Cyber Threat Intelligence 11 August 2025

NCSA_THAICERT

Vulnerabilities

WinRAR Zero-Day Exploited To Plant Malware On Archive Extraction
"A recently fixed WinRAR vulnerability tracked as CVE-2025-8088 was exploited as a zero-day in phishing attacks to install the RomCom malware. The flaw is a directory traversal vulnerability that was fixed in WinRAR 7.13, which allows specially crafted archives to extract files into a file path selected by the attacker. "When extracting a file, previous versions of WinRAR, Windows versions of RAR, UnRAR, portable UnRAR source code and UnRAR.dll can be tricked into using a path, defined in a specially crafted archive, instead of user specified path," reads the WinRAR 7.13 changelog."
https://www.bleepingcomputer.com/news/security/winrar-zero-day-flaw-exploited-by-romcom-hackers-in-phishing-attacks/
https://www.win-rar.com/singlenewsview.html?&L=0&tx_ttnews[tt_news]=283&cHash=a64b4a8f662d3639dec8d65f47bc93c5
https://securityaffairs.com/180967/hacking/phishing-attacks-exploit-winrar-flaw-cve-2025-8088-to-install-romcom.html
https://hackread.com/winrar-zero-day-cve-2025-8088-spread-romcom-malware/
Command Injection In Jenkins Via Git Parameter (CVE-2025-53652)
"On July 9, Jenkins disclosed CVE-2025-53652 (aka SECURITY-34191), one of 31 plugin vulnerabilities announced that day. The vulnerability, affecting the Git Parameter plugin, was assigned a medium severity, and described as allowing attackers to "inject arbitrary values in Git parameters". That read to us as a parameter injection issue, something often dismissed as low-impact. But this involved Git, and Git is not your average binary. It’s a well-known and versatile GTFObin2. We suspected that we could turn the parameter injection into remote code execution. Given the opportunity to do some GTFObin golfing, and with the plugin’s sizable install base, we decided to dig deeper."
https://www.vulncheck.com/blog/git-parameter-rce
https://hackread.com/jenkins-servers-risk-rce-vulnerability-cve-2025-53652/
Free Wi-Fi Leaves Buses Vulnerable To Remote Hacking
"Researchers demonstrated that smart buses, the transportation vehicles that incorporate various systems to improve safety, efficiency, and passenger experience, can be remotely hacked. The findings were described on Friday at the DEF CON hacker convention by Chiao-Lin ‘Steven Meow’ Yu of Trend Micro Taiwan and Kai-Ching ‘Keniver’ Wang of CHT Security, a Taiwan-based MSSP. The researchers started digging into the cybersecurity of smart buses after noticing that free Wi-Fi was available for passengers."
https://www.securityweek.com/free-wi-fi-leaves-buses-vulnerable-to-remote-hacking/
BadCam: Now Weaponizing Linux Webcams
"Eclypsium researchers have discovered vulnerabilities in USB webcams that allow attackers to turn them into BadUSB attack tools. This allows remote attackers to inject keystrokes covertly and launch attacks independent of the host operating system. Principal security researchers Jesse Michael and Mickey Shkatov presented this research at DEF CON 2025."
https://eclypsium.com/blog/badcam-now-weaponizing-linux-webcams/
https://thehackernews.com/2025/08/linux-based-lenovo-webcams-flaw-can-be.html
https://securityaffairs.com/181005/hacking/badcam-linux-based-lenovo-webcam-bugs-enable-badusb-attacks.html
Researchers Uncover GPT-5 Jailbreak And Zero-Click AI Agent Attacks Exposing Cloud And IoT Systems
"Cybersecurity researchers have uncovered a jailbreak technique to bypass ethical guardrails erected by OpenAI in its latest large language model (LLM) GPT-5 and produce illicit instructions. Generative artificial intelligence (AI) security platform NeuralTrust said it combined a known technique called Echo Chamber with narrative-driven steering to trick the model into producing undesirable responses. "We use Echo Chamber to seed and reinforce a subtly poisonous conversational context, then guide the model with low-salience storytelling that avoids explicit intent signaling," security researcher Martí Jordà said. "This combination nudges the model toward the objective while minimizing triggerable refusal cues.""
https://thehackernews.com/2025/08/researchers-uncover-gpt-5-jailbreak-and.html
https://neuraltrust.ai/blog/gpt-5-jailbreak-with-echo-chamber-and-storytelling
AgentFlayer: ChatGPT Connectors 0click Attack
"Recently OpenAI added a new feature to ChatGPT called Connectors. Connectors let ChatGPT connect to third-party applications such as Google Drive, Sharepoint, Github, and more. Now your trustworthy AI companion can search files, pull live data, and give answers which are grounded in your personal business context. Let’s think of an example. Does your company’s HR upload all their manuals and guidelines to a specific Sharepoint site? Now, instead of scrolling through mountains of documents you can simply connect it to ChatGPT, ask what you want to know, and ChatGPT will give you the precise answer you were looking for immediately."
https://labs.zenity.io/p/agentflayer-chatgpt-connectors-0click-attack-5b41
https://hackread.com/agentflayer-0-click-exploit-chatgpt-connectors-steal-data/
New Win-DDoS Flaws Let Attackers Turn Public Domain Controllers Into DDoS Botnet Via RPC, LDAP
"A novel attack technique could be weaponized to rope thousands of public domain controllers (DCs) around the world to create a malicious botnet and use it to conduct power distributed denial-of-service (DDoS) attacks. The approach has been codenamed Win-DDoS by SafeBreach researchers Or Yair and Shahak Morag, who presented their findings at the DEF CON 33 security conference today. "As we explored the intricacies of the Windows LDAP client code, we discovered a significant flaw that allowed us to manipulate the URL referral process to point DCs at a victim server to overwhelm it," Yair and Morag said in a report shared with The Hacker News."
https://thehackernews.com/2025/08/new-win-ddos-flaws-let-attackers-turn.html
Researchers Detail Windows EPM Poisoning Exploit Chain Leading To Domain Privilege Escalation
"Cybersecurity researchers have presented new findings related to a now-patched security issue in Microsoft's Windows Remote Procedure Call (RPC) communication protocol that could be abused by an attacker to conduct spoofing attacks and impersonate a known server. The vulnerability, tracked as CVE-2025-49760 (CVSS score: 3.5), has been described by the tech giant as a Windows Storage spoofing bug. It was fixed in July 2025 as part of its monthly Patch Tuesday update. Details of the security defect were shared by SafeBreach researcher Ron Ben Yizhak at the DEF CON 33 security conference this week."
https://thehackernews.com/2025/08/researchers-detail-windows-epm.html

Malware

Data Dump From APT Actor Yields Clues To Attacker Capabilities
"In what may be biggest breach of a cyberthreat actor since last year's leak of documents from Chinese firm iSoon, a pair of hackers with unknown motives compromised and stole data from a nation-state operator who appears to work for China, and possibly, North Korea. In an analysis published in the latest issue of Phrack magazine handed out at the DEF CON conference in Las Vegas, the hackers — identified only as Saber and cyb0rg — claimed to have stolen data both from a virtual workstation and virtual private server (VPS) used by the APT operator."
https://www.darkreading.com/threat-intelligence/data-dump-apt-actor-attacker-capabilities
60 Malicious Ruby Gems Used In Targeted Credential Theft Campaign
"Socket’s Threat Research Team has uncovered a long-running supply chain attack in the RubyGems ecosystem. Since at least March 2023, a threat actor using the aliases zon, nowon, kwonsoonje, and soonje has published 60 malicious gems posing as automation tools for Instagram, Twitter/X, TikTok, WordPress, Telegram, Kakao, and Naver. These gems deliver their advertised functionality, such as bulk posting or engagement, but covertly exfiltrate credentials (usernames and passwords) to threat actor-controlled infrastructure, which classifies them as infostealer malware."
https://socket.dev/blog/60-malicious-ruby-gems-used-in-targeted-credential-theft-campaign
https://thehackernews.com/2025/08/rubygems-pypi-hit-by-malicious-packages.html
https://www.darkreading.com/threat-intelligence/60-rubygems-packages-steal-spammers
https://www.bleepingcomputer.com/news/security/60-malicious-ruby-gems-downloaded-275-000-times-steal-credentials/
Scammers Mass-Mailing The Efimer Trojan To Steal Crypto
"In June, we encountered a mass mailing campaign impersonating lawyers from a major company. These emails falsely claimed the recipient’s domain name infringed on the sender’s rights. The messages contained the Efimer malicious script, designed to steal cryptocurrency. This script also includes additional functionality that helps attackers spread it further by compromising WordPress sites and hosting malicious files there, among other techniques."
https://securelist.com/efimer-trojan/117148/
Help Desk At Risk: Scattered Spider Shines Light On Overlook Threat Vector
"In recent months, headlines have been dominated by the cybercrime collective known as Scattered Spider, also referred to as UNC3944, Scattered Swine, Octo Tempest, Storm-0875, and Muddled Libra. This loosely but highly organized group has launched a wave of attacks targeting retailers, insurers, and, most recently, airlines across multiple countries. Although British authorities arrested four suspects in July 2025, which led to a noticeable slowdown in activity, this may only be temporary. Scattered Spider is not a monolithic, state-sponsored operation. Rather, it is a decentralized collective, often composed of teenagers and young men emerging from online communities. The group first made headlines in 2023 with high-profile attacks on casino giants like MGM Resorts. Despite the consistency and visibility of their tactics, many organizations have failed to adequately strengthen their defenses. This raises the question: why have so few taken decisive actions to counter these persistent threats?"
https://www.securityweek.com/help-desk-at-risk-scattered-spider-shines-light-on-overlook-threat-vector/
ScarCruft’s New Language: Whispering In PubNub, Crafting Backdoor In Rust, Striking With Ransomware
"S2W’s Threat Intelligence Center, TALON, has released a detailed analysis report on a new malware campaign conducted by the ScarCruft group. This high-level threat intelligence report offers an in-depth examination of ScarCruft’s tactical evolution, focusing on a malware infection chain disguised as a postal-code update notice, as well as the group’s adoption of Rust-based backdoors and ransomware deployment."
https://s2w.inc/en/resource/detail/899
https://therecord.media/scarcruft-north-korea-hackers-add-ransomware
Attackers Target The Foundations Of Crypto: Smart Contracts
"While exploitation of security flaws in many smart contracts have become a perennial target of cyberattackers, more security firms are shining a spotlight on scams that use fraudulent or obfuscated smart contracts as a way to siphon off funds from cryptocurrency accounts. In the latest notable attack, one scammer stole more than $900,000 from victims looking to make money off of trading arbitrage by hiding transfer details in a smart contract, obfuscating it from non-tech-savvy users, according to an analysis published this week by cybersecurity firm SentinelOne."
https://www.darkreading.com/cyber-risk/attackers-target-crypto-smart-contracts
ReVault! When Your SoC Turns Against You… Deep Dive Edition
"For a high-level overview of this research, you can refer to our Vulnerability Spotlight. This is the in-depth version that shares many more technical details. In this post, we’ll be covering the entire research process as well as providing technical explanations of the exploits behind the attack scenarios. Dell ControlVault is “a hardware-based security solution that provides a secure bank that stores your passwords, biometric templates, and security codes within the firmware.” A daughter board provides this functionality and performs these security features in firmware. Dell refers to the daughter board as a Unified Security Hub (USH), as it is used as a hub to run ControlVault (CV), connecting various security peripherals such as a fingerprint reader, smart card reader and NFC reader."
https://blog.talosintelligence.com/revault-when-your-soc-turns-against-you-2/
Scattered Spider Has a New Telegram Channel To List Its Attacks
"Commenters on reading the new Telegram channel call it “schizo,” “complete chaos,” and “insane.” DataBreaches would just call it “overwhelming.” A new Telegram channel appeared on Friday afternoon with a name conflating three groups: Shiny Hunters, Scattered Spider, and Lapsus$. How long it will last before it gets banned remains to be seen, but in less than 24 hours, it has already revealed numerous breaches, proof of claims, and data. Unlike some leak/sales channels that provide a quick statement about a breach and then leak the data or post a sales link, initial posts on the channel were a mix of partial leaks, posts saying “HMU” (“hit me up”) if people were interested in buying the data, memes, commentary, and threats."
https://databreaches.net/2025/08/09/scattered-spider-has-a-new-telegram-channel-to-list-its-attacks/

Breaches/Hacks/Leaks

U.S. Judiciary Confirms Breach Of Court Electronic Records Service
"The U.S. Federal Judiciary confirms that it suffered a cyberattack on its electronic case management systems hosting confidential court documents and is strengthening cybersecurity measures. The organization stated that, while most documents in the system are public, certain sealed filings contain sensitive information that is now protected with stricter access controls aimed at blocking hackers. "The federal Judiciary is taking additional steps to strengthen protections for sensitive case documents in response to recent escalated cyberattacks of a sophisticated and persistent nature on its case management system," reads the announcement."
https://www.bleepingcomputer.com/news/security/us-judiciary-confirms-breach-of-court-electronic-records-service/
https://therecord.media/federal-judiciary-tightens-digital-security-escalated-cyberattack
https://www.infosecurity-magazine.com/news/us-judiciary-security-cyber-attacks/
Columbia University Data Breach Impacts Nearly 870,000 Individuals
"An unknown threat actor has stolen the sensitive personal, financial, and health information of nearly 870,000 Columbia University current and former students and employees after breaching the university's network in May. Established in 1767 as King's College, Columbia University is a private Ivy League research university with a budget of $6.6 billion in 2024, over 20,000 employees, including 4,700 academic staff, and over 35,000 enrolled students across 19 schools and special programs. The breach was discovered and reported to law enforcement authorities following an outage that affected some of its systems on June 24, following an investigation with support from external cybersecurity experts."
https://www.bleepingcomputer.com/news/security/columbia-university-data-breach-impacts-nearly-870-000-students-applicants-employees/
https://therecord.media/columbia-university-data-breach-cyberattack-notifications
https://www.darkreading.com/cyberattacks-data-breaches/columbia-university-data-breach
https://www.securityweek.com/columbia-university-data-breach-impacts-860000/
https://securityaffairs.com/180948/data-breach/columbia-university-data-breach-impacted-868969-people.html
ShinyHunters Sent Google An Extortion Demand; Shiny Comments On Current Activities
"Yesterday morning, DataBreaches woke up to a message on Telegram: Even the NSA can’t stop or identify us anymore. The FBI and everyone else is irrelevant and incompetent as far as we’re concerned :). When DataBreaches asked ShinyHunters if anything in particular had inspired that statement, “Shiny1” responded: I heard the NSA is investigating and analyzing voice call recordings from companies who were affected and attempts by us. The companies that are receiving SE calls are Scattered Spider then providing us the access to dump these companies if successful."
https://databreaches.net/2025/08/08/shinyhunters-sent-google-an-extortion-demand-shiny-comments-on-current-activities/

General News

False Alarm, Real Scam: How Scammers Are Stealing Older Adults’ Life Savings
"Reports to the FTC show a growing wave of scams aimed squarely at retirees’ life savings. These scammers pretend to be from known and trusted government agencies and businesses. And, in an ironic twist, recent scams use fake security alerts and other false alarms to prey on older adults’ vigilance about protecting their money and identity to steal from them.[1] Some people 60+ have reported emptying their bank accounts and even clearing out their 401ks."
https://www.ftc.gov/news-events/data-visualizations/data-spotlight/2025/08/false-alarm-real-scam-how-scammers-are-stealing-older-adults-life-savings
https://www.bleepingcomputer.com/news/security/ftc-older-adults-lost-record-700-million-to-scammers-in-2024/
ICE Washington, D.C. Leads International Takedown Of BlackSuit Ransomware Infrastructure
"ICE’s Homeland Security Investigations, in close coordination with U.S. and international law enforcement partners, has successfully dismantled critical infrastructure used by BlackSuit ransomware, a major cybercriminal operation and successor to Royal ransomware, responsible for attacks on essential services around the world. The operation resulted in the seizures of servers, domains and digital assets used to deploy ransomware, extort victims, and launder proceeds."
https://www.ice.gov/news/releases/ice-washington-dc-leads-international-takedown-blacksuit-ransomware-infrastructure
https://therecord.media/us-confirms-blacksuit-takedown
https://www.bleepingcomputer.com/news/security/royal-and-blacksuit-ransomware-gangs-hit-over-450-us-companies/
https://cyberscoop.com/blacksuit-royal-ransomware-450-us-victims/
The Alarming Surge In Compromised Credentials In 2025
"One of the most pressing cyber threats businesses face today is the rampant rise in compromised credentials. Data from Check Point External Risk Management (previously known as Cyberint), reveals a staggering 160% increase in compromised credentials so far in 2025 compared to 2024. This isn’t just a statistic; it’s a direct threat to your organization’s security. Late last year, we reported 14,000 cases in just 1 month where our customers’ employee credentials, even those adhering to company password policies, were exposed in data breaches – a clear indicator of real and present risk."
https://blog.checkpoint.com/security/the-alarming-surge-in-compromised-credentials-in-2025/
Microsoft: An Organization Without a Response Plan Will Be Hit Harder By a Security Incident
"Businesses that don’t treat security with the gravity it requires — exhibited by lackluster or nonexistent preparation, planning and exercise in the event of a cyberattack — typically suffer longer and unnecessarily, Microsoft threat intelligence, hunting and response leaders said Thursday at Black Hat. In the best- case scenarios in the wake of an attack, professionals across the impacted organization know their roles and responsibilities, said Aarti Borkar, corporate vice president of security customer success at Microsoft. “They know the moving parts. They know what their policies are. They know who to call in the middle of the night and wake them up, because incidents don’t happen on a Wednesday afternoon,” she said."
https://cyberscoop.com/microsoft-threat-intel-response-tips/
Research Reveals Possible Privacy Gaps In Apple Intelligence’s Data Handling
"One of the big worries during the generative AI boom is where exactly data is traveling when users enter queries or commands into the system. According to new research, those worries may also extend to one of the world’s most popular consumer technology companies. Apple’s artificial intelligence ecosystem, known as Apple Intelligence, routinely transmits sensitive user data to company servers beyond what its privacy policies indicate, according to Israeli cybersecurity firm Lumia Security."
https://cyberscoop.com/apple-intelligence-privacy-siri-whatsapp-lumia-security-black-hat-2025/
Who Are The Top Ransomware Threat Actors Of H1 2025
"If the first half of 2025 taught us anything, it’s that ransomware isn’t just back — it’s bigger, smarter, and far more coordinated. And at the heart of this surge, three names rose to the top. Together, they accounted for over a third of all reported ransomware attacks globally – more than 1,000 incidents. No sector was safe. No region is untouched. These threat actors are no longer operating in the dark shadows — they’re orchestrating global disruptions with surgical precision."
https://cyble.com/blog/top-ransomware-threat-actors-h1-2025/
https://cyble.com/resources/research-reports/global-threat-landscape-report-h1-2025/
Ransomware Attacks Fall By Almost Half In Q2
"Despite a record-breaking start to the year, June was the fourth month in a row in which ransomware attacks dropped globally, declining by 6% with 371 cases. Q2 as a whole experienced a 43% decline from Q1 due to seasonal slowdowns such as Easter and Ramadan, and increased law enforcement disruption of key operators. However, the decline created space for new threat actors to exploit global instability and, looking ahead to Q3, we can expect disrupted groups to return in collaboration with social engineering actors, conducting more advanced attacks."
https://www.darkreading.com/cyberattacks-data-breaches/ransomware-attacks-fall-almost-half-q2
Redefining The Role: What Makes a CISO Great
"Being a chief information security officer (CISO) today is a balancing act of strategic leadership, financial literacy, technical expertise, and human connection, regardless of whether a company has 100 employees or 100,000. The role is no longer about defending the perimeter, it's about driving the business forward with resiliency while managing risk with clarity, courage, and strategic intent. After years in the trenches, here's what I've learned about what it really takes to be an effective CISO. Everybody has a different journey, and every company is different. You may not need any of these tips, or you might get insights from all of them."
https://www.darkreading.com/cybersecurity-operations/redefining-role-ciso-great
From Fake CAPTCHAs To RATs: Inside 2025’s Cyber Deception Threat Trends
"Cybercriminals are getting better at lying. That’s the takeaway from a new LevelBlue report, which outlines how attackers are using social engineering and legitimate tools to quietly move through environments before they’re caught. In that short window, the number of customers affected by security incidents nearly tripled. The rate jumped from 6 percent in late 2024 to 17 percent in early 2025. More than half of those incidents began at the initial access stage. Once attackers were in, they moved quickly. The average time between compromise and lateral movement fell below 60 minutes. In some cases, it took less than 15."
https://www.helpnetsecurity.com/2025/08/08/cyber-deception-threat-trends-2025/
Fraud Controls Don’t Guarantee Consumer Trust
"Over a third of companies say they are using AI, including generative AI, to fight fraud, according to Experian. As fraud threats become more complex, companies are accelerating their investments with over half adopting new analytics and building AI models to enhance customer decision-making."
https://www.helpnetsecurity.com/2025/08/08/fraud-threats-become-more-complex/
The Gig Economy Of Cybercrime
"You’ve probably heard the term ‘gig economy,’ which refers to a labor market characterized by short-term jobs, or gigs. These gigs are project-based and arranged through digital platforms or informal networks. Workers take on assignments as needed, much like a designer might pick up a job through Fiverrr or Freelancer. A gig economy is built on agility, specialization and on-demand collaboration, and it’s working really well for the threat actors running ransomware and other criminal operations."
https://blog.barracuda.com/2025/08/08/the-gig-economy-of-cybercrime
Leaked Credentials Up 160%: What Attackers Are Doing With Them
"When an organization's credentials are leaked, the immediate consequences are rarely visible—but the long-term impact is far-reaching. Far from the cloak-and-dagger tactics seen in fiction, many real-world cyber breaches begin with something deceptively simple: a username and password. According to Verizon's 2025 Data Breach Investigations Report, leaked credentials accounted for 22% of breaches in 2024, outpacing phishing and even software exploitation. That's nearly a quarter of all incidents, initiated not through zero-days or advanced persistent threats, but by logging in through the front door."
https://thehackernews.com/2025/08/leaked-credentials-up-160-what.html
https://l.cyberint.com/leaked-credentials
Embargo Ransomware Gang Has Handled At Least $34 Million In About a Year, Report Says
"A cybercrime group that could be a successor to the BlackCat/Alphv ransomware operation is associated with about $34.2 million in cryptocurrency transactions since popping up in mid-2024, researchers said Friday. Blockchain intelligence company TRM Labs said the Embargo ransomware gang appears to be “well resourced and technically capable,” and its activity over such a short span underscores “the group’s growing financial footprint in the ransomware ecosystem.”"
https://therecord.media/embargo-ransomware-gang-blackcat-alphv-successor
https://securityaffairs.com/180981/cyber-crime/embargo-ransomware-nets-34-2m-in-crypto-since-april-2024.html
CISA Pledges To Continue Backing CVE Program After April Funding Fiasco
"Federal officials pledged Thursday to continue their stewardship of the CVE Program — which catalogs all public cybersecurity vulnerabilities — after a funding dispute in April led to industry concern about the effort’s future. At the Black Hat cybersecurity conference in Las Vegas, two leaders from the Cybersecurity and Infrastructure Security Agency (CISA) were asked about the CVE Program’s future — which was thrown into doubt amid a flurry of high-profile cybersecurity contract cancellations following President Donald Trump’s inauguration."
https://therecord.media/cisa-pledges-support-cve-program-black-hat

อ้างอิง
Electronic Transactions Development Agency(ETDA)