เมื่อวันที่ 4 กรกฎาคม 2568 Cyber Security Agency of Singapore (CSA) ได้เผยแพร่เกี่ยวกับ กลุ่ม SCATTERED SPIDER เป็นกลุ่มอาชญากรไซเบอร์ที่มีแรงจูงใจทางการเงิน มุ่งเป้าโจมตีอุตสาหกรรมประกันภัยและการค้าปลีก โดยนับตั้งแต่เดือนมิถุนายน พ.ศ. 2568 กลุ่มดังกล่าวได้ขยายขอบเขตการปฏิบัติการไปยังอุตสาหกรรมการบิน
มีรายงานว่ากลุ่ม SCATTERED SPIDER ซึ่งเป็นกลุ่มอาชญากรไซเบอร์ที่มีเป้าหมายเพื่อผลประโยชน์ทางการเงิน ได้ดำเนินการโจมตีต่ออุตสาหกรรมประกันภัยและการค้าปลีก โดยตั้งแต่เดือนมิถุนายน พ.ศ. 2568 กลุ่มนี้ได้ขยายการโจมตีไปยังภาคการบิน โดยทั่วไป กลุ่มนี้มักเลือกโจมตีองค์กรหลายแห่งภายในอุตสาหกรรมเดียวกันในช่วงเวลาสั้น ๆ แม้ว่ารูปแบบดังกล่าวจะมิได้ปฏิบัติตามอย่างเคร่งครัด
กลยุทธ์ เทคนิค และขั้นตอนการปฏิบัติ
กลุ่ม SCATTERED SPIDER ใช้เทคนิคการหลอกลวงทางโทรศัพท์ โดยปลอมตัวเป็นพนักงานเพื่อติดต่อฝ่ายสนับสนุนด้านเทคโนโลยีสารสนเทศ ในเกือบทุกเหตุการณ์ที่พบในปี พ.ศ. 2568 กลุ่มนี้ใช้กลวิธีดังกล่าวเพื่อบุกรุกบัญชี Microsoft Entra ID, ระบบการยืนยันตัวตนแบบครั้งเดียว (SSO) และโครงสร้างพื้นฐานเดสก์ท็อปเสมือน (VDI) โดยตอบคำถามยืนยันตัวตนได้อย่างถูกต้องเมื่อร้องขอการรีเซ็ตรหัสผ่านหรือการยืนยันตัวตนแบบหลายขั้นตอน
การโจมตีบัญชีและซอฟต์แวร์ในรูปแบบบริการ
หลังจากบุกรุกบัญชี Entra ID, SSO และ VDI ได้สำเร็จ กลุ่มนี้จะเข้าถึงแพลตฟอร์มซอฟต์แวร์ในรูปแบบบริการที่เชื่อมต่อกัน โดยมีวัตถุประสงค์เพื่อค้นหาข้อมูลที่เอื้อต่อการเคลื่อนย้ายภายในระบบ เช่น แผนผังเครือข่าย คำแนะนำการใช้งาน VPN หรือข้อมูลประจำตัวที่จัดเก็บไว้ เพื่อสนับสนุนการข่มขู่หรือแสวงหาผลประโยชน์ทางการเงิน
การใช้ประโยชน์จากเครื่องมือภายในระบบ
กลุ่มนี้ใช้เครื่องมือที่ถูกต้องตามกฎหมายภายในระบบเพื่อดำเนินกิจกรรมที่เป็นอันตราย ตัวอย่างเช่น

• การสำรวจ Active Directory โดยใช้เครื่องมือ เช่น ADExplorer, ADRecon.ps1 และคำสั่ง PowerShell Get-ADUser
• การเข้าถึง VMware vCenter เพื่อสร้างเครื่องเสมือนที่ไม่มีการจัดการและดึงฐานข้อมูล Active Directory (ntds.dit) จากดิสก์ของตัวควบคุมโดเมน
• การติดตั้งเครื่องมือสร้างอุโมงค์หรือพร็อกซี เช่น Chisel (เชื่อมต่อกับ trycloudflare[.]com), MobaXterm, ngrok, Pinggy, Rsocx และ Teleport
• การใช้คำสั่ง PowerShell เช่น HardDelete, SoftDelete, MoveToDeletedItems และกฎการขนส่งอีเมล (Set-TransportRule) เพื่อป้องกันการแจ้งเตือนกิจกรรมของบัญชี ในกรณีหนึ่ง อีเมลที่ส่งถึงผู้ใช้ที่ถูกบุกรุกถูกเปลี่ยนเส้นทางไปยังที่อยู่อีเมล googlemail[.]com ซึ่งควบคุมโดยผู้โจมตี
• การใช้ S3 Browser เพื่อตรวจสอบและเข้าถึง AWS S3 buckets ผ่านเหตุการณ์ CloudTrail (ListBuckets, ListObjects) และถ่ายโอนข้อมูลไปยัง buckets ที่ควบคุมโดยผู้โจมตี

แนวทางการป้องกัน
เพื่อเสริมสร้างความมั่นคงปลอดภัยทางไซเบอร์และปกป้องข้อมูลขององค์กร ขอแนะนำให้องค์กรดำเนินการตามมาตรการต่อไปนี้

• กำหนดให้ผู้ใช้ทุกคน โดยเฉพาะผู้ที่มีสิทธิ์เข้าถึงข้อมูลที่ละเอียดอ หรือมีบทบาทผู้ดูแลระบบ ต้องใช้การยืนยันตัวตนแบบหลายขั้นตอน
• ใช้ระบบการจัดการข้อมูลประจำตัวและการเข้าถึงที่เข้มงวด เพื่อบังคับใช้การควบคุมการเข้าถึงตามบทบาทและหลักการให้สิทธิ์ขั้นต่ำ
• เปิดใช้งานการบันทึกข้อมูลอย่างครอบคลุมและการวิเคราะห์พฤติกรรม
• ตรวจสอบการใช้งานแอปพลิเคชันที่ผิดปกติ คำค้นหาที่น่าสงสัย และรูปแบบการเข้าถึงข้อมูลที่ผิดปกติ
• ดำเนินการตรวจสอบบัญชีผู้ใช้ สิทธิ์ และแอปพลิเคชันที่เชื่อมต่ออย่างสม่ำเสมอ เพื่อระบุและกำจัดสิทธิ์ที่ไม่จำเป็นหรือมีความเสี่ยง
• จัดให้มีการสำรองข้อมูลที่แยกออกจากระบบและพัฒนาแผนรับมือเหตุการณ์
• จัดการฝึกอบรมพนักงานอย่างสม่ำเสมอเกี่ยวกับภัยคุกคาม เช่น การหลอกลวงทางสังคม ผ่านโปรแกรมสร้างความตระหนักรู้ด้านความปลอดภัยทางไซเบอร์

ด้วยการปฏิบัติตามแนวทางเหล่านี้ องค์กรจะสามารถยกระดับการป้องกันและลดความเสี่ยงจากภัยคุกคามทางไซเบอร์ได้อย่างมีประสิทธิภาพ

อ้างอิง
https://www.csa.gov.sg/alerts-and-advisories/alerts/al-2025-066

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

Cybersecurity and Infrastructure Security Agency (CISA) ได้เผยแพร่คำแนะนำเกี่ยวกับระบบควบคุมอุตสาหกรรม (ICS) 4 รายการ เมื่อวันที่ 3 กรกฎาคม 2568 ซึ่งคำแนะนำเหล่านี้ให้ข้อมูลที่ทันท่วงทีเกี่ยวกับปัญหาด้านความปลอดภัยช่องโหว่ และช่องโหว่ที่อยู่รอบ ๆ ICS ในปัจจุบัน มีดังต่อไปนี้

• ICSA-25-184-01 Hitachi Energy Relion 670/650 and SAM600-IO Series
• ICSA-25-184-02 Hitachi Energy MicroSCADA X SYS600
• ICSA-25-184-03 Mitsubishi Electric MELSOFT Update Manager
• ICSA-25-184-04 Mitsubishi Electric MELSEC iQ-F Series

ทั้งนี้ CISA สนับสนุนให้ผู้ใช้และผู้ดูแลระบบตรวจสอบคำแนะนำ ICS ที่เผยแพร่ใหม่สำหรับรายละเอียดทางเทคนิคและการบรรเทาผลกระทบ รายละเอียดเพิ่มเติมที่ https://www.cisa.gov/news-events/alerts/2025/07/03/cisa-releases-four-industrial-control-systems-advisories

อ้างอิง
https://www.cisa.gov/news-events/alerts/2025/07/03/cisa-releases-four-industrial-control-systems-advisories
สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

Healthcare Sector

• Healthcare CISOs Must Secure More Than What’s Regulated
  "In this Help Net Security interview, Henry Jiang, CISO at Ensora Health, discusses what it really takes to make DevSecOps work in healthcare. He explains how balancing speed and security isn’t easy and why aligning with regulations is key. Jiang also shares tips on working with engineering teams and how automation helps in DevSecOps."
  https://www.helpnetsecurity.com/2025/07/03/henry-jiang-ensora-health-healthcare-devsecops-strategy/

Industrial Sector

• Industrial Security Is On Shaky Ground And Leaders Need To Pay Attention
  "44% of industrial organizations claim to have strong real-time cyber visibility, but nearly 60% have low to no confidence in their OT and IoT threat detection capabilities, according to Forescout. Digitalization has increased connectivity across devices, transforming industrial environments, which in turn increases cyber risk. Rising geopolitical tensions further compound these challenges, demanding more nuanced, strategic and integrated security approaches to protect critical assets while maintaining operations."
  https://www.helpnetsecurity.com/2025/07/03/ot-iot-threat-detection-confidence/
• Hitachi Energy Relion 670/650 And SAM600-IO Series
  "An authenticated user with file access privilege via FTP access can cause the Relion 670/650 and SAM600-IO series device to reboot due to improper disk space management."
  https://www.cisa.gov/news-events/ics-advisories/icsa-25-184-01
• Hitachi Energy MicroSCADA X SYS600
  "Successful exploitation of these vulnerabilities could allow an attacker to tamper with the system file, overwrite files, create a denial-of-service condition, or leak file content."
  https://www.cisa.gov/news-events/ics-advisories/icsa-25-184-02
• Mitsubishi Electric MELSOFT Update Manager
  "Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary code, disclose information, alter information, or cause a denial-of-service (DoS) condition."
  https://www.cisa.gov/news-events/ics-advisories/icsa-25-184-03
• Mitsubishi Electric MELSEC iQ-F Series
  "Successful exploitation of this vulnerability could result in a denial-of-service condition for legitimate users for a certain period by repeatedly attempting to log in with incorrect passwords. When the product repeatedly receives unauthorized logins from an attacker, legitimate users will be unable to be authenticated until a certain period has passed after the lockout or until the product is reset."
  https://www.cisa.gov/news-events/ics-advisories/icsa-25-184-04
• OT Security In Ports: Lessons From The Coast Guard's Latest Warning
  "The cranes that move goods in and out of America's busiest ports (some of the most essential components of our national logistics chain) are under growing scrutiny. In a newly issued MARSEC Directive 105-5, the U.S. Coast Guard has raised red flags about the cybersecurity risks that come with ship-to-shore (STS) cranes manufactured in China. These cranes, mostly produced by state-owned enterprises like Shanghai Zhenhua Heavy Industries (ZPMC), make up nearly 80% of the STS equipment at U.S. ports."
  https://www.tripwire.com/state-of-security/ot-security-ports-lessons-coast-guards-latest-warning

New Tooling

• GitPhish: Open-Source GitHub Device Code Flow Security Assessment Tool
  "GitPhish is an open-source security research tool built to replicate GitHub’s device code authentication flow. It features three core operating modes: an authentication server, automated landing page deployment, and an administrative management interface. GitPhish can be accessed via a command-line interface or a web dashboard, offering comprehensive features such as logging, analytics, and token management."
  https://www.helpnetsecurity.com/2025/07/03/gitphish-open-source-github-device-code-flow-security-assessment-tool/
  https://github.com/praetorian-inc/GitPhish

Vulnerabilities

• Grafana Releases Critical Security Update For Image Renderer Plugin
  "Grafana Labs has addressed four Chromium vulnerabilities in critical security updates for the Grafana Image Renderer plugin and Synthetic Monitoring Agent. Although the issues impact Chromium and were fixed by the open-source project two weeks ago, Grafana received a bug bounty submission from security researcher Alex Chapman proving their exploitability in the Grafana components. Grafana describes the update as a "critical severity security release" and advises users to apply the fixes for the vulnerabilities below as soon as possible:"
  https://www.bleepingcomputer.com/news/security/grafana-releases-critical-security-update-for-image-renderer-plugin/
• Apache Under The Lens: Tomcat’s Partial PUT And Camel’s Header Hijack
  "In March 2025, Apache disclosed CVE-2025-24813, a vulnerability impacting Apache Tomcat. This is a widely used platform that allows Apache web servers to run Java-based web applications. The flaw allows remote code execution, affecting Apache Tomcat versions 9.0.0.M1 to 9.0.98, 10.1.0-M1 to 10.1.34 and 11.0.0-M1 to 11.0.2. The same month, Apache revealed two additional vulnerabilities in Apache Camel, a message routing middleware framework. These vulnerabilities are CVE-2025-27636 and CVE-2025-29891, two flaws that allow remote code execution, affecting Apache Camel versions 4.10.0 to 4.10.1, 4.8.0 to 4.8.4 and 3.10.0 to 3.22.3."
  https://unit42.paloaltonetworks.com/apache-cve-2025-24813-cve-2025-27636-cve-2025-29891/
• Azure Machine Learning Escalation: When Pipelines Go Off The Rails
  "Orca has discovered a new privilege escalation vulnerability in the Azure Machine Learning service. We found that invoker scripts that are automatically created for each AML pipeline component and stored in a linked Storage Account can be abused to execute code with elevated privileges. While the severity varies based on the identity assigned to the compute instance, this enables multiple escalation paths when the instance runs under a highly privileged managed identity."
  https://orca.security/resources/blog/azure-machine-learning-privilege-escalation/
  https://www.infosecurity-magazine.com/news/privilege-escalation-flaw-azure-ml/

Malware

• Hunters International Ransomware Shuts Down, Releases Free Decryptors
  "The Hunters International Ransomware-as-a-Service (RaaS) operation announced today that it has officially closed down its operations and will offer free decryptors to help victims recover their data without paying a ransom. "After careful consideration and in light of recent developments, we have decided to close the Hunters International project. This decision was not made lightly, and we recognize the impact it has on the organizations we have interacted with," the cybercrime gang says in a statement published on its dark web leak earlier today. "As a gesture of goodwill and to assist those affected by our previous activities, we are offering free decryption software to all companies that have been impacted by our ransomware. Our goal is to ensure that you can recover your encrypted data without the burden of paying ransoms.""
  https://www.bleepingcomputer.com/news/security/hunters-international-ransomware-shuts-down-after-world-leaks-rebrand/
  https://therecord.media/hunters-international-ransomware-extortion-group-claims-shutdown
  https://www.bankinfosecurity.com/ransomware-group-hunters-international-announces-exit-a-28894
  https://www.theregister.com/2025/07/03/hunters_international_shutdown/
• The SOC Case Files: XDR Contains Two Nearly Identical Attacks Leveraging ScreenConnect
  "Barracuda’s Managed XDR team recently helped two companies mitigate incidents where attackers had managed to compromise computers and install rogue ScreenConnect remote management software. The incidents were neutralized before the attackers were able to move laterally through the network."
  https://blog.barracuda.com/2025/07/02/soc-case-files-xdr-contains-two-attacks-screenconnect
• RondoDox Unveiled: Breaking Down a New Botnet Threat
  "Over the past month, FortiGuard Labs has observed a significant increase in scanning activity, including a new botnet campaign that exploits two high-risk vulnerabilities: CVE-2024-3721 and CVE-2024-12856. Both have been publicly disclosed and are actively being targeted, posing serious risks to device security and overall network integrity."
  https://www.fortinet.com/blog/threat-research/rondobox-unveiled-breaking-down-a-botnet-threat
• Satori Threat Intelligence Alert: IconAds Conceals Source Of Ad Fraud From Users
  "HUMAN’s Satori Threat Intelligence and Research Team has uncovered and disrupted an operation dubbed IconAds. This scheme centered on a collection of 352 apps which load out-of-context ads on a user’s screen and hide the app icons, making it difficult for a user to identify the culprit app and remove it. At its peak, IconAds accounted for 1.2 billion bid requests a day."
  https://www.humansecurity.com/learn/blog/satori-threat-intelligence-alert-iconads/
  https://thehackernews.com/2025/07/mobile-security-alert-352-iconads-fraud.html
• Two New Pro-Russian Hacktivist Groups Target Ukraine, Recruit Insiders
  "Two new pro-Russian hacktivist groups have emerged in recent months to mount cyberattacks on Ukraine and its allies. The groups, calling themselves IT Army of Russia and TwoNet, use the Telegram messaging app to coordinate operations, recruit insiders and collect information about targets in Ukraine, according to a new report by cybersecurity firm Intel 471. Researchers said both groups appeared earlier this year and may be rebrands of previously known threat actors, though their exact links to past campaigns remain unclear."
  https://therecord.media/twonet-it-army-of-russia-new-hacktivist-groups-target-ukraine

Breaches/Hacks/Leaks

• IdeaLab Confirms Data Stolen In Ransomware Attack Last Year
  "IdeaLab is notifying individuals impacted by a data breach incident last October when hackers accessed sensitive information. Although the organization does not describe the type of attack, the Hunters International ransomware group has claimed the breach and leaked the stolen data on the dark web. IdeaLab is a California-based technology startup incubator that since 1996 has launched over 150 companies, including GoTo.com, CitySeach, eToys, Authy, Pet.net, Heliogen, and Energy Vault."
  https://www.bleepingcomputer.com/news/security/idealab-confirms-data-stolen-in-ransomware-attack-last-year/
• Taking Over 60k Spyware User Accounts With SQL Injection
  "Recently I was looking through a database of known stalkerware services and found one I wasn’t familiar with: Catwatchful. It seemed to be a full-featured Android spy app, to actually be its own service as opposed to a millionth FlexiSpy reseller, and to offer a 3-day free trial. Aside from a boilerplate disclaimer to only use it with consent, it also pretty brazenly advertised itself as stalkerware in the FAQ:"
  https://ericdaigle.ca/posts/taking-over-60k-spyware-user-accounts/
  https://www.securityweek.com/undetectable-android-spyware-backfires-leaks-62000-user-logins/
  https://www.malwarebytes.com/blog/news/2025/07/catwatchful-child-monitoring-app-exposes-victims-data
• Cybercriminals Target Brazil: 248,725 Exposed In CIEE One Data Breach
  "Yesterday, July 1, 2025 — the actor under the alias "888" published over 248,725 records containing sensitive PII stolen from CIEE (Centro de Integração Empresa-Escola). ONE CIEE is a personalized recruitment and selection service offered by CIEE Centro de Integração Empresa-Escola (Business-School Integration Center) for companies seeking candidates for internships and apprenticeship programs. It connects specialists and businesses, ranging from major international corporations to local entities in Brazil."
  https://www.resecurity.com/blog/article/cybercriminals-target-brazil-248725-exposed-in-ciee-one-data-breach
  https://securityaffairs.com/179609/data-breach/cybercriminals-target-brazil-248725-exposed-in-ciee-one-data-breach.html
• Virginia County Says April Ransomware Attack Exposed Employee SSNs
  "Government employees working for the county of Gloucester in Virginia had Social Security numbers and other sensitive data stolen during a ransomware attack in April. The county sent 3,527 current and former employees notices this week warning that their personal information was accessed by hackers who breached county systems on April 22. In addition to Social Security numbers, names, driver’s license numbers, bank account information, health insurance numbers and medical information was also stolen during the incident."
  https://therecord.media/virginia-county-says-ransomware-attack-exposed-ssns
• Young Consulting Finds Even More Folks Affected In Breach Mess – Now Over 1 Million
  "Young Consulting's cybersecurity woes continue after the number of affected individuals from last year's suspected ransomware raid passed the 1 million mark. The software vendor to stop-loss insurance carriers, now trading as Connexure, said the attack took place sometime between April 10 and 13, 2024, in a data breach notice that remains on its website homepage today. Young Consulting did not mention that ransomware was involved, although the BlackSuit group took credit for the attack, which was also widely reported as a ransomware incident."
  https://www.theregister.com/2025/07/03/young_consulting_breach_million/

General News

• Cyberattacks Are Draining Millions From The Hospitality Industry
  "Every day, millions of travelers share sensitive information like passports, credit card numbers, and personal details with hotels, restaurants, and travel services. This puts pressure on the hospitality sector to keep that information safe and private. The industry itself is booming. The hotel segment alone is expected to reach a new peak of $511.91 billion in 2029. It’s no surprise that cybercriminals are taking notice."
  https://www.helpnetsecurity.com/2025/07/03/hospitality-industry-cybersecurity-challenges/
• AI Tools Are Everywhere, And Most Are Off Your Radar
  "80% of AI tools used by employees go unmanaged by IT or security teams, according to Zluri’s The State of AI in the Workplace 2025 report. AI is popping up all over the workplace, often without anyone noticing. If you’re a CISO, if you want to avoid blind spots and data risks, you need to know where AI is showing up and what it’s doing across the entire organization."
  https://www.helpnetsecurity.com/2025/07/03/shadow-ai-tools-workplace/
• 90% Aren’t Ready For AI Attacks, Are You?
  "As AI reshapes business, 90% of organizations are not adequately prepared to secure their AI-driven future, according to a new report from Accenture. Globally, 63% of companies are in the “Exposed Zone,” indicating they lack both a cohesive cybersecurity strategy and necessary technical capabilities. The report reveals AI adoption has accelerated the speed, scale and sophistication of cyber threats, far outpacing current enterprise cyber defenses. For example, 77% of organizations lack the essential data and AI security practices needed to protect critical business models, data pipelines and cloud infrastructure."
  https://www.helpnetsecurity.com/2025/07/03/ai-cyber-defenses/
• Police Dismantles Investment Fraud Ring Stealing €10 Million
  "The Spanish police have dismantled a large-scale investment fraud operation that caused cumulative damages exceeding $11.8 million (€10 million). During simultaneous raids in Barcelona, Madrid, Mallorca, and Alicante, coordinated by the Mossos d’Esquadra, Civil Guard, and the National Police, 21 individuals were arrested. Along with the arrests, the police agents also confiscated seven luxury vehicles and more than $1.5 million €1.3 million in cash and cryptocurrency."
  https://www.bleepingcomputer.com/news/legal/police-dismantles-investment-fraud-ring-stealing-10-million/
• Amazon Prime Day 2025: Deals Await, But So Do The Cyber Criminals
  "Ahead of this year’s Amazon Prime Day 2025 on July 8th, shoppers worldwide are preparing their wish lists. So are cyber criminals. Phishing attacks are already targeting innocent shoppers. In June alone, over 1,000 new domains with names resembling Amazon appeared online. Alarmingly, 87% of these have already been flagged as malicious or suspicious. Many of the domains include the term “Amazon Prime”, with one in every 81 of the risky domains containing this phrase."
  https://blog.checkpoint.com/research/amazon-prime-day-2025-deals-await-but-so-do-the-cyber-criminals-2/
• New Cyber Blueprint Aims To Guide Organizations On AI Journey
  "Executive leadership is pushing for rapid artificial intelligence (AI) adoption inside their organizations to offset cyber-workforce shortages or to enhance threat detection and incident response capabilities, but lack of preparation can introduce problems. To address the issue, Deloitte HAS published a new Cyber AI blueprint to provide organizations with a template how to design, build, and deploy AI tools. The blueprint consists of an AI operating model, a governance model, and a reference architecture to help organizations design and operate an AI-powered environment, including agentic AI applications. The blueprint also includes elements to help organizations update the workforce's skills to handle the changes posed by the new AI-enhanced environment."
  https://www.darkreading.com/cyber-risk/cyber-blueprint-guide-ai-journey
• Criminals Sending QR Codes In Phishing, Malware Campaigns
  "That email advertising a great deal on an inflatable pool to cool off with during this sweltering July may come with a nifty QR code to simplify the buying process. Or you find a QR code touting a special sale on fireworks for the holiday weekend. These QR codes look harmless, but attackers are increasingly using them for malicious purposes. In an analysis of phishing and other malicious activities associated with identity theft between October 2024 and March 2025, the Anti-Phishing Working Group (APWG) found that criminals are sending millions of emails each day containing QR codes that lead victims to phishing sites, brand impersonation pages, and other fraudulent scam sites. Over this six-month period, email security company and APWG member Mimecast detected 1.7 million malicious QR codes and an average of 2.7 million emails with QR codes attached daily, according to APWG's "Phishing Activity Trends Report.""
  https://www.darkreading.com/endpoint-security/criminals-send-qr-codes-phishing
• Dark Web Vendors Shift To Third Parties, Supply Chains
  "Cyberattackers continue to attack a variety of technology supply chains — from open source software components to managed service providers — and increasingly, they are advertising their windfalls on Dark Web forums. In March, for example, a threat actor posted details of an alleged compromise of Oracle Cloud to the BreachForums Dark Web site. The compromise — initially denied by Oracle — led to Oracle later notifying customers of a breach of two servers containing usernames and passwords. The hacker who originally posted information of the attack, "rose87169," had published some information in the hope of attracting collaborators to decrypt some of the data."
  https://www.darkreading.com/threat-intelligence/dark-web-vendors-third-parties-supply-chains
• AI Tackles Binary Code Challenges To Fortify Supply Chain Security
  "Artificial intelligence (AI) can help improve binary code analysis and, in turn, make the software supply chain more secure. Effective binary code analysis is paramount as supply chain risks rise. Vendor and government-backed initiatives introduced over the past two years, such as the Cybersecurity and Infrastructure Security Agency's Secure by Design pledge, accentuate how pervasive software supply chain security threats have grown. It's a result of how digitally interconnected organizations have become. However, it's difficult to account for every link in the chain — some prioritize security, while others exhibit dangerous shortcomings."
  https://www.darkreading.com/application-security/ai-tackles-binary-code-challenges-fortify-supply-chain-security
• Browser Extensions Pose Heightened, But Manageable, Security Risks
  "While browser extensions add useful functionality to Web browsers, such as blocking ads, managing passwords, and taking notes, they also increase the organization's security and privacy risks. Browser extensions require certain levels of permissions that are attractive to attackers. Some extensions need access to the user's location, browsing history, or the user's clipboard to see what data the user has copied. Some extensions go further, requesting access to nearly all of the data stored on the user's computer as well as the data accessed while visiting different websites. Attackers can exploit extensions with these heightened permissions to access potentially sensitive information, such as Web traffic, saved credentials, and session cookies."
  https://www.darkreading.com/cyber-risk/browser-extensions-heightened-manageable-security-risks
• CVE Program Launches Two New Forums To Enhance CVE Utilization
  "The Board of the Common Vulnerabilities and Exposures (CVE) Program has launched two new forums to encourage more contributions and shape the future of the initiative. The CVE Program, run by the nonprofit MITRE and sponsored by the US Cybersecurity and Infrastructure Security Agency (CISA), faced uncertainty about its future in April after its contract expired. The contract was subsequently extended for 11 months, according to reports. While the longer-term future of the program remains uncertain beyond this period, the CVE Board appears to be willing to allow more stakeholders to have a voice and shape the program’s strategy."
• **https://www.infosecurity-magazine.com/news/cve-program-new-user-researcher/
• INTERPOL Releases New Information On Globalization Of Scam Centres**
  "Human trafficking-fueled scam centres have expanded their global footprint, according to a new crime trend update released by INTERPOL. As of March 2025, victims from 66 countries were trafficked into online scam centres, with no continent left untouched. Seventy-four percent of human trafficking victims were brought to centres in the original ‘hub’ region of Southeast Asia, according to analysis of the crime trend using data from relevant INTERPOL Notices issued in the past five years."
  https://www.interpol.int/en/News-and-Events/News/2025/INTERPOL-releases-new-information-on-globalization-of-scam-centres
  https://therecord.media/interpol-west-africa-cybercrime-compounds
• Russia Jails Man For 16 Years Over Pro-Ukraine Cyberattacks On Critical Infrastructure
  "A Russian court has sentenced a man to 16 years in a high-security penal colony for launching cyberattacks that disrupted critical infrastructure, authorities said on Wednesday. Andrei Smirnov, a resident of the Siberian city of Belovo, was detained in October 2023 and charged with treason. Prosecutors said he held pro-Ukrainian views and joined a hacker group allegedly acting in the interests of Ukrainian intelligence. According to their investigation, Smirnov used malware to attack Russian information systems in 2022, blocking access to websites of several local companies and damaging critical infrastructure. Russian authorities did not specify which infrastructure or companies were affected."
  https://therecord.media/russia-jails-man-over-pro-ukraine-cyberattacks
• Ransomware And Cyber Extortion In Q2 2025
  "The decline of legacy ransomware groups has created a vacuum that’s quickly been filled by emerging groups like “Qilin.” Nonetheless, this quarter still saw a 31% decrease in named victims compared to the previous quarter. Leading ransomware-as-a-service (RaaS) groups like Qilin and “Akira” rely on the mass exploitation of vulnerabilities to compromise organizations with speed and precision. Future ransomware leaders are likely to succeed by combining automated discovery tools with public proof-of-concept (POC) exploits, accelerating compromises and propelling them to the forefront of the ransomware race. To counter these threats, organizations must prioritize asset discovery and implement a strict patch management framework to ensure exposed and critical devices cannot be exploited by ransomware actors."
  https://reliaquest.com/blog/ransomware-cyber-extortion-threat-intel-q2-2025/
  https://www.infosecurity-magazine.com/news/automation-vulnerability/

อ้างอิง
Electronic Transactions Development Agency(ETDA)

Financial Sector

• How FinTechs Are Turning GRC Into a Strategic Enabler
  "In this Help Net Security interview, Alexander Clemm, Corp GRC Lead, Group CISO, and BCO at Riverty, shares how the GRC landscape for FinTechs has matured in response to tighter regulations and global growth. He discusses the impact of frameworks like DORA and the EU AI Act, and reflects on building a culture where compliance supports, rather than slows, business progress."
  https://www.helpnetsecurity.com/2025/07/02/alexander-clemm-riverty-fintechs-grc-landscape/

New Tooling

• Secretless Broker: Open-Source Tool Connects Apps Securely Without Passwords Or Keys
  "Secretless Broker is an open-source connection broker that eliminates the need for client applications to manage secrets when accessing target services like databases, web services, SSH endpoints, or other TCP-based systems."
  https://www.helpnetsecurity.com/2025/07/02/secretless-broker-open-source-tool-connects-apps-securely/
  https://github.com/cyberark/secretless-broker

Vulnerabilities

• Cisco Warns That Unified CM Has Hardcoded Root SSH Credentials
  "Cisco has removed a backdoor account from its Unified Communications Manager (Unified CM), which would have allowed remote attackers to log in to unpatched devices with root privileges. Cisco Unified Communications Manager (CUCM), formerly known as Cisco CallManager, serves as the central control system for Cisco's IP telephony systems, handling call routing, device management, and telephony features. The vulnerability (tracked as CVE-2025-20309) was rated as maximum severity, and it is caused by static user credentials for the root account, which were intended for use during development and testing."
  https://www.bleepingcomputer.com/news/security/cisco-removes-unified-cm-callManager-backdoor-root-account/
  https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cucm-ssh-m4UBdpE7
  https://securityaffairs.com/179577/security/cisco-removed-the-backdoor-account-from-its-unified-communications-manager.html
  https://www.theregister.com/2025/07/02/cisco_patch_cvss/
• 600,000 WordPress Sites Affected By Arbitrary File Deletion Vulnerability In Forminator WordPress Plugin
  "On June 20th, 2025, we received a submission for an Arbitrary File Deletion vulnerability in Forminator, a WordPress plugin with more than 600,000 active installations. This vulnerability makes it possible for unauthenticated threat actors to specify arbitrary file paths in a form submission, and the file will be deleted when the submission is deleted. It can be leveraged to delete critical files like wp-config.php, which can lead to remote code execution. Props to Phat RiO – BlueRock who discovered and responsibly reported this vulnerability through the Wordfence Bug Bounty Program. This researcher earned a bounty of $8,100.00 for this discovery, the top bounty awarded through our program so far."
  https://www.wordfence.com/blog/2025/07/600000-wordpress-sites-affected-by-arbitrary-file-deletion-vulnerability-in-forminator-wordpress-plugin/
  https://www.bleepingcomputer.com/news/security/forminator-plugin-flaw-exposes-wordpress-sites-to-takeover-attacks/
  https://www.securityweek.com/forminator-wordpress-plugin-vulnerability-exposes-400000-websites-to-takeover/
• CISA Adds One Known Exploited Vulnerability To Catalog
  "CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
  CVE-2025-6554 Google Chromium V8 Type Confusion Vulnerability"
  https://www.cisa.gov/news-events/alerts/2025/07/02/cisa-adds-one-known-exploited-vulnerability-catalog

Malware

• Analysis Of Attacks Targeting Linux SSH Servers For Proxy Installation
  "AhnLab SEcurity intelligence Center (ASEC) monitors attacks targeting Linux servers that are inappropriately managed using honeypots. One of the representative honeypots is the SSH service that uses weak credentials, which is targeted by a large number of DDoS and coinminer attackers. ASEC has identified cases where Linux servers were attacked to install proxies. In each case, TinyProxy or Sing-box was installed. No other attack logs were found except for the installation of TinyProxy or Sing-box. It appears that the attackers aim to use the infected systems as proxy nodes."
  https://asec.ahnlab.com/en/88749/
• DCRAT Impersonating The Colombian Government
  "The FortiMail IR team recently uncovered a new email attack distributing a Remote Access Trojan called DCRAT. The threat actor is impersonating a Colombian government entity to target organizations in Colombia. The threat actor uses multiple techniques, such as a password protected archive, obfuscation, steganography, base64 encoding, and multiple file drops, to evade detection."
  https://www.fortinet.com/blog/threat-research/dcrat-impersonating-the-columbian-government
• June's Dark Gift: The Rise Of Qwizzserial
  "Discovered by Group-IB in mid-2024, the Qwizzserial, which was initially not very active, began to spread strongly in Uzbekistan, masquerading as legitimate applications. The malware steals banking information and intercepts 2FA sms, transmitting it to fraudsters via Telegram bots."
  https://www.group-ib.com/blog/rise-of-qwizzserial/
  https://www.infosecurity-magazine.com/news/android-sms-stealer-100000/
• Okta Observes v0 AI Tool Used To Build Phishing Sites
  "Okta Threat Intelligence has observed threat actors abusing v0, a breakthrough Generative Artificial Intelligence (GenAI) tool created by Vercel, to develop phishing sites that impersonate legitimate sign-in webpages. This observation signals a new evolution in the weaponization of Generative AI by threat actors who have demonstrated an ability to generate a functional phishing site from simple text prompts. Okta researchers were able to reproduce our observations."
  https://www.okta.com/newsroom/articles/okta-observes-v0-ai-tool-used-to-build-phishing-sites/
  https://thehackernews.com/2025/07/vercels-v0-ai-tool-weaponized-by.html
• MacOS NimDoor | DPRK Threat Actors Target Web3 And Crypto Platforms With Nim-Based Malware
  "In April 2025, Huntabil.IT observed a targeted attack on a Web3 startup, attributing the incident to a DPRK threat actor group. Several reports on social media at the time described similar incidents at other Web3 and Crypto organizations. Analysis revealed an attack chain consisting of an eclectic mix of scripts and binaries written in AppleScript, C++ and Nim. Although the early stages of the attack follow a familiar DPRK pattern using social engineering, lure scripts and fake updates, the use of Nim-compiled binaries on macOS is a more unusual choice. A report by Huntress in mid-June described a similar initial attack chain as observed by Huntabil.IT, albeit using different later stage payloads."
  https://www.sentinelone.com/labs/macos-nimdoor-dprk-threat-actors-target-web3-and-crypto-platforms-with-nim-based-malware/
  https://www.bleepingcomputer.com/news/security/nimdoor-crypto-theft-macos-malware-revives-itself-when-killed/
  https://thehackernews.com/2025/07/north-korean-hackers-target-web3-with.html
• FoxyWallet: 40+ Malicious Firefox Extensions Exposed
  "A large-scale malicious campaign has been uncovered involving dozens of fake Firefox extensions designed to steal cryptocurrency wallet credentials. These extensions impersonate legitimate wallet tools from widely-used platforms such as Coinbase, MetaMask, Trust Wallet, Phantom, Exodus, OKX, Keplr, MyMonero, Bitget, Leap, Ethereum Wallet, and Filfox. Once installed, the malicious extensions silently exfiltrate wallet secrets, putting users’ assets at immediate risk. So far, we were able to link to over 40 different extensions to this campaign, which is still ongoing and very much alive — some extensions are still available on the marketplace. The linkage was done through a meticulous effort of discovering shared TTPs and infrastructure."
  https://blog.koi.security/foxywallet-40-malicious-firefox-extensions-exposed-4c14419de486
  https://www.bleepingcomputer.com/news/security/dozens-of-fake-wallet-add-ons-flood-firefox-store-to-drain-crypto/
• French Cybersecurity Agency Confirms Government Affected By Ivanti Hacks
  "France’s cybersecurity agency reported on Tuesday that a range of government, utility and private sector entities in the country were impacted by a hacking campaign last year exploiting multiple zero-day vulnerabilities in an Ivanti appliance. The campaign, which had prompted a warning in September by U.S. cybersecurity authorities, targeted the Ivanti Cloud Service Appliance — a bit of software that connects on-premise networks with cloud-based services. In France, the hacking campaign targeted “organizations from governmental, telecommunications, media, finance, and transport sectors,” stated the report from ANSSI — the Agence Nationale de la Sécurité des Systèmes d’Information (the National Agency for the Security of Information Systems) — exploiting bugs tracked as CVE-2024-8190, CVE-2024-8963, and CVE-2024-9380."
  https://therecord.media/france-anssi-report-ivanti-bugs-exploited
  https://www.cert.ssi.gouv.fr/uploads/CERTFR-2025-CTI-009.pdf
  https://www.darkreading.com/cyber-risk/initial-access-broker-self-patches-zero-days
  https://www.bankinfosecurity.com/chinese-hackers-exploited-ivanti-flaw-in-france-a-28888
  https://www.infosecurity-magazine.com/news/chinese-hackers-france-ivanti/
• PDFs: Portable Documents, Or Perfect Deliveries For Phish?
  "The portable document format (PDF) is a standard method for sharing information electronically. Files created in other applications (e.g., Microsoft Word) are often converted into this format, which can then be viewed using PDF rendering applications like Adobe Reader, commonly available on most OSs. Thanks to its excellent portability, this file format is widely used for the mass distribution of documents to large audiences. However, in recent months, it has also been exploited for illegitimate purposes, such as brand impersonation."
  https://blog.talosintelligence.com/pdfs-portable-documents-or-perfect-deliveries-for-phish/
  https://thehackernews.com/2025/07/hackers-using-pdfs-to-impersonate.html
• Jasper Sleet: North Korean Remote IT Workers’ Evolving Tactics To Infiltrate Organizations
  "Since 2024, Microsoft Threat Intelligence has observed remote information technology (IT) workers deployed by North Korea leveraging AI to improve the scale and sophistication of their operations, steal data, and generate revenue for the Democratic People’s Republic of Korea (DPRK). Among the changes noted in the North Korean remote IT worker tactics, techniques, and procedures (TTPs) include the use of AI tools to replace images in stolen employment and identity documents and enhance North Korean IT worker photos to make them appear more professional. We’ve also observed that they’ve been utilizing voice-changing software."
  https://www.microsoft.com/en-us/security/blog/2025/06/30/jasper-sleet-north-korean-remote-it-workers-evolving-tactics-to-infiltrate-organizations/
  https://www.darkreading.com/cyberattacks-data-breaches/scope-scale-spurious-north-korean-it-workers
  Silent Push Uncovers Chinese Fake Marketplace e-Commerce Phishing Campaign Using Thousands Of Websites To * Spoof Popular Retail Brands
  "From a lead gained through a recent X/Twitter post by Mexican journalist Ignacio Gómez Villaseñor, Silent Push Threat Analysts have been investigating a new phishing e-commerce website scam campaign. The original campaign observed was targeting Spanish-language visitors shopping for the “Hot Sale 2025.” The research by Gómez Villaseñor focused on specific domains found on one IP address targeting Spanish-language audiences; however, it was but one slice of a much larger campaign."
  https://www.silentpush.com/blog/fake-marketplace/
  https://therecord.media/china-linked-hackers-website-phishing
• Cl0p Cybercrime Gang's Data Exfiltration Tool Found Vulnerable To RCE Attacks
  "Security experts have uncovered a hole in Cl0p's data exfiltration tool that could potentially leave the cybercrime group vulnerable to attack. The vulnerability in the Python-based software, which was used in the 2023-2024 MOVEit mass data raids, was discovered by Italian researcher Lorenzo N and published by the Computer Incident Response Center Luxembourg (CIRCL). Classed as an improper input validation (CWE-20) bug, the flaw with an 8.9 severity score is underpinned by a lack of input sanitization, which results in the tool constructing OS commands by concatenating attacker-supplied strings."
  https://www.theregister.com/2025/07/02/cl0p_rce_vulnerability/
  https://vulnerability.circl.lu/vuln/gcve-1-2025-0002
• Windows Shortcut (LNK) Malware Strategies
  "Attackers are increasingly exploiting Windows shortcut (LNK) files for malware delivery. Our telemetry revealed 21,098 malicious LNK samples in 2023, which surged to 68,392 in 2024. In this article, we present an in-depth investigation of LNK malware, based on analysis of 30,000 recent samples. Windows shortcut files use the .lnk file extension and function as a virtual link that allows people to easily access other files without having to navigate through multiple folders on a Windows host. The flexibility of LNK files makes them a powerful tool for attackers, as they can both execute malicious content and masquerade as legitimate files to deceive victims into unintentionally launching malware."
  https://unit42.paloaltonetworks.com/lnk-malware/
• ESET Research: Russia’s Gamaredon APT Group Unleashed Spearphishing Campaigns Against Ukraine With An Evolved Toolset
  "ESET Research has released a white paper about Gamaredon’s updated cyberespionage toolset, new stealth-focused techniques, and aggressive spearphishing operations observed across the previous year. Gamaredon, attributed by the Security Service of Ukraine (SSU) to the 18th Center of Information Security of Russia’s Federal Security Service (FSB), has targeted Ukrainian governmental institutions since at least 2013. In 2024, Gamaredon exclusively attacked Ukrainian institutions. ESET’s latest research shows that the group remains highly active, consistently targeting Ukraine, but has notably adapted its tactics and tools. The group’s objective is cyberespionage aligned with Russian geopolitical interests. Last year, the group significantly increased the scale and frequency of spearphishing campaigns, employing new delivery methods, and one attack payload was used solely to spread Russian propaganda."
  https://www.eset.com/us/about/newsroom/research/eset-research-russias-gamaredon-apt-group-unleashed-spearphishing-campaigns-against-ukraine-with-an-evolved-toolset/
  https://www.welivesecurity.com/en/eset-research/gamaredon-2024-cranking-out-spearphishing-campaigns-ukraine-evolved-toolset/
  https://web-assets.esetstatic.com/wls/en/papers/white-papers/gamaredon-in-2024.pdf
  https://www.darkreading.com/cyberattacks-data-breaches/russian-apt-gamaredon-ukraine-phishing

Breaches/Hacks/Leaks

• US Calls Reported Threats By Pro-Iran Hackers To Release Trump-Tied Material a ‘Smear Campaign’
  "Pro-Iran hackers have threatened to release emails supposedly stolen from people connected to President Donald Trump, according to a news report, a move that federal authorities call a “calculated smear campaign.” The United States has warned of continued Iranian cyberattacks following American strikes on Iran’s nuclear facilities and the threats those could pose to services, economic systems and companies. The Cybersecurity and Infrastructure Security Agency said late Monday that the threat to expose emails about Trump is “nothing more than digital propaganda” meant to damage Trump and other federal officials."
  https://www.securityweek.com/us-calls-reported-threats-by-pro-iran-hackers-to-release-trump-tied-material-a-smear-campaign/
• Medical Device Company Surmodics Reports Cyberattack, Says It’s Still Recovering
  "Minnesota-based company Surmodics said a cyberattack on June 5 forced the medical device manufacturer to shut down parts of its IT system. Surmodics is the largest U.S. provider of outsourced hydrophilic coatings used to reduce friction for objects such as intravascular medical devices. Last month its IT team discovered unauthorized access in its network and took systems offline, while using alternative methods to accept customer orders and ship products. Law enforcement has been notified, according to a filing with the U.S. Securities and Exchange Commission (SEC)."
  https://therecord.media/surmodics-medical-device-company-reports-cybersecurity-incident
• Hacker With ‘political Agenda’ Stole Data From Columbia, University Says
  "A hacktivist with a “political agenda” broke into Columbia University IT systems and stole “targeted” student data in recent weeks, a university official said Tuesday. It is unclear how long the hacker was in university systems but a Columbia spokesperson said there has been no threat activity detected since June 24. Last week, the school said it was investigating a cyberattack and the university’s website and other systems were intermittently offline. “Our investigation has indicated the hackers are highly sophisticated and were very targeted in their theft of documents,” the university official said. “They broke in and stole student data with the apparent goal of furthering their political agenda.”"
  https://therecord.media/hacker-political-agenda-columbia-cyberattack
• Ransomware Gang Attacks German Charity That Feeds Starving Children
  "Deutsche Welthungerhilfe (WHH), the German charity that aims to develop sustainable food supplies in some of the world’s most impoverished countries, has been attacked by a ransomware gang. The charity, whose name literally translates as World Hunger Help, reached 16.4 million people in 2023. It is currently providing emergency aid to people in Gaza, Ukraine, Sudan and other countries and regions where there is an urgent need for food, water, medicine and basic necessities. A spokesperson confirmed to Recorded Future News that WHH had been targeted by a ransomware-as-a-service (RaaS) group which recently listed the charity on its darknet leak site."
  https://therecord.media/welthungerhilfe-german-hunger-relief-charity-ransomware-attack
• Hacktivists' Claimed Breach Of Nuclear Secrets Debunked
  "Security experts are dismissing a pro-Iranian hacktivist group's claim to have breached Indian nuclear secrets in reprisal for the country's support of Israel. The LulzSec Black group last week claimed to have hacked "the company responsible for Indian nuclear reactors" and to have stolen 80 databases, of which it was now selling 17 databases containing 5.2 gigabytes of data. The group claimed the information detailed the precise location of India's nuclear reactors, numerous chemical laboratories, employee personally identifiable information, industrial and engineering information, precise details of guard shifts and "other sensitive data related to infrastructure.""
  https://www.bankinfosecurity.com/hacktivists-claimed-breach-nuclear-secrets-debunked-a-28881

General News

• Cybersecurity Essentials For The Future: From Hype To What Works
  "Cybersecurity never stands still. One week it’s AI-powered attacks, the next it’s a new data breach, regulation, or budget cut. With all that noise, it’s easy to get distracted. But at the end of the day, the goal stays the same: protect the business. CISOs are being asked to juggle more, with tighter resources, more boardroom time, and threats that keep changing. Here are five areas that deserve your attention now and going forward."
  https://www.helpnetsecurity.com/2025/07/02/cybersecurity-essentials-best-practices/
• Scammers Are Trick­ing Travelers Into Booking Trips That Don’t Exist
  "Not long ago, travelers worried about bad weather. Now, they’re worried the rental they booked doesn’t even exist. With AI-generated photos and fake reviews, scammers are creating fake listings so convincing, people are losing money before they even pack a bag. The FTC reported that Americans lost $274 million to vacation and travel fraud in 2024."
  https://www.helpnetsecurity.com/2025/07/02/ai-travel-scams/
• DOJ Investigates Ex-Ransomware Negotiator Over Extortion Kickbacks
  "An ex-ransomware negotiator is under criminal investigation by the Department of Justice for allegedly working with ransomware gangs to profit from extortion payment deals. The suspect is a former employee of DigitalMint, a Chicago-based incident response and digital asset services company that specializes in ransomware negotiation and facilitating cryptocurrency payments to receive a decryptor or prevent stolen data from being publicly released. The company claims to have conducted over 2,000 ransomware negotiations since 2017. Bloomberg first reported that the DOJ is investigating whether the suspect worked with ransomware gangs to negotiate payments, then allegedly received a cut of the ransom that was charged to the customer."
  https://www.bleepingcomputer.com/news/security/doj-investigates-ex-ransomware-negotiator-over-extortion-kickbacks/
• Spain Arrests Hackers Who Targeted Politicians And Journalists
  "The Spanish police have arrested two individuals in the province of Las Palmas for their alleged involvement in cybercriminal activity, including data theft from the country's government. The duo has been described as a "serious threat to national security" and focused their attacks on high-ranking state officials as well as journalists. They leaked samples of the stolen data online to build notoriety and inflate the selling price. "The investigation began when agents detected the leakage of personal data affecting high-level institutions of the State across various mass communication channels and social networks," reads the police announcement."
  https://www.bleepingcomputer.com/news/security/spain-arrests-hackers-who-targeted-politicians-and-journalists/
  https://therecord.media/spain-arrests-two-data-leaks-targeting-gov-officials-journalists
• Spain TLD’s Recent Rise To Dominance
  "Threat actors use various Top-Level Domains (TLDs) to host malicious content and serve as Command and Control (C2) locations. Commonly abused TLDs used to host credential phishing include .ru and .com. More recently, Cofense Intelligence detected a meteoric increase in abuse of the .es TLD for malicious activity. From Q4 2024 to Q1 2025, .es TLD abuse increased 19x and became part of the top 10 abused TLDs in credential phishing. This increase applies to both first-stage URLs (links embedded in emails or attachments) and second-stage URLs (sites visited after the embedded URLs). These second-stage URLs typically host credential phishing pages or exfiltrate information. It is these second-stage URLs that have seen the greatest increase in .es TLD abuse."
  https://cofense.com/blog/spain-tld-s-recent-rise-to-dominance
• 1 Year Later: Lessons Learned From The CrowdStrike Outage
  "One year after a buggy CrowdStrike update knocked IT systems offline, organizations seeking to strike the right balance between security and productivity have viewed the incident as a learning opportunity. The cost of the CrowdStrike outage was estimated at $5.4 billion, affecting payment systems, airline reservations, and a variety of other industries. The impact of the outage highlights why many operational technology (OT) teams are as sensitive to patches and other updates in their critical infrastructure, as they are highly averse to outages that can happen if such updates are defective."
  https://www.darkreading.com/vulnerabilities-threats/1-year-later-lessons-crowdstrike-outage
• Rethinking Cyber-Risk As Traditional Models Fall Short
  "Rapidly advancing technology, increasingly sophisticated attackers, and a rise in supply chain threats make systemic cyber-risk difficult to assess. An influx of vulnerabilities that continue to amass each year, paired with faster exploit times, doesn't help. Risk models developed to measure systemic cyber-risk can help organizations determine the likelihood of a disruptive attack and expose security holes. Insurers use modeling to assess systemic cyber-risk, which influences underwriting, coverage, and policy pricing decisions."
  https://www.darkreading.com/cyber-risk/rethinking-cyber-risk-traditional-models-fall-short
• Like Ransoming a Bike: Organizational Muscle Memory Drives The Most Effective Response
  "Ransomware has become an enterprise boogeyman experiencing 37 percent increase over 2024 according to the Verizon Data Breach Investigations Report (PDF), being present in nearly half of all breaches. It would seem that resistance is futile as all the technology and training put in place fail to repel attacks, and all the best practices in backups and redundancy provide only cold comfort. But in the old joke of a tiger pursuing two friends, there are lessons in survivability that translate in a business context. However, in this context It’s not just being the faster friend, it’s organizational athleticism and muscle memory fostering agility and quick, decisive thinking that can make a massive difference in impact. And as with athletic performance, that muscle memory is earned with proper training, form, and practice."
  https://www.securityweek.com/like-ransoming-a-bike-organizational-muscle-memory-drives-the-most-effective-response/
• That Network Traffic Looks Legit, But It Could Be Hiding a Serious Threat
  "Where do you turn when firewalls and endpoint detection and response (EDR) fall short at detecting the most important threats to your organization? Breaches at edge devices and VPN gateways have risen from 3% to 22%, according to Verizon's latest Data Breach Investigations report. EDR solutions are struggling to catch zero-day exploits, living-off-the-land techniques, and malware-free attacks. Nearly 80% of detected threats use malware-free techniques that mimic normal user behavior, as highlighted in CrowdStrike's 2025 Global Threat Report. The stark reality is that conventional detection methods are no longer sufficient as threat actors adapt their strategies, using clever techniques like credential theft or DLL hijacking to avoid discovery."
  https://thehackernews.com/2025/07/that-network-traffic-looks-legit-but-it.html

อ้างอิง
Electronic Transactions Development Agency(ETDA)

Cybersecurity and Infrastructure Security Agency (CISA) ได้เผยแพร่คำแนะนำเกี่ยวกับระบบควบคุมอุตสาหกรรม (ICS) 7 รายการ เมื่อวันที่ 2 กรกฎาคม 2568 ซึ่งคำแนะนำเหล่านี้ให้ข้อมูลที่ทันท่วงทีเกี่ยวกับปัญหาด้านความปลอดภัยช่องโหว่ และช่องโหว่ที่อยู่รอบ ๆ ICS ในปัจจุบัน มีดังต่อไปนี้

• ICSA-25-182-01 FESTO Didactic CP, MPS 200, and MPS 400 Firmware
• ICSA-25-182-02 FESTO Automation Suite, FluidDraw, and Festo Didactic Products
• ICSA-25-182-03 FESTO CODESYS
• ICSA-25-182-04 FESTO Hardware Controller, Hardware Servo Press Kit
• ICSA-25-182-05 Voltronic Power and PowerShield UPS Monitoring Software
• ICSA-25-182-06 Hitachi Energy Relion 670/650 and SAM600-IO Series
• ICSA-25-182-07 Hitachi Energy MSM

ทั้งนี้ CISA สนับสนุนให้ผู้ใช้และผู้ดูแลระบบตรวจสอบคำแนะนำ ICS ที่เผยแพร่ใหม่สำหรับรายละเอียดทางเทคนิคและการบรรเทาผลกระทบ รายละเอียดเพิ่มเติมที่ https://www.cisa.gov/news-events/alerts/2025/07/01/cisa-releases-seven-industrial-control-systems-advisories

อ้างอิง
https://www.cisa.gov/news-events/alerts/2025/07/01/cisa-releases-seven-industrial-control-systems-advisories
สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

Energy Sector

• Protecting The Core: Securing Protection Relays In Modern Substations
  "Substations are critical nexus points in the power grid, transforming high-voltage electricity to ensure its safe and efficient delivery from power plants to millions of end-users. At the core of a modern substation lies the protection relay: an intelligent electronic device (IED) that plays a critical role in maintaining the stability of the power grid by continuously monitoring voltage, current, frequency, and phase angle. Upon detecting a fault, it instantly isolates the affected zone by tripping circuit breakers, thus preventing equipment damage, fire hazards, and cascading power outages."
  https://cloud.google.com/blog/topics/threat-intelligence/securing-protection-relays-modern-substations

Industrial Sector

• FESTO Didactic CP, MPS 200, And MPS 400 Firmware
  "Successful exploitation of this vulnerability could allow an attacker to write arbitrary data and code to protected memory areas or read sensitive data to launch further attacks."
  https://www.cisa.gov/news-events/ics-advisories/icsa-25-182-01
• FESTO Automation Suite, FluidDraw, And Festo Didactic Products
  "Successful exploitation of these vulnerabilities could allow an attacker to gain full control of the host system, including remote code execution."
  https://www.cisa.gov/news-events/ics-advisories/icsa-25-182-02
• FESTO CODESYS
  "Successful exploitation of these vulnerabilities could allow an attacker to block legitimate user connections, crash the application, or authenticate without proper credentials."
  https://www.cisa.gov/news-events/ics-advisories/icsa-25-182-03
• FESTO Hardware Controller, Hardware Servo Press Kit
  "Successful exploitation of these vulnerabilities could allow an attacker to execute unauthorized system commands with root privileges."
  https://www.cisa.gov/news-events/ics-advisories/icsa-25-182-04
• Voltronic Power And PowerShield UPS Monitoring Software
  "Successful exploitation of these vulnerabilities could allow an unauthenticated attacker remotely to make configuration changes, resulting in shutting down UPS connected devices or execution of arbitrary code."
  https://www.cisa.gov/news-events/ics-advisories/icsa-25-182-05
• Hitachi Energy Relion 670/650 And SAM600-IO Series
  "Successful exploitation of this vulnerability could allow attackers to cause a denial-of-service that disrupts critical functions in the device."
  https://www.cisa.gov/news-events/ics-advisories/icsa-25-182-06
• Hitachi Energy MSM
  "Successful exploitation of this vulnerability could allow attackers to execute untrusted code, potentially leading to unauthorized actions or system compromise."
  https://www.cisa.gov/news-events/ics-advisories/icsa-25-182-07

Vulnerabilities

• Critical RCE Vulnerability In Anthropic MCP Inspector - CVE-2025-49596
  "Oligo Security Research reported a Remote Code Execution (RCE) vulnerability and DNS rebinding in the MCP Inspector project to Anthropic, leading to CVE-2025-49596 being issued, with a Critical CVSS Score of 9.4. This is one of the first critical RCEs in Anthropic’s MCP ecosystem, exposing a new class of browser-based attacks against AI developer tools. With code execution on a developer’s machine, attackers can steal data, install backdoors, and move laterally across networks - highlighting serious risks for AI teams, open-source projects, and enterprise adopters relying on MCP. When a victim visits a malicious website, the vulnerability allows attackers to run arbitrary code on the visiting host running the official MCP inspector tool that is used by default in many use cases."
  https://www.oligo.security/blog/critical-rce-vulnerability-in-anthropic-mcp-inspector-cve-2025-49596
  https://thehackernews.com/2025/07/critical-vulnerability-in-anthropics.html
• Chrome Zero-Day, 'FoxyWallet' Firefox Attacks Threaten Browsers
  "Both the Google Chrome and Mozilla Firefox browsers currently are under separate attacks, the former from actors exploiting a zero-day bug and the latter from a list of malicious extensions that are actively compromising users. Google rushed out a stable channel update on Monday to patch the fourth zero-day flaw found in its browser this year, a high-severity type confusion flaw tracked as CVE-2025-6554, according to a Google security advisory. The flaw, which allows attackers to execute arbitrary code, is under active exploitation and should be patched immediately. Meanwhile, 45 malicious Firefox extensions impersonating legitimate cryptocurrency wallet add-ons are targeting Mozilla Firefox users, compromising their client devices."
  https://www.darkreading.com/cyberattacks-data-breaches/browsers-targeted-chrome-zero-day-malicious-firefox-extensions
  https://www.bleepingcomputer.com/news/security/google-fixes-fourth-actively-exploited-chrome-zero-day-of-2025/
  https://thehackernews.com/2025/07/google-patches-critical-zero-day-flaw.html
  https://www.securityweek.com/chrome-138-update-patches-zero-day-vulnerability/
  https://www.helpnetsecurity.com/2025/07/01/google-patches-actively-exploited-chrome-cve-2025-6554/
  https://www.infosecurity-magazine.com/news/google-patch-chrome-zero-day/
  https://www.malwarebytes.com/blog/news/2025/07/update-your-chrome-to-fix-new-actively-exploited-zero-day-vulnerability
• CISA Adds Two Known Exploited Vulnerabilities To Catalog
  "CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
  CVE-2025-48927 TeleMessage TM SGNL Initialization of a Resource with an Insecure Default Vulnerability
  CVE-2025-48928 TeleMessage TM SGNL Exposure of Core Dump File to an Unauthorized Control Sphere Vulnerability"
  https://www.cisa.gov/news-events/alerts/2025/07/01/cisa-adds-two-known-exploited-vulnerabilities-catalog
• Sudo Local Privilege Escalation Vulnerabilities Fixed (CVE-2025-32462, CVE-2025-32463)
  "If you haven’t recently updated the Sudo utility on your Linux box(es), you should do so now, to patch two local privilege escalation vulnerabilities (CVE-2025-32462, CVE-2025-32463) that have been disclosed on Monday. Sudo is command-line utility in Unix-like operating systems that allows a low-privilege user to execute a command as another user, typically the root/administrator user. The utility effectively grants temporary elevated privileges without requiring the user to log in as root."
  https://www.helpnetsecurity.com/2025/07/01/sudo-local-privilege-escalation-vulnerabilities-fixed-cve-2025-32462-cve-2025-32463/
• Can You Trust That Verified Symbol? Exploiting IDE Extensions Is Easier Than It Should Be
  "Integrated Development Environments (IDEs) play a major role in today’s programming landscape. They provide comprehensive environments in which programmers can write, test, and debug code efficiently. However, OX’s research, conducted in May and June 2025, reveals critical security vulnerabilities in how popular IDEs handle extension verification. IDEs typically include basic built-in functionality, but their capabilities extend through a wide range of third-party extensions available on marketplaces and external websites. This means that any risk in the IDE could result in far-reaching consequences."
  https://www.ox.security/can-you-trust-that-verified-symbol-exploiting-ide-extensions-is-easier-than-it-should-be/
  https://thehackernews.com/2025/07/new-flaw-in-ides-like-visual-studio.html

Malware

• How Analyzing 700,000 Security Incidents Helped Our Understanding Of Living Off The Land Tactics
  "This article shares initial findings from internal Bitdefender Labs research into Living off the Land (LOTL) techniques. Our team at Bitdefender Labs, comprised of hundreds of security researchers with close ties to academia, conducted this analysis as foundational research during the development of our GravityZone Proactive Hardening and Attack Surface Reduction (PHASR) technology. The results reveal adversaries’ persistent and widespread use of trusted system tools in most significant security incidents. While this research was primarily for our internal development efforts, we believe these initial insights from Bitdefender Labs are valuable for broader understanding and we are sharing them now, ahead of a more comprehensive report."
  https://www.helpnetsecurity.com/2025/07/01/bitdefender-lotl-security-incidents-phasr/
• FileFix (Part 2)
  "While analyzing Chrome & MS Edge’s behavior, I made an interesting observation. When an HTML page is saved using Ctrl+S or Right-click > “Save as” and either “Webpage, Single File” or “Webpage, Complete” types were selected, then the file downloaded does not have MOTW. Furthermore, this behaviour only applies if the webpage being saved has a MIME type of text/html or application/xhtml+xml. Other MIME types will result in the file being tagged with MOTW (e.g. image/png, image/svg+xml etc.)"
  https://mrd0x.com/filefix-part-2/
  https://www.bleepingcomputer.com/news/security/new-filefix-attack-runs-jscript-while-bypassing-windows-motw-alerts/
• Stealthy WordPress Malware Drops Windows Trojan Via PHP Backdoor
  "Last month, we encountered a particularly interesting and complex malware case that stood out from the usual infections we see in compromised WordPress websites. At first glance, the site looked clean, no visible signs of defacement, no malicious redirects, and nothing suspicious in the plugin list. But beneath the surface, a hidden infection chain was quietly working to deliver a trojan to unsuspecting visitors. It was a layered attack involving PHP-based droppers, obfuscated code, IP-based evasion, auto-generated batch scripts, and a malicious ZIP archive containing a Windows-based trojan (client32.exe)."
  https://blog.sucuri.net/2025/06/stealthy-wordpress-malware-drops-windows-trojan-via-php-backdoor.html

Breaches/Hacks/Leaks

• Kelly Benefits Says 2024 Data Breach Impacts 550,000 Customers
  "Kelly & Associates Insurance Group (dba Kelly Benefits) is informing more than half a million people of a data breach that compromised their personal information. The Maryland-based health and life insurance agency has issued an update on a security incident it suffered last year between December 12-17, when unauthorized actors breached its IT systems and stole files. On April 9, 2025, the company stated that the incident impacted 32,234 individuals. The figure was revised multiple times until the final tally shared with authorities in the U.S. counted 553,660 individuals."
  https://www.bleepingcomputer.com/news/security/kelly-benefits-says-2024-data-breach-impacts-550-000-customers/
• Esse Health Says Recent Data Breach Affects Over 263,000 Patients
  "Esse Health, a healthcare provider based in St. Louis, Missouri, is notifying over 263,000 patients that their personal and health information was stolen in an April cyberattack. As the largest independent physicians' group in the Greater St. Louis area, Esse Health operates 50 locations and employs over 100 physicians. The organization was made aware of a breach after the attackers took down some primary patient-facing network systems and its phone systems on April 21."
  https://www.bleepingcomputer.com/news/security/esse-health-says-recent-data-breach-affects-over-263-000-patients/
  https://www.securityweek.com/263000-impacted-by-esse-health-data-breach/
  https://securityaffairs.com/179520/data-breach/esse-health-data-breach-impacted-263000-individuals.html
• Qantas Discloses Cyberattack Amid Scattered Spider Aviation Breaches
  "Australian airline Qantas disclosed that it detected a cyberattack on Monday after threat actors gained access to a third-party platform containing customer data. Qantas is Australia's largest airline, operating domestic and international flights across six continents and employing around 24,000 people. In a press release issued Monday night, the airline states that the attack has been contained, but a "significant" amount of data is believed to have been stolen. The breach began after a threat actor targeted a Qantas call centre and gained access to a third-party customer servicing platform."
  https://www.bleepingcomputer.com/news/security/qantas-discloses-cyberattack-amid-scattered-spider-aviation-breaches/
  https://www.itnews.com.au/news/qantas-facing-significant-data-theft-after-cyber-attack-618367
  https://www.theregister.com/2025/07/02/qantas_data_theft/

General News

• How Cybercriminals Are Weaponizing AI And What CISOs Should Do About It
  "In a recent case tracked by Flashpoint, a finance worker at a global firm joined a video call that seemed normal. By the end of it, $25 million was gone. Everyone on the call except the employee was a deepfake. Criminals had used AI-powered cybercrime tactics to impersonate executives convincingly enough to get the payment approved. Threat actors are building LLMs specifically for fraud and cybercrime. These are trained on stolen credentials, scam scripts, and hacking guides. Some generate phishing emails or fake invoices, others explain how to use malware or cash out stolen data, according to the AI and Threat Intelligence report from Flashpoint."
  https://www.helpnetsecurity.com/2025/07/01/defending-ai-powered-cybercrime/
• GenAI Is Everywhere, But Security Policies Haven’t Caught Up
  "Nearly three out of four European IT and cybersecurity professionals say staff are already using generative AI at work, up ten points in a year, but just under a third of organizations have put formal policies in place, according to new ISACA research. The use of AI is becoming more prevalent within the workplace, and so regulating its use is best practice. Yet 31% of organizations have a formal, comprehensive AI policy in place, highlighting a disparity between how often AI is used versus how closely it’s regulated in workplaces."
  https://www.helpnetsecurity.com/2025/07/01/ai-work-policies-europe/
• Federal Reserve System CISO On Aligning Cyber Risk Management With Transparency, Trust
  "In this Help Net Security interview, Tammy Hornsby-Fink, CISO at Federal Reserve System, shares how the Fed approaches cyber risk with a scenario-based, intelligence-driven strategy. She explains how the Fed assesses potential disruptions to financial stability and addresses third-party and cloud service risks. Hornsby-Fink also discusses how federal collaboration supports managing systemic threats and strengthens operational resilience."
  https://www.helpnetsecurity.com/2025/07/01/tammy-hornsby-fink-federal-reserve-system-cyber-risk/
• Scam Centers Are Spreading, And So Is The Human Cost
  "Human trafficking tied to online scam centers is spreading across the globe, according to a new crime trend update from INTERPOL. By March 2025, people from 66 countries had been trafficked into these scam operations, with every continent affected. INTERPOL found that 74% of victims were taken to scam centers in Southeast Asia, the original hotspot for this type of crime. But these centers are now also showing up in other regions, including the Middle East, West Africa, which may be turning into a new hub, and Central America. Most of the traffickers, around 90%, came from Asia. Another 11% were from South America or Africa."
  https://www.helpnetsecurity.com/2025/07/01/interpol-human-trafficking-scam-centers/
  https://www.infosecurity-magazine.com/news/scam-centers-global-footprint/
• Terrible Tales Of Opsec Oversights: How Cybercrooks Get Themselves Caught
  "They say that success breeds complacency, and complacency leads to failure. For cybercriminals, taking too many shortcuts when it comes to opsec delivers a little more than that. In these cases, failure might mean the criminal doesn't get access to the server with the most valuable data to copy, or fails to trick any of the victim org's staff members to execute a malicious remote access tool. Complacency, however, can get them caught, and all too often we hear about highly skilled individuals taking one too many shortcuts – the type that leads police to their doors."
  https://www.theregister.com/2025/07/01/terrible_tales_of_opsec_oversights/
• Treasury Sanctions Global Bulletproof Hosting Service Enabling Cybercriminals And Technology Theft
  "Today, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) is designating Aeza Group, a bulletproof hosting (BPH) services provider, for its role in supporting cybercriminal activity targeting victims in the United States and around the world. BPH service providers sell access to specialized servers and other computer infrastructure designed to help cybercriminals like ransomware actors, personal information stealers, and drug vendors evade detection and resist law enforcement attempts to disrupt their malicious activities. OFAC is also designating two affiliated companies and four individuals who are Aeza Group leaders. Finally, in coordination with the United Kingdom’s (UK) National Crime Agency (NCA), OFAC is designating an Aeza Group front company in the UK."
  https://home.treasury.gov/news/press-releases/sb0185
  https://www.bleepingcomputer.com/news/security/aeza-group-sanctioned-for-hosting-ransomware-infostealer-servers/
  https://therecord.media/russia-bulletproof-hosting-aeza-group-us-sanctions
  https://www.bankinfosecurity.com/us-sanctions-aeza-group-for-hosting-infostealers-ransomware-a-28871
  https://cyberscoop.com/bulletproof-hosting-provider-aezagroup-sanctions/
• Top Ransomware Groups June 2025: Qilin Reclaims Top Spot
  "Qilin was the top ransomware group for the second time in three months in June, suggesting that the group may be strongly benefiting from the turmoil that knocked RansomHub offline at the beginning of April. RansomHub was the top ransomware group for more than a year until rival DragonForce claimed to be taking over its infrastructure in what may have been an act of sabotage. Qilin took over the top spot in April, and after SafePay narrowly took the lead in May, Qilin returned to the top in June with a dominant showing."
  https://cyble.com/blog/top-ransomware-groups-june-2025-qilin-top-spot/
• Like SEO, LLMs May Soon Fall Prey To Phishing Scams
  "Just as attackers have exploited search engine optimization (SEO) techniques to push phishing content in search engine results, expect to soon see them leverage AI-optimized content to influence the outputs of large language models (LLMs) for the same purpose. Making the task possible for them is the tendency by LLMs to often return incorrect domain information in response to simple natural language queries, according to a recent experiment by Netcraft."
  https://www.darkreading.com/cyber-risk/seo-llms-fall-prey-phishing-scams
• Ransomware Reshaped How Cyber Insurers Perform Security Assessments
  "The ransomware scourge has forced cyber insurers to re-examine how they use security assessments. While the threat has been around for years, it's only fairly recently that cybercriminals realized how profitable ransomware attacks could be. As ransomware-as-a-service and double extortion tactics started to emerge, the threat landscape has shifted immensely, with more and more organizations seeing their data splashed online for all to see, acommpanied with payment countdown clocks. Cyber insurance helped organizations address the ransomware threat by providing services such as ransom reimbursement, incident response, and ransom negotiation. But that support came with a price, as policies and premiums fluctuated. In fact, insurance premiums surged in 2020 and 2021."
  https://www.darkreading.com/cybersecurity-operations/ransomware-reshaped-how-cyber-insurers-perform-security-assessments
• We've All Been Wrong: Phishing Training Doesn't Work
  "A recent study suggests, contrary to popular belief, that most phishing awareness initiatives aren't having a material impact on employee cybersecurity. One of the most widely repeated, least examined memes in the cybersecurity industry is that, even more than technical solutions, organizations can best secure themselves by teaching cyber awareness among their employees. Building a "human firewall," to protect an organization's otherwise "weakest link.""
  https://www.darkreading.com/endpoint-security/phishing-training-doesnt-work
• How Businesses Can Align Cyber Defenses With Real Threats
  "With escalating geopolitical tensions and highly publicized cyberattacks on critical infrastructure like Change Healthcare and Colonial Pipeline, businesses worldwide are grappling with increasingly sophisticated cybercriminal tactics. Cybercriminal groups are quickly adopting the highly complex tactics once limited to the most advanced state-backed operations. In parallel, heavily sanctioned nation-states are increasingly using ransomware and cryptocurrency scams through state backed threat actors to finance their regimes."
  https://www.darkreading.com/vulnerabilities-threats/how-businesses-can-align-cyber-defenses-real-threats
• Crypto Hack Losses In First Half Of 2025 Exceed 2024 Total
  "Around $2.47bn in cryptocurrency has been stolen via scams, hacks and exploits in H1 2025, already exceeding the total amount lost during 2024, new data from CertiK has revealed. The surge in crypto losses in 2025 is largely the result of two major security incidents – the ByBit breach and Cetus Protocol incident. Collectively, these incidents cost $1.78bn, 72% of the total. In the ByBit incident, hackers stole $1.4bn in cryptocurrency from the Dubai-based exchange in February 2025. The notorious North Korean state actor Lazarus group is suspected of carrying out the Ethereum attack, which is the largest ever crypto theft to date."
  https://www.infosecurity-magazine.com/news/crypto-hack-losses-half-exceed-2024/
• Cyberattack On Russian Independent Media Had Links To US-Sanctioned Institute, Researchers Find
  "A Russian hosting provider allegedly involved in a recent cyberattack against independent media organizations in the country is reportedly connected to a state-affiliated research center sanctioned by the U.S., according to new research. The hosting provider, Biterika, generated one-third of the junk traffic that flooded the websites of IStories and Verstka after they published an exposé on a child sex trafficking network in Russia that allegedly involved oligarchs and other powerful figures."
  https://therecord.media/cyberattack-on-russian-media-linked-to-sanctioned-institute
• How To Build An Effective Security Awareness Program
  "Organizations invest in advanced tools to secure their assets, but humans are still the most persistent attack vector. Each year, this is reinforced by the overwhelming number of breaches that stem from human behaviour. Ultimately, employees are being asked to be hypervigilant all the time – despite their best efforts, everybody makes mistakes, and you can’t defend what you don’t know. By building a strong security awareness and training program, you can help your employees become your first line of defense against cyberattacks."
  https://www.trendmicro.com/en_us/research/25/f/security-awareness-program.html
• Out-Of-Band, Part 1: The New Generation Of IP KVMs And How To Find Them
  "Welcome to the first post in Out-of-Band, a series exploring the security risks of out-of-band (OoB) management devices like baseboard management controllers, serial console servers, and IP-enabled KVMs. These tools often have weaker security than the systems they control, offering attackers a path to bypass monitoring and safeguards. In this installment, we focus on the latest wave of open-source, network-connected KVMs. We’ll cover where to find them in the wild, how to detect them via network and host signals (plus SIEM), and what their source code reveals about their security posture. Bonus: These devices have been used by North Korean threat actors to spoof in-country access. So if that’s a concern, read on."
  https://www.runzero.com/blog/oob-p1-ip-kvm/

อ้างอิง
Electronic Transactions Development Agency(ETDA)

New Tooling

• RIFT: New Open-Source Tool From Microsoft Helps Analyze Rust Malware
  "Microsoft’s Threat Intelligence Center has released a new tool called RIFT to help malware analysts identify malicious code hidden in Rust binaries. While Rust is becoming more popular for its speed and memory safety, those same qualities make malware written in Rust harder to analyze. RIFT is designed to cut through that complexity and make the job easier."
  https://www.helpnetsecurity.com/2025/06/30/rift-open-source-microsoft-tool-analyze-rust-malware/
  https://github.com/microsoft/RIFT

Vulnerabilities

• Over 1,200 Citrix Servers Unpatched Against Critical Auth Bypass Flaw
  "Over 1,200 Citrix NetScaler ADC and NetScaler Gateway appliances exposed online are unpatched against a critical vulnerability believed to be actively exploited, allowing threat actors to bypass authentication by hijacking user sessions. Tracked as CVE-2025-5777 and referred to as Citrix Bleed 2, this out-of-bounds memory read vulnerability results from insufficient input validation, enabling unauthenticated attackers to access restricted memory regions. A similar Citrix security flaw, dubbed "CitrixBleed," was exploited in ransomware attacks and breaches targeting governments in 2023 to hack NetScaler devices and move laterally across compromised networks."
  https://www.bleepingcomputer.com/news/security/over-1-200-citrix-servers-unpatched-against-critical-auth-bypass-flaw/
  https://www.helpnetsecurity.com/2025/06/30/citrixbleed-2-might-be-actively-exploited-cve-2025-5777/
• CISA Adds One Known Exploited Vulnerability To Catalog
  "CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
  CVE-2025-6543 Citrix NetScaler ADC and Gateway Buffer Overflow Vulnerability"
  https://www.cisa.gov/news-events/alerts/2025/06/30/cisa-adds-one-known-exploited-vulnerability-catalog
  https://securityaffairs.com/179476/hacking/u-s-cisa-adds-citrix-netscaler-flaw-to-its-known-exploited-vulnerabilities-catalog.html

Malware

• International Criminal Court Hit By Cyber Attack
  "The International Criminal Court (ICC) has revealed it detected a "new, sophisticated and targeted" cybersecurity incident late last week, adding it has now been contained. The incident was the second of its type against the ICC in recent years, it said in a statement. In 2023, the ICC announced it had been hacked, and the court struggled with the aftermath for weeks as it was disconnected from most systems that can access the internet."
  https://www.itnews.com.au/news/international-criminal-court-hit-by-cyber-attack-618324
• 10 Things I Hate About Attribution: RomCom Vs. TransferLoader
  "Most of the time, delineating activities from distinct clusters and separating cybercrime from espionage can be done based on differing tactics, techniques, and procedures (TTPs), tooling, volume/scale, and targeting. However, in the case of TA829 and a cluster Proofpoint dubbed “UNK_GreenSec”, there is more ambiguity. TA829 is a cybercriminal actor that occasionally also conducts espionage aligned with Russian state interests, while UNK_GreenSec is an unusual cybercriminal cluster. TA829 overlaps with activity tracked by third-parties as RomCom, Void Rabisu, Storm-0978, CIGAR, Nebulous Mantis, Tropical Scorpius. The UNK_GreenSec cybercriminal cluster does not appear to align with publicly reported activity sets."
  https://www.proofpoint.com/us/blog/threat-insight/10-things-i-hate-about-attribution-romcom-vs-transferloader
• Tracing Blind Eagle To Proton66
  "Trustwave SpiderLabs, which has been tracking Proton66 for the last several months, was able to make this connection by pivoting from Proton66-linked assets, which led to the identification of another active threat cluster relying on the same ASN infrastructure. Pivoting identified what is assessed to be one of its most recent and operationally active infrastructure clusters, characterized by strong interconnections across multiple domains and IP address clusters. This infrastructure exclusively leverages Visual Basic Script (VBS) files as its initial attack vector, relies heavily on free Dynamic DNS (DDNS) services, and deploys readily available Remote Access Trojans (RATs) as a second-stage malware."
  https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/tracing-blind-eagle-to-proton66/
  https://thehackernews.com/2025/06/blind-eagle-uses-proton66-hosting-for.html
• Hide Your RDP: Password Spray Leads To RansomHub Deployment
  "This intrusion began in November 2024 with a password spray attack targeting an internet-facing RDP server. Over the course of several hours, the threat actor attempted logins against multiple accounts using known malicious IPs (based on OSINT). Several hours later they then logged in via RDP with one of the previously compromised users and ran a series of discovery commands, including various net commands to enumerate users and computers. Credential access tools, specifically Mimikatz and Nirsoft CredentialsFileView, were used to extract stored credentials and interact with LSASS memory."
  https://thedfirreport.com/2025/06/30/hide-your-rdp-password-spray-leads-to-ransomhub-deployment/

Breaches/Hacks/Leaks

• Switzerland Says Government Data Stolen In Ransomware Attack
  "The government in Switzerland is informing that sensitive information from various federal offices has been impacted by a ransomware attack at the third-party organization Radix. The hackers have stolen data from Radix systems and later leaked it on the dark web, the Swiss government says. The exposed data is being analyzed with the help of the country’s National Cyber Security Centre (NCSC) to determine which government agencies are impacted and to what effect. “The foundation Radix has been targeted by a ransomware attack, during which data was stolen and encrypted,” announced the Swiss government."
  https://www.bleepingcomputer.com/news/security/switzerland-says-government-data-stolen-in-ransomware-attack/
• Another Billing Software Vendor Hacked By Ransomware
  "Horizon Healthcare RCM is the latest revenue cycle management software vendor to report a health data breach involving ransomware and data theft. The firm's breach notification statement suggests that the company paid a ransom to prevent the disclosure of its stolen information. Horizon Healthcare RCM told Maine's attorney general in a breach report on June 27 that the incident affected six residents of that state."
  https://www.bankinfosecurity.com/another-billing-software-vendor-hacked-by-ransomware-a-28866
• Norwegian Dam Valve Forced Open For Hours In Cyberattack
  "In a concerning incident this April, unidentified hackers managed to breach the control systems of a Norwegian dam. Reportedly, hackers breached the control systems of a Norwegian dam, causing its water valve to open fully. The incident occurred at the Lake Risevatnet dam, situated near the city of Svelgen in Southwest Norway. The valve remained open for four hours before the unauthorized activity was detected. According to the Norwegian energy news outlet, Energiteknikk, the hack did not pose a danger, as the water flow barely exceeded the dam’s minimum requirement. The valve released an additional 497 litres per second, but officials noted that the riverbed could handle a much larger volume, up to 20,000 litres per second."
  https://hackread.com/norwegian-dam-valve-forced-open-hours-in-cyberattack/
• Swiss Nonprofit Health Organization Breached By Sarcoma Ransomware Group
  "The Swiss nonprofit health organization Radix has confirmed that its systems were breached by a ransomware group earlier this month. In a statement on Monday, the Zurich-based agency — which runs health promotion programs and online counseling services — said that the threat actor known as Sarcoma had published data stolen from its systems on a leak site. The Swiss government also issued a statement noting that "various federal offices" are among Radix's customers, and officials are evaluating what data was compromised. Radix has "no direct access" to government systems, the statement said."
  https://therecord.media/sarcoma-ransomware-breach-swiss-healthcare-nonprofit-radix

General News

• Third-Party Breaches Double, Creating Ripple Effects Across Industries
  "Supply chain risks remain top-of-mind for the vast majority of CISOs and cybersecurity leaders, according to SecurityScorecard. Their findings reveal that the way most organizations manage supply chain cyber risk isn’t keeping pace with expanding threats. Third-party involvement in breaches has doubled, rising from 15% to nearly 30%, according to the 2025 Verizon DBIR. A small group of third-party providers supports much of the world’s technology and infrastructure, creating an extreme concentration of risk. When even one of these providers is compromised, the ripple effects can disrupt thousands of organizations simultaneously."
  https://www.helpnetsecurity.com/2025/06/30/supply-chain-cyber-risks/
• Are We Securing AI Like The Rest Of The Cloud?
  "In this Help Net Security interview, Chris McGranahan, Director of Security Architecture & Engineering at Backblaze, discusses how AI is shaping both offensive and defensive cybersecurity tactics. He talks about how AI is changing the threat landscape, the complications it brings to penetration testing, and what companies can do to stay ahead of AI-driven attacks. McGranahan also points out that human expertise remains essential, and we can’t depend on AI alone to protect cloud environments."
  https://www.helpnetsecurity.com/2025/06/30/chris-mcgranahan-backblaze-ai-cloud-security/
• CISA And Partners Urge Critical Infrastructure To Stay Vigilant In The Current Geopolitical Environment
  "Today, CISA, in collaboration with the Federal Bureau of Investigation (FBI), the Department of Defense Cyber Crime Center (DC3), and the National Security Agency (NSA), released a Fact Sheet urging organizations to remain vigilant against potential targeted cyber operations by Iranian state-sponsored or affiliated threat actors. Over the past several months, there has been increasing activity from hacktivists and Iranian government-affiliated actors, which is expected to escalate due to recent events. These cyber actors often exploit targets of opportunity based on the use of unpatched or outdated software with known Common Vulnerabilities and Exposures or the use of default or common passwords on internet-connected accounts and devices."
  https://www.cisa.gov/news-events/alerts/2025/06/30/cisa-and-partners-urge-critical-infrastructure-stay-vigilant-current-geopolitical-environment
  https://www.cisa.gov/resources-tools/resources/iranian-cyber-actors-may-target-vulnerable-us-networks-and-entities-interest
  https://www.cisa.gov/sites/default/files/2025-06/joint-fact-sheet-Iranian-cyber-actors-may-target-vulnerable-US-networks-and-entities-of-interest-508c-1.pdf
  https://www.ic3.gov/CSA/2025/250630.pdf
  https://www.bleepingcomputer.com/news/security/us-warns-of-iranian-cyber-threats-on-critical-infrastructure/
  https://thehackernews.com/2025/06/us-agencies-warn-of-rising-iranian.html
  https://therecord.media/defense-vigilant-cyber-iran-israel
  https://www.infosecurity-magazine.com/news/iranian-cyber-threats-us/
• Crypto Investment Fraud Ring Dismantled In Spain After Defrauding 5 000 Victims Worldwide
  "On 25 June 2025, the Spanish Guardia Civil, with the support of Europol and law enforcement from Estonia, France and the United States of America, arrested five members of a criminal network engaged in cryptocurrency investment fraud. The investigation identified that the perpetrators had laundered EUR 460 million in illicit profits stolen through crypto investment fraud from over 5 000 victims from around the world."
  https://www.europol.europa.eu/media-press/newsroom/news/crypto-investment-fraud-ring-dismantled-in-spain-after-defrauding-5-000-victims-worldwide
  https://www.bleepingcomputer.com/news/security/europol-helps-disrupt-540-million-crypto-investment-fraud-ring/
  https://thehackernews.com/2025/06/europol-dismantles-540-million.html
  https://www.infosecurity-magazine.com/news/taskforce-dismantles-euro460m/
  https://www.helpnetsecurity.com/2025/06/30/spain-crypto-fraud-arrests-2025/
• Hired Hacker Assists Drug Cartel In Finding, Killing FBI Sources
  "The notorious Sinaloa Mexican drug cartel hired a hacker to conduct surveillance on persons of interest in the El Chapo case, which the cartel used to intimidate and kill potential FBI sources and witnesses, according a government report. The US Department of Justice's Office of Inspector General (OIG) on Thursday published an audit of the FBI's efforts to mitigate what it calls "ubiquitous technical surveillance" (UTS) and the threat it poses to the bureau's operations and investigations. The OIG defines UTS as widespread data collection and analytics "for the purpose of connecting people to things, events, or locations.""
  https://www.darkreading.com/cyberattacks-data-breaches/hacker-drug-cartel-killing-fbi-sources
  https://oig.justice.gov/sites/default/files/reports/25-065_t.pdf
  https://www.bankinfosecurity.com/doj-cartel-hacked-phones-cameras-to-track-fbi-informants-a-28863
  https://www.theregister.com/2025/06/30/sinaloa_drug_cartel_hired_cybersnoop/
• Why Cybersecurity Should Come Before AI In Schools
  "Artificial intelligence has become the hot new tech across schools, and why wouldn't it be? It's helping students digest dense historical texts and improve book reports, and it's helping teachers simplify complex math concepts. Academia wants to show students how to embrace this powerful technology safely — and in line with school rules — because unfortunately, we've already begun to see the dark side of AI in the "real" world. But that raises a very serious question: What are our students learning about cybersecurity?"
  https://www.darkreading.com/endpoint-security/cybersecurity-before-ai-schools
• Android Threats Rise Sharply, With Mobile Malware Jumping By 151% Since Start Of Year
  "The Android threat landscape in the first half of 2025 has entered a new phase. An era marked not just by volume, but by coordination and precision. Attackers are no longer simply throwing malware at users and hoping for results. They’re building ecosystems. Recent Malwarebytes threat research data reveals a sharp rise in mobile threats across the board, with malware targeting Android devices up 151%. We’ve seen a 147% increase in spyware, a broad category of apps that collect user data without consent, with a notable spike in Feb and March. In fact, the February/March levels represent nearly a 4x multiplication of the baseline."
  https://www.malwarebytes.com/blog/news/2025/06/android-threats-rise-sharply-with-mobile-malware-jumping-by-151-since-start-of-year
• Hacker Conversations: Rachel Tobac And The Art Of Social Engineering
  "Social engineering is the art of persuasion. Mostly, this is a good thing. Misused, it can have disastrous effects. Rachel Tobac is a cyber social engineer. She is skilled at persuading people to do what she wants, rather than what they know they ought to do. Does this make her a hacker? “Yes. I am a hacker. I hack people. I hack people over the phone, via email, by text message, across social media – and occasionally in person.” Social engineers hack people rather than computers. She is now co-founder and CEO of SocialProof Security."
  https://www.securityweek.com/hacker-conversations-rachel-tobac-and-the-art-of-social-engineering/
• 'Disgruntled' British IT Worker Jailed For Hacking Employer After Being Suspended
  "A British IT worker who launched what police described as a cyberattack against his employer after being suspended from work has been jailed for seven months. According to West Yorkshire Police, within hours of his suspension in July 2022, Mohammed Umar Taj attempted to take revenge on his employer. The unidentified firm, which has clients in the United Kingdom as well as in Germany and Bahrain, said it suffered “significant disruption” and lost at least £200,000 (about $275,000) due to the attack, as well as suffered reputational harm."
  https://therecord.media/uk-it-worker-jailed-hacking-former-employer
  https://www.theregister.com/2025/06/30/british_rogue_admin/
  https://www.infosecurity-magazine.com/news/it-worker-jailed-revenge-attack/
• DOJ Raids 29 ‘laptop Farms’ In Operation Against North Korean IT Worker Scheme
  "Nearly 30 “laptop farms” across 16 states have been raided by U.S. law enforcement in recent months for their suspected role in a long-running North Korean IT worker scheme. The Justice Department on Monday announced a coordinated action that involved three indictments, one arrest, the seizure of 29 financial accounts and the shutdown of 21 websites alongside the laptop farm raids. FBI officials said the laptop farms allowed an undisclosed number of North Koreans to illegally work at more than 100 U.S. companies. The farms host work devices sent by legitimate companies who unwittingly hired North Koreans, allowing the employees to appear as if they are working from the U.S."
  https://therecord.media/doj-raids-laptop-farms-crackdown
  https://regmedia.co.uk/2025/06/30/doj-release.pdf
  https://cyberscoop.com/arrest-seizures-north-korean-it-workers-june-2025/
  https://www.bankinfosecurity.com/us-announces-crackdown-on-north-koreans-posing-as-workers-a-28864
  https://www.theregister.com/2025/06/30/us_north_korea_workers/

อ้างอิง
Electronic Transactions Development Agency(ETDA)

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand