NCSA Webboard
    NCSA_THAICERT

    @NCSA_THAICERT

    Global Moderator, administrators
    Website: www.ncsa.or.th/?fbclid=IwAR0BqJEC-CJzBs98rlBxUbZkNBgp1g814xdDNNaKnHTrxfqZhPD--ksY68I

    Latest posts made by NCSA_THAICERT

    • Infy APT resurfaces, using Foudre and Tonnerre to covertly spy on targets worldwide

      You can follow news on the webboard or the NCSA Thailand Facebook page.

      Posted in Cyber Security News
    • Waymo suspends service temporarily after a power outage in San Francisco

      Posted in Cyber Security News
    • UK government hit by cyberattack, visa data leaked; experts fear long-term national security impact

      Posted in Cyber Security News
    • 🚨 Urgent! Alert: vulnerability in HPE OneView software

      ⚠️ ThaiCERT has been monitoring the cyber threat situation and has found an alert for a critical vulnerability in Hewlett Packard Enterprise OneView (HPE OneView). If it is not remediated, an attacker can execute malicious code remotely.

      🔴 Key vulnerability details
      • CVE-2025-37164, CVSS score 10.0, affects the OneView software and is a Remote Code Execution (RCE) vulnerability: an attacker can execute malicious code remotely without authentication.

      🎯 Affected products and versions
      • HPE OneView, all versions up to and including 10.20
      ⚠️ Organisations running an affected version are advised to verify their exposure and remediate immediately.

      🔎 Detection and prevention guidance

      1. Detection guidance
        • Check which version of HPE OneView is in use
        • Watch for abnormal behaviour of the management system, such as unusual command execution, unfamiliar network connections, or processes spawned by unknown parent processes
        • Use security tooling such as IDS/IPS, EDR or SIEM to analyse and alert on anomalous activity on the HPE OneView system
        • Avoid exposing the HPE OneView service directly to the internet; where remote access is necessary, use a VPN or restrict access to the internal network only
      2. Prevention guidance
        • Update HPE OneView to version 11.00 or later
        • Restrict access to the HPE OneView service from external networks and allow only trusted sources
        • Run vulnerability scanning and penetration testing to assess the risk present in the organisation's internal systems
        • Monitor announcements from HPE and cyber security agencies for updates and further guidance
      3. Interim measures if the update cannot be applied immediately
        • Restrict access to the service from external networks and permit access only from trusted IP addresses or networks
        • Configure the firewall to allow only the IP addresses or networks required for operations, and block access from unrelated sources or sources whose trustworthiness cannot be verified
        • Segregate the management system from the organisation's main network to limit the scope and impact of any compromise
        • Configure system access according to the principle of least privilege, and restrict connection sources to those that are strictly necessary
        • Prepare and review the cyber security Incident Response Plan so that action can be taken quickly if an attack is detected
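      The two checks the guidance above asks for first (which OneView release is running, and whether anything outside the management network is reaching the appliance) can be scripted. The Python below is an added example, not code from ThaiCERT or HPE: it applies the advisory's version ceiling (affected up to and including 10.20, fixed from 11.00) and compares client addresses from an access log against the management allowlist. The node-info JSON, the `softwareVersion` field name, the log format and the addresses are all constructed for the demo and are assumptions, not documented appliance output.

```python
import ipaddress
import json

# Boundaries stated in the advisory above: every release up to and including
# 10.20 is affected; 11.00 or later carries the fix.
AFFECTED_MAX = (10, 20)


def parse_version(text):
    """Return (major, minor) from strings such as '10.20', '10.20.00-0390'
    or '11.00.00-0001'; any build suffix after '-' is ignored."""
    core = text.strip().split("-")[0]
    parts = core.split(".")
    if len(parts) < 2 or not (parts[0].isdigit() and parts[1].isdigit()):
        raise ValueError(f"unrecognised OneView version string: {text!r}")
    return int(parts[0]), int(parts[1])


def is_affected(text):
    """True when the appliance runs a release at or below the 10.20 ceiling."""
    return parse_version(text) <= AFFECTED_MAX


def stray_clients(log_lines, allowed_nets):
    """Client IPs in the access log that fall outside the management allowlist.
    Log format is constructed for this demo: '<client-ip> <method> <path>'."""
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    stray = set()
    for line in log_lines:
        ip = ipaddress.ip_address(line.split()[0])
        if not any(ip in net for net in nets):
            stray.add(str(ip))
    return stray


def triage(nodeinfo_json, log_lines, allowed_nets):
    """Combine the version check and the exposure check into one verdict."""
    info = json.loads(nodeinfo_json)
    version = info["softwareVersion"]  # assumed field name (see lead-in)
    affected = is_affected(version)
    strays = sorted(stray_clients(log_lines, allowed_nets))
    actions = []
    if affected:
        actions.append("patch to 11.00 or later")
    if strays:
        actions.append("restrict access to the management network")
    return {"version": version, "affected": affected,
            "stray_clients": strays, "actions": actions}


# Constructed sample input; not real appliance output or real logs.
SAMPLE_NODEINFO = json.dumps({"softwareVersion": "10.20.00-0390"})
SAMPLE_LOG = [
    "10.10.0.5 GET /rest/login-sessions",
    "10.10.0.7 POST /rest/login-sessions",
    "203.0.113.44 POST /rest/login-sessions",  # outside the management subnet
]
MANAGEMENT_NETS = ["10.10.0.0/24"]

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_NODEINFO, SAMPLE_LOG, MANAGEMENT_NETS), indent=2))
```

      Comparing versions as integer tuples rather than strings matters here: a plain string comparison would rank "9.10" above "10.20" and miss an affected appliance. Feed `stray_clients` the real access log and the real management subnets to get the list of addresses the firewall rules in step 3 should be cutting off.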

      🔗 References:

      1. https://www.csa.gov.sg/alerts-and-advisories/alerts/al-2025-121/
      2. https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbgn04985en_us&docLocale=en_US#vulnerability-summary-1

      With best regards,

      National Cyber Security Agency (NCSA) / ThaiCERT

      Posted in Cyber Security News
    • CISA adds one exploited vulnerability to its catalog

      On 22 December 2025 the Cybersecurity and Infrastructure Security Agency (CISA) added one new vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation:

      • CVE-2023-52163 Digiever DS-2105 Pro Missing Authorization Vulnerability

      CISA's Binding Operational Directive (BOD) 22-01 established the KEV catalog as a list of CVEs that carry significant risk and are exploited in the wild. Federal Civilian Executive Branch (FCEB) agencies must remediate the listed vulnerabilities by the due date assigned to each entry to protect their networks against active threats.

      CISA will continue to update the KEV catalog and add new vulnerabilities to it, so that it reflects the risks actually being exploited now and in the future.

      Reference
      https://www.cisa.gov/news-events/alerts/2025/12/22/cisa-adds-one-known-exploited-vulnerability-catalog

      Posted in Cyber Security News
    • Cyber Threat Intelligence 23 December 2025

      Industrial Sector

      • Threat Landscape For Industrial Automation Systems. Europe, Q3 2025
        "High levels of email threats (phishing) and spyware clearly indicate that industrial systems in the region are highly exposed to advanced attackers. In Eastern Europe, the percentage of ICS computers on which threats from email clients were blocked is 1.3 times higher than the global average. The percentage of ICS computers on which malicious documents are blocked also exceeds the global average by a factor of 1.3."
        https://ics-cert.kaspersky.com/publications/reports/2025/12/22/threat-landscape-for-industrial-automation-systems-europe-q3-2025/
      • Threat Landscape For Industrial Automation Systems. Russia, Q3 2025
        "The main categories of internet threats blocked on ICS computers include denylisted internet resources, malicious scripts and phishing pages, and miners. The list of denylisted internet resources is used to prevent initial infection attempts. In particular, the following threats on ICS computers are blocked with the aid of this list:"
        https://ics-cert.kaspersky.com/publications/reports/2025/12/22/threat-landscape-for-industrial-automation-systems-russia-q3-2025/

      New Tooling

      • Anubis: Open-Source Web AI Firewall To Protect From Scraper Bots
        "Anubis is an open-source tool designed to protect websites from automated scraping and abusive traffic by adding computational friction before a request is served. Maintained by TecharoHQ, the project targets a growing problem for site operators who want to keep content accessible to humans while limiting large scale automated collection."
        https://www.helpnetsecurity.com/2025/12/22/anubis-open-source-web-ai-firewall-protect-from-bots/
        https://github.com/TecharoHQ/anubis

      Vulnerabilities

      • Critical RCE Flaw Impacts Over 115,000 WatchGuard Firewalls
        "Over 115,000 WatchGuard Firebox devices exposed online remain unpatched against a critical remote code execution (RCE) vulnerability actively exploited in attacks. The security flaw, tracked as CVE-2025-14733, affects Firebox firewalls running Fireware OS 11.x and later (including 11.12.4_Update1), 12.x or later (including 12.11.5), and 2025.1 up to and including 2025.1.3. Successful exploitation enables unauthenticated attackers to execute arbitrary code remotely on vulnerable devices, following low-complexity attacks that don't require user interaction."
        https://www.bleepingcomputer.com/news/security/over-115-000-watchguard-firewalls-vulnerable-to-ongoing-rce-attacks/

      Malware

      • The Shadow Of JWT-Based Authentication: A Fatal Threat Behind The Convenience
        "JWT, which has become the standard for modern web applications and mobile apps, provides the convenience of stateless authentication. However, when operated and managed unsafely, it can become a single point of failure that collapses the entire authentication system. This post introduces the concept and authentication methods of JWT, analyzes its key vulnerabilities based on CVE cases, and suggests practical defense strategies for prevention and mitigation."
        https://asec.ahnlab.com/en/91676/
      • From ClickFix To Code Signed: The Quiet Shift Of MacSync Stealer Malware
        "While reviewing the detections of our in-house YARA rules, Jamf Threat Labs observed a signed and notarized stealer that did not follow the typical execution chains we have seen in the past. The sample in question looked highly similar to past variants of the increasingly active MacSync Stealer malware but was revamped in its design. Unlike earlier MacSync Stealer variants that primarily rely on drag-to-terminal or ClickFix-style techniques, this sample adopts a more deceptive, hands-off approach."
        https://www.jamf.com/blog/macsync-stealer-evolution-code-signed-swift-malware-analysis/
        https://www.bleepingcomputer.com/news/security/new-macsync-malware-dropper-evades-macos-gatekeeper-checks/
        https://www.securityweek.com/macsync-macos-malware-distributed-via-signed-swift-application/
      • NPM Package With 56K Downloads Caught Stealing WhatsApp Messages
        "The lotusbail npm package presents itself as a WhatsApp Web API library - a fork of the legitimate @whiskeysockets/baileys package. With over 56,000 downloads and functional code that actually works as advertised, it's the kind of dependency developers install without a second thought. The package has been available on npm for 6 months and is still live at the time of writing. Behind that working functionality: sophisticated malware that steals your WhatsApp credentials, intercepts every message, harvests your contacts, installs a persistent backdoor, and encrypts everything before sending it to the threat actor's server."
        https://www.koi.ai/blog/npm-package-with-56k-downloads-malware-stealing-whatsapp-messages
        https://thehackernews.com/2025/12/fake-whatsapp-api-package-on-npm-steals.html
        https://www.bleepingcomputer.com/news/security/malicious-npm-package-steals-whatsapp-accounts-and-messages/
        https://www.theregister.com/2025/12/22/whatsapp_npm_package_message_steal/
      • Phishing Campaign Leverages Trusted Google Cloud Automation Capabilities To Evade Detection
        "This report describes a phishing campaign in which attackers impersonate legitimate Google generated messages by abusing Google Cloud Application Integration to distribute malicious emails that appear to originate from trusted Google infrastructure. The emails mimic routine enterprise notifications such as voicemail alerts and file access or permission requests, making them appear normal and trustworthy to recipients."
        https://blog.checkpoint.com/research/phishing-campaign-leverages-trusted-google-cloud-automation-capabilities-to-evade-detection/
      • Nezha: The Monitoring Tool That’s Also a Perfect RAT
        "Ontinue’s Cyber Defense Center discovered attackers using Nezha, a legitimate open-source monitoring tool, as a post-exploitation RAT. The agent provides SYSTEM/root level access, file management, and an interactive web terminal. VirusTotal shows 0/72 detections because it isn’t malware, it’s legitimate software pointed at attacker infrastructure. Installation is silent. Detection only occurs when attackers execute commands through the agent. Organisations should hunt for Nezha presence proactively and ensure behavioural monitoring is in place to catch post-exploitation activity."
        https://www.ontinue.com/resource/nezha-the-monitoring-tool-thats-also-a-perfect-rat/
        https://hackread.com/hackers-abuse-monitoring-tool-nezha-trojan/
        https://www.infosecurity-magazine.com/news/nezha-abused-post-exploitation/
      • DDoS Incident Disrupts France’s Postal And Banking Services Ahead Of Christmas
        "France’s national postal service, La Poste, confirmed that a suspected cyberattack disrupted its websites and mobile applications days before Christmas, slowing deliveries and knocking some online services offline. In a statement on Monday, La Poste said that a distributed denial-of-service (DDoS) incident knocked key digital systems offline. The company said there was no evidence that customer data had been compromised, but acknowledged that postal operations, including parcel distribution, had been affected."
        https://therecord.media/la-poste-france-ddos-disruption-days-before-christmas
      • I Am Not a Robot: ClickFix Used To Deploy StealC And Qilin
        "ClickFix is an increasingly common tactic used by threat actors to install malicious software on victims’ devices. It has gone through a number of evolutions but essentially relies on a victim following a series of instructions that masquerade as a human verification request. The actions result in the download of malware, typically an infostealer or remote access trojan (RAT)."
        https://www.sophos.com/en-us/blog/i-am-not-a-robot-clickfix-used-to-deploy-stealc-and-qilin
      • Inside DPRK Operations: New Lazarus And Kimsuky Infrastructure Uncovered Across Global Campaigns
        "Throughout the analysis, we surfaced clusters of operational assets that had not been connected publicly before, revealing active tool-staging servers, credential theft environments, FRP tunneling nodes, and certificate-linked infrastructure fabric controlled by DPRK operators. These findings help outline how different parts of the DPRK operational infrastructure continue to intersect across campaigns and provide defenders with clearer visibility into the infrastructure habits these actors rely on."
        https://hunt.io/blog/dprk-lazarus-kimsuky-infrastructure-uncovered

      Breaches/Hacks/Leaks

      • Nissan Says Thousands Of Customers Exposed In Red Hat Breach
        "Nissan Motor Co. Ltd. (Nissan) has confirmed that information of thousands of its customers has been compromised after the data breach at Red Hat in September. The Japanese multinational automobile manufacturer headquartered in Yokohama, Japan, produces more than 3.2 million cars a year. The company employs 120,000 people and has a strong presence in Japan, North America, Europe, and Asia. In an announcement yesterday, Nissan informed that it was indirectly impacted by a security breach incident at the U.S.-based enterprise software company Red Hat."
        https://www.bleepingcomputer.com/news/security/nissan-says-thousands-of-customers-exposed-in-red-hat-breach/
      • Romanian Water Authority Hit By Ransomware Attack Over Weekend
        "Romanian Waters (Administrația Națională Apele Române), the country's water management authority, was hit by a ransomware attack over the weekend. Officials with the National Cyber Security Directorate (DNSC) said Sunday that the incident impacted approximately 1,000 computer systems at the national water authority and 10 of its 11 regional offices. While the breach affected servers running geographic information systems, databases, email, and web services, as well as Windows workstations and domain name servers, operations and operational technology (OT) systems controlling water infrastructure are unaffected."
        https://www.bleepingcomputer.com/news/security/romanian-water-authority-hit-by-ransomware-attack-over-weekend/
        https://therecord.media/romania-national-water-agency-ransomware-attack
        https://securityaffairs.com/186010/cyber-crime/romanian-waters-confirms-cyberattack-critical-water-operations-unaffected.html
        https://www.theregister.com/2025/12/22/around_1000_systems_compromised_in/
      • University Of Phoenix Data Breach Impacts Nearly 3.5 Million Individuals
        "The Clop ransomware gang has stolen the data of nearly 3.5 million University of Phoenix (UoPX) students, staff, and suppliers after breaching the university's network in August. Headquartered in Phoenix, Arizona, UoPX is a private for-profit university founded in 1976 with 82,700 enrolled students and 3,400 employees (nearly 2,300 academic staff). In early December, the university disclosed the incident on its official website, and Phoenix Education Partners, its parent company, filed an 8-K with the U.S. Securities and Exchange Commission (SEC)."
        https://www.bleepingcomputer.com/news/security/university-of-phoenix-data-breach-impacts-nearly-35-million-individuals/
      • Coupang Breach Affecting 33.7 Million Users Raises Data Protection Questions
        "Coupang, South Korea's leading e-commerce platform, recently disclosed a data breach affecting 33.7 million customer accounts which is equivalent to nearly two-thirds of the Korean population. This represents the largest e-commerce security incident in South Korea's history and could result in fines of up to $900 million (approximately 1.2 trillion KRW). This breach exposed vulnerabilities in data protection systems, particularly for e-commerce platforms that handle sensitive data including transaction histories, delivery addresses, and payment methods."
        https://www.bleepingcomputer.com/news/security/coupang-breach-affecting-337-million-users-raises-data-protection-questions/

      General News

      • Browser Agents Don’t Always Respect Your Privacy Choices
        "Browser agents promise to handle online tasks without constant user input. They can shop, book reservations, and manage accounts by driving a web browser through an AI model. A new academic study warns that this convenience comes with privacy risks that security teams should not ignore."
        https://www.helpnetsecurity.com/2025/12/22/browser-agents-privacy-risks-study/
        https://arxiv.org/pdf/2512.07725
      • 574 Arrests And USD 3 Million Recovered In Coordinated Cybercrime Operation Across Africa
        "Law enforcement in 19 countries have arrested 574 suspects and recovered approximately USD 3 million in a significant cybercrime operation across Africa. Operation Sentinel (27 October – 27 November) focused on three prevalent crime types: business email compromise (BEC), digital extortion and ransomware, all identified as growing threats in INTERPOL’s 2025 Africa Cyber Threat Assessment Report. During the INTERPOL-coordinated initiative, over 6,000 malicious links were taken down and six distinct ransomware variants were decrypted. The cases investigated during the month-long operation were linked to estimated financial losses exceeding USD 21 million."
        https://www.interpol.int/News-and-Events/News/2025/574-arrests-and-USD-3-million-recovered-in-coordinated-cybercrime-operation-across-Africa
        https://www.bleepingcomputer.com/news/security/interpol-led-action-decrypts-6-ransomware-strains-arrests-hundreds/
        https://www.helpnetsecurity.com/2025/12/22/europol-africa-cybercrime-arrests-2025/
      • Building Cyber Talent Through Competition, Residency, And Real-World Immersion
        "In this Help Net Security interview, Chrisma Jackson, Director of Cybersecurity & Mission Computing Center and CISO at Sandia National Laboratories, reflects on where the cyber talent pipeline breaks down and what it takes to fix it. She discusses skill gaps, hiring and retention realities, and how cybersecurity careers are evolving beyond traditional paths."
        https://www.helpnetsecurity.com/2025/12/22/chrisma-jackson-sandia-national-laboratories-recruiting-cybersecurity-professionals/
      • 86% Surge In Fake Delivery Websites Hits Shoppers During Holiday Rush
        "An 86% increase in malicious postal service websites over the past month has heightened the risk for consumers tracking holiday deliveries. Cybercriminals are reportedly capitalizing on the seasonal spike in online shopping by sending convincing messages that appear to come from legitimate delivery companies, often warning of delayed or suspended packages. The fake alerts typically arrive via text message or email and include links designed to steal personal or financial information. With shoppers expecting frequent updates, these scams are more likely to succeed during peak shipping periods."
        https://www.infosecurity-magazine.com/news/surge-fake-delivery-holidays/
      • Rising Tides: When Cybersecurity Becomes Personal – Inside The Work Of An OSINT Investigator
        "“All of us matter, or none of us do,” a strong statement from Shannon Miller, OSINT Investigator and Privacy Consultant. For those of us who know Miller, it’s not the first time we’ve heard that plea and it won’t be the last. Her significant career and non-profit work to help victims of domestic danger and other similar malice find safety, she’s seen first-hand how the dangers are amplified for marginalized and vulnerable groups who do not have as much access to tools, education, and other critical resources to protect themselves and their families."
        https://www.securityweek.com/rising-tides-when-cybersecurity-becomes-personal-inside-the-work-of-an-osint-investigator/
      • Spy Turned Startup CEO: 'The WannaCry Of AI Will Happen'
        "“In my past life, it would take us 360 days to develop an amazing zero day,” Zafran Security CEO Sanaz Yashar said. She's talking about the 15 years she spent working as a spy - she prefers “hacking architect” - inside the Israel Defense Forces' elite cyber group, Unit 8200. “Now, the volume and speed is changing so much that for the first time ever, we have a negative time-to-exploit, meaning it takes less than a day to see vulnerabilities being exploited, being weaponized before they were patched,” Yashar told The Register. “That is not something you used to see.”"
        https://www.theregister.com/2025/12/22/zafran_security_ceo/

      Reference
      Electronic Transactions Development Agency (ETDA)

      Posted in Cyber Security News
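    The JWT item in the 23 December digest above warns that a JWT deployment operated unsafely becomes a single point of failure for the whole authentication system. As an added example (not code from the original post, from ASEC, or from any JWT library), the Python below shows the verifier-side controls that close the usual failure modes: the algorithm is pinned to HS256 on the server rather than read from the token header (so `alg: none` and algorithm-confusion tokens are rejected), the HMAC key must be at least 32 bytes, signatures are compared in constant time, and a missing or past `exp` claim fails. The key, claims and tokens are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def make_hs256(payload, key, alg="HS256"):
    """Build a token. Used here only to construct demo inputs; a real issuer
    never lets a caller choose alg. alg='none' yields an unsigned token."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    if alg == "none":
        return f"{header}.{body}."
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def verify_hs256(token, key, now=None):
    """Return the claims if the token is valid, otherwise raise ValueError.
    The header's alg is compared for equality only; it never selects the
    verification routine, so 'none' or 'RS256' in the header cannot downgrade us."""
    if len(key) < 32:
        raise ValueError("HS256 key must be at least 32 bytes")
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError(f"algorithm not allowed: {header.get('alg')!r}")
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    payload = json.loads(_b64url_decode(body_b64))
    now = time.time() if now is None else now
    exp = payload.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise ValueError("missing or expired exp claim")
    return payload


def is_rejected(token, key, now=None):
    """True when verify_hs256 refuses the token (convenience for checks below)."""
    try:
        verify_hs256(token, key, now)
    except ValueError:
        return True
    return False


# Constructed demo material; never reuse this key anywhere.
KEY = b"constructed-demo-key-0123456789abcdef"  # 36 bytes
CLAIMS = {"sub": "alice", "role": "user", "exp": 2_000_000_000}
GOOD_TOKEN = make_hs256(CLAIMS, KEY)
NONE_TOKEN = make_hs256(CLAIMS, KEY, alg="none")          # classic alg:none bypass attempt
_h, _p, _s = GOOD_TOKEN.split(".")
TAMPERED_TOKEN = ".".join([_h, _b64url_encode(b'{"sub":"alice","role":"admin","exp":2000000000}'), _s])

if __name__ == "__main__":
    t = 1_700_000_000
    print("good:", verify_hs256(GOOD_TOKEN, KEY, now=t))
    for name, tok in [("alg none", NONE_TOKEN), ("tampered", TAMPERED_TOKEN)]:
        print(name, "rejected:", is_rejected(tok, KEY, now=t))
```

    The single most important line is the equality check on `alg`: libraries that dispatch on the header value are what make `alg: none` and RSA-public-key-as-HMAC-secret attacks work. Pin the algorithm and the key per issuer, and treat the header as untrusted input like everything else in the token.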
    • Cyber Threat Intelligence 22 December 2025

      Healthcare Sector

      • Identity Fraud Among Home-Care Workers Puts Patients At Risk
        "Cases of healthcare fraud are rising. Some involve misusing patients' and caregivers' personally identifiable information or manipulating billing services for financial gain, but a growing concern is home-care workers sending unqualified friends or relatives to work shifts in their place under false identities. Impersonation is not a new threat, says Conor White, president of strategic initiatives at biometrics company Daon. But it is a recurring theme he has observed after talking with CISOs and healthcare leaders."
        https://www.darkreading.com/identity-access-management-security/identity-fraud-among-home-care-workers-puts-patients-at-risk

      Vulnerabilities

      • Over 25,000 FortiCloud SSO Devices Exposed To Remote Attacks
        "Internet security watchdog Shadowserver has found over 25,000 Fortinet devices exposed online with FortiCloud SSO enabled, amid ongoing attacks targeting a critical authentication bypass vulnerability. Fortinet noted on December 9th, when it patched the security flaw tracked as CVE-2025-59718 (FortiOS, FortiProxy, FortiSwitchManager) and CVE-2025-59719 (FortiWeb), that the vulnerable FortiCloud SSO login feature is not enabled until admins register the device with the company's FortiCare support service. As cybersecurity company Arctic Wolf reported on Monday, the vulnerability is now actively exploited to compromise admin accounts via malicious single sign-on (SSO) logins."
        https://www.bleepingcomputer.com/news/security/over-25-000-forticloud-sso-devices-exposed-to-remote-attacks/
      • New Critical WatchGuard Firebox Firewall Flaw Exploited In Attacks
        "WatchGuard has warned customers to patch a critical, actively exploited remote code execution (RCE) vulnerability in its Firebox firewalls. Tracked as CVE-2025-14733, this security flaw affects firewalls running Fireware OS 11.x and later (including 11.12.4_Update1), 12.x or later (including 12.11.5), and 2025.1 up to and including 2025.1.3. The vulnerability is due to an out-of-bounds write weakness that enables unauthenticated attackers to execute malicious code remotely on unpatched devices, following successful exploitation in low-complexity attacks that don't require user interaction."
        https://www.bleepingcomputer.com/news/security/watchguard-warns-of-new-rce-flaw-in-firebox-firewalls-exploited-in-attacks/
        https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2025-00027
        https://www.cisa.gov/news-events/alerts/2025/12/19/cisa-adds-one-known-exploited-vulnerability-catalog
        https://thehackernews.com/2025/12/watchguard-warns-of-active-exploitation.html
        https://www.theregister.com/2025/12/19/watchguard_firebox/
        https://securityaffairs.com/185896/hacking/u-s-cisa-adds-a-flaw-in-watchguard-fireware-os-to-its-known-exploited-vulnerabilities-catalog.html
      • “Ask Gordon, Meet The Attacker” - Prompt Injection In Docker’s Built-In AI Assistant
        "Generative AI keeps expanding into every developer tool. Docker, one of the cornerstones of modern development, is no exception — and its new built-in assistant, Ask Gordon, is a prime example of that evolution. While experimenting with Docker Desktop, we encountered this new beta feature that promised natural-language help right inside Docker Desktop and CLI. Naturally, that caught our attention. What we discovered was a prompt injection vulnerability that enables attackers to hijack the assistant and exfiltrate sensitive data by poisoning Docker Hub repository metadata with malicious instructions."
        https://www.pillar.security/blog/ask-gordon-meet-the-attacker-prompt-injection-in-dockers-built-in-ai-assistant
        https://hackread.com/docker-ask-gordon-ai-flaw-metadata-attacks/

      Malware

      • Distribution Of EtherRAT Malware Exploiting React2Shell Vulnerability (CVE-2025-55182)
        "AhnLab SEcurity intelligence Center (ASEC) recently discovered an advanced malware distribution campaign using Node.js while tracking the recently disclosed React2Shell vulnerability. This attack installs EtherRAT through multiple stages, with the ultimate goal of gaining a foothold, stealing information, and stealing cryptocurrency."
        https://asec.ahnlab.com/en/91658/
      • Stealth In Layers: Unmasking The Loader Used In Targeted Email Campaigns
        "CRIL (Cyble Research and Intelligence Labs) has been tracking a sophisticated commodity loader utilized by multiple high-capability threat actors. The campaign demonstrates a high degree of regional and sectoral specificity, primarily targeting Manufacturing and Government organizations across Italy, Finland, and Saudi Arabia. This campaign utilizes advanced tradecraft, employing a diverse array of infection vectors including weaponized Office documents (exploiting CVE-2017-11882), malicious SVG files, and ZIP archives containing LNK shortcuts. Despite the variety of delivery methods, all vectors leverage a unified commodity loader."
        https://cyble.com/blog/stealth-in-layers-unmasking-loader-in-targeted-email-campaigns/
      • Choose Your Fighter: A New Stage In The Evolution Of Android SMS Stealers In Uzbekistan
        "In October 2025, Group-IB specialists detected a new wave of malware attacks targeting users in Uzbekistan. This research provides an in-depth overview of the findings: how the malware is evolving, which distribution schemes are being used by threat actors, and how they are adapting to modern Android protection mechanisms."
        https://www.group-ib.com/blog/mobile-malware-uzbekistan/
      • Tracing a Paper Werewolf Campaign Through AI-Generated Decoys And Excel XLLs
        "An XLL is a native Windows DLL that Excel loads as an add-in, allowing it to execute arbitrary code through exported functions like xlAutoOpen. Since at least mid-2017, threat actors began abusing Microsoft Excel add-ins via the .XLL format, the earliest documented misuse is by the threat group APT10 (aka Stone Panda / Potassium) injecting backdoor payloads via XLLs. Since 2021, a growing number of commodity malware families and cyber-crime actors have added XLL-based delivery to their arsenals. Notable examples include Agent Tesla and Dridex, researchers observed an increase of these malware being dropped via malicious XLL add-ins."
        https://intezer.com/blog/tracing-a-paper-werewolf-campaign-through-ai-generated-decoys-and-excel-xlls/
      • Cloud Atlas Activity In The First Half Of 2025: What Changed
        "Known since 2014, the Cloud Atlas group targets countries in Eastern Europe and Central Asia. Infections occur via phishing emails containing a malicious document that exploits an old vulnerability in the Microsoft Office Equation Editor process (CVE-2018-0802) to download and execute malicious code. In this report, we describe the infection chain and tools that the group used in the first half of 2025, with particular focus on previously undescribed implants."
        https://securelist.com/cloud-atlas-h1-2025-campaign/118517/
      • Yet Another DCOM Object For Lateral Movement
        "If you’re a penetration tester, you know that lateral movement is becoming increasingly difficult, especially in well-defended environments. One common technique for remote command execution has been the use of DCOM objects. Over the years, many different DCOM objects have been discovered. Some rely on native Windows components, others depend on third-party software such as Microsoft Office, and some are undocumented objects found through reverse engineering. While certain objects still work, others no longer function in newer versions of Windows."
        https://securelist.com/lateral-movement-via-dcom-abusing-control-panel/118232/
      • From Loader To Looter: ACR Stealer Rides On Upgraded CountLoader
        "The Howler Cell Threat Intelligence team has uncovered a new malware campaign leveraging cracked software distribution sites to deploy an upgraded variant of CountLoader. Below are the key findings:"
        https://www.cyderes.com/howler-cell/acr-stealer-rides-on-upgraded-countloader
        https://thehackernews.com/2025/12/cracked-software-and-youtube-videos.html
      • Phantom 3.5: Initial Vector Analysis & Forensics
        "Phantom, a stealer malware, sends back sensitive data like passwords, browser cookies, credit card information, crypto wallet credentials, victim’s IP addresses, etc to the attacker. This can be used in identity theft, account takeovers or even worse the infected machine can be used as a tool to orchestrate bigger malware attacks. With the increased use and vast amount of files that are available on the internet, most oblivious users fail to differentiate between safe and malicious content they are downloading. In this blog, we will delve into a stealer named Phantom version 3.5 and its initial vector."
        https://labs.k7computing.com/index.php/phantom-3-5-initial-vector-analysis-forensics/
      • Zscaler Threat Hunting Catches Evasive SideWinder APT Campaign
        "Zscaler Threat Hunting has identified a sophisticated espionage campaign targeting Indian entities by masquerading as the Income Tax Department of India. By reconstructing the complete attack lifecycle from a deceptive “Inspection” lure to a reflectively loaded resident implant, Zscaler Threat Hunting has observed activity which is typically associated with SideWinder APT (also known as Rattlesnake or APT-C-17). Recently, Zscaler Threat Hunting has observed an evolution in the threat actor’s toolkit in an attempt to evade detection by mimicking Chinese enterprise software. This discovery underscores Zscaler’s ability to detect subtle, state-sponsored tradecraft within cloud-scale telemetry before it causes critical damage."
        https://www.zscaler.com/blogs/security-research/zscaler-threat-hunting-catches-evasive-sidewinder-apt-campaign

      Breaches/Hacks/Leaks

      • UK Confirms Foreign Office Hacked, Says ‘Low Risk’ Of Impact To Individuals
        "The British government confirmed on Friday morning that data held on a Foreign Office system was compromised in a cyber incident earlier this year, although it said the incident was only considered to pose a “low risk” to individuals. The incident was first reported by The Sun newspaper, which attributed the attack to the China-based group Storm-1849. It said the hackers “accessed personal information, understood to possibly include tens of thousands of visa details.” The month the government spotted the incident, the group had been said to be exploiting vulnerabilities in a popular line of Cisco firewalls used by governments in Asia, Europe and the United States. The British government did not say which threat actor was involved in the Foreign Office incident or the method of access."
        https://therecord.media/uk-foreign-office-hacked-china
        https://www.theregister.com/2025/12/19/uk_foreign_office_hack/
        https://www.bankinfosecurity.com/uk-foreign-office-targeted-by-hackers-a-30354

      General News

      • Nigeria Arrests Dev Of Microsoft 365 'Raccoon0365' Phishing Platform
        "The Nigerian police arrested three individuals linked to targeted Microsoft 365 cyberattacks via Raccoon0365 phishing platform. The attacks led to business email compromise, data breaches, and financial losses affecting organizations worldwide. The law enforcement operation was possible thanks to intelligence from Microsoft, shared with the Nigeria Police Force National Cybercrime Centre (NPF–NCCC) via the FBI."
        https://www.bleepingcomputer.com/news/security/nigeria-arrests-dev-of-microsoft-365-raccoon0365-phishing-platform/
        https://thehackernews.com/2025/12/nigeria-arrests-raccoono365-phishing.html
        https://therecord.media/nigeria-raccoon-developer-tip
      • Denmark Blames Russia For Destructive Cyberattack On Water Utility
        "Danish intelligence officials blamed Russia for orchestrating cyberattacks against Denmark's critical infrastructure, as part of Moscow's hybrid attacks against Western nations. In a Thursday statement, the Danish Defence Intelligence Service (DDIS) identified two groups operating on behalf of the Russian state: Z-Pentest, linked to the destructive water-utility attack, and NoName057(16), flagged as responsible for the DDoS assaults ahead of November's local elections in Denmark before the 2025 elections."
        https://www.bleepingcomputer.com/news/security/denmark-blames-russia-for-destructive-cyberattack-on-water-utility/
        https://therecord.media/denmark-summons-russian-ambassador-cyberattack-elections
        https://www.infosecurity-magazine.com/news/denmark-blames-russia-for/
        https://www.securityweek.com/denmark-blames-russia-for-cyberattacks-ahead-of-elections-and-on-water-utility/
        https://securityaffairs.com/185885/hacking/russia-was-behind-a-destructive-cyber-attack-on-a-water-utility-in-2024-denmark-says.html
      • AI-Generated Code Ships Faster, But Crashes Harder
        "Artificial intelligence coding assistants write code faster than humans. They also write buggier code, though nobody puts that in the marketing materials. Researchers at code review tool CodeRabbit analyzed 470 open-source pull requests on GitHub, analyzing AI-coauthored submissions against human-only contributions for their logic, maintainability, security and performance."
        https://www.bankinfosecurity.com/ai-generated-code-ships-faster-but-crashes-harder-a-30352
        https://www.coderabbit.ai/whitepapers/state-of-AI-vs-human-code-generation-report
      • Scam Centers Fueling Thailand's Border War With Cambodia
        "Thailand is recasting a flaring conflict with neighboring Cambodia as a fight over cybercriminal compounds spread alongside the two Southeast Asian nations' contested border. Fighting including artillery and air strikes resumed earlier this month after a lull in fighting that broke out in July, sparked by long-standing territorial disputes. Thailand now says air strikes this month against Cambodian casino and hotel complexes are part of a 'war against the scam army.'"
        https://www.bankinfosecurity.com/scam-centers-fueling-thailands-border-war-cambodia-a-30347
      • Cyber Criminals Are Recruiting Insiders In Banks, Telecoms, And Tech
        "Cyber criminals are no longer relying solely on brute force, social engineering, or exploiting vulnerabilities. Increasingly, they are recruiting insiders within organizations to gain access to corporate networks, user devices, and cloud environments. Across darknet forums, employees are being approached, or even volunteering, to sell access or sensitive information for lucrative rewards. This trend poses a major blind spot for security teams."
        https://blog.checkpoint.com/research/cyber-criminals-are-recruiting-insiders-in-banks-telecoms-and-tech/
      • Ukrainian National Pleads Guilty To Conspiracy To Use Ransomware
        "Earlier today, in federal court in Brooklyn, Artem Stryzhak pleaded guilty to conspiracy to commit fraud and related activity, including extortion, in connection with computers, for his role in a series of international ransomware attacks. Stryzhak, a Ukrainian citizen, was arrested in Spain in June 2024 and extradited to the United States on April 30, 2025. When sentenced, Stryzhak faces up to 10 years’ imprisonment. His co-conspirator, Volodymyr Tymoshchuk, remains at large and is the subject of an $11 million reward offered by the United States Department of State."
        https://www.justice.gov/usao-edny/pr/ukrainian-national-pleads-guilty-conspiracy-use-ransomware-0
        https://cyberscoop.com/nefilim-ransomware-artem-stryzhak-guilty-plea/
      • A Cybersecurity Playbook For AI Adoption
        "Artificial intelligence has become an ally in cybersecurity by 2025, with 60% of organizations reporting using it in their IT infrastructures. AI can process massive volumes of data, correlate signals in seconds, and surface hidden patterns no human could detect manually. This analytical speed makes it a powerful tool for defense teams. Yet, speed does not equal certainty, which is crucial for a reliable security architecture. Decisions that determine access, privileges, or evidence must still follow predictable, auditable logic."
        https://www.darkreading.com/cyber-risk/cybersecurity-playbook-ai-adoption
      • AI Isn’t One System, And Your Threat Model Shouldn’t Be Either
        "In this Help Net Security interview, Naor Penso, CISO at Cerebras Systems, explains how to threat model modern AI stacks without treating them as a single risk. He discusses why partitioning AI systems by function and impact matters, how to frame threat modeling for business leaders, and which assumptions break down as AI becomes core infrastructure."
        https://www.helpnetsecurity.com/2025/12/19/naor-penso-cerebras-systems-threat-modeling-al-optimized-infrastructure/
      • Identity Risk Is Changing Faster Than Most Security Teams Expect
        "Security leaders are starting to see a shift in digital identity risk. Fraud activity is becoming coordinated, automated, and self-improving. Synthetic personas, credential replay, and high speed onboarding attempts now operate through shared infrastructures that behave less like scattered threats and more like systems that learn as they run, according to a report by AU10TIX. This trend is shaping how fraud teams, risk executives, and identity product owners will need to prepare for 2026."
        https://www.helpnetsecurity.com/2025/12/19/au10tix-automated-fraud-detection-report/
      • Tren De Aragua Members And Leaders Indicted In Multi-Million Dollar ATM Jackpotting Scheme
        "United States Attorney Lesley A. Woods announced that a federal grand jury in the District of Nebraska has returned two indictments charging 54 individuals for their roles in a large conspiracy to deploy malware and steal millions of dollars from ATMs in the United States, a crime commonly referred to as “ATM jackpotting.” An indictment returned on December 9, 2025, charges 22 defendants with offenses corresponding to their role in the conspiracy, including conspiracy to provide material support to terrorists, conspiracy to commit bank fraud, conspiracy to commit bank burglary and fraud and related activity in connection with computers, and conspiracy to commit money laundering. The indictment also alleges that Tren de Aragua (“TdA”) has used jackpotting to steal millions of dollars in the United States and then transferred the proceeds among its members and associates to conceal the illegally obtained cash."
        https://www.justice.gov/usao-ne/pr/tren-de-aragua-members-and-leaders-indicted-multi-million-dollar-atm-jackpotting-scheme
        https://therecord.media/doj-charges-gang-malware-ploutus
        https://thehackernews.com/2025/12/us-doj-charges-54-in-atm-jackpotting.html
        https://www.infosecurity-magazine.com/news/us-charges-54-atm-jackpotting/
        https://www.theregister.com/2025/12/19/tren_de_aragua_atm/
        https://securityaffairs.com/185908/cyber-crime/atm-jackpotting-ring-busted-54-indicted-by-doj.html
      • Thailand Conference Launches International Initiative To Fight Online Scams
        "Thailand on Thursday helped launch a global effort to fight the spread of online scams that include criminal enterprises based largely in Southeast Asia estimated to bilk billions of dollars annually from victims around the world. Thailand’s Ministry of Foreign Affairs and the United Nations Office on Drugs and Crime hosted a conference in Bangkok on Wednesday and Thursday culminating in the announcement of the new initiative called the Global Partnership Against Online Scams."
        https://www.securityweek.com/thailand-conference-launches-international-initiative-to-fight-online-scams/
      • Former Incident Responders Plead Guilty To Ransomware Attack Spree
        "Former cybersecurity professionals Ryan Clifford Goldberg and Kevin Tyler Martin pleaded guilty Thursday to participating in a series of ransomware attacks in 2023 while they were employed at cybersecurity companies tasked with helping organizations respond to ransomware attacks. Goldberg, who was a manager of incident response at Sygnia, and Martin, a ransomware negotiator at DigitalMint at the time, collaborated with an unnamed co-conspirator to attack victim computers and networks and use ALPHV, also known as BlackCat, ransomware to extort payments."
        https://cyberscoop.com/incident-responders-plead-guilty-ransomware-digitalmint/

      References
      Electronic Transactions Development Agency (ETDA)

      Posted in Cyber Security News
      NCSA_THAICERT
    • RansomHouse malware upgrades with new "Mario" tool: multi-layer encryption, harder to recover than before

      Follow the news on the webboard or on the NCSA Thailand Facebook page.

      Posted in Cyber Security News
      NCSA_THAICERT
    • ATM jackpotting network dismantled: US Department of Justice charges 54 people

      Posted in Cyber Security News
      NCSA_THAICERT
    • North Korea rakes in over 2 billion dollars in crypto, as its tactic of posing as IT workers is exposed: Amazon intercepted more than 1,800 of them

      Posted in Cyber Security News
      NCSA_THAICERT