NCSA Webboard
    NCSA_THAICERT (@NCSA_THAICERT)
    Global Moderator, administrators
    Website: www.ncsa.or.th/?fbclid=IwAR0BqJEC-CJzBs98rlBxUbZkNBgp1g814xdDNNaKnHTrxfqZhPD--ksY68I

    Latest posts made by NCSA_THAICERT

    • Key risks of AI to security and society in 2026

      1. Types of risk from artificial intelligence (AI)
      • Risk from misuse of AI
        AI may be used by malicious actors to make cyber attacks more effective, for example by generating convincing scam emails or messages, by faking images, audio or video (deepfakes) for fraud or harassment, and by producing and spreading disinformation at scale to sway public opinion, making deception more realistic and faster to spread than before.

      • Risk from errors in AI systems
        Although AI is highly capable, it can still give inaccurate information or generate content that is wrong but appears credible, which can cause harm when it is used in high-stakes contexts such as medicine, finance or law. In addition, increasingly complex systems may act beyond their intended scope if they lack proper governance and oversight.

      • Structural risks to society
        The spread of AI may affect the structure of the labour market, especially data and clerical work, potentially changing employment patterns and widening income inequality. At the same time, over-reliance on AI may erode human critical-thinking skills and, in some cases, affect social interaction or mental well-being.

      2. Approaches to mitigating and preventing risk
      • Use AI with discernment; verify information against multiple sources before believing or sharing it
      • Use AI as a tool to support decisions, not as a replacement for human judgement
      • Avoid disclosing personal data unnecessarily
      • Keep developing digital and critical-thinking skills

      3. Additional security recommendations
      • Enable multi-factor authentication (MFA) and configure online account security appropriately
      • Be wary of content designed to cause alarm or pressure you to act immediately
      • Verify the authenticity of audio or video clips before transferring money or giving out sensitive information
      • Promote AI learning and awareness within families and organisations

      Key point: Artificial intelligence is a technology that can bring enormous benefits if used responsibly, carefully and with awareness. Cooperation between the public sector, the private sector and citizens will be the key mechanism for building a secure, safe and sustainable digital society.

      4. Reference: https://dg.th/g057uz32qe

      Posted in Cyber Security News
    • 🚨 Cyber threat alert: SolarWinds Serv-U vulnerabilities risk remote takeover

      ThaiCERT, while monitoring the cyber threat landscape, has found four critical-severity vulnerabilities in SolarWinds Serv-U Managed File Transfer (MFT) which could allow malicious actors to execute commands remotely (Remote Code Execution: RCE) and escalate privileges to take control of the server at Root/Administrator level.

      1. Vulnerability details
        1.1 CVE-2025-40538 – Broken Access Control, CVSS v3.1 score: 9.1 (Critical). Caused by improper access control; could allow an attacker who already holds high privileges to create an administrator account and run commands at Root/Administrator level.
        1.2 CVE-2025-40539 – Type Confusion, CVSS v3.1 score: 9.1 (Critical). Caused by improper handling of data types, causing the system to process data as the wrong type, which may lead to native code execution.
        1.3 CVE-2025-40540 – Type Confusion, CVSS v3.1 score: 9.1 (Critical). A vulnerability related to faulty memory or data-type handling that could be used to execute commands remotely.
        1.4 CVE-2025-40541 – Insecure Direct Object Reference (IDOR), CVSS v3.1 score: 9.1 (Critical). Caused by access to internal system resources without proper authorisation checks; could be combined with system processes to execute code remotely.
      2. Affected versions
        • SolarWinds Serv-U 15.5
      3. Fixed version
        • SolarWinds Serv-U 15.5.4
      4. Remediation and prevention
        4.1 Update to Serv-U version 15.5.4 immediately
        4.2 Enable Multi-Factor Authentication (MFA)
      5. If you cannot update immediately (temporary mitigation)
        5.1 Disable or restrict access to the Web Management Interface; do not expose it to the public internet
        5.2 Restrict high-privilege user accounts: disable unnecessary accounts, remove accounts of unknown origin, and change the passwords of all administrator accounts
        5.3 Limit the ports that are open and close unnecessary ports or services
      6. References
        6.1 https://dg.th/vly3ebz7n9
        6.2 https://dg.th/k6cv1e4wfx
        6.3 https://dg.th/nucmbe01ql
        6.4 https://dg.th/5pneah9zmx
        6.5 https://dg.th/xoq9c1zumg
        6.6 https://dg.th/tb9y8nuiha
        Although no widespread attacks have been reported yet, because the severity rating is Critical and the flaws involve system privilege escalation, you should update as soon as possible.
        #CyberSecurity #SolarWinds #ServU #CriticalVulnerability #RCE #PatchNow #ThaiCERT

      Posted in Cyber Security News
    • 🚨 Urgent! Vulnerabilities in VMware Aria Operations risk system takeover

      The National Computer System Security Coordination Centre (ThaiCERT) warns system administrators and organisations using VMware products about three high-severity vulnerabilities that could allow malicious actors to take control of systems without needing to authenticate.

      1. Vulnerability details

      1.1 CVE-2026-22719 (CVSS v3.1: 8.1)
      A Command Injection vulnerability that could allow an attacker to execute malicious code (Remote Code Execution: RCE), particularly during the Product Migration process.
      1.2 CVE-2026-22720 (CVSS v3.1: 8.0)
      A Stored Cross-Site Scripting (Stored XSS) vulnerability; an attacker can inject malicious scripts through the Custom Benchmarks creation function to act with administrator privileges.
      1.3 CVE-2026-22721
      A Privilege Escalation vulnerability that could be used to gain access to system resources at Administrator level, beyond what was authorised.

      2. Affected products
        2.1 VMware Aria Operations: versions before 8.18.6
        2.2 VMware Cloud Foundation: versions before 9.0.2.0
        2.3 VMware vSphere Foundation: versions before 9.0.2.0
        Any version lower than those listed is considered at risk.

      3. Remediation and prevention
        3.1 Update the system to the latest version

      • VMware Aria Operations version 8.18.6 or later
      • VMware Cloud Foundation / vSphere Foundation version 9.0.2.0
        3.2 Monitoring
        Review system logs, especially during Data Migration or when system configuration may be abnormal.
      4. If you cannot update immediately
        4.1 Disable access to the Management Interface from the internet
        4.2 Restrict access to internal organisation IP addresses or via VPN only
        4.3 Reduce privileges and audit administrator accounts

      References
      1. https://dg.th/8y4h0zi3ed
      2. https://dg.th/5jms1gdn3e
      3. https://dg.th/319i0lrufz
      4. https://dg.th/rpxf2wjvac

      Posted in Cyber Security News
    • CISA adds one exploited vulnerability to its catalog

      On 24 February 2026, the Cybersecurity and Infrastructure Security Agency (CISA) added one new vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation, as follows:

      • CVE-2026-25108 Soliton Systems K.K. FileZen OS Command Injection Vulnerability

      CISA continuously updates and adds new vulnerabilities to the KEV catalog so that it covers the risks actually detected now and in the future.

      Reference
      https://www.cisa.gov/news-events/alerts/2026/02/24/cisa-adds-one-known-exploited-vulnerability-catalog

      You can follow the news on the webboard or on Facebook: NCSA Thailand

      Posted in Cyber Security News
    • CISA releases five Industrial Control Systems (ICS) advisories

      The Cybersecurity and Infrastructure Security Agency (CISA) released five advisories concerning industrial control systems (ICS) on 26 February 2569 (B.E.) to provide timely information on security issues, vulnerabilities and attacks related to ICS, as follows:

      • ICSA-26-055-01 InSAT MasterSCADA BUK-TS
      • ICSA-26-055-02 Schneider Electric EcoStruxure Building Operation Workstation
      • ICSA-26-055-03 Gardyn Home Kit IoT Device
      • ICSA-22-202-04 ICONICS Suite and Mitsubishi Electric MC Works64 Products (Update C)
      • ICSA-24-296-01 Mitsubishi Electric Iconics Digital Solutions and Mitsubishi Electric Products (Update C)

      CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations.

      Reference
      https://www.cisa.gov/news-events/ics-advisories
      You can follow the news on the webboard or on Facebook: NCSA Thailand

      Posted in OT Cyber Security News
    • Cyber Threat Intelligence 26 February 2026

      Financial Sector

      • PCI Council Says Threats To Payments Systems Are Speeding Up
        "A new report on the payment card industry (PCI) reflects an increased dependency on global coordination to address threats that are growing more sophisticated, and expanding the remit for the trade group itself. The PCI Security Standards Council (SSC) 2025 annual report highlighted training, education, collaboration, and outreach initiatives conducted throughout the year to advance payment security worldwide for merchants, retailers, and vendors. It is the first time the group has published a report since its founding in 2006."
        https://www.darkreading.com/cyber-risk/pci-council-threats-payments-systems-speeding-up
        https://www.pcisecuritystandards.org/about_us/annual-report/

      Industrial Sector

      • 'Richter Scale' Model Measures Magnitude Of OT Cyber Incidents
        "A newly developed method for gauging the impact of an OT cybersecurity incident could pave the way for more accurate measurement and response to an event, and also shine light on risk and business ramifications. The Operational Technology Incident (OTI) Impact Score — which will be unveiled today at the ICS/OT industry's S4x26 Conference in Miami — aims to provide rapid clarity on the actual effects of OT cyber incidents, which often get over- or under-hyped, according to Dale Peterson, co-creator of the OTI model and head of ICS/OT consulting and research firm Digital Bond."
        https://www.darkreading.com/ics-ot-security/richter-scale-model-measures-cyber-incidents

      Vulnerabilities

      • Critical Cisco SD-WAN Bug Exploited In Zero-Day Attacks Since 2023
        "Cisco is warning that a critical authentication bypass vulnerability in Cisco Catalyst SD-WAN, tracked as CVE-2026-20127, was actively exploited in zero-day attacks that allowed remote attackers to compromise controllers and add malicious rogue peers to targeted networks. CVE-2026-20127 has a maximum severity of 10.0 and impacts Cisco Catalyst SD-WAN Controller (formerly vSmart) and Cisco Catalyst SD-WAN Manager (formerly vManage) in on-prem and SD-WAN Cloud installations. Cisco credited the Australian Signals Directorate's Australian Cyber Security Centre (ASD's ACSC) for reporting the vulnerability."
        https://www.bleepingcomputer.com/news/security/critical-cisco-sd-wan-bug-exploited-in-zero-day-attacks-since-2023/
        https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa-EHchtZk
        https://blog.talosintelligence.com/uat-8616-sd-wan/
        https://www.cisa.gov/news-events/alerts/2026/02/25/cisa-and-partners-release-guidance-ongoing-global-exploitation-cisco-sd-wan-systems
        https://cyberscoop.com/cisco-zero-days-cisa-emergency-directive-five-eyes/
        https://www.helpnetsecurity.com/2026/02/25/cisco-sd-wan-zero-day-cve-2026-20127/
      • Zyxel Warns Of Critical RCE Flaw Affecting Over a Dozen Routers
        "Taiwan networking provider Zyxel has released security updates to address a critical vulnerability affecting over a dozen router models that can allow unauthenticated attackers to gain remote command execution on unpatched devices. Tracked as CVE-2025-13942, this command injection security flaw was found in the UPnP function of Zyxel 4G LTE/5G NR CPE, DSL/Ethernet CPE, Fiber ONTs, and wireless extenders. Zyxel says that unauthenticated remote attackers can exploit it to execute operating system (OS) commands on an affected device using maliciously crafted UPnP SOAP requests."
        https://www.bleepingcomputer.com/news/security/zyxel-warns-of-critical-rce-flaw-affecting-over-a-dozen-routers/
        https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-null-pointer-dereference-and-command-injection-vulnerabilities-in-certain-4g-lte-5g-nr-cpe-dsl-ethernet-cpe-fiber-onts-security-routers-and-wireless-extenders-02-24-2026
        https://securityaffairs.com/188501/security/critical-zyxel-router-flaw-exposed-devices-to-remote-attacks.html
      • CISA Adds Two Known Exploited Vulnerabilities To Catalog
        "CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
        CVE-2022-20775 Cisco Catalyst SD-WAN Path Traversal Vulnerability
        CVE-2026-20127 Cisco Catalyst SD-WAN Controller and Manager Authentication Bypass Vulnerability"
        https://www.cisa.gov/news-events/alerts/2026/02/25/cisa-adds-two-known-exploited-vulnerabilities-catalog
        https://www.cisa.gov/news-events/directives/ed-26-03-mitigate-vulnerabilities-cisco-sd-wan-systems
        https://therecord.media/five-eyes-warn-hackers-exploit-cisco-sd-wan
        https://www.bankinfosecurity.com/feds-scramble-amid-shutdown-to-secure-cisco-sd-wan-systems-a-30849
      • Check Point Researchers Expose Critical Claude Code Flaws
        "As organizations rapidly adopt agentic AI development tools into enterprise workflows, the trust boundaries between configuration and execution are increasingly blurred. Check Point Research identified critical vulnerabilities in Anthropic’s Claude Code that enabled remote code execution and API credential theft through malicious repository-based configuration files. By abusing built-in mechanisms such as Hooks, Model Context Protocol (MCP) integrations, and environment variables, attackers could execute arbitrary shell commands and exfiltrate API keys when developers cloned and opened untrusted projects – without any additional action beyond launching the tool."
        https://blog.checkpoint.com/research/check-point-researchers-expose-critical-claude-code-flaws/
        https://research.checkpoint.com/2026/rce-and-api-token-exfiltration-through-claude-code-project-files-cve-2025-59536/
        https://www.darkreading.com/application-security/flaws-claude-code-developer-machines-risk
        https://thehackernews.com/2026/02/claude-code-flaws-allow-remote-code.html
        https://securityaffairs.com/188508/security/untrusted-repositories-turn-claude-code-into-an-attack-vector.html
        https://www.theregister.com/2026/02/26/clade_code_cves/

      Malware

      • Developer-Targeting Campaign Using Malicious Next.js Repositories
        "Microsoft Defender Experts identified a coordinated developer-targeting campaign delivered through malicious repositories disguised as legitimate Next.js projects and technical assessment materials. Telemetry collected during this investigation indicates the activity aligns with a broader cluster of threats that use job-themed lures to blend into routine developer workflows and increase the likelihood of code execution."
        https://www.microsoft.com/en-us/security/blog/2026/02/24/c2-developer-targeting-campaign/
        https://www.bleepingcomputer.com/news/security/fake-nextjs-job-interview-tests-backdoor-developers-devices/
        https://www.darkreading.com/cyberattacks-data-breaches/malicious-nextjs-repos-developers-fake-job-interviews
        https://www.theregister.com/2026/02/25/jobseeking_nextjs_devs_attack/
      • Abusing Windows File Explorer And WebDAV For Malware Delivery
        "Cofense Intelligence has been tracking how threat actors are abusing Windows File Explorer’s ability to retrieve remote files over Web-based Distributed Authoring and Versioning (WebDAV), and HTTP-based file management protocol, to trick victims into downloading malware. WebDAV is a relatively unpopular method of file transfer and remote file storage nowadays, but it is natively supported within the Windows File Explorer (though deprecated as of November 2023) as a way of remotely accessing a file server."
        https://cofense.com/blog/abusing-windows-file-explorer-and-webdav-for-malware-delivery
      • Unmasking Agent Tesla: A Deep Dive Into a Multi-Stage Campaign
        "Agent Tesla remains one of the most persistent threats in the cyber landscape today. It allows even low-skilled threat actors to harvest sensitive data through a highly sophisticated delivery pipeline. This research blog breaks down a recent multi-stage infection chain that utilizes a blend of phishing, obfuscated and encrypted scripts, and advanced in-memory execution and evasion techniques."
        https://www.fortinet.com/blog/threat-research/unmasking-agent-tesla-deep-dive-into-multi-stage-campaign
      • Oblivion: The New $300 Android RAT That Beats Every Major Phone Manufacturer’s Security
        "Every so often, a piece of malware surfaces that feels like a genuine step-change. Not just another recycled threat, but something built from the ground up to be harder to stop. Oblivion, a newly emerged Android Remote Access Trojan (RAT), is being positioned as exactly that. Certo’s security researchers have been analyzing the threat — and the evidence suggests the claim deserves serious attention. Advertised openly on a clear web hacking forum and backed by a full video demonstration, Oblivion targets Android devices running versions 8 through 16. That covers virtually every Android phone in active use today."
        https://www.certosoftware.com/insights/oblivion-the-new-300-android-rat-that-beats-every-major-phone-manufacturers-security/
        https://hackread.com/android-malware-oblivion-fake-updates-hijack-phones/
      • Malicious NuGet Package Targets Stripe
        "In December 2025, the ReversingLabs research team wrote about a malicious NuGet campaign that targeted developers and packages linked to cryptocurrency platforms such as Coinbase, Binance, Solana and Nethereum. Following that, the malicious NuGet activity appeared to slow. However, our researchers recently discovered a malicious package that mimics Stripe.net, a NuGet package by the popular online payments platform with more than 70 million downloads. The latest incident shows that while the threat actors have shifted away from blockchain-related targets on NuGet, they remain active and focused on the financial sector."
        https://www.reversinglabs.com/blog/malicious-nuget-package-targets-stripe
        https://www.infosecurity-magazine.com/news/malicious-nuget-package-stripe-devs/
      • Exposing The Undercurrent: Disrupting The GRIDTIDE Global Cyber Espionage Campaign
        "Last week, Google Threat Intelligence Group (GTIG), Mandiant, and partners took action to disrupt a global espionage campaign targeting telecommunications and government organizations in dozens of nations across four continents. The threat actor, UNC2814, is a suspected People's Republic of China (PRC)-nexus cyber espionage group that GTIG has tracked since 2017. This prolific, elusive actor has a long history of targeting international governments and global telecommunications organizations across Africa, Asia, and the Americas and had confirmed intrusions in 42 countries when the disruption was executed. The attacker was using API calls to communicate with SaaS apps as command-and-control (C2) infrastructure to disguise their malicious traffic as benign, a common tactic used by threat actors when attempting to improve the stealth of their intrusions."
        https://cloud.google.com/blog/topics/threat-intelligence/disrupting-gridtide-global-espionage-campaign
        https://thehackernews.com/2026/02/google-disrupts-unc2814-gridtide.html
        https://www.securityweek.com/google-disrupts-chinese-cyberespionage-campaign-targeting-telecoms-governments/
        https://www.theregister.com/2026/02/25/google_and_friends_disrupt_unc2814/
      • Cyber Intel Brief: Scattered Lapsus$ Hunters (SLH) Kicks Off Campaign To Recruit Women
        "On February 22, 2026, Dataminr detected activity on a public Telegram board indicating that the Scattered Lapsus$ Hunters (SLH) hacking collective is recruiting women for an upcoming vishing-based social engineering campaign. The group is offering to pay recruited individuals $500 to $1,000 upfront per call and promises to provide the necessary scripts for the operation. This recruitment drive represents a calculated evolution in SLH’s tactics. By specifically seeking female voices, the group likely aims to bypass the “traditional” profiles of attackers that IT help desk staff may be trained to identify, thereby increasing the effectiveness of their impersonation efforts."
        https://www.dataminr.com/resources/intel-brief/slh-recruiting-women-for-vishing/
        https://thehackernews.com/2026/02/slh-offers-5001000-per-call-to-recruit.html
      • Four Malicious NuGet Packages Target ASP.NET Developers With JIT Hooking And Credential Exfiltration
        "Socket's Threat Research Team discovered a NuGet supply chain attack involving four malicious packages targeting ASP.NET web application developers. The campaign deploys a multi-stage payload where NCryptYo acts as a stage-1 dropper that establishes a local proxy on localhost:7152, while companion packages DOMOAuth2_ and IRAOAuth2.0 exfiltrate ASP.NET Identity data (user accounts, role assignments, permission mappings) and accept threat actor-controlled authorization rules that create persistent backdoors in victim applications. SimpleWriter_ adds unconditional file writing and hidden process execution to the toolkit. All four packages were published between August 12-21, 2024 by threat actor hamzazaheer. Together, these packages have accumulated a little over 4,500 downloads so far. We've submitted takedown requests to the NuGet security team."
        https://socket.dev/blog/four-malicious-nuget-packages-target-asp-net-developers-with-jit-hooking-and-credential
        https://thehackernews.com/2026/02/malicious-nuget-packages-stole-aspnet.html
      • Understanding The DarkCloud Infostealer
        "Infostealers continue to dominate the initial access landscape in 2026, lowering the barrier to breach through scalable credential theft. DarkCloud illustrates how low-cost, commercialized malware is reshaping the initial access landscape. First observed in 2022 and attributed to a developer known as “Darkcloud Coder” (formerly “BluCoder” on Telegram), DarkCloud is openly sold through Telegram and a clearnet storefront with subscription tiers starting at just US$30. Despite being marketed as “surveillance software,” its technical focus is unmistakable: high-volume credential harvesting and structured data exfiltration across browsers, email clients, financial data, and contact networks."
        https://flashpoint.io/blog/understanding-darkcloud-infostealer/
      • Apache ActiveMQ Exploit Leads To LockBit Ransomware
        "A threat actor exploited CVE-2023-46604 on an internet-facing Apache ActiveMQ server. Despite being evicted after the initial intrusion, they successfully breached the same server on a second occasion 18 days later. After compromising the server, the threat actor used Metasploit, possibly along with Meterpreter, to perform post-exploitation activities. These activities included escalating privileges, accessing LSASS process memory, and moving laterally across the network. After regaining access following their eviction, the threat actor swiftly transitioned to deploying ransomware. They leveraged credentials extracted during their previous breach to deploy LockBit ransomware via RDP."
        https://thedfirreport.com/2026/02/23/apache-activemq-exploit-leads-to-lockbit-ransomware/

      Breaches/Hacks/Leaks

      • Medical Device Maker UFP Technologies Warns Of Data Stolen In Cyberattack
        "American manufacturer of medical devices, UFP Technologies, has disclosed that a cybersecurity incident has compromised its IT systems and data. UFP Technologies is a publicly traded medical engineering and manufacturing company that produces a broad range of devices and components used in surgery, wound care, implants, orthopedic applications, and healthcare wearables. The company employs 4,300 people, has an annual revenue of $600 million, and a market cap of $1.86 billion, according to recent data."
        https://www.bleepingcomputer.com/news/security/medical-device-maker-ufp-technologies-warns-of-data-stolen-in-cyberattack/
        https://therecord.media/ufp-technologies-medical-devices-sec-filing-cyberattack
        https://www.bankinfosecurity.com/medical-device-maker-reports-data-theft-hack-to-sec-a-30847
        https://www.securityweek.com/medical-device-maker-ufp-technologies-hit-by-cyberattack/
      • Canadian Tire Data Breach
        "In October 2025, retailer Canadian Tire was the victim of a data breach that exposed almost 42M records. The data contained 38M unique email addresses along with names, phone numbers and physical addresses. Passwords were stored as PBKDF2 hashes and for a subset of records, dates of birth and partial credit card data were also included (card type, expiry and masked card number). In its disclosure notice, Canadian Tire advised that the incident did not impact bank account information or loyalty program data."
        https://haveibeenpwned.com/Breach/CanadianTire

      General News

      • Ex-L3Harris Exec Jailed For Selling Zero-Days To Russian Exploit Broker
        "The former head of Trenchant, a specialized U.S. defense contractor unit, was sentenced Tuesday to more than seven years in federal prison for stealing and selling zero-day exploits to a Russian exploit broker whose clients include the Russian government. 39-year-old Australian national Peter Williams served as the general manager of Trenchant, a cybersecurity unit of defense contractor L3Harris that develops surveillance tools and zero-day exploits for the U.S. government and its Five Eyes intelligence partners."
        https://www.bleepingcomputer.com/news/security/ex-l3harris-exec-jailed-for-selling-zero-days-to-russian-exploit-broker/
        https://thehackernews.com/2026/02/defense-contractor-employee-jailed-for.html
        https://www.helpnetsecurity.com/2026/02/25/peter-williams-l3harris-executive-sentenced-trade-secrets-theft-russia/
        https://www.infosecurity-magazine.com/news/defense-contractor-boss-7-years/
        https://securityaffairs.com/188482/intelligence/former-u-s-defense-contractor-executive-sentenced-for-selling-zero-day-exploits-to-russian-broker-operation-zero.html
        https://www.securityweek.com/ex-us-defense-contractor-executive-jailed-for-selling-exploits-to-russia/
        https://www.theregister.com/2026/02/25/former_l3harris_exec_jailed/
      • Airline Brands Become Launchpads For Phishing, Crypto Fraud
        "Airline brands sit at the center of peak travel booking cycles, loyalty programs, and high value transactions. Criminal groups continue to register thousands of lookalike domains tied to these brands, targeting travelers, employees, and business partners. Recent threat intelligence from BforeAI’s PreCrime Labs identifies sustained impersonation activity across the global commercial airline sector."
        https://www.helpnetsecurity.com/2026/02/25/airline-phishing-campaigns-crypto-fraud/
      • Beyond Borders: How Threat Intelligence Provenance Can Save Global Cybersecurity From Geopolitical Fragmentation
        "In mid-January 2026, the Chinese government allegedly announced a sweeping ban on cybersecurity software from more than a dozen U.S. and Israeli firms, including industry giants like Palo Alto Networks, CrowdStrike, and Check Point. The stated reason: concerns that foreign software could collect and transmit confidential information abroad. This move represents more than just another salvo in ongoing tech tensions between the two governments. It threatens to fracture a foundational practice of internet cybersecurity: the global threat intelligence ecosystem that allows defenders worldwide to collect, analyze, and share information about emerging attacks and responses to cyber threats that know no borders."
        https://www.internetgovernance.org/2026/02/23/beyond-borders-how-threat-intelligence-provenance-can-save-global-cybersecurity-from-geopolitical-fragmentation/
        https://www.theregister.com/2026/02/25/threat_intelligence_supply_chain_research/
      • 2026 VulnCheck Exploit Intelligence Report
        "In 2025, barely 1% of disclosed vulnerabilities were exploited in the wild. Yet those that were exploited were operationalized quickly, attracted diverse threat actors, and often caused outsized damage before organizations had a chance to respond. This report identifies which vulnerabilities mattered, why attackers targeted them, and where timing failures left organizations exposed."
        https://wwv.vulncheck.com/2026-vulncheck-exploit-intelligence-report
        https://cyberscoop.com/vulncheck-exploited-vulnerabilities-report-2025/
      • The Post-RAMP Era: Allegations, Fragmentation, And The Rebuilding Of The Ransomware Underground
        "The January 2026 seizure of RAMP disrupted a major ransomware coordination hub, but it did not dismantle the ecosystem behind it. Instead, it destabilized trust and accelerated fragmentation across the underground. Rather than consolidating around a single successor, ransomware actors are redistributing across both gated platforms like T1erOne and accessible forums such as Rehub. This shift reflects adaptation, not decline. For defenders, visibility into centralized coordination is shrinking. Monitoring must evolve beyond tracking individual forums to identifying actor migration, recruitment signals, and early indicators of regrouping. Disruption rarely eliminates ecosystems; it reshapes them. Organizations that adapt their intelligence strategies accordingly will be best positioned to stay ahead."
        https://www.rapid7.com/blog/post/tr-post-ramp-allegations-fragmentation-ransomware-underground-rebuild/
        https://www.darkreading.com/threat-intelligence/ramp-forum-seizure-fractures-ransomware-ecosystem
      • Why 'Call This Number' TOAD Emails Beat Gateways
        "While much of the conversation surrounding phishing concerns not clicking a suspicious link or downloading a malicious attachment, there's an attack technique gaining prominence in which the email payload consists of nothing but a phone number. And these emails are getting past defenses. Researchers from email security vendor StrongestLayer today published an analysis of roughly 5,000 email-based threat detections that bypassed secure email gateways across multiple enterprise environments between December 2025 and now."
        https://www.darkreading.com/threat-intelligence/why-call-this-number-toad-emails-beat-gateways
        https://www.strongestlayer.com/white-paper/enterprise-phishing-evasion-techniques-2026
      • Autonomous Endpoint Management Isn’t Just Efficiency, It’s a Security Imperative
        "We are looking at a math problem that no longer balances. On one side, CrowdStrike’s 2025 Global Threat Report pegs the average eCrime breakout time at 48 minutes, with the fastest intrusion clocking in at 51 seconds. On the other side, the 2025 Verizon DBIR shows edge device remediation dragging out to a median of 32 days. That disconnect represents the biggest liability in cybersecurity today. Exposure time has graduated from an operational KPI to a defining security metric."
        https://hackread.com/autonomous-endpoint-management-security-imperative/
      • The Blast Radius Problem: Stolen Credentials Are Weaponizing Agentic AI
        "Weak access controls, AI confusion, and the interconnection of business continue to expand Threat. More than half (56%) of the 400,000 vulnerabilities IBM X-Force tracked in 2025 required no authentication before exploitation. This is revealed in the X-Force 2025 Threat Intelligence Index. The report also highlights the continuing success of infostealer credential theft, pointing to the discovery of 300,000 ChatGPT credentials on the dark web (almost certainly stolen by infostealers)."
        https://www.securityweek.com/the-blast-radius-problem-stolen-credentials-are-weaponizing-agentic-ai/
        https://www.infosecurity-magazine.com/news/app-exploits-surge-ai-speeds/
      • Moscow Man Accused Of Posing As FSB Officer To Extort Conti Ransomware Gang
        "A Moscow resident has been accused of trying to extort money from the notorious Conti ransomware group by posing as an officer of Russia’s Federal Security Service (FSB), according to local media reports. Russian outlet RBC, citing sources familiar with the investigation, reported on Wednesday that the suspect, Ruslan Satuchin, allegedly presented himself as an FSB officer and demanded a large payment from Conti members in exchange for avoiding criminal prosecution."
        https://therecord.media/moscow-man-accused-of-extorting-conti-gang

      Reference
      Electronic Transactions Development Agency (ETDA)

      Posted in Cyber Security News
      NCSA_THAICERT
    • Cyber Threat Intelligence 25 February 2026

      Healthcare Sector

      • Digital Risk Is Now a Clinical Challenge
        "The recent breach of New Zealand's ManageMyHealth patient portal exposed sensitive information from roughly 120,000 people, making it one of the country's most significant healthcare privacy incidents. For affected patients, the consequences are deeply personal and potentially lifelong. Unlike a stolen credit card, you can't reset your medical history."
        https://www.bankinfosecurity.com/blogs/digital-risk-now-clinical-challenge-p-4051

      Industrial Sector

      • Bring The Fight To The Edge: Turning Time Into An Advantage In OT Security
        "Industrial organizations are facing a growing paradox in cybersecurity. While operational technology (OT) environments are increasingly connected, most security strategies still assume threats will only materialize once attackers reach the plant floor. In reality, attacks that disrupt industrial operations rarely begin in OT environments. They originate upstream, progress over time and frequently exploit the persistent assumption of isolation. This shift fundamentally changes how defenders must think about visibility, detection and response across Information Technology (IT) and OT domains."
        https://unit42.paloaltonetworks.com/ot-edge-security/
        https://www.paloaltonetworks.com/resources/whitepapers/securing-ot-environments

      New Tooling

      • Explore, Analyse And Correlate Malware At Scale With Azul
        "The Australian Signals Directorate (ASD) has publicly released its open‑source malware analysis tool called Azul. Azul enables government and private sector partners to collaborate on threat understanding, quickly identify common malware behaviours, and improve the speed and precision of response activities."
        https://www.cyber.gov.au/about-us/view-all-content/news/explore-analyse-and-correlate-malware-at-scale-with-azul
        https://www.cyber.gov.au/business-government/detecting-responding-to-threats/cyber-security-incident-response/azul-malware-analysis-tool
        https://github.com/AustralianCyberSecurityCentre/azul

      Vulnerabilities

      • Critical SolarWinds Serv-U Flaws Offer Root Access To Servers
        "SolarWinds has released security updates to patch four critical Serv-U remote code execution vulnerabilities that could grant attackers root access to unpatched servers. Serv-U is the company's self-hosted Windows and Linux file transfer software that comes with both Managed File Transfer (MFT) and FTP server capabilities, enabling organizations to securely exchange files via FTP, FTPS, SFTP, and HTTP/S. The most severe of the four security flaws patched by SolarWinds today in Serv-U 15.5.4 is tracked as CVE-2025-40538, and it allows attackers with high privileges to gain root or admin permissions on vulnerable servers."
        https://www.bleepingcomputer.com/news/security/critical-solarwinds-serv-u-flaws-offer-root-access-to-servers/
        https://documentation.solarwinds.com/en/success_center/servu/content/release_notes/servu_15-5-4_release_notes.htm
        https://securityaffairs.com/188454/hacking/solarwinds-patches-four-critical-serv-u-flaws-enabling-root-access.html
        https://www.theregister.com/2026/02/24/patch_these_4_critical_makemeroot/
      • CISA Adds One Known Exploited Vulnerability To Catalog
        "CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
        CVE-2026-25108 Soliton Systems K.K. FileZen OS Command Injection Vulnerability"
        https://www.cisa.gov/news-events/alerts/2026/02/24/cisa-adds-one-known-exploited-vulnerability-catalog
      • VMware Aria Operations Vulnerability Could Allow Remote Code Execution
        "Broadcom has released patches for several vulnerabilities affecting VMware Aria Operations, including high-severity flaws. The most important of the newly patched vulnerabilities based on CVSS score (8.1) is CVE-2026-22719, a command injection issue that can be exploited by an unauthenticated attacker. “A malicious unauthenticated actor may exploit this issue to execute arbitrary commands which may lead to remote code execution in VMware Aria Operations while support-assisted product migration is in progress,” Broadcom explained in its advisory."
        https://www.securityweek.com/vmware-aria-operations-vulnerability-could-allow-remote-code-execution/
        https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36947
        https://securityaffairs.com/188445/security/vmware-aria-operations-flaws-could-enable-remote-attacks.html
      • Astro Full-Read SSRF Via Host Header Injection
        "Astro is a JavaScript frontend and backend framework in use by many large organizations for making website development much easier. Recently, one of the agents in our Aikido Attack product identified a medium-severity vulnerability in the server-side implementation of this framework. It made any servers directly accessible by the attacker vulnerable to Server-Side Request Forgery (SSRF)."
        https://www.aikido.dev/blog/astro-full-read-ssrf-via-host-header-injection

      Malware

      • SURXRAT: Android RAT Downloads Large LLM Module From Hugging Face To Impact Device Performance
        "SURXRAT is an actively developed Android Remote Access Trojan (RAT) commercially distributed through a Telegram-based malware-as-a-service (MaaS) ecosystem under the SURXRAT V5 branding. The malware is marketed using structured reseller and partner licensing tiers, allowing affiliates to generate and distribute customized builds while the operator maintains centralized infrastructure and operational control. This distribution model reflects the increasing professionalization of the Android threat landscape, where malware developers focus on scalability and monetization through affiliate-driven campaigns."
        https://cyble.com/blog/surxrat-downloads-large-llm-module-from-hugging-face/
      • Refund Scam Impersonates Avast To Harvest Credit Card Details
        "A fraudulent website dressed in Avast’s brand is tricking French-speaking users into handing over their full credit card details—card number, expiry date, and three-digit security code—under the cover story of processing a €499.99 refund that was never owed to them. The operation combines live chat “support,” a hardcoded alarming transaction amount, and a convincing replica of Avast’s visual identity to create urgency and harvest payment data at scale."
        https://www.malwarebytes.com/blog/threat-intel/2026/02/refund-scam-impersonates-avast-to-harvest-credit-card-details
      • 1Campaign: A New Cloaking Platform Helping Attackers Abuse Google Ads
        "Varonis Threat Labs uncovered 1Campaign, a full-service cloaking platform built to help threat actors run malicious Google Ads at scale. The tool passes Google's screening, filters out security researchers, and keeps phishing and crypto drainer pages online for as long as possible, funneling real users to attacker-controlled sites. The developer behind it, operating under the handle DuppyMeister, has been maintaining the platform for over three years with dedicated Telegram channels for support. It combines real-time visitor filtering, fraud scoring, geographic targeting, and a bot guard script generator into a single dashboard."
        https://www.varonis.com/blog/1campaign
        https://www.bleepingcomputer.com/news/security/1campaign-platform-helps-malicious-google-ads-evade-detection/
      • North Korean Lazarus Group Now Working With Medusa Ransomware
        "North Korean state-backed attackers are now using the Medusa ransomware and are continuing to mount extortion attacks on the U.S. healthcare sector. North Korea has long been involved in ransomware attacks and has been previously associated with the Maui and Play ransomware families. However, the Symantec and Carbon Black Threat Hunter Team has uncovered evidence North Korean actors using Medusa in an attack on a target in the Middle East. The same attackers also mounted an unsuccessful attack against a healthcare organization in the U.S."
        https://www.security.com/threat-intelligence/lazarus-medusa-ransomware
        https://www.bleepingcomputer.com/news/security/north-korean-lazarus-group-linked-to-medusa-ransomware-attacks/
        https://thehackernews.com/2026/02/lazarus-group-uses-medusa-ransomware-in.html
        https://www.darkreading.com/cyberattacks-data-breaches/lazarus-group-new-position-medusa-ransomware
        https://therecord.media/north-korean-hackers-using-medusa-ransomware
        https://www.bankinfosecurity.com/north-korean-hackers-continue-to-target-us-healthcare-a-30832
        https://www.infosecurity-magazine.com/news/north-korean-lazarus-group-medusa/
        https://www.theregister.com/2026/02/24/north_koreas_lazarus_group_healthcare_medusa_ransomware/
      • Diesel Vortex: Inside The Russian Cybercrime Group Targeting US & EU Freight
        "In February 2026, Have I Been Squatted, in joint collaboration with Ctrl-Alt-Intel, uncovered a sophisticated criminal phishing operation run by a Russian threat actor group we are designating Diesel Vortex. The group spent at least five months systematically targeting freight and logistics companies across the United States and Europe, stealing over 1,600 unique login credentials from users of major logistics platforms including DAT Truckstop, Penske Logistics, Electronic Funds Source (EFS), and Timocom. Telegram webhook logs recovered from the platform show Armenian-language coordination among operators, indicating an Armenian-speaking component alongside the Russian infrastructure ties."
        https://haveibeensquatted.com/blog/diesel-vortex-inside-the-russian-cybercrime-group-targeting-us-eu-freight
        https://www.bleepingcomputer.com/news/security/phishing-campaign-targets-freight-and-logistics-orgs-in-the-us-europe/
        https://therecord.media/phishing-operation-russia-armenia-targeting-us-european-cargo
      • Punchbowl Phishing Attack Explained: How Digital Invites Are Used To Steal Credentials
        "In today's digital age, receiving online invitations to events has become commonplace. Sending and receiving invites has never been more convenient. However, not all electronic invitations are as trustworthy as they may appear. Punchbowl and Paperless Post are two of the largest digital invitation platforms, enabling individuals and organizations to create customized invitations, track RSVPs, and send event updates. Unfortunately, these trusted platforms also provide threat actors with an opportunity to exploit brand familiarity, particularly during certain seasons when digital invitations surge."
        https://cofense.com/blog/punchbowl-phishing-attack-explained-how-digital-invites-are-used-to-steal-credentials
      • ZeroDayRAT: A Next-Generation Mobile Espionage And Financial Theft Platform
        "The MaaS (Malware as a Service) model continues to evolve in the world of cybercrime. This new mobile spyware platform, dubbed “ZeroDayRAT” and examined by Cyberthint researchers, allows anyone without technical expertise to become an advanced cyber spy. Actively marketed through Telegram channels since February 2, 2026, this platform targets Android and iOS devices, combining real-time surveillance with direct financial theft within a single browser panel."
        https://cyberthint.io/zerodayrat-a-next-generation-mobile-espionage-and-financial-theft-platform/
        https://hackread.com/zerodayrat-malware-monitoring-android-ios-devices/
      • Fake Zoom Meeting “update” Silently Installs Surveillance Software
        "A fake Zoom meeting website is silently pushing surveillance software onto Windows machines. Visitors land on a convincing imitation of a Zoom video call. Moments later, an automatic “Update Available” countdown downloads a malicious installer—without asking for permission. The software being installed is a covert build of Teramind, a commercial monitoring tool companies use to record what employees do on work computers. In this campaign, it is being quietly dropped onto the machines of ordinary people who thought they were joining a meeting."
        https://www.malwarebytes.com/blog/scams/2026/02/fake-zoom-meeting-update-silently-installs-surveillance-software
      • RoguePilot: Exploiting GitHub Copilot For a Repository Takeover
        "We forced GitHub to prompt-inject itself. It allowed us to control Copilot’s responses and exfiltrate Codespaces’ GITHUB_TOKEN secret. The end result was a repository takeover. This vulnerability is a type of Passive Prompt Injection, where malicious instructions are embedded in data, content, or environments that the model later processes automatically, without any direct interaction from the attacker."
        https://orca.security/resources/blog/roguepilot-github-copilot-vulnerability/
        https://thehackernews.com/2026/02/roguepilot-flaw-in-github-codespaces.html
        https://www.securityweek.com/github-issues-abused-in-copilot-attack-leading-to-repository-takeover/
      • Mercenary Akula Hits Ukraine-Supporting Financial Institution
        "BlueVoyant’s Security Operations Center (BVSOC) recently identified and responded to a targeted social engineering attack on a European financial institution involved in regional development and reconstruction initiatives. The attack exhibits hallmarks of activity attributed to the Russia-aligned Mercenary Akula (tracked by CERT UA as UAC-0050), a financially motivated mercenary entity also linked to cyber espionage and psychological operations. The attack spoofed a Ukrainian judicial domain to deliver an email containing a link to a remote access payload. The target was a senior legal and policy advisor involved in procurement, a role with privileged insight into institutional operations and financial mechanisms."
        https://www.bluevoyant.com/blog/mercenary-akula-hits-financial-institution
        https://thehackernews.com/2026/02/uac-0050-targets-european-financial.html
      • UnsolicitedBooker Targets Central Asian Telecoms With LuciDoor And MarsSnake Backdoors
        "The threat activity cluster known as UnsolicitedBooker has been observed targeting telecommunications companies in Kyrgyzstan and Tajikistan, marking a shift from prior attacks aimed at Saudi Arabian entities. The attacks involve the deployment of two distinct backdoors codenamed LuciDoor and MarsSnake, according to a report published by Positive Technologies last week. "The group used several unique and rare instruments of Chinese origin," researchers Alexander Badaev and Maxim Shamanov said."
        https://thehackernews.com/2026/02/unsolicitedbooker-targets-central-asian.html
      • UAE Claims It Stopped ‘terrorist’ Ransomware Attack
        "The United Arab Emirates said it stopped a ransomware attack this weekend that allegedly targeted the country’s digital infrastructure. The country’s Cyber Security Council published a statement on Saturday that said they “successfully thwarted organized cyberattacks of a terrorist nature that targeted the country’s digital infrastructure and vital sectors in an attempt to destabilize the nation and disrupt essential services.”"
        https://therecord.media/uae-claims-it-stopped-terrorist-ransomware-attack
      • Fake Homebrew Typosquats Used To Deliver Cuckoo Stealer Via ClickFix
        "ClickFix has become a reliable trick for attackers who don't want to fight the operating system. Instead of exploiting software, they exploit habits. A fake web page shows what looks like a normal installation command. The user clicks "Copy," pastes it into Terminal, and the attack runs with the victim's own hands. In this case, the lure was Homebrew. We started with a single typosquatted domain and pivoted outward using Hunt.io. What looked like one fake install page turned out to be a coordinated infrastructure cluster delivering a credential-harvesting loader and a second-stage macOS infostealer we've designated Cuckoo Stealer."
        https://hunt.io/blog/fake-homebrew-clickfix-cuckoo-stealer-macos
      • 2025: The Untold Stories Of Check Point Research
        "Check Point Research (CPR) continuously tracks threats, following the clues that lead to major players and incidents in the threat landscape. Whether it’s high-end financially-motivated campaigns or state-sponsored activity, our focus is to figure out what the threat is, report our findings to the relevant parties, and make sure Check Point customers stay protected. Some of our work naturally makes it into the spotlight through public reports and deep blog posts. However, a large portion of what we uncover remains in the shadows but is used on a day-to-day basis to improve protections, connect the dots between incidents, and keep a watchful eye on known threat actors and infrastructure."
        https://research.checkpoint.com/2026/2025-the-untold-stories-of-check-point-research/

      Breaches/Hacks/Leaks

      • Wynn Resorts Confirms Employee Data Breach After Extortion Threat
        "Wynn Resorts has confirmed that a hacker stole employee data from its systems after the company was listed on the ShinyHunters extortion gang's data leak site. In a statement shared today, the company said it activated its incident response procedures and launched an investigation, with assistance from external cybersecurity experts, after discovering the breach. "We have learned that an unauthorized third party acquired certain employee data," reads a statement shared with BleepingComputer."
        https://www.bleepingcomputer.com/news/security/wynn-resorts-confirms-employee-data-breach-after-extortion-threat/
      • ShinyHunters Extortion Gang Claims Odido Breach Affecting Millions
        "The ShinyHunters extortion gang has claimed responsibility for breaching Dutch telecommunications provider Odido and stealing millions of user records from its compromised systems. Odido is one of the largest telecommunications companies in the Netherlands and offers mobile, broadband, and television services to millions of customers nationwide. The company disclosed the breach on February 12, revealing that attackers downloaded the personal data of many of its users after gaining access to its customer contact system on February 7. However, Odido added that no Mijn Odido passwords, call details, location, data, billing data, or scans of identity documents were exposed during the incident."
        https://www.bleepingcomputer.com/news/security/shinyhunters-extortion-gang-claims-odido-breach-affecting-millions/

      General News

      • Security And Complexity Slow The Next Phase Of Enterprise AI Agent Adoption
        "Enterprise AI agents are embedded in routine business processes, particularly inside engineering and IT operations. Many organizations report active production deployments, and agent development ranks high on strategic agendas. A new study from Docker, The State of Agentic AI Report, examines how enterprises are deploying agentic systems and the challenges emerging as deployments scale. The data shows that 60% of organizations run AI agents in production environments. Nearly all describe building agents as a strategic priority."
        https://www.helpnetsecurity.com/2026/02/24/ai-agents-business-processes-security-complexity/
      • Faking It On The Phone: How To Tell If a Voice Call Is AI Or Not
        "There was a time when we could believe everything we saw and heard. Unfortunately, those days are probably long gone. Generative AI (GenAI) has democratized the creation of deepfake audio and video, to the point where generating a fabricated clip is as easy as pushing a button or two. This is bad news for everyone, including businesses. Deepfakes are helping scammers bypass Know Your Customer and account authentication checks. They can even enable malicious state actors to masquerade as job candidates. But arguably the biggest threat they pose is financial/wire transfer fraud and the hijacking of executive accounts."
        https://www.welivesecurity.com/en/business-security/faking-it-phone-how-tell-voice-call-ai/
      • CrowdStrike Says Attackers Are Moving Through Networks In Under 30 Minutes
        "Cyberattacks reached victims faster and came from a wider range of threat groups than ever last year, CrowdStrike said in its annual global threat report released Tuesday, adding that cybercriminals and nation-states increasingly relied on predictable tactics to evade detection by exploiting trusted systems. The average breakout time — how long it took financially-motivated attackers to move from initial intrusion to other network systems — dropped to 29 minutes in 2025, a 65% increase in speed from the year prior. “The fastest breakout time a year ago was 51 seconds. This year it’s 27 seconds,” Adam Meyers, head of counter adversary operations at CrowdStrike, told CyberScoop."
        https://cyberscoop.com/crowdstrike-annual-global-threat-report-attack-breakout-time/
        https://www.crowdstrike.com/explore/2026-global-threat-report
        https://www.darkreading.com/cyber-risk/attackers-now-need-just-29-minutes-to-own-a-network
        https://www.infosecurity-magazine.com/news/ai-powered-cyberattacks-up/
      • Why SOCs Are Moving Toward Autonomous Security Operations In 2026
        "The modern security operations center faces a crisis of scale that human effort cannot fix. With alert volumes exponentially growing and threat actors automating their attacks, organizations must pivot to autonomous SOC strategies. This shift to AI-driven defense is the only way to survive the operational realities of 2026."
        https://www.helpnetsecurity.com/2026/02/24/socs-autonomous-security-operations-strategies/
      • AI Is Becoming Part Of Everyday Criminal Workflows
        "Underground forums include long threads about chatbots drafting phishing emails, generating code snippets, and coaching social engineering calls. A new study examined conversations captured between January 1, 2025 and July 31, 2025 across dozens of cybercrime forums to map how AI tools are entering day to day criminal operations."
        https://www.helpnetsecurity.com/2026/02/24/ai-in-cybercrime-research/
        https://arxiv.org/pdf/2602.14783
      • January 2026 Threat Trend Report On APT Attacks (South Korea)
        "Ahnlabs is monitoring APT (Advanced Persistent Threat) attacks in South Korea by utilizing their own infrastructure. This report covers the classification, statistics, and features of APT attacks in South Korea that were identified in January 2026."
        https://asec.ahnlab.com/en/92685/
      • Nowhere, Man: The 2026 Active Adversary Report
        "In a world where so much changes rapidly, it can be interesting and informative to identify when things stay the same. Throughout 2025 many people claimed — as they have for a couple of years now — that this was going to be the year in which AI was going to make a meaningful difference in the threat landscape. Aside from some provable uses of AI to supercharge phishing and other social scams, and a fair number of overdramatic headlines, it just didn't happen. This year’s Active Adversary Report details what happened instead — including a change that does demand your attention."
        https://www.sophos.com/en-us/blog/2026-sophos-active-adversary-report
        https://www.bankinfosecurity.com/hackers-gain-speed-major-new-tradecraft-using-ai-tools-a-30838
      • As Cybersecurity Firms Chase AI, VC Market Skyrockets
        "The cybersecurity venture capital market experienced unprecedented activity in 2025, driven primarily by the rush to AI-native security solutions and a massive surge in mergers and acquisitions that reached record levels. In 2025, VC firms invested $119 billion in cybersecurity businesses, with 400 M&A transactions accounting for the majority of funding and another 820 financing deals totaling nearly $21 billion, according to data from Momentum Cyber, a cybersecurity investment bank. The total value of M&A, financing, and IPO activity in 2025 nearly tripled that of deals in the previous year."
        https://www.darkreading.com/cybersecurity-analytics/cybersecurity-firms-chase-ai-vc-market-skyrockets
      • More Than Dashboards: AI Decisions Must Be Provable
        "Enterprise leaders are asking a blunt question about artificial intelligence (AI) systems: What did it actually do? Not what it was designed to do. Not what the dashboard says it usually does. But what actually happened at the moment the system acted. As AI systems are deployed into regulated and high-risk environments, that question stops being theoretical. Boards, auditors, and regulators increasingly expect organizations to account for specific AI decisions, not just overall performance or intent."
        https://www.darkreading.com/cyber-risk/more-dashboards-ai-decisions-provable
      • Cost Of Insider Incidents Surges 20% To Nearly $20m
        "Employee negligence driven by shadow AI cost organizations more than any other type of insider risk last year, accounting for 53% of the $19.5m lost on average per business, according to DTEX. The security vendor’s Cost of Insider Risks 2026 report was produced by the Ponemon Institute and based on interviews with 8750 IT and security practitioners in 354 global organizations. Malicious incidents such as sabotage, data theft, fraud and unauthorized disclosure accounted for 27% ($4.7m) of the total lost to insider risks last year, DTEX claimed."
        https://www.infosecurity-magazine.com/news/cost-of-insider-incidents-surges/
      • AI Accelerates Attacker Breakout Time To Just Four Minutes
        "AI is helping threat actors to accelerate attacks, but it can also empower incident responders to quickly contain threats, ReliaQuest has claimed in a new report. The firm's Annual Cyber-Threat Report 2026 is based on an analysis of customer incidents. It found that breakout time last year took on average just 34 minutes; 29% quicker than in 2024. The fastest ever recorded time taken from access to lateral movement was just four minutes – 85% faster than the year before. The fastest recorded exfiltration time was just six minutes; down from 4 hours 29 minutes in 2024."
        https://www.infosecurity-magazine.com/news/ai-accelerates-attack-breakout/
        https://reliaquest.com/campaigns/annual-threat-report-2026/
      • US ‘committed’ To Fighting Transnational Gangs Behind Southeast Asian Scam Compounds: FBI
        "The U.S. is “fully committed to leading the global fight” against the transnational criminal networks that have set up scamming compounds throughout Southeast Asia, a senior FBI official said Tuesday. Scott Schelble, the deputy assistant director of the FBI’s International Operations Division, told reporters that he recently met with law enforcement officials in Thailand, Cambodia and Vietnam to discuss the region’s scam operations."
        https://therecord.media/us-committed-to-fighting-southeast-asia-scam-compounds
      • Turn Dependabot Off
        "Dependabot is a noise machine. It makes you feel like you’re doing work, but you’re actually discouraging more useful work. This is especially true for security alerts in the Go ecosystem. I recommend turning it off and replacing it with a pair of scheduled GitHub Actions, one running govulncheck, and the other running your test suite against the latest version of your dependencies."
        https://words.filippo.io/dependabot/
        https://www.theregister.com/2026/02/24/github_dependabot_noise_machine/
      • 2026 GreyNoise State Of The Edge Report: Where Attacks Concentrate And Defenses Fall Short
        "GreyNoise analyzed 2.97 billion sessions over 162 days in H2 2025, and the patterns reveal where edge defenses hold up — and where they fall short. The data exposes specific concentration points in VPN targeting, infrastructure sourcing, and exploitation behavior that challenge conventional defensive assumptions."
        https://www.greynoise.io/blog/2026-greynoise-state-of-the-edge-report-where-attacks-concentrate-defenses-fall-short

      Reference
      Electronic Transactions Development Agency (ETDA)

      Posted in Cyber Security News
      NCSA_THAICERT
    • Cyber Threat Intelligence 24 February 2026

      New Tooling

      • Coroot: Open-Source Observability And APM Tool
        "Coroot is an open-source observability and application performance monitoring tool. The core software, published in Go and accompanied by companion repositories such as coroot-node-agent, focuses on collecting telemetry data across systems. It uses extended Berkeley Packet Filter (eBPF) technology to gather metrics and trace inter-service communications without manual instrumentation of application code. Coroot collects standard observability signals that engineering teams rely on. The software aggregates metrics, logs, traces, and continuous profiling data and makes them available in dashboards and structured views. Users can track service health, follow request paths through service maps, and examine performance profiles down to CPU and memory behavior over time."
        https://www.helpnetsecurity.com/2026/02/23/coroot-open-source-observability-apm-tool/
        https://github.com/coroot/coroot

      Vulnerabilities

      • Android Mental Health Apps With 14.7M Installs Filled With Security Flaws
        "Several mental health mobile apps with millions of downloads on Google Play contain security vulnerabilities that could expose users’ sensitive medical information. In one of the apps, security researchers discovered more than 85 medium- and high-severity vulnerabilities that could be exploited to compromise users’ therapy data and privacy. Some of the products are AI companions designed to help people suffering from clinical depression, multiple forms of anxiety, panic attacks, stress, and bipolar disorder."
        https://www.bleepingcomputer.com/news/security/android-mental-health-apps-with-147m-installs-filled-with-security-flaws/

      Malware

      • PII Pillage: How Attackers Use BitPanda To Plunder Credentials
        "Given cryptocurrency’s rise in popularity, it has slowly worked its way into the mainstream economy. Coins such as Bitcoin, Ethereum, Sol, and other digital currencies are commonly used in place of traditional currencies to complete transactions. To help manage transactions, an individual will need brokerage apps and services to ensure a safe, smooth, and secure money flow. But what happens when a new method of payment becomes mainstream? Attackers will try to find a way to exploit these systems and take advantage of individuals."
        https://cofense.com/blog/pii-pillage-how-attackers-use-bitpanda-to-plunder-credentials
      • New Large-Scale OpenClaw Malware Campaign Spreading On ClawHub
        "OpenGuardrails has identified a new, rapidly spreading malware campaign targeting the OpenClaw ecosystem through the ClawHub skill community."
        https://openguardrails.com/blog/clawhub-trojan-liucomment-malware-campaign
        https://www.helpnetsecurity.com/2026/02/23/clawhub-malicious-comment-infostealer/
      • From ‘svchoss’ To P(a)yday
        "Alertness and vigilance are crucial in cybersecurity. When repeating this truism, most of us think about social engineering attacks and educating the user how to recognize a phishing mail or a scam call. However, an attentive user can also provide valuable insights on a more technical aspect. A recent incident response case was started when the user noticed "strange black windows" on the desktop and took screenshots of them. This was accompanied by PayPal transfers from the user's account, not authorized by the user."
        https://www.secuinfra.com/en/techtalk/from-svchoss-to-payday/
        https://www.infosecurity-magazine.com/news/fraud-investigation-python-malware/
      • Fake Huorong Security Site Infects Users With ValleyRAT
        "A convincing lookalike of the popular Huorong Security antivirus has been used to deliver ValleyRAT, a sophisticated Remote Access Trojan (RAT) built on the Winos4.0 framework, to users who believed they were improving their security. The campaign, attributed to the Silver Fox APT group—a Chinese-speaking threat group known for distributing trojanized versions of popular Chinese software—uses a typosquatted domain to serve a trojanized NSIS installer that deploys a full-featured backdoor with advanced user-mode stealth and injection capabilities."
        https://www.malwarebytes.com/blog/scams/2026/02/huorong
      • Built On ClawHub, Spread On Moltbook: The New Agent-To-Agent Attack Chain
        "Claude Skills have rapidly emerged as one of the most powerful ways to extend Claude's capabilities, enabling users to automate workflows, interact with external services, and build custom tooling directly within the Claude ecosystem. Platforms like clawhub.ai have accelerated this adoption by providing a centralized marketplace for discovering, sharing, and deploying community-built skills. However, our research at Straiker reveals a darker reality lurking beneath the surface. Through systematic analysis of publicly available skills on clawhub.ai, we uncovered a significant number of malicious, deceptive, and high-risk skills actively being distributed to unsuspecting users."
        https://www.straiker.ai/blog/built-on-clawhub-spread-on-moltbook-the-new-agent-to-agent-attack-chain
        https://www.securityweek.com/autonomous-ai-agents-provide-new-class-of-supply-chain-attack/
      • APT28 Targeted European Entities Using Webhook-Based Macro Malware
        "The Russia-linked state-sponsored threat actor tracked as APT28 has been attributed to a new campaign targeting specific entities in Western and Central Europe. The activity, per S2 Grupo's LAB52 threat intelligence team, was active between September 2025 and January 2026. It has been codenamed Operation MacroMaze. "The campaign relies on basic tooling and the exploitation of legitimate services for infrastructure and data exfiltration," the cybersecurity company said."
        https://thehackernews.com/2026/02/apt28-targeted-european-entities-using.html
      • SANDWORM_MODE: Shai-Hulud-Style Npm Worm Hijacks CI Workflows And Poisons AI Toolchains
        "An active Shai-Hulud-like supply chain worm campaign spreads via typosquatting and AI toolchain poisoning, across at least 19 malicious npm packages and linked to two npm aliases. The sample retains Shai-Hulud hallmarks and adds GitHub API exfiltration with DNS fallback, hook-based persistence, SSH propagation fallback, MCP server injection with embedded prompt injection targeting AI coding assistants, and LLM API Key harvesting."
        https://socket.dev/blog/sandworm-mode-npm-worm-ai-toolchain-poisoning
        https://thehackernews.com/2026/02/malicious-npm-packages-harvest-crypto.html
        https://www.infosecurity-magazine.com/news/shai-hulud-like-worm-devs-npm-ai/
      • Would You Click ‘Accept’? Automatically Detecting Malicious Azure OAuth Applications Using LLMs
        "OAuth applications in Microsoft Entra ID are a common persistence and privilege escalation mechanism used by attackers. Because OAuth apps are frequently created, modified, and forgotten, malicious applications often blend in with legitimate business integrations. By analyzing known OAuth attack campaigns across multiple environments, we developed OAuth Apps Scout - a proactive detection pipeline that automatically surfaces emerging malicious OAuth applications, and has so far helped us identify many malicious apps across dozens of affected organizations."
        https://www.wiz.io/blog/detecting-malicious-oauth-applications
      • Malicious OpenClaw Skills Used To Distribute Atomic MacOS Stealer
        "TrendAI™ Research observed an evolution in how Atomic Stealer (AMOS) is being distributed. Historically spread via “cracked” macOS software, a trend we documented in September 2025, we found the malware being delivered under the guise of OpenClaw skills. This campaign represents a critical evolution in supply chain attacks: the attacker has shifted from deceiving humans into manipulating AI agentic workflows into installing the first stage of the malware. This is an old malware trying to use “social engineering” on AI agents, marking a shift from prompt injection to using the AI itself as a trusted intermediary to trick humans."
        https://www.trendmicro.com/en_us/research/26/b/openclaw-skills-used-to-distribute-atomic-macos-stealer.html

      Breaches/Hacks/Leaks

      • Ad Tech Firm Optimizely Confirms Data Breach After Vishing Attack
        "New York-based ad tech company Optimizely has notified an undisclosed number of customers of a data breach after threat actors compromised some of its systems in a voice phishing attack. Optimizely has nearly 1,500 employees across 21 global offices, and its customer list includes over 10,000 businesses, including high-profile brands like H&M, PayPal, Zoom, Toyota, Vodafone, Shell, Salesforce, and Nike. In breach notification letters sent to affected customers, the company said the threat actors reached out on February 11, claiming they had access to its systems."
        https://www.bleepingcomputer.com/news/security/ad-tech-firm-optimizely-confirms-data-breach-after-vishing-attack/
      • US Healthcare Diagnostic Firm Says 140,000 Affected By Data Breach
        "Nearly 140,000 people are affected by a data breach disclosed by healthcare diagnostic company Vikor Scientific. The number of affected individuals came to light in recent days on the healthcare data breach tracker maintained by the US Department of Health and Human Services (HHS). However, the narrative is not straightforward."
        https://www.securityweek.com/us-healthcare-diagnostic-firm-says-140000-affected-by-data-breach/
      • Air Côte d'Ivoire Confirms Cyberattack Following Ransomware Claims
        "The main airline serving the West African nation of Côte d'Ivoire was hit with a cyberattack earlier this month that forced it to institute business continuity plans. Air Côte d'Ivoire did not respond to requests for comment but released a statement on Friday confirming reports that hackers had breached its systems on February 8. Last week, the INC ransomware gang claimed it stole 208 GB of data from the airline. In its statement, the airline said the cyberattack “affected parts of its information system” and it had to call in technical teams to assist with flights and other operations."
        https://therecord.media/air-cote-divoire-confirms-cyberattack

      General News

      • The Hidden Security Cost Of Treating Labs Like Data Centers
        "In this Help Net Security interview, Rich Kellen, VP, CISO at IFF, explains why security teams should not treat OT labs like IT environments. He discusses how compromise can damage scientific integrity and create safety risks that backups cannot fix. Kellen also outlines what “good enough” OT visibility looks like, why compensating controls can backfire, and how partnering with scientists improves security outcomes."
        https://www.helpnetsecurity.com/2026/02/23/rich-kellen-iff-ot-lab-cybersecurity/
      • Enterprises Are Racing To Secure Agentic AI Deployments
        "AI assistants are tied into ticketing systems, source code repositories, chat platforms, and cloud dashboards across many enterprises. In some environments, these systems can open pull requests, query internal databases, book services, and trigger automated workflows with limited human involvement. The State of AI Security 2026 from Cisco places this level of access inside a growing pattern of AI-driven operations that connect directly to core business systems."
        https://www.helpnetsecurity.com/2026/02/23/ai-agent-security-risks-enterprise/
      • Identity Verification Systems Are Struggling With Synthetic Fraud
        "Fake and expired IDs keep showing up in routine customer transactions, from alcohol purchases to credit card applications. The problem shows up most often in industries that depend on fast onboarding and remote transactions, where identity checks rely heavily on scanned documents and automated workflows. Intellicheck analyzed nearly 100 million identity verification transactions collected through its cloud-based verification service during 2025. The company said the dataset covers about half of the adult population in the U.S. and Canada."
        https://www.helpnetsecurity.com/2026/02/23/analysis-identity-verification-fraud-report/
      • Spain Arrests Suspected Hacktivists For DDoSing Govt Sites
        "Spanish authorities have arrested four alleged members of a hacktivist group believed to have carried out cyberattacks targeting government ministries, political parties, and various public institutions. The group, which called itself "Anonymous Fénix" and claimed they were affiliated with the Anonymous hacker collective, conducted distributed denial-of-service (DDoS) attacks against targets in Spain and several South American countries, according to the Spanish Civil Guard."
        https://www.bleepingcomputer.com/news/security/spain-arrests-suspected-anonymous-fenix-hacktivists-for-ddosing-govt-sites/
        https://www.theregister.com/2026/02/23/anonymous_arrests_spain/
        https://www.helpnetsecurity.com/2026/02/23/spain-guardia-civil-arrests-anonymous-fenix-ddos-attacks/
      • Enigma Cipher Device Still Holds Secrets For Cyber Pros
        "Enigma cipher machines have endured in the minds of history buffs and cryptography hobbyists for more than a century, still discovered at dusty French flea markets and dredged up from under beach sludge by treasure hunters. And a dive at this year's upcoming RSAC Conference into lessons the Enigma can teach today's defenders suggests cybersecurity professionals should keep the history of the Nazis' hubris and failure of imagination in mind."
        https://www.darkreading.com/threat-intelligence/enigma-cipher-device-secrets-cyber-pros

      Reference
      Electronic Transactions Development Agency (ETDA)

      Posted in Cyber Security News
      NCSA_THAICERT
    • Arkanix Stealer found: infostealer malware uses an LLM to help write code and upgrade its features


      You can follow the news on the webboard or on the NCSA Thailand Facebook page.

      Posted in Cyber Security News
      NCSA_THAICERT
    • Spanish police arrest a suspect who hacked a hotel booking system, paying only 1 cent per night


      You can follow the news on the webboard or on the NCSA Thailand Facebook page.

      Posted in Cyber Security News
      NCSA_THAICERT