Cyber Threat Intelligence 04 November 2025
Energy Sector
- Let's Get Physical: A New Convergence For Electrical Grid Security
"US energy industry regulators and analysts are increasingly repeating the same message: Grid operators need to unify their cybersecurity and physical security strategies. Power plants and transmission/distribution system operators (TSOs and DSOs) have long focused on maintaining uptime and enhancing the resilience of their services; keeping the lights on is always the goal. That's especially true as the past few years have seen the rise of IT/OT convergence, wherein formerly siloed equipment that runs physical processes for critical infrastructure (operational technology, or OT) has been hooked up to the IT network and the Internet in some cases, exposing it to more cyberthreats. Now, another type of convergence has been forcing a new conversation."
https://www.darkreading.com/cybersecurity-operations/physical-convergence-electrical-grid-cybersecurity
- The Race To Shore Up Europe’s Power Grids Against Cyberattacks And Sabotage
"It was a sunny morning in late April when a massive power outage suddenly rippled across Spain, Portugal, and parts of southwestern France, leaving tens of millions of people without electricity for hours. Cities were plunged into darkness. Trains stopped and metro lines had to be evacuated. Flights were cancelled. Mobile networks and internet providers went down. Roads were gridlocked as traffic lights stopped working. It took 10 hours for power to be restored and 23 hours before the entire national grid in Spain was back up and running, with the incident being deemed the most severe blackout to have affected Europe in the last two decades."
https://www.theregister.com/2025/11/03/europe_power_grid_security/
Industrial Sector
- Hackers Are Attacking Britain’s Drinking Water Suppliers
"Hackers have launched five cyberattacks against Britain's drinking water suppliers since the beginning of last year, according to reports filed with the drinking water watchdog and partially disclosed to Recorded Future News under freedom of information laws. None of the attacks impacted the safe supply of drinking water itself, but instead affected the organizations behind those supplies. The incidents, a record number in any two-year period, highlight what British intelligence warns is an increasing threat posed by malicious cyber actors to the country’s critical infrastructure."
https://therecord.media/britain-water-supply-cybersecurity-incident-reports-dwi-nis
New Tooling
- Heisenberg: Open-Source Software Supply Chain Health Check Tool
"Heisenberg is an open-source tool that checks the health of a software supply chain. It analyzes dependencies using data from deps.dev, Software Bills of Materials (SBOMs), and external advisories to measure package health, detect risks, and generate reports for individual dependencies or entire projects. “We wanted a practical way to catch and block risky changes before they reached the main branch,” Max Feldman, Head of Application Security at AppOmni, told Help Net Security. “The turning point was when we stopped treating SBOMs as static paperwork and started using them as live, actionable data.”"
https://www.helpnetsecurity.com/2025/11/03/heisenberg-open-source-software-supply-chain-health-check-tool/
https://github.com/AppOmni-Labs/heisenberg-ssc-health-check
Vulnerabilities
- Microsoft: Patch For WSUS Flaw Disabled Windows Server Hotpatching
"An out-of-band (OOB) security update that patches an actively exploited Windows Server Update Service (WSUS) vulnerability has broken hotpatching on some Windows Server 2025 devices. KB5070881, the emergency update causing this issue, was released on the same day that several cybersecurity companies confirmed the critical-severity CVE-2025-59287 remote code execution (RCE) flaw was being exploited in the wild. The Netherlands National Cyber Security Centre (NCSC-NL) confirmed the companies' findings, warning IT admins of the increased risk given that a PoC exploit is already available."
https://www.bleepingcomputer.com/news/microsoft/microsoft-patch-for-wsus-flaw-disabled-windows-server-hotpatching/
- Drawn To Danger: Windows Graphics Vulnerabilities Lead To Remote Code Execution And Memory Exposure
"Check Point Research (CPR) identified three security vulnerabilities in the Graphics Device Interface (GDI) in Windows. We promptly reported these issues to Microsoft, and they were addressed in the Patch Tuesday updates in May, July, and August 2025. Vulnerability disclosures such as these highlight the need for proactive measures to mitigate potential risks. Our purpose in publishing this blog after security fixes were implemented is to further raise awareness of these vulnerabilities and provide Windows users with defensive insights and mitigation recommendations. In the following sections, we detail the findings of our fuzzing campaign, which targeted Windows GDI using the EMF format and led to the discovery of these security vulnerabilities."
https://research.checkpoint.com/2025/drawn-to-danger-windows-graphics-vulnerabilities-lead-to-remote-code-execution-and-memory-exposure/
https://www.infosecurity-magazine.com/news/gdi-flaws-enable-rce-windows/
- Claude Pirate: Abusing Anthropic's File API For Data Exfiltration
"Recently, Anthropic added the capability for Claude’s Code Interpreter to perform network requests. This is obviously very dangerous as we will see in this post. At a high level, this post is about a data exfiltration attack chain, where an adversary (either the model or third-party attacker via indirect prompt injection) can exfiltrate data the user has access to. The interesting part is that this is not via hyperlink rendering as we often see, but by leveraging the built-in Anthropic Claude APIs! Let’s explore."
https://embracethered.com/blog/posts/2025/claude-abusing-network-access-and-anthropic-api-for-data-exfiltration/
https://www.securityweek.com/claude-ai-apis-can-be-abused-for-data-exfiltration/
Malware
- SesameOp: Novel Backdoor Uses OpenAI Assistants API For Command And Control
"Microsoft Incident Response – Detection and Response Team (DART) researchers uncovered a new backdoor that is notable for its novel use of the OpenAI Assistants Application Programming Interface (API) as a mechanism for command-and-control (C2) communications. Instead of relying on more traditional methods, the threat actor behind this backdoor abuses OpenAI as a C2 channel as a way to stealthily communicate and orchestrate malicious activities within the compromised environment. To do this, a component of the backdoor uses the OpenAI Assistants API as a storage or relay mechanism to fetch commands, which the malware then runs."
https://www.microsoft.com/en-us/security/blog/2025/11/03/sesameop-novel-backdoor-uses-openai-assistants-api-for-command-and-control/
https://www.bleepingcomputer.com/news/security/microsoft-sesameop-malware-abuses-openai-assistants-api-in-attacks/
- Hacker Steals Over $120 Million From Balancer DeFi Crypto Protocol
"The Balancer Protocol announced that hackers had targeted its v2 pools, with losses reportedly estimated to be more than $128 million. Balancer is a decentralized finance (DeFi) protocol built on the Ethereum blockchain as an automated market maker and liquidity infrastructure layer. It provides flexible pools with custom token mixes, allowing users to deposit assets, earn fees, and let traders swap assets, and it is governed by the BAL token, which had a market cap of $65 million right before the incident."
https://www.bleepingcomputer.com/news/cryptocurrency/hacker-steals-over-120-million-from-balancer-defi-crypto-protocol/
https://therecord.media/crypto-heist-balancer-exploit
- SleepyDuck Malware Invades Cursor Through Open VSX
"A new remote access trojan called SleepyDuck has appeared in the Open VSX IDE extension marketplace, the registry which code editors like Cursor and Windsurf install extensions from, squatting on the same name as another well-known Solidity extension. The extension juan-bianco.solidity-vlang version 0.0.7 was originally published on October 31st as a harmless extension and only later updated to version 0.0.8 on November 1st to include new malicious capabilities after 14,000 downloads. The malware includes sandbox evasion techniques and utilizes an Ethereum contract to update its command and control address in case the original address is taken down."
https://secureannex.com/blog/sleepyduck-malware/
https://www.bleepingcomputer.com/news/security/fake-solidity-vscode-extension-on-open-vsx-backdoors-developers/
https://thehackernews.com/2025/11/malicious-vsx-extension-sleepyduck-uses.html
- Remote Access, Real Cargo: Cybercriminals Targeting Trucking And Logistics
"Proofpoint is tracking a cluster of cybercriminal activity that targets trucking and logistics companies and infects them with RMM tooling for financial gain. Based on our ongoing investigations paired with open-source information, Proofpoint assesses with high confidence that the threat actors are working with organized crime groups to compromise entities in the surface transportation industry — in particular trucking carriers and freight brokers — to hijack cargo freight, leading to the theft of physical goods. The stolen cargo most likely is sold online or shipped overseas. Such crimes can create massive disruptions to supply chains and cost companies millions, with criminals stealing everything from energy drinks to electronics."
https://www.proofpoint.com/us/blog/threat-insight/remote-access-real-cargo-cybercriminals-targeting-trucking-and-logistics
https://www.bleepingcomputer.com/news/security/hackers-use-rmm-tools-to-breach-freighters-and-steal-cargo-shipments/
https://thehackernews.com/2025/11/cybercriminals-exploit-remote.html
https://www.darkreading.com/identity-access-management-security/hackers-weaponize-remote-tools-hijack-cargo-freight
https://therecord.media/cargo-theft-hackers-remote-monitoring-tools
https://www.infosecurity-magazine.com/news/hackers-organized-crime-cargo/
https://www.theregister.com/2025/11/03/cybercriminals_team_up_with_ocgs/
- Cracking XLoader With AI: How Generative Models Accelerate Malware Analysis
"XLoader has been evolving since 2020 as a successor to the FormBook malware family. It specializes in stealing information, hiding its code behind multiple encryption layers, and constantly morphing to evade antivirus tools and sandboxes. Traditional malware analysis is slow and manual—requiring experts to unpack binaries, trace functions, and build decryption scripts by hand. Even sandboxing (running malware in a controlled environment) doesn’t help much, because XLoader decrypts itself only while running and detects when it’s being monitored, keeping its real code hidden."
https://blog.checkpoint.com/research/cracking-xloader-with-ai-how-generative-models-accelerate-malware-analysis/
- Investigation Report: Android/BankBot-YNRK Mobile Banking Trojan
"This report covers the analysis and findings related to three Android application packages (APKs) assessed for malicious behavior. The objective of this assessment was to determine whether the samples exhibited any malicious functionality, assess their potential impact on mobile devices or user data, and identify indicators of compromise (IOCs) relevant to the client’s environment. Each sample was examined using static and dynamic analysis techniques. Detailed behavioral findings and technical indicators are provided in the subsequent sections of this report."
https://www.cyfirma.com/research/investigation-report-android-bankbot-ynrk-mobile-banking-trojan/
https://thehackernews.com/2025/11/researchers-uncover-bankbot-ynrk-and.html
https://www.darkreading.com/vulnerabilities-threats/android-malware-mutes-alerts-drains-crypto-wallets
- Interview With The Chollima III
"We all picture the future in different ways, some more optimistic, others not so much. Many people wrote about it, some foretelling great inventions or warning about social problems, whilst others chose more unrealistic fiction (at least for that time), like Philip K. Dick. He wrote about “andys”, androids whose synthetic existence mimicked that of natural humans, trying to deceive observers into accepting them as such. I know for sure that many would have giggled at the idea at the time, but that future eventually caught up with us in a certain way. Today, it’s become commonplace to see AI being abused to generate deepfakes of influential people and to use them as puppets to promote scams or to video call their employees asking for gift cards or wire transfers."
https://quetzal.bitso.com/p/interview-with-the-chollima-iii
https://hackread.com/north-korean-hackers-video-ai-filter-fake-job-interview/
- DPRK’s Playbook: Kimsuky’s HttpTroy And Lazarus’s New BLINDINGCAN Variant
"In recent weeks, our Threat Labs researchers have uncovered two new toolsets that show just how adaptive the DPRK’s operations have become. Kimsuky, known for its espionage-style campaigns, deployed a new backdoor we’ve named HttpTroy, while Lazarus introduced an upgraded version of its BLINDINGCAN remote access tool. Both attacks reveal the same underlying pattern: stealthy code and layered obfuscation. In this post, we’ll break down how these tools work, what they target and what defenders can learn from the latest moves inside the DPRK playbook."
https://www.gendigital.com/blog/insights/research/dprk-kimsuky-lazarus-analysis
https://thehackernews.com/2025/11/new-httptroy-backdoor-poses-as-vpn.html
- SnakeStealer: How It Preys On Personal Data – And How You Can Protect Yourself
"Infostealers remain one of the most persistent threats on today’s threat landscape. They’re built to quietly siphon off valuable information, typically login credentials and financial and cryptocurrency details, from compromised systems and send it to adversaries. And they do so with great success. ESET researchers have tracked numerous campaigns recently where an infostealer was the final payload. Agent Tesla, Lumma Stealer, FormBook and HoudRAT continue to make the rounds in large numbers, but according to the ESET Threat Report H1 2025, one family surged ahead of the rest in the first half of this year: SnakeStealer."
https://www.welivesecurity.com/en/malware/snakestealer-personal-data-stay-safe/
- Operation SkyCloak: Tor Campaign Targets Military Of Russia & Belarus
"SEQRITE Labs has identified a campaign targeting military personnel of both Russia and Belarus, especially the Russian Airborne Forces and Belarusian Special Forces. The infection chain leads to exposing multiple local services via Tor using obfs4 bridges, allowing the attacker to anonymously communicate via an onion address. In this blog, we will explore the infection chain that uses multiple stages through PowerShell, decoys used to lure the victims, and exposing SSH as a hidden service to unblock traffic for Tor while maintaining persistence."
https://www.seqrite.com/blog/operation-skycloak-tor-campaign-targets-military-of-russia-belarus/
- Tycoon 2FA Phishing Kit Analysis
"The Tycoon 2FA phishing kit is a sophisticated Phishing-as-a-Service (PhaaS) platform that emerged in August 2023, designed to bypass two-factor authentication (2FA) and multi-factor authentication (MFA) protections, primarily targeting Microsoft 365 and Gmail accounts. Utilizing an Adversary-in-the-Middle (AiTM) approach, it employs a reverse proxy server to host deceptive phishing pages that mimic legitimate login interfaces, capturing user credentials and session cookies in real-time. According to the Any.run malware trends tracker, Tycoon 2FA leads with over 64,000 reported incidents this year."
https://www.cybereason.com/blog/tycoon-phishing-kit-analysis
Breaches/Hacks/Leaks
- Data Theft Hits Behavioral Health Network In 3 States
"A Florida-based firm that operates in-patient mental health and addiction recovery treatment facilities in three states is notifying more than 92,000 patients that their personal and sensitive health information may have been compromised in a data theft hack discovered in June. Oglethorpe Inc., which on Friday reported the data security incident to the Maine attorney general, on its website describes itself as a provider of management solutions for health centers, wellness clinics and hospitals that specialize in psychiatric services, drug and alcohol detoxification and rehabilitation, eating disorder therapy and behavioral health counseling."
https://www.bankinfosecurity.com/data-theft-hits-behavioral-health-network-in-3-states-a-29920
- Japanese Retailer Askul Confirms Data Leak After Cyberattack Claimed By Russia-Linked Group
"Japanese office and household goods retailer Askul confirmed that customer and supplier data was leaked following a ransomware attack earlier in October, which disrupted operations across its e-commerce platforms. The company said the breach exposed contact information and inquiry details from users of its online stores — Askul, Lohaco and Soloel Arena — as well as supplier data stored on its internal servers. “We sincerely apologize for the inconvenience and concern caused to our customers, business partners, and other related parties,” Askul said in a statement on Friday."
https://therecord.media/askul-confirms-data-breach-ransomware-incident
General News
- Securing Real-Time Payments Without Slowing Them Down
"In this Help Net Security interview, Arun Singh, CISO at Tyro, discusses what it takes to secure real-time payments without slowing them down. He explains how analytics, authentication, and better industry cooperation can help stay ahead of fraud. Singh also touches on how digital identity and accountability are transforming how trust is built in payments."
https://www.helpnetsecurity.com/2025/11/03/arun-singh-tyro-securing-real-time-payments/
- Employees Keep Finding New Ways Around Company Access Controls
"AI, SaaS, and personal devices are changing how people get work done, but the tools that protect company systems have not kept up, according to 1Password. Tools like SSO, MDM, and IAM no longer align with how employees and AI agents access data. The result is what researchers call the “access-trust gap,” a growing distance between what organizations think they can control and how employees and AI systems access company data. The survey tracks four areas where this gap is widening: AI governance, SaaS and shadow IT, credentials, and endpoint security. Each shows the same pattern of rapid adoption and limited oversight."
https://www.helpnetsecurity.com/2025/11/03/1password-access-trust-gap-report/
- US Cybersecurity Experts Indicted For BlackCat Ransomware Attacks
"Three former employees of cybersecurity incident response companies DigitalMint and Sygnia have been indicted for allegedly hacking the networks of five U.S. companies in BlackCat (ALPHV) ransomware attacks between May 2023 and November 2023. 28-year-old Kevin Tyler Martin of Roanoke, Texas (who pleaded not guilty), 33-year-old Ryan Clifford Goldberg of Watkinsville, Georgia (in federal custody since September 2023), and an unnamed accomplice face charges of conspiracy to interfere with interstate commerce by extortion, and intentional damage to protected computers. If convicted, the defendants could face up to 20 years in prison for extortion and 10 years for damage to computer systems."
https://www.bleepingcomputer.com/news/security/us-cybersecurity-experts-indicted-for-blackcat-ransomware-attacks/
https://cyberscoop.com/incident-response-ransomware-professionals-charged-attacks/
https://www.theregister.com/2025/11/03/rogue_ransomware_negotiators/
- Nation-State, Cyber And Hacktivist Threats Pummel Europe
"Cyberattacks targeting European organizations shape and are shaped by geopolitical events, whether they involve nation-state hackers, financially motivated cybercriminals or opportunistic hacktivists. Many attacks stem from Russia's invasion of Ukraine in February 2022, lately including coordinated operations with North Korea, says cybersecurity firm CrowdStrike in an assessment of continental cyberthreats over a 21-month period from January 2024 through September."
https://www.bankinfosecurity.com/nation-state-cyber-hacktivist-threats-pummel-europe-a-29914
https://www.crowdstrike.com/en-us/resources/reports/2025-european-threat-landscape-report/
https://www.infosecurity-magazine.com/news/leak-site-ransomware-victims-spike/
- A New Way To Think About Zero Trust For Workloads
"Static credentials have been a weak point in cloud security for years. A new paper by researchers from SentinelOne takes direct aim at that issue with a practical model for authenticating workloads without long-lived secrets. Instead of relying on static keys, the team proposes using temporary, verifiable tokens that expire within minutes."
https://www.helpnetsecurity.com/2025/11/03/research-zero-trust-workload-authentication/
https://arxiv.org/pdf/2510.16067
- Alleged Jabber Zeus Coder ‘MrICQ’ In U.S. Custody
"A Ukrainian man indicted in 2012 for conspiring with a prolific hacking group to steal tens of millions of dollars from U.S. businesses was arrested in Italy and is now in custody in the United States, KrebsOnSecurity has learned. Sources close to the investigation say Yuriy Igorevich Rybtsov, a 41-year-old from the Russia-controlled city of Donetsk, Ukraine, was previously referenced in U.S. federal charging documents only by his online handle “MrICQ.” According to a 13-year-old indictment (PDF) filed by prosecutors in Nebraska, MrICQ was a developer for a cybercrime group known as “Jabber Zeus.”"
https://krebsonsecurity.com/2025/11/alleged-jabber-zeus-coder-mricq-in-u-s-custody/
https://securityaffairs.com/184158/cyber-crime/jabber-zeus-developer-mricq-extradited-to-us-from-italy.html
https://www.securityweek.com/ukrainian-extradited-to-us-faces-charges-in-jabber-zeus-cybercrime-case/
- How Software Development Teams Can Securely And Ethically Deploy AI Tools
"At this point, artificial intelligence (AI)/large language models (LLMs) have emerged as a superpower of sorts for software developers, enabling them to work faster and more prolifically. But teams deploying these tech tools should keep in mind that – regardless of the supersized boost in capabilities – human oversight must take the lead when it comes to security accountability."
https://www.securityweek.com/how-software-development-teams-can-securely-and-ethically-deploy-ai-tools/
- CISO Burnout – Epidemic, Endemic, Or Simply Inevitable?
"CISO burnout is increasing. Are we simply more aware of the condition? Or have demands on the CISO grown and burnout is now the inevitable result? In 2019, burnout was defined by the World Health Organization as an occupational phenomenon rather than a medical condition. In 2025, this non-medical condition, initially given the same symptoms as a bad headache (exhaustion, negativism, and reduced efficacy) has become endemic within cybersecurity, affecting team members and CISOs alike."
https://www.securityweek.com/ciso-burnout-epidemic-endemic-or-simply-inevitable/
References
Electronic Transactions Development Agency (ETDA)