NCSA Webboard

    Cyber Threat Intelligence 08 August 2025

    Cyber Security News
    • NCSA_THAICERT

      Energy Sector

      • Energy Companies Are Blind To Thousands Of Exposed Services
        "Many of America’s largest energy providers are exposed to known and exploitable vulnerabilities, and most security teams may not even see them, according to a new report from SixMap. Researchers assessed the external attack surface of 21 major energy companies, analyzing nearly 40,000 IP addresses and scanning all 65,535 ports per host. The findings paint a picture of persistent risk, blind spots, and outdated tools."
        https://www.helpnetsecurity.com/2025/08/07/us-energy-sector-cybersecurity-vulnerabilities/

      Healthcare Sector

      • Exposed To The Bare Bone: When Private Medical Scans Surface On The Internet
        "You’ve just had an MRI. Naturally, you assume that your results will remain confidential and protected. What happens if there is a vulnerability in the medical system made to aid your doctor with their evaluation and your most sensitive scan, diagnosis, even your personally identifiable information (PII) can be accessed online? New research by European cybersecurity company Modat reveals that misconfigured internet-connected devices are resulting in private information that can be accessed online. Confidential medical images, including MRI scans, X-rays, and even blood work results of hospital patients worldwide, are being exposed online due to cybersecurity vulnerabilities in healthcare networks and devices."
        https://www.modat.io/post/1-million-healthcare-devices-exposed
        https://hackread.com/1-2-million-healthcare-devices-systems-exposed-modat/

      Industrial Sector

      • Delta Electronics DIAView
        "Successful exploitation of this vulnerability may allow a remote attacker to read or write files on the affected device."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-219-01
      • Burk Technology ARC Solo
        "Successful exploitation of this vulnerability could result in an attacker gaining access to the device, locking out authorized users, or disrupting operations."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-219-03
      • Packet Power EMX And EG
        "Successful exploitation of this vulnerability could allow an attacker to gain full access to the device without authentication."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-219-05
      • Dreame Technology iOS And Android Mobile Applications
        "Successful exploitation of this vulnerability could result in unauthorized information disclosure."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-219-06
      • EG4 Electronics EG4 Inverters
        "Successful exploitation of these vulnerabilities could allow an attacker to intercept and manipulate critical data, install malicious firmware, hijack device access, and gain unauthorized control over the system."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-219-07
      • Johnson Controls FX80 And FX90
        "Successful exploitation of this vulnerability could allow an attacker to compromise the device's configuration files."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-219-02
      • Rockwell Automation Arena
        "Successful exploitation of these vulnerabilities could allow an attacker to disclose information and execute arbitrary code."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-219-04
      • Yealink IP Phones And RPS (Redirect And Provisioning Service)
        "Successful exploitation of these vulnerabilities could result in an information disclosure."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-219-08

      Vulnerabilities

      • CISA Issues ED 25-02: Mitigate Microsoft Exchange Vulnerability
        "Today, CISA issued Emergency Directive (ED) 25-02: Mitigate Microsoft Exchange Vulnerability in response to CVE-2025-53786, a vulnerability in Microsoft Exchange server hybrid deployments. ED 25-02 directs all Federal Civilian Executive Branch (FCEB) agencies with Microsoft Exchange hybrid environments to implement required mitigations by 9:00 AM EDT on Monday, August 11, 2025."
        https://www.cisa.gov/news-events/alerts/2025/08/07/cisa-issues-ed-25-02-mitigate-microsoft-exchange-vulnerability
        https://www.cisa.gov/news-events/directives/ed-25-02-mitigate-microsoft-exchange-vulnerability
        https://www.bleepingcomputer.com/news/security/cisa-orders-fed-agencies-to-patch-new-cve-2025-53786-exchange-flaw/
        https://www.bankinfosecurity.com/microsoft-warns-hybrid-exchange-deployment-flaw-a-29147
        https://cyberscoop.com/cisa-microsoft-exchange-vulnerability/
        https://www.theregister.com/2025/08/07/microsoft_cisa_warn_yet_another/
      • SonicWall Confirms Patched Vulnerability Behind Recent VPN Attacks, Not a Zero-Day
        "SonicWall has revealed that the recent spike in activity targeting its Gen 7 and newer firewalls with SSL VPN enabled is related to an older, now-patched bug and password reuse. "We now have high confidence that the recent SSL VPN activity is not connected to a zero-day vulnerability," the company said. "Instead, there is a significant correlation with threat activity related to CVE-2024-40766." CVE-2024-40766 (CVSS score: 9.3) was first disclosed by SonicWall in August 2024, calling it an improper access control issue that could allow malicious actors unauthorized access to the devices."
        https://thehackernews.com/2025/08/sonicwall-confirms-patched.html
        https://www.bleepingcomputer.com/news/security/sonicwall-finds-no-sslvpn-zero-day-links-ransomware-attacks-to-2024-flaw/
        https://www.infosecurity-magazine.com/news/sonicwall-attacks-legacy-bug/
        https://www.helpnetsecurity.com/2025/08/07/sonicwall-gen-7-firewalls-exploit-vulnerability/
        https://www.securityweek.com/sonicwall-says-recent-attacks-dont-involve-zero-day-vulnerability/

      Malware

      • Invitation Is All You Need: Invoking Gemini For Workspace Agents With a Simple Google Calendar Invite
        "Over the last two years, various systems and applications have been integrated with generative artificial intelligence (gen AI) capabilities, turning regular applications into gen-AI powered applications. In addition, retrieval augmented generation (RAG)-which is the process of connecting gen-AI and large language models (LLMs) to external knowledge sources-and other agents have been incorporated into such systems, making them more effective, accurate, and updated."
        https://www.safebreach.com/blog/invitation-is-all-you-need-hacking-gemini/
        https://hackread.com/promptware-attack-hijack-gemini-ai-google-calendar-invite/
      • CVE-2025-32094: HTTP Request Smuggling Via OPTIONS + Obsolete Line Folding
        "In March 2025, Akamai received a bug bounty report identifying an HTTP Request Smuggling vulnerability. We quickly resolved the issue for all customers via a platform-wide fix with no evidence of any successful exploitation of the attack vector known to us. We provided our customers with regular updates about this vulnerability; however, as per our agreement with the bug bounty reporter, James Kettle from PortSwigger, we delayed sharing the full details publicly to align with the reporter's plans for publication of related research at BlackHat 2025."
        https://www.akamai.com/blog/security/2025/aug/cve-2025-32094-http-request-smuggling
        https://www.securityweek.com/new-http-request-smuggling-attacks-impacted-cdns-major-orgs-millions-of-websites/
      • New Infection Chain And ConfuserEx-Based Obfuscation For DarkCloud Stealer
        "Unit 42 researchers recently observed a shift in the delivery method in the distribution of DarkCloud Stealer and the obfuscation techniques used to complicate analysis. First seen in early April 2025, these new methods and techniques include an additional infection chain for DarkCloud Stealer. This chain involves obfuscation by ConfuserEx and a final payload written in Visual Basic 6 (VB6)."
        https://unit42.paloaltonetworks.com/new-darkcloud-stealer-infection-chain/
      • Facebook Users Targeted In ‘login’ Phish
        "A few weeks ago we warned our readers of a phishing campaign targeting Instagram users that didn’t resort to the usual links to phishing websites, but used mailto: links instead. Now, it seems that these scammers have turned their attention to Facebook users. It works like this: The target receives an email saying that your Facebook account was logged into from a new device. Even though the subject line says “We’ve Received a request to Reset your password for Facebook Account !”"
        https://www.malwarebytes.com/blog/news/2025/08/facebook-users-targeted-in-login-phish
      • Shared Secret: EDR Killer In The Kill Chain
        "In today’s multi-stage attacks, neutralizing endpoint security solutions is a critical step in the process, allowing threat actors to operate undetected. Since 2022, we’ve seen an increase in the sophistication of malware designed to disable EDR systems on an infected system. Some of these tools are developed by ransomware groups. Others are purchased from underground marketplaces – evidence of this was found in the leaked chat logs of the Black Basta group. In many cases, packer-as-a-service offerings such as HeartCrypt are used to obfuscate the tools."
        https://news.sophos.com/en-us/2025/08/06/shared-secret-edr-killer-in-the-kill-chain/
        https://www.bleepingcomputer.com/news/security/new-edr-killer-tool-used-by-eight-different-ransomware-groups/
      • GreedyBear: 650 Attack Tools, One Coordinated Campaign
        "What happens when cybercriminals stop thinking small and start thinking like a Fortune 500 company? You get GreedyBear, the attack group that just redefined industrial-scale crypto theft. 150 weaponized Firefox extensions. Nearly 500 malicious executables. Dozens of phishing websites. One coordinated attack infrastructure. According to user reports, over $1 million stolen."
        https://blog.koi.security/greedy-bear-massive-crypto-wallet-attack-spans-across-multiple-vectors-3e8628831a05
        https://www.bleepingcomputer.com/news/security/wave-of-150-crypto-draining-extensions-hits-firefox-add-on-store/
      • Malicious Npm Packages Target WhatsApp Developers With Remote Kill Switch
        "Socket's Threat Research Team discovered two malicious npm packages specifically targeting developers building WhatsApp API integrations with a remote-controlled destruction mechanism. Published by npm user nayflore using email idzzcch@gmail[.]com, both naya-flore and nvlore-hsc masquerade as WhatsApp socket libraries while implementing a phone number-based kill switch that can remotely wipe developers' systems. The packages have accumulated over 1,110 downloads in a month and remain active on the npm registry. We have submitted takedown requests to the npm security team and petitioned for the suspension of the associated account."
        https://socket.dev/blog/malicious-npm-packages-target-whatsapp-developers-with-remote-kill-switch
        https://www.bleepingcomputer.com/news/security/fake-whatsapp-developer-libraries-hide-destructive-data-wiping-code/
      • Unveiling a New Variant Of The DarkCloud Campaign
        "In early July 2025, a new DarkCloud campaign was observed in the wild by Fortinet’s FortiGuard Labs team. It began with a phishing email containing an attached RAR archive. I subsequently investigated this campaign and conducted a step-by-step analysis. DarkCloud is a known stealthy Windows-based information-stealer malware that was first identified in 2022. It is designed to steal sensitive information from the victim’s computer, including saved login credentials, financial data, contacts, and more."
        https://www.fortinet.com/blog/threat-research/unveiling-a-new-variant-of-the-darkcloud-campaign
      • Adult Sites Trick Users Into Liking Facebook Posts Using a Clickjack Trojan
        "As the use of age verification to access adult websites increases in various countries around the world, shady websites with adult content have started a timely malware-fueled campaign to promote links to their own websites. During our daily rounds on Facebook, looking for the latest scams, we noticed something odd about some posts pointing to adult websites. We found that several of the sites promoted in this way were hosted on blogspot[.]com, and that these sites linked to other similar sites."
        https://www.malwarebytes.com/blog/news/2025/08/adult-sites-trick-users-into-liking-facebook-posts-using-a-clickjack-trojan
      • Unmasking SocGholish: Silent Push Untangles The Malware Web Behind The “Pioneer Of Fake Updates” And Its Operator, TA569
        "Silent Push Threat Analysts have been rigorously tracking SocGholish and its operators, TA569, since 2024. This evolving threat most commonly masquerades as legitimate software updates, fooling users into unknowingly compromising their systems. The core of their operation is a sophisticated Malware-as-a-Service (MaaS) model, where infected systems are sold as initial access points to other cybercriminal organizations."
        https://www.silentpush.com/blog/socgholish/
        https://thehackernews.com/2025/08/socgholish-malware-spread-via-ad-tools.html
      • 11 Malicious Go Packages Distribute Obfuscated Remote Payloads
        "Socket’s Threat Research Team uncovered eleven malicious Go packages, ten of which are still live on the Go Module and eight of which are typosquats, that conceal an identical index-based string obfuscation routine. At runtime the code silently spawns a shell, pulls a second-stage payload from an interchangeable set of .icu and .tech command and control (C2) endpoints, and executes it in memory. Most of the C2 endpoints share the path /storage/de373d0df/a31546bf, and six of the ten URLs are still reachable, giving the threat actor on-demand access to any developer or CI system that imports the packages."
        https://socket.dev/blog/11-malicious-go-packages-distribute-obfuscated-remote-payloads
        https://thehackernews.com/2025/08/malicious-go-npm-packages-deliver-cross.html
      • Silver Fox APT Blurs The Line Between Espionage & Cybercrime
        "A Chinese threat actor has been performing both intelligence-oriented and financially motivated attacks against a wide variety of primarily Chinese-speaking organizations. Compared to most, Silver Fox has a wide span of tactics, techniques, and procedures (TTPs) at its disposal. It might gain initial access to victims by impersonating major organizations in phishing emails with malicious attachments. Or it will spread fake applications, or Trojanized versions of legitimate applications, through Telegram channels or websites boosted by search engine optimization (SEO) poisoning. Post-compromise, you can expect a remote access Trojan (RAT), such as ValleyRAT, Winos 4.0, or Gh0stCringe or the HoldingHands RAT, two variants of Gh0st RAT. Or, perhaps, there'll be a keylogger waiting for you, with a cryptominer using your machine resources to earn money."
        https://www.darkreading.com/threat-intelligence/silver-fox-apt-espionage-cybercrime

      Breaches/Hacks/Leaks

      • Cyberattack Hits France’s Third-Largest Mobile Operator, Millions Of Customers Affected
        "Bouygues Telecom, one of France’s largest telecom companies and its third-largest mobile operator, announced on Wednesday being hit by a cyberattack that compromised the data of millions of customers. The nature of the attack was not disclosed, and the company said the “situation was resolved as quickly as possible” by its technical teams, and that “all necessary measures were put in place.” According to its corporate statement, the attack “allowed unauthorized access to certain personal data from 6.4 million customer accounts.”"
        https://therecord.media/bouygues-telecom-france-cyberattack-data-breach
        https://www.bleepingcomputer.com/news/security/bouygues-telecom-confirms-data-breach-impacting-64-million-customers/

      General News

      • Beyond PQC: Building Adaptive Security Programs For The Unknown
        "In this Help Net Security interview, Jordan Avnaim, CISO at Entrust, discusses how to communicate the quantum computing threat to executive teams using a risk-based approach. He explains why post-quantum cryptography (PQC) is an urgent and long-term priority. Avnaim also outlines practical steps CISOs can take to build crypto agility and maintain digital trust."
        https://www.helpnetsecurity.com/2025/08/07/jordan-avnaim-entrust-pqc-trust/
      • Cybercriminals Are Getting Personal, And It’s Working
        "Cybercriminals are deploying unidentifiable phishing kits (58% of phishing sites) to propagate malicious campaigns at scale, indicating a trend towards custom-made or obfuscated deployments, according to VIPRE Security. These phishing kits can’t easily be reverse-engineered, tracked, or caught. AI makes them affordable, too. Among the most prevalent are Evilginx (20%), Tycoon 2FA (10%), 16shop (7%), with another 5% attributed to other generic kits."
        https://www.helpnetsecurity.com/2025/08/07/email-attacks-q2-2025/
      • Cryptomixer Founders Pled Guilty To Laundering Money For Cybercriminals
        "The founders of the Samourai Wallet (Samourai) cryptocurrency mixer have pleaded guilty to laundering over $200 million for criminals. Samourai CEO Keonne Rodriguez and CTO William Lonergan Hill admitted to their involvement in the Samourai money laundering operation, pleading guilty to conspiracy for operating a money transmitting business that handled criminal proceeds, and are now facing a maximum sentence of five years in prison. As part of their plea agreements, Rodriguez and Hill have also agreed to forfeit $237,832,360.55."
        https://www.bleepingcomputer.com/news/security/samourai-cryptomixer-founders-pled-guilty-to-laundering-money-for-cybercriminals/
        https://www.darkreading.com/threat-intelligence/cryptomixer-founders-guilty-money-laundering
      • The AI-Powered Security Shift: What 2025 Is Teaching Us About Cloud Defense
        "Now that we are well into 2025, cloud attacks are evolving faster than ever and artificial intelligence (AI) is both a weapon and a shield. As AI rapidly changes how enterprises innovate, security teams are now tasked with a triple burden:"
        https://thehackernews.com/2025/08/the-ai-powered-security-shift-what-2025.html
      • The Critical Flaw In CVE Scoring
        "Today's software supply chain is under relentless pressure, as new vulnerabilities emerge at a record pace. In 2024 alone, more than 33,000 new Common Vulnerabilities and Exposures (CVEs) were reported. This sheer volume of threats has left security teams and developers stretched thin as they're forced to triage which threats require immediate action, all while juggling their core responsibilities. While many of these vulnerabilities may seem critical on paper, taking a closer look often reveals a different story. In fact, recent research found that only 12% of these CVEs deemed "critical" by government organizations truly warranted such a severity rating."
        https://www.darkreading.com/vulnerabilities-threats/critical-flaw-cve-scoring

      References
      Electronic Transactions Development Agency (ETDA)
