Cyber Threat Intelligence 25 September 2025
Vulnerabilities
- Cisco Warns Of IOS Zero-Day Vulnerability Exploited In Attacks
"Cisco has released security updates to address a high-severity zero-day vulnerability in Cisco IOS and IOS XE Software that is currently being exploited in attacks. Tracked as CVE-2025-20352, the flaw is due to a stack-based buffer overflow weakness found in the Simple Network Management Protocol (SNMP) subsystem of vulnerable IOS and IOS XE software, impacting all devices with SNMP enabled. Authenticated, remote attackers with low privileges can exploit this vulnerability to trigger denial-of-service (DoS) conditions on unpatched devices. High-privileged attackers, on the other hand, can gain complete control of systems running vulnerable Cisco IOS XE software by executing code as the root user."
https://www.bleepingcomputer.com/news/security/cisco-warns-of-ios-zero-day-vulnerability-exploited-in-attacks/
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-snmp-x4LPhte
Malware
- YiBackdoor: A New Malware Family With Links To IcedID And Latrodectus
"Zscaler ThreatLabz has identified a new malware family that we named YiBackdoor, which was first observed in June 2025. The malware is particularly interesting because it contains significant code overlaps with IcedID and Latrodectus. Similar to Zloader and Qakbot, IcedID was originally designed for facilitating banking and wire fraud. However, IcedID has since been repurposed to provide initial access for ransomware attacks. The exact connection to YiBackdoor is not yet clear, but it may be used in conjunction with Latrodectus and IcedID during attacks. YiBackdoor enables threat actors to collect system information, capture screenshots, execute arbitrary commands, and deploy plugins."
https://www.zscaler.com/blogs/security-research/yibackdoor-new-malware-family-links-icedid-and-latrodectus
https://thehackernews.com/2025/09/new-yibackdoor-malware-shares-major.html
- IMDS Abused: Hunting Rare Behaviors To Uncover Exploits
"In the world of cloud security, the Instance Metadata Service (IMDS) is a fundamental building block. It’s designed to provide virtual machines with a simple way to securely get temporary credentials and critical data without hardcoding secrets. But what happens when that convenience is turned against us? Over the years, threat actors have learned to turn IMDS into a stepping stone for credential theft, lateral movement, and privilege escalation. This post is about how we used a data-driven methodology to uncover and stop anomalous IMDS usage, and how that approach led us to discover a zero-day vulnerability being exploited in the wild in a popular web service."
https://www.wiz.io/blog/imds-anomaly-hunting-zero-day
https://thehackernews.com/2025/09/hackers-exploit-pandoc-cve-2025-51591.html
- Widespread Supply Chain Compromise Impacting Npm Ecosystem
"CISA is releasing this Alert to provide guidance in response to a widespread software supply chain compromise involving the world’s largest JavaScript registry, npmjs.com. A self-replicating worm—publicly known as “Shai-Hulud”—has compromised over 500 packages.[i] After gaining initial access, the malicious cyber actor deployed malware that scanned the environment for sensitive credentials. The cyber actor then targeted GitHub Personal Access Tokens (PATs) and application programming interface (API) keys for cloud services, including Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure.[ii]"
https://www.cisa.gov/news-events/alerts/2025/09/23/widespread-supply-chain-compromise-impacting-npm-ecosystem
https://therecord.media/cisa-urges-software-reviews-malicious-packages
- Bypassing Mark Of The Web (MoTW) Via Windows Shortcuts (LNK): LNK Stomping Technique
"While Windows shortcut (LNK) files are designed for user convenience, they have long been exploited as initial access vectors by threat actors. Since Microsoft strengthened its macro-blocking policies in 2022, attackers have increasingly turned to alternative formats such as ISO, RAR, and LNK files in their attacks. LNK files are commonly distributed via email attachments or embedded within compressed archives. When executed, they often invoke trusted system utilities like PowerShell, cmd.exe, or mshta.exe, making the payload execution appear as legitimate system activity."
https://asec.ahnlab.com/en/90299/
- Obscura, An Obscure New Ransomware Variant
"On 29 August 2025, Huntress analysts encountered a previously unseen ransomware variant called “Obscura.” This name was taken from the ransom note (README_Obscura.txt), which also made several references to Obscura in its contents. While researching this ransomware variant, analysts did not find any public references to a ransomware variant named Obscura. The ransomware executable was first seen being executed across multiple hosts on the victim organization. This network had a limited deployment of the Huntress agent, which impacted both detection and response, inhibiting the SOC’s ability to respond effectively. This also limited our visibility into certain aspects of the attack, including the initial access vector."
https://www.bleepingcomputer.com/news/security/obscura-an-obscure-new-ransomware-variant/
- Another BRICKSTORM: Stealthy Backdoor Enabling Espionage Into Tech And Legal Sectors
"Google Threat Intelligence Group (GTIG) is tracking BRICKSTORM malware activity, which is being used to maintain persistent access to victim organizations in the United States. Since March 2025, Mandiant Consulting has responded to intrusions across a range of industry verticals, most notably legal services, Software as a Service (SaaS) providers, Business Process Outsourcers (BPOs), and Technology. The value of these targets extends beyond typical espionage missions, potentially providing data to feed development of zero-days and establishing pivot points for broader access to downstream victims."
https://cloud.google.com/blog/topics/threat-intelligence/brickstorm-espionage-campaign
https://thehackernews.com/2025/09/unc5221-uses-brickstorm-backdoor-to.html
https://www.bleepingcomputer.com/news/security/google-brickstorm-malware-used-to-steal-us-orgs-data-for-over-a-year/
https://therecord.media/china-linked-hackers-brickstorm-backdoor-ip
https://www.bankinfosecurity.com/mandiant-chinese-espionage-tool-embedded-in-us-systems-a-29544
https://cyberscoop.com/chinese-cyberespionage-campaign-brickstorm-mandiant-google/
https://www.theregister.com/2025/09/24/google_china_spy_report/
- PyPI Urges Users To Reset Credentials After New Phishing Attacks
"The Python Software Foundation has warned victims of a new wave of phishing attacks using a fake Python Package Index (PyPI) website to reset credentials. Accessible at pypi.org, PyPI is the default source for Python's package management tools, hosting hundreds of thousands of packages and providing developers with a centralized platform to distribute third-party software libraries. Python Software Foundation developer Seth Larson said the phishing emails request targets to “verify their email address” for “account maintenance and security procedures,” threatening them with account suspensions and redirecting to a phishing landing page at pypi-mirror[.]org."
https://www.bleepingcomputer.com/news/security/pypi-urges-users-to-reset-credentials-after-new-phishing-attacks/
https://blog.pypi.org/posts/2025-09-23-plenty-of-phish-in-the-sea/
https://hackread.com/psf-warn-fake-pypi-login-site-steal-credentials/
https://www.theregister.com/2025/09/24/pypi_phishing_attacks/
- GitHub Notifications Abused To Impersonate Y Combinator For Crypto Theft
"A massive phishing campaign targeted GitHub users with cryptocurrency drainers, delivered via fake invitations to the Y Combinator (YC) W2026 program. Y Combinator is a startup accelerator that funds and mentors projects in their early stages, and connects founders with a network of alumni and venture capital firms. The attacker abused GitHub’s notification system to deliver the fraudulent messages, by creating issues across multiple repositories and tagging targeted users."
https://www.bleepingcomputer.com/news/security/github-notifications-abused-to-impersonate-y-combinator-for-crypto-theft/
- AI Vs. AI: Detecting An AI-Obfuscated Phishing Campaign
"Microsoft Threat Intelligence recently detected and blocked a credential phishing campaign that likely used AI-generated code to obfuscate its payload and evade traditional defenses. Appearing to be aided by a large language model (LLM), the activity obfuscated its behavior within an SVG file, leveraging business terminology and a synthetic structure to disguise its malicious intent. In analyzing the malicious file, Microsoft Security Copilot assessed that the code was “not something a human would typically write from scratch due to its complexity, verbosity, and lack of practical utility.”"
https://www.microsoft.com/en-us/security/blog/2025/09/24/ai-vs-ai-detecting-an-ai-obfuscated-phishing-campaign/
https://www.bankinfosecurity.com/hackers-obfuscated-malware-verbose-ai-code-a-29541
- Inside Vietnamese Threat Actor Lone None’s Copyright Takedown-Spoofing Campaign
"Cofense Intelligence has been tracking a series of Copyright-themed campaigns conducted by the Lone None threat actor group, which has been seen delivering Pure Logs Stealer and a new Information Stealer that Cofense Intelligence is tracking as Lone None Stealer (also known as PXA Stealer). The campaign typically spoofs various legal firms claiming to request the takedown of copyright infringing content on the victim’s website or social media page. This campaign is notable for its novel use of a Telegram bot profile page to deliver its initial payload, obfuscated compiled Python script payloads, and evolving complexity as seen through multiple iterations of campaign samples. This Strategic Analysis will look at this campaign’s current TTPs (tactics, techniques, and procedures) and IOCs (indicators of compromise) while also highlighting how this campaign has evolved. While other similar Copyright-themed campaign samples seen delivering Pure Logs Stealer have been tracked by Cofense, this report will only cover those that are operated by Lone None."
https://cofense.com/blog/inside-vietnamese-threat-actor-lone-none-s-copyright-takedown-spoofing-campaign
- RedNovember Targets Government, Defense, And Technology Organizations
"In July 2024, Insikt Group publicly reported on TAG-100, a threat activity group conducting suspected cyber-espionage activity targeting high-profile government, intergovernmental, and private sector organizations globally using the open-source, multi-platform Go backdoor Pantegana. At the time, we did not attribute this activity to a particular country; however, after reviewing all available evidence, we assess that TAG-100 is highly likely a Chinese state-sponsored threat activity group. Accordingly, Insikt Group now tracks this group under the designation RedNovember."
https://www.recordedfuture.com/research/rednovember-targets-government-defense-and-technology-organizations
https://thehackernews.com/2025/09/chinese-hackers-rednovember-target.html
https://www.darkreading.com/threat-intelligence/chinese-apt-oss-pocs-spy-countries
- This Is How Your LLM Gets Compromised
"Plainly speaking, artificial intelligence is no longer a fringe technology. It has become a core component of modern business, from customer service chatbots to complex data analysis. We often treat the Large Language Models (LLMs) that are at the core of this technology as trusted black boxes. But like any software, they can be tampered with, manipulated, and turned against their creators. Understanding the ways an AI model can be compromised is the first step toward building a secure and resilient AI infrastructure."
https://www.trendmicro.com/en_us/research/25/i/prevent-llm-compromise.html
- Bookworm To Stately Taurus Using The Unit 42 Attribution Framework
"In the complex landscape of threat intelligence and research, understanding the tools used by threat actors is just as critical as identifying the actors themselves. How do we link specific malware to its operators? We present a case study that demonstrates the process using the Unit 42 Attribution Framework to analyze well-known malware and its ties to a formally named threat group. We examine Bookworm, a notable malware family used by Stately Taurus, a Chinese advanced persistent threat (APT) group active since at least 2012. This group conducts cyberespionage campaigns targeting government and commercial entities across Europe and Asia."
https://unit42.paloaltonetworks.com/bookworm-to-stately-taurus/
Breaches/Hacks/Leaks
- Auto Insurance Platform Exposed Over 5 Million Records Including Documents Containing PII
"Cybersecurity Researcher Jeremiah Fowler discovered and reported to Website Planet about an unencrypted and non-password-protected database that contained 5.1 million files totaling 10 TB. These included powers of attorney, vehicle registrations, estimates, repair invoices, and images of damaged vehicles with visible license plates and VIN numbers."
https://www.websiteplanet.com/news/claimpix-breach-report/
- Ransomware Gang Known For Government Attacks Claims Maryland Transit Incident
"One day after the Maryland Transit Administration confirmed that data was stolen during a cyberattack last month, a ransomware gang known for attacks on governments in the U.S. took credit for the incident. This week, the Maryland Transit Administration (MTA) provided an update on the situation, which came to light last month when Maryland officials said several state departments were dealing with a cyberattack affecting systems used to organize transportation for disabled people. On Monday, the MTA confirmed that data was lost during the cyberattack. MTA spokesperson Veronica Battisti would not say how many people were affected and told Recorded Future News the agency is “unable to disclose specific or additional details regarding what data has been lost because of the sensitivity of the ongoing investigation.”"
https://therecord.media/maryland-transit-administration-data-breach-claimed-ransomware-gang
General News
- Building a Stronger SOC Through AI Augmentation
"In this Help Net Security interview, Tim Bramble, Director of Threat Detection and Response at OpenText, discusses how SOC teams are gaining value from AI in detecting and prioritizing threats. By learning what “normal” looks like across users and systems, AI helps surface anomalies that rules-based methods often miss. Bramble explains that the greatest value comes from human-AI collaboration, with automation providing insights and analysts applying the judgment and context needed for action."
https://www.helpnetsecurity.com/2025/09/24/tim-bramble-opentext-ai-soc-value/
- APIs And Hardware Are Under Attack, And The Numbers Don’t Look Good
"Attackers have a new favorite playground, and it’s not where many security teams are looking. According to fresh data from Bugcrowd, vulnerabilities in hardware and APIs are climbing fast, even as website flaws hold steady. The shift shows how attackers are adapting to infrastructure, going after the hidden systems that keep businesses running. “We are in a high-stakes innovation race, but with every AI advance, the security landscape becomes exponentially more complex. Attackers are exploiting this complexity, but still targeting foundational layers like hardware and APIs. No single CISO can win this race alone. To thrive, we must move beyond isolated efforts and cultivate a collective resilience of collaboration—pooling our knowledge of the hacker community to outpace emerging threats together,” said Nicholas McKenzie, CISO, Bugcrowd."
https://www.helpnetsecurity.com/2025/09/24/api-hardware-vulnerabilities-attack/
- A Look Inside 1,000 Cyber Range Events And What They Reveal About AppSec
"Software powers almost every part of business, which means attackers have more chances than ever to exploit insecure code. A new report from CMD+CTRL Security looks at how teams are building their defenses through cyber range training. Based on more than 1,000 cyber range events and 600,000 completed challenges, the study shows where teams are improving and where important security skills are still missing."
https://www.helpnetsecurity.com/2025/09/24/appsec-cyber-range-training/
- USD 439 Million Recovered In Global Financial Crime Operation
"An INTERPOL-coordinated operation across 40 countries and territories has resulted in the recovery of USD 342 million in government-backed currencies, along with USD 97 million in physical and virtual assets. Operation HAECHI VI (April - August 2025) targeted seven types of cyber-enabled financial crimes: voice phishing, romance scams, online sextortion, investment fraud, money laundering associated with illegal online gambling, business email compromise and e-commerce fraud. Investigators worked together to detect and disrupt online fraud as well as money laundering activities, blocking over 68,000 associated bank accounts and freezing close to 400 cryptocurrency wallets."
https://www.interpol.int/News-and-Events/News/2025/USD-439-million-recovered-in-global-financial-crime-operation
https://www.bleepingcomputer.com/news/security/police-seizes-439-million-stolen-by-cybercrime-rings-worldwide/
https://therecord.media/anti-fraud-interpol-crackdown-recovers-over-400-million
- UK Arrest Following Aerospace Cyber Incident
"A man has been arrested in the UK by the National Crime Agency as part of an investigation into a cyber incident impacting Collins Aerospace. The incident, which was reported on 19 September, affected flights at Heathrow and other European airports over the weekend. NCA officers, supported by the South East ROCU, arrested a man in his forties in West Sussex yesterday evening on suspicion of Computer Misuse Act offences. He has been released on conditional bail."
https://www.nationalcrimeagency.gov.uk/news/uk-arrest-following-aerospace-cyber-incident
https://www.securityweek.com/european-airport-cyberattack-linked-to-obscure-ransomware-suspect-arrested/
https://www.bleepingcomputer.com/news/security/uk-arrests-suspect-for-rtx-ransomware-attack-causing-airport-disruptions/
https://therecord.media/uk-arrest-cyberattack-disruption-european-airports
https://www.bankinfosecurity.com/suspected-collins-aerospace-hacker-arrested-in-uk-a-29531
https://hackread.com/uk-arrest-cyberattack-disrupts-european-airports/
https://www.theregister.com/2025/09/24/uk_agency_makes_arrest_in/
- Feds Tie ‘Scattered Spider’ Duo To $115M In Ransoms
"U.S. prosecutors last week levied criminal hacking charges against 19-year-old U.K. national Thalha Jubair for allegedly being a core member of Scattered Spider, a prolific cybercrime group blamed for extorting at least $115 million in ransom payments from victims. The charges came as Jubair and an alleged co-conspirator appeared in a London court to face accusations of hacking into and extorting several large U.K. retailers, the London transit system, and healthcare providers in the United States. At a court hearing last week, U.K. prosecutors laid out a litany of charges against Jubair and 18-year-old Owen Flowers, accusing the teens of involvement in an August 2024 cyberattack that crippled Transport for London, the entity responsible for the public transport network in the Greater London area."
https://krebsonsecurity.com/2025/09/feds-tie-scattered-spider-duo-to-115m-in-ransoms/
https://databreaches.net/2025/09/24/feds-tie-scattered-spider-duo-to-115m-in-ransoms/
https://cyberscoop.com/thalha-jubair-uk-teen-scattered-spider-leader/
- The Ransomware Speed Crisis
"The dramatic acceleration of ransomware attacks now occurs at machine speed, completing in minutes rather than days. This shift is driven by AI-powered tactics and multi-extortion campaigns, rendering traditional human-driven security responses obsolete. There is a critical need for AI-powered detection, automated responses and eXtended Detection and Response (XDR) platforms to build speed-compatible defenses and protect against these evolving threats."
https://www.paloaltonetworks.com/blog/2025/09/ransomware-speed-crisis/
- Cyber Crooks Getting Younger — And More Dangerous
"In recent years, we’ve been seeing a troubling trend: the rise of young and very young cybercriminals. This phenomenon has been brought into sharp focus by the recent activities of the hacking group known as Scattered Spider. This group, composed of individuals as young as 16, has been linked to several high-profile cyberattacks, raising alarms about the increasing sophistication and boldness of young hackers."
https://blog.barracuda.com/2025/09/24/cyber-crooks-younger-more-dangerous
- Iframe Security Exposed: The Blind Spot Fueling Payment Skimmer Attacks
"Think payment iframes are secure by design? Think again. Sophisticated attackers have quietly evolved malicious overlay techniques to exploit checkout pages and steal credit card data by bypassing the very security policies designed to stop them. Payment iframes are being actively exploited by attackers using malicious overlays to skim credit card data. These pixel-perfect fake forms bypass traditional security, as proven by a recent Stripe campaign that has already compromised dozens of merchants."
https://thehackernews.com/2025/09/iframe-security-exposed-blind-spot.html
References
Electronic Transactions Development Agency (ETDA)