สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

️ ศูนย์ประสานการรักษาความมั่นคงปลอดภัยระบบคอมพิวเตอร์แห่งชาติ (ThaiCERT) ได้ติดตามสถานการณ์ข่าวสารภัยคุกคามทางไซเบอร์ พบ Microsoft ออกอัปเดตความปลอดภัยประจำเดือนเมษายน 2569 [1]

Microsoft ออกอัปเดตความปลอดภัยประจำเดือนเมษายน 2569 โดยมีช่องโหว่ที่สำคัญดังนี้

1. รายละเอียดช่องโหว่
   1.1 CVE-2026-33825 (CVSS3.1: 7.8) เป็นช่องโหว่ใน Microsoft Defender (Antimalware Platform) เกิดจากการควบคุมสิทธิ์ (Access Control) ทำให้ผู้โจมตีสามารถยกระดับสิทธิ์ได้ [2]
   1.2 CVE-2026-32201 (CVSS3.1: 6.5) เป็นช่องโหว่ประเภท Spoofing ในระบบ Microsoft SharePoint ซึ่งเกิดจากการตรวจสอบข้อมูลนำเข้าไม่เหมาะสม [3]

ทั้งนี้ หน่วยงานสามารถอัปเดตความปลอดภัยได้ที่ https://dg.th/0buaqrh76m และ https://dg.th/vh2nxtyr31

2. คำแนะนำในการป้องกัน
   • ดำเนินการอัปเดตแพตช์ทันที โดยเฉพาะระบบที่ใช้งาน Microsoft SharePoint และ Microsoft Defender
   • ตรวจสอบระบบที่เปิดให้เข้าถึงจากภายนอก เช่น SharePoint Server หรือบริการที่เชื่อมต่ออินเทอร์เน็ต
   • เฝ้าระวังพฤติกรรมผิดปกติ เช่น การเข้าถึงระบบโดยไม่ได้รับอนุญาต หรือการเปลี่ยนแปลงสิทธิ์ผู้ใช้งาน
   • ใช้หลักการ Least Privilege จำกัดสิทธิ์ผู้ใช้งานให้เท่าที่จำเป็น
   • ติดตั้งระบบ Endpoint Detection & Response (EDR) เพื่อช่วยตรวจจับและตอบสนองต่อภัยคุกคามได้อย่างรวดเร็ว

3. มาตรการชั่วคราว (กรณียังไม่สามารถอัปเดตได้ทันที)
   3.1 จำกัดการเข้าถึงระบบที่มีความเสี่ยง
   3.2 ใช้มาตรการป้องกันระดับเครือข่าย เช่น กำหนด Firewall / ACL เพื่อจำกัด IP ที่สามารถเข้าถึงระบบได้
   3.3 ควบคุมสิทธิ์ผู้ใช้งาน รวมถึงปิดใช้งานบัญชีที่ไม่ใช้งานหรือบัญชีที่ไม่จำเป็น

แหล่งอ้างอิง
[1] https://dg.th/h1is7ofytl
[2] https://dg.th/0vnq3g81ui
[3] https://dg.th/3hy4z7cge1

️ ศูนย์ประสานการรักษาความมั่นคงปลอดภัยระบบคอมพิวเตอร์แห่งชาติ (ThaiCERT) ได้ติดตามสถานการณ์ข่าวสารภัยคุกคามทางไซเบอร์ พบ Fortinet ออกประกาศแจ้งเตือนเกี่ยวกับช่องโหว่ด้านความปลอดภัยในผลิตภัณฑ์ FortiSandbox ซึ่งผู้โจมตีสามารถรันคำสั่งบนระบบได้โดยไม่ได้รับอนุญาต ขอให้ผู้ดูแลระบบที่ใช้งานผลิตภัณฑ์ดังกล่าวดำเนินการอัปเดตแพตช์ตามคำแนะนำของผู้พัฒนา เพื่อลดความเสี่ยงจากการถูกโจมตี [1]

1. รายละเอียดช่องโหว่
   1.1 CVE-2026-39813 (CVSS3.1: 9.1) เป็นช่องโหว่ประเภท Authentication Bypass ที่ส่งผลกระทบต่อ JRPC API ของ FortiSandbox ผู้โจมตีสามารถใช้ประโยชน์จากช่องโหว่ดังกล่าวเข้าถึงระบบโดยไม่ผ่านการยืนยันตัวตน และสามารถยกระดับสิทธิ์ผ่าน Path Traversal [2]
   1.2 CVE-2026-39808 (CVSS3.1: 9.1) เป็นช่องโหว่ประเภท Command Injection ผู้โจมตีสามารถรันคำสั่งหรือโค้ดบนระบบได้ โดยการโจมตีผ่าน HTTP request ที่ถูกปรับแต่งเป็นพิเศษและไม่ผ่านการยืนยันตัวตน [3]

2. ผลกระทบที่เกิดขึ้น
   หากผู้ไม่หวังดีโจมตีสำเร็จ
   • เข้าถึงระบบโดยไม่ได้รับอนุญาต
   • ยกระดับสิทธิ์จนควบคุมระบบได้ทั้งหมด
   • รันคำสั่งอันตรายหรือฝังมัลแวร์

3. เวอร์ชันที่ได้รับผลกระทบ
   FortiSandbox เวอร์ชัน 4.4.0 – 4.4.8
   FortiSandbox เวอร์ชัน 5.0.0 – 5.0.5

4. แนวทางการแก้ไข
   4.1 อัปเดตแพตช์ความปลอดภัยเป็นเวอร์ชันล่าสุดจากผู้พัฒนาโดยทันที
   4.2 ตรวจสอบระบบที่ใช้งาน FortiSandbox ว่ายังอยู่ในเวอร์ชันที่มีช่องโหว่หรือไม่

5. คำแนะนำด้านความปลอดภัยเพิ่มเติม
   5.1 จำกัดการเข้าถึงจากภายนอก
   5.2 ใช้ Firewall หรือ ACL เพื่อควบคุมการเข้าถึง
   5.3 เฝ้าระวัง Log และพฤติกรรมที่ผิดปกติ
   5.4 ใช้ระบบตรวจจับการบุกรุก (IDS/IPS) เพื่อช่วยป้องกันการโจมตี

6. มาตรการชั่วคราว (กรณียังไม่สามารถอัปเดตได้ทันที)
   6.1 ปิดการเข้าถึง Management Interface จากเครือข่ายภายนอก
   6.2 ใช้ Firewall / ACL ควบคุมการเข้าถึง
   6.3 ปิดหรือจำกัดฟังก์ชันที่มีความเสี่ยง เช่น ปิดการใช้งาน JRPC API ชั่วคราว
   

แหล่งอ้างอิง
[1] https://dg.th/le4o86ja3q
[2] https://dg.th/ax7pb9okiw
[3] https://dg.th/0i1g2mt46c

ศูนย์ประสานการรักษาความมั่นคงปลอดภัยระบบคอมพิวเตอร์แห่งชาติ (ThaiCERT) แจ้งเตือนผู้ดูแลระบบและผู้ใช้งานโซลูชันของ SAP ให้เร่งตรวจสอบและติดตั้งแพตช์ความปลอดภัย เนื่องจากมีการตรวจพบช่องโหว่ร้ายแรงระดับวิกฤต (Critical) ในส่วนประกอบของ SAP ABAP Platform (Advanced Business Application Programming Platform)
ซึ่งเป็นโครงสร้างพื้นฐานสำคัญของระบบ SAP หลายประเภท ส่งผลให้ผู้ไม่หวังดีอาจเข้าควบคุมระบบหรือเข้าถึงข้อมูลทางธุรกิจที่สำคัญได้โดยไม่ต้องผ่านการพิสูจน์ตัวตน [1]

ช่องโหว่ที่สำคัญที่สุด คือ CVE-2026-34256 (CVSS 3.1 : 7.1 ) โดยช่องโหว่นี้เปิดโอกาสให้ผู้โจมตีสามารถส่งคำสั่งอันตรายเข้าไปทำงานในระบบได้ (Remote Code Execution)

1. รายละเอียดและพฤติการณ์ของภัยคุกคาม [2]
   ช่องโหว่ CVE-2026-34256 เกิดจากข้อผิดพลาดในการตรวจสอบสิทธิ์ภายในระบบ SAP ABAP Platform ทำให้ผู้โจมตีสามารถข้ามผ่านขั้นตอนการล็อกอินตามปกติ (Authentication Bypass) และเข้าถึงฟังก์ชันการทำงานระดับสูงได้
   โดยผู้โจมตีสามารถส่งแพ็กเก็ตข้อมูลที่สร้างขึ้นมาเป็นพิเศษผ่านเครือข่ายไปยังพอร์ตบริการของ SAP โดยไม่จำเป็นต้องมีบัญชีผู้ใช้งานหรือสิทธิ์ใดๆ ในระบบ เมื่อโจมตีสำเร็จจะสามารถรันสคริปต์เพื่อแก้ไขข้อมูล ขโมยฐานข้อมูลลูกค้า หรือสั่งปิดการทำงานของระบบทั้งหมด
   หากไม่ได้รับการแก้ไข ระบบ SAP S/4HANA และ ERP ที่รันบนแพลตฟอร์มที่ได้รับผลกระทบจะตกอยู่ในความเสี่ยงที่จะถูกยึดครองระบบ (System Compromise) อย่างสมบูรณ์

2. ผลิตภัณฑ์ที่ได้รับผลกระทบ [3]
   2.1 SAP ABAP Platform รวมถึงเวอร์ชัน 7.00, 7.31, 7.40, 7.50 จนถึงเวอร์ชันล่าสุดที่ระบุใน Security Note
   2.2 SAP NetWeaver Application Server ABAP
   2.3 SAP S/4HANA (เวอร์ชันที่ใช้งานร่วมกับ ABAP Platform รุ่นที่มีช่องโหว่)
   2.5 ผลิตภัณฑ์อื่นๆ ของ SAP ที่มีการใช้งานโมดูลที่เกี่ยวข้องกับการประมวลผลคำสั่งผ่าน ABAP

3. แนวทางการแก้ไขและป้องกันสำหรับผู้ใช้งาน [4]
   3.1 ผู้ดูแลระบบควรล็อกอินเข้าสู่ SAP Support Portal และตรวจสอบรายการ "SAP Security Notes - April 2026"
   3.2 ติดตั้งแพตช์ด่วน ดำเนินการติดตั้งแพตช์ความปลอดภัยตามคำแนะนำของ SAP สำหรับเวอร์ชันของซอฟต์แวร์ที่องค์กรใช้งานอยู่ทันที เพื่อปิดช่องทางที่ผู้ไม่หวังดีจะใช้โจมตี
   3.3 อัปเดต Kernel ในบางกรณีอาจจำเป็นต้องมีการอัปเดต SAP Kernel ควบคู่ไปกับการลงแพตช์ในระดับแอปพลิเคชัน เพื่อให้การป้องกันครอบคลุมทุกเลเยอร์

4. มาตรการลดความเสี่ยงเร่งด่วน [4]
   4.1 จำกัดการเข้าถึงเครือข่าย ในระหว่างที่ยังไม่สามารถติดตั้งแพตช์ได้ ให้จำกัดการเข้าถึงพอร์ตบริการของ SAP (เช่น พอร์ต 32xx, 33xx) โดยให้เข้าถึงได้เฉพาะจากเครือข่ายภายในที่เชื่อถือได้ หรือผ่าน VPN เท่านั้น
   4.2 ตรวจสอบ Log ความผิดปกติ เฝ้าระวังการพยายามล็อกอินที่ล้มเหลวจำนวนมาก หรือการเรียกใช้ฟังก์ชันแปลกปลอมใน Gateway Log และ System Log ของ SAP
   4.3 ตรวจสอบว่าได้ตั้งค่า Firewall และระบบตรวจจับการบุกรุก (IDS/IPS) เพื่อคัดกรองทราฟฟิกที่มุ่งเป้ามายังช่องโหว่ของ SAP โดยเฉพาะ

แหล่งอ้างอิง
[1] https://dg.th/dmantif6e3
[2] https://dg.th/yez5ft4hjr
[3] https://dg.th/y9id0k6o24
[4] https://dg.th/p1bgw4scmd

ThaiCERT ย้ำ "ระบบ SAP เป็นหัวใจสำคัญของข้อมูลธุรกิจ องค์กรควรให้ความสำคัญกับการอัปเดตแพตช์ความปลอดภัยตามรอบเดือน (Patch Day) อย่างเคร่งครัด เพื่อป้องกันความเสียหายต่อข้อมูลและชื่อเสียงของหน่วยงาน"
———————————
ด้วยความปรารถนาดี สำนักงานคณะกรรมการการรักษาความมั่นคงปลอดภัยไซเบอร์แห่งชาติ (สกมช.) / ThaiCERT

#ThaiCERT #CyberSecurity #Alert #SAP #ABAP #CVE202634256 #PatchTuesday #CyberAwareness
#ความมั่นคงปลอดภัยไซเบอร์ #แจ้งเตือนภัยคุกคาม #ช่องโหว่วิกฤต #SAPSecurity

Industrial Sector

• Threat Landscape For Industrial Automation Systems. Q4 2025
  "In Q4 2025, the percentage of ICS computers on which malicious objects were blocked continued to decrease, reaching its lowest level since 2022 — 19.7%. Regionally, the percentage ranged from 8.5% in Northern Europe to 27.3% in Africa. Four regions saw increases. Southern Europe led the way in terms of growth for this indicator."
  https://ics-cert.kaspersky.com/publications/reports/2026/04/02/threat-landscape-for-industrial-automation-systems-q4-2025/

Vulnerabilities

• SAP Patches Critical ABAP Vulnerability
  "SAP on Tuesday announced the release of 20 new and updated security notes as part of its April 2026 security patch day. The most severe of the resolved flaws is CVE-2026-27681 (CVSS score of 9.9), a critical SQL injection bug in Business Planning and Consolidation and Business Warehouse that could lead to arbitrary code execution. “The vulnerable ABAP program allows a low-privileged user to upload a file with arbitrary SQL statements that will then be executed,” software security firm Onapsis explains."
  https://www.securityweek.com/sap-patches-critical-abap-vulnerability/
• ShowDoc RCE Flaw CVE-2025-0520 Actively Exploited On Unpatched Servers
  "A critical security vulnerability impacting ShowDoc, a document management and collaboration service popular in China, has come under active exploitation in the wild. The vulnerability in question is CVE-2025-0520 (aka CNVD-2020-26585), which carries a CVSS score of 9.4 out of 10.0. It relates to a case of unrestricted file upload that stems from improper validation of file extension, allowing an attacker to upload arbitrary PHP files and achieve remote code execution."
  https://thehackernews.com/2026/04/showdoc-rce-flaw-cve-2025-0520-actively.html
  https://securityaffairs.com/190790/hacking/attackers-target-unpatched-showdoc-servers-via-cve-2025-0520.html
• Microsoft April 2026 Patch Tuesday Fixes 167 Flaws, 2 Zero-Days
  "Today is Microsoft's April 2026 Patch Tuesday with security updates for 167 flaws, including 2 zero-day vulnerabilities. This Patch Tuesday also addresses eight "Critical" vulnerabilities, 7 of which are remote code execution flaws and the other is a denial of service flaw. The number of bugs in each vulnerability category is listed below:"
  https://www.bleepingcomputer.com/news/microsoft/microsoft-april-2026-patch-tuesday-fixes-167-flaws-2-zero-days/
  https://www.darkreading.com/vulnerabilities-threats/privilege-elevation-dominates-microsoft-patch-update
  https://blog.talosintelligence.com/microsoft-patch-tuesday-april-2026/
  https://cyberscoop.com/microsoft-patch-tuesday-april-2026/
  https://www.securityweek.com/microsoft-patches-exploited-sharepoint-zero-day-and-160-other-vulnerabilities/
  https://www.theregister.com/2026/04/14/microsofts_massive_patch_tuesday/
• Adobe Patches 55 Vulnerabilities Across 11 Products
  "Adobe’s latest Patch Tuesday updates fix 55 vulnerabilities across 11 of the company’s products. Nearly all of the 11 new advisories have a priority rating of 3, which indicates that the software giant does not expect them to be exploited in attacks. However, an advisory describing five critical ColdFusion vulnerabilities has a priority rating of 1, indicating that companies should prioritize patching because the product has historically been targeted by threat actors. Several ColdFusion vulnerabilities have been exploited in attacks in recent years."
  https://www.securityweek.com/adobe-patches-55-vulnerabilities-across-11-products/
• New PHP Composer Flaws Enable Arbitrary Command Execution — Patches Released
  "Two high-severity security vulnerabilities have been disclosed in Composer, a package manager for PHP, that, if successfully exploited, could result in arbitrary command execution. The vulnerabilities have been described as command injection flaws affecting the Perforce VCS (version control software) driver. Details of the two flaws are below -"
  https://thehackernews.com/2026/04/new-php-composer-flaws-enable-arbitrary.html
• CISA Adds Two Known Exploited Vulnerabilities To Catalog
  "CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
  CVE-2009-0238 Microsoft Office Remote Code Execution Vulnerability
  CVE-2026-32201 Microsoft SharePoint Server Improper Input Validation Vulnerability"
  https://www.cisa.gov/news-events/alerts/2026/04/14/cisa-adds-two-known-exploited-vulnerabilities-catalog

Malware

• 108 Chrome Extensions Linked To Data Exfiltration And Session Theft Via Shared C2 Infrastructure
  "Socket's Threat Research Team identified 108 malicious Chrome extensions operating as a coordinated campaign under a shared C2 infrastructure at cloudapi[.]stream. The extensions are published under five distinct publisher identities (Yana Project, GameGen, SideGames, Rodeo Games, and InterAlt) and collectively account for approximately 20k Chrome Web Store installs. All 108 route stolen credentials, user identities, and browsing data to servers controlled by the same operator. The extensions remain live at the time of writing. We have submitted takedown requests to the Chrome Web Store security team and Google Safe Browsing."
  https://socket.dev/blog/108-chrome-ext-linked-to-data-exfil-session-theft-shared-c2
  https://thehackernews.com/2026/04/108-malicious-chrome-extensions-steal.html
  https://www.bleepingcomputer.com/news/security/over-100-chrome-extensions-in-web-store-target-users-accounts-and-data/
  https://www.infosecurity-magazine.com/news/chrome-extensions-expose-user-data/
• Fake Ledger Live App On Apple’s App Store Stole $9.5M In Crypto
  "A malicious Ledger Live app for macOS available from Apple’s App Store has drained approximately $9.5 million in cryptocurrency from 50 victims in just a few days this month. Users who downloaded the fake Ledger app were tricked into entering their seed/recovery phrases, thus giving attackers full access to their wallets and allowing them to send digital assets to external addresses under their control. According to blockchain investigator ZachXBT, the attackers used several wallet addresses to receive funds across multiple chains, including Bitcoin, Ethereum, Tron, Solana, and Ripple."
  https://www.bleepingcomputer.com/news/security/fake-ledger-live-app-on-apples-app-store-stole-95m-in-crypto/
• Are Former Black Basta Affiliates Automating Executive Targeting?
  "A new campaign is successfully evolving “Black Basta’s” signature social engineering playbook into a faster, more targeted, and increasingly automated intrusion method aimed at senior leadership. Black Basta was a prolific Russia-linked ransomware-as-a-service (RaaS) group active from early 2022 until its internal chat logs were leaked in February 2025. This campaign, likely conducted by former affiliates, uses an automated, two-pronged social engineering attack: mass email bombing to overwhelm a target’s inbox followed by Microsoft Teams-based help desk impersonation to gain remote access. In some cases, attackers moved from initial chat engagement to executing malicious scripts in as little as 12 minutes."
  https://reliaquest.com/blog/threat-spotlight-are-former-black-basta-affiliates-automating-executive-targeting
  https://cyberscoop.com/black-basta-affiliates-senior-executives-reliaquest/
• Slithering Through The Noise - Deep Dive Into The VIPERTUNNEL Python Backdoor
  "During a recent DragonForce ransomware engagement, we identified several artefacts indicative of anomalous behaviour inconsistent with typical campaign activity. During a persistence review, we aggregated Autoruns output from all endpoints to identify anomalies. A scheduled task named 523135538 was identified, configured to execute C:\ProgramData\cp49s\pythonw.exe without command-line arguments. Executing pythonw.exe without a script path or -c argument is atypical in legitimate Windows environments. Although DLL sideloading was initially suspected, analysis of the containing directory indicated a different persistence mechanism. Within the directory, we found C:\ProgramData\cp49s\Lib\sitecustomize.py. In Python, this module auto-imports at startup. Placing malicious code here ensures it runs whenever pythonw.exe starts, without command-line input. Analysis of sitecustomize.py clarified why the absence of command-line arguments was sufficient."
  https://labs.infoguard.ch/posts/slithering_through_the_noise/
  https://hackread.com/ransomware-vipertunnel-malware-uk-us-businesses/
• Post-Sanction Persistence: Triad Nexus' Operations Infrastructure Reborn As Threat Actor Distances Activity From FUNNULL CDN
  "Triad Nexus is responsible for over $200 million in reported losses, driven largely by sophisticated “pig-butchering” and virtual currency scams. Individual victim losses average $150,000, highlighting the high conversion nature of its operations. Despite federal sanctions in 2025, the group has reinstated its global fraud engine, shifting its focus toward emerging markets while maintaining a persistent threat to Western enterprise assets. Triad Nexus continues to pose a direct risk to corporate brand integrity and customer trust. The group manages an industrialized catalog of impersonation assets targeting:"
  https://www.silentpush.com/blog/triad-nexus-funnull-2026/
  https://www.infosecurity-magazine.com/news/triad-nexus-expands-fraud/
  https://www.securityweek.com/triad-nexus-evades-sanctions-to-fuel-cybercrime/
• Omnistealer Uses The Blockchain To Steal Everything It Can
  "A new infostealer dubbed Omnistealer is turning the blockchain into a permanent malware hosting platform, which is bad news for both companies and everyday users. It’s pretty common for malware to store its payload on a public platform, ideally one that adds some trustworthiness to the download location, like Google docs, OneDrive, GitHub, npm, PyPI, and so on. The problem for malware peddlers is that these can be taken down. It can sometimes take a while and a lot of trouble, but it’s possible. Omnistealer gets around this by storing its staging code inside transactions on public blockchains like TRON, Aptos, and Binance Smart Chain."
  https://www.malwarebytes.com/blog/news/2026/04/omnistealer-uses-the-blockchain-to-steal-everything-it-can
• Satori Threat Intelligence Alert: Pushpaganda Manipulates Google Discovery Feeds With AI-Generated Content To Spread Malicious Notifications
  "HUMAN’s Satori Threat Intelligence and Research Team has identified a novel ad fraud, social engineering, and scareware threat dubbed Pushpaganda. This operation, named for push notifications central to the scheme, generates invalid organic traffic from real mobile devices by tricking users into subscribing to enabling notifications that presented alarming messages. Pushpaganda’s primary mechanism for luring unsuspecting users is through Google’s Discovery feeds, the collection of news stories that appear on many Google properties. The threat actors use advanced SEO techniques and AI-generated content to inject deceptive news stories into the personalized content streams of Android and Chrome users. Once a user is lured to an actor-controlled domain, they are manipulated into enabling push notifications that later deliver scareware, fake legal threats, and financial scams."
  https://www.humansecurity.com/learn/resource/satori-threat-intelligence-alert-pushpaganda-manipulates-google-discovery-feeds-with-ai-generated-content-to-spread-malicious-notifications/
  https://thehackernews.com/2026/04/ai-driven-pushpaganda-scam-exploits.html
• New JanaWare Ransomware Targets Turkey Via Adwind RAT
  "The Acronis TRU team identified a threat cluster leveraging a customized Adwind (Java RAT) variant with polymorphic characteristics to deliver a ransomware module, tracked as ‘JanaWare.’ Analysis of malware samples, infrastructure and telemetry indicates the campaign is likely focused on Turkish users. The malware enforces execution constraints based on system locale and external IP geolocation, which likely restricts activity to systems located in Turkey. Observed samples and telemetry suggest the activity has been ongoing since at least 2020. A sample compiled in November 2025 indicates that associated command-and-control infrastructure remains active. Obfuscation, polymorphism and geographic restrictions have likely contributed to limited visibility."
  https://www.acronis.com/en/tru/posts/new-janaware-ransomware-targets-turkey-via-adwind-rat/
  https://therecord.media/new-janaware-ransomware-targeting-turkey
• No Honor Among Thieves As 0APT Threatens Rival Ransomware Gang Krybit
  "Two rival ransomware gangs have locked horns after 0APT threatened to expose people affiliated with Krybit. Dark web watchers spotted the move on Sunday, though 0APT's motive for extorting a fellow criminal outfit remains unclear. The notion seems even more bizarre given that 0APT hypocritically described Krybit in its leak blog post as a ransomware group, and that "such groups pose significant risks to cybersecurity and data privacy worldwide." "If the group does not make the payment or contact us, we will reveal their identity photos, names, location, and other," 0APT said. "And if you are one of their victims, contact us to get your data unlocked.""
  https://www.theregister.com/2026/04/14/0apt_krybit_spat/

อ้างอิง
Electronic Transactions Development Agency (ETDA)

เมื่อวันที่ 14 เมษายน 2026 Cybersecurity and Infrastructure Security Agency (CISA) ได้เพิ่มช่องโหว่ใหม่ 2 รายการลงในแคตตาล็อก Known Exploited Vulnerabilities (KEV) จากหลักฐานที่พบว่ามีการโจมตีใช้งานจริงแล้ว มีรายละเอียดดังนี้

• CVE-2009-0238 Microsoft Office Remote Code Execution Vulnerability
• CVE-2026-32201 Microsoft SharePoint Server Improper Input Validation Vulnerability

ทาง CISA จะปรับปรุงและเพิ่มช่องโหว่ใหม่เข้าสู่แคตตาล็อก KEV อย่างต่อเนื่อง เพื่อให้ครอบคลุมความเสี่ยงที่ตรวจพบจริงในปัจจุบันและอนาคต

อ้างอิง
https://www.cisa.gov/news-events/alerts/2026/04/14/cisa-adds-two-known-exploited-vulnerabilities-catalog
สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

Industrial Sector

• Contemporary Controls BASC 20T
  "Successful exploitation of this vulnerability could allow an attacker to enumerate the functionality of each component associated with the PLC, reconfigure, rename, delete, perform file transfers, and make remote procedure calls."
  https://www.cisa.gov/news-events/ics-advisories/icsa-26-099-01
• GPL Odorizers GPL750
  "Successful exploitation of this vulnerability could allow a low privileged remote attacker to manipulate register values, which would result in too much or too little odorant being injected into a gas line."
  https://www.cisa.gov/news-events/ics-advisories/icsa-26-099-02
• Why Manufacturing Cyber Security Is Becoming More Complex As Cyber Attacks Accelerate
  "The global manufacturing sector entered 2025 facing one of the most aggressive cyber threat environments in its history. Digital transformation, smart factories, and interconnected supply chains have expanded operational efficiency to places 50 years ago we wouldn’t have thought possible. But, this comes with unprecedented cyber risk. According to the Manufacturing Threat Landscape 2025 report, cyber incidents targeting manufacturing increased sharply year over year, placing the industry at the center of global ransomware activity."
  https://blog.checkpoint.com/security/why-manufacturing-cyber-security-is-becoming-more-complex-as-cyber-attacks-accelerate/
• Empty Attestations: OT Lacks The Tools For Cryptographic Readiness
  "In 2003, 55 million people lost power across the US and Canada because of a software bug and a failure to communicate. Nobody attacked anything. And more than two decades later, the same infrastructure faces sophisticated adversaries who are planning very carefully. Operational technology (OT) operates on a different set of priorities than the rest of us. In IT, confidentiality and integrity come first. In OT — the systems that open and close breakers, adjust voltage, and monitor load and faults — only one thing matters: availability."
  https://www.darkreading.com/ics-ot-security/ot-lacks-tools-cryptographic-readiness

New Tooling

• ZeroID: Open-Source Identity Platform For Autonomous AI Agents
  "ZeroID is an open-source identity platform that implements an identity and credentialing layer specifically for autonomous agents and multi-agent systems. The core issue ZeroID targets is attribution in agentic workflows. When an orchestrator agent spawns sub-agents to carry out parts of a task, each sub-agent may call APIs, write files, or execute shell commands. Existing approaches offer limited traceability: shared service accounts carry no delegation trail, and standard OAuth 2.0 and OIDC flows were not designed for scenarios where agents operate asynchronously, spawn subordinates, or cross organizational boundaries without a human in the loop at each step."
  https://www.helpnetsecurity.com/2026/04/13/zeroid-open-source-identity-platform-autonomous-ai-agents/
  https://github.com/highflame-ai/zeroid

Vulnerabilities

• Critical Flaw In WolfSSL Library Enables Forged Certificate Use
  "A critical vulnerability in the wolfSSL SSL/TLS library can weaken security via improper verification of the hash algorithm or its size when checking Elliptic Curve Digital Signature Algorithm (ECDSA) signatures. Researchers warn that an attacker could exploit the issue to force a target device or application to accept forged certificates for malicious servers or connections. wolfSSL is a lightweight TLS/SSL implementation written in C, designed for embedded systems, IoT devices, industrial control systems, routers, appliances, sensors, automotive systems, and even aerospace or military equipment."
  https://www.bleepingcomputer.com/news/security/critical-flaw-in-wolfssl-library-enables-forged-certificate-use/
• CISA Adds Seven Known Exploited Vulnerabilities To Catalog
  "CISA has added seven new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
  CVE-2012-1854 Microsoft Visual Basic for Applications Insecure Library Loading Vulnerability
  CVE-2020-9715 Adobe Acrobat Use-After-Free Vulnerability
  CVE-2023-21529 Microsoft Exchange Server Deserialization of Untrusted Data Vulnerability
  CVE-2023-36424 Microsoft Windows Out-of-Bounds Read Vulnerability
  CVE-2025-60710 Microsoft Windows Link Following Vulnerability
  CVE-2026-21643 Fortinet SQL Injection Vulnerability
  CVE-2026-34621 Adobe Acrobat and Reader Prototype Pollution Vulnerability"
  https://www.cisa.gov/news-events/alerts/2026/04/13/cisa-adds-seven-known-exploited-vulnerabilities-catalog
  https://www.theregister.com/2026/04/13/ransomware_gang_other_crims_attacking/
• OpenAI Rotates MacOS Certs After Axios Attack Hit Code-Signing Workflow
  "OpenAI is rotating potentially exposed macOS code-signing certificates after a GitHub Actions workflow executed a malicious Axios package during a recent supply chain attack. The company said that on March 31, 2026, the legitimate workflow downloaded and executed a compromised Axios package (version 1.14.1) that was used in attacks to deploy malware on devices. That workflow had access to code-signing certificates used to sign OpenAI's macOS apps, including ChatGPT Desktop, Codex, Codex CLI, and Atlas."
  https://www.bleepingcomputer.com/news/security/openai-rotates-macos-certs-after-axios-attack-hit-code-signing-workflow/
  https://thehackernews.com/2026/04/openai-revokes-macos-app-certificate.html
  https://cyberscoop.com/openai-axios-supply-chain-attack/
  https://hackread.com/openai-macos-certificates-axios-supply-chain-breach/
  https://www.securityweek.com/openai-impacted-by-north-korea-linked-axios-supply-chain-hack/

Malware

• The Silent “Storm”: New Infostealer Hijacks Sessions, Decrypts Server-Side
  "A new infostealer called Storm appeared on underground cybercrime networks in early 2026, representing a shift in how credential theft is developing. For under $1,000 a month, operators get a stealer that harvests browser credentials, session cookies, and crypto wallets, then quietly ships everything to the attacker's server for decryption. To understand why enterprises should care, it helps to know what changed. Stealers used to decrypt browser credentials on the victim's machine by loading SQLite libraries and accessing credential stores directly. Endpoint security tools got good at catching this, making local browser database access one of the clearest signs that something malicious was running."
  https://www.bleepingcomputer.com/news/security/the-silent-storm-new-infostealer-hijacks-sessions-decrypts-server-side/
• Interactive Brokers Phishing Scam: Fake IRS W-8BEN Renewal Alert
  "Online trading platforms are popular among investors. Both beginners and professionals use them to study the financial markets, manage investments, and make profits online. Interactive Brokers is one such trusted platform, known for its low pricing and global market access. With presence in over 200 countries, the brand has now become a viable target for threat actors. The Cofense Phishing Defence Center (PDC) recently uncovered phishing campaigns impersonating Interactive Brokers, potentially putting accounts and financial investments at serious risk. The campaign starts with an email shown in Figure 1. The subject appears to be an IRS Compliance Requirement from Interactive Brokers, requesting a renewal of Form W-8BEN. This form is a mandatory requirement for non-US individual account holders of Interactive Brokers (IBKR) to certify foreign status."
  https://cofense.com/blog/interactive-brokers-phishing-scam-fake-irs-w-8ben-renewal-alert
• APT41 Winnti ELF Cloud Credential Harvester: Alibaba Typosquat Infrastructure & 6-Year Lineage
  "A zero-detection ELF backdoor attributed to APT41 (Winnti) has been identified targeting Linux cloud workloads across AWS, GCP, Azure, and Alibaba Cloud environments. The implant uses SMTP port 25 as a covert command-and-control channel, harvests cloud provider credentials and metadata, and phones home to three Alibaba-themed typosquat domains hosted on Alibaba Cloud infrastructure in Singapore. A selective C2 handshake validation mechanism renders the server invisible to conventional scanning tools like Shodan and Censys."
  https://intel.breakglass.tech/post/apt41-winnti-elf-cloud-credential-harvester-alibaba-typosquat
  https://www.darkreading.com/cloud-security/apt41-zero-detection-backdoor-harvest-cloud-credentials
• OpenSSF Flags Malware Campaign On Slack Posing As Linux Foundation Figures
  "Open Source Security Foundation (OpenSSF), a group of open source software security specialists, is warning about a new phishing scam where hackers are targeting software developers using the Slack chat app. These scammers pretend to be well-known leaders from the Linux Foundation, with the aim of getting developers to download malware that could give them total control over a computer. Their modus operandi is based on mimicking a legitimate Google Workspace flow, which redirects unsuspecting developers to a malicious page."
  https://hackread.com/openssf-malware-slack-linux-foundation-figures/
  https://lists.openssf-vuln.org/g/siren/message/7
  https://www.theregister.com/2026/04/13/linux_foundation_social_engineering/
• Mailbox Rules In O365—a Post-Exploitation Tactic In Cloud ATO
  "When was the last time you checked your mailbox rules? In Microsoft 365 environments, attackers typically gain initial access through credential phishing, password spraying, brute-force, or OAuth consent abuse. Once inside, adversaries focus on persistence and stealth rather than immediate disruption. Instead of deploying malware or C2 infrastructure, they abuse native platform features to operate undetected under the compromised identity. One especially effective technique for maintaining persistence is creating malicious mailbox rules. While mailbox rules are designed to help users organize email, attackers leverage them to delete, hide, forward, or mark messages as read, silently controlling email flow without alerting the victim."
  https://www.proofpoint.com/us/blog/threat-insight/mailbox-rules-o365-post-exploitation-tactic-cloud-ato
  https://www.infosecurity-magazine.com/news/mailbox-rule-abuse-stealthy-post/
• Mirax: a New Android RAT Turning Infected Devices Into Potential Residential Proxy Nodes
  "New Maas spreading: Mirax has emerged as a sophisticated Malware-as-a-Service (MaaS) offering, specifically targeting Android devices across Europe. It is actively marketed and distributed through underground malware forums. At the time of writing, Cleafy Threat Intelligence Team has seen multiple campaigns targeting Spanish-speaking countries and reaching over 200.000 accounts through Meta advertisements. Remote Access functionalities & Dynamic HTML Overlays: Mirax integrates advanced Remote Access Trojan (RAT) capabilities, allowing threat actors to fully interact with compromised devices in real time. This includes executing commands, navigating the user interface, and monitoring activity. A key feature is its use of dynamically fetched HTML overlays from its command-and-control (C2) infrastructure, which are rendered over legitimate applications."
  https://www.cleafy.com/cleafy-labs/mirax-a-new-android-rat-turning-infected-devices-into-potential-residential-proxy-nodes
  https://www.infosecurity-magazine.com/news/mirax-trojan-devices-proxy-nodes/
• JanelaRAT: a Financial Threat Targeting Users In Latin America
  "JanelaRAT is a malware family that takes its name from the Portuguese word “janela” which means “window”. JanelaRAT looks for financial and cryptocurrency data from specific banks and financial institutions in the Latin America region. JanelaRAT is a modified variant of BX RAT that has targeted users since June 2023. One of the key differences between these Trojans is that JanelaRAT uses a custom title bar detection mechanism to identify desired websites in victims’ browsers and perform malicious actions. The threat actors behind JanelaRAT campaigns continuously update the infection chain and malware versions by adding new features."
  https://securelist.com/janelarat-financial-threat-in-latin-america/119332/
  https://thehackernews.com/2026/04/janelarat-malware-targets-latin.html
• North Korea's APT37 Uses Facebook Social Engineering To Deliver RokRAT Malware
  "The North Korean hacking group tracked as APT37 (aka ScarCruft) has been attributed to a fresh multi-stage, social engineering campaign in which threat actors approached targets on Facebook and added them as friends on the social media platform, turning the trust-building exercise into a delivery channel for a remote access trojan called RokRAT. "The threat actor used two Facebook accounts with their location set to Pyongyang and Pyongsong, North Korea, to identify and screen targets," the Genians Security Center (GSC) said in a technical breakdown of the campaign. "After building trust through friend requests, the actor moved the conversation to Messenger and used specific topics to lure targets as part of the initial social engineering stage of the attack.""
  https://thehackernews.com/2026/04/north-koreas-apt37-uses-facebook-social.html

Breaches/Hacks/Leaks

• European Gym Giant Basic-Fit Data Breach Affects 1 Million Members
  "Dutch fitness giant Basic-Fit announced that hackers breached its systems and gained access to information belonging to a million of its customers. The company operates the largest gym chain in Europe, owning more than 1,700 clubs and over 430 franchises in 12 countries, including the Netherlands, Belgium, France, Spain, and Germany. In a disclosure published on its website earlier today, Basic-Fit states that club members impacted by the cyberattack have been informed directly."
  https://www.bleepingcomputer.com/news/security/european-gym-giant-basic-fit-data-breach-affects-1-million-members/
  https://therecord.media/dutch-gym-chain-basic-fit-hit-by-hackers
  https://www.theregister.com/2026/04/13/basicfit_breach/
• New Booking.com Data Breach Forces Reservation PIN Resets
  "Booking.com has confirmed in a statement to BleepingComputer that hackers accessed some users' data from booking information associated with their reservations. The company took immediate action, forced PIN resets for existing and past reservations, and informed impacted users directly via email. Booking.com is one of the largest online travel platforms in the world, allowing users to book accommodation, flights, car rentals, airport taxis, and travel experiences. The service acts as a middleman between travelers and hospitality providers."
  https://www.bleepingcomputer.com/news/security/new-bookingcom-data-breach-forces-reservation-pin-resets/
  https://www.securityweek.com/booking-com-says-hackers-accessed-user-information/
  https://securityaffairs.com/190757/data-breach/hackers-access-booking-com-user-data-company-secures-systems.html
  https://www.theregister.com/2026/04/13/bookingcom_breach/
• Iran-Linked Group Handala Claims To Have Breached Three Major UAE Organizations
  "The group Handala claimed a major cyberattack against the UAE, targeting Dubai Courts Department, Dubai Land Department, and Dubai Roads and Transport Authority. They alleged destroying 6 petabytes of data and stealing 149 TB of sensitive information, framing the attack as retaliation and a warning to regional governments, though such claims remain unverified. “In response to the blatant betrayal of the Resistance Axis by the Epsteinist leaders of the UAE, and as a serious, preemptive warning to all treacherous governments in the region, Handala has launched one of its most powerful cyberattacks against the country’s critical infrastructure.” the group wrote on its Tor website. “During this operation, 6 petabytes of data have been completely destroyed…”"
  https://securityaffairs.com/190716/hacking/iran-linked-group-handala-claims-to-have-breached-three-major-uae-organizations.html

General News

• Q1 2026 Malware Statistics Report For Windows Web Servers
  "AhnLab SEcurity intelligence Center (ASEC) analyzed the attack status and malware statistics of Windows web servers in the first quarter of 2026 based on AhnLab Smart Defense (ASD) logs. the analysis covers Internet Information Services (IIS) and Apache Tomcat web servers in Windows environments. command execution through the web shell is the main path of compromise, and subsequent malicious behaviors such as privilege escalation, proxy tools, backdoors, and CoinMiners are frequently identified."
  https://asec.ahnlab.com/en/93335/
• Q1 2026 Malware Statistics Report For Linux SSH Servers
  "ASEC analyzed the statistics of attacks against Linux SSH servers in Q1 2026 based on honeypot logs. The P2PInfect worm dominated, accounting for 70.3% of all attack sources, and DDoS bots such as Mirai, XMRig, Prometei, and CoinMiner were identified as the main threats."
  https://asec.ahnlab.com/en/93336/
• Q1 2026 Malware Statistics Report For Windows Database Servers
  "analysis of ASEC’s ASD logs for Q1 2026 showed a consistent trend of attacks against MS-SQL and MySQL. the number of attacks tended to decrease temporarily in February before increasing again in March."
  https://asec.ahnlab.com/en/93333/
• March 2026 Dark Web Issue Trends Report
  "this report is a summary of deep web and dark web source-based material and contains some facts that cannot be fully verified due to the nature of the sources."
  https://asec.ahnlab.com/en/93323/
• March 2026 Dark Web Threat Actor Trends Report
  "this report is a compilation of trends centered on hacktivists operating on the deep web and dark web. some alleged attacks are labeled as observations due to limited independent technical verification."
  https://asec.ahnlab.com/en/93324/
• March 2026 Dark Web Breach Trends Report
  "this report is based on reports of data breaches and the sale of initial access rights posted on deep web-dark web forums. some parts of the report contain information that cannot be fully verified as factual due to the nature of the source."
  https://asec.ahnlab.com/en/93325/
• CSA: CISOs Should Prepare For Post-Mythos Exploit Storm
  "As Anthropic's Claude Mythos model threatens to upend the vulnerability management ecosystem, security luminaries warn that chief information security officers (CISOs) should start getting ready now. Earlier this month, Anthropic unveiled Claude Mythos Preview, a new version of its large language model (LLM) that, while general purpose, was flagged by the AI firm for its skill at handling security tasks. Mythos can discover and exploit complex, high-severity vulnerabilities across major operating systems and Web browsers, according to Anthropic. Recent experimentation led to the discovery of thousands of bugs, Anthropic said, including an exploit of a patched 27-year-old flaw in OpenBSD."
  https://www.darkreading.com/cloud-security/csa-cisos-prepare-post-mythos-exploit-storm
• Alleged German DDoS-For-Hire Kingpin Behind Fluxstress Caught In Thailand
  "Noah Christopher, a German national, was at his luxury flat in Thong Lor Soi 25 when he was arrested by Thai police last Friday. Christopher, 27, was arrested from the Watthana district of Bangkok following a years-long investigation by the German and EU law enforcement authorities. In the world of cybercrime, Christopher was a known figure. Between 2021 and 2025, he allegedly ran a Cybercrime-as-a-Service (CaaS) business to earn money. He, reportedly, created and operated two notorious CaaS platforms called Fluxstress and Neldowner that provided tools for hire. These platforms allowed customers anywhere in the world to launch Distributed Denial of Service (DDoS) attacks in which hackers bombard a website with so much fake traffic that it collapses and stops working for real users."
  https://hackread.com/german-ddos-for-hire-kingpin-fluxstress-thailand/
• Seized VerifTools Servers Expose 915,655 Fake IDs, 8 Arrested
  "On April 7 and 8, Dutch police arrested eight suspects in a nationwide operation targeting users of the VerifTools platform as part of an identity fraud investigation. The suspects, all men aged 20 to 34, are accused of identity fraud, forgery, and cybercrime-related offenses. During searches, officers seized smartphones, laptops, cash, cryptocurrency, and weapons or items resembling them."
  https://www.helpnetsecurity.com/2026/04/13/dutch-police-veriftools-identity-fraud-arrests/

อ้างอิง
Electronic Transactions Development Agency (ETDA)

Healthcare Sector

• Health Insurance Lead Sites Sell Personal Data Within Seconds Of Form Submission
  "Lead generation websites that offer health insurance quotes collect sensitive personal data and sell it to multiple buyers within seconds of a user clicking submit. A study by researchers at UC Davis, Stanford University, and Maastricht University mapped this process across 105 health insurance lead generation sites and monitored what happened to the data over 60 days. The researchers created 210 synthetic user profiles, each with a unique phone number and email address, and submitted forms across all 105 sites. They then tracked every inbound call, text, and email those profiles received."
  https://www.helpnetsecurity.com/2026/04/10/health-insurance-lead-generation-privacy/
  https://arxiv.org/pdf/2604.06759
• Multiple Heap Buffer Overflows In Orthanc DICOM Server
  "Multiple vulnerabilities have been identified in Orthanc DICOM Server version, 1.12.10 and earlier, that affect image decoding and HTTP request handling components. These vulnerabilities include heap buffer overflows, out-of-bounds reads, and resource exhaustion vulnerabilities that may allow attackers to crash the server, leak memory contents, or potentially execute arbitrary code."
  https://kb.cert.org/vuls/id/536588
  https://www.securityweek.com/orthanc-dicom-vulnerabilities-lead-to-crashes-rce/

Industrial Sector

• Industrial Controllers Still Vulnerable As Conflicts Move To Cyber
  "As the US government warns energy companies, water utilities, and industrial firms that state-sponsored adversaries are targeting Internet-connected operational technology, researchers have found a small number of older industrial control systems allow direct access without requiring authentication. A scan of the Internet for operational technology (OT) using the Modbus protocol found at least 179 devices that allow unauthenticated access, according to researchers at technology-evaluation firm Comparitech. While representing a relatively small number of devices, the dozens of public-facing systems are likely being targeted by cyberthreat actors, experts say."
  https://www.darkreading.com/ics-ot-security/industrial-controllers-vulnerable-conflicts-cyber
• Industry Reactions To Iran Hacking ICS In Critical Infrastructure: Feedback Friday
  "The US government warned this week that Iran-linked hackers have targeted critical infrastructure organizations, hacking industrial control systems (ICS) and other operational technology (OT). According to an advisory written by CISA, the FBI, and several other agencies, hackers have targeted programmable logic controllers (PLCs) made by Rockwell Automation, but devices from other vendors are also at risk. Both Rockwell and Siemens have published advisories to alert customers. The attacks caused operational disruption and financial loss through tampering with vulnerable human-machine interfaces (HMIs) and supervisory control and data acquisition (SCADA) systems."
  https://www.securityweek.com/industry-reactions-to-iran-hacking-ics-in-critical-infrastructure-feedback-friday/

New Tooling

• Little Snitch For Linux Shows What Your Apps Are Connecting To
  "Network monitoring on Linux has long been a gap for users who want per-process visibility into outbound connections. Existing tools either operate at the command line or were designed for server security rather than desktop privacy. Objective Development, the Austrian company behind the macOS firewall utility Little Snitch, released a Linux version of the tool. It is free and, according to the company, will remain so."
  https://www.helpnetsecurity.com/2026/04/10/little-snitch-for-linux-privacy/
  https://github.com/obdev/littlesnitch-linux

Vulnerabilities

• Juniper Networks Patches Dozens Of Junos OS Vulnerabilities
  "Juniper Networks this week released patches for nearly three dozen vulnerabilities, including Junos OS and Junos OS Evolved bugs that could lead to privilege escalation, denial-of-service (DoS), and command execution. The most severe of the flaws is CVE-2026-33784 (CVSS score of 9.8), a default password in the Support Insights (JSI) Virtual Lightweight Collector (vLWC) that could be exploited remotely to take over a vulnerable device. “vLWC software images ship with an initial password for a high-privileged account. A change of this password is not enforced during the provisioning of the software, which can make full access to the system by unauthorized actors possible,” Juniper Networks explains."
  https://www.securityweek.com/juniper-networks-patches-dozens-of-junos-os-vulnerabilities/
• Chrome 147 Patches 60 Vulnerabilities, Including Two Critical Flaws Worth $86,000
  "Google announced this week the first stable version of Chrome 147, which includes patches for 60 vulnerabilities, including two that have been rated critical. The critical vulnerabilities both impact Chrome’s WebML component, which is designed for running machine learning models directly in the browser. The security holes, reported by anonymous researchers, have been described as a heap buffer overflow (CVE-2026-5858) and an integer overflow (CVE-2026-5859). The reporting researchers each earned $43,000 for their findings. The significant bug bounty rewards coupled with the severity rating suggest that the vulnerabilities can be exploited for sandbox escapes and/or remote code execution."
  https://www.securityweek.com/chrome-147-patches-60-vulnerabilities-including-two-critical-flaws-worth-86000/
• Marimo OSS Python Notebook RCE: From Disclosure To Exploitation In Under 10 Hours
  "On April 8, 2026, a critical vulnerability was disclosed in marimo, an open-source reactive Python notebook platform. Currently being tracked as GHSA-2679-6mx9-h9xc, it is a pre-authentication remote code execution (RCE) vulnerability in the terminal WebSocket endpoint that allows attackers to obtain a full interactive shell on any exposed marimo instance through a single WebSocket connection – no credentials required. At the time of this writing, a CVE number has yet to be assigned. Within 9 hours and 41 minutes of the vulnerability advisory’s publication, the Sysdig Threat Research Team (TRT) observed the first exploitation attempt in the wild, and a complete credential theft operation was executed in under 3 minutes. No public proof-of-concept (PoC) code existed at the time."
  https://www.sysdig.com/blog/marimo-oss-python-notebook-rce-from-disclosure-to-exploitation-in-under-10-hours
  https://thehackernews.com/2026/04/marimo-rce-flaw-cve-2026-39987.html
  https://www.bleepingcomputer.com/news/security/critical-marimo-pre-auth-rce-flaw-now-under-active-exploitation/
  https://www.securityweek.com/critical-marimo-flaw-exploited-hours-after-public-disclosure/
  https://securityaffairs.com/190623/hacking/cve-2026-39987-marimo-rce-exploited-in-hours-after-disclosure.html
• Adobe Patches Actively Exploited Acrobat Reader Flaw CVE-2026-34621
  "Adobe has released emergency updates to fix a critical security flaw in Acrobat Reader that has come under active exploitation in the wild. The vulnerability, assigned the CVE identifier CVE-2026-34621, carries a CVSS score of 8.6 out of 10.0. Successful exploitation of the flaw could allow an attacker to run malicious code on affected installations. It has been described as a case of prototype pollution that could result in arbitrary code execution. Prototype pollution refers to a JavaScript security vulnerability that permits an attacker to manipulate an application'sobjects and properties."
  https://thehackernews.com/2026/04/adobe-patches-actively-exploited.html
  https://www.securityweek.com/adobe-patches-reader-zero-day-exploited-for-months/
  https://securityaffairs.com/190697/security/adobe-fixes-actively-exploited-acrobat-reader-flaw-cve-2026-34621.html

Malware

• LOLBins – Analyzing Attack Techniques With MSBuild
  "in recent years, cyber threat actors have consistently attempted to exploit living off the land binaries (LOLBins) built into systems to bypass detection by security products. such attack methods effectively evade traditional signature-based detection by not distributing a separate malicious file, but instead relying on tools trusted by the operating system. among them, MSBuild.exe is a Microsoft-signed Windows native development tool that can build and execute C# code through XML-based project files. threat actors exploit such characteristics to execute arbitrary code without explicitly leaving malware on disk, and covertly perform additional actions in the post-infiltration phase. in this article, we will introduce how the attack technique utilizing MSBuild works, look at actual attack cases, and suggest countermeasures."
  https://asec.ahnlab.com/en/93290/

• CPUID Hacked To Deliver Malware Via CPU-Z, HWMonitor Downloads
  "Hackers gained access to an API for the CPUID project and changed the download links on the official website to serve malicious executables for the popular CPU-Z and HWMonitor tools. The two utilities have millions of users who rely on them for tracking the physical health of internal computer hardware and for comprehensive specifications of a system. Users who downloaded either tool reported on Reddit recently that the official download portal points to the Cloudflare R2 storage service and fetches a trojanized version of HWiNFO, another diagnostic and monitoring tool from a different developer."
  https://www.bleepingcomputer.com/news/security/supply-chain-attack-at-cpuid-pushes-malware-with-cpu-z-hwmonitor/
  https://thehackernews.com/2026/04/cpuid-breach-distributes-stx-rat-via.html
  https://www.theregister.com/2026/04/10/cpuid_site_hijacked/

• Investigating Storm-2755: “Payroll Pirate” Attacks Targeting Canadian Employees
  "Microsoft Incident Response – Detection and Response Team (DART) researchers observed an emerging, financially motivated threat actor that Microsoft tracks as Storm-2755 conducting payroll pirate attacks targeting Canadian users. In this campaign, Storm-2755 compromised user accounts to gain unauthorized access to employee profiles and divert salary payments to attacker-controlled accounts, resulting in direct financial loss for affected individuals and organizations. While similar payroll pirate attacks have been observed in other malicious campaigns, Storm-2755’s campaign is distinct in both its delivery and targeting. Rather than focusing on a specific industry or organization, the actor relied exclusively on geographic targeting of Canadian users and used malvertising and search engine optimization (SEO) poisoning on industry agnostic search terms to identify victims."
  https://www.microsoft.com/en-us/security/blog/2026/04/09/investigating-storm-2755-payroll-pirate-attacks-targeting-canadian-employees/
  https://www.bleepingcomputer.com/news/microsoft/microsoft-canadian-employees-targeted-in-payroll-pirate-attacks/
  https://www.helpnetsecurity.com/2026/04/10/poisoned-office-365-search-results-lead-to-stolen-paychecks/

• Scams, Slaves And (Malware-As-a) Service: Tracking a Trojan To Cambodia’s Scam Centers
  "Incidents of malware-enabled fraud and remote access scams have been on the rise against the backdrop of proliferating industrial-scale scam operations in Southeast Asia, with many countries in the region issuing official warnings over the past three years. But connecting specific malware to the notorious compounds has been elusive … until now. In collaboration with the Vietnamese non-profit Chong Lua Dao, we uncovered an Android banking trojan that is likely operated from multiple locations including the K99 Triumph City compound in Cambodia. This conclusion relies on technical analysis, testimony from an escapee, and evidence taken from the facility by the human trafficking victim. The compound has been widely reported by the United Nations and other organizations as a scam center with connections to high-ranking political elites and the use of forced labor to run extensive malicious text, voice, and email campaigns."
  https://www.infoblox.com/blog/threat-intelligence/scams-slaves-and-malware-as-a-service-tracking-a-trojan-to-cambodias-scam-centers/
  https://hackread.com/android-banking-trojan-cambodia-scam-compounds/

• Graphalgo Fake Recruiter Campaign Returns
  "In February, the ReversingLabs research team described a malicious campaign featuring fake job interviews that the team called “graphalgo.” Two months later, RL researchers detected a larger set of fake companies that are part of the same graphalgo campaign — yet more sophisticated. These organizations link to several GitHub organizations related to blockchain companies that have been active on GitHub since June 2025. Their purpose is to provide trustworthiness to fake job offerings, and to host fake job interview tasks. RL researchers also identified several new techniques being used by threat actors. Here’s what we found."
  https://www.reversinglabs.com/blog/graphalgo-campaign-respawned
  https://hackread.com/graphalgo-scam-lazarus-hackers-us-llcs-malware/

• Fake Claude Site Installs Malware That Gives Attackers Access To Your Computer
  "Claude’s rapid growth—nearly 290 million web visits per month—has made it an attractive target for attackers, and this campaign shows how easy it is to fall for a fake site. We discovered a fake website impersonating Anthropic’s Claude to serve a trojanized installer. The domain mimics Claude’s official site, and visitors who download the ZIP archive receive a copy of Claude that installs and runs as expected. But in the background, it deploys a PlugX malware chain that gives attackers remote access to the system."
  https://www.malwarebytes.com/blog/scams/2026/04/fake-claude-site-installs-malware-that-gives-attackers-access-to-your-computer

• GlassWorm Goes Native: New Zig Dropper Infects Every IDE On Your Machine
  "We have been tracking GlassWorm for over a year. It first appeared in March 2025, when Aikido discovered malicious npm packages hiding payloads inside invisible Unicode characters. The campaign has expanded repeatedly since then, compromising hundreds of projects across GitHub, npm, and VS Code, and most recently delivering a persistent RAT through a fake Chrome extension that logged keystrokes and dumped session cookies. The group keeps iterating, and they just made a meaningful jump."
  https://www.aikido.dev/blog/glassworm-zig-dropper-infects-every-ide-on-your-machine
  https://thehackernews.com/2026/04/glassworm-campaign-uses-zig-dropper-to.html
  https://securityaffairs.com/190638/malware/glassworm-evolves-with-zig-dropper-to-infect-multiple-developer-tools.html

• OtterCookie Expands Targeting To AI Coding Tools: Analysis Of a Trojanized Npm Campaign
  "On March 20, 2026, an npm account operating under the username gemini-check published a package titled gemini-ai-checker, presenting itself as a utility to verify Google Gemini AI tokens. Interestingly, the package README displayed wording copied from the legitimate package chai-await-async, a JavaScript assertion library with no obvious relationship to Gemini. Code analysis revealed the package contacts a Vercel-hosted staging endpoint, server-check-genimi.vercel[.]app to retrieve and execute a JavaScript payload. The account continues to host two malicious packages sharing the same infrastructure: express-flowlimit and chai-extensions-extras, which have been downloaded more than 500 times combined as of publication."
  https://cyberandramen.net/2026/04/04/ottercookie-expands-targeting-to-ai-coding-tools-analysis-of-a-trojanized-npm-campaign/

• Uncovering Webloc: An Analysis Of Penlink’s Ad-Based Geolocation Surveillance Tech
  "Targeted and mass surveillance based on everyday consumer data from mobile apps and digital advertising has been referred to as advertising intelligence (ADINT). We refer to it as “ad-based surveillance technologies.” These technologies have proliferated alongside the personal data surveillance economy. They are poorly regulated and often sold by firms that operate without transparency, raising serious security, privacy, and civil liberties concerns – especially when used by authoritarian governments that lack proper oversight. In this report, we investigate, summarize and document what we know about the ad-based geolocation surveillance system Webloc. Developed by Cobwebs Technologies, Webloc is now sold by Penlink, after the companies merged in 2023."
  https://citizenlab.ca/research/analysis-of-penlinks-ad-based-geolocation-surveillance-tech/
  https://thehackernews.com/2026/04/citizen-lab-law-enforcement-used-webloc.html

• Breaches/Hacks/Leaks

• RaaS Gang Anubis Claims Signature Healthcare Data Theft
  "A ransomware gang claimed late Thursday that it stole 2 terabytes of "critical" and "sensitive" patient information in an attack earlier this week on Massachusetts-based Signature Healthcare. The Anubis ransomware operation said it did not encrypt computer systems. But as of Friday morning, Signature Healthcare was no longer listed as a victim on Anubis' leak site. A Signature Healthcare spokeswoman on Friday declined comment on Anubis' claims and whether it is negotiating to pay a ransom, leading Anubis to take the health system off its darkweb leak site. The spokeswoman said the healthcare organization's medical group and its 125-year-old community hospital expects to be back online "in two weeks.""
  https://www.bankinfosecurity.com/raas-gang-anubis-claims-signature-healthcare-data-theft-a-31394

• ShinyHunters Claims Rockstar Games Snowflake Breach Via Anodot
  "Rockstar Games is back in the news, not over Grand Theft Auto VI delays, but because the ShinyHunters hacking group claims it accessed the company’s Snowflake environment and may be holding a large volume of data at risk of being leaked. The message, published on the group’s dark web leak site on April 11 (UK time), sets a deadline of April 14 and follows a familiar pattern of pay or face public exposure. This case differs from a typical direct breach because the attackers pointed to Anodot, a SaaS platform used for cloud cost monitoring and analytics, as the entry point. In their post, they claimed, “Rockstar Games! Your Snowflake instances were compromised thanks to Anodot.com. Pay or leak.”"
  https://hackread.com/shinyhunters-rockstar-games-snowflake-breach-anodot/

• ‘Snoopy’, ‘Adolf’ And ‘Password’: The Hungarian Government Passwords Exposed Online
  "Almost 800 Hungarian government email addresses and associated passwords are circulating online, revealing basic vulnerabilities in the security protocols of ministries involved in classified and sensitive work. A Bellingcat analysis of breach data shows that 12 out of the government’s 13 ministries have been affected, which in some cases have exposed the confidential information of military personnel and civil servants posted abroad. Among those affected were a senior military officer responsible for information security, a counter terrorism coordinator in the foreign affairs department, and an employee whose role was to identify hybrid threats against the country."
  https://www.bellingcat.com/news/2026/04/09/the-hungarian-government-passwords-exposed-online/
  https://www.theregister.com/2026/04/11/hungary_government_logins_breach/

• A Single Operator, Two AI Platforms, Nine Government Agencies: The Full Technical Report
  "In February, we published our initial findings on the AI-assisted breach of Mexico's government infrastructure, warning of the elevated risk that AI-powered threat actors now pose. A single operator used AI to breach nine Mexican government organizations and exfiltrate hundreds of millions of citizen records. Today, we release the full technical report. We delayed publishing the report at the request of all parties involved in order to allow more time for corresponding incident response efforts. Incident response efforts have now progressed such that we are ready to publish our detailed findings. The report was shared with all relevant parties well in advance of publishing, adjusting accordingly based on feedback received, including requests to de-risk elements of the report."
  https://gambit.security/blog-post/a-single-operator-two-ai-platforms-nine-government-agencies-the-full-technical-report
  https://hackread.com/hacker-claude-code-gpt-4-1-mexican-records/

• Hackers Claim Control Over Venice San Marco Anti-Flood Pumps
  "Hackers breached Venice ’s San Marco flood system, claiming control of pumps and the ability to disable defenses and flood coastal areas. The technologies that govern the physical world are the quiet infrastructure of modern life. From energy grids to water systems, from factories to flood defenses, operational technology (OT) has long had one essential mission: to keep everything running. But today, that is no longer enough. The question the market is asking has fundamentally changed: can these systems withstand a cyberattack? If the answer is no, then what we are building is not infrastructure, it is vulnerability at scale. This shift is not theoretical. It is happening now, and recent events in Venice have made it painfully real."
  https://securityaffairs.com/190679/hacktivism/hackers-claim-control-over-venice-san-marco-anti-flood-pumps.html

General News

• March 2026 Infostealer Trend Report
  "this report analyzes Infostealer distribution trends and cases collected during the month of March 2026. It is based on data collected through ASEC’s automated collection and analysis system and ATIP’s real-time IOC service."
  https://asec.ahnlab.com/en/93293/
• Q1 2026 Vulnerability Trends Report
  "q1 2026 saw a number of high-risk vulnerabilities reported with either public disclosures or confirmed exploits. an increase in remote code execution and authentication bypass family vulnerabilities was observed. Early publication of PoCs accelerated threat propagation. the potential for chain attacks through the perimeter and middle layers expanded."
  https://asec.ahnlab.com/en/93285/
• Analysis Of One Billion CISA KEV Remediation Records Exposes Limits Of Human-Scale Security
  "Analysis of CISA's Known Exploited Vulnerabilities over the past four years shows critical vulnerabilities still open at Day 7 worsened from 56% to 63% despite teams closing 6.5x more tickets. Staffing cannot solve this. Of the 52 tracked weaponized vulnerabilities in our study, 88% were patched more slowly than they were exploited — half were weaponized before any patch existed. The problem is not speed. It is the operational model itself. Cumulative exposure, not CVE counts, is the true risk metric that security teams now need to measure. While dashboards reward the sprint to get patches implemented, breaches exploit the tail. AI is not another attack surface — instead, the transition period where AI-powered attackers face human defenders is the industry's most dangerous window."
  Priority: 3 - Important
  Relevance: General, Trends and statistics

https://www.bleepingcomputer.com/news/security/analysis-of-one-billion-cisa-kev-remediation-records-exposes-limits-of-human-scale-security/
https://www.qualys.com/forms/whitepapers/the-broken-physics-of-remediation

• When Geopolitical Conflict Spills Into Cyberspace — How US Organizations Should Respond
  "Modern conflict no longer begins with troops crossing borders; it often starts with packets crossing networks. For example, the escalation on February 28, 2026, involving Iran, the United States, and Israel gives insights on how quickly geopolitical cyber threats can evolve into full-spectrum confrontations. What unfolded was not just a regional clash but a preview of how cyber warfare attacks now operate alongside missiles, drones, and information campaigns. In this environment, cybersecurity for US organizations can no longer be treated as a purely technical function. It has become a matter of strategic resilience. Nation-state cyberattacks are synchronized with real-world conflict, creating ripple effects that extend far beyond the immediate battlefield."
  https://cyble.com/blog/cyber-warfare-attacks/
• Your Next Breach Will Look Like Business As Usual
  "Your perimeter is hardened, your SOC is on high alert for zero-days, and your firewalls are pristine. But while you're watching the fences, the adversary is walking through the front door with a smile and a valid employee ID. In the modern threat landscape, attackers aren't always "breaking in" — they're simply logging in. Nearly one in three cyber intrusions now involve valid employee credentials, making this a leading attack vector. Armed with stolen credentials and supercharged by AI, threat actors are now operating as a trusted colleague, turning the very identity of your workforce into your greatest vulnerability."
  https://www.darkreading.com/identity-access-management-security/your-next-breach-business-as-usual
• What Vibe Hunting Gets Right About AI Threat Hunting, And Where It Breaks Down
  "In this Help Net Security interview, Aqsa Taylor, Chief Security Evangelist, Exaforce, explains vibe hunting, an AI-driven approach to threat detection that inverts traditional hypothesis-driven methods. Instead of analysts defining attack vectors upfront, the AI scans datasets for anomalous patterns and surfaces potential threats. Taylor draws a firm line on responsibility: analysts must be able to explain their reasoning. When they cannot, the AI is steering the hunt. She also addresses enrichment, junior analyst development, and the failure modes that emerge when teams follow AI output without questioning it."
  https://www.helpnetsecurity.com/2026/04/10/aqsa-taylor-exaforce-vibe-hunting/
• MITRE Releases Fight Fraud Framework
  "The non-profit MITRE Corporation on Thursday released a new framework to help organizations fight fraudsters. MITRE’s Fight Fraud Framework (MITRE F3) is a curated knowledge base that provides a behavior-based model of the tactics, techniques, and procedures (TTPs) fraudsters employ, informed by real-world attacks. “These incidents involve the intentional use of deceptive or illegal practices to fraudulently obtain money, assets, or information from individuals or institutions, and include actions carried out over cyber channels,” MITRE says."
  https://www.securityweek.com/mitre-releases-fight-fraud-framework/
  https://ctid.mitre.org/fraud#/

อ้างอิง
Electronic Transactions Development Agency (ETDA)