NCSA Webboard
    Cyber Threat Intelligence 27 October 2025

    Cyber Security News
      Posted by NCSA_THAICERT

      Financial Sector

      • AI For The Financial Sector: How Strategy Consulting Helps You Navigate Risk
        "The financial industry is transforming as artificial intelligence (AI) is becoming an integral tool for managing operations, improving decision-making, and mitigating risks. AI for finance is rapidly changing how financial institutions operate, offering opportunities to streamline processes, enhance customer service, and manage risks more effectively. With the rise of AI in finance, financial institutions can now leverage data-driven insights and sophisticated algorithms to make better decisions, detect fraudulent activity, and improve overall efficiency."
        https://hackread.com/ai-financial-sector-consulting-navigate-risk/

      New Tooling

      • Proofpoint Releases Innovative Detections For Threat Hunting: PDF Object Hashing
        "The PDF format is widely used by threat actors to kickstart malicious activity. In email campaigns, Proofpoint researchers observe PDFs distributed in many ways. For example, threat actors often distribute PDFs that contain URLs leading to malware or credential phishing; PDFs with QR codes leading to malicious web pages; or PDFs with fake banking details or invoices to enable business email compromise (BEC) activity."
        https://www.proofpoint.com/us/blog/threat-insight/proofpoint-releases-innovative-detections-threat-hunting-pdf-object-hashing
        https://github.com/EmergingThreats/pdf_object_hashing

      Vulnerabilities

      • Windows Server Emergency Patches Fix WSUS Bug With PoC Exploit
        "Microsoft released an update to address a critical remote code execution vulnerability impacting Windows Server Update Service (WSUS) in Windows Server (2012, 2016, 2019, 2022, and 2025), CVE-2025-59287, that a prior update did not fully mitigate."
        https://www.bleepingcomputer.com/news/security/microsoft-releases-windows-server-emergency-updates-for-critical-wsus-rce-flaw/
        https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59287
        https://thehackernews.com/2025/10/microsoft-issues-emergency-patch-for.html
        https://www.darkreading.com/vulnerabilities-threats/microsoft-emergency-patch-windows-server-bug
        https://www.cisa.gov/news-events/alerts/2025/10/24/microsoft-releases-out-band-security-update-mitigate-windows-server-update-service-vulnerability-cve
        https://www.securityweek.com/critical-windows-server-wsus-vulnerability-exploited-in-the-wild/
        https://www.helpnetsecurity.com/2025/10/24/wsus-vulnerability-cve-2025-59287-exploited/
        https://www.theregister.com/2025/10/24/windows_server_patch/
        https://securityaffairs.com/183830/security/cve-2025-59287-microsoft-fixes-critical-wsus-flaw-under-active-attack.html
      • CISA Adds Two Known Exploited Vulnerabilities To Catalog
        "CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
        CVE-2025-54236 Adobe Commerce and Magento Improper Input Validation Vulnerability
        CVE-2025-59287 Microsoft Windows Server Update Service (WSUS) Deserialization of Untrusted Data Vulnerability"
        https://www.cisa.gov/news-events/alerts/2025/10/24/cisa-adds-two-known-exploited-vulnerabilities-catalog
        https://securityaffairs.com/183815/security/u-s-cisa-adds-microsoft-wsus-and-adobe-commerce-and-magento-open-source-flaws-to-its-known-exploited-vulnerabilities-catalog.html
      • Sneaky Mermaid Attack In Microsoft 365 Copilot Steals Data
        "Microsoft fixed a security hole in Microsoft 365 Copilot that allowed attackers to trick the AI assistant into stealing sensitive tenant data – like emails – via indirect prompt injection attacks. But the researcher who found and reported the bug to Redmond won't get a bug bounty payout, as Microsoft determined that M365 Copilot isn't in-scope for the vulnerability reward program. The attack uses indirect prompt injection – embedding malicious instructions into a prompt that the model can act upon, as opposed to direct prompt injection, which involves someone directly submitting malicious instructions to an AI system."
        https://www.theregister.com/2025/10/24/m365_copilot_mermaid_indirect_prompt_injection/
        https://www.adamlogue.com/microsoft-365-copilot-arbitrary-data-exfiltration-via-mermaid-diagrams-fixed/
      • OpenAI Atlas Omnibox Prompt Injection: URLs That Become Jailbreaks
        "Agentic browsing is powerful—and risky—when user intent and untrusted content collide. In OpenAI Atlas, the omnibox (combined address/search bar) interprets input either as a URL to navigate to, or as a natural-language command to the agent. We’ve identified a prompt injection technique that disguises malicious instructions to look like a URL, but that Atlas treats as high-trust “user intent” text, enabling harmful actions. The core failure mode in agentic browsers is the lack of strict boundaries between trusted user input and untrusted content. Here we show how a crafted, URL-like string can cross that boundary and turn the omnibox into a jailbreak vector."
        https://neuraltrust.ai/blog/openai-atlas-omnibox-prompt-injection
        https://www.securityweek.com/chatgpt-atlas-omnibox-is-vulnerable-to-jailbreaks/

      Malware

      • Mass Exploit Campaign Targeting Arbitrary Plugin Installation Vulnerabilities
        "On September 25th, 2024, and on October 3rd, 2024, we received submissions through our Bug Bounty Program for Arbitrary Plugin Installation vulnerabilities in the GutenKit and Hunk Companion WordPress plugins, which have over 40,000 and 8,000 active installations, respectively. These vulnerabilities make it possible for unauthenticated threat actors to install and activate arbitrary plugins, which can be leveraged to achieve remote code execution. Our records indicate that attackers most recently started mass exploiting the issues again on October 8th, 2025 (approximately one year later), following several earlier incidents of large-scale exploitation. The Wordfence Firewall has already blocked over 8,755,000 exploit attempts targeting these vulnerabilities."
        https://www.wordfence.com/blog/2025/10/mass-exploit-campaign-targeting-arbitrary-plugin-installation-vulnerabilities/
        https://www.bleepingcomputer.com/news/security/hackers-launch-mass-attacks-exploiting-outdated-wordpress-plugins/
      • Critical WSUS Flaw In Windows Server Now Exploited In Attacks
        "Attackers are now exploiting a critical-severity Windows Server Update Service (WSUS) vulnerability, which already has publicly available proof-of-concept exploit code. Tracked as CVE-2025-59287, this remote code execution (RCE) flaw affects only Windows servers with the WSUS Server role enabled to act as an update source for other WSUS servers within the organization (a feature that isn't enabled by default). Threat actors can exploit this vulnerability remotely in low-complexity attacks that don't require privileges or user interaction, allowing them to run malicious code with SYSTEM privileges. Under these conditions, the security flaw could also be potentially wormable between WSUS servers."
        https://www.bleepingcomputer.com/news/security/hackers-now-exploiting-critical-windows-server-wsus-flaw-in-attacks/
      • Possible CryptoChameleon Social Engineering Campaign Targeting LastPass Customers, Crypto Exchange Customers, Passkeys, And More
        "LastPass would like to alert our customers of a current phishing campaign that began in mid-October targeting our users, which has been associated with crypto theft. These phishing emails are being spoofed to appear as if they are coming from the email address “alerts@lastpass[.]com” with the subject line “Legacy Request Opened (URGENT IF YOU ARE NOT DECEASED).”"
        https://blog.lastpass.com/posts/possible-cryptochameleon-social-engineering-campaign-targeting-lastpass-customers-and-more
        https://www.bleepingcomputer.com/news/security/fake-lastpass-death-claims-used-to-breach-password-vaults/
      • Baohuo, The Gray Eminence. Android Backdoor Hijacks Telegram Accounts, Gaining Complete Control Over Them
        "Doctor Web has identified a dangerous backdoor, Android.Backdoor.Baohuo.1.origin, in maliciously modified versions of the Telegram X messenger. In addition to being able to steal confidential data, including user logins and passwords, as well as chat histories, this malware has a number of unique features. For example, to prevent itself from being detected and to cover up the fact that an account has been compromised, Android.Backdoor.Baohuo.1.origin can conceal connections from third-party devices in the list of active Telegram sessions. Moreover, it can add and remove the user from Telegram channels and also join and leave chats on behalf of the victim, also concealing these actions."
        https://news.drweb.com/show/?i=15076&lng=en
        https://hackread.com/baohuo-android-malware-telegram-x-hijacks-accounts/
      • Cyberattack On Russia’s Food Safety Agency Reportedly Disrupts Product Shipments
        "A cyberattack on Russia’s agricultural and food safety watchdog earlier this week disrupted food shipments across the country, local media reported. The state agency, Rosselkhoznadzor, said it was targeted by a large-scale distributed denial-of-service (DDoS) attack on Wednesday that affected its online infrastructure, including “VetIS” and “Saturn” — systems that track the movement of agricultural products and chemicals."
        https://therecord.media/russia-food-safety-agency-rosselkhoznadzor-ddos-attack
        https://securityaffairs.com/183845/security/russian-rosselkhoznadzor-hit-by-ddos-attack-food-shipments-delayed.html
      • Warlock Ransomware: Old Actor, New Tricks?
        "The Warlock ransomware first appeared in June 2025 and made an impact weeks later, after attackers deploying it were discovered exploiting the ToolShell zero-day vulnerability in Microsoft SharePoint (CVE-2025-53770) on July 19, 2025. Warlock is an unusual threat. Unlike many ransomware operations, which are headquartered in Russia or other countries in the Commonwealth of Independent States, Warlock appears to be used by a group based in China. And, while its name is new, its origins appear to date back much further, with links to a diverse range of activity."
        https://www.security.com/threat-intelligence/warlock-ransomware-origins
      • CoPhish: Using Microsoft Copilot Studio As a Wrapper For OAuth Phishing
        "Copilot Studio links look benign, but they can host content to redirect users to arbitrary URLs. One example of this is the built-in "Login" button, which allows delivery of OAuth phishing attacks. Copilot Studio also makes it easier for attackers to perform malicious actions or exfiltrate tokens. For example, a Copilot Studio agent can exfiltrate the user's token to a malicious URL after an OAuth phishing attack. This scenario is an example of why it’s important to treat new cloud services with caution, especially when they include content that end users can modify."
        https://securitylabs.datadoghq.com/articles/cophish-using-microsoft-copilot-studio-as-a-wrapper/
        https://www.bleepingcomputer.com/news/security/new-cophish-attack-steals-oauth-tokens-via-copilot-studio-agents/

      Breaches/Hacks/Leaks

      • Everest Ransomware Claims AT&T Careers Breach With 576K Records
        "A listing on the dark web data leak site run by the Everest ransomware group claims it holds 576,686 personal records linked to AT&T Careers, the telecom giant’s official job and recruitment platform, where applicants and employees apply for roles, submit resumes, and manage career-related information. The listing appeared on October 21, and the group claims there are four days remaining before the data is publicly released. Uniquely, the entry is locked behind a password and instructs the company representative to “follow instructions” before time runs out."
        https://hackread.com/everest-ransomware-att-careers-breach/
      • Everest Ransomware Says It Stole 1.5M Dublin Airport Passenger Records
        "Today, the Everest ransomware group published listings for two new victims, Dublin Airport and Air Arabia, on its dark web leak site. This announcement comes just days after the group claimed responsibility for breaching AT&T Careers, alleging the theft of 576,000 records containing personal details of applicants and employees. Like the AT&T listing, both the Dublin Airport and Air Arabia entries are password-protected. This means the information is locked behind a password and instructs company representatives to “follow instructions” before a deadline expires. The password protection suggests that the full dataset is not yet available for public download or preview and that Everest is restricting access under certain conditions."
        https://hackread.com/everest-ransomware-dublin-airport-passenger-data/
      • Safepay Ransomware Group Claims The Hack Of Professional Video Surveillance Provider Xortec
        "The Safepay group claimed responsibility for hacking German video surveillance provider Xortec and listed the company on its data leak site. The ransomware payment deadline is October 27, 2025. Xortec GmbH, based in Frankfurt with offices across Germany, is a value-added distributor and systems integrator specializing in video surveillance, IP networking, and security solutions. It provides cameras, NVRs, access control, cabling, and consulting for enterprise and installer clients. Acquired by Beyond Capital Partners in 2021, Xortec is a fast-growing B2B firm with several dozen employees and an annual revenue of over €7.5 million, driven by large installation projects."
        https://securityaffairs.com/183868/malware/safepay-ransomware-group-claims-the-hack-of-professional-video-surveillance-provider-xortec.html

      General News

      • Hackers Earn $1,024,750 For 73 Zero-Days At Pwn2Own Ireland
        "The Pwn2Own Ireland 2025 hacking competition has ended with security researchers collecting $1,024,750 in cash awards after exploiting 73 zero-day vulnerabilities. At Pwn2Own Ireland 2025, competitors targeted products in eight categories, including printers, network storage systems, messaging apps, smart home devices, surveillance equipment, home networking equipment, flagship smartphones (Apple iPhone 16, Samsung Galaxy S25, and Google Pixel 9), and wearable technology (including Meta's Ray-Ban Smart Glasses and Quest 3/3S headsets)."
        https://www.bleepingcomputer.com/news/security/hackers-earn-1-024-750-for-73-zero-days-at-pwn2own-ireland/
        https://www.securityweek.com/pwn2own-whatsapp-hacker-says-exploit-privately-reported-to-meta/
        https://www.securityweek.com/1m-whatsapp-hack-flops-only-low-risk-bugs-disclosed-to-meta-after-pwn2own-withdrawal/
        https://securityaffairs.com/183810/hacking/summoning-team-won-master-of-pwn-as-pwn2own-ireland-rewards-1024750.html
        https://hackread.com/pwn2own-ireland-2025-hacks-winners-payouts/
      • Infostealers Run Wild
        "Credential theft driven by infostealers is reaching epidemic proportions as hackers adapt to more robust countermeasures by infecting corporations with malware that steals session cookies, allowing threat actors to bypass multifactor authentication. Threat intelligence firm Flashpoint estimated 5.8 million hosts and devices were infected by infostealers and over 1.8 billion credentials harvested during the first half of this year. Those credentials now circulate on illicit marketplaces and fuel identity-based attacks."
        https://www.bankinfosecurity.com/infostealers-run-wild-a-29823
      • AI 2030: The Coming Era Of Autonomous Cyber Crime
        "Organizations around the world are rapidly adopting AI, including across the enterprise, where it is already providing significant efficiency gains. As a result, cyber security is entering a turning point where AI fights AI. The phishing scams and deepfakes of today are only precursors to a coming era of autonomous, self-optimizing AI threat actors. Systems that can plan, execute, and refine attacks with limited human oversight or even none at all."
        https://blog.checkpoint.com/executive-insights/ai-2030-the-coming-era-of-autonomous-cyber-crime/
      • Shifting From Reactive To Proactive: Cyber Resilience Amid Nation-State Espionage
        "In recent years, the cybersecurity industry has made significant strides in securing endpoints with advanced Endpoint Detection and Response (EDR) solutions, and we have been successful in making life more difficult for our adversaries. While this progress is a victory, it has also produced a predictable and dangerous consequence where threat actors are shifting their focus to the network perimeter, a domain often plagued by technical debt and forgotten hardware."
        https://cyberscoop.com/proactive-cyber-defense-forgotten-devices-op-ed/
      • Newcomers Fuel Ransomware Explosion In 2025 As Old Groups Fade
        "Despite major changes in the leading ransomware groups, ransomware attacks have surged 50% in 2025, as cybercriminals have proven adept at finding new opportunities and exploiting vulnerabilities. Ransomware attacks were up 50% in 2025 through October 21, according to Cyble data, rising to 5,010 from 3,335 in the same period of 2024. Cyble’s data is based on ransomware group claims on their dark web data leak sites. From the decline of RansomHub to the rise of Qilin and newcomers like Sinobi and The Gentlemen, ransomware group leadership has been in flux for much of 2025, but affiliates have been quick to find new opportunities, and a steady supply of critical vulnerabilities has helped fuel attacks."
        https://cyble.com/blog/ransomware-attacks-surge-50-percent/
      • When AI Writes Code, Humans Clean Up The Mess
        "AI coding tools are reshaping how software is written, tested, and secured. They promise speed, but that speed comes with a price. A new report from Aikido Security shows that most organizations now use AI to write production code, and many have seen new vulnerabilities appear because of it. The study surveyed 450 professionals across the US and Europe, including developers, application security engineers, and security leaders. The results show that AI is moving fast inside software teams, but the security guardrails have not caught up."
        https://www.helpnetsecurity.com/2025/10/24/ai-written-software-security-report/
      • Counter Ransomware Initiative Stresses Importance Of Supply-Chain Security
        "Companies should improve the resilience of their software supply chains against ransomware, according to guidance the International Counter Ransomware Initiative (CRI) published on Friday after its fifth annual summit in Singapore. The new guidance, developed by the United Kingdom and Singapore as the CRI’s policy leads, aims to raise awareness of the ransomware threat across supply chains, as well as promote good cyber hygiene that will see supply chain vulnerabilities factored into organizations’ risk assessments."
        https://therecord.media/counter-ransomware-initiative-software-supply-chain-guidance
        https://isomer-user-content.by.gov.sg/36/3041f169-6cef-44a9-9d03-fac92a0ff9f6/Guidance for Organisations to Build Supply Chain Resilience Against Ransomware.pdf
      • What Microsoft’s 2025 Report Reveals About The New Rules Of Engagement In Cyberdefense
        "Adversaries are using AI to sharpen attacks, automate operations, and challenge long-standing defenses, according to a new Microsoft report. Researchers describe a year in which criminal and state-backed actors blurred the lines between cybercrime, espionage, and disruption, targeting public and private sectors."
        https://www.helpnetsecurity.com/2025/10/24/microsoft-ai-cyber-attacks-report/
      • US Crypto Bust Offers Hope In Battle Against Cybercrime Syndicates
        "A massive seizure by the US government of cryptocurrency from a sprawling Southeast Asia cybercrime syndicate has raised hopes that coordinated actions against cybercriminal groups can help undermine their profits. On Oct. 14, the US Department of Justice — along with the Drug Enforcement Agency, the Department of State, and other agencies — announced the seizure of 127,271 bitcoin kept in "unhosted wallets" and the indictment of Chen Zhi, the founder and chairman of the Prince Holding Group, on charges of conspiracy to commit wire fraud and money laundering. The seized bitcoin, stored in 25 wallets, are worth more than $14 billion, and were valued at nearly $15 billion on the day of the announcement."
        https://www.darkreading.com/cyberattacks-data-breaches/us-crypto-bust-hope-battle-against-cybercrime-syndicates

      Reference
      Electronic Transactions Development Agency (ETDA)
