Follow the news on the webboard or the NCSA Thailand Facebook page
Post created by NCSA_THAICERT
Hacker leaks configuration data and VPN passwords of more than 15,000 FortiGate devices worldwide
FTC accuses GoDaddy of years-long cybersecurity failures
CISA releases 12 Industrial Control Systems advisories
The Cybersecurity and Infrastructure Security Agency (CISA) published 12 Industrial Control Systems (ICS) advisories on January 16, 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS. They are:
- ICSA-25-016-01 Siemens Mendix LDAP
- ICSA-25-016-02 Siemens Industrial Edge Management
- ICSA-25-016-03 Siemens Siveillance Video Camera
- ICSA-25-016-04 Siemens SIPROTEC 5 Products
- ICSA-25-016-05 Fuji Electric Alpha5 SMART
- ICSA-25-016-06 Hitachi Energy FOX61x, FOXCST, and FOXMAN-UN Products
- ICSA-25-016-07 Hitachi Energy FOX61x Products
- ICSA-25-016-08 Schneider Electric Data Center Expert
- ICSA-24-058-01 Mitsubishi Electric Multiple Factory Automation Products (Update A)
- ICSA-25-010-03 Delta Electronics DRASimuCAD (Update A)
- ICSA-24-191-05 Johnson Controls Inc. Software House C•CURE 9000 (Update A)
- ICSA-24-030-02 Mitsubishi Electric FA Engineering Software Products (Update B)
CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations. Further details at https://www.cisa.gov/news-events/alerts/2025/01/16/cisa-releases-twelve-industrial-control-systems-advisories
Reference
https://www.cisa.gov/news-events/alerts/2025/01/16/cisa-releases-twelve-industrial-control-systems-advisories
CISA adds one known exploited vulnerability to its catalog
CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation:
- CVE-2024-50603 Aviatrix Controllers OS Command Injection Vulnerability
Vulnerabilities of this type are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.
Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.
Although BOD 22-01 applies only to FCEB agencies, users and administrators of self-hosted instances of the affected product remain at risk and are advised to update to the latest version immediately.
Cyber Threat Intelligence 17 January 2025
Healthcare Sector
- 183M Patient Records Exposed: Fortified Health Security Releases 2025 Healthcare Cybersecurity Report
"Fortified Health Security (Fortified), a Best in KLAS managed security services provider (MSSP) specializing in healthcare cybersecurity, today released the 2025 Horizon Report, a semiannual publication on cybersecurity news, trends, guidance and solutions for healthcare organizations. Analyzing data from the Office for Civil Rights (OCR), the Horizon Report has served as a free resource for healthcare professionals since 2017. The 2025 edition includes contributions from experts—including internationally recognized cybersecurity expert Paul Connelly—on solutions for some of the acute cybersecurity issues facing healthcare organizations today."
https://www.darkreading.com/cyberattacks-data-breaches/183m-patient-records-exposed-fortified-health-security-releases-2025-healthcare-cybersecurity-report
https://fortifiedhealthsecurity.com/horizon-reports/
- 2024 US Healthcare Data Breaches: 585 Incidents, 180 Million Compromised User Records
"In 2024, organizations informed the US government about more than 580 healthcare data breaches affecting a total of nearly 180 million user records. SecurityWeek has conducted an analysis of the healthcare breach database maintained by the US Department of Health and Human Services Office for Civil Rights (HHS OCR), which stores information on incidents impacting the protected health information of over 500 individuals. The OCR was informed about 585 incidents between January 1, 2024, and December 31, 2024. Adding up the numbers from each breach suggests that roughly 180 million people are impacted."
https://www.securityweek.com/2024-us-healthcare-data-breaches-585-incidents-180-million-compromised-user-records/
Industrial Sector
- CISA Releases Twelve Industrial Control Systems Advisories
"CISA released twelve Industrial Control Systems (ICS) advisories on January 16, 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS."
https://www.cisa.gov/news-events/alerts/2025/01/16/cisa-releases-twelve-industrial-control-systems-advisories
Vulnerabilities
- W3 Total Cache <= 2.8.1 - Authenticated (Subscriber+) Missing Authorization To Server-Side Request Forgery
"The W3 Total Cache plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the is_w3tc_admin_page function in all versions up to, and including, 2.8.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to obtain the plugin's nonce value and perform unauthorized actions, resulting in information disclosure, service plan limits consumption as well as making web requests to arbitrary locations originating from the web application that can be used to query information from internal services, including instance metadata on cloud-based applications."
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/w3-total-cache/w3-total-cache-281-authenticated-subscriber-missing-authorization-to-server-side-request-forgery
https://www.bleepingcomputer.com/news/security/w3-total-cache-plugin-flaw-exposes-1-million-wordpress-sites-to-attacks/
- Under The Cloak Of UEFI Secure Boot: Introducing CVE-2024-7344
"ESET researchers have discovered a vulnerability that allows bypassing UEFI Secure Boot, affecting the majority of UEFI-based systems. This vulnerability, assigned CVE-2024-7344, was found in a UEFI application signed by Microsoft’s Microsoft Corporation UEFI CA 2011 third-party UEFI certificate. Exploitation of this vulnerability leads to the execution of untrusted code during system boot, enabling potential attackers to easily deploy malicious UEFI bootkits (such as Bootkitty or BlackLotus) even on systems with UEFI Secure Boot enabled, regardless of the installed operating system."
https://www.welivesecurity.com/en/eset-research/under-cloak-uefi-secure-boot-introducing-cve-2024-7344/
https://www.bleepingcomputer.com/news/security/new-uefi-secure-boot-flaw-exposes-systems-to-bootkits-patch-now/
https://thehackernews.com/2025/01/new-uefi-secure-boot-vulnerability.html
https://www.darkreading.com/vulnerabilities-threats/trusted-apps-bug-uefi-boot-process
https://www.bankinfosecurity.com/researchers-spot-serious-uefi-secure-boot-bypass-flaw-a-27306
https://www.helpnetsecurity.com/2025/01/16/uefi-secure-boot-bypass-vulnerability-cve-2024-7344/
- CISA Adds One Known Exploited Vulnerability To Catalog
"CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
CVE-2024-50603 Aviatrix Controllers OS Command Injection Vulnerability"
https://www.cisa.gov/news-events/alerts/2025/01/16/cisa-adds-one-known-exploited-vulnerability-catalog
- If You Think You Blocked NTLMv1 In Your Org, Think Again
"News: Silverfort’s research team discovered a new way for attackers to use NTLMv1 in attacks, despite efforts to disable it. Using a misconfiguration in on-prem applications, attackers can bypass the Group Policy designed to stop NTLMv1 authentications. Why it matters: 64% of Active Directory user accounts regularly authenticate with NTLM, despite its known weaknesses and being deprecated by Microsoft. Many organizations attempted to solve the NTLMv1 problem with an Active Directory Group Policy. However, we discovered that this policy is flawed and allows NTLMv1 authentications to persist, creating a false sense of security and leaving organizations vulnerable. Attackers know NTLMv1 is a weak authentication protocol and actively seek it out as a method to move laterally or escalate privileges."
https://www.silverfort.com/blog/ntlmv1-bypass-in-active-directory-technical-deep-dive/
https://thehackernews.com/2025/01/researchers-find-exploit-allowing.html
- CISA Warns Of Exploited Fortinet Bugs As Microsoft Issues Its Biggest Patch Tuesday In Years
"The federal government and multiple cybersecurity firms warned of a zero-day vulnerability in FortiGate firewalls that hackers are actively exploiting. In a sign of the bug’s severity, the Cybersecurity and Infrastructure Security Agency (CISA) ordered all federal civilian agencies to patch the vulnerability by January 21 — one of the shortest deadlines it has ever issued. Fortinet said in an advisory that the bug is being exploited in the wild but did not say how many customers have been impacted. The company said threat actors attacking organizations with the vulnerability are creating administrative accounts on targeted devices and changing settings related to firewall policies."
https://therecord.media/cisa-warns-fortinet-bugs-microsoft-patch-tuesday
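Hunting for NTLMv1 as the Silverfort item above recommends does not have to depend on the Group Policy setting: Security event 4624 on the host that accepts a logon (a domain controller for authentication against Active Directory) records which NTLM version was actually negotiated, in the "Package Name (NTLM only)" field (LmPackageName in the event XML). The script below is an added example written for this page, not Silverfort's or Microsoft's code. It parses 4624 events in Windows event-log XML form and lists the accounts and source hosts still authenticating with NTLM V1 (or the weaker LM). The events it runs on are constructed for the example.

```python
"""Find NTLMv1 logons in exported 4624 events (added example, not vendor tooling)."""
import xml.etree.ElementTree as ET
from collections import Counter
from typing import Dict, Iterable, List

# Namespace used by Windows event XML (wevtutil export / Get-WinEvent ToXml()).
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def parse_event(xml_text: str) -> Dict[str, str]:
    """Flatten one event's EventData into a dict and add EventID and Computer."""
    root = ET.fromstring(xml_text)
    fields = {d.get("Name", ""): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    fields["EventID"] = root.findtext("e:System/e:EventID", default="", namespaces=NS)
    fields["Computer"] = root.findtext("e:System/e:Computer", default="", namespaces=NS)
    return fields


def find_ntlmv1_logons(events: Iterable[str]) -> List[Dict[str, str]]:
    """Return the 4624 events whose negotiated package was NTLM V1 (or LM)."""
    hits: List[Dict[str, str]] = []
    for xml_text in events:
        ev = parse_event(xml_text)
        if ev["EventID"] != "4624" or ev.get("AuthenticationPackageName") != "NTLM":
            continue
        # LmPackageName is "-" for Kerberos and "NTLM V2" for NTLMv2; only V1 and LM matter here.
        if ev.get("LmPackageName", "").upper() not in ("NTLM V1", "LM"):
            continue
        hits.append({k: ev.get(k, "") for k in
                     ("Computer", "TargetDomainName", "TargetUserName", "WorkstationName",
                      "IpAddress", "LogonType", "LmPackageName")})
    return hits


def summarize(hits: List[Dict[str, str]]) -> Counter:
    """Count NTLMv1 logons per (account, source IP) so the noisiest legacy clients surface first."""
    return Counter((f"{h['TargetDomainName']}\\{h['TargetUserName']}", h["IpAddress"]) for h in hits)


def _event(event_id: int, user: str, pkg: str, lm_pkg: str, ws: str, ip: str) -> str:
    """Build a constructed 4624-style event in Windows event XML form (sample data only)."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>{event_id}</EventID><Computer>DC01.corp.example</Computer></System>
  <EventData>
    <Data Name="TargetUserName">{user}</Data>
    <Data Name="TargetDomainName">CORP</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="AuthenticationPackageName">{pkg}</Data>
    <Data Name="LmPackageName">{lm_pkg}</Data>
    <Data Name="WorkstationName">{ws}</Data>
    <Data Name="IpAddress">{ip}</Data>
  </EventData>
</Event>"""


# Constructed sample: a Kerberos logon, an NTLMv2 logon, and two NTLMv1 logons
# from a legacy application server that the GPO alone would not have revealed.
SAMPLE_EVENTS = [
    _event(4624, "alice", "Kerberos", "-", "WS-ALICE", "10.10.1.5"),
    _event(4624, "bob", "NTLM", "NTLM V2", "WS-BOB", "10.10.1.6"),
    _event(4624, "svc_legacy", "NTLM", "NTLM V1", "APP-LEGACY01", "10.10.20.15"),
    _event(4624, "svc_legacy", "NTLM", "NTLM V1", "APP-LEGACY01", "10.10.20.15"),
]

if __name__ == "__main__":
    for (account, ip), n in summarize(find_ntlmv1_logons(SAMPLE_EVENTS)).most_common():
        print(f"{account} from {ip}: {n} NTLMv1 logon(s)")
```

Feed it the XML of exported 4624 events from every domain controller, not a single one: the negotiated package is recorded where the logon lands, so a partial export understates how much NTLMv1 is still in use.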
Malware
- DigitalPulse Proxyware Being Distributed Through Ad Pages
"AhnLab SEcurity intelligence Center (ASEC) has recently confirmed that proxyware is being installed through advertisement pages of freeware software sites. The proxyware that is ultimately installed is signed with a Netlink Connect certificate, but according to the AhnLab analysis, it is identical to the DigitalPulse proxyware that was abused in past Proxyjacking attack campaigns. While installing legitimate programs, users may install a disguised program called AutoClicker through ad pages and ultimately have their network bandwidth involuntarily hijacked by the installed proxyware."
https://asec.ahnlab.com/en/85798/
- RansomHub Affiliate Leverages Python-Based Backdoor
"In an incident response in Q4 of 2024, GuidePoint Security identified evidence of a threat actor utilizing a Python-based backdoor to maintain access to compromised endpoints. The threat actor later leveraged this access to deploy RansomHub encryptors throughout the entire impacted network. ReliaQuest documented an earlier version of this malware on their website in February 2024."
https://www.guidepointsecurity.com/blog/ransomhub-affiliate-leverage-python-based-backdoor/
https://thehackernews.com/2025/01/python-based-malware-powers-ransomhub.html
- Cyber Threats Amid Disaster: California Fires Spark New Phishing Scams
"As California grapples with devastating wildfires, communities rally to protect lives and property. Unfortunately, these disasters also serve as fertile ground for cybercriminals seeking to exploit chaos and uncertainty. The Veriti Research team has identified alarming trends in phishing scams linked to the ongoing disaster, highlighting the need for heightened cybersecurity awareness during these vulnerable times."
https://veriti.ai/blog/california-fires-spark-new-phishing-scams/
https://hackread.com/scammers-exploit-california-wildfires-fire-relief-services/
- Threat Bulletin: Weaponized Software Targets Chinese-Speaking Organizations
"Our research team has identified a series of attacks targeting organizations in Chinese-speaking regions like Hong Kong, Taiwan, and China itself. These attacks utilize a multi-stage loader—that we named PNGPlug—to deliver the ValleyRAT payload. A similar attack chain is documented in this report, which sheds light on the infection vector and the method of delivering the malicious files. According to the report, the attack begins with a phishing webpage designed to encourage victims to download a malicious MSI (Microsoft Installer) package disguised as legitimate software."
https://intezer.com/blog/malware-analysis/weaponized-software-targets-chinese/
- New Star Blizzard Spear-Phishing Campaign Targets WhatsApp Accounts
"In mid-November 2024, Microsoft Threat Intelligence observed the Russian threat actor we track as Star Blizzard sending their typical targets spear-phishing messages, this time offering the supposed opportunity to join a WhatsApp group. This is the first time we have identified a shift in Star Blizzard’s longstanding tactics, techniques, and procedures (TTPs) to leverage a new access vector. Star Blizzard’s targets are most commonly related to government or diplomacy (both incumbent and former position holders), defense policy or international relations researchers whose work touches on Russia, and sources of assistance to Ukraine related to the war with Russia."
https://www.microsoft.com/en-us/security/blog/2025/01/16/new-star-blizzard-spear-phishing-campaign-targets-whatsapp-accounts/
https://thehackernews.com/2025/01/russian-star-blizzard-shifts-tactics-to.html
https://cyberscoop.com/star-blizzard-fsb-whatsapp-microsoft-threat-intel/
https://www.securityweek.com/russian-cyberspies-caught-spear-phishing-with-qr-codes-whatsapp-groups/
https://www.theregister.com/2025/01/16/russia_star_blizzard_whatsapp/
Breaches/Hacks/Leaks
- Wolf Haldenstein Law Firm Says 3.5 Million Impacted By Data Breach
"Wolf Haldenstein Adler Freeman & Herz LLP ("Wolf Haldenstein") reports it has suffered a data breach that exposed the personal information of nearly 3.5 million individuals to hackers. The incident took place on December 13, 2023, but the firm says data analysis and digital forensic complications severely delayed the completion of its investigation. Last Friday, Wolf Haldenstein published a data breach notice on its website, while an entry on Maine AG's data breach portal sets the total number of persons affected by it to 3,445,537."
https://www.bleepingcomputer.com/news/security/wolf-haldenstein-law-firm-says-35-million-impacted-by-data-breach/
https://securityaffairs.com/173150/data-breach/us-law-firm-wolf-haldenstein-data-breach.html
https://www.bankinfosecurity.com/law-office-wolf-haldenstein-says-hack-affected-34-million-a-27314
- Clop Ransomware Exploits Cleo File Transfer Flaw: Dozens Of Claims, Disputed Breaches
"The Clop ransomware group added 59 new companies to its leak site, the gang claims to have breached them by exploiting a vulnerability in Cleo file transfer products. “We have data of many companies who use cleo. Our teams are reaching and calling your company and provide your special secret chat. If you are not sure if we have your data. emails us here” reads the Cl0p announcement published on its Tor leak site."
https://securityaffairs.com/173135/cyber-crime/clop-ransomware-gang-claims-hack-of-cleo-file-transfer-customers.html
- Infoseccer: Private Security Biz Let Guard Down, Exposed 120K+ Files
"A London-based private security company allegedly left more than 120,000 files available online via an unsecured server, an infoseccer told The Register. The independent security researcher claimed they had found 124,035 exposed files back in October, totalling 46.48 GB in size and containing details such as PII, payroll data, job application forms, TrustID validated documents, Security Industry Authority (SIA) cards, and more."
https://www.theregister.com/2025/01/16/private_security_biz_lets_guard/
General News
- NoName057 Interview «We Can Access Any System In The World.»
"NoName057 is a pro-Russian hacktivist group active since March 2022, known for carrying out distributed denial-of-service (DDoS) attacks against countries that support Ukraine, especially NATO members. Rafa López, CTO of Miólnir and a member of FIRST, has established contact with the group NoName057 and conducted an interview to gain insight into the motivations behind their actions. This is a unique and exclusive interview, unprecedented in the sector, as no professional has previously managed to interview a threat actor as significant as NoName057."
https://miolnir.es/noname057-interview/
- How CISOs Can Elevate Cybersecurity In Boardroom Discussions
"Ross Young is the CISO in residence at Team8 and the creator of the OWASP Threat and Safeguard Matrix (TaSM). In this interview, he shares his perspective on how cybersecurity professionals can tailor their presentations to the board, aligning security strategies with business priorities. He also discusses common misconceptions that boards have about cybersecurity and offers practical advice on building lasting relationships with executives to ensure cybersecurity stays front and center in ongoing business discussions."
https://www.helpnetsecurity.com/2025/01/16/ross-young-team8-cybersecurity-boardroom-discussions/
- A Humble Proposal: The InfoSec CIA Triad Should Be Expanded
"The inconsistent and incomplete definitions of essential properties in information security create confusion within the InfoSec community, gaps in security controls, and may elevate the costs of incidents. In this article, I will analyze the CIA triad, point out its deficiencies, and propose to standardize the terminology involved and expand it by introducing two additional elements."
https://www.helpnetsecurity.com/2025/01/16/infosec-cia-triad/
- Critical Vulnerabilities Remain Unresolved Due To Prioritization Gaps
"Fragmented data from multiple scanners, siloed risk scoring and poor cross-team collaboration are leaving organizations increasingly exposed to breaches, compliance failures and costly penalties, according to Swimlane. The relentless surge of vulnerabilities is pushing security teams to their limits, forcing them to manage overwhelming volumes of risk with tools and processes that are no longer adequate."
https://www.helpnetsecurity.com/2025/01/16/vulnerability-management-complexity/
- CISA And Partners Release Call To Action To Close The National Software Understanding Gap
"Today, CISA—in partnership with the Defense Advanced Research Projects Agency (DARPA), the Office of the Under Secretary of Defense for Research and Engineering (OUSD R&E), and the National Security Agency (NSA)—published Closing the Software Understanding Gap. This report urgently implores the U.S. government to take decisive and coordinated action."
https://www.cisa.gov/news-events/alerts/2025/01/16/cisa-and-partners-release-call-action-close-national-software-understanding-gap
https://www.cisa.gov/resources-tools/resources/closing-software-understanding-gap
- Treasury Targets IT Worker Network Generating Revenue For DPRK Weapons Programs
"Today, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) is sanctioning two individuals and four entities for generating illicit revenue for the Democratic People’s Republic of Korea (DPRK) government. The DPRK dispatches thousands of highly skilled information technology (IT) workers around the world with orders to generate revenue for the DPRK government to circumvent U.S. and United Nations (UN) sanctions. These IT workers obfuscate their identities and locations to fraudulently obtain freelance employment contracts from clients around the world for IT projects, such as software and mobile application development."
https://home.treasury.gov/news/press-releases/jy2790
https://www.bleepingcomputer.com/news/security/us-cracks-down-on-north-korean-it-worker-army-with-more-sanctions/
https://therecord.media/us-issues-sanctions-laos-china-north-korean-worker-scheme
https://www.bankinfosecurity.com/us-sanctions-north-korean-remote-worker-front-companies-a-27310
https://cyberscoop.com/treasury-sanctions-north-korea-over-remote-it-worker-schemes/
- FunkSec: The Rising Yet Controversial Ransomware Threat Actor Dominating December 2024
"As 2024 ended, a new name surged to the top of the cyber threat charts: FunkSec. Emerging as a leading ransomware-as-a-service (RaaS) actor, FunkSec made waves in December by publishing over 85 victim profiles on its Data Leak Site (DLS). However, beneath its apparent dominance lies a more complex and controversial story, as uncovered in Check Point Research’s (CPR) Global Threat Index for December 2024."
https://blog.checkpoint.com/research/funksec-the-rising-yet-controversial-ransomware-threat-actor-dominating-december-2024/
- Strategic Approaches To Threat Detection, Investigation & Response
"The digital era has revolutionized how businesses operate, bringing unprecedented opportunities and challenges. Among the most pressing challenges are the ever-growing and sophisticated cyber threats. From crippling ransomware attacks to insidious phishing campaigns, organizations face a mounting need to defend their digital assets effectively."
https://www.darkreading.com/vulnerabilities-threats/strategic-approaches-threat-detection-investigation-response
- Risk, Reputational Scores Enjoy Mixed Success As Security Tools
"As companies seek to improve their cybersecurity postures, they are increasingly using a variety of metrics, scoring systems, and reputational rankings to measure their efforts. But in many cases, businesses are asking too much of the various systems that attempt to measure security. The old saw says that you need to measure something to manage it, but many systems that have flourished — from the Common Vulnerability Scoring System (CVSS) to organizational security posture scoring and ratings for software development projects — are sometimes only successful at expressing measurable risk."
https://www.darkreading.com/cyber-risk/risk-reputational-scoring-services-enjoy-mixed-success
- The Reality Of Deception: Real Estate Scams Uncovered In The Middle East
"Real estate scams are growing in popularity due to the trust people place in online listings and the urgency often involved in securing a home. With the expansion of digital platforms for property searches, users are overlooking essential verification steps in their rush to close a deal, making them easy targets. Scammers usually target specific groups like expatriates or people relocating to new cities, as they tend to be less familiar with local practices and may skip critical background checks. The ease of online transactions, the anonymity provided by messaging apps, and the quick transfer of funds make it easier for fraudsters to exploit their victims."
https://www.group-ib.com/blog/the-reality-of-deception-real-estate-scams/
https://www.infosecurity-magazine.com/news/middle-east-real-estate-fraud-grows/
- HP Wolf Security Threat Insights Report: January 2025
"Welcome to the January 2025 edition of the HP Wolf Security Threat Insights Report. In the report, we review notable malware campaigns, trends and techniques identified from HP Wolf Security’s customer telemetry in calendar Q3 2024."
https://threatresearch.ext.hp.com/hp-wolf-security-threat-insights-report-january-2025/
https://threatresearch.ext.hp.com/wp-content/uploads/2025/01/HP_Wolf_Security_Threat_Insights_Report_January_2025.pdf
https://thehackernews.com/2025/01/hackers-hide-malware-in-images-to.html
https://www.infosecurity-magazine.com/news/hackers-image-malware-genai-evade/
- Cyber Insights 2025: Identities
"Strictly speaking, the identity is the entity, while credentials are proof of the identity. In practice, there is little distinction between the two terms and their use, and we will use them indiscriminately in our discussion here. The foundational purpose of security is to ensure that only authorized and authenticated identities should access computers, their functions and their data. It is not a stretch to suggest that secure computing is based on secure identities, and that failure to secure identities is the root cause of most computer compromise."
https://www.securityweek.com/cyber-insights-2025-identities/
- Cybersecurity And AI: What Does 2025 Have In Store?
"AI has supercharged the cybersecurity arms race over the past year. And the coming 12 months will provide no respite. This has major implications for corporate cybersecurity teams and their employers, as well as everyday web users. While AI technology helps defenders to improve security, malicious actors are wasting no time in tapping into AI-powered tools, so we can expect an uptick in scams, social engineering, account fraud, disinformation and other threats. Here’s what you can expect from 2025."
https://www.welivesecurity.com/en/cybersecurity/cybersecurity-ai-what-2025-have-store/
Reference
Electronic Transactions Development Agency (ETDA)
Critical vulnerability in FortiOS and FortiProxy
The Cyber Security Agency of Singapore (CSA) has published an alert that Fortinet has released security updates to address a critical authentication bypass vulnerability, CVE-2024-55591, affecting FortiOS and FortiProxy products. The vulnerability is reported to be actively exploited in the wild.
Successful exploitation allows a remote attacker to gain super-admin privileges by sending crafted requests to the Node.js websocket module.
- Indicators of Compromise (IOCs)
Fortinet has provided log entries and IP addresses that may be related IOCs. Administrators should check system logs for signs of these IOCs, such as unauthorized admin accounts, unrecognized configuration changes, or suspicious SSL VPN connections.
Log Entries:
- type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" sn="1733486785" user="admin" ui="jsconsole" method="jsconsole" srcip=1.1.1.1 dstip=1.1.1.1 action="login" status="success" reason="none" profile="super_admin" msg="Administrator admin logged in successfully from jsconsole"
- type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="admin" ui="jsconsole(127.0.0.1)" action="Add" cfgtid=1411317760 cfgpath="system.admin" cfgobj="vOcep" cfgattr="password[*]accprofile[super_admin]vdom[root]" msg="Add system.admin vOcep"
Note: Fortinet has stated that the sn and cfgtid values are not relevant to this attack.
IP Addresses:
- 45.55.158.47 (most common)
- 87.249.138.47
- 155.133.4.175
- 37.19.196.65
- 149.22.94.37
This vulnerability affects the following products:
- FortiOS versions 7.0.0 through 7.0.16
- FortiProxy versions 7.0.0 through 7.0.19
- FortiProxy versions 7.2.0 through 7.2.12
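The following Python script is an added example written for this page, not Fortinet's or CSA's own tooling. It parses FortiOS event-log lines in the key=value format shown above, flags the two log patterns and the source addresses Fortinet published as IOCs, and checks a product/version string against the affected ranges listed in this advisory. The sample log lines are constructed for the example: the first two reproduce the advisory's entries, the other two are invented (a normal HTTPS admin login and an SSL VPN failure from a published IOC address); the version ranges are taken from the advisory.

```python
"""Triage helper for the CVE-2024-55591 IOCs (added example, not vendor tooling)."""
import re
from typing import Dict, List, Tuple

# Source addresses Fortinet published as IOCs (copied from the advisory above).
IOC_IPS = {"45.55.158.47", "87.249.138.47", "155.133.4.175", "37.19.196.65", "149.22.94.37"}

# Affected ranges from the advisory, (lowest, highest) inclusive, per product.
AFFECTED: Dict[str, List[Tuple[Tuple[int, ...], Tuple[int, ...]]]] = {
    "FortiOS": [((7, 0, 0), (7, 0, 16))],
    "FortiProxy": [((7, 0, 0), (7, 0, 19)), ((7, 2, 0), (7, 2, 12))],
}

# key=value or key="value with spaces" pairs, as written by FortiOS event logs.
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_log(line: str) -> Dict[str, str]:
    """Parse one FortiOS log line into a dict; quoted values keep their spaces."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _KV_RE.finditer(line)}


def classify(ev: Dict[str, str]) -> List[str]:
    """Return the IOC names matched by one parsed event (empty list = nothing seen)."""
    hits: List[str] = []
    ui = ev.get("ui", "")
    # IOC 1: an admin login whose user interface is "jsconsole". Legitimate jsconsole
    # logins are rare enough that every one deserves review.
    if ev.get("logdesc") == "Admin login successful" and ui.startswith("jsconsole"):
        hits.append("admin-login-via-jsconsole")
    # Any configuration change made through jsconsole is worth a look as well.
    if ev.get("logdesc") == "Object attribute configured" and ui.startswith("jsconsole"):
        hits.append("config-change-via-jsconsole")
    # IOC 2: creation of a new system.admin object carrying the super_admin profile.
    if (ev.get("cfgpath") == "system.admin" and ev.get("action") == "Add"
            and "accprofile[super_admin]" in ev.get("cfgattr", "")):
        hits.append("super_admin-account-created:" + ev.get("cfgobj", "?"))
    # IOC 3: any event sourced from one of the published addresses.
    if ev.get("srcip") in IOC_IPS:
        hits.append("ioc-source-ip:" + ev["srcip"])
    return hits


def scan(lines: List[str]) -> List[List[str]]:
    """Classify every line; result[i] lists the IOCs matched by lines[i]."""
    return [classify(parse_log(line)) for line in lines]


def is_affected(product: str, version: str) -> bool:
    """True if product/version falls inside an affected range from the advisory."""
    ver = tuple(int(x) for x in version.split("."))
    return any(lo <= ver <= hi for lo, hi in AFFECTED.get(product, []))


# Constructed sample: lines 1-2 reproduce the advisory's entries; 3 is a normal
# HTTPS admin login; 4 is an SSL VPN failure from a published IOC address.
SAMPLE_LOGS = [
    'type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" '
    'sn="1733486785" user="admin" ui="jsconsole" method="jsconsole" srcip=1.1.1.1 dstip=1.1.1.1 '
    'action="login" status="success" reason="none" profile="super_admin" '
    'msg="Administrator admin logged in successfully from jsconsole"',
    'type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" '
    'user="admin" ui="jsconsole(127.0.0.1)" action="Add" cfgtid=1411317760 cfgpath="system.admin" '
    'cfgobj="vOcep" cfgattr="password[*]accprofile[super_admin]vdom[root]" msg="Add system.admin vOcep"',
    'type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" '
    'user="admin" ui="https(203.0.113.10)" method="https" srcip=203.0.113.10 dstip=192.0.2.1 '
    'action="login" status="success" reason="none" profile="super_admin" '
    'msg="Administrator admin logged in successfully from https(203.0.113.10)"',
    'type="event" subtype="vpn" level="information" vd="root" logdesc="SSL VPN login fail" '
    'user="test" srcip=45.55.158.47 action="ssl-login-fail" msg="SSL user failed to logged in"',
]

if __name__ == "__main__":
    for n, hits in enumerate(scan(SAMPLE_LOGS), 1):
        print(f"line {n}: {hits or 'no IOC matched'}")
    for prod, ver in [("FortiOS", "7.0.16"), ("FortiOS", "7.0.17"), ("FortiProxy", "7.2.12")]:
        print(f"{prod} {ver}: {'AFFECTED' if is_affected(prod, ver) else 'not in affected range'}")
```

Match on the jsconsole user interface and on the admin-object creation rather than on sn or cfgtid, which Fortinet says are not meaningful for this attack; the admin user names created by the attackers vary, so the check keys on the accprofile[super_admin] attribute instead of a fixed name.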
Users and administrators of affected product versions should update to the latest version immediately. If an update cannot be applied right away, the following mitigations are recommended:
- Disable the HTTP/HTTPS administrative interface to reduce exposure to attack
- Restrict access via local-in policies so that only administrator connections from trusted IP addresses are allowed
Reference
https://www.csa.gov.sg/alerts-advisories/alerts/2025/al-2025-004
Cyber Threat Intelligence 16 January 2025
Industrial Sector
- ICS Patch Tuesday: Security Advisories Published By Schneider, Siemens, Phoenix Contact, CISA
"Schneider Electric, Siemens, Phoenix Contact and CISA have released ICS product security advisories on the January 2025 Patch Tuesday. Schneider Electric published nine new advisories this month. Six of them describe high-severity vulnerabilities affecting PowerLogic HDPM6000 High-Density Metering System (privilege escalation), RemoteConnect and SCADAPack x70 utilities (potential remote code execution), Modicon M340 and BMXNO communication modules (information disclosure and DoS), Web Designer for Modicon communication modules (information disclosure and remote code execution), and Pro-face GP-Pro EX and Remote HMI (information exposure and operational failures)."
https://www.securityweek.com/ics-patch-tuesday-security-advisories-published-by-schneider-siemens-phoenix-contact-cisa/
New Tooling
- Contextal Platform: Open-Source Threat Detection And Intelligence
"Contextal Platform is an open-source cybersecurity solution for contextual threat detection and intelligence. Developed by the original authors of ClamAV, it offers advanced features such as contextual threat analysis, custom detection scenarios through the ContexQL language, and AI-powered data processing—all operating locally to ensure data privacy."
https://www.helpnetsecurity.com/2025/01/15/contextal-platform-open-source-threat-detection/
https://github.com/contextal/platform
Vulnerabilities
- Ivanti Releases Security Updates For Multiple Products
"Ivanti released security updates to address vulnerabilities in Ivanti Avalanche, Ivanti Application Control Engine, and Ivanti EPM."
https://www.cisa.gov/news-events/alerts/2025/01/14/ivanti-releases-security-updates-multiple-products
https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Avalanche-6-4-7-Multiple-CVEs
https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Application-Control-Engine-CVE-2024-10630
https://forums.ivanti.com/s/article/Security-Advisory-EPM-January-2025-for-EPM-2024-and-EPM-2022-SU6
https://www.securityweek.com/ivanti-patches-critical-vulnerabilities-in-endpoint-manager-2/
- Critical Vulnerabilities In SimpleHelp Remote Support Software
"2024 was bookended by notable zero-day vulnerabilities affecting popular remote support/access software: CVE-2024-1708 and CVE-2024-1709 affecting ConnectWise ScreenConnect and CVE-2024-12356 and CVE-2024-12686 affecting BeyondTrust products. These vulnerabilities were exploited in the wild and are on CISA’s list of Known Exploited Vulnerabilities. We were curious to see what other remote support software was out there and came across a tool called SimpleHelp. While we hadn’t heard of it before, we found it being used by a number of our users, and it has a decent presence on the Internet."
https://www.horizon3.ai/attack-research/disclosures/critical-vulnerabilities-in-simplehelp-remote-support-software/
https://thehackernews.com/2025/01/critical-simplehelp-flaws-allow-file.html
- Chrome 132 Patches 16 Vulnerabilities
"Google on Tuesday announced the release of Chrome 132 to the stable channel with 16 security fixes, including 13 that resolve vulnerabilities reported by external researchers. Of the externally reported flaws, five are high-severity bugs affecting browser components such as the V8 JavaScript engine, Navigation, the open source 2D graphics library Skia, Metrics, and Tracing."
https://www.securityweek.com/chrome-132-patches-16-vulnerabilities/
- Nvidia, Zoom, Zyxel Patch High-Severity Vulnerabilities
"Nvidia, Zoom, and Zyxel this week announced fixes for multiple high-severity vulnerabilities in their products, urging users to update devices as soon as possible. Nvidia released patches for three security defects in Container Toolkit and GPU Operator for Linux, including two high-severity improper isolation bugs that could be exploited using crafted container images. The first issue, tracked as CVE-2024-0135, could lead to the modification of a host binary, while the second, tracked as CVE-2024-0136, could lead to untrusted code gaining read and write access to host devices."
https://www.securityweek.com/nvidia-zoom-zyxel-patch-high-severity-vulnerabilities/
- Over 660,000 Rsync Servers Exposed To Code Execution Attacks
"Over 660,000 exposed Rsync servers are potentially vulnerable to six new vulnerabilities, including a critical-severity heap-buffer overflow flaw that allows remote code execution on servers. Rsync is an open-source file synchronization and data transferring tool valued for its ability to perform incremental transfers, reducing data transfer times and bandwidth usage. It supports local file systems transfers, remote transfers over secure protocols like SSH, and direct file syncing via its own daemon."
https://www.bleepingcomputer.com/news/security/over-660-000-rsync-servers-exposed-to-code-execution-attacks/
https://kb.cert.org/vuls/id/952657
https://www.openwall.com/lists/oss-security/2025/01/14/3
https://thehackernews.com/2025/01/google-cloud-researchers-uncover-flaws.html
https://www.helpnetsecurity.com/2025/01/15/rsync-vulnerabilities-allow-remote-code-execution-on-servers-patch-quickly/
- Slew Of WavLink Vulnerabilities
"Forty-four vulnerabilities and sixty-three CVEs were discovered across ten .cgi and three .sh files, as well as the static login page, of the Wavlink AC3000 wireless router web application. The Wavlink AC3000 wireless router is one of the most popular gigabit routers in the US, in part due to both its potential speed capabilities and low price point. Talos is releasing these advisories in accordance with Cisco’s third-party vulnerability disclosure policy. Wavlink has declined to release a patch for these vulnerabilities."
https://blog.talosintelligence.com/slew-of-wavlink-vulnerabilities/
- New Tunneling Protocol Vulnerabilities
"New vulnerabilities in multiple tunneling protocols allow attackers to hijack affected internet hosts to perform anonymous attacks and gain unauthorized network access. A large-scale internet scan has identified 4.2 million open tunneling hosts, measuring the extent of these new vulnerabilities, along with that of a previously-known flaw in a related tunneling protocol, for the first time. Top10VPN has again collaborated with leading security researcher Mathy Vanhoef to share this discovery ahead of its presentation at the USENIX 2025 conference in Seattle."
https://www.top10vpn.com/research/tunneling-protocol-vulnerability/
https://papers.mathyvanhoef.com/usenix2025-tunnels.pdf
https://github.com/vanhoefm/tunneltester
Malware
- Investigating A Web Shell Intrusion With Trend Micro Managed XDR
"This incident response by Trend Micro Managed XDR was triggered by Trend Vision One after our endpoint sensors detected a suspicious binary being executed by the IIS Worker process (w3wp.exe). This behavior is indicative of potential exploitation of the web server, possibly involving unauthorized activities or a compromised environment. Our investigation revealed that the attackers used a reverse TCP shell to establish command-and-control, as discovered by further filters triggered by the IIS Worker Process Spawning Suspicious PowerShell Command model. After containing the threat, Managed XDR conducted an investigation that uncovered multiple payloads downloaded in the directory C:\Users\Public, which we will discuss in this blog entry."
https://www.trendmicro.com/en_us/research/25/a/investigating-a-web-shell-intrusion-with-trend-micro--managed-xd.html
- The Great Google Ads Heist: Criminals Ransack Advertiser Accounts Via Fake Google Ads
"Online criminals are targeting individuals and businesses that advertise via Google Ads by phishing them for their credentials — ironically — via fraudulent Google ads. The scheme consists of stealing as many advertiser accounts as possible by impersonating Google Ads and redirecting victims to fake login pages. We believe their goal is to resell those accounts on blackhat forums, while also keeping some to themselves to perpetuate these campaigns."
https://www.malwarebytes.com/blog/news/2025/01/the-great-google-ads-heist-criminals-ransack-advertiser-accounts-via-fake-google-ads
https://www.bleepingcomputer.com/news/security/hackers-use-google-search-ads-to-steal-google-ads-accounts/
https://www.darkreading.com/vulnerabilities-threats/attackers-hijack-google-advertiser-accounts-malware
https://thehackernews.com/2025/01/google-ads-users-targeted-in.html
- One Mikro Typo: How a Simple DNS Misconfiguration Enables Malware Delivery By a Russian Botnet
"Not too long ago Infoblox Threat Intel discovered a botnet delivering malware via spam campaigns using spoofed sender domains. This is different from the email spoofing that we recently reported on Muddling Malspam: The Use of Spoofed Domains in Malicious Spam, in that these take advantage of misconfigured DNS records to pass email protection techniques. Botnets, which are built out of actor-controlled compromised devices, are extremely difficult to disrupt and represent a persistent threat in the cyber landscape. This botnet uses a global network of Mikrotik routers to send malicious emails that are designed to appear to come from legitimate domains. The spam we observed delivered trojan malware, but the botnet is likely used for a wide range of malicious activities. We continue to track this botnet via DNS."
https://blogs.infoblox.com/threat-intelligence/one-mikro-typo-how-a-simple-dns-misconfiguration-enables-malware-delivery-by-a-russian-botnet/
https://www.bleepingcomputer.com/news/security/mikrotik-botnet-uses-misconfigured-spf-dns-records-to-spread-malware/
- Operation 99: North Korea’s Cyber Assault On Software Developers
"On January 9, the SecurityScorecard STRIKE team uncovered Operation 99, a cyberattack by the Lazarus Group, North Korea’s state-sponsored hacking unit. This campaign targets software developers looking for freelance Web3 and cryptocurrency work. If you thought fake job offers from the group’s Operation Dream Job campaign were bad, this latest move is a masterclass in deception, sophistication, and malicious intent. Here’s why Operation 99 demands your attention."
https://securityscorecard.com/blog/operation-99-north-koreas-cyber-assault-on-software-developers/
https://securityscorecard.com/wp-content/uploads/2025/01/Report_011325_Strike_Operation99.pdf
https://thehackernews.com/2025/01/lazarus-group-targets-web3-developers.html
https://www.darkreading.com/threat-intelligence/north-korea-lazarus-apt-developer-recruitment-attacks
- Inside a 90-Minute Attack: Breaking Ground With All-New AI Defeating Black Basta Tactics
"Have you ever had your lunch interrupted by a sudden barrage of security alerts? That’s exactly what happened to one of our clients when a frantic call from their Security Operations Center revealed a flood of suspicious emails. The culprit? A brand-new cyberattack mimicking the notorious Black Basta group’s latest technique—and it hit with lightning speed."
https://slashnext.com/blog/inside-90-minute-attack-breaking-ground-with-all-new-ai-defeating-black-basta-tactics/
https://hackread.com/black-basta-cyberattack-hits-inboxes-with-1165-emails/
- NICKEL TAPESTRY Infrastructure Associated With Crowdfunding Scheme
"Secureworks Counter Threat Unit (CTU) researchers are investigating network infrastructure links between North Korean IT worker schemes and a 2016 crowdfunding scam. The CTU research team attributes the IT worker schemes to the NICKEL TAPESTRY threat group. In September 2018, the U.S. Department of Treasury's Office of Foreign Asset Control (OFAC) designated two information technology companies as violating sanctions, including operating as front companies to facilitate employment of North Korean IT workers and channeling illicit revenue to North Korea (officially the Democratic People's Republic of Korea (DPRK)) from overseas IT workers."
https://www.secureworks.com/blog/nickel-tapestry-infrastructure-associated-with-crowdfunding-scheme
https://thehackernews.com/2025/01/north-korean-it-worker-fraud-linked-to.html
https://www.infosecurity-magazine.com/news/north-korean-links-fraudulent/
- Suspected Ukrainian Hackers Impersonating Russian Ministries To Spy On Industry
"A suspected Ukraine-linked hacker group is targeting Russian scientific and industrial enterprises in a new cyber-espionage campaign, researchers have found. Russian cybersecurity firm F.A.C.C.T. intercepted fraudulent emails purportedly from Russia's Ministry of Industry and Trade. These emails, described in a report released Wednesday by the firm, instructed local defense industry companies to place orders with correctional facilities and suggested collaborating with prisoners who have a mechanical and engineering background."
https://therecord.media/suspected-ukraine-hackers-russian-phishing
- Russian Espionage And Financial Theft Campaigns Have Ramped Up, Ukraine Cyber Agency Says
"Threat actors are using increasingly sophisticated attack methods to target Ukrainian systems and exploit legitimate services, making it harder to prevent malicious activity, one of Ukraine’s top cyber agencies said on Tuesday. Most of the cyberattacks targeting Ukraine over the past year were for espionage, financial theft, or to inflict psychological damage, researchers at Ukraine’s State Service for Special Communications and Information Protection found. The majority of these campaigns were attributed to three Russia-linked hacker groups, tracked as UAC-0010, UAC-0006, and UAC-0050."
https://therecord.media/russian-espionage-financial-theft-campaign
Breaches/Hacks/Leaks
- Label Giant Avery Says Website Hacked To Steal Credit Cards
"Avery Products Corporation is warning it suffered a data breach after its website was hacked to steal customers' credit cards and personal information. Avery is an American company that produces and sells self-adhesive labels, apparel branding elements, and printing services. In a data breach notification sent to impacted customers, Avery discovered they were attacked on December 9, 2024. Following an internal investigation by digital forensic experts, it was discovered that threat actors had planted a card skimmer on 'avery.com,' the company's online shop domain, on July 18, 2024."
https://www.bleepingcomputer.com/news/security/label-giant-avery-says-website-hacked-to-steal-credit-cards/
- University Of Oklahoma Isolates Systems After ‘Unusual Activity’ On IT Network
"The University of Oklahoma said it is taking steps to address unusual cyber activity it discovered on its network. The school, which has more than 34,000 students, appeared on the leak site of a ransomware gang on Tuesday, with the group claiming to have stolen 91 GB of data that allegedly includes employee data, financial information and more. “The University recently identified unusual activity on our IT network. Upon discovery, we isolated certain systems and are investigating the matter,” a spokesperson told Recorded Future News. “As part of this ongoing process, measures are being implemented across our network.”"
https://therecord.media/university-of-oklahoma-isolates-systems-unusual-activity
- Unknown Group Releases Fortinet Config Files And VPN Passwords To The Darknet
"VPN access data and complete configuration files of thousands of Fortinet appliances have surfaced on the darknet, where a previously unknown attacker group is giving them away. The data is apparently not related to recently published vulnerabilities in the FortiOS appliance operating system. heise security had a first look at the data. Usually, you'll get only small gifts in darknet forums: To prove their quality, underground traders will give out samples of their goods for free – a procedure that may have been copied from the legal data trading industry. But complete leaks of thousands of configuration and password files are not commonplace. A new entity called the 'Belsen Group' has now given away over 15,000 data records that were apparently extracted from Fortinet firewalls via a security vulnerability."
https://www.heise.de/en/news/Unknown-group-releases-Fortinet-config-files-and-VPN-passwords-to-the-darknet-10244238.html
https://securityaffairs.com/173111/cyber-crime/fortinet-fortigate-devices-data-leak.html
General News
- As Tensions Mount With China, Taiwan Sees Surge In Cyberattacks
"Using phishing emails and zero-day exploits, China's cyber-operations groups targeted Taiwanese organizations — including government agencies, telecommunications firms, and transportation — with significantly higher volumes of attacks in 2024. On average, Taiwan saw more than 2.4 million attack attempts per day, double the 1.2 million average daily attacks in 2023, with the vast majority of activity targeting the Taiwanese government, according to an annual analysis published by Taiwan's National Security Bureau (NSB). Like many other countries, Taiwan has also detected a surge in attacks targeting its telecommunications sector, with the number of security events rising by more than sixfold, the analysis stated."
https://www.darkreading.com/cyber-risk/as-tensions-with-china-mount-taiwan-sees-surge-in-cyberattacks
- Using Cognitive Diversity For Stronger, Smarter Cyber Defense
"In this Help Net Security interview, Mel Morris, CEO of Corpora.ai, discusses how cognitive biases affect decision-making during cybersecurity incidents. Morris shares insights on the challenges of designing user-friendly cybersecurity tools that consider human cognitive processes."
https://www.helpnetsecurity.com/2025/01/15/mel-morris-corpora-ai-cognitive-diversity-cybersecurity/
- CISA Releases Microsoft Expanded Cloud Logs Implementation Playbook
"Today, CISA released the Microsoft Expanded Cloud Logs Implementation Playbook to help organizations get the most out of Microsoft’s newly introduced logs in Microsoft Purview Audit (Standard). This step-by-step guide enables technical personnel to better detect and defend against advanced intrusion techniques by operationalizing expanded cloud logs."
https://www.cisa.gov/news-events/alerts/2025/01/15/cisa-releases-microsoft-expanded-cloud-logs-implementation-playbook
https://www.cisa.gov/resources-tools/resources/microsoft-expanded-cloud-logs-implementation-playbook
https://www.bleepingcomputer.com/news/security/cisa-shares-guidance-for-microsoft-expanded-logging-capabilities/
- Strengthening America’s Resilience Against The PRC Cyber Threats
"As America’s Cyber Defense Agency and the National Coordinator for critical infrastructure security and resilience, CISA’s mission is to safeguard America’s critical infrastructure and enhance our nation’s collective resilience. We help protect and defend the critical services Americans rely on every day against threats from anyone, anywhere, anytime. China’s sophisticated and well-resourced cyber program represents the most serious and significant cyber threat to our nation, and in particular, U.S. critical infrastructure. Last year, I testified about these threats before the House Select Committee on the Chinese Communist Party."
https://www.cisa.gov/news-events/news/strengthening-americas-resilience-against-prc-cyber-threats
https://www.bankinfosecurity.com/cisa-first-spotted-salt-typhoon-hackers-in-federal-networks-a-27302
https://www.theregister.com/2025/01/15/salt_typhoon_us_govt_networks/
https://cyberscoop.com/salt-typhoon-us-government-jen-easterly-cisa/
- Ransomware And Cyber Extortion In Q4 2024
"The last quarter of 2024 proved to be a pivotal period for ransomware activity, marked by emerging threats and unexpected shifts among established groups."
https://www.reliaquest.com/blog/ransomware-and-cyber-extortion-in-q4-2024/
https://www.bankinfosecurity.com/ransomware-leak-sites-suggest-attacks-reached-record-high-a-27299
- AI Alone Is Not Bulletproof: Weaknesses In AI/ML Email Security
"Despite modern secure email gateways (SEGs) embracing AI capabilities, many phishing emails still reach users' inboxes. Therefore, employees need proper training to be able to identify attacks. This is necessary because artificial intelligence and machine learning (AI/ML) models are trained on past data, which may not relate to future threats. Also, most threat actors are creative and able to identify working strategies to bypass SEG security—and they are using AI offensively."
https://cofense.com/blog/ai-alone-is-not-bulletproof-weaknesses-in-ai-ml-email-security
- Extension Poisoning Campaign Highlights Gaps In Browser Security
"A Christmas Eve phishing attack resulted in an unknown party taking over a Cyberhaven employee's Google Chrome Web Store account and publishing a malicious version of Cyberhaven's Chrome extension. While the problematic extension was removed within an hour of its discovery, the malicious activity highlights gaps in browser security that exist at most organizations and the necessity of getting a handle on the problem now, as extension poisoning is expected to be a persistent issue."
https://www.darkreading.com/endpoint-security/extension-poisoning-campaign-gaps-browser-security
- OWASP's New LLM Top 10 Shows Emerging AI Threats
"The advent of artificial intelligence (AI) coding tools undoubtedly signifies a new chapter in modern software development. With 63% of organizations currently piloting or deploying AI coding assistants into their development workflows, the genie is well and truly out of the bottle, and the industry must now make careful moves to integrate it as safely and efficiently as possible."
https://www.darkreading.com/vulnerabilities-threats/owasps-llm-top-10-shows-emerging-ai-threats
- Cyber Insights 2025: Open Source And Software Supply Chain Security
"Attacking the OSS supply chain is a no-brainer for malicious actors: protecting it is hard. Open source software (OSS) has become a major threat vector over the last decade. The reason is simple mathematics. “There are over 5 million OSS packages available,” explains Mehran Farimani, CEO at RapidFort. Chris Hughes, chief security advisor at Endor Labs, adds, “Adoption [of OSS] has grown exponentially in the last decade and shows no signs of slowing down. It is now found in nearly 90% of modern code bases and makes up 70-80% of those code bases.”"
https://www.securityweek.com/cyber-insights-2025-open-source-and-the-software-supply-chain/
- UN Security Council Members Meet On Spyware For First Time
"Members of the U.N. Security Council for the first time gathered Tuesday to discuss the threat posed by commercial spyware at an informal meeting where a senior U.S. diplomat called for enhanced efforts to obtain justice for victims of the technology, and other nations pledged to take action. The meeting — known as an Arria-formula, to discuss pressing problems outside the full council — comes at a time when increasing attention is being paid to how spyware is infecting devices belonging to diplomats."
https://therecord.media/commercial-spyware-meeting-un-security-council-members
- Navigating Today’s Cloud Security Challenges
"Cloud adoption lies at the heart of digital transformation, providing organizations with the agility and flexibility they need to stay competitive in today’s rapidly changing marketplace. Competing in a digital-first economy requires developing personalized customer experiences, embracing a more prominent hybrid workforce strategy, streamlining workflows, and optimizing distributed operations for greater efficiency and scalability. However, while the power of the cloud certainly enables enterprises to adapt to today’s evolving demands quickly, it also introduces unique challenges that security teams must recognize and manage. These include safeguarding sensitive data, ensuring regulatory compliance, and maintaining visibility and control across increasingly complex hybrid and multi-cloud environments."
https://www.fortinet.com/blog/business-and-technology/navigating-todays-cloud-security-challenges
https://www.infosecurity-magazine.com/news/multicloud-surges-rising-security/
- Turning Curiosity Into a Career: The Power Of OSINT
"I had a dear friend whose mother used to ask us to "get on the clacker and use the goggles" to find information for her. Back then, people were just learning how to "Google-fu" searches to answer obscure questions. Now Google is an incredibly powerful tool used by cybersecurity experts and bad actors around the globe."
https://www.bankinfosecurity.com/blogs/turning-curiosity-into-career-power-osint-p-3795
References
Electronic Transactions Development Agency (ETDA)
- ICS Patch Tuesday: Security Advisories Published By Schneider, Siemens, Phoenix Contact, CISA
-
WP3.XYZ malware attacks over 5,000 WordPress websites, secretly creating fake administrator accounts
-
Biden signs executive order to support the development of AI infrastructure in the US
-
CISA adds BeyondTrust and Qlik Sense vulnerabilities to the Known Exploited Vulnerabilities (KEV) list
-
Hackers hide information-stealing malware in YouTube comment sections
-
Cyber Threat Intelligence 15 January 2025
Industrial Sector
- Hitachi Energy FOXMAN-UN
"Successful exploitation of these vulnerabilities could allow an unauthenticated malicious user to interact with the services and the post-authentication attack surface."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-014-01
- Belledonne Communications Linphone-Desktop
"Successful exploitation of this vulnerability could result in a remote attacker causing a denial-of-service condition on the affected devices."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-014-04
- Schneider Electric Vijeo Designer
"Successful exploitation of these vulnerabilities could cause a non-admin authenticated user to perform privilege escalation by tampering with the binaries."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-014-02
- Schneider Electric EcoStruxure
"Successful exploitation of these vulnerabilities could allow an attacker to tamper with folder names within the context of the product."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-014-03
Vulnerabilities
- SAP Patches Critical Vulnerabilities In NetWeaver
"Enterprise software maker SAP on Tuesday announced the release of 14 new security notes as part of its January 2025 Patch Day. The most important of the notes are marked ‘hot news’ (the highest SAP severity rating) and address two critical vulnerabilities in NetWeaver AS for ABAP and ABAP Platform, both with a CVSS score of 9.9. Tracked as CVE-2025-0070, the first of the security defects is described as an improper authentication bug. It could allow an attacker to steal credentials from the internal RFC communication between an HTTP client and a server of the same system."
https://www.securityweek.com/sap-patches-critical-vulnerabilities-in-netweaver/
- Microsoft January 2025 Patch Tuesday Fixes 8 Zero-Days, 159 Flaws
"Today is Microsoft's January 2025 Patch Tuesday, which includes security updates for 159 flaws, including eight zero-day vulnerabilities, with three actively exploited in attacks. This Patch Tuesday also fixes twelve "Critical" vulnerabilities, including information disclosure, privileges elevation, and remote code execution flaws."
https://www.bleepingcomputer.com/news/microsoft/microsoft-january-2025-patch-tuesday-fixes-8-zero-days-159-flaws/
https://blog.talosintelligence.com/january-patch-tuesday-release/
https://www.tripwire.com/state-of-security/vert-threat-alert-january-2025-patch-tuesday-analysis
https://www.darkreading.com/application-security/microsoft-january-2025-record-security-update
https://cyberscoop.com/microsoft-patch-tuesday-january-2025/
https://www.securityweek.com/microsoft-patches-trio-of-exploited-windows-hyper-v-zero-days/
https://www.helpnetsecurity.com/2025/01/14/january-2025-patch-tuesday-microsoft-hyper-v-zero-day-cve-2025-21333-cve-2025-21334-cve-2025-21335/
https://www.theregister.com/2025/01/15/patch_tuesday_january_2025/
- Adobe: Critical Code Execution Flaws In Photoshop
"Software maker Adobe on Tuesday rolled out fixes for more than a dozen security defects in multiple products and warned that malicious hackers can exploit these bugs in remote code execution attacks. The company said the vulnerabilities affect Adobe Photoshop, Substance 3D Stager, Illustrator for iPad, Adobe Animate, and the Adobe Substance 3D Designer. According to Adobe’s documentation, the Photoshop update is available for Windows and macOS and should be treated with urgency because of the risk of code execution exploitation via booby-trapped files."
https://www.securityweek.com/adobe-critical-code-execution-flaws-in-photoshop/
- CISA Adds Four Known Exploited Vulnerabilities To Catalog
"CISA has added four vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
CVE-2024-55591 Fortinet FortiOS Authorization Bypass Vulnerability
CVE-2025-21333 Microsoft Windows Hyper-V NT Kernel Integration VSP Heap-based Buffer Overflow Vulnerability
CVE-2025-21334 Microsoft Windows Hyper-V NT Kernel Integration VSP Use-After-Free Vulnerability
CVE-2025-21335 Microsoft Windows Hyper-V NT Kernel Integration VSP Use-After-Free Vulnerability"
https://www.cisa.gov/news-events/alerts/2025/01/14/cisa-adds-four-known-exploited-vulnerabilities-catalog
- Millions Of Accounts Vulnerable Due To Google’s OAuth Flaw
"Millions of Americans can have their data stolen right now because of a deficiency in Google’s “Sign in with Google” authentication flow. If you’ve worked for a startup in the past - especially one that has since shut down - you might be vulnerable. I demonstrated this flaw by logging into accounts I didn’t own, and Google responded that this behavior was ‘working as intended’."
https://trufflesecurity.com/blog/millions-at-risk-due-to-google-s-oauth-flaw
https://www.bleepingcomputer.com/news/security/google-oauth-flaw-lets-attackers-gain-access-to-abandoned-accounts/
https://thehackernews.com/2025/01/google-oauth-vulnerability-exposes.html
Malware
- Over 5,000 WordPress Sites Caught In WP3.XYZ Malware Attack
"We’ve uncovered a widespread malware campaign targeting WordPress websites, affecting over 5,000 sites globally. The malicious domain: https://wp3[.]xyz/td.js. One of our users was affected. c/side caught and stopped the attack."
https://cside.dev/blog/over-5k-wordpress-sites-caught-in-wp3xyz-malware-attack
https://www.bleepingcomputer.com/news/security/wp3xyz-malware-attacks-add-rogue-admins-to-5-000-plus-wordpress-sites/
- FBI Wipes Chinese PlugX Malware From Over 4,000 US Computers
"The U.S. Department of Justice announced today that the FBI has deleted Chinese PlugX malware from over 4,200 computers in networks across the United States. The malware, controlled by the Chinese cyber espionage group Mustang Panda (also tracked as Twill Typhoon), infected thousands of systems using a PlugX variant with a wormable component that allowed it to spread through USB flash drives. According to court documents, the list of victims targeted using this malware includes "European shipping companies in 2024, several European Governments from 2021 to 2023, worldwide Chinese dissident groups, and governments throughout the Indo-Pacific (e.g., Taiwan, Hong Kong, Japan, South Korea, Mongolia, India, Myanmar, Indonesia, Philippines, Thailand, Vietnam, and Pakistan).""
https://www.bleepingcomputer.com/news/security/fbi-wipes-chinese-plugx-malware-from-over-4-000-us-computers/
https://therecord.media/doj-deletes-china-linked-plugx-malware
https://www.darkreading.com/cybersecurity-operations/fbi-wraps-up-eradication-chinese-plugx-malware
https://www.bankinfosecurity.com/fbi-deletes-more-than-4000-plugx-malware-instances-a-27285
https://cyberscoop.com/plugx-malware-mustang-panda-doj-takedown/
https://securityaffairs.com/173073/malware/fbi-deleted-china-linked-plugx-malware-from-over-4200-us-computers.html
https://www.theregister.com/2025/01/14/fbi_french_cops_boot_chinas/
https://www.itnews.com.au/news/us-removes-malware-allegedly-planted-on-computers-by-chinese-backed-hackers-614338
- Fasthttp Used In New Bruteforce Campaign
"On January 13th, the SpearTip Security Operations Center, in collaboration with the Managed SaaS Alerts team, identified an emerging threat leveraging the fasthttp library. Fasthttp is a high-performance HTTP server and client library for the Go programming language, designed to handle HTTP requests more efficiently than Go’s standard net/http package. It offers improved throughput and lower latency, particularly under high load."
https://www.speartip.com/fasthttp-used-in-new-bruteforce-campaign/
https://www.bleepingcomputer.com/news/security/hackers-use-fasthttp-in-new-high-speed-microsoft-365-password-attacks/
- Hackers Using Fake YouTube Links To Steal Login Credentials
"Cybercriminals exploit fake YouTube links to redirect users to phishing pages, stealing login credentials via URI manipulation and layered obfuscation techniques. According to a recent discovery by cybersecurity analysts at ANY.RUN, cybercriminals have been leveraging fake YouTube links to redirect unsuspecting users to phishing pages, stealing login credentials in the process. This attack employs Uniform Resource Identifier (URI) manipulation to obscure malicious intent while maintaining the appearance of authenticity."
https://hackread.com/hackers-fake-youtube-links-steal-login-credentials/
- Malicious Kong Ingress Controller Image Found On DockerHub
"A critical security breach in the software supply chain has been detected. An attacker accessed Kong’s DockerHub account and replaced the legitimate Kong Ingress Controller v.3.4.0 image with a malicious version."
https://hackread.com/malicious-kong-ingress-controller-image-dockerhub/
- Snyk Security Researcher Deploys Malicious NPM Packages Targeting Cursor.com
"Every morning I get up and check what malicious packages my detector had found the night before. It’s like someone checking their fishing nets to see what fish they caught. As I was looking at last night's malicious packages I noticed something strange: Someone from Snyk had deployed several packages to NPM. Even weirder, the names of those packages appeared to show they were targeting Cursor, the hot new AI coding company."
https://sourcecodered.com/snyk-malicious-npm-package/
https://www.securityweek.com/snyk-says-malicious-npm-packages-part-of-research-project/
https://www.theregister.com/2025/01/14/snyk_npm_deployment_removed/
- One Step Ahead In Cyber Hide-And-Seek: Automating Malicious Infrastructure Discovery With Graph Neural Networks
"When launching and persisting attacks at scale, threat actors can inadvertently leave behind traces of information. They often reuse, rotate and share portions of their infrastructure when automating their campaign’s setup before launching an attack. Defenders can leverage this behavior by pivoting on a few known indicators to uncover newer infrastructure. This article describes the benefits of automated pivoting and uses three case studies to show how we can discover new indicators. Using a network crawler leveraging relationships among domains, we discovered network artifacts around known indicators and trained a graph neural network (GNN) to detect additional malicious domains."
https://unit42.paloaltonetworks.com/graph-neural-networks/
Breaches/Hacks/Leaks
- Tennessee-Based Mortgage Lender Confirms December Cyberattack
"One of the largest mortgage lenders in the Southeast U.S. said it suffered a cybersecurity incident last month that exposed troves of customer information. Tennessee-based Mortgage Investors Group (MIG) did not outline how many customers were impacted by the attack but said they have hired a vendor to identify the affected individuals. The company said it expects to notify those customers directly once the process is completed in several weeks."
https://therecord.media/tennessee-mortgage-lender-confirms-cyberattack
- Connecticut City Of West Haven Assessing Impact Of Cyberattack
"The government of West Haven, Connecticut, says it is investigating a cyberattack that recently forced it to temporarily shut down all of its IT systems. In an update on January 11, Mayor Dorinda Borer said “an IT system security incident” on an unspecified day had forced the shutdown. The city initially said in a Facebook post on December 26 that the government was “experiencing a network disruption.” The city is still assessing what data might have been affected by the incident, the update said."
https://therecord.media/west-haven-connecticut-city-government-cyberattack
- Russia's Largest Platform For State Procurement Hit By Cyberattack From Pro-Ukraine Group
"Russia’s main electronic trading platform for government and corporate procurement confirmed on Monday that it had been targeted by a cyberattack after initially claiming that outages were caused by “maintenance work.” Roseltorg is one of the largest electronic trading operators selected by the Russian government to conduct public procurement, including contracts in the defense and construction industries. The platform also offers tools for electronic document management and procurement planning."
https://therecord.media/russian-platform-for-state-procurement-hit-cyberattack
General News
- December 2024 Deep Web And Dark Web Trend Report
"This trend report on the deep web and dark web of December 2024 is sectioned into Ransomware, Forums & Black Markets, and Threat Actor. We would like to state beforehand that some of the content has yet to be confirmed to be true."
https://asec.ahnlab.com/en/85733/
- This Is The Year CISOs Unlock AI’s Full Potential
"In 2025, CISOs will have powerful new capabilities as generative artificial intelligence (GenAI) continues to mature. Evolving beyond providing answers to questions, GenAI will provide proactive recommendations, take action, and communicate in a personalized manner. This transition will enable CISOs and their teams to unlock the true impact of GenAI to bolster cybersecurity defenses."
https://www.helpnetsecurity.com/2025/01/14/genai-cisos/
- How AI And ML Are Transforming Digital Banking Security
"In this Help Net Security interview, Nuno Martins da Silveira Teodoro, VP of Group Cybersecurity at Solaris, discusses the latest advancements in digital banking security. He talks about how AI and ML are reshaping fraud detection, the growing trend of passwordless authentication, and the security risks facing mobile banking apps. Nuno also discusses the balance between ensuring security and providing a seamless, user-friendly experience for customers."
https://www.helpnetsecurity.com/2025/01/14/nuno-martins-da-silveira-teodoro-solaris-ai-digital-banking-security/
- CISA Releases The JCDC AI Cybersecurity Collaboration Playbook And Fact Sheet
"Today, CISA released the JCDC AI Cybersecurity Collaboration Playbook and Fact Sheet to foster operational collaboration among government, industry, and international partners and strengthen artificial intelligence (AI) cybersecurity. The playbook provides voluntary information-sharing processes that, if adopted, can help protect organizations from emerging AI threats."
https://www.cisa.gov/news-events/alerts/2025/01/14/cisa-releases-jcdc-ai-cybersecurity-collaboration-playbook-and-fact-sheet
https://cisa.gov/resources-tools/resources/ai-cybersecurity-collaboration-playbook
https://www.bankinfosecurity.com/new-federal-playbook-aims-to-boost-ai-cyber-incident-sharing-a-27293
- Joint Statement On Cryptocurrency Thefts By The Democratic People’s Republic Of Korea And Public-Private Collaboration
"The United States, Japan, and the Republic of Korea join together to provide a new warning to the blockchain technology industry regarding the ongoing targeting and compromise of a range of entities across the globe by Democratic People’s Republic of Korea (DPRK) cyber actors. The DPRK’s cyber program threatens our three countries and the broader international community and, in particular, poses a significant threat to the integrity and stability of the international financial system. Our three governments strive together to prevent thefts, including from private industry, by the DPRK and to recover stolen funds with the ultimate goal of denying the DPRK illicit revenue for its unlawful weapons of mass destruction and ballistic missile programs."
https://www.state.gov/office-of-the-spokesperson/releases/2025/01/joint-statement-on-cryptocurrency-thefts-by-the-democratic-peoples-republic-of-korea-and-public-private-collaboration
https://www.bleepingcomputer.com/news/security/us-govt-says-north-korea-stole-over-659-million-in-crypto-last-year/
- Cyber Threat Alliance Publishes 2025 Cybersecurity In The Age Of Generative AI
"The Cyber Threat Alliance (CTA) today announced the publication of its Cybersecurity in the Age of Generative AI Joint Analytic Report (JAR). This report is broken into two parts. Part I, Combating GenAI Assisted Cyber Threats, addresses the use of GenAI tools for malicious purposes. Part II, Navigating Cyber Threats to GenAI Systems, examines cyber threats to these tools. The rise of GenAI represents both opportunities and challenges in cybersecurity, empowering the community to leverage AI for innovation, efficiency, and enhanced defenses, while also enabling malicious actors to exploit the technology for a new dimension of AI-assisted threats. While GenAI lowers barriers to entry for adversaries and makes them more efficient, the foundational principles of cybersecurity remain integral to combating these threats effectively."
https://www.cyberthreatalliance.org/cyber-threat-alliance-publishes-2025-cybersecurity-in-the-age-of-generative-ai/
https://www.cyberthreatalliance.org/resources/assets/cybersecurity-in-the-age-of-generative-ai-joint-analytic-report-part-i-combating-genai-assisted-cyber-threats/
https://www.cyberthreatalliance.org/resources/assets/cybersecurity-in-the-age-of-generative-ai-joint-analytic-report-part-ii-navigating-cyber-threats-to-genai-systems/
https://www.helpnetsecurity.com/2025/01/14/malicious-actors-genai-use-hype-deepfakes-phishing-scams/
- Browser-Based Cyber-Threats Surge As Email Malware Declines
"Browser-based cyber-threats have surged throughout 2024, marking a significant shift in the tactics employed by malicious actors. According to new findings from the 2024 Threat Data Trends report by the eSentire Threat Response Unit (TRU), while malware delivered via email declined last year, browser-sourced threats, including drive-by downloads and malicious advertisements, rose sharply. These techniques are being increasingly used to deliver malware, such as Lumma Stealer and NetSupport Manager RAT, with attackers favoring them due to their ability to bypass traditional email filters and security controls."
https://www.infosecurity-magazine.com/news/browser-cyberthreats-surge-email/
- How To Eliminate “Shadow AI” In Software Development
"In a recent column, I wrote about the nearly ubiquitous state of artificial intelligence (AI) in software development, with a GitHub survey showing 92 percent of U.S.-based developers using AI coding tools both in and outside of work. Seeing a subsequent surge in their productivity, many are taking part in what’s called “shadow AI” by leveraging the technology without the knowledge or approval of their organization’s IT department and/or chief information security officer (CISO)."
https://www.securityweek.com/how-to-eliminate-shadow-ai-in-software-development/
- Cyber Insights 2025: Cyber Threat Intelligence
"SecurityWeek’s Cyber Insights 2025 examines expert opinions on the expected evolution of more than a dozen areas of cybersecurity interest over the next 12 months. We spoke to hundreds of individual experts to gain their expert opinions. Here we discuss what to expect with Cyber Threat Intelligence (CTI). CTI is valuable and beneficial to cybersecurity, but only if it is complete, accurate, and actionable."
https://www.securityweek.com/cyber-insights-2025-cyber-threat-intelligence/
References
Electronic Transactions Development Agency (ETDA)
-
Cyber Threat Intelligence 14 January 2025
Industrial Sector
- CISA And US And International Partners Publish Guidance On Priority Considerations In Product Selection For OT Owners And Operators
"Today, CISA—along with U.S. and international partners—released joint guidance Secure by Demand: Priority Considerations for Operational Technology Owners and Operators when Selecting Digital Products. As part of CISA’s Secure by Demand series, this guidance focuses on helping customers identify manufacturers dedicated to continuous improvement and achieving a better cost balance, as well as how Operational Technology (OT) owners and operators should integrate secure by design elements into their procurement process."
https://www.cisa.gov/news-events/alerts/2025/01/13/cisa-and-us-and-international-partners-publish-guidance-priority-considerations-product-selection-ot
https://www.cisa.gov/resources-tools/resources/secure-demand-priority-considerations-operational-technology-owners-and-operators-when-selecting
New Tooling
- Chainsaw: Open-Source Tool For Hunting Through Windows Forensic Artefacts
"Chainsaw is an open-source first-response tool for quickly detecting threats in Windows forensic artefacts, including Event Logs and the MFT file. It enables fast keyword searches through event logs and identifies threats using built-in Sigma detection and custom detection rules."
https://www.helpnetsecurity.com/2025/01/13/chainsaw-open-source-tool-hunting-through-windows-forensic-artefacts/
https://github.com/WithSecureLabs/chainsaw
Vulnerabilities
- Wiz Research Identifies Exploitation In The Wild Of Aviatrix Controller RCE (CVE-2024-50603)
"CVE-2024-50603 is a critical code execution vulnerability impacting Aviatrix Controller with the maximum CVSS score of 10.0. This command injection flaw allows unauthenticated attackers to execute arbitrary commands on the system remotely. The vulnerability stems from the improper neutralization of user-supplied input, and has been addressed in patched versions 7.1.4191 and 7.2.4996."
https://www.wiz.io/blog/wiz-research-identifies-exploitation-in-the-wild-of-aviatrix-cve-2024-50603
https://thehackernews.com/2025/01/hackers-exploit-aviatrix-controller.html
https://www.bleepingcomputer.com/news/security/hackers-exploit-critical-aviatrix-controller-rce-flaw-in-attacks/
https://www.darkreading.com/cloud-security/cloud-attackers-exploit-max-critical-aviatrix-rce-flaw
https://www.theregister.com/2025/01/13/severe_aviatrix_controller_vulnerability/
- Juniper Networks Fixes High-Severity Vulnerabilities In Junos OS
"Juniper Networks kicked off 2025 with security updates that address dozens of vulnerabilities in the Junos OS platform, including multiple high-severity bugs. Patches were released last week to resolve a high-severity out-of-bounds read flaw in the routing protocol daemon (RPD) of Junos OS and Junos OS Evolved that could lead to denial-of-service (DoS) when processing a malformed BGP packet. Tracked as CVE-2025-21598, the issue affects systems that have packet receive trace options enabled and “can propagate and multiply through multiple ASes until reaching vulnerable devices”, Juniper says."
https://www.securityweek.com/juniper-networks-fixes-high-severity-vulnerabilities-in-junos-os/
- Analyzing CVE-2024-44243, a MacOS System Integrity Protection Bypass Through Kernel Extensions
"Microsoft Threat Intelligence discovered a new macOS vulnerability that could allow attackers to bypass Apple’s System Integrity Protection (SIP) in macOS by loading third party kernel extensions. SIP is a security technology that restricts the performance of operations that may compromise system integrity; thus, a SIP bypass affects the overall security of the operating system. Bypassing SIP could lead to serious consequences, such as increasing the potential for attackers and malware authors to successfully install rootkits, create persistent malware, bypass Transparency, Consent and Control (TCC), and expand the attack surface for additional techniques and exploits."
https://www.microsoft.com/en-us/security/blog/2025/01/13/analyzing-cve-2024-44243-a-macos-system-integrity-protection-bypass-through-kernel-extensions/
https://www.bleepingcomputer.com/news/security/microsoft-macos-bug-lets-hackers-install-malicious-kernel-drivers/
- CISA Orders Agencies To Patch BeyondTrust Bug Exploited In Attacks
"CISA has tagged a command injection vulnerability (CVE-2024-12686) in BeyondTrust's Privileged Remote Access (PRA) and Remote Support (RS) as actively exploited in attacks. As mandated by the Binding Operational Directive (BOD) 22-01, after being added to CISA's Known Exploited Vulnerabilities catalog, U.S. federal agencies must secure their networks against ongoing attacks targeting the flaw within three weeks by February 3. On December 19, the U.S. cybersecurity agency also added a critical command injection security bug (CVE-2024-12356) in the same BeyondTrust software products."
https://www.bleepingcomputer.com/news/security/cisa-orders-agencies-to-patch-beyondtrust-bug-exploited-in-attacks/
https://securityaffairs.com/173031/security/u-s-cisa-adds-beyondtrust-pra-and-rs-and-qlik-sense-flaws-to-its-known-exploited-vulnerabilities-catalog.html
Malware
- Console Chaos: A Campaign Targeting Publicly Exposed Management Interfaces On Fortinet FortiGate Firewalls
"In early December, Arctic Wolf Labs began observing a campaign involving suspicious activity on Fortinet FortiGate firewall devices. By gaining access to management interfaces on affected firewalls, threat actors were able to alter firewall configurations. In compromised environments, threat actors were observed extracting credentials using DCSync. While the initial access vector used in this campaign is not yet confirmed, Arctic Wolf Labs assesses with high confidence that mass exploitation of a zero-day vulnerability is likely given the compressed timeline across affected organizations as well as firmware versions affected."
https://arcticwolf.com/resources/blog/console-chaos-targets-fortinet-fortigate-firewalls/
https://threats.wiz.io/all-incidents/campaign-targeting-publicly-exposed-management-interfaces-on-fortinet-fortigate-firewalls
https://www.theregister.com/2025/01/14/miscreants_mass_exploited_fortinet_firewalls/
- Abusing AWS Native Services: Ransomware Encrypting S3 Buckets With SSE-C
"The Halcyon RISE Team has identified a concerning new ransomware campaign targeting Amazon S3 buckets. This attack leverages AWS’s Server-Side Encryption with Customer Provided Keys (SSE-C) to encrypt data, demanding ransom payments for the symmetric AES-256 keys required to decrypt it. It is important to note that this attack does not require the exploitation of any AWS vulnerability but instead relies on the threat actor first obtaining an AWS customer’s account credentials. With no known method to recover the data without paying the ransom, this tactic represents a significant evolution in ransomware capabilities."
https://www.halcyon.ai/blog/abusing-aws-native-services-ransomware-encrypting-s3-buckets-with-sse-c
https://www.bleepingcomputer.com/news/security/ransomware-abuses-amazon-aws-feature-to-encrypt-s3-buckets/
https://therecord.media/hackers-encrypting-amazon-cloud-buckets
https://www.helpnetsecurity.com/2025/01/13/codefinger-encrypting-aws-s3-data-without-ransomware-sse-c/
https://www.theregister.com/2025/01/13/ransomware_crew_abuses_compromised_aws/
- Double-Tap Campaign: Russia-Nexus APT Possibly Related To APT28 Conducts Cyber Espionage On Central Asia And Kazakhstan Diplomatic Relations
"On Wednesday, 27 November 2024, Russian President Putin was on a 2-day state visit in Kazakhstan to discuss with local representatives the implementation of energy projects and to counter Chinese and Western influence. Putin said he was visiting his “true ally”, yet Sekoia investigated an ongoing cyber espionage campaign using legitimate Office documents assessed to originate from the Ministry of Foreign Affairs of the Republic of Kazakhstan, that were further weaponized and likely used to collect strategic intelligence in Central Asia, including Kazakhstan and its diplomatic and economic relations with Asian and Western countries. We assess it is possible that this campaign was conducted by a Russia-nexus intrusion set, UAC-0063, sharing overlaps with APT28."
https://blog.sekoia.io/double-tap-campaign-russia-nexus-apt-possibly-related-to-apt28-conducts-cyber-espionage-on-central-asia-and-kazakhstan-diplomatic-relations/
https://therecord.media/hackers-kremlin-kazakhstan-espionage-campaign
https://cyberscoop.com/fancy-bear-kazakhstan-russia-sekoia/
https://www.infosecurity-magazine.com/news/russian-malware-campaign-hits/
- Deep Dive Into a Linux Rootkit Malware
"This is a follow-up analysis to a previous blog about a zero day exploit where the FortiGuard Incident Response (FGIR) team examined how remote attackers exploited multiple vulnerabilities in an appliance to gain control of a customer’s system. At the end of that blog, we revealed that the remote attacker had deployed a rootkit (a loadable kernel module, sysinitd.ko) and a user-space binary file (sysinitd) on the affected system by executing a shell script (Install.sh). Additionally, to establish rootkit persistence, entries for the rootkit malware were added in the /etc/rc.local and /etc/rc.d/rc.local files so the rootkit malware is loaded during system startup."
https://www.fortinet.com/blog/threat-research/deep-dive-into-a-linux-rootkit-malware
- Stealthy Credit Card Skimmer Targets WordPress Checkout Pages Via Database Injection
"Recently, we released an article where a credit card skimmer was targeting checkout pages on a Magento site. Now we’ve come across sophisticated credit card skimmer malware while investigating a compromised WordPress website. This credit card skimmer malware targeting WordPress websites silently injects malicious JavaScript into database entries to steal sensitive payment details. The malware activates specifically on checkout pages, either by hijacking existing payment fields or injecting a fake credit card form."
https://blog.sucuri.net/2025/01/stealthy-credit-card-skimmer-targets-wordpress-checkout-pages-via-database-injection.html
https://thehackernews.com/2025/01/wordpress-skimmers-evade-detection-by.html
https://securityaffairs.com/173010/malware/stealthy-credit-card-skimmer-targets-wordpress.html
Breaches/Hacks/Leaks
- OneBlood Confirms Personal Data Stolen In July Ransomware Attack
"Blood-donation not-for-profit OneBlood confirms that donors' personal information was stolen in a ransomware attack last summer. OneBlood first notified the public about the attack on July 31, 2024, noting that ransomware actors had encrypted its virtual machines, forcing the healthcare organization to fall back to using manual processes. OneBlood is a supplier of blood to over 250 hospitals across the United States with the attack causing delays in blood collection, testing, and distribution, leading to 'critical blood shortage' protocols in some clinics."
https://www.bleepingcomputer.com/news/security/oneblood-confirms-personal-data-stolen-in-july-ransomware-attack/
- Stolen Path Of Exile 2 Admin Account Used To Hack Player Accounts
"Path of Exile 2 developers confirmed that a hacked admin account allowed a threat actor to change the password and access at least 66 accounts, finally explaining how PoE 2 accounts have been breached since November. The breached admin account allowed the threat actors to change the passwords of other accounts, with many losing their in-game purchases, including valuable items that took hundreds of hours to acquire. However, a time limit in log retention prevents the full scope of the incident from being determined, potentially meaning more accounts were compromised in the breach."
https://www.bleepingcomputer.com/news/security/stolen-path-of-exile-2-admin-account-used-to-hack-player-accounts/
- UK Domain Registry Nominet Confirms Breach Via Ivanti Zero-Day
"Nominet, the official .UK domain registry and one of the largest country code registries, has confirmed that its network was breached two weeks ago using an Ivanti VPN zero-day vulnerability. The company manages and operates over 11 million .uk, .co.uk, and .gov.uk domain names and other top-level domains, including .cymru and .wales. It also ran the U.K.'s Protective Domain Name Service (PDNS) on behalf of the country's National Cyber Security Centre (NCSC) until September 2024, protecting over 1,200 organizations and over 7 million end users."
https://www.bleepingcomputer.com/news/security/uk-domain-registry-nominet-confirms-breach-via-ivanti-zero-day-vulnerability/
https://www.theregister.com/2025/01/13/nominet_ivanti_zero_day/
https://www.helpnetsecurity.com/2025/01/13/uk-domain-registry-nominet-breached-via-ivanti-zero-day-cve-2025-0282/
- EU Law Enforcement Training Agency Data Breach: Data Of 97,000 Individuals Compromised
"Personal data of nearly 100,000 individuals that have participated in trainings organized by CEPOL, the European Union (EU) Agency for Law Enforcement Training, has potentially been compromised due to the cyberattack suffered by the agency in May 2024. “Starting in October 2024, until 31 December 2024, over 97 000 notifications were sent to people whose personal data were processed in the 31 processing activities identified as high risk in the context of the data breach were contacted via email,” the agency shared on Friday."
https://www.helpnetsecurity.com/2025/01/13/eu-law-enforcement-training-agency-data-breach-cepol/
- Major Location Data Broker Reports Hack To Norwegian Authorities
"A major player in the location data broker market has confirmed to Norway’s Data Protection Authority that it was breached by a hacker who obtained an unknown number of files. The Norwegian news outlet NRK on Friday published a copy of the breach notice sent to Norwegian authorities by the location data broker Unacast, the parent company of Gravy Analytics. It is unclear when the breach was reported. While the breach report contains few details of the incident, hackers have claimed on a Russian cybercrime forum to have stolen a vast trove of data. The news outlet 404 Media was the first publication to reveal news of the breach."
https://therecord.media/location-data-broker-gravy-breach
- Cyberattack Forces Dutch University To Cancel Lectures
"Eindhoven University of Technology has cancelled “lectures and other educational activities” following a cyberattack, although it is expected to have only a limited impact as teaching is reduced while students prepare for exams. In a statement on Sunday, the Dutch university said it had shut down its network after detecting the attack at around 9 p.m. on Saturday but stressed its IT staff still have access to all systems and are investigating. Students have been told the disruption would last on Monday and an update would be provided on Tuesday."
https://therecord.media/tu-eindhoven-cyberattack-lectures-canceled
- EXCLUSIVE: Scholastic, Education Giant And ‘Harry Potter’ Publisher, Breached By ‘furry’ Hacker
"A “furry” hacker breached the education and publishing company Scholastic this month and stole data on 8 million people, the Daily Dot has learned. Scholastic is a leading global provider of educational materials for pre-K to grade 12, offering both print and digital resources to support student learning. In addition to its educational offerings, Scholastic publishes popular children’s book series, including Harry Potter, The Hunger Games, Clifford the Big Red Dog, and Goosebumps. The hacker, who goes by the moniker “Parasocial,” presented the data to the Daily Dot after purportedly exfiltrating it from an employee portal."
https://www.dailydot.com/debug/furry-hacks-scholastic-8-million-records-stolen/
General News
- GitHub CISO On Security Strategy And Collaborating With The Open-Source Community
"In this Help Net Security interview, Alexis Wales, CISO at GitHub, discusses how GitHub embeds security into every aspect of its platform to protect millions of developers and repositories, ensuring it remains a trustworthy platform for building secure software."
https://www.helpnetsecurity.com/2025/01/13/alexis-wales-github-ciso-security-strategy/
- The Shifting Landscape Of Open Source Security
"As we move into 2025, open source software (OSS) remains central to digital innovation across industries. However, its widespread adoption brings heightened security challenges and evolving regulatory demands. In the coming year, we expect a rise in targeted OSS supply chain attacks, a greater reliance on AI in cybersecurity — with both positive and negative implications — and a stronger push for global regulatory standards promoting responsible OSS practices."
https://www.darkreading.com/vulnerabilities-threats/shifting-landscape-open-source-security
- WEF Warns Of Growing Cyber Inequity Amid Escalating Complexities In Cyberspace
"Cyber inequity has widened in the past year amid increasing complexities in cyberspace and geopolitical uncertainties, the World Economic Forum (WEF)’s Global Cybersecurity Outlook 2025 has found. The WEF found that there is substantial disparity in the capabilities of different businesses, sectors and regions to effectively respond to cyber-attacks. There is a considerable gap between large and small organizations’ cybersecurity capabilities, the report, which was published on January 13, 2025, found."
https://www.infosecurity-magazine.com/news/wef-cyber-inequity-complexities/
- AI Won’t Take This Job: Microsoft Says Human Ingenuity Crucial To Red-Teaming
"As security pros worry about AI taking their jobs, researchers at Microsoft insist that effective red-teaming still relies on human expertise, cultural awareness, and emotional intelligence — qualities that can’t be replicated by machines. The software giant says its AI red team rigorously tested more than 100 generative AI products and determined that human ingenuity remains crucial to uncovering vulnerabilities and anticipating how hackers might exploit these systems."
https://www.securityweek.com/ai-wont-take-this-job-microsoft-says-human-ingenuity-crucial-to-red-teaming/
https://airedteamwhitepapers.blob.core.windows.net/lessonswhitepaper/MS_AIRT_Lessons_eBook.pdf
References
Electronic Transactions Development Agency (ETDA)
-
CISA Releases Four Industrial Control Systems Advisories
The Cybersecurity and Infrastructure Security Agency (CISA) published four Industrial Control Systems (ICS) advisories on 10 January 2025 (B.E. 2568). These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS. They are as follows:
- ICSA-25-010-01 Schneider Electric PowerChute Serial Shutdown
- ICSA-25-010-02 Schneider Electric Harmony HMI and Pro-face HMI Products
- ICSA-25-010-03 Delta Electronics DRASimuCAD
- ICSA-24-345-06 Rockwell Automation Arena (Update A)
CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations. More details at https://www.cisa.gov/news-events/alerts/2025/01/10/cisa-releases-four-industrial-control-systems-advisories
You can follow the news on the webboard or the NCSA Thailand Facebook page.
-
CISA Adds One Vulnerability to the KEV Catalog
The Cybersecurity and Infrastructure Security Agency (CISA) has announced the addition of one new vulnerability to its Known Exploited Vulnerabilities (KEV) catalog. The vulnerability may already be known to hacker groups; vulnerabilities of this type are frequently used as attack vectors by malicious cyber actors and pose a significant risk to government agencies.
- CVE-2025-0282 Ivanti Connect Secure Vulnerability
This vulnerability allows an unauthenticated attacker to perform Remote Code Execution (RCE) from a remote location, which may result in the system being compromised or controlled without authorization.
Affected products should be updated to a secure version as soon as possible to mitigate this risk. The stack-based buffer overflow vulnerability affects the following products:
- Ivanti Connect Secure (versions before 22.7R2.5)
- Ivanti Policy Secure (versions before 22.7R1.2)
- Ivanti Neurons for ZTA gateways (versions before 22.7R2.3)
References
https://www.cisa.gov/news-events/alerts/2025/01/08/cisa-adds-one-vulnerability-kev-catalog
-
CISA Releases Two Industrial Control Systems Advisories
The Cybersecurity and Infrastructure Security Agency (CISA) published two Industrial Control Systems (ICS) advisories on 7 January 2025 (B.E. 2568). These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS. They are as follows:
- ICSA-25-007-01 ABB ASPECT-Enterprise, NEXUS, and MATRIX Series Products
- ICSA-25-007-02 Nedap Librix Ecoreader
CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations. More details at https://www.cisa.gov/news-events/alerts/2025/01/07/cisa-releases-two-industrial-control-systems-advisories
-
Pro-Russia hacker group attacks Italy again after "Zelensky" visits the country
-
Warning: messages tricking Apple iMessage users into disabling phishing protection
-
Telefónica confirms breach of its internal ticketing system following a data leak
-
Beware: phishing campaign impersonating PayPal to gain access to users' accounts