NCSA Webboard

    Cyber Threat Intelligence 18 December 2025

    • NCSA_THAICERT

      Financial Sector

      • Banks Built Rules For Yesterday’s Crime And RegTech Is Trying To Fix That
        "Criminals are moving money across borders faster, and financial institutions are feeling the squeeze. Compliance teams feel this strain every day as they try to keep up with schemes that shift through accounts, intermediaries, and digital channels. A new academic review of regulatory technology, or RegTech, shows how this pressure is reshaping compliance work and why research in this field is gaining new weight."
        https://www.helpnetsecurity.com/2025/12/17/regulatory-technology-financial-crime-study/

      New Tooling

      • Zabbix: Open-Source IT And OT Observability Solution
        "Zabbix is an open source monitoring platform designed to track the availability, performance, and integrity of IT environments. It monitors networks along with servers, virtual machines, applications, services, databases, websites, and cloud resources. For cybersecurity professionals, this visibility matters because operational issues and security incidents often overlap. Early signs of compromise can surface as performance changes, service failures, or unusual system behavior that monitoring tools detect first."
        https://www.helpnetsecurity.com/2025/12/17/zabbix-open-source-it-ot-observability-solution/
        https://github.com/zabbix/zabbix

      Vulnerabilities

      • UAT-9686 Actively Targets Cisco Secure Email Gateway And Secure Email And Web Manager
        "Cisco Talos is tracking the active targeting of Cisco AsyncOS Software for Cisco Secure Email Gateway, formerly known as Cisco Email Security Appliance (ESA), and Cisco Secure Email and Web Manager, formerly known as Cisco Content Security Management Appliance (SMA), enabling attackers to execute system-level commands and deploy a persistent Python-based backdoor, AquaShell. Cisco became aware of this activity on December 10, which has been ongoing since at least late November 2025. Additional tools observed include AquaTunnel (reverse SSH tunnel), chisel (another tunneling tool), and AquaPurge (log-clearing utility). Talos' analysis indicates that appliances with non-standard configurations, as described in Cisco's advisory, are what we have observed as being compromised by the attack."
        https://blog.talosintelligence.com/uat-9686/
        https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sma-attack-N9bf4
        https://www.bleepingcomputer.com/news/security/cisco-warns-of-unpatched-asyncos-zero-day-exploited-in-attacks/
        https://www.theregister.com/2025/12/17/attacks_pummeling_cisco_0day/
        https://www.helpnetsecurity.com/2025/12/17/cisco-secure-email-cve-2025-20393/
      • Critical Arbitrary File Upload Vulnerability In Motors Theme Affecting 20k+ Sites
        "This blog post is about a Subscriber+ arbitrary file upload vulnerability in the Motors theme. If you're a Motors theme user, please update to at least version 5.6.82. This vulnerability was discovered and reported by Patchstack Alliance community member Denver Jackson."
        https://patchstack.com/articles/critical-arbitrary-file-upload-vulnerability-in-motors-theme-affecting-20k-sites/
        https://www.infosecurity-magazine.com/news/motors-wordpress-flaw-takeover/
      • Sonicwall Warns Of New SMA1000 Zero-Day Exploited In Attacks
        "SonicWall warned customers today to patch a vulnerability in the SonicWall SMA1000 Appliance Management Console (AMC) that was chained in zero-day attacks to escalate privileges. According to SonicWall, this medium-severity local privilege escalation security flaw (CVE-2025-40602) was reported by Clément Lecigne and Zander Work of the Google Threat Intelligence Group, and doesn't affect SSL-VPN running on SonicWall firewalls. "SonicWall PSIRT strongly advises users of the SMA1000 product to upgrade to the latest hotfix release version to address the vulnerability," the company said in a Wednesday advisory."
        https://www.bleepingcomputer.com/news/security/sonicwall-warns-of-new-sma1000-zero-day-exploited-in-attacks/
        https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0019
        https://thehackernews.com/2025/12/sonicwall-fixes-actively-exploited-cve.html
        https://securityaffairs.com/185809/hacking/sonicwall-warns-of-actively-exploited-flaw-in-sma-100-amc.html
        https://www.helpnetsecurity.com/2025/12/17/sonicwall-cve-2025-40602/
      • Libbiosig, Grassroot DiCoM, Smallstep Step-Ca Vulnerabilities
        "Cisco Talos’ Vulnerability Discovery & Research team recently disclosed vulnerabilities in Biosig Project Libbiosig, Grassroot DiCoM, and Smallstep step-ca. The vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in adherence to Cisco’s third-party vulnerability disclosure policy, except for Grassroot, as the DiCoM vulnerabilities are zero-days."
        https://blog.talosintelligence.com/libbiosig-grassroot-dicom-smallstep-step-ca-vulnerabilities/
      • Defending Against The CVE-2025-55182 (React2Shell) Vulnerability In React Server Components
        "CVE-2025-55182 (also referred to as React2Shell and includes CVE-2025-66478, which was merged into it) is a critical pre-authentication remote code execution (RCE) vulnerability affecting React Server Components, Next.js, and related frameworks. With a CVSS score of 10.0, this vulnerability could allow attackers to execute arbitrary code on vulnerable servers through a single malicious HTTP request. Exploitation activity related to this vulnerability was detected as early as December 5, 2025."
        https://www.microsoft.com/en-us/security/blog/2025/12/15/defending-against-the-cve-2025-55182-react2shell-vulnerability-in-react-server-components/
        https://cyberscoop.com/react2shell-vulnerability-fallout-spreads/
      • Turning AI Safeguards Into Weapons With HITL Dialog Forging
        "This article provides a deeper technical analysis of the novel agentic AI attack vector: the LITL attack, which we recently developed and documented in Bypassing AI Agent Defenses With Lies-In-The-Loop. The LITL attack directly targets the HITL component, causing the agent to prompt the user with a seemingly benign HITL dialog that can deceive users into approving a remote code execution attack originating from indirect prompt injections."
        https://checkmarx.com/zero-post/turning-ai-safeguards-into-weapons-with-hitl-dialog-forging/
        https://www.infosecurity-magazine.com/news/lies-loop-attack-ai-safety-dialogs/

      Malware

      • GhostPairing Attacks: From Phone Number To Full Access In WhatsApp
        "Gen has discovered a novel WhatsApp account takeover campaign that we refer to as GhostPairing Attack. On the surface it looks very simple. Victims receive a message from one of their contacts, usually something along the lines of: “Hey, I just found your photo!” The message includes a link that appears as a Facebook style preview. When users open it, they see a page that imitates a Facebook viewer and asks them to “verify” before they can see the content."
        https://www.gendigital.com/blog/insights/research/ghostpairing-whatsapp-attack
        https://www.bleepingcomputer.com/news/security/whatsapp-device-linking-abused-in-account-hijacking-attacks/
      • React2Shell Used As Initial Access Vector For Weaxor Ransomware Deployment
        "S-RM has responded to an incident where a threat actor used the recently disclosed critical vulnerability known as React2Shell (CVE-2025-55182) to gain access to a corporate network and deploy ransomware. The deployment of ransomware in S-RM’s cases appears to have been automated, and the scope of compromise remained limited to the server which was vulnerable to React2Shell."
        https://www.s-rminform.com/latest-thinking/react2shell-used-as-initial-access-vector-for-weaxor-ransomware-deployment
        https://www.bleepingcomputer.com/news/security/critical-react2shell-flaw-exploited-in-ransomware-attacks/
      • Windows Persistence Explained: Techniques, Risks, And What Defenders Should Know
        "Modern Windows systems include many built-in features that help applications run smoothly and support everyday user activity. Unfortunately, many of these built-in functionalities can be exploited by threat actors in order to have malware payloads remain on a system and run without user interaction. These different features can be abused to be what security researchers call “persistence mechanisms.”"
        https://cofense.com/blog/windows-persistence-explained-techniques,-risks,-and-what-defenders-should-know
      • NuGet Malware Targets Nethereum Tools
        "This year, ReversingLabs (RL) researchers have discovered malware on various open-source software (OSS) platforms that target crypto users and developers. This is an attack trend RL saw explode in 2024, and it has continued in 2025 with crypto among threat actors' favored prey. This past year alone, RL researchers have identified crypto-focused malware on:"
        https://www.reversinglabs.com/blog/nuget-malware-crypto-oauth-tokens
        https://hackread.com/nuget-malicious-packages-steal-crypto-ad-data/
      • ClickFix: DarkGate
        "“ClickFix” is a form of social engineering rather than an autonomous malware. It represents a fast-growing method of initial system compromise, where attackers deceive users into executing harmful commands themselves, typically disguised as routine troubleshooting steps or verification procedures ultimately leading to the unintentional installation of malware."
        https://www.pointwild.com/threat-intelligence/clickfix-darkgate
        https://hackread.com/clickfix-attack-fake-browser-install-darkgate-malware/
      • Inside a Purchase Order PDF Phishing Campaign
        "A customer contacted me when Malwarebytes blocked the link inside a “purchase order” email they had received. When I examined the attachment, it soon became clear why we blocked it. The visible content of the PDF showed a button prompting the recipient to view the purchase order. Hovering over the button revealed a long URL that included a reference to a PDF viewer. While this might fool some people at first glance, a closer look raised red flags:"
        https://www.malwarebytes.com/blog/threat-intel/2025/12/inside-a-purchase-order-pdf-phishing-campaign
      • Operation ForumTroll Continues: Russian Political Scientists Targeted Using Plagiarism Reports
        "In March 2025, we discovered Operation ForumTroll, a series of sophisticated cyberattacks exploiting the CVE-2025-2783 vulnerability in Google Chrome. We previously detailed the malicious implants used in the operation: the LeetAgent backdoor and the complex spyware Dante, developed by Memento Labs (formerly Hacking Team). However, the attackers behind this operation didn’t stop at their spring campaign and have continued to infect targets within the Russian Federation."
        https://securelist.com/operation-forumtroll-new-targeted-campaign/118492/
        https://thehackernews.com/2025/12/new-forumtroll-phishing-attacks-target.html
      • Kimwolf Exposed: The Massive Android Botnet With 1.8 Million Infected Devices
        "On October 24, 2025, a trusted partner in the security community provided us with a brand-new botnet sample. The most distinctive feature of this sample was its C2 domain, 14emeliaterracewestroxburyma02132[.]su, which at the time ranked 2nd in the Cloudflare Domain Rankings. A week later, it even surpassed Google to claim the number one spot in Cloudflare's global domain popularity rankings. There is no doubt that this is a hyper-scale botnet. Based on the information output during runtime and its use of the wolfSSL library, we have named it Kimwolf."
        https://blog.xlab.qianxin.com/kimwolf-botnet-en/
        https://thehackernews.com/2025/12/kimwolf-botnet-hijacks-18-million.html
      • BlueDelta’s Persistent Campaign Against UKR.NET
        "Between June 2024 and April 2025, Recorded Future’s Insikt Group identified a sustained credential-harvesting campaign targeting users of UKR.NET, a widely used Ukrainian webmail and news service. The activity is attributed to the Russian state-sponsored threat group BlueDelta (also known as APT28, Fancy Bear, and Forest Blizzard). This campaign builds on BlueDelta’s earlier operations detailed in the May 2024 Insikt Group report “GRU’s BlueDelta Targets Key Networks in Europe with Multi-Phase Espionage Campaigns,” which documented GRU-linked credential theft and espionage activity. While this campaign does not reveal specific targets, BlueDelta’s historical focus on credential theft to enable intelligence collection provides strong indicators of likely intent to collect sensitive information from Ukrainian users in support of broader GRU intelligence requirements."
        https://www.recordedfuture.com/research/bluedeltas-persistent-campaign-against-ukrnet
        https://assets.recordedfuture.com/insikt-report-pdfs/2025/cta-ru-2025-1217.pdf
        https://therecord.media/russian-bluedelta-hackers-ran-phishing-ukraine-webmail
        https://thehackernews.com/2025/12/apt28-targets-ukrainian-ukr-net-users.html
      • Exclusive: RSF Uncovers New Spyware From Belarus
        "Reporters Without Borders (RSF)’s Digital Security Lab (DSL), working with the Eastern European organisation RESIDENT.NGO, has uncovered a previously unknown spyware tool used by the State Security Committee (KGB) of Belarus to target, among others, journalists and media workers. RSF assesses that this exposure is a serious setback for the KGB’s operations, not least because the software appears to have been in use for several years."
        https://rsf.org/en/exclusive-rsf-uncovers-new-spyware-belarus
        https://therecord.media/spyware-belarus-journalist-rsf
      • From Linear To Complex: An Upgrade In RansomHouse Encryption
        "RansomHouse is a ransomware-as-a-service (RaaS) operation run by a group that we track as Jolly Scorpius. Recent samples of the associated binaries used in RansomHouse operations reveal a significant upgrade in encryption. This article explores the upgrade of RansomHouse encryption and the potential impact for defenders. Jolly Scorpius uses a double extortion strategy. This strategy combines stealing and encrypting a victim's data with threats to leak the stolen data."
        https://unit42.paloaltonetworks.com/ransomhouse-encryption-upgrade/

      Breaches/Hacks/Leaks

      • Auto Parts Giant LKQ Confirms Oracle EBS Breach
        "Automotive parts giant LKQ Corporation has confirmed that it has been impacted by the recent cybercrime campaign targeting customers of the Oracle E-Business Suite (EBS) solution. The Fortune 500 company provides recycled, refurbished, and aftermarket components for cars and other types of vehicles. LKQ was one of the first victims of the Oracle EBS hack named on the Cl0p ransomware website, where the cybercriminals behind the campaign have been listing targeted organizations."
        https://www.securityweek.com/auto-parts-giant-lkq-confirms-oracle-ebs-breach/
        https://www.infosecurity-magazine.com/news/lkq-confirms-oracle-ebs-breach/
      • GNV Ferry Fantastic Under Cyberattack Probe Amid Remote Hijack Fears
        "French prosecutors are investigating a suspected cyberattack on the GNV ferry Fantastic, raising fears of a potential remote hijack. The ferry Fantastic sails between Sète and North Africa, and French authorities are investigating a suspected attempt to compromise the ship’s IT systems. Italian intelligence, prompted by GNV, alerted French authorities about two sailors, a Latvian and a Bulgarian, suspected of spying for a foreign power. The Paris prosecutor’s cybercrime unit is investigating an organized attack on automated data systems, allegedly to serve a foreign power."
        https://securityaffairs.com/185800/hacking/gnv-ferry-fantastic-under-cyberattack-probe-amid-remote-hijack-fears.html

      General News

      • November 2025 APT Attack Trends Report (South Korea)
        "AhnLab is monitoring APT (Advanced Persistent Threat) attacks in South Korea using our own infrastructure. This report covers the classification and statistics of APT attacks in South Korea that were identified over the course of one month in November 2025. It also provides an overview of the features of each attack type."
        https://asec.ahnlab.com/en/91587/
      • AI Breaks The Old Security Playbook
        "AI has moved into enterprise operations faster than many security programs expected. It is embedded in workflows, physical systems, and core infrastructure. Some AI tools reach hundreds of millions of users each week. Inference costs have fallen 280-fold, but overall spending is still rising because usage keeps growing. Attackers are using the same tools. CISOs manage a broader attack surface driven by automation, new data paths, and machine led decisions. Deloitte’s Tech Trends 2026 shows how this shift is changing what CISOs and other technology leaders are responsible for."
        https://www.helpnetsecurity.com/2025/12/17/deloitte-enterprise-ai-defense-report/
      • Strengthening Cyber Resilience As AI Capabilities Advance
        "Cyber capabilities in AI models are advancing rapidly, bringing meaningful benefits for cyberdefense as well as new dual-use risks that must be managed carefully. For example, capabilities assessed through capture-the-flag (CTF) challenges have improved from 27% on GPT‑5 in August 2025 to 76% on GPT‑5.1-Codex-Max in November 2025."
        https://openai.com/index/strengthening-cyber-resilience/
        https://blog.barracuda.com/2025/12/16/openai-ai-model-cybersecurity-warning
      • Zeroday Cloud Hacking Event Awards $320,000 For 11 Zero Days
        "The Zeroday Cloud hacking competition in London has awarded researchers $320,000 for demonstrating critical remote code execution vulnerabilities in components used in cloud infrastructure. The first hacking event focused on cloud systems, the competition is hosted by Wiz Research in partnership with Amazon Web Services, Microsoft, and Google Cloud. The researchers were successful in 85% of the hacking attempts across 13 hacking sessions, demonstrating 11 zero-day vulnerabilities."
        https://www.bleepingcomputer.com/news/security/zeroday-cloud-hacking-event-awards-320-0000-for-11-zero-days/
      • France Arrests Suspect Tied To Cyberattack On Interior Ministry
        "French authorities arrested a 22-year-old suspect on Tuesday for a cyberattack that targeted France's Ministry of the Interior earlier this month. In a statement issued by Public Prosecutor Laure Beccuau, officials said the suspected hacker was arrested on December 17, 2025, as part of an investigation into the attack. "A person was arrested on December 17, 2025, as part of the investigation opened by the cybercrime unit of the Paris public prosecutor's office, on charges including unauthorized access to an automated personal data processing system implemented by the State, committed by an organized group, following the cyberattack against the Ministry of the Interior," reads the statement translated into English."
        https://www.bleepingcomputer.com/news/security/france-arrests-suspect-tied-to-cyberattack-on-interior-ministry/
        https://therecord.media/france-interior-ministry-email-breach-investigation
        https://hackread.com/france-arrests-hacker-interior-ministry-systems/
      • 'I Quit!' - When CISOs Need To Take Charge Of Their Careers
        "A recent LinkedIn post has been circulating in cybersecurity circles, written as a CISO's resignation letter - "effective immediately." It resonates with security leaders who know the pattern - budget requests denied, risks that are documented and escalated, and a breach that follows a known vulnerability. Then the CISO was hit by the inevitable question: "Why didn't you prevent this?""
        https://www.bankinfosecurity.com/blogs/i-quit-when-cisos-need-to-take-charge-their-careers-p-4002
      • In Cybersecurity, Claude Leaves Other LLMs In The Dust
        "New sobering data confirms what many in cybersecurity already know: that while large language models (LLMs) are improving significantly in ways that generate profits for their developers, they're missing the improvements that would keep them safe and secure. In its second Potential Harm Assessment & Risk Evaluation (PHARE) LLM benchmark report, researchers at Giskard tested brand name models from OpenAI, Anthropic, xAI, Meta, Google, and others on their ability to resist jailbreaks, avoid hallucinations and biases, and more. Two things immediately pop out in the data: how little progress is being made across the industry, and how much of it is being carried by Anthropic alone."
        https://www.darkreading.com/cybersecurity-analytics/cybersecurity-claude-llms
      • Why You Should Train Your SOC Like a Triathlete
        "Triathletes learn a simple truth early. Fancy gear cannot overcome a junk food diet. The same holds for security operations. AI has become an integral part of daily security operations center work, but its performance is capped by the quality of the evidence it consumes. Thin or noisy inputs slow investigations, increase fatigue, and create doubt."
        https://www.darkreading.com/cybersecurity-operations/why-you-should-train-your-soc-like-triathlete
      • AI Is Reshaping Modern Cybercrime
        "Fortinet has been working closely with UC Berkeley’s Center for Long-Term Cybersecurity (CLTC), the Berkeley Risk and Security Lab (BRSL), and public- and private-sector partners, including academia, as part of the AI-Enabled Cybercrime Initiative. This effort uses global tabletop exercises (TTXs), research, and policy analysis to understand how AI is shaping cybercrime and how defenders can stay ahead. As part of this coordinated work, CLTC has published an academic analysis of the Singapore TTX, From Automation to Autonomy: The Next Leap in AI-Enabled Cybercrimes, authored by Dr. Gil Baram, Helena Huang, and me."
        https://www.fortinet.com/blog/industry-trends/ai-is-reshaping-modern-cybercrime
        https://cltc.berkeley.edu/publication/from-automation-to-autonomy-the-next-leap-in-ai-enabled-cybercrimes/
      • Why Vulnerability Reports Stall Inside Shared Hosting Companies
        "Security teams keep sending vulnerability notifications, and the same pattern keeps repeating. Many alerts land, few lead to fixes. A new qualitative study digs into what happens after those reports arrive and explains why remediation so often stops short. The research comes from the Center for Information Security Saarbrücken and is based on in-depth interviews with 24 hosting provider organizations across shared hosting, VPS services, and web agencies. The researchers focused on how providers receive, process, and act on vulnerability notifications, rather than testing new notification formats or channels."
        https://www.helpnetsecurity.com/2025/12/17/hosting-provider-vulnerability-notifications-remediation/
      • NMFTA Warns Of Surge And Sophistication Of Cyber-Enabled Cargo Theft
        "The National Motor Freight Traffic Association (NMFTA) has issued another warning to the logistics and transportation industry as traditional cargo theft is being rapidly replaced by sophisticated, cyber-enabled heists. CargoNet reported in October that it recorded over 700 cargo thefts in the US and Canada in the third quarter of 2025, with the value of the stolen goods totaling more than $111 million. According to the American Trucking Associations, thieves targeting freight shipments cost the US economy up to $35 billion per year. While in the past thieves would in most cases rob truck drivers at gunpoint or break into trailers, this type of crime has become increasingly sophisticated, mainly driven by criminals’ reliance on hacker tactics."
        https://www.securityweek.com/nmfta-warns-of-surge-and-sophistication-of-cyber-enabled-cargo-theft/
      • Five Cybersecurity Predictions For 2026: Identity, AI, And The Collapse Of Perimeter Thinking
        "Cybersecurity has always evolved in response to attacker innovation, but the pace of change over the last few years has been unprecedented—particularly with the emergence of weaponized AI to scale phishing, deepfakes, and voice cloning. As we head toward 2026, several structural shifts are becoming impossible to ignore. Traditional security assumptions are breaking down, threat actors are scaling faster than defenders, and identity—not infrastructure—has become the primary battleground. Here are five predictions that will shape the cybersecurity landscape in 2026:"
        https://www.securityweek.com/five-cybersecurity-predictions-for-2026-identity-ai-and-the-collapse-of-perimeter-thinking/
      • FBI Disrupts Virtual Money Laundering Service Used To Facilitate Criminal Activity
        "The United States Attorney’s Office for the Eastern District of Michigan announced today a coordinated action with international partners and the Michigan State Police to disrupt and take down the online infrastructure used to operate E-Note, a cryptocurrency exchange that allegedly facilitated money laundering by transnational cyber-criminal organizations, including those targeting U.S. healthcare and critical infrastructure. Since 2017, the FBI identified more than $70,000,000 of illicit proceeds of ransomware attacks and account takeovers transferred via E-Note payment service and money mule network, including laundered funds stolen or extorted from U.S. victims."
        https://www.justice.gov/usao-edmi/pr/fbi-disrupts-virtual-money-laundering-service-used-facilitate-criminal-activity
        https://therecord.media/fbi-takes-down-alleged-money-laundering-operation
      • ESET Threat Report H2 2025
        "The second half of the year underscored just how quickly attackers adapt and innovate, with rapid changes sweeping across the threat landscape. AI-powered malware moved from theory to reality in H2 2025, as ESET discovered PromptLock, the first known AI-driven ransomware, capable of generating malicious scripts on the fly. While AI is still mainly used for crafting convincing phishing and scam content, PromptLock – and the handful of other AI-driven threats identified to this day – signal a new era of threats."
        https://www.welivesecurity.com/en/eset-research/eset-threat-report-h2-2025/

      Reference
      Electronic Transactions Development Agency (ETDA)
