NCSA Webboard

    Cyber Threat Intelligence 29 October 2025

    Cyber Security News
    • NCSA_THAICERT

      Healthcare Sector

      • Vertikal Systems Hospital Manager Backend Services
        "Successful exploitation of these vulnerabilities could allow an attacker to obtain unauthorized access to and disclose sensitive information."
        https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-301-01
      • Managing Legacy Medical Devices That Can No Longer Be Patched
        "In this Help Net Security interview, Patty Ryan, Senior Director and CISO at QuidelOrtho, discusses how the long lifecycles of medical devices impact cybersecurity in healthcare environments. She explains how organizations can protect legacy systems, collaborate with vendors, and adopt proactive, risk-based strategies. Ryan also shares insights on strengthening cyber resilience as AI-enabled and connected medical devices become more prevalent in healthcare."
        https://www.helpnetsecurity.com/2025/10/28/patty-ryan-quidelortho-legacy-medical-devices-cybersecurity/

      Industrial Sector

      • Schneider Electric EcoStruxure
        "Successful exploitation of this vulnerability could result in the loss of real-time process data from the Modicon Controller."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-301-01

      Vulnerabilities

      • Chain Of Security Weaknesses Found In Smart Air Compressor Model
        "Contractors and workshops often rely on air compressors to power their tools and keep projects running. But when those compressors are connected to the internet, convenience can introduce new risks. Researchers at George Mason University found that the California Air Tools CAT-10020SMHAD smart air compressor contains a chain of security vulnerabilities that could allow an attacker to disrupt operations or tamper with usage data."
        https://www.helpnetsecurity.com/2025/10/28/smart-air-compressor-risks-vulnerabilities/
      • CISA Adds Two Known Exploited Vulnerabilities To Catalog
        "CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
        CVE-2025-6204 Dassault Systèmes DELMIA Apriso Code Injection Vulnerability
        CVE-2025-6205 Dassault Systèmes DELMIA Apriso Missing Authorization Vulnerability"
        https://www.cisa.gov/news-events/alerts/2025/10/28/cisa-adds-two-known-exploited-vulnerabilities-catalog
        https://www.bleepingcomputer.com/news/security/cisa-warns-of-two-more-actively-exploited-dassault-vulnerabilities/
        https://www.bankinfosecurity.com/delmia-apriso-systems-under-attack-a-29871
      • TEE.Fail Attack Breaks Confidential Computing On Intel, AMD, NVIDIA CPUs
        "Academic researchers developed a side-channel attack called TEE.Fail, which allows extracting secrets from the trusted execution environment in the CPU, the highly secure area of a system, such as Intel's SGX and TDX, and AMD's SEV-SNP. The method is a memory-bus interposition attack on DDR5 systems that could be successfully done by computer hobbyists at a cost of less than $1,000. Trusted Execution Environments (TEEs) are “confidential computing” hardware within the main processor that ensure confidentiality and integrity of sensitive data, like cryptographic keys used for authentication and authorization."
        https://www.bleepingcomputer.com/news/security/teefail-attack-breaks-confidential-computing-on-intel-amd-nvidia-cpus/
        https://tee.fail/
        https://thehackernews.com/2025/10/new-teefail-side-channel-attack.html
      • PoC Code Drops For Remotely Exploitable BIND 9 DNS Flaw (CVE-2025-40778)
        "A high-severity vulnerability (CVE-2025-40778) affecting BIND 9 DNS resolvers could be leveraged by remote, unauthenticated attackers to manipulate DNS entries via cache poisoning, allowing them to redirect Internet traffic to potentially malicious sites, distribute malware, or intercept network traffic. While attackers have yet to be spotted exploiting the flaw, a proof-of-concept (PoC) exploit code has been published, making it critical for administrators to patch internet-facing resolvers."
        https://www.helpnetsecurity.com/2025/10/28/bind-9-vulnerability-cve-2025-40778-poc/

      Malware

      • Analysis Of Trigona Threat Actor’s Latest Attack Cases
        "AhnLab SEcurity intelligence Center (ASEC) has covered the case of Trigona threat actors attacking MS-SQL servers in the past post, “Trigona Ransomware Threat Actor Uses Mimic Ransomware.”[1] In the attack cases, both Trigona and Mimic ransomware were used. However, while the email address used by the threat actor in the ransom note of Mimic has not been identified in other attack cases, the email address used by the Trigona threat actor has been used since early 2023, so it is presumed that it is the same Trigona threat actor."
        https://asec.ahnlab.com/en/90793/
      • The Beast Ransomware Hidden In The GUI
        "The Beast ransomware group is a group that evolved from the Monster ransomware strain. They emerged as a Ransomware-as-a-Service (RaaS) in February 2025, and officially launched their Tor-based data leak site in July. As of August 2025, they have publicly disclosed 16 victim organizations from the United States, Europe, Asia, and Latin America. The victims come from various industries including manufacturing, construction, healthcare, business services, and education."
        https://asec.ahnlab.com/en/90792/
      • Analysis Of Gunra Ransomware Using Vulnerable Random Number Generation Function (Distributed For Linux Environments In ELF Format)
        "The Gunra ransomware group, which began its activities in April 2025, has been launching continuous attacks against various industries and companies around the world. Cases of damage have been reported in Korea as well. The distributed Gunra ransomware is available in two formats: an EXE file format for Windows environments and an ELF file format for Linux environments. This post will analyze the main features, encryption methods, and technical reasons that make decryption possible for the ELF version of the Gunra ransomware, so that readers can effectively respond to similar threats in the future."
        https://asec.ahnlab.com/en/90791/
      • Distribution Of Rhadamanthys Malware Disguised As a Game Developed With Ren’Py
        "AhnLab SEcurity intelligence Center (ASEC) has confirmed that the Infostealer malware Rhadamanthys is being distributed disguised as a game created with RenPy. RenPy is a game development tool based on Python that allows users to easily create stories, dialogues, images, and sounds with simple scripts. It is open-source and can be run on various operating systems, so it is widely used among indie developers. It is also popular enough to be used on major game platforms such as Steam."
        https://asec.ahnlab.com/en/90767/
      • Crypto Wasted: BlueNoroff’s Ghost Mirage Of Funding And Jobs
        "Primarily focused on financial gain since its appearance, BlueNoroff (aka. Sapphire Sleet, APT38, Alluring Pisces, Stardust Chollima, and TA444) has adopted new infiltration strategies and malware sets over time, but it still targets blockchain developers, C-level executives, and managers within the Web3/blockchain industry as part of its SnatchCrypto operation. Earlier this year, we conducted research into two malicious campaigns by BlueNoroff under the SnatchCrypto operation, which we dubbed GhostCall and GhostHire."
        https://securelist.com/bluenoroff-apt-campaigns-ghostcall-and-ghosthire/117842/
        https://thehackernews.com/2025/10/researchers-expose-ghostcall-and.html
        https://www.darkreading.com/threat-intelligence/north-korea-bluenoroff-expands-crypto-heists
      • SideWinder's Shifting Sands: Click Once For Espionage
        "In September 2025, the Trellix Advanced Research Center (ARC) detected a campaign targeting a European embassy located in New Delhi, India. Further investigation led to the discovery of multiple targeted institutions from various countries, including Sri Lanka, Pakistan, and Bangladesh."
        https://www.trellix.com/blogs/research/sidewinders-shifting-sands-click-once-for-espionage/
        https://thehackernews.com/2025/10/sidewinder-adopts-new-clickonce-based.html
      • Meet Atroposia: The Stealthy Feature-Packed RAT
        "Atroposia is a new remote access trojan (RAT) found by Varonis that uses encrypted command channels, hidden remote access, credential and wallet theft, and persistence. Atroposia isn’t an outlier. It’s the latest entry in a growing market of turnkey, plug-and-play criminal toolkits we recently found, alongside tools such as SpamGPT and MatrixPDF. SpamGPT is an AI-driven “spam-as-a-service” platform that automates phishing campaign creation, SMTP/IMAP cracking, and deliverability tooling, effectively packaging marketing-grade campaign features for criminals. MatrixPDF is a malicious PDF builder that weaponizes ordinary PDF files by adding overlays, redirects, and embedded actions that help attackers bypass email filters and deliver phishing or malware lures."
        https://www.varonis.com/blog/atroposia-rat
        https://www.bleepingcomputer.com/news/security/new-atroposia-malware-comes-with-a-local-vulnerability-scanner/
        https://www.darkreading.com/vulnerabilities-threats/attackers-sell-turnkey-remote-access-trojan-atroposia
      • New Android Malware Herodotus Mimics Human Behaviour To Evade Detection
        "During our usual monitoring activity of malicious distribution points, Mobile Threat Intelligence service observed unknown malicious samples distributed next to well-known malware variants like Hook and Octo. Despite the shared distribution infrastructure, these samples turned out to be closer to a different malware family previously discovered by ThreatFabric analysts – Brokewell. Nevertheless, the newly discovered malware, named Herodotus by its developers, does not seem to be a direct evolution of Brokewell, but a new threat with parts of Brokewell stitched together with original parts."
        https://www.threatfabric.com/blogs/new-android-malware-herodotus-mimics-human-behaviour-to-evade-detection
        https://www.bleepingcomputer.com/news/security/new-herodotus-android-malware-fakes-human-typing-to-avoid-detection/
        https://thehackernews.com/2025/10/new-android-trojan-herodotus-outsmarts.html
        https://therecord.media/android-malware-mimics-humans-avoid-detection
      • The Illusion Of Wealth: Inside The Engineered Reality Of Investment Scam Platforms
        "This blog details online investment scam campaigns, including fraudulent cryptocurrency, forex, and trading platforms, while offering a technical investigation guide for investigators, based on Group-IB’s technical investigation methodology. It outlines the social engineering tactics and victim manipulation models employed, describes the fraud actor structures behind these schemes, and highlights key infrastructure artifacts identified by Group-IB High-Tech Investigations analysts that can be leveraged by cybersecurity professionals for detection and disruption."
        https://www.group-ib.com/blog/illusion-wealth-investment-scams/
        https://www.infosecurity-magazine.com/news/investment-scams-spread-across-asia/
      • ASERT Threat Summary: Aisuru And Related TurboMirai Botnet DDoS Attack Mitigation And Suppression—October 2025—v1.0
        "In October 2025, multiple high-impact direct distributed denial-of-service (DDoS) demonstration attacks exceeding 20Tb/sec and/or 4gpps were publicly reported. These attacks, primarily targeting online internet gaming organizations, were launched using a Mirai-derivative Internet of Things (IoT) DDoS-capable botnet commonly referred to as “Aisuru.” The Aisuru DDoS botnet operates as a DDoS-for-hire service with restricted clientele; operators have reportedly implemented preventive measures to avoid attacking governmental, law enforcement, military, and other national security properties. Most observed Aisuru attacks to date appear to be related to online gaming. Multiple broadband access network operators have experienced significant operational impact due to outbound DDoS attacks in excess of 1.5Tb/sec launched from Aisuru botnet nodes residing on end-customer premises."
        https://www.netscout.com/blog/asert/asert-threat-summary-aisuru-and-related-turbomirai-botnet-ddos
        https://www.securityweek.com/turbomirai-class-aisuru-botnet-blamed-for-20-tbps-ddos-attacks/
        https://securityaffairs.com/183969/malware/aisuru-botnet-is-behind-record-20tb-sec-ddos-attacks.html
      • Bots, Bread And The Battle For The Web
        "Meet Sarah, an artisanal baker who opens Sarah’s Sourdough. To improve her search engine optimization (SEO), she builds a beautiful website and shares authentic baking content. By writing blog posts, earning local backlinks and telling her story, Sarah practices ethical SEO to help search engines understand her value. Soon, when users search “fresh sourdough near me,” her shop ranks at the top. This is how search is meant to work – connecting real people with real solutions."
        https://unit42.paloaltonetworks.com/malicious-seo-and-ai/
      • Help Wanted: Vietnamese Actors Using Fake Job Posting Campaigns To Deliver Malware And Steal Credentials
        "Google Threat Intelligence Group (GTIG) is tracking a cluster of financially motivated threat actors operating from Vietnam that leverages fake job postings on legitimate platforms to target individuals in the digital advertising and marketing sectors. The actor effectively uses social engineering to deliver malware and phishing kits, ultimately aiming to compromise high-value corporate accounts, in order to hijack digital advertising accounts. GTIG tracks parts of this activity as UNC6229."
        https://cloud.google.com/blog/topics/threat-intelligence/vietnamese-actors-fake-job-posting-campaigns/

      Breaches/Hacks/Leaks

      • Advertising Giant Dentsu Reports Data Breach At Subsidiary Merkle
        "Japanese advertising giant Dentsu has disclosed that its U.S.-based subsidiary Merkle suffered a cybersecurity incident that exposed staff and client data. The company states that the incident forced them to take certain systems offline as part of their response plan. “We detected abnormal activity within part of the network of Merkle, a company leading the CXM (Customer Experience Management) area of our group’s overseas business,” reads Dentsu’s announcement."
        https://www.bleepingcomputer.com/news/security/advertising-giant-dentsu-reports-data-breach-at-subsidiary-merkle/

      General News

      • September 2025 APT Group Trends
        "North Korea-linked APT groups have been intensively carrying out advanced spear-phishing and remote access attacks against the defense, military, and cryptocurrency sectors in South Korea. They have also introduced a new psychological deception technique using generative AI and deepfake technology."
        https://asec.ahnlab.com/en/90786/
      • BiDi Swap: The Bidirectional Text Trick That Makes Fake URLs Look Real
        "Varonis Threat Labs is shining a spotlight on a decade-old vulnerability that opens the door to URL spoofing. By exploiting how browsers handle Right-to-Left (RTL) and Left-to-Right (LTR) scripts, attackers can craft URLs that appear trustworthy but actually lead somewhere else; therefore this method, known as BiDi Swap, can often be abused in phishing attacks."
        https://www.bleepingcomputer.com/news/security/bidi-swap-the-bidirectional-text-trick-that-makes-fake-urls-look-real/
      • From Chef To CISO: An Empathy-First Approach To Cybersecurity Leadership
        "Welcome to Dark Reading's "Heard it From a CISO" video series, showcasing advice on breaking into and advancing within the cybersecurity field from those who have been there. In our latest installment, Dark Reading associate editor Kristina Beek interviews Myke Lyons, chief information security officer (CISO) at Cribl, who shares his unique background of working in the culinary world as a chef prior to pivoting to cybersecurity. His journey from culinary school graduate with dreams of becoming a food critic to leading cybersecurity at a major IT and security data pipeline company gave him a unique sense of discipline (mise en place, recipes, service culture), and shaped his approach to security strategy and crisis response."
        https://www.darkreading.com/cybersecurity-operations/chef-ciso-empathy-first-cybersecurity-leadership
      • Oracle EBS Attack Victims May Be More Numerous Than Expected
        "The list of enterprises targeted by recent Oracle EBS attacks may also include Schneider Electric, Pan American Steel, and Cox Enterprises. Earlier this month, the infamous ransomware-as-a-service gang Clop targeted customers affected by the critical Oracle E-Business Suite (EBS) zero-day vulnerability CVE-2025-61882. The flaw enables an unauthenticated attacker to remotely access and compromise Oracle Concurrent Processing. Exploiting this vulnerability can lead to follow-on activity such as data theft and possibly extortion. And in this case, early instances of extortion are part of the reason this zero-day came to light."
        https://www.darkreading.com/vulnerabilities-threats/oracle-ebs-attack-victims-more-numerous-expected
        https://www.securityweek.com/industrial-giants-schneider-electric-and-emerson-named-as-victims-of-oracle-hack/
      • Nation-State Cyber Ecosystems Weakened By Sanctions, Report Reveals
        "Cyber-related sanctions alone do not typically disrupt cyber malicious activities, but they can “toxify” networks of malicious actors, according to new research. A report, published on October 28 by the Royal United Services Institute (RUSI), builds from the first meeting of the RUSI Cyber Sanctions Taskforce in September. This meeting saw current and former government officials from the UK, the US and the EU, as well as other EU officials, discuss the role of sanctions in countering cyber state threats. The report concluded that sanctions form a growing part of government and intergovernmental cyber deterrence strategies."
        https://www.infosecurity-magazine.com/news/nation-state-cyber-weakened/
        https://www.rusi.org/explore-our-research/publications/insights-papers/rusi-cyber-sanctions-taskforce-countering-state-backed-cyber-threats
      • Email Breach Delays Can Multiply Ransomware Risk Eight-Fold
        "Email breaches affect almost all organizations. The new Email Security Breach Report 2025 reveals the worrying fact that 78% of organizations experienced an email breach in the last year. Only half of them detected the breach within an hour. Even fewer (41%) said they were able to respond to and mitigate an incident within an hour of its detection. This matters because email-based attacks can be frighteningly fast. Research shows that the median time it takes an employee to fall for a phishing email is less than 60 seconds: 21 seconds to click on the link, and then 28 seconds to enter the requested data. Armed with the stolen credentials and access, the attackers' next steps can be equally quick. For example, not long ago, a cybergang took just 54 minutes to get from breaching a victim’s network to encrypting the first file with Akira ransomware."
        https://blog.barracuda.com/2025/10/28/email-breach-delays-multiply-ransomware-risk
        https://www.barracuda.com/reports/email-security-breach-report-2025
      • AI Browsers Face a Security Flaw As Inevitable As Death And Taxes
        "With great power comes great vulnerability. Several new AI browsers, including OpenAI's Atlas, offer the ability to take actions on the user's behalf, such as opening web pages or even shopping. But these added capabilities create new attack vectors, particularly prompt injection. Prompt injection occurs when something causes text that the user didn't write to become commands for an AI bot. Direct prompt injection happens when unwanted text gets entered at the point of prompt input, while indirect injection happens when content, such as a web page or PDF that the bot has been asked to summarize, contains hidden commands that AI then follows as if the user had entered them."
        https://www.theregister.com/2025/10/28/ai_browsers_prompt_injection/
      • CrowdStrike 2025 APJ eCrime Landscape Report: A New Era Of Threats Emerges
        "The eCrime threat landscape in the Asia Pacific and Japan (APJ) region is quickly evolving, driven by a mix of regional and global adversaries. From Chinese-language underground marketplaces facilitating the sale of stolen data and illicit services, to a rise in AI-developed ransomware campaigns, threat actors across the region are seeking new ways to scale and accelerate their operations. The CrowdStrike 2025 APJ eCrime Landscape Report provides a definitive view of these threats, based on frontline intelligence from CrowdStrike’s elite threat hunters and intelligence analysts. The report combines analysis of adversary tradecraft, underground economies, and monetization trends with observations from CrowdStrike analysts who track malicious activity."
        https://www.crowdstrike.com/en-us/blog/2025-apj-ecrime-landscape-report-highlights/
        https://www.crowdstrike.com/en-us/resources/reports/2025-apj-ecrime-landscape-report/
        https://crowdstrike.com/explore/crowdstrike-content/APJ-ecrime-landscape-report

      Reference
      Electronic Transactions Development Agency (ETDA)
