NCSA_THAICERT

NCSA_THAICERT

FBI และ DOJ ยึดคริปโตจำนวน 8.2 ล้านดอลลาร์จากขบวน.png

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

NCSA_THAICERT

เผยแพลตฟอร์ม Phishing-as-a-Service ตัวใหม่ ปลอมหน้าเข้า.png

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

NCSA_THAICERT

Google แก้ไขช่องโหว่ Zero-Day แรกของ Chrome ในปีนี้.png

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

NCSA_THAICERT

อังกฤษปรับเงินบริษัทผู้ให้บริการซอฟต์แว.png

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

NCSA_THAICERT

Vulnerabilities

NetApp SnapCenter Flaw Could Let Users Gain Remote Admin Access On Plug-In Systems
"A critical security flaw has been disclosed in NetApp SnapCenter that, if successfully exploited, could allow privilege escalation. SnapCenter is an enterprise-focused software that's used to manage data protection across applications, databases, virtual machines, and file systems, offering the ability to backup, restore, and clone data resources. The vulnerability, tracked as CVE-2025-26512, carries a CVSS score of 9.9 out of a maximum of 10.0."
https://thehackernews.com/2025/03/netapp-snapcenter-flaw-could-let-users.html
https://security.netapp.com/advisory/ntap-20250324-0001/
Forescout Vedere Labs Uncovers Severe Systemic Security Risks In Global Solar Power Infrastructure
"Forescout Technologies, Inc., a global cybersecurity leader, today published its “SUN:DOWN – Destabilizing the Grid via Orchestrated Exploitation of Solar Power Systems” research report. Forescout Research – Vedere Labs discovered 46 new vulnerabilities across three of the world’s 10 leading solar inverter vendors. Additionally, Vedere Labs found that 80% of vulnerabilities in solar power systems disclosed in the last three years were classified as high or critical severity. These findings reveal severe systemic security weaknesses in the solar ecosystem that could impact power grid stability, utility operations, and consumer data privacy."
https://www.forescout.com/press-releases/forescout-vedere-labs-uncovers-severe-systemic-security-risks-in-global-solar-power-infrastructure/
https://www.bleepingcomputer.com/news/security/dozens-of-solar-inverter-flaws-could-be-exploited-to-attack-power-grids/
https://www.securityweek.com/more-solar-system-vulnerabilities-expose-power-grids-to-hacking/
Mozilla Warns Windows Users Of Critical Firefox Sandbox Escape Flaw
"Mozilla has released Firefox 136.0.4 to patch a critical security vulnerability that can let attackers escape the web browser's sandbox on Windows systems. Tracked as CVE-2025-2857, this flaw is described as an "incorrect handle could lead to sandbox escapes" and was reported by Mozilla developer Andrew McCreight. The vulnerability impacts the latest Firefox standard and extended support releases (ESR) designed for organizations that require extended support for mass deployments. Mozilla fixed the security flaw in Firefox 136.0.4 and Firefox ESR versions 115.21.1 and 128.8.1."
https://www.bleepingcomputer.com/news/security/mozilla-warns-windows-users-of-critical-firefox-sandbox-escape-flaw/
CISA Adds One Known Exploited Vulnerability To Catalog
"CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
CVE-2025-2783 Google Chromium Mojo Sandbox Escape Vulnerability"
https://www.cisa.gov/news-events/alerts/2025/03/27/cisa-adds-one-known-exploited-vulnerability-catalog
https://securityaffairs.com/175936/security/u-s-cisa-adds-google-chromium-mojo-flaw-to-its-known-exploited-vulnerabilities-catalog.html
Splunk Patches Dozens Of Vulnerabilities
"Splunk on Wednesday announced patches for dozens of vulnerabilities across its products, including two high-severity flaws in Splunk Enterprise and Secure Gateway App. The enterprise monitoring solution received patches for a remote code execution (RCE) bug that could be exploited by low-privileged users by uploading a file to the ‘$SPLUNK_HOME/var/run/splunk/apptemp’ directory."
https://www.securityweek.com/splunk-patches-dozens-of-vulnerabilities/

Malware

Over 150K Websites Hit By Full-Page Hijack Linking To Chinese Gambling Sites
"In February, we uncovered a threat actor targeting over 35,000 websites with a malicious full-page hijack injection. We’ve continued to monitor this actor’s activities and have identified new tactics and techniques. They’ve scaled up their operations significantly, as we now estimate that approximately 150,000 websites have been impacted by this campaign."
https://cside.dev/blog/over-150k-websites-hit-by-full-page-hijack-linking-to-chinese-gambling-sites
https://thehackernews.com/2025/03/150000-sites-compromised-by-javascript.html
Hijacked Microsoft Stream Classic Domain "spams" SharePoint Sites
"The legacy domain for Microsoft Stream was hijacked to show a fake Amazon site promoting a Thailand casino, causing all SharePoint sites with old embedded videos to display it as spam. Microsoft Stream is an enterprise video streaming service that allows organizations to upload and share videos in Microsoft 365 apps, such as Teams and SharePoint. Video content hosted on Microsoft Stream was accessed or embedded through a portal at microsoftstream.com."
https://www.bleepingcomputer.com/news/microsoft/hijacked-microsoft-stream-classic-domain-spams-sharepoint-sites/
Multiple Crypto Packages Hijacked, Turned Into Info-Stealers
"Sonatype has identified multiple npm cryptocurrency packages, latest versions of which have been hijacked and altered to steal sensitive information such as environment variables from the target victims. Some of these packages have lived on npmjs.com for over 9 years, and provide legitimate functionality to blockchain developers. However, our automated malware detection systems detected that the latest versions of each of these packages were laden with obfuscated scripts, raising alarms."
https://www.sonatype.com/blog/multiple-crypto-packages-hijacked-turned-into-info-stealers
https://www.bleepingcomputer.com/news/security/infostealer-campaign-compromises-10-npm-packages-targets-devs/
Snow White — Beware The Bad Apple In The Torrent
"As the new Snow White movie arrives in theaters with lackluster audience attendance, the absence of streaming options on platforms like Disney+ has nudged many users to seek pirated versions online. From our perspective, this kind of consumer behavior isn’t new, every high-profile movie release without a digital option becomes an opportunity for attackers to exploit users eager to watch from home."
https://veriti.ai/blog/beware-the-bad-apple-in-the-torrent/
https://hackread.com/fake-snow-white-movie-torrent-infects-device-malware/
A Phishing Tale Of DoH And DNS MX Abuse
"Threat actors are increasingly adept at leveraging DNS to enhance the effectiveness of their cyber campaigns. We recently discovered a DNS technique used to tailor content to victims. We have discovered a phishing kit that creatively employs DNS mail exchange (MX) records to dynamically serve fake, tailored, login pages, spoofing over 100 brands. The threat actor behind the campaigns often exploits open redirects on adtech infrastructure, compromises domains for phishing distribution, and distributes stolen credentials through several mechanisms, including Telegram. We have found many variations of this phishing kit and assessed that they likely stem from a phishing-as-a-service (PhaaS) platform."
https://blogs.infoblox.com/threat-intelligence/a-phishing-tale-of-doh-and-dns-mx-abuse/
https://thehackernews.com/2025/03/new-morphing-meerkat-phishing-kit.html
Turning Aid Into Attack: Exploitation Of Pakistan's Youth Laptop Scheme To Target India
"In this report, CYFIRMA examines the tactics employed by a Pakistan-based APT group, assessed with medium confidence as APT36, who created a fake IndiaPost website to target and infect both Windows and Android users. We analysed the dropped Android executable and also revealed metadata indicating that the PDF was created in same time zone that Pakistan is in. Additionally, the laptop used to generate the file is part of Pakistan’s Prime Minister Youth Laptop Scheme. Further investigation into the IP resolution uncovered a domain associated with tactics commonly used by Pakistani APT groups."
https://www.cyfirma.com/research/turning-aid-into-attack-exploitation-of-pakistans-youth-laptop-scheme-to-target-india/
https://thehackernews.com/2025/03/apt36-spoofs-india-post-website-to.html
Serbia: BIRN Journalists Targeted With Pegasus Spyware
"Two journalists from Balkan Investigative Reporting Network (BIRN), an award-winning Serbian network of investigative journalists, were targeted with NSO Group’s Pegasus spyware last month, a new Amnesty International investigation reveals. Journalists Bogdana (not her real name) and Jelena Veljkovic received suspicious messages on the Viber messaging app from an unknown Serbian number linked to Telekom Srbija, the state-telecommunications operator. Suspecting that their smartphones were being targeted by a spyware attack, they approached Amnesty International’s Security Lab, whose forensic analysis confirmed their suspicions."
https://www.amnesty.org/en/latest/news/2025/03/serbia-birn-journalists-targeted-with-pegasus-spyware/
https://therecord.media/two-serbian-journalists-targeted-with-pegasus-spyware
PJobRAT Makes a Comeback, Takes Another Crack At Chat Apps
"In 2021, researchers reported that PJobRAT – an Android RAT first observed in 2019 – was targeting Indian military personnel by imitating various dating and instant messaging apps. Since then, there’s been little news about PJobRAT – until, during a recent threat hunt, Sophos X-Ops researchers uncovered a new campaign – now seemingly over – that appeared to target users in Taiwan. PJobRAT can steal SMS messages, phone contacts, device and app information, documents, and media files from infected Android devices."
https://news.sophos.com/en-us/2025/03/27/pjobrat-makes-a-comeback-takes-another-crack-at-chat-apps/
https://www.infosecurity-magazine.com/news/pjobrat-malware-targets-taiwan-via/

Breaches/Hacks/Leaks

Thousands Of Driver’s Licenses, Bank Documents & PII Exposed In Australian Fintech Data Breach
"Cybersecurity Researcher, Jeremiah Fowler, discovered and reported to Website Planet about a non-password-protected database that contained 27,000 records belonging to Vroom by YouX — an Australia-based Fintech company that facilitates automotive financing."
https://www.websiteplanet.com/news/vroom-report-breach/
https://hackread.com/aussie-fintech-vroom-pii-records-aws-misconfiguration/

General News

Navigating Cybercrime Currents In Latin America: Strengthening The Region’s Defenses
"Gather all, gather ye! Group-IB experts are here to uncover trade secrets from the dark side—cybercrime insights on unseen TTPs, hidden infrastructures, and strategies of the most nefarious threat actors. The fight against cybercrime is a constant ordeal, but the shadows grow weaker with each shore we conquer. Group-IB’s two-decade-long perseverance, technological and human expertise know no bounds — from shore to shore, land to land, we extend and stand with people, governments, and businesses as their shield against evolving crime."
https://www.group-ib.com/blog/navigating-cybercrime-latin-america/
The Hidden Costs Of Security Tool Bloat And How To Fix It
"In this Help Net Security interview, Shane Buckley, President and CEO at Gigamon, discusses why combating tool bloat is a top priority for CISOs as they face tighter budgets and expanding security stacks. Buckley shares insights on how deep observability can streamline security operations, optimize costs, and strengthen a defense-in-depth strategy."
https://www.helpnetsecurity.com/2025/03/27/shane-buckley-gigamon-deep-observability-tool-stacks/
Cyber Insurance Isn’t Always What It Seems
"Many companies think cyber insurance will protect them from financial losses after an attack. But many policies have gaps. Some claims get denied. Others cover less than expected. CISOs must understand the risks before an attack happens."
https://www.helpnetsecurity.com/2025/03/27/cyber-insurance-ciso/
New Year, New Threats: Q1 2025’s Most Exploited WordPress Vulnerabilities
"WordPress remains the backbone of millions of websites, offering flexibility and scalability through its extensive library of plugins and themes. However, this same openness also makes it a frequent target for cyber threats. Attackers are constantly scanning for outdated software, unpatched vulnerabilities, and misconfigurations that can be exploited to gain unauthorized access. The reality is clear: many WordPress sites remain vulnerable long after security flaws are disclosed, simply because updates are delayed or neglected. In this environment, relying solely on developer-issued patches isn’t enough—proactive security measures are essential."
https://patchstack.com/articles/new-year-new-threats-q1-2025s-most-exploited-wordpress-vulnerabilities/
https://www.bleepingcomputer.com/news/security/the-four-wordpress-flaws-hackers-targeted-the-most-in-q1-2025/
Hacktivists Increasingly Target France For Its Diplomatic Efforts
"According to a Cyble report sent to clients recently, France is increasingly becoming a target of hacktivists for its active role in international diplomacy and in ongoing conflicts in Ukraine and the Middle East. France’s role in those conflicts “has drawn the ire of pro-Russian and pro-Palestinian hacktivist groups,” Cyble said, as those hacktivists have found ideological alignment and a common adversary in France."
https://cyble.com/blog/hacktivists-france-for-its-diplomatic-efforts/
New Security Requirements Adopted By HTTPS Certificate Industry
"The Chrome Root Program launched in 2022 as part of Google’s ongoing commitment to upholding secure and reliable network connections in Chrome. We previously described how the Chrome Root Program keeps users safe, and described how the program is focused on promoting technologies and practices that strengthen the underlying security assurances provided by Transport Layer Security (TLS). Many of these initiatives are described on our forward looking, public roadmap named “Moving Forward, Together.”"
https://security.googleblog.com/2025/03/new-security-requirements-adopted-by.html
Good Security Practice For Domain Registrars
"This guidance is for domain registrars and operators of Domain Name System (DNS) services. It sets out outcomes and recommendations to promote good practice in a set of principles, and aims to reduce the prevalence of malicious and abusive domain registrations. It builds on existing industry good practice from international bodies such as ICANN and the NetBeacon Institute. It is consistent with other UK government guidance issued to registrars and other infrastructure service providers to tackle other issues such as fraud, extremist and illegal content."
https://www.ncsc.gov.uk/collection/security-practice-domain-registrars
https://www.infosecurity-magazine.com/news/ncsc-urges-domain-registrars/
https://www.helpnetsecurity.com/2025/03/27/ncsc-offers-security-guidance-for-domain-and-dns-registrars/
A Closer Look At The Ultimate Cybersecurity Careers Guide
"In this Help Net Security interview, Kim Crawley, cybersecurity expert and Professor at the Open Institute of Technology, discusses her latest book, The Ultimate Cybersecurity Careers Guide. She shares insights on how aspiring professionals can break into the field and explores the importance of continuous learning."
https://www.helpnetsecurity.com/2025/03/27/kim-crawley-ultimate-cybersecurity-careers-guide/
National Strategic Assessment 2025 Of Serious And Organised Crime
"Serious and organised crime (SOC) continues to cause more harm to more people than any other national security threat. It is responsible for danger in our homes and on our streets, stunting our economy, and damaging our communities. The purpose of this assessment is to understand these threats, so that we can better address them. The National Strategic Assessment of Serious and Organised Crime 2025 builds on last year’s comprehensive baseline and draws out the trends and themes of the last 12 months."
https://www.nationalcrimeagency.gov.uk/nsa-2025
https://www.infosecurity-magazine.com/news/nca-warns-of-sadistic-online-com/
Russia Arrests Three For Allegedly Creating Mamont Malware, Tied To Over 300 Cybercrimes
"Russian authorities have arrested three individuals suspected of developing the Mamont malware, a recently identified banking trojan targeting Android devices. The suspects, whose identities remain undisclosed, were apprehended in the Saratov region. A video released by the Russian Ministry of Internal Affairs (MVD) shows the arrested individuals in handcuffs, being escorted by police officers. According to the MVD, the trio is linked to over 300 cybercrime incidents. Authorities also seized computers, storage devices, communication tools and bank cards."
https://therecord.media/mamont-banking-malware-arrests-russia
Cloud Threats On The Rise: Alert Trends Show Intensified Attacker Focus On IAM, Exfiltration
"The attacks against cloud-hosted infrastructure are increasing, and the proof is in the analysis of security alert trends. Recent research reveals that organizations saw nearly five times as many daily cloud-based alerts at the end of 2024 compared to the start of the year. This means attackers have significantly intensified their focus on targeting and breaching cloud infrastructure. These alerts aren’t simply noise. We’ve seen the greatest increases in high severity alerts, meaning indicators of attacks are successfully targeting critical cloud resources as explained in Table 1."
https://unit42.paloaltonetworks.com/2025-cloud-security-alert-trends/
https://www.darkreading.com/cyber-risk/high-severity-cloud-security-alerts-tripled-2024

อ้างอิง
Electronic Transactions Development Agency(ETDA)

NCSA_THAICERT

New Tooling

Malwoverview: First Response Tool For Threat Hunting
"Malwoverview is an open-source threat hunting tool designed for the initial triage of malware samples, URLs, IP addresses, domains, malware families, IOCs, and hashes. “Malwoverview is simple and direct, integrating multiple public sandboxes to retrieve and display only relevant information. It enables professionals to gather broad insights into a threat before analyzing it. The tool pulls data from sources like VirusTotal, Hybrid Analysis, Malshare, URLHaus, Polyswarm, AlienVault, Malpedia, Malware Bazaar, Triage, InQuest, and Virus Exchange."
https://www.helpnetsecurity.com/2025/03/26/malwoverview-first-response-tool-threat-hunting/
https://github.com/alexandreborges/malwoverview
Cybertron Reshapes AI Security As “Cyber Brain” Grows
"Trend Micro is excited to introduce Trend Cybertron — a groundbreaking advancement that is transforming cybersecurity in an increasingly AI-driven world. While Trend Vision One customers benefit from the fully integrated Trend Cybertron "cyber brain," Trend Micro has now made select components of Trend Cybertron available as open-source. These offerings include cybersecurity-focused LLMs, extensive training datasets, and practical tools like the Cloud Risk Assessment AI Agent."
https://www.trendmicro.com/en_us/research/25/c/cybertron-ai-security.html

Vulnerabilities

CISA Adds Two Known Exploited Vulnerabilities To Catalog
"CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
CVE-2019-9874 Sitecore CMS and Experience Platform (XP) Deserialization Vulnerability
CVE-2019-9875 Sitecore CMS and Experience Platform (XP) Deserialization Vulnerability"
https://www.cisa.gov/news-events/alerts/2025/03/26/cisa-adds-two-known-exploited-vulnerabilities-catalog

Malware

Report On Ransomware Attacks Targeting Korean Companies
"In recent years, ransomware attacks have been increasing worldwide, with Korean companies also experiencing a rise in cases. Especially since 2023, there has been a sharp surge in ransomware incidents targeting the Asia region, highlighting the need for a systematic analysis of this trend and its impact."
https://asec.ahnlab.com/en/87009/
Unmasking The Classiscam In Central Asia
"With the rapid development of technology and the widespread digitalization of businesses and services, online platforms have become popular in developing countries. These platforms offer greater convenience for business owners and local communities. In Central Asia, the use of such online markets began after 2015, enabling the trade of a wide range of products, from used electronics to brand-new items."
https://www.group-ib.com/blog/unmasking-the-classiscam-in-central-asia/
RedCurl's Ransomware Debut: A Technical Deep Dive
"This research, conducted by Bitdefender Labs, presents the first documented analysis of a ransomware campaign attributed to the RedCurl group (also known as Earth Kapre or Red Wolf). RedCurl has historically maintained a low profile, relying heavily on Living-off-the-Land (LOTL) techniques for corporate cyber espionage and data exfiltration. This shift to ransomware marks a significant evolution in their tactics. This new ransomware, which we have named QWCrypt based on a self-reference 'qwc' found within the executable, is previously undocumented and distinct from known ransomware families."
https://www.bitdefender.com/en-us/blog/businessinsights/redcurl-qwcrypt-ransomware-technical-deep-dive
https://www.bleepingcomputer.com/news/security/redcurl-cyberspies-create-ransomware-to-encrypt-hyper-v-servers/
https://thehackernews.com/2025/03/redcurl-shifts-from-espionage-to.html
https://www.bankinfosecurity.com/mercenary-hacking-group-appears-to-embrace-ransomware-a-27834
Malware Found On Npm Infecting Local Package With Reverse Shell
"Unlike some other public repositories, the npm package repository is never really quiet. And, while there has been some decline in malware numbers between 2023 and 2024, this year's numbers don’t seem to continue that downward trend. Still, while RL has detected some interesting npm malware so far this year, none of it warranted a detailed writeup. Then March rolled around, and two very interesting packages were published on npm: ethers-provider2 and ethers-providerz."
https://www.reversinglabs.com/blog/malicious-npm-patch-delivers-reverse-shell
https://thehackernews.com/2025/03/malicious-npm-package-modifies-local.html
https://www.bleepingcomputer.com/news/security/new-npm-attack-poisons-local-packages-with-backdoors/
https://hackread.com/npm-malware-infects-ethereum-library-with-backdoor/
https://www.infosecurity-magazine.com/news/malicious-npm-packages-deliver/
'Lucid' Phishing-As-a-Service Exploits Faults In iMessage, Android RCS
"Chinese phishing operatives are spreading remarkably effective scams by exploiting mobile messaging protocols. iMessage and Rich Communication Services (RCS) are the preferred ways to message others using your iPhone or Android, respectively. Unlike the Short and Multimedia Messaging Services (SMS/MMS), they offer end-to-end encryption, read-receipts messages, higher-quality media, and looser character and file-size limits. But now, Chinese malware developers have figured out how to undermine their more advanced features."
https://www.darkreading.com/threat-intelligence/lucid-phishing-exploits-imessage-android-rcs
https://catalyst.prodaft.com/public/report/lucid/overview
Booking.com Phish Uses Fake CAPTCHAs To Trick Hotel Staff Into Downloading Malware
"A new phishing campaign that uses the fake CAPTCHA websites we reported about recently is targeting hotel staff in a likely attempt to access customer data, according to research from ThreatDown. Here’s how it works: Cybercriminals send a fake Booking.com email to a hotel’s email address, asking them to confirm a booking."
https://www.malwarebytes.com/blog/news/2025/03/fake-booking-com-phish-uses-fake-captchas-to-trick-hotel-staff-into-downloading-malware
DeepSeek Users Targeted With Fake Sponsored Google Ads That Deliver Malware
"DeepSeek’s rising popularity has not only raised concerns and questions about privacy implications, but cybercriminals are also using it as a lure to trap unsuspecting Google searchers. Unfortunately, we are getting so used to sponsored Google search results being abused by criminals that we advise people not to click on them. So, it was to be expected that DeepSeek would show up in our monitoring of fake Google ads."
https://www.malwarebytes.com/blog/news/2025/03/deepseek-users-targeted-with-fake-sponsored-google-ads-that-deliver-malware
ReaderUpdate Reforged | Melting Pot Of MacOS Malware Adds Go To Crystal, Nim And Rust Variants
"ReaderUpdate is a macOS malware loader platform that, despite having been in the wild since at least 2020, has passed relatively unnoticed by many vendors and remains widely undetected. A report in 2023 observed that ReaderUpdate infections were contiguous with but distinct from WizardUpdate (aka UpdateAgent, Silver Toucan) infections and seen to deliver Genieo (aka DOLITTLE) adware. The loader seems to have been largely dormant since then until the latter half of 2024, when several vendors began reporting on previously unseen macOS malware samples written in the Crystal programming language. Variants written in Nim and Rust were also identified."
https://www.sentinelone.com/blog/readerupdate-reforged-melting-pot-of-macos-malware-adds-go-to-crystal-nim-and-rust-variants/
https://www.securityweek.com/macos-users-warned-of-new-versions-of-readerupdate-malware/
https://securityaffairs.com/175891/malware/readerupdate-malware-variants-targets-macos.html
Blacklock Ransomware: A Late Holiday Gift With Intrusion Into The Threat Actor's Infrastructure
"Dubbed “BlackLock” (aka "El Dorado" or "Eldorado"), the ransomware-as-a-service (RaaS) outfit has existed since March 2024. In Q4 of last year, it increased its number of data leak posts by a staggering 1,425% quarter-on-quarter. According to independent reporting, a relatively new group has rapidly accelerated attacks and could become the most dominant RaaS group in 2025."
https://www.resecurity.com/blog/article/blacklock-ransomware-a-late-holiday-gift-with-intrusion-into-the-threat-actors-infrastructure
https://securityaffairs.com/175877/cyber-crime/blacklock-ransomware-targeted-by-cybersecurity-firm.html
CoffeeLoader: A Brew Of Stealthy Techniques
"Zscaler ThreatLabz has identified a new sophisticated malware family that we named CoffeeLoader, which originated around September 2024. The purpose of the malware is to download and execute second-stage payloads while evading detection by endpoint-based security products. The malware uses numerous techniques to bypass security solutions, including a specialized packer that utilizes the GPU, call stack spoofing, sleep obfuscation, and the use of Windows fibers. ThreatLabz has observed CoffeeLoader being distributed via SmokeLoader, and both malware families share some behavioral similarities."
https://www.zscaler.com/blogs/security-research/coffeeloader-brew-stealthy-techniques
You Will Always Remember This As The Day You Finally Caught FamousSparrow
"In July 2024, ESET Research noticed suspicious activity on the system of a trade group in the United States that operates in the financial sector. While helping the affected entity remediate the compromise, we made an unexpected discovery in the victim’s network: malicious tools belonging to FamousSparrow, a China-aligned APT group. There had been no publicly documented FamousSparrow activity since 2022, so the group was thought to be inactive. Not only was FamousSparrow still active during this period, it must have also been hard at work developing its toolset, since the compromised network revealed not one, but two previously undocumented versions of SparrowDoor, FamousSparrow’s flagship backdoor."
https://www.welivesecurity.com/en/eset-research/you-will-always-remember-this-as-the-day-you-finally-caught-famoussparrow/
https://thehackernews.com/2025/03/new-sparrowdoor-backdoor-variants-found.html
https://therecord.media/china-famous-sparrow-back-eset
https://www.helpnetsecurity.com/2025/03/26/famoussparrow-cyberespionage-attacks-united-states/
Shifting The Sands Of RansomHub’s EDRKillShifter
"ESET researchers take a look back at the significant changes in the ransomware ecosystem in 2024 and focus on the newly emerged and currently dominating ransomware-as-a-service (RaaS) gang, RansomHub. We share previously unpublished insights into RansomHub’s affiliate structure and uncover clear connections between this newly emerged giant and well-established gangs Play, Medusa, and BianLian. We also emphasize the emerging threat of EDR killers, unmasking EDRKillShifter, a custom EDR killer developed and maintained by RansomHub. We have observed an increase in ransomware affiliates using code derived from publicly available proofs of concept, while the set of drivers being abused is largely fixed."
https://www.welivesecurity.com/en/eset-research/shifting-sands-ransomhub-edrkillshifter/
https://www.helpnetsecurity.com/2025/03/26/ransomhub-edrkillshifter-tool/
Inside Kimsuky’s Latest Cyberattack: Analyzing Malicious Scripts And Payloads
"Kimsuky, also known as “Black Banshee,” a North Korean APT group active at least from 2012, is believed to be state-sponsored. Their cyber espionage targets countries like South Korea, Japan, and the U.S. Their tactics include phishing, malware infections (RATs, backdoors, wiper malware), supply chain attacks, lateral movement within networks and data exfiltration. Recently , we came across IOCs of this APT’s latest attack shared in a tweet, which pointed to a ZIP file containing the actual payloads. In this blog, we will analyse the infection chain and conduct a deep dive into the examination of these payloads. We will also explore how the malware operates, its behaviour, and the techniques used to execute the attack."
https://labs.k7computing.com/index.php/inside-kimsukys-latest-cyberattack-analyzing-malicious-scripts-and-payloads/

Breaches/Hacks/Leaks

Oracle Customers Confirm Data Stolen In Alleged Cloud Breach Is Valid
"Despite Oracle denying a breach of its Oracle Cloud federated SSO login servers and the theft of account data for 6 million people, BleepingComputer has confirmed with multiple companies that associated data samples shared by the threat actor are valid. Last week, a person named ‘rose87168’ claimed to have breached Oracle Cloud servers and began selling the alleged authentication data and encrypted passwords of 6 million users. The threat actor also said that stolen SSO and LDAP passwords could be decrypted using the info in the stolen files and offered to share some of the data with anyone who could help recover them."
https://www.bleepingcomputer.com/news/security/oracle-customers-confirm-data-stolen-in-alleged-cloud-breach-is-valid/
StreamElements Discloses Third-Party Data Breach After Hacker Leaks Data
"Cloud-based streaming company StreamElements confirms it suffered a data breach at a third-party service provider after a threat actor leaked samples of stolen data on a hacking forum. The platform has reassured users that the attack didn't impact its servers, though older data at a third-party provider they stopped working with last year was still exposed. "We recently became aware of a data security incident involving a third-party service provider we stopped working with last year," the company tweeted on X."
https://www.bleepingcomputer.com/news/security/streamelements-discloses-third-party-data-breach-after-hacker-leaks-data/
New Ransomware Group Claims Attack On US Telecom Firm WideOpenWest
"A new ransomware group claims to have hacked the systems of US telecommunications provider WideOpenWest (WOW!), and to have taken control of critical systems, in addition to stealing customer information. Calling itself Arkana Security, the threat actor claims to be performing penetration testing, hacking into organizations’ networks by exploiting vulnerabilities in corporate systems. They also steal the victims’ data to coerce them into paying a so-called “fee”."
https://www.securityweek.com/new-ransomware-group-claims-attack-on-us-telecom-firm-wideopenwest/
Thousands Of NSW Court Documents Downloaded In "major Data Breach"
"Thousands of “sensitive” NSW court filings have been downloaded by unknown threat actors after a breach of the NSW Online Registry website. The website provides online court services for the NSW Supreme, District and Local Courts, and is overseen by the state’s Department of Communities and Justice (DCJ). NSW Police said they were alerted to the “major data breach” of the website on Tuesday. Cybercrime detectives are investigating the incident under what they are calling ‘Strike Force Pardey’."
https://www.itnews.com.au/news/thousands-of-nsw-court-documents-downloaded-in-major-data-breach-615999
https://www.theregister.com/2025/03/26/nsw_police_investigating_court_system/

General News

How Does Your Data End Up On The Dark Web?
"The dark web is a hidden corner of the internet where people can remain anonymous. It’s often confused with the deep web, but they’re not quite the same thing. The deep web is just everything online that’s not indexed by search engines. This includes things like email accounts, private databases, and paid services. It’s not illegal, it’s just not meant to be found with a simple Google search. The dark web, however, is a specific, hidden section of the deep web. To access it, you need special software like Tor."
https://www.helpnetsecurity.com/2025/03/26/how-dark-web-works/
Threat Actors Abuse Trust In Cloud Collaboration Platforms
"Threat actors constantly evolve with new mechanisms to bypass multiple secure email gateways (SEGs). A specific mechanism to evade detection is using online documents, such as Adobe, DocuSign, Dropbox, Canva, and Zoho. These services are often used internally and externally by companies, making the domains a trusted source when it comes to SEG automation. Some of these services will even email the recipient of the document directly, allowing threat actors to put little effort into their campaigns. These document websites took up 8.8% of all credential phishing campaigns in 2024, showing the growing significance of this method."
https://cofense.com/blog/threat-actors-abuse-trust-in-cloud-collaboration-platforms
https://www.infosecurity-magazine.com/news/threat-actors-abuse-cloud-platforms/
Cybersecurity Gaps Leave Doors Wide Open
"Cybercriminals don't always need cutting-edge hacks to breach organizations when they can just waltz in through the front door. Despite pouring millions into advanced cybersecurity technologies, many organizations continue to overlook essential security practices — such as timely patching, vulnerability scanning, and penetration testing — leaving them susceptible to pricey and often very preventable breaches."
https://www.darkreading.com/cyberattacks-data-breaches/cybersecurity-gaps-leave-doors-wide-open
https://www.horizon3.ai/downloads/research/annual-insights-report-the-state-of-cybersecurity-in-2025/
Beyond STIX: Next-Level Cyber-Threat Intelligence
"Cybersecurity has become central to every enterprise's digital strategy, but to stay ahead of evolving cyber threats, organizations need a common language that turns complex threat data into something universally understandable and actionable. This is where Structured Threat Information Expression (STIX) comes in — a standardized language for sharing, storing, and analyzing cyber threat intelligence."
https://www.darkreading.com/threat-intelligence/beyond-stix-next-level-cyber-threat-intelligence
Security Tech That Can Make a Difference During An Attack
"When the FBI contacted Massachusetts-based Littleton Electric Light and Water Departments (LELWD) about Volt Typhoon, the small public utility was not aware the Chinese attack group had already been in the company's network for more than 300 days. While the utility had security controls protecting the perimeter, there were some gaps in its security technology and policy. A more rigorous update strategy for its network and security appliances would have prevented the initial compromise. In addition, monitoring internal traffic — the "east-west" traffic — could have potentially detected anomalies in how the attackers were using the administrator tools, says John Burns, director of OT threat hunting for Dragos, an operational-technology security firm."
https://www.darkreading.com/cybersecurity-operations/east-west-monitoring-visibility-critical-apt-detection
SecurityScorecard Observes Surge In Third-Party Breaches
"Cyber-attacks leveraging third-party vulnerabilities are on the rise, according to a new SecurityScorecard report. The cyber risk assessment provider released its 2025 Global Third-Party Breach Report on March 26. In the report, SecurityScorecard’s STRIKE Threat Intelligence Unit analyzed 1000 cyber breaches across industries and regions in 2024. It found that 35.5% of breaches were third-party related, up from 29% the previous year, representing a 6.5% increase."
https://www.infosecurity-magazine.com/news/securityscorecard-surge-third/
https://securityscorecard.com/resource/global-third-party-breach-report/
ETSI Launches New Standard For Quantum-Safe Hybrid Key Exchanges To Secure Future Post-Quantum Encryption
"Today, ETSI announces the launch of its post-quantum security standard to guarantee the protection of critical data and communications in the future. The specification “Efficient Quantum-Safe Hybrid Key Exchanges with Hidden Access Policies” (ETSI TS 104 015) has been developed to enhance security mechanisms, ensuring that only authorized users with the correct permissions can access sensitive data to decrypt them."
https://www.etsi.org/newsroom/press-releases/2513-etsi-launches-new-standard-for-quantum-safe-hybrid-key-exchanges-to-secure-future-post-quantum-encryption
https://www.etsi.org/deliver/etsi_ts/104000_104099/104015/01.01.01_60/ts_104015v010101p.pdf
https://www.infosecurity-magazine.com/news/etsi-quantum-safe-encryption/
ENISA Space Threat Landscape 2025
"The primary objective of this report is to identify and assess the cybersecurity threat landscape for commercial satellites – exploring both existing and emerging challenges for the industry. This is achieved by focusing on cybersecurity aspects at each phase of the satellite lifecycle – development, deployment, operations, and decommissioning, and the stakeholders involved."
https://www.enisa.europa.eu/publications/enisa-space-threat-landscape-2025
https://www.enisa.europa.eu/sites/default/files/2025-03/Space_Threat_Landscape_Report_fin.pdf
https://www.infosecurity-magazine.com/news/enisa-probes-space-threat/
PERSPECTIVE: 25 Years Of Evolving Information Sharing Into Actionable Intelligence
"The IT-ISAC is celebrating its 25th Anniversary this year. This has caused me to reflect on the new challenges we continue to face as a cybersecurity community. When I first joined the IT-ISAC in 2005, a leader of another ISAC (information sharing and analysis center) commented to me that his team would have a party every time a member shared information. In those early days, there was a dearth of even basic information about threat actors and attacks. Today, the challenge is reversed. So much information is available to analysts that it’s hard to keep track of it all and understand what is accurate and relevant. Rather than scouring any source possible for any type of threat intelligence, a key role of our analytic team is now to turn the vast amount of available information into curated intelligence our members can use."
https://www.hstoday.us/perspective/perspective-25-years-of-evolving-information-sharing-into-actionable-intelligence/