Vulnerabilities
- HPE Warns Of Critical AOS-CX Flaw Allowing Admin Password Resets
"Hewlett Packard Enterprise (HPE) has patched multiple security vulnerabilities in the Aruba Networking AOS-CX operating system, including several authentication and code execution issues. AOS-CX is a cloud-native network operating system (NOS) developed by HPE subsidiary Aruba Networks for the company's CX-series campus and data center switch devices. The most severe security flaw today is a critical authentication bypass vulnerability (tracked as CVE-2026-23813) that attackers without privileges can exploit in low-complexity attacks to reset admin passwords."
https://www.bleepingcomputer.com/news/security/hpe-warns-of-critical-aos-cx-flaw-allowing-admin-password-resets/ - SAP Patches Critical FS-QUO, NetWeaver Vulnerabilities
"Enterprise security firm SAP on Tuesday announced the release of 15 new security notes as part of its March 2026 Security Patch Day. The most important of these notes resolves critical-severity vulnerabilities in Quotation Management Insurance (FS-QUO) and NetWeaver Enterprise Portal Administration. SAP describes the FS-QUO bug, tracked as CVE-2019-17571 (CVSS score of 9.8), as a code injection issue."
https://www.securityweek.com/sap-patches-critical-fs-quo-netweaver-vulnerabilities/ - Critical Defect In Java Security Engine Poses Serious Downstream Security Risks
"A maximum-severity vulnerability in pac4j, an open-source library integrated into hundreds of software packages and repositories, poses a significant security threat, but has thus far received scant attention. The defect in the Java security engine, which handles authentication across multiple frameworks, has not been exploited in the wild since code review firm CodeAnt AI published a proof-of-concept exploit last week. The company discovered the vulnerability and privately reported it to pac4j’s maintainer, which disclosed the defect and released patches for affected versions of the library within two days."
https://cyberscoop.com/pac4j-open-source-library-vulnerability-max-severity-risk/ - Microsoft March 2026 Patch Tuesday Fixes 2 Zero-Days, 79 Flaws
"Today is Microsoft's March 2026 Patch Tuesday with security updates for 79 flaws, including 2 publicly disclosed zero-day vulnerabilities. This Patch Tuesday also addresses three "Critical" vulnerabilities, 2 of which are remote code execution flaws and the other is an information disclosure flaw."
https://www.bleepingcomputer.com/news/microsoft/microsoft-march-2026-patch-tuesday-fixes-2-zero-days-79-flaws/
https://blog.talosintelligence.com/microsoft-patch-tuesday-march-2026/
https://www.darkreading.com/application-security/microsoft-patches-83-cves-march-update
https://cyberscoop.com/microsoft-patch-tuesday-march-2026/
https://securityaffairs.com/189266/security/microsoft-patch-tuesday-security-updates-for-march-2026-fixed-84-bugs.html
https://www.securityweek.com/microsoft-patches-83-vulnerabilities/
https://www.theregister.com/2026/03/10/zeroclick_microsoft_info_disclosure_bug/ - Adobe Patches 80 Vulnerabilities Across Eight Products
"Adobe on Tuesday announced patches for 80 vulnerabilities across 8 products, including Commerce, Illustrator, Acrobat Reader, and Premiere Pro. The company rolled out fixes for 19 flaws in Adobe Commerce and Magento Open Source, urging users to apply the patches within the next 30 days, based on these products being a known target for threat actors. The update resolves six high-severity bugs, five of which could lead to privilege escalation: CVE-2026-21290, CVE-2026-21361, CVE-2026-21284, CVE-2026-21311, and CVE-2026-21309. The sixth, tracked as CVE-2026-21289, leads to security feature bypass."
https://www.securityweek.com/adobe-patches-80-vulnerabilities-across-eight-products/ - LeakyLooker: Hacking Google Cloud’s Data Via Dangerous Looker Studio Vulnerabilities
"Tenable Research revealed "LeakyLooker," a set of nine novel cross-tenant vulnerabilities in Google Looker Studio. These flaws could have let attackers exfiltrate or modify data across Google services like BigQuery and Google Sheets. Google has since remediated all identified issues."
https://www.tenable.com/blog/leakylooker-google-cloud-looker-studio-vulnerabilities
https://thehackernews.com/2026/03/new-leakylooker-flaws-in-google-looker.html - Auditing The Gatekeepers: Fuzzing "AI Judges" To Bypass Security Controls
"As organizations scale AI operations, they increasingly deploy AI judges — large language models (LLMs) acting as automated security gatekeepers to enforce safety policies and evaluate output quality. Our research investigates a critical security issue in these systems: They can be manipulated into authorizing policy violations through stealthy input sequences, a type of prompt injection. To do this investigation, we designed an automated fuzzer for internal use for red-team style assessments called AdvJudge-Zero. Fuzzers are tools that identify software vulnerabilities by providing unexpected input, and we apply the same approach to attacking AI judges. It identifies specific trigger sequences that exploit a model's decision-making logic to bypass security controls."
https://unit42.paloaltonetworks.com/fuzzing-ai-judges-security-bypass/
Malware
- New ‘BlackSanta’ EDR Killer Spotted Targeting HR Departments
"For more than a year, a Russian-speaking threat actor targeted human resource (HR) departments with malware that delivers a new EDR killer named BlackSanta. Described as "sophisticated," the campaign mixes social engineering with advanced evasion techniques to steal sensitive information from compromised systems. It is unclear how the attack begins, but researchers at Aryaka, a network and security solutions provider, suspect that the malware is distributed via spear-phishing emails."
https://www.bleepingcomputer.com/news/security/new-blacksanta-edr-killer-spotted-targeting-hr-departments/
http://www.aryaka.com/docs/reports/blacksanta-edr-killer-threat-report.pdf
https://www.darkreading.com/threat-intelligence/blacksanta-edr-killer-hr-workflows
https://www.theregister.com/2026/03/10/malware_targeting_hr/
https://www.helpnetsecurity.com/2026/03/10/hr-recruiters-malware-resume/ - BeatBanker: A Dual‑mode Android Trojan
"Recently, we uncovered BeatBanker, an Android‑based malware campaign targeting Brazil. It spreads primarily through phishing attacks via a website disguised as the Google Play Store. To achieve their goals, the malicious APKs carry multiple components, including a cryptocurrency miner and a banking Trojan capable of completely hijacking the device and spoofing screens, among other things. In a more recent campaign, the attackers switched from the banker to a known RAT."
https://securelist.com/beatbanker-miner-and-banker/119121/
https://www.bleepingcomputer.com/news/security/new-beatbanker-android-malware-poses-as-starlink-app-to-hijack-devices/ - Antivirus And Endpoint Detection And Response Archive Scanning Engines May Not Properly Scan Malformed Zip Archives
"Malformed ZIP headers can cause antivirus and endpoint detection and response software (EDR) to produce false negatives. Despite the presence of malformed headers, some extraction software is still able to decompress the ZIP archive, allowing potentially malicious payloads to run upon file decompression."
https://kb.cert.org/vuls/id/976247
https://www.bleepingcomputer.com/news/security/new-zombie-zip-technique-lets-malware-slip-past-security-tools/ - Silence Of The Hops: The KadNap Botnet
"The Black Lotus Labs team at Lumen has discovered a sophisticated new malware named “KadNap.” This threat primarily targets Asus routers, conscripting them into a botnet that proxies malicious traffic. Since August 2025, we have been monitoring the growth of this network, which is now above 14,000 infected devices. KadNap employs a custom version of the Kademlia Distributed Hash Table (DHT) protocol, which is used to conceal the IP address of their infrastructure within a peer-to-peer system to evade traditional network monitoring. Infected devices use the DHT protocol to locate and connect with a command-and-control (C2) server, while defenders cannot easily find and add those C2s to threat lists."
https://blog.lumen.com/silence-of-the-hops-the-kadnap-botnet/
https://www.bleepingcomputer.com/news/security/new-kadnap-botnet-hijacks-asus-routers-to-fuel-cybercrime-proxy-network/
https://thehackernews.com/2026/03/kadnap-malware-infects-14000-edge.html - Sednit Reloaded: Back In The Trenches
"Since April 2024, Sednit’s advanced development team has reemerged with a modern toolkit centered on two paired implants, BeardShell and Covenant, each using a different cloud provider for resilience. This dual‑implant approach enabled long‑term surveillance of Ukrainian military personnel. Interestingly, these current toolsets show a direct code lineage to the group’s 2010‑era implants."
https://www.welivesecurity.com/en/eset-research/sednit-reloaded-back-trenches/
https://www.bleepingcomputer.com/news/security/apt28-hackers-deploy-customized-variant-of-covenant-open-source-tool/
https://thehackernews.com/2026/03/apt28-uses-beardshell-and-covenant.html
https://www.darkreading.com/cyber-risk/sednit-resurfaces-with-sophisticated-new-toolkit
https://therecord.media/russia-apt-28-revives-malware-to-spy-on-ukraine
https://securityaffairs.com/189230/apt/apt28-conducts-long-term-espionage-on-ukrainian-forces-using-custom-malware.html
https://www.helpnetsecurity.com/2026/03/10/sednit-espionage-toolkit-stealing-data/ - Study Finds ROME AI Agent Attempted Cryptomining Without Instructions
"A recent research paper describing the training of an experimental AI agent has started a discussion after the system attempted to start cryptocurrency mining without being instructed to do so. The incident was reported in a study published on arXiv that describes the development of ROME AI, an agentic AI model designed to perform complex, multi-step tasks such as writing software, debugging code, and interacting with command-line tools. Unlike standard AI chatbots that respond to single prompts, agentic models can take actions, use tools, and interact with computing environments to complete tasks."
https://hackread.com/rome-ai-agent-cryptomining-without-instructions/
https://arxiv.org/pdf/2512.24873 - North Korea Tried To Hack Our CEO Through a Fake Job Interview On LinkedIn
"If you're a founder, CTO, or senior engineer in crypto or Web3, you already know: the recruiter DMs never stop. LinkedIn is a constant stream of unsolicited pitches. Most are legitimate. This one wasn't. A LinkedIn member — later identified as operating under the name "Nazar" — messaged me out of the blue about a role at 0G Labs, pitching it as "a fast-growing team building the first decentralized AI operating system." The message included a polished Google Docs job description and a Calendly link to book a call with the "hiring manager" — Pedro Perez de Ayala."
https://www.allsecure.io/blog/lazarus-linkedin-attack/
https://hackread.com/fake-linkedin-interview-lazarus-hackers-allsecure-ceo/ - Behind The Console: Active Phishing Campaign Targeting AWS Console Credentials
"Datadog Security Research identified a credential-harvesting campaign targeting AWS Console users through typosquatted domains that mimic AWS infrastructure naming conventions. The operation uses real-time adversary-in-the-middle (AiTM) proxying to capture validated credentials and session material. We identified two active phishing infrastructure clusters and a third related domain sharing registrar metadata. In one observed case, the operator authenticated to a compromised AWS account within 20 minutes of credential submission."
https://securitylabs.datadoghq.com/articles/behind-the-console-aws-aitm-phishing-campaign/
https://www.helpnetsecurity.com/2026/03/10/aitm-phishing-aws-accounts/ - FortiGate Edge Intrusions | Stolen Service Accounts Lead To Rogue Workstations And Deep AD Compromise
"Throughout early 2026, SentinelOne’s
Digital Forensics & Incident Response (DFIR) team has responded to several incidents where FortiGate Next-Generation Firewall (NGFW) appliances have been compromised to establish a foothold into the targeted environment. Each incident was detected and stopped during the lateral movement phase of the attack. Fortinet has disclosed and issued patches for several high-severity vulnerabilities allowing unauthorized access during the activity period of our investigations."
https://www.sentinelone.com/blog/fortigate-edge-intrusions/
https://thehackernews.com/2026/03/fortigate-devices-exploited-to-breach.html
https://securityaffairs.com/189241/security/attackers-exploit-fortigate-devices-to-access-sensitive-network-information.html - Finnish Intelligence Warns Of Persistent Cyber Espionage From Russia, China
"Finland’s intelligence service warned that Russia and China continue to conduct extensive cyberespionage and influence operations targeting the country’s technology sector, research institutions and government, according to a new national security assessment released Tuesday. The Finnish Security and Intelligence Service (SUPO), which is responsible for foreign intelligence as well as domestic counterintelligence, was last year reorganized to “enhance information gathering."
https://therecord.media/finnish-intel-warns-espionage-china-russia - When Trusted Websites Turn Malicious: WordPress Compromises Advance Global Stealer Operation
"Rapid7 Labs has identified and analyzed an ongoing, widespread compromise of legitimate, potentially highly trusted WordPress websites, misused by an unidentified threat actor to inject a ClickFix implant impersonating a Cloudflare human verification challenge (CAPTCHA). The lure is designed to infect visitors with a multi-stage malware chain that ultimately steals and exfiltrates credentials and digital wallets from Windows systems. The stolen credentials can subsequently be used for financial theft or to conduct further, more targeted attacks against organizations."
https://www.rapid7.com/blog/post/tr-malicious-websites-wordpress-compromise-advances-global-stealer-operation/
https://www.theregister.com/2026/03/10/crooks_hijack_wordpress_sites/ - Aye-Coruna: Tracing The iOS Exploit Kit From Ukraine To Iran War Lures
"On March 3, 2026, Google Threat Intelligence Group (GTIG) and the iVerify Team both detailed findings related to an exploit kit targeting Apple iPhone users nicknamed “Coruna,” publishing indicators related to initial exploit exposure (the infection vector), configuration and implant servers, and C2 communication. Examples of the implants are also published on Github by matteyeux. First appearing in February 2025, the iOS exploitation kit is significant due to its breadth and mass deployment."
https://www.validin.com/blog/aye_coruna_ios_exploit_kit_c2/ - Fake ImToken Chrome Extension Steals Seed Phrases Via Phishing Redirects
"Socket’s Threat Research Team uncovered a malicious Chrome extension, lmΤoken Chromophore (extension ID bbhaganppipihlhjgaaeeeefbaoihcgi), that impersonates imToken while presenting itself as a hex color visualizer in the Chrome Web Store. Instead of providing the harmless tool it promises, the extension automatically opens a threat actor-controlled phishing site as soon as it is installed, and again whenever the user clicks it."
https://socket.dev/blog/fake-imtoken-chrome-extension-steals-seed-phrases-via-phishing-redirects - Through The Lens Of MDR: Analysis Of KongTuke’s ClickFix Abuse Of Compromised WordPress Sites
"In January 2026, Huntress researchers identified a new initial access technique used by the threat actor KongTuke, dubbed as “CrashFix”. In this ClickFix variation, the users are tricked into installing a malicious Chrome extension that displays a fake security warning, stating that the browser has “stopped abnormally.” It then prompts the unsuspecting users to follow remediation instructions. Once they follow the instructions, they’ll inadvertently execute a malicious PowerShell command."
https://www.trendmicro.com/en_us/research/26/c/kongtuke-clickfix-abuse-of-compromised-wordpress-sites.html
Breaches/Hacks/Leaks
- Cal AI, New Owner Of MyFitnessPal, Hit By Alleged Breach Of 3 Million Users
"A hacker using the alias “vibecodelegend” is claiming responsibility for breaching Cal AI, a smartphone application that uses artificial intelligence to track calories and nutritional information. The alleged breach was announced on Monday, March 9, 2026, through a post on the cybercrime marketplace BreachForums. Cal AI has grown rapidly in popularity due to its use of artificial intelligence to help users track calories by analyzing food images and nutritional information. The platform recently attracted further attention after acquiring the widely used fitness app MyFitnessPal, expanding its presence in the health and nutrition tracking market."
https://hackread.com/cal-ai-myfitnesspal-data-breach-3m-users/
General News
- Stop Chasing Threats, Start Containing Them
"Security teams aren't short on tools or effort. Yet many organizations are still falling behind. According to Cyderes' recent white paper, 88% of organizations maintain a security operations center but only 45% report effectiveness in proactive threat hunting. The picture is clear: SOCs are overwhelmed and additional investments aren't closing the gap. Alerts are piling up. Talent is burning out. Identity is fragmented across IT, security and HR, with no clear ownership. As cloud workloads grow, confidence in stopping identity-based attacks remains low."
https://www.bankinfosecurity.com/blogs/stop-chasing-threats-start-containing-them-p-4058
https://www.cyderes.com/hubfs/FINAL WhitePaper Design_02_18_26.pdf - Global Cyber Attacks Remain Near Record Highs In February 2026 Despite Ransomware Decline
"In February 2026, global cyber attack activity remained near record levels, confirming that elevated attack volumes are becoming the new normal for organizations worldwide. The average number of weekly cyber attacks per organization reached 2,086, representing a 9.6% increase year over year, while remaining essentially flat month over month (-0.2% compared to January 2026). This stabilization at a high baseline reflects a sustained pressure environment rather than a short‑term surge."
https://blog.checkpoint.com/research/global-cyber-attacks-remain-near-record-highs-in-february-2026-despite-ransomware-decline/ - Teen Crew Caught Selling DDoS Attack Tools
"Seven minors who distributed online programs designed to facilitate DDoS attacks have been identified by Poland’s Central Bureau for Combating Cybercrime (CBZC). They were between 12 and 16 at the time of the crime. According to investigators, using the tools they administered, the minors attacked popular websites, including auction and sales portals, IT domains, hosting services and accommodation booking sites. The activity was profit-driven, with the suspects earning money from the operation."
https://www.helpnetsecurity.com/2026/03/10/poland-minors-identified-distributing-ddos-attack-tools/
https://www.theregister.com/2026/03/10/poland_ddos_teens_bust/ - Airbus CSO On Supply Chain Blind Spots, Space Threats, And The Limits Of AI Red-Teaming
"Pascal Andrei, CSO at Airbus, knows that the aerospace and defense sector is facing a threat environment that is evolving faster than most organizations can track. From sub-tier suppliers quietly becoming entry points for state-backed attackers, to satellites emerging as targets in an increasingly contested space domain, the risks are real and growing. In this interview with Help Net Security, Andrei addresses the blind spots that defenders are underestimating, the gap between compliance paperwork and actual security outcomes, and why current AI red-teaming models fall dangerously short."
https://www.helpnetsecurity.com/2026/03/10/pascal-andrei-airbus-aerospace-defense-cybersecurity/ - The People Behind Cyber Extortion Are Often In Their Forties
"Many cybercrime investigations end with arrests or indictments that reveal little about the people behind the operations. When authorities do disclose demographic details, the pattern that emerges does not match the common assumption that cyber offenders are mostly very young. Analysis in the Security Navigator 2026 report from Orange Cyberdefense points to a different age profile, with a strong concentration of offenders in mid-career adulthood."
https://www.helpnetsecurity.com/2026/03/10/cyber-extortion-cybercrime-age-profile/ - Bug Bounties Are Broken, And The Best Security Pros Are Moving On
"Penetration testing engagements are organized as scheduled contracts with defined scope, set testing windows, and direct communication channels with client teams. Cobalt’s 2026 Pentester Profile Report describes growing preference for penetration testing as a service (PTaaS) and contract-based testing models. Many participants prefer contract-based testing over open bug bounty programs and prioritize predictable professional income tied to guaranteed engagements. Pentesting serves as the primary occupation for a large share of this group. Most participants bring years of field experience and describe career goals centered on staying hands-on and maintaining technical standards."
https://www.helpnetsecurity.com/2026/03/10/cobalt-ptaas-gains-pentester-support/ - Only 24% Of Organizations Test Identity Recovery Every Six Months
"Just 24% of organizations test their identity disaster recovery plans every six months, according to new research which examined how businesses prepare for identity-focused cyber-attacks. The findings suggested that despite rising investment in identity threat detection and response (ITDR), many organizations remain poorly prepared to restore critical authentication systems after a breach. The data comes from Quest Software’s latest report, a global survey of 650 IT and security practitioners and executives. The study found that many companies place heavy emphasis on preventative controls and threat detection while neglecting response and recovery readiness."
https://www.infosecurity-magazine.com/news/organizations-test-identity-sec-6/ - SIM Swaps Expose a Critical Flaw In Identity Security
"For years, organizations have treated mobile phone numbers as trusted identity anchors. They are used to reset passwords, deliver one-time passcodes, and verify user identity. That trust is now fundamentally misplaced. SIM swap attacks have exposed a structural weakness in how identity is verified, recovered, and monitored across consumer and enterprise systems. In a SIM swap attack, criminals persuade a mobile carrier representative — often through social engineering or insider collusion — to transfer a victim’s phone number to a SIM card under the attacker’s control."
https://www.securityweek.com/sim-swaps-expose-a-critical-flaw-in-identity-security/ - Protecting Democracy Means Democratizing Cybersecurity. Bring On The Hackers
"The hacker mind is a curious way to be. To have it means to embody endless analytical curiosity, an awareness of any given rule set as just one system among many, and an ability to see any system in ways that its creators never expected. Combine this with a drive to find the bad and make things better, and you become one of the fundamental forces of the technological universe."
https://www.theregister.com/2026/03/10/democratizing_security_opinion/ - CISOs In a Pinch: A Security Analysis Of OpenClaw
"The viral rise of OpenClaw (formerly Clawdbot) marks the end of the "chatbot" era and the beginning of the "sovereign agent" era. While the productivity gains of having a locally hosted AI that controls your terminal are immense, the security implications are catastrophic. We are effectively granting root access to probabilistic models that can be tricked by a simple WhatsApp message. The "Lethal Trifecta" of AI security just got a fourth dimension: Persistence."
https://www.trendmicro.com/en_us/research/26/c/cisos-in-a-pinch-a-security-analysis-openclaw.html
อ้างอิง
Electronic Transactions Development Agency (ETDA) 
แหล่งอ้างอิง: Hackread (
️ ThaiCERT ได้ติดตามสถานการณ์ภัยคุกคามทางไซเบอร์ และพบประกาศด้านความมั่นคงปลอดภัยจาก WatchGuard เกี่ยวกับช่องโหว่ CVE-2026-3342 ซึ่งเป็นช่องโหว่ประเภท Out-of-bounds Write ใน WatchGuard Fireware OS โดยอาจเปิดโอกาสให้ ผู้โจมตีที่ยืนยันตัวตนแล้วและมีสิทธิ์ผู้ดูแลระดับ privileged administrator สามารถใช้ management interface ที่เปิดเข้าถึงได้ เพื่อ รันโค้ดด้วยสิทธิ์ root บนอุปกรณ์ที่ได้รับผลกระทบ ส่งผลให้มีความเสี่ยงสูงต่อการถูกยึดระบบหรือแก้ไขการตั้งค่าความมั่นคงปลอดภัยของอุปกรณ์.
