Follow the news on the webboard or the NCSA Thailand Facebook page

Post created by NCSA_THAICERT
-
CISA warns that RESURGE malware is exploiting an Ivanti Connect Secure vulnerability
-
Crocodilus trojan malware targets Android users to break into banking and digital wallet accounts
-
Cyber Threat Intelligence 31 March 2025
Healthcare Sector
- Claroty’s State Of CPS Security Report: Healthcare Exposures 2025
"Hospitals and healthcare delivery organizations must manage a barrage of risks to connected medical devices and critical OT systems, protecting them from disruptions that could impact patient safety and the uninterrupted availability of patient care. This is the backdrop for Claroty’s latest State of CPS Security Report: Healthcare Exposures 2025. The goal of this report is to shed light on the riskiest exposures facing healthcare devices and networks—as well as OT within hospitals—provide some context to help identify those assets most in jeopardy, and demonstrate the number of devices burdened not only by known and exploited vulnerabilities, but those that are most at risk to ransomware and extortion attacks, and insecurely connected to the internet."
https://claroty.com/blog/clarotys-state-of-cps-security-report-healthcare-exposures-2025
https://claroty.com/resources/reports/state-of-cps-security-healthcare-exposures-2025
https://www.securityweek.com/critical-condition-legacy-medical-devices-remain-easy-targets-for-ransomware/
https://www.infosecurity-magazine.com/news/healthcare-vulnerable-iot-devices/
https://www.helpnetsecurity.com/2025/03/28/healthcare-devices-vulnerabilities/
New Tooling
- Cloudflare Open Sources OPKSSH To Bring Single Sign-On To SSH
"OPKSSH (OpenPubkey SSH) makes it easy to authenticate to servers over SSH using OpenID Connect (OIDC), allowing developers to ditch manually configured SSH keys in favor of identity provider-based access. By tightly integrating with identity providers (IdPs) and avoiding any additional trusted third party, OPKSSH offers a streamlined and secure way to manage SSH authentication. This week, OPKSSH was officially open-sourced under the umbrella of the OpenPubkey project. While OpenPubkey itself became a Linux Foundation open-source initiative in 2023, OPKSSH remained closed-source until now."
https://www.helpnetsecurity.com/2025/03/28/opkssh-sso-ssh/
https://github.com/openpubkey/opkssh/
Vulnerabilities
- Qualys TRU Discovers Three Bypasses Of Ubuntu Unprivileged User Namespace Restrictions
"Qualys TRU uncovered three distinct bypasses of these namespace restrictions, each enabling local attackers to create user namespaces with full administrative capabilities. These bypasses facilitate exploiting vulnerabilities in kernel components requiring powerful administrative privileges within a confined environment. The restrictions on unprivileged user namespaces were initially introduced in Ubuntu 23.10 and enabled by default in Ubuntu 24.04. It is important to note that these bypasses alone do not enable complete system takeover; however, they become dangerous when combined with other vulnerabilities, typically kernel-related."
https://blog.qualys.com/vulnerabilities-threat-research/2025/03/27/qualys-tru-discovers-three-bypasses-of-ubuntu-unprivileged-user-namespace-restrictions
https://www.bleepingcomputer.com/news/security/new-ubuntu-linux-security-bypasses-require-manual-mitigations/
Malware
- CISA Releases Malware Analysis Report On RESURGE Malware Associated With Ivanti Connect Secure
"CISA has published a Malware Analysis Report (MAR) with analysis and associated detection signatures on a new malware variant CISA has identified as RESURGE. RESURGE contains capabilities of the SPAWNCHIMERA[1] malware variant, including surviving reboots; however, RESURGE contains distinctive commands that alter its behavior."
https://www.cisa.gov/news-events/alerts/2025/03/28/cisa-releases-malware-analysis-report-resurge-malware-associated-ivanti-connect-secure
https://www.cisa.gov/news-events/analysis-reports/ar25-087a
https://thehackernews.com/2025/03/resurge-malware-exploits-ivanti-flaw.html
https://securityaffairs.com/176040/breaking-news/cisa-warns-of-resurge-malware-exploiting-ivanti-flaw.html
- Gamaredon Campaign Abuses LNK Files To Distribute Remcos Backdoor
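The delivery chain in the Talos item below (a .lnk inside a ZIP, named to look like an Office document) lends itself to a simple triage step: open the archive, find every Shell Link member, parse the MS-SHLLINK StringData to recover the target and command line, and flag interpreter launches hidden behind a decoy name. The following is example code added for this digest, not Talos's tooling; the ZIP and the shortcuts it inspects are constructed inside the block, and the PowerShell command line is a placeholder rather than an indicator from the real campaign.

```python
"""Triage Shell Link (.lnk) members inside a ZIP archive.

Added example for this digest, not Talos's tooling. The archive and the
shortcuts it contains are constructed below; the PowerShell command line is a
placeholder, not an indicator taken from the real campaign.
"""
import io
import struct
import zipfile

# LinkFlags bits from the MS-SHLLINK ShellLinkHeader.
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x08, 0x10, 0x20
HAS_ICON_LOCATION, IS_UNICODE = 0x40, 0x80
# StringData fields appear in this fixed order, each only when its flag is set.
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# Interpreters and switches that have no business in a "document" shortcut.
SUSPICIOUS_TOKENS = ("powershell", "pwsh", "mshta", "cmd.exe", "wscript",
                     "cscript", "rundll32", "regsvr32", "-enc", "http")
DECOY_EXTENSIONS = (".doc", ".docx", ".pdf", ".xls", ".xlsx", ".rtf")


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a .lnk; IDList and LinkInfo are skipped."""
    if (len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76
    if flags & HAS_LINK_TARGET_ID_LIST:   # IDListSize does not count itself
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:             # LinkInfoSize includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for bit, name in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # characters, not bytes
        pos += 2
        if flags & IS_UNICODE:
            fields[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[name] = data[pos:pos + count].decode("cp1252", "replace")
            pos += count
    return fields


def triage_zip(zip_bytes: bytes) -> list:
    """Parse every .lnk member and flag interpreter launches or decoy names."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(".lnk"):
                continue
            fields = parse_lnk(zf.read(info))
            command = (fields.get("relative_path", "") + " "
                       + fields.get("arguments", "")).strip()
            indicators = [t for t in SUSPICIOUS_TOKENS if t in command.lower()]
            decoy = info.filename[:-4].lower().endswith(DECOY_EXTENSIONS)
            findings.append({"member": info.filename, "command": command,
                             "indicators": indicators, "decoy_extension": decoy,
                             "verdict": "suspicious" if indicators or decoy else "clean"})
    return findings


def build_lnk(relative_path: str, arguments: str = "") -> bytes:
    """Construct a minimal Unicode .lnk with a RELATIVE_PATH and optional arguments."""
    flags = HAS_RELATIVE_PATH | IS_UNICODE | (HAS_ARGUMENTS if arguments else 0)
    # Header: size, CLSID, flags, attributes, three timestamps, file size,
    # icon index, ShowCommand (1 = SW_SHOWNORMAL), hotkey, three reserved fields.
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)

    def string_data(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + string_data(relative_path) + (string_data(arguments) if arguments else b"")


def build_sample_zip() -> bytes:
    """Constructed archive: one Office-looking decoy shortcut, one ordinary one."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Request_Ukraine_2025.docx.lnk", build_lnk(
            r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
            "-w hidden -enc UABsAGEAYwBlAGgAbwBsAGQAZQByAA=="))   # base64 of "Placeholder"
        zf.writestr("Readme.lnk", build_lnk(r"..\Readme.txt"))
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage_zip(build_sample_zip()):
        print(finding["verdict"], finding["member"], finding["indicators"])
```

Real samples usually also carry a LinkTargetIDList and an icon location pointing at a Word or PDF icon; the parser skips the former by its declared size and reports the latter as a field, so extending the scoring to "icon says document, target says interpreter" is a one-line change. Windows Explorer hides the final .lnk extension, which is why the double-extension check matters.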
"The invasion of Ukraine is a common theme used by the Gamaredon group in their phishing campaigns and this campaign continues the use of this technique. The actor distributes LNK files compressed inside ZIP archives, usually disguising the file as an Office document and using names that are related to the invasion. Although Talos was not able to pinpoint the exact method by which these files are distributed, it is likely that Gamaredon continues to send phishing e-mails with either the ZIP file directly attached to it or containing a URL link to download the file from a remote host."
https://blog.talosintelligence.com/gamaredon-campaign-distribute-remcos/
- TsarBot: A New Android Banking Trojan Targeting Over 750 Banking, Finance, And Cryptocurrency Applications
"Cyble Research and Intelligence Labs (CRIL) discovered a new Android banking trojan that uses an overlay attack to target over 750 applications, including banking, finance, cryptocurrency, payment, social media, and e-commerce applications, across multiple regions. While the malware mainly utilizes overlay attacks to steal credentials, it also carries out various other malicious actions. It is capable of recording and remotely controlling the screen, enabling attackers to monitor and manipulate the device. Additionally, it employs lock-grabbing techniques, keylogging, and intercepting SMS messages."
https://cyble.com/blog/tsarbot-using-overlay-attacks-targeting-bfsi-sector/
- Stealing User Credentials With Evilginx
"Evilginx, a tool based on the legitimate (and widely used) open-source nginx web server, can be used to steal usernames, passwords, and session tokens, allowing an attacker to potentially bypass multifactor authentication (MFA). In this post, we’ll demonstrate how evilginx works and what information it is able to acquire; we also have advice for detecting this tool in use, as well as potential mitigations against its use."
https://news.sophos.com/en-us/2025/03/28/stealing-user-credentials-with-evilginx/
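Because Evilginx relays the victim's login through its own server and the attacker then replays the captured session cookie from wherever they sit, two patterns in sign-in telemetry are worth alerting on: a session token issued to one source address and later presented from another, and several unrelated accounts authenticating through the same address within a short window. The check below is example code added for this digest, not Sophos's detection content; the events are constructed and use a generic IdP sign-in log shape.

```python
"""Two sign-in telemetry checks for adversary-in-the-middle session theft.

Added example for this digest, not Sophos's detection content. The events are
constructed and use a generic IdP sign-in log shape:
(timestamp, user, source IP, event type, session id).
"""
from collections import defaultdict
from datetime import datetime, timedelta

EVENTS = [
    ("2025-03-28T09:00:05Z", "alice@example.com", "198.51.100.7", "login", "s-100"),
    ("2025-03-28T09:00:09Z", "alice@example.com", "198.51.100.7", "mfa_ok", "s-100"),
    ("2025-03-28T09:01:40Z", "bob@example.com", "198.51.100.7", "login", "s-101"),
    ("2025-03-28T09:01:45Z", "bob@example.com", "198.51.100.7", "mfa_ok", "s-101"),
    ("2025-03-28T09:02:30Z", "carol@example.com", "198.51.100.7", "login", "s-102"),
    ("2025-03-28T09:02:36Z", "carol@example.com", "198.51.100.7", "mfa_ok", "s-102"),
    # alice's session cookie is later presented from a different address.
    ("2025-03-28T09:15:00Z", "alice@example.com", "203.0.113.44", "activity", "s-100"),
    ("2025-03-28T09:20:00Z", "dave@example.com", "192.0.2.10", "login", "s-103"),
    ("2025-03-28T09:20:04Z", "dave@example.com", "192.0.2.10", "mfa_ok", "s-103"),
    ("2025-03-28T10:05:00Z", "dave@example.com", "192.0.2.10", "activity", "s-103"),
]


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def session_replayed_elsewhere(events) -> list:
    """Sessions whose token is presented from an IP other than the one that logged in.

    With a reverse-proxy phish the IdP issues the cookie to the proxy's address;
    the attacker then imports it and uses it from somewhere else.
    """
    issued_from = {}
    hits = []
    for ts, user, ip, event, session in events:
        if event == "login":
            issued_from[session] = ip
        elif session in issued_from and ip != issued_from[session]:
            hits.append({"user": user, "session": session, "at": ts,
                         "login_ip": issued_from[session], "seen_from": ip})
    return hits


def shared_login_source(events, min_accounts=3, window=timedelta(minutes=10)) -> dict:
    """Source IPs through which several distinct accounts log in inside the window.

    Every victim of one proxy instance authenticates to the real IdP from the
    proxy's address, so unrelated users suddenly share a login source.
    """
    logins = defaultdict(list)
    for ts, user, ip, event, _ in events:
        if event == "login":
            logins[ip].append((parse_ts(ts), user))
    hits = {}
    for ip, entries in logins.items():
        entries.sort()
        for i, (start, _) in enumerate(entries):
            users = {u for t, u in entries[i:] if t - start <= window}
            if len(users) >= min_accounts:
                hits[ip] = sorted(users)
                break
    return hits


def aitm_report(events) -> dict:
    return {"replayed_sessions": session_replayed_elsewhere(events),
            "shared_login_sources": shared_login_source(events)}


if __name__ == "__main__":
    import json
    print(json.dumps(aitm_report(EVENTS), indent=2))
```

Both signals are enrichment rather than proof: mobile carriers, VPN concentrators and NAT legitimately move a user between addresses, and a corporate egress naturally carries many accounts. They become strong when combined with the provenance of the address (a hosting provider's range rather than the user's usual network) and with the fact that the victim's own browser never contacted the real sign-in page.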
https://www.darkreading.com/endpoint-security/evilginx-bypasses-mfa
- Russian Intelligence Service-Backed Campaigns Impersonate The CIA To Target Ukraine Sympathizers, Russian Citizens And Informants
"The rise in cyberattacks during ongoing conflicts of war has become a significant concern in recent years, especially as cyber capabilities are increasingly being leveraged as a form of modern warfare. Motivations behind these cyberattacks vary, from disrupting an opponent’s operations and causing widespread panic to gathering intelligence and creating strategic advantages. Silent Push Threat Researchers have identified phishing pages on a known bulletproof hosting provider, Nybula LLC, ASN 401116, but a financial motive has not yet been found for the threat actor group. The phishing pages appear to impersonate the official websites of multiple organizations, including the U.S. Central Intelligence Agency (CIA), the Russian Volunteer Corps (RVC), Legion Liberty, and the appeals hotline group Hochuzhit."
https://www.silentpush.com/blog/russian-intelligence-phishing/
https://hackread.com/russia-phishing-fake-cia-sites-anti-war-ukraine-supporters/
- Grandoreiro Trojan Distributed Via Contabo-Hosted Servers In Phishing Campaigns
"Cybercriminals are reviving the Grandoreiro banking trojan. It is actively being used in large-scale phishing campaigns, primarily targeting banking users in Latin America and Europe. Cybercriminals are leveraging VPS hosting providers and obfuscation techniques to evade detection. The malware continuously adapts, using dynamic URLs and social engineering to maximize its reach and effectiveness."
https://www.forcepoint.com/blog/x-labs/grandoreiro-trojan-targets-mexico-argentina-spain
https://www.securityweek.com/fresh-grandoreiro-banking-trojan-campaigns-target-latin-america-europe/
https://securityaffairs.com/175964/malware/crooks-are-reviving-the-grandoreiro-banking-trojan.html
- A Deep Dive Into Water Gamayun’s Arsenal And Infrastructure
"Water Gamayun, a suspected Russian threat actor also known as EncryptHub and Larva-208, has been exploiting the MSC EvilTwin (CVE-2025-26633), a zero-day vulnerability that was patched on March 11. In the first installment of this two-part series, Trend Research discussed in depth its discovery of a Water Gamayun campaign exploiting this vulnerability. In this blog entry, we will cover the various delivery methods, custom payloads and techniques used by Water Gamayun to compromise victim systems and exfiltrate sensitive data."
https://www.trendmicro.com/en_us/research/25/c/deep-dive-into-water-gamayun.html
- Iran's MOIS-Linked APT34 Spies On Allies Iraq & Yemen
"Hackers believed to be working on behalf of Iranian government intelligence have been spying on organizations in Iraq and Yemen. In many other respects — religiously, politically, economically, etc. — these countries might be considered allies. But as it is with friends of the US, North Korea, and other major cyber powers, diplomatic ties with Iran do not preclude attempts at cyberespionage."
https://www.darkreading.com/cyberattacks-data-breaches/irans-mois-linked-apt34-spies-allies-iraq-yemen
- SnakeKeylogger: A Multistage Info Stealer Malware Campaign
"Info-stealer malware has become a growing threat, with attackers constantly refining their techniques to evade detection. Among these threats, SnakeKeylogger has emerged as one of the highly active credential-stealing malware, targeting individuals and businesses. Known for its multi-stage infection chain and stealthy in-memory execution, SnakeKeylogger is designed to harvest sensitive data while remaining undetected. Recently, at Seqrite Labs, we observed an interesting malicious campaign delivering SnakeKeylogger as a final payload to compromised systems."
https://www.seqrite.com/blog/snakekeylogger-a-multistage-info-stealer-malware-campaign/
- SquareX Discloses Browser-Native Ransomware That Puts Millions At Risk
"From WannaCry to the MGM Resorts Hack, ransomware remains one of the most damaging cyberthreats to plague enterprises. Chainalysis estimates that corporations spend nearly $1 billion dollars on ransom each year, but the greater cost often comes from the reputational damage and operational disruption caused by the attack."
https://hackread.com/squarex-discloses-browser-native-ransomware-that-puts-millions-at-risk/
https://sqrx.com/browser-native-ransomware
- Exposing Crocodilus: New Device Takeover Malware Targeting Android Devices
"The mobile threat landscape has been shaped over the years by well-established banking Trojan families such as Anatsa, Octo, Hook, each evolving to introduce new techniques for evading detection and maximising financial gain. These malware strains have demonstrated how effective mobile-focused threats can be, particularly when equipped with capabilities like overlay attacks, keylogging, and abuse of Android’s Accessibility Services. Their success has not only impacted banks and crypto platforms globally, but also has inspired a growing underground market hungry for similar or improved tools."
https://www.threatfabric.com/blogs/exposing-crocodilus-new-device-takeover-malware-targeting-android-devices
https://thehackernews.com/2025/03/new-android-trojan-crocodilus-abuses.html
https://www.bleepingcomputer.com/news/security/new-crocodilus-malware-steals-android-users-crypto-wallet-keys/
https://securityaffairs.com/175976/malware/new-sophisticate-crocodilus-mobile-banking-trojan.html
Breaches/Hacks/Leaks
- Twitter (X) Hit By 2.8 Billion Profile Data Leak In Alleged Insider Job
"A data leak involving a whopping 2.87 billion Twitter (X) users has surfaced on the infamous Breach Forums. According to a post by a user named ThinkingOne, the leak is the result of a disgruntled X employee who allegedly stole the data during a period of mass layoffs. If true, this would be the largest social media data leak in history, but surprisingly, neither X nor the broader public appears to be aware of it."
https://hackread.com/twitter-x-of-2-8-billion-data-leak-an-insider-job/
- Retail Giant Sam’s Club Investigates Clop Ransomware Breach Claims
"Sam's Club, an American warehouse supermarket chain owned by U.S. retail giant Walmart, is investigating claims of a Clop ransomware breach. The Walmart division operates over 600 warehouse clubs with millions of members across the United States and Puerto Rico and almost 200 additional locations in Mexico and China. Sam's Club has over 2.3 million employees and reported a total revenue of $84.3 billion for the fiscal year ending January 31, 2023."
https://www.bleepingcomputer.com/news/security/retail-giant-sams-club-investigates-clop-ransomware-breach-claims/
https://securityaffairs.com/175999/cyber-crime/sams-club-investigates-alleged-cl0p-ransomware-breach.html
- Oracle Health Breach Compromises Patient Data At US Hospitals
"A breach at Oracle Health impacts multiple US healthcare organizations and hospitals after a threat actor stole patient data from legacy servers. Oracle Health has not yet publicly disclosed the incident, but in private communications sent to impacted customers and from conversations with those involved, BleepingComputer confirmed that patient data was stolen in the attack."
https://www.bleepingcomputer.com/news/security/oracle-health-breach-compromises-patient-data-at-us-hospitals/
- Cardiff's Children's Chief Confirms Data Leak 2 Months After Cyber Risk Was 'escalated'
"Cardiff City Council's director of children's services says data was leaked or stolen from the organization, although she did not clarify how or what was pilfered. Deborah Driffield confirmed a 'data breach' while giving an update to the Welsh council's Governance and Audit Committee, which assembled on Tuesday. 'We have had a data breach that we are currently managing, and drawing up new arrangements in relation to this world of people stealing data and sharing it on the dark web, and trying to understand how we can mitigate against that.'"
https://www.theregister.com/2025/03/28/cardiff_childrens_chief_says_city/
General News
- Navigating Cyber-Risks And New Defenses
"Cyberattacks on critical infrastructure are on the rise, driven by supply chain vulnerabilities, bad actors exploiting small and midsize businesses (SMBs) as entry points into larger organizations, and the rapid pace of digitalization. Internet of Things (IoT) devices have connected industrial settings and physical environments to digital networks, enhancing monitoring and management. But this connectivity has also introduced new entry points for cyber threats. In 2025, the threat of cyberattacks on critical infrastructure most likely will remain significant. However, continued advancements and adoption of technologies like artificial intelligence (AI) and private networks can serve as powerful countermeasures."
https://www.darkreading.com/vulnerabilities-threats/navigating-cyber-risks-new-defenses
- Student-Powered SOCs Train Security's Next Generation
"Higher educational institutions are among the most common targets of cyberattacks in the US, but universities increasingly see a silver lining to the threat landscape: Defending against such attacks can be a good training opportunity for the next generation of cybersecurity professionals. The cybersecurity incidents are usually fairly simple — a phishing attack, a bad password, or suspicious network traffic — and can be handled by student analysts, such as Ellen Hoffman, an industrial engineering student at Louisiana State University."
https://www.darkreading.com/cybersecurity-operations/student-powered-socs-train-security-next-generation
- Android Financial Threats: What Businesses Need To Know To Protect Themselves And Their Customers
"The rise of mobile banking has changed how businesses and customers interact. It brought about increased convenience and efficiency, but has also opened new doors for cybercriminals, particularly on the Android platform, which dominates the global smartphone market. According to ESET research, Android financial threats, targeting banking apps and cryptocurrency wallets, grew by 20% in H2 of 2024 compared to the first half of the year."
https://www.helpnetsecurity.com/2025/03/28/android-financial-threats/
- Cybersecurity Spending Set To Jump 12.2% In 2025
"Global cybersecurity spending is expected to grow by 12.2% in 2025, according to the latest forecast from the IDC Worldwide Security Spending Guide. The rise in cyber threats is pushing organizations to invest more in their defenses. AI tools are making these threats more sophisticated, which is adding to the urgency. IDC says this steady climb in spending will continue through 2028, hitting $377 billion by then."
https://www.helpnetsecurity.com/2025/03/28/idc-cybersecurity-spending-2025/
- U.S. Seized $8.2 Million In Crypto Linked To 'Romance Baiting' Scams
"The U.S. Department of Justice (DOJ) has seized over $8.2 million worth of USDT (Tether) cryptocurrency that was stolen via 'romance baiting' scams. Previously referred to as 'pig butchering,' in this type of financial fraud victims are manipulated into making investments on fraudulent websites/apps that showcase massive returns. Convinced they're making a profit, the victims invest increasing amounts, but when they attempt to make any significant withdrawals, they hit various problems that prevent them from completing the action."
https://www.bleepingcomputer.com/news/cryptocurrency/us-seized-82-million-in-crypto-linked-to-romance-baiting-scams/
https://securityaffairs.com/175990/cyber-crime/fbi-and-doj-seize-8-2-million-in-romance-baiting-crypto-fraud-scheme.html
- Malware In Lisp? Now You're Just Being Cruel
"Malware authors looking to evade analysis are turning to less popular programming languages like Delphi or Haskell. Computer scientists affiliated with the University of Piraeus and Athena Research Center in Greece and Delft University of Technology in the Netherlands have taken a look at recent malware to better understand why some of it gets missed by static analysis – a software testing technique for understanding code without executing it."
https://www.theregister.com/2025/03/29/malware_obscure_languages/
https://arxiv.org/abs/2503.19058
Reference
Electronic Transactions Development Agency (ETDA)
-
Claroty’s State Of CPS Security Report: Healthcare Exposures 2025
-
CISA Releases Malware Analysis Report on RESURGE Malware Associated with Ivanti Connect Secure
On 28 March 2025 the Cybersecurity and Infrastructure Security Agency (CISA) published details of the "RESURGE" malware linked to Ivanti Connect Secure. The malware is built specifically to exploit vulnerabilities in Ivanti's VPN products, with the goal of covertly gaining access to an organisation's network. According to the report, RESURGE can persist on the system, evade detection, and steal sensitive data such as credentials and other personal information.
CISA also provided technical information such as Indicators of Compromise (IOCs) and the techniques the malware uses, together with recommendations for reducing risk: installing the latest patches from Ivanti, reviewing logs for signs of intrusion, and using multi-factor authentication. The report stresses the importance of responding quickly to this threat and urges organisations running Ivanti Connect Secure to investigate and apply protections immediately to limit the damage the attack could cause.
-
CISA Issues One Industrial Control Systems Advisory
The Cybersecurity and Infrastructure Security Agency (CISA) published one Industrial Control Systems (ICS) advisory on 27 March 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS. The advisory is as follows:
- ICSA-25-037-01 Schneider Electric EcoStruxure Power Monitoring Expert (PME) (Update A)
CVSS v4 7.3
Note: exploitable remotely
Equipment: EcoStruxure Power Monitoring Expert (PME)
Vulnerability: Deserialization of Untrusted Data
Successful exploitation of this vulnerability could allow an attacker to achieve remote code execution.
Affected products
Schneider Electric reports that the following products are affected:
EcoStruxure Power Monitoring Expert (PME): versions 2022 and prior
CISA encourages users and administrators to review the newly released ICS advisory for technical details and mitigations. More details at https://www.cisa.gov/news-events/alerts/2025/03/25/cisa-releases-four-industrial-control-systems-advisories
-
ICSA-25-037-01 Schneider Electric EcoStruxure Power Monitoring Expert (PME) (Update A)
-
FBI and DOJ seize $8.2 million in cryptocurrency from a romance baiting fraud scheme
-
New Phishing-as-a-Service platform exposed, spoofing the login pages of more than 114 brands
-
Google fixes the first Chrome zero-day vulnerability of the year
-
UK fines software provider 135 million baht after data leak caused by a ransomware attack
-
Cyber Threat Intelligence 28 March 2025
Vulnerabilities
- NetApp SnapCenter Flaw Could Let Users Gain Remote Admin Access On Plug-In Systems
"A critical security flaw has been disclosed in NetApp SnapCenter that, if successfully exploited, could allow privilege escalation. SnapCenter is an enterprise-focused software that's used to manage data protection across applications, databases, virtual machines, and file systems, offering the ability to backup, restore, and clone data resources. The vulnerability, tracked as CVE-2025-26512, carries a CVSS score of 9.9 out of a maximum of 10.0."
https://thehackernews.com/2025/03/netapp-snapcenter-flaw-could-let-users.html
https://security.netapp.com/advisory/ntap-20250324-0001/
- Forescout Vedere Labs Uncovers Severe Systemic Security Risks In Global Solar Power Infrastructure
"Forescout Technologies, Inc., a global cybersecurity leader, today published its “SUN:DOWN – Destabilizing the Grid via Orchestrated Exploitation of Solar Power Systems” research report. Forescout Research – Vedere Labs discovered 46 new vulnerabilities across three of the world’s 10 leading solar inverter vendors. Additionally, Vedere Labs found that 80% of vulnerabilities in solar power systems disclosed in the last three years were classified as high or critical severity. These findings reveal severe systemic security weaknesses in the solar ecosystem that could impact power grid stability, utility operations, and consumer data privacy."
https://www.forescout.com/press-releases/forescout-vedere-labs-uncovers-severe-systemic-security-risks-in-global-solar-power-infrastructure/
https://www.bleepingcomputer.com/news/security/dozens-of-solar-inverter-flaws-could-be-exploited-to-attack-power-grids/
https://www.securityweek.com/more-solar-system-vulnerabilities-expose-power-grids-to-hacking/
- Mozilla Warns Windows Users Of Critical Firefox Sandbox Escape Flaw
"Mozilla has released Firefox 136.0.4 to patch a critical security vulnerability that can let attackers escape the web browser's sandbox on Windows systems. Tracked as CVE-2025-2857, this flaw is described as an "incorrect handle could lead to sandbox escapes" and was reported by Mozilla developer Andrew McCreight. The vulnerability impacts the latest Firefox standard and extended support releases (ESR) designed for organizations that require extended support for mass deployments. Mozilla fixed the security flaw in Firefox 136.0.4 and Firefox ESR versions 115.21.1 and 128.8.1."
https://www.bleepingcomputer.com/news/security/mozilla-warns-windows-users-of-critical-firefox-sandbox-escape-flaw/
- CISA Adds One Known Exploited Vulnerability To Catalog
"CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
CVE-2025-2783 Google Chromium Mojo Sandbox Escape Vulnerability"
https://www.cisa.gov/news-events/alerts/2025/03/27/cisa-adds-one-known-exploited-vulnerability-catalog
https://securityaffairs.com/175936/security/u-s-cisa-adds-google-chromium-mojo-flaw-to-its-known-exploited-vulnerabilities-catalog.html
- Splunk Patches Dozens Of Vulnerabilities
"Splunk on Wednesday announced patches for dozens of vulnerabilities across its products, including two high-severity flaws in Splunk Enterprise and Secure Gateway App. The enterprise monitoring solution received patches for a remote code execution (RCE) bug that could be exploited by low-privileged users by uploading a file to the ‘$SPLUNK_HOME/var/run/splunk/apptemp’ directory."
https://www.securityweek.com/splunk-patches-dozens-of-vulnerabilities/
Malware
- Over 150K Websites Hit By Full-Page Hijack Linking To Chinese Gambling Sites
"In February, we uncovered a threat actor targeting over 35,000 websites with a malicious full-page hijack injection. We’ve continued to monitor this actor’s activities and have identified new tactics and techniques. They’ve scaled up their operations significantly, as we now estimate that approximately 150,000 websites have been impacted by this campaign."
https://cside.dev/blog/over-150k-websites-hit-by-full-page-hijack-linking-to-chinese-gambling-sites
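A full-page hijack of the kind c/side describes leaves two things in the served HTML: a script tag loading from a host the site does not own, and inline script that overwrites or redirects the whole document. The audit below is example code added for this digest, not c/side's detection logic; the page and the allowlist it checks are constructed, with hostnames in the reserved example and invalid TLDs.

```python
"""Audit a page for the two things a full-page hijack injection leaves behind:
a script tag loading from a host the site does not own, and inline script that
rewrites or redirects the whole document.

Added example for this digest, not c/side's detection logic. The HTML and the
allowlist below are constructed; hostnames use reserved example/invalid TLDs.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

HIJACK_PATTERNS = (
    r"document\.write\(",                      # overwrite the page body
    r"document\.body\.innerHTML\s*=",
    r"(window|top)\.location(\.href)?\s*=",    # whole-window redirect
    r"location\.replace\(",
    r"String\.fromCharCode|atob\(|eval\(",     # typical obfuscation wrappers
)


class ScriptCollector(HTMLParser):
    """Collect external script sources and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external, self.inline = [], []
        self._in_script, self._buf = False, []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script, self._buf = True, []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False


def audit_page(html: str, allowed_hosts: set) -> list:
    """Return findings for off-allowlist script hosts and hijack-style inline code."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src in collector.external:
        host = urlparse(src).netloc.rsplit("@", 1)[-1].split(":")[0].lower()
        if host and host not in allowed_hosts:        # relative src has no host
            findings.append({"kind": "external_script", "detail": src})
    for body in collector.inline:
        matched = [p for p in HIJACK_PATTERNS if re.search(p, body)]
        if matched:
            findings.append({"kind": "inline_hijack", "detail": body[:80].strip(),
                             "patterns": matched})
    return findings


# Constructed page: two legitimate scripts, one injected loader, one injected
# inline hijack that paints a full-viewport iframe over the real content.
SAMPLE_HTML = """<!doctype html><html><head><title>Shop</title>
<script src="/assets/app.js"></script>
<script src="https://cdn.shop.example/vendor.js"></script>
<script src="https://stats.invalid/t.js"></script>
<script>var page = "home"; console.log(page);</script>
<script>document.write('<iframe src="https://casino.invalid/" style="position:fixed;top:0;left:0;width:100%;height:100%;border:0"></iframe>');</script>
</head><body><h1>Welcome</h1></body></html>"""
ALLOWED_HOSTS = {"cdn.shop.example"}

if __name__ == "__main__":
    for finding in audit_page(SAMPLE_HTML, ALLOWED_HOSTS):
        print(finding)
```

Run it against the HTML your CDN actually serves to visitors, not the template on disk: injections of this kind are usually written into the database or theme files and only appear in the rendered output. A Content-Security-Policy with an explicit `script-src` allowlist turns the same check into a browser-enforced control.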
https://thehackernews.com/2025/03/150000-sites-compromised-by-javascript.html
- Hijacked Microsoft Stream Classic Domain "spams" SharePoint Sites
"The legacy domain for Microsoft Stream was hijacked to show a fake Amazon site promoting a Thailand casino, causing all SharePoint sites with old embedded videos to display it as spam. Microsoft Stream is an enterprise video streaming service that allows organizations to upload and share videos in Microsoft 365 apps, such as Teams and SharePoint. Video content hosted on Microsoft Stream was accessed or embedded through a portal at microsoftstream.com."
https://www.bleepingcomputer.com/news/microsoft/hijacked-microsoft-stream-classic-domain-spams-sharepoint-sites/
- Multiple Crypto Packages Hijacked, Turned Into Info-Stealers
"Sonatype has identified multiple npm cryptocurrency packages, latest versions of which have been hijacked and altered to steal sensitive information such as environment variables from the target victims. Some of these packages have lived on npmjs.com for over 9 years, and provide legitimate functionality to blockchain developers. However, our automated malware detection systems detected that the latest versions of each of these packages were laden with obfuscated scripts, raising alarms."
https://www.sonatype.com/blog/multiple-crypto-packages-hijacked-turned-into-info-stealers
https://www.bleepingcomputer.com/news/security/infostealer-campaign-compromises-10-npm-packages-targets-devs/
- Snow White — Beware The Bad Apple In The Torrent
"As the new Snow White movie arrives in theaters with lackluster audience attendance, the absence of streaming options on platforms like Disney+ has nudged many users to seek pirated versions online. From our perspective, this kind of consumer behavior isn’t new, every high-profile movie release without a digital option becomes an opportunity for attackers to exploit users eager to watch from home."
https://veriti.ai/blog/beware-the-bad-apple-in-the-torrent/
https://hackread.com/fake-snow-white-movie-torrent-infects-device-malware/
- A Phishing Tale Of DoH And DNS MX Abuse
"Threat actors are increasingly adept at leveraging DNS to enhance the effectiveness of their cyber campaigns. We recently discovered a DNS technique used to tailor content to victims. We have discovered a phishing kit that creatively employs DNS mail exchange (MX) records to dynamically serve fake, tailored, login pages, spoofing over 100 brands. The threat actor behind the campaigns often exploits open redirects on adtech infrastructure, compromises domains for phishing distribution, and distributes stolen credentials through several mechanisms, including Telegram. We have found many variations of this phishing kit and assessed that they likely stem from a phishing-as-a-service (PhaaS) platform."
https://blogs.infoblox.com/threat-intelligence/a-phishing-tale-of-doh-and-dns-mx-abuse/
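The trick in the Infoblox item is small but effective: the kit reads the MX record of the victim's mail domain (over DNS-over-HTTPS, from the victim's browser) and uses the mail provider it finds to decide which branded login page to render. The block below, example code added for this digest rather than Infoblox's analysis, shows both sides: the template selection as the kit would do it, using a constructed MX table in place of live DoH answers, and a web-proxy log check that flags the browser-originated MX lookups the technique produces. The log lines are constructed as well.

```python
"""How an MX-driven phishing kit picks its login template, and how the lookup
it makes shows up in web-proxy logs.

Added example for this digest, not Infoblox's analysis. The MX table stands in
for answers the kit would fetch over DoH, and the proxy lines are constructed;
no live DNS is used.
"""
import re
from urllib.parse import parse_qs, urlparse

# Constructed MX answers for the victim's mail domain.
MX_TABLE = {
    "example.com": ["aspmx.l.google.com."],
    "example.org": ["example-org.mail.protection.outlook.com."],
    "acme.example": ["mail.acme.example."],      # self-hosted, no known provider
}
# MX hostname suffix -> the provider login page the kit would imitate.
PROVIDER_BY_MX_SUFFIX = (
    (".google.com.", "google_workspace"),
    (".mail.protection.outlook.com.", "microsoft365"),
    (".yahoodns.net.", "yahoo"),
)
DOH_PATHS = ("/dns-query", "/resolve")
LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "(?P<ua>[^"]*)"$')


def pick_template(email: str, resolve=None) -> dict:
    """Choose the branded page for a mailbox from its domain's MX records."""
    resolve = resolve or (lambda domain: MX_TABLE.get(domain, []))
    domain = email.rsplit("@", 1)[-1].lower()
    mx_hosts = [h.lower() for h in resolve(domain)]
    for host in mx_hosts:
        for suffix, provider in PROVIDER_BY_MX_SUFFIX:
            if host.endswith(suffix):
                return {"domain": domain, "mx": host, "template": provider}
    # Unrecognised or missing MX: fall back to a generic webmail look.
    return {"domain": domain, "mx": mx_hosts[0] if mx_hosts else None,
            "template": "generic_webmail"}


def doh_mx_lookups(log_lines) -> list:
    """Flag GET-style DoH queries for MX records (type=MX or the numeric 15).

    Ordinary name resolution never asks for MX records; a web page that pulls
    MX answers from a public resolver's JSON API is script deciding what to show.
    """
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlparse(m["url"])
        if not url.path.endswith(DOH_PATHS):
            continue
        query = parse_qs(url.query)
        if query.get("type", [""])[0].upper() in ("MX", "15"):
            hits.append({"client": m["client"], "resolver": url.netloc,
                         "name": query.get("name", [""])[0]})
    return hits


# Constructed proxy lines: timestamp, client, method, URL, user agent.
SAMPLE_PROXY_LOG = [
    '2025-03-27T10:12:01Z 10.0.0.21 GET https://dns.google/resolve?name=example.org&type=MX "Mozilla/5.0 (Windows NT 10.0)"',
    '2025-03-27T10:12:02Z 10.0.0.21 GET https://cloudflare-dns.com/dns-query?name=example.com&type=15 "Mozilla/5.0 (Windows NT 10.0)"',
    '2025-03-27T10:12:03Z 10.0.0.22 GET https://dns.google/resolve?name=example.com&type=A "Mozilla/5.0 (Windows NT 10.0)"',
    '2025-03-27T10:12:04Z 10.0.0.23 GET https://www.example.org/ "Mozilla/5.0 (Windows NT 10.0)"',
]

if __name__ == "__main__":
    for mailbox in ("user@example.org", "user@acme.example"):
        print(pick_template(mailbox))
    for hit in doh_mx_lookups(SAMPLE_PROXY_LOG):
        print(hit)
```

The proxy check only sees query-string DoH requests; RFC 8484 wire-format queries carried in a POST body or a `dns=` parameter need to be decoded before the record type is visible, and a kit that resolves MX server-side leaves nothing on the victim's network at all. Blocking public DoH resolvers at the egress forces the lookup onto the corporate resolver, where the same MX query from a workstation stands out in ordinary DNS logs.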
https://thehackernews.com/2025/03/new-morphing-meerkat-phishing-kit.html
- Turning Aid Into Attack: Exploitation Of Pakistan's Youth Laptop Scheme To Target India
"In this report, CYFIRMA examines the tactics employed by a Pakistan-based APT group, assessed with medium confidence as APT36, who created a fake IndiaPost website to target and infect both Windows and Android users. We analysed the dropped Android executable and also revealed metadata indicating that the PDF was created in the same time zone that Pakistan is in. Additionally, the laptop used to generate the file is part of Pakistan’s Prime Minister Youth Laptop Scheme. Further investigation into the IP resolution uncovered a domain associated with tactics commonly used by Pakistani APT groups."
https://www.cyfirma.com/research/turning-aid-into-attack-exploitation-of-pakistans-youth-laptop-scheme-to-target-india/
https://thehackernews.com/2025/03/apt36-spoofs-india-post-website-to.html
- Serbia: BIRN Journalists Targeted With Pegasus Spyware
"Two journalists from Balkan Investigative Reporting Network (BIRN), an award-winning Serbian network of investigative journalists, were targeted with NSO Group’s Pegasus spyware last month, a new Amnesty International investigation reveals. Journalists Bogdana (not her real name) and Jelena Veljkovic received suspicious messages on the Viber messaging app from an unknown Serbian number linked to Telekom Srbija, the state-telecommunications operator. Suspecting that their smartphones were being targeted by a spyware attack, they approached Amnesty International’s Security Lab, whose forensic analysis confirmed their suspicions."
https://www.amnesty.org/en/latest/news/2025/03/serbia-birn-journalists-targeted-with-pegasus-spyware/
https://therecord.media/two-serbian-journalists-targeted-with-pegasus-spyware
- PJobRAT Makes a Comeback, Takes Another Crack At Chat Apps
"In 2021, researchers reported that PJobRAT – an Android RAT first observed in 2019 – was targeting Indian military personnel by imitating various dating and instant messaging apps. Since then, there’s been little news about PJobRAT – until, during a recent threat hunt, Sophos X-Ops researchers uncovered a new campaign – now seemingly over – that appeared to target users in Taiwan. PJobRAT can steal SMS messages, phone contacts, device and app information, documents, and media files from infected Android devices."
https://news.sophos.com/en-us/2025/03/27/pjobrat-makes-a-comeback-takes-another-crack-at-chat-apps/
https://www.infosecurity-magazine.com/news/pjobrat-malware-targets-taiwan-via/
Breaches/Hacks/Leaks
- Thousands Of Driver’s Licenses, Bank Documents & PII Exposed In Australian Fintech Data Breach
"Cybersecurity Researcher, Jeremiah Fowler, discovered and reported to Website Planet about a non-password-protected database that contained 27,000 records belonging to Vroom by YouX — an Australia-based Fintech company that facilitates automotive financing."
https://www.websiteplanet.com/news/vroom-report-breach/
https://hackread.com/aussie-fintech-vroom-pii-records-aws-misconfiguration/
General News
- Navigating Cybercrime Currents In Latin America: Strengthening The Region’s Defenses
"Gather all, gather ye! Group-IB experts are here to uncover trade secrets from the dark side—cybercrime insights on unseen TTPs, hidden infrastructures, and strategies of the most nefarious threat actors. The fight against cybercrime is a constant ordeal, but the shadows grow weaker with each shore we conquer. Group-IB’s two-decade-long perseverance, technological and human expertise know no bounds — from shore to shore, land to land, we extend and stand with people, governments, and businesses as their shield against evolving crime."
https://www.group-ib.com/blog/navigating-cybercrime-latin-america/
- The Hidden Costs Of Security Tool Bloat And How To Fix It
"In this Help Net Security interview, Shane Buckley, President and CEO at Gigamon, discusses why combating tool bloat is a top priority for CISOs as they face tighter budgets and expanding security stacks. Buckley shares insights on how deep observability can streamline security operations, optimize costs, and strengthen a defense-in-depth strategy."
https://www.helpnetsecurity.com/2025/03/27/shane-buckley-gigamon-deep-observability-tool-stacks/
- Cyber Insurance Isn’t Always What It Seems
"Many companies think cyber insurance will protect them from financial losses after an attack. But many policies have gaps. Some claims get denied. Others cover less than expected. CISOs must understand the risks before an attack happens."
https://www.helpnetsecurity.com/2025/03/27/cyber-insurance-ciso/
- New Year, New Threats: Q1 2025’s Most Exploited WordPress Vulnerabilities
"WordPress remains the backbone of millions of websites, offering flexibility and scalability through its extensive library of plugins and themes. However, this same openness also makes it a frequent target for cyber threats. Attackers are constantly scanning for outdated software, unpatched vulnerabilities, and misconfigurations that can be exploited to gain unauthorized access. The reality is clear: many WordPress sites remain vulnerable long after security flaws are disclosed, simply because updates are delayed or neglected. In this environment, relying solely on developer-issued patches isn’t enough—proactive security measures are essential."
https://patchstack.com/articles/new-year-new-threats-q1-2025s-most-exploited-wordpress-vulnerabilities/
https://www.bleepingcomputer.com/news/security/the-four-wordpress-flaws-hackers-targeted-the-most-in-q1-2025/
- Hacktivists Increasingly Target France For Its Diplomatic Efforts
"According to a Cyble report sent to clients recently, France is increasingly becoming a target of hacktivists for its active role in international diplomacy and in ongoing conflicts in Ukraine and the Middle East. France’s role in those conflicts “has drawn the ire of pro-Russian and pro-Palestinian hacktivist groups,” Cyble said, as those hacktivists have found ideological alignment and a common adversary in France."
https://cyble.com/blog/hacktivists-france-for-its-diplomatic-efforts/
- New Security Requirements Adopted By HTTPS Certificate Industry
"The Chrome Root Program launched in 2022 as part of Google’s ongoing commitment to upholding secure and reliable network connections in Chrome. We previously described how the Chrome Root Program keeps users safe, and described how the program is focused on promoting technologies and practices that strengthen the underlying security assurances provided by Transport Layer Security (TLS). Many of these initiatives are described on our forward looking, public roadmap named “Moving Forward, Together.”"
https://security.googleblog.com/2025/03/new-security-requirements-adopted-by.html
- Good Security Practice For Domain Registrars
"This guidance is for domain registrars and operators of Domain Name System (DNS) services. It sets out outcomes and recommendations to promote good practice in a set of principles, and aims to reduce the prevalence of malicious and abusive domain registrations. It builds on existing industry good practice from international bodies such as ICANN and the NetBeacon Institute. It is consistent with other UK government guidance issued to registrars and other infrastructure service providers to tackle other issues such as fraud, extremist and illegal content."
https://www.ncsc.gov.uk/collection/security-practice-domain-registrars
https://www.infosecurity-magazine.com/news/ncsc-urges-domain-registrars/
https://www.helpnetsecurity.com/2025/03/27/ncsc-offers-security-guidance-for-domain-and-dns-registrars/
- A Closer Look At The Ultimate Cybersecurity Careers Guide
"In this Help Net Security interview, Kim Crawley, cybersecurity expert and Professor at the Open Institute of Technology, discusses her latest book, The Ultimate Cybersecurity Careers Guide. She shares insights on how aspiring professionals can break into the field and explores the importance of continuous learning."
https://www.helpnetsecurity.com/2025/03/27/kim-crawley-ultimate-cybersecurity-careers-guide/
- National Strategic Assessment 2025 Of Serious And Organised Crime
"Serious and organised crime (SOC) continues to cause more harm to more people than any other national security threat. It is responsible for danger in our homes and on our streets, stunting our economy, and damaging our communities. The purpose of this assessment is to understand these threats, so that we can better address them. The National Strategic Assessment of Serious and Organised Crime 2025 builds on last year’s comprehensive baseline and draws out the trends and themes of the last 12 months."
https://www.nationalcrimeagency.gov.uk/nsa-2025
https://www.infosecurity-magazine.com/news/nca-warns-of-sadistic-online-com/
- Russia Arrests Three For Allegedly Creating Mamont Malware, Tied To Over 300 Cybercrimes
"Russian authorities have arrested three individuals suspected of developing the Mamont malware, a recently identified banking trojan targeting Android devices. The suspects, whose identities remain undisclosed, were apprehended in the Saratov region. A video released by the Russian Ministry of Internal Affairs (MVD) shows the arrested individuals in handcuffs, being escorted by police officers. According to the MVD, the trio is linked to over 300 cybercrime incidents. Authorities also seized computers, storage devices, communication tools and bank cards."
https://therecord.media/mamont-banking-malware-arrests-russia
- Cloud Threats On The Rise: Alert Trends Show Intensified Attacker Focus On IAM, Exfiltration
"The attacks against cloud-hosted infrastructure are increasing, and the proof is in the analysis of security alert trends. Recent research reveals that organizations saw nearly five times as many daily cloud-based alerts at the end of 2024 compared to the start of the year. This means attackers have significantly intensified their focus on targeting and breaching cloud infrastructure. These alerts aren’t simply noise. We’ve seen the greatest increases in high severity alerts, meaning indicators of attacks are successfully targeting critical cloud resources as explained in Table 1."
https://unit42.paloaltonetworks.com/2025-cloud-security-alert-trends/
https://www.darkreading.com/cyber-risk/high-severity-cloud-security-alerts-tripled-2024
References
Electronic Transactions Development Agency (ETDA)
-
Cyber Threat Intelligence 27 March 2025
New Tooling
- Malwoverview: First Response Tool For Threat Hunting
"Malwoverview is an open-source threat hunting tool designed for the initial triage of malware samples, URLs, IP addresses, domains, malware families, IOCs, and hashes. Malwoverview is simple and direct, integrating multiple public sandboxes to retrieve and display only relevant information. It enables professionals to gather broad insights into a threat before analyzing it. The tool pulls data from sources like VirusTotal, Hybrid Analysis, Malshare, URLHaus, Polyswarm, AlienVault, Malpedia, Malware Bazaar, Triage, InQuest, and Virus Exchange."
https://www.helpnetsecurity.com/2025/03/26/malwoverview-first-response-tool-threat-hunting/
https://github.com/alexandreborges/malwoverview
- Cybertron Reshapes AI Security As “Cyber Brain” Grows
"Trend Micro is excited to introduce Trend Cybertron — a groundbreaking advancement that is transforming cybersecurity in an increasingly AI-driven world. While Trend Vision One customers benefit from the fully integrated Trend Cybertron "cyber brain," Trend Micro has now made select components of Trend Cybertron available as open-source. These offerings include cybersecurity-focused LLMs, extensive training datasets, and practical tools like the Cloud Risk Assessment AI Agent."
https://www.trendmicro.com/en_us/research/25/c/cybertron-ai-security.html
Vulnerabilities
- CISA Adds Two Known Exploited Vulnerabilities To Catalog
"CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
CVE-2019-9874 Sitecore CMS and Experience Platform (XP) Deserialization Vulnerability
CVE-2019-9875 Sitecore CMS and Experience Platform (XP) Deserialization Vulnerability"
https://www.cisa.gov/news-events/alerts/2025/03/26/cisa-adds-two-known-exploited-vulnerabilities-catalog
Malware
- Report On Ransomware Attacks Targeting Korean Companies
"In recent years, ransomware attacks have been increasing worldwide, with Korean companies also experiencing a rise in cases. Especially since 2023, there has been a sharp surge in ransomware incidents targeting the Asia region, highlighting the need for a systematic analysis of this trend and its impact."
https://asec.ahnlab.com/en/87009/
- Unmasking The Classiscam In Central Asia
"With the rapid development of technology and the widespread digitalization of businesses and services, online platforms have become popular in developing countries. These platforms offer greater convenience for business owners and local communities. In Central Asia, the use of such online markets began after 2015, enabling the trade of a wide range of products, from used electronics to brand-new items."
https://www.group-ib.com/blog/unmasking-the-classiscam-in-central-asia/
- RedCurl's Ransomware Debut: A Technical Deep Dive
"This research, conducted by Bitdefender Labs, presents the first documented analysis of a ransomware campaign attributed to the RedCurl group (also known as Earth Kapre or Red Wolf). RedCurl has historically maintained a low profile, relying heavily on Living-off-the-Land (LOTL) techniques for corporate cyber espionage and data exfiltration. This shift to ransomware marks a significant evolution in their tactics. This new ransomware, which we have named QWCrypt based on a self-reference 'qwc' found within the executable, is previously undocumented and distinct from known ransomware families."
https://www.bitdefender.com/en-us/blog/businessinsights/redcurl-qwcrypt-ransomware-technical-deep-dive
https://www.bleepingcomputer.com/news/security/redcurl-cyberspies-create-ransomware-to-encrypt-hyper-v-servers/
https://thehackernews.com/2025/03/redcurl-shifts-from-espionage-to.html
https://www.bankinfosecurity.com/mercenary-hacking-group-appears-to-embrace-ransomware-a-27834
- Malware Found On Npm Infecting Local Package With Reverse Shell
"Unlike some other public repositories, the npm package repository is never really quiet. And, while there has been some decline in malware numbers between 2023 and 2024, this year's numbers don’t seem to continue that downward trend. Still, while RL has detected some interesting npm malware so far this year, none of it warranted a detailed writeup. Then March rolled around, and two very interesting packages were published on npm: ethers-provider2 and ethers-providerz."
https://www.reversinglabs.com/blog/malicious-npm-patch-delivers-reverse-shell
https://thehackernews.com/2025/03/malicious-npm-package-modifies-local.html
https://www.bleepingcomputer.com/news/security/new-npm-attack-poisons-local-packages-with-backdoors/
https://hackread.com/npm-malware-infects-ethereum-library-with-backdoor/
https://www.infosecurity-magazine.com/news/malicious-npm-packages-deliver/
- 'Lucid' Phishing-As-a-Service Exploits Faults In iMessage, Android RCS
"Chinese phishing operatives are spreading remarkably effective scams by exploiting mobile messaging protocols. iMessage and Rich Communication Services (RCS) are the preferred ways to message others using your iPhone or Android, respectively. Unlike the Short and Multimedia Messaging Services (SMS/MMS), they offer end-to-end encryption, read-receipts messages, higher-quality media, and looser character and file-size limits. But now, Chinese malware developers have figured out how to undermine their more advanced features."
https://www.darkreading.com/threat-intelligence/lucid-phishing-exploits-imessage-android-rcs
https://catalyst.prodaft.com/public/report/lucid/overview
- Booking.com Phish Uses Fake CAPTCHAs To Trick Hotel Staff Into Downloading Malware
"A new phishing campaign that uses the fake CAPTCHA websites we reported about recently is targeting hotel staff in a likely attempt to access customer data, according to research from ThreatDown. Here’s how it works: Cybercriminals send a fake Booking.com email to a hotel’s email address, asking them to confirm a booking."
https://www.malwarebytes.com/blog/news/2025/03/fake-booking-com-phish-uses-fake-captchas-to-trick-hotel-staff-into-downloading-malware
- DeepSeek Users Targeted With Fake Sponsored Google Ads That Deliver Malware
"DeepSeek’s rising popularity has not only raised concerns and questions about privacy implications, but cybercriminals are also using it as a lure to trap unsuspecting Google searchers. Unfortunately, we are getting so used to sponsored Google search results being abused by criminals that we advise people not to click on them. So, it was to be expected that DeepSeek would show up in our monitoring of fake Google ads."
https://www.malwarebytes.com/blog/news/2025/03/deepseek-users-targeted-with-fake-sponsored-google-ads-that-deliver-malware
- ReaderUpdate Reforged | Melting Pot Of MacOS Malware Adds Go To Crystal, Nim And Rust Variants
"ReaderUpdate is a macOS malware loader platform that, despite having been in the wild since at least 2020, has passed relatively unnoticed by many vendors and remains widely undetected. A report in 2023 observed that ReaderUpdate infections were contiguous with but distinct from WizardUpdate (aka UpdateAgent, Silver Toucan) infections and seen to deliver Genieo (aka DOLITTLE) adware. The loader seems to have been largely dormant since then until the latter half of 2024, when several vendors began reporting on previously unseen macOS malware samples written in the Crystal programming language. Variants written in Nim and Rust were also identified."
https://www.sentinelone.com/blog/readerupdate-reforged-melting-pot-of-macos-malware-adds-go-to-crystal-nim-and-rust-variants/
https://www.securityweek.com/macos-users-warned-of-new-versions-of-readerupdate-malware/
https://securityaffairs.com/175891/malware/readerupdate-malware-variants-targets-macos.html
- Blacklock Ransomware: A Late Holiday Gift With Intrusion Into The Threat Actor's Infrastructure
"Dubbed “BlackLock” (aka "El Dorado" or "Eldorado"), the ransomware-as-a-service (RaaS) outfit has existed since March 2024. In Q4 of last year, it increased its number of data leak posts by a staggering 1,425% quarter-on-quarter. According to independent reporting, a relatively new group has rapidly accelerated attacks and could become the most dominant RaaS group in 2025."
https://www.resecurity.com/blog/article/blacklock-ransomware-a-late-holiday-gift-with-intrusion-into-the-threat-actors-infrastructure
https://securityaffairs.com/175877/cyber-crime/blacklock-ransomware-targeted-by-cybersecurity-firm.html
- CoffeeLoader: A Brew Of Stealthy Techniques
"Zscaler ThreatLabz has identified a new sophisticated malware family that we named CoffeeLoader, which originated around September 2024. The purpose of the malware is to download and execute second-stage payloads while evading detection by endpoint-based security products. The malware uses numerous techniques to bypass security solutions, including a specialized packer that utilizes the GPU, call stack spoofing, sleep obfuscation, and the use of Windows fibers. ThreatLabz has observed CoffeeLoader being distributed via SmokeLoader, and both malware families share some behavioral similarities."
https://www.zscaler.com/blogs/security-research/coffeeloader-brew-stealthy-techniques
- You Will Always Remember This As The Day You Finally Caught FamousSparrow
"In July 2024, ESET Research noticed suspicious activity on the system of a trade group in the United States that operates in the financial sector. While helping the affected entity remediate the compromise, we made an unexpected discovery in the victim’s network: malicious tools belonging to FamousSparrow, a China-aligned APT group. There had been no publicly documented FamousSparrow activity since 2022, so the group was thought to be inactive. Not only was FamousSparrow still active during this period, it must have also been hard at work developing its toolset, since the compromised network revealed not one, but two previously undocumented versions of SparrowDoor, FamousSparrow’s flagship backdoor."
https://www.welivesecurity.com/en/eset-research/you-will-always-remember-this-as-the-day-you-finally-caught-famoussparrow/
https://thehackernews.com/2025/03/new-sparrowdoor-backdoor-variants-found.html
https://therecord.media/china-famous-sparrow-back-eset
https://www.helpnetsecurity.com/2025/03/26/famoussparrow-cyberespionage-attacks-united-states/
- Shifting The Sands Of RansomHub’s EDRKillShifter
"ESET researchers take a look back at the significant changes in the ransomware ecosystem in 2024 and focus on the newly emerged and currently dominating ransomware-as-a-service (RaaS) gang, RansomHub. We share previously unpublished insights into RansomHub’s affiliate structure and uncover clear connections between this newly emerged giant and well-established gangs Play, Medusa, and BianLian. We also emphasize the emerging threat of EDR killers, unmasking EDRKillShifter, a custom EDR killer developed and maintained by RansomHub. We have observed an increase in ransomware affiliates using code derived from publicly available proofs of concept, while the set of drivers being abused is largely fixed."
https://www.welivesecurity.com/en/eset-research/shifting-sands-ransomhub-edrkillshifter/
https://www.helpnetsecurity.com/2025/03/26/ransomhub-edrkillshifter-tool/
- Inside Kimsuky’s Latest Cyberattack: Analyzing Malicious Scripts And Payloads
"Kimsuky, also known as “Black Banshee,” a North Korean APT group active at least from 2012, is believed to be state-sponsored. Their cyber espionage targets countries like South Korea, Japan, and the U.S. Their tactics include phishing, malware infections (RATs, backdoors, wiper malware), supply chain attacks, lateral movement within networks and data exfiltration. Recently, we came across IOCs of this APT’s latest attack shared in a tweet, which pointed to a ZIP file containing the actual payloads. In this blog, we will analyse the infection chain and conduct a deep dive into the examination of these payloads. We will also explore how the malware operates, its behaviour, and the techniques used to execute the attack."
https://labs.k7computing.com/index.php/inside-kimsukys-latest-cyberattack-analyzing-malicious-scripts-and-payloads/
Breaches/Hacks/Leaks
- Oracle Customers Confirm Data Stolen In Alleged Cloud Breach Is Valid
"Despite Oracle denying a breach of its Oracle Cloud federated SSO login servers and the theft of account data for 6 million people, BleepingComputer has confirmed with multiple companies that associated data samples shared by the threat actor are valid. Last week, a person named ‘rose87168’ claimed to have breached Oracle Cloud servers and began selling the alleged authentication data and encrypted passwords of 6 million users. The threat actor also said that stolen SSO and LDAP passwords could be decrypted using the info in the stolen files and offered to share some of the data with anyone who could help recover them."
https://www.bleepingcomputer.com/news/security/oracle-customers-confirm-data-stolen-in-alleged-cloud-breach-is-valid/
- StreamElements Discloses Third-Party Data Breach After Hacker Leaks Data
"Cloud-based streaming company StreamElements confirms it suffered a data breach at a third-party service provider after a threat actor leaked samples of stolen data on a hacking forum. The platform has reassured users that the attack didn't impact its servers, though older data at a third-party provider they stopped working with last year was still exposed. "We recently became aware of a data security incident involving a third-party service provider we stopped working with last year," the company tweeted on X."
https://www.bleepingcomputer.com/news/security/streamelements-discloses-third-party-data-breach-after-hacker-leaks-data/
- New Ransomware Group Claims Attack On US Telecom Firm WideOpenWest
"A new ransomware group claims to have hacked the systems of US telecommunications provider WideOpenWest (WOW!), and to have taken control of critical systems, in addition to stealing customer information. Calling itself Arkana Security, the threat actor claims to be performing penetration testing, hacking into organizations’ networks by exploiting vulnerabilities in corporate systems. They also steal the victims’ data to coerce them into paying a so-called “fee”."
https://www.securityweek.com/new-ransomware-group-claims-attack-on-us-telecom-firm-wideopenwest/
- Thousands Of NSW Court Documents Downloaded In "Major Data Breach"
"Thousands of “sensitive” NSW court filings have been downloaded by unknown threat actors after a breach of the NSW Online Registry website. The website provides online court services for the NSW Supreme, District and Local Courts, and is overseen by the state’s Department of Communities and Justice (DCJ). NSW Police said they were alerted to the “major data breach” of the website on Tuesday. Cybercrime detectives are investigating the incident under what they are calling ‘Strike Force Pardey’."
https://www.itnews.com.au/news/thousands-of-nsw-court-documents-downloaded-in-major-data-breach-615999
https://www.theregister.com/2025/03/26/nsw_police_investigating_court_system/
General News
- How Does Your Data End Up On The Dark Web?
"The dark web is a hidden corner of the internet where people can remain anonymous. It’s often confused with the deep web, but they’re not quite the same thing. The deep web is just everything online that’s not indexed by search engines. This includes things like email accounts, private databases, and paid services. It’s not illegal, it’s just not meant to be found with a simple Google search. The dark web, however, is a specific, hidden section of the deep web. To access it, you need special software like Tor."
https://www.helpnetsecurity.com/2025/03/26/how-dark-web-works/
- Threat Actors Abuse Trust In Cloud Collaboration Platforms
"Threat actors constantly evolve with new mechanisms to bypass multiple secure email gateways (SEGs). A specific mechanism to evade detection is using online documents, such as Adobe, DocuSign, Dropbox, Canva, and Zoho. These services are often used internally and externally by companies, making the domains a trusted source when it comes to SEG automation. Some of these services will even email the recipient of the document directly, allowing threat actors to put little effort into their campaigns. These document websites took up 8.8% of all credential phishing campaigns in 2024, showing the growing significance of this method."
https://cofense.com/blog/threat-actors-abuse-trust-in-cloud-collaboration-platforms
https://www.infosecurity-magazine.com/news/threat-actors-abuse-cloud-platforms/
- Cybersecurity Gaps Leave Doors Wide Open
"Cybercriminals don't always need cutting-edge hacks to breach organizations when they can just waltz in through the front door. Despite pouring millions into advanced cybersecurity technologies, many organizations continue to overlook essential security practices — such as timely patching, vulnerability scanning, and penetration testing — leaving them susceptible to pricey and often very preventable breaches."
https://www.darkreading.com/cyberattacks-data-breaches/cybersecurity-gaps-leave-doors-wide-open
https://www.horizon3.ai/downloads/research/annual-insights-report-the-state-of-cybersecurity-in-2025/
- Beyond STIX: Next-Level Cyber-Threat Intelligence
"Cybersecurity has become central to every enterprise's digital strategy, but to stay ahead of evolving cyber threats, organizations need a common language that turns complex threat data into something universally understandable and actionable. This is where Structured Threat Information Expression (STIX) comes in — a standardized language for sharing, storing, and analyzing cyber threat intelligence."
https://www.darkreading.com/threat-intelligence/beyond-stix-next-level-cyber-threat-intelligence
- Security Tech That Can Make a Difference During An Attack
"When the FBI contacted Massachusetts-based Littleton Electric Light and Water Departments (LELWD) about Volt Typhoon, the small public utility was not aware the Chinese attack group had already been in the company's network for more than 300 days. While the utility had security controls protecting the perimeter, there were some gaps in its security technology and policy. A more rigorous update strategy for its network and security appliances would have prevented the initial compromise. In addition, monitoring internal traffic — the "east-west" traffic — could have potentially detected anomalies in how the attackers were using the administrator tools, says John Burns, director of OT threat hunting for Dragos, an operational-technology security firm."
https://www.darkreading.com/cybersecurity-operations/east-west-monitoring-visibility-critical-apt-detection
- SecurityScorecard Observes Surge In Third-Party Breaches
"Cyber-attacks leveraging third-party vulnerabilities are on the rise, according to a new SecurityScorecard report. The cyber risk assessment provider released its 2025 Global Third-Party Breach Report on March 26. In the report, SecurityScorecard’s STRIKE Threat Intelligence Unit analyzed 1000 cyber breaches across industries and regions in 2024. It found that 35.5% of breaches were third-party related, up from 29% the previous year, representing a 6.5% increase."
https://www.infosecurity-magazine.com/news/securityscorecard-surge-third/
https://securityscorecard.com/resource/global-third-party-breach-report/
- ETSI Launches New Standard For Quantum-Safe Hybrid Key Exchanges To Secure Future Post-Quantum Encryption
"Today, ETSI announces the launch of its post-quantum security standard to guarantee the protection of critical data and communications in the future. The specification “Efficient Quantum-Safe Hybrid Key Exchanges with Hidden Access Policies” (ETSI TS 104 015) has been developed to enhance security mechanisms, ensuring that only authorized users with the correct permissions can access sensitive data to decrypt them."
https://www.etsi.org/newsroom/press-releases/2513-etsi-launches-new-standard-for-quantum-safe-hybrid-key-exchanges-to-secure-future-post-quantum-encryption
https://www.etsi.org/deliver/etsi_ts/104000_104099/104015/01.01.01_60/ts_104015v010101p.pdf
https://www.infosecurity-magazine.com/news/etsi-quantum-safe-encryption/
- ENISA Space Threat Landscape 2025
"The primary objective of this report is to identify and assess the cybersecurity threat landscape for commercial satellites – exploring both existing and emerging challenges for the industry. This is achieved by focusing on cybersecurity aspects at each phase of the satellite lifecycle – development, deployment, operations, and decommissioning, and the stakeholders involved."
https://www.enisa.europa.eu/publications/enisa-space-threat-landscape-2025
https://www.enisa.europa.eu/sites/default/files/2025-03/Space_Threat_Landscape_Report_fin.pdf
https://www.infosecurity-magazine.com/news/enisa-probes-space-threat/
- PERSPECTIVE: 25 Years Of Evolving Information Sharing Into Actionable Intelligence
"The IT-ISAC is celebrating its 25th Anniversary this year. This has caused me to reflect on the new challenges we continue to face as a cybersecurity community. When I first joined the IT-ISAC in 2005, a leader of another ISAC (information sharing and analysis center) commented to me that his team would have a party every time a member shared information. In those early days, there was a dearth of even basic information about threat actors and attacks. Today, the challenge is reversed. So much information is available to analysts that it’s hard to keep track of it all and understand what is accurate and relevant. Rather than scouring any source possible for any type of threat intelligence, a key role of our analytic team is now to turn the vast amount of available information into curated intelligence our members can use."
https://www.hstoday.us/perspective/perspective-25-years-of-evolving-information-sharing-into-actionable-intelligence/
References
Electronic Transactions Development Agency (ETDA)
-
Astral Foods Loses Over 1 Million Dollars To A Cyberattack That Disrupted Production And Deliveries
-
Hackers Are Using Microsoft's .NET MAUI To Spread Android Malware
-
Cyberattack Takes Down Ukrainian Railways' Online Ticketing System, Affecting Passengers Across Ukraine
-
New Phishing Campaign Targets macOS Users With Fake Security Alerts
-
CISA Adds One Known Exploited Vulnerability To Catalog
On 24 March 2025 (B.E. 2568), the Cybersecurity and Infrastructure Security Agency (CISA) announced the addition of one new vulnerability to its catalog. The vulnerability may already be known to hacker groups, and the addition is based on evidence that it is being actively exploited. Vulnerabilities of this kind are frequent attack vectors for malicious cyber threat actors and pose significant risks to organizations. Details are as follows:
- CVE-2025-30154 reviewdog action-setup GitHub Action Embedded Malicious Code Vulnerability
References
-
CISA Releases Four Industrial Control Systems Advisories
On 25 March 2025 (B.E. 2568), the Cybersecurity and Infrastructure Security Agency (CISA) released four Industrial Control Systems (ICS) advisories. These advisories provide timely information about current security issues and vulnerabilities surrounding ICS. They are as follows:
- ICSA-25-084-01 ABB RMC-100
- ICSA-25-084-02 Rockwell Automation Verve Asset Manager
- ICSA-25-084-03 Rockwell Automation 440G TLS-Z
- ICSA-25-084-04 Inaba Denki Sangyo CHOCO TEI WATCHER Mini
CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations. Further details at https://www.cisa.gov/news-events/alerts/2025/03/25/cisa-releases-four-industrial-control-systems-advisories
References
https://www.cisa.gov/news-events/alerts/2025/03/25/cisa-releases-four-industrial-control-systems-advisories
-
CISA Releases Five Industrial Control Systems Advisories
On 20 March 2025 (B.E. 2568), the Cybersecurity and Infrastructure Security Agency (CISA) released five Industrial Control Systems (ICS) advisories. These advisories provide timely information about current security issues and vulnerabilities surrounding ICS. They are as follows:
- ICSA-25-079-01 Schneider Electric EcoStruxure
- ICSA-25-079-02 Schneider Electric Enerlin’X IFE and eIFE
- ICSA-25-079-03 Siemens Simcenter Femap
- ICSA-25-079-04 SMA Sunny Portal
- ICSMA-25-079-01 Santesoft Sante DICOM Viewer Pro
CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations. Further details at https://www.cisa.gov/news-events/alerts/2025/03/20/cisa-releases-five-industrial-control-systems-advisories
-
Cyber Threat Intelligence 26 March 2025
Financial Sector
- Financial Cyberthreats In 2024
"As more and more financial transactions are conducted in digital form each year, financial threats comprise a large piece of the global cyberthreat landscape. That’s why Kaspersky researchers analyze the trends related to these threats and share an annual report highlighting the main dangers to corporate and consumer finances. This report contains key trends and statistics on financial phishing, mobile and PC banking malware, as well as offers actionable recommendations to bolster security measures and effectively mitigate emerging threats"
https://securelist.com/financial-threat-report-2024/115966/
Industrial Sector
- ABB RMC-100
"Successful exploitation of this vulnerability could allow an attacker to send a specially crafted message to the web UI, causing a temporary denial of service until the interface can be restarted."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-084-01
- Rockwell Automation Verve Asset Manager
"Successful exploitation of this vulnerability could allow an attacker with administrative access to run arbitrary commands in the context of the container running the service."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-084-02
- Inaba Denki Sangyo CHOCO TEI WATCHER Mini
"Successful exploitation of these vulnerabilities could allow an attacker to obtain the product's login password, gain unauthorized access, tamper with product's data, and/or modify product settings."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-084-04
- Rockwell Automation 440G TLS-Z
"Successful exploitation of this vulnerability could allow an attacker to take over the device."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-084-03
- OT Systems Are Strategic Targets In Global Power Struggles
"Compared to 2023, 2024 saw a smaller increase in cyberattacks that caused physical consequences on OT organizations, according to Waterfall Security. Nevertheless, there were sharp jumps in the number of sites affected by the hacks, as well as in the number of attacks by nation states. 2024 saw a 146% increase in sites suffering physical consequences of operations because of cyberattacks, rising from 412 sites in 2023 to 1,015 in 2024."
https://www.helpnetsecurity.com/2025/03/25/cyberattacks-physical-consequences-ot-organizations/
- APT And Financial Attacks On Industrial Organizations In Q4 2024
"This summary provides an overview of the reports of APT and financial attacks on industrial enterprises disclosed in Q4 2024, as well as the related activities of groups that have been observed attacking industrial organizations and critical infrastructure facilities. For each topic, we summarize the key facts, findings and conclusions of researchers that we believe may be of use to professionals addressing practical issues of cybersecurity for industrial enterprises."
https://ics-cert.kaspersky.com/publications/reports/2025/03/25/apt-and-financial-attacks-on-industrial-organizations-in-q4-2024/
- Q4 2024 – a Brief Overview Of The Main Incidents In Industrial Cybersecurity
"In Q4 2024, 107 incidents were publicly confirmed by victims. All of these incidents are included in the table at the end of the overview, with select incidents described in detail."
https://ics-cert.kaspersky.com/publications/reports/2025/03/25/q4-2024-a-brief-overview-of-the-main-incidents-in-industrial-cybersecurity/
Vulnerabilities
- CrushFTP Warns Users To Patch Unauthenticated Access Flaw Immediately
"CrushFTP warned customers of an unauthenticated HTTP(S) port access vulnerability and urged them to patch their servers immediately. As the company also explained in an email sent to customers on Friday (seen by BleepingComputer), the security flaw enables attackers to gain unauthenticated access to unpatched servers if they are exposed on the Internet over HTTP(S). "Please take immediate action to patch ASAP. A vulnerability has been addressed today (March 21st, 2025). All CrushFTP v11 versions were affected. (No earlier versions are affected.) A CVE will be generated soon," the company warned."
https://www.bleepingcomputer.com/news/security/crushftp-warns-users-to-patch-unauthenticated-access-flaw-immediately/
- Broadcom Warns Of Authentication Bypass In VMware Windows Tools
"Broadcom released security updates today to fix a high-severity authentication bypass vulnerability in VMware Tools for Windows. VMware Tools is a suite of drivers and utilities designed to improve performance, graphics, and overall system integration for guest operating systems running in VMware virtual machines. The vulnerability (CVE-2025-22230) is caused by an improper access control weakness and was reported by Sergey Bliznyuk of Positive Technologies (a sanctioned Russian cybersecurity company accused of trafficking hacking tools)."
https://www.bleepingcomputer.com/news/security/broadcom-warns-of-authentication-bypass-in-vmware-windows-tools/
https://www.securityweek.com/vmware-patches-authentication-bypass-flaw-in-windows-tools-suite/
- New Windows Zero-Day Leaks NTLM Hashes, Gets Unofficial Patch
"Free unofficial patches are available for a new Windows zero-day vulnerability that can let remote attackers steal NTLM credentials by tricking targets into viewing malicious files in Windows Explorer. NTLM has been widely exploited in NTLM relay attacks (where threat actors force vulnerable network devices to authenticate to attacker-controlled servers) and pass-the-hash attacks (where they exploit vulnerabilities to steal NTLM hashes, which are hashed passwords)."
https://www.bleepingcomputer.com/news/security/new-windows-zero-day-leaks-ntlm-hashes-gets-unofficial-patch/
Malware
- New Android Malware Campaigns Evading Detection Using Cross-Platform Framework .NET MAUI
"Cybercriminals are constantly evolving their techniques to bypass security measures. Recently, the McAfee Mobile Research Team discovered malware campaigns abusing .NET MAUI, a cross-platform development framework, to evade detection. These threats disguise themselves as legitimate apps, targeting users to steal sensitive information. This blog highlights how these malware operate, their evasion techniques, and key recommendations for staying protected."
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/new-android-malware-campaigns-evading-detection-using-cross-platform-framework-net-maui/
https://www.bleepingcomputer.com/news/security/new-android-malware-uses-microsofts-net-maui-to-evade-detection/
https://thehackernews.com/2025/03/hackers-use-net-maui-to-target-indian.html
https://hackread.com/net-maui-exploited-in-advanced-malware-campaigns-mcafee-labs/
https://www.infosecurity-magazine.com/news/android-malware-uses-net-maui/
https://securityaffairs.com/175843/cyber-crime/android-malware-uses-net-maui-to-evade-detection.html
- Warning Against Phishing Emails Distributing GuLoader Malware By Impersonating a Famous International Shipping Company
"AhnLab SEcurity intelligence Center (ASEC) recently identified the distribution of GuLoader malware via a phishing email by impersonating a famous international shipping company. The phishing email was obtained through the email honeypot operated by ASEC. The mail body instructs users to check their post-paid customs tax and demands them to open the attachment."
https://asec.ahnlab.com/en/87002/
- CVE-2025-26633: How Water Gamayun Weaponizes MUIPath Using MSC EvilTwin
"Trend Research uncovered a campaign by suspected Russian threat actor Water Gamayun, also known as EncryptHub and Larva-208, that abused a zero-day vulnerability in the Microsoft Management Console (mmc.exe) framework to execute malicious code on infected machines. We’ve named this technique MSC EvilTwin (CVE-2025-26633), which we track as ZDI-CAN-26371 (also known as ZDI-25-150)."
https://www.trendmicro.com/en_us/research/25/c/cve-2025-26633-water-gamayun.html
https://www.bleepingcomputer.com/news/security/encrypthub-linked-to-zero-day-attacks-targeting-windows-systems/
- New Phishing Campaign Uses Browser-In-The-Browser Attacks To Target Video Gamers/Counter-Strike 2 Players
"Our research team has discovered an active phishing campaign targeting players of the multi-player video game Counter-Strike 2. Along with attempts to compromise players’ Steam accounts, part of the campaign’s attack tactics also includes abusing the names of a professional eSports team called Navi. Built around the creation of seemingly convincing fake browser pop-up windows that prominently display the URL of the real website, the campaign’s goal is to make a visitor feel safe, believing the pop-up windows are part of the actual (real) sites. Once the potential victim tries to log into the fake Steam portal, the threat actor steals the credentials and likely attempts to take over the account for later resale."
https://www.silentpush.com/blog/browser-in-the-browser-attacks/
https://www.bleepingcomputer.com/news/security/browser-in-the-browser-attacks-target-cs2-players-steam-accounts/
- The Curious Case Of PlayBoy Locker
"Cybereason issues Threat Analysis reports to investigate emerging threats and provide practical recommendations for protecting against them. In this Threat Analysis report, Cybereason investigates the new Ransomware-as-a-Service (RaaS) known as PlayBoy Locker and how to defend against it through the Cybereason Defense Platform."
https://www.cybereason.com/blog/threat-analysis-playboy-locker
- Cyble Sensors Detect Exploit Attempts On Ivanti, AVTECH IP Cameras
"Vulnerabilities in Ivanti products, AVTECH IP cameras, and WordPress plugins have recently been among the dozens of attempted exploits detected by Cyble honeypot sensors. The attack attempts were detailed in the threat intelligence company’s weekly sensor intelligence reports to clients. The Cyble reports have also examined persistent attacks against Linux systems and network and IoT devices, as threat actors scan for vulnerable devices for ransomware attacks and add to DDoS and crypto mining botnets. The reports have also examined banking malware, brute-force attacks, vulnerable ports, and phishing campaigns."
https://cyble.com/blog/cyble-sensors-detect-exploit-attempts-on-ivanti-avtech-ip-cameras/
- Raspberry Robin: Copy Shop USB Worm Evolves To Initial Access Broker Enabling Other Threat Actor Attacks
"Raspberry Robin (also known as Roshtyak or Storm-0856) is a complex and evolving threat actor that provides initial access broker (IAB) services to numerous criminal groups, many of which have connections to Russia. Recently, it has also provided IAB services to the Russian GRU’s Unit 29155 cyber actors. Linked to some of the most serious threat actors active today (including SocGholish, Dridex, and LockBit), Raspberry Robin breaches enterprises and sells access to other threat actors, primarily based in Russia."
https://www.silentpush.com/blog/raspberry-robin/
https://thehackernews.com/2025/03/researchers-uncover-200-unique-c2.html
https://www.darkreading.com/cyberattacks-data-breaches/access-broker-russian-state-cybercrime
- RaaS Evolved: LockBit 3.0 Vs LockBit 4.0
"LockBit is a sophisticated and notorious ransomware strain that has been targeting organizations across various industries since 2019. It operates by encrypting critical files and demanding hefty ransoms in exchange for decryption keys. The LockBit group operates on a Ransomware-as-a-Service (RaaS) model, providing its infamous LockBit malware to affiliates who carry out the attacks and return a percentage of ransom payments to the LockBit group."
https://www.deepinstinct.com/blog/raas-evolved-lockbit-3-0-vs-lockbit-4-0
- Cybercriminals Use Atlantis AIO To Target 140+ Platforms
"Cybercriminals have been observed increasingly leveraging Atlantis AIO, a sophisticated tool designed to automate credential stuffing attacks across more than 140 platforms. This software enables attackers to systematically test many stolen username and password combinations, facilitating unauthorized access to various online services."
https://www.infosecurity-magazine.com/news/cyber-criminals-atlantis-aio-140/
- Operation ForumTroll: APT Attack With Google Chrome Zero-Day Exploit Chain
"In mid-March 2025, Kaspersky technologies detected a wave of infections by previously unknown and highly sophisticated malware. In all cases, infection occurred immediately after the victim clicked on a link in a phishing email, and the attackers’ website was opened using the Google Chrome web browser. No further action was required to become infected. All malicious links were personalized and had a very short lifespan. However, Kaspersky’s exploit detection and protection technologies successfully identified the zero-day exploit that was used to escape Google Chrome’s sandbox."
https://securelist.com/operation-forumtroll/115989/
https://www.securityweek.com/google-patches-chrome-sandbox-escape-zero-day-caught-by-kaspersky/
- Lengthy Disruption Of Russian Internet Provider Claimed By Ukrainian Hacker Group
"A Ukrainian volunteer hacker group known as the IT Army has claimed responsibility for a cyberattack on Russian internet provider Lovit that disrupted services in Moscow and St. Petersburg for three days. The attack, which began on Friday, also prevented residents of apartment buildings using Lovit’s services from accessing their homes, as it disabled intercom systems. Businesses in affected buildings reported failures in payment terminals and loyalty programs, according to local media reports."
https://therecord.media/russia-isp-lovit-outages-claimed-ukraine-it-army
- IOCONTROL Malware: A New Threat Targeting Critical Infrastructure
"Last year, threat actors compromised over 3.2 billion credentials, a 33% increase compared to the previous year. By leveraging this stolen data, attackers perpetuate the ongoing cycle of cybercrime, using it to fuel malicious campaigns, including the deployment of malware such as IOCONTROL. Deploying this malware, threat actors can achieve the following objectives:"
https://flashpoint.io/blog/iocontrol-malware/
- Rilide - An Information Stealing Browser Extension
"Rilide is an example of an information stealer masquerading as a browser extension. First reported in April 2023, the malware targets Chromium-based browsers such as Google Chrome and Microsoft Edge. It is designed to take screenshots of information, log passwords, and collect credentials for cryptocurrency wallets."
https://blog.pulsedive.com/rilide-an-information-stealing-browser-extension/
Breaches/Hacks/Leaks
- Numotion Data Breach Impacts Nearly 500,000 People
"Tennessee-based Numotion, which advertises itself as the largest provider of wheelchairs and other mobility solutions in the United States, has suffered a data breach impacting nearly 500,000 people. According to a data security notice posted on its website, Numotion (United Seating and Mobility) learned recently that some of its employees’ email accounts were hacked into on several occasions between September 2, 2024, and November 18, 2024."
https://www.securityweek.com/numotion-data-breach-impacts-nearly-500000-people/
- Hacker Defaces NYU Website, Exposing Admissions Data On 1 Million Students
"More than 1 million students at New York University had their personal information exposed by a hacker who took over the school’s website over the weekend. On Saturday, the hacker replaced the NYU homepage with charts and links to large student datasets categorizing standardized testing scores based on race. The hacker claimed personal information identifying students was redacted but linked to four different datasets that included personal information on NYU applicants, their citizenship status and more."
https://therecord.media/hacker-nyu-website-admissions-race
- Nearly $13 Million Stolen From Abracadabra Finance In Crypto Heist
"The cryptocurrency platform Abracadabra Finance lost about $13 million worth of digital currency to hackers on Tuesday morning. The company did not respond to requests for comment confirming the amount of stolen cryptocurrency but acknowledged the incident in a message on social media. The crypto lending platform said the issue was sourced back to a product it calls “cauldrons” — isolated lending markets that allow users to borrow against a variety of cryptocurrencies."
https://therecord.media/nearly-thirteen-million-stolen-abracadabra
- Malaysia PM Says Country Rejected $10 Million Ransom Demand After Airport Outages
"Computer outages at Malaysia’s Kuala Lumpur International Airport (KLIA) this weekend were attributed to a recent cyberattack, according to the country’s cybersecurity agency and aviation authority. Malaysia’s National Cyber Security Agency (NACSA) and Malaysia Airports released a joint statement Tuesday confirming that a cyberattack started causing disruptions on March 23."
https://therecord.media/malaysia-pm-says-country-rejected-ransom-demand-airport-cyberattack
- A Sneaky Phish Just Grabbed My Mailchimp Mailing List
"You know when you're really jet lagged and really tired and the cogs in your head are just moving that little bit too slow? That's me right now, and the penny has just dropped that a Mailchimp phish has grabbed my credentials, logged into my account and exported the mailing list for this blog. I'm deliberately keeping this post very succinct to ensure the message goes out to my impacted subscribers ASAP, then I'll update the post with more details. But as a quick summary, I woke up in London this morning to the following:"
https://www.troyhunt.com/a-sneaky-phish-just-grabbed-my-mailchimp-mailing-list/
https://www.theregister.com/2025/03/25/troy_hunt_mailchimp_phish/
General News
- Spring Clean Your Security Data: The Case For Cybersecurity Data Hygiene
"Spring cleaning isn’t just for your closets; security teams should take the same approach to their security operations data, where years of unchecked log growth have created a bloated, inefficient and costly mess. The modern Security Operations Center (SOC) is drowning in security telemetry from endpoints, cloud, SaaS applications, identity platforms and a growing list of other sources. In practice, most of these are redundant, irrelevant, or just outright noise, and are affecting detection effectiveness, operational efficiency, and the ability to extract real insights."
https://www.helpnetsecurity.com/2025/03/25/security-data-hygiene/
- You Know That Generative AI Browser Assistant Extension Is Probably Beaming Everything To The Cloud, Right?
"Generative AI assistants packaged up as browser extensions harvest personal data with minimal safeguards, researchers warn. Some of these extensions may violate their own privacy commitments and potentially run afoul of US regulations, such as HIPAA and FERPA, by collecting and funneling away health and student data."
https://www.theregister.com/2025/03/25/generative_ai_browser_extensions_privacy/
https://arxiv.org/abs/2503.16586
- NIST Trustworthy And Responsible AI Report Adversarial Machine Learning: A Taxonomy And Terminology Of Attacks And Mitigations
"Artificial Intelligence (AI) systems have been on a global expansion trajectory, with the pace of development and the adoption of AI systems accelerating in recent years. These systems are being developed by and widely deployed into economies across the globe—leading to the emergence of AI-based services across many spheres of people’s lives, both real and virtual. As AI systems permeate the digital economy and become essential parts of daily life, the need for their secure, robust, and resilient operation grows."
https://csrc.nist.gov/News/2025/nist-ai-100-2-adversarial-machine-learning-taxonom
https://www.infosecurity-magazine.com/news/nist-limitations-ai-ml-security/
- Dark Web Mentions Of Malicious AI Tools Spike 200%
"Chatter about jailbreaks and use of malicious AI tools on the cybercrime underground surged in 2024, according to an analysis by threat intelligence firm Kela. The firm monitored cybercrime forums throughout the year to compile its new study, 2025 AI Threat Report: How Cybercriminals are Weaponizing AI Technology. It revealed a 52% increase in discussions related to jailbreaking legitimate AI tools like ChatGPT, and a 219% increase in mentions of malicious AI tools and tactics."
https://www.infosecurity-magazine.com/news/dark-web-mentions-malicious-ai/
https://www.kelacyber.com/resources/research/2025-ai-threat-report/
- Ransomware Shifts Tactics As Payouts Drop: Critical Infrastructure In The Crosshairs
"A study by researchers at Ontinue describes four major evolutionary trends: malware delivery via browser extensions and malvertising; more advanced phishing and vishing techniques; increasing attacks against IoT and OT devices; and the continuing evolution of ransomware. Ransomware is noteworthy. Ontinue explains (PDF) that ransom payments decreased: from $1.25 billion in 2023 to $813.5 million in 2024. But while the payments received by criminals went down, the number of reported breaches went up. “This could indicate that ransomware groups are conducting more attacks to compensate for lower ransom success rates,” suggests Ontinue."
https://www.securityweek.com/ransomware-shifts-tactics-as-payouts-drop-critical-infrastructure-in-the-crosshairs/
https://www.ontinue.com/wp-content/uploads/2025/03/2025_2H-Threat-Intelligence-Report.pdf
- Hacker Conversations: Frank Trezza – From Phreaker To Pentester
"The history of Frank Trezza is not unusual among hackers – from a young prankster through growing exploration of potential attacking powers to a mature defender of security. In this edition of Hacker Conversations, we follow his path. SecurityWeek’s Hacker Conversations series discusses the mind and motivations of hackers. Many, like Trezza, have become important figures in today’s cybersecurity defense. To defend computers, it is useful to know how to attack them – and that’s where being a hacker becomes valuable."
https://www.securityweek.com/hacker-conversations-frank-trezza-from-phreaker-to-pentester/
References
Electronic Transactions Development Agency (ETDA) - Financial Cyberthreats In 2024
-
Cyber Threat Intelligence 25 March 2025
New Tooling
- Finders Keypers: Open-Source AWS KMS Key Usage Finder
"Finders Keypers is an open-source tool for analyzing the current usage of AWS KMS keys. It supports both AWS customer managed KMS keys and AWS Managed KMS keys."
https://www.helpnetsecurity.com/2025/03/24/finders-keypers-open-source-aws-kms-key-usage-finder/
https://github.com/FogSecurity/finders-keypers
Vulnerabilities
- IngressNightmare: 9.8 Critical Unauthenticated Remote Code Execution Vulnerabilities In Ingress NGINX
"Wiz Research discovered CVE-2025-1097, CVE-2025-1098, CVE-2025-24514 and CVE-2025-1974, a series of unauthenticated Remote Code Execution vulnerabilities in Ingress NGINX Controller for Kubernetes dubbed #IngressNightmare. Exploitation of these vulnerabilities leads to unauthorized access to all secrets stored across all namespaces in the Kubernetes cluster by attackers, which can result in cluster takeover. This attack vector has been assigned a CVSS v3.1 base score of 9.8."
https://www.wiz.io/blog/ingress-nginx-kubernetes-vulnerabilities
https://thehackernews.com/2025/03/critical-ingress-nginx-controller.html
https://www.darkreading.com/application-security/critical-ingressnightmare-vulns-kubernetes-environments
https://www.bankinfosecurity.com/kubernetes-patch-43-clusters-face-remote-takeover-risk-a-27810
- Next.js And The Corrupt Middleware: The Authorizing Artifact
"Recently, Yasser Allam, known by the pseudonym inzo_, and I, decided to team up for some research. We discussed potential targets and chose to begin by focusing on Next.js (130K stars on github, currently downloaded + 9,4 million times per week), a framework I know quite well and with which I already have fond memories, as evidenced by my previous work. Therefore, the “we” throughout this paper will naturally refer to the two of us."
https://zhero-web-sec.github.io/research-and-things/nextjs-and-the-corrupt-middleware
https://nextjs.org/blog/cve-2025-29927
https://thehackernews.com/2025/03/critical-nextjs-vulnerability-allows.html
https://www.bleepingcomputer.com/news/security/critical-flaw-in-nextjs-lets-hackers-bypass-authorization/
https://cyberscoop.com/nextjs-critical-vulnerability-open-source-vercel/
https://securityaffairs.com/175775/security/next-js-react-framework-critical-issue.html
https://www.helpnetsecurity.com/2025/03/24/critical-next-js-auth-bypass-vulnerability-opens-web-apps-to-compromise-cve-2025-29927/
- CISA Adds One Known Exploited Vulnerability To Catalog
"CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
CVE-2025-30154 reviewdog action-setup GitHub Action Embedded Malicious Code Vulnerability"
https://www.cisa.gov/news-events/alerts/2025/03/24/cisa-adds-one-known-exploited-vulnerability-catalog
Malware
- Weaver Ant, The Web Shell Whisperer: Tracking a Live China-Nexus Operation
"During the final phase of a forensic investigation, multiple alerts were triggered by suspicious activities. Specifically, an account previously used by the threat actor was disabled as part of remediation efforts but was subsequently re-enabled by a service account. Notably, the activity originated from a server that had not been previously identified as compromised."
https://www.sygnia.co/threat-reports-and-advisories/weaver-ant-tracking-a-china-nexus-cyber-espionage-operation/
https://www.bleepingcomputer.com/news/security/chinese-weaver-ant-hackers-spied-on-telco-network-for-4-years/
https://therecord.media/chinese-hackers-spent-years-telco
https://www.darkreading.com/cyberattacks-data-breaches/china-nexus-apt-weaver-ant-caught-yearslong-web-shell-attack
https://securityaffairs.com/175800/apt/chinese-apt-weaver-ant-infiltrated-a-telco-for-over-four-years.html
- The Rise Of VanHelsing RaaS: A New Player In The Ransomware Landscape
"VanHelsing RaaS, a new ransomware-as-a-service (RaaS), was launched on March 7, 2025, and its rapid growth is raising alarms across the cyber security community. Within just two weeks of its introduction, VanHelsingRaaS has already managed to infect three known victims and create a more sophisticated variant, highlighting its potential to become a major player in the ransomware game."
https://blog.checkpoint.com/research/the-rise-of-vanhelsing-raas-a-new-player-in-the-ransomware-landscape/
https://research.checkpoint.com/2025/vanhelsing-new-raas-in-town/
https://www.bleepingcomputer.com/news/security/new-vanhelsing-ransomware-targets-windows-arm-esxi-systems/
https://thehackernews.com/2025/03/vanhelsing-raas-launch-3-victims-5k.html
https://www.infosecurity-magazine.com/news/vanhelsing-raas-expands-rapidly/
- Decoding Fake US ESTA Emails: Scam Or Real Deal?
"The Cofense Phishing Defense Center (PDC) has observed an uptick in malicious emails attempting to take advantage of the recent uncertainty and confusion surrounding immigration services in the United States of America. The malicious emails pose as notifications from US Customs and Border Protection. They warn users about the need to submit a new application for the Electronic System for Travel Authorization (ESTA), attempting to instill a level of panic or fear that the loss or misplacement of this documentation may hinder travel or immigration plans, exploiting the complicated process that the application can entail."
https://cofense.com/blog/decoding-fake-us-esta-emails-scam-or-real-deal
- FizzBuzz To FogDoor: Targeted Malware Campaign Exploits Job-Seeking Developers
"Threat Actor (TA) is deploying a targeted social engineering campaign against Polish-speaking developers by disguising malware as a technical coding challenge on GitHub. Using a fake recruitment test named “FizzBuzz“, the TA tricks victims into downloading an ISO file containing a seemingly harmless JavaScript exercise and a malicious LNK shortcut."
https://cyble.com/blog/fake-coding-challenges-steal-sensitive-data-via-fogdoor/
- VSCode Marketplace Removes Two Extensions Deploying Early-Stage Ransomware
"Cybersecurity researchers have uncovered two malicious extensions in the Visual Studio Code (VSCode) Marketplace that are designed to deploy ransomware that's under development to its users. The extensions, named "ahban.shiba" and "ahban.cychelloworld," have since been taken down by the marketplace maintainers. Both the extensions, per ReversingLabs, incorporate code that's designed to invoke a PowerShell command, which then grabs a PowerShell-script payload from a command-and-control (C2) server and executes it."
https://thehackernews.com/2025/03/vscode-marketplace-removes-two.html
Breaches/Hacks/Leaks
- Cyberattack Takes Down Ukrainian State Railway’s Online Services
"Ukrzaliznytsia, Ukraine’s national railway operator, has been hit by a massive cyberattack that disrupted online services for buying tickets both through mobile apps and the website. The incident forced people to booths to buy physical tickets, causing overcrowding, delays, long waiting times, and frustration. With trains being the only reliable and relatively safe means for people to travel within Ukraine and internationally, the cyberattack is having a significant impact, Daryna Antoniuk reports."
https://www.bleepingcomputer.com/news/security/cyberattack-takes-down-ukrainian-state-railways-online-services/
https://therecord.media/ukraine-railway-ukrzaliznytsia-cyberattack-online-ticket-system
https://www.infosecurity-magazine.com/news/ukraine-railway-systems-targeted/
- Part 2: Validating The Breach Oracle Cloud Denied – CloudSEK’s Follow-Up Analysis
"On March 21, 2025, CloudSEK’s XVigil platform flagged a significant threat—a threat actor offering 6 million exfiltrated records from Oracle Cloud for sale. Despite Oracle’s public denial, our deep-dive investigation reveals a compromised production SSO endpoint, affecting over 140,000 tenants and exposing sensitive SSO and LDAP data. Our report outlines verified evidence of the breach. At CloudSEK, we prioritize transparency and preparedness. This detailed follow-up not only challenges initial denials but equips enterprises with actionable steps to assess and secure their environments. Read the full report to uncover the evidence, understand the impact, and strengthen your defenses."
https://www.cloudsek.com/blog/part-2-validating-the-breach-oracle-cloud-denied-cloudseks-follow-up-analysis
https://www.darkreading.com/cyberattacks-data-breaches/oracle-denies-claim-oracle-cloud-breach-6m-records
https://hackread.com/cloudsek-disputes-oracle-data-breach-denial-evidence/
- Hackers Steal Sensitive Data From Pennsylvania County During Ransomware Attack
"Personal information from Union County, Pennsylvania, residents was stolen during a ransomware attack on government systems 10 days ago. The county published a notice on Friday warning its more than 40,000 residents that the ransomware attack was discovered on March 13. Federal law enforcement was notified and cybersecurity experts were hired to help with the recovery process. On March 13, the county learned that the hackers took personal information from its network."
https://therecord.media/union-county-pennsylvania-ransomware-attack
- Cyberattack Causes Delays For South Africa’s Largest Chicken Producer
"South Africa’s largest chicken producer lost more than $1 million due to a recent cyberattack that caused delivery delays and other issues. Astral Foods told investors on Monday that it suffered a cyberattack on March 16 that required the company to implement all of its disaster recovery protocols and preparedness plans. The company controls multiple chicken businesses that produce and sell chickens and eggs, as well as manufacture animal feed and other products."
https://therecord.media/cyberattack-delays-south-african-chicken-producer
General News
- Is The Middle East's Race To Digitize a Threat To Infrastructure?
"The Middle East is a cautionary tale of digitization's opportunity and risk. As Gulf countries embrace widespread public and private sector digital transformation, cybercriminal activity is surging. Today, the average cost of a data breach in the region is almost $9 million per case, nearly double the global average and a figure surpassed only by the US."
https://www.darkreading.com/cyberattacks-data-breaches/middle-easts-race-digitize-threat-infrastructure
- Cloud Providers Aren’t Delivering On Security Promises
"Security concerns around cloud environments have prompted 44% of CISOs to change cloud service provider, according to Arctic Wolf. This is being driven by the fact that 24% don’t believe their cloud environment is secure, and 43% think cloud service providers overpromised the security protection they would receive."
https://www.helpnetsecurity.com/2025/03/24/cloud-environments-security-concerns/
- More Than 300 Arrests As African Countries Clamp Down On Cyber Threats
"Authorities in seven African countries have arrested 306 suspects and seized 1,842 devices in an international operation targeting cyber attacks and cyber-enabled scams. The arrests were made as part of Operation Red Card (November 2024 – February 2025) which aims to disrupt and dismantle cross-border criminal networks which cause significant harm to individuals and businesses. In particular, the operation targeted mobile banking, investment and messaging app scams. The cases uncovered during the operation involved more than 5,000 victims."
https://www.interpol.int/en/News-and-Events/News/2025/More-than-300-arrests-as-African-countries-clamp-down-on-cyber-threats
https://therecord.media/300-arrested-africa-crackdown-cyber-scams
https://www.bleepingcomputer.com/news/security/police-arrests-300-suspects-linked-to-african-cybercrime-rings/
https://www.infosecurity-magazine.com/news/interpol-seize-1842-devices-africa/
- Despite Challenges, The CVE Program Is a Public-Private Partnership That Has Shown Resilience
"In 1999, Dave Mann and Steve Christey, two researchers from the nonprofit R&D corporation MITRE, debuted a concept for security vulnerabilities that laid the groundwork for the common vulnerability and exposures framework (CVE) that organizes information around computer vulnerabilities."
https://cyberscoop.com/cve-program-history-mitre-nist-1999-2024/
https://www.securityweek.com/nist-still-struggling-to-clear-vulnerability-submissions-backlog-in-nvd/
- Hunting Rituals #5: Why Hypothesis-Based Threat Hunting Is Essential In Cybersecurity
"Proactive threat hunting is essential if you want to counter sophisticated threats that evade conventional security tools. Many advanced attackers use techniques that blend into normal network activity, avoiding detection and bypassing automated alerts. This blog post showcases a real-life example of how hypothesis-based threat hunting can uncover hidden threats."
https://www.group-ib.com/blog/hunting-rituals-5/
- Report: Fortune 500 Employee-Linked Account Exposure
"A backbone of our economy, Fortune 500 companies employ more than 31 million people worldwide. According to data analyzed by the Enzoic research team, over the past three years of 2022, 2023, and 2024, more than three million employee-linked accounts became newly compromised by cybercriminals."
https://www.helpnetsecurity.com/2025/03/24/report-fortune-500-employee-linked-account-exposure/
https://resources.enzoic.com/fortune-500-report/
- Encrypted Messaging Apps Promise Privacy. Government Transparency Is Often The Price
"As a devastating wildfire burned through a Maui town, killing more than 100 people, emergency management employees traded dozens of text messages, creating a record that would later help investigators piece together the government’s response to the 2023 tragedy. One text exchange hinted officials might also be using a second, untraceable messaging service. “That’s what Signal was supposed to be for,” then-Maui Emergency Management Agency Administrator Herman Andaya texted a colleague."
https://www.securityweek.com/encrypted-messaging-apps-promise-privacy-government-transparency-is-often-the-price/
- As Nation-State Hacking Becomes 'More In Your Face,' Are Supply Chains Secure?
"Former US Air Force cyber officer Sarah Cleveland worries about the threat of a major supply-chain attack from China or another adversarial nation. So she installed solar panels on her house: 'Because what if the electric grid goes down?' The home solar system was Cleveland's personal answer to the question of where to begin securing against the kind of potentially destructive attacks that government agencies and intel analysts warn are on the horizon from groups like Beijing's Silk Typhoon."
https://www.theregister.com/2025/03/24/nation_state_supply_chain_attack/
- From The Digital Trenches: Exclusive Interview With Z-Pentest
"Z-Pentest is a pro-Russian Serbian hacktivist group that has carried out various attacks against NATO countries. This actor specializes in industrial environments and poses a challenge to organizations around the world. Rafa Lopez, former CTO of Miólnir, reached out to Z-Pentest thanks to Noname057(16), finding Z-Pentest very receptive, or at least their spokesperson. He discussed with them the possibility of understanding their perspective on the current geopolitical landscape. He also wanted to learn more about their motivation, techniques, and tactics."
https://miolnir.es/from-the-digital-trenches-exclusive-interview-with-z-pentest/
Reference
Electronic Transactions Development Agency (ETDA)
- Finders Keypers: Open-Source AWS KMS Key Usage Finder