สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

Financial Sector

• Financial, Other Industries Urged To Prepare For Quantum Computers
  "Financial firms, government agencies, and other sectors with sensitive data need to worry about the arrival of quantum computers today, even though a cryptographically relevant quantum computer (CRQC) may be decades away, experts warn. In late September, the Financial Services Information Sharing and Analysis Center (FS-ISAC) warned that crypto-procrastination is resulting in financial firms being unprepared for the future threats and data risks posed by quantum computers. A variety of factors — from interdependencies between firms to the need to support standards — have slowed planning and hampered adoption of post-quantum encryption."
  https://www.darkreading.com/cybersecurity-operations/financial-industries-urged-prepare-quantum-computers

Healthcare Sector

• Building a Healthcare Cybersecurity Strategy That Works
  "In this Help Net Security interview, Wayman Cummings, CISO at Ochsner Health, talks about building a healthcare cybersecurity strategy, even when resources are tight. He explains how focusing on areas like vulnerability management and network segmentation can make the biggest difference. Cummings also shares how balancing investments across people, processes, and technology can strengthen both resilience and patient trust."
  https://www.helpnetsecurity.com/2025/10/13/wayman-cummings-ochsner-health-building-healthcare-cybersecurity-strategy/
• When Hackers Hit, Patient Safety Takes The Fall
  "93% of U.S. healthcare organizations experienced at least one cyberattack in the past year, with an average of 43 incidents per organization, according to Proofpoint. The study found that most of these attacks involved cloud account compromises, ransomware, supply chain intrusions, and business email compromise. 72% of respondents said at least one incident disrupted patient care."
  https://www.helpnetsecurity.com/2025/10/13/report-cyberattacks-disrupt-patient-care/

Industrial Sector

• Critical Infrastructure CISOs Can't Ignore 'Back-Office Clutter' Data
  "Security leaders in critical infrastructure traditionally have focused their defensive energy on operational technology (OT) and industrial control systems (ICS). Those remain the crown jewels for attackers. But while they've been patching programmable logic centers (PLCs) and segmenting control centers, sprawling collaboration platforms — SharePoint, Google Drive, Exchange, Gmail, Teams, Slack, Box, and old-fashioned file shares — have quietly become the single largest unmonitored attack surface in the enterprise."
  https://www.darkreading.com/cyberattacks-data-breaches/critical-infrastructure-back-office-data

Vulnerabilities

• Same Model, Different Hat
  "OpenAI recently released its Guardrails framework, a new set of safety tools designed to detect and block potentially harmful model behavior. Among these are “jailbreak” and “prompt injection” detectors that rely on large language models (LLMs) themselves to judge whether an input or output poses a risk. Our research shows that this approach is inherently flawed. If the same type of model used to generate responses is also used to evaluate safety, both can be compromised in the same way. Using a simple prompt injection technique, we were able to bypass OpenAI’s Guardrails and convince the system to generate harmful outputs and execute indirect prompt injections without triggering any alerts."
  https://hiddenlayer.com/innovation-hub/same-model-different-hat/
  https://hackread.com/openai-guardrails-bypass-prompt-injection-attack/
  https://www.malwarebytes.com/blog/news/2025/10/researchers-break-openai-guardrails

Malware

• New Rust Malware "ChaosBot" Uses Discord For Command And Control
  "Adversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes. We have discovered some of the most dangerous threats and nation state attacks in our space – including the Kaseya MSP breach and the more_eggs malware. Our Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced Threat Analytics driven by our Threat Response Unit – the TRU team."
  https://www.esentire.com/blog/new-rust-malware-chaosbot-uses-discord-for-command-and-control
  https://thehackernews.com/2025/10/new-rust-based-malware-chaosbot-hijacks.html
• Larva-25010 – Analysis On The APT Down Threat Actor’s PC
  "This report covers the seven posts on the breach analysis of APT Down, which were published in “Threat Notes” of AhnLab TIP after the release of the “APT Down: the North Korea Files” report, along with additional analysis."
  https://asec.ahnlab.com/en/90498/
• Analysis On The Qilin Ransomware Using Selective Encryption Algorithm
  "Recently, Qilin ransomware has been launching continuous attacks on companies in various countries and industries around the world, and cases of damage have also been identified in South Korea. This post analyzes the key features and encryption methods of Qilin ransomware, as well as the technical reasons why decryption is impossible, to provide insights that can help organizations effectively respond to similar threats in the future."
  https://asec.ahnlab.com/en/90497/
• 100,000+ IP Botnet Launches Coordinated RDP Attack Wave Against US Infrastructure
  "Since October 8, 2025, GreyNoise has tracked a coordinated botnet operation involving over 100,000 unique IP addresses from more than 100 countries targeting Remote Desktop Protocol (RDP) services in the United States. The campaign employs two specific attack vectors — RD Web Access timing attacks and RDP web client login enumeration — with most participating IPs sharing one similar TCP fingerprint, indicating centralized control."
  https://www.greynoise.io/blog/botnet-launches-coordinated-rdp-attack-wave
  https://www.bleepingcomputer.com/news/security/massive-multi-country-botnet-targets-rdp-services-in-the-us/
• Suspicious ScreenConnect Abuse By Threat Actors
  "Recently observed an uptick in threat actors abusing RMM tools for initial access via phishing. I decided to investigate several popular RMMs — AnyDesk, ConnectWise ScreenConnect, and **Atera **— and published my findings on how APT groups abuse these platforms in my DarkAtlas research. If you’re tracking modern intrusion trends, these tools are worth watching closely."
  https://darkatlas.io/blog/screen-connect-full-analysis
  https://www.infosecurity-magazine.com/news/hackers-target-screenconnects/

Breaches/Hacks/Leaks

• SimonMed Says 1.2 Million Patients Impacted In January Data Breach
  "U.S. medical imaging provider SimonMed Imaging is notifying more than 1.2 million individuals of a data breach that exposed their sensitive information. SimonMed Imaging is an outpatient medical imaging and radiology services provider, including MRI and CT scans, X-ray, ultrasound, mammography, PET, nuclear medicine, bone density, and interventional radiology procedures. The radiology company operates about 170 medical centers 11 U.S. states, and has an annual revenue of more than $500 million."
  https://www.bleepingcomputer.com/news/security/simonmed-says-12-million-patients-impacted-in-january-data-breach/
  https://www.bankinfosecurity.com/2-radiology-practices-notifying-nearly-15-million-hacks-a-29711
  https://www.securityweek.com/simonmed-imaging-data-breach-impacts-1-2-million/
  https://securityaffairs.com/183342/uncategorized/simonmed-imaging-discloses-a-data-breach-impacting-over-1-2-million-people.html
• Months After Being Notified, a Software Vendor Is Still Exposing Confidential And Sealed Court Records
  "In a special edition of “No need to hack when it’s leaking,” DataBreaches reports on a software vendor that, despite multiple attempts by multiple parties, continues to expose confidential and sealed court records."
  https://databreaches.net/2025/10/13/months-after-being-notified-a-software-vendor-is-still-exposing-confidential-and-sealed-court-records/
• Invoicing And Billing Platform Exposed Nearly 180 Thousand Records Containing PII And Payment Information
  "Cybersecurity Researcher Jeremiah Fowler discovered and reported to Website Planet about an unencrypted and non-password-protected database that contained nearly 180k files. These included invoices, images of checks and banking information, tax documents, and more."
  https://www.websiteplanet.com/news/invoicely-breach-report/
  https://hackread.com/invoicely-database-leak-expose-sensitive-records/
• Malicious Code On Unity Website Skims Information From Hundreds Of Customers
  "Hundreds of users had sensitive information skimmed through a compromised website belonging to video game software development company Unity Technologies. Impacted individuals are being informed that threat actors compromised the website for Unity’s SpeedTree 3D vegetation modeling software. An investigation showed that the SpeedTree website, specifically its checkout page, contained malicious code between March 13 and August 26, 2025."
  https://www.securityweek.com/malicious-code-on-unity-website-skims-information-from-hundreds-of-customers/
  https://securityaffairs.com/183349/data-breach/customer-payment-data-stolen-in-unity-technologiess-speedtree-website-compromise.html

General News

• Attackers Don’t Linger, They Strike And Move On
  "Cyber attacks are happening faster than ever. Intrusions that once took weeks or months now unfold in minutes, leaving little time to react. Attackers move quickly once they gain access, aiming to run their payloads and get results before defenders can respond, according to Elastic. Global telemetry shows that on Windows systems, the “Execution” tactic now accounts for 32% of malicious activity, surpassing “Defense Evasion,” which led for three consecutive years. The shift suggests that many attackers now prioritize payload deployment over stealth. Instead of hiding to extend dwell time, they aim to act quickly, using automation and prebuilt code to achieve their goals before defenders can intervene."
  https://www.helpnetsecurity.com/2025/10/13/elastic-report-attackers-target-windows-systems/
• Scattered Lapsus$ Hunters Rage-Quit The Internet (again), Promise To Return Next Year
  "The Scattered Lapsus$ Hunters (SLSH) cybercrime collective - compriseed primarily of teenagers and twenty-somethings - announced it will go dark until 2026 following the FBI's seizure of its clearweb site. In characteristic fashion, the group issued a profanity-laden, xenophobic farewell message via Telegram, urging supporters to continue targeting countries that refuse ransom payments. The message also promised a retaliatory strike against the FBI upon their return."
  https://www.theregister.com/2025/10/13/scattered_lapsus_hunters_hiatus/
• UK Hit By Record Number Of ‘nationally Significant’ Cyberattacks
  "A record number of “nationally significant” cyberattacks hit the United Kingdom last year, the National Cyber Security Centre (NCSC) is to announce on Tuesday as it publishes its annual review for 2024. The cyber agency will reveal its staff were scrambled to assist with the response to 429 attacks between the beginning of September 2024 and the end of August this year. Of these, 204 were considered “nationally significant” — more than double the 89 in that category handled in the twelve months prior."
  https://therecord.media/uk-hit-by-record-number-significant-cyberattacks

อ้างอิง
Electronic Transactions Development Agency(ETDA)

Industrial Sector

• Pro-Russian Hackers Caught Bragging About Attack On Fake Water Utility
  "A pro-Russian hacker group has been caught boasting about a cyberattack that unfolded entirely inside a decoy system set up by researchers. The relatively new group, known as TwoNet, claimed in September that it had disrupted a Dutch water facility by hacking into its control systems. In reality, the hackers had infiltrated a honeypot — a decoy network designed by cybersecurity firm Forescout to lure attackers and study their behavior. According to the company, the threat actor, using the alias Barlati, defaced the login page with an message reading “HACKED BY BARLATI, FUCK.” The attacker also changed configuration settings and disabled alarms — actions that, if carried out on a real system, could have disrupted operations."
  https://therecord.media/fake-water-utility-honeypot-hacked-pro-russian-group
  https://www.infosecurity-magazine.com/news/russia-hacktivistsattack-water/

Vulnerabilities

• Active Exploitation Of Gladinet CentreStack And Triofox Local File Inclusion Flaw (CVE-2025-11371)
  "In April 2025, Huntress published its findings on the exploitation of CVE-2025-30406, a critical-severity flaw in Gladinet CentreStack and Triofox products. On September 27, 2025, the Huntress SOC received an alert from an internal detector for successful exploitation of Gladinet CentreStack software. However, the version of the software running was later than 16.4.10315.56368, which was no longer vulnerable to CVE-2025-30406. In earlier versions of CentreStack and Triofox vulnerable to CVE-2025-30406, a hardcoded machine key would allow a threat actor to perform remote code execution via a ViewState deserialization vulnerability."
  https://www.huntress.com/blog/gladinet-centrestack-triofox-local-file-inclusion-flaw
  https://www.bleepingcomputer.com/news/security/hackers-exploiting-zero-day-in-gladinet-file-sharing-software/
  https://thehackernews.com/2025/10/from-lfi-to-rce-active-exploitation.html
  https://www.bankinfosecurity.com/hackers-exploit-lfi-flaw-in-file-sharing-platforms-a-29708
  https://www.helpnetsecurity.com/2025/10/10/gladinet-centrestack-vulnerability-exploited-cve-2025-11371/
  https://securityaffairs.com/183259/hacking/cve-2025-11371-unpatched-zero-day-in-gladinet-centrestack-triofox-under-attack.html
• Juniper Networks Patches Critical Junos Space Vulnerabilities
  "Juniper Networks has announced patches for nearly 220 vulnerabilities in Junos OS, Junos Space, and Security Director, including nine critical-severity flaws affecting Junos Space. More than 200 security defects were resolved in Junos Space and Junos Space Security Director, Juniper’s October 2025 security advisories, published as part of the company’s predefined quarterly schedule, reveal."
  https://www.securityweek.com/juniper-networks-patches-critical-junos-space-vulnerabilities/
  https://securityaffairs.com/183229/security/juniper-patched-nine-critical-flaws-in-junos-space.html
• ZDI Drops 13 Unpatched Ivanti Endpoint Manager Vulnerabilities
  "Trend Micro’s Zero Day Initiative (ZDI) this week published 13 advisories describing unpatched vulnerabilities in Ivanti Endpoint Manager. One of the flaws allows local attackers to elevate their privileges and was reported to Ivanti in November 2024. The remaining 12 lead to remote code execution (RCE) and were reported in June 2025. While the vulnerabilities are technically not zero-days, ZDI flags all of the unpatched flaws it discloses as ‘0day’. ZDI’s advisories name the vulnerable component and provide a general description of the root cause, but do not contain any other technical details."
  https://www.securityweek.com/zdi-drops-13-unpatched-ivanti-endpoint-manager-vulnerabilities/
• Huntress Threat Advisory: Widespread SonicWall SSLVPN Compromise
  "As of October 10, Huntress has observed widespread compromise of SonicWall SSLVPN devices across multiple customer environments. Threat actors are authenticating into multiple accounts rapidly across compromised devices. The speed and scale of these attacks imply that the attackers appear to control valid credentials rather than brute-forcing. The bulk of the activity started on October 4, with clustered authentications occurring over the course of the following two days. So far, over 100 SonicWall SSLVPN accounts across 16 customer accounts have been impacted. In the cases observed, authentications on the SonicWall devices originated from 202.155.8[.]73."
  https://www.huntress.com/blog/sonicwall-sslvpn-compromise
  https://thehackernews.com/2025/10/experts-warn-of-widespread-sonicwall.html
  https://securityaffairs.com/183245/hacking/attackers-exploit-valid-logins-in-sonicwall-ssl-vpn-compromise.html
• CISA Adds One Known Exploited Vulnerability To Catalog
  "CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
  CVE-2021-43798 Grafana Path Traversal Vulnerability"
  https://www.cisa.gov/news-events/alerts/2025/10/09/cisa-adds-one-known-exploited-vulnerability-catalog
• Summary Of The Investigation Related To CVE-2025-10035
  "On Sept. 11, 2025, we began investigating a potential vulnerability reported by a customer. After identifying the issue, Fortra developed and released hotfixes for supported versions and updated the product to further secure the affected component. We also notified all Fortra GoAnywhere MFT customers of the available updates and mitigation steps. The timeline below provides an overview of our investigation, remediation, and customer communications."
  https://www.fortra.com/blog/summary-investigation-related-cve-2025-10035
  https://thehackernews.com/2025/10/from-detection-to-patch-fortra-reveals.html
  https://www.bankinfosecurity.com/fortra-confirms-unauthorized-activity-hit-goanywhere-mft-a-29701
• Another Remotely Exploitable Oracle EBS Vulnerability Requires Your Attention (CVE-2025-61884)
  "Oracle has revealed the existence of yet another remotely exploitable Oracle E-Business Suite vulnerability (CVE-2025-61884). CVE-2025-61884 is a vulnerability in the Runtime user interface in the Oracle Configurator product of Oracle E-Business Suite (EBS). Like CVE-2025-61882 before it, it officially affects the ESB versions 12.2.3 through 12.2.14. According to the NIST national vulnerability database entry for CVE-2025-61884, this is an “easily exploitable vulnerability [that] allows unauthenticated attacker with network access via HTTP to compromise Oracle Configurator. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Configurator accessible data.”"
  https://www.helpnetsecurity.com/2025/10/12/another-remotely-exploitable-oracle-ebs-vulnerability-requires-your-attention-cve-2025-61884/
  https://archive.ph/nPs5O
  https://www.oracle.com/security-alerts/alert-cve-2025-61884.html
  https://thehackernews.com/2025/10/new-oracle-e-business-suite-bug-could.html

Malware

• New Stealit Campaign Abuses Node.js Single Executable Application
  "FortiGuard Labs has encountered a new and active Stealit malware campaign that leverages Node.js’ Single Executable Application (SEA) feature to distribute its payloads. This campaign was uncovered following a spike in detections of a particular Visual Basic script, which was later determined to be a component for persistence. Earlier Stealit campaigns were built using Electron, an open-source framework that packages Node.js scripts as NSIS installers for distribution. This new campaign has adopted Node.js' native Single Executable Application, which similarly bundles scripts and their assets into standalone binaries. Both approaches are effective for distributing Node.js-based malware, as they allow execution without requiring a pre-installed Node.js runtime or additional dependencies."
  https://www.fortinet.com/blog/threat-research/stealit-campaign-abuses-nodejs-single-executable-application
  https://thehackernews.com/2025/10/stealit-malware-abuses-nodejs-single.html
  https://hackread.com/stealit-malware-node-js-fake-game-vpn-installers/
• Astaroth: Banking Trojan Abusing GitHub For Resilience
  "Digital banking has made our lives easier, but it’s also handed cybercriminals a golden opportunity. Banking trojans are the invisible pickpockets of the digital age, silently stealing credentials while you browse your bank account or check your crypto wallet. Today, we’re breaking down a particularly nasty variant called Astaroth, and it’s doing something clever: abusing GitHub to stay resilient."
  https://www.mcafee.com/blogs/other-blogs/mcafee-labs/astaroth-banking-trojan-abusing-github-for-resilience/
• 175 Malicious Npm Packages Host Phishing Infrastructure Targeting 135+ Organizations
  "Socket's Threat Research Team uncovered 175 malicious npm packages which have collectively accumulated over 26,000 downloads, serving as infrastructure for a widespread phishing campaign targeting 135+ industrial, technology, and energy companies worldwide. While the packages' randomized names make accidental developer installation unlikely, the download counts likely include security researchers, automated scanners, and CDN infrastructure analyzing the packages after disclosure. The campaign, which we're calling "Beamglea" based on consistent artifacts across all packages, uses npm's public registry and unpkg.com's CDN to host redirect scripts that funnel victims to credential harvesting pages. The origin and meaning of "beamglea" remains unclear - it may be a codename, inside reference, or randomly chosen identifier by the threat actors."
  https://socket.dev/blog/175-malicious-npm-packages-host-phishing-infrastructure
  https://thehackernews.com/2025/10/175-malicious-npm-packages-with-26000.html
• The Golden Scale: Bling Libra And The Evolving Extortion Economy
  "In recent months, threat actors claiming to be part of a new conglomerate dubbed Scattered Lapsus$ Hunters (aka SP1D3R HUNTERS, SLSH) have asserted responsibility for laying siege to customer Salesforce tenants as part of a coordinated effort to steal data and hold it for ransom. At least one industry source refers to this criminal syndicate as the Trinity of Chaos. “Trinity” is used because the conglomerate is likely composed of individuals tied to three groups: Muddled Libra (aka Scattered Spider), Bling Libra (aka ShinyHunters), and LAPSUS$, all of which are likely representative of the broader cybercriminal community known as The Com."
  https://unit42.paloaltonetworks.com/scattered-lapsus-hunters/
• Fake 'Inflation Refund' Texts Target New Yorkers In New Scam
  "An ongoing smishing campaign is targeting New Yorkers with text messages posing as the Department of Taxation and Finance, claiming to offer "Inflation Refunds" in an attempt to steal victims' personal and financial data. The Inflation Refund is an initiative from New York State that automatically sends refund checks to eligible residents to help offset the effects of inflation. Those who qualify include taxpayers who filed a return, meet certain income thresholds, and were not claimed as dependents by another filer. New Yorkers do not need to apply, sign up, or provide any personal information to receive their checks, as they are automatically sent to qualified taxpayers."
  https://www.bleepingcomputer.com/news/security/fake-inflation-refund-texts-target-new-yorkers-in-new-scam/

Breaches/Hacks/Leaks

• Telstra Denies Scattered Spider Data Breach Claims Amid Ransom Threats
  "Telstra, one of Australia’s leading telecommunications companies, has denied claims made by the hacker group Scattered Spider that it suffered a massive data breach compromising nearly 19 million personal records. The company issued a statement clarifying that its internal systems remain secure and that the data in question was scraped from publicly available sources rather than stolen. In a post on X (formerly Twitter), Telstra emphasized that no passwords, banking details, or sensitive identification data such as driver’s licenses or Medicare numbers were included in the dataset."
  https://www.itsecuritynews.info/telstra-denies-scattered-spider-data-breach-claims-amid-ransom-threats/
• AI Girlfriend Can’t Keep a Secret: App Leaks Intimate Conversations Of 400K+ Users
  "Two AI character apps by the same developer, “Chattee Chat” and “GiMe Chat,” have exposed millions of intimate conversations, over 600K images, and other private data. Leaked purchase logs reveal that some users spend thousands of dollars on their AI girlfriends."
  https://cybernews.com/security/ai-girlfriend-app-leak-exposes-400k-users/
  https://www.malwarebytes.com/blog/news/2025/10/millions-of-very-private-chats-exposed-by-two-ai-companion-apps
• Houston Suburb Says Some Online Services Taken Down By Cyberattack
  "Officials in Sugar Land, Texas, said a cyberattack has impacted several online services after they reported technology outages on Thursday morning. The city published notices on social media and on its website saying it experienced a “cyber-event” and is working with state and federal law enforcement to investigate a breach of internal network infrastructure. “Critical infrastructure systems remain operational. Some online services, such as bill pay are impacted,” the city said, noting that police, fire and medical services are still available at 911."
  https://therecord.media/houston-suburb-cyberattack-services
• UK Techies' Union Warns Members After Breach Exposes Sensitive Personal Details
  "UK trade union Prospect is notifying members of a breach that involved data such as sexual orientation and disabilities. According to disclosure emails seen by The Register sent to union members who work as scientists, engineers, techies, and managers, the attack took place in June, yet members were only notified this week. Members include professionals working at organizations such as BT Group, the Met Office, BAE Systems, Rolls Royce, Siemens, Jacobs, the Ministry of Defence, the National Trust, and many more."
  https://www.theregister.com/2025/10/10/prospect_union_breach/
• From Sizzle To Drizzle To Fizzle: The Massive Data Leak That Wasn’t (1)
  "After days of endlessly urging Salesforce or companies to pay them so that their data would not be leaked, the deadline for Salesforce to pay came and went. And as it went, ScatteredLAPSUS$Hunters leaked data from six of the 39 companies listed on its dark web leak site. But that’s where the massive leak that many people stayed up late to watch ended."
  https://databreaches.net/2025/10/12/from-sizzle-to-drizzle-to-fizzle-the-massive-data-leak-that-wasnt/
• Clop Ransomware Group Claims The Hack Of Harvard University
  "The Clop Ransomware group announced the hack of the prestigious Harvard University. The cybercrime group created a page for the university on its Tor data leak site and announced it will leak the stolen data soon. “PAGE CREATED, DATA ARCHIVING IS IN PROGRESS… A TORRENT LINK WILL BE AVAILABLE SOON … !!!” reads the announcement on its leak site. “The company doesn’t care about its customers, it ignored their security!!!”"
  https://securityaffairs.com/183282/cyber-crime/clop-ransomware-group-claims-the-hack-of-harvard-university.html

General News

• Apple Now Offers $2 Million For Zero-Click RCE Vulnerabilities
  "Apple is announcing a major expansion and redesign of its bug bounty program, doubling maximum payouts, adding new research categories, and introducing a more transparent reward structure. Since the program launched in 2020, Apple has awarded $35 million to 800 security researchers, the company paying $500,000 for some of the submitted reports. The highest reward has been doubled to $2 million, for reporting vulnerabilities that can lead to zero-click (no user interaction) remote compromise, similar to mercenary spyware attacks. However, payouts can go as high as $5 million through the bonus system."
  https://www.bleepingcomputer.com/news/security/apple-now-offers-2-million-for-zero-click-rce-vulnerabilities/
  https://www.securityweek.com/apple-bug-bounty-update-top-payout-now-2-million-35-million-paid-to-date/
  https://securityaffairs.com/183235/security/apple-doubles-maximum-bug-bounty-to-2m-for-zero-click-rces.html
  https://www.helpnetsecurity.com/2025/10/10/apple-bug-bounty-rewards-zero-click/
• The Fight Against Ransomware Heats Up On The Factory Floor
  "Ransomware groups come and go, but one constant is that manufacturing remains a top target. The ransomware landscape is ever-evolving. New groups emerge and old ones dismantle or rebrand. Ransomware-as-a-service (RaaS) launched and lowered the barrier to entry. Even the name "ransomware" doesn't always apply now, as some groups rely solely on data extortion threats over encryption, to pressure victims into paying. And of course, attackers are increasingly using artificial intelligence (AI)."
  https://www.darkreading.com/ics-ot-security/ransomware-manufacturing-an-escalating-battle
  https://content.blackkite.com/ebook/manufacturing-tprm-report-2025/
• Don’t Breathe That Sigh Of Relief Just Yet: BreachForums Is Gone, But The Salesforce Leak Site Isn’t
  "As everyone expected, it was only a matter of time before the most recent version of BreachForums was seized, and last night, it happened. This time, though, there is no announcement from ShinyHunters about rebuilding the forum and making it stronger and better than ever. To the contrary, ShinyHunters says they are done with the forum. In response to the seizure of BreachForums last night, ShinyHunters posted a statement:"
  https://databreaches.net/2025/10/10/dont-breathe-that-sigh-of-relief-just-yet-breachforums-is-gone-but-a-leak-site-isnt/
• Your SOC Is Tired, AI Isn’t
  "Security teams have discussed AI in the SOC for years, but solid evidence of its impact has been limited. A recent benchmark study by Dropzone puts measurable evidence behind the idea, showing that AI agents can help analysts work faster and with greater accuracy during alert investigations, without major changes to existing workflows. Researchers measured how 148 security professionals performed under two conditions: using AI assistance or investigating manually."
  https://www.helpnetsecurity.com/2025/10/10/dropzone-report-soc-analysts-using-ai/
• Your Passwords Don’t Need So Many Fiddly Characters, NIST Says
  "It’s once again time to change your passwords, but if one government agency has its way, this might be the very last time you do it. After nearly four years of work to update and modernize its guidance for how companies, organizations, and businesses should protect their systems and their employees, the US National Institute of Standards and Technology has released its latest guidelines for password creation, and it comes with some serious changes."
  https://www.malwarebytes.com/blog/news/2025/10/your-passwords-dont-need-so-many-fiddly-characters-nist-says
  https://pages.nist.gov/800-63-4/sp800-63b.html
• Group-IB Intelligence Powers Spanish Guardia Civil Operation To Dismantle The “GXC Team” Cybercrime Syndicate
  "Group-IB, a leading creator of cybersecurity technologies to investigate, prevent, and fight digital crime, announced today its contribution to the Spanish Guardia Civil led operation that led to the dismantling of one of the country’s most active cybercrime networks. The operation resulted in the arrest of a 25-year-old Brazilian national known as “GoogleXcoder,” the mastermind behind the “GXC Team” – threat actor known to operate Crime-as-a-Service (CaaS) ecosystem providing AI-powered phishing kits and Android malware to cybercriminals targeting banks, transportation, and eCommerce, in Spain, Slovakia, the UK, US, and Brazil. Besides the mastermind, also the criminals who were running attacks with the usage of these tools were also identified and apprehended by Guardia Civil."
  https://www.group-ib.com/media-center/press-releases/guardia-civil-gxc-team-takedown/
  https://www.bleepingcomputer.com/news/security/spain-dismantles-gxc-team-cybercrime-syndicate-arrests-leader/
  https://securityaffairs.com/183252/cyber-crime/cybercrime-ring-gxc-team-dismantled-in-spain-25-year-old-leader-detained.html

อ้างอิง
Electronic Transactions Development Agency(ETDA)

Industrial Sector

• Hitachi Energy Asset Suite
  "Successful exploitation of this vulnerability could result in the manipulation of content or the injection of data with the potential of carrying out further malicious attacks."
  https://www.cisa.gov/news-events/ics-advisories/icsa-25-282-01
• Rockwell Automation Lifecycle Services With Cisco
  "Successful exploitation of this vulnerability could result in arbitrary code execution."
  https://www.cisa.gov/news-events/ics-advisories/icsa-25-282-02
• Rockwell Automation Stratix
  "Successful exploitation of this vulnerability could result in arbitrary code execution."
  https://www.cisa.gov/news-events/ics-advisories/icsa-25-282-03
• Anatomy Of a Hacktivist Attack: Russian-Aligned Group Targets OT/ICS
  "Part of the threat intelligence we provide to customers and the wider community comes from dedicated honeypots, decoy systems deliberately exposed to the internet to lure attackers and capture their tactics. Last year, one of our honeypots, designed as an AI-generated “healthcare clinic”, attracted cybercriminals who attempted to deploy ransomware. This time, we observed something even more significant: an emerging pro-Russian hacktivist group targeted our “water treatment utility” honeypot and then falsely claimed responsibility for a real-world attack on their Telegram channel."
  https://www.forescout.com/blog/anatomy-of-a-hacktivist-attack-russian-aligned-group-targets-otics/
  https://www.bleepingcomputer.com/news/security/hacktivists-target-critical-infrastructure-hit-decoy-plant/
• A Brief Overview Of The Main Incidents In Industrial Cybersecurity. Q2 2025
  "In Q2 2025, 135 incidents were publicly confirmed by victims. All of these incidents are included in the table at the end of the overview, with select incidents described in detail."
  https://ics-cert.kaspersky.com/publications/reports/2025/10/09/a-brief-overview-of-the-main-incidents-in-industrial-cybersecurity-q2-2025/

Vulnerabilities

• CamoLeak: Critical GitHub Copilot Vulnerability Leaks Private Source Code
  "In June 2025, I found a critical vulnerability in GitHub Copilot Chat (CVSS 9.6) that allowed silent exfiltration of secrets and source code from private repos, and gave me full control over Copilot’s responses, including suggesting malicious code or links. The attack combined a novel CSP bypass using GitHub’s own infrastructure with remote prompt injection. I reported it via HackerOne, and GitHub fixed it by disabling image rendering in Copilot Chat completely."
  https://www.legitsecurity.com/blog/camoleak-critical-github-copilot-vulnerability-leaks-private-source-code
  https://www.darkreading.com/application-security/github-copilot-camoleak-ai-attack-exfils-data
  https://www.bankinfosecurity.com/github-copilot-chat-flaw-let-private-code-leak-via-images-a-29699
  https://www.securityweek.com/github-copilot-chat-flaw-leaked-data-from-private-repositories/
• SquareX Shows AI Browsers Fall Prey To OAuth Attacks, Malware Downloads And Malicious Link Distribution
  "As AI Browsers rapidly gain adoption across enterprises, SquareX has released critical security research exposing major vulnerabilities that could allow attackers to exploit AI Browsers to exfiltrate sensitive data, distribute malware and gain unauthorized access to enterprise SaaS apps. The timing of this disclosure is particularly significant as major companies including OpenAI, Microsoft, Google and The Browser Company have announced or released their own AI browsers. With Chrome and Edge alone representing 70% of the browser market share, it is very likely that the majority of consumer browsers in the future will be AI Browsers. Thus, it is critical for organizations to prepare for these security risks associated with this fundamental change."
  https://hackread.com/squarex-shows-ai-browsers-fall-prey-to-oauth-attacks-malware-downloads-and-malicious-link-distribution/
  https://www.infosecurity-magazine.com/news/architectural-flaws-ai-browsers/
• A Cascade Of Insecure Architectures: Axis Plugin Design Flaw Expose Select Autodesk Revit Users To Supply Chain Risk
  "In July 2024, we uncovered Azure Storage Account credentials embedded within signed DLLs distributed as part of a plugin for Autodesk Revit, a widely used building information modelling (BIM) software. The accounts belonged to Axis Communications, a Swedish multinational company that specializes in network video solutions and surveillance technology, offering IP cameras, access control systems, audio equipment, and video analytics software for various commercial and public safety applications. Trend Zero Day Initiative (ZDI) has reported these findings to Axis Communications as ZDI-24-1181, initiating an exchange of fixes and additional reports over the succeeding months—ZDI-24-1328 and ZDI-24-1329 in October 2024, and ZDI-25-858 in March 2025."
  https://www.trendmicro.com/en_us/research/25/j/axis-plugin-flaw-autodesk-revit-supply-chain-risk.html
• When AI Remembers Too Much – Persistent Behaviors In Agents’ Memory
  "This article presents a proof of concept (PoC) that demonstrates how adversaries can use indirect prompt injection to silently poison the long-term memory of an AI Agent. We use Amazon Bedrock Agent for this demonstration. In this scenario, if agent memory is enabled, an attacker can insert malicious instructions into an agent's memory via prompt injection. This can occur when a victim user is tricked into accessing a malicious webpage or document via social engineering."
  https://unit42.paloaltonetworks.com/indirect-prompt-injection-poisons-ai-longterm-memory/

Malware

• ClayRat: A New Android Spyware Targeting Russia
  "Over the past few months, zLabs researchers have been tracking ClayRat, a rapidly evolving Android spyware campaign primarily targeting Russian users. Distributed through Telegram channels and phishing sites, ClayRat masquerades as popular apps such as WhatsApp, Google Photos, TikTok, and YouTube to lure victims into installation. Once active, the spyware can exfiltrate SMS messages, call logs, notifications, and device information; taking photos with the front camera; and even send SMS messages or place calls directly from the victim’s device. ClayRat also spreads aggressively by sending malicious links to every contact in the victim’s phone book, effectively turning each infected device into a distribution hub."
  https://zimperium.com/blog/clayrat-a-new-android-spyware-targeting-russia
  https://github.com/Zimperium/IOC/tree/master/2025-10-ClayRat
  https://www.bleepingcomputer.com/news/security/new-android-spyware-clayrat-imitates-whatsapp-tiktok-youtube/
  https://thehackernews.com/2025/10/new-clayrat-spyware-targets-android.html
  https://hackread.com/fake-tiktok-whatsapp-apps-android-clayrat-spyware/
  https://www.infosecurity-magazine.com/news/clayrat-spyware-targets-android/
  https://securityaffairs.com/183169/malware/clayrat-campaign-uses-telegram-and-phishing-sites-to-distribute-android-spyware.html
• Investigating Targeted “payroll Pirate” Attacks Affecting US Universities
  "Microsoft Threat Intelligence has observed a financially motivated threat actor that we track as Storm-2657 compromising employee accounts to gain unauthorized access to employee profiles and divert salary payments to attacker-controlled accounts. These types of attacks have been dubbed “payroll pirate” by the industry. Storm-2657 is actively targeting a range of US-based organizations, particularly employees in sectors like higher education, to gain access to third-party human resources (HR) software as a service (SaaS) platforms like Workday."
  https://www.microsoft.com/en-us/security/blog/2025/10/09/investigating-targeted-payroll-pirate-attacks-affecting-us-universities/
  https://www.bleepingcomputer.com/news/security/hackers-target-university-hr-employees-in-payroll-pirate-attacks/
  https://therecord.media/universities-phishing-payroll-pirates
• Velociraptor Leveraged In Ransomware Attacks
  "In August 2025, Talos responded to a ransomware attack by actors who appeared to be affiliated with Warlock ransomware, based on their ransom note and use of Warlock’s data leak site (DLS). They deployed Warlock, LockBit, and Babuk ransomware to encrypt VMware ESXi virtual machines (VMs) and Windows servers. This severely impacted the customer’s IT environment."
  https://blog.talosintelligence.com/velociraptor-leveraged-in-ransomware-attacks/
  https://www.bleepingcomputer.com/news/security/hackers-now-use-velociraptor-dfir-tool-in-ransomware-attacks/
  https://www.helpnetsecurity.com/2025/10/09/velociraptor-nezha-attackers-misuse/
• RondoDox: From Targeting Pwn2Own Vulnerabilities To Shotgunning Exploits
  "The ZDI Threat Hunting and Trend Research teams have identified a significant RondoDox botnet campaign that targets a wide range of internet-exposed infrastructure. This campaign consists of over 50 exploits, including unpatched router flaws across over 30 vendors, targeting vulnerabilities found in routers, digital video recorders (DVRs), network video recorders (NVRs), CCTV systems, web servers, and various other network devices. While the exploits specifically exploit vulnerabilities in routers, DVRs, NVRs, CCTV systems, web servers, and networking equipment, the latest RondoDox campaign uses an "exploit shotgun", using multiple exploits and seeing what hits."
  https://www.trendmicro.com/en_us/research/25/j/rondodox.html
  https://www.bleepingcomputer.com/news/security/rondodox-botnet-targets-56-n-day-flaws-in-worldwide-attacks/
• From Infostealer To Full RAT: Dissecting The PureRAT Attack Chain
  "An investigation into what appeared at first glance to be a “standard” Python-based infostealer campaign took an interesting turn when it was discovered to culminate in the deployment of a full-featured, commercially available remote access trojan (RAT) known as PureRAT. This article analyses the threat actor’s combination of bespoke self-developed tooling with off-the-shelf malware. This campaign demonstrates a clear and deliberate progression, starting with a simple phishing lure and escalating through layers of in-memory loaders, defense evasion, and credential theft. The final payload, PureRAT, represents the culmination of this effort: a modular, professionally developed backdoor that gives the attacker complete control over a compromised host."
  https://www.bleepingcomputer.com/news/security/from-infostealer-to-full-rat-dissecting-the-purerat-attack-chain/
• Oracle E-Business Suite Zero-Day Exploited In Widespread Extortion Campaign
  "Beginning Sept. 29, 2025, Google Threat Intelligence Group (GTIG) and Mandiant began tracking a new, large-scale extortion campaign by a threat actor claiming affiliation with the CL0P extortion brand. The actor began sending a high volume of emails to executives at numerous organizations, alleging the theft of sensitive data from the victims' Oracle E-Business Suite (EBS) environments. On Oct. 2, 2025, Oracle reported that the threat actors may have exploited vulnerabilities that were patched in July 2025 and recommended that customers apply the latest critical patch updates. On Oct. 4, 2025, Oracle directed customers to apply emergency patches to address this vulnerability, reiterating their standing recommendation that customers stay current on all Critical Patch Updates."
  https://cloud.google.com/blog/topics/threat-intelligence/oracle-ebusiness-suite-zero-day-exploitation
  https://www.bankinfosecurity.com/clop-attacks-against-oracle-e-business-suite-trace-to-july-a-29692
  https://cyberscoop.com/oracle-customers-attacks-clop-google-mandiant/
• APT Meets GPT: Targeted Operations With Untamed LLMs
  "Starting in June 2025, Volexity detected a series of spear phishing campaigns targeting several customers and their users in North America, Asia, and Europe. The initially observed campaigns were tailored to the targets, and the messages purported to be sent by senior researchers and analysts from legitimate-sounding, completely fabricated organizations. The goal of these spear phishing campaigns was to socially engineer targets into clicking links that led to a remotely hosted archive containing a malicious payload. Volexity tracks the threat actor behind these campaigns under the alias UTA0388 and assesses with a high degree of confidence that this is a China-aligned threat actor. This assessment is based both on technical artifacts and the targeting profile of the campaigns."
  https://www.volexity.com/blog/2025/10/08/apt-meets-gpt-targeted-operations-with-untamed-llms/
  https://thehackernews.com/2025/10/from-healthkick-to-govershell-evolution.html

Breaches/Hacks/Leaks

• SonicWall: Firewall Configs Stolen For All Cloud Backup Customers
  "SonicWall has confirmed that all customers that used the company's cloud backup service are affected by the security breach last month. Previously, the vendor stated that the incident "exposed firewall configuration backup files stored in certain MySonicWall accounts," without sharing additional details. MySonicWall is an online customer portal used for managing product access, licensing, registration, firmware updates, support cases, and cloud backups of firewall configurations (.EXP files)."
  https://www.bleepingcomputer.com/news/security/sonicwall-firewall-configs-stolen-for-all-cloud-backup-customers/
  https://thehackernews.com/2025/10/hackers-access-sonicwall-cloud-firewall.html
  https://www.darkreading.com/cyberattacks-data-breaches/sonicwall-100-firewall-backups-breached
  https://www.infosecurity-magazine.com/news/sonicwall-cloud-firewall/
  https://cyberscoop.com/sonicwall-customer-firewall-configurations-exposed/
  https://hackread.com/sonicwall-hackers-breached-all-firewall-backups/
  https://www.securityweek.com/all-sonicwall-cloud-backup-users-had-firewall-configurations-stolen/
  https://securityaffairs.com/183154/security/threat-actors-steal-firewall-configs-impacting-all-sonicwall-cloud-backup-users.html
  https://www.theregister.com/2025/10/09/sonicwall_breach_hits_every_cloud/
  https://www.helpnetsecurity.com/2025/10/09/sonicwall-firewall-backup-compromised/
• Major Hospitals Hit By Cyberattacks, Patient Data Sold On Hacker Forums
  "At a recent seminar on the needs and organization of cybersecurity training in Vietnam, hosted by the Hanoi National University, experts noted that the use of cyberspace for criminal activities has increased in both the number of cases, their nature and severity, and carried out through sophisticated methods and tactics, resulting in victims losing vast sums of money. Cybercriminals target key agencies and organizations, including those in healthcare. Reports showed that cyberattacks to healthcare systems occurred at An Giang central general hospital, where the virtualized server system was hit by hackers, encrypting all data and halting operations."
  https://vietnamnet.vn/en/major-hospitals-hit-by-cyberattacks-patient-data-sold-on-hacker-forums-2449058.html

General News

• Australian Data Breaches Are Up 48% So Far This Year. What’s Behind The Eye-Popping Surge?
  "Australian data breaches have surged 48% so far this year, the latest data point that suggests that threat actors are finding rich targets Down Under. That figure is based on Cyble dark web researchers’ investigations of significant data breaches claimed by threat actors on data leak sites and is thus a proxy rather than a complete measure of all data breaches, which is almost certainly higher. Globally, claimed data breaches recorded by Cyble dark web researchers are up 18% so far in 2025 to 1,684 – a significant increase in itself, but one that makes Australia’s surge stand out all the more."
  https://cyble.com/blog/australian-data-breaches-2025-surge/
• Researchers Develop AI System To Detect Scam Websites In Search Results
  "Scam websites tied to online shopping, pet sales, and other e-commerce schemes continue to cause millions in losses each year. Security tools can accurately detect fraudulent sites once they are found, but identifying new ones remains difficult. To close that gap, researchers from Boston University created LOKI, a system that ranks search queries by how likely they are to reveal scams. Using a small seed set of 1,663 confirmed scam domains, LOKI discovered 52,493 previously unknown fraudulent websites and achieved a 20.58-fold improvement in detection across ten scam categories."
  https://www.helpnetsecurity.com/2025/10/09/loki-scam-websites-search-queries/
• Behind The Screens: Building Security Customers Appreciate
  "In this Help Net Security interview, Jess Vachon, CISO at PRA Group, discusses the company’s multi-layered defense against fraud and its commitment to protecting customer trust. Vachon explains how PRA Group balances identity verification with a seamless customer experience. Vachon also reflects on how AI is changing both the fight against fraud and the way security teams adapt to threats."
  https://www.helpnetsecurity.com/2025/10/09/jess-vachon-pra-group-defense-against-fraud/
• Six Metrics Policymakers Need To Track Cyber Resilience
  "Most countries are still making national cyber policy decisions without reliable numbers. Regulations often focus on incident reporting after damage is done, but they fail to give governments a forward-looking picture of resilience. A new report from Zurich Insurance Group argues that this gap leaves economies exposed and slows the ability to respond to systemic threats."
  https://www.helpnetsecurity.com/2025/10/09/zurich-governments-cyber-resilience-metrics/
• Global Cyber Threats September 2025: Attack Volumes Ease Slightly, But GenAI Risks Intensify As Ransomware Surges 46%
  "In September 2025, the global cyber threat landscape reflected a temporary stabilization in overall attack volumes — yet beneath the surface, ransomware activity and data risks linked to generative AI (GenAI) surged to new highs. Organizations worldwide faced an average of 1,900 cyber-attacks per organization per week, representing a 4% decrease compared to August, but still a 1% increase year-over-year. While total attack volumes may appear steady, the evolution of attack techniques, industries under fire, and the rapid expansion of GenAI-related risks underline a shifting and increasingly complex threat environment."
  https://blog.checkpoint.com/security/global-cyber-threats-september-2025-attack-volumes-ease-slightly-but-genai-risks-intensify-as-ransomware-surges-46/
• Take Note: Cyber-Risks With AI Notetakers
  "If you haven't seen an AI notetaking application as an "attendee" at a meeting, you haven't been paying attention. These tools are amazing, eliminating manual scribbling and automatically capturing action items. But like many tools, AI notetaking apps have sharp edges when they are not handled properly. AI scribes started as simulated meeting attendees, and most of today's popular video meeting platforms now offer them as a built-in feature. Users also are adopting tools like Granola (a desktop app) or Limitless (a wearable pendant) for notetaking tasks."
  https://www.darkreading.com/cyber-risk/take-note-cyber-risks-with-ai-notetakers
• X-Labs Q3 2025 Threat Brief: Obfuscated JavaScript & Steganography Enabling Malware Delivery
  "In Q3 2025, organizations across industries have seen a steep increase in JavaScript-attachment based campaigns that deliver a variety of information-stealing and RAT malware. Examples include DarkCloud, Remcos, Agent Tesla and Formbook. Attackers are cloaking their lures in everyday business communications with fake quotes, purchase orders, shipment alerts and even WeTransfer-style links to slip past conventional filters and take advantage of recipient’s trust. For this analysis. the X-labs team reviewed thousands of email subject lines and found similar social engineering tactics being used repeatedly."
  https://www.forcepoint.com/blog/x-labs/q3-2025-threat-brief-obfuscated-javascript-steganography
  https://hackread.com/your-shipment-notification-malware-dropper/
• BreachForums Seized — Again!
  "As predicted a few days ago, BreachForums was seized. The splash page is now up. It does not have any cute avatars with characters in handcuffs and no text about all the entities that cooperated. It simply says, “This Domain Has Been Seized,” and shows four shields: Department of Justice, FBI, BL2C, and JUNALCO. The latter two are the French agencies that have been heavily involved in trying to catch and thwart ShinyHunters. At the time the domain was seized, ScatteredLAPSUS$Hunters was getting ready to leak data from 39 Salesforce customers if Salesforce did not pay them an undisclosed ransom amount. The deadline for payment is October 10 at 11:59 PM Eastern."
  https://databreaches.net/2025/10/09/breachforums-seized-again/
• A Small Number Of Samples Can Poison LLMs Of Any Size
  "In a joint study with the UK AI Security Institute and the Alan Turing Institute, we found that as few as 250 malicious documents can produce a "backdoor" vulnerability in a large language model—regardless of model size or training data volume. Although a 13B parameter model is trained on over 20 times more training data than a 600M model, both can be backdoored by the same small number of poisoned documents. Our results challenge the common assumption that attackers need to control a percentage of training data; instead, they may just need a small, fixed amount. Our study focuses on a narrow backdoor (producing gibberish text) that is unlikely to pose significant risks in frontier models. Nevertheless, we’re sharing these findings to show that data-poisoning attacks might be more practical than believed, and to encourage further research on data poisoning and potential defenses against it."
  https://www.anthropic.com/research/small-samples-poison
  https://www.theregister.com/2025/10/09/its_trivially_easy_to_poison/
• Weaponized AI Assistants & Credential Thieves
  "Just weeks after the s1ngularity attack weaponized AI assistants, the NPM ecosystem was rocked by a far more dangerous threat: a self-propagating worm named Shai-Hulud. In a sobering demonstration of this rapid escalation in attack techniques, the worm has compromised over 187 packages, including several developer-facing tools published by cybersecurity firm CrowdStrike."
  https://www.trendmicro.com/en_us/research/25/j/weaponized-ai-assistants.html

อ้างอิง
Electronic Transactions Development Agency(ETDA)

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand