NCSA Webboard

    Cyber Threat Intelligence 22 July 2025

    Cyber Security News
    • NCSA_THAICERT

      Aviation Sector

      • Cyber Turbulence Ahead As Airlines Strap In For a Security Crisis
        "Aircraft systems are getting more connected and ground operations increasingly integrated, and attackers are taking notice. They’re shifting from minor disruptions to targeting critical systems with serious intent. Any time an aircraft transmits data, whether it’s flight position updates or maintenance alerts, it is vulnerable to interception by third parties. In several recent cases, cyber incidents have grounded flights, exposed sensitive data, and led to significant financial losses. The main threat actors behind these attacks are nation-state APT groups, organized cybercriminals, and hacktivists."
        https://www.helpnetsecurity.com/2025/07/21/aviation-industry-cybersecurity-crisis/

      Financial Sector

      • Michigan ‘ATM Jackpotting’: Florida Men Allegedly Forced Machines To Dispense $107K
        "Two Florida men allegedly spent a September day burglarizing ATMs in four Michigan counties, making off with more than $100,000. The next month, police found them in a Minnesota hotel amid stacks of cash. The duo is now facing federal charges for allegedly engaging in a lucrative, tech-savvy scam known as “ATM jackpotting.” Robert R. Rosales Rivero, 43, on July 10 appeared before U.S. District Magistrate Judge Patricia T. Morris to learn he had been charged with single counts of bank theft and conspiracy to commit that crime. The charges are 10- and five-year felonies, respectively."
        https://www.mlive.com/news/saginaw-bay-city/2025/07/michigan-atm-jackpotting-florida-men-allegedly-forced-machines-to-dispense-107k.html

      Healthcare Sector

      • World Health Organization CISO On Securing Global Health Emergencies
        "In this Help Net Security interview, Flavio Aggio, CISO at the World Health Organization (WHO), explains how the organization prepares for and responds to cyber threats during global health emergencies. These crises often lead to an increase in phishing scams, ransomware attacks, and disinformation campaigns, with vaccine research and public trust among the primary targets. WHO’s cybersecurity team fights threats by removing fake websites, issuing public warnings, and securing data sharing with global partners."
        https://www.helpnetsecurity.com/2025/07/21/flavio-aggio-world-health-organization-health-emergencies-cybersecurity/

      Telecom Sector

      • The Good, The Bad, And The Encoding: An SS7 Bypass Attack
        "There are two kinds of SS7 commands, my friend: the harmless ones… and the ones that can blow things up… … Okay, that may be an exaggeration, however just like the characters in Spaghetti Westerns, the commands encountered in the SS7 landscape come in a wide range of shapes and sizes and can sometimes be difficult to interpret (or most importantly, process safely). SS7 commands (or PDUs) that are not processed correctly pose significant risks, potentially resulting in the equivalent of a signaling “zero-day” enabling any of the wide range of attacks possible via SS7."
        https://www.enea.com/insights/the-good-the-bad-and-the-encoding-an-ss7-bypass-attack/
        https://www.securityweek.com/surveillance-firm-bypasses-ss7-protections-to-retrieve-user-location/

      New Tooling

      • Calico: Open-Source Solution For Kubernetes Networking, Security, And Observability
        "Calico is an open-source unified platform that brings together networking, security, and observability for Kubernetes, whether you’re running in the cloud, on-premises, or at the edge. The solution uses the lowest amount of processing resources, which is especially important in edge environments where compute resources are limited. “Calico is the only Kubernetes networking technology with a pluggable data plane. Calico can be used with iptables, nftables, eBPF, VPP, and Windows, giving practitioners flexibility and portability to move from one environment to another simply,” Peter Kelly, VP of Engineering at Tigera, the creators of Calico, told Help Net Security."
        https://www.helpnetsecurity.com/2025/07/21/open-source-kubernetes-networking-security-observability/
        https://github.com/projectcalico/calico

      Vulnerabilities

      • Microsoft Releases Emergency Patches For SharePoint RCE Flaws Exploited In Attacks
        "Microsoft has released emergency SharePoint security updates for two zero-day vulnerabilities tracked as CVE-2025-53770 and CVE-2025-53771 that have compromised services worldwide in "ToolShell" attacks. In May, during the Berlin Pwn2Own hacking contest, researchers exploited a zero-day vulnerability chain called "ToolShell," which enabled them to achieve remote code execution in Microsoft SharePoint. These flaws were fixed as part of the July Patch Tuesday updates; however, threat actors were able to discover two zero-day vulnerabilities that bypassed Microsoft's patches for the previous flaws."
        https://www.bleepingcomputer.com/news/microsoft/microsoft-releases-emergency-patches-for-sharepoint-rce-flaws-exploited-in-attacks/
        https://thehackernews.com/2025/07/microsoft-releases-urgent-patch-for.html
        https://www.darkreading.com/remote-workforce/microsoft-rushes-emergency-fix-exploited-sharepoint-toolshell-flaw
        https://blog.checkpoint.com/research/sharepoint-zero-day-cve-2025-53770-actively-exploited-what-security-teams-need-to-know/
        https://blog.talosintelligence.com/toolshell-affecting-sharepoint-servers/
        https://cyberscoop.com/microsoft-sharepoint-zero-day-attack-spree/
        https://hackread.com/microsoft-hackers-exploit-sharepoint-flaws-patch-now/
        https://www.securityweek.com/microsoft-patches-toolshell-zero-days-exploited-to-hack-sharepoint-servers/
        https://securityaffairs.com/180197/hacking/microsoft-issues-emergency-patches-for-sharepoint-zero-days-exploited-in-toolshell-attacks.html
      • Over 1,000 CrushFTP Servers Exposed To Ongoing Hijack Attacks
        "Over 1,000 CrushFTP instances currently exposed online are vulnerable to hijack attacks that exploit a critical security bug, providing admin access to the web interface. The security vulnerability (CVE-2025-54309) is due to mishandled AS2 validation and impacts all CrushFTP versions below 10.8.5 and 11.3.4_23. The vendor tagged the flaw as actively exploited in the wild on July 19th, noting that attacks may have begun earlier, although it has yet to find evidence to confirm this. "July 18th, 9AM CST there is a 0-day exploit seen in the wild. Possibly it has been going on for longer, but we saw it then. Hackers apparently reverse engineered our code and found some bug which we had already fixed," reads CrushFTP's advisory."
        https://www.bleepingcomputer.com/news/security/over-1-000-crushftp-servers-exposed-to-ongoing-hijack-attacks/
      • ExpressVPN Bug Leaked User IPs In Remote Desktop Sessions
        "ExpressVPN has fixed a flaw in its Windows client that caused Remote Desktop Protocol (RDP) traffic to bypass the virtual private network (VPN) tunnel, exposing the users' real IP addresses. One of the key premises of a VPN is masking a user's IP address, allowing users to stay anonymous online, and in some cases, bypass censorship. Failing to do so is a severe technical failure for a VPN product. ExpressVPN is a leading VPN service provider, consistently rated among the top VPN services, and used by millions worldwide. It utilizes RAM-only servers that don't retain user data and adheres to an audited no-logs policy."
        https://www.bleepingcomputer.com/news/security/expressvpn-bug-leaked-user-ips-in-remote-desktop-sessions/
        https://www.expressvpn.com/blog/expressvpn-rdp-leak-fixed/

      Malware

      • Active Exploitation Of Microsoft SharePoint Vulnerabilities: Threat Brief
        "Unit 42 is tracking high-impact, ongoing threat activity targeting on-premises Microsoft SharePoint servers. While cloud environments remain unaffected, on-premises SharePoint deployments — particularly within government, schools, healthcare (including hospitals) and large enterprise companies — are at immediate risk. CVE-2025-49704, CVE-2025-49706, CVE-2025-53770 and CVE-2025-53771 are a set of vulnerabilities that impact Microsoft SharePoint. When chained together, they can allow unauthenticated threat actors to access functionality that's normally restricted, to run arbitrary commands on vulnerable instances of Microsoft SharePoint. In addition to the CVE reports, Microsoft has released further guidance on these vulnerabilities. The vulnerabilities, their CVSS scores and their descriptions are detailed in Table 1."
        https://unit42.paloaltonetworks.com/microsoft-sharepoint-cve-2025-49704-cve-2025-49706-cve-2025-53770/
      • CryptoJacking Is Dead: Long Live CryptoJacking
        "It was 2017 when Coinhive burst onto the scene, embedding a Monero miner directly into websites. Users would unknowingly mine cryptocurrency while browsing, turning their devices into silent profit engines for site owners. For a brief moment, it seemed like a win-win: websites earned revenue without ads, and users avoided intrusive pop-ups. But as Coinhive’s hash rate soared to 12% of Monero’s total network power, device slowdowns and battery drain sparked public outrage. By 2019, browsers like Chrome and Firefox began blocking crypto miners, and Coinhive shut down. Crypto jacking, it seemed, was dead. But in cybersecurity, death is rarely permanent…"
        https://cside.dev/blog/cryptojacking-is-dead-long-live-cryptojacking
        https://thehackernews.com/2025/07/3500-websites-hijacked-to-secretly-mine.html
      • Lookout Discovers Iranian APT MuddyWater Leveraging DCHSpy During Israel-Iran Conflict
        "DCHSpy is an Android surveillanceware family that Lookout customers have been protected from since 2024. It is likely developed and maintained by MuddyWater, which is a cyber espionage group believed to be affiliated with Iran's Ministry of Intelligence and Security (MOIS). This group targets diverse government and private entities in various sectors, such as telecommunications, local government, defense, and oil and natural gas, across the Middle East, Asia, Africa, Europe, and North America. In light of the recent conflict in Iran, it appears that new versions of DCHSpy are being deployed against adversaries. It uses political lures and disguises as legitimate apps like VPNs or banking applications."
        https://www.lookout.com/threat-intelligence/article/lookout-discovers-iranian-dchsy-surveillanceware
        https://thehackernews.com/2025/07/iran-linked-dchspy-android-malware.html
        https://therecord.media/malware-exfiltrates-whatsapp-iran-muddywater
        https://www.infosecurity-magazine.com/news/iran-hackers-new-android-spyware/
        https://www.securityweek.com/new-variants-of-dchspy-spyware-used-by-iranian-apt-to-target-android-users/
        https://securityaffairs.com/180220/apt/muddywater-deploys-new-dchspy-variants-amid-iran-israel-conflict.html
        https://www.theregister.com/2025/07/21/muddywaters_android_iran/
      • The SOC Files: Rumble In The Jungle Or APT41’s New Target In Africa
        "Some time ago, Kaspersky MDR analysts detected a targeted attack against government IT services in the African region. The attackers used hardcoded names of internal services, IP addresses, and proxy servers embedded within their malware. One of the C2s was a captive SharePoint server within the victim’s infrastructure. During our incident analysis, we were able to determine that the threat actor behind the activity was APT41. This is a Chinese-speaking cyberespionage group known for targeting organizations across multiple sectors, including telecom and energy providers, educational institutions, healthcare organizations and IT energy companies in at least 42 countries. It’s worth noting that, prior to the incident, Africa had experienced the least activity from this APT."
        https://securelist.com/apt41-in-africa/116986/
        https://thehackernews.com/2025/07/china-linked-hackers-launch-targeted.html
      • Malware Brief: A Malware Foursome Working Together
        "In today’s Malware Brief we’ll take a quick look at four different examples of malware that have all emerged at about the same time. They demonstrate the complex chain of threats being used together, sometimes by different groups for disparate purposes. In this case, all four — RomCom RAT, TransferLoader, MeltingClaw and DustyHammock — were identified in the early 2020s following the Russian invasion of Ukraine. They were, and are, extensively used by Russian-speaking groups against Ukrainian, Polish and some Russian targets."
        https://blog.barracuda.com/2025/07/21/malware-brief-foursome-working-together
      • Ghost Crypt Powers PureRAT With Hypnosis
        "Adversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes. We have discovered some of the most dangerous threats and nation state attacks in our space – including the Kaseya MSP breach and the more_eggs malware. Our Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced Threat Analytics driven by our Threat Response Unit – the TRU team. In TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We outline how we responded to the confirmed threat and what recommendations we have going forward."
        https://www.esentire.com/blog/ghost-crypt-powers-purerat-with-hypnosis
        https://www.infosecurity-magazine.com/news/crypter-malware-targets-accounting/

      Breaches/Hacks/Leaks

      • Ring Denies Breach After Users Report Suspicious Logins
        "Ring is warning that a backend update bug is responsible for customers seeing a surge in unauthorized devices logged into their account on May 28th. On May 28th, many Ring customers reported seeing unusual devices logged into their accounts from various locations worldwide, leading them to believe their accounts had been hacked. Last week, Ring posted to Facebook stating that they are aware "of a bug that incorrectly displays prior login dates as May 28, 2025." Ring also updated its status page to say that these unauthorized logins are caused by a bug in a backend update that was released."
        https://www.bleepingcomputer.com/news/security/ring-denies-breach-after-users-report-suspicious-logins/
        https://www.malwarebytes.com/blog/news/2025/07/ring-cameras-hacked-amazon-says-no-users-not-so-sure
      • Dior Begins Sending Data Breach Notifications To U.S. Customers
        "The House of Dior (Dior) is sending data breach notifications to U.S. customers informing them that a May cybersecurity incident compromised their personal information. Dior is a French luxury fashion house, part of the LVMH (Moët Hennessy Louis Vuitton) group, which is the world's largest luxury conglomerate. The Dior brand alone generates an annual revenue of over $12 billion, operating hundreds of boutiques worldwide."
        https://www.bleepingcomputer.com/news/security/dior-begins-sending-data-breach-notifications-to-us-customers/
      • Dell Confirms Breach Of Test Lab Platform By World Leaks Extortion Group
        "A newly rebranded extortion gang known as "World Leaks" breached one of Dell's product demonstration platforms earlier this month and is now trying to extort the company into paying a ransom. Dell acknowledged the incident to BleepingComputer, confirming that the threat actor had breached its Customer Solution Centers platform, which is used to demonstrate Dell products and solutions to customers. "A threat actor recently gained access to our Solution Center, an environment designed to demonstrate our products and test proofs-of-concept for Dell's commercial customers," Dell told BleepingComputer."
        https://www.bleepingcomputer.com/news/security/dell-confirms-breach-of-test-lab-platform-by-world-leaks-extortion-group/
        https://therecord.media/hackers-hit-dell-product-demo-platform-limited-impact
        https://hackread.com/world-leaks-dell-data-breach-leaks-1-3-tb-of-files/
        https://www.theregister.com/2025/07/21/dell_scoffs_at_breach/
      • Marketing, Law Firms Say Data Breaches Impact Over 200,000 People
        "Marketing software and services company Cierant Corporation and law firm Zumpano Patricios have independently disclosed data breaches, each impacting more than 200,000 individuals. What the Cierant and Zumpano Patricios incidents have in common is that the number of impacted people was brought to light in recent days by the healthcare data breach tracker maintained by the US Department of Health and Human Services (HHS). The Zumpano Patricios breach impacts nearly 280,000 individuals. The law firm, which has offices in several major US cities, is representing healthcare providers in disputes with health insurance companies over medical service payments to patients."
        https://www.securityweek.com/marketing-law-firms-say-data-breaches-impact-over-200000-people/
      • 750,000 Impacted By Data Breach At The Alcohol & Drug Testing Service
        "The Alcohol & Drug Testing Service (TADTS) is notifying roughly 750,000 people that their personal information was compromised in a July 2024 data breach. TADTS is based in Texas and was until recently known as the Texas Alcohol and Drug Testing Service. It provides workplace and individual alcohol and drug testing services in Texas and other states. The incident, TADTS says, was identified on July 9, 2024, and involved unauthorized access to and the theft of data maintained in its systems."
        https://www.securityweek.com/750000-impacted-by-data-breach-at-the-alcohol-drug-testing-service/
      • Indian Crypto Exchange CoinDCX Says $44 Million Stolen From Reserves
        "More than $44 million worth of cryptocurrency was stolen from the Indian exchange CoinDCX over the weekend. Company cofounders Neeraj Khandelwal and Sumit Gupta announced issues on social media Saturday afternoon before confirming that funds had been stolen from one of the company’s internal operational accounts. CoinDCX customers were not impacted and user funds were not stolen or accessed, the cofounders said. India’s emergency response team was notified of the theft."
        https://therecord.media/indian-crypto-dcx-millions-stolen

      General News

      • Malicious Implants Are Coming To AI Components, Applications
        "The next generation of malicious implants may live in the AI application back end. Security researcher Hariharan Shanmugam will publish research next month focused on a security issue he discovered regarding how AI models are uniquely vulnerable to injected code. Though much of security research for AI risks right now concerns prompt injections — using prompts to get LLM models to do things like write malware or leak privileged data — Shanmugam's findings join a growing body of research dedicated to more technical flaws in LLM models."
        https://www.darkreading.com/application-security/malicious-implants-ai-components-applications
      • Containment As a Core Security Strategy
        "In nuclear safety design, isolation is everything. When containment fails, so does the system. At Chernobyl, isolation protocols were bypassed to achieve a performance goal. When the reactor overheated, there was no effective barrier to prevent cascading failure. The event was not just a technical malfunction but a systemic failure in enforcing hard limits. The Fukushima disaster was similarly escalated not by the initial earthquake but by a loss of containment. Flooded backup generators disabled cooling systems, causing overheating that breached the core."
        https://www.darkreading.com/vulnerabilities-threats/containment-core-security-strategy
      • Primary Attack Vectors Persist
        "The speed and innovation of our cloud and AI age is undeniable. However, opportunity comes paired with responsibility and risk. The duality of the cloud security challenge is that these two opposing forces are markedly different. To keep cloud environments safe and secure, we need to introspectively examine how we can improve our internal people, processes and technology charged with cloud defense. We also need to understand the external threat landscape, including new and persistent threat actor capabilities and innovations."
        https://www.sentinelone.com/blog/primary-attack-vectors-persist/

      Reference
      Electronic Transactions Development Agency (ETDA)
