NCSA Webboard

    Cyber Threat Intelligence 15 August 2025

    Cyber Security News
    • NCSA_THAICERT

      Financial Sector

      • July 2025 Security Issues In Korean & Global Financial Sector
        "This report comprehensively covers actual cyber threats and security issues that have taken place targeting financial companies in Korea and abroad. This report includes an analysis of malware and phishing cases distributed to the financial industry, the top 10 malware strains targeting the financial sector, and statistics on the industries of the leaked Korean accounts. It also covers a case of phishing emails being distributed to the financial industry."
        https://asec.ahnlab.com/en/89575/

      Industrial Sector

      • CISA Releases Thirty-Two Industrial Control Systems Advisories
        "CISA released thirty-two Industrial Control Systems (ICS) advisories on August 14, 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS."
        https://www.cisa.gov/news-events/alerts/2025/08/14/cisa-releases-thirty-two-industrial-control-systems-advisories

      New Tooling

      • Detection Script For Citrix NetScaler Appliances
        "These scripts are provided without any guarantees regarding their effectiveness. The detection capabilities of these scripts are based on a limited set of detection rules. Make sure to follow instructions from the vendor and information listed in advisories regarding vulnerabilities. Make sure no sensitive information is disclosed when sharing the output of these scripts."
        https://github.com/NCSC-NL/citrix-2025
        https://www.ncsc.nl/actueel/nieuws/2025/07/22/casus-citrix-kwetsbaarheid

      Vulnerabilities

      • Passkey Login Bypassed Via WebAuthn Process Manipulation
        "Researchers at enterprise browser security firm SquareX have demonstrated an attack method that can be used to gain access to an account protected by passkeys. Passkeys are designed to provide a more secure alternative to passwords, enabling users to log into their account based on a private key stored on the device. Users can sign in using various authentication methods, including PIN, facial recognition, or fingerprint scan. Passkeys are increasingly adopted and recommended by major tech companies such as Microsoft, Amazon, and Google."
        https://www.securityweek.com/passkey-login-bypassed-via-webauthn-process-manipulation/
      • The Root(ing) Of All Evil: Security Holes That Could Compromise Your Mobile Device
        "Rooting and jailbreaking frameworks are constantly evolving, often maintained by independent developers without formal security oversight. As a result, they frequently introduce unpredictable risks that pose a serious and ongoing threat to enterprise security by enabling malware infections, app compromise, and even full system takeovers. At Zimperium’s zLabs, tracking these tools is a key part of our threat analysis workflow. This continuous monitoring helps us stay ahead of emerging vulnerabilities and maintain real-time awareness of the evolving mobile threat landscape, as cybercriminals move to a mobile-first attack strategy."
        https://zimperium.com/blog/the-rooting-of-all-evil-security-holes-that-could-compromise-your-mobile-device
        https://hackread.com/kernelsu-android-rooting-tool-flaw-device-takeover/
        https://www.infosecurity-magazine.com/news/kernelsu-flaw-android-apps-root/
      • HTTP/2 Implementations Are Vulnerable To "MadeYouReset" DoS Attack Through HTTP/2 Control Frames
        "A vulnerability has been discovered within many HTTP/2 implementations allowing for denial of service (DoS) attacks through HTTP/2 control frames. This vulnerability is colloquially known as "MadeYouReset" and is tracked as CVE-2025-8671. Some vendors have assigned a specific CVE to their products to describe the vulnerability, such as CVE-2025-48989, which is used to identify Apache Tomcat products affected by the vulnerability. MadeYouReset exploits a mismatch caused by stream resets between HTTP/2 specifications and the internal architectures of many real-world web servers. This results in resource exhaustion, and a threat actor can leverage this vulnerability to perform a distributed denial of service attack (DDoS)."
        https://kb.cert.org/vuls/id/767506
        https://thehackernews.com/2025/08/new-http2-madeyoureset-vulnerability.html
        https://www.securityweek.com/madeyoureset-http2-vulnerability-enables-massive-ddos-attacks/
        https://www.theregister.com/2025/08/14/madeyoureset_http2_flaw_lets_attackers/

      Malware

      • Proxyware Malware Being Distributed On YouTube Video Download Site
        "AhnLab SEcurity intelligence Center (ASEC) introduced a case of threat actors distributing proxyware through the advertising page of a freeware software site in the past blog post “DigitalPulse Proxyware Being Distributed Through Ad Pages” [1]. The same threat actor has been continuously distributing proxyware, and multiple infection cases have been found in South Korea. This report shares the latest attack cases and indicators of compromise (IoCs). The proxyware that is ultimately installed is mostly the one from DigitalPulse used in the past proxyjacking attack campaigns. However, there have also been cases where Honeygain’s proxyware is being distributed."
        https://asec.ahnlab.com/en/89574/
      • Crypto24 Ransomware Group Blends Legitimate Tools With Custom Malware For Stealth Attacks
        "In this blog entry, we analyze the Crypto24 ransomware to offer insights into its operator’s ongoing attack campaigns. Our analysis reveals that the threat actor operates with a high level of coordination, frequently launching attacks during off-peak hours to evade detection and maximize impact. Crypto24 has been targeting high-profile entities within large corporations and enterprise-level organizations. The scale and sophistication of recent attacks indicate a deliberate focus on organizations possessing substantial operational and financial assets. The group has concentrated its efforts on organizations in Asia, Europe, and the USA, with targets spanning the financial services, manufacturing, entertainment, and technology sectors."
        https://www.trendmicro.com/en_us/research/25/h/crypto24-ransomware-stealth-attacks.html
        https://www.bleepingcomputer.com/news/security/crypto24-ransomware-hits-large-orgs-with-custom-edr-evasion-tool/
        https://www.theregister.com/2025/08/14/edr_killers_ransomware/
      • Booking.com Phishing Campaign Uses Sneaky 'ん' Character To Trick You
        "Threat actors are leveraging a Unicode character to make phishing links appear like legitimate Booking.com links in a new campaign distributing malware. The attack makes use of the Japanese hiragana character, ん, which can, on some systems, appear as a forward slash and make a phishing URL appear realistic to a person at a casual glance. BleepingComputer has further come across an Intuit phishing campaign using a lookalike domain using the letter L instead of 'i' in Intuit."
        https://www.bleepingcomputer.com/news/security/bookingcom-phishing-campaign-uses-sneaky-character-to-trick-you/
      • This 'SAP Ariba Quote' Isn't What It Seems—It's Ransomware
        "Ransomware has long been a staple among threat actors, and the attacks often garner large media coverage. Ransomwares such as WannaCry and NotPetya dominated both the cyber news and broader reporting landscape for months on end. With this came a huge push within every industry to both raise awareness and train their employees to practice due diligence when interacting with unknown email senders. As users have become more advanced in their understanding, threat actors have developed more sophisticated delivery methods. Email lures, sender spoofing, and impersonation of legitimate software vendors have become popular methods of increasing ransomware delivery efficacy. The Cofense Phishing Defense Center (PDC) team has recently uncovered and investigated a compromised sender account acting as a delivery vector for LeeMe Ransomware."
        https://cofense.com/blog/this-sap-ariba-quote-isn-t-what-it-seems-it-s-ransomware
      • Netflix Scammers Target Jobseekers To Trick Them Into Handing Over Their Facebook Logins
        "In what seems a phishing attack targeted at a certain audience, scammers are impersonating Netflix and reaching out to marketing staff. The initial mail looks like what you might expect from a headhunter or a human resources (HR) recruitment specialist. “I hope this note finds you well,” the email begins. “Your reputation as a visionary marketing leader has caught out attention, and I’d like to share an extraordinary opportunity with you at Netflix.”"
        https://www.malwarebytes.com/blog/news/2025/08/netflix-scammers-target-jobseekers-to-trick-them-into-handing-over-their-facebook-logins
        https://hackread.com/netflix-job-phishing-scam-steals-facebook-login-data/
      • Home Office Phishing Scam Targets UK Visa Sponsorship System
        "Fake Home Office emails target the UK Visa Sponsorship System, stealing logins to issue fraudulent visas and run costly immigration scams. Scammers targeted unsuspecting companies with emails that looked like something straight from the Home Office, complete with urgent compliance warnings and account suspension threats. According to cybersecurity firm Mimecast, those messages were anything but genuine. However, in reality, these messages were part of a sophisticated phishing campaign targeting UK organisations that hold sponsor licences, a direct attempt to steal logins for the government’s Sponsorship Management System (SMS)."
        https://hackread.com/home-office-phishing-scam-uk-visa-sponsorship-system/
      • CrossC2 Expanding Cobalt Strike Beacon To Cross-Platform Attacks
        "From September to December 2024, JPCERT/CC has confirmed incidents involving CrossC2, the extension tool to create Cobalt Strike Beacon for Linux OS. The attacker employed CrossC2 as well as other tools such as PsExec, Plink, and Cobalt Strike in attempts to penetrate AD. Further investigation revealed that the attacker used custom malware (hereafter referred to as "ReadNimeLoader") as a loader for Cobalt Strike. Information submitted to VirusTotal suggests that this attack campaign may have been observed across multiple countries, not only in Japan. This article explains CrossC2 and Cobalt Strike, the malware used in the campaign, as well as other tools employed by the attacker. A tool released by JPCERT/CC to support the analysis of CrossC2 is also introduced at the end."
        https://blogs.jpcert.or.jp/en/2025/08/crossc2.html
        https://thehackernews.com/2025/08/researchers-warn-crossc2-expands-cobalt.html
      • PhantomCard: New NFC-Driven Android Malware Emerging In Brazil
        "Our Mobile Threat Intelligence service has been monitoring NFC-relay threats and tactics since the discovery of NFSkate (aka NGate) in March 2024. Ghost Tap became another milestone in the evolution of NFC-based attacks, where cybercriminals are using NFC relay for cash-out purposes. Since then, the mobile threat landscape has been invaded by several threat actor groups introducing their own tools to perform malicious relay of NFC data from a victim’s card to a fraudster’s device. The appearance of different malicious implementations serves as an indicator of rising interest and demand amongst cybercriminals for tools capable of NFC relay fraud."
        https://www.threatfabric.com/blogs/phantomcard-new-nfc-driven-android-malware-emerging-in-brazil
        https://thehackernews.com/2025/08/new-android-malware-wave-hits-banking.html
      • FBI Shares Tips To Spot Fake Lawyer Schemes Targeting Crypto Scam Victims
        "The FBI has updated its alert about fake lawyers defrauding victims of cryptocurrency scams, adding due diligence measures to help victims. The FBI’s Internet Crime Complaint Center (IC3) has previously warned that fraudsters were posing as lawyers from fictitious law firms and using social media and messaging services to defraud victims of cryptocurrency scams. In this sophisticated scheme, the malicious actors target vulnerable populations, particularly the elderly, and offer to recover funds from a previous scam but instead steal personal information and sometimes money from them."
        https://www.infosecurity-magazine.com/news/fbi-spot-fake-lawyer-schemes/
      • A Mega Malware Analysis Tutorial Featuring Donut-Generated Shellcode
        "We created an in-depth malware analysis tutorial featuring shellcode generated by a tool named Donut. The tutorial walks through a single infection chain from end to end, starting with a sample, and assuming no prior knowledge of the malware in question. By the end of the tutorial, readers will better understand many components of the infection chain and identify the family of the final payload. The tutorial is designed to be a beginner-friendly lesson for those who understand the basics of malware analysis but have yet to analyze many samples in the wild on their own."
        https://unit42.paloaltonetworks.com/donut-malware-analysis-tutorial/

      Breaches/Hacks/Leaks

      • Norwegian Police Say Pro-Russian Hackers Were Likely Behind Suspected Sabotage At a Dam
        "Russian hackers are likely behind suspected sabotage at a dam in Norway in April that affected water flows, police officials told Norwegian media on Wednesday. The director of the Norwegian Police Security Service, Beate Gangås, said cyberattacks are increasingly being carried out against Western nations to stoke fear and unrest. The Associated Press has plotted more than 70 incidents on a map tracking a campaign of disruption across Europe blamed on Russia, which Western officials have described as “reckless.” Since Moscow’s invasion of Ukraine, Western officials have accused Russia and its proxies of staging dozens of attacks and other incidents, ranging from vandalism to arson and attempted assassination."
        https://www.securityweek.com/norwegian-police-say-pro-russian-hackers-were-likely-behind-suspected-sabotage-at-a-dam/
        https://www.bleepingcomputer.com/news/security/pro-russian-hackers-blamed-for-water-dam-sabotage-in-norway/
        https://therecord.media/norway-police-suspect-pro-russian-hackers-dam-sabotage
        https://hackread.com/norway-blames-pro-russian-hackers-for-dam-cyberattack/
        https://securityaffairs.com/181143/hacktivism/norway-confirms-dam-intrusion-by-pro-russian-hackers.html
        https://www.theregister.com/2025/08/14/law_and_water_russia_blamed/
      • Canada’s House Of Commons Investigating Data Breach After Cyberattack
        "The House of Commons of Canada is currently investigating a data breach after a threat actor reportedly stole employee information in a cyberattack on Friday. While the lower house of the Parliament of Canada has yet to issue a public statement regarding this incident, CBC News reports that House of Commons staff were notified of a breach on Monday via email. The alert states that the attacker exploited a recent Microsoft vulnerability to gain access to a database containing sensitive information used to manage House of Commons computers and mobile devices. During the breach, the threat actor also stole some employee data that isn't publicly available, including their names, job titles, office locations, and email addresses."
        https://www.bleepingcomputer.com/news/security/canadas-house-of-commons-investigating-data-breach-after-cyberattack/
        https://therecord.media/hackers-compromise-canada-house-of-commons
        https://www.bankinfosecurity.com/hackers-breach-canadian-government-via-microsoft-exploit-a-29228
        https://securityaffairs.com/181155/hacking/hackers-exploit-microsoft-flaw-to-breach-canada-s-house-of-commons.html
      • The Dark Web Economy For Compromised Government And Police Email Accounts
        "Threat actors are selling active law enforcement and government email accounts on underground forums, turning institutional trust into a commodity available for as little as $40 per account. In recent weeks, Abnormal researchers have uncovered cybercriminals selling access to law enforcement and government email accounts from the US, UK, India, Brazil, and Germany on underground forums. Unlike dormant or spoofed accounts, these are active, trusted inboxes that attackers have compromised for immediate malicious use."
        https://abnormal.ai/blog/compromised-police-government-email-accounts
        https://www.darkreading.com/threat-intelligence/government-email-sale-dark-web
        https://www.infosecurity-magazine.com/news/law-enforcement-government-emails/
        https://www.helpnetsecurity.com/2025/08/14/stolen-government-email-accounts/
        https://www.theregister.com/2025/08/14/fbi_email_accounts_for_sale/
      • Turkish Crypto Exchange BTCTurk Warns Of Security Incident After $49 Million Leaves Platform
        "A popular cryptocurrency platform in Turkey temporarily suspended deposits and withdrawals after security firms tracked $49 million worth of coins leaving the platform in transactions on Thursday morning. BTCTurk confirmed that it is experiencing a security incident in a statement, writing that an investigation was initiated after they discovered unusual activity in the company’s hot wallets. The platform said it plans to reopen deposits and withdrawals once the investigation is completed."
        https://therecord.media/turkish-crypto-exchange-warns-cyber-incident
        https://www.theregister.com/2025/08/14/btcturk_suspends_operations_amid_49m/
      • Tens Of Thousands Of Italian Hotel Guests May Be Hit By Cyber Heist
        "The Italian government warned on Wednesday that identity documents belonging to tens of thousands of people who had stayed at hotels in the country allegedly have been stolen and are being illegally sold online. According to the computer emergency response team at the Agency for Digital Italy (CERT-AGID), at the last count a cybercriminal going by the handle “mydocs” had offered more than 90,000 documents for sale. The documents, allegedly obtained from 10 different Italian hotels, are high-resolution scans of identity-confirming materials used during check-ins, including passports and other forms of official ID cards. The “mydocs” account has attempted to sell these in several tranches starting last week on what CERT-AGID called “a well-known underground forum.”"
        https://therecord.media/italy-hotel-guests-possible-data-breach-ids
        https://www.theregister.com/2025/08/14/italian_hotels_breached_en_masse/
      • Stock In The Channel Pulls Website Amid Cyberattack
        "A UK-based multinational that provides tech stock availability tools is telling customers that its website outage is due to a cyber attack. Stock in the Channel (STIC) provides a "digital platform" that lets users - mostly managed service providers and resellers - "view accurate stock and prices for over 3.1m IT products from 34 distributors." The organization's servers were taken down late into Tuesday evening, and at the time of writing its website remains unreachable. As of Wednesday, its email and phone lines were still operational."
        https://www.theregister.com/2025/08/14/stock_in_the_channel_pulls/

      General News

      • AI Security Governance Converts Disorder Into Deliberate Innovation
        "AI security governance provides a stable compass, channeling efforts and transforming AI from an experimental tool to a reliable, enterprise-class solution. With adequate governance built at the center of AI efforts, business leaders can shape AI plans with intention, while keeping data secure, safeguarding privacy, and reinforcing the strength and stability of the entire system."
        https://www.helpnetsecurity.com/2025/08/14/ai-security-governance/
      • AI Is Changing Kubernetes Faster Than Most Teams Can Keep Up
        "AI is changing how enterprises approach Kubernetes operations, strategy, and scale. The 2025 State of Production Kubernetes report from Spectro Cloud paints a picture of where the industry is heading: AI is shaping decisions around infrastructure cost, tooling, and edge deployment. “This year’s data shows organizations doubling down on AI and edge, even while wrestling legacy VMs into their clusters. The companies that master scale and complexity fastest will create an unbeatable platform for innovation,” said Tenry Fu, CEO, Spectro Cloud."
        https://www.helpnetsecurity.com/2025/08/14/ai-in-kubernetes-operations/
      • T3 Financial Crime Unit Launches “T3+” Global Collaborator Program; Over $250M In Criminal Assets Frozen As Binance Becomes First Member
        "The T3 Financial Crime Unit (T3 FCU)—a joint initiative by TRON, Tether, and TRM Labs—today announced the launch of “T3+,” a global collaborator program made up of some of the largest and most influential players in the crypto ecosystem. It is designed to expand public-private collaboration to combat illicit activities on the blockchain. Binance has joined as the program’s first official member. In parallel, Justin Sun, Founder of TRON, announced a significant milestone: since launching less than a year ago, T3 FCU has frozen over $250 million USD in illicit assets globally, including almost $6M frozen in a successful coordinated first effort with Binance via T3+ to thwart the proceeds of a pig butchering scam."
        https://www.trmlabs.com/resources/blog/t3-financial-crime-unit-launches-t3-global-collaborator-program-over-250m-in-criminal-assets-frozen-as-binance-becomes-first-member
        https://www.bleepingcomputer.com/news/security/over-300-million-in-cybercrime-crypto-seized-in-anti-fraud-effort/
      • Legislated Sanctions Evasion: How The Garantex Rebrand, Grinex, And The Ruble-Backed Token, A7A5 Have Shaped Russia’s Shadow Crypto Economy
        "A7A5 is a Russian ruble-backed token issued by the Kyrgyzstani company Old Vector, which was sanctioned today. It is backed by deposits at sanctioned Russian bank Promsvyazbank (PSB) and has seen significant trading volume increases since inception, processing over $51.17 billion. Grinex, which was also designated by OFAC in today’s action, has been the primary platform facilitating A7A5 trades. The token operates within a narrow ecosystem of Russian-linked financial services and platforms, with trades occurring most frequently between Monday and Friday, suggesting it is intended as an internal medium of exchange for businesses, rather than a retail token designed for mainstream use."
        https://www.chainalysis.com/blog/a7a5-grinex-russian-crypto-economy-ofac-sanctions-august-2025/
        https://therecord.media/treasury-department-renews-sanctions-garantex-grinex
        https://www.bankinfosecurity.com/us-sanctions-crypto-exchange-tied-to-russian-ransomware-a-29230
        https://cyberscoop.com/garantex-grinex-russian-crypto-exchange-sanctions/
      • The Brain Behind Next-Generation Cyber Attacks
        "Last week, researchers at Carnegie Mellon University (CMU) revealed a finding that caught the attention of both the AI and cybersecurity worlds. Their work tackled a lingering challenge: whether today’s leading large language models (LLMs) can independently carry out complex, multi-host cyber-attacks from start to finish. In their raw form, when asked to execute multi-step cyber-attacks from start to finish, these models routinely fail. They wander off-task, choose the wrong tools, or supply flawed parameters that derail the operation."
        https://blog.checkpoint.com/executive-insights/the-brain-behind-next-generation-cyber-attacks/
      • Cybersecurity Spending Slows & Security Teams Shrink
        "Cybersecurity spending is beginning to slow this year, with average security budgets growing 4% year over year, just half of the recorded growth in 2024 and the lowest rate in five years. That's according to the 2025 Security Budget Benchmark Report released by IANS Research and Artico Search, which surveyed more than 580 chief information security officers (CISOs) across multiple industries throughout the US and Canada. Many CISOs confessed they are grappling with flat or reduced budgets, indicating a growing challenge in the industry."
        https://www.darkreading.com/cybersecurity-operations/cybersecurity-spending-slows-teams-shrink
      • Navigating The Cybersecurity Budget Tug-Of-War
        "Organizations large and small are facing mounting pressure to strengthen defenses around their data. The logic around that idea is straightforward. The challenge in increasing cyber defenses lies not just in technology acquisition but in managing the internal budget battles between cybersecurity, data protection, and cyber-resilience initiatives. Even with heavy investments in security tools and protocols, breaches and ransomware attacks continue to expose critical vulnerabilities every day."
        https://www.darkreading.com/cybersecurity-operations/navigating-cybersecurity-budget-tug-of-war

      References
      Electronic Transactions Development Agency (ETDA)
