Cyber Threat Intelligence 12 September 2025
Industrial Sector
- Siemens SIMATIC Virtualization As a Service (SIVaaS)
"Successful exploitation of this vulnerability could allow an attacker to access or alter sensitive data without proper authorization."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-254-02
- Siemens Industrial Edge Management OS (IEM-OS)
"Successful exploitation of this vulnerability could allow a remote attacker to cause a denial-of-service condition."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-254-06
- Siemens User Management Component (UMC)
"Successful exploitation of these vulnerabilities could allow an unauthenticated remote attacker to execute arbitrary code or to cause a denial-of-service condition."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-254-07
- Daikin Security Gateway
"Successful exploitation of this vulnerability could allow an attacker to gain unauthorized access to the system."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-254-10
- Siemens SIMOTION Tools
"Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code with SYSTEM privileges when a legitimate user installs an application that uses the affected setup component."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-254-01
- Siemens SINAMICS Drives
"Successful exploitation of this vulnerability could allow users to escalate their privileges."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-254-03
- Siemens SINEC OS
"Successful exploitation of these vulnerabilities could allow an attacker to access non-sensitive information without authentication or potentially cause a temporary denial of service."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-254-04
- Siemens Apogee PXC And Talon TC Devices
"Successful exploitation of this vulnerability could allow an attacker to download the device's encrypted database file via BACnet."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-254-05
- Schneider Electric EcoStruxure
"Successful exploitation of these vulnerabilities could allow an attacker to cause a denial-of-service condition or disclose sensitive credential data."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-254-08
- Schneider Electric Modicon M340, BMXNOE0100, And BMXNOE0110
"Successful exploitation of this vulnerability could allow attackers to prevent firmware updates and disrupt the webserver's proper behavior by removing specific files or directories from the filesystem."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-254-09
- Threat Landscape For Industrial Automation Systems. Q2 2025
"In Q2 2025, the percentage of ICS computers on which malicious objects were blocked decreased by 1.4 pp from the previous quarter to 20.5%. Compared to Q2 2024, the rate decreased by 3.0 pp."
https://ics-cert.kaspersky.com/publications/reports/2025/09/11/threat-landscape-for-industrial-automation-systems-q2-2025/
Vulnerabilities
- Critical Chrome Vulnerability Earns Researcher $43,000
"Researchers have earned significant rewards from Google for reporting two potentially serious vulnerabilities found in the Chrome web browser. Google this week rolled out a Chrome update that fixes two security defects reported by external researchers, including a critical-severity bug in the browser’s Serviceworker component, for which a $43,000 bug bounty reward was paid. Tracked as CVE-2025-10200 and reported by Looben Yang, the critical flaw is described as a use-after-free issue. These types of memory corruption vulnerabilities appear when the program attempts to access memory that has been freed."
https://www.securityweek.com/critical-chrome-vulnerability-earns-researcher-43000/
https://securityaffairs.com/182107/security/google-fixes-critical-chrome-flaw-researcher-earns-43k.html
- CISA Adds One Known Exploited Vulnerability To Catalog
"CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
CVE-2025-5086 Dassault Systèmes DELMIA Apriso Deserialization of Untrusted Data Vulnerability"
https://www.cisa.gov/news-events/alerts/2025/09/11/cisa-adds-one-known-exploited-vulnerability-catalog
- VMScape: Exposing And Exploiting Incomplete Branch Predictor Isolation In Cloud Environments
"VMScape (CVE-2025-40300) brings Spectre branch target injection (Spectre-BTI) to the cloud, revealing a critical gap in how branch predictor states are isolated in virtualized environments. Our systematic analysis of protection-domain isolation shows that current mechanisms are too coarse-grained: on all AMD Zen CPUs, including the latest Zen 5, the branch predictor cannot distinguish between host and guest execution, enabling practical cross-virtualization BTI (vBTI) attack primitives. Although Intel’s recent CPUs offer better isolation, gaps still exist."
https://comsec.ethz.ch/research/microarch/vmscape-exposing-and-exploiting-incomplete-branch-predictor-isolation-in-cloud-environments/
https://www.bleepingcomputer.com/news/security/new-vmscape-attack-breaks-guest-host-isolation-on-amd-intel-cpus/
https://www.theregister.com/2025/09/11/vmscape_spectre_vulnerability/
- Pwn My Ride: Exploring The CarPlay Attack Surface
"At the recent DefCon conference, we had the opportunity to present Pwn My Ride, a comprehensive exploration of the Apple CarPlay attack surface. With vehicles becoming increasingly connected, the security of in-car systems like CarPlay is critical. Our talk focused on dissecting the protocols that enable CarPlay’s functionality and revealing multiple attack vectors that could be exploited against various CarPlay multimedia systems. A key focus was CVE-2025-24132, a stack buffer overflow vulnerability within the AirPlay protocol that is exposed when a device connects to the car’s multimedia system."
https://www.oligo.security/blog/pwn-my-ride-exploring-the-carplay-attack-surface
https://www.darkreading.com/vulnerabilities-threats/apple-carplay-rce-exploit
https://www.securityweek.com/remote-carplay-hack-puts-drivers-at-risk-of-distraction-and-surveillance/
- When Typing Becomes Tracking: Study Reveals Widespread Silent Keystroke Interception
"You type your email address into a website form but never hit submit. Hours later, a marketing email shows up in your inbox. According to new research, that is not a coincidence. A team of researchers from UC Davis, Maastricht University, and other institutions has found that many websites collect keystrokes as users type, sometimes before a form is ever submitted. The study explores how third-party scripts capture and share this information in ways that may fit the legal definition of wiretapping under California law."
https://www.helpnetsecurity.com/2025/09/11/website-keystroke-tracking-privacy/
https://arxiv.org/pdf/2508.19825
- Cisco Patches High-Severity IOS XR Vulnerabilities
"Cisco on Wednesday released patches for three vulnerabilities in IOS XR software, as part of its September 2025 security advisory bundled publication. Tracked as CVE-2025-20248 (CVSS score of 6), the first of the bugs is a high-severity issue in the IOS XR installation process that could allow attackers to bypass image signature verification. Successful exploitation of the flaw, Cisco explains, could lead to unsigned files being added to an ISO image, which could then be installed and activated on a device."
https://www.securityweek.com/cisco-patches-high-severity-ios-xr-vulnerabilities/
- UAE’s K2 Think AI Jailbroken Through Its Own Transparency Features
"K2 Think, the recently launched AI system from the United Arab Emirates built for advanced reasoning, has been jailbroken by exploiting the quality of its own transparency. Transparency in AI is a quality urged, if not explicitly required, by numerous international regulations and guidelines. The EU AI Act, for example, has specific transparency requirements, including explainability – users must be able to understand how the model has arrived at its conclusion."
https://www.securityweek.com/uaes-k2-think-ai-jailbroken-through-its-own-transparency-features/
Malware
- Trigona Rebranding Suspicions And Global Threats, And BlackNevas Ransomware Analysis
"BlackNevas has been continuously launching ransomware attacks against companies in various industries and countries, including South Korea. This post provides a technical analysis on the characteristics, encryption methods, and reasons why BlackNevas encrypts files in a way that makes them impossible to decrypt. It is hoped that this post will provide insights for defending against similar threats in the future."
https://asec.ahnlab.com/en/90080/
- EvilAI Operators Use AI-Generated Code And Fake Apps For Far-Reaching Attacks
"In recent weeks, Trend Research has observed a new wave of malware campaigns that infiltrate systems by posing as legitimate AI tools and software – complete with realistic interfaces, code signing, and convincing utility features – making them appear legitimate to end users. Rather than relying on obviously malicious files, these trojans mimic the appearance of real software to go unnoticed into both corporate and personal environments, often gaining persistent access before raising any suspicion."
https://www.trendmicro.com/en_us/research/25/i/evilai.html
https://www.darkreading.com/cyberattacks-data-breaches/ai-backed-malware-hits-companies-worldwide
- Vidar Infostealer Back With a Vengeance
"The long-running Vidar infostealer has evolved with new obfuscation techniques. That is according to researchers at cybersecurity vendor Aryaka, which published research last week dedicated to a fresh campaign involving the malware-as-a-service Vidar that has emerged in recent weeks. First tracked in late 2018, Vidar is an infostealer that enables affiliates to grab credentials, operating system details, cookies, sensitive financial data, various authentication tokens, and more from compromised environments."
https://www.darkreading.com/endpoint-security/vidar-infostealer-back-with-vengeance
https://www.aryaka.com/docs/reports/vidar-infostealer-in-action.pdf
- PoisonGPT: Weaponizing AI For Disinformation
"Not all malicious AI tools are designed for immediate profit or hacking — some are crafted to twist the truth at scale. PoisonGPT is a prime example of this darker application of generative AI. Unlike the other tools we’ve explored in this series, PoisonGPT was not sold on forums but instead was developed as a proof-of-concept by security researchers in July 2023 to highlight the risks associated with AI-driven misinformation."
https://blog.barracuda.com/2025/09/11/poisongpt-weaponizing-ai-disinformation
- Malicious Facebook Ads Push Fake ‘Meta Verified’ Browser Extensions To Steal Accounts
"Threat actors are at it again, targeting content creators and businesses with a new malvertising campaign on Meta. This time, the malicious ads are bundled with a video tutorial that guides viewers through the process of downloading and installing a so-called browser extension, which claims to unlock the blue verification tick on Facebook or other special features. At a glance, it looks legitimate, and maybe even helpful. After all, why would scammers go through the trouble of recording tutorials unless the tool really worked? But as the saying goes, “there's no such thing as a free lunch.” This software is nothing more than a malicious browser extension designed to steal your data."
https://www.bitdefender.com/en-us/blog/hotforsecurity/malicious-facebook-ads-push-fake-meta-verified-browser-extensions-to-steal-accounts
https://thehackernews.com/2025/09/fake-madgicx-plus-and-socialmetrics.html
- Uncloaking VoidProxy: a Novel And Evasive Phishing-As-a-Service Framework
"Okta Threat Intelligence has published a detailed analysis on a previously unreported Phishing-as-a-Service (PhaaS) operation, which its authors name VoidProxy. VoidProxy is a novel and highly evasive service used by attackers to target Microsoft and Google accounts. The service is also capable of redirecting accounts protected by third-party single sign-on (SSO) providers like Okta to second-stage phishing pages. VoidProxy represents a mature, scalable and evasive threat to traditional email security and authentication controls."
https://sec.okta.com/articles/uncloakingvoidproxy/
https://www.theregister.com/2025/09/11/voidproxy_phishing_service/
- Cyberspike Villager – Cobalt Strike’s AI-Native Successor
"Straiker’s AI Research (STAR) team recently uncovered Villager, an AI-native penetration testing framework in the wild by the Chinese-based group Cyberspike. Originally positioned as a red-team offering, Cyberspike has released an AI-enabled, MCP-supported automation tool called "Villager" that combines Kali Linux toolsets with DeepSeek AI models to fully automate testing workflows. The package is published in PyPI.org and has recorded ~10,000 downloads in two months. The rapid, public availability and automation capabilities create a realistic risk that Villager will follow the Cobalt Strike trajectory: commercially or legitimately developed tooling becoming widely adopted by threat actors for malicious campaigns."
https://www.straiker.ai/blog/cyberspike-villager-cobalt-strike-ai-native-successor
https://www.theregister.com/2025/09/11/cobalt_strikes_ai_successor_downloaded/
Breaches/Hacks/Leaks
- Panama Ministry Of Economy Discloses Breach Claimed By INC Ransomware
"Panama's Ministry of Economy and Finance (MEF) has disclosed that one of its computers may have been compromised in a cyberattack. The government noted that it activated the security procedures for these situations, stating that the incident has been contained and didn't impact core systems that are vital to its operations. "The Ministry of Economy and Finance informs the public that today an incident involving possible malicious software was detected on one of the Ministry's workstations," MEF says in an official statement."
https://www.bleepingcomputer.com/news/security/panama-ministry-of-economy-discloses-breach-claimed-by-inc-ransomware/
- Exclusive: High-End Fashion Retailers Gucci, Balenciaga, Brioni, And Alexander McQueen Hit By Salesforce Attacks
"Those readers who aren’t A-listers (including yours truly) may never have heard of Kering, but you may have heard of their high-end fashion brands: Gucci. Yves Saint Laurent. Bottega Veneta. Balenciaga. Alexander McQueen. Brioni. It is some of those fashion brands that are the subject of this post as they fell prey to attacks by ShinyHunters. As far as DataBreaches.net can determine, Kering has yet to publicly acknowledge either of two attacks or to notify customers."
https://databreaches.net/2025/09/11/exclusive-high-end-fashion-retailers-gucci-balenciaga-brion-and-alexander-mcqueen-hit-by-salesforce-attacks/
- LNER Reveals Supply Chain Attack Compromised Customer Information
"The operator of one of the UK’s busiest rail lines has admitted that an unauthorized third party has accessed customer details via a supplier. LNER, the government-owned company that runs east coast services between London and Scotland, revealed the incident in an online update yesterday. “We have been made aware of unauthorised access to files managed by a third-party supplier, which involves customer contact details and some information about previous journeys,” it said."
https://www.infosecurity-magazine.com/news/lner-supply-chain-attack-customer/
https://www.theregister.com/2025/09/11/lner_says_customer_data_stolen/
https://hackread.com/uk-rail-operator-lner-cyber-attack-passenger-data/
https://www.securityweek.com/uk-train-operator-lner-warns-customers-of-data-breach/
- France: Three Regional Healthcare Agencies Targeted By Cyber-Attacks
"French regional healthcare agencies have been targeted by cyber-attacks compromising the personal data of patients across the country. On September 8, the regional healthcare agencies (ARS) for three regions, Hauts-de-France (Upper France), Normandy and Pays de la Loire (Lower Loire), issued security alerts warning about recent cyber-attacks carried out against the servers hosting the identity data of patients from public hospitals in the regions. All three agencies described a very similar incident with the same impact."
https://www.infosecurity-magazine.com/news/france-regional-healthcare/
- 100,000 Impacted By Cornwell Quality Tools Data Breach
"American mobile tools manufacturer Cornwell Quality Tools has informed authorities that a data breach discovered late last year impacts more than 100,000 people. According to notification letters sent out to the affected individuals, Cornwell Quality Tools discovered unusual activity on its network on December 20, 2024. An investigation completed recently showed that hackers had gained access to its systems and files a week earlier. The company is telling impacted people that information such as their name, Social Security number, medical information, and financial account number may have been compromised."
https://www.securityweek.com/100000-impacted-by-cornwell-quality-tools-data-breach/
General News
- Apple Warns Customers Targeted In Recent Spyware Attacks
"Apple warned customers last week that their devices were targeted in a new series of spyware attacks, according to the French national Computer Emergency Response Team (CERT-FR). CERT-FR is operated by ANSSI, the National Cybersecurity Agency, and is responsible for preventing and mitigating cybersecurity-related incidents impacting public and critical organizations. According to a Thursday advisory, CERT-FR is aware of at least four instances of Apple threat notifications alerting the company's users about mercenary spyware attacks that have occurred since the beginning of the year."
https://www.bleepingcomputer.com/news/security/apple-warns-customers-targeted-in-recent-spyware-attacks/
https://cert.ssi.gouv.fr/cti/CERTFR-2025-CTI-010/
- Global Cyber Threats August 2025: Agriculture In The Crosshairs
"In August 2025, the global cyber threat landscape presented a complex interplay of stability and alarming new challenges. Organizations around the world confronted an average of nearly 2,000 cyber attacks each week—a slight 1% decrease from July but a stark 10% rise compared to the same month last year. Particularly concerning is the agricultural sector, which has seen a staggering 101% increase in cyber incidents since August 2024. Although the overall volume of attacks has somewhat stabilized, the evolving distribution of threats across industries, regions, and types of attacks suggests a troubling trend that demands our attention. As businesses navigate this new reality, understanding the nuances of the current cyber threat landscape is more critical than ever."
https://blog.checkpoint.com/research/global-cyber-threats-august-2025-agriculture-hit-hard/
- How Attackers Weaponize Communications Networks
"In this Help Net Security interview, Gregory Richardson, Vice President, Advisory CISO Worldwide, at BlackBerry, talks about the growing risks to communications networks. He explains why attackers focus on these networks and how their motivations range from corporate espionage to geopolitical influence. The discussion also covers practical ways to secure networks and maintain reliable communication."
https://www.helpnetsecurity.com/2025/09/11/gregory-richardson-blackberry-securing-communication-networks/
- AI Is Everywhere, But Scaling It Is Another Story
"AI is being adopted across industries, but many organizations are hitting the same obstacles, according to Tines. IT leaders say orchestration is the key to scaling AI. They point to governance, visibility, and collaboration as the critical areas executives need to watch. Organizations are pouring resources into AI, yet many initiatives remain isolated or slow-moving. Without a coordinated approach, AI deployments can become fragmented and harder to secure. Research shows that IT teams see orchestration (coordinating processes, systems, and workflows) as the missing link to scaling AI in a safe and compliant way."
https://www.helpnetsecurity.com/2025/09/11/ai-enterprise-orchestration-scaling/
- Why Organizations Need a New Approach To Risk Management
"To succeed in the risk environment, risk, audit, and compliance leaders need to focus on what Gartner calls “reflexive risk ownership.” This is a future state where business leaders don’t just identify and manage risks after they occur, but instinctively recognize and respond to them as part of their daily decision-making. At the opening keynote of the Gartner Enterprise Risk, Audit & Compliance Conference, Gartner experts highlighted how risks are now emerging faster, overlapping, and becoming harder to classify. This makes it essential for organizations to rethink how they approach risk management."
https://www.helpnetsecurity.com/2025/09/11/gartner-organizational-risk-management-strategy/
- AI Emerges As The Hope—and Risk—for Overloaded SOCs
"The problems faced by SOCs are well known, understood, and quantified – but not yet solved. SMEs get around 500 security alerts every day; larger enterprises receive nearer 3,000. Forty percent of these are never investigated, while 57% of companies suppress their detection rules to lessen the load. Most SOCs cannot cope with the existing alert load, while others seek to reduce it by consciously accepting unknown risk (often in the cloud and identity spheres). These figures come from a Prophet Security analysis (PDF) that canvassed 282 security leaders (CISOs, security directors, managers, and analysts) from companies with more than 1,000 employees, primarily in the United States."
https://www.securityweek.com/ai-emerges-as-the-hope-and-risk-for-overloaded-socs/
- Cyberattacks Against Schools Driven By a Rise In Student Hackers, ICO Warns
"The U.K.’s Information Commissioner's Office (ICO) warned on Thursday that student hackers motivated by dares are driving an increasing number of cyberattacks and data breaches affecting schools. It advised parents “to have regular conversations with their children about what they get up to online” and warned that children hacking into their school’s computer systems may be setting themselves up for lives of cybercrime."
https://therecord.media/cyberattacks-against-schools-driven-by-student-hackers
- Going Dark: ShinyHunters/ScatteredSpider/LAPSUS$ Say Goodbye
"On September 8, the “scattered LAPSUS$ hunters 4.0” Telegram channel posted: FBI and French LE, great job for the third time arresting the wrong person in France once again. DOJ please stop wasting your budget by flying your agents to France every time to make the WRONG arrest, as it’s almost the end of the fiscal year, please save your money, and please do a better job at investigating us instead of arresting innocent individuals and stop falling for our (most obvious) each and all of our schemes and disinformation campaigns. That person who law enforcement allegedly arrested has been MIA for 6 hours and more. We have always been aware since the beginning. You can make as many arrests as you want and we’ll still be active with the same amount of efficiency as we always were."
https://databreaches.net/2025/09/11/going-dark-shinyhunters-scatteredspider-lapsus-say-goodbye/
References
Electronic Transactions Development Agency (ETDA)