สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

ตรวจพบช่องโหว่ร้ายแรงในกลไก React Server Components (RSC) และ Flight Protocol ซึ่งเป็นส่วนที่ทำให้ React ประมวลผล UI และดึงข้อมูลบนฝั่ง server ก่อนส่งผลลัพธ์ไปประกอบบนฝั่งผู้ใช้ หากถูกโจมตี ผู้ไม่หวังดีสามารถส่ง HTTP Request ที่ถูกปรับแต่งพิเศษเพื่อทำให้ server รันโค้ดที่ไม่พึงประสงค์ได้ทันที (Unauthenticated RCE) โดยไม่ต้องล็อกอินหรือมีสิทธิ์ใด ๆ

กลุ่มระบบที่ “เข้าข่ายเสี่ยง”
•เว็บไซต์หรือระบบที่ใช้ React ในการพัฒนาโปรแกรม และรองรับ RSC
•โปรเจกต์ที่ติดตั้งแพ็กเกจในตระกูล react-server-dom-*
•แม้ไม่ได้สร้าง Server Functions เอง แต่หาก Framework รองรับ RSC → ยังเสี่ยงอยู่
•แอปพลิเคชันฝั่ง Client-only หรือไม่ใช้ RSC → ไม่เข้าข่าย

แพ็กเกจ/เวอร์ชันที่ต้องรีบตรวจสอบ
หากพบแพ็กเกจด้านล่าง และเวอร์ชันเป็น 19.0.0 / 19.1.0 / 19.1.1 / 19.2.0
ถือว่า เสี่ยงทันที
1.react-server-dom-webpack
2.react-server-dom-parcel
3.react-server-dom-turbopack

แนวทางตรวจสอบและบรรเทาความเสี่ยง

1. ตรวจสอบว่ามีแพ็กเกจเสี่ยงหรือไม่
   ใช้คำสั่ง:
   npm ls react-server-dom-webpack react-server-dom-parcel react-server-dom-turbopack
   คำสั่งนี้จะค้นหาแพ็กเกจในตระกูล react-server-dom-* ซึ่งเป็นตัวบ่งชี้ความเสี่ยงสำคัญ
2. ผู้ใช้ Next.js ให้ตรวจสอบเพิ่มเติม
   Next.js มีเครื่องมือช่วยสแกนความเสี่ยง:
   npx fix-react2shell-next
3. วิธีตรวจสอบในสภาพแวดล้อมจริง (สำคัญมาก)
   โดยเฉพาะระบบที่ใช้ Docker / Container
   ควรตรวจสอบว่า:
   •dependency ภายใน container เป็นเวอร์ชันเดียวกับใน source code
   •ไม่มี build layer เก่าค้างอยู่ใน image
   •CI/CD pipeline build image ใหม่ทุกครั้งหลังอัปเดตแพ็กเกจ
   •ใช้ image ที่ผ่านการ build และ patch เวอร์ชันล่าสุดแล้ว
   หลายระบบพบว่า container ที่รันจริงใช้แพ็กเกจเก่า แม้ source code จะ update แล้ว
4. อัปเดตแพตช์เป็นเวอร์ชันที่ปลอดภัย ได้แก่:
   React
   •19.0.1
   •19.1.2
   •19.2.1
   Next.js
   •15.0.5 / 15.1.9 / 15.2.6 / 15.3.6 / 15.4.8 / 15.5.7
   •16.0.7
   แนะนำให้อัปเดต ทั้ง React + Framework เพื่อความปลอดภัยสูงสุด
   สำหรับผู้ใช้งานทั่วไป
   ช่องโหว่นี้กระทบ ผู้ให้บริการเว็บไซต์และทีมพัฒนา ไม่ได้กระทบผู้ใช้โดยตรง หากเว็บไซต์บางแห่งปิดปรับปรุงหรือให้บริการช้าลงในช่วงนี้ เป็นเพราะผู้ดูแลอยู่ระหว่างอัปเดตแพตช์เพื่อความปลอดภัย
   ️ ระดับความเร่งด่วน
   มีรายงานว่าเริ่มพบการโจมตีจริงแล้วหลังเปิดเผยช่องโหว่ไม่นาน
   ขอให้ผู้ดูแลระบบรีบตรวจสอบแพ็กเกจของตน อัปเดตแพตช์ และตรวจสอบความผิดปกติของระบบทันที

ด้วยความปรารถนาดี สำนักงานคณะกรรมการการรักษาความมั่นคงปลอดภัยไซเบอร์แห่งชาติ (สกมช.) / ThaiCERT

ที่มา
[1]: https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components "Critical Security Vulnerability in React Server Components – React"
[2]: https://nextjs.org/blog/CVE-2025-66478 "Security Advisory: CVE-2025-66478 | Next.js"
[3]: https://unit42.paloaltonetworks.com/cve-2025-55182-react-and-cve-2025-66478-next/ "Critical Vulnerabilities in React Server Components and Next.js"
[4]: https://github.com/facebook/react/security/advisories/GHSA-fv66-9v8q-g76r "Critical Security Vulnerability in React Server Components · Advisory · facebook/react · GitHub"
[5]: https://thehackernews.com/2025/12/chinese-hackers-have-started-exploiting.html?utm_source=chatgpt.com "Chinese Hackers Have Started Exploiting the Newly Disclosed React2Shell Vulnerability"

ตรวจพบช่องโหว่ร้ายแรงในระบบภายในของชิปโทรศัพท์มือถือ เสี่ยงถูกแฮกโดยไม่ต้องกดหรือโต้ตอบใด ๆ รีบอัปเดตระบบด่วน️

สำนักงานคณะกรรมการการรักษาความมั่นคงปลอดภัยไซเบอร์แห่งชาติ (สกมช.) / ThaiCERT ขอแจ้งเตือนภัยเกี่ยวกับช่องโหว่หมายเลข CVE-2025-21483 ระดับ Critical คะแนน CVSS 9.8 ซึ่งส่งผลกระทบต่อสมาร์ตโฟน Android ที่ใช้ชิปเซ็ต Qualcomm Snapdragon

ช่องโหว่นี้ถูกตรวจพบและเผยแพร่ข้อมูลในปี 2568
• ผู้ผลิตชิปและผู้ผลิตมือถือออกแพตช์รักษาความปลอดภัย ตั้งแต่ช่วง พฤศจิกายน - ธันวาคม 2568
• ผู้ใช้งานที่ยังไม่ได้อัปเดตเป็นปัจจุบัน ยังเสี่ยงต่อการถูกโจมตี

ช่องทางที่อาจถูกใช้ในการโจมตี
แฮกเกอร์สามารถโจมตีผ่านการส่งข้อมูลจากอินเทอร์เน็ตสู่โทรศัพท์ ซึ่งระบบจะประมวลผลข้อมูลโดยอัตโนมัติ เช่น
• SMS/MMS โดยเฉพาะข้อความแนบภาพหรือวิดีโอ
• แอปพลิเคชันแชทที่มีการโทรผ่านอินเทอร์เน็ต เช่น WhatsApp, LINE, Messenger — การประมวลผลสัญญาณ "การโทรเข้า" อาจเรียกใช้ระบบที่มีช่องโหว่
• ข้อมูลจากอินเทอร์เน็ตบางรูปแบบ ที่ทำให้ระบบในเครื่องเริ่มทำงานอัตโนมัติ (เป็นข้อมูลที่ถูกทำขึ้นมาเฉพาะเพื่อโจมตีระบบ)
เมื่อข้อมูลเหล่านี้เข้ามา เครื่องจะประมวลผลเองทันที หากยังมีช่องโหว่ อาจถูกโจมตีได้โดยที่ผู้ใช้ไม่รู้ตัว

ทำไมไม่ต้องกดลิงก์ก็โดนได้
รูปแบบการโจมตี Zero-Click ผู้ใช้งาน ไม่ต้องกด ไม่ต้องเปิด และไม่ต้องโต้ตอบใด ๆ ระบบก็สามารถถูกโจมตีได้
• โทรศัพท์มือถือจะประมวลผลข้อมูลบางส่วนโดยอัตโนมัติ เพื่อแสดงการแจ้งเตือน เช่น มีคนโทรเข้าหรือได้รับ MMS
• แฮกเกอร์แนบคำสั่งอันตรายไว้ในข้อมูลเหล่านั้น
• ระหว่างที่ระบบกำลังประมวลผลข้อมูล คำสั่งอันตรายนั้นจะทำงานทันที โดยผู้ใช้ไม่ต้องกดลิงก์ รับสาย หรือโต้ตอบใด ๆ

ผู้ที่ได้รับผลกระทบ
• ผู้ที่ใช้สมาร์ตโฟนระบบ Android ทุกยี่ห้อ ควรจะตรวจสอบหากพบว่ายังไม่ได้อัปเดตแพตช์ความปลอดภัยล่าสุด ควรรีบดำเนินการ

️ สัญญาณที่อาจบ่งบอกว่าอาจจะถูกโจมตีแล้ว
· เครื่องร้อนผิดปกติขณะไม่ได้ใช้งาน
· แบตเตอรี่ลดลงรวดเร็วผิดปกติในช่วงเวลาสั้น ๆ
· การใช้อินเทอร์เน็ตพุ่งสูงผิดปกติ
· มีการแจ้งเตือนการโทรเข้า หรือข้อความ แปลก ๆ ที่ไม่ทราบที่มา
หากพบอาการเหล่านี้ร่วมกับการยังไม่ได้อัปเดตแพตช์ความปลอดภัย ถือว่ามีความเสี่ยง

️ วิธีป้องกัน (ควรทำทันที!)
อัปเดตแพตช์ความปลอดภัยเป็นเวอร์ชันล่าสุด
ขั้นตอนการอัปเดต

1. ไปที่ การตั้งค่า (Settings)
2. เลือก อัปเดตซอฟต์แวร์ / เกี่ยวกับโทรศัพท์ (Software Update / About Phone)
3. กด ดาวน์โหลดและติดตั้ง (Download and Install)
4. หากมีอัปเดต ให้ติดตั้งทันที
5. ตรวจสอบว่าแพตช์ความปลอดภัยเป็นเดือน พฤศจิกายน หรือ ธันวาคม 2568

ข้อควรทำก่อนอัปเดต (สำคัญมาก)

1. เชื่อมต่อ Wi-Fi เพื่อความเสถียรและประหยัดเน็ต
2. ชาร์จแบตเตอรี่ให้มีอย่างน้อย 75% ป้องกันเครื่องดับระหว่างดำเนินการ

️ หากอัปเดตไม่ได้/ไม่สำเร็จ
• เช็กพื้นที่จัดเก็บข้อมูล: หากพื้นที่ว่างไม่พอ ระบบอาจไม่ดาวน์โหลดไฟล์อัปเดต ให้ลบไฟล์ที่ไม่จำเป็นออกก่อน
• อุปกรณ์รุ่นเก่า: โทรศัพท์รุ่นเก่าบางรุ่นอาจไม่รองรับ Android เวอร์ชันใหม่หรือแพตช์ความปลอดภัยล่าสุด โปรดตรวจสอบกับผู้ผลิตโทรศัพท์ของท่าน
• สำหรับผู้ที่ยังไม่มีให้อัปเดต หรือใช้เครื่องรุ่นเก่า หากเช็กแล้วยังไม่มีแพตช์ใหม่มา ให้ทำดังนี้เพื่อลดความเสี่ยงชั่วคราว:

1. ปิดการรับ MMS อัตโนมัติ: ไปที่แอปข้อความ (Messages) > การตั้งค่า > ปิด "ดาวน์โหลด MMS อัตโนมัติ" (Auto-retrieve MMS)
2. หลีกเลี่ยงการเปิดไฟล์แปลกปลอมจากคนที่ไม่รู้จักในทุกช่องทาง

ย้ำ! การอัปเดตนี้ฟรีและข้อมูลในเครื่องไม่หาย (เช่น รูปภาพ, รายชื่อผู้ติดต่อ) รีบดำเนินการอัปเดตโดยเร็วที่สุด เพื่อความปลอดภัยของข้อมูลส่วนบุคคลของท่าน

ด้วยความปรารถนาดี
สำนักงานคณะกรรมการการรักษาความมั่นคงปลอดภัยไซเบอร์แห่งชาติ (สกมช.) / ThaiCERT

ที่มา 1.: https://support.google.com/android/answer/7680439
2. https://source.android.com/docs/security/bulletin/2025-11-01?utm&hl=th
3. https://nvd.nist.gov/vuln/detail/CVE-2025-21483

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

เมื่อวันที่ 3 ธันวาคม 2025 Cybersecurity and Infrastructure Security Agency (CISA) ได้เพิ่มช่องโหว่ใหม่ 1 รายการลงในแคตตาล็อก Known Exploited Vulnerabilities (KEV) จากหลักฐานที่พบว่ามีการโจมตีใช้งานจริงแล้ว ดังนี้

• CVE-2021-26828 OpenPLC ScadaBR Unrestricted Upload of File with Dangerous Type Vulnerability

ทั้งนี้ คำสั่ง BOD 22-01 ของ CISA กำหนดให้มี แคตตาล็อก Known Exploited Vulnerabilities (KEV) เพื่อรวบรวมช่องโหว่ (CVEs) ที่มีความเสี่ยงสูงและถูกใช้งานโจมตีจริง หน่วยงาน Federal Civilian Executive Branch (FCEB) ต้องดำเนินการแก้ไขช่องโหว่ที่ระบุภายในเวลาที่กำหนด เพื่อปกป้องเครือข่ายจากภัยคุกคาม

ทาง CISA จะปรับปรุงและเพิ่มช่องโหว่ใหม่เข้าสู่แคตตาล็อก KEV อย่างต่อเนื่อง เพื่อให้ครอบคลุมความเสี่ยงที่ตรวจพบจริงในปัจจุบันและอนาคต

อ้างอิง
https://www.cisa.gov/news-events/alerts/2025/12/03/cisa-adds-one-known-exploited-vulnerability-catalog
สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

Industrial Sector

• CISA, Australia, And Partners Author Joint Guidance On Securely Integrating Artificial Intelligence In Operational Technology
  "CISA and the Australian Signals Directorate’s Australian Cyber Security Centre, in collaboration with federal and international partners, have released new cybersecurity guidance: Principles for the Secure Integration of Artificial Intelligence in Operational Technology. This guidance aims to help critical infrastructure owners and operators integrate artificial intelligence (AI) into operational technology (OT) systems securely, balancing the benefits of AI—such as increased efficiency, enhanced decision-making, and cost savings—with the unique risks it poses to the safety, security, and reliability of OT environments."
  https://www.cisa.gov/news-events/alerts/2025/12/03/cisa-australia-and-partners-author-joint-guidance-securely-integrating-artificial-intelligence
  https://www.cisa.gov/resources-tools/resources/principles-secure-integration-artificial-intelligence-operational-technology
  https://www.cisa.gov/sites/default/files/2025-12/joint-guidance-principles-for-the-secure-integration-of-artificial-intelligence-in-operational-technology-508c.pdf

New Tooling

• Portmaster: Open-Source Application Firewall
  "Portmaster is a free and open source application firewall built to monitor and control network activity on Windows and Linux. The project is developed in the EU and is designed to give users stronger privacy without asking them to manage every rule by hand."
  https://www.helpnetsecurity.com/2025/12/03/portmaster-open-source-application-firewall/
  https://github.com/safing/portmaster

Vulnerabilities

• Attackers Actively Exploiting Critical Vulnerability In King Addons For Elementor Plugin
  "On July 24th, 2025, we received a submission for a Privilege Escalation vulnerability in King Addons for Elementor, a WordPress plugin with more than 10,000 active installations. This vulnerability makes it possible for an unauthenticated attacker to grant themselves administrative privileges by specifying the administrator user role during registration. The vendor released the patched version on September 25th, 2025, and we originally disclosed this vulnerability in the Wordfence Intelligence vulnerability database on October 30th, 2025. Our records indicate that attackers started exploiting the issue the next day, on October 31st, 2025. The Wordfence Firewall has already blocked over 48,400 exploit attempts targeting this vulnerability."
  https://www.wordfence.com/blog/2025/12/attackers-actively-exploiting-critical-vulnerability-in-king-addons-for-elementor-plugin/
  https://www.bleepingcomputer.com/news/security/critical-flaw-in-wordpress-add-on-for-elementor-exploited-in-attacks/
  https://thehackernews.com/2025/12/wordpress-king-addons-flaw-under-active.html
  https://securityaffairs.com/185286/hacking/king-addons-flaw-lets-anyone-become-wordpress-admin.html
  https://www.securityweek.com/critical-king-addons-vulnerability-exploited-to-hack-wordpress-sites/
• Critical Security Vulnerability In React Server Components
  "On November 29th, Lachlan Davidson reported a security vulnerability in React that allows unauthenticated remote code execution by exploiting a flaw in how React decodes payloads sent to React Server Function endpoints. Even if your app does not implement any React Server Function endpoints it may still be vulnerable if your app supports React Server Components. This vulnerability was disclosed as CVE-2025-55182 and is rated CVSS 10.0."
  https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
  https://www.wiz.io/blog/critical-vulnerability-in-react-cve-2025-55182
  https://thehackernews.com/2025/12/critical-rsc-bugs-in-react-and-nextjs.html
  https://www.darkreading.com/vulnerabilities-threats/critical-react-flaw-triggers-immediate-action
  https://cyberscoop.com/react-server-vulnerability-critical-severity-security-update/
  https://www.theregister.com/2025/12/03/exploitation_is_imminent_react_vulnerability/
• Chrome 143 Patches High-Severity Vulnerabilities
  "Google on Tuesday promoted Chrome 143 to the stable channel with patches for 13 vulnerabilities reported by external researchers. The fresh round of Chrome patches resolves four high-severity flaws, including a type confusion issue in the V8 JavaScript and WebAssembly engine, tracked as CVE-2025-13630. The remaining high-severity defects include inappropriate implementation bugs in Google Updater (CVE-2025-13631) and DevTools (CVE-2025-13632), and a use-after-free flaw in Digital Credentials (CVE-2025-13633)."
  https://www.securityweek.com/chrome-143-patches-high-severity-vulnerabilities/
• CISA Adds One Known Exploited Vulnerability To Catalog
  "CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
  CVE-2021-26828 OpenPLC ScadaBR Unrestricted Upload of File with Dangerous Type Vulnerability"
  https://www.cisa.gov/news-events/alerts/2025/12/03/cisa-adds-one-known-exploited-vulnerability-catalog
• Microsoft "mitigates" Windows LNK Flaw Exploited As Zero-Day
  "Microsoft has silently "mitigated" a high-severity Windows LNK vulnerability exploited by multiple state-backed and cybercrime hacking groups in zero-day attacks. Tracked as CVE-2025-9491, this security flaw allows attackers to hide malicious commands within Windows LNK files, which can be used to deploy malware and gain persistence on compromised devices. However, the attacks require user interaction to succeed, as they involve tricking potential victims into opening malicious Windows Shell Link (.lnk) files. Threat actors distribute these files in ZIP or other archives because email platforms commonly block .lnk attachments due to their risky nature."
  https://www.bleepingcomputer.com/news/microsoft/microsoft-mitigates-windows-lnk-flaw-exploited-as-zero-day/
  https://thehackernews.com/2025/12/microsoft-silently-patches-windows-lnk.html
  https://www.securityweek.com/microsoft-silently-mitigated-exploited-lnk-vulnerability/

Malware

• Shai-Hulud V2 Poses Risk To NPM Supply Chain
  "On November 24, 2025, security researchers detected a second wave of the Shai-Hulud malware campaign targeting the npm ecosystem. Dubbed The Second Coming by its operators, Shai-Hulud V2 builds upon its predecessor, Shai-Hulud V1, and has established itself as an aggressive software supply chain attack. Within hours of its initial detection, the campaign had compromised over 700 npm packages, created more than 27,000 malicious GitHub repositories, and exposed approximately 14,000 secrets across 487 organizations."
  https://www.zscaler.com/blogs/security-research/shai-hulud-v2-poses-risk-npm-supply-chain
• Technical Analysis Of Matanbuchus 3.0
  "Matanbuchus is a malicious downloader, written in C++, which has been offered as a Malware-as-a-Service (MaaS) since 2020. Over this time, Matanbuchus has undergone several development stages. In July 2025, version 3.0 of Matanbuchus was identified in-the-wild. Matanbuchus offers threat actors the option to deploy additional payloads and perform hands-on keyboard activity via shell commands. Despite its simplicity, Matanbuchus has been more recently associated with ransomware operations."
  https://www.zscaler.com/blogs/security-research/technical-analysis-matanbuchus-3-0
• Hook For Gold: Inside GoldFactory's Сampaign That Turns Apps Into Goldmines
  "In February 2024, Group-IB uncovered sophisticated mobile threat campaigns that show how fast banking malware is evolving across the Asia-Pacific region. Ongoing monitoring of this evolving threat revealed a surge of aggressive mobile Trojans targeting both iOS and Android users, all operated by a single threat actor tracked as GoldFactory. Since releasing our initial report, we have continued to monitor the group’s activity and our latest research sheds light on how cybercriminals have evolved in their tactics and tools."
  https://www.group-ib.com/blog/turning-apps-into-gold/
• V3G4 Botnet Evolves: From DDoS To Covert Cryptomining
  "Cyble Research & Intelligence Labs (CRIL) has identified an active Linux-targeting campaign that deploys a Mirai-derived botnet, paired with a stealthy, fileless-configured cryptominer. The threat actor employs a multi-stage infection chain starting with a downloader that delivers architecture-specific V3G4 binaries across x86_64, ARM, and MIPS systems. Once active, the bot masquerades as systemd-logind, performs environment reconnaissance, conducts large-scale raw-socket SSH scanning, maintains persistent C2 communication, and ultimately launches a concealed XMRig-based Monero miner dynamically configured at runtime."
  https://cyble.com/blog/v3g4-mirai-botnet-evolves/
• DIANNA Explains 4: Nimbus Manticore—Monstrous Malware
  "Hey humans, DIANNA here. I’m back again with another malware teardown. This time, we're looking at a piece of malware called Nimbus Manticore, and I'll say this upfront—whoever named this malware has a flair for the dramatic. The capabilities, though? All business. Nimbus Manticore represents a serious challenge for organizations because it's not just designed to compromise a single endpoint. It's built to move laterally through your network, escalate privileges, and establish a persistent presence across multiple systems."
  https://www.deepinstinct.com/blog/dianna-explains-4-nimbus-manticore-monstrous-malware
• How a Fake ChatGPT Installer Tried To Steal My Password
  "Over the Thanksgiving holiday, I embarked on a small project to evaluate AI browsers, including the buzzy ChatGPT Atlas. Like most people, I clicked the first result I saw: a sponsored link. The page looked nearly identical to the real Atlas site: same layout, design, copy. The only subtle giveaway was the domain: a Google Sites URL. That’s increasingly common in modern phishing kits—tools like v0.dev make it trivial to clone a legitimate site in minutes, and hosting on Google Sites adds a false sense of credibility for anyone who thinks Google = trustworthy. Given our work here at Fable, I was pretty excited to have stumbled on this, and decided to give it a whirl and see just how much damage I could cause."
  https://fablesecurity.com/blog-chatgpt-installer-stole-my-password/
  https://hackread.com/fake-chatgpt-atlas-clickfix-steal-passwords/
• French NGO Reporters Without Borders Targeted By Calisto In Recent Campaign
  "In May and June 2025, TDR team analysts were contacted by two organisations — including the French NGO Reporters Without Borders (RSF) — over suspicions of a new spear phishing attempts by the intrusion set Calisto (also known as ColdRiver or Star Blizzard). Calisto is a Russia-nexus intrusion set active since at least April 2017, attributed by the USA, the UK, New Zealand and Australia to the Russian intelligence service FSB, more specifically to the Center 18 for Information Security (TsIB), military unit 64829, also known to operate the intrusion set Gamaredon. Sekoia.io concurs with such attribution as past Calisto operations investigated by TDR analyst showed objectives and victimology that align closely with Russian strategic interests."
  https://blog.sekoia.io/ngo-reporters-without-borders-targeted-by-calisto-in-recent-campaign/
  https://www.infosecurity-magazine.com/news/star-blizzard-targets-reporters/
• The $9M yETH Exploit: How 16 Wei Became Infinite Tokens
  "On November 30, 2025, Check Point Research detected a critical exploit targeting Yearn Finance’s yETH pool on Ethereum. Within hours, approximately $9 million was stolen from the protocol. The attacker achieved this by minting an astronomical number of tokens—235 septillion yETH (a 41-digit number)—while depositing only 16 wei, worth approximately $0.000000000000000045. This represents one of the most capital-efficient exploits in DeFi history."
  https://research.checkpoint.com/2025/16-wei/
  https://www.infosecurity-magazine.com/news/yearn-finance-yeth-pool-exploit/
• DNS Uncovers Infrastructure Used In SSO Attacks
  "We recently received a tip from a customer that their institution was under recurring attacks that targeted their student single sign-on (SSO) portal. The threat actor leveraged Evilginx (likely version 3.0), an open source, advanced phishing adversary-in-the-middle (AITM, aka MITM) framework designed to steal login credentials and session cookies. Evilginx is widely used by cybercriminals to undermine multi-factor authentication (MFA) security, and this actor has used it to target at least 18 universities and educational institutions across the United States since April 2025. The campaigns were delivered through email and the phishing domains used subdomains that mimicked the legitimate SSO sites. Figure 1 shows a timeline of attack volumes, based on DNS, against the schools."
  https://blogs.infoblox.com/threat-intelligence/dns-uncovers-infrastructure-used-in-sso-attacks/
  https://www.malwarebytes.com/blog/news/2025/12/attackers-have-a-new-way-to-slip-past-your-mfa
• How Attackers Use Real IT Tools To Take Over Your Computer
  "A new wave of attacks is exploiting legitimate Remote Monitoring and Management (RMM) tools like LogMeIn Resolve (formerly GoToResolve) and PDQ Connect to remotely control victims’ systems. Instead of dropping traditional malware, attackers trick people into installing these trusted IT support programs under false pretenses–disguising them as everyday utilities. Once installed, the tool gives attackers full remote access to the victim’s machine, evading many conventional security detections because the software itself is legitimate."
  https://www.malwarebytes.com/blog/news/2025/12/how-attackers-use-real-it-tools-to-take-over-your-computer
• Shai Hulud 2.0, Now With a Wiper Flavor
  "In September, a new breed of malware distributed via compromised Node Package Manager (npm) packages made headlines. It was dubbed “Shai-Hulud”, and we published an in-depth analysis of it in another post. Recently, a new version was discovered. Shai Hulud 2.0 is a type of two-stage worm-like malware that spreads by compromising npm tokens to republish trusted packages with a malicious payload. More than 800 npm packages have been infected by this version of the worm. According to our telemetry, the victims of this campaign include individuals and organizations worldwide, with most infections observed in Russia, India, Vietnam, Brazil, China, Türkiye, and France."
  https://securelist.com/shai-hulud-2-0/118214/
• Malicious Rust Crate Evm-Units Serves Cross-Platform Payloads For Silent Execution
  "The Socket Threat Research Team recently discovered a malicious Rust package named evm-units, written by ablerust, with over 7,000 all-time downloads. Based on the victim’s OS and whether Qihoo360 antivirus is running, the package downloads a payload, writes it to the system temp directory, and silently executes it. The package appears to return the Ethereum version number, so the victim is none the wiser. The package names and code behavior (EVM utilities, genuine Uniswap helper library), combined with the Qihoo360 targeting and multi-OS loader pattern, make it likely that the payload steals cryptocurrency. The targeting of Qihoo360 also suggests that the threat actor is focusing on Asian markets, as Qihoo360 is a Chinese-made antivirus with dominant marketshare throughout Asia."
  https://socket.dev/blog/malicious-rust-crate-evm-units-serves-cross-platform-payloads
  https://thehackernews.com/2025/12/malicious-rust-crate-delivers-os.html
• ValleyRAT Campaign Targets Job Seekers, Abuses Foxit PDF Reader For DLL Side-Loading
  "Cybercriminal operations continue to escalate in both aggressiveness and sophistication, achieving greater impact through the strategic integration of multiple methods. The campaign investigated in this article demonstrates a layered application of tried-and-tested techniques: social‑engineering lures targeting job seekers, obfuscation through deeply nested directory paths, and execution via DLL sideloading."
  https://www.trendmicro.com/en_us/research/25/l/valleyrat-campaign.html
• Massive Gambling Network Doubles As Hidden C2 And Anonymity Infrastructure, Researchers Say
  "A sprawling network that’s seemingly maintained to serve (illegal) online gambling opportunities and deliver malware to Indonesian citizens is likely also being used to provide threat actors command and control (C2) and anonymity services. “The infrastructure has been active for at least 14 years and currently spans 328,039 domains: 236,433 purchased domains, 90,125 hacked websites, and 1,481 hijacked subdomains, including subdomains of government websites,” says Kobi Ben Naim, CEO and Head of Research at Malanta."
  https://www.helpnetsecurity.com/2025/12/03/indonesian-online-gambling-network/

Breaches/Hacks/Leaks

• Marquis Data Breach Impacts Over 74 US Banks, Credit Unions
  "Financial software provider Marquis Software Solutions is warning that it suffered a data breach that impacted dozens of banks and credit unions across the US. Marquis Software Solutions provides data analytics, CRM tools, compliance reporting, and digital marketing services to over 700 banks, credit unions, and mortgage lenders. In data breach notifications filed with US Attorney General offices, Marquis says it suffered a ransomware attack on August 14, 2025, after its network was breached through its SonicWall firewall."
  https://www.bleepingcomputer.com/news/security/marquis-data-breach-impacts-over-74-us-banks-credit-unions/
  https://www.bankinfosecurity.com/marketing-compliance-software-vendor-to-banks-breached-a-30184
• French DIY Retail Giant Leroy Merlin Discloses a Data Breach
  "French home improvement and gardening retailer Leroy Merlin is notifying customers that their personal info has been compromised in a data breach. Leroy Merlin operates in multiple European countries as well as in South Africa and Brazil, employs 165,000 people, and has an annual revenue of $9.9 billion."
  https://www.bleepingcomputer.com/news/security/french-diy-retail-giant-leroy-merlin-discloses-a-data-breach/
• Freedom Mobile Discloses Data Breach Exposing Customer Data
  "Freedom Mobile, the fourth-largest wireless carrier in Canada, has disclosed a data breach after attackers hacked into its customer account management platform and stole the personal information of an undisclosed number of customers. Founded in 2008 as Wind Mobile by telecommunications provider Globalive, Freedom has over 2,2 million subscribers and now says it provides coverage to 99% of Canadians."
  https://www.bleepingcomputer.com/news/security/freedom-mobile-discloses-data-breach-exposing-customer-data/
• University Of Phoenix Discloses Data Breach After Oracle Hack
  "The University of Phoenix (UoPX) has joined a growing list of U.S. universities breached in a Clop data theft campaign targeting vulnerable Oracle E-Business Suite instances in August 2025. Founded in 1976 and headquartered in Phoenix, Arizona, UoPX is a private for-profit university with nearly 3,000 academic staff and over 100,000 enrolled students. The university disclosed the data breach on its official website on Tuesday, while its parent company, Phoenix Education Partners, filed an 8-K form with the U.S. Securities and Exchange Commission (SEC)."
  https://www.bleepingcomputer.com/news/security/university-of-phoenix-discloses-data-breach-after-oracle-hack/
  https://therecord.media/university-of-phoenix-data-breach
  https://www.securityweek.com/penn-and-phoenix-universities-disclose-data-breach-after-oracle-hack/
  https://securityaffairs.com/185279/data-breach/university-of-pennsylvania-and-university-of-phoenix-disclose-data-breaches.html

General News

• Chinese Researchers Simulate Large-Scale Electronic Warfare Against Elon Musk’s Starlink
  "When Russian forces rolled into Ukraine in early 2022, one of the first moves by Kyiv was sending a post to Elon Musk on X: Ukraine needs satellite internet. Within days, thousands of Starlink terminals arrived, restoring command and control across the battlefield despite Russia’s best efforts to black out communications. Moscow initially tried to jam the signals – and reportedly had some success. But when SpaceX quietly updated its software and reconfigured the constellation, many Russian jammers went silent. The battlefield advantage shifted."
  https://www.scmp.com/news/china/science/article/3333523/chinese-researchers-simulate-large-scale-electronic-warfare-against-elon-musks-starlink
  https://www.darkreading.com/cyberattacks-data-breaches/china-researches-ways-disrupt-satellite-internet
• CISOs Are Questioning What a Crisis Framework Should Look Like
  "CISOs increasingly assume the next breach is coming. What concerns them most is whether their teams will understand the incident quickly enough to limit the fallout. A recent report by Binalyze looks at how investigation practices are holding up across large US enterprises."
  https://www.helpnetsecurity.com/2025/12/03/binalyze-crisis-management-framework-report/
• Threat Intelligence Programs Are Broken, Here Is How To Fix Them
  "Security teams often gather large amounts of threat data but still struggle to improve detection or response. Analysts work through long lists of alerts, leaders get unclear insights, and executives see costs that do not lead to better outcomes. A recent report from ISACA notes that this gap remains wide across enterprises, and explains that organizations collect information at a pace that makes it hard to understand what matters."
  https://www.helpnetsecurity.com/2025/12/03/isaca-threat-intelligence-programs-report/
  DOJ Takes Down Myanmar Scam Center Website Spoofing TickMill Trading Platform
  "The Department of Justice announced the dismantling of a website used by a scam center in Myanmar to siphon thousands of dollars from multiple victims. An affidavit filed this week supported the domain seizure of tickmilleas.com — a spoof of legitimate forex and commodities trading platform TickMill. The recently created Scam Center Strike Force tracked the fake website back to the prominent Tai Chang scam compound in Kyaukhat, Myanmar. This is the third domain taken down by U.S. officials in connection with the Tai Chang scam compound — which international law enforcement agencies raided three weeks ago."
  https://therecord.media/doj-takes-down-myanmar-scam-site-trickmill-spoof
  https://www.helpnetsecurity.com/2025/12/03/law-enforcement-agencies-cybercrime-efforts-2025/
• Cloudflare's 2025 Q3 DDoS Threat Report -- Including Aisuru, The Apex Of Botnets
  "Welcome to the 23rd edition of Cloudflare’s Quarterly DDoS Threat Report. This report offers a comprehensive analysis of the evolving threat landscape of Distributed Denial of Service (DDoS) attacks based on data from the Cloudflare network. In this edition, we focus on the third quarter of 2025. The third quarter of 2025 was overshadowed by the Aisuru botnet with a massive army of an estimated 1–4 million infected hosts globally. Aisuru unleashed hyper-volumetric DDoS attacks routinely exceeding 1 terabit per second (Tbps) and 1 billion packets per second (Bpps). The number of these attacks surged 54% quarter-over-quarter (QoQ), averaging 14 hyper-volumetric attacks daily. The scale was unprecedented, with attacks peaking at 29.7 Tbps and 14.1 Bpps."
  https://blog.cloudflare.com/ddos-threat-report-2025-q3/
  https://www.bleepingcomputer.com/news/security/aisuru-botnet-behind-new-record-breaking-297-tbps-ddos-attack/
• Seasonal Surge: Why HR Phishing Peaks In Q4 And The Seven Themes Behind It
  "Q3 and Q4 of each year tend to see the most Human Resources (HR) task-related phishing threats, but the specific theme used by threat actors changes based on current events. This has led to the explosion of termination as a phishing lure, particularly during Q3 2025. By exploiting fear, threat actors can lower an employee’s guard and increase their likelihood of falling victim to an attack. Such malicious emails can appear legitimate as they spoof trusted and generally known entities, like the HR department."
  https://cofense.com/blog/seasonal-surge-why-hr-phishing-peaks-in-q4-and-the-seven-themes-behind-it
• Ransomware And Supply Chain Attacks Neared Records In November
  "Ransomware attacks hit their second-highest levels on record in November, as the number of attacks rose for the seventh consecutive month. The 640 ransomware attacks recorded by Cyble in November 2025 are second only to February 2025’s record totals (chart below)."
  https://cyble.com/blog/ransomware-attacks-november-2025/
• While ECH Adoption Is Low, Risks Remain For Enterprises, End Users
  "Two years ago, the introduction of Encrypted Client Hello (ECH) divided enterprise cybersecurity professionals and privacy advocates. An extension to the Transport Layer Security (TLS) 1.3 Internet encryption standard, ECH protects communications between an endpoint device and a Web server. While ECH increased user privacy, it reduced visibility, which is not so great for security. You are already familiar with TLS: The padlock symbol and https designation in the address bar of your browser indicate the website uses this Internet standard. However, this only means that the content between the client machine and the server is encrypted after the connection has been established."
  https://www.darkreading.com/data-privacy/while-ech-adoption-is-low-risks-remain-for-enterprises-end-users
• The Ransomware Holiday Bind: Burnout Or Be Vulnerable
  "There's never a good time to get hit by ransomware, but fallout can be even more devastating when attacks hit during off-hours, weekends or holidays. That's the time when threat actors strike, knowing enterprises are understaffed. Ransomware gangs are a steady, rising threat that reports show operate as legitimate businesses, complete with customer service and help desk personnel. That reflects in well-thought out attack steps, including timing which commonly correlates with organizations' weekend and holiday downtime, an important tool against staffer burnout."
  https://www.darkreading.com/cyberattacks-data-breaches/the-ransomware-holiday-bind-burnout-or-be-vulnerable
• UK's Cyber Service For Telcos Blocks 1 Billion Malicious Site Attempts
  "Almost one billion early-stage cyber-attacks have been prevented in the past year in the UK thanks to a recent service deployed by the National Cyber Security Agency (NCSC). The results were announced by British Security Minister, Dan Jarvis, during the Financial Times’ Cyber Resilience Summit: Europe, held in London on December 3. On the morning of the event Jarvis had come from a visit to telecommunications firm, BT, which is a partner of the NCSC’s Share and Defend service."
  https://www.infosecurity-magazine.com/news/uk-cyber-service-blocks-billion/
• Exploits And Vulnerabilities In Q3 2025
  "In the third quarter, attackers continued to exploit security flaws in WinRAR, while the total number of registered vulnerabilities grew again. In this report, we examine statistics on published vulnerabilities and exploits, the most common security issues impacting Windows and Linux, and the vulnerabilities being leveraged in APT attacks that lead to the launch of widespread C2 frameworks. The report utilizes anonymized Kaspersky Security Network data, which was consensually provided by our users, as well as information from open sources."
  https://securelist.com/vulnerabilities-and-exploits-in-q3-2025/118197/
• The Most Interesting Cybercrime Takedowns Of 2025
  "Every year seems to bring with it the next “biggest data breach in history.” But in an encouraging turn of events, more and more of the world’s most prolific attackers are being caught and arrested. 2024 saw a record-setting data breach that compromised over 2.9 billion sensitive files around the world, but it also saw the swift arrest of the person responsible, an attacker going by the alias USDoD. A new trend shows that data breaches from external threats might be the least of your worries, though."
  https://blog.barracuda.com/2025/12/03/cybercrime-takedowns-2025
• Disinformation And Cyber-Threats Among Top Global Exec Concerns
  "Business leaders in the world’s most important economies have ranked misinformation/disinformation, cyber insecurity and the adverse effects of AI among the biggest threats to their respective countries, according to the World Economic Forum (WEF). The WEF Executive Opinion Survey 2025 was compiled from interviews with 11,000 executives across 116 economies. They were asked to select the top five risks most likely to pose the biggest threat to their respective countries in the next two years, out of a total of 34 risks."
  https://www.infosecurity-magazine.com/news/disinformation-cyberthreats-global/
• Twins With Hacking History Charged In Insider Data Breach Affecting Multiple Federal Agencies
  "Twin brothers Muneeb and Sohaib Akhter were arrested in Alexandria, Va., Wednesday for allegedly stealing and destroying government data held by a government contractor minutes after they were fired from the company earlier this year, the Justice Department said. Prosecutors accuse the 34-year-old brothers of the crimes during a weeklong spree in February, compromising data from multiple federal agencies including the Department of Homeland Security, Internal Revenue Service and the Equal Employment Opportunity Commission."
  https://cyberscoop.com/muneeb-sohaib-akhter-government-contractors-insider-attack/

อ้างอิง
Electronic Transactions Development Agency (ETDA)