Cyber Threat Intelligence 04 August 2025
Healthcare Sector
- Security Gaps Still Haunt Shared Mobile Device Use In Healthcare
"Shared mobile devices are becoming the standard in hospitals and health systems. While they offer cost savings and workflow improvements, many organizations are still struggling to manage the security risks that come with them, according to Imprivata’s 2025 State of Shared Mobile Devices in Healthcare report. Shared-use devices are everywhere, and their use will only grow. 99% of respondents expect shared device programs to expand over the next two years. The model saves money, with an average of $1.1 million saved each year compared to one-to-one or BYOD approaches. It also helps care teams communicate, access clinical apps, and treat patients more efficiently."
https://www.helpnetsecurity.com/2025/08/01/shared-mobile-device-security-healthcare/
Vulnerabilities
- When Public Prompts Turn Into Local Shells: ‘CurXecute’ – RCE In Cursor Via MCP Auto‑Start
"In June we disclosed EchoLeak, the first zero‑click exfiltration chain against Microsoft 365 Copilot. It proved that untrusted content (a single inbound e‑mail) could hijack an LLM’s inner loop and leak whatever data the model could see - without user action. (Aim Security) EchoLeak underscored another critical lesson: if outside context can steer an AI-agent, any agent can have its control flow hijacked and its privileges misused - including those running on a developer’s own machine - and the popularity of such developer‑oriented agents is growing daily."
https://www.aim.security/lp/aim-labs-curxecute-blogpost
https://www.bleepingcomputer.com/news/security/ai-powered-cursor-ide-vulnerable-to-prompt-injection-attacks/
https://thehackernews.com/2025/08/cursor-ai-code-editor-fixed-flaw.html
https://cyberscoop.com/cursor-ai-prompt-injection-attack-remote-code-privileges-aimlabs/
- New 'Shade BIOS' Technique Beats Every Kind Of Security
"Researchers have developed a method for running malware in a computer's BIOS — a place where no security software can reach. At Black Hat 2025, Kazuki Matsuo, a security researcher at FFRI Security, will detail the technique he and his colleagues call "Shade BIOS." Unlike with traditional UEFI rootkits and bootkits, Shade BIOS distinguishes itself by requiring essentially zero interaction with an operating system (OS). Thus, it allows an attacker to perform malicious functions from beyond where any antivirus, endpoint or extended detection and response (EDR/XDR), or operating system security tools can see or touch."
https://www.darkreading.com/endpoint-security/shade-bios-technique-beats-security
Malware
- Arctic Wolf Observes July 2025 Uptick In Akira Ransomware Activity Targeting SonicWall SSL VPN
"In late July 2025, Arctic Wolf observed an increase in ransomware activity targeting SonicWall firewall devices for initial access. In the intrusions reviewed, multiple pre-ransomware intrusions were observed within a short period of time, each involving VPN access through SonicWall SSL VPNs. While credential access through brute force, dictionary attacks, and credential stuffing have not yet been definitively ruled out in all cases, available evidence points to the existence of a zero-day vulnerability. In some instances, fully patched SonicWall devices were affected following credential rotation. Despite TOTP MFA being enabled, accounts were still compromised in some instances. Arctic Wolf Labs is currently conducting research into this campaign and will share additional details as they become available."
https://arcticwolf.com/resources/blog/arctic-wolf-observes-july-2025-uptick-in-akira-ransomware-activity-targeting-sonicwall-ssl-vpn/
https://www.bleepingcomputer.com/news/security/surge-of-akira-ransomware-attacks-hits-sonicwall-firewall-devices/
https://thehackernews.com/2025/08/akira-ransomware-exploits-sonicwall.html
https://securityaffairs.com/180724/cyber-crime/akira-ransomware-targets-sonicwall-vpns-in-likely-zero-day-attacks.html
- China Accuses US Of Exploiting Microsoft Zero-Day In Cyberattack
"U.S. intelligence agencies launched cyberattacks on two Chinese military enterprises dating back to 2022, in one case exploiting a Microsoft zero-day, China alleged Friday. The Cyber Security Association of China said that in the first case, U.S. agencies from July of 2022 to July of 2023 “exploited a zero-day vulnerability in Microsoft Exchange Mail to attack and control the mail server of a major Chinese military enterprise for nearly a year,” according to a Google translation of the statement. They then used that access to steal data, the statement continues."
https://cyberscoop.com/china-accuses-us-of-exploiting-microsoft-zero-day-in-cyberattack/
https://www.theregister.com/2025/08/01/china_us_intel_attacks/
- Threat Actor Uses AI To Create A Better Crypto Wallet Drainer
"Safety's malicious package detection technology has discovered an AI-generated malicious NPM package that functions as a sophisticated cryptocurrency wallet drainer, highlighting how threat actors are leveraging AI to create more convincing and dangerous malware."
https://getsafety.com/blog-posts/threat-actor-uses-ai-to-create-a-better-crypto-wallet-drainer
https://thehackernews.com/2025/08/ai-generated-malicious-npm-package.html
https://securityaffairs.com/180680/malware/malicious-ai-generated-npm-package-hits-solana-users.html
- Before ToolShell: Exploring Storm-2603’s Previous Ransomware Operations
"Check Point Research (CPR) has been closely monitoring the ongoing exploitation of a group of Microsoft SharePoint Server vulnerabilities collectively referred to as “ToolShell.” These active attacks leverage four vulnerabilities—CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, and CVE-2025-53771—and are attributed to multiple China affiliated threat actors. Among the threat groups identified by Microsoft, two are known APTs: Linen Typhoon (aka APT27) and Violet Typhoon (aka APT31). Another group is a newly observed, previously undocumented cluster called Storm-2603. While Microsoft linked this cluster’s activity to potential ransomware deployment, it was unable to assess the group’s objectives."
https://research.checkpoint.com/2025/before-toolshell-exploring-storm-2603s-previous-ransomware-operations/
https://thehackernews.com/2025/08/storm-2603-exploits-sharepoint-flaws-to.html
https://securityaffairs.com/180657/apt/toolshell-under-siege-check-point-analyzes-chinese-apt-storm-2603.html
- Luxembourg Probes Reported Attack On Huawei Tech That Caused Nationwide Telecoms Outage
"Luxembourg’s government announced on Thursday it was formally investigating a nationwide telecommunications outage caused last week by a cyberattack reportedly targeting Huawei equipment inside its national telecoms infrastructure. The outage on July 23 left the country’s 4G and 5G mobile networks unavailable for more than three hours. Officials are concerned that large parts of the population were unable to call the emergency services as the fallback 2G system became overloaded. Internet access and electronic banking services were also inaccessible. According to government statements issued to the country’s parliament, the attack was intentionally disruptive rather than an attempt to compromise the telecoms network that accidentally led to a system failure."
https://therecord.media/luxembourg-telecom-outage-reported-cyberattack-huawei-tech
- New Attack Uses Windows Shortcut Files To Install REMCOS Backdoor
"A new and deceptive multi-stage malware campaign has been identified by the Lat61 Threat Intelligence team at security firm Point Wild. The attack uses a clever technique involving malicious Windows Shortcut, or LNK, files, a simple pointer to a program or file, to deliver a dangerous remote-access trojan (RAT) known as REMCOS. The research, led by Dr. Zulfikar Ramzan, the CTO of Point Wild, and shared with Hackread.com, reveals that the campaign starts with a seemingly harmless shortcut file, possibly attached to an email, with a filename like “ORDINE-DI-ACQUIST-7263535.”"
https://hackread.com/attack-windows-shortcut-files-install-remcos-backdoor/
https://www.pointwild.com/threat-intelligence/trojan-winlnk-powershell-runner
- Plague: A Newly Discovered PAM-Based Backdoor For Linux
"As part of our ongoing threat hunting efforts, we identified a stealthy Linux backdoor that appears to have gone publicly unnoticed so far. We named it Plague. The implant is built as a malicious PAM (Pluggable Authentication Module), enabling attackers to silently bypass system authentication and gain persistent SSH access. What caught our attention: although several variants of this backdoor have been uploaded to VirusTotal over the past year, not a single antivirus engine flags them as malicious (see screenshot). To our knowledge, there are no public reports or detection rules available for this threat, suggesting that it has quietly evaded detection across multiple environments."
https://www.nextron-systems.com/2025/08/01/plague-a-newly-discovered-pam-based-backdoor-for-linux/
https://thehackernews.com/2025/08/new-plague-pam-backdoor-exposes.html
https://securityaffairs.com/180701/malware/new-linux-backdoor-plague-bypasses-auth-via-malicious-pam-module.html
Breaches/Hacks/Leaks
- Pi-Hole Discloses Data Breach Triggered By WordPress Plugin Flaw
"Pi-hole, a popular network-level ad-blocker, has disclosed that donor names and email addresses were exposed through a security vulnerability in the GiveWP WordPress donation plugin. Pi-hole acts as a DNS sinkhole, filtering out unwanted content before it reaches the users' devices. While initially designed to run on Raspberry Pi single-board computers, it now supports various Linux systems on dedicated hardware or virtual machines. The organization stated that they first learned of the incident on Monday, July 28, after donors began reporting that they were receiving suspicious emails at addresses used exclusively for donations."
https://www.bleepingcomputer.com/news/security/pi-hole-discloses-data-breach-via-givewp-wordpress-plugin-flaw/
https://pi-hole.net/blog/2025/07/30/compromised-donor-emails-a-post-mortem/
- Hackers Leak Purported Aeroflot Data As Russia Denies Breach
"Hackers have leaked flight records allegedly belonging to the CEO of the Russian airline Aeroflot following a major cyberattack that grounded flights, as Moscow denies any data breach occurred. Russia’s internet watchdog Roskomnadzor said there was no confirmation that data had been leaked from Aeroflot after the company was hit by a large-scale cyber incident earlier this week that caused mass flight disruptions. “Information about a possible data leak from the company has not been confirmed,” the agency told local media on Thursday, without elaborating."
https://therecord.media/hackers-leak-purported-aeroflot-data
General News
- LLMs' AI-Generated Code Remains Wildly Insecure
"The code generated by large language models (LLMs) has improved some over time — with more modern LLMs producing code that has a greater chance of compiling — but at the same time, it's stagnating in other ways: Security in particular continues to fall short, especially for AI-generated Java code. Aside from introducing vulnerabilities, LLMs remain prone to errors, such as hallucinating software libraries that don't exist, and are susceptible to problems like the malicious poisoning of their datasets. In a study of more than 100 LLMs published this week, application security firm Veracode tested whether AI chatbots could produce code using the correct syntax of four languages, and then scanned the code for vulnerabilities to see if the produced code was secure."
https://www.darkreading.com/application-security/llms-ai-generated-code-wildly-insecure
https://www.veracode.com/wp-content/uploads/2025_GenAI_Code_Security_Report_Final.pdf
https://www.bankinfosecurity.com/ai-still-writing-vulnerable-code-a-29106
- SIEMs: Dying A Slow Death Or Poised For AI Rebirth?
"Infosec professionals generally agree the SIEM market is undergoing a major shakeup — they're just not clear where it's going. In a recent online poll, Dark Reading asked readers about the future of security information and event management (SIEM) platforms in security operations. With more than 1,400 responses, 40% said SIEMs should be folded into extended detection and response (XDR) and endpoint detection and response (EDR) platforms or other security tools, while 35% said the product category still has legs as it incorporates AI and modernizes."
https://www.darkreading.com/cybersecurity-analytics/siems-dying-slow-death-ai-rebirth
- Building The Perfect Post-Security Incident Review Playbook
"In an era where cyber threats are increasingly sophisticated and pervasive, the importance of post-incident security reviews cannot be overstated. Cyberattacks are not only technical failures, but organizational challenges. Conducting post-incident reviews provides an opportunity to analyze the effectiveness of existing security measures, identify weaknesses and implement improvements to prevent future breaches. By learning from past incidents and continuously refining security protocols, organizations can transform cyber crises into catalysts for strengthening their defense mechanisms."
https://www.darkreading.com/cybersecurity-operations/perfect-post-security-incident-review-playbook
- Smart Steps To Keep Your AI Future-Ready
"In this Help Net Security interview, Rohan Sen, Principal, Cyber, Data, and Tech Risk, PwC US, discusses how organizations can design autonomous AI agents with strong governance from day one. As AI becomes more embedded in business ecosystems, overlooking agent-level security can open the door to reputational, operational, and compliance risks."
https://www.helpnetsecurity.com/2025/08/01/rohan-sen-pwc-us-ai-ecosystems-security/
- It’s Time To Sound The Alarm On Water Sector Cybersecurity
"A cyberattack on a water facility can put entire communities and businesses at risk. Even a short disruption in clean water supply can have serious public health and safety consequences, and threat actors know the damage they can cause. Water utilities have been moving away from isolated OT and toward more digitally connected systems that integrate with IT. This shift helps them get more accurate, real-time data. While these technologies improve efficiency and performance, they also open the door to new cyber risks."
https://www.helpnetsecurity.com/2025/08/01/water-sector-cybersecurity-risk/
- Staggering 800% Rise In Infostealer Credential Theft
"Security experts have warned of a huge surge in identity-based attacks, after revealing that 1.8 billion credentials were stolen in the first half of 2025, an 800% increase compared to the previous six months. Flashpoint’s Global Threat Intelligence Index: 2025 Midyear Edition is based on over 3.6 petabytes of data analyzed by the threat intelligence firm. The credentials were stolen from 5.8 million infected hosts and devices, it claimed."
https://www.infosecurity-magazine.com/news/staggering-800-rise-infostealer/
- The Polyworking Gen Z: New Victims Of Cybercrime
"The stereotype of Gen Z as lazy, uncommitted employees averse to hard work, and prone to job-hopping is quite common. But the statistics tell a different story. Nearly half of Zoomers juggle multiple gigs: a full-time job, freelancing, and various side hustles. And cybercriminals have identified these polyworking young professionals as convenient targets. Our experts dug into this trend and uncovered some non-obvious threats. This article explores how Gen Z can navigate their multi-job lifestyles without putting their cybersecurity at risk."
https://www.kaspersky.com/blog/polyworking-genz-scams/54010/
https://www.securityweek.com/gen-z-in-the-crosshairs-cybercriminals-shift-focus-to-young-digital-savvy-workers/
- Top Spy Says LinkedIn Profiles That List Defense Work 'Recklessly Invite Attention Of Foreign Intelligence Services'
"The Director-General of Security at the Australian Security Intelligence Organization (ASIO) has lamented the fact that many people list their work in the intelligence community or on sensitive military projects in their LinkedIn profiles. In a speech delivered on Thursday, Director-General Mike Burgess observed that “Nation states are spying at unprecedented levels, with unprecedented sophistication. ASIO is seeing more Australians targeted – more aggressively – than ever before.” “Foreign intelligence services are proactive, creative and opportunistic in their targeting of current and former defence employees: relentless cyber espionage, in-person targeting and technical collection,” he added, before sharing some examples of their work."
https://www.theregister.com/2025/08/01/asio_espionage_social_media_warning/
- Threat Actor Groups Tracked By Palo Alto Networks Unit 42 (Updated Aug. 1, 2025)
"This article lists selected threat actors tracked by Palo Alto Networks Unit 42, using our specific designators for these groups. We've organized them in alphabetical order of their assigned constellation. The information presented here is a list of threat actors, along with key information like the category of threat actor, industries typically impacted and a summary of the overall threat. We intend this to be a centralized destination for readers to review the breadth of our research on these notable cyber threats. For more information on the attribution process, read about Unit 42’s Attribution Framework."
https://unit42.paloaltonetworks.com/threat-actor-groups-tracked-by-palo-alto-networks-unit-42/
- Are Scattered Spider And ShinyHunters One Group Or Two? And Who Did France Arrest?
"When DataBreaches was a kid, the “new math” they were experimenting with had us learning binary and other systems. It didn’t go over well with us, our teachers, or our parents back then. Now the “new math” for me is UNCs — specifically 6040, 5537, 3944, and 6240."
https://databreaches.net/2025/08/03/are-scattered-spider-and-shinyhunters-one-group-or-two-and-who-did-france-arrest/
References
Electronic Transactions Development Agency (ETDA)