Cyber Threat Intelligence 09 October 2025
New Tooling
- DefectDojo: Open-Source DevSecOps Platform
"DefectDojo is an open-source tool for DevSecOps, application security posture management (ASPM), and vulnerability management. It helps teams manage security testing, track and remove duplicate findings, handle remediation, and generate reports. Whether you’re a solo security practitioner or a CISO managing multiple teams, DefectDojo helps you organize your security work and report your organization’s security posture. At its core, it functions as a bug tracker for security vulnerabilities. It is designed to collect, organize, and standardize data from many different security tools."
https://www.helpnetsecurity.com/2025/10/08/defectdojo-open-source-devsecops-platform/
https://github.com/DefectDojo/django-DefectDojo
Vulnerabilities
- Attackers Actively Exploiting Critical Vulnerability In Service Finder Bookings Plugin
"On June 8th, 2025, we received a submission through our Bug Bounty Program for an Authentication Bypass vulnerability in Service Finder Bookings, a WordPress plugin bundled with the Service Finder theme. This theme has been sold to approximately 6,000 customers. This vulnerability makes it possible for an unauthenticated attacker to gain access to any account on a site including accounts with the ‘administrator’ role. The vendor released the patched version on July 17, 2025, and we publicly disclosed this vulnerability on July 31, 2025. Our records indicate that attackers started exploiting the issue the next day on August 1, 2025. The Wordfence Firewall has already blocked over 13,800 exploit attempts targeting this vulnerability."
https://www.wordfence.com/blog/2025/10/attackers-actively-exploiting-critical-vulnerability-in-service-finder-bookings-plugin/
https://www.bleepingcomputer.com/news/security/hackers-exploit-auth-bypass-in-service-finder-wordpress-theme/
- Framelink Figma MCP Server Opens Orgs To Agentic AI Compromise
"Model Context Protocol (MCP) servers, which are the glue that links AI agents with other enterprise systems, continue to pop up as potential chinks in the proverbial organizational armor. This week, researchers found a high-severity command injection bug in Framelink's MCP server for Figma that could lead to system compromise through remote code execution (RCE), especially in development environments where design tools are integrated with broader systems."
https://www.darkreading.com/vulnerabilities-threats/figma-mcp-server-agentic-ai-compromise
https://github.com/advisories/GHSA-gxw4-4fc5-9gr5
https://thehackernews.com/2025/10/severe-figma-mcp-vulnerability-lets.html
- How Your AI Chatbot Can Become a Backdoor
"Generative AI (GenAI), particularly large language model (LLM) chatbots, transformed how businesses interact with customers. These AI systems offer unprecedented efficiency and personalization. However, this power comes with a significant risk: they represent a sophisticated new attack surface that adversaries are actively exploiting. A compromised AI application can quickly escalate from a simple tool to a critical backdoor into your most sensitive data and infrastructure."
https://www.trendmicro.com/en_us/research/25/j/ai-chatbot-backdoor.html
Malware
- Cache Smuggling: When a Picture Isn’t a Thousand Words
"We observed a recent campaign innovating on the ClickFix attack formula. This campaign leveraged cache smuggling, which avoids explicitly downloading any malicious files in an attempt to reduce detection. The lure in this campaign is designed to look like a VPN compliance checking tool."
https://expel.com/blog/cache-smuggling-when-a-picture-isnt-a-thousand-words/
https://www.bleepingcomputer.com/news/security/new-filefix-attack-uses-cache-smuggling-to-evade-security-software/
https://www.helpnetsecurity.com/2025/10/08/clickfix-themed-phishing-kit/
- Crimson Collective: A New Threat Group Observed Operating In The Cloud
"Over the past few weeks, Rapid7 has observed increased activity of a new threat group attacking AWS cloud environments with the goal of data exfiltration and subsequent extortion of the victim. This threat group refers to itself as ‘Crimson Collective’ and has recently announced that it is behind an attack on Red Hat, wherein it claims to have stolen private repositories from Red Hat’s GitLab. Rapid7 observed the Crimson Collective in two cases in September. The threat group’s activity has been observed to start with compromising long-term access keys and leveraging privileges attached to the compromised IAM (Identity & Access Management) accounts. The threat group was observed creating new users and escalating privileges by attaching policies. When successful, the Crimson Collective performed reconnaissance to identify valuable data and exfiltrated them via AWS services. In case of the successful exfiltration of data, an extortion note is received by the victim."
https://www.rapid7.com/blog/post/tr-crimson-collective-a-new-threat-group-observed-operating-in-the-cloud/
https://www.bleepingcomputer.com/news/security/crimson-collective-hackers-target-aws-cloud-instances-for-data-theft/
https://www.darkreading.com/threat-intelligence/red-hat-hackers-team-up-scattered-lapsus-hunters
- The Crown Prince, Nezha: A New Tool Favored By China-Nexus Threat Actors
"If you have a web application online, you’re likely going to be attacked at some point. Threat actors exploit publicly-facing web applications for several reasons, including: gaining initial access to targeted environments, defacing websites, and performing strategic website compromises that are then used to target a specific set of individuals."
https://www.huntress.com/blog/nezha-china-nexus-threat-actor-tool
https://thehackernews.com/2025/10/chinese-hackers-weaponize-open-source.html
https://www.darkreading.com/cyberattacks-data-breaches/china-nexus-actors-nezha-open-source-tool
https://therecord.media/china-linked-hackers-target-asian-orgs-monitoring-tool
https://www.infosecurity-magazine.com/news/nezha-tool-used-new-cyber-campaign/
- The Evolution Of Chaos Ransomware: Faster, Smarter, And More Dangerous
"In 2025, Chaos ransomware resurfaced with a C++ variant. We believe this marks the first time it was not written in .NET. Beyond encryption and ransom demands, it adds destructive extortion tactics and clipboard hijacking for cryptocurrency theft. This evolution underscores Chaos's shift toward more aggressive methods, amplifying both its operational impact and the financial risk it poses to victims."
https://www.fortinet.com/blog/threat-research/evolution-of-chaos-ransomware-faster-smarter-and-more-dangerous
- Shuyal Stealer: Advanced Infostealer Targeting 19 Browsers
"Shuyal Stealer is a recently uncovered infostealer that pushes the boundaries of traditional browser-targeted malware. Unlike most variants that zero in on popular platforms like Chrome and Edge, Shuyal dramatically widens its scope by targeting 19 different browsers, making it far more versatile and dangerous in its data-harvesting capabilities. Beyond the usual theft of browser-stored credentials, Shuyal Stealer takes a more invasive approach by conducting deep system reconnaissance. It collects granular details about disk drives, input peripherals, and display setups. On top of that, it captures screenshots and clipboard contents, adding layers of context to the stolen data. All of this, including Discord tokens, is funneled out through a Telegram bot infrastructure, making Shuyal a highly efficient and stealthy data-exfiltration tool."
https://www.pointwild.com/threat-intelligence/shuyal-stealer-advanced-infostealer-targeting-19-browsers
https://hackread.com/shuyal-stealer-web-browsers-login-data-discord-tokens/
- Malvertising Campaign Hides In Plain Sight On WordPress Websites
"Recently, one of our customers noticed suspicious JavaScript loading across their WordPress website. Visitors were being served third-party scripts that the site owner never installed. After investigation, we discovered the infection originated from a malicious modification in the active theme’s functions.php file. This injected PHP code silently fetched external JavaScript from attacker-controlled domains and inserted it into the site’s front-end."
https://blog.sucuri.net/2025/10/malvertising-campaign-hides-in-plain-sight-on-wordpress-websites.html
https://thehackernews.com/2025/10/hackers-exploit-wordpress-themes-to.html
- Russian Hackers Turn To AI As Old Tactics Fail, Ukrainian CERT Says
"Russian hackers are increasingly using artificial intelligence and adopting new tactics in cyberattacks against Ukraine as Kyiv’s defenses grow stronger, Ukrainian government researchers said in a new report. Since Russia’s invasion in 2022, cyberattacks on Ukraine have continued to rise, surpassing 3,000 cases in the first half of this year — about 20 percent more than the same period last year. At the same time, the number of high-impact incidents has declined as Ukraine’s defenses improve. That progress has forced Russian hackers to abandon outdated tactics, automate more of their operations and increasingly experiment with AI-generated malware, according to Ukraine’s computer emergency response team, CERT-UA."
https://therecord.media/russian-hackers-turn-to-ai-ukraine-cert
- The ClickFix Factory: First Exposure Of IUAM ClickFix Generator
"Attackers are packaging a highly effective social engineering technique known as ClickFix into easy-to-use phishing kits, making it accessible to a wider range of threat actors. This technique tricks victims into bypassing security measures by manually executing malware, typically information stealers and remote access Trojans (RATs). The commoditization of this technique follows the trend of phishing-as-a-service, lowering the skill and effort required to conduct successful attacks."
https://unit42.paloaltonetworks.com/clickfix-generator-first-of-its-kind/
Breaches/Hacks/Leaks
- Major US Law Firm Says Hackers Broke Into Attorneys’ Email Accounts
"Law firm Williams & Connolly on Tuesday said that suspected nation-state hackers recently used a zero-day attack to break into email accounts belonging to a small number of attorneys. The threat actor involved is believed to be the same one who has recently attacked other law firms and companies, Williams & Connolly said in a statement. While the firm did not specify which nation-state it believes the hacker is affiliated with, The New York Times reported that sources have said it is China."
https://therecord.media/us-law-firm-hackers-breached-email
- Hackers Claim Discord Breach Exposed Data Of 5.5 Million Users
"Discord says they will not be paying threat actors who claim to have stolen the data of 5.5 million unique users from the company's Zendesk support system instance, including government IDs and partial payment information for some people. The company is also pushing back on claims that 2.1 million photos of government IDs were disclosed in the breach, stating that approximately 70,000 users had their government ID photos exposed. While the attackers claim the breach occurred through Discord's Zendesk support instance, the company has not confirmed this and only described it as involving a third-party service used for customer support."
https://www.bleepingcomputer.com/news/security/hackers-claim-discord-breach-exposed-data-of-55-million-users/
General News
- Rethinking AI Security Architectures Beyond Earth
"If you think managing cloud security is complex, try doing it across hundreds of satellites orbiting the planet. Each one is a moving endpoint that must stay secure while communicating through long, delay-prone links. A new study explores how AI could automate security for space systems and whether the best approach is to centralize control or spread it out."
https://www.helpnetsecurity.com/2025/10/08/centralized-vs-decentralized-security-space/
- Developing Economies Are Falling Behind In The Fight Against Cybercrime
"Cybercrime is a global problem, but not every country is equally equipped to fight it. In many developing economies, cybersecurity is still seen as a luxury, something nice to have when budgets allow. That means little investment in tools, training, or talent. At the same time, limited job opportunities and high unemployment make cybercrime an appealing alternative for some. When income matters more than how it’s earned, online crime can look like an easy way out."
https://www.helpnetsecurity.com/2025/10/08/developing-countries-fight-cybercrime/
- London Police Arrest Suspects Linked To Nursery Breach, Child Doxing
"The UK Metropolitan Police has arrested two suspects following an investigation into the doxing of children online after a ransomware attack on a chain of London-based nurseries. The 17-year-old suspects were taken into custody at their homes in Bishop's Stortford, Hertfordshire, on suspicion of blackmail and computer misuse. While the Met didn't share more details on the cyberattack, the details align with a September 25 attack that targeted the systems of the Kido nursery chain in Greater London. Kido International's nurseries and preschools are trusted by over 15,000 families across the United Kingdom, the United States, India, and China."
https://www.bleepingcomputer.com/news/security/london-police-arrests-suspects-linked-to-nursery-breach-child-doxing/
https://therecord.media/kido-nursery-school-chain-hack-arrests-britain
https://www.infosecurity-magazine.com/news/met-police-arrest-two-teens-kido/
https://hackread.com/uk-police-arrest-teens-kido-nursery-ransomware-attack/
- Ransomware And Cyber Extortion In Q3 2025
"Ransomware threats reached a tipping point in Q3 2025, driven by major developments across the ecosystem. The hacking collective “Scattered Spider” teased its first ransomware-as-a-service (RaaS) offering, while long-standing ransomware operator “LockBit” announced its intent to target critical infrastructure through its new affiliate program. Meanwhile, a powerful alliance between leading ransomware groups has raised the stakes for organizations worldwide. Adding to the tumult, the number of data-leak sites hit a record high, with emerging groups expanding into new regions and industries."
https://reliaquest.com/blog/threat-spotlight-ransomware-and-cyber-extortion-in-q3-2025
https://thehackernews.com/2025/10/lockbit-qilin-and-dragonforce-join.html
https://www.darkreading.com/cyberattacks-data-breaches/extortion-gangs-join-forces-ransomware-cartel
https://securityaffairs.com/183119/cyber-crime/dragonforce-lockbit-and-qilin-a-new-triad-aims-to-dominate-the-ransomware-landscape.html
- Digital Fraud Costs Companies Worldwide 7.7% Of Annual Revenue
"A sharp rise in digital fraud is costing companies worldwide an average of 7.7% of annual revenue, according to TransUnion’s H2 2025 Update: Top Fraud Trends report. The study, published today, estimates that businesses lost a combined $534bn over the past year, based on surveys of 1200 business leaders across six countries."
https://www.infosecurity-magazine.com/news/digital-fraud-costs-companies/
- What To Do When You Click On a Suspicious Link
"October is Cybersecurity Awareness Month, and as the tech-savvy friend or family member, people probably come to you for advice. One of the most common questions is: “I clicked a suspicious link. What do I do now?” Don’t worry — panic won’t help, but a calm, step-by-step response will. Share this guide with your loved ones so everyone knows exactly how to respond and stay safe. If you clicked the link on a work device, immediately contact IT support and follow their instructions. Companies often have specific policies and tools to investigate and remediate security incidents. Quick reporting helps protect both you and your organization."
https://blog.talosintelligence.com/what-to-do-when-you-click-on-a-suspicious-link/
References
Electronic Transactions Development Agency (ETDA)