NCSA Webboard

    Posts created by NCSA_THAICERT

    • Hackers steal the data of millions of Gucci, Balenciaga and Alexander McQueen customers


      You can follow the news on the webboard or on Facebook NCSA Thailand

      Posted in Cyber Security News by NCSA_THAICERT
    • Mustang Panda uses SnakeDisk malware against IP addresses in Thailand to deliver the Yokai backdoor



    • Cyber Threat Intelligence 17 September 2025

      Industrial Sector

      • Siemens RUGGEDCOM, SINEC NMS, And SINEMA
        "Successful exploitation of these vulnerabilities could allow an attacker to cause a denial-of-service, crash the product, or perform remote code execution."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-259-04
      • Delta Electronics DIALink
        "Successful exploitation of these vulnerabilities could allow an attacker to bypass authentication."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-259-07
      • OT Security Needs Continuous Operations, Not One-Time Fixes
        "Cyberattacks keep hitting the OT systems that critical infrastructure operators run, according to new research from Forrester. In a survey of 262 OT security decision-makers, 91% reported at least one breach or system failure caused by a cyberattack in the past 18 months. These attacks disrupted essential services, damaged reputations, and created regulatory and financial consequences."
        https://www.helpnetsecurity.com/2025/09/16/ciso-ot-cybersecurity-strategy/
      • Schneider Electric Altivar Products, ATVdPAC Module, ILC992 InterLink Converter
        "Successful exploitation of this vulnerability could allow an attacker to read or modify data."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-259-01
      • Hitachi Energy RTU500 Series
        "Successful exploitation of these vulnerabilities could cause a Denial-of-Service condition in RTU500 devices."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-259-02
      • Siemens SIMATIC NET CP, SINEMA, And SCALANCE
        "Successful exploitation of these vulnerabilities could allow an attacker to cause a denial-of-service (DoS) condition in the affected devices by exploiting integer overflow bugs."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-259-03
      • Siemens OpenSSL Vulnerability In Industrial Products
        "Successful exploitation of these vulnerabilities could allow an unauthenticated remote attacker to execute arbitrary code or to cause a denial-of-service condition."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-259-05
      • Siemens Multiple Industrial Products
        "Successful exploitation of this vulnerability could allow an attacker to create a denial-of-service condition."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-259-06

      Vulnerabilities

      • Chaotic Deputy: Critical Vulnerabilities In Chaos Mesh Lead To Kubernetes Cluster Takeover
        "JFrog Security Research recently discovered and disclosed multiple CVEs in the highly popular Chaos engineering platform – Chaos-Mesh. The discovered CVEs, which we’ve named Chaotic Deputy are CVE-2025-59358, CVE-2025-59360, CVE-2025-59361 and CVE-2025-59359. The last three Chaotic Deputy CVEs are critical severity (CVSS 9.8) vulnerabilities which can be easily exploited by in-cluster attackers to run arbitrary code on any pod in the cluster, even in the default configuration of Chaos-Mesh."
        https://jfrog.com/blog/chaotic-deputy-critical-vulnerabilities-in-chaos-mesh-lead-to-kubernetes-cluster-takeover/
        https://www.darkreading.com/cyber-risk/critical-bugs-chaos-mesh-cluster-takeover
        https://thehackernews.com/2025/09/chaos-mesh-critical-graphql-flaws.html
      • Apple Backports Zero-Day Patches To Older iPhones And iPads
        "Apple has released security updates to backport patches released last month to older iPhones and iPads, addressing a zero-day bug that was exploited in "extremely sophisticated" attacks. This security flaw is the same one Apple has patched for devices running iOS 18.6.2 and iPadOS 18.6.2, iPadOS 17.7.10, and macOS (Sequoia 15.6.1, Sonoma 14.7.8, and Ventura 13.7.8) on August 20. Tracked as CVE-2025-43300, this vulnerability was discovered by Apple security researchers and is caused by an out-of-bounds write weakness in the Image I/O framework, which enables apps to read and write image file formats."
        https://www.bleepingcomputer.com/news/security/apple-backports-zero-day-patches-to-older-iphones-and-ipads/
        https://thehackernews.com/2025/09/apple-backports-fix-for-cve-2025-43300.html
        https://www.theregister.com/2025/09/16/apple_0day_spy_attacks/
      • Apple Rolls Out iOS 26, MacOS Tahoe 26 With Patches For Over 50 Vulnerabilities
        "Apple on Monday announced the release of major iOS and macOS platform updates with fixes for a total of more than 50 vulnerabilities. iOS 26 and iPadOS 26 were released for the latest generation iPhone and iPad devices with fixes for 27 unique CVEs that could lead to memory corruption, information disclosure, crashes, and sandbox escapes. WebKit received the largest number of fixes, at five, for security defects that could lead to process crashes, Safari crashes, or could allow websites to access sensor information without consent."
        https://www.securityweek.com/apple-rolls-out-ios-26-macos-tahoe-26-with-patches-for-over-50-vulnerabilities/
        https://cyberscoop.com/apple-security-updates-september-2025/
        https://www.malwarebytes.com/blog/news/2025/09/update-your-apple-devices-to-fix-dozens-of-vulnerabilities
      • Bypassing AI Agent Defenses With Lies-In-The-Loop
        "Checkmarx Zero has identified a new type of attack against AI agents that use a “human-in-the-loop” safety net to try to avoid high-risk behaviors: we’re calling it “lies-in-the-loop” (LITL). It lets us fairly easily trick users into giving permission for AI agents to do extremely dangerous things, by convincing the AI to act as though those things are much safer than they are."
        https://checkmarx.com/zero-post/bypassing-ai-agent-defenses-with-lies-in-the-loop/
        https://www.darkreading.com/application-security/-lies-in-the-loop-attack-ai-coding-agents

      Malware

      • Self-Propagating Supply Chain Attack Hits 187 Npm Packages
        "Security researchers have identified at least 187 npm packages compromised in an ongoing supply chain attack, with a malicious self-propagating payload to infect other packages. The coordinated worm-style campaign dubbed 'Shai-Hulud' started yesterday with the compromise of the @ctrl/tinycolor npm package, which receives over 2 million weekly downloads. Since then, the campaign has expanded significantly and now includes packages published under CrowdStrike's npm namespace."
        https://www.bleepingcomputer.com/news/security/self-propagating-supply-chain-attack-hits-187-npm-packages/
        https://socket.dev/blog/tinycolor-supply-chain-attack-affects-40-packages
        https://socket.dev/blog/ongoing-supply-chain-attack-targets-crowdstrike-npm-packages
        https://www.aikido.dev/blog/s1ngularity-nx-attackers-strike-again
        https://www.darkreading.com/application-security/self-replicating-shai-hulud-worm-npm-packages
        https://thehackernews.com/2025/09/40-npm-packages-compromised-in-supply.html
        https://securityaffairs.com/182274/malware/new-supply-chain-attack-hits-npm-registry-compromising-40-packages.html
        https://www.helpnetsecurity.com/2025/09/16/self-replicating-worm-hits-180-npm-packages-in-largely-automated-supply-chain-attack/
        https://www.theregister.com/2025/09/16/npm_under_attack_again/
      • SmokeLoader Rises From The Ashes
        "Active since 2011, SmokeLoader (aka Smoke or Dofoil) is a popular malware loader that is designed to deliver second-stage payloads such as trojans, ransomware, and information stealers. Over the years, SmokeLoader has been updated and enhanced to evade detection and optimize payload delivery. SmokeLoader’s capabilities have also been expanded through a modular plugin framework that is capable of credential harvesting, browser hijacking, cryptocurrency mining, and more."
        https://www.zscaler.com/blogs/security-research/smokeloader-rises-ashes
      • Satori Threat Intelligence Alert: SlopAds Covers Fraud With Layers Of Obfuscation
        "HUMAN’s Satori Threat Intelligence and Research Team has uncovered and disrupted a sophisticated ad fraud and click fraud operation dubbed SlopAds. The threat actors behind SlopAds operate a collection of 224 apps and growing, collectively downloaded from Google Play more than 38 million times across 228 countries and territories. These apps deliver their fraud payload using steganography and create hidden WebViews to navigate to threat actor-owned cashout sites, generating fraudulent ad impressions and clicks. The threat actors’ infrastructure and many of the apps share an AI theme, contributing to the name of the operation."
        https://www.humansecurity.com/learn/blog/satori-threat-intelligence-alert-slopads-covers-fraud-with-layers-of-obfuscation/
        https://www.bleepingcomputer.com/news/security/google-nukes-224-android-malware-apps-behind-massive-ad-fraud-campaign/
        https://thehackernews.com/2025/09/slopads-fraud-ring-exploits-224-android.html
        https://www.bankinfosecurity.com/slopads-fraud-campaign-uses-novel-obfuscation-techniques-a-29450
      • FileFix In The Wild! New FileFix Campaign Goes Beyond POC And Leverages Steganography
        "Early last week, researchers from Acronis' Threat Research Unit discovered a rare in-the-wild example of a FileFix attack — a new variant of the now infamous ClickFix attack vector. The discovered attack not only leverages FileFix, but, to our knowledge, is the first example of such an attack that does not strictly adhere to the design of the original proof of concept (POC) demonstrated by Mr. d0x in July, 2025. Furthermore, the attack features a sophisticated phishing site and payload, in many ways ahead of what we’ve come to expect from ClickFix or FileFix attacks seen in the past (with some notable exceptions)."
        https://www.acronis.com/en/tru/posts/filefix-in-the-wild-new-filefix-campaign-goes-beyond-poc-and-leverages-steganography/
        https://www.bleepingcomputer.com/news/security/new-filefix-attack-uses-steganography-to-drop-stealc-malware/
        https://thehackernews.com/2025/09/new-filefix-variant-delivers-stealc.html
        https://hackread.com/filefix-attack-stealc-infostealer-fake-facebook-pages/
        https://www.theregister.com/2025/09/16/filefix_attacks_facebook_security_alert/
      • Microsoft Seizes 338 Websites To Disrupt Rapidly Growing ‘RaccoonO365’ Phishing Service
        "Microsoft’s Digital Crimes Unit (DCU) has disrupted RaccoonO365, the fastest-growing tool used by cybercriminals to steal Microsoft 365 usernames and passwords (“credentials”). Using a court order granted by the Southern District of New York, the DCU seized 338 websites associated with the popular service, disrupting the operation’s technical infrastructure and cutting off criminals’ access to victims. This case shows that cybercriminals don’t need to be sophisticated to cause widespread harm—simple tools like RaccoonO365 make cybercrime accessible to virtually anyone, putting millions of users at risk."
        https://blogs.microsoft.com/on-the-issues/2025/09/16/microsoft-seizes-338-websites-to-disrupt-rapidly-growing-raccoono365-phishing-service/
        https://therecord.media/microsoft-cloudflare-disrupt-raccoono365-credential-stealing-tool
        https://cyberscoop.com/microsoft-seizes-phishing-sites-raccoono365/
        https://www.theregister.com/2025/09/16/microsoft_cloudflare_shut_down_raccoono365/
      • Deniability By Design: DNS-Driven Insights Into a Malicious Ad Network
        "One typically imagines the digital underworld—trojans, malware droppers, fake dating sites, investment scams, and more—as operating in the dark corners of the internet. But increasingly, these threats are hiding in plain sight, camouflaged by the glossy veneer of mainstream digital advertising. In some cases, the adtech platforms are abused, but we have uncovered an increasing number of adtech companies that are either complicit or actively engaged in the distribution of malicious content. Cybercriminals aren’t just exploiting adtech platforms, sometimes, they are the adtech platforms."
        https://blogs.infoblox.com/threat-intelligence/deniability-by-design-dns-driven-insights-into-a-malicious-ad-network/
        https://www.darkreading.com/vulnerabilities-threats/vane-viper-threat-group-propellerads
      • Innovative FileFix Phishing Attack Proves Plenty Potent
        "The most widespread, customized, sophisticated FileFix campaign to date has recently emerged in the wild. Fewer than three months have passed since a red team researcher conceived of the FileFix social engineering technique, and attackers seem to be taking to it like ducks to water. Over the past couple of weeks, for instance, researchers from Acronis have observed the most mature FileFix campaign to date, combining convincing phishing, tough code obfuscation, robust steganography, and more."
        https://www.darkreading.com/cyberattacks-data-breaches/innovative-filefix-attack-potent
      • RevengeHotels: a New Wave Of Attacks Leveraging LLMs And VenomRAT
        "RevengeHotels, also known as TA558, is a threat group that has been active since 2015, stealing credit card data from hotel guests and travelers. RevengeHotels’ modus operandi involves sending emails with phishing links which redirect victims to websites mimicking document storage. These sites, in turn, download script files to ultimately infect the targeted machines. The final payloads consist of various remote access Trojan (RAT) implants, which enable the threat actor to issue commands for controlling compromised systems, stealing sensitive data, and maintaining persistence, among other malicious activities."
        https://securelist.com/revengehotels-attacks-with-ai-and-venomrat-across-latin-america/117493/
      • Going Underground: China-Aligned TA415 Conducts U.S.-China Economic Relations Targeting Using VS Code Remote Tunnels
        "Throughout July and August 2025, TA415 conducted spearphishing campaigns targeting United States government, think tank, and academic organizations utilizing U.S.-China economic-themed lures. In this activity, the group masqueraded as the current Chair of the Select Committee on Strategic Competition between the United States and the Chinese Communist Party (CCP), as well as the US-China Business Council, to target a range of individuals and organizations predominantly focused on U.S.-China relations, trade, and economic policy."
        https://www.proofpoint.com/us/blog/threat-insight/going-underground-china-aligned-ta415-conducts-us-china-economic-relations

      Breaches/Hacks/Leaks

      • 2 Eye Care Practice Hacks Affect 260,000 Patients, Staff
        "Two separate hacks on ophthalmology practices in South Dakota and Florida have affected more than a quarter-million patients. The cyberattacks were among the latest of several major data breaches reported in recent months by eye care providers. The incidents were reported by Black Hills Regional Eye Institute, which is based in Rapid City, South Dakota, and Retina Group of Florida, based in Fort Lauderdale, Florida."
        https://www.bankinfosecurity.com/2-eye-care-practice-hacks-affect-260000-patients-staff-a-29458

      General News

      • Building Security That Protects Customers, Not Just Auditors
        "In this Help Net Security interview, Nir Rothenberg, CISO at Rapyd, discusses global differences in payment security maturity and the lessons that can be learned from leading regions. He points out that good engineering usually leads to strong security, and cautions against just going through the motions to meet compliance requirements. Rothenberg also points to overlooked areas such as monitoring, account takeover prevention, and collaboration across the payments ecosystem."
        https://www.helpnetsecurity.com/2025/09/16/nir-rothenberg-rapyd-payment-security-maturity/
      • August 2025 Trends Report On Phishing Emails
        "This report provides the distribution quantity, statistics, trends, and case information on phishing emails and attachments collected and analyzed over the course of a month in August 2025. The following are some statistics and cases included in the original report."
        https://asec.ahnlab.com/en/90158/
      • August 2025 Threat Trend Report On Ransomware
        "This report provides the statistics and major ransomware-related issues in Korea and worldwide, as well as the number of affected systems and ransomware cases based on Dedicated Leak Sites (DLS) over the course of August 2025. Below is a summary of the report."
        https://asec.ahnlab.com/en/90159/
      • August 2025 APT Attack Trends Report (South Korea)
        "AhnLab has been using AhnLab Smart Defense (ASD) to monitor advanced persistent threat (APT) attacks against targets in South Korea. This report will cover the types and statistics of APT attacks in Korea during August 2025 as well as features for each type."
        https://asec.ahnlab.com/en/90152/
      • August 2025 Infostealer Trend Report
        "This report provides statistics, trends, and case information on Infostealer, including distribution volume, distribution methods, and disguises based on the data collected and analyzed in August 2025. The following is a summary of the original report."
        https://asec.ahnlab.com/en/90154/
      • BreachForums Hacking Forum Admin Resentenced To Three Years In Prison
        "Conor Brian Fitzpatrick, the 22-year-old behind the notorious BreachForums hacking forum, was resentenced today to three years in prison after a federal appeals court overturned his prior sentence of time served and 20 years of supervised release. Fitzpatrick, of New York, operated under the alias "Pompompurin" and created the BreachForums hacking forum in 2022 after the FBI took down RaidForums. Fitzpatrick was arrested on March 15, 2023, and charged with conspiracy to solicit individuals to sell unauthorized access devices. At the time of his arrest, he admitted to FBI agents that he was Pompompurin and the administrator of BreachForums."
        https://www.bleepingcomputer.com/news/security/breachforums-hacking-forum-admin-resentenced-to-three-years-in-prison/
        https://therecord.media/conor-fitzpatrick-pompompurin-three-year-sentence-breachforums-administrator
        https://www.bankinfosecurity.com/original-breachforums-admin-gets-3-year-prison-sentence-a-29459
        https://cyberscoop.com/conor-fitzpatrick-pompompurin-resetenced-breachforums/
      • Security Industry Skeptical Of Scattered Spider-ShinyHunters Retirement Claims
        "The notorious cybercrime groups Scattered Spider and ShinyHunters claim they are retiring, but the cybersecurity industry is skeptical and believes the hackers will continue to be active. Scattered Spider has been around for several years and it recently made many headlines for targeting the retail, insurance, and aviation industries. The threat group has also been in the spotlight for its widespread Salesforce hacking campaign, which impacted major companies such as Google. Several individuals with alleged ties to Scattered Spider have been arrested, charged and sentenced over the past year."
        https://www.securityweek.com/security-industry-skeptical-of-scattered-spider-shinyhunters-retirement-claims/
        https://www.infosecurity-magazine.com/news/fifteen-ransomware-gangs-retire/
      • API Threats Surge To 40,000 Incidents In 1H 2025
        "The financial services, telecoms and travel sectors were in the crosshairs of threat actors in the first half of the year, after Thales observed 40,000 incidents in the period alone. The firm’s Imperva business analyzed data from over 4000 environments worldwide to produce its API Threat Report (H1 2025). The report claimed that APIs now attract 44% of advanced bot traffic, which is generated by sophisticated software designed to mimic human behavior."
        https://www.infosecurity-magazine.com/news/api-threats-surge-40000-incidents/
        https://www.imperva.com/resources/resource-library/reports/imperva-api-threat-report/

      Reference: Electronic Transactions Development Agency (ETDA)

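The Shai-Hulud item in the 17 September digest above is about compromised versions of packages already installed in projects, so the check a practitioner wants is an audit of the lockfile, not of package.json ranges. The script below is an added example written for this page, not code from NCSA_THAICERT or from any of the cited reports. @ctrl/tinycolor is the package the digest names; the version numbers in the blocklist, the second package name, and both sample lockfiles are constructed for illustration and are not real indicators.

```python
"""Audit an npm lockfile against a list of known-compromised package versions.

Added example for the Shai-Hulud item above; not code from the original post
or from any of the cited reports. @ctrl/tinycolor is the package the digest
names as the first compromised one. The version numbers in COMPROMISED, the
second package name, and both sample lockfiles are constructed for
illustration and are not real indicators.
"""
import json

# Constructed blocklist: package name -> set of exact compromised versions.
COMPROMISED = {
    "@ctrl/tinycolor": {"4.1.1", "4.1.2"},
    "@example-scope/widget": {"2.0.3"},
}

# Constructed lockfileVersion 3 document (npm 7+ layout with a "packages" map).
SAMPLE_LOCK_V3 = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "dependencies": {"@ctrl/tinycolor": "^4.1.0"}},
        "node_modules/@ctrl/tinycolor": {"version": "4.1.2"},
        "node_modules/left-pad": {"version": "1.3.0"},
        # nested copy pinned by another dependency; older, not on the list
        "node_modules/foo/node_modules/@ctrl/tinycolor": {"version": "4.0.0"},
        "node_modules/@example-scope/widget": {"version": "2.0.3"},
    },
})

# Constructed lockfileVersion 1 document (npm 6 layout: nested "dependencies").
SAMPLE_LOCK_V1 = json.dumps({
    "lockfileVersion": 1,
    "dependencies": {
        "a": {"version": "1.0.0",
              "dependencies": {"@ctrl/tinycolor": {"version": "4.1.1"}}},
    },
})


def package_name_from_path(path):
    """Name of the package installed at a 'packages' key.

    Keys look like 'node_modules/a', 'node_modules/@scope/a' or the nested
    'node_modules/a/node_modules/@scope/b'; the name follows the last
    'node_modules/' segment. The root entry '' has no such segment.
    """
    idx = path.rfind("node_modules/")
    if idx == -1:
        return None
    return path[idx + len("node_modules/"):]


def find_compromised(lock_text, blocklist=COMPROMISED):
    """Return sorted (install path, name, version) tuples for every installed
    package whose exact version is on the blocklist.

    Exact-version matching is deliberate: a worm that republishes a package
    pushes specific new versions, so a semver range in package.json says
    nothing about what is actually installed; only the lockfile does.
    """
    lock = json.loads(lock_text)
    hits = []
    packages = lock.get("packages")
    if packages is not None:                      # lockfileVersion 2 or 3
        for path, meta in packages.items():
            name = package_name_from_path(path)
            if name is None:
                continue
            version = meta.get("version")
            if version in blocklist.get(name, ()):
                hits.append((path, name, version))
    else:                                         # lockfileVersion 1 fallback
        def walk(deps, prefix):
            for name, meta in deps.items():
                path = f"{prefix}node_modules/{name}"
                version = meta.get("version")
                if version in blocklist.get(name, ()):
                    hits.append((path, name, version))
                walk(meta.get("dependencies", {}), path + "/")
        walk(lock.get("dependencies", {}), "")
    return sorted(hits)


if __name__ == "__main__":
    for sample in (SAMPLE_LOCK_V3, SAMPLE_LOCK_V1):
        for path, name, version in find_compromised(sample):
            print(f"COMPROMISED {name}@{version} at {path}")
```

Run it against a real project with `find_compromised(open("package-lock.json").read())`, with the blocklist filled from a source you trust. Nested installs matter: the same package can be present several times under different parents with different versions, which is why the scan walks every `packages` key rather than only top-level entries. The lockfile says nothing about copies already in the local npm cache or installed globally; those need a separate check.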
    • UK ICO finds students are behind most school data breaches



    • VoidProxy, a new phishing service, uses MFA-bypass techniques to attack Microsoft and Google accounts



    • ShinyHunters hacker group attacks Vietnam's National Credit Information Center



    • Cyber Threat Intelligence 16 September 2025

      New Tooling

      • Arkime: Open-Source Network Analysis And Packet Capture System
        "Arkime is an open-source system for large-scale network analysis and packet capture. It works with your existing security tools to store and index network traffic in standard PCAP format, making it easy to search and access. The solution includes a simple web interface for browsing, searching, and exporting PCAP files. Arkime also provides APIs for downloading PCAP data and session data in JSON format. Because Arkime uses standard PCAP files, you can analyze the data with other tools, such as Wireshark."
        https://www.helpnetsecurity.com/2025/09/15/arkime-open-source-network-analysis-packet-capture-system/
        https://github.com/arkime/arkime

      Vulnerabilities

      • New Phoenix Attack Bypasses Rowhammer Defenses In DDR5 Memory
        "Academic researchers have devised a new variant of Rowhammer attacks that bypass the latest protection mechanisms on DDR5 memory chips from SK Hynix. A Rowhammer attack works by repeatedly accessing specific rows of memory cells at high-speed read/write operations to cause enough electrical interference to alter the value of the nearby bits from one to zero and vice-versa (bit flipping). An attacker could potentially corrupt data, increase their privileges on the system, execute malicious code, or gain access to sensitive data."
        https://www.bleepingcomputer.com/news/security/new-phoenix-attack-bypasses-rowhammer-defenses-in-ddr5-memory/
        https://comsec-files.ethz.ch/papers/phoenix_sp26.pdf
        https://github.com/comsec-group/phoenix
        https://security.googleblog.com/2025/09/supporting-rowhammer-research-to.html

      Malware

      • Hive0154, Aka Mustang Panda, Drops Updated Toneshell Backdoor And Novel SnakeDisk USB Worm
        "In July 2025, IBM X-Force discovered new malware attributed to China-aligned threat actor Hive0154. This includes an updated Toneshell variant evading detections and supporting several new features, as well as a novel USB worm called SnakeDisk discovered in mid-August. The worm only executes on devices with Thailand-based IP addresses and drops the Yokai backdoor, discovered by Netskope in December 2024."
        https://www.ibm.com/think/x-force/hive0154-drops-updated-toneshell-backdoor
        https://thehackernews.com/2025/09/mustang-panda-deploys-snakedisk-usb.html
      • Inside Maranhão Stealer: Node.js-Powered InfoStealer Using Reflective DLL Injection
        "CRIL identified an active Maranhão Stealer campaign that is being distributed through social engineering websites hosted on cloud platforms. Current intelligence indicates that the malware has been active since May 2025 and is actively being developed. The threat actors primarily target gaming users by distributing gaming-related links, cheats, and pirated software downloads. (e.g., hxxps://derelictsgame[.]in/DerelictSetup.zip). The ZIP archives include an Inno Setup installer, which launches a Node.js-compiled binary responsible for exfiltrating credentials."
        https://cyble.com/blog/inside-maranhao-stealer-node-js-powered-infostealer/
      • AI-Driven Deepfake Military ID Fraud Campaign By Kimsuky APT
        "On July 17, 2025, the Genians Security Center (GSC) detected a spear-phishing attack attributed to the Kimsuky group. This was classified as an APT attack impersonating a South Korean defense-related institution, disguised as if it were handling ID issuance tasks for military-affiliated officials. The threat actor used ChatGPT, a generative AI, to produce sample ID card images, which were then leveraged in the attack. This is a real case demonstrating the Kimsuky group’s application of deepfake technology."
        https://www.genians.co.kr/en/blog/threat_intelligence/deepfake
        https://www.infosecurity-magazine.com/news/ai-military-ids-north-korea/
        https://hackread.com/north-korea-kimsuky-group-ai-generated-military-ids/
        https://www.theregister.com/2025/09/15/north_korea_chatgpt_fake_id/
      • You’re Invited: Four Phishing Lures In Campaigns Dropping RMM Tools
        "Red Canary Intelligence and Zscaler threat hunters have identified multiple campaigns utilizing the RMM tools ITarian (aka Comodo), PDQ, SimpleHelp, and Atera for remote access. Remote monitoring and management (RMM) tools continue to be a favorite tool for adversaries because they offer a veneer of legitimacy as the solutions are often used by IT professionals for remote access, system monitoring, and managing machines."
        https://redcanary.com/blog/threat-intelligence/phishing-rmm-tools/
        https://www.infosecurity-magazine.com/news/phishing-campaigns-rmm-tools/
        https://hackread.com/hackers-rmm-installs-fake-chrome-updates-teams-invite/
      • Shiny Tools, Shallow Checks: How The AI Hype Opens The Door To Malicious MCP Servers
        "In this article, we explore how the Model Context Protocol (MCP) — the new “plug-in bus” for AI assistants — can be weaponized as a supply chain foothold. We start with a primer on MCP, map out protocol-level and supply chain attack paths, then walk through a hands-on proof of concept: a seemingly legitimate MCP server that harvests sensitive data every time a developer runs a tool. We break down the source code to reveal the server’s true intent and provide a set of mitigations for defenders to spot and stop similar threats."
        https://securelist.com/model-context-protocol-for-ai-integration-abused-in-supply-chain-attacks/117473/
      • Ukraine Claims Cyberattacks On Russian Election Systems; Moscow Confirms Disruptions
        "Ukraine’s military intelligence agency (HUR) said on Sunday it hacked Russia’s Central Election Commission and other government services in response to voting in occupied Ukrainian regions. The operation coincided with Russia’s “unified voting day,” when regional and local elections are held simultaneously across the country. This year, ballots were also cast in Crimea and other occupied parts of Ukraine. Kyiv and its allies say those elections are illegal."
        https://therecord.media/ukraine-claims-ddos-attack-russian-election-system
      • Phishing Campaign Targets Rust Developers
        "Developers publishing crates (binaries and libraries written in Rust) on crates.io, Rust’s main public package registry, have been targeted with emails echoing the recent npm phishing campaign. The emails started hitting developers’ inboxes on Friday, minutes after they published a (new) crate on the registry. The emails – titled “Important: Breach notification regarding crates.io” and made to look like they’ve been sent by the Rust Foundation – claimed that an attacker compromised the crates.io infrastructure and accessed some user information."
        https://www.helpnetsecurity.com/2025/09/15/phishing-campaign-targets-rust-developers/
      • Inside The 2025 Energy Phishing Wave: Chevron, Conoco, PBF, Phillips 66
        "Phishing continues to hit critical industries hard, and in 2025 we’ve tracked a sharp rise in domains built to impersonate major U.S. energy companies. The sector is an obvious target: its brands are globally recognized, widely trusted, and therefore valuable to attackers looking to run credential theft or fraud at scale. Drawing on Hunt.io data, this report highlights how adversaries cloned the websites of Chevron, ConocoPhillips, PBF Energy, and Phillips 66. We detail the tactics uncovered, including HTTrack-based site copying, exposed directories, and investment scam templates, and show why so many of these domains slip past vendor detections. The following key takeaways summarize the most important patterns observed across this activity."
        https://hunt.io/blog/us-energy-phishing-wave-report

      Breaches/Hacks/Leaks

      • Google Confirms Fraudulent Account Created In Law Enforcement Portal
        "Google has confirmed that hackers created a fraudulent account in its Law Enforcement Request System (LERS) platform that law enforcement uses to submit official data requests to the company. "We have identified that a fraudulent account was created in our system for law enforcement requests and have disabled the account," Google told BleepingComputer. "No requests were made with this fraudulent account, and no data was accessed." The FBI declined to comment on the threat actor's claims."
        https://www.bleepingcomputer.com/news/security/google-confirms-fraudulent-account-created-in-law-enforcement-portal/
        https://databreaches.net/2025/09/15/hackers-claim-access-to-law-enforcement-portals-but-do-they-really-have-access/
      • FinWise Insider Breach Impacts 689K American First Finance Customers
        "FinWise Bank is warning on behalf of corporate customers that it suffered a data breach after a former employee accessed sensitive files after the end of their employment. "On May 31, 2024, FinWise experienced a data security incident involving a former employee who accessed FinWise data after the end of their employment," reads a data breach notification sent by FinWise on behalf of American First Finance (AFF). American First Finance (AFF) is a company that offers consumer financing products, including installment loans and lease-to-own programs, for a diverse range of products and services. Customers use AFF to apply for and manage the loans, with the company handling the services, account setup, repayment process, and customer support."
        https://www.bleepingcomputer.com/news/security/finwise-insider-breach-impacts-689k-american-first-finance-customers/
        https://www.securityweek.com/689000-affected-by-insider-breach-at-finwise-bank/
        https://www.theregister.com/2025/09/15/finwise_insider_data_breach/
      • Update: Kering Confirms Gucci And Other Brands Hacked; Claims No Conversations With Hackers?
        "On September 11, DataBreaches broke the story that customers of several high-end fashion brands owned by Paris-headquartered Kering had their personal information acquired by ShinyHunters as part of two Salesforce attacks. As we reported, a spokesperson for ShinyHunters claimed to have acquired more than 43 million customer records from Gucci and almost 13 million records from Balenciaga, Brioni, and Alexander McQueen combined."
        https://databreaches.net/2025/09/15/update-kering-confirms-gucci-and-other-brands-hacked-claims-no-conversations-with-hackers/
        https://www.bbc.com/news/articles/crl5j8ld615o
        https://securityaffairs.com/182236/cyber-crime/hackers-steal-millions-of-gucci-balenciaga-and-alexander-mcqueen-customer-records.html
      • West Virginia Credit Union Notifying 187,000 People Impacted By 2023 Data Breach
        "Fairmont Federal Credit Union is notifying over 187,000 individuals that their personal and financial information was stolen in a two-year-old data breach. A not-for-profit financial organization, Fairmont Federal Credit Union offers services such as business and home mortgage loans, financial first aid, and personal checking. It operates nine regional branches in West Virginia. The organization discovered the cybersecurity incident on January 23, 2024 and launched a prompt and thorough forensic investigation, concluding on August 17, 2025, that files stolen from its network contained personal information."
        https://www.securityweek.com/west-virginia-credit-union-notifying-187000-people-impacted-by-2023-data-breach/
        https://securityaffairs.com/182217/data-breach/fairmont-federal-credit-union-2023-data-breach-impacted-187k-people.html
      • Uvalde School District Says Ransomware Attack Forcing Closure Until Thursday
        "A ransomware attack has forced the public school district in Uvalde, Texas, to shut down for most of the week as officials attempt to restore systems. The Uvalde Consolidated Independent School District serves about 5,000 students in Uvalde County as well as parts of Zavala and Real counties. Anne Marie Espinoza, chief of communications for the school district, said on social media this weekend that they are dealing with a “significant technology incident.” “Ransomware has been detected within our district’s servers, severely affecting access to essential systems like phones, AC controls, camera monitoring, visitor management, Skyward, and more,” she said."
        https://therecord.media/uvalde-texas-school-district-temporarily-closing-ransomware

      General News

      • Most Enterprise AI Use Is Invisible To Security Teams
        "Most enterprise AI activity is happening without the knowledge of IT and security teams. According to Lanai, 89% of AI use inside organizations goes unseen, creating risks around data privacy, compliance, and governance. This blind spot is growing as AI features are built directly into business tools. Employees often connect personal AI accounts to work devices or use unsanctioned services, making it difficult for security teams to monitor usage. Lanai says this lack of visibility leaves companies exposed to data leaks and regulatory violations."
        https://www.helpnetsecurity.com/2025/09/15/lanai-enterprise-ai-visibility-tools/
      • Static Feeds Leave Intelligence Teams Reacting To Irrelevant Or Late Data
        "Boards and executives are not asking for another feed of indicators. They want to know whether their organization is being targeted, how exposed they are, and what steps need to be taken. A new report from Flashpoint argues that most current intelligence models cannot keep up with these demands and that primary source collection (PSC) should become the standard approach."
        https://www.helpnetsecurity.com/2025/09/15/primary-source-collection-intelligence-model/
      • When ‘Minimal Impact’ Isn’t Reassuring: Lessons From The Largest npm Supply Chain Compromise
        "Earlier this week, Aikido Security disclosed what is being described as the largest npm supply chain compromise to date. Attackers successfully injected malicious code into 18 popular npm packages, collectively accounting for more than 2.6 billion weekly downloads. The entire campaign began not with a technical exploit, but with a single, well-trained maintainer clicking on a convincingly crafted phishing email."
        https://cyberscoop.com/npm-supply-chain-compromise-brian-fox-sonatype-op-ed/
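A poisoned release of a popular package reaches a project only if the project will accept it, so the practical question for a consumer is whether its dependency set floats. The Python below is an added example that goes beyond the quoted op-ed (it is not Sonatype's, Aikido's or npm's code): it reads a `package.json` and a lockfileVersion 3 `package-lock.json` and reports dependencies declared with a range rather than an exact version, dependencies missing from the lockfile, locked entries without an `integrity` hash, and entries resolved from somewhere other than an allowlisted registry. The two manifests and the package names in them are constructed, and the registry allowlist is an assumption.

```python
import json
import re

# One exact version, optionally with a prerelease tag. Anything else floats.
EXACT_RE = re.compile(r"^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?$")
TRUSTED_REGISTRY = "https://registry.npmjs.org/"   # allowlist is an assumption

# Constructed manifests; the package names are made up.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "billing-ui",
    "dependencies": {
        "ui-widgets": "2.3.1",
        "color-utils": "^4.1.0",
        "report-gen": "~1.0.0",
    },
})

SAMPLE_LOCK = json.dumps({
    "name": "billing-ui",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"ui-widgets": "2.3.1", "color-utils": "^4.1.0",
                              "report-gen": "~1.0.0"}},
        "node_modules/ui-widgets": {
            "version": "2.3.1",
            "resolved": "https://registry.npmjs.org/ui-widgets/-/ui-widgets-2.3.1.tgz",
            # integrity deliberately absent
        },
        "node_modules/color-utils": {
            "version": "4.1.7",
            "resolved": "https://mirror.example/color-utils/-/color-utils-4.1.7.tgz",
            "integrity": "sha512-AAAA",
        },
        # report-gen deliberately has no locked entry
    },
})


def is_floating(spec: str) -> bool:
    """True unless spec pins exactly one version. Caret/tilde ranges, wildcards,
    dist-tags such as 'latest', and URL or git specs all float."""
    return not EXACT_RE.match(spec.strip())


def audit(package_json_text: str, lock_text: str) -> dict:
    pkg = json.loads(package_json_text)
    lock = json.loads(lock_text)
    deps = {}
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        deps.update(pkg.get(section, {}))
    packages = lock.get("packages", {})   # lockfileVersion 2/3 layout

    floating = {name: spec for name, spec in deps.items() if is_floating(spec)}
    unlocked, missing_integrity, untrusted = [], [], {}
    for name in deps:
        entry = packages.get(f"node_modules/{name}")
        if entry is None:
            unlocked.append(name)          # nothing pins what npm install will fetch
            continue
        if not entry.get("integrity"):
            missing_integrity.append(name) # tarball swap would go unnoticed
        resolved = entry.get("resolved", "")
        if not resolved.startswith(TRUSTED_REGISTRY):
            untrusted[name] = resolved
    return {
        "floating": floating,
        "unlocked": sorted(unlocked),
        "missing_integrity": sorted(missing_integrity),
        "untrusted_source": untrusted,
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_PACKAGE_JSON, SAMPLE_LOCK).items():
        print(f"{key}: {value}")
```

A clean lockfile only protects a build that honours it: `npm ci` installs exactly what the lock records and fails if the lock and `package.json` disagree, whereas `npm install` will happily re-resolve a `^` range to a newer, possibly poisoned, release and rewrite the lock. Disabling lifecycle scripts (`ignore-scripts=true` in `.npmrc`) removes the install-time execution a compromised package relies on, at the cost of breaking packages that legitimately need them.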
      • Building Resilient IT Infrastructure From The Start
        "For years, the cybersecurity industry has put an emphasis on protecting network infrastructure. But as innovations have focused on firewalls and intrusion detection systems, other forms of IT infrastructure — which are mission-critical to operations — were left exposed. Beyond the perimeter, IT infrastructure remains one of the most overlooked attack surfaces in the enterprise. Increasing complexity in hybrid environments has complicated matters, both impeding zero-trust adoption and creating a target for adversaries."
        https://www.darkreading.com/vulnerabilities-threats/building-resilient-it-infrastructure
      • Zero Trust Is 15 Years Old — Why Full Adoption Is Worth The Struggle
        "The implementation of zero trust is essential for cybersecurity: but after 15 years, we’re still not there. Implementation is like the curate’s egg: good in parts. Zero Trust turned fifteen years old on September 14, 2025. Its invention was announced with Forrester’s publication of John Kindervag’s paper, No More Chewy Centers: Introducing The Zero Trust Model of Information Security, on that date in 2010 (archived here)."
        https://www.securityweek.com/zero-trust-is-15-years-old-why-full-adoption-is-worth-the-struggle/
      • New Zealand Sanctions Russian Military Hackers Over Cyberattacks On Ukraine
        "New Zealand has imposed sanctions on Russian military intelligence hackers accused of cyberattacks on Ukraine, including members of a notorious hacking unit previously tied to destructive malware campaigns. The sanctions announced Friday target Unit 29155 of Russia’s GRU intelligence agency. Western security agencies say the unit — also tracked by researchers as Cadet Blizzard and Ember Bear — has been involved in espionage, sabotage, and assassination plots across Europe. It was behind the 2022 WhisperGate malware attack on Ukrainian government networks ahead of Moscow’s full-scale invasion."
        https://therecord.media/new-zealand-russia-gru-ukraine
      • Huntress Threat Advisory: The Dangers Of Storing Unencrypted Passwords
        "This is an offshoot of our other blog, "Huntress Threat Advisory: Active Exploitation of SonicWall VPNs," which allowed initial access and was followed by the rapid deployment of Akira ransomware across the victim environment. This blog outlines an interesting individual case from within that timeframe. TL;DR: The threat actor entered through the organization’s SonicWall device. When searching through the host, the threat actor found a plaintext file on the user’s desktop that contained the client's Huntress recovery codes. The threat actor then used these codes to enter the client’s Huntress portal and began remediating reports and uninstalling hosts isolated by Huntress."
        https://www.huntress.com/blog/dangers-of-storing-unencrypted-passwords
        https://www.theregister.com/2025/09/15/ransomware_recovery_codes_plaintext/
      • The Risks Of Code Assistant LLMs: Harmful Content, Misuse And Deception
        "We recently looked into AI code assistants that connect with integrated development environments (IDEs) as a plugin, much like GitHub Copilot. We found that both users and threat actors could misuse code assistant features like chat, auto-completion and writing unit tests for harmful purposes. This misuse includes injecting backdoors, leaking sensitive information and generating harmful content."
        https://unit42.paloaltonetworks.com/code-assistant-llms/

      Reference
      Electronic Transactions Development Agency (ETDA)

      Posted in Cyber Security News by NCSA_THAICERT
    • Cyber Threat Intelligence 15 September 2025

      Financial Sector

      • August 2025 Security Issues In Korean & Global Financial Sector
        "This report comprehensively covers actual cyber threats and security issues related to financial companies in South Korea and abroad. This article includes an analysis of malware and phishing cases distributed to the financial sector, the top 10 malware strains targeting the financial sector, and the industry statistics of leaked Korean accounts on Telegram. A detailed look into the phishing email distribution case targeting the financial sector is also covered."
        https://asec.ahnlab.com/en/90110/

      Healthcare Sector

      • Attackers Are Coming For Drug Formulas And Patient Data
        "In the pharmaceutical industry, clinical trial data, patient records, and proprietary drug formulas are prime targets for cybercriminals. These high-value assets make the sector a constant focus for attacks. Disruptions to research or medicine distribution can have life-threatening consequences. “During global health crises, cyber attackers swiftly exploit vulnerabilities. The COVID-19 pandemic saw a fivefold increase in phishing attempts targeting WHO, with attackers impersonating leadership to distribute malware,” said Flavio Aggio, CISO at the World Health Organization."
        https://www.helpnetsecurity.com/2025/09/12/ciso-pharma-cybersecurity-risks/

      Vulnerabilities

      • Samsung Patches Actively Exploited Zero-Day Reported By WhatsApp
        "Samsung has patched a remote code execution vulnerability that was exploited in zero-day attacks targeting its Android devices. Tracked as CVE-2025-21043, this critical security flaw affects Samsung devices running Android 13 or later and was reported by the security teams of Meta and WhatsApp on August 13. As Samsung explains in a recently updated advisory, this vulnerability was discovered in libimagecodec.quram.so (a closed-source image parsing library developed by Quramsoft that implements support for various image formats) and is caused by an out-of-bounds write weakness that allows attackers to execute malicious code on vulnerable devices remotely."
        https://www.bleepingcomputer.com/news/security/samsung-patches-actively-exploited-zero-day-reported-by-whatsapp/
        https://thehackernews.com/2025/09/samsung-fixes-critical-zero-day-cve.html
        https://securityaffairs.com/182135/hacking/samsung-fixed-actively-exploited-zero-day.html
        https://www.theregister.com/2025/09/12/samsung_fixes_android_0day/
        https://hackread.com/samsung-android-image-parsing-vulnerability-attacks/
      • NFC Card Vulnerability Exploitation Leading To Free Top-Up In KioSoft "Stored Value" Unattended Payment Solution (MIFARE)
        "Some KioSoft customers currently use outdated MIFARE Classic cards in "Stored Value" Unattended Payment Solutions from KioSoft. A new detection algorithm has been rolled out through firmware according to KioSoft. As a long-term fix, hardware changes with a new reader and secure cards are planned as well. KioSoft understands that its customers continually take steps to track suspicious activity as routine. MIFARE Classic cards have been found to be vulnerable to attacks in the past, allowing these cards to be modified or copied. A short-term solution may be to transition away from the Stored Value Payment System to the Online Payment System of KioSoft, which does not have this vulnerability according to the vendor."
        https://sec-consult.com/vulnerability-lab/advisory/nfc-card-vulnerability-exploitation-leading-to-free-top-up-kiosoft-payment-solution/
        https://www.securityweek.com/payment-system-vendor-took-year-to-patch-infinite-card-top-up-hack-security-firm/
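Why a balance kept on the card cannot be trusted once the card can be modified or copied, as an added example that is not KioSoft's or SEC Consult's code. It builds and checks MIFARE Classic value blocks using the layout in NXP's public MIFARE Classic datasheet (the value stored twice plain and once inverted, then the block address stored twice plain and twice inverted), shows that this redundancy is an error check rather than an authentication, and contrasts it with a server-side ledger, which is the property an online payment mode provides. The card UID, the balances and the block address 4 are constructed.

```python
import struct

# MIFARE Classic value block (16 bytes):
#   bytes 0-3   value, signed 32-bit little-endian
#   bytes 4-7   bitwise inverse of value
#   bytes 8-11  value again
#   byte 12 adr, byte 13 ~adr, byte 14 adr, byte 15 ~adr
# Nothing in this layout is keyed: whoever can write the sector can write a
# block that passes every check below.


def encode_value_block(value: int, addr: int) -> bytes:
    if not -2**31 <= value < 2**31:
        raise ValueError("value must fit in a signed 32-bit integer")
    if not 0 <= addr <= 0xFF:
        raise ValueError("addr is one byte")
    v = struct.pack("<i", value)
    nv = bytes(b ^ 0xFF for b in v)
    a, na = bytes([addr]), bytes([addr ^ 0xFF])
    return v + nv + v + a + na + a + na


def decode_value_block(block: bytes) -> int:
    """The check a reader performs. It catches bit errors and torn writes,
    nothing more."""
    if len(block) != 16:
        raise ValueError("value block is 16 bytes")
    v, nv, v2 = block[0:4], block[4:8], block[8:12]
    if v != v2 or bytes(b ^ 0xFF for b in v) != nv:
        raise ValueError("value redundancy check failed")
    a, na, a2, na2 = block[12:16]
    if a != a2 or na != na2 or (a ^ 0xFF) != na:
        raise ValueError("address redundancy check failed")
    return struct.unpack("<i", v)[0]


def forged_block(new_balance: int, addr: int = 4) -> bytes:
    """What a rewritten or cloned card carries: a self-consistent block with
    whatever balance the holder chooses. The offline reader accepts it."""
    return encode_value_block(new_balance, addr)


class OnlineLedger:
    """Server-side balance keyed by card UID. The card's block is only a hint
    and must agree with the ledger; any disagreement is treated as tampering."""

    def __init__(self) -> None:
        self.balance: dict[str, int] = {}
        self.flagged: set[str] = set()

    def topup(self, uid: str, amount: int) -> int:
        self.balance[uid] = self.balance.get(uid, 0) + amount
        return self.balance[uid]

    def authorize(self, uid: str, card_block: bytes, price: int) -> str:
        card_says = decode_value_block(card_block)
        server_says = self.balance.get(uid, 0)
        if card_says != server_says:
            self.flagged.add(uid)
            return f"declined: card reports {card_says}, ledger has {server_says}"
        if server_says < price:
            return "declined: insufficient funds"
        self.balance[uid] = server_says - price
        return "approved"


if __name__ == "__main__":
    uid = "04A1B2C3"                       # constructed card UID
    ledger = OnlineLedger()
    ledger.topup(uid, 1250)
    genuine = encode_value_block(1250, 4)
    print("offline reader accepts forged balance:", decode_value_block(forged_block(10**6)))
    print("online ledger, genuine card:", ledger.authorize(uid, genuine, 300))
    print("online ledger, forged card: ", ledger.authorize(uid, forged_block(10**6), 300))
```

A MAC over the value block would stop modification but not cloning (a copied card carries a valid MAC too), which is why the only robust fix is the one the vendor points to: keep the balance off the card, or at least reconcile every transaction against a server-side record and alert on mismatches, as `OnlineLedger.flagged` does.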

      Malware

      • Introducing HybridPetya: Petya/NotPetya Copycat With UEFI Secure Boot Bypass
        "ESET Research has discovered HybridPetya, on the VirusTotal sample sharing platform. It is a copycat of the infamous Petya/NotPetya malware, adding the capability of compromising UEFI-based systems and weaponizing CVE‑2024‑7344 to bypass UEFI Secure Boot on outdated systems."
        https://www.welivesecurity.com/en/eset-research/introducing-hybridpetya-petya-notpetya-copycat-uefi-secure-boot-bypass/
        https://www.bleepingcomputer.com/news/security/new-hybridpetya-ransomware-can-bypass-uefi-secure-boot/
        https://thehackernews.com/2025/09/new-hybridpetya-ransomware-bypasses.html
        https://www.bankinfosecurity.com/hybridpetya-crypto-locker-outsmarts-uefi-secure-boot-a-29437
        https://www.helpnetsecurity.com/2025/09/12/hybridpetya-ransomware-secure-boot-bypass/
        https://www.theregister.com/2025/09/12/hopefully_just_a_poc_hybridpetya/
        https://securityaffairs.com/182149/malware/hybridpetya-ransomware-bypasses-uefi-secure-boot-echoing-petya-notpetya.html
      • Meet Yurei: The New Ransomware Group Rising From Open-Source Code
        "A new ransomware group calling itself Yurei has appeared on the cyber crime scene, and it wasted no time in making headlines. First observed on September 5 by Check Point Research, the group listed its first victim, a food manufacturing company in Sri Lanka, on its darknet site. Within just a few days, two more victims, one in India and one in Nigeria, were added. Yurei’s quick rise illustrates a growing challenge: how easily cyber criminals can turn open-source malware into real-world ransomware operations, even with limited skills and effort."
        https://blog.checkpoint.com/research/meet-yurei-the-new-ransomware-group-rising-from-open-source-code/
      • SEO Poisoning Attack Targets Chinese-Speaking Users With Fake Software Sites
        "In August 2025, FortiGuard Labs identified an SEO poisoning campaign aimed at Chinese-speaking users. The attackers manipulated search rankings with SEO plugins and registered lookalike domains that closely mimicked legitimate software sites. By using convincing language and small character substitutions, they tricked victims into visiting spoofed pages and downloading malware."
        https://www.fortinet.com/blog/threat-research/seo-poisoning-attack-targets-chinese-speaking-users-with-fake-software-sites
        https://hackread.com/seo-poisoning-attack-windows-hiddengh0st-winos-malware/
      • Massive L7 DDoS Botnet Expands To 5.76M Devices, Qrator Labs Reports
        "On September 1, 2025, Qrator.AntiDDoS detected and mitigated another large-scale attack carried out by the largest L7 DDoS botnet observed to date. The target was an organization in the government sector. In total, 5.76 million IP addresses were blocked during the incident. Qrator Labs has been monitoring this botnet for several months. The first attack, recorded on March 26, targeted an organization in the online betting sector. It involved about 1.33 million IP addresses, mostly from Brazil, Argentina, Russia, Iraq, and Mexico. A second incident followed on May 16, this time hitting an organization in the government sector, with the botnet already grown to 4.6 million devices. Most of the traffic originated from IP addresses in Brazil, the United States, Vietnam, India, and Argentina."
        https://qrator.net/blog/details/massive-l7-ddos-botnet-expands-to-576m-devices-qra
        https://hackread.com/qrator-labs-mitigate-l7-ddos-attack-5-76m-botnet/
      • FBI Warns Of UNC6040 And UNC6395 Targeting Salesforce Platforms In Data Theft Attacks
        "The U.S. Federal Bureau of Investigation (FBI) has issued a flash alert to release indicators of compromise (IoCs) associated with two cybercriminal groups tracked as UNC6040 and UNC6395 for a string of data theft and extortion attacks. "Both groups have recently been observed targeting organizations' Salesforce platforms via different initial access mechanisms," the FBI said."
        https://thehackernews.com/2025/09/fbi-warns-of-unc6040-and-unc6395.html
        https://www.ic3.gov/CSA/2025/250912.pdf
        https://www.bleepingcomputer.com/news/security/fbi-warns-of-unc6040-unc6395-hackers-stealing-salesforce-data/
        https://securityaffairs.com/182159/cyber-crime/fbi-warns-of-salesforce-attacks-by-unc6040-and-unc6395-groups.html
      • WhiteCobra's Playbook Exposed: Critical Mistake Reveals 24-Extension Campaign Targeting VS Code And Cursor
        "A new wave of 24 malicious extensions targeting VSCode, Cursor and Windsurf users has infiltrated the VSCode and OpenVSX marketplaces over the past month, and now we know exactly how they did it. Today we unveil a coordinated campaign by a threat actor group nicknamed WhiteCobra, that we’ve been tracking for over a year. This is the same group behind the $500K crypto theft revealed two months ago and a slew of malicious extensions published on the VSCode and OpenVSX marketplaces in 2024 and 2025, and now they're back with evolved tactics."
        https://www.koi.security/blog/whitecobra-vscode-cursor-extensions-malware
        https://www.bleepingcomputer.com/news/security/whitecobra-floods-vscode-market-with-crypto-stealing-extensions/

      Breaches/Hacks/Leaks

      • Vietnam, Panama Governments Suffer Incidents Leaking Citizen Data
        "Data from the government organizations in Vietnam and Panama was stolen by hackers in multiple cyber incidents that came to light this week. Vietnam’s state news outlet said the country’s Cyber Emergency Response Team (VNCERT) confirmed that it received a report of an incident impacting the National Credit Information Center (CIC), which is run by the State Bank of Vietnam and manages credit information for the country’s citizens and businesses. VNCERT said initial reports show that personal data was leaked as a result of the attack. The organization is now coordinating with multiple agencies and state-owned telecom Viettel on the investigation."
        https://therecord.media/vietnam-cic-panama-finance-ministry-cyberattacks
        https://securityaffairs.com/182189/cyber-crime/shinyhunters-attack-national-credit-information-center-of-vietnam.html
      • China’s Great Firewall Suffers Its Biggest Leak Ever As 500GB Of Source Code And Docs Spill Online — Censorship Tool Has Been Sold To Three Different Countries
        "Chinese censorship sprang a major leak on September 11, when researchers confirmed that more than 500GB of internal documents, source code, work logs, and internal communications from the so-called Great Firewall were dumped online, including packaging repos and operational runbooks used to build and maintain China’s national traffic filtering system. The files appear to originate from Geedge Networks, a company that has long been linked to Fang Binxing — widely described as the “father” of the Great Firewall — and from the MESA lab at the Institute of Information Engineering, a research arm of the Chinese Academy of Sciences."
        https://www.tomshardware.com/tech-industry/chinas-great-firewall-springs-huge-leak
        https://gfw.report/blog/geedge_and_mesa_leak/en/
        https://hackread.com/great-firewall-of-china-data-published-largest-leak/

      General News

      • August 2025 APT Group Trends
        "North Korea-linked APT groups have been intensively launching advanced cyber attacks targeting the areas of diplomacy, finance, technology, media, and policy research in South Korea. They have been highly active in their sophisticated spear-phishing campaigns employing various malware strains, social engineering techniques, and cloud-based C2 infrastructures. They have been combining various infiltration techniques such as LNK and PowerShell-based loaders, steganography (JPEG image concealment), and fileless techniques to distribute RATs and data exfiltration malware."
        https://asec.ahnlab.com/en/90104/
      • Exclusive: US Warns Hidden Radios May Be Embedded In Solar-Powered Highway Infrastructure
        "U.S. officials say solar-powered highway infrastructure including chargers, roadside weather stations, and traffic cameras should be scanned for the presence of rogue devices – such as hidden radios – secreted inside batteries and inverters. The advisory, disseminated late last month by the U.S. Department of Transportation’s Federal Highway Administration, comes amid escalating government action over the presence of Chinese technology in America's transportation infrastructure."
        https://www.reuters.com/legal/government/us-warns-hidden-radios-may-be-embedded-solar-powered-highway-infrastructure-2025-09-10/
        https://www.darkreading.com/ics-ot-security/undocumented-radios-found-solar-powered-devices
      • Your Heartbeat Could Reveal Your Identity, Even In Anonymized Datasets
        "A new study has found that electrocardiogram (ECG) signals, often shared publicly for medical research, can be linked back to individuals. Researchers were able to re-identify people in anonymous datasets with surprising accuracy, raising questions about how health data is protected and shared."
        https://www.helpnetsecurity.com/2025/09/12/heartbeat-ecg-data-privacy-risk/
      • CISOs Brace For A New Kind Of AI Chaos
        "AI is being added to business processes faster than it is being secured, creating a wide gap that attackers are already exploiting, according to the SANS Institute. Attackers are using AI to work at speeds that humans cannot match. Phishing messages are more convincing, privilege escalation happens faster, and automated scripts can adjust mid-attack to avoid detection. The report highlights research showing that AI-driven attacks can move more than 40 times faster than traditional methods. This means a breach can happen before a defender even sees the first alert."
        https://www.helpnetsecurity.com/2025/09/12/sans-ai-security-blueprint/
      • HP Wolf Security Threat Insights Report: September 2025
        "Welcome to the September 2025 edition of the HP Wolf Security Threat Insights Report. In the report, we review notable malware campaigns, trends and techniques identified from HP Wolf Security’s customer telemetry in calendar Q2 2025. In Q2 2025, the HP Threat Research team identified attackers refining their use of living-off-the-land (LOTL) tools to evade detection. In one campaign that targeted businesses, threat actors chained together multiple LOTL tools, including lesser-known ones, to deliver XWorm malware. The final payload was hidden in the pixels of an image (T1027.003) downloaded from a trusted website, decoded via PowerShell (T1059.001), and executed through MSBuild (T1127.001), enabling remote access and data theft."
        https://threatresearch.ext.hp.com/hp-wolf-security-threat-insights-report-september-2025/
        https://threatresearch.ext.hp.com/wp-content/uploads/2025/09/HP_Wolf_Security_Threat_Insights_Report_September_2025.pdf
        https://www.infosecurity-magazine.com/news/attackers-novel-lotl-detection/
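The pixel-hiding step (T1027.003) in the HP Wolf chain, like the JPEG steganography the AhnLab APT trends item above mentions, comes down to a loader reading bytes back out of image data before a living-off-the-land binary runs them. The Python below is an added example, not HP's code or the campaign's: the hiding scheme it implements (a 4-byte length followed by the payload in the least significant bit of each RGB channel byte) is an assumption, one of several schemes such loaders use, and the carrier and the marker payload are constructed. It works on raw RGB bytes so it runs without an image library. `embed_lsb`/`extract_lsb` are the attacker's two halves; `carve` is the defender's check, which attempts the extraction and reports whether the recovered bytes begin with something worth escalating.

```python
from __future__ import annotations

import struct

# Signatures a carved payload might begin with. The table is an assumption,
# chosen to match the HP chain (an MSBuild project, PowerShell) plus a PE header.
SIGNATURES = {
    "PE executable (MZ)": b"MZ",
    "MSBuild project": b"<Project",
    "XML": b"<?xml",
    "PowerShell invoke": b"IEX",
    "PowerShell base64 stage": b"FromBase64String",
}

# Constructed benign marker standing in for a real stage; it only needs to
# start with something the table recognises.
SAMPLE_PAYLOAD = (
    b"<Project ToolsVersion=\"4.0\" "
    b"xmlns=\"http://schemas.microsoft.com/developer/msbuild/2003\">"
    b"<!-- constructed marker, not a real task -->"
    b"</Project>"
)


def make_carrier(width: int, height: int) -> bytes:
    """Synthetic RGB image as raw bytes (3 per pixel): a smooth ramp whose LSB
    plane alternates 0/1 and so yields an implausible length when carved."""
    return bytes(i % 256 for i in range(width * height * 3))


def embed_lsb(pixels: bytes, payload: bytes) -> bytes:
    """Hide len(payload) (4 bytes, big-endian) followed by payload, one bit
    per channel byte, starting at the first byte of the image."""
    data = struct.pack(">I", len(payload)) + payload
    nbits = len(data) * 8
    if nbits > len(pixels):
        raise ValueError("payload too large for carrier")
    out = bytearray(pixels)
    for i in range(nbits):
        bit = (data[i >> 3] >> (7 - (i & 7))) & 1
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)


def _lsb_bytes(pixels: bytes, bit_offset: int, n: int) -> bytes:
    """Reassemble n bytes from the LSBs of pixels[bit_offset:]."""
    out = bytearray()
    for k in range(n):
        b = 0
        for j in range(8):
            b = (b << 1) | (pixels[bit_offset + k * 8 + j] & 1)
        out.append(b)
    return bytes(out)


def extract_lsb(pixels: bytes) -> bytes | None:
    """Inverse of embed_lsb. Returns None when the length header cannot fit in
    the image, which is what a clean carrier normally produces."""
    if len(pixels) < 32:
        return None
    (length,) = struct.unpack(">I", _lsb_bytes(pixels, 0, 4))
    if length == 0 or 32 + length * 8 > len(pixels):
        return None
    return _lsb_bytes(pixels, 32, length)


def carve(pixels: bytes) -> dict:
    """Defender view: try the extraction and name any signature the recovered
    bytes begin with. Scheme-specific by nature; a loader using a different
    encoding needs a different carver."""
    payload = extract_lsb(pixels)
    if payload is None:
        return {"found": False, "length": 0, "signatures": []}
    head = payload[:64]
    hits = [name for name, magic in SIGNATURES.items() if magic in head]
    return {"found": True, "length": len(payload), "signatures": hits}


if __name__ == "__main__":
    carrier = make_carrier(64, 64)
    stego = embed_lsb(carrier, SAMPLE_PAYLOAD)
    print("clean carrier:", carve(carrier))
    print("stego carrier:", carve(stego))
```

For a real file, `Image.open(path).convert("RGB").tobytes()` from Pillow gives the `pixels` argument. The detection lesson from the HP chain is that the image itself is clean by any static measure (it comes from a trusted site and is a valid picture); the observable events are a script host decoding pixel data and MSBuild (T1127.001) being handed a project file that did not come from a build system, so endpoint telemetry on that pairing is the more general control.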
      • Trusted Connections, Hidden Risks: Token Management In The Third-Party Supply Chain
        "You are about to log off for the weekend when a high-severity alert flashes on your cloud security tool’s dashboard. A single, unfamiliar OAuth token is making hundreds of connections from three different IP addresses, two of which are flagged as belonging to an unknown VPN service. The token belongs to a third-party application integrated with the company's Salesforce instance, one of those forgotten dormant integrations. A threat actor has stolen an OAuth token to bypass traditional defenses and is enumerating CRM accounts and exfiltrating sensitive data. A pit forms in your stomach; you are experiencing a supply chain attack."
        https://unit42.paloaltonetworks.com/third-party-supply-chain-token-management/
      • Are Cybercriminals Hacking Your Systems – Or Just Logging In?
        "Why break a door down and set the house alarm off when you have a key and a code to walk in silently? This is the rationale behind a trend in cybersecurity where adversaries are increasingly looking to steal passwords, and even authentication tokens and session cookies to bypass MFA codes so they can access networks by masquerading as legitimate users. According to Verizon, “use of stolen credentials” has been one of the most popular methods for gaining initial access over recent years. The use of stolen credentials appeared in a third (32%) of data breaches last year, its report notes. However, while there are several ways threat actors can get hold of credentials, there are also plenty of opportunities to stop them."
        https://www.welivesecurity.com/en/business-security/cybercriminals-hacking-systems-logging-in/
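The alert in the Unit 42 scenario (one token, hundreds of calls, three source addresses, two of them on an anonymising VPN, from an integration nobody has touched in months) and the "just logging in" pattern ESET describes can both be written as detection logic over API access logs. The Python below is an added example and is not Unit 42's, ESET's or Salesforce's code: the log line format, the thresholds, the VPN ranges (RFC 5737 documentation space standing in for a real anonymiser feed), the token names and the last-seen table are all constructed.

```python
from __future__ import annotations

import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# One API access event per line; the format is an assumption.
LINE_RE = re.compile(r"^(?P<ts>\S+) token=(?P<token>\S+) ip=(?P<ip>\S+) op=(?P<op>\S+)$")

# Stand-in anonymiser/VPN ranges (RFC 5737 documentation space).
VPN_NETS = [ipaddress.ip_network("198.51.100.0/24"), ipaddress.ip_network("203.0.113.0/24")]

# When each integration token was last seen before the window under review (constructed).
LAST_SEEN = {
    "tok_legacy_sync": datetime(2025, 3, 1, tzinfo=timezone.utc),
    "tok_hr_portal": datetime(2025, 9, 11, tzinfo=timezone.utc),
}

MAX_IPS = 2                        # a server-side integration rarely needs more source addresses
BURST = 100                        # requests within BURST_WINDOW
BURST_WINDOW = timedelta(minutes=15)
DORMANT = timedelta(days=90)       # a token silent this long, then suddenly busy, is suspect


def parse(line: str) -> dict | None:
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return {"ts": ts, "token": m["token"], "ip": ipaddress.ip_address(m["ip"]), "op": m["op"]}


def max_in_window(times: list[datetime], window: timedelta) -> int:
    """Largest number of events falling inside any span of length `window`."""
    times = sorted(times)
    best = lo = 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def analyze(lines, vpn_nets=VPN_NETS, last_seen=LAST_SEEN) -> dict[str, list[str]]:
    """Return {token: [reasons]} for every token that trips at least one rule."""
    by_token = defaultdict(list)
    for ev in filter(None, map(parse, lines)):
        by_token[ev["token"]].append(ev)
    findings = {}
    for token, evs in by_token.items():
        reasons = []
        ips = {ev["ip"] for ev in evs}
        if len(ips) > MAX_IPS:
            reasons.append(f"{len(ips)} distinct source IPs")
        vpn_ips = sorted(str(ip) for ip in ips if any(ip in n for n in vpn_nets))
        if vpn_ips:
            reasons.append(f"VPN/anonymiser sources: {', '.join(vpn_ips)}")
        peak = max_in_window([ev["ts"] for ev in evs], BURST_WINDOW)
        if peak > BURST:
            reasons.append(f"burst of {peak} requests in {BURST_WINDOW}")
        first = min(ev["ts"] for ev in evs)
        if token in last_seen and first - last_seen[token] > DORMANT:
            reasons.append(f"dormant integration: last seen {last_seen[token].date()}")
        if reasons:
            findings[token] = reasons
    return findings


def constructed_log() -> list[str]:
    """Two tokens: a forgotten integration being used to enumerate records from
    three addresses, and a normal one on a slow cadence from one corporate IP."""
    start = datetime(2025, 9, 12, 17, 0, tzinfo=timezone.utc)
    lines = []
    srcs = ["192.0.2.77", "198.51.100.23", "203.0.113.9"]
    for i in range(300):
        ts = (start + timedelta(seconds=i)).strftime("%Y-%m-%dT%H:%M:%SZ")
        lines.append(f"{ts} token=tok_legacy_sync ip={srcs[i % 3]} op=query/Account")
    for i in range(20):
        ts = (start + timedelta(minutes=3 * i)).strftime("%Y-%m-%dT%H:%M:%SZ")
        lines.append(f"{ts} token=tok_hr_portal ip=192.0.2.10 op=query/Contact")
    return lines


if __name__ == "__main__":
    for token, reasons in analyze(constructed_log()).items():
        print(token, "->", "; ".join(reasons))
```

None of the four rules is decisive on its own (a legitimate integration can fail over between two data centres, and a batch job legitimately bursts), which is why the output keeps every reason rather than a single score: an alert that says "dormant token, three addresses, two on a VPN, 300 calls in five minutes" is what lets the on-call engineer revoke the token first and investigate afterwards. The inventory step the article implies, knowing which tokens exist and when each was last used, is the `LAST_SEEN` table; without it the dormancy rule cannot fire.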

      Reference
      Electronic Transactions Development Agency (ETDA)

      Posted in Cyber Security News by NCSA_THAICERT
    • Samsung Releases A Patch For Critical Android Zero-Day CVE-2025-21043

      [infographic image]

      Posted in Cyber Security News by NCSA_THAICERT
    • FBI Warns Of Salesforce Attacks By The UNC6040 And UNC6395 Groups

      [infographic image]

      Posted in Cyber Security News by NCSA_THAICERT
    • "HybridPetya": New Ransomware That Can Bypass UEFI Secure Boot

      [infographic image]

      Posted in Cyber Security News by NCSA_THAICERT
    • "RatOn" Android Malware Found Using NFC Relay And ATS Techniques To Attack Banks And Crypto

      [infographic image]

      Posted in Cyber Security News by NCSA_THAICERT
    • KillSec Ransomware Attacks MedicSolution, Affecting Health Data In Brazil

      [infographic image]

      Posted in Cyber Security News by NCSA_THAICERT
    • Warning: Akira Ransomware Group Uses A SonicWall Vulnerability To Attack Organisations Worldwide

      [infographic image]

      Posted in Cyber Security News by NCSA_THAICERT
    • Cyber Threat Intelligence 12 September 2025

      Industrial Sector

      • Siemens SIMATIC Virtualization As a Service (SIVaaS)
        "Successful exploitation of this vulnerability could allow an attacker to access or alter sensitive data without proper authorization."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-254-02
      • Siemens Industrial Edge Management OS (IEM-OS)
        "Successful exploitation of this vulnerability could allow a remote attacker to cause a denial-of-service condition."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-254-06
      • Siemens User Management Component (UMC)
        "Successful exploitation of these vulnerabilities could allow an unauthenticated remote attacker to execute arbitrary code or to cause a denial-of-service condition."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-254-07
      • Daikin Security Gateway
        "Successful exploitation of this vulnerability could allow an attacker to gain unauthorized access to the system."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-254-10
      • Siemens SIMOTION Tools
        "Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code with SYSTEM privileges when a legitimate user installs an application that uses the affected setup component."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-254-01
      • Siemens SINAMICS Drives
        "Successful exploitation of this vulnerability could allow users to escalate their privileges."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-254-03
      • Siemens SINEC OS
        "Successful exploitation of these vulnerabilities could allow an attacker to access non-sensitive information without authentication or potentially cause a temporary denial of service."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-254-04
      • Siemens Apogee PXC And Talon TC Devices
        "Successful exploitation of this vulnerability could allow an attacker to download the device's encrypted database file via BACnet."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-254-05
      • Schneider Electric EcoStruxure
        "Successful exploitation of these vulnerabilities could allow an attacker to cause a denial-of-service condition or disclose sensitive credential data."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-254-08
      • Schneider Electric Modicon M340, BMXNOE0100, And BMXNOE0110
        "Successful exploitation of this vulnerability could allow attackers to prevent firmware updates and disrupt the webserver's proper behavior by removing specific files or directories from the filesystem."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-254-09
      • Threat Landscape For Industrial Automation Systems. Q2 2025
        "In Q2 2025, the percentage of ICS computers on which malicious objects were blocked decreased by 1.4 pp from the previous quarter to 20.5%. Compared to Q2 2024, the rate decreased by 3.0 pp."
        https://ics-cert.kaspersky.com/publications/reports/2025/09/11/threat-landscape-for-industrial-automation-systems-q2-2025/

      Vulnerabilities

      • Critical Chrome Vulnerability Earns Researcher $43,000
        "Researchers have earned significant rewards from Google for reporting two potentially serious vulnerabilities found in the Chrome web browser. Google this week rolled out a Chrome update that fixes two security defects reported by external researchers, including a critical-severity bug in the browser’s Serviceworker component, for which a $43,000 bug bounty reward was paid. Tracked as CVE-2025-10200 and reported by Looben Yang, the critical flaw is described as a use-after-free issue. These types of memory corruption vulnerabilities appear when the program attempts to access memory that has been freed."
        https://www.securityweek.com/critical-chrome-vulnerability-earns-researcher-43000/
        https://securityaffairs.com/182107/security/google-fixes-critical-chrome-flaw-researcher-earns-43k.html
      • CISA Adds One Known Exploited Vulnerability To Catalog
        "CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
        CVE-2025-5086 Dassault Systèmes DELMIA Apriso Deserialization of Untrusted Data Vulnerability"
        https://www.cisa.gov/news-events/alerts/2025/09/11/cisa-adds-one-known-exploited-vulnerability-catalog
      • VMScape: Exposing And Exploiting Incomplete Branch Predictor Isolation In Cloud Environments
        "VMScape (CVE-2025-40300) brings Spectre branch target injection (Spectre-BTI) to the cloud, revealing a critical gap in how branch predictor states are isolated in virtualized environments. Our systematic analysis of protection-domain isolation shows that current mechanisms are too coarse-grained: on all AMD Zen CPUs, including the latest Zen 5, the branch predictor cannot distinguish between host and guest execution, enabling practical cross-virtualization BTI (vBTI) attack primitives. Although Intel’s recent CPUs offer better isolation, gaps still exist."
        https://comsec.ethz.ch/research/microarch/vmscape-exposing-and-exploiting-incomplete-branch-predictor-isolation-in-cloud-environments/
        https://www.bleepingcomputer.com/news/security/new-vmscape-attack-breaks-guest-host-isolation-on-amd-intel-cpus/
        https://www.theregister.com/2025/09/11/vmscape_spectre_vulnerability/
      • Pwn My Ride: Exploring The CarPlay Attack Surface
        "At the recent DefCon conference, we had the opportunity to present Pwn My Ride, a comprehensive exploration of the Apple CarPlay attack surface. With vehicles becoming increasingly connected, the security of in-car systems like CarPlay is critical. Our talk focused on dissecting the protocols that enable CarPlay’s functionality and revealing multiple attack vectors that could be exploited against various CarPlay multimedia systems. A key focus was CVE-2025-24132, a stack buffer overflow vulnerability within the AirPlay protocol that is exposed when a device connects to the car’s multimedia system."
        https://www.oligo.security/blog/pwn-my-ride-exploring-the-carplay-attack-surface
        https://www.darkreading.com/vulnerabilities-threats/apple-carplay-rce-exploit
        https://www.securityweek.com/remote-carplay-hack-puts-drivers-at-risk-of-distraction-and-surveillance/
      • When Typing Becomes Tracking: Study Reveals Widespread Silent Keystroke Interception
        "You type your email address into a website form but never hit submit. Hours later, a marketing email shows up in your inbox. According to new research, that is not a coincidence. A team of researchers from UC Davis, Maastricht University, and other institutions has found that many websites collect keystrokes as users type, sometimes before a form is ever submitted. The study explores how third-party scripts capture and share this information in ways that may fit the legal definition of wiretapping under California law."
        https://www.helpnetsecurity.com/2025/09/11/website-keystroke-tracking-privacy/
        https://arxiv.org/pdf/2508.19825
      • Cisco Patches High-Severity IOS XR Vulnerabilities
        "Cisco on Wednesday released patches for three vulnerabilities in IOS XR software, as part of its September 2025 security advisory bundled publication. Tracked as CVE-2025-20248 (CVSS score of 6), the first of the bugs is a high-severity issue in the IOS XR installation process that could allow attackers to bypass image signature verification. Successful exploitation of the flaw, Cisco explains, could lead to unsigned files being added to an ISO image, which could then be installed and activated on a device."
        https://www.securityweek.com/cisco-patches-high-severity-ios-xr-vulnerabilities/
      • UAE’s K2 Think AI Jailbroken Through Its Own Transparency Features
        "K2 Think, the recently launched AI system from the United Arab Emirates built for advanced reasoning, has been jailbroken by exploiting the quality of its own transparency. Transparency in AI is a quality urged, if not explicitly required, by numerous international regulations and guidelines. The EU AI Act, for example, has specific transparency requirements, including explainability – users must be able to understand how the model has arrived at its conclusion."
        https://www.securityweek.com/uaes-k2-think-ai-jailbroken-through-its-own-transparency-features/

      Malware

      • Trigona Rebranding Suspicions And Global Threats, And BlackNevas Ransomware Analysis
        "BlackNevas has been continuously launching ransomware attacks against companies in various industries and countries, including South Korea. This post provides a technical analysis on the characteristics, encryption methods, and reasons why BlackNevas encrypts files in a way that makes them impossible to decrypt. It is hoped that this post will provide insights for defending against similar threats in the future."
        https://asec.ahnlab.com/en/90080/
      • EvilAI Operators Use AI-Generated Code And Fake Apps For Far-Reaching Attacks
        "In recent weeks, Trend Research has observed a new wave of malware campaigns that infiltrate systems by posing as legitimate AI tools and software – complete with realistic interfaces, code signing, and convincing utility features – making them appear legitimate to end users. Rather than relying on obviously malicious files, these trojans mimic the appearance of real software to go unnoticed into both corporate and personal environments, often gaining persistent access before raising any suspicion."
        https://www.trendmicro.com/en_us/research/25/i/evilai.html
        https://www.darkreading.com/cyberattacks-data-breaches/ai-backed-malware-hits-companies-worldwide
      • Vidar Infostealer Back With a Vengeance
        "The long-running Vidar infostealer has evolved with new obfuscation techniques. That is according to researchers at cybersecurity vendor Aryaka, which published research last week dedicated to a fresh campaign involving the malware-as-a-service Vidar that has emerged in recent weeks. First tracked in late 2018, Vidar is an infostealer that enables affiliates to grab credentials, operating system details, cookies, sensitive financial data, various authentication tokens, and more from compromised environments."
        https://www.darkreading.com/endpoint-security/vidar-infostealer-back-with-vengeance
        https://www.aryaka.com/docs/reports/vidar-infostealer-in-action.pdf
      • PoisonGPT: Weaponizing AI For Disinformation
        "Not all malicious AI tools are designed for immediate profit or hacking — some are crafted to twist the truth at scale. PoisonGPT is a prime example of this darker application of generative AI. Unlike the other tools we’ve explored in this series, PoisonGPT was not sold on forums but instead was developed as a proof-of-concept by security researchers in July 2023 to highlight the risks associated with AI-driven misinformation."
        https://blog.barracuda.com/2025/09/11/poisongpt-weaponizing-ai-disinformation
      • Malicious Facebook Ads Push Fake ‘Meta Verified’ Browser Extensions To Steal Accounts
        "Threat actors are at it again, targeting content creators and businesses with a new malvertising campaign on Meta. This time, the malicious ads are bundled with a video tutorial that guides viewers through the process of downloading and installing a so-called browser extension, which claims to unlock the blue verification tick on Facebook or other special features. At a glance, it looks legitimate, and maybe even helpful. After all, why would scammers go through the trouble of recording tutorials unless the tool really worked? But as the saying goes, “there's no such thing as a free lunch.” This software is nothing more than a malicious browser extension designed to steal your data."
        https://www.bitdefender.com/en-us/blog/hotforsecurity/malicious-facebook-ads-push-fake-meta-verified-browser-extensions-to-steal-accounts
        https://thehackernews.com/2025/09/fake-madgicx-plus-and-socialmetrics.html
      • Uncloaking VoidProxy: a Novel And Evasive Phishing-As-a-Service Framework
        "Okta Threat Intelligence has published a detailed analysis on a previously unreported Phishing-as-a-Service (PhaaS) operation, which its authors name VoidProxy. VoidProxy is a novel and highly evasive service used by attackers to target Microsoft and Google accounts. The service is also capable of redirecting accounts protected by third-party single sign-on (SSO) providers like Okta to second-stage phishing pages. VoidProxy represents a mature, scalable and evasive threat to traditional email security and authentication controls."
        https://sec.okta.com/articles/uncloakingvoidproxy/
        https://www.theregister.com/2025/09/11/voidproxy_phishing_service/
      • Cyberspike Villager – Cobalt Strike’s AI-Native Successor
        "Straiker’s AI Research (STAR) team recently uncovered Villager, an AI-native penetration testing framework in the wild by the Chinese-based group Cyberspike. Originally positioned as a red-team offering, Cyberspike has released an AI-enabled, MCP-supported automation tool called "Villager" that combines Kali Linux toolsets with DeepSeek AI models to fully automate testing workflows. The package is published in PyPI.org and has recorded ~10,000 downloads in two months. The rapid, public availability and automation capabilities create a realistic risk that Villager will follow the Cobalt Strike trajectory: commercially or legitimately developed tooling becoming widely adopted by threat actors for malicious campaigns."
        https://www.straiker.ai/blog/cyberspike-villager-cobalt-strike-ai-native-successor
        https://www.theregister.com/2025/09/11/cobalt_strikes_ai_successor_downloaded/

      Breaches/Hacks/Leaks

      • Panama Ministry Of Economy Discloses Breach Claimed By INC Ransomware
        "Panama's Ministry of Economy and Finance (MEF) has disclosed that one of its computers may have been compromised in a cyberattack. The government noted that it activated the security procedures for these situations, stating that the incident has been contained and didn't impact core systems that are vital to its operations. "The Ministry of Economy and Finance informs the public that today an incident involving possible malicious software was detected on one of the Ministry's workstations," MEF says in an official statement."
        https://www.bleepingcomputer.com/news/security/panama-ministry-of-economy-discloses-breach-claimed-by-inc-ransomware/
      • Exclusive: High-End Fashion Retailers Gucci, Balenciaga, Brioni, And Alexander McQueen Hit By Salesforce Attacks
        "Those readers who aren’t A-listers (including yours truly) may never have heard of Kering, but you may have heard of their high-end fashion brands: Gucci. Yves Saint Laurent. Bottega Veneta. Balenciaga. Alexander McQueen. Brioni. It is some of those fashion brands that are the subject of this post as they fell prey to attacks by ShinyHunters. As far as DataBreaches.net can determine, Kering has yet to publicly acknowledge either of two attacks or to notify customers."
        https://databreaches.net/2025/09/11/exclusive-high-end-fashion-retailers-gucci-balenciaga-brion-and-alexander-mcqueen-hit-by-salesforce-attacks/
      • LNER Reveals Supply Chain Attack Compromised Customer Information
        "The operator of one of the UK’s busiest rail lines has admitted that an unauthorized third party has accessed customer details via a supplier. LNER, the government-owned company that runs east coast services between London and Scotland, revealed the incident in an online update yesterday. “We have been made aware of unauthorised access to files managed by a third-party supplier, which involves customer contact details and some information about previous journeys,” it said."
        https://www.infosecurity-magazine.com/news/lner-supply-chain-attack-customer/
        https://www.theregister.com/2025/09/11/lner_says_customer_data_stolen/
        https://hackread.com/uk-rail-operator-lner-cyber-attack-passenger-data/
        https://www.securityweek.com/uk-train-operator-lner-warns-customers-of-data-breach/
      • France: Three Regional Healthcare Agencies Targeted By Cyber-Attacks
        "French regional healthcare agencies have been targeted by cyber-attacks compromising the personal data of patients across the country. On September 8, the regional healthcare agencies (ARS) for three regions, Hauts-de-France (Upper France), Normandy and Pays de la Loire (Lower Loire), issued security alerts warning about recent cyber-attacks carried out against the servers hosting the identity data of patients from public hospitals in the regions. All three agencies described a very similar incident with the same impact."
        https://www.infosecurity-magazine.com/news/france-regional-healthcare/
      • 100,000 Impacted By Cornwell Quality Tools Data Breach
        "American mobile tools manufacturer Cornwell Quality Tools has informed authorities that a data breach discovered late last year impacts more than 100,000 people. According to notification letters sent out to the affected individuals, Cornwell Quality Tools discovered unusual activity on its network on December 20, 2024. An investigation completed recently showed that hackers had gained access to its systems and files a week earlier. The company is telling impacted people that information such as their name, Social Security number, medical information, and financial account number may have been compromised."
        https://www.securityweek.com/100000-impacted-by-cornwell-quality-tools-data-breach/

      General News

      • Apple Warns Customers Targeted In Recent Spyware Attacks
        "Apple warned customers last week that their devices were targeted in a new series of spyware attacks, according to the French national Computer Emergency Response Team (CERT-FR). CERT-FR is operated by ANSSI, the National Cybersecurity Agency, and is responsible for preventing and mitigating cybersecurity-related incidents impacting public and critical organizations. According to a Thursday advisory, CERT-FR is aware of at least four instances of Apple threat notifications alerting the company's users about mercenary spyware attacks that have occurred since the beginning of the year."
        https://www.bleepingcomputer.com/news/security/apple-warns-customers-targeted-in-recent-spyware-attacks/
        https://cert.ssi.gouv.fr/cti/CERTFR-2025-CTI-010/
      • Global Cyber Threats August 2025: Agriculture In The Crosshairs
        "In August 2025, the global cyber threat landscape presented a complex interplay of stability and alarming new challenges. Organizations around the world confronted an average of nearly 2,000 cyber attacks each week—a slight 1% decrease from July but a stark 10% rise compared to the same month last year. Particularly concerning is the agricultural sector, which has seen a staggering 101% increase in cyber incidents since August 2024. Although the overall volume of attacks has somewhat stabilized, the evolving distribution of threats across industries, regions, and types of attacks suggests a troubling trend that demands our attention. As businesses navigate this new reality, understanding the nuances of the current cyber threat landscape is more critical than ever."
        https://blog.checkpoint.com/research/global-cyber-threats-august-2025-agriculture-hit-hard/
      • How Attackers Weaponize Communications Networks
        "In this Help Net Security interview, Gregory Richardson, Vice President, Advisory CISO Worldwide, at BlackBerry, talks about the growing risks to communications networks. He explains why attackers focus on these networks and how their motivations range from corporate espionage to geopolitical influence. The discussion also covers practical ways to secure networks and maintain reliable communication."
        https://www.helpnetsecurity.com/2025/09/11/gregory-richardson-blackberry-securing-communication-networks/
      • AI Is Everywhere, But Scaling It Is Another Story
        "AI is being adopted across industries, but many organizations are hitting the same obstacles, according to Tines. IT leaders say orchestration is the key to scaling AI. They point to governance, visibility, and collaboration as the critical areas executives need to watch. Organizations are pouring resources into AI, yet many initiatives remain isolated or slow-moving. Without a coordinated approach, AI deployments can become fragmented and harder to secure. Research shows that IT teams see orchestration (coordinating processes, systems, and workflows) as the missing link to scaling AI in a safe and compliant way."
        https://www.helpnetsecurity.com/2025/09/11/ai-enterprise-orchestration-scaling/
      • Why Organizations Need a New Approach To Risk Management
        "To succeed in the risk environment, risk, audit, and compliance leaders need to focus on what Gartner calls “reflexive risk ownership.” This is a future state where business leaders don’t just identify and manage risks after they occur, but instinctively recognize and respond to them as part of their daily decision-making. At the opening keynote of the Gartner Enterprise Risk, Audit & Compliance Conference, Gartner experts highlighted how risks are now emerging faster, overlapping, and becoming harder to classify. This makes it essential for organizations to rethink how they approach risk management."
        https://www.helpnetsecurity.com/2025/09/11/gartner-organizational-risk-management-strategy/
      • AI Emerges As The Hope—and Risk—for Overloaded SOCs
        "The problems faced by SOCs are well known, understood, and quantified – but not yet solved. SMEs get around 500 security alerts every day; larger enterprises receive nearer 3,000. Forty percent of these are never investigated, while 57% of companies suppress their detection rules to lessen the load. Most SOCs cannot cope with the existing alert load, while others seek to reduce it by consciously accepting unknown risk (often in the cloud and identity spheres). These figures come from a Prophet Security analysis (PDF) that canvassed 282 security leaders (CISOs, security directors, managers, and analysts) from companies with more than 1,000 employees, primarily in the United States."
        https://www.securityweek.com/ai-emerges-as-the-hope-and-risk-for-overloaded-socs/
      • Cyberattacks Against Schools Driven By a Rise In Student Hackers, ICO Warns
        "The U.K.’s Information Commissioner's Office (ICO) warned on Thursday that student hackers motivated by dares are driving an increasing number of cyberattacks and data breaches affecting schools. It advised parents to “to have regular conversations with their children about what they get up to online” and warned that children hacking into their school’s computer systems may be setting themselves up for lives of cybercrime."
        https://therecord.media/cyberattacks-against-schools-driven-by-student-hackers
      • Going Dark: ShinyHunters/ScatteredSpider/LAPSUS$ Say Goodbye
        "On September 8, the “scattered LAPSUS$ hunters 4.0” Telegram channel posted: FBI and French LE, great job for the third time arresting the wrong person in France once again. DOJ please stop wasting your budget by flying your agents to France every time to make the WRONG arrest, as it’s almost the end of the fiscal year, please save your money, and please do a better job at investigating us instead of arresting innocent individuals and stop falling for our (most obvious) each and all of our schemes and disinformation campaigns. That person who law enforcement allegedly arrested has been MIA for 6 hours and more. We have always been aware since the beginning. You can make as many arrests as you want and we’ll still be active with the same amount of efficiency as we always were."
        https://databreaches.net/2025/09/11/going-dark-shinyhunters-scatteredspider-lapsus-say-goodbye/

      Reference
      Electronic Transactions Development Agency (ETDA)

      Posted in Cyber Security News
      NCSA_THAICERT
    • Experts say the cutting of undersea internet cables in the Red Sea was likely an “accident” rather than an attack


      You can follow the news on the webboard or on Facebook NCSA Thailand

      Posted in Cyber Security News
      NCSA_THAICERT
    • SAP releases patches fixing vulnerabilities in NetWeaver and S/4HANA


      You can follow the news on the webboard or on Facebook NCSA Thailand

      Posted in Cyber Security News
      NCSA_THAICERT
    • Australian airline Qantas cuts executive pay after a cyberattack


      You can follow the news on the webboard or on Facebook NCSA Thailand

      Posted in Cyber Security News
      NCSA_THAICERT
    • Cyber Threat Intelligence 11 September 2025

      Financial Sector

      • Money Mule Networks Surge 168% Fueling Digital Banking Fraud
        "Organized crime groups have industrialized digital banking fraud operations in the United States, with money mule networks surging 168% in the first half of 2025. Money mules are being recruited at an unprecedented scale, and they're using stablecoins to transfer funds to crypto exchanges. The surge in fraud reflects a fundamental transformation in how criminals launder proceeds from account takeover attacks, investment scams and social engineering schemes before detection systems can intervene, according to BioCatch's 2025 Digital Banking Fraud Trends report."
        https://www.bankinfosecurity.com/money-mule-networks-surge-168-fueling-digital-banking-fraud-a-29406
        https://www.biocatch.com/report-2025-digital-banking-fraud-trends-in-the-united-states

      Healthcare Sector

      • Feds Release Updated HIPAA Security Risk Analysis Tool
        "Federal regulators have updated their HIPAA security risk assessment tool that's long been aimed at helping small and midsized providers and business associates with risk analysis - an activity that many healthcare organizations can't seem to get right. The U.S. Department of Health and Human Services Office for Civil Rights and its Assistant Secretary for Technology Policy - formerly known as the Office of the National Coordinator for Health IT - jointly released version 3.6 of the Security Risk Assessment tool on Tuesday, saying the latest update contains "enhancements and improvements based on current cybersecurity guidance and user feedback from previous versions.""
        https://www.bankinfosecurity.com/feds-release-updated-hipaa-security-risk-analysis-tool-a-29411
        https://www.healthit.gov/topic/privacy-security-and-hipaa/security-risk-assessment-tool

      Industrial Sector

      • ICS Patch Tuesday: Rockwell Automation Leads With 8 Security Advisories
        "Several industrial control systems (ICS) giants have published new security advisories this Patch Tuesday, including Rockwell Automation, Siemens, Schneider Electric, and Phoenix Contact. Rockwell Automation published the highest number of new advisories this Patch Tuesday. The company released eight new advisories, all of them covering high-severity vulnerabilities found recently in the company’s products."
        https://www.securityweek.com/ics-patch-tuesday-rockwell-automation-leads-with-8-security-advisories/
      • Dynamics Of External And Internal Threats To Industrial Control Systems. Q2 2025
        "In Q2 2025, the balance of power in the fight against cyberthreats continued to shift in favor of industrial enterprises — primarily due to the implementation of proactive protection measures and the blocking of threats at early stages. The percentage of ICS computers on which malicious objects were blocked decreased to 20.5% — the lowest level in the past several years."
        https://ics-cert.kaspersky.com/publications/reports/2025/09/10/dynamics-of-external-and-internal-threats-to-industrial-control-systems-q2-2025/

      New Tooling

      • Garak: Open-Source LLM Vulnerability Scanner
        "LLMs can make mistakes, leak data, or be tricked into doing things they were not meant to do. Garak is a free, open-source tool designed to test these weaknesses. It checks for problems like hallucinations, prompt injections, jailbreaks, and toxic outputs. By running different tests, it helps developers understand where a model might fail and how to make it safer."
        https://www.helpnetsecurity.com/2025/09/10/garak-open-source-llm-vulnerability-scanner/
        https://github.com/NVIDIA/garak

      Vulnerabilities

      • Fortinet, Ivanti, Nvidia Release Security Updates
        "Fortinet, Ivanti, and Nvidia on Tuesday announced security updates that address over a dozen high- and medium-severity vulnerabilities across their product portfolios. Ivanti resolved two high-severity insufficient filename validation issues in Endpoint Manager (EPM) that could be exploited remotely, without authentication, to execute arbitrary code. The exploitation of both defects, however, requires user interaction. Additionally, the company announced patches for five high- and six medium-severity vulnerabilities in Connect Secure, Policy Secure, ZTA Gateways, and Neurons for Secure Access."
        https://www.securityweek.com/fortinet-ivanti-nvidia-release-security-updates/

      Malware

      • FastNetMon Detects a Record-Scale DDoS Attack
        "FastNetMon today announced that it detected a record-scale distributed denial-of-service (DDoS) attack targeting the website of a leading DDoS scrubbing vendor in Western Europe. The attack reached 1.5 billion packets per second (1.5 Gpps) — one of the largest packet-rate floods publicly disclosed. The malicious traffic was primarily a UDP flood launched from compromised customer-premises equipment (CPE), including IoT devices and routers, across more than 11,000 unique networks worldwide. The disclosure comes only days after Cloudflare reported mitigating an 11.5 Tbps DDoS attack, showing how attackers are pushing both packet and bandwidth volumes to unprecedented levels."
        https://fastnetmon.com/2025/09/09/press-release-fastnetmon-detects-a-record-scale-ddos-attack/
        https://www.bleepingcomputer.com/news/security/ddos-defender-targeted-in-15-bpps-denial-of-service-attack/
      • Dual Threat: Threat Actors Combine Credential Phishing And Malware
        "Credential phishing and malware are often considered mutually exclusive; it is generally assumed that an email either delivers credential phishing or malware. While this is typically the case, several recent high-impact campaigns have combined credential phishing and malware delivery. These campaigns are noteworthy as they indicate threat actors diversifying and attempting to gather credentials in multiple ways. This method ensures that if a company has invested heavily in malware detection and response at the cost of credential phishing protection or vice versa, the threat actor will be able to gather credentials."
        https://cofense.com/blog/dual-threat-threat-actors-combine-credential-phishing-and-malware
      • ChillyHell: A Deep Dive Into a Modular MacOS Backdoor
        "During routine sample analysis on VirusTotal, Jamf Threat Labs discovered a file that stood out due to a notable method of process reconnaissance being used. Despite the malware family having been documented in the past, it remains unflagged by antivirus vendors. The sample is developer-signed and successfully passed Apple’s notarization process in 2021. Its notarization status remained active until these recent findings."
        https://www.jamf.com/blog/chillyhell-a-modular-macos-backdoor/
        https://thehackernews.com/2025/09/chillyhell-macos-backdoor-and-zynorrat.html
        https://www.darkreading.com/endpoint-security/dormant-macos-backdoor-chillyhell-resurfaces
        https://www.theregister.com/2025/09/10/chillyhell_modular_macos_malware/
      • EggStreme Malware: Unpacking a New APT Framework Targeting a Philippine Military Company
        "A Chinese APT group compromised a Philippine military company using a new, fileless malware framework called EggStreme. This multi-stage toolset achieves persistent, low-profile espionage by injecting malicious code directly into memory and leveraging DLL sideloading to execute payloads. The core component, EggStremeAgent, is a full-featured backdoor that enables extensive system reconnaissance, lateral movement, and data theft via an injected keylogger."
        https://businessinsights.bitdefender.com/eggstreme-fileless-malware-cyberattack-apac
        https://thehackernews.com/2025/09/chinese-apt-deploys-eggstreme-fileless.html
        https://hackread.com/chinese-apt-philippine-military-eggstreme-fileless-malware/
      • AsyncRAT In Action: Fileless Malware Techniques And Analysis Of a Remote Access Trojan
        "Fileless malware continues to evade modern defenses due to its stealthy nature and reliance on legitimate system tools for execution. This approach bypasses traditional disk-based detection by operating in memory, making these threats harder to detect, analyze, and eradicate. A recent incident culminated in the deployment of AsyncRAT, a powerful Remote Access Trojan (RAT), through a multi-stage fileless loader. In this blog, we share some of the key takeaways from this investigation. For an in-depth analysis and full list of identified indicators of compromise (IOCs), download the full report here."
        https://levelblue.com/blogs/security-essentials/asyncrat-in-action-fileless-malware-techniques-and-analysis-of-a-remote-access-trojan
        https://hackread.com/fileless-malware-attack-asyncrat-credential-theft/
      • Analysis Of Backdoor.WIN32.Buterat
        "Backdoor malware is a covert type of malicious software designed to bypass standard authentication mechanisms and provide persistent, unauthorized access to compromised systems. Unlike conventional malware that prioritizes immediate damage or data theft, backdoors focus on stealth and longevity, enabling attackers to control infected endpoints remotely, deploy additional payloads, exfiltrate sensitive information, and move laterally across networks with minimal detection. The Buterat backdoor is a notable example of this threat class, known for its sophisticated persistence techniques and adaptive communication methods with remote command-and-control (C2) servers. First identified in targeted attacks against enterprise and government networks, Buterat commonly spreads through phishing campaigns, malicious attachments, or trojanized software downloads."
        https://www.pointwild.com/threat-intelligence/analysis-of-backdoor-win32-buterat
        https://hackread.com/buterat-backdoor-malware-enterprise-govt-networks/
      • Open Repo, Get Pwned (Cursor RCE)
        "Oasis Security’s research team uncovered a vulnerability in Cursor, the popular AI Code Editor, that allows a maliciously crafted code repository to execute code as soon as it's opened using Cursor, no trust prompt. Cursor ships with Workspace Trust disabled by default, so VS Code-style tasks configured with runOptions.runOn: "folderOpen" auto-execute the moment a developer browses a project. A malicious .vscode/tasks.json turns a casual “open folder” into silent code execution in the user’s context. You can read the Oasis Security Research team’s full report and PoC here."
        https://www.oasis.security/blog/cursor-security-flaw
        https://www.oasis.security/resources/cursor-workspace-trust-vulnerability
        https://www.infosecurity-magazine.com/news/cursor-autorun-flaw-repos-execute/
      • Frankenstein Variant Of The ToneShell Backdoor Targeting Myanmar
        "ToneShell is a lightweight backdoor tied to the China-nexus group Mustang Panda. It is typically delivered via DLL sideloading inside compressed archives with legitimate signed executables and is often spread through cloud-hosted lures. Zscaler’s 2025 analysis described updates to its FakeTLS C2 (shifting from TLS 1.2- to 1.3-style headers), use of GUID-based host IDs, a rolling-XOR scheme, and a minimal command set for file staging and interactive shell access. Notably, some of this activity was observed in Myanmar, a region of strategic importance to China. Targeting Myanmar is particularly interesting as it reflects China’s broader geopolitical interests, spanning border security, infrastructure projects, and political developments, and highlights how cyber operations are leveraged to maintain influence in neighboring states."
        https://intezer.com/blog/frankenstein-variant-of-the-toneshell-backdoor-targeting-myanmar/
      • Notes Of Cyber Inspector: Three Clusters Of Threat In Cyberspace
        "Hacktivism and geopolitically motivated APT groups have become a significant threat to many regions of the world in recent years, damaging infrastructure and important functions of government, business, and society. In late 2022 we predicted that the involvement of hacktivist groups in all major geopolitical conflicts from now on will only increase and this is what we’ve been observing throughout the years. With regard to the Ukrainian-Russian conflict, this has led to a sharp increase of activities carried out by groups that identify themselves as either pro-Ukrainian or pro-Russian."
        https://securelist.com/three-hacktivist-apt-clusters-tools-and-ttps/117324/
      • KillSec Ransomware Is Attacking Healthcare Institutions In Brazil
        "On September 8, 2025, the notorious ransomware group KillSec claimed responsibility for a cyberattack on MedicSolution, a software solutions provider for the healthcare industry in Brazil. The group has threatened to leak sensitive data unless negotiations are initiated promptly. The attack scenario via a critical supply chain IT vendor may put many healthcare organizations in Brazil at risk, especially their patients, as such systems aggregate massive amounts of sensitive personally identifiable information (PII). Hackers attack supply chain because it allows them to compromise multiple targets efficiently and generate more profit through large-scale data theft, ransom demands, and payment diversion."
        https://www.resecurity.com/blog/article/killsec-ransomware-is-attacking-healthcare-institutions-in-brazil
        https://securityaffairs.com/182063/cyber-crime/killsec-ransomware-is-attacking-healthcare-institutions-in-brazil.html
        https://www.infosecurity-magazine.com/news/killsec-ransomware-hits-brazilian/
      • Technical Analysis Of KkRAT
        "Zscaler ThreatLabz has identified a malware campaign targeting Chinese-speaking users, which has been active since early May 2025. The campaign delivers three types of malware: ValleyRAT, FatalRAT, and a new Remote Access Trojan (RAT) that ThreatLabz named kkRAT. The latter shares code similarities with both Ghost RAT and Big Bad Wolf (大灰狼), a RAT typically leveraged by China-based cybercriminals. In this blog post, ThreatLabz examines the attack chain used in the malware campaign and provides a technical analysis of the kkRAT including its core features, network communication protocol, commands, and plugins."
        https://www.zscaler.com/blogs/security-research/technical-analysis-kkrat
      • Researchers Find Spyware On Phones Belonging To Kenyan Filmmakers
        "Digital forensic researchers on Wednesday accused Kenyan authorities of installing spyware on the phones of two filmmakers who helped produce a documentary about the country’s youth uprising. The filmmakers Bryan Adagala and Nicholas Wambugu were arrested on May 2 and released a day later, but authorities held their phones until July 10. The Kenyan government is believed to have installed the spyware FlexiSPY while authorities had custody of the devices, according to Ian Mutiso, a lawyer representing the filmmakers."
        https://therecord.media/researchers-spyware-kenya-filmmaker-phone
      • Akira Ransomware Group Utilizing SonicWall Devices For Initial Access
        "Last month, an Akira ransomware campaign kicked off targeting SonicWall devices. SonicWall followed up with a security advisory. Initially, this was believed to be a new emerging threat, but SonicWall has since disclosed that this is related to the August 2024 CVE (SNWLID-2024-0015), in which remediation steps were not successfully completed. Rapid7 responded by sending emergent threat communications to our customers alerting them to this threat and advising them to prioritize patching. Since that time, the Rapid7 Incident Response (IR) team has observed an uptick in intrusions involving SonicWall appliances."
        https://www.rapid7.com/blog/post/dr-akira-ransomware-group-utilizing-sonicwall-devices-for-initial-access/
        https://www.theregister.com/2025/09/10/akira_ransomware_abusing_sonicwall/
      • AdaptixC2: A New Open-Source Framework Leveraged In Real-World Attacks
        "In early May 2025, Unit 42 researchers observed that AdaptixC2 was used to infect several systems. AdaptixC2 is a recently identified, open-source post-exploitation and adversarial emulation framework made for penetration testers that threat actors are using in campaigns. Unlike many well-known C2 frameworks, AdaptixC2 has remained largely under the radar. There is limited public documentation available demonstrating its use in real-world attacks. Our research looks at what AdaptixC2 can do, helping security teams to defend against it. AdaptixC2 is a versatile post-exploitation framework. Threat actors use it to execute commands, transfer files and perform data exfiltration on compromised systems. Because it’s open-source, threat actors can easily customize and adapt it for their specific objectives. This makes it a highly flexible and dangerous tool."
        https://unit42.paloaltonetworks.com/adaptixc2-post-exploitation-framework/
      • CyberVolk Ransomware: Analysis Of Double Encryption Structure And Disguised Decryption Logic
        "The CyberVolk ransomware, which first emerged in May 2024, has been launching attacks on public institutions and key infrastructures of various countries, posing a continuous threat. The ransomware is particularly notable for its pro-Russia nature, as it primarily targets anti-Russian countries, making it a geopolitically significant cyber threat. This post provides a technical analysis of the internal workings, encryption structure, and reasons why decryption is not possible in order to offer insights for preparing against similar threats in the future."
        https://asec.ahnlab.com/en/90077/

      Breaches/Hacks/Leaks

      • Jaguar Land Rover Confirms Data Theft After Recent Cyberattack
        "Jaguar Land Rover (JLR) confirmed today that attackers also stole "some data" during a recent cyberattack that forced it to shut down systems and instruct staff not to report to work. JLR functions as a standalone entity under Tata Motors India after its purchase from Ford in 2008. With an annual revenue of over $38 billion (£29 billion), JLR employs approximately 39,000 people and makes more than 400,000 vehicles each year. The automobile manufacturer disclosed the attack on September 2, stating that its "production activities have been severely disrupted." JLR has been working to restart its operations and investigating the incident since then with the help of the U.K. National Cyber Security Centre (NCSC)."
        https://www.bleepingcomputer.com/news/security/jaguar-land-rover-jlr-confirms-data-theft-after-recent-cyberattack/
        https://www.bankinfosecurity.com/jaguar-land-rover-hackers-stole-data-a-29407
        https://www.securityweek.com/jaguar-land-rover-admits-data-breach-caused-by-recent-cyberattack/
        https://www.theregister.com/2025/09/10/jaguar_land_rover_breach/

      General News

      • Deepfakes Are Rewriting The Rules Of Geopolitics
        "Deception and media manipulation have always been part of warfare, but AI has taken them to a new level. Entrust reports that deepfakes were created every five minutes in 2024, while the European Parliament estimates that 8 million will circulate across the EU this year. Technologies are capable of destabilizing a country without a single shot being fired. Humans respond faster to bad news and are more likely to spread it. On top of that, they are very bad at detecting fake information. The anti-immigrant riots in the UK show just how fast false claims on social media can spin out of control and turn into real-world violence."
        https://www.helpnetsecurity.com/2025/09/10/deepfakes-and-misinformation-in-geopolitics/
      • Fixing Silent Failures In Security Controls With Adversarial Exposure Validation
        "Organizations often operate as if their security controls are fully effective simply because they’re deployed, configured, and monitored. Firewalls are in place, endpoints are protected, and SIEM rules are running. All good, right? Not so fast. Appearances can be deceiving. And deception can be devastating. Picus Security’s Blue Report 2025 shows that even well-configured environments continue to miss a substantial portion of attacks. In fact, across more than 160 million attack simulations, Picus Labs found that organizations are detecting only 1 out of 7 attacks, exposing a serious gap between perceived and actual security effectiveness."
        https://www.helpnetsecurity.com/2025/09/10/picus-blue-report-security-controls/
        https://picussecurity.com/hubfs/Blue-Report-2025/Blue-Report-2025.pdf
      • AI Agents Are Here, Now Comes The Hard Part For CISOs
        "AI agents are being deployed inside enterprises today to handle tasks across security operations. This shift creates new opportunities for security teams but also introduces new risks. Google Cloud’s new report, The ROI of AI 2025, shows that 52% of organizations using generative AI have moved to agentic AI. These agents are more than chatbots. They can make decisions, execute tasks, and interact with other systems under human oversight. For CISOs, this means security includes managing the behavior and outputs of autonomous systems that directly affect business processes."
        https://www.helpnetsecurity.com/2025/09/10/google-ai-security-roi/
      • CISOs, Stop Chasing Vulnerabilities And Start Managing Human Risk
        "Breaches continue to grow in scale and speed, yet the weakest point remains unchanged: people. According to Dune Security’s 2025 CISO Risk Intelligence Survey, over 90 percent of incidents still originate from user behavior rather than technical flaws. The survey results show that attackers have shifted their methods and that enterprise defenses are struggling to keep pace."
        https://www.helpnetsecurity.com/2025/09/10/ciso-human-centric-risk/
      • Hackers Left Empty-Handed After Massive NPM Supply-Chain Attack
        "The largest supply-chain compromise in the history of the NPM ecosystem has impacted roughly 10% of all cloud environments, but the attacker made little profit off it. The attack occurred earlier this week after maintainer Josh Junon (qix) fell for a password reset phishing lure and compromised multiple highly popular NPM packages, among them chalk and debug-js, that cumulatively have more than 2.6 billion weekly downloads. After gaining access to Junon’s account, the attackers pushed malicious updates with a malicious module that stole cryptocurrency by redirecting transactions to the threat actor."
        https://www.bleepingcomputer.com/news/security/hackers-left-empty-handed-after-massive-npm-supply-chain-attack/
        https://www.wiz.io/blog/widespread-npm-supply-chain-attack-breaking-down-impact-scope-across-debug-chalk
        https://www.securityalliance.org/news/2025-09-npm-supply-chain
        https://www.darkreading.com/application-security/huge-npm-supply-chain-attack-whimper
        https://cyberscoop.com/open-source-npm-package-attack/
        https://www.securityweek.com/highly-popular-npm-packages-poisoned-in-new-supply-chain-attack/
      • Maturing The Cyber Threat Intelligence Program
        "The familiar idiom “walk before you run” summarizes a fundamental truth about skill acquisition: you must master certain foundational capabilities before you can successfully execute more complex activities. This principle applies universally, from learning a new sport to developing highly specialized technical skills. Any area will have foundational skills, activities that anyone competent in the domain can perform, and characteristics that show that an individual (or team) has reached the highest levels of mastery. Capability maturity models (CMMs) outline the hierarchy of skills and activities that may be required within a particular area. The capabilities and characteristics are listed for teams of different levels of maturity operating within a domain. These descriptions can be used to evaluate the current level of a team or to identify the capabilities that must be acquired in order to improve."
        https://blog.talosintelligence.com/maturing-the-cyber-threat-intelligence-program/
      • The Quiet Revolution In Kubernetes Security
        "Security in Kubernetes often feels like a battle fought with legacy assumptions. Even as we push toward ephemeral workloads and container-native applications, most organizations still anchor their clusters on traditional, bloated base operating systems (Ubuntu, CentOS, RHEL), with all the complexity and risk that comes with them. The prevailing security tooling expects (and, in many cases, requires) a shell, a mutable file system, and a general-purpose OS that can run arbitrary agents and scripts. This legacy assumption bleeds into everything: monitoring tools, vulnerability scanners, compliance checks, and even incident response playbooks. Ironically, it also creates an attack surface that contradicts the very security goals these tools aim to achieve."
        https://www.darkreading.com/vulnerabilities-threats/quiet-revolution-kubernetes-security
      • Ransomware Payments Plummet In Education Amid Enhanced Resiliency
        "Ransomware demands and payments have plummeted in the education sector in the past year amid improved resilience and recovery capabilities, according to a new Sophos study. The average ransom demand issued by attackers to lower education providers fell by 74% compared to 2024, from $3.85m to $1.02m. The fall was even more significant in higher education, from $3.55m to $697,000, an 80% decline."
        https://www.infosecurity-magazine.com/news/ransomware-payments-plummet/
        https://www.sophos.com/en-us/whitepaper/state-of-ransomware-in-education
      • Mythical Beasts: Diving Into The Depths Of The Global Spyware Market
        "Lurking in the murky depths of the global marketplace for offensive cyber capabilities sits a particularly dangerous capability—spyware. Spyware’s danger stems from its acute contribution to human rights abuses and national security risks. Most recently, NSO Group, a notorious spyware vendor known to have contributed to the surveillance of journalists, diplomats, and civil society actors across the globe, was fined $168 million in punitive damages by a US court for targeting WhatsApp’s infrastructure with Pegasus spyware. This most recent case reasserts the threat of spyware proliferation to national security and human rights. These risks and harms, coupled with a lack of market transparency, demand ongoing attention to the market’s structure and how actors circumvent accountability."
        https://www.atlanticcouncil.org/in-depth-research-reports/issue-brief/mythical-beasts-diving-into-the-depths-of-the-global-spyware-market/
        https://www.atlanticcouncil.org/in-depth-research-reports/report/mythical-beasts-and-where-to-find-them-mapping-the-global-spyware-market-and-its-threats-to-national-security-and-human-rights/
        https://therecord.media/us-investors-in-spyware-tripled-in-2024
      • CISA Presents Vision For The Common Vulnerabilities And Exposures (CVE) Program
        "The Cybersecurity and Infrastructure Security Agency (CISA) released CISA Strategic Focus: CVE Quality for a Cyber Secure Future. The detailed roadmap identifies priorities that will elevate the program to meet the needs of the global cybersecurity community. The roadmap and priorities are informed by feedback the agency received from a broad spectrum of domestic and international partners and CISA’s years of program sponsorship. It marks the transition from the CVE Program’s Growth Era to its Quality Era, a strategic focus that will enhance trust, boost responsiveness and improve the caliber of vulnerability data."
        https://www.cisa.gov/news-events/news/cisa-presents-vision-common-vulnerabilities-and-exposures-cve-program
        https://www.cisa.gov/resources-tools/resources/cisa-strategic-focus-cve-quality-cyber-secure-future
      • Students Pose Inside Threat To Education Sector
        "K-12 institutions face an onslaught of attacks, especially ones attributed to ransomware gangs. But insider threats are just as prevalent—and they often originate from students. Today's K-12 students grew up with technology at their fingertips. They know how to watch videos, play games, scroll social media, communicate with friends, and create content. They also know how to hack. And they're using that skill to circumvent schools' security protocols."
        https://www.darkreading.com/insider-threats/students-inside-threat-education-sector

      References
      Electronic Transactions Development Agency (ETDA)

      Posted in Cyber Security News
      NCSA_THAICERT
    • September 2025 Monthly Patch

      On 10 September 2025 (B.E. 2568), the Cyber Security Agency of Singapore (CSA) reported that Microsoft has released security patches addressing multiple vulnerabilities in Microsoft software and products. The vulnerabilities rated Critical are listed in the table below.

      Critical-severity vulnerabilities

      | CVE Number | CVE Name | Base Score | Reference |
      |---|---|---|---|
      | CVE-2025-29813 | Azure DevOps Server Elevation of Privilege Vulnerability | 10.0 | Advisory |
      | CVE-2025-29972 | Azure Storage Resource Provider Spoofing Vulnerability | 9.9 | Advisory |
      | CVE-2025-29827 | Azure Automation Elevation of Privilege Vulnerability | 9.9 | Advisory |
      | CVE-2025-47733 | Microsoft Power Apps Information Disclosure Vulnerability | 9.1 | Advisory |
      | CVE-2025-29967 | Remote Desktop Client Remote Code Execution Vulnerability | 8.8 | Advisory |
      | CVE-2025-29966 | Remote Desktop Client Remote Code Execution Vulnerability | 8.8 | Advisory |
      | CVE-2025-47732 | Microsoft Dataverse Remote Code Execution Vulnerability | 8.7 | Advisory |
      | CVE-2025-30386 | Microsoft Office Remote Code Execution Vulnerability | 8.4 | Advisory |
      | CVE-2025-30377 | Microsoft Office Remote Code Execution Vulnerability | 8.4 | Advisory |
      | CVE-2025-33072 | Microsoft msagsfeedback.azurewebsites.net Information Disclosure Vulnerability | 8.1 | Advisory |
      | CVE-2025-29833 | Microsoft Virtual Machine Bus (VMBus) Remote Code Execution Vulnerability | 7.7 | Advisory |

      The complete list of security patches released by Microsoft is available in the
      Microsoft Security Update Guide

      References
      https://www.csa.gov.sg/alerts-and-advisories/alerts/al-2025-089/

      News updates are available on the webboard or on Facebook NCSA Thailand.

      Posted in Cyber Security News
      NCSA_THAICERT