NCSA_THAICERT

NCSA_THAICERT

Operation WrtHug โจมตีเราเตอร์ ASUS กว่า 50,000 เครื่องเพื่อ.png

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

NCSA_THAICERT

แฮกเกอร์กำลังใช้ประโยชน์จากช่องโหว่ RCE ของ.png

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

NCSA_THAICERT

เครื่องมือโจมตี Sneaky2FA อัปเกรดเทคนิค Browser-in-the-Browser .png

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

NCSA_THAICERT

Cybersecurity and Infrastructure Security Agency (CISA) ได้เผยแพร่คำแนะนำเกี่ยวกับระบบควบคุมอุตสาหกรรม (ICS) จำนวน 6 รายการ เมื่อวันที่ 20 พฤศจิกายน 2025 พื่อให้ข้อมูลที่ทันเวลาเกี่ยวกับประเด็นด้านความมั่นคงปลอดภัย ช่องโหว่ และการโจมตีที่เกี่ยวข้องกับระบบ ICS โดยมีรายละเอียดดังนี้

ICSA-25-324-01 Automated Logic WebCTRL Premium Server
ICSA-25-324-02 ICAM365 CCTV Camera Multiple Models
ICSA-25-324-03 Opto 22 GRV-EPIC and GRV-RIO
ICSA-25-324-04 Festo MSE6-C2M/D2M/E2M
ICSA-25-324-05 Festo Didactic products
ICSA-25-324-06 Emerson Appleton UPSMON-PRO

CISA แนะนำให้ผู้ใช้งานและผู้ดูแลระบบ ตรวจสอบคำแนะนำ ICS ที่เผยแพร่ล่าสุด เพื่อศึกษารายละเอียดทางเทคนิคและแนวทางการลดความเสี่ยง (mitigations)

อ้างอิง
https://www.cisa.gov/news-events/alerts/2025/11/20/cisa-releases-six-industrial-control-systems-advisories
สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

NCSA_THAICERT

เมื่อวันที่ 19 พฤศจิกายน 2025 Cybersecurity and Infrastructure Security Agency (CISA) เผยแพร่คู่มือแนวทางลดความเสี่ยงจากผู้ให้บริการโฮสติ้งแบบ Bulletproof

CISA ร่วมกับสำนักงานความมั่นคงแห่งชาติของสหรัฐอเมริกา (NSA), ศูนย์อาชญากรรมไซเบอร์ของกระทรวงกลาโหมสหรัฐฯ (DoD Cyber Crime Center), สำนักงานสืบสวนกลางแห่งสหรัฐฯ (FBI) และพันธมิตรระหว่างประเทศ ได้เผยแพร่คู่มือ Bulletproof Defense: Mitigating Risks from Bulletproof Hosting Providers เพื่อช่วยผู้ให้บริการอินเทอร์เน็ต (ISPs) และผู้ดูแลเครือข่ายในการลดความเสี่ยงจากการถูกโจมตีทางด้านไซเบอร์ที่เป็นอาชญากรรมที่อาศัยโครงสร้างพื้นฐานของผู้ให้บริการ Bulletproof Hosting (BPH)

องค์กรที่มีระบบซึ่งไม่ได้รับการป้องกันหรือมีการตั้งค่าที่ไม่ถูกต้องยังคงมีความเสี่ยงสูงต่อการถูกเจาะระบบ เนื่องจากผู้ไม่ประสงค์ดีมักใช้โครงสร้างพื้นฐานของ BPH เพื่อทำการบุกรุก เช่น การโจมตีด้วยแรนซัมแวร์ การฟิชชิง การส่งมัลแวร์ และการโจมตีแบบปฏิเสธการให้บริการ (DoS) ผู้ให้บริการ BPH จึงเป็นภัยคุกคามสำคัญต่อความมั่นคงและความทนทานของระบบและบริการที่มีความสำคัญยิ่ง

CISA และพันธมิตรจึงขอเรียกร้องให้ผู้ให้บริการอินเทอร์เน็ตและผู้ดูแลความมั่นคงปลอดภัยเครือข่ายนำคำแนะนำในคู่มือนี้ไปปฏิบัติเพื่อลดความเสี่ยงที่เกิดจากผู้ให้บริการ BPH การลดประสิทธิภาพของโครงสร้างพื้นฐาน BPH จะช่วยบีบให้ผู้ก่ออาชญากรรมไซเบอร์จำเป็นต้องใช้ผู้ให้บริการที่ปฏิบัติตามกระบวนการทางกฎหมายแทน

อ้างอิง
https://www.cisa.gov/resources-tools/resources/bulletproof-defense-mitigating-risks-bulletproof-hosting-providers?utm_source=https://www.cisa.gov/resources-tools/resources/bulletproof-defense-mitigating-risks-bulletproof-hosting-providers&utm_medium=GovDelivery
สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

NCSA_THAICERT

เมื่อวันที่ 19 พฤศจิกายน 2025 Cybersecurity and Infrastructure Security Agency (CISA) ได้เพิ่มช่องโหว่ใหม่ 1 รายการลงในแคตตาล็อก Known Exploited Vulnerabilities (KEV) จากหลักฐานที่พบว่ามีการโจมตีใช้งานจริงแล้ว ดังนี้

CVE-2025-13223 Google Chromium V8 Type Confusion Vulnerability

ช่องโหว่ประเภทนี้มักถูกใช้เป็นช่องทางการโจมตีโดยผู้ไม่หวังดี และก่อให้เกิดความเสี่ยงร้ายแรงต่อเครือข่ายของหน่วยงานรัฐบาลกลาง

ทั้งนี้ คำสั่ง BOD 22-01 ของ CISA กำหนดให้มี แคตตาล็อก Known Exploited Vulnerabilities (KEV) เพื่อรวบรวมช่องโหว่ (CVEs) ที่มีความเสี่ยงสูงและถูกใช้งานโจมตีจริง หน่วยงาน Federal Civilian Executive Branch (FCEB) ต้องดำเนินการแก้ไขช่องโหว่ที่ระบุภายในเวลาที่กำหนด เพื่อปกป้องเครือข่ายจากภัยคุกคาม

ทาง CISA จะปรับปรุงและเพิ่มช่องโหว่ใหม่เข้าสู่แคตตาล็อก KEV อย่างต่อเนื่อง เพื่อให้ครอบคลุมความเสี่ยงที่ตรวจพบจริงในปัจจุบันและอนาคต

อ้างอิง
https://www.cisa.gov/news-events/alerts/2025/11/19/cisa-adds-one-known-exploited-vulnerability-catalog
สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

NCSA_THAICERT

New Tooling

Metis: Open-Source, AI-Driven Tool For Deep Security Code Review
"Metis is an open source tool that uses AI to help engineers run deep security reviews on code. Arm’s product security team built Metis to spot subtle flaws that are often buried in large or aging codebases where traditional tools struggle. Metis relies on LLMs that can analyze code with semantic reasoning instead of fixed rules. Arm says this gives the tool an edge over linters and other static analysis systems that depend on signatures or pattern matching. The goal is to help engineers find issues that might otherwise slip through manual review, while also cutting down on review fatigue."
https://www.helpnetsecurity.com/2025/11/19/metis-open-source-code-review/
https://github.com/arm/metis

Vulnerabilities

W3 Total Cache WordPress Plugin Vulnerable To PHP Command Injection
"A critical flaw in the W3 Total Cache (W3TC) WordPress plugin can be exploited to run PHP commands on the server by posting a comment that contains a malicious payload. The vulnerability, tracked as CVE-2025-9501, affects all versions of the W3TC plugin prior to 2.8.13 and is described as an unauthenticated command injection. W3TC is installed on more than one million websites to increase performance and reduce load times."
https://www.bleepingcomputer.com/news/security/w3-total-cache-wordpress-plugin-vulnerable-to-php-command-injection/
https://wpscan.com/vulnerability/6697a2c9-63ae-42f0-8931-f2e5d67d45ae/
From Prompt To Pwn: Cline Bot AI Coding Agent Vulnerabilities
"Pair programming can be a useful methodology, but normally you have agency in vetting your partner. As far as teammates go, AI coding assistants are like the golden retrievers of development: endlessly eager, wildly helpful, and perhaps a little too trusting. In this post, we’ll show how a clever attacker can slip prompt injections into your source files turning your helpful partner into a hazard."
https://mindgard.ai/resources/cline-coding-agent-vulnerabilities
https://hackread.com/cline-bot-ai-agent-vulnerable-data-theft-code-execution/
When AI Turns On Its Team: Exploiting Agent-To-Agent Discovery Via Prompt Injection
"Earlier this year, I discovered a combination of behaviors within ServiceNow’s Now Assist AI implementation that can facilitate a unique kind of second-order prompt injection attack. Through this behavior, I instructed a seemingly benign Now Assist agent to recruit more powerful agents in fulfilling a malicious and unintended task. This included performing Create, Read, Update, and Delete (CRUD) actions on record data and sending external emails containing contents of other records, all while the ServiceNow prompt injection protection feature was enabled."
https://appomni.com/ao-labs/ai-agent-to-agent-discovery-prompt-injection/
https://thehackernews.com/2025/11/servicenow-ai-agents-can-be-tricked.html
https://www.bankinfosecurity.com/misconfigured-ai-agents-let-attacks-slip-past-controls-a-30068
CISA Adds One Known Exploited Vulnerability To Catalog
"CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
CVE-2025-58034 Fortinet FortiWeb OS Command Code Injection Vulnerability"
https://www.cisa.gov/news-events/alerts/2025/11/18/cisa-adds-one-known-exploited-vulnerability-catalog
https://www.bleepingcomputer.com/news/security/cisa-gives-govt-agencies-7-days-to-patch-new-fortinet-flaw/
https://securityaffairs.com/184832/hacking/u-s-cisa-adds-a-new-fortinet-fortiweb-flaw-to-its-known-exploited-vulnerabilities-catalog.html
CISA Adds One Known Exploited Vulnerability To Catalog
"CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
CVE-2025-13223 Google Chromium V8 Type Confusion Vulnerability"
https://www.cisa.gov/news-events/alerts/2025/11/19/cisa-adds-one-known-exploited-vulnerability-catalog
https://securityaffairs.com/184856/hacking/u-s-cisa-adds-a-google-chromium-v8-flaw-to-its-known-exploited-vulnerabilities-catalog.html
Comet’s MCP API Allows AI Browsers To Execute Local Commands
"SquareX has discovered a critical security vulnerability in Comet, Perplexity’s AI browser, that fundamentally compromises user trust and device security. Our research reveals that Comet has implemented an MCP API that allows its embedded extensions to execute arbitrary local commands on host devices without explicit user permission, capabilities that traditional browsers explicitly prohibit to confine the damage web threats can do to the browser."
https://labs.sqrx.com/comet-mcp-api-allows-ai-browsers-to-execute-local-commands-dec185fb524b

Malware

PlushDaemon Compromises Network Devices For Adversary-In-The-Middle Attacks
"ESET researchers provide insights into how PlushDaemon performs adversary-in-the-middle attacks using a previously undocumented network implant that we have named EdgeStepper, which redirects all DNS queries to an external, malicious hijacking node, effectively rerouting the traffic from legitimate infrastructure used for software updates to attacker-controlled infrastructure."
https://www.welivesecurity.com/en/eset-research/plushdaemon-compromises-network-devices-for-adversary-in-the-middle-attacks/
https://www.bleepingcomputer.com/news/security/plushdaemon-hackers-hijack-software-updates-in-supply-chain-attacks/
https://thehackernews.com/2025/11/edgestepper-implant-reroutes-dns.html
https://therecord.media/china-aligned-threat-actor-espionage-network-devices
https://www.infosecurity-magazine.com/news/plushdaemon-new-malware-china-spy/
https://www.helpnetsecurity.com/2025/11/19/eset-plushdaemon-dns-hijacking/
WrtHug Exploits Six ASUS WRT Flaws To Hijack Tens Of Thousands Of EoL Routers Worldwide
"newly discovered campaign has compromised tens of thousands of outdated or end-of-life (EoL) ASUS routers worldwide, predominantly in Taiwan, the U.S., and Russia, to rope them into a massive network. The router hijacking activity has been codenamed Operation WrtHug by SecurityScorecard's STRIKE team. Southeast Asia and European countries are some of the other regions where infections have been recorded. The attacks likely involve the exploitation of six known security flaws in end-of-life ASUS WRT routers to take control of susceptible devices. All the infected routers have been found to share a unique self-signed TLS certificate with an expiration date set for 100 years from April 2022."
https://thehackernews.com/2025/11/wrthug-exploits-six-asus-wrt-flaws-to.html
https://www.bleepingcomputer.com/news/security/new-wrthug-campaign-hijacks-thousands-of-end-of-life-asus-routers/
https://www.infosecurity-magazine.com/news/chinal-operation-wrthug-thousands/
https://www.theregister.com/2025/11/19/thousands_more_asus_routers_pwned/
https://www.bankinfosecurity.com/asus-routers-hacked-in-wrthug-campaign-a-30064
https://securityaffairs.com/184841/cyber-crime/operation-wrthug-hijacks-50000-asus-routers-to-build-a-global-botnet.html
Meet ShinySp1d3r: New Ransomware-As-a-Service Created By ShinyHunters
"An in-development build of the upcoming ShinySp1d3r ransomware-as-a-service platform has surfaced, offering a preview of the upcoming extortion operation. ShinySp1d3r is the name of an emerging RaaS created by threat actors associated with the ShinyHunters and Scattered Spider extortion groups. These threat actors have traditionally used other ransomware gangs' encryptors in attacks, including ALPHV/BlackCat, Qilin, RansomHub, and DragonForce, but are now creating their own operation to deploy attacks themselves and their affiliates."
https://www.bleepingcomputer.com/news/security/meet-shinysp1d3r-new-ransomware-as-a-service-created-by-shinyhunters/
New Amazon Threat Intelligence Findings: Nation-State Actors Bridging Cyber And Kinetic Warfare
"The line between cyber warfare and traditional kinetic operations is rapidly blurring. Recent investigations by Amazon threat intelligence teams have uncovered a new trend that they’re calling cyber-enabled kinetic targeting in which nation-state threat actors systematically use cyber operations to enable and enhance physical operations. Traditional cybersecurity frameworks often treat digital and physical threats as separate domains. However, research by Amazon demonstrates that this separation is increasingly artificial. Multiple nation-state threat groups are pioneering a new operational model where cyber reconnaissance directly enables kinetic targeting."
https://aws.amazon.com/blogs/security/new-amazon-threat-intelligence-findings-nation-state-actors-bridging-cyber-and-kinetic-warfare/
https://cyberscoop.com/amazon-cyber-enabled-kinetic-targeting/
https://www.securityweek.com/amazon-details-irans-cyber-enabled-kinetic-attacks-linking-digital-spying-to-physical-strikes/
https://www.theregister.com/2025/11/19/amazon_cso_warfare_cyber_kinetic/
Hackers Actively Exploiting 7-Zip Symbolic Link–Based RCE Vulnerability (CVE-2025-11001)
"A recently disclosed security flaw impacting 7-Zip has come under active exploitation in the wild, according to an advisory issued by the U.K. NHS England Digital on Tuesday. The vulnerability in question is CVE-2025-11001 (CVSS score: 7.0), which allows remote attackers to execute arbitrary code. It has been addressed in 7-Zip version 25.00 released in July 2025. "The specific flaw exists within the handling of symbolic links in ZIP files. Crafted data in a ZIP file can cause the process to traverse to unintended directories," Trend Micro's Zero Day Initiative (ZDI) said in an alert released last month. "An attacker can leverage this vulnerability to execute code in the context of a service account.""
https://thehackernews.com/2025/11/hackers-actively-exploiting-7-zip.html
https://digital.nhs.uk/cyber-alerts/2025/cc-4719
https://securityaffairs.com/184850/security/7-zip-rce-flaw-cve-2025-11001-actively-exploited-in-attacks-in-the-wild.html
https://www.helpnetsecurity.com/2025/11/19/7-zip-vulnerability-is-being-actively-exploited-nhs-england-warns-cve-2025-11001/
SpiderLabs IDs New Banking Trojan Distributed Through WhatsApp
"Trustwave SpiderLabs researchers have recently identified a banking Trojan we dubbed Eternidade Stealer, which is distributed through WhatsApp hijacking and social engineering lures. In this blog post, we will break down the techniques used in the campaign and highlight the new tools employed by the threat group."
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/spiderlabs-ids-new-banking-trojan-distributed-through-whatsapp/
https://thehackernews.com/2025/11/python-based-whatsapp-worm-spreads.html
https://www.infosecurity-magazine.com/news/eternidade-stealer-trojan-brazil/

Breaches/Hacks/Leaks

Researchers Claim 'largest Leak Ever' After Uncovering WhatsApp Enumeration Flaw
"Researchers in Austria used a flaw in WhatsApp to gather the personal data of more than 3.5 billion users in what they believe amounts to the "largest data leak in history." The messaging platform allows users to look up others' details by inputting their phone numbers. The feature, which has been part of the platform for years, can be abused to enumerate user data, including phone number, name, and in some cases their profile image if they have one set."
https://www.theregister.com/2025/11/19/whatsapp_enumeration_flaw/
https://github.com/sbaresearch/whatsapp-census/blob/main/Hey_there_You_are_using_WhatsApp.pdf
Hacker Selling Alleged Samsung Medison Data Stolen In 3rd Party Breach
"A hacker using the alias 888 on a cybercrime forum is offering internal records and data they claim belong to Samsung. In a post dated 13 November 2025, the hacker says the breach came from an attack on a third-party contractor, giving them access to data from several companies, including Samsung. The hacker says the files include source code, private keys, SMTP credentials, configuration files, hardcoded credentials and user PII taken from a healthcare backup. The post also lists access to MSSQL and AWS S3. In a note, the hacker adds that the MSSQL and AWS S3 data were already exported and dumped, and that the access itself was an extra item they were offering."
https://hackread.com/hacker-samsung-medison-data-breach-3rd-party/
Major Russian Insurer Facing Widespread Outages After Cyberattack
"Russian insurer VSK has spent a week attempting to restore services after a major cyberattack damaged its systems, knocking offline its website, mobile app and other services used by millions of customers. One of Russia’s largest universal insurers, Moscow-based VSK serves about 33 million people and more than 500,000 businesses and provides property, transport, health, travel, cargo and corporate insurance."
https://therecord.media/russia-vsk-cyberattack-outages

General News

The Long Conversations That Reveal How Scammers Work
"Online scammers often take weeks to build trust before making a move, which makes their work hard to study. A research team from UC San Diego built a system that does the patient work of talking to scammers at scale, and the result offers a look into how long game fraud unfolds. Their system, called CHATTERBOX, uses synthetic personas, an LLM driven conversational engine, and human oversight to gather conversations that stretch across platforms and formats."
https://www.helpnetsecurity.com/2025/11/19/research-how-scammers-work/
https://arxiv.org/pdf/2510.23927
California Man Admits To Laundering Crypto Stolen In $230M Heist
"A 45-year-old from Irvine, California, has pleaded guilty to laundering at least $25 million stolen in a massive $230 million cryptocurrency heist. Kunal Mehta (also known as "Papa," "The Accountant," and “Shrek") is the eighth defendant to plead guilty for his participation in this scheme following charges brought by the Department of Justice in May 2025. According to court documents, the defendant was part of a large group that, through social engineering, gained access to victims' cryptocurrency accounts between October 2023 and March 2025 and transferred funds into crypto wallets under their control."
https://www.bleepingcomputer.com/news/security/california-man-admits-to-laundering-crypto-stolen-in-230m-heist/
Cloudflare Blames This Week's Massive Outage On Database Issues
"On Tuesday, Cloudflare experienced its worst outage in 6 years, blocking access to many websites and online platforms for almost 6 hours after a change to database access controls triggered a cascading failure across its Global Network. The company's Global Network is a distributed infrastructure of servers and data centers across more than 120 countries, providing content delivery, security, and performance optimization services and connecting Cloudflare to over 13,000 networks, including every major ISP, cloud provider, and enterprise worldwide. Matthew Prince, the company's CEO, said in a post-mortem published after the outage was mitigated that the service disruptions were not caused by a cyberattack."
https://www.bleepingcomputer.com/news/technology/cloudflare-blames-this-weeks-massive-outage-on-database-issues/
https://www.darkreading.com/cyber-risk/cloudflare-blames-outage-internal-error
The 6 URL Shorteners You Didn't Know Were Helping Hackers
"Threat actors are constantly evolving and adapting by discovering new, unique ways to bypass email-based security controls. One key method they exploit is the abuse of URL shortening services (also known as URL shorteners or link shorteners). These legitimate online tools allow users and businesses to make short aliases of longer URLs for a variety of reasons including aesthetics, easier sharing, gathering analytics, or improving perceived legitimacy. Threat actors take advantage of the tools offered by link shortening services to deliver malware and credential phishing. Cofense Intelligence has identified the most commonly abused legitimate URL shortening services, as shown in Table 1."
https://cofense.com/blog/the-6-url-shorteners-you-didn-t-know-were-helping-hackers
IT Threat Evolution In Q3 2025. Non-Mobile Statistics
"The UK’s National Crime Agency (NCA) arrested the first suspect in connection with a ransomware attack that caused disruptions at numerous European airports in September 2025. Details of the arrest have not been published as the investigation remains ongoing. According to security researcher Kevin Beaumont, the attack employed the HardBit ransomware, which he described as primitive and lacking its own data leak site."
https://securelist.com/malware-report-q3-2025-pc-iot-statistics/118020/
https://securelist.com/malware-report-q3-2025-mobile-statistics/118013/
AI Is Supercharging Phishing: Here’s How To Fight Back
"Phishing continues to be one of the most widespread and effective tactics, techniques, and procedures (TTPs) in today’s cyber threat landscape. It often serves as a gateway to data breaches that can have devastating consequences for organizations and individuals alike. For example, General Dynamics, a leading aerospace and defense contractor, reported in late 2024 that a phishing attack targeting its personnel resulted in threat actors compromising dozens of employee benefits accounts."
https://www.securityweek.com/ai-is-supercharging-phishing-heres-how-to-fight-back/
Selling Technology Investments To The Board: a Strategic Guide For CISOs And CIOs
"In today's enterprise environment, technology investments are no longer judged solely by their technical sophistication. Approval depends on their ability to support business goals, mitigate risk, and create value for shareholders. CIOs and CISOs are expected to present their strategies not as technical upgrades but as business enablers. The challenge is not just making the right investments, but framing them in ways that resonate at the boardroom level."
https://www.theregister.com/2025/11/19/zscaler-selling-technology-investments/
Half Of Ransomware Access Due To Hijacked VPN Credentials
"Ransomware surged in Q3 2025, with just three groups accounting for the majority of cases (65%), and initial access most commonly achieved via compromised VPN credentials, according to Beazley Security. The Beazley Insurance subsidiary said Akira, Qilin and INC Ransomware were the most prolific groups in the third quarter, which saw 11% more leak posts than the previous three months. As per Q2, the use of valid credentials to access VPNs was the most common method of initial access, accounting for half (48%) of breaches – up from 38% the prior quarter. External service exploits was the second most popular technique, comprising 23% of cases."
https://www.infosecurity-magazine.com/news/half-ransomware-access-hijacked/
CISA Releases Guide To Mitigate Risks From Bulletproof Hosting Providers
"Today, Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with the U.S. National Security Agency, U.S. Department of Defense Cyber Crime Center, U.S. Federal Bureau of Investigation, and international partners, released the guide Bulletproof Defense: Mitigating Risks from Bulletproof Hosting Providers to help Internet Service Providers (ISPs) and network defenders mitigate cybercriminal activity enabled by Bulletproof Hosting (BPH) providers."
https://www.cisa.gov/news-events/alerts/2025/11/19/cisa-releases-guide-mitigate-risks-bulletproof-hosting-providers
https://www.cisa.gov/resources-tools/resources/bulletproof-defense-mitigating-risks-bulletproof-hosting-providers
United States, Australia, And United Kingdom Sanction Russian Cybercrime Infrastructure Supporting Ransomware
"Today, the Department of the Treasury’s Office of Foreign Assets Control (OFAC), Australia’s Department of Foreign Affairs and Trade, and the United Kingdom’s Foreign Commonwealth and Development Office are announcing coordinated sanctions targeting Media Land, a Russia-based bulletproof hosting (BPH) service provider, for its role in supporting ransomware operations and other forms of cybercrime. OFAC is also designating three members of Media Land’s leadership team and three of its sister companies in coordination with the Federal Bureau of Investigation."
https://home.treasury.gov/news/press-releases/sb0319
https://www.bleepingcomputer.com/news/security/us-sanctions-russian-bulletproof-hosting-provider-media-land-over-ransomware-ties/
https://therecord.media/bulletproof-hosting-sanctions-ransomware
https://www.bankinfosecurity.com/us-allies-sanction-russian-bulletproof-ransomware-host-a-30067
https://cyberscoop.com/bulletproof-hosting-providers-sanctions-mitigation-media-land/
https://hackread.com/uk-bulletproof-hosting-operator-lockbit-evil-corp/
https://www.theregister.com/2025/11/20/russian_bph_medialand_sanctioned/
The AI Attack Surface: How Agents Raise The Cyber Stakes
"Agentic AI tools are susceptible to the same risks as large language model (LLM) chatbots, but their autonomous capabilities may make their capacity to leak data and compromise organizations even worse. AI agents have taken the world by storm in recent months, as companies have bought and sold these tools under the premise that an advanced LLM could autonomously reason and complete tasks at a professional level, without much human interaction. But as time progresses, security concerns in the new AI age have grown more complex."
https://www.darkreading.com/application-security/ai-attack-surface-agents-cyber-stakes
Critical Railway Braking Systems Open To Tampering
"Researchers have figured out how to spoof the signals that tell train conductors to brake, opening the door to any number of dangerous attack scenarios. When a large, moving train is rolling down the tracks toward an oncoming obstacle, one can't rely solely on a conductor to handle what's ahead. To account for human error, in emergency circumstances, you need a system built into the train itself that can automatically bring the stock to a halt."
https://www.darkreading.com/ics-ot-security/critical-railway-braking-systems-tampering
Stop Of The Month: How Threat Actors Weaponize AI Assistants With Indirect Prompt Injection
"AI is increasingly being used across workplaces to improve operational efficiencies and get work done faster. And just as organizations are adopting it for improved productivity, threat actors are using it to launch more sophisticated, hyper-personalized attacks at a massive scale. A new and dangerous attack vector has emerged that targets the AI models themselves: prompt injection. It’s already ranked as the No. 1 vulnerability on the OWASP Top 10 for Large Language Model (LLM) Applications, and for good reason."
https://www.proofpoint.com/us/blog/email-and-cloud-threats/stop-month-how-threat-actors-weaponize-ai-assistants-indirect-prompt