สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand 
ข้อมูลกลุ่ม
ส่วนตัว
administrators
รายชื่อสมาชิก
-
พบแคมเปญฟิชชิงปลอมเป็นอีเมลร้องเรียนจากลูกค้า มุ่งโจมตีธุรกิจโรงแรมและที่พักโพสต์ใน Cyber Security News
-
Polymarket เตรียมชดเชยผู้ใช้งานเต็มจำนวน หลังถูกโจมตีแบบ Supply Chainโพสต์ใน Cyber Security News
สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand
-
ตรวจพบแคมเปญมัลแวร์ Miasma แฝงรหัสอันตรายในแพ็กเกจ npm กว่า 20 รายการ มุ่งเป้าขโมยข้อมูลสำคัญของนักพัฒนาโพสต์ใน Cyber Security News
สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand
-
ETDA Cyber Threat Intelligence 29 June 2026โพสต์ใน Cyber Security News
Healthcare Sector
- Healthcare Leaders See a Fatal Cyber Incident As Inevitable
"Healthcare practices run on a chain of outside vendors. An EMR system holds clinical records, a billing platform processes claims, a telehealth tool supports remote visits, and a cloud provider stores data. Every one of those connections gives an outside company a path into the practice, and any one of them can break. That is what happened across the sector over the past year. According to Omega Systems’ 2026 Healthcare IT Landscape Report, the large majority of practices dealt with at least one operational disruption that traced back to a vendor or a vendor’s own supplier. The disruptions ranged from brief outages to repeated failures that froze patient intake and slowed cash flow."
https://www.helpnetsecurity.com/2026/06/26/cyber-incident-healthcare-vendor-risk/
New Tooling
- Modelplane: Open-Source Control Plane For AI Inference
"Organizations that run open-weight models on hardware they own operate GPU fleets spread across clouds, neoclouds, and on-premise data centers. Each fleet handles model placement, replica scaling, infrastructure provisioning, weight distribution, and traffic routing. Teams have built this coordination layer by hand, one operator at a time. Upbound, the company behind the Crossplane project, released Modelplane, an open-source control plane that manages fleet-wide coordination for AI inference. The software installs in a user’s own environment and orchestrates models, the serving stack, and the infrastructure beneath them. It runs across cloud, neocloud, and on-premise systems, from a single GPU to multi-node deployments. The first public version, v0.1.0, carries the Apache 2.0 license."
https://www.helpnetsecurity.com/2026/06/26/modelplane-open-source-control-plane-ai-inference/
https://github.com/modelplaneai/modelplane
Vulnerabilities
- Synology Issues Critical Fix For MailPlus Server Vulnerabilities
"Synology has has fixed critical vulnerabilities in MailPlus Server, a software package used to run private email infrastructure on Synology NAS devices.
The security update fixes three flaws:
CVE-2026-13136, stemming from faulty authorization checks, may allow remote attackers to read or write arbitrary files and conduct denial-of-service (DoS) attacks
CVE-2026-13135, caused by improper restriction of communication channel to intended endpoints, may allow remote attackers to access internal services
CVE-2025-15660, arising from the use of a cryptographically weak pseudo-random number generator, may allow adjacent attackers to read or write arbitrary files and conduct DoS attacks."
https://www.helpnetsecurity.com/2026/06/26/synology-mailplus-server-vulnerabilities/
https://www.synology.com/en-global/security/advisory/Synology_SA_26_11 - Critical Unauthenticated Remote Code Execution In Splunk Enterprise (CVE-2026-20253)
"Splunk disclosed a critical unauthenticated remote code execution (RCE) vulnerability in Splunk Enterprise tracked as CVE-2026-20253 on June 10, 2026. The vulnerability has a CVSS score of 9.8 and stems from missing authentication on a PostgreSQL sidecar service recovery endpoint that can be reached through the Splunk Web interface, which proxies requests to the internal PostgreSQL sidecar service without enforcing authentication. A successful attacker can create or truncate arbitrary files and ultimately achieve arbitrary code execution under the Splunk service account."
https://www.zscaler.com/blogs/security-research/critical-unauthenticated-remote-code-execution-splunk-enterprise-cve-2026 - MCP Auto-Execution: From Git Clone To Cloud Compromise In Amazon Q VS Code Extension
"Wiz Research discovered a high-severity vulnerability in Amazon Q Developer Extension for Visual Studio Code (VS Code), Amazon's AI-powered coding assistant for VS Code, which allowed attackers to achieve arbitrary code execution and cloud credential theft simply by having a developer open a malicious repository. Amazon Q automatically loaded MCP server configurations from workspace files without user consent. Combined with full environment inheritance, this enabled immediate code execution. Amazon has remediated this issue in language server version 1.65.0."
https://www.wiz.io/blog/amazon-q-vulnerability
https://aws.amazon.com/security/security-bulletins/2026-047-aws/
https://thehackernews.com/2026/06/amazon-q-developer-flaw-could-let.html
https://www.securityweek.com/amazon-q-flaw-enabled-cloud-credential-theft-via-malicious-repositories/
https://www.theregister.com/cyber-crime/2026/06/26/amazon-q-flaw-let-booby-trapped-git-repos-execute-code-swipe-cloud-creds/5263202 - CISA Adds Two Known Exploited Vulnerabilities To Catalog
"CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
CVE-2026-12569 PTC Windchill and FlexPLM Improper Input Validation Vulnerability
CVE-2026-20230 Cisco Unified Communications Manager Server-Side Request Forgery (SSRF) Vulnerability"
https://www.cisa.gov/news-events/alerts/2026/06/25/cisa-adds-two-known-exploited-vulnerabilities-catalog
https://www.bleepingcomputer.com/news/security/cisa-sets-urgent-deadline-to-fix-cisco-flaw-exploited-in-attacks/
https://thehackernews.com/2026/06/cisa-adds-exploited-ptc-windchill-rce.html
https://www.securityweek.com/first-ever-exploitation-of-ptc-windchill-vulnerability-discovered-in-the-wild/
https://securityaffairs.com/194290/security/u-s-cisa-adds-cisco-and-ptc-windchill-and-flexplm-flaws-to-its-known-exploited-vulnerabilities-catalog.html - New Linux Pedit COW Exploit Enables Root Access By Poisoning Cached Binaries
"A flaw in the Linux kernel's traffic-control subsystem can let a local unprivileged user gain root on affected systems. CVE-2026-46331, nicknamed "pedit COW," is an out-of-bounds write in the packet-editing action (act_pedit) that corrupts shared page-cache memory. A public, working exploit appeared within a day of the CVE assignment on June 16. Red Hat rates the flaw as important."
https://thehackernews.com/2026/06/new-linux-pedit-cow-exploit-enables.html - Dissecting And Exploiting Linux LPE Variant: DirtyClone (CVE-2026-43503)
"During an audit of recent Linux kernel patches, the JFrog Security Research team identified that despite fixes addressing the DirtyFrag vulnerability family, a residual issue remained unaddressed. This gap allowed the same vulnerability class to persist through a different packet processing path in the XFRM/IPsec subsystem. We reported the issue to the Linux kernel maintainers on May 19. This coincided with a related broader report from the original DirtyFrag researcher “Hyunwoo Kim" on May 16. The variants were patched and merged into mainline on May 21 (v7.1-rc5, 9e171fc1d7d7), and assigned CVE-2026-43503."
https://research.jfrog.com/post/dissecting-and-exploiting-linux-lpe-variant-dirtyclone-cve-2026-43503/
https://thehackernews.com/2026/06/new-dirtyclone-linux-kernel-flaw-lets.html
https://securityaffairs.com/194338/uncategorized/dirtyclone-fourth-linux-kernel-flaw-in-six-weeks-escalates-to-root.html
Malware
- FBI: Russian Hackers Now Target Signal Backup Recovery Keys
"The FBI and CISA are warning that a phishing campaign targeting Signal users tied to Russian intelligence services has evolved to steal Signal Backup Recovery Keys, allowing attackers to access victims' historical messages. The updated public service announcement is an update to a March 2026 advisory that warned the threat actors were targeting users of commercial messaging applications, particularly Signal, through phishing campaigns designed to hijack accounts rather than break end-to-end encryption."
https://www.bleepingcomputer.com/news/security/fbi-russian-hackers-now-target-signal-backup-recovery-keys/
https://www.ic3.gov/PSA/2026/PSA260626
https://thehackernews.com/2026/06/fbi-warns-russian-intelligence-hackers.html
https://securityaffairs.com/194360/intelligence/new-fbi-alert-russian-intelligence-uses-signal-recovery-keys-to-access-messages.html - We Coined The Poisoned Tenant Attack In 2023; In 2026, Someone Used It On Us
"Three years ago, we published the poisoned tenant attack as part of the Browser and Identity Attacks matrix. Last week, someone used it to target Push Security employees and customers through OpenAI's organization invitation feature. This post breaks down what happened, explores what the payoff is for an attacker, and connects the incident to a broader pattern of SaaS platform abuse that is accelerating across the industry."
https://pushsecurity.com/blog/openai-poisoned-tenant-attack
https://www.bleepingcomputer.com/news/security/cybersecurity-firms-targeted-by-fraudulent-openai-organization-invites/ - From CI/CD To Cloud Data: How Shai Hulud Persistence Leads To Redshift Breach
"Organizations with modern CI/CD pipelines face threats from the Shai Hulud supply chain campaign, a software worm attributed to TeamPCP that has been targeting npm and PyPI packages since late 2025. Named after the giant sandworms in Dune, Shai Hulud injects malicious packages that execute during installs or CI jobs, harvesting build credentials to move into cloud infrastructure. Organizations running modern CI/CD are learning a critical lesson from the Shai Hulud supply chain campaign: a poisoned build dependency doesn't stop at the pipeline—it becomes a bridge into the production cloud."
https://www.fortinet.com/blog/threat-research/from-ci-cd-to-cloud-data-how-shai-hulud-persistence-leads-to-redshift-breach - Mirage2FA: Obfuscated HTML Loader Delivers Microsoft 365 MFA Phishing Kit
"Fortra Intelligence and Research Experts (FIRE) have identified a multi-stage Microsoft 365 phishing kit, which we have named Mirage2FA, delivered through a secure document and payment-themed email lure. The attack uses short-lived HTML smuggling and obfuscated JavaScript-loaders in a single phishing workflow, creating a “mirage” effect that helps it evade detection while targeting 2FA/MFA protections. It is an example of phishing campaigns increasingly using multiple tactics to harvest credentials and bypass or intercept 2FA/MFA workflows. The impact of such an attack on businesses could result in account takeover, fraudulent payment redirection, data theft, internal phishing, unauthorized access to sensitive documents, and more."
https://www.fortra.com/blog/mirage2fa-obfuscated-html-loader-delivers-microsoft-365-mfa-phishing-kit
https://www.helpnetsecurity.com/2026/06/26/mirage2fa-phishing-kit-microsoft-365-html-smuggling/ - Breaking Out Of Chrome’s Sandbox: A Native Messaging Backdoor Observed In Italy
"In June 2026, we analysed a malware campaign distributed through Italian-language phishing emails. The message pretended to deliver an invoice and used the subject Fattura #2818999851. The victim was shown what looked like a PDF document. The downloaded file was instead an obfuscated Windows JavaScript file named Fattura-2819889242.pfd.js. The unusual pfd.js ending was likely intended to look similar to .pdf at a quick glance."
https://www.d3lab.net/breaking-out-of-chromes-sandbox-a-native-messaging-backdoor-observed-in-italy/
https://www.malwarebytes.com/blog/news/2026/06/malware-steals-chrome-session-cookies-to-take-over-your-accounts - STOCKSTAY Another Day: The Latest Addition To Turla’s Intelligence Gathering Apparatus
"Google Threat Intelligence Group (GTIG) has conducted an in-depth analysis of a .NET backdoor, tracked as STOCKSTAY, that has been continually developed and deployed by the Russia-linked threat actor Turla (aka SUMMIT, Secret Blizzard, VENOMOUS BEAR, UAC-0194) since at least December 2022. Turla has deployed STOCKSTAY against government and military organizations in Ukraine, as well as entities with an interest in Italian foreign policy. Used for ongoing cyber espionage, this backdoor shares significant code and functional overlaps with KAZUAR, a successful toolkit previously attributed to Turla. The group has a long history of targeting a wide range of industries, with a particular focus on western Ministries of Foreign Affairs, and defense organizations within the context of heightened political tensions."
https://cloud.google.com/blog/topics/threat-intelligence/stockstay-turla-intelligence-gathering
https://thehackernews.com/2026/06/google-details-turlas-new-stockstay.html
https://therecord.media/russia-turla-espionage-ukraine-stockstay-malware
https://www.securityweek.com/russian-apt-deploys-stockstay-backdoor-against-ukrainian-targets/ - Malware Brief: Banking Trojans Are Still With Us, And They’re More Dangerous
"Banking trojans are still widely used in 2026 but now operate as part of broader attack chains. Modern variants combine credential theft, remote access and device takeover capabilities. Mobile banking trojans are expanding quickly, shifting attacks closer to users and unmanaged devices. Threat actors are pairing familiar malware with newer lures, including AI-themed tools and social engineering. For SMBs, banking trojans are often the first step toward account takeover, fraud or ransomware."
https://blog.barracuda.com/2026/06/25/banking-trojans-2026-account-takeover-fraud - Miasma Mini Shai-Hulud Hits LeoPlatform Npm Packages And GitHub Actions, Expands To The Go Ecosystem
"Socket Threat Research is tracking a new supply chain attack wave tied to the Mini Shai-Hulud, Miasma, and Hades malware family. The latest activity includes malicious npm releases affecting LeoPlatform and RStreams packages, GitHub Actions workflow abuse, and a related Go module compromise involving the Verana Blockchain project. While many of the affected npm packages were published through the czirker account, the activity is not limited to that publisher: three additional malicious packages, hexo-deployer-wrangler, hexo-shoka-swiper, and prism-silq, were published by the npm user llxlr."
https://socket.dev/blog/miasma-mini-shai-hulud-hits-leoplatform-npm-packages-go-ecosystem
https://thehackernews.com/2026/06/miasma-malware-targets-npm-packages-and.html
https://www.theregister.com/security/2026/06/26/miasma-campaign-poisons-20-plus-npm-packages-hunts-for-developer-secrets/5262886 - Photo ZIP Campaign Targeting Hospitality Industry Delivers Node.js Implant For Persistent Access
"Microsoft Threat Intelligence has identified an active multi-stage intrusion campaign targeting organizations in the hospitality and hotel industry since April 2026. We’ve observed this activity through aggregated threat intelligence and security signals across multiple organizations in Europe and Asia. Microsoft has not attributed this campaign to a known threat actor. The campaign uses photo-themed ZIP archives that the target users download through the browser. These archives contain fake image shortcut files that, when launched, start an attack chain that relies on obfuscated PowerShell, a Node.js-based implant, dual registry persistence, and command-and-control (C2) communications over non-standard ports."
https://www.microsoft.com/en-us/security/blog/2026/06/25/photo-zip-campaign-targeting-hospitality-industry-delivers-node-js-implant-persistent-access/
https://thehackernews.com/2026/06/microsoft-warns-of-photo-zip-phishing.html
https://securityaffairs.com/194349/uncategorized/hospitality-sector-hit-by-phishing-campaign-using-fake-guest-complaint-emails.html - Russia Used Social Engineering To Breach Prominent Messaging Accounts, Ukraine Says
"Ukraine's security agency said it had uncovered, together with the FBI, a long-running Russian campaign to compromise the messaging accounts of government officials, military personnel, politicians and activists in Ukraine, Europe and the United States. The campaign was aimed at gaining access to sensitive military, political and economic information exchanged through messaging applications, while also stealing victims' personal data, the Security Service of Ukraine (SBU) said in a statement on Thursday."
https://therecord.media/russia-ukraine-social-engineering-messaging-accounts
https://thehackernews.com/2026/06/ukraine-says-russian-intelligence-used.html - Malware-Laced USBs Breach Japanese Military Networks
"Counterfeit flash drives embedded with a Chinese-linked computer virus and used by the Japanese army are now dispensing malware throughout other secure networks in the country. First reported by The Nikkei newspaper, the virus was overlooked until February 2025, when military personnel reported slower device speeds - almost a full year after the flash drives were delivered to Japan's Self-Defense Forces in March 2024. According to internal documents, the original source of procurement for the drives is no longer verifiable. An investigation by the army's Cyber Defense Unit found that six of eight USB drives analyzed contained the malicious program, with more than 50 out of 480 computers infected. Roughly half of the computers affected ran on closed internal networks."
https://www.bankinfosecurity.com/malware-laced-usbs-breach-japanese-military-networks-a-32094 - Fake Shops Target Shoppers Across Europe With Fake Samsung Deals, Counterfeit Goods And World Cup Scams
"Cybercriminals are scaling fake online stores into a coordinated multinational business. A Bitdefender Labs investigation identified more than 55 fake-shop campaigns targeting consumers across 12 European countries between March and May 2026. The campaigns mimicked some of the world’s most recognizable brands, including Samsung, Nike, Adidas, ZARA, H&M, Amazon, Lidl, and SHEIN."
https://www.bitdefender.com/en-us/blog/labs/fake-shops-europe-samsung-world-cup-scams - Clone This Repo And I Own Your Machine
"Indirect prompt injection is far more than just another chatbot problem; it is a very real and serious attack vector that can result in catastrophic damage, much of which will be irreversible. Take, for example, modern agentic IDEs and coding agents, which can request the use of various tools. Once such tools are authorized, the LLM can ask to execute shell commands, open local files, and make network calls. This sort of tool usage sets the stage for very serious exploits. As an example, this blog post will show how, in the absence of any red flags or systemic suspicion from Claude code, an attacker gained shell access to a developer machine."
https://0din.ai/blog/clone-this-repo-and-i-own-your-machine
https://www.bleepingcomputer.com/news/security/clean-github-repo-tricks-ai-coding-agents-into-running-malware/ - From San Pedro To Salinas: How a Chinese Framework “DCloud Uni-App” Powers a Global Scam Economy
"In 2024, a small Argentine town called San Pedro became the focus of international press coverage after thousands of residents (approximately 20% of the total population), including the chief of police and members of the city council, discovered that a cryptocurrency platform they had invested in and been promoting was a coordinated scam. The platform, called RainbowEx, displayed fictional trading activity, pulled deposits from victims through stablecoin transfers, and blocked withdrawals once the scheme was publicly exposed. The complex scandal was covered by The New York Times, La Opinión Semanario, Buenos Aires Herald, and other prominent news outlets."
https://www.infoblox.com/blog/threat-intelligence/from-san-pedro-to-salinas-how-a-chinese-framework-dcloud-uni-app-powers-a-global-scam-economy/
https://www.securityweek.com/chinese-framework-powers-200000-scam-sites/
Breaches/Hacks/Leaks
Polymarket Customers Lose $3 Million In Supply-Chain Attack
"Polymarket says it will fully reimburse customers who lost an estimated $3 million after hackers injected a malicious script into the platform's frontend following a breach at a third-party vendor. The company states in a brief announcement that the hack was the result of a supply-chain attack that impacted a dependency on its website."
https://www.bleepingcomputer.com/news/security/polymarket-customers-lose-3-million-in-supply-chain-attack/
https://www.securityweek.com/3-million-reportedly-stolen-in-polymarket-hack/
https://securityaffairs.com/194266/security/third-party-breach-at-polymarket-leads-to-2-94m-crypto-theft.html- CMC Releases Analysis And Guidance For Education Sector After Canvas Data Breach
"The UK’s Cyber Monitoring Centre (CMC) has shared its analysis of the Canvas cyber incident affecting Instructure’s Learning Management System as the education technology firm prepares to share its own findings next week. The CMC said that approximately 160 UK higher education institutions were affected and threat actors exfiltrated confidential course and user data. In total, around 9000 educational institutions are thought to have been affected worldwide."
https://www.infosecurity-magazine.com/news/cmc-analysis-education-canvas-data/ - More Klue Breach Victims Identified As Hackers Get Hacked
"Roughly two dozen Klue customers have come forward and confirmed that their Salesforce instances were compromised in a supply chain attack earlier this month. The attack unfolded between June 11 and 12, when hackers used compromised legacy credentials to access the market intelligence platform Klue, obtain OAuth tokens for customers’ Klue integrations, and exfiltrate data in bulk. Salesforce disabled the Klue integration on June 17, and its status page shows it has yet to re-enable it. Gong also disabled the integration."
https://www.securityweek.com/more-klue-breach-victims-identified-as-hackers-get-hacked/
General News
The AI Pentesting Pulse: Decoding The 2.7x Risk Multiplier In LLM Deployments
"Right now, the media and regulators are hyper-focused on frontier models being pulled back by the government for being "too dangerous"—despite heavy debate over whether their extreme guardrails actually rendered them useless in the first place. But while the world is distracted by theoretical doomsday scenarios of super-intelligent models escaping the lab, Cobalt pentesting data in 2026 reveals the actual, immediate danger is already inside your network: well-meaning developers rushing to bolt standard LLMs onto legacy architectures."
https://www.cobalt.io/blog/the-ai-pentesting-pulse-decoding-the-2.7x-risk-multiplier-in-llm-deployments
https://www.darkreading.com/cybersecurity-operations/ai-decline-confidence-autonomous-penetration-testing- Linux Foundation And Industry Leaders Launch Akrites To Defend Critical Open Source Software Against AI-Enabled Cyber Threats
"The Linux Foundation, the nonprofit organization enabling mass innovation through open source, today announced Akrites, a coordinated industry effort to harden the world’s most critical open source software in the era of AI-assisted vulnerability discovery. Backed by founding commitments from Amazon Web Services, Anthropic, Chainguard, Cisco, Citi, Endor Labs, Ericsson, Google, IBM, JPMorganChase, Microsoft and GitHub, NVIDIA, OpenAI, RapidFort, Red Hat, Rust Foundation, Sonatype, Vodafone and Zscaler, the initiative unites major technology companies, AI labs, financial institutions, and security vendors around a shared mission: to coordinate the remediation of vulnerabilities in widely used open source projects with upstream maintainers before those vulnerabilities can be exploited."
https://www.linuxfoundation.org/press/linux-foundation-and-industry-leaders-launch-akrites-to-defend-critical-open-source-software-against-ai-enabled-cyber-threats
https://www.securityweek.com/linux-foundation-unveils-new-open-source-security-project-akrites/
https://www.helpnetsecurity.com/2026/06/26/akrites-open-source-security-framework/ - A Privacy-First Take On Local Malware Analysis
"Submitting a suspicious file to VirusTotal or MalwareBazaar places a copy of that file on a platform other people can search. Analysts across the industry rely on these services to get a quick verdict on whether a binary is dangerous. The convenience carries a condition many overlook. Once a sample reaches a public repository, the person who wrote it can locate it there. Skilled operators watch these platforms for the hashes of their own tools, and a match tells them their campaign has been detected. Files tied to a targeted intrusion can also carry sensitive material from the victim, which then sits on a third-party system."
https://www.helpnetsecurity.com/2026/06/26/burnyard-local-malware-analysis/
https://arxiv.org/pdf/2606.24778 - Two CEOs On Why Security And AI Readiness Belong Together
"SuperOps and Guardz are bundling PSA, RMM, MDM, and agentic SecOps into one offering for MSPs. In this Help Net Security Q&A, SuperOps CEO Arvind Parthiban and Guardz CEO Dor Eisner explain how a connected stack cuts the time and context lost to tool-switching, lowers costs against multi-vendor setups, and helps close the gap between average MSP margins of 8% and the 18% top performers reach. They also discuss what makes a platform AI-native, and why they treat security readiness and AI readiness as one conversation."
https://www.helpnetsecurity.com/2026/06/26/superops-guardz-ceo-partnership/ - The New MCP Specification: What Security Teams Must Prepare For
"The upcoming MCP 2026-07-28 specification represents the most significant architectural evolution of the Model Context Protocol (MCP) since it began. What began as a local, single-user AI integration tool is transforming into a platform capable of supporting enterprise-scale, cloud native deployments. Following the release candidate published on May 21, 2026, the final specification is scheduled for release on July 28, 2026, accompanied by a formal 12-month deprecation window for select legacy functionality."
https://www.akamai.com/blog/security-research/new-mcp-specification-security-teams-must-prepare
https://www.securityweek.com/new-enterprise-ready-mcp-specification-brings-new-security-challenges/ - Third-Party Breaches Teach Education Sector a Costly Lesson In Vendor Risk
"Cybercriminals have long viewed the education sector, with its mix of legacy technology and new applications, uneven IT resources, and large amounts of data, as an easy and enticing target. From the smallest rural K-12 districts to the world's most prestigious universities, IT professionals in education are focused on getting and keeping students and staff online, rather than protecting the systems their devices run on. Many have slim security budgets and are chronically understaffed. And the vast amounts of operational and personal data they hold could be ransomed or sold for use in future cybercrimes."
https://www.darkreading.com/cyber-risk/third-party-breaches-teaches-education-lesson-vendor-risk
อ้างอิง
Electronic Transactions Development Agency (ETDA)
- Healthcare Leaders See a Fatal Cyber Incident As Inevitable
-
Google ออกอัปเดต Chrome 149 แก้ไขช่องโหว่ร้ายแรง 18 รายการโพสต์ใน Cyber Security News
สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand
-
ระบบสื่อสารรถไฟ GSM-R ขัดข้องทั่วเยอรมนี ส่งผลให้รถไฟหยุดให้บริการเป็นวงกว้างโพสต์ใน Cyber Security News
สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand
-
เตือนภัย ส่วนขยาย Microsoft Edge ถูกนำมาใช้เป็นช่องทางโจมตีด้วย Ransomwareโพสต์ใน Cyber Security News
สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand
-
ETDA Cyber Threat Intelligence 26 June 2026โพสต์ใน Cyber Security News
Industrial Sector
- The OT Segmentation Imperative: Why It Can't Wait Any Longer
"Ask any team running industrial operations about network segmentation and you'll hear a familiar story. Everyone agrees it's critical. It's mandated by IEC 62443, NERC CIP and NIS2. It limits the blast radius and prevents lateral movement across networks. Yet for most organizations, network segmentation has remained at the top of the "planned but not deployed" list for years. That inaction is becoming increasingly difficult to justify."
https://www.bankinfosecurity.com/blogs/ot-segmentation-imperative-cant-wait-any-longer-p-4136
Vulnerabilities
- GitLab Patches Code Execution, Information Disclosure Vulnerabilities
"GitLab has rolled out Community Edition (CE) and Enterprise Edition (EE) security updates that resolve 13 vulnerabilities, including three high-severity bugs. The most severe is CVE-2026-10086, an XSS flaw in the Analytics dashboard of GitLab EE, rooted in the improper sanitization of user-supplied input. According to GitLab, the security defect could have allowed an authenticated user with developer rights to execute arbitrary client-side code in the context of other users’ sessions."
https://www.securityweek.com/gitlab-patches-code-execution-information-disclosure-vulnerabilities/
https://docs.gitlab.com/releases/patches/patch-release-gitlab-19-1-1-released/ - Chrome 149 Update Resolves 18 Severe Vulnerabilities
"Google on Wednesday rolled out a new Chrome 149 update that resolves 18 vulnerabilities, including four critical and 14 high-severity security defects. More than half of the addressed issues, including three critical and seven high-severity, are use-after-free flaws, a type of memory corruption bug that could lead to remote code execution (RCE). In Chrome, use-after-free vulnerabilities can be combined with security holes in the underlying operating system or in a privileged browser process to escape the sandbox."
https://www.securityweek.com/chrome-149-update-resolves-18-severe-vulnerabilities/
https://www.malwarebytes.com/blog/news/2026/06/update-chrome-to-patch-critical-browser-security-flaws - 25-Year-Old Vulnerability Patched In Curl
"The open source data transfer tool and library curl has been updated this week with patches for 18 vulnerabilities, including one introduced 25 years ago. The flaws, four medium and 14 low-severity, were discovered as part of a community effort after Anthropic’s Mythos discovered a single curl bug in early May. This release resolves the highest number of CVEs patched with a single curl update, including an issue that was introduced in version 7.7, shipped on March 22, 2001."
https://www.securityweek.com/25-year-old-vulnerability-patched-in-curl/
https://curl.se/mail/lib-2026-06/0026.html
https://securityaffairs.com/194220/security/curl-fixes-a-25-year-old-bug-in-its-largest-cve-release-yet.html - BadBlocker: 11 Million Users, One Server Call Away From Compromise
"Adblock for YouTube (cmedhionkhpnakcndndgjdbohmhepckk) is a Chrome Web Store extension with over 11 million installs and a 4.4-star rating. It blocks ads on YouTube and it works well. It also contains the architectural ingredients for arbitrary JavaScript execution on any website, activated by a single server-side configuration change, without an extension update, without a store review, and without any visible sign that something has changed. In practical terms, that could mean reading pages, stealing data, and acting as the user inside personal accounts, work apps, admin panels, and other sensitive browser sessions."
https://www.island.io/blog/badblocker-11-million-users-one-server-call-away-from-compromise
https://thehackernews.com/2026/06/chrome-ad-blocker-with-10m-installs.html
Malware
- Fake Invoices Are Moving From Inboxes To Shopping Apps
"A fake invoice in your email is easy to ignore. A fake invoice inside your order history feels different. Norton customers have reported fake Norton invoices appearing inside the Shop app, the shopping and order-tracking app from Shopify. Public reports suggest the same technique is not limited to Norton. Similar suspicious Shop app notifications have used McAfee, Apple gift cards, iPhones, PayPal-style payment claims and other high-value purchases as bait. The impersonated brand may change, but the mechanics are familiar: make the user believe they have been charged, then give them a phone number to call."
https://www.gendigital.com/blog/insights/research/fake-invoices-shopping-apps
https://www.bleepingcomputer.com/news/security/order-tracking-app-shop-abused-to-push-callback-phishing-attacks/ - Bluekit Phishing-As-a-Service: Browser-In-The-Middle, Evolved
"Netcraft has identified and is actively detecting live deployments of Bluekit, a sophisticated Phishing-as-a-Service (PhaaS) platform that introduces a meaningful shift in how adversary-in-the-middle (AitM) phishing is executed. While Bluekit was first documented by Varonis Threat Labs — who assessed at the time that it appeared to still be in development — Netcraft can confirm the platform is now operational at scale, with approximately 70 hostnames detected in the last week."
https://www.netcraft.com/blog/bluekit-phishing-as-a-service-threat
https://www.bleepingcomputer.com/news/security/bluekit-phishing-kit-adopts-browser-in-the-middle-for-login-theft/ - Gamaredon In 2025: Leveraging Tunnels, Workers, Dead Drops, And New Alliances
"Cyberespionage has remained a constant feature of Russia’s war against Ukraine. ESET Research has long tracked Gamaredon, one of the most active Russia-aligned advanced persistent threat (APT) groups targeting Ukraine. The group, attributed by the Security Service of Ukraine (SSU) to the 18th Center of Information Security of Russia’s FSB, maintained a high operational tempo throughout 2025."
https://www.welivesecurity.com/en/eset-research/gamaredon-2025-leveraging-tunnels-workers-dead-drops-new-alliances/
https://www.darkreading.com/threat-intelligence/russia-apt-gamaredon-arsenal-defense
https://www.bankinfosecurity.com/russias-gamaredon-adapts-tactics-to-target-ukraine-a-32068 - ClickFix: The Attack That Turns Users Into Their Own Attackers
"ClickFix has quickly become one of the most prevalent social engineering techniques on the web. The attack flips a familiar security assumption on its head: instead of slipping a malicious file past endpoint defenses, the attacker convinces the victim to run the payload themselves. No exploit. No malicious attachment. Just a user, a clipboard, and a convincing prompt."
https://blog.checkpoint.com/securing-user-and-access/clickfix-the-attack-that-turns-users-into-their-own-attackers/ - Introduction To COM Usage By Windows Threats
"Component Object Model (COM) is one of the Windows technologies that analysts regularly encounter but may not always prioritize during triage, as the manual analysis of COM functionality in binary executable files can be labor-intensive. The post starts with a brief introduction into COM, following how binaries utilizing COM can be analyzed, and some examples of malware families and their usage of COM. The post concludes with a list of further resources."
https://blog.talosintelligence.com/introduction-to-com-usage-by-windows-threats/ - Russia Breaks Into Human Rights Activist’s Phone With Cellebrite
"We analyzed Russian activist Andrey Pivovarov’s phone, finding that Russian authorities used forensic extraction tools made by Cellebrite to gain access to his device. A document prepared by Russian authorities confirms that Cellebrite was used to extract information to aid in Pivovarov’s prosecution. Importantly, we found that authorities continued to use Cellebrite for political repression even after the company had cancelled its contracts with Russian customers."
https://citizenlab.ca/research/russia-breaks-into-human-rights-activists-phone-with-cellebrite/
https://therecord.media/russia-used-cellebrite-tool-after-company-pulled-out-of-country
https://cyberscoop.com/russia-cellebrite-activist-phone-hacking/ - Millenium: A RAT Rewritten, A Threat Multiplied
"Group-IB analyzes Millenium RAT version 4.*, a remote access trojan that has undergone an architectural shift from .NET to native C++, while continuing to leverage the Telegram Bot API for command and control, requiring no dedicated server infrastructure. This blog also profiles the developer “ShinyEnigma”, and threat actor cluster “Y2K Operators” responsible for active Millenium RAT exploitation campaigns. Over 62,000 compromised endpoints across more than 160 countries have been identified, with infections accelerating sharply in Q1 2026."
https://www.group-ib.com/blog/millenium-rat-maas/ - Beware Of “Parcel Expert” Job Offers: They’re Parcel Mule Scams
"A parcel mule scam, also called a reshipping scam, is a fake job offer designed to recruit people into handling stolen goods. It usually starts with a fake remote job offer that promises easy money for receiving, inspecting, repackaging, and forwarding packages from home. The “employer” may claim to be connected to familiar companies, but the real purpose is to move goods bought with stolen payment information so they are harder to trace. Victims often think they are doing routine logistics work, but they are actually helping criminals launder stolen merchandise."
https://www.malwarebytes.com/blog/scams/2026/06/beware-of-parcel-expert-job-offers-theyre-parcel-mule-scams - Fake Domain Renewal Emails Trick Website Owners Into Paying Scammers
"You receive an email warning that your website’s domain name is about to expire. Renew now, it says, or your website and email could stop working. The link opens a professional-looking page that already knows your domain name, displays your registrar and expiry date, and starts a countdown timer. It feels urgent and personal, so it feels real."
https://www.malwarebytes.com/blog/threat-intel/2026/06/fake-domain-renewal-emails-trick-website-owners-into-paying-scammers - CL-STA-1062 Targets Southeast Asian Governments And Critical Infrastructure
"Throughout 2025, we observed a cluster of activity targeting government entities and critical infrastructure in Southeast Asia. Specifically, the activity targeted state-owned enterprises in the energy and government sectors. The Chinese-speaking attackers behind this cluster, which we track as CL-STA-1062, have been active since at least March 2022. We assess with high confidence that this is the same cluster, known as UAT-7237, that was reported for its campaigns against web hosting infrastructure in Taiwan in mid 2025. We also observed CL-STA-1062 campaigns in earlier operations targeting strategic sectors in East Asia, indicating a broader, sustained regional focus."
https://unit42.paloaltonetworks.com/cl-sta-1062-tinyrct-backdoor/ - Inside Vidar’s ABE Bypass: From Memory Scanning To APC Injections
"Infostealers are constantly evolving, and so are the techniques they use to bypass Application-Bound Encryption (ABE). In recent weeks, Vidar has been among the most actively developed stealers and, apart from multiple updates to its string obfuscation and a reworked approach to protecting its configuration, it has also introduced a novel technique for bypassing ABE. And while there have been many other changes in Vidar lately, with new versions dropping every week, in this blog post we focus solely on the ABE bypass and its technical aspects."
https://www.gendigital.com/blog/insights/research/inside-vidar-abe-bypass - Inside Eastern Europe's C2 Sprawl: 3,900+ Servers, 302 Providers, One Host Doing Half The Work
"Eastern Europe has long served as a reliable foundation for both commodity cybercrime and state-linked threat operations, a region where bulletproof hosting providers, major telecoms, and cloud infrastructure coexist within the same ASN pools. Over a three-month window from March 12 to June 12, 2026, we mapped malicious infrastructure across 10 countries in the region, covering Belarus, Bulgaria, the Czech Republic, Hungary, Poland, Moldova, Romania, Russia, Slovakia, and Ukraine. Across 302 distinct hosting providers, we identified more than 3,900 active C2 servers. The distribution was anything but even. A single Bulgarian provider accounted for more than half of all detected C2 infrastructure, a level of concentration that doesn't surface when you're tracking individual IPs or domains. It only becomes visible when you look at the hosting layer itself, which is exactly what this analysis does."
https://hunt.io/blog/eastern-europe-malicious-infrastructure-report
Breaches/Hacks/Leaks
- Cal Water Says No OT Systems Breached In Iranian Handala Cyberattack
"The investigation conducted by California Water Service (Cal Water) into the recent cyberattack claimed by the Iranian hacker group Handala found no evidence of activity in the water utility’s operational technology (OT) environment. Handala, which claims to be a hacktivist collective but is widely believed to be a front for Iranian government hacking operations, said it could have disrupted the water supply after gaining access to Cal Water systems but decided not to do so. The statement suggested that the hackers had gained deep access to industrial control systems (ICS)."
https://www.securityweek.com/cal-water-finds-no-evidence-of-ot-activity-after-hackers-claimed-they-could-disrupt-water-supply/ - Another Russian Dairy Company Reportedly Disrupted By Cyberattack
"A cyberattack has snarled logistics and accounting operations at a dairy producer in Russia's republic of Bashkortostan, forcing the company to process shipments and paperwork manually, according to local media. The attack affected the IT systems of Ufagormolzavod, a manufacturer based in Ufa, the regional capital, but did not interrupt production, the company's chief executive, Ildar Faizullin, said."
https://therecord.media/russia-dairy-producter-cyberattack-ufa - Ukraine's State Postal Operator Reports App Disruption After Cyberattack
"Ukraine's state-owned postal operator, Ukrposhta, said on Thursday that its mobile application is experiencing temporary disruptions following an overnight "enemy" attack on the company's IT systems. "Our specialists are already working to restore the service. We are doing everything we can to ensure you can return to using the app normally as soon as possible," Ukrposhta said."
https://therecord.media/ukraine-state-postal-operator-reports-disruption
General News
- Poland Busts SIM-Swapping Gang Tied To Millions In Crypto Theft
"Authorities in Poland have arrested four members of an organized cybercrime group accused of breaching telecommunications partners and hijacking email accounts to carry out SIM-swapping attacks. The operation was carried out by the Polish Cybercrime Bureau (CBZC) with support from the FBI and Homeland Security Investigations (HSI) in the United States. According to investigators, the suspects carried out sophisticated cyberattacks to obtain data used in SIM-swapping attacks."
https://www.bleepingcomputer.com/news/security/poland-busts-sim-swapping-gang-tied-to-millions-in-crypto-theft/ - Why Patch Directives Only Go So Far
"When CISA issues an emergency directive, the message to every federal agency and every security team paying attention is to patch now. For CVE-2026-50751, a CVSS 9.3 authentication bypass in Check Point Remote Access VPN, that directive landed on June 21. despite exploitation beginning in early May. That, six-week active intrusion gap is not a footnote. It is the entire story."
https://cyberscoop.com/why-security-patching-is-not-enough-cve-2026-50751-op-ed/ - In Less Than 24 Hours, Attackers Weaponize Cisco CUCM Flaw
"Attackers have begun actively exploiting a critical flaw in Cisco Unified Communications Manager (CUCM) to gain root access on vulnerable systems. The attacks appear to have begun less than 24 hours after researchers at SSD Secure Disclosure this week released proof-of-concept code (PoC) along with a full exploit chain for the vulnerability."
https://www.darkreading.com/cyberattacks-data-breaches/less-than-24-hours-attackers-weaponize-cisco-cucm-flaw - EdTech Attackers Shift From Schools To Their Software Suppliers
"Threats against the education sector have mounted over the past five years and are becoming even more widespread, as attackers set their sights on educational technology (edtech) vendors. Rather than conducting ransomware or other attacks against an individual school or district, cyberattackers now target learning management systems (LMS) and other educational applications to victimize hundreds, if not thousands, of institutions in one fell swoop."
https://www.darkreading.com/cyberattacks-data-breaches/edtech-attackers-shift-schools-software-suppliers - Europe Evolves Into Ransomware's Favorite Region
"A specter is haunting Europe — the specter of ransomware. After a global lull in 2024 and 2025, the ransomware-as-a-service (RaaS) ecosystem appears to be back to form, at least in Europe. Researchers from Black Kite tracked 684 ransomware attacks across the continent through the first four months of 2026. That's 55% more than the 441 recorded in the first four months of 2025, even more than the 643 recorded through the first half of 2025."
https://www.darkreading.com/cybersecurity-analytics/europe-evolves-ransomware-favorite-region
https://www.infosecurity-magazine.com/news/increase-ransomware-europe/ - The Uptime Questions Every Engineering Leader Should Ask This Week
"In this interview with Help Net Security, Mattias Geniar, CTO at Oh Dear, explains why most outages start quietly, as creeping latency or a slow rise in errors. He argues teams alert on the wrong things: absolute numbers instead of changes, isolated endpoints instead of real user outcomes. He covers alert fatigue, the DNS and certificate failures buried deep in the stack, the risk of leaning on one provider, and the mistakes tired engineers make at 3am. Geniar closes with questions leaders should ask to test their uptime story."
https://www.helpnetsecurity.com/2026/06/25/mattias-geniar-oh-dear-preventing-outages/ - LLM Security Advice Looks Solid Until You Check The Hard Cases
"Plenty of people now type their security worries straight into a chatbot. A hacked account, a suspicious email, a stalker who might be tracking a phone, all of it lands in the same window someone would use to ask about dinner. A benchmark called HelpBench tests how well chatbots handle those moments, and the results give security professionals something to watch in what their users are being told."
https://www.helpnetsecurity.com/2026/06/25/helpbench-llm-security-advice/
https://arxiv.org/pdf/2606.24819 - Recommendations When Using LLM-Backed Generative AI Systems For FOSS Contributions
"The entire community of computer users, which quickly approaches every human, faces the growing conundrum of generative artificial intelligence systems backed by Large Language Models (“LLM-gen-AI”)1. Software freedom activists face particularly difficult challenges in this regard; these LLM-gen-AI systems have been applied in earnest to the endeavors of software creation and modification."
https://sfconservancy.org/llm-gen-ai/llm-backed-generative-ai-recommendations.html
https://www.helpnetsecurity.com/2026/06/25/foss-ai-in-open-source/ - Most Teams Will Ship AI-Written Infrastructure Code With Little Review
"AI-assisted development has settled into everyday practice across software organizations, and developers using it move from idea to working code in hours. That code does not stay with the developers who prompt it. It flows downstream to the DevOps and platform teams who deploy and maintain it, and those teams are not getting the same speed boost."
https://www.helpnetsecurity.com/2026/06/25/ai-infrastructure-governance-gap-report/ - Twenty Million US IP Connections Used By Proxy Services
"Millions of residential IP connections in the US are collected annually for use in proxy services, with many households unaware that they may ultimately be used by threat actors, a new report has warned. Non-profit the Digital Citizens Alliance claimed in a new report, Cybercrime by Doorbell, that an estimated 20 million or more connections end up as proxies, often without the knowledge of their owners."
https://www.infosecurity-magazine.com/news/twenty-million-us-ip-connections/
https://resproxy.digitalcitizensalliance.org/hubfs/resproxy/DCA_Cybercrime-by-Doorbell-Report.pdf - Trust In Automated AI Vulnerability Scanning Collapses To 9%, New Study Finds
"A large number of false negatives has significantly eroded confidence in automated AI testing for vulnerabilities, a new study from Cobalt has found. The Cobalt State of Pentesting Report 2026 is based on two comparative surveys in 2025 and 2026 of around 450 cybersecurity professionals. It found that the percentage of organizations relying entirely on AI automation for testing sank from 29% to 9% over the period, with nearly half (47%) of respondents now preferring a hybrid testing model."
https://www.infosecurity-magazine.com/news/trust-ai-vulnerability-scanning/
https://resource.cobalt.io/ai-pentesting-pulse-report-2026-tyd - New CISA Guide Assists Federal Agencies With Transitioning To Modernized Zero Trust Architectures
"Today, the Cybersecurity and Infrastructure Security Agency (CISA) published a guide that helps federal civilian agencies advance their zero trust capabilities and adopt modern architectures supported under the Trusted Internet Connections (TIC) 3.0 Initiative. Part of CISA’s Journey to Zero Trust series, this guide helps agencies transition away from the limitations of using TIC 2.0 and capitalize on TIC 3.0 flexibilities to employ Secure Access Service Edge (SASE) solutions. Federal agencies will better understand, plan and mature to zero trust architecture to improve user experience, increase visibility and control, and enable telemetry sharing with CISA services."
https://www.cisa.gov/news-events/news/new-cisa-guide-assists-federal-agencies-transitioning-modernized-zero-trust-architectures
https://www.cisa.gov/resources-tools/resources/using-sase-modern-tic-30-solution
https://www.cisa.gov/sites/default/files/2026-06/The_Journey_to_Zero_Trust_Using_SASE_in_a_Modern_TIC-3.0_Solution_CB_Approved_508c.pdf
https://www.infosecurity-magazine.com/news/cisa-sase-tic-3-0-zero-trust/ - Inside The 2026 SMB Threat Landscape: From Phishing And Scams To Fake AI Tools
"Small and medium-sized businesses (SMBs) remain attractive targets for cybercriminals – in both mass cyberattacks and sophisticated campaigns targeting larger enterprises through trusted relationship attacks. At the same time, smaller businesses may lack the robust cybersecurity policies and necessary resources to protect themselves against an evolving threat landscape."
https://securelist.com/smb-threat-report-2026/120357/ - NIST Opens Updated IoT Security Guidance To Public Review
"The National Institute of Standards and Technology (NIST) announced Wednesday that it’s seeking public feedback on updated Internet of Things (IoT) security guidelines. Updated to reflect current security needs, the guidance provides general considerations on the impact of IoT products on risk assessments and aims to establish cybersecurity requirements to support security controls. The initial public draft (IPD) of SP 800-213 Revision 1, titled ‘IoT Product Cybersecurity Guidelines for the Federal Government: Establishing IoT Product Cybersecurity Requirements’, is available for download on NIST’s website (PDF), with the public comment period ending August 24."
https://www.securityweek.com/nist-opens-updated-iot-security-guidance-to-public-review/
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-213r1.ipd.pdf - SOC Threat Radar — June 2026
"Incidents mitigated in the last month by Barracuda Managed XDR show how weak access controls and exposed remote services attract mass-targeting adversaries and pave the way for more severe attacks. LemonDuck malware infects endpoints for cryptomining. GoldBrute botnet brute-forces remote services. Password spraying attacks from Iran are targeting VPNs."
https://blog.barracuda.com/2026/06/25/soc-threat-radar-june-2026 - Why ShinyHunters Attacks Expose a Growing Data Security Risk
"While a lot of attention is being paid to a pending apocalypse of vulnerabilities that are being discovered by the latest generation of artificial intelligence (AI) models, a series of relatively simpler cyberattacks from a shadowy syndicate known as ShinyHunters are proving to be the most lethal. The most recent cyberattack launched by this group was against Madison Square Garden (MSG), the parent organization of the New York Knicks and Liberty basketball teams and the New York Rangers hockey team. As fans of the Knicks were celebrating the team’s NBA championship, cybersecurity teams and the executive leadership of MSG were contending with the theft of 45 GB of corporate and customer data."
https://blog.barracuda.com/2026/06/24/shinyhunters-attacks-data-security-risks
อ้างอิง
Electronic Transactions Development Agency (ETDA)
- The OT Segmentation Imperative: Why It Can't Wait Any Longer
-
ETDA Cyber Threat Intelligence 25 June 2026โพสต์ใน Cyber Security News
Industrial Sector
- Where IT Meets OT And Railway Cybersecurity Gets Harder
"In this interview with Help Net Security, Jorge Aldegunde, Global Head of Railway Services at DNV, talks through what happens when old operational technology meets newer IT in monorail systems. He explains why open networks widened the attack surface, how teams decide whether to patch a signalling flaw without stopping trains, and who carries the liability. Aldegunde covers regulation like CRA and NIS2, training veteran engineers to think about threat actors, and spotting intruders who have been inside for months. His main rule: manage your risks and plan for resilience, not perfection."
https://www.helpnetsecurity.com/2026/06/24/jorge-aldegunde-dnv-railway-cybersecurity/
New Tooling
- Praxen: Open-Source AI Agent Behavior Verification
"Praxen is an open-source tool with a simple job: it checks whether an AI agent does what it claims to do. The tool takes an agent’s declared policy, looks at how the agent operates, and points out every spot where the two drift apart. It is the reference implementation of Agent Behavior Verification, a control model that hands each agent an authorized role and then confirms the controls hold that agent to it. The idea borrows from how companies manage their own employees. Every person gets a defined set of permissions, and the same logic now applies to software agents, where each one carries a scope of activity it is allowed to perform."
https://www.helpnetsecurity.com/2026/06/24/praxen-open-source-ai-agent-behavior-verification/
https://github.com/open-agent-ai-security/praxen
Vulnerabilities
- CISA Adds Four Known Exploited Vulnerabilities To Catalog
"CISA has added four new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
CVE-2025-67038 Lantronix EDS5000 Code Injection Vulnerability
CVE-2026-34908 Ubiquiti UniFi OS Improper Access Control Vulnerability
CVE-2026-34909 Ubiquiti UniFi OS Path Traversal Vulnerability
CVE-2026-34910 Ubiquiti UniFi OS Improper Input Validation Vulnerability"
https://www.cisa.gov/news-events/alerts/2026/06/23/cisa-adds-four-known-exploited-vulnerabilities-catalog
https://www.bleepingcomputer.com/news/security/cisa-warns-of-max-severity-ubiquiti-flaws-exploited-in-attacks/
https://thehackernews.com/2026/06/cisa-warns-critical-lantronix-eds5000.html
https://www.securityweek.com/critical-ubiquiti-vulnerabilities-in-attackers-crosshairs/
https://securityaffairs.com/194142/security/u-s-cisa-adds-ubiquiti-unifi-os-and-lantronix-eds5000-plugin-flaws-to-its-known-exploited-vulnerabilities-catalog.html - When Defenses Become Attack Surface: CVE-2026-20971, a Samsung Kernel UAF
"Our team found a UAF vulnerability in Samsung's Android kernel. The vulnerability affected Samsung Android devices starting at Galaxy S9 through Galaxy S25, as well as additional devices (we tested S21, S22, S24, A54). Both Qualcomm and Exynos chipset based devices were impacted. The vulnerability could be exploited from any untrusted app, and allowed attackers to obtain multiple memory corruption primitives, potentially leading to complete device takeover."
https://lucidbitlabs.com/blog/when-defenses-become-attack-surface/
https://securityaffairs.com/194090/security/samsung-knox-kernel-uaf-exposes-millions-of-galaxy-devices.html - Researchers Trick AI Browsers Into Leaking Credentials
"A range of AI-powered web browsers have been tricked into abandoning their safety guardrails and leaking user data after being convinced they were playing a game. Researchers at LayerX demonstrated the technique, which they named BioShocking, against six agentic browsers and plugins, including OpenAI's ChatGPT Atlas, Perplexity's Comet and Anthropic's Claude extension. In a proof-of-concept (PoC) attack, all six were steered into copying a user's login credentials and sending them to an attacker."
https://www.infosecurity-magazine.com/news/bioshocking-ai-browser-prompt/
Malware
- Backdoor.Mistic: New Backdoor May Be Linked To Ransomware Access Broker
"Stealthy new backdoor used in cybercrime intrusions since April 2026 may be associated with Woodgnat (aka KongTuke), an initial access broker whose ModeloRAT toolkit has fed Qilin and other ransomware operations."
https://www.security.com/threat-intelligence/new-mistic-backdoor-modeloRAT
https://www.bleepingcomputer.com/news/security/stealthy-mistic-backdoor-linked-to-ransomware-access-broker-kongtuke/
https://www.securityweek.com/new-mistic-rat-opens-door-to-several-ransomware-families/ - Iran-Linked MuddyWater Poses As Ransomware Gang To Mask Cyber Espionage
"The line between ransomware activity and nation-state backed cyber campaigns is blurring, as state-sponsored cyber espionage groups adopt tools and techniques associated with cyber criminals to disguise their intelligence operations, a report has warned. Analysis by cybersecurity researchers at NCC Group has described how MuddyWater, a hacking and cyber espionage group associated with Iran’s Ministry of Intelligence and Security, posed as the Chaos ransomware group to hide its espionage activity."
https://www.infosecurity-magazine.com/news/iranlinked-muddywater-poses-as/ - Total Access To All Your Devices.” Sextortion Scammers Strike Again
"At the moment, we’re seeing all kinds of sextortion emails. The scam is cheap to run, easy to automate, and apparently profitable enough that cybercriminals keep using it. Some criminals put more effort into their messages than others. Sextortion emails are messages claiming that scammers recorded you through your webcam while you watched pornography and now demand payment. They have been around for years and keep evolving with small changes in wording and fake technical detail."
https://www.malwarebytes.com/blog/scams/2026/06/total-access-to-all-your-devices-sextortion-scammers-strike-again - StrikeShark: Investigating a New Campaign Delivering Cobalt Strike Through SharkLoader
"During our research of activity affecting a diplomatic organization in Indonesia, we uncovered a previously undocumented malware family that we have named SharkLoader. What initially appeared to be an isolated case quickly expanded into a broader campaign as we identified additional SharkLoader infections across multiple countries and sectors. Our investigation revealed that SharkLoader serves as a loader designed to deploy Cobalt Strike Beacon on compromised systems. We observed the threat actor deploying SharkLoader through exploitation of internet-facing applications, including Microsoft Exchange, Microsoft SharePoint, and Openfire Server, as well as through malware-based delivery mechanisms."
https://securelist.com/strikeshark-campaign/120326/ - The Broker Behind FortiBleed: Anatomy Of a Russian-Speaking Access Operation
"At Mysterium VPN, we often think about who gets to sit in the middle of someone else's connection. Usually, that means a camera, a router, or an internet provider. This time, it’s something heavier: a firewall. The exact device a company buys to keep strangers out of its network turned out to be the front door a criminal crew walked through — and then cataloged, priced, and put up for sale. In mid-June 2026, security researcher Volodymyr "Bob" Diachenko posted on LinkedIn that he had stumbled upon a live, exposed server containing what appeared to be working login credentials for tens of thousands of Fortinet firewalls (Fortinet is one of the world's largest makers of network security hardware)."
https://www.mysteriumvpn.com/news/fortibleed-access-broker
https://securityaffairs.com/194132/cyber-crime/fortibleed-the-broker-who-turned-73000-firewalls-into-a-product-catalog.html - MacOS.Gaslight | Rust Backdoor Turns Prompt Injection On The Analyst, Not The Sandbox
"In early June, an Apple XProtect update surfaced a Mach-O sample that had been uploaded to VirusTotal on May 22. The XProtect rule targets the file purely on its hash rather than on any internal strings or bytecode, yet the sample remains undetected by static engines on VirusTotal at the time of writing. The binary is ad hoc signed and carries the identifier endpoint-macos-aarch64-5555494492fc075f441637fb9d894913dde3a2ea."
https://www.sentinelone.com/labs/macos-gaslight-rust-backdoor-turns-prompt-injection-on-the-analyst-not-the-sandbox/
https://www.infosecurity-magazine.com/news/macos-gaslight-rust-backdoor/ - Zero-Day Exploitation Of Vulnerability (CVE-2026-20245) In Cisco Catalyst SD-WAN Manager
"In early 2026, Mandiant identified a threat actor targeting SD-WAN infrastructure at a service provider. After gaining initial access, the threat actor exploited a zero-day vulnerability (CVE-2026-20245) in Cisco Catalyst SD-WAN to escalate privileges from a compromised administrative account to root-level access. The vulnerability stems from the device’s file upload feature lacking the ability to properly filter malicious data."
https://cloud.google.com/blog/topics/threat-intelligence/zero-day-exploitation-cisco-catalyst-sd-wan-manager
https://www.bleepingcomputer.com/news/security/mandiant-reveals-how-cisco-sd-wan-zero-day-attacks-gained-root-access/
https://www.darkreading.com/cyberattacks-data-breaches/attackers-hit-cisco-sd-wan-flaw-2-months-before-disclosure
https://cyberscoop.com/cisco-sd-wan-zero-day-exploit-communications-provider/ - GhostShell (MB-0009): Targeting Ukraine’s UAV Operations And Defense Supply Chain
"Today, we are taking a look at malware linked to yet another threat actor, one that has been active since at least February 2026. Since I could not associate the malware with any previously attributed threat actor, I am naming the actor GhostShell (you’ll find out why later in this article) and assigning it the Malwarebox identifier MB-0009."
https://blog.synapticsystems.de/ghostshell-mb-0009-targeting-ukraines-uav-operations-and-defense-supply-chain/
https://hackread.com/ghostshell-hacking-group-ukraine-drone-defense-sector/
Breaches/Hacks/Leaks
- KDDI Breach Affects Six Japanese ISPs, Exposes 14.2 Email Credentials
"Japanese telecommunications operator KDDI has confirmed it suffered a breach that has affected five other internet services providers (ISPs) and potentially exposed 14.2 customer email accounts. In a public statement released on June 23, KDDI Corporation said an unauthorized actor unlawfully gained access to an email system it provides to several Japanese ISPs, meaning that data linked to customers of these email services may have leaked. Specifically, KDDI said up to 14.22 million email addresses and passwords have likely been compromised."
https://www.infosecurity-magazine.com/news/kddi-breach-japanese-telcos/ - Indian Auto Giant Bajaj Auto Hit By Ransomware Incident
"India's automotive giant Bajaj Auto disclosed on Tuesday that it had been hit by a ransomware attack affecting its operations and a technology-focused subsidiary. The company said in a regulatory filing that it became aware of the incident on Tuesday morning and had taken precautionary measures to contain its impact. It added that its technical team and cybersecurity experts responded immediately and that mitigation efforts had so far been "successful.""
https://therecord.media/indian-auto-giant-bajaj-auto-hit-by-ransomware - German Rail Services Resume After Wireless Communications Outage
"Germany's state-owned rail operator Deutsche Bahn restored train services early Wednesday after a technical failure in its railway communications network brought rail traffic across the country to a standstill for roughly two hours overnight, disrupting both long-distance and regional services. The outage, which began late Tuesday, halted trains nationwide and also affected S-Bahn commuter services connecting major cities with surrounding suburbs. While services resumed Wednesday morning, Deutsche Bahn warned passengers to expect lingering delays and cancellations."
https://therecord.media/deutsche-bahn-railroad-gsmr-outage
General News
Security Is No Longer An IT Problem: Why Boards Must Rethink Cyber Resilience In The Age Of AI
"For years, organisations approached email security as a technology problem. Deploy a secure email gateway (SEG), add filtering tools, automate remediation workflows, and assume the problem was solved. That approach no longer works. Today’s attackers are using AI to create polymorphic phishing campaigns that continuously evolve to evade traditional detection systems. They rotate URLs, vary sender identities, change subject lines, and modify content at scale. The result is that many organisations are discovering that even sophisticated email security tools and Microsoft 365 protections cannot stand alone against modern threats."
https://cofense.com/blog/security-is-no-longer-an-it-problem-why-boards-must-rethink-cyber-resilience-in-the-age-of-ai- Scaling Cybercrime Disruption Through Innovation And AI
"Microsoft is taking a new approach to fighting cybercrime, targeting the cyberattack supply chain, not just individual services. In a case unsealed today, we are simultaneously targeting two widely used cybercrime tools, Amadey and StealC, after AI-assisted analysis revealed they rely on the same infrastructure. This action goes after the cybercrime “assembly line,” where coordinated tools drive ransomware, financial fraud, and disruptions to public services. Amadey and StealC are often used alongside each other: Amadey helps attackers gain access to devices, while StealC steals passwords and sensitive information. Together, they form a critical link in the chain. In the first two weeks of May alone, Amadey and StealC were linked to more than 140,000 infected computers globally, highlighting how widely they are used."
https://blogs.microsoft.com/on-the-issues/2026/06/24/scaling-cybercrime-disruption-through-innovation-and-ai/
https://www.europol.europa.eu/media-press/newsroom/news/global-cyber-strike-disrupts-socgholish-amadey-and-stealc-malware-networks
https://www.proofpoint.com/us/blog/threat-insight/stealc-you-later-proofpoint-and-ibm-x-force-support-operation-endgame
https://www.bleepingcomputer.com/news/security/amadey-stealc-malware-operations-disrupted-in-operation-endgame-action/
https://thehackernews.com/2026/06/amadey-and-stealc-malware-network.html
https://therecord.media/stealc-amadey-socgholish-malware-takedown-europol-microsoft
https://cyberscoop.com/microsoft-amadey-stealc-takedown/
https://www.bankinfosecurity.com/infostealers-stealc-amadey-disrupted-in-police-crackdown-a-32062
https://www.infosecurity-magazine.com/news/operation-endgame-stealc-amadey/
https://hackread.com/operation-endgame-stealc-amadey-socgholish-malware/
https://www.securityweek.com/microsoft-and-allies-smash-shared-infrastructure-of-amadey-and-stealc-malware/
https://securityaffairs.com/194173/cyber-crime/europol-disrupts-stealc-and-amadey-malware-infrastructure-in-operation-endgame.html
https://www.helpnetsecurity.com/2026/06/24/operation-endgame-stealc-amadey-malware-disrupted/ - Trust No One: Automating MacOS Privilege Escalation At Scale
"A novel macOS privilege escalation technique allows standard user accounts to silently disable leading enterprise security products—including major Endpoint Detection and Response (EDR) and Mobile Device Management (MDM) solutions—without requiring administrator credentials, kernel exploits, or triggering security alerts. The attack exploits a fundamental flaw in how macOS XPC services establish trust boundaries by chaining CDHash kernel cache exploitation with NIB payload injection to impersonate trusted application components. Consequently, any non-root user can invoke arbitrary privileged XPC methods with zero authentication. This exposure exists widely across applications implementing inter-component XPC communication in the macOS ecosystem."
https://xmcyber.com/blog/faind-my-xpc-breaks-a-key-trust-boundary/
https://www.darkreading.com/application-security/apple-macos-security-gap-users-disable-security-tools
https://www.securityweek.com/macos-weaknesses-chained-to-silently-disable-endpoint-security-agents/ - Security Testing Was Built For a Slower World
"Software teams are pushing code into production faster than security testing can keep up. AI is accelerating development cycles and adding pressure to security programs that rely on periodic validation and manual penetration testing. The State of AI in Pentesting report from Aikido Security found that 76% of organizations have had to stop, restrict, or roll back AI-driven behavior in the past 12 months. Another 71% said AI or automation made a security issue harder to detect, investigate, or fix."
https://www.helpnetsecurity.com/2026/06/24/ai-security-testing-report/ - How Threat Actors Are Using AI In Real Attacks: Cheaper, Faster, Harder To Spot
"AI is making familiar cyber attacks cheaper to build, faster to scale, easier to tailor, and harder to spot. Across the incidents and dark-web discussions in this report, threat actors used AI to improve what already works: phishing, social engineering, malicious code, identity fraud, and early post-compromise activity. The tradecraft is familiar, but the pace isn’t. We’ve tracked that shift for the past two years. In our 2024 AI-Powered Cybercrime report, we saw early signs of cybercriminal AI use, which consisted mostly of phishing email polish, basic LLM-generated scripts, and the emergence of malicious GPTs like “WormGPT” (now defunct) and “FraudGPT” on the dark web. By mid-2025, the picture had expanded to deepfake services, AI-assisted scripts, and a growing underground market for AI-enabled tools. Over the past year, the core uses have stayed largely the same, but AI has moved closer into the heart of the offensive workflow."
https://reliaquest.com/campaigns/how-threat-actors-use-ai/executive-summary
https://www.infosecurity-magazine.com/news/ai-attacks-cheaper-faster-covert/ - Anthropic’s Mythos Model Found Vulnerabilities In Classified US Government Systems, Official Says
"A U.S. official told The Associated Press on Tuesday that one of Anthropic’s artificial intelligence models had identified vulnerabilities in highly sensitive and secure U.S. government computer systems during a testing exercise. The official, who spoke on the condition of anonymity to discuss the matter, said Anthropic had teamed up with U.S. intelligence agencies to conduct tests using the company’s Mythos model. It had identified certain vulnerabilities within hours, but that does not mean the model was able to exploit them within that time, the official said."
https://www.securityweek.com/anthropics-mythos-model-found-vulnerabilities-in-classified-us-government-systems-official-says/ - Agentic AI Security: Wrong Context, Wrong Decisions At Machine Speed
"Context is the central plank of AI in general, and agentic AI in particular. If an AI system doesn’t have the correct context, it cannot make the correct decisions. Security is moving toward reliance on the autonomous and automatic action of agentic AI. It has little choice. The increasing speed, volume and efficiency of attacks automated by adversarial use of both generative and agentic AI will only be matched by defensive AI with as little slow human intervention (the proverbial man-in-the-loop) as possible."
https://www.securityweek.com/agentic-ai-security-wrong-context-wrong-decisions-at-machine-speed/ - A Closer Look At Africa’s Evolving Cyberthreat Landscape
"The Africa region experiences an interesting mix of cyberattacks, threat actors, victims, and victim types. Ransomware and fraud are not the dominant threat types, and there aren’t many well-known names in the list of top threat actors. It’s not that the region has it easy—far from it—but Africa presents a different kind of threat landscape when we break down the numbers."
https://blog.barracuda.com/2026/06/23/africa-evolving-cyberthreat-landscape - OpenClaw’s Skill Marketplace And The Emerging AI Supply Chain Threat
"OpenClaw is an AI agent that executes third-party skills from ClawHub, its dedicated marketplace. Skills are markdown-driven packages with broad local system access, making ClawHub a critical link in the agentic software supply chain. Following its release, the ecosystem saw several malicious campaigns. Those early findings, published in February 2026, prompted ClawHub to integrate VirusTotal and ClawScan, enabling proactive screening of published skills and code-level analysis to block skills flagged as malicious from download."
https://unit42.paloaltonetworks.com/openclaw-ai-supply-chain-risk/
https://www.darkreading.com/cyber-risk/malicious-openclaw-skills-clawhub-threaten-ai-supply-chain - DraftKings Hacker 'Snoopy' Sentenced To 18 Months In Prison
"A 21-year-old using the alias "Snoopy" was sentenced to 18 months in prison for his role in hacking DraftKings accounts in the November 2022 cyberattack. In December 2025, the man, Nathan Austad of Minnesota, pleaded guilty to conspiracy to commit computer intrusion, admitting that he and co-conspirators compromised 60,000 DraftKings user accounts. During the attack, the hackers added payment methods under their control to 1,600 accounts and stole $600,000."
https://www.bleepingcomputer.com/news/security/draftkings-hacker-snoopy-sentenced-to-18-months-in-prison/
https://www.justice.gov/usao-sdny/pr/third-defendant-sentenced-prison-hacking-fantasy-sports-and-betting-website
https://www.securityweek.com/third-draftkings-hacker-sentenced-to-18-months-in-prison/ - Open-Source Security Is Posing Challenges Governments Can’t Easily Solve
"An epidemic of cyberattacks on open-source software has mounted in recent months, making clear how uniquely difficult it is to protect the publicly available code, from both a policy and a technical perspective, that serves as the foundation for so much of the digital world. While open-source software security got a boost in attention under President Joe Biden — whose administration grappled with the fallout from the potentially catastrophic Log4j flaw that emerged in 2021 — a number of open-source experts say that government protection efforts have suffered setbacks under President Donald Trump. Many also say companies that heavily rely on open-source software, which is basically all of them, haven’t shouldered enough of the responsibility for safeguarding it."
https://cyberscoop.com/open-source-software-security-crisis/ - Exclusive: Meet AIVEX, a New Triage Model Built To Reduce Supply Chain Threat And Risk
"Remediation priority (vulnerability triaging) traditionally focuses on Software Bill of Materials (SBOMs) and Vulnerability Exploitability eXchange (VEX) statements provided with the software and supplemented by CVSS scores. That is not enough in today’s environment. SBOMs list the components within the software. They emanated from Executive Order 14028 designed to reduce supply chain attacks. VEX statements emerged soon afterward to indicate whether any known vulnerabilities are exploitable. The separate CVSS score is used as a severity indicator for vulnerability remediation priority. It’s not working – supply chain attacks continue."
https://www.securityweek.com/exclusive-meet-aivex-a-new-triage-model-built-to-reduce-supply-chain-threat-and-risk/ - Navigating The Threat Landscape Of The 2026 FIFA World Cup
"As the 2026 FIFA World Cup progresses, Flashpoint analysts continue to monitor a dynamic threat environment spanning physical security, civil unrest, cyber threats, and geopolitical developments. While analysts have not identified any credible indications of an imminent attack targeting tournament venues or participants, several notable developments have emerged since our previous assessment:"
https://flashpoint.io/blog/2026-fifa-world-cup-threat-landscape/
https://www.darkreading.com/cybersecurity-operations/2026-fifa-world-cup-faces-surge-cyber-threats - Do CISOs Need a Code Of Ethics?
"Dark Reading Confidential Episode 19: Kickbacks, no-show jobs, "dirty" VCs, and shelf ware — industry expert Robert "RSnake" Hansen explains why he thinks its time for a CISO code of ethics to ensure cybersecurity bosses aren't engaged in self-dealing that could risk enterprise, and even national, security."
https://www.darkreading.com/cybersecurity-operations/ciso-code-of-ethics - When Information Becomes The Attack Surface – Understanding AI Agent Traps
"AI agents go beyond answering questions. They can autonomously browse websites, read emails, search company files, query software tools, and more. AI models producing incorrect answers is hardly a threat, until agents encounter information that’s maliciously designed to influence what it sees, believes, remembers, or executes. An agent leverages webpages, document stores, wikis, images, emails, or tools to produce intended outputs. But what happens when these sources mask malicious instructions?"
https://www.securityweek.com/when-information-becomes-the-attack-surface-understanding-ai-agent-traps/
อ้างอิง
Electronic Transactions Development Agency (ETDA)
- Where IT Meets OT And Railway Cybersecurity Gets Harder
-
พบ Mistic RAT ถูกใช้เป็นช่องทางเข้าถึงองค์กร เสี่ยงนำไปสู่การโจมตีแรนซัมแวร์โพสต์ใน Cyber Security News
สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand
