
  • Google releases patch for a Chrome zero-day that is already being exploited; update immediately


    Follow our news on the webboard or on Facebook: NCSA Thailand

    Posted in Cyber Security News
  • Microsoft fixes an actively exploited zero-day in the December 2025 security update


    Posted in Cyber Security News
  • React2Shell vulnerability crisis spreading: already exploited against more than 50 organizations worldwide; patch urgently before it is too late


    Posted in Cyber Security News
  • CISA releases 5 Industrial Control Systems (ICS) advisories

    On 2 December 2025 the Cybersecurity and Infrastructure Security Agency (CISA) released 12 Industrial Control Systems (ICS) advisories, providing timely information about security issues, vulnerabilities, and exploits affecting ICS. The advisories are:

    • ICSA-25-345-01 Johnson Controls iSTAR
    • ICSA-25-345-02 Johnson Controls iSTAR Ultra
    • ICSA-25-345-03 AzeoTech DAQFactory
    • ICSA-25-345-04 Siemens IAM Client
    • ICSA-25-345-05 Siemens Advanced Licensing (SALT) Toolkit
    • ICSA-25-345-06 Siemens SINEMA Remote Connect Server
    • ICSA-25-345-07 Siemens Building X - Security Manager Edge Controller
    • ICSA-25-345-08 Siemens Energy Services
    • ICSA-25-345-09 Siemens Gridscale X Prepay
    • ICSA-25-345-10 OpenPLC_V3
    • ICSMA-25-345-01 Grassroots DICOM (GDCM)
    • ICSMA-25-345-02 Varex Imaging Panoramic Dental Imaging Software

    CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations.

    References
    https://www.cisa.gov/news-events/alerts/2025/12/11/cisa-releases-12-industrial-control-systems-advisories

    Posted in OT Cyber Security News
  • CISA adds one known exploited vulnerability to its catalog

    On 11 December 2025 the Cybersecurity and Infrastructure Security Agency (CISA) added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation:

    • CVE-2025-58360 OSGeo GeoServer Improper Restriction of XML External Entity Reference Vulnerability

    CISA's Binding Operational Directive (BOD) 22-01 established the Known Exploited Vulnerabilities (KEV) Catalog as a living list of CVEs that carry significant risk and are known to be exploited in the wild. Federal Civilian Executive Branch (FCEB) agencies are required to remediate the listed vulnerabilities by the specified due dates to protect their networks against these threats.

    CISA will continue to update the KEV Catalog with newly identified vulnerabilities so that it reflects the risks actually observed now and in the future.

    References
    https://www.cisa.gov/news-events/alerts/2025/12/11/cisa-adds-one-known-exploited-vulnerability-catalog


    Posted in Cyber Security News
  • Cyber Threat Intelligence 12 December 2025

    Financial Sector

    • Fighting Credit Fraud In Uzbekistan: An Uphill Battle Against Social Engineering
      "Imagine you enter a bank with the intention of applying for a loan but your application gets rejected as the bank’s worker tells you that there has already been a loan taken out in your name and your credit limit has been maxed out. You have just found out that you’re a victim of credit fraud. Online lending is rapidly gaining popularity in Uzbekistan, and with it, the number of credit fraud cases is also on the rise. According to data from the Central Bank of Uzbekistan (CBU), there were 463 reported cases of remote online loans issued in someone’s name via apps or a fake identity, resulting in financial losses totaling approximately 15 billion UZS in 2024 alone."
      https://www.group-ib.com/blog/credit-fraud-in-uzbekistan/

    Industrial Sector

    Vulnerabilities

    Malware

    Breaches/Hacks/Leaks

    • Pierce County Library Data Breach Impacts 340,000
      "Pierce County Library System (PCLS) is notifying over 340,000 people that their personal information was compromised in a data breach. Between April 15 and April 21, 2025, threat actors accessed PCLS’s network and stole certain data from its systems, the public library says. “Upon discovering the issue, PCLS immediately commenced an investigation to confirm the nature and scope, and to identify what information could have been affected,” PCLS says in an incident notice on its website."
      https://www.securityweek.com/pierce-county-library-data-breach-impacts-340000/
    • Hackers Reportedly Breach Developer Involved With Russia’s Military Draft Database
      "An anonymous hacker group has reportedly breached the servers of a little-known Russian tech firm alleged to be involved in building the country’s unified military registration database. According to Grigory Sverdlov, head of the Russian anti-war human rights group Idite Lesom (“Get Lost”), the hackers contacted him and handed over a trove of internal Mikord documents, including source code, technical and financial records, and internal correspondence."
      https://therecord.media/hackers-reportedly-breach-developer-involved-in-russian-military-database

    General News

    • LLM Vulnerability Patching Skills Remain Limited
      "Security teams are wondering whether LLMs can help speed up patching. A new study tests that idea and shows where the tools hold up and where they fall short. The researchers tested LLMs from OpenAI, Meta, DeepSeek, and Mistral to see how well they could fix vulnerable Java functions in a single attempt."
      https://www.helpnetsecurity.com/2025/12/11/llms-software-vulnerability-patching-study/
      https://arxiv.org/pdf/2511.23408
    • Teamwork Is Failing In Slow Motion And Security Feels It
      "Security leaders often track threats in code, networks, and policies. But a quieter risk is taking shape in the everyday work of teams. Collaboration is getting harder even as AI use spreads across the enterprise. That tension creates openings for mistakes, shadow tools, and uncontrolled data flows. A recent Forrester study shows how this break in teamwork forms and how leaders can respond before it grows."
      https://www.helpnetsecurity.com/2025/12/11/forrester-teamwork-security-gaps-report/
    • 2025 CWE Top 25 Most Dangerous Software Weaknesses
      "The Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with the Homeland Security Systems Engineering and Development Institute (HSSEDI), operated by the MITRE Corporation, has released the 2025 Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Weaknesses. This annual list identifies the most critical weaknesses adversaries exploit to compromise systems, steal data, or disrupt services."
      https://www.cisa.gov/news-events/alerts/2025/12/11/2025-cwe-top-25-most-dangerous-software-weaknesses
    • Malicious Apprentice | How Two Hackers Went From Cisco Academy To Cisco CVEs
      "First publicly reported in September 2024, Salt Typhoon’s campaign is now known to have penetrated more than 80 telecommunications companies globally. The group’s campaign collected unencrypted calls and texts between US presidential candidates, key staffers, and many China-experts in Washington, DC. However, Salt Typhoon’s collection activity went beyond those intercepts. Systems embedded in telecommunications companies for CALEA, which facilitates lawful intercept of criminals’ communications, were also breached by Salt Typhoon. A recent Joint Cybersecurity Advisory published by the U.S. and more than 30 allies sheds light on how Salt Typhoon came to penetrate global telecommunications infrastructure."
      https://www.sentinelone.com/labs/malicious-apprentice-how-two-hackers-went-from-cisco-academy-to-cisco-cves/
      https://www.theregister.com/2025/12/11/salt_typhoon_cisco_training/

    References
    Electronic Transactions Development Agency (ETDA)

    Posted in Cyber Security News
  • 🚨 Alert: critical vulnerability in Apache Tika, CVE-2025-66516, severity 10. Check and remediate urgently!

    A maximum-severity vulnerability has been found in Apache Tika. It is an XML External Entity (XXE) flaw that lets an attacker compromise a system with a specially crafted PDF file: the file is processed automatically when it is uploaded or fed into a document-processing (ingest) pipeline, which can lead to access to internal data or resources that should be protected.

    ✅ Who may be affected
    • Applications that use Apache Tika directly (e.g., a Java application or microservice that calls Tika to extract and convert text from documents)
    • Apache Tika deployments that accept PDF uploads from external users and then process those files, such as online application systems, document submission systems, and systems that receive file attachments
    • Document search systems that integrate Apache Tika with Solr/Elasticsearch to make file contents searchable
    • Document management or document analytics platforms such as ECM, DMS, e-Discovery, DLP, or data analytics systems that rely on Tika to read and convert file contents
    • Software or platforms that include Apache Tika as an internal component

    🎯 Packages/versions to check immediately
    If any of the following packages and versions are in use, treat the system as immediately at risk.

    1. Apache Tika core
      Package: org.apache.tika:tika-core
      Vulnerable versions: 1.13 – 3.2.1
      Update to: 3.2.2 or later
    2. Apache Tika parsers
      Package: org.apache.tika:tika-parsers
      Vulnerable versions: 1.13 up to (but not including) 2.0.0
      Update to: 2.0.0 or later (and overall, keep tika-core at 3.2.2 or later)
    3. Apache Tika PDF parser module
      Package: org.apache.tika:tika-parser-pdf-module
      Vulnerable versions: 2.0.0 – 3.2.1
      Update to: 3.2.2 or later
      This vulnerability extends the scope of CVE-2025-54988 and confirms that the root problem lies in tika-core. Updating only the PDF parsing component without updating tika-core to 3.2.2 or later leaves the system at risk.
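    As an added example (not code from the NCSA/ThaiCERT post or from the Apache Tika project), the following Python check reads a Maven `dependency:list` or Gradle-style dependency listing and flags the three coordinates above against the version ranges stated in the post, including the caveat that a fixed PDF module does not help while tika-core is still in the affected range. The dependency lines are constructed sample input.

```python
"""Flag Apache Tika artifacts whose versions fall in the ranges the advisory lists
for CVE-2025-66516. Added example; the version ranges are copied from the post and
the dependency lines below are constructed, not taken from a real build."""
import re
from typing import Iterable, List, Optional, Tuple

Version = Tuple[int, ...]
Finding = Tuple[str, str, str]  # (group:artifact, version, verdict)

CORE = "org.apache.tika:tika-core"
PARSERS = "org.apache.tika:tika-parsers"
PDF_MODULE = "org.apache.tika:tika-parser-pdf-module"

# (first affected version, first fixed version) per coordinate, as stated in the post.
AFFECTED_RANGES = {
    CORE: ("1.13", "3.2.2"),
    PARSERS: ("1.13", "2.0.0"),
    PDF_MODULE: ("2.0.0", "3.2.2"),
}

_VERSION_RE = re.compile(r"^\d+(\.\d+)*")


def parse_version(text: str) -> Version:
    """Turn '3.2.1' or '1.28.5-SNAPSHOT' into a tuple of ints padded to at least
    three components, so that 3.2 and 3.2.0 compare equal."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"not a version: {text!r}")
    parts = tuple(int(p) for p in m.group(0).split("."))
    return parts + (0,) * max(0, 3 - len(parts))


def classify(coord: str, version: str) -> Optional[str]:
    """Return 'VULNERABLE', 'fixed' or 'below affected range' for a Tika coordinate
    the post lists, or None for any other artifact."""
    rng = AFFECTED_RANGES.get(coord)
    if rng is None:
        return None
    lo, fixed = (parse_version(x) for x in rng)
    v = parse_version(version)
    if v >= fixed:
        return "fixed"
    if v >= lo:
        return "VULNERABLE"
    return "below affected range"


def is_affected(coord: str, version: str) -> Optional[bool]:
    """True/False for a listed coordinate, None for anything else."""
    verdict = classify(coord, version)
    return None if verdict is None else verdict == "VULNERABLE"


def parse_dependency_line(line: str) -> Optional[Tuple[str, str]]:
    """Extract (group:artifact, version) from a Maven line such as
    '[INFO]    org.apache.tika:tika-core:jar:3.1.0:compile' or a Gradle-style
    'org.apache.tika:tika-core:3.1.0'. Lines without a coordinate yield None."""
    for token in line.split():
        fields = token.split(":")
        if len(fields) < 3:
            continue
        coord = f"{fields[0]}:{fields[1]}"
        for field in fields[2:]:  # skip packaging ('jar') and scope ('compile')
            if _VERSION_RE.match(field):
                return coord, field
    return None


def check_dependencies(lines: Iterable[str]) -> List[Finding]:
    """Return one finding per Tika artifact found in the listing."""
    findings: List[Finding] = []
    for line in lines:
        parsed = parse_dependency_line(line)
        if parsed is None:
            continue
        coord, version = parsed
        verdict = classify(coord, version)
        if verdict is not None:
            findings.append((coord, version, verdict))
    return findings


def core_still_stale(findings: List[Finding]) -> bool:
    """The post's caveat: a fixed tika-parser-pdf-module does not clear the risk
    while tika-core itself is still in the affected range."""
    core_vuln = any(c == CORE and v == "VULNERABLE" for c, _, v in findings)
    pdf_fixed = any(c == PDF_MODULE and v == "fixed" for c, _, v in findings)
    return core_vuln and pdf_fixed


# Constructed sample listing: the PDF module was bumped but tika-core was not.
SAMPLE_DEPENDENCY_LIST = [
    "[INFO] The following files have been resolved:",
    "[INFO]    org.apache.tika:tika-core:jar:3.1.0:compile",
    "[INFO]    org.apache.tika:tika-parser-pdf-module:jar:3.2.2:compile",
    "[INFO]    org.apache.tika:tika-parsers:jar:1.28.5:compile",
    "[INFO]    org.apache.pdfbox:pdfbox:jar:3.0.3:compile",
    "org.apache.tika:tika-core:1.12",  # Gradle-style line, below the affected range
]

if __name__ == "__main__":
    results = check_dependencies(SAMPLE_DEPENDENCY_LIST)
    for coord, version, verdict in results:
        print(f"{verdict:22} {coord}:{version}")
    if core_still_stale(results):
        print("tika-parser-pdf-module is fixed but tika-core is still vulnerable")
```

    Feed the tool the real output of `mvn dependency:list` (or the equivalent Gradle report) and act on every VULNERABLE line, checking tika-core first.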

    ✅ Before updating
    • Back up the data and configuration related to the system before updating (source code, images, config)
    • Test in a staging environment before deploying to production, especially for high-criticality systems
    • Coordinate the development, infrastructure, and security teams before planning downtime or the deployment

    ⚠️ If you cannot update yet
    Where the system has constraints (e.g., legacy systems, or a dependency on a third party that has not yet released a patch), apply the following temporary risk reductions:

    1. Reduce the risk from PDF files
      • Disable or restrict functions that accept PDF files from external sources if they are not essential while the patch cannot be applied
      • Use PDF pre-processing tools such as qpdf or pdfid.py to detect/block files containing XFA or /AcroForm fields before they are passed to Apache Tika
      • Isolate the Apache Tika instance that processes external files in a sandboxed zone with tightly restricted privileges
    2. Control outbound connections from servers running Apache Tika
      • Configure the firewall/proxy to allow only the destinations the system actually needs
      • Block access to the metadata service, critical internal IPs, and management systems that should never be reached from Apache Tika
    3. Strengthen host-level protection and detection (Host / EDR)
      • Run Apache Tika under a low-privilege account, following the principle of least privilege
      • Use containers/sandboxing/AppArmor/SELinux to restrict privileges and access scope
      • Set EDR/SIEM rules to alert when:
        • the Tika process attempts to read system files or credential files it should not access
        • outbound traffic from the server running Apache Tika is seen going to destinations outside its normal usage pattern

    ⚠️ Urgency
    This vulnerability can lead to data leakage and access to internal systems. Any system that has not yet been updated or mitigated should be treated as high risk, and risk reduction should begin immediately.

    Best regards,
    National Cyber Security Agency (NCSA) / ThaiCERT
    🔗 Sources
    [1] NVD – CVE-2025-66516
    https://nvd.nist.gov/vuln/detail/CVE-2025-66516
    [2] NVD – CVE-2025-54988
    https://nvd.nist.gov/vuln/detail/CVE-2025-54988
    [3] Apache Tika Advisory (Mailing List)
    https://lists.apache.org/thread/s5x3k93nhbkqzztp1olxotoyjpdlps9k
    [4] The Hacker News – Critical XXE Bug CVE-2025-66516 (CVSS 10.0) Hits Apache Tika
    https://thehackernews.com/2025/12/critical-xxe-bug-cve-2025-66516-cvss.html
    [5] Upwind – Apache Tika XXE Vulnerability (CVE-2025-66516)
    https://www.upwind.io/feed/apache-tika-rce-cve-2025-66516


    Posted in Cyber Security News
  • Cyber Threat Intelligence 11 December 2025

    Industrial Sector

    • ICS Patch Tuesday: Vulnerabilities Fixed By Siemens, Rockwell, Schneider
      "Industrial giants Siemens, Rockwell Automation, Schneider Electric, and Phoenix Contact have published Patch Tuesday advisories informing customers about vulnerabilities found in their ICS/OT products. Siemens has published 14 new advisories. An overall severity rating of ‘critical’ has been assigned to three advisories covering dozens of third-party component vulnerabilities affecting Comos, Sicam T, and Ruggedcom ROX products."
      https://www.securityweek.com/ics-patch-tuesday-vulnerabilities-fixed-by-siemens-rockwell-schneider/

    New Tooling

    Vulnerabilities

    Malware

    Breaches/Hacks/Leaks

    • Thousands Of Exposed Secrets Found On Docker Hub, Putting Organizations At Risk
      "For years, there’s been a saying in the security world: hackers don’t need to hack anymore – the keys are handed to them on a silver platter. But is that really true? That question is what sparked our research into exposed secrets on Docker Hub. We designed a methodology to analyze leaked credentials, validate which were real, and investigate their origin: who they belonged to, the environments they granted access to, and the potential blast radius to both the affected organizations and the wider ecosystem."
      https://flare.io/learn/resources/docker-hub-secrets-exposed/
      https://www.bleepingcomputer.com/news/security/over-10-000-docker-hub-images-found-leaking-credentials-auth-keys/
    • Russia’s Flagship Airline Hacked Through Little-Known Tech Vendor, According To New Report
      "A cyberattack that forced Russia’s flagship airline to cancel dozens of flights this summer was linked to a little-known Moscow software developer that had maintained access to the carrier’s internal systems, according to a new investigation. The report by the independent outlet The Bell, which is designated a “foreign agent” in Russia, is based on interviews with anonymous sources close to the company and involved in the incident’s investigation. It offers the most detailed account to date of what has become one of the largest cyberattacks in Russia since the full-scale invasion of Ukraine began."
      https://therecord.media/russia-flagship-airline-hacked-through-little-known-vendor

    General News

    • Stranger Threats Are Coming: Group-IB Cyber Predictions For 2026 And Beyond
      "The speed, nature, and intent of cybercrime have been evolving faster than we can keep up with. With the use of AI, we’ve all been anticipating it, but the extent has been underestimated. The cybersecurity landscape is becoming hyperactive – AI, evolving adversary ambitions, geopolitical shifts, and changing business dynamics, all combine to play a role in this acceleration."
      https://www.group-ib.com/blog/cyber-predictions-2026/

    • Henkel CISO On The Messy Truth Of Monitoring Factories Built Across Decades
      "In this Help Net Security interview, Stefan Braun, CISO at Henkel, discusses how smart manufacturing environments introduce new cybersecurity risks. He explains where single points of failure hide, how attackers exploit legacy systems, and why monitoring must adapt to mixed-generation equipment. His insights show why resilience depends on visibility, autonomy, and disciplined vendor accountability."
      https://www.helpnetsecurity.com/2025/12/10/stefan-braun-henkel-smart-manufacturing-cybersecurity/

    • The Hidden Dynamics Shaping Who Produces Influential Cybersecurity Research
      "Cybersecurity leaders spend much of their time watching how threats and tools change. A new study asks a different question, how has the research community itself changed over the past two decades. Researchers from the University of Southampton examined two long running conference communities, SOUPS and Financial Cryptography and Data Security, to see how teams form, who contributes, and which kinds of work gain attention. The result is a rare look at the structure behind the papers that influence security practice."
      https://www.helpnetsecurity.com/2025/12/10/interesting-cybersecurity-research-trends/

    • LLMs Are Everywhere In Your Stack And Every Layer Brings New Risk
      "LLMs are moving deeper into enterprise products and workflows, and that shift is creating new pressure on security leaders. A new guide from DryRun Security outlines how these systems change long standing assumptions about data handling, application behavior, and internal boundaries. It is built around the OWASP Top 10 for LLM Applications, which the company uses as the structure for a full risk model and a reference architecture for teams building with LLMs."
      https://www.helpnetsecurity.com/2025/12/10/enterprise-llm-security-risks-analysis/

    • UK Sanctions Russian And Chinese Firms Suspected Of Being ‘Malign Actors’ In Information Warfare
      "Britain announced sanctions against Russian media and ideas outlets on Tuesday as the U.K’s top diplomat warned Western nations must raise their game to combat information warfare from “malign foreign states. Foreign Secretary Yvette Cooper said the U.K. was imposing sanctions on the microblogging Telegram channel Rybar and its co-owner Mikhail Sergeevich Zvinchuk, the Foundation for the Support and Protection of the Rights of Compatriots Living Abroad — also known as Pravfond and described by Estonian intelligence as a front for the GRU spy agency — and the Center for Geopolitical Expertise, a think-tank run by Russian ultranationalist ideologue Alexander Dugin."
      https://www.securityweek.com/uk-sanctions-russian-and-chinese-firms-suspected-of-being-malign-actors-in-information-warfare/
      https://therecord.media/uk-sanctions-russia-china-entities-information-warfare

    • The Big Catch: How Whaling Attacks Target Top Executives
      "When a hedge fund manager opened up an innocuous Zoom meeting invite, he had little idea of the corporate carnage that was to follow. That invite was booby-trapped with malware, enabling threat actors to hijack his email account. From there they moved swiftly, authorizing money transfers on Fagan’s behalf for fake invoices they sent to the hedge fund. In total, they approved $8.7 million worth of invoices in this way. The incident was ultimately the undoing of Levitas Capital, after it forced the exit of one of the firm’s biggest clients."
      https://www.welivesecurity.com/en/business-security/big-catch-how-whaling-attacks-target-top-executives/

    • Experience Really Matters - But Now You're Fighting AI Hacks
      "When Anthropic disclosed a cyberespionage campaign conducted largely through an artificial intelligence system, it provided a detailed view of how offensive operations can unfold when an autonomous tool performs most of the technical work. The Cumberland County, Pennsylvania, intrusion still needed human direction, but the operational tasks were executed by an AI system that performed reconnaissance, generated exploits, escalated privileges and moved laterally through the network."
      https://www.bankinfosecurity.com/blogs/experience-really-matters-but-now-youre-fighting-ai-hacks-p-3996
    • Ransomware Victim Warning: The Streisand Effect May Apply
      "Paying off ransomware hackers to avoid notoriety is a losing proposition, finds a study of LockBit victims that identified a correlation between unwanted attention and succumbing to extortionists, as opposed to standing firm. "It seems that paying the ransom doesn't at all appear to reduce public exposure - if anything, it increases it," Max Smeets, co-director of Virtual Routes - formerly known as the European Cyber Conflict Research Initiative - said in a keynote presentation at the Black Hat Europe conference in London."
      https://www.bankinfosecurity.com/ransomware-victim-warning-streisand-effect-may-apply-a-30247
    • Global Cyber Attacks Increase In November 2025 Driven By Ransomware Surge And GenAI Risks
      "In November 2025, global cyber activity continued its upward trend, with organizations experiencing an average of 2,003 cyber-attacks per week. This represents a 3% increase from October, and a 4% rise compared to November 2024. Check Point Research data shows that this steady escalation reflects a threat landscape shaped by intensified ransomware activity, expanded attack surfaces, and the growing exposure risks associated with generative AI tools inside organizations."
      https://blog.checkpoint.com/research/global-cyber-attacks-increase-in-november-2025-driven-by-ransomware-surge-and-genai-risks/

    • Overconfident And Underprepared: IT Leaders Misjudge AI Cyber Risk
      "AI-generated malware is exploding in volume and sophistication. Legacy cyber tools, built on signatures, heuristics, and aging machine learning, are failing spectacularly in this new era of Dark AI. Yet confidence in these legacy cyber tools remains remarkably high, creating a widening disconnect between perception and reality. In this blog, we dig into the results from our new study of 500 U.S. IT professionals, which clearly highlights that IT professionals, especially in management positions, don’t realize just how quickly the new AI-driven threat landscape is shifting beneath their feet."
      https://www.deepinstinct.com/blog/overconfident-and-underprepared-it-leaders-misjudge-ai-cyber-risk
    • HTTPS Certificate Industry Phasing Out Less Secure Domain Validation Methods
      "Secure connections are the backbone of the modern web, but a certificate is only as trustworthy as the validation process and issuance practices behind it. Recently, the Chrome Root Program and the CA/Browser Forum have taken decisive steps toward a more secure internet by adopting new security requirements for HTTPS certificate issuers."
      https://security.googleblog.com/2025/12/https-certificate-industry-phasing-out.html
    • Log4Shell Downloaded 40 Million Times In 2025
      "Tens of millions of downloads of the popular Java logging library Log4j this year were vulnerable to a CVSS 10.0-rated vulnerability that first surfaced four years ago, according to Sonatype. The security vendor claimed 13% of Log4j downloads in 2025 were still vulnerable to Log4Shell, hinting at the challenge of persistent risks in the open source ecosystem. “On one side, there’s unfixed risk: vulnerabilities that never get patched upstream. On the other, there’s corrosive risk: vulnerabilities that do have fixes, but continue to spread because consumers don’t move,” it explained."
      https://www.infosecurity-magazine.com/news/log4shell-downloaded-40-million/

    References
    Electronic Transactions Development Agency (ETDA)

    Posted in Cyber Security News
  • Cyber Threat Intelligence 10 December 2025

    Financial Sector

    • Russian Police Bust Bank-Account Hacking Gang That Used NFCGate-Based Malware
      "Russian police said they have dismantled a criminal group that stole millions from bank customers using malware built on NFCGate, a legitimate open-source tool increasingly exploited by cybercriminals worldwide. According to Russia’s Interior Ministry, police detained several suspected members of the group — including the developer and main administrator of the malicious tool — late last week. The ministry did not identify the malware variant."
      https://therecord.media/russian-police-bust-banking-hackers-nfcgate-based-malware

    New Tooling

    • The Bastion: Open-Source Access Control For Complex Infrastructure
      "Operational teams know that access sprawl grows fast. Servers, virtual machines and network gear all need hands-on work and each new system adds more identities to manage. A bastion host tries to bring order to this problem. It acts as a single entry point for sysadmins and developers who connect to infrastructure through ssh. This model is old in theory, but The Bastion open-source project shows how far a purpose-built access layer can go."
      https://www.helpnetsecurity.com/2025/12/08/open-source-bastion-host-security/
      https://github.com/ovh/the-bastion

    Vulnerabilities

    • Attackers Actively Exploiting Critical Vulnerability In Sneeit Framework Plugin
      "On June 10th, 2025, we received a submission for a Remote Code Execution vulnerability in Sneeit Framework, a WordPress plugin with an estimated 1,700 active installations. The plugin is bundled in multiple premium themes. This vulnerability can be leveraged to execute code remotely. The vendor released the patched version on August 5th, 2025, and we publicly disclosed this vulnerability in the Wordfence Intelligence Vulnerability Database on November 24th, 2025. Our records indicate that attackers started exploiting the issue the same day on November 24th, 2025. The Wordfence Firewall has already blocked over 131,000 exploit attempts targeting this vulnerability."
      https://www.wordfence.com/blog/2025/12/attackers-actively-exploiting-critical-vulnerability-in-sneeit-framework-plugin/
      https://thehackernews.com/2025/12/sneeit-wordpress-rce-exploited-in-wild.html
    • CISA Adds Two Known Exploited Vulnerabilities To Catalog
      "CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
      CVE-2022-37055 D-Link Routers Buffer Overflow Vulnerability
      CVE-2025-66644 Array Networks ArrayOS AG OS Command Injection Vulnerability"
      https://www.cisa.gov/news-events/alerts/2025/12/08/cisa-adds-two-known-exploited-vulnerabilities-catalog
    • Prompt Injection Is Not SQL Injection (it May Be Worse)
      "The term ‘prompt injection’ was coined in 2022 to describe a new class of application vulnerability in genAI applications. Prompt injection is where developers concatenate their own instructions with untrusted content in a single prompt, and then treat the model’s response as if there were a robust boundary between ‘what the app asked for’ and anything in the untrusted content. Whilst initially reported as command execution, the underlying issue has turned out to be more fundamental than classic client/server vulnerabilities. Current large language models (LLMs) simply do not enforce a security boundary between instructions and data inside a prompt."
      https://www.ncsc.gov.uk/blog-post/prompt-injection-is-not-sql-injection
      https://cyberscoop.com/uk-warns-ai-prompt-injection-unfixable-security-flaw/

    Malware

    • The VS Code Malware That Captures Your Screen
      "Over the past year we've detected dozens of malicious VS Code extensions. Most steal credentials or mine crypto. But this malware goes further - it captures your screen and sends it to the attacker. Your code. Your emails. Your Slack DMs. Whatever's on your screen, they're seeing it too. And that's just the start. It also steals your WiFi passwords, reads your clipboard, and hijacks your browser sessions. All delivered through two extensions - a color theme and an AI coding assistant. Both from the same publisher."
      https://www.koi.ai/blog/the-vs-code-malware-that-captures-your-screen
      https://www.bleepingcomputer.com/news/security/malicious-vscode-extensions-on-microsofts-registry-drop-infostealers/
    • Cydome Research Team Identified "Broadside", A New Mirai Botnet Variant, Active In The Wild
      "Cydome’s Cybersecurity Research Team has identified an active campaign of a new variant of the Mirai botnet, designated as “Broadside”. This campaign targets the maritime logistics sector, exploiting a critical-severity vulnerability (CVE-2024-3721) in TBK DVR (Digital Video Recorders) devices in use by shipping companies on vessels (among others). Cydome has been tracking the associated infrastructure over the past months, observing that active IPs rise and fall in alignment with the campaign’s activity."
      https://cydome.io/cydome-identifies-broadside-a-new-mirai-botnet-variant-targeting-maritime-iot/
      https://www.darkreading.com/threat-intelligence/broadside-mirai-variant-maritime-logistics
    • Inside Shanya, a Packer-As-a-Service Fueling Modern Attacks
      "We have covered packer-as-a-service offerings from the computer underworld in the past, previously dissecting impersonation campaigns and the rise of HeartCrypt, both popular among ransomware groups. However, it is a fast-changing landscape, and now we are watching a new incarnation of the same type of service: the Shanya crypter — already favored by ransomware groups and taking over (to some degree) the role that HeartCrypt has played in the ransomware toolkit. We’ll look at its apparent origins, unpack the code, and examine a targeted infection leveraging this tool. Sophos protections against this specific packer are covered at the end of the article."
      https://news.sophos.com/en-us/2025/12/06/inside-shanya-a-packer-as-a-service-fueling-modern-attacks/
      https://www.bleepingcomputer.com/news/security/ransomware-gangs-turn-to-shanya-exe-packer-to-hide-edr-killers/
    • Bellerophon Could Never Have Imagined. The ChimeraWire Trojan Boosts Website Popularity By Skillfully Pretending To Be Human
      "While analyzing one of the affiliate programs, Doctor Web’s experts discovered a unique piece of malware with clicker functionality and dubbed it Trojan.ChimeraWire. This malware targets computers running Microsoft Windows and is based on the open-source projects zlsgo and Rod for automated website and web application management. Trojan.ChimeraWire allows cybercriminals to simulate user actions and boost the behavioral factor of websites by artificially increasing their rankings in search engine results. For this, the malicious app searches target Internet resources in the Google and Bing search engines and then loads them."
      https://news.drweb.com/show/?i=15090&lng=en
      https://hackread.com/chrimerawire-trojan-fakes-chrome-search-activity/
    • JS#SMUGGLER: Multi-Stage - Hidden Iframes, Obfuscated JavaScript, Silent Redirectors & NetSupport RAT Delivery
      "The Securonix Threat Research team has analyzed a sophisticated web-based multi-stage malware campaign. The attack chain unfolds across three distinct stages: (1) an obfuscated JavaScript loader injected into a compromised website, (2) a stealthy HTA (HTML Application) that executes encrypted PowerShell stagers via mshta.exe, and (3) a final PowerShell payload that downloads, extracts, executes, and establishes persistence for a Windows-based remote access Trojan."
      https://www.securonix.com/blog/jssmuggler-multi-stage-hidden-iframes-obfuscated-javascript-silent-redirectors-netsupport-rat-delivery/
      https://thehackernews.com/2025/12/experts-confirm-jssmuggler-uses.html
      https://hackread.com/jssmuggler-netsupport-rat-infected-sites/
    • How Phishers Hide Banking Scams Behind Free Cloudflare Pages
      "During a recent investigation, we uncovered a phishing operation that combines free hosting on developer platforms with compromised legitimate websites to build convincing banking and insurance login portals. These fake pages don’t just grab a username and password–they also ask for answers to secret questions and other “backup” data that attackers can use to bypass multi-factor authentication and account recovery protections."
      https://www.malwarebytes.com/blog/news/2025/12/how-phishers-hide-banking-scams-behind-free-cloudflare-pages
    • AI-Automated Threat Hunting Brings GhostPenguin Out Of The Shadows
      "Hunting high-impact, advanced malware is a difficult task. It becomes even harder and more time-consuming when defenders focus on low-detection or zero-detection samples. Every day, a huge number of files are sent to platforms like VirusTotal, and the relevant ones often get lost in all that noise. Identifying malware with low or no detections is a particularly challenging process, especially when the malware is new, undocumented, and built largely from scratch. When threat actors avoid publicly available libraries, known GitHub code, or code borrowed from other malware families, they create previously unseen samples that can evade detection and make hunting them significantly harder."
      https://www.trendmicro.com/en_us/research/25/l/ghostpenguin.html
    • LockBit 5.0 Infrastructure Exposed In New Server, IP, And Domain Leak
      "LockBit 5.0 key infrastructure exposed, revealing the IP address 205[.]185[.]116[.]233, and the domain karma0[.]xyz is hosting the ransomware group’s latest leak site. According to researcher Rakesh Krishnan, hosted under AS53667 (PONYNET, operated by FranTech Solutions), a network frequently abused for illicit activities, the server displays a DDoS protection page branded with “LOCKBITS.5.0,” confirming its role in the group’s operations. This operational security lapse arrives amid LockBit’s resurgence with enhanced malware capabilities."
      https://cybersecuritynews.com/lockbit-5-0-infrastructure-exposed/

    Breaches/Hacks/Leaks

    • Space Bears Ransomware Claims Comcast Data Theft Through Quasar Breach
      "Space Bears ransomware group is claiming that it obtained internal Comcast material by exploiting a breach at Quasar Inc., a telecommunications engineering contractor based in Georgia. The claims were published on the group’s dark web leak site. The same leak site also lists Quasar as an independent victim, which indicates the group is presenting two connected incidents rather than a single combined breach."
      https://hackread.com/space-bears-ransomware-comcast-quasar-breach/
    • Tri-Century Eye Care Data Breach Impacts 200,000 Individuals
      "A recently disclosed Tri-Century Eye Care data breach affects roughly 200,000 individuals, according to the healthcare data breach tracker maintained by the US Department of Health and Human Services (HHS). Tri-Century Eye Care provides comprehensive eye care services at several locations in Bucks County, Pennsylvania. In a data security incident notice posted on its website in late October, Tri-Century Eye Care informed patients and employees that their personal and protected health information may have been compromised as a result of a breach detected on September 3."
      https://www.securityweek.com/tri-century-eye-care-data-breach-impacts-200000-individuals/

    General News

    Reference
    Electronic Transactions Development Agency (ETDA)

    Posted in Cyber Security News