Cyber Threat Intelligence 03 September 2025
Industrial Sector
- Frostbyte10 Bugs Put Thousands Of Refrigerators At Major Grocery Chains At Risk
"Ten vulnerabilities in Copeland controllers, which are found in thousands of devices used by the world's largest supermarket chains and cold storage companies, could have allowed miscreants to manipulate temperatures and spoil food and medicine, leading to massive supply-chain disruptions. The flaws, collectively called Frostbyte10, affect Copeland E2 and E3 controllers, used to manage critical building and refrigeration systems, such as compressor groups, condensers, walk-in units, HVAC, and lighting systems. Three received critical-severity ratings."
https://www.theregister.com/2025/09/02/frostbyte10_copeland_controller_bugs/
Government/Law/Policy
- NIST Enhances Security Controls For Improved Patching
"Addressing the ongoing patch management problem requires more finessing, especially to protect the software supply chain. The US National Institute of Standards and Technology (NIST) revised its Security and Privacy Control catalog to help vendors and organizations improve software update and patch release protocols. Originally published in 2020, the Security and Privacy Control catalog details security and privacy safeguards to help organizations mitigate cyber-risks. Federal information systems are required to implement the controls, but the catalog is intended for the private and public sectors. It covers access, authentication, incident response, and supply chain risk management."
https://www.darkreading.com/cybersecurity-operations/nist-enhances-security-controls-for-improved-patching
https://www.nist.gov/news-events/news/2025/08/nist-revises-security-and-privacy-control-catalog-improve-software-update
Vulnerabilities
- CISA Adds Two Known Exploited Vulnerabilities To Catalog
"CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
CVE-2020-24363 TP-Link TL-WA855RE Missing Authentication for Critical Function Vulnerability
CVE-2025-55177 Meta Platforms WhatsApp Incorrect Authorization Vulnerability"
https://www.cisa.gov/news-events/alerts/2025/09/02/cisa-adds-two-known-exploited-vulnerabilities-catalog
- Azure AD Client Secret Leak: The Keys To Cloud
"During a cybersecurity assessment by Resecurity's HUNTER Team, Azure Active Directory (Azure AD) application credentials - namely the ClientId and ClientSecret - were discovered exposed in a publicly accessible Application Settings (appsettings.json) file. This type of leak is high-severity. With these credentials, an attacker can authenticate directly against Microsoft’s OAuth 2.0 endpoints, effectively masquerading as the trusted application. Depending on the app’s assigned permissions, this could enable: Retrieval of sensitive data from SharePoint, OneDrive, or Exchange Online, Enumeration of users, groups, and directory roles in Azure AD, Abuse of Graph API for privilege escalation or persistence, and Deployment of malicious applications under the organization’s tenant."
https://www.resecurity.com/blog/article/azure-ad-client-secret-leak-the-keys-to-cloud
https://www.darkreading.com/cybersecurity-operations/public-file-leaks-azure-activedirectory-credentials
https://www.infosecurity-magazine.com/news/azure-ad-credentials-exposed/
Malware
- Wallet-Draining Npm Package Impersonates Nodemailer To Hijack Crypto Transactions
"Socket’s Threat Research Team identified a malicious npm package, nodejs-smtp, that impersonates the popular email library nodemailer, which averages roughly 3.9 million weekly downloads, while implanting code into desktop cryptocurrency wallets on Windows. On import, the package uses Electron tooling to unpack Atomic Wallet’s app.asar, replace a vendor bundle with a malicious payload, repackage the application, and remove traces by deleting its working directory. Inside the wallet runtime, the injected code overwrites the recipient address with hardcoded wallets controlled by the threat actor, redirecting Bitcoin (BTC), Ethereum (ETH), Tether (USDT and TRX USDT), XRP (XRP), and Solana (SOL) transactions."
https://socket.dev/blog/wallet-draining-npm-package-impersonates-nodemailer
https://thehackernews.com/2025/09/malicious-npm-package-nodejs-smtp.html
https://www.infosecurity-magazine.com/news/malicious-npm-package-email-library/
- Hexstrike-AI: When LLMs Meet Zero-Day Exploitation
"Newly released framework called Hexstrike-AI provides threat actors with an orchestration “brain” that can direct more than 150 specialized AI agents to autonomously scan, exploit, and persist inside targets. Within hours of its release, dark web chatter shows threat actors attempting to use HexStrike-AI to go after recent zero-day CVEs, with attackers dropping webshells for unauthenticated remote code execution. These vulnerabilities are complex and require advanced skills to exploit. With Hexstrike-AI, threat actors claim to reduce the exploitation time from days to under 10 minutes."
https://blog.checkpoint.com/executive-insights/hexstrike-ai-when-llms-meet-zero-day-exploitation/
- Cookies And How To Bake Them: What They Are For, Associated Risks, And What Session Hijacking Has To Do With It
"When you visit almost any website, you’ll see a pop-up asking you to accept, decline, or customize the cookies it collects. Sometimes, it just tells you that cookies are in use by default. We randomly checked 647 websites, and 563 of them displayed cookie notifications. Most of the time, users don’t even pause to think about what’s really behind the banner asking them to accept or decline cookies. We owe cookie warnings to the adoption of new laws and regulations, such as GDPR, that govern the collection of user information and protection of personal data. By adjusting your cookie settings, you can minimize the amount of information collected about your online activity. For example, you can decline to collect and store third-party cookies."
https://securelist.com/cookies-and-session-hijacking/117390/
- Three Lazarus RATs Coming For Your Cheese
"In the past few years, Fox-IT and NCC Group have conducted multiple incident response cases involving a Lazarus subgroup that specifically targets organizations in the financial and cryptocurrency sector. This Lazarus subgroup overlaps with activity linked to AppleJeus, Citrine Sleet, UNC4736, and Gleaming Pisces. This actor uses different remote access trojans (RATs) in their operations, known as PondRAT, ThemeForestRAT and RemotePE. In this article, we analyse and discuss these three. First, we describe an incident response case from 2024, where we observed the three RATs. This gives insights into the tactics, techniques, and procedures (TTPs) of this actor. Then, we discuss PondRAT, ThemeForestRAT and RemotePE, respectively."
https://blog.fox-it.com/2025/09/01/three-lazarus-rats-coming-for-your-cheese/
https://thehackernews.com/2025/09/lazarus-group-expands-malware-arsenal.html
- MystRodX: The Covert Dual-Mode Backdoor Threat
"On June 6, 2025, XLab's Cyber Threat Insight and Analysis System (CTIA) picked up activity from IP 139.84.156.79 distributing a suspicious ELF file, dst86.bin, with a low VirusTotal hit rate of only 4/65. While conventional scanners labeled it as Mirai, our AI module remained silent. That mismatch caught our attention. Turns out, it wasn’t Mirai. It was a dropper, and what it delivered was a brand-new backdoor, unrelated to known Mirai strains. We’ve named it MystRodX, based on its propagation filename dst, the internal class name cmy_, and its multi-layer XOR encryption schemes."
https://blog.xlab.qianxin.com/mystrodx_covert_dual-mode_backdoor_en/
https://thehackernews.com/2025/09/researchers-warn-of-mystrodx-backdoor.html
- VAIZ, FDN3, TK-NET: A Nebula Of Ukrainian Networks Engaged In Brute Force And Password Spraying Attacks
"Between June and July 2025, Ukraine-based autonomous system FDN3 – AS211736, allocated by the entity FOP Dmytro Nedilskyi, was used to launch multiple hundreds of thousands of brute force and password spraying attacks against SSL VPN and RDP devices, over a period of up to three days. We believe with a high level of confidence that FDN3 is part of a wider abusive infrastructure composed of two other Ukrainian networks, VAIZ-AS (AS61432) and ERISHENNYA-ASN (AS210950), and a Seychelles based autonomous system named TK-NET (AS210848). Those were all allocated in August 2021 and often exchange IPv4 prefixes with one another to evade blocklisting and continue hosting abusive activities."
https://www.intrinsec.com/vaiz-fdn3-tk-net-a-nebula-of-ukrainian-networks-engaged-in-brute-force-and-password-spraying-attacks/
https://thehackernews.com/2025/09/ukrainian-network-fdn3-launches-massive.html
Breaches/Hacks/Leaks
- Cloudflare Hit By Data Breach In Salesloft Drift Supply Chain Attack
"Cloudflare is the latest company impacted in a recent string of Salesloft Drift breaches, part of a supply-chain attack disclosed last week. The internet giant revealed on Tuesday that the attackers gained access to a Salesforce instance it uses for internal customer case management and customer support, which contained 104 Cloudflare API tokens. Cloudflare was notified of the breach on August 23, and it alerted impacted customers of the incident on September 2. Before informing customers of the attack, it also rotated all 104 Cloudflare platform-issued tokens exfiltrated during the breach, even though it has yet to discover any suspicious activity linked to these tokens."
https://www.bleepingcomputer.com/news/security/cloudflare-hit-by-data-breach-in-salesloft-drift-supply-chain-attack/
https://cyberscoop.com/salesloft-drift-attacks-cloudflare-palo-alto-networks-zscaler/
https://hackread.com/cloudflare-data-breach-salesforce-and-salesloft-drift/
https://www.theregister.com/2025/09/02/cloudflare_salesloft_drift_breach/
- Palo Alto Networks Data Breach Exposes Customer Info, Support Cases
"Palo Alto Networks suffered a data breach that exposed customer data and support cases after attackers abused compromised OAuth tokens from the Salesloft Drift breach to access its Salesforce instance. The company states that it was one of hundreds of companies affected by a supply-chain attack disclosed last week, in which threat actors abused the stolen authentication tokens to exfiltrate data. BleepingComputer learned of the breach this weekend from Palo Alto Networks' customers, who expressed concern that the breach exposed sensitive information, such as IT information and passwords, shared in support cases."
https://www.bleepingcomputer.com/news/security/palo-alto-networks-data-breach-exposes-customer-info-support-cases/
https://www.paloaltonetworks.com/blog/2025/09/salesforce-third-party-application-incident-response/
https://unit42.paloaltonetworks.com/threat-brief-compromised-salesforce-instances/
https://securityaffairs.com/181819/data-breach/palo-alto-networks-disclose-a-data-breach-linked-to-salesloft-drift-incident.html
https://www.theregister.com/2025/09/02/stolen_oauth_tokens_expose_palo/
- Jaguar Land Rover Says Cyberattack ‘Severely Disrupted’ Production
"Jaguar Land Rover (JLR) announced that a cyberattack forced the company to shut down certain systems as part of the mitigation effort. Although the incident appears to have a significant impact on the automakers’ production and retail operations, the short statement published on the official website noted that customer data is most likely unaffected. “JLR has been impacted by a cyber incident. We took immediate action to mitigate its impact by proactively shutting down our systems,” reads the statement."
https://www.bleepingcomputer.com/news/security/jaguar-land-rover-says-cyberattack-severely-disrupted-production/
https://therecord.media/jaguar-land-rover-disruption-cyber-incident
https://www.darkreading.com/cyberattacks-data-breaches/jaguar-land-rover-cyber-incident
https://www.bankinfosecurity.com/cyberattack-disrupts-jaguar-land-rover-assembly-line-a-29345
https://www.infosecurity-magazine.com/news/jaguar-cyber-incident-disrupts/
- Hackers Breach Fintech Firm In Attempted $130M Bank Heist
"Hackers tried to steal $130 million from Evertec’s Brazilian subsidiary Sinqia S.A. after gaining unauthorized access to its environment on the central bank’s real-time payment system (Pix). Evertec is a public financial technology giant that stands as a major full-service transaction processor in Latin America, Puerto Rico, and the Caribbean. Sinqia, acquired by Evertec in 2023, is a São Paulo-based public company operating in financial software and IT services for the banking and financial industry."
https://www.bleepingcomputer.com/news/security/hackers-breach-fintech-firm-in-attempted-130m-bank-heist/
- Pennsylvania AG Office Says Ransomware Attack Behind Recent Outage
"The Office of the Pennsylvania Attorney General announced that a ransomware attack is behind the ongoing two-week service outage. In an official statement, Attorney General David W. Sunday Jr. said that the office refused to pay the attackers. “The interruption was caused by an outsider encrypting files in an effort to force the office to make a payment to restore operations. No payment has been made,” explained AG Sunday."
https://www.bleepingcomputer.com/news/security/pennsylvania-ag-office-says-ransomware-attack-behind-recent-outage/
https://therecord.media/pennsylvania-attorney-general-office-ransomware-attack-recovery
- Hacks On Specialty Health Entities Affect Nearly 900,000
"Specialty healthcare providers know what they're about when it comes to an irregular heartbeat or a wheezing lung. Cybersecurity, not so much - despite how hacks on specialty medical entities easily result in tens of thousands, if not hundreds of thousands, or even millions, of patient records being compromised."
https://www.bankinfosecurity.com/hacks-on-specialty-health-entities-affect-nearly-900000-a-29349
- ChatGPT Leaks: We Analyzed 1,000 Public AI Conversations, Here’s What We Found
"The leak of thousands of ChatGPT conversations in August 2025 revealed two concerning realities. First, users are not fully aware of how the AI model handles and distributes their data. Second, people seem to have a high level of trust in their AI assistants—and many of their chats have now been made public. The problem came from a now-removed feature where, when sharing conversations, users have the option to “Make [the] chat discoverable.” And while the opt-in clearly said that enabling the feature “allows [the chat] to be shown in web searches,” perhaps not all users fully understood what this meant: that their chats would be crawled and indexed by search engines and become available to other users."
https://www.safetydetectives.com/blog/chatgpt-leaks/
https://hackread.com/leaked-chatgpt-chats-users-ai-therapist-lawyer-confidant/
General News
- Can AI Agents Catch What Your SOC Misses?
"A new research project called NetMoniAI shows how AI agents might reshape network monitoring and security. Developed by a team at Texas Tech University, the framework brings together two ideas: distributed monitoring at the edge and AI-driven analysis at the center. The work is still research stage, but it gives CISOs a sense of what could be possible if agentic AI systems make their way into enterprise environments. The project is open source, so it is also something the community can test and build on."
https://www.helpnetsecurity.com/2025/09/02/netmoniai-open-source-soc-ai-driven-network-defense/
https://arxiv.org/pdf/2508.10052
- Complexity And AI Put Identity Protection To The Test
"Identity has become a core pillar of cybersecurity strategy. Remote work, cloud-first adoption, and distributed supply chains have moved identity from “a tactical IT consideration to a strategic pillar of cybersecurity,” according to Cisco Duo’s 2025 State of Identity Security report. The study is based on a survey of 650 IT and security leaders across North America and Europe. It points to rising AI-driven threats, weak adoption of phishing-resistant authentication, and growing financial risk as key factors shaping identity security priorities in 2025."
https://www.helpnetsecurity.com/2025/09/02/cisco-duo-identity-security-2025-report/
- Cloudflare Blocks Largest Recorded DDoS Attack Peaking At 11.5 Tbps
"Internet infrastructure company Cloudflare said it recently blocked the largest recorded volumetric distributed denial-of-service (DDoS) attack, which peaked at 11.5 terabits per second (Tbps). In volumetric DDoS attacks, attackers overwhelm the target with massive amounts of data, consuming the bandwidth or exhausting system resources, leaving legitimate users with no access to the targeted servers and services. "Cloudflare's defenses have been working overtime. Over the past few weeks, we've autonomously blocked hundreds of hyper-volumetric DDoS attacks, with the largest reaching peaks of 5.1 Bpps and 11.5 Tbps," the company said in a Tuesday tweet."
https://www.bleepingcomputer.com/news/security/cloudflare-blocks-record-breaking-115-tbps-ddos-attack/
https://www.securityweek.com/cloudflare-blocks-record-11-5-tbps-ddos-attack/
https://securityaffairs.com/181829/cyber-crime/cloudflare-blocked-a-record-11-5-tbps-ddos-attack.html
- No, Google Did Not Warn 2.5 Billion Gmail Users To Reset Passwords
"Google has disputed a widely reported story about the company warning all Gmail users to reset their passwords due to a recent data breach that also affected some Workspace accounts. This claim was covered by numerous news outlets, as well as cybersecurity firms, which published stories about the so-called "urgent warning" asking 2.5 billion Gmail users worldwide to enable two-step authentication and reset their passwords. However, as the company explained on a Monday blog post addressing these inaccurate stories, "Gmail's protections are strong and effective, and claims of a major Gmail security warning are false.""
https://www.bleepingcomputer.com/news/technology/no-google-did-not-warn-25-billion-gmail-users-to-reset-passwords/
- WordPress Woes Continue Amid ClickFix Attacks, TDS Threats
"WordPress sites have long been frequent targets for cybercriminals, and recent campaigns show the wave of threats has yet to ebb. In recent weeks, different organizations have flagged malicious activity and vulnerabilities affecting the popular content management platform, once again illustrating its appeal to a wide range of threat actors. On Aug. 20, for example, the Israel National Digital Agency reported a ClickFix campaign it calls "ShadowCaptcha" that features fake Google/Cloudflare CAPTCHA pages. The agency said the large-scale campaign tricked victims into executing malicious commands on compromised WordPress websites."
Priority: 3 - Important
Relevance: General
https://www.darkreading.com/vulnerabilities-threats/wordpress-woes-clickfix-attacks-tds-threats
- Hackers Are Sophisticated & Impatient, And That Can Be Good
"Imagine this. It's Monday at 9 a.m. The CEO of a major company receives a notification that all systems have been encrypted. The ransomware group behind the attack demands $30 million paid within 72 hours or else all that encrypted data will be released to the entire world. Before panic sets in, there are three things to remember about the criminals on the other end. First, at this scale, they're likely running a professional software-as-a-service (SaaS)-style operation. Second, they're on the hunt for any signs of weakness from their victims. Third, and most crucially, these hackers are on their own deadline."
https://www.darkreading.com/cyberattacks-data-breaches/hackers-sophisticated-impatient-good
- Who Watches The Watchmen? Surveillanceware Firms Make Bank, Avoid Oversight
"Governments can't get enough of hacking services to use against their citizens, despite their protestations that elements of the trade need sanctioning. Only legitimate government agencies are supposed to use surveillanceware against criminal targets but governments and companies are widely abusing this, as we've covered many times in the past. Legal surveillanceware companies have targeted activists, journalists, and even political figures, and there's also evidence that the vulns are leaking into the malware sphere. An analysis [PDF] of the industry by security operations center specialist Sekoia shows that surveillanceware vendors are seeing business grow in leaps and bounds and prices are going up to match."
https://www.theregister.com/2025/09/02/commercial_surveillanceware_safe/
https://regmedia.co.uk/2025/09/02/surveillanceware-report1.pdf
References
Electronic Transactions Development Agency (ETDA)