Cyber Threat Intelligence 29 September 2025
New Tooling
- Delinea Releases Free Open-Source MCP Server To Secure AI Agents
"AI agents are becoming more common in the workplace, but giving them access to sensitive systems can be risky. Credentials often get stored in plain text, added to prompts, or passed around without proper oversight. Delinea wants to fix that problem with its new open source Model Context Protocol (MCP) Server."
https://www.helpnetsecurity.com/2025/09/26/delinea-free-open-source-mcp-server/
https://github.com/DelineaXPM/delinea-mcp
Malware
- Is This Bad? This Feels Bad. (Fortra GoAnywhere CVE-2025-10035)
"File transfer used to be simple fun - fire up your favourite FTP client, log in to a glFTPd site, and you were done. Fast forward to 2025, and the same act requires a procurement team, a web interface, and a vendor proudly waving their Secure by Design pledge. Ever seen the glFTPd developers on the list of pledge signers? Exactly. Welcome back to another watchTowr Labs analysis. This time, we are dissecting CVE-2025-10035, a perfect CVSS 10.0 vulnerability in Fortra’s GoAnywhere MFT. For the uninitiated, GoAnywhere is a "secure" managed file transfer solution that automates and protects data exchange across enterprises, trading partners, and critical applications."
https://labs.watchtowr.com/is-this-bad-this-feels-bad-goanywhere-cve-2025-10035/
https://labs.watchtowr.com/it-is-bad-exploitation-of-fortra-goanywhere-mft-cve-2025-10035-part-2/
https://www.bleepingcomputer.com/news/security/maximum-severity-goanywhere-mft-flaw-exploited-as-zero-day/
https://thehackernews.com/2025/09/fortra-goanywhere-cvss-10-flaw.html
https://cyberscoop.com/goanywhere-vulnerability-active-exploitation-september-2025/
https://www.securityweek.com/recent-fortra-goanywhere-mft-vulnerability-exploited-as-zero-day/
https://securityaffairs.com/182647/hacking/hackers-exploit-fortra-goanywhere-flaw-before-public-alert.html
https://www.theregister.com/2025/09/26/an_apts_playground_goanywhere_perfect10/
https://www.helpnetsecurity.com/2025/09/26/fortra-goanywhere-zero-day-cve-2025-10035/
- SVG Phishing Hits Ukraine With Amatera Stealer, PureMiner
"FortiGuard Labs recently observed a phishing campaign designed to impersonate Ukrainian government agencies and deliver additional malware to targeted systems. The phishing emails contain malicious Scalable Vector Graphics (SVG) files designed to trick recipients into opening harmful attachments. When opened, the SVG initiates the download of a password-protected archive that contains a Compiled HTML Help (CHM) file. This CHM file triggers a chain of malicious actions through an HTML Application (HTA) CountLoader, ultimately installing multiple types of malware on the victim’s machine."
https://www.fortinet.com/blog/threat-research/svg-phishing-hits-ukraine-with-amatera-stealer-pureminer
https://thehackernews.com/2025/09/researchers-expose-svg-and-purerat.html
https://www.bankinfosecurity.com/phishing-campaign-lobs-malicious-svg-attachments-at-ukraine-a-29575
https://hackread.com/fake-ukraine-police-notices-amatera-stealer-pureminer/
- The Scam That Won’t Quit: Malicious “TradingView Premium” Ads Jump From Meta To Google And YouTube
"Over the past year, Bitdefender researchers have been monitoring a persistent malicious campaign that initially spread via Facebook Ads, promising “free access” to TradingView Premium and other trading or financial platforms. According to researchers at Bitdefender Labs, this campaign has now expanded beyond Meta platforms, infiltrating both YouTube and Google Ads, exposing content creators and regular users alike to increased risks."
https://www.bitdefender.com/en-us/blog/labs/the-scam-that-wont-quit-malicious-tradingview-premium-ads-jump-from-meta-to-google-and-youtube
https://hackread.com/tradingview-scam-expands-to-google-youtube/
- NCSC Warns Of Persistent Malware Campaign Targeting Cisco Devices
"Today (Thursday), the National Cyber Security Centre (NCSC) – a part of GCHQ – has issued further advice to help network defenders mitigate malicious targeting of certain Cisco devices. In a significant update on a previous malicious campaign exposed last year, Cisco has said the same threat actor has exploited new vulnerabilities in Cisco Adaptive Security Appliance (ASA) 5500-X Series devices to implant malware, execute commands, and potentially exfiltrate data from compromised devices. The NCSC is calling on network defenders using affected products to urgently investigate this activity and has published new analysis of the malware components – dubbed RayInitiator and LINE VIPER – to assist with detection and mitigation."
https://www.ncsc.gov.uk/news/persistent-malicious-targeting-cisco-devices
https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/RayInitiator-LINE-VIPER/ncsc-mar-rayinitiator-line-viper.pdf
https://www.theregister.com/2025/09/26/cisco_firewall_flaws/
https://securityaffairs.com/182639/hacking/uk-ncsc-warns-that-attackers-exploited-cisco-firewall-zero-days-to-deploy-rayinitiator-and-line-viper-malware.html
- HeartCrypt’s Wholesale Impersonation Effort
"Over the past year and a bit more, we’ve monitored a constellation of events that share a set of general attributes: Malware impersonating, subverting, and embedding itself in legitimate software applications, Position-independent loader code (PIC) injected near package entry points, overwriting the original code, Encrypted malicious payloads inserted as an additional resource, Use of a simple encryption algorithm (XOR), with a static key using ASCII characters, Payloads belonging to common RATs (remote-access Trojans) or credential/info stealer families, and Password-protected archives hosted in Google Drive (on a compromised account) and linked from email."
https://news.sophos.com/en-us/2025/09/26/heartcrypts-wholesale-impersonation-effort/
- Npm Account Hijacking And The Rise Of Supply Chain Attacks
"Software supply chain attacks, like the npm account hijacking, have become an increasingly common and potent threat. This trend is driven by two key factors: the interconnected nature of the modern software development ecosystem and the high level of trust placed in open-source components. A single compromised package in a public registry, like npm, can lead to a cascading attack that infects countless downstream applications and systems. It’s a "one-to-many" model that offers a highly efficient and scalable attack vector for adversaries. The recent surge in these attacks, such as those involving the Shai-Hulud malware, is not a new tactic but rather a sophisticated evolution of a long-standing threat."
https://www.trellix.com/blogs/research/npm-account-hijacking-and-the-rise-of-supply-chain-attacks/
- Malicious Teams Installers Drop Oyster Malware
"The Blackpoint SOC is tracking a new campaign where threat actors are abusing SEO poisoning and malvertising to lure users into downloading a fake Microsoft Teams installer. Victims searching for Teams online are redirected to rogue ads and fraudulent download pages, where they are offered a malicious MSTeamsSetup.exe instead of the legitimate client. This activity closely resembles tactics seen in earlier fake PuTTY campaigns, highlighting a recurring trend of adversaries weaponizing trusted software brands to gain initial access."
https://blackpointcyber.com/blog/malicious-teams-installers-drop-oyster-malware/
https://www.bleepingcomputer.com/news/security/fake-microsoft-teams-installers-push-oyster-malware-via-malvertising/
- XWorm RAT Delivered Via Shellcode: Multi-Stage Attack Analysis
"Remote Access Trojans (RATs) often remain quiet in the wild, employing increasingly stealthy methods to exfiltrate sensitive data. Latest trends show attackers follow either fileless or in-memory techniques (via shellcode or script loaders) to deliver and execute malware. This blog post drills into the trend of how attackers are using shellcode as an enabling technology for modern RAT campaigns. This example injects the XWorm RAT."
https://www.forcepoint.com/blog/x-labs/xworm-rat-shellcode-multi-stage-analysis
https://hackread.com/hackers-fake-invoices-xworm-rat-office-files/
- Smash And Grab: Aggressive Akira Campaign Targets SonicWall VPNs, Deploys Ransomware In An Hour Or Less
"In late July 2025, Arctic Wolf Labs began observing a surge of intrusions involving suspicious SonicWall SSL VPN activity. Malicious logins were followed within minutes by port scanning, Impacket SMB activity, and rapid deployment of Akira ransomware. Victims spanned across multiple sectors and organization sizes, suggesting opportunistic mass exploitation. This campaign has recently escalated, with new infrastructure linked to it observed as late as September 20, 2025."
https://arcticwolf.com/resources/blog/smash-and-grab-aggressive-akira-campaign-targets-sonicwall-vpns/
https://www.bleepingcomputer.com/news/security/akira-ransomware-breaching-mfa-protected-sonicwall-vpn-accounts/
Breaches/Hacks/Leaks
- Ransomware Attack On Ohio County Impacts Over 45,000 Residents, Employees
"Ransomware hackers stole Social Security numbers, financial information and more during a recent cyberattack on Union County in Ohio. The county government began sending out breach notifications to 45,487 local residents and county employees this week. The letters say ransomware was detected on the county’s network on May 18, prompting officials to hire cybersecurity experts and notify federal law enforcement agencies. The hackers stole documents that had names, Social Security numbers, driver’s license numbers, financial account information, fingerprint data, medical information, passport numbers and more."
https://therecord.media/ohio-ransomware-attack-impacts-45000
https://securityaffairs.com/182689/uncategorized/ohios-union-county-suffers-ransomware-attack-impacting-45000-people.html
- British Department Store Harrods Warns Customers That Some Personal Details Taken In Data Breach
"Harrods, the luxury British department store, has warned some customers that their personal data may have been taken in a breach of its online systems. The company said late Friday that some names and contact details of its online customers were taken after one of its third-party provider systems was compromised. “We have informed affected customers that the impacted personal data is limited to basic personal identifiers including name and contact details, but does not include account passwords or payment details,” it said in a statement. It added that the incident was “isolated” and has been contained, without providing more details."
https://www.securityweek.com/british-department-store-harrods-warns-customers-that-some-personal-details-taken-in-data-breach/
- Medusa Ransomware Claims Comcast Data Breach, Demands $1.2M
"The Medusa ransomware group is claiming responsibility for a ransomware attack on Comcast Corporation, a global media and technology company best known for its broadband, television, and film businesses. According to the group’s dark web leak site, they exfiltrated 834.4 gigabytes of data and are demanding $1.2 million for interested buyers to download it. The same sum has been set as ransom for Comcast if the company wants the data deleted rather than leaked or sold."
https://hackread.com/medusa-ransomware-comcast-data-breach/
General News
- Australia Ransomware Landscape 2025: Rich Targets Attract Ransomware Groups
"Australia’s rich resources and high median wealth make the country an attractive target for threat groups, and ransomware groups have taken notice. Ransomware groups have claimed 71 attacks on Australian organizations thus far in 2025, compared to just nine in New Zealand. Both countries have experienced significant ransomware attacks this year, however, and some with supply chain implications, so we discuss 10 significant recent incidents below involving both Australia and New Zealand."
https://cyble.com/blog/ransomware-groups-targets-australia-and-new-zealand/
- Inside The Economy Built On Stolen Credentials
"Instead of going after software flaws or network weaknesses, attackers are targeting something much easier to steal: identity credentials. A new report from BeyondID calls this growing black market the identity economy, where usernames, passwords, tokens, and access rights are bought and sold much like items on a regular online marketplace. For attackers, stolen credentials are a shortcut. They can skip firewalls and other defenses and go straight into corporate systems. This makes them the currency of choice in the cybercrime world and has created an underground market that is hard to shut down."
https://www.helpnetsecurity.com/2025/09/26/stolen-identity-cybercrime-economy/
- Ransomware Groups Are Multiplying, Raising The Stakes For Defenders
"Ransomware activity is climbing again, with a steep increase in the number of victims and the number of groups launching attacks. A new mid-year report from Searchlight Cyber shows how quickly the threat landscape is shifting and why CISOs need to keep adjusting their defenses. From January through June, ransomware groups listed 3,734 victims on their public extortion sites. This is a 20% increase over the last half of 2024 and a 67% jump compared to the same period last year."
https://www.helpnetsecurity.com/2025/09/26/report-2025-ransomware-attack-trends/
- Confronting The Dark Side Of GenAI: Recommendations For Business Leaders, CISOs And Security Teams
"As the threat landscape evolves with the emergence of malicious generative AI tools like Evil-GPT, WolfGPT, DarkBard and PoisonGPT, organizations must adopt a multi-pronged approach to confront AI-enabled threats. Here are strategic recommendations for security leaders to consider:"
https://blog.barracuda.com/2025/09/25/confronting-dark-side-genai-recommendations
- Detecting And Reducing Scheming In AI Models
"Together with Apollo Research, we developed evaluations for hidden misalignment (“scheming”) and found behaviors consistent with scheming in controlled tests across frontier models. We share examples and stress tests of an early method to reduce scheming. AI scheming–pretending to be aligned while secretly pursuing some other agenda–is a significant risk that we’ve been studying. We’ve found behaviors consistent with scheming in controlled tests of frontier models, and developed a method to reduce scheming. Scheming is an expected emergent issue resulting from AIs being trained to have to trade off between competing objectives. The easiest way to understand scheming is through a human analogy."
https://openai.com/index/detecting-and-reducing-scheming-in-ai-models/
https://www.antischeming.ai/
https://www.bankinfosecurity.com/lyin-cheatin-ai-models-playing-game-a-29579
- 260 Suspected Scammers Arrested In Pan-African Cybercrime Operation
"Authorities in 14 African countries have arrested 260 suspects and seized 1,235 electronic devices in a coordinated international operation against cyber-enabled crime. The crackdown targeted transnational criminal networks exploiting digital platforms, particularly social media, to manipulate victims and defraud them financially. Specifically, the operation focused on romance scams, where perpetrators build online relationships to extract money from victims, and sextortion, in which victims are blackmailed with explicit images or videos. During Operation Contender 3.0 (28 July - 11 August 2025), police identified IP addresses, digital infrastructures, domains and social media profiles linked to members of the scam syndicates. These leads and the subsequent arrests also resulted in the seizure of USB drives, SIM cards and forged documents, as well as the take down of 81 cybercrime infrastructures across Africa."
https://www.interpol.int/News-and-Events/News/2025/260-suspected-scammers-arrested-in-pan-African-cybercrime-operation
https://therecord.media/africa-cyber-fraud-crackdown-ghana-senegal-cote-divoire-angola-interpol
https://www.infosecurity-magazine.com/news/interpol-african-scamming-networks/
https://www.securityweek.com/interpol-says-260-suspects-in-online-romance-scams-have-been-arrested-in-africa/
- Teens Arrested By Dutch Police Reportedly Suspected Of Spying For Russia
"Two teenagers have been arrested in the Netherlands on suspicion of espionage, reportedly on behalf of pro-Russian hackers. The boys, both aged 17, were arrested on Monday. One has been remanded in custody while the other was released on home bail. Dutch prosecution service spokesperson Brechtje van de Moosdijk said the arrests were related to laws regarding state-sponsored interference, but said additional details would not be provided due to the age of the suspects and the ongoing investigation."
https://therecord.media/teens-arrested-netherlands-reportedly-suspected-cyber-espionage-russia
https://www.bleepingcomputer.com/news/security/dutch-teens-arrested-for-trying-to-spy-on-europol-for-russia/
References
Electronic Transactions Development Agency (ETDA)