NCSA Webboard

    NCSA_THAICERT

    @NCSA_THAICERT

    Website www.ncsa.or.th
    Global Moderator, administrators

    Latest posts made by NCSA_THAICERT

    • Microsoft Teams vulnerability lets attackers impersonate colleagues and edit messages without being detected

      News updates are available on the webboard or on the NCSA Thailand Facebook page

      Posted in Cyber Security News
      NCSA_THAICERT
    • Google releases an update fixing an Android vulnerability exposed to Remote Code Execution attacks

      News updates are available on the webboard or on the NCSA Thailand Facebook page

      Posted in Cyber Security News
      NCSA_THAICERT
    • Google adds Autofill support for passport and driver's licence data: more convenient, but is there a risk of data leakage?

      News updates are available on the webboard or on the NCSA Thailand Facebook page

      Posted in Cyber Security News
      NCSA_THAICERT
    • Cyber Threat Intelligence 06 November 2025

      Industrial Sector

      • Operational Technology Security Poses Inherent Risks For Manufacturers
        "From supply chain risks and breaches to employees' physical safety, the manufacturing industry is no stranger to operational technology (OT) security challenges. The good news? Experts say awareness has increased among manufacturers. But whether that will lead to improvements is difficult to say. OT controls the processes and equipment necessary for manufacturers. It's built to last, but that also means there's legacy technology — unsupported and difficult to update — on the factory floor. A lack of visibility around an overwhelming number of assets presents heightened concerns as well. And then comes the human factor."
        https://www.darkreading.com/ics-ot-security/operational-technology-security-poses-inherent-risks-for-manufacturers

      New Tooling

      • Decrypted: Midnight Ransomware
        "In the ever-evolving landscape of cyber threats, a new ransomware strain known as Midnight has emerged, echoing the notorious tactics of its predecessor, Babuk. First detected by Gen researchers, Midnight blends familiar ransomware mechanics with novel cryptographic modifications – some of which unintentionally open the door to file recovery. This blog dives into the technical anatomy of Midnight, its lineage from Babuk, and the critical indicators of infection. Most importantly, it offers a practical guide to decrypting affected files, empowering victims with a rare opportunity to reclaim their data without paying a ransom."
        https://www.gendigital.com/blog/insights/research/midnight-ransomware
        https://hackread.com/norton-midnight-ransomware-free-decryptor/
      • VulnRisk: Open-Source Vulnerability Risk Assessment Platform
        "VulnRisk is an open-source platform for vulnerability risk assessment. It goes beyond basic CVSS scoring by adding context-aware analysis that reduces noise and highlights what matters. The tool is free to use and designed for local development and testing. The platform’s scoring engine cuts up to 90 percent of noise by applying contextual factors such as exploit likelihood and asset importance. Every score comes with a full calculation breakdown, so users can see exactly how each risk level is determined. VulnRisk’s transparent methodology makes it easier for teams to trust the results and adjust their security priorities."
        https://www.helpnetsecurity.com/2025/11/05/vulnrisk-open-source-vulnerability-risk-assessment-platform/
        https://github.com/GurkhaShieldForce/VulnRisk_Public

      Vulnerabilities

      • PromptJacking: The Critical RCEs In Claude Desktop That Turn Questions Into Exploits
        "Hi again. This is a reminder that while we often write about malicious extensions from unknown developers, or large scale supply chain compromises, sometimes, even the most trusted developers can make mistakes that may wreak havoc on your enterprise... We’ve identified severe RCE vulnerabilities in three extensions that were written, published, and promoted by Anthropic themselves - the Chrome, iMessage, and Apple Notes connectors, and are sitting at the very top of Claude Desktop's extension marketplace."
        https://www.koi.ai/blog/promptjacking-the-critical-rce-in-claude-desktop-that-turn-questions-into-exploits
        https://www.infosecurity-magazine.com/news/claude-desktop-extensions-prompt/
      • AMD Red-Faced Over Random-Number Bug That Kills Cryptographic Security
        "AMD will issue a microcode patch for a high-severity vulnerability that could weaken cryptographic keys across Epyc and Ryzen CPUs. The flaw, tracked as CVE-2025-62626 (7.2), affects Zen 5 chips with the 16-bit and 32-bit instruction variants. The bug involves RDSEED, a function that generates high-quality random numbers used by security keys. RDSEED provides the true entropy that's required by apps generating high-strength cryptographic keys."
        https://www.theregister.com/2025/11/05/amd_promises_to_fix_chips/

      Malware

      • Gootloader Is Back (Back Again)
        "Before I start, I have to give credit, where it’s due. A Major shout-out to RussianPanda and the team at Huntress for catching this new Gootloader campaign in the wild. As the title suggests — yes, Gootloader is back. Back again. I was (like many others) hoping that after the disruptions my April blog caused, they’d finally hang up their hats and retire. But here we are. For over five years, the threat actor behind Gootloader has been using legal-themed bait — terms like “contract”, “form” and “agreement” — to draw victims into their traps. (There was that brief detour into PDF converters.)"
        https://gootloader.wordpress.com/2025/11/05/gootloader-is-back-back-again/
        https://www.bleepingcomputer.com/news/security/gootloader-malware-is-back-with-new-tricks-after-7-month-break/
      • International Threats – Infection URLs Used In Regional Phishing Campaigns
        "Cofense Intelligence relies on over 35 million trained employees from around the world, and a considerable number of analyzed campaigns are written in languages other than English. This report focuses on the URLs embedded in emails that bypassed email security controls like secure email gateways (SEGs) to deliver malware. The URLs that are the focus of this report are commonly referred to as “infection URLs” as they are the source for an infection by malware. Infection URLs, especially the services hosting them, are important as they represent the first step in a chain of events that can be broken with proper preparations and tools. This report is part of a series of reports covering different trends in phishing campaigns that are delivered by the top five non-English languages that Cofense sees. Other topics include the malware families and delivery mechanisms seen in different languages, as well as the themes seen in various languages."
        https://cofense.com/blog/international-threats-infection-urls-used-in-regional-phishing-campaigns
      • Crossed Wires: a Case Study Of Iranian Espionage And Attribution
        "In June, Proofpoint Threat Research began investigating a benign email discussing economic uncertainty and domestic political unrest in Iran. While coinciding with the escalations in the Iran-Israel conflict, there was no indication that the observed activity was directly correlated with Israel’s attacks on Iranian nuclear facilities or Iran’s actions in response. Initial analysis of the activity found tactics, techniques, and procedures (TTP) overlaps with multiple Iranian aligned groups, including TA455 (C5 Agent, Smoke Sandstorm), TA453 (Mint Sandstorm, Charming Kitten), and TA450 (MuddyWater, Mango Sandstorm). Given a lack of high confidence links to any one established threat group, we designated the activity as a temporary cluster called UNK_SmudgedSerpent."
        https://www.proofpoint.com/us/blog/threat-insight/crossed-wires-case-study-iranian-espionage-and-attribution
        https://thehackernews.com/2025/11/mysterious-smudgedserpent-hackers.html
        https://www.darkreading.com/cyberattacks-data-breaches/iranian-apt-phishes-us-policy-wonks
        https://www.infosecurity-magazine.com/news/unksmudgedserpent-targets-academics/
      • Voice Of SecOps Spotlight: Tis The Season For Online Sales — And AI-Fueled Cyberattacks
        "With Black Friday, Cyber Monday, and peak holiday shopping just weeks away, retailers anticipate record-breaking sales volumes — paired with a sharp surge in cyber risk. The massive flow of sensitive data, cloud file transfers, and third-party integrations makes this the most dangerous time of year. Deep Instinct recently released the sixth edition of its Voice of SecOps Report, Cybersecurity & AI – Promises, Pitfalls, and Prevention Paradise, which sheds light on how leaders across seven industries, including the retail and eCommerce sector, are bracing for this challenge. The report reveals a clear warning: while AI is driving unprecedented productivity gains for retail security teams, it’s also exposing new vulnerabilities that legacy defenses can’t handle."
        https://www.deepinstinct.com/blog/voice-of-secops-spotlight-tis-the-season-for-online-sales-and-ai-fueled-cyberattacks
      • Ghosts In /proc: Manipulation And Timeline Corruption
        "In our previous blog, “Hiding in plain sight: Techniques and defenses against /proc filesystem manipulation in Linux” we explored techniques for concealing malicious processes from forensics triage tools. Forensic analysts often rely on the Linux virtual filesystem /proc to enumerate processes, reconstruct timelines, and attribute activity to specific executables. Utilities such as ps, top, and various triage scripts extract process metadata from files located under /proc/<pid>/, including cmdline and stat. The integrity of these files is therefore critical to many incident response workflows."
        https://www.group-ib.com/blog/ghosts-in-proc/
      • HackedGPT: Novel AI Vulnerabilities Open The Door For Private Data Leakage
        "Tenable Research has discovered seven vulnerabilities and attack techniques in ChatGPT, including unique indirect prompt injections, exfiltration of personal user information, persistence, evasion, and bypass of safety mechanisms. Prompt injections are a weakness in how large language models (LLMs) process input data. An attacker can manipulate the LLM by injecting instructions into any data it ingests, which can cause the LLM to ignore the original instructions and perform unintended or malicious actions instead. Specifically, indirect prompt injection occurs when an LLM finds unexpected instructions in an external source, such as a document or website, rather than a direct prompt from the user."
        https://www.tenable.com/blog/hackedgpt-novel-ai-vulnerabilities-open-the-door-for-private-data-leakage
        https://thehackernews.com/2025/11/researchers-find-chatgpt.html
      • PHP Cryptomining Campaign: October/November 2025
        "From August through October 2025, we observed (GreyNoise Visualizer) a clear ramp-up in exploitation attempts against PHP and PHP-based frameworks as actors push to deploy cryptominers. The query below captures a range of attempts (ThinkPHP, PHP CGI, PHPUnit, the recent PHP CVE-2024-4577, etc.), and the telemetry shows seven distinct attack patterns that move in parallel: steady in August–September, then spiking into October and November."
        https://www.greynoise.io/blog/php-cryptomining-campaign

      Breaches/Hacks/Leaks

      • Hyundai AutoEver America Data Breach Exposes SSNs, Drivers Licenses
        "Hyundai AutoEver America is notifying individuals that hackers breached the company's IT environment and gained access to personal information. The company discovered the intrusion on March 1 but the investigation revealed that the attacker had access to the systems since February 22nd. Hyundai AutoEver America (HAEA) is an affiliate of Hyundai Motor Group that provides IT consulting, managed services, and helpdesk support for the entire lifecycle of automotive IT from production to retirement."
        https://www.bleepingcomputer.com/news/security/hyundai-autoever-america-data-breach-exposes-ssns-drivers-licenses/
      • SonicWall Says State-Sponsored Hackers Behind September Security Breach
        "SonicWall's investigation into the September security breach that exposed customers' firewall configuration backup files concludes that state-sponsored hackers were behind the attack. The network security company says that incident responders from Mandiant confirmed that the malicious activity had no impact on SonicWall's products, firmware, systems, tools, source code, or customer networks. “The Mandiant investigation is now complete. Their findings confirm that the malicious activity – carried out by a state-sponsored threat actor - was isolated to the unauthorized access of cloud backup files from a specific cloud environment using an API call,” SonicWall states."
        https://www.bleepingcomputer.com/news/security/sonicwall-says-state-sponsored-hackers-behind-security-breach-in-september/
        https://www.sonicwall.com/blog/cloud-backup-security-incident-investigation-complete-and-strengthened-cyber-resilience
        https://securityaffairs.com/184258/security/sonicwall-blames-state-sponsored-hackers-for-september-security-breach.html

      General News

      • GTIG AI Threat Tracker: Advances In Threat Actor Usage Of AI Tools
        "Based on recent analysis of the broader threat landscape, Google Threat Intelligence Group (GTIG) has identified a shift that occurred within the last year: adversaries are no longer leveraging artificial intelligence (AI) just for productivity gains, they are deploying novel AI-enabled malware in active operations. This marks a new operational phase of AI abuse, involving tools that dynamically alter behavior mid-execution. This report serves as an update to our January 2025 analysis, "Adversarial Misuse of Generative AI," and details how government-backed threat actors and cyber criminals are integrating and experimenting with AI across the industry throughout the entire attack lifecycle. Our findings are based on the broader threat landscape."
        https://cloud.google.com/blog/topics/threat-intelligence/threat-actor-usage-of-ai-tools
        https://www.bleepingcomputer.com/news/security/google-warns-of-new-ai-powered-malware-families-deployed-in-the-wild/
        https://thehackernews.com/2025/11/google-uncovers-promptflux-malware-that.html
        https://therecord.media/new-malware-uses-ai-to-adapt
        https://www.bankinfosecurity.com/malware-developers-test-ai-for-adaptive-code-generation-a-29932
        https://www.securityweek.com/malware-now-uses-ai-during-execution-to-mutate-and-collect-data-google-warns/
        https://www.helpnetsecurity.com/2025/11/05/malware-using-llms/
        https://www.theregister.com/2025/11/05/attackers_experiment_with_gemini_ai/
      • Operation Chargeback: 4.3 Million Cardholders Affected, EUR 300 Million In Damages
        "On 4 November 2025, an international coordinated action day targeted three major fraud and money laundering networks as part of Operation “Chargeback.” Led by the Cybercrime Department (Landeszentralstelle Cybercrime) of the General Prosecutor's Office (Generalstaatsanwaltschaft) in Koblenz, Germany, and the German Federal Criminal Police Office (Bundeskriminalamt), the operation has been investigating these networks since December 2020. More than 60 house searches were conducted and a total of 18 arrest warrants executed. The criminal networks are suspected of misusing credit card data from over 4.3 million cardholders across 193 countries. In total, the estimated damage from the fraud scheme exceeds EUR 300 million, with attempted damages amounting to over EUR 750 million."
        https://www.europol.europa.eu/media-press/newsroom/news/operation-chargeback-43-million-cardholders-affected-eur-300-million-in-damages
        https://www.eurojust.europa.eu/news/eurojust-coordinates-major-operation-against-eur-300-million-global-credit-card-fraud-18
        https://www.bleepingcomputer.com/news/security/europol-credit-card-fraud-rings-stole-eur-300-million-from-43-million-cardholders/
        https://therecord.media/europe-police-bust-global-fraud-ring-payment-firms
        https://www.bankinfosecurity.com/cops-cuff-18-suspects-over-345m-credit-card-fraud-scheme-a-29935
        https://www.infosecurity-magazine.com/news/operation-chargeback-uncovers/
        https://www.helpnetsecurity.com/2025/11/05/global-credit-card-fraud-arrests/
      • Closing The AI Execution Gap In Cybersecurity — A CISO Framework
        "Artificial intelligence (AI) is a present-day reality reshaping the cybersecurity landscape. For chief information security officers (CISOs), the integration of AI into security frameworks is a double-edged sword. AI promises enhanced efficiency, predictive capabilities, and automation for internal security teams. Simultaneously, it also endows bad actors with new tools to exploit vulnerabilities across complex ICT supply chains."
        https://www.darkreading.com/cybersecurity-operations/closing-ai-execution-gap-cybersecurity-ciso-framework
      • Risk 'Comparable' To SolarWinds Incident Lurks In Popular Software Update Tool
        "Researchers have discovered a supply chain risk in a popular installer authoring tool, which they've described as potentially leading to cyberattacks "comparable in scope to supply chain incidents like SolarWinds." Its developers, however, say it's working as intended. The tool, Advanced Installer, is used for building application installers. After developing their software, vendors turn to it to bundle all the many files, dependencies, drivers, configurations, and so on that allow their software to install smoothly on customers' systems."
        https://www.darkreading.com/application-security/risk-solarwinds-popular-software-tool-update
      • Threat Spotlight: How Automation, Customization, And Tooling Signal Next Ransomware Front Runners
        "In the competitive ransomware-as-a-service (RaaS) ecosystem, a group’s success—defined here as victim count on its data-leak site—depends on the sophistication of its platform and its unique offerings. Such bespoke platforms attract the most skilled affiliates, who can often bypass stronger defenses to compromise higher-revenue organizations, increasing the likelihood of a successful extortion payment."
        https://reliaquest.com/blog/threat-spotlight-how-automation-customization-and-tooling-signal-ransomware
        https://www.darkreading.com/cyberattacks-data-breaches/inside-the-playbook-of-ransomware-s-most-profitable-players
      • Credentials And Misconfigurations Behind Most Cloud Breaches, Says AWS
        "Businesses are rapidly moving into the public cloud, a change confirmed by the “Building Cloud Trust” report from Amazon Web Services (AWS) and UK-based research firm Vanson Bourne. This report is based on a survey of 2,800 technology and security firms across 13 countries conducted during September and October. The findings show that while the public cloud is now central to how organisations operate, given its agility, they are simultaneously facing unexpected threats that demand continuous caution."
        https://hackread.com/aws-credentials-misconfigurations-cloud-breaches/
        https://d1.awsstatic.com/onedam/marketing-channels/website/aws/en_US/whitepapers/compliance/Cloud_Trust_Report.pdf
      • PortGPT: How Researchers Taught An AI To Backport Security Patches Automatically
        "Keeping older software versions secure often means backporting patches from newer releases. It is a routine but tedious job, especially for large open-source projects such as the Linux kernel. A new research effort has built a tool that uses a large language model to do that work automatically. A team of researchers from China, the United States, and Canada created PortGPT, an AI system designed to automate the process of migrating security patches from mainline branches to older versions of software. They describe their method as an attempt to replicate the reasoning steps that developers use when they manually adapt patches."
        https://www.helpnetsecurity.com/2025/11/05/portgpt-ai-backport-security-patches-automatically/
      • AI Can Flag The Risk, But Only Humans Can Close The Loop
        "In this Help Net Security interview, Dilek Çilingir, Global Forensic & Integrity Services Leader at EY, discusses how AI is transforming third-party assessments and due diligence. She explains how machine learning and behavioral analytics help organizations detect risks earlier, improve compliance, and strengthen accountability. As oversight grows, Çilingir explains why human judgment still matters in every AI-supported decision."
        https://www.helpnetsecurity.com/2025/11/05/dilek-cilingir-ey-ai-third-party-assessments/

      Reference
      Electronic Transactions Development Agency (ETDA)

      Posted in Cyber Security News
      NCSA_THAICERT
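      The "Ghosts in /proc" item in the digest above explains that triage tools such as ps and top read cmdline and stat under /proc/<pid>/, so a process that tampers with those files can mislead timeline and attribution work. The script below is an added example written for this page; it is not code from Group-IB, from the NCSA post, or from any of the linked articles. It captures four views of one process (cmdline, stat, comm and the exe symlink) and reports where they disagree, on the assumption that whoever rewrites one view rarely keeps every other view consistent. The heuristics, the helper names and the sample captures are this example's own assumptions, and the samples are constructed, not real incident data.

```python
import os
from dataclasses import dataclass
from typing import Optional

# The kernel truncates comm to TASK_COMM_LEN - 1 = 15 bytes.
COMM_LEN = 15


@dataclass
class ProcView:
    """One process as seen through four /proc files (a capture, not live state)."""
    pid: int
    cmdline: bytes          # /proc/<pid>/cmdline: NUL-separated argv, may be empty
    stat: str               # /proc/<pid>/stat: one line
    comm: str               # /proc/<pid>/comm without the trailing newline
    exe: Optional[str]      # readlink(/proc/<pid>/exe), or None if unreadable


def parse_stat(stat: str) -> tuple[int, str, str, int]:
    """Return (pid, comm, state, ppid) from a /proc/<pid>/stat line.

    comm is parenthesised and may itself contain spaces or ')', so the
    line is split on the LAST ')' rather than on whitespace.
    """
    lparen, rparen = stat.index("("), stat.rindex(")")
    fields = stat[rparen + 1:].split()
    return int(stat[:lparen]), stat[lparen + 1:rparen], fields[0], int(fields[1])


def _names_agree(a: str, b: str) -> bool:
    """True if one name is a prefix of the other; this tolerates comm
    truncation and version suffixes (python3 vs python3.12)."""
    return bool(a) and bool(b) and (a.startswith(b) or b.startswith(a))


def check_process(view: ProcView) -> list[str]:
    """Return the inconsistencies between the /proc views of one process.

    Heuristic (an assumption of this example, not a kernel guarantee): an
    empty list means the views agree; each string is one triage lead.
    """
    findings: list[str] = []
    stat_pid, stat_comm, state, _ppid = parse_stat(view.stat)
    argv = [a.decode("utf-8", "replace") for a in view.cmdline.split(b"\0") if a]

    if stat_pid != view.pid:
        findings.append(f"stat pid {stat_pid} != directory pid {view.pid}")
    # stat and comm expose the same kernel field, so they must agree.
    if stat_comm != view.comm:
        findings.append(f"comm mismatch: stat={stat_comm!r} comm={view.comm!r}")

    if view.exe is None:
        # Kernel threads have neither an exe link nor argv; a userland
        # process that shows argv but no exe is worth a second look.
        if argv:
            findings.append("cmdline present but exe link unreadable")
        return findings

    deleted = view.exe.endswith(" (deleted)")
    exe_base = os.path.basename(view.exe[:-len(" (deleted)")] if deleted else view.exe)
    if deleted:
        findings.append(f"exe unlinked from disk: {view.exe}")

    # comm is set from the exec'd filename; for interpreted scripts that is the
    # script (so it matches an argv element) rather than the interpreter (exe).
    candidates = [exe_base] + [os.path.basename(a).lstrip("-") for a in argv]
    if not any(_names_agree(stat_comm[:COMM_LEN], c) for c in candidates):
        findings.append(f"comm {stat_comm!r} matches neither exe nor argv")

    if not argv:
        if state != "Z":   # zombies legitimately lose their argv area
            findings.append("empty cmdline for a userland process (argv area unmapped or wiped)")
    elif not _names_agree(os.path.basename(argv[0]).lstrip("-"), exe_base):
        findings.append(f"argv[0] {argv[0]!r} does not match exe {exe_base!r}")
    return findings


def read_proc(pid: int, root: str = "/proc") -> ProcView:
    """Capture the four views of a live process (reads the real /proc)."""
    base = os.path.join(root, str(pid))
    with open(os.path.join(base, "cmdline"), "rb") as f:
        cmdline = f.read()
    with open(os.path.join(base, "stat")) as f:
        stat = f.read().rstrip("\n")
    with open(os.path.join(base, "comm")) as f:
        comm = f.read().rstrip("\n")
    try:
        exe = os.readlink(os.path.join(base, "exe"))
    except OSError:          # kernel thread, zombie, or permission denied
        exe = None
    return ProcView(pid, cmdline, stat, comm, exe)


def scan(root: str = "/proc") -> dict[int, list[str]]:
    """Check every numeric entry under root; returns only processes with findings."""
    report: dict[int, list[str]] = {}
    for name in os.listdir(root):
        if name.isdigit():
            try:
                view = read_proc(int(name), root)
            except OSError:  # process exited between listing and reading
                continue
            if (hits := check_process(view)):
                report[view.pid] = hits
    return report


# Constructed sample captures for offline use (not real incident data).
SAMPLES = {
    "clean_sshd": ProcView(1234, b"/usr/sbin/sshd\0-D\0",
                           "1234 (sshd) S 1 1234 1234 0 -1 4194560 412 0 0 0 3 1 0 0 20 0 1 0 812",
                           "sshd", "/usr/sbin/sshd"),
    "kernel_thread": ProcView(2, b"", "2 (kthreadd) S 0 0 0 0 -1 2129984 0 0 0 0 0 0 0 0 20 0 1 0 4",
                              "kthreadd", None),
    "shell_script": ProcView(4321, b"/bin/bash\0/opt/backup/rotate.sh\0",
                             "4321 (rotate.sh) S 1 4321 4321 0 -1 4194304 55 0 0 0 0 0 0 0 20 0 1 0 900",
                             "rotate.sh", "/usr/bin/bash"),
    # cmdline and comm rewritten to look like sshd; the real binary was unlinked.
    "masquerading": ProcView(6666, b"/usr/sbin/sshd\0-D\0",
                             "6666 (sshd) R 1 6666 6666 0 -1 4194560 90 0 0 0 800 12 0 0 20 0 4 0 950",
                             "sshd", "/dev/shm/.x/payload (deleted)"),
    # argv area wiped so ps shows nothing, while stat/comm/exe still say bash.
    "wiped_argv": ProcView(7777, b"", "7777 (bash) S 1 7777 7777 0 -1 4194304 40 0 0 0 0 0 0 0 20 0 1 0 960",
                           "bash", "/usr/bin/bash"),
}

if __name__ == "__main__":
    for label, view in SAMPLES.items():
        print(label, check_process(view) or "ok")
```

      Run stand-alone it checks the constructed samples; `scan()` walks the live /proc of the host it runs on. Treat findings as leads rather than verdicts: daemons that rename themselves with prctl(PR_SET_NAME) or rewrite their argv (worker-process titles) will trip the argv and comm checks, and a /proc mounted with hidepid hides other users' processes from an unprivileged reader altogether. Corroborate a hit against a source the suspect process cannot rewrite from user space, such as a memory image.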
    • Cyber Threat Intelligence 05 November 2025

      Industrial Sector

      • Cyber Physical Systems Face Rising Geopolitical Risks
        "Global conflicts, civil unrest and tariff wars provide new opportunities for cyber adversaries, especially those targeting operational technology systems. Attackers are now focusing on fragile supply chains affected by geopolitical conflicts. Researchers predict this heightened threat environment will result in at least one major cyber-physical breach in the next 12 months. Geopolitical risks are creating instability in the sourcing, manufacturing and delivery of critical hardware and software components, said Sean Tufts, field CTO at Claroty, which recently released Global State of CPS Security 2025, a report based on a global survey of 1,100 cybersecurity professionals responsible for the protection of cyber-physical systems."
        https://www.bankinfosecurity.com/cyber-physical-systems-face-rising-geopolitical-risks-a-29931
        https://claroty.com/resources/reports/the-global-state-of-cps-security-2025-navigating-risk-in-an-uncertain-economic-landscape

      Vulnerabilities

      • Jobmonster - Job Board WordPress Theme <= 4.8.1 - Authentication Bypass
        "The Noo JobMonster theme for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 4.8.1. This is due to the check_login() function not properly verifying a user's identity prior to successfully authenticating them. This makes it possible for unauthenticated attackers to bypass standard authentication and access administrative user accounts. Please note social login needs to be enabled in order for a site to be impacted by this vulnerability."
        https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-themes/noo-jobmonster/jobmonster-job-board-wordpress-theme-481-authentication-bypass
        https://www.bleepingcomputer.com/news/security/hackers-exploit-critical-auth-bypass-flaw-in-jobmonster-wordpress-theme/
      • Radiometrics VizAir
        "Successful exploitation of these vulnerabilities could allow attackers to manipulate critical weather parameters and runway settings, mislead air traffic control and pilots, extract sensitive meteorological data, and cause significant disruption to airport operations, leading to hazardous flight conditions."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-308-04
      • 400,000 WordPress Sites Affected By Account Takeover Vulnerability In Post SMTP WordPress Plugin
        "On October 11th, 2025, we received a submission for an Account Takeover via Email Log Disclosure vulnerability in Post SMTP, a WordPress plugin with more than 400,000 active installations. This vulnerability makes it possible for an unauthenticated attacker to view email logs, including password reset emails, and change the password of any user, including an administrator, which allows them to take over the account and the website."
        https://www.wordfence.com/blog/2025/11/400000-wordpress-sites-affected-by-account-takeover-vulnerability-in-post-smtp-wordpress-plugin/
        https://www.bleepingcomputer.com/news/security/hackers-exploit-wordpress-plugin-post-smtp-to-hijack-admin-accounts/
      • Critical RCE Vulnerability CVE-2025-11953 Puts React Native Developers At Risk
        "The JFrog Security Research team recently discovered and disclosed CVE-2025-11953 – a critical (CVSS 9.8) security vulnerability affecting the extremely popular @react-native-community/cli NPM package that has approximately 2M weekly downloads. The vulnerability allows remote unauthenticated attackers to easily trigger arbitrary OS command execution on the machine running react-native-community/cli’s development server, posing a significant risk to developers."
        https://jfrog.com/blog/cve-2025-11953-critical-react-native-community-cli-vulnerability/
        https://thehackernews.com/2025/11/critical-react-native-cli-flaw-exposed.html
        https://www.securityweek.com/critical-flaw-in-popular-react-native-npm-package-exposes-developers-to-attacks/
      • Android Update Patches Critical Remote Code Execution Flaw
        "Google on Monday announced a fresh set of security updates for the Android platform, to address two vulnerabilities in the System component. The November 2025 Android fixes mark another shift from the monthly updates the internet giant has been rolling out since 2015, as they come with a single security patch level, the 2025-11-01 patch level. For nearly a decade, the update was split into two security patch levels, to make it easier for vendors to address vulnerabilities specific to their devices. The second security patch level of each month contained patches for all the bugs described in that month’s security bulletin."
        https://www.securityweek.com/android-update-patches-critical-remote-code-execution-flaw/
        https://securityaffairs.com/184208/security/google-fixed-a-critical-remote-code-execution-in-android.html
      • Survision License Plate Recognition Camera
        "Successful exploitation of this vulnerability could allow an attacker to fully access the system without requiring authentication."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-308-02
      • Delta Electronics CNCSoft-G2
        "Successful exploitation of this vulnerability could allow attackers to execute arbitrary code in the context of the current process."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-308-03
      • IDIS ICM Viewer
        "Successful exploitation of this vulnerability could result in an attacker executing arbitrary code."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-308-05
      • Apple Patches 19 WebKit Vulnerabilities
        "Apple on Monday announced the release of security updates for iOS and macOS to resolve over 100 vulnerabilities. iOS 26.1 and iPadOS 26.1 were rolled out with patches for 56 security defects, including 19 issues that affect the WebKit browser engine. Successful exploitation of the flaws, Apple notes in its advisory, could allow websites to exfiltrate data cross-origin, could lead to unexpected process crashes and memory corruption, and could allow applications to monitor keystrokes."
        https://www.securityweek.com/apple-patches-19-webkit-vulnerabilities/
        https://thehackernews.com/2025/11/googles-ai-big-sleep-finds-5-new.html
        https://securityaffairs.com/184184/security/google-big-sleep-found-five-vulnerabilities-in-safari.html
        https://cyberscoop.com/apple-security-update-november-2025/
      • CISA Adds Two Known Exploited Vulnerabilities To Catalog
        "CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
        CVE-2025-11371 Gladinet CentreStack and Triofox Files or Directories Accessible to External Parties Vulnerability
        CVE-2025-48703 CWP Control Web Panel OS Command Injection Vulnerability"
        https://www.cisa.gov/news-events/alerts/2025/11/04/cisa-adds-two-known-exploited-vulnerabilities-catalog
      • Fuji Electric Monitouch V-SFT-6
        "Successful exploitation of these vulnerabilities could crash the accessed device; a buffer overflow condition may allow remote code execution."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-308-01
      • Exploiting Trust In Collaboration: Microsoft Teams Vulnerabilities Uncovered
        "Trust alone isn’t a security strategy. That’s the key lesson from new research by Check Point Research, which uncovered multiple vulnerabilities in Microsoft Teams that could allow attackers to impersonate executives, manipulate messages, and spoof notifications. With more than 320 million monthly active users, Microsoft Teams has become the backbone of modern workplace communication. From boardroom meetings to quick one-to-one chats, it powers the daily interactions of enterprises, small businesses, and governments worldwide. But Check Point Research’s latest findings show how attackers can twist the very trust mechanisms that make Teams effective, turning collaboration into an attack vector."
        https://blog.checkpoint.com/research/exploiting-trust-in-collaboration-microsoft-teams-vulnerabilities-uncovered/
        https://thehackernews.com/2025/11/microsoft-teams-bugs-let-attackers.html
        https://www.theregister.com/2025/11/04/microsoft_teams_bugs_could_let/
      • TruffleHog, Fade In And BSAFE Crypto-C Vulnerabilities
        "Cisco Talos’ Vulnerability Discovery & Research team recently disclosed three vulnerabilities in Dell BSAFE, two in Fade In screenwriting software, and one in Trufflehog. The vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in adherence to Cisco’s third-party vulnerability disclosure policy. For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website."
        https://blog.talosintelligence.com/trufflehog-fade-in-and-bsafe-crypto-c-vulnerabilities/
      • Zscaler Discovers Vulnerability In Keras Models Allowing Arbitrary File Access And SSRF (CVE-2025-12058)
        "Zscaler uncovered a vulnerability in Keras that exposed AI and machine learning environments to file access and network exploitation risks, highlighting the urgent need to secure the AI model supply chain. Through responsible disclosure and ongoing research, Zscaler helps enterprises stay protected from emerging AI threats with a Zero Trust approach."
        https://www.zscaler.com/blogs/security-research/zscaler-discovers-vulnerability-keras-models-allowing-arbitrary-file-access

      Malware

      • Curly COMrades: Evasion And Persistence Via Hidden Hyper-V Virtual Machines
        "This investigation, conducted with support from the Georgian CERT functioning under the Operative-Technical Agency of Georgia, uncovered new tools and techniques used by the Curly COMrades threat actor. They established covert, long-term access to victim networks by abusing virtualization features (Hyper-V) on compromised Windows 10 machines to create a hidden remote operating environment. We first documented the Curly COMrades threat actor, operating to support Russian interests in geopolitical hotbeds, in August 2025. Since that initial discovery, subsequent forensics and incident response efforts have revealed critical new tools and techniques."
        https://businessinsights.bitdefender.com/curly-comrades-evasion-persistence-hidden-hyper-v-virtual-machines
        https://www.bleepingcomputer.com/news/security/russian-hackers-abuse-hyper-v-to-hide-malware-in-linux-vms/
        https://www.darkreading.com/endpoint-security/pro-russian-hackers-linux-vms-hide-windows
        https://www.theregister.com/2025/11/04/russian_spies_pack_custom_malware/
      • Inside The Rise Of AI-Powered Pharmaceutical Scams
        "Over the past few months, we identified an emerging online threat that combines fraud, social engineering, and genuine health risks. Scammers are now impersonating licensed physicians and medical clinics to promote counterfeit or unsafe medications, frequently leveraging AI and deepfake technology to generate convincing fake photos, videos, and endorsements. The stakes extend beyond financial theft. Victims are persuaded to purchase and consume unapproved or potentially dangerous substances marketed as legitimate prescriptions. This convergence of digital deception and physical harm makes the threat particularly insidious – Criminals exploit the trust inherent in healthcare relationships to generate revenue while amplifying their reach through fraudulent social proof."
        https://blog.checkpoint.com/healthcare/inside-the-rise-of-ai-powered-pharmaceutical-scams/
      • Scattered LAPSUS$ Hunters: Anatomy Of a Federated Cybercriminal Brand
        "Trustwave SpiderLabs’ Cyber Threat Intelligence team is tracking the recent emergence of what appears to be the consolidation of three well-known threat groups into a “federated alliance” that offers, among its activities, Extortion-as-a-Service (EaaS). The collective comprises Scattered Spider, ShinyHunters, and LAPSUS$. The group heavily uses a public encryption communication service as its primary operating base and allows its EaaS affiliates to use the member’s very well-known names to create fear, which it claims will generate a higher financial return."
        https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/scattered-lapsuss-hunters-anatomy-of-a-federated-cybercriminal-brand/
        https://thehackernews.com/2025/11/a-cybercrime-merger-like-no-other.html
        https://www.infosecurity-magazine.com/news/scattered-spider-shinyhunters/
      • The DragonForce Cartel: Scattered Spider At The Gate
        "Acronis Threat Research Unit (TRU) analyzed recent activity linked to the DragonForce ransomware group and identified a new malware variant in the wild. The latest sample uses vulnerable drivers such as truesight.sys and rentdrv2.sys to disable security software, terminate protected processes and correct encryption flaws previously associated with Akira ransomware. The updated encryption scheme addresses weaknesses publicly detailed in a Habr article cited on DragonForce’s leak site."
        https://www.acronis.com/en/tru/posts/the-dragonforce-cartel-scattered-spider-at-the-gate/
        https://www.infosecurity-magazine.com/news/dragonforce-cartel-conti-derived/
      • LABScon25 Replay | LLM-Enabled Malware In The Wild
        "This presentation explores the emerging threat of LLM-enabled malware, where adversaries embed Large Language Model capabilities directly into malicious payloads. Unlike traditional malware, these threats generate malicious code at runtime rather than embedding it statically, creating significant detection challenges for security teams. SentinelLABS’ Alex Delamotte and Gabriel Bernadett-Shapiro present their team’s research on how LLMs are weaponized in the wild, distinguishing between various adversarial uses, from AI-themed lures to genuine LLM-embedded malware. The research focused on malware that leverages LLM capabilities as a core operational component, exemplified by notable cases like PromptLock ransomware and APT28’s LameHug/PROMPTSTEAL campaigns."
        https://www.sentinelone.com/labs/labscon25-replay-llm-enabled-malware-in-the-wild/

      Breaches/Hacks/Leaks

      • Apache OpenOffice Disputes Data Breach Claims By Ransomware Gang
        "The Apache Software Foundation disputes claims that its OpenOffice project suffered an Akira ransomware attack, after the threat actors claimed to have stolen 23 GB of corporate documents. Apache OpenOffice is a free, open-source office suite that includes word processing, spreadsheets, presentations, graphics, and database tools. It's compatible with major file formats, such as Word and Excel, and runs on multiple operating systems. On October 30th, the Akira ransomware gang claimed it had breached Apache OpenOffice and stolen 23 GB of data, including employee and financial information, as well as internal files."
        https://www.bleepingcomputer.com/news/security/apache-openoffice-disputes-data-breach-claims-by-ransomware-gang/
      • Data Breach At Major Swedish Software Supplier Impacts 1.5 Million
        "The Swedish Authority for Privacy Protection (IMY) is investigating a cyberattack on IT systems supplier Miljödata that exposed data belonging to 1.5 million people. Miljödata is an IT systems supplier for roughly 80% of Sweden's municipalities. The company disclosed the incident on August 25, saying that the attackers stole data and demanded 1.5 Bitcoin to not leak it. The attack caused operational disruptions that affected citizens in multiple regions in the country, including Halland, Gotland, Skellefteå, Kalmar, Karlstad, and Mönsterås."
        https://www.bleepingcomputer.com/news/security/data-breach-at-major-swedish-software-supplier-impacts-15-million/
      • Media Giant Nikkei Reports Data Breach Impacting 17,000 People
        "Japanese publishing giant Nikkei announced earlier today that its Slack messaging platform had been compromised, exposing the personal information of over 17,000 employees and business partners. Nikkei is one of the largest media corporations worldwide and owns the Financial Times and The Nikkei, the world's largest financial newspaper. It has approximately 3.7 million digital paid subscriptions, as well as over 40 affiliated companies involved in publishing, broadcasting, events, database services, and the index business."
        https://www.bleepingcomputer.com/news/security/media-giant-nikkei-reports-data-breach-impacting-17-000-people/
      • Polish Loan Platform Hacked; Mobile Payment System And Other Businesses Disrupted
        "Polish authorities are investigating a series of cyberattacks that disrupted digital services and exposed personal data from several major companies, including a leading online lender and the country’s top mobile payment system. Digital Affairs Minister Krzysztof Gawkowski said cyberattacks targeting Poland’s public and private infrastructure are becoming “commonplace.” “We’re seeing thousands of incidents reported daily,” he added."
        https://therecord.media/poland-hacks-loan-platform-mobile-payments-system-travel-agency

      General News

      • How Nations Build And Defend Their Cyberspace Capabilities
        "In this Help Net Security interview, Dr. Bernhards Blumbergs, Lead Cyber Security Expert at CERT.LV, discusses how cyberspace has become an integral part of national and military operations. He explains how countries develop capabilities to act and defend in this domain, often in coordination with activities in other areas of conflict. Dr. Blumbergs also explains that, despite progress in forensics and AI, identifying who is responsible for cyberspace operations remains difficult and often uncertain."
        https://www.helpnetsecurity.com/2025/11/04/bernhards-blumbergs-cert-lv-cyberspace-operations-attribution/
      • Cybercriminals Have Built a Business On YouTube’s Blind Spots
        "The days when YouTube was just a place for funny clips and music videos are behind us. With 2.53 billion active users, it has become a space where entertainment, information, and deception coexist. Alongside everyday videos, the site has seen more scams, deepfakes, and promotions hiding harmful links behind familiar logos. Malware found in tutorials, hijacked creator accounts, and fraudulent investment content have become recurring issues."
        https://www.helpnetsecurity.com/2025/11/04/youtube-video-scams-cybercrime/
        https://www.arxiv.org/abs/2509.23418
      • Financial Services Can’t Shake Security Debt
        "In financial services, application security risk is becoming a long game. Fewer flaws appear in new code, but old ones linger longer, creating a kind of software “interest” that keeps growing, according to Veracode’s 2025 State of Software Security report. Researchers analyzed data from more than 1.3 million applications and 126 million security findings. Financial institutions perform better than average at preventing severe vulnerabilities, but they are slower to fix them and carry more long-term security debt than most other sectors."
        https://www.helpnetsecurity.com/2025/11/04/veracode-financial-services-security-debt/
        https://www.veracode.com/resources/analyst-reports/state-of-software-security-2025/
      • Decisive Actions Against Cryptocurrency Scammers Earning Over EUR 600 Million
        "Nine people suspected of money laundering have been arrested during a synchronised operation that took place in three countries at the same time. The suspects set up a cryptocurrency money laundering network that scammed victims out of over EUR 600 million. Eurojust, the EU’s judicial cooperation hub, ensured that French, Belgian, Cypriot, German and Spanish authorities worked together to take the network down."
        https://www.eurojust.europa.eu/news/decisive-actions-against-cryptocurrency-scammers-earning-over-eur-600-million
        https://www.bleepingcomputer.com/news/security/european-police-dismantles-600-million-crypto-investment-fraud-ring/
        https://therecord.media/9-arrested-europe-crypto-platform-takedown
        https://thehackernews.com/2025/11/europol-and-eurojust-dismantle-600.html
        https://www.infosecurity-magazine.com/news/french-police-seize-16m-euros/
        https://www.helpnetsecurity.com/2025/11/04/europe-crypto-scam-arrests/
      • Treasury Sanctions DPRK Bankers And Institutions Involved In Laundering Cybercrime Proceeds And IT Worker Funds
        "Today, the Department of the Treasury’s Office of Foreign Assets Control (OFAC) sanctioned eight individuals and two entities for their role in laundering funds derived from a variety of illicit Democratic People’s Republic of Korea (DPRK) schemes, including cybercrime and information technology (IT) worker fraud. “North Korean state-sponsored hackers steal and launder money to fund the regime’s nuclear weapons program,” said Under Secretary of the Treasury for Terrorism and Financial Intelligence John K. Hurley. “By generating revenue for Pyongyang’s weapons development, these actors directly threaten U.S. and global security. Treasury will continue to pursue the facilitators and enablers behind these schemes to cut off the DPRK’s illicit revenue streams.”"
        https://home.treasury.gov/news/press-releases/sb0302
        https://therecord.media/north-korea-us-sanctions-it-worker-scams-cybercrime
        https://cyberscoop.com/north-korean-companies-people-sanctioned-for-money-laundering-from-cybercrime-it-worker-schemes/
      • Software Supply Chain Attacks Surge To Record High In October 2025
        "Software supply chain attacks hit a new record in October that was more than 30% higher than the previous record set in April 2025. Cyble’s data – based on attacks claimed by threat actors on dark web data leak sites – shows that threat actors claimed 41 supply chain attacks in October, 10 more than the previous high seen in April. Supply chain attacks have remained elevated since April, averaging more than 28 a month since then, a rate that is more than twice as high as the 13 attacks per month seen between early 2024 and March 2025 (chart below)."
        https://cyble.com/blog/record-surge-in-software-supply-chain-attacks/
      • CISO Predictions For 2026
        "At the end of every year, Fortinet publishes the Global Threat Landscape Report, which details the year’s activity and makes cybersecurity predictions for the coming year. This year will be no different. However, as part of our CISO Collective, we have also inaugurated an annual CISO Predictions Report for 2026 this year. Here is a selection of issues we expect CISOs to be dealing with in 2026 and beyond."
        https://www.fortinet.com/blog/ciso-collective/ciso-predictions-for-2026
      • 2025 INSIDER RISK REPORT – The Shift To Predictive Whole-Person Insider Risk Management
        "The new 2025 Insider Risk Report, produced by Cybersecurity Insiders in collaboration with Cogility, highlights that nearly all security leaders (93%) say insider threats are as difficult or harder to detect than external cyberattacks. Yet only 23% express strong confidence in stopping them before serious damage occurs. The report warns that most organizations remain reactive despite a surge in AI-driven risks and the increasing prevalence of decentralized workforces."
        https://www.cybersecurity-insiders.com/2025-insider-risk-report-the-shift-to-predictive-whole-person-insider-risk-management/
      • Malicious Android Apps On Google Play Downloaded 42 Million Times
        "Hundreds of malicious Android apps on Google Play were downloaded more than 40 million times between June 2024 and May 2025, notes a report from cloud security company Zscaler. During the same period, the company observed a 67% year-over-year growth in malware targeting mobile devices, with spyware and banking trojans being a prevalent risk. Telemetry data shows that threat actors are shifting from traditional card fraud to exploiting mobile payments using phishing, smishing, SIM-swapping, and payment scams."
        https://www.bleepingcomputer.com/news/security/malicious-android-apps-on-google-play-downloaded-42-million-times/
      • Preparing For Threats To Come: Cybersecurity Forecast 2026
        "Every November, we make it our mission to equip organizations with the knowledge needed to stay ahead of threats we anticipate in the coming year. The Cybersecurity Forecast 2026 report, released today, provides comprehensive insights to help security leaders and teams prepare for those challenges. This report does not contain "crystal ball" predictions. Instead, our forecasts are built on real-world trends and data we are observing right now. The information contained in the report comes directly from Google Cloud security leaders, and dozens of experts, analysts, researchers, and responders directly on the frontlines."
        https://cloud.google.com/blog/topics/threat-intelligence/cybersecurity-forecast-2026

      References
      Electronic Transactions Development Agency (ETDA)

      Posted in Cyber Security News
      NCSA_THAICERT
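Two items in the Malware section above describe endpoint behaviour that can be hunted for directly: Curly COMrades enabling Hyper-V on compromised Windows 10 workstations to run a hidden VM, and DragonForce loading the vulnerable drivers truesight.sys and rentdrv2.sys to kill security software. The script below is an added example written for this digest; it is not code from Bitdefender, Acronis or the original post. It assumes Sysmon-style telemetry exported as dicts (Event ID 1 for process creation, Event ID 6 for driver load, with the standard Sysmon field names), treats vmwp.exe (the per-VM worker process) and vmms.exe (the management service) as evidence of a running hypervisor, and uses a hypothetical allowlist of hosts where virtualization is expected. All sample events are constructed.

```python
"""Hunting logic for two behaviours described in the digest:
  1. Hyper-V enabled, or VMs running, on workstations that should not
     host VMs (the Curly COMrades hidden-VM technique), and
  2. loading of the drivers named in the DragonForce report (BYOVD evasion).
Input: Sysmon-style events as dicts (EventID 1 = process created,
EventID 6 = driver loaded). All sample data below is constructed.
"""
from dataclasses import dataclass
from typing import Iterable

# Driver file names from the Acronis DragonForce write-up. A production check
# should use a full blocklist (e.g. the Microsoft recommended driver block rules).
BYOVD_DRIVERS = {"truesight.sys", "rentdrv2.sys"}

# vmwp.exe is the per-VM worker process and vmms.exe the management service, so
# either one on a host that is not meant to run VMs signals an unexpected hypervisor.
HYPERV_PROCESSES = {"vmwp.exe", "vmms.exe"}
HYPERV_FEATURE = "microsoft-hyper-v"   # DISM feature name that enables the role

# Hosts expected to run Hyper-V (hypothetical allowlist for this example).
EXPECTED_VIRT_HOSTS = {"hv-lab-01"}


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    detail: str


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def hunt(events: Iterable[dict]) -> list[Finding]:
    """Return one Finding per event that matches a hunting rule."""
    findings: list[Finding] = []
    for ev in events:
        host = str(ev.get("Computer", "?"))
        eid = ev.get("EventID")
        if eid == 6:
            # Driver load. BYOVD drivers carry a valid signature by design, so a
            # "Valid" SignatureStatus is not a reason to ignore the load.
            name = _basename(ev.get("ImageLoaded", ""))
            if name in BYOVD_DRIVERS:
                findings.append(Finding(
                    host, "byovd_driver",
                    f"{name} loaded from {ev.get('ImageLoaded')} "
                    f"(SignatureStatus={ev.get('SignatureStatus', '?')})"))
        elif eid == 1:
            if host.lower() in EXPECTED_VIRT_HOSTS:
                continue   # virtualization is expected on this host
            image = _basename(ev.get("Image", ""))
            cmd = str(ev.get("CommandLine", "")).lower()
            if image in HYPERV_PROCESSES:
                findings.append(Finding(
                    host, "hyperv_on_workstation",
                    f"{image} started by {ev.get('User', '?')}"))
            elif "enable-feature" in cmd and HYPERV_FEATURE in cmd:
                findings.append(Finding(
                    host, "hyperv_enabled",
                    f"Hyper-V role enabled: {ev.get('CommandLine')}"))
    return findings


def summarize_by_host(findings: Iterable[Finding]) -> dict[str, set[str]]:
    """Map each host to the set of rules that fired on it."""
    summary: dict[str, set[str]] = {}
    for f in findings:
        summary.setdefault(f.host, set()).add(f.rule)
    return summary


# Constructed sample telemetry (not real logs; host names and GUID are made up).
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "ws-fin-07", "User": "CORP\\svc_backup",
     "Image": "C:\\Windows\\System32\\Dism.exe",
     "CommandLine": "dism.exe /online /enable-feature /featurename:Microsoft-Hyper-V /all /norestart"},
    {"EventID": 1, "Computer": "ws-fin-07", "User": "NT AUTHORITY\\SYSTEM",
     "Image": "C:\\Windows\\System32\\vmwp.exe",
     "CommandLine": "vmwp.exe 0b1c2d3e-0000-4000-8000-000000000001"},
    {"EventID": 1, "Computer": "hv-lab-01", "User": "NT AUTHORITY\\SYSTEM",
     "Image": "C:\\Windows\\System32\\vmwp.exe",
     "CommandLine": "vmwp.exe 0b1c2d3e-0000-4000-8000-000000000002"},
    {"EventID": 6, "Computer": "ws-fin-07",
     "ImageLoaded": "C:\\Windows\\Temp\\truesight.sys", "SignatureStatus": "Valid"},
    {"EventID": 1, "Computer": "ws-eng-02", "User": "CORP\\alice",
     "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe"},
    {"EventID": 6, "Computer": "ws-eng-02",
     "ImageLoaded": "C:\\Windows\\System32\\drivers\\rentdrv2.sys",
     "SignatureStatus": "Valid"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.host}: {f.detail}")
```

On the sample data the script flags ws-fin-07 three times (Hyper-V enabled via DISM, a VM worker process running, and truesight.sys loaded from a temp directory) and ws-eng-02 once for rentdrv2.sys, while the allowlisted lab host is ignored. The driver rule is intentionally placed before the allowlist check: a vulnerable driver is a finding on any host, whereas Hyper-V is only suspicious where it is not expected.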
    • Hackers use RMM remote-control tools to breach transport companies and take control of cargo shipments

      Follow the news on the webboard or on Facebook NCSA Thailand

      Posted in Cyber Security News
      NCSA_THAICERT
    • Hackers steal over USD 120 million in digital assets from the Balancer DeFi protocol

      Follow the news on the webboard or on Facebook NCSA Thailand

      Posted in Cyber Security News
      NCSA_THAICERT
    • Trojanized VSX extension "SleepyDuck" found using Ethereum as a fallback command-and-control channel

      Follow the news on the webboard or on Facebook NCSA Thailand

      Posted in Cyber Security News
      NCSA_THAICERT
    • University of Pennsylvania breached; hackers claim theft of over 1.2 million donor records

      Follow the news on the webboard or on Facebook NCSA Thailand

      Posted in Cyber Security News
      NCSA_THAICERT
    • Australian government warns of attacks on unpatched Cisco IOS XE devices at risk of the “BadCandy” webshell

      Follow the news on the webboard or on Facebook NCSA Thailand

      Posted in Cyber Security News
      NCSA_THAICERT