Follow the news on the webboard or the NCSA Thailand Facebook page.
Post created by NCSA_THAICERT
-
UnitedHealth reveals 190 million people were affected by its massive 2024 data breach
-
MintsLoader, a malware loader delivering StealC and BOINC, targets energy sector organizations
-
Subaru Starlink vulnerability allowed vehicles to be hacked remotely
-
Microsoft announces it will end driver synchronization through WSUS by April 2025
-
CISA adds one known exploited vulnerability to catalog
The Cybersecurity and Infrastructure Security Agency (CISA) has announced the addition of one new vulnerability to its catalog. The vulnerability may already be known to hacker groups; vulnerabilities of this type are frequent attack vectors for cybercriminals and pose significant risks to government agencies.
CVE-2025-23006 SonicWall SMA1000 Appliances Deserialization Vulnerability
A pre-authentication deserialization of untrusted data vulnerability has been identified in the SMA1000 Appliance Management Console (AMC) and Central Management Console (CMC), which under specific conditions could allow a remote unauthenticated attacker to execute arbitrary OS commands.
-
Vulnerability found in 7-Zip allows bypass of the Mark of the Web (MotW) feature
-
Cloudflare blocks Mirai botnet DDoS attack reaching 5.6 Tbps
-
CISA adds one known exploited vulnerability to catalog
The Cybersecurity and Infrastructure Security Agency (CISA) has announced the addition of one new vulnerability to its catalog. The vulnerability may already be known to hacker groups; vulnerabilities of this type are frequent attack vectors for cybercriminals and pose significant risks to government agencies.
CVE-2020-11023 JQuery Cross-Site Scripting (XSS) Vulnerability
In jQuery versions 1.0.3 and later, and before 3.5.0, passing HTML from untrusted sources, even after sanitizing it, to one of jQuery's DOM manipulation methods (e.g. .html(), .append(), and others) may execute untrusted code. This problem is fixed in jQuery 3.5.0.
-
Cyber Threat Intelligence 24 January 2025
Industrial Sector
- MySCADA MyPRO Manager
"Successful exploitation of these vulnerabilities could allow a remote attacker to execute arbitrary commands or disclose sensitive information."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-023-01
- Hitachi Energy RTU500 Series Product
"Successful exploitation of this vulnerability could allow an attacker to update the RTU500 with unsigned firmware."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-023-02
- Schneider Electric EVlink Home Smart And Schneider Charge
"Successful exploitation of this vulnerability may expose test credentials in the firmware binary."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-023-03
- Schneider Electric Easergy Studio
"Successful exploitation of this vulnerability may risk unauthorized access to the installation directory for Easergy Studio, which could allow an attacker with access to the file system to elevate privileges."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-023-04
- Schneider Electric EcoStruxure Power Build Rapsody
"Successful exploitation of this vulnerability could allow local attackers to potentially execute arbitrary code when opening a malicious project file."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-023-05
- HMS Networks Ewon Flexy 202
"Successful exploitation of this vulnerability could allow an attacker to disclose sensitive user credentials."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-023-06
New Tooling
- Web Cache Vulnerability Scanner: Open-Source Tool For Detecting Web Cache Poisoning
"The Web Cache Vulnerability Scanner (WCVS) is an open-source command-line tool for detecting web cache poisoning and deception. The scanner, developed by Maximilian Hildebrand, offers extensive support for various web cache poisoning and deception techniques. It features a built-in crawler to discover additional URLs for testing. The tool is designed to adapt to specific web caches for enhanced testing efficiency, is customizable, and integrates into existing CI/CD pipelines."
https://www.helpnetsecurity.com/2025/01/23/web-cache-vulnerability-scanner-detecting-web-cache-poisoning/
https://github.com/Hackmanit/Web-Cache-Vulnerability-Scanner
Vulnerabilities
- SonicWall Warns Of SMA1000 RCE Flaw Exploited In Zero-Day Attacks
"SonicWall is warning about a pre-authentication deserialization vulnerability in SonicWall SMA1000 Appliance Management Console (AMC) and Central Management Console (CMC), with reports that it has been exploited as a zero-day in attacks. The flaw, tracked as CVE-2025-23006 and rated critical (CVSS v3 score: 9.8), could allow remote unauthenticated attackers to execute arbitrary OS commands under specific conditions. The vulnerability affects all firmware versions of the SMA100 appliance up to 12.4.3-02804 (platform-hotfix)."
https://www.bleepingcomputer.com/news/security/sonicwall-warns-of-sma1000-rce-flaw-exploited-in-zero-day-attacks/
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0002
https://thehackernews.com/2025/01/sonicwall-urges-immediate-patch-for.html
https://cyberscoop.com/sonicwall-sma-zero-day-patch/
https://www.securityweek.com/sonicwall-learns-from-microsoft-about-potentially-exploited-zero-day/
https://www.helpnetsecurity.com/2025/01/23/sonicwall-sma-1000-exploited-zero-day-cve-2025-23006/
https://www.theregister.com/2025/01/23/sonicwall_critical_bug/
- Cisco Fixes Critical Vulnerability In Meeting Management
"Cisco has warned about a new privilege escalation vulnerability in its Meeting Management tool that could allow a remote attacker to gain administrator privileges on exposed instances. The vulnerability, CVE-2025-20156, was disclosed by Cisco on January 22 and is awaiting further analysis by the US National Vulnerability Database (NVD). Cisco also issued a security advisory the same day, allocating the flaw a severity score (CVSS) of 9.9, meaning it is a critical vulnerability."
https://www.infosecurity-magazine.com/news/cisco-critical-vulnerability/
- Cisco Fixes Critical Privilege Escalation Flaw In Meeting Management (CVSS 9.9)
"Cisco has released software updates to address a critical security flaw impacting Meeting Management that could permit a remote, authenticated attacker to gain administrator privileges on susceptible instances. The vulnerability, tracked as CVE-2025-20156, carries a CVSS score of 9.9 out of 10.0. It has been described as a privilege escalation flaw in the REST API of Cisco Meeting Management. "This vulnerability exists because proper authorization is not enforced upon REST API users," the company said in a Wednesday advisory. "An attacker could exploit this vulnerability by sending API requests to a specific endpoint.""
https://thehackernews.com/2025/01/cisco-fixes-critical-privilege.html
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cmm-privesc-uy2Vf8pc
https://www.securityweek.com/cisco-patches-critical-vulnerability-in-meeting-management/
https://securityaffairs.com/173361/security/cisco-meeting-management-critical-flaw.html
https://www.theregister.com/2025/01/23/cisco_fixes_critical_bug/
- CISA Adds One Known Exploited Vulnerability To Catalog
"CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
CVE-2020-11023 JQuery Cross-Site Scripting (XSS) Vulnerability"
https://www.cisa.gov/news-events/alerts/2025/01/23/cisa-adds-one-known-exploited-vulnerability-catalog
https://securityaffairs.com/173388/uncategorized/u-s-cisa-adds-jquery-flaw-known-exploited-vulnerabilities-catalog.html
- QNAP Fixes Six Rsync Vulnerabilities In NAS Backup, Recovery App
"QNAP has fixed six rsync vulnerabilities that could let attackers gain remote code execution on unpatched Network Attached Storage (NAS) devices. Rsync is an open-source file synchronization tool that supports direct file syncing via its daemon, SSH transfers via SSH, and incremental transfers that save time and bandwidth. It's widely used by many backup solutions like Rclone, DeltaCopy, and ChronoSync, as well as in cloud and server management operations and public file distribution."
https://www.bleepingcomputer.com/news/security/qnap-fixes-six-rsync-vulnerabilities-in-hbs-nas-backup-recovery-app/
- PANdora's Box: Vulnerabilities Found In NGFW
"Security appliances, such as firewalls, VPNs, and secure web gateways, are designed to protect organizations from cyber threats. However, these assets designed to protect enterprises are increasingly the target of attackers who exploit vulnerabilities in security appliances to gain access, evade security teams, and maintain persistence within target organizations. The issue is that security appliances, ironically, are often very poor regarding their own supply chain security and device integrity."
https://eclypsium.com/blog/pandoras-box-vulns-in-security-appliances/
https://thehackernews.com/2025/01/palo-alto-firewalls-found-vulnerable-to.html
Malware
- Hundreds Of Fake Reddit Sites Push Lumma Stealer Malware
"Hackers are distributing close to 1,000 web pages mimicking Reddit and the WeTransfer file sharing service that lead to downloading the Lumma Stealer malware. On the fake pages, the threat actor is abusing the Reddit brand by showing a fake discussion thread on a specific topic. The thread creator asks for help to download a specific tool, another user offers to help by uploading it to WeTransfer and sharing the link, and a third thanks him to make everything appear legitimate."
https://www.bleepingcomputer.com/news/security/hundreds-of-fake-reddit-sites-push-lumma-stealer-malware/
- FBI: North Korean IT Workers Steal Source Code To Extort Employers
"The FBI warned today that North Korean IT workers are abusing their access to steal source code and extort U.S. companies that have been tricked into hiring them. The security service alerted public and private sector organizations in the United States and worldwide that North Korea's IT army will facilitate cyber-criminal activities and demand ransoms not to leak online exfiltrated sensitive data stolen from their employers' networks."
https://www.bleepingcomputer.com/news/security/fbi-north-korean-it-workers-steal-source-code-to-extort-employers/
https://www.ic3.gov/PSA/2025/PSA250123
- The J-Magic Show: Magic Packets And Where To Find Them
"The Black Lotus Labs team at Lumen Technologies has been tracking the use of a backdoor attack tailored for use against enterprise-grade Juniper routers. This backdoor is opened by a passive agent that continuously monitors for a “magic packet,” sent by the attacker in TCP traffic. We have dubbed this campaign J-magic, it is a recent operation with the earliest sample uploaded to VirusTotal in September 2023. At present, we are unable to determine the initial access method, however once in place it installs the agent – a variant of cd00r – which passively scans for five different predefined parameters before activating. If any of these parameters or “magic packets” are received, the agent sends back a secondary challenge. Once that challenge is complete, J-magic establishes a reverse shell on the local file system, allowing the operators to control the device, steal data, or deploy malicious software."
https://blog.lumen.com/the-j-magic-show-magic-packets-and-where-to-find-them/
https://www.bleepingcomputer.com/news/security/stealthy-magic-packet-malware-targets-juniper-vpn-gateways/
https://thehackernews.com/2025/01/custom-backdoor-exploiting-magic-packet.html
https://www.darkreading.com/endpoint-security/black-magic-enterprise-juniper-routers-backdoor
https://cyberscoop.com/jmagic-juniper-networks-backdoor-freebsd-vpn/
https://www.helpnetsecurity.com/2025/01/23/juniper-enterprise-routers-backdoor-malware-j-magic/
- How GhostGPT Empowers Cybercriminals With Uncensored AI
"Artificial intelligence (AI) tools have changed the way we tackle day-to-day tasks, but cybercriminals are twisting that same technology for illegal activities. In 2023, WormGPT made headlines as an uncensored chatbot specifically designed for malicious purposes. Soon after, we started seeing other so-called “variants” pop up, like WolfGPT and EscapeGPT. Unlike traditional AI models that are constrained by guidelines to ensure safe and responsible interactions, uncensored AI chatbots operate without such guardrails, raising serious concerns about their potential misuse. Most recently, Abnormal Security researchers uncovered GhostGPT, a new uncensored chatbot that further pushes the boundaries of ethical AI use."
https://abnormalsecurity.com/blog/ghostgpt-uncensored-ai-chatbot
https://hackread.com/ghostgpt-malicious-ai-chatbot-fuel-cybercrime-scams/
https://www.infosecurity-magazine.com/news/ghostgpt-ai-chatbot-malware/
- HellCat And Morpheus | Two Brands, One Payload As Ransomware Affiliates Drop Identical Code
"The previous six months have seen heightened activity around new and emerging ransomware operations. Across the tail-end of 2024 and into 2025, we have seen the rise of groups such as FunkSec, Nitrogen and Termite. In addition, we have seen the return of Cl0p and a new version of LockBit (aka LockBit 4.0). Within this period of accelerated activity, the Ransomware-as-a-Service offerings HellCat and Morpheus have gained additional momentum and notoriety. Operators behind HellCat, in particular, have been vocal in their efforts to establish the RaaS as a ‘reputable’ brand and service within the crimeware economy."
https://www.sentinelone.com/blog/hellcat-and-morpheus-two-brands-one-payload-as-ransomware-affiliates-drop-identical-code/
https://thehackernews.com/2025/01/experts-find-shared-codebase-linking.html
- Lumma Stealer: Fake CAPTCHAs & New Techniques To Evade Detection
"In January, Netskope Threat Labs observed a new malware campaign using fake CAPTCHAs to deliver Lumma Stealer. Lumma is a malware that works in the malware-as-a-service (MaaS) model and has existed since at least 2022. The campaign is global, with Netskope Threat Labs tracking victims targeted in Argentina, Colombia, the United States, the Philippines, and other countries around the world. The campaign also spans multiple industries, including healthcare, banking, and marketing, with the telecom industry having the highest number of organizations targeted."
https://www.netskope.com/blog/lumma-stealer-fake-captchas-new-techniques-to-evade-detection
https://thehackernews.com/2025/01/beware-fake-captcha-campaign-spreads.html
- Qbot Is Back.Connect
"QBot is a modular information stealer also known as Qakbot or Pinkslipbot. It has been active since around 2007. It has historically been known as a banking Trojan, meaning that it steals financial data from infected systems, and a loader using C2 (Command and Control) servers for payload targeting and execution. On May 30th, 2024 Law Enforcement action[1] was taken against the Qbot operators in a coordinated effort to disrupt their activities. But like most things, while the actions taken did disrupt the activity, new signs are showing off a re-emergence of the operators."
https://medium.com/walmartglobaltech/qbot-is-back-connect-2d774052369f
https://thehackernews.com/2025/01/qakbot-linked-bc-malware-adds-enhanced.html
- TRIPLESTRENGTH Hits Cloud For Cryptojacking, On-Premises Systems For Ransomware
"Google on Wednesday shed light on a financially motivated threat actor named TRIPLESTRENGTH for its opportunistic targeting of cloud environments for cryptojacking and on-premise ransomware attacks. "This actor engaged in a variety of threat activity, including cryptocurrency mining operations on hijacked cloud resources and ransomware activity," the tech giant's cloud division said in its 11th Threat Horizons Report."
https://thehackernews.com/2025/01/triplestrength-targets-cloud-platforms.html
- Hackers Imitate Kremlin-Linked Group To Target Russian Entities
"A little-known hacking group has been mimicking the tactics of a prominent Kremlin-linked threat actor to target Russian-speaking victims, according to new research. In its latest campaign, the group being dubbed GamaCopy used phishing documents disguised as official reports about the location of Russian armed forces’ facilities in Ukraine. It also deployed an open-source software called UltraVNC to remotely access victims’ systems."
https://therecord.media/hacker-imitates-gamaredon-to-target-russia
- Salt Typhoon: An Analysis Of Vulnerabilities Exploited By This State-Sponsored Actor
"Salt Typhoon, a state-sponsored actor linked to the People’s Republic of China, has breached at least nine U.S.-based telecommunications companies with the intent to target high profile government and political figures. Tenable Research examines the tactics, techniques and procedures of this threat actor."
https://www.tenable.com/blog/salt-typhoon-an-analysis-of-vulnerabilities-exploited-by-this-state-sponsored-actor
https://www.theregister.com/2025/01/23/proxylogon_flaw_salt_typhoons_open/
Breaches/Hacks/Leaks
- Oxfam Hong Kong Data Leak: Watchdog Rules Charity Violated Privacy Law
"The local arm of international charity Oxfam violated the data protection law following a leak in July that potentially affected 550,000 people, Hong Kong’s privacy watchdog ruled in an investigation report on Thursday. The Office of the Privacy Commissioner for Personal Data also revealed there had been a nearly 30 per cent year-on-year increase in breach notifications in 2024. It said the number of doxxing cases fell 42 per cent year on year."
https://www.scmp.com/news/hong-kong/law-and-crime/article/3295957/oxfam-hong-kong-data-leak-watchdog-rules-charity-violated-privacy-law
- FortiGate Config Leaks: Victims' Email Addresses Published Online
"Thousands of email addresses included in the Belsen Group's dump of FortiGate configs last week are now available online, revealing which organizations may have been impacted by the 2022 zero-day exploits. Infosec expert Kevin Beaumont uploaded the IP and email addresses associated with the leaked FortiGate configs to GitHub, while fellow researcher Florian Roth separately extracted them and grouped them via top-level domains (TLDs)."
https://www.theregister.com/2025/01/23/fortigate_config_leaks_infoseccers_list_victim_emails/
General News
- Tesla EV Charger Hacked Twice On Second Day Of Pwn2Own Tokyo
"Security researchers hacked Tesla's Wall Connector electric vehicle charger twice on the second day of the Pwn2Own Automotive 2025 hacking contest. They also exploited 23 more zero-day vulnerabilities in WOLFBOX, ChargePoint Home Flex, Autel MaxiCharger, Phoenix Contact CHARX, and EMPORIA EV chargers, as well as in the Alpine iLX-507, Kenwood DMX958XR, Sony XAV-AX8500 In-Vehicle Infotainment (IVI) systems."
https://www.bleepingcomputer.com/news/security/tesla-ev-charger-hacked-twice-on-second-day-of-pwn2own-tokyo/
https://www.darkreading.com/vulnerabilities-threats/tesla-gear-hacked-multiple-times-pwn2own-contests
https://www.securityweek.com/tesla-charger-exploits-earn-hackers-129000-at-pwn2own/
https://securityaffairs.com/173376/hacking/pwn2own-automotive-2025-day-2.html
- Two North Korean Nationals And Three Facilitators Indicted For Multi-Year Fraudulent Remote Information Technology Worker Scheme That Generated Revenue For The Democratic People’s Republic Of Korea
"The Justice Department today announced the indictment of North Korean nationals Jin Sung-Il (진성일) and Pak Jin-Song (박진성), Mexican national Pedro Ernesto Alonso De Los Reyes, and U.S. nationals Erick Ntekereze Prince and Emanuel Ashtor for a fraudulent scheme to obtain remote information technology (IT) work with U.S. companies that generated revenue for the Democratic People’s Republic of Korea (DPRK or North Korea)."
https://www.justice.gov/opa/pr/two-north-korean-nationals-and-three-facilitators-indicted-multi-year-fraudulent-remote
https://therecord.media/doj-indicts-americans-for-running-laptop-farm-north-korea-scheme
https://cyberscoop.com/doj-indicts-five-in-north-korean-fake-it-worker-scheme/
- The Security Risk Of Rampant Shadow AI
"The rapid rise of artificial intelligence (AI) has cast a long shadow, but its immense promise comes with a significant risk: shadow AI. Shadow AI refers to the use of AI technologies, including AI models and generative AI (GenAI) tools outside of a company's IT-sanctioned governance. As more people use tools like ChatGPT to increase their efficiency at work, many organizations are banning publicly available GenAI for internal use. Among the organizations looking to prevent unnecessary security risks are those in the financial services and healthcare sectors, as well as technology companies like Apple, Amazon, and Samsung."
https://www.darkreading.com/vulnerabilities-threats/security-risk-rampant-shadow-ai
- Security Needs To Start Saying 'No' Again
"For years, cybersecurity was frequently (and derisively) referred to as the "Department of No." Business executives griped that in the face of innovation, cybersecurity teams would slap down ideas, list reasons why the project was insecure, and why what they wanted to do was not feasible. Then came a mindset change. As more security leaders were tasked with demonstrating a return on investment for security budgets, security departments started finding ways to say "yes" more often."
https://www.darkreading.com/cyber-risk/security-needs-start-saying-no-again
- Beyond Flesh And Code: Building An LLM-Based Attack Lifecycle With a Self-Guided Malware Agent
"Large Language Models (LLMs) are rapidly evolving, and their capabilities are attracting the attention of threat actors. This blog explores how malicious actors are utilizing LLMs to enhance their cyber operations and then delves into LLM-based tools and an advanced stealer managed by artificial intelligence (AI). While LLMs hold immense potential for improving cybersecurity through threat detection and analysis, their power can also be wielded for malicious purposes. Recent reports suggest that cybercriminals and nation-state actors are actively exploring LLMs for different tasks such as code generation, phishing emails, scripts, and more. We’ll elaborate on just a few examples in this blog."
https://www.deepinstinct.com/blog/beyond-flesh-and-code-building-an-llm-based-attack-lifecycle-with-a-self-guided-agent
- Defense Strategies To Counter Escalating Hybrid Attacks
"In this Help Net Security interview, Tomer Shloman, Sr. Security Researcher at Trellix, talks about attack attribution, outlines solutions for recognizing hybrid threats, and offers advice on how organizations can protect themselves against hybrid attacks."
https://www.helpnetsecurity.com/2025/01/23/tomer-shloman-trellix-hybrid-attacks/
- CISOs Dramatically Increase Boardroom Influence But Still Lack Soft Skills
"CISOs are gaining ground in the boardroom, but many of their C-suite peers believe there’s still work to be done to improve their business and soft skills, according to new research by Splunk. The Cisco company surveyed 500 CISOs or equivalent and 100 board members globally to compile The CISO Report 2025. It revealed that 82% of security leaders now report directly to the CEO, up from 47% in 2023. A further 83% said they participate in board meetings “somewhat often” or “most of the time.”"
https://www.infosecurity-magazine.com/news/cisos-increase-boardroom-influence/
- Record Number Of Ransomware Attacks In December 2024
"NCC Group on Wednesday published its cyber threat intelligence report for December 2024 and pointed out that the number of ransomware attacks seen at the end of the year is the highest of any month since it started tracking such activity in 2021. The cybersecurity firm saw 574 ransomware attacks in December 2024, with a new threat group named FunkSec accounting for more than 100 attacks, or 18% of the total. The group, whose members are likely inexperienced hackers, appears to be involved in both hacktivism and cybercrime."
https://www.securityweek.com/record-number-of-ransomware-attacks-in-december-2024/
https://insights.nccgroup.com/l/898251/2025-01-15/31km7v7/898251/1736933471Luh7mq1o/Dec_Monthly_Threat_Pulse_Freemium_V4.pdf
- Cyber Insights 2025: Malware Directions
"Cyber Insights 2025 examines expert opinions on the expected evolution of more than a dozen areas of cybersecurity interest over the next 12 months. We spoke to hundreds of individual experts to gain their expert opinions. Here we discuss what to expect with Malware Directions."
https://www.securityweek.com/cyber-insights-2025-malware-directions/
- New Research: The State Of Web Exposure 2025
"New research by web exposure management specialist Reflectiz reveals several alarming findings about the high number of website vulnerabilities organizations across many industries are needlessly exposing themselves to. For instance, one standout statistic from the report is that 45% of third-party applications access sensitive user information without good reason. Although third-party apps may be essential for marketing and functionality purposes, not all of them need access to the kind of personal and financial user information that cybercriminals are hunting for. It's safer to limit apps' access to it on a need-to-know basis."
https://thehackernews.com/2025/01/new-research-state-of-web-exposure-2025.html
https://www.reflectiz.com/learning-hub/web-exposure-management-report/
References
Electronic Transactions Development Agency (ETDA)
- MySCADA MyPRO Manager
-
Cyber Threat Intelligence 23 January 2025
Healthcare Sector
- Account Compromise And Phishing Top Healthcare Security Incidents
"The vast majority (84%) of healthcare organizations (HCOs) detected a cyber-attack or intrusion in 2024, with account hijacking and phishing the most common incidents, according to Netwrix. The cybersecurity software vendor polled IT and security professionals working in the sector globally as part of a wider study into hybrid cloud trends. It revealed that certain threats are more likely than others, depending on the IT environment."
https://www.infosecurity-magazine.com/news/account-compromise-phishing/
New Tooling
- Stratoshark: Wireshark For The Cloud – Now Available!
"Stratoshark is an innovative open-source tool that brings Wireshark’s detailed network visibility to the cloud, providing users with a standardized approach to cloud observability. Stratoshark incorporates much of Wireshark’s codebase, including its user interface elements. The interface and workflows will feel instantly recognizable for those already acquainted with Wireshark."
https://www.helpnetsecurity.com/2025/01/22/stratoshark-wireshark-cloud/
https://stratoshark.org/
Vulnerabilities
- Unauthenticated Privilege Escalation Vulnerability In RH – Real Estate Theme
"This blog post discusses the findings on the RealHome theme and the plugin that is installed with it, Easy Real Estate. Currently there are no known updates to fix this issue, so if you are a user of the theme and plugin, disabling them temporarily is recommended until the issues are fixed."
https://patchstack.com/articles/unauthenticated-privilege-escalation-vulnerability-patched-in-real-home-theme/
https://www.bleepingcomputer.com/news/security/critical-zero-days-impact-premium-wordpress-real-estate-plugins/
- Researcher Says ABB Building Control Products Affected By 1,000 Vulnerabilities
"A researcher claims to have found over 1,000 vulnerabilities in products made by electrification and automation solutions provider ABB, including flaws that can expose facilities to remote hacking. The vendor has released patches. The vulnerabilities were discovered by Gjoko Krstic, who is known for security research aimed at building management and access control systems, in ABB Cylon FLXeon and ABB Cylon Aspect building energy management and control solutions. Krstic told SecurityWeek that he uncovered just over 1,000 vulnerabilities in the Aspect product (including many with ‘critical’ and ‘high’ severity ratings), and 35 security holes in the FLXeon product."
https://www.securityweek.com/researcher-says-abb-building-control-products-affected-by-1000-vulnerabilities/
- 48,000+ Internet-Facing Fortinet Firewalls Still Open To Attack
"Despite last week’s confirmation of and warnings about long-standing exploitation of CVE-2024-55591, a critical vulnerability affecting Fortinet Fortigate firewalls, too many vulnerable devices are still accessible from the Internet and open to attack: over 48,000, according to data from the Shadowserver Foundation."
https://www.helpnetsecurity.com/2025/01/22/48000-internet-facing-fortinet-firewalls-still-open-to-attack/
- Cloudflare CDN Flaw Leaks User Location Data, Even Through Secure Chat Apps
"A security researcher discovered a flaw in Cloudflare's content delivery network (CDN), which could expose a person's general location by simply sending them an image on platforms like Signal and Discord. While the geo-locating capability of the attack is not precise enough for street-level tracking, it can provide enough data to infer what geographic region a person lives in and monitor their movements. Daniel's finding is particularly concerning for people who are highly concerned about their privacy, like journalists, activists, dissidents, and even cybercriminals."
https://www.bleepingcomputer.com/news/security/cloudflare-cdn-flaw-leaks-user-location-data-even-through-secure-chat-apps/
https://gist.github.com/hackermondev/45a3cdfa52246f1d1201c1e8cdef6117
- Cisco Warns Of Denial Of Service Flaw With PoC Exploit Code
"Cisco has released security updates to patch a ClamAV denial-of-service (DoS) vulnerability, which has proof-of-concept (PoC) exploit code. Tracked as CVE-2025-20128, the vulnerability is caused by a heap-based buffer overflow weakness in the Object Linking and Embedding 2 (OLE2) decryption routine, allowing unauthenticated, remote attackers to trigger a DoS condition on vulnerable devices. If this vulnerability is successfully exploited, it could cause the ClamAV antivirus scanning process to crash, preventing or delaying further scanning operations."
https://www.bleepingcomputer.com/news/security/cisco-warns-of-denial-of-service-flaw-with-poc-exploit-code/
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-clamav-ole2-H549rphA
- Invisible Prompt Injection: A Threat To AI Security
"Large language models (LLMs) are vulnerable to prompt injection, where users can manipulate inputs to redirect the model's behavior, potentially leading to misleading information, guideline violations, or exposure of sensitive data. To illustrate, consider the conversation with an LLM shown below. Why can’t the LLM provide an adequate response to such a simple question? This happens because it is attacked by invisible prompt injection."
https://www.trendmicro.com/en_us/research/25/a/invisible-prompt-injection-secure-ai.html
Malware
- PlushDaemon Compromises Supply Chain Of Korean VPN Service
"ESET researchers provide details on a previously undisclosed China-aligned APT group that we track as PlushDaemon and one of its cyberespionage operations: the supply-chain compromise in 2023 of VPN software developed by a South Korean company, where the attackers replaced the legitimate installer with one that also deployed the group’s signature implant that we have named SlowStepper – a feature-rich backdoor with a toolkit of more than 30 components."
https://www.welivesecurity.com/en/eset-research/plushdaemon-compromises-supply-chain-korean-vpn-service/
https://thehackernews.com/2025/01/plushdaemon-apt-targets-south-korean.html
https://www.bleepingcomputer.com/news/security/ipany-vpn-breached-in-supply-chain-attack-to-push-custom-malware/
https://www.darkreading.com/threat-intelligence/chinese-cyberspies-target-south-korean-vpn-supply-chain-attack
https://therecord.media/china-hacker-group-vpns-backdoor
https://www.helpnetsecurity.com/2025/01/22/plushdaemon-apt-slowstepper-supply-chain-compromise/
https://www.infosecurity-magazine.com/news/plushdaemon-apt-targeted-south/
- CISA And FBI Release Advisory On How Threat Actors Chained Vulnerabilities In Ivanti Cloud Service Applications
"CISA, in partnership with the Federal Bureau of Investigation (FBI), released Threat Actors Chained Vulnerabilities in Ivanti Cloud Service Applications. This advisory was crafted in response to active exploitation of vulnerabilities—CVE-2024-8963, an administrative bypass vulnerability; CVE-2024-9379, a SQL injection vulnerability; and CVE-2024-8190 and CVE-2024-9380, remote code execution vulnerabilities—in Ivanti Cloud Service Appliances (CSA) in September 2024."
https://www.cisa.gov/news-events/alerts/2025/01/22/cisa-and-fbi-release-advisory-how-threat-actors-chained-vulnerabilities-ivanti-cloud-service
https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-022a
https://www.securityweek.com/fbi-cisa-share-details-on-ivanti-exploits-chains-what-network-defenders-need-to-know/
- Telegram Captcha Tricks You Into Running Malicious PowerShell Scripts
"Threat actors on X are exploiting the news around Ross Ulbricht to direct unsuspecting users to a Telegram channel that tricks them into running PowerShell code that infects them with malware. The attack, spotted by vx-underground, is a new variant of the "Click-Fix" tactic that has become very popular among threat actors to distribute malware over the past year. However, instead of being fixes for common errors, this variant pretends to be a captcha or verification system that users must run to join the channel."
https://www.bleepingcomputer.com/news/security/telegram-captcha-tricks-you-into-running-malicious-powershell-scripts/
- Threat Spotlight: Tycoon 2FA Phishing Kit Updated To Evade Inspection
"Phishing-as-a-Service (PhaaS) provides attackers with advanced toolsets and templates that enable them to quickly deploy phishing campaigns. The rapid rise and evolution of PhaaS is driving a fundamental change in the phishing ecosystem, making the threat increasingly complex and sophisticated. The developers behind these phishing kits invest considerable resources in their creation and continuous enhancement. According to Barracuda threat analysts, around 30% of the credential attacks seen in 2024 made use of PhaaS, and this is expected to rise to 50% in 2025."
https://blog.barracuda.com/2025/01/22/threat-spotlight-tycoon-2fa-phishing-kit
https://www.infosecurity-magazine.com/news/tycoon-2fa-phishing-kit-upgraded/
- Botnets Never Die: An Analysis Of The Large Scale Botnet AIRASHI
"In August 2024, XLab observed a premeditated large-scale DDoS attack targeting the distribution platforms of the Chinese game Black Myth: Wukong, namely Steam and Perfect World. This attack operation was divided into four waves, with the attackers carefully selecting the peak online hours of gamers in various time zones to launch sustained attacks lasting several hours. They simultaneously targeted hundreds of servers distributed across 13 global regions belonging to Steam and Perfect World, aiming to achieve maximum destructive impact. The botnet involved in this attack operation referred to itself as AISURU at the time. This article will analyze the variants of the AISURU botnet, known as AIRASHI."
https://blog.xlab.qianxin.com/large-scale-botnet-airashi-en/
https://thehackernews.com/2025/01/hackers-exploit-zero-day-in-cnpilot.html
- Supply Chain Attack Hits Chrome Extensions, Could Expose Millions
"Cybersecurity outfit Sekoia is warning Chrome users of a supply chain attack targeting browser extension developers that has potentially impacted hundreds of thousands of individuals already. Dozens of Chrome extension developers have fallen victim to the attacks thus far, which aimed to lift API keys, session cookies, and other authentication tokens from websites such as ChatGPT and Facebook for Business."
https://www.theregister.com/2025/01/22/supply_chain_attack_chrome_extension/
Breaches/Hacks/Leaks
- Cyble Finds Thousands Of Security Vendor Credentials On Dark Web
"Account credentials from some of the largest cybersecurity vendors can be found on the dark web, a result of the growing problem of infostealers, according to an analysis of Cyble threat intelligence data. The credentials – available for as little as $10 in cybercrime marketplaces – span internal accounts and customer access across web and cloud environments, including internal security company enterprise and development environments that could pose substantial risks."
https://cyble.com/blog/thousands-of-security-vendor-credentials-found-on-dark-web/
https://www.infosecurity-magazine.com/news/cybersecurity-vendors-credentials/
General News
- Acronis CISO On Why Backup Strategies Fail And How To Make Them Resilient
"In this Help Net Security interview, Gerald Beuchelt, CISO at Acronis, discusses common backup strategy pitfalls, reasons for backup failures, and offers actionable advice for organizations looking to improve their backup and recovery processes."
https://www.helpnetsecurity.com/2025/01/22/gerald-beuchelt-acronis-backup-strategy/
- Privacy Professionals Feel More Stressed Than Ever
"Despite progress made in privacy staffing and strategy alignment, privacy professionals are feeling increasingly stressed on the job within a complex compliance and risk landscape, according to new research from ISACA. ISACA’s State of Privacy 2025 survey report, reflecting insights from more than 1,600 global professionals worldwide, found that 63% of privacy professionals say their role is more stressful now than it was five years ago, with 34% indicating it is significantly more stressful."
https://www.helpnetsecurity.com/2025/01/22/privacy-professionals-job-stress/
- Understanding Microsoft's CVSS v3.1 Ratings And Severity Scores
"Recently, I looked at Microsoft’s assigned CVSS v3.1 scores for Patch Tuesday vulnerabilities alongside the Microsoft assigned severity ratings. I wanted to revisit these numbers and see just how closely CVSS aligns with Microsoft’s opinion of severity. Disclaimer: I’m aware that CVSS v4.0 exists. However, Microsoft has not yet adopted it, and I wanted an apples-to-apples comparison."
https://www.tripwire.com/state-of-security/understanding-microsofts-cvss-v31-ratings-and-severity-scores
- Government Battles Against Tech Could Leave Consumers Less Secure
"Regulators around the globe are seeing the market power of consumer-facing tech companies and bringing cases against some of the industry’s biggest household names. They portray these legal fights as the conflicts of giants: the companies versus government regulators. Regulators have an essential mission to ensure companies play by the rules, preserving competition and giving people choices within those markets. Companies counter that they need to constantly innovate to create new products that capture consumer attention, while avoiding any perception they’re abusing their size."
https://cyberscoop.com/federal-government-regulators-tech-companies-consumers/
- Exploring Q4 2024 Brand Phishing Trends: Microsoft Remains The Top Target As LinkedIn Makes a Comeback
"Cyber criminals continue to refine their phishing tactics, targeting trusted global brands to deceive users and steal sensitive information. Check Point Research (CPR), the intelligence arm of Check Point Software, has unveiled its latest findings for Q4 2024, revealing key trends in brand phishing attacks."
https://blog.checkpoint.com/research/exploring-q4-2024-brand-phishing-trends-microsoft-remains-the-top-target-as-linkedin-makes-a-comeback/
- Cisco Previews AI Defenses To Cloud Security Platform
"Cisco is expanding its cloud security platform with new technology that will let developers detect and mitigate vulnerabilities in AI applications and their underlying models. The new Cisco AI Defense offering, introduced Jan. 15, is also designed to prevent data leakage by employees who use services like ChatGPT, Anthropic and Copilot. The networking giant already offers AI Defense to early access customers and plans to release it for general availability in March."
https://www.darkreading.com/cloud-security/cisco-previews-ai-defense-cloud-security
- Ransomware Attacks Surge To Record High In December 2024
"The highest monthly volume of global ransomware attacks ever recorded occurred in December 2024, according to NCC Group’s latest Threat Pulse report. The security firm detected 574 ransomware attacks during the month, which is the highest number since it began monitoring ransomware activity in 2021. NCC Group noted that there is traditionally a drop-off in the ransomware attacks in December, likely due to the holiday season."
https://www.infosecurity-magazine.com/news/ransomware-record-high-december/
- Questions Grow Over Whether Baltic Sea Cable Damage Was Sabotage Or Accidental
"Reports citing anonymous intelligence officials have suggested Western authorities are assessing the recent spate of cable breakages in the Baltic Sea to be accidents rather than acts of sabotage, despite widespread concern to the contrary. These assessments, which were revealed by The Washington Post and Norwegian newspaper Verdens Gang, have prompted strong criticisms from onlookers who argue that the nature of the incidents and their repeat occurrence indicate a pattern of behavior."
https://therecord.media/finland-eagle-s-tanker-questions-over-alleged-sabotage
- Hackers Exploit 16 Zero-Days On First Day Of Pwn2Own Automotive 2025
"On the first day of Pwn2Own Automotive 2025, security researchers exploited 16 unique zero-days and collected $382,750 in cash awards. Fuzzware.io is leading the competition after hacking the Autel MaxiCharger and Phoenix Contact CHARX SEC-3150 electric vehicle chargers using a stack-based buffer overflow and an origin validation error bug. This earned them $50,000 and 10 Master of Pwn points. Sina Kheirkhah of Summoning Team also earned $91,750 and 9.25 Master of Pwn points after hacking the Ubiquiti and Phoenix Contact CHARX SEC-3150 EV chargers using a hard-coded cryptographic key bug and a combo of three zero-days (one of them previously known)."
https://www.bleepingcomputer.com/news/security/hackers-exploit-16-zero-days-on-first-day-of-pwn2own-automotive-2025/
https://securityaffairs.com/173344/hacking/pwn2own-automotive-2025-day-1.html
https://www.securityweek.com/over-380000-paid-out-on-first-day-of-pwn2own-automotive-2025/
- Will 2025 See a Rise Of NHI Attacks?
"A look back at 2024's top non-human identity (NHI) attacks and their year-end explosion sends a worrying signal that 2025 is going to be a tough year for machine-to-machine identity theft. One year ago, NHI burst onto the scene with a big warning flare, when Cloudflare disclosed that NHI mismanagement caused a massive breach, stemming from the failure to rotate an access token and account credentials exposed in the 2023 Okta compromise."
https://www.darkreading.com/vulnerabilities-threats/will-2025-see-rise-nhi-attacks
- 73% Of UK Education Sector Hit By Cyber-Attacks In Past Five Years
"The UK education sector is a key target for cyber-attacks, with 73% of institutions having experienced at least one cyber-attack or breach in the past five years, according to new ESET research. The cybersecurity firm said that a fifth of institutions surveyed reported three or more cyber incidents. This comes as a UK school in Cheshire, Blacon High School, was forced to temporarily close after falling victim to a ransomware attack on January 17."
https://www.infosecurity-magazine.com/news/schools-hit-by-cyberattacks-in/
- Cyber Insights 2025: APIs – The Threat Continues
"APIs are easy to develop, simple to implement, and frequently attacked. They are prime and lucrative targets for cybercriminals. If this is the connected world, it is APIs that provide the connection points. Application programming interfaces allow different applications to share and reuse data. Since both connecting and sharing are increasing, so too is the use of APIs."
https://www.securityweek.com/cyber-insights-2025-apis-the-threat-continues/
References
Electronic Transactions Development Agency (ETDA)
- Account Compromise And Phishing Top Healthcare Security Incidents
-
CISA Releases Six Industrial Control Systems Advisories
The Cybersecurity and Infrastructure Security Agency (CISA) published 2 Industrial Control Systems (ICS) advisories on 23 January 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS, as follows:
- ICSA-25-023-01 mySCADA myPRO Manager
- ICSA-25-023-02 Hitachi Energy RTU500 Series Product
- ICSA-25-023-03 Schneider Electric EVlink Home Smart and Schneider Charge
- ICSA-25-023-04 Schneider Electric Easergy Studio
- ICSA-25-023-05 Schneider Electric EcoStruxure Power Build Rapsody
- ICSA-25-023-06 HMS Networks Ewon Flexy 202
CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations. Further details are available at https://www.cisa.gov/news-events/alerts/2025/01/23/cisa-releases-six-industrial-control-systems-advisories
References
https://www.cisa.gov/news-events/alerts/2025/01/23/cisa-releases-six-industrial-control-systems-advisories
-
Ongoing Campaign Targeting Amazon Web Services S3 Buckets
The Cyber Security Agency of Singapore (CSA) has reported a ransomware campaign targeting the Amazon Web Services S3 bucket feature. Users and administrators should follow the steps below to protect themselves. By abusing the versioning and encryption features, attackers can gain unauthorized access to data through stolen Identity and Access Management (IAM) credentials or through IAM roles configured with excessive permissions. Once access is obtained, the original data is rendered unusable until a ransom is paid, or until the S3 versioning feature is enabled, which allows victims to recover their data. This method exploits the widespread use of AWS in organizations, makes the data recovery process more complex, and has a severe impact where security settings are weak.
How attackers gain access to data
Initial access usually results from:
- Stolen IAM credentials
- IAM roles that grant excessive access permissions
Attackers may use phishing, social engineering, or misconfigurations to gain access to AWS accounts. Once they have access, they use AWS's own features to carry out the attack.
Impact of the attack
Organizations affected by this ransomware face:
- Severe operational disruption, because the data in the S3 bucket is encrypted and cannot be accessed
- Financial losses, which may include ransom payments, prolonged recovery time, and reputational damage
Reliance on cloud storage amplifies the impact of the attack, especially where no alternative backup plan exists.
Steps to protect your systems
Review and improve IAM policies:
- Apply the principle of least privilege to reduce access rights
- Audit IAM permissions regularly and revoke unnecessary rights
Enable multi-factor authentication (MFA):
- Enforce MFA for all user accounts and the root account to increase security
Monitor your AWS environment:
- Use AWS CloudTrail to log and track all account activity
- Enable AWS GuardDuty to detect suspicious behaviour and potential threats
Back up and recover data:
- Keep regular immutable backups, for example by using S3 Object Lock to prevent data from being deleted or overwritten
- Enable S3 versioning to keep multiple versions of objects in the bucket
- Test the data recovery process periodically to be prepared
Restrict access to S3 buckets:
- Configure bucket policies to tightly restrict access
- Enforce encryption of all stored data
Restrict the use of SSE-C:
- Avoid using Server-Side Encryption with Customer-Provided Keys (SSE-C), which attackers can use to encrypt data with their own key and lock victims out
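As an added example (not from the CSA advisory), the S3 bucket policy below implements the "restrict bucket access" and "restrict SSE-C" steps above: it refuses any upload that carries the SSE-C header, refuses suspending versioning or deleting object versions from a session that did not authenticate with MFA, and refuses all access over plain HTTP. The bucket name example-bucket is a placeholder, and the MFA statement assumes that principals allowed to delete versions are humans with MFA; automation roles that legitimately need those actions would require an exception.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenySSECUploads",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "Null": {
          "s3:x-amz-server-side-encryption-customer-algorithm": "false"
        }
      }
    },
    {
      "Sid": "DenyVersionDestructionWithoutMFA",
      "Effect": "Deny",
      "Principal": "*",
      "Action": [
        "s3:DeleteObjectVersion",
        "s3:PutBucketVersioning"
      ],
      "Resource": [
        "arn:aws:s3:::example-bucket",
        "arn:aws:s3:::example-bucket/*"
      ],
      "Condition": {
        "BoolIfExists": {
          "aws:MultiFactorAuthPresent": "false"
        }
      }
    },
    {
      "Sid": "DenyInsecureTransport",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::example-bucket",
        "arn:aws:s3:::example-bucket/*"
      ],
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}
```

Versioning and Object Lock are bucket settings rather than policy statements and must be enabled separately; with CloudTrail data events enabled for the bucket, PutObject calls blocked by DenySSECUploads appear as AccessDenied entries that can be alerted on.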
References
https://www.csa.gov.sg/alerts-and-advisories/alerts/al-2025-006
-
CISA And FBI Release Advisory On How Threat Actors Chained Vulnerabilities In Ivanti Cloud Service Applications
On 22 January 2025, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) jointly published Threat Actors Chained Vulnerabilities in Ivanti Cloud Service Applications. The advisory was prepared in response to the exploitation of several vulnerabilities: CVE-2024-8963, an administrative bypass vulnerability; CVE-2024-9379, a SQL injection vulnerability; and CVE-2024-8190 and CVE-2024-9380, remote code execution vulnerabilities, in Ivanti Cloud Service Appliances (CSA) in September 2024.
Using trusted third-party incident response data, CISA found that threat actors chained the listed vulnerabilities to gain initial access, achieve remote code execution (RCE), obtain credentials, and implant web shells on victim networks.
CISA and the FBI encourage network administrators and defenders to upgrade to the latest supported version of Ivanti CSA and to hunt for malicious activity on their networks using the detection methods and indicators of compromise (IOCs) provided in the advisory. In addition, all members of the cybersecurity community should consult CISA's Known Exploited Vulnerabilities catalog to manage vulnerabilities better and keep pace with threat activity. For more information and guidance on protecting against the most common and impactful threats, including tactics, techniques, and procedures, visit CISA's Cross-Sector Cybersecurity Performance Goals.
-
CERT-UA Warns Of Scammers Impersonating The Agency With Fake AnyDesk Connection Requests
-
Account Credentials Of Major Cybersecurity Vendors Found Leaked On The Dark Web
-
Cyber Threat Intelligence 22 January 2025
Healthcare Sector
- European Action Plan On The Cybersecurity Of Hospitals And Healthcare Providers
"On 15 January 2024, the Commission launched a European action plan to strengthen the cybersecurity of hospitals and healthcare providers. Part of the Political Guidelines of the 2024-2029 Commission mandate, the action plan focuses on improving threat detection, preparedness, and crisis response in the healthcare sector. It aims to provide tailored guidance, tools, services, and training to hospitals and healthcare providers. Several specific actions will be rolled out progressively in 2025 and 2026, in collaboration with health providers, Member States, and the cybersecurity community. This initiative marks the first sector-specific initiative to deploy the full range of EU cybersecurity measures."
https://digital-strategy.ec.europa.eu/en/library/european-action-plan-cybersecurity-hospitals-and-healthcare-providers
Industrial Sector
- Traffic Alert And Collision Avoidance System (TCAS) II
"Successful exploitation of these vulnerabilities could allow an attacker to manipulate safety systems and cause a denial-of-service condition."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-021-01
- Siemens SIMATIC S7-1200 CPUs
"Successful exploitation of this vulnerability could allow an unauthenticated attacker to change the CPU mode by tricking a legitimate and authenticated user with sufficient permissions on the target CPU to click on a malicious link."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-021-02
- ZF Roll Stability Support Plus (RSSPlus)
"Successful exploitation of this vulnerability could allow an unauthenticated attacker to remotely (proximal/adjacent with RF equipment) call diagnostic functions which could impact both the availability and integrity."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-021-03
New Tooling
- Fleet: Open-Source Platform For IT And Security Teams
"Fleet is an open-source platform for IT and security teams managing thousands of computers. It’s designed to work seamlessly with APIs, GitOps, webhooks, and YAML configurations. Fleet provides a single platform to secure and maintain all computing devices over the air. It offers a centralized solution, from mobile device management (MDM) to patching and verifying systems. It’s trusted in production environments. Deployments range from tens of thousands of hosts to large-scale environments supporting over 400,000 hosts."
https://www.helpnetsecurity.com/2025/01/21/fleet-open-source-platform-it-security-teams/
https://github.com/fleetdm/fleet
Vulnerabilities
- Oracle To Address 320 Vulnerabilities In January Patch Update
"Software giant Oracle is expected to release patches for 320 new security vulnerabilities affecting over 90 products and services across 27 categories. These categories include Oracle’s Communications applications and executives, Construction and Engineering appliances, middleware and servers, and products and services part of the Oracle E-Business Suite. According to a pre-release announcement, the concerned vulnerabilities range from low – with some being attributed CVSS scores between 4 and 6 – to critical severity."
https://www.infosecurity-magazine.com/news/oracle-320-vulnerabilities-january/
- JoCERT Issues Warning On Exploitable Command Injection Flaws In HPE Aruba Products
"JoCERT has issued an alert regarding critical command injection vulnerabilities discovered in HPE Aruba’s 501 Wireless Client Bridge. The vulnerabilities, tracked as CVE-2024-54006 and CVE-2024-54007, allow authenticated attackers with administrative privileges to execute arbitrary commands on the device’s underlying operating system. These flaws have been rated as high severity (CVSS score: 7.2) and pose a significant risk if left unaddressed. A publicly released proof-of-concept (PoC) exploit further amplifies the urgency for organizations using affected devices to take immediate action."
https://cyble.com/blog/jocert-warns-of-hpe-aruba-command-injection-flaws/
https://jocert.ncsc.jo/EN/ListDetails/Security_Alerts__Advisorites/1203/87
- 7-Zip Fixes Bug That Bypasses Windows MoTW Security Warnings, Patch Now
"A high-severity vulnerability in the 7-Zip file archiver allows attackers to bypass the Mark of the Web (MotW) Windows security feature and execute code on users' computers when extracting malicious files from nested archives. 7-Zip added support for MotW in June 2022, starting with version 22.00. Since then, it has automatically added MotW flags (special 'Zone.Id' alternate data streams) to all files extracted from downloaded archives. This flag informs the operating system, web browsers, and other applications that files may come from untrusted sources and should be treated with caution."
https://www.bleepingcomputer.com/news/security/7-zip-fixes-bug-that-bypasses-the-windows-motw-security-mechanism-patch-now/
Malware
- Medusa Ransomware: What You Need To Know
"Medusa is a ransomware-as-a-service (RaaS) platform that first came to prominence in 2023. The ransomware impacts organisations running Windows, predominantly exploiting vulnerable and unpatched systems and hijacking accounts through initial access brokers."
https://www.tripwire.com/state-of-security/medusa-ransomware-what-you-need-know
- Sophos MDR Tracks Two Ransomware Campaigns Using "Email Bombing," Microsoft Teams "Vishing"
"Sophos X-Ops' Managed Detection and Response (MDR) is actively responding to incidents tied to two separate groups of threat actors, each of which has used the functionality of Microsoft's Office 365 platform to gain access to targeted organizations with the likely goal of stealing data and deploying ransomware. Sophos MDR began investigating these two separate clusters of activity in response to customer incidents in November and December 2024. Sophos is tracking these threats as STAC5143 and STAC5777. Both threat actors operated their own Microsoft Office 365 service tenants as part of their attacks and took advantage of a default Microsoft Teams configuration that permits users on external domains to initiate chats or meetings with internal users."
https://news.sophos.com/en-us/2025/01/21/sophos-mdr-tracks-two-ransomware-campaigns-using-email-bombing-microsoft-teams-vishing/
https://therecord.media/fake-tech-support-russian-hackers-microsoft-teams
https://www.bleepingcomputer.com/news/security/ransomware-gangs-pose-as-it-support-in-microsoft-teams-phishing-attacks/
https://www.darkreading.com/cyberattacks-data-breaches/email-bombing-vishing-tactics-abound-microsoft-365-attacks
https://www.helpnetsecurity.com/2025/01/21/ransomware-attackers-are-vishing-organizations-via-microsoft-teams-email-bombing/
https://www.infosecurity-magazine.com/news/ransomware-email-bombing-teams/
https://cyberscoop.com/ransomware-groups-pose-as-fake-tech-support-over-teams/
https://www.securityweek.com/ransomware-groups-abuse-microsoft-services-for-initial-access/
- Fake Homebrew Google Ads Target Mac Users With Malware
"Hackers are once again abusing Google ads to spread malware, using a fake Homebrew website to infect Macs and Linux devices with an infostealer that steals credentials, browser data, and cryptocurrency wallets. The malicious Google ads campaign was spotted by Ryan Chenkie, who warned on X about the risk of malware infection. The malware used in this campaign is AmosStealer (aka 'Atomic'), an infostealer designed for macOS systems and sold to cyber criminals as a subscription of $1,000/month."
https://www.bleepingcomputer.com/news/security/fake-homebrew-google-ads-target-mac-users-with-malware/
- Mass Campaign Of Murdoc Botnet Mirai: A New Variant Of Corona Mirai
"The Qualys Threat Research Unit has uncovered a large-scale, ongoing operation within the Mirai campaign, dubbed Murdoc Botnet. This variant exploits vulnerabilities targeting AVTECH Cameras and Huawei HG532 routers. It demonstrates enhanced capabilities, exploiting vulnerabilities to compromise devices and establish expansive botnet networks. In this blog, we will explore Murdoc Botnet’s propagation methods and attack vectors."
https://blog.qualys.com/vulnerabilities-threat-research/2025/01/21/mass-campaign-of-murdoc-botnet-mirai-a-new-variant-of-corona-mirai
https://thehackernews.com/2025/01/murdocbotnet-found-exploiting-avtech-ip.html
https://www.darkreading.com/cyberattacks-data-breaches/mirai-botnet-spinoffs-global-wave-ddos-attacks
https://www.bankinfosecurity.com/new-mirai-variant-targets-flaws-in-cameras-routers-a-27343
https://hackread.com/mirai-variant-murdoc-botnet-ddos-attacks-iot-exploits/
https://securityaffairs.com/173294/cyber-crime/new-mirai-botnet-variant-murdoc-botnet-targets-avtech-ip-cameras-and-huawei-hg532-routers.html
https://www.infosecurity-magazine.com/news/mirai-variant-targets-cameras/
- Facilitating Phishing And Pig Butchering Activities Using Zendesk Infrastructure [Bait & Switch Mode]
"Phishing campaigns and "pig butchering" scams have increasingly exploited Zendesk's SaaS infrastructure, leveraging its free trial subdomains to mimic legitimate brands and deceive unsuspecting users. By registering subdomains with brand-like names, attackers create authentic-looking interfaces to facilitate phishing, data theft, and financial fraud. This misuse is compounded by B2B marketing tools that assist in gathering employee emails, and by Zendesk's lack of email verification for ticket assignments, which allows phishing emails to bypass spam filters. To mitigate these risks, organizations must implement proactive measures such as blacklisting unknown Zendesk instances, utilizing detection tools like XVigil, and educating employees about phishing tactics."
https://www.cloudsek.com/blog/facilitating-phishing-and-pig-butchering-activities-using-zendesk-infrastructure-bait-switch-mode
https://www.infosecurity-magazine.com/news/zendesk-subdomains-facilitate/
Breaches/Hacks/Leaks
- Government IT Contractor Conduent Says 'Third-Party Compromise' Caused Outages
"A recent outage affecting the government technology contractor Conduent was due to a cyberattack that compromised the company’s operating systems. A Conduent spokesperson told Recorded Future News the company recently “experienced an operational disruption due to a third-party compromise” of one of their operating systems. “This compromise was quickly contained and our technology environment is currently considered to be free of known malicious activity as confirmed by our third-party security experts,” the spokesperson said."
https://therecord.media/government-contractor-conduent-outage-compromise
- Russian Telecom Giant Rostelecom Investigates Suspected Cyberattack On Contractor
"A major Russian telecommunications provider, Rostelecom, said that it is investigating a suspected cyberattack on one of its contractors after hackers claimed to have leaked the company's data. Earlier on Tuesday, the hacker group, which calls itself Silent Crow, published a data dump containing thousands of customer emails and phone numbers allegedly stolen from Rostelecom. The company stated that the contractor is responsible for maintaining Rostelecom’s corporate website and procurement portal, both of which were reportedly targeted by hackers."
https://therecord.media/rostelecom-russia-contractor-data-breach
- Students, Educators Impacted By PowerSchool Data Breach
"California-based education tech giant PowerSchool is notifying students and educators that their personal information was compromised in a December 2024 data breach. The incident, the company says, was identified on December 28 and only involved its Student Information System (SIS) environments, which were accessed through the PowerSource community-focused customer support portal. According to PowerSchool, the incident did not cause operational disruption and no other products beyond PowerSchool SIS were affected."
https://www.securityweek.com/students-educators-impacted-by-powerschool-data-breach/
https://www.theregister.com/2025/01/22/powerschool_canada_lawsuits/
General News
- Scam Yourself Attacks: How Social Engineering Is Evolving
"We've entered a new era where verification must come before trust, and for good reason. Cyber threats are evolving rapidly, and one of the trends getting a fresh reboot in 2025 is the "scam yourself" attacks. These aren't your run-of-the-mill phishing scams. They are a sophisticated evolution of social engineering designed to deceive even the most tech-savvy users. Attackers exploit our routines, trust, overconfidence, and complacency to manipulate us into becoming unwitting accomplices in our own compromise."
https://www.helpnetsecurity.com/2025/01/21/scam-yourself-attacks/
- Addressing The Intersection Of Cyber And Physical Security Threats
"In this Help Net Security interview, Nicholas Jackson, Director of Cyber Operations at Bitdefender, discusses how technologies like AI, quantum computing, and IoT are reshaping cybersecurity. He shares his perspective on the new threats these advancements bring and offers practical advice for organizations to stay prepared."
https://www.helpnetsecurity.com/2025/01/21/nicholas-jackson-bitdefender-emerging-technologies-threats/
- Record-Breaking 5.6 Tbps DDoS Attack And Global DDoS Trends For 2024 Q4
"Welcome to the 20th edition of the Cloudflare DDoS Threat Report, marking five years since our first report in 2020. Published quarterly, this report offers a comprehensive analysis of the evolving threat landscape of Distributed Denial of Service (DDoS) attacks based on data from the Cloudflare network. In this edition, we focus on the fourth quarter of 2024 and look back at the year as a whole."
https://blog.cloudflare.com/ddos-threat-report-for-2024-q4/
https://www.bleepingcomputer.com/news/security/cloudflare-mitigated-a-record-breaking-56-tbps-ddos-attack/
- From Qualitative To Quantifiable: Transforming Cyber Risk Management For Critical Infrastructure
"Around the world, attacks against critical infrastructure have become increasingly common. More and more, these aggressions are carried out via mice and keyboards rather than bombs and missiles, such as with the 2021 ransomware attack on Colonial Pipeline. From a military strategy perspective, it’s easy to understand why, as cyberattacks against infrastructure can be executed remotely, cheaply, and with comparatively little risk, while having a debilitating effect across entire regions."
https://cyberscoop.com/from-qualitative-to-quantifiable-transforming-cyber-risk-management-for-critical-infrastructure/
- Why CISOs Must Think Clearly Amid Regulatory Chaos
"In the high-stakes world of cybersecurity, the ground is shifting beneath the feet of those charged with protecting our digital infrastructure. First came the new Securities and Exchange Commission (SEC) rules and lawsuits related to cybersecurity. More recently, a US Supreme Court ruling promises to reshape the regulatory landscape, compelling federal officials to rethink their approach to cyber governance. Yet amid this whirlwind of change that has descended on the industry, it's critical for chief information security officers (CISOs) to remain steadfast and not be deterred — or discouraged — by this shift."
https://www.darkreading.com/cybersecurity-operations/cisos-must-think-clearly-amid-regulatory-chaos
- Redline, Vidar And Raccoon Malware Stole 1 Billion Passwords In 2024
"Cybersecurity researchers at Specops are delivering a global wake-up call over a major password-related issue: over 1 billion passwords were stolen by malware in the past year. According to Specops Software’s 2025 Specops Breached Password Report shared with Hackread.com ahead of its publishing on Tuesday, millions of stolen passwords met standard complexity requirements. The report also highlights the prevalence of malware stolen credentials, with over a billion found in the last 12 months."
https://hackread.com/redline-vidar-raccoon-malware-stole-1-billion-passwords-2024/
- Cyber Insights 2025: Attack Surface Management
"Business transformation is redefining attack surface management (ASM). We can no longer simply define the Attack Surface (AS); but without that definition, how can we Manage it? “The attack surface of an organization represents all of the assets (physical, virtual or human) that a malicious actor can potentially use to breach an organization,” says Alex Hoff, co-founder and chief strategy officer at Auvik Networks."
https://www.securityweek.com/cyber-insights-2025-attack-surface-management/
- Under Lock And Key: Protecting Corporate Data From Cyberthreats In 2025
"There were over 3,200 data compromises in the United States in 2023, with 353 million victims, including those affected multiple times, according to the US Identity Theft Resource Center (ITRC). Each one of those individuals might be a customer that decides to take their business elsewhere as a result. Or an employee that reconsiders their position with your organization. That should be reason enough to prioritize data security efforts."
https://www.welivesecurity.com/en/business-security/under-lock-key-protecting-corporate-data-cyberthreats-2025/
- BreachForums Admin Conor Fitzpatrick (Pompompurin) To Be Resentenced
"Conor Brian Fitzpatrick, the 21-year-old founder of BreachForums, a notorious marketplace for stolen personal data, is set to be resentenced following a federal appeals court decision to vacate his previous punishment. The ruling comes after concerns that the original 17-day sentence failed to adequately reflect the seriousness of his crimes or serve as a deterrent."
https://hackread.com/breachforums-admin-conor-fitzpatrick-pompompurin-resentenced/
References
Electronic Transactions Development Agency (ETDA)
-
European Action Plan On The Cybersecurity Of Hospitals And Healthcare Providers
-
Hewlett Packard Enterprise investigates claims made by the IntelBroker hacker group
-
The APT group "DoNot Team" uses Tanzeem malware to attack organizations in South Asia
-
Vulnerabilities in 7-Zip
The Cyber Security Agency of Singapore (CSA) has published an alert that 7-Zip has released security updates addressing two vulnerabilities in the software, CVE-2025-0411 and CVE-2024-11477.
The Mark-of-the-Web bypass (CVE-2025-0411) allows a remote attacker to bypass the Mark-of-the-Web protection mechanism on affected 7-Zip installations. User interaction is required to exploit it: the target must visit a malicious page or open a malicious file.
The specific flaw exists in the handling of archived files. When extracting files from a crafted archive that carries the Mark-of-the-Web, 7-Zip does not propagate the Mark-of-the-Web to the extracted files, so the Windows protections that key off that mark (SmartScreen prompts, Office Protected View) are never triggered for them. This allows a remote attacker to execute arbitrary code by way of a specially crafted archive that the victim opens and extracts.
These vulnerabilities are fixed in 7-Zip version 24.09. Users and administrators are advised to update to the latest version. Note that 7-Zip has no automatic update mechanism, so the new build has to be installed manually or pushed through software deployment tooling; older copies bundled with other applications should be checked as well.
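The following script is an added example of how to verify the behaviour described above after an extraction; it is not code from CSA or from the 7-Zip project. On Windows, the Mark-of-the-Web is an NTFS alternate data stream named Zone.Identifier, so the check is simply: if the downloaded archive carries the stream, every file 7-Zip extracted from it should carry one too. The file names in the usage line are placeholders, the sample stream content in the docstring is constructed, and the stream reads assume Windows on an NTFS volume (on other platforms the stream is reported as absent). The version comparison against 24.09 is included as a second quick check of whether the installed build is patched.

```python
"""Added example (not from CSA or the 7-Zip project): check whether files
extracted from a Mark-of-the-Web (MotW) tagged archive kept their own MotW.

Windows stores MotW as an NTFS alternate data stream named Zone.Identifier.
7-Zip builds before 24.09 drop that stream from extracted files, so the
SmartScreen / Office Protected View warnings never fire for them.
Reading "<file>:Zone.Identifier" assumes Windows on NTFS; elsewhere
read_zone_identifier() simply reports the stream as absent.
"""
from pathlib import Path
from typing import Dict, List, Optional

ZONE_STREAM_SUFFIX = ":Zone.Identifier"
URLZONE_INTERNET = 3  # ZoneId that browsers write for downloaded files


def parse_zone_identifier(text: str) -> Dict[str, str]:
    """Parse the INI-style [ZoneTransfer] section into a dict.

    A typical stream as written by a browser (constructed sample):
        [ZoneTransfer]
        ZoneId=3
        ReferrerUrl=https://example.test/
        HostUrl=https://example.test/payload.7z
    """
    fields: Dict[str, str] = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section == "ZoneTransfer" and "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def is_marked(stream_text: Optional[str]) -> bool:
    """True when the stream marks the file as Internet (3) or Restricted sites (4)."""
    if stream_text is None:
        return False
    zone = parse_zone_identifier(stream_text).get("ZoneId", "")
    return zone.isdigit() and int(zone) >= URLZONE_INTERNET


def read_zone_identifier(path: Path) -> Optional[str]:
    """Read the file's Zone.Identifier stream; None when absent or unsupported."""
    try:
        with open(f"{path}{ZONE_STREAM_SUFFIX}", encoding="utf-8", errors="replace") as f:
            return f.read()
    except OSError:  # no such stream, non-NTFS volume, or non-Windows OS
        return None


def audit_extraction(archive: Path, out_dir: Path) -> List[Path]:
    """Return extracted files that lack MotW even though the archive carries it.

    A non-empty result after extracting with 7-Zip means the installed build
    did not propagate MotW, i.e. the behaviour CVE-2025-0411 describes.
    """
    if not is_marked(read_zone_identifier(archive)):
        return []  # untagged archive: nothing to propagate, nothing to check
    return [p for p in out_dir.rglob("*")
            if p.is_file() and not is_marked(read_zone_identifier(p))]


def apply_mark(path: Path, host_url: str) -> None:
    """Re-tag a file as Internet zone (remediation after a bad extraction)."""
    with open(f"{path}{ZONE_STREAM_SUFFIX}", "w", encoding="utf-8") as f:
        f.write(f"[ZoneTransfer]\r\nZoneId={URLZONE_INTERNET}\r\nHostUrl={host_url}\r\n")


def version_is_fixed(installed: str, fixed: str = "24.09") -> bool:
    """Numeric compare of 7-Zip version strings such as '24.08' vs '24.09'."""
    def parts(v: str):
        return tuple(int(x) for x in v.split("."))
    return parts(installed) >= parts(fixed)


if __name__ == "__main__":
    import sys
    # Usage: python motw_check.py <downloaded.7z> <extraction_dir>
    # (placeholder names; point it at whatever you actually extracted)
    archive, out_dir = Path(sys.argv[1]), Path(sys.argv[2])
    for p in audit_extraction(archive, out_dir):
        print(f"MotW missing: {p}")
```

Run it against an archive you downloaded with a browser (so the archive itself is tagged) and the folder 7-Zip extracted it into; any path it prints is a file that will open without the usual warning. apply_mark() is the corresponding one-off remediation for files already extracted by a vulnerable build; updating 7-Zip is still the real fix.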
References
https://www.csa.gov.sg/alerts-and-advisories/alerts/al-2025-005
-
CISA releases three Industrial Control Systems advisories
The Cybersecurity and Infrastructure Security Agency (CISA) released three Industrial Control Systems (ICS) advisories on 21 January 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS, as follows:
ICSA-25-021-01 Traffic Alert and Collision Avoidance System (TCAS) II
ICSA-25-021-02 Siemens SIMATIC S7-1200 CPUs
ICSA-25-021-03 ZF Roll Stability Support Plus (RSSPlus)
CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations. Further details at https://www.cisa.gov/news-events/alerts/2025/01/21/cisa-releases-three-industrial-control-systems-advisories