Cyber Threat Intelligence 28 August 2025
Healthcare Sector
- When One Hospital Gets Ransomware, Others Feel The Pain
"When a healthcare organization is hit by ransomware, the crisis extends far beyond the initially targeted institution. The chaos and confusion that arise because systems and applications are offline are bad enough for the victim organization, but surrounding hospitals and entities often have to deal with the spillover effects, as well. Diverted ambulances drop off patients at their emergency doors. Unscheduled walk-ins increase. Patient volume overall can reach unmanageable heights, especially for organizations working with limited resources and tight funding."
https://www.darkreading.com/cybersecurity-operations/hospital-gets-ransomware-others-feel-pain
Vulnerabilities
- Over 28,000 Citrix Devices Vulnerable To New Exploited RCE Flaw
"More than 28,200 Citrix instances are vulnerable to a critical remote code execution vulnerability tracked as CVE-2025-7775 that is already being exploited in the wild. The vulnerability affects NetScaler ADC and NetScaler Gateway and the vendor addressed it in updates released yesterday. According to the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and Citrix, the security issue has been exploited as a zero-day vulnerability."
https://www.bleepingcomputer.com/news/security/over-28-200-citrix-instances-vulnerable-to-actively-exploited-rce-bug/
https://securityaffairs.com/181614/hacking/over-28000-citrix-instances-remain-exposed-to-critical-rce-flaw-cve-2025-7775.html
- FreePBX Servers Hacked Via Zero-Day, Emergency Fix Released
"The Sangoma FreePBX Security Team is warning about an actively exploited FreePBX zero-day vulnerability that impacts systems where the Administrator Control Panel (ACP) is exposed to the internet. FreePBX is an open-source PBX (Private Branch Exchange) platform built on top of Asterisk, widely used by businesses, call centers, and service providers to manage voice communications, extensions, SIP trunks, and call routing. In an advisory posted to the FreePBX forums, the Sangoma FreePBX Security Team warned that since August 21, hackers have been exploiting a zero-day vulnerability in exposed FreePBX administrator control panels."
https://www.bleepingcomputer.com/news/security/freepbx-servers-hacked-via-zero-day-emergency-fix-released/
- Libbiosig, Tenda, SAIL, PDF XChange, Foxit Vulnerabilities
"Cisco Talos’ Vulnerability Discovery & Research team recently disclosed ten vulnerabilities in BioSig Libbiosig, nine in Tenda AC6 Router, eight in SAIL, two in PDF-XChange Editor, and one in Foxit PDF Reader. The vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in adherence to Cisco’s third-party vulnerability disclosure policy."
https://blog.talosintelligence.com/libbiosig-tenda-sail-pdf-xchange-foxit-vulnerabilities/
- August 22 Advisory: Plex Warns Users To Patch Security Vulnerability In Plex Media Server
"Plex has addressed an unknown security vulnerability affecting Plex Media Server versions 1.41.7.x to 1.42.0.x that was discovered through their bug bounty program. The company has released an updated version (1.42.1.10060 or later) that resolves the security issue and is strongly recommending all users update their Plex Media Servers immediately."
https://censys.com/advisory/plex-media-server-vulnerability
https://www.helpnetsecurity.com/2025/08/27/plex-media-server-cve-2025-34158-attack/
- A New Security Flaw In TheTruthSpy Phone Spyware Is Putting Victims At Risk
"A stalkerware maker with a history of multiple data leaks and breaches now has a critical security vulnerability that allows anyone to take over any user account and steal their victim’s sensitive personal data, TechCrunch has confirmed. Independent security researcher Swarang Wade found the vulnerability, which allows anyone to reset the password of any user of the stalkerware app TheTruthSpy and its many companion Android spyware apps, leading to the hijacking of any account on the platform. Given the nature of TheTruthSpy, it’s likely that many of its customers are operating it without the consent of their targets, who are unaware that their phone data is being siphoned off to somebody else."
https://techcrunch.com/2025/08/25/a-new-security-flaw-in-thetruthspy-phone-spyware-is-putting-victims-at-risk/
https://www.malwarebytes.com/blog/news/2025/08/more-vulnerable-stalkerware-victims-data-exposed-in-new-thetruthspy-flaw
Malware
- ShadowSilk: A Cross-Border Binary Union For Data Exfiltration
"This blog describes attacks on victims in Central Asia and APAC. Research into the attack has identified a group also called YoroTrooper. We also identified profiles of attackers on hacker forums, their malicious web-panels, test infections of attackers' own machines, and screenshots of attackers' desktops."
https://www.group-ib.com/blog/shadowsilk/
https://thehackernews.com/2025/08/shadowsilk-hits-36-government-targets.html
https://www.infosecurity-magazine.com/news/shadowsilk-targets-central-asian/
- New Phishing Campaign Abuses ConnectWise ScreenConnect To Take Over Devices
"A novel phishing campaign attempts to trick victims into downloading ConnectWise ScreenConnect remote monitoring and management (RMM) software, enabling attackers to take complete control over end-user devices. A report by Abnormal AI found that the legitimate RMM tool is abused by the threat actors to achieve remote system control and facilitate follow-on attacks, including account takeovers and lateral phishing."
https://www.infosecurity-magazine.com/news/phishing-abuses-connectwise-take/
https://intelligence.abnormal.ai/resources/screenconnect-attack-videoconferencing-impersonation-ai
https://files.abnormalsecurity.com/production/files/Weaponizing-Workplace-Communications.pdf
https://www.securityweek.com/hackers-weaponize-trust-with-ai-crafted-emails-to-deploy-screenconnect/
- TAG-144’s Persistent Grip On South American Organizations
"Insikt Group has identified five distinct activity clusters linked to TAG-144 (also known as Blind Eagle). These clusters have operated at various times throughout 2024 and 2025, targeting a significant number of victims, primarily within the Colombian government across local, municipal, and federal levels. Although the clusters share similar tactics, techniques, and procedures (TTPs) such as leveraging open-source and cracked remote access trojans (RATs), dynamic domain providers, and legitimate internet services (LIS) for staging, they differ significantly in infrastructure, malware deployment, and other operational methods. Insikt Group also found further evidence linking TAG-144 to Red Akodon and identified various compromised Colombian government email accounts likely used in spearphishing campaigns."
https://www.recordedfuture.com/research/tag-144s-persistent-grip-on-south-american-organizations
https://thehackernews.com/2025/08/blind-eagles-five-clusters-target.html
- CISA And Partners Release Joint Advisory On Countering Chinese State-Sponsored Actors Compromise Of Networks Worldwide To Feed Global Espionage Systems
"CISA, along with the National Security Agency, Federal Bureau of Investigation, and international partners, released a joint Cybersecurity Advisory on People’s Republic of China (PRC) state-sponsored Advanced Persistent Threat (APT) actors targeting critical infrastructure across sectors and continents to maintain persistent, long-term access to networks. This advisory builds on previous reporting and is based on real-world investigations conducted across multiple countries through July 2025. While the activity observed overlaps with industry reporting on the group known as Salt Typhoon, OPERATOR PANDA, RedMike, UNC5807, and GhostEmperor, among others, the advisory refers to them generically as APT actors to focus on the behavior, not the alias."
https://www.cisa.gov/news-events/alerts/2025/08/27/cisa-and-partners-release-joint-advisory-countering-chinese-state-sponsored-actors-compromise
https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-239a
https://media.defense.gov/2025/Aug/22/2003786665/-1/-1/0/CSA_COUNTERING_CHINA_STATE_ACTORS_COMPROMISE_OF_NETWORKS.PDF
https://www.bleepingcomputer.com/news/security/global-salt-typhoon-hacking-campaigns-linked-to-chinese-tech-firms/
https://therecord.media/allied-spy-agencies-blame-chinese-companies-salt-typhoon
https://www.bankinfosecurity.com/chinese-telecom-hackers-strike-worldwide-a-29308
https://cyberscoop.com/salt-typhoon-hacking-campaign-goes-beyond-previously-disclosed-targets-world-cyber-agencies-say/
- Phishing Kits Uncovered: Methods And Tactics Used To Evade SEGs, Sandboxes, And Analysts
"Threat actors use many methods to avoid detection and complicate the analysis of their credential phishing pages and campaigns. Many of these are built into the kits that threat actors purchase, while others must be manually implemented. This report covers some tactics, techniques, and procedures (TTPs) used by threat actors in phishing kits to prevent and delay detection of their credential phishing pages, email phishing campaigns, and related resources."
https://cofense.com/blog/phishing-kits-uncovered-methods-and-tactics-used-to-evade-segs,-sandboxes,-and-analysts
- Storm-0501’s Evolving Techniques Lead To Cloud-Based Ransomware
"Microsoft Threat Intelligence has observed financially motivated threat actor Storm-0501 continuously evolving their campaigns to achieve sharpened focus on cloud-based tactics, techniques, and procedures (TTPs). While the threat actor has been known for targeting hybrid cloud environments, their primary objective has shifted from deploying on-premises endpoint ransomware to using cloud-based ransomware tactics."
https://www.microsoft.com/en-us/security/blog/2025/08/27/storm-0501s-evolving-techniques-lead-to-cloud-based-ransomware/
https://www.darkreading.com/cloud-security/storm-0501-cloud-based-ransomware-attack
https://thehackernews.com/2025/08/storm-0501-exploits-entra-id-to.html
https://www.bleepingcomputer.com/news/security/storm-0501-hackers-shift-to-ransomware-attacks-in-the-cloud/
https://cyberscoop.com/storm-0501-ransomware-microsoft-threat-intelligence/
https://www.theregister.com/2025/08/27/storm0501_ransomware_azure_teams/
- Boxing Clever: The Million-Dollar Task Scam Cluster
"Netcraft recently discovered DeltaAirlineiVIP[.]com, a task scam exploiting the US airline’s branding. It was the introduction to a cluster with more than $1M of attributable crypto transactions using an API-driven, templated approach to convince victims to make advance payments. The scam template is multipurpose, with a particular focus on American brands, including Delta, AMC Theatres, Universal Studios and Epic Records."
https://www.netcraft.com/blog/boxing-clever-the-million-dollar-task-scam-cluster
https://hackread.com/scammers-steal-crypto-using-fake-delta-and-amc-sites/
- s1ngularity: Supply Chain Attack Leaks Secrets On GitHub: Everything You Need To Know
"On August 26, 2025, multiple malicious versions of the widely used Nx build system package were published to the npm registry. These versions contained a post-installation malware script designed to harvest sensitive developer assets, including cryptocurrency wallets, GitHub and npm tokens, SSH keys, and more. The malware leveraged AI command-line tools (including Claude, Gemini, and Q) to aid in their reconnaissance efforts, and then exfiltrated the stolen data to publicly accessible attacker-created repositories within victims’ GitHub accounts."
https://www.wiz.io/blog/s1ngularity-supply-chain-attack
https://www.theregister.com/2025/08/27/nx_npm_supply_chain_attack/
Breaches/Hacks/Leaks
- IT System Supplier Cyberattack Impacts 200 Municipalities In Sweden
"A cyberattack on Miljödata, an IT systems supplier for roughly 80% of Sweden’s municipal systems, has caused accessibility problems in more than 200 regions of the country. In addition to the service disruption, there are concerns that attackers also stole sensitive data. Local media report that the threat actor demanded a ransom of 1.5 (currently around $168,000) Bitcoins from Miljödata in exchange for not leaking stolen information. Miljödata is a Swedish software company that develops and provides work environment and HR management systems for municipalities, regions, and organizations."
https://www.bleepingcomputer.com/news/security/it-system-supplier-cyberattack-impacts-200-municipalities-in-sweden/
https://therecord.media/sweden-municipalities-ransomware-software
General News
- July 2025 APT Group Trends
"North Korea’s APT group actively utilized the ClickFix technique and performed the DLL side-loading technique through OLE objects inserted in Hangul (HWP) documents."
https://asec.ahnlab.com/en/89875/
- Mitigating Security Risks In Low-Code Development Environments
"I still remember the soft whir of the server room fans and that faint smell of ozone when we, a team of cybersecurity analysts, traced a spike in traffic to a “harmless” low-code workflow. A store manager had built a nifty dashboard to pull sales numbers. It looked tidy, almost playful – boxes, arrows, green check marks. Under the hood, it was hitting an internal API without proper authentication. We caught it before anything went sideways, but the feeling in my gut was the same one you get when you realize a door you thought was locked has been open all night."
https://www.tripwire.com/state-of-security/mitigating-security-risks-low-code-development-environments
- Philippines Power Election Security With Zero-Knowledge Proofs
"While claims of election fraud in the 202 US presidential elections have been proven false in the legal system (through numerous lawsuits and settlements), secure voting and election cybersecurity are increasingly becoming an electoral issue. Thirty-four countries worldwide—including countries with large populations, such as India and Mexico—already use some form of e-voting in their elections. In the U.S., a number of states allow military personnel, disabled citizens and other special categories to vote online, but the practice remains limited."
https://www.darkreading.com/identity-access-management-security/philippines-rely-on-zero-knowledge-proofs-for-election-security
- How Compliance Teams Can Turn AI Risk Into Opportunity
"AI is moving faster than regulation, and that creates opportunities and risks for compliance teams. While governments work on new rules, businesses cannot sit back and wait. In this Help Net Security interview, Matt Hillary, CISO at Drata, looks at how AI is changing the role of governance, risk, and compliance, from handling sensitive data to making compliance a continuous, adaptive process."
https://www.helpnetsecurity.com/2025/08/27/matt-hillary-drata-ai-regulatory-compliance/
- Exploits And Vulnerabilities In Q2 2025
"Vulnerability registrations in Q2 2025 proved to be quite dynamic. Vulnerabilities that were published impact the security of nearly every computer subsystem: UEFI, drivers, operating systems, browsers, as well as user and web applications. Based on our analysis, threat actors continue to leverage vulnerabilities in real-world attacks as a means of gaining access to user systems, just like in previous periods. This report also describes known vulnerabilities used with popular C2 frameworks during the first half of 2025."
https://securelist.com/vulnerabilities-and-exploits-in-q2-2025/117333/
- Who Are You Again? Infosec Experiencing 'Identity Crisis' Amid Rising Login Attacks
"Infosec pros are losing confidence in their identity providers' ability to keep attackers out, with Cisco-owned Duo warning that the industry is facing what it calls "an identity crisis." Only a third (33 percent) of the 650 cybersecurity leaders in North America and Europe said they were unconcerned about the security their vendor offered against phishing and AI-assisted attacks, according to Duo. The identity and access management (IAM) biz thinks this can be explained by a number of factors, such as overly complex security solutions, a lack of visibility into potential weaknesses, and perhaps chief among all of them is that identity security is treated as an afterthought."
https://www.theregister.com/2025/08/27/ciscos_duo_identity_crisis/
- BGP’s Security Problems Are Notorious. Attempts To Fix That Are A Work In Progress
"I’ve been working on a chapter about infrastructure security for our network security book. The core of the Internet is notoriously vulnerable to attacks, with Border Gateway Protocol (BGP) and DNS being particular weak points. So I set out to learn enough about what has been done to secure these components of the Internet’s "core infrastructure” to be able to write something useful for our book."
https://www.theregister.com/2025/08/27/systems_approach_securing_internet_infrastructure/
- Data Is The New Diamond: Heists In The Digital Age
"Heists in the digital world may seem fundamentally different from heists in the physical world, but I see a common tie — financially motivated criminals of all types often use social engineering and intensive reconnaissance to achieve their goals. In February 2023, the “heist of the century” occurred when more than $100 million worth of diamonds, gold, silver and other jewelry were stolen from the Antwerp Diamond Centre in Belgium by five criminals. This heist involved significant time spent on reconnaissance and social engineering by the mastermind of the operation, Leonardo Notarbartolo. He used these tactics to better understand and bypass various layers of physical security implemented at the site."
https://unit42.paloaltonetworks.com/retail-hospitality-heists-in-the-digital-age/
- The Career Delta: Navigating AI, Cybersecurity And Change
"When a river meets the sea, the delta becomes a place of convergence: messy, dynamic and fertile. Careers are in a similar delta today as artificial intelligence reshapes business operations and cybersecurity at the same time. This isn't about buzzwords. It's about where real opportunities are emerging and how you can position yourself to take advantage of them."
https://www.bankinfosecurity.com/blogs/career-delta-navigating-ai-cybersecurity-change-p-3930
- Detecting And Countering Misuse Of AI: August 2025
"We’ve developed sophisticated safety and security measures to prevent the misuse of our AI models. But cybercriminals and other malicious actors are actively attempting to find ways around them. Today, we’re releasing a report that details how. Our Threat Intelligence report discusses several recent examples of Claude being misused, including a large-scale extortion operation using Claude Code, a fraudulent employment scheme from North Korea, and the sale of AI-generated ransomware by a cybercriminal with only basic coding skills. We also cover the steps we’ve taken to detect and counter these abuses."
https://www.anthropic.com/news/detecting-countering-misuse-aug-2025
https://www.darkreading.com/cyberattacks-data-breaches/anthropic-ai-automate-data-extortion-campaign
https://www.helpnetsecurity.com/2025/08/27/anthropic-ai-powered-cybercrime/
https://thehackernews.com/2025/08/anthropic-disrupts-ai-powered.html
https://www.theregister.com/2025/08/27/anthropic_security_report_flags_rogue/
- Infostealers: The Silent Smash-And-Grab Driving Modern Cybercrime
"Infostealers have become the fulcrum of modern cybercrime. They enter silently, steal in stealth, and vanish. The evolution of this malware over the last ten years is a feature of the increasing professionalism of the criminal underground and the rise of cybercrime-as-a-service. The logs they provide are the starting point for many of today’s breaches, identity theft, and fraud."
https://www.securityweek.com/infostealers-the-silent-smash-and-grab-driving-modern-cybercrime/
- Back To School, Back To Scams
"As August fades into September, certain sights and sounds return like clockwork: bright yellow school buses rumbling down the roads, playgrounds echoing with the squeals of energetic children, and the slow shift of the seasons. As schools ease into their autumn rhythms, cyberthreats do the same — hackers return each academic year armed with a fresh arsenal of tricks. Rajiv Kohli, John N. Dalton Memorial Professor of Business at William & Mary’s Mason School of Business, warns: “As students, faculty and staff return to the new school year, new cybersecurity threats await.” He adds that, in addition to the classic fake email from the dean or a professor asking to send gift cards, new threats will be targeted and timed. “Managed service providers (MSPs) should be on the lookout for email or text traffic originating from servers of foreign or unverifiable origins, especially when they are mass mailings, and flag them as spam or unknown.”"
https://blog.barracuda.com/2025/08/27/back-school-back-scams
- The 5 Golden Rules Of Safe AI Adoption
"Employees are experimenting with AI at record speed. They are drafting emails, analyzing data, and transforming the workplace. The problem is not the pace of AI adoption, but the lack of control and safeguards in place. For CISOs and security leaders like you, the challenge is clear: you don't want to slow AI adoption down, but you must make it safe. A policy sent company-wide will not cut it. What's needed are practical principles and technological capabilities that create an innovative environment without an open door for a breach. Here are the five rules you cannot afford to ignore."
https://thehackernews.com/2025/08/the-5-golden-rules-of-safe-ai-adoption.html
- US Sanctions Russian National And Chinese Company Over North Korean IT Worker Schemes
"The U.S. Treasury Department announced new sanctions on Wednesday targeting key players in North Korea’s ongoing scheme to siphon money from companies through IT workers posing as Americans. The Office of Foreign Assets Control (OFAC) said it is sanctioning Vitaliy Sergeyevich Andreyev, Kim Ung Sun and two companies — Shenyang Geumpungri Network Technology and Korea Sinjin Trading Corporation. U.S. officials said the sanctions are part of an ongoing effort to punish organizations in the network of Chinyong Information Technology Cooperation, an IT company that employs many of the North Korean IT workers who work in Russia and Laos."
https://therecord.media/us-sanctions-company-national-north
https://home.treasury.gov/news/press-releases/sb0230
https://www.theregister.com/2025/08/27/us_treasury_korea_sanctions/
https://cyberscoop.com/treasury-department-sanctions-north-korea-worker-scheme/
References
Electronic Transactions Development Agency (ETDA) - When One Hospital Gets Ransomware, Others Feel The Pain