Cyber Threat Intelligence 01 August 2025
Healthcare Sector
- Why Rural Hospitals Are Losing The Cybersecurity Battle
"Cyber threats are becoming more frequent and sophisticated, and rural hospitals and clinics are feeling the pressure from all sides: tight budgets, small teams, limited training, complex technology, and vendors that do not always offer much help. Often, they are left juggling security tools without the IT support to use them effectively, according to Paubox."
https://www.helpnetsecurity.com/2025/07/31/rural-healthcare-cybersecurity-challenges/
Industrial Sector
- Güralp Systems Güralp FMUS Series
"Successful exploitation of this vulnerability could allow an attacker to modify hardware configurations, manipulate data, or factory reset the device."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-212-01
- Rockwell Automation Lifecycle Services With VMware
"Successful exploitation of these vulnerabilities could lead to code execution on the host or leakage of memory from processes communicating with vSockets."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-212-02
New Tooling
- Thorium Platform Public Availability
"Today, CISA, in partnership with Sandia National Laboratories, announced the public availability of Thorium, a scalable and distributed platform for automated file analysis and result aggregation. Thorium enhances cybersecurity teams' capabilities by automating analysis workflows through seamless integration of commercial, open-source, and custom tools. It supports various mission functions, including software analysis, digital forensics, and incident response, allowing analysts to efficiently assess complex malware threats. Thorium enables teams that frequently analyze files to achieve scalable automation and results indexing within a unified platform. Analysts can integrate command-line tools as Docker images, filter results using tags and full-text search, and manage access with strict group-based permissions."
https://www.cisa.gov/news-events/alerts/2025/07/31/thorium-platform-public-availability
https://github.com/cisagov/thorium
https://www.bleepingcomputer.com/news/security/cisa-open-sources-thorium-platform-for-malware-forensic-analysis/
https://therecord.media/cisa-unveils-free-malware-analysis-tool
Vulnerabilities
- Azure’s Weakest Link? How API Connections Spill Secrets
"During a client engagement, I was checking out their Azure Resources looking for common vulnerabilities. They were utilizing a Logic App to post some messages to Slack. Usually, we can find some tokens or other sensitive information in the workflow run history of these apps, as it is common to not mark input (and output) as sensitive. I could not find anything of the sort in this case, so I moved on from the investigation. However, by chance I saw an odd response from a request automatically made from the portal when going into the API Connection resource."
https://binarysecurity.no/posts/2025/03/api-connections
https://www.darkreading.com/vulnerabilities-threats/low-code-tools-azure-allowed-unprivileged-access
Malware
- Frozen In Transit: Secret Blizzard’s AiTM Campaign Against Diplomats
"Microsoft Threat Intelligence has uncovered a cyberespionage campaign by the Russian state actor we track as Secret Blizzard that has been targeting embassies located in Moscow using an adversary-in-the-middle (AiTM) position to deploy their custom ApolloShadow malware. ApolloShadow has the capability to install a trusted root certificate to trick devices into trusting malicious actor-controlled sites, enabling Secret Blizzard to maintain persistence on diplomatic devices, likely for intelligence collection. This campaign, which has been ongoing since at least 2024, poses a high risk to foreign embassies, diplomatic entities, and other sensitive organizations operating in Moscow, particularly to those entities who rely on local internet providers."
https://www.microsoft.com/en-us/security/blog/2025/07/31/frozen-in-transit-secret-blizzards-aitm-campaign-against-diplomats/
https://www.bleepingcomputer.com/news/security/microsoft-russian-hackers-use-isp-access-to-hack-embassies-in-aitm-attacks/
https://thehackernews.com/2025/07/secret-blizzard-deploys-malware-in-isp.html
https://www.darkreading.com/threat-intelligence/russia-secret-blizzard-apt-embassy-isps
https://therecord.media/russia-fsb-turla-espionage-foreign-embassies-isp-level
https://cyberscoop.com/russia-secret-blizzard-espionage-embassies-moscow/
https://securityaffairs.com/180638/apt/russia-linked-apt-secret-blizzard-targets-foreign-embassies-in-moscow-with-apolloshadow-malware.html
https://www.theregister.com/2025/07/31/kremlin_goons_caught_abusing_isps/
- Spikes In Malicious Activity Precede New Security Flaws In 80% Of Cases
"Researchers have found that in roughly 80% of cases, spikes in malicious activity like network reconnaissance, targeted scanning, and brute-forcing attempts targeting edge networking devices are a precursor to the disclosure of new security vulnerabilities (CVEs) within six weeks. This has been discovered by threat monitoring firm GreyNoise, which reports these occurrences are not random, but are rather characterized by repeatable and statistically significant patterns. GreyNoise bases this on data from its 'Global Observation Grid' (GOG) collected since September 2024, applying objective statistical thresholds to avoid results-skewing cherry-picking."
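One way to test the GreyNoise observation against your own telemetry, as an added example (not GreyNoise's code or method): flag days on which probing of a given product jumps well above its recent baseline, then check whether a vulnerability disclosure for that product followed inside the six-week window the report names. The report does not publish its statistical thresholds here, so the median + k*MAD rule below is an assumption chosen for illustration; the daily counts and disclosure dates are constructed.

```python
"""Flag scanning spikes against a product and check whether a disclosure followed.

Added example; not GreyNoise code. The six-week lead window comes from the
report; the robust median + k*MAD threshold is an assumption made here for
illustration. All counts and disclosure dates below are constructed.
"""
from datetime import date, timedelta
from statistics import median

LEAD_WINDOW = timedelta(weeks=6)


def spike_days(counts, history=14, k=6.0):
    """Indices of days whose count exceeds median + k*MAD of the preceding `history` days.

    `counts` holds one number per day, e.g. distinct source IPs probing a given
    edge-device product. MAD (median absolute deviation) rather than standard
    deviation keeps an earlier burst from inflating the baseline. The first
    `history` days have no baseline and are never flagged.
    """
    spikes = []
    for i in range(history, len(counts)):
        window = counts[i - history:i]
        med = median(window)
        mad = median(abs(x - med) for x in window) or 1.0  # flat baseline: still demand k above the median
        if counts[i] > med + k * mad:
            spikes.append(i)
    return spikes


def spike_date(start: date, index: int) -> date:
    """Calendar date of day `index` when day 0 is `start`."""
    return start + timedelta(days=index)


def followed_by_disclosure(day: date, disclosures, window=LEAD_WINDOW):
    """First disclosure on or after `day` and no later than `day + window`, else None."""
    for d in sorted(disclosures):
        if day <= d <= day + window:
            return d
    return None


def precursor_hit_rate(start: date, counts, disclosures, **spike_kwargs):
    """(hits, spikes): how many detected spikes were followed by a disclosure in the window.

    On real data this ratio is what the report quotes as roughly 80%.
    """
    spikes = spike_days(counts, **spike_kwargs)
    hits = sum(
        1 for i in spikes
        if followed_by_disclosure(spike_date(start, i), disclosures) is not None
    )
    return hits, len(spikes)


# Constructed sample: 50 days of steady background probing with two bursts.
SAMPLE_START = date(2025, 1, 1)
SAMPLE_COUNTS = [10, 11, 9, 10, 12, 10, 9, 11, 10, 10] * 5
SAMPLE_COUNTS[14] = 48  # constructed burst on 15 January
SAMPLE_COUNTS[40] = 37  # constructed burst on 10 February
# Constructed disclosure dates for the same product: one 20 days after the
# first burst (inside the window), one 50 days after the second (outside it).
SAMPLE_DISCLOSURES = [date(2025, 2, 4), date(2025, 4, 1)]

if __name__ == "__main__":
    for i in spike_days(SAMPLE_COUNTS):
        day = spike_date(SAMPLE_START, i)
        print(day, SAMPLE_COUNTS[i], followed_by_disclosure(day, SAMPLE_DISCLOSURES))
    hits, total = precursor_hit_rate(SAMPLE_START, SAMPLE_COUNTS, SAMPLE_DISCLOSURES)
    print(f"{hits}/{total} spikes preceded a disclosure within {LEAD_WINDOW.days} days")
```

The baseline is recomputed from the preceding two weeks only, so a burst drops out of the history after fourteen days instead of raising the bar for every later day; lowering `k` trades false positives for earlier warning.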
https://www.bleepingcomputer.com/news/security/spikes-in-malicious-activity-precede-new-cves-in-80-percent-of-cases/
https://www.greynoise.io/resources/early-warning-signals-attacker-behavior-precedes-new-vulnerabilities
- Using LLMs As a Reverse Engineering Sidekick
"As the adoption of LLMs accelerates across industries, concerns about their potential to replace human expertise have become widespread. However, rather than viewing it as a threat to human expertise, we can consider LLMs as powerful tools to help malware researchers in our work. We seek to show with this research that even by using low-cost tools and hardware, a malware researcher can take advantage of this technology to improve their work. This blog covers the different choices of client applications available to interact with LLMs and disassemblers, the features to consider when choosing the best language model and the available plugins to integrate these applications into a solid framework to help during a malware analysis session."
https://blog.talosintelligence.com/using-llm-as-a-reverse-engineering-sidekick/
- Threat Actors Lure Victims Into Downloading .HTA Files Using ClickFix To Spread Epsilon Red Ransomware
"During routine infrastructure hunting, CloudSEK’s TRIAD uncovered a Clickfix-themed malware delivery site in active development, associated with the Epsilon Red ransomware. Unlike previous campaigns that copy commands to clipboards, this variant urges victims to visit a secondary page, where malicious shell commands are silently executed via ActiveX to download and run payloads from an attacker-controlled IP. Social engineering tactics, such as fake verification codes, are used to appear benign. Pivoting into related infrastructure revealed impersonation of services like Discord Captcha Bot, Kick, Twitch, and OnlyFans, as well as romance-themed lures. Epsilon Red was first observed in 2021 and is loosely inspired by REvil ransomware in ransom note styling, but otherwise appears distinct in its tactics and infrastructure."
https://www.cloudsek.com/blog/threat-actors-lure-victims-into-downloading-hta-files-using-clickfix-to-spread-epsilon-red-ransomware
https://hackread.com/onlyfans-discord-clickfix-pages-epsilon-red-ransomware/
- Behind Random Words: DoubleTrouble Mobile Banking Trojan Revealed
"Over the past few months, our zLabs team has been actively tracking a sophisticated banker trojan strain that has rapidly evolved in both its distribution methods and capabilities. Initially, this threat was spread through phishing websites impersonating well-known European banks. Early variants of the trojan primarily utilized overlays to steal banking credentials, captured lock screen information, and featured keylogging functionality."
https://zimperium.com/blog/behind-random-words-doubletrouble-mobile-banking-trojan-revealed
https://www.infosecurity-magazine.com/news/android-malware-targets-banks-via/
- How North Korea-Backed Lazarus Group Is Weaponizing Open Source To Target Developers
"Sonatype’s latest whitepaper delivers an in-depth analysis of a rapidly escalating campaign by the North Korea-backed Lazarus Group. In just the first half of 2025, Sonatype's automated threat detection uncovered 234 unique malware packages embedded in open source registries — all attributed to Lazarus and targeting software engineers, CI/CD pipelines, and developer environments. This campaign is not opportunistic. It is strategic."
https://www.sonatype.com/resources/whitepapers/how-lazarus-group-is-weaponizing-open-source
https://www.sonatype.com/hubfs/White_Papers/How-North-Korea-Backed-Lazarus-Group-is-Weaponizing-Open-Source-Whitepaper.pdf
https://www.sonatype.com/blog/sonatype-uncovers-global-espionage-campaign-in-open-source-ecosystems
https://therecord.media/north-korean-hackers-targeting-open-source-repositories
https://www.infosecurity-magazine.com/news/200-malicious-open-source-lazarus/
- Microsoft OAuth App Impersonation Campaign Leads To MFA Phishing
"Proofpoint has identified a cluster of activity using Microsoft OAuth application creation and redirects that lead to malicious URLs enabling credential phishing. The fake Microsoft 365 applications impersonate various companies including RingCentral, SharePoint, Adobe, and DocuSign. Proofpoint first observed this activity in early 2025, and it remains ongoing. The goal of the campaigns is to use OAuth applications as a gateway lure to conduct other activities, mostly to obtain access to Microsoft 365 accounts via MFA phishing. The phishing campaigns leverage multifactor authentication (MFA) attacker-in-the-middle (AiTM) phishing kits, predominately Tycoon. Such activity could be used for information gathering, lateral movement, follow-on malware installation, or to conduct additional phishing campaigns from compromised accounts."
https://www.proofpoint.com/us/blog/threat-insight/microsoft-oauth-app-impersonation-campaign-leads-mfa-phishing
- Attackers Abusing Proofpoint & Intermedia Link Wrapping To Deliver Phishing Payloads
"From June 2025 through July 2025, the Cloudflare Email Security team has been tracking a cluster of cybercriminal threat activity leveraging Proofpoint and Intermedia link wrapping to mask phishing payloads, exploiting human trust and detection delays to bypass defenses. Link wrapping is designed by vendors like Proofpoint to protect users by routing all clicked URLs through a scanning service, allowing them to block known malicious destinations at the moment of click. For example, an email link to http://malicioussite[.]com might become https://urldefense[.]proofpoint[.]com/v2/url?u=http-3A__malicioussite[.]com. While this is effective against known threats, attacks can still succeed if the wrapped link hasn’t been flagged by the scanner at click time."
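Recovering the real destination from a wrapped link offline, and walking a wrapper that has been nested inside another wrapper, as an added example (not code from the Cloudflare report or from Proofpoint). It assumes Proofpoint's publicly documented v2 encoding, in which `/` is written as `_` and every other reserved byte as `-XX` (so `http://` becomes `http-3A__`); the host `urldefense.proofpoint.com`, the `/v2/url` path and the `u` parameter are as in the report's example. The `refang` helper and all sample URLs are constructed, and Intermedia's wrapper is not handled because the page does not describe its format.

```python
"""Unwrap Proofpoint URL Defense v2 links and walk nested wrappers.

Added example, not code from the Cloudflare report or from Proofpoint.
The v2 scheme (`/` written as `_`, other reserved bytes as `-XX`) is
Proofpoint's publicly documented format; Intermedia's wrapper is not handled.
All sample URLs below are constructed.
"""
from urllib.parse import parse_qs, unquote, urlsplit

PROOFPOINT_V2_HOST = "urldefense.proofpoint.com"
MAX_HOPS = 5  # stop walking pathological wrapper chains


def refang(text: str) -> str:
    """Undo the defanging used in reports: hxxp -> http, [.] -> '.', [:] -> ':'."""
    return text.replace("hxxp", "http").replace("[.]", ".").replace("[:]", ":")


def unwrap_proofpoint_v2(url: str):
    """Return the destination hidden in a v2 wrapped link, or None if `url` is not one."""
    parts = urlsplit(url)
    if parts.netloc.lower() != PROOFPOINT_V2_HOST or not parts.path.startswith("/v2/url"):
        return None
    encoded = parse_qs(parts.query).get("u", [""])[0]
    if not encoded:
        return None
    # v2 swaps '/' for '_' and writes reserved bytes as '-XX' (':' is '-3A').
    # Mapping '-' back to '%' turns that into ordinary percent-encoding, which
    # unquote() decodes; '-5F' and '-2D' come back as literal '_' and '-'.
    return unquote(encoded.translate(str.maketrans("-_", "%/")))


def unwrap_chain(url: str):
    """Follow wrapper-inside-wrapper links; returns every hop, outermost first.

    The last element is the first URL that is not a recognised wrapper, i.e.
    the destination a click-time scanner would actually have to judge. A
    chain longer than one hop is itself worth alerting on.
    """
    hops = [refang(url)]
    while len(hops) <= MAX_HOPS:
        inner = unwrap_proofpoint_v2(hops[-1])
        if inner is None:
            break
        hops.append(inner)
    return hops


def final_destination(url: str) -> str:
    """Convenience wrapper: only the innermost URL."""
    return unwrap_chain(url)[-1]


if __name__ == "__main__":
    # Constructed: the wrapped form of http://malicioussite.com as it would sit in a mail body.
    wrapped = "https://urldefense[.]proofpoint[.]com/v2/url?u=http-3A__malicioussite.com&d=example"
    for hop in unwrap_chain(wrapped):
        print(hop)
```

Treat the decoded destination as untrusted input for your own reputation checks rather than something the wrapper has vouched for; as the report notes, the wrapper only blocks what its scanner already knew about at click time.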
https://www.cloudflare.com/threat-intelligence/research/report/attackers-abusing-proofpoint-intermedia-link-wrapping-to-deliver-phishing-payloads/
https://thehackernews.com/2025/07/experts-detect-multi-layer-redirect.html
- N. Korean Hackers Used Job Lures, Cloud Account Access, And Malware To Steal Millions In Crypto
"The North Korea-linked threat actor known as UNC4899 has been attributed to attacks targeting two different organizations by approaching their employees via LinkedIn and Telegram. "Under the guise of freelance opportunities for software development work, UNC4899 leveraged social engineering techniques to successfully convince the targeted employees to execute malicious Docker containers in their respective workstations," Google's cloud division said [PDF] in its Cloud Threat Horizons Report for H2 2025. UNC4899 overlaps with activity tracked under the monikers Jade Sleet, PUKCHONG, Slow Pisces, and TraderTraitor. Active since at least 2020, the state-sponsored actor is known for its targeting of cryptocurrency and blockchain industries."
https://thehackernews.com/2025/07/n-korean-hackers-used-job-lures-cloud.html
https://services.google.com/fh/files/misc/cloud_threat_horizons_report_h22025.pdf
Breaches/Hacks/Leaks
- Everest Ransomware Claims Mailchimp As New Victim In Relatively Small Breach
"The Everest ransomware group is claiming responsibility for breaching Mailchimp, the popular marketing platform used to create, send and manage email campaigns and newsletters. The group made the announcement earlier today on its dark web leak site, claiming to have stolen a 767 MB database containing 943,536 lines of data. According to Everest, the leak includes “internal company documents” and “a huge variety of personal documents and information of clients.”"
https://hackread.com/everest-ransomware-claims-mailchimp-small-breach/
General News
- Why Stolen Credentials Remain Cybercriminals’ Tool Of Choice
"It’s often the case that the simplest tools have the longest staying power, because they ultimately get the job done. Take duct tape, for example: it’s a sturdy household classic that wasn’t invented to be elegant or high tech. It was made to work whether dealing with a leaky tent or an inconvenient puncture – a reliable way to just get the job done in a sticky situation. Stolen credentials play a similar role in a threat actor’s playbook. It’s an old method that’s still effective."
https://www.helpnetsecurity.com/2025/07/31/stolen-credentials/
- AI Is Changing The vCISO Game
"Virtual CISO (vCISO) services have moved from niche to mainstream, with vCISO services adoption 2025 data showing a more than threefold increase in just one year. According to Cynomi’s 2025 State of the Virtual CISO report, 67% of MSPs and MSSPs now offer vCISO services, up from just 21% in 2024. This sharp increase aligns with the previous year’s predictions, when nearly three-quarters of non-adopters stated they planned to launch these services by the end of 2025."
https://www.helpnetsecurity.com/2025/07/31/vciso-services-adoption-2025/
- Secrets Are Leaking Everywhere, And Bots Are To Blame
"Secrets like API keys, tokens, and credentials are scattered across messaging apps, spreadsheets, CI/CD logs, and even support tickets. According to Entro Security’s NHI & Secrets Risk Report H1 2025, non-human identities (NHIs), including bots, service accounts, and automation tools, are now the fastest-growing source of security risk in enterprise environments."
https://www.helpnetsecurity.com/2025/07/31/enterprise-non-human-identity-risk/
- Internet Exchange Points Are Ignored, Vulnerable, And Absent From Infrastructure Protection Plans
"Internet Exchange Points are an underappreciated resource that all internet users rely on, but governments have unfortunately ignored them, despite their status as critical infrastructure. So says Flavio Luciani, chief technology officer at Italian outfit Namex, which operates Roma IXP. His position isn’t just self-serving, because according to the Internet Society’s (ISOC’s) IXP tracker, 1,519 IXPs are currently active and have a collective capacity of 2,086,083 Gbps."
https://www.theregister.com/2025/07/31/ixp_resilience_call/
- CISA And USCG Issue Joint Advisory To Strengthen Cyber Hygiene In Critical Infrastructure
"CISA, in partnership with the U.S. Coast Guard (USCG), released a joint Cybersecurity Advisory aimed at helping critical infrastructure organizations improve their cyber hygiene. This follows a proactive threat hunt engagement conducted at a U.S. critical infrastructure facility. During this engagement, CISA and USCG did not find evidence of malicious cyber activity or actor presence on the organization’s network but did identify several cybersecurity risks. CISA and USCG are sharing their findings and associated mitigations to assist other critical infrastructure organizations identify potential similar issues and take proactive measures to improve their cybersecurity posture. The mitigations include best practices such as not storing passwords or credentials in plaintext, avoiding sharing local administrator account credentials, and implementing comprehensive logging."
https://www.cisa.gov/news-events/alerts/2025/07/31/cisa-and-uscg-issue-joint-advisory-strengthen-cyber-hygiene-critical-infrastructure
https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-212a
- Ransomware In Q2 2025: AI Joins The Crew, Cartels Rise, And Payment Rates Collapse
"In Check Point Research’s latest Ransomware Threat Intelligence Report, we break down how the ransomware ecosystem is rapidly transforming. This quarter’s shift includes AI-generated malware, collapsing trust in decryption, affiliate-powered cartels, and a fragmented threat landscape that’s harder than ever to track. Here’s what every security leader should know now and why ransomware is still one of the most profitable and fastest-moving corners of the cyber crime world."
https://blog.checkpoint.com/research/ransomware-in-q2-2025-ai-joins-the-crew-cartels-rise-and-payment-rates-collapse/
https://www.darkreading.com/threat-intelligence/dragonforce-ransom-cartel-profits-rivals-demise
- IR Trends Q2 2025: Phishing Attacks Persist As Actors Leverage Compromised Valid Accounts To Enhance Legitimacy
"Phishing remained the top method of initial access this quarter, appearing in a third of all engagements – a decrease from 50 percent last quarter. Threat actors largely leveraged compromised internal or trusted business partner email accounts to deploy malicious emails, bypassing security controls and gaining targets’ trust. Interestingly, the objective of the majority of observed phishing attacks appeared to be credential harvesting, suggesting cybercriminals may consider brokering compromised credentials as simpler and more reliably profitable than other post-exploitation activities, such as engineering a financial payout or stealing proprietary data."
https://blog.talosintelligence.com/ir-trends-q2-2025/
- Gen Z Falls For Scams 2x More Than Older Generations
"By some measures, young people are twice as likely to fall for cyberattacks than supposedly gullible old people are. Many assume that older people, by virtue of having less intimate knowledge of new technologies, are at proportionately greater risk of falling for online scams. However, recent data suggests that it's younger people who are at greater risk, due to their online habits and also broader economic pressures. Earlier this spring, in survey data shared with Dark Reading, CyberArk found 20% of Gen Zers said they'd never been hacked before. That was just half the rate reported by baby boomers (41%), despite their having lived literally fewer years during which they could have been hacked."
https://www.darkreading.com/cyber-risk/gen-z-scams-2x-more-older-generations
- 3 Things CFOs Need To Know About Mitigating Threats
"Cybercrime is no longer just an IT concern. It's a direct threat to an organization's balance sheet and reputation. In 2024, the average cost of a data breach in the US rose to more than $9.36 million. Fortunately, business leaders already possess the tools to defend against these threats. They just need to know how to use them strategically."
https://www.darkreading.com/vulnerabilities-threats/3-things-cfo-mitigating-threats
- What The Coinbase Breach Says About Insider Risk
"When your digital vault is compromised, the fallout isn't just financial — it cuts to the foundation of trust. That is the reality that Coinbase, one of the world's largest cryptocurrency exchanges, is facing in the wake of a data breach that reportedly led to losses of up to $400 million and exposed almost 70,000 customers' personal information. This breach also sparked serious questions about how well companies are managing data governance, internal security controls, and insider risk."
https://www.darkreading.com/vulnerabilities-threats/coinbase-breach-insider-risk
- Dark Reading Confidential: Funding The CVE Program Of The Future
"Dark Reading Confidential Episode 8: Federal funding for the CVE Program expires in April 2026, and a trio of experts agree the industry isn't doing enough to deal with the looming crisis. Bugcrowd's Trey Ford, expert Adam Shostack, and vulnerability historian Brian Martin sit down with Dark Reading to help us figure out what a "good" future of the CVE Program would look like and how to get there."
https://www.darkreading.com/cybersecurity-operations/funding-cve-program-future
- Inside The FBI's Strategy For Prosecuting Ransomware
"Think hacker and you may think of Ruslan Magomedovich Astamirov: Russian, skinny, and unshaven, with that blend of precociousness and recklessness common among teenagers. Astamirov was an affiliate of the LockBit ransomware gang when he crossed the border from Mexico into Arizona seeking asylum in the spring of 2023. As far as the US FBI was concerned, he might as well have dressed himself in gift wrap. Even so, Astamirov figured things couldn't be too bad because he "didn't think I was some big player — more like a small fish" in the grand scheme of LockBit's operations."
https://www.darkreading.com/cybersecurity-operations/inside-fbi-strategy-prosecuting-ransomware
- Ransomware Attacks Escalate To Physical Threats Against Executives
"Ransomware actors are resorting to extreme measures to pressure victims into paying demands, including threats of physical harm to business executives. Over the past 12 months, executives were physically threatened in 40% of ransomware incidents, according to a new report by Semperis. This tactic increased to 46% of cases impacting US-based firms. On top of this, victims reported that threat actors threatened to file regulatory complaints against them if they refused to pay in around half (47%) of attacks."
https://www.infosecurity-magazine.com/news/ransomware-attacks-escalate/
https://www.semperis.com/ransomware-risk-report/
https://www.theregister.com/2025/07/31/ransomware_physical_harm_threats/
- That Seemingly Innocent Text Is Probably a Scam
"Many of us have received texts like these. Often super short, some flirty, some with a business tone, or sometimes just a simple ‘hello.’ You don’t know the sender, and they look like an honest mistake. But they’re not. All the messages are carefully crafted to seem plausible—so you don’t immediately feel suspicious—and short—to trigger your curiosity. The intention of these messages is to get you to be confused enough that you will reply, perhaps by saying they have the wrong number."
https://www.malwarebytes.com/blog/news/2025/07/that-seemingly-innocent-text-is-probably-a-scam
- Who’s Really Behind The Mask? Combatting Identity Fraud
"In our hyper-connected world, identity isn’t just personal, it’s vulnerable. Behind each login, each email, and each access request, there could be a legitimate user. Or a skilled impersonator. Unlike the physical world, where identity is anchored in faces and fingerprints, the digital world depends on credentials: fragile, fallible, and frequently stolen."
https://www.securityweek.com/whos-really-behind-the-mask-combatting-identity-fraud/
- Alert Fatigue, Data Overload, And The Fall Of Traditional SIEMs
"Security Operations Centers (SOCs) are stretched to their limits. Log volumes are surging, threat landscapes are growing more complex, and security teams are chronically understaffed. Analysts face a daily battle with alert noise, fragmented tools, and incomplete data visibility. At the same time, more vendors are phasing out their on-premises SIEM solutions, encouraging migration to SaaS models. But this transition often amplifies the inherent flaws of traditional SIEM architectures."
https://thehackernews.com/2025/07/alert-fatigue-data-overload-and-fall-of.html
- Introducing Unit 42’s Attribution Framework
"Threat actor attribution has traditionally been considered more art than science, often relying heavily on a few threat researchers to confirm observed activity. This approach is unsustainable and contributes to confusion in naming threat groups. We have addressed this by creating the Unit 42 Attribution Framework, while leveraging the excellent work of the Diamond Model of Intrusion Analysis."
https://unit42.paloaltonetworks.com/unit-42-attribution-framework/
References
Electronic Transactions Development Agency (ETDA)