NCSA Webboard
    Cyber Threat Intelligence 03 November 2025

    Cyber Security News
    Posted by NCSA_THAICERT

      Industrial Sector

      • Hacktivist Attacks On Critical Infrastructure Surge: Cyble Report
        "Hacktivist attacks on critical infrastructure grew throughout the third quarter of 2025, and by September, accounted for 25% of all hacktivist attacks. If that trend continues, it would represent a near-doubling of attacks on industrial control systems (ICS) from the second quarter of 2025. Cyble’s assessment of the hacktivism threat landscape in the third quarter of 2025 found that while DDoS attacks and website defacements continue to comprise a majority of hacktivist activity, their share continues to decline, as ideologically-motivated threat groups expand their focus to include ICS attacks, data breaches, unauthorized access, and even ransomware."
        https://cyble.com/blog/hacktivist-attacks-critical-infrastructure-q3-2025/
      • Japan Issues OT Security Guidance For Semiconductor Factories
        "Japan’s Ministry of Economy, Trade and Industry has published new operational technology (OT) security guidance for semiconductor factories. The 130-page document is available in both Japanese and English. While the guidance is aimed at semiconductor device makers in Japan, it may be useful to organizations worldwide, particularly as it leverages not only Japan’s Cyber/Physical Security Framework (CPSF) but also internationally used frameworks such as the NIST Cybersecurity Framework (CSF) 2.0. It’s worth noting that in the United States NIST is also working on a CSF 2.0 variant that is specifically aimed at semiconductor manufacturing."
        https://www.securityweek.com/japan-issues-ot-security-guidance-for-semiconductor-factories/
        https://www.meti.go.jp/policy/netsecurity/wg1/semiconductor_systems_guideline_ver1.0_eng.pdf
        https://www.meti.go.jp/policy/netsecurity/wg1/semiconductor_systems_guideline_gaiyou_eng.pdf

      Vulnerabilities

      • Update Chrome Now: 20 Security Fixes Just Landed
        "Google has released an update for its Chrome browser that includes 20 security fixes, several of which are classed as high severity. Most of these flaws were found in Chrome’s V8 engine—the part of Chrome (and other Chromium-based browsers) that runs JavaScript. Chrome is by far the world’s most popular browser, used by an estimated 3.4 billion people. That scale means when Chrome has a security flaw, billions of users are potentially exposed until they update. These vulnerabilities are serious because they affect the code that runs almost every website you visit. Every time you load a page, your browser executes JavaScript from all sorts of sources, whether you notice it or not. Without proper safety checks, attackers can sneak in malicious instructions that your browser then runs—sometimes without you clicking anything. That could lead to stolen data, malware infections, or even a full system compromise."
        https://www.malwarebytes.com/blog/news/2025/10/update-chrome-now-20-security-fixes-just-landed
      • CISA: High-Severity Linux Flaw Now Exploited By Ransomware Gangs
        "CISA confirmed on Thursday that a high-severity privilege escalation flaw in the Linux kernel is now being exploited in ransomware attacks. While the vulnerability (tracked as CVE-2024-1086) was disclosed on January 31, 2024, as a use-after-free weakness in the netfilter: nf_tables kernel component and was fixed via a commit submitted in January 2024, it was first introduced by a decade-old commit in February 2014. Successful exploitation enables attackers with local access to escalate privileges on the target system, potentially resulting in root-level access to compromised devices."
        https://www.bleepingcomputer.com/news/security/cisa-linux-privilege-escalation-flaw-now-exploited-in-ransomware-attacks/
        https://securityaffairs.com/184076/security/old-linux-kernel-flaw-cve-2024-1086-resurfaces-in-ransomware-attacks.html
      • An 18-Year-Old Codebase Left Smart Buildings Wide Open
        "When security researcher Gjoko Krstic finally came up for air from his research, he hadn't slept for a week. "I was dizzy. I couldn't stop finding new bugs," he says. "That’s why I called [this research] Project Brainfog." The name stuck — fitting for a research effort that uncovered more than 800 vulnerabilities, many of them zero-day, across building automation systems operating in over 30 countries and 220 cities worldwide. These aren't theoretical flaws: they affect real-world infrastructure — everything from hospitals and high schools to airports, stadiums, and government buildings."
        https://www.darkreading.com/vulnerabilities-threats/18-year-old-codebase-left-smart-buildings-wide-open

      Malware

      • Don’t Take BADCANDY From Strangers – How Your Devices Could Be Implanted And What To Do About It
        "Cyber actors are installing an implant dubbed ‘BADCANDY’ on Cisco IOS XE devices that are vulnerable to CVE-2023-20198. Variations of the BADCANDY implant have been observed since October 2023, with renewed activity notable throughout 2024 and 2025. BADCANDY is a low equity Lua-based web shell, and cyber actors have typically applied a non-persistent patch post-compromise to mask the device’s vulnerability status in relation to CVE-2023-20198. In these instances, the presence of the BADCANDY implant indicates compromise of the Cisco IOS XE device, via CVE-2023-20198."
        https://www.cyber.gov.au/about-us/view-all-content/alerts-and-advisories/badcandy
        https://www.bleepingcomputer.com/news/security/australia-warns-of-badcandy-infections-on-unpatched-cisco-devices/
        https://thehackernews.com/2025/11/asd-warns-of-ongoing-badcandy-attacks.html
        https://securityaffairs.com/184095/hacking/badcandy-webshell-threatens-unpatched-cisco-ios-xe-devices-warns-australian-government.html
      • Weaponized Military Documents Deliver Advanced SSH-Tor Backdoor To Defense Sector
        "In October 2025, Cyble Research and Intelligence Labs (CRIL) identified malware that distributed a weaponized ZIP archive masquerading as a military document titled “ТЛГ на убытие на переподготовку.pdf” (TLG for departure for retraining.pdf). Notably, the attack utilized a Belarusian military lure document targeting Special Operations Command personnel specializing in UAV/Drone operations, suggesting intelligence collection operations focused on regional military capabilities."
        https://cyble.com/blog/weaponized-military-documents-deliver-backdoor/
      • Cloud Abuse At Scale
        "Identity compromise remains one of the most pressing threats to cloud infrastructure today. When attackers gain access to valid credentials, they can often bypass the traditional security controls designed to protect those environments. In AWS, this type of compromise frequently manifests through abuse of the Simple Email Service (SES), one of the most common tactics observed in real-world intrusions. SES offers adversaries a convenient and scalable way to conduct illicit email operations once they’ve obtained valid AWS access keys."
        https://www.fortinet.com/blog/threat-research/cloud-abuse-at-scale
      • Detecting The NPM Supply Chain Compromise Before It Spread
        "Most major supply chain attacks start with a single compromised account — often through one well-crafted phishing email. In the NPM ecosystem, where developers routinely exchange code and credentials, one successful compromise can cascade into thousands of vulnerable applications. In this article, we analyze a simulated supply chain compromise targeting NPM developers and show how Group-IB’s Business Email Protection (BEP) could have detected the very first phishing message that triggered the incident. By flagging anomalies in sender behavior, domain spoofing, and malicious attachments, BEP would have stopped the attacker before they ever reached the developer’s inbox — cutting off the infection chain before it began."
        https://www.group-ib.com/blog/detect-npm-supply-chain-attack/
      • BRONZE BUTLER Exploits Japanese Asset Management Software Vulnerability
        "In mid-2025, Counter Threat Unit™ (CTU) researchers observed a sophisticated BRONZE BUTLER campaign that exploited a zero-day vulnerability in Motex LANSCOPE Endpoint Manager to steal confidential information. The Chinese state-sponsored BRONZE BUTLER threat group (also known as Tick) has been active since 2010 and previously exploited a zero-day vulnerability in Japanese asset management product SKYSEA Client View in 2016. JPCERT/CC published a notice about the LANSCOPE issue on October 22, 2025."
        https://news.sophos.com/en-us/2025/10/30/bronze-butler-exploits-japanese-asset-management-software-vulnerability/
        https://thehackernews.com/2025/10/china-linked-tick-group-exploits.html
        https://www.bleepingcomputer.com/news/security/china-linked-hackers-exploited-lanscope-flaw-as-a-zero-day-in-attacks/
      • When AI Agents Go Rogue: Agent Session Smuggling Attack In A2A Systems
        "We discovered a new attack technique, which we call agent session smuggling. This technique allows a malicious AI agent to exploit an established cross-agent communication session to send covert instructions to a victim agent. Here, we discuss the issues that can arise in a communication session using the Agent2Agent (A2A) protocol, which is a popular option for managing the connections between agents. The A2A protocol’s stateful behavior lets agents remember recent interactions and maintain coherent conversations. This attack exploits this property to inject malicious instructions into a conversation, hiding them among otherwise benign client requests and server responses."
        https://unit42.paloaltonetworks.com/agent-session-smuggling-in-agent2agent-systems/
      • Chinese Hackers Scanning, Exploiting Cisco ASA Firewalls Used By Governments Worldwide
        "China-based hackers are scanning for and exploiting a popular line of Cisco firewalls used by governments in the U.S., Europe and Asia. Incident responders from Palo Alto Networks’ Unit 42 have been tracking the targeting of Cisco Adaptive Security Appliances (ASA) — popular devices used by governments and large businesses to consolidate several different security tasks into a single appliance. In addition to acting as firewalls, the appliances also prevent some intrusions, handle spam, conduct antivirus checks and more. In a report shared with Recorded Future News, Unit 42 attributed the targeting of Cisco ASA devices to Storm-1849 — a China-based threat group that Cisco previously said has been attacking the tools since 2024."
        https://therecord.media/chinese-hackers-scan-exploit-firewalls-government

      Breaches/Hacks/Leaks

      • ‘We Got Hacked’ Emails Threaten To Leak University Of Pennsylvania Data
        "The University of Pennsylvania suffered a cybersecurity incident on Friday, where students and alumni received a series of offensive emails from various University email addresses, claiming that data was stolen in a breach. The emails have a subject line of "We got hacked (Action Required)" and claim that data was stolen during an alleged breach, also calling out the University over its security practices and admission policies. "The University of Pennsylvania is a dog**** elitist institution full of woke retards. We have terrible security practices and are completely unmeritocratic," reads the email seen by BleepingComputer."
        https://www.bleepingcomputer.com/news/security/offensive-we-got-hacked-emails-sent-in-penn-security-incident/
        https://www.bleepingcomputer.com/news/security/university-of-pennsylvania-hacker-claims-1.2-million-donor-data-breach/
        https://therecord.media/upenn-hacker-email-affirmative
      • Eclipse Foundation Revokes Leaked Open VSX Tokens Following Wiz Discovery
        "Eclipse Foundation, which maintains the open-source Open VSX project, said it has taken steps to revoke a small number of tokens that were leaked within Visual Studio Code (VS Code) extensions published in the marketplace. The action comes following a report from cloud security company Wiz earlier this month, which found several extensions from both Microsoft's VS Code Marketplace and Open VSX to have inadvertently exposed their access tokens within public repositories, potentially allowing bad actors to seize control and distribute malware, effectively poisoning the extension supply chain."
        https://thehackernews.com/2025/10/eclipse-foundation-revokes-leaked-open.html
        https://www.bleepingcomputer.com/news/security/open-vsx-rotates-tokens-used-in-supply-chain-malware-attack/
        https://www.securityweek.com/open-vsx-downplays-impact-from-glassworm-campaign/

      General News

      • Alleged Meduza Stealer Malware Admins Arrested After Hacking Russian Org
        "The Russian authorities have arrested three individuals in Moscow who are believed to be the creators and operators of the Meduza Stealer information-stealing malware. The action was announced on Telegram by Irina Volk, a police general and official from the Russian Ministry of Internal Affairs. "A group of hackers who created the infamous 'Meduza' virus have been detained by my colleagues from the Department for Combating Cybercrime (UBK) of the Russian Ministry of Internal Affairs, together with police officers from the Astrakhan region," stated Volk."
        https://www.bleepingcomputer.com/news/security/alleged-meduza-stealer-malware-admins-arrested-after-hacking-russian-org/
        https://therecord.media/meduza-stealer-malware-suspected-developers-arrested-russia
        https://www.bankinfosecurity.com/russian-police-bust-suspected-meduza-infostealer-developers-a-29901
        https://hackread.com/russia-arrests-meduza-stealer-developers/
        https://www.theregister.com/2025/10/31/russia_arrests_three_meduza_cyber_suspects/
      • Ukrainian National Extradited From Ireland In Connection With Conti Ransomware
        "Following his extradition from Ireland, a Ukrainian man had his initial appearance today in the Middle District of Tennessee on a 2023 indictment charging him with conspiracy to deploy Conti, a ransomware variant that infected victim computers and networks, encrypting their data. According to court documents, from in or around 2020 and continuing until about June 2022, Oleksii Oleksiyovych Lytvynenko, 43, of Cork, Ireland, conspired with others to deploy Conti ransomware to extort victims and steal their data. Court filings allege the conspirators hacked into victims’ computer networks, encrypted their data, and demanded a ransom to restore the victims’ access to their files and avoid public disclosure of the hacked information. The conspirators allegedly extorted more than $500,000 in cryptocurrency from two victims in the Middle District of Tennessee, and published information stolen from a third victim in that District."
        https://www.justice.gov/opa/pr/ukrainian-national-extradited-ireland-connection-conti-ransomware
        https://www.bleepingcomputer.com/news/security/ukrainian-extradited-from-ireland-on-conti-ransomware-charges/
        https://therecord.media/alleged-conti-ransomware-affiliate-extradited-ireland-tennessee
        https://cyberscoop.com/ukrainian-oleksii-lytvynenko-conti-ransomware-extradited/
        https://hackread.com/ukraine-conti-ransomware-extradite-us-ireland/
        https://www.securityweek.com/ukrainian-man-extradited-from-ireland-to-us-over-conti-ransomware-charges/
        https://securityaffairs.com/184106/security/ukrainian-extradited-to-us-over-conti-ransomware-involvement.html
      • Arizona Leader Of Violent Extremist Network ‘764’ Charged With Running A Child Exploitation Enterprise, Supporting Terrorists, Producing And Distributing Child Pornography, And Other Crimes
        "A federal grand jury in the District of Arizona has returned a 29-count superseding indictment against Baron Cain Martin, known online as “Convict” (among other monikers), 21, of Tucson, Arizona. The superseding indictment charges Martin with participating in a child exploitation enterprise, conspiring to provide material support to terrorists, conspiring to kill, kidnap or maim persons in a foreign country, producing child pornography (five counts), distributing child pornography (11 counts), coercing and enticing minors to engage in sexual activity (three counts), cyberstalking (three counts), animal crushing and distribution of animal crush videos, and conspiracy to commit wire fraud. Martin has been in federal custody since his arrest on federal charges on December 11, 2024."
        https://www.justice.gov/opa/pr/arizona-leader-violent-extremist-network-764-charged-running-child-exploitation-enterprise
        https://cyberscoop.com/baron-cain-martin-764-leader-arrested-charged/
      • Dark Reading Confidential: Cyber's Role In The Rapid Rise Of Digital Authoritarianism
        "Hello and welcome to Dark Reading Confidential. It's a podcast from the editors of Dark Reading, bringing you real world stories straight from the cyber trenches. Today, we are thrilled to welcome two experts right on the heels of the 10th anniversary of the discovery of the Pegasus Zero Click commercial spyware and the current ratcheting up of digital authoritarianism across the globe. We are joined by Ronald Deibert, professor of Political Science and Director of the Citizen Lab at the University of Toronto; David Greene, senior staff attorney, civil liberties director at the Electronic Frontier Foundation (EFF); and we are joined by Alex Culafi, who is a reporter extraordinaire for Dark Reading and who has been covering this topic very deeply for quite some time. Welcome to all of you. Thank you for joining us."
        https://www.darkreading.com/cyber-risk/cybers-role-rapid-rise-digital-authoritarianism
      • Cloud Outages Highlight The Need For Resilient, Secure Infrastructure Recovery
        "An Amazon Web Services (AWS) outage on Oct 19 caused significant disruptions to numerous websites and online services. Error messages splashed across users’ screens as they attempted to access popular sites like Amazon itself, as well as Snapchat and Disney+. The outage lasted two days, but spillover effects sprawled across industries. On Wednesday, the Microsoft Azure cloud platform and the Microsoft 365 service experienced a multi-hour outage due to what Microsoft described as "an inadvertent configuration change." The Azure outage crippled critical business applications, bringing many organizations to a standstill."
        https://www.darkreading.com/cloud-security/cloud-outages-highlight-need-resilient-secure-infrastructure-recovery
      • Zombie Projects Rise Again To Undermine Security
        "A variety of old, abandoned projects, long considered dead, continue to rise up and undermine the cybersecurity posture of the companies who created them. From code to infrastructure to APIs, these so-called "zombie" assets continue to cause security headaches for companies, and sometimes, lead to breaches. Oracle's "obsolete" servers, abandoned Amazon S3 buckets used by attackers to distribute malware, and the unmonitored API connecting Optus' customer-identity database to the Internet are all variations of the zombies plaguing enterprises."
        https://www.darkreading.com/cyber-risk/zombie-projects-rise-again-undermine-security
      • Passwordless Adoption Moves From Hype To Habit
        "With the average person juggling more than 300 credentials and credential abuse still the top attack vector, the password’s decline is long overdue. Across every major sector, organizations are changing how users log in, and new data shows the shift is picking up speed. The 2025 Dashlane Passkey Power 20 report, based on millions of anonymized web and mobile authentications, tracks which services are leading the move to passkeys worldwide."
        https://www.helpnetsecurity.com/2025/10/31/passkey-adoption-trends-2025/
      • Keys To The Kingdom: A Defender's Guide To Privileged Account Monitoring
        "Privileged access stands as the most critical pathway for adversaries seeking to compromise sensitive systems and data. Its protection is not only a best practice, it is a fundamental imperative for organizational resilience. The increasing complexity of modern IT environments, exacerbated by rapid cloud migration, has led to a surge in both human and non-human identities, comprising privileged accounts and virtual systems [compute workloads such as virtual machines (VMs), containers, and serverless functions, plus their control planes], significantly expanding the overall attack surface. This environment presents escalating challenges in identity and access management, cross-platform system security, and effective staffing, making the establishment and maintenance of a robust security posture increasingly challenging."
        https://cloud.google.com/blog/topics/threat-intelligence/privileged-account-monitoring

      References
      Electronic Transactions Development Agency (ETDA)
