NCSA Webboard

NCSA_THAICERT

พบช่องโหว่ใน CrewAI เปิดทางแฮกเกอร์เจาะ Sandbox และ.png

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

NCSA_THAICERT

เหตุระบบขัดข้องของ Lloyds Banking Group ทำข้อมูลธุรกรร.png

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

NCSA_THAICERT

Google อนุญาตให้ผู้ใช้งานเปลี่ยนชื่อที่อยู่อ.png

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

NCSA_THAICERT

Vulnerabilities

CISA Adds One Known Exploited Vulnerability To Catalog
"CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
CVE-2026-3055 Citrix NetScaler Out-of-Bounds Read Vulnerability"
https://www.cisa.gov/news-events/alerts/2026/03/30/cisa-adds-one-known-exploited-vulnerability-catalog
When AI Trust Breaks: The ChatGPT Data Leakage Flaw That Redefined AI Vendor Security Trust
"AI assistants like ChatGPT have quickly become trusted environments for handling some of the most sensitive data people own. Users discuss medical symptoms, upload financial records, analyze contracts, and paste internal documents—often assuming that what they share remains safely contained within the platform. That assumption was challenged when new research uncovered a previously unknown vulnerability that enabled silent data leakage from ChatGPT conversations without user knowledge or consent. While the issue has since been fully resolved by OpenAI, the discovery delivers a much broader lesson for enterprises and security leaders: AI tools should not be assumed secure by default."
https://blog.checkpoint.com/research/when-ai-trust-breaks-the-chatgpt-data-leakage-flaw-that-redefined-ai-vendor-security-trust/
https://research.checkpoint.com/2026/chatgpt-data-leakage-via-a-hidden-outbound-channel-in-the-code-execution-runtime/
https://thehackernews.com/2026/03/openai-patches-chatgpt-data.html
https://www.theregister.com/2026/03/30/openai_chatgpt_dns_data_snuggling_flaw/
Storm Brews Over Critical, No-Click Telegram Flaw
"A storm is brewing over a purported critical Telegram Messenger flaw that allows for full system hijack, with full details of the unpatched vulnerability not set to be disclosed until July. The vulnerability, which could impact some 1 billion users of the popular chat app, was discovered by researcher Michael DePlante of the Trend Micro Zero Day Initiative (ZDI). ZDI first revealed the existence of the flaw, which it tracks as ZDI-CAN-30207, on Thursday and set a deadline for full disclose on July 26."
https://www.darkreading.com/application-security/storm-brews-critical-no-click-telegram-flaw
https://securityaffairs.com/190167/security/its-a-mystery-alleged-unpatched-telegram-zero-day-allows-device-takeover-but-telegram-denies.html
How Command Injection Vulnerability In OpenAI Codex Leads To GitHub Token Compromise
"BeyondTrust Phantom Labs has discovered a critical command injection vulnerability in OpenAI's Codex cloud environment that exposed sensitive GitHub credential data. The vulnerability exists within the task creation HTTP request, which allows an attacker to inject arbitrary commands through the GitHub branch name parameter. This can result in the theft of a victim's GitHub User Access Token—the same token Codex uses to authenticate with GitHub. Through automated techniques, this exploit can scale to compromise multiple users interacting with a shared environment or GitHub repository. The vulnerability affects the ChatGPT website, Codex CLI, Codex SDK, and the Codex IDE Extension. All reported issues have since been remediated in coordination with OpenAI’s security team."
https://www.beyondtrust.com/blog/entry/openai-codex-command-injection-vulnerability-github-token
https://hackread.com/openai-codex-vulnerability-steal-github-tokens/
StrongSwan CVE-2026-25075: Integer Underflow In VPN Authentication
"Bishop Fox researchers successfully exploited an integer underflow vulnerability affecting the EAP-TTLS plugin in strongSwan versions 4.5.0 through 6.0.4. The vulnerability allows remote, unauthenticated attackers to crash the VPN server's IKE daemon through a carefully crafted EAP-TTLS message, resulting in denial of service. What makes this vulnerability particularly interesting is that exploitation often requires a two-phase attack. In some scenarios, a single malicious packet corrupts the heap but doesn't crash the daemon; only a second connection triggers the segmentation fault. Our researchers also developed a safe detection method that identifies vulnerable servers without causing any disruption, which you can download here."
https://bishopfox.com/blog/strongswan-cve-2026-25075-integer-underflow-in-vpn-authentication
https://hackread.com/strongswan-flaw-attackers-crash-vpn-integer-underflow/

Malware

Critical Fortinet Forticlient EMS Flaw Now Exploited In Attacks
"Attackers are now actively exploiting a critical vulnerability in Fortinet's FortiClient EMS platform, according to threat intelligence company Defused. Tracked as CVE-2026-21643, this SQL injection vulnerability allows unauthenticated threat actors to execute arbitrary code or commands on unpatched systems through low-complexity attacks targeting the FortiClientEMS GUI (web interface) via maliciously crafted HTTP requests. "Fortinet Forticlient EMS CVE-2026-21643 - currently marked as not exploited on CISA and other Known Exploited Vulnerabilities (KEV) lists - has seen first exploitation already 4 days ago according to our data," Defused warned over the weekend."
https://www.bleepingcomputer.com/news/security/critical-fortinet-forticlient-ems-flaw-now-exploited-in-attacks/
https://securityaffairs.com/190158/security/critical-fortinet-forticlient-ems-flaw-exploited-for-remote-code-execution.html
https://www.helpnetsecurity.com/2026/03/30/forticlient-ems-cve-2026-21643-reported-exploitation/
Hacked Hospitals, Hidden Spyware: Iran Conflict Shows How Digital Fight Is Ingrained In Warfare
"As they fled an Iranian missile strike, some Israelis with Android phones received a text offering a link to real-time information about bomb shelters. But instead of a helpful app, the link downloaded spyware giving hackers access to the device’s camera, location and all its data. The operation, attributed to Iran, showed sophisticated coordination and is just the latest tactic in a cyber conflict that pits the U.S. and Israel against Iran and its digital proxies. As Iran and its supporters seek to use their cyber capabilities to compensate for their military disadvantages, they are demonstrating how disinformation, artificial intelligence and hacking are now ingrained in modern warfare."
https://www.securityweek.com/hacked-hospitals-hidden-spyware-iran-conflict-shows-how-digital-fight-is-ingrained-in-warfare/
Under CTRL: Dissecting a Previously Undocumented Russian .Net Access Framework
"“CTRL” is a custom-built .NET remote access toolkit developed by a Russian-speaking operator and distributed via weaponized LNK files disguised as private key folders. The toolkit was discovered through Censys open directory scanning, which identified an exposed payload hosting directory at hui228.ru:82/hosted/ containing three .NET executables. Together, the executables provide encrypted payload loading, credential harvesting via a polished Windows Hello phishing UI, keylogging, RDP session hijacking, and reverse proxy tunneling through FRP."
https://censys.com/blog/under-ctrl-dissecting-a-previously-undocumented-russian-net-access-framework/
https://thehackernews.com/2026/03/russian-ctrl-toolkit-delivered-via.html
RoadK1ll: A WebSocket Based Pivoting Implant
"During analysis of a recent intrusion, the Blackpoint Response Operations Center (BROC) identified a Node.js based implant deployed within the compromised environment which the BROC is tracking as RoadK1ll. At a glance, it might not look like your typical piece of malware, as there are no large command sets or obvious operator tooling built in. Instead, RoadK1ll is built to solve a very specific problem for the attacker: maintaining reliable, flexible access into an internal network after initial compromise. RoadK1ll is a Node.js-based reverse tunneling implant that establishes an outbound WebSocket connection to attacker-controlled infrastructure and uses that connection to broker TCP traffic on demand. Unlike a traditional remote access trojan, it carries no large command set and requires no inbound listener on the victim host."
https://blackpointcyber.com/blog/roadk1ll-a-websocket-based-pivoting-implant/
https://www.bleepingcomputer.com/news/security/new-roadk1ll-websocket-implant-used-to-pivot-on-breached-networks/
One Click Away: Inside a LinkedIn Phishing Attack
"You’re checking your inbox like any other day when a LinkedIn notification pops up, hinting at a promising opportunity. It feels exciting and completely normal to click. Yet with that single action, your login credentials may already be slipping into the hands of a cybercriminal. This is the danger hiding in plain sight: phishing emails that look so ordinary they disarm even the most cautious users. A moment of curiosity or urgency is all it takes for an attack to succeed. This is consistent with a recent trend observed by the Cofense Phishing Defense Center (PDC). The analysts in the PDC have identified a phishing campaign that uses LinkedIn message notifications to lure users into logging in to view a supposed opportunity, ultimately disguising itself to steal users’ credentials."
https://cofense.com/blog/one-click-away-inside-a-linkedin-phishing-attack
DeepLoad Malware Pairs ClickFix Delivery With AI-Generated Evasion
"ReliaQuest has observed the new “DeepLoad” malware being exploited in enterprise environments. What sets this campaign apart isn’t any single stand-out technique, but how the entire attack chain was engineered to defeat the controls most organizations rely on, turning one user action into persistent, credential-stealing access. In this report, we provide a full attack chain for DeepLoad, showing that newly surfaced threats can arrive operationally mature. Based on what we’ve observed, organizations must prioritize behavioral, runtime detection—not file-based scanning—to catch this campaign (and similar ones) early."
https://reliaquest.com/blog/threat-spotlight-deepload-malware-pairs-clickfix-delivery-with-ai-generated-evasion/
https://thehackernews.com/2026/03/deepload-malware-uses-clickfix-and-wmi.html
https://www.darkreading.com/cyberattacks-data-breaches/ai-powered-deepload-steals-credentials-evades-detection
https://cyberscoop.com/deepload-ai-malware-obfuscation-at-every-stage-reliaquest/
https://www.infosecurity-magazine.com/news/deepload-malware-clickfix-ai-code/
Professional Networks Under Attack: Vietnam-Linked Actors Deploy PXA Stealer In Global Infostealer Campaign
"CRIL has been actively tracking a surge in PXA Stealer activity deployed in a sophisticated, financially motivated threat campaign attributed with high confidence to a Vietnam-based cybercriminal group. The primary targets in this campaign are job seekers across India, Bangladesh, the Netherlands, Sweden, and the United States. Threat actors leverage LinkedIn as their primary initial access vector, distributing fraudulent recruitment messages via compromised accounts that impersonate legitimate job opportunities."
https://cyble.com/blog/professional-networks-under-attack-by-infostealer/

Breaches/Hacks/Leaks

Healthcare Tech Firm CareCloud Says Hackers Stole Patient Data
"Healthcare IT firm CareCloud has disclosed a data breach incident that exposed sensitive data and caused a network disruption lasting approximately eight hours. The New Jersey-based company said in a filing with the U.S. Securities and Exchange Commission (SEC) that the intrusion occurred on March 16 when hackers accessed its IT infrastructure. “On March 16, 2026, CareCloud, Inc. experienced a temporary network disruption in its CareCloud Health division that partially impacted the functionality and data access to 1 of its 6 electronic health record environments for approximately 8 hours until the Company fully restored all functionality and data access during that evening,” the company says in the SEC filing."
https://www.bleepingcomputer.com/news/security/healthcare-tech-firm-carecloud-says-hackers-stole-patient-data/
https://therecord.media/carecloud-hack-data-breach-sec
https://www.securityweek.com/healthcare-it-platform-carecloud-probing-potential-data-breach/
Dark Web Market Lists Alleged 375TB Lockheed Martin Data For $600M
"Hackers are claiming to have stolen a trove of data belonging to Lockheed Martin, the world’s largest defense contractor and an American aerospace company. They are now selling it on the dark web. The situation began on March 26, 2026, when a Telegram account linked to a dark web marketplace known as Threat Market, which posts in both Russian and English, claimed it had been approached by a group described as “APT IRAN.” According to the post, the group requested infrastructure support to sell what was described as 375 terabytes of data allegedly taken from Lockheed Martin."
https://hackread.com/dark-web-market-375tb-lockheed-martin-data/

General News

Why Risk Alone Doesn’t Get You To Yes
"I have been in security rooms for years, from military operations centers to corporate boardrooms. In all those years I can tell you that the hardest mission that most security leaders will face is not identifying a threat, but getting someone to act on it. We’re trained to see exposure before they are identified by others. We continually assess likely threats, evaluate impact, and design controls to prevent disruption long before it reaches operations or shareholders. That’s the job. But here’s what I’ve watched happen, over and over again: a security leader walks into a meeting with a technically sound brief, well-supported recommendations, and a clear picture of the risk. The room nods. The CFO asks for more context. The conversation gets tabled for next quarter."
https://www.helpnetsecurity.com/2026/03/30/cyber-security-executive-buy-in/
Breaking Out: Can AI Agents Escape Their Sandboxes?
"Container sandboxes are part of routine AI agent testing and deployment. Agents use them to run code, edit files, and interact with system resources without direct access to the host. The SandboxEscapeBench benchmark, developed by researchers at the University of Oxford and the AI Security Institute, evaluates whether an agent with shell access can escape a container and reach the host system."
https://www.helpnetsecurity.com/2026/03/30/ai-agents-container-breakout-capabilities-research/
https://arxiv.org/pdf/2603.02277
Don’t Count On Government Guidance After a Smart Home Breach
"People are filling their homes with internet-connected cameras, speakers, locks, and routers. When one of those devices is compromised, the next steps are often unclear. Researchers reviewing government cybersecurity advice in 11 countries found that most guidance focuses on prevention, leaving households with limited support after a breach. The analysis covers Australia, Austria, Canada, Finland, France, Germany, Japan, New Zealand, Singapore, the United Kingdom, and the United States."
https://www.helpnetsecurity.com/2026/03/30/smart-home-cybersecurity-recovery-guidance-gap/
Iranian Cyberthreats Test US Infrastructure Defenses
"Warnings from Iranian-linked hacking groups threatening "irreparable damages" to U.S. water systems are raising concerns across the federal cybersecurity community - as officials weigh both the credibility of the threat and the government's ability to respond amid ongoing cyber resource strains. The reported threat involves a coalition of pro-Iranian hacking groups signaling potential retaliation against U.S. critical infrastructure - including water and wastewater systems - if geopolitical tensions continue to escalate."
**https://www.bankinfosecurity.com/iranian-cyberthreats-test-us-infrastructure-defenses-a-31299
Hybrid Warfare 2026: When Cyber Operations And Kinetic Attacks Converge**
"In 2026, hybrid warfare is no longer a theoretical construct discussed in policy circles; it is shaping geopolitical conflict in real time. The convergence of cyber warfare and kinetic attacks has transformed how nations project power, blending missiles, malware, and misinformation into unified campaigns. What distinguishes modern hybrid warfare from earlier conflicts is not just the presence of digital operations, but their synchronization with physical strikes to produce layered, systemic disruption. Nowhere is this more evident than in the Middle East, where escalating tensions have turned the region into a proving ground for cyber-physical warfare."
https://cyble.com/blog/hybrid-warfare-2026-cyber-kinetic-threats/
Manufacturing And Healthcare Share Struggles With Passwords
"Two disparate industries, manufacturing and healthcare, share several weaknesses that lead to significant security gaps, especially in password hygiene. To address in the short term will require shifting security culture mindsets. The industries are two of the biggest ransomware targets. Black Kite's "2025 Manufacturing Research Report" found that manufacturing was the No. 1 target for ransomware groups four years in a row."
https://www.darkreading.com/cyber-risk/manufacturing-and-healthcare-share-struggles-with-passwords
TeamPCP’s Attack Spree Slows, But Threat Escalates With Ransomware Pivot
"TeamPCP’s destructive run of supply chain breaches has stopped, for now: it has been three days since the group published malicious versions of Telnyx’s SDK on PyPI, and there haven’t been reports of new open-source project compromises."
https://www.helpnetsecurity.com/2026/03/30/teampcp-supply-chain-attacks-ransomware/
Silent Drift: How LLMs Are Quietly Breaking Organizational Access Control
"Business efficiency demands maximum use of AI assistance, but where policy as code is concerned, AI can introduce serious policy flaws. The shift to policy as code for organizational security, compliance, and operational rules, is being followed by increased use of LLM artificial intelligence to help produce the raw code. This makes sense. A primary purpose of AI within business is to improve human efficiency, and writing policy in languages like Rego or Cedar is not easy. AI is increasingly used to streamline the process."
https://www.securityweek.com/silent-drift-how-llms-are-quietly-breaking-organizational-access-control/
Audit Finds Application Security Issues Are Worse Than Ever
"An audit of 947 commercial codebases spanning 17 industries finds the number of vulnerabilities inside applications has surged a startling 107% over the past year. Conducted by Black Duck Software, the audit also finds there are now, on average, 581 vulnerabilities per codebase. Alas, many of these vulnerabilities can be traced back to open-source software components that create dependencies in code bases that are challenging to fix because the code is managed by an independent maintainer that might not yet have created a patch to address the issue."
https://blog.barracuda.com/2026/03/30/audit-application-security-issues-open-source

อ้างอิง
Electronic Transactions Development Agency (ETDA)

NCSA_THAICERT

เมื่อวันที่ 27 มีนาคม 2026 Cybersecurity and Infrastructure Security Agency (CISA) ได้เพิ่มช่องโหว่ใหม่ 1 รายการลงในแคตตาล็อก Known Exploited Vulnerabilities (KEV) จากหลักฐานที่พบว่ามีการโจมตีใช้งานจริงแล้ว ดังนี้

CVE-2025-53521 F5 BIG-IP Remote Code Execution Vulnerability

ทาง CISA จะปรับปรุงและเพิ่มช่องโหว่ใหม่เข้าสู่แคตตาล็อก KEV อย่างต่อเนื่อง เพื่อให้ครอบคลุมความเสี่ยงที่ตรวจพบจริงในปัจจุบันและอนาคต

อ้างอิง
https://www.cisa.gov/news-events/alerts/2026/03/27/cisa-adds-one-known-exploited-vulnerability-catalog
สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

NCSA_THAICERT

Vulnerabilities

LangDrained: 3 Paths To Your Data Through LangChain, The World’s Most Popular AI Framework
"When we think about AI security, our minds often jump to futuristic threats: rogue autonomous agents, complex model jailbreaks, or clever prompt injections. We imagine attackers outsmarting the AI itself. But over the past few months, our research team has discovered that the biggest threat to your enterprise AI data might not be as complex as you think. In fact, it hides in the invisible, foundational plumbing that connects your AI to your business. This layer is vulnerable to some of the oldest tricks in the hacker playbook."
https://www.cyera.com/research/langdrained-3-paths-to-your-data-through-the-worlds-most-popular-ai-framework
https://thehackernews.com/2026/03/langchain-langgraph-flaws-expose-files.html
CISA Adds One Known Exploited Vulnerability To Catalog
"CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
CVE-2025-53521 F5 BIG-IP Remote Code Execution Vulnerability"
https://www.cisa.gov/news-events/alerts/2026/03/27/cisa-adds-one-known-exploited-vulnerability-catalog
https://thehackernews.com/2026/03/cisa-adds-cve-2025-53521-to-kev-after.html
https://securityaffairs.com/190076/uncategorized/u-s-cisa-adds-a-flaw-in-f5-big-ip-amp-to-its-known-exploited-vulnerabilities-catalog.html
https://www.helpnetsecurity.com/2026/03/28/big-ip-apm-vulnerability-cve-2025-53521-exploited/
Open Sesame: How a Fail-Open Bug In Open VSX's New Scanner Let Malware Walk Right In
"‍Open VSX, the extension marketplace behind Cursor, Windsurf, and the broader VS Code fork ecosystem, recently rolled out a pre-publish scanning pipeline. That's a big deal, and the right move. Malware detection, secret scanning, binary analysis, name-squatting prevention. Exactly the kind of infrastructure the ecosystem desperately needed. Here's the thing. The pipeline had a single boolean return value that meant both "no scanners are configured" and "all scanners failed to run." The caller couldn't tell the difference. So when scanners failed under load, Open VSX treated it as "nothing to scan for" and waved the extension right through."
https://www.koi.ai/blog/open-sesame-how-a-fail-open-bug-in-open-vsxs-new-scanner-let-malware-walk-right-in
https://thehackernews.com/2026/03/open-vsx-bug-let-malicious-vs-code.html
800,000 WordPress Sites Affected By Arbitrary File Read Vulnerability In Smart Slider 3 WordPress Plugin
"On February 23, 2026, we received a submission for an Arbitrary File Read vulnerability in Smart Slider 3, a WordPress plugin with an estimated more than 800,000 active installations. This vulnerability makes it possible for an authenticated attacker, with subscriber-level permissions or higher, to read arbitrary files on the server, which may contain sensitive information. Props to Dmitrii Ignatyev who discovered and responsibly reported this vulnerability through the Wordfence Bug Bounty Program. This researcher earned a bounty of $2,208.00 for this discovery."
https://www.wordfence.com/blog/2026/03/800000-wordpress-sites-affected-by-arbitrary-file-read-vulnerability-in-smart-slider-3-wordpress-plugin/
https://www.bleepingcomputer.com/news/security/file-read-flaw-in-smart-slider-plugin-impacts-500k-wordpress-sites/

Malware

Popular Telnyx Package Compromised On PyPI By TeamPCP
"This morning's telnyx compromise is the latest move in what is now a weeks-long TeamPCP supply chain campaign crossing multiple ecosystems. Trivy. Checkmarx. LiteLLM. And now Telnyx on PyPI, uploaded hours ago at 03:51 UTC on March 27. The pattern is consistent: steal credentials from a trusted security tool, use those credentials to push malicious versions of whatever that tool had access to, collect whatever's running in the next environment, repeat."
https://www.aikido.dev/blog/telnyx-pypi-compromised-teampcp-canisterworm
https://socket.dev/blog/telnyx-python-sdk-compromised
https://www.endorlabs.com/learn/teampcp-strikes-again-telnyx-compromised-three-days-after-litellm
https://thehackernews.com/2026/03/teampcp-pushes-malicious-telnyx.html
https://www.bleepingcomputer.com/news/security/backdoored-telnyx-pypi-package-pushes-malware-hidden-in-wav-audio/
https://www.infosecurity-magazine.com/news/teampcp-targets-telnyx-pypi-package/
https://www.helpnetsecurity.com/2026/03/27/teampcp-telnyx-supply-chain-compromise/
Dutch Police Discloses Security Breach After Phishing Attack
"The Dutch National Police (Politie) says a security breach resulting from a successful phishing attack has had a limited impact and hasn't affected citizens' data. It also stated that the incident is still under investigation by the agency's security experts and that the attackers' access to compromised systems has been blocked. "The police have been the target of a phishing attack. The police's Security Operations Center detected the incident very quickly and immediately blocked access," the police said in a Wednesday press release."
https://www.bleepingcomputer.com/news/security/dutch-police-discloses-security-breach-after-phishing-attack/
Widespread GitHub Campaign Uses Fake VS Code Security Alerts To Deliver Malware
"A large-scale phishing campaign is targeting developers directly inside GitHub, using fake Visual Studio Code security alerts posted through Discussions to trick users into installing malicious software. Here's one example, saved to the Internet Archive, as we assume these will quickly be taken down:"
https://socket.dev/blog/widespread-github-campaign-uses-fake-vs-code-security-alerts-to-deliver-malware
https://www.bleepingcomputer.com/news/security/fake-vs-code-alerts-on-github-spread-malware-to-developers/
China’s APT41 And The Expanding Enterprise Attack Surface: What Security Teams Must Prepare For
"The modern enterprise attack surface is no longer confined to corporate networks and endpoints; it now stretches across cloud workloads, supply chains, remote devices, and even operational technology environments. Within this fragmented landscape, the activities of the APT41 threat group stand out as a signal of how hackers and adversaries are adapting. Known for blending state-sponsored espionage with financially motivated operations, APT41 represents a dual-purpose threat model that security teams can no longer afford to treat as an edge case."
https://cyble.com/blog/apt41-enterprise-attack-surface-cyber-risk/
New BianLian Ransomware Activity Detected: SVG Phishing Campaign Targeting Venezuelan Companies
"WatchGuard telemetry identified some malicious files being downloaded by victims, and almost all of them originated in Venezuela, indicating a possible malicious campaign targeting companies in this country. The malicious files are distributed via phishing emails that have a SVG file with a filename in Spanish, generally indicating invoices, receipts, or budgets. SVG stands for Scalable Vector Graphics, a file format for two-dimensional vector images. It allows images to be scaled without loss of quality, making it ideal for web graphics like logos and illustrations."
https://www.watchguard.com/wgrd-security-hub/secplicity-blog/new-bianlian-ransomware-activity-detected-svg-phishing-campaign
https://hackread.com/bianlian-ransomware-fake-invoice-svg-images-attacks/
Bogus Avast Website Fakes Virus Scan, Installs Venom Stealer Instead
"A fake website impersonating Avast antivirus is tricking people into infecting their own computers. The site looks legitimate, runs what appears to be a virus scan, and claims your system is full of threats. But the results are fake: when you’re prompted to “fix” the problem, the download you’re given is actually Venom Stealer—a type of malware designed to steal passwords, session cookies, and cryptocurrency wallet data. This is a classic scare-and-fix scam: create panic, then offer a solution. In this case, the “solution” abuses the trusted Avast brand to deliver the attack."
https://www.malwarebytes.com/blog/threat-intel/2026/03/bogus-avast-website-fakes-virus-scan-installs-venom-stealer-instead
NICKEL ALLEY Strategy: Fake It ‘til You Make It
"Counter Threat Unit (CTU) researchers continue to investigate trends in Contagious Interview campaign activity conducted by NICKEL ALLEY, a threat group operating on behalf of the North Korean government. The group notoriously targets professionals in the technology sector by advertising fake job opportunities, deceiving prospective candidates through a fake job interview process, and ultimately delivering malware. In targeted attacks, NICKEL ALLEY often creates a fake LinkedIn company page to build credibility and maintains a coordinating GitHub account for malware delivery. In some instances, the threat actors have used the popular ‘ClickFix’ tactic to deliver malware via fake job skills assessment tasks. Additionally, the group has conducted opportunistic attacks by compromising npm package repositories and establishing typosquatted npm packages. Figure 1 highlights NICKEL ALLEY’s three areas of focus."
https://www.sophos.com/en-us/blog/nickel-alley-strategy-fake-it-til-you-make-it
Citrix NetScaler Under Active Recon For CVE-2026-3055 (CVSS 9.3) Memory Overread Bug
"A recently disclosed critical security flaw impacting Citrix NetScaler ADC and NetScaler Gateway is witnessing active reconnaissance activity, according to Defused Cyber and watchTowr. The vulnerability, CVE-2026-3055 (CVSS score: 9.3), refers to a case of insufficient input validation leading to memory overread, which an attacker could exploit to leak potentially sensitive information. Per Citrix, successful exploitation of the flaw hinges on the appliance being configured as a SAML Identity Provider (SAML IDP)."
https://thehackernews.com/2026/03/citrix-netscaler-under-active-recon-for.html
https://securityaffairs.com/190131/hacking/urgent-alert-netscaler-bug-cve-2026-3055-probed-by-attackers-could-leak-sensitive-data.html
TA446 Deploys DarkSword iOS Exploit Kit In Targeted Spear-Phishing Campaign
"Proofpoint has disclosed details of a targeted email campaign in which threat actors with ties to Russia are leveraging the recently disclosed DarkSword exploit kit to target iOS devices. The activity has been attributed with high confidence to the Russian state-sponsored threat group known as TA446, which is also tracked by the broader cybersecurity community under the monikers Callisto, COLDRIVER, and Star Blizzard (formerly SEABORGIUM). It's assessed to be affiliated with Russia's Federal Security Service (FSB). The hacking group is known for spear-phishing campaigns aimed at harvesting credentials from targets of interest. However, attacks mounted by the threat actor over the past year have targeted victims' WhatsApp accounts, as well as leveraged various custom malware families to steal sensitive data."
https://thehackernews.com/2026/03/ta446-deploys-leaked-darksword-ios.html
A Cunning Predator: How Silver Fox Preys On Japanese Firms This Tax Season
"Japan has entered its annual tax filing and organizational change season, a period when companies generate a high volume of legitimate financial and HR‑related communications. A threat actor known as Silver Fox is actively exploiting this busy period by conducting a targeted spearphishing campaign against Japanese manufacturers and other businesses. The ongoing campaign uses convincing phishing lures related to tax compliance violations, salary adjustments, job position changes, and employee stock ownership plans. All emails share the same goal – trick the recipients into opening malicious links or attachments. As employees actually expect to receive emails about these subjects this time of year, they’re more likely to trust and act on such messages without a second thought. Needless to say, this significantly increases the risk of compromise."
https://www.welivesecurity.com/en/business-security/cunning-predator-how-silver-fox-preys-japanese-firms-tax-season/

Breaches/Hacks/Leaks

European Commission Investigating Breach After Amazon Cloud Account Hack
"The European Commission, the European Union's main executive body, is investigating a security breach after a threat actor gained access to the Commission's Amazon cloud environment. Although the EU's executive cabinet has yet to disclose the incident publicly, BleepingComputer has learned that the breach affected at least one of the Commission's AWS (Amazon Web Services) accounts. "AWS did not experience a security event, and our services operated as designed," an AWS spokesperson told BleepingComputer after publishing time."
https://www.bleepingcomputer.com/news/security/european-commission-investigating-breach-after-amazon-cloud-account-hack/
https://securityaffairs.com/190067/data-breach/the-european-commission-confirmed-a-cyberattack-affecting-part-of-its-cloud-systems.html
https://hackread.com/shinyhunters-350gb-data-breach-european-commission/
https://securityaffairs.com/190095/data-breach/shinyhunters-claims-the-hack-of-the-european-commission.html
ShinyHunters Walk Away From BreachForums, Leak 300,000-User Database
"The infamous ShinyHunters hacker group has stepped away from BreachForums, calling it a “waste of time” after the FBI seizure in October 2025. At the same time, the group has released an updated database affecting more than 300,000 BreachForums users. Early checks indicate that even recently created accounts are included in the leak. Analysis of the leaked data by Hackread.com confirms that it contains full account profiles, not just basic user credentials."
https://hackread.com/shinyhunters-breachforums-leak-300000-user-database/
Pro-Iranian Hacking Group Claims Credit For Hack Of FBI Director Kash Patel’s Personal Account
"A pro-Iranian hacking group claimed Friday to have hacked an account of FBI Director Kash Patel and has posted online what appear to be years-old photographs of him, along with a work resume and other personal documents. Many of those records appeared to be more than a decade old. “Kash Patel, the current head of the FBI, who once saw his name displayed with pride on the agency’s headquarters, will now find his name among the list of successfully hacked victims,” said a message posted Friday from the group Handala."
https://www.securityweek.com/pro-iranian-hacking-group-claims-credit-for-hack-of-fbi-director-kash-patels-personal-account/
https://therecord.media/fbi-confirms-theft-of-directors-personal-emails-iran-group
https://thehackernews.com/2026/03/iran-linked-hackers-breach-fbi.html
https://www.bleepingcomputer.com/news/security/fbi-confirms-hack-of-director-patels-personal-email-inbox/
https://cyberscoop.com/handala-hackers-target-fbi-director-kash-patel-email/
https://www.bankinfosecurity.com/handala-hacks-fbi-director-kash-patels-personal-email-a-31244
https://hackread.com/iran-handala-hackers-fbi-chief-kash-patel-gmail-breach/
https://securityaffairs.com/190088/intelligence/iran-linked-group-handala-hacked-fbi-director-kash-patels-personal-email-account.html

General News

Security Boffins Scoured The Web And Found Hundreds Of Valid API Keys
"Computer security boffins have conducted an analysis of 10 million websites and found almost 2,000 API credentials strewn across 10,000 webpages. The researchers detail their findings in a preprint paper titled "Keys on Doormats: Exposed API Credentials on the Web," and say they conducted the study because much of the attention on exposed credentials has focused on scouring code repositories and source code. They argue that dynamic analysis of production websites is essential to understand the scope of the problem."
https://www.theregister.com/2026/03/27/security_boffins_harvest_bumper_crop/
https://arxiv.org/abs/2603.12498
Security Leaders Say The Next Two Years Are Going To Be ‘insane’
"Every RSA Conference has its buzzwords. Cloud. Ransomware. Zero trust. Plastered across the 87-acre Moscone Center complex on every booth, banner and bar. This year was AI, with vendors pitching AI-powered solutions to every security problem imaginable. But 2026 stood out for a different reason: Industry leaders spent the conference warning about disruption from the very technology everyone was selling."
https://cyberscoop.com/ai-cyberattacks-two-years-insane-vulnerabilities-kevin-mandia-alex-stamos-morgan-adamski-rsac-2026/
Wartime Usage Of Compromised IP Cameras Highlight Their Danger
"Compromised Internet-connected cameras — once the fodder of botnet operators and online voyeurs — have become an important military asset in recent conflicts, with Russian and Ukrainian forces hacking cameras to gather intelligence on the other side, Iran using compromised devices for targeted strikes, and a joint US-Israeli mission reportedly relying on connected cameras for the successful strike on Iran's leader. In the latest incident, Israel and the US reportedly hijacked Iran's network of traffic cameras, which the government used to surveil protesters and to track the movements of Iranian leader Ayatollah Ali Khamenei prior to targeting him with an air strike, killing him on Feb. 28, according to reports this month by the Financial Times and the Associated Press. Following that attack, Iran responded by increasing its attempts to gain eyes in Israel, Qatar, Bahrain, Kuwait, the United Arab Emirates, and Cyprus, according to a report from Israeli cybersecurity firm Check Point Software."
https://www.darkreading.com/cyber-risk/wartime-usage-of-compromised-ip-cameras-highlight-their-danger
Disrupting Cybercrime Networks At Scale Requires Sustained Global Collaboration
"Cybercrime today operates less like isolated criminal activity and more like a globalized digital economy in which specialized actors provide services, infrastructure, and expertise that allow attacks to scale efficiently across borders. Ransomware groups rely on initial access brokers to obtain footholds into enterprise networks, malware developers package tools for sale in underground marketplaces, and money-laundering networks specialize in converting illicit gains into financial assets that can move through global financial systems. Taken together, these roles form an industrialized criminal supply chain that mirrors many characteristics of legitimate digital economies. More, the rise of shadow agents is poised to accelerate growth of the cybercriminal ecosystem."
https://www.fortinet.com/blog/industry-trends/disrupting-cybercrime-networks-at-scale-requires-sustained-global-collaboration
Quantum Frontiers May Be Closer Than They Appear
"Google’s introducing a 2029 timeline to secure the quantum era with post-quantum cryptography (PQC) migration. Last month, we called to secure the quantum era before a future quantum computer can break current encryption. This new timeline reflects migration needs for the PQC era in light of progress on quantum computing hardware development, quantum error correction, and quantum factoring resource estimates. As a pioneer in both quantum and PQC, it’s our responsibility to lead by example and share an ambitious timeline. By doing this, we hope to provide the clarity and urgency needed to accelerate digital transitions not only for Google, but also across the industry."
https://blog.google/innovation-and-ai/technology/safety-security/cryptography-migration-timeline/
https://www.darkreading.com/application-security/google-2029-deadline-quantum-safe-cryptography
https://cyberscoop.com/google-moves-post-quantum-encryption-timeline-to-2029/
https://www.infosecurity-magazine.com/news/quantum-encryption-q-day-closer/
https://www.bankinfosecurity.com/googles-2029-quantum-deadline-wake-up-call-a-31247
https://hackread.com/google-2029-deadline-quantum-computers-encryption/
https://www.helpnetsecurity.com/2026/03/26/google-pqc-migration-timeline-2029/

อ้างอิง
Electronic Transactions Development Agency (ETDA)

NCSA_THAICERT

Energy Sector

The Energy Sector’s Ransomware Nightmare: Why Critical Infrastructure Can’t Catch a Break
"Let’s talk about the sector that keeps our lights on, water running, and industries humming—and why it’s become ransomware’s favorite target. In 2025, the global energy and utilities sector faced 187 confirmed ransomware attacks. Not attempts. Confirmed, successful intrusions where attackers locked systems, stole data, and demanded payment. And that’s just what we know about. If you think that number sounds alarming, you’re paying attention."
https://cyble.com/blog/energy-sector-ransomware-attack-report/

Industrial Sector

WAGO GmbH & Co. KG Industrial Managed Switches
"An unauthenticated remote attacker can exploit a hidden function in the CLI prompt to escape the restricted interface, leading to full compromise of the device."
https://www.cisa.gov/news-events/ics-advisories/icsa-26-085-01
PTC Windchill Product Lifecycle Management
"Successful exploitation of this vulnerability could allow an attacker to achieve remote code execution."
https://www.cisa.gov/news-events/ics-advisories/icsa-26-085-03
OpenCode Systems OC Messaging And USSD Gateway
"Successful exploitation of this vulnerability could allow an authenticated low-privileged user to gain access to SMS messages outside of their authorized tenant scope via a crafted company or tenant identifier parameter."
https://www.cisa.gov/news-events/ics-advisories/icsa-26-085-02

Vulnerabilities

BIND Updates Patch High-Severity Vulnerabilities
"Internet Systems Consortium (ISC) on Wednesday rolled out a fresh round of BIND 9 updates to resolve four vulnerabilities, including two high-severity bugs. Tracked as CVE-2026-3104, the first high-severity flaw is described as a memory leak issue impacting code preparing DNSSEC proofs of non-existence. The security defect can be exploited via crafted domains to cause a memory leak in BIND resolvers. Authoritative servers may not be impacted, ISC notes in its advisory."
https://www.securityweek.com/bind-updates-patch-high-severity-vulnerabilities-2/
CISA Adds One Known Exploited Vulnerability To Catalog
"CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
CVE-2026-33634 Aqua Security Trivy Embedded Malicious Code Vulnerability"
https://www.cisa.gov/news-events/alerts/2026/03/26/cisa-adds-one-known-exploited-vulnerability-catalog
TP-Link, Canva, HikVision Vulnerabilities
"Cisco Talos’ Vulnerability Discovery & Research team recently disclosed a vulnerability in HikVision, as well as 10 in TP-Link, and 19 in Canva. The vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in adherence to Cisco’s third-party vulnerability disclosure policy. For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website."
https://blog.talosintelligence.com/tp-link-canva-hikvision-vulnerabilities/
Cisco Patches Multiple Vulnerabilities In IOS Software
"Cisco on Wednesday announced patches for a dozen high- and medium-severity vulnerabilities in IOS and IOS XE, most of which could be exploited to cause denial-of-service (DoS) conditions. The patches were rolled out as part of Cisco’s semiannual IOS and IOS XE security advisory bundle. While none of the bugs appear to have been exploited in the wild, technical information on four of them has been published. The publicly disclosed issues, tracked as CVE-2026-20110, CVE-2026-20112, CVE-2026-20113, and CVE-2026-20114, are medium-severity defects affecting Cisco Catalyst 9300 Series switches."
https://www.securityweek.com/cisco-patches-multiple-vulnerabilities-in-ios-software/

Malware

BPFdoor In Telecom Networks: Sleeper Cells In The Backbone
"A months-long investigation by Rapid7 Labs has uncovered evidence of an advanced China-nexus threat actor, Red Menshen, placing some of the stealthiest digital sleeper cells the team has ever seen in telecommunications networks. The goal of these campaigns is to carry out high-level espionage, including against government networks. Telecommunications networks are the central nervous system of the digital world. They carry government communications, coordinate critical industries, and underpin the digital identities of billions of people. When these networks are compromised, the consequences extend far beyond a single provider or region. That level of access is, and should be, a national concern as it compromises not just one company or organization, but the communications of entire populations. Over the past decade, telecom intrusions have been reported across multiple countries. In several cases, state-backed actors accessed call detail records, monitored sensitive communications, and exploited trusted interconnections between operators. While these incidents often appear isolated, a broader pattern is emerging."
https://www.rapid7.com/blog/post/tr-bpfdoor-telecom-networks-sleeper-cells-threat-research-report/
https://thehackernews.com/2026/03/china-linked-red-menshen-uses-stealthy.html
https://www.securityweek.com/chinese-hackers-caught-deep-within-telecom-backbone-infrastructure/
https://www.helpnetsecurity.com/2026/03/26/telecom-bpfdoor-detection-script/
Attackers Are Now Targeting Business TikTok Accounts Using Session-Stealing Phishing Kits
"We recently detected and blocked a new style of phishing page targeting TikTok for Business accounts — used by company marketing teams to manage ad campaigns. On closer analysis, we identified a cluster of linked pages featuring both TikTok themes, and Google themed “Schedule a Call” imitation pages, similar to a campaign reported late last year, suggesting a continuity of this previous campaign."
https://pushsecurity.com/blog/tiktok-phishing
https://www.bleepingcomputer.com/news/security/tiktok-for-business-accounts-targeted-in-new-phishing-campaign/
Coruna: The Framework Used In Operation Triangulation
"On March 4, 2026, Google and iVerify published reports about a highly sophisticated exploit kit targeting Apple iPhone devices. According to Google, the exploit kit was first discovered in targeted attacks conducted by a customer of an unnamed surveillance vendor. It was later used by other attackers in watering-hole attacks in Ukraine and in financially motivated attacks in China. Additionally, researchers discovered an instance with the debug version of the exploit kit, which revealed the internal names of the exploits and the framework name used by its developers — Coruna. Analysis of the kit showed that it relies on the exploitation of many previously patched vulnerabilities and also includes exploits for CVE-2023-32434 and CVE-2023-38606. These two vulnerabilities particularly caught our attention because they had been first discovered as zero-days used in Operation Triangulation."
https://securelist.com/coruna-framework-updated-operation-triangulation-exploit/119228/
https://thehackernews.com/2026/03/coruna-ios-kit-reuses-2023.html
https://www.bleepingcomputer.com/news/security/coruna-ios-exploit-framework-linked-to-triangulation-attacks/
https://securityaffairs.com/190010/security/coruna-exploit-reveals-evolution-of-triangulation-ios-exploitation-framework.html
Xiaomi Phishing Attempt - Red Flags You Can't Afford To Ignore
"Xiaomi, founded in 2010, has grown into a global technology brand known for delivering powerful smartphones and smart devices at competitive prices. With a strong presence in China, India, Southeast Asia, and parts of Europe, the company has built a loyal user base by combining innovation, sleek design, and value-driven technology. Because of its massive global footprint, Xiaomi accounts and services can become attractive targets for cybercriminals. Threat actors often exploit the company’s popularity by crafting phishing emails that appear to come from trusted Xiaomi sources such as HR, IT support, or account services. These emails are designed to look legitimate and often create a sense of urgency, encouraging recipients to click on malicious links before they have time to verify the message."
https://cofense.com/blog/xiaomi-phishing-attempt-red-flags-you-can-t-afford-to-ignore
Quish Splash - When The QR Code Is The Weapon: A Multi-Wave Phishing Campaign That Slipped Past Every Filter.
"Over a 20-day period, a threat actor identified by 7AI conducted a multi-wave QR code phishing campaign against a large enterprise, while targeting many others in parallel. Tracking data suggests the campaign scaled significantly, with over 1.6 million emails sent between waves to other organizations. In this environment, 33 emails were sent to 32 unique recipients across three waves. Of those emails, 28 were delivered directly to inboxes. Zero were blocked, and no automated remediation occurred."
https://blog.7ai.com/quish-splash-when-the-qr-code-is-the-weapon-a-multi-wave-phishing-campaign-that-slipped-past-every-filter
https://hackread.com/quish-splash-qr-code-phishing-hits-users/
From Phishing To Exfiltration: A Deep Dive Into PXA Stealer
"CyberProof MDR analysts and Threat Researchers have identified a significant surge in PXA Stealer activity targeting global financial institutions during Q1 2026. These campaigns primarily leverage phishing emails containing malicious URLs that trigger the download of compromised ZIP attachments. Threat actors have demonstrated high levels of adaptability, utilizing diverse lures ranging from curriculum vitae and Adobe Photoshop installers to tax forms and legal documentation. This opportunistic approach highlights the attackers’ ability to target a broad spectrum of victims. Following the 2025 takedowns of major infostealers such as Lumma, Rhadamanthys, and RedLine, CyberProof observes that PXA Stealer activity has filled the resulting vacuum, seeing an estimated growth of 8-10%."
https://www.cyberproof.com/blog/a-deep-dive-into-pxa-stealer/
https://hackread.com/financial-firms-rise-pxa-stealer-attacks/
Sonatype Discovers Two Malicious Npm Packages
"Sonatype Security Research has identified a potential compromise of a trusted npm maintainer account that has now published two malicious npm packages — sbx-mask and touch-adv — designed to exfiltrate secrets from victims' computers. The evidence strongly suggests account takeover of a legitimate publisher, rather than intentional malicious activity. Sonatype did not observe any indication that these were test packages, though touch-adv has now been removed. Hijacked publisher accounts are particularly concerning as, over time, maintainers build trust with the users of their components. Attackers aim to take advantage of that trust in order to steal valuable, or profitable, information."
https://www.sonatype.com/blog/sonatype-discovers-two-malicious-npm-packages
https://hackread.com/suspected-hijacked-developer-accounts-npm-malware/
Infiniti Stealer: a New MacOS Infostealer Using ClickFix And Python/Nuitka
"A previously undocumented macOS infostealer has surfaced during our routine threat hunting. We initially tracked it as NukeChain, but shortly before publication, the malware’s operator panel became publicly visible, revealing its real name: Infiniti Stealer. This malware is designed to steal sensitive data from Macs. It spreads through a fake CAPTCHA page that tricks users into running a command themselves: a technique known as ClickFix. Instead of exploiting a bug, it relies on social engineering."
https://www.malwarebytes.com/blog/threat-intel/2026/03/infiniti-stealer-a-new-macos-infostealer-using-clickfix-and-python-nuitka
ShadowPrompt: How Any Website Could Have Hijacked Claude's Chrome Extension
"Anthropic's Claude Chrome Extension has over 3 million users. It's an AI assistant in your browser sidebar that can navigate pages, read content, execute JavaScript, and interact with websites on your behalf. We found a vulnerability that allowed any website to silently inject prompts into that assistant as if the user wrote them. No clicks, no permission prompts. Just visit a page, and an attacker completely controls your browser."
https://www.koi.ai/blog/shadowprompt-how-any-website-could-have-hijacked-anthropic-claude-chrome-extension
https://thehackernews.com/2026/03/claude-extension-flaw-enabled-zero.html
Pro-Ukraine Hacker Group Bearlyfy Targets Russian Companies With Custom Ransomware
"A pro-Ukrainian hacker group known as Bearlyfy has carried out more than 70 cyberattacks against Russian companies over the past year and is now escalating its campaign with newly developed ransomware tools, researchers have found. Bearlyfy first appeared in January 2025 and initially targeted smaller Russian businesses. In its early operations, the attackers showed limited skills and demanded modest ransoms of only a few thousand dollars, according to a report by the Russian cybersecurity firm F6. “Within a year this group has become a real nightmare for large Russian businesses,” researchers said, adding that the group’s ransom demands in recent attacks have grown to hundreds of thousands of dollars."
https://therecord.media/ransomware-ukraine-russia-bearlyfy
Indian Government Probes CCTV Espionage Operation Linked To Pakistan
"Indian authorities have reportedly ordered an audit of the nation’s CCTV cameras, after police uncovered what they claim was a Pakistan-backed surveillance operation. This story begins on March 14th, when police in Ghaziabad – a city adjacent to India’s capital Delhi – announced they had arrested suspects after finding CCTV cameras aimed at railway stations and other infrastructure. The solar-powered cameras streamed video over cellular networks – perhaps using accounts tied to stolen SIM cards – to viewers in Pakistan. Indian authorities investigated further and found multiple cameras in other locations, all located near important infrastructure. It’s alleged that Pakistan-backed operatives recruited Indian citizens to install the cameras."
https://www.theregister.com/2026/03/26/india_pakistan_cctv/
Pawn Storm Campaign Deploys PRISMEX, Targets Government And Critical Infrastructure Entities
"Prolific Russian-aligned cyber espionage group Pawn Storm has deployed a new malware suite that TrendAI Research identifies as PRISMEX. The APT group also known as APT28, Fancy Bear, UAC-0001 and Forest Blizzard in its latest observed campaigns target the operational backbone of Ukrainian defense and Western humanitarian and military aid infrastructure. The campaigns, which have been active since at least September 2025, significantly escalated in January 2026, and continue the long-lasting brazen attacks that Pawn Storm deploys against Ukraine since 2014."
https://www.trendmicro.com/en_us/research/26/c/pawn-storm-targets-govt-infra.html
Converging Interests: Analysis Of Threat Clusters Targeting a Southeast Asian Government
"Unit 42 researchers uncovered a series of cyberespionage campaigns targeting a government organization in Southeast Asia. Our initial investigation began with tracking Stately Taurus activity between June 1–Aug. 15, 2025. This activity involves USB-propagated malware called USBFect (aka HIUPAN), which deploys a PUBLOAD backdoor. Our investigation led to the discovery of two additional, distinct activity clusters we’re tracking as CL-STA-1048 and CL-STA-1049."
https://unit42.paloaltonetworks.com/espionage-campaigns-target-se-asian-government-org/
Honey For Hackers: A Study Of Attacks Targeting The Recent CVE-2026-21962 And Other Critical WebLogic * Vulnerabilities On a High Interactive Oracle Honeypot
"This report analyzes attack data collected from a high-interaction honeypot simulating a vulnerable Oracle WebLogic Server (v14.1.1.0.0) over a 12-day period (Jan 22 - Feb 3, 2026). The primary focus is the immediate and widespread exploitation of the newly disclosed, critical unauthenticated Remote Code Execution (RCE) vulnerability, CVE-2026-21962 (CVSS: 10.0). Attack attempts targeting this zero-day-like flaw were observed immediately following the public release of its exploit code, demonstrating the rapid weaponization of critical Oracle WebLogic vulnerabilities. In addition to CVE-2026-21962, the honeypot captured attacks targeting other persistent, critical WebLogic RCE flaws, including CVE-2020-14882/14883 (Console RCE), CVE-2020-2551 (IIOP RCE), and CVE-2017-10271 (WLS-WSAT RCE). This confirms that threat actors continue to rely on a small set of highly-effective, simple-to-exploit vulnerabilities to compromise WebLogic environments."
https://www.cloudsek.com/blog/honey-for-hackers-a-study-of-attacks-targeting-the-recent-cve-2026-21962-and-other-critical-weblogic-vulnerabilities-on-a-high-interactive-oracle-honeypot
https://www.infosecurity-magazine.com/news/critical-oracle-weblogic-rce/
EtherRAT & SYS_INFO Module: C2 On Ethereum (EtherHiding), Target Selection, CDN-Like Beacons
"In March 2026, eSentire's Threat Response Unit (TRU) detected EtherRAT in a customer's environment in the Retail industry. EtherRAT is a Node.js-based backdoor reportedly linked by Sysdig to a North Korean advanced persistent threat (APT) group due to significant overlaps with "Contagious Interview" tactics, techniques, and procedures (TTPs). EtherRAT allows threat actors to run arbitrary commands on compromised hosts, gather extensive system information, and steal assets such as cryptocurrency wallets and cloud credentials. Command-and-Control (C2) addresses are retrieved using "EtherHiding", a technique to make C2 addresses more resilient by storing and updating them in Ethereum smart contracts, allowing threat actors to rotate infrastructure at a small cost and avoid takedowns by law enforcement. After retrieving the C2 address through public Ethereum RPC providers, the malware blends in with normal network traffic through CDN-like beaconing."
https://www.esentire.com/blog/etherrat-sys-info-module-c2-on-ethereum-etherhiding-target-selection-cdn-like-beacons
https://www.infosecurity-magazine.com/news/etherrat-bypass-security-ethereum/
From Invitation To Infection: How SILENTCONNECT Delivers ScreenConnect
"Elastic Security Labs is observing malicious campaigns delivering a multi-stage infection involving a previously undocumented loader. The infection begins when users are diverted to a Cloudflare Turnstile CAPTCHA page under the guise of a digital invitation. After the link is clicked, a VBScript file is downloaded to the machine. Upon execution, the script retrieves C# source code, which is then compiled and executed in memory using PowerShell. The final payload observed in these campaigns is ScreenConnect, a remote monitoring and management (RMM) tool used to control victim machines. This campaign highlights a common theme: attackers abusing living-off-the-land binaries (LOLBins) to facilitate execution, as well as using trusted hosting providers such as Google Drive and Cloudflare. While the loader is small and straightforward, it appears to be quite effective and has remained under the radar since March 2025."
https://www.elastic.co/security-labs/silentconnect-delivers-screenconnect

Breaches/Hacks/Leaks

Ajax Football Club Hack Exposed Fan Data, Enabled Ticket Hijack
"Dutch professional football club Ajax Amsterdam (AFC Ajax) disclosed that a hacker exploited vulnerabilities in its IT systems and accessed data belonging to a few hundred people. The security issues also allowed transferring purchased tickets to others and enabled modifications to stadium bans imposed to certain individuals. The club learned about the security issues and their effect from journalists who were tipped off by the hacker. AFC Ajax is one of the most successful football clubs, winning the UEFA Champions League four times and with 36 Eredivisie titles, the premier professional football league in the Netherlands."
https://www.bleepingcomputer.com/news/security/ajax-football-club-hack-exposed-fan-data-enabled-ticket-hijack/
Hightower Holding Data Breach Impacts 130,000
"Hightower Holding, the parent company of financial management services provider Hightower Advisors, is notifying over 130,000 individuals of a data breach. Operating as a holding company, Hightower Holding provides financial management, retirement planning, wealth and investment advisory, and other services through subsidiaries such as Hightower Advisors, Hightower Securities, and Hightower Trust Company. In a written notification letter sent to the impacted individuals this week, the company revealed that it fell victim to a cyberattack in early January 2026, and that the hackers exfiltrated certain files from its environment between January 8 and 9."
https://www.securityweek.com/hightower-holding-data-breach-impacts-130000/

General News

UK Crackdown On Vile Scam Centres Steps Up With Sanctions On Illicit Crypto Network
"A cryptocurrency network through which stolen personal data can be sold to fraudsters is sanctioned today as part of efforts to dismantle a network of ‘scam centres’, protect British nationals from online fraud, and prevent the exploitation of trafficked victims. Across Southeast Asia, scam centres are using sophisticated schemes, including scams in which people are lured into fake romantic relationships, to defraud victims on an industrial scale, including in the UK. Those conducting the scams are often trafficked foreign nationals, who have been lured into purpose-built scam compounds under the pretence of legitimate jobs, only to be trapped and forced to carry out online fraud under the threat of torture."
https://www.gov.uk/government/news/uk-crackdown-on-vile-scam-centres-steps-up-with-sanctions-on-illicit-crypto-network
https://www.bleepingcomputer.com/news/security/uk-sanctions-xinbi-marketplace-linked-to-asian-scam-centers/
https://therecord.media/xinbi-crypto-marketplace-sanctioned
Suspected RedLine Infostealer Malware Admin Extradited To US
"An Armenian suspect was extradited to the United States to face criminal charges for allegedly helping manage RedLine, one of the most prolific infostealer malware operations in recent years. Hambardzum Minasyan was arrested on Monday, March 23, and appeared in federal court in Austin on Tuesday, when U.S. prosecutors accused him of registering virtual private servers that were part of RedLine's infrastructure and two web domains used during RedLine attacks. He also allegedly registered a cryptocurrency account in November 2021 that the RedLine cybercrime gang used to receive affiliate payments and created online file-sharing repositories used to distribute the malware to affiliates."
https://www.bleepingcomputer.com/news/security/suspected-redline-infostealer-administrator-extradited-to-us/
https://therecord.media/redline-malware-developer-extradited-to-us-faces-30-years
https://www.securityweek.com/alleged-redline-malware-administrator-extradited-to-us/
https://www.helpnetsecurity.com/2026/03/26/redline-infostealer-developer-extradited-us-charged/
Automotive Cybersecurity Threats Grow In Era Of Connected, Autonomous Vehicles
"Automotive security has made great strides over the past 10 years, ever since a pair of researchers first demonstrated they could remotely take control of a Jeep Cherokee. However, threats to vehicles have also heightened, thanks to the increasingly connected nature of vehicles, Kamel Ghali, vice president of the nonprofit Car Hacking Village, and Julio Padilha, chief information security officer for Volkswagen & Audi South America, said at RSAC Conference this week. "A totally connected system means threats," Padilha said. "It's a dangerous situation. You have to be aware. You have to fix this to have a properly secured vehicle.""
https://www.darkreading.com/vulnerabilities-threats/automotive-cybersecurity-threats-grow-connected-autonomous-vehicles
How Organizations Can Use Blunders To Level Up Their Security Programs
"Regardless of sector or size, organizations keep making the same cybersecurity mistakes. Ports exposed to the Internet, passwords that are weak or reused, poor patching practices, and insufficient logging and monitoring are among the most common weaknesses that result in data breaches. In some cases, attackers abuse those security gaps to breach an organization's defenses and cause wider damage. But mistakes also offer organizations plenty of learning opportunities, Megan Benoit, lead security engineer at Nebraska Medicine, said in a presentation at this week's RSAC Conference. Benoit shared eight common mistakes she's observed on the job over the last 20 years; if she had more time, she could highlight even more, she said."
https://www.darkreading.com/cybersecurity-operations/blunders-level-up-security-programs
Making AI Software Development Safe At Machine Scale
"AI models are becoming highly effective at generating code, but they remain structurally weak at dependency decisions. In Part 1 of this study, published in the 2026 State of the Software Supply Chain Report, Sonatype analyzed 36,870 dependency upgrade recommendations across Maven Central, npm, PyPI, and NuGet against GPT-5 and found that it often recommended versions, upgrade paths, or fixes that did not hold up in real software ecosystems. In practice, those failures drive wasted AI spend, wasted developer time, unresolved vulnerability exposure, and technical debt before code reaches production."
https://www.sonatype.com/resources/research/making-ai-work-safely
https://www.darkreading.com/application-security/ai-powered-dependency-decisions-security-bugs
Intermediaries Driving Global Spyware Market Expansion
"Efforts to shine a light on the activities of spyware vendors has grown more difficult because of the proliferation of intermediaries — the spyware resellers, exploit brokers, contractors, and partners that allow government and private entities to circumvent transparency laws and spyware restrictions, experts say. These intermediaries, which often can be governments in permissive states, have fueled the spread of spyware across the globe, according to a report from policy think tank Atlantic Council published on March 18. Atlantic Council researchers cited several examples, including a South African intermediary acting as a representative for Memento Labs to sell its Dante spyware to the local market, and a third-party firm reportedly helping Israeli firm Passitora sell its spyware product to Bangladesh, despite the two countries having no diplomatic relations and Bangladesh having banned imports from Israel."
https://www.darkreading.com/cyber-risk/intermediaries-driving-global-spyware-market-expansion
A Nearly Undetectable LLM Attack Needs Only a Handful Of Poisoned Samples
"Prompt engineering has become a standard part of how large language models are deployed in production, and it introduces an attack surface most organizations have not yet addressed. Researchers have developed and tested a prompt-based backdoor attack method, called ProAttack, that achieves attack success rates approaching 100% on multiple text classification benchmarks without altering sample labels or injecting external trigger words."
https://www.helpnetsecurity.com/2026/03/26/llm-backdoor-attack-research/
https://www.sciencedirect.com/science/article/abs/pii/S0957417424027234
Your Facilities Run On Fragile Supply Chains And Nobody Wants To Admit It
"In this Help Net Security interview, Christa Dodoo, Global Chair at IFMA, discusses how facility managers are managing supply chain risk in critical building systems. She explains how sourcing, localized redundancy, and flexible infrastructure design are being integrated into resilience planning. Dodoo also shares practical approaches such as regional vendor networks, alternative contracts, and strategic inventory to maintain continuity during disruptions."
https://www.helpnetsecurity.com/2026/03/26/christa-dodoo-ifma-facility-resilience-risk/
Who Owns AI Agent Access? At Most Companies, Nobody Knows
"AI agents are operating across production enterprise environments at scale, and the identity infrastructure managing their access has not kept up with their deployment. A January 2026 survey of 228 IT and security professionals, conducted by the Cloud Security Alliance, finds that the majority of organizations have AI agents active in core systems, with fragmented ownership of how those agents authenticate and what they can access."
https://www.helpnetsecurity.com/2026/03/26/ciso-ai-agent-identity-security-report/
Security Researchers Sound The Alarm On Vulnerabilities In AI-Generated Code
"Vibe coding tools like Anthropic's Claude Code are flooding software with new vulnerabilities, Georgia Tech researchers have warned. At least 35 new common vulnerabilities and exposures (CVE) entries were disclosed in March 2026 that were the direct result of AI-generated code. This is up from from six in January and 15 in February. The vulnerabilities are being tracked as part of the ‘Vibe Security Radar’ project which was started in May 2025 by the Systems Software & Security Lab (SSLab), part of Georgia Tech’s School of Cybersecurity and Privacy."
https://www.infosecurity-magazine.com/news/ai-generated-code-vulnerabilities/
Virtual Machines, Virtually Everywhere – And With Real Security Gaps
"Twenty years ago, almost to the day, Amazon Web Services (AWS) launched Simple Storage Service (S3). A few months later, the company’s Elastic Compute Cloud (EC2) service opened for public beta testing before rolling out officially in 2008. These events sparked the era of modern on-demand cloud storage and computing that changed how organizations of all sizes think about their IT infrastructure. Fast-forward to the present and you would be hard-pressed to find many organizations that haven’t ‘lifted and shifted’ at least part of their workloads to the cloud, or aren’t planning to do so soon. Indeed, some now run entirely in the cloud, while many others have paired cloud workloads, often in multi-cloud setups, with on-prem resources that won’t be retired anytime soon."
https://www.welivesecurity.com/en/business-security/virtual-machines-virtually-everywhere-real-security-gaps/

อ้างอิง
Electronic Transactions Development Agency (ETDA)

NCSA_THAICERT

พบแคมเปญ ClickFix ปลอมหน้า Cloudflare แพร่มัลแวร์ Infiniti Steale.png

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

NCSA_THAICERT

กลุ่ม ShinyHunters อ้างเจาะระบบคณะกรรมาธิการยุโรป.png

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

NCSA_THAICERT

แจ้งเตือน พบแฮกเกอร์เริ่มสแกนหาช่องโหว่ร.png

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand unnamed__5_-removebg-preview (1).png

A	admin
N	narisara.t
N	NCSA_THAICERT
N	NCSA_KANC
I	IT NCSA
A	atiwatt
อ	อบต.บาโงสะโต 1
N	NCSA
D	deen dbjk
T	tachanuanchainat
Y	yutthapong
S	saharit

administrators