
administrators

  • CISA adds eight actively exploited vulnerabilities to its catalog

    On 21 April 2026 the Cybersecurity and Infrastructure Security Agency (CISA) added eight new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence that each is being exploited in the wild. The entries are:

    • CVE-2023-27351 PaperCut NG/MF Improper Authentication Vulnerability
    • CVE-2024-27199 JetBrains TeamCity Relative Path Traversal Vulnerability
    • CVE-2025-2749 Kentico Xperience Path Traversal Vulnerability
    • CVE-2025-32975 Quest KACE Systems Management Appliance (SMA) Improper Authentication Vulnerability
    • CVE-2025-48700 Synacor Zimbra Collaboration Suite (ZCS) Cross-site Scripting Vulnerability
    • CVE-2026-20122 Cisco Catalyst SD-WAN Manager Incorrect Use of Privileged APIs Vulnerability
    • CVE-2026-20128 Cisco Catalyst SD-WAN Manager Storing Passwords in a Recoverable Format Vulnerability
    • CVE-2026-20133 Cisco Catalyst SD-WAN Manager Exposure of Sensitive Information to an Unauthorized Actor Vulnerability

    CISA updates the KEV catalog continuously, adding entries as evidence of real-world exploitation appears, so that it reflects the vulnerabilities actually being used against organizations now and going forward.
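    The practical use of a KEV alert is to cross-check it against what is actually deployed. The script below is an added example, not NCSA or CISA code: it parses a feed in the shape of CISA's published known_exploited_vulnerabilities.json and reports which CVEs from a scanner inventory are in the catalog, earliest due date first. The feed excerpt, hostnames, due dates and the last CVE ID are constructed placeholders (only the three CVE IDs taken from the alert are real); the "product" and "dueDate" fields are the ones the real feed carries, but the values here are not CISA's.

```python
"""Cross-check a CVE inventory against a CISA KEV feed snapshot.

Added example; not NCSA or CISA code. CISA publishes the catalog as JSON
(known_exploited_vulnerabilities.json). KEV_SNAPSHOT below is a constructed
excerpt in that shape: the CVE IDs come from the alert, but the dueDate and
knownRansomwareCampaignUse values are placeholders, not CISA's real values.
"""
import json
from datetime import date

KEV_SNAPSHOT = r'''{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "vulnerabilities": [
    {"cveID": "CVE-2023-27351", "vendorProject": "PaperCut", "product": "NG/MF",
     "dateAdded": "2026-04-20", "dueDate": "2026-05-11",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2024-27199", "vendorProject": "JetBrains", "product": "TeamCity",
     "dateAdded": "2026-04-20", "dueDate": "2026-05-11",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2026-20128", "vendorProject": "Cisco", "product": "Catalyst SD-WAN Manager",
     "dateAdded": "2026-04-20", "dueDate": "2026-05-04",
     "knownRansomwareCampaignUse": "Unknown"}
  ]
}'''

# Constructed scanner output: CVE -> hosts where it was reported. The hostnames
# and the last CVE ID are placeholders.
INVENTORY = {
    "CVE-2024-27199": ["build02.example.internal", "build01.example.internal"],
    "CVE-2026-20128": ["sdwan-mgr.example.internal"],
    "CVE-2025-99999": ["web01.example.internal"],
}


def load_kev(feed_json: str) -> dict:
    """Index a KEV feed by CVE ID so lookups are O(1)."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}


def triage(inventory: dict, kev: dict, today: date) -> list:
    """Return the inventory CVEs that are in KEV, earliest due date first."""
    findings = []
    for cve, hosts in inventory.items():
        entry = kev.get(cve)
        if entry is None:
            continue  # not known-exploited; handle through the normal patch cadence
        due = date.fromisoformat(entry["dueDate"])
        findings.append({
            "cve": cve,
            "product": f'{entry["vendorProject"]} {entry["product"]}',
            "hosts": sorted(hosts),
            "due": due.isoformat(),
            "overdue": today > due,
            "ransomware": entry.get("knownRansomwareCampaignUse", "Unknown"),
        })
    return sorted(findings, key=lambda f: (f["due"], f["cve"]))


def run_triage(today_iso: str = "2026-05-06") -> list:
    """Convenience wrapper over the constructed data above."""
    return triage(INVENTORY, load_kev(KEV_SNAPSHOT), date.fromisoformat(today_iso))


if __name__ == "__main__":
    for f in run_triage():
        status = "OVERDUE" if f["overdue"] else "due " + f["due"]
        print(f'{f["cve"]:15} {f["product"]:28} {status:15} {", ".join(f["hosts"])}')
```

    Swap KEV_SNAPSHOT for the downloaded feed and INVENTORY for your scanner export; anything the script prints is a KEV-listed CVE on a host you own, which is the shortlist to patch first.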

    Reference
    https://www.cisa.gov/news-events/alerts/2026/04/20/cisa-adds-eight-known-exploited-vulnerabilities-catalog
    You can follow further news on the webboard or on the NCSA Thailand Facebook page.

    Posted in Cyber Security News
  • CISA releases 12 Industrial Control Systems (ICS) advisories

    On 21 April 2026 (2569 BE) the Cybersecurity and Infrastructure Security Agency (CISA) released 12 advisories on industrial control systems (ICS), providing timely information on security issues, vulnerabilities and exploits affecting ICS. The advisories are:

    • ICSA-26-111-01 Siemens TPM 2.0
    • ICSA-26-111-02 Siemens RUGGEDCOM CROSSBOW Secure Access Manager Primary
    • ICSA-26-111-03 Siemens SINEC NMS
    • ICSA-26-111-04 Siemens Analytics Toolkit
    • ICSA-26-111-05 Hardy Barth Salia EV Charge Controller
    • ICSA-26-111-06 Zero Motorcycles Firmware
    • ICSA-26-111-07 Siemens SCALANCE
    • ICSA-26-111-08 Siemens RUGGEDCOM CROSSBOW Station Access Controller (SAC)
    • ICSA-26-111-09 Siemens SINEC NMS
    • ICSA-26-111-10 Silex Technology SD-330AC and AMC Manager
    • ICSA-26-111-11 Siemens Industrial Edge Management
    • ICSA-26-111-12 SenseLive X3050

    CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations.
    Reference
    https://www.cisa.gov/news-events/ics-advisories

    Posted in OT Cyber Security News
  • Cyber Threat Intelligence 21 April 2026

    Industrial Sector

    • Serial-To-IP Devices Hide Thousands Of Old And New Bugs
      "Researchers have identified 20 new vulnerabilities in popular models of serial-to-IP converters — devices that sit at the heart of modern industrial networks. Even more worryingly, the same researchers counted thousands of known vulnerabilities in these very same devices' software stacks. Complex on the inside, serial-to-IP converters — also known as serial device servers, or serial-to-Ethernet converters — do a relatively straightforward job: they translate the language of old industrial machinery into Internet-speak, and vice versa. It goes without saying just how significant this job is: without it, plant operators wouldn't be able to monitor older machinery from the comfort of their newfangled computers."
      https://www.darkreading.com/ics-ot-security/serial-ip-devices-thousands-of-bugs
      https://www.securityweek.com/serial-to-ip-converter-flaws-expose-ot-and-healthcare-systems-to-hacking/

    New Tooling

    • SmokedMeat: Open-Source Tool Shows What Attackers Do Inside CI/CD Pipelines
      "Boost Security has released SmokedMeat, an open-source framework that runs attack chains against CI/CD infrastructure so engineering and security teams can see what an attacker would do in their specific environment. SmokedMeat takes a flagged pipeline vulnerability and executes a live demonstration against a team’s own infrastructure. Starting from a single vulnerability, it deploys a payload, compromises the runner, harvests credentials from process memory, exchanges those credentials for cloud access, exposes private repositories, and maps the blast radius of the attack."
      https://www.helpnetsecurity.com/2026/04/20/smokedmeat-ci-cd-pipeline-attacks/
      https://github.com/boostsecurityio/smokedmeat

    Vulnerabilities

    • SGLang Is Vulnerable To Remote Code Execution When Rendering Chat Templates From a Model File
      "A remote code execution vulnerability has been discovered in the SGLang project, specifically in the reranking endpoint (/v1/rerank). A CVE has been assigned to track the vulnerability; CVE-2026-5760. An attacker can create a malicious model for SGLang to achieve RCE. Successful exploitation could allow arbitrary code execution in the context of the SGLang service, potentially leading to host compromise, lateral movement, data exfiltration, or denial-of-service (DoS) attacks. No response was obtained from the project maintainers during coordination."
      https://kb.cert.org/vuls/id/915947
      https://thehackernews.com/2026/04/sglang-cve-2026-5760-cvss-98-enables.html
    • CISA Adds Eight Known Exploited Vulnerabilities To Catalog
      "CISA has added eight new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
      CVE-2023-27351 PaperCut NG/MF Improper Authentication Vulnerability
      CVE-2024-27199 JetBrains TeamCity Relative Path Traversal Vulnerability
      CVE-2025-2749 Kentico Xperience Path Traversal Vulnerability
      CVE-2025-32975 Quest KACE Systems Management Appliance (SMA) Improper Authentication Vulnerability
      CVE-2025-48700 Synacor Zimbra Collaboration Suite (ZCS) Cross-site Scripting Vulnerability
      CVE-2026-20122 Cisco Catalyst SD-WAN Manager Incorrect Use of Privileged APIs Vulnerability
      CVE-2026-20128 Cisco Catalyst SD-WAN Manager Storing Passwords in a Recoverable Format Vulnerability
      CVE-2026-20133 Cisco Catalyst SD-WAN Manager Exposure of Sensitive Information to an Unauthorized Actor Vulnerability"
      https://www.cisa.gov/news-events/alerts/2026/04/20/cisa-adds-eight-known-exploited-vulnerabilities-catalog
    • Prompt Injection Leads To RCE And Sandbox Escape In Antigravity
      "Pillar Security researchers have uncovered a vulnerability in Antigravity, Google's agentic IDE. This technique exploits insufficient input sanitization of the find_by_name tool's Pattern parameter, allowing attackers to inject command-line flags into the underlying fd utility, converting a file search operation into arbitrary code execution. Critically, this vulnerability bypasses Antigravity's Secure Mode, the product's most restrictive security configuration. Secure Mode is designed to restrict network access, prevent out-of-workspace writes, and ensure all command operations run strictly under a sandbox context. None of these controls prevent exploitation, because the find_by_name tool call fires before any of these restrictions are evaluated. The agent treats it as a native tool invocation, not a shell command, so it never reaches the security boundary that Secure Mode enforces."
      https://www.pillar.security/blog/prompt-injection-leads-to-rce-and-sandbox-escape-in-antigravity
      https://cyberscoop.com/google-antigravity-pillar-security-agent-sandbox-escape-remote-code-execution/
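      The flaw described above is an instance of argument injection: an attacker-controlled string lands in argv where the underlying tool still accepts options. The script below is an added example, not Pillar's or Google's code, and it does not invoke fd. It builds an argparse stand-in whose shape matches what the quote describes (a positional pattern plus an -x/--exec option; an assumed subset, not fd's real CLI) and compares the naive argv with one that terminates option parsing with "--" and screens flag-shaped input.

```python
"""Flag injection through a positional 'pattern', as an added example.

Not Pillar's or Google's code, and fd is not invoked. argparse builds a stand-in
parser with the shape the quoted text describes for fd (a positional pattern
plus an -x/--exec option); the option set is an assumed subset, not fd's real
CLI. The point is how argv is assembled, not the tool.
"""
import argparse


def make_stand_in_parser() -> argparse.ArgumentParser:
    """Stand-in for an fd-like CLI: [options] [pattern] [paths...]."""
    p = argparse.ArgumentParser(prog="fd-stand-in", add_help=False, exit_on_error=False)
    p.add_argument("-x", "--exec", dest="exec_cmd", nargs="+")
    p.add_argument("pattern", nargs="?")
    p.add_argument("paths", nargs="*")
    return p


def argv_naive(pattern: str, root: str) -> list:
    """Untrusted pattern goes first, where the parser still accepts options."""
    return [pattern, root]


def argv_end_of_options(pattern: str, root: str) -> list:
    """'--' terminates option parsing: everything after it is data."""
    return ["--", pattern, root]


def pattern_is_flag_like(pattern: str) -> bool:
    """Second layer: reject input that even looks like a flag before it reaches argv."""
    return pattern.startswith("-")


def parse_stand_in(argv: list) -> dict:
    """Show how the stand-in parser interprets a given argv."""
    ns = make_stand_in_parser().parse_args(argv)
    return {"exec_cmd": ns.exec_cmd, "pattern": ns.pattern, "paths": ns.paths}


if __name__ == "__main__":
    hostile = "-x"  # a 'pattern' that is really a flag
    print("naive    :", parse_stand_in(argv_naive(hostile, "/workspace")))
    print("hardened :", parse_stand_in(argv_end_of_options(hostile, "/workspace")))
    print("reject?  :", pattern_is_flag_like(hostile))
```

      In the naive form the stand-in parser consumes "-x" as the exec option and "/workspace" as its argument, so the search pattern has silently become a command; after "--" the same string is just a pattern. Use both layers: "--" is what actually closes the hole, and the flag-shape check gives a clear error instead of a confusing search result.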
    • KLCERT-25-012: Qualcomm Chipset Series. Write-What-Where Condition Vulnerability In BootROM
      "A CWE-123: Write-what-where Condition vulnerability exists in Qualcomm MDM9x07, MDM9x45, MDM9x65, MSM8909, MSM8916, MSM8952, and SDX50 chipset series that could allow an attacker with physical access to the target system to bypass the secure boot chain and execute arbitrary code on the targeted system with maximum privileges."
      https://ics-cert.kaspersky.com/vulnerabilities/qualcomm-chipsets-series-write-what-where-condition-vulnerability-in-bootrom/
    • Fabricked: Misconfiguring Infinity Fabric To Break AMD SEV-SNP
      "Confidential computing allows cloud tenants to offload sensitive computations and data to remote resources without needing to trust the cloud service provider. Hardware-based trusted execution environments, like AMD SEV-SNP, achieve this by creating Confidential Virtual Machines (CVMs). With Fabricked, we present a novel software-based attack that manipulates memory routing to compromise AMD SEV-SNP. By redirecting memory transactions, a malicious hypervisor can deceive the secure co-processor (PSP) into improperly initializing SEV-SNP. This enables the attacker to perform arbitrary read and write access within the CVM address space, thus breaking SEV-SNP core security guarantees."
      https://fabricked-attack.github.io/

    Malware

    • Supply Chain Compromise Impacts Axios Node Package Manager
      "The Cybersecurity and Infrastructure Security Agency (CISA) is releasing this alert to provide guidance in response to the software supply chain compromise of the Axios node package manager (npm).[1] Axios is an HTTP client for JavaScript that developers commonly use in Node.js and browser environments. On March 31, 2026, two npm packages for versions [email protected] and [email protected] of Axios npm injected the malicious dependency [email protected] that downloads multi-stage payloads from cyber threat actor infrastructure, including a remote access trojan.[2]"
      https://www.cisa.gov/news-events/alerts/2026/04/20/supply-chain-compromise-impacts-axios-node-package-manager
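      The first question after an alert like this is whether the injected dependency is in your lockfile at all, and through which parent it arrived. The script below is an added example, not CISA's or the Axios project's code: it walks a package-lock.json (lockfileVersion 3) and lists every dependency path from the project root to a named package, plus every installed version of a package. The lockfile excerpt is constructed, its version numbers are placeholders, and "injected-dep-placeholder" is a stand-in for the dependency named in the alert, not a real package name.

```python
"""List every dependency path to a named package in package-lock.json (v3).

Added example; not CISA's or the Axios project's code. LOCKFILE is a constructed
lockfileVersion 3 excerpt; its version numbers are placeholders, and
"injected-dep-placeholder" stands in for the malicious dependency named in the
alert and is not a real package name.
"""
import json

LOCKFILE = r'''{
  "name": "example-app",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "example-app",
         "dependencies": {"axios": "^1.0.0", "left-pad": "^1.0.0"}},
    "node_modules/axios": {"version": "1.0.0",
         "dependencies": {"follow-redirects": "^1.0.0", "injected-dep-placeholder": "^1.0.0"}},
    "node_modules/follow-redirects": {"version": "1.0.0"},
    "node_modules/injected-dep-placeholder": {"version": "1.0.0"},
    "node_modules/left-pad": {"version": "1.0.0"}
  }
}'''

ROOT = "(root)"


def package_name(key: str) -> str:
    """'node_modules/a/node_modules/b' -> 'b'; the root key '' -> ROOT."""
    if key == "":
        return ROOT
    return key.rsplit("node_modules/", 1)[-1]


def build_graph(lock: dict) -> dict:
    """Edges parent -> set(child) by package name, ignoring nested hoisting."""
    graph = {}
    for key, entry in lock["packages"].items():
        deps = set(entry.get("dependencies", {})) | set(entry.get("optionalDependencies", {}))
        graph.setdefault(package_name(key), set()).update(deps)
    return graph


def dependency_paths(lock_json: str, target: str) -> list:
    """All simple paths ROOT -> ... -> target, sorted for stable output."""
    graph = build_graph(json.loads(lock_json))
    found = []

    def walk(node, path):
        if node == target:
            found.append(path)
            return
        for child in sorted(graph.get(node, ())):
            if child not in path:  # guard against dependency cycles
                walk(child, path + [child])

    walk(ROOT, [ROOT])
    return sorted(found)


def installed_versions(lock_json: str, name: str) -> list:
    """Every installed version of `name`, including nested copies."""
    lock = json.loads(lock_json)
    return sorted(e["version"] for k, e in lock["packages"].items()
                  if k and package_name(k) == name)


if __name__ == "__main__":
    for p in dependency_paths(LOCKFILE, "injected-dep-placeholder"):
        print(" -> ".join(p))
    print("axios versions:", installed_versions(LOCKFILE, "axios"))
```

      Point it at a real lockfile by reading the file into lock_json. The graph is keyed by package name, so nested copies under different node_modules directories collapse into one node; that is acceptable for a blast-radius check, since any path at all means the package is installed.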
    • FakeWallet Crypto Stealer Spreading Through iOS Apps In The App Store
      "In March 2026, we uncovered more than twenty phishing apps in the Apple App Store masquerading as popular crypto wallets. Once launched, these apps redirect users to browser pages designed to look similar to the App Store and distributing trojanized versions of legitimate wallets. The infected apps are specifically engineered to hijack recovery phrases and private keys. Metadata from the malware suggests this campaign has been flying under the radar since at least the fall of 2025. We’ve seen this happen before. Back in 2022, ESET researchers spotted compromised crypto wallets distributed through phishing sites. By abusing iOS provisioning profiles to install malware, attackers were able to steal recovery phrases from major hot wallets like Metamask, Coinbase, Trust Wallet, TokenPocket, Bitpie, imToken, and OneKey."
      https://securelist.com/fakewallet-cryptostealer-ios-app-store/119474/
      https://www.bleepingcomputer.com/news/security/chinas-apple-app-store-infiltrated-by-crypto-stealing-wallet-apps/
    • Cross‑tenant Helpdesk Impersonation To Data Exfiltration: A Human-Operated Intrusion Playbook
      "Threat actors are initiating cross-tenant Microsoft Teams communications while impersonating IT or helpdesk personnel to socially engineer users into granting remote desktop access. After access is established through Quick Assist or similar remote support tools, attackers often execute trusted vendor-signed applications alongside attacker-supplied modules to enable malicious code execution. This access pathway might be used to perform credential-backed lateral movement using native administrative protocols such as Windows Remote Management (WinRM), allowing threat actors to pivot toward high-value assets including domain controllers."
      https://www.microsoft.com/en-us/security/blog/2026/04/18/crosstenant-helpdesk-impersonation-data-exfiltration-human-operated-intrusion-playbook/
      https://www.bleepingcomputer.com/news/security/microsoft-teams-increasingly-abused-in-helpdesk-impersonation-attacks/
    • The Gentlemen: A New Ransomware Threat Climbing The Charts — Fast
      "Most ransomware groups that emerge with fanfare are gone within months. The Gentlemen are not following that script. Since surfacing in mid-2025, the group has grown at a pace that rivals the early years of LockBit 3, a program widely considered the gold standard of ransomware operations. By April 2026, The Gentlemen have publicly listed over 320 victims on their data leak site, with 240 of those occurring in the first months of 2026 alone. That figure only reflects organizations that refused to pay; the actual number of victims is almost certainly higher. Check Point Research (CPR) has been tracking this group since its emergence, and their latest analysis, including findings from an active incident response engagement and access to a live attacker-controlled server, reveals why this operation is scaling so quickly, and what it means for enterprise security teams."
      https://blog.checkpoint.com/research/the-gentlemen-a-new-ransomware-threat-climbing-the-charts-fast/
      https://research.checkpoint.com/2026/dfir-report-the-gentlemen/
      https://www.bleepingcomputer.com/news/security/the-gentlemen-ransomware-now-uses-systembc-for-bot-powered-attacks/
    • StealTok: 130k Users Compromised By Data Stealing TikTok Video “Downloaders”
      "LayerX security researchers have uncovered a campaign of at least 12 interrelated browser extensions that masquerade as TikTok video downloaders but in reality track user activity and collect data. The extensions share a common codebase and are all clones or lightly modified versions of each other, indicating that this is a long-standing and persistent campaign by the same threat actors. The extensions also implement a mechanism for dynamic remote configuration, which allows them to bypass marketplace review processes. This enables the malicious extensions to modify their behavior and functionality after installation, without users or marketplaces being aware. According to LayerX research, the extensions typically operate legitimately for 6–12 months before introducing malicious features."
      https://layerxsecurity.com/blog/stealtok-130k-users-compromised-by-data-stealing-tiktok-video-downloaders/
      https://hackread.com/fake-tiktok-downloaders-chrome-edge-spy-users/
    • Bluesky Disrupted By Sophisticated DDoS Attack
      "Bluesky, the decentralized microblogging social media platform, reported service outages last week due to a distributed denial-of-service (DDoS) attack aimed at its systems. The DDoS attack appears to have started late on April 15 (Pacific Time) and continued into the next day. The company described it as a sophisticated attack that caused intermittent app outages. “The attack is impacting our application, with users experiencing intermittent interruptions in service for their feeds, notifications, threads and search,” Bluesky said. “We have not seen any evidence of unauthorized access to private user data,” it added."
      https://www.securityweek.com/bluesky-disrupted-by-sophisticated-ddos-attack/
      https://therecord.media/bluesky-blames-app-outage-on-ddos
    • Formbook Malware Campaign Uses Multiple Obfuscation Techniques To Avoid Detection
      "Two phishing campaigns, each using a different stealthy infection technique, are targeting organizations in attacks which aim to deliver data stealing malware to devices running on Microsoft Windows. The goal of the campaigns is to install Formbook, a notorious form of infostealer which has been available as part of malware-as-a-service schemes since 2016. The infostealer malware is designed to gather sensitive information including login credentials, browser data and screenshots. It is also equipped with advanced evasion techniques to avoid detection."
      https://www.infosecurity-magazine.com/news/formbook-malware-multiple/

    Breaches/Hacks/Leaks

    • KelpDAO Suffers $290 Million Heist Tied To Lazarus Hackers
      "State-sponsored North Korean hackers are likely behind the $290 million crypto-heist that impacted the KelpDAO DeFi project on Saturday. The attack reportedly also impacted the lending protocols Compound, Euler, and Aave, with the latter announcing a freeze and blocking new deposits or borrowing using rsETH as collateral. KelpDAO is a decentralized finance (DeFi) project built around liquid restaking on the Ethereum network. It accepts user ETH deposits, restakes them, and returns a liquid token named ‘rsETH,’ that represents the restaked position."
      https://www.bleepingcomputer.com/news/security/kelpdao-suffers-290-million-heist-tied-to-lazarus-hackers/
      https://therecord.media/crypto-north-korea-theft-kelp
    • Seiko USA Website Defaced As Hacker Claims Customer Data Theft
      "The Seiko USA website was defaced over the weekend, displaying a message from attackers claiming they stole its Shopify customer database and threatening to leak it unless a ransom is paid. Visitors to the "Press Lounge" section of the site were shown a page titled "HACKED," which replaced normal content with what appeared to be a ransom demand and data breach notification. The message warned that attackers had gained access to the company's Shopify backend and exfiltrated sensitive customer information."
      https://www.bleepingcomputer.com/news/security/seiko-usa-website-defaced-as-hacker-claims-customer-data-theft/
    • WhatsApp Leaks User Metadata To Attackers
      "Tal Be'ery knew that I was online the night before I called him. He knew what kind of device I was using. I didn't share this information with him. All he had was my phone number. I had no way to know that he was learning that information about me, either. Be’ery, cofounder and chief technology officer (CTO) of Zengo — whose $70 million acquisition by eToro was announced during our call — silently pried into my online habits (with my permission) using a jerry-rigged program he designed to plug into WhatsApp, and exploit the thin layer of metadata it leaks. In a presentation at Black Hat Asia 2026, he'll show that anyone can perform the same tricks, be they sophisticated nation-state advanced persistent threats (APTs) or lowly scammers. It doesn't require any kind of sophisticated zero-day; all one has to do is leverage WhatsApp's own design choices."
      https://www.darkreading.com/endpoint-security/whatsapp-leaks-user-metadata
    • Cyberattack At French Identity Document Agency May Have Exposed Personal Data
      "A cyberattack targeting a French government website used to manage identity documents and driver’s licenses may have exposed users’ personal data, the Interior Ministry said on Monday. The incident affected the website of the National Agency for Secure Documents (ANTS), a government service responsible for processing applications for passports, national identity cards, residence permits and driver’s licenses. In a statement, the Interior Ministry said a “security incident that may involve the disclosure of data from both individual and professional accounts” was detected on April 15."
      https://therecord.media/france-cyberattack-agency-passports
      https://securityaffairs.com/191069/data-breach/frances-ants-id-system-website-hit-by-cyberattack-possible-data-breach.html
    • Vibe Coding Upstart Lovable Denies Data Leak, Cites 'intentional Behavior,' Then Throws HackerOne Under The Bus
      "Vibe-coding platform Lovable is pooh-poohing a researcher’s finding that anyone could open a free account on the service and read other users' sensitive info, including credentials, chat history, and source code. However, the company’s story keeps changing: First it attributed the publicly exposed info to "intentional behavior" and "unclear documentation," then threw bug-bounty service HackerOne under the bus. The drama appears to be the latest example of an AI firm, in this case a startup that claims a $6.6 billion valuation, shirking responsibility for security flaws in its products. Companies including Uber, Zendesk, and Deutsche Telekom all use Lovable's vibe coding AI tool, according to its latest funding announcement."
      https://www.theregister.com/2026/04/20/lovable_denies_data_leak/

    General News

    • Why The Axios Attack Proves AI Is Mandatory For Supply Chain Security
      "Two weeks ago, a suspected North Korean threat actor slipped malicious code into a package within Axios, a widely used JavaScript library. The immediate concern was the blast radius: roughly 100 million weekly downloads spanning enterprises, startups, and government systems. But beyond the sheer scale, the attack’s speed was just as worrisome – a stark reminder of the tempo modern adversaries now operate at. The Axios compromise was identified within minutes of publication by an Elastic researcher using an AI-powered monitoring tool that analyzed package registry changes in real time. The approach was right: AI classifying code changes at machine speed, at the moment of publication, before the damage compounds. By any standard, it was a fast response. The compromised package was removed in about three hours. But even in those three hours, the widely-used package may have been downloaded over half a million times."
      https://cyberscoop.com/ai-powered-security-operations-axios-supply-chain-attack/
    • Network ‘background Noise’ May Predict The Next Big Edge-Device Vulnerability
      "Attackers rarely exploit an edge-device vulnerability indiscriminately. Typically, they first test how widely the flaw can be used and how much access it can provide, then move on to steal data or disrupt operations. Pre-attack surveillance and planning leaves a lot of noise in its wake. These signals — particularly spikes in traffic that are hitting specific vendors — can act as an early-warning system, often preceding public vulnerability disclosures, according to research GreyNoise shared exclusively with CyberScoop prior to its release. Roughly half of every activity surge GreyNoise detected during a 103-day study last winter was followed by a vulnerability disclosure from the same targeted vendor within three weeks, GreyNoise said in its report."
      https://cyberscoop.com/greynoise-traffic-surge-early-warning-system-network-edge-device-vulnerabilities/
      https://www.greynoise.io/resources/ten-days-before-zero
    • Threat Landscape March 2026: Ransomware Dominance, Access Brokers, Data Leaks, And Critical Exploitation Trends
      "Cyble Research & Intelligence Labs (CRIL) in its monthly threat landscape analysis observed a highly active threat environment throughout March 2026, shaped by large-scale ransomware campaigns, persistent data breach activity, growing initial access brokerage markets, and exploitation of critical vulnerabilities affecting widely deployed enterprise systems. Threat actors continued to prioritize financial extortion, credential access, and operational disruption, while increasingly targeting sectors rich in sensitive data or dependent on business continuity."
      https://cyble.com/blog/monthly-threat-landscape-march-2026/
    • FTP Exposure Brief: Examining The 55-Year-Old Protocol Used By Millions
      "It’s the 1990s. You probably use FTP to push website files. Your users use it to grab new software releases. You run wu-ftpd or ProFTPD and think mostly about disk quotas, not encryption. AUTH TLS doesn’t exist yet (RFC 2228 wouldn’t arrive until 1997), and the concept of sending credentials or files in cleartext doesn’t matter so much since the Internet is smaller and less adversarial. FTP was designed for a world where every node on a network was probably going to be a university server or a government computer that you more or less trusted automatically."
      https://censys.com/blog/ftp-exposure-brief/
      https://www.securityweek.com/half-of-the-6-million-internet-facing-ftp-servers-lack-encryption/
    • What The Ransom Note Won't Say
      "In March 2024, an affiliate of the BlackCat ransomware gang took to a cybercrime forum with a complaint. They’d carried out the attack on Change Healthcare – one of the largest healthcare data breaches in U.S. history – but never got their cut of the $22 million ransom payment. BlackCat’s operators had taken the money and vanished, putting up a fake FBI seizure notice on their leak site to cover the exit. The grievance almost feels like a contractor dispute. Strip away the criminal element along with the apparent double-cross, and what’s left is (hints of) something any company executive might recognize: business arrangements complete with supply chains, pricing, competition, and customers who expect their money’s worth. Today’s ransomware runs on this very logic."
      https://www.welivesecurity.com/en/ransomware/what-ransom-note-doesnt-say/

    Reference
    Electronic Transactions Development Agency (ETDA)

    Posted in Cyber Security News
  • Scammers abuse the Apple Account notification system to steal users' account credentials

    Posted in Cyber Security News
  • Cyber threats are fuelling cargo theft in the logistics industry, adding billions of dollars in losses

    Posted in Cyber Security News
  • NIST changes its vulnerability database policy to analyse only high-risk entries, as CVE volume outgrows its capacity

    Posted in Cyber Security News
  • Payouts King ransomware uses QEMU to hide a VM inside the victim system and evade endpoint security detection

    Posted in Cyber Security News
  • Nexcorium, a Mirai variant, exploits a TBK DVR vulnerability to spread and launch DDoS attacks

    Posted in Cyber Security News
  • Four Android malware families found targeting over 800 banking apps worldwide

    Posted in Cyber Security News
  • Cyber Threat Intelligence 20 April 2026

    Financial Sector

    • March 2026 Security Issues In The Korean & Global Financial Sector
      "A number of malware samples including phishing, web shell, droppers, backdoor malware, downloaders, Infostealer, and CoinMiner targeting the financial sector have been distributed. We observed a number of cases where Korean disguised attachment names and HTML/JS execution methods were utilized to propagate phishing. Account compromise campaigns through the Telegram API were confirmed, with approximately 4% of the compromised accounts coming from the financial sector. The AnySign4PC vulnerability was exploited in a watering hole attack by the Lazarus group, resulting in remote code execution, and multiple watering hole distribution sites were found to be continuously used."
      https://asec.ahnlab.com/en/93421/

    General News

    • March 2026 Threat Trend Report On APT Groups
      "This report analyzes the strategies, techniques, and impacts of APT groups believed to be state-sponsored. It excludes financial crimes groups from its scope and organizes major threat behaviors by ATIP’s representative names. The activities of 13 APT groups were aggregated based on publicly available data for the most recent month."
      https://asec.ahnlab.com/en/93416/
    • Man Gets 30 Months For Selling Thousands Of Hacked DraftKings Accounts
      "23-year-old Kamerin Stokes of Memphis, Tennessee, was sentenced to 30 months in prison for selling access to tens of thousands of hacked DraftKings accounts. According to court documents, the accounts were hijacked by Nathan Austad (aka Snoopy) with the help of Joseph Garrison (a third accomplice charged in May 2023) in a massive November 2022 credential-stuffing attack that compromised nearly 68,000 DraftKings accounts. U.S. prosecutors said Austad and Garrison used a list of credentials stolen in multiple breaches to hack into DraftKings accounts, then sold access to others who stole around $635,000 from roughly 1,600 compromised accounts."
      https://www.bleepingcomputer.com/news/security/man-gets-30-months-for-selling-thousands-of-hacked-draftkings-accounts/
      https://www.securityweek.com/another-draftkings-hacker-sentenced-to-prison/
      https://securityaffairs.com/190943/cyber-crime/draftkings-hacker-sentenced-to-prison-ordered-to-pay-1-4-million.html
    • Scattered Spider Hacker Pleads Guilty In US Federal Court
      "A senior figure in the Scattered Spider cybercrime group pleaded guilty to one count of conspiracy to commit wire fraud and one count of aggravated identity theft on Friday in an Orange County, California, federal district court. The plea marks the conclusion of a digital crime spree by Tyler Robert Buchanan, 24, of Scotland. Buchanan has been in federal custody since April 2025, when Spanish authorities extradited Buchanan after arresting him in the Mediterranean resort city of Palma de Mallorca just as he attempted to leave the country for Naples on a chartered flight."
      https://www.bankinfosecurity.com/scattered-spider-hacker-pleads-guilty-in-us-federal-court-a-31459
    • Tycoon 2FA Phishers Scatter, Adopt Device Code Phishing
      "In the wake of a major takedown of phishing's biggest brand name, Tycoon 2FA, phishers worldwide have scattered. Some have stuck around, but many have moved to other phishing service providers, and some seem to be jumping on a fast-growing trend toward device code phishing. It would be shortchanging Tycoon 2FA to merely distinguish it as the world's premiere phishing-as-a-service (PhaaS) group. A year ago, it accounted for nearly 90% of all PhaaS activity everywhere, according to data from Barracuda. It essentially owned the PhaaS ecosystem."
      https://www.darkreading.com/threat-intelligence/tycoon-2fa-hackers-device-code-phishing
    • Every Old Vulnerability Is Now An AI Vulnerability
      "On March 10, 2026, Microsoft patched CVE-2026-26144, a cross-site scripting (XSS) vulnerability in Excel. XSS in Office isn't anything new, but what makes this XSS different is what happens after the script executes. The vulnerability chains with Copilot Agent mode. An attacker embeds a malicious payload in an Excel file. After a user opens it, the XSS fires without the user ever clicking anything. However, unlike most XSS attacks, which aim to steal a session cookie or redirect the user to a phishing site, this attack hijacks the Copilot Agent and silently exfiltrates data from the spreadsheet to an attacker-controlled endpoint: no user interaction, no visual prompt to indicate that anything had happened. The AI does the exfiltration for you."
      https://www.darkreading.com/vulnerabilities-threats/every-old-vulnerability-ai-vulnerability
    • Coast Guard's New Cybersecurity Rules Offer Lessons For CISOs
      "The US Coast Guard's first-ever mandatory cybersecurity framework for ports, vessels, and offshore facilities has taken effect, ending two decades of voluntary compliance and putting operators on a countdown with a 2027 deadline. The regulations affect any US-flagged vessel or maritime facility subject to the Maritime Transportation Security Act of 2002 and requires that they develop and maintain a cybersecurity plan, designate a cybersecurity officer (CySO), conduct annual assessments, and train any information- and operational-technology workers on their cybersecurity duties."
      https://www.darkreading.com/cybersecurity-operations/coast-guards-cybersecurity-rules-lessons-cisos
    • Gemini Is Stopping Harmful Ads Before People Ever See Them
      "Our safety teams work around the clock to stop bad actors that use increasingly sophisticated, malicious ads. In 2025, Gemini-powered tools dramatically improved our ability to detect and stop bad ads: Our systems caught over 99% of policy-violating ads before they ever served, and we’re continuing to evolve our defenses to stay ahead of even the most advanced schemes. Our teams have long used advanced AI to identify and stop scammers, and Gemini takes that work even further. Our models analyze hundreds of billions of signals — including account age, behavioral cues and campaign patterns — to stop threats before they reach people. Unlike earlier keyword-based systems, our latest models better understand intent, helping us spot malicious content and preemptively block it, even when it’s designed to evade detection."
      https://blog.google/products/ads-commerce/2025-ads-safety-report/
      https://thehackernews.com/2026/04/google-blocks-83b-policy-violating-ads.html
      https://www.helpnetsecurity.com/2026/04/17/google-gemini-harmful-ads-blocking/
    • Commercial AI Models Show Rapid Gains In Vulnerability Research
      "While non-public frontier AI models, like Anthropic’s Claude Mythos, have been shown to identify thousands of zero-day vulnerabilities across major operating systems, commercial models are also indicating progress in the discovery of software bugs. Forescout’s Verde Labs found that just a year ago 55% of AI models failed basic vulnerability research and 93% failed exploit development tasks. Progress has been made, however, and in 2026 the cybersecurity firm said all tested models complete vulnerability research tasks, and half can generate working exploits autonomously."
      https://www.infosecurity-magazine.com/news/ai-models-rapid-gains/
    • Machine Identities: The Invisible Cyber Risk You Probably Aren’t Managing
      "When we talk about identity in cybersecurity, most people think about users logging in. But modern IT environments rely on a far larger and less visible population of non‑human identities. Machine identities are the credentials that applications, scripts, APIs, cloud workloads, industrial devices, and automation tools use to authenticate. They include service accounts, API keys, certificates, tokens, and embedded credentials that let systems communicate automatically and continuously. In manufacturing, this might include production systems pulling data from ERP software, industrial controllers updating configurations, remote monitoring tools, or third‑party vendors accessing plant networks. These identities are essential for efficiency and uptime, but they also introduce risk."
      https://blog.barracuda.com/2026/04/17/machine-identities-invisible-risk
    • Supply Chain Dependencies: Have You Checked Your Blind Spot?
      "Some cyber business risks only show up when you take a closer look. Supply chain blind spots are a perfect example. Behind these essential third-party connections, products and services can lurk unseen vulnerabilities that precipitate major cyber incidents – halting operations, triggering downstream chaos, and making headlines with their financial, reputational, and legal/compliance impacts. As supply chains become increasingly digitized and complex, they provide cybercriminals a bigger “risk surface” to aim for. Organizations need to understand their supply chain dependencies in depth so they can map the risks and deploy effective resilience strategies to protect sensitive data and sustain business continuity. Yet according to the latest research from ESET and other sources, SMBs largely underestimate the potential risks they face from disruption caused by their supply chain, either from a malicious attack or operational outage."
      https://www.welivesecurity.com/en/business-security/supply-chain-dependencies-have-you-checked-your-blind-spot/
    • Exposing Russian Malicious Infrastructure: 1,250+ C2 Servers Mapped Across 165 Providers
      "Infrastructure analytics and ISP mapping reveal the hidden backbone of cyber threats. By examining hosting providers, cloud services, and telecom networks, analysts can identify patterns of persistent malware, phishing campaigns, and C2 infrastructure. During the last three months (1 Jan 2026 - 1 Apr 2026) analysis window, we identified more than 1,250 active command-and-control (C2) servers operating across 165 Russian infrastructure providers, spanning shared hosting platforms, virtual server providers, and telecommunications networks. That provider-level view is what separates actionable intelligence from an endless list of disposable indicators."
      https://hunt.io/blog/russian-malicious-infrastructure-c2-servers-mapped
    • Defending Your Enterprise When AI Models Can Find Vulnerabilities Faster Than Ever
      "Advances in AI model-powered exploitation have demonstrated that general-purpose AI models can excel at vulnerability discovery, even without being purpose-built for the task. Eventually, capabilities such as these will be integrated directly into the development cycle, and code will be more difficult to exploit than ever; however, this transition creates a critical window of risk. As we harden existing software with AI, threat actors will use it to discover and exploit novel vulnerabilities. Faced with this scenario, defenders have two critical tasks: hardening the software we use as rapidly as possible, and preparing to defend systems that have not yet been hardened."
      https://cloud.google.com/blog/topics/threat-intelligence/defending-enterprise-ai-vulnerabilities
    • The German Cyber Criminal Überfall: Shifts In Europe's Data Leak Landscape
      "Germany has reclaimed its position as a primary focus for cyber extortion in Europe. While data leak site (DLS) posts rose almost 50% globally in 2025, Google Threat Intelligence (GTI) data shows that the surge is hitting German infrastructure harder and faster than its regional neighbors, marking a significant return to the high-pressure levels previously observed in the country during 2022 and 2023. Germany moved to the forefront of European data leak targets in 2025. Following a 2024 period where the UK led in DLS victims, this pivot reflects a resurgence of the intense pressure observed across German infrastructure during 2022 and 2023."
      https://cloud.google.com/blog/topics/threat-intelligence/europe-data-leak-landscape
    • That Data Breach Alert Might Be a Trap
      "Receiving a data breach notice may have once been a rare event. With data breaches hitting record numbers, however, these notifications are no longer as surprising as they once were. In the US alone, there were 3,322 such breaches reported last year, resulting in nearly 280 million notices being emailed to victims. In Europe, daily incidents grew by 22% annually in 2025 to reach 443 on average per day. This represents a growing opportunity for fraudsters. They know that many people may be on the lookout for these notifications. And when they receive one, they may be more predisposed to follow the advice contained in it."
      https://www.welivesecurity.com/en/scams/data-breach-alert-might-be-trap/

    References
    Electronic Transactions Development Agency (ETDA)

    Posted in Cyber Security News