สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand 
โพสต์ถูกสร้างโดย NCSA_THAICERT
-
Mozilla แพตช์ช่องโหว่ Zero-Day 2 รายการในงาน Pwn2Own Berlin พร้อมจ่ายเงินรางวัลรวม $100,000โพสต์ใน Cyber Security News
-
พบโปรแกรม KeePass ปลอม แพร่มัลแวร์ ลอบขโมยรหัสผ่าน และติดตั้งแรนซัมแวร์โพสต์ใน Cyber Security News
สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand
-
Cyber Threat Intelligence 21 May 2025โพสต์ใน Cyber Security News
Industrial Sector
- CISA Releases Thirteen Industrial Control Systems Advisories
"CISA released thirteen Industrial Control Systems (ICS) advisories on May 20, 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS."
https://www.cisa.gov/news-events/alerts/2025/05/20/cisa-releases-thirteen-industrial-control-systems-advisories
Vulnerabilities
- Motors <= 5.6.67 - Unauthenticated Privilege Escalation Via Password Update/Account Takeover
"The Motors theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 5.6.67. This is due to the theme not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary user passwords, including those of administrators, and leverage that to gain access to their account."
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-themes/motors/motors-5667-unauthenticated-privilege-escalation-via-password-updateaccount-takeover
https://www.bleepingcomputer.com/news/security/premium-wordpress-motors-theme-vulnerable-to-admin-takeover-attacks/ - NATO-Flagged Vulnerability Tops Latest VMware Security Patch Batch
"Broadcom-owned VMware on Tuesday rolled out urgent patches for two sets of flaws that expose its flagship infrastructure software to data leakage, command execution and denial-of-service attacks, with no temporary workarounds available. The virtualization technology giant pushed out two separate bulletins documenting at least 7 vulnerabilities in the VMware Cloud Foundation, VMware ESXi, vCenter Server, Workstation, and Fusion product lines."
https://www.securityweek.com/nato-flagged-vulnerability-tops-latest-vmware-security-patch-batch/
https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25733
https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25717 - Freshly Discovered Bug In OpenPGP.js Undermines Whole Point Of Encrypted Comms
"Security researchers are sounding the alarm over a fresh flaw in the JavaScript implementation of OpenPGP (OpenPGP.js) that allows both signed and encrypted messages to be spoofed. Discovered by Codean Labs' Edoardo Geraci and Thomas Rinsma, the vulnerability essentially undermines the core purpose of using public key cryptography to secure communications."
https://www.theregister.com/2025/05/20/openpgp_js_flaw/
https://github.com/openpgpjs/openpgpjs/security/advisories/GHSA-8qff-qr5q-5pr8
Malware
- Ivanti EPMM RCE Vulnerability Chain Exploited In The Wild
"On March 13th, 2025, Ivanti disclosed that Endpoint Manager Mobile (EPMM) is affected by a vulnerability chain combining an authentication bypass (CVE-2025-4427) and a post-authentication remote code execution vulnerability (CVE-2025-4428). These flaws, which stem from unsafe use of Java Expression Language in error messages and misconfigured routing, can be exploited together to achieve unauthenticated RCE. Therefore, while neither of these vulnerabilities have been assigned critical severity (their CVSS scores are 5.3 and 7.2, respectively), in combination they should certainly be treated as critical. Ivanti has confirmed limited exploitation in-the-wild of these vulnerabilities as 0-days prior to their disclosure, and Wiz can now confirm ongoing exploitation in-the-wild of these vulnerabilities."
https://www.wiz.io/blog/ivanti-epmm-rce-vulnerability-chain-cve-2025-4427-cve-2025-4428
https://www.theregister.com/2025/05/21/ivanti_rce_attacks_ongoing/ - Malicious ‘Checker’ Packages On PyPI Probe TikTok And Instagram For Valid Accounts
"We often hear about the importance of secure data. Have I Been Pwned and similar websites exist to see if passwords or emails are listed online. However, many people do not understand the ramifications of their own leaked data. Obtaining valid credentials, even just emails, can initiate an exploit chain. Compromised credentials have been responsible for many cyber incidents, including the 2015 Ukraine electric power attack. A lot of cyber threat actors, from the Lazarus Group to Volt Typhoon, have collected personal emails before initiating an exploit. By ensuring that the email they have is associated with an account, threat actors can target their exploits."
https://socket.dev/blog/malicious-checker-packages-on-pypi-probe-tiktok-and-instagram
https://thehackernews.com/2025/05/malicious-pypi-packages-exploit.html - RedisRaider: Weaponizing Misconfigured Redis To Mine Cryptocurrency At Scale
"Datadog Security Researchers recently discovered an emerging cryptojacking malware campaign targeting Redis on Linux. The threat actor behind this campaign deploys a sophisticated Linux worm that we’ve named RedisRaider. RedisRaider uses custom scanning logic to identify publicly accessible Redis servers across the internet, before exploiting them in an attempt to propagate a fork of the XMRig miner."
https://securitylabs.datadoghq.com/articles/redisraider-weaponizing-misconfigured-redis/
https://thehackernews.com/2025/05/go-based-malware-deploys-xmrig-miner-on.html - Sarcoma Ransomware Unveiled: Anatomy Of a Double Extortion Gang
"It is with great pleasure and honor that I present the first report produced by the Malware Analysis Lab, led by Luigi Martire. The lab was established within the Cybersecurity Observatory of the Unipegaso University, which I have the privilege of directing. Our mission is to analyze the main malware threats affecting systems worldwide, dissect major malicious codes, and share our findings with the international community. This is an open project, so if you are interested, feel free to contact me and contribute to future analyses. Our first report focuses on a very dangerous threat, the Sarcoma Ransomware."
https://securityaffairs.com/178072/malware/sarcoma-ransomware-unveiled-anatomy-of-a-double-extortion-gang.html
https://securityaffairs.com/wp-content/uploads/2025/05/Sarcoma-Ransomware.pdf - VanHelsing Ransomware Builder Leaked On Hacking Forum
"The VanHelsing ransomware-as-a-service operation published the source code for its affiliate panel, data leak blog, and Windows encryptor builder after an old developer tried to sell it on the RAMP cybercrime forum. VanHelsing is a RaaS operation launched in March 2025, promoting the ability to target Windows, Linux, BSD, ARM, and ESXi systems. Since then, the operation has shown some success, with Ransomware.live stating that there are eight known victims for the ransomware gang."
https://www.bleepingcomputer.com/news/security/vanhelsing-ransomware-builder-leaked-on-hacking-forum/ - Cloudy With a Chance Of Hijacking Forgotten DNS Records Enable Scam Actor
"Hazy Hawk is a DNS-savvy threat actor that hijacks abandoned cloud resources of high-profile organizations. By “cloud resources” we mean things like S3 buckets and Azure endpoints. You might have read about domain hijacking; we and other security vendors have written about different techniques for grabbing control of forgotten domain names several times over the past year. While domain names can be hijacked through stolen accounts, we think the most interesting hijacks leverage DNS misconfigurations. Because DNS is not widely understood as a threat vector, these kinds of attacks can run undetected for long periods of time. At the same time, these attacks require a technical sophistication that isn’t commonplace in the cybercriminal world. Hazy Hawk finds gaps in DNS records that are quite challenging to identify, and we believe they must have access to commercial passive DNS services to do so."
https://blogs.infoblox.com/threat-intelligence/cloudy-with-a-chance-of-hijacking-forgotten-dns-records-enable-scam-actor/
https://www.bleepingcomputer.com/news/security/hazy-hawk-gang-exploits-dns-misconfigs-to-hijack-trusted-domains/
https://www.darkreading.com/cloud-security/hazy-hawk-cybercrime-gang-cloud-resources
https://thehackernews.com/2025/05/hazy-hawk-exploits-dns-records-to.html
https://hackread.com/hazy-hawk-attack-abandoned-cloud-assets-since-2023/ - Exploiting The AI Boom: How Threat Actors Are Targeting Trust In Generative Platforms Like Kling AI
"As generative AI continues to capture global attention, threat actors are quick to exploit AI’s capabilities and popularity. From deepfake scams to impersonation attacks, the rising trust in AI-powered platforms has created new openings for cyber criminals. In early 2025, Check Point Research began tracking a sophisticated threat campaign that capitalized on this trend, specifically by impersonating Kling AI, a widely used image and video synthesis tool with over 6 million users."
https://blog.checkpoint.com/security/exploiting-the-ai-boom-how-threat-actors-are-targeting-trust-in-generative-platforms-like-kling-ai/
https://www.darkreading.com/threat-intelligence/fake-kling-ai-malvertisements-lure-victims - Duping Cloud Functions: An Emerging Serverless Attack Vector
"Google Cloud Platform (GCP) Cloud Functions are event-triggered, serverless functions that automatically scale and execute code in response to specific events like Hypertext Transfer Protocol (HTTP) requests or data changes. Tenable Research published an article discussing a vulnerability they discovered within GCP’s Cloud Functions serverless compute service and its Cloud Build continuous integration and continuous delivery or deployment (CI/CD) pipeline service."
https://blog.talosintelligence.com/duping-cloud-functions-an-emerging-serverless-attack-vector/ - Phishing In The Multiverse: Analyzing a Malicious Email Targeting Apple And Yahoo Users
"Apple Pay is a mobile payment and digital wallet service that allows users to make payments using their Apple devices. Digital wallets are now widely embraced, and Apple Pay is considered one of the most trusted and secure platforms. However, even the most secure systems cannot protect against user deception. Cybercriminals are also exploiting these platforms for phishing attacks. In this article, we will break down a recent phishing strategy that cleverly mimics an Apple Pay invoice to steal sensitive user data, including credit card details and their Yahoo Mail account."
https://cofense.com/blog/phishing-in-the-multiverse-analyzing-a-malicious-email-targeting-apple-and-yahoo-users - Large Retailers Land In Scattered Spider's Ransomware Web
"Large retailers across the UK and US experiencing a high volume of calls into IT help desks regarding password resets might want to consider that they have a Scattered Spider cyberattack on their hands. Fancy French fashion house Dior has joined the growing list of retailers falling victim to cyberattacks in recent weeks. The hack comes on the stilettos of previous breaches of Harrods, the Co-Op Group, and Marks & Spencer. Dior was compromised on May 7, and the attackers made off with the sensitive data of an undisclosed number of customers across China and South Korea."
https://www.darkreading.com/threat-intelligence/large-retailers-scattered-spider-ransomware-web - Threat Analysis: Malicious NPM Package Leveraged In O365 Phishing Attack
"In early April 2025, a novel and sophisticated phishing attempt targeting our clients was identified by Fortra’s Suspicious Email Analysis (SEA) team. The threat actor’s main goal was to harvest Microsoft O365 credentials. While phishing attacks are not new, nor a rare occurrence, the approach employed in this case is notable due to its complexity and creative use of modern technologies, including the linking of an .htm file, use of AES, calling to a well-known Content Delivery Network (CDN) and a npm package containing the malicious code. All of these tactics have been observed before, however this is the first time Fortra has documented them being used together to deliver a Microsoft O365 phish."
https://www.fortra.com/blog/threat-analysis-malicious-npm-package-leveraged-o365-phishing-attack
https://www.darkreading.com/threat-intelligence/novel-phishing-attack-combines-aes-npm-packages - New Nitrogen Ransomware Targets Financial Firms In The US, UK And Canada
"Nitrogen, a ransomware strain, has emerged as a major threat to organizations worldwide, with a particular focus on the financial sector. First identified in September 2024, Nitrogen has rapidly gained notoriety for its sophisticated attack methods and devastating impact. This ransomware encrypts critical data and demands substantial payments for decryption. It has targeted industries such as finance, construction, manufacturing, and technology, primarily in the United States, Canada, and the United Kingdom."
https://hackread.com/nitrogen-ransomware-targets-financial-firms-us-uk-canada/ - Hidden Threats Of Dual-Function Malware Found In Chrome Extensions
"An unknown actor has been continuously creating malicious Chrome Browser extensions since approximately February, 2024. The actor creates websites that masquerade as legitimate services, productivity tools, ad and media creation or analysis assistants, VPN services, Crypto, banking and more to direct users to install corresponding malicious extensions on Google’s Chrome Web Store (CWS). The extensions typically have a dual functionality, in which they generally appear to function as intended, but also connect to malicious servers to send user data, receive commands, and execute arbitrary code."
https://dti.domaintools.com/dual-function-malware-chrome-extensions/
https://thehackernews.com/2025/05/100-fake-chrome-extensions-found.html - From Banks To Battalions: SideWinder’s Attacks On South Asia’s Public Sector
"This campaign aligns with previous reporting on SideWinder’s evolving tactics, toolset updates and expanding geographic focus. Earlier analyses have documented the group’s interest in high-value sectors such as nuclear research and maritime infrastructure [1] and its consistent use of legacy Microsoft Office exploits [2] and server-side polymorphism to evade detection [3]. These patterns are also visible in the current campaign, which leverages similar delivery mechanisms alongside credential theft components to maintain persistent access in government environments across South Asia. SideWinder has demonstrated consistent activity over time, maintaining a steady pace of operations without prolonged inactivity — a pattern that reflects organizational continuity and sustained intent."
https://www.acronis.com/en-us/cyber-protection-center/posts/from-banks-to-battalions-sidewinders-attacks-on-south-asias-public-sector/
https://thehackernews.com/2025/05/south-asian-ministries-hit-by.html - Major Russian State Services Disrupted, Reportedly Due To Cyberattack
"Access to several major Russian state services was disrupted on Tuesday, reportedly due to a distributed denial-of-service (DDoS) attack “originating from abroad.” As of the time of writing, outage monitoring site Downdetector showed ongoing disruptions to Russia's tax service (FNS), as well as services for managing secure digital keys (Goskey) and documents (Saby), among others."
https://therecord.media/major-russian-state-services-disrupted-ddos - KrebsOnSecurity Hit With Near-Record 6.3 Tbps DDoS
"KrebsOnSecurity last week was hit by a near record distributed denial-of-service (DDoS) attack that clocked in at more than 6.3 terabits of data per second (a terabit is one trillion bits of data). The brief attack appears to have been a test run for a massive new Internet of Things (IoT) botnet capable of launching crippling digital assaults that few web destinations can withstand. Read on for more about the botnet, the attack, and the apparent creator of this global menace."
https://krebsonsecurity.com/2025/05/krebsonsecurity-hit-with-near-record-6-3-tbps-ddos/
Breaches/Hacks/Leaks
- Mobile Carrier Cellcom Confirms Cyberattack Behind Extended Outages
"Wisconsin wireless provider Cellcom has confirmed that a cyberattack is responsible for the widespread service outage and disruptions that began on the evening of May 14, 2025. The incident disrupted voice and SMS services for customers across Wisconsin and Upper Michigan, leaving subscribers unable to make phone calls or send text messages. Today, after days of just calling it a technical outage, Cellcom CEO Brighid Riordan has confirmed what was already suspected: that the company suffered a cyberattack."
https://www.bleepingcomputer.com/news/security/mobile-carrier-cellcom-confirms-cyberattack-behind-extended-outages/ - SK Telecom Says Malware Breach Lasted 3 Years, Impacted 27 Million Numbers
"SK Telecom says that a recently disclosed cybersecurity incident in April, first occurred all the way back in 2022, ultimately exposing the USIM data of 27 million subscribers. SK Telecom is the largest mobile network operator in South Korea, holding roughly half of the national market. On April 19, 2025, the company detected malware on its networks and responded by isolating the equipment suspected of being hacked."
https://www.bleepingcomputer.com/news/security/sk-telecom-says-malware-breach-lasted-3-years-impacted-27-million-numbers/ - Inside LockBit: The Inner Workings Of a Ransomware Giant
"In May 2025, reports emerged indicating that the LockBit ransomware group had themselves suffered a data breach. This incident revealed a trove of sensitive information, including ransomware build records, chat transcripts between affiliates and victims, and configuration data. The leak offers an unprecedented glimpse into the daily operations of one of the most notorious ransomware-as-a-service (RaaS) ecosystems to date. The exposed data was made available via the Tor network hidden service, appearing on what seemed to be a LockBit ‘onion URL’."
https://www.ontinue.com/resource/inside-lockbit-inner-workings-of-ransomware-giant/
https://hackread.com/lockbit-leak-affiliates-pressure-tactics-rarely-paid/ - Ohio’s Kettering Health System Facing Widespread Outages After Cyberattack
"A cyberattack has disrupted hospitals and medical facilities in Ohio that are run by Kettering Health. A spokesperson told Recorded Future News that the nonprofit hospital network is “currently experiencing a cybersecurity incident resulting from unauthorized access.” In a message on its website and on social media, the network said the incident began on Tuesday morning and caused a system-wide technology outage that limited workers’ ability to access certain patient care systems."
https://therecord.media/kettering-health-system-ohio-cyberattack - Ransomware Attack On Food Distributor Spells More Pain For UK Supermarkets
"It's more bad news for UK supermarkets with chilled and frozen food distribution business Peter Green Chilled confirming a ransomware attack with customers. According to UK public broadcaster the BBC, which saw emails to the customers, the ransomware attack took hold on May 14 and by the following day customers were informed via email. Managing director Tom Binks said "the transport activities of the business" were continuing to run unchanged, although at the time of the emails sent on May 15, the company had said it wouldn't be processing new orders on that day."
https://www.theregister.com/2025/05/20/ransomware_attack_on_food_distributor/
https://therecord.media/peter-green-chilled-ransomware-uk-logistics-company
General News
- Containers Are Just Processes: The Illusion Of Namespace Security
"In the early days of commercial open source, major vendors cast doubt on its security, claiming transparency was a flaw. In fact, that openness fueled strong communities and faster security improvements, making OSS often more secure than proprietary code. Today, a new kind of misinformation has emerged, the opposite of FUD: it downplays real open source security risks that should raise concern. The biggest security fallacy today is that Linux namespaces are security boundaries."
https://www.helpnetsecurity.com/2025/05/20/containers-namespaces-security/ - Why Legal Must Lead On AI Governance Before It’s Too Late
"In this Help Net Security interview, Brooke Johnson, Chief Legal Counsel and SVP of HR and Security, Ivanti, explores the legal responsibilities in AI governance, highlighting how cross-functional collaboration enables safe, ethical AI use while mitigating risk and ensuring compliance."
https://www.helpnetsecurity.com/2025/05/20/brooke-johnson-ivanti-ai-governance/ - AI Voice Hijacking: How Well Can You Trust Your Ears?
"How sure are you that you can recognize an AI-cloned voice? If you think you’re completely certain, you might be wrong. With only three seconds of audio, criminals can now clone a person’s voice, which can easily be obtained from videos shared online or on social media. An American mother almost fell victim to a virtual kidnapping scam, where a cloned voice convincingly mimicked her daughter’s cries for help. This case shows the level of ruthlessness criminals are willing to resort to."
https://www.helpnetsecurity.com/2025/05/20/ai-voice-hijacking-threat/ - Rising Cybersecurity Costs Will Force Organizations To Revisit Strategies
"While spending on cybersecurity continues to increase, it’s not clear to what degree that level of spending is sustainable. Some might argue that after not spending enough on cybersecurity for decades, organizations are starting to realize, and cybersecurity is now finally getting its due. However, there are others who argue that as a percentage of overall IT spending, the amount allocated to cybersecurity is coming at the expense of other strategic imperatives."
https://blog.barracuda.com/2025/05/19/rising-cybersecurity-costs-revisit-strategies - ESET APT Activity Report Q4 2024–Q1 2025
"ESET APT Activity Report Q4 2024–Q1 2025 summarizes notable activities of selected advanced persistent threat (APT) groups that were documented by ESET researchers from October 2024 until the end of March 2025. The highlighted operations are representative of the broader landscape of threats we investigated during this period, illustrating the key trends and developments, and contain only a fraction of the cybersecurity intelligence data provided to customers of ESET’s private APT reports."
https://www.welivesecurity.com/en/eset-research/eset-apt-activity-report-q4-2024-q1-2025/
https://web-assets.esetstatic.com/wls/en/papers/threat-reports/eset-apt-activity-report-q4-2024-q1-2025.pdf
https://www.eset.com/us/about/newsroom/research/eset-research-apt-report-russian-cyberattacks-in-ukraine-intensify-sandworm-unleashes-new-destructive-wiper/
https://thehackernews.com/2025/05/chinese-hackers-deploy-marssnake.html
https://www.darkreading.com/cyber-risk/asia-apt-actors-focus-expands-globally
https://securityaffairs.com/178105/malware/china-linked-unsolicitedbooker-used-new-backdoor-marssnake.html
https://www.infosecurity-magazine.com/news/russian-apt-intensify-cyber/ - Closing Security Gaps In Multi-Cloud And SaaS Environments
"In this Help Net Security interview, Kunal Modasiya, SVP, Product Management, GTM, and Growth at Qualys, discusses recent Qualys research on the state of cloud and SaaS security. He talks about how siloed visibility, fragmented tools, and a lack of incident response skills leave organizations vulnerable to misconfigurations, account hijacking, and other threats. Modasiya explains that only a unified, context-aware security strategy can consolidate risk insights, close remediation gaps, and align with how businesses build and operate applications."
https://www.helpnetsecurity.com/2025/05/20/kunal-modasiya-qualys-cloud-saas-security-strategy/ - Half Of Consumers Targeted By Social Media Fraud Ads
"Around half of consumers on both sides of the Atlantic have been targeted by social media advertising promoting retail fraud guides and services, and thinly disguised ‘refund hacks,’ according to new research from Netacea. The UK-based cybersecurity specialist polled over 2000 consumers in the UK and US to compile its 2025 Cyberfraud in Retail report. The study warned that fraud is increasingly normalized via high-profile ads on the surface web, designed to encourage consumers to participate in scams."
https://www.infosecurity-magazine.com/news/half-consumers-targeted-social/ - PowerSchool Hacker Pleads Guilty To Student Data Extortion Scheme
"A 19-year-old college student from Worcester, Massachusetts, has agreed to plead guilty to a massive cyberattack on PowerSchool that extorted millions of dollars in exchange for not leaking the personal data of millions of students and teachers. According to the U.S. Department of Justice, Matthew D. Lane pleaded guilty to four federal charges of one count each of cyber extortion conspiracy, cyber extortion, unauthorized access to protected computers, and aggravated identity theft."
https://www.bleepingcomputer.com/news/security/powerschool-hacker-pleads-guilty-to-student-data-extortion-scheme/
https://cyberscoop.com/massachusetts-man-will-plead-guilty-in-powerschool-hack-case/ - Account Takeover Scams Are Bypassing Fraud Defenses
"Scammers are increasingly turning to account takeover fraud, as financial institutions ramp up their defenses. Instead of luring victims into making authorized transactions, cybercriminals are bypassing them altogether, hijacking their digital identities and draining accounts from within."
https://www.bankinfosecurity.com/account-takeover-scams-are-bypassing-fraud-defenses-a-28438 - Why Rigid Security Programs Keep Failing
"Attackers don't care about your rules — so why are we still building security programs around them? On paper, everything looks solid: documented steps, escalation flows, and approval gates. But when things go sideways, I've watched those same plans crumble in minutes, especially in organizations obsessed with doing everything by the book."
https://www.darkreading.com/vulnerabilities-threats/rigid-security-programs-fail - Uncensored AI Tool Raises Cybersecurity Alarms
"A new AI chatbot called Venice.ai has gained popularity in underground hacking forums due to its lack of content restrictions. According to a recent investigation by Certo, the platform offers subscribers uncensored access to advanced language models for just $18 a month, significantly undercutting other dark web AI tools like WormGPT and FraudGPT, which typically sell for hundreds or even thousands of dollars. What sets Venice.ai apart is its minimal oversight. The platform stores chat histories only in users’ browsers, not on external servers, and markets itself as “private and permissionless.”"
https://www.infosecurity-magazine.com/news/uncensored-ai-tool-cybersecurity/ - Mounting GenAI Cyber Risks Spur Investment In AI Security
"Around three-quarters (73%) of organizations are investing in AI-specific security tools, amid growing concern about GenAI cyber risks, according to Thales 2025 Data Threat Report. This investment comes either through new budgets or by reallocating existing resources. Over two-thirds have acquired such tools from their cloud providers, three in five are leveraging established security vendors and around half are turning to new or emerging startups."
https://www.infosecurity-magazine.com/news/genai-cyber-risks-investment/ - Vulnerability Exploitation Probability Metric Proposed By NIST, CISA Researchers
"Researchers from CISA and NIST have proposed a new cybersecurity metric designed to calculate the likelihood that a vulnerability has been exploited in the wild. Peter Mell of NIST and Jonathan Spring of CISA have published a paper describing equations for what they call Likely Exploited Vulnerabilities, or LEV. Thousands of vulnerabilities are discovered every year in software and hardware, but only a small percentage are ever exploited in the wild."
https://www.securityweek.com/vulnerability-exploitation-probability-metric-proposed-by-nist-cisa-researchers/
https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.41.pdf
อ้างอิง
Electronic Transactions Development Agency(ETDA)
- CISA Releases Thirteen Industrial Control Systems Advisories
-
Cyber Threat Intelligence 20 May 2025โพสต์ใน Cyber Security News
Telecom Sector
- O2 UK Patches Bug Leaking Mobile User Location From Call Metadata
"A flaw in O2 UK's implementation of VoLTE and WiFi Calling technologies could allow anyone to expose the general location of a person and other identifiers by calling the target. The problem was discovered by security researcher Daniel Williams, who says the flaw existed on O2 UK's network since March 27, 2017, and was resolved yesterday. O2 UK is a British telecommunications service provider owned by Virgin Media O2. As of March 2025, the company reported having nearly 23 million mobile customers and 5.8 million broadband clients across the UK, positioning it as one of the major providers in the country."
https://www.bleepingcomputer.com/news/security/o2-uk-patches-bug-leaking-mobile-user-location-from-call-metadata/
New Tooling
- Hanko: Open-Source Authentication And User Management
"Hanko is an open-source, API-first authentication solution purpose-built for the passwordless era. “We focus on helping developers and organizations modernize their authentication flows by migrating users towards passkeys, while still supporting all common authentication methods like email/password, MFA, OAuth, as well as SAML SSO,” Felix Magedanz, CEO at Hanko, told Help Net Security."
https://www.helpnetsecurity.com/2025/05/19/hanko-open-source-authentication-user-management/
https://github.com/teamhanko/hanko
Vulnerabilities
- CISA Adds Six Known Exploited Vulnerabilities To Catalog
"CISA has added six new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
CVE-2025-4427 Ivanti Endpoint Manager Mobile (EPMM) Authentication Bypass Vulnerability
CVE-2025-4428 Ivanti Endpoint Manager Mobile (EPMM) Code Injection Vulnerability
CVE-2024-11182 MDaemon Email Server Cross-Site Scripting (XSS) Vulnerability
CVE-2025-27920 Srimax Output Messenger Directory Traversal Vulnerability
CVE-2024-27443 Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting (XSS) Vulnerability
CVE-2023-38950 ZKTeco BioTime Path Traversal Vulnerability"
https://www.cisa.gov/news-events/alerts/2025/05/19/cisa-adds-six-known-exploited-vulnerabilities-catalog - Mozilla Fixes Firefox Zero-Days Exploited At Hacking Contest
"Mozilla released emergency security updates to address two Firefox zero-day vulnerabilities demonstrated in the recent Pwn2Own Berlin 2025 hacking competition. The fixes, which include the Firefox on Desktop and Android and two Extended Support Releases (ESR), came mere hours after the conclusion of Pwn2Own, on Saturday, where the second vulnerability was demonstrated. The first flaw, tracked under CVE-2025-4918, is an out-of-bounds read/write issue in the JavaScript engine when resolving Promise objects."
https://www.bleepingcomputer.com/news/security/mozilla-fixes-firefox-zero-days-exploited-at-hacking-contest/
https://thehackernews.com/2025/05/firefox-patches-2-zero-days-exploited.html
https://securityaffairs.com/178064/security/mozilla-fixed-zero-days-demonstrated-at-pwn2own-berlin-2025.html
Malware
- Fake KeePass Password Manager Leads To ESXi Ransomware Attack
"Threat actors have been distributing trojanized versions of the KeePass password manager for at least eight months to install Cobalt Strike beacons, steal credentials, and ultimately, deploy ransomware on the breached network. WithSecure's Threat Intelligence team discovered the campaign after they were brought in to investigate a ransomware attack. The researchers found that the attack started with a malicious KeePass installer promoted through Bing advertisements that promoted fake software sites."
https://www.bleepingcomputer.com/news/security/fake-keepass-password-manager-leads-to-esxi-ransomware-attack/
https://labs.withsecure.com/content/dam/labs/docs/W_Intel_Research_KeePass_Trojanised_Malware_Campaign.pdf - RVTools Bumblebee Malware Attack – How a Trusted IT Tool Became a Malware Delivery Vector
"The RVTools Bumblebee Malware Attack earlier this week serves as a real-world example of a supply chain compromise that briefly turned a trusted tool into a malware delivery vector. On May 13 2025, our security operations team responded to a high-confidence alert from Microsoft Defender for Endpoint. An employee had attempted to install RVTools—a trusted VMware environment reporting utility. Within moments of launching the installer, Defender flagged a suspicious file: version.dll, which was attempting to execute from within the same directory as the installer itself. RVTools has long been regarded as a legitimate and safe tool used across many enterprises. However, this incident triggered immediate concern, as this behavior is highly atypical for the installer and hinted at a potential compromise. A hash check and upload to VirusTotal revealed 33 out of 71 antivirus engines detecting it as malicious, identifying it as a variant of the Bumblebee loader malware."
https://zerodaylabs.net/rvtools-bumblebee-malware/
https://thehackernews.com/2025/05/rvtools-official-site-hacked-to-deliver.html
https://www.helpnetsecurity.com/2025/05/19/rvtools-installer-malware/ - CTM360 Maps Out Real-Time Phishing Infrastructure Targeting Corporate Banking Worldwide
"A phishing operation that targets corporate banking accounts across the globe has been analyzed in a new report by CTM360. The campaign uses fake Google ads, advanced filtering techniques, to steal sensitive login credentials and bypass MFA. Researchers uncovered more than 12,000 malicious redirector URLs spread across 35 unique potential phishing redirector templates. The infrastructure supports two distinct phishing techniques, both of which are difficult to detect and designed to evade automated scanning tools."
https://www.helpnetsecurity.com/2025/05/19/ctm360-cyberheist-phish-report/
https://www.ctm360.com/reports/cyberheist-phish-report
Breaches/Hacks/Leaks
- Legal Aid Agency Admits Major Breach Of Applicant Data
"An April breach at the UK’s Legal Aid Agency resulted in the theft of a large volume of personal information belonging to applicants, including criminal records, the Ministry of Justice (MoJ) has admitted. The agency, which provides citizens with access to vital civil and criminal legal services, first became aware of the attack on April 23. However, on Friday it discovered the extent of the breach was much greater than at first thought and has temporarily shut down its online services. “We believe the group has accessed and downloaded a significant amount of personal data from those who applied for legal aid through our digital service since 2010,” it admitted."
https://www.infosecurity-magazine.com/news/legal-aid-agency-admits-major/
https://www.theregister.com/2025/05/19/legal_aid_agency_data_theft/
https://therecord.media/uk-legal-aid-agency-data-breach
https://www.bleepingcomputer.com/news/security/uk-legal-aid-agency-confirms-applicant-data-stolen-in-data-breach/
https://www.darkreading.com/remote-workforce/legal-aid-agency-data-breach
https://www.bankinfosecurity.com/hackers-nab-15-years-uk-legal-aid-applicant-data-a-28431
https://hackread.com/uk-legal-aid-agency-cyberattack-sensitive-data-stolen/
https://www.securityweek.com/uk-legal-aid-agency-finds-data-breach-following-cyberattack/ - Arla Foods Confirms Cyberattack Disrupts Production, Causes Delays
"Arla Foods has confirmed to BleepingComputer that it was targeted by a cyberattack that has disrupted its production operations. The Danish food giant clarified that the attack only affected its production unit in Upahl, Germany, though it expects this will result in product delivery delays or even cancellations. "We can confirm that we have identified suspicious activity at our dairy site in Upahl that impacted the local IT network," stated an Arla spokesperson. "Due to the safety measures initiated as a result of the incident, production was temporarily affected.""
https://www.bleepingcomputer.com/news/security/arla-foods-confirms-cyberattack-disrupts-production-causes-delays/ - DDoSecrets Adds 410GB Of TeleMessage Breach Data To Index
"On the 4th of May 2025, TeleMessage, an Israeli company providing modified versions of encrypted messaging apps like Signal, suffered a major data breach. The breach exposed archived messages, contact information of government officials, and backend login credentials. The hacker, whose identity is still unknown, exploited a vulnerability in the company’s system, accessing a publicly exposed Java heap dump file that contained sensitive information. This incident raised serious concerns about the security of communications at the highest levels of the United States government, especially since former National Security Advisor Mike Waltz was seen using TeleMessage’s TM SGNL app during a cabinet meeting."
https://hackread.com/ddosecrets-adds-410gb-telemessage-breach-data-index/ - 200,000 Harbin Clinic Patients Impacted By NRS Data Breach
"Georgia healthcare provider Harbin Clinic is notifying over 200,000 people that their personal information was stolen in a July 2024 data breach at debt collector Nationwide Recovery Services (NRS). The incident was discovered after suspicious activity on NRS’s internal systems resulted in a network outage. The third-party collection agency discovered that the attackers accessed its network between July 5 and July 11, and stole certain data."
https://www.securityweek.com/200000-harbin-clinic-patients-impacted-by-nrs-data-breach/
https://www.bankinfosecurity.com/debt-collector-hack-affects-long-list-clients-patients-a-28429 - Official UK Records Confirm Cyberattacks Put NHS Patients At Risk Of Clinical Harm
"Two cyberattacks affecting Britain’s National Health Service (NHS) last year put patients at risk of clinical harm, according to official data obtained by Recorded Future News. The data, recorded by the government under the Network and Information Systems (NIS) Regulations and obtained under the Freedom of Information Act, does not identify specific incidents but highlights the growing threat that financially motivated cyber incidents pose to public safety. It follows the head of the National Cyber Security Centre, Richard Horne, telling cybersecurity practitioners earlier this month that their work was “not just about protecting systems, it’s about protecting our people, our economy, our society, from harm.”"
https://therecord.media/uk-nhs-data-two-cyberattacks-clinical-harm-2024
General News
- AI Hallucinations And Their Risk To Cybersecurity Operations
"AI systems can sometimes produce outputs that are incorrect or misleading, a phenomenon known as hallucinations. These errors can range from minor inaccuracies to misrepresentations that can misguide decision-making processes."
https://www.helpnetsecurity.com/2025/05/19/ai-hallucinations-risk-cybersecurity-operations/ - Why EU Encryption Policy Needs Technical And Civil Society Input
"In this Help Net Security interview, Full Professor at University of Leuven, unpacks the European Commission’s encryption agenda, urging a balanced, technically informed approach to lawful access that safeguards privacy, security, and fundamental rights across the EU."
https://www.helpnetsecurity.com/2025/05/19/bart-preneel-university-of-leuven-eu-encryption-policy/ - Dead Man’s Scripts: The Security Risk Of Forgotten Scheduled Tasks In Legacy Systems
"There are ghosts in the machine. Not the poetic kind. I mean literal, running-code-with-root-access kind. The kind that was set up ten years ago by an admin who retired five jobs ago. The kind that still wakes up every night at 3:30 a.m.; processes something no one remembers, and then quietly vanishes into the system logs. Until, of course, something goes wrong—or someone takes advantage of it. Welcome to the world of dead man's scripts: outdated, unsupervised scheduled tasks buried deep inside legacy systems."
https://www.tripwire.com/state-of-security/dead-mans-scripts-security-risk-forgotten-scheduled-tasks-legacy-systems - #Infosec2025: How CISOs Can Stay Ahead Of Evolving Cloud Threats
"Cloud environments have become a lucrative target for cyber-threat actors, a subject that will be discussed by experts during the upcoming Infosecurity Europe conference. Research has shown that nearly half of all data breaches now originate in the cloud, with 80% of organizations experiencing a cloud security breach in the past year. This is a result of organizations moving their key applications and data from on-prem to cloud environments to improve efficiency."
https://www.infosecurity-magazine.com/news/infosec2025-cisos-evolving-cloud/ - Hackers Earn Over $1 Million At Pwn2Own Berlin 2025
"More than $1 million were paid out at the Pwn2Own Berlin 2025 hacking competition organized last week by Trend Micro’s Zero Day Initiative (ZDI) in Berlin, Germany. ZDI announced that white hat hackers have been awarded a total of $1,078,750 for 28 previously unknown vulnerabilities across operating systems, AI products, container software, browsers, virtualization software, and servers. Of the total amount, $140,000 was earned for AI hacks, including ones targeting the Chroma open source AI application database, and NVIDIA’s Triton Inference Server and Container Toolkit. This was the first Pwn2Own to include the AI category."
https://www.securityweek.com/hackers-earn-over-1-million-at-pwn2own-berlin-2025/
https://www.bleepingcomputer.com/news/security/hackers-earn-1-078-750-for-28-zero-days-at-pwn2own-berlin/
https://securityaffairs.com/178040/hacking/pwn2own-berlin-2025-total-prize-money-reached-1078750.html - From Classrooms To Code Red: 3,000+ Cyber Threats Hit U.S. Schools And Universities Weekly
"Classrooms and campuses have gone fully digital — and continue to innovate – while cyber criminals are exploiting every gap in that transformation. Schools, colleges, and universities are rapidly digitalizing, but with limited cyber security infrastructure and strained IT resources, they are increasingly vulnerable to cyber attacks. According to new data from Check Point Research, the education sector has seen an alarming surge in cyber threats over the past 18 months. In January 2024, the average number of weekly attacks per education organization stood at 1,176. By April 2025, that number had nearly tripled to 3,323. This steady and significant rise paints a clear picture: education is one of the most targeted sectors in today’s cyber threat landscape."
https://blog.checkpoint.com/security/from-classrooms-to-code-red-3000-cyber-threats-hit-u-s-schools-and-universities-weekly/ - CVE Disruption Threatens Foundations Of Defensive Security
"The Common Vulnerabilities and Exposures (CVE) program has been a constant for the cybersecurity community for more than 25 years. Operating behind the scenes, the program has consistently connected the dots between threat research, patching, incident response, and training. Today, it remains fundamental to many of the cybersecurity tools and strategies keeping organizations and critical national infrastructure protected. But now, as its future hangs on a temporary 11-month funding extension, this once-reliable backbone is under pressure."
https://www.darkreading.com/threat-intelligence/cve-disruption-threatens-foundations-defensive-security - Preventing Malicious Mobile Apps From Taking Over iOS Through App Vetting
"Mobile devices, particularly those running iOS, are widely assumed to have robust security and privacy features. However, no operating system is foolproof, and one of the most significant vulnerabilities arises not from the system itself but from the apps users install. Most organizations fail to recognize that the non-work related apps on corporate devices may inadvertently open the door to attackers to steal sensitive data, including corporate credentials. Malicious mobile apps can exploit permissions, introduce malware, or exfiltrate sensitive data, often without users realizing the extent of their access. While Apple’s App Store has good review processes, sideloaded apps or apps from less reputable sources pose a particularly high risk. In an era where mobile devices are integral to business operations, neglecting app vetting can lead to severe consequences, including data breaches, compliance failures, and reputational harm."
https://zimperium.com/blog/preventing-malicious-mobile-apps-from-taking-over-ios-through-app-vetting
https://hackread.com/40000-ios-apps-found-exploiting-private-entitlements/
อ้างอิง
Electronic Transactions Development Agency(ETDA)
- O2 UK Patches Bug Leaking Mobile User Location From Call Metadata
-
FBI เตือนภัย! ข้าราชการสหรัฐฯ ถูกโจมตีด้วยข้อความและเสียงปลอมจาก AI เลียนแบบเจ้าหน้าที่ระดับสูงโพสต์ใน Cyber Security News
สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand
-
พบอุปกรณ์ต้องสงสัยในอินเวอร์เตอร์ที่ผลิตจากจีน หวั่นถูกใช้ปิดระบบไฟฟ้าระยะไกลโพสต์ใน Cyber Security News
สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand
-
ช่องโหว่ร้ายแรงในปลั๊กอิน WordPress Crawlomaticโพสต์ใน Cyber Security News
Cyber Security Agency of Singapore (CSA)ได้เผยแพร่เกี่ยวกับ Wordfence ได้ออกอัปเดตความปลอดภัยเพื่อแก้ไขช่องโหว่ร้ายแรงที่พบในปลั๊กอิน Crawlomatic ของ WordPress ซึ่งช่องโหว่นี้มีรหัส CVE-2025-4389 และได้รับคะแนนความรุนแรงจากระบบ CVSSv3.1 สูงถึง 9.8 จาก 10
ผลกระทบจากช่องโหว่
ช่องโหว่ดังกล่าวเปิดโอกาสให้ผู้โจมตีที่ไม่ได้รับการยืนยันตัวตนสามารถอัปโหลดไฟล์อันตราย และดำเนินการรันโค้ดจากระยะไกลบนเว็บไซต์ที่ใช้ปลั๊กอินนี้ได้ผลิตภัณฑ์ที่ได้รับผลกระทบ
ช่องโหว่นี้ส่งผลกระทบต่อปลั๊กอิน WordPress Crawlomatic เวอร์ชัน 2.6.8.1 และเวอร์ชันก่อนหน้านั้นแนวทางป้องกัน
ผู้ดูแลระบบและผู้ใช้งานปลั๊กอินที่ได้รับผลกระทบควรรีบดำเนินการอัปเดตเป็นเวอร์ชันล่าสุดโดยทันที เพื่อป้องกันความเสี่ยงจากการถูกโจมตีอ้างอิง
https://www.csa.gov.sg/alerts-and-advisories/alerts/al-2025-046สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand
-
CISA สหรัฐฯ เพิ่มช่องโหว่ของ Google Chromium, ของเราเตอร์ DrayTek และ SAP NetWeaver ลงใน Known Exploited Vulnerabilities Catalogโพสต์ใน Cyber Security News
สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand
-
Dynamic DNS เครื่องมือในมือของอาชญากรไซเบอร์ที่ใช้เพื่อปกปิดกิจกรรมของพวกเขาและปลอมแปลงตัวตนโพสต์ใน Cyber Security News
สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand
-
Cyber Threat Intelligence 19 May 2025โพสต์ใน Cyber Security News
Healthcare Sector
- Healthcare Cyber-Attacks Intensify, Sector Now Prime Target
"Cyber-attacks targeting healthcare have “noticeably increased” in intensity, with the sector suffering more incidents than other key industries in 2024, according to new data from Darktrace. The cybersecurity vendor revealed it responded to 45 cybersecurity incidents impacting healthcare organizations last year. This was higher than finance (37), energy (22), insurance (14) and telecoms (12)."
https://www.infosecurity-magazine.com/news/healthcare-cyber-attacks-intensify/
https://www.darktrace.com/resources/state-of-cyber-uk-us-brazil-healthcare-2025
Malware
- Printer Company Provided Infected Software Downloads For Half a Year
"When Cameron Coward, the Youtuber behind the channel Serial Hobbyism, wanted to review a $6k UV printer and plugged in the USB flash drive with the printer software, the Antivirus software alerted him of a USB-spreading worm and a Floxif infection. Floxif is a file infector that attaches itself to Portable Executable files, so it can spread to network shares, removable drives like USB flash drives or backup storage systems. The printer company Procolored assured him at first that these were false positives. Nevertheless, Cameron turned to Reddit in the hopes of finding a professional malware analyst who can figure out the truth."
https://www.gdatasoftware.com/blog/2025/05/38200-printer-infected-software-downloads
https://www.bleepingcomputer.com/news/security/printer-maker-procolored-offered-malware-laced-drivers-for-months/ - Ransomware Gangs Increasingly Use Skitnet Post-Exploitation Malware
"Ransomware gang members increasingly use a new malware called Skitnet ("Bossnet") to perform stealthy post-exploitation activities on breached networks. The malware has been offered for sale on underground forums like RAMP since April 2024, but according to Prodaft researchers, it started gaining significant traction among ransomware gangs since early 2025. Prodaft told BleepingComputer they have observed multiple ransomware operations deploying Skitnet in real-world attacks, including BlackBasta in Microsoft Teams phishing attacks against the enterprise, and Cactus. The malware promoted on underground forums"
https://www.bleepingcomputer.com/news/security/ransomware-gangs-increasingly-use-skitnet-post-exploitation-malware/
https://catalyst.prodaft.com/public/report/skitnet/overview - FDD Uncovers Likely Chinese Intelligence Operation Targeting Recently Laid-Off U.S. Government Employees
"Chinese intelligence moved quickly to take advantage of the mass layoffs of federal workers that began right after the Trump administration took office. On Craigslist.org, a post advertising “Job Opportunities for Recently Laid-Off U.S. Government Employees” appeared on February 6 on the website’s Washington, DC, jobs board.1 The post links to the website of what is supposedly a consulting services company located in Singapore.2 Yet peering beneath the surface reveals that this company is part of a broader network of websites, LinkedIn pages, and job advertisements that appear to be a Chinese intelligence operation."
https://www.fdd.org/analysis/2025/05/16/fdd-uncovers-likely-chinese-intelligence-operation-targeting-recently-laid-off-u-s-government-employees/
https://www.bankinfosecurity.com/former-us-govt-employees-targeted-by-chinese-intelligence-a-28425
https://www.theregister.com/2025/05/16/attn_fired_us_govt_workers/ - Ransomware Roundup – VanHelsing
"FortiGuard Labs gathers data on ransomware variants of interest that have been gaining traction within our datasets and the OSINT community. The Ransomware Roundup report aims to provide readers with brief insights into the evolving ransomware landscape and the Fortinet solutions that protect against those variants. This edition of the Ransomware Roundup covers the VanHelsing ransomware."
https://www.fortinet.com/blog/threat-research/ransomware-roundup-vanhelsing - Backdoor Implant Discovered On PyPI Posing As Debugging Utility
"Threat actors have all kinds of motivations for targeting open-source software (OSS) repositories like the Python Package Index (PyPI). Financial gain is one of them. As ReversingLabs (RL) 2025 Software Supply Chain Security Report noted, there were close to two dozen software supply chain campaigns in 2024 alone that targeted developers working on cryptocurrency applications. But financial gain is just one motivation. Geopolitical tensions and political activism are another, as can be seen in a new malicious campaign that RL researchers detected on the PyPI this week, which may be linked to a threat actor that works in support of Ukraine since the Russian invasion of that country in 2022."
https://www.reversinglabs.com/blog/backdoor-implant-discovered-on-pypi-posing-as-debugging-utility
https://hackread.com/ukraine-group-russian-developers-python-backdoor/ - High Risk Warning For Windows Ecosystem: New Botnet Family HTTPBot Is Expanding
"In April 2025, the Global Threat Hunting system of NSFOCUS Fuying Lab detected a significant increase in the activity of a new Botnet Trojan developed based on Go language. Given that many of its built-in DDoS attack methods are HTTP-based, Fuying Lab named it HTTPBot. The HTTPBot Botnet family first came into our monitoring scope in August 2024. Over the past few months, it has expanded aggressively, continuously leveraging infected devices to launch external attacks. Monitoring data indicates that its attack targets are primarily concentrated in the domestic gaming industry. Additionally, some technology companies and educational institutions have also been affected. The attack of this Botnet family is highly targeted, with attackers employing a periodical and multi-stage attack strategy to conduct continuous saturation attacks on selected targets."
https://nsfocusglobal.com/high-risk-warning-for-windows-ecosystem-new-botnet-family-httpbot-is-expanding/
https://thehackernews.com/2025/05/new-httpbot-botnet-launches-200.html
https://securityaffairs.com/177930/malware/new-botnet-httpbot-targets-gaming-and-tech-industries-with-surgical-attacks.html - New 'Defendnot' Tool Tricks Windows Into Disabling Microsoft Defender
"A new tool called 'Defendnot' can disable Microsoft Defender on Windows devices by registering a fake antivirus product, even when no real AV is installed. The trick utilizes an undocumented Windows Security Center (WSC) API that antivirus software uses to tell Windows it is installed and is now managing the real-time protection for the device. When an antivirus program is registered, Windows automatically disables Microsoft Defender to avoid conflicts from running multiple security applications on the same device."
https://www.bleepingcomputer.com/news/microsoft/new-defendnot-tool-tricks-windows-into-disabling-microsoft-defender/ - Cl0p Ransomware: The Skeezy Invader That Bites While You Sleep
"Cl0p ransomware is a private ransomware operation run by an organized cybercrime group known as TA505. The Cl0p operation is just one of several units of the TA505 criminal enterprise, and it is thought to be the most profitable. Since its emergence in 2019, Cl0p has extorted over $500 million in ransom payments and has directly affected thousands of organizations and tens of millions of individuals globally. In the final quarter of 2024, Cl0p outpaced Akira and overtook RansomHub to become the most active ransomware group in the landscape. In the first quarter of 2025, Cl0p surpassed LockBit as the most prolific ransomware group, based on publicly disclosed breaches."
https://blog.barracuda.com/2025/05/16/cl0p-ransomware--the-skeezy-invader-that-bites-while-you-sleep - DBatLoader (ModiLoader) Being Distributed To Turkish Users
"Recently, AhnLab SEcurity intelligence Center (ASEC) has identified cases of the ModiLoader (DBatLoader) malware being distributed via email. ModiLoader ultimately executes SnakeKeylogger. SnakeKeylogger is an Infostealer-type malware developed in .NET. It is known for its data exfiltration methods using emails, FTP, SMTP, or Telegram. Figure 1 shows the email being distributed. The email is written in Turkish and is being distributed by impersonating a Turkish bank. Users are prompted to open the malicious attachment to check their transaction history."
https://asec.ahnlab.com/en/88025/ - Etherhide Technique Using Blockchain As C&C Infrastructure
"Threat actors have been utilizing various techniques and channels to evade tracking and blocking of their Command and Control (C&C) infrastructures. For example, they use Fast-Flux to rapidly change IP addresses and maintain domains, Bulletproof Hosting to use infrastructures located in countries where legal measures are difficult, and public platforms such as Telegram, Pastebin, and Twitter. Recently, there have been cases of threat actors utilizing the anonymity and censorship resistance of blockchain technology. This post will examine Etherhide, a technique that uses smart contracts as C&C infrastructures, and introduce cases of its abuse."
https://asec.ahnlab.com/en/88009/
Breaches/Hacks/Leaks
- Agentic AI Tech Firm Says Health Data Leak Affects 483,000
"Serviceaide, a provider of agentic artificial intelligence-based IT management and workflow software, reported to regulators that an inadvertent exposure of data on the web has affected more than 483,000 patients of client Catholic Health, a network of six hospitals and dozens of other facilities in western New York. California-based Serviceaide reported the incident as an unauthorized access/disclosure breach to the U.S. Department of Health and Human Services on May 9. As of Friday, several class action law firms had already issued public notices saying they are investigating the breach for potential lawsuits."
https://www.bankinfosecurity.com/agentic-ai-tech-firm-says-health-data-leak-affects-483000-a-28424 - Russian Hospital Faces Multi-Day Shutdown As Pro-Ukraine Group Claims Cyberattack
"A private hospital in the Russian republic of Chuvashia experienced a multi-day disruption this week likely linked to a cyberattack claimed by a pro-Ukraine hacker group. On Tuesday, Lecardo Clinic announced a "technical failure" that led to a three-day shutdown of its operations. "We're doing everything we can to restore our operations, but it's taking longer than expected,” they said. “Once our software is fully restored, we'll notify you.""
https://therecord.media/russia-hospital-shutdown-lecardo - Broadcom Employee Data Stolen By Ransomware Crooks Following Hit On Payroll Provider
"A ransomware attack at a Middle Eastern business partner of payroll company ADP has led to customer data theft at Broadcom, The Register has learned. It's understood Broadcom's HR department has begun the process of informing current and former staff who are affected by the September ransomware attack at Business Systems House (BSH). Broadcom no longer uses ADP or by extension BSH for payroll in the Middle East, the internal email confirmed, and at the time of the incident the company was in the process of switching payroll providers."
https://www.theregister.com/2025/05/16/broadcom_employee_data_stolen_by/
General News
- Cyble Detects 200 Billion Files Exposed In Cloud Buckets
"Cyble’s ODIN vulnerability search tool has detected more than 200 billion exposed files in cloud buckets across seven major cloud providers. The 200 billion exposed files reflect the sheer scale of accidental data exposure on the internet, data that’s often left publicly accessible due to misconfigurations. The files include data ranging from documents and credentials to source code and internal backups. The ODIN platform scans cloud buckets at scale and classifies exposed content using machine learning-based detection. ODIN has also detected more than 660,000 exposed buckets, in addition to more than 91 million exposed hosts. Cyble monitors and classifies these datasets to help organizations reduce their attack surface."
https://cyble.com/blog/detects-200-billion-files-exposed-in-cloud-buckets/ - Deepfake Attacks Could Cost You More Than Money
"In this Help Net Security interview, Camellia Chan, CEO at X-PHY, discusses the dangers of deepfakes in real-world incidents, including their use in financial fraud and political disinformation. She explains AI-driven defense strategies and recommends updating incident response plans and internal policies, integrating detection tools, and ensuring compliance with regulations like the EU’s DORA to mitigate liability."
https://www.helpnetsecurity.com/2025/05/16/camellia-chan-x-phy-defending-against-deepfakes/ - Cybersecurity Skills Framework Connects The Dots Between IT Job Roles And The Practical Skills Needed
"The Linux Foundation, in collaboration with OpenSSF and Linux Foundation Education, has released the Cybersecurity Skills Framework, a global reference guide that helps organizations identify and address critical cybersecurity competencies across a broad range of IT job families. “Cybersecurity is now a leadership issue, not just a technical one,” said Steve Fernandez, General Manager at OpenSSF. “Our framework gives organizations a straightforward way to identify gaps and prioritize the security skills that matter most, based on role and responsibility—not just checklists. It’s about building real-world resilience.”"
https://www.helpnetsecurity.com/2025/05/16/cybersecurity-skills-framework-linux-foundation/ - How Working In a Stressful Environment Affects Cybersecurity
"Stressful work environments don’t just erode morale, they can quietly undermine cybersecurity. When employees feel overworked, unsupported, or mistreated, their judgment and decision-making suffer. “From an organizational perspective, a toxic culture often leads to increased errors, missed threats, decreased productivity, and higher turnover rates,” said Rob Lee, Chief of Research and Head of Faculty at SANS Institute. According to CyberArk, 65% of office workers admit they’ve bypassed cybersecurity policies to stay productive. Frustration and anger can also drive impulsive behavior, including actions that intentionally or unintentionally put company systems at risk."
https://www.helpnetsecurity.com/2025/05/16/stressful-environment-cybersecurity/ - Polymorphic Phishing Attacks Flood Inboxes
"AI is transforming the phishing threat landscape at a pace many security teams are struggling to match, according to Cofense. In 2024, researchers tracked one malicious email every 42 seconds. Many of the 42-second attacks were part of polymorphic phishing attacks. Unlike traditional phishing methods, polymorphic phishing attacks rely on dynamic changes to the appearance and structure of malicious emails or links. Attackers use sophisticated algorithms to alter subject lines, sender addresses, and email content in real time, effectively bypassing static signature-based email filters."
https://www.helpnetsecurity.com/2025/05/16/polymorphic-phishing-attacks-cofense/ - Additional 12 Defendants Charged In RICO Conspiracy For Over $263 Million Cryptocurrency Thefts, Money Laundering, Home Break-Ins
"A four-count superseding indictment, unsealed today in U.S. District Court, charges 12 additional people – Americans and foreign nationals – for allegedly participating in a cyber-enabled racketeering conspiracy throughout the United States and abroad that netted them more than $263 million. Several were arrested this week in California, while two remain abroad and are believed to be living in Dubai. The superseding indictment and the arrests were announced by U.S. Attorney Jeanine Ferris Pirro, FBI Special Agent in Charge Sean Ryan of the Washington Field Office Criminal and Cyber Division, and Executive Special Agent in Charge Kareem A. Carter of the Internal Revenue Service – Criminal Investigation Washington, D.C. Field Office."
https://www.justice.gov/usao-dc/pr/additional-12-defendants-charged-rico-conspiracy-over-263-million-cryptocurrency-thefts
https://www.bleepingcomputer.com/news/security/us-charges-12-more-suspects-linked-to-230-million-crypto-theft/
https://therecord.media/feds-charge-12-suspects-in-rico-crypto-heist - AI In The Cloud: The Rising Tide Of Security And Privacy Risks
"Over half of firms adopted AI in 2024, but cloud tools like Azure OpenAI raise growing concerns over data security and privacy risks. As enterprises embrace artificial intelligence (AI) to streamline operations and accelerate decision-making, a growing number are turning to cloud-based platforms like Azure OpenAI, AWS Bedrock, and Google Bard. In 2024 alone, over half of organizations adopted AI to build custom applications. While these tools deliver clear productivity gains, they also expose businesses to complex new risks, particularly around data security and privacy."
https://securityaffairs.com/177911/uncategorized/ai-in-the-cloud-the-rising-tide-of-security-and-privacy-risks.html - Key Suspect In $190M Nomad Bridge Exploit Extradited To The United States
"Last week, Israeli authorities — acting on a request from the US Department of Justice (DOJ) — arrested and approved the extradition of an individual suspected of playing a central role in the USD 190 million exploit of Nomad Bridge in August 2022. The arrest marks a milestone in the global effort to hold accountable actors who exploit cross-chain infrastructure for financial crime. TRM Labs is proud to support Nomad and law enforcement partners in combating complex crypto-enabled threats. The suspect, Russian-Israeli dual national Alexander Gurevich, was arrested in Jerusalem by Israeli police working in coordination with the DOJ, the FBI, and Interpol. According to publicly available court filings and law enforcement statements, Morrell allegedly conspired with others to execute the exploit and launder the resulting proceeds through a sophisticated, multi-layered operation involving privacy coins, mixers, and offshore financial entities."
https://www.trmlabs.com/resources/blog/key-suspect-in-190m-nomad-bridge-exploit-extradited-to-the-united-states
https://www.bleepingcomputer.com/news/legal/israel-arrests-new-suspect-behind-nomad-bridge-190m-crypto-hack/ - Hackers Exploit VMware ESXi, Microsoft SharePoint Zero-Days At Pwn2Own
"During the second day of Pwn2Own Berlin 2025, competitors earned $435,000 after exploiting zero-day bugs in multiple products, including Microsoft SharePoint, VMware ESXi, Oracle VirtualBox, Red Hat Enterprise Linux, and Mozilla Firefox. The highlight was a successful attempt from Nguyen Hoang Thach of STARLabs SG against the VMware ESXi, which earned him $150,000 for an integer overflow exploit. Dinh Ho Anh Khoa of Viettel Cyber Security was awarded $100,000 for hacking Microsoft SharePoint by leveraging an exploit chain combining an auth bypass and an insecure deserialization flaw."
https://www.bleepingcomputer.com/news/security/hackers-exploit-vmware-esxi-microsoft-sharepoint-zero-days-at-pwn2own/
https://securityaffairs.com/177943/hacking/pwn2own-berlin-2025-day-two-researcher-earned-150k-hacking-vmware-esxi.html
https://hackread.com/pwn2own-berlin-2025-windows-11-vmware-firefox-hacked/ - LockBit Got Hacked. Again: Uncovering Insights Into The Leaked Data
"LockBit ransomware has been having a rough time over the past year. Following the heavy blow dealt by Operation Cronos, the group attempted a comeback, aiming to reclaim its previous status as one of the dominant players in the ransomware landscape. As LockBit was trying to recover, it hit another bump in the road. It didn’t take long before yet another breach of its infrastructure occurred."
https://analyst1.com/lockbit-got-hacked-again-uncovering-insights-into-the-leaked-data/
https://www.bankinfosecurity.com/lockbit-leaks-reveal-drive-to-recruit-ransomware-newbies-a-28421 - Preparing For The Post-Quantum Era: a CIO’s Guide To Securing The Future Of Encryption
"Quantum computing is on the verge of revolutionizing the technology landscape, much like AI did in 2024. By the end of 2025, quantum computing will emerge as a defining force, ushering in a new era filled with both unprecedented opportunities and significant challenges in securing digital assets. While state-of-the-art quantum computers aren’t yet capable of threatening cryptographic systems, predictions suggest the quantum computing threat could become a reality by the early 2030s. This timeline, paired with the steady advancements in this technology over the past few years, signals a rapidly approaching disruption on a global scale and a warning call that any business leader should heed."
https://cyberscoop.com/quantum-computing-cio-pqc-preparation-2025/ - How To Develop And Communicate Metrics For CSIRPs
"Security and risk management (SRM) leaders face mounting pressure from executives to ensure that security incidents are managed effectively, minimizing disruptions to enterprise performance and profitability. It's crucial to assess incident response processes in terms of quality, speed, and effort to guide improvements and show business leaders the value of these enhancements, while providing transparency."
https://www.darkreading.com/cybersecurity-operations/develop-communicate-metrics-csirps - From 60 To 4,000: NATO’s Locked Shields Reflects Cyber Defense Growth
"The NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) in Tallinn, Estonia, last week hosted the 15th edition of the Locked Shields cyber defense exercise. Roughly 4,000 experts from 41 nations took part in Locked Shields 2025, which is designed to test and improve the preparedness of cybersecurity teams in defending national systems and critical infrastructure through a realistic simulation. While today it is the world’s largest and most complex cyber defense exercise, Locked Shields had humble beginnings."
https://www.securityweek.com/from-60-to-4000-natos-locked-shields-reflects-cyber-defense-growth/ - Ex-NSA Bad-Guy Hunter Listened To Scattered Spider's Fake Help-Desk Calls: 'Those Guys Are Good'
"The call came into the help desk at a large US retailer. An employee had been locked out of their corporate accounts. But the caller wasn't actually a company employee. He was a Scattered Spider criminal trying to break into the retailer's systems - and he was really good, according to Jon DiMaggio, a former NSA analyst who now works as a chief security strategist at Analyst1. Scattered Spider is a cyber gang linked to SIM swapping, fake IT calls, and ransomware crews like ALPHV. They've breached big names like MGM and Caesars, and despite arrests, keep evolving. They're tracked by Mandiant as UNC3944, also known as Octo Tempest."
https://www.theregister.com/2025/05/18/ex_nsa_scattered_spider_call/ - Fast Flux Technique For Concealing Command And Control (C&C) And Evading Detection
"In April 2025, the U.S. National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), and Federal Bureau of Investigation (FBI) jointly released a cybersecurity advisory (Fast Flux: A National Security Threat), in which the Fast-Flux Network was again designated as a key threat. Since the technique was first detected in the Storm botnet in 2007, it has been used as a key means to hide and evade the detection of Command and Control (C2) servers in numerous malware campaigns."
https://asec.ahnlab.com/en/88008/
April 2025 Infostealer Trend Report
"This report provides statistics, trends, and case information on the distribution of Infostealer malware, including the distribution volume, methods, and disguises, based on the data collected and analyzed in April 2025. The following is a summary of the report."
https://asec.ahnlab.com/en/88062/ - April 2025 APT Group Trends
"Since November 2024, the North Korean APT group has been exploiting the vulnerability of South Korean Internet financial security software. Similar attacks have been carried out in the past, and the threat actors have been launching attacks based on their understanding of the South Korean software ecosystem."
https://asec.ahnlab.com/en/88063/
อ้างอิง
Electronic Transactions Development Agency(ETDA)
- Healthcare Cyber-Attacks Intensify, Sector Now Prime Target
-
Fortinet ออกแพตช์ช่องโหว่ Zero-Day บน FortiVoiceโพสต์ใน Cyber Security News
สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand
-
ภัยเงียบบน Android จากการโจมตีด้วยโฆษณาที่กดข้ามไม่ได้โพสต์ใน Cyber Security News
สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand
-
การใช้ประโยชน์อย่างแข็งขันของตัวอัปโหลดข้อมูลเมตา NetWeaver Visual Composer ของ SAPโพสต์ใน Cyber Security News
Cyber Security Agency of Singapore (CSA)ได้เผยแพร่เกี่ยวกับ SAP ได้ออกการอัปเดตความปลอดภัยนอกแผน (Out-of-band) เพื่อแก้ไขช่องโหว่ร้ายแรงในผลิตภัณฑ์ NetWeaver Visual Composer Metadata Uploader ขอแนะนำให้ผู้ใช้งานและผู้ดูแลระบบของผลิตภัณฑ์ที่ได้รับผลกระทบอัปเดตเป็นเวอร์ชันล่าสุดโดยทันที
อัปเดต ณ วันที่ 8 พฤษภาคม 2025
มีเครื่องมือโอเพนซอร์สที่พัฒนาโดย Onapsis และ Mandiant สำหรับช่วยให้ลูกค้า SAP ตรวจสอบการถูกโจมตีที่อาจเกี่ยวข้องกับ CVE-2025-31324 ซึ่งสามารถใช้งานได้ที่:
https://github.com/Onapsis/Onapsis-Mandiant-CVE-2025-31324-Vuln-Compromise-AssessmentSAP ได้ระบุว่าช่องโหว่นี้ (CVE-2025-31324) มีคะแนน CVSSv3.1(10 คะแนน) และกำลังถูกแฮกเกอร์ใช้โจมตีอยู่ในขณะนี้
หากถูกโจมตีสำเร็จ อาจทำให้ผู้โจมตีที่ไม่ได้รับการยืนยันตัวตนสามารถอัปโหลดไฟล์ที่เป็นอันตรายเพื่อ รันโค้ดจากระยะไกล (Remote Code Execution - RCE) ได้
ช่องโหว่นี้ส่งผลกระทบต่อ Visual Composer Framework 7.50 วิธีตรวจสอบว่าระบบของคุณมีช่องโหว่นี้หรือไม่:
ลองเข้าลิงก์นี้โดยไม่ล็อกอิน:
https://[your-sap-server]/developmentserver/metadatauploader
หากสามารถเข้าถึงได้โดยไม่ต้องกรอกชื่อผู้ใช้/รหัสผ่าน แสดงว่าระบบของคุณอาจมีความเสี่ยงคำแนะนำเร่งด่วนหากยังไม่สามารถอัปเดตได้:
- จำกัดการเข้าถึง endpoint /developmentserver/metadatauploader
- หากไม่ได้ใช้งาน Visual Composer ให้พิจารณาปิดการใช้งาน
- ส่ง log ไปยังระบบ SIEM และสแกนหาไฟล์ที่ไม่ได้รับอนุญาตในเส้นทาง servlet
ดำเนินการโดยเร็วที่สุดเพื่อความปลอดภัยของระบบ
อ้างอิง
https://www.csa.gov.sg/alerts-and-advisories/alerts/al-2025-040/สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand
-
Cyber Threat Intelligence 16 May 2025โพสต์ใน Cyber Security News
Financial Sector
- April 2025 Security Issues In Korean And Global Financial Industries
"This report comprehensively covers actual cyber threats and security issues that have occurred in financial institutions in Korea and abroad. This includes an analysis of malware and phishing cases distributed to the financial sector, the top 10 malware strains targeting the financial sector, and industry statistics of leaked Korean accounts on Telegram. A case of phishing emails distributed to the financial sector is also covered in detail."
https://asec.ahnlab.com/en/87975/
Industrial Sector
- CISA Releases Twenty-Two Industrial Control Systems Advisories
"CISA released twenty-two Industrial Control Systems (ICS) advisories on May 15, 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS."
https://www.cisa.gov/news-events/alerts/2025/05/15/cisa-releases-twenty-two-industrial-control-systems-advisories - Threat Landscape For Industrial Automation Systems. Q1 2025
"Relative stability from quarter to quarter. The percentage of ICS computers on which malicious objects were blocked remained unchanged from Q4 2024 at 21.9%. Over the last three quarters, the value has ranged from 22.0% to 21.9%. The quarterly figures are decreasing from year to year. Since Q2 2023, the percentage of ICS computers on which malicious objects were blocked has been lower than the indicator of the same quarter of the previous year. Compared to Q1 2024, the figure decreased by 2.5 pp."
https://ics-cert.kaspersky.com/publications/reports/2025/05/15/threat-landscape-for-industrial-automation-systems-q1-2025/
https://securelist.com/industrial-threat-report-q1-2025/116505/ - Critical Infrastructure Under Siege: OT Security Still Lags
"Operational technology and critical infrastructure are under attack, according to new warnings from the US federal government. Last week, the Cybersecurity and Infrastructure Security (CISA), the FBI, the Environmental Protection Agency (EPA), and the Department of Energy (DoE) warned that they were "aware of cyber incidents affecting the operational technology (OT) and industrial control systems (ICS) of critical infrastructure entities in the United States.""
https://www.darkreading.com/ics-ot-security/critical-infrastructure-ot-security-still-lags
New Tooling
- Introducing Oniux: Kernel-Level Tor Isolation For Any Linux App
"When launching privacy-critical apps and services, developers want to make sure that every packet really only goes through Tor. One mistyped proxy setting–or a single system-call outside the SOCKS wrapper–and your data is suddenly on the line. That's why today, we are excited to introduce oniux: a small command-line utility providing Tor network isolation for third-party applications using Linux namespaces. Built on Arti, and onionmasq, oniux drop-ships any Linux program into its own network namespace to route it through Tor and strips away the potential for data leaks. If your work, activism, or research demands rock-solid traffic isolation, oniux delivers it."
https://blog.torproject.org/introducing-oniux-tor-isolation-using-linux-namespaces/
https://www.bleepingcomputer.com/news/security/new-tor-oniux-tool-anonymizes-any-linux-apps-network-traffic/
Vulnerabilities
- New Chrome Vulnerability Enables Cross-Origin Data Leak Via Loader Referrer Policy
"Google on Wednesday released updates to address four security issues in its Chrome web browser, including one for which it said there exists an exploit in the wild. The high-severity vulnerability, tracked as CVE-2025-4664 (CVSS score: 4.3), has been characterized as a case of insufficient policy enforcement in a component called Loader. "Insufficient policy enforcement in Loader in Google Chrome prior to 136.0.7103.113 allowed a remote attacker to leak cross-origin data via a crafted HTML page," according to a description of the flaw."
https://thehackernews.com/2025/05/new-chrome-vulnerability-enables-cross.html
https://www.cve.org/CVERecord?id=CVE-2025-4664
https://www.bleepingcomputer.com/news/security/google-fixes-high-severity-chrome-flaw-with-public-exploit/
https://www.securityweek.com/chrome-136-update-patches-vulnerability-with-exploit-in-the-wild/ - CISA Adds Three Known Exploited Vulnerabilities To Catalog
"CISA has added three new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
CVE-2024-12987 DrayTek Vigor Routers OS Command Injection Vulnerability
CVE-2025-4664 Google Chromium Loader Insufficient Policy Enforcement Vulnerability
CVE-2025-42999 SAP NetWeaver Deserialization Vulnerability"
https://www.cisa.gov/news-events/alerts/2025/05/15/cisa-adds-three-known-exploited-vulnerabilities-catalog
Malware
- Disguised Cyber Risks On The Colombian Shore: The Insurance Trap
"scheme awaited us—a crafty operation targeting car insurance. This scam relies on fake websites to deceive users, leveraging publicly available vehicle registration numbers to add a layer of credibility. Since the beginning of 2024, we have identified over 100 fraudulent websites linked to this scheme, each crafted with guile, meticulousness, and precision to be a digital double of legitimate services and exploit unsuspecting victims. These sites represent a widespread and systematic effort to target individuals seeking damage-precautionary and mandatory vehicle insurance. The journey customers may take for a sense of security becomes the criminal means of entrapment, which starts with ads on social media platforms like Facebook."
https://www.group-ib.com/blog/colombian-cybertrap/ - Operation RoundPress
"This blogpost introduces an operation that we named RoundPress, targeting high-value webmail servers with XSS vulnerabilities, and that we assess with medium confidence is run by the Sednit cyberespionage group. The ultimate goal of this operation is to steal confidential data from specific email accounts."
https://www.welivesecurity.com/en/eset-research/operation-roundpress/
https://www.bleepingcomputer.com/news/security/government-webmail-hacked-via-xss-bugs-in-global-spy-campaign/
https://thehackernews.com/2025/05/russia-linked-apt28-exploited-mdaemon.html
https://therecord.media/kremlin-linked-hackers-target-webmail-eastern-europe-governments
https://cyberscoop.com/russia-fancy-bear-gru-ukrainian-military-contractors/
https://www.helpnetsecurity.com/2025/05/15/espionage-operation-roundpress-webmail-servers/ - FBI: US Officials Targeted In Voice Deepfake Attacks Since April
"The FBI warned that cybercriminals using AI-generated audio deepfakes to target U.S. officials in voice phishing attacks that started in April. This warning is part of a public service announcement issued on Thursday that also provides mitigation measures to help the public spot and block attacks using audio deepfakes (also known as voice deepfakes). "Since April 2025, malicious actors have impersonated senior US officials to target individuals, many of whom are current or former senior US federal or state government officials and their contacts. If you receive a message claiming to be from a senior US official, do not assume it is authentic," the FBI warned."
https://www.bleepingcomputer.com/news/security/fbi-us-officials-targeted-in-voice-deepfake-attacks-since-april/
https://www.ic3.gov/Media/News/2021/210310-2.pdf
https://cyberscoop.com/fbi-warns-of-ai-deepfake-phishing-impersonating-government-officials/ - Sophisticated NPM Attack Leveraging Unicode Steganography And Google Calendar C2
"Our security monitoring systems recently flagged a suspicious npm package, os-info-checker-es6, which represents a sophisticated and evolving threat within the npm ecosystem. What initially appeared as a simple OS information utility quickly unraveled into a sophisticated multi-stage malware attack. This campaign employs clever Unicode-based steganography to hide its initial malicious code and utilizes a Google Calendar event short link as a dynamic dropper for its final payload."
https://www.veracode.com/resources/sophisticated-npm-attack-leveraging-unicode-steganography-and-google-calendar-c2
https://thehackernews.com/2025/05/malicious-npm-package-leverages-unicode.html
https://www.bleepingcomputer.com/news/security/malicious-npm-package-uses-unicode-steganography-to-evade-detection/ - Phishing Campaign Mimics Email Quarantine Notifications: 32,000 Emails Target 6,358 Customers
"In a recent discovery, Check Point researchers have identified a large-scale phishing campaign that exploits the guise of email quarantine notifications. This campaign, consisting of 32,000 emails, has targeted 6,358 customers across various regions. The primary objective of the attackers is to deceive recipients into providing their login credentials through a fake login page."
https://blog.checkpoint.com/securing-user-and-access/phishing-campaign-mimics-email-quarantine-notifications-32000-emails-target-6358-customers/ - Fileless Execution: PowerShell Based Shellcode Loader Executes Remcos RAT
"Cybercriminals are progressively turning PowerShell to launch stealthy attacks that evade traditional antivirus and endpoint defenses. By running code directly in memory, these threats leave minimal evidence on disk, making them particularly challenging to detect. A recent example is Remcos RAT, a well-known remote access trojan recognized for its persistence and stealth. It provides attackers with full control over compromised systems, making it a preferred go-to tool for cyber espionage and data theft. In a recent campaign, threat actors delivered malicious LNK files embedded within ZIP archives, often disguised as Office documents. The attack chain leverages mshta.exe for proxy execution during the initial stage. Unconfirmed reports suggest this new sample is named “K-Loader,” although no conclusive findings have been made."
https://blog.qualys.com/vulnerabilities-threat-research/2025/05/15/fileless-execution-powershell-based-shellcode-loader-executes-remcos-rat
https://hackread.com/fileless-remcos-rat-attack-antivirus-powershell-scripts/
https://www.infosecurity-magazine.com/news/powershell-loader-deploys-remcos/ - Detecting FrigidStealer Malware With Wazuh
"FrigidStealer is an information-stealing malware that emerged in January 2025. It targets macOS endpoints to steal sensitive user data through deceptive tactics. Unlike traditional malware, FrigidStealer exploits user trust in routine software updates, making it particularly insidious. As a significant threat, it underscores the need for extended security measures on macOS endpoints. The malware’s financial motivations, potentially linked to the EvilCorp syndicate, underscore its threat to both individual users and enterprises, with stolen data including credentials and cryptocurrency wallets posing risks of identity theft and financial fraud. In this blog post, we explore the behavior of FrigidStealer and demonstrate how Wazuh, an open source SIEM and XDR platform, can be configured to detect this threat."
https://wazuh.com/blog/detecting-frigidstealer-malware-with-wazuh/
https://hackread.com/frigidstealer-malware-macos-fake-safari-browser-update/
Breaches/Hacks/Leaks
- Coinbase Data Breach Exposes Customer Info And Government IDs
"Coinbase, a cryptocurrency exchange with over 100 million customers, has disclosed that cybercriminals working with rogue support agents stole customer data and demanded a $20 million ransom not to publish the stolen information. The company said it would not pay the ransom but would establish a $20 million reward fund for any leads that could help find the attackers who coordinated this attack. The disclosure comes after the criminals behind the breach emailed Coinbase on May 11, demanding a $20 million ransom to prevent public disclosure of stolen information about certain customer accounts and internal documentation."
https://www.bleepingcomputer.com/news/security/coinbase-discloses-breach-faces-up-to-400-million-in-losses/
https://thehackernews.com/2025/05/coinbase-agents-bribed-data-of-1-users.html
https://therecord.media/coinbase-extortion-attempt-company-offers-20million-reward
https://www.securityweek.com/coinbase-rejects-20m-ransom-after-rogue-contractors-bribed-to-leak-customer-data/
https://hackread.com/coinbase-customer-info-stolen-bribed-overseas-agents/
https://www.helpnetsecurity.com/2025/05/15/coinbase-suffers-data-breach-gets-extorted/
https://www.infosecurity-magazine.com/news/coinbase-offers-20m-bounty/
https://securityaffairs.com/177878/cyber-crime/coinbase-disclosed-a-data-breach-after-an-extortion-attempt.html
https://www.theregister.com/2025/05/15/coinbase_extorted_for_20m_support/ - Attack Claimed By Pro-Ukraine Hackers Reportedly Erases a Third Of Russian Court Case Archive
"A cyberattack on Russia's national case management and electronic court filing system wiped out about a third of its case archive, according to a report by the Russian Audit Chamber. The system, known as “Pravosudiye” (meaning “justice” in Russian), was hacked last October and was down for a month, disrupting the operation of Russian court websites, communication networks, and email services. The attack was claimed by the pro-Ukraine hacking group BO Team, which has previously collaborated with Ukrainian military intelligence in operations against Russian entities. Ukrainian authorities have not publicly confirmed any official military intelligence participation in this incident."
https://therecord.media/russia-court-system-hack-third-of-case-files-deleted
General News
- Building Cybersecurity Culture In Science-Driven Organizations
"In this Help Net Security interview, Anne Sofie Roed Rasmussen, CISO at Novonesis, discusses how a science-driven organization approaches cybersecurity, aligning innovation with protection, measuring cultural progress, managing shadow IT, and earning trust from scientific leaders."
https://www.helpnetsecurity.com/2025/05/15/anne-sofie-roed-rasmussen-novonesis-science-driven-organization-cybersecurity/ - New Blockchain Security Standards Target Safer Ecosystems
"The Blockchain Security Standards Council (BSSC) launched its first four security standards, marking a significant milestone in the journey towards a more secure and trustworthy blockchain ecosystem. These standards are designed to address critical aspects of blockchain security, elevating trust in digital assets and confidence in blockchain networks."
https://www.helpnetsecurity.com/2025/05/15/new-blockchain-security-standards/
https://blockchain-ssc-9943b9b517-dd2be16b8b7bb.webflow.io/standards - #Infosec2025: Ransomware Enters ‘Post-Trust Ecosystem,’ NCA Cyber Expert Says
"The ransomware landscape has entered a “post-trust ecosystem,” where fragmented and increasingly mistrustful cybercrime groups operate in a climate of heightened law enforcement scrutiny, according to William Lyne of the UK’s National Crime Agency (NCA). The result is a more unpredictable and potentially more perilous threat environment for organizations worldwide. In recent years, a series of high-profile law enforcement takedowns has disrupted some of the most notorious ransomware groups. Now the dust is settling and a cybercrime landscape that's more splintered than ever is emerging."
https://www.infosecurity-magazine.com/news/ransomware-enters-posttrust/ - Here's What We Know About The DragonForce Ransomware That Hit Marks & Spencer
"DragonForce, a new-ish ransomware-as-a-service operation, has given organizations another cyber threat to worry about — unless they’re in Russia, which is off limits to the would-be extortionists. The gang started operations in August 2023 but its ransomware didn't gain much traction until the following year, when DragonForce operators began advertising for affiliates on dark web forums. The gang has since claimed many victims and drawn the attention of the FBI, which found it was one of 2024’s most prolific ransomware sources."
https://www.theregister.com/2025/05/15/dragonforce_ransomware_uk_retail_attacks/ - Fraud Losses Hit $11m Per Company As Customer Abuse Soars
"Online merchants lost an average of nearly $11m each to fraud last year, with the risk from first-party fraud growing significantly, according to Ravelin. The London-headquartered fraud prevention firm surveyed 1466 global fraud and payments professionals in the retail, travel & hospitality, digital goods, and marketplaces sectors to produce its Global Fraud Trends 2025 report. It found that 77% of respondents recorded a rise in the volume of fraud over the past year, with marketplaces hit particularly hard, and 64% expect it to increase in the coming 12 months."
https://www.infosecurity-magazine.com/news/fraud-losses-11m-customer-abuse/ - Windows 11 And Red Hat Linux Hacked On First Day Of Pwn2Own
"On the first day of Pwn2Own Berlin 2025, security researchers were awarded $260,000 after successfully demonstrating zero-day exploits for Windows 11, Red Hat Linux, and Oracle VirtualBox. Red Hat Enterprise Linux for Workstations was the first to fall in the local privilege escalation category after DEVCORE Research Team's Pumpkin exploited an integer overflow vulnerability to earn $20,000. Hyunwoo Kim and Wongi Lee also got root on a Red Hat Linux device by chaining a use-after-free and an information leak, but one of the exploited flaws was an N-day, which led to a bug collision."
https://www.bleepingcomputer.com/news/security/windows-11-and-red-hat-linux-virtualbox-hacked-on-first-day-of-pwn2own/ - Beyond The Kill Chain: What Cybercriminals Do With Their Money (Part 1)
"You’re having a day off work. You wake up and enjoy some breakfast: toast with honey. You relax in your apartment, and go online. You see some internet ads, do a bit of shopping (perhaps ordering a pair of discounted sneakers), have a quick look on a dating site, see if there’s any new real estate in your area, think about applying for an online education course, and search for a plumber to fix that dripping tap in the kitchen. You head out to a sandwich bar for lunch and grab a coffee, before dropping off some laundry at the dry cleaners and getting the screen fixed on your mobile phone. In the evening, you visit a new restaurant with some friends, and treat yourself to an ice cream afterward, before getting a taxi home."
https://news.sophos.com/en-us/2025/05/15/beyond-the-kill-chain-what-cybercriminals-do-with-their-money-part-1/
https://cyberscoop.com/what-cybercriminals-do-with-their-money-sophos/ - Cyber-Risk Calculator Takes The Guesswork Out Of Assessment
"Organizations need to understand their risk profiles to implement more proactive security measures as attacks increase in both number and severity, but that measuring cyber risk can be difficult because there are so many variables to account for. Assessments depend on several evolving variables, such as an organization's number of employees, financial records or personally identifiable information (PII), security controls already in place, and threats that pose the highest risk. Is it ransomware that will encrypt critical systems, or is it business email compromise that can quickly drain financial accounts?"
https://www.darkreading.com/cyber-risk/calculator-guesswork-measure-cyber-risk - International Crackdown Dismantles Multimillion-Euro Investment Scam
"An organised crime group responsible for defrauding more than 100 victims of over EUR 3 million through a fake online investment platform has been dismantled following an international law enforcement operation. The investigation, led by German authorities and supported by Europol and Eurojust, saw coordinated actions in Albania, Cyprus and Israel, resulting in the dismantling of the criminal group and the arrest of a suspect in Cyprus."
https://www.europol.europa.eu/media-press/newsroom/news/international-crackdown-dismantles-multimillion-euro-investment-scam
https://hackread.com/police-shut-down-fake-trading-platform-scammed-users/ - New Linux Vulnerabilities Surge 967% In a Year
"The number of newly discovered Linux and macOS vulnerabilities increased dramatically in 2024, according to new analysis from Action1. The cybersecurity vendor’s 2025 Software Vulnerability Ratings Report is based on in-depth analysis of the National Vulnerability Database (NVD) and SecurityScorecard’s CVEdetails.com site. By its reckoning, the total number of vulnerabilities discovered in 2024 rose by 61% annually to 6761, with Linux bugs increasing by an “unprecedented” 967% to 3329 for the year. Vulnerabilities in the macOS platform also recorded a significant annual surge, of 95%, to reach 508 in total."
https://www.infosecurity-magazine.com/news/new-linux-vulnerabilities-surge/ - "Endemic" Ransomware Prompts NHS To Demand Supplier Action On Cybersecurity
"England’s National Health Service (NHS) has urged its suppliers to commit to strong cybersecurity practices amid increased cyber threats to patients and services. The voluntary cybersecurity charter aims to better protect the NHS from growing cyber threats via its supply chain, including ransomware. The open letter to current and prospective NHS suppliers noted that the ransomware threat is “endemic.” “We have experienced several significant ransomware attacks on our supply chain in recent years,” it read."
https://www.infosecurity-magazine.com/news/endemic-ransomware-nhs-supplier/ - How An Alleged Russian Hacker Slipped Away
"On Jan. 5, 2024, Андрей Владимирович Тарасов (Eng. Andrei Vladimirovich Tarasov), a 33-year-old Russian man, was released from Moabit Prison in Berlin. He’d been held there for about six months. Originally from Russia, he’d been living in Berlin when police arrested him July 18, 2023, related to computer crime charges in the U.S. Tarasov was indicted by a grand jury in New Jersey in June 2023 along with Maksim Silnikau, Belarusian and Ukrainian dual national, and Volodymyr Kadariya of Belarus. They were charged with conspiracy to commit wire fraud, conspiracy to commit computer fraud and abuse and two counts of wire fraud. The indictment alleges the three men ran an expansive scheme from October 2013 through March 2022 to infect computers with malware via fake advertisements, or malvertisements, and then sell the stolen data and access. The computers were attacked using a potent tool called the Angler exploit kit, which was designed to quickly probe a computer for vulnerabilities and then silently deliver malware. This scheme was believed to have been used to attack millions of computers worldwide."
https://intel471.com/blog/how-an-alleged-russian-hacker-slipped-away
https://www.securityweek.com/andrei-tarasov-inside-the-journey-of-a-russian-hacker-on-the-fbis-most-wanted-list/ - Stop Imagining Threats, Start Mitigating Them: A Practical Guide To Threat Modeling
"When building a software-intensive system, a key part in creating a secure and robust solution is to develop a cyber threat model. This is a model that expresses who might be interested in attacking your system, what effects they might want to achieve, when and where attacks could manifest, and how attackers might go about accessing the system. Threat models are important because they guide requirements, system design, and operational choices. Effects can include, for example, compromise of confidential information, modification of information contained in the system, and disruption of operations. There are diverse purposes for achieving these kinds of effects, ranging from espionage to ransomware."
https://insights.sei.cmu.edu/blog/stop-imagining-threats-start-mitigating-them-a-practical-guide-to-threat-modeling/ - Snowflake CISO On The Power Of 'shared Destiny' And 'yes And'
"Being the chief information security officer at Snowflake is never an easy job, but last spring it was especially challenging. In May 2024, some of the cloud storage and data analytics firm's major customers, including Ticketmaster and banking giant Santander, disclosed significant data breaches. Attackers, the companies reported, had accessed their Snowflake-hosted environments and exfiltrated terabytes of data affecting hundreds of millions of individuals."
https://www.theregister.com/2025/05/15/snowflake_ciso_interview/ - April 2025 Deep Web And Dark Web Trends Report
"This trend report on the deep web and dark web of March 2025 is sectioned into Ransomware, Data Breach, DarkWeb, CyberAttack, and Threat Actor. Please note that there are some parts of the content that cannot be verified for ac"
https://asec.ahnlab.com/en/87974/ - RaaS Explained: How Cybercriminals Are Scaling Attacks Like Startups
"There is a lot of money in cyberattacks like ransomware, and unfortunately for organizations of all sizes, the cybercrime business is booming. Ransomware has come a long way since the days of using floppy disks at health conventions to spread malicious files. Now, this previously rare endeavour has become a thriving business in the form of Ransomware-as-a-Service (RaaS), which involves hackers selling ransomware kits to others. But it’s not all doom and gloom. Businesses are successfully fighting back, with better IT management and incident readiness, which involves proactive approaches to identify vulnerabilities to fix them before attacks happen."
https://hackread.com/raas-explained-cybercriminals-scaling-attacks-startups/
อ้างอิง
Electronic Transactions Development Agency(ETDA)
- April 2025 Security Issues In Korean And Global Financial Industries
-
Adobe ปล่อยแพตช์แก้ไขช่องโหว่กว่า 39 รายการในหลายผลิตภัณฑ์โพสต์ใน Cyber Security News
สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand
-
Ivanti ออกแพตช์แก้ไขช่องโหว่ร้ายแรงในระบบ EPMM หวั่นโจมตีแบบ Remote Code Executionโพสต์ใน Cyber Security News
สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand
-
Cyber Threat Intelligence 15 May 2025โพสต์ใน Cyber Security News
Energy Sector
- Insight: Rogue Communication Devices Found In Chinese Solar Power Inverters
"U.S. energy officials are reassessing the risk posed by Chinese-made devices that play a critical role in renewable energy infrastructure after unexplained communication equipment was found inside some of them, two people familiar with the matter said. Power inverters, which are predominantly produced in China, are used throughout the world to connect solar panels and wind turbines to electricity grids. They are also found in batteries, heat pumps and electric vehicle chargers."
https://www.reuters.com/sustainability/climate-energy/ghost-machine-rogue-communication-devices-found-chinese-inverters-2025-05-14/
https://www.bangkokpost.com/world/3025432/ghost-in-the-machine-rogue-communication-devices-found-in-chinese-inverters
Industrial Sector
- ICS Patch Tuesday: Vulnerabilities Addressed By Siemens, Schneider, Phoenix Contact
"Industrial giants Siemens, Schneider Electric and Phoenix Contact have released ICS security advisories on the May 2025 Patch Tuesday. The cybersecurity agencies CISA and CERT@VDE have also published advisories. While most of the vulnerabilities described in the advisories have been patched, only mitigations and workarounds are currently available for some of the flaws. Siemens has published 18 new advisories, including four that cover critical-severity vulnerabilities. One of them describes an authentication bypass issue in the Redfish interface of the BMC controller used by Simatic industrial PCs. The flaw was disclosed by firmware security company Eclypsium in March."
https://www.securityweek.com/ics-patch-tuesday-vulnerabilities-addressed-by-siemens-schneider-phoenix-contact/
New Tooling
- Cerbos: Open-Source, Scalable Authorization Solution
"Cerbos is an open-source solution designed to simplify and modernize access control for cloud-native, microservice-based applications. Instead of hardcoding authorization logic into your application, Cerbos lets you write flexible, context-aware access policies using a YAML syntax. These policies are managed separately from your app and evaluated via simple API requests to Cerbos’ Policy Decision Point (PDP)."
https://www.helpnetsecurity.com/2025/05/14/cerbos-open-source-scalable-authorization-solution/
https://github.com/cerbos/cerbos
Vulnerabilities
- Samsung Patches CVE-2025-4632 Used To Deploy Mirai Botnet Via MagicINFO 9 Exploit
"Samsung has released software updates to address a critical security flaw in MagicINFO 9 Server that has been actively exploited in the wild. The vulnerability, tracked as CVE-2025-4632 (CVSS score: 9.8), has been described as a path traversal flaw. "Improper limitation of a pathname to a restricted directory vulnerability in Samsung MagicINFO 9 Server version before 21.1052 allows attackers to write arbitrary files as system authority," according to an advisory for the flaw."
https://thehackernews.com/2025/05/samsung-patches-cve-2025-4632-used-to.html
https://www.cve.org/CVERecord?id=CVE-2025-4632
https://www.huntress.com/blog/post-exploitation-activities-observed-from-samsung-magicinfo-9-server-flaw - Vulnerabilities Patched By Juniper, VMware And Zoom
"Juniper Networks, VMware, and Zoom have published a total of ten security advisories describing dozens of vulnerabilities patched across their product portfolios. Juniper on Tuesday announced fixes for nearly 90 bugs in third-party dependencies in Secure Analytics, the virtual appliance that collects security events from network devices, endpoints, and applications. Patches for these issues, most of which were disclosed last year, were included in Secure Analytics version 7.5.0 UP11 IF03. Some of the flaws are dated 2016, 2019, and 2020, and three of them are rated ‘critical severity’."
https://www.securityweek.com/vulnerabilities-patched-by-juniper-vmware-and-zoom/ - CISA Adds One Known Exploited Vulnerability To Catalog
"CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
CVE-2025-32756 Fortinet Multiple Products Stack-Based Buffer Overflow Vulnerability"
https://www.cisa.gov/news-events/alerts/2025/05/14/cisa-adds-one-known-exploited-vulnerability-catalog - Chipmaker Patch Tuesday: Intel, AMD, Arm Respond To New CPU Attacks
"Chip giants Intel, AMD and Arm each published Patch Tuesday security advisories to inform customers about vulnerabilities found recently in their products, including ones related to newly disclosed CPU attacks. One of the CPU attacks was disclosed this week by researchers at Swiss university ETH Zurich. The researchers discovered a branch privilege injection issue, tracked as CVE-2024-45332, that they claim “brings back the full might of branch target injection attacks (Spectre-BTI) on Intel”. The researchers claim that while Intel’s Spectre-BTI (aka Spectre v2) mitigations have worked for nearly six years, they have now found a way to break them due to a race condition impacting Intel CPUs."
https://www.securityweek.com/chipmaker-patch-tuesday-intel-amd-arm-respond-to-new-cpu-attacks/
Malware
-
Hackers Behind UK Retail Attacks Now Targeting US Companies
"Google warned today that hackers using Scattered Spider tactics against retail chains in the United Kingdom have also started targeting retailers in the United States. "The US retail sector is currently being targeted in ransomware and extortion operations that we suspect are linked to UNC3944, also known as Scattered Spider," John Hultquist, Chief Analyst at Google Threat Intelligence Group, told BleepingComputer. "The actor, which has reportedly targeted retail in the UK following a long hiatus, has a history of focusing their efforts on a single sector at a time, and we anticipate they will continue to target the sector in the near term. US retailers should take note.""
https://www.bleepingcomputer.com/news/security/google-scattered-spider-switches-targets-to-us-retail-chains/ -
**https://therecord.media/scattered-spider-suspected-retail-hackers-google-alert
-
Ransomware Gangs Join Ongoing SAP NetWeaver Attacks**
"Ransomware gangs have joined ongoing SAP NetWeaver attacks, exploiting a maximum-severity vulnerability that allows threat actors to gain remote code execution on vulnerable servers. SAP released emergency patches on April 24 to address this NetWeaver Visual Composer unauthenticated file upload security flaw (CVE-2025-31324), days after it was first tagged by cybersecurity company ReliaQuest as targeted in the wild. Successful exploitation lets threat actors upload malicious files without requiring login credentials, potentially leading to complete system compromise."
https://www.bleepingcomputer.com/news/security/ransomware-gangs-join-ongoing-sap-netweaver-attacks/
https://thehackernews.com/2025/05/bianlian-and-ransomexx-exploit-sap.html -
North Korea’s Hidden IT Workforce Exposed In New Report
"A cybersecurity firm is shedding light on how North Korea built an international cybercrime scheme involving fake information technology workers hired by major global businesses that siphon money to the Hermit kingdom and help fund its military ambitions. A report from DTEX shows that North Korean operatives, driven by survival rather than ideology, are trained from childhood to become military cyber agents or covert IT contractors. Researchers identified two operatives living in Russia using the falsified identities "Naoki Murano" and "Jenson Collins," each suspected of infiltrating Western firms and linked to a $6 million cryptocurrency heist."
https://www.bankinfosecurity.com/north-koreas-hidden-workforce-exposed-in-new-report-a-28401
https://dd80b675424c132b90b3-e48385e382d2e5d17821a5e1d8e4c86b.ssl.cf1.rackcdn.com/external/dtex-exposingdprkcybersyndicateandhiddenitworkforce.pdf -
Excel(ent) Obfuscation: Regex Gone Rogue
"Microsoft Office-based attacks have long been a favored tactic amongst cybercriminals— and for good reason. Attackers frequently use Office documents in cyberattacks because they are widely trusted. These files, such as Word or Excel docs, are commonly exchanged in business and personal settings. They are also capable of carrying hidden malicious code, embedded macros, and external links that execute code when opened, especially if users are tricked into enabling features like macros. Moreover, Office documents support advanced techniques like remote template injection, obfuscated macros, and legacy features like Excel 4.0 macros. These allow attackers to bypass antivirus detection and trigger multi-stage payloads such as ransomware or information-stealing malware."
https://www.deepinstinct.com/blog/excellent-obfuscation-regex-gone-rogue -
Diving Into The Talent Pool – Threat Actors Target Job Seekers With Complex Recruitment Scams
"Are you in the market for a new job? Talent scouts aren’t the only ones aggressively recruiting. Netcraft has observed a recent spike in recruitment scams, uncovering significant impact from three unique adversaries, each leveraging different tactics to target job seekers:"
https://www.netcraft.com/blog/diving-into-the-talent-pool-threat-actors-target-job-seekers-with-complex-recruitment-scams/
https://hackread.com/job-seekers-targeted-scammers-government-whatsapp/ -
Sit, Fetch, Steal - Chihuahua Stealer: A New Breed Of Infostealer
"Chihuahua Stealer is a newly discovered .NET-based infostealer that blends common malware techniques with unusually advanced features. It first came to our attention through a Reddit post made on April 9, where a user shared an obfuscated PowerShell script, they were tricked into executing via a Google Drive document. If this sounds vaguely familiar: You are not wrong - we have seen similar things in a fake recruiting campaign, and we also wrote about this. The script uses multi-stage payloads, achieving persistence through scheduled tasks and leading to the execution of the main stealer payload. This blog article breaks down each stage of the attack chain, beginning with the initial delivery method and ending in encrypted data exfiltration."
https://www.gdatasoftware.com/blog/2025/05/38199-chihuahua-infostealer
https://www.infosecurity-magazine.com/news/chihuahua-stealer-browser-crypto/ -
Technical Analysis Of TransferLoader
"Zscaler ThreatLabz has identified a new malware loader that we have named TransferLoader, which has been active since at least February 2025. ThreatLabz has identified three different components (a downloader, a backdoor, and a specialized loader for the backdoor) embedded in TransferLoader binaries. In addition, ThreatLabz has observed TransferLoader being used to deliver Morpheus ransomware. All components of TransferLoader share similarities including various anti-analysis techniques and code obfuscation."
https://www.zscaler.com/blogs/security-research/technical-analysis-transferloader -
The SOC Case Files: Python-Armed Ransomware Gang Reemerges To Face a Wall Of XDR Defenses
"Barracuda’s Managed XDR team recently contained a suspected ransomware attack where the attackers had gained access to a company’s network before it installed XDR, compromising several Windows machines and an administrator account. By the time the attackers returned to complete the attack, a suite of Barracuda Managed XDR solutions was in place — able to track, contain and neutralize the attack."
https://blog.barracuda.com/2025/05/14/soc-case-files-python-armed-ransomware-gang-reemerges -
Xinbi: The $8 Billion Colorado-Incorporated Marketplace For Pig-Butchering Scammers And North Korean Hackers
"Some of the earliest large-scale adopters of cryptocurrency were illicit online marketplaces such as the Silk Road and Alphabay. These darknet markets were accessed through Tor, the anonymous web browser. More recently, illicit marketplaces have transitioned to operating through the instant messaging app Telegram, which provides access to over a billion potential customers. In July 2024 Elliptic exposed one such Telegram-based market, known as Huione Guarantee, which sells goods and services to fraudsters in South East Asia, including those responsible for so-called “pig butchering” scams. Merchants on Huione Guarantee sell the key tools needed to perpetrate online fraud, including technology, personal data and money laundering services. With transactions totaling at least $27 billion (all in Tether’s USDT stablecoin), it is the largest illicit online marketplace to have ever operated."
https://www.elliptic.co/blog/xinbi-guarantee
https://thehackernews.com/2025/05/xinbi-telegram-market-tied-to-84b-in.html -
Meta Mirage
"Meta Mirage is a global phishing campaign targeting Meta Business Suite users with the intent to compromise high-value assets like verified brand pages, ad accounts, and administrator access. Unlike generic scams, this operation simulates Meta’s interface using over 14,000 phishing URLs and 24+ custom templates. Many of these phishing URLs are hosted on trusted cloud platforms such as GitHub Pages and Vercel, adding a layer of false legitimacy to the attacks. By combining fake policy violation alerts, session hijacking techniques, and third-party exfiltration services, Meta Mirage reflects a sophisticated abuse of trust at scale. This makes the campaign a serious threat to digital brand owners and businesses, as it manipulates victims into revealing critical credentials and session data."
https://www.ctm360.com/reports/meta-mirage-report
https://thehackernews.com/2025/05/ctm360-identifies-surge-in-phishing.html -
DarkCloud Stealer: Comprehensive Analysis Of a New Attack Chain That Employs AutoIt
"In January 2025, Unit 42 researchers identified a series of attacks distributing DarkCloud Stealer. The latest attack chain incorporated AutoIt to evade detection and used a file-sharing server to host the malware. This article explores the chain of events from these recent campaigns and analyzes the characteristics of these attacks. DarkCloud employs multi-stage payloads and obfuscated AutoIt scripting, making its detection challenging with traditional signature-based methods. Its ability to extract sensitive data and establish command and control (C2) communications highlights the importance of thorough detection and assessment."
https://unit42.paloaltonetworks.com/darkcloud-stealer-and-obfuscated-autoit-scripting/ -
Unveiling Swan Vector APT Targeting Taiwan And Japan With Varied DLL Implants
"Seqrite Labs APT-Team has recently uncovered a campaign which we have termed as Swan Vector, that has been targeting the nations across the East China sea such as Taiwan and Japan. The campaign is aimed at educational institutes and mechanical engineering industry with lures aiming to deliver fake resume of candidates which acts as a decoy. The entire malware ecosystem involved in this campaign comprises a total of four stages, the first being one being a malicious LNK, the second stage involves the shortcut file executing DLL implant Pterois via a very well-known LOLBin. It uses stealthy methods to execute and download the third stage containing multiple files including legitimate Windows executable that is further used to execute another implant Isurus via DLL-Sideloading. This further executes the fourth stage that is the malicious Cobalt Strike shellcode downloaded by Pterois."
https://www.seqrite.com/blog/swan-vector-apt-targeting-taiwan-japan-dll-implants/ -
Breaches/Hacks/Leaks
-
Australian Human Rights Commission Leaks Docs To Search Engines
"The Australian Human Rights Commission (AHRC) disclosed a data breach incident where private documents leaked online and were indexed by major search engines. Many of the hundreds of documents exposed online contained private, sensitive information, like names, contact information, health details, schooling, religion, employment info, and photographs. AHRC is an independent statutory body established by the Australian Government, with the primary role of promoting and protecting human rights in the country."
https://www.bleepingcomputer.com/news/security/australian-human-rights-commission-leaks-docs-to-search-engines/ -
Steel Giant Nucor Corporation Facing Disruptions After Cyberattack
"A cybersecurity incident on Nucor Corporation's systems, the largest steel producer in the U.S., forced the company to take offline parts of its networks and implement containment measures. The incident caused the company to temporarily suspend production at multiple locations, although the full impact on Nucor’s business remains unclear. Nucor is a major steel producer in the U.S. and scrap recycler in the North America. It is a primary supplier of reinforcing bar that is used extensively in the country’s buildings, bridges, roads, and infrastructure."
https://www.bleepingcomputer.com/news/security/steel-giant-nucor-corporation-facing-disruptions-after-cyberattack/
https://therecord.media/cyber-incident-forces-nucor-steel-to-take-systems-offline
https://www.theregister.com/2025/05/14/nucor_steel_attack/ -
Fashion Giant Dior Discloses Cyberattack, Warns Of Data Breach
"House of Dior, the French luxury fashion brand commonly referred to as Dior, has disclosed a cybersecurity incident that has exposed customer information. A spokesperson for the firm told BleepingComputer that the incident impacts Dior Fashion and Accessories customers. Currently, cybersecurity experts are investigating the incident to determine its scope. “The House of Dior recently discovered that an unauthorized external party accessed some of the data we hold for our Dior Fashion and Accessories customers,” stated the spokesperson."
https://www.bleepingcomputer.com/news/security/fashion-giant-dior-discloses-cyberattack-warns-of-data-breach/ -
Nova Scotia Power Says Customer Banking Details May Have Been Stolen By Hackers
"Nova Scotia’s largest electric utility said Wednesday that hackers stole sensitive information from customers in a recent cyberattack. Nova Scotia Power and its Halifax-based parent company Emera discovered on April 25 that an intruder had gained access to parts of its network, prompting the companies to isolate the affected servers. In an update on Wednesday, Nova Scotia Power said it is still investigating the incident and working to rebuild “impacted systems.” It determined that on March 19, more than a month before discovering the intrusion, customer information was accessed and stolen."
https://therecord.media/nova-scotia-power-data-breach-notice -
Alabama State Government Says Cyber Incident’s Effects Are Limited, But Response Continues
"Alabama’s technology office says a “cybersecurity event” first discovered May 9 has not caused major disruptions to state services, but incident responders are still working around the clock to contain its effects. In an update posted Tuesday, the Office of Information Technology (OIT) said it has called in two incident response teams from third-party firms, “maintaining 24 hours-a-day, 7 days-a-week mitigation activities as technical specialists work extended shifts to ensure a continuous, uninterrupted response to this event.”"
https://therecord.media/alabama-state-government-cyber-incident
General News
- Insider Risk Management Needs a Human Strategy
"Insider risk is not just about bad actors. Most of the time, it’s about mistakes. Someone sends a sensitive file to the wrong address, or uploads a document to their personal cloud to work from home. In many cases, there is no ill intent, since many insider incidents are caused by negligence, not malice. Still, malicious insiders can be devastating. Some steal intellectual property, others are bribed or pressured by outside groups to plant ransomware, exfiltrate trade secrets, or shut down operations. The impact of insider risk is being felt across an organization and is no longer limited to the cybersecurity team. 86% say an insider event would impact company culture, according to Code42."
https://www.helpnetsecurity.com/2025/05/14/insider-risk-management-human-strategy/ - Ransomware Spreads Faster, Not Smarter
"The fall of two of the most dominant ransomware syndicates, LockBit and AlphV, triggered a power vacuum across the cybercriminal landscape, acccording to a Black Kite survey. In their place, dozens of new actors emerged, many of them lacking the infrastructure, discipline, or credibility of their predecessors. The result was a surge in attack volume, a decline in coordination, and growing unpredictability in how, where, and why attacks occur."
https://www.helpnetsecurity.com/2025/05/14/ransomware-landscape-shift-2025/ - April 2025 Threat Trend Report On Ransomware
"This report provides statistics on the number of new ransomware samples collected, the number of affected systems, and affected companies in April 2025, as well as key ransomware issues in and out of Korea. Below is a summary of the report. Disclaimer: The number of ransomware samples and damaged systems is based on the detection names assigned by AhnLab, and statistics on targeted companies are based on the information published on the dedicated leak sites (DLS) of the ransomware group, also referred to as ransomware PR sites or PR pages, collected by the ATIP infrastructure over time."
https://asec.ahnlab.com/en/87946/ - April 2025 Threat Trend Report On APT Attacks (South Korea)
"AhnLab is monitoring Advanced Persistent Threat (APT) attacks in South Korea using its own infrastructure. This report covers the classification, statistics, and functions of APT attacks detected in South Korea over the course of one month in April 2025."
https://asec.ahnlab.com/en/87945/ - Southwest Airlines CISO On Tackling Cyber Risks In The Aviation Industry
"In this Help Net Security interview, Carrie Mills, VP and CISO, Southwest Airlines talks about the cybersecurity challenges facing the aviation industry. She explains how being part of critical infrastructure, a major consumer brand, and an airline each brings its own set of security issues."
https://www.helpnetsecurity.com/2025/05/14/carrie-mills-southwest-airlines-aviation-industry-cybersecurity-challenges/ - Ransomware Scum Have Put a Target On The No Man's Land Between IT And Operations
"Criminals who attempt to damage critical infrastructure are increasingly targeting the systems that sit between IT and operational tech. These in-between systems are no man's land, according to Tim Conway, the technical director of SANS Institute industrial control systems (ICS) programs. They're not classic IT systems that run core business applications, or operational tech (OT) that drives heavy industrial infrastructure. In the case of a petroleum pipeline, middle systems live in the facilities that store and distribute fuel, and separate home heating oil from gasoline, diesel, and jet fuel."
https://www.theregister.com/2025/05/14/ransomware_targets_middle_systems_sans/ - Kosovo Extradites BlackDB Admin To Face US Cybercrime Charges
"A Kosovo national has been extradited to the United States to face charges of running an online cybercrime marketplace active since 2018. Kosovar authorities arrested the 33-year-old Liridon Masurica (also known as @blackdb) on December 14th, 2024, and he was extradited to the United States earlier this month, on May 9th. Masurica was detained following his court appearance in Tampa on May 12th, where he was brought before United States Magistrate Judge Lindsay Saxe Griffin."
https://www.bleepingcomputer.com/news/security/kosovo-extradites-blackdb-admin-to-face-us-cybercrime-charges/
https://www.securityweek.com/kosovar-administrator-of-cybercrime-marketplace-extradited-to-us/ - The Forgotten Threat: How Supply Chain Attacks Are Targeting Small Businesses
"When people hear "supply chain attack," their minds often go to headline-grabbing breaches. But while analysts, CISOs, and journalists dissect those incidents, a more tactical and persistent wave of attacks has been unfolding in parallel; one that's laser-focused on small businesses as the point of entry. This isn't collateral damage. It's by design. Cybercriminals aren't always trying to figuratively kick down the front doors of well-defended enterprises. Instead, they're probing the digital perimeter for softer targets: under-resourced MSPs, niche SaaS providers, regional consultants, and third-party vendors."
https://www.tripwire.com/state-of-security/forgotten-threat-how-supply-chain-attacks-are-targeting-small-businesses - CVE Foundation Eyes Year-End Launch Following 11th-Hour Rescue Of MITRE Program
"In late March, the nonprofit research organization MITRE celebrated the 25th anniversary of the Common Vulnerability and Exposures (CVE) program, a widely hailed scientific achievement funded by the U.S. government and administered by MITRE. The CVE program is the global bedrock of contemporary vulnerability management, cataloging and assigning unique identifiers to software vulnerabilities. Until April 15, cybersecurity defenders and data scientists seemed unshakeable in embracing the program, which had already overcome challenges to achieve its silver anniversary."
https://cyberscoop.com/cve-program-funding-crisis-cve-foundation-mitre/ - AI Agents May Have a Memory Problem
"Memory-enabled artificial intelligence agents that can store and recall user data for more intelligent and personalized decision-making are vulnerable to memory injection attacks that can manipulate their behavior in future interactions, a new study has shown. These AI agents, such as those used in Mastercard's recently disclosed Agent Pay and PayPal's equally new Agent Toolkit, store user data — such as preferences, transaction histories, and conversational context — to deliver very personalized decisions on behalf of users. Mastercard envisions its Agent Pay, for instance, as proactively making purchase decisions and recommending payment options based on contextual knowledge of a user's preferences and feedback."
https://www.darkreading.com/cyber-risk/ai-agents-memory-problem
https://arxiv.org/pdf/2503.16248 - Why CVSS Is Failing Us And What We Can Do About It
"Two decades ago, CVSS revolutionized vulnerability management, enabling security teams to speak a common language when measuring and prioritizing risks posed by the vulnerability to the affected asset. However, today, the same tool that once guided us in the right direction is holding us back. In an environment where adversaries are faster, attack surfaces are broader, and resource constraints are tighter than ever, relying only on CVSS ratings to drive remediation efforts is no longer enough. Yet many organizations still patch vulnerabilities based on severity scores alone without asking the critical question necessary to determine real risk: Does this exposure actually pose a real risk in our environment?"
https://www.theregister.com/2025/05/14/picus_cvss/ - Go Ahead And Ignore Patch Tuesday – It Might Improve Your Security
"Patch Tuesday has rolled around again, but if you don't rush to implement the feast of fixes it delivered, your security won't be any worse off in the short term – and may improve in the future. That's the opinion of Craig Lawson, a Research Vice President at analyst Gartner, who on Wednesday told the firm's Infrastructure, Operations & Cloud Strategies Conference: "Nobody has ever out-patched threat actors at scale.""
https://www.theregister.com/2025/05/14/improve_patching_strategies/ - Maritime Cybersecurity: Threats & Regulations Loom
"The maritime industry is a large, complex ecosystem of carriers and port operators, with various pieces of information and operational technologies. Securing these systems is challenging but critical, as ports are at the center of the country’s supply chain. During the Maritime Cybersecurity: Risks and Best Practices webinar on April 9, experts discussed existing challenges and where stakeholders can focus on securing the supply chain and their maritime security infrastructure."
https://www.trendmicro.com/en_us/research/25/e/maritime-cybersecurity-threats-regulations.html
อ้างอิง
Electronic Transactions Development Agency(ETDA)
- Insight: Rogue Communication Devices Found In Chinese Solar Power Inverters
-
เตือนภัย! แฮกเกอร์ใช้เครื่องมือ AI ปลอมหลอกติดตั้งมัลแวร์ Noodlophile เพื่อขโมยข้อมูลและเข้าควบคุมเครื่องโพสต์ใน Cyber Security News
สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand
-
CISA ปรับวิธีการแจ้งเตือนภัยไซเบอร์ใหม่ เน้นสื่อสารผ่านโซเชียลมีเดียและอีเมลโพสต์ใน Cyber Security News
สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand
-
แจ้งเตือนกรณี Cisco ประกาศช่องโหว่จำนวน 28 รายการโพสต์ใน Cyber Security News
**สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand**