NCSA Webboard

    Cyber Threat Intelligence 12 December 2025

    Cyber Security News
      NCSA_THAICERT

      Financial Sector

      • Fighting Credit Fraud In Uzbekistan: An Uphill Battle Against Social Engineering
        "Imagine you enter a bank with the intention of applying for a loan but your application gets rejected as the bank’s worker tells you that there has already been a loan taken out in your name and your credit limit has been maxed out. You have just found out that you’re a victim of credit fraud. Online lending is rapidly gaining popularity in Uzbekistan, and with it, the number of credit fraud cases is also on the rise. According to data from the Central Bank of Uzbekistan (CBU), there were 463 reported cases of remote online loans issued in someone’s name via apps or a fake identity, resulting in financial losses totaling approximately 15 billion UZS in 2024 alone."
        https://www.group-ib.com/blog/credit-fraud-in-uzbekistan/

      Industrial Sector

      • CISA Releases 12 Industrial Control Systems Advisories
        "CISA released 12 Industrial Control Systems (ICS) Advisories. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS."
        https://www.cisa.gov/news-events/alerts/2025/12/11/cisa-releases-12-industrial-control-systems-advisories
      • Threat Landscape For Industrial Automation Systems. Q3 2025
        "In Q3 2025, the percentage of ICS computers on which malicious objects were blocked continued to decrease, reaching its lowest level since 2022 — 20.1%. Regionally, the percentage ranged from 9.2% in Northern Europe to 27.4% in Africa. Increases were seen in five regions. East Asia was the leader in terms of growth for this indicator."
        https://ics-cert.kaspersky.com/publications/reports/2025/12/11/threat-landscape-for-industrial-automation-systems-q3-2025/

      Vulnerabilities

      • Google Patches Mysterious Chrome Zero-Day Exploited In The Wild
        "Google has released a security update for its Chrome browser, addressing a zero-day vulnerability that the company confirms is actively being exploited in the wild. Several exploited zero-day vulnerabilities were patched by the internet giant in Chrome this year. However, the company has always shared a brief description of the flaw when announcing patches. At the time of writing, the latest Chrome zero-day does not have a CVE identifier and it’s unclear which component of the browser it affects. The company is currently tracking it using a bug tracker ID (466192044) and marked it as ‘under coordination’."
        https://www.securityweek.com/google-patches-mysterious-chrome-zero-day-exploited-in-the-wild/
        https://www.bleepingcomputer.com/news/security/google-fixes-eighth-chrome-zero-day-exploited-in-attacks-in-2025/
        https://thehackernews.com/2025/12/chrome-targeted-by-active-in-wild.html
        https://www.infosecurity-magazine.com/news/google-chrome-security-update/
        https://securityaffairs.com/185566/hacking/google-fixed-a-new-actively-exploited-chrome-zero-day.html
        https://www.theregister.com/2025/12/11/google_fixes_supersecret_8th_chrome/
        https://www.malwarebytes.com/blog/news/2025/12/another-chrome-zero-day-under-attack-update-now
      • IBM Patches Over 100 Vulnerabilities
        "IBM this week announced fixes for more than 100 vulnerabilities across its products, including multiple critical-severity bugs. Most of them were in third-party dependencies. Storage Defender received patches for six critical-severity defects, all affecting third-party components in Data Protect (which is included in Storage Defender). The weaknesses could lead to denial-of-service (DoS) conditions, memory corruption, arbitrary file overwrite, and application crashes."
        https://www.securityweek.com/ibm-patches-over-100-vulnerabilities/
      • CISA Adds One Known Exploited Vulnerability To Catalog
        "CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
        CVE-2025-58360 OSGeo GeoServer Improper Restriction of XML External Entity Reference Vulnerability"
        https://www.cisa.gov/news-events/alerts/2025/12/11/cisa-adds-one-known-exploited-vulnerability-catalog
      • Notepad++ Fixes Flaw That Let Attackers Push Malicious Update Files
        "Notepad++ version 8.8.9 was released to fix a security weakness in its WinGUp update tool after researchers and users reported incidents in which the updater retrieved malicious executables instead of legitimate update packages. The first signs of this issue appeared in a Notepad++ community forum topic, where a user reported that Notepad++'s update tool, GUP.exe (WinGUp), spawned an unknown "%Temp%\AutoUpdater.exe" executable that executed commands to collect device information."
        https://www.bleepingcomputer.com/news/security/notepad-plus-plus-fixes-flaw-that-let-attackers-push-malicious-update-files/
        https://community.notepad-plus-plus.org/topic/27298/notepad-v8-8-9-vulnerability-fix
        https://doublepulsar.com/small-numbers-of-notepad-users-reporting-security-woes-371d7a3fd2d9?gi=a472651038c5

      Malware

      • Active Exploitation Of Gladinet CentreStack/Triofox Insecure Cryptography Vulnerability
        "The AES implementation of Gladinet’s CentreStack and Triofox products contains hardcoded cryptographic keys. Threat actors can potentially abuse this as a way to access the web.config file, opening the door for deserialization and remote code execution. We are seeing attackers target this flaw across our customer base; organizations that are using CentreStack/Triofox should update to the latest version, 16.12.10420.56791."
        https://www.huntress.com/blog/active-exploitation-gladinet-centrestack-triofox-insecure-cryptography-vulnerability
        https://thehackernews.com/2025/12/hard-coded-gladinet-keys-let-attackers.html
        https://www.bleepingcomputer.com/news/security/hackers-exploit-gladinet-centrestack-cryptographic-flaw-in-rce-attacks/
      • Malicious VSCode Marketplace Extensions Hid Trojan In Fake PNG File
        "A stealthy campaign with 19 extensions on the VSCode Marketplace has been active since February, targeting developers with malware hidden inside dependency folders. The malicious activity was uncovered recently, and security researchers found that the operator used a malicious file posing as a .PNG image. The VSCode Market is Microsoft’s official extensions portal for the widely used VSCode integrated development environment (IDE), allowing developers to extend its functionality or add visual customizations."
        https://www.bleepingcomputer.com/news/security/malicious-vscode-marketplace-extensions-hid-trojan-in-fake-png-file/
        https://www.infosecurity-magazine.com/news/malware-discovered-in-19-vs-code/
        https://hackread.com/malicious-vs-code-extensions-trojan-fake-png-files/
      • ConsentFix: Analysing a Browser-Native ClickFix-Style Attack That Hijacks OAuth Consent Grants
        "The Push browser agent recently detected and blocked a new attack technique seen targeting several Push customers. This is a new kind of browser-based attack technique that takes over user accounts with a simple copy and paste. If you’re already logged into the app in your browser, you don’t even need to supply creds, or pass an MFA check — meaning it effectively circumvents phishing-resistant auth like passkeys too. This is so different from the AiTM phish kits we usually come up against that we felt it deserved a new name."
        https://pushsecurity.com/blog/consentfix
        https://www.bleepingcomputer.com/news/security/new-consentfix-attack-hijacks-microsoft-accounts-via-azure-cli/
      • Hunting For Mythic In Network Traffic
        "Threat actors frequently employ post-exploitation frameworks in cyberattacks to maintain control over compromised hosts and move laterally within the organization’s network. While they once favored closed-source frameworks, such as Cobalt Strike and Brute Ratel C4, open-source projects like Mythic, Sliver, and Havoc have surged in popularity in recent years. Malicious actors are also quick to adopt relatively new frameworks, such as Adaptix C2."
        https://securelist.com/detecting-mythic-in-network-traffic/118291/
      • NANOREMOTE, Cousin Of FINALDRAFT
        "In October 2025, Elastic Security Labs discovered a newly-observed Windows backdoor in telemetry. The fully-featured backdoor we call NANOREMOTE shares characteristics with malware described in REF7707 and is similar to the FINALDRAFT implant. One of the malware’s primary features is centered around shipping data back and forth from the victim endpoint using the Google Drive API. This feature ends up providing a channel for data theft and payload staging that is difficult for detection. The malware includes a task management system used for file transfer capabilities that include queuing download/upload tasks, pausing/resuming file transfers, canceling file transfers, and generating refresh tokens."
        https://www.elastic.co/security-labs/nanoremote
        https://thehackernews.com/2025/12/nanoremote-malware-uses-google-drive.html
      • Hamas-Affiliated Ashen Lepus Targets Middle Eastern Diplomatic Entities With New AshTag Malware Suite
        "In recent months, we have been analyzing the activity of an advanced persistent threat (APT) known for its espionage activities against Arabic-speaking government entities. We track this Middle Eastern threat actor as Ashen Lepus (aka WIRTE). We share details of a long-running, elusive espionage campaign targeting governmental and diplomatic entities throughout the Middle East. We discovered that the group has created new versions of their previously documented custom loader, delivering a new malware suite that we have named AshTag. The group has also updated their command and control (C2) architecture to evade analysis and blend in with legitimate internet traffic."
        https://unit42.paloaltonetworks.com/hamas-affiliate-ashen-lepus-uses-new-malware-suite-ashtag/
        https://thehackernews.com/2025/12/wirte-leverages-ashenloader-sideloading.html
      • CyberVolk Returns | Flawed VolkLocker Brings New Features With Growing Pains
        "CyberVolk is a pro-Russia hacktivist persona we first documented in late 2024, tracking its use of multiple ransomware tools to conduct attacks aligned with Russian government interests. After seemingly lying dormant for most of 2025 due to Telegram enforcement actions, the group returned in August with a new RaaS offering called VolkLocker (aka CyberVolk 2.x). In this post, we examine the functionality of VolkLocker, including its Telegram-based automation, encryption mechanisms, and affiliate features."
        https://www.sentinelone.com/blog/cybervolk-returns-flawed-volklocker-brings-new-features-with-growing-pains/
        https://www.theregister.com/2025/12/11/cybervolk_ransomware_is_back/
      • SHADOW-VOID-042 Targets Multiple Industries With Void Rabisu-Like Tactics
        "In October and November 2025, campaigns targeting sectors such as energy, defence, pharmaceuticals, and cybersecurity shared characteristics with older campaigns attributed to Void Rabisu (also known as ROMCOM, Tropical Scorpius, Storm-0978). Void Rabisu is known to be associated with an actor group that has both financial and espionage motivations that are aligned with Russian interests. We are tracking these campaigns under a separate, temporary intrusion set, SHADOW-VOID-042, pending further data to support high-confidence attribution."
        https://www.trendmicro.com/en_us/research/25/l/SHADOW-VOID-042.html
      • Makop Ransomware: GuLoader And Privilege Escalation In Attacks Against Indian Businesses
        "Makop is a ransomware strain first observed around 2020 and is generally treated as a variant of the Phobos family. Recently, Acronis TRU researchers identified new activity and tooling associated with Makop, prompting a deeper investigation into several recent ransomware cases to better understand how its operators conduct their attacks."
        https://www.acronis.com/en/tru/posts/makop-ransomware-guloader-and-privilege-escalation-in-attacks-against-indian-businesses/

      Breaches/Hacks/Leaks

      • Pierce County Library Data Breach Impacts 340,000
        "Pierce County Library System (PCLS) is notifying over 340,000 people that their personal information was compromised in a data breach. Between April 15 and April 21, 2025, threat actors accessed PCLS’s network and stole certain data from its systems, the public library says. “Upon discovering the issue, PCLS immediately commenced an investigation to confirm the nature and scope, and to identify what information could have been affected,” PCLS says in an incident notice on its website."
        https://www.securityweek.com/pierce-county-library-data-breach-impacts-340000/
      • Hackers Reportedly Breach Developer Involved With Russia’s Military Draft Database
        "An anonymous hacker group has reportedly breached the servers of a little-known Russian tech firm alleged to be involved in building the country’s unified military registration database. According to Grigory Sverdlov, head of the Russian anti-war human rights group Idite Lesom (“Get Lost”), the hackers contacted him and handed over a trove of internal Mikord documents, including source code, technical and financial records, and internal correspondence."
        https://therecord.media/hackers-reportedly-breach-developer-involved-in-russian-military-database

      General News

      • LLM Vulnerability Patching Skills Remain Limited
        "Security teams are wondering whether LLMs can help speed up patching. A new study tests that idea and shows where the tools hold up and where they fall short. The researchers tested LLMs from OpenAI, Meta, DeepSeek, and Mistral to see how well they could fix vulnerable Java functions in a single attempt."
        https://www.helpnetsecurity.com/2025/12/11/llms-software-vulnerability-patching-study/
        https://arxiv.org/pdf/2511.23408
      • Teamwork Is Failing In Slow Motion And Security Feels It
        "Security leaders often track threats in code, networks, and policies. But a quieter risk is taking shape in the everyday work of teams. Collaboration is getting harder even as AI use spreads across the enterprise. That tension creates openings for mistakes, shadow tools, and uncontrolled data flows. A recent Forrester study shows how this break in teamwork forms and how leaders can respond before it grows."
        https://www.helpnetsecurity.com/2025/12/11/forrester-teamwork-security-gaps-report/
      • 2025 CWE Top 25 Most Dangerous Software Weaknesses
        "The Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with the Homeland Security Systems Engineering and Development Institute (HSSEDI), operated by the MITRE Corporation, has released the 2025 Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Weaknesses. This annual list identifies the most critical weaknesses adversaries exploit to compromise systems, steal data, or disrupt services."
        https://www.cisa.gov/news-events/alerts/2025/12/11/2025-cwe-top-25-most-dangerous-software-weaknesses
      • OpenAI Braces For AI Models That Could Breach Defenses
        "OpenAI said Wednesday it is preparing for artificial intelligence models to reach "high" cybersecurity risk levels, marking an escalation in the dual-use capabilities that could strengthen defenses or enable sophisticated attacks. The ChatGPT maker said it is planning and evaluating as though each new model could achieve capabilities sufficient to develop working zero-day remote exploits against well-defended systems or meaningfully assist with complex, stealthy enterprise or industrial intrusion operations aimed at real-world effects."
        https://www.bankinfosecurity.com/openai-braces-for-ai-models-that-could-breach-defenses-a-30264
        https://www.infosecurity-magazine.com/news/openai-enhances-defensive-models/
      • Malicious Apprentice | How Two Hackers Went From Cisco Academy To Cisco CVEs
        "First publicly reported in September 2024, Salt Typhoon’s campaign is now known to have penetrated more than 80 telecommunications companies globally. The group’s campaign collected unencrypted calls and texts between US presidential candidates, key staffers, and many China-experts in Washington, DC. However, Salt Typhoon’s collection activity went beyond those intercepts. Systems embedded in telecommunications companies for CALEA, which facilitates lawful intercept of criminals’ communications, were also breached by Salt Typhoon. A recent Joint Cybersecurity Advisory published by the U.S. and more than 30 allies sheds light on how Salt Typhoon came to penetrate global telecommunications infrastructure."
        https://www.sentinelone.com/labs/malicious-apprentice-how-two-hackers-went-from-cisco-academy-to-cisco-cves/
        https://www.theregister.com/2025/12/11/salt_typhoon_cisco_training/

      Reference
      Electronic Transactions Development Agency (ETDA)
