Cyber Threat Intelligence 29 July 2025
Vulnerabilities
- 10,000 WordPress Sites Affected By Critical Vulnerabilities In HT Contact Form WordPress Plugin
"On June 24th, 2025, we received a submission for an Arbitrary File Upload and an Arbitrary File Deletion vulnerability in HT Contact Form, a WordPress plugin with more than 10,000 active installations. The arbitrary file upload vulnerability can be used by unauthenticated attackers to upload arbitrary files to a vulnerable site and achieve remote code execution, which is typically leveraged for a complete site takeover. The arbitrary file deletion vulnerability can be used by unauthenticated attackers to delete arbitrary files, including the wp-config.php file, which can also make a site takeover possible. On July 4th, 2025, we also received a submission for an Arbitrary File Move vulnerability in HT Contact Form. This vulnerability can be used by unauthenticated attackers to move arbitrary files, including the wp-config.php file, which can also make a site takeover possible."
https://www.wordfence.com/blog/2025/07/10000-wordpress-sites-affected-by-critical-vulnerabilities-in-ht-contact-form-wordpress-plugin/
https://www.infosecurity-magazine.com/news/flaws-wordpress-plugin-expose/
- CISA Adds Three Known Exploited Vulnerabilities To Catalog
"CISA has added three new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
CVE-2025-20281 Cisco Identity Services Engine Injection Vulnerability
CVE-2025-20337 Cisco Identity Services Engine Injection Vulnerability
CVE-2023-2533 PaperCut NG/MF Cross-Site Request Forgery (CSRF) Vulnerability"
https://www.cisa.gov/news-events/alerts/2025/07/28/cisa-adds-three-known-exploited-vulnerabilities-catalog
https://www.bleepingcomputer.com/news/security/cisa-flags-papercut-rce-bug-as-exploited-in-attacks-patch-now/
https://securityaffairs.com/180494/security/u-s-cisa-adds-cisco-ise-and-papercut-ng-mf-flaws-to-its-known-exploited-vulnerabilities-catalog.html
- Sploitlight: Analyzing a Spotlight-Based MacOS TCC Vulnerability
"Microsoft Threat Intelligence has discovered a macOS vulnerability that could allow attackers to steal private data of files normally protected by Transparency, Consent, and Control (TCC), such as files in the Downloads folder, as well as caches utilized by Apple Intelligence. While similar to prior TCC bypasses like HM-Surf and powerdir, the implications of this vulnerability, which we refer to as “Sploitlight” for its use of Spotlight plugins, are more severe due to its ability to extract and leak sensitive information cached by Apple Intelligence, such as precise geolocation data, photo and video metadata, face and person recognition data, search history and user preferences, and more. These risks are further complicated and heightened by the remote linking capability between iCloud accounts, meaning an attacker with access to a user’s macOS device could also exploit the vulnerability to determine remote information of other devices linked to the same iCloud account."
https://www.microsoft.com/en-us/security/blog/2025/07/28/sploitlight-analyzing-a-spotlight-based-macos-tcc-vulnerability/
https://www.bleepingcomputer.com/news/security/microsoft-macos-sploitlight-flaw-leaks-apple-intelligence-data/
https://hackread.com/macos-sploitlight-flaw-apple-intelligence-cached-data/
https://www.theregister.com/2025/07/28/microsoft_spots_apple_bug/
https://securityaffairs.com/180503/hacking/microsoft-uncovers-macos-flaw-allowing-bypass-tcc-protections-and-exposing-sensitive-data.html
- Code Execution Through Deception: Gemini AI CLI Hijack
"Tracebit discovered a silent attack on Gemini CLI where, through a toxic combination of improper validation, prompt injection and misleading UX, inspecting untrusted code consistently leads to silent execution of malicious commands."
https://tracebit.com/blog/code-exec-deception-gemini-ai-cli-hijack
https://www.bleepingcomputer.com/news/security/flaw-in-gemini-cli-ai-coding-assistant-allowed-stealthy-code-execution/
https://cyberscoop.com/google-gemini-cli-prompt-injection-arbitrary-code-execution/
Malware
- Endgame Gear Mouse Config Tool Infected Users With Malware
"Gaming peripherals maker Endgame Gear is warning that malware was hidden in its configuration tool for the OP1w 4k v2 mouse hosted on the official website between June 26 and July 9, 2025. The infected file was hosted on 'endgamegear.com/gaming-mice/op1w-4k-v2,' so users downloading the tool from that page during this period were infected. Endgame Gear is a German PC gaming peripherals firm known for its pro-gaming gear, including the XM and OP1 series mice, which are highly regarded among reviewers and competitive players. Although not as big as brands like Logitech, Razer, and HyperX, it is a respected entity in the space and one of the key emerging firms in the ultra-light gaming mouse segment."
https://www.bleepingcomputer.com/news/security/endgame-gear-mouse-config-tool-infected-users-with-malware/
- CVE-2025-20281: Cisco ISE API Unauthenticated Remote Code Execution Vulnerability
"On January 25th, 2025, the Trend Zero Day Initiative (ZDI) received a report from Kentaro Kawane of GMO Cybersecurity by Ierae regarding a deserialization of untrusted data vulnerability in Cisco Identity Services Engine (ISE). This pre-authentication vulnerability existed in the enableStrongSwanTunnel method of the DescriptionRegistrationListener class. While analyzing this vulnerability, I noticed that the same function was also vulnerable to command injection as root. Cisco patched this initially as CVE-2025-20281 (ZDI-25-609), but also released CVE-2025-20337 (ZDI-25-607) to fully address the vulnerability. You’ll see why below."
https://www.zerodayinitiative.com/blog/2025/7/24/cve-2025-20281-cisco-ise-api-unauthenticated-remote-code-execution-vulnerability
https://www.bleepingcomputer.com/news/security/exploit-available-for-critical-cisco-ise-bug-exploited-in-attacks/
- RedHook: A New Android Banking Trojan Targeting Users In Vietnam
"Cyble Research and Intelligence Labs (CRIL) discovered ‘RedHook’, a sophisticated Android banking trojan targeting Vietnamese users through spoofed government and financial websites. It communicates to the command-and-control (C2) server using WebSocket and supports over 30 remote commands, enabling complete control over compromised devices. Code artifacts, including Chinese-language strings, suggest development by a Chinese-speaking threat actor or group. Despite its capabilities, RedHook currently has low antivirus detection, making it an active and stealthy threat in the region."
https://cyble.com/blog/redhook-new-android-banking-targeting-in-vietnam/
- New Advanced Stealer (SHUYAL) Targets Credentials Across 19 Popular Browsers
"Hybrid Analysis has analyzed a sophisticated new information stealer that combines extensive credential theft capabilities with advanced system reconnaissance and evasion tactics. Named SHUYAL based on unique identifiers discovered in the executable's PDB path, this previously undocumented stealer demonstrates comprehensive browser targeting, grabbing credentials from 19 different browsers ranging from mainstream applications like Chrome and Edge to privacy-focused options such as Tor."
https://hybrid-analysis.blogspot.com/2025/07/new-advanced-stealer-shuyal-targets.html
https://www.darkreading.com/endpoint-security/shuyal-stealer-targets-19-browsers-advanced-evasion
- Keitaro TDS Abused To Deliver AutoIT-Based Loader Targeting German Speakers
"Sublime recently identified an attack campaign targeting German speakers with a romance/adult-themed scam. The attack emails used explicit language, conflicting identity details, and redirects to malicious domains using a commercial Traffic Distribution Service (TDS) named Keitaro TDS to deliver a malicious payload. Here’s what one of the messages looked like:"
https://sublime.security/blog/keitaro-tds-abused-to-delivery-autoit-based-loader-targeting-german-speakers/
https://hackread.com/malicious-iso-file-romance-scam-on-german-speakers/
- Revisiting UNC3886 Tactics To Defend Against Present Risk
"On July 18, Singapore’s Coordinating Minister for National Security K. Shanmugam revealed that the country was facing a highly sophisticated threat actor targeting critical infrastructure—UNC3886. First reported in 2022, this advanced persistent threat (APT) group has been targeting essential services in Singapore, posing a severe risk to their national security. In this entry, we draw on observations and the tactics, techniques, and procedures (TTPs) from previously recorded UNC3886 attacks. Our aim is to get a good understanding of this threat group and enhance overall defensive posture against similar tactics."
https://www.trendmicro.com/en_us/research/25/g/revisiting-unc3886-tactics-to-defend-against-present-risk.html
- Cyber Stealer Analysis: When Your Malware Developer Has FOMO About Features
"First identified by eSentire's Threat Response Unit (TRU) in May 2025, Cyber Stealer represents a new and actively developing threat. The malware authors are consistently updating the tool based on user feedback from hacking forums, indicating an agile development process and suggesting the threat will continue to evolve and become more sophisticated. The malware compresses stolen data into a zip archive and sends it to the Command & Control (C2) server via HTTP POST requests, including detailed statistics about the types and quantities of stolen data (passwords, credit cards, cookies, etc.). The malware maintains regular communication with its C2 server through various endpoints, including heartbeat checks, XMR miner configuration, task checks, configuration updates, and data exfiltration. The C2 URL can be dynamically updated through Pastebin, with a hardcoded backup URL if that fails."
https://www.esentire.com/blog/cyber-stealer-analysis-when-your-malware-developer-has-fomo-about-features
Breaches/Hacks/Leaks
- Tea App Leak Worsens With Second Database Exposing User Chats
"The Tea app data breach has grown into an even larger leak, with the stolen data now shared on hacking forums and a second database discovered that allegedly contains 1.1 million private messages exchanged between the app's members. The Tea app is a women-only dating safety platform where members can share reviews about men, with access to the platform only granted after providing a selfie and government ID verification. On Friday, an anonymous user posted on 4chan that Tea used an unsecured Firebase storage bucket to store drivers' licenses and selfies uploaded by members to verify they are women, as well as photos and images shared in comments."
https://www.bleepingcomputer.com/news/security/tea-app-leak-worsens-with-second-database-exposing-user-chats/
https://therecord.media/tea-app-data-breach-stolen-ids-leaked
https://www.infosecurity-magazine.com/news/dating-app-breach-exposes-13000/
https://hackread.com/tea-app-breach-women-dating-platform-user-images-leak/
- France's Warship Builder Naval Group Investigates 1TB Data Breach
"France's state-owned defense firm Naval Group is investigating a cyberattack after 1TB of allegedly stolen data was leaked on a hacking forum. The company characterized this as a "destabilization attempt" and a "reputational attack," to which it has responded by filing a complaint to protect its client's data. Meanwhile, Naval Group is investigating with the assistance of external experts to determine if the leaked data originated from them. Despite the gravity of the claims, the company maintains that it sees no signs of an IT systems breach, and its operations haven't been impacted."
https://www.bleepingcomputer.com/news/security/frances-warship-builder-naval-group-investigates-1tb-data-breach/
https://www.infosecurity-magazine.com/news/naval-group-denies-hack/
- GLOBAL GROUP Ransomware Claims Breach Of Media Giant Albavisión
"The GLOBAL GROUP ransomware gang is claiming responsibility for a breach of Albavisión (albavision.tv), a major Spanish-language media conglomerate based in Miami, Florida. The group also claims to have stolen 400 GB of data. GLOBAL GROUP is a newly emerged Ransomware-as-a-Service (RaaS) operation that has been active since early June 2025. The group has targeted multiple sectors globally, including media and healthcare, with Albavisión listed as its 29th claimed victim since its launch. What sets GLOBAL GROUP ransomware apart from other gangs is its use of an AI-driven negotiation tool. This system employs chatbots to handle negotiations with victims, particularly those who do not speak English."
https://hackread.com/global-group-ransomware-media-giant-albavision-breach/
- Cyberattack On Aeroflot Causing Mass Flight Disruptions, Russia Says
"Russian authorities confirmed on Monday that Aeroflot, the country’s largest airline and national carrier, has been hit with a cyberattack causing widespread flight delays and cancellations. Aeroflot said a “technical failure” was to blame for the disruption, which began Monday morning and has forced the airline to cancel more than 50 flights, including on popular domestic routes such as Moscow, St. Petersburg and Sochi. Some flights planned for later in the week were also canceled. The company said it is working to restore normal operations and promised to refund passengers or rebook their tickets once its systems are back online. Aeroflot’s shares dropped nearly 4% on Monday. The disruptions also hit the company’s subsidiaries, Rossiya and Pobeda."
https://therecord.media/cyberattack-aeroflot-russia-delays
https://www.politico.com/news/2025/07/28/cyberattack-on-russian-airline-aeroflot-causes-the-cancellation-of-more-than-100-flights-00479963
https://www.bankinfosecurity.com/russias-flag-carrier-cancels-flights-after-hack-attack-a-29065
https://www.theregister.com/2025/07/28/aeroflot_system_compromise/
https://www.securityweek.com/cyberattack-on-russian-airline-aeroflot-causes-the-cancellation-of-more-than-100-flights/
General News
- Your Supply Chain Security Strategy Might Be Missing The Biggest Risk
"Third-party involvement in data breaches has doubled this year from 15 percent to nearly 30 percent. In response, many organizations have sharpened their focus on third-party risk management, carefully vetting the security practices of their vendors. However, a critical gap remains that many organizations overlook: fourth-party risk."
https://www.helpnetsecurity.com/2025/07/28/vendor-risk-management/
- The Legal Minefield Of Hacking Back
"In this Help Net Security interview, Gonçalo Magalhães, Head of Security at Immunefi, discusses the legal and ethical implications of hacking back in cross-border cyber incidents. He warns that offensive cyber actions risk violating international law, escalating conflicts, and harming innocent third parties. Instead, Magalhães advocates for legally sanctioned frameworks, such as bug bounty programs, to strengthen security without crossing dangerous lines."
https://www.helpnetsecurity.com/2025/07/28/goncalo-magalhaes-immunefi-hacking-back-concerns/
- How To Spot Malicious AI Agents Before They Strike
"Today's businesses know they have an artificial intelligence fraud problem — and as agentic AI becomes more widely deployed, it introduces a whole new dimension to the battle of the machines. Success won't come solely from fighting AI with AI, but by evolving people and processes, starting with tighter collaboration between security and fraud teams. Automated defenses are essential. But given how successful phishing and credential-based attacks still are, we must accept that malicious agents will often appear legitimate — and gain access. Defending against them requires speed, but not at the expense of paralyzing online commerce. It's the same old dilemma: security slowing down business. Only now, the stakes are far higher. Think of a Mirai-style botnet but powered by malicious AI agents. That's the kind of threat we want to stay ahead of."
https://www.darkreading.com/vulnerabilities-threats/spot-malicious-ai-agents-strike
- Too Many Threats, Too Much Data, Say Security And IT Leaders. Here’s How To Fix That
"An overwhelming volume of threats and data combined with the shortage of skilled threat analysts has left many security and IT leaders believing that their organizations are vulnerable to cyberattacks and stuck in a reactive state. That’s according to the new Threat Intelligence Benchmark, a commissioned study conducted by Forrester Consulting on behalf of Google Cloud, on the threat intelligence practices of more than 1,500 IT and cybersecurity leaders from eight countries and across 12 industries. Operationalizing threat intelligence remains a major challenge, said a majority of the survey’s respondents."
https://cloud.google.com/blog/products/identity-security/too-many-threats-too-much-data-new-survey-heres-how-to-fix-that
https://cloud.google.com/resources/content/security-forrester-harness-ai-transform-threat-intelligence
https://www.theregister.com/2025/07/28/security_pros_drowning_in_threatintel/
References
Electronic Transactions Development Agency (ETDA)