สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand 
ข้อมูลกลุ่ม
ส่วนตัว
administrators
รายชื่อสมาชิก
-
พบการโจมตี Supply Chain ผ่านระบบอัปเดต ShapedPlugin กระทบเว็บไซต์ WordPressโพสต์ใน Cyber Security News
-
Kodak ยืนยันเหตุข้อมูลรั่วไหล หลังกลุ่ม ShinyHunters อ้างขโมยข้อมูลกว่า 2.2 ล้านรายการโพสต์ใน Cyber Security News
สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand
-
ระวังภัยมัลแวร์ขโมย Crypto โดยอาศัยเครือข่ายรีวิวปลอม เพื่อสร้างความน่าเชื่อถือหลอกลวงผู้ใช้งานโพสต์ใน Cyber Security News
สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand
-
Cyber Threat Intelligence 18 June 2026โพสต์ใน Cyber Security News
Industrial Sector
- Rockwell Automation Patches Vulnerabilities In ICS Controllers And Software
"Rockwell Automation informed customers on Tuesday that patches are available for several vulnerabilities affecting its Logix and CompactLogix controllers, Flex I/O dual-port Ethernet/IP adapters, RSLinx industrial communication software, and FactoryTalk automation suite. In FactoryTalk Historian Site Edition the industrial giant patched three high- and critical-severity vulnerabilities that can be exploited to bypass authentication and launch DoS attacks."
https://www.securityweek.com/rockwell-automation-patches-vulnerabilities-in-ics-controllers-and-software/
New Tooling
- Microsoft AntiSSRF Open-Source Library Helps Block Server-Side Request Forgery
"AntiSSRF is an open-source code library from Microsoft that validates URLs and network connections to reduce server-side request forgery (SSRF) risks in web applications. It supports .NET and Node.js applications and is distributed under the MIT license. The library works as a drop-in component, giving developers a way to check untrusted input before their applications make outbound requests."
https://www.helpnetsecurity.com/2026/06/17/microsoft-antissrf-open-source-library/
https://github.com/microsoft/AntiSSRF
Vulnerabilities
- Oracle’s Second Monthly Security Updates Deliver 245 Patches
"Oracle on Tuesday announced the release of its June 2026 Critical Security Patch Update (CSPU), the second since it began releasing monthly patches. The company still releases its quarterly Critical Patch Updates, but it recently decided to supplement them with monthly patches to address more severe vulnerabilities. The software giant said the latest round of CSPU updates delivers 245 new patches, including for Communications, E-Business Suite, Enterprise Manager, Fusion Middleware, JD Edwards, MySQL, PeopleSoft, Siebel CRM, Supply Chain, Systems, and Virtualization products."
https://www.securityweek.com/oracles-second-monthly-security-updates-deliver-245-patches/ - Microsoft Working On Defender Patch For RoguePlanet Zero-Day
"Microsoft confirmed that it's working on a security patch for a Defender zero-day vulnerability named "RoguePlanet," disclosed one week ago. The security researcher who published a RoguePlanet exploit during the June 2026 Patch Tuesday (known as Nightmare Eclipse) said it affects fully patched Windows 10 and Windows 11 devices and allows attackers to spawn command prompts with SYSTEM privileges via a Microsoft Defender race condition. He shared a proof-of-concept exploit in a self-hosted Git repository, claiming that Microsoft had previously targeted and removed their repos hosting exploits on GitHub and GitLab."
https://www.bleepingcomputer.com/news/microsoft/microsoft-working-on-defender-patch-for-rogueplanet-zero-day/
https://thehackernews.com/2026/06/microsoft-confirms-rogueplanet-defender_02022423645.html
https://www.securityweek.com/microsoft-working-on-patch-for-rogueplanet-zero-day/
https://www.helpnetsecurity.com/2026/06/17/rogueplanet-zero-day-cve-2026-50656/
Malware
- FortiBleed: 75,000 Fortinet Firewalls Compromised: Global Enterprises Exposed – Claim Your Ethical Disclosure
"Fortinet firewalls and VPN gateways serve as the primary defensive perimeter for countless organizations worldwide. However, a massive new cyber espionage campaign has silently compromised these highly trusted devices on an unprecedented global scale. Originally discovered by security researcher Volodymyr “Bob” Diachenko, with further analysis from Hudson Rock and cybersecurity expert Kevin Beaumont, this dataset exposes a massive, automated operation. Threat actors successfully targeted 73,932 unique firewall URLs across 194 countries, resulting in 21,632 unique affected domains. Astonishingly, as Beaumont highlighted, this represents roughly 50% of all Fortinet firewall devices currently facing the internet."
https://www.infostealers.com/article/fortibleed-75000-fortinet-firewalls-compromised-global-enterprises-exposed-claim-your-ethical-disclosure/
https://www.bleepingcomputer.com/news/security/fortibleed-leak-exposes-fortinet-vpn-credentials-for-73-000-devices/
https://www.darkreading.com/cyberattacks-data-breaches/sweeping-credential-harvesting-heist-compromises-30k-fortinet-devices
https://cyberscoop.com/fortinet-fortisandbox-vulnerabilities-exploits/
https://hackread.com/fortibleed-attack-fortinet-firewalls-credentials/
https://www.theregister.com/cyber-crime/2026/06/17/massive-password-stealing-attack-hits-75k-fortinet-firewalls/5257877 - What Is The True Nature Of The Shortcut File I Thought Was a Privacy Consent Form?
"Evidence has recently emerged that Malicious Files posing as “Consent Forms for the Collection and Use of Personal Information” have been circulating. Threat actors use file names that are easily mistaken for work documents to trick users into running them. These files are not actual documents but shortcut files; when executed, they collect PC information through hidden commands and may lead to further malicious behavior."
https://asec.ahnlab.com/en/94164/ - It Looks Like a Normal Resume, But The Infection Begins The Moment It Is Opened.
"Malicious shortcut files disguised as resume files have recently been circulating, requiring corporate users to exercise caution. Threat actors name the files to resemble resume documents containing company names and job titles, and when executed, they display a legitimate decoy file alongside the malicious file to lower the user’s suspicion. The file then downloads additional malicious files and attempts to execute backdoor malware, establishing persistence through methods such as registering with the Task Scheduler, adding items to the Startup folder, and DLL side-loading."
https://asec.ahnlab.com/en/94165/ - 144 Mastra Npm Packages Compromised Via Hijacked Contributor Account
"As many as 144 npm packages associated with the Mastra namespace ("@mastra/*"), a popular open-source JavaScript and TypeScript framework for building artificial intelligence (AI) applications, have been compromised as part of a software supply chain attack codenamed easy-day-js, per findings from Endor Labs, JFrog, SafeDep, Socket, and StepSecurity. "A single npm account (ehindero) mass-published more than 140 malicious packages across the Mastra scope within a short window on 2026-06-17," Socket said."
https://thehackernews.com/2026/06/144-mastra-npm-packages-compromised-via.html
https://socket.dev/blog/mastra-npm-packages-compromised
https://www.bankinfosecurity.com/mastra-ai-framework-poisoned-in-npm-supply-chain-attack-a-32003 - From Stars To Upvotes: The Fake Reputation Economy Behind a Crypto Clipboard Hijackers
"Most malware campaigns try to hide. This one does the opposite, it works hard to look loved. Check Point Research analyzed a cryptocurrency clipboard hijacker (a “clipper”) hidden inside a collection of “tools” that promise users an unfair edge: Solana and Pump.fun sniper bots, an “Aviator Predictor,” and various crash-game predictors. The targets are crypto holders and online gamblers already hunting for shortcuts and quick, automated profits."
https://blog.checkpoint.com/research/from-stars-to-upvotes-the-fake-reputation-economy-behind-a-crypto-clipboard-hijackers/
https://research.checkpoint.com/2026/from-stars-to-upvotes-fake-reputation-fueling-a-crypto-clipboard-hijacker/
https://thehackernews.com/2026/06/crypto-clipper-campaign-abuses-fake.html - Elon Musk, The IRS, And Your Bank Account: Anatomy Of a Multi-Stage Financial Scam
"Recently, the Cofense Intelligence team reported on an Internal Revenue Service (IRS)-spoofing email that claims to offer a $5,000 tax refund through an Elon Musk cryptocurrency initiative. This email instead redirects to a credential phishing page and a fake cryptocurrency market that is used to steal personally identifiable information (PII) and Bitcoin. This campaign is notable for its extensive amount of stolen PII, which would allow threat actors to easily steal identities and pivot to social engineering attacks on a victim’s financial, government, or online service accounts. This report is a follow-up from a prior report, From Tax Refund to Total Compromise: IRS-Themed Phishing Email Drives Full-Stack Financial Fraud, that covered this campaign at a high level. This report will focus more heavily on details regarding the full extent of the cryptocurrency scam website and how the threat actors are able to use stolen PII from this campaign to pivot towards other tactics."
https://cofense.com/blog/elon-musk,-the-irs,-and-your-bank-account-anatomy-of-a-multi-stage-financial-scam - From Emerging Threat To Top-Tier Ransomware-As-a-Service: The Evolution Of INC Ransomware
"INC has evolved from an emerging ransomware-as-a-service (RaaS) operation into one of the most active ransomware groups in 2026, claiming more than 800 victims since 2023. The disruption of LockBit and the shutdown of BlackCat created opportunities for INC to expand as affiliates migrated to alternative ransomware operations. Both the Windows and Linux/ESXi encryptors have been rewritten in Rust, enabling cross-platform development and increasing analysis complexity."
https://www.acronis.com/en/tru/posts/from-emerging-threat-to-top-tier-ransomware-as-a-service-the-evolution-of-inc-ransomware/
https://www.darkreading.com/cyberattacks-data-breaches/inc-ransomware-thrives-by-mastering-the-basics - GitBait: Phishing The Mexican Financial Sector
"A modular phishing infrastructure targeting multiple Mexican banks has been uncovered, abusing GitHub-hosted Pages, employing obfuscated scripts, and featuring a centralized credential exfiltration via SheetBest API, indicating a scalable and persistent multi-brand phishing operation."
https://www.group-ib.com/blog/gitbait-phishing-mexico-banking-finance/
https://www.infosecurity-magazine.com/news/gitbait-github-pages-sheetbest/ - Roblox Developers Are Losing Entire Games To Malware Attacks
"Account theft usually ends with someone losing a password. This one ends with hackers walking off with the entire game. Developers behind some of Roblox’s millions of games told 404 Media that attackers persuaded them to run a single file. Then they watched their group, their game, and their Robux (in-platform currency) balance vanish into someone else’s account within hours. In several cases, Roblox support didn’t help them get the games back until a reporter called the company for comment."
https://www.malwarebytes.com/blog/scams/2026/06/roblox-developers-are-losing-entire-games-to-malware-attacks - ClickFix Campaign Generated Via AI Delivers SmartRAT
"In March 2026, Zscaler ThreatLabz observed multiple instances of typosquatting domains hosting malicious content generated with AI-powered website creation tools. Threat actors are leveraging website builders to create convincing lures quickly and at scale, with capabilities ranging from basic credential theft to a ClickFix campaign that delivers remote access trojans (RATs)."
https://www.zscaler.com/blogs/security-research/clickfix-campaign-generated-ai-delivers-smartrat - Cato CTRL
Threat Research: Operation Poisson – Analyzing a Cybercriminal’s Entire Operation
"Cato CTRL recently analyzed an operator’s command-and-control (C2) server’s entire 33 days operation, including the steps he took to preserve access after the takedown. 339 commands. Four French victims. Between March 30 and May 1, 2026, Cato CTRL studied every command issued by a French-speaking threat actor (“Poisson”) against one French automotive small business and four French individuals. With that insight, we can say with certainty, not as a prediction, that techniques like VPN-mesh-based-persistence are already in active use right now, and that taking down a C2 server is no longer sufficient for remediation."
https://www.catonetworks.com/blog/cato-ctrl-operation-poisson-analyzing-a-cybercriminals-entire-operation/
https://thehackernews.com/2026/06/junior-hacker-used-tailscale-and.html - Inside a WooCommerce Payment Skimmer: How Carders Moved From Phishing Pages To Checkout Backdoors
"For years, the entry point for stolen card data was the fake page: bogus loan portals, reward-claim sites, parcel-redelivery lures, and lookalike bank logins that tricked victims into typing their card details into an attacker-controlled form. CloudSEK's HUMINT engagements with operators active on carding marketplaces (Savastan0, Cvvhub, Jerrys, Zillion, Proton, VClub, Pepe, CVV-focused shops, and several invite-only forums) indicate a clear shift in tradecraft. The more technical actors have largely abandoned standalone phishing for direct compromise of legitimate e-commerce sites gaining web-shell access, planting a backdoor in or around the payment flow, and silently harvesting card data from real customers during genuine purchases."
https://www.cloudsek.com/blog/woocommerce-payment-skimmer-card-data-theft-checkout-backdoor - GoFlateLoader: A Widespread Golang Loader Delivering Multiple Infostealers
"Not every threat that matters is technically sophisticated, and that is also the case with GoFlateLoader, which is a rather simple loader written in Go, whose sole purpose is to decode and execute the payload in memory. What stands out the most is not what the loader does but rather what it does not do – it comes without anti-debugging, anti-VM, or sandbox-evasion checks, and also lacks API hashing or CFG obfuscation, the kind of tricks that loaders almost always come with. Instead, GoFlateLoader relies on one of the simplest yet still effective tricks to stay under the radar – it appends a massive PE overlay at the end of the file, deliberately inflating the binary's size (hence the name GoFlateLoader)."
https://www.gendigital.com/blog/insights/research/goflateloader-delivers-multiple-infostealers
Breaches/Hacks/Leaks
- Kodak Confirms Data Breach Claimed By ShinyHunters Extortion Gang
"Kodak has confirmed that it's working with external cybersecurity experts to investigate a security breach after hackers gained access to some of the company's data. Founded in 1880 as the Eastman Kodak Company and headquartered in Rochester, New York, Kodak has 79,000 worldwide patents and provides commercial print, advanced materials, and chemical products. A company spokesperson told BleepingComputer that attackers only accessed a "limited amount" of data in the incident, but didn't reply to a subsequent email asking if they breached Kodak's internal network."
https://www.bleepingcomputer.com/news/security/kodak-confirms-data-breach-claimed-by-shinyhunters-extortion-gang/
General News
- SpyCloud Report Finds Phishing Attacks Surge As Employee Data Is Exposed At 86% Of Fortune 100 Companies
"SpyCloud, the leader in identity threat protection, today released its 2026 Phishing Pulse Report, revealing that phishing attacks continue to increase in both volume and sophistication for enterprise organizations as artificial intelligence and phishing-as-a-service (PhaaS) platforms enable threat actors to launch highly effective campaigns at scale. Based on a survey of security professionals at organizations with more than 1,000 employees, SpyCloud found that 78% of organizations experienced an increase in phishing volume over the past 12 months, while 84% say AI-generated phishing attacks are becoming more prevalent or harder to defend against."
https://hackread.com/spycloud-report-finds-phishing-attacks-surge-as-employee-data-is-exposed-at-86-of-fortune-100-companies/
https://spycloud.com/resource/report/phishing-pulse-report-2026/ - Low-Skilled Attacker Used Claude, Codex To Breach 14 Companies
"Researchers have long warned that AI agents could lower the skill floor for offensive cyber operations, and a recent report by OALABS (Open Analysis) researchers bears that out. After recovering and analyzing over 1,000 agent sessions from a compromised server on which an attacker deployed Anthropic’s Claude Code and OpenAI’s Codex agents, the researchers discovered how easily the attacker was able to bypass most of the agents’ guardrails, and how little he actually needed to know and do himself."
https://www.helpnetsecurity.com/2026/06/17/ai-agents-offensive-cyber-operations-claude-codex/ - The SOC’s Visibility Gap Comes Down To Staffing
"AI has settled into security operations centers faster than any earlier wave of technology. Around four in five practitioners report reaching for AI or machine learning tools in their daily work. The catch shows up one layer down. Roughly a third of those same teams have built these tools into a defined workflow with structure, governance, and consistent validation. The rest pick up AI on their own, case by case, with no shared playbook for how it gets used or checked."
https://www.helpnetsecurity.com/2026/06/17/sans-ai-in-the-soc/
https://www.infosecurity-magazine.com/news/staffing-top-soc-challenge-ai/ - The Checklist Problem Behind Critical Infrastructure Cyber Safety
"An asset owner can meet major federal cyber compliance standards and still run equipment that lacks the engineering to withstand an attack or a failure. New research from George Mason University examines how United States cyber policy defines reasonable care for systems that control physical processes, and it finds that compliance has become a stand-in for safety."
https://www.helpnetsecurity.com/2026/06/17/usa-critical-infrastructure-cyber-safety/ - Sensitive Enterprise Data Uploads To AI Models Double In a Year
"The amount of sensitive enterprise data which employees uploaded to AI and machine learning applications has almost doubled in the last year, putting organizations at increased risk of data breaches and cyber espionage, a new report has warned. Published on June 17, the Zscaler 2026 AI Threat Report said that there has been a 93% year-over-year increase in employees transferring enterprise data to AI tools."
https://www.infosecurity-magazine.com/news/sensitive-ai-data-upload-doubles/ - AI Threats And Alert Fatigue Challenge Cybersecurity Teams
"A study conducted during Infosecurity Europe 2026 has found that AI-powered attacks at scale are the biggest security concern facing many cybersecurity professionals. The survey of 168 cybersecurity leaders across various sectors conducted by Filigran during the three-day event found 41% cited AI-powered attacks as a top challenge, double that of those who cited supply chain risk (21%) or unknown threats (21%)."
https://www.infosecurity-magazine.com/news/ai-threats-alert-fatigue-challenge/ - Cybercriminals Are Targeting EdTech: Data Breaches And Ransomware Attacks On The Rise
"The education technology (EdTech) sector has become a prime target for cybercriminals as attacks against educational institutions and related platforms continue to escalate. With sensitive data, including student records, employee information, and payment data, stored on EdTech systems, the sector has become an appealing target for cybercriminals seeking financial gain, data exploitation, and reputational damage. Recent high-profile incidents, including attacks by groups such as ShinyHunters and FulcrumSec, highlight the vulnerability of educational organizations and the increasing sophistication of cyber extortion tactics."
https://www.resecurity.com/blog/article/cybercriminals-are-targeting-edtech-data-breaches-and-ransomware-attacks-on-the-rise
https://securityaffairs.com/193777/data-breach/edtech-faces-a-cybersecurity-crisis-data-breaches-surge.html - What The ThreatLabz 2026 Phishing And Initial Access Report Means For The Public Sector
"It only takes one click. One convincing credential page, one well-timed lure impersonating a trusted agency workflow, and an attacker gains the initial access needed to move from inbox to identity to impact. That reality sits at the center of the ThreatLabz 2026 Phishing and Initial Access Report. While overall phishing volume in the Zscaler cloud fell 20% year over year, the campaigns that remain are more targeted, more AI-powered, and harder to distinguish from legitimate activity. ThreatLabz identified 413,524 AI-generated site instances across the analysis period, flagging 9% as malicious. These were produced by platforms like Manus AI, BlackBox AI, and Anything AI that allow attackers to spin up high-fidelity phishing infrastructure in minutes rather than days."
https://www.zscaler.com/blogs/security-research/what-threatlabz-2026-phishing-and-initial-access-report-means-public-sector - The Top 10 Attack Surface Exposures In 2026
"Breaches don't always start with a zero-day. An exposed admin panel can get brute-forced, or credentials reused from a previous attack. But when a vulnerability does drop — like MongoBleed earlier this year, which let attackers pull credentials and session tokens from server memory without authentication — anything internet-facing is immediately at risk. With time-to-exploit now down to a single day, the question isn't just how fast you can patch. It's why the service was exposed in the first place."
https://thehackernews.com/2026/06/the-top-10-attack-surface-exposures-in.html - Hostile States Behind Three-Quarters Of Attacks On Britain's Critical Infrastructure, Cyber Chief Warns
"Britain is already fighting the opening exchanges of future conflicts in cyberspace, the country’s cyber chief warned Wednesday, as he disclosed that hostile states are responsible for three-quarters of the attacks striking the country's critical national infrastructure. Richard Horne, chief executive of the National Cyber Security Centre (NCSC), said his teams had handled more than 200 incidents affecting critical infrastructure and its supporting ecosystem in the year to May, of which about 75% were believed to be the work of state actors."
https://therecord.media/britain-nation-state-cyberattacks-richard-horne-rusi
อ้างอิง
Electronic Transactions Development Agency (ETDA)
- Rockwell Automation Patches Vulnerabilities In ICS Controllers And Software
-
Cyber Threat Intelligence 17 June 2026โพสต์ใน Cyber Security News
Industrial Sector
- Rockwell Automation FLEX I/O EtherNet/IP Adapters
"Successful exploitation of these vulnerabilities could allow an attacker to gain unauthorized access, account takeover, and cause loss of availability."
https://www.cisa.gov/news-events/ics-advisories/icsa-26-167-05 - Rockwell Automation FactoryTalk Analytics PavilionX
"Successful exploitation of this vulnerability could result in an attacker executing privileged operations."
https://www.cisa.gov/news-events/ics-advisories/icsa-26-167-01 - Rockwell Automation RSLinx
"Successful exploitation of this vulnerability can lead to a denial of service, where the application will become unresponsive and will not recover on its own."
https://www.cisa.gov/news-events/ics-advisories/icsa-26-167-02 - Rockwell Automation Logix 5370 & 5570 Controllers Vulnerable To Denial Of Service Via CIP
"Successful exploitation of this vulnerability could cause a denial-of-service condition that may result in a major nonrecoverable fault (MNRF)."
https://www.cisa.gov/news-events/ics-advisories/icsa-26-167-03 - Rockwell Automation CompactLogix
"Successful exploitation of these vulnerabilities could allow an attacker to cause a denial-of-service condition."
https://www.cisa.gov/news-events/ics-advisories/icsa-26-167-04 - Implementing Zero Trust In Operational Technology: A Practical Case Study
"While zero trust guidance for enterprise information technology (EIT) systems is well established, its direct application to operational technology (OT) environments is problematic due to fundamental differences in system architecture and operational priorities. Zero trust frameworks tailored to the unique requirements of OT systems are just beginning to emerge. The Software Engineering Institute (SEI) is pioneering research into the application of zero trust principles within weapon system environments with embedded OT. In this blog post, we explore a specific case study and examine how findings from our research on weapon systems driven by embedded OT translate to the broader OT landscape."
https://www.sei.cmu.edu/blog/implementing-zero-trust-in-operational-technology-a-practical-case-study/
Vulnerabilities
- Critical Fortinet FortiSandbox Flaws Now Exploited In Attacks
"Attackers are now exploiting several critical vulnerabilities in Fortinet's FortiSandbox cyber threat detection platform, according to threat intelligence company Defused. Fortinet released security updates for these three critical-severity security flaws (tracked as CVE-2026-39813, CVE-2026-39808, and CVE-2026-25089) on April 14. These flaws allow unauthenticated threat actors to escalate privileges and execute unauthorized code remotely through low-complexity command injection attacks that require no user interaction. To resolve these issues and block incoming attacks, admins must upgrade affected deployments to the latest released versions."
https://www.bleepingcomputer.com/news/security/critical-fortinet-fortisandbox-flaws-now-exploited-in-attacks/
https://thehackernews.com/2026/06/attackers-exploit-three-fortinet.html
https://securityaffairs.com/193709/ai/fortinet-warned-as-three-critical-fortisandbox-bugs-come-under-attack.html
https://www.theregister.com/security/2026/06/16/three-critical-fortinet-sandbox-bugs-splattered-by-unknown-attackers/5256461
https://www.helpnetsecurity.com/2026/06/16/fortisandbox-vulnerabilities-cve-2026-39813-cve-2026-39808-cve-2026-25089/ - CISA Adds One Known Exploited Vulnerability To Catalog
"CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
CVE-2026-48907 Widget Factory Joomla Content Editor Improper Access Control Vulnerability"
https://www.cisa.gov/news-events/alerts/2026/06/16/cisa-adds-one-known-exploited-vulnerability-catalog - Emerging Threat: (CVE-2026-49975) Apache HTTP Server Denial Of Service Via HTTP/2 Memory Exhaustion
"CVE-2026-49975 is a memory exhaustion vulnerability in the mod_http2 module of Apache HTTP Server that allows a remote attacker to cause a denial of service through maliciously crafted HTTP/2 requests. It is classified as CWE-789, Memory Allocation with Excessive Size Value, and was publicly disclosed as part of an attack technique nicknamed the “HTTP/2 Bomb.” The vulnerability carries a CVSS v3.1 base score of 7.5 (High). The Apache Software Foundation rated the issue Moderate in its own advisory, while the National Vulnerability Database scores it High. The scoring vector reflects an availability-only impact: no loss of confidentiality or integrity, but full loss of service."
https://www.cycognito.com/blog/emerging-threat-cve-2026-49975-apache-http-server-denial-of-service-via-http-2-memory-exhaustion/
https://www.darkreading.com/vulnerabilities-threats/http-2-bomb-attacks-telcos-healthcare
Malware
- Multiple JetBrains IDE Plugins Caught Stealing AI Keys
"We detected a coordinated malware campaign on the JetBrains Marketplace. At least 15 IDE plugins, published under seven vendor accounts, share the same hidden behavior. Each one exfiltrates the AI provider API key that you stored into its settings, and together they have been installed close to 70,000 times. Every plugin poses as an AI coding assistant built on DeepSeek and other large language models, offering chat, commit messages, code review, bug finding, and unit tests. They function exactly as advertised. However, the AI provider API key you enter gets exfiltrated to a server controlled by the attacker."
https://www.aikido.dev/blog/multiple-jetbrains-ide-plugins-caught-stealing-ai-keys
https://www.bleepingcomputer.com/news/security/malicious-jetbrains-marketplace-plugins-steal-ai-api-keys-from-developers/ - Rokarolla : Android Banker With Complete Device Takeover Capabilities
"The zLabs research team has discovered Rokarolla, a newly identified Android banking trojan named after its Command and Control (C2) infrastructure. Primarily distributed through malicious websites such as hxxps[://]infocontablidades[.]it[.]com/, where it masquerades as popular applications like TikTok or Google Chrome, this highly invasive malware is specifically designed to target and compromise 217 distinct cryptocurrency and banking applications."
https://zimperium.com/blog/rokarolla-android-banker-with-complete-device-takeover-capabilities
https://github.com/Zimperium/IOC/blob/master/2026-06-Rokarolla/commands.md
https://www.bleepingcomputer.com/news/security/new-rokarolla-android-malware-targets-217-banking-crypto-apps/
https://thehackernews.com/2026/06/new-rokarolla-android-malware-steals.html
https://www.darkreading.com/endpoint-security/rokarolla-android-trojan
https://www.bankinfosecurity.com/rokarolla-android-banking-trojan-enables-device-takeover-a-31996
https://www.infosecurity-magazine.com/news/rokarolla-android-banking-trojan/
https://hackread.com/rokarolla-android-trojan-crypto-and-banking-apps/ - Dozens Of Malicious Wallpapers Found On Steam Workshop: Gamers’ Accounts At Risk
"Since late 2025, malware has been spreading rapidly through the Steam Workshop, the gaming platform’s built-in service for players to create and share custom content. The attackers are primarily targeting gamers in China and Russia, aiming to hijack their accounts. To pull this off, they are exploiting Wallpaper Engine – a popular live wallpaper app available on Steam – specifically leveraging its Workshop sharing feature. The malware is hidden inside the wallpaper packages users share with one another. Running one of these compromised wallpapers can lead to a stolen Steam account or leave the victim’s system infected with backdoors or crypto miners."
https://securelist.com/dozens-of-malicious-wallpapers-found-on-steam-workshop/120186/
https://www.bleepingcomputer.com/news/security/steam-workshop-abused-to-spread-malware-via-wallpaper-engine-app/ - GhostTree Attack Abused Recursive Windows Junctions To Hide Malware
"Most security teams think of NTFS junctions and symbolic links as niche file system features. They let one directory point to another, like a shortcut that the OS treats as real. They exist for backward compatibility, storage management, things that rarely come up in a SOC. But they have a property that makes them interesting from an offensive perspective: any user can create them. No admin privileges are required, and no special permissions beyond write access to the target folder. We discovered that by pointing a junction back at its own parent directory, an attacker can create recursive loops that generate effectively infinite file paths. Tools that try to scan the directory recursively, including EDR products, could follow the loop and never finish."
https://www.bleepingcomputer.com/news/security/ghosttree-attack-abused-recursive-windows-junctions-to-hide-malware/ - Hidden In Teams: DragonForce Attackers Weaponize Microsoft Teams Relays To Stay Hidden
"Attackers deploying the DragonForce ransomware against a major U.S. services firm hid their command and-control traffic (C&C) inside Microsoft Teams’ own relay infrastructure, using a custom Go-based backdoor that Symantec is tracking as Backdoor.Turn. To network defenders, the only traffic they could see was outbound connections to legitimate Microsoft Teams servers. The attackers were on the victim network for between one and two months. Backdoor.Turn obtains an anonymous Teams visitor token from Microsoft’s Skype-backed identity services, uses a legitimate Microsoft TURN relay to set up the connection, and then runs a QUIC session to the attacker’s real command-and-control (C2) server. To our knowledge this is the first time TURN relay infrastructure has been abused this way in the wild. It is relatively unusual to see ransomware attackers using their own custom tools, and it is particularly unusual to see them using a custom tool as sophisticated as Backdoor.Turn."
https://www.security.com/threat-intelligence/dragonforce-msteams-backdoor
https://www.bleepingcomputer.com/news/security/ransomware-gang-abuses-microsoft-teams-relays-to-hide-malicious-traffic/
https://www.infosecurity-magazine.com/news/dragonforce-ransomware-hidden/
https://www.theregister.com/cyber-crime/2026/06/16/crooks-found-a-new-way-to-collaborate-using-teams-by-hiding-command-and-control-traffic/5256296
https://www.helpnetsecurity.com/2026/06/16/dragonforce-microsoft-teams-malware-backdoor-turn/ - FishMonger’s Arsenal Upgraded: SprySOCKS For Windows
"ESET researchers have discovered two as-yet undocumented Windows variants of SprySOCKS, a previously Linux-only backdoor reportedly used by FishMonger, the group believed to be operated by a Chinese contractor named I‑SOON. While we initially discovered the malware samples on VirusTotal, ESET telemetry shows real activity between 2023 and 2024, with several victims in Honduras, Taiwan, Thailand, and Pakistan, targeting mostly government organizations."
https://www.welivesecurity.com/en/eset-research/fishmongers-arsenal-upgraded-sprysocks-windows/
https://www.bleepingcomputer.com/news/security/windows-version-of-sprysocks-linux-malware-used-to-attack-govt-orgs/
https://www.darkreading.com/threat-intelligence/sprysocks-windows-variant-kernel-drivers
https://thehackernews.com/2026/06/china-linked-sprysocks-backdoor-expands.html
https://www.infosecurity-magazine.com/news/sprysocks-backdoor-windows/ - Phishing Campaign Targets Banks With Fileless Phantom Stealer Malware
"Fortra Intelligence and Research Experts (FIRE) have identified an active phishing campaign targeting high-capital organizations, particularly those operating within the banking sector. The campaign uses evasive techniques to distribute Phantom Stealer, a commercially available Malware-as-a-Service (MaaS) infostealer used to steal credentials, financial data, and sensitive information. The tool is sold under a subscription model by a threat actor operating under the alias Oldphantomoftheopera, affiliated with the Phantom Softwares group. The attack begins with phishing emails containing malicious attachments disguised as business documents. Once executed, the malware runs entirely in memory, helping it evade traditional defenses."
https://www.fortra.com/blog/phishing-campaign-targets-banks-fileless-phantom-stealer-malware
https://www.darkreading.com/cyberattacks-data-breaches/fileless-phantom-stealer-targets-browser-credentials
Lorem Ipsum Revisited
"BlueVoyant Security Operations Center (SOC) and Threat Fusion Cell (TFC) researchers have been tracking an active * ClickFix campaign that manipulates users into believing their web browser requires a security update. If the user complies, the ClickFix lure initiates a multi-stage infection chain that ultimately deploys the Lorem Ipsum Loader, a malware family BlueVoyant first documented in May 2026. The current campaign represents a notable evolution from the previous Lorem Ipsum operation, which distributed trojanized Microsoft Teams installers through SEO-poisoned and malvertised fake download portals. The pivot to ClickFix lures hosted on compromised WordPress (WP) sites significantly broadens the potential victim pool and demonstrates the operators' willingness to rapidly adapt their initial access techniques."
https://www.bluevoyant.com/blog/orem-ipsum-clickfix-rapid-brigantine
https://www.darkreading.com/cyberattacks-data-breaches/lorem-ipsum-malware-clickfix-delivery
https://thehackernews.com/2026/06/clickfix-campaigns-expand-malware.html - Inside Amos Stealer: How This Threat Targets MacOS Credentials And Keychains
"Amos Stealer remains a prominent and highly active malware family specifically engineered to target macOS users and extract sensitive information from compromised systems. Typically distributed via deceptive software downloads, malicious websites, or sophisticated social engineering lures, this info-stealer is designed to harvest user credentials, browser data, cryptocurrency wallet configurations, and other proprietary files. The sustained activity of Amos Stealer underscores a broader cyber threat trend: threat actors are increasingly shifting their focus toward macOS environments to execute financially motivated campaigns."
https://www.cyberproof.com/blog/inside-amos-stealer-how-this-threat-targets-macos-credentials-and-keychains/
https://hackread.com/amos-stealer-macos-keychain-files-browser-passwords/ - Pickle In The Middle – Hijacking Vertex AI Model Uploads For Cross-Tenant RCE
"We discovered a vulnerability in the Google Cloud Vertex AI software development kit (SDK) for Python, and responsibly disclosed it to Google. Before Google’s fix, the vulnerability would have allowed an attacker operating entirely from their own Google Cloud project to hijack a victim's model upload and poison it. By exploiting this flaw in vulnerable versions of the SDK, an attacker can achieve remote code execution (RCE) within a target’s Vertex AI serving infrastructure, with zero initial access to the victim's project. The root enabler of this attack is a predictable default bucket name, combined with a missing ownership check in the SDK's staging logic. When a Vertex AI user uploads a model without specifying a custom staging bucket, the SDK constructs a bucket name using a deterministic pattern based on the project ID and region."
https://unit42.paloaltonetworks.com/hijacking-vertex-ai-model/
https://thehackernews.com/2026/06/google-vertex-ai-sdk-flaw-let-attackers.html - Analysis Of APT37 NarwhalRAT Leveraging MS-Themed Phishing And Dead-Drop C2
"Genians Security Center recently confirmed the continued distribution of compiled Python-based malware. This threat shows strong similarities to the attack scenario and TTPs identified in the report "Python Backdoor Threat Analysis Following an AI Deepfake Impersonation Campaign", published on May 11, 2026. This attack was carried out through a spear phishing email titled "[Urgent] Security Check Notice Regarding Repeated One-Time Password (OTP) Generation". The sender was displayed as "Microsoft Account Team", making the email appear as though it had been sent by an official account security team. However, the actual sender domain was confirmed to be unrelated to Microsoft’s official domains."
https://www.genians.co.kr/en/blog/threat_intelligence/narwhalrat
https://thehackernews.com/2026/06/fake-microsoft-alerts-used-to-deploy.html - EvilTokens: A Phishing Attack That Doesn’t Steal Your Password
"Much has been written about how the days of phishing emails laden with broken grammar and crude design are numbered, largely thanks to AI. Meanwhile, EvilTokens offers a somewhat different example of how far the phishing craft has moved. EvilTokens is a phishing-as-a-service (PhaaS) kit built to compromise Microsoft 365 accounts by abusing the OAuth 2.0 device authorization grant flow. As attacks that use the kit rely on device code phishing, they sidestep the need for convincing replicas of genuine login pages where the victims would hand over their passwords. Instead, attackers get the victim to complete a legitimate authentication process – including two-factor authentication (2FA) – on a real Microsoft login page."
https://www.welivesecurity.com/en/cybercrime/eviltokens-phishing-doesnt-steal-password/
Breaches/Hacks/Leaks
- iRhythm Discloses Data Breach, Says Hackers Stole Patient Info
"Digital healthcare company iRhythm Holdings has disclosed a data breach after hackers stole patients' personal and health information stored on third-party-hosted business applications. The company says its cardiac monitoring service has been used to analyze more than 2 billion hours of curated heartbeat data from over 12 million patients. In a filing with the U.S. Securities and Exchange Commission (SEC) on Monday, iRhythm said it discovered the incident one day earlier, prompting it to launch an investigation with external cybersecurity experts and activate its cybersecurity response plan to contain the breach."
https://www.bleepingcomputer.com/news/security/irhythm-discloses-data-breach-says-hackers-stole-patient-info/
https://www.malwarebytes.com/blog/news/2026/06/cardiac-patients-medical-data-stolen-and-held-to-ransom
https://securityaffairs.com/193721/data-breach/irhythm-hit-by-cyberattack-patient-data-stolen-and-ransom-demanded.html
https://www.securityweek.com/irhythm-confirms-data-stolen-in-hack/
https://www.theregister.com/cyber-crime/2026/06/16/cardiac-monitor-makers-security-skips-a-beat-as-data-thieves-go-for-the-jugular/5256038 - Scoop: FulcrumSec Leaks Novo Nordisk Data After $25M Demand Goes Unpaid (2)
"Danish pharma giant Novo Nordisk disclosed a cybersecurity incident last week, and although the firm’s name may not be familiar to everyone, they are a major producer of insulin and semaglutide. Semaglutide is marketed as Wegovy for weight loss and Ozempic for Type 2 diabetes. In its June 11 update, the firm stated that the incident affected a limited amount of information related to patients participating in some of its clinical trials. As they described it, the information was pseudoanonymized, i.e., the information was not directly linked to any patients by name or other direct identifiers:"
https://databreaches.net/2026/06/15/scoop-fulcrumsec-leaks-novo-nordisk-data-after-25m-demand-goes-unpaid/
https://www.securityweek.com/cybercrime-group-claims-novo-nordisk-hack/
General News
- May 2026 Threat Trend Report On APT Group
"The May 2026 APT Trends report identified supply chain attacks, developer environment attacks, automated Initial Breach, and exploitation of runtime environments as key developments. Lazarus, Famous Chollima, Gamaredon, MuddyWater, and Nimbus Manticore are of particular concern."
https://asec.ahnlab.com/en/94145/ - FTC Data Show People Reported Losing $3.5 Billion To Imposter Scams In 2025
"New data from the Federal Trade Commission reveal that people reported losing a staggering $3.5 billion to imposter scams in 2025, with reported losses increasing nearly three times since 2020. FTC data also show that people reported imposter scams more than any other fraud category in 2025—nearly one in three fraud reports were about imposter scams. These scams lured consumers through text, phone, email, social media, search engine results and other means. Some of the costliest impersonation scams start with a fake security alert, often from a bank. People are convinced to move money to “protect” it, with their losses often limited only by their available funds."
https://www.ftc.gov/news-events/news/press-releases/2026/06/ftc-data-show-people-reported-losing-3-point-5-billion-imposter-scams-2025
https://www.bleepingcomputer.com/news/security/ftc-warns-of-record-35-billion-losses-to-imposter-scams-in-2025/ - Phishing No Longer Looks Wrong: What Security Leaders Should Do Next
"Traditional defenses were built around prevention. Block malicious email before delivery. Train users to recognize suspicious messages. Investigate what slips through. That model still has value, but it is under pressure from a new class of attacks that are:"
https://cofense.com/blog/phishing-no-longer-looks-wrong-what-security-leaders-should-do-next - Most CISOs Report Pressure To Bury Bad Security News
"CISOs contend with increasingly advanced attacks, evolving compliance and regulation standards, and constant worry about what will happen to the company and themselves if a breach occurs. Stress, blame, and panic have become synonymous with the role. Now comes another burden. According to a recent Checkmarx report, "The Future of Application Security in the Era of AI," 95% of CISOs "feel pressured to suppress or delay compliance-related security findings.""
https://www.darkreading.com/cyber-risk/most-cisos-report-pressure-to-bury-bad-security-news - Reachability Makes AI Threat Modeling Worth The Trust
"In this interview with Help Net Security, Oscar Andersson, CTO at Oplane, explains why most scanning tools fail. They cry wolf, flagging threats that cannot run in real code. The argument centers on reachability. A finding counts only when someone walks the path to impact on a working build. He shows how a chain of small design choices led to account takeover in a popular open-source project, then covers how to test a vendor’s claims, handle attacks aimed at the AI itself, and why reviewing every code change beats one yearly audit."
https://www.helpnetsecurity.com/2026/06/16/oscar-andersson-oplane-ai-threat-modeling/ - EU Cybersecurity Act 2.0: When Good Regulation Goes Bad
"Over recent years we’ve witnessed the EU becoming increasingly serious about cybersecurity. After years of watching high profile breaches, many resulting from supply chain attacks targeting our critical infrastructure, that seriousness is welcome. But good intentions and good policy are not the same thing, and the proposed EU Cybersecurity Act 2.0 is starting to look a lot more like the former than the latter."
https://www.helpnetsecurity.com/2026/06/16/eu-cybersecurity-act-2-0-regulation/ - Over Two-Thirds Of Security Pros Say Cyber Is Getting Harder
"Cybersecurity professionals say their job is harder than ever, with 68% reporting it has become more difficult over the past two years, according to a new report. The study, The Life and Times of Cybersecurity Professionals, Volume VIII, from industry body ISSA and analyst Omdia, surveyed 380 practitioners. It found that over 70% of respondents are facing workplace challenges linked to being locked out of key technology decisions."
https://www.infosecurity-magazine.com/news/security-pros-cyber-cyber-harder/
https://issa.org/life-and-times-of-cybersecurity-professionals-volume-viii/ - Hacker Conversations: Isira Adithya, The Evolution Of An Ethical Hacker
"Like many hackers, Sri Lankan-born Isira Adithya was a child prodigy, building LED bulbs and selling them to his teachers when he was just 11 years old. But he has never used his skills for nefarious purposes. “Hackers,” says Adithya, “are people who refuse to take technology at face value. They probe, test, and dismantle to understand what’s inside and how it behaves. This can be used for security research, building better systems, or, in the wrong hands, for malicious gain.”"
https://www.securityweek.com/hacker-conversations-isira-adithya-the-evolution-of-an-ethical-hacker/ - AI And Cybersecurity – Everything You Wanted To Know, But Were Afraid To Ask
"To better understand the current state of artificial intelligence (AI) in cybersecurity, SecurityWeek spoke with dozens of security practitioners, researchers, vendors, analysts, and AI experts. The result is a comprehensive snapshot of how AI is being used across the security landscape today."
https://www.securityweek.com/ai-and-cybersecurity-everything-you-wanted-to-know-but-were-afraid-to-ask/ - Tech Coalition ‘Athena’ Targets OSS Vulnerabilities Ahead Of Disclosure
"Over two dozen fintech and technology organizations have formed a coalition to secure open source software (OSS) from accelerated, AI-driven exploitation. Named Athena, it has gathered industry leaders such as BNY, Chainguard, Cisco, Cloudflare, Corridor, DepthFirst, Docker, JPMorganChase, Kyndryl, LTM, PwC, and more, under a shared goal: to find vulnerabilities in OSS and to triage, fix, and protect against their exploitation even before patches arrive.
https://www.securityweek.com/tech-coalition-athena-targets-oss-vulnerabilities-ahead-of-disclosure/ - Survey: 94% Of Incidents Involve Anonymized Infrastructure. Teams Are Still Reactive
"Security teams have never had more IP data at their disposal. Every day, analysts ingest enrichment feeds, geolocation data, reputation scores, telemetry, and threat intelligence from a growing ecosystem of vendors and platforms. Yet despite this abundance of information, many organizations continue to face a fundamental challenge: sifting through the noise to understand who is behind an IP and what action should follow."
https://thehackernews.com/2026/06/survey-94-of-incidents-involve.html
อ้างอิง
Electronic Transactions Development Agency (ETDA)
- Rockwell Automation FLEX I/O EtherNet/IP Adapters
-
CISA เผยแพร่คำแนะนำด้านระบบควบคุมอุตสาหกรรม (ICS) จำนวน 7 รายการโพสต์ใน OT Cyber Security News
Cybersecurity and Infrastructure Security Agency (CISA) ได้เผยแพร่คำแนะนำเกี่ยวกับระบบควบคุมอุตสาหกรรม (ICS) จำนวน 5 รายการ เมื่อวันที่ 16 มิถุนายน 2569 เพื่อให้ข้อมูลที่ทันเวลาเกี่ยวกับประเด็นด้านความมั่นคงปลอดภัย ช่องโหว่ และการโจมตีที่เกี่ยวข้องกับระบบ ICS โดยมีรายละเอียดดังนี้
- ICSA-26-167-01 Rockwell Automation FactoryTalk, Analytics, PavilionX
- ICSA-26-167-02 Rockwell Automation RSLinx
- ICSA-26-167-03 Rockwell Automation Logix 5370 & 5570 Controllers Vulnerable To Denial of Service Via CIP
- ICSA-26-167-04 Rockwell Automation CompactLogix
- ICSA-26-167-05 Rockwell Automation FLEX I/O EtherNet/IP Adapters
-
Steam Workshop ถูกใช้แพร่มัลแวร์ผ่าน Wallpaper Engine เสี่ยงยึดบัญชี Steam และฝัง Backdoorโพสต์ใน Cyber Security News
สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand
-
FulcrumSec อ้างขโมยข้อมูล 1.3 TB จาก Novo Nordisk หลังบริษัทพบเหตุเข้าถึงระบบโดยไม่ได้รับอนุญาตโพสต์ใน Cyber Security News
สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand
-
มัลแวร์ Android ตัวใหม่ Rokarolla มุ่งเป้าขโมยข้อมูลแอปพลิเคชันทางการเงินโพสต์ใน Cyber Security News
สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand
-
พบช่องโหว่ Microsoft 365 Copilot เสี่ยงถูกขโมยข้อมูลผ่านการคลิกลิงก์โพสต์ใน Cyber Security News
สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand
