สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

ศูนย์ประสานการรักษาความมั่นคงปลอดภัยระบบคอมพิวเตอร์แห่งชาติ (ThaiCERT) ได้ติดตามสถานการณ์ข่าวสารภัยคุกคามทางไซเบอร์ พบ Microsoft ออกแพตช์แก้ไขช่องโหว่ Zero-Day ใน Microsoft Defender หลังพบว่าช่องโหว่ดังกล่าวถูกนำไปใช้ในการโจมตีจริง [1]

1. รายละเอียดเหตุการณ์
   Microsoft ออกแพตช์แก้ไขช่องโหว่ Zero-Day ใน Microsoft Defender โดยมีช่องโหว่ที่สำคัญจำนวน 2 รายการดังนี้
   1.1 CVE-2026-41091 (CVSS v3.1: 7.8) เป็นช่องโหว่ประเภท Elevation of Privilege (EoP) ใน Microsoft Defender เกิดจากข้อบกพร่อง Improper Link Resolution Before File Access (Link Following / Symlink Handling) ซึ่งทำให้ Microsoft Defender ตรวจสอบหรือเข้าถึงไฟล์ผ่านลิงก์ (symbolic link / hard link) อย่างไม่ปลอดภัย ส่งผลให้ผู้โจมตีที่มีสิทธิ์ในเครื่องอยู่แล้วสามารถใช้ช่องโหว่นี้เพื่อยกระดับสิทธิ์ (Local Privilege Escalation) ไปสู่สิทธิ์ที่สูงขึ้นในระบบได้ [2]
   1.2 CVE-2026-45498 (CVSS v3.1: 7.5) เป็นช่องโหว่ประเภท Denial of Service (DoS) ใน Microsoft Defender ซึ่งอาจทำให้ผู้โจมตีสามารถทำให้บริการหรือกระบวนการของ Microsoft Defender หยุดทำงานหรือไม่สามารถให้บริการได้ (Availability Impact) ส่งผลให้ระบบป้องกันมัลแวร์อาจทำงานผิดปกติหรือหยุดตอบสนองชั่วคราว [3]

2. ผลกระทบที่อาจเกิดขึ้น
   2.1 ยกระดับสิทธิ์จากผู้ใช้ทั่วไปไปเป็น SYSTEM-level privileges
   2.2 ปิดการทำงานหรือหลบเลี่ยงการป้องกันของ Microsoft Defender
   2.3 เข้าถึงข้อมูลสำคัญหรือ Credential ภายในระบบ
   2.4 ใช้เป็นฐานการโจมตีไปยังระบบอื่น
   2.5 เพิ่มความสามารถในการคงอยู่ในระบบ (Persistence) และหลบเลี่ยงการตรวจจับของระบบรักษาความปลอดภัย

3. ระบบที่ได้รับผลกระทบ
   ระบบที่ใช้งาน Microsoft Defender Antivirus หรือ Microsoft Defender for Endpoint

4. แนวทางการป้องกันและแก้ไข
   4.1 ติดตั้งแพตช์ความปลอดภัยล่าสุดจาก Microsoft ทันที
   4.2 ตรวจสอบการยกระดับสิทธิ์ที่ผิดปกติ
   4.3 ตรวจสอบการปิดการทำงานของ Defender

5. มาตรการชั่วคราว (กรณียังไม่สามารถอัปเดตได้ทันที)
   5.1 จำกัดสิทธิ์ผู้ใช้งานภายใน
   5.2 เปิดใช้งาน Tamper Protection เพื่อป้องกันการแก้ไขค่าของ Microsoft Defender
   5.3 ใช้ Application Control / WDAC / AppLocker เพื่อลดโอกาสการรันโค้ดที่ไม่ได้รับอนุญาต
   5.4 เฝ้าระวัง Event Logs ที่เกี่ยวข้องกับ Defender Service, Security Center และ Privilege Escalation
   5.5 แยกระบบที่มีความเสี่ยงสูงออกจากเครือข่ายสำคัญ
   
   แหล่งอ้างอิง
   [1] https://dg.th/7w6lp1cg0u
   [2] https://dg.th/h9a71ny8k2
   [3] https://dg.th/lm57t0a1wx

ศูนย์ประสานการรักษาความมั่นคงปลอดภัยระบบคอมพิวเตอร์แห่งชาติ (ThaiCERT) ได้ติดตามสถานการณ์ข่าวสารภัยคุกคามทางไซเบอร์ พบ Microsoft ออกมาตรการป้องกันและแก้ไขช่องโหว่ความปลอดภัยใน ASP.NET Machine Key และ ASP.NET Core [1]

1. รายละเอียดช่องโหว่
   บริษัท Microsoft ได้ออกประกาศแจ้งเตือนด้านความมั่นคงปลอดภัยไซเบอร์เกี่ยวกับการโจมตีที่มุ่งเป้าไปยังระบบเว็บแอปพลิเคชันที่พัฒนาด้วย ASP.NET และ ASP.NET Core หมายเลข CVE-2026-45585 (CVSS v3.1: 6.8) หรือที่เรียกว่า “YellowKey” โดยพบว่าผู้ไม่หวังดีสามารถใช้ Machine Key ที่เปิดเผยสู่สาธารณะ หรือใช้ประโยชน์จากช่องโหว่ด้านการตรวจสอบ Cryptographic Signature Verification เพื่อปลอมแปลงข้อมูลยืนยันตัวตนและยกระดับสิทธิ์ในระบบได้ [2]

ทั้งนี้ หน่วยงานสามารถดูรายละเอียดเพิ่มเติมได้ที่ https://dg.th/wc6dv0xjog

2. ระบบที่ได้รับผลกระทบ ได้แก่
   • Microsoft.AspNetCore.DataProtection เวอร์ชัน 10.0.0 ถึง 10.0.6 โดยเฉพาะระบบที่ทำงานบน Linux, macOS และระบบ Non-Windows

3. พฤติกรรมการโจมตี
   ผู้โจมตีสามารถใช้ Machine Keys ที่รั่วไหลหรือถูกเผยแพร่สาธารณะ สร้าง ViewState ปลอมที่ผ่านการตรวจสอบความถูกต้องของระบบ ASP.NET ได้ เมื่อเซิร์ฟเวอร์ประมวลผลข้อมูลดังกล่าว ระบบจะทำการถอดรหัสและรันโค้ดอันตรายภายในหน่วยความจำของ IIS Web Server ส่งผลให้ผู้โจมตีสามารถควบคุมระบบจากระยะไกล (Remote Code Execution: RCE)

4. ผลกระทบ
   4.1 เข้าควบคุมเว็บเซิร์ฟเวอร์หรือระบบงานสำคัญ
   4.2 เข้าถึงข้อมูลสำคัญหรือข้อมูลส่วนบุคคล รวมถึงแก้ไขข้อมูลสำคัญภายในระบบ
   4.3 ปลอมแปลง Session, Cookie หรือ Password Reset Token
   4.4 ใช้ระบบที่ถูกโจมตีเป็นฐานสำหรับโจมตีระบบอื่นภายในองค์กร
   4.5 แก้ไขหรือลบข้อมูลสำคัญขององค์กร

5. แนวทางการป้องกันและลดความเสี่ยง
   5.1 อัปเดต Microsoft.AspNetCore.DataProtection เป็นเวอร์ชัน 10.0.7 หรือเวอร์ชันล่าสุดโดยทันที
   5.2 ตรวจสอบไฟล์ web.config และการตั้งค่าของ IIS ว่ามีการกำหนดค่า Machine Keys แบบ Static หรือไม่
   5.3 ตรวจสอบระบบย้อนหลังเพื่อค้นหาร่องรอยการฝัง Web Shell, Godzilla Framework เป็นต้น

6. มาตรการชั่วคราว (กรณียังไม่สามารถอัปเดตได้ทันที)
   6.1 Rotate ASP.NET Machine Keys และ Data Protection Keys ใหม่ทันที โดยสร้างกุญแจใหม่ที่มีความซับซ้อนสูง และไม่ใช้ค่าที่คัดลอกจากสาธารณะ หรือ Git Repository
   6.2 ปิดการใช้งาน Machine Keys แบบ Static
   6.3 จำกัดการเข้าถึงระบบจากภายนอก
   6.4 เปิดใช้งาน Web Application Firewall (WAF)
   6.5 ปิดฟังก์ชันหรือบริการที่ไม่จำเป็นชั่วคราว
   6.6 บังคับ Reset Session และ Authentication Token เป็นระยะ
   
   แหล่งอ้างอิง
   [1] https://dg.th/tfcokpxrz0
   [2] https://dg.th/wuarfe8z9j

เมื่อวันที่ 21 พฤษภาคม 2569 Cybersecurity and Infrastructure Security Agency (CISA) ได้เพิ่มช่องโหว่ใหม่ 2 รายการลงในแคตตาล็อก Known Exploited Vulnerabilities (KEV) จากหลักฐานที่พบว่ามีการโจมตีใช้งานจริงแล้ว มีรายละเอียดดังนี้

• CVE-2025-34291 Langflow Origin Validation Error Vulnerability
• CVE-2026-34926 Trend Micro Apex One (On-Premise) Directory Traversal Vulnerability

ทาง CISA จะปรับปรุงและเพิ่มช่องโหว่ใหม่เข้าสู่แคตตาล็อก KEV อย่างต่อเนื่อง เพื่อให้ครอบคลุมความเสี่ยงที่ตรวจพบจริงในปัจจุบันและอนาคต

อ้างอิง
https://www.cisa.gov/news-events/alerts/2026/05/21/cisa-adds-two-known-exploited-vulnerabilities-catalog
สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

Financial Sector

• 2026 Report: Industrialized Attacks Target Financial Services
  "The financial services industry’s digital transformation has created a dangerous visibility gap. With 73% of firms unable to see which APIs expose sensitive data, attackers are exploiting the connective tissue of modern banking. Download this exclusive report to see the latest threat intelligence for an industry under attack. Key findings include:"
  https://www.akamai.com/lp/soti/financial-services-security-trends
  https://www.akamai.com/content/dam/site/en/documents/state-of-the-internet/2026/financial-services-security-trends-report-pdf-preview.pdf
  https://www.bankinfosecurity.com/ai-botnets-drive-surge-in-financial-sector-ddos-attacks-a-31730

Industrial Sector

• Siemens RUGGEDCOM APE1808 Devices
  "A buffer overflow vulnerability in the User-ID Authentication Portal (aka Captive Portal) service of Palo Alto Networks PAN-OS software allows an unauthenticated attacker to execute arbitrary code with root privileges on the PA-Series and VM-Series firewalls by sending specially crafted packets. Siemens is preparing fix versions and recommends countermeasures for products where fixes are not, or not yet available. Customers are advised to consult and implement the workarounds provided in Palo Alto Networks' upstream security notifications. [1] https://security.paloaltonetworks.com/"
  https://www.cisa.gov/news-events/ics-advisories/icsa-26-139-02
• ScadaBR
  "Successful exploitation of these vulnerabilities could allow an attacker to perform unauthenticated remote code execution."
  https://www.cisa.gov/news-events/ics-advisories/icsa-26-139-03
• ZKTeco CCTV Cameras
  "Successful exploitation of this vulnerability could result in information disclosure, including capture of camera account credentials."
  https://www.cisa.gov/news-events/ics-advisories/icsa-26-139-04
• Real-World ICS Security Tales From The Trenches
  "Industrial control systems (ICS) and operational technology (OT) environments are often described as quiet, highly controlled worlds. In reality, they contain a range of risks, unexpected configurations, and operational complexities that are difficult to fully uncover through standard penetration testing or conventional risk assessments. SecurityWeek spoke with several ICS security experts and companies about their most memorable experiences in the field. These are not theoretical scenarios or lab simulations — they are real situations they encountered while working directly with organizations."
  https://www.securityweek.com/real-world-ics-security-tales-from-the-trenches/
• ABB CoreSense HM And CoreSense M10
  "An update is available that resolves vulnerability in the product versions listed as affected in this advisory. A path traversal vulnerability in these products can allow unauthenticated users to gain access to restricted directories. Exploiting this vulnerability can lead to complete system compromise and exposure of sensitive information."
  https://www.cisa.gov/news-events/ics-advisories/icsa-26-139-01
• Kieback & Peter DDC Building Controllers
  "Successful exploitation of this vulnerability could allow an attacker to take control of the victim's browser."
  https://www.cisa.gov/news-events/ics-advisories/icsa-26-139-05

New Tooling

• CVE Lite CLI: Open-Source Dependency Vulnerability Scanner
  "Dependency vulnerability scanning in JavaScript and TypeScript projects has long sat at the end of the development pipeline. Pull requests get opened, continuous integration runs, and a security scanner returns a list of CVE identifiers that developers then have to triage hours or days after writing the code. CVE Lite CLI, now an officially recognized OWASP Incubator Project, moves that check to the developer’s terminal. The open-source tool, maintained by Sonu Kapoor, reads a project’s lockfile, queries the Open Source Vulnerabilities database, and returns copy-and-run fix commands scoped to the relevant package manager. It supports npm, pnpm, Yarn, and Bun."
  https://www.helpnetsecurity.com/2026/05/20/cve-lite-cli-open-source-dependency-vulnerability-scanner/
  https://github.com/OWASP/cve-lite-cli
• Microsoft Open-Sources RAMPART And Clarity To Secure AI Agents During Development
  "Microsoft has unveiled two new open-source tools called RAMPART and Clarity to assist developers in better testing the security of artificial intelligence (AI) agents. RAMPART, short for Risk Assessment and Measurement Platform for Agentic Red Teaming, functions as a Pytest-native safety and security testing framework for writing and running safety and security tests for AI agents, covering both adversarial and benign issues, as well as various harm categories."
  https://thehackernews.com/2026/05/microsoft-open-sources-rampart-and.html
  https://github.com/microsoft/RAMPART

Vulnerabilities

• Drupal Core - Highly Critical - SQL Injection - SA-CORE-2026-004
  "Drupal core includes a database abstraction API to ensure that queries executed against the database are sanitized to prevent SQL injection attacks. A vulnerability in this API allows an attacker to send specially crafted requests, resulting in arbitrary SQL injection for sites using PostgreSQL databases. This can lead to information disclosure, and in some cases privilege escalation, remote code execution, or other attacks. This vulnerability can be exploited by anonymous users. This SQL injection vulnerability only affects sites using PostgreSQL. However, the third-party dependency updates in these releases apply to all sites."
  https://www.drupal.org/sa-core-2026-004
• Exploit Released For New PinTheft Arch Linux Root Escalation Flaw
  "A recently patched Linux privilege escalation vulnerability now has a publicly available proof-of-concept (PoC) exploit that allows local attackers to gain root privileges on Arch Linux systems. The vulnerability, named PinTheft by the V12 security team and still waiting to be assigned a CVE ID for easier tracking, exists in the Linux kernel's RDS (Reliable Datagram Sockets) and was patched earlier this month. "PinTheft is a Linux local privilege escalation exploit for an RDS zerocopy double-free that can be turned into a page-cache overwrite through io_uring fixed buffers," V12 said in a Tuesday advisory."
  https://www.bleepingcomputer.com/news/linux/exploit-released-for-new-pintheft-arch-linux-root-escalation-flaw/
  https://github.com/v12-security/pocs/tree/09e835b587bf71249775654061ae4c79e92cf430/pintheft
  https://securityaffairs.com/192456/security/pintheft-another-linux-privilege-escalation-another-working-exploit-this-time-targeting-arch.html
• Microsoft Shares Mitigation For YellowKey Windows Zero-Day
  "Microsoft has shared mitigations for YellowKey, a recently disclosed Windows BitLocker zero-day vulnerability that grants access to protected drives. The security flaw was disclosed last week by an anonymous security researcher known as 'Nightmare Eclipse,' who described it as a backdoor and published a proof-of-concept (PoC) exploit. Nightmare Eclipse said that exploiting this zero-day involves placing specially crafted 'FsTx' files on a USB drive or EFI partition, rebooting into WinRE, and then triggering a shell with unrestricted access to the BitLocker-protected storage volume by holding down the CTRL key."
  https://www.bleepingcomputer.com/news/microsoft/microsoft-shares-mitigation-for-yellowkey-windows-zero-day/
  https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45585
  https://thehackernews.com/2026/05/microsoft-releases-mitigation-for.html
  https://www.securityweek.com/microsoft-rolls-out-mitigations-for-yellowkey-bitlocker-bypass/
  https://securityaffairs.com/192449/hacking/microsoft-issues-yellowkey-mitigation-no-patch-yet.html
  https://www.helpnetsecurity.com/2026/05/20/yellowkey-bitlocker-mitigation-cve-2026-45585/
• Firefox 151 Packs Big Privacy Upgrades Into a Small Update
  "Mozilla has published release notes for Firefox browser version 151.0, and this update includes several genuinely meaningful privacy and security improvements."
  https://www.malwarebytes.com/blog/privacy/2026/05/firefox-151-packs-big-privacy-upgrades-into-a-small-update
• Second Time, Same Sandbox: Another Anthropic Claude Code Network Sandbox Bypass Enables Data Exfiltration
  "For the second time in five months, Anthropic Claude Code's network sandbox lets a process inside reach hosts the user's policy says to block, and exfiltrate any data the process touches. Every Claude Code release from 2.0.24 (sandbox GA on 2025-10-20) through 2.1.89 was vulnerable to a SOCKS5 hostname null-byte injection. About 5.5 months and ~130 versions, including the release that silently fixed the first sandbox bypass. Both findings ended in a silent fix and no Claude Code security advisory."
  https://oddguan.com/blog/second-time-same-sandbox-anthropic-claude-code-network-allowlist-bypass-data-exfiltration/
  https://www.securityweek.com/anthropic-silently-patches-claude-code-sandbox-bypass/
  https://www.theregister.com/security/2026/05/20/even-claude-agrees-hole-in-its-sandbox-was-real-and-dangerous/5243662
• CISA Adds Seven Known Exploited Vulnerabilities To Catalog
  "CISA has added seven new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
  CVE-2008-4250 Microsoft Windows Buffer Overflow Vulnerability
  CVE-2009-1537 Microsoft DirectX NULL Byte Overwrite Vulnerability
  CVE-2009-3459 Adobe Acrobat and Reader Heap-Based Buffer Overflow Vulnerability
  CVE-2010-0249 Microsoft Internet Explorer Use-After-Free Vulnerability
  CVE-2010-0806 Microsoft Internet Explorer Use-After-Free Vulnerability
  CVE-2026-41091 Microsoft Defender Elevation of Privilege Vulnerability
  CVE-2026-45498 Microsoft Defender Denial of Service Vulnerability"
  https://www.cisa.gov/news-events/alerts/2026/05/20/cisa-adds-seven-known-exploited-vulnerabilities-catalog
• Hackers Bypass SonicWall VPN MFA Due To Incomplete Patching
  "Threat actors brute-forced VPN credentials and bypassed multi-factor authentication (MFA) on SonicWall Gen6 SSL-VPN appliances to deploy tools used in ransomware attacks. During the intrusions, the hacker took between 30 and 60 minutes to log in, do network reconnaissance, test credential reuse on internal systems, and log out. SonicWall warned in a security advisory for CVE-2024-12802 that installing the firmware update alone on Gen6 devices does not fully mitigate the vulnerability, and a manual reconfiguration of the LDAP server is required. Failing to do so leaves open the possibility of bypassing MFA protection."
  https://www.bleepingcomputer.com/news/security/hackers-bypass-sonicwall-vpn-mfa-due-to-incomplete-patching/
• Google Publishes Exploit Code Threatening Millions Of Chromium Users
  "Google on Wednesday published exploit code for an unfixed vulnerability in its Chromium browser codebase that threatens millions of people using Chrome, Microsoft Edge, and virtually all other Chromium-based browsers. The proof-of-concept code exploits the Browser Fetch programming interface, a standard that allows long videos and other large files to be downloaded in the background. An attacker can use the exploit to create a connection for monitoring some aspects of a user’s browser usage and as a proxy for viewing sites and launching denial-of-service attacks. Depending on the browser, the connections either reopen or remain open even after it or the device running it has rebooted."
  https://arstechnica.com/security/2026/05/google-publishes-exploit-code-threatening-millions-of-chromium-users/

Malware

• After Two Years, Telegram Smishing Is Back, And Account Takeovers Are Here To Stay
  "Following the Telegram account takeover campaign in 2024, a smishing attack has recently been identified that uses Telegram security issues to steal users’ account information. threat actors hijack Telegram accounts by tricking users into entering their phone numbers and login codes on phishing sites. once an account is compromised, it can lead to personal information and chats being leaked, as well as secondary damage. let’s take a look at the main Telegram login smishing schemes and the security tips you should keep in mind."
  https://asec.ahnlab.com/en/93790/
• Steganography Secrets: Malware Hidden In Plain Sight
  "Threat actors are abusing image file hosting websites and file sharing services to deliver malware while evading enterprise security controls. Unlike more common, relatively simplistic, modern-day threats, these threat actors appear to be more sophisticated and less likely to send large-scale, minimally targeted attacks. The threat actors use a combination of steganography, encodings, and multiple delivery mechanisms to deliver remote access trojans (RATs), information stealers, and other malware, and are often successful at evading Endpoint Detection and Response (EDR) tools. The evidence for greater threat actor effort is also made apparent by the increased use of personally identifying information to customize email subjects and attachments, as compared to regular phishing. This report covers the infection chain, the image file hosting websites, and the malware used in steganographic campaigns."
  https://cofense.com/blog/steganography-secrets-malware-hidden-in-plain-sight
• Misconfigured, Enrolled And Dormant: Anatomy Of a P2Pinfect Kubernetes Compromise
  "FortiGuard Labs recently identified persistent P2Pinfect presences within Google Kubernetes Engine (GKE) clusters at several client companies, with one compromise spanning six months. The compromises originated from exposed Redis instances, which allowed the botnet to gain an initial foothold. The botnet's beaconing was repeatedly flagged in FortiCNAPP's Composite Alerts, underscoring how a single misconfiguration can enable long-term compromise in cloud environments. The IOCs observed across our customers also had significant overlap."
  https://www.fortinet.com/blog/threat-research/misconfigured-enrolled-and-dormant-anatomy-of-a-p2pinfect-kubernetes-compromise
• Volume Obfuscation Game: The Lead Data Brokers Out To Waste Your Time
  "Group-IB has observed a growing number of data advertisements targeting organizations worldwide across multiple industries, circulating within Chinese-language cybercrime ecosystems on dark web forums and Telegram. These sources typically advertise a large volume of data in short time frames, however Group-IB’s past analyses revealed that most claims consist of data compiled from prior breaches, generated and contain no indications of a data breach. A combination of rapid, high-volume messaging, frequent low-credibility claims, plus the lack of wider understanding and analysis of these sources and data contributes to a misunderstanding of their nature, operations and credibility."
  https://www.group-ib.com/blog/lead-data-obfuscation-brokers/
  Fake Word Phishing Reveals Enterprise Blind Spot In Trusted Remote Access Tools
  "A fake Word Online phishing page has exposed a growing enterprise blind spot: attackers using trusted tools to gain remote access without raising immediate alarms. The attack chain observed by ANY.RUN moved from an Outlook email to an MSI installer, silent execution, ScreenConnect remote access, and HideUL-based concealment. For CISOs, this is a warning that phishing investigations must focus on full behavior, not just malicious files."
  https://hackread.com/fake-word-phishing-enterprise-blind-spot-trusted-remote-access-tools/
• How An Image Could Compromise Your Mac: Understanding An ExifTool Vulnerability (CVE-2026-3102)
  "ExifTool is a widely adopted utility for reading and writing metadata in image, PDF, audio, and video files. It is available both as a standalone command-line application and as a library that can be embedded in other software. In this article, we break down CVE-2026-3102, an ExifTool vulnerability discovered by Kaspersky’s Global Research and Analysis Team (GReAT) in February 2026 and patched by the developers within the same month. Affecting macOS systems with ExifTool version 13.49 and earlier, this flaw could let an attacker run arbitrary commands by hiding instructions inside an image file’s metadata."
  https://securelist.com/exiftool-compromise-mac/119866/
• Webworm: New Burrowing Techniques
  "SET researchers analyzed the 2025 activity of Webworm, a China-aligned APT group that started out targeting organizations in Asia, but has recently shifted its focus to Europe. Even though this is our first public blogpost on the group, we have been observing Webworm’s activities ever since Symantec first reported on this threat actor in 2022. Over the years, we have seen that this threat actor continually changes its tactics, techniques, and procedures (TTPs)."
  https://www.welivesecurity.com/en/eset-research/webworm-new-burrowing-techniques/
  https://thehackernews.com/2026/05/webworm-deploys-echocreep-and-graphworm.html
  https://www.infosecurity-magazine.com/news/webworm-apt-evolves-tactics/
  https://www.helpnetsecurity.com/2026/05/20/webworm-apt-campaign-targets-europe/
• Ukraine Says Russia Is Deploying AI-Powered Malware On The Battlefield
  "Russia’s use of artificial intelligence in its cyberwar against Ukraine has expanded beyond fake news and propaganda campaigns, according to Ukrainian government officials. Moscow is now embedding AI directly into malware to generate malicious commands “on the fly.” A new report from Ukraine’s National Security and Defense Council says Russia’s use of AI across cyber operations expanded dramatically over the past year, reshaping everything from social engineering campaigns to malware development and creating what Ukrainian officials describe as a growing imbalance between attackers and defenders."
  https://therecord.media/ukraine-says-russia-using-ai-malware-on-battlefield
• Tracking TamperedChef Clusters Via Certificate And Code Reuse
  "This article documents novel activity clusters that have significant overlap with the publicly described threat known as TamperedChef (aka EvilAI). TamperedChef-style malware is trojanized productivity software, such as PDF editors or calendars, that deliver malicious payloads. These campaigns typically employ malicious ads that direct users to sites hosting the applications. While this style of malware shares many similarities in technical operation, installation lures and distribution methods, we do not attribute it to a single author or group."
  https://origin-unit42.paloaltonetworks.com/tracking-tampered-chef-clusters/
• Premium Deception: Uncovering a Global Android Carrier Billing Fraud Campaign
  "zLabs has identified a sophisticated Android malware campaign conducting carrier billing fraud through premium SMS abuse across Malaysia, Thailand, Romania, and Croatia. The campaign comprises almost 250 malicious applications that selectively target users based on their mobile operator, silently subscribing victims to premium services without consent."
  https://zimperium.com/blog/premium-deception-uncovering-a-global-android-carrier-billing-fraud-campaign
  https://www.darkreading.com/mobile-security/fake-android-apps-carrier-billing-fraud
  https://www.infosecurity-magazine.com/news/android-carrier-billing-fraud-four/
• VELVET CHOLLIMA Infostealer Campaign Using Trading App As Lure
  "Hybrid Analysis has identified a low-detection malicious installer masquerading as a legitimate cryptocurrency trading application called Tralert FX. The sample, a 100 MB Windows MSI submitted to VirusTotal in March 2026, achieved only a 3/52 detection rate. This low detection rate was largely due to a valid EV code signing certificate issued to a likely front company, AgilusTech LLC. What initially appeared to be a routine low-confidence detection quickly escalated into the exposure of a sophisticated, long-running, multi-stage infostealer campaign with infrastructure spanning five GitLab repositories, a dedicated C2 server, and a network of cryptocurrency trading lure domains."
  https://hybrid-analysis.blogspot.com/2026/05/velvet-chollima-infostealer-campaign.html

Breaches/Hacks/Leaks

• GitHub Confirms Breach Of 3,800 Repos Via Malicious VSCode Extension
  "GitHub has confirmed that roughly 3,800 internal repositories were breached after one of its employees installed a malicious VS Code extension. The company has since removed the unnamed trojanized extension from the VS Code marketplace and has secured the compromised device. "Yesterday we detected and contained a compromise of an employee device involving a poisoned VS Code extension. We removed the malicious extension version, isolated the endpoint, and began incident response immediately," the company said."
  https://www.bleepingcomputer.com/news/security/github-confirms-breach-of-3-800-repos-via-malicious-vscode-extension/
  https://thehackernews.com/2026/05/github-investigating-teampcp-claimed.html
  https://therecord.media/github-confirms-teampcp-hack-customers-unaffected
  https://www.darkreading.com/application-security/github-confirms-breach-4k-internal-repos-stolen
  https://www.helpnetsecurity.com/2026/05/20/github-breached-teampcp/
  https://www.infosecurity-magazine.com/news/github-confirms-breach-vs-code/
  https://www.securityweek.com/github-confirms-hack-impacting-3800-internal-repositories/
  https://securityaffairs.com/192440/cyber-crime/a-malicious-vs-code-extension-just-breached-github-s-internal-repositories.html
  https://www.theregister.com/devops/2026/05/20/github-says-internal-repos-exfiltrated-after-poisoned-vs-code-extension-attack/5243206
  https://cyberscoop.com/github-internal-repositories-vs-code-extension-attack/
  https://hackread.com/github-breach-teampcp-repositories-vs-code-extension/
• Grafana Breach Caused By Missed Token Rotation After TanStack Attack
  "The Grafana data breach was caused by a single GitHub workflow token that slipped through the rotation process following the TanStack npm supply-chain attack last week. In the ongoing Shai-Hulud malware campaign attributed to TeamPCP hackers, dozens of TanStack packages infected with credential-stealing code were published on the npm index, compromising developer environments, including Grafana's. When the malicious npm package was released, Grafana’s CI/CD workflow consumed it, and the info-stealer module executed in its GitHub environment, exfiltrating GitHub workflow tokens to the attackers."
  https://www.bleepingcomputer.com/news/security/grafana-breach-caused-by-missed-token-rotation-after-tanstack-attack/

General News

• What Will Make AI BOMs Real?
  "Standards bodies, open-source projects, and commercial vendors are already building meaningful momentum for realizing the promise of AI BOM. OWASP, with its CycloneDX SBOM standard, and the Linux Foundation, with its SPDX standard, have both released AI-specific extensions. The OWASP AI SBOM Initiative holds weekly open meetings and has developed the OWASP AI BOM Generator, the first open-source tool to automatically generate AIBOMs from Hugging Face models in CycloneDX format. And the SPDX standard added dedicated AI and dataset profiles in version 3.0, providing field mappings for model training and data provenance. Meanwhile, the OpenSSF AI/ML Working Group formalized a model-signing specification in 2025, with contributions from Google, HiddenLayer, and NVIDIA. Additionally, CISA's AI SBOM Tiger Team published foundational guidance in 2025, though the agency's significant personnel cuts this year have cast uncertainty over many of its ongoing initiatives."
  https://www.darkreading.com/cybersecurity-analytics/what-make-ai-bom-real
  https://www.darkreading.com/cyber-risk/make-ai-bom-usable-modern-security-program
• Communicating Cyber Risk In Dollars Boards Understand
  "In this Help Net Security interview, Nick Nieuwenhuis, Cybersecurity Architect at Nedscaper, explains why cybersecurity has not delivered the resilience that decades of investment have promised. He argues that spending has leaned too heavily on technical controls while neglecting people, processes, and organizational dynamics. He unpacks the gap between security teams and boards, pointing to weak risk communication and a reliance on qualitative heatmaps over hard evidence. He pushes back on root cause analysis as a reductionist habit, makes the case for treating resilience as a serious capability, and outlines what stronger organizations do differently, including investment in communication, rehearsed playbooks, and continuous learning across the security function."
  https://www.helpnetsecurity.com/2026/05/20/nick-nieuwenhuis-nedscaper-cyber-resilience-strategy/
• When Your AI Assistant Has The Keys To Production
  "Large language models in operational roles query telemetry, propose configuration changes, and in some deployments execute those changes against live infrastructure. Ticket drafting and alert summarization were the starting point. Vendors describe this work as autonomous remediation or self-healing infrastructure. A recent survey on agentic AI in network and IT operations gives it a more useful name: a confused-deputy problem waiting to happen."
  https://www.helpnetsecurity.com/2026/05/20/agentic-ai-security-llm-research/
  https://arxiv.org/pdf/2605.12729
• Typosquatting Is No Longer a User Problem. It's a Supply Chain Problem
  "On December 24, 2025, Trust Wallet users started losing money. Not because they clicked a phishing link. Not because they reused a weak password. Not because they did anything wrong at all. A self-replicating npm worm called Shai-Hulud had spent months harvesting developer credentials: GitHub tokens, npm publishing keys, and Chrome Web Store API credentials. Those keys allowed attackers to push a trojanized version of the Trust Wallet Chrome extension through official channels. Chrome's verification passed it."
  https://thehackernews.com/2026/05/typosquatting-is-no-longer-user-problem.html
• Threat Spotlight: CypherLoc, An Advanced Browser-Locking Scareware Targeting Millions
  "Barracuda Research, the threat intelligence arm of Barracuda, has identified CypherLoc, a sophisticated web‑based scareware kit that combines advanced evasion techniques, aggressive browser controls and psychological manipulation to push victims into calling fraudulent technical support phone numbers. Since the start of 2026, Barracuda researchers have observed around 2.8 million attacks featuring this kit. CypherLoc shows how scareware has evolved from simple frozen‑screen scams into stealthy, browser‑resident attack frameworks that rely on user fear rather than malware installation. In the case of CypherLoc, this includes the new and innovative use of encrypted loaders, hash-gated execution, and page replacement during operational runtime."
  https://blog.barracuda.com/2026/05/20/threat-spotlight-cypherloc-scareware
  https://www.infosecurity-magazine.com/news/researchers-cypherloc-scareware/
• Ukraine Identifies Infostealer Operator Tied To 28,000 Stolen Accounts
  "The Ukrainian cyberpolice, working in conjunction with U.S. law enforcement, has identified an 18-year-old man from Odesa suspected of running an infostealer malware operation targeting users of an online store in California. According to the Ukrainian police, the threat actor used information-stealing malware between 2024 and 2025 to infect users’ devices and steal browser sessions and account credentials. Infostealers are a popular type of malware that harvests sensitive data, including passwords, browser cookies, session tokens, crypto wallets, and payment information, from infected devices and sends it to cybercriminals for account theft, fraud, and resale."
  https://www.bleepingcomputer.com/news/security/ukraine-identifies-infostealer-operator-tied-to-28-000-stolen-accounts/
  https://therecord.media/ukraine-probes-teen-suspect-cyber-theft-scheme
• Processes And Culture Top Reasons Behind Data Breaches
  "Municipal leaders, utility personnel, and even one retired city auditor were eager to learn which cyber threats are targeting local governments, and more importantly how to address them because, as one panelist emphasized: "Nowadays, you will eventually be hit." Massachusetts state officials and technology specialists gathered to discuss the findings of a new study that examined all the breaches in 2024 against MA residents and found some troubling security gaps persist. Those same gaps – weak passwords and insufficient patch management - affect businesses nationwide. The threat vectors also echoed what vendors, like Verizon Business' Data Breach Investigation reports, have been saying for years: System intrusions and internet-facing vulnerabilities are how attackers gain access."
  https://www.darkreading.com/cyberattacks-data-breaches/processes-and-culture-top-reasons-behind-data-breaches
• ISC2 Research Deep Dive: AI And Emerging Technologies Signal Disruption For Cybersecurity
  "For cybersecurity professionals, emerging technologies are no longer distant innovations. They are active forces reshaping day-to-day work. Nowhere is this more evident than with artificial intelligence (AI). As organizations accelerate adoption of AI, security teams are being asked to harness AI’s potential while simultaneously defending against the new risks it introduces. The result is a security landscape defined by opportunity and unease, where the same technologies driving efficiency are also expanding the attack surface."
  https://www.isc2.org/Insights/2026/05/ai-and-emerging-technologies-disrupt-cybersecurity
  https://www.darkreading.com/cybersecurity-analytics/cyber-pros-ai

อ้างอิง
Electronic Transactions Development Agency (ETDA)