025/07/over-600-laravel-apps-exposed-to-remote.html

      General News

      • Hacktivist Attacks On Critical Infrastructure Grow As New Groups Emerge
        "Hacktivists are increasingly targeting critical infrastructure as they expand beyond the DDoS attacks and website defacements typically associated with ideologically motivated cyberattacks. Cyble’s assessment of the hacktivism threat landscape in the second quarter of 2025 found that industrial control system (ICS) attacks, data breaches, and access-based attacks now comprise 31% of hacktivist attacks, up from 29% in the first quarter (chart below)."
        https://cyble.com/blog/hacktivists-attacks-on-critical-infrastructure/
      • Where Policy Meets Profit: Navigating The New Frontier Of Defense Tech Startups
        "In this Help Net Security interview, Thijs Povel, Managing Partner at Ventures.eu, discusses how the firm evaluates emerging technologies through the lens of defense and resilience. He explains how founders from both defense and adjacent sectors are addressing policy shifts, procurement cycles, and dual-use innovation. Povel also offers guidance for founders on handling slow-moving procurement cycles and proving the business case for resilience solutions."
        https://www.helpnetsecurity.com/2025/07/11/thijs-povel-ventures-eu-dual-use-tech/
      • Employees Are Quietly Bringing AI To Work And Leaving Security Behind
        "While IT departments race to implement AI governance frameworks, many employees have already opened a backdoor for AI, according to ManageEngine. Shadow AI has quietly infiltrated organizations across North America, creating blind spots that even the most careful IT leaders struggle to detect. Despite formal guidelines and sanctioned tools, shadow AI has become the norm rather than the exception. 70% of IT decision makers (ITDMs) have identified unauthorized AI use within their organizations."
        https://www.helpnetsecurity.com/2025/07/11/organizations-shadow-ai-risk/
      • Romania And UK Arrest 14 In British Tax Repayment Scam Probe
        "Police on Thursday arrested 13 individuals in Romania and one in England on suspicion of engaging in a massive tax fraud scheme against Great Britain. The arrests appear to be tied to an operation probing a gang that used phishing attacks against British taxpayers to steal 47 million pounds - $63 million - from His Majesty's Revenue and Customs, the U.K. government agency responsible for collecting taxes. Parliament's Treasury Committee, which oversees the tax collector, slammed HMRC top brass for failing to notify lawmakers about the 2024 losses, which only came to light in June when 100,000 taxpayers received notification that their online accounts had been breached."
        https://www.bankinfosecurity.com/romania-uk-arrest-14-in-british-tax-repayment-scam-probe-a-28943
        https://hackread.com/14-arrested-romania-47-million-uk-tax-phishing-scam/
      • As Cyber-Insurance Premiums Drop, Coverage Is Key To Resilience
        "The cyber-insurance market continues to generate profits for underwriters, but competition in the market and softening demand has led to a decline in the total revenue from premiums for the third straight year in a row — a situation that could work in businesses' favor. Overall, cyber-insurance experts expect premiums to continue to decline in 2025 and likely level off next year, as market economics balance supply and demand. Renewal rates for cyber-insurance policies have declined each quarter for the last three quarters, which is expected to continue, according to credit and economic firm Fitch Ratings."
        https://www.darkreading.com/vulnerabilities-threats/cyber-insurance-premiums-drop-coverage-key-resilience
      • Google Trackers: What You Can Actually Escape And What You Can’t
        "Google is everywhere — in your emails, documents, maps, phone, in your working hours, and even in your leisure time. It’s become a part of our daily lives, and getting out of its ecosystem can feel impossible. But can switching to more privacy-focused options really help an ordinary user break free? Even if you stop using Google products directly, your data might still pass through its servers without your knowledge. Many websites use tools like Google Analytics, embed YouTube videos, run Google ads, or rely on Google Cloud. One common example is reCAPTCHA — countless websites use this tool to verify you’re a human user, and (you guessed it) it belongs to Google, too."
        https://www.safetydetectives.com/blog/google-dependency-and-user-data-tracking/
        https://hackread.com/new-study-google-tracking-persists-privacy-tools/
      • Behind The Code: How Developers Work In 2025
        "How are developers working in 2025? Docker surveyed over 4,500 people to find out, and the answers are a mix of progress and ongoing pain points. AI is gaining ground but still unevenly used. Security is now baked into everyday workflows. Most devs have left local setups behind in favor of cloud environments. And while tools are improving, coordination, planning, and time estimation still slow teams down."
        https://www.helpnetsecurity.com/2025/07/11/docker-2025-developer-trends/
      • July 2025 Breaks a Decade Of Monthly Android Patches
        "Google this week announced that no security patches have been released for Android, Pixel devices, and other Android-based platforms this month, ending a decade-long streak of security updates. As customary in the first week of each month, security bulletins were published for the core Android operating system, as well as for Pixel devices, Android Automotive OS (AAOS), Wear OS, and Pixel Watch, but they all contain the same message: there are no security patches in the July 2025 bulletin. This is the first month without security updates since Google started rolling out monthly Android fixes in August 2015, looking to make the mobile operating system safer for both users and vendors."
        https://www.securityweek.com/july-2025-breaks-a-decade-of-monthly-android-patches/
      • You Have a Fake North Korean IT Worker Problem - Here's How To Stop It
        "By now, the North Korean fake IT worker problem is so ubiquitous that if you think you don't have any phony resumes or imposters in your interview queue, you're asleep at the wheel. “Almost every CISO of a Fortune 500 company that I've spoken to — I'll just characterize as dozens that I've spoken to — have admitted that they had a North Korean IT worker problem,” said Mandiant Consulting CTO Charles Carmakal during a threat-intel roundtable, admitting that even Mandiant's parent company Google is not immune. “We have seen this in our own pipelines,” added Iain Mulholland, Google Cloud's senior director of security engineering."
        https://www.theregister.com/2025/07/13/fake_it_worker_problem/

      References
      Electronic Transactions Development Agency (ETDA)
