Cyber Threat Intelligence 04 September 2025
Industrial Sector
- SunPower PVS6
"Successful exploitation of this vulnerability could allow attackers to gain full access to the device, enabling them to replace firmware, modify settings, disable the device, create SSH tunnels, and manipulate attached devices."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-245-03
- Delta Electronics EIP Builder
"Successful exploitation of this vulnerability could allow an attacker to potentially process dangerous external entities, resulting in disclosure of sensitive information."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-245-01
- Fuji Electric FRENIC-Loader 4
"Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-245-02
New Tooling
- BruteForceAI: Free AI-Powered Login Brute Force Tool
"BruteForceAI is a penetration testing tool that uses LLMs to improve the way brute-force attacks are carried out. Instead of relying on manual setup, the tool can analyze HTML content, detect login form selectors, and prepare the attack process automatically. It is built to mimic realistic human behavior while running multi-threaded attacks, which makes testing more effective and accurate."
https://www.helpnetsecurity.com/2025/09/03/bruteforceai-free-ai-powered-login-brute-force-tool
https://github.com/MorDavid/BruteForceAI
Vulnerabilities
- Google Fixes Actively Exploited Android Flaws In September Update
"Google has released the September 2025 security update for Android devices, addressing a total of 84 vulnerabilities, including two actively exploited flaws. The two flaws that were detected as exploited in zero-day attacks are CVE-2025-38352, an elevation of privilege in the Android kernel, and CVE-2025-48543, also an elevation of privilege problem in the Android Runtime component. Google noted in its bulletin that there are indications that those two flaws may be under limited, targeted exploitation, without sharing any more details."
https://www.bleepingcomputer.com/news/security/google-fixes-actively-exploited-android-flaws-in-september-update/
https://thehackernews.com/2025/09/android-security-alert-google-patches.html
https://cyberscoop.com/android-security-update-september-2025/
https://www.securityweek.com/google-patches-high-severity-chrome-vulnerability-in-latest-update/
https://www.malwarebytes.com/blog/news/2025/09/update-your-android-google-patches-111-vulnerabilities-including-2-critical-flaws
https://securityaffairs.com/181871/security/google-addressed-two-android-flaws-actively-exploited-in-targeted-attacks.html
https://www.theregister.com/2025/09/03/android_patch_september/
- CISA Adds Two Known Exploited Vulnerabilities To Catalog
"CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
CVE-2023-50224 TP-Link TL-WR841N Authentication Bypass by Spoofing Vulnerability
CVE-2025-9377 TP-Link Archer C7(EU) and TL-WR841N/ND(MS) OS Command Injection Vulnerability"
https://www.cisa.gov/news-events/alerts/2025/09/03/cisa-adds-two-known-exploited-vulnerabilities-catalog
Malware
- Dire Wolf Ransomware: Threat Combining Data Encryption And Leak Extortion
"The DireWolf ransomware group made their first appearance in May 2025. On May 26 of the same month, they disclosed their first 6 victims on a darknet leak site, marking the beginning of their full-fledged activities. The group stated that their only goal is money and contacts their victims through the Tox messenger. Their targets come from a variety of industries, including manufacturing, IT, construction, and finance in Asia, Australia, Italy, and others. They use a double extortion technique that involves both encrypting data and threatening to leak it. So far, 16 organizations in 16 regions have fallen victim to their attacks, including the United States, Thailand, and Taiwan."
https://asec.ahnlab.com/en/89944/
- From Deepfakes To Dark LLMs: 5 Use-Cases Of How AI Is Powering Cybercrime
"Artificial intelligence is no longer a buzzword reserved for Silicon Valley pitch decks. Over the past year, it’s been quietly and sometimes dramatically transforming the criminal underground. From deepfake CEOs ordering million-dollar transfers to scam call centers powered by synthetic voices, generative AI (genAI) is being tested, adopted, and in some cases operationalized by threat actors at scale. But beneath the headlines and breathless predictions lies a more complex reality. Our team spent months monitoring closed forums, scammer chats, and active campaigns to answer a simple question: Is genAI truly changing the game for cybercriminals? What we found is both reassuring and concerning. Fully autonomous AI-driven cybercrime isn’t here yet. But hybrid human-AI operations are already reshaping how scams are run, phishing is crafted, and malicious campaigns are managed."
Priority: 3 - Important
Relevance: General
https://www.group-ib.com/blog/ai-cybercrime-usecases/
- Threat Actors Abuse X’s Grok AI To Spread Malicious Links
"Threat actors are using Grok, X's built-in AI assistant, to bypass link posting restrictions that the platform introduced to reduce malicious advertising. As discovered by Guardio Labs' researcher Nati Tal, malvertisers often run sketchy video ads containing adult content baits and avoid including a link in the main body to avoid being blocked by X. Instead, they hide it in the small "From:" metadata field under the video card, which apparently isn't scanned by the social media platform for malicious links."
https://www.bleepingcomputer.com/news/security/threat-actors-abuse-xs-grok-ai-to-spread-malicious-links/
- Russia's APT28 Targets Microsoft Outlook With 'NotDoor' Malware
"APT28, the state-sponsored threat group tied to Russian intelligence, is weaponizing Microsoft Outlook through a new backdoor researchers call "NotDoor." The backdoor malware was first identified by researchers from Lab52, the threat intelligence arm of Spanish cybersecurity firm S2 Grupo. In a blog post Wednesday, Lab52 explained how NotDoor allows threat actors to abuse Outlook as a covert communication, data exfiltration, and malware delivery channel. "The artifact, dubbed NotDoor due to the use of the word ‘nothing’ within the code, is a VBA macro for Outlook designed to monitor incoming emails for a specific trigger word," the blog post stated. "When such an email is detected, it enables an attacker to exfiltrate data, upload files, and execute commands on the victim's computer.""
https://www.darkreading.com/endpoint-security/apt28-outlook-notdoor-backdoor
https://lab52.io/blog/analyzing-notdoor-inside-apt28s-expanding-arsenal/
https://www.infosecurity-magazine.com/news/russia-apt28-notdoor-outlook/
- The ClickFix Attack That Wasn’t: From a Fake AnyDesk Installer To MetaStealer
"ClickFix attacks have been ticking up for over a year now, as attackers find success in tricking users into executing malicious code on their computers using CAPTCHA-based lures. We’ve seen quite a bit of these types of attacks on our end - but we’ve also seen threat actors adopting ClickFix-esque techniques in attacks that don’t follow the exact ClickFix playbook. Recently, our very own John Hammond received an email from someone who had come across a fake AnyDesk installer while searching for the AnyDesk remote tool."
https://www.huntress.com/blog/fake-anydesk-clickfix-metastealer-malware
https://hackread.com/fake-anydesk-installer-metastealer-clickfix-scam/
- Ethereum Smart Contracts Used To Push Malicious Code On Npm
"Two new pieces of open source malware discovered on the npm package repository by ReversingLabs researchers in July employ a novel and creative technique for loading malware on compromised devices: smart contracts for the Ethereum blockchain. The two npm packages abused smart contracts to conceal malicious commands that installed downloader malware on compromised systems. The packages are colortoolsv2, published on July 7, and mimelib2, a nearly identical package that was published in late July. They are part of a larger and sophisticated campaign impacting both npm and GitHub. It is a campaign that has seen malicious supply chain actors utilize sophisticated social engineering and deception techniques to fool developers into incorporating the malicious code into their projects."
https://www.reversinglabs.com/blog/ethereum-contracts-malicious-code
https://thehackernews.com/2025/09/malicious-npm-packages-exploit-ethereum.html
https://www.infosecurity-magazine.com/news/malicious-npm-packages-exploit/
- Threat Spotlight: Tycoon Phishing Kit Reveals New Techniques To Hide Malicious Links
"Phishing emails often feature malicious links (URLs) that lead victims to fake websites where they are infected with harmful software or tricked into giving away personal information such as their account credentials. As security tools get better at detecting and blocking these dangerous links, attackers find devious new ways of hiding them to get past security systems. Barracuda’s threat analysts have reported previously on such evolving and increasingly sophisticated tactics. This article looks at some of the latest approaches the team is seeing in attacks involving the advanced phishing-as-a-service (PhaaS) kit, Tycoon."
https://blog.barracuda.com/2025/09/03/threat-spotlight-tycoon-phishing-kit-hide-malicious-links
https://www.infosecurity-magazine.com/news/tycoon-phishing-kit-hide-malicious/
- From PowerShell To Payload: Darktrace’s Detection Of a Novel Cryptomining Malware
"Cryptojacking remains one of the most persistent cyber threats in the digital age, showing no signs of slowing down. It involves the unauthorized use of a computer or device’s processing power to mine cryptocurrencies, often without the owner’s consent or knowledge, using cryptojacking scripts or cryptocurrency mining (cryptomining) malware [1]. Unlike other widespread attacks such as ransomware, which disrupt operations and block access to data, cryptomining malware steals and drains computing and energy resources for mining to reduce attacker’s personal costs and increase “profits” earned from mining [1]. The impact on targeted organizations can be significant, ranging from data privacy concerns and reduced productivity to higher energy bills."
https://www.darktrace.com/blog/from-powershell-to-payload-darktraces-detection-of-a-novel-cryptomining-malware
https://www.itnews.com.au/news/researchers-detail-novel-cryptomining-attack-620058
- PayPal Users Targeted In Account Profile Scam
"A co-worker forwarded this rather convincing PayPal scam to me. Thanks Elena. A highly sophisticated email scam is targeting PayPal users with the subject line of “Set up your account profile.” We decided to see what the scammers are after. First thing to do is to look at the headers:"
https://www.malwarebytes.com/blog/news/2025/09/paypal-users-targeted-in-account-profile-scam
- CTI Analysis: Malicious Email Campaign
"In August 2025, as part of Dream’s threat intelligence agents’ ongoing monitoring of cyber activity, a spear-phishing campaign was identified leveraging a compromised mailbox of the Ministry of Foreign Affairs of Oman based on a tweet. Based on a forensic investigation, we attribute this campaign to Iranian-aligned operators connected to broader offensive cyber activity led by the Homeland Justice group associated with MOIS (Ministry of Intelligence and Security of Iran). Emails were sent to multiple government recipients worldwide, disguising legitimate diplomatic communication. The emails contained a malicious Microsoft Word attachment with a disguised registration form. The document embedded encoded content as numerical sequences, which were decoded using embedded VBA macro code. When executed, the macro converted each sequence of three numbers into ASCII characters, reconstructing and deploying the malware payload."
https://dreamgroup.com/blog-cti/
https://thehackernews.com/2025/09/iranian-hackers-exploit-100-embassy.html
- Model Namespace Reuse: An AI Supply-Chain Attack Exploiting Model Name Trust
"Our research uncovered a fundamental flaw in the AI supply chain that allows attackers to gain Remote Code Execution (RCE) and additional capabilities on major platforms like Microsoft’s Azure AI Foundry, Google’s Vertex AI and thousands of open-source projects. We refer to this issue as Model Namespace Reuse. Hugging Face is a platform that enables AI developers to build, share and deploy models and datasets. On that platform, namespaces are the identifiers of models, which are Git repositories that are stored on the Hugging Face hub. Hugging Face models contain configurations, weights, code and information to enable developers to use the models."
https://unit42.paloaltonetworks.com/model-namespace-reuse/
- Not Safe For Work: Tracking And Investigating Stealerium And Phantom Infostealers
"Threat actors are increasingly turning to information stealers in malware delivery, and Proofpoint threat researchers have observed an increase in the variety of commodity information stealers regularly used by cybercriminal threat actors. While many threat actors prefer malware-as-a-service offerings like Lumma Stealer or Amatera Stealer, some actors prefer to use malware that can be purchased one time, or openly available on platforms like GitHub. Stealerium is a good example of this. In 2022, it emerged as a freely available open-source malware on GitHub, and is still available to download “for educational purposes only.” While open-source malware can be helpful for detection engineers and threat hunters to understand the patterns of behavior for which they can develop threat detection signatures, it also provides a different kind of education to malicious actors. These actors may adopt, modify, and possibly improve the open-source code, resulting in a proliferation of variants of the malware that are not so easy to detect or defend against."
https://www.proofpoint.com/us/blog/threat-insight/not-safe-work-tracking-and-investigating-stealerium-and-phantom-infostealers
- How Chinese State-Sponsored APT Actors Exploit Routers For Stealthy Cyber Espionage
"Chinese state-sponsored cyber espionage campaigns have been reportedly targeting critical sectors across the globe. From telecommunications and government to transportation, lodging, and military operations, cyber actors linked to the People’s Republic of China (PRC) are conducting extensive, stealthy operations to infiltrate and control key network devices. This ongoing cyber onslaught has been documented by leading government agencies, revealing a complex web of tactics designed for long-term access and data extraction."
https://cyble.com/blog/chinese-state-sponsored-group/
- Malware Brief: Crafty Phishing, BYOVD And Android RATs
"The malware news keeps on coming. Today we’ll look briefly at an attack that leverages Meta platforms to deliver RAT malware to Android systems; an attack technique called bring-your-own-vulnerable driver that’s targeting Windows users; and an advanced, multistage phishing technique used by a well-known Russia-based threat group."
https://blog.barracuda.com/2025/09/03/malware-brief-crafty-phishing-byovd-android-rats
Breaches/Hacks/Leaks
- SaaS Giant Workiva Discloses Data Breach After Salesforce Attack
"Workiva, a leading cloud-based SaaS (Software as a Service) provider, notified its customers that attackers who gained access to a third-party customer relationship management (CRM) system stole some of their data. The company's cloud software helps collect, connect, and share data for financial reports, compliance, and audits. It had 6,305 customers at the end of last year and reported revenues of $739 million in 2024. Its customer list includes 85% of the Fortune 500 companies and high-profile clients such as Google, T-Mobile, Delta Air Lines, Wayfair, Hershey, Slack, Cognizant, Santander, Nokia, Kraft Heinz, Wendy's, Paramount, Air France KLM, Mercedes-Benz, and more."
https://www.bleepingcomputer.com/news/security/saas-giant-workiva-discloses-data-breach-after-salesforce-attack/
- Internal Backup Files Of Credit Union Serving Armed Forces Exposed In Data Breach
"Cybersecurity researcher Jeremiah Fowler discovered and reported to Website Planet about an unencrypted and non-password-protected database that contained 378 GB of backup data. The data contained references to the largest credit union serving military members and their families. The database held storage locations, keys, hashed passwords, and other internal potentially sensitive information."
https://www.websiteplanet.com/news/navy-credit-union-breach-report/
https://hackread.com/misconfigured-server-navy-federal-credit-union-data-leak/
General News
- AI Will Drive Purchases This Year, But Not Without Questions
"AI is moving into security operations, but CISOs are approaching it with a mix of optimism and realism. A new report from Arctic Wolf shows that most organizations are exploring or adopting AI-driven tools, yet many still see risks that need management. The report found that 73 percent of organizations have already introduced some form of AI into their cybersecurity programs. Financial services leads adoption, with more than 80 percent using AI, while utilities remain hesitant. Nearly all respondents, 99 percent, said AI will influence at least some of their cybersecurity purchasing decisions over the next year. On average, about 39 percent of security technology purchases are now dependent on AI capabilities being part of the solution."
https://www.helpnetsecurity.com/2025/09/03/report-ai-in-security-operations/
- Salesloft Takes Drift Offline After OAuth Token Theft Hits Hundreds Of Organizations
"Salesloft on Tuesday announced that it's taking Drift temporarily offline "in the very near future," as multiple companies have been ensnared in a far-reaching supply chain attack spree targeting the marketing software-as-a-service product, resulting in the mass theft of authentication tokens. "This will provide the fastest path forward to comprehensively review the application and build additional resiliency and security in the system to return the application to full functionality," the company said. "As a result, the Drift chatbot on customer websites will not be available, and Drift will not be accessible.""
https://thehackernews.com/2025/09/salesloft-takes-drift-offline-after.html
- Internet Mapping And Research Outfit Censys Reveals State-Based Abuse, Harassment
"Censys Inc, vendor of the popular Censys internet-mapping tool, has revealed that state-based actors are trying to abuse its services by hiding behind academic researchers. Censys started life in 2015 as an academic project that aimed to scan the internet and provide data to the research community. In 2017 the project formed a company that now provides a comprehensive map of the internet that it says can help cyber-defenders to find threats and respond before they create a problem."
https://www.theregister.com/2025/09/03/censys_abuse_sigcomm_paper/
- CISA, NSA, And Global Partners Release a Shared Vision Of Software Bill Of Materials (SBOM) Guidance
"CISA, in collaboration with NSA and 19 international partners, released joint guidance outlining A Shared Vision of Software Bill of Materials (SBOM) for Cybersecurity. This marks a significant step forward in strengthening software supply chain transparency and security worldwide. An SBOM is a formal record detailing the components and supply chain relationships used in building software. SBOMs act as a software “ingredients list” providing organizations with essential visibility into software dependencies, enabling them to identify components, assess risks, and take proactive measures to mitigate vulnerabilities."
https://www.cisa.gov/news-events/alerts/2025/09/03/cisa-nsa-and-global-partners-release-shared-vision-software-bill-materials-sbom-guidance
https://www.cisa.gov/resources-tools/resources/shared-vision-software-bill-materials-sbom-cybersecurity
https://cyberscoop.com/cisa-guide-seeks-a-unified-approach-to-software-ingredients-lists/
- US Offers $10 Million Bounty For Info On Russian FSB Hackers
"The U.S. Department of State is offering a reward of up to $10 million for information on three Russian Federal Security Service (FSB) officers involved in cyberattacks targeting U.S. critical infrastructure organizations on behalf of the Russian government. The three individuals, Marat Valeryevich Tyukov, Mikhail Mikhailovich Gavrilov, and Pavel Aleksandrovich Akulov, are part of the FSB's Center 16 or Military Unit 71330, which is tracked as Berserk Bear, Blue Kraken, Crouching Yeti, Dragonfly, and Koala Team."
https://www.bleepingcomputer.com/news/security/us-offers-10-million-bounty-for-info-on-russian-fsb-hackers/
- Internet Archaeology: A Decade Of Defaced Routers?
"They say nothing gold can stay, but defaced router device names certainly can stick around. Recently while exploring data in the Censys Platform, we identified roughly 330 hosts with banners prefixed with "HACKED-ROUTER-HELP-." While this is a relatively small number of hosts, a quick web search for this phrase took us down an unexpected rabbit hole. We identified multiple variants of this banner in our data, including "HACKED-ROUTER-HELP-SOS-HAD-DUPE-PASSWORD," "HACKED-ROUTER-HELP-SOS-DEFAULT-PASSWORD," and "HACKED-ROUTER-HELP-SOS-WAS-MFWORM-INFECTED," along with other variants whose existence stretches back nearly a decade."
https://censys.com/blog/internet-archaeology-a-decade-of-defaced-routers
https://www.darkreading.com/endpoint-security/hacked-routers-linger-on-the-internet-for-years-data-shows
- Japan, South Korea Take Aim At North Korean IT Worker Scam
"Japan, South Korea, and the United States are cooperating to fight against the growing threat of North Korean operatives posing as IT workers to embed themselves in companies and organizations throughout Asia and globally. The three countries held a joint forum on Aug. 26 in Tokyo to improve collaboration, with both Japan and South Korea issuing updated advisories on the threat, while the United States sanctioned four entities for their roles in the IT worker fraud schemes, accusing them of working to help the Democratic People's Republic of Korea (DPRK) to generate revenue. "Hiring, supporting, or outsourcing work to North Korean IT workers increasingly poses serious risks, ranging from theft of intellectual property, data, and funds to reputational harm and legal consequences," the three countries said in a joint statement."
https://www.darkreading.com/cybersecurity-operations/japan-south-korea-north-korean-it-worker-scam
https://www.meti.go.jp/press/2025/08/20250827004/20250827004-1.pdf
- Hacker Conversations: McKenzie Wark, Author Of A Hacker Manifesto
"An objective and academic view on hackers and hacking. TLDR: we are all Hackers. This series talks to computer hackers about their drive to hack. The result is a series of subjective, personal views on what makes a computer hacker. Now we seek an objective view, through the eyes of an academic. The academic is Mckenzie Wark, a professor of Media and Cultural Studies at The New School in New York City. She uses a blend of cultural and philosophical insights to explore change in social issues, and is possibly best known for her seminal book, A Hacker Manifesto."
https://www.securityweek.com/hacker-conversations-mckenzie-wark-author-of-a-hacker-manifesto/
- It Looks Like You’re Ransoming Data. Would You Like Some Help?
"It's no secret that AI tools make it easier for cybercriminals to steal sensitive data and then extort victim organizations. But two recent developments illustrate exactly how much LLMs lower the bar for ransomware and other financially motivated cybercrime — and provide a glimpse to defenders about what's on the horizon. ESET malware researchers Anton Cherepanov and Peter Strýček recently sounded the alarm on what they called the "first known AI-powered ransomware," which they named PromptLock. While the malware doesn't appear to be fully functional — yet — "in theory, it could be used against organizations," Cherepanov told The Register. "But for now, it looks like proof-of-concept.""
https://www.theregister.com/2025/09/03/ransomware_ai_abuse/
References
Electronic Transactions Development Agency (ETDA)