Group details | Private

Global Moderators

Forum wide moderators

Member list
  • Payouts King ransomware uses QEMU to create a hidden VM inside the system to evade endpoint security detection

    Follow the news on the webboard or the NCSA Thailand Facebook page

    Posted in Cyber Security News
  • Nexcorium, a Mirai-variant malware, found exploiting a TBK DVR vulnerability to spread and launch DDoS attacks

    Follow the news on the webboard or the NCSA Thailand Facebook page

    Posted in Cyber Security News
  • Four Android malware strains found targeting more than 800 banking apps worldwide to drain funds

    Follow the news on the webboard or the NCSA Thailand Facebook page

    Posted in Cyber Security News
  • Cyber Threat Intelligence 20 April 2026

    Financial Sector

    • March 2026 Security Issues In The Korean & Global Financial Sector
      "A number of malware samples including phishing, web shell, droppers, backdoor malware, downloaders, Infostealer, and CoinMiner targeting the financial sector have been distributed. We observed a number of cases where Korean disguised attachment names and HTML/JS execution methods were utilized to propagate phishing. Account compromise campaigns through the Telegram API were confirmed, with approximately 4% of the compromised accounts coming from the financial sector. The AnySign4PC vulnerability was exploited in a watering hole attack by the Lazarus group, resulting in remote code execution, and multiple watering hole distribution sites were found to be continuously used."
      https://asec.ahnlab.com/en/93421/

    Vulnerabilities

    Malware

    Breaches/Hacks/Leaks

    General News

    • March 2026 Threat Trend Report On APT Groups
      "This report analyzes the strategies, techniques, and impacts of APT groups believed to be state-sponsored. It excludes financial crimes groups from its scope and organizes major threat behaviors by ATIP’s representative names. The activities of 13 APT groups were aggregated based on publicly available data for the most recent month."
      https://asec.ahnlab.com/en/93416/
    • Man Gets 30 Months For Selling Thousands Of Hacked DraftKings Accounts
      "23-year-old Kamerin Stokes of Memphis, Tennessee, was sentenced to 30 months in prison for selling access to tens of thousands of hacked DraftKings accounts. According to court documents, the accounts were hijacked by Nathan Austad (aka Snoopy) with the help of Joseph Garrison (a third accomplice charged in May 2023) in a massive November 2022 credential-stuffing attack that compromised nearly 68,000 DraftKings accounts. U.S. prosecutors said Austad and Garrison used a list of credentials stolen in multiple breaches to hack into DraftKings accounts, then sold access to others who stole around $635,000 from roughly 1,600 compromised accounts."
      https://www.bleepingcomputer.com/news/security/man-gets-30-months-for-selling-thousands-of-hacked-draftkings-accounts/
      https://www.securityweek.com/another-draftkings-hacker-sentenced-to-prison/
      https://securityaffairs.com/190943/cyber-crime/draftkings-hacker-sentenced-to-prison-ordered-to-pay-1-4-million.html
    • Scattered Spider Hacker Pleads Guilty In US Federal Court
      "A senior figure in the Scattered Spider cybercrime group pleaded guilty to one count of conspiracy to commit wire fraud and one count of aggravated identity theft on Friday in an Orange County, California, federal district court. The plea marks the conclusion of a digital crime spree by Tyler Robert Buchanan, 24, of Scotland. Buchanan has been in federal custody since April 2025, when Spanish authorities extradited Buchanan after arresting him in the Mediterranean resort city of Palma de Mallorca just as he attempted to leave the country for Naples on a chartered flight."
      https://www.bankinfosecurity.com/scattered-spider-hacker-pleads-guilty-in-us-federal-court-a-31459
    • Tycoon 2FA Phishers Scatter, Adopt Device Code Phishing
      "In the wake of a major takedown of phishing's biggest brand name, Tycoon 2FA, phishers worldwide have scattered. Some have stuck around, but many have moved to other phishing service providers, and some seem to be jumping on a fast-growing trend toward device code phishing. It would be shortchanging Tycoon 2FA to merely distinguish it as the world's premier phishing-as-a-service (PhaaS) group. A year ago, it accounted for nearly 90% of all PhaaS activity everywhere, according to data from Barracuda. It essentially owned the PhaaS ecosystem."
      https://www.darkreading.com/threat-intelligence/tycoon-2fa-hackers-device-code-phishing
    • Every Old Vulnerability Is Now An AI Vulnerability
      "On March 10, 2026, Microsoft patched CVE-2026-26144, a cross-site scripting (XSS) vulnerability in Excel. XSS in Office isn't anything new, but what makes this XSS different is what happens after the script executes. The vulnerability chains with Copilot Agent mode. An attacker embeds a malicious payload in an Excel file. After a user opens it, the XSS fires without the user ever clicking anything. However, unlike most XSS attacks, which aim to steal a session cookie or redirect the user to a phishing site, this attack hijacks the Copilot Agent and silently exfiltrates data from the spreadsheet to an attacker-controlled endpoint: no user interaction, no visual prompt to indicate that anything had happened. The AI does the exfiltration for you."
      https://www.darkreading.com/vulnerabilities-threats/every-old-vulnerability-ai-vulnerability
    • Coast Guard's New Cybersecurity Rules Offer Lessons For CISOs
      "The US Coast Guard's first-ever mandatory cybersecurity framework for ports, vessels, and offshore facilities has taken effect, ending two decades of voluntary compliance and putting operators on a countdown with a 2027 deadline. The regulations affect any US-flagged vessel or maritime facility subject to the Maritime Transportation Security Act of 2002 and require that they develop and maintain a cybersecurity plan, designate a cybersecurity officer (CySO), conduct annual assessments, and train any information- and operational-technology workers on their cybersecurity duties."
      https://www.darkreading.com/cybersecurity-operations/coast-guards-cybersecurity-rules-lessons-cisos
    • Gemini Is Stopping Harmful Ads Before People Ever See Them
      "Our safety teams work around the clock to stop bad actors that use increasingly sophisticated, malicious ads. In 2025, Gemini-powered tools dramatically improved our ability to detect and stop bad ads: Our systems caught over 99% of policy-violating ads before they ever served, and we’re continuing to evolve our defenses to stay ahead of even the most advanced schemes. Our teams have long used advanced AI to identify and stop scammers, and Gemini takes that work even further. Our models analyze hundreds of billions of signals — including account age, behavioral cues and campaign patterns — to stop threats before they reach people. Unlike earlier keyword-based systems, our latest models better understand intent, helping us spot malicious content and preemptively block it, even when it’s designed to evade detection."
      https://blog.google/products/ads-commerce/2025-ads-safety-report/
      https://thehackernews.com/2026/04/google-blocks-83b-policy-violating-ads.html
      https://www.helpnetsecurity.com/2026/04/17/google-gemini-harmful-ads-blocking/
    • Commercial AI Models Show Rapid Gains In Vulnerability Research
      "While non-public frontier AI models, like Anthropic’s Claude Mythos, have been shown to identify thousands of zero-day vulnerabilities across major operating systems, commercial models are also indicating progress in the discovery of software bugs. Forescout’s Verde Labs found that just a year ago 55% of AI models failed basic vulnerability research and 93% failed exploit development tasks. Progress has been made, however, and in 2026 the cybersecurity firm said all tested models complete vulnerability research tasks, and half can generate working exploits autonomously."
      https://www.infosecurity-magazine.com/news/ai-models-rapid-gains/
    • Machine Identities: The Invisible Cyber Risk You Probably Aren’t Managing
      "When we talk about identity in cybersecurity, most people think about users logging in. But modern IT environments rely on a far larger and less visible population of non‑human identities. Machine identities are the credentials that applications, scripts, APIs, cloud workloads, industrial devices, and automation tools use to authenticate. They include service accounts, API keys, certificates, tokens, and embedded credentials that let systems communicate automatically and continuously. In manufacturing, this might include production systems pulling data from ERP software, industrial controllers updating configurations, remote monitoring tools, or third‑party vendors accessing plant networks. These identities are essential for efficiency and uptime, but they also introduce risk."
      https://blog.barracuda.com/2026/04/17/machine-identities-invisible-risk
    • Supply Chain Dependencies: Have You Checked Your Blind Spot?
      "Some cyber business risks only show up when you take a closer look. Supply chain blind spots are a perfect example. Behind these essential third-party connections, products and services can lurk unseen vulnerabilities that precipitate major cyber incidents – halting operations, triggering downstream chaos, and making headlines with their financial, reputational, and legal/compliance impacts. As supply chains become increasingly digitized and complex, they provide cybercriminals a bigger “risk surface” to aim for. Organizations need to understand their supply chain dependencies in depth so they can map the risks and deploy effective resilience strategies to protect sensitive data and sustain business continuity. Yet according to the latest research from ESET and other sources, SMBs largely underestimate the potential risks they face from disruption caused by their supply chain, either from a malicious attack or operational outage."
      https://www.welivesecurity.com/en/business-security/supply-chain-dependencies-have-you-checked-your-blind-spot/
    • Exposing Russian Malicious Infrastructure: 1,250+ C2 Servers Mapped Across 165 Providers
      "Infrastructure analytics and ISP mapping reveal the hidden backbone of cyber threats. By examining hosting providers, cloud services, and telecom networks, analysts can identify patterns of persistent malware, phishing campaigns, and C2 infrastructure. During the last three months (1 Jan 2026 - 1 Apr 2026) analysis window, we identified more than 1,250 active command-and-control (C2) servers operating across 165 Russian infrastructure providers, spanning shared hosting platforms, virtual server providers, and telecommunications networks. That provider-level view is what separates actionable intelligence from an endless list of disposable indicators."
      https://hunt.io/blog/russian-malicious-infrastructure-c2-servers-mapped
    • Defending Your Enterprise When AI Models Can Find Vulnerabilities Faster Than Ever
      "Advances in AI model-powered exploitation have demonstrated that general-purpose AI models can excel at vulnerability discovery, even without being purpose-built for the task. Eventually, capabilities such as these will be integrated directly into the development cycle, and code will be more difficult to exploit than ever; however, this transition creates a critical window of risk. As we harden existing software with AI, threat actors will use it to discover and exploit novel vulnerabilities. Faced with this scenario, defenders have two critical tasks: hardening the software we use as rapidly as possible, and preparing to defend systems that have not yet been hardened."
      https://cloud.google.com/blog/topics/threat-intelligence/defending-enterprise-ai-vulnerabilities
    • The German Cyber Criminal Überfall: Shifts In Europe's Data Leak Landscape
      "Germany has reclaimed its position as a primary focus for cyber extortion in Europe. While data leak site (DLS) posts rose almost 50% globally in 2025, Google Threat Intelligence (GTI) data shows that the surge is hitting German infrastructure harder and faster than its regional neighbors, marking a significant return to the high-pressure levels previously observed in the country during 2022 and 2023. Germany moved to the forefront of European data leak targets in 2025. Following a 2024 period where the UK led in DLS victims, this pivot reflects a resurgence of the intense pressure observed across German infrastructure during 2022 and 2023."
      https://cloud.google.com/blog/topics/threat-intelligence/europe-data-leak-landscape
    • That Data Breach Alert Might Be a Trap
      "Receiving a data breach notice may have once been a rare event. With data breaches hitting record numbers, however, these notifications are no longer as surprising as they once were. In the US alone, there were 3,322 such breaches reported last year, resulting in nearly 280 million notices being emailed to victims. In Europe, daily incidents grew by 22% annually in 2025 to reach 443 on average per day. This represents a growing opportunity for fraudsters. They know that many people may be on the lookout for these notifications. And when they receive one, they may be more predisposed to follow the advice contained in it."
      https://www.welivesecurity.com/en/scams/data-breach-alert-might-be-trap/

    References
    Electronic Transactions Development Agency (ETDA)

    โพสต์ใน Cyber Security News
  • Cyber Threat Intelligence 17 April 2026

    Industrial Sector

    Vulnerabilities

    Malware

    • Inside ZionSiphon: Darktrace’s Analysis Of OT Malware Targeting Israeli Water Systems
      "Darktrace analysis reveals ZionSiphon, an OT‑focused malware targeting Israeli water treatment and desalination systems. The malware combines privilege escalation, persistence, USB propagation, and ICS scanning with sabotage capabilities aimed at chlorine and pressure controls, highlighting growing experimentation with politically motivated critical‑infrastructure attacks against industrial operational technologies globally."
      https://www.darktrace.com/blog/inside-zionsiphon-darktraces-analysis-of-ot-malware-targeting-israeli-water-systems
      https://www.bleepingcomputer.com/news/security/zionsiphon-malware-designed-to-sabotage-water-treatment-systems/
    • CVE-2026-39987 Update: How Attackers Weaponized Marimo To Deploy a Blockchain Botnet Via HuggingFace
      "Three days after the April 8, 2026, disclosure of a critical pre-authorization remote code execution (RCE) in the marimo Python notebook platform, the Sysdig Threat Research Team (TRT) observed multiple unique attacks, including a threat actor deploying malware that was hosted on HuggingFace Spaces using a marimo exploit. The malware binary we captured was a previously undocumented variant of NKAbuse, a Go-based backdoor using the NKN blockchain for C2."
      https://www.sysdig.com/blog/cve-2026-39987-update-how-attackers-weaponized-marimo-to-deploy-a-blockchain-botnet-via-huggingface
      https://www.bleepingcomputer.com/news/security/hackers-exploit-marimo-flaw-to-deploy-nkabuse-malware-from-hugging-face/
    • AI Meets Voice Phishing: How ATHR Automates The Full TOAD Attack Chain
      "Telephone-oriented attack delivery (TOAD) remains an especially effective way to get past email security controls. Instead of embedding malicious links or attachments, attackers send benign-looking emails with nothing more than a phone number. When the target calls, an operator talks them through installing remote access software or handing over credentials. Because the email itself carries few traditional technical indicators of compromise, legacy defenses struggle to catch it. Running these operations at scale has typically meant stitching together separate infrastructure for telephony, phishing panels, and email delivery, which limits who can pull it off."
      https://abnormal.ai/blog/athr-ai-voice-phishing-toad-attacks
      https://www.bleepingcomputer.com/news/security/new-athr-vishing-platform-uses-ai-voice-agents-for-automated-attacks/
    • Beyond The Breach: Inside a Cargo Theft Actor’s Post-Compromise Playbook
      "In late February 2026, Proofpoint researchers executed a malicious payload from a threat actor targeting transportation organizations inside a controlled decoy environment operated by our partners at Deception.pro. While the environment did not represent a transportation carrier, it remained compromised for more than a month—offering rare, extended visibility into post‑compromise operations, tooling, and decision‑making. Proofpoint previously documented this actor’s campaigns against trucking and logistics companies to facilitate cargo theft and freight fraud. In this case, the extended interaction revealed persistence through multiple remote management tools, the use of a previously unknown signing‑as‑a‑service capability designed to evade detection and suppress security warnings, and extensive post-compromise reconnaissance activity."
      https://www.proofpoint.com/us/blog/threat-insight/beyond-breach-inside-cargo-theft-actors-post-compromise-playbook
      https://therecord.media/cargo-thieving-hackers-running-sophisticated-campaigns
      https://www.bankinfosecurity.com/freight-hacker-wields-code-signing-service-to-evade-defenses-a-31433
      https://www.helpnetsecurity.com/2026/04/16/cargo-theft-malware-actor-decoy-network/
    • PowMix Botnet Targets Czech Workforce
      "Cisco Talos discovered an ongoing malicious campaign, operating since at least December 2025, affecting a broader workforce in the Czech Republic with a previously undocumented botnet we call “PowMix.” PowMix employs randomized command-and-control (C2) beaconing intervals, rather than persistent connection to the C2 server, to evade the network signature detections. PowMix embeds the encrypted heartbeat data along with unique identifiers of the victim machine into the C2 URL paths, mimicking legitimate REST API URLs. PowMix has the capability to remotely update the new C2 domain to the botnet configuration file dynamically."
      https://blog.talosintelligence.com/powmix-botnet-targets-czech-workforce/
      https://thehackernews.com/2026/04/newly-discovered-powmix-botnet-hits.html
    • Dissecting Sapphire Sleet’s MacOS Intrusion From Lure To Compromise
      "Microsoft Threat Intelligence uncovered a macOS‑focused cyber campaign by the North Korean threat actor Sapphire Sleet that relies on social engineering rather than software vulnerabilities. By impersonating a legitimate software update, threat actors tricked users into manually running malicious files, allowing them to steal passwords, cryptocurrency assets, and personal data while avoiding built‑in macOS security checks. This activity highlights how convincing user prompts and trusted system tools can be abused, and why awareness and layered security defenses remain critical."
      https://www.microsoft.com/en-us/security/blog/2026/04/16/dissecting-sapphire-sleets-macos-intrusion-from-lure-to-compromise/
      https://www.darkreading.com/application-security/north-korea-clickfix-target-macos-users-data
      https://www.theregister.com/2026/04/16/north_korea_social_engineering_macos/
    • Unpacking The Unpackable: Malformed APKs As An Anti-Analysis Technique
      "As Android malware continues to evolve, APK malformation has emerged as a key anti-analysis technique, now seen in over 3,000 Android malware samples and increasingly employed across a broad range of malicious campaigns. By deliberately crafting broken or non-standard APK structures, attackers can evade static analysis tools, conceal malicious payloads, and delay detection. This tactic has already been observed in advanced malware families such as Teabot, TrickMo, and SpyNote, underlining its effectiveness in circumventing traditional defenses."
      https://www.cleafy.com/cleafy-labs/malformed-apks-as-an-anti-analysis-technique-malfixer-tool
      https://www.infosecurity-magazine.com/news/apk-malformation-android-malware/
    • “iCloud Storage Is Full” Scam Is Back, And Now It Wants Your Payment Details
      "A few months ago, we reported on a fake cloud storage alert that triggered a redirect chain to an app that has since been delisted from the Apple Store. The threat of losing your photos is a powerful lure, so scammers are now using it to steal personal and financial details. The Guardian warns about an iCloud-themed campaign that starts with a few “your iCloud storage is full” messages, then escalates to threats. If you don’t respond or take action, the emails claim your data will be wiped on a specific date. US Consumer Affairs has urged users not to click any links and to contact Apple directly if they receive such messages."
      https://www.malwarebytes.com/blog/news/2026/04/icloud-storage-is-full-scam-is-back-and-now-it-wants-your-payment-details
    • A Fake Slack Download Is Giving Attackers a Hidden Desktop On Your Machine
      "A trojanized Slack download from a typosquatting website is giving attackers something most users wouldn’t even know to look for: a hidden desktop running on their machine. The installer looks legitimate and even launches a working copy of Slack. But in the background, it can create an invisible session where attackers can browse, access accounts, and interact with your system without anything appearing on your screen. To be clear, this campaign has nothing to do with Slack, the company, and we’ve let them know what we found."
      https://www.malwarebytes.com/blog/threat-intel/2026/04/a-fake-slack-download-is-giving-attackers-a-hidden-desktop-on-your-machine
    • Payouts King Takes Aim At The Ransomware Throne
      "In February 2022, BlackBasta emerged as a successor to Conti ransomware and quickly rose to prominence. BlackBasta was operational for three years until February 2025 when their internal chat logs were leaked online, exposing the group’s inner workings. This led the group to disband and shutter the operation. However, similar to many ransomware groups, BlackBasta was largely driven by initial access brokers that launch attacks against organizations and then steal sensitive information and encrypt files. Although the BlackBasta brand disappeared, the group’s former affiliates have continued attacks by deploying different ransomware families such as Cactus. Zscaler ThreatLabz has observed continued ransomware activity that is consistent with attacks launched by former affiliates of BlackBasta. Some of these attacks have been attributed to a relatively unknown ransomware group that calls itself the Payouts King."
      https://www.zscaler.com/blogs/security-research/payouts-king-takes-aim-ransomware-throne
    • Threat Spotlight: Tycoon 2FA Didn’t Die — It’s Scattered Everywhere
      "A year ago, Tycoon 2FA accounted for 89% of the phishing-as-a-service (PhaaS) activity seen by Barracuda threat analysts. This picture changed suddenly in March 2026 when Europol and other organizations launched a coordinated operation to disrupt and disable Tycoon 2FA’s attack infrastructure. The operation seized more than 300 domains and dismantled backend services supporting Tycoon’s large-scale MFA-bypassing phishing campaigns. A few weeks later, some security researchers reported that Tycoon 2FA activity was already back to pre-disruption levels. Barracuda’s own threat intelligence paints a more nuanced and complex picture of what happened in the wake of the initial disruption — one that has significant implications for security teams trying to monitor and detect attacker tools and behaviors."
      https://blog.barracuda.com/2026/04/16/threat-spotlight-tycoon-2fa-scattered-everywhere
    • Phantom In The Vault: Obsidian Abused To Deliver PhantomPulse RAT
      "Elastic Security Labs has identified a novel social engineering campaign that abuses the popular note-taking application, Obsidian, as an initial access vector. The campaign, which we track as REF6598, targets individuals in the financial and cryptocurrency sectors through elaborate social engineering on LinkedIn and Telegram. The threat actors abuse Obsidian's legitimate community plugin ecosystem, specifically the Shell Commands and Hider plugins, to silently execute code when a victim opens a shared cloud vault. In the observed intrusion, Elastic Defend detected and blocked the attack at the early stage, preventing the threat actors from achieving their objectives on the victim's machine."
      https://www.elastic.co/security-labs/phantom-in-the-vault
      https://thehackernews.com/2026/04/obsidian-plugin-abuse-delivers.html
    • A Deep Dive Into Attempted Exploitation Of CVE-2023-33538
      "CVE-2023-33538 was publicly reported in June 2023, affecting the aforementioned end-of-life TP-Link routers. Proof-of-concept (PoC) exploits for the different routers appeared earlier that month. The PoC exploits were removed from their original GitHub post but can be retrieved via Web Archive. According to the report, the /userRpm/WlanNetworkRpm endpoint contains a vulnerability in processing the ssid1 parameter sent through an HTTP GET request, because the parameter value is not sanitized when the Wi-Fi router processes it. Consequently, an attacker could send commands to this parameter. This would allow remote attackers to submit special requests, resulting in command injection and theoretically leading to arbitrary system command execution on the Wi-Fi router."
      https://unit42.paloaltonetworks.com/exploitation-of-cve-2023-33538/
    • ChainShell: MuddyWater’s Russian MaaS Link
      "This report documents a direct operational link between the exposed infrastructure of Iranian threat actor MuddyWater and TAG-150 CastleRAT malware – a modular malware-as-a-service (MaaS) platform developed by Russian-speaking cybercriminals. Through our analysis of a misconfigured C2 web server, 15 malware samples, and a novel PE payload, JUMPSEC assesses that MuddyWater operates at least two CastleRAT builds against Israeli targets with high confidence, and that they deploy additional TAG-150 JavaScript RAT variants from the same infrastructure with moderate confidence."
      https://www.jumpsec.com/guides/chainshell-muddywater-russian-criminal-infrastructure/

    Breaches/Hacks/Leaks

    • Researchers Say Fiverr Left User Files Open To Google Search
      "A security researcher named Morpheuskafka has found that thousands of private files from the Tel Aviv-based gig-work website Fiverr were left open for anyone to view online. The leaked data allegedly includes very sensitive items like tax forms, photos of driving licences, and work contracts. These documents were not stored on a private, restricted server but were actually indexed and appeared in Google search results. Fiverr uses a third-party service called Cloudinary to manage and store the images and PDFs that users send to each other. And, instead of using signed or expiring URLs that only authorised users could open, the platform, reportedly, used public URLs."
      https://hackread.com/fiverr-left-user-files-open-to-google-search/
    • Data Breach At Tennessee Hospital Affects 337,000
      "The Cookeville Regional Medical Center (CRMC) in Tennessee was targeted in a ransomware attack last year, and the cybersecurity incident resulted in a significant data breach. The medical center, which offers a wide range of healthcare services at its 289-bed hospital and outpatient locations, said in a data breach notice on its website that a network intrusion was discovered on July 14, 2025, and an investigation revealed that certain files had been stolen in the prior days. The probe showed that the compromised information could include name, date of birth, address, SSN, driver’s license number, financial account number, medical treatment information, and health insurance policy information."
      https://www.securityweek.com/data-breach-at-tennessee-hospital-affects-337000/
      https://securityaffairs.com/190898/cyber-crime/cookeville-regional-medical-center-hospital-data-breach-impacts-337917-people.html
      https://www.infosecurity-magazine.com/news/cookeville-medical-center-data/

    General News

    • Europol-Supported Global Operation Targets Over 75 000 Users Engaged In DDoS Attacks
      "On 13 April 2026, 21 countries joined forces in a coordinated action week that focused on enforcement and prevention measures against over 75 000 criminal users engaging in distributed denial-of-service (DDoS)-for-hire services. With over 75 000 warning emails and letters being sent to identified criminal users and 4 arrests, the action week also led to the takedown of 53 domains and the issuing of 25 search warrants. The following countries participated in the joint action: Australia, Austria, Belgium, Brazil, Bulgaria, Denmark, Estonia, Finland, Germany, Japan, Latvia, Lithuania, Luxembourg, the Netherlands, Poland, Portugal, Sweden, Thailand, the United Kingdom and the United States."
      https://www.europol.europa.eu/media-press/newsroom/news/europol-supported-global-operation-targets-over-75-000-users-engaged-in-ddos-attacks
      https://www.bleepingcomputer.com/news/security/operation-poweroff-identifies-75k-ddos-users-takes-down-53-domains/
      https://cyberscoop.com/ddos-for-hire-takedowns-operation-poweroff/
    • US Nationals Behind DPRK IT Worker 'Laptop Farm' Sent To Prison
      "Two U.S. nationals have been sent to prison for helping North Korean remote information technology (IT) workers to pose as U.S. residents and get hired by over 100 companies across the country, including many Fortune 500 firms. 42-year-old Kejia Wang and 39-year-old Zhenxing Wang were charged in June 2025 following a coordinated law enforcement action against the Democratic People's Republic of Korea (DPRK) government's fundraising operations led by the U.S. Department of Justice (DoJ). According to court documents, between 2021 and October 2024, the two generated more than $5 million in illicit revenue for the DPRK's government and an estimated $3 million in financial damages to companies that hired North Korean workers who were using the stolen identities of more than 80 U.S. citizens."
      https://www.bleepingcomputer.com/news/security/us-nationals-behind-north-korean-it-worker-laptop-farm-sent-to-prison/
      https://therecord.media/new-jersey-men-sentenced-north-korean-laptop-farms
      https://cyberscoop.com/us-nationals-sentenced-facilitate-north-korea-tech-worker-scheme/
      https://www.infosecurity-magazine.com/news/us-nationals-jailed-north-korea/
      https://www.helpnetsecurity.com/2026/04/16/north-korean-it-workers-scheme-us-facilitators/
      https://www.theregister.com/2026/04/16/nork_it_worker_scam_facilitators_sentenced_200_months/
    • The Phishing Paradox: The World’s Most Trusted Brands Are Cyber Criminals’ Entry Point Of Choice
      "In Q1 2026, Microsoft continued to be the most impersonated brand in phishing attacks, accounting for 22% of all brand impersonation attempts, according to data from Check Point Research (CPR). The results reinforce a long‑standing trend: attackers consistently exploit highly trusted brands to steal credentials and gain initial access to personal and enterprise environments. Apple climbed to second place with 11%, reflecting attackers’ increasing focus on consumer ecosystems tied to payments, identity, and personal devices. Google followed closely in third place at 9%, while Amazon ranked fourth with 7%. LinkedIn rose to fifth place with 6%, highlighting sustained attacker interest in professional identities and corporate access."
      https://blog.checkpoint.com/research/the-phishing-paradox-the-worlds-most-trusted-brands-are-cyber-criminals-entry-point-of-choice/
    • Ghost Breaches: How AI-Mediated Narratives Have Become a New Threat Vector
      "A company wakes up to a news story claiming it has suffered a major data breach. The details are specific, technical and convincing. But the breach didn’t happen. No systems were compromised. No data was taken. A language model generated the entire story, filling in plausible details from scratch. And before the company can figure out what’s going on, a reporter at a reputable outlet picks up the story and requests comment. Within hours, the company is drafting statements and mobilizing its communications team to address a fictional event. A second incident begins with something real. Years earlier, a company had suffered a genuine breach that received wide media coverage. The incident was investigated, resolved and closed. Then one of the outlets that originally reported on it redesigned its website. Old articles received new URLs and updated timestamps, and search engines re-indexed them as fresh content."
      https://cyberscoop.com/ai-generated-breach-narratives-ghost-threat-vector-op-ed/
    • Two-Factor Authentication Breaks Free From The Desktop
      "These days, organizations require two-factor authentication (2FA) to log into a variety of platforms and applications, such as messaging apps, cloud services and virtual private networks (VPNs). However, the average driver may not be aware that 2FA can protect the car sitting in their driveway. Authentication measures are consistently crucial as phishing campaigns become more sophisticated, and attackers steal credentials in mounting data leaks. Now 2FA is expanding beyond traditional IT computer use cases to include the physical world as well. Protocols can keep hackers from compromising the heat pump warming the house, breaching medical devices treating patients, or driving away in a stolen car."
      https://www.darkreading.com/endpoint-security/two-factor-authentication-breaks-free-from-the-desktop
    • W3LL Unmasked
      "For more than seven years, a shadowy threat actor known as W3LL orchestrated one of the most sophisticated BEC-focused phishing ecosystems around. Group-IB’s long-running investigation has provided in-depth visibility into the W3LL phishing ecosystem and uncovered crucial leads into the individuals behind this cybercriminal enterprise. The company has shared relevant findings with law enforcement authorities as part of broader efforts to disrupt this activity. W3LL’s tools and services, including an underground PhaaS marketplace called the W3LL Store, enabled over 500 cybercriminals to carry out business email compromise (BEC) attacks targeting organizations worldwide. The criminal empire was built around a phishing kit called W3LL Panel (aka OV6 panel) — designed to bypass multi-factor authentication (MFA), along with a suite of 16 other tools for compromising corporate Microsoft 365 accounts."
      https://www.group-ib.com/blog/w3ll-phishing-ecosystem-takedown/
    • EU Cybersecurity Standards Are At Risk If Supplier Ban Passes
      "Today, the European standards body ETSI sent a formal position paper to the European Commission, calling for changes to the proposed Cybersecurity Act 2 (CSA2), the EU’s planned revision to its existing cybersecurity certification framework. The paper focuses on two provisions: a proposed expansion of ENISA’s role in developing technical specifications, and a clause in Article 100(4)(a) that would bar entities from countries designated as posing cybersecurity concerns from participating in European standardization work tied to Commission requests. ETSI is one of three European Standardization Organizations (ESOs) recognized under EU law to develop harmonized standards. Its membership includes over 900 organizations across 64 countries."
      https://www.helpnetsecurity.com/2026/04/16/etsi-eu-cybersecurity-standards/
    • Command Integrity Breaks In The LLM Routing Layer
      "Systems that rely on LLM agents often send requests through intermediary routing services before reaching a model. These routers connect to different providers through a single endpoint and manage how requests are handled. This layer can influence what gets executed and what data is exposed. A recent study examined 28 paid routers and 400 free routers used to access model APIs. In testing, 1 paid router and 8 free routers injected malicious code into tool calls. “This is not a purely hypothetical threat,” the researchers wrote, noting that the behavior appears in paid and free router markets."
      https://www.helpnetsecurity.com/2026/04/16/llm-router-security-risk-agent-commands/
      https://arxiv.org/pdf/2604.08407
    • Automotive Ransomware Attacks Double In a Year
      "Ransomware is now the fastest growing and most disruptive cyber threat facing the automotive sector, accounting for 44% of attacks on carmakers in 2025, according to Halcyon. The security vendor crunched data from multiple sources to compile a new report on the industry. It claimed that ransomware attacks on carmakers more than doubled in 2025. “The surge in attacks reflects a calculated shift by cybercriminals who increasingly view the automotive industry as a lucrative target, driven by its rapid adoption of connected technology, growing reliance on cloud services, and a sprawling network of third-party suppliers that broadens criminals' opportunities to strike,” the report noted."
      https://www.infosecurity-magazine.com/news/automotive-ransomware-attacks/
    • Government Can’t Win The Cyber War Without The Private Sector
      "Cybersecurity is a contest between attackers and defenders. For far too long, governments have been defending their turf alone while attackers frequently target public-sector entities with little to no resistance, launching attacks with national ramifications. Despite rules and regulations meant to establish baseline controls, attacks continue to define a growing threat landscape. The harsh reality is that the threat surface has grown wildly beyond what governments can realistically defend. The digital infrastructure that governments aim to secure is a product of private companies. There are limits to what the state can secure on its own, which means the focus must shift to closer collaboration with the private sector."
      https://www.securityweek.com/government-cant-win-the-cyber-war-without-the-private-sector/

    References
    Electronic Transactions Development Agency (ETDA)

    Posted in Cyber Security News
  • Axios library vulnerability alert (CVE-2026-40175): administrators are urged to remediate immediately

    The Thailand Computer Emergency Response Team (ThaiCERT) has been monitoring a security vulnerability in the Axios library, a JavaScript library widely used in website and web application development. The vulnerability could be exploited for Server-Side Request Forgery (SSRF), which may lead to unauthorized access to systems. Administrators are urged to review their systems and apply the security patch immediately.

    1. Vulnerability details [1]

    CVE-2026-40175 (CVSS 3.1: 10.0) [2] is a Server-Side Request Forgery (SSRF) vulnerability in the Axios library that allows an attacker to control or manipulate the HTTP requests the server sends out.

    The vulnerability is likely related to unsafe request handling, allowing an attacker to bypass access restrictions on internal resources and use the server as an intermediary to reach systems or services that should not be reachable.

    2. Attack patterns [3]

    An attacker can exploit this vulnerability by sending specially crafted input to an application that uses Axios. The main attack patterns are:

    2.1 Sending requests that make the server call internal services
    2.2 Accessing cloud metadata, such as the cloud provider's metadata service
    2.3 Using the server as a pivot to attack systems inside the network
    2.4 Escalating to Remote Code Execution (RCE) in some cases

    3. Affected products
    • All Axios versions below 1.13.2
    4. Remediation

    Administrators should update Axios to version 1.15.0 or the latest version immediately [4]. On systems using npm, this can be done with the command npm install axios@latest [5]. Where an immediate update is not possible, the following interim measures (workarounds) should be taken to reduce risk:

    • Restrict the destinations that can be requested (allowlist)
    • Block access to internal network (IP) addresses
    • Disable access to the cloud metadata service where it is not needed
    • Use a Web Application Firewall (WAF) to help filter anomalous requests
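    The destination allowlist and internal-address workarounds listed above, as an added example (not code from the ThaiCERT advisory or the Axios project): a Node.js destination check for outbound requests, plus a hook in the shape of an axios request interceptor. The allowlisted hostnames, the helper names and the interceptor config shape are assumptions.

```javascript
// Added example (not from the ThaiCERT advisory or the Axios project): enforce a destination
// allowlist and block internal/metadata addresses before a server-side request leaves the host.
// Uses only the WHATWG URL class built into Node.js, so it runs offline.

// Hostnames that must never be reachable from server-side requests (constructed list;
// 169.254.169.254 is the AWS/Azure IMDS address, the other two are GCP metadata names).
const NEVER_HOSTS = new Set([
  "169.254.169.254", "metadata.google.internal", "metadata", "localhost",
]);

// RFC 1918, loopback, link-local (includes IMDS), CGNAT, "this network" and broadcast.
function isInternalIPv4(ip) {
  const [a, b] = ip.split(".").map(Number);
  return a === 0 || a === 10 || a === 127 ||
    (a === 100 && b >= 64 && b <= 127) ||
    (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) ||
    ip === "255.255.255.255";
}

// Loopback, unspecified, link-local, unique-local, and IPv4-mapped addresses whose embedded
// IPv4 is internal. The URL parser serialises ::ffff:192.168.1.10 as ::ffff:c0a8:10a,
// so the mapped form is decoded from hex before the IPv4 check.
function isInternalIPv6(ip) {
  const lower = ip.toLowerCase();
  if (lower === "::1" || lower === "::") return true;
  if (/^fe[89ab]/.test(lower) || /^f[cd]/.test(lower)) return true;
  const mapped = lower.match(/^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/);
  if (!mapped) return false;
  const hi = parseInt(mapped[1], 16), lo = parseInt(mapped[2], 16);
  return isInternalIPv4(`${hi >> 8}.${hi & 255}.${lo >> 8}.${lo & 255}`);
}

// Decide whether a server-side request may be sent to rawUrl.
// allowlist: Set of hostnames the application legitimately calls (assumption).
// Returns { ok, hostname, reason } so callers can log why a request was blocked.
function checkDestination(rawUrl, allowlist) {
  let url;
  try {
    // WHATWG parsing canonicalises alternative IP spellings: 2130706433, 0x7f000001 and
    // 0177.0.0.1 all become 127.0.0.1, and userinfo is separated from the host, so
    // http://api.example.com@10.0.0.5/ yields hostname 10.0.0.5.
    url = new URL(rawUrl);
  } catch {
    return { ok: false, reason: "unparseable URL" };
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return { ok: false, hostname: url.hostname, reason: `scheme ${url.protocol} not permitted` };
  }
  const isV6 = url.hostname.startsWith("[");           // IPv6 literals keep their brackets
  const hostname = isV6 ? url.hostname.slice(1, -1) : url.hostname;
  if (NEVER_HOSTS.has(hostname)) {
    return { ok: false, hostname, reason: "metadata or loopback host" };
  }
  const isV4 = /^\d{1,3}(\.\d{1,3}){3}$/.test(hostname);
  if ((isV4 && isInternalIPv4(hostname)) || (isV6 && isInternalIPv6(hostname))) {
    return { ok: false, hostname, reason: "internal IP literal" };
  }
  if (!allowlist.has(hostname)) {
    return { ok: false, hostname, reason: "destination not on allowlist" };
  }
  return { ok: true, hostname, url: url.href };
}

// Hook in the shape of an axios request interceptor: it receives the request config and either
// returns it or throws. Resolving config.url against config.baseURL mirrors how axios builds the
// final URL for relative paths, and an absolute config.url wins (assumption about the config
// shape only; axios itself is not needed to exercise this).
function makeRequestGuard(allowlist) {
  return function guard(config) {
    const full = config.baseURL ? new URL(config.url, config.baseURL).href : config.url;
    const verdict = checkDestination(full, allowlist);
    if (!verdict.ok) {
      throw new Error(`blocked outbound request to ${verdict.hostname ?? full}: ${verdict.reason}`);
    }
    // A redirect from an allowed host is a second route to internal addresses; disabling
    // automatic redirects (axios option maxRedirects: 0) keeps every hop subject to this check.
    return { ...config, maxRedirects: config.maxRedirects ?? 0 };
  };
}

// Constructed allowlist for a hypothetical application; register the guard with
// axios.interceptors.request.use(makeRequestGuard(ALLOWED_HOSTS)).
const ALLOWED_HOSTS = new Set(["api.example.com", "payments.example.com"]);
```

    The check is a host-level control only; network egress filtering (section 5.3) remains the second layer for hostnames that resolve to internal addresses after the check has passed.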
    5. Additional security recommendations

    5.1 Check other libraries used alongside Axios for Prototype Pollution vulnerabilities
    5.2 Use Software Composition Analysis (SCA) tools to check third-party libraries for vulnerabilities
    5.3 Define an egress filtering policy to control outbound connections from the server
    5.4 Log and regularly review anomalous connections
    5.5 Keep the security patches of the system and other libraries up to date

    References
    [1] https://dg.th/vyp38h5m46
    [2] https://dg.th/bw3efhs42z
    [3] https://dg.th/kv1noebhw2
    [4] https://dg.th/9lvz6n7gsk
    [5] https://dg.th/lgf9b3ceho

    Posted in Cyber Security News
  • CISA releases four Industrial Control Systems (ICS) advisories

    On 16 April 2569 B.E. (2026), the Cybersecurity and Infrastructure Security Agency (CISA) released four advisories on industrial control systems (ICS) to provide timely information on security issues, vulnerabilities and exploits affecting ICS. They are:

    • ICSA-26-106-01 Delta Electronics ASDA-Soft
    • ICSA-26-106-02 Horner Automation Cscape and XL4, XL7 PLC
    • ICSA-26-106-03 Anviz Multiple Products
    • ICSA-26-106-04 AVEVA Pipeline Simulation

    CISA recommends that users and administrators review the newly released ICS advisories for technical details and mitigations.

    References
    https://www.cisa.gov/news-events/ics-advisories

    Posted in OT Cyber Security News
  • CISA adds one exploited vulnerability to its catalog

    On 16 April 2026, the Cybersecurity and Infrastructure Security Agency (CISA) added one new vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation:

    • CVE-2026-34197 Apache ActiveMQ Improper Input Validation Vulnerability

    CISA will continue to update the KEV catalog with newly identified vulnerabilities so that it covers the risks actually observed in the wild, now and in future.

    References
    https://www.cisa.gov/news-events/alerts/2026/04/16/cisa-adds-one-known-exploited-vulnerability-catalog

    Posted in Cyber Security News
  • Cyber Threat Intelligence 16 April 2026

    Industrial Sector

    • ICS Patch Tuesday: 8 Industrial Giants Publish New Security Advisories
      "Industrial giants Siemens, Schneider Electric, Aveva, Rockwell Automation, ABB, Phoenix Contact, Mitsubishi Electric, and Moxa have published new ICS security advisories since the previous Patch Tuesday. Siemens has published nine new advisories since the previous Patch Tuesday. Vulnerabilities with a ‘critical’ severity rating are mentioned only in one advisory covering older Wi-Fi vulnerabilities affecting Scalance W-700 devices. Siemens has addressed high-severity vulnerabilities in Sinec NMS (authentication/authorization bypass), Ruggedcom Crossbow (privilege escalation, code execution, DoS), and Industrial Edge Management (authorization bypass). Medium-severity issues have been resolved in TPM and Analytics Toolkit."
      https://www.securityweek.com/ics-patch-tuesday-8-industrial-giants-publish-new-security-advisories/
    • Sweden Blames Pro-Russian Group For Cyberattack Last Year On Its Energy Infrastructure
      "Sweden said Wednesday that a pro-Russian group with links to Russia’s security and intelligence services was behind a cyberattack on a heating plant last year. The announcement followed warnings from officials in Poland, Norway, Denmark and Latvia that Russia is attacking critical infrastructure across Europe. In what was Sweden’s first public mention of the attack, the country’s minister for civil defense, Carl-Oskar Bohlin, said it targeted a heating plant in western Sweden but the attack failed. He gave no further details. Bohlin compared it to incidents in Poland in December, when coordinated cyberattacks hit combined heat and power plants supplying heat to almost 500,000 customers, as well as wind and solar farms. Poland later said evidence indicated hackers were “directly linked to the Russian services.”"
      https://www.securityweek.com/sweden-blames-pro-russian-group-for-cyberattack-last-year-on-its-energy-infrastructure/
      https://therecord.media/sweden-hackers-russia-power-plant

    New Tooling

    • Legitify: Open-Source Scanner For Security Misconfigurations On GitHub And GitLab
      "Misconfigured source code management platforms remain a common entry point in software supply chain attacks, and organizations often lack visibility into which settings put them at risk. Legitify, an open-source tool from Legit Security, addresses that gap by scanning GitHub and GitLab environments and reporting policy violations across organizations, repositories, members, and CI/CD runner groups. Legitify evaluates configurations across five namespaces: organization-level settings, GitHub Actions configurations, member accounts, repositories, and runner groups. Example checks include whether two-factor authentication is enforced across an organization, whether GitHub Actions runs are restricted to verified actions, whether stale admins exist, and whether code review requirements are in place for repositories."
      https://www.helpnetsecurity.com/2026/04/15/legitify-open-source-scanner-security-misconfigurations-github-gitlab/
      https://github.com/Legit-Labs/legitify

    Vulnerabilities

    • Fortinet Patches Critical FortiSandbox Vulnerabilities
      "Fortinet on Tuesday released 26 advisories detailing 27 vulnerabilities across its products, including two critical-severity flaws in FortiSandbox. Tracked as CVE-2026-39813, the first of the critical bugs impacts the FortiSandbox JRPC API and could allow attackers to bypass authentication. The second one, tracked as CVE-2026-39808, is an OS command injection issue that can be exploited for arbitrary code or command execution. Both security defects have a CVSS score of 9.1 and could be exploited without authentication via specially crafted HTTP requests."
      https://www.securityweek.com/fortinet-patches-critical-fortisandbox-vulnerabilities/
      https://www.theregister.com/2026/04/15/critical_fortinet_sandbox_bugs/
    • PipeLeak: The Lead That Stole Your Database - Exploiting Salesforce Agentforce With Indirect Prompt Injection
      "A prompt injection vulnerability exists in Salesforce Agentforce when processing untrusted lead data. An attacker can embed malicious instructions inside a standard lead form submission that are later executed by an Agent Flow with email capabilities. When an internal employee asks the agent to review or analyze the lead, the agent complies with the attacker’s embedded instructions while exfiltrating sensitive data to an external email address. This results in unauthorized data disclosure and potential mass exfiltration of CRM data."
      https://www.capsulesecurity.io/blog-post/pipeleak-the-lead-that-stole-your-database-exploiting-salesforce-agentforce-with-indirect-prompt-injection
      https://www.darkreading.com/cloud-security/microsoft-salesforce-patch-ai-agent-data-leak-flaws
    • ‘By Design’ Flaw In MCP Could Enable Widespread AI Supply Chain Attacks
      "Model Context Protocol (MCP) has been a boon to agentic AI users and is widely used and trusted locally by companies adopting agentic AI internally. Introduced by Anthropic in November 2024, it provides a standard connector between agents and data. Enterprises use it locally to avoid the pain of developing their own connectors, and it is in widespread use as a local STDIO MCP server. There are multiple providers of MCP servers, almost all inheriting Anthropic’s code. The problem, reports OX Security, is what it terms an architectural flaw in Anthropic’s MCP code embedded within most of these local STDIO MCPs."
      https://www.securityweek.com/by-design-flaw-in-mcp-could-enable-widespread-ai-supply-chain-attacks/
      https://20204725.hs-sites.com/the-mother-of-all-ai-supply-chains
    • Two Vulnerabilities Patched In Ivanti Neurons For ITSM
      "Ivanti on Tuesday updated Neurons for ITSM to resolve two medium-severity vulnerabilities affecting both on-premises and cloud deployments. The first bug, tracked as CVE-2026-4913 (CVSS score of 5.7), is described as the improper protection of an alternate path. According to Ivanti, it could allow “a remote authenticated attacker to retain access when their account has been disabled”. The second flaw, CVE-2026-4914 (CVSS score of 5.4), is described as a stored cross-site scripting (XSS) issue that can be abused remotely to obtain limited information from other user sessions."
      https://www.securityweek.com/two-vulnerabilities-patched-in-ivanti-neurons-for-itsm/

    Malware

    Breaches/Hacks/Leaks

    • Automotive Data Biz Autovista Blames Ransomware For Service Disruption
      "Autovista confirms that it called in outside support to help clean up a ransomware infection currently affecting systems in Europe and Australia. The automotive data and analytics biz issued a public statement on Wednesday confirming the incident, and said that it's working to contain the attack. London-headquartered Autovista offers a broad suite of applications to customers, all built around its data offerings, and it's these applications that are experiencing disruptions, it said."
      https://www.theregister.com/2026/04/15/automotive_data_biz_autovista_ransomware/

    General News

    • NIST Updates NVD Operations To Address Record CVE Growth
      "New risk-based model will allow NIST to manage current CVE volume while modernizing the NVD for long-term sustainability. NIST is changing the way it handles cybersecurity vulnerabilities and exposures, or CVEs, listed in its National Vulnerability Database (NVD). In the past, NIST’s NVD program aimed to analyze all CVEs to add details — such as severity scores and product lists — that help cybersecurity professionals prioritize and mitigate vulnerabilities. Going forward, NIST will add details, or “enrich,” those CVEs that meet certain criteria, which are explained below. CVEs that do not meet those criteria will still be listed in the NVD but will not automatically be enriched by NIST."
      https://www.nist.gov/news-events/news/2026/04/nist-updates-nvd-operations-address-record-cve-growth
      https://therecord.media/nist-to-limit-work-on-cve-entries-surge
      https://cyberscoop.com/nist-narrows-cve-analysis-nvd/
    • Navigating The Unique Security Risks Of Asia's Digital Supply Chain
      "Asia's digital supply chain has unique challenges compared to other parts of the world, and organizations must respond accordingly. That's the upshot of an upcoming session at Black Hat Asia 2026, "Securing the Supply Chain: Managing Third‑Party Risk in Asia's Hyper‑Connected Digital Ecosystem." Security experts from Bitdefender, ISACA, Varonis, and more will convene April 22 to discuss the risks organizations in Asia face due to the complex web of third-party tools, AI models, cloud platforms, data vendors, and automation that make up many networks today."
      https://www.darkreading.com/cloud-security/navigating-unique-security-risks-asias-digital-supply-chain
    • Prepping For 'Q-Day': Why Quantum Risk Management Should Start Now
      "Preparing for the post-quantum cryptography (PQC) era is going to take more than a simple migration plan. That's the advice of cryptography expert Jean-Philippe Aumasson, who co-authored the FIPS 205 stateless hash-based digital signature algorithm (SLH-DSA), a quantum-resistant encryption scheme. Aumasson, who is also co-founder and chief security officer of Taurus SA, will be speaking next week at Black Hat Asia 2026 in Singapore in a session titled "Post-Quantum Cryptography: A Realistic Guide to Manage the Transition.""
      https://www.darkreading.com/cyber-risk/preparing-q-day-quantum-risk-management
    • Why Orgs Need To Test Networks To Withstand DDoS Attacks During Peak Loads
      "QUESTION: How should security teams ensure they are effectively testing their DDoS defenses against their environment? Matthew Andriani, co-founder and CEO MazeBolt: Millions of people wait until the final days, if not the last day, before the tax filing deadline. Any platform handling tax filings, refund processing, or document uploads should recognize that the filing rush creates a perfect storm in which attacks can have a greater operational impact, as cyberattackers often carry out their activities during these peak-demand periods. During these peak loads, availability risk increases, and Layer 7 endpoints like login, account creation, and submission APIs can become harder to protect without blocking legitimate users. Filers are already worried about the deadline, so repeated login failures, stalling, or unexplained timeouts quickly erode trust."
      https://www.darkreading.com/cloud-security/test-networks-withstand-ddos-attacks-peak-loads
    • Q1 2026 DDoS, Bad Bots, And BGP Incidents Statistics And Overview
      "The largest DDoS botnet we first detected in March 2025 has grown significantly over the past year, expanding from 1.33 million to 13.5 million infected devices. The majority of these devices are located in the United States, Brazil, and India. In Q1 2026, we discovered the Aeternum C2 botnet, which uses the Polygon blockchain as its primary command-and-control infrastructure, making it highly resistant to traditional takedown methods. The most intensive DDoS attack observed in Q1 2026 targeted an organization in the Betting segment. At its peak, it exceeded 2 Tbps and reached nearly 1 Bpps. Notably, the high-intensity phase lasted for more than 40 minutes, which is unusually long for attacks of this scale."
      https://qrator.net/blog/details/Q1-2026-DDoS-bad-bots-and-BGP-incidents-statistics-and-overview/
      https://hackread.com/botnet-device-drives-2-tbps-ddos-attacks-fintech/
    • Coordinated Vulnerability Disclosure Is Now An EU Obligation, But Cultural Change Takes Time
      "In this Help Net Security interview, Nuno Rodrigues Carvalho, Head of Sector for Incident and Vulnerability Services at ENISA, discusses the recent CVE funding scare and what it exposed about the fragility of global vulnerability disclosure infrastructure. He outlines how EU regulations, including the Cyber Resilience Act and NIS2, are creating stronger accountability for vendors and organizations. ENISA is building out European vulnerability services to support member states. Carvalho also addresses how practitioners navigate conflicting enrichment sources, and argues the CVE program needs a distributed model with no single point of failure."
      https://www.helpnetsecurity.com/2026/04/15/nuno-rodrigues-carvalho-enisa-cve-program-vulnerability-disclosure/
    • Network Segmentation Projects Fail In Predictable Patterns
      "Most enterprise networks have segmentation on the roadmap. Many have had it there for years. A survey of 400 U.S.-based network security practitioners who lived through failed segmentation projects finds that failure clusters into four distinct patterns, and the type of failure a team experiences depends heavily on the kind of environment and approach they attempted. The research, conducted in early 2026, applied latent class analysis to survey responses measuring both general IT project failure factors and segmentation-specific technical barriers."
      https://www.helpnetsecurity.com/2026/04/15/network-segmentation-failure-research/
      https://arxiv.org/pdf/2604.08632
    • European Cybersecurity Agency ENISA Seeks Top-Tier Status In CVE Program
      "ENISA, the EU’s Cybersecurity Agency, is strengthening its ties with the US-funded Common Vulnerabilities and Exposures (CVE) program, a top leader of the agency has announced. Invited to speak at VulnCon26's opening keynote in Scottsdale, Arizona, on April 14, Nuno Rodrigues Carvalho, head of sector for Incidents and Vulnerability Services at ENISA, revealed that the agency was currently being onboarded by the US Cybersecurity and Infrastructure Security Agency (CISA), sole sponsor of the program, to become a top-level root CVE Numbering Authority (TL-Root CNA). Speaking to Infosecurity after the session, Carvalho said he hopes the European agency can obtain this status “in 2026 or early 2027.”"
      https://www.infosecurity-magazine.com/news/enisa-europe-seeks-top-level-root/
    • AI Companies To Play Bigger Role In CVE Program, Says CISA
      "AI companies like OpenAI and Anthropic should play a bigger role in software vulnerability disclosures in the future, according to a leader of the world’s largest vulnerability disclosure scheme. Speaking at the opening of VulnCon26 in Scottsdale, Arizona, on April 14, Lindsey Cerkovnik said AI companies “should be better represented" in the Common Vulnerabilities and Exposures (CVE) program. As chief of the Vulnerability Response & Coordination (VRC) Branch at the US Cybersecurity and Infrastructure Security Agency (CISA), sole sponsor of the MITRE-run CVE program, Cerkovnik and her team manage coordinated vulnerabilities disclosures for the CVE program."
      https://www.infosecurity-magazine.com/news/ai-companies-to-play-bigger-role/
    • CISO Conversations: Ross McKerchar, CISO At Sophos
      "Ross McKerchar began his Sophos career as the firm’s first security engineer 18 years ago and is now the company’s CISO. We discussed his journey and the role of the CISO. “Like most youngsters, I played video games as a child. By the time I was 16, I was already convinced that IT would be a good, solid career – so I went on to take a computer science degree at the University of Edinburgh.” But then came a realization. “I’m probably going to offend a lot of people with this, but much of IT is quite boring.” When you talk about IT, people’s eyes glaze over, he continues. But if you talk about cybercrime, they become engaged. “It’s whole of world rather than just the box in the computer room. It’s geopolitical, it’s adversarial, and it affects everybody, everywhere.” Conflict, he adds, makes for good stories – so, he shifted his interest from IT to cybersecurity."
      https://www.securityweek.com/ciso-conversations-ross-mckerchar-ciso-at-sophos/
    • Tracking CVEs Attributed To Anthropic Researchers And Project Glasswing
      "Anthropic's Project Glasswing has generated significant attention—but very little concrete data. One question keeps coming up: what exactly did it find, disclose, and receive CVEs for? We've fielded this question repeatedly, so I did the work of tracking down publicly disclosed CVEs credited to the Anthropic research team at this time."
      https://www.vulncheck.com/blog/anthropic-glasswing-cves
      https://www.theregister.com/2026/04/15/project_glasswing_cves/
    • Agents Hooked Into GitHub Can Steal Creds – But Anthropic, Google, And Microsoft Haven't Warned Users
      "Security researchers hijacked three popular AI agents that integrate with GitHub Actions by using a new type of prompt injection attack to steal API keys and access tokens, and the vendors who run agents didn’t disclose the problem. The researchers targeted Anthropic's Claude Code Security Review, Google's Gemini CLI Action, and Microsoft's GitHub Copilot, then disclosed the flaws and received bug bounties from all three. But none of the vendors assigned CVEs or published public advisories, and this, according to researcher Aonan Guan, "is a problem." "I know for sure that some of the users are pinned to a vulnerable version," Guan said in an exclusive interview with The Register about how he and a team from Johns Hopkins University discovered this prompt injection pattern and pwned the agents. "If they don't publish an advisory, those users may never know they are vulnerable – or under attack.""
      https://www.theregister.com/2026/04/15/claude_gemini_copilot_agents_hijacked/

    References
    Electronic Transactions Development Agency (ETDA)

    Posted in Cyber Security News
  • Booking.com confirms data breach: hackers accessed booking details, raising fears of phishing campaigns


    Posted in Cyber Security News