Group information (private group)

administrators

  • ClickFix campaign spoofing Cloudflare pages found spreading Infiniti Stealer malware on macOS


    Follow the news on the webboard or on Facebook NCSA Thailand

    Posted in Cyber Security News
  • ShinyHunters group claims to have breached European Commission systems; more than 350 GB of data believed leaked



    Posted in Cyber Security News
  • Alert: hackers observed starting to scan for a critical Citrix NetScaler vulnerability (CVSS 9.3)



    Posted in Cyber Security News
  • Cyber Threat Intelligence 26 March 2026

    Healthcare Sector

    Industrial Sector

    • Pharos Controls Mosaic Show Controller
      "Successful exploitation of this vulnerability could allow an unauthenticated attacker to execute arbitrary commands with root privileges."
      https://www.cisa.gov/news-events/ics-advisories/icsa-26-083-01
    • Schneider Electric Plant iT/Brewmaxx
      "Successful exploitation of these vulnerabilities could risk privilege escalation, which could result in remote code execution."
      https://www.cisa.gov/news-events/ics-advisories/icsa-26-083-03
    • Schneider Electric EcoStruxure Foxboro DCS
      "Schneider Electric is aware of a vulnerability in its EcoStruxure Foxboro DCS Control Software on Foxboro DCS workstations and servers. Control Core Services and all runtime software, like FCPs, FDCs, and FBMs, are not affected. The EcoStruxure Foxboro DCS product is an innovative family of fault-tolerant, highly available control components, which consolidates critical information and elevates staff capabilities to ensure flawless, continuous plant operation. Failure to apply the remediation provided below may risk deserialization of untrusted data, which could result in loss of confidentiality, integrity and potential remote code execution on the compromised workstation."
      https://www.cisa.gov/news-events/ics-advisories/icsa-26-083-02

    Vulnerabilities

    • TP-Link Warns Users To Patch Critical Router Auth Bypass Flaw
      "TP-Link has patched several vulnerabilities in its Archer NX router series, including a critical-severity flaw that may allow attackers to bypass authentication and upload new firmware. Tracked as CVE-2025-15517, this security flaw affects Archer NX200, NX210, NX500, and NX600 wireless routers and stems from a missing authentication weakness that attackers can exploit without privileges. "A missing authentication check in the HTTP server to certain cgi endpoints allows unauthenticated access intended for authenticated users," TP-Link explained earlier this week when it released security updates that address the vulnerability. "An attacker may perform privileged HTTP actions without authentication, including firmware upload and configuration operations.""
      https://www.bleepingcomputer.com/news/security/tp-link-warns-users-to-patch-critical-router-auth-bypass-flaw/
      https://nvd.nist.gov/vuln/detail/CVE-2025-15517
      https://securityaffairs.com/189980/iot/patch-now-tp-link-archer-nx-routers-vulnerable-to-firmware-takeover.html
    • iOS, MacOS 26.4 Roll Out With Fresh Security Patches
      "Apple on Tuesday rolled out a fresh wave of security updates to resolve more than 80 vulnerabilities across its mobile and desktop operating systems. iOS 26.4 and iPadOS 26.4 were released for the latest generation iPhone and iPad devices with patches for nearly 40 security defects. WebKit received fixes for eight bugs that could be exploited by malicious websites to bypass policy enforcement, mount XSS attacks, fingerprint users, escape the sandbox, or crash the process. Issues addressed in the kernel could be exploited to disclose kernel memory, leak sensitive kernel state, corrupt kernel memory, or write kernel memory."
      https://www.securityweek.com/ios-macos-26-4-roll-out-with-fresh-security-updates/
    • CISA Adds One Known Exploited Vulnerability To Catalog
      "CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
      CVE-2026-33017 Langflow Code Injection Vulnerability"
      https://www.cisa.gov/news-events/alerts/2026/03/25/cisa-adds-one-known-exploited-vulnerability-catalog
    • AI Supply Chain Attacks Don’t Even Require Malware…just Post Poisoned Documentation
      "A new service that helps coding agents stay up to date on their API calls could be dialing in a massive supply chain vulnerability. Two weeks ago, Andrew Ng, an AI entrepreneur and adjunct professor at Stanford, launched Context Hub, a service for supplying coding agents with API documentation. "Coding agents often use outdated APIs and hallucinate parameters," Ng wrote in a LinkedIn post. "For example, when I ask Claude Code to call OpenAI's GPT-5.2, it uses the older chat completions API instead of the newer responses API, even though the newer one has been out for a year. Context Hub solves this.""
      https://www.theregister.com/2026/03/25/ai_agents_supply_chain_attack_context_hub/

    Malware

    • Cloud Phones: The Invisible Threat
      "What began as a simple scheme to inflate social media metrics has evolved into a sophisticated threat that is quietly reshaping the economics of digital fraud. Over the past decade, fraud prevention teams have invested heavily in device fingerprinting and emulator detection and that investment paid off; classic emulators and bot activities became predictable, easy to detect and block. However, attackers adapted. They moved to cloud phones – remote-access Android devices running in data centers. For all intents and purposes, these are real phones, running genuine firmware, exhibiting natural sensor behavior, and presenting valid hardware attestation. Plus, they’re accessible to anyone with just $10 to spare and an internet connection. What makes this threat unlike any other is its invisibility. To fraud detection systems, cloud phone activity such as mobile banking appears indistinguishable from a legitimate device. This report traces the evolution of cloud phones from harmless social media engagement automation to industrial-scale financial fraud, examines why traditional device fingerprinting fails against cloud phones, and reveals updated detection methodologies that are beginning to close this dangerous gap."
      https://www.group-ib.com/blog/cloud-phones-invisible-threat/
      https://www.infosecurity-magazine.com/news/cloud-phones-financial-fraud/
      https://www.theregister.com/2026/03/25/virtual_smartphones_fraud/

    • On The Radar: ChatGPT Stealer
      "For many folks, using an AI assistant in browser means opening a new tab, navigating to a website, and asking questions. This works for many use cases, but often means bringing content to the agent, either by summarizing or copy/pasting from other locations. The assistant in this case has no awareness of the conversations, context, or history in the other browser tabs. In short, the agent is effectively siloed. This isolation can be seen as good from a security and privacy perspective, but presents challenges from a usability standpoint. This usability gap has led to the creation of tools that bring further awareness to the AI tools. While this shift has taken several forms, one area of rapid growth is AI-powered browser extensions. These extensions afford users the ability to work across browser tabs, simplifying the ingestion of content into the AI agent and streamlining the experience significantly."
      https://expel.com/blog/on-the-radar-chatgpt-stealer/
      https://www.infosecurity-magazine.com/news/experts-prompt-poaching-browser/

    • The Unintentional Enabler: How Cloudflare Services Are Abused For Credential Theft And Malware Distribution
      "Cloudflare's suite of services like Workers, Tunnels, Turnstile, Pages and Cloudflare R2 (*[.]r2[.]dev) continue to be abused by threat actors to orchestrate stealthy phishing attacks and deliver malware in ways that are difficult for traditional security measures to detect or prevent. This abuse underscores a perilous shift wherein Cloudflare’s legitimate services are now being repurposed by malicious actors to bypass security defenses and evade detection. Here we will explore specifically how Cloudflare services, especially Workers and Tunnels, became powerful enablers of cyber threats, drawing from actual campaigns that Cofense Intelligence has seen that have bypassed defenses to end up in employee inboxes."
      https://cofense.com/blog/how-cloudflare-services-are-abused-for-credential-theft-and-malware-distribution

    • Novel WebRTC Skimmer Bypasses Security Controls At $100+ Billion Car Maker
      "What sets this attack apart is the skimmer itself. Instead of the usual HTTP requests or image beacons, this malware uses WebRTC DataChannels to load its payload and exfiltrate stolen payment data. This is the first time Sansec has observed WebRTC used as a skimming channel. The car manufacturer is the latest victim in a streak of major ecommerce breaches. Sansec has now found payment skimmers on five multi-billion dollar companies in the past two months, including a top-3 US bank and a top-10 global supermarket chain."
      https://sansec.io/research/webrtc-skimmer
      https://www.bleepingcomputer.com/news/security/polyshell-attacks-target-56-percent-of-all-vulnerable-magento-stores/

    • Bubble: a New Tool For Phishing Scams
      "A variety of AI-powered app builders promise to bring your ideas to life quickly and effortlessly. Unfortunately, we know exactly who’s always on the lookout for new ideas to bring to life — mostly because we’re rather good at spotting and blocking their old ones. We’re talking about phishers, of course. Recently, we discovered they’ve added a new trick to their arsenal: generating websites using the Bubble AI-powered web-app builder. It’s highly likely that this tactic is now available through one or more phishing-as-a-service platforms, which virtually guarantees these decoys will start appearing in a wide range of attacks. But let’s break this down step-by-step."
      https://www.kaspersky.com/blog/bubble-no-code-phishing/55488/
      https://www.bleepingcomputer.com/news/security/bubble-ai-app-builder-abused-to-steal-microsoft-account-credentials/

    • Torg Grabber: Anatomy Of a New Credential Stealer
      "It started with a lie. A sample walked into the lab wearing a Vidar label like a cheap suit two sizes too small. We pulled the threads, and the whole thing came apart. What fell out was a previously unknown information stealer we named Torg Grabber – 334 samples compiled over three months, a rapid evolution from Telegram dead drops through an encrypted TCP protocol nobody asked for, all the way to a production-grade REST API that worked like a Swiss watch dipped in poison. Over 40 operator tags pulled from the binaries – a mix of nicknames, date-encoded batch IDs, and confirmed Telegram user IDs – fingerprinted individual MaaS customers and confirmed what we already suspected: this was a builder-and-panel operation, crime as a service, infrastructure included. OSINT resolution of the numeric tags peeled back the curtain on eight operators as Telegram accounts buried up to their necks in the Russian cybercrime ecosystem. The bot tokens gave us the developer accounts behind the whole show. Nobody said crime doesn’t pay, but nobody said it doesn’t leave fingerprints either."
      https://www.gendigital.com/blog/insights/research/torg-grabber-credential-stealer-analysis
      https://www.bleepingcomputer.com/news/security/new-torg-grabber-infostealer-malware-targets-728-crypto-wallets/

    • The Operations Of The Swarm: Inside The Complex World Of Mirai-Based Botnets
      "Botnets are always an interesting threat to discuss, simply because of their prevalence and the difficulty of restricting and mitigating them. Spamhaus noted that July to December 2025 saw a 24% increase in the number of botnet command & control servers identified when compared to the previous 6-month period. This blog started off as a focused discussion of Aisuru-Kimwolf, what it is, and what has been observed recently; however, since there are so many botnet families that are related to each other, we decided to expand the scope and treat this as more of a technical primer to botnets. This blog will describe observations on several botnets and discuss their key similarities and differences."
      https://blog.pulsedive.com/the-operations-of-the-swarm-inside-the-complex-world-of-mirai-based-botnets/
      https://hackread.com/mirai-malware-variants-botnet-growth/

    • GlassWorm Hides a RAT Inside a Malicious Chrome Extension
      "A couple of days ago, we covered GlassWorm compromising hundreds of GitHub repositories and a popular React phone number package on npm. We kept digging into the full payload and found a multi-stage framework that installs a persistent RAT and, deep in Stage 3, force-installs a Chrome extension posing as Google Docs Offline. It logs keystrokes, dumps cookies and session tokens, captures screenshots, and takes commands from a C2 server hidden in a Solana blockchain memo."
      https://www.aikido.dev/blog/glassworm-chrome-extension-rat
      https://thehackernews.com/2026/03/glassworm-malware-uses-solana-dead.html

    Breaches/Hacks/Leaks

    • Hackers Claim To Have Accessed Data Tied To Millions Of Crime Tipsters
      "Millions of crime tips may have been exposed after a hacker group claims to have compromised systems used by Crime Stoppers programs and other organizations worldwide. The incident centers on P3 Global Intel, a Texas-based provider of cloud-based tip and intelligence management software owned by Navigate360. The hacktivists, known as “Internet Yiff Machine,” submitted the stolen data to Straight Arrow News (SAN). According to SAN, the group supplied a cache of more than 8.3 million records said to be taken from P3. The data reportedly spans from as far back as 1987, up to 2025, and is said to include crime tips submitted through Crime Stoppers programs, law enforcement agencies, schools, and parts of the US federal government."
      https://www.malwarebytes.com/blog/news/2026/03/hackers-claim-to-have-accessed-data-tied-to-millions-of-crime-tipsters

    • Ransomware Attack Disrupts Operation At Major Spanish Fishing Port
      "A ransomware attack has disrupted digital systems at Spain’s Port of Vigo, forcing authorities to disconnect parts of its network and temporarily manage cargo operations manually, port officials said Wednesday. The attack was detected early Tuesday and affected computer servers used to manage cargo traffic and other digital services at the port, located in the Galicia region on Spain’s northwest coast. Officials told local media the incident locked some equipment and involved a ransom demand. In response, the port authority’s technology team isolated the affected systems from external networks to limit the impact."
      https://therecord.media/port-of-vigo-ransomware

    • Puerto Rico Government Agency Cancels Driver’s License Appointments After Cyberattack
      "Puerto Rico’s Department of Transportation was forced to cancel all upcoming appointments at the agency that handles driver’s licenses, permits and vehicle registrations due to a cyberattack. Government officials announced the incident on Tuesday and provided an update on Wednesday, writing that the Puerto Rico Innovation and Technology Service (PRITS) is working with the Department of Transportation to restore systems at the agency. Poincaré Díaz, executive director of PRITS, said they were forced to disconnect all of the Transportation Department’s systems after a cyberattack was discovered on Monday."
      https://therecord.media/puerto-rico-gov-agency-cancels-driver-license-appointments-cyber-incident

    General News

    • Russian Cybercriminal Sentenced To Prison For Using a “botnet” To Steal Millions From American Businesses
      "A Russian national was sentenced yesterday to twenty-four months in prison after having pleaded guilty to managing the operation of a botnet (a network of computers infected by malware and controlled remotely by cybercriminals) that was used to launch ransomware attacks on the networks of dozens of U.S. corporations, announced United States Attorney Jerome F. Gorgon Jr. and Special Agent in Charge Jennifer Runyan of the FBI Detroit Field Division. Ilya Angelov, 40, of Tolyatti, Russia was sentenced by U.S. District Court Judge Nancy Edmunds, who also fined Angelov $100,000 and entered a money judgment against him in the amount of $1.6 million dollars."
      https://www.justice.gov/usao-edmi/pr/russian-cybercriminal-sentenced-prison-using-botnet-steal-millions-american-businesses
      https://thehackernews.com/2026/03/russian-hacker-sentenced-to-2-years-for.html
      https://www.bleepingcomputer.com/news/security/russian-man-sentenced-for-operating-botnet-used-in-ransomware-attacks/
      https://therecord.media/russian-botnet-operator-sentenced-ransomware
      https://www.securityweek.com/russian-cybercriminal-gets-2-year-prison-sentence-in-us/
      https://securityaffairs.com/189987/cyber-crime/russian-national-convicted-for-running-botnet-used-in-attacks-on-u-s-firms.html
      https://www.helpnetsecurity.com/2026/03/25/russian-botnet-operator-sentenced-mario-kart-ransomware/
    • Cybersecurity, AI, And Sovereignty: What’s Next For Global Digital Infrastructure
      "Today’s digital systems are advancing faster than the governance models, infrastructure, and security frameworks designed to support them. Artificial intelligence (AI) is driving productivity and innovation, but its rapid deployment is colliding with a more fragmented geopolitical environment. Governments and enterprises are being forced to reconsider how data, platforms, and infrastructure are controlled, shared, and protected. These pressures are already shaping system design and long-term investment decisions. They were central to discussions at the World Economic Forum’s Industry Strategy Meeting (ISM) in Munich, where leaders examined how to translate Davos priorities into operational strategy. The meeting built on priorities established at the World Economic Forum Annual Meeting in Davos earlier this year and focused on translating those insights into practical industry strategies."
      https://www.fortinet.com/blog/industry-trends/cybersecurity-ai-and-sovereignty-whats-next-for-global-digital-infrastructure
    • AI-Native Security Is a Must To Counter AI-Based Attacks
      "Slow human-controlled defenses won't be enough for autonomous agents spun off by technologies like OpenClaw, say experts. Artificial intelligence-native security will be needed to fend off threats. "You're going to see an AI-led attack, full agentic attacks that we're starting to see already today. The only way to deal with those is a full agentic defense," Francis deSouza, Google Cloud's chief operating officer and president of security products, said during a panel discussion at Nvidia’s GTC conference earlier this month. During the discussion, panelists noted that AI-native security models prevent rogue agent break-ins. Such models include agents that spot security weaknesses and scan sub-agents before deployment, control dynamic system access for agents, and generate audit trails to track agent identity and activity."
      https://www.darkreading.com/cybersecurity-operations/ai-native-security-counter-attacks
    • Training An AI Agent To Attack LLM Applications Like a Real Adversary
      "Most enterprise software development teams now ship AI-powered applications faster than traditional penetration testing can keep up with. A security team with 500 applications may test each one once a year, or less. In the time between tests, the underlying models, integrations, and behaviors can change, with no corresponding security review. Novee launched a product it calls AI Red Teaming for LLM Applications, an AI pentesting agent built specifically to probe LLM-powered software. The company introduced the product at RSAC 2026 Conference in San Francisco and is demonstrating it at booth S-0262."
      https://www.helpnetsecurity.com/2026/03/25/novee-ai-pentesting-agent/
    • Your Security Stack Looks Fine From The Dashboard And That’s The Problem
      "One in five enterprise endpoints is operating outside a protected and enforceable state on any given day, according to device telemetry collected across tens of millions of corporate PCs. That figure, drawn from Absolute Security’s 2026 Resilience Risk Index, has barely moved in a year, even as organizations continue to add security tools and increase spending. The report, which draws on multi-year endpoint telemetry alongside external research, finds that the gap between security deployment and security enforcement is widening. Controls are installed. Dashboards report coverage. The underlying devices are frequently in a different condition."
      https://www.helpnetsecurity.com/2026/03/25/ciso-enterprise-endpoint-security-gaps/
    • Operation Henhouse Nets Over 500 Arrests In UK Fraud Crackdown
      "UK police arrested over 500 suspects and moved to seize and freeze millions connected to suspected fraud in the latest iteration of Operation Henhouse, the National Crime Agency (NCA) has revealed. Now in its fifth year, the law enforcement operation is led by the NCA and City of London Police. They claimed this year was the strongest yet in the fight against offline and digital fraud. It led to 557 arrests, 172 voluntary interviews and 249 cease-and-desist notices, as well as account freezing orders against £9m ($12m), and seizures of cash and assets worth £18.1m ($24.3m)."
      https://www.infosecurity-magazine.com/news/police-fraud-crackdown-leads-to/
    • Anatomy Of a Cyber World Global Report 2026
      "Kaspersky Security Services provide a comprehensive cybersecurity ecosystem, taking enterprise threat protection to another level. Services like Kaspersky Managed Detection and Response and Compromise Assessment allow for timely detection of threats and cyberattacks. SOC Consulting provides a practical approach ensuring the corporate infrastructure stays secured, while Incident Response is suited for timely remediation with a maximized recovery rate. This new report brings together statistics across regions and industries from our Managed Detection and Response and Incident Response services, and for the first time, it also includes insights from our Compromise Assessment and SOC Consulting services — all to provide you with a more comprehensive view of different aspects of corporate information security worldwide."
      https://securelist.com/global-report-security-services-2026/119233/
    • North America’s Cyber Security Threat Reality In 2026
      "The North America cyber security statistics are out. Cyber risk in North America accelerated, concentrated, and repeated itself at scale in 2025. Data from the 2025 North America Threat Landscape Report shows a threat environment defined less by surprise and more by pressure. The same attack types, the same actors, and the same windows of opportunity appeared again and again, particularly in the United States, which accounted for roughly 93 percent of all recorded incidents in the Americas (note: this is all publicly recorded incidents, not attempted attacks). Three dynamics stand out, each shaping how organizations experienced risk over the past year and what they should expect next."
      https://blog.checkpoint.com/research/north-americas-cyber-security-threat-reality-in-2026/
      https://checkpoint.cyberint.com/north-america-threat-landscape-2025
    • Enterprise PCs Are Unreliable, Unpatched, And Unloved Compared To Macs
      "End-user compute vendor Omnissa, the company formed by the spin-out of VMware’s virtual desktops, applications, and device management biz, has dug into the telemetry it collects from customers and painted a picture of the world’s enterprise hardware fleet – and the news is better for Google and Apple than it is for Microsoft. Omnissa’s State of Digital Workspace report suffers from the same problem as all research published by vendors in that its authors conclude its findings demonstrate many fine reasons why you should consider the company’s products."
      https://www.theregister.com/2026/03/25/omnissa_digital_workspace_report/
    • Cloud Workload Security: Mind The Gaps
      "Complexity is said to be the enemy of many things, but when it comes to organizations and their IT systems and processes, complexity is arguably the worst enemy of cybersecurity. For many IT and security practitioners, this plays out daily as they scramble to manage what IBM once called a "Frankencloud," a patchwork of private and public cloud environments, often further entangled with various on-premise and possibly legacy resources. The ease with which some cloud assets, notably virtual machines, can be spun up contrasts sharply with the reality of keeping them hardened and monitored once they begin to multiply. The machine and software sprawl often produces environments that are heterogeneous and beset by inconsistent rules, which ultimately makes them difficult to defend."
      https://www.welivesecurity.com/en/business-security/cloud-workload-security-mind-gaps/
    • Ex-NSA Directors Discuss 'Red Line' For Offensive Cyberattacks
      "When it comes to cyberattacks, what crosses the "red line" and justifies a kinetic response? That was one of the major questions posed to four former National Security Agency (NSA) directors and US Cyber Command leaders, who weighed in on the US government's offensive cybersecurity strategy as part of a keynote panel at RSAC 2026 Conference on Tuesday. The keynote, titled "Inside Offensive Cyber: Lessons from Four NSA Directors" featured Tim Haugh, Paul Nakasone, Mike Rogers, and Keith Alexander. Alexander was appointed by former President Barack Obama to establish and lead the US Cyber Command, and was succeeded in the post by Rogers, Nakasone, and Haugh, respectively."
      https://www.darkreading.com/cyber-risk/ex-nsa-directors-red-line-offensive-cyberattacks
    • The Agentic AI Attack Surface: Prompt Injection, Memory Poisoning, And How To Defend Against Them
      "The rise of agentic systems is changing how organizations think about defense and risk. As enterprises embrace autonomous decision-making, the agentic AI attack surface expands in ways that traditional security models were never designed to handle. These systems don’t just process inputs; they interpret goals, make decisions, and act independently. That shift introduces a new category of AI security vulnerabilities, where manipulation doesn’t target code directly but the reasoning layer itself. Two new threats, prompt injection attacks and memory poisoning in AI, are quickly becoming central concerns in agentic AI security. Understanding how they work and how to defend against them is more than critical for any organization deploying autonomous systems at scale."
      https://cyble.com/blog/prompt-injection-attacks-agentic-ai-security/
    • The 'Expert' AI Prompt That Kills Accuracy
      "A coder tells its chatbot: You're an expert. A full stack developer. It's a machine massaging technique that's a cornerstone of persona-based artificial intelligence prompting - and it backfires spectacularly, find academics in a study showing the practice produces worse results when the goal is accuracy. Researchers at the University of Southern California report the findings in a preprint. The study found that the effect of stoking a large language model with the "you're an expert" prompt consistently damaged performance. Their advice is to avoid persona-based prompts for tasks that require models to tap into their pre-trained knowledge - the heaps of coding examples fed into models before they're ready to interact with customers."
      https://www.bankinfosecurity.com/expert-ai-prompt-that-kills-accuracy-a-31170
      https://arxiv.org/abs/2603.18507
    • Blame Game: Why Public Cyber Attribution Carries Risks
      "Questions about threat actor attribution, including how to do it and why you might want to hold off, are not as straightforward as they may first seem. Attribution is a wide-ranging topic that mostly boils down to "Whodunnit?" for cyberattacks. Depending on the attack and various circumstances, you may read somewhere that a bespoke threat group, such as a ransomware gang, compromised an organization's network. Sometimes it's a "cluster," designed to connect a pattern of activity without strictly connecting a threat actor or nation to that activity with complete certainty. Often, a cybersecurity vendor will use their own custom naming taxonomy to track threat groups, like Salt Typhoon or Sandworm, even though the threat actors themselves would never use those names."
      https://www.darkreading.com/cyber-risk/blame-game-public-cyber-attribution-risks
    • SANS: Top 5 Most Dangerous New Attack Techniques To Watch
      "Each year SANS researchers head to the RSAC Conference to reveal the five top attack techniques. But 2026 marks a distinct shift: all are powered by artificial intelligence. "We would be lying to you if we pointed out a trend in attacks that did not involve AI," SANS president and presentation moderator Ed Skoudis explained to the audience during a keynote session covering the Top 5. "That is just where we are in the industry.""
      https://www.darkreading.com/threat-intelligence/sans-most-dangerous-attack-techniques
    • Why a 'Near Miss' Database Is Key To Improving Information Sharing
      "When people talk about transparency in cybersecurity, they are usually referring to organizations disclosing breaches and incidents. At RSAC Conference this week, two security experts made the case for why success stories deserve equal attention, and why focusing on near-misses can strengthen security defenses. Wendy Nather, senior research initiatives director at 1Password and Bob Lord, head of consumer working group at hacklore.org, emphasized how the industry needs to prioritize transparency, and outlined ways to do so – starting with sharing near-misses. Information sharing, which encompasses threat intelligence, indicators of compromise, and reports of vulnerability exploitation, is an essential component to combat and stay ahead of cyber threats. The victim blame game, shame, finger-pointing, and regulatory punishments contribute to a lack of transparency, particularly when it comes to ransomware. But that needs to change if organizations want to be proactive, even when it feels daunting."
      https://www.darkreading.com/cyber-risk/experts-near-miss-database-improve-information-sharing

    Source
    Electronic Transactions Development Agency (ETDA)

    Posted in Cyber Security News
  • 🚨 Alert! Citrix has released patches for critical vulnerabilities in its NetScaler products; users are urged to update immediately

    The National Computer Security Coordination Center (ThaiCERT) has been monitoring security vulnerabilities detected in Citrix products, in particular Citrix NetScaler ADC and NetScaler Gateway, which are critical appliances used to deliver network services and remote access from outside the organization. Security researchers report that these vulnerabilities are at high risk of being used in attacks in the near future.

    1. Vulnerability details [1]
      Citrix has published a security advisory for vulnerabilities in NetScaler, an Application Delivery Controller (ADC) appliance or software that acts as an intermediary for delivering an organization's applications, including load balancing, external connectivity (Gateway/VPN) and user session management. The vulnerabilities may allow an attacker to read data from system memory, such as session tokens or other sensitive data, without authorization, and could be used as a route to gain access or expand an attack within the environment. Because NetScaler is typically deployed as the main junction between an organization's internal and external networks, a successful attack could have a wide impact on internal systems. The key vulnerabilities are:

    1.1 CVE-2026-3055 (CVSS v4.0: 9.3) is an Insufficient Input Validation vulnerability leading to an Out-of-Bounds Read of memory, which may allow an unauthenticated attacker to send specially crafted requests to a NetScaler appliance and read sensitive data from system memory, such as session tokens or other sensitive information.

    This vulnerability only affects appliances configured as a SAML Identity Provider (SAML IdP), a mechanism for Single Sign-On (SSO) authentication in which the appliance verifies the user's identity and issues authentication assertions used to access other systems. The default configuration is not affected.

    1.2 CVE-2026-4368 (CVSS v4.0: 7.7) is a Race Condition vulnerability that may lead to a User Session Mix-up, in which users' sessions are swapped. It affects appliances configured as a Gateway (e.g. SSL VPN, ICA Proxy, CVPN, RDP Proxy) or as an Authentication, Authorization and Accounting (AAA) virtual server, the components used to control access and authenticate users.

    2. Potential impact
      If an attacker successfully exploits these vulnerabilities, the organization's systems may be affected as follows:
      2.1 An attacker can read sensitive data from system memory without authentication, such as session tokens or other sensitive information.
      2.2 An attacker may hijack sessions or gain access to other users' accounts.
      2.3 An attacker may use the appliance as a starting point for access to the internal network (Initial Access).
      2.4 User sessions may be swapped (User Session Mix-up), undermining the integrity of the authentication process.

    3. Affected products [2]
      The vulnerabilities affect the following Citrix products:
      CVE-2026-3055:
      • Citrix NetScaler ADC versions before 14.1-66.59
      • Citrix NetScaler ADC versions before 13.1-62.23
      • Citrix NetScaler ADC 13.1-FIPS and 13.1-NDcPP versions before 13.1-37.262
      CVE-2026-4368:
      • Citrix NetScaler ADC versions before 14.1-66.54

    4. Remediation for administrators
      Administrators should take the following actions:
      4.1 Update the Citrix NetScaler products in use to the latest versions in which the vendor has patched the vulnerabilities, as soon as possible. Further update information is available at https://dg.th/ds0mpj3ybk
      4.2 Check whether the system configuration meets the conditions under which the vulnerabilities can be exploited, by inspecting the appliance's configuration file as follows:
      4.2.1 For CVE-2026-3055
      The system should be considered exposed if the configuration file contains the following command:
      • add authentication samlIdPProfile
      4.2.2 For CVE-2026-4368
      The system should be considered exposed if the configuration file contains either of the following commands:
      • add authentication vserver
      • add vpn vserver
      4.3 Review and monitor system logs for anomalous behaviour that may indicate attempted exploitation.
      4.4 Restrict access to the appliance from external networks and allow only the sources that are necessary.
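    As an added illustration of the checks in 4.2 combined with the fixed builds listed in section 3 (example code written for this page, not ThaiCERT's or Citrix's own tooling), the script below takes a NetScaler version string of the form "14.1-66.59" and an ns.conf excerpt and reports, per CVE, whether the build predates the fix and whether the exposing configuration commands are present. The sample configuration is constructed; the fips_or_ndcpp flag is an assumption used to select the 13.1-FIPS/NDcPP fixed build.

```python
"""Assess a NetScaler build and ns.conf excerpt against CVE-2026-3055 and
CVE-2026-4368 using the fixed builds and configuration commands from the
advisory above. Added example, not vendor or ThaiCERT tooling."""
import re
from typing import Dict, List, Optional, Tuple

# First fixed build per release branch, from section 3 of the advisory.
# Key: (release, fips_or_ndcpp). A branch not listed for a CVE is absent.
FIXED_BUILDS: Dict[str, Dict[Tuple[str, bool], Tuple[int, int]]] = {
    "CVE-2026-3055": {
        ("14.1", False): (66, 59),
        ("13.1", False): (62, 23),
        ("13.1", True): (37, 262),   # 13.1-FIPS and 13.1-NDcPP
    },
    "CVE-2026-4368": {
        ("14.1", False): (66, 54),
    },
}

# Configuration commands whose presence puts the appliance in the affected
# configuration (section 4.2 of the advisory).
EXPOSING_COMMANDS: Dict[str, Tuple[str, ...]] = {
    "CVE-2026-3055": ("add authentication samlIdPProfile",),
    "CVE-2026-4368": ("add authentication vserver", "add vpn vserver"),
}

# Version strings look like "<release>-<build>.<minor>", e.g. "14.1-66.59".
_VERSION_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)$")


def parse_version(version: str) -> Tuple[str, Tuple[int, int]]:
    """Split '14.1-66.59' into ('14.1', (66, 59)); ValueError on bad input."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {version!r}")
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def version_is_vulnerable(cve: str, version: str,
                          fips_or_ndcpp: bool = False) -> Optional[bool]:
    """True if the build predates the fix, False if it is fixed, None if the
    advisory lists no fixed build for this branch (consult the vendor bulletin)."""
    release, build = parse_version(version)
    fixed = FIXED_BUILDS[cve].get((release, fips_or_ndcpp))
    if fixed is None:
        return None
    return build < fixed


def exposing_commands_present(cve: str, config_text: str) -> List[str]:
    """Return the ns.conf lines that enable the affected feature for this CVE.
    Blank lines and '#' comments are ignored; the command must be followed by
    a space (an object name) or end the line, so prefixes do not false-match."""
    hits: List[str] = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        for cmd in EXPOSING_COMMANDS[cve]:
            if line == cmd or line.startswith(cmd + " "):
                hits.append(line)
    return hits


def assess(version: str, config_text: str,
           fips_or_ndcpp: bool = False) -> Dict[str, dict]:
    """Per CVE: unpatched build? exposing commands? 'exposed' is True only when
    both hold, matching the advisory (a default configuration is not exposed)."""
    report: Dict[str, dict] = {}
    for cve in FIXED_BUILDS:
        vuln = version_is_vulnerable(cve, version, fips_or_ndcpp)
        cmds = exposing_commands_present(cve, config_text)
        report[cve] = {
            "version_vulnerable": vuln,
            "exposing_commands": cmds,
            "exposed": bool(vuln) and bool(cmds),
        }
    return report


# Constructed sample ns.conf excerpt (not from a real appliance): a Gateway
# virtual server, an AAA virtual server and a SAML IdP profile are all present,
# so both feature conditions from section 4.2 are met.
SAMPLE_CONFIG = """\
# constructed example configuration
add vpn vserver vpn_gw SSL 203.0.113.10 443
add authentication vserver aaa_vs SSL 203.0.113.11 443
add authentication samlIdPProfile idp_prof
set ns hostName ns-example
"""

if __name__ == "__main__":
    for cve, r in assess("14.1-66.50", SAMPLE_CONFIG).items():
        state = "EXPOSED" if r["exposed"] else "not exposed"
        print(f"{cve}: {state} (unpatched={r['version_vulnerable']}, "
              f"commands={r['exposing_commands']})")
```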

    5. Additional recommendations
      Although no exploitation of these vulnerabilities has been reported to date, NetScaler vulnerabilities have repeatedly served as the initial access vector in attacks on organizations in the past, so attackers may develop tooling against unpatched systems in the near future. Administrators should therefore apply the patches as soon as possible and monitor their systems continuously.

    📢 ThaiCERT urges organizations using Citrix products to check and apply the patches immediately to protect against the risk of data leakage and unauthorized system access.
    References
    [1] https://dg.th/pa1437dq5g
    [2] https://dg.th/ds0mpj3ybk


    Posted in Cyber Security News
  • International police operation "Operation Alice" takes down more than 373,000 dark web sites exploiting children


    Posted in Cyber Security News
  • Nasir Security group targets energy companies in the Middle East


    Posted in Cyber Security News
  • New "CanisterWorm" malware attacks Kubernetes via npm and drops the Kamikaze wiper to destroy data and systems


    Posted in Cyber Security News
  • Urgent! Ubiquiti warns of vulnerabilities in the UniFi Network Application; administrators are urged to check and remediate immediately

    The Thailand Computer Emergency Response Team (ThaiCERT) has been monitoring reports of cyber threats affecting the Ubiquiti UniFi Network Application, which could be used to attack systems or escalate an attacker's privileges, and alerts the administrators concerned to investigate and remediate as soon as possible.

    1. Vulnerability details
      Ubiquiti has published a security advisory (Security Advisory Bulletin 062) [1] on vulnerabilities in the Ubiquiti UniFi Network Application, with the following details:
      1.1 A Path Traversal vulnerability, CVE-2026-22557 (CVSSv3.1 score: 10.0) [2]. An attacker can use this vulnerability to access files on the system without authorization, which may lead to disclosure of sensitive data or be used to take over user accounts and the system.
      1.2 An Authenticated NoSQL Injection vulnerability, CVE-2026-22558 (CVSSv3.1 score: 7.7) [3]. An attacker who already has access to the system can use this vulnerability to send malicious commands through the database in order to escalate privileges (Privilege Escalation) and access resources they are not authorized for.

    2. Affected products
      2.1 Official Release: UniFi Network Application version 10.1.85 and earlier
      2.2 Release Candidate: UniFi Network Application version 10.2.93 and earlier
      2.3 UniFi Express (UX): UniFi Network Application version 9.0.114 and earlier

    3. Remediation
      There is currently no effective workaround, so administrators should update the UniFi Network Application to a fixed version immediately, as follows:
      3.1 Official Release: update the UniFi Network Application to version 10.1.89 or later
      3.2 Release Candidate: update the UniFi Network Application to version 10.2.97 or later
      3.3 UniFi Express (UX): update the UniFi Express firmware to version 4.0.13 or later, which updates the UniFi Network Application to version 9.0.118 or later

    4. Additional security recommendations
      4.1 Review historical usage logs for anomalous behaviour or attempted attacks
      4.2 Monitor access to the system from untrusted sources
      4.3 Restrict user privileges according to the principle of Least Privilege
      4.4 Use Multi-Factor Authentication (MFA) where supported
      4.5 Apply security patches for the system and related software regularly
      4.6 Back up critical data regularly so that it can be restored after an adverse event

    5. References
      [1] https://dg.th/adm6slfevx
      [2] https://dg.th/e0lg7k23r1
      [3] https://dg.th/fy23zu0q6p


    Posted in Cyber Security News
  • Cyber Threat Intelligence 25 March 2026

    Energy Sector

    • DoE Publishes 5-Year Energy Security Plan
      "Energy, especially electricity, could be described as the most critical industry – all other critical industries are fundamentally dependent on access to energy. It is essential for people’s daily lives (citizens), business operation (economy), and national security (the nation). As such, it is a primary target for criminals, hacktivists, and adversarial nation state actors. The office of Cybersecurity, Energy Security, and Emergency Response (CESER, part of the U.S. Department of Energy) has published a three-pronged 5-year security plan for the fiscal years 2026 to 2030. The three prongs (or goals of the plan) are to develop ‘world-class’ security technologies, to harden the US energy infrastructure, and establish emergency preparedness for response and recovery from incidents."
      https://www.securityweek.com/doe-publishes-5-year-energy-security-plan/
      https://ismg-cdn.nyc3.cdn.digitaloceanspaces.com/asset_files/external/ceser-strategic-plan2026-2030.pdf

    Vulnerabilities

    Malware

    • Checkmarx KICS Code Scanner Targeted In Widening Supply Chain Hit
      "Hard on the heels of a broad supply chain attack that impacted the Aqua Security-maintained Trivy open source security-scanner project, Checkmarx on Tuesday disclosed that attackers had compromised a version of Keeping Infrastructure as Code Secure (KICS), the open source static code analysis project that it develops and maintains. Specifically, the cybercriminals infiltrated KICS GitHub Action, which organizations use to run KICS scans within their CI/CD pipelines, and poisoned multiple versions of the software. Any organization that had its automated CI/CD pipelines configured to run the KICS GitHub Action during a four-hour window on the morning of March 23 could potentially be impacted, Checkmarx said."
      https://www.darkreading.com/application-security/checkmarx-kics-code-scanner-widening-supply-chain
      https://checkmarx.com/blog/checkmarx-security-update/
      https://thehackernews.com/2026/03/teampcp-hacks-checkmarx-github-actions.html
    • TeamPCP Isn't Done: Threat Actor Behind Trivy And KICS Compromises Now Hits LiteLLM's 95 Million Monthly Downloads On PyPI
      "On March 24, 2026, Endor Labs identified that litellm versions 1.82.7 and 1.82.8 on PyPI contain malicious code not present in the upstream GitHub repository. litellm is a widely used open source library with over 95 million monthly downloads. It lets developers route requests across LLM providers through a single API. Both compromised versions include a backdoored file that decodes and executes a hidden payload the moment the file is imported. Version 1.82.8 goes further: it installs a .pth file that runs the payload on any Python invocation, even if litellm is never imported. Version 1.82.6 is the last known-clean release."
      https://www.endorlabs.com/learn/teampcp-isnt-done
      https://www.bleepingcomputer.com/news/security/popular-litellm-pypi-package-compromised-in-teampcp-supply-chain-attack/
      https://thehackernews.com/2026/03/teampcp-backdoors-litellm-versions.html
      https://www.theregister.com/2026/03/24/trivy_compromise_litellm/
    • Someone Has Publicly Leaked An Exploit Kit That Can Hack Millions Of iPhones
      "Last week, cybersecurity researchers uncovered a hacking campaign targeting iPhone users that used an advanced hacking tool called DarkSword. Now someone has leaked a newer version of DarkSword and published it on the code-sharing site GitHub. Researchers are warning that this will allow any hacker to easily use the tools to target iPhone users running older versions of Apple’s operating systems who have not yet updated to its latest iOS 26 software. This likely affects hundreds of millions of actively used iPhones and iPads, according to Apple’s own data on out-of-date devices."
      https://techcrunch.com/2026/03/23/someone-has-publicly-leaked-an-exploit-kit-that-can-hack-millions-of-iphones/
      https://cyberscoop.com/darksword-iphone-spyware-leak-ios-18-exploit-threat/
      https://hackread.com/darksword-iphone-exploit-leaked-online/
    • OpenClaw Trap: AI-Assisted Lure Factory Targets Developers & Gamers
      "Netskope Threat Labs identified a link to a malware campaign operating across multiple GitHub repositories, spanning over 300 delivery packages, including an OpenClaw deployment, an AI developer tool lure, a Telegram-promoted phone tracker, a Fishing Planet game cheat, Roblox scripts, crypto bots, and VPN crackers—all distributing LuaJIT payloads. The lure names suggest AI-assisted generation: obscure biological taxonomy, archaic Latin, and medical terminology applied systematically at scale. Each victim is geolocated, and their desktop screenshot is sent to a server in Frankfurt. We are tracking this cluster as the TroyDen’s Lure Factory."
      https://www.netskope.com/blog/openclaw-trap-ai-assisted-lure-factory-targets-developers-gamers
      https://www.darkreading.com/application-security/github-openclaw-deployer-repo-delivers-trojan
      https://www.helpnetsecurity.com/2026/03/24/github-malware-split-payload/
    • Silver Fox: The Only Tax Audit Where The Fine Print Installs Malware
      "Since early 2025, TDR has focused on tracking Silver Fox, a China-based intrusion set. Originally known for financially motivated attacks, the group has been shifting toward more sophisticated, APT-style operations since at least 2024. This dual focus reflects a broader trend observed throughout 2025, which is the increasingly blurred lines between financially motivated cybercrime operators and state-sponsored espionage. Silver Fox relies on ValleyRAT (aka Winos), which can be considered as its primary modular backdoor. Despite the leak of the ValleyRAT builder in March 2025, the intrusion set continued to use it, exploiting a zero-day driver plugin and using a kernel-mode rootkit likely for intelligence collection. In addition, Silver Fox relies on other malicious payloads like HoldingHands, which is a variant of Gh0st RAT. Rather than replacing ValleyRAT, it appears to be deployed alongside it to achieve specific operational goals."
      https://blog.sekoia.io/silver-fox-the-only-tax-audit-where-the-fine-print-installs-malware/
      https://www.infosecurity-magazine.com/news/silver-fox-cyber-dual-espionage/
    • Fake Install Logs In Npm Packages Load RAT
      "When it comes to supply chain attacks, last year was a lot for software security teams to get their heads around. There were several large scale attacks that struck npm repositories, the most impactful being Shai-hulud — the first open source package repository worm. Then there were several smaller campaigns that didn’t have as big of an impact, but were very important nonetheless. In February 2026, for example, the ReversingLabs research team documented a North Korea connected campaign we dubbed “Graphalgo.” That campaign started in May 2025, and is part of a larger fake job recruiter scheme conducted by North Korea-backed hackers and targeting crypto developers. It is ongoing, phishing developers with fake job interviews and using “coding tests” as a pretext for pushing downloaders to developers’ systems that retrieve a custom remote access trojan (RAT) as the final stage."
      https://www.reversinglabs.com/blog/npm-fake-install-logs-rat
      https://thehackernews.com/2026/03/ghost-campaign-uses-7-npm-packages-to.html
      https://www.infosecurity-magazine.com/news/npm-ghost-campaign-fake-install/
    • From W-2 To BYOVD: How a Tax Search Leads To Kernel-Mode AV/EDR Kill
      "As the saying goes, only two things are guaranteed in life: death and taxes. But, with the April 15 tax filing deadline quickly approaching, there's a third guarantee that threat actors have learned to count on: millions of users searching for the same tax forms, under time pressure, trusting the first Google result they see. During retrospective threat hunting, the Huntress Tactical Response team recently uncovered a large-scale malvertising campaign that has been active since at least January 2026, targeting U.S.-based individuals searching for tax-related documents. The lures are specifically U.S. tax forms (W-2, W-9), and the fake landing pages reference IRS compliance, casting a wide net across employees, freelancers, contractors, and small businesses during filing season. The campaign abuses Google Ads to serve rogue ScreenConnect (ConnectWise Control) installers, ultimately delivering a BYOVD EDR killer that drops a kernel driver to blind security tools before further compromise. Across our customer base, we reported over 60 instances of rogue ScreenConnect sessions tied to this campaign being used as the initial access vector."
      https://www.huntress.com/blog/w2-malvertising-to-kernel-mode-edr-kill
      https://thehackernews.com/2026/03/tax-search-ads-deliver-screenconnect.html
    • Analyzing FAUX#ELEVATE: Threat Actors Target France With CV Lures To Deploy Crypto Miners And Infostealers Targeting Enterprise Environments
      "Securonix threat researchers have been tracking an ongoing campaign targeting French-speaking corporate environments through fake resumes. The campaign uses a highly obfuscated VBScript file disguised as resume/CV documents, delivered through phishing emails. Once executed, the malware deploys a multi-purpose toolkit that combines credential theft, data exfiltration, and Monero cryptocurrency mining for maximum monetization. What makes this campaign notable is the dropper’s extreme approach to evasion. Of its 224,471 lines, only 266 lines (0.12%) are actual executable code; the remainder consists entirely of junk VBS comments sourced from real English sentences. The malware also uses a domain-join gate using WMI, ensuring that payloads are only delivered on enterprise machines, and standalone home systems are excluded entirely. The campaign uses Dropbox for payload hosting, compromised Moroccan WordPress sites for C2 configuration, and mail.ru SMTP infrastructure for exfiltrating stolen browser credentials and desktop files."
      https://www.securonix.com/blog/faux-elevate-threat-actors-crypto-miners-and-infostealers/
      https://thehackernews.com/2026/03/hackers-use-fake-resumes-to-steal.html
    • Stryker Says Malware Was Involved In Recent Cyberattack As Production Lines Reopen
      "The medical device firm Stryker said it is ramping production lines back up two weeks after alleged Iranian cyber actors wiped more than 200,000 company devices. The company sought to reassure customers in a notice on Monday, sharing a letter from cybersecurity firm Palo Alto Networks confirming that the hackers behind the incident have been removed from Stryker systems. Stryker officials said they are in the process of rebuilding the wiped systems or restoring them from backups predating the known window of compromise to further prevent threat actors from reentering. The impacted systems that have not been restored yet are isolated from the network."
      https://therecord.media/stryker-cyberattack-malware-iran
      https://www.securityweek.com/stryker-says-malicious-file-found-during-probe-into-iran-linked-attack/
    • Threat Brief: Recruiting Scheme Impersonating Palo Alto Networks Talent Acquisition Team
      "Since August 2025, Unit 42 has tracked a series of sophisticated phishing campaigns where attackers impersonate Palo Alto Networks talent acquisition staff. These attacks specifically target senior-level professionals by leveraging scraped LinkedIn data to craft highly personalized lures. The specific attack vector uses social engineering to manufacture a bureaucratic barrier regarding the candidate’s curriculum vitae (CV) and push the candidate toward taking actions such as reformatting their resumes for a fee."
      https://unit42.paloaltonetworks.com/phishing-attackers-pose-as-panw-recruiters/
    • Android Devices Ship With Firmware-Level Malware
      "In late February 2026, SophosLabs analysts identified multiple detections on Android devices for malicious activity associated with the Keenadu backdoor. According to Kaspersky, Keenadu is a firmware infection embedded in the libandroid_runtime.so (shared object library) that injects itself into the Zygote process. As Zygote is the parent process for all Android apps, an attacker effectively gains total control over an infected device. Keenadu acts as a downloader for second-stage malware modules that can be used to target the data in multiple applications. All Android apps rely on libandroid_runtime.so to run, so a copy of Keenadu is copied into the address space of every app installed on an infected device."
      https://www.sophos.com/en-us/blog/android-devices-ship-with-firmware-level-malware
    • OpenClaw Developers Targeted In Crypto-Wallet Phishing Attack
      "OX Security has detected an active phishing campaign abusing the OpenClaw name and spreading through GitHub. The threat actor creates fake GitHub accounts, opens issue threads in attacker-controlled repositories, and tags dozens of GitHub developers. The posts claim that recipients have won $5,000 worth of CLAW tokens and can collect them by visiting a linked site and connecting their crypto wallet. The linked site is an almost identical clone of openclaw.ai, with one key difference: it adds a “Connect your wallet” button designed to initiate wallet theft."
      https://www.ox.security/blog/openclaw-github-phishing-crypto-wallet-attack/

    Breaches/Hacks/Leaks

    General News

    • India’s Evolving Cyber Threat Landscape: State-Sponsored Attacks, Hacktivism, And What’s Next In 2026
      "The India cyber threat landscape 2026 is no longer defined by isolated incidents or opportunistic attacks. It has become a dynamic, constantly shifting battleground shaped by geopolitical tensions, rapid digitization, and highly advanced hackers. What once looked like sporadic cybercrime has matured into a layered ecosystem of state-sponsored cyber attacks, organized ransomware groups, and a growing wave of Hacktivism in India. Recent threat intelligence observations reveal a new pattern: attackers are not only becoming more capable, but also more strategic. They are targeting supply chains, exploiting systemic weaknesses, and adapting their methods faster than most organizations can respond."
      https://cyble.com/blog/india-cyber-threat-landscape-2026-attacks-trends/
    • Measuring Security Performance In Real-Time, Not Once a Quarter
      "Most organizations have invested heavily in security products over the past decade. The assumption embedded in that spending is that more tools equal better protection. Tim Nan, CEO of digiDations, says that assumption is the most persistent misconception he encounters when working with security leaders across industries. “Adversaries don’t operate on averages,” Nan says. “They only need one path that works. The issue isn’t whether your defenses work most of the time. It’s whether they ever fail in a way that can be chained into a real attack.”"
      https://www.helpnetsecurity.com/2026/03/24/tim-nan-digidations-continuous-security-validation/
    • Russian Citizen Sentenced To Prison For Hacking Into U.S. Companies And Enabling Major Cybercrime Groups To Extort Tens Of Millions Of Dollars
      "A court in the Southern District of Indiana today sentenced a Russian citizen, Aleksei Volkov, to 81 months in prison for assisting major cybercrime groups, including the Yanluowang ransomware group, in carrying out numerous attacks against U.S. companies and other organizations. Volkov facilitated dozens of ransomware attacks throughout the United States, causing over $9 million in actual losses and over $24 million in intended losses. Volkov was indicted for this activity in both the Southern District of Indiana and Eastern District of Pennsylvania. Police in Rome, Italy, then arrested Volkov, and he was extradited to the United States. He pleaded guilty to charges from both indictments."
      https://www.justice.gov/opa/pr/russian-citizen-sentenced-prison-hacking-us-companies-and-enabling-major-cybercrime-groups
      https://thehackernews.com/2026/03/us-sentences-russian-hacker-to-675.html
      https://www.bleepingcomputer.com/news/security/yanluowang-ransomware-access-broker-gets-81-months-in-prison/
      https://therecord.media/hacker-russian-ransomware-sentenced-doj
      https://cyberscoop.com/aleksei-volkov-russian-initial-access-broker-sentenced-ransomware/
      https://www.infosecurity-magazine.com/news/russian-initial-access-broker/
      https://securityaffairs.com/189900/cyber-crime/81-month-sentence-for-russian-hacker-behind-major-ransomware-campaigns.html
      https://www.theregister.com/2026/03/24/russian_iab_sentenced/
      https://www.helpnetsecurity.com/2026/03/24/russian-initial-access-broker-sentenced-ransomware-attacks/
    • Ransomware's New Era: Moving At AI Speed
      "Ransomware is not only growing; threat actors are accelerating the pace of their attacks by using offensive tools to exploit valid credentials and hit targets with speed and precision. The practice has undergone big changes over the past five years. Initially, attacks focused on encrypting data; now, threat actors threaten to extract it to pressure victims into paying. Double-extortion tactics quickly shifted to triple-extortion threats to expose stolen data. Threat actors also transitioned from extorting companies to contacting victims directly — whatever it takes to rake in the cash."
      https://www.darkreading.com/endpoint-security/ransomware-new-era-moving-ai-speed
      https://www.halcyon.ai/lp/2026-security-leadership-survey-report
    • Gcore Radar Report Reveals 150% Surge In DDoS Attacks Year-On-Year
      "Gcore, the global infrastructure and software provider for AI, cloud, network, and security solutions, today announced the findings of its Q3-Q4 2025 Gcore Radar report on DDoS attack trends. The report reveals growing attack volumes, increasingly sophisticated tactics, and changes in attack locations driven by evolving botnet infrastructure. The DDoS attack landscape is at a clear inflection point: threats are not just growing; they are accelerating and diversifying. To prevent disruption, businesses must act quickly and adopt integrated solutions capable of detecting intent, analysing behaviour, and responding to threats across multiple attack surfaces."
      https://hackread.com/gcore-radar-report-reveals-150-surge-in-ddos-attacks-year-on-year/
    • Why Agentic AI Systems Need Better Governance – Lessons From OpenClaw
      "OpenClaw is an open-source platform for autonomous AI agents that you can self-host and run locally on your machine for task automation. Taking this platform to task, AI agents are now interacting with one another via an experimental social network for AI agents called Moltbook. Even an experienced AI security researcher at Meta learned that OpenClaw is not without its wild-west frontier status. An AI agent accidentally deleted her emails. This news has again put the spotlight on the nature of authority and agency granted to agentic AI systems, as well as the need for better security and governance."
      https://www.securityweek.com/why-agentic-ai-systems-need-better-governance-lessons-from-openclaw/
    • Poland Faced a Surge In Cyberattacks In 2025, Including a Major Assault On The Energy Sector
      "Poland experienced 2½ times more cyberattacks in 2025 compared to the previous year, and the numbers are constantly rising, a government official said Tuesday. The attacks included a destructive infiltration of the country’s energy system in December that was believed to be unprecedented among NATO and European Union members, and was suspected of originating in Russia. Over the last year, Poland was the target of 270,000 cyberattacks, Deputy Minister of Digital Affairs Paweł Olszewski said Tuesday. “We’ve been waging a war in cyberspace for many years now,” the official said. “The number of incidents and attacks has been increasing significantly and radically year after year.”"
      https://www.securityweek.com/poland-faced-a-surge-in-cyberattacks-in-2025-including-a-major-assault-on-the-energy-sector/
    • Iran Built a Vast Camera Network To Control Dissent. Israel Turned It Into a Targeting Tool
      "The role of Israel’s hijacking of Iran’s street cameras in the killing of the country’s supreme leader underscores how surveillance systems are increasingly being targeted by adversaries in wartime. Hundreds of millions of cameras have been installed above shops, in homes and on street corners across the world, many connected to the internet and poorly secured. Recent advances in artificial intelligence have enabled militaries and intelligence agencies to sift through vast amounts of surveillance footage and identify targets. On Feb. 28, Israel vividly demonstrated the potential of such systems to be hacked and used against adversaries when Israel tracked down Iranian leader Ayatollah Ali Khamenei with the help of Tehran’s own street cameras – despite repeated warnings that Iran’s surveillance systems had been compromised, according to interviews and an Associated Press review of leaked data, public statements and news reports."
      https://www.securityweek.com/iran-built-a-vast-camera-network-to-control-dissent-israel-turned-it-into-a-targeting-tool/
    • Enterprise Cybersecurity Software Fails 20% Of The Time, Warns Absolute Security
      "Endpoint cybersecurity software fails to protect one in five enterprise devices, leaving organizations vulnerable to cyber threats, research by Absolute Security has warned. This protection gap means that organizations face the equivalent of 76 days a year in which they’re providing cybercriminals with increased access to their network, potentially leading to data breaches and downtime. The findings come from Absolute Security’s 2026 Resilience Risk Index. The report, published on March 23, is based on analysis of device-level telemetry across tens of millions of enterprise endpoints, which have been validated as using endpoint management and cybersecurity software."
      https://www.infosecurity-magazine.com/news/cybersecurity-software-failure-20/

    References
    Electronic Transactions Development Agency (ETDA)

    Posted in Cyber Security News