    Cyber Threat Intelligence 23 July 2025


      Industrial Sector

      • Schneider Electric EcoStruxure IT Data Center Expert
        "Successful exploitation of these vulnerabilities could allow an attacker to disrupt operations and access system data."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-203-06
      • DuraComm DP-10iN-100-MU
        "Successful exploitation of these vulnerabilities could allow an attacker to disclose sensitive information or cause a denial-of-service condition."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-203-01
      • Lantronix Provisioning Manager
        "Successful exploitation of this vulnerability could allow an attacker to perform a cross-site scripting attack, which could result in remote code execution."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-203-02
      • Schneider Electric EcoStruxure Power Operation
        "Successful exploitation of these vulnerabilities could result in the loss of system functionality or unauthorized access to system functions."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-203-04
      • Schneider Electric EcoStruxure
        "Successful exploitation of this vulnerability could provide other authenticated users with potentially inappropriate access to TGML diagrams."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-203-03
      • Schneider Electric System Monitor Application
        "Successful exploitation of this vulnerability could allow an attacker to execute untrusted code."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-203-05
      • Vulnerabilities Expose Helmholz Industrial Routers To Hacking
        "Several potentially serious vulnerabilities were recently found and patched in routers made by Germany-based industrial and automation solutions provider Helmholz. The existence of the security holes came to light last week, when Germany’s CERT@VDE published an advisory describing eight vulnerabilities discovered in Helmholz’s REX 100 router, which enables organizations to remotely access and manage industrial networks. Helmholz routers are used worldwide, distributed through a network of partners across 60 countries, including in North America, Europe and Asia."
        https://www.securityweek.com/vulnerabilities-expose-helmholz-industrial-routers-to-hacking/
        https://certvde.com/de/advisories/VDE-2025-059/

      Vulnerabilities

      • Cisco: Maximum-Severity ISE RCE Flaws Now Exploited In Attacks
        "Cisco is warning that three recently patched critical remote code execution vulnerabilities in Cisco Identity Services Engine (ISE) are now being actively exploited in attacks. Although the vendor did not specify how they were being exploited and whether they were successful, applying the security updates as soon as possible is now critical. “In July 2025, the Cisco PSIRT became aware of attempted exploitation of some of these vulnerabilities in the wild,” reads the updated advisory."
        https://www.bleepingcomputer.com/news/security/cisco-maximum-severity-ise-rce-flaws-now-exploited-in-attacks/
        https://thehackernews.com/2025/07/cisco-confirms-active-exploits.html
        https://securityaffairs.com/180260/hacking/cisco-confirms-active-exploitation-of-ise-and-ise-pic-flaws.html
      • CISA Adds Two Known Exploited Vulnerabilities To Catalog
        "CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
        CVE-2025-49704 Microsoft SharePoint Code Injection Vulnerability
        CVE-2025-49706 Microsoft SharePoint Improper Authentication Vulnerability"
        https://www.cisa.gov/news-events/alerts/2025/07/22/cisa-adds-two-known-exploited-vulnerabilities-catalog
      • CISA Adds Four Known Exploited Vulnerabilities To Catalog
        "CISA has added four new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
        CVE-2025-54309 CrushFTP Unprotected Alternate Channel Vulnerability
        CVE-2025-6558 Google Chromium ANGLE and GPU Improper Input Validation Vulnerability
        CVE-2025-2776 SysAid On-Prem Improper Restriction of XML External Entity Reference Vulnerability
        CVE-2025-2775 SysAid On-Prem Improper Restriction of XML External Entity Reference Vulnerability"
        https://www.cisa.gov/news-events/alerts/2025/07/22/cisa-adds-four-known-exploited-vulnerabilities-catalog

      Malware

      • New Variant Of ACRStealer Actively Distributed With Modifications
        "ACRStealer is an Infostealer that has been distributed since last year. It began to be actively distributed from early this year. AhnLab SEcurity intelligence Center (ASEC) has previously covered ACRStealer, which utilizes Google Docs and Steam as a C2 via a Dead Drop Resolver (DDR) technique."
        https://asec.ahnlab.com/en/89128/
      • Joint Advisory Issued On Protecting Against Interlock Ransomware
        "CISA, in partnership with the Federal Bureau of Investigation (FBI), the Department of Health and Human Services, and the Multi-State Information Sharing and Analysis Center issued a joint Cybersecurity Advisory to help protect businesses and critical infrastructure organizations in North America and Europe against Interlock ransomware. This advisory highlights known Interlock ransomware indicators of compromise and tactics, techniques, and procedures identified through recent FBI investigations."
        https://www.cisa.gov/news-events/alerts/2025/07/22/joint-advisory-issued-protecting-against-interlock-ransomware
        https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-203a
        https://www.bleepingcomputer.com/news/security/cisa-and-fbi-warn-of-escalating-interlock-ransomware-attacks/
        https://therecord.media/fbi-vigilance-interlock-ransomware
      • RokRAT Malware Using Malicious Hangul (.HWP) Documents
        "AhnLab SEcurity intelligence Center (ASEC) recently discovered the distribution of RokRAT malware using a Hangul Word Processor document (.hwp). RokRAT is typically distributed by including a decoy file and malicious script inside a shortcut (LNK) file. However, ASEC found a case where the malware was distributed through HWP documents instead of an LNK file."
        https://asec.ahnlab.com/en/89130/
      • Disrupting Active Exploitation Of On-Premises SharePoint Vulnerabilities
        "On July 19, 2025, Microsoft Security Response Center (MSRC) published a blog addressing active attacks against on-premises SharePoint servers that exploit CVE-2025-49706, a spoofing vulnerability, and CVE-2025-49704, a remote code execution vulnerability. These vulnerabilities affect on-premises SharePoint servers only and do not affect SharePoint Online in Microsoft 365. Microsoft has released new comprehensive security updates for all supported versions of SharePoint Server (Subscription Edition, 2019, and 2016) that protect customers against these new vulnerabilities. Customers should apply these updates immediately to ensure they are protected."
        https://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities/
        https://www.bleepingcomputer.com/news/security/microsoft-sharepoint-toolshell-attacks-linked-to-chinese-hackers/
        https://thehackernews.com/2025/07/microsoft-links-ongoing-sharepoint.html
        https://therecord.media/microsoft-sharepoint-vulnerabilities-china-groups-exploiting
        https://www.darkreading.com/application-security/3-china-nation-state-actors-sharepoint-bugs
        https://cyberscoop.com/microsoft-sharepoint-zero-days-china-typhoon/
        https://www.infosecurity-magazine.com/news/sharepoint-toolshell-chinese/
        https://hackread.com/microsoft-chinese-state-hackers-exploit-sharepoint-flaws/
        https://www.securityweek.com/microsoft-says-chinese-apts-exploited-toolshell-zero-days-weeks-before-patch/
        https://www.theregister.com/2025/07/22/chinese_groups_attacking_microsoft_sharepoint/
        https://www.helpnetsecurity.com/2025/07/22/microsoft-pins-sharepoint-attacks-cve-2025-53770/
      • Coyote In The Wild: First-Ever Malware That Abuses UI Automation
        "In December 2024, we published a blog post that highlighted how attackers could abuse Microsoft’s UIA framework to steal credentials, execute code, and more. Exploitation was only a proof of concept (PoC) — until now. Approximately two months after the publication of that blog post, our concerns were validated when a variant of the banking trojan malware Coyote was observed abusing UIA in the wild — marking the first known case of such exploitation. This UIA abuse is the latest of these malicious Coyote tracks in their digital habitat since its discovery in February 2024. In this blog post, we take a closer look at the variant to better understand how UIA is being leveraged for malicious purposes, and what it means for defenders."
        https://www.akamai.com/blog/security-research/active-exploitation-coyote-malware-first-ui-automation-abuse-in-the-wild
        https://www.bleepingcomputer.com/news/security/coyote-malware-abuses-windows-accessibility-framework-for-data-theft/
        https://hackread.com/coyote-trojan-use-microsoft-ui-automation-bank-attacks/
      • Back To Business: Lumma Stealer Returns With Stealthier Methods
        "Following the sweeping law enforcement operation against Lumma Stealer in early 2025, which led to the seizure of over 2,300 malicious domains, initial signs pointed to a significant disruption of this notorious information-stealing malware. However, recent monitoring of Lumma Stealer reveals a steady and quiet resurgence in its activity. Despite the takedown of its core infrastructure and marketplaces, new campaigns have emerged, leveraging delivery techniques such as GitHub abuse and fake CAPTCHA sites. Notably, the operators have shifted away from public underground forums, opting instead for more covert channels and refined evasion tactics, allowing them to rebuild their operations while avoiding the spotlight."
        https://www.trendmicro.com/en_us/research/25/g/lumma-stealer-returns.html
        https://www.bleepingcomputer.com/news/security/lumma-infostealer-malware-returns-after-law-enforcement-disruption/
      • Tracking GLOBAL GROUP Ransomware From Mamona To Market Scale
        "In June 2025, a ransomware actor known by the alias $$$ publicly introduced a new brand, GLOBAL GROUP, on the Ramp4u cybercrime forum. Pitched as a fresh Ransomware-as-a-Service (RaaS) venture, the group claimed to offer a scalable platform with automated negotiations, cross-platform payloads, and generous affiliate profit-sharing. However, forensic evidence across malware samples, infrastructure configuration, and control logic reveals that GLOBAL is not new, it is a rebranded continuation of the Mamona RIP and Black Lock ransomware families."
        https://www.picussecurity.com/resource/blog/tracking-global-group-ransomware-from-mamona-to-market-scale
        https://www.infosecurity-magazine.com/news/ransomware-ai-chatbot-pressure/
      • NET RFQ: Request For Quote Scammers Casting Wide Net To Steal Real Goods
        "In this report, Proofpoint threat researchers take a deep dive into a widespread Request for Quote (RFQ) scam that involves leveraging common Net financing options (Net 15, 30, 45) to steal a variety of high value electronics and goods. Net financing of 15-90 days is the most common payment terms used by businesses. RFQ scams are a diverse category of business-oriented fraud and among the top five most frequently observed social engineering themes used by fraud actors. In RFQ campaigns, the actor reaches out to a business to ask for quotes for various products or services. The quotes they receive can be used to make very convincing lures to send malware, phishing links, and even additional business email compromise (BEC) and social engineering fraud."
        https://www.proofpoint.com/us/blog/threat-insight/net-rfq-request-quote-scammers-casting-wide-net-steal-real-goods
        https://www.infosecurity-magazine.com/news/net-rfq-scam-targets-high-value/
      • SharePoint ToolShell | Zero-Day Exploited In-The-Wild Targets Enterprise Servers
        "On July 19th, Microsoft confirmed that a 0-day vulnerability impacting on-premises Microsoft SharePoint Servers, dubbed “ToolShell” (by researcher Khoa Dinh @_l0gg), was being actively exploited in the wild. This flaw has since been assigned the identifier CVE-2025-53770, along with an accompanying bypass tracked as CVE-2025-53771. These two new CVEs are being used alongside the previously patched CVEs (49704/49706) which were patched on July 8th, with PoC code surfacing by July 14th. The advisory also confirmed emergency patches for on-prem SharePoint Subscription Edition and SharePoint Server 2019, with updates scheduled for version 2016 as well. We strongly recommend immediate patching, and following Microsoft’s recommendations of enabling AMSI detection, rotating ASP.NET machine keys, and isolating public-facing SharePoint servers until defenses are in place."
        https://www.sentinelone.com/blog/sharepoint-toolshell-zero-day-exploited-in-the-wild-targets-enterprise-servers/
        https://thehackernews.com/2025/07/hackers-exploit-sharepoint-zero-day.html
        https://www.securityweek.com/toolshell-zero-day-attacks-on-sharepoint-first-wave-linked-to-china-hit-high-value-targets/
        https://securityaffairs.com/180252/hacking/sharepoint-under-fire-new-toolshell-attacks-target-enterprises.html
      • Greedy Sponge Targets Mexico With AllaKore RAT And SystemBC
        "A financially-motivated threat actor, active since early 2021, has been targeting Mexican organizations with custom packaged installers that deliver a modified version of AllaKore RAT. Arctic Wolf® documented 2022 and 2023 campaign samples from this unidentified threat actor in a previous report. We are now referring to this group as Greedy Sponge, due to its financial focus and prior use of a popular “SpongeBob” meme on its C2. There have been a number of notable changes since we last reported on this threat group. The AllaKore RAT payload has been heavily modified to enable the threat actors to send select banking credentials and unique authentication information back to their command-and-control (C2) server, for the purpose of conducting financial fraud."
        https://arcticwolf.com/resources/blog/greedy-sponge-targets-mexico-with-allakore-rat-and-systembc/
        https://thehackernews.com/2025/07/credential-theft-and-remote-access.html
      • Russian-Speaking Hacker Group Disrupted By Local Researchers
        "Russian cybersecurity researchers have identified and dismantled a network of domains operated by a relatively obscure hacking group known as NyashTeam. The group has been selling malware and offering hosting services for cybercriminals since at least 2022, the Russia-based firm F6 said. In a report published Tuesday, analysts said they uncovered and began dismantling more than 110 domains used by NyashTeam. The takedown was carried out with support from Russia’s Coordination Center for national domain names. No detailed public reports on NyashTeam have been published previously, although other researchers first flagged some of the group’s associated domains in 2022."
        https://therecord.media/russia-hacker-group-disrupted-local-researchers

      Breaches/Hacks/Leaks

      • Major European Healthcare Network Discloses Security Breach
        "AMEOS Group, an operator of a massive healthcare network in Central Europe, has announced it has suffered a security breach that may have exposed customer, employee, and partner information. The organization published a statement on its website, as required by Article 34 of the General Data Protection Regulation (GDPR), which mandates a public notice in the event of a data breach. AMEOS is a Zurich-based healthcare provider that employs 18,000 staff in over 100 hospitals, clinics, rehabilitation centers, and nursing homes located across Switzerland, Germany, and Austria. It is one of the largest private hospital groups in the broader DACH region, with over 10,000 beds and annual revenue exceeding $1.4 billion."
        https://www.bleepingcomputer.com/news/security/major-european-healthcare-network-discloses-security-breach/
      • 3.5 Million Records Exposed In Australian Global Fashion Brand Data Breach
        "Cybersecurity Researcher, Jeremiah Fowler, discovered and reported to vpnMentor about an unencrypted and non-password-protected database that contained 3,587,960 records. The database, which presumably belongs to an Australian fashion brand, held invoices, shipping information, and return details. The documents contained names, physical and email addresses, phone numbers, and other potentially sensitive information."
        https://www.vpnmentor.com/news/report-sabo-breach/
        https://hackread.com/global-fashion-label-sabo-customer-records-leaked/

      General News

      • New Report Reveals Just 10% Of Employees Drive 73% Of Cyber Risk
        "Living Security, the global leader in Human Risk Management (HRM), today released the 2025 State of Human Cyber Risk Report, an independent study conducted by leading research firm Cyentia Institute. The report provides an unprecedented look at behavioral risk inside organizations and reveals how strategic HRM programs can reduce that risk 60% faster than traditional methods."
        https://hackread.com/new-report-reveals-just-10-of-employees-drive-73-of-cyber-risk/
        https://www.livingsecurity.com/2025-human-risk-report-key-cybersecurity-insights
      • As AI Tools Take Hold In Cybersecurity, Entry-Level Jobs Could Shrink
        "A new survey from ISC2 shows that nearly a third of cybersecurity professionals are already using AI security tools, and many others are close behind. So far, 30 percent of professionals say they’ve already integrated AI into their operations, while another 42 percent are currently testing or exploring it. Among those who have adopted AI tools, 70 percent say they’ve seen a positive impact on their team’s effectiveness."
        https://www.helpnetsecurity.com/2025/07/22/ai-in-cybersecurity-entry-level-jobs/
      • Phishing Trends Q2 2025: Microsoft Maintains Top Spot, Spotify Reenters As a Prime Target
        "Phishing continues to be a powerful tool in the cyber criminal arsenal. In the second quarter of 2025, attackers doubled down on impersonating the world’s most trusted brands—those that millions of people rely on every day. From tech giants to streaming services and travel platforms, no digital brand is immune to being spoofed. Below, we explore the latest data from Check Point Research’s Q2 2025 Brand Phishing report, uncovering key trends, industry targets, and the most alarming campaigns of the quarter."
        https://blog.checkpoint.com/research/phishing-trends-q2-2025-microsoft-maintains-top-spot-spotify-reenters-as-a-prime-target/
      • Critical Infrastructure Security Is a Critical Concern
        "Critical infrastructure doesn't look the same as it used to. Increased digitization over the past several decades has transformed these sectors into complex webs of operational technology (OT), industrial control systems (ICS), and connected devices, each with their own new capabilities and inherent risks. Despite this current revolution, security practices of critical infrastructure organizations have remained relatively unchanged. But this is not good enough for today's cyber environment."
        https://www.darkreading.com/vulnerabilities-threats/critical-infrastructure-security-critical-concern
      • Human Digital Twins Could Give Attackers a Dangerous Advantage
        "Human digital twins (HDTs) can provide a safer and less expensive way to study medicine, enhance engineering processes, and identify vulnerabilities. But attackers will also discover the advantages of adopting the rapidly developing technology, warn a pair of researchers. HDTs are trained on the core patterns of human individuals, from behavioral to psychological traits, and their avatars can mimic how real people look and sound. Reports of threat actors abusing deepfakes are already on the rise, and the threat may only worsen as AI advancements make digital twins even more realistic. This is especially concerning when considering their potential use in social engineering attacks."
        https://www.darkreading.com/threat-intelligence/human-digital-twins-attackers-dangerous-advantage
      • AI Adoption Is Driving SOC Role Reallocation Without Cutting Headcount
        "Most organizations plan to reallocate security operations center (SOC) roles as a result of broader AI adoption in these teams, according to new research by Abnormal AI. The survey found that 96% of security leaders have no plans to reduce the headcount in SOC teams amid growing utilization of AI. Instead, they are looking to reallocate professionals to higher-value activities. The findings suggest that AI is likely to enhance the role of security professionals working in SOCs, rather than remove jobs. Nearly half (44%) revealed they are developing plans to migrate Tier 1 SOC analysts to more senior Tier 2-3 roles."
        https://www.infosecurity-magazine.com/news/ai-soc-reallocation-headcount/
        https://abnormal.ai/resources/human-centered-ai-modern-soc
      • Startup Takes Personal Data Stolen By Malware And Sells It On To Other Companies
        "A tech startup is using personal data stolen by infostealer malware that it has found on the dark web, and then selling access to that data. And it claims to be working within the law. According to 404 Media, for as little as $50, Farnsworth Intelligence will give companies a look at records from infostealer logs. Infostealers are a type of malware that focus on harvesting as much data from a victim’s computer as possible. Criminals infect computers in various ways, including via malicious links and infected versions of pirated software or cheat add-ons."
        https://www.malwarebytes.com/blog/news/2025/07/startup-takes-personal-data-stolen-by-malware-and-sells-it-on-to-other-companies
      • Reclaiming Control: How Enterprises Can Fix Broken Security Operations
        "Not that long ago, say 15-20 years ago, security operations as a practice was a lot simpler. Not because it was easy to defend the enterprise, identify and investigate intrusions, or respond to and mitigate those intrusions. Those things, along with many others, were always a challenge and remain so today. Rather, 15-20 years ago, those in security operations at least had a fighting chance to be successful. What do I mean by this? Let’s examine this idea in more depth. Back then, the enterprise infrastructure was relatively well-known and well-defined. There were most often a number of data centers, along with an enterprise network inside a fairly well-understood perimeter. Over the last two decades, however, that model began to evolve and change."
        https://www.securityweek.com/reclaiming-control-how-enterprises-can-fix-broken-security-operations/
      • Hungarian Police Arrest Suspect In Cyberattacks On Independent Media
        "Hungarian police have arrested a man suspected of carrying out a prolonged series of cyberattacks against independent media outlets in Hungary and abroad, authorities said on Monday. The 23-year-old suspect from Budapest is accused of launching distributed denial-of-service (DDoS) attacks that disrupted access to at least half a dozen Hungarian news sites beginning in April 2023. The attacks also temporarily took down the website of the Vienna-based International Press Institute (IPI) in September last year, shortly after the organization published a report detailing similar incidents."
        https://therecord.media/hungary-arrest-suspect-hacking-independent-media
      • Humans Can Be Tracked With Unique 'fingerprint' Based On How Their Bodies Block Wi-Fi Signals
        "Researchers in Italy have developed a way to create a biometric identifier for people based on the way the human body interferes with Wi-Fi signal propagation. The scientists claim this identifier, a pattern derived from Wi-Fi Channel State Information, can re-identify a person in other locations most of the time when a Wi-Fi signal can be measured. Observers could therefore track a person as they pass through signals sent by different Wi-Fi networks – even if they’re not carrying a phone. In the past decade or so, scientists have found that Wi-Fi signals can be used for various sensing applications, such as seeing through walls, detecting falls, sensing the presence of humans, and recognizing gestures including sign language."
        https://www.theregister.com/2025/07/22/whofi_wifi_identifier/
        https://arxiv.org/html/2507.12869v1
      • Open Source's Superior Security Is a Matter Of Eyeballs: Be Kind To The Brains Behind Them
        "The speedrun is one of the internet's genuinely new artforms. At its best, it's akin to a virtuoso piano recital. Less emotional depth, more adrenalin. Watching an expert fly through a game creates an endorphin rush without the expense or time of doing it for yourself. Speedruns can be enlightening, too. The obvious use case is watching closely for the solution to something that's stumping you as a player. As opportunities to learn, speedruns closely resemble the debriefs that military aviators get after an exercise or which sports teams receive after matches. And now we have all sorts of video replay and analysis tools that can work in near-real time. The art form works for everyone, from solo casual gamers to the most highly trained and highly paid professionals there are. Could they work for, say, cyber security, where we need all the help we can get?"
        https://www.theregister.com/2025/07/22/open_source_windows_security_opinion_column/
      • Cloud Logging For Security And Beyond
        "This article aims to simplify cloud logging best practices for each major cloud service provider (CSP) while considering security, regulatory and business requirements. As more organizations migrate their business operations to the cloud, a crucial question arises: “What logging should we enable in order to monitor and secure our cloud environment?” To answer that question holistically, organizations must consider many factors, including:"
        https://unit42.paloaltonetworks.com/cloud-logging-for-security/
      • Fake E-Commerce Platforms As Attack Vectors & Threats In 2025
        "The landscape of fake online shops has evolved from crude phishing clones to sophisticated AI‑powered storefronts used for credential theft, card scraping, and brand impersonation. Security teams must measure risks, not just by site count, but by engagement metrics—click volume, data exfiltration rates, and financial losses."
        https://www.darknet.org.uk/2025/07/fake-e-commerce-platforms-as-attack-vectors-threats-in-2025/

      Reference
      Electronic Transactions Development Agency (ETDA)
