Cyber Threat Intelligence 11 December 2025
Industrial Sector
- ICS Patch Tuesday: Vulnerabilities Fixed By Siemens, Rockwell, Schneider
"Industrial giants Siemens, Rockwell Automation, Schneider Electric, and Phoenix Contact have published Patch Tuesday advisories informing customers about vulnerabilities found in their ICS/OT products. Siemens has published 14 new advisories. An overall severity rating of ‘critical’ has been assigned to three advisories covering dozens of third-party component vulnerabilities affecting Comos, Sicam T, and Ruggedcom ROX products."
https://www.securityweek.com/ics-patch-tuesday-vulnerabilities-fixed-by-siemens-rockwell-schneider/
New Tooling
- UTMStack: Open-Source Unified Threat Management Platform
"UTMStack is an open-source unified threat management platform that brings SIEM and XDR features into one system. The project focuses on real time correlation of log data, threat intelligence, and malware activity patterns gathered from different sources. The goal is to help organizations identify and halt complex threats that rely on stealthy techniques."
https://www.helpnetsecurity.com/2025/12/10/utmstack-open-source-unified-threat-management-platform/
https://github.com/utmstack/UTMStack
Vulnerabilities
- Vulnerabilities Identified In PCIe Integrity And Data Encryption (IDE) Protocol Specification
"PCI Express Integrity and Data Encryption (PCIe IDE), introduced in the PCIe 6.0 standard, provides link-level encryption and integrity protection for data transferred across PCIe connections. Several issues were identified in the IDE specification that could allow an attacker with local access to influence data consumed on the link. The PCIe 6.0 IDE Erratum provides corrective guidance, and firmware and hardware updates are expected to address these concerns."
https://kb.cert.org/vuls/id/404544
https://thehackernews.com/2025/12/three-pcie-encryption-weaknesses-expose.html
https://www.securityweek.com/intel-amd-processors-affected-by-pcie-vulnerabilities/
- CISA Adds Two Known Exploited Vulnerabilities To Catalog
"CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
CVE-2025-6218 RARLAB WinRAR Path Traversal Vulnerability
CVE-2025-62221 Microsoft Windows Use After Free Vulnerability"
https://www.cisa.gov/news-events/alerts/2025/12/09/cisa-adds-two-known-exploited-vulnerabilities-catalog
https://thehackernews.com/2025/12/warning-winrar-vulnerability-cve-2025.html
https://securityaffairs.com/185523/security/u-s-cisa-adds-microsoft-windows-and-winrar-flaws-to-its-known-exploited-vulnerabilities-catalog.html
- SOAPwn: Pwning .NET Framework Applications Through HTTP Client Proxies And WSDL
"Welcome back! As we near the end of 2025, we are, of course, waiting for the next round of SSLVPN exploitation to occur in January (as it did in 2024 and 2025). Weeeeeeeee. Before then, we want to clear the decks and see how much research we can publish. This year at Black Hat Europe, Piotr Bazydlo presented “SOAPwn: Pwning .NET Framework Applications Through HTTP Client Proxies And WSDL”. This research ultimately led to the identification of new primitives in the .NET Framework that, while Microsoft decided deserved DONOTFIX (repeatedly), were successfully weaponized against enterprise-grade appliances to achieve Remote Code Execution."
https://labs.watchtowr.com/soapwn-pwning-net-framework-applications-through-http-client-proxies-and-wsdl/
https://thehackernews.com/2025/12/net-soapwn-flaw-opens-door-for-file.html
https://www.theregister.com/2025/12/10/microsoft_wont_fix_net_rce/
Malware
- Opportunistic Pro-Russia Hacktivists Attack US And Global Critical Infrastructure
"CISA, in partnership with Federal Bureau of Investigation, the National Security Agency, Department of Energy, Environmental Protection Agency, the Department of Defense Cyber Crime Center, and other international partners published a joint cybersecurity advisory, Pro-Russia Hacktivists Create Opportunistic Attacks Against US and Global Critical Infrastructure."
https://www.cisa.gov/news-events/alerts/2025/12/09/opportunistic-pro-russia-hacktivists-attack-us-and-global-critical-infrastructure
https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-343a
https://www.darkreading.com/threat-intelligence/hactivists-target-critical-infrastructure
https://therecord.media/doj-cisa-warn-russia-hackers-targeting-critical-infrastructure
https://www.infosecurity-magazine.com/news/russia-hackers-target-us-critical/
- Infostealer Has Entered The Chat
"Infostealers — malware that steals passwords, cookies, documents, and/or other valuable data from computers — have become 2025’s fastest-growing cyberthreat. This is a critical problem for all operating systems and all regions. To spread their infection, criminals use every possible trick to use as bait. Unsurprisingly, AI tools have become one of their favorite luring mechanisms this year. In a new campaign discovered by Kaspersky experts, the attackers steer their victims to a website that supposedly contains user guides for installing OpenAI’s new Atlas browser for macOS. What makes the attack so convincing is that the bait link leads to… the official ChatGPT website! But how?"
https://www.kaspersky.co.uk/blog/share-chatgpt-chat-clickfix-macos-amos-infostealer/29796/
https://www.bleepingcomputer.com/news/security/google-ads-for-shared-chatgpt-grok-guides-push-macos-infostealer-malware/
- Phishers Get Creative: The NoteGPT Twist You Didn’t See Coming
"NoteGPT is an AI-generated tool that converts lengthy lectures, meetings, or videos into concise, easy-to-read notes in just seconds. While seemingly useful, threat actors are now exploiting it to host fake files and lure victims. They upload malicious content to NoteGPT, then share what appears to be a harmless “document” or “note”. Because NoteGPT is a legitimate platform, many users let their guard down. Once victims click through, they’re redirected to credential phishing pages disguised as familiar login portals like Microsoft or Google. At this point, users are asked to sign in to access the file, unknowingly handing their credentials straight to threat actors."
https://cofense.com/blog/phishers-get-creative-the-notegpt-twist-you-didn-t-see-coming
- AMOS Stealer Exploits AI Trust: Malware Delivered Through ChatGPT And Grok
"On December 5, 2025, Huntress triaged an Atomic macOS Stealer (AMOS) alert that initially appeared routine: data exfiltration, standard AMOS persistence, and no unusual infection chain indicators in the telemetry. We expected to find the standard delivery vectors: a phishing link, a trojanized installer, maybe a ClickFix lure. None of those were present: no phishing email, no malicious installer, and no familiar ClickFix-style lure."
https://www.huntress.com/blog/amos-stealer-chatgpt-grok-ai-trust
https://www.darkreading.com/vulnerabilities-threats/clickfix-style-attack-grok-chatgpt-malware
- Fake Leonardo DiCaprio Movie Torrent Drops Agent Tesla Through Layered PowerShell Chain
"After noticing a spike in detections involving what looked like a movie torrent for One Battle After Another, Bitdefender researchers started an investigation and discovered that it was a complex infection chain. The film, Leonardo DiCaprio's latest, has quickly gained notoriety, making it an attractive lure for cybercriminals seeking to infect as many devices as possible."
https://www.bitdefender.com/en-us/blog/labs/fake-leonardo-dicaprio-movie-torrent-agent-tesla-powershell
https://hackread.com/dicaprio-one-battle-after-another-torrent-agent-tesla/
- PeerBlight Linux Backdoor Exploits React2Shell CVE-2025-55182
"Huntress is seeing threat actors exploit a vulnerability in React Server Components (CVE-2025-55182) across several organizations in our customer base. Attackers have attempted to deploy cryptominer malware, a Linux backdoor we're tracking as PeerBlight, a reverse proxy tunnel we call CowTunnel, and a Go-based post-exploitation implant dubbed ZinFoq as part of their post-exploitation activity. We also observed a Kaiji botnet variant being distributed through this campaign. We recommend immediate patching due to the feasibility of exploitation."
https://www.huntress.com/blog/peerblight-linux-backdoor-exploits-react2shell
https://thehackernews.com/2025/12/react2shell-exploitation-delivers.html
- Gogs 0-Day Exploited In The Wild
"On July 10th, the Wiz Threat Research team observed malware findings on public-facing instances of Gogs, a popular self-hosted Git service. What began as a routine investigation into an infected machine turned into the accidental discovery of a live zero-day vulnerability. During our analysis of the exploitation attempts, we identified that the threat actor was leveraging a previously unknown flaw to compromise instances. We responsibly disclosed this vulnerability to the maintainers. They are currently working on a fix, but active exploitation continues in the wild."
https://www.wiz.io/blog/wiz-research-gogs-cve-2025-8110-rce-exploit
https://www.theregister.com/2025/12/10/gogs_0day_under_active_exploitation/
- 01flip: Multi-Platform Ransomware Written In Rust
"In June 2025, we observed a new ransomware family named 01flip targeting a limited set of victims in the Asia-Pacific region. 01flip ransomware is fully written in the Rust programming language and supports multi-platform architectures by leveraging the cross-compilation feature of Rust. These financially motivated attackers likely carried this out through manual means. We have confirmed an alleged data leak from an affected organization on a dark web forum shortly after the attack. We are currently tracking this activity as CL-CRI-1036, signifying a cluster of malicious activity that is likely related to cybercrime."
https://unit42.paloaltonetworks.com/new-ransomware-01flip-written-in-rust/
- ClickFix Social Engineering Sparks Rise Of CastleLoader Attacks
"A new malware campaign using a Python-based delivery chain to deploy the emerging CastleLoader family has been discovered by cybersecurity researchers. According to Blackpoint, the activity revolves around the use of ClickFix social engineering prompts that convince users to open the Windows Run dialog and execute a command that appears to be part of a harmless verification step. That single action initiates a multi-stage sequence that quietly downloads, decrypts and runs an attacker-controlled payload in memory."
https://www.infosecurity-magazine.com/news/clickfix-rise-castleloader-attacks/
- Total Takeover: DroidLock Hijacks Your Device
"The zLabs research team has identified a new threat campaign targeting Spanish Android users. DroidLock, a malware more accurately classified as ransomware, propagates via phishing websites. It has the ability to lock device screens with a ransomware-like overlay and illegally acquire app lock credentials, leading to a total takeover of the compromised device. It employs deceptive system update screens to trick victims and can stream and remotely control devices via VNC. The malware also exploits device administrator privileges to lock or erase data, capture the victim's image with the front camera, and silence the device. Overall, it utilizes 15 distinct commands to interact with its C2 panel."
https://zimperium.com/blog/total-takeover-droidlock-hijacks-your-device
https://www.bleepingcomputer.com/news/security/new-droidlock-malware-locks-android-devices-and-demands-a-ransom/
- Operation FrostBeacon: Multi-Cluster Cobalt Strike Campaign Targets Russia
"Seqrite Labs has identified a targeted malware campaign, tracked as Operation FrostBeacon, which is delivering Cobalt Strike beacons to companies within the Russian Federation. The phishing emails indicate that the threat group is financially motivated and targets organizations responsible for payments, contracts, reconciliation, and legal risk. More than 20 initial infection files have been observed where the intrusion relies on a multi-layered infection chain with two different clusters; one infects through phishing archive files that contain malicious shortcut files. The second cluster leverages the legacy CVE-2017-0199 template injection vulnerability and even chains it with another old Equation Editor vulnerability, CVE-2017-11882."
https://www.seqrite.com/blog/operation-frostbeacon-multi-cluster-cobalt-strike-campaign-targets-russia/
Breaches/Hacks/Leaks
- Thousands Of Exposed Secrets Found On Docker Hub, Putting Organizations At Risk
"For years, there’s been a saying in the security world: hackers don’t need to hack anymore – the keys are handed to them on a silver platter. But is that really true? That question is what sparked our research into exposed secrets on Docker Hub. We designed a methodology to analyze leaked credentials, validate which were real, and investigate their origin: who they belonged to, the environments they granted access to, and the potential blast radius to both the affected organizations and the wider ecosystem."
https://flare.io/learn/resources/docker-hub-secrets-exposed/
https://www.bleepingcomputer.com/news/security/over-10-000-docker-hub-images-found-leaking-credentials-auth-keys/
- Russia’s Flagship Airline Hacked Through Little-Known Tech Vendor, According To New Report
"A cyberattack that forced Russia’s flagship airline to cancel dozens of flights this summer was linked to a little-known Moscow software developer that had maintained access to the carrier’s internal systems, according to a new investigation. The report by the independent outlet The Bell, which is designated a “foreign agent” in Russia, is based on interviews with anonymous sources close to the company and involved in the incident’s investigation. It offers the most detailed account to date of what has become one of the largest cyberattacks in Russia since the full-scale invasion of Ukraine began."
https://therecord.media/russia-flagship-airline-hacked-through-little-known-vendor
General News
- Stranger Threats Are Coming: Group-IB Cyber Predictions For 2026 And Beyond
"The speed, nature, and intent of cybercrime have been evolving faster than we can keep up with. With the use of AI, we’ve all been anticipating it, but the extent has been underestimated. The cybersecurity landscape is becoming hyperactive – AI, evolving adversary ambitions, geopolitical shifts, and changing business dynamics, all combine to play a role in this acceleration."
https://www.group-ib.com/blog/cyber-predictions-2026/
- Henkel CISO On The Messy Truth Of Monitoring Factories Built Across Decades
"In this Help Net Security interview, Stefan Braun, CISO at Henkel, discusses how smart manufacturing environments introduce new cybersecurity risks. He explains where single points of failure hide, how attackers exploit legacy systems, and why monitoring must adapt to mixed-generation equipment. His insights show why resilience depends on visibility, autonomy, and disciplined vendor accountability."
https://www.helpnetsecurity.com/2025/12/10/stefan-braun-henkel-smart-manufacturing-cybersecurity/
- The Hidden Dynamics Shaping Who Produces Influential Cybersecurity Research
"Cybersecurity leaders spend much of their time watching how threats and tools change. A new study asks a different question: how has the research community itself changed over the past two decades? Researchers from the University of Southampton examined two long-running conference communities, SOUPS and Financial Cryptography and Data Security, to see how teams form, who contributes, and which kinds of work gain attention. The result is a rare look at the structure behind the papers that influence security practice."
https://www.helpnetsecurity.com/2025/12/10/interesting-cybersecurity-research-trends/
- LLMs Are Everywhere In Your Stack And Every Layer Brings New Risk
"LLMs are moving deeper into enterprise products and workflows, and that shift is creating new pressure on security leaders. A new guide from DryRun Security outlines how these systems change long standing assumptions about data handling, application behavior, and internal boundaries. It is built around the OWASP Top 10 for LLM Applications, which the company uses as the structure for a full risk model and a reference architecture for teams building with LLMs."
https://www.helpnetsecurity.com/2025/12/10/enterprise-llm-security-risks-analysis/
- UK Sanctions Russian And Chinese Firms Suspected Of Being ‘Malign Actors’ In Information Warfare
"Britain announced sanctions against Russian media and ideas outlets on Tuesday as the U.K.’s top diplomat warned Western nations must raise their game to combat information warfare from “malign foreign states.” Foreign Secretary Yvette Cooper said the U.K. was imposing sanctions on the microblogging Telegram channel Rybar and its co-owner Mikhail Sergeevich Zvinchuk, the Foundation for the Support and Protection of the Rights of Compatriots Living Abroad — also known as Pravfond and described by Estonian intelligence as a front for the GRU spy agency — and the Center for Geopolitical Expertise, a think-tank run by Russian ultranationalist ideologue Alexander Dugin."
https://www.securityweek.com/uk-sanctions-russian-and-chinese-firms-suspected-of-being-malign-actors-in-information-warfare/
https://therecord.media/uk-sanctions-russia-china-entities-information-warfare
- The Big Catch: How Whaling Attacks Target Top Executives
"When a hedge fund manager opened up an innocuous Zoom meeting invite, he had little idea of the corporate carnage that was to follow. That invite was booby-trapped with malware, enabling threat actors to hijack his email account. From there they moved swiftly, authorizing money transfers on Fagan’s behalf for fake invoices they sent to the hedge fund. In total, they approved $8.7 million worth of invoices in this way. The incident was ultimately the undoing of Levitas Capital, after it forced the exit of one of the firm’s biggest clients."
https://www.welivesecurity.com/en/business-security/big-catch-how-whaling-attacks-target-top-executives/
- Ukrainian Hacker Charged With Helping Russian Hacktivist Groups
"U.S. prosecutors have charged a Ukrainian national for her role in cyberattacks targeting critical infrastructure worldwide, including U.S. water systems, election systems, and nuclear facilities, on behalf of Russian state-backed hacktivist groups. On Tuesday, 33-year-old Victoria Eduardovna Dubranova (also known as Vika, Tory, and SovaSonya) was arraigned on charges related to her alleged role in NoName057(16), after being extradited to the U.S. earlier this year for supporting CyberArmyofRussia_Reborn (CARR)."
https://www.bleepingcomputer.com/news/security/ukrainian-hacker-charged-with-helping-russian-hacktivist-groups/
https://therecord.media/us-extradites-member-of-russian-hacking-groups-critical-infrastructure
https://cyberscoop.com/us-charges-russian-backed-hacker-critical-infrastructure-attacks-carr-noname05716/
https://hackread.com/ukraine-woman-us-custody-russia-noname057-hackers/
https://www.securityweek.com/us-indicts-extradited-ukrainian-on-charges-of-aiding-russian-hacking-groups/
https://www.theregister.com/2025/12/10/pro_russia_hacktivist_charged/
- Experience Really Matters - But Now You're Fighting AI Hacks
"When Anthropic disclosed a cyberespionage campaign conducted largely through an artificial intelligence system, it provided a detailed view of how offensive operations can unfold when an autonomous tool performs most of the technical work. The Cumberland County, Pennsylvania, intrusion still needed human direction, but the operational tasks were executed by an AI system that performed reconnaissance, generated exploits, escalated privileges and moved laterally through the network."
https://www.bankinfosecurity.com/blogs/experience-really-matters-but-now-youre-fighting-ai-hacks-p-3996
- Ransomware Victim Warning: The Streisand Effect May Apply
"Paying off ransomware hackers to avoid notoriety is a losing proposition, finds a study of LockBit victims that identified a correlation between unwanted attention and succumbing to extortionists, as opposed to standing firm. "It seems that paying the ransom doesn't at all appear to reduce public exposure - if anything, it increases it," Max Smeets, co-director of Virtual Routes - formerly known as the European Cyber Conflict Research Initiative - said in a keynote presentation at the Black Hat Europe conference in London."
https://www.bankinfosecurity.com/ransomware-victim-warning-streisand-effect-may-apply-a-30247
- Global Cyber Attacks Increase In November 2025 Driven By Ransomware Surge And GenAI Risks
"In November 2025, global cyber activity continued its upward trend, with organizations experiencing an average of 2,003 cyber-attacks per week. This represents a 3% increase from October, and a 4% rise compared to November 2024. Check Point Research data shows that this steady escalation reflects a threat landscape shaped by intensified ransomware activity, expanded attack surfaces, and the growing exposure risks associated with generative AI tools inside organizations."
https://blog.checkpoint.com/research/global-cyber-attacks-increase-in-november-2025-driven-by-ransomware-surge-and-genai-risks/
- Overconfident And Underprepared: IT Leaders Misjudge AI Cyber Risk
"AI-generated malware is exploding in volume and sophistication. Legacy cyber tools, built on signatures, heuristics, and aging machine learning, are failing spectacularly in this new era of Dark AI. Yet confidence in these legacy cyber tools remains remarkably high, creating a widening disconnect between perception and reality. In this blog, we dig into the results from our new study of 500 U.S. IT professionals, which clearly highlights that IT professionals, especially in management positions, don’t realize just how quickly the new AI-driven threat landscape is shifting beneath their feet."
https://www.deepinstinct.com/blog/overconfident-and-underprepared-it-leaders-misjudge-ai-cyber-risk
- HTTPS Certificate Industry Phasing Out Less Secure Domain Validation Methods
"Secure connections are the backbone of the modern web, but a certificate is only as trustworthy as the validation process and issuance practices behind it. Recently, the Chrome Root Program and the CA/Browser Forum have taken decisive steps toward a more secure internet by adopting new security requirements for HTTPS certificate issuers."
https://security.googleblog.com/2025/12/https-certificate-industry-phasing-out.html
- Log4Shell Downloaded 40 Million Times In 2025
"Tens of millions of downloads of the popular Java logging library Log4j this year were vulnerable to a CVSS 10.0-rated vulnerability that first surfaced four years ago, according to Sonatype. The security vendor claimed 13% of Log4j downloads in 2025 were still vulnerable to Log4Shell, hinting at the challenge of persistent risks in the open source ecosystem. “On one side, there’s unfixed risk: vulnerabilities that never get patched upstream. On the other, there’s corrosive risk: vulnerabilities that do have fixes, but continue to spread because consumers don’t move,” it explained."
https://www.infosecurity-magazine.com/news/log4shell-downloaded-40-million/
References
Electronic Transactions Development Agency (ETDA)