NCSA Webboard

Posts created by NCSA_THAICERT

    • Hackers used a C&M employee's login credentials to steal more than 140 million dollars from banks in Brazil


      You can follow the news on the webboard or on Facebook NCSA Thailand

      Posted in Cyber Security News by NCSA_THAICERT
    • Beware of SEO Poisoning: hackers trick users into installing malware, 8,500 SMB victims so far


      Posted in Cyber Security News by NCSA_THAICERT
    • Cyber Threat Intelligence 08 July 2025

      New Tooling

      • Aegis Authenticator: Free, Open-Source 2FA App For Android
        "Aegis Authenticator is an open-source 2FA app for Android that helps you manage login codes for your online accounts. The app features strong encryption and the ability to back up your data. It supports both HOTP and TOTP, so it works with thousands of services. It also allows the export or import from a wide variety of 2FA apps, with support for automatic backups."
        https://www.helpnetsecurity.com/2025/07/07/aegis-2fa-authenticator-free-open-source-android/
        https://github.com/beemdevelopment/Aegis

      Vulnerabilities

      • How Much More Must We Bleed? - Citrix NetScaler Memory Disclosure (CitrixBleed 2 CVE-2025-5777)
        "Before you dive into our latest diatribe, indulge us and join us on a journey. Sit in your chair, stand at your desk, lick your phone screen - close your eyes and imagine a world in which things are great. It’s sunny outside, the birds are chirping, and your Secure-by-Design promise ring feels great. You’ve decided to build a network over the weekend. Why, you ask? Because you can. Saturday morning comes, and you’re sitting there (naturally, Bambi is by your side) building your network. "What should I use to help secure my environment and access to it?” you ponder. Obviously, because you lack individual thought, you type your question into ChatGPT - “You’re in luck, there’s an entire industry that builds enterprise-grade, enterprise-priced secure remote access appliances!”"
        https://labs.watchtowr.com/how-much-more-must-we-bleed-citrix-netscaler-memory-disclosure-citrixbleed-2-cve-2025-5777/
        https://horizon3.ai/attack-research/attack-blogs/cve-2025-5777-citrixbleed-2-write-up-maybe/
        https://www.bleepingcomputer.com/news/security/public-exploits-released-for-citrixbleed-2-netscaler-flaw-patch-now/
        https://www.infosecurity-magazine.com/news/citrixbleed-2-detection-analysis/
        https://www.theregister.com/2025/07/07/citrixbleed_2_exploits/
      • CISA Adds Four Known Exploited Vulnerabilities To Catalog
        "CISA has added four new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
        CVE-2014-3931 Multi-Router Looking Glass (MRLG) Buffer Overflow Vulnerability
        CVE-2016-10033 PHPMailer Command Injection Vulnerability
        CVE-2019-5418 Rails Ruby on Rails Path Traversal Vulnerability
        CVE-2019-9621 Synacor Zimbra Collaboration Suite (ZCS) Server-Side Request Forgery (SSRF) Vulnerability"
        https://www.cisa.gov/news-events/alerts/2025/07/07/cisa-adds-four-known-exploited-vulnerabilities-catalog

      Malware

      • XwormRAT Being Distributed Using Steganography
        "AhnLab SEcurity intelligence Center (ASEC) collects information on malware distributed through phishing emails by using its own “email honeypot system.” Based on this information, ASEC publishes the “Phishing Email Trend Report” and “Infostealer Trend Report” on the ASEC Blog every month. Recently, XwormRAT has been confirmed to be distributed using steganography. This malware starts with VBScript and JavaScript. It inserts malicious scripts into legitimate code, making it difficult for users to notice its malicious behavior. The script (VBScript or JavaScript) executed for the first time adds an embedded PowerShell script to call and download the final malware. This malware has been previously covered on the ASEC Blog. It is still being distributed in modified versions."
        https://asec.ahnlab.com/en/88885/
      • DRAT V2: Updated DRAT Emerges In TAG-140’s Arsenal
        "During an investigation into a recent TAG-140 campaign targeting Indian government organizations, Insikt Group identified a modified variant of the DRAT remote access trojan (RAT), which we designated as DRAT V2. TAG-140 has overlaps with SideCopy, an operational subgroup assessed to be a sub-cluster or operational affiliate of Transparent Tribe (also tracked as APT36, ProjectM, or MYTHIC LEOPARD). TAG-140 has consistently demonstrated iterative advancement and variety in its malware arsenal and delivery techniques. This latest campaign, which spoofed the Indian Ministry of Defence via a cloned press release portal, marks a slight but notable shift in both malware architecture and command-and-control (C2) functionality."
        https://www.recordedfuture.com/research/drat-v2-updated-drat-emerges-tag-140s-arsenal
        https://go.recordedfuture.com/hubfs/reports/cta-2025-0623.pdf
        https://thehackernews.com/2025/07/tag-140-deploys-drat-v2-rat-targeting.html
      • Atomic MacOS Stealer Now Includes a Backdoor For Persistent Access
        "Atomic macOS Stealer (AMOS), a popular piece of stealer malware for macOS, has just received a major update. For the first time, it’s being deployed with an embedded backdoor. This change allows attackers to maintain persistent access to a victim’s Mac, run arbitrary tasks from remote servers, and gain extended control over compromised machines. This represents the highest level of risk Moonlock, a cybersecurity division of MacPaw, has observed from AMOS so far. It is believed to be only the second known case — after North Korean threat actors — of backdoor deployment at a global scale targeting macOS users."
        https://moonlock.com/amos-backdoor-persistent-access
        https://www.bleepingcomputer.com/news/security/atomic-macos-infostealer-adds-backdoor-for-persistent-attacks/
      • Batavia Spyware Steals Data From Russian Organizations
        "Since early March 2025, our systems have recorded an increase in detections of similar files with names like договор-2025-5.vbe, приложение.vbe, and dogovor.vbe (translation: contract, attachment) among employees at various Russian organizations. The targeted attack begins with bait emails containing malicious links, sent under the pretext of signing a contract. The campaign began in July 2024 and is still ongoing at the time of publication. The main goal of the attack is to infect organizations with the previously unknown Batavia spyware, which then proceeds to steal internal documents. The malware consists of the following malicious components: a VBA script and two executable files, which we will describe in this article. Kaspersky solutions detect these components as HEUR:Trojan.VBS.Batavia.gen and HEUR:Trojan-Spy.Win32.Batavia.gen"
        https://securelist.com/batavia-spyware-steals-data-from-russian-organizations/116866/
        https://www.bleepingcomputer.com/news/security/batavia-windows-spyware-campaign-targets-dozens-of-russian-orgs/
        https://securityaffairs.com/179699/uncategorized/new-batavia-spyware-targets-russian-industrial-enterprises.html
      • Taking SHELLTER: a Commercial Evasion Framework Abused In-The-Wild
        "Elastic Security Labs is observing multiple campaigns that appear to be leveraging the commercial AV/EDR evasion framework, SHELLTER, to load malware. SHELLTER is marketed to the offensive security industry for sanctioned security evaluations, enabling red team operators to more effectively deploy their C2 frameworks against contemporary anti-malware solutions."
        https://www.elastic.co/security-labs/taking-shellter
        https://www.shellterproject.com/statement-regarding-recent-misuse-of-shellter-elite-and-elastic-security-labs-handling/
        https://www.bleepingcomputer.com/news/security/hackers-abuse-leaked-shellter-red-team-tool-to-deploy-infostealers/
      • Deploying NetSupport RAT Via WordPress & ClickFix
        "In May 2025, Cybereason Global Security Operations Center (GSOC) detected that threat actors have been hosting malicious WordPress websites to deliver malicious versions of the legitimate NetSupport Manager Remote Access Tool (RAT). This report analyzes the methods and tools used by threat actors to deploy the NetSupport RAT payload, focusing on the malicious JavaScript and associated techniques. It also includes relevant Indicators of Compromise (IOCs)."
        https://www.cybereason.com/blog/net-support-rat-wordpress-clickfix
      • Exposing Scattered Spider: New Indicators Highlight Growing Threat To Enterprises And Aviation
        "Scattered Spider, a sophisticated cyber threat group known for aggressive social engineering and targeted phishing, is broadening its scope, notably targeting aviation alongside enterprise environments. Check Point Research has uncovered specific phishing domain indicators, helping enterprises and aviation companies proactively defend against this emerging threat."
        https://blog.checkpoint.com/research/exposing-scattered-spider-new-indicators-highlight-growing-threat-to-enterprises-and-aviation/
      • Scattered Spider And Other Criminal Compromise Of Outsourcing Providers Increases Victim Attacks
        "Independent Halcyon research and open-source intelligence have identified several recent instances of cybercriminals, including Scattered Spider, compromising call centers and other third-party service companies—known as Business Process Outsourcing (BPO) providers—to facilitate their attacks against larger numbers of victims, often focused in one or a few sectors. In the first half of 2025, these compromises have enabled threat actors to steal hundreds of millions of dollars from a crypto firm, as well as Scattered Spider’s compromise of multiple victims in the retail and insurance industries."
        https://www.halcyon.ai/blog/scattered-spider-and-other-criminal-compromise-of-outsourcing-providers-increases-victim-attacks
        https://cyberscoop.com/scattered-spider-social-engineering-cybercrime/
      • Ongoing Phishing Campaign Utilizes LogoKit For Credential Harvesting
        "The initial phishing link we identified mimicked the Hungary CERT login page, with the victim’s email address prefilled in the username field to enhance credibility and increase the likelihood of credential submission. The phishing pages were hosted on Amazon S3 (AWS) to stay under the radar and increase credibility among potential victims. The phishing pages integrate Cloudflare Turnstile to create a false sense of security and legitimacy, increasing the success rate of credential harvesting."
        https://cyble.com/blog/logokit-being-leveraged-for-credential-theft/
      • BERT Ransomware Group Targets Asia And Europe On Multiple Platforms
        "In April, a new ransomware group known as BERT has been observed targeting organizations across Asia and Europe. Trend™ Research telemetry has confirmed the emergence and activity of this ransomware. This blog entry examines BERT’s tools and tactics across multiple variants. By comparing its different iterations, we unpack how the ransomware group operates, how their methods have evolved, and the tactics they employed to evade detection and defenses."
        https://www.trendmicro.com/en_us/research/25/g/bert-ransomware-group-targets-asia-and-europe-on-multiple-platforms.html
        https://therecord.media/bert-ransomware-identified
        https://www.darkreading.com/cyber-risk/bert-blitzes-linux-windows-systems
      • NordDragonScan: Quiet Data-Harvester On Windows
        "FortiGuard Labs recently uncovered an active delivery site that hosts a weaponized HTA script and silently drops the infostealer “NordDragonScan” into victims’ environments. Once installed, NordDragonScan examines the host and copies documents, harvests entire Chrome and Firefox profiles, and takes screenshots. The package is then sent over TLS to its command-and-control server, “kpuszkiev.com,” which also serves as a heartbeat server to confirm the victim is still online and to request additional data when needed."
        https://www.fortinet.com/blog/threat-research/norddragonscan-quiet-data-harvester-on-windows
      • Malvertising Campaign Delivers Oyster/Broomstick Backdoor Via SEO Poisoning And Trojanized Tools
        "Since early June 2025, Arctic Wolf has observed a search engine optimisation (SEO) poisoning and malvertising campaign promoting malicious websites hosting Trojanized versions of legitimate IT tools such as PuTTY and WinSCP. These fake sites aim to trick unsuspecting users—often IT professionals—into downloading and executing Trojanized installers. Upon execution, a backdoor known as Oyster/Broomstick is installed. Persistence is established by creating a scheduled task that runs every three minutes, executing a malicious DLL (twain_96.dll) via rundll32.exe using the DllRegisterServer export, indicating the use of DLL registration as part of the persistence mechanism. While only Trojanized versions of PuTTY and WinSCP have been observed in this campaign, it is possible that additional tools may also be involved."
        https://arcticwolf.com/resources/blog-uk/malvertising-campaign-delivers-oyster-broomstick-backdoor-via-seo-poisoning-and-trojanized-tools/
        https://thehackernews.com/2025/07/seo-poisoning-campaign-targets-8500.html
      • Chrome Store Features Extension Poisoned With Sophisticated Spyware
        "Google has inadvertently been promoting sophisticated spyware that can hijack browser sessions with malicious redirects hidden in a legitimate Chrome extension. The extension, which offers a legitimate color picker, was poisoned with the malware via an update at the end of June. The extension, called "Color Picker, Eyedropper — Geco colorpick," has more than 100,000 downloads, a verified Google badge, and a featured placement in the Google Chrome Web Store. Its high status in the store is because it has been a legitimate extension for years — before it received the malicious update on June 27, Idan Dardikman from Koi Security tells Dark Reading."
        https://www.darkreading.com/endpoint-security/chrome-store-features-extension-poisoned-sophisticated-spyware

      Breaches/Hacks/Leaks

      • Qantas Is Being Extorted In Recent Data-Theft Cyberattack
        "Qantas has confirmed that it is now being extorted by threat actors following a cyberattack that potentially exposed the data for 6 million customers. "A potential cyber criminal has made contact, and we are currently working to validate this," Qantas shared in an updated statement. "As this is a criminal matter, we have engaged the Australian Federal Police and won't be commenting any further on the details of the contact.""
        https://www.bleepingcomputer.com/news/security/qantas-is-being-extorted-in-recent-data-theft-cyberattack/
        https://www.infosecurity-magazine.com/news/qantas-contacted-cybercriminal/
      • Nearly 300,000 People Were Impacted By Cyberattack On Nova Scotia Power
        "Canadian utility Nova Scotia Power is notifying about 280,000 people of a data breach that occurred following a cyberattack earlier this year. In letters to victims, the company said an investigation revealed that hackers had access to critical systems from March 19 to April 25, allowing them to steal names, addresses, driver's license numbers, Canadian Social Insurance numbers, bank account details and troves of information from the Nova Scotia Power program including power consumption, service requests, customer payment, billing and credit history, and customer correspondence."
        https://therecord.media/thousands-impacted-cyber-nova-scotia

      General News

      • AI Built It, But Can You Trust It?
        "In this Help Net Security interview, John Morello, CTO at Minimus, discusses the security risks in AI-driven development, where many dependencies are pulled in quickly. He explains why it’s hard to secure software stacks that no one fully understands. He also shares what needs to change to keep development secure as AI becomes more common."
        https://www.helpnetsecurity.com/2025/07/07/john-morello-minimus-secure-ai-driven-development/
      • New Technique Detects Tampering Or Forgery Of a PDF Document
        "Researchers from the University of Pretoria presented a new technique for detecting tampering in PDF documents by analyzing the file’s page objects. The technique employs a prototype that can detect changes to a PDF document, such as changes made to the text, images, or metadata. With the PDF format being used as a formal means of communication in multiple industries, it has become a good target for criminals who wish to affect contracts or aid in misinformation."
        https://www.helpnetsecurity.com/2025/07/07/detect-pdf-tampering-forgery/
        https://arxiv.org/pdf/2507.00827
      • Employee Gets $920 For Credentials Used In $140 Million Bank Heist
        "Hackers stole nearly $140 million from six banks in Brazil by using an employee's credentials from C&M, a company that offers financial connectivity solutions. The incident reportedly occurred on June 30, after the attackers bribed the employee to give them his account credentials and perform specific actions that would help their operations."
        https://www.bleepingcomputer.com/news/security/employee-gets-920-for-credentials-used-in-140-million-bank-heist/
        https://therecord.media/brazil-police-arrest-worker-theft
        https://www.securityweek.com/police-in-brazil-arrest-a-suspect-over-100m-banking-hack/
      • Gamers Hacked Playing Call Of Duty: WWII—PC Version Temporarily Taken Offline
        "On Saturday, the Call of Duty team announced that the PC version of Call of Duty: WWII has been taken offline following “reports of an issue.” That issue seems to be a serious security problem, after reports surfaced about a remote code execution (RCE) vulnerability in the game. After Microsoft’s acquisition of Activision in 2023, Activision’s headline title, Call of Duty, has been slowly making its way over to Xbox and PC Game Pass. But only days after the 2017 Call of Duty: WWII arrived on Microsoft’s subscription service, the concerning reports started coming in. Players were using an RCE exploit to take over other players’ PCs during live multiplayer matches."
        https://www.malwarebytes.com/blog/news/2025/07/gamers-hacked-playing-call-of-duty-wwii-pc-version-temporarily-taken-offline
        https://cyberscoop.com/call-of-duty-remote-code-execution-pc-game-offline/
      • SatanLock Ransomware Ends Operations, Says Stolen Data Will Be Leaked
        "The newly formed SatanLock ransomware group has announced it is shutting down. Before disappearing, however, the group says it will leak all the data stolen from its victims later today. The announcement was made on the gang’s official Telegram channel and dark web leak site. It’s also worth noting that the group has deleted all victim listings that were visible just hours ago. Now, anyone visiting their .onion site sees a message reading, “SatanLock project will be shut down – The files will all be leaked today.”"
        https://hackread.com/satanlock-ransomware-ends-operations-stolen-data-leak/
      • Doctor Web’s Q2 2025 Review Of Virus Activity On Mobile Devices
        "According to detection statistics collected by Dr.Web Security Space for mobile devices, adware trojans from various families remained the most common malware. Members of the Android.HiddenAds trojan family were again the most active, despite the fact that users encountered them 8.62% less often. These were followed by Android.MobiDash adware trojans; the number of attacks involving them increased by 11.17%. Android.FakeApp malicious programs, used in various fraudulent schemes, ranked third; they were detected on protected devices 25.17% less frequently."
        https://news.drweb.com/show/review/?lng=en&i=15027
        https://hackread.com/android-malware-adware-trojan-crypto-theft-q2-threats/
      • Phishing Platforms, Infostealers Blamed As Identity Attacks Soar
        "A rise in advanced phishing kits and info-stealing malware is to blame for a 156 percent jump in cyberattacks targeting user logins, say researchers. Security shop eSentire says identity-based attacks have soared since last year, and now make up 59 percent of all investigations carried out by its experts. Organizations, it added, should be on high alert for financially motivated crimes. It's particularly worried about the increased likelihood that these identity attacks will lead to business email compromise (BEC) schemes and ransomware disasters."
        https://www.theregister.com/2025/07/07/phishing_platforms_infostealers_blamed_for/
        https://esentire-dot-com-assets.s3.amazonaws.com/assets/resourcefiles/eSentire_Report_Identity-Centric-Threats.pdf
        https://www.infosecurity-magazine.com/news/hackers-target-employee-credentials/
      • Cyberattack Deals Blow To Russian Firmware Used To Repurpose Civilian Drones For Ukraine War
        "Russian developers behind a custom firmware used to convert consumer drones for military use in Ukraine have reported a cyberattack on their infrastructure, disrupting the system that distributes the software. According to a statement posted on the Telegram channel Russian Hackers – To the Front, unidentified hackers breached servers responsible for delivering the “1001” firmware, displayed false messages on operator terminals, and then disabled the system. The developers said the firmware itself was not compromised, calling the risk of backdoors or malicious code “extremely low.” However, drone operators were advised to disconnect their terminals as a precaution."
        https://therecord.media/cyberattack-russia-firmware-blow-hackers
      • Alleged Chinese Hacker Tied To Silk Typhoon Arrested For Cyberespionage
        "A Chinese national was arrested in Milan, Italy, last week for allegedly being linked to the state-sponsored Silk Typhoon hacking group, which is responsible for cyberattacks against American organizations and government agencies. According to Italian media ANSA, the 33-year-old man, Xu Zewei, was arrested at Milan's Malpensa Airport on July 3rd after arriving on a flight from China. Italian police arrested the suspect on an international warrant from the U.S. government. ANSA reports that Xu is accused of being linked to the Chinese state-sponsored Silk Typhoon hacking group, aka Hafnium, which has been responsible for a wide range of cyberespionage attacks against the U.S. and other countries."
        https://www.bleepingcomputer.com/news/security/alleged-chinese-hacker-tied-to-silk-typhoon-arrested-for-cyberespionage/

      Reference
      Electronic Transactions Development Agency (ETDA)

      Posted in Cyber Security News by NCSA_THAICERT
    • North Korea-linked hacker group spreads NimDoor malware on macOS via fake Zoom


      Posted in Cyber Security News by NCSA_THAICERT
    • Shoppers should beware on Prime Day after more than 1,000 fake domains imitating Amazon were found


      Posted in Cyber Security News by NCSA_THAICERT
    • Cyber Threat Intelligence 07 July 2025

      Industrial Sector

      • Exposed And Unaware? Smart Buildings Need Smarter Risk Controls
        "75% of organizations have building management systems (BMS) affected by known exploited vulnerabilities (KEVs), according to Claroty. Digging deeper into the KEV-affected organizations, 51% are affected by KEVs that are also linked to ransomware and are insecurely connected to the internet. Within those organizations, 2% of devices contain the same level of risk, meaning that devices essential to business operations are operating at the highest level of risk exposure. This combination of risk factors raises alarms given the widespread reliance on BMS in commercial real estate, retail, hospitality, and data center facilities to operate systems like HVAC, lighting, energy, elevators, security, and more."
        https://www.helpnetsecurity.com/2025/07/04/building-management-systems-bms-risk/

      Malware

      • NTLM Relay Attacks Are Back From The Dead
        "NTLM relay attacks are the easiest way for an attacker to compromise domain-joined hosts. While many security practitioners think NTLM relay is a solved problem, it is not – and, in fact, it may be getting worse. Anecdotally, they are used in most attacks seen by my employer’s consulting arm and have gotten much more common in the last few years. With most environments vulnerable, NTLM sets the stage for lateral movement and privilege escalation. These attacks originate from Authenticated Users and can often reach Tier Zero, resulting in a large exposure and a critical impact."
        https://www.helpnetsecurity.com/2025/07/04/ntlm-relay-attacks/
      • Exploiting Trust: How Signed Drivers Fuel Modern Kernel Level Attacks On Windows
        "Kernel-level malware, which operates in Windows’ ring 0, remains one of the most potent tools for cybercriminals. With access to the core of the operating system, attackers can disable defenses, maintain persistence, and remain hidden. Despite Microsoft’s evolving security mechanisms, attackers continue to adapt, leveraging signed drivers and underground services to bypass these protections. This blog delves into how attackers leverage Windows kernel loaders and abuse digitally signed drivers to gain privileged access, disable security tools, and stealthily maintain control—bypassing traditional defenses and enabling advanced threat operations."
        https://www.group-ib.com/blog/kernel-driver-threats/
      • NightEagle APT Exploits Microsoft Exchange Flaw To Target China's Military And Tech Sectors
        "Cybersecurity researchers have shed light on a previously undocumented threat actor called NightEagle (aka APT-Q-95) that has been observed targeting Microsoft Exchange servers as a part of a zero-day exploit chain designed to target government, defense, and technology sectors in China. According to QiAnXin's RedDrip Team, the threat actor has been active since 2023 and has switched network infrastructure at an extremely fast rate. The findings were presented at CYDES 2025, the third edition of Malaysia's National Cyber Defence & Security Exhibition and Conference held between July 1 and 3, 2025."
        https://thehackernews.com/2025/07/nighteagle-apt-exploits-microsoft.html
        https://github.com/RedDrip7/NightEagle_Disclose
      • Exposed JDWP Exploited In The Wild: What Happens When Debug Ports Are Left Open
        "During routine monitoring, the Wiz Research Team observed an exploitation attempt targeting one of our honeypot servers running TeamCity, a popular CI/CD tool. Our investigation determined that the attacker had gained remote code execution by abusing an exposed Java Debug Wire Protocol (JDWP) interface, ultimately deploying a cryptomining payload and setting up multiple persistence mechanisms."
        https://www.wiz.io/blog/exposed-jdwp-exploited-in-the-wild
        https://thehackernews.com/2025/07/alert-exposed-jdwp-interfaces-lead-to.html

      Breaches/Hacks/Leaks

      • Hacker Leaks Telefónica Data Allegedly Stolen In a New Breach
        "A hacker is threatening to leak 106GB of data allegedly stolen from Spanish telecommunications company Telefónica in a breach that the company did not acknowledge. The threat actor has leaked a 2.6GB archive that unpacks into five gigabytes of data with a little over 20,000 files to prove that the breach occurred."
        https://www.bleepingcomputer.com/news/security/hacker-leaks-telef-nica-data-allegedly-stolen-in-a-new-breach/
      • Ingram Micro Outage Caused By SafePay Ransomware Attack
        "An ongoing outage at IT giant Ingram Micro is caused by a SafePay ransomware attack that led to the shutdown of internal systems, BleepingComputer has learned. Ingram Micro is one of the world's largest business-to-business technology distributors and service providers, offering a range of solutions including hardware, software, cloud services, logistics, and training to resellers and managed service providers worldwide. Since Thursday, Ingram Micro's website and online ordering systems have been down, with the company not disclosing the cause of the issues."
        https://www.bleepingcomputer.com/news/security/ingram-micro-outage-caused-by-safepay-ransomware-attack/
        https://www.theregister.com/2025/07/06/ingram_micro_confirms_ransomware_behind/

      General News

      • Africa’s Cybersecurity Crisis And The Push To Mobilizing Communities To Safeguard a Digital Future
        "While Africa hosts some of the fastest-growing digital economies globally, it also faces persistent challenges in cybersecurity preparedness. Many organizations and individuals remain unaware of the risks they face online. Phishing schemes and social engineering tactics continue to succeed at alarming rates, often due to limited awareness of basic digital hygiene practices. Compounding the threat is a severe shortage of trained professionals. Africa has a small share of certified professionals, fewer than 25,000 across a population of 1.4 billion. This shortage leaves both public and private sectors exposed, with limited capacity to detect, prevent, or respond to attacks."
        https://www.helpnetsecurity.com/2025/07/04/africa-cybersecurity-crisis/

      • Internet Outages Are Costing Companies Millions Every Month
        "To ensure resilience across the internet stack, organizations need to protect and manage four key areas: reachability, availability, reliability, and performance, according to Catchpoint. 51% report monthly losses of over $1 million due to internet outages or degradations, up from 43% in 2024. And 1 in 8 now lose over $10 million each month, a noticeable rise since last year."
        https://www.helpnetsecurity.com/2025/07/04/internet-stack-resilience/
      • AI Dilemma: Emerging Tech As Cyber Risk Escalates
        "AI is fundamentally transforming the modern world. It offers previously out-of-reach opportunities for business leaders to anticipate market trends and make better decisions. For organisations to intelligently automate mundane processes and free talent to work on higher value work. And for companies to reach customers in highly personalised ways, with innovative new products and services. It is also helping network defenders to get on the front foot against their adversaries in new ways—by seeing more and acting faster to neutralise threats and fill security gaps before they can be exploited."
        https://www.trendmicro.com/en_us/research/25/g/ai-cyber-risks.html
      • The EU’s Plan To Become a Global Leader In Quantum By 2030
        "The European Commission has put forward a strategy to make Europe a global leader in quantum technology by 2030. The strategy will help to develop the quantum sector, while maintaining Europe’s scientific leadership. This will also boost the EU’s competitiveness, tech sovereignty, and security. The strategy focuses on five areas: research and innovation, quantum infrastructures, ecosystem strengthening, space and dual-use technologies, and quantum skills."
        https://commission.europa.eu/news-and-media/news/eus-plan-become-global-leader-quantum-2030-2025-07-02_en
        https://www.infosecurity-magazine.com/news/eu-plan-quantum-secure/
      • Disrupting The Ransomware Attack Chain With Hybrid Mesh Security (Part 1)
        "In this three-part blog series, we explore how a hybrid mesh architecture can effectively break the ransomware attack chain. Part One examines the evolving state of ransomware in 2025, unpacks the stages of the ransomware attack chain, and explains why fragmented security architectures continue to fail. Part Two highlights five critical ways a hybrid mesh approach uniquely disrupts the ransomware lifecycle, from initial access to lateral movement and data exfiltration. Part Three features four key recommendations for CISOs from cyber security expert Pete Nicoletti and offers a concise overview of Check Point’s hybrid mesh architecture strategy."
        https://blog.checkpoint.com/securing-the-network/disrupting-the-ransomware-attack-chain-with-hybrid-mesh-security-part-1/
      • Task Scams: Why You Should Never Pay To Get Paid
        "Many of us have been experiencing a cost-of-living crisis for years, and the news headlines remain filled with doom-laden predictions of what the future might hold. Against this backdrop, it’s understandable why many of us are looking for a side hustle or for even a new, better-paid job. But the scammers know this, and are ready to take advantage. In 2024 alone, employment scams reported to the FBI made fraudsters over $264 million. Many of these are so-called “task scams,” where victims are actually tricked into paying a “deposit” in order to get paid. It might sound unbelievable. But it’s easier to fall for than you think."
        https://www.welivesecurity.com/en/scams/task-scams-why-you-should-never-pay-to-get-paid/

      Reference
      Electronic Transactions Development Agency (ETDA)

      Posted in Cyber Security News
      NCSA_THAICERT
    • Ingram Micro hit by SafePay ransomware, causing a prolonged internal system outage

      [Image attachment: Ingram Micro ถูกโจมตีด้วยแรนซัมแวร์ SafePay ส่งผลให้ระ.png]

      Posted in Cyber Security News
      NCSA_THAICERT
    • Hunters International ransomware gang shuts down, rebrands as World Leaks

      [Image attachment: แก๊งแรนซัมแวร์ Hunters International ปิดตัว เปลี่ยนชื่อ.png]

      Posted in Cyber Security News
      NCSA_THAICERT
    • Ongoing campaign by the SCATTERED SPIDER group

      On 4 July 2025 (B.E. 2568), the Cyber Security Agency of Singapore (CSA) published an alert on SCATTERED SPIDER, a financially motivated cybercriminal group that targets the insurance and retail industries and, since June 2025, has extended its operations to the aviation industry.
      SCATTERED SPIDER is reported to have attacked organisations in the insurance and retail sectors and, since June 2025, to have expanded its attacks to the aviation sector. The group typically targets several organisations within the same industry over a short period, although it does not follow this pattern strictly.
      Tactics, techniques and procedures
      SCATTERED SPIDER uses telephone-based social engineering, impersonating employees when contacting IT help desks. In almost every incident observed in 2025, the group used this approach to compromise Microsoft Entra ID accounts, single sign-on (SSO) systems and virtual desktop infrastructure (VDI), correctly answering identity-verification questions when requesting a password reset or a multi-factor authentication reset.
      Account and software-as-a-service compromise
      After compromising Entra ID, SSO and VDI accounts, the group accesses the connected software-as-a-service platforms, searching for information that enables lateral movement, such as network diagrams, VPN usage instructions or stored credentials, in support of extortion or other financial gain.
      Abuse of tools already present in the environment
      The group uses legitimate tools already present in the environment to carry out malicious activity, for example:

      • Active Directory reconnaissance using tools such as ADExplorer, ADRecon.ps1 and the PowerShell cmdlet Get-ADUser
      • Accessing VMware vCenter to create unmanaged virtual machines and extract the Active Directory database (ntds.dit) from domain controller disks
      • Installing tunnelling or proxy tools such as Chisel (connecting to trycloudflare[.]com), MobaXterm, ngrok, Pinggy, Rsocx and Teleport
      • Using PowerShell commands such as HardDelete, SoftDelete and MoveToDeletedItems, and mail transport rules (Set-TransportRule), to suppress notifications of account activity. In one case, email sent to a compromised user was redirected to an attacker-controlled googlemail[.]com address
      • Using S3 Browser to enumerate and access AWS S3 buckets (visible as CloudTrail ListBuckets and ListObjects events) and transfer data to attacker-controlled buckets

      Recommended mitigations
      To strengthen cybersecurity and protect organisational data, organisations are advised to take the following measures:

      • Require multi-factor authentication for all users, especially those with access to sensitive data or with administrative roles
      • Use strict identity and access management to enforce role-based access control and the principle of least privilege
      • Enable comprehensive logging and behavioural analytics
      • Monitor for unusual application usage, suspicious search queries and abnormal data-access patterns
      • Regularly review user accounts, permissions and connected applications to identify and remove unnecessary or risky privileges
      • Maintain backups that are isolated from production systems and develop an incident response plan
      • Provide regular employee training on threats such as social engineering through a cybersecurity awareness programme

      By following these measures, organisations can improve their defences and effectively reduce their exposure to cyber threats.
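      Two of the behaviours above leave clear traces in logs that the "comprehensive logging and behavioural analytics" recommendation can act on: S3 enumeration (a ListBuckets call followed by ListObjects across many buckets from one principal) and mail rules that redirect a user's mail to an external domain. The following Python is an added illustration written for this post, not code from CSA or NCSA; the CloudTrail records and the Exchange audit entries are constructed samples, the field names follow the CloudTrail JSON schema and the Exchange cmdlet parameter names, and the thresholds (15-minute window, three buckets) are assumptions to be tuned per environment.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of CloudTrail-style records (not real telemetry). Field
# names follow the CloudTrail schema: eventTime, eventName, userIdentity.arn,
# requestParameters.bucketName. "alice" shows the enumeration pattern; the
# backup role lists a single bucket without a preceding ListBuckets.
CLOUDTRAIL_SAMPLE = json.dumps({"Records": [
    {"eventTime": "2025-07-04T09:00:05Z", "eventName": "ListBuckets",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"},
     "requestParameters": None},
    {"eventTime": "2025-07-04T09:00:40Z", "eventName": "ListObjects",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"},
     "requestParameters": {"bucketName": "hr-records"}},
    {"eventTime": "2025-07-04T09:01:10Z", "eventName": "ListObjects",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"},
     "requestParameters": {"bucketName": "finance-exports"}},
    {"eventTime": "2025-07-04T09:02:30Z", "eventName": "ListObjects",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"},
     "requestParameters": {"bucketName": "vpn-config-backups"}},
    {"eventTime": "2025-07-04T09:03:00Z", "eventName": "GetObject",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"},
     "requestParameters": {"bucketName": "vpn-config-backups", "key": "site.ovpn"}},
    {"eventTime": "2025-07-04T09:00:00Z", "eventName": "ListObjects",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:role/backup-job"},
     "requestParameters": {"bucketName": "backups"}},
]})


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect_s3_enumeration(cloudtrail_json, window=timedelta(minutes=15), min_buckets=3):
    """Return {principal_arn: sorted bucket names} for principals that called
    ListBuckets and then listed at least `min_buckets` distinct buckets within
    `window`. The thresholds are assumptions for this example."""
    records = sorted(json.loads(cloudtrail_json)["Records"], key=lambda r: r["eventTime"])
    list_buckets_at = {}          # principal -> time of its latest ListBuckets
    touched = defaultdict(set)    # principal -> buckets listed after that call
    for r in records:
        arn = r["userIdentity"]["arn"]
        t = _ts(r["eventTime"])
        if r["eventName"] == "ListBuckets":
            list_buckets_at[arn] = t
            touched[arn].clear()
        elif r["eventName"] in ("ListObjects", "ListObjectsV2") and arn in list_buckets_at:
            if t - list_buckets_at[arn] <= window:
                touched[arn].add(r["requestParameters"]["bucketName"])
    return {arn: sorted(b) for arn, b in touched.items() if len(b) >= min_buckets}


# Constructed sample of Exchange admin-audit style entries (not real logs):
# the cmdlet run and the parameters passed to it.
MAIL_RULE_EVENTS = [
    {"user": "alice@example.com", "cmdlet": "New-InboxRule",
     "params": {"Name": "archive", "MoveToFolder": "Archive"}},
    {"user": "alice@example.com", "cmdlet": "Set-TransportRule",
     "params": {"Name": "it-support", "RedirectMessageTo": "support-desk@googlemail.com",
                "DeleteMessage": "True"}},
    {"user": "bob@example.com", "cmdlet": "New-InboxRule",
     "params": {"Name": "team", "ForwardTo": "team-alias@example.com"}},
]

# Parameters of Set-TransportRule / New-InboxRule that send mail elsewhere.
REDIRECT_PARAMS = ("RedirectMessageTo", "ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")


def detect_external_forwarding(events, internal_domains):
    """Return (user, cmdlet, target) for rules that forward or redirect mail
    to an address outside `internal_domains`."""
    hits = []
    for e in events:
        for p in REDIRECT_PARAMS:
            target = e["params"].get(p)
            if target and target.rsplit("@", 1)[-1].lower() not in internal_domains:
                hits.append((e["user"], e["cmdlet"], target))
    return hits


if __name__ == "__main__":
    for arn, buckets in detect_s3_enumeration(CLOUDTRAIL_SAMPLE).items():
        print(f"S3 enumeration by {arn}: {', '.join(buckets)}")
    for user, cmdlet, target in detect_external_forwarding(MAIL_RULE_EVENTS, {"example.com"}):
        print(f"external mail redirect by {user} via {cmdlet} -> {target}")
```

      Both detectors key on the sequence rather than on a single call: a lone ListObjects from a backup role is normal, while ListBuckets followed by listing of several unrelated buckets by one principal matches the reconnaissance described above, and a redirect to a consumer mail domain is a stronger signal than rule creation alone.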

      Reference
      https://www.csa.gov.sg/alerts-and-advisories/alerts/al-2025-066

      Posted in Cyber Security News
      NCSA_THAICERT
    • Google releases patch for CVE-2025-6554 in Chrome

      [Image attachment: Google ออกแพตช์แก้ไขช่องโหว่ CVE-2025-6554 บน Chrome.png]

      Posted in Cyber Security News
      NCSA_THAICERT
    • Forminator plugin vulnerability puts over 400,000 WordPress sites at risk of takeover

      [Image attachment: ช่องโหว่ในปลั๊กอิน Forminator เสี่ยงทำให้กว่า 400,000.png]

      Posted in Cyber Security News
      NCSA_THAICERT
    • CISA releases four Industrial Control Systems advisories

      On 3 July 2025 (B.E. 2568), the Cybersecurity and Infrastructure Security Agency (CISA) released four advisories on industrial control systems (ICS). These advisories provide timely information about current security issues and vulnerabilities affecting ICS, as follows:

      • ICSA-25-184-01 Hitachi Energy Relion 670/650 and SAM600-IO Series
      • ICSA-25-184-02 Hitachi Energy MicroSCADA X SYS600
      • ICSA-25-184-03 Mitsubishi Electric MELSOFT Update Manager
      • ICSA-25-184-04 Mitsubishi Electric MELSEC iQ-F Series

      CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations. Further details are available at https://www.cisa.gov/news-events/alerts/2025/07/03/cisa-releases-four-industrial-control-systems-advisories

      Reference
      https://www.cisa.gov/news-events/alerts/2025/07/03/cisa-releases-four-industrial-control-systems-advisories

      Posted in OT Cyber Security News
      NCSA_THAICERT
    • Cyber Threat Intelligence 04 July 2025

      Healthcare Sector

      • Healthcare CISOs Must Secure More Than What’s Regulated
        "In this Help Net Security interview, Henry Jiang, CISO at Ensora Health, discusses what it really takes to make DevSecOps work in healthcare. He explains how balancing speed and security isn’t easy and why aligning with regulations is key. Jiang also shares tips on working with engineering teams and how automation helps in DevSecOps."
        https://www.helpnetsecurity.com/2025/07/03/henry-jiang-ensora-health-healthcare-devsecops-strategy/

      Industrial Sector

      • Industrial Security Is On Shaky Ground And Leaders Need To Pay Attention
        "44% of industrial organizations claim to have strong real-time cyber visibility, but nearly 60% have low to no confidence in their OT and IoT threat detection capabilities, according to Forescout. Digitalization has increased connectivity across devices, transforming industrial environments, which in turn increases cyber risk. Rising geopolitical tensions further compound these challenges, demanding more nuanced, strategic and integrated security approaches to protect critical assets while maintaining operations."
        https://www.helpnetsecurity.com/2025/07/03/ot-iot-threat-detection-confidence/
      • Hitachi Energy Relion 670/650 And SAM600-IO Series
        "An authenticated user with file access privilege via FTP access can cause the Relion 670/650 and SAM600-IO series device to reboot due to improper disk space management."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-184-01
      • Hitachi Energy MicroSCADA X SYS600
        "Successful exploitation of these vulnerabilities could allow an attacker to tamper with the system file, overwrite files, create a denial-of-service condition, or leak file content."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-184-02
      • Mitsubishi Electric MELSOFT Update Manager
        "Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary code, disclose information, alter information, or cause a denial-of-service (DoS) condition."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-184-03
      • Mitsubishi Electric MELSEC iQ-F Series
        "Successful exploitation of this vulnerability could result in a denial-of-service condition for legitimate users for a certain period by repeatedly attempting to log in with incorrect passwords. When the product repeatedly receives unauthorized logins from an attacker, legitimate users will be unable to be authenticated until a certain period has passed after the lockout or until the product is reset."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-184-04
      • OT Security In Ports: Lessons From The Coast Guard's Latest Warning
        "The cranes that move goods in and out of America's busiest ports (some of the most essential components of our national logistics chain) are under growing scrutiny. In a newly issued MARSEC Directive 105-5, the U.S. Coast Guard has raised red flags about the cybersecurity risks that come with ship-to-shore (STS) cranes manufactured in China. These cranes, mostly produced by state-owned enterprises like Shanghai Zhenhua Heavy Industries (ZPMC), make up nearly 80% of the STS equipment at U.S. ports."
        https://www.tripwire.com/state-of-security/ot-security-ports-lessons-coast-guards-latest-warning

      New Tooling

      • GitPhish: Open-Source GitHub Device Code Flow Security Assessment Tool
        "GitPhish is an open-source security research tool built to replicate GitHub’s device code authentication flow. It features three core operating modes: an authentication server, automated landing page deployment, and an administrative management interface. GitPhish can be accessed via a command-line interface or a web dashboard, offering comprehensive features such as logging, analytics, and token management."
        https://www.helpnetsecurity.com/2025/07/03/gitphish-open-source-github-device-code-flow-security-assessment-tool/
        https://github.com/praetorian-inc/GitPhish

      Vulnerabilities

      • Grafana Releases Critical Security Update For Image Renderer Plugin
        "Grafana Labs has addressed four Chromium vulnerabilities in critical security updates for the Grafana Image Renderer plugin and Synthetic Monitoring Agent. Although the issues impact Chromium and were fixed by the open-source project two weeks ago, Grafana received a bug bounty submission from security researcher Alex Chapman proving their exploitability in the Grafana components. Grafana describes the update as a "critical severity security release" and advises users to apply the fixes for the vulnerabilities below as soon as possible:"
        https://www.bleepingcomputer.com/news/security/grafana-releases-critical-security-update-for-image-renderer-plugin/
      • Apache Under The Lens: Tomcat’s Partial PUT And Camel’s Header Hijack
        "In March 2025, Apache disclosed CVE-2025-24813, a vulnerability impacting Apache Tomcat. This is a widely used platform that allows Apache web servers to run Java-based web applications. The flaw allows remote code execution, affecting Apache Tomcat versions 9.0.0.M1 to 9.0.98, 10.1.0-M1 to 10.1.34 and 11.0.0-M1 to 11.0.2. The same month, Apache revealed two additional vulnerabilities in Apache Camel, a message routing middleware framework. These vulnerabilities are CVE-2025-27636 and CVE-2025-29891, two flaws that allow remote code execution, affecting Apache Camel versions 4.10.0 to 4.10.1, 4.8.0 to 4.8.4 and 3.10.0 to 3.22.3."
        https://unit42.paloaltonetworks.com/apache-cve-2025-24813-cve-2025-27636-cve-2025-29891/
      • Azure Machine Learning Escalation: When Pipelines Go Off The Rails
        "Orca has discovered a new privilege escalation vulnerability in the Azure Machine Learning service. We found that invoker scripts that are automatically created for each AML pipeline component and stored in a linked Storage Account can be abused to execute code with elevated privileges. While the severity varies based on the identity assigned to the compute instance, this enables multiple escalation paths when the instance runs under a highly privileged managed identity."
        https://orca.security/resources/blog/azure-machine-learning-privilege-escalation/
        https://www.infosecurity-magazine.com/news/privilege-escalation-flaw-azure-ml/

      Malware

      • Hunters International Ransomware Shuts Down, Releases Free Decryptors
        "The Hunters International Ransomware-as-a-Service (RaaS) operation announced today that it has officially closed down its operations and will offer free decryptors to help victims recover their data without paying a ransom. "After careful consideration and in light of recent developments, we have decided to close the Hunters International project. This decision was not made lightly, and we recognize the impact it has on the organizations we have interacted with," the cybercrime gang says in a statement published on its dark web leak earlier today. "As a gesture of goodwill and to assist those affected by our previous activities, we are offering free decryption software to all companies that have been impacted by our ransomware. Our goal is to ensure that you can recover your encrypted data without the burden of paying ransoms.""
        https://www.bleepingcomputer.com/news/security/hunters-international-ransomware-shuts-down-after-world-leaks-rebrand/
        https://therecord.media/hunters-international-ransomware-extortion-group-claims-shutdown
        https://www.bankinfosecurity.com/ransomware-group-hunters-international-announces-exit-a-28894
        https://www.theregister.com/2025/07/03/hunters_international_shutdown/
      • The SOC Case Files: XDR Contains Two Nearly Identical Attacks Leveraging ScreenConnect
        "Barracuda’s Managed XDR team recently helped two companies mitigate incidents where attackers had managed to compromise computers and install rogue ScreenConnect remote management software. The incidents were neutralized before the attackers were able to move laterally through the network."
        https://blog.barracuda.com/2025/07/02/soc-case-files-xdr-contains-two-attacks-screenconnect
      • RondoDox Unveiled: Breaking Down a New Botnet Threat
        "Over the past month, FortiGuard Labs has observed a significant increase in scanning activity, including a new botnet campaign that exploits two high-risk vulnerabilities: CVE-2024-3721 and CVE-2024-12856. Both have been publicly disclosed and are actively being targeted, posing serious risks to device security and overall network integrity."
        https://www.fortinet.com/blog/threat-research/rondobox-unveiled-breaking-down-a-botnet-threat
      • Satori Threat Intelligence Alert: IconAds Conceals Source Of Ad Fraud From Users
        "HUMAN’s Satori Threat Intelligence and Research Team has uncovered and disrupted an operation dubbed IconAds. This scheme centered on a collection of 352 apps which load out-of-context ads on a user’s screen and hide the app icons, making it difficult for a user to identify the culprit app and remove it. At its peak, IconAds accounted for 1.2 billion bid requests a day."
        https://www.humansecurity.com/learn/blog/satori-threat-intelligence-alert-iconads/
        https://thehackernews.com/2025/07/mobile-security-alert-352-iconads-fraud.html
      • Two New Pro-Russian Hacktivist Groups Target Ukraine, Recruit Insiders
        "Two new pro-Russian hacktivist groups have emerged in recent months to mount cyberattacks on Ukraine and its allies. The groups, calling themselves IT Army of Russia and TwoNet, use the Telegram messaging app to coordinate operations, recruit insiders and collect information about targets in Ukraine, according to a new report by cybersecurity firm Intel 471. Researchers said both groups appeared earlier this year and may be rebrands of previously known threat actors, though their exact links to past campaigns remain unclear."
        https://therecord.media/twonet-it-army-of-russia-new-hacktivist-groups-target-ukraine

      Breaches/Hacks/Leaks

      • IdeaLab Confirms Data Stolen In Ransomware Attack Last Year
        "IdeaLab is notifying individuals impacted by a data breach incident last October when hackers accessed sensitive information. Although the organization does not describe the type of attack, the Hunters International ransomware group has claimed the breach and leaked the stolen data on the dark web. IdeaLab is a California-based technology startup incubator that since 1996 has launched over 150 companies, including GoTo.com, CitySearch, eToys, Authy, Pet.net, Heliogen, and Energy Vault."
        https://www.bleepingcomputer.com/news/security/idealab-confirms-data-stolen-in-ransomware-attack-last-year/
      • Taking Over 60k Spyware User Accounts With SQL Injection
        "Recently I was looking through a database of known stalkerware services and found one I wasn’t familiar with: Catwatchful. It seemed to be a full-featured Android spy app, to actually be its own service as opposed to a millionth FlexiSpy reseller, and to offer a 3-day free trial. Aside from a boilerplate disclaimer to only use it with consent, it also pretty brazenly advertised itself as stalkerware in the FAQ:"
        https://ericdaigle.ca/posts/taking-over-60k-spyware-user-accounts/
        https://www.securityweek.com/undetectable-android-spyware-backfires-leaks-62000-user-logins/
        https://www.malwarebytes.com/blog/news/2025/07/catwatchful-child-monitoring-app-exposes-victims-data
      • Cybercriminals Target Brazil: 248,725 Exposed In CIEE One Data Breach
        "Yesterday, July 1, 2025 — the actor under the alias "888" published over 248,725 records containing sensitive PII stolen from CIEE (Centro de Integração Empresa-Escola). ONE CIEE is a personalized recruitment and selection service offered by CIEE Centro de Integração Empresa-Escola (Business-School Integration Center) for companies seeking candidates for internships and apprenticeship programs. It connects specialists and businesses, ranging from major international corporations to local entities in Brazil."
        https://www.resecurity.com/blog/article/cybercriminals-target-brazil-248725-exposed-in-ciee-one-data-breach
        https://securityaffairs.com/179609/data-breach/cybercriminals-target-brazil-248725-exposed-in-ciee-one-data-breach.html
      • Virginia County Says April Ransomware Attack Exposed Employee SSNs
        "Government employees working for the county of Gloucester in Virginia had Social Security numbers and other sensitive data stolen during a ransomware attack in April. The county sent 3,527 current and former employees notices this week warning that their personal information was accessed by hackers who breached county systems on April 22. In addition to Social Security numbers, names, driver’s license numbers, bank account information, health insurance numbers and medical information was also stolen during the incident."
        https://therecord.media/virginia-county-says-ransomware-attack-exposed-ssns
      • Young Consulting Finds Even More Folks Affected In Breach Mess – Now Over 1 Million
        "Young Consulting's cybersecurity woes continue after the number of affected individuals from last year's suspected ransomware raid passed the 1 million mark. The software vendor to stop-loss insurance carriers, now trading as Connexure, said the attack took place sometime between April 10 and 13, 2024, in a data breach notice that remains on its website homepage today. Young Consulting did not mention that ransomware was involved, although the BlackSuit group took credit for the attack, which was also widely reported as a ransomware incident."
        https://www.theregister.com/2025/07/03/young_consulting_breach_million/

      General News

      • Cyberattacks Are Draining Millions From The Hospitality Industry
        "Every day, millions of travelers share sensitive information like passports, credit card numbers, and personal details with hotels, restaurants, and travel services. This puts pressure on the hospitality sector to keep that information safe and private. The industry itself is booming. The hotel segment alone is expected to reach a new peak of $511.91 billion in 2029. It’s no surprise that cybercriminals are taking notice."
        https://www.helpnetsecurity.com/2025/07/03/hospitality-industry-cybersecurity-challenges/
      • AI Tools Are Everywhere, And Most Are Off Your Radar
        "80% of AI tools used by employees go unmanaged by IT or security teams, according to Zluri’s The State of AI in the Workplace 2025 report. AI is popping up all over the workplace, often without anyone noticing. If you’re a CISO, if you want to avoid blind spots and data risks, you need to know where AI is showing up and what it’s doing across the entire organization."
        https://www.helpnetsecurity.com/2025/07/03/shadow-ai-tools-workplace/
      • 90% Aren’t Ready For AI Attacks, Are You?
        "As AI reshapes business, 90% of organizations are not adequately prepared to secure their AI-driven future, according to a new report from Accenture. Globally, 63% of companies are in the “Exposed Zone,” indicating they lack both a cohesive cybersecurity strategy and necessary technical capabilities. The report reveals AI adoption has accelerated the speed, scale and sophistication of cyber threats, far outpacing current enterprise cyber defenses. For example, 77% of organizations lack the essential data and AI security practices needed to protect critical business models, data pipelines and cloud infrastructure."
        https://www.helpnetsecurity.com/2025/07/03/ai-cyber-defenses/
      • Police Dismantles Investment Fraud Ring Stealing €10 Million
        "The Spanish police have dismantled a large-scale investment fraud operation that caused cumulative damages exceeding $11.8 million (€10 million). During simultaneous raids in Barcelona, Madrid, Mallorca, and Alicante, coordinated by the Mossos d’Esquadra, Civil Guard, and the National Police, 21 individuals were arrested. Along with the arrests, the police agents also confiscated seven luxury vehicles and more than $1.5 million (€1.3 million) in cash and cryptocurrency."
        https://www.bleepingcomputer.com/news/legal/police-dismantles-investment-fraud-ring-stealing-10-million/
      • Amazon Prime Day 2025: Deals Await, But So Do The Cyber Criminals
        "Ahead of this year’s Amazon Prime Day 2025 on July 8th, shoppers worldwide are preparing their wish lists. So are cyber criminals. Phishing attacks are already targeting innocent shoppers. In June alone, over 1,000 new domains with names resembling Amazon appeared online. Alarmingly, 87% of these have already been flagged as malicious or suspicious. Many of the domains include the term “Amazon Prime”, with one in every 81 of the risky domains containing this phrase."
        https://blog.checkpoint.com/research/amazon-prime-day-2025-deals-await-but-so-do-the-cyber-criminals-2/
      • New Cyber Blueprint Aims To Guide Organizations On AI Journey
        "Executive leadership is pushing for rapid artificial intelligence (AI) adoption inside their organizations to offset cyber-workforce shortages or to enhance threat detection and incident response capabilities, but lack of preparation can introduce problems. To address the issue, Deloitte has published a new Cyber AI blueprint to provide organizations with a template for how to design, build, and deploy AI tools. The blueprint consists of an AI operating model, a governance model, and a reference architecture to help organizations design and operate an AI-powered environment, including agentic AI applications. The blueprint also includes elements to help organizations update the workforce's skills to handle the changes posed by the new AI-enhanced environment."
        https://www.darkreading.com/cyber-risk/cyber-blueprint-guide-ai-journey
      • Criminals Sending QR Codes In Phishing, Malware Campaigns
        "That email advertising a great deal on an inflatable pool to cool off with during this sweltering July may come with a nifty QR code to simplify the buying process. Or you find a QR code touting a special sale on fireworks for the holiday weekend. These QR codes look harmless, but attackers are increasingly using them for malicious purposes. In an analysis of phishing and other malicious activities associated with identity theft between October 2024 and March 2025, the Anti-Phishing Working Group (APWG) found that criminals are sending millions of emails each day containing QR codes that lead victims to phishing sites, brand impersonation pages, and other fraudulent scam sites. Over this six-month period, email security company and APWG member Mimecast detected 1.7 million malicious QR codes and an average of 2.7 million emails with QR codes attached daily, according to APWG's "Phishing Activity Trends Report.""
        https://www.darkreading.com/endpoint-security/criminals-send-qr-codes-phishing
      • Dark Web Vendors Shift To Third Parties, Supply Chains
        "Cyberattackers continue to attack a variety of technology supply chains — from open source software components to managed service providers — and increasingly, they are advertising their windfalls on Dark Web forums. In March, for example, a threat actor posted details of an alleged compromise of Oracle Cloud to the BreachForums Dark Web site. The compromise — initially denied by Oracle — led to Oracle later notifying customers of a breach of two servers containing usernames and passwords. The hacker who originally posted information of the attack, "rose87169," had published some information in the hope of attracting collaborators to decrypt some of the data."
        https://www.darkreading.com/threat-intelligence/dark-web-vendors-third-parties-supply-chains
      • AI Tackles Binary Code Challenges To Fortify Supply Chain Security
        "Artificial intelligence (AI) can help improve binary code analysis and, in turn, make the software supply chain more secure. Effective binary code analysis is paramount as supply chain risks rise. Vendor and government-backed initiatives introduced over the past two years, such as the Cybersecurity and Infrastructure Security Agency's Secure by Design pledge, accentuate how pervasive software supply chain security threats have grown. It's a result of how digitally interconnected organizations have become. However, it's difficult to account for every link in the chain — some prioritize security, while others exhibit dangerous shortcomings."
        https://www.darkreading.com/application-security/ai-tackles-binary-code-challenges-fortify-supply-chain-security
      • Browser Extensions Pose Heightened, But Manageable, Security Risks
        "While browser extensions add useful functionality to Web browsers, such as blocking ads, managing passwords, and taking notes, they also increase the organization's security and privacy risks. Browser extensions require certain levels of permissions that are attractive to attackers. Some extensions need access to the user's location, browsing history, or the user's clipboard to see what data the user has copied. Some extensions go further, requesting access to nearly all of the data stored on the user's computer as well as the data accessed while visiting different websites. Attackers can exploit extensions with these heightened permissions to access potentially sensitive information, such as Web traffic, saved credentials, and session cookies."
        https://www.darkreading.com/cyber-risk/browser-extensions-heightened-manageable-security-risks
      • CVE Program Launches Two New Forums To Enhance CVE Utilization
        "The Board of the Common Vulnerabilities and Exposures (CVE) Program has launched two new forums to encourage more contributions and shape the future of the initiative. The CVE Program, run by the nonprofit MITRE and sponsored by the US Cybersecurity and Infrastructure Security Agency (CISA), faced uncertainty about its future in April after its contract expired. The contract was subsequently extended for 11 months, according to reports. While the longer-term future of the program remains uncertain beyond this period, the CVE Board appears to be willing to allow more stakeholders to have a voice and shape the program’s strategy."
        https://www.infosecurity-magazine.com/news/cve-program-new-user-researcher/
      • INTERPOL Releases New Information On Globalization Of Scam Centres
        "Human trafficking-fueled scam centres have expanded their global footprint, according to a new crime trend update released by INTERPOL. As of March 2025, victims from 66 countries were trafficked into online scam centres, with no continent left untouched. Seventy-four percent of human trafficking victims were brought to centres in the original ‘hub’ region of Southeast Asia, according to analysis of the crime trend using data from relevant INTERPOL Notices issued in the past five years."
        https://www.interpol.int/en/News-and-Events/News/2025/INTERPOL-releases-new-information-on-globalization-of-scam-centres
        https://therecord.media/interpol-west-africa-cybercrime-compounds
      • Russia Jails Man For 16 Years Over Pro-Ukraine Cyberattacks On Critical Infrastructure
        "A Russian court has sentenced a man to 16 years in a high-security penal colony for launching cyberattacks that disrupted critical infrastructure, authorities said on Wednesday. Andrei Smirnov, a resident of the Siberian city of Belovo, was detained in October 2023 and charged with treason. Prosecutors said he held pro-Ukrainian views and joined a hacker group allegedly acting in the interests of Ukrainian intelligence. According to their investigation, Smirnov used malware to attack Russian information systems in 2022, blocking access to websites of several local companies and damaging critical infrastructure. Russian authorities did not specify which infrastructure or companies were affected."
        https://therecord.media/russia-jails-man-over-pro-ukraine-cyberattacks
      • Ransomware And Cyber Extortion In Q2 2025
        "The decline of legacy ransomware groups has created a vacuum that’s quickly been filled by emerging groups like “Qilin.” Nonetheless, this quarter still saw a 31% decrease in named victims compared to the previous quarter. Leading ransomware-as-a-service (RaaS) groups like Qilin and “Akira” rely on the mass exploitation of vulnerabilities to compromise organizations with speed and precision. Future ransomware leaders are likely to succeed by combining automated discovery tools with public proof-of-concept (POC) exploits, accelerating compromises and propelling them to the forefront of the ransomware race. To counter these threats, organizations must prioritize asset discovery and implement a strict patch management framework to ensure exposed and critical devices cannot be exploited by ransomware actors."
        https://reliaquest.com/blog/ransomware-cyber-extortion-threat-intel-q2-2025/
        https://www.infosecurity-magazine.com/news/automation-vulnerability/

      Reference
      Electronic Transactions Development Agency (ETDA)

      Posted in Cyber Security News
      NCSA_THAICERT
    • Cyber Threat Intelligence 03 July 2025

      Financial Sector

      • How FinTechs Are Turning GRC Into a Strategic Enabler
        "In this Help Net Security interview, Alexander Clemm, Corp GRC Lead, Group CISO, and BCO at Riverty, shares how the GRC landscape for FinTechs has matured in response to tighter regulations and global growth. He discusses the impact of frameworks like DORA and the EU AI Act, and reflects on building a culture where compliance supports, rather than slows, business progress."
        https://www.helpnetsecurity.com/2025/07/02/alexander-clemm-riverty-fintechs-grc-landscape/

      New Tooling

      • Secretless Broker: Open-Source Tool Connects Apps Securely Without Passwords Or Keys
        "Secretless Broker is an open-source connection broker that eliminates the need for client applications to manage secrets when accessing target services like databases, web services, SSH endpoints, or other TCP-based systems."
        https://www.helpnetsecurity.com/2025/07/02/secretless-broker-open-source-tool-connects-apps-securely/
        https://github.com/cyberark/secretless-broker

      Vulnerabilities

      • Cisco Warns That Unified CM Has Hardcoded Root SSH Credentials
        "Cisco has removed a backdoor account from its Unified Communications Manager (Unified CM), which would have allowed remote attackers to log in to unpatched devices with root privileges. Cisco Unified Communications Manager (CUCM), formerly known as Cisco CallManager, serves as the central control system for Cisco's IP telephony systems, handling call routing, device management, and telephony features. The vulnerability (tracked as CVE-2025-20309) was rated as maximum severity, and it is caused by static user credentials for the root account, which were intended for use during development and testing."
        https://www.bleepingcomputer.com/news/security/cisco-removes-unified-cm-callManager-backdoor-root-account/
        https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cucm-ssh-m4UBdpE7
        https://securityaffairs.com/179577/security/cisco-removed-the-backdoor-account-from-its-unified-communications-manager.html
        https://www.theregister.com/2025/07/02/cisco_patch_cvss/
      • 600,000 WordPress Sites Affected By Arbitrary File Deletion Vulnerability In Forminator WordPress Plugin
        "On June 20th, 2025, we received a submission for an Arbitrary File Deletion vulnerability in Forminator, a WordPress plugin with more than 600,000 active installations. This vulnerability makes it possible for unauthenticated threat actors to specify arbitrary file paths in a form submission, and the file will be deleted when the submission is deleted. It can be leveraged to delete critical files like wp-config.php, which can lead to remote code execution. Props to Phat RiO – BlueRock who discovered and responsibly reported this vulnerability through the Wordfence Bug Bounty Program. This researcher earned a bounty of $8,100.00 for this discovery, the top bounty awarded through our program so far."
        https://www.wordfence.com/blog/2025/07/600000-wordpress-sites-affected-by-arbitrary-file-deletion-vulnerability-in-forminator-wordpress-plugin/
        https://www.bleepingcomputer.com/news/security/forminator-plugin-flaw-exposes-wordpress-sites-to-takeover-attacks/
        https://www.securityweek.com/forminator-wordpress-plugin-vulnerability-exposes-400000-websites-to-takeover/
      • CISA Adds One Known Exploited Vulnerability To Catalog
        "CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
        CVE-2025-6554 Google Chromium V8 Type Confusion Vulnerability"
        https://www.cisa.gov/news-events/alerts/2025/07/02/cisa-adds-one-known-exploited-vulnerability-catalog

      Malware

      • Analysis Of Attacks Targeting Linux SSH Servers For Proxy Installation
        "AhnLab SEcurity intelligence Center (ASEC) monitors attacks targeting Linux servers that are inappropriately managed using honeypots. One of the representative honeypots is the SSH service that uses weak credentials, which is targeted by a large number of DDoS and coinminer attackers. ASEC has identified cases where Linux servers were attacked to install proxies. In each case, TinyProxy or Sing-box was installed. No other attack logs were found except for the installation of TinyProxy or Sing-box. It appears that the attackers aim to use the infected systems as proxy nodes."
        https://asec.ahnlab.com/en/88749/
      • DCRAT Impersonating The Colombian Government
        "The FortiMail IR team recently uncovered a new email attack distributing a Remote Access Trojan called DCRAT. The threat actor is impersonating a Colombian government entity to target organizations in Colombia. The threat actor uses multiple techniques, such as a password protected archive, obfuscation, steganography, base64 encoding, and multiple file drops, to evade detection."
        https://www.fortinet.com/blog/threat-research/dcrat-impersonating-the-columbian-government
      • June's Dark Gift: The Rise Of Qwizzserial
        "Discovered by Group-IB in mid-2024, the Qwizzserial, which was initially not very active, began to spread strongly in Uzbekistan, masquerading as legitimate applications. The malware steals banking information and intercepts 2FA sms, transmitting it to fraudsters via Telegram bots."
        https://www.group-ib.com/blog/rise-of-qwizzserial/
        https://www.infosecurity-magazine.com/news/android-sms-stealer-100000/
      • Okta Observes v0 AI Tool Used To Build Phishing Sites
        "Okta Threat Intelligence has observed threat actors abusing v0, a breakthrough Generative Artificial Intelligence (GenAI) tool created by Vercel, to develop phishing sites that impersonate legitimate sign-in webpages. This observation signals a new evolution in the weaponization of Generative AI by threat actors who have demonstrated an ability to generate a functional phishing site from simple text prompts. Okta researchers were able to reproduce our observations."
        https://www.okta.com/newsroom/articles/okta-observes-v0-ai-tool-used-to-build-phishing-sites/
        https://thehackernews.com/2025/07/vercels-v0-ai-tool-weaponized-by.html
      • MacOS NimDoor | DPRK Threat Actors Target Web3 And Crypto Platforms With Nim-Based Malware
        "In April 2025, Huntabil.IT observed a targeted attack on a Web3 startup, attributing the incident to a DPRK threat actor group. Several reports on social media at the time described similar incidents at other Web3 and Crypto organizations. Analysis revealed an attack chain consisting of an eclectic mix of scripts and binaries written in AppleScript, C++ and Nim. Although the early stages of the attack follow a familiar DPRK pattern using social engineering, lure scripts and fake updates, the use of Nim-compiled binaries on macOS is a more unusual choice. A report by Huntress in mid-June described a similar initial attack chain as observed by Huntabil.IT, albeit using different later stage payloads."
        https://www.sentinelone.com/labs/macos-nimdoor-dprk-threat-actors-target-web3-and-crypto-platforms-with-nim-based-malware/
        https://www.bleepingcomputer.com/news/security/nimdoor-crypto-theft-macos-malware-revives-itself-when-killed/
        https://thehackernews.com/2025/07/north-korean-hackers-target-web3-with.html
      • FoxyWallet: 40+ Malicious Firefox Extensions Exposed
        "A large-scale malicious campaign has been uncovered involving dozens of fake Firefox extensions designed to steal cryptocurrency wallet credentials. These extensions impersonate legitimate wallet tools from widely-used platforms such as Coinbase, MetaMask, Trust Wallet, Phantom, Exodus, OKX, Keplr, MyMonero, Bitget, Leap, Ethereum Wallet, and Filfox. Once installed, the malicious extensions silently exfiltrate wallet secrets, putting users’ assets at immediate risk. So far, we were able to link to over 40 different extensions to this campaign, which is still ongoing and very much alive — some extensions are still available on the marketplace. The linkage was done through a meticulous effort of discovering shared TTPs and infrastructure."
        https://blog.koi.security/foxywallet-40-malicious-firefox-extensions-exposed-4c14419de486
        https://www.bleepingcomputer.com/news/security/dozens-of-fake-wallet-add-ons-flood-firefox-store-to-drain-crypto/
      • French Cybersecurity Agency Confirms Government Affected By Ivanti Hacks
        "France’s cybersecurity agency reported on Tuesday that a range of government, utility and private sector entities in the country were impacted by a hacking campaign last year exploiting multiple zero-day vulnerabilities in an Ivanti appliance. The campaign, which had prompted a warning in September by U.S. cybersecurity authorities, targeted the Ivanti Cloud Service Appliance — a bit of software that connects on-premise networks with cloud-based services. In France, the hacking campaign targeted “organizations from governmental, telecommunications, media, finance, and transport sectors,” stated the report from ANSSI — the Agence Nationale de la Sécurité des Systèmes d’Information (the National Agency for the Security of Information Systems) — exploiting bugs tracked as CVE-2024-8190, CVE-2024-8963, and CVE-2024-9380."
        https://therecord.media/france-anssi-report-ivanti-bugs-exploited
        https://www.cert.ssi.gouv.fr/uploads/CERTFR-2025-CTI-009.pdf
        https://www.darkreading.com/cyber-risk/initial-access-broker-self-patches-zero-days
        https://www.bankinfosecurity.com/chinese-hackers-exploited-ivanti-flaw-in-france-a-28888
        https://www.infosecurity-magazine.com/news/chinese-hackers-france-ivanti/
      • PDFs: Portable Documents, Or Perfect Deliveries For Phish?
        "The portable document format (PDF) is a standard method for sharing information electronically. Files created in other applications (e.g., Microsoft Word) are often converted into this format, which can then be viewed using PDF rendering applications like Adobe Reader, commonly available on most OSs. Thanks to its excellent portability, this file format is widely used for the mass distribution of documents to large audiences. However, in recent months, it has also been exploited for illegitimate purposes, such as brand impersonation."
        https://blog.talosintelligence.com/pdfs-portable-documents-or-perfect-deliveries-for-phish/
        https://thehackernews.com/2025/07/hackers-using-pdfs-to-impersonate.html
      • Jasper Sleet: North Korean Remote IT Workers’ Evolving Tactics To Infiltrate Organizations
        "Since 2024, Microsoft Threat Intelligence has observed remote information technology (IT) workers deployed by North Korea leveraging AI to improve the scale and sophistication of their operations, steal data, and generate revenue for the Democratic People’s Republic of Korea (DPRK). Among the changes noted in the North Korean remote IT worker tactics, techniques, and procedures (TTPs) include the use of AI tools to replace images in stolen employment and identity documents and enhance North Korean IT worker photos to make them appear more professional. We’ve also observed that they’ve been utilizing voice-changing software."
        https://www.microsoft.com/en-us/security/blog/2025/06/30/jasper-sleet-north-korean-remote-it-workers-evolving-tactics-to-infiltrate-organizations/
        https://www.darkreading.com/cyberattacks-data-breaches/scope-scale-spurious-north-korean-it-workers
      • Silent Push Uncovers Chinese Fake Marketplace e-Commerce Phishing Campaign Using Thousands Of Websites To Spoof Popular Retail Brands
        "From a lead gained through a recent X/Twitter post by Mexican journalist Ignacio Gómez Villaseñor, Silent Push Threat Analysts have been investigating a new phishing e-commerce website scam campaign. The original campaign observed was targeting Spanish-language visitors shopping for the “Hot Sale 2025.” The research by Gómez Villaseñor focused on specific domains found on one IP address targeting Spanish-language audiences; however, it was but one slice of a much larger campaign."
        https://www.silentpush.com/blog/fake-marketplace/
        https://therecord.media/china-linked-hackers-website-phishing
      • Cl0p Cybercrime Gang's Data Exfiltration Tool Found Vulnerable To RCE Attacks
        "Security experts have uncovered a hole in Cl0p's data exfiltration tool that could potentially leave the cybercrime group vulnerable to attack. The vulnerability in the Python-based software, which was used in the 2023-2024 MOVEit mass data raids, was discovered by Italian researcher Lorenzo N and published by the Computer Incident Response Center Luxembourg (CIRCL). Classed as an improper input validation (CWE-20) bug, the flaw with an 8.9 severity score is underpinned by a lack of input sanitization, which results in the tool constructing OS commands by concatenating attacker-supplied strings."
        https://www.theregister.com/2025/07/02/cl0p_rce_vulnerability/
        https://vulnerability.circl.lu/vuln/gcve-1-2025-0002
      • Windows Shortcut (LNK) Malware Strategies
        "Attackers are increasingly exploiting Windows shortcut (LNK) files for malware delivery. Our telemetry revealed 21,098 malicious LNK samples in 2023, which surged to 68,392 in 2024. In this article, we present an in-depth investigation of LNK malware, based on analysis of 30,000 recent samples. Windows shortcut files use the .lnk file extension and function as a virtual link that allows people to easily access other files without having to navigate through multiple folders on a Windows host. The flexibility of LNK files makes them a powerful tool for attackers, as they can both execute malicious content and masquerade as legitimate files to deceive victims into unintentionally launching malware."
        https://unit42.paloaltonetworks.com/lnk-malware/
      • ESET Research: Russia’s Gamaredon APT Group Unleashed Spearphishing Campaigns Against Ukraine With An Evolved Toolset
        "ESET Research has released a white paper about Gamaredon’s updated cyberespionage toolset, new stealth-focused techniques, and aggressive spearphishing operations observed across the previous year. Gamaredon, attributed by the Security Service of Ukraine (SSU) to the 18th Center of Information Security of Russia’s Federal Security Service (FSB), has targeted Ukrainian governmental institutions since at least 2013. In 2024, Gamaredon exclusively attacked Ukrainian institutions. ESET’s latest research shows that the group remains highly active, consistently targeting Ukraine, but has notably adapted its tactics and tools. The group’s objective is cyberespionage aligned with Russian geopolitical interests. Last year, the group significantly increased the scale and frequency of spearphishing campaigns, employing new delivery methods, and one attack payload was used solely to spread Russian propaganda."
        https://www.eset.com/us/about/newsroom/research/eset-research-russias-gamaredon-apt-group-unleashed-spearphishing-campaigns-against-ukraine-with-an-evolved-toolset/
        https://www.welivesecurity.com/en/eset-research/gamaredon-2024-cranking-out-spearphishing-campaigns-ukraine-evolved-toolset/
        https://web-assets.esetstatic.com/wls/en/papers/white-papers/gamaredon-in-2024.pdf
        https://www.darkreading.com/cyberattacks-data-breaches/russian-apt-gamaredon-ukraine-phishing

      Breaches/Hacks/Leaks

      • US Calls Reported Threats By Pro-Iran Hackers To Release Trump-Tied Material a ‘Smear Campaign’
        "Pro-Iran hackers have threatened to release emails supposedly stolen from people connected to President Donald Trump, according to a news report, a move that federal authorities call a “calculated smear campaign.” The United States has warned of continued Iranian cyberattacks following American strikes on Iran’s nuclear facilities and the threats those could pose to services, economic systems and companies. The Cybersecurity and Infrastructure Security Agency said late Monday that the threat to expose emails about Trump is “nothing more than digital propaganda” meant to damage Trump and other federal officials."
        https://www.securityweek.com/us-calls-reported-threats-by-pro-iran-hackers-to-release-trump-tied-material-a-smear-campaign/
      • Medical Device Company Surmodics Reports Cyberattack, Says It’s Still Recovering
        "Minnesota-based company Surmodics said a cyberattack on June 5 forced the medical device manufacturer to shut down parts of its IT system. Surmodics is the largest U.S. provider of outsourced hydrophilic coatings used to reduce friction for objects such as intravascular medical devices. Last month its IT team discovered unauthorized access in its network and took systems offline, while using alternative methods to accept customer orders and ship products. Law enforcement has been notified, according to a filing with the U.S. Securities and Exchange Commission (SEC)."
        https://therecord.media/surmodics-medical-device-company-reports-cybersecurity-incident
      • Hacker With ‘Political Agenda’ Stole Data From Columbia, University Says
        "A hacktivist with a “political agenda” broke into Columbia University IT systems and stole “targeted” student data in recent weeks, a university official said Tuesday. It is unclear how long the hacker was in university systems but a Columbia spokesperson said there has been no threat activity detected since June 24. Last week, the school said it was investigating a cyberattack and the university’s website and other systems were intermittently offline. “Our investigation has indicated the hackers are highly sophisticated and were very targeted in their theft of documents,” the university official said. “They broke in and stole student data with the apparent goal of furthering their political agenda.”"
        https://therecord.media/hacker-political-agenda-columbia-cyberattack
      • Ransomware Gang Attacks German Charity That Feeds Starving Children
        "Deutsche Welthungerhilfe (WHH), the German charity that aims to develop sustainable food supplies in some of the world’s most impoverished countries, has been attacked by a ransomware gang. The charity, whose name literally translates as World Hunger Help, reached 16.4 million people in 2023. It is currently providing emergency aid to people in Gaza, Ukraine, Sudan and other countries and regions where there is an urgent need for food, water, medicine and basic necessities. A spokesperson confirmed to Recorded Future News that WHH had been targeted by a ransomware-as-a-service (RaaS) group which recently listed the charity on its darknet leak site."
        https://therecord.media/welthungerhilfe-german-hunger-relief-charity-ransomware-attack
      • Hacktivists' Claimed Breach Of Nuclear Secrets Debunked
        "Security experts are dismissing a pro-Iranian hacktivist group's claim to have breached Indian nuclear secrets in reprisal for the country's support of Israel. The LulzSec Black group last week claimed to have hacked "the company responsible for Indian nuclear reactors" and to have stolen 80 databases, of which it was now selling 17 databases containing 5.2 gigabytes of data. The group claimed the information detailed the precise location of India's nuclear reactors, numerous chemical laboratories, employee personally identifiable information, industrial and engineering information, precise details of guard shifts and "other sensitive data related to infrastructure.""
        https://www.bankinfosecurity.com/hacktivists-claimed-breach-nuclear-secrets-debunked-a-28881

      General News

      • Cybersecurity Essentials For The Future: From Hype To What Works
        "Cybersecurity never stands still. One week it’s AI-powered attacks, the next it’s a new data breach, regulation, or budget cut. With all that noise, it’s easy to get distracted. But at the end of the day, the goal stays the same: protect the business. CISOs are being asked to juggle more, with tighter resources, more boardroom time, and threats that keep changing. Here are five areas that deserve your attention now and going forward."
        https://www.helpnetsecurity.com/2025/07/02/cybersecurity-essentials-best-practices/
      • Scammers Are Tricking Travelers Into Booking Trips That Don’t Exist
        "Not long ago, travelers worried about bad weather. Now, they’re worried the rental they booked doesn’t even exist. With AI-generated photos and fake reviews, scammers are creating fake listings so convincing, people are losing money before they even pack a bag. The FTC reported that Americans lost $274 million to vacation and travel fraud in 2024."
        https://www.helpnetsecurity.com/2025/07/02/ai-travel-scams/
      • DOJ Investigates Ex-Ransomware Negotiator Over Extortion Kickbacks
        "An ex-ransomware negotiator is under criminal investigation by the Department of Justice for allegedly working with ransomware gangs to profit from extortion payment deals. The suspect is a former employee of DigitalMint, a Chicago-based incident response and digital asset services company that specializes in ransomware negotiation and facilitating cryptocurrency payments to receive a decryptor or prevent stolen data from being publicly released. The company claims to have conducted over 2,000 ransomware negotiations since 2017. Bloomberg first reported that the DOJ is investigating whether the suspect worked with ransomware gangs to negotiate payments, then allegedly received a cut of the ransom that was charged to the customer."
        https://www.bleepingcomputer.com/news/security/doj-investigates-ex-ransomware-negotiator-over-extortion-kickbacks/
      • Spain Arrests Hackers Who Targeted Politicians And Journalists
        "The Spanish police have arrested two individuals in the province of Las Palmas for their alleged involvement in cybercriminal activity, including data theft from the country's government. The duo has been described as a "serious threat to national security" and focused their attacks on high-ranking state officials as well as journalists. They leaked samples of the stolen data online to build notoriety and inflate the selling price. "The investigation began when agents detected the leakage of personal data affecting high-level institutions of the State across various mass communication channels and social networks," reads the police announcement."
        https://www.bleepingcomputer.com/news/security/spain-arrests-hackers-who-targeted-politicians-and-journalists/
        https://therecord.media/spain-arrests-two-data-leaks-targeting-gov-officials-journalists
      • Spain TLD’s Recent Rise To Dominance
        "Threat actors use various Top-Level Domains (TLDs) to host malicious content and serve as Command and Control (C2) locations. Commonly abused TLDs used to host credential phishing include .ru and .com. More recently, Cofense Intelligence detected a meteoric increase in abuse of the .es TLD for malicious activity. From Q4 2024 to Q1 2025, .es TLD abuse increased 19x and became part of the top 10 abused TLDs in credential phishing. This increase applies to both first-stage URLs (links embedded in emails or attachments) and second-stage URLs (sites visited after the embedded URLs). These second-stage URLs typically host credential phishing pages or exfiltrate information. It is these second-stage URLs that have seen the greatest increase in .es TLD abuse."
        https://cofense.com/blog/spain-tld-s-recent-rise-to-dominance
      • 1 Year Later: Lessons Learned From The CrowdStrike Outage
        "One year after a buggy CrowdStrike update knocked IT systems offline, organizations seeking to strike the right balance between security and productivity have viewed the incident as a learning opportunity. The cost of the CrowdStrike outage was estimated at $5.4 billion, affecting payment systems, airline reservations, and a variety of other industries. The impact of the outage highlights why many operational technology (OT) teams are as sensitive to patches and other updates in their critical infrastructure, as they are highly averse to outages that can happen if such updates are defective."
        https://www.darkreading.com/vulnerabilities-threats/1-year-later-lessons-crowdstrike-outage
      • Rethinking Cyber-Risk As Traditional Models Fall Short
        "Rapidly advancing technology, increasingly sophisticated attackers, and a rise in supply chain threats make systemic cyber-risk difficult to assess. An influx of vulnerabilities that continue to amass each year, paired with faster exploit times, doesn't help. Risk models developed to measure systemic cyber-risk can help organizations determine the likelihood of a disruptive attack and expose security holes. Insurers use modeling to assess systemic cyber-risk, which influences underwriting, coverage, and policy pricing decisions."
        https://www.darkreading.com/cyber-risk/rethinking-cyber-risk-traditional-models-fall-short
      • Like Ransoming a Bike: Organizational Muscle Memory Drives The Most Effective Response
        "Ransomware has become an enterprise boogeyman, experiencing a 37 percent increase over 2024 according to the Verizon Data Breach Investigations Report (PDF), being present in nearly half of all breaches. It would seem that resistance is futile as all the technology and training put in place fail to repel attacks, and all the best practices in backups and redundancy provide only cold comfort. But in the old joke of a tiger pursuing two friends, there are lessons in survivability that translate in a business context. However, in this context it’s not just being the faster friend, it’s organizational athleticism and muscle memory fostering agility and quick, decisive thinking that can make a massive difference in impact. And as with athletic performance, that muscle memory is earned with proper training, form, and practice."
        https://www.securityweek.com/like-ransoming-a-bike-organizational-muscle-memory-drives-the-most-effective-response/
      • That Network Traffic Looks Legit, But It Could Be Hiding a Serious Threat
        "Where do you turn when firewalls and endpoint detection and response (EDR) fall short at detecting the most important threats to your organization? Breaches at edge devices and VPN gateways have risen from 3% to 22%, according to Verizon's latest Data Breach Investigations report. EDR solutions are struggling to catch zero-day exploits, living-off-the-land techniques, and malware-free attacks. Nearly 80% of detected threats use malware-free techniques that mimic normal user behavior, as highlighted in CrowdStrike's 2025 Global Threat Report. The stark reality is that conventional detection methods are no longer sufficient as threat actors adapt their strategies, using clever techniques like credential theft or DLL hijacking to avoid discovery."
        https://thehackernews.com/2025/07/that-network-traffic-looks-legit-but-it.html

      Reference
      Electronic Transactions Development Agency (ETDA)

      Posted in Cyber Security News
      NCSA_THAICERT
    • CISA Issues 7 Industrial Control Systems Advisories

      The Cybersecurity and Infrastructure Security Agency (CISA) published seven Industrial Control Systems (ICS) advisories on 2 July 2025 (B.E. 2568). These advisories provide timely information about current security issues and vulnerabilities surrounding ICS. They are as follows:

      • ICSA-25-182-01 FESTO Didactic CP, MPS 200, and MPS 400 Firmware
      • ICSA-25-182-02 FESTO Automation Suite, FluidDraw, and Festo Didactic Products
      • ICSA-25-182-03 FESTO CODESYS
      • ICSA-25-182-04 FESTO Hardware Controller, Hardware Servo Press Kit
      • ICSA-25-182-05 Voltronic Power and PowerShield UPS Monitoring Software
      • ICSA-25-182-06 Hitachi Energy Relion 670/650 and SAM600-IO Series
      • ICSA-25-182-07 Hitachi Energy MSM

      CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations. Further details are available at https://www.cisa.gov/news-events/alerts/2025/07/01/cisa-releases-seven-industrial-control-systems-advisories

      Reference
      https://www.cisa.gov/news-events/alerts/2025/07/01/cisa-releases-seven-industrial-control-systems-advisories
      You can follow the news on the webboard or on Facebook NCSA Thailand

      Posted in OT Cyber Security News
      NCSA_THAICERT
    • Cyber Threat Intelligence 02 July 2025

      Energy Sector

      • Protecting The Core: Securing Protection Relays In Modern Substations
        "Substations are critical nexus points in the power grid, transforming high-voltage electricity to ensure its safe and efficient delivery from power plants to millions of end-users. At the core of a modern substation lies the protection relay: an intelligent electronic device (IED) that plays a critical role in maintaining the stability of the power grid by continuously monitoring voltage, current, frequency, and phase angle. Upon detecting a fault, it instantly isolates the affected zone by tripping circuit breakers, thus preventing equipment damage, fire hazards, and cascading power outages."
        https://cloud.google.com/blog/topics/threat-intelligence/securing-protection-relays-modern-substations

      Industrial Sector

      • FESTO Didactic CP, MPS 200, And MPS 400 Firmware
        "Successful exploitation of this vulnerability could allow an attacker to write arbitrary data and code to protected memory areas or read sensitive data to launch further attacks."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-182-01
      • FESTO Automation Suite, FluidDraw, And Festo Didactic Products
        "Successful exploitation of these vulnerabilities could allow an attacker to gain full control of the host system, including remote code execution."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-182-02
      • FESTO CODESYS
        "Successful exploitation of these vulnerabilities could allow an attacker to block legitimate user connections, crash the application, or authenticate without proper credentials."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-182-03
      • FESTO Hardware Controller, Hardware Servo Press Kit
        "Successful exploitation of these vulnerabilities could allow an attacker to execute unauthorized system commands with root privileges."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-182-04
      • Voltronic Power And PowerShield UPS Monitoring Software
        "Successful exploitation of these vulnerabilities could allow an unauthenticated attacker remotely to make configuration changes, resulting in shutting down UPS connected devices or execution of arbitrary code."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-182-05
      • Hitachi Energy Relion 670/650 And SAM600-IO Series
        "Successful exploitation of this vulnerability could allow attackers to cause a denial-of-service that disrupts critical functions in the device."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-182-06
      • Hitachi Energy MSM
        "Successful exploitation of this vulnerability could allow attackers to execute untrusted code, potentially leading to unauthorized actions or system compromise."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-182-07

      Vulnerabilities

      • Critical RCE Vulnerability In Anthropic MCP Inspector - CVE-2025-49596
        "Oligo Security Research reported a Remote Code Execution (RCE) vulnerability and DNS rebinding in the MCP Inspector project to Anthropic, leading to CVE-2025-49596 being issued, with a Critical CVSS Score of 9.4. This is one of the first critical RCEs in Anthropic’s MCP ecosystem, exposing a new class of browser-based attacks against AI developer tools. With code execution on a developer’s machine, attackers can steal data, install backdoors, and move laterally across networks - highlighting serious risks for AI teams, open-source projects, and enterprise adopters relying on MCP. When a victim visits a malicious website, the vulnerability allows attackers to run arbitrary code on the visiting host running the official MCP inspector tool that is used by default in many use cases."
        https://www.oligo.security/blog/critical-rce-vulnerability-in-anthropic-mcp-inspector-cve-2025-49596
        https://thehackernews.com/2025/07/critical-vulnerability-in-anthropics.html
      • Chrome Zero-Day, 'FoxyWallet' Firefox Attacks Threaten Browsers
        "Both the Google Chrome and Mozilla Firefox browsers currently are under separate attacks, the former from actors exploiting a zero-day bug and the latter from a list of malicious extensions that are actively compromising users. Google rushed out a stable channel update on Monday to patch the fourth zero-day flaw found in its browser this year, a high-severity type confusion flaw tracked as CVE-2025-6554, according to a Google security advisory. The flaw, which allows attackers to execute arbitrary code, is under active exploitation and should be patched immediately. Meanwhile, 45 malicious Firefox extensions impersonating legitimate cryptocurrency wallet add-ons are targeting Mozilla Firefox users, compromising their client devices."
        https://www.darkreading.com/cyberattacks-data-breaches/browsers-targeted-chrome-zero-day-malicious-firefox-extensions
        https://www.bleepingcomputer.com/news/security/google-fixes-fourth-actively-exploited-chrome-zero-day-of-2025/
        https://thehackernews.com/2025/07/google-patches-critical-zero-day-flaw.html
        https://www.securityweek.com/chrome-138-update-patches-zero-day-vulnerability/
        https://www.helpnetsecurity.com/2025/07/01/google-patches-actively-exploited-chrome-cve-2025-6554/
        https://www.infosecurity-magazine.com/news/google-patch-chrome-zero-day/
        https://www.malwarebytes.com/blog/news/2025/07/update-your-chrome-to-fix-new-actively-exploited-zero-day-vulnerability
      • CISA Adds Two Known Exploited Vulnerabilities To Catalog
        "CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
        CVE-2025-48927 TeleMessage TM SGNL Initialization of a Resource with an Insecure Default Vulnerability
        CVE-2025-48928 TeleMessage TM SGNL Exposure of Core Dump File to an Unauthorized Control Sphere Vulnerability"
        https://www.cisa.gov/news-events/alerts/2025/07/01/cisa-adds-two-known-exploited-vulnerabilities-catalog
      • Sudo Local Privilege Escalation Vulnerabilities Fixed (CVE-2025-32462, CVE-2025-32463)
        "If you haven’t recently updated the Sudo utility on your Linux box(es), you should do so now, to patch two local privilege escalation vulnerabilities (CVE-2025-32462, CVE-2025-32463) that have been disclosed on Monday. Sudo is a command-line utility in Unix-like operating systems that allows a low-privilege user to execute a command as another user, typically the root/administrator user. The utility effectively grants temporary elevated privileges without requiring the user to log in as root."
        https://www.helpnetsecurity.com/2025/07/01/sudo-local-privilege-escalation-vulnerabilities-fixed-cve-2025-32462-cve-2025-32463/
      • Can You Trust That Verified Symbol? Exploiting IDE Extensions Is Easier Than It Should Be
        "Integrated Development Environments (IDEs) play a major role in today’s programming landscape. They provide comprehensive environments in which programmers can write, test, and debug code efficiently. However, OX’s research, conducted in May and June 2025, reveals critical security vulnerabilities in how popular IDEs handle extension verification. IDEs typically include basic built-in functionality, but their capabilities extend through a wide range of third-party extensions available on marketplaces and external websites. This means that any risk in the IDE could result in far-reaching consequences."
        https://www.ox.security/can-you-trust-that-verified-symbol-exploiting-ide-extensions-is-easier-than-it-should-be/
        https://thehackernews.com/2025/07/new-flaw-in-ides-like-visual-studio.html

      Malware

      • How Analyzing 700,000 Security Incidents Helped Our Understanding Of Living Off The Land Tactics
        "This article shares initial findings from internal Bitdefender Labs research into Living off the Land (LOTL) techniques. Our team at Bitdefender Labs, comprised of hundreds of security researchers with close ties to academia, conducted this analysis as foundational research during the development of our GravityZone Proactive Hardening and Attack Surface Reduction (PHASR) technology. The results reveal adversaries’ persistent and widespread use of trusted system tools in most significant security incidents. While this research was primarily for our internal development efforts, we believe these initial insights from Bitdefender Labs are valuable for broader understanding and we are sharing them now, ahead of a more comprehensive report."
        https://www.helpnetsecurity.com/2025/07/01/bitdefender-lotl-security-incidents-phasr/
      • FileFix (Part 2)
        "While analyzing Chrome & MS Edge’s behavior, I made an interesting observation. When an HTML page is saved using Ctrl+S or Right-click > “Save as” and either “Webpage, Single File” or “Webpage, Complete” types were selected, then the file downloaded does not have MOTW. Furthermore, this behaviour only applies if the webpage being saved has a MIME type of text/html or application/xhtml+xml. Other MIME types will result in the file being tagged with MOTW (e.g. image/png, image/svg+xml etc.)"
        https://mrd0x.com/filefix-part-2/
        https://www.bleepingcomputer.com/news/security/new-filefix-attack-runs-jscript-while-bypassing-windows-motw-alerts/
      • Stealthy WordPress Malware Drops Windows Trojan Via PHP Backdoor
        "Last month, we encountered a particularly interesting and complex malware case that stood out from the usual infections we see in compromised WordPress websites. At first glance, the site looked clean, no visible signs of defacement, no malicious redirects, and nothing suspicious in the plugin list. But beneath the surface, a hidden infection chain was quietly working to deliver a trojan to unsuspecting visitors. It was a layered attack involving PHP-based droppers, obfuscated code, IP-based evasion, auto-generated batch scripts, and a malicious ZIP archive containing a Windows-based trojan (client32.exe)."
        https://blog.sucuri.net/2025/06/stealthy-wordpress-malware-drops-windows-trojan-via-php-backdoor.html

      Breaches/Hacks/Leaks

      • Kelly Benefits Says 2024 Data Breach Impacts 550,000 Customers
        "Kelly & Associates Insurance Group (dba Kelly Benefits) is informing more than half a million people of a data breach that compromised their personal information. The Maryland-based health and life insurance agency has issued an update on a security incident it suffered last year between December 12-17, when unauthorized actors breached its IT systems and stole files. On April 9, 2025, the company stated that the incident impacted 32,234 individuals. The figure was revised multiple times until the final tally shared with authorities in the U.S. counted 553,660 individuals."
        https://www.bleepingcomputer.com/news/security/kelly-benefits-says-2024-data-breach-impacts-550-000-customers/
      • Esse Health Says Recent Data Breach Affects Over 263,000 Patients
        "Esse Health, a healthcare provider based in St. Louis, Missouri, is notifying over 263,000 patients that their personal and health information was stolen in an April cyberattack. As the largest independent physicians' group in the Greater St. Louis area, Esse Health operates 50 locations and employs over 100 physicians. The organization was made aware of a breach after the attackers took down some primary patient-facing network systems and its phone systems on April 21."
        https://www.bleepingcomputer.com/news/security/esse-health-says-recent-data-breach-affects-over-263-000-patients/
        https://www.securityweek.com/263000-impacted-by-esse-health-data-breach/
        https://securityaffairs.com/179520/data-breach/esse-health-data-breach-impacted-263000-individuals.html
      • Qantas Discloses Cyberattack Amid Scattered Spider Aviation Breaches
        "Australian airline Qantas disclosed that it detected a cyberattack on Monday after threat actors gained access to a third-party platform containing customer data. Qantas is Australia's largest airline, operating domestic and international flights across six continents and employing around 24,000 people. In a press release issued Monday night, the airline states that the attack has been contained, but a "significant" amount of data is believed to have been stolen. The breach began after a threat actor targeted a Qantas call centre and gained access to a third-party customer servicing platform."
        https://www.bleepingcomputer.com/news/security/qantas-discloses-cyberattack-amid-scattered-spider-aviation-breaches/
        https://www.itnews.com.au/news/qantas-facing-significant-data-theft-after-cyber-attack-618367
        https://www.theregister.com/2025/07/02/qantas_data_theft/

      General News

      • How Cybercriminals Are Weaponizing AI And What CISOs Should Do About It
        "In a recent case tracked by Flashpoint, a finance worker at a global firm joined a video call that seemed normal. By the end of it, $25 million was gone. Everyone on the call except the employee was a deepfake. Criminals had used AI-powered cybercrime tactics to impersonate executives convincingly enough to get the payment approved. Threat actors are building LLMs specifically for fraud and cybercrime. These are trained on stolen credentials, scam scripts, and hacking guides. Some generate phishing emails or fake invoices, others explain how to use malware or cash out stolen data, according to the AI and Threat Intelligence report from Flashpoint."
        https://www.helpnetsecurity.com/2025/07/01/defending-ai-powered-cybercrime/
      • GenAI Is Everywhere, But Security Policies Haven’t Caught Up
        "Nearly three out of four European IT and cybersecurity professionals say staff are already using generative AI at work, up ten points in a year, but just under a third of organizations have put formal policies in place, according to new ISACA research. The use of AI is becoming more prevalent within the workplace, and so regulating its use is best practice. Yet 31% of organizations have a formal, comprehensive AI policy in place, highlighting a disparity between how often AI is used versus how closely it’s regulated in workplaces."
        https://www.helpnetsecurity.com/2025/07/01/ai-work-policies-europe/
      • Federal Reserve System CISO On Aligning Cyber Risk Management With Transparency, Trust
        "In this Help Net Security interview, Tammy Hornsby-Fink, CISO at Federal Reserve System, shares how the Fed approaches cyber risk with a scenario-based, intelligence-driven strategy. She explains how the Fed assesses potential disruptions to financial stability and addresses third-party and cloud service risks. Hornsby-Fink also discusses how federal collaboration supports managing systemic threats and strengthens operational resilience."
        https://www.helpnetsecurity.com/2025/07/01/tammy-hornsby-fink-federal-reserve-system-cyber-risk/
      • Scam Centers Are Spreading, And So Is The Human Cost
        "Human trafficking tied to online scam centers is spreading across the globe, according to a new crime trend update from INTERPOL. By March 2025, people from 66 countries had been trafficked into these scam operations, with every continent affected. INTERPOL found that 74% of victims were taken to scam centers in Southeast Asia, the original hotspot for this type of crime. But these centers are now also showing up in other regions, including the Middle East, West Africa, which may be turning into a new hub, and Central America. Most of the traffickers, around 90%, came from Asia. Another 11% were from South America or Africa."
        https://www.helpnetsecurity.com/2025/07/01/interpol-human-trafficking-scam-centers/
        https://www.infosecurity-magazine.com/news/scam-centers-global-footprint/
      • Terrible Tales Of Opsec Oversights: How Cybercrooks Get Themselves Caught
        "They say that success breeds complacency, and complacency leads to failure. For cybercriminals, taking too many shortcuts when it comes to opsec delivers a little more than that. In these cases, failure might mean the criminal doesn't get access to the server with the most valuable data to copy, or fails to trick any of the victim org's staff members to execute a malicious remote access tool. Complacency, however, can get them caught, and all too often we hear about highly skilled individuals taking one too many shortcuts – the type that leads police to their doors."
        https://www.theregister.com/2025/07/01/terrible_tales_of_opsec_oversights/
      • Treasury Sanctions Global Bulletproof Hosting Service Enabling Cybercriminals And Technology Theft
        "Today, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) is designating Aeza Group, a bulletproof hosting (BPH) services provider, for its role in supporting cybercriminal activity targeting victims in the United States and around the world. BPH service providers sell access to specialized servers and other computer infrastructure designed to help cybercriminals like ransomware actors, personal information stealers, and drug vendors evade detection and resist law enforcement attempts to disrupt their malicious activities. OFAC is also designating two affiliated companies and four individuals who are Aeza Group leaders. Finally, in coordination with the United Kingdom’s (UK) National Crime Agency (NCA), OFAC is designating an Aeza Group front company in the UK."
        https://home.treasury.gov/news/press-releases/sb0185
        https://www.bleepingcomputer.com/news/security/aeza-group-sanctioned-for-hosting-ransomware-infostealer-servers/
        https://therecord.media/russia-bulletproof-hosting-aeza-group-us-sanctions
        https://www.bankinfosecurity.com/us-sanctions-aeza-group-for-hosting-infostealers-ransomware-a-28871
        https://cyberscoop.com/bulletproof-hosting-provider-aezagroup-sanctions/
      • Top Ransomware Groups June 2025: Qilin Reclaims Top Spot
        "Qilin was the top ransomware group for the second time in three months in June, suggesting that the group may be strongly benefiting from the turmoil that knocked RansomHub offline at the beginning of April. RansomHub was the top ransomware group for more than a year until rival DragonForce claimed to be taking over its infrastructure in what may have been an act of sabotage. Qilin took over the top spot in April, and after SafePay narrowly took the lead in May, Qilin returned to the top in June with a dominant showing."
        https://cyble.com/blog/top-ransomware-groups-june-2025-qilin-top-spot/
      • Like SEO, LLMs May Soon Fall Prey To Phishing Scams
        "Just as attackers have exploited search engine optimization (SEO) techniques to push phishing content in search engine results, expect to soon see them leverage AI-optimized content to influence the outputs of large language models (LLMs) for the same purpose. Making the task possible for them is the tendency by LLMs to often return incorrect domain information in response to simple natural language queries, according to a recent experiment by Netcraft."
        https://www.darkreading.com/cyber-risk/seo-llms-fall-prey-phishing-scams
      • Ransomware Reshaped How Cyber Insurers Perform Security Assessments
        "The ransomware scourge has forced cyber insurers to re-examine how they use security assessments. While the threat has been around for years, it's only fairly recently that cybercriminals realized how profitable ransomware attacks could be. As ransomware-as-a-service and double extortion tactics started to emerge, the threat landscape has shifted immensely, with more and more organizations seeing their data splashed online for all to see, accompanied with payment countdown clocks. Cyber insurance helped organizations address the ransomware threat by providing services such as ransom reimbursement, incident response, and ransom negotiation. But that support came with a price, as policies and premiums fluctuated. In fact, insurance premiums surged in 2020 and 2021."
        https://www.darkreading.com/cybersecurity-operations/ransomware-reshaped-how-cyber-insurers-perform-security-assessments
      • We've All Been Wrong: Phishing Training Doesn't Work
        "A recent study suggests, contrary to popular belief, that most phishing awareness initiatives aren't having a material impact on employee cybersecurity. One of the most widely repeated, least examined memes in the cybersecurity industry is that, even more than technical solutions, organizations can best secure themselves by teaching cyber awareness among their employees. Building a "human firewall," to protect an organization's otherwise "weakest link.""
        https://www.darkreading.com/endpoint-security/phishing-training-doesnt-work
      • How Businesses Can Align Cyber Defenses With Real Threats
        "With escalating geopolitical tensions and highly publicized cyberattacks on critical infrastructure like Change Healthcare and Colonial Pipeline, businesses worldwide are grappling with increasingly sophisticated cybercriminal tactics. Cybercriminal groups are quickly adopting the highly complex tactics once limited to the most advanced state-backed operations. In parallel, heavily sanctioned nation-states are increasingly using ransomware and cryptocurrency scams through state backed threat actors to finance their regimes."
        https://www.darkreading.com/vulnerabilities-threats/how-businesses-can-align-cyber-defenses-real-threats
      • Crypto Hack Losses In First Half Of 2025 Exceed 2024 Total
        "Around $2.47bn in cryptocurrency has been stolen via scams, hacks and exploits in H1 2025, already exceeding the total amount lost during 2024, new data from CertiK has revealed. The surge in crypto losses in 2025 is largely the result of two major security incidents – the ByBit breach and Cetus Protocol incident. Collectively, these incidents cost $1.78bn, 72% of the total. In the ByBit incident, hackers stole $1.4bn in cryptocurrency from the Dubai-based exchange in February 2025. The notorious North Korean state actor Lazarus group is suspected of carrying out the Ethereum attack, which is the largest ever crypto theft to date."
        https://www.infosecurity-magazine.com/news/crypto-hack-losses-half-exceed-2024/
      • Cyberattack On Russian Independent Media Had Links To US-Sanctioned Institute, Researchers Find
        "A Russian hosting provider allegedly involved in a recent cyberattack against independent media organizations in the country is reportedly connected to a state-affiliated research center sanctioned by the U.S., according to new research. The hosting provider, Biterika, generated one-third of the junk traffic that flooded the websites of IStories and Verstka after they published an exposé on a child sex trafficking network in Russia that allegedly involved oligarchs and other powerful figures."
        https://therecord.media/cyberattack-on-russian-media-linked-to-sanctioned-institute
      • How To Build An Effective Security Awareness Program
        "Organizations invest in advanced tools to secure their assets, but humans are still the most persistent attack vector. Each year, this is reinforced by the overwhelming number of breaches that stem from human behaviour. Ultimately, employees are being asked to be hypervigilant all the time – despite their best efforts, everybody makes mistakes, and you can’t defend what you don’t know. By building a strong security awareness and training program, you can help your employees become your first line of defense against cyberattacks."
        https://www.trendmicro.com/en_us/research/25/f/security-awareness-program.html
      • Out-Of-Band, Part 1: The New Generation Of IP KVMs And How To Find Them
        "Welcome to the first post in Out-of-Band, a series exploring the security risks of out-of-band (OoB) management devices like baseboard management controllers, serial console servers, and IP-enabled KVMs. These tools often have weaker security than the systems they control, offering attackers a path to bypass monitoring and safeguards. In this installment, we focus on the latest wave of open-source, network-connected KVMs. We’ll cover where to find them in the wild, how to detect them via network and host signals (plus SIEM), and what their source code reveals about their security posture. Bonus: These devices have been used by North Korean threat actors to spoof in-country access. So if that’s a concern, read on."
        https://www.runzero.com/blog/oob-p1-ip-kvm/

      References
      Electronic Transactions Development Agency (ETDA)

      Posted in Cyber Security News
      NCSA_THAICERT
    • Cyber Threat Intelligence 01 July 2025

      New Tooling

      • RIFT: New Open-Source Tool From Microsoft Helps Analyze Rust Malware
        "Microsoft’s Threat Intelligence Center has released a new tool called RIFT to help malware analysts identify malicious code hidden in Rust binaries. While Rust is becoming more popular for its speed and memory safety, those same qualities make malware written in Rust harder to analyze. RIFT is designed to cut through that complexity and make the job easier."
        https://www.helpnetsecurity.com/2025/06/30/rift-open-source-microsoft-tool-analyze-rust-malware/
        https://github.com/microsoft/RIFT

      Vulnerabilities

      • Over 1,200 Citrix Servers Unpatched Against Critical Auth Bypass Flaw
        "Over 1,200 Citrix NetScaler ADC and NetScaler Gateway appliances exposed online are unpatched against a critical vulnerability believed to be actively exploited, allowing threat actors to bypass authentication by hijacking user sessions. Tracked as CVE-2025-5777 and referred to as Citrix Bleed 2, this out-of-bounds memory read vulnerability results from insufficient input validation, enabling unauthenticated attackers to access restricted memory regions. A similar Citrix security flaw, dubbed "CitrixBleed," was exploited in ransomware attacks and breaches targeting governments in 2023 to hack NetScaler devices and move laterally across compromised networks."
        https://www.bleepingcomputer.com/news/security/over-1-200-citrix-servers-unpatched-against-critical-auth-bypass-flaw/
        https://www.helpnetsecurity.com/2025/06/30/citrixbleed-2-might-be-actively-exploited-cve-2025-5777/
      • CISA Adds One Known Exploited Vulnerability To Catalog
        "CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
        CVE-2025-6543 Citrix NetScaler ADC and Gateway Buffer Overflow Vulnerability"
        https://www.cisa.gov/news-events/alerts/2025/06/30/cisa-adds-one-known-exploited-vulnerability-catalog
        https://securityaffairs.com/179476/hacking/u-s-cisa-adds-citrix-netscaler-flaw-to-its-known-exploited-vulnerabilities-catalog.html

      Malware

      • International Criminal Court Hit By Cyber Attack
        "The International Criminal Court (ICC) has revealed it detected a "new, sophisticated and targeted" cybersecurity incident late last week, adding it has now been contained. The incident was the second of its type against the ICC in recent years, it said in a statement. In 2023, the ICC announced it had been hacked, and the court struggled with the aftermath for weeks as it was disconnected from most systems that can access the internet."
        https://www.itnews.com.au/news/international-criminal-court-hit-by-cyber-attack-618324
      • 10 Things I Hate About Attribution: RomCom Vs. TransferLoader
        "Most of the time, delineating activities from distinct clusters and separating cybercrime from espionage can be done based on differing tactics, techniques, and procedures (TTPs), tooling, volume/scale, and targeting. However, in the case of TA829 and a cluster Proofpoint dubbed “UNK_GreenSec”, there is more ambiguity. TA829 is a cybercriminal actor that occasionally also conducts espionage aligned with Russian state interests, while UNK_GreenSec is an unusual cybercriminal cluster. TA829 overlaps with activity tracked by third-parties as RomCom, Void Rabisu, Storm-0978, CIGAR, Nebulous Mantis, Tropical Scorpius. The UNK_GreenSec cybercriminal cluster does not appear to align with publicly reported activity sets."
        https://www.proofpoint.com/us/blog/threat-insight/10-things-i-hate-about-attribution-romcom-vs-transferloader
      • Tracing Blind Eagle To Proton66
        "Trustwave SpiderLabs, which has been tracking Proton66 for the last several months, was able to make this connection by pivoting from Proton66-linked assets, which led to the identification of another active threat cluster relying on the same ASN infrastructure. Pivoting identified what is assessed to be one of its most recent and operationally active infrastructure clusters, characterized by strong interconnections across multiple domains and IP address clusters. This infrastructure exclusively leverages Visual Basic Script (VBS) files as its initial attack vector, relies heavily on free Dynamic DNS (DDNS) services, and deploys readily available Remote Access Trojans (RATs) as a second-stage malware."
        https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/tracing-blind-eagle-to-proton66/
        https://thehackernews.com/2025/06/blind-eagle-uses-proton66-hosting-for.html
      • Hide Your RDP: Password Spray Leads To RansomHub Deployment
        "This intrusion began in November 2024 with a password spray attack targeting an internet-facing RDP server. Over the course of several hours, the threat actor attempted logins against multiple accounts using known malicious IPs (based on OSINT). Several hours later they then logged in via RDP with one of the previously compromised users and ran a series of discovery commands, including various net commands to enumerate users and computers. Credential access tools, specifically Mimikatz and Nirsoft CredentialsFileView, were used to extract stored credentials and interact with LSASS memory."
        https://thedfirreport.com/2025/06/30/hide-your-rdp-password-spray-leads-to-ransomhub-deployment/

      Breaches/Hacks/Leaks

      • Switzerland Says Government Data Stolen In Ransomware Attack
        "The government in Switzerland is informing that sensitive information from various federal offices has been impacted by a ransomware attack at the third-party organization Radix. The hackers have stolen data from Radix systems and later leaked it on the dark web, the Swiss government says. The exposed data is being analyzed with the help of the country’s National Cyber Security Centre (NCSC) to determine which government agencies are impacted and to what effect. “The foundation Radix has been targeted by a ransomware attack, during which data was stolen and encrypted,” announced the Swiss government."
        https://www.bleepingcomputer.com/news/security/switzerland-says-government-data-stolen-in-ransomware-attack/
      • Another Billing Software Vendor Hacked By Ransomware
        "Horizon Healthcare RCM is the latest revenue cycle management software vendor to report a health data breach involving ransomware and data theft. The firm's breach notification statement suggests that the company paid a ransom to prevent the disclosure of its stolen information. Horizon Healthcare RCM told Maine's attorney general in a breach report on June 27 that the incident affected six residents of that state."
        https://www.bankinfosecurity.com/another-billing-software-vendor-hacked-by-ransomware-a-28866
      • Norwegian Dam Valve Forced Open For Hours In Cyberattack
        "In a concerning incident this April, unidentified hackers managed to breach the control systems of a Norwegian dam. Reportedly, hackers breached the control systems of a Norwegian dam, causing its water valve to open fully. The incident occurred at the Lake Risevatnet dam, situated near the city of Svelgen in Southwest Norway. The valve remained open for four hours before the unauthorized activity was detected. According to the Norwegian energy news outlet, Energiteknikk, the hack did not pose a danger, as the water flow barely exceeded the dam’s minimum requirement. The valve released an additional 497 litres per second, but officials noted that the riverbed could handle a much larger volume, up to 20,000 litres per second."
        https://hackread.com/norwegian-dam-valve-forced-open-hours-in-cyberattack/
      • Swiss Nonprofit Health Organization Breached By Sarcoma Ransomware Group
        "The Swiss nonprofit health organization Radix has confirmed that its systems were breached by a ransomware group earlier this month. In a statement on Monday, the Zurich-based agency — which runs health promotion programs and online counseling services — said that the threat actor known as Sarcoma had published data stolen from its systems on a leak site. The Swiss government also issued a statement noting that "various federal offices" are among Radix's customers, and officials are evaluating what data was compromised. Radix has "no direct access" to government systems, the statement said."
        https://therecord.media/sarcoma-ransomware-breach-swiss-healthcare-nonprofit-radix

      General News

      • Third-Party Breaches Double, Creating Ripple Effects Across Industries
        "Supply chain risks remain top-of-mind for the vast majority of CISOs and cybersecurity leaders, according to SecurityScorecard. Their findings reveal that the way most organizations manage supply chain cyber risk isn’t keeping pace with expanding threats. Third-party involvement in breaches has doubled, rising from 15% to nearly 30%, according to the 2025 Verizon DBIR. A small group of third-party providers supports much of the world’s technology and infrastructure, creating an extreme concentration of risk. When even one of these providers is compromised, the ripple effects can disrupt thousands of organizations simultaneously."
        https://www.helpnetsecurity.com/2025/06/30/supply-chain-cyber-risks/
      • Are We Securing AI Like The Rest Of The Cloud?
        "In this Help Net Security interview, Chris McGranahan, Director of Security Architecture & Engineering at Backblaze, discusses how AI is shaping both offensive and defensive cybersecurity tactics. He talks about how AI is changing the threat landscape, the complications it brings to penetration testing, and what companies can do to stay ahead of AI-driven attacks. McGranahan also points out that human expertise remains essential, and we can’t depend on AI alone to protect cloud environments."
        https://www.helpnetsecurity.com/2025/06/30/chris-mcgranahan-backblaze-ai-cloud-security/
      • CISA And Partners Urge Critical Infrastructure To Stay Vigilant In The Current Geopolitical Environment
        "Today, CISA, in collaboration with the Federal Bureau of Investigation (FBI), the Department of Defense Cyber Crime Center (DC3), and the National Security Agency (NSA), released a Fact Sheet urging organizations to remain vigilant against potential targeted cyber operations by Iranian state-sponsored or affiliated threat actors. Over the past several months, there has been increasing activity from hacktivists and Iranian government-affiliated actors, which is expected to escalate due to recent events. These cyber actors often exploit targets of opportunity based on the use of unpatched or outdated software with known Common Vulnerabilities and Exposures or the use of default or common passwords on internet-connected accounts and devices."
        https://www.cisa.gov/news-events/alerts/2025/06/30/cisa-and-partners-urge-critical-infrastructure-stay-vigilant-current-geopolitical-environment
        https://www.cisa.gov/resources-tools/resources/iranian-cyber-actors-may-target-vulnerable-us-networks-and-entities-interest
        https://www.cisa.gov/sites/default/files/2025-06/joint-fact-sheet-Iranian-cyber-actors-may-target-vulnerable-US-networks-and-entities-of-interest-508c-1.pdf
        https://www.ic3.gov/CSA/2025/250630.pdf
        https://www.bleepingcomputer.com/news/security/us-warns-of-iranian-cyber-threats-on-critical-infrastructure/
        https://thehackernews.com/2025/06/us-agencies-warn-of-rising-iranian.html
        https://therecord.media/defense-vigilant-cyber-iran-israel
        https://www.infosecurity-magazine.com/news/iranian-cyber-threats-us/
      • Crypto Investment Fraud Ring Dismantled In Spain After Defrauding 5 000 Victims Worldwide
        "On 25 June 2025, the Spanish Guardia Civil, with the support of Europol and law enforcement from Estonia, France and the United States of America, arrested five members of a criminal network engaged in cryptocurrency investment fraud. The investigation identified that the perpetrators had laundered EUR 460 million in illicit profits stolen through crypto investment fraud from over 5 000 victims from around the world."
        https://www.europol.europa.eu/media-press/newsroom/news/crypto-investment-fraud-ring-dismantled-in-spain-after-defrauding-5-000-victims-worldwide
        https://www.bleepingcomputer.com/news/security/europol-helps-disrupt-540-million-crypto-investment-fraud-ring/
        https://thehackernews.com/2025/06/europol-dismantles-540-million.html
        https://www.infosecurity-magazine.com/news/taskforce-dismantles-euro460m/
        https://www.helpnetsecurity.com/2025/06/30/spain-crypto-fraud-arrests-2025/
      • Hired Hacker Assists Drug Cartel In Finding, Killing FBI Sources
        "The notorious Sinaloa Mexican drug cartel hired a hacker to conduct surveillance on persons of interest in the El Chapo case, which the cartel used to intimidate and kill potential FBI sources and witnesses, according to a government report. The US Department of Justice's Office of Inspector General (OIG) on Thursday published an audit of the FBI's efforts to mitigate what it calls "ubiquitous technical surveillance" (UTS) and the threat it poses to the bureau's operations and investigations. The OIG defines UTS as widespread data collection and analytics "for the purpose of connecting people to things, events, or locations.""
        https://www.darkreading.com/cyberattacks-data-breaches/hacker-drug-cartel-killing-fbi-sources
        https://oig.justice.gov/sites/default/files/reports/25-065_t.pdf
        https://www.bankinfosecurity.com/doj-cartel-hacked-phones-cameras-to-track-fbi-informants-a-28863
        https://www.theregister.com/2025/06/30/sinaloa_drug_cartel_hired_cybersnoop/
      • Why Cybersecurity Should Come Before AI In Schools
        "Artificial intelligence has become the hot new tech across schools, and why wouldn't it be? It's helping students digest dense historical texts and improve book reports, and it's helping teachers simplify complex math concepts. Academia wants to show students how to embrace this powerful technology safely — and in line with school rules — because unfortunately, we've already begun to see the dark side of AI in the "real" world. But that raises a very serious question: What are our students learning about cybersecurity?"
        https://www.darkreading.com/endpoint-security/cybersecurity-before-ai-schools
      • Android Threats Rise Sharply, With Mobile Malware Jumping By 151% Since Start Of Year
        "The Android threat landscape in the first half of 2025 has entered a new phase. An era marked not just by volume, but by coordination and precision. Attackers are no longer simply throwing malware at users and hoping for results. They’re building ecosystems. Recent Malwarebytes threat research data reveals a sharp rise in mobile threats across the board, with malware targeting Android devices up 151%. We’ve seen a 147% increase in spyware, a broad category of apps that collect user data without consent, with a notable spike in Feb and March. In fact, the February/March levels represent nearly a 4x multiplication of the baseline."
        https://www.malwarebytes.com/blog/news/2025/06/android-threats-rise-sharply-with-mobile-malware-jumping-by-151-since-start-of-year
      • Hacker Conversations: Rachel Tobac And The Art Of Social Engineering
        "Social engineering is the art of persuasion. Mostly, this is a good thing. Misused, it can have disastrous effects. Rachel Tobac is a cyber social engineer. She is skilled at persuading people to do what she wants, rather than what they know they ought to do. Does this make her a hacker? “Yes. I am a hacker. I hack people. I hack people over the phone, via email, by text message, across social media – and occasionally in person.” Social engineers hack people rather than computers. She is now co-founder and CEO of SocialProof Security."
        https://www.securityweek.com/hacker-conversations-rachel-tobac-and-the-art-of-social-engineering/
      • 'Disgruntled' British IT Worker Jailed For Hacking Employer After Being Suspended
        "A British IT worker who launched what police described as a cyberattack against his employer after being suspended from work has been jailed for seven months. According to West Yorkshire Police, within hours of his suspension in July 2022, Mohammed Umar Taj attempted to take revenge on his employer. The unidentified firm, which has clients in the United Kingdom as well as in Germany and Bahrain, said it suffered “significant disruption” and lost at least £200,000 (about $275,000) due to the attack, as well as suffered reputational harm."
        https://therecord.media/uk-it-worker-jailed-hacking-former-employer
        https://www.theregister.com/2025/06/30/british_rogue_admin/
        https://www.infosecurity-magazine.com/news/it-worker-jailed-revenge-attack/
      • DOJ Raids 29 ‘Laptop Farms’ In Operation Against North Korean IT Worker Scheme
        "Nearly 30 “laptop farms” across 16 states have been raided by U.S. law enforcement in recent months for their suspected role in a long-running North Korean IT worker scheme. The Justice Department on Monday announced a coordinated action that involved three indictments, one arrest, the seizure of 29 financial accounts and the shutdown of 21 websites alongside the laptop farm raids. FBI officials said the laptop farms allowed an undisclosed number of North Koreans to illegally work at more than 100 U.S. companies. The farms host work devices sent by legitimate companies who unwittingly hired North Koreans, allowing the employees to appear as if they are working from the U.S."
        https://therecord.media/doj-raids-laptop-farms-crackdown
        https://regmedia.co.uk/2025/06/30/doj-release.pdf
        https://cyberscoop.com/arrest-seizures-north-korean-it-workers-june-2025/
        https://www.bankinfosecurity.com/us-announces-crackdown-on-north-koreans-posing-as-workers-a-28864
        https://www.theregister.com/2025/06/30/us_north_korea_workers/

      References
      Electronic Transactions Development Agency (ETDA)

      Posted in Cyber Security News
      NCSA_THAICERT
    • US CISA adds a Citrix NetScaler vulnerability to the Known Exploited Vulnerabilities Catalog

      Follow the latest news on the webboard or the NCSA Thailand Facebook page

      Posted in Cyber Security News
      NCSA_THAICERT
    • Hackers breach a dam control system in Norway and open a water valve for 4 hours, made possible by a weak password

      Follow the latest news on the webboard or the NCSA Thailand Facebook page

      Posted in Cyber Security News
      NCSA_THAICERT
    • Alert: attacks exploiting a Zero-Day vulnerability in the Google Chrome browser

      On 1 July 2025 (B.E. 2568), the Cyber Security Agency of Singapore (CSA) published an alert that Google has released a security update fixing a Zero-Day vulnerability in the Chrome browser. Users and administrators of the affected products should update to the latest version immediately.

      Google has released a security update to address the Zero-Day vulnerability CVE-2025-6554 in the Chrome browser.

      Impact
      The vulnerability is a Type Confusion flaw in the V8 JavaScript Engine of Google Chrome. It may allow a remote attacker to perform unauthorized read/write operations via a crafted HTML page. The vulnerability is reported to be under active exploitation.

      The vulnerability affects Google Chrome versions earlier than the following:

      • Windows: versions prior to 138.0.7204.96/.97
      • Mac: versions prior to 138.0.7204.92/.93
      • Linux: versions prior to 138.0.7204.96

      Mitigation
      Chrome users are advised to upgrade to the latest version. Automatic updates should also be enabled in Chrome so that the browser receives patches promptly.
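      A defender checking a fleet against this advisory needs to compare installed Chrome builds with the first patched build on each platform. The script below is an added example written for this post, not code from CSA, NCSA or Google: it takes the per-platform fixed builds from the advisory text (where two builds are listed, such as 138.0.7204.96/.97, the lower one is treated as the first patched build), parses version strings as printed by `chrome --version`, and reports which hosts in an inventory still run an older build. The host names and version strings in SAMPLE_INVENTORY are constructed sample data.

```python
"""Check installed Chrome builds against the fixed versions in the CVE-2025-6554 advisory.

Added example, not part of the advisory. FIXED_VERSIONS comes from the advisory text;
the inventory records below are constructed sample data with hypothetical host names.
"""
import re

# First patched build per platform, taken from the advisory. Where the advisory lists
# two builds (e.g. 138.0.7204.96/.97) the lower one is the earliest patched build.
FIXED_VERSIONS = {
    "windows": (138, 0, 7204, 96),
    "mac": (138, 0, 7204, 92),
    "linux": (138, 0, 7204, 96),
}

# Chrome versions are four dot-separated integers: major.minor.build.patch
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract a four-part Chrome version from text such as 'Google Chrome 138.0.7204.49'
    and return it as a tuple of ints, so that tuple comparison orders builds correctly."""
    match = _VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"no Chrome version found in {text!r}")
    return tuple(int(part) for part in match.groups())


def is_vulnerable(platform, version_text):
    """True if the installed build is older than the first patched build for the platform."""
    key = platform.lower()
    if key not in FIXED_VERSIONS:
        raise ValueError(f"platform {platform!r} is not covered by the advisory table")
    return parse_version(version_text) < FIXED_VERSIONS[key]


def hosts_needing_update(inventory):
    """Return the host names from (host, platform, version) records whose Chrome is unpatched."""
    return [host for host, platform, version in inventory if is_vulnerable(platform, version)]


# Constructed sample inventory (hypothetical hosts); the comments state the expected verdict.
SAMPLE_INVENTORY = [
    ("ws-01", "windows", "Google Chrome 138.0.7204.49"),  # older build: needs update
    ("ws-02", "windows", "Google Chrome 138.0.7204.97"),  # second fixed build: patched
    ("mac-01", "mac", "Google Chrome 138.0.7204.92"),     # first fixed build on Mac: patched
    ("mac-02", "mac", "Google Chrome 137.0.7151.119"),    # previous major release: needs update
    ("lx-01", "linux", "Google Chrome 138.0.7204.96"),    # first fixed build on Linux: patched
]

if __name__ == "__main__":
    for host in hosts_needing_update(SAMPLE_INVENTORY):
        print(f"{host}: Chrome build is older than the fixed build for CVE-2025-6554")
```

      Comparing versions as integer tuples rather than strings matters here: a string comparison would rank "138.0.7204.97" below "138.0.7204.100" and produce wrong verdicts once patch numbers reach three digits. Feed the function real `chrome --version` output or the version column of an endpoint inventory export to get the same check at fleet scale.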

      References
      https://www.csa.gov.sg/alerts-and-advisories/alerts/al-2025-065/

      Follow the latest news on the webboard or the NCSA Thailand Facebook page

      Posted in Cyber Security News
      NCSA_THAICERT