โพสต์ถูกสร้างโดย NCSA_THAICERT

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

เมื่อวันที่ 31 กรกฎาคม 2025 Cybersecurity and Infrastructure Security Agency (CISA) ได้เผยแพร่คำเตือนเกี่ยวกับช่องโหว่ความปลอดภัยที่ตรวจพบในอุปกรณ์ตรวจวัดแผ่นดินไหว Güralp FMUS Series ซึ่งเป็นผลิตภัณฑ์ของบริษัท Güralp Systems โดยช่องโหว่ดังกล่าวมีระดับความรุนแรงสูงมาก และสามารถถูกโจมตีจากระยะไกลได้โดยไม่ต้องใช้ความซับซ้อนหรือสิทธิ์เข้าถึงใด ๆ

ช่องโหว่หมายเลข CVE-2025-8286 เกิดจากการไม่มีการยืนยันตัวตนในการเข้าถึงฟังก์ชันที่สำคัญ (Missing Authentication for Critical Function - CWE-306) โดยผลิตภัณฑ์ดังกล่าวเปิดให้เข้าถึงผ่าน Telnet command line interface (CLI) โดยไม่ต้องยืนยันตัวตน ซึ่งอาจทำให้ผู้โจมตีสามารถเปลี่ยนแปลงการตั้งค่าฮาร์ดแวร์ แก้ไขหรือปลอมแปลงข้อมูล และสั่งรีเซ็ตอุปกรณ์กลับสู่ค่าเริ่มต้นจากโรงงาน (factory reset)
ช่องโหว่นี้มีระดับความรุนแรง(CVSS) v3 = 9.8 และ (CVSS) v4 = 9.3 ซึ่งถือว่าอยู่ในระดับร้ายแรงมาก

แนวทางการป้องกันและลดความเสี่ยง
บริษัท Güralp Systems ยังไม่ตอบสนองต่อความพยายามของ CISA ในการประสานงานแก้ไขช่องโหว่ อย่างเป็นทางการ ทาง CISA แนะนำให้ผู้ใช้งานดำเนินการตามแนวทางดังต่อไปนี้เพื่อบรรเทาความเสี่ยง ดังนี้
1.ลดการเปิดเผยอุปกรณ์ควบคุมต่ออินเทอร์เน็ต
2.วางระบบควบคุมไว้หลังไฟร์วอลล์ และแยกออกจากเครือข่ายภายในองค์กร
3.หากจำเป็นต้องเข้าถึงจากระยะไกล ให้ใช้วิธีที่ปลอดภัย เช่น VPN ที่ได้รับการอัปเดตล่าสุด
4.ดำเนินการวิเคราะห์ผลกระทบ (impact analysis) และประเมินความเสี่ยง (risk assessment) ก่อนใช้งานมาตรการป้องกันใด ๆ

ทั้งนี้ CISA ยังแนะนำให้องค์กรศึกษาแนวทางความมั่นคงปลอดภัยเพิ่มเติมได้ที่เว็บไซต์ CISA cisa.gov/ics ซึ่งมีเอกสารให้ดาวน์โหลด เช่น

• Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies
• ICS-TIP-12-146-01B – Targeted Cyber Intrusion Detection and Mitigation Strategies

อ้างอิง
https://www.cisa.gov/news-events/ics-advisories/icsa-25-212-01

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

เมื่อวันที่ 31 กรกฎาคม 2025 Cybersecurity and Infrastructure Security Agency (CISA) ได้เผยแพร่คำแนะนำด้านความปลอดภัยสำหรับผลิตภัณฑ์ Rockwell Automation ที่ให้บริการในลักษณะ Lifecycle Services ซึ่งมีการใช้งานร่วมกับซอฟต์แวร์ของ VMware โดยตรวจพบช่องโหว่ความปลอดภัยหลายรายการที่มีความรุนแรงสูง ซึ่งหากถูกนำไปใช้ประโยชน์โดยผู้ไม่หวังดี อาจส่งผลให้สามารถรันคำสั่งบนเครื่องแม่ข่าย (host) ได้ หรือก่อให้เกิดการรั่วไหลของข้อมูลจากหน่วยความจำของโปรเซสที่ติดต่อกับ vSockets

ผลิตภัณฑ์ที่ได้รับผลกระทบ
Rockwell Automation ระบุว่าผลิตภัณฑ์ที่ได้รับผลกระทบมีดังนี้:
Industrial Data Center (IDC) รุ่นที่ 1 ถึง 4
VersaVirtual Appliance (VVA) ซีรีส์ A และ B
Threat Detection Managed Services (TDMS) ทุกรุ่น
Endpoint Protection Service (เฉพาะที่ใช้งานร่วมกับ Rockwell Automation Proxy และ VMware)
Engineered and Integrated Solutions ที่ใช้ VMware ทุกรุ่น

รายละเอียดช่องโหว่ที่ตรวจพบ 4 รายการ ได้แก่

• CVE-2025-41236: ช่องโหว่ integer overflow ใน VMXNET3 ซึ่งอาจนำไปสู่การเขียนข้อมูลเกินขอบเขตหน่วยความจำ และรันคำสั่งบนเครื่องโฮสต์
• CVE-2025-41237: ช่องโหว่ integer underflow ใน VMCI ซึ่งอาจทำให้เกิด heap-based out-of-bounds write
• CVE-2025-41238: ช่องโหว่ heap overflow ใน PVSCSI controller
• CVE-2025-41239: การใช้หน่วยความจำที่ยังไม่ได้กำหนดค่าใน vSockets ส่งผลให้เกิดการรั่วไหลของข้อมูลหน่วยความจำ

ทั้งนี้ ช่องโหว่ทั้งสามรายการแรกมีคะแนน CVSS v4 เท่ากันที่ 9.4 ซึ่งถือว่ามีความรุนแรงในระดับสูงมาก ส่วนช่องโหว่สุดท้ายมีคะแนน 8.2 ถือว่ารุนแรงเช่นกัน

แนวทางการป้องกันและบรรเทาผลกระทบ
Rockwell Automation จะแจ้งผู้ใช้งานที่มีสัญญาบริการแบบ Infrastructure Managed Service หรือ Threat Detection Managed Service ให้ทราบแนวทางการแก้ไขที่เหมาะสม โดยสำหรับผู้ใช้งานที่ไม่ได้อยู่ภายใต้สัญญาดังกล่าว บริษัทแนะนำให้ศึกษาข้อมูลจาก Broadcom ซึ่งเป็นผู้ดูแล VMware ปัจจุบัน ผ่านทางเอกสารแพตช์และอัปเดตที่เผยแพร่ในเว็บไซต์ Broadcom

CISA ยังแนะนำแนวทางปฏิบัติเพื่อเพิ่มความปลอดภัย ดังนี้

• ลดการเปิดเผยระบบควบคุมต่อเครือข่ายภายนอก
• วางระบบควบคุมหลังไฟร์วอลล์และแยกออกจากเครือข่ายสำนักงาน
• ใช้งาน VPN ที่ทันสมัยและปลอดภัยสำหรับการเข้าถึงจากระยะไกล
• ดำเนินการประเมินความเสี่ยงและผลกระทบก่อนนำมาตรการใด ๆ ไปใช้
• ศึกษาเอกสารแนวทางจาก CISA อาทิ ICS-TIP-12-146-01B และแนวทาง Defense-in-Depth

อ้างอิง
https://www.cisa.gov/news-events/ics-advisories/icsa-25-212-02

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

Cybersecurity and Infrastructure Security Agency (CISA) ได้เผยแพร่คำแนะนำเกี่ยวกับระบบควบคุมอุตสาหกรรม (ICS) จำนวน 2 รายการ เมื่อวันที่ 31 กรกฎาคม 2025 โดยคำแนะนำเหล่านี้ให้ข้อมูลล่าสุดเกี่ยวกับประเด็นด้านความปลอดภัย ช่องโหว่ และการโจมตีที่เกี่ยวข้องกับ ICS

• ICSA-25-212-01: อุปกรณ์ตรวจวัดแผ่นดินไหวซีรีส์ Güralp FMUS
  CVSS v4 คะแนน 9.3 (ระดับร้ายแรงมาก) และ CVSS v3.1 คะแนน 9.8
  ผู้จำหน่าย: Güralp Systems
  ผลิตภัณฑ์: อุปกรณ์ตรวจวัดแผ่นดินไหว Güralp FMUS Series ทุกเวอร์ชัน
  ช่องโหว่ (CWE-306): อุปกรณ์เปิดให้ผู้ไม่ประสงค์ดีเข้าถึงผ่าน Telnet CLI โดยไม่ต้องยืนยันตัวตน
  วึ่งผู้โจมตีสามารถเข้ามา แก้ไขการตั้งค่าฮาร์ดแวร์, แก้ไขหรือปลอมข้อมูล, หรือ สั่ง factory reset อุปกรณ์ได้ โดยไม่ต้องมีสิทธิ์ใด ๆ
• ICSA-25-212-02: Rockwell Automation Lifecycle Services ที่ทำงานร่วมกับ VMware
  ผลิตภัณฑ์ของ Rockwell Automation Lifecycle Services ที่ใช้ระบบ VMware มีความเสี่ยงจากช่องโหว่จำนวนมากที่ถูกเปิดเผยโดย VMware เอง
  ผลิตภัณฑ์ VMware ที่ได้รับผลกระทบ
• vCenter Server
• ESXi
• Workstation
• Fusion
• Cloud Foundation

เวอร์ชัน Rockwell Automation ที่ได้รับผลกระทบ
ระบบที่มีการติดตั้งหรือใช้งานผลิตภัณฑ์ VMware ตามรายการด้านบน และไม่ได้อัปเดตแพตช์ล่าสุด

CISA แนะนำให้ผู้ใช้งานและผู้ดูแลระบบทำการตรวจสอบคำแนะนำ ICS ที่เผยแพร่ใหม่นี้เพื่อศึกษารายละเอียดทางเทคนิคและแนวทางการลดความเสี่ยง.

อ้างอิง
https://www.cisa.gov/news-events/alerts/2025/07/31/cisa-releases-two-industrial-control-systems-advisories

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

เมื่อวันที่ 1 สิงหาคม 2568 Cyber Security Agency of Singapore (CSA) ได้เผยแพร่เกี่ยวกับการพบช่องโหว่ระดับร้ายแรงในธีม WordPress "Alone"

บริษัท Bearsthemes ได้ออกแพตช์อัปเดตเพื่อแก้ไขช่องโหว่ระดับร้ายแรงในธีม WordPress ที่มีชื่อว่า Alone พร้อมแนะนำให้ผู้ใช้งานและผู้ดูแลระบบที่ใช้ธีมดังกล่าวดำเนินการอัปเดตเป็นเวอร์ชันล่าสุดโดยเร็วที่สุด ซึ่งช่องโหว่ดังกล่าวเป็นช่องโหว่หมายเลข CVE-2025-5394 มีคะแนนความรุนแรง CVSS เวอร์ชัน 3.1 อยู่ที่ระดับ 9.8 จัดอยู่ในกลุ่มความเสี่ยงระดับร้ายแรง (Critical)

ผลกระทบ
หากช่องโหว่ถูกใช้ประโยชน์โดยผู้ไม่หวังดี อาจทำให้ผู้โจมตีที่ไม่ได้รับการยืนยันตัวตนสามารถอัปโหลดไฟล์อันตรายเข้าสู่เว็บไซต์ที่ใช้ธีมดังกล่าว และนำไปสู่การควบคุมระบบจากระยะไกล (Remote Code Execution) รวมถึงการเข้าควบคุมเว็บไซต์ทั้งหมด มีรายงานว่าช่องโหว่นี้กำลังถูกใช้โจมตีอยู่ในขณะนี้

ผลิตภัณฑ์ที่ได้รับผลกระทบ
ช่องโหว่นี้ส่งผลกระทบต่อธีม WordPress Alone เวอร์ชัน 7.8.3 และเวอร์ชันก่อนหน้า

จึงแนะนำให้ผู้ใช้งานและผู้ดูแลระบบที่ใช้งานธีม Alone ดำเนินการอัปเดตเป็นเวอร์ชันล่าสุดโดยทันที เพื่อป้องกันความเสี่ยงจากการถูกโจมตีและรักษาความมั่นคงปลอดภัยของระบบเว็บไซต์

อ้างอิง
https://www.csa.gov.sg/alerts-and-advisories/alerts/al-2025-076/

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

Vulnerabilities

• 10,000 WordPress Sites Affected By Critical Vulnerabilities In HT Contact Form WordPress Plugin
  "On June 24th, 2025, we received a submission for an Arbitrary File Upload and an Arbitrary File Deletion vulnerability in HT Contact Form, a WordPress plugin with more than 10,000 active installations. The arbitrary file upload vulnerability can be used by unauthenticated attackers to upload arbitrary files to a vulnerable site and achieve remote code execution, which is typically leveraged for a complete site takeover. The arbitrary file deletion vulnerability can be used by unauthenticated attackers to delete arbitrary files, including the wp-config.php file, which can also make a site takeover possible. On July 4th, 2025, we also received a submission for an Arbitrary File Move vulnerability in HT Contact Form. This vulnerability can be used by unauthenticated attackers to move arbitrary files, including the wp-config.php file, which can also make a site takeover possible."
  https://www.wordfence.com/blog/2025/07/10000-wordpress-sites-affected-by-critical-vulnerabilities-in-ht-contact-form-wordpress-plugin/
  https://www.infosecurity-magazine.com/news/flaws-wordpress-plugin-expose/
• CISA Adds Three Known Exploited Vulnerabilities To Catalog
  "CISA has added three new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
  CVE-2025-20281 Cisco Identity Services Engine Injection Vulnerability
  CVE-2025-20337 Cisco Identity Services Engine Injection Vulnerability
  CVE-2023-2533 PaperCut NG/MF Cross-Site Request Forgery (CSRF) Vulnerability"
  https://www.cisa.gov/news-events/alerts/2025/07/28/cisa-adds-three-known-exploited-vulnerabilities-catalog
  https://www.bleepingcomputer.com/news/security/cisa-flags-papercut-rce-bug-as-exploited-in-attacks-patch-now/
  https://securityaffairs.com/180494/security/u-s-cisa-adds-cisco-ise-and-papercut-ng-mf-flaws-to-its-known-exploited-vulnerabilities-catalog.html
• Sploitlight: Analyzing a Spotlight-Based MacOS TCC Vulnerability
  "Microsoft Threat Intelligence has discovered a macOS vulnerability that could allow attackers to steal private data of files normally protected by Transparency, Consent, and Control (TCC), such as files in the Downloads folder, as well as caches utilized by Apple Intelligence. While similar to prior TCC bypasses like HM-Surf and powerdir, the implications of this vulnerability, which we refer to as “Sploitlight” for its use of Spotlight plugins, are more severe due to its ability to extract and leak sensitive information cached by Apple Intelligence, such as precise geolocation data, photo and video metadata, face and person recognition data, search history and user preferences, and more. These risks are further complicated and heightened by the remote linking capability between iCloud accounts, meaning an attacker with access to a user’s macOS device could also exploit the vulnerability to determine remote information of other devices linked to the same iCloud account."
  https://www.microsoft.com/en-us/security/blog/2025/07/28/sploitlight-analyzing-a-spotlight-based-macos-tcc-vulnerability/
  https://www.bleepingcomputer.com/news/security/microsoft-macos-sploitlight-flaw-leaks-apple-intelligence-data/
  https://hackread.com/macos-sploitlight-flaw-apple-intelligence-cached-data/
  https://www.theregister.com/2025/07/28/microsoft_spots_apple_bug/
  https://securityaffairs.com/180503/hacking/microsoft-uncovers-macos-flaw-allowing-bypass-tcc-protections-and-exposing-sensitive-data.html
• Code Execution Through Deception: Gemini AI CLI Hijack
  "Tracebit discovered a silent attack on Gemini CLI where, through a toxic combination of improper validation, prompt injection and misleading UX, inspecting untrusted code consistently leads to silent execution of malicious commands."
  https://tracebit.com/blog/code-exec-deception-gemini-ai-cli-hijack
  https://www.bleepingcomputer.com/news/security/flaw-in-gemini-cli-ai-coding-assistant-allowed-stealthy-code-execution/
  https://cyberscoop.com/google-gemini-cli-prompt-injection-arbitrary-code-execution/

Malware

• Endgame Gear Mouse Config Tool Infected Users With Malware
  "Gaming peripherals maker Endgame Gear is warning that malware was hidden in its configuration tool for the OP1w 4k v2 mouse hosted on the official website between June 26 and July 9, 2025. The infected file was hosted on 'endgamegear.com/gaming-mice/op1w-4k-v2,' so users downloading the tool from that page during this period were infected. Endgame Gear is a German PC gaming peripherals firm known for its pro-gaming gear, including the XM and OP1 series mice, which are highly regarded among reviewers and competitive players. Although not as big as brands like Logitech, Razer, and HyperX, it is a respected entity in the space and one of the key emerging firms in the ultra-light gaming mouse segment."
  https://www.bleepingcomputer.com/news/security/endgame-gear-mouse-config-tool-infected-users-with-malware/
• CVE-2025-20281: Cisco ISE API Unauthenticated Remote Code Execution Vulnerability
  "On January 25th, 2025, the Trend Zero Day Initiative (ZDI) received a report from Kentaro Kawane of GMO Cybersecurity by Ierae regarding a deserialization of untrusted data vulnerability in Cisco Identity Services Engine (ISE). This pre-authentication vulnerability existed in the enableStrongSwanTunnel method of the DescriptionRegistrationListener class. While analyzing this vulnerability, I noticed that the same function was also vulnerable to command injection as root. Cisco patched this initially as CVE-2025-20281(ZDI-25-609), but also released CVE-2025-20337 (ZDI-25-607) to fully address the vulnerability. You’ll see why below."
  https://www.zerodayinitiative.com/blog/2025/7/24/cve-2025-20281-cisco-ise-api-unauthenticated-remote-code-execution-vulnerability
  https://www.bleepingcomputer.com/news/security/exploit-available-for-critical-cisco-ise-bug-exploited-in-attacks/
• RedHook: A New Android Banking Trojan Targeting Users In Vietnam
  "Cyble Research and Intelligence Labs (CRIL) discovered ‘RedHook’, a sophisticated Android banking trojan targeting Vietnamese users through spoofed government and financial websites. It communicates to the command-and-control (C2) server using WebSocket and supports over 30 remote commands, enabling complete control over compromised devices. Code artifacts, including Chinese-language strings, suggest development by a Chinese-speaking threat actor or group. Despite its capabilities, RedHook currently has low antivirus detection, making it an active and stealthy threat in the region."
  https://cyble.com/blog/redhook-new-android-banking-targeting-in-vietnam/
• New Advanced Stealer (SHUYAL) Targets Credentials Across 19 Popular Browsers
  "Hybrid Analysis has analyzed a sophisticated new information stealer that combines extensive credential theft capabilities with advanced system reconnaissance and evasion tactics. Named SHUYAL based on unique identifiers discovered in the executable's PDB path, this previously undocumented stealer demonstrates comprehensive browser targeting, grabbing credentials from 19 different browsers ranging from mainstream applications like Chrome and Edge to privacy-focused options such as Tor."
  https://hybrid-analysis.blogspot.com/2025/07/new-advanced-stealer-shuyal-targets.html
  https://www.darkreading.com/endpoint-security/shuyal-stealer-targets-19-browsers-advanced-evasion
• Keitaro TDS Abused To Deliver AutoIT-Based Loader Targeting German Speakers
  "Sublime recently identified an attack campaign targeting German speakers with a romance/adult-themed scam. The attack emails used explicit language, conflicting identity details, and redirects to malicious domains using a commercial Traffic Distribution Service (TDS) named Keitaro TDS to deliver a malicious payload. Here’s what one of the messages looked like:"
  https://sublime.security/blog/keitaro-tds-abused-to-delivery-autoit-based-loader-targeting-german-speakers/
  https://hackread.com/malicious-iso-file-romance-scam-on-german-speakers/
• Revisiting UNC3886 Tactics To Defend Against Present Risk
  "On July 18, Singapore’s Coordinating Minister for National Security K. Shanmugam revealed that the country was facing a highly sophisticated threat actor targeting critical infrastructure—UNC3886. First reported in 2022, this advanced persistent threat (APT) group has been targeting essential services in Singapore, posing a severe risk to their national security. In this entry, we draw on observations and the tactics, techniques, and procedures (TTPs) from previously recorded UNC3886 attacks. Our aim is to get a good understanding of this threat group and enhance overall defensive posture against similar tactics."
  https://www.trendmicro.com/en_us/research/25/g/revisiting-unc3886-tactics-to-defend-against-present-risk.html
• Cyber Stealer Analysis: When Your Malware Developer Has FOMO About Features
  "First identified by eSentire's Threat Response Unit (TRU) in May 2025, Cyber Stealer represents a new and actively developing threat. The malware authors are consistently updating the tool based on user feedback from hacking forums, indicating an agile development process and suggesting the threat will continue to evolve and become more sophisticated. The malware compresses stolen data into a zip archive and sends it to the Command & Control (C2) server via HTTP POST requests, including detailed statistics about the types and quantities of stolen data (passwords, credit cards, cookies, etc.). The malware maintains regular communication with its C2 server through various endpoints, including heartbeat checks, XMR miner configuration, task checks, configuration updates, and data exfiltration. The C2 URL can be dynamically updated through Pastebin, with a hardcoded backup URL if that fails."
  https://www.esentire.com/blog/cyber-stealer-analysis-when-your-malware-developer-has-fomo-about-features

Breaches/Hacks/Leaks

• Tea App Leak Worsens With Second Database Exposing User Chats
  "The Tea app data breach has grown into an even larger leak, with the stolen data now shared on hacking forums and a second database discovered that allegedly contains 1.1 million private messages exchanged between the app's members. The Tea app is a women-only dating safety platform where members can share reviews about men, with access to the platform only granted after providing a selfie and government ID verification. On Friday, an anonymous user posted on 4chan that Tea used an unsecured Firebase storage bucket to store drivers' licenses and selfies uploaded by members to verify they are women, as well as photos and images shared in comments."
  https://www.bleepingcomputer.com/news/security/tea-app-leak-worsens-with-second-database-exposing-user-chats/
  https://therecord.media/tea-app-data-breach-stolen-ids-leaked
  https://www.infosecurity-magazine.com/news/dating-app-breach-exposes-13000/
  https://hackread.com/tea-app-breach-women-dating-platform-user-images-leak/
• France's Warship Builder Naval Group Investigates 1TB Data Breach
  "France's state-owned defense firm Naval Group is investigating a cyberattack after 1TB of allegedly stolen data was leaked on a hacking forum. The company characterized this as a "destabilization attempt" and a "reputational attack," to which it has responded by filing a complaint to protect its client's data. Meanwhile, Naval Group is investigating with the assistance of external experts to determine if the leaked data originated from them. Despite the gravity of the claims, the company maintains that it sees no signs of an IT systems breach, and its operations haven't been impacted."
  https://www.bleepingcomputer.com/news/security/frances-warship-builder-naval-group-investigates-1tb-data-breach/
  https://www.infosecurity-magazine.com/news/naval-group-denies-hack/
• GLOBAL GROUP Ransomware Claims Breach Of Media Giant Albavisión
  "The GLOBAL GROUP ransomware gang is claiming responsibility for a breach of Albavisión (albavision.tv), a major Spanish-language media conglomerate based in Miami, Florida. The group also claims to have stolen 400 GB of data. GLOBAL GROUP is a newly emerged Ransomware-as-a-Service (RaaS) operation that has been active since early June 2025. The group has targeted multiple sectors globally, including media and healthcare, with Albavisión listed as its 29th claimed victim since its launch. What sets GLOBAL GROUP ransomware apart from other gangs is its use of an AI-driven negotiation tool. This system employs chatbots to handle negotiations with victims, particularly those who do not speak English."
  https://hackread.com/global-group-ransomware-media-giant-albavision-breach/
• Cyberattack On Aeroflot Causing Mass Flight Disruptions, Russia Says
  "Russian authorities confirmed on Monday that Aeroflot, the country’s largest airline and national carrier, has been hit with a cyberattack causing widespread flight delays and cancellations. Aeroflot said a “technical failure” was to blame for the disruption, which began Monday morning and has forced the airline to cancel more than 50 flights, including on popular domestic routes such as Moscow, St. Petersburg and Sochi. Some flights planned for later in the week were also canceled. The company said it is working to restore normal operations and promised to refund passengers or rebook their tickets once its systems are back online. Aeroflot’s shares dropped nearly 4% on Monday. The disruptions also hit the company’s subsidiaries, Rossiya and Pobeda."
  https://therecord.media/cyberattack-aeroflot-russia-delays
  https://www.politico.com/news/2025/07/28/cyberattack-on-russian-airline-aeroflot-causes-the-cancellation-of-more-than-100-flights-00479963
  https://www.bankinfosecurity.com/russias-flag-carrier-cancels-flights-after-hack-attack-a-29065
  https://www.theregister.com/2025/07/28/aeroflot_system_compromise/
  https://www.securityweek.com/cyberattack-on-russian-airline-aeroflot-causes-the-cancellation-of-more-than-100-flights/

General News

• Your Supply Chain Security Strategy Might Be Missing The Biggest Risk
  "Third-party involvement in data breaches has doubled this year from 15 percent to nearly 30 percent. In response, many organizations have sharpened their focus on third-party risk management, carefully vetting the security practices of their vendors. However, a critical gap remains that many organizations overlook: fourth-party risk."
  https://www.helpnetsecurity.com/2025/07/28/vendor-risk-management/
• The Legal Minefield Of Hacking Back
  "In this Help Net Security interview, Gonçalo Magalhães, Head of Security at Immunefi, discusses the legal and ethical implications of hacking back in cross-border cyber incidents. He warns that offensive cyber actions risk violating international law, escalating conflicts, and harming innocent third parties. Instead, Magalhães advocates for legally sanctioned frameworks, such as bug bounty programs, to strengthen security without crossing dangerous lines."
  https://www.helpnetsecurity.com/2025/07/28/goncalo-magalhaes-immunefi-hacking-back-concerns/
• How To Spot Malicious AI Agents Before They Strike
  "Today's businesses know they have an artificial intelligence fraud problem — and as agentic AI becomes more widely deployed, it introduces a whole new dimension to the battle of the machines. Success won't come solely from fighting AI with AI, but by evolving people and processes, starting with tighter collaboration between security and fraud teams. Automated defenses are essential. But given how successful phishing and credential-based attacks still are, we must accept that malicious agents will often appear legitimate — and gain access. Defending against them requires speed, but not at the expense of paralyzing online commerce. It's the same old dilemma: security slowing down business. Only now, the stakes are far higher. Think of a Mirai-style botnet but powered by malicious AI agents. That's the kind of threat we want to stay ahead of."
  https://www.darkreading.com/vulnerabilities-threats/spot-malicious-ai-agents-strike
• Too Many Threats, Too Much Data, Say Security And IT Leaders. Here’s How To Fix That
  "An overwhelming volume of threats and data combined with the shortage of skilled threat analysts has left many security and IT leaders believing that their organizations are vulnerable to cyberattacks and stuck in a reactive state. That’s according to the new Threat Intelligence Benchmark, a commissioned study conducted by Forrester Consulting on behalf of Google Cloud, on the threat intelligence practices of more than 1,500 IT and cybersecurity leaders from eight countries and across 12 industries. Operationalizing threat intelligence remains a major challenge, said a majority of the survey’s respondents."
  https://cloud.google.com/blog/products/identity-security/too-many-threats-too-much-data-new-survey-heres-how-to-fix-that
  https://cloud.google.com/resources/content/security-forrester-harness-ai-transform-threat-intelligence
  https://www.theregister.com/2025/07/28/security_pros_drowning_in_threatintel/

อ้างอิง
Electronic Transactions Development Agency(ETDA)

Vulnerabilities

• Post SMTP Plugin Flaw Exposes 200K WordPress Sites To Hijacking Attacks
  "More than 200,000 WordPress websites are using a vulnerable version of the Post SMTP plugin that allows hackers to take control of the administrator account. Post SMTP is a popular email delivery plugin for WordPress that counts more than 400,000 active installations. It’s marketed as a replacement of the default ‘wp_mail()’ function that is more reliable and feature-rich. On May 23, a security researcher reported the vulnerability to WordPress security firm PatchStack. The flaw is now identified as CVE-2025-24000 and received a medium severity score of 8.8."
  https://www.bleepingcomputer.com/news/security/post-smtp-plugin-flaw-exposes-200k-wordpress-sites-to-hijacking-attacks/

Malware

• Rogue CAPTCHAs: Look Out For Phony Verification Pages Spreading Malware
  "Bots have got a lot to answer for. They now make up over half of all internet traffic, and while some, such as Google’s web crawlers and fetchers, have legitimate purposes, nearly two-fifths are considered malicious. Their power can be harnessed for everything from posting inflammatory social media posts to launching distributed denial-of-service attacks and hijacking online accounts using, for example, previously breached passwords."
  https://www.welivesecurity.com/en/cybersecurity/rogue-captchas-look-out-phony-verification-pages-spreading-malware/
• In-Depth Analysis Of An Obfuscated Web Shell Script
  "This analysis is a follow-up to the investigation titled ‘Intrusion into Middle East Critical National Infrastructure’ (full report here), conducted by the FortiGuard Incident Response Team (FGIR), which investigated a long-term cyber intrusion targeting critical national infrastructure (CNI) in the Middle East. The report revealed that threat actors had installed numerous web shell servers on the compromised system. In this follow-up, we conducted a deep analysis of one of these web shell servers, named UpdateChecker.aspx, which was deployed on the Microsoft IIS (Internet Information Services) server of the compromised system."
  https://www.fortinet.com/blog/threat-research/in-depth-analysis-of-an-obfuscated-web-shell-script
• Inside The ToolShell Campaign
  "FortiGuard Labs is currently tracking multiple threat actors targeting on-premises Microsoft SharePoint servers. This attack leverages a newly identified exploit chain dubbed "ToolShell." Threat actors are combining two previously patched vulnerabilities (CVE-2025-49704 and CVE-2025-49706) with two fresh, zero-day variants (CVE-2025-53770 and CVE-2025-53771) to achieve remote code execution. Given the escalating threat, CISA has already added these CVEs to its catalog of Known Exploited Vulnerabilities, and FortiGuard Labs has issued a detailed Threat Signal. Except for the known attack using “spinstall0.aspx”, exploitation in the wild is accelerating, and this blog post will delve into real-world incidents from this ongoing wave of attacks."
  https://www.fortinet.com/blog/threat-research/inside-the-toolshell-campaign
• ToolShell: a Story Of Five Vulnerabilities In Microsoft SharePoint
  "On July 19–20, 2025, various security companies and national CERTs published alerts about active exploitation of on-premise SharePoint servers. According to the reports, observed attacks did not require authentication, allowed attackers to gain full control over the infected servers, and were performed using an exploit chain of two vulnerabilities: CVE-2025-49704 and CVE-2025-49706, publicly named “ToolShell”. Additionally, on the same dates, Microsoft released out-of-band security patches for the vulnerabilities CVE-2025-53770 and CVE-2025-53771, aimed at addressing the security bypasses of previously issued fixes for CVE-2025-49704 and CVE-2025-49706. The release of the new, “proper” updates has caused confusion about exactly which vulnerabilities attackers are exploiting and whether they are using zero-day exploits."
  https://securelist.com/toolshell-explained/117045/
• Watch Out: Instagram Users Targeted In Novel Phishing Campaign
  "A phishing campaign targeting Instagram users is doing the rounds. There are plenty of those around, but when we took a look at this particular email, it seemed a bit different to the normal phishing emails that point to scammy websites. The email looked like this, which is very similar to the one Instagram sends if it wants you to confirm your identity:"
  https://www.malwarebytes.com/blog/news/2025/07/watch-out-instagram-users-targeted-in-novel-phishing-campaign
• Safepay: Email Bombs, Phone Scams, And Really Big Ransoms
  "When it comes to choosing a brand name, “SafePay” must be among the most boring of choices. It sounds more like a payment app than an organized crime group. There are no dragons or bugs or heads full of snakes, but the group behind the brand is skilled and ruthless. SafePay has been making a name for itself with strong encryption, data exfiltration and big ransom demands from a fast-growing list of victims. SafePay ransomware was first observed in October 2024, and later confirmed to have been active at least one month earlier. By the end of the first quarter of 2025, SafePay claimed over 200 victims, including managed service providers (MSPs) and small-to-midsize businesses (SMBs) across multiple sectors. The group has been relentless, claiming between 58-70 victims in May 2025, making it the most active ransomware group that month."
  https://blog.barracuda.com/2025/07/25/safepay--email-bombs--phone-scams--and-really-big-ransoms
  Dropping Elephant APT Group Targets Turkish Defense Industry With New Campaign And Capabilities: LOLBAS, VLC * Player, And Encrypted Shellcode
  "The Arctic Wolf Labs team has identified a new campaign by cyber-espionage group Dropping Elephant targeting Turkish defense contractors, specifically a manufacturer of precision-guided missile systems. The campaign employs a five-stage execution chain delivered via malicious LNK files disguised as conference invitations sent to targets interested in learning more about unmanned vehicle systems. The attack leverages legitimate binaries (VLC Media Player and Microsoft Task Scheduler) for defense evasion through DLL side-loading techniques. This represents a significant evolution of this threat actor’s capabilities, transitioning from the x64 DLL variants observed in November 2024, to the current x86 PE executables with enhanced command structures."
  https://arcticwolf.com/resources/blog/dropping-elephant-apt-group-targets-turkish-defense-industry/
  https://thehackernews.com/2025/07/patchwork-targets-turkish-defense-firms.html
• Operation CargoTalon : UNG0901 Targets Russian Aerospace & Defense Sector Using EAGLET Implant.
  "SEQRITE Labs APT-Team has recently found a campaign, which has been targeting Russian Aerospace Industry. The campaign is aimed at targeting employees of Voronezh Aircraft Production Association (VASO), one of the major aircraft production entities in Russia via using товарно-транспортная накладная (TTN) documents — critical to Russian logistics operations. The entire malware ecosystem involved in this campaign is based on usage of malicious LNK file EAGLET DLL implant, further executing malicious commands and exfiltration of data. In this blog, we will explore the technical details of the campaign. we encountered during our analysis. We will examine the various stages of this campaign, starting from deep dive into the initial infection chain to implant used in this campaign, ending with a final overview covering the campaign."
  https://www.seqrite.com/blog/operation-cargotalon-ung0901-targets-russian-aerospace-defense-sector-using-eaglet-implant/
  https://thehackernews.com/2025/07/cyber-espionage-campaign-hits-russian.html
  https://securityaffairs.com/180378/intelligence/operation-cargotalon-targets-russias-aerospace-with-eaglet-malware.html
• The Ηоmоgraph Illusion: Not Everything Is As It Seems
  "Since the creation of the internet, email attacks have been the predominant attack vector for spreading malware and gaining initial access to systems and endpoints. One example of an effective email compromise technique is a homograph attack. Attackers use this content manipulation tactic to evade content analysis and trick users by replacing Latin characters with similar-looking characters from other Unicode blocks. This article provides rare insights into real homograph attacks, and demonstrates the full chain of events that can potentially lead to exploitation of targets. We outline three cases that we detected in the wild. In each scenario, threat actors used homograph attacks in different contexts within email messages, to avoid natural language detections and reach target inboxes."
  https://unit42.paloaltonetworks.com/homograph-attacks/

Breaches/Hacks/Leaks

• NASCAR Confirms Medusa Ransomware Breach After $4M Demand
  "In April 2025, Hackread.com exclusively reported that the Medusa ransomware group had claimed responsibility for breaching the National Association for Stock Car Auto Racing (NASCAR) and was demanding a $4 million ransom. NASCAR has now confirmed that its systems were indeed compromised, validating Hackread.com’s earlier reporting."
  https://hackread.com/nascar-ransomware-confirm-medusa-ransomware-data-breach/
  https://therecord.media/nascar-confirms-data-breach
• Advisor To Brit Tech Contractors Qdos Confirms Client Data Leak
  "Business insurance and employment status specialist Qdos has confirmed that an intruder has stolen some customers personal data, according to a communication to tech contractors that was seen by The Register. Qdos yesterday emailed clients on its database to confirm a "recent data security incident affecting one of our web applications: mygoqdos.com, that may have involved data relating to you and your business." It says it was alerted to the issue on June 19 and launched a probe with the help of third party cyber security expert."
  https://www.theregister.com/2025/07/25/ir35_advisor_qdos_confirms_data_breach/
• Allianz Life Confirms Data Breach Impacts Majority Of 1.4 Million Customers
  "Insurance company Allianz Life has confirmed that the personal information for the "majority" of its 1.4 million customers was exposed in a data breach that occurred earlier this month. "On July 16, 2025, a malicious threat actor gained access to a third-party, cloud-based CRM system used by Allianz Life Insurance Company of North America (Allianz Life)," an Allianz Life spokesperson told BleepingComputer. "The threat actor was able to obtain personally identifiable data related to the majority of Allianz Life's customers, financial professionals, and select Allianz Life employees, using a social engineering technique.""
  https://www.bleepingcomputer.com/news/security/allianz-life-confirms-data-breach-impacts-majority-of-14-million-customers/
  https://securityaffairs.com/180445/data-breach/allianz-life-data-breach-exposed-the-data-of-most-of-its-1-4m-customers.html

General News

• US Targets North Korea’s Illicit Funds: $15M Rewards Offered As American Woman Jailed In IT Worker Scam
  "An Arizona woman was sentenced to prison for her role in a North Korean fake IT worker scheme that hit more than 300 companies and generated over $17 million in illicit revenue. The woman, Christina Marie Chapman, 50, of Litchfield Park, was charged in May last year with running a laptop farm to help North Koreans hide their location. She pleaded guilty in February 2025. According to court documents, between October 2020 and October 2023, she helped North Korean IT workers obtain employment at US companies using the stolen identities of Americans, and received and hosted laptops from the targeted companies at her home."
  https://www.securityweek.com/us-targets-north-koreas-illicit-funds-15m-rewards-offered-as-american-woman-jailed-in-it-worker-scam/
  https://www.theregister.com/2025/07/24/laptop_farmer_north_korean_it_scam_sentenced/
  https://www.bleepingcomputer.com/news/security/us-woman-sentenced-to-8-years-in-prison-for-running-laptop-farm-helping-north-koreans-infiltrate-300-firms/
  https://www.darkreading.com/remote-workforce/north-korea-it-worker-rampage-doj
  https://thehackernews.com/2025/07/us-sanctions-firm-behind-n-korean-it.html
  https://therecord.media/arizona-woman-sentenced-north-korean-laptop-farm
  https://cyberscoop.com/state-department-reward-north-korea-it-worker-scheme/
  https://securityaffairs.com/180398/intelligence/arizona-woman-sentenced-for-aiding-north-korea-in-u-s-it-job-fraud-scheme.html
  https://hackread.com/arizona-woman-jailed-help-north-korea-it-job-scam/
• Cyber Career Opportunities: Weighing Certifications Vs. Degrees
  "Welcome to Dark Reading's "Career Conversations with a CISO" video series, showcasing advice on breaking into and advancing within the cybersecurity field from those who have been there. In this conversation with Dark Reading Associate Editor Kristina Beek, longtime CISO Melina Scotto shares her journey from aspiring opera singer to cybersecurity leader, having served as a top security head for federal contractors and Fortune 500 companies. Throughout her 30-year career, she witnessed cybersecurity transform from basic border protection to a comprehensive approach addressing lateral movement, AI-enabled threats, the cloud, and a range of different critical business risks that place cyber at the core of any successful enterprise."
  https://www.darkreading.com/cybersecurity-operations/cyber-career-opportunities-certifications-degrees
• Why Security Nudges Took Off
  "The appeal of nudging — that is, guiding users in the right direction — is clear: It meets users where they are. A timely reminder before accessing sensitive data, a pop-up when risky behavior is detected, a contextual security tip at login, a security issue about to reach its remediation deadline — these are all common examples. Done well, nudges can improve security awareness and encourage better behavior without blocking productivity. They offer a more human-centered alternative to strict enforcement or reactive controls."
  https://www.darkreading.com/cybersecurity-operations/why-security-nudges-took-off
• The Young And The Restless: Young Cybercriminals Raise Concerns
  "Cybercriminal groups are attracting a significant number of tech-savvy minors, lured by money, a sense of community, or scoring online fame with little concern for the risks of prosecution, government and private-sector experts warn. In a July 23 alert, the FBI's Internet Crime Complaint Center (IC3) noted that one growing group, Hacker Com, has attracted a wide variety of English-speaking minors to "a broad community of technically sophisticated cyber criminals." In early July, the UK's National Crime Agency (NCA) arrested four people — a 20-year-old woman, two 19-year-old males, and a 17-year-old male — in connection with the cyberattacks against and disruption of two retailers, Marks & Spencer and the Co-op."
  https://www.darkreading.com/cyber-risk/young-cybercriminals-raise-concerns
• Can Security Culture Be Taught? AWS Says Yes
  "Too many organizations lack what experts describe as a "strong security culture," which leaves them extremely vulnerable to repeated attacks and unacceptable risks. But can a security culture be built from scratch? Security culture is broadly defined as an organization's shared strategies, policies, and perspectives that serve as the foundation for its enterprise security program. For many years, infosec leaders have preached the importance of a strong culture and how it cannot only strengthen the organization's security posture but also spur increases in productivity and profitability."
  https://www.darkreading.com/cybersecurity-operations/can-security-culture-be-taught-aws-says-yes
• Predictive AI: The “Quiet Catalyst” Behind The Future Of Cybersecurity
  "Patterned, predictive, and purposeful – the future of cybersecurity that Group-IB is helping envision and build. New and evolving cyberattacks are forcing us to move away from being random and reactive in our cyber defenses. Soon, traditional defenses won’t cut anymore. The shift toward predictive analytics marks a critical change: one where cyber defense becomes intentional, intelligence-led, and always a step ahead. But what exactly is predictive analytics in cybersecurity? And how does it power new-age defenses?"
  https://www.group-ib.com/blog/predictive-ai/
• BreachForums Resurfaces On Original Dark Web (.onion) Address
  "The notorious cybercrime and hacker platform BreachForums has mysteriously resurfaced on its original dark web .onion domain. The site appears to be fully restored, including its infrastructure, user-leaked databases, official breach listings and forum posts. For your information, in early April 2025, both the clearnet and dark web domains of BreachForums went offline without explanation. Members speculated about possible law enforcement action or a forum seizure."
  https://hackread.com/breachforums-resurface-original-dark-web-onion-address/
• Digital Sovereignty Becomes a Matter Of Resilience For Europe
  "In this Help Net Security interview, Benjamin Schilz, CEO of Wire, discusses Europe’s push for digital sovereignty through initiatives like Gaia-X and the EU AI Act. As the continent redefines its technological future, the focus shifts from regulation to building resilient, European-owned digital infrastructure. Schilz also discusses how open-source and decentralized technologies are key to securing Europe’s strategic autonomy."
  https://www.helpnetsecurity.com/2025/07/25/benjamin-schilz-wire-european-digital-sovereignty/
• What 50 Companies Got Wrong About Cloud Identity Security
  "Most organizations still miss basic identity security controls in the cloud, leaving them exposed to breaches, audit failures, and compliance violations. A new midyear benchmark from Unosecur found that nearly every company scanned had at least one high-risk issue, with an average of 40 control failures per organization. The report analyzed diagnostic scan data from 50 enterprises across industries and regions between January and June 2025. Unlike survey-based studies, the findings are based on direct control checks aligned with standards like ISO 27001/27002, PCI DSS, and SOC 2. The goal: provide a reproducible view of where cloud identity practices fall short and how to fix them."
  https://www.helpnetsecurity.com/2025/07/25/organizations-cloud-identity-security/
• DNS Security Is Important But DNSSEC May Be a Failed Experiment
  "Last week I turned on DNSSEC (Domain Name System Security Extensions) for the systemsapproach.org domain. No need to applaud; I was just trying to get an understanding of what the barriers to adoption might be while teaching myself about the technology. It turns out that, if you have your domain hosted by a big provider (we happen to use GoDaddy), it's easy to turn on DNSSEC. But I think it says a lot that it took us this long (and the stimulus of working on a new security book) to get us to turn on DNSSEC. By contrast, we would never think of running a website in 2025 without HTTPS."
  https://www.theregister.com/2025/07/25/systems_approach_column_dns_security/
• Blame a Leak For Microsoft SharePoint Attacks, Researcher Insists
  "A week after Microsoft told the world that its July software updates didn't fully fix a couple of bugs, which allowed miscreants to take over on-premises SharePoint servers and remotely execute code, researchers have assembled much of the puzzle — with one big missing piece. How did the attackers, who include Chinese government spies, data thieves, and ransomware operators, know how to exploit the SharePoint CVEs in such a way that would bypass the security fixes Microsoft released the following day?"
  https://www.theregister.com/2025/07/26/microsoft_sharepoint_attacks_leak/

อ้างอิง
Electronic Transactions Development Agency(ETDA)

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand