Cyber Threat Intelligence 26 September 2025
Vulnerabilities
- Cisco Warns Of ASA Firewall Zero-Days Exploited In Attacks
"Cisco warned customers today to patch two zero-day vulnerabilities that are actively being exploited in attacks and impact the company's firewall software. The first one (CVE-2025-20333) allows authenticated, remote attackers to execute arbitrary code on devices running vulnerable Adaptive Security Appliance (ASA) and Firewall Threat Defense (FTD) software, while the second (CVE-2025-20362) enables remote attackers to access restricted URL endpoints without authentication. "The Cisco Product Security Incident Response Team (PSIRT) is aware of attempted exploitation of this vulnerability," the company warned in security advisories regarding the two zero-day flaws."
https://www.bleepingcomputer.com/news/security/cisco-warns-of-asa-firewall-zero-days-exploited-in-attacks/
https://thehackernews.com/2025/09/urgent-cisco-asa-zero-day-duo-under.html
- CISA Directs Federal Agencies To Identify And Mitigate Potential Compromise Of Cisco Devices
"Today, CISA issued Emergency Directive ED 25-03: Identify and Mitigate Potential Compromise of Cisco Devices to address vulnerabilities in Cisco Adaptive Security Appliances (ASA) and Cisco Firepower devices. CISA has added vulnerabilities CVE-2025-20333 and CVE-2025-20362 to the Known Exploited Vulnerabilities Catalog. The Emergency Directive requires federal agencies to identify, analyze, and mitigate potential compromises immediately."
https://www.cisa.gov/news-events/alerts/2025/09/25/cisa-directs-federal-agencies-identify-and-mitigate-potential-compromise-cisco-devices
https://www.cisa.gov/news-events/directives/ed-25-03-identify-and-mitigate-potential-compromise-cisco-devices
https://www.bleepingcomputer.com/news/security/cisa-orders-agencies-to-patch-cisco-flaws-exploited-in-zero-day-attacks/
https://therecord.media/cisco-asa-firewall-bugs-cisa-federal-agencies-warning
https://www.darkreading.com/vulnerabilities-threats/cisco-actively-exploited-zero-day-bugs-firewalls-ios
https://www.bankinfosecurity.com/feds-isolate-cisco-firewalls-to-defend-against-arcane-door-a-29568
https://cyberscoop.com/cisa-emergency-directive-cisco-zero-days/
https://securityaffairs.com/182593/hacking/u-s-cisa-adds-cisco-secure-firewall-asa-and-secure-ftd-flaws-to-its-known-exploited-vulnerabilities-catalog.html
- ForcedLeak: AI Agent Risks Exposed In Salesforce AgentForce
"This research outlines how Noma Labs discovered ForcedLeak, a critical severity (CVSS 9.4) vulnerability chain in Salesforce Agentforce that could enable external attackers to exfiltrate sensitive CRM data through an indirect prompt injection attack. This vulnerability demonstrates how AI agents present a fundamentally different and expanded attack surface compared to traditional prompt-response systems. Upon being notified of the vulnerability, Salesforce acted immediately to investigate and has since released patches that prevent output in Agentforce agents from being sent to untrusted URLs."
https://noma.security/blog/forcedleak-agent-risks-exposed-in-salesforce-agentforce/
https://thehackernews.com/2025/09/salesforce-patches-critical-forcedleak.html
https://www.infosecurity-magazine.com/news/critical-flaw-salesforce-agentforce/
https://hackread.com/forcedleak-salesforce-agentforce-ai-agent-crm-data/
https://www.securityweek.com/salesforce-ai-hack-enabled-crm-data-theft/
Malware
- Two Malicious Rust Crates Impersonate Popular Logger To Steal Wallet Keys
"Socket’s Threat Research Team identified two malicious Rust crates, faster_log and async_println, that impersonate the legitimate fast_log library. Published by the threat actor under the aliases rustguruman and dumbnbased, the crates include working logging code for cover and embed routines that scan source files for Solana and Ethereum private keys, then exfiltrate matches via HTTP POST to a hardcoded command and control (C2) endpoint (https://mainnet[.]solana-rpc-pool[.]workers[.]dev/). Combined, the two crates were downloaded 8,424 times and were published on May 25, 2025."
https://socket.dev/blog/two-malicious-rust-crates-impersonate-popular-logger-to-steal-wallet-keys
https://thehackernews.com/2025/09/malicious-rust-crates-steal-solana-and.html
https://www.bleepingcomputer.com/news/security/malicious-rust-packages-on-cratesio-steal-crypto-wallet-keys/
- First Malicious MCP In The Wild: The Postmark Backdoor That's Stealing Your Emails
"You know MCP servers, right? Those handy tools that let your AI assistant send emails, run database queries, basically handle all the tedious stuff we don't want to do manually anymore. Well, here's the thing not enough people talk about: we're giving these tools god-mode permissions. Tools built by people we've never met. People we have zero way to vet. And our AI assistants? We just... trust them. Completely. Which brings me to why I'm writing this. postmark-mcp - downloaded 1,500 times every single week, integrated into hundreds of developer workflows. Since version 1.0.16, it's been quietly copying every email to the developer's personal server. I'm talking password resets, invoices, internal memos, confidential documents - everything."
https://www.koi.security/blog/postmark-mcp-npm-malicious-backdoor-email-theft
https://www.bleepingcomputer.com/news/security/unofficial-postmark-mcp-npm-silently-stole-users-emails/
https://www.infosecurity-magazine.com/news/malicious-ai-agent-server/
- Microsoft Warns Of New XCSSET MacOS Malware Variant Targeting Xcode Devs
"Microsoft Threat Intelligence reports that a new variant of the XCSSET macOS malware has been detected in limited attacks, incorporating several new features, including enhanced browser targeting, clipboard hijacking, and improved persistence mechanisms. XCSSET is a modular macOS malware that acts as an infostealer and cryptocurrency stealer, stealing Notes, cryptocurrency wallets, and browser data from infected devices. The malware spreads by searching for and infecting other Xcode projects found on the device, so that the malware is executed when the project is built. "The XCSSET malware is designed to infect Xcode projects, typically used by software developers, and run while an Xcode project is being built," explains Microsoft."
https://www.bleepingcomputer.com/news/security/microsoft-warns-of-new-xcsset-macos-malware-variant-targeting-xcode-devs/
- Playing Offside: How Threat Actors Are Warming Up For FIFA 2026
"Every four years, the World Cup captures the attention of billions. With that attention comes opportunity – not only for sponsors, broadcasters, and legitimate merchants, but also for adversaries who see in this spectacle a marketplace of deception. As the 2026 FIFA World Cup approaches, the outlines of this parallel economy are already visible. In the span of two months since 1 August 2025, more than 4,300 newly registered domains bearing the language of FIFA, the World Cup, or its host cities have surfaced across the internet. On the surface, many of these domains appear innocuous. Yet, when examined collectively, they reveal something far more deliberate."
https://blog.checkpoint.com/executive-insights/playing-offside-how-threat-actors-are-warming-up-for-fifa-2026/
- Massive Npm Infection: The Shai-Hulud Worm And Patient Zero
"The modern development world is almost entirely dependent on third-party modules. While this certainly speeds up development, it also creates a massive attack surface for end users, since anyone can create these components. It is no surprise that malicious modules are becoming more common. When a single maintainer account for popular modules or a single popular dependency is compromised, it can quickly turn into a supply chain attack. Such compromises are now a frequent attack vector trending among threat actors. In the last month alone, there have been two major incidents that confirm this interest in creating malicious modules, dependencies, and packages."
https://securelist.com/shai-hulud-worm-infects-500-npm-packages-in-a-supply-chain-attack/117547/
- COLDRIVER Updates Arsenal With BAITSWITCH And SIMPLEFIX
"In September 2025, Zscaler ThreatLabz discovered a new multi-stage ClickFix campaign potentially targeting members of Russian civil society. Based on multiple overlapping tactics, techniques and procedures (TTPs), ThreatLabz attributes this campaign with moderate confidence to the Russia-linked advanced persistent threat (APT) group, COLDRIVER. COLDRIVER (also known as Star Blizzard, Callisto, and UNC4057) is a group known to leverage social-engineering techniques to target NGOs, think tanks, journalists, and human rights defenders, both in Western countries and in Russia. Historically, their primary attack vector is credential phishing. However, beginning in 2025, COLDRIVER added the ClickFix technique to their arsenal."
https://www.zscaler.com/blogs/security-research/coldriver-updates-arsenal-baitswitch-and-simplefix
- The SOC Case Files: Akira Ransomware Turns Victim’s Remote Management Tool On Itself
"Barracuda’s Managed XDR team recently mitigated an Akira ransomware attack that tried to evade detection by exploiting tools in the target’s infrastructure rather than bringing its own known arsenal, and disguising its malicious activity as everyday IT."
https://blog.barracuda.com/2025/09/25/soc-case-files-akira-ransomware-remote-management-tool
- DeceptiveDevelopment: From Primitive Crypto Theft To Sophisticated AI-Based Deception
"This blogpost introduces our latest white paper, presented at Virus Bulletin 2025, where we detail the operations of the North Korea-aligned threat actor we call DeceptiveDevelopment and its connections to North Korean IT worker campaigns. The white paper provides full technical details, including malware analysis, infrastructure, and OSINT findings. Here, we summarize the key insights and highlight the broader implications of this hybrid threat."
https://www.welivesecurity.com/en/eset-research/deceptivedevelopment-from-primitive-crypto-theft-to-sophisticated-ai-based-deception/
https://thehackernews.com/2025/09/north-korean-hackers-use-new-akdoortea.html
https://www.theregister.com/2025/09/25/lazarus_group_shares_malware_with_it_scammers/
https://www.helpnetsecurity.com/2025/09/25/north-korea-fake-profiles-crypto-theft/
- New LockBit 5.0 Targets Windows, Linux, ESXi
"Trend Research has identified and analyzed the source binaries of a new LockBit version in the wild, which is the latest from the group’s activities following the February 2024 law enforcement operation (Operation Cronos) that disrupted their infrastructure. In early September, the LockBit ransomware group reportedly resurfaced for their sixth anniversary, announcing the release of "LockBit 5.0". Trend Research discovered a binary available in the wild and began analysis that initially discovered a Windows variant and confirmed the existence of Linux and ESXi variants of LockBit 5.0."
https://www.trendmicro.com/en_us/research/25/i/lockbit-5-targets-windows-linux-esxi.html
- From Custom Scripts To Commodity RATs: A Threat Actor’s Evolution To PureRAT
"An investigation into what appeared at first glance to be a “standard” Python-based infostealer campaign took an interesting turn when it was discovered to culminate in the deployment of a full-featured, commercially available remote access trojan (RAT) known as PureRAT. This article analyses the threat actor’s combination of bespoke self-developed tooling with off-the-shelf malware. This campaign demonstrates a clear and deliberate progression, starting with a simple phishing lure and escalating through layers of in-memory loaders, defense evasion, and credential theft. The final payload, PureRAT, represents the culmination of this effort: a modular, professionally developed backdoor that gives the attacker complete control over a compromised host."
https://www.huntress.com/blog/purerat-threat-actor-evolution
https://www.infosecurity-magazine.com/news/vietnamese-threat-actor-python/
Breaches/Hacks/Leaks
- Home Healthcare Provider Exposed Nearly 150,000 Records Containing Patient Health Information
"Cybersecurity Researcher Jeremiah Fowler discovered and reported to Website Planet about an unencrypted and non-password-protected database that contained approximately 145k files (totaling 23 GB). These included assessments, home health certifications, plan of care documents, discharge forms, and internal documents exposing PHI."
https://www.websiteplanet.com/news/archer-health-breach-report/
https://www.bankinfosecurity.com/150000-records-home-health-care-firm-exposed-on-web-a-29565
- Volvo Group Employee Data Stolen In Ransomware Attack
"Truck, bus and industrial equipment maker Volvo Group North America is notifying current and former employees of a data breach involving third-party supplier Miljödata. A Swedish IT company, Miljödata fell victim to a ransomware attack in August. During the attack, the hackers stole personal information from Adato, a support system for rehabilitation, and Novi, a support system for HR personnel notes. The incident impacted approximately 25 private companies, including large companies such as Scandinavian airline SAS and metals company Boliden, and roughly 200 Swedish municipalities, including the country’s capital Stockholm."
https://www.securityweek.com/volvo-group-employee-data-stolen-in-ransomware-attack/
https://securityaffairs.com/182577/data-breach/volvo-north-america-disclosed-a-data-breach-following-a-ransomware-attack-on-it-provider-miljodata.html
- Callous Crims Break Into Preschool Network, Publish Toddlers' Data
"A cyber criminal crew has targeted Kido International, a preschool and daycare organization, leaking sensitive details about its pupils and their parents. To verify the authenticity of the leak, we called affected parents who confirmed to us that the organization was aware of the situation, and that it had made parents aware too. The ransomware crims, a new face known as the Radiant Group, claimed responsibility for the attack and this is the first leak on its dark web-based site."
https://www.theregister.com/2025/09/25/ransomware_gang_publishes_toddlers_images/
General News
- Teen Suspected Of Vegas Casino Cyberattacks Released To Parents
"A 17-year-old hacker who surrendered to face charges over cyberattacks targeting Vegas casinos in 2023 has been released into the custody of his parents, a family court judge ruled. The teenage boy, who is suspected to be part of the Scattered Spider threat group, has been imposed some restrictions that include limited use of the internet, phone, and electronics. Although the Las Vegas Metropolitan Police Department did not name the casinos targeted, it noted that the attacks occurred between August and October 2023 and described them as "sophisticated network intrusions" attributed to Scattered Spider."
https://www.bleepingcomputer.com/news/security/teen-suspected-of-vegas-casino-cyberattacks-released-to-parents/
https://www.reviewjournal.com/crime/courts/judge-orders-release-of-teen-accused-in-2023-casino-cyber-attacks-3465089/
- Co-Op Says It Lost $107 Million After Scattered Spider Attack
"The Co-operative Group in the U.K. released its interim financial results report for the first half of 2025 with a massive loss in operating profit of £80 million ($107 million) due to the cyberattack it suffered last April. The impact is analyzed into two categories, namely £20 million in one-off incremental costs and £60 million from lost sales while systems were offline. The cybersecurity incident also caused a reduction in revenue of £206 million ($277 million). Co-op states that it expects another £20 million in losses for the second half of the year, as recovery will continue."
https://www.bleepingcomputer.com/news/security/co-op-says-it-lost-107-million-after-scattered-spider-attack/
https://www.theregister.com/2025/09/25/empty_shelves_empty_coffers_coop/
https://www.infosecurity-magazine.com/news/co-op-206m-revenue-loss-cyber/
https://therecord.media/retailer-the-co-op-cyberattack-lost-revenue
- Contain Or Be Contained: The Security Imperative Of Controlling Autonomous AI
"Artificial intelligence is no longer a future concept; it is being integrated into critical infrastructure, enterprise operations and security missions around the world. As we embrace AI’s potential and accelerate its innovation, we must also confront a new reality: the speed of cybersecurity conflict now exceeds human capacity. The timescale for effective threat response has compressed from months or days to mere seconds. This acceleration requires removing humans from the tactical security loop. To manage this profound shift responsibly, we must evolve our thinking from abstract debates on “AI safety” to the practical, architectural challenge of “AI security.” The only way to harness the power of probabilistic AI is to ground it with deterministic controls."
https://cyberscoop.com/security-automonous-ai-threat-response/
- Tech Overtakes Gaming As Top DDoS Attack Target, New Gcore Radar Report Finds
"The latest Gcore Radar report analyzing attack data from Q1–Q2 2025, reveals a 41% year-on-year increase in total attack volume. The largest attack peaked at 2.2 Tbps, surpassing the 2 Tbps record in late 2024. Attacks are growing not only in scale but in sophistication, with longer durations, multi-layered strategies, and a shift in target industries. Technology now overtakes gaming as the most attacked sector, while the financial services industry continues to face heightened risks."
https://thehackernews.com/2025/09/tech-overtakes-gaming-as-top-ddos.html
https://gcore.com/resources/gcore-radar-attack-trends-q1-q2-2025
https://hackread.com/gcore-radar-report-reveals-41-surge-in-ddos-attack-volumes/
- Predicting DDoS Attacks: How Deep Learning Could Give Defenders An Early Warning
"Distributed denial-of-service (DDoS) attacks remain one of the most common and disruptive forms of cybercrime. Defenders have traditionally focused on detecting these attacks once they are underway. New research suggests that predicting DDoS attacks in advance may be possible, giving security teams a head start in planning their defenses. A new study outlines an approach to forecasting DDoS activity using deep learning. The researchers from Universiti Malaya and Universiti Teknikal Malaysia Melaka analyzed 192,525 DDoS attacks that took place between 2019 and 2021. Their goal was to determine whether patterns in past activity could be used to forecast upcoming surges."
https://www.helpnetsecurity.com/2025/09/25/deep-learning-predicting-ddos-attacks/
https://arxiv.org/pdf/2509.02076
- CSA Unveils SaaS Security Controls Framework To Ease Complexity
"Software as a Service (SaaS) is an increasingly favored method for delivering security solutions, but also an increasingly favored attackers’ playground. The cause of the latter may be the shared security responsibility model. Security for SaaS is delivered by the shared responsibility model. The provider is responsible for the security of the cloud – it secures the core application and the infrastructure it runs on. The customer is responsible for security in the cloud – their own data, user accounts and access, and correctly configuring the security settings offered by the individual provider."
https://www.securityweek.com/csa-unveils-saas-security-controls-framework-to-ease-complexity/
https://cloudsecurityalliance.org/download/artifacts/saas-security-capability-framework-sscf
https://www.helpnetsecurity.com/2025/09/25/csa-saas-security-capability-framework-sscf/
- GenAI Is Exposing Sensitive Data At Scale
"Sensitive data is everywhere and growing fast. A new report from Concentric AI highlights how unstructured data, duplicate files, and risky sharing practices are creating serious problems for security teams. The findings show how generative AI tools like Microsoft Copilot are adding complexity, while old problems like oversharing and poor data hygiene continue to create exposure."
https://www.helpnetsecurity.com/2025/09/25/generative-ai-data-risk-exposure/
- AI Is Rewriting The Rules Of Cyber Defense
"Enterprise security teams are underprepared to detect new, adaptive AI-powered threats. The study, published by Lenovo, surveyed 600 IT leaders across major markets and shows widespread concern about external and internal risks, along with low confidence in current defenses. More than six in ten IT leaders see cybercriminals using AI as a growing risk. AI-enhanced campaigns can adapt to defenses in real time, imitate normal user behavior, and operate across cloud, devices, and applications. Respondents admit that they are not confident they can defend against these techniques, which may include polymorphic malware, deepfake social engineering, and AI-powered brute-force attempts."
https://www.helpnetsecurity.com/2025/09/25/ai-powered-threats-protection/
- The State Of Cyber Resilience In India’s Supply Chains
"SecurityScorecard’s new research, Third-Party Cyber Risks to Global Supply Chains: An Assessment of Key Indian Suppliers, highlights the critical role India plays in powering global industries such as IT services, manufacturing, pharmaceuticals, and aerospace — and the heightened cyber risks these supplier ecosystems face."
https://securityscorecard.com/research/the-state-of-cyber-resilience-in-indias-supply-chains/
https://www.infosecurity-magazine.com/news/experts-global-breach-risk-indian/
- Domino Effect: How One Vendor's AI App Breach Toppled Giants
"The Salesloft-Drift breach wasn't just another data breach - it revealed how interconnected AI tools create cascading vulnerabilities across entire business ecosystems. What started as a compromise at a single AI chatbot provider triggered a devastating supply chain attack, impacting over 700 organizations globally, including cybersecurity industry leaders who sell the very solutions meant to prevent such incidents."
https://www.trendmicro.com/en_us/research/25/i/ai-app-breach.html
References
Electronic Transactions Development Agency (ETDA)