สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand 
โพสต์ถูกสร้างโดย NCSA_THAICERT
-
Meta เปิดตัวเครื่องมือป้องกันการหลอกลวงใหม่สำหรับ WhatsApp และ Messengerโพสต์ใน Cyber Security News
-
กลุ่มแฮกเกอร์ Salt Typhoon ที่เชื่อมโยงกับจีนเจาะระบบ Telecom ยุโรปผ่านช่องโหว่ Citrixโพสต์ใน Cyber Security News
สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand
-
TP-Link เตือนภัยพบช่องโหว่ร้ายแรงใน Omada Gateway หลายสิบรุ่น ให้ผู้ใช้งานอัปเดตเฟิร์มแวร์ทันทีโพสต์ใน Cyber Security News
สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand
-
Cyber Threat Intelligence 24 October 2025โพสต์ใน Cyber Security News
Financial Sector
- September 2025 Security Issues In Korean & Global Financial Sector
"This report comprehensively covers real cyber threats and security issues that have occurred in financial corporations both in Korea and abroad. The post includes analysis of malware and phishing cases distributed to the financial sector, the top 10 malware strains targeting the financial sector, and statistics on the leaked Korean account credentials by industry through Telegram. A case of phishing emails distributed to the financial sector is also covered in detail."
https://asec.ahnlab.com/en/90687/
Healthcare Sector
- NIHON KOHDEN Central Monitor CNS-6201
"Successful exploitation of this vulnerability could allow an attacker to cause a denial-of-service condition."
https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-296-01
Industrial Sector
- ASKI Energy ALS-Mini-S8 And ALS-Mini-S4
"Successful exploitation of this vulnerability could allow an attacker to gain full control over the device."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-296-02 - AutomationDirect Productivity Suite
"Successful exploitation of these vulnerabilities could enable an attacker to execute arbitrary code, disclose information, gain full-control access to projects, or obtain read and write access to files."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-296-01 - Veeder-Root TLS4B Automatic Tank Gauge System
"Successful exploitation of these vulnerabilities could allow attackers to execute system-level commands, gain full shell access, achieve remote command execution, move laterally within the network, trigger a denial of service condition, cause administrative lockout, and disrupt core system functionalities."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-296-03 - Delta Electronics ASDA-Soft
"Successful exploitation of these vulnerabilities could allow an attacker to write data outside of the allocated memory buffer."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-296-04
Vulnerabilities
- BIND Updates Address High-Severity Cache Poisoning Flaws
"Internet Systems Consortium (ISC) on Wednesday announced BIND 9 updates that resolve high-severity vulnerabilities, including cache poisoning flaws. The first issue is a weakness in the Pseudo Random Number Generator (PRNG) used by the popular DNS server software that, in certain circumstances, could allow an attacker to predict the source port and query ID that will be used. Attackers could abuse the security defect, tracked as CVE-2025-40780 (CVSS score of 8.6), in spoofing attacks that, if successful, could result in BIND caching attacker responses, ISC explains."
https://www.securityweek.com/bind-updates-address-high-severity-cache-poisoning-flaws/ - Shadow Escape 0-Click Attack In AI Assistants Puts Trillions Of Records At Risk
"Operant AI reveals Shadow Escape, a zero-click attack using the MCP flaw in ChatGPT, Gemini, and Claude to secretly steal trillions of SSNs and financial data. Traditional security is blind to this new AI threat."
https://hackread.com/shadow-escape-0-click-attack-ai-assistants-risk/
Malware
- Gotta Fly: Lazarus Targets The UAV Sector
"ESET researchers have recently observed a new instance of Operation DreamJob – a campaign that we track under the umbrella of North Korea-aligned Lazarus – in which several European companies active in the defense industry were targeted. Some of these are heavily involved in the unmanned aerial vehicle (UAV) sector, suggesting that the operation may be linked to North Korea’s current efforts to scale up its drone program. This blogpost discusses the broader geopolitical implications of the campaign, and provides a high-level overview of the toolset used by the attackers."
https://www.welivesecurity.com/en/eset-research/gotta-fly-lazarus-targets-uav-sector/
https://www.bleepingcomputer.com/news/security/north-korean-lazarus-hackers-targeted-european-defense-companies/
https://thehackernews.com/2025/10/north-korean-hackers-lure-defense.html
https://www.darkreading.com/cyberattacks-data-breaches/lazarus-group-hunts-european-drone-manufacturing-data
https://therecord.media/north-korea-hackers-target-europe-drone-makers
https://www.helpnetsecurity.com/2025/10/23/eset-lazarus-operation-dreamjob/
https://cyberscoop.com/north-korea-lazarus-attacks-drone-companies/
https://www.infosecurity-magazine.com/news/lazarus-groups-operation-dreamjob/
https://securityaffairs.com/183783/apt/lazarus-targets-european-defense-firms-in-uav-themed-operation-dreamjob.html - Malicious NuGet Packages Typosquat Nethereum To Exfiltrate Wallet Keys
"Socket’s Threat Research Team identified a live homoglyph typosquat on NuGet that impersonated the Nethereum project. The package, Netherеum.All, swaps a Cyrillic “e” (U+0435) into the name to pass casual inspection, then uses an XOR routine to decode a command and control (C2) endpoint (solananetworkinstance[.]info/api/gads). When invoked, the code sends an HTTPS POST with a single field form named message, which can carry mnemonics, private keys, keystore JSON, or signed transaction data. Nethereum is the standard .NET library for Ethereum, with tens of millions of NuGet downloads and widespread downstream dependencies, which makes it a high-value target for typosquats on NuGet."
https://socket.dev/blog/malicious-nuget-packages-typosquat-nethereum-to-exfiltrate-wallet-keys
https://thehackernews.com/2025/10/fake-nethereum-nuget-package-used.html - AI Sidebar Spoofing: Malicious Extensions Impersonates AI Browser Interface
"A few weeks ago, we released a series of attacks that tricked Comet into exfiltrating data, downloading malicious files and providing unauthorized access to enterprise apps, all without the victim’s knowledge. The research highlights the lack of security awareness AI browsers have, and the importance of reimagining security to take into account agentic identities and agentic workflows. The full tech blog for these attacks can be accessed here."
https://labs.sqrx.com/ai-sidebar-spoofing-720e0c91d290
https://www.bleepingcomputer.com/news/security/spoofed-ai-sidebars-can-trick-atlas-comet-users-into-dangerous-actions/
https://www.securityweek.com/ai-sidebar-spoofing-puts-chatgpt-atlas-perplexity-comet-and-other-browsers-at-risk/ - LockBit Returns — And It Already Has Victims
"Just months after being disrupted during Operation Cronos, the notorious LockBit ransomware group has reemerged — and it hasn’t wasted time. Check Point Research has confirmed that LockBit is back in operation and already extorting new victims. Throughout September 2025, Check Point Research identified a dozen organizations targeted by the revived operation, with half of them infected by the newly released LockBit 5.0 variant and the rest by LockBit Black. The attacks span Western Europe, the Americas, and Asia, affecting both Windows and Linux systems, a clear sign that LockBit’s infrastructure and affiliate network are once again active."
https://blog.checkpoint.com/research/lockbit-returns-and-it-already-has-victims/ - The YouTube Ghost Network: How Check Point Research Helped Take Down 3,000 Malicious Videos Spreading Malware
"Check Point Research uncovered a large-scale cyber network hiding in one of the internet’s most trusted spaces: YouTube. What appeared to be harmless tutorials and software demos turned out to be a sophisticated malware distribution network known as the YouTube Ghost Network. The operation used compromised and fake YouTube accounts to spread infostealers such as Rhadamanthys and Lumma, often disguised as cracked software or gaming cheats. After a months-long investigation, Check Point Research reported more than 3,000 malicious videos to Google, leading to their removal and disrupting a major malware distribution channel."
https://blog.checkpoint.com/research/the-youtube-ghost-network-how-check-point-research-helped-take-down-3000-malicious-videos-spreading-malware/
https://www.theregister.com/2025/10/23/youtube_ghost_network_malware/
https://www.helpnetsecurity.com/2025/10/23/youtube-malware-distribution-network-ghost/ - The Smishing Deluge: China-Based Campaign Flooding Global Text Messages
"We are attributing an ongoing smishing (phishing via text message) campaign of fraudulent toll violation and package misdelivery notices to a group widely known as the Smishing Triad. Our analysis indicates this campaign is a significantly more extensive and complex threat than previously reported. Attackers have impersonated international services across a wide array of critical sectors. The attackers have targeted U.S. residents in this campaign since April 2024. The threat actor is evolving their tactics by expanding their reach globally, improving the social engineering tactics used in smishing for delivery."
https://unit42.paloaltonetworks.com/global-smishing-campaign/
https://www.darkreading.com/threat-intelligence/unpaid-toll-texts-smishing-triad
https://cyberscoop.com/unit-42-chinese-language-phishing-operation-smishing-triad/ - TransparentTribe Targets Indian Military Organisations With DeskRAT
"In July 2025, CYFIRMA reported a phishing campaign attributed to TransparentTribe (also known as APT36 or Operation C-Major) targeting Linux-based operating systems of Indian governement entities with activity traced back to June 2025. TransparentTribe is a Pakistani-nexus intrusion set known to be active since at least 2013 and carrying out cyber espionage operations to support Pakistan military and strategic interests. Since the initial report, some researchers, including SinghSoodeep via X, have published indicators related to this activity. To track the evolution of this operation, the Threat Detection & Research (TDR) Team implemented several YARA rules. In August and September 2025, Sekoia.io YARA Trackers matched new samples, representing an updated infection chain ultimately delivering a Golang-based RAT which we dubbed DeskRAT. At that time, these results were only found on the PolySwarm platform and were not known by other editors we are dealing with."
https://blog.sekoia.io/transparenttribe-targets-indian-military-organisations-with-deskrat/
https://www.infosecurity-magazine.com/news/pakistani-hacker-group-targets/ - Hackers Posing As Kyrgyz Officials Target Russian Agencies In Cyber Espionage Campaign
"A hacker group known as Cavalry Werewolf has launched a months-long cyber espionage campaign against Russian government agencies and industrial firms, using phishing emails disguised as Kyrgyz government correspondence, researchers said. Between May and August 2025, the group — also tracked as YoroTrooper and Silent Lynx — targeted Russia’s public sector as well as energy, mining and manufacturing companies, according to a report by the Turkish cybersecurity firm Picus Security released this week."
https://therecord.media/hackers-pose-kyrgyz-officials-russia-cyber-espionage
https://www.picussecurity.com/resource/blog/cavalry-werewolf-apt - Agenda Ransomware Deploys Linux Variant On Windows Systems Through Remote Management Tools And BYOVD Techniques
"Trend
Research identified a sophisticated ransomware attack by the Agenda group that deployed their Linux ransomware variant on Windows systems. This follows a similar attack observed last June 2025, where MeshAgent and MeshCentral was used for deployment. In this recent incident, the threat actors utilized a novel deployment method combining WinSCP for secure file transfer and Splashtop Remote for executing the Linux ransomware binary on Windows machines."
https://www.trendmicro.com/en_us/research/25/j/agenda-ransomware-deploys-linux-variant-on-windows-systems.html - Apple Alerts Exploit Developer That His iPhone Was Targeted With Government Spyware
"Earlier this year, a developer was shocked by a message that appeared on his personal phone: “Apple detected a targeted mercenary spyware attack against your iPhone.” “I was panicking,” Jay Gibson, who asked that we don’t use his real name over fears of retaliation, told TechCrunch. Gibson, who until recently built surveillance technologies for Western government hacking tools maker Trenchant, may be the first documented case of someone who builds exploits and spyware being themselves targeted with spyware."
https://techcrunch.com/2025/10/21/apple-alerts-exploit-developer-that-his-iphone-was-targeted-with-government-spyware/
Breaches/Hacks/Leaks
- Toys “R” Us Canada Warns Customers' Info Leaked In Data Breach
"Toys “R” Us Canada has sent notices of a data breach to customers informing them of a security incident where threat actors leaked customer records they had previously stolen from its systems. The company discovered the data leak on July 30, 2025, when a threat actor posted on the dark web what they claimed to be Toys “R” Us customer data. Subsequent investigation of the threat actor’s claims, conducted with the help of third-party experts, confirmed that the information was indeed authentic."
https://www.bleepingcomputer.com/news/security/toys-r-us-canada-warns-customers-info-leaked-in-data-breach/
https://www.theregister.com/2025/10/23/toysrus_canada_data_leak/ - Medusa Ransomware Leaks 834 GB Of Comcast Data After $1.2M Demand
"The Medusa ransomware group has leaked 186.36 GB of compressed data it claimed to have stolen from Comcast Corporation, a global media and technology company. According to Hackread.com’s earlier report, the group stated that it breached Comcast in late September 2025 and obtained a total of 834 GB of data. The leaked 186 GB archive, once decompressed, should amount to around 834 GB of data, based on the group’s claims. The data trove was released on Sunday, October 19. The ransomware group had initially asked for $1.2 million from potential buyers to download it, the same amount it asked Comcast to pay for the data to be deleted instead of leaked or sold."
https://hackread.com/medusa-ransomware-comcast-data-leak/ - 183 Million Synthient Stealer Credentials Added To Have I Been Pwned
"A huge collection of stolen usernames and passwords, totalling over 183 million, has been added to a website called Have I Been Pwned (HIBP). This big pile of data, named the “Synthient Stealer Log Threat Data,” is not a regular leak from just one company but a massive collection of information stolen directly from people’s computers over time using malicious software commonly known as infostealers."
https://hackread.com/synthient-stealer-credentials-have-i-been-pwned/
https://synthient.com/blog/the-stealer-log-ecosystem
General News
- September 2025 Threat Trend Report On Ransomware
"This report provides information on the number of systems affected during the month of September 2025, statistics related to the DLS-based ransomware, and key ransomware issues from around the world. Below is a summary of the report. The statistics on the number of ransomware samples and affected systems are based on the diagnosis criteria given by AhnLab. The statistics on the number of affected companies are based on the information provided on the Dedicated Leak Sites (DLS) of the ransomware groups and the time when the information was collected by the ATIP infrastructure."
https://asec.ahnlab.com/en/90688/ - September 2025 Trends Report On Phishing Emails
"This report provides the statistics, trends, and case information on the distribution quantity, attachment-based threats, and phishing emails collected and analyzed for a month in September 2025. Below is a portion of the statistics and cases included in the original report."
https://asec.ahnlab.com/en/90689/ - September 2025 Infostealer Trend Report
"This report provides statistics, trends, and case information on Infostealer, including distribution volume, distribution methods, and disguises based on the data collected and analyzed in August 2025. The following is a summary of the original report."
https://asec.ahnlab.com/en/90709/ - September 2025 APT Attack Trends Report (South Korea)
"Ahnlabs is monitoring APT (Advanced Persistent Threat) attacks in South Korea by utilizing their own infrastructure. This report covers the classification, statistics, and features of APT attacks in South Korea that were identified in September 2025."
https://asec.ahnlab.com/en/90714/ - Welcome To SOCRadar’s 2025 MEA Threat Landscape Report!
"Discover the evolving cyber threats across the Middle East and Africa (MEA) with SOCRadar’s 2025 MEA Threat Landscape Report. This comprehensive analysis highlights the top attack trends, targeted sectors, and underground activities impacting organizations throughout the region—offering actionable intelligence to strengthen cybersecurity defenses. Download the full report now to gain comprehensive insights and safeguard your organization against MEA’s rapidly evolving cyber threats."
https://socradar.io/resources/report/mea-threat-landscape-report-2025/
https://www.darkreading.com/cybersecurity-analytics/mea-hackers-govts-finance-smb-retailers - Faster LLM Tool Routing Comes With New Security Considerations
"Large language models depend on outside tools to perform real-world tasks, but connecting them to those tools often slows them down or causes failures. A new study from the University of Hong Kong proposes a way to fix that. The research team developed a platform called NetMCP that adds network awareness to the Model Context Protocol (MCP), which is the interface that lets LLMs connect to external tools and data sources. The research focuses on improving how LLMs choose which external servers or tools to use. It introduces a new routing algorithm that accounts for semantic relevance and network performance. The goal is to make LLMs faster, more reliable, and better suited for large-scale environments where latency and outages are common."
https://www.helpnetsecurity.com/2025/10/23/netmcp-network-aware-mcp-platform/
https://arxiv.org/pdf/2510.13467 - Your Wearable Knows Your Heartbeat, But Who Else Does?
"Smartwatches, glucose sensors, and connected drug-monitoring devices are common in care programs. Remote monitoring helps detect changes early and supports personalized treatment and long-term condition management. They give clinicians valuable insight into patient health but also introduce new exposure points."
https://www.helpnetsecurity.com/2025/10/23/healthcare-wearable-devices-risks/ - The Next Cyber Crisis May Start In Someone Else’s Supply Chain
"Organizations are getting better at some aspects of risk management but remain underprepared for the threats reshaping the business landscape, according to a new Riskonnect report. The findings show a growing gap between awareness and action as technology, politics, and global markets shift faster than most companies can adapt."
https://www.helpnetsecurity.com/2025/10/23/geopolitics-drives-cyber-threats-report/ - Dark Covenant 3.0: Controlled Impunity And Russia’s Cybercriminals
"The Russian cybercriminal ecosystem is undergoing a period of profound transformation, shaped by unprecedented international law enforcement campaigns, shifting domestic enforcement priorities, and enduring ties between organized crime and the Russian state. Operation Endgame, launched in May 2024, targeted ransomware operators, money laundering services, and affiliate infrastructure across multiple Russian jurisdictions. In response, Russian law enforcement agencies have carried out a series of high-profile arrests and seizures. These events mark a departure from Russia’s traditional posture of near-total noninterference in domestic cybercrime, complicating the long-held perception of Russia as a blanket “safe haven” for cybercriminals."
https://www.recordedfuture.com/research/dark-covenant-3-controlled-impunity-and-russias-cybercriminals
https://assets.recordedfuture.com/insikt-report-pdfs/2025/cta-ru-2025-1022.pdf
https://www.bankinfosecurity.com/kremlin-shaping-cybercrime-into-deniable-geopolitical-tool-a-29803
https://www.securityweek.com/russian-government-now-actively-managing-cybercrime-groups-security-firm/ - Cybereason TTP Briefing Q3 2025: LOLBINs And CVE Exploits Dominate
"Explore the latest trends, techniques, and procedures (TTPs) our incident response (IR) experts are actively facing with the TTP Briefing Q3 2025, a report built on frontline threat intelligence from our global incident response investigations, enriched by noteworthy detections from our SOC. The TTP Briefing is grounded in real-world investigations led by Cybereason’s IR and SOC teams across industries and geographies. This edition of our TTP Briefing examines our data from Q3, and compares certain trends to our findings in H1 2025."
https://www.cybereason.com/blog/ttp-briefing-q3-2025 - IR Trends Q3 2025: ToolShell Attacks Dominate, Highlighting Criticality Of Segmentation And Rapid Response
"Threat actors predominately exploited public-facing applications for initial access this quarter, with this tactic appearing in over 60 percent of Cisco Talos Incident Response (Talos IR) engagements – a notable increase from less than 10 percent last quarter. This spike is largely attributable to a wave of engagements involving ToolShell, an attack chain that targets on-premises Microsoft SharePoint servers through exploitation of vulnerabilities that were publicly disclosed in July. We also saw an increase in post-exploitation phishing campaigns launched from compromised valid accounts this quarter, a trend we noted last quarter, with threat actors using this technique to expand their attack both within the compromised organizations as well as to external partner entities."
https://blog.talosintelligence.com/ir-trends-q3-2025/ - Pwn2Own Underscores Secure Development Concerns
"The real mystery behind this year's Pwn2Own isn't how many bugs hackers will find or how much money they'll earn. It's about one hacker in particular and whether the What'sApp zero-click exploit the person claims to have discovered is real. This week, security researchers descended upon Ireland to participate in Pwn2Own, where researchers compete to be the first to compromise various devices and win prizes. The hackathon, launched in 2007, is hosted by Trend Micro's Zero Day Initiative (ZDI) to promote coordinated vulnerability disclosure practices among researchers and vendors. ZDI acts as a broker, helping researchers disclose details of the vulnerabilities they used in the competition to the vendors."
https://www.darkreading.com/vulnerabilities-threats/pwn2own-underscores-secure-development-concerns - The Best End User Security Awareness Programs Aren't About Awareness Anymore
"Most successful cyberattacks target end users through social engineering. They also exploit systems left vulnerable due to user errors. This is why securing the human element is crucial to managing cyber-risks in the modern era. As recent headlines of data breaches, business disruptions, and threats demonstrate, the situation is dire. Despite the investment in security awareness training programs, many organizations are not receiving what they need. The average security awareness training program remains lackluster, at best, offering semi-annual cookie-cutter modules that drop a few factoids about security trends, hit users with a spot-the-phish game, or even surprise them with a simulation. As long as the click-through rates on phishing emails remain relatively low, the programs are considered successful."
https://www.darkreading.com/cyber-risk/best-end-user-security-awareness-programs-arent-about-awareness-anymore - Vibe Coding’s Real Problem Isn’t Bugs—It’s Judgment
"AI-generated code – vibe coding – is an exciting prospect: it turns anyone into a computer programmer. But that is precisely what is wrong with it… The problem is not that vibe coding introduces an excessive number of vulnerabilities. Comparative analysis shows AI vulnerabilities are at a similar density per line of code to those introduced by humans. Code quality is not the problem. It’s just there’s too much of it, too fast, and it lacks good judgment. OX Research, who undertook an analysis, finds two issues. Firstly, where vulnerabilities do exist, they “reach production at unprecedented speed” – too fast for accepted code review processes to find all vulnerabilities. Breaches have already occurred through vibe-produced code that has been missed in review."
https://www.securityweek.com/vibe-codings-real-problem-isnt-bugs-its-judgment/
https://www.ox.security/wp-content/uploads/2025/10/Army-of-Juniors-The-AI-Code-Security-Crisis.pdf
อ้างอิง
Electronic Transactions Development Agency(ETDA) - September 2025 Security Issues In Korean & Global Financial Sector
-
Cyber Threat Intelligence 23 October 2025โพสต์ใน Cyber Security News
New Tooling
- OpenFGA: The Open-Source Engine Redefining Access Control
"OpenFGA is an open-source, high-performance, and flexible authorization engine inspired by Google’s Zanzibar system for relationship-based access control. It helps developers model and enforce fine-grained access control in their applications. At its core, OpenFGA enables teams to define who can do what within their systems. Whether you’re building a startup app or managing an enterprise platform, it delivers authorization checks in milliseconds. That level of speed allows it to scale as your project grows without compromising performance or security."
https://www.helpnetsecurity.com/2025/10/22/openfga-open-source-access-control/
https://github.com/openfga/openfga
Vulnerabilities
- Oracle Releases October 2025 Patches
"Oracle on Tuesday released 374 new security patches as part of its October 2025 Critical Patch Update (CPU), including over 230 fixes for vulnerabilities that are remotely exploitable without authentication. There appear to be roughly 260 unique CVEs in Oracle’s October 2025 CPU advisory, including a dozen critical-severity flaws. The October CPU was rolled out roughly a week after Oracle released patches for an E-Business Suite defect allowing access to sensitive data, and two weeks after the company warned of a zero-day in the product that was exploited by an extortion group."
https://www.securityweek.com/oracle-releases-october-2025-patches/
https://www.oracle.com/security-alerts/cpuoct2025.html - CISA Adds One Known Exploited Vulnerability To Catalog
"CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
CVE-2025-61932 Motex LANSCOPE Endpoint Manager Improper Verification of Source of a Communication Channel Vulnerability"
https://www.cisa.gov/news-events/alerts/2025/10/22/cisa-adds-one-known-exploited-vulnerability-catalog - Deep Analysis Of The Flaw In BetterBank Reward Logic
"From August 26 to 27, 2025, BetterBank, a decentralized finance (DeFi) protocol operating on the PulseChain network, fell victim to a sophisticated exploit involving liquidity manipulation and reward minting. The attack resulted in an initial loss of approximately $5 million in digital assets. Following on-chain negotiations, the attacker returned approximately $2.7 million in assets, mitigating the financial damage and leaving a net loss of around $1.4 million. The vulnerability stemmed from a fundamental flaw in the protocol’s bonus reward system, specifically in the swapExactTokensForFavorAndTrackBonus function. This function was designed to mint ESTEEM reward tokens whenever a swap resulted in FAVOR tokens, but critically, it lacked the necessary validation to ensure that the swap occurred within a legitimate, whitelisted liquidity pool."
https://securelist.com/betterbank-defi-protocol-esteem-token-bonus-minting/117822/
Malware
- Unmasking MuddyWater’s New Malware Toolkit Driving International Espionage
"Group-IB Threat Intelligence has uncovered a sophisticated phishing campaign, attributed with high confidence to the Advanced Persistent Threat (APT) MuddyWater. The attack used a compromised mailbox to distribute Phoenix backdoor malware to international organizations and across the whole Middle East and North Africa region, targeting more than 100 government entities."
https://www.group-ib.com/blog/muddywater-espionage/
https://www.bleepingcomputer.com/news/security/iranian-hackers-targeted-over-100-govt-orgs-with-phoenix-backdoor/
https://www.darkreading.com/cyberattacks-data-breaches/muddywater-100-gov-entites-mea-phoenix-backdoor
https://thehackernews.com/2025/10/iran-linked-muddywater-targets-100.html
https://www.infosecurity-magazine.com/news/muddywater-compromised-mailboxes/ - Beyond Credentials: Weaponizing OAuth Applications For Persistent Cloud Access
"Cloud account takeover (ATO) attacks have become a significant concern in recent years, with cybercriminals and state-sponsored actors increasingly adopting malicious OAuth applications as a means to gain persistent access within compromised environments. These attacks allow malicious actors to hijack user accounts, conduct reconnaissance, exfiltrate data, and launch further malicious activities. The security implications are particularly concerning. Once an attacker gains access to a cloud account they can create and authorize internal (second party) applications with custom-defined scopes and permissions. This capability enables persistent access to critical resources such as mailboxes and files, effectively circumventing traditional security measures like password changes."
https://www.proofpoint.com/us/blog/threat-insight/beyond-credentials-weaponizing-oauth-applications-persistent-cloud-access
https://www.helpnetsecurity.com/2025/10/22/attackers-turn-trusted-oauth-apps-into-cloud-backdoors/ - SessionReaper Attacks Have Started, 3 In 5 Stores Still Vulnerable
"Six weeks after Adobe's emergency patch for SessionReaper (CVE-2025-54236), the vulnerability has entered active exploitation. Sansec Shield detected and blocked the first real-world attacks today, which is bad news for the thousands of stores that remain unpatched. Security researchers at Assetnote published a detailed technical analysis of the vulnerability today, demo'ing the nested deserialization flaw that enables remote code execution. With proof-of-concept code circulating, the window for safe patching has effectively closed."
https://sansec.io/research/sessionreaper-exploitation
https://www.bleepingcomputer.com/news/security/hackers-exploiting-critical-sessionreaper-flaw-in-adobe-magento/ - PhantomCaptcha | Multi-Stage WebSocket RAT Targets Ukraine In Single-Day Spearphishing Operation
"SentinelLABS together with Digital Security Lab of Ukraine has uncovered a coordinated spearphishing campaign targeting individual members of the International Red Cross, Norwegian Refugee Council, UNICEF, and other NGOs involved in war relief efforts and Ukrainian regional government administration. Threat actors used emails impersonating the Ukrainian President’s Office carrying weaponized PDFs, luring victims into executing malware via a ‘ClickFix’-style fake Cloudflare captcha page. The final payload is a WebSocket RAT hosted on Russian-owned infrastructure that enables arbitrary remote command execution, data exfiltration, and potential deployment of additional malware."
https://www.sentinelone.com/labs/phantomcaptcha-multi-stage-websocket-rat-targets-ukraine-in-single-day-spearphishing-operation/
https://www.bleepingcomputer.com/news/security/phantomcaptcha-clickfix-attack-targets-ukraine-war-relief-orgs/
https://thehackernews.com/2025/10/ukraine-aid-groups-targeted-through.html
https://therecord.media/phantomcaptcha-spearphishing-campaign-ukraine-war-relief-groups
https://www.infosecurity-magazine.com/news/phantomcaptcha-campaign-targets/
https://securityaffairs.com/183720/apt/phantomcaptcha-targets-ukraine-relief-groups-with-websocket-rat.html - ToolShell Used To Compromise Telecoms Company In Middle East
"China-based attackers used the ToolShell vulnerability (CVE-2025-53770) to compromise a telecoms company in the Middle East shortly after the vulnerability was publicly revealed and patched in July 2025. The same threat actors also compromised two government departments in the same African country during the same time period. Zingdoor, which was deployed on the networks of all three organizations, has in the past been associated with the Chinese group Glowworm (aka Earth Estries, FamousSparrow). Another tool used in this campaign, KrustyLoader, has also previously been linked to activity by a group called UNC5221, which has been described as a China-nexus group."
https://www.security.com/blog-post/toolshell-china-zingdoor
https://www.bleepingcomputer.com/news/security/sharepoint-toolshell-attacks-targeted-orgs-across-four-continents/
https://thehackernews.com/2025/10/chinese-threat-actors-exploit-toolshell.html
https://therecord.media/sharepoint-toolshell-bug-breaches-governments-africa-south-america - Unpacking The Phishing Script Behind a Server-Orchestrated Deception
"A cunning new phishing attack is bypassing Secure Email Gateways (SEGs) and evading perimeter defences. It uses a rare, sophisticated phishing script with random domain selection and dynamic server-driven page replacement, making it highly effective at stealing credentials and evading detection. Understanding this threat is essential to improving defenses. Cofense Intelligence spotted this unusual tactic in early February 2025, and it is ongoing. The script, embedded in malicious web pages or email attachments, exemplifies advanced phishing tactics that prioritize speed, precision, and deception."
https://cofense.com/blog/unpacking-the-phishing-script-behind-a-server-orchestrated-deception - Bitter (APT-Q-37) Uses Diverse Means To Deliver New Backdoor Components
"The 蔓灵花 group, also known as Bitter and tracking number APT-Q-37, is widely believed to have a South Asian background and has long been targeting China, Pakistan, and other countries, with targeted attacks on units in the government, electric power, and military industries, with the intent of stealing sensitive information."
https://ti.qianxin.com/blog/articles/bitter-uses-diverse-means-to-deliver-new-backdoor-components-en/
https://hackread.com/bitter-apt-winrar-vulnerability-backdoor-attacks/ - SocGholish: Turning Application Updates Into Vexing Infections
"SocGholish, also known as FakeUpdates, has been in service since 2017. Distributed by the threat group TA569, SocGholish is best known for masquerading as a fake application update to trick users into downloading malicious files. TA569 has a tenuous connection to the Russian government through GRU Unit 29155, with Raspberry Robin as its payload. Additionally, TA569 offers Initial Access Broker (IAB) capabilities to those using the malware. The group’s motivation if primarily financial, as its business model revolves around enabling and profiting from follow-on compromises by other actors."
https://www.trustwave.com/en-us/resources/blogs/trustwave-blog/socgholish-turning-application-updates-into-vexing-infections/
https://hackread.com/socgholish-malware-compromised-sites-ransomware/ - Jingle Thief: Inside a Cloud-Based Gift Card Fraud Campaign
"We investigated a campaign waged by financially motivated threat actors operating out of Morocco. We refer to this campaign as Jingle Thief, due to the attackers’ modus operandi of conducting gift card fraud during festive seasons. Jingle Thief attackers use phishing and smishing to steal credentials, to compromise organizations that issue gift cards. Their operations primarily target global enterprises in the retail and consumer services sectors. Once they gain access to an organization, they pursue the type and level of access needed to issue unauthorized gift cards."
https://unit42.paloaltonetworks.com/cloud-based-gift-card-fraud-campaign/
https://www.helpnetsecurity.com/2025/10/22/cloud-based-techniques-gift-card-fraud/ - The Rise Of Collaborative Tactics Among China-Aligned Cyber Espionage Campaigns
"In the domain of cyberespionage, Trend Research has observed an emerging development in recent years: close collaboration between different advanced persistent threat (APT) groups of what looks like a single cyber campaign at first sight. This report highlights instances of such cooperation, where the APT group Earth Estries handed over a compromised asset to Earth Naga, another APT group also known as Flax Typhoon, RedJuliett, or Ethereal Panda. This phenomenon, which we have termed "Premier Pass," represents a new level of coordination in cyber campaigns, particularly among China-aligned APT actors."
https://www.trendmicro.com/en_us/research/25/j/premier-pass-as-a-service.html
Breaches/Hacks/Leaks
- Ransomware Gang Steals Meeting Videos, Financial Secrets From Fence Wholesaler
"A prominent producer of outdoor fence products told regulators on Tuesday evening that a ransomware gang stole images of video meetings and non-public financial documents. Oregon-based Jewett-Cameron Trading filed a notice with the Securities and Exchange Commission (SEC) warning investors that hackers breached its IT systems on October 15. An investigation found that the hackers encrypted parts of the company’s internal corporate systems and installed monitoring software. “The incident caused disruptions and limitation of access to portions of the Company’s business applications supporting aspects of the Company’s operations and corporate functions, which the Company voluntarily took offline as a precautionary measure,” Jewett-Cameron said in an 8-K filing."
https://therecord.media/ransomware-gang-steals-meeting-video-fence-manufacturer
https://www.securityweek.com/fencing-and-pet-company-jewett-cameron-hit-by-ransomware/ - Cyber Incidents In Texas, Tennessee And Indiana Impacting Critical Government Services
"A large suburb outside of Dallas, Texas, was one of multiple municipalities across the U.S. this week to report cyber incidents affecting public services. Kaufman County, home to nearly 200,000 people, said a cyberattack was discovered on Monday and forced county officials to notify state and federal agencies. The incident took down several county systems but the Sheriff’s Office and emergency services were not impacted. A local news outlet reported that computers at the county courthouse were affected by the attack."
https://therecord.media/cyber-incidents-texas-tennessee-indiana - Cyber Monitoring Centre Statement On The Jaguar Land Rover Cyber Incident – October 2025
"The Cyber Monitoring Centre (CMC) has categorised the recent malicious cyber incident affecting Jaguar Land Rover (JLR), as a Category 3 systemic event on the five-point Cyber Monitoring Centre scale. The CMC model estimates the event caused a UK financial impact of £1.9 billion and affected over 5,000 UK organisations. The modelled range of loss is £1.6 billion to £2.1 billion but this could be higher if operational technology has been significantly impacted or there are unexpected delays in bringing production back to pre-event levels. This estimate reflects the substantial disruption to JLR’s manufacturing, to its multi-tier manufacturing supply chain, and to downstream organisations including dealerships. The estimate is sensitive to key assumptions, including the date JLR is able to fully restore production and the profile of the recovery; this and other assumptions and limitations are discussed later in this document. At £1.9 billion of financial loss, this incident appears to be the most economically damaging cyber event to hit the UK, with the vast majority of the financial impact being due to the loss of manufacturing output at JLR and its suppliers."
https://cybermonitoringcentre.com/2025/10/22/cyber-monitoring-centre-statement-on-the-jaguar-land-rovercyber-incident-october-2025/
https://www.theregister.com/2025/10/22/jaguar_lander_rover_cost/
https://www.infosecurity-magazine.com/news/jlr-hack-uk-costliest-ever-19bn/
https://therecord.media/jaguar-land-rover-cyberattack-economic-impact
https://www.bankinfosecurity.com/jaguar-land-rover-hack-costliest-ever-in-uk-a-29782
General News
- For Blind People, Staying Safe Online Means Working Around The Tools Designed To Help
"Blind and low-vision users face the same password challenges as everyone else, but the tools meant to make security easier often end up getting in the way. A study from the CISPA Helmholtz Center for Information Security and DePaul University found that poor accessibility in password managers can lead people to risky habits such as reusing passwords."
https://www.helpnetsecurity.com/2025/10/22/blind-users-passwords-problems/ - Pwn2Own Day 2: Hackers Exploit 56 Zero-Days For $790,000
"Security researchers collected $792,750 in cash after exploiting 56 unique zero-day vulnerabilities during the second day of the Pwn2Own Ireland 2025 hacking competition. Today's highlight was Ken Gannon of Mobile Hacking Lab and Dimitrios Valsamaras of Summoning Team hacking the Samsung Galaxy S25 with a chain of five security flaws, earning $50,000 and 5 Master of Pwn points. Also, while PHP Hooligans needed only a single second to hack the QNAP TS-453E NAS device, the vulnerability they exploited had already been used in the contest."
https://www.bleepingcomputer.com/news/security/samsung-galaxy-s25-hacked-on-day-two-of-pwn2own-ireland-2025/ - Too Many Secrets: Attackers Pounce On Sensitive Data Sprawl
"Threat actors are having an easier time finding secrets today, as sensitive data leaks continue to spread beyond your average code repositories. Several high-profile attacks this year have illustrated the ongoing issue of leaked secrets, and experts say the problem is only getting worse as the sprawl of sensitive data continues to expand. While exposed secrets typically have been in the domain of code repositories and platforms like GitHub, security researchers have found that data is spilling onto to lesser-known avenues."
https://www.darkreading.com/cyber-risk/too-many-secrets-attackers-sensitive-data-sprawl - Russia Pivots, Cracks Down On Resident Hackers
"For the first time in history, the Russian government has been partially cracking down on its cybercriminal underground. Russian cybercriminals operate everywhere, but Russia has always been the world's epicenter, primarily thanks to the carte blanche they're afforded by the state. At best, Russia's oligarchy has turned a blind eye to cybercrime within its borders. In many cases, state institutions and powerful officials have actively collaborated with, recruited, and otherwise aided Internet criminals."
https://www.darkreading.com/threat-intelligence/russia-cracks-down-low-level-hackers - Verizon: Mobile Blindspot Leads To Needless Data Breaches
"Enterprise cybersecurity risks from employees using their personal phones for work are rising, but companies aren't adopting solutions quickly enough to account for them. The data collected in Verizon Business' 2025 Mobile Security Index (MSI) paints a clear picture of an often overlooked organizational security risk. People are being hacked on their personal phones, then transmitting those attacks to their employers. Their employers, though, aren't addressing the issue with the same verve they are desktop-borne risks."
https://www.darkreading.com/threat-intelligence/verizon-mobile-blindspot-data-breaches
https://www.verizon.com/business/resources/reports/mobile-security-index/#2025
https://www.verizon.com/business/resources/reports/2025-mobile-security-index.pdf - What Makes a Great Field CXO: Lessons From The Front Lines
"In recent years, Field CXO positions (e.g., Field CISO, Field CTO, etc.) have become commonplace across the industry. Like any professional position, the people filling these roles vary widely in their style, approach, and success level. If you are recruiting for one of these roles or are looking to leverage a resource at your company in one of these roles, what are some things you should be aware of?"
https://www.securityweek.com/what-makes-a-great-field-cxo-lessons-from-the-front-lines/ - Asian Nations Ramp Up Pressure On Cybercrime 'Scam Factories'
"Human trafficking and forced-labor camps where the equivalent of indentured servants carry out scams, fraud, and other cybercrime activities have infested Cambodia, Laos, and Burma — and neighboring Asian nations are taking more stringent efforts to deal with the growing problem. Last week, South Korea banned travel to parts of Cambodia, stating that citizens can be prosecuted for violating the law and "strongly advised" them to cancel their trips, in what the government refers to as a "code black" travel ban. The South Korean government, which estimates that about 1,000 citizens are working or forced to work in the cyber-scam centers, is also reportedly readying sanctions against the groups operating in Cambodia and other cybercrime-friendly nations."
https://www.darkreading.com/cyberattacks-data-breaches/asian-nations-ramp-up-legal-attacks-cybercrime-factories
อ้างอิง
Electronic Transactions Development Agency(ETDA) - OpenFGA: The Open-Source Engine Redefining Access Control
-
Cyber Threat Intelligence 22 October 2025โพสต์ใน Cyber Security News
Healthcare Sector
- Oxford Nanopore Technologies MinKNOW
"Successful exploitation of these vulnerabilities could allow an attacker to disrupt sequencing operations and processes, exfiltrate and manipulate data, and bypass authentication controls."
https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-294-01
Industrial Sector
- Rockwell Automation 1783-NATR
"Successful exploitation of these vulnerabilities could result in a denial-of-service, data modification, or in an attacker obtaining sensitive information."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-294-01 - Rockwell Automation Compact GuardLogix 5370
"Successful exploitation of this vulnerability could result in a denial-of-service."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-294-02 - Siemens SIMATIC S7-1200 CPU V1/V2 Devices
"Successful exploitation of these vulnerabilities could allow an unauthenticated remote attacker to trigger functions by record and playback of legitimate network communication, or place the controller in stop/defect state by causing a communications error."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-294-03 - CloudEdge Online Cameras And App
"Successful exploitation of this vulnerability could allow an attacker to gain access to live video feed and camera control."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-294-05 - Raisecomm RAX701-GC Series
"Successful exploitation of this vulnerability could allow a remote attacker to bypass authentication and gain unauthenticated root shell access to the affected devices."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-294-06 - Siemens RUGGEDCOM ROS Devices
"Successful exploitation of these vulnerabilities could allow attackers to perform man-in-the-middle attacks, cause denial of service, compromise encrypted communications, and gain unauthorized access to devices until a reboot occurs."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-294-04
Vulnerabilities
- TP-Link Warns Of Critical Command Injection Flaw In Omada Gateways
"TP-Link is warning of two command injection vulnerabilities in Omada gateway devices that could be exploited to execute arbitrary OS commands. Omada gateways are marketed as full-stack solutions (router, firewall, VPN gateway) for small to medium businesses, and are constantly increasing in popularity. Although the two security issues lead to the same result when triggered, only one of them, identified as CVE-2025-6542 with a critical severity rating of 9.3, can be exploited by a remote attacker without authentication."
https://www.bleepingcomputer.com/news/security/tp-link-warns-of-critical-command-injection-flaw-in-omada-gateways/
https://support.omadanetworks.com/en/document/108455/ - TARmageddon (CVE-2025-62518): RCE Vulnerability Highlights The Challenges Of Open Source Abandonware
"The Edera team has uncovered a critical boundary-parsing bug, dubbed TARmageddon (CVE-2025-62518), in the popular async-tar Rust library and its deep lineage of forks, including the widely used tokio-tar. In the worst-case scenario, this vulnerability has a severity of 8.1 (High) and can lead to Remote Code Execution (RCE) through file overwriting attacks, such as replacing configuration files or hijacking build backends."
https://edera.dev/stories/tarmageddon
https://cyberscoop.com/async-tar-rust-open-source-vulnerability/
Malware
- Forked And Forgotten: 94 Vulnerabilities In Cursor And Windsurf Put 1.8M Developers At Risk
"We successfully weaponized CVE-2025-7656 – a patched Chromium vulnerability – against the latest versions of Cursor and Windsurf, affecting 1.8 million developers. This is just 1 of 94+ known vulnerabilities these IDEs are exposed to due to their legacy Chromium builds. Developers are increasingly targeted for supply chain attacks, having highly sensitive company data on their devices."
https://www.ox.security/blog/94-Vulnerabilities-in-Cursor-and-Windsurf-Put-1-8M-Developers-at-Risk/
https://www.bleepingcomputer.com/news/security/cursor-windsurf-ides-riddled-with-94-plus-n-day-chromium-vulnerabilities/ - Fast, Broad, And Elusive: How Vidar Stealer 2.0 Upgrades Infostealer Capabilities
"On October 6, 2025, the developer known as "Loadbaks" announced the release of Vidar Stealer v2.0 on underground forums. This new version features a complete transition from C++ to a pure C implementation, allegedly enhancing performance and efficiency. Its release coincides with a decline in activity surrounding the Lumma Stealer, suggesting cybercriminals under its operation are exploring alternatives like Vidar and StealC. Vidar 2.0 is said to introduce a range of concerning features, including advanced anti-analysis measures, multithreaded data theft capabilities, and sophisticated methods for extracting browser credentials. With a consistent price point of US$300, it offers attackers powerful tools that are both cost-effective and efficient."
https://www.trendmicro.com/en_us/research/25/j/how-vidar-stealer-2-upgrades-infostealer-capabilities.html
https://www.bleepingcomputer.com/news/security/vidar-stealer-20-adds-multi-threaded-data-theft-better-evasion/ - PassiveNeuron: a Sophisticated Campaign Targeting Servers Of High-Profile Organizations
"Back in 2024, we gave a brief description of a complex cyberespionage campaign that we dubbed “PassiveNeuron”. This campaign involved compromising the servers of government organizations with previously unknown APT implants, named “Neursite” and “NeuralExecutor”. However, since its discovery, the PassiveNeuron campaign has been shrouded in mystery. For instance, it remained unclear how the implants in question were deployed or what actor was behind them. After we detected this campaign and prevented its spreading back in June 2024, we did not see any further malware deployments linked to PassiveNeuron for quite a long time, about six months."
https://securelist.com/passiveneuron-campaign-with-apt-implants-and-cobalt-strike/117745/
https://www.darkreading.com/cyberattacks-data-breaches/-passiveneuron-cyber-spies-target-industrial-financial-orgs
https://www.securityweek.com/government-industrial-servers-targeted-in-china-linked-passiveneuron-campaign/ - Exposing The Immediate Era Fraud In Singapore
"Group-IB has identified a large-scale scam operation that misappropriate the images and likeness of Singapore officials, including Prime Minister Lawrence Wong and Coordinating Minister for National Security K. Shanmugam, to deceive Singapore citizens and residents into engaging with a fraudulent investment platform. The scam campaign relies on paid Google Ads, intermediary redirect websites designed to conceal fraudulent and malicious activity, and highly convincing fake webpages. Group-IB’s analysis revealed that victims were ultimately directed to a forex investment platform registered in Mauritius, operating under a seemingly legitimate legal entity with an official investment license. This structure created an illusion of compliance while enabling cross-border fraudulent activity."
https://www.group-ib.com/blog/immediate-era-fraud-singapore/
https://www.infosecurity-magazine.com/news/singapore-officials-investment-scam/ - Facebook Credential Phishing With Job Scams Impersonating Well-Known Companies
"Scammers increase their chances of success by keeping their scams relevant. As the U.S. faces a slowed job market, a fake job opportunity from a reputable company is very relevant bait. Earlier this week, we looked at a Google Careers phishing scam. In this post, we'll be looking at another recent attack campaign in which we saw bad actors impersonate a wide variety of well-known companies in order to credential phish targets looking for social media manager jobs. While the brands varied per message, the intent and methodology remained the same, indicating the use of a phishing kit and/or LLM to quickly create and launch a varied attack."
https://sublime.security/blog/facebook-credential-phishing-with-job-scams-impersonating-well-known-companies/
https://hackread.com/phishing-emails-offer-jobs-steal-facebook-logins/ - The Evolving Landscape Of Email Phishing Attacks: How Threat Actors Are Reusing And Refining Established Techniques
"Cyberthreats are constantly evolving, and email phishing is no exception. Threat actors keep coming up with new methods to bypass security filters and circumvent user vigilance. At the same time, established – and even long-forgotten – tactics have not gone anywhere; in fact, some are getting a second life. This post details some of the unusual techniques malicious actors are employing in 2025."
https://securelist.com/email-phishing-techniques-2025/117801/
Breaches/Hacks/Leaks
- Official Xubuntu Website Compromised To Serve Malware
"The official website for Xubuntu, a community-maintained “flavour” of Ubuntu that ships with the Xfce desktop environment, has been compromised to serve Windows malware instead of the Linux distro. Reports about a potential compromise began popping up on Reddit on Sunday, with users saying that instead of pointing to .torrent files, the download page served Xubuntu-Safe-Download.zip, containing a suspicious executable (TestCompany.SafeDownloader.exe) and a text file (tos.txt). “The TOS starts with Copyright (c) 2026 Xubuntu.org which is sus, because it is 2025. I opened the .exe with file-roller and couldn’t find any .torrent inside,” one of the users who raised the alarm noted."
https://www.helpnetsecurity.com/2025/10/21/xubuntu-website-compromised-malware/
General News
- Hackers Exploit 34 Zero-Days On First Day Of Pwn2Own Ireland
"On the first day of Pwn2Own Ireland 2025, security researchers exploited 34 unique zero-days and collected $522,500 in cash awards. The highlight of the day was Bongeun Koo and Evangelos Daravigkas of Team DDOS chaining eight zero-day flaws to hack the QNAP Qhora-322 Ethernet wireless router via the WAN interface and gain access to a QNAP TS-453E NAS device. For this successful attempt, they won $100,000 and are now in second place on the Master of Pwn leaderboard with 8 points."
https://www.bleepingcomputer.com/news/security/hackers-exploit-34-zero-days-on-first-day-of-pwn2own-ireland/ - When Everything’s Connected, Everything’s At Risk
"In this Help Net Security interview, Ken Deitz, CISO at Brown & Brown, discusses how the definition of cyber risk has expanded beyond IT to include IoT, OT, and broader supply chain ecosystems. As organizations connect these assets through cloud and networked systems, the attack surface and dependencies have multiplied. Deitz also shares strategies for managing risk through visibility, segmentation, and resilient recovery planning."
https://www.helpnetsecurity.com/2025/10/21/ken-deitz-brown-brown-assets-cyber-risk/ - Your Smart Building Isn’t So Smart Without Security
"The lights switch on as you walk in. The air adjusts to your presence. Somewhere in the background, a server notes your arrival. It’s the comfort of a smart building, but that comfort might come with a cost. Smart buildings use digital systems that collect information about how people move and work. These networks make life easier but also create openings for misuse or attack. Cybercriminals can take control of heating systems, security cameras, or other automated devices."
https://www.helpnetsecurity.com/2025/10/21/smart-buildings-cybersecurity-risks/ - AI’s Split Personality: Solving Crimes While Helping Conceal Them
"What happens when investigators and cybercriminals start using the same technology? AI is now doing both, helping law enforcement trace attacks while also being tested for its ability to conceal them. A new study from the University of Cagliari digs into this double-edged role of AI, mapping out how it’s transforming cybercrime detection and digital forensics, and why that’s exciting and a little alarming."
https://www.helpnetsecurity.com/2025/10/21/ai-cybercrime-digital-forensics/ - Ransomware Payouts Surge To $3.6m Amid Evolving Tactics
"The average ransomware payment has increased to $3.6m this year, up from $2.5m in 2024 – a 44% surge despite a decline in the overall number of attacks. The 2025 Global Threat Landscape Report findings from ExtraHop point to a clear evolution in cybercriminal strategy: fewer, more targeted operations that aim for higher returns and longer-lasting impact."
https://www.infosecurity-magazine.com/news/ransomware-payouts-surge-dollar36m/ - Myanmar Military Shuts Down Major Cybercrime Center And Detains Over 2,000 People
"Myanmar’s military has shut down a major online scam operation near the border with Thailand, detaining more than 2,000 people and seizing dozens of Starlink satellite internet terminals, state media reported Monday. Myanmar is notorious for hosting cyberscam operations responsible for bilking people all over the world. These usually involve gaining victims’ confidence online with romantic ploys and bogus investment pitches. The centers are infamous for recruiting workers from other countries under false pretenses, promising them legitimate jobs and then holding them captive and forcing them to carry out criminal activities."
https://www.securityweek.com/myanmar-military-shuts-down-major-cybercrime-center-and-detains-over-2000-people/ - SOC Threat Radar — October 2025
"Over the last month, Barracuda Managed XDR’s security solutions, threat intelligence resources and SOC analysts observed the following notable attack behaviors: A rise in ransomware attacks targeting vulnerable SonicWall VPNs, Python scripts used to run malicious tools under the radar, and More Microsoft 365 accounts coming under attack."
https://blog.barracuda.com/2025/10/21/soc-threat-radar-october-2025 - Restructuring Risk Operations: Building a Business-Aligned Cyber Strategy
"As cyber risk continues to escalate, many organizations face a disconnect between cybersecurity investments and actual risk reduction. Despite increased security budgets, formal cyber risk programs, and adoption of new frameworks, recent data shows these efforts often fail to lower risk profiles. According to the Qualys State of Cyber Risk Report by Dark Reading, 71 percent of organizations report rising (51 percent) or consistent (20 percent) cyber risk levels, with only six percent experiencing a decrease. While nearly half (49 percent) of organizations have formal cyber risk programs, the industry remains in early maturity. Notably, 43 percent of these programs have been in place for two years or less, and 19 percent are still in the planning phase."
https://www.theregister.com/2025/10/21/restructuring_risk_operations_building/
https://www.qualys.com/forms/whitepapers/state-of-cyber-risk-report-and-roc-promotion/ - How Malware Vaccines Could Stop Ransomware's Rampage
"What's better, prevention or cure? For a long time the global cybersecurity industry has operated by reacting to attacks and computer viruses. But given that ransomware has continued to escalate, more proactive action is needed. Malware vaccines were a hot topic of discussion at the recent ONE Conference in The Hague, where Justin Grosfelt, senior manager for the Reversing, Emulation, and Testing team at global cybersecurity firm Recorded Future, presented new research showing it is possible to develop code that makes only cosmetic changes to a Windows PC in order to trick malware into not bothering to infect it."
https://www.theregister.com/2025/10/21/malware_vaccines/
อ้างอิง
Electronic Transactions Development Agency(ETDA) - Oxford Nanopore Technologies MinKNOW
-
Muji หยุดให้บริการร้านค้าออนไลน์ หลังบริษัทขนส่งคู่ค้าถูกโจมตีด้วยแรนซัมแวร์โพสต์ใน Cyber Security News
สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand
-
เตือนช่องโหว่ WatchGuard กระทบอุปกรณ์ Firebox กว่า 75,000 เครื่องทั่วโลกโพสต์ใน Cyber Security News
สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand
-
นักวิจัยสาธิตการโจมตี "รถยนต์ส่วนตัว" (BYOC) อาจเป็นช่องทางให้แฮกเกอร์เจาะระบบองค์กรได้โพสต์ใน Cyber Security News
สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand
-
สายการบิน Envoy Air บริษัทในเครือ American Airlines ได้รับผลกระทบจากการโจมตี Oracle EBS โดยกลุ่มแรนซัมแวร์ Cl0pโพสต์ใน Cyber Security News
สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand
-
ConnectWise ออกแพตช์แก้ไขช่องโหว่ใน Automate RMM Toolโพสต์ใน Cyber Security News
สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand
-
แฮกเกอร์ใช้ TikTok เป็นช่องทางแพร่มัลแวร์ขโมยข้อมูลผ่านคลิปสอน “ปลดล็อกซอฟต์แวร์ฟรี”โพสต์ใน Cyber Security News
สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand
-
Cyber Threat Intelligence 21 October 2025โพสต์ใน Cyber Security News
New Tooling
- Nodepass: Open-Source TCP/UDP Tunneling Solution
"When you think of network tunneling, “lightweight” and “enterprise-grade” rarely appear in the same sentence. NodePass, an open-source project, wants to change that. It’s a compact but powerful TCP/UDP tunneling solution built for DevOps teams and system administrators who need to manage complex network environments without wading through configuration files or rigid infrastructure setups."
https://www.helpnetsecurity.com/2025/10/20/nodepass-open-source-tcp-udp-tunneling-solution/
https://github.com/yosebyte/nodepass
Vulnerabilities
- Hard-Coded Credentials Found In Moxa Industrial Security Appliances, Routers (CVE-2025-6950)
"Moxa has fixed 5 vulnerabilities in its industrial network security appliances and routers, including a remotely exploitable flaw (CVE-2025-6950) that may result in complete system compromise. There’s no mention of these flaws being exploited in the wild, but due to their severity, the company has advised customers to apply the latest firmware updates immediately."
https://www.helpnetsecurity.com/2025/10/20/moxa-routers-hard-coded-credentials-cve-2025-6950/
https://www.moxa.com/en/support/product-support/security-advisory/mpsa-258121-cve-2025-6892%2C-cve-2025-6893%2C-cve-2025-6894%2C-cve-2025-6949%2C-cve-2025-6950-multiple-vulnerabilities-in-netwo - Vulnerability In Dolby Decoder Can Allow Zero-Click Attacks
"A high-severity vulnerability in Dolby’s Unified Decoder could be exploited for remote code execution, without user interaction in certain cases. Built on top of the Dolby Digital Plus (DD+) standard, the Unified Decoder is a software/hardware component used for processing DD+, Dolby AC-4, and other audio formats, converting them into formats that can be played back through speakers. The decoder, Google Project Zero’s Ivan Fratric and Natalie Silvanovich discovered, was impacted by an out-of-bounds write issue that could be triggered during the processing of evolution data."
https://www.securityweek.com/vulnerability-in-dolby-decoder-can-allow-zero-click-attacks/
https://project-zero.issues.chromium.org/issues/428075495 - CISA Adds Five Known Exploited Vulnerabilities To Catalog
"CISA has added five new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
CVE-2022-48503 Apple Multiple Products Unspecified Vulnerability
CVE-2025-2746 Kentico Xperience Staging Sync Server Digest Password Authentication Bypass Vulnerability
CVE-2025-2747 Kentico Xperience Staging Sync Server None Password Type Authentication Bypass Vulnerability
CVE-2025-33073 Microsoft Windows SMB Client Improper Access Control Vulnerability
CVE-2025-61884 Oracle E-Business Suite Server-Side Request Forgery (SSRF) Vulnerability"
https://www.cisa.gov/news-events/alerts/2025/10/20/cisa-adds-five-known-exploited-vulnerabilities-catalog
https://thehackernews.com/2025/10/five-new-exploited-bugs-land-in-cisas.html
https://www.bleepingcomputer.com/news/security/cisa-high-severity-windows-smb-flaw-now-exploited-in-attacks/ - Over 75,000 WatchGuard Security Devices Vulnerable To Critical RCE
"Nearly 76,000 WatchGuard Firebox network security appliances are exposed on the public web and still vulnerable to a critical issue (CVE-2025-9242) that could allow a remote attacker to execute code without authentication. Firebox devices act as a central defense hub that controls traffic between internal and external networks, providing protection through policy management, security services, VPN, and real-time real-time visibility through WatchGuard Cloud. Scans from The Shadowserver Foundation currently show that there are 75,835 vulnerable Firebox appliances across the world, most of them in Europe and North America."
https://www.bleepingcomputer.com/news/security/over-75-000-watchguard-security-devices-vulnerable-to-critical-rce/ - Is Your Car a BYOD Risk? Researchers Demonstrate How
"Bring your own device (BYOD) threats continue to expand, as researchers have demonstrated that even the car you drive to work can constitute an initial access vector into a corporate network. At BSides NYC on Oct. 18, Threatlight chief technology officer (CTO) and co-founder Tim Shipp detailed a proof-of-concept (PoC) attack chain that began in a parked car and ended in corporate Linux servers and ESXi hypervisors. Call it a BYOC — a bring-your-own-car attack. And it required only a few cheap gadgets. The key (pun intended) was the driver's phone — using the car to reach the phone, then using the phone to reach the company's network."
https://www.darkreading.com/vulnerabilities-threats/car-byod-risk - Denial Of Fuzzing: Rust In The Windows Kernel
"Check Point Research (CPR) identified a security vulnerability in January 2025 affecting the new Rust-based kernel component of the Graphics Device Interface (commonly known as GDI) in Windows. We promptly reported this issue to Microsoft and they fixed the vulnerability starting with OS Build 26100.4202 in the KB5058499 update preview released on May 28th 2025. In the following sections, we detail the methodology of our fuzzing campaign, which targeted the Windows graphics component via metafiles and led to the discovery of this security vulnerability, among others, whose technical analysis is published separately in Drawn to Danger: Bugs in Windows Graphics Lead to Remote Code Execution and Memory Exposure."
https://research.checkpoint.com/2025/denial-of-fuzzing-rust-in-the-windows-kernel/
Malware
- MSS Claims NSA Used 42 Cyber Tools In Multi-Stage Attack On Beijing Time Systems
"China on Sunday accused the U.S. National Security Agency (NSA) of carrying out a "premeditated" cyber attack targeting the National Time Service Center (NTSC), as it described the U.S. as a "hacker empire" and the "greatest source of chaos in cyberspace." The Ministry of State Security (MSS), in a WeChat post, said it uncovered "irrefutable evidence" of the agency's involvement in the intrusion that dated back to March 25, 2022. The attack was ultimately foiled, it added. Established in 1966 under the jurisdiction of the Chinese Academy of Sciences (CAS), NTSC is responsible for generating, maintaining, and transmitting the national standard of time (Beijing Time)."
https://thehackernews.com/2025/10/mss-claims-nsa-used-42-cyber-tools-in.html
https://therecord.media/china-attack-national-time-center
https://www.securityweek.com/china-accuses-us-of-cyberattack-on-national-time-center/
https://securityaffairs.com/183619/intelligence/china-finds-irrefutable-evidence-of-us-nsa-cyberattacks-on-time-authority.html
https://cyberscoop.com/china-mss-nsa-cyberattack-timekeeping-service/ - Salty Much: Darktrace’s View On a Recent Salt Typhoon Intrusion
"Salt Typhoon, a China-linked cyber espionage group, has been observed targeting global infrastructure using stealthy techniques such as DLL sideloading and zero-day exploits. Darktrace recently identified early-stage intrusion activity consistent with Salt Typhoon’s tactics, reinforcing the importance of anomaly-based detection over traditional signature-based methods when defending against persistent, state-sponsored threat."
https://www.infosecurity-magazine.com/news/salt-typhoon-citrix-flaw-cyber/
https://www.bankinfosecurity.com/salt-typhoon-targets-european-telecom-a-29766
https://www.helpnetsecurity.com/2025/10/20/salt-typhoon-apt-telecommunications-europe/ - Analysing ClickFix: 3 Reasons Why Copy/Paste Attacks Are Driving Security Breaches
"ClickFix, FileFix, fake CAPTCHA — whatever you call it, attacks where users interact with malicious scripts in their web browser are a fast-growing source of security breaches. ClickFix attacks prompt the user to solve some kind of problem or challenge in the browser — most commonly a CAPTCHA, but also things like fixing an error on a webpage. The name is a little misleading, though — the key factor in the attack is that they trick users into running malicious commands on their device by copying malicious code from the page clipboard and running it locally."
https://thehackernews.com/2025/10/analysing-clickfix-3-reasons-why.html - 131 Spamware Extensions Targeting WhatsApp Flood Chrome Web Store
"This cluster of Chrome extensions comprises 131 rebrands of a single tool, all sharing the same codebase, design patterns, and infrastructure. They are not classic malware, but they function as high-risk spam automation that abuses platform rules. The code injects directly into the WhatsApp Web page, running alongside WhatsApp’s own scripts, automates bulk outreach and scheduling in ways that aim to bypass WhatsApp anti-spam enforcement. Listings and marketing sites claim that their Chrome Web Store presence implies a rigorous audit and full privacy compliance. That claim is inaccurate and conflicts with Chrome and WhatsApp policies. At the supply chain level, this is policy abuse that enables spam at scale. Across listings with visible counts, these extensions account for at least 20,905 active users."
https://socket.dev/blog/131-spamware-extensions-targeting-whatsapp-flood-chrome-web-store
https://thehackernews.com/2025/10/131-chrome-extensions-caught-hijacking.html - GlassWorm: First Self-Propagating Worm Using Invisible Code Hits OpenVSX Marketplace
"A month after Shai Hulud became the first self-propagating worm in the npm ecosystem, we just discovered the world's first worm targeting VS Code extensions on OpenVSX marketplace. But GlassWorm isn't just another supply chain attack. It's using stealth techniques we've never seen before in the wild - invisible Unicode characters that make malicious code literally disappear from code editors. Combine that with blockchain-based C2 infrastructure that can't be taken down, Google Calendar as a backup command server, and a full remote access trojan that turns every infected developer into a criminal proxy node."
https://www.koi.ai/blog/glassworm-first-self-propagating-worm-using-invisible-code-hits-openvsx-marketplace
https://www.bleepingcomputer.com/news/security/self-spreading-glassworm-malware-hits-openvsx-vs-code-registries/ - To Be (A Robot) Or Not To Be: New Malware Attributed To Russia State-Sponsored COLDRIVER
"COLDRIVER, a Russian state-sponsored threat group known for targeting high profile individuals in NGOs, policy advisors and dissidents, swiftly shifted operations after the May 2025 public disclosure of its LOSTKEYS malware, operationalizing new malware families five days later. It is unclear how long COLDRIVER had this malware in development, but GTIG has not observed a single instance of LOSTKEYS since publication. Instead, GTIG has seen new malware used more aggressively than any other previous malware campaigns we have attributed to COLDRIVER (also known as UNC4057, Star Blizzard, and Callisto)."
https://cloud.google.com/blog/topics/threat-intelligence/new-malware-russia-coldriver/
https://www.darkreading.com/cyberattacks-data-breaches/coldriver-drops-fresh-malware-targets
Breaches/Hacks/Leaks
- Retail Giant Muji Halts Online Sales After Ransomware Attack On Supplier
"Japanese retail company Muji has taken offline its store due to a logistics outage caused by a ransomware attack at its delivery partner, Askul. On Sunday evening (Japan timezone), Muji said that the issue caused all retail services were affected, including browsing or making purchases on online stores, viewing order histories via the Muji app, and displaying some web content. Although the company did not specify a timeline for restoring the systems, an update on Monday afternoon stated that only purchases from the online store and applying for a monthly flat-rate service continued to be impacted."
https://www.bleepingcomputer.com/news/security/retail-giant-muji-halts-online-sales-after-ransomware-attack-on-supplier/ - Cyberattack Disrupts Services At 2 Massachusetts Hospitals
"A North Central Massachusetts nonprofit healthcare system with two community hospitals, a medical group and several other care facilities has taken its IT network offline and is diverting ambulance patients as it continues to respond to a cyberattack that hit last week. Heywood Healthcare said it is continuing to care for inpatients at its 134-bed Heywood Hospital in Gardner, Massachusetts and its 25-bed critical access community hospital, Athol Hospital, in nearby Athol. But the hospitals are not accepting emergency care patients transported by ambulance. Radiology and laboratory services are also affected."
https://www.bankinfosecurity.com/cyberattack-disrupts-services-at-2-massachusetts-hospitals-a-29765 - Japanese Retailer Askul Halts Online Orders, Shipments After Ransomware Attack
"Japanese office and household goods retailer Askul has halted online orders and product shipments after a ransomware attack crippled its systems, disrupting operations for several major retailers that rely on its logistics network. The Tokyo-based company said the cyberattack, discovered over the weekend, caused system failures that forced it to suspend operations across its three e-commerce sites — Askul for office supplies, Lohaco for household goods and Soloel Arena for corporate clients."
https://therecord.media/askul-japan-retailer-cyberattack-disruption - Home Security Firm Verisure Reports Data Breach At Swedish Subsidiary
"Home security company Verisure said it had detected unauthorized access to customer data linked to one of its subsidiaries. The breach affected systems belonging to Alert Alarm, a Swedish home security brand that Verisure acquired several years ago, the company said. The subsidiary’s IT infrastructure is managed separately from Verisure’s main network and hosted by an external billing partner. In a statement on Friday, Verisure said the intrusion was confined to that system and did not impact its broader operations in Europe and Latin America. Based in Sweden, the company has operations in 17 countries overall."
https://therecord.media/verisure-data-breach-sweden-alert-alarm-subsidiary
General News
- Evilginx’s Creator Reckons With The Dark Side Of Red-Team Tools
"Kuba Gretzky wanted to make the internet safer. Instead, he helped make it more dangerous. In 2017, from his home in Poland, the coder released a hacking tool called Evilginx – a program designed to help cybersecurity teams understand and defend against phishing attacks. It was meant as a teaching device, a way for companies to see how easily credentials could be stolen and to shore up their defenses before someone else did it for real.But once Evilginx went public, the line between defense and offense blurred. Hackers began using it to break into networks, steal passwords and sell access. Before long, even nation-state actors were folding Gretzky’s code into their operations."
https://therecord.media/evilginx-kuba-gretzky-interview-click-here-podcast - Flawed Vendor Guidance Exposes Enterprises To Avoidable Risk
"The fallout from Oracle's latest zero-day (CVE-2025-61882) continues to spread, with Harvard University recently disclosing it suffered a data leak stemming from an attack targeting the flaw. The vulnerability carries an "easily exploitable" CVSS score of 9.8 and enables unauthenticated Remote Code Execution (RCE). Targeting a fully integrated business application, such as Oracle's E-Business Suite, is debilitating because it grants attackers access to critical data and functionality. While this vulnerability is significant, Oracle's E-Business Suite should never have been exposed to the Internet, due to the nature of the service and the sensitivity of the data housed within it. The episode raises questions about deployment documents and the role it plays in exposing enterprise systems to avoidable risk."
https://www.darkreading.com/vulnerabilities-threats/oracle-s-flawed-waf-guidance-left-its-customers-vulnerable-to-ransomware-attack - From Ransomware To AI Risk: New ISACA Research Identifies What Will Keep Tech Pros Up At Night In 2026
"As they look ahead to 2026, more than half of digital trust professionals (59 percent) are expecting that AI-driven cyber threats and deepfakes will keep them up the most at night next year, according to ISACA’s 2026 Tech Trends & Priorities Pulse Poll. Also anticipated to keep them up at night are thoughts of irreparable harm caused by failure to detect/respond to a breach (36 percent) and insider threats and human error (35 percent), finds the inaugural pulse poll—which surveyed 2,963 professionals in digital trust fields such as cybersecurity, IT audit, governance, risk and compliance about their concerns and priorities in areas including technology, threats, regulation and talent."
https://www.isaca.org/about-us/newsroom/press-releases/2025/new-isaca-research-identifies--what-will-keep-tech-pros-up-at-night-in-2026
https://www.infosecurity-magazine.com/news/ai-social-engineering-top-cyber/ - The Golden Scale: Notable Threat Updates And Looking Ahead
"We recently published an Insights piece “The Golden Scale: Bling Libra and the Evolving Extortion Economy,” which primarily focused on the Salesforce data theft extortion activity. This was associated with the cybercriminal syndicate known as Scattered LAPSUS$ Hunters. Since early October 2025, we have observed several notable developments within a Telegram channel (SLSH 6.0 part 3) used by the threat actors. This activity may provide a glimpse into how the group plans to operate in the foreseeable future. We’re providing these insights so that organizations can better prepare for and defend against this evolving threat activity."
https://unit42.paloaltonetworks.com/scattered-lapsus-hunters-updates/
อ้างอิง
Electronic Transactions Development Agency(ETDA) - Nodepass: Open-Source TCP/UDP Tunneling Solution
-
Europol ทลายเครือข่าย SIM Farm สนับสนุนบัญชีปลอมกว่า 49 ล้านบัญชีทั่วโลกโพสต์ใน Cyber Security News
สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand
-
กลุ่มแฮกเกอร์ Winos 4.0 ขยายการโจมตีสู่ญี่ปุ่นและมาเลเซีย ใช้มัลแวร์ HoldingHands RATโพสต์ใน Cyber Security News
สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand
-
Have I Been Pwned เผย! ข้อมูลผู้ใช้ Prosper แพลตฟอร์มกู้ยืมเงิน อาจรั่วไหลกว่า 17.6 ล้านรายโพสต์ใน Cyber Security News
สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand
-
Cyber Threat Intelligence 20 October 2025โพสต์ใน Cyber Security News
Healthcare Sector
- Inside Healthcare’s Quiet Cybersecurity Breakdown
"Hospitals, clinics, and care networks continue to treat cybersecurity as a back-office issue, according to the 2025 Healthcare IT Landscape Report from Omega Systems. Healthcare IT leaders are juggling competing demands. Rising costs, new privacy regulations, and expanding digital health services all fight for attention and budgets. As a result, cybersecurity often slips behind other operational concerns."
https://www.helpnetsecurity.com/2025/10/17/healthcare-organizations-cyber-attacks-reality-report/
Vulnerabilities
- ConnectWise Fixes Automate Bug Allowing AiTM Update Attacks
"ConnectWise released a security update to address vulnerabilities, one of them with critical severity, in Automate product that could expose sensitive communications to interception and modification. ConnectWise Automate is a remote monitoring and management (RMM) platform used by managed service providers (MSPs), IT service companies, and internal IT departments in large enterprises. In typical deployments, it acts as a central management hub with high priviliges to control thousands of client machines."
https://www.bleepingcomputer.com/news/security/connectwise-fixes-automate-bug-allowing-aitm-update-attacks/ - Researchers Uncover WatchGuard VPN Bug That Could Let Attackers Take Over Devices
"Cybersecurity researchers have disclosed details of a recently patched critical security flaw in WatchGuard Fireware that could allow unauthenticated attackers to execute arbitrary code. The vulnerability, tracked as CVE-2025-9242 (CVSS score: 9.3), is described as an out-of-bounds write vulnerability affecting Fireware OS 11.10.2 up to and including 11.12.4_Update1, 12.0 up to and including 12.11.3 and 2025.1."
https://thehackernews.com/2025/10/researchers-uncover-watchguard-vpn-bug.html
https://securityaffairs.com/183548/security/a-critical-watchguard-fireware-flaw-could-allow-unauthenticated-code-execution.html - Over 266,000 F5 BIG-IP Instances Exposed To Remote Attacks
"Internet security nonprofit Shadowserver Foundation has found more than 266,000 F5 BIG-IP instances exposed online after the security breach disclosed by cybersecurity company F5 this week. The company revealed on Wednesday that nation-state hackers breached its network and stole source code and information on undisclosed BIG-IP security flaws, but found no evidence that the attackers had leaked or exploited the undisclosed vulnerabilities in attacks. The same day, F5 also issued patches to address 44 vulnerabilities (including the ones stolen in the cyberattack) and urged customers to update their devices as soon as possible."
https://www.bleepingcomputer.com/news/security/over-266-000-f5-big-ip-instances-exposed-to-remote-attacks/
Malware
- Odyssey Stealer And AMOS Campaign Targets MacOS Developers Through Fake Tools
"In recent months, our threat hunting team has observed a surge in macOS-targeted campaigns employing new social engineering tactics and persistent infrastructure. This operation stands out for its focus on the developer community, leveraging trust in common tools and open-source platforms to lure victims into executing malicious code. Rather than relying on brute force or zero-day exploits, the operators use finely crafted deception: fake download portals, clipboard manipulation, and command obfuscation."
https://hunt.io/blog/macos-odyssey-amos-malware-campaign
https://www.bleepingcomputer.com/news/security/google-ads-for-fake-homebrew-logmein-sites-push-infostealers/ - Tracking Malware And Attack Expansion: A Hacker Group’s Journey Across Asia
"In January 2025, FortiGuard Labs observed Winos 4.0 attacks targeting users in Taiwan. In February, it became clear the actor had changed malware families and expanded operations. What first appeared isolated was part of a broader campaign that shifted from China to Taiwan, then Japan, and most recently Malaysia. This article examines the methodologies employed to identify strategic connections between their campaigns, revealing how seemingly unrelated attacks are linked through shared infrastructure, code patterns, and operational tactics."
https://www.fortinet.com/blog/threat-research/tracking-malware-and-attack-expansion-a-hacker-groups-journey-across-asia
https://thehackernews.com/2025/10/silver-fox-expands-winos-40-attacks-to.html
https://www.bankinfosecurity.com/cross-border-phishing-attacks-spreads-across-asia-a-29758
https://securityaffairs.com/183580/security/winos-4-0-hackers-expand-to-japan-and-malaysia-with-new-malware.html - Malicious Perplexity Comet Browser Download Ads Push Malware Via Google
"A new malvertising campaign is taking advantage of the popularity of Perplexity’s recently released Comet browser, tricking users into downloading a malicious installer instead of the legitimate product. The fraudulent ads appear at the top of Google search results under domains such as cometswift.com and cometlearn.net, both promoting what looks like a productivity browser linked to Perplexity."
https://hackread.com/perplexity-comet-browser-download-ads-malware-google/ - Post-Exploitation Framework Now Also Delivered Via Npm
"The first version of the AdaptixC2 post-exploitation framework, which can be considered an alternative to the well-known Cobalt Strike, was made publicly available in early 2025. In spring of 2025, the framework was first observed being used for malicious means. In October 2025, Kaspersky experts found that the npm ecosystem contained a malicious package with a fairly convincing name: https-proxy-utils. It was posing as a utility for using proxies within projects. At the time of this post, the package had already been taken down."
https://securelist.com/adaptixc2-agent-found-in-an-npm-package/117784/ - SEO Spam And Hidden Links: How To Protect Your Website And Your Reputation
"When analyzing the content of websites in an attempt to determine what category it belongs to, we sometimes get an utterly unexpected result. It could be the official page of a metal structures manufacturer or online flower shop, or, say, a law firm website, with completely neutral content, but our solutions would place it squarely in the “Adult content” category. On the surface, it is completely unclear how our systems arrived at that verdict, but one look at the content categorization engine’s page analysis log clears it up."
https://securelist.com/seo-spam-hidden-links/117782/ - Operation MotorBeacon : Threat Actor Targets Russian Automotive Sector Using .NET Implant
"SEQRITE Labs Research Team has recently uncovered a campaign which involves targeting Russian Automobile-Commerce industry which involves commercial as well as automobile oriented transactions , we saw the use of unknown .NET malware which we have dubbed as CAPI Backdoor. In this blog, we will explore the technical details of this campaign we encountered during our initial analysis and examine the various stages of the infection chain, starting with a deep dive into the decoy document, to analyzing the CAPI Backdoor. we will then look into the infrastructure along with the common tactics , techniques and procedures (TTPs)."
https://www.seqrite.com/blog/seqrite-capi-backdoor-dotnet-stealer-russian-auto-commerce-oct-2025/
https://thehackernews.com/2025/10/new-net-capi-backdoor-targets-russian.html - Operation Silk Lure: Scheduled Tasks Weaponized For DLL Side-Loading (drops ValleyRAT)
"Seqrite Lab has been actively monitoring global cyber threat activity and has recently uncovered an ongoing campaign leveraging a Command and Control (C2) infrastructure hosted in the United States. The threat actors behind this operation are specifically targeting Chinese individuals seeking employment opportunities in the FinTech, cryptocurrency exchange, and trading platform sectors—particularly for engineering and technical roles."
https://www.seqrite.com/blog/operation-silk-lure-scheduled-tasks-weaponized-for-dll-side-loading-drops-valleyrat/ - TikTok Videos Continue To Push Infostealers In ClickFix Attacks
"Cybercriminals are using TikTok videos disguised as free activation guides for popular software like Windows, Spotify, and Netflix to spread information-stealing malware. ISC Handler Xavier Mertens spotted the ongoing campaign, which is largely the same as the one observed by Trend Micro in May. The TikTok videos seen by BleepingComputer pretend to offer instructions on how to activate legitimate products like Windows, Microsoft 365, Adobe Premiere, Photoshop, CapCut Pro, and Discord Nitro, as well as made-up services such as Netflix and Spotify Premium."
https://www.bleepingcomputer.com/news/security/tiktok-videos-continue-to-push-infostealers-in-clickfix-attacks/
Breaches/Hacks/Leaks
- American Airlines Subsidiary Envoy Confirms Oracle Data Theft Attack
"Envoy Air, a regional airline carrier owned by American Airlines, confirms that data was compromised from its Oracle E-Business Suite application after the Clop extortion gang listed American Airlines on its data leak site. "We are aware of the incident involving Envoy's Oracle E-Business Suite application," Envoy Air told BleepingComputer. "Upon learning of the matter, we immediately began an investigation and law enforcement was contacted. We have conducted a thorough review of the data at issue and have confirmed no sensitive or customer data was affected. A limited amount of business information and commercial contact details may have been compromised.""
https://www.bleepingcomputer.com/news/security/american-airlines-subsidiary-envoy-confirms-oracle-data-theft-attack/
https://therecord.media/regional-airline-envoy-oracle - Before Their Telegram Channel Was Banned Again, ScatteredLAPSUS$Hunters Dropped Files Doxing Government Employees
"On October 16 and 17, the ScatteredLAPSUS$Hunters Telegram channel repeatedly violated Telegram’s TOS by leaking personal information on people — and in this case, information on employees of the Department of Justice (DOJ/FBI), U.S. Attorneys Office (DOJ/USAO), the Department of Homeland Security (DHS), and the Federal Aviation Authority (FAA). DataBreaches did not report on it at the time precisely because the files were still exposed. Instead, DataBreaches contacted Telegram to inquire why the channel hadn’t been banned again for leaking sensitive information about government employees. Today, DataBreaches received a response from Telegram, stating that the channel had been removed for breaching their TOS. They added:"
https://databreaches.net/2025/10/18/before-their-telegram-channel-was-banned-again-scatteredlapsushunters-dropped-files-doxing-government-employees/ - From Airport Chaos To Cyber Intrigue: Everest Gang Takes Credit For Collins Aerospace Breach
"Do you remember the Collins Aerospace supply chain attack that disrupted operations at several major European airports, including Heathrow in London, Brussels, and Berlin? In September, a cyberattack on Collins Aerospace disrupted check-in and boarding systems at major European airports, heavily impacting Heathrow, Brussels, and Berlin. The outage caused numerous flight delays and cancellations, forcing manual operations."
https://securityaffairs.com/183567/breaking-news/from-airport-chaos-to-cyber-intrigue-everest-gang-takes-credit-for-collins-aerospace-breach.html - 'Catastrophic' Attack As Russians Hack Files On EIGHT MoD Bases And Post Them On The Dark Web
"Russian hackers have stolen hundreds of sensitive military documents containing details of eight RAF and Royal Navy bases as well as Ministry of Defence staff names and emails – and posted them on the dark web, The Mail on Sunday can reveal. In what has been described as a 'catastrophic' security breach, cybercriminals accessed the cache of files by hacking a maintenance and construction contractor used by the MoD. The 'gateway' attack – which targeted third party the Dodd Group – allowed cyber gangsters to circumvent the almost impenetrable cyber defences used by the Armed Forces."
https://www.dailymail.co.uk/news/article-15205213/Russians-hack-files-EIGHT-MoD-bases-dark-web.html
General News
- Cybercrime-As-a-Service Takedown: 7 Arrested
"An action day performed in Latvia on 10 October 2025 led to the arrest of five cybercriminals of Latvian nationality and the seizure of infrastructure used to enable crimes against thousands of victims across Europe. During the operation codenamed ‘SIMCARTEL’, law enforcement arrested two further suspects, took down five servers and seized 1 200 SIM box devices alongside 40 000 active SIM cards. Investigators from Austria, Estonia and Latvia, together with their colleagues at Europol und Eurojust, were able to attribute to the criminal network more than 1 700 individual cyber fraud cases in Austria and 1 500 in Latvia, with a total loss of several million euros. The financial loss in Austria alone amounts to around EUR 4.5 million, as well as EUR 420 000 in Latvia."
https://www.europol.europa.eu/media-press/newsroom/news/cybercrime-service-takedown-7-arrested
https://www.bleepingcomputer.com/news/security/europol-dismantles-sim-box-operation-renting-numbers-for-cybercrime/
https://therecord.media/europe-sim-farms-raided-latvia-austria-estonia
https://thehackernews.com/2025/10/europol-dismantles-sim-farm-network.html
https://cyberscoop.com/europol-dismantles-cybercime-network-sim-boxes-fraud/
https://securityaffairs.com/183556/security/simcartel-operation-europol-takes-down-sim-box-ring-linked-to-3200-scams.html - Madman Theory Spurs Crazy Scattered Lapsus$ Hunters Playbook
"Long the province of Russian criminals operating beyond the reach of law enforcement, numerous ransomware campaigns now trace to reckless Western teenagers who have adopted an ethos of "whatever works." Many organize under the banner of Scattered Lapsus$ Hunters, a loose collective that emerged from the cybercrime community The Com, and specialize in a variety of both technical and non-technical tactics. These include using social engineering and technical expertise against help desks, as well as a propensity for targeting enterprise applications built by the likes of Oracle, SAP and Salesforce."
https://www.bankinfosecurity.com/blogs/madman-theory-spurs-crazy-scattered-lapsus-hunters-playbook-p-3960 - Generative AI And Agentic Systems: The New Frontline In Phishing And Smishing Defense
"There’s a quiet revolution happening in cyber security. It isn’t unfolding in dark forums or exotic zero day markets. It’s happening in plain sight—inside large language models, voice cloning tools, and autonomous software agents. Generative AI and agentic systems are rewriting the playbook for phishing and smishing. What used to be crude, one-off scams are now precisely crafted, multilingual, and adaptive campaigns that target individuals and organizations with frightening efficiency."
https://blog.checkpoint.com/executive-insights/generative-ai-and-agentic-systems-the-new-frontline-in-phishing-and-smishing-defense/ - AI Agent Security: Whose Responsibility Is It?
"Agentic AI deployments are becoming an imperative for organizations of all sizes looking to boost productivity and streamline processes, especially as major platforms like Microsoft and Salesforce build agents into their offerings. In the rush to deploy and use these helpers, it's important that businesses understand that there's a shared security responsibility between vendor and customer that will be critical to the success of any agentic AI project."
https://www.darkreading.com/cybersecurity-operations/ai-agent-security-awareness-responsibility - An Arrested Man’s Lawyer Claims His Client Can’t Be ShinyHunters’ Leader. His Argument Wasn’t Persuasive.
"On October 14, the attorney for the man whom France claims to be the head of ShinyHunters held a press conference that included some statements on his client’s case. So far, neither France nor the attorney, Juan Branco, has disclosed the arrested man’s name, so we are not really sure who his client is. All we know is that France claims he is the head of ShinyHunters, and Branco claims he isn’t. The press conference was in French. Thankfully, Valéry Rieß-Marchive of LeMagIT reported on it, so I could check my understanding of what Branco was saying."
https://databreaches.net/2025/10/17/an-arrested-mans-lawyer-claims-his-client-cant-be-shinyhunters-leader-his-argument-wasnt-persuasive/ - A New Approach To Blockchain Spam: Local Reputation Over Global Rules
"Spam has long been a nuisance in blockchain networks, clogging transaction queues and driving up fees. A new research paper from Delft University of Technology introduces a decentralized solution called STARVESPAM that could help nodes in permissionless blockchains block spam without relying on central control or costly fee mechanisms."
https://www.helpnetsecurity.com/2025/10/17/new-approach-blockchain-spam-mitigation/ - Everyone’s Adopting AI, Few Are Managing The Risk
"AI is spreading across enterprise risk functions, but confidence in those systems remains uneven, according to AuditBoard. More than half of organizations report implementing AI-specific tools, and many are training teams in machine learning skills. Yet, few feel prepared for the governance requirements that will come with new AI regulations."
https://www.helpnetsecurity.com/2025/10/17/auditboard-report-enterprise-risk-maturity/ - Teen Tied To Russian Hackers In Dutch Cyber Espionage Probe
"In the Netherlands, three 17-year-olds are suspected of providing services to a foreign power with one said to be in contact with an unnamed Russian-government affiliated hacker group. It was also confirmed that the suspect with links to the Russian hacking group instructed the other two to map Wi-Fi networks in The Hague on multiple occasions. This is according to a statement published by the Netherland’s National Public Prosecution Service on October 17."
https://www.infosecurity-magazine.com/news/teen-russian-hacking-group-ties/ - Security Teams Must Deploy Anti-Infostealer Defenses Now
"Infostealers are driving today’s ransomware wave and stealer logs can be bought for as little as $10 on the dark web. At ISACA Europe 2025, Tony Gee, a principal cybersecurity consultant at 3B Data Security, urged security teams to deploy tactical defenses to protect against infostealers."
https://www.infosecurity-magazine.com/news/deploy-antiinfostealer-defenses/
อ้างอิง
Electronic Transactions Development Agency(ETDA) - Inside Healthcare’s Quiet Cybersecurity Breakdown
-
Capita ถูกปรับ 14 ล้านปอนด์ จากเหตุข้อมูลรั่วไหลกระทบประชาชนกว่า 6.6 ล้านคนโพสต์ใน Cyber Security News
สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand
-
SAP ออกแพตช์แก้ไขช่องโหว่ใน NetWeaverโพสต์ใน Cyber Security News
สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand
-
เตือนภัย! อีเมลปลอมอ้าง “LastPass” และ “Bitwarden” ถูกแฮก หลอกให้ติดตั้งโปรแกรมเพื่อยึดคอมพิวเตอร์โพสต์ใน Cyber Security News
สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand
