Vulnerabilities
- Oracle Pushes Emergency Fix For Critical Identity Manager RCE Flaw
"Oracle has released an out-of-band security update to fix a critical unauthenticated remote code execution vulnerability in Identity Manager and Web Services Manager tracked as CVE-2026-21992. Oracle Identity Manager is used for managing identities and access across an enterprise, while Oracle Web Services Manager provides security and management controls for web services. In an advisory released yesterday, Oracle is "strongly" recommending that customers apply the patches as soon as possible."
https://www.bleepingcomputer.com/news/security/oracle-pushes-emergency-fix-for-critical-identity-manager-rce-flaw/
https://www.oracle.com/security-alerts/alert-cve-2026-21992.html
https://www.darkreading.com/vulnerabilities-threats/patch-oracle-fusion-middleware-rce-flaw
https://thehackernews.com/2026/03/oracle-patches-critical-cve-2026-21992.html
https://securityaffairs.com/189796/security/oracle-fixes-critical-rce-flaw-cve-2026-21992-in-identity-manager.html - CISA Adds Five Known Exploited Vulnerabilities To Catalog
"CISA has added five new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
CVE-2025-31277 Apple Multiple Products Buffer Overflow Vulnerability
CVE-2025-32432 Craft CMS Code Injection Vulnerability
CVE-2025-43510 Apple Multiple Products Improper Locking Vulnerability
CVE-2025-43520 Apple Multiple Products Classic Buffer Overflow Vulnerability
CVE-2025-54068 Laravel Livewire Code Injection Vulnerability"
https://www.cisa.gov/news-events/alerts/2026/03/20/cisa-adds-five-known-exploited-vulnerabilities-catalog
https://thehackernews.com/2026/03/cisa-flags-apple-craft-cms-laravel-bugs.html
https://securityaffairs.com/189776/security/u-s-cisa-adds-apple-laravel-livewire-and-craft-cms-flaws-to-its-known-exploited-vulnerabilities-catalog.html
Malware
- Trivy Under Attack Again: Widespread GitHub Actions Tag Compromise Exposes CI/CD Secrets
"A new supply chain attack targeting Trivy has been disclosed today by Paul McCarty, marking the second distinct compromise affecting the Trivy ecosystem in March. This latest incident impacts GitHub Actions, and is separate from the earlier OpenVSX compromise involving the VS Code extension. Initial reports have focused on the compromise of Trivy v0.69.4, with downstream ecosystems such as Homebrew already rolling back affected versions. The first known detection of suspicious activity traces back to approximately 19:15 UTC."
https://socket.dev/blog/trivy-under-attack-again-github-actions-compromise
https://github.com/aquasecurity/trivy/discussions/10425
https://www.wiz.io/blog/trivy-compromised-teampcp-supply-chain-attack
https://www.aikido.dev/blog/teampcp-deploys-worm-npm-trivy-compromise
https://thehackernews.com/2026/03/trivy-security-scanner-github-actions.html
https://thehackernews.com/2026/03/trivy-supply-chain-attack-triggers-self.html
https://www.bleepingcomputer.com/news/security/trivy-vulnerability-scanner-breach-pushed-infostealer-via-github-actions/ - Attack Case Against MS-SQL Server Installing ICE Cloud Scanner (Larva-26002)
"AhnLab SEcurity intelligence Center (ASEC) has confirmed that the Larva-26002 threat actor continues to target improperly managed MS-SQL servers in 2026. The Larva-26002 threat actor has distributed Trigona and Mimic ransomware in the past, and has since seized control of infected systems and installed scanners. the latest confirmed attack utilizes the ICE Cloud Client, a scanner malware written in Go language. In January 2024, the Larva-26002 threat actor attacked MS-SQL servers to install the Trigona and Mimic ransomware [1]. The email address used in the Mimic ransomware is not known from other attack cases, but the email address used in the Trigona ransomware is the same as the email address used by Palo Alto [2] and Zscaler [3]."
https://asec.ahnlab.com/en/92988/ - Russian Intelligence Services Target Commercial Messaging Application Accounts
"CISA and the Federal Bureau of Investigation released a Public Service Announcement (PSA) warning about ongoing phishing campaigns by cyber actors associated with the Russian Intelligence Services targeting commercial messaging applications (CMAs). These campaigns aim to bypass encryption to compromise to individual user accounts with targets including current and former U.S. government officials, military personnel, political figures, and journalists. Evidence shows that cyber actors have been able to compromise individual CMA accounts, but not encryption of the applications themselves. The actors’ global campaigns have resulted in unauthorized access to thousands of individual CMA accounts to view the victims’ messages and contact lists, send messages, and conduct additional phishing against other CMA accounts."
https://www.cisa.gov/resources-tools/resources/russian-intelligence-services-target-commercial-messaging-application-accounts
https://www.ic3.gov/PSA/2026/PSA260320
https://www.bleepingcomputer.com/news/security/fbi-links-signal-phishing-attacks-to-russian-intelligence-services/
https://thehackernews.com/2026/03/fbi-warns-russian-hackers-target-signal.html
https://cyberscoop.com/fbi-cisa-issue-psa-on-russian-intelligence-campaign-to-target-messaging-apps/
https://securityaffairs.com/189808/intelligence/russia-linked-actors-target-whatsapp-and-signal-in-phishing-campaign.html - Libyan Oil Refinery Among Targets In Long-Running Likely Espionage Campaign
"A series of attacks on Libyan organizations hit an oil refinery, a telecoms organization and a state institution between November 2025 and February 2026. These attacks delivered the AsyncRAT backdoor, which is a publicly available backdoor that has previously been used by state-sponsored groups. This, and the organizations targeted, point to the possibility that this activity could be state sponsored. While this activity dates from before U.S. and Israeli strikes on Iran led to conflict in the Gulf region and turmoil on the world’s oil markets, the targeting of an oil refinery is notable. Libyan oil production hit 1.37 million barrels a day last year, the highest in about 12 years. With so much disruption in the Middle East, it's possible that attacks against oil producers in other countries could ramp up as fears grow about global energy supplies."
https://www.security.com/threat-intelligence/asyncrat-libya-oil-cyberattack
https://www.bankinfosecurity.com/multi-month-cyberespionage-campaign-hits-libyan-oil-refinery-a-31091 - Advanced Fake Zoom Installer Used For Delivering Malware
"Zoom abuse and impersonation have become popular lure tactics for attackers. Over the past year, we’ve posted blogs about Zoom impersonation for delivering malware, Zoom impersonation to deliver phishing payloads, Zoom Docs abuse, and more. But recently, we observed an impersonation-based attack that stood out for the length it went to fool the target."
https://sublime.security/blog/advanced-fake-zoom-installer-used-for-delivering-malware/
https://hackread.com/fake-zoom-meeting-invite-scam-windows-pc-malware/ - CVE-2026-33017: How Attackers Compromised Langflow AI Pipelines In 20 Hours
"On March 17, 2026, a critical vulnerability was disclosed in Langflow, the open-source visual framework for building AI agents and Retrieval-Augmented Generation (RAG) pipelines. The vulnerability, CVE-2026-33017, is an unauthenticated remote code execution (RCE) in the public flow build endpoint that allows attackers to execute arbitrary Python code on any exposed Langflow instance, with no credentials required and only a single HTTP request to get moving. Within 20 hours of the advisory’s publication, the Sysdig Threat Research Team (TRT) observed the first exploitation attempts in the wild. No public proof-of-concept (PoC) code existed at the time. Attackers built working exploits directly from the advisory description and began scanning the internet for vulnerable instances. Exfiltrated information included keys and credentials, which provided access to connected databases and potential software supply chain compromise."
https://www.sysdig.com/blog/cve-2026-33017-how-attackers-compromised-langflow-ai-pipelines-in-20-hours
https://thehackernews.com/2026/03/critical-langflow-flaw-cve-2026-33017.html
https://www.securityweek.com/critical-langflow-vulnerability-exploited-hours-after-public-disclosure/
https://www.infosecurity-magazine.com/news/hackers-exploit-critical-langflow/ - That “job Brief” On Google Forms Could Infect Your Device
"We’ve identified a campaign using business-related lures, such as job interviews, project briefs, and financial document, to distribute malware, including the PureHVNC Remote Access Trojan (RAT). It’s not the malware that’s new, but how the attack starts. Instead of the usual phishing email or fake download page, attackers are using Google Forms to kick off the infection chain. The attack typically begins when a victim downloads a business-themed ZIP file linked from a Google Form. Inside is a malicious file that sets off a multi-stage infection process, eventually installing malware on the system."
https://www.malwarebytes.com/blog/threat-intel/2026/03/that-job-brief-on-google-forms-could-infect-your-device - Large-Scale Magento Defacement Campaign Impacts Global Brands And Government Domains
"Netcraft researchers have identified an ongoing campaign involving the compromise and defacement of thousands of Magento ecommerce sites across multiple sectors and geographies. Beginning 27 February 2026, attackers have deployed defacement txt files across approximately 15,000 hostnames spanning 7,500 domains, including infrastructure associated with prominent global brands, e-commerce platforms, and government services. While a small number of defacements included geopolitical messaging, the majority appear to be opportunistic compromises carried out for attribution and reputation within the defacement ecosystem, rather than targeted hacktivism."
https://www.netcraft.com/blog/large-scale-magento-defacement-campaign
https://www.securityweek.com/thousands-of-magento-sites-hit-in-ongoing-defacement-campaign/
https://securityaffairs.com/189734/hacking/7500-magento-sites-defaced-in-global-hacking-campaign.html - Copyright Lures Mask a Multi‑Stage PureLog Stealer Attack On Key Industries
"We identified a targeted malware campaign delivering PureLog Stealer, an information‑stealing malware that uses multi‑stage packed assemblies to harvest sensitive data, including Chrome browser credentials, extensions, cryptocurrency wallets, and system information, through a file disguised as a legal copyright violation notice. It’s considered a low‑cost, easy‑to‑use infostealer, making it accessible even to less‑skilled threat actors. The attack likely relies on phishing emails that lure victims into downloading a malicious executable tailored to the victim’s local language."
https://www.trendmicro.com/en_us/research/26/c/copyright-lures-mask-a-multistage-purelog-stealer-attack.html - The Beast Returns: Analysis Of a Beast Ransomware Server
"Team Cymru analyzes and collects a wide variety of internet telemetry. This includes global NetFlow communications and open ports data, among other types of data such as X509 certificates, passive DNS, and WHOIS records. While other organisations attempt to scan the entire Internet or guess which ports are statistically likely to be listening, our Open Ports data collection leverages Team Cymru’s unique NetFlow visibility to prioritize and perform targeted scans of hosts that are actively communicating. By filling in the known gaps, Team Cymru's informed scanning enables faster discovery of live assets and operational infrastructure."
https://www.team-cymru.com/post/beast-ransomware-server-toolkit-analysis
https://www.darkreading.com/threat-intelligence/opsec-beast-gang-exposes-ransomware-server - Microsoft Azure Monitor Alerts Abused For Callback Phishing Attacks
"Microsoft Azure Monitor alerts are being abused to send callback phishing emails that impersonate warnings from the Microsoft Security Team about unauthorized charges on your account. Azure Monitor is Microsoft's cloud-based monitoring service that collects and analyzes data from Azure resources, applications, and infrastructure. It enables users to track performance, notify about billing changes, detect issues, and trigger alerts based on various conditions. Over the past month, numerous people have reported receiving Azure Monitor alerts warning of suspicious charges or invoice activity on their accounts, urging them to call an enclosed phone number."
https://www.bleepingcomputer.com/news/security/microsoft-azure-monitor-alerts-abused-in-callback-phishing-campaigns/ - CVE-2025-32975: Arctic Wolf Observes Exploitation Of Quest KACE Systems Management Appliance
"Starting the week of March 9, 2026, Arctic Wolf observed malicious activity in customer environments potentially linked to the exploitation of CVE-2025-32975 on unpatched Quest KACE Systems Management Appliance (SMA) instances that were publicly exposed to the internet. This vulnerability was patched in May 2025. Quest KACE SMA is an on-premises appliance for centralized endpoint management, providing inventory, software deployment, patching, and endpoint monitoring capabilities. CVE-2025-32975 is a critical authentication bypass vulnerability that allows threat actors to impersonate legitimate users without valid credentials. The flaw exists in the SSO authentication handling mechanism and can result in complete administrative takeover."
https://arcticwolf.com/resources/blog/cve-2025-32975/
https://www.securityweek.com/critical-quest-kace-vulnerability-potentially-exploited-in-attacks/ - VoidStealer: Debugging Chrome To Steal Its Secrets
"When Google introduced Application-Bound Encryption (ABE) in July 2024 with Chrome 127, it didn't mark the end of infostealers – as expected, infostealers adopted quickly and came up with various methods to bypass it. Still, it undoubtedly raised the bar for accessing sensitive browser data, and, more importantly, significantly increased the visibility of such data theft attempts, as bypassing ABE now requires attackers to perform additional steps that are inherently more suspicious. Various bypass techniques have emerged since then, and since each comes with its own trade-offs, new approaches continue to appear as threat actors seek to minimize the footprint and evade detection."
https://www.gendigital.com/blog/insights/research/voidstealer-abe-bypass
https://www.bleepingcomputer.com/news/security/voidstealer-malware-steals-chrome-master-key-via-debugger-trick/
Breaches/Hacks/Leaks
- Hacker Group LAPSUS$ Claims Alleged AstraZeneca Data Breach
"A threat actor group identifying itself as “LAPSUS$” is claiming responsibility for an alleged data breach involving AstraZeneca, one of the world’s largest multinational pharmaceutical and biotechnology company. The group claims to have obtained approximately 3GB of internal data, including source code, cloud infrastructure configurations, and employee-related information."
https://hackread.com/hacker-group-lapsus-astrazeneca-data-breach/ - WorldLeaks Ransomware Group Breached The City Of Los Angels
"WorldLeaks group hit Los Angeles and its Metro, forcing a shutdown, while two Bay Area cities declared emergencies after ransomware attacks. This week, local media reported that an unauthorized activity hit Metro’s internal systems, forcing the agency to limit access and disrupting station arrival displays. “Unauthorized activity on internal administrative computer systems prompted Metro to limit access to those systems, resulting in station monitors not displaying arrival times, the transit agency announced Thursday.” reported NBC Los Angeles."
https://securityaffairs.com/189753/data-breach/worldleaks-group-breached-the-city-of-los-angels.html
General News
- Global Cybercrime Crackdown: Over 373 000 Dark Web Sites Shut Down
"On 9 March 2026, a global operation led by German authorities and supported by Europol was launched against one of the largest networks of fraudulent platforms in the dark web. The investigation began in mid-2021 against the dark web platform “Alice with Violence CP”. During the investigation, authorities discovered that the platform’s operator was running more than 373 000 fraudulent websites advertising child sexual abuse material (CSAM) and cybercrime-as-a-service (CaaS) offerings."
https://www.europol.europa.eu/media-press/newsroom/news/global-cybercrime-crackdown-over-373-000-dark-web-sites-shut-down
https://www.bleepingcomputer.com/news/security/police-take-down-373-000-fake-csam-sites-in-operation-alice/
https://therecord.media/police-dismantle-dark-web-network-exploiting-child-abuse-images - Authorities Disrupt World’s Largest IoT DDoS Botnets Responsible For Record Breaking Attacks Targeting Victims Worldwide
"The U.S. Justice Department participated in a court-authorized law enforcement operation today to disrupt Command and Control (C2) infrastructure used by the Aisuru, KimWolf, JackSkid and Mossad Internet of Things (IoT) botnets. The operation was conducted simultaneously to law enforcement actions conducted in Canada and Germany, which targeted individuals who operated these botnets. The four botnets launched Distributed Denial of Service (DDoS) attacks targeting victims around the world. Some of these attacks measured approximately 30 Terabits per second, which were record-breaking attacks."
https://www.justice.gov/usao-ak/pr/authorities-disrupt-worlds-largest-iot-ddos-botnets-responsible-record-breaking-attacks
https://www.bleepingcomputer.com/news/security/aisuru-kimwolf-jackskid-and-mossad-botnets-disrupted-in-joint-action/
https://thehackernews.com/2026/03/doj-disrupts-3-million-device-iot.html
https://therecord.media/us-seizes-botnet-infrastructure-four-large-networks
https://www.bankinfosecurity.com/aisuru-kimwolf-botnets-disrupted-in-international-operation-a-31105
https://cyberscoop.com/botnet-disruption-aisuru-kimwolf-jackskid-mossad/
https://www.securityweek.com/aisuru-and-kimwolf-ddos-botnets-disrupted-in-international-operation/
https://securityaffairs.com/189710/cyber-crime/global-law-enforcement-operation-targets-aisuru-kimwolf-jackskid-botnet-operators.html
https://www.theregister.com/2026/03/20/botnet_disruption/
https://www.helpnetsecurity.com/2026/03/20/us-disrupts-iot-botnets-ddos-attacks-aisuru-kimwolf/ - Three Men Sentenced For Facilitating Employment Of Foreign Workers In North Korean Sanctions Evasion Scheme
"Three men have been sentenced in federal court after pleading guilty to their roles in a nationwide scheme that enabled North Korean workers to access U.S.-based computer networks. Each defendant pleaded guilty to a criminal Information charging them with one count of Wire Fraud Conspiracy, said Margaret E. “Meg” Heap, U.S. Attorney for the Southern District of Georgia. The defendants were sentenced by U.S. District Court Judge J. Randal Hall."
https://www.justice.gov/usao-sdga/pr/three-men-sentenced-providing-computer-access-foreign-workers-potential-espionage-plot
https://cyberscoop.com/north-korea-it-worker-scheme-three-sentenced/ - Post-Quantum Web Could Be Safer, Faster
"With practical quantum computers predicted to arrive in the next decade or so, technologists worry about the risks to encrypted data traveling over current Web protocols, but a new infrastructure proposed by an Internet standards group could future-proof against quantum attacks. Cryptographically relevant quantum computers (CRQCs) could allow the decryption of secure traffic using HTTPS and the spoofing of secure servers. Shoring up the security of the Internet with the structures used today requires adopting post-quantum algorithms that come with significant trade-offs."
https://www.darkreading.com/cloud-security/post-quantum-web-could-be-safer-faster - Field Workers Don’t Need More Access, They Need Better Security
"In this Help Net Security interview, Chris Thompson, CISO at West Shore Home, discusses least privilege and credential hygiene for a field-based workforce. He covers access management, authentication practices, and data risk processes that support employees in the field. Thompson also outlines security awareness efforts and how field teams are integrated into an organization’s security posture."
https://www.helpnetsecurity.com/2026/03/20/chris-thompson-west-shore-home-field-worker-cybersecurity/ - NCA Boss Warns That Teens Are Being “Radicalized” Into Cybercrime Online
"The head of the UK’s National Crime Agency (NCA) has warned that the country’s teens are being “radicalized” into becoming cybercriminals by online platforms. The NCA was set up over a decade ago to tackle serious and organized crime. In a speech to launch the NCA's National Strategic Assessment this week, Graeme Biggar, NCA director general, argued that “the same toxic online spaces” and algorithms are turning teens into cybercriminals, sex offenders and terrorists."
https://www.infosecurity-magazine.com/news/nca-boss-warns-teens-radicalized/ - Who’s Really Shopping? Retail Fraud In The Age Of Agentic AI
"From targeting the “digital contract” with gift card theft to potentially liquidating the cash reserve of a retailer, this blog explores the potential for AI-enabled fraud that retailers could now face. We also explain how organizations can better defend themselves and their guests from AI-enabled fraud."
https://unit42.paloaltonetworks.com/retail-fraud-agentic-ai/
อ้างอิง
Electronic Transactions Development Agency (ETDA) 
Automation Expert product. The EcoStruxure
ThaiCERT ขอแจ้งเตือนหน่วยงานที่ใช้งาน Cisco Secure Firewall Management Center (FMC) ให้เร่งดำเนินการตรวจสอบเวอร์ชันของระบบ และอัปเดตแพตช์ความปลอดภัยตามที่ผู้พัฒนาแนะนำโดยเร็ว พร้อมทั้งดำเนินมาตรการควบคุมการเข้าถึงระบบบริหารจัดการอย่างเหมาะสม เพื่อลดความเสี่ยงจากการถูกโจมตีและการเข้าถึงระบบโดยไม่ได้รับอนุญาต
