NCSA Webboard

    Posts created by NCSA_THAICERT

    • Cyber Threat Intelligence 07 October 2025

      Vulnerabilities

      • Oracle Patches EBS Zero-Day Exploited In Clop Data Theft Attacks
        "Oracle is warning about a critical E-Business Suite zero-day vulnerability tracked as CVE-2025-61882 that allows attackers to perform unauthenticated remote code execution, with the flaw actively exploited in Clop data theft attacks. The flaw is within the Oracle Concurrent Processing product of Oracle E-Business Suite (component: BI Publisher Integration) and has a CVSS base score of 9.8, due to its lack of authentication and ease of exploitation. "This Security Alert addresses vulnerability CVE-2025-61882 in Oracle E-Business Suite," reads a new Oracle advisory."
        https://www.bleepingcomputer.com/news/security/oracle-patches-ebs-zero-day-exploited-in-clop-data-theft-attacks/
        https://www.oracle.com/security-alerts/alert-cve-2025-61882.html
        https://thehackernews.com/2025/10/oracle-rushes-patch-for-cve-2025-61882.html
        https://www.darkreading.com/application-security/clop-ransomware-oracle-customers-zero-day-flaw
        https://therecord.media/fbi-uk-urge-orgs-to-patch-after-clop-campaign
        https://www.securityweek.com/oracle-e-business-suite-zero-day-exploited-in-cl0p-attacks/
        https://www.theregister.com/2025/10/06/clop_oracle_ebs_zeroday/
        https://www.helpnetsecurity.com/2025/10/06/cl0p-oracle-data-theft-extortion-cve-2025-61882/
        https://cyberscoop.com/oracle-zero-day-clop/
        https://securityaffairs.com/183029/security/oracle-patches-critical-e-business-suite-flaw-exploited-by-cl0p-hackers.html
      • Redis Warns Of Critical Flaw Impacting Thousands Of Instances
        "The Redis security team has released patches for a maximum severity vulnerability that could allow attackers to gain remote code execution on thousands of vulnerable instances. Redis (short for Remote Dictionary Server) is an open-source data structure store used in approximately 75% of cloud environments, functioning like a database, cache, and message broker, and storing data in RAM for ultra-fast access. The security flaw (tracked as CVE-2025-49844) is caused by a 13-year-old use-after-free weakness found in the Redis source code and can be exploited by authenticated threat actors using a specially crafted Lua script (a feature enabled by default)."
        https://www.bleepingcomputer.com/news/security/redis-warns-of-max-severity-flaw-impacting-thousands-of-instances/
      • It's Never Simple Until It Is (Dell UnityVSA Pre-Auth Command Injection CVE-2025-36604)
        "Welcome back, and what a week! We’re glad that happened for you and/or sorry that happened to you. It will get better and/or worse, and you will likely survive. Today, we’re walking down the garden path and digging into the archives, publishing our analysis of a vulnerability we discovered and disclosed to Dell in March 2025 within their UnityVSA solution. As part of our continued enhancement of our Preemptive Exposure Management technology within the watchTowr Platform, we perform zero-day vulnerability research in technology that we see across the attack surfaces of organisations leveraging the watchTowr Platform. This enables proactive defence for our clients and provides forward visibility of vulnerabilities while we liaise with vendors and projects for suitable fixes."
        https://labs.watchtowr.com/its-never-simple-until-it-is-dell-unityvsa-pre-auth-command-injection-cve-2025-36604/
        https://hackread.com/dell-unityvsa-flaw-command-execution-without-login/
      • CVE-2025-59489: Arbitrary Code Execution In Unity Runtime
        "Hello, I’m RyotaK (@ryotkak), a security engineer at GMO Flatt Security Inc. In May 2025, I participated in the Meta Bug Bounty Researcher Conference 2025. During this event, I discovered a vulnerability (CVE-2025-59489) in the Unity Runtime that affects games and applications built on Unity 2017.1 and later. In this article, I will explain the technical aspects of this vulnerability and its impact. This vulnerability was disclosed to Unity following responsible disclosure practices."
        https://flatt.tech/research/posts/arbitrary-code-execution-in-unity-runtime/
        https://therecord.media/unity-game-engine-vulnerability-android-windows-linux-macos
        https://www.bleepingcomputer.com/news/security/steam-and-microsoft-warn-of-unity-flaw-exposing-gamers-to-attacks/
        https://www.securityweek.com/microsoft-and-steam-take-action-as-unity-vulnerability-puts-games-at-risk/
      • CISA Adds Seven Known Exploited Vulnerabilities To Catalog
        "CISA has added seven new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
        CVE-2010-3765 Mozilla Multiple Products Remote Code Execution Vulnerability
        CVE-2010-3962 Microsoft Internet Explorer Uninitialized Memory Corruption Vulnerability
        CVE-2011-3402 Microsoft Windows Remote Code Execution Vulnerability
        CVE-2013-3918 Microsoft Windows Out-of-Bounds Write Vulnerability
        CVE-2021-22555 Linux Kernel Heap Out-of-Bounds Write Vulnerability
        CVE-2021-43226 Microsoft Windows Privilege Escalation Vulnerability
        CVE-2025-61882 Oracle E-Business Suite Unspecified Vulnerability"
        https://www.cisa.gov/news-events/alerts/2025/10/06/cisa-adds-seven-known-exploited-vulnerabilities-catalog

      Malware

      • XWorm’s Evolving Infection Chain: From Predictable To Deceptive
        "A sophisticated and evolving prevalent XWorm backdoor campaign has recently been identified by the Trellix Advanced Research Center, marking a significant strategic shift in the malware's deployment. Previously, XWorm campaigns often relied on more predictable and somewhat discernible distribution mechanisms. However, the current campaign reveals a deliberate move towards more deceptive and intricate methods, designed to evade detection and increase the success rate of the malware."
        https://www.trellix.com/blogs/research/xworms-evolving-infection-chain-from-predictable-to-deceptive/
        https://www.bleepingcomputer.com/news/security/xworm-malware-resurfaces-with-ransomware-module-over-35-plugins/
      • How We Trained An ML Model To Detect DLL Hijacking
        "DLL hijacking is a common technique in which attackers replace a library called by a legitimate process with a malicious one. It is used by both creators of mass-impact malware, like stealers and banking Trojans, and by APT and cybercrime groups behind targeted attacks. In recent years, the number of DLL hijacking attacks has grown significantly."
        https://securelist.com/building-ml-model-to-detect-dll-hijacking/117565/
      • Detecting DLL Hijacking With Machine Learning: Real-World Cases
        "Our colleagues from the AI expertise center recently developed a machine-learning model that detects DLL-hijacking attacks. We then integrated this model into the Kaspersky Unified Monitoring and Analysis Platform SIEM system. In a separate article, our colleagues shared how the model had been created and what success they had achieved in lab environments. Here, we focus on how it operates within Kaspersky SIEM, the preparation steps taken before its release, and some real-world incidents it has already helped us uncover."
        https://securelist.com/detecting-dll-hijacking-with-machine-learning-in-kaspersky-siem/117567/
      • Investigating Active Exploitation Of CVE-2025-10035 GoAnywhere Managed File Transfer Vulnerability
        "On September 18, 2025, Fortra published a security advisory regarding a critical deserialization vulnerability in GoAnywhere MFT’s License Servlet, which is tracked as CVE-2025-10035 and has a CVSS score of 10.0. The vulnerability could allow a threat actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection and potential remote code execution (RCE). A cybercriminal group tracked by Microsoft Threat Intelligence as Storm-1175, known for deploying Medusa ransomware and exploiting public-facing applications for initial access, was observed exploiting the vulnerability."
        https://www.microsoft.com/en-us/security/blog/2025/10/06/investigating-active-exploitation-of-cve-2025-10035-goanywhere-managed-file-transfer-vulnerability/
        https://www.bleepingcomputer.com/news/security/microsoft-critical-goanywhere-bug-exploited-in-ransomware-attacks/
        https://therecord.media/medusa-ransomware-exploited-file-transfer
      • Phishers Target 1Password Users With Convincing Fake Breach Alert
        "In a very recent and well-targeted phishing attempt, scammers tried to get hold of the 1Password credentials belonging to a Malwarebytes’ employee. Stealing someone’s 1Password login would be like hitting the jackpot for cybercriminals, because they potentially export all the saved logins the target stored in the password manager. The phishing email looked like this:"
        https://www.malwarebytes.com/blog/news/2025/10/phishers-target-1password-users-with-convincing-fake-breach-alert
      • BIETA: A Technology Enablement Front For China's MSS
        "The Beijing Institute of Electronics Technology and Application (BIETA), a communications technology and information security research organization previously unexplored in public reporting, is almost certainly affiliated with China’s principal civilian intelligence service, the Ministry of State Security (MSS). Based on publicly available sources, it is very likely led by the MSS and likely a public front for the MSS First Research Institute. BIETA and its subsidiary, Beijing Sanxin Times Technology Co., Ltd. (CIII), research, develop, import, and sell technologies that almost certainly support intelligence, counterintelligence, military, and other missions relevant to China’s national development and security. Their activities include researching methods of steganography that can likely support covert communications (COVCOM) and malware deployment; developing and selling forensic investigation and counterintelligence equipment; and acquiring foreign technologies for steganography, network penetration testing, and military communications and planning."
        https://www.recordedfuture.com/research/bieta-technology-enablement-front-for-chinas-mss
        https://thehackernews.com/2025/10/new-report-links-research-firms-bieta.html
        https://www.darkreading.com/threat-intelligence/chinese-govt-fronts-cyber-tech
      • CN APT Targets Serbian Government
        "Last week, a targeted spearphish was sent to a governmental department in Serbia related to aviation. Upon further pivoting, we found similar activity at other European nations from the same threat actor. A core infosec truth, often overlooked, is that only CN threat actors leverage the sogu/plugx/korplug toolset for live intrusions, with rare exceptions of red teams/researchers playing around with builders on VT. Occasionally, an outlier motivation is financial, but the vast majority of the time it is espionage. These linkages have been reliable for over a decade."
        https://strikeready.com/blog/cn-apt-targets-serbian-government/
        https://therecord.media/suspected-chinese-spies-serbia
      • Scattered Lapsus$ Hunters Offering $10 In Bitcoin To 'endlessly Harass' Execs
        "Scattered Lapsus$ Hunters has launched an unusual crowdsourced extortion scheme, offering $10 in Bitcoin to anyone willing to help pressure their alleged victims into paying ransoms. The cybercrime collective is encouraging followers to email senior executives at organizations it claims to have breached, urging them to pay up and avoid publicity about the group's new data leak site. Those who contact executives through personal email accounts will receive higher rewards, and participants who perform "an exceptionally well job" [sic] may be considered for "a much larger sum," according to the group's announcement."
        https://www.theregister.com/2025/10/06/scattered_lapsus_bitcoin_reward/
      • FlipSwitch: a Novel Syscall Hooking Technique
        "Syscall hooking, particularly by overwriting pointers to syscall handlers, has been a cornerstone of Linux rootkits like Diamorphine and PUMAKIT, enabling them to hide their presence and control the flow of information. While other hooking mechanisms exist, such as ftrace and eBPF, each has its own pros and cons, and most have some form of limitation. Function pointer overwrites remain the most effective and simple way of hooking syscalls in the kernel."
        https://www.elastic.co/security-labs/flipswitch-linux-rootkit
      • TamperedChef: Malvertising To Credential Theft
        "TamperedChef is a sophisticated malware campaign that leveraged a convincing advertising campaign strategy and a fully functional decoy application to target European organizations. Disguised as a legitimate application such as a PDF editor, the malware operated with expected functionality for nearly two months before activating its payload to harvest browser credentials, impacting a significant number of systems. This campaign demonstrates how even well-defined organizations can be compromised by convincing, legitimate-looking software. The consequences are severe: credential theft, potential backdoor access, and the need for full remediation. Organizations must act quickly to identify and remove this threat."
        https://labs.withsecure.com/publications/tamperedchef
      • The Exploitation Of Legitimate Remote Access Tools In Modern Ransomware Campaigns
        "Ransomware is one of the most disruptive cyber threats, encrypting critical organizational data and demanding ransom payments for restoration. While early campaigns relied on mass phishing or opportunistic malware distribution, modern ransomware operations have evolved into highly sophisticated, targeted attacks. Today’s adversaries not only infect machines but also move laterally across networks, harvest credentials, neutralize defences, and maintain persistent control—all while remaining stealthy and evading detection."
        https://www.seqrite.com/blog/exploiting-legitimate-remote-access-tools-in-ransomware-campaigns/
      • Beware Of Threats Lurking In Booby-Trapped PDF Files
        "PDF files have become a staple of our daily digital lives, both at work and at home. They work seamlessly across operating systems and devices, and they couldn’t be easier to create and share. Every day, countless PDF (Portable Document Format) files are exchanged across inboxes and messaging platforms, and chances are, you’ve opened one today without a second thought. However, this all is also partly what makes PDFs the perfect disguise for all manner of threats. At first glance, PDF files seem about as benign as digital files get. To the naked eye, a malware-laced PDF or, indeed, another file type spreading under the guise of a PDF doesn’t necessarily look much different from an ordinary invoice, resume or government form."
        https://www.welivesecurity.com/en/malware/threats-lurking-pdf-files/

      Breaches/Hacks/Leaks

      • Data Breach At Doctors Imaging Group Impacts 171,000 People
        "Doctors Imaging Group, a radiology practice with locations in Palatka and Gainesville, Florida, is informing customers about a data breach that occurred nearly one year ago. According to a data breach notice posted on its website, hackers had access to Doctors Imaging Group’s network between November 5 and November 11, 2024. The attackers copied some files from compromised systems and the organization has been working on determining what type of information was stolen and who is impacted."
        https://www.securityweek.com/data-breach-at-doctors-imaging-group-impacts-171000-people/
      • Red Hat Data Breach Escalates As ShinyHunters Joins Extortion
        "Enterprise software giant Red Hat is now being extorted by the ShinyHunters gang, with samples of stolen customer engagement reports (CERs) leaked on their data leak site. News of the Red Hat data breach broke last week when a hacking group known as the Crimson Collective claimed to have stolen nearly 570GB of compressed data across 28,000 internal development repositories. This data allegedly includes approximately 800 Customer Engagement Reports (CERs), which can contain sensitive information about a customer's network, infrastructure, and platforms."
        https://www.bleepingcomputer.com/news/security/red-hat-data-breach-escalates-as-shinyhunters-joins-extortion/
      • I Called American Income Life Insurance To Alert Them To a Data Breach Involving 150,000 Customers. Here’s Why They Didn’t Find Out.
        "Paging the Federal Trade Commission to Aisle 5…. The Federal Trade Commission has repeatedly emphasized the importance of having a mechanism in place to receive data security alerts or concerns. American Income Life Insurance (“AILife”), headquartered in Waco, Texas, does not provide such information on its home page or anywhere else on the site that I could find. So I called their 800-number."
        https://databreaches.net/2025/10/06/i-called-american-income-life-insurance-to-alert-them-to-a-data-breach-involving-150000-customers-heres-why-they-didnt-find-out/
      • Pet Insurance Provider Exposed PII Of Humans And Pets In Data Breach
        "Cybersecurity Researcher, Jeremiah Fowler, discovered and reported to Website Planet about an unencrypted and non-password-protected database that contained 158 GB of data. The data included pet insurance claims, veterinary bills, and customer communications that detailed names, physical and email addresses, phone numbers, and partial credit card numbers."
        https://www.websiteplanet.com/news/rainwalk-pet-insurance-breach-report/
        https://hackread.com/rainwalk-pet-insurance-158-gb-customer-pet-data/

      General News

      • Old Authentication Habits Die Hard
        "Many organizations still rely on weak authentication methods while workers’ personal habits create additional risks, according to Yubico. 40% of employees said they have never received cybersecurity training. Even among those who have, the guidance is often outdated because many organizations wait months before updating their security policies. This delay leaves people unprepared. Employees who do not understand current risks are more likely to fall back on familiar habits, which attackers can exploit."
        https://www.helpnetsecurity.com/2025/10/06/weak-authentication-risks-in-organizations/
      • Phishing Is Old, But AI Just Gave It New Life
        "The volume of cyberattacks has reached staggering levels, with new tactics that blur the line between legitimate and malicious activity. A new threat report from Comcast, based on 34.6 billion cybersecurity events analyzed over the past year, shows what adversaries are doing and what this means for enterprise leaders. Attackers are no longer choosing between quick, noisy campaigns and careful, targeted ones. They are doing both at once. Automated scans and phishing runs create constant background pressure, while more skilled operators test defenses and move laterally inside networks."
        https://www.helpnetsecurity.com/2025/10/06/phishing-ai-enterprise-resilience-security/
      • Security Leaders At Okta And Zscaler Share Lessons From Salesloft Drift Attacks
        "When security researchers issued warnings about the Salesloft Drift issues last month, two prominent cybersecurity companies found themselves facing the same threat — but their stories ended up unfolding in different ways. Okta and Zscaler, among the larger players in the identity management space, were among the more than 700 Drift customers targeted in what has become one of the most significant supply chain attacks of the year. Within a week of Google security researchers’ warning about the incident, which targeted the widespread theft of Salesforce customer data, both companies went to work in figuring out how bad the damage would be."
        https://cyberscoop.com/okta-zscaler-security-leaders-salesloft-drift-attacks/
      • What To Look For In a Fractional CISO
        "Demand for fractional CISOs is growing, which is directly driven by the everyday security challenges businesses of all sizes and industries face. Organizations are finally becoming aware that threats are not only increasing but also growing in sophistication. Small and mid-sized businesses in particular are learning - sometimes the hard way - that opportunistic attackers will target them whenever they spot vulnerabilities in their defenses."
        https://www.bankinfosecurity.com/blogs/what-to-look-for-in-fractional-ciso-p-3947

      References
      Electronic Transactions Development Agency (ETDA)

      Posted in Cyber Security News by NCSA_THAICERT
    • Cybercrime group UAT-8099 uses hacked IIS servers worldwide for SEO fraud and theft of sensitive data


      You can follow the news on the webboard or on Facebook NCSA Thailand

    • Spyware found posing as the Signal and ToTok apps, targeting Android users in the United Arab Emirates


      You can follow the news on the webboard or on Facebook NCSA Thailand

    • Microsoft warns that a critical GoAnywhere MFT vulnerability is already being exploited in Medusa ransomware attacks


      You can follow the news on the webboard or on Facebook NCSA Thailand

    • Oracle confirms the Cl0p ransomware group attacked E-Business Suite customers through a zero-day vulnerability (CVE-2025-61882)


      You can follow the news on the webboard or on Facebook NCSA Thailand

    • Zimbra zero-day vulnerability exploited to attack the Brazilian military via malicious ICS files


      You can follow the news on the webboard or on Facebook NCSA Thailand

    • Scanning surges more than 500%, targeting Palo Alto Networks login portals


      You can follow the news on the webboard or on Facebook NCSA Thailand

    • Researchers warn of the “CometJacking” vulnerability in Perplexity’s AI browser: a single click could lead to data theft


      You can follow the news on the webboard or on Facebook NCSA Thailand

    • Discord discloses a data breach after hackers stole data from its customer support system


      You can follow the news on the webboard or on Facebook NCSA Thailand

    • Report finds “free VPNs” on iOS and Android risk leaking user data


      You can follow the news on the webboard or on Facebook NCSA Thailand

    • Cyber Threat Intelligence 06 October 2025

      Industrial Sector

      • 180,000 ICS/OT Devices And Counting: The Unforgivable Exposure
        "Remember when ICS malware was “rare”? Last year we got two new families built for one thing: disruption. FrostyGoop and Fuxnet are not Mirai with a wrench taped on or your typical DDoS botnet. They were built to target and disable devices that use Meter-bus and Modbus protocols, inflicting maximum damage. If you still believe that “our PLCs aren’t on the Internet,” then this is your nudge to actually go and check."
        https://www.bitsight.com/blog/the-growing-exposure-of-ics-ot-devices
        https://hackread.com/180000-ics-ot-devices-safety-concerns/

      Vulnerabilities

      • Chrome 141 And Firefox 143 Patches Fix High-Severity Vulnerabilities
        "Google and Mozilla this week released Chrome and Firefox browser updates that address multiple high-severity vulnerabilities. Google promoted Chrome 141 to the stable channel with 21 security fixes, including 12 for security defects reported by external researchers, who earned a total of $50,000 for their findings. Two of the externally reported bugs, tracked as CVE-2025-11205 and CVE-2025-11206, are high-severity heap buffer overflow issues impacting Chrome’s WebGPU and Video components."
        https://www.securityweek.com/chrome-141-and-firefox-143-patches-fix-high-severity-vulnerabilities/
      • CommetJacking Attack Tricks Comet Browser Into Stealing Emails
        "A new attack called 'CometJacking' exploits URL parameters to pass to Perplexity's Comet AI browser hidden instructions that allow access to sensitive data from connected services, like email and calendar. In a realistic scenario, no credentials or user interaction are required and a threat actor can leverage the attack by simply exposing a maliciously crafted URL to targeted users. Comet is an agentic AI browser that can autonomously browse the web and, depending on the access it has, assist users with various tasks, such as managing emails, shopping for specific products, filling forms, or booking tickets."
        https://www.bleepingcomputer.com/news/security/commetjacking-attack-tricks-comet-browser-into-stealing-emails/
        https://thehackernews.com/2025/10/cometjacking-one-click-can-turn.html

      Malware

      • Palo Alto Scanning Surges ~500% In 48 Hours, Marking 90-Day High
        "On October 3, 2025, GreyNoise observed a ~500% increase in IPs scanning Palo Alto Networks login portals, the highest level recorded in the past 90 days."
        https://www.greynoise.io/blog/palo-alto-scanning-surges
        https://www.bleepingcomputer.com/news/security/massive-surge-in-scans-targeting-palo-alto-networks-login-portals/
        https://thehackernews.com/2025/10/scanning-activity-on-palo-alto-networks.html
        https://securityaffairs.com/182939/hacking/greynoise-detects-500-surge-in-scans-targeting-palo-alto-networks-portals.html
      • Self-Propagating Malware Spreading Via WhatsApp, Targets Brazilian Users
        "Trend™ Research is currently investigating an aggressive malware campaign that leverages online instant messaging platform WhatsApp as its primary infection vector. Unlike traditional attacks focused on theft or ransomware, this campaign is engineered for speed and propagation, abusing social trust and automation to spread among Windows users. Trend Research analysis identifies the campaign as Water Saci, with the WhatsApp malware identified as SORVEPOTEL. Currently, it is most active in Brazil."
        https://www.trendmicro.com/en_us/research/25/j/self-propagating-malware-spreads-via-whatsapp.html
        https://thehackernews.com/2025/10/researchers-warn-of-self-spreading.html
      • Cavalry Werewolf Raids Russia’s Public Sector With Trusted Relationship Attacks
        "BI.ZONE Threat Intelligence recorded Cavalry Werewolf activity from May to August 2025. In order to gain initial access, the attackers sent out targeted phishing emails disguising them as official correspondence from Kyrgyz government officials. The main targets of the attacks were Russian state agencies, as well as energy, mining, and manufacturing enterprises. Cavalry Werewolf relied on the malware of its own design: FoalShell reverse shells and StallionRAT (remote access trojans) controlled via Telegram."
        https://bi.zone/eng/expertise/blog/cavalry-werewolf-atakuet-rossiyu-cherez-doveritelnye-otnosheniya-mezhdu-gosudarstvami/
        https://thehackernews.com/2025/10/new-cavalry-werewolf-attack-hits.html
      • WARMCOOKIE One Year Later: New Features And Fresh Insights
        "Elastic Security Labs continues to track developments in the WARMCOOKIE codebase, uncovering new infrastructure tied to the backdoor. Since our original post, we have been observing ongoing updates to the code family and continued activity surrounding the backdoor, including new infections and its use with emerging loaders. A recent finding by the IBM X-Force team highlighted a new Malware-as-a-Service (MaaS) loader, dubbed CASTLEBOT, distributing WARMCOOKIE. In this article, we will review new features added to WARMCOOKIE since its initial publication. Following this, we’ll present the extracted configuration information from various samples."
        https://www.elastic.co/security-labs/revisiting-warmcookie
      • 0day .ICS Attack In The Wild
        "Earlier in 2025, an apparent sender from 193.29.58.37 spoofed the Libyan Navy’s Office of Protocol to send a then-zero-day exploit in Zimbra’s Collaboration Suite, CVE-2025-27915, targeting Brazil’s military. This leveraged a malicious .ICS file, a popular calendar format. The exploitation of Zimbra, Roundcube, and similar open-source collaboration tools, directly over email, is rare. Although actors do compromise the servers in broad campaigns, and attackers frequently leverage these tools as lures, actually exploiting a vulnerability in them with an email attachment is a thread worth pulling on."
        https://strikeready.com/blog/0day-ics-attack-in-the-wild/
        https://www.bleepingcomputer.com/news/security/hackers-exploited-zimbra-flaw-as-zero-day-using-icalendar-files/
      • Ghost In The Cloud: Weaponizing AWS X-Ray For Command & Control
        "I’ve been using MeetC2 in my RedTeam campaigns for months now, and with the amazing feedback from the community, I planned to publish a new toolkit (XRayC2). I always enjoy working on initial access evasion against traditional network defenses. In this, we used AWS X-Ray Amazon’s distributed application tracing service as a covert communication channel. This technique leverages legitimate cloud monitoring infrastructure to establish bidirectional C2 communication."
        https://securityaffairs.com/182968/hacking/ghost-in-the-cloud-weaponizing-aws-x-ray-for-command-control.html

      Breaches/Hacks/Leaks

      • Discord Discloses Data Breach After Hackers Steal Support Tickets
        "Hackers stole partial payment information and personally identifiable data, including names and government-issued IDs, from some Discord users after compromising a third-party customer service provider. The attack occurred on September 20 and affected “a limited number of users” who interacted with Discord’s customer support and/or Trust and Safety teams. Discord was created as a communication platform for gamers, who represent more than 90% of the userbase, but expanded to various other communities, allowing text messages, voice chats, and video calls."
        https://www.bleepingcomputer.com/news/security/discord-discloses-data-breach-after-hackers-steal-support-tickets/
        https://hackread.com/discord-data-breach-hackers-ids-billing-support-chats/
      • Japanese Beer Giant Asahi Confirms Ransomware Attack
        "Japanese beer-making giant Asahi has disclosed today that a ransomware attack caused the IT disruptions that forced it to shut down factories this week. The Tokyo-based beverage holding company is the largest beer brewer in Japan, employing 30,000 people and producing 100 million hectoliters of beverages. The company also owns the Peroni, Pilsner Urquell, Grolsch, and Fullers brands, and it reported an annual revenue of nearly $20 billion in 2024. Asahi revealed in a statement today that a cyberattack disclosed on Monday led to the deployment of ransomware on its network and that a subsequent investigation has also found evidence of data theft from compromised devices."
        https://www.bleepingcomputer.com/news/security/japanese-beer-giant-asahi-confirms-ransomware-attack/
      • ShinyHunters Launches Salesforce Data Leak Site To Extort 39 Victims
        "An extortion group has launched a new data leak site to publicly extort dozens of companies impacted by a wave of Salesforce breaches, leaking samples of data stolen in the attacks. The threat actors responsible for these attacks claim to be part of the ShinyHunters, Scattered Spider, and Lapsus$ groups, collectively referring to themselves as "Scattered Lapsus$ Hunters." Today, they launched a new data leak site containing 39 companies impacted by the attacks. Each entry includes samples of data allegedly stolen from victims' Salesforce instances, and warns the victims to reach out to "prevent public disclosure" of their data before the October 10 deadline is reached."
        https://www.bleepingcomputer.com/news/security/shinyhunters-starts-leaking-data-stolen-in-salesforce-attacks/
        https://databreaches.net/2025/10/03/more-salesforce-customer-attacks-revealed-in-new-leak-site-by-scattered-lapsus-hunters/
        https://therecord.media/salesforce-scattered-spider-extortion-site
        https://www.darkreading.com/cyberattacks-data-breaches/scattered-lapsus-hunters-returns-salesforce-leak-site
        https://www.bankinfosecurity.com/ransomware-group-debuts-salesforce-customer-data-leak-site-a-29636
        https://hackread.com/scattered-lapsus-hunters-salesforce-breach/
        https://securityaffairs.com/182918/cyber-crime/shinyhunters-launches-data-leak-site-trinity-of-chaos-announces-new-ransomware-victims.html
      • Oracle Links Clop Extortion Attacks To July 2025 Vulnerabilities
        "Oracle has linked an ongoing extortion campaign claimed by the Clop ransomware gang to E-Business Suite (EBS) vulnerabilities that were patched in July 2025. While the company has yet to attribute the attack to this ransomware operation, Rob Duhart, the Chief Security Officer of Oracle, confirmed that customers had received extortion emails from the gang. Duhart also urged Oracle customers to update their software and advised those requiring further assistance to contact the Oracle support team."
        https://www.bleepingcomputer.com/news/security/oracle-links-clop-extortion-attacks-to-july-security-flaws/
        https://therecord.media/oracle-links-extortion-campaign-to-patched-vulnerabilities
        https://www.cybereason.com/blog/oracle-ebs-extortion-cl0p
        https://www.bankinfosecurity.com/oracle-sees-no-zero-day-exploits-tied-to-customer-extortion-a-29633
        https://www.infosecurity-magazine.com/news/hackers-flaws-oracle-ebs/
        https://www.securityweek.com/oracle-says-known-vulnerabilities-possibly-exploited-in-recent-extortion-attacks/
        https://www.theregister.com/2025/10/03/oracle_ebs_clop_extortion/
      • From Threats To Apology, Hackers Pull Child Data Offline After Public Backlash
        "Last week we yelled at some “hackers” that threatened parents after stealing data from their children’s nursery. This followed a BBC report that a group calling itself “Radiant” claimed to have stolen sensitive data related to around 8,000 children from nursery chain Kido, which operates in the UK, US, China, and India. To prove their possession of the data, the criminals posted samples on their darknet website, including pictures and profiles of ten children. They then issued a ransom demand to Kido, threatening to release more sensitive data unless they were paid."
        https://www.malwarebytes.com/blog/news/2025/10/from-threats-to-apology-hackers-pull-child-data-offline-after-public-backlash

      General News

      • When Loading a Model Means Loading An Attacker
        "You probably think twice before downloading a random app or opening an unfamiliar email attachment. But how often do you stop to consider what happens when your team downloads and loads a machine learning model? A recent study shows why you should. Researchers from Politecnico di Milano found that loading a shared model can be just as risky as running untrusted code. In their tests, they uncovered six previously unknown flaws in popular machine learning tools. Each one could let an attacker take control of a system the moment a model is loaded."
        https://www.helpnetsecurity.com/2025/10/03/research-ai-model-security-risks/
        https://arxiv.org/pdf/2509.06703
      • 4 Ways To Use Time To Level Up Your Security Monitoring
        "SIEMs excel at correlating events and firing alerts, but their ingest pipelines can get overwhelmed when scaled. And because most SIEMs rely on general-purpose log storage platforms, even with lower-cost archive tiers, long-term retention at full fidelity remains expensive, forcing teams to choose between visibility and budget. With AI making the threat landscape more complex and the government issuing mandates requiring companies to report incidents quickly, defenders need tools that help them spot and interpret events faster. The key to doing this is speaking a universal language: time. Time isn’t just a dimension of data. It’s the organizing principle of security operations, turning raw telemetry into a narrative that both humans and machine learning models can reason about."
        https://www.helpnetsecurity.com/2025/10/03/security-monitoring-system/
      • Passkeys Rise, But Scams Still Hit Hard In 2025
        "Americans are dealing with a growing wave of digital scams, and many are losing money in the process. According to the fourth annual Consumer Cyber Readiness Report, nearly half of U.S. adults have been targeted by cyberattacks or scams, and one in ten lost money as a result. The survey found that text and messaging apps have become a growing source of scams. Three in ten people who experienced a cyberattack or scam said it began with a text message or a messaging app like WhatsApp or iMessage. That is up sharply from 20 percent last year."
        https://www.helpnetsecurity.com/2025/10/03/digital-scam-trends-2025/
      • AI Hype Hits a Wall When The Data Doesn’t Deliver
        "Companies are pouring money into AI for IT operations, but most projects are still far from maturity. A global survey of 1,200 business leaders, IT leaders, and technical specialists found that while spending and confidence are rising, only 12% of AI initiatives have been fully deployed. The report, authored by Riverbed, suggests that optimism at the executive level is colliding with challenges in data quality, tool complexity, and everyday IT performance."
        https://www.helpnetsecurity.com/2025/10/03/it-operations-ai-strategies/
      • Manufacturing Under Fire: Strengthening Cyber-Defenses Amid Surging Threats
        "Manufacturers face a unique mix of risk: they have an extremely low tolerance for downtime, they sit at the heart of extensive and often complex supply chains, and their competitive advantage is often built on high-value intellectual property (IP), including proprietary designs and trade secrets. That’s a combination that should be ringing alarm bells for IT and security leaders working in the sector. Meanwhile, the nature of modern attacks has also become increasingly complex, sophisticated and relentless. Threat actors often combine technical exploits with social engineering and credential theft, and aim to remain undetected for long periods, gathering intelligence and mapping systems before striking."
        https://www.welivesecurity.com/en/business-security/manufacturing-fire-strengthening-cyber-defenses-surging-threats/

References
Electronic Transactions Development Agency (ETDA)

Posted in Cyber Security News
      NCSA_THAICERT
    • Cyber Threat Intelligence 03 October 2025

      Energy Sector

      • The Energy Sector Is Ground Zero For Global Cyber Activity
        "A new study from the Karlsruhe Institute of Technology shows how geopolitical tensions shape cyberattacks on power grids, fuel systems, and other critical infrastructure. Researchers reviewed major cyber threat databases including MITRE ATT&CK Groups, CSIS, ThaiCERT, Malpedia, EuRepoC, and the AI Incident Database. Each source reports information differently. Some use structured formats like JSON or tables that are easy to analyze. Others rely on long descriptive text that is harder to process. In some cases, geography is missing entirely."
        https://www.helpnetsecurity.com/2025/10/02/geopolitics-energy-sector-cyberattacks-target/

      Industrial Sector

      • Raise3D Pro2 Series 3D Printers
        "Successful exploitation of this vulnerability could result in data exfiltration and compromise of the target device."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-275-01
      • Hitachi Energy MSM Product
        "Successful exploitation of these vulnerabilities could allow HTML injection via the name parameter or an assertion failure in fuzz_binary_decode, resulting in a crash."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-275-02

      New Tooling

• Checkov: Open-Source Static Code Analysis Tool
        "Checkov is an open-source tool designed to help teams secure their cloud infrastructure and code. At its core, it’s a static code analysis tool for infrastructure as code (IaC), but it also goes a step further by providing software composition analysis (SCA) for container images and open source packages. With Checkov, you can scan just about any cloud infrastructure setup, whether you’re using Terraform, CloudFormation, AWS SAM, Kubernetes, Helm charts, Kustomize, Dockerfiles, Serverless, Bicep, OpenAPI, ARM templates, or OpenTofu. It uses graph-based scanning to uncover security risks and compliance misconfigurations before they make their way into production."
        https://www.helpnetsecurity.com/2025/10/02/chekov-open-source-static-code-analysis-tool-iac/
        https://github.com/bridgecrewio/checkov

      Vulnerabilities

      • Insecure Mobile VPNs: The Hidden Danger
        "Virtual Private Networks (VPNs) are trusted by millions to protect privacy, secure communications, and enable remote access on their mobile device. But what if the very apps designed to safeguard your data are riddled with flaws? While headlines have often highlighted the risks of VPNs linked to high-risk jurisdictions, a broad-scale security and privacy analysis by Zimperium zLabs of 800 free VPN apps for both Android and iOS reveals the threat is far more widespread."
        https://zimperium.com/blog/insecure-mobile-vpns-the-hidden-danger
        https://www.infosecurity-magazine.com/news/free-vpn-apps-security-flaws/
      • CISA Adds Five Known Exploited Vulnerabilities To Catalog
        "CISA has added five new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
        CVE-2014-6278 GNU Bash OS Command Injection Vulnerability
        CVE-2015-7755 Juniper ScreenOS Improper Authentication Vulnerability
        CVE-2017-1000353 Jenkins Remote Code Execution Vulnerability
        CVE-2025-4008 Smartbedded Meteobridge Command Injection Vulnerability
        CVE-2025-21043 Samsung Mobile Devices Out-of-Bounds Write Vulnerability"
        https://www.cisa.gov/news-events/alerts/2025/10/02/cisa-adds-five-known-exploited-vulnerabilities-catalog
      • DrayTek Warns Of Remote Code Execution Bug In Vigor Routers
"Networking hardware maker DrayTek released an advisory to warn about a security vulnerability in several Vigor router models that could allow remote, unauthenticated actors to execute arbitrary code. The flaw, tracked as CVE-2025-10547, was reported to the vendor on July 22 by ChapsVision security researcher Pierre-Yves Maes. "The vulnerability can be triggered when unauthenticated remote attackers send crafted HTTP or HTTPS requests to the device's Web User Interface (WebUI)," reads DrayTek's security advisory."
        https://www.bleepingcomputer.com/news/security/draytek-warns-of-remote-code-execution-bug-in-vigor-routers/
        https://www.draytek.com/about/security-advisory/use-of-uninitialized-variable-vulnerabilities

      Malware

      • New Spyware Campaigns Target Privacy-Conscious Android Users In The UAE
        "ESET researchers have uncovered two Android spyware campaigns targeting individuals interested in secure communication apps, namely Signal and ToTok. These campaigns distribute malware through deceptive websites and social engineering and appear to target residents of the United Arab Emirates (UAE). Our investigation led to the discovery of two previously undocumented spyware families – Android/Spy.ProSpy, impersonating upgrades or plugins for the Signal and ToTok messaging apps; and Android/Spy.ToSpy, impersonating the ToTok app."
        https://www.welivesecurity.com/en/eset-research/new-spyware-campaigns-target-privacy-conscious-android-users-uae/
        https://github.com/eset/malware-ioc/tree/master/prospytospy
        https://thehackernews.com/2025/10/warning-beware-of-android-spyware.html
        https://www.bleepingcomputer.com/news/security/android-spyware-campaigns-impersonate-signal-and-totok-messengers/
        https://www.darkreading.com/cyberattacks-data-breaches/android-spyware-uae-spyware
        https://therecord.media/researchers-spyware-uae-infections
        https://www.helpnetsecurity.com/2025/10/02/android-spyware-signal-totok/
        https://cyberscoop.com/android-spyware-disguised-as-legitimate-messaging-apps-targets-uae-victims-researchers-reveal/
      • UAT-8099: Chinese-Speaking Cybercrime Group Targets High-Value IIS For SEO Fraud
        "In April 2025, Cisco Talos identified a Chinese-speaking cybercrime group, tracked as UAT-8099, which targets a broad range of vulnerable IIS servers across specific regions. This group focuses on high-value IIS servers that have a good reputation within these areas to manipulate search engine results for financial gain. UAT-8099 operates as a cybercrime group conducting SEO fraud. Additionally, UAT-8099 uses Remote Desktop Protocol (RDP) to access IIS servers and search for valuable data such as logs, credentials, configuration files and sensitive certificates, which they package for possible resale or further exploitation."
        https://blog.talosintelligence.com/uat-8099-chinese-speaking-cybercrime-group-seo-fraud/
      • Amazon Prime Day 2025: The Dark Side Of Deals
        "Amazon’s Fall Prime Day not only kicks off the holiday shopping season with deals too good to ignore, it also creates one of the biggest opportunities of the year for cyber criminals. As millions of consumers flock online for deals, attackers launch phishing scams, fake domains, and malicious emails designed to steal Amazon credentials and payment information. Check Point Research has uncovered a surge in Amazon Prime Day scams this September, showing how attackers continue to weaponize urgency and trust."
        https://blog.checkpoint.com/research/amazon-prime-day-2025-the-dark-side-of-deals/
      • Confucius Espionage: From Stealer To Backdoor
        "The Confucius group is a long-running cyber-espionage actor operating primarily across South Asia. First identified in 2013, the group is believed to have links to state-sponsored operations in the region. Over the past decade, Confucius has repeatedly targeted government agencies, military organizations, defense contractors, and critical industries—especially in Pakistan—using spear-phishing and malicious documents as initial access vectors. Recent campaigns have highlighted a sharp evolution in tactics, shifting from document stealers like WooperStealer to Python-based backdoors such as AnonDoor. This progression underscores Confucius’ adaptability and the growing sophistication of state-aligned malware campaigns in the region."
        https://www.fortinet.com/blog/threat-research/confucius-espionage-from-stealer-to-backdoor
        https://www.darkreading.com/threat-intelligence/south-asian-cyberspy-evolves-stealers-backdoors
        https://thehackernews.com/2025/10/confucius-hackers-hit-pakistan-with-new.html
        https://www.infosecurity-magazine.com/news/confucius-shifts-doc-stealers/
      • Check Your Socks - A Deep Dive Into Soopsocks PyPI Package
        "JFrog's security research team actively monitors open-source repositories like PyPI for malicious packages, uncovering threats to protect the software supply chain. Our team found a package exhibiting malware-like behaviour, that may pose a threat to organizational security. Even though promising some of the capabilities up front, we suspected the package, which led us to investigate further. This report details its persistence mechanisms, network reconnaissance capabilities, and multiple deployment vectors shown in the different versions evolution of the package."
        https://research.jfrog.com/post/check-your-socks-a-deep-dive-into-soopsocks-pypi/
        https://thehackernews.com/2025/10/alert-malicious-pypi-package-soopsocks.html
      • Rhadamanthys 0.9.x – Walk Through The Updates
        "Rhadamanthys is a complex, multi-modular malware sold on the underground market since September 2022. It was first advertised by the actor “kingcrete2022.” From the outset, its design showed the hallmarks of experienced developers, and analysis soon revealed that it drew heavily from an earlier project by the same authors, Hidden Bee [1]. This strong foundation helped Rhadamanthys quickly gain traction: from a niche product, it grew into one of the dominant stealers in cybercrime campaigns and has even attracted interest from more advanced threat actors."
        https://research.checkpoint.com/2025/rhadamanthys-0-9-x-walk-through-the-updates/

      Breaches/Hacks/Leaks

      • Clop Extortion Emails Claim Theft Of Oracle E-Business Suite Data
        "Mandiant and Google are tracking a new extortion campaign where executives at multiple companies received emails claiming that sensitive data was stolen from their Oracle E-Business Suite systems. According to Genevieve Stark, Head of Cybercrime and Information Operations Intelligence Analysis at GTIG, the campaign began in late September. "This activity began on or before September 29, 2025, but Mandiant's experts are still in the early stages of multiple investigations, and have not yet substantiated the claims made by this group," Stark said. Charles Carmakal, CTO of Mandiant – Google Cloud, stated that the extortion emails are being sent from a large number of compromised email accounts."
        https://www.bleepingcomputer.com/news/security/clop-extortion-emails-claim-theft-of-oracle-e-business-suite-data/
        https://thehackernews.com/2025/10/google-mandiant-probes-new-oracle.html
        https://therecord.media/possible-clop-campaign-extortion-executives-stolen-data
        https://cyberscoop.com/clop-claims-oracle-customers-data-theft/
        https://cyberscoop.com/extortion-email-clop-oracle-customers/
        https://www.securityweek.com/cybercriminals-claim-theft-of-data-from-oracle-e-business-suite-customers/
        https://www.helpnetsecurity.com/2025/10/02/oracle-ebs-data-theft-extortion/
        https://www.theregister.com/2025/10/02/clop_oracle_extortion/
        https://www.bankinfosecurity.com/extortionists-claim-mass-oracle-e-business-suite-data-theft-a-29620
        https://www.infosecurity-magazine.com/news/extortion-emails-executives-clop/
      • Red Hat Confirms Security Incident After Hackers Breach GitLab Instance
"An extortion group calling itself the Crimson Collective claims to have stolen nearly 570GB of compressed data across 28,000 internal development repositories, with the company confirming it was a breach of one of its GitLab instances. This data allegedly includes approximately 800 Customer Engagement Reports (CERs), which can contain sensitive information about a customer's network and platforms. A CER is a consulting document prepared for clients that often contains infrastructure details, configuration data, authentication tokens, and other information that could be abused to breach customer networks."
        https://www.bleepingcomputer.com/news/security/red-hat-confirms-security-incident-after-hackers-breach-gitlab-instance/
        https://www.darkreading.com/application-security/red-hat-widespread-breaches-private-gitlab-repositories
        https://securityaffairs.com/182866/data-breach/cybercrime-group-claims-to-have-breached-red-hat-s-private-github-repositories.html
        https://www.theregister.com/2025/10/02/cybercrims_claim_raid_on_28000/
        https://cyberscoop.com/red-hat-gitlab-attack-consulting-data/
        https://www.helpnetsecurity.com/2025/10/02/hackers-red-hat-github-breached-customer-data-stolen/
      • Renault UK Customer Records Stolen In Third-Party Breach
        "Renault UK is informing customers that their personal data may have been compromised following a cyberattack on one of its third-party service providers. In an email sent to customers and seen by Hackread.com, the automaker says that while its own systems were not breached, attackers gained access via the external provider."
        https://hackread.com/renault-uk-customers-third-party-data-breach/

      General News

      • Building a Mature Automotive Cybersecurity Program Beyond Checklists
        "In this Help Net Security interview, Robert Sullivan, CIO & CISO at Agero, shares his perspective on automotive cybersecurity. He discusses strategies for developing mature security programs, meeting regulatory requirements, and addressing supply chain risks. Sullivan also looks ahead to how AI and other emerging technologies will shape the future of cybersecurity."
        https://www.helpnetsecurity.com/2025/10/02/robert-sullivan-agero-automotive-cybersecurity-strategies/
      • Biotech Platforms Keep Missing The Mark On Security Fundamentals
        "A new security posture report on the biotech sector shows how quickly attackers could reach sensitive health data with only basic reconnaissance. Researchers needed less than two hours per company to uncover exposed genomic records, unprotected APIs, and misconfigured systems, according to Sekurno."
        https://www.helpnetsecurity.com/2025/10/02/biotech-security-gaps-report/
      • Small Businesses And Ransomware: Navigating The AI Era Threat
        "Ransomware has evolved from a niche hacker tactic into a mainstream threat, and small businesses are increasingly in the crosshairs. While large enterprises have resources to invest in cybersecurity teams, threat intelligence, and AI-driven defence tools, many small businesses remain underprotected. In 2025, ransomware attacks will become faster, more automated, and more sophisticated thanks to artificial intelligence. This means that small business owners must understand the threat landscape and implement practical defences."
        https://hackread.com/small-businesses-ransomware-the-ai-era-threat/
      • Forrester: Agentic AI-Powered Breach Will Happen In 2026
        "An agentic AI deployment will cause a publicly disclosed data breach next year, leading to employee dismissals, Forrester has predicted. Senior analyst Paddy Harrington noted that generative AI (GenAI) has already been responsible for several breaches since it burst onto the scene three years ago. “As companies begin building agentic AI workflows, these issues will only become more prevalent,” he added in a blog post yesterday."
        https://www.infosecurity-magazine.com/news/forrester-agentic-ai-breach-2026/
      • Phishing Is Moving From Email To Mobile. Is Your Security?
        "Email security has long dominated the enterprise security conversation — and rightfully so. It remains a key vector for phishing, credential theft, and social engineering. But in 2025, the threat landscape has shifted. Quietly yet decisively, attackers increasingly are bypassing the inbox and expanding their reach across multiple channels. Recent data from TechMagic shows that 41% of phishing incidents now employ multichannel tactics, including SMS (smishing), voice calls (vishing), and QR codes (quishing). The trend is clear: While email still matters, adversaries are shifting to mobile-first platforms like text, iMessage, WhatsApp, and social direct messages. These attacks are harder to spot, more difficult to control, and more likely to succeed, because they target the most vulnerable point in the chain: the human behind the screen."
        https://www.darkreading.com/cyber-risk/phishing-moving-email-mobile-is-your-security
      • There Are More CVEs, But Cyber Insurers Aren't Altering Policies
        "The showman P.T. Barnum said, "There's a sucker born every minute." Had he been a cybersecurity expert, he might have changed that to say, "There's a cybersecurity vulnerability published every 12 minutes," and he'd not have been far off. When it comes to insuring against cyber risk, some insurance carriers and brokers take a proactive, collaborative approach to help policyholders mitigate their risk, while others opt for a more assertive stance by penalizing policyholders for not promptly patching vulnerabilities. Getting the right balance of risk and coverage is largely left to the companies themselves."
        https://www.darkreading.com/cyber-risk/more-cves-cyber-insurers-arent-altering-policies
      • Silent Push Examines The Dark Side Of Dynamic DNS Providers
        "New research developed by Silent Push Threat Analysts has been compiled into a set of exclusive exports, enabling organizations to track approximately 70,000 domains that rent subdomains, also referred to as “Dynamic DNS” providers. These types of web hosts can be of concern because they allow anyone—malicious or otherwise—to register subdomains and host their own content on them. Typically, DNS records are also automatically managed by the service that rents the subdomains, though this is not the case with all publicly rentable subdomains."
        https://www.silentpush.com/blog/dynamic-dns-providers/

References
Electronic Transactions Development Agency (ETDA)

Posted in Cyber Security News
      NCSA_THAICERT
    • Cyber Threat Intelligence 02 October 2025

      Vulnerabilities

      • Red Hat OpenShift AI Flaw Exposes Hybrid Cloud Infrastructure To Full Takeover
        "A severe security flaw has been disclosed in the Red Hat OpenShift AI service that could allow attackers to escalate privileges and take control of the complete infrastructure under certain conditions. OpenShift AI is a platform for managing the lifecycle of predictive and generative artificial intelligence (GenAI) models at scale and across hybrid cloud environments. It also facilitates data acquisition and preparation, model training and fine-tuning, model serving and model monitoring, and hardware acceleration. The vulnerability, tracked as CVE-2025-10725, carries a CVSS score of 9.9 out of a maximum of 10.0. It has been classified by Red Hat as "Important" and not "Critical" in severity owing to the need for a remote attacker to be authenticated in order to compromise the environment."
        https://thehackernews.com/2025/10/critical-red-hat-openshift-ai-flaw.html
        https://access.redhat.com/security/cve/cve-2025-10725
        https://www.theregister.com/2025/10/01/critical_red_hat_openshift_ai_bug/
      • TOTOLINK X6000R: Three New Vulnerabilities Uncovered
        "We have uncovered three vulnerabilities in the firmware of the TOTOLINK X6000R router, version V9.4.0cu.1360_B20241207, released on March 28, 2025"
        https://unit42.paloaltonetworks.com/totolink-x6000r-vulnerabilities/
      • OpenSSL Vulnerabilities Allow Private Key Recovery, Code Execution, DoS Attacks
        "The OpenSSL Project has announced the availability of several new versions of the open source SSL/TLS toolkit, which include patches for three vulnerabilities. Versions 3.5.4, 3.4.3, 3.3.5, 3.2.6, 3.0.18, 1.0.2zm and 1.1.1zd of the OpenSSL Library have been released. Most of them fix all three vulnerabilities, tracked as CVE-2025-9230, CVE-2025-9231 and CVE-2025-9232. Two of the vulnerabilities have been assigned a ‘moderate severity’ rating. One of them is CVE-2025-9231, which may allow an attacker to recover the private key."
        https://www.securityweek.com/openssl-vulnerabilities-allow-private-key-recovery-code-execution-dos-attacks/
        https://openssl-library.org/news/secadv/20250930.txt
        https://securityaffairs.com/182845/security/openssl-patches-3-vulnerabilities-urging-immediate-updates.html
      • OneLogin, Many Secrets: Clutch Uncovers Critical API Vulnerability Exposing Client Credentials
        "Clutch Security has identified a critical security vulnerability in OneLogin's API that exposed sensitive OIDC (OpenID Connect) application client secrets through the standard application listing endpoint. This vulnerability, tracked as with a CVSS base score of 7.7 (High severity), allowed attackers with valid API credentials to enumerate and retrieve client secrets for all OIDC applications within an organization's OneLogin tenant."
        https://www.clutch.security/blog/onelogin-many-secrets-clutch-uncovers-vulnerability-exposing-client-credentials
        https://thehackernews.com/2025/10/onelogin-bug-let-attackers-use-api-keys.html
      • Nvidia And Adobe Vulnerabilities
        "Cisco Talos’ Vulnerability Discovery & Research team recently disclosed five vulnerabilities in Nvidia and one in Adobe Acrobat. The vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in adherence to Cisco’s third-party vulnerability disclosure policy. For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website."
        https://blog.talosintelligence.com/nvidia-and-adobe-vulnerabilities/
      • New WireTap Attack Extracts Intel SGX ECDSA Key Via DDR4 Memory-Bus Interposer
        "In yet another piece of research, academics from Georgia Institute of Technology and Purdue University have demonstrated that the security guarantees offered by Intel's Software Guard eXtensions (SGX) can be bypassed on DDR4 systems to passively decrypt sensitive data. SGX is designed as a hardware feature in Intel server processors that allows applications to be run in a Trusted Execution Environment (TEE). It essentially isolates trusted code and resources within what's called enclaves, preventing attackers from viewing their memory or CPU state. In doing so, the mechanism ensures that the data stays confidential even when the underlying operating system has been tampered with or compromised by other means. However, the latest findings show the limitations of SGX."
        https://thehackernews.com/2025/10/new-wiretap-attack-extracts-intel-sgx.html
        https://wiretap.fail/

      Malware

      • Forensic Journey: Hunting Evil Within AmCache
        "When it comes to digital forensics, AmCache plays a vital role in identifying malicious activities in Windows systems. This artifact allows the identification of the execution of both benign and malicious software on a machine. It is managed by the operating system, and at the time of writing this article, there is no known way to modify or remove AmCache data. Thus, in an incident response scenario, it could be the key to identifying lost artifacts (e.g., ransomware that auto-deletes itself), allowing analysts to search for patterns left by the attacker, such as file names and paths. Furthermore, AmCache stores the SHA-1 hashes of executed files, which allows DFIR professionals to search public threat intelligence feeds — such as OpenTIP and VirusTotal — and generate rules for blocking this same file on other systems across the network."
        https://securelist.com/amcache-forensic-artifact/117622/
      • Ukraine Warns Of CABINETRAT Backdoor + XLL Add-Ins Spread Via Signal ZIPs
        "The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of new targeted cyber attacks in the country using a backdoor called CABINETRAT. The activity, observed in September 2025, has been attributed to a threat cluster it tracks as UAC-0245. The agency said it spotted the attack following the discovery of software tools taking the form of XLL files, which refer to Microsoft Excel add-ins that are typically used to extend the functionality of Excel with custom functions. Further investigation has uncovered that the XLL files are distributed within ZIP archives shared on the Signal messaging app, disguised as a document concerning the detention of individuals who had attempted to cross the Ukrainian border."
        https://thehackernews.com/2025/10/ukraine-warns-of-cabinetrat-backdoor.html
      • Detour Dog: DNS Malware Powers Strela Stealer Campaigns
        "Tens of thousands of websites worldwide are infected with malware that utilizes the Domain Name System (DNS) to conditionally redirect visitors to malicious content. These DNS requests are made server-side, meaning from the website itself, and are not visible to the visitor. We have tracked the threat actor that operates this malware since August 2023. The malicious name server conditionally instructs the website to redirect the visitor based on their location and device type. While traditionally these redirects led to scams, the malware has evolved recently to execute remote content through the DNS-based command-and-control (C2) system. We are tracking the threat actor who controls this malware as Detour Dog."
        https://blogs.infoblox.com/threat-intelligence/detour-dog-dns-malware-powers-strela-stealer-campaigns/
        https://hackread.com/detour-dog-dns-hijacking-websites-strela-stealer/
      • Cybercrime Observations From The Frontlines: UNC6040 Proactive Hardening Recommendations
        "Protecting software-as-a-service (SaaS) platforms and applications requires a comprehensive security strategy. Drawing from analysis of UNC6040’s specific attack methodologies, this guide presents a structured defensive framework encompassing proactive hardening measures, comprehensive logging protocols, and advanced detection capabilities. While emphasizing Salesforce-specific security recommendations, these strategies provide organizations with actionable approaches to safeguard their SaaS ecosystem against current threats."
        https://cloud.google.com/blog/topics/threat-intelligence/unc6040-proactive-hardening-recommendations/
        https://www.darkreading.com/threat-intelligence/google-sheds-light-shinyhunters-salesforce-tactics
      • Paperwork To Payload: From Shortcut Clicks To Rundll32 Execution
        "The Blackpoint SOC is tracking a new campaign that uses identity themed phishing archives to deliver malicious Windows shortcuts. Victims receive a ZIP of “certified” documents that contains .lnk files which, when clicked, silently launch obfuscated PowerShell in a minimized window. The script downloads a payload from hp05[.]com/gwt/ with filenames that appear to be PowerPoint slides, then writes a randomly named DLL to the user profile. This mirrors tactics seen in prior shortcut-based delivery chains that weaponize familiar document themes to gain initial access."
        https://blackpointcyber.com/blog/paperwork-to-payload-from-shortcut-clicks-to-rundll32-execution/
        https://www.infosecurity-magazine.com/news/shortcut-credential-lures-deliver/

      Breaches/Hacks/Leaks

      • Adobe Analytics Bug Leaked Customer Tracking Data To Other Tenants
        "Adobe is warning its Analytics customers that an ingestion bug caused data from some organizations to appear in the analytics instances of others for approximately one day. Adobe disclosed the issue on its status page, stating that it began on September 17, 2025, at 12:20 UTC, when a performance optimization change introduced a bug in Analytics Edge data collection. The status page states that the flaw caused "errant values" to appear in Analysis Workspace reports and that Adobe engineering teams are working to cleanse impacted datasets."
        https://www.bleepingcomputer.com/news/security/adobe-analytics-bug-leaked-customer-tracking-data-to-other-tenants/
      • Data Breach At Dealership Software Provider Impacts 766k Clients
        "A ransomware attack at Motility Software Solutions, a provider of dealer management software (DMS), has exposed the sensitive data of 766,000 customers. Motility (formerly known as Systems 2000/Sys2K) is a provider of DMS software used by 7,000 dealerships (automotive, powersports, marine, heavy-duty, and RV retail) across the United States. Its products cover customer relationship management (CRM), inventory management, sales, accounting, financials, service operations, rental and fleet tracking, as well as mobile or web access to control dashboards."
        https://www.bleepingcomputer.com/news/security/data-breach-at-dealership-software-provider-impacts-766k-clients/
      • Allianz Life Says July Data Breach Impacts 1.5 Million People
        "Allianz Life has completed the investigation into the cyberattack it suffered in July and determined that nearly 1.5 million individuals are impacted. The American insurance giant has notified all potentially affected individuals that their names, addresses, dates of birth, and social security numbers (SSN) have been compromised. Allianz Life is part of Allianz SE and provides annuities and life insurance for more than 1.4 million Americans. Allianz SE, which is a global giant with over 125 million customers, was not impacted."
        https://www.bleepingcomputer.com/news/security/allianz-life-says-july-data-breach-impacts-15-million-people/
        https://therecord.media/millions-impacted-by-data-breaches-insurance-car-dealership-software
      • Air Force Admits SharePoint Privacy Issue As Reports Trickle Out Of Possible Breach
        "The US Air Force confirmed it's investigating a "privacy-related issue" amid reports of a Microsoft SharePoint-related breach and subsequent service-wide shutdown, rendering mission files and other critical tools potentially unavailable to service members. "The Department of the Air Force is aware of a privacy-related issue," an Air Force spokesperson told The Register on Wednesday, while declining to answer specific questions about the alleged digital intrusion. The Air Force's confirmation follows what looks like a breach notification, shared with The Register and on social media, that purports to come from the Air Force Personnel Center Directorate of Technology and Information."
        https://www.theregister.com/2025/10/01/us_air_force_investigates_breach/

      General News

      • Inside Dark Web Exploit Markets In 2025: Pricing, Access & Active Sellers
        "Exploit marketplaces are the backbone of cybercrime infrastructure. In 2025, these underground markets don’t just sell stolen data, they also broker zero-day exploits, don’t-patch tools, and access credentials, offering them with sliding pricing. For threat hunters and defenders, understanding how exploit sellers price, distribute, and rotate access is as vital as knowing their malware families. Strategies and marketplaces overlap with themes explored previously in Dark Web Search Engines in 2025 – Rankings, Risks & Ethical Trade-offs."
        https://www.darknet.org.uk/2025/10/inside-dark-web-exploit-markets-in-2025-pricing-access-active-sellers/
      • A2AS Framework Targets Prompt Injection And Agentic AI Security Risks
        "AI systems are now deeply embedded in business operations, and this introduces new security risks that traditional controls are not built to handle. The newly released A2AS framework is designed to protect AI agents at runtime and prevent real-world incidents like fraud, data theft, and malware spread. Many companies are still figuring out how to secure AI systems, often with mixed results. Eugene Neelou, project leader for A2AS, told Help Net Security that defenses are both fragmented and fragile."
        https://www.helpnetsecurity.com/2025/10/01/a2as-framework-agentic-ai-security-risks/
      • Biometric Spoofing Isn’t As Complex As It Sounds
        "Biometric technologies were originally designed to improve security and streamline authentication, but they’re often misused in ways most people don’t notice. Like any system, biometrics has weaknesses that attackers can exploit. Biometric spoofing isn’t as complex as it sounds. It’s basically when someone imitates your biometric traits to fool a system. This could be a printed photo, a 3D-printed fingerprint, or even a recorded voice. Basic facial recognition systems can be fooled with images from social media, and AI-generated voices can mimic people with surprising accuracy."
        https://www.helpnetsecurity.com/2025/10/01/biometric-spoofing/
      • Ransomware Remains The Leading Cause Of Costly Cyber Claims
        "Cyber threats are shifting in 2025, and while large companies are still targets, attackers are turning their attention to smaller and mid-sized firms. According to Allianz’s Cyber Security Resilience 2025 report, hardened defenses at major corporates have pushed criminals to go after easier prey. The data shows ransomware was involved in 88% of breaches at small and medium firms compared to 39% at larger enterprises."
        https://www.helpnetsecurity.com/2025/10/01/insurance-claims-ransomware-h1-2025/
        https://www.theregister.com/2025/10/01/north_american_data_breaches/
      • NIST Publishes Guide For Protecting ICS Against USB-Borne Threats
        "NIST has published a new guide designed to help organizations reduce cybersecurity risks associated with the use of removable media devices in operational technology (OT) environments. NIST Special Publication (SP) 1334 was authored by the National Cybersecurity Center of Excellence (NCCoE) and it focuses on the use of USB flash drives, but also mentions other types of removable media such as external hard drives and CD/DVD drives. USB flash drives are often used in OT environments to conduct firmware updates or to retrieve data for diagnostics purposes, but such devices are also often a source of malware infections."
        https://www.securityweek.com/nist-publishes-guide-for-protecting-ics-against-usb-borne-threats/
        https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1334.pdf
      • Cybersecurity Awareness Month 2025: Prioritizing Identity To Safeguard Critical Infrastructure
        "This October marks the 22nd anniversary of Cybersecurity Awareness Month, an initiative launched under the guidance of the U.S. Department of Homeland Security. Its purpose is to highlight the importance of taking daily action to reduce risks when online and when using connected devices. This year’s theme focuses on government entities and small and medium-sized businesses that are vital to protecting the systems and services that keep our communities running. These organizations play a central role in safeguarding the nation’s critical infrastructure. Under the Cybersecurity and Infrastructure Security Agency’s (CISA) banner of “Building a Cyber Strong America,” state, local, tribal, and territorial governments, as well as private companies that own and operate critical infrastructure, are urged to strengthen their defenses against cyber threats to improve resilience and security."
        https://www.securityweek.com/cybersecurity-awareness-month-2025prioritizing-identity-to-safeguard-critical-infrastructure/
      • 2025 Cybersecurity Reality Check: Breaches Hidden, Attack Surfaces Growing, And AI Misperceptions Rising
        "Bitdefender's 2025 Cybersecurity Assessment Report paints a sobering picture of today's cyber defense landscape: mounting pressure to remain silent after breaches, a gap between leadership and frontline teams, and a growing urgency to shrink the enterprise attack surface. The annual research combines insights from over 1,200 IT and security professionals across six countries, along with an analysis of 700,000 cyber incidents by Bitdefender Labs. The results reveal hard truths about how organizations are grappling with threats in an increasingly complex environment."
        https://thehackernews.com/2025/10/2025-cybersecurity-reality-check.html
        https://www.bitdefender.com/en-us/business/campaign/2025-cybersecurity-assessment?cid=ref|b|-CORE-EPP-Gartner-THN-AR
      • Gartner Survey Finds Just 15% Of IT Application Leaders Are Considering, Piloting, Or Deploying Fully Autonomous AI Agents
        "Only 15% of IT application leaders said they are currently considering, piloting, or deploying fully autonomous AI agents (goal driven AI tools that do not require human oversight), according to a survey by Gartner, Inc., a business and technology insights company. In May and June 2025, Gartner conducted an industry-wide survey of 360 IT application leaders from organizations with at least 250 full-time employees in North America, Europe and Asia/Pacific, with the aim of understanding the impact of generative AI (GenAI) and agentic AI across enterprise applications."
        https://www.gartner.com/en/newsroom/press-releases/2025-09-30-gartner-survey-finds-just-15-percent-of-it-application-leaders-are-considering-piloting-or-deploying-fully-autonomous-ai-agents
        https://www.theregister.com/2025/10/01/gartner_ai_agents/
      • Findings From The 2025 Unit 42 Global Incident Response Report
        "Cyberattacks rarely follow a linear path. While security teams often zero-in on initial access vectors, like phishing emails, exposed services and credential abuse, these only mark the starting point. What happens next is far more complex. According to the 2025 Global Incident Response Report, 84% of investigated cases involved activity across multiple attack fronts, with 70% spanning at least three vectors and some touching as many as six. These are not isolated incidents; they're coordinated campaigns. Today’s attackers move laterally, escalating privileges, targeting identities, exploiting cloud misconfigurations and exfiltrating data, sometimes simultaneously. That level of sophistication and the multipronged approach makes for a strong case against operating in silos. Tools that only monitor one domain or that lack integration can leave critical threat signals buried under alert noise or trapped in disconnected logs."
        https://www.paloaltonetworks.com/blog/2025/10/case-for-multidomain-visibility/
        https://www.paloaltonetworks.com/resources/research/unit-42-incident-response-report
      • EU Consistently Targeted By Diverse Yet Convergent Threat Groups
        "Through a more threat-centric approach and further contextual analysis, this latest edition of the ENISA Threat Landscape analyses 4875 incidents over a period spanning from 1 July 2024 to 30 June 2025. At its core, this report provides an overview of the most prominent cybersecurity threats and trends the EU faces in the current cyber threat ecosystem."
        https://www.enisa.europa.eu/news/etl-2025-eu-consistently-targeted-by-diverse-yet-convergent-threat-groups
        https://www.enisa.europa.eu/publications/enisa-threat-landscape-2025
        https://www.bankinfosecurity.com/russia-chinese-hacking-buffets-europe-a-29616
      • Undead By Design: Benchmarking End-Of-Life Operating Systems
        "End-of-life (EOL) operating systems remain an underestimated risk for enterprise networks. This study analyzes millions of assets across hundreds of U.S.-based enterprises to quantify how prevalent unsupported OSes are today, how different industries fare, and what lies ahead as major platforms enter the Sunless Lands. Across all enterprises studied, 8.56% of assets are running an EOL OS, with 5% of all observed assets already beyond security support unable to receive timely, critical patches. These “undead” systems are disproportionately visible to threat actors, provide unique opportunities for routine exploitation, and often indicate broader gaps in maintenance and IT hygiene."
        https://www.runzero.com/resources/undead-by-design-report/
        https://www.darkreading.com/endpoint-security/undead-operating-systems-haunt-enterprise-security-networks

      References
      Electronic Transactions Development Agency (ETDA)

      Posted in Cyber Security News
      NCSA_THAICERT
    • Cyber Threat Intelligence 01 October 2025

      Industrial Sector

      • Festo Controller CECC-S,-LK,-D Family Firmware
        "Successful exploitation of these vulnerabilities could allow an attacker to crash services, escalate privileges, bypass authentication, or gain unauthorized access to sensitive systems and data."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-273-04
      • MegaSys Enterprises Telenium Online Web Application
        "Successful exploitation of this vulnerability could allow an unauthenticated attacker to inject arbitrary operating system commands through a crafted HTTP request, leading to remote code execution on the server in the security context of the web application service account."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-273-01
      • LG Innotek Camera Multiple Models
        "Successful exploitation of this vulnerability could allow an attacker to gain administrative access to the device."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-273-07
      • Festo SBRD-Q/SBOC-Q/SBOI-Q
        "Successful exploitation of these vulnerabilities may allow the attacker to read arbitrary data or cause a denial-of-service condition."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-273-02
      • Festo CPX-CEC-C1 And CPX-CMXX
        "Successful exploitation of this vulnerability could allow unauthenticated, remote access to critical webpage functions which may cause a denial of service."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-273-03
      • OpenPLC_V3
        "Successful exploitation of this vulnerability could cause a denial of service, making the PLC runtime process crash."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-273-05
      • National Instruments Circuit Design Suite
        "Successful exploitation of these vulnerabilities could allow an attacker to cause memory corruption, potentially leading to information disclosure and execution of arbitrary code."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-273-06

      Vulnerabilities

      • Critical WD My Cloud Bug Allows Remote Command Injection
        "Western Digital has released firmware updates for multiple My Cloud NAS models to patch a critical-severity vulnerability that could be exploited remotely to execute arbitrary system commands. Tracked as CVE-2025-30247, the flaw is an OS command injection in the user interface of My Cloud and can be leveraged through specially crafted HTTP POST requests sent to vulnerable endpoints."
        https://www.bleepingcomputer.com/news/security/critical-wd-my-cloud-bug-allows-remote-command-injection/
        https://www.westerndigital.com/support/product-security/wdc-25006-western-digital-my-cloud-os-5-firmware-5-31-108
        https://www.helpnetsecurity.com/2025/09/30/western-digital-my-cloud-nas-cve-2025-30247/
      • Broadcom Fixes High-Severity VMware NSX Bugs Reported By NSA
        "Broadcom has released security updates to patch two high-severity VMware NSX vulnerabilities reported by the U.S. National Security Agency (NSA). VMware NSX is a networking virtualization solution within VMware Cloud Foundation that enables administrators to deploy traditional and modern applications in private/hybrid clouds. The first security flaw reported by the NSA, tracked as CVE-2025-41251, is due to a weakness in the password recovery mechanism that can let unauthenticated attackers enumerate valid usernames, which could later be used in brute-force attacks."
        https://www.bleepingcomputer.com/news/security/broadcom-fixes-high-severity-vmware-nsx-bugs-reported-by-nsa/
        https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36150
        https://www.securityweek.com/high-severity-vulnerabilities-patched-in-vmware-aria-operations-nsx-vcenter/
        https://securityaffairs.com/182816/uncategorized/broadcom-patches-vmware-zero-day-actively-exploited-by-unc5174.html
      • Nearly 50,000 Cisco Firewalls Vulnerable To Actively Exploited Flaws
        "Roughly 50,000 Cisco Adaptive Security Appliance (ASA) and Firewall Threat Defense (FTD) appliances exposed on the public web are vulnerable to two vulnerabilities actively leveraged by hackers. The flaws, tracked as CVE-2025-20333 and CVE-2025-20362, enable arbitrary code execution and access to restricted URL endpoints associated with VPN access. Both security issues can be exploited remotely without authentication. On September 25, Cisco warned that the issues were actively exploited in attacks that started before patches were available to customers."
        https://www.bleepingcomputer.com/news/security/nearly-50-000-cisco-firewalls-vulnerable-to-actively-exploited-flaws/
        https://www.theregister.com/2025/09/30/cisco_firewall_vulns/
      • The Trifecta: How Three New Gemini Vulnerabilities In Cloud Assist, Search Model, And Browsing Allowed Private Data Exfiltration
        "Tenable Research discovered three vulnerabilities (now remediated) within Google’s Gemini AI assistant suite, which we dubbed the Gemini Trifecta. These vulnerabilities exposed users to severe privacy risks. They made Gemini vulnerable to search-injection attacks on its Search Personalization Model; log-to-prompt injection attacks against Gemini Cloud Assist; and exfiltration of the user’s saved information and location data via the Gemini Browsing Tool."
        https://www.tenable.com/blog/the-trifecta-how-three-new-gemini-vulnerabilities-in-cloud-assist-search-model-and-browsing
        https://thehackernews.com/2025/09/researchers-disclose-google-gemini-ai.html
        https://www.darkreading.com/vulnerabilities-threats/trifecta-google-gemini-flaws-ai-attack-vehicle
        https://www.infosecurity-magazine.com/news/gemini-trifecta-dangers-indirect/
        https://www.securityweek.com/google-patches-gemini-ai-hacks-involving-poisoned-logs-search-results/
      • Apple Updates iOS And MacOS To Prevent Malicious Font Attacks
        "Apple on Monday released a fresh round of security updates that address a single medium-severity vulnerability affecting both iOS and macOS. Tracked as CVE-2025-43400, the security defect is described as an out-of-bounds write issue in the operating system’s FontParser component that could lead to a denial-of-service (DoS) condition or memory corruption. “Processing a maliciously crafted font may lead to unexpected app termination or corrupt process memory,” Apple explains."
        https://www.securityweek.com/apple-updates-ios-and-macos-to-prevent-malicious-font-attacks/
        https://www.malwarebytes.com/blog/news/2025/09/apple-fixes-critical-font-processing-bug-update-now
      • $50 Battering RAM Attack Breaks Intel And AMD Cloud Security Protections
        "A group of academics from KU Leuven and the University of Birmingham has demonstrated a new vulnerability called Battering RAM to bypass the latest defenses on Intel and AMD cloud processors. "We built a simple, $50 interposer that sits quietly in the memory path, behaving transparently during startup and passing all trust checks," researchers Jesse De Meulemeester, David Oswald, Ingrid Verbauwhede, and Jo Van Bulck said on a website publicizing the findings. "Later, with just a flip of a switch, our interposer turns malicious and silently redirects protected addresses to attacker-controlled locations, allowing corruption or replay of encrypted memory.""
        https://thehackernews.com/2025/10/50-battering-ram-attack-breaks-intel.html
        https://batteringram.eu/

      Malware

      • Trinity Of Chaos: The LAPSUS$, ShinyHunters, And Scattered Spider Alliance Embarks On Global Cybercrime Spree
        "LAPSUS$, Scattered Spider, and ShinyHunters are three of the most notorious English-speaking cybercrime groups operating today. While each group has its own distinct origins and operational history, recent developments (especially since 2023 to 2025) reveal significant connections, tactical overlaps, and even direct collaboration. These connections are evident in their shared proclivity for social engineering, overlapping membership, joint public channels, and coordinated attacks on high-profile targets. The lines between these groups have become increasingly blurred, with cybersecurity researchers and law enforcement now viewing them as part of a loosely connected and highly adaptive cybercrime ecosystem."
        https://www.resecurity.com/blog/article/trinity-of-chaos-the-lapsus-shinyhunters-and-scattered-spider-alliance-embarks-on-global-cybercrime-spree
        https://securityaffairs.com/182799/cyber-crime/scattered-spider-shinyhunters-restructure-new-attacks-underway.html
      • XiebroC2 Identified In MS-SQL Server Attack Cases
        "AhnLab SEcurity intelligence Center (ASEC) monitors attacks targeting poorly managed MS-SQL servers and recently confirmed a case involving the use of XiebroC2. XiebroC2 is a C2 framework with open-source code that supports various features such as information collection, remote control, and defense evasion, similar to CobaltStrike."
        https://asec.ahnlab.com/en/90369/
      • MatrixPDF Puts Gmail Users At Risk With Malicious PDF Attachments
        "MatrixPDF turns ordinary PDF files into phishing and malware delivery tools. It uses overlays, clickable prompts, and embedded JavaScript to bypass email filters and fetch malicious payloads. Cybercriminals don't need to look for new exploits when they can weaponize what people already trust. PDF files are a prime example; they slip past email filters, render inline in Gmail, and most recipients open them without hesitation. MatrixPDF, found on cybercrime networks, exploits that trust."
        https://www.varonis.com/blog/matrixpdf
        https://www.bleepingcomputer.com/news/security/new-matrixpdf-toolkit-turns-pdfs-into-phishing-and-malware-lures/
      • You Name It, VMware Elevates It (CVE-2025-41244)
        "On September 29th, 2025, Broadcom disclosed a local privilege escalation vulnerability, CVE-2025-41244, impacting VMware’s guest service discovery features. NVISO has identified zero-day exploitation in the wild beginning mid-October 2024. The vulnerability impacts both the VMware Tools and VMware Aria Operations. When successful, exploitation of the local privilege escalation results in unprivileged users achieving code execution in privileged contexts (e.g., root)."
        https://blog.nviso.eu/2025/09/29/you-name-it-vmware-elevates-it-cve-2025-41244/
        https://www.bleepingcomputer.com/news/security/chinese-hackers-exploiting-vmware-zero-day-since-october-2024/
        https://www.darkreading.com/remote-workforce/china-exploited-new-vmware-bug-nearly
        https://thehackernews.com/2025/09/urgent-china-linked-hackers-exploit-new.html
      • Phantom Taurus: A New Chinese Nexus APT And The Discovery Of The NET-STAR Malware Suite
        "Phantom Taurus is a previously undocumented nation-state actor whose espionage operations align with People’s Republic of China (PRC) state interests. Over the past two and a half years, Unit 42 researchers have observed Phantom Taurus targeting government and telecommunications organizations across Africa, the Middle East, and Asia. Our observations show that Phantom Taurus’ main focus areas include ministries of foreign affairs, embassies, geopolitical events and military operations. The group’s primary objective is espionage. Its attacks demonstrate stealth, persistence and an ability to quickly adapt their tactics, techniques and procedures (TTPs)."
        https://unit42.paloaltonetworks.com/phantom-taurus/
        https://thehackernews.com/2025/09/phantom-taurus-new-china-linked-hacker.html
        https://www.darkreading.com/cyberattacks-data-breaches/new-china-apt-strikes-precision-persistence
        https://www.bankinfosecurity.com/chinas-phantom-taurus-hacks-middle-east-a-29602
        https://cyberscoop.com/phantom-taurus-china-espionage-group/
        https://hackread.com/chinese-apt-phantom-taurus-ms-exchange-servers/
      • Klopatra: Exposing a New Android Banking Trojan Operation With Roots In Turkey
        "In late August 2025, Cleafy's Threat Intelligence team discovered Klopatra, a new, highly sophisticated Android malware currently used in active campaigns against financial institutions and their customers. The analysis identified two major botnets targeting users primarily in Spain and Italy, with the number of compromised devices already exceeding 3,000. Klopatra operates as a powerful banking trojan and Remote Access Trojan (RAT), allowing its operators to gain complete control over infected devices, steal sensitive credentials, and execute fraudulent transactions. What elevates Klopatra above the typical mobile threat is its advanced architecture, built for stealth and resilience. The malware authors have integrated Virbox, a commercial-grade code protection tool rarely seen in the Android threat landscape."
        https://www.cleafy.com/cleafy-labs/klopatra-exposing-a-new-android-banking-trojan-operation-with-roots-in-turkey
        https://www.darkreading.com/threat-intelligence/klopatra-trojan-bank-transfers-sleep
        https://www.infosecurity-magazine.com/news/android-rat-klopatra-targets/
      • Silent Smishing: The Hidden Abuse Of Cellular Router APIs
        "The monitoring and analysis of vulnerability exploitations are among the primary responsibilities of Sekoia.io’s Threat Detection & Research (TDR) team. Using our honeypots, we monitor traffic targeting various edge devices and internet-facing applications. On 22 July 2025, suspicious network traces were observed via our honeypots. Our analysis revealed that a cellular router’s API was exploited to send malicious SMS messages containing phishing URLs — an attack that leverages SMS as a delivery vector for phishing, often categorized under smishing tactics."
        https://blog.sekoia.io/silent-smishing-the-hidden-abuse-of-cellular-router-apis/
        https://www.infosecurity-magazine.com/news/smishing-exploit-cellular-routers/
      • Datzbro: RAT Hiding Behind Senior Travel Scams
        "In August 2025, multiple scam alerts were issued in Australia. Users reported scammers managing Facebook groups promoting “active senior trips.” ThreatFabric researchers analyzed the campaign and identified several groups, managed by fraudsters, targeting various regions and using multiple disguises. Moreover, a new Device-Takeover Android Trojan, which we named “Datzbro”, was discovered as part of the campaign. This report uncovers the capabilities of this Trojan. While most of its features are typically seen in spyware, our research shows how Datzbro is actively used in financial fraud, leveraging its remote access capabilities."
        https://www.threatfabric.com/blogs/datzbro-rat-hiding-behind-senior-travel-scams
        https://thehackernews.com/2025/09/new-android-trojan-datzbro-tricking.html
      • North Korea’s IT Workers Expand Beyond US Big Tech
        "Okta Threat Intelligence has conducted a large-scale analysis revealing that the Democratic People’s Republic of Korea (DPRK) IT worker scheme threatens nearly every industry that hires remote talent. While public reporting has primarily focused on DPRK nationals targeting software development roles at major US technology companies, our analysis shows that this threat is not limited to the tech sector, nor the US. North Korean IT Workers (ITW) now pose a real threat to a wide range of industries. Impacted industries include finance, healthcare, public administration, and professional services across a growing number of countries. This widespread scheme aims to gain illicit employment and — in some cases — steal sensitive data."
        https://www.okta.com/newsroom/articles/north-korea-s-it-workers-expand-beyond-us-big-tech/
        https://therecord.media/north-korea-it-worker-scheme-expands-outisde-us-tech
        https://www.theregister.com/2025/09/30/north_korean_it_workers_okta/

      Breaches/Hacks/Leaks

      • WestJet Confirms Recent Breach Exposed Customers' Passports
        "Canadian airline WestJet is informing customers that the cyberattack disclosed in June compromised their sensitive information, including passports and ID documents. WestJet is a major airline in North America that operates a fleet of 153 aircraft and services 104 destinations, carrying over 25 million travelers annually. On June 13, the company disclosed a cybersecurity incident that disrupted certain internal systems and made the WestJet app unavailable to customers. Around that time, the Scattered Spider threat group focused their attacks on organizations in the aviation industry. However, there is no official attribution for the hackers behind the WestJet breach."
        https://www.bleepingcomputer.com/news/security/westjet-confirms-recent-breach-exposed-customers-passports/
      • Hour-Long Email Phishing Breach Affects PHI Of 150,000
        "A Florida-based technology firm that provides medication therapy management and other services to health plans is notifying nearly 150,000 people that their information was potentially compromised in a phishing attack affecting just one employee's email account for only about an hour. OutcomesOne, which reported the breach to several state regulators last week, discovered the incident on July 1 when an employee noticed "unusual activity" in his work email account and quickly reported it to the company's security team, the tech firm said."
        https://www.bankinfosecurity.com/hour-long-email-phishing-breach-affects-phi-150000-a-29603

      General News

      • AI-Powered Voice Cloning Raises Vishing Risks
        "As vishing becomes more frequently used amongst threat actors, researchers have discovered that AI-generated voice clones from as little as five minutes of recorded audio are well on the rise. NCC Group's research team has explored how voice impersonation using AI allows for classic social engineering attacks to become even more refined, blurring the lines of what is real and what is simulated. This could put enterprises, their employees, and everyday individuals at increased risk of voice phishing or vishing attacks from bad actors trying to gain access to their personal information, financial accounts, sensitive corporate data, and more."
        https://www.darkreading.com/cyberattacks-data-breaches/ai-voice-cloning-vishing-risks
      • The Hidden Risks Inside Open-Source Code
        "Open-source software is everywhere. It runs the browsers we use, the apps we rely on, and the infrastructure that keeps businesses connected. For many security leaders, it is simply part of the environment, not something they think about every day. That is where trouble can start. James Cusick, a researcher at Ritsumeikan University, recently set out to answer a question: how secure is the code we depend on? His study looked at both open-source and proprietary software, scanning millions of lines of code to see where vulnerabilities hide and how serious they are. What he found shows why static code scanning should be a key part of every security strategy."
        https://www.helpnetsecurity.com/2025/09/30/hidden-risks-open-source-code-scanning/
      • Cyber Risk Quantification Helps CISOs Secure Executive Support
        "In this Help Net Security interview, Vivien Bilquez, Global Head of Cyber Resilience at Zurich Resilience Solutions, discusses how organizations are rethinking cyber resilience. He talks about the priorities CISOs should focus on and the risks that are often overlooked. Bilquez also explains how to align cybersecurity efforts with business goals to gain executive support."
        https://www.helpnetsecurity.com/2025/09/30/vivien-bilquez-zurich-resilience-solutions-cyber-resilience-priorities/
      • Your Budget Android Phone Might Be Spying On You
        "Researchers have found that many low-cost Android devices come with pre-installed apps that have high-level access to the system. Unlike apps from the Google Play Store, many of these are not subject to thorough checks and can serve as vectors for malware or privacy-invasive features. Researchers studying the African mobile device market focused on three brands selling Android devices under $100, all running Android Go Edition. To investigate, the team developed PiPLAnD, an automated framework for extracting and analyzing Android package kit (APK) files from physical devices."
        https://www.helpnetsecurity.com/2025/09/30/low-cost-android-devices-security-risks/
      • Keeping The Internet Afloat: How To Protect The Global Cable Network
        "The resilience of the world’s submarine cable network is under new pressure from geopolitical tensions, supply chain risks, and slow repair processes. A new report from the Center for Cybersecurity Policy and Law outlines how governments and industry can work together to strengthen this critical infrastructure. The report comes at a time when physical disruptions to cables are drawing more attention. While most breaks are caused by fishing or anchoring accidents, recent incidents in the Baltic Sea and the Taiwan Strait have raised concerns about potential sabotage."
        https://www.helpnetsecurity.com/2025/09/30/protect-undersea-cable-security/
      • Greg Kroah-Hartman Explains The Cyber Resilience Act For Open Source Developers
        "There has been considerable worry about the impact of the European Union's Cyber Resilience Act on open source programmers. Linux stable kernel maintainer Greg Kroah-Hartman says, however, that there won't be much of an impact at all. When the news of the EU's Cyber Resilience Act (CRA) first emerged, open source software developers and companies were worried sick. As the Python Software Foundation (PSF) executive director Deb Nicholson said at the time, "Under the current language, the PSF could potentially be financially liable for any product that includes Python code, while never having received any monetary gain from any of these products." Ouch!"
        https://www.theregister.com/2025/09/30/cyber_reiliance_act_opinion_column/
      • The Rising Cyber Threat To Manufacturing: A Call To Action For Executives
        "Manufacturing continues to be one of the most attractive targets for cyber attackers, with attacks only increasing. Once overlooked in favor of data-rich industries, today’s factories are caught in the crossfire of ransomware economics, geopolitical conflict, and global supply chain disruption. For executives, this means that cyber security is no longer just an IT issue. It’s a core business risk that directly impacts revenue, resilience, and reputation. Download the full Manufacturing Security Report to explore the data, trends, and case studies shaping the future of industrial cyber resilience."
        https://blog.checkpoint.com/research/the-rising-cyber-threat-to-manufacturing-a-call-to-action-for-executives/
        https://engage.checkpoint.com/2025-cpr-manufacturing-report
      • CIISec Members Say Budgets Are Falling Behind Threats
        "Cybersecurity budgets in the UK are stagnating, even as job prospects and industry growth improves, a new poll of industry professionals has revealed. The Chartered Institute of Information Security (CIISec) published the latest findings from its upcoming State of the Security Profession report, which is based on interviews with its members. Just 5% agreed that budgets are in line with or ahead of threats, while 84% claimed the opposite. However, over three-quarters (78%) claimed their job prospects are good or excellent, and a similar share (73%) expect the security market to grow over the next three years."
        https://www.infosecurity-magazine.com/news/ciisec-members-budget-falling/
      • Tile Tracking Tags Can Be Exploited By Tech-Savvy Stalkers, Researchers Say
        "Tile trackers, used to locate everything from lost keys to stolen pets, are used by more than 88 million people worldwide, according to Tile’s parent company, Life360. But researchers who examined the tracking technology have found design flaws that would let stalkers—or potentially the manufacturer itself—track the location of Tile users and their devices, contrary to claims the company has made about the security and privacy of its devices. The researchers—Akshaya Kumar, Anna Raymaker, and Michael Specter of Georgia Institute of Technology—found that each tag broadcasts an unencrypted MAC address and unique ID that can be picked up by other Bluetooth devices or radio-frequency antennas in a tag’s vicinity to track the movements of the tag and its owner."
        https://www.wired.com/story/tile-tracking-tags-can-be-exploited-by-tech-savvy-stalkers-researchers-say/
        https://www.malwarebytes.com/blog/news/2025/09/tile-trackers-plagued-by-weak-security-researchers-warn
        https://www.theregister.com/2025/09/30/tile_trackers_unencrypted_info/
      • CISO Conversations: John ‘Four’ Flynn, VP Of Security At Google DeepMind
        "DeepMind, an AI research laboratory founded in London in 2010, was acquired by Google in 2014. In April 2023, it merged with the Google Brain division to become Google DeepMind. John Flynn, usually known as ‘Four’, has been DeepMind’s VP of security since May 2024. Before then he had been a CISO with Amazon, CISO at Uber, director of information security at Facebook, and (between 2005 and 2011) manager of the security operations team at Google."
        https://www.securityweek.com/ciso-conversations-john-four-flynn-vp-of-security-at-google-deepmind/

      Reference
      Electronic Transactions Development Agency (ETDA)

      Posted in Cyber Security News
      NCSA_THAICERT
    • Cyber Threat Intelligence 30 September 2025

      Industrial Sector

      • CISA And UK NCSC Release Joint Guidance For Securing OT Systems
        "CISA, in collaboration with the Federal Bureau of Investigation, the United Kingdom’s National Cyber Security Centre, and other international partners has released new joint cybersecurity guidance: Creating and Maintaining a Definitive View of Your Operational Technology (OT) Architecture. Building on the recent Foundations for OT Cybersecurity: Asset Inventory Guidance for Owners and Operators, this guidance explains how organizations can leverage data sources, such as asset inventories and manufacturer-provided resources like software bill of materials to establish and maintain an accurate, up-to-date view of their OT systems."
        https://www.cisa.gov/news-events/alerts/2025/09/29/cisa-and-uk-ncsc-release-joint-guidance-securing-ot-systems
        https://www.cisa.gov/resources-tools/resources/creating-and-maintaining-definitive-view-your-operational-technology-ot-architecture
        https://www.ncsc.gov.uk/files/ncsc-creating-and-maintaining-a-definitive-view-of-your-operational-technology-architecture.pdf
        https://www.bankinfosecurity.com/ot-operators-urged-to-map-networks-or-risk-major-blind-spots-a-29596
        https://www.infosecurity-magazine.com/news/national-cyber-authorities-ot/

      New Tooling

      • Firezone: Open-Source Platform To Securely Manage Remote Access
        "Firezone is an open-source platform that helps organizations of any size manage secure remote access. Unlike most VPNs, it uses a least-privileged model, giving users only the access they need. Firezone was built to scale from the start, so you can add more gateways as traffic grows. It uses WireGuard, a fast and secure VPN protocol, and adds extra protections like short-lived encryption keys and firewall hole-punching to reduce the attack surface. It is also simple to manage, with a Policy Engine that removes the need for complex firewall rules or ACLs and makes it easier to control and review access."
        https://www.helpnetsecurity.com/2025/09/29/firezone-open-source-secure-remote-access-management/
        https://github.com/firezone/firezone

      Vulnerabilities

      • CISA Adds Five Known Exploited Vulnerabilities To Catalog
        "CISA has added five new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
        CVE-2021-21311 Adminer Server-Side Request Forgery Vulnerability
        CVE-2025-20352 Cisco IOS and IOS XE Stack-based Buffer Overflow Vulnerability
        CVE-2025-10035 Fortra GoAnywhere MFT Deserialization of Untrusted Data Vulnerability
        CVE-2025-59689 Libraesva Email Security Gateway Command Injection Vulnerability
        CVE-2025-32463 Sudo Inclusion of Functionality from Untrusted Control Sphere Vulnerability"
        https://www.cisa.gov/news-events/alerts/2025/09/29/cisa-adds-five-known-exploited-vulnerabilities-catalog

      Malware

      • Eye Of The Storm: Analyzing DarkCloud's Latest Capabilities
        "Adversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes. We have discovered some of the most dangerous threats and nation state attacks in our space – including the Kaseya MSP breach and the more_eggs malware. Our Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced Threat Analytics driven by our Threat Response Unit – the TRU team."
        https://www.esentire.com/blog/eye-of-the-storm-analyzing-darkclouds-latest-capabilities
        https://hackread.com/darkcloud-infostealer-grab-credentials-crypto-contacts/

      Breaches/Hacks/Leaks

      • Japan's Largest Brewer Suspends Operations Due To Cyberattack
        "Asahi Group Holdings, Ltd (Asahi), the brewer of Japan’s top-selling beer, has disclosed a cyberattack that disrupted several of its operations. According to the company, the incident has affected its ordering and shipping activity, which have been completely suspended. Call center operations and customer service desk are currently unavailable to the public due to the cyberattack. Asahi is one of Japan’s largest breweries, holding roughly one-third of the domestic market share. It employs 30,000 people, produces 100 million hectoliters of beverages, and in 2024 the company reported an annual revenue of nearly $20 billion USD."
        https://www.bleepingcomputer.com/news/security/japans-largest-brewer-suspends-operations-due-to-cyberattack/
        https://www.theregister.com/2025/09/29/asahi_hacking_outage/
      • Company That Sells Spyware For Monitoring Sex Offenders Hacked
        "A company that sells spyware that monitors individuals on parole and probation had its data leaked to a cybercrime forum this week. The leak, according to an analysis by Straight Arrow News, exposed highly sensitive information regarding employees of the corrections system and those under court-ordered supervision. The affected company, RemoteCOM, describes itself as “the premier computer, smartphone and tablet monitoring service for the management of pretrial, probation and parole clients.” The data indicates that RemoteCOM’s services are used by parole and probation officers in 49 states."
        https://san.com/cc/company-that-sells-spyware-for-monitoring-sex-offenders-hacked/
        https://www.malwarebytes.com/blog/news/2025/09/sex-offenders-terrorists-drug-dealers-exposed-in-spyware-breach

      General News

      • How Attackers Poison AI Tools And Defenses
        "Cyberattackers are using generative AI to draft polished spam, create malicious code and write persuasive phishing lures. They are also learning how to turn AI systems themselves into points of compromise. Recent findings highlight this shift. Researchers from Columbia University and the University of Chicago studied malicious email traffic collected over three years. Barracuda Research has also tracked attackers exploiting weaknesses in AI assistants and tampering with AI-driven security tools."
        https://www.helpnetsecurity.com/2025/09/29/poisoned-ai-prompt/
        https://www.ee.columbia.edu/news/ai-now-powers-over-half-spam-emails-columbia-engineering-research-finds
      • Cybersecurity Leaders Underreport Cyber Incidents To Executives
        "Cyberattacks are becoming more frequent and severe, with 71% of surveyed security leaders saying attacks have grown more common in the past year and 61% reporting greater impact when incidents occur, according to a new report from VikingCloud. Nearly 80% of surveyed security leaders said they are concerned about being targeted by a nation-state attack within the next year. The study shows how geopolitical tensions are fueling activity that no longer hits only government or critical infrastructure. Software supply chain compromises are spilling into industries like retail, healthcare, and hospitality."
        https://www.helpnetsecurity.com/2025/09/29/cyberattacks-frequency-impact-growth/
      • When AI Is Trained For Treachery, It Becomes The Perfect Agent
        "Last year, The Register reported on AI sleeper agents. A major academic study explored how to train an LLM to hide destructive behavior from its users, and how to find it before it triggered. The answers were unambiguously asymmetric — the first is easy, the second very difficult. Not what anyone wanted to hear."
        https://www.theregister.com/2025/09/29/when_ai_is_trained_for/
      • 'You'll Never Need To Work Again': Criminals Offer Reporter Money To Hack BBC
        "Like many things in the shadowy world of cyber-crime, an insider threat is something very few people have experience of. Even fewer people want to talk about it. But I was given a unique and worrying experience of how hackers can leverage insiders when I myself was recently propositioned by a criminal gang. "If you are interested, we can offer you 15% of any ransom payment if you give us access to your PC." That was the message I received out of the blue from someone called Syndicate who pinged me in July on the encrypted chat app Signal."
        https://www.bbc.com/news/articles/c3w5n903447o
        https://www.bleepingcomputer.com/news/security/ransomware-gang-sought-bbc-reporters-help-in-hacking-media-giant/
      • "The fastest-growing user group inside the enterprise typically doesn't show up in HR systems. It logs in through service accounts, API keys, bots and automated workflows. It's a machine identity - which already outnumber human users in many organizations. Who owns them, who rotates their keys, audits their actions and takes the fall when something goes wrong often depends on who's responding, and the answers rarely align."
        https://www.bankinfosecurity.com/whos-minding-machines-identity-crisis-nobody-owns-a-29594

      • IoT Security Flounders Amid Churning Risk
        "The use of Internet of Things (IoT) devices is exploding, but cybersecurity considerations on the part of the device-makers continue to lag, leaving enterprises vulnerable to distributed denial-of-service (DDoS) and other attacks that can lead to data theft. New initiatives are underway to curb the issues, but progress remains slow. In this edition of what will become a regular "Reporters' Notebook" video series, two intrepid cybersecurity journalists, Dark Reading's Arielle Waldman, and Cybersecurity Dive's Eric Geller, break down their recent findings around IoT security woes, and emerging government-backed safety efforts for connected devices."
        https://www.darkreading.com/iot/iot-security-flounders-amid-churning-risk
      • Two-Thirds Of Organizations Have Unfilled Cybersecurity Positions
        "Organizations continue to experience significant cybersecurity skills shortages, with 65% of firms reporting unfilled cyber positions, a new ISACA survey has found. Over a third (38%) of cybersecurity professionals surveyed revealed it takes three to six months to hire for entry-level roles and 39% said the same for non-entry-level positions. Additionally, half of organizations admitted that they struggle to retain cyber talent. In total, 55% of respondents believe their security teams are understaffed. This represents a small drop from 2024, when 61% said their team is understaffed."
        https://www.infosecurity-magazine.com/news/two-thirds-unfilled-cybersecurity/
        https://www.isaca.org/resources/infographics/state-of-cybersecurity-2025-infographic
        https://www.isaca.org/resources/reports/state-of-cybersecurity-2025
      • The State Of AI In The SOC 2025 - Insights From Recent Study
        "Security leaders are embracing AI for triage, detection engineering, and threat hunting as alert volumes and burnout hit breaking points. A comprehensive survey of 282 security leaders at companies across industries reveals a stark reality facing modern Security Operations Centers: alert volumes have reached unsustainable levels, forcing teams to leave critical threats uninvestigated. You can download the full report here. The research, conducted primarily among US-based organizations, shows that AI adoption in security operations has shifted from experimental to essential as teams struggle to keep pace with an ever-growing stream of security alerts. The findings paint a picture of an industry at a tipping point, where traditional SOC models are buckling under operational pressure and AI-powered solutions are emerging as the primary path forward."
        https://thehackernews.com/2025/09/the-state-of-ai-in-soc-2025-insights.html
        https://resources.prophetsecurity.ai/state-of-ai-in-security-operations
      • Chinese Scammer Pleads Guilty After UK Seizes Nearly $7 Billion In Bitcoin
        "A Chinese national accused of running a fraudulent investment scheme pleaded guilty in a London court on Monday after U.K. police seized nearly $7 billion worth of Bitcoin during a raid of her home in north London. Zhimin Qian, 47, ran a large fraud scheme in China through her company Tianjin Lantian Gerui Electronic Technology — offering people investment products and promising outlandish returns of nearly 300 percent. The Metropolitan Police say Qian ran the fraud between 2014 and 2017, stealing billions of dollars from more than 128,000 victims. She stored the stolen money in Bitcoin and fled China for the U.K. using a fake passport from St. Kitts and Nevis."
        https://therecord.media/chinese-scammer-guilty-seizure-uk
        https://www.bleepingcomputer.com/news/security/uk-convicts-bitcoin-queen-in-worlds-largest-cryptocurrency-seizure/

      Reference
      Electronic Transactions Development Agency (ETDA)

      Posted in Cyber Security News
      NCSA_THAICERT
    • Researchers Warn AI Can Clone A Real Voice Within Minutes, Putting Organizations At Risk Of Vishing

      You can follow news on the webboard or on the NCSA Thailand Facebook page.

      Posted in Cyber Security News
      NCSA_THAICERT
    • Asahi, Japan's Largest Brewer, Halts Ordering And Shipping Operations After Cyberattack

      Posted in Cyber Security News
      NCSA_THAICERT
    • Researchers Warn Of Android Trojan “Datzbro” Luring Seniors With Travel Events On Facebook

      Posted in Cyber Security News
      NCSA_THAICERT
    • DarkCloud Infostealer Version 4.2 Returns Via Phishing Emails, Stealing Passwords, Crypto And Transaction Data

      Posted in Cyber Security News
      NCSA_THAICERT
    • Researchers Find First Malicious MCP Server In Rogue Postmark-MCP Package That Steals Users' Email

      Posted in Cyber Security News
      NCSA_THAICERT