โพสต์ถูกสร้างโดย NCSA_THAICERT

NCSA_THAICERT

Citrix ออกแพตช์แก้ไขช่องโหว่ 3 รายการใน NetScaler .png

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

NCSA_THAICERT

พบ “PromptLock” แรนซัมแวร์ตัวแรกที่ใช้ AI ช่วยเข้า.png

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

NCSA_THAICERT

Energy Sector

The Energy Sector Has No Time To Wait For The Next Cyberattack
"The energy sector remains a major target for cybercriminals. Beyond disrupting daily routines, a power outage can undermine economic stability and public safety. Rising demand for electricity, fueled by technology and digital growth, only adds to the sector’s vulnerability. A major driver of that demand is artificial intelligence: Goldman Sachs predicts that data center power consumption could rise by 160% by 2030, as AI’s enormous energy appetite strains already fragile grids."
https://www.helpnetsecurity.com/2025/08/26/energy-sector-cyber-risks/

Industrial Sector

INVT VT-Designer And HMITool
"Successful exploitation of these vulnerabilities could allow attackers to execute arbitrary code in the context of the current process."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-238-01
Schneider Electric Modicon M340 Controller And Communication Modules
"Successful exploitation of this vulnerability could allow an attacker to cause a denial-of-service condition."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-238-03

Vulnerabilities

Citrix Fixes Critical NetScaler RCE Flaw Exploited In Zero-Day Attacks
"Citrix fixed three NetScaler ADC and NetScaler Gateway flaws today, including a critical remote code execution flaw tracked as CVE-2025-7775 that was actively exploited in attacks as a zero-day vulnerability. The CVE-2025-7775 flaw is a memory overflow bug that can lead to unauthenticated, remote code execution on vulnerable devices. In an advisory released today, Citrix states that this flaw was observed being exploited in attacks on unpatched devices."
https://www.bleepingcomputer.com/news/security/citrix-fixes-critical-netscaler-rce-flaw-exploited-in-zero-day-attacks/
https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX694938
https://thehackernews.com/2025/08/citrix-patches-three-netscaler-flaws.html
https://www.darkreading.com/vulnerabilities-threats/citrix-zero-day-under-active-attack
https://www.bankinfosecurity.com/citrix-netscaler-devices-yet-again-under-attack-a-29301
https://cyberscoop.com/citrix-netscaler-zero-day-exploited-august-2025/
https://securityaffairs.com/181567/hacking/citrix-fixed-three-netscaler-flaws-one-of-them-actively-exploited-in-the-wild.html
https://www.helpnetsecurity.com/2025/08/26/netscaler-adc-gateway-zero-day-exploited-by-attackers-cve-2025-7775/
CISA Adds One Known Exploited Vulnerability To Catalog
"CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
CVE-2025-7775 Citrix NetScaler Memory Overflow Vulnerability"
https://www.cisa.gov/news-events/alerts/2025/08/26/cisa-adds-one-known-exploited-vulnerability-catalog

Malware

Underground Ransomware Being Distributed Worldwide, Including In South Korea
"The Underground ransomware gang is launching continuous ransomware attacks against companies in various countries and industries, including South Korea. This post describes the analysis and characteristics of the Underground ransomware."
https://asec.ahnlab.com/en/89835/
Nearly 2,000 Malicious IPs Probe Microsoft Remote Desktop In Single-Day Surge
"On August 21, GreyNoise observed a sharp surge in scanning against Microsoft Remote Desktop (RDP) services. Nearly 2,000 IPs — the vast majority previously observed and tagged as malicious — simultaneously probed both Microsoft RD Web Access and Microsoft RDP Web Client authentication portals. The wave’s aim was clear: test for timing flaws that reveal valid usernames, laying the groundwork for credential-based intrusions."
https://www.greynoise.io/blog/surge-malicious-ips-probe-microsoft-remote-desktop
https://www.bleepingcomputer.com/news/security/surge-in-coordinated-scans-targets-microsoft-rdp-auth-servers/
https://www.darkreading.com/cyber-risk/malicious-scanning-remote-desktop-services
Hook Version 3: The Banking Trojan With The Most Advanced Capabilities
"Zimperium’s zLabs research team has uncovered a new variant of the Hook Android banking trojan, now featuring some of the most advanced capabilities we’ve seen to date. This version introduces: Ransomware-style overlays that display extortion messages, Fake NFC overlays to trick victims into sharing sensitive data, Lockscreen bypass via deceptive PIN and pattern prompts, Transparent overlays to silently capture user gestures, and Stealthy screen-streaming sessions for real-time monitoring."
https://zimperium.com/blog/hook-version-3-the-banking-trojan-with-the-most-advanced-capabilities
https://thehackernews.com/2025/08/hook-android-trojan-adds-ransomware.html
https://www.darkreading.com/endpoint-security/hook-android-trojan-ransomware-attacks
https://hackread.com/android-hook-malware-variant-locks-devices-ransomware/
https://www.infosecurity-magazine.com/news/android-trojan-expands-ransomware/
ZipLine Campaign: Advanced Social Engineering Phishing Targets U.S. Manufacturing
"Check Point Research has identified ZipLine as one of the most advanced phishing campaigns of recent years. Instead of sending unsolicited phishing emails, the attackers initiate contact through a company’s “Contact Us” form. This reversal forces the victim to send the first email, making the exchange appear legitimate and bypassing reputation-based filters. Gain a deeper understanding of the ZipLine campaign by reading Check Point Research’s full technical analysis."
https://blog.checkpoint.com/research/zipline-campaign-advanced-social-engineering-phishing-targets-u-s-manufacturing/
https://research.checkpoint.com/2025/zipline-phishing-campaign/
https://thehackernews.com/2025/08/mixshell-malware-delivered-via-contact.html
https://www.theregister.com/2025/08/26/zipline_phishing_campaign/
Widespread Data Theft Targets Salesforce Instances Via Salesloft Drift
"Google Threat Intelligence Group (GTIG) is issuing an advisory to alert organizations about a widespread data theft campaign, carried out by the actor tracked as UNC6395. Beginning as early as Aug. 8, 2025 through at least Aug. 18, 2025, the actor targeted Salesforce customer instances through compromised OAuth tokens associated with the Salesloft Drift third-party application. The actor systematically exported large volumes of data from numerous corporate Salesforce instances. GTIG assesses the primary intent of the threat actor is to harvest credentials. After the data was exfiltrated, the actor searched through the data to look for secrets that could be potentially used to compromise victim environments."
https://cloud.google.com/blog/topics/threat-intelligence/data-theft-salesforce-instances-via-salesloft-drift
https://www.bleepingcomputer.com/news/security/silk-typhoon-hackers-hijack-network-captive-portals-in-diplomat-attacks/
https://cyberscoop.com/salesforce-salesloft-drift-attack-spree-google/
Israel National Digital Agency Uncovers Global Cyberattack Campaign “ShadowCaptcha”
"Researchers identified a large-scale campaign leveraging the ClickFix technique and fake Google/Cloudflare CAPTCHA pages, active for at least a year and exploiting hundreds of compromised WordPress sites. The attack combines social engineering, abuse of legitimate tools, and multi-stage malware delivery to steal sensitive data, deploy cryptominers, and even trigger ransomware outbreaks."
https://www.gov.il/en/pages/shadowcaptch-campaign
https://thehackernews.com/2025/08/shadowcaptcha-exploits-wordpress-sites.html
Researchers Flag Code That Uses AI Systems To Carry Out Ransomware Attacks
"Researchers at cybersecurity firm ESET claim to have identified the first piece of AI-powered ransomware in the wild. The malware, called PromptLock, essentially functions as a hard-coded prompt injection attack on a large language model, causing the model to assist in carrying out a ransomware attack. Written in Golang programming code, the malware sends its requests through Ollama, an open-source API for interfacing with large language models, and a local version of an open-weights model (gpt-oss:20b) from OpenAI to execute tasks."
https://cyberscoop.com/prompt-lock-eset-ransomware-research-ai-powered-prompt-injection/
https://www.theregister.com/2025/08/26/first_aipowered_ransomware_spotted_by/

Breaches/Hacks/Leaks

Salesloft Breached To Steal OAuth Tokens For Salesforce Data-Theft Attacks
"Hackers breached sales automation platform Salesloft to steal OAuth and refresh tokens from its Drift chat agent integration with Salesforce to pivot to customer environments and exfiltrate data. The ShinyHunters extortion group claims responsibility for these additional Salesforce attacks. Salesloft's SalesDrift is a third-party platform that connects the Drift AI chat agent with a Salesforce instance, allowing organizations to sync conversations, leads, and support cases into their CRM."
https://www.bleepingcomputer.com/news/security/salesloft-breached-to-steal-oauth-tokens-for-salesforce-data-theft-attacks/
Healthcare Services Group Data Breach Impacts 624,000
"Healthcare Services Group is notifying over 624,000 individuals that their personal information was stolen in a data breach. The incident, the organization says, was identified on October 7, 2024, and involved unauthorized access to its systems between September 27, 2024, and October 3, 2024. During the timeframe, the hackers copied certain files from the compromised machines, including files containing personal information. The compromised data, Healthcare Services Group says, includes names, Social Security numbers, driver’s license numbers, state identification numbers, financial account details, and credentials."
https://www.securityweek.com/healthcare-services-group-data-breach-impacts-624000/
Nissan Confirms Design Studio Data Breach Claimed By Qilin Ransomware
"Nissan Japan has confirmed to BleepingComputer that it suffered a data breach following unauthorized access to a server of one of its subsidiaries, Creative Box Inc. (CBI). This came in response to the Qilin ransomware group's claims that they had stolen four terabytes of data from CBI, including 3D vehicle design models, internal reports, financial documents, VR design workflows, and photos. "On August 16, 2025, suspicious access was detected on the data server of Creative Box Inc. (CBI), a company contracted by Nissan for design work," stated a Nissan spokesperson to BleepingComputer."
https://www.bleepingcomputer.com/news/security/nissan-confirms-design-studio-data-breach-claimed-by-qilin-ransomware/

General News

The Silent Data Leak Crisis In Australia’s Supply Chains
"Australia is experiencing an unprecedented cybercrime epidemic that is reshaping the digital threat landscape. As artificial intelligence becomes more sophisticated and accessible, cybercriminals are leveraging these technologies to launch increasingly sophisticated attacks, while supply chain vulnerabilities continue to expose organizations to devastating data breaches. The statistics paint a sobering picture of a nation under digital siege."
https://cyble.com/blog/australia-supply-chain-vulnerabilities/
Protecting Farms From Hackers: A Q&A With John Deere’s Deputy CISO
"Agriculture is a connected, software-driven industry where cybersecurity is just as essential as tractors and harvesters. From embedded hardware in smart fleets to defending against advanced persistent threats, protecting the agricultural supply chain requires a layered, collaborative approach. In this Help Net Security interview, Carl Kubalsky, Director and Deputy CISO at John Deere discusses the most pressing security challenges in agriculture, how his team is working with partners and ethical hackers to stay ahead of adversaries, and what priorities will define the next 12-18 months."
https://www.helpnetsecurity.com/2025/08/26/carl-kubalsky-john-deere-smart-agriculture-cybersecurity/
LLMs At The Edge: Rethinking How IoT Devices Talk And Act
"Anyone who has set up a smart home knows the routine: one app to dim the lights, another to adjust the thermostat, and a voice assistant that only understands exact phrasing. These systems call themselves smart, but in practice they are often rigid and frustrating. A new paper by Alakesh Kalita, IEEE Senior Member, suggests a different path. By combining LLMs with IoT networks at the edge, devices could respond to natural language commands in a way that feels intuitive and coordinated. Instead of managing each device separately, a user could issue one broad command and let the system figure out the details."
https://www.helpnetsecurity.com/2025/08/26/llm-iot-integration/
CIISec: Most Security Professionals Want Stricter Regulations
"More than two-thirds (69%) of industry professionals have argued that current cybersecurity laws still aren’t strict enough, according to a new survey by the Chartered Institute of Information Security (CIISec). The organization’s annual State of the Security Profession survey is compiled from interviews with CIISec members and the wider security community. Some early findings were shared in a blog post last week by CEO Amanda Finch, who revealed that the report focuses heavily on regulation this year."
https://www.infosecurity-magazine.com/news/ciisec-security-professionals/
Google To Verify All Android Developers In 4 Countries To Block Malicious Apps
"Google has announced plans to begin verifying the identity of all developers who distribute apps on Android, even for those who distribute their software outside the Play Store. "Android will require all apps to be registered by verified developers in order to be installed by users on certified Android devices," the company said. "This creates crucial accountability, making it much harder for malicious actors to quickly distribute another harmful app after we take the first one down.""
https://thehackernews.com/2025/08/google-to-verify-all-android-developers.html
https://android-developers.googleblog.com/2025/08/elevating-android-security.html
https://www.bleepingcomputer.com/news/security/google-to-verify-all-android-devs-to-block-malware-on-google-play/
The Hidden Risk Of Consumer Devices In The Hybrid Workforce
"The recent addition of D-Link camera and video recorders to the Known Exploited Vulnerabilities Catalog (KEV) points to a broader and persistent threat: Consumer devices are increasingly putting businesses at risk. In the hybrid work era, home networks now serve as an extension of the corporate environment, yet they are often built on outdated, insecure devices that lack proper patching or support life cycles. These weaknesses have become a fertile attack surface for threat actors who aim to compromise enterprise systems from the outside in."
https://www.darkreading.com/cyberattacks-data-breaches/hidden-risk-consumer-devices-hybrid-workforce
Beyond The Prompt: Building Trustworthy Agent Systems
"We’re witnessing the quiet rise of the agent ecosystem – systems built not just to answer questions, but to plan, reason, and execute complex tasks. Tools like GPT-4, Claude, and Gemini are the engines. But building reliable, secure, and effective agent systems demand more than just plugging in an API. It demands deliberate architecture and a focus on best practices."
https://www.securityweek.com/beyond-the-prompt-building-trustworthy-agent-systems/
Governments, Tech Companies Meet In Tokyo To Share Tips On Fighting North Korea IT Worker Scheme
"Multiple governments and companies held a forum in Tokyo on Tuesday to discuss ways of combating a years-long campaign by North Korea to have its citizens illicitly hired in information technology roles. The U.S. State Department said it worked with the Ministries of Foreign Affairs in Japan and South Korea to organize the forum, which had more than 130 attendees from freelance work platforms, payment service providers, cryptocurrency companies, AI firms and more."
https://therecord.media/japan-us-south-korea-forum-north-korea-it-worker-scheme

อ้างอิง
Electronic Transactions Development Agency(ETDA)

NCSA_THAICERT

Docker ออกแพตช์แก้ไขช่องโหว่ CVE-2025-9074 บน Docker Desktop.png

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

NCSA_THAICERT

เตือนอีเมล Voicemail ปลอม หลอกติดตั้งมัลแวร์ UpCrypter .png

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

NCSA_THAICERT

Industrial Sector

Smart Manufacturing Demands Workers With AI And Cybersecurity Skills
"The manufacturing sector is entering a new phase of digital transformation. According to Rockwell Automation’s 10th Annual State of Smart Manufacturing Report, 56% of manufacturers are piloting smart manufacturing initiatives, 20% have deployed them at scale, and another 20% are planning future investments. While energy costs have become less of a concern for manufacturers, cybersecurity risks, competition, and workforce challenges have risen in prominence. Alongside inflation and economic uncertainty, these factors are now among the top obstacles manufacturers expect to face over the next year."
https://www.helpnetsecurity.com/2025/08/25/ai-powered-smart-manufacturing/

New Tooling

Kopia: Open-Source Encrypted Backup Tool For Windows, MacOS, Linux
"Kopia is an open-source backup and restore tool that lets you create encrypted snapshots of your files and store them in cloud storage, on a remote server, on network-attached storage, or on your own computer. It doesn’t create a full image of your machine. Instead, you pick the files and folders you want to back up or restore. Kopia comes with both a command-line interface (CLI) and a graphical user interface (GUI), so it works well for experienced users and beginners alike. Its features include compression, deduplication, end-to-end encryption, and error correction."
https://www.helpnetsecurity.com/2025/08/25/kopia-open-source-encrypted-backup-tool-windows-macos-linux/
https://github.com/kopia/kopia

Vulnerabilities

Critical Docker Desktop Flaw Lets Attackers Hijack Windows Hosts
"A critical vulnerability in Docker Desktop for Windows and macOS allows compromising the host by running a malicious container, even if the Enhanced Container Isolation (ECI) protection is active. The security issue is a server-side request forgery (SSRF) now identified as CVE-2025-9074, and it received a critical severity rating of 9.3. “A malicious container running on Docker Desktop could access the Docker Engine and launch additional containers without requiring the Docker socket to be mounted,” reads Docker’s bulletin."
https://www.bleepingcomputer.com/news/security/critical-docker-desktop-flaw-lets-attackers-hijack-windows-hosts/
https://blog.qwertysecurity.com/Articles/blog3
https://thehackernews.com/2025/08/docker-fixes-cve-2025-9074-critical.html
CISA Adds Three Known Exploited Vulnerabilities To Catalog
"CISA has added three new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
CVE-2024-8069 Citrix Session Recording Deserialization of Untrusted Data Vulnerability
CVE-2024-8068 Citrix Session Recording Improper Privilege Management Vulnerability
CVE-2025-48384 Git Link Following Vulnerability"
https://www.cisa.gov/news-events/alerts/2025/08/25/cisa-adds-three-known-exploited-vulnerabilities-catalog
OneFlip: An Emerging Threat To AI That Could Make Vehicles Crash And Facial Recognition Fail
"Autonomous vehicles and many other automated systems are controlled by AI; but the AI could be controlled by malicious attackers taking over the AI’s weights. Weights within AI’s deep neural networks represent the models’ learning and how it is used. A weight is usually defined in a 32-bit word, and there can be hundreds of billions of bits involved in this AI ‘reasoning’ process. It is a no-brainer that if an attacker controls the weights, the attacker controls the AI. A research team from George Mason University, led by associate professor Qiang Zeng, presented a paper (PDF) at this year’s August USENIX Security Symposium describing a process that can flip a single bit to alter a targeted weight. The effect could change a benign and beneficial outcome to a potentially dangerous and disastrous outcome."
https://www.securityweek.com/oneflip-an-emerging-threat-to-ai-that-could-make-vehicles-crash-and-facial-recognition-fail/
https://www.usenix.org/system/files/usenixsecurity25-li-xiang.pdf

Malware

New Android Malware Poses As Antivirus From Russian Intelligence Agency
"A new Android malware posing as an antivirus tool software created by Russia's Federal Security Services agency (FSB) is being used to target executives of Russian businesses. In a new report from Russian mobile security firm Dr. Web, researchers track the new spyware as 'Android.Backdoor.916.origin,' finding no links to known malware families. Among its various capabilities, the malware can snoop on conversations, stream from the phone's camera, log user input with a keylogger, or exfiltrate communication data from messenger apps."
https://www.bleepingcomputer.com/news/security/new-android-malware-poses-as-antivirus-from-russian-intelligence-agency/
https://securityaffairs.com/181503/malware/android-backdoor-916-origin-malware-targets-russian-business-executives.html
Trust Issues: How Email Threats Hide Behind Your Partners
"The most widely used email security tools still focus on yesterday’s threats. Meanwhile, attackers have moved on. By hijacking legitimate business relationships and embedding infostealers in familiar-sounding, well-written emails, cybercriminals bypass conventional defenses. The only way to keep up is by using a behavioral approach."
https://www.group-ib.com/blog/how-email-threats-hide-behind-your-partners/
Arch Linux Project Responding To Week-Long DDoS Attack
"For more than a week, the Arch Linux Project’s maintainers have been responding to a sustained distributed denial-of-service (DDoS) attack that impacted most of the project’s resources. The project’s maintainers first confirmed that the outage was caused by a DDoS attack on August 16, noting that the Arch User Repository (AUR), the Arch Linux main webpage, and the forums were down. “As you might be aware some of our services (AUR, Forums, main website) are currently affected by a DDoS attack. We are aware of the issue and are actively working on mitigation efforts,” the maintainers said."
https://www.securityweek.com/arch-linux-project-responding-to-week-long-ddos-attack/
Phishing In The Classroom: 115,000 Emails Exploit Google Classroom To Target 13,500 Organizations
"Check Point researchers have uncovered a large-scale active phishing campaign abusing Google Classroom, a platform trusted by millions of students and educators worldwide. Over the course of just one week, attackers launched five coordinated waves, distributing more than 115,000 phishing emails aimed at 13,500 organizations across multiple industries. Organizations in Europe, North America, the Middle East and Asia are being targeted."
https://blog.checkpoint.com/email-security/phishing-in-the-classroom-115000-emails-exploit-google-classroom-to-target-13500-organizations/
Hackers Lay In Wait, Then Knocked Out Iran Ship Comms
"A shadowy hacktivist crew known for outing Iran's state-run hackers is claiming credit for knocking out communications aboard dozens of Iranian oil tankers and cargo ships, leaving critical onboard systems completely bricked. UK-based Iran International on Friday described it as one of the largest cyberattacks ever on Iran's maritime sector, disrupting some 25 cargo ships and 39 tankers operated by the National Iranian Tanker Company (NITC) and the Islamic Republic of Iran Shipping Lines (IRISL). Both companies have been sanctioned by the US Treasury Department for various violations linked to the Iranian government."
https://www.darkreading.com/cyber-risk/hackers-knocked-out-iran-ship-comms
Trusted My Summarizer, Now My Fridge Is Encrypted — How Threat Actors Could Weaponize AI Summarizers With CSS-Based ClickFix Attacks
"A novel adaptation of the ClickFix social engineering technique has been identified, leveraging invisible prompt injection to weaponize AI summarization systems. This approach targets summarizers embedded in applications such as email clients, browser extensions, and productivity platforms. By exploiting the trust users place in AI-generated summaries, the method covertly delivers malicious step-by-step instructions that can facilitate ransomware deployment. The attack is achieved by embedding payloads within HTML content using CSS-based obfuscation methods, including zero-width characters, white-on-white text, tiny font rendering, and off-screen positioning."
https://www.cloudsek.com/blog/trusted-my-summarizer-now-my-fridge-is-encrypted----how-threat-actors-could-weaponize-ai-summarizers-with-css-based-clickfix-attacks
https://www.darkreading.com/vulnerabilities-threats/clickfix-attack-ai-summaries-pushing-malware
Phishing Campaign Targeting Companies Via UpCrypter
"FortiGuard Labs recently identified a phishing campaign leveraging carefully crafted emails to deliver malicious URLs linked to convincing phishing pages. These pages are designed to entice recipients into downloading JavaScript files that act as droppers for UpCrypter, malware that ultimately deploys various remote access tools (RATs). The attack chain begins with a small, obfuscated script that redirects victims to a spoofed site personalized with the target’s email domain, enhancing credibility. In this blog post, we’ll describe an infection chain using different methods to lure the victim and successfully deliver several RATs, including PureHVNC, DCRat, and Babylon RAT."
https://www.fortinet.com/blog/threat-research/phishing-campaign-targeting-companies-via-upcrypter
https://www.darkreading.com/cyberattacks-data-breaches/fast-spreading-phishing-installs-rats
https://thehackernews.com/2025/08/phishing-campaign-uses-upcrypter-in.html
https://hackread.com/fake-voicemail-emails-install-upcrypter-malware-windows/
Deception In Depth: PRC-Nexus Espionage Campaign Hijacks Web Traffic To Target Diplomats
"In March 2025, Google Threat Intelligence Group (GTIG) identified a complex, multifaceted campaign attributed to the PRC-nexus threat actor UNC6384. The campaign targeted diplomats in Southeast Asia and other entities globally. GTIG assesses this was likely in support of cyber espionage operations aligned with the strategic interests of the People's Republic of China (PRC). The campaign hijacks target web traffic, using a captive portal redirect, to deliver a digitally signed downloader that GTIG tracks as STATICPLUGIN."
https://cloud.google.com/blog/topics/threat-intelligence/prc-nexus-espionage-targets-diplomats/
https://thehackernews.com/2025/08/unc6384-deploys-plugx-via-captive.html
ScreenConnect Super Admin Credential Harvesting
"Samantha Clarke and the Mimecast Threat Research team have identified an ongoing credential harvesting campaign (designated MCTO3030) that specifically targets ScreenConnect cloud administrators. This sophisticated operation has maintained consistent tactics, techniques, and procedures since 2022, demonstrating remarkable operational security through low-volume distribution that has allowed it to operate largely undetected. The campaign employs spear phishing emails delivered through Amazon Simple Email Service (SES) accounts, targeting senior IT professionals including directors, managers, and security personnel with elevated privileges in ScreenConnect environments. The attackers specifically seek super administrator credentials, which provide comprehensive control over remote access infrastructure across entire organizations."
https://www.mimecast.com/threat-intelligence-hub/screenconnect-super-admin-credential/
https://www.helpnetsecurity.com/2025/08/25/screenconnect-admins-targeted-with-spoofed-suspicious-login-alerts/
Examining The Tactics Of BQTLOCK Ransomware & Its Variants
"Ransomware-as-a-Service (RaaS), marketed on dark web forums or Telegram channels, is a growing model in the cybercrime ecosystem where ransomware developers offer their malicious tools and infrastructure to affiliates in a subscription model or a profit share. Affiliates who are responsible for the distribution need not have any coding experience. They can simply purchase or subscribe to a RaaS, which handles the payload generation, encryption mechanisms, victim communication portals, and even automated payment collection via cryptocurrency."
https://labs.k7computing.com/index.php/examining-the-tactics-of-bqtlock-ransomware-its-variants/

Breaches/Hacks/Leaks

Farmers Insurance Data Breach Impacts 1.1M People After Salesforce Attack
"U.S. insurance giant Farmers Insurance has disclosed a data breach impacting 1.1 million customers, with BleepingComputer learning that the data was stolen in the widespread Salesforce attacks. Farmers Insurance is a U.S.-based insurer that provides auto, home, life, and business insurance products. It operates through a network of agents and subsidiaries, serving more than 10 million households nationwide. The company disclosed the data breach in an advisory on its website, saying that its database at a third-party vendor was breached on May 29, 2025."
https://www.bleepingcomputer.com/news/security/farmers-insurance-data-breach-impacts-11m-people-after-salesforce-attack/
https://therecord.media/farmers-insurance-million-data-breach
https://www.securityweek.com/farmers-insurance-data-breach-impacts-over-1-million-people/
https://www.bankinfosecurity.com/farmers-insurance-aflac-report-data-breaches-to-regulators-a-29289
Auchan Retailer Data Breach Impacts Hundreds Of Thousands Of Customers
"French retailer Auchan is informing that some sensitive data associated with loyalty accounts of several hundred thousand of its customers was exposed in a cyberattack. The company is sending data breach notifications to customers affected by the incident. "We are writing to inform you that Auchan has been the victim of a cyberattack. This attack resulted in unauthorized access to certain personal data associated with your loyalty account," reads the retailer's notification."
https://www.bleepingcomputer.com/news/security/auchan-retailer-data-breach-impacts-hundreds-of-thousands-of-customers/
Nevada State Offices Halts Services After Cyber Incident
"Nevada state offices suspended some in-person services Monday after a network security incident disrupted local agency systems, officials confirmed. Emergency services and 911 remained fully operational statewide, but the disruption knocked out access to certain state websites, online portals and office phone lines, according to a release from the governor’s office. The governor’s website was offline at publication time and the state’s media office did not immediately respond to a request for comment."
https://www.bankinfosecurity.com/nevada-state-offices-halts-services-after-cyber-incident-a-29290
Maryland Investigating Cyberattack Impacting Transit Service For Disabled People
"Several state departments in Maryland are dealing with a cyberattack affecting systems used to organize transportation for disabled people. On Sunday, the Maryland Transit Administration (MTA) published warnings on social media and on its website about a cyber incident involving unauthorized access to some systems. While the MTA’s core transportation services — which include bus lines, subways and a light rail system — were not affected, some real-time information systems and other tools used for the specialized transit service called Mobility were impacted."
https://therecord.media/maryland-cyberattack-transit-disabled-people

General News

Why a New AI Tool Could Change How We Test Insider Threat Defenses
"Insider threats are among the hardest attacks to detect because they come from people who already have legitimate access. Security teams know the risk well, but they often lack the data needed to train systems that can spot subtle patterns of malicious behavior. A research team has introduced Chimera, a system that uses LLM agents to simulate both normal and malicious employee activity in enterprise settings. The goal is to solve one of the main problems in insider threat detection: the lack of realistic and shareable datasets."
https://www.helpnetsecurity.com/2025/08/25/ai-insider-threat-simulation/
Why Satellite Cybersecurity Threats Matter To Everyone
"Satellites play a huge role in our daily lives, supporting everything from global communications to navigation, business, and national security. As space becomes more crowded and commercial satellite use grows, these systems are facing new cyber threats. The challenge is even greater because many satellites still in service were designed decades ago, at a time when cybersecurity wasn’t a focus, which leaves them with limited defenses."
https://www.helpnetsecurity.com/2025/08/25/brett-loubert-deloitte-satellite-cybersecurity-threats/
Why SIEM Rules Fail And How To Fix Them: Insights From 160 Million Attack Simulations
"Security Information and Event Management (SIEM) systems act as the primary tools for detecting suspicious activity in enterprise networks, helping organizations identify and respond to potential attacks in real time. However, the new Picus Blue Report 2025, based on over 160 million real-world attack simulations, revealed that organizations are only detecting 1 out of 7 simulated attacks, showing a critical gap in threat detection and response."
https://thehackernews.com/2025/08/why-siem-rules-fail-and-how-to-fix-them.html
Securing The Cloud In An Age Of Escalating Cyber Threats
"As cloud environments become increasingly complex and attackers become more sophisticated, organizations must rethink their approach to securing infrastructure. Recent cyberattacks in Singapore serve as a critical wake-up call. In a recent report, Rubrick found that nearly 20% of organizations in Singapore experienced more than 25 cyberattacks in 2024, averaging at least one attack every two weeks."
https://www.darkreading.com/cyberattacks-data-breaches/securing-cloud-age-escalating-cyber-threats
AI Browsers Could Leave Users Penniless: A Prompt Injection Warning
"Artificial Intelligence (AI) browsers are gaining traction, which means we may need to start worrying about the potential dangers of something called “prompt injection.” Large language models (LLMs)—like the ones that power AI chatbots including ChatGPT, Claude, and Gemini—are designed to follow “prompts,” which are the instructions and questions that people provide when looking up info or getting help with a topic. In a chatbot, the questions you ask the AI are the “prompts.” But AI models aren’t great at telling apart the types of commands that are meant for their eyes only (for example, hidden background rules that come directly from developers, like “don’t write ransomware“) from the types of requests that come from users."
https://www.malwarebytes.com/blog/news/2025/08/ai-browsers-could-leave-users-penniless-a-prompt-injection-warning

อ้างอิง
Electronic Transactions Development Agency(ETDA)

NCSA_THAICERT

Vulnerabilities

MITRE Updates List Of Most Common Hardware Weaknesses
"The non-profit MITRE Corporation this week published a revised CWE Most Important Hardware Weaknesses (MIHW) to align it with the evolution of the hardware security landscape. Initially released in 2021, the CWE MIHW list includes frequent errors that lead to critical hardware vulnerabilities, and is meant to raise awareness within the community, to help eradicate hardware flaws from the start. The updated list includes 11 entries and comes with new classes, categories, and base weaknesses, but retains five of the entries that were included in the 2021 CWE MIHW list. It shows a focus on resource reuse, debug mode bugs, and fault injection."
https://www.securityweek.com/mitre-updates-list-of-most-common-hardware-weaknesses/
https://cwe.mitre.org/topHW/archive/2025/2025_CWE_MIHW.html

Malware

Proxyware Malware Being Distributed On YouTube Video Download Site – 2
"AhnLab SEcurity intelligence Center (ASEC) has covered cases where Proxyware malware is distributed by sites posing as YouTube video download pages. Although the attack methods and malware installed are similar, the same attacker continues to distribute the malware, leading to the infection of numerous systems."
https://asec.ahnlab.com/en/89787/
Mistrusted Advisor: Evading Detection With Public S3 Buckets And Potential Data Exfiltration In AWS
"In May 2025, we uncovered multiple undocumented techniques to evade detection by bypassing AWS Trusted Advisor’s S3 Security Checks. Leveraging these methods, we were able to bypass detection by Trusted Advisor’s S3 security scans and configure buckets with public and anonymous permissions via bucket policies and ACLs which permit data access open to the world and potential data exfiltration - all without triggering a single alert."
https://www.fogsecurity.io/blog/mistrusted-advisor-public-s3-buckets
https://www.securityweek.com/aws-trusted-advisor-tricked-into-showing-unprotected-s3-buckets-as-secure/
Falcon Platform Prevents COOKIE SPIDER’s SHAMOS Delivery On MacOS
"Between June and August 2025, the CrowdStrike Falcon platform successfully blocked a sophisticated malware campaign that attempted to compromise over 300 customer environments. The campaign deployed SHAMOS, a variant of Atomic macOS Stealer (AMOS) developed by the cybercriminal group COOKIE SPIDER. Operating as malware-as-a-service, COOKIE SPIDER rents this information stealer to cybercriminals who deploy it to harvest sensitive information and cryptocurrency assets from victims. The campaign utilized malvertising to direct users to fraudulent macOS help websites where victims were instructed to execute a malicious one-line installation command."
https://www.crowdstrike.com/en-us/blog/falcon-prevents-cookie-spider-shamos-delivery-macos/
https://www.bleepingcomputer.com/news/security/fake-mac-fixes-trick-users-into-installing-new-shamos-infostealer/
https://www.securityweek.com/hundreds-targeted-in-new-atomic-macos-stealer-campaign/
https://hackread.com/cookie-spider-malvertising-new-shamos-macos-malware/
https://securityaffairs.com/181441/malware/over-300-entities-hit-by-a-variant-of-atomic-macos-stealer-in-recent-campaign.html
APT36: Targets Indian BOSS Linux Systems With Weaponized AutoStart Files
"CYFIRMA has identified an ongoing cyber-espionage campaign orchestrated by APT36 (Transparent Tribe), a Pakistan-based threat actor with a sustained focus on Indian Government entities. This operation reflects the group’s increasing sophistication and flexibility; leveraging tailored malware, aimed at Boss operating systems. Initial access is achieved through spear phishing emails. Linux BOSS environments are targeted via weaponized .desktop shortcut files that, once opened, download and execute malicious payloads. APT36’s capability to customize its delivery mechanisms according to the victim’s operating environment thereby increases its chances of success while maintaining persistent access to critical government infrastructure and evading traditional security controls."
https://www.cyfirma.com/research/apt36-targets-indian-boss-linux-systems-with-weaponized-autostart-files/
https://www.bleepingcomputer.com/news/security/apt36-hackers-abuse-linux-desktop-files-to-install-malware/
The Resurgence Of IoT Malware: Inside The Mirai-Based “Gayfemboy” Botnet Campaign
"Over the past year, FortiGuard Labs has been tracking a stealthy malware strain exploiting a range of vulnerabilities to infiltrate systems. Initially disclosed by a Chinese cybersecurity firm under the name “Gayfemboy,” the malware resurfaced this past July with new activity, this time targeting vulnerabilities in products from vendors such as DrayTek, TP-Link, Raisecom, and Cisco, and exhibiting signs of evolution in both form and behavior. This article presents an in-depth analysis of Gayfemboy, revealing its technical details and exploring the implications of its evolving behavior."
https://www.fortinet.com/blog/threat-research/iot-malware-gayfemboy-mirai-based-botnet-campaign
https://securityaffairs.com/181480/cyber-crime/iot-under-siege-the-return-of-the-mirai-based-gayfemboy-botnet.html
Android Document Readers And Deception: Tracking The Latest Updates To Anatsa
"The Zscaler ThreatLabz team continually monitors and analyzes malicious applications distributed by threat actors via the Google Play Store. Last year, ThreatLabz reported on Anatsa malware (a.k.a. TeaBot) that attacks Android devices and targets financial applications. Anatsa, first discovered in 2020, is capable of stealing credentials, monitoring keystrokes, and facilitating fraudulent transactions. In this blog post, ThreatLabz dives into Anatsa’s latest malware developments and provides insights into overall malware distribution trends in the Google Play Store."
https://www.zscaler.com/blogs/security-research/android-document-readers-and-deception-tracking-latest-updates-anatsa
The Silent, Fileless Threat Of VShell
"Linux environments are often seen as bastions of security, favored by developers, sysadmins, and security professionals for their stability, transparency, and resistance to malware. Compared to Windows, the attack surface is perceived to be smaller, and users typically enjoy a greater degree of control. But this trust has led to a blind spot: assumptions of safety based on the operating system alone. The Trellix Advanced Research Center recently uncovered a new attack that challenges these assumptions. Today’s attackers are innovating around traditional security models."
https://www.trellix.com/blogs/research/the-silent-fileless-threat-of-vshell/
https://thehackernews.com/2025/08/linux-malware-delivered-via-malicious.html
Think Before You Click(Fix): Analyzing The ClickFix Social Engineering Technique
"Over the past year, Microsoft Threat Intelligence and Microsoft Defender Experts have observed the ClickFix social engineering technique growing in popularity, with campaigns targeting thousands of enterprise and end-user devices globally every day. Since early 2024, we’ve helped multiple customers across various industries address such campaigns attempting to deliver payloads like the prolific Lumma Stealer malware. These payloads affect Windows and macOS devices and typically lead to information theft and data exfiltration."
https://www.microsoft.com/en-us/security/blog/2025/08/21/think-before-you-clickfix-analyzing-the-clickfix-social-engineering-technique/
https://www.theregister.com/2025/08/22/clickfix_report/
Fake CoinMarketCap Journalists Targeting Crypto Executives In Spear-Phishing Campaign
"Fake CoinMarketCap journalist profiles used in spear-phishing target crypto execs via Zoom interviews, risking malware, data theft, and wallet loss. A new spear-phishing campaign is targeting executives in the crypto industry through fake interview requests. The attackers impersonate journalists affiliated with CoinMarketCap, using their active profiles on the company’s website to appear legitimate."
https://hackread.com/fake-coinmarketcap-journalists-crypto-executives-spear-phishing/
Malicious Go Module Disguised As SSH Brute Forcer Exfiltrates Credentials Via Telegram
"Socket’s Threat Research Team identified a malicious Go module package, golang-random-ip-ssh-bruteforce, that poses as a fast SSH brute forcer but covertly exfiltrates credentials to its author. On the first successful login, the package sends the target IP address, username, and password to a hardcoded Telegram bot controlled by the threat actor. The package is designed to continuously scan random IPv4 addresses for exposed SSH services on TCP port 22, attempt authentication using a local username-password wordlist, and exfiltrate any successful credentials via Telegram. As a result, anyone who runs the package hands over their initial access wins to the Russian-speaking threat actor, known as IllDieAnyway on GitHub and within the Go Module ecosystem."
https://socket.dev/blog/malicious-go-module-disguised-as-ssh-brute-forcer-exfiltrates-credentials
https://thehackernews.com/2025/08/malicious-go-module-poses-as-ssh-brute.html

Breaches/Hacks/Leaks

DaVita Says Ransomware Gang Stole Data Of Nearly 2.7 Million People
"Kidney dialysis firm DaVita has confirmed that a ransomware gang that breached its network stole the personal and health information of nearly 2.7 million individuals. DaVita serves over 265,400 patients across 3,113 outpatient dialysis centers, 2,660 in the United States, and 453 centers in 13 other countries worldwide. The company reported revenues of over $12 billion in 2024 and of $3.3 billion for the second quarter of 2025. In April, the healthcare provider revealed in a filing with the U.S. Securities and Exchange Commission (SEC) that its operations were disrupted after attackers partially encrypted its network over the weekend."
https://www.bleepingcomputer.com/news/security/davita-ransomware-attack-exposed-data-of-nearly-27-million-people/
https://www.bankinfosecurity.com/dialysis-chain-tells-feds-hack-affects-nearly-27-million-a-29277
https://www.theregister.com/2025/08/22/davita_ransomware_infection/
https://securityaffairs.com/181458/data-breach/kidney-dialysis-firm-davita-confirms-ransomware-attack-compromised-data-of-2-7m-people.html
Rural Health System In Michigan Notifying 140,000 Of Hack
"A health system in rural Michigan is notifying nearly 140,000 people that their information was potentially compromised in a data theft incident occurring between November 2024 and January 2025. Cybercriminal gang BianLian lists Aspire Rural Health System as a victim on its dark website. In a breach report submitted Thursday to Maine's attorney general, Marlette, Mich.-based Aspire said the external system hacking incident affected 138,386 people."
https://www.bankinfosecurity.com/rural-health-system-in-michigan-notifying-140000-hack-a-29279
CPAP Medical Data Breach Impacts 90,000 People
"Healthcare services provider CPAP Medical Supplies and Services is informing tens of thousands of people that their personal and health information has been compromised. Florida-based CPAP Medical provides sleep apnea equipment, including to members of the US military and their families. The organization said in a data security incident notice posted on its website that its systems were accessed by hackers in mid-December 2024."
https://www.securityweek.com/cpap-medical-data-breach-impacts-90000-people/
Electronics Manufacturer Data I/O Reports Ransomware Attack To SEC
"Tech manufacturer Data I/O reported a ransomware attack to federal regulators on Thursday evening, writing that the incident has taken down critical operational systems. The Redmond, Washington-based company said the ransomware attack began on August 16 and prompted outages of the technology used for shipping, manufacturing, production and other support functions. Data I/O produces electronics used in vehicles and consumer devices. More than 65% of its business in the second quarter came from automotive electronic production, including through recent contracts with Chinese electric vehicle makers producing technology for charging stations. Its website lists major companies like Tesla, Panasonic, Amazon, Google and Microsoft as customers."
https://therecord.media/electronics-manufacturer-dataio-ransomware
https://www.theregister.com/2025/08/22/data_io_ransomware_attack_temporarily/
Criminal Background Checker APCS Faces Data Breach
"A leading UK provider of criminal record checks for employers is handling a data breach stemming from a third-party development company. Access Personal Checking Services (APCS) has written to customers to notify them that their data has been compromised, according to emails seen by The Register, and it confirmed to us that Hull-based Intradev was the organization initially attacked. APCS describes itself as the UK's fastest service for carrying out Disclosure and Barring Service (DBS) checks, which were known as Criminal Record Bureau checks prior to 2012. Organizations use them for roles that require background screening, such as jobs that involve working with children or vulnerable individuals, as well as in the healthcare and financial services sectors."
https://www.theregister.com/2025/08/22/apcs_breach/

General News

The New Era Of Cybercrime In Australia — AI-Powered Attacks And How To Stay Ahead
"AI is driving a rapid increase in sophisticated cyberattacks, and Australia’s high median wealth, abundant resources, and geopolitical influence make it a prime target for both cybercrime groups and advanced persistent threats (APTs). Cyble has documented more than 50 threat groups active in Australia in 2025, including ransomware and cybercrime groups, hacktivists, and APTs linked to China, Russia, Iran, and North Korea."
https://cyble.com/blog/ai-powered-cyberattacks-surge-in-australia/
African Authorities Dismantle Massive Cybercrime And Fraud Networks, Recover Millions
"In a sweeping INTERPOL-coordinated operation, authorities across Africa have arrested 1,209 cybercriminals targeting nearly 88,000 victims. The crackdown recovered USD 97.4 million and dismantled 11,432 malicious infrastructures, underscoring the global reach of cybercrime and the urgent need for cross-border cooperation. Operation Serengeti 2.0 (June to August 2025) brought together investigators from 18 African countries and the United Kingdom to tackle high-harm and high-impact cybercrimes including ransomware, online scams and business email compromise (BEC). These were all identified as prominent threats in the recent INTERPOL Africa Cyberthreat Assessment Report."
https://www.interpol.int/News-and-Events/News/2025/African-authorities-dismantle-massive-cybercrime-and-fraud-networks-recover-millions
https://www.bleepingcomputer.com/news/security/massive-anti-cybercrime-operation-leads-to-over-1-200-arrests-in-africa/
https://thehackernews.com/2025/08/interpol-arrests-1209-cybercriminals.html
https://therecord.media/africa-interpol-cybercrime-crackdown
https://www.darkreading.com/cyberattacks-data-breaches/interpol-operation-serengeti-2-0
https://www.fortinet.com/blog/industry-trends/fortinet-assists-interpol-in-disrupting-cybercrime-networks-through-operation-serengeti
https://www.theregister.com/2025/08/22/interpol_serengeti_20/
https://cyberscoop.com/interpol-operation-serengeti-2-africa/
https://www.helpnetsecurity.com/2025/08/22/interpol-africa-cybercrime-crackdown/
https://www.infosecurity-magazine.com/news/interpol-african-cybercrime/
https://www.securityweek.com/large-interpol-cybercrime-crackdown-in-africa-leads-to-the-arrest-of-over-1200-suspects/
https://securityaffairs.com/181434/cyber-crime/operation-serengeti-2-0-interpol-nabs-1209-cybercriminals-in-africa-seizes-97m.html
Five Ways OSINT Helps Financial Institutions To Fight Money Laundering
"Here are five key ways OSINT tools can help financial firms develop advanced strategies to fight money laundering criminals. Money launderers often use layered networks of offshore entities and shell companies to mask the true ultimate beneficial owner (UBO) of a company. Without technology, the manual process of trying to understand ownership and identify UBOs can be very time-consuming and inefficient – insights can even be missed altogether."
https://www.helpnetsecurity.com/2025/08/22/financial-institutions-osint-tools/
AI Gives Ransomware Gangs a Deadly Upgrade
"Ransomware continues to be the major threat to large and medium-sized businesses, with numerous ransomware gangs abusing AI for automation, according to Acronis. From January to June 2025, the number of publicly reported ransomware victims jumped 70% compared to the same period in both 2023 and 2024. February stood out as the worst month, with 955 reported cases."
https://www.helpnetsecurity.com/2025/08/22/ransomware-gangs-ai/
The New Battleground For CISOs Is Human Behavior
"Attackers don’t always need a technical flaw. More often, they just trick your people. Social engineering works, and AI makes it harder to catch.” A new LevelBlue report shows how this problem is growing worldwide. Forty-one percent of organizations say they are experiencing more cyberattacks than a year ago, rising to 49% in Asia-Pacific. Employees are struggling to tell the difference between real and fake communications. Globally, 59% of respondents report this problem, and in Latin America it climbs to 66%."
https://www.helpnetsecurity.com/2025/08/22/social-engineering-threats-2025/
Local Governments Struggle To Defend Critical Infrastructure As Threats Grow
"A small-town water system, a county hospital, and a local school district may not seem like front-line targets in global conflict, but they are. These organizations face daily cyber attacks, from ransomware to foreign adversaries probing for weak points. What happens to them can ripple into national security, disrupting everything from healthcare to transportation. That is the warning in a new report from the Multi-State Information Sharing and Analysis Center (MS-ISAC), which reviews the current threat environment, recent successes, and the top needs identified by state, local, tribal, and territorial (SLTT) organizations."
https://www.helpnetsecurity.com/2025/08/22/critical-infrastructure-sltt-cybersecurity-priorities/
"What Happens Online Stays Online" And Other Cyberbullying Myths, Debunked
"Cyberbullying, unfortunately, is on the rise. Data from the Cyberbullying Research Center reveals that just over 58% of middle- and high-school students in the US have experienced online harassment of some sort in their lives. That’s compared to 37% in 2019 and just a quarter (24%) a decade before that. Separate data claims that over two-fifths (43%) of teen video game players have been bullied. Some were called offensive names. Others were physically threatened, while many were sent sexually explicit content."
https://www.welivesecurity.com/en/kids-online/what-happens-online-stays-online-and-other-cyberbullying-myths-debunked/
The Growing Challenge Of AI Agent And NHI Management
"AI agents have risen dramatically in popularity and awareness over the past year, as we've enabled AI models to take actions (and thus become agents). And non-human identities (NHI) have been rapidly growing for years. CyberArk's latest identity report says that machine identities outnumber human identities 82:1. NHIs have become key components of automation projects, as companies modernize their architectures to include microservices, containerization, and serverless cloud computing. More automations require more machine identities. As we add agentic AI into the mix, the number of identities required shifts exponentially."
https://www.darkreading.com/cybersecurity-operations/growing-challenge-ai-agent-nhi-management
Insurers May Limit Payments In Cases Of Unpatched CVEs
"Cyber insurers are testing out new ways to hold policyholders accountable for outdated security, limiting payouts when policyholders fall prey to attacks that use older vulnerabilities or take advantage of holes in the organizations' defenses. Potential risk-limiting approaches include a sliding scale of accountability — and payouts — based on an unpatched vulnerability's half-life, or whether a company failed to fix a critical vulnerability within a certain number of days, according to a blog post penned by cyber insurer Coalition, which does not support such approaches. Dubbed CVE exclusions, after the Common Vulnerabilities and Exposures (CVE) system widely used to assign identifiers to software security issues, the tactic is not yet widely adopted, and most examples are from insurers outside the US, the firm stated."
https://www.darkreading.com/cyber-risk/cyber-insurers-may-limit-payments-breaches-unpatched-cve
Do Claude Code Security Reviews Pass The Vibe Check?
"If there's anything that gives a seasoned application security professional indigestion these days, it is the thought of AI-assisted coding layered on top of an already insecure development pipeline. The cherry on top of it all is that an increasing amount of this work is being done to support agentic artificial intelligence (AI) and other AI-centered applications — all of which are introducing novel vulnerabilities via new attack surfaces like modern context protocol (MCP)."
https://www.darkreading.com/application-security/do-claude-code-security-reviews-pass-vibe-check
Personal Liability, Security Becomes Bigger Issues For CISOs
"Chuck Norton had only been on the job as the chief information security officer at Western Michigan University for a few months when a jury found another CISO — of ride-hailing app Uber — guilty of covering up a compromise. Norton was concerned about the potential to be held criminally liable for a breach — or the response to a compromise — and sought to make legal protections part of his contract. While he received verbal assurances, he realized that those promises would not be in writing."
https://www.darkreading.com/cybersecurity-operations/personal-liability-security-becomes-bigger-issues-cisos
ReVault Flaw Exposed Millions Of Dell Laptops To Malicious Domination
"In this interview from Black Hat USA 2025, Philippe Laulheret, a senior vulnerability researcher at Cisco Talos, discusses his discovery of the "ReVault" vulnerability affecting millions of Dell business laptops. Laulheret found that the Control Vault (also called a unified secure hub) — a control board connecting peripherals like fingerprint readers and smart card readers to Dell Latitude and Precision laptops — contained multiple security flaws that allow any user to communicate with the board through undocumented APIs, potentially leading to memory corruption, code execution, extraction of secret keys, and permanent firmware modification."
https://www.darkreading.com/endpoint-security/revault-compromised-secure-soc
Apple Intelligence Is Picking Up More User Data Than Expected, Researcher Finds
"In this Dark Reading News Desk interview at Black Hat USA 2025, Yoav Magid, senior security researcher for Lumia Security, explains that Apple Intelligence, which powers various AI applications including an enhanced Siri, presents a privacy risk to users. His research revealed that Apple collects surprising amounts of contextual data even for simple queries; for example, when asking about weather, Siri might capture and send to Apple servers information about what music a person is currently listening to. More concerning, he discovered that when using Siri to send messages through supposedly end-to-end encrypted apps like WhatsApp, the content and contact information are sent to Apple's servers unnecessarily."
https://www.darkreading.com/endpoint-security/apple-intelligence-more-data-than-expected-researchers
New Ransomware-As-a-Service (RaaS) Groups To Watch In 2025
"Despite significant advancements in cybersecurity defenses, ransomware continues to be one of the greatest financial and operational risks facing organizations worldwide—with Flashpoint finding that ransomware attacks increased by 179% compared to the 2024 midyear. This continuous growth of ransomware is driven by ransomware-as-a-service (RaaS) operators and affiliates. In this post, we take a deeper look into the ransomware landscape, highlighting new emerging RaaS that every organization should be paying attention to in 2025."
https://flashpoint.io/blog/new-ransomware-as-a-service-raas-groups-to-watch-in-2025/
CISA Requests Public Comment For Updated Guidance On Software Bill Of Materials
"CISA released updated guidance for the Minimum Elements for a Software Bill of Materials (SBOM) for public comment—comment period begins today and concludes on October 3, 2025. These updates build on the 2021 version of the National Telecommunications and Information Administration SBOM Minimum Elements to reflect advancements in tooling and implementation. An SBOM serves as a vital inventory of software components, enabling organizations to identify vulnerabilities, manage dependencies, and mitigate risks. The update refines data fields, automation support, and operational practices to ensure SBOMs are scalable, interoperable, and comprehensive."
https://www.cisa.gov/news-events/alerts/2025/08/22/cisa-requests-public-comment-updated-guidance-software-bill-materials
https://www.cisa.gov/resources-tools/resources/2025-minimum-elements-software-bill-materials-sbom
https://www.bankinfosecurity.com/cisa-seeks-input-on-sbom-update-to-tackle-real-world-gaps-a-29280
Bug Bounties: The Good, The Bad, And The Frankly Ridiculous Ways To Do It
"Thirty years ago, Netscape kicked off the first commercial bug bounty program. Since then, companies large and small have bought into the idea, with mixed results. Bug bounties seem simple: a flaw finder spots a vulnerability, responsibly discloses it, and then gets a reward for their labor. But over the past decades, they've morphed into a variety of forms for commercial and government systems, using different payment techniques and platforms, and some setups are a lot more effective than others. Commercial bug bounties spread slowly at first, and the idea was initially fraught with danger for researchers. Some companies sued outsiders who found problems with their software."
https://www.theregister.com/2025/08/24/bug_bounty_advice/
CTM360 Report Explains How Emotions Fuel Modern Fraud
"CTM360 research reveals how scammers hook their victims through manipulative traps built on AI, stolen data, and brand impersonation. These campaigns go far beyond simple phishing, exploiting trust, emotions, urgency, fake support accounts, and counterfeit offers to trick victims into engaging with fraud. Scam hooks are the first domino in today’s fraud chains: the lure, prompt, or trigger that gets someone to click, reply, pay, or share access. They’re the opening move of modern fraud disguised as alerts, invoices, login pages, QR codes, DMs, or “urgent” requests."
https://hackread.com/ctm360-report-explains-how-emotions-fuel-modern-fraud/
https://www.ctm360.com/reports/scam-hooks-report

อ้างอิง
Electronic Transactions Development Agency(ETDA)

NCSA_THAICERT

[TLP_CLEAR] แจ้งเตือน แคมเปญการโจมตี Dire Wolf Ransomware v4.jpg

NCSA_THAICERT

Apple ออกแพตช์แก้ไขช่องโหว่ Zero-Day CVE-2025-43300 ใน iOS, iPadOS แล.png

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

NCSA_THAICERT

ผู้เชี่ยวชาญพบช่องโหว่ “DOM-Based Extension Clickjacking” เสี่.png

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

NCSA_THAICERT

Healthcare Sector

FUJIFILM Healthcare Americas Synapse Mobility
"Successful exploitation of this vulnerability could allow an attacker to access information beyond their assigned roles."
https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-233-01

Industrial Sector

Modern Vehicle Cybersecurity Trends
"Modern vehicles are actively evolving into full-fledged gadgets on wheels. They offer users a wide range of options: some represent traditional functionality, now available in new formats, such as subscriptions for seat heating, while others provide lifestyle-related services, like purchasing theater or movie tickets. The array of intelligent systems and services designed to ensure road safety is also expanding — from now basic driver assistance systems such as electronic stability control (ESC), anti-lock braking system (ABS), and brake assist system (BAS), to a set of increasingly popular next-generation intelligent features like collision avoidance system (CAS), slippery road alert (SRA), the eCall emergency call system, and autonomous emergency braking (AEB), among others. All of these systems, intended to make driving more convenient and safe, are implemented using digital technologies, which expand the vehicle’s attack surface."
https://ics-cert.kaspersky.com/publications/reports/2025/08/21/modern-vehicle-cybersecurity-trends/
Mitsubishi Electric Corporation MELSEC iQ-F Series CPU Module
"Successful exploitation of this vulnerability could result in a remote attacker being able to delay the processing of the Web server function and prevent legitimate users from utilizing the Web server function by sending a specially crafted HTTP request."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-233-01

Vulnerabilities

CISA Adds One Known Exploited Vulnerability To Catalog
"CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
CVE-2025-43300 Apple iOS, iPadOS, and macOS Out-of-Bounds Write Vulnerability"
https://www.cisa.gov/news-events/alerts/2025/08/21/cisa-adds-one-known-exploited-vulnerability-catalog

Malware

Phishing In The Cloud: SendGrid Campaign Exploits Account Security
"The Cofense Phishing Defense Center (PDC) has recently observed a new wave of credential harvesting attacks involving phishing emails sent via SendGrid. The campaign exploits the trusted reputation of SendGrid, a legitimate cloud-based email service used by businesses to send transactional and marketing emails. By impersonating SendGrid’s platform, attackers can deliver phishing emails that appear authentic and bypass common email security gateways. The campaign delivers the attack through three differently themed emails, each crafted to create a sense of urgency in both the subject line and body. The emails also use spoofed sender addresses, making them appear as if they genuinely originated from SendGrid."
https://cofense.com/blog/phishing-in-the-cloud-sendgrid-campaign-exploits-account-security
MURKY PANDA: A Trusted-Relationship Threat In The Cloud
"Since 2023, CrowdStrike Services and CrowdStrike Counter Adversary Operations have investigated multiple intrusions conducted by MURKY PANDA, a sophisticated adversary leveraging advanced tradecraft to compromise high-profile targets. MURKY PANDA, active since at least 2023, is a cloud-conscious adversary with a broad targeting scope; the adversary’s operations have particularly focused on government, technology, academia, legal, and professional services entities in North America. MURKY PANDA is likely motivated by intelligence-collection requirements to gain access to sensitive information; the adversary’s activity aligns with China-nexus targeted intrusion activity tracked by industry sources as Silk Typhoon."
https://www.crowdstrike.com/en-us/blog/murky-panda-trusted-relationship-threat-in-cloud/
https://cyberscoop.com/crowdstrike-silk-typhoon-murky-panda-china-espionage/
From VPS To Phishing: How Darktrace Uncovered SaaS Hijacks Through Virtual Infrastructure Abuse
"Darktrace identified coordinated SaaS account compromises across multiple customer environments. The incidents involved suspicious logins from VPS-linked infrastructure followed by unauthorized inbox rule creation and deletion of phishing-related emails. These consistent behaviors across devices point to a targeted phishing campaign leveraging virtual infrastructure for access and concealment. Discover how Darktrace uncovered this activity and what it means for the future of SaaS security."
https://www.darktrace.com/blog/from-vps-to-phishing-how-darktrace-uncovered-saas-hijacks-through-virtual-infrastructure-abuse
https://www.darkreading.com/application-security/hackers-abuse-vps-infrastructure-stealth-speed
Evil-GPT: The “Enemy Of ChatGPT”
"In the ever-evolving landscape of cybercrime, one tool has emerged as a particularly insidious player: Evil-GPT. Marketed on hacker forums on the dark web as the “ultimate enemy of ChatGPT” and the “best alternative to WormGPT,” this malicious AI chatbot has quickly gained notoriety among cybercriminals. Evil-GPT is designed to help attackers execute a range of nefarious activities, from crafting malware to generating phishing attacks."
https://blog.barracuda.com/2025/08/21/evil-gpt-enemhy-chatgpt
A Cereal Offender: Analyzing The CORNFLAKE.V3 Backdoor
"Straight from Mandiant Threat Defense, the "Frontline Bulletin" series brings you the latest on the most intriguing compromises we are seeing in the wild right now, equipping our community to understand and respond to the most compelling threats we observe. This edition dissects an infection involving two threat groups, UNC5518 and UNC5774, leading to the deployment of CORNFLAKE.V3."
https://cloud.google.com/blog/topics/threat-intelligence/analyzing-cornflake-v3-backdoor
https://thehackernews.com/2025/08/cybercriminals-deploy-cornflakev3.html
IBM X-Force Threat Analysis: QuirkyLoader - A New Malware Loader Delivering Infostealers And RATs
"Since November 2024, IBM X-Force has observed a new loader, QuirkyLoader, being used to deliver additional payloads to infected systems. Some of the well-known malware families that use QuirkyLoader include:"
https://www.ibm.com/think/x-force/ibm-x-force-threat-analysis-quirkyloader
https://thehackernews.com/2025/08/hackers-using-new-quirkyloader-malware.html
Weaponizing Image Scaling Against Production AI Systems
"Picture this: you send a seemingly harmless image to an LLM and suddenly it exfiltrates all of your user data. By delivering a multi-modal prompt injection not visible to the user, we achieved data exfiltration on systems including the Google Gemini CLI. This attack works because AI systems often scale down large images before sending them to the model: when scaled, these images can reveal prompt injections that are not visible at full resolution."
https://blog.trailofbits.com/2025/08/21/weaponizing-image-scaling-against-production-ai-systems/
https://www.theregister.com/2025/08/21/google_gemini_image_scaling_attack/
Your Connection, Their Cash: Threat Actors Misuse SDKs To Sell Your Bandwidth
"We have detected a campaign aimed at gaining access to victims’ machines and monetizing access to their bandwidth. It functions by exploiting the CVE-2024-36401 vulnerability in the GeoServer geospatial database. This Critical-severity remote code execution vulnerability has a CVSS score of 9.8. Criminals have used the vulnerability to deploy legitimate software development kits (SDKs) or modified apps to gain passive income via network sharing or residential proxies."
https://unit42.paloaltonetworks.com/attackers-sell-your-bandwidth-using-sdks/
APT MuddyWater Deploys Multi-Stage Phishing To Target CFOs
"A sophisticated spear-phishing campaign is actively targeting CFOs and finance executives across multiple continents, leveraging legitimate remote-access tools, such as NetBird, to maintain persistent control over compromised systems. Masquerading as a Rothschild & Co recruiter, the attackers employ Firebase-hosted phishing pages with custom CAPTCHA challenges, malicious VBS scripts, and multi-stage payload delivery to silently deploy remote management capabilities."
https://hunt.io/blog/apt-muddywater-deploys-multi-stage-phishing-to-target-cfos

Breaches/Hacks/Leaks

Colt Confirms Customer Data Stolen As Warlock Ransomware Auctions Files
"UK-based telecommunications company Colt Technology Services confirms that customer documentation was stolen as Warlock ransomware gang auctions files. The British telecommunications and network services provider previously disclosed it suffered an attack on August 12, but this is the first time they confirmed data had been stolen. "A criminal group has accessed certain files from our systems that may contain information related to our customers and posted the document titles on the dark web," reads an updated security incident advisory on Colt's site."
https://www.bleepingcomputer.com/news/security/colt-confirms-customer-data-stolen-as-warlock-ransomware-auctions-files/
https://www.infosecurity-magazine.com/news/colt-customer-data-likely-stolen/
https://www.theregister.com/2025/08/21/colt_warlock_auction/
https://www.securityweek.com/telecom-firm-colt-confirms-data-breach-as-ransomware-group-auctions-files/
Qilin Ransomware Gang Claims 4TB Data Breach At Nissan CBI
"Qilin ransomware claims a 4TB data breach at Nissan CBI, leaking car design files, financial data, 3D models, and VR design images as proof. The Qilin ransomware group says it has compromised Nissan’s Creative Box Inc. (CBI), a Tokyo-based design subsidiary of Nissan Motor Co., Ltd, and is threatening to release sensitive files unless its demands are met. On its dark web leak site, the group claimed it had copied more than 4 terabytes of data, including 405882 files, from Nissan CBI. The post alleged that the stolen material includes 3D design data, reports, photos, videos, and various internal documents linked to Nissan automobile projects."
https://hackread.com/qilin-ransomware-gang-4tb-data-breach-nissan-cbi/
Nearly a Million Records, Including Identification Documents And Health Data Exposed In Medical Marijuana Data Breach
"Cybersecurity Researcher, Jeremiah Fowler, discovered and reported to Website Planet about an unencrypted and non-password-protected database that contained 957,434 records. The database belongs to an Ohio-based organization that helps individuals obtain physician‑certified medical marijuana cards. The database held PII, drivers licenses, medical records, documents containing SSNs, and other internal potentially sensitive information."
https://www.websiteplanet.com/news/ohio-medical-alliance-breach-report/
https://hackread.com/ssns-health-records-exposed-marijuana-patient-database/

General News

Scattered Spider Hacker Gets Sentenced To 10 Years In Prison
"Noah Michael Urban, a key member of the Scattered Spider cybercrime collective, was sentenced to 10 years in prison on Wednesday after pleading guilty to charges of wire fraud and conspiracy in April. He was arrested in January 2024, and in November, the U.S. Justice Department charged Urban (also known as King Bob, Gustavo Fring, Elijah, and Sosa), along with four other suspects linked to the same financially motivated cybercrime group. The charges included wire fraud, conspiracy to commit wire fraud, and aggravated identity theft."
https://www.bleepingcomputer.com/news/security/scattered-spider-hacker-gets-sentenced-to-10-years-in-prison/
https://thehackernews.com/2025/08/scattered-spider-hacker-gets-10-years.html
https://databreaches.net/2025/08/21/noah-urban-aka-king-bob-of-scattered-spider-sentenced-to-10-years-in-prison-13-million-restitution/
https://www.darkreading.com/cyberattacks-data-breaches/scattered-spider-member-prison
https://therecord.media/scattered-spider-affiliate-sentenced-10-years
https://securityaffairs.com/181383/cyber-crime/a-scattered-spider-member-gets-10-years-in-prison.html
https://cyberscoop.com/scattered-spider-noah-urban-sentence-10-years/
https://www.infosecurity-magazine.com/news/cybercriminal-scattered-spider/
https://www.securityweek.com/scattered-spider-hacker-sentenced-to-prison/
Fake Employees Pose Real Security Risks
"That IT staffer you just hired may not be who you think. They may not even exist. Gartner recently projected that by 2028, one in four job candidates will be artificial intelligence-generated. These fake individuals could be the work of state-sponsored hackers, cybercriminals, or simply fraudsters lining up multiple jobs to collect paychecks while performing little or no work."
https://www.darkreading.com/cyberattacks-data-breaches/fake-employees-pose-real-security-risks
Using Lightweight LLMs To Cut Incident Response Times And Reduce Hallucinations
"Researchers from the University of Melbourne and Imperial College London have developed a method for using LLMs to improve incident response planning with a focus on reducing the risk of hallucinations. Their approach uses a smaller, fine-tuned LLM combined with retrieval-augmented generation and decision-theoretic planning."
https://www.helpnetsecurity.com/2025/08/21/lightweight-llm-incident-response/
https://arxiv.org/pdf/2508.05188
Fractional Vs. Full-Time CISO: Finding The Right Fit For Your Company
"In this Help Net Security interview, Nikoloz Kokhreidze, Fractional CISO at Mandos, discusses why many early- and growth-stage B2B companies hire full-time CISOs before it’s needed. He breaks down common founder misconceptions, explains the right approach to security leadership, and shares when a full-time CISO makes sense."
https://www.helpnetsecurity.com/2025/08/21/nikoloz-kokhreidze-mandos-fractional-full-time-ciso/
URL-Based Threats Become a Go-To Tactic For Cybercriminals
"Cybercriminals are using advanced social engineering and AI-generated content to make malicious URLs difficult for users to identify, according to Proofpoint. Whether through email, text messages, or collaboration apps, URL-based threats now dominate the cyber threat landscape. Attackers are not just impersonating trusted brands, they are abusing legitimate services, tricking users with fake error prompts, and bypassing traditional security by embedding threats in QR codes and SMS messages."
https://www.helpnetsecurity.com/2025/08/21/phishing-url-based-threats/
CISOs Need To Think About Risks Before Rushing Into AI
"Organizations are increasing investments in cloud, AI, and emerging technologies, but their infrastructure and security strategies often lag behind. A recent Unisys survey of 1,000 senior executives shows that business and IT leaders are not always aligned on what needs to be in place before the next wave of technology arrives."
https://www.helpnetsecurity.com/2025/08/21/cloud-ai-security-readiness-2025/
NIST Unveils Guidelines To Help Spot Face Morphing Attempts
"The US National Institute of Standards and Technology (NIST) has published new guidelines it claims will help organizations optimize their efforts to detect face morphing software. Face morphing is a type of deepfake technology that enables threat actors to blend the photos of two people into a single image. In doing so, it simplifies identity fraud by tricking face recognition systems into erroneously identifying an image as belonging to both original individuals. In this way, individual A can assume the identity of individual B and vice versa, NIST said. The new report, Face Analysis Technology Evaluation (FATE) MORPH 4B: Considerations for Implementing Morph Detection in Operations (NISTIR 8584), offers an introduction to the topic and key detection methods."
https://www.infosecurity-magazine.com/news/nist-unveils-guidelines-spot-face/
https://pages.nist.gov/frvt/reports/morph/fate_morph_4B_NISTIR_8584.pdf
Europol Says Qilin Ransomware Reward Fake
"Europol says a reward offered for information on two members of the Qilin ransomware group is fake. Several news websites reported in recent days that Europol is offering a reward of up to $50,000 for information on “two primary administrators” of the ransomware gang. The message, reportedly posted on a Telegram channel run by Europol, says the suspects, known online as Haise and XORacle, coordinate affiliates and oversee extortion activities. Europol told SecurityWeek that it’s a “scam” and the message does not come from the law enforcement agency."
https://www.securityweek.com/europol-says-qilin-ransomware-reward-fake/
https://www.bleepingcomputer.com/news/security/europol-confirms-that-qilin-ransomware-reward-is-fake/
https://hackread.com/europol-denies-qilin-ransomware-reward-scam/
Insider Threats And Employee Turnover: What You Need To Know
"There are plenty of reasons why you should work to retain employees as long as they’re being reasonably productive and contributing to the bottom line. The main reason is that it’s really costly, in both time and money, to replace folks who have left. This is something all business owners know, just like they know that no matter how much they try to retain people, there will still be turnover. But too many business owners neglect the elevated risk of insider threats that are related to employee turnover. And all too often they leave themselves more vulnerable to these risks than necessary."
https://blog.barracuda.com/2025/08/20/insider-threats-employee-turnover
AI Crawlers And Fetchers Are Blowing Up Websites, With Meta And OpenAI The Worst Offenders
"Cloud services giant Fastly has released a report claiming AI crawlers are putting a heavy load on the open web, slurping up sites at a rate that accounts for 80 percent of all AI bot traffic, with the remaining 20 percent used by AI fetchers. Bots and fetchers can hit websites hard, demanding data from a single site in thousands of requests per minute. According to the report [PDF], Facebook owner Meta's AI division accounts for more than half of those crawlers, while OpenAI accounts for the overwhelming majority of on-demand fetch requests."
https://www.theregister.com/2025/08/21/ai_crawler_traffic/
https://learn.fastly.com/rs/025-XKO-469/images/Fastly-Threat-Insights-Report.pdf
Weak Passwords And Compromised Accounts: Key Findings From The Blue Report 2025
"As security professionals, it's easy to get caught up in a race to counter the latest advanced adversary techniques. Yet the most impactful attacks often aren't from cutting-edge exploits, but from cracked credentials and compromised accounts. Despite widespread awareness of this threat vector, Picus Security's Blue Report 2025 shows that organizations continue to struggle with preventing password cracking attacks and detecting the malicious use of compromised accounts. With the first half of 2025 behind us, compromised valid accounts remain the most underprevented attack vector, highlighting the urgent need for a proactive approach focused on the threats that are evading organizations' defenses."
https://thehackernews.com/2025/08/weak-passwords-and-compromised-accounts.html
https://www.picussecurity.com/blue-report
K-12 School Incident Response Plans Fall Short
"This year's back-to-school essentials aren't all about books and backpacks. Effective incident response (IR) planning is becoming a must-have for K-12 educational institutions in light of increasing attacks, especially ransomware. The education sector is a popular target for attackers because K-12 schools often operate with outdated systems and hold highly sensitive and vulnerable student data. Attackers know that schools have limited IT resources and security staff and can't afford the downtime ransomware and other incidents can cause, increasing the likelihood that they would concede to attacker demands and pay the ransom. Effective IR plans must address student and staff safety, data privacy risks, and ongoing communication with concerned parents."
https://www.darkreading.com/endpoint-security/without-preparedness-k-12-school-incident-plans-fall-short
System Shocks? EV Smart Charging Tech Poses Cyber-Risks
"In this Dark Reading interview at Black Hat USA 2025, Salvatore Gariuolo, senior threat researcher at Trend Micro, discusses ISO 15118, a global communication standard reshaping electric vehicle charging. Projections suggest that more than 600 million electric vehicles will be on roads by 2040, representing more than 30% of global vehicle volume. To cope with that, the standard supports smart charging and vehicle-to-grid communications to help manage grid strain."
https://www.darkreading.com/iot/ev-smart-charging-cyber-risks
How Architectural Controls Help Can Fill The AI Security Gap
"In this Dark Reading News Desk interview from Blackhat USA 2025, David Brauchler, technical director and AI/ML security practice lead at NCC Group, discusses critical flaws in current AI security approaches. He explains that organizations are overly reliant on guardrails as their primary security control for large language models, which is insufficient against sophisticated attacks. Through penetration testing, his team has demonstrated how AI systems with inadequate security boundaries can be manipulated to execute arbitrary code, exfiltrate passwords, and even dump entire databases."
https://www.darkreading.com/cybersecurity-operations/architectural-controls-ai-security-gap
Why Video Game Anti-Cheat Systems Are a Cybersecurity Goldmine
"In this Dark Reading interview from Black Hat USA 2025, Dark Reading senior news director Rob Wright speaks with Sam Collins and Marius Muench from the University of Birmingham about their research on video game anti-cheat systems, "Watching the Watchers: Exploring and Testing Defenses of Anti-Cheat Systems." The researchers explain that even the best anti-cheat systems only stop cheating about 50% of the time, but they serve an important economic function by increasing costs for cheaters — costing up to $200 monthly for premium cheats."
https://www.darkreading.com/cyberattacks-data-breaches/video-game-anti-cheat-systems-cybersecurity-goldmine
Tree Of AST: A Bug-Hunting Framework Powered By LLMs
"In this News Desk interview with Dark Reading senior editor Alex Culafi from Black Hat USA 2025, high school students Sasha Zyuzin and Ruikai Peng discuss their innovative framework for vulnerability discovery, which combines traditional static analysis with artificial intelligence capabilities. Their approach, "Thinking Outside the Sink: How Tree of AST Redefines the Boundaries of Data Flow Analysis," aims to automate the repetitive manual processes involved in vulnerability hunting while maintaining necessary human oversight."
https://www.darkreading.com/vulnerabilities-threats/tree-ast-bug-hunting-framework-llms
Prepping The Front Line For MFA Social Engineering Attacks
"Recent alerts from the FBI about groups like Scattered Spider have reinforced a growing reality: Today's most dangerous cyberattacks often begin with a phone call, not a phishing email. Threat actors are executing multistage, high-touch social engineering campaigns targeting the soft underbelly of enterprise defense: people. The most effective tactics bypass traditional perimeter controls altogether, exploiting urgency, familiarity, and human instinct to get network access. Among their most valuable targets are the people who hold the keys to password resets and multifactor authentication (MFA) overrides."
https://www.darkreading.com/cyberattacks-data-breaches/prepping-front-line-mfa-social-engineering-attacks
“Cleanup In Aisle 4:” Telegram Is a Mess Of Fake ShinyHunters Channels
"On August 9, DataBreaches reported on a Telegram channel with a name that combined the names of three groups: ShinyHunters, Scattered Spider, and Lapsus$. At the time, DataBreaches noted: Commenters on reading the new Telegram channel call it “schizo,” “complete chaos,” and “insane.” DataBreaches would just call it “overwhelming.” Today, DataBreaches would just call it “deleted.” But there is so much confusion about what happened between the time that the Telegram channel opened and now that it may help others to know what channels are acknowledged ShinyHunters’ channel(s), and what channels may appear to be ShinyHunters’ channels or chats but are allegedly scammers or imposters."
https://databreaches.net/2025/08/21/cleanup-in-aisle-4-telegram-is-a-mess-of-fake-shinyhunters-channels/
Threat Spotlight | Cybercrime Is Hiring: Recruiting AI, IoT, And Cloud Experts To Fuel Future Campaigns
"Adversaries are increasingly recruiting AI experts to automate entire attack workflows, allowing for faster, scalable operations and freeing resources for other objectives. Recruitment of ClickFix experts to distribute malware triggered a 200% spike in ClickFix activity between March and April 2025, while mentions of Azure and Entra quadrupled from 2023 to mid-2025, reflecting growing interest in cloud exploitation."
https://reliaquest.com/blog/threat-spotlight-cybercrime-is-hiring-recruiting-ai-iot-and-cloud-experts/
https://www.theregister.com/2025/08/21/impersonation_as_a_service/
Unmasking DPRK IT Workers: Email Address Patterns As Hiring Red Flags
"DPRK (North Korea) actors have been using pseudo-identities to secure remote work from foreign companies, funneling the earnings back to North Korea — including funding its missile programs. These DPRK IT workers, classified by Microsoft under the “Jasper Sleet” threat actor group, primarily target the DApp, Web3, blockchain, and cryptocurrency sectors when applying for jobs overseas."
https://theravenfile.com/2025/08/19/unmasking-dprk-it-workers-email-address-patterns-as-hiring-red-flags/
Dev Gets 4 Years For Creating Kill Switch On Ex-Employer's Systems
"A software developer has been sentenced to four years in prison for sabotaging his ex-employer's Windows network with custom malware and a kill switch that locked out employees when his account was disabled. Davis Lu, 55, a Chinese national living legally in Houston, worked for an Ohio-based company, reportedly Eaton Corporation, from 2007 until his termination in 2019. After a corporate restructuring and subsequent demotion in 2018, the DOJ says that Lu retaliated by embedding malicious code throughout the company's Windows production environment."
https://www.bleepingcomputer.com/news/security/dev-gets-4-years-for-creating-kill-switch-on-ex-employers-systems/

อ้างอิง
Electronic Transactions Development Agency(ETDA)

NCSA_THAICERT

Industrial Sector

Siemens Mendix SAML Module
"Successful exploitation of this vulnerability could allow unauthenticated remote attackers to hijack an account in specific SSO configurations."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-231-02
Siemens Desigo CC Product Family And SENTRON Powermanager
"Successful exploitation of this vulnerability could allow privilege escalation."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-231-01

Vulnerabilities

New Research Links VPN Apps, Highlights Security Deficiencies
"Nearly two dozen VPN applications in Google Play contain security weaknesses impacting the privacy of their users, exposing transmitted data to decryption, a new Citizen Lab report shows. Furthermore, the VPN providers that offer these applications can be linked to one another, although they claim to be separate entities and use various means to hide their true identities. Starting from previous reports linking Innovative Connecting, Autumn Breeze, and Lemon Clove, three VPN providers claiming to be based in Singapore, to a Chinese national, Citizen Lab’s analysis identified additional connections between their applications, and linked other VPN apps and their providers."
https://www.securityweek.com/new-research-links-vpn-apps-highlights-security-deficiencies/
https://www.petsymposium.org/foci/2025/foci-2025-0008.pdf
https://hackread.com/citizen-lab-vpn-networks-sharing-ownership-security-flaws/
https://www.helpnetsecurity.com/2025/08/19/android-vpn-apps-used-by-millions-are-covertly-connected-and-insecure/
Elastic Response To Blog ‘EDR 0-Day Vulnerability’
"On August 16, 2025, Elastic’s Information Security team became aware of a blog and social media posts suggesting an alleged vulnerability in Elastic Defend. Having conducted a thorough investigation, Elastic’s Security Engineering team has found no evidence supporting the claims of a vulnerability that bypasses EDR monitoring and enables remote code execution. While the researcher claims to be able to trigger a crash/BSOD in the Elastic Endpoint driver from an unprivileged process, the only demonstration they have provided does so from another kernel driver."
https://www.elastic.co/blog/elastic-response-edr-0-day-vulnerability-blog
https://www.bleepingcomputer.com/news/security/elastic-rejects-claims-of-a-zero-day-rce-flaw-in-defend-edr/
Don't Want Drive-By Ollama Attackers Snooping On Your Local Chats? Patch Now
"A now-patched flaw in popular AI model runner Ollama allows drive-by attacks in which a miscreant uses a malicious website to remotely target people's personal computers, spy on their local chats, and even control the models the victim's app talks to, in extreme cases by serving poisoned models. GitLab's Security Operations senior manager Chris Moberly found and reported the flaw in Ollama Desktop v0.10.0 to the project's maintainers on July 31. According to Moberly, the team fixed the issue within hours and released the patched software in v0.10.1 — so make sure you've applied the update because Moberly on Tuesday published a technical writeup about the attack along with proof-of-concept exploit code."
https://www.theregister.com/2025/08/19/ollama_driveby_attack/

Malware

New Exploit For Critical SAP Vulnerability CVE-2025-31324 Released In The Wild
"Today on X (formerly Twitter), VX Underground published1 a working and weaponized exploit for the critical SAP vulnerability, CVE-2025-31324. This exploit was allegedly released by “Scattered LAPSUS$ Hunters – ShinyHunters” on a Telegram group. This vulnerability has been recently exploited as a zero-day by multiple sophisticated threat actor groups and later patched by SAP in Security Note 3594142 for CVE-2025-31324 and Security Note 3604119 for CVE-2025-42999."
https://onapsis.com/blog/new-exploit-for-cve-2025-31324/
https://thehackernews.com/2025/08/public-exploit-for-chained-sap-flaws.html
https://www.securityweek.com/new-exploit-poses-threat-to-sap-netweaver-instances/
https://www.infosecurity-magazine.com/news/sap-netweaver-flaw-exploit-released/
The Coordinated Embassy Hunt: Unmasking The DPRK-Linked GitHub C2 Espionage Campaign
"The Trellix Advanced Research Center uncovered a sophisticated espionage operation targeting diplomatic missions across several regions in South Korea during early 2025. Between March and July 2025, DPRK-linked actors are believed to have carried out at least 19 spear-phishing email attacks against embassies worldwide, impersonating trusted diplomatic contacts and luring embassy staff with credible meeting invites, official letters, and event invitations."
https://www.trellix.com/blogs/research/dprk-linked-github-c2-espionage-campaign/
https://www.bleepingcomputer.com/news/security/xenorat-malware-campaign-hits-multiple-embassies-in-south-korea/
https://therecord.media/north-korean-hackers-target-foreign-embassies
GodRAT – New RAT Targeting Financial Institutions
"In September 2024, we detected malicious activity targeting financial (trading and brokerage) firms through the distribution of malicious .scr (screen saver) files disguised as financial documents via Skype messenger. The threat actor deployed a newly identified Remote Access Trojan (RAT) named GodRAT, which is based on the Gh0st RAT codebase. To evade detection, the attackers used steganography to embed shellcode within image files. This shellcode downloads GodRAT from a Command-and-Control (C2) server."
https://securelist.com/godrat/117119/
https://thehackernews.com/2025/08/new-godrat-trojan-targets-trading-firms.html
SpyVPN: The Google-Featured VPN That Secretly Captures Your Screen
"Most people turn to a VPN for one reason: privacy. And with its verified badge, featured placement, and 100k+ installs, FreeVPN.One looked like a safe choice. But once it’s in your browser, it’s not working to keep you safe, it’s continuously watching you. Think about your own daily browsing like opening a Google Sheet with sensitive company information, logging into your bank account, browsing a dating app, or viewing private family photos."
https://koi-security.webflow.io/blog/spyvpn-the-vpn-that-secretly-captures-your-screen#heading-3
https://www.infosecurity-magazine.com/news/chrome-vpn-extension-spyware/
Patching For Persistence: How DripDropper Linux Malware Moves Through The Cloud
"Red Canary detected an adversary exploiting CVE-2023-46604 in Apache ActiveMQ to gain persistent access on cloud Linux systems, patching the exploited vulnerability after securing initial access to secure their foothold and evade detection."
https://redcanary.com/blog/threat-intelligence/dripdropper-linux-malware/
https://thehackernews.com/2025/08/apache-activemq-flaw-exploited-to.html
https://www.darkreading.com/cyberattacks-data-breaches/dripdropper-hackers-patch-own-exploit
https://www.infosecurity-magazine.com/news/attacker-patches-vulnerability/
https://www.theregister.com/2025/08/19/apache_activemq_patch_malware/
RingReaper Linux Malware: EDR Evasion Tactics And Technical Analysis
"RingReaper is a sophisticated post-exploitation agent designed for Linux environments, built to facilitate covert operations while evading Endpoint Detection and Response (EDR) solutions. It exploits the Linux kernel’s modern asynchronous I/O interface, io_uring, to minimize reliance on conventional system calls that security tools frequently monitor or hook. Instead of invoking standard functions such as read, write, recv, send, or connect, RingReaper employs io_uringprimitives (e.g., io_uring_prep_*) to execute equivalent operations asynchronously. This method helps bypass hook-based detection mechanisms and reduces the visibility of malicious activity in telemetry commonly gathered by EDR platforms."
https://www.picussecurity.com/resource/blog/ringreaper-linux-malware-edr-evasion-tactics-and-technical-analysis
https://www.darkreading.com/cyber-risk/ringreaper-sneaks-past-linux-edrs
Proactive Security Insights For SharePoint Attacks (CVE-2025-53770 And CVE-2025-53771)
"CVE-2025-53770 and CVE-2025-53771 are a pair of vulnerabilities affecting Microsoft SharePoint Servers. Attacks exploiting CVE-2025-53770 in the wild were first reported by Eye Security on July 18; these vulnerabilities are currently being actively exploited to compromise on-premises SharePoint environments worldwide. Trend Research has independently verified these findings. Both of these flaws build on CVE-2025-49706 and CVE-2025-49704, the initial vulnerabilities in Microsoft SharePoint that were disclosed during Pwn2Own Berlin 2025 by Viettel Cyber Security as part of a chained attack. These were patched as part of the July 2025 Patch Tuesday cycle. However, further analysis revealed that the initial patches were not fully complete, which necessitated the release of CVE-2025-53770 and CVE-2025-53771."
https://www.trendmicro.com/en_us/research/25/g/cve-2025-53770-and-cve-2025-53771-sharepoint-attacks.html

Breaches/Hacks/Leaks

Massive Allianz Life Data Breach Impacts 1.1 Million People
"Hackers have stolen the personal information of 1.1 million individuals in a Salesforce data theft attack, which impacted U.S. insurance giant Allianz Life in July. Allianz Life has nearly 2,000 employees in the United States and is a subsidiary of Allianz SE, which has over 128 million customers worldwide and ranks as the world's 82nd largest company based on revenue. As the company disclosed last month, information belonging to the "majority" of its 1.4 million customers was stolen by attackers who gained access to a third-party cloud CRM system on July 16th."
https://www.bleepingcomputer.com/news/security/massive-allianz-life-data-breach-impacts-11-million-people/
https://securityaffairs.com/181294/data-breach/allianz-life-security-breach-impacted-1-1-million-customers.html
https://www.securityweek.com/1-1-million-unique-records-identified-in-allianz-life-data-leak/
https://www.darkreading.com/cyberattacks-data-breaches/millions-allianz-insurance-breach
https://www.infosecurity-magazine.com/news/allianz-life-breach-exposes/
Australian ISP IiNet Suffers Breach Of 280,000+ Records
"Australia’s second-largest internet service provider (ISP) has revealed a major data breach impacting hundreds of thousands of customers. Parent company TPG Telecom notified the Australian Securities Exchange of the incident today. It said an “unknown third party” managed to gain unauthorized access to an order management system at subsidiary iiNet, in a breach discovered on Saturday. “Upon confirmation of the incident on Saturday, 16 August 2025, we enacted our incident response plan and removed the unauthorized access to the system. TPG Telecom has engaged external IT and cybersecurity experts to assist with our response to the incident,” noted the letter."
https://www.infosecurity-magazine.com/news/aussie-isp-iinet-breach-280000/
https://www.securityweek.com/australias-tpg-telecom-investigating-iinet-hack/
https://hackread.com/australia-isp-iinet-data-breach-customer-accounts-stolen/
NY Business Council Discloses Data Breach Affecting 47,000 People
"The Business Council of New York State (BCNYS) has revealed that attackers who breached its network in February stole the personal, financial, and health information of over 47,000 individuals. As the state's largest statewide employer association, BCNYS represents over 3,000 member organizations, including chambers of commerce, professional and trade associations, and other local and regional business organizations, as well as some of the largest corporations worldwide, which employ more than 1.2 million New Yorkers."
https://www.bleepingcomputer.com/news/security/business-council-of-new-york-state-discloses-data-breach-affecting-47-000-people/
When a Deal Is Not a Done Deal: Nova Demands Higher Payment From Clinical Diagnostics
"Last week, it appeared that Clinical Diagnostics (“Eurofins”) had paid a gang’s demands not to leak patient data that Nova had exfiltrated during a ransomware attack in July. Clinical Diagnostics in the Netheralands held patient data on 485,000 Dutch women in a cervical cancer screening program. Nova confirmed the payment to a Dutch news outlet. But yesterday, the attackers posted a new message and warning to the firm. The listing on Nova’s dark web leak site changed to “you break the deal, you will pay”. In an expanded post, Nova seemed to be saying they would leak the data in 10 days because the company had contacted the police (although DataBreaches notes that understanding their English is difficult and DataBreaches may have misunderstood something).. From the post’s broken English, they appeared to also be saying that they had received a higher offer than what the firm had offered."
https://databreaches.net/2025/08/19/when-a-deal-is-not-a-done-deal-nova-demands-higher-payment-from-clinical-diagnostics/
Drug Development Company Inotiv Reports Ransomware Attack To SEC
"An Indiana-based drug research company said a recent ransomware attack has disrupted its business operations and forced a shutdown of critical systems. Inotiv told regulators at the Securities Exchange Commission that the cybersecurity incident was discovered on August 8 and a subsequent investigation found that threat actors had encrypted certain systems. The company does not have a timeline for when restoration is expected but said the incident is impacting “the availability of and access to certain of the Company’s networks and systems, including access to portions of internal data storage and certain internal business applications.”"
https://therecord.media/drug-development-innotiv-ransomware-sec
https://www.bleepingcomputer.com/news/security/pharma-firm-inotiv-says-ransomware-attack-impacted-operations/
Russian Hacktivists Take Aim At Polish Power Plant, Again
"Russian hackers targeted a Polish hydropower plant again, this time disrupting its control systems and turbines. The power plant — located in Tczew, near Gdańsk — was previously targeted in May. Now the hacktivists have released a video, which at first appeared to be a recording of the earlier attack. However, upon closer inspection, it's clear that the same hacktivists targeted the same facility again. According to the collected data from the plant's turbines, Polish analysts believe that the hack disrupted operations, making this attack more destructive than the previous one, which allegedly occurred when the plant was offline."
https://www.darkreading.com/cyberattacks-data-breaches/russian-hacktivists-polish-power-plant-attack
Canadian Financial Regulator Hacked, Exposing Personal Data From Member Organizations
"A Canadian financial regulator has disclosed a cybersecurity incident, which has breached the personal information of member firms and their employees. The Canadian Investment Regulatory Organization (CIRO), a national self-regulatory organization covering all investment dealers, mutual fund dealers and trading activity on Canada’s debt and equity marketplaces, revealed it identified the cybersecurity threat on August 11. In response, the regulator shut down some of its systems to ensure their safety before launching an investigation to determine the extent of the attacker’s activities."
https://www.infosecurity-magazine.com/news/canadian-financial-regulator-hacked/
Business Council Of New York State Says Nearly 50,000 Had Data Leaked In February Cyberattack
"A cyberattack on the Business Council of New York State gave hackers access to sensitive information on more than 47,000 people. The business advocacy organization told regulators in multiple states that it suffered a cyberattack in February. An investigation was completed on August 4 and revealed that 47,329 people had some combination of information leaked that includes names, Social Security numbers, state ID numbers, financial account and routing numbers, payment card numbers, PINs as well as expiration dates, taxpayer identification numbers and electronic signature information."
https://therecord.media/new-york-business-council-data-breach

General News

July 2025 APT Attack Trends Report (South Korea)
"Ahnlabs is monitoring APT (Advanced Persistent Threat) attacks in South Korea using its own infrastructure. This report covers the classification, statistics, and features of the APT attacks that were identified during the month of July 2025."
https://asec.ahnlab.com/en/89639/
July 2025 Threat Trend Report On Ransomware
"This report provides statistics on the number of new ransomware samples and affected systems, and affected companies that were collected over the course of July 2025, as well as major ransomware issues in and out of Korea. Below is a summary of the information. Disclaimer: The number of ransomware samples and damaged systems is based on the detection names assigned by AhnLab, and statistics on targeted companies are based on the information published on the dedicated leak sites (DLS) of the ransomware group, also referred to as ransomware PR sites or PR pages, collected by the ATIP infrastructure over time."
https://asec.ahnlab.com/en/89646/
Nebraska Man Gets 1 Year In Prison For $3.5M Cryptojacking Scheme
"A Nebraska man was sentenced to one year in prison for defrauding cloud computing providers of over $3.5 million to mine cryptocurrency worth nearly $1 million. Charles O. Parks III (also known as "CP3O") was arrested and charged in April with wire fraud, money laundering, and engaging in unlawful monetary transactions. He was facing up to 20 years in prison in December after admitting that he didn't pay a $3.5 million bill after renting cloud computing time from two providers for his cryptojacking operation."
https://www.bleepingcomputer.com/news/security/nebraska-man-gets-1-year-in-prison-for-35m-cryptojacking-scheme/
What Happens When Penetration Testing Goes Virtual And Gets An AI Coach
"Cybersecurity training often struggles to match the complexity of threats. A new approach combining digital twins and LLMs aims to close that gap. Researchers from the University of Bari Aldo Moro propose using Cyber Digital Twins (CDTs) and generative AI to create realistic, interactive environments for cybersecurity education. Their framework simulates IT, OT, and IoT systems in a controlled virtual space and layers AI-driven feedback on top. The goal is to improve penetration testing skills and strengthen understanding of the full cyberattack lifecycle."
https://www.helpnetsecurity.com/2025/08/19/digital-twins-cybersecurity-training/
The Cybersecurity Myths Companies Can’t Seem To Shake
"Cybersecurity myths are like digital weeds: pull one out, and another quickly sprouts in its place. You’ve probably heard them before: Macs don’t get viruses, we’re too small to be a target, or changing passwords often keeps us safer. Experts have been busting these myths for years, yet they still stick around and shape bad strategies while giving people a false sense of security."
https://www.helpnetsecurity.com/2025/08/19/cybersecurity-myths/
Hijacked Satellites And Orbiting Space Weapons: In The 21st Century, Space Is The New Battlefield
"As Russia held its Victory Day parade this year, hackers backing the Kremlin hijacked an orbiting satellite that provides television service to Ukraine. Instead of normal programing, Ukrainian viewers saw parade footage beamed in from Moscow: waves of tanks, soldiers and weaponry. The message was meant to intimidate and was an illustration that 21st-century war is waged not just on land, sea and air but also in cyberspace and the reaches of outer space. Disabling a satellite could deal a devastating blow without one bullet, and it can be done by targeting the satellite’s security software or disrupting its ability to send or receive signals from Earth."
https://www.securityweek.com/hijacked-satellites-and-orbiting-space-weapons-in-the-21st-century-space-is-the-new-battlefield/
PyPI Blocks 1,800 Expired-Domain Emails To Prevent Account Takeovers And Supply Chain Attacks
"The maintainers of the Python Package Index (PyPI) repository have announced that the package manager now checks for expired domains to prevent supply chain attacks. "These changes improve PyPI's overall account security posture, making it harder for attackers to exploit expired domain names to gain unauthorized access to accounts," Mike Fiedler, PyPI safety and security engineer at the Python Software Foundation (PSF), said."
https://thehackernews.com/2025/08/pypi-blocks-1800-expired-domain-emails.html
https://blog.pypi.org/posts/2025-08-18-preventing-domain-resurrections/
https://www.bleepingcomputer.com/news/security/pypi-now-blocks-domain-resurrection-attacks-used-for-hijacking-accounts/
Inside The Australian Dark Web: What Hackers Are Selling About Your Business Right Now
"Despite being tucked in the bottom corner of the world map, Australia is high up on the threat map for cybercriminals. The Australian dark web game has evolved over the years, and now it is a thriving economy for hackers, criminals, and hacktivist groups. This economy now sells and purchases stolen corporate data, personal records, and privileged credentials that are openly traded. What was once a niche underground network now powers a shadow industry worth millions, exploiting every stolen byte from Australian businesses."
https://cyble.com/blog/australian-dark-web-cybercrime-threats-2025/
Ransomware Incidents In Japan During The First Half Of 2025
"In the first half of 2025, the number of ransomware attacks in Japan increased by approximately 1.4 times compared to the previous year. Ransomware attackers continue to primarily target small and medium-sized enterprises in Japan. The most affected industry remains manufacturing, unchanged from last year. The ransomware group causing the most damage in Japan is "Qilin." In late June, a new ransomware group called "Kawa4096" emerged and might have attacked two Japanese companies."
https://blog.talosintelligence.com/ransomware_incidents_in_japan_during_the_first_half_of_2025/
Secure AI Use Without The Blind Spots
"Trey Ford has seen it before: The engineering team is off to the races, exploring the latest AI tools, while the security side is still trying to catch its breath. "Security teams are never overstaffed," says Ford, CISO, Americas, with Bugcrowd. "And out of nowhere, we have this new thing that is a game-changer. But there's this whole sudden mindset where 'we're going to go do this thing.'""
https://www.darkreading.com/cyber-risk/secure-ai-use-without-blind-spots
Fashionable Phishing Bait: GenAI On The Hook
"The rapid expansion of generative AI (GenAI) has led to a diverse set of web-based platforms offering capabilities such as code assistance, natural language generation, chatbot interaction and automated website creation. This article uses insights from our telemetry to show trends in how the GenAI web is evolving. Because of its growing prevalence, GenAI also opens new vectors for threat actors to misuse. Adversaries are increasingly leveraging GenAI platforms to create realistic phishing content, clone trusted brands and automate large-scale deployment using services like low-code site builders. The threats are getting harder to detect."
https://unit42.paloaltonetworks.com/genai-phishing-bait/
US Spy Chief Claims UK Backed Down Over Apple Backdoor Demand
"The UK government has reportedly abandoned its attempt to strong-arm Apple into weakening iPhone encryption after the White House forced Blighty into a quiet climb-down. US Director of National Intelligence Tulsi Gabbard broke the news on X, boasting that she'd been working "closely with our partners in the UK, alongside @POTUS and @VP, to ensure Americans' private data remains private and our Constitutional rights and civil liberties are protected." "As a result," she added, "the UK has agreed to drop its mandate for Apple to provide a 'backdoor' that would have enabled access to the protected encrypted data of American citizens and encroached on our civil liberties.""
https://www.theregister.com/2025/08/19/uk_apple_backdoor_uturn/
https://thehackernews.com/2025/08/uk-government-drops-apple-encryption.html
https://therecord.media/uk-agrees-drop-apple-encryption
https://cyberscoop.com/uk-abandons-apple-backdoor-demand-after-us-diplomatic-pressure/
Automation Alert Sounds As Certificates Set To Expire Faster
"The future of managing digital certificates is already here - it's just not evenly distributed yet. Keen to reduce risks to the web public key infrastructure ecosystem, as well as get the automation ball rolling faster, the industry's Certification Authority Browser Forum on April 11 approved a motion to reduce the maximum validity of public TLS certificates from 398 days to 47 days. That TLS Baseline Requirement change, meaning it applies to "authenticating servers accessible through the internet," will begin in March 2026 and come into full effect in March 2029."
https://www.bankinfosecurity.com/automation-alert-sounds-as-certificates-set-to-expire-faster-a-29253
Oregon Man Charged With Administering “Rapper Bot” DDoS-For-Hire Botnet
"An Oregon man was charged by a federal criminal complaint today in the District of Alaska on charges related to his alleged development and administration of the “Rapper Bot” DDoS-for-hire Botnet that has conducted large-scale cyber-attacks since at least 2021. According to court documents, investigators identified Ethan Foltz, 22, of Eugene, Oregon, as the alleged administrator of Rapper Bot. Rapper Bot, aka “Eleven Eleven Botnet” and “CowBot,” is a Botnet that primarily compromises devices like Digital Video Recorders (DVRS) or WiFi routers at scale by infecting those devices with specialized malware. Clients of Rapper Bot then issue commands to those infected victim devices, forcing them to send large volumes of “Distributed Denial of Service” (DDoS) traffic to different victim computers and servers located throughout the world."
https://www.justice.gov/usao-ak/pr/oregon-man-charged-administering-rapper-bot-ddos-hire-botnet
https://cyberscoop.com/rapper-bot-ddos-botnet-disrupted/
AI Agents Access Everything, Fall To Zero-Click Exploit
"In this Black Hat USA 2025 interview, Michael Bargury, Zenity CTO, discusses his alarming "AgentFlayer" research on AI enterprise compromise methods with Dark Reading's Rob Wright, senior news director. Bargury explains that modern AI assistants have "grown arms and legs," gaining the ability to access emails, documents, and calendars and perform actions on users' behalf through integrations with enterprise environments like Microsoft, Google Workspace, and Salesforce. The critical zero-click exploit that Bargury uncovered means external attackers need only a user's email address to completely take over enterprise AI agents, accessing sensitive data and manipulating users through what they perceive as trusted AI advisers."
https://www.darkreading.com/application-security/ai-agents-access-everything-zero-click-exploit
10 Major GitHub Risk Vectors Hidden In Plain Sight
"GitHub has evolved from simple version control to the backbone of modern software development. While organizations diligently scan packaged dependencies from npm or PyPI, they often overlook a more pervasive danger: the numerous ways GitHub-hosted code infiltrates systems throughout the entire software development life cycle. These hidden risk vectors create blind spots that sophisticated attackers actively exploit, as demonstrated in incidents like the tj-actions GitHub Action and XZ Utils compromises."
https://www.darkreading.com/cyberattacks-data-breaches/10-github-risk-vectors

อ้างอิง
Electronic Transactions Development Agency(ETDA)

NCSA_THAICERT

Xerox แก้ไขช่องโหว่ Path Traversal และ XXE Injection ใน FreeFlow Core .png

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

NCSA_THAICERT

มิจฉาชีพหลอกผู้ใช้ Gmail ด้วย “แจ้งเตือนความป.png

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

NCSA_THAICERT

Industrial Sector

Siemens Mendix SAML Module
"Successful exploitation of this vulnerability could allow unauthenticated remote attackers to hijack an account in specific SSO configurations."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-231-02
Siemens Desigo CC Product Family And SENTRON Powermanager
"Successful exploitation of this vulnerability could allow privilege escalation."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-231-01

Vulnerabilities

New Research Links VPN Apps, Highlights Security Deficiencies
"Nearly two dozen VPN applications in Google Play contain security weaknesses impacting the privacy of their users, exposing transmitted data to decryption, a new Citizen Lab report shows. Furthermore, the VPN providers that offer these applications can be linked to one another, although they claim to be separate entities and use various means to hide their true identities. Starting from previous reports linking Innovative Connecting, Autumn Breeze, and Lemon Clove, three VPN providers claiming to be based in Singapore, to a Chinese national, Citizen Lab’s analysis identified additional connections between their applications, and linked other VPN apps and their providers."
https://www.securityweek.com/new-research-links-vpn-apps-highlights-security-deficiencies/
https://www.petsymposium.org/foci/2025/foci-2025-0008.pdf
https://hackread.com/citizen-lab-vpn-networks-sharing-ownership-security-flaws/
https://www.helpnetsecurity.com/2025/08/19/android-vpn-apps-used-by-millions-are-covertly-connected-and-insecure/
Elastic Response To Blog ‘EDR 0-Day Vulnerability’
"On August 16, 2025, Elastic’s Information Security team became aware of a blog and social media posts suggesting an alleged vulnerability in Elastic Defend. Having conducted a thorough investigation, Elastic’s Security Engineering team has found no evidence supporting the claims of a vulnerability that bypasses EDR monitoring and enables remote code execution. While the researcher claims to be able to trigger a crash/BSOD in the Elastic Endpoint driver from an unprivileged process, the only demonstration they have provided does so from another kernel driver."
https://www.elastic.co/blog/elastic-response-edr-0-day-vulnerability-blog
https://www.bleepingcomputer.com/news/security/elastic-rejects-claims-of-a-zero-day-rce-flaw-in-defend-edr/
Don't Want Drive-By Ollama Attackers Snooping On Your Local Chats? Patch Now
"A now-patched flaw in popular AI model runner Ollama allows drive-by attacks in which a miscreant uses a malicious website to remotely target people's personal computers, spy on their local chats, and even control the models the victim's app talks to, in extreme cases by serving poisoned models. GitLab's Security Operations senior manager Chris Moberly found and reported the flaw in Ollama Desktop v0.10.0 to the project's maintainers on July 31. According to Moberly, the team fixed the issue within hours and released the patched software in v0.10.1 — so make sure you've applied the update because Moberly on Tuesday published a technical writeup about the attack along with proof-of-concept exploit code."
https://www.theregister.com/2025/08/19/ollama_driveby_attack/

Malware

New Exploit For Critical SAP Vulnerability CVE-2025-31324 Released In The Wild
"Today on X (formerly Twitter), VX Underground published1 a working and weaponized exploit for the critical SAP vulnerability, CVE-2025-31324. This exploit was allegedly released by “Scattered LAPSUS$ Hunters – ShinyHunters” on a Telegram group. This vulnerability has been recently exploited as a zero-day by multiple sophisticated threat actor groups and later patched by SAP in Security Note 3594142 for CVE-2025-31324 and Security Note 3604119 for CVE-2025-42999."
https://onapsis.com/blog/new-exploit-for-cve-2025-31324/
https://thehackernews.com/2025/08/public-exploit-for-chained-sap-flaws.html
https://www.securityweek.com/new-exploit-poses-threat-to-sap-netweaver-instances/
https://www.infosecurity-magazine.com/news/sap-netweaver-flaw-exploit-released/
The Coordinated Embassy Hunt: Unmasking The DPRK-Linked GitHub C2 Espionage Campaign
"The Trellix Advanced Research Center uncovered a sophisticated espionage operation targeting diplomatic missions across several regions in South Korea during early 2025. Between March and July 2025, DPRK-linked actors are believed to have carried out at least 19 spear-phishing email attacks against embassies worldwide, impersonating trusted diplomatic contacts and luring embassy staff with credible meeting invites, official letters, and event invitations."
https://www.trellix.com/blogs/research/dprk-linked-github-c2-espionage-campaign/
https://www.bleepingcomputer.com/news/security/xenorat-malware-campaign-hits-multiple-embassies-in-south-korea/
https://therecord.media/north-korean-hackers-target-foreign-embassies
GodRAT – New RAT Targeting Financial Institutions
"In September 2024, we detected malicious activity targeting financial (trading and brokerage) firms through the distribution of malicious .scr (screen saver) files disguised as financial documents via Skype messenger. The threat actor deployed a newly identified Remote Access Trojan (RAT) named GodRAT, which is based on the Gh0st RAT codebase. To evade detection, the attackers used steganography to embed shellcode within image files. This shellcode downloads GodRAT from a Command-and-Control (C2) server."
https://securelist.com/godrat/117119/
https://thehackernews.com/2025/08/new-godrat-trojan-targets-trading-firms.html
SpyVPN: The Google-Featured VPN That Secretly Captures Your Screen
"Most people turn to a VPN for one reason: privacy. And with its verified badge, featured placement, and 100k+ installs, FreeVPN.One looked like a safe choice. But once it’s in your browser, it’s not working to keep you safe, it’s continuously watching you. Think about your own daily browsing like opening a Google Sheet with sensitive company information, logging into your bank account, browsing a dating app, or viewing private family photos."
https://koi-security.webflow.io/blog/spyvpn-the-vpn-that-secretly-captures-your-screen#heading-3
https://www.infosecurity-magazine.com/news/chrome-vpn-extension-spyware/
Patching For Persistence: How DripDropper Linux Malware Moves Through The Cloud
"Red Canary detected an adversary exploiting CVE-2023-46604 in Apache ActiveMQ to gain persistent access on cloud Linux systems, patching the exploited vulnerability after securing initial access to secure their foothold and evade detection."
https://redcanary.com/blog/threat-intelligence/dripdropper-linux-malware/
https://thehackernews.com/2025/08/apache-activemq-flaw-exploited-to.html
https://www.darkreading.com/cyberattacks-data-breaches/dripdropper-hackers-patch-own-exploit
https://www.infosecurity-magazine.com/news/attacker-patches-vulnerability/
https://www.theregister.com/2025/08/19/apache_activemq_patch_malware/
RingReaper Linux Malware: EDR Evasion Tactics And Technical Analysis
"RingReaper is a sophisticated post-exploitation agent designed for Linux environments, built to facilitate covert operations while evading Endpoint Detection and Response (EDR) solutions. It exploits the Linux kernel’s modern asynchronous I/O interface, io_uring, to minimize reliance on conventional system calls that security tools frequently monitor or hook. Instead of invoking standard functions such as read, write, recv, send, or connect, RingReaper employs io_uringprimitives (e.g., io_uring_prep_*) to execute equivalent operations asynchronously. This method helps bypass hook-based detection mechanisms and reduces the visibility of malicious activity in telemetry commonly gathered by EDR platforms."
https://www.picussecurity.com/resource/blog/ringreaper-linux-malware-edr-evasion-tactics-and-technical-analysis
https://www.darkreading.com/cyber-risk/ringreaper-sneaks-past-linux-edrs
Proactive Security Insights For SharePoint Attacks (CVE-2025-53770 And CVE-2025-53771)
"CVE-2025-53770 and CVE-2025-53771 are a pair of vulnerabilities affecting Microsoft SharePoint Servers. Attacks exploiting CVE-2025-53770 in the wild were first reported by Eye Security on July 18; these vulnerabilities are currently being actively exploited to compromise on-premises SharePoint environments worldwide. Trend Research has independently verified these findings. Both of these flaws build on CVE-2025-49706 and CVE-2025-49704, the initial vulnerabilities in Microsoft SharePoint that were disclosed during Pwn2Own Berlin 2025 by Viettel Cyber Security as part of a chained attack. These were patched as part of the July 2025 Patch Tuesday cycle. However, further analysis revealed that the initial patches were not fully complete, which necessitated the release of CVE-2025-53770 and CVE-2025-53771."
https://www.trendmicro.com/en_us/research/25/g/cve-2025-53770-and-cve-2025-53771-sharepoint-attacks.html

Breaches/Hacks/Leaks

Massive Allianz Life Data Breach Impacts 1.1 Million People
"Hackers have stolen the personal information of 1.1 million individuals in a Salesforce data theft attack, which impacted U.S. insurance giant Allianz Life in July. Allianz Life has nearly 2,000 employees in the United States and is a subsidiary of Allianz SE, which has over 128 million customers worldwide and ranks as the world's 82nd largest company based on revenue. As the company disclosed last month, information belonging to the "majority" of its 1.4 million customers was stolen by attackers who gained access to a third-party cloud CRM system on July 16th."
https://www.bleepingcomputer.com/news/security/massive-allianz-life-data-breach-impacts-11-million-people/
https://securityaffairs.com/181294/data-breach/allianz-life-security-breach-impacted-1-1-million-customers.html
https://www.securityweek.com/1-1-million-unique-records-identified-in-allianz-life-data-leak/
https://www.darkreading.com/cyberattacks-data-breaches/millions-allianz-insurance-breach
https://www.infosecurity-magazine.com/news/allianz-life-breach-exposes/
Australian ISP IiNet Suffers Breach Of 280,000+ Records
"Australia’s second-largest internet service provider (ISP) has revealed a major data breach impacting hundreds of thousands of customers. Parent company TPG Telecom notified the Australian Securities Exchange of the incident today. It said an “unknown third party” managed to gain unauthorized access to an order management system at subsidiary iiNet, in a breach discovered on Saturday. “Upon confirmation of the incident on Saturday, 16 August 2025, we enacted our incident response plan and removed the unauthorized access to the system. TPG Telecom has engaged external IT and cybersecurity experts to assist with our response to the incident,” noted the letter."
https://www.infosecurity-magazine.com/news/aussie-isp-iinet-breach-280000/
https://www.securityweek.com/australias-tpg-telecom-investigating-iinet-hack/
https://hackread.com/australia-isp-iinet-data-breach-customer-accounts-stolen/
NY Business Council Discloses Data Breach Affecting 47,000 People
"The Business Council of New York State (BCNYS) has revealed that attackers who breached its network in February stole the personal, financial, and health information of over 47,000 individuals. As the state's largest statewide employer association, BCNYS represents over 3,000 member organizations, including chambers of commerce, professional and trade associations, and other local and regional business organizations, as well as some of the largest corporations worldwide, which employ more than 1.2 million New Yorkers."
https://www.bleepingcomputer.com/news/security/business-council-of-new-york-state-discloses-data-breach-affecting-47-000-people/
When a Deal Is Not a Done Deal: Nova Demands Higher Payment From Clinical Diagnostics
"Last week, it appeared that Clinical Diagnostics (“Eurofins”) had paid a gang’s demands not to leak patient data that Nova had exfiltrated during a ransomware attack in July. Clinical Diagnostics in the Netheralands held patient data on 485,000 Dutch women in a cervical cancer screening program. Nova confirmed the payment to a Dutch news outlet. But yesterday, the attackers posted a new message and warning to the firm. The listing on Nova’s dark web leak site changed to “you break the deal, you will pay”. In an expanded post, Nova seemed to be saying they would leak the data in 10 days because the company had contacted the police (although DataBreaches notes that understanding their English is difficult and DataBreaches may have misunderstood something).. From the post’s broken English, they appeared to also be saying that they had received a higher offer than what the firm had offered."
https://databreaches.net/2025/08/19/when-a-deal-is-not-a-done-deal-nova-demands-higher-payment-from-clinical-diagnostics/
Drug Development Company Inotiv Reports Ransomware Attack To SEC
"An Indiana-based drug research company said a recent ransomware attack has disrupted its business operations and forced a shutdown of critical systems. Inotiv told regulators at the Securities Exchange Commission that the cybersecurity incident was discovered on August 8 and a subsequent investigation found that threat actors had encrypted certain systems. The company does not have a timeline for when restoration is expected but said the incident is impacting “the availability of and access to certain of the Company’s networks and systems, including access to portions of internal data storage and certain internal business applications.”"
https://therecord.media/drug-development-innotiv-ransomware-sec
https://www.bleepingcomputer.com/news/security/pharma-firm-inotiv-says-ransomware-attack-impacted-operations/
Russian Hacktivists Take Aim At Polish Power Plant, Again
"Russian hackers targeted a Polish hydropower plant again, this time disrupting its control systems and turbines. The power plant — located in Tczew, near Gdańsk — was previously targeted in May. Now the hacktivists have released a video, which at first appeared to be a recording of the earlier attack. However, upon closer inspection, it's clear that the same hacktivists targeted the same facility again. According to the collected data from the plant's turbines, Polish analysts believe that the hack disrupted operations, making this attack more destructive than the previous one, which allegedly occurred when the plant was offline."
https://www.darkreading.com/cyberattacks-data-breaches/russian-hacktivists-polish-power-plant-attack
Canadian Financial Regulator Hacked, Exposing Personal Data From Member Organizations
"A Canadian financial regulator has disclosed a cybersecurity incident, which has breached the personal information of member firms and their employees. The Canadian Investment Regulatory Organization (CIRO), a national self-regulatory organization covering all investment dealers, mutual fund dealers and trading activity on Canada’s debt and equity marketplaces, revealed it identified the cybersecurity threat on August 11. In response, the regulator shut down some of its systems to ensure their safety before launching an investigation to determine the extent of the attacker’s activities."
https://www.infosecurity-magazine.com/news/canadian-financial-regulator-hacked/
Business Council Of New York State Says Nearly 50,000 Had Data Leaked In February Cyberattack
"A cyberattack on the Business Council of New York State gave hackers access to sensitive information on more than 47,000 people. The business advocacy organization told regulators in multiple states that it suffered a cyberattack in February. An investigation was completed on August 4 and revealed that 47,329 people had some combination of information leaked that includes names, Social Security numbers, state ID numbers, financial account and routing numbers, payment card numbers, PINs as well as expiration dates, taxpayer identification numbers and electronic signature information."
https://therecord.media/new-york-business-council-data-breach

General News

July 2025 APT Attack Trends Report (South Korea)
"Ahnlabs is monitoring APT (Advanced Persistent Threat) attacks in South Korea using its own infrastructure. This report covers the classification, statistics, and features of the APT attacks that were identified during the month of July 2025."
https://asec.ahnlab.com/en/89639/
July 2025 Threat Trend Report On Ransomware
"This report provides statistics on the number of new ransomware samples and affected systems, and affected companies that were collected over the course of July 2025, as well as major ransomware issues in and out of Korea. Below is a summary of the information. Disclaimer: The number of ransomware samples and damaged systems is based on the detection names assigned by AhnLab, and statistics on targeted companies are based on the information published on the dedicated leak sites (DLS) of the ransomware group, also referred to as ransomware PR sites or PR pages, collected by the ATIP infrastructure over time."
https://asec.ahnlab.com/en/89646/
Nebraska Man Gets 1 Year In Prison For $3.5M Cryptojacking Scheme
"A Nebraska man was sentenced to one year in prison for defrauding cloud computing providers of over $3.5 million to mine cryptocurrency worth nearly $1 million. Charles O. Parks III (also known as "CP3O") was arrested and charged in April with wire fraud, money laundering, and engaging in unlawful monetary transactions. He was facing up to 20 years in prison in December after admitting that he didn't pay a $3.5 million bill after renting cloud computing time from two providers for his cryptojacking operation."
https://www.bleepingcomputer.com/news/security/nebraska-man-gets-1-year-in-prison-for-35m-cryptojacking-scheme/
What Happens When Penetration Testing Goes Virtual And Gets An AI Coach
"Cybersecurity training often struggles to match the complexity of threats. A new approach combining digital twins and LLMs aims to close that gap. Researchers from the University of Bari Aldo Moro propose using Cyber Digital Twins (CDTs) and generative AI to create realistic, interactive environments for cybersecurity education. Their framework simulates IT, OT, and IoT systems in a controlled virtual space and layers AI-driven feedback on top. The goal is to improve penetration testing skills and strengthen understanding of the full cyberattack lifecycle."
https://www.helpnetsecurity.com/2025/08/19/digital-twins-cybersecurity-training/
The Cybersecurity Myths Companies Can’t Seem To Shake
"Cybersecurity myths are like digital weeds: pull one out, and another quickly sprouts in its place. You’ve probably heard them before: Macs don’t get viruses, we’re too small to be a target, or changing passwords often keeps us safer. Experts have been busting these myths for years, yet they still stick around and shape bad strategies while giving people a false sense of security."
https://www.helpnetsecurity.com/2025/08/19/cybersecurity-myths/
Hijacked Satellites And Orbiting Space Weapons: In The 21st Century, Space Is The New Battlefield
"As Russia held its Victory Day parade this year, hackers backing the Kremlin hijacked an orbiting satellite that provides television service to Ukraine. Instead of normal programing, Ukrainian viewers saw parade footage beamed in from Moscow: waves of tanks, soldiers and weaponry. The message was meant to intimidate and was an illustration that 21st-century war is waged not just on land, sea and air but also in cyberspace and the reaches of outer space. Disabling a satellite could deal a devastating blow without one bullet, and it can be done by targeting the satellite’s security software or disrupting its ability to send or receive signals from Earth."
https://www.securityweek.com/hijacked-satellites-and-orbiting-space-weapons-in-the-21st-century-space-is-the-new-battlefield/
PyPI Blocks 1,800 Expired-Domain Emails To Prevent Account Takeovers And Supply Chain Attacks
"The maintainers of the Python Package Index (PyPI) repository have announced that the package manager now checks for expired domains to prevent supply chain attacks. "These changes improve PyPI's overall account security posture, making it harder for attackers to exploit expired domain names to gain unauthorized access to accounts," Mike Fiedler, PyPI safety and security engineer at the Python Software Foundation (PSF), said."
https://thehackernews.com/2025/08/pypi-blocks-1800-expired-domain-emails.html
https://blog.pypi.org/posts/2025-08-18-preventing-domain-resurrections/
https://www.bleepingcomputer.com/news/security/pypi-now-blocks-domain-resurrection-attacks-used-for-hijacking-accounts/
Inside The Australian Dark Web: What Hackers Are Selling About Your Business Right Now
"Despite being tucked in the bottom corner of the world map, Australia is high up on the threat map for cybercriminals. The Australian dark web game has evolved over the years, and now it is a thriving economy for hackers, criminals, and hacktivist groups. This economy now sells and purchases stolen corporate data, personal records, and privileged credentials that are openly traded. What was once a niche underground network now powers a shadow industry worth millions, exploiting every stolen byte from Australian businesses."
https://cyble.com/blog/australian-dark-web-cybercrime-threats-2025/
Ransomware Incidents In Japan During The First Half Of 2025
"In the first half of 2025, the number of ransomware attacks in Japan increased by approximately 1.4 times compared to the previous year. Ransomware attackers continue to primarily target small and medium-sized enterprises in Japan. The most affected industry remains manufacturing, unchanged from last year. The ransomware group causing the most damage in Japan is "Qilin." In late June, a new ransomware group called "Kawa4096" emerged and might have attacked two Japanese companies."
https://blog.talosintelligence.com/ransomware_incidents_in_japan_during_the_first_half_of_2025/
Secure AI Use Without The Blind Spots
"Trey Ford has seen it before: The engineering team is off to the races, exploring the latest AI tools, while the security side is still trying to catch its breath. "Security teams are never overstaffed," says Ford, CISO, Americas, with Bugcrowd. "And out of nowhere, we have this new thing that is a game-changer. But there's this whole sudden mindset where 'we're going to go do this thing.'""
https://www.darkreading.com/cyber-risk/secure-ai-use-without-blind-spots
Fashionable Phishing Bait: GenAI On The Hook
"The rapid expansion of generative AI (GenAI) has led to a diverse set of web-based platforms offering capabilities such as code assistance, natural language generation, chatbot interaction and automated website creation. This article uses insights from our telemetry to show trends in how the GenAI web is evolving. Because of its growing prevalence, GenAI also opens new vectors for threat actors to misuse. Adversaries are increasingly leveraging GenAI platforms to create realistic phishing content, clone trusted brands and automate large-scale deployment using services like low-code site builders. The threats are getting harder to detect."
https://unit42.paloaltonetworks.com/genai-phishing-bait/
US Spy Chief Claims UK Backed Down Over Apple Backdoor Demand
"The UK government has reportedly abandoned its attempt to strong-arm Apple into weakening iPhone encryption after the White House forced Blighty into a quiet climb-down. US Director of National Intelligence Tulsi Gabbard broke the news on X, boasting that she'd been working "closely with our partners in the UK, alongside @POTUS and @VP, to ensure Americans' private data remains private and our Constitutional rights and civil liberties are protected." "As a result," she added, "the UK has agreed to drop its mandate for Apple to provide a 'backdoor' that would have enabled access to the protected encrypted data of American citizens and encroached on our civil liberties.""
https://www.theregister.com/2025/08/19/uk_apple_backdoor_uturn/
https://thehackernews.com/2025/08/uk-government-drops-apple-encryption.html
https://therecord.media/uk-agrees-drop-apple-encryption
https://cyberscoop.com/uk-abandons-apple-backdoor-demand-after-us-diplomatic-pressure/
Automation Alert Sounds As Certificates Set To Expire Faster
"The future of managing digital certificates is already here - it's just not evenly distributed yet. Keen to reduce risks to the web public key infrastructure ecosystem, as well as get the automation ball rolling faster, the industry's Certification Authority Browser Forum on April 11 approved a motion to reduce the maximum validity of public TLS certificates from 398 days to 47 days. That TLS Baseline Requirement change, meaning it applies to "authenticating servers accessible through the internet," will begin in March 2026 and come into full effect in March 2029."
https://www.bankinfosecurity.com/automation-alert-sounds-as-certificates-set-to-expire-faster-a-29253
Oregon Man Charged With Administering “Rapper Bot” DDoS-For-Hire Botnet
"An Oregon man was charged by a federal criminal complaint today in the District of Alaska on charges related to his alleged development and administration of the “Rapper Bot” DDoS-for-hire Botnet that has conducted large-scale cyber-attacks since at least 2021. According to court documents, investigators identified Ethan Foltz, 22, of Eugene, Oregon, as the alleged administrator of Rapper Bot. Rapper Bot, aka “Eleven Eleven Botnet” and “CowBot,” is a Botnet that primarily compromises devices like Digital Video Recorders (DVRS) or WiFi routers at scale by infecting those devices with specialized malware. Clients of Rapper Bot then issue commands to those infected victim devices, forcing them to send large volumes of “Distributed Denial of Service” (DDoS) traffic to different victim computers and servers located throughout the world."
https://www.justice.gov/usao-ak/pr/oregon-man-charged-administering-rapper-bot-ddos-hire-botnet
https://cyberscoop.com/rapper-bot-ddos-botnet-disrupted/
AI Agents Access Everything, Fall To Zero-Click Exploit
"In this Black Hat USA 2025 interview, Michael Bargury, Zenity CTO, discusses his alarming "AgentFlayer" research on AI enterprise compromise methods with Dark Reading's Rob Wright, senior news director. Bargury explains that modern AI assistants have "grown arms and legs," gaining the ability to access emails, documents, and calendars and perform actions on users' behalf through integrations with enterprise environments like Microsoft, Google Workspace, and Salesforce. The critical zero-click exploit that Bargury uncovered means external attackers need only a user's email address to completely take over enterprise AI agents, accessing sensitive data and manipulating users through what they perceive as trusted AI advisers."
https://www.darkreading.com/application-security/ai-agents-access-everything-zero-click-exploit
10 Major GitHub Risk Vectors Hidden In Plain Sight
"GitHub has evolved from simple version control to the backbone of modern software development. While organizations diligently scan packaged dependencies from npm or PyPI, they often overlook a more pervasive danger: the numerous ways GitHub-hosted code infiltrates systems throughout the entire software development life cycle. These hidden risk vectors create blind spots that sophisticated attackers actively exploit, as demonstrated in incidents like the tj-actions GitHub Action and XZ Utils compromises."
https://www.darkreading.com/cyberattacks-data-breaches/10-github-risk-vectors

อ้างอิง
Electronic Transactions Development Agency(ETDA)

NCSA_THAICERT

Telecom Sector

Novel 5G Attack Bypasses Need For Malicious Base Station
"A team of researchers from the Singapore University of Technology and Design has disclosed the details of a new 5G attack that does not require the use of a malicious base station. As part of the project, the researchers have released a framework named Sni5Gect that can be used to sniff messages and perform message injection in 5G communications. The attack targets the 5G New Radio (NR) radio access technology that powers 5G networks. Previously demonstrated 5G attacks involved the use of a rogue base station that the victim needs to connect to, which can limit the practicality of an attack, the researchers said."
Priority: 3 - Important
Relevance: General
https://www.securityweek.com/novel-5g-attack-bypasses-need-for-malicious-base-station/
https://www.theregister.com/2025/08/18/sni5gect/

New Tooling

Buttercup: Open-Source AI-Driven System Detects And Patches Vulnerabilities
"Buttercup is a free, automated, AI-powered platform that finds and fixes vulnerabilities in open-source software. Developed by Trail of Bits, it recently earned second place in DARPA’s AI Cyber Challenge (AIxCC). Buttercup is made up of four main components, each playing a different role in finding and fixing vulnerabilities."
https://www.helpnetsecurity.com/2025/08/18/buttercup-ai-vulnerability-scanner-open-source/
https://github.com/trailofbits/buttercup

Vulnerabilities

Over 800 N-Able Servers Left Unpatched Against Critical Flaws
"Over 800 N-able N-central servers remain unpatched against a pair of critical security vulnerabilities tagged as actively exploited last week. N-central is a popular platform used by many managed services providers (MSPs) and IT departments to monitor and manage networks and devices from a centralized web-based console. Tracked as CVE-2025-8875 and CVE-2025-8876, the two flaws can let authenticated attackers to inject commands due to improper sanitization of user input and execute commands on unpatched devices by exploiting an insecure deserialization weakness, respectively."
https://www.bleepingcomputer.com/news/security/over-800-n-able-servers-left-unpatched-against-critical-flaws/
https://www.securityweek.com/hundreds-of-n-able-n-central-instances-affected-by-exploited-vulnerabilities/
CISA Adds One Known Exploited Vulnerability To Catalog
"CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
CVE-2025-54948 Trend Micro Apex One OS Command Injection Vulnerability"
https://www.cisa.gov/news-events/alerts/2025/08/18/cisa-adds-one-known-exploited-vulnerability-catalog

Malware

Infostealer Targets Russian Crypto Developers
"A new threat campaign “Solana-Scan” includes multiple malicious NPM packages targeting the Solana cryptocurrency ecosystem. These packages include a new infostealer malware that appears to target Russian cryptocurrency developers"
https://getsafety.com/blog-posts/infostealer-targets-russian-crypto-developers
https://www.theregister.com/2025/08/18/solana_infostealer_npm_malware/
2025 State Of The Internet: Digging Into Residential Proxy Infrastructure
"So far in our State of the Internet research series, we’ve explored everything from the lifespans of prominent C2 servers to the infrastructure of long-running malware campaigns. This time, we turn our attention to a hot topic in the world of proxy threats: residential proxies. Beneath the hum of everyday Internet traffic, millions of home and small business devices quietly pull double duty, functioning for their legitimate owners while also – either knowingly or unknowingly – relaying traffic for entirely separate purposes. These devices form the backbone of residential proxy networks, which route traffic through ordinary consumer equipment."
https://censys.com/blog/2025-state-of-the-internet-digging-into-residential-proxy-infrastructure
https://www.bankinfosecurity.com/ballooning-polaredge-botnet-suspected-cyberespionage-op-a-29246
EchoLink And The Rise Of Zero-Click AI Exploits
"In an increasingly AI-powered enterprise landscape, the recent discovery of a zero-click vulnerability in Microsoft 365 Copilot, dubbed EchoLink, should come as a stark warning for cyber security leaders. This isn’t just another flaw – it’s a new class of threat. One that doesn’t require a single click, a download, or any user interaction to trigger. EchoLink is invisible, fast-moving, and capable of silently leaking sensitive enterprise data."
https://blog.checkpoint.com/email-security/echolink-and-the-rise-of-zero-click-ai-exploits/
Noodlophile Stealer Evolves: Targeted Copyright Phishing Hits Enterprises With Social Media Footprints
"The Noodlophile Stealer, first detailed in our previous analysis (New Noodlophile Stealer Distributes Via Fake AI Video Generation Platforms), has evolved into a highly targeted threat exploiting enterprises with significant Facebook footprints. This blog dissects the upgraded phishing tactics, delivery methods, and enhanced Noodlophile capabilities, offering security leaders actionable insights to protect against this sophisticated threat."
https://www.morphisec.com/blog/noodlophile-stealer-evolves-targeted-copyright-phishing-hits-enterprises-with-social-media-footprints/
https://engage.morphisec.com/hubfs/2025_PDFs/Noodlophile_Stealer_Evolves.pdf
https://thehackernews.com/2025/08/noodlophile-malware-campaign-expands.html
https://www.darkreading.com/threat-intelligence/noodlophile-stealer-bogus-copyright-complaints
https://hackread.com/phishing-scam-fake-copyright-notice-noodlophile-stealer/
https://www.helpnetsecurity.com/2025/08/18/noodlophile-infostealer-spear-phishing-campaign-copyright-infingement/
Dissecting PipeMagic: Inside The Architecture Of a Modular Backdoor Framework
"Among the plethora of advanced attacker tools that exemplify how threat actors continuously evolve their tactics, techniques, and procedures (TTPs) to evade detection and maximize impact, PipeMagic, a highly modular backdoor used by Storm-2460 masquerading as a legitimate open-source ChatGPT Desktop Application, stands out as particularly advanced."
https://www.microsoft.com/en-us/security/blog/2025/08/18/dissecting-pipemagic-inside-the-architecture-of-a-modular-backdoor-framework/
https://therecord.media/ransomware-gang-masking-pipemagic-backdoor
https://hackread.com/fake-chatgpt-desktop-app-pipemagic-backdoor-microsoft/
Evolution Of The PipeMagic Backdoor: From The RansomExx Incident To CVE-2025-29824
"In April 2025, Microsoft patched 121 vulnerabilities in its products. According to the company, only one of them was being used in real-world attacks at the time the patch was released: CVE-2025-29824. The exploit for this vulnerability was executed by the PipeMagic malware, which we first discovered in December 2022 in a RansomExx ransomware campaign. In September 2024, we encountered it again in attacks on organizations in Saudi Arabia. Notably, it was the same version of PipeMagic as in 2022. We continue to track the malware’s activity. Most recently, in 2025 our solutions prevented PipeMagic infections at organizations in Brazil and Saudi Arabia."
https://securelist.com/pipemagic/117270/
https://thehackernews.com/2025/08/microsoft-windows-vulnerability.html
Cryptomining Group Kinsing Expands Operations To Russia, Researchers Warn
"Russian cybersecurity researchers said the Kinsing hacker group has launched a large-scale wave of cyberattacks aimed at hijacking Russian computers for cryptocurrency mining. In a report last week, Russia-based cybersecurity firm F6 said the attacks began in April and infected devices with Kinsing and XMRig malware, tools commonly used to mine the cryptocurrency Monero. F6 did not disclose which companies were targeted. Kinsing, also known as H2Miner and Resourceful Wolf, has been active since 2019 and is one of the most prolific groups engaged in so-called cryptojacking. Instead of phishing, the hackers scan company networks for vulnerabilities in widely-used software and exploit them to install malicious code."
https://therecord.media/cryptomining-group-kinsing-hits-russia
Uncovering a Multi-Stage USB Cryptomining Attack
"CyberProof MDR analysts alerted Threat Hunters on an incident originating from an infected USB device that could lead to a backdoor infection and cyptomining through a multi-stage attack leveraging DLL search order hijacking and PowerShell to bypass security. Upon further investigation, we were able to confirm the malware involved, was linked to an earlier reported cryptominer (XMRig or Zephyr) attack kill chain. While investing we also were able to confirm that the malware was blocked by the organizations EDR during the final stages of the miner attack."
https://www.cyberproof.com/blog/uncovering-a-multi-stage-usb-cryptomining-attack/
https://www.infosecurity-magazine.com/news/usb-malware-spreads-cryptominer/
Compromised Npm Package Threatens Developer Projects
"ReversingLabs’ automated threat detection system discovered a compromise of a popular npm package, eslint-config-prettier, on July 18. The package has more than 3.5 billion downloads and 12,000 dependencies. Several other packages published by the same maintainer were also affected, and malicious versions of eslint-config-prettier were published from the maintainer’s account that was compromised in a well-crafted phishing campaign. The campaign was reported by the Socket research team on the same day as RL’s detection."
https://www.reversinglabs.com/blog/eslint-hack
https://www.infosecurity-magazine.com/news/popular-npm-package-compromised-in/
APT Sidewinder Spoofs Government And Military Institutions To Target South Asian Countries With Credential Harvesting Techniques
"APT Sidewinder, a persistent APT group believed to originate from South Asia, has consistently targeted military and government entities across Bangladesh, Srilanka, Turkey, Nepal, Pakistan, and other neighboring countries. Sidewinder frequently leverages spear-phishing techniques involving weaponized documents and malicious links. These campaigns mimic official communication to trick victims into entering credentials on fake login pages."
https://hunt.io/blog/apt-sidewinder-netlify-government-phishing
Lazarus Stealer : Android Malware For Russian Bank Credential Theft Through Overlay And SMS Manipulation
"At CYFIRMA, we deliver actionable intelligence on emerging cyber threats impacting both individuals and organizations. This report analyzes a sophisticated Android banking malware known as “Lazarus Stealer” not to be mistaken for the DPRK-linked Lazarus Group. The name “Lazarus Stealer” stems solely from how it is labeled in its control panel by the developer and bears no relation to the nation-state actor. Disguised as a harmless application called “GiftFlipSoft“, the malware specifically targets multiple Russian banking apps, extracting card numbers, PINs, and other sensitive credentials while remaining completely hidden from the device’s interface."
https://www.cyfirma.com/research/lazarus-stealer-android-malware-for-russian-bank-credential-theft-through-overlay-and-sms-manipulation/
A DNS Exploration Of The Latest Educated Manticore Attack
"Check Point Research published an in-depth analysis of the recent spearphishing attack launched by Iranian threat group Educated Manticore. The attackers targeted Israeli journalists, high-profile cybersecurity experts, and computer science professors from leading Israeli universities. The threat actors directed victims who engaged with them to fake Gmail login pages or Google Meet invitations. The credentials the victims entered on phishing pages were sent to the attackers, enabling them to intercept passwords and two-factor authentication (2FA) codes and gain unauthorized access to the victims’ accounts."
https://circleid.com/posts/a-dns-exploration-of-the-latest-educated-manticore-attack
Android Malware Promises Energy Subsidy To Steal Financial Data
"Recently, we identified an active Android phishing campaign targeting Indian users. The attackers impersonate a government electricity subsidy service to lure victims into installing a malicious app. In addition to stealing financial information, the malicious app also steals text messages, uses the infected device to send smishing messages to user’s contact list, can be remotely controlled using Firebase and phishing website and malware was hosted in GitHub. This attack chain leverages YouTube videos, a fake government-like website, and a GitHub-hosted APK file—forming a well-orchestrated social engineering operation. The campaign involves fake subsidy promises, user data theft, and remote-control functionalities, posing a substantial threat to user privacy and financial security."
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/android-malware-promises-energy-subsidy-to-steal-financial-data/

Breaches/Hacks/Leaks

HR Giant Workday Discloses Data Breach Amid Salesforce Attacks
"Human resources giant Workday has disclosed a data breach after attackers gained access to a third-party customer relationship management (CRM) platform in a recent social engineering attack. Headquartered in Pleasanton, California, Workday has over 19,300 employees in offices across North America, EMEA, and APJ. Workday's customer list comprises over 11,000 organizations across a diverse range of industries, including more than 60% of the Fortune 500 companies. As the company revealed in a Friday blog, the attackers gained access to some of the information stored on the compromised CRM systems, adding that no customer tenants were impacted."
https://www.bleepingcomputer.com/news/security/hr-giant-workday-discloses-data-breach-amid-salesforce-attacks/
https://therecord.media/workday-social-engineering-data-breach
https://www.darkreading.com/application-security/workday-breach-shinyhunters-salesforce-attacks
https://www.bankinfosecurity.com/workday-breached-as-ransomware-group-seeks-salesforce-data-a-29242
https://www.infosecurity-magazine.com/news/workday-reveals-crm-breach/
https://www.securityweek.com/workday-data-breach-bears-signs-of-widespread-salesforce-hack/
https://securityaffairs.com/181271/data-breach/human-resources-firm-workday-disclosed-a-data-breach.html
https://www.theregister.com/2025/08/18/workday_crm_breach/
Casino Gaming Company Bragg Says Hackers Accessed ‘internal Computer Environment’
"One of the leading casino game producers said hackers breached their systems and accessed internal environments during an incident discovered on Saturday morning. Bragg Gaming Group said on Monday that it “believes that the data breach was limited to Bragg’s internal computer environment” based on its preliminary investigation. “At the present time, there is no indication that any personal information was affected,” the company said. “Additionally, the breach has had no impact on the ability of the Company to continue its operations, nor has it been restricted from accessing any data that has been subject to the breach.”"
https://therecord.media/casino-gaming-company-cyber-incident-bragg
How We Found TeaOnHer Spilling Users’ Driver’s Licenses In Less Than 10 Minutes
"For an app all about spilling the beans on who you’re allegedly dating, it’s ironic that TeaOnHer was spilling the personal information of thousands of its users to the open web. TeaOnHer was designed for men to share photos and information about women they claim to have been dating. But much like Tea, the dating-gossip app for women it was trying to replicate, TeaOnHer had gaping holes in its security that exposed its users’ personal information, including photos of their driver’s licenses and other government-issued identity documents, as TechCrunch reported last week."
https://techcrunch.com/2025/08/13/how-we-found-teaonher-spilling-users-drivers-licenses-in-less-than-10-minutes/

General News

How Security Teams Are Putting AI To Work Right Now
"AI is moving from proof-of-concept into everyday security operations. In many SOCs, it is now used to cut down alert noise, guide analysts during investigations, and speed up incident response. What was once seen as experimental technology is starting to deliver results that CISOs can measure."
https://www.helpnetsecurity.com/2025/08/18/ai-in-security-operations/
Weak Alerting And Slipping Prevention Raise Risk Levels For CISOs
"Prevention effectiveness is falling, detection gaps remain wide, and attackers are exploiting weaknesses in data protection and credentials. Data theft prevention has dropped to 3 percent, password cracking success rates have nearly doubled, and new threat groups are bypassing defenses. The latest Blue Report from Picus Security shows that prevention effectiveness against cyberattacks has dropped for the first time in two years, falling from 69% in 2024 to 62% in 2025. Detection capabilities remain weak, with less than one in seven simulated attacks triggering an alert."
https://www.helpnetsecurity.com/2025/08/18/ciso-cybersecurity-prevention-effectiveness/
Bridging The AI Model Governance Gap: Key Findings For CISOs
"While most organizations understand the need for strong AI model governance, many are still struggling to close gaps that could slow adoption and increase risk. The findings of a new Anaconda survey of more than 300 AI practitioners and decision-makers highlight security concerns in open-source tools, inconsistent model monitoring, and the operational challenges caused by fragmented AI toolchains."
https://www.helpnetsecurity.com/2025/08/18/ciso-ai-model-governance/
UK Sentences “serial Hacker” Of 3,000 Sites To 20 Months In Prison
"A 26-year old in the UK who claimed to have hacked thousands of websites was sentenced to 20 months in prison after pleading guilty earlier this year. Al-Tahery Al-Mashriky of Rotherham, UK, was arrested in 2022 based on information received from U.S. law enforcement and charged for stealing log in details of millions of Facebook users, and hacking websites belonging to the government in Yemen, an Israeli news outlet, and organizations in the U.S. and Canada. Al-Mashriky pleaded guilty to the charges this year on March 17. He was linked to extremist groups such as ‘Spider Team’ and ‘Yemen Cyber Army’"
https://www.bleepingcomputer.com/news/legal/uk-sentences-serial-hacker-of-3-000-sites-to-20-months-in-prison/
https://www.infosecurity-magazine.com/news/man-jailed-20-months-millions-of/
How Evolving RATs Are Redefining Enterprise Security Threats
"Remote access Trojans (RATs) are no longer just blunt instruments for cybercriminals. They've become more elusive, quietly shaping a new chapter in enterprise threats. Recent strains like StilachiRAT and SnowDog RAT are using corrupted DOS and PE headers to hide in plain sight, persisting undetected on enterprise systems for extended periods."
https://www.darkreading.com/cyberattacks-data-breaches/evolving-rats-redefine-enterprise-security-threats
Defending Against Cloud Threats Across Multicloud Environments
"Late last year, a threat group — tracked by Microsoft as Storm-0501 — compromised hybrid cloud environments in an opportunistic campaign targeting the government, manufacturing, transportation, and law enforcement sectors. The group aimed to generate cash through a ransomware affiliate scheme."
https://www.darkreading.com/cloud-security/defending-against-cloud-threats-across-multi-cloud-environments
New Quantum-Safe Alliance Aims To Accelerate PQC Implementation
"IBM Consulting, Keyfactor, Quantinuum and Thales are pooling their respective resources to provide enterprises with unified post-quantum cryptography (PQC) technology and services with the new Quantum-Safe 360 Alliance, launched on Thursday. The alliance aims to provide complete and compatible PQC assessment and migration capabilities. Much of their technical integration work is well in place because the four companies already have various established partnerships with one another."
https://www.darkreading.com/cybersecurity-operations/new-quantum-safe-alliance-accelerate-pqc-implementation
7 Things I Wish I Knew Before Becoming a CISO
"Last week, I was joined on a Black Hat panel “To Be or Not to Be... a CISO” by fellow esteemed CISOs, Gursev Kalra from Salesforce, Vercel’s Ty Sbano, and host Shubham Mittal from RedHunt Labs to discuss our career progressions. Afterward, the discussions continued with several people asking for more information and advice. I’ve distilled that discussion in this blog and hope it will be useful to aspiring or new CISOs."
https://www.fortinet.com/blog/ciso-collective/things-i-wish-i-knew-before-becoming-a-ciso
AI For Cybersecurity: Building Trust In Your Workflows
"In cybersecurity, speed matters. But speed without trust can be just as dangerous – if not more so – as no action at all. A hasty, inaccurate decision can disrupt critical systems, cause unnecessary downtimes, and erode confidence in your security operations. That’s why AI in cybersecurity is about more than just faster detection and response; it’s about building trust into every decision the system and analysts make."
https://securityaffairs.com/181278/security/ai-for-cybersecurity-building-trust-in-your-workflows.html
Thai Police Arrest SMS Blasting Scammers Allegedly Hired By Chinese Boss
"A white Suzuki driving through Bangkok looked like a normal rental car — until police officers trailing it began receiving fake bank alerts on their own phones. When officers pulled it over, they found a portable SMS blaster inside, capable of sending thousands of phishing messages a day. Thai police said they arrested two men, ages 23 and 25, on August 15 after finding the illegal telecom setup hidden in the car. It included a false base station, router, power unit, and a shark-fin antenna on the roof disguising the signal hardware. Officials said the system allowed scammers to impersonate trusted networks and send messages that appeared to come from banks or government agencies."
https://therecord.media/bangkok-police-sms-scammers-blasting
Every Question You Ask, Every Comment You Make, I'll Be Recording You
"Recently, OpenAI ChatGPT users were shocked – shocked, I tell you! – to discover that their searches were appearing in Google search. You morons! What do you think AI chatbots are doing? Doing all your homework for free or a mere $20 a month? I think not! When you ask an AI chatbot for an answer, whether it's about the role of tariffs in decreasing prices (spoiler: tariffs increase them,); whether your girlfriend is really that into you; or, my particular favorite, "How to Use a Microwave Without Summoning Satan," OpenAI records your questions. And, until recently, Google kept the records for anyone who is search savvy to find them."
https://www.theregister.com/2025/08/18/opinion_column_ai_surveillance/