NCSA Webboard

    Cyber Threat Intelligence 18 September 2025

    Cyber Security News
    NCSA_THAICERT

      Industrial Sector

      • How a Fake ICS Network Can Reveal Real Cyberattacks
        "Researchers have introduced a new way to study and defend against ICS threats. Their project, called ICSLure, is a honeynet built to closely mimic a real industrial environment. Honeypots are systems designed to attract attackers so that security teams can study their behavior without putting production equipment at risk. Most ICS honeypots today are low interaction, using software to simulate devices like programmable logic controllers (PLCs)."
        https://www.helpnetsecurity.com/2025/09/17/icslure-ics-threat-detection/

      New Tooling

      • Rayhunter: EFF Releases Open-Source Tool To Detect Cellular Spying
        "The Electronic Frontier Foundation (EFF) has released Rayhunter, a new open-source tool designed to detect cell site simulators (CSS). These devices, also known as IMSI catchers or Stingrays, mimic cell towers to trick phones into connecting so they can collect data. Rayhunter gives researchers, journalists, and privacy advocates a way to identify suspicious cellular activity. EFF group developed it to work on a common, low-cost mobile hotspot device. At launch, they used an Orbic hotspot, which could be purchased for around $30 at some retailers. This hardware is important because it keeps the barrier to entry low for anyone interested in tracking potential surveillance activity."
        https://www.helpnetsecurity.com/2025/09/17/rayhunter-eff-open-source-tool-detect-cellular-spying/
        https://github.com/EFForg/rayhunter

      Vulnerabilities

      • Many Networking Devices Are Still Vulnerable To Pixie Dust Attack
        "Despite having been discovered and reported in 2014, the vulnerability that allows pixie dust attacks still impacts consumer and SOHO networking equipment around the world, NetRise researchers have confirmed. Wi-Fi Protected Setup (WPS) allows users to connect to their network by using an eight-digit pin instead of a password. “[A pixie dust attack] targets weaknesses in the Wi-Fi Protected Setup protocol, exploiting poor entropy in key generation,” the company explains."
        https://www.helpnetsecurity.com/2025/09/17/many-networking-devices-are-still-vulnerable-to-pixie-dust-attack/
        https://www.netrise.io/hubfs/Pixie-Dust-Report.pdf
        https://www.securityweek.com/decade-old-pixie-dust-wi-fi-hack-still-impacts-many-devices/

      Malware

      • ShinyHunters Claims 1.5 Billion Salesforce Records Stolen In Drift Hacks
        "The ShinyHunters extortion group claims to have stolen over 1.5 billion Salesforce records from 760 companies using compromised Salesloft Drift OAuth tokens. For the past year, the threat actors have been targeting Salesforce customers in data theft attacks using social engineering and malicious OAuth applications to breach Salesforce instances and download data. The stolen data is then used to extort companies into paying a ransom to prevent the data from being publicly leaked. These attacks have been claimed by threat actors stating they are part of the ShinyHunters, Scattered Spider, and Lapsus$ extortion groups, now calling themselves "Scattered Lapsus$ Hunters." Google tracks this activity as UNC6040 and UNC6395."
        https://www.bleepingcomputer.com/news/security/shinyhunters-claims-15-billion-salesforce-records-stolen-in-drift-hacks/
      • From ClickFix To MetaStealer: Dissecting Evolving Threat Actor Techniques
        "During the past fifteen business days, Huntress analysts have observed increased threat activity involving several notable techniques. One case involved a malicious AnyDesk installer, which initially mimicked a standard ClickFix attack through a fake Cloudflare verification page but then utilized Windows File Explorer and an MSI package masked as a PDF to deploy MetaStealer malware. Additionally, two incidents involving the Cephalus ransomware variant were detected."
        https://www.bleepingcomputer.com/news/security/from-clickfix-to-metastealer-dissecting-evolving-threat-actor-techniques/
      • Mapping The Infrastructure And Malware Ecosystem Of MuddyWater
        "Since early 2025, Group-IB analysts have observed that MuddyWater, known as an Iranian state-sponsored Advanced Persistent Threat (APT) group, remains active across the Middle East and Europe, with a notable surge in activity within the European region. Our latest analysis of the group’s activities has revealed new intelligence regarding recent shifts in their operational characteristics and arsenal. The group has significantly reduced its widespread Remote Monitoring and Management based intrusions (RMM), reverting to a more targeted operational approach. Although RMM software continues to be employed, the group has increasingly relied on custom-developed backdoors such as Phoenix and StealthCache in addition to PowerShell-based backdoors."
        https://www.group-ib.com/blog/muddywater-infrastructure-malware/
        https://www.bankinfosecurity.com/whats-old-new-again-as-iranian-hackers-exploit-macros-a-29465
      • Raven Stealer
        "Raven Stealer is a contemporary, lightweight information-stealing malware developed primarily in Delphi and C++. Designed for stealth and efficiency, it operates with minimal user interaction while maintaining a high level of operational concealment. This malware steals credentials from various applications, harvests browser data such as cookies, autofill entries, and browsing history, and performs real-time data exfiltration via Telegram bot integration."
        https://www.pointwild.com/threat-intelligence/raven-stealer
        https://www.darkreading.com/vulnerabilities-threats/raven-stealer-scavenges-chrome-data-telegram
        https://hackread.com/raven-stealer-malware-browsers-passwords-payment-data/
      • Malicious PyPI Packages Deliver SilentSync RAT
        "Zscaler ThreatLabz regularly monitors for threats in the popular Python Package Index (PyPI), which contains open source libraries that are frequently used by many Python developers. In July 2025, a malicious Python package named termncolor was identified by ThreatLabz. Just a few weeks later, on August 4, 2025, ThreatLabz uncovered two more malicious Python packages named sisaws and secmeasure. The former Python package leverages typosquatting for the legitimate sisa package, which integrates with the public APIs for Sistema Integrado de Información Sanitaria Argentino (SISA), which is Argentina's national health information system. Interestingly, ThreatLabz discovered another malicious package named secmeasure, which was created by the same author. Both Python packages deliver a Remote Access Trojan (RAT) that ThreatLabz dubbed SilentSync, which is retrieved from Pastebin. SilentSync’s capabilities include remote command execution, file exfiltration, screen capturing, and web browser data theft."
        https://www.zscaler.com/blogs/security-research/malicious-pypi-packages-deliver-silentsync-rat
      • GOLD SALEM’s Warlock Operation Joins Busy Ransomware Landscape
        "Counter Threat Unit™ (CTU) researchers are monitoring a threat group that refers to itself as Warlock Group. The group, which CTU™ researchers track as GOLD SALEM, has compromised networks and deployed its Warlock ransomware since March 2025. Microsoft refers to this threat group as Storm-2603 and characterizes it “with moderate confidence to be a China-based threat actor,” but CTU researchers have insufficient evidence to corroborate this attribution."
        https://news.sophos.com/en-us/2025/09/17/gold-salems-warlock-operation-joins-busy-ransomware-landscape/
      • From El Dorado To BlackLock: Inside a Fast-Rising RaaS Threat
        "BlackLock is a relatively new ransomware group that is believed to have been established around March 2024. Their existence was publicly revealed in June 2024 when the Dedicated Leak Site (DLS) was identified. At that time, information on multiple affected companies had already been posted, suggesting that the gang had been active in secret for several months. The group initially operated under the name El Dorado and rebranded to BlackLock around September 2024. This post provides a summary of AhnLab SEcurity intelligence Center (ASEC) report that analyzes the characteristics, encryption methods, and technologies used by the threat actors to decrypt files, providing insights to help readers prepare for similar threats in the future."
        https://asec.ahnlab.com/en/90175/

      Breaches/Hacks/Leaks

      • SonicWall Warns Customers To Reset Credentials After Breach
        "SonicWall warned customers today to reset credentials after their firewall configuration backup files were exposed in a security breach that impacted MySonicWall accounts. After detecting the incident, SonicWall has cut off the attackers' access to its systems and has been collaborating with cybersecurity and law enforcement agencies to investigate the attack's impact. "As part of our commitment to transparency, we are notifying you of an incident that exposed firewall configuration backup files stored in certain MySonicWall accounts," the cybersecurity company said on Wednesday. "Access to the exposed firewall configuration files contain information that could make exploitation of firewalls significantly easier for threat actors.""
        https://www.bleepingcomputer.com/news/security/sonicwall-warns-customers-to-reset-credentials-after-MySonicWall-breach/
        https://cyberscoop.com/sonicwall-cyberattack-customer-firewall-configurations/
      • VC Giant Insight Partners Warns Thousands After Ransomware Breach
        "New York-based venture capital and private equity firm Insight Partners is notifying thousands of individuals whose personal information was stolen in a ransomware attack. The company disclosed the cybersecurity incident in February, when it said that a threat actor gained access to its network following a "sophisticated social engineering attack." Two months later, Insight Partners confirmed that the attackers had also stolen sensitive data during the breach, including banking and tax information, personal information of current and former employees, information related to limited partners, as well as fund, management company, and portfolio company information."
        https://www.bleepingcomputer.com/news/security/vc-giant-insight-partners-warns-thousands-after-ransomware-breach/
      • Tiffany Discloses Data Breach Involving Gift Cards — Second Breach Disclosure In Recent Months
        "In May, Tiffany & Co. confirmed a data breach affecting an unspecified number of customers in South Korea. Tiffany is one of LVMH Moët Hennessy Louis Vuitton’s 75 high-end brands in six different sectors. On May 26, Tiffany Korea emailed select customers to notify them of a cybersecurity breach involving unauthorized access to a vendor platform used for managing customer data. The incident reportedly occurred on April 8, and although the vendor was not named, it seemed likely that this was part of the ShinyHunters Salesforce campaign tracked by Google’s Threat Intelligence Group as UNC6040."
        https://databreaches.net/2025/09/17/tiffany-discloses-data-breach-involving-gift-cards-second-breach-disclosure-in-recent-months/

      General News

      • Creating a Compliance Strategy That Works Across Borders
        "In this Help Net Security interview, Marco Goldberg, Managing Director at EQS Group, discusses how compliance and regulation are evolving worldwide. He talks about how organizations can stay compliant with international rules while keeping their systems practical and user-friendly. Goldberg points out that getting compliance right goes beyond avoiding penalties and helps build trust with customers, partners, and regulators everywhere."
        https://www.helpnetsecurity.com/2025/09/17/marco-goldberg-eqs-group-world-compliance-regulation/
      • When It Comes To Breaches, Boards Can’t Hide Behind CISOs Any Longer
        "A trend that has long been on the rise is finally having its day. A recent industry report revealed that 91% of security professionals believe that ultimate accountability for cybersecurity incidents lies with the board itself, not with CISOs or security managers. If the security discussion hadn’t fully made its way into C-suite conversations before, it has now. The Chartered Institute of Information Security (CIISEC)’s new State of the Security Profession survey checks the pulse of the industry where cybersecurity regulation is concerned. It emerges with one clear, overarching sentiment: “the buck stops with the board.”"
        https://www.tripwire.com/state-of-security/breaches-boards-cant-hide-behind-cisos
      • A Quarter Of UK And US Firms Suffer Data Poisoning Attacks
        "British and American cybersecurity leaders are increasingly concerned about their expanding AI attack surface, particularly unsanctioned use of AI tools and attempts to corrupt training data, according to new IO research. The security and compliance specialist polled 3000 IT security leaders on both sides of the Atlantic to compile its third annual State of Information Security Report, which was published this morning. It revealed that just over a quarter (26%) have suffered a data poisoning attack, which occurs when threat actors seek to interfere with model training data in order to alter its behavior."
        https://www.infosecurity-magazine.com/news/quarter-uk-us-firms-data-poisoning/
        https://www.isms.online/the-state-of-information-security-report-2025/
        https://email.isms.online/hubfs/Brochures%2C guides and White Papers/IO Materials/IO Reports/IO State of Information Security Report 2025 V1.0.pdf

      Reference
      Electronic Transactions Development Agency (ETDA)
