NCSA Webboard

    Cyber Threat Intelligence 20 November 2025

    Cyber Security News
    Posted by NCSA_THAICERT

      New Tooling

      • Metis: Open-Source, AI-Driven Tool For Deep Security Code Review
        "Metis is an open source tool that uses AI to help engineers run deep security reviews on code. Arm’s product security team built Metis to spot subtle flaws that are often buried in large or aging codebases where traditional tools struggle. Metis relies on LLMs that can analyze code with semantic reasoning instead of fixed rules. Arm says this gives the tool an edge over linters and other static analysis systems that depend on signatures or pattern matching. The goal is to help engineers find issues that might otherwise slip through manual review, while also cutting down on review fatigue."
        https://www.helpnetsecurity.com/2025/11/19/metis-open-source-code-review/
        https://github.com/arm/metis

      Vulnerabilities

      • W3 Total Cache WordPress Plugin Vulnerable To PHP Command Injection
        "A critical flaw in the W3 Total Cache (W3TC) WordPress plugin can be exploited to run PHP commands on the server by posting a comment that contains a malicious payload. The vulnerability, tracked as CVE-2025-9501, affects all versions of the W3TC plugin prior to 2.8.13 and is described as an unauthenticated command injection. W3TC is installed on more than one million websites to increase performance and reduce load times."
        https://www.bleepingcomputer.com/news/security/w3-total-cache-wordpress-plugin-vulnerable-to-php-command-injection/
        https://wpscan.com/vulnerability/6697a2c9-63ae-42f0-8931-f2e5d67d45ae/
      • From Prompt To Pwn: Cline Bot AI Coding Agent Vulnerabilities
        "Pair programming can be a useful methodology, but normally you have agency in vetting your partner. As far as teammates go, AI coding assistants are like the golden retrievers of development: endlessly eager, wildly helpful, and perhaps a little too trusting. In this post, we’ll show how a clever attacker can slip prompt injections into your source files, turning your helpful partner into a hazard."
        https://mindgard.ai/resources/cline-coding-agent-vulnerabilities
        https://hackread.com/cline-bot-ai-agent-vulnerable-data-theft-code-execution/
      • When AI Turns On Its Team: Exploiting Agent-To-Agent Discovery Via Prompt Injection
        "Earlier this year, I discovered a combination of behaviors within ServiceNow’s Now Assist AI implementation that can facilitate a unique kind of second-order prompt injection attack. Through this behavior, I instructed a seemingly benign Now Assist agent to recruit more powerful agents in fulfilling a malicious and unintended task. This included performing Create, Read, Update, and Delete (CRUD) actions on record data and sending external emails containing contents of other records, all while the ServiceNow prompt injection protection feature was enabled."
        https://appomni.com/ao-labs/ai-agent-to-agent-discovery-prompt-injection/
        https://thehackernews.com/2025/11/servicenow-ai-agents-can-be-tricked.html
        https://www.bankinfosecurity.com/misconfigured-ai-agents-let-attacks-slip-past-controls-a-30068
      • CISA Adds One Known Exploited Vulnerability To Catalog
        "CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
        CVE-2025-58034 Fortinet FortiWeb OS Command Code Injection Vulnerability"
        https://www.cisa.gov/news-events/alerts/2025/11/18/cisa-adds-one-known-exploited-vulnerability-catalog
        https://www.bleepingcomputer.com/news/security/cisa-gives-govt-agencies-7-days-to-patch-new-fortinet-flaw/
        https://securityaffairs.com/184832/hacking/u-s-cisa-adds-a-new-fortinet-fortiweb-flaw-to-its-known-exploited-vulnerabilities-catalog.html
      • CISA Adds One Known Exploited Vulnerability To Catalog
        "CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
        CVE-2025-13223 Google Chromium V8 Type Confusion Vulnerability"
        https://www.cisa.gov/news-events/alerts/2025/11/19/cisa-adds-one-known-exploited-vulnerability-catalog
        https://securityaffairs.com/184856/hacking/u-s-cisa-adds-a-google-chromium-v8-flaw-to-its-known-exploited-vulnerabilities-catalog.html
      • Comet’s MCP API Allows AI Browsers To Execute Local Commands
        "SquareX has discovered a critical security vulnerability in Comet, Perplexity’s AI browser, that fundamentally compromises user trust and device security. Our research reveals that Comet has implemented an MCP API that allows its embedded extensions to execute arbitrary local commands on host devices without explicit user permission, capabilities that traditional browsers explicitly prohibit to confine the damage web threats can do to the browser."
        https://labs.sqrx.com/comet-mcp-api-allows-ai-browsers-to-execute-local-commands-dec185fb524b

      Malware

      • PlushDaemon Compromises Network Devices For Adversary-In-The-Middle Attacks
        "ESET researchers provide insights into how PlushDaemon performs adversary-in-the-middle attacks using a previously undocumented network implant that we have named EdgeStepper, which redirects all DNS queries to an external, malicious hijacking node, effectively rerouting the traffic from legitimate infrastructure used for software updates to attacker-controlled infrastructure."
        https://www.welivesecurity.com/en/eset-research/plushdaemon-compromises-network-devices-for-adversary-in-the-middle-attacks/
        https://www.bleepingcomputer.com/news/security/plushdaemon-hackers-hijack-software-updates-in-supply-chain-attacks/
        https://thehackernews.com/2025/11/edgestepper-implant-reroutes-dns.html
        https://therecord.media/china-aligned-threat-actor-espionage-network-devices
        https://www.infosecurity-magazine.com/news/plushdaemon-new-malware-china-spy/
        https://www.helpnetsecurity.com/2025/11/19/eset-plushdaemon-dns-hijacking/
      • WrtHug Exploits Six ASUS WRT Flaws To Hijack Tens Of Thousands Of EoL Routers Worldwide
        "A newly discovered campaign has compromised tens of thousands of outdated or end-of-life (EoL) ASUS routers worldwide, predominantly in Taiwan, the U.S., and Russia, to rope them into a massive network. The router hijacking activity has been codenamed Operation WrtHug by SecurityScorecard's STRIKE team. Southeast Asia and European countries are some of the other regions where infections have been recorded. The attacks likely involve the exploitation of six known security flaws in end-of-life ASUS WRT routers to take control of susceptible devices. All the infected routers have been found to share a unique self-signed TLS certificate with an expiration date set for 100 years from April 2022."
        https://thehackernews.com/2025/11/wrthug-exploits-six-asus-wrt-flaws-to.html
        https://www.bleepingcomputer.com/news/security/new-wrthug-campaign-hijacks-thousands-of-end-of-life-asus-routers/
        https://www.infosecurity-magazine.com/news/chinal-operation-wrthug-thousands/
        https://www.theregister.com/2025/11/19/thousands_more_asus_routers_pwned/
        https://www.bankinfosecurity.com/asus-routers-hacked-in-wrthug-campaign-a-30064
        https://securityaffairs.com/184841/cyber-crime/operation-wrthug-hijacks-50000-asus-routers-to-build-a-global-botnet.html
      • Meet ShinySp1d3r: New Ransomware-As-a-Service Created By ShinyHunters
        "An in-development build of the upcoming ShinySp1d3r ransomware-as-a-service platform has surfaced, offering a preview of the upcoming extortion operation. ShinySp1d3r is the name of an emerging RaaS created by threat actors associated with the ShinyHunters and Scattered Spider extortion groups. These threat actors have traditionally used other ransomware gangs' encryptors in attacks, including ALPHV/BlackCat, Qilin, RansomHub, and DragonForce, but are now creating their own operation to deploy attacks themselves and their affiliates."
        https://www.bleepingcomputer.com/news/security/meet-shinysp1d3r-new-ransomware-as-a-service-created-by-shinyhunters/
      • New Amazon Threat Intelligence Findings: Nation-State Actors Bridging Cyber And Kinetic Warfare
        "The line between cyber warfare and traditional kinetic operations is rapidly blurring. Recent investigations by Amazon threat intelligence teams have uncovered a new trend that they’re calling cyber-enabled kinetic targeting in which nation-state threat actors systematically use cyber operations to enable and enhance physical operations. Traditional cybersecurity frameworks often treat digital and physical threats as separate domains. However, research by Amazon demonstrates that this separation is increasingly artificial. Multiple nation-state threat groups are pioneering a new operational model where cyber reconnaissance directly enables kinetic targeting."
        https://aws.amazon.com/blogs/security/new-amazon-threat-intelligence-findings-nation-state-actors-bridging-cyber-and-kinetic-warfare/
        https://cyberscoop.com/amazon-cyber-enabled-kinetic-targeting/
        https://www.securityweek.com/amazon-details-irans-cyber-enabled-kinetic-attacks-linking-digital-spying-to-physical-strikes/
        https://www.theregister.com/2025/11/19/amazon_cso_warfare_cyber_kinetic/
      • Hackers Actively Exploiting 7-Zip Symbolic Link–Based RCE Vulnerability (CVE-2025-11001)
        "A recently disclosed security flaw impacting 7-Zip has come under active exploitation in the wild, according to an advisory issued by the U.K. NHS England Digital on Tuesday. The vulnerability in question is CVE-2025-11001 (CVSS score: 7.0), which allows remote attackers to execute arbitrary code. It has been addressed in 7-Zip version 25.00 released in July 2025. 'The specific flaw exists within the handling of symbolic links in ZIP files. Crafted data in a ZIP file can cause the process to traverse to unintended directories,' Trend Micro's Zero Day Initiative (ZDI) said in an alert released last month. 'An attacker can leverage this vulnerability to execute code in the context of a service account.'"
        https://thehackernews.com/2025/11/hackers-actively-exploiting-7-zip.html
        https://digital.nhs.uk/cyber-alerts/2025/cc-4719
        https://securityaffairs.com/184850/security/7-zip-rce-flaw-cve-2025-11001-actively-exploited-in-attacks-in-the-wild.html
        https://www.helpnetsecurity.com/2025/11/19/7-zip-vulnerability-is-being-actively-exploited-nhs-england-warns-cve-2025-11001/
      • SpiderLabs IDs New Banking Trojan Distributed Through WhatsApp
        "Trustwave SpiderLabs researchers have recently identified a banking Trojan we dubbed Eternidade Stealer, which is distributed through WhatsApp hijacking and social engineering lures. In this blog post, we will break down the techniques used in the campaign and highlight the new tools employed by the threat group."
        https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/spiderlabs-ids-new-banking-trojan-distributed-through-whatsapp/
        https://thehackernews.com/2025/11/python-based-whatsapp-worm-spreads.html
        https://www.infosecurity-magazine.com/news/eternidade-stealer-trojan-brazil/

      Breaches/Hacks/Leaks

      • Researchers Claim 'Largest Leak Ever' After Uncovering WhatsApp Enumeration Flaw
        "Researchers in Austria used a flaw in WhatsApp to gather the personal data of more than 3.5 billion users in what they believe amounts to the 'largest data leak in history.' The messaging platform allows users to look up others' details by inputting their phone numbers. The feature, which has been part of the platform for years, can be abused to enumerate user data, including phone number, name, and in some cases their profile image if they have one set."
        https://www.theregister.com/2025/11/19/whatsapp_enumeration_flaw/
        https://github.com/sbaresearch/whatsapp-census/blob/main/Hey_there_You_are_using_WhatsApp.pdf
      • Hacker Selling Alleged Samsung Medison Data Stolen In 3rd Party Breach
        "A hacker using the alias 888 on a cybercrime forum is offering internal records and data they claim belong to Samsung. In a post dated 13 November 2025, the hacker says the breach came from an attack on a third-party contractor, giving them access to data from several companies, including Samsung. The hacker says the files include source code, private keys, SMTP credentials, configuration files, hardcoded credentials and user PII taken from a healthcare backup. The post also lists access to MSSQL and AWS S3. In a note, the hacker adds that the MSSQL and AWS S3 data were already exported and dumped, and that the access itself was an extra item they were offering."
        https://hackread.com/hacker-samsung-medison-data-breach-3rd-party/
      • Major Russian Insurer Facing Widespread Outages After Cyberattack
        "Russian insurer VSK has spent a week attempting to restore services after a major cyberattack damaged its systems, knocking offline its website, mobile app and other services used by millions of customers. One of Russia’s largest universal insurers, Moscow-based VSK serves about 33 million people and more than 500,000 businesses and provides property, transport, health, travel, cargo and corporate insurance."
        https://therecord.media/russia-vsk-cyberattack-outages

      General News

      • The Long Conversations That Reveal How Scammers Work
        "Online scammers often take weeks to build trust before making a move, which makes their work hard to study. A research team from UC San Diego built a system that does the patient work of talking to scammers at scale, and the result offers a look into how long-game fraud unfolds. Their system, called CHATTERBOX, uses synthetic personas, an LLM-driven conversational engine, and human oversight to gather conversations that stretch across platforms and formats."
        https://www.helpnetsecurity.com/2025/11/19/research-how-scammers-work/
        https://arxiv.org/pdf/2510.23927
      • California Man Admits To Laundering Crypto Stolen In $230M Heist
        "A 45-year-old from Irvine, California, has pleaded guilty to laundering at least $25 million stolen in a massive $230 million cryptocurrency heist. Kunal Mehta (also known as 'Papa,' 'The Accountant,' and 'Shrek') is the eighth defendant to plead guilty for his participation in this scheme following charges brought by the Department of Justice in May 2025. According to court documents, the defendant was part of a large group that, through social engineering, gained access to victims' cryptocurrency accounts between October 2023 and March 2025 and transferred funds into crypto wallets under their control."
        https://www.bleepingcomputer.com/news/security/california-man-admits-to-laundering-crypto-stolen-in-230m-heist/
      • Cloudflare Blames This Week's Massive Outage On Database Issues
        "On Tuesday, Cloudflare experienced its worst outage in 6 years, blocking access to many websites and online platforms for almost 6 hours after a change to database access controls triggered a cascading failure across its Global Network. The company's Global Network is a distributed infrastructure of servers and data centers across more than 120 countries, providing content delivery, security, and performance optimization services and connecting Cloudflare to over 13,000 networks, including every major ISP, cloud provider, and enterprise worldwide. Matthew Prince, the company's CEO, said in a post-mortem published after the outage was mitigated that the service disruptions were not caused by a cyberattack."
        https://www.bleepingcomputer.com/news/technology/cloudflare-blames-this-weeks-massive-outage-on-database-issues/
        https://www.darkreading.com/cyber-risk/cloudflare-blames-outage-internal-error
      • The 6 URL Shorteners You Didn't Know Were Helping Hackers
        "Threat actors are constantly evolving and adapting by discovering new, unique ways to bypass email-based security controls. One key method they exploit is the abuse of URL shortening services (also known as URL shorteners or link shorteners). These legitimate online tools allow users and businesses to make short aliases of longer URLs for a variety of reasons including aesthetics, easier sharing, gathering analytics, or improving perceived legitimacy. Threat actors take advantage of the tools offered by link shortening services to deliver malware and credential phishing. Cofense Intelligence has identified the most commonly abused legitimate URL shortening services, as shown in Table 1."
        https://cofense.com/blog/the-6-url-shorteners-you-didn-t-know-were-helping-hackers
      • IT Threat Evolution In Q3 2025. Non-Mobile Statistics
        "The UK’s National Crime Agency (NCA) arrested the first suspect in connection with a ransomware attack that caused disruptions at numerous European airports in September 2025. Details of the arrest have not been published as the investigation remains ongoing. According to security researcher Kevin Beaumont, the attack employed the HardBit ransomware, which he described as primitive and lacking its own data leak site."
        https://securelist.com/malware-report-q3-2025-pc-iot-statistics/118020/
        https://securelist.com/malware-report-q3-2025-mobile-statistics/118013/
      • AI Is Supercharging Phishing: Here’s How To Fight Back
        "Phishing continues to be one of the most widespread and effective tactics, techniques, and procedures (TTPs) in today’s cyber threat landscape. It often serves as a gateway to data breaches that can have devastating consequences for organizations and individuals alike. For example, General Dynamics, a leading aerospace and defense contractor, reported in late 2024 that a phishing attack targeting its personnel resulted in threat actors compromising dozens of employee benefits accounts."
        https://www.securityweek.com/ai-is-supercharging-phishing-heres-how-to-fight-back/
      • Selling Technology Investments To The Board: A Strategic Guide For CISOs And CIOs
        "In today's enterprise environment, technology investments are no longer judged solely by their technical sophistication. Approval depends on their ability to support business goals, mitigate risk, and create value for shareholders. CIOs and CISOs are expected to present their strategies not as technical upgrades but as business enablers. The challenge is not just making the right investments, but framing them in ways that resonate at the boardroom level."
        https://www.theregister.com/2025/11/19/zscaler-selling-technology-investments/
      • Half Of Ransomware Access Due To Hijacked VPN Credentials
        "Ransomware surged in Q3 2025, with just three groups accounting for the majority of cases (65%), and initial access most commonly achieved via compromised VPN credentials, according to Beazley Security. The Beazley Insurance subsidiary said Akira, Qilin and INC Ransomware were the most prolific groups in the third quarter, which saw 11% more leak posts than the previous three months. As per Q2, the use of valid credentials to access VPNs was the most common method of initial access, accounting for half (48%) of breaches, up from 38% the prior quarter. External service exploits were the second most popular technique, comprising 23% of cases."
        https://www.infosecurity-magazine.com/news/half-ransomware-access-hijacked/
      • CISA Releases Guide To Mitigate Risks From Bulletproof Hosting Providers
        "Today, the Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with the U.S. National Security Agency, U.S. Department of Defense Cyber Crime Center, U.S. Federal Bureau of Investigation, and international partners, released the guide Bulletproof Defense: Mitigating Risks from Bulletproof Hosting Providers to help Internet Service Providers (ISPs) and network defenders mitigate cybercriminal activity enabled by Bulletproof Hosting (BPH) providers."
        https://www.cisa.gov/news-events/alerts/2025/11/19/cisa-releases-guide-mitigate-risks-bulletproof-hosting-providers
        https://www.cisa.gov/resources-tools/resources/bulletproof-defense-mitigating-risks-bulletproof-hosting-providers
      • United States, Australia, And United Kingdom Sanction Russian Cybercrime Infrastructure Supporting Ransomware
        "Today, the Department of the Treasury’s Office of Foreign Assets Control (OFAC), Australia’s Department of Foreign Affairs and Trade, and the United Kingdom’s Foreign Commonwealth and Development Office are announcing coordinated sanctions targeting Media Land, a Russia-based bulletproof hosting (BPH) service provider, for its role in supporting ransomware operations and other forms of cybercrime. OFAC is also designating three members of Media Land’s leadership team and three of its sister companies in coordination with the Federal Bureau of Investigation."
        https://home.treasury.gov/news/press-releases/sb0319
        https://www.bleepingcomputer.com/news/security/us-sanctions-russian-bulletproof-hosting-provider-media-land-over-ransomware-ties/
        https://therecord.media/bulletproof-hosting-sanctions-ransomware
        https://www.bankinfosecurity.com/us-allies-sanction-russian-bulletproof-ransomware-host-a-30067
        https://cyberscoop.com/bulletproof-hosting-providers-sanctions-mitigation-media-land/
        https://hackread.com/uk-bulletproof-hosting-operator-lockbit-evil-corp/
        https://www.theregister.com/2025/11/20/russian_bph_medialand_sanctioned/
      • The AI Attack Surface: How Agents Raise The Cyber Stakes
        "Agentic AI tools are susceptible to the same risks as large language model (LLM) chatbots, but their autonomous capabilities may make their capacity to leak data and compromise organizations even worse. AI agents have taken the world by storm in recent months, as companies have bought and sold these tools under the premise that an advanced LLM could autonomously reason and complete tasks at a professional level, without much human interaction. But as time progresses, security concerns in the new AI age have grown more complex."
        https://www.darkreading.com/application-security/ai-attack-surface-agents-cyber-stakes
      • Critical Railway Braking Systems Open To Tampering
        "Researchers have figured out how to spoof the signals that tell train conductors to brake, opening the door to any number of dangerous attack scenarios. When a large, moving train is rolling down the tracks toward an oncoming obstacle, one can't rely solely on a conductor to handle what's ahead. To account for human error, in emergency circumstances, you need a system built into the train itself that can automatically bring the stock to a halt."
        https://www.darkreading.com/ics-ot-security/critical-railway-braking-systems-tampering
      • Stop Of The Month: How Threat Actors Weaponize AI Assistants With Indirect Prompt Injection
        "AI is increasingly being used across workplaces to improve operational efficiencies and get work done faster. And just as organizations are adopting it for improved productivity, threat actors are using it to launch more sophisticated, hyper-personalized attacks at a massive scale. A new and dangerous attack vector has emerged that targets the AI models themselves: prompt injection. It’s already ranked as the No. 1 vulnerability on the OWASP Top 10 for Large Language Model (LLM) Applications, and for good reason."
        https://www.proofpoint.com/us/blog/email-and-cloud-threats/stop-month-how-threat-actors-weaponize-ai-assistants-indirect-prompt

      References
      Electronic Transactions Development Agency (ETDA)
