Group details: Private

administrators

  • Drone attack on an AWS data center in the Middle East disrupts cloud services on a wide scale


    You can follow the news on the webboard or on Facebook NCSA Thailand

    Posted in Cyber Security News
  • Microsoft warns of a phishing campaign using OAuth redirects to deceive users and distribute malware



    Posted in Cyber Security News
  • CISA warns of a high-severity vulnerability in VMware Aria Operations, with reports of active exploitation



    Posted in Cyber Security News
  • Cyber Threat Intelligence 05 March 2026

    Industrial Sector

    • Cybersecurity Is Now The Price Of Admission For Industrial AI
      "Industrial organizations are accelerating AI deployment across manufacturing, utilities, and transportation and running straight into a security problem. Cisco’s 2026 State of Industrial AI Report, based on responses from more than 1,000 decision-makers across 19 countries, finds that cybersecurity has become the single largest obstacle to AI adoption, outranking skills gaps, integration challenges, and budget constraints. The shift is notable. In 2024, cybersecurity ranked third among external growth obstacles. By 2026, 40% of respondents cite it as a top barrier to AI adoption specifically, and 48% name it as their biggest networking challenge overall. The rise reflects the reality that connecting more assets and systems to support AI expands the attack surface in ways that traditional security approaches were not designed to handle."
      https://www.helpnetsecurity.com/2026/03/04/cisco-industrial-ai-cybersecurity/

    New Tooling

    • Mquire: Open-Source Linux Memory Forensics Tool
      "Linux memory forensics has long depended on debug symbols tied to specific kernel versions. These symbols are not installed on production systems by default, and sourcing them from external repositories creates a recurring problem: repositories go stale, kernel builds diverge, and analysts working incident response often find no published symbols for the exact kernel they need to examine. Trail of Bits published mquire to address this constraint. The open-source tool analyzes Linux memory dumps without requiring any external debug information."
      https://www.helpnetsecurity.com/2026/03/04/mquire-open-source-linux-memory-forensics-tool/
      https://github.com/trailofbits/mquire

    Vulnerabilities

    Malware

    • Fake LastPass Support Email Threads Try To Steal Vault Passwords
      "Password management software provider LastPass is warning users of a phishing campaign targeting its users with fake unauthorized account access alerts. The emails impersonate a LastPass representative by spoofing the display name and use subject lines crafted to mimic forwarded internal conversations between attackers and the company’s customer support team about a request to change the account’s primary email address. The email chains are forwarded to the target in an attempt to prompt them to respond to the suspicious activity with urgency and click on links named “report suspicious activity,” “disconnect and lock vault,” and “revoke device.”"
      https://www.bleepingcomputer.com/news/security/fake-lastpass-support-email-threads-try-to-steal-vault-passwords/
      https://securityaffairs.com/188911/security/lastpass-warns-of-spoofed-alerts-aimed-at-stealing-master-passwords.html
      https://www.securityweek.com/lastpass-warns-of-new-phishing-campaign/
    • Hacker Mass-Mails HungerRush Extortion Emails To Restaurant Patrons
      "Customers of restaurants using the HungerRush point-of-sale (POS) platform say they received emails from a threat actor attempting to extort the company, warning that restaurant and customer data could be exposed if HungerRush fails to respond. HungerRush is a restaurant technology provider that offers point-of-sale (POS), online ordering, delivery management, and payment processing software to help restaurants manage orders, customer information, and business operations. The company claims to work with over 16,000 restaurants, including Sbarro, Jet's Pizza, Fajita Pete's, Hungry Howie's, and many more."
      https://www.bleepingcomputer.com/news/security/hacker-mass-mails-hungerrush-extortion-emails-to-restaurant-patrons/
    • How a Brute Force Attack Unmasked a Ransomware Infrastructure Network
      "To most defenders, another brute-force alert on exposed RDP is background noise — bread-and-butter activity you triage and move past. For the Huntress Tactical Response Team, one of those “routine” alerts turned into something very different. As we pulled on a single successful login, we uncovered unusual credential-hunting behavior, a web of geo-distributed infrastructure, and a shady VPN service that all pointed toward a ransomware-as-a-service ecosystem and its initial access brokers. This post walks through how a noisy brute-force campaign became our doorway into that operation."
      https://www.bleepingcomputer.com/news/security/how-a-brute-force-attack-unmasked-a-ransomware-infrastructure-network/
    • Signed Malware Impersonating Workplace Apps Deploys RMM Backdoors
      "In February 2026, Microsoft Defender Experts identified multiple phishing campaigns attributed to an unknown threat actor. The campaigns used workplace meeting lures, PDF attachments, and abuse of legitimate binaries to deliver signed malware. Phishing emails directed users to download malicious executables masquerading as legitimate software. The files were digitally signed using an Extended Validation (EV) certificate issued to TrustConnect Software PTY LTD. Once executed, the applications installed remote monitoring and management (RMM) tools that enabled the attacker to establish persistent access on compromised systems."
      https://www.microsoft.com/en-us/security/blog/2026/03/03/signed-malware-impersonating-workplace-apps-deploys-rmm-backdoors/
      https://hackread.com/fake-zoom-teams-invites-malware-certificates/
    • Telegram As The New Operational Layer Of Cyber Threat Activity
      "Telegram is no longer just a messaging application. It has evolved into a primary operational playground for modern threat actors. What underground forums on Tor once represented, Telegram now replicates — but faster, more scalable, and significantly more accessible. Over the past few years, elements of the cybercriminal ecosystem have progressively shifted away from traditional darknet marketplaces and closed forums toward Telegram’s hybrid architecture of public channels, private groups, and automated bots. The barriers that once required Tor access, reputation building, and escrow systems have been replaced with instant channel creation, subscription-based malware distribution, real-time broadcasting, and bot-enabled commerce."
      https://www.cyfirma.com/research/telegram-as-the-new-operational-layer-of-cyber-threat-activity/
      https://hackread.com/telegram-used-sell-access-malware-stolen-logs/
    • Retaliatory Hacktivist DDoS Activity Following Operation Epic Fury/Roaring Lion
      "Since late February 2026, the Middle East has experienced unprecedented kinetic warfare. Following the collapse of nuclear negotiations and a period of internal Iranian instability, a massive, coordinated military campaign dubbed Operation Epic Fury by the United States, also known as Operation Roaring Lion in Israel, was launched on February 28, 2026. This military offensive, which resulted in the death of Iran’s supreme leader and the destruction of over 2,000 strategic targets, has acted as a primary catalyst for global hacktivist mobilization. As the physical conflict expands across many countries in the region, pro-Iranian and allied "axis of resistance" hacktivist groups have pivoted from baseline activity to aggressive, retaliatory distributed denial of service (DDoS) campaigns targeting government and financial infrastructure across the Middle East."
      https://www.radware.com/security/threat-advisories-and-attack-reports/ddos-activity-following-operation-epic-fury-roaring-lion/
      https://thehackernews.com/2026/03/149-hacktivist-ddos-attacks-hit-110.html
    • Malicious Packagist Packages Disguised As Laravel Utilities Deploy Encrypted RAT
      "Socket's Threat Research Team identified a remote access trojan (RAT) distributed across multiple Packagist (PHP) packages published by the threat actor nhattuanbl (nhattuanbl@gmail[.]com). Two packages, nhattuanbl/lara-helper and nhattuanbl/simple-queue, ship an identical payload in src/helper.php. A third package, nhattuanbl/lara-swagger, carries no malicious code itself but lists nhattuanbl/lara-helper as a hard Composer dependency, meaning that installing it pulls in the RAT automatically."
      https://socket.dev/blog/malicious-packagist-packages-disguised-as-laravel-utilities
      https://thehackernews.com/2026/03/fake-laravel-packages-on-packagist.html
    • Interplay Between Iranian Targeting Of IP Cameras And Physical Warfare In The Middle East
      "As highlighted in the Cyber Security Report 2026, cyber operations have increasingly become an additional tool in interstate conflicts, used both to support military operations and to enable ongoing battle damage assessment (BDA). During the 12-day conflict between Israel and Iran in June 2025, the compromise of cameras was likely used to support BDA and/or target-correction efforts. In the current Middle East conflict, Check Point Research has observed intensified targeting of cameras beginning in the first hours of hostilities, including a sharp increase in exploitation attempts against IP cameras not only in Israel but also across Gulf countries: specifically the UAE, Qatar, Bahrain, and Kuwait, as well as similar activity in Lebanon and Cyprus. This activity originated from multiple attack infrastructures that we attribute to several Iran-nexus threat actors."
      https://research.checkpoint.com/2026/interplay-between-iranian-targeting-of-ip-cameras-and-physical-warfare-in-the-middle-east/
      https://www.theregister.com/2026/03/04/iranian_hacking_attempts_ip_cameras/
    • “Malware, From The Outside!”: How a Threat Actor Used Fake OpenClaw Installers To Infect Systems With GhostSocks And Information Stealers
      "Information stealers continue to be an initial access vector for severe attacks against publicly facing systems, such as the Snowflake customer database compromise in 2024, and a Romanian oil pipeline operator compromise in 2026. This blog details an investigation into malicious GitHub repositories posing as OpenClaw installers that were available between the 2nd and 10th of February 2026. The OpenClaw installers were fake with low detection rates, and distributed information stealers that used a novel packer called Stealth Packer."
      https://www.huntress.com/blog/openclaw-github-ghostsocks-infostealer
      https://www.theregister.com/2026/03/04/fake_openclaw_installers_malware/

    General News

    References
    Electronic Transactions Development Agency (ETDA)

    Posted in Cyber Security News
  • 🚨 Use of the AI tool "CyberStrikeAI" detected in attacks on FortiGate devices 🚨

    ThaiCERT (the National Computer Security Coordination Center) has been monitoring the cyber security situation. Researchers at Team Cymru detected threat actors using an open-source AI tool named "CyberStrikeAI" to automatically scan and attack Fortinet FortiGate network devices.
    CyberStrikeAI is an offensive security tool (OST) developed by a developer under the alias Ed1s0nZ. It integrates generative AI capabilities (such as Claude and DeepSeek) with more than 100 security tools, enabling it to do the following efficiently:
    • Scan networks for vulnerabilities automatically and quickly
    • Perform attack-chain analysis to find the weaknesses that are easiest to exploit
    • Process the retrieved information and visualize the results to plan the next stage of an attack
    In addition, the same developer account has published other dangerous tools, such as ransomware written in Go and jailbreak tools for evading the safety measures of leading AI models.
    Security recommendations for organizations and network administrators
    To prevent and reduce the risk of AI-assisted attacks, organizations should urgently consider the following:

    1. Update firmware: inspect the FortiGate devices within the organization and install the latest security patches immediately.
    2. Monitor system access (log monitoring): review logs closely, especially connections originating from suspicious IP addresses.
    3. Restrict access to the management interface (access control): block access to the management portal from the public internet; if access is required, allow it only through an encrypted and secured VPN.
    4. Enforce multi-factor authentication (MFA): require every administrator to authenticate with MFA before accessing critical systems.
      AI is no longer used only to defend systems; it is also being applied to increase the capability of cyber attacks. Organizations should therefore strengthen their security measures and continuously monitor for new forms of threats.

    🔗 Reference: https://dg.th/0tv6njgql3
    #CyberSecurity #CyberStrikeAI #FortiGate #เตือนภัยไซเบอร์ #ความมั่นคงปลอดภัยไซเบอร์ #AIThreats #ITSecurity

    Posted in Cyber Security News
  • 🚨 Urgent!! OAuth redirects abused for phishing attacks and malware delivery

    ThaiCERT (the National Computer Security Coordination Center) has been monitoring the cyber threat situation and found reports of OAuth redirects being abused for phishing and malware delivery. Users are tricked into clicking a link and taken to an attacker-controlled website, where they may be deceived into downloading malicious files or have their computers infected with malware.

    1. Vulnerability details
      • The campaign abuses the redirect mechanism of OAuth systems. The attacker crafts an OAuth link with abnormal or invalid parameters, which pushes the authentication flow into its error-handling path and causes the user to be redirected to an attacker-controlled website.

    Because the link carries a domain belonging to a trusted identity provider, users may mistake it for a safe link, and it can evade detection by some types of anti-phishing systems.

    2. Attack behavior
      • The attacker creates an OAuth link with faulty parameters (such as an invalid scope or prompt=none), causing the provider's OAuth system, for example Microsoft Entra ID or Google Workspace, to redirect to a destination chosen by the attacker.
      • The attack link is delivered by phishing email designed to look like a genuine organizational message, such as an electronic-signature notification, a meeting invitation, or a password-reset request; the link may appear directly in the email body or be hidden inside a PDF attachment.
      • The landing page offers a ZIP file containing malware; when the file is opened, a PowerShell command runs to download and install the malware.

    The campaign has been found to target government organizations, using this technique to bypass common anti-phishing protections in email and web browsers by presenting a URL that looks legitimate and safe because it comes from a trusted provider.

    3. Prevention and risk mitigation
      • Review and control the OAuth applications that are permitted to access accounts
      • Remove applications that are unnecessary or hold more permissions than they need
      • Use protective measures such as cloud email security, identity protection, conditional access policies, or monitoring of cross-domain activity across email, identity systems, and endpoints

    4. References
      https://dg.th/3ktm176h9j


    Posted in Cyber Security News
  • CISA adds two exploited vulnerabilities to its catalog

    On 3 March 2026 (B.E. 2569), the Cybersecurity and Infrastructure Security Agency (CISA) added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog based on evidence of active exploitation:

    • CVE-2026-21385 Qualcomm Multiple Chipsets Memory Corruption Vulnerability
    • CVE-2026-22719 Broadcom VMware Aria Operations Command Injection Vulnerability

    References
    https://www.cisa.gov/news-events/alerts/2026/03/03/cisa-adds-two-known-exploited-vulnerabilities-catalog

    Posted in Cyber Security News
  • CISA releases nine Industrial Control Systems (ICS) advisories

    On 3 March 2026 (B.E. 2569), the Cybersecurity and Infrastructure Security Agency (CISA) released nine Industrial Control Systems (ICS) advisories providing timely information about security issues, vulnerabilities, and exploits affecting ICS, as follows:

    • ICSA-26-062-01 Mitsubishi Electric MELSEC iQ-F Series EtherNet/IP module and Ethernet Module
    • ICSA-26-062-02 Hitachi Energy Relion REB500
    • ICSA-26-062-03 Hitachi Energy RTU500 Product
    • ICSA-26-062-04 Portwell Engineering Toolkits
    • ICSA-26-062-05 Labkotec LID-3300IP
    • ICSA-26-062-06 Mobiliti e-mobi.hu
    • ICSA-26-062-07 ePower epower.ie
    • ICSA-26-062-08 Everon api.everon.io
    • ICSA-25-023-02 Hitachi Energy RTU500 Series Product (Update B)

    CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations.

    References
    https://www.cisa.gov/news-events/ics-advisories

    Posted in OT Cyber Security News
  • Cyber Threat Intelligence 04 March 2026

    Healthcare Sector

    • Healthcare Organizations Are Accepting Cyber Risk To Cut Costs
      "Healthcare organizations are cutting cybersecurity budgets under financial pressure even as the threats targeting their systems intensify. A PwC survey of 381 global healthcare executives, conducted between May and July 2025, puts numbers to the gap between the risks the sector faces and the controls it has in place. Data protection ranks as the single biggest driver of cybersecurity spending in the sector, yet only 35% of healthcare organizations have implemented data risk controls across the entire data life cycle. The global average across all sectors is 44%."
      https://www.helpnetsecurity.com/2026/03/03/pwc-healthcare-cybersecurity-threats-2026/

    Industrial Sector

    • Honeywell Trend IQ4xx BMS Controller Unauthenticated Remote Web-HMI Control And Lockout
      "The Honeywell IQ4 (Trend IQ4) is a line of intelligent building-management controllers designed to provide advanced unitary control, HVAC integration, and scalable I/O expansion for commercial environments. These controllers use Ethernet and TCP/IP networking with embedded XML, support BACnet over IP, and can expand up to 192 I/O points depending on the model, making them suitable for a wide range of plant-control applications. They offer multiple communication ports (Ethernet, USB, RS232, Wallbus), optional Trend current-loop networking, and seamless compatibility with other Trend IQ controllers - enabling unified, energy-efficient building automation across devices."
      https://www.zeroscience.mk/en/vulnerabilities/ZSL-2026-5979.php
      https://www.securityweek.com/honeywell-researcher-clash-over-impact-of-building-controller-vulnerability/

    Vulnerabilities

    Malware

    • Exposing a Russian Campaign Targeting Ukraine Using New Malware Duo: BadPaw And MeowMeow
      "ClearSky Team has identified a targeted Russian cyber campaign against Ukraine utilizing two novel malware strains, BadPaw and MeowMeow. The attack chain initiates with a phishing email containing a link to a ZIP archive. Once extracted, an initial HTA file displays a lure document written in Ukrainian concerning border crossing appeals to deceive the victim. Simultaneously, the infection triggers the download of BadPaw, a .NET-based loader. Upon establishing command-and-control (C2) communication, the loader deploys MeowMeow, a sophisticated backdoor."
      https://www.clearskysec.com/russian-campaign-targeting-ukraine-badpaw-and-meowmeow/
    • Silver Dragon: China Nexus Cyber Espionage Group Targeting Governments In Asia And Europe
      "Check Point Research has identified and tracked a cyber espionage campaign targeting government organizations across Southeast Asia and parts of Europe. We designate this activity cluster as Silver Dragon, which has been active since at least mid-2024. The campaign combines server exploitation, phishing, custom malware, and cloud-based command infrastructure to establish long-term access in targeted environments. Based on multiple converging indicators, Check Point Research assesses with high confidence that Silver Dragon is a China nexus threat actor, likely operating within the umbrella of APT41."
      https://blog.checkpoint.com/research/silver-dragon-china-nexus-cyber-espionage-group-targeting-governments-in-asia-and-europe/
    • Coruna: The Mysterious Journey Of a Powerful iOS Exploit Kit
      "Google Threat Intelligence Group (GTIG) has identified a new and powerful exploit kit targeting Apple iPhone models running iOS version 13.0 (released in September 2019) up to version 17.2.1 (released in December 2023). The exploit kit, named “Coruna” by its developers, contained five full iOS exploit chains and a total of 23 exploits. The core technical value of this exploit kit lies in its comprehensive collection of iOS exploits, with the most advanced ones using non-public exploitation techniques and mitigation bypasses."
      https://cloud.google.com/blog/topics/threat-intelligence/coruna-powerful-ios-exploit-kit
      https://iverify.io/press-releases/first-known-mass-ios-attack
      https://cyberscoop.com/coruna-ios-exploit-kit-leaked-us-framework/
      https://www.helpnetsecurity.com/2026/03/03/coruna-ios-exploit-kit/
    • Middle East On The Brink: Iran-US-Israel Hostilities Trigger Cyber-Kinetic Conflict
      "The geopolitical landscape of the Middle East has entered one of its most volatile phases in decades. On February 28, 2026, tensions that had been simmering for years erupted into a full‑blown conflict involving the Islamic Republic of Iran, the United States, and Israel. A confluence of diplomatic stalemate, military posturing, and covert cyber preparations set the stage for what would evolve from a localized confrontation into an expansive, multi‑domain campaign."
      https://cyble.com/blog/middle-east-iran-us-israel-hybrid-conflict/
    • Abusing .arpa: The TLD That Isn’t Supposed To Host Anything
      "Phishing email campaigns are so common that it takes something fundamentally different to stand out. We recently found campaigns using a novel, previously unreported method to get around security controls. Actors are abusing the .arpa top-level domain (TLD), in conjunction with IPv6 tunnels, to host phishing content on domains that should not resolve to an IP address. Unlike familiar TLDs like .com and .net, that are used for domains that host web content, the .arpa TLD has a special role in the domain name system (DNS): it’s primarily used to map IP addresses to domains, providing reverse records. Threat actors have discovered a feature in the DNS record management control of certain providers, which allows them to add IP address records for .arpa domains. From there, they can do whatever they like at the hosting provider. It’s a pretty clever trick."
      https://www.infoblox.com/blog/threat-intelligence/abusing-arpa-the-tld-that-isnt-supposed-to-host-anything/
      https://hackread.com/hackers-arpa-top-level-domain-phishing-scams/
    • RedAlert Trojan Campaign: Fake Emergency Alert App Spread Via SMS Spoofing Israeli Home Front Command
      "CloudSEK has uncovered a malicious SMS spoofing campaign spreading a fake version of Israel’s “Red Alert” emergency app amid the ongoing conflict. Disguised as a trusted warning platform, the trojanized Android app can steal SMS, contacts, and location data while appearing legitimate. The report highlights how cybercriminals are weaponising public fear during crises to deploy mobile spyware with serious security and real-world implications."
      https://www.cloudsek.com/blog/redalert-trojan-campaign-fake-emergency-alert-app-spread-via-sms-spoofing-israeli-home-front-command
      https://www.infosecurity-magazine.com/news/redalert-israel-spyware-campaign/
    • Fake Tech Support Spam Deploys Customized Havoc C2 Across Organizations
      "Threat hunters have called attention to a new campaign as part of which bad actors masqueraded as fake IT support to deliver the Havoc command-and-control (C2) framework as a precursor to data exfiltration or ransomware attack. The intrusions, identified by Huntress last month across five partner organizations, involved the threat actors using email spam as lures, followed by a phone call from an IT desk that activates a layered malware delivery pipeline."
      https://thehackernews.com/2026/03/fake-tech-support-spam-deploys.html
    • Fooling AI Agents: Web-Based Indirect Prompt Injection Observed In The Wild
      "Large language models (LLMs) and AI agents are becoming deeply integrated into web browsers, search engines and automated content-processing pipelines. While these integrations can expand functionality, they also introduce a new and largely underexplored attack surface. One particularly concerning class of threats is indirect prompt injection (IDPI), in which adversaries embed hidden or manipulated instructions within website content that is later ingested by an LLM. This article shares in-the-wild observations from our telemetry, including our first observed case of AI-based ad review evasion."
      https://unit42.paloaltonetworks.com/ai-agent-prompt-injection/
    • Active Reconnaissance Campaign Targets SonicWall Firewalls Through Commercial Proxy Infrastructure
      "GreyNoise observed 84,142 scanning sessions targeting SonicWall SonicOS infrastructure between February 22 and February 25, 2026. The activity originated from 4,305 unique IP addresses across 20 autonomous systems, with three operationally distinct infrastructure clusters executing coordinated VPN enumeration. Ninety-two percent of sessions probed a single API endpoint to determine whether SSL VPN is enabled — the prerequisite check before credential attacks. A commercial proxy service delivered 32% of campaign volume through 4,102 rotating exit IPs in two surgical bursts totaling 16 hours. CVE exploitation was negligible, confirming this as systematic attack surface mapping."
      https://www.greynoise.io/blog/active-reconnaissance-campaign-targets-sonicwall-firewalls-through-commercial-proxy-infrastructure

    Breaches/Hacks/Leaks

    • Paint Maker Giant AkzoNobel Confirms Cyberattack On U.S. Site
      "The multinational Dutch paint company AkzoNobel has confirmed to BleepingComputer that hackers breached the network of one of its U.S. sites. Following a data leak from the Anubis ransomware gang, a company spokesperson said that the intrusion has been contained and that the impact is limited. “AkzoNobel has identified a security incident at one of our sites in the United States. The incident was limited to the respective site and was already contained,” the company told BleepingComputer."
      https://www.bleepingcomputer.com/news/security/paint-maker-giant-akzonobel-confirms-cyberattack-on-us-site/
    • LexisNexis Confirms Data Breach As Hackers Leak Stolen Files
      "American data analytics company LexisNexis Legal & Professional has confirmed to BleepingComputer that hackers breached its servers and accessed some customer and business information. The company's data breach confirmation comes as a threat actor named FulcrumSec leaked 2GB of files on various underground forums and sites. LexisNexis L&P is a global provider of legal, regulatory, and business information, research tools, and analytics used by lawyers, corporations, governments, and academic institutions in more than 150 countries worldwide."
      https://www.bleepingcomputer.com/news/security/lexisnexis-confirms-data-breach-as-hackers-leak-stolen-files/
      https://therecord.media/lexisnexis-says-hackers-accessed-legacy-data
    • Star Citizen Game Dev Discloses Breach Affecting User Data
      "Cloud Imperium Games (CIG), the game company behind Star Citizen and Squadron 42, says attackers breached systems containing some users' personal information in January. The California-based publisher and video game developer was founded in 2012 by game developer Chris Roberts (of Wing Commander fame), and it operates five game studios with a crew of over 700 employees. In 2012, it announced the multiplayer space-simulation game Star Citizen. However, despite a Kickstarter campaign that raised over $2 million from backers, the game has still not exited its "early access" phase 14 years later."
      https://www.bleepingcomputer.com/news/security/star-citizen-game-dev-discloses-breach-affecting-user-data/
    • Cyber Battlefield: Ariomex, Iran-Based Crypto Exchange, Suffers Data Leak
      "Cyber operations against Iran are used not only to disrupt military capabilities but also to pressure senior regime officials and their associates to defect, and to accelerate regime change from within. Current events affect multiple layers of the Iranian regime, including the financial system, where the Iranian government invests substantial efforts in building tools to evade sanctions and finance illegal activity, including via cryptocurrencies. In January 2026, the Central Bank of Iran (CBI) acquired more than half a billion dollars (about $507 million) worth of Tether’s USDT, with indications that the stablecoins were used to prop up the country’s fiat currency."
      https://www.resecurity.com/blog/article/cyber-battlefield-ariomex-iran-based-crypto-exchange-suffers-data-leak
      https://www.infosecurity-magazine.com/news/iranian-crypto-leaked-database/
      https://securityaffairs.com/188848/digital-id/ariomex-iran-based-crypto-exchange-suffers-data-leak.html
    • Cybercriminals Swipe 15.8M Medical Records From French Doctors Ministry
      "Around 15.8 million administrative files were stolen after attackers breached a software supplier to France's health ministry. The supplier, Cegedim Santé, confirmed the data was compromised in late 2025. Approximately 165,000 of these files contained notes penned by doctors, which in "very limited cases" contained sensitive information about an individual's medical history. According to broadcaster France 24, which first reported the news, these medical histories included, in some cases, details of conditions such as HIV/AIDS and individuals' sexual orientations. Top politicians were reportedly among the individuals whose info was extracted."
      https://www.theregister.com/2026/03/03/french_medical_leak/

    General News

    • Compromised Site Management Panels Are a Hot Item In Cybercrime Markets
      "Threat actors are openly advertising access to hacked websites as part of the underground economy. One of the most promising products is a compromised cPanel credential. They are sold in the thousands at commodity-level pricing and marketed as plug-and-play infrastructure for and scam campaigns. In new research, Flare security researchers analyzed activity across monitored fraudulent groups over a seven-day period, showing a structured ecosystem operating at scale."
      https://www.bleepingcomputer.com/news/security/compromised-site-management-panels-are-a-hot-item-in-cybercrime-markets/
    • AI Agent Overload: How To Solve The Workload Identity Crisis
      "Authenticating workloads is becoming more and more complex, particularly given things like AI agents and the wide range of identity permissions they need. Organizations need to be thinking ahead on securing workloads in complicated modern environments, but it's not an easy task. Researchers at Zscaler hope to explore this evolution in an upcoming RSAC 2026 Conference session entitled, "What Are You, Really? Authenticating Workloads in a Zero Trust World.""
      https://www.darkreading.com/cloud-security/ai-agent-workload-identity-crisis
    • The Tug-Of-War Over Firewall Backlogs In The AI-Driven Development Era
      "The relationship between application developers and security teams has always been fraught with tension. At the core lies an ongoing battle — speed versus security — and that tug of war has been further exacerbated by mounting firewall backlog challenges driven by increased reliance on artificial intelligence and automation. Traditionally, developers submit a firewall rule request before deploying a new application, service, or tool inside an enterprise environment."
      https://www.darkreading.com/cloud-security/tug-of-war-firewall-backlogs-ai-driven-development
    • 5 Years Of Shifting Cybersecurity Behavior
      "Online security is built through routine decisions made across devices and accounts. People choose how to create passwords, how often to reuse them, and how much effort to invest in protecting personal data. The National Cybersecurity Alliance and CybSafe’s Oh, Behave! The Cybersecurity Attitudes and Behaviors Report: 2021–2025 follows those patterns over five years, drawing on responses from more than 24,000 adults and documenting how attitudes and behaviors shift over time."
      https://www.helpnetsecurity.com/2026/03/03/national-cybersecurity-alliance-cybsafe-cybersecurity-behavior-trends-report/
    • Introducing The 2026 Cloudflare Threat Report
      "Today’s threat landscape is more varied and chilling than ever: Sophisticated nation-state actors. Hyper-volumetric DDoS attacks. Deepfakes and fraudsters interviewing at your company. Even stealth attacks via trusted internal tools like Google Calendar, Dropbox, and GitHub. After spending the last year translating trillions of network signals into actionable intelligence, Cloudforce One has identified a fundamental evolution in the threat landscape: the era of brute force entry is fading. In its place is a model of high-trust exploitation that prioritizes results at all costs. In order to equip defenders with a strategic roadmap for this new era, today we are releasing the inaugural 2026 Cloudflare Threat Report. This report provides the intelligence organizations need to navigate the rise of industrialized cyber threats."
      https://blog.cloudflare.com/2026-threat-report/
      https://www.infosecurity-magazine.com/news/ai-deepfakes-supercharge/
      https://www.helpnetsecurity.com/2026/03/03/cloudflare-cyber-threat-report-2026/
    • Half Of US CISOs Work The Equivalent Of a Six-Day Week
      "US cybersecurity leaders are being put under increasing pressure to compensate for process gaps and tackle escalating threats, with many working the equivalent of six or seven days a week, according to Seemplicity. The security vendor polled 300 CISOs and their equivalents to produce its State of the Cybersecurity Workforce Report. It revealed that 45% of respondents work 11+ extra hours per week – equivalent to an additional day – and 20% work an extra 16+ hours weekly."
      https://www.infosecurity-magazine.com/news/half-us-cisos-work-equivalent/
    • Huge “Shadow Layer” Of Organizations Hit By Supply Chain Attacks
      "Security experts have claimed that the blast radius of third-party data breach incidents is far larger than at first thought, with more than 433 million individuals impacted by 136 events last year. Black Kite compiled its seventh annual Third-Party Breach Report from analysis of verified public breach disclosures in 2025, external cyber risk telemetry and supply chain intelligence. It said 136 verified breaches had 5.28 publicly named downstream victims per vendor, amounting to 719 companies and 433 million individual end customers."
      https://www.infosecurity-magazine.com/news/shadow-layer-organizations-supply/
      https://content.blackkite.com/ebook/2026-third-party-breach-report/
    • Quantum Decryption Of RSA Is Much Closer Than Expected
      "There’s a new contender in quantum cryptanalysis. The Jesse-Victor-Gharabaghi (JVG) quantum decryption algorithm is faster and requires fewer quantum resources than Shor’s algorithm. Breaking business and the internet has long been the accepted result of combining quantum computers and Shor’s algorithm to solve the factorization problem employed by Rivest-Shamir-Adleman (RSA) and Elliptic Curve Cryptography (ECC). But Shor’s algorithm requires a relatively large quantum computer (comprising an estimated one million qubits); and that is still believed to be at least a decade away."
      https://www.securityweek.com/quantum-decryption-of-rsa-is-much-closer-than-expected/
      https://www.preprints.org/manuscript/202510.1649
    • Turns Out Most Cybercriminals Are Old Enough To Know Better
      "Contrary to what some believe, cybercrime is not a kids' game. Middle-aged adults, not teenagers, now make up the biggest chunk of people getting busted. That's according to new analysis of 418 publicly announced law enforcement actions between 2021 and mid-2025, which shows offenders aged 35 to 44 account for 37 percent of cases, making it the largest single age group. Add in those aged 25 to 34, who make up another 30 percent, and nearly six in ten cases involve people between 25 and 44. By contrast, the much-hyped 18-24 bracket accounts for 21 percent, while under-18s barely register at under 5 percent."
      https://www.theregister.com/2026/03/03/turns_out_most_cybercriminals_are/
    • CISOs In a Pinch: A Security Analysis Of OpenClaw
      "Anthropic's Claude Code Security is a legitimate leap forward for pre-deployment vulnerability detection - and the market sell-off (Cybersecurity ETF at a 2+ year low) is an overreaction based on a category error. AI-powered code scanning doesn't replace runtime threat detection, identity governance, or endpoint protection. More importantly, the fastest-growing enterprise attack surface is the AI agents themselves. Poisoned model supply chains, runtime behavior drift, and zero observability into autonomous agent actions are threats that live entirely outside the code layer. Claude Code Security is a welcome addition to the defender's toolkit, but a toolkit isn't a security strategy. Enterprises still need the governance, runtime visibility, and platform integration that only a full-lifecycle approach can deliver."
      https://www.trendmicro.com/en_us/research/26/c/cisos-in-a-pinch-security-analysis-of-openclaw.html

    Reference
    Electronic Transactions Development Agency (ETDA)

    Posted in Cyber Security News
  • Cyber Threat Intelligence 03 March 2026

    Healthcare Sector

    • Iran Conflict Elevates Cyber Risk For Healthcare
      "United States and Israel military strikes on Iran could erupt into cyberattacks against the healthcare sector in the U.S. and elsewhere by Iranian sympathizers and proxies, experts warned Monday. The life-and-death sensitivity of the healthcare sector, as well as its relative vulnerability to cyber incidents, makes it a target for rising attacks ranging from distributed denial of service, wiper malware, ransomware, data theft and other such assaults."
      https://www.bankinfosecurity.com/iran-conflict-elevates-cyber-risk-for-healthcare-a-30894

    New Tooling

    • BlacksmithAI: Open-Source AI-Powered Penetration Testing Framework
      "BlacksmithAI is an open-source penetration testing framework that uses multiple AI agents to execute different stages of a security assessment lifecycle. BlacksmithAI runs as a hierarchical system in which an orchestrator coordinates task execution across specialized agents. Each agent maps to a common penetration testing function. The recon agent handles attack surface mapping and information gathering. The scan and enumeration agent performs service discovery. A vulnerability analysis agent evaluates weaknesses and potential exposure. An exploit agent executes proof of concept activity. A post-exploitation agent examines impact and potential lateral movement."
      https://www.helpnetsecurity.com/2026/03/02/blacksmithai-open-source-ai-powered-penetration-testing-framework/
      https://github.com/yohannesgk/blacksmith

    Vulnerabilities

    • Google Addresses Actively Exploited Qualcomm Zero-Day In Fresh Batch Of 129 Android Vulnerabilities
      "Google disclosed one actively exploited zero-day vulnerability Monday, warning that the high-severity defect affecting an open-source Qualcomm display component for Android devices “may be under limited, targeted exploitation.” The memory-corruption vulnerability — CVE-2026-21385 — which Google’s Android security team reported to Qualcomm Dec. 18, affects 234 chipsets, Qualcomm said in a security bulletin. Qualcomm said it notified customers of the vulnerability Feb. 2."
      https://cyberscoop.com/android-security-update-march-2026/

    Malware

    Breaches/Hacks/Leaks

    • Pakistan’s Top News Channels Hacked And Hijacked With Anti-Military Messages
      "Several of Pakistan’s most-watched news channels, including Geo News, ARY News, and Samaa TV, faced a serious security breach on Sunday evening, 1 March 2026. Viewers across the country were left confused when regular programming was suddenly interrupted by unauthorized messages. These disruptions happened shortly after Iftar (the meal served at sunset to break the daily fast during the holy month of Ramadan) and continued into the high-traffic 9 pm news bulletins, which is when these channels usually see their largest global audiences."
      https://hackread.com/pakistan-news-channels-hacked-anti-military-messages/
    • Madison Square Garden Data Breach Confirmed Months After Hacker Attack
      "Madison Square Garden has confirmed being impacted by a data breach stemming from a cybercrime campaign targeting customers of Oracle’s E-Business Suite (EBS) solution. In the Oracle EBS hacking campaign, the Cl0p ransomware and extortion group exploited zero-day vulnerabilities to gain access to data stored by more than 100 organizations in the enterprise management software. Madison Square Garden (MSG), the world-famous arena located in New York City, was named by the hackers as a victim of the campaign in November 2025."
      https://www.securityweek.com/madison-square-garden-data-breach-confirmed-months-after-hacker-attack/
    • Cyberattack Briefly Disrupts Russian Internet Regulator And Defense Ministry Websites
      "Russia’s internet regulator and defense ministry said their servers were hit by a large distributed denial-of-service (DDoS) attack that briefly disrupted access to several government websites late last week. The Russian communications watchdog, Roskomnadzor, said in a statement to several local media outlets on Friday that the attack was a “complex multi-vector” operation originating from servers and botnets located mainly in Russia, as well as in the United States, China, the United Kingdom and the Netherlands."
      https://therecord.media/cyberattack-briefly-takes-down-russian-government-websites
    • University Of Hawaiʻi Cancer Center Confirms Data Leak Following Ransomware Attack
      "The University of Hawaiʻi Cancer Center said up to 1.2 million people had information leaked as a result of a ransomware attack on its epidemiology division last year. Hackers accessed records containing Social Security numbers (SSNs) and driver’s license numbers collected from the Hawaiʻi State Department of Transportation as well as City and County of Honolulu voter registration records from 1998, according to a statement released by the organization last week."
      https://therecord.media/university-of-hawaii-ransomware-data-breach

    General News

    Reference
    Electronic Transactions Development Agency (ETDA)

    Posted in Cyber Security News