NCSA Webboard

    Cyber Threat Intelligence 06 October 2025

    Cyber Security News
    NCSA_THAICERT

      Industrial Sector

      • 180,000 ICS/OT Devices And Counting: The Unforgivable Exposure
        "Remember when ICS malware was “rare”? Last year we got two new families built for one thing: disruption. FrostyGoop and Fuxnet are not Mirai with a wrench taped on or your typical DDoS botnet. They were built to target and disable devices that use Meter-bus and Modbus protocols, inflicting maximum damage. If you still believe that “our PLCs aren’t on the Internet,” then this is your nudge to actually go and check."
        https://www.bitsight.com/blog/the-growing-exposure-of-ics-ot-devices
        https://hackread.com/180000-ics-ot-devices-safety-concerns/

      Vulnerabilities

      • Chrome 141 And Firefox 143 Patches Fix High-Severity Vulnerabilities
        "Google and Mozilla this week released Chrome and Firefox browser updates that address multiple high-severity vulnerabilities. Google promoted Chrome 141 to the stable channel with 21 security fixes, including 12 for security defects reported by external researchers, who earned a total of $50,000 for their findings. Two of the externally reported bugs, tracked as CVE-2025-11205 and CVE-2025-11206, are high-severity heap buffer overflow issues impacting Chrome’s WebGPU and Video components."
        https://www.securityweek.com/chrome-141-and-firefox-143-patches-fix-high-severity-vulnerabilities/
      • CometJacking Attack Tricks Comet Browser Into Stealing Emails
        "A new attack called 'CometJacking' exploits URL parameters to pass to Perplexity's Comet AI browser hidden instructions that allow access to sensitive data from connected services, like email and calendar. In a realistic scenario, no credentials or user interaction are required and a threat actor can leverage the attack by simply exposing a maliciously crafted URL to targeted users. Comet is an agentic AI browser that can autonomously browse the web and, depending on the access it has, assist users with various tasks, such as managing emails, shopping for specific products, filling forms, or booking tickets."
        https://www.bleepingcomputer.com/news/security/commetjacking-attack-tricks-comet-browser-into-stealing-emails/
        https://thehackernews.com/2025/10/cometjacking-one-click-can-turn.html

      Malware

      • Palo Alto Scanning Surges ~500% In 48 Hours, Marking 90-Day High
        "On October 3, 2025, GreyNoise observed a ~500% increase in IPs scanning Palo Alto Networks login portals, the highest level recorded in the past 90 days."
        https://www.greynoise.io/blog/palo-alto-scanning-surges
        https://www.bleepingcomputer.com/news/security/massive-surge-in-scans-targeting-palo-alto-networks-login-portals/
        https://thehackernews.com/2025/10/scanning-activity-on-palo-alto-networks.html
        https://securityaffairs.com/182939/hacking/greynoise-detects-500-surge-in-scans-targeting-palo-alto-networks-portals.html
      • Self-Propagating Malware Spreading Via WhatsApp, Targets Brazilian Users
        "Trend™ Research is currently investigating an aggressive malware campaign that leverages online instant messaging platform WhatsApp as its primary infection vector. Unlike traditional attacks focused on theft or ransomware, this campaign is engineered for speed and propagation, abusing social trust and automation to spread among Windows users. Trend Research analysis identifies the campaign as Water Saci, with the WhatsApp malware identified as SORVEPOTEL. Currently, it is most active in Brazil."
        https://www.trendmicro.com/en_us/research/25/j/self-propagating-malware-spreads-via-whatsapp.html
        https://thehackernews.com/2025/10/researchers-warn-of-self-spreading.html
      • Cavalry Werewolf Raids Russia’s Public Sector With Trusted Relationship Attacks
        "BI.ZONE Threat Intelligence recorded Cavalry Werewolf activity from May to August 2025. In order to gain initial access, the attackers sent out targeted phishing emails disguising them as official correspondence from Kyrgyz government officials. The main targets of the attacks were Russian state agencies, as well as energy, mining, and manufacturing enterprises. Cavalry Werewolf relied on the malware of its own design: FoalShell reverse shells and StallionRAT (remote access trojans) controlled via Telegram."
        https://bi.zone/eng/expertise/blog/cavalry-werewolf-atakuet-rossiyu-cherez-doveritelnye-otnosheniya-mezhdu-gosudarstvami/
        https://thehackernews.com/2025/10/new-cavalry-werewolf-attack-hits.html
      • WARMCOOKIE One Year Later: New Features And Fresh Insights
        "Elastic Security Labs continues to track developments in the WARMCOOKIE codebase, uncovering new infrastructure tied to the backdoor. Since our original post, we have been observing ongoing updates to the code family and continued activity surrounding the backdoor, including new infections and its use with emerging loaders. A recent finding by the IBM X-Force team highlighted a new Malware-as-a-Service (MaaS) loader, dubbed CASTLEBOT, distributing WARMCOOKIE. In this article, we will review new features added to WARMCOOKIE since its initial publication. Following this, we’ll present the extracted configuration information from various samples."
        https://www.elastic.co/security-labs/revisiting-warmcookie
      • 0day .ICS Attack In The Wild
        "Earlier in 2025, an apparent sender from 193.29.58.37 spoofed the Libyan Navy’s Office of Protocol to send a then-zero-day exploit in Zimbra’s Collaboration Suite, CVE-2025-27915, targeting Brazil’s military. This leveraged a malicious .ICS file, a popular calendar format. The exploitation of Zimbra, Roundcube, and similar open-source collaboration tools, directly over email, is rare. Although actors do compromise the servers in broad campaigns, and attackers frequently leverage these tools as lures, actually exploiting a vulnerability in them with an email attachment is a thread worth pulling on."
        https://strikeready.com/blog/0day-ics-attack-in-the-wild/
        https://www.bleepingcomputer.com/news/security/hackers-exploited-zimbra-flaw-as-zero-day-using-icalendar-files/
      • Ghost In The Cloud: Weaponizing AWS X-Ray For Command & Control
        "I’ve been using MeetC2 in my RedTeam campaigns for months now, and with the amazing feedback from the community, I planned to publish a new toolkit (XRayC2). I always enjoy working on initial access evasion against traditional network defenses. In this, we used AWS X-Ray, Amazon’s distributed application tracing service, as a covert communication channel. This technique leverages legitimate cloud monitoring infrastructure to establish bidirectional C2 communication."
        https://securityaffairs.com/182968/hacking/ghost-in-the-cloud-weaponizing-aws-x-ray-for-command-control.html

      Breaches/Hacks/Leaks

      • Discord Discloses Data Breach After Hackers Steal Support Tickets
        "Hackers stole partial payment information and personally identifiable data, including names and government-issued IDs, from some Discord users after compromising a third-party customer service provider. The attack occurred on September 20 and affected “a limited number of users” who interacted with Discord’s customer support and/or Trust and Safety teams. Discord was created as a communication platform for gamers, who represent more than 90% of the userbase, but expanded to various other communities, allowing text messages, voice chats, and video calls."
        https://www.bleepingcomputer.com/news/security/discord-discloses-data-breach-after-hackers-steal-support-tickets/
        https://hackread.com/discord-data-breach-hackers-ids-billing-support-chats/
      • Japanese Beer Giant Asahi Confirms Ransomware Attack
        "Japanese beer-making giant Asahi has disclosed today that a ransomware attack caused the IT disruptions that forced it to shut down factories this week. The Tokyo-based beverage holding company is the largest beer brewer in Japan, employing 30,000 people and producing 100 million hectoliters of beverages. The company also owns the Peroni, Pilsner Urquell, Grolsch, and Fullers brands, and it reported an annual revenue of nearly $20 billion in 2024. Asahi revealed in a statement today that a cyberattack disclosed on Monday led to the deployment of ransomware on its network and that a subsequent investigation has also found evidence of data theft from compromised devices."
        https://www.bleepingcomputer.com/news/security/japanese-beer-giant-asahi-confirms-ransomware-attack/
      • ShinyHunters Launches Salesforce Data Leak Site To Extort 39 Victims
        "An extortion group has launched a new data leak site to publicly extort dozens of companies impacted by a wave of Salesforce breaches, leaking samples of data stolen in the attacks. The threat actors responsible for these attacks claim to be part of the ShinyHunters, Scattered Spider, and Lapsus$ groups, collectively referring to themselves as "Scattered Lapsus$ Hunters." Today, they launched a new data leak site containing 39 companies impacted by the attacks. Each entry includes samples of data allegedly stolen from victims' Salesforce instances, and warns the victims to reach out to "prevent public disclosure" of their data before the October 10 deadline is reached."
        https://www.bleepingcomputer.com/news/security/shinyhunters-starts-leaking-data-stolen-in-salesforce-attacks/
        https://databreaches.net/2025/10/03/more-salesforce-customer-attacks-revealed-in-new-leak-site-by-scattered-lapsus-hunters/
        https://therecord.media/salesforce-scattered-spider-extortion-site
        https://www.darkreading.com/cyberattacks-data-breaches/scattered-lapsus-hunters-returns-salesforce-leak-site
        https://www.bankinfosecurity.com/ransomware-group-debuts-salesforce-customer-data-leak-site-a-29636
        https://hackread.com/scattered-lapsus-hunters-salesforce-breach/
        https://securityaffairs.com/182918/cyber-crime/shinyhunters-launches-data-leak-site-trinity-of-chaos-announces-new-ransomware-victims.html
      • Oracle Links Clop Extortion Attacks To July 2025 Vulnerabilities
        "Oracle has linked an ongoing extortion campaign claimed by the Clop ransomware gang to E-Business Suite (EBS) vulnerabilities that were patched in July 2025. While the company has yet to attribute the attack to this ransomware operation, Rob Duhart, the Chief Security Officer of Oracle, confirmed that customers had received extortion emails from the gang. Duhart also urged Oracle customers to update their software and advised those requiring further assistance to contact the Oracle support team."
        https://www.bleepingcomputer.com/news/security/oracle-links-clop-extortion-attacks-to-july-security-flaws/
        https://therecord.media/oracle-links-extortion-campaign-to-patched-vulnerabilities
        https://www.cybereason.com/blog/oracle-ebs-extortion-cl0p
        https://www.bankinfosecurity.com/oracle-sees-no-zero-day-exploits-tied-to-customer-extortion-a-29633
        https://www.infosecurity-magazine.com/news/hackers-flaws-oracle-ebs/
        https://www.securityweek.com/oracle-says-known-vulnerabilities-possibly-exploited-in-recent-extortion-attacks/
        https://www.theregister.com/2025/10/03/oracle_ebs_clop_extortion/
      • From Threats To Apology, Hackers Pull Child Data Offline After Public Backlash
        "Last week we yelled at some “hackers” that threatened parents after stealing data from their children’s nursery. This followed a BBC report that a group calling itself “Radiant” claimed to have stolen sensitive data related to around 8,000 children from nursery chain Kido, which operates in the UK, US, China, and India. To prove their possession of the data, the criminals posted samples on their darknet website, including pictures and profiles of ten children. They then issued a ransom demand to Kido, threatening to release more sensitive data unless they were paid."
        https://www.malwarebytes.com/blog/news/2025/10/from-threats-to-apology-hackers-pull-child-data-offline-after-public-backlash

      General News

      • When Loading a Model Means Loading An Attacker
        "You probably think twice before downloading a random app or opening an unfamiliar email attachment. But how often do you stop to consider what happens when your team downloads and loads a machine learning model? A recent study shows why you should. Researchers from Politecnico di Milano found that loading a shared model can be just as risky as running untrusted code. In their tests, they uncovered six previously unknown flaws in popular machine learning tools. Each one could let an attacker take control of a system the moment a model is loaded."
        https://www.helpnetsecurity.com/2025/10/03/research-ai-model-security-risks/
        https://arxiv.org/pdf/2509.06703
      • 4 Ways To Use Time To Level Up Your Security Monitoring
        "SIEMs excel at correlating events and firing alerts, but their ingest pipelines can get overwhelmed when scaled. And because most SIEMs rely on general-purpose log storage platforms, even with lower-cost archive tiers, long-term retention at full fidelity remains expensive, forcing teams to choose between visibility and budget. With AI making the threat landscape more complex and the government issuing mandates requiring companies to report incidents quickly, defenders need tools that help them spot and interpret events faster. The key to doing this is speaking a universal language: time. Time isn’t just a dimension of data. It’s the organizing principle of security operations, turning raw telemetry into a narrative that both humans and machine learning models can reason about."
        https://www.helpnetsecurity.com/2025/10/03/security-monitoring-system/
      • Passkeys Rise, But Scams Still Hit Hard In 2025
        "Americans are dealing with a growing wave of digital scams, and many are losing money in the process. According to the fourth annual Consumer Cyber Readiness Report, nearly half of U.S. adults have been targeted by cyberattacks or scams, and one in ten lost money as a result. The survey found that text and messaging apps have become a growing source of scams. Three in ten people who experienced a cyberattack or scam said it began with a text message or a messaging app like WhatsApp or iMessage. That is up sharply from 20 percent last year."
        https://www.helpnetsecurity.com/2025/10/03/digital-scam-trends-2025/
      • AI Hype Hits a Wall When The Data Doesn’t Deliver
        "Companies are pouring money into AI for IT operations, but most projects are still far from maturity. A global survey of 1,200 business leaders, IT leaders, and technical specialists found that while spending and confidence are rising, only 12% of AI initiatives have been fully deployed. The report, authored by Riverbed, suggests that optimism at the executive level is colliding with challenges in data quality, tool complexity, and everyday IT performance."
        https://www.helpnetsecurity.com/2025/10/03/it-operations-ai-strategies/
      • Manufacturing Under Fire: Strengthening Cyber-Defenses Amid Surging Threats
        "Manufacturers face a unique mix of risk: they have an extremely low tolerance for downtime, they sit at the heart of extensive and often complex supply chains, and their competitive advantage is often built on high-value intellectual property (IP), including proprietary designs and trade secrets. That’s a combination that should be ringing alarm bells for IT and security leaders working in the sector. Meanwhile, the nature of modern attacks has also become increasingly complex, sophisticated and relentless. Threat actors often combine technical exploits with social engineering and credential theft, and aim to remain undetected for long periods, gathering intelligence and mapping systems before striking."
        https://www.welivesecurity.com/en/business-security/manufacturing-fire-strengthening-cyber-defenses-surging-threats/

      Reference
      Electronic Transactions Development Agency (ETDA)
