เมื่อวันที่ 30 มิถุนายน 2568 Cyber Security Agency of Singapore (CSA) ได้เผยแพร่เกี่ยวกับกรณีที่ บริษัท Citrix ได้ออกประกาศอัปเดตด้านความปลอดภัย เพื่อแก้ไขช่องโหว่ร้ายแรงหลายรายการในผลิตภัณฑ์ NetScaler ADC และ NetScaler Gateway จึงขอแนะนำให้ผู้ใช้งานและผู้ดูแลระบบของผลิตภัณฑ์ที่ได้รับผลกระทบ ดำเนินการอัปเดตซอฟต์แวร์เป็นเวอร์ชันล่าสุดโดยทันที เพื่อป้องกันความเสี่ยงจากการถูกโจมตี

บริษัท Citrix ได้เผยแพร่การอัปเดตด้านความปลอดภัยเพื่อแก้ไขช่องโหว่ร้ายแรง หมายเลข CVE-2025-5777 และ CVE-2025-6543 ซึ่งตรวจพบในผลิตภัณฑ์ NetScaler ADC และ NetScaler Gateway

ผลกระทบของช่องโหว่

• CVE-2025-5777
  ช่องโหว่ดังกล่าวเปิดโอกาสให้ผู้ไม่หวังดีสามารถข้ามกระบวนการยืนยันตัวตน รวมถึงระบบการยืนยันตัวตนแบบหลายปัจจัย (Multi-Factor Authentication: MFA) ได้ โดยอาศัยการโจรกรรมโทเคนของเซสชันที่ถูกเปิดเผย ซึ่งอาจส่งผลให้สามารถเข้าถึงระบบโดยไม่ได้รับอนุญาต

• CVE-2025-6543
  ช่องโหว่ด้านหน่วยความจำนี้ อาจเปิดช่องให้ผู้โจมตีสามารถดำเนินการโจมตีแบบปฏิเสธการให้บริการ (Denial-of-Service: DoS) ส่งผลกระทบต่อความพร้อมใช้งานของระบบ

สถานการณ์ปัจจุบัน
จากรายงานล่าสุด พบว่าช่องโหว่ทั้งสองรายการดังกล่าว กำลังถูกนำไปใช้โจมตีจริงในหลายกรณี จึงถือเป็นภัยคุกคามที่มีความเร่งด่วนในการแก้ไข

ผลิตภัณฑ์ที่ได้รับผลกระทบ
ช่องโหว่ที่ตรวจพบส่งผลกระทบต่อผลิตภัณฑ์ในเวอร์ชันต่อไปนี้:

• NetScaler ADC และ NetScaler Gateway เวอร์ชันก่อน 14.1-43.56
• NetScaler ADC และ NetScaler Gateway เวอร์ชันก่อน 13.1-58.32
• NetScaler ADC 13.1-FIPS และ 13.1-NDcPP เวอร์ชันก่อน 13.1-37.235
• NetScaler ADC 12.1-FIPS เวอร์ชันก่อน 12.1-55.328

แนวทางการแก้ไข
ขอให้ผู้ใช้งานและผู้ดูแลระบบของผลิตภัณฑ์ดังกล่าว ดำเนินการอัปเดตระบบให้เป็นเวอร์ชันล่าสุดโดยทันที เพื่อป้องกันความเสี่ยงจากการถูกโจมตี และเพื่อเสริมสร้างความมั่นคงปลอดภัยของระบบ

อ้างอิง
https://www.csa.gov.sg/alerts-and-advisories/alerts/al-2025-064

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

Healthcare Sector

• Feds Warn Patients, Healthcare Entities Of Phishing Scams
  "U.S. federal authorities are warning the public and healthcare sector organizations of email and fax phishing scams by fraudsters seeking to steal personal information about patients or payments. The warnings come as three large U.S. insurers continue to recover from recent cyberattacks. The FBI and its Internet Crime Complaint Center in a joint alert issued Friday warned the public about criminals impersonating legitimate health insurers and their investigative team members."
  https://www.bankinfosecurity.com/feds-warn-patients-healthcare-entities-phishing-scams-a-28852
  https://www.ic3.gov/PSA/2025/PSA250627
  https://www.theregister.com/2025/06/27/patients_providers_records_payment_scam/

Vulnerabilities

• Hackers Make Hay? Smart Tractors Vulnerable To Full Takeover
  "Researchers have figured out how to simultaneously spy on tens of thousands of smart tractors around the world, and even take full control over any of them. Smart farming is on the rise, in an effort to enhance farming practices by improving efficiency, reducing labor costs, and optimizing resources. Tractors are thus increasingly equipped with advanced technologies like GPS, sensors, and artificial intelligence, which enable them to operate autonomously in some cases, or be controlled remotely. In their most basic form, there's still someone inside the vehicle, but the tractor is connected to the cloud in order to get real-time weather data or location information, among other things."
  https://www.darkreading.com/cloud-security/hackers-hay-smart-tractors-vulnerable-takeover
• How We Turned a Real Car Into a Mario Kart Controller By Intercepting CAN Data
  "If you went to our PTP Cyber Fest over the Infosec week you may have seen the PTP hack car being used as a games controller for the game SuperTuxKart (a free and open-source Mario Kart type game). You really could steer, accelerate and brake using the car, ‘driving’ the on screen kart! This was based on a silly idea I had last year as a way of making a more fun demo than just teaching people how to intercept and replay CAN messages. Here is the post that explains it."
  https://www.pentestpartners.com/security-blog/how-we-turned-a-real-car-into-a-mario-kart-controller-by-intercepting-can-data/
  https://www.theregister.com/2025/06/27/renault_clio_racing_controller/
• Security Advisory: Airoha-Based Bluetooth Headphones And Earbuds
  "During our research on Bluetooth headphones and earbuds, we identified several vulnerabilities in devices that incorporate Airoha Systems on a Chip (SoCs). In this blog post, we briefly want to describe the vulnerabilities, point out their impact and provide some context to currently running patch delivery processes as described at this year’s TROOPERS Conference."
  https://insinuator.net/2025/06/airoha-bluetooth-security-vulnerabilities/
  https://www.bleepingcomputer.com/news/security/bluetooth-flaws-could-let-hackers-spy-through-your-microphone/

Malware

• Threat Spotlight: CVE-2025-5777: Citrix Bleed 2 Opens Old Wounds
  "Citrix released an advisory for CVE-2025-5777 affecting NetScaler ADC and Gateway devices, allowing attackers to hijack user sessions and bypass authentication. While no public reporting of exploitation for this vulnerability has emerged, ReliaQuest has observed indications of exploitation to gain initial access. Citrix recommends patching affected systems to the latest versions and terminating active sessions to mitigate session hijacking and further risks of exploitation."
  https://reliaquest.com/blog/threat-spotlight-citrix-bleed-2-vulnerability-in-netscaler-adc-gateway-devices/
  https://www.bleepingcomputer.com/news/security/citrix-bleed-2-flaw-now-believed-to-be-exploited-in-attacks/
  https://www.darkreading.com/vulnerabilities-threats/citrixbleed-2-active-exploitation
  https://www.infosecurity-magazine.com/news/citrixbleed-2-vulnerability/
  https://www.securityweek.com/evidence-suggests-exploitation-of-citrixbleed-2-vulnerability/
• Case Of Attacks Targeting South Korean Web Servers Using MeshAgent And SuperShell
  "Lately, attacks on South Korean web servers utilizing MeshAgent and SuperShell have been identified. The presence of ELF-based malware at the malicious code distribution address suggests that the attackers are targeting not only Windows servers but also Linux servers. It is assumed that the attackers installed a web shell using a file upload vulnerability and used it to install additional payloads. Through reconnaissance and lateral movement, the attackers attempted to infect not only the compromised system but also other systems within the organization."
  https://asec.ahnlab.com/en/88627/
• Scattered Spider Hackers Shift Focus To Aviation, Transportation Firms
  "Hackers associated with "Scattered Spider" tactics have expanded their targeting to the aviation and transportation industries after previously attacking insurance and retail sectors. These threat actors have employed a sector-by-sector approach, initially targeting retail companies, such as M&S and Co-op, in the United Kingdom and the United States and subsequently shifting their focus to insurance companies. While the threat actors were not officially named as responsible for insurance sector attacks at first, recent incidents have impacted Aflac, Erie Insurance, and Philadelphia Insurance Companies."
  https://www.bleepingcomputer.com/news/security/scattered-spider-hackers-shift-focus-to-aviation-transportation-firms/
  https://thehackernews.com/2025/06/fbi-warns-of-scattered-spiders.html
  https://securityaffairs.com/179413/cyber-crime/the-fbi-warns-that-scattered-spider-is-now-targeting-the-airline-sector.html
• Scattered Spider’s Calculated Path From CFO To Compromise
  "“Scattered Spider” targets executive and administrative accounts, exploiting human trust and workflows to bypass multi-factor authentication (MFA) and infiltrate critical systems. The group showed technical sophistication by dumping NTDS.dit and harvesting over 1,400 secrets. By leveraging unmanaged virtual machines (VMs), ngrok, and privileged service principals, Scattered Spider maintained persistence while evading detection. To counter these threats, organizations should monitor privileged accounts, enforce strict identity verification protocols, implement hypervisor-level logging, conduct social engineering assessments, and train employees to recognize manipulation tactics."
  https://reliaquest.com/blog/scattered-spiders-calculated-path-from-cfo-to-compromise/
  https://www.darkreading.com/cloud-security/scattered-spider-cfo-scorched-earth-attack
  https://www.bankinfosecurity.com/teardown-how-scattered-spider-hacked-logistics-firm-a-28846
• The New Face Of Remcos: Path Bypass And Masquerading
  "Since last year and well into this year, Remcos malware campaigns stayed very active, continually morphing to stay hidden. Attackers usually send phishing emails with malicious files like malicious shortcuts, scripts or documents. When a victim opens the file, it quietly drops the Remcos program and hides it in new folders with similar names to legitimate Windows system folders on the PC. Once installed, Remcos lets the attackers control the PC, steal passwords and record keystrokes. The malware keeps a backdoor open by setting up scheduled tasks or other sneaky tricks. This way, they stay on the system for a long time without being detected."
  https://www.forcepoint.com/blog/x-labs/remcos-malware-new-face
  https://hackread.com/remcos-malware-campaigns-hit-businesses-and-schools/
• Fake DocuSign Email Hides Tricky Phishing Attempt
  "On my daily rounds, I encountered a phishing attempt that used a not completely unusual, yet clever delivery method. What began as a seemingly routine DocuSign notification turned into a multi-layered deception involving Webflow, a shady redirect, and a legitimate Google login page. Webflow is a visual website builder that allows designers and developers to create custom, responsive websites. It’s a no-code solution that allows users to visually design, build, and launch websites directly in the browser The attack all starts with an email claiming to be from a known contact, referencing a completed DocuSign document."
  https://www.malwarebytes.com/blog/news/2025/06/fake-docusign-email-hides-tricky-phishing-attempt
• DeepSeek Deception: Sainbox RAT & Hidden Rootkit Delivery
  "Netskope Threat Labs has discovered a campaign using fake installers to deliver the Sainbox RAT and Hidden rootkit. During our threat hunting activities, we encountered multiple installers disguised as legitimate software, including WPS Office, Sogou, and DeepSeek. These installers were mainly MSI files that were delivered via phishing websites. Both the phishing pages and installers were in Chinese, indicating that the targets are Chinese speakers. We can attribute this attack to Silver Fox (a China-based adversary group) with medium confidence based on the TTPs, particularly the phishing websites, the fake installers for popular Chinese software, the use of Gh0stRAT variants, and the targeting of Chinese speakers."
  https://www.netskope.com/blog/deepseek-deception-sainbox-rat-hidden-rootkit-delivery
  https://thehackernews.com/2025/06/chinese-group-silver-fox-uses-fake.html
  https://www.securityweek.com/chinese-hackers-target-chinese-users-with-rat-rootkit/
• Hive0154 Aka Mustang Panda Shifts Focus On Tibetan Community To Deploy Pubload Backdoor
  "In June 2025, IBM X-Force researchers discovered China-aligned threat actor, Hive0154, spreading Pubload malware featuring lure documents and filenames targeting the Tibetan community. The Tibetan sovereignty dispute is often invoked by Chinese threat groups in their cyber operations, with the latest campaign coinciding with activities leading up to a major event for the Tibetan community, the Dalai Lama's 90th birthday."
  https://www.ibm.com/think/x-force/hive0154-mustang-panda-shifts-focus-tibetan-community-deploy-pubload-backdoor
  https://thehackernews.com/2025/06/pubload-and-pubshell-malware-used-in.html
• GIFTEDCROOK’s Strategic Pivot: From Browser Stealer To Data Exfiltration Platform During Critical Ukraine Negotiations
  "The Arctic Wolf Labs team has discovered that the cyber-espionage group UAC-0226, known for utilising the infostealer GIFTEDCROOK, has significantly evolved its capabilities. It has transitioned the malware from a basic browser data stealer (which we’re referring to as v1), through two new upgrades (v1.2 and v1.3) into a robust intelligence-gathering tool. Analysis of early files from February 2025 suggests that the GIFTEDCROOK project began as a demo during that period. It subsequently matured and was put into production in March 2025, with new capabilities continuously being developed and added since then."
  https://arcticwolf.com/resources/blog-uk/giftedcrooks-strategic-pivot-from-browser-stealer-to-data-exfiltration-platform-during-critical-ukraine-negotiations/
  https://thehackernews.com/2025/06/giftedcrook-malware-evolves-from.html
• Anubis Ransomware Targets Global Victims With Wiper Functionality
  "This blog provides a detailed technical analysis of Anubis ransomware, an emerging RaaS threat known for combining data encryption with an optional file-wiping feature that permanently destroys victim data. By mapping its behavior to the MITRE ATT&CK Enterprise framework, we explore the full attack chain, from initial access via spear-phishing to the use of ECIES-based encryption and file-wiping mechanisms that amplify impact."
  https://www.picussecurity.com/resource/blog/anubis-ransomware-targets-global-victims-with-wiper-functionality

Breaches/Hacks/Leaks

• Hawaiian Airlines Discloses Cyberattack, Flights Not Affected
  "Hawaiian Airlines, the tenth-largest commercial airline in the United States, is investigating a cyberattack that has disrupted access to some of its systems. With over 7,000 employees, 235 average daily flights, and a fleet of over 60 airplanes, Hawaiian Airlines connects Hawai'i with 15 U.S. mainland cities and 10 other destinations across Asia and the Pacific. The airline stated in a statement issued on Thursday morning that the incident didn't affect flight safety and has already contacted relevant authorities to assist in investigating the attack."
  https://www.bleepingcomputer.com/news/security/hawaiian-airlines-discloses-cyberattack-flights-not-affected/
  https://therecord.media/hawaiian-airlines-cyberattack-flights-safe
  https://cyberscoop.com/scattered-spider-aviation-hawaiian-airlines-cyberattack/
  https://www.infosecurity-magazine.com/news/hawaiian-airlines-cybersecurity/
  https://www.theregister.com/2025/06/27/aloha_youve_been_pwned_hawaiian/
• Retail Giant Ahold Delhaize Says Data Breach Affects 2.2 Million People
  "Ahold Delhaize, one of the world's largest food retail chains, is notifying over 2.2 million individuals that their personal, financial, and health information was stolen in a November ransomware attack that impacted its U.S. systems. The multinational retailer and wholesale company operates over 9,400 local stores across Europe, the United States, and Indonesia, employing more than 393,000 people and serving approximately 60 million customers each week in-store and online."
  https://www.bleepingcomputer.com/news/security/retail-giant-ahold-delhaize-says-data-breach-affects-22-million-people/
  https://therecord.media/hackers-cyberattack-grocery-chain
  https://www.bankinfosecurity.com/food-retail-giants-breach-22-million-employees-affected-a-28842
  https://www.theregister.com/2025/06/27/ahold_delhaize_breach/

General News

• Money Mule Networks Evolve Into Hierarchical, Business-Like Criminal Enterprises
  "In this Help Net Security interview, Michal Tresner, CEO of ThreatMark, discusses how cybercriminals are weaponizing AI, automation, and social engineering to industrialize money mule operations. He looks at how these networks have changed and how behavioral intelligence is helping to catch fraud. Tresner also shares practical tips for CISOs trying to stop mule activity before it gets out of hand."
  https://www.helpnetsecurity.com/2025/06/27/michal-tresner-threatmark-money-mule-networks/
• After a Hack Many Firms Still Say Nothing, And That’s a Problem
  "Attackers are more inclined to “log in rather than break in,” using stolen credentials, legitimate tools, and native access to stealthily blend into their target’s environment, according to Bitdefender’s 2025 Cybersecurity Assessment Report. 68% of security leaders are focusing on reducing the number of tools and applications running in their environments. Why? Because every unused admin account, unnecessary app, or extra permission is a potential doorway for attackers, and a place for them to hide once they’re in. By turning off what’s not needed, organizations give attackers fewer options."
  https://www.helpnetsecurity.com/2025/06/27/cybersecurity-risk-reduction-breach-transparency/
• We Know GenAI Is Risky, So Why Aren’t We Fixing Its Flaws?
  "Even though GenAI threats are a top concern for both security teams and leadership, the current level of testing and remediation for LLM and AI-powered applications isn’t keeping up with the risks, according to Cobalt. Pentesting data from the report highlights a troubling reality: LLM applications often have serious security vulnerabilities. These high-risk issues appear more frequently in LLMs than in any other type of system, showing that LLM deployments carry a particularly elevated risk."
  https://www.helpnetsecurity.com/2025/06/27/cobalt-research-llm-security-vulnerabilities/
• Vulnerability Debt: How Do You Put a Price On What To Fix?
  "As defined by the UK National Cyber Security Centre, a vulnerability is "a weakness in an IT system that can be exploited by an attacker to deliver a successful attack. They can occur through flaws, features or user error, and attackers will look to exploit any of them, often combining one or more, to achieve their end goal.""
  https://www.darkreading.com/vulnerabilities-threats/vulnerability-debt-fix-price

อ้างอิง
Electronic Transactions Development Agency(ETDA)

เมื่อวันที่ 30 มิถุนายน 2568 Cyber Security Agency of Singapore (CSA) ได้เผยแพร่เกี่ยวกับ Notepad++ ได้ออกอัปเดตด้านความปลอดภัยเพื่อแก้ไขช่องโหว่ที่ส่งผลกระทบต่อผลิตภัณฑ์ ขอแนะนำให้ผู้ใช้งานและผู้ดูแลระบบของผลิตภัณฑ์ที่ได้รับผลกระทบ อัปเดตเป็นเวอร์ชันล่าสุดโดยเร็ว

Notepad++ ได้ออกอัปเดตด้านความปลอดภัยเพื่อแก้ไขช่องโหว่หมายเลข CVE-2025-49144 ที่มีผลกระทบต่อผลิตภัณฑ์ โดยในขณะนี้ มีการเปิดเผยโค้ดทดสอบการเจาะระบบ (Proof-of-Concept) สำหรับช่องโหว่นี้ต่อสาธารณะแล้ว

ผลกระทบ
หากผู้ไม่หวังดีสามารถเจาะระบบผ่านช่องโหว่นี้ได้สำเร็จ
อาจทำให้ผู้โจมตีที่มีสิทธิ์เข้าถึงในระดับต่ำ สามารถยกระดับสิทธิ์ของตน (Privilege Escalation) โดยการรันไฟล์ที่ถูกออกแบบมาอย่างเป็นอันตรายด้วยสิทธิ์ระดับระบบ (System-level Privileges) ซึ่งอาจนำไปสู่การยึดครองระบบที่ได้รับผลกระทบโดยสมบูรณ์

ผลิตภัณฑ์ที่ได้รับผลกระทบ
ช่องโหว่นี้มีผลกระทบต่อ Notepad++ เวอร์ชัน 8.8.1 และก่อนหน้านี้

แนวทางการแก้ไข
ขอแนะนำให้ผู้ใช้งานและผู้ดูแลระบบของผลิตภัณฑ์ที่ได้รับผลกระทบ อัปเดตเป็นเวอร์ชันล่าสุดโดยทันที

อ้างอิง
https://www.csa.gov.sg/alerts-and-advisories/alerts/al-2025-063/

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

เมื่อวันที่ 25 มิถุนาย 2568 Cybersecurity and Infrastructure Security Agency (CISA) ได้มีการเผยแพร่การเพิ่มช่องโหว่ใหม่ 2 รายการในแค็ตตาล็อก ช่องโหว่อาจเป็นที่รู้จักของกลุ่มแฮกเกอร์ ซึ่งการเพิ่มนี้ขึ้นอยู่กับข้อมูลของการแสวงหาผลประโยชน์จากการโจมตีช่องโหว่ดังกล่าวนั้นได้ ช่องโหว่เหล่านี้เป็นการโจมตีบ่อยครั้งสำหรับผู้ที่ไม่ประสงค์ดีด้านภัยคุกคามทางไซเบอร์และก่อให้เกิดความเสี่ยงที่สำคัญต่อองค์กรนั้นได้ มีรายละเอียดดังนี้

• CVE-2024-54085 AMI MegaRAC SPx Authentication Bypass by Spoofing Vulnerability
• CVE-2024-0769 D-Link DIR-859 Router Path Traversal Vulnerability
• CVE-2019-6693 Fortinet FortiOS Use of Hard-Coded Credentials Vulnerability

อ้างอิง
https://www.cisa.gov/news-events/alerts/2025/06/25/cisa-adds-three-known-exploited-vulnerabilities-catalog
สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

Cybersecurity and Infrastructure Security Agency (CISA) ได้เผยแพร่คำแนะนำเกี่ยวกับระบบควบคุมอุตสาหกรรม (ICS) 2 รายการ เมื่อวันที่ 26 มิถุนายน 2568 ซึ่งคำแนะนำเหล่านี้ให้ข้อมูลที่ทันท่วงทีเกี่ยวกับปัญหาด้านความปลอดภัยช่องโหว่ และช่องโหว่ที่อยู่รอบ ๆ ICS ในปัจจุบัน มีดังต่อไปนี้

• ICSA-25-177-01 Mitsubishi Electric Air Conditioning Systems
• ICSA-25-177-02 TrendMakers Sight Bulb Pro

ทั้งนี้ CISA สนับสนุนให้ผู้ใช้และผู้ดูแลระบบตรวจสอบคำแนะนำ ICS ที่เผยแพร่ใหม่สำหรับรายละเอียดทางเทคนิคและการบรรเทาผลกระทบ รายละเอียดเพิ่มเติมที่ https://www.cisa.gov/news-events/alerts/2025/06/26/cisa-releases-two-industrial-control-systems-advisories

อ้างอิง
https://www.cisa.gov/news-events/alerts/2025/06/26/cisa-releases-two-industrial-control-systems-advisories
สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

Cybersecurity and Infrastructure Security Agency (CISA) ได้เผยแพร่คำแนะนำเกี่ยวกับระบบควบคุมอุตสาหกรรม (ICS) 8 รายการ เมื่อวันที่ 24 มิถุนายน 2568 ซึ่งคำแนะนำเหล่านี้ให้ข้อมูลที่ทันท่วงทีเกี่ยวกับปัญหาด้านความปลอดภัยช่องโหว่ และช่องโหว่ที่อยู่รอบ ๆ ICS ในปัจจุบัน มีดังต่อไปนี้

• ICSA-25-175-01 Kaleris Navis N4 Terminal Operating System
• ICSA-25-175-02 Delta Electronics CNCSoft
• ICSA-25-175-03 Schneider Electric Modicon Controllers
• ICSA-25-175-04 Schneider Electric EVLink WallBox
• ICSA-25-175-05 ControlID iDSecure On-Premises
• ICSA-25-175-06 Parsons AccuWeather Widget
• ICSA-25-175-07 MICROSENS NMP Web+
• ICSA-19-029-02 Mitsubishi Electric MELSEC-Q Series PLCs (Update B)

ทั้งนี้ CISA สนับสนุนให้ผู้ใช้และผู้ดูแลระบบตรวจสอบคำแนะนำ ICS ที่เผยแพร่ใหม่สำหรับรายละเอียดทางเทคนิคและการบรรเทาผลกระทบ รายละเอียดเพิ่มเติมที่ https://www.cisa.gov/news-events/alerts/2025/06/24/cisa-releases-eight-industrial-control-systems-advisories

อ้างอิง
https://www.cisa.gov/news-events/alerts/2025/06/24/cisa-releases-eight-industrial-control-systems-advisories

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

Industrial Sector

• Mitsubishi Electric Air Conditioning Systems
  "Successful exploitation of this vulnerability could allow an attacker to control the air conditioning system."
  https://www.cisa.gov/news-events/ics-advisories/icsa-25-177-01
• A Brief Overview Of The Main Incidents In Industrial Cybersecurity. Q1 2025
  "In Q1 2025, 118 incidents were publicly confirmed by victims. All of these incidents are included in the table at the end of the overview, with select incidents described in detail. This quarter, organizations from multiple industrial sectors around the world reported serious incidents caused by cyberattacks. These attacks resulted in the loss of confidential data and the interruption of IT services and key operational processes, including the production and supply of products. The most high-profile story of the quarter was undoubtedly the attack on Kuala Lumpur airport, which knocked out many of its information systems, including departure and arrival boards, check-in terminals and baggage handling systems, for 10 hours."
  https://ics-cert.kaspersky.com/publications/reports/2025/06/26/a-brief-overview-of-the-main-incidents-in-industrial-cybersecurity-q1-2025/
• TrendMakers Sight Bulb Pro
  "Successful exploitation of these vulnerabilities could allow an attacker to capture sensitive information and execute arbitrary shell commands on the target device as root if connected to the local network segment."
  https://www.cisa.gov/news-events/ics-advisories/icsa-25-177-02

New Tooling

• Kanister: Open-Source Data Protection Workflow Management Tool
  "Kanister is an open-source tool that lets domain experts define how to manage application data using blueprints that are easy to share and update. It handles the complex parts of running these tasks on Kubernetes and gives a consistent way to manage different applications at scale."
  https://www.helpnetsecurity.com/2025/06/26/kanister-open-source-data-protection-workflow-management-tool/
  https://github.com/kanisterio/kanister

Vulnerabilities

• Decrement By One To Rule Them All: AsIO3.sys Driver Exploitation
  "Armory Crate and AI Suite are applications used to manage and monitor ASUS motherboards and related components such as the processor, RAM or the increasingly popular RGB lighting. These types of applications often install drivers in the system, which are necessary for direct communication with hardware to configure settings or retrieve critical parameters such as CPU temperature, fan speeds and firmware updates. Therefore, it is critical to ensure that drivers are well-written with security in mind and designed such that access to the driver interfaces are limited only to certain services and administrators."
  https://blog.talosintelligence.com/decrement-by-one-to-rule-them-all/
• Marketplace Takeover: How We Could’ve Taken Over Every Developer Using a VSCode Fork; Putting Millions At Risk
  "We discovered a critical vulnerability in open-vsx.org, the open-source VS Code extensions marketplace powering popular VSCode forks like Cursor, Windsurf and VSCodium, used by over 8,000,000 developers. This vulnerability provides attackers full control over the entire extensions marketplace, and in turn, full control over millions of developer machines. By exploiting a CI issue a malicious actor could publish malicious updates to every extension on Open VSX. One bug. Full marketplace takeover. Millions of developers and their organizations — compromised. If you control the extensions, you control the machine, the code, and the business."
  https://blog.koi.security/marketplace-takeover-how-we-couldve-taken-over-every-developer-using-a-vscode-fork-f0f8cf104d44
  https://thehackernews.com/2025/06/critical-open-vsx-registry-flaw-exposes.html

Malware

• Ongoing Campaign Abuses Microsoft 365’s Direct Send To Deliver Phishing Emails
  "Varonis’ Managed Data Detection and Response (MDDR) Forensics team has uncovered a novel phishing campaign targeting more than 70 organizations. In this post, we dive into the specifics to help you better understand what happened, how to detect the attack and how to prevent it moving forward. This campaign exploits a lesser-known feature in Microsoft 365: Direct Send. Designed to allow internal devices like printers to send emails without authentication, Varonis warns that threat actors are abusing the feature to spoof internal users and deliver phishing emails without ever needing to compromise an account. Identified victims spanned multiple verticals and locations but were predominantly US-based organizations."
  https://www.varonis.com/blog/direct-send-exploit
  https://www.bleepingcomputer.com/news/security/microsoft-365-direct-send-abused-to-send-phishing-as-internal-users/
• Surge In MOVEit Transfer Scanning Could Signal Emerging Threat Activity
  "GreyNoise has identified a notable surge in scanning activity targeting MOVEit Transfer systems, beginning on May 27, 2025. Prior to this date, scanning was minimal — typically fewer than 10 IPs observed per day. But on May 27, that number spiked to over 100 unique IPs, followed by 319 IPs on May 28. Since that initial jump, daily scanner IP volume has remained intermittently elevated between 200 to 300 IPs per day — a significant deviation from baseline and an indicator that MOVEit Transfer is once again in the crosshairs."
  https://www.greynoise.io/blog/surge-moveit-transfer-scanning-activity
  https://www.bankinfosecurity.com/scans-probing-for-moveit-systems-may-be-precursor-to-attacks-a-28832
• CapCut Con: Apple Phishing & Card-Stealing Refund Ruse
  "As CapCut continues to dominate the short-form video editing scene, cybercriminals are seizing the opportunity to exploit its popularity. In a recent phishing campaign observed by the Cofense PDC team, threat actors have crafted convincing fake CapCut invoice lures (Figure 1) designed to harvest Apple ID credentials along with credit card information. By leveraging the app's widespread appeal and mimicking its official branding, these attackers aim to deceive users into divulging sensitive information. This blog post delves into the mechanics of this phishing scheme, highlights the tactics used, and provides insights on how to recognize and avoid such threats."
  https://cofense.com/blog/capcut-con-apple-phishing-card-stealing-refund-ruse

Breaches/Hacks/Leaks

• Central Kentucky Radiology Data Breach Impacts 167,000
  "Radiology services provider Central Kentucky Radiology (CKR) is notifying roughly 167,000 people that their personal information was compromised in an October 2024 data breach. The incident, the organization says, was discovered after certain systems within its network were disrupted by a cyberattack. CKR determined that a threat actor had access to its network between October 16 and October 18, 2024, and copied files from its systems."
  https://www.securityweek.com/central-kentucky-radiology-data-breach-impacts-167000/

General News

• Building Cyber Resilience In Always-On Industrial Environments
  "In this Help Net Security interview, Dr. Tim Sattler, CISO at Jungheinrich, discusses the cybersecurity risks tied to smart warehouses and industrial control systems. He explains how to maintain operational continuity while building real cyber resilience in always-on environments. Dr. Sattler also shares practical strategies for working with third-party partners and preparing for the next wave of automation."
• **https://www.helpnetsecurity.com/2025/06/26/tim-sattler-jungheinrich-industrial-environments-cybersecurity/
• Introducing CC Signals: A New Social Contract For The Age Of AI**
  "Creative Commons (CC) today announces the public kickoff of the CC signals project, a new preference signals framework designed to increase reciprocity and sustain a creative commons in the age of AI. The development of CC signals represents a major step forward in building a more equitable, sustainable AI ecosystem rooted in shared benefits. This step is the culmination of years of consultation and analysis. As we enter this new phase of work, we are actively seeking input from the public."
  https://creativecommons.org/2025/06/25/introducing-cc-signals-a-new-social-contract-for-the-age-of-ai/
  https://www.helpnetsecurity.com/2025/06/26/cc-signals-ai-boundaries/
• When Synthetic Identity Fraud Looks Just Like a Good Customer
  "People may assume synthetic identity fraud has no victims. They believe fake identities don’t belong to real people, so no one gets hurt. But this assumption is wrong. Criminals create fake identities by combining stolen pieces of personal information such as Social Security numbers, names, and birthdates. This type of fraud is often called Frankenstein fraud because it stitches together real and fake components to form a new, convincing identity."
  https://www.helpnetsecurity.com/2025/06/26/synthetic-identity-fraud-consequences/
• Most AI And SaaS Apps Are Outside IT’s Control
  "60% of enterprise SaaS and AI applications operate outside IT’s visibility, according to CloudEagle.ai. This surge in invisible IT is fueling a crisis in AI identity governance, leading to increased breaches, audit failures, and compliance risk across enterprises. A survey of 1,000 enterprise CIOs and CISOs shows a shift: most security breaches now start inside the organization. The main problems are too many user permissions, unused accounts, and poor identity management. Manual onboarding, rare access checks, and disconnected offboarding make things worse."
  https://www.helpnetsecurity.com/2025/06/26/ai-identity-governance/
• Ex-Student Charged Over Hacking University For Cheap Parking, Data Breaches
  "New South Wales police in Australia have arrested a 27-year-old former Western Sydney University (WSU) student for allegedly hacking into the University's systems on multiple occasions, starting with a scheme to obtain cheaper parking. Specifically, the woman, identified by local media reports as Birdie Kingston, is accused of unauthorized access, data theft, and compromising university infrastructure since 2021, affecting hundreds of staff and students. "Since 2021, Western Sydney University experienced a series of cyber hacks involving unauthorized access, data exfiltration, system compromise, and misuse of university infrastructure – including threatening the sale of student information on the dark web," reads the NSW Police press release."
  https://www.bleepingcomputer.com/news/security/ex-student-charged-over-hacking-university-for-cheap-parking-data-breaches/
• Man Pleads Guilty To Hacking Networks To Pitch Security Services
  "A Kansas City man has pleaded guilty to hacking multiple organizations to advertise his cybersecurity services, the U.S. Department of Justice announced on Wednesday. 32-year-old Nicholas Michael Kloster was indicted last year for hacking into the networks of three organizations in 2024, including a health club and a Missouri nonprofit corporation. According to court documents, Kloster accessed the systems of a health club that operates multiple gyms in Missouri after breaching a restricted area. Next, he sent an email to one of the gym chain's owners, claiming he had hacked their network and offering his services in the same message, seemingly seeking to secure a cybersecurity consulting contract with the company."
  https://www.bleepingcomputer.com/news/security/man-pleads-guilty-to-hacking-networks-to-pitch-security-services/
  https://www.securityweek.com/man-who-hacked-organizations-to-advertise-security-services-pleads-guilty/
• The AI Arms Race: When Attackers Leverage Cutting-Edge Tech
  "For too long, the narrative around AI in cyber security has focused on its defensive capabilities. While AI is revolutionizing how organizations protect themselves – bringing unprecedented speed, accuracy, and automation – it’s crucial to acknowledge the other side of the coin. Cyber criminals are quickly embracing AI, using large language models (LLMs) and advanced agentic AI to craft more potent and elusive attacks."
  https://blog.checkpoint.com/infinity-global-services/the-ai-arms-race-when-attackers-leverage-cutting-edge-tech/
• How Geopolitical Tensions Are Shaping Cyber Warfare
  "As global conflicts intensify, cyberspace is becoming just as contentious as the physical world. Digital frontlines are expanding rapidly, with nation-state-backed actors launching attacks against governments, infrastructure, finance, and private enterprise. What's changing isn't just the scale; it's also the focus. Today's adversaries adapt faster and act smarter, blending old tactics with new delivery methods and exploiting the same weaknesses that have gone unpatched for years. Cybersecurity professionals don't just need more data; they need to know what's happening in their neighborhood."
  https://www.darkreading.com/vulnerabilities-threats/geopolitical-tensions-shape-cyber-warfare
• Cloud Repatriation Driven By AI, Cost, And Security
  "The acceleration of artificial intelligence (AI) has changed the way many enterprises are run, with the technology automating business processes and executing business queries. So it's not a huge surprise that AI is also transforming how companies use their cloud infrastructures. The focus on cloud migration over the past few years is plateauing as many organizations begin to embrace cloud repatriation — moving data, assets, and workloads out of the cloud and back to the data center. The difference is that organizations may not be going back to on-premises but rather to a private cloud or a hybrid cloud. Continued concerns about security in the cloud and a soaring price tag are also driving the cloud repatriation trend."
  https://www.darkreading.com/cloud-security/cloud-repatriation-ai-cost-security
• Taming Agentic AI Risks Requires Securing Non-Human Identities
  "From service accounts and Web application programming interfaces (APIs) to serverless applications and now artificial intelligence (AI) agents, the landscape of non-human identities is quickly becoming more complex. Companies are struggling to monitor and manage machine identities with security controls. In the past, machine identities focused on devices, services, and workloads. Developers connected their applications to online application programming interfaces (API) with a secret key or token. More complex applications integrate data from numerous applications through APIs."
  https://www.darkreading.com/cybersecurity-operations/taming-agentic-ai-risks-securing-nhi
• ESET Threat Report H1 2025
  "From novel social engineering techniques to sophisticated mobile threats and major infostealer disruptions, the threat landscape in the first half of 2025 was anything but boring. One of the most striking developments this period was the emergence of ClickFix, a new, deceptive attack vector that skyrocketed by over 500% compared to H2 2024 in ESET telemetry. Now the second most common attack vector after phishing, ClickFix manipulates internet users into executing malicious commands under the guise of fixing a fake error. The payloads at the end of ClickFix attacks vary widely – from infostealers to ransomware and even to nation-state malware – making this a versatile and formidable threat across Windows, Linux, and macOS."
  https://www.welivesecurity.com/en/eset-research/eset-threat-report-h1-2025/
  https://web-assets.esetstatic.com/wls/en/papers/threat-reports/eset-threat-report-h12025.pdf
  https://thehackernews.com/2025/06/new-filefix-method-emerges-as-threat.html
  https://www.infosecurity-magazine.com/news/clickfix-attacks-surge-2025/
  https://www.helpnetsecurity.com/2025/06/26/clickfix-attacks-fakecaptcha-eset-report/
• Qilin Ransomware Attack On NHS Supplier Contributed To Patient Fatality
  "The NHS says Qilin's ransomware attack on pathology services provider Synnovis last year led to the death of a patient. King's College Hospital NHS Trust, one of the many trusts affected by Qilin's attack, confirmed the news on Wednesday. An NHS spokesperson told The Register: "One patient sadly died unexpectedly during the cyberattack. As is standard practice when this happens, we undertook a detailed review of their care."
  https://www.theregister.com/2025/06/26/qilin_ransomware_nhs_death/

อ้างอิง
Electronic Transactions Development Agency(ETDA)

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand