สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

Industrial Sector

• Unsophisticated Cyber Actor(s) Targeting Operational Technology
  "CISA is increasingly aware of unsophisticated cyber actor(s) targeting ICS/SCADA systems within U.S. critical Infrastructure sectors (Oil and Natural Gas), specifically in Energy and Transportation Systems. Although these activities often include basic and elementary intrusion techniques, the presence of poor cyber hygiene and exposed assets can escalate these threats, leading to significant consequences such as defacement, configuration changes, operational disruptions and, in severe cases, physical damage. CISA strongly urges Critical Infrastructure Asset Owners and Operators to review the following fact sheet for detailed guidance on reducing the risk of potential intrusions:"
  https://www.cisa.gov/news-events/alerts/2025/05/06/unsophisticated-cyber-actors-targeting-operational-technology
  https://www.cisa.gov/resources-tools/resources/primary-mitigations-reduce-cyber-threats-operational-technology
  https://www.bleepingcomputer.com/news/security/cisa-warns-of-hackers-targeting-critical-oil-infrastructure/
  https://therecord.media/oil-gas-industries-cisa-warning-unsophisticated-cyberthreats
  https://www.securityweek.com/us-warns-of-hackers-targeting-ics-scada-at-oil-and-gas-organizations/
  https://securityaffairs.com/177551/security/unsophisticated-cyber-actors-are-targeting-the-u-s-energy-sector.html

Vulnerabilities

• Recently Disclosed SureTriggers Critical Privilege Escalation Vulnerability Under Active Exploitation
  "On May 2nd, 2025 the Wordfence Threat Intelligence team added a new critical vulnerability to the Wordfence Intelligence vulnerability database in the OttoKit: All-in-One Automation Platform (Formerly SureTriggers) plugin publicly disclosed by a third-party CNA on April 30th, 2025. This vulnerability makes it possible for unauthenticated attackers to gain administrative level access to vulnerable sites, where the site has never used an application password nor connected to OttoKit/SureTriggers using an application password, or by authenticated attackers with a valid application password."
  https://www.wordfence.com/blog/2025/05/recently-disclosed-suretriggers-critical-privilege-escalation-vulnerability-under-active-exploitation/
  https://www.securityweek.com/second-ottokit-vulnerability-exploited-to-hack-wordpress-sites/
  https://www.bleepingcomputer.com/news/security/hackers-exploit-ottokit-wordpress-plugin-flaw-to-add-admin-accounts/
  https://thehackernews.com/2025/05/ottokit-wordpress-plugin-with-100k.html
• CISA Adds One Known Exploited Vulnerability To Catalog
  "CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
  CVE-2025-27363 FreeType Out-of-Bounds Write Vulnerability"
  https://www.cisa.gov/news-events/alerts/2025/05/06/cisa-adds-one-known-exploited-vulnerability-catalog
  https://securityaffairs.com/177537/hacking/u-s-cisa-adds-freetype-flaw-to-its-known-exploited-vulnerabilities-catalog.html
  CISA Adds Two Known Exploited Vulnerabilities To Catalog
  "CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
  CVE-2024-6047 GeoVision Devices OS Command Injection Vulnerability
  CVE-2024-11120 GeoVision Devices OS Command Injection Vulnerability"
  https://www.cisa.gov/news-events/alerts/2025/05/07/cisa-adds-two-known-exploited-vulnerabilities-catalog

Malware

• Malicious PyPI Package Targets Discord Developers With Remote Access Trojan
  "On March 21, 2022, a Python package ‘discordpydebug’ was uploaded to the Python Package Index (PyPI) under the name "Discord py error logger." At first glance, it appeared to be a simple utility aimed at developers working on Discord bots using the Discord.py library. However, the package concealed a fully functional remote access trojan (RAT). Over time, the package reached over 11,000 downloads, placing thousands of developer systems at risk. The package targeted developers who build or maintain Discord bots, typically indie developers, automation engineers, or small teams who might install such tools without extensive scrutiny. Since PyPI doesn’t enforce deep security audits of uploaded packages, attackers often take advantage of this by using misleading descriptions, legitimate-sounding names, or even copying code from popular projects to appear trustworthy. In this case, the goal was to lure unsuspecting developers into installing a backdoor disguised as a debugging aid."
  https://socket.dev/blog/malicious-pypi-package-targets-discord-developers-with-RAT
  https://thehackernews.com/2025/05/researchers-uncover-malware-in-fake.html
• Agenda Ransomware Group Adds SmokeLoader And NETXLOADER To Their Arsenal
  "The Agenda ransomware group, known as Qilin, has been an active and evolving threat since its discovery in July 2022.The group has shown a remarkable ability to adapt and enhance its capabilities over time. The Agenda ransomware has transitioned from being developed in the Go programming language to Rust, incorporating advanced features such as remote execution, enhanced propagation within virtual environments, and sophisticated evasion techniques that bypass security measures."
  https://www.trendmicro.com/en_us/research/25/e/agenda-ransomware-group-adds-smokeloader-and-netxloader-to-their.html
• Atomic Stealer Malware Disguised As Crack Program (macOS)
  "AhnLab SEcurity intelligence Center (ASEC) has discovered the Atomic Stealer malware being distributed disguised as the Evernote Crack program. Atomic Stealer is an information-stealing malware for macOS. It steals data such as browser information, system keychain, wallet, and system information. It is mainly distributed through installation files such as pkg and dmg."
  https://asec.ahnlab.com/en/87797/
• Distribution Of IIS Malware Targeting Web Servers (Larva-25003)
  "In February 2025, AhnLab SEcurity intelligence Center (ASEC) identified a threat actor, believed to be Chinese-speaking, distributing a web server native module targeting a South Korean web server. The threat actor gained control over the web server by attempting initial access to poorly managed web servers and using a .NET loader malware (WebShell) and a backdoor to perform web shell functions. The threat actor then registered and executed a malicious IIS (Internet Information Service) native module that they had created on a Microsoft Windows IIS web server."
  https://asec.ahnlab.com/en/87804/
• Ransomware Attackers Leveraged Privilege Escalation Zero-Day
  "Attackers linked to the Play ransomware operation deployed a zero-day privilege escalation exploit during an attempted attack against an organization in the U.S. The attack occurred prior to the disclosure and patching of a Windows elevation of privilege zero-day vulnerability (CVE-2025-29824) in the Common Log File System Driver (clfs.sys) on April 8, 2025. Although no ransomware payload was deployed in the intrusion, the attackers deployed the Grixba infostealer, which is a custom tool associated with Balloonfly, the attackers behind the Play ransomware operation."
  https://www.security.com/threat-intelligence/play-ransomware-zero-day
  https://thehackernews.com/2025/05/play-ransomware-exploited-windows-cve.html
  https://www.bleepingcomputer.com/news/security/play-ransomware-exploited-windows-logging-flaw-in-zero-day-attacks/
  https://www.darkreading.com/cyberattacks-data-breaches/play-ransomware-group-windows-zero-day
  https://www.securityweek.com/second-ransomware-group-caught-exploiting-windows-flaw-as-zero-day/
  https://securityaffairs.com/177573/cyber-crime/play-ransomware-affiliate-leveraged-zero-day-to-deploy-malware.html
• Using Blob URLs To Bypass SEGs And Evade Analysis
  "Starting in mid-2022, Cofense Intelligence detected a new technique for successfully delivering a credential phishing page to a user’s inbox: blob URIs (Uniform Resource Identifier). Blob URIs are generated by a browser to display and work with temporary data that only that browser can access. No other browser can access a blob URI except the one that generated it. For example, YouTube uses blob URIs to temporarily store videos for a user’s browser."
  https://cofense.com/blog/using-blob-urls-to-bypass-segs-and-evade-analysis
• SysOwned, Your Friendly Support Ticket - SysAid On-Premise Pre-Auth RCE Chain (CVE-2025-2775 And Friends)
  "It’s… another week, and another vendor who is apparently experienced with ransomware gangs but yet struggles with email. In what we've seen others term "the watchTowr treatment", we are once again (surprise, surprise) disclosing vulnerability research that allowed us to gain pre-authenticated Remote Command Execution against yet another enterprise-targeting product - specifically, SysAid On-Premise (version 23.3.40) here-on referred to as “SysAid”."
  https://labs.watchtowr.com/sysowned-your-friendly-rce-support-ticket/
  https://thehackernews.com/2025/05/sysaid-patches-4-critical-flaws.html
  https://www.helpnetsecurity.com/2025/05/07/poc-exploit-for-sysaid-pre-auth-rce-released-upgrade-quickly/
• Iranian Cyber Actors Impersonate Model Agency In Suspected Espionage Operation
  "Unit 42 recently identified suspected covert Iranian infrastructure impersonating a German model agency. This infrastructure hosted a fraudulent website designed to mimic the authentic agency’s branding and content."
  https://unit42.paloaltonetworks.com/iranian-attackers-impersonate-model-agency/
• Inferno Drainer Reloaded: Deep Dive Into The Return Of The Most Sophisticated Crypto Drainer
  "In recent years, cryptocurrency scams have evolved into a highly organized business model known as “Drainer-as-a-Service.” Within this model, developers create specialized set of malicious scripts, smart contracts, and infrastructure enabling other cyber criminals to efficiently steal cryptocurrency from users’ wallets. Attackers simply need to set up a phishing website and embed the drainer script. One of the most notorious examples of this approach is Inferno Drainer, known for the scale and sophistication of its attacks. In November 2023, the creators of Inferno Drainer officially announced the service’s shutdown. However, it soon became clear that this was only a diversionary tactic. Evidence of continued operation emerged as early as the beginning of 2024. In addition, blockchain analysis indicates that critical smart contracts deployed on September 9, 2023, essential for the operation of the scheme, are still in use today."
  https://research.checkpoint.com/2025/inferno-drainer-reloaded-deep-dive-into-the-return-of-the-most-sophisticated-crypto-drainer/
  https://www.infosecurity-magazine.com/news/inferno-drainer-returns-stealing/
• Cyber Criminal Services Target End-Of-Life Routers To Launch Attacks And Hide Their Activities
  "The Federal Bureau of Investigation (FBI) is releasing this FLASH to disseminate indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) associated with 5Socks and Anyproxy cyber criminal services' targeting malware that affects end-of-life (EOL) routers. Threat actors expxloit known vulnerabilities to compromise EOL routers, install malware, and use the routers in a botnet they control to launch coordinated attacks or sell access to the devices as proxy services. The FBI recommends users replace compromised devices with newer models or prevent infection by disabling remote administration and rebooting the router."
  https://www.ic3.gov/CSA/2025/250507.pdf

Breaches/Hacks/Leaks

• LockBit Ransomware Gang Hacked, Victim Negotiations Exposed
  "The LockBit ransomware gang has suffered a data breach after its dark web affiliate panels were defaced and replaced with a message linking to a MySQL database dump. All of the ransomware gang's admin panels now state. "Don't do crime CRIME IS BAD xoxo from Prague," with a link to download a "paneldb_dump.zip.""
  https://www.bleepingcomputer.com/news/security/lockbit-ransomware-gang-hacked-victim-negotiations-exposed/
• PowerSchool Hacker Now Extorting Individual School Districts
  "PowerSchool is warning that the hacker behind its December cyberattack is now individually extorting schools, threatening to release the previously stolen student and teacher data if a ransom is not paid. "PowerSchool is aware that a threat actor has reached out to multiple school district customers in an attempt to extort them using data from the previously reported December 2024 incident," PowerSchool shared in a statement to BleepingComputer."
  https://www.bleepingcomputer.com/news/security/powerschool-hacker-now-extorting-individual-school-districts/
  https://databreaches.net/2025/05/07/powerschool-paid-a-hackers-extortion-demand-but-now-school-district-clients-are-being-extorted-anyway/
  https://therecord.media/despite-ransom-payment-powerschool-extorting
  https://cyberscoop.com/powerschool-customers-hit-by-downstream-extortion-threats/
  https://www.theregister.com/2025/05/08/powerschool_data_extortionist/
• Medical Device Maker Masimo Warns Of Cyberattack, Manufacturing Delays
  "Medical device company Masimo Corporation warns that a cyberattack is impacting production operations and causing delays in fulfilling customers' orders. Masimo Corporation is a California-based medical technology and consumer electronics maker. It's best known for its noninvasive patient monitoring products like pulse oximeters, brain function monitors, hemodynamic monitoring systems, capnography and gas monitoring solutions, and remote patient monitoring platforms."
  https://www.bleepingcomputer.com/news/security/medical-device-maker-masimo-warns-of-cyberattack-manufacturing-delays/
  https://therecord.media/masimo-medical-device-company-cyberattack
  https://www.bankinfosecurity.com/patient-monitor-manufacturer-still-recovering-from-attack-a-28346
• ClickFunnels Investigates Breach After Hackers Leak Business Data
  "ClickFunnels is investigating a data breach after hackers leaked detailed business data, including emails, phone numbers, and company profiles. A hacking group calling itself “Satanic” claims to have breached ClickFunnels, a popular US-based software platform used by marketers and entrepreneurs to build sales funnels. The group is known for using BreachForums to announce its breaches but since the forum is down; it made the announcement via Telegram, claiming that data from the company was stolen on April 29, 2025."
  https://hackread.com/clickfunnels-investigate-breach-hackers-leak-business-data/
• South African Airways Says Cyberattack Disrupted Operational Systems
  "South Africa’s state-owned airline said a cyberattack on Saturday temporarily disrupted its website and several internal operational systems. South African Airways (SAA) said the attack also affected its mobile application but noted the IT team was able to contain the incident and “minimize disruption to core flight operations.” “They also ensured the continued functionality of essential customer service channels, such as the airline's contact centers and sales offices,” the airline said in a statement published on Tuesday. “Normal system functionality across all affected platforms was restored later the same day.”"
  https://therecord.media/south-african-airways-cyberattack-disrupted

General News

• Rethinking AppSec: How DevOps, Containers, And Serverless Are Changing The Rules
  "Application security is changing fast. In this Help Net Security interview, Loris Gutic, Global CISO at Bright, talks about what it takes to keep up. Gutic explains how DevOps, containers, and serverless tools are shaping security, and shares views on the biggest risks, important controls, and why AI must be used carefully."
  https://www.helpnetsecurity.com/2025/05/07/loris-gutic-bright-rethinking-appsec/
• 1 In 3 Workers Keep AI Use a Secret
  "Employees are feeling heightened concerns around the use of technology to enhance productivity, as well as job dissatisfaction and a lack of motivation at work. In fact, 30% of employees who use GenAI tools at work worry their job may be cut and 27% experience AI-fueled imposter syndrome, saying they don’t want people to question their ability, according to Ivanti."
  https://www.helpnetsecurity.com/2025/05/07/secret-ai-use/
• Personal Data Of Top Executives Easily Found Online
  "The personal information of 75% of corporate directors can be found on people search sites, according to Incogni. People search sites claim to reveal a variety of personal details, including public records, phone numbers, and even property values. Home addresses and relatives are the two types of information potentially exposed across all the people search sites investigated."
  https://www.helpnetsecurity.com/2025/05/07/corporate-directors-personal-information-online/
• 41 Countries Taking Part In NATO’s Locked Shields 2025 Cyber Defense Exercise
  "The NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) in Tallinn, Estonia, is hosting this week the Locked Shields 2025 cyber defense exercise. Described as one of the world’s most complex cybersecurity exercises, Locked Shields 2025 has gathered nearly 4,000 experts representing 41 NATO ally and partner nations. The number of participants is roughly the same as in the previous year. The goal of Locked Shields is to test and improve the preparedness of national cybersecurity teams in defending national systems and critical infrastructure, including telecommunications networks and military infrastructure, through a realistic simulation."
  https://www.securityweek.com/41-countries-taking-part-in-natos-locked-shields-2025-cyber-defense-exercise/
• Digital Welfare Fraud: ALTSRUS Syndicate Exploits The Financially Vulnerable
  "A new report from bot defense firm Kasada has exposed the growing threat of ALTSRUS, a fraud syndicate targeting some of the most vulnerable corners of the digital economy. Researchers revealed how the group has scaled its operations to steal and resell accounts tied to Electronic Benefit Transfer (EBT), pharmacy prescriptions, and consumer rewards programs."
  https://www.helpnetsecurity.com/2025/05/07/altsrus-digital-welfare-fraud/
  https://www.kasada.io/wp-content/uploads/2025/05/Kasada-Quarterly-Threat-Report-2025-Q1.pdf
• DDoS-For-Hire Empire Brought Down: Poland Arrests 4 Administrators, US Seizes 9 Domains
  "In the latest blow to the criminal market for distributed denial of service (DDoS)-for-hire services, Polish authorities have arrested four individuals who allegedly ran a network of platforms used to launch thousands of cyberattacks worldwide. The suspects are believed to be behind six separate stresser/booter services that enabled paying customers to flood websites and servers with malicious traffic — knocking them offline for as little as EUR 10."
  https://www.europol.europa.eu/media-press/newsroom/news/ddos-for-hire-empire-brought-down-poland-arrests-4-administrators-us-seizes-9-domains
  https://www.bleepingcomputer.com/news/security/police-takes-down-six-ddos-for-hire-services-arrests-admins/
  https://thehackernews.com/2025/05/europol-shuts-down-six-ddos-for-hire.html
  https://therecord.media/poland-arrests-four-ddos-hire
  https://www.bankinfosecurity.com/poland-busts-4-as-part-stresserbooter-service-crackdown-a-28325
  https://www.infosecurity-magazine.com/news/ddos-hire-network-dismantled/
  https://cyberscoop.com/poland-ddos-arrests-europol-operation-poweroff/
  https://hackread.com/europol-poland-bust-ddos-for-hire-operation-arrest-4/
  https://flashpoint.io/blog/operation-poweroff-law-enforcement-seizes-ddos-webpages/
• Agentic AI: The Start Of a New Cybersecurity Career Path
  "Last week at RSAC Conference 2025, the message came through loud and clear: Agentic AI is no longer just a concept. It's being deployed today. AI-powered agents are streamlining workflows, helping with compliance and aiding in threat detection at scale. While much of the RSAC buzz focused on the potential performance gains and trust concerns related to AI agents, another story emerged - one that speaks directly to cybersecurity professionals and those entering the field: Agentic AI isn't here to take your job, but if you work in cybersecurity, you will be relying on AI agents to do a large part of your job."
  https://www.bankinfosecurity.com/blogs/agentic-ai-start-new-cybersecurity-career-path-p-3868
• Outsmarting AI Guardrails With Invisible Characters And Adversarial Prompts
  "This blog summarizes the key findings from our research paper, Bypassing Prompt Injection and Jailbreak Detection in LLM Guardrails (2025). For the first time, we present an empirical analysis of character injection and adversarial machine learning (AML) evasion attacks across multiple commercial and open-source guardrails."
  https://mindgard.ai/blog/outsmarting-ai-guardrails-with-invisible-characters-and-adversarial-prompts
  https://www.bankinfosecurity.com/jailbreakers-use-invisible-characters-to-beat-ai-guardrails-a-28338
• SpyCloud Analysis Reveals 94% Of Fortune 50 Companies Have Employee Data Exposed In Phishing Attacks
  "SpyCloud, the leading identity threat protection company, today released an analysis of nearly 6 million phished data records recaptured from the criminal underground over the last six months. Phishing attacks have been growing in scale and sophistication, and SpyCloud’s research reveals that cybercriminals are increasingly targeting high-value identity data that can be used for follow-on attacks like ransomware, account takeover, and fraud."
  https://hackread.com/spycloud-analysis-reveals-94-of-fortune-50-companies-have-employee-data-exposed-in-phishing-attacks/
• UK Cyber Insurance Claims Second Highest On Record
  "UK companies filed more cyber insurance claims last year than any other bar 2023, with ransomware breaches largely to blame, according to Marsh. The global insurance broker’s 2024 UK cyber insurance claims trends report is based on an analysis of claims submitted by Marsh UK clients. It found that claims last year decreased 20% compared to 2023, but were still around one-third higher than in 2020, 2021 and 2022."
  https://www.infosecurity-magazine.com/news/uk-cyberinsurance-claims-second/
• State Of Ransomware In 2025
  "With the International Anti-Ransomware Day just around the corner on May 12, Kaspersky explores the ever-changing ransomware threat landscape and its implications for cybersecurity. According to Kaspersky Security Network data, the number of ransomware detections decreased by 18% from 2023 to 2024 – from 5,715,892 to 4,668,229. At the same time, the share of users affected by ransomware attacks increased by 0.02 p.p. to 0.44%. This smaller percentage compared to other cyberthreats is explained by the fact that attackers often don’t distribute this type of malware on a mass scale, but prioritize high-value targets, which reduces the overall number of incidents."
  https://securelist.com/state-of-ransomware-in-2025/116475/
• Britain Warns That China Is Becoming a ‘cyber Superpower’
  "China is “well on its way to becoming a cyber superpower” a senior British government minister warned on Wednesday, adding that it now simply wasn’t feasible to decouple from Beijing given the country’s role in global supply chains. Pat McFadden, the most senior minister in Britain’s Cabinet Office, told the CYBERUK conference that Beijing had “the sophistication, the scale and the seriousness” to pose an exceptional national security challenge. His comments were echoed by the head of the National Cyber Security Centre, Richard Horne, who said during the event that “the continued activity that we’re seeing from the Chinese system remains a cause for profound and profuse concern.”"
  https://therecord.media/britain-warns-china-is-becomming-a-cyber-superpower
  https://www.infosecurity-magazine.com/news/uk-retail-attacks-wakeup-call/
• Poland Accuses Russia Of ‘unprecedented’ Interference Ahead Of Presidential Election
  "Poland’s top cyber official warned this week that Russia is waging an “unprecedented” effort to disrupt the country’s upcoming presidential election through disinformation and hybrid cyberattacks. Speaking at a defense conference, digital affairs minister Krzysztof Gawkowski said Russian-linked actors are targeting Poland's critical infrastructure — including water and sewage systems, heat and power plants and government agencies — to destabilize the country."
  Priority: 3 - Important
  Relevance: General
  https://therecord.media/poland-elections-russia-hybrid-threats-disinformation

อ้างอิง
Electronic Transactions Development Agency(ETDA)

Financial Sector

• The Top Threat Actor Groups Targeting The Financial Sector
  "Between April 2024 and April 2025, Flashpoint analysts observed the financial sector as a top target of threat actors, with 406 publicly disclosed victims falling prey to ransomware attacks alone—representing seven percent of all ransomware victim listings during that period. However, ransomware is just one piece of the complex threat actor puzzle. The financial sector is also grappling with threats stemming from sophisticated Advanced Persistent Threat (APT) groups, the risks associated with third-party compromises, the illicit trade in initial access credentials, the ever-present danger of insider threats, and the emerging challenge of deepfake and impersonation fraud."
  https://flashpoint.io/blog/top-threat-actor-groups-targeting-financial-sector/

Industrial Sector

• Optigo Networks ONS NC600
  "Successful exploitation of this vulnerability could allow an attacker to establish an authenticated connection with the hard-coded credentials and perform OS command executions."
  https://www.cisa.gov/news-events/ics-advisories/icsa-25-126-01
• BrightSign Players
  "Successful exploitation of this vulnerability could allow for privilege escalation on the device, easily guessed passwords, or for arbitrary code to be executed on the underlying operating system."
  https://www.cisa.gov/news-events/ics-advisories/icsa-25-126-03
• Milesight UG65-868M-EA
  "Successful exploitation of this vulnerability could allow any user with admin privileges to inject arbitrary shell commands."
  https://www.cisa.gov/news-events/ics-advisories/icsa-25-126-02

Vulnerabilities

• Canary Exploit Tool For CVE-2025-30065 Apache Parquet Avro Vulnerability
  "On April 1st, 2025, CVE-2025-30065 was published, although rumors had been swirling on various platforms for several days before about a very high severity security issue with Apache Parquet, leading to much consternation within the IT community. F5 began receiving calls from worried customers asking questions about this vulnerability in their own systems as early as March 29th, three days before it was publicly disclosed. At this time very little was known about the issue, only that it was possibly very serious. As it turned out, CVE-2025-30065 was issued as a CVSS 10.0 (Critical) vulnerability in Apache Parquet Java. Patches were immediately issued, customers were able to assess their exposure, and the attention seen previously began to wane."
  https://www.f5.com/labs/articles/threat-intelligence/canary-exploit-tool-for-cve-2025-30065-apache-parquet-avro-vulnerability
  https://www.bleepingcomputer.com/news/security/apache-parquet-exploit-tool-detect-servers-vulnerable-to-critical-flaw/

Malware

• Smishing On a Massive Scale: "Panda Shop" Chinese Carding Syndicate
  "Resecurity was the first company to identify the Smishing Triad, a group of Chinese cybercriminals targeting consumers across the globe. In August 2023, our team was able to identify their activity and locate the smishing kit they were using, successfully exploiting a vulnerability, which exposed the threat actors and their infrastructure. Since then, the group has become stealthier and upgraded its tooling, tactics, and procedures (TTPs). A group of this scale is not limited to just one threat actor; it has numerous associates with different roles, blurring its public profile. Such groups leverage a "Crime-as-a-Service" model, enabling other cybercriminals to use their smishing kit and scale their operations targeting consumers in different countries."
  https://www.resecurity.com/blog/article/smishing-massive-scale-panda-shop-chinese-carding-syndicate
  https://securityaffairs.com/177502/cyber-crime/smishing-on-a-massive-scale-panda-shop-chinese-carding-syndicate.html
  https://www.infosecurity-magazine.com/news/smishing-triad-upgrades-tools/
• Arctic Wolf Observes Exploitation Of Path Traversal Vulnerability In Samsung MagicINFO 9 Server (CVE-2024-7399)
  "As of early May 2025, Arctic Wolf has observed exploitation in the wild of CVE-2024-7399 in Samsung MagicINFO 9 Server—a content management system (CMS) used to manage and remotely control digital signage displays. The vulnerability allows for arbitrary file writing by unauthenticated users, and may ultimately lead to remote code execution when the vulnerability is used to write specially crafted JavaServer Pages (JSP) files. This high-severity vulnerability had originally been made public by Samsung in August 2024 following responsible disclosure by security researchers, with no exploitation reported at the time. On April 30, 2025, a new research article was published along with technical details and a proof-of-concept (PoC) exploit. Exploitation was then observed within days of that publication."
  https://arcticwolf.com/resources/blog/cve-2024-7399/
  https://www.bleepingcomputer.com/news/security/samsung-magicinfo-9-server-rce-flaw-now-exploited-in-attacks/
  https://www.securityweek.com/samsung-magicinfo-vulnerability-exploited-days-after-poc-publication/
  https://www.helpnetsecurity.com/2025/05/06/exploited-vulnerability-software-managing-samsung-digital-displays-cve-2024-7399/
  https://securityaffairs.com/177529/hacking/samsung-magicinfo-vulnerability-exploited-after-poc-publication.html
• Defending Against UNC3944: Cybercrime Hardening Guidance From The Frontlines
  "UNC3944, which overlaps with public reporting on Scattered Spider, is a financially-motivated threat actor characterized by its persistent use of social engineering and brazen communications with victims. In early operations, UNC3944 largely targeted telecommunications-related organizations to support SIM swap operations. However, after shifting to ransomware and data theft extortion in early 2023, they impacted organizations in a broader range of industries. Since then, we have regularly observed UNC3944 conduct waves of targeting against a specific sector, such as financial services organizations in late 2023 and food services in May 2024. Notably, UNC3944 has also previously targeted prominent brands, possibly in an attempt to gain prestige and increased attention by news media."
  https://cloud.google.com/blog/topics/threat-intelligence/unc3944-proactive-hardening-recommendations
  https://www.bankinfosecurity.com/retail-sector-in-scattered-spider-crosshairs-a-28316
  https://www.infosecurity-magazine.com/news/dragonforce-goup-ms-coop-harrods/
• DragonForce Ransomware: Redefining Hybrid Extortion In 2025
  "The ransomware world isn’t just evolving—it’s fragmenting, decentralizing, and growing more dangerous. In this volatile landscape, DragonForce is emerging as one of the most intriguing and threatening actors of 2025. Born from possible hacktivist roots and now fully immersed in the economics of cyber crime, DragonForce represents a new era of hybrid threats: ideologically ambiguous, technologically agile, and fiercely opportunistic."
  https://blog.checkpoint.com/security/dragonforce-ransomware-redefining-hybrid-extortion-in-2025/
• Microsoft Dynamics 365 Customer Voice Phishing Scam
  "Check Point researchers have identified a new phishing campaign that exploits Microsoft’s “Dynamics 365 Customer Voice,” a customer relationship management software product. It’s often used to record customer calls, monitor customer reviews, share surveys and track feedback. Microsoft 365 is used by over 2 million organizations worldwide. At least 500,000 organizations use Dynamics 365 Customer Voice, including 97% of Fortune 500 companies."
  https://blog.checkpoint.com/research/microsoft-dynamics-365-customer-voice-phishing-scam/
• CoGUI Phish Kit Targets Japan With Millions Of Messages
  "Proofpoint has observed a notable increase in high-volume Japanese language campaigns targeting organizations in Japan to deliver a phishing kit that Proofpoint researchers refer to as CoGUI. Most of the observed campaigns abuse popular consumer or payment brands in phishing lures, including Amazon, PayPay, Rakuten, and others. The CoGUI phishing kit is a highly evasive phishing framework identified by Proofpoint researchers, primarily targeting users in Japan. Several campaigns were observed targeting users in Australia, New Zealand, Canada and the United States, but these occurred much less frequently than in Japan."
  https://www.proofpoint.com/us/blog/threat-insight/cogui-phish-kit-targets-japan-millions-messages
• Second Wave Of Attacks Hitting SAP NetWeaver After Zero-Day Compromise
  "Threat actors have been observed launching a second wave of attacks against SAP NetWeaver instances that were compromised via a recent zero-day vulnerability, enterprise application security firm Onapsis warns. The zero-day, tracked as CVE-2025-31324 (CVSS score of 10/10), was disclosed on April 24, after SAP updated its April 2025 Security Patch Day bulletin to add a fresh note addressing it. In-the-wild exploitation of the bug was observed by cybersecurity firm ReliaQuest on systems that had the latest patches installed and was associated with initial access brokers. According to Mandiant, the flaw had been exploited since at least mid-March 2025."
  https://www.securityweek.com/second-wave-of-attacks-hitting-sap-netweaver-after-zero-day-compromise/
  https://securityaffairs.com/177522/hacking/experts-warn-of-a-second-wave-of-attacks-targeting-sap-netweaver-bug-cve-2025-31324.html
• Here Comes Mirai: IoT Devices RSVP To Active Exploitation
  "Endpoints have been forcibly saying “I do” to Mirai since 2016, and some retired GeoVision devices are among the latest “proposals.” In early April 2025, the Akamai SIRT discovered activity targeting the URI /DateSetting.cgi in our global network of honeypots. After further investigation, we were able to attribute this activity to command injection vulnerabilities (CVE-2024-6047 and CVE-2024-11120) that were previously disclosed in GeoVision devices. Despite being “known” vulnerabilities, there was little more than the assigned CVE numbers actually known about them, at least publicly. Attribution — along with the scope of the threat, which is limited to retired GeoVision IoT devices — was ultimately validated directly by the vendor."
  https://www.akamai.com/blog/security-research/active-exploitation-mirai-geovision-iot-botnet
  https://thehackernews.com/2025/05/hackers-exploit-samsung-magicinfo.html
• Uncovering Actor TTP Patterns And The Role Of DNS In Investment Scams
  "According to the Federal Trade Commission (FTC), consumers lost more money to investment scams than any other kind in 2024. This equates to a 24 percent increase from 2023 to 2024 in the amount of money lost—a total of US$5.7 billion1. These threats take a variety of forms, including the so-called pig butchering scams, which generally start with generic text messages to ones advertised through social media. Sometimes human interaction is involved and sometimes it is not. We track several investment scam actors and we’ve previously published research on two of them, Savvy Seahorse and Horrid Hawk, who have distinctive DNS fingerprints."
  https://blogs.infoblox.com/threat-intelligence/uncovering-actor-ttp-patterns-and-the-role-of-dns-in-investment-scams/
  https://thehackernews.com/2025/05/new-investment-scams-use-facebook-ads.html
• Lampion Is Back With ClickFix Lures
  "Unit 42 researchers recently uncovered a highly focused malicious campaign targeting dozens of Portuguese organizations, particularly in the government, finance and transportation sectors. This campaign was orchestrated by the threat actors behind Lampion malware, an infostealer that focuses on sensitive banking information. This malware family has been active since at least 2019. During our investigation, we found that the group has added ClickFix lures to their arsenal. ClickFix is a social engineering technique that multiple malware families have adopted since late 2024, which lures victims to copy and execute malicious commands on their machine, under the guise of fixing computer problems."
  https://unit42.paloaltonetworks.com/lampion-malware-clickfix-lures/

Breaches/Hacks/Leaks

• UK Legal Aid Agency Investigates Cybersecurity Incident
  "The Legal Aid Agency (LAA), an executive agency of the UK's Ministry of Justice that oversees billions in legal funding, warned law firms of a security incident and said the attackers might have accessed financial information. Approximately 2,000 providers, including barristers, solicitor firms, and non-profit organizations, deliver civil and criminal legal aid services in England and Wales under contracts with the LAA. The agency employs around 1,250 staff and runs the country's Public Defender Service. In a letter sent to law firms, the agency said it cannot confirm if any data was accessed. Still, it acknowledged the risk that legal aid providers' payment information might have been compromised, as Sky News first reported."
  https://www.bleepingcomputer.com/news/security/uk-legal-aid-agency-investigates-cybersecurity-incident/
• “Your Privacy Is a Promise We Don’t Break”: Dating App Raw Exposes Sensitive User Data
  "Any app that hands over user data is a concern, but leaky dating apps are especially worrying given the sensitivity of the data involved. A relatively new app called Raw that aims to rewrite the rules of dating is the latest to trip over its coattails by exposing user data to…well, anyone who asked for it. Launched in 2023, Raw is a dating app that aims to solve some of the traditional problems in online dating, including fake or egregiously touched-up photos, and ghosting (where one person goes silent on each other). The company’s app shares user locations and asks them to post daily photos of themselves to create a more authentic matching experience."
  https://www.malwarebytes.com/blog/news/2025/05/your-privacy-is-a-promise-we-dont-break-dating-app-raw-exposes-sensitive-user-data
• Multiple iHeartRadio Stations Breached In December
  "Several radio stations owned by iHeartMedia were breached in December, exposing Social Security numbers, financial information and other personal details. The media conglomerate filed breach notices in several states but declined to say how many people were impacted or how many stations were attacked when reached for comment."
  https://therecord.media/iheart-radio-stations-breached-december
• Texas School District Notifies Over 47,000 People Of Major Data Breach
  "A data breach affecting Alvin Independent School District (AISD) in Texas has compromised sensitive personal information belonging to 47,606 individuals. The district confirmed the breach, which occurred in June 2024, and began notifying impacted people over the weekend. Exposed information includes names, Social Security numbers, state-issued IDs, credit and debit card details, financial account numbers, medical data and health insurance information. The incident was reported by the Texas attorney general on May 2 2025."
  https://www.infosecurity-magazine.com/news/texas-school-47000-people-data/

General News

• What It Really Takes To Build a Resilient Cyber Program
  "In this Help Net Security interview, Dylan Owen, CISO at Nightwing, talks about what it really takes to build an effective defense: choosing the right frameworks, setting up processes, and getting everyone on the same page. Drawing on both military and private sector experience, Owen explains how preparation, communication, and constant adjustment are key to building a more proactive security approach."
  https://www.helpnetsecurity.com/2025/05/06/dylan-owen-nightwing-cyber-defense-strategy/
• How Cybercriminals Exploit Psychological Triggers In Social Engineering Attacks
  "Most attacks don’t start with malware; they begin with a message that seems completely normal, whether it comes through email, a phone call, or a chat, and that is exactly what makes them so effective. These threats rely on psychological manipulation to bypass people, not firewalls. Pressure is applied, authority is faked, and communication is mimicked. Social engineering threats account for most cyberthreats faced by individuals in 2024, according to Avast."
  https://www.helpnetsecurity.com/2025/05/06/social-engineering-human-behavior/
• As Vishing Gains Momentum, It’s Time To Fight Back
  "The mechanisms and dangers of email phishing are well known, as are the best practices for hardening organizations against it. Its spin-off, called vishing, is nothing new, but it’s both rapidly evolving, and unlike the more mainstream counterpart, too often overlooked by security professionals. According to the CrowdStrike 2025 Global Threat Report, these offbeat attacks saw a 442% increase in the second half of 2024 compared to the first half of the year. This dramatic spike should be interpreted as a call to action in terms of countermeasures, especially in enterprise environments."
  https://www.tripwire.com/state-of-security/vishing-gains-momentum-its-time-fight-back
• Ransomware Attacks April 2025: Qilin Emerges From Chaos
  "Global ransomware attacks in April 2025 declined to 450 from 564 in March – the lowest level since November 2024 – as major changes among the leading Ransomware-as-a-Service (RaaS) groups caused many affiliates to align with new groups. Still, the long-term trend for ransomware attacks remains decidedly upward (chart below) so April’s decline could be reversed as soon as new RaaS leaders are established."
  https://cyble.com/blog/qilin-tops-april-2025-ransomware-report/
• Addressing The Top Cyber-Risks In Higher Education
  "As city-like microcosms, colleges and universities have become prime targets of cyberattacks. Their classrooms, student housing, athletics facilities and venues, retail locations, and, in some cases, public safety and clinical locations are all connected to the same network, creating a large and complex landscape for potential attacks."
  https://www.darkreading.com/vulnerabilities-threats/addressing-top-cyber-risks-higher-education
• And The Cloud Goes Wild: Looking At Vulnerabilities In Cloud Assets
  "We admit it – we’ve had our heads in the clouds recently. Since we started working with Wiz as one of their integration partners, we’ve been spending even more time thinking about cloud assets. And these assets are everywhere! Gartner predicts double digit growth across all cloud segments in 2025. More and more organizations are adopting multi-cloud strategies that spread their assets across multiple hosting providers and more and more IT infrastructure spending is shifting from on-premise hosting to cloud."
  https://www.cycognito.com/blog/and-the-cloud-goes-wild-looking-at-vulnerabilities-in-cloud-assets/
  https://hackread.com/cloud-vulnerability-data-google-cloud-leads-risk/
• What a Future Without CVEs Means For Cyber Defense
  "The importance of the MITRE-run Common Vulnerabilities and Exposures (CVE) Program shouldn’t be understated. For 25 years, it has acted as the point of reference for cybersecurity professionals to understand and mitigate security flaws. By providing a standardized method for naming and cataloguing known vulnerabilities, it offers defenders a shared language for understanding, prioritizing, and responding to real-world threats. The program has traditionally relied on US government funding to sustain operations and, unfortunately, and equivalent databases that operate on the same scale aren’t readily available. Thus, the decision from the US government to row back its guardianship of the program has been met with industry surprise and concern."
  https://www.helpnetsecurity.com/2025/05/06/cve-program-foundation/
• Applying The OODA Loop To Solve The Shadow AI Problem
  "With AI introducing efficiency, automation, and reduced operational costs, organizations are embracing AI tools and technology with open arms. At the user level, more employees resort to personal AI tools to save time, work smarter, and increase productivity. According to a study in October 2024, Seventy-five percent of knowledge workers currently use AI, with 46% stating they would not relinquish it even if their organization did not approve of its use. Organizations are confronting the challenge of shadow AI, as employees utilize unauthorized AI tools without company consent, leading to risks related to data exposure, compliance, and operations."
  https://www.securityweek.com/applying-the-ooda-loop-to-solve-the-shadow-ai-problem/
• Hacker Conversations: John Kindervag, a Making Not Breaking Hacker
  "Kindervag is a hacker – sort of. But he is not the sort of hacker we have come to expect. John Kindervag is best known for developing the Zero Trust Model in 2009 while he was a principal analyst at Forrester Research. In essence, zero trust is based on the principle of ‘never trust, always verify’. He is currently, since September 2023, Chief Evangelist at Illumio, where he is tasked with “driving the adoption of Zero Trust Segmentation through high-touch advocacy and forward-thinking thought leadership”. He is not the typical hacker in today’s terminology."
  https://www.securityweek.com/hacker-conversations-john-kindervag-a-making-not-breaking-hacker/
• Entra ID Data Protection: Essential Or Overkill?
  "Microsoft Entra ID (formerly Azure Active Directory) is the backbone of modern identity management, enabling secure access to the applications, data, and services your business relies on. As hybrid work and cloud adoption accelerate, Entra ID plays an even more central role — managing authentication, enforcing policy, and connecting users across distributed environments. That prominence also makes it a prime target. Microsoft reports over 600 million attacks on Entra ID every day. These aren't just random attempts, but include coordinated, persistent, and increasingly automated campaigns designed to exploit even small vulnerabilities."
  https://thehackernews.com/2025/05/entra-id-data-protectionessential-or.html

อ้างอิง
Electronic Transactions Development Agency(ETDA)

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

เมื่อวันที่ 5 พฤษภาคม 2568 Cybersecurity and Infrastructure Security Agency (CISA) ได้มีการเผยแพร่การเพิ่มช่องโหว่ใหม่ 1 รายการในแค็ตตาล็อก ช่องโหว่อาจเป็นที่รู้จักของกลุ่มแฮกเกอร์ ซึ่งการเพิ่มนี้ขึ้นอยู่กับข้อมูลของการแสวงหาผลประโยชน์จากการโจมตีช่องโหว่ดังกล่าวนั้นได้ ช่องโหว่เหล่านี้เป็นการโจมตีบ่อยครั้งสำหรับผู้ที่ไม่ประสงค์ดีด้านภัยคุกคามทางไซเบอร์และก่อให้เกิดความเสี่ยงที่สำคัญต่อองค์กรนั้นได้ มีรายละเอียดดังนี

• CVE-2025-3248 Langflow Missing Authentication Vulnerability

อ้างอิง
https://www.cisa.gov/news-events/alerts/2025/05/05/cisa-adds-one-known-exploited-vulnerability-catalog
สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

เมื่อวันที่ 2 พฤษภาคม 2568 Cybersecurity and Infrastructure Security Agency (CISA) ได้มีการเผยแพร่การเพิ่มช่องโหว่ใหม่ 2 รายการในแค็ตตาล็อก ช่องโหว่อาจเป็นที่รู้จักของกลุ่มแฮกเกอร์ ซึ่งการเพิ่มนี้ขึ้นอยู่กับข้อมูลของการแสวงหาผลประโยชน์จากการโจมตีช่องโหว่ดังกล่าวนั้นได้ ช่องโหว่เหล่านี้เป็นการโจมตีบ่อยครั้งสำหรับผู้ที่ไม่ประสงค์ดีด้านภัยคุกคามทางไซเบอร์และก่อให้เกิดความเสี่ยงที่สำคัญต่อองค์กรนั้นได้ มีรายละเอียดดังนี

• CVE-2025-34028 Commvault Command Center Path Traversal Vulnerability
• CVE-2024-58136 Yiiframework Yii Improper Protection of Alternate Path Vulnerability

อ้างอิง
https://www.cisa.gov/news-events/alerts/2025/05/02/cisa-adds-two-known-exploited-vulnerabilities-catalog
สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

เมื่อวันที่ 1 พฤษภาคม 2568 Cybersecurity and Infrastructure Security Agency (CISA) ได้มีการเผยแพร่การเพิ่มช่องโหว่ใหม่ 2 รายการในแค็ตตาล็อก ช่องโหว่อาจเป็นที่รู้จักของกลุ่มแฮกเกอร์ ซึ่งการเพิ่มนี้ขึ้นอยู่กับข้อมูลของการแสวงหาผลประโยชน์จากการโจมตีช่องโหว่ดังกล่าวนั้นได้ ช่องโหว่เหล่านี้เป็นการโจมตีบ่อยครั้งสำหรับผู้ที่ไม่ประสงค์ดีด้านภัยคุกคามทางไซเบอร์และก่อให้เกิดความเสี่ยงที่สำคัญต่อองค์กรนั้นได้ มีรายละเอียดดังนี

• CVE-2024-38475 Apache HTTP Server Improper Escaping of Output Vulnerability
• CVE-2023-44221 SonicWall SMA100 Appliances OS Command Injection Vulnerability

อ้างอิง
https://www.cisa.gov/news-events/alerts/2025/05/01/cisa-adds-two-known-exploited-vulnerabilities-catalog
สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand