สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand 
ข้อมูลกลุ่ม
ส่วนตัว
Global Moderators
Forum wide moderators
-
Microsoft ยืนยันอัปเดต Windows เดือนเมษายนกระทบระบบสำรองข้อมูลบางส่วนโพสต์ใน Cyber Security News
-
เหตุโจมตี Sistemi Informativi ในอิตาลี แสดงถึงความเสี่ยงโครงสร้างพื้นฐานดิจิทัลยุโรปโพสต์ใน Cyber Security News
สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand
-
Google ปรับยุทธศาสตร์ Bug Bounty เพิ่มรางวัล Android สูงสุด 1.5 ล้านดอลลาร์ สู้ภัยไซเบอร์ยุค AIโพสต์ใน Cyber Security News
สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand
-
Cyber Threat Intelligence 04 May 2026โพสต์ใน Cyber Security News
New Tooling
- Open-Source Privacy Proxy Masks PII Before Prompts Reach External AI Services
"Enterprise developers routinely send prompts to external large language models that contain customer emails, support transcripts, and other identifying information, often without a sanitization layer between the application and the API. Dataiku has released Kiji Privacy Proxy, an open-source local gateway that detects and masks personally identifiable information before requests leave the network."
https://www.helpnetsecurity.com/2026/05/01/open-source-pii-privacy-proxy/ - Introducing Model Provenance Kit: Know Where Your AI Models Come From
"Enterprises pulling models from Hugging Face and other open repositories rarely keep records of how those models are altered after download, leaving organizations with little ability to confirm what they are running in production. The State of AI Security 2026 from Cisco places this level of access inside a growing pattern of AI-driven operations that connect directly to core business systems, and identifies AI supply chain exposure as a recurring risk. Cisco has published the Model Provenance Kit, an open-source Python toolkit and command-line interface that determines whether two transformer models share a common origin by examining architecture metadata, tokenizer structure, and the learned weights themselves."
https://blogs.cisco.com/ai/model-provenance-kit
https://github.com/cisco-ai-defense/model-provenance-kit
https://huggingface.co/datasets/cisco-ai/model-provenance-kit
https://www.helpnetsecurity.com/2026/04/30/cisco-ai-model-provenance-kit/
Vulnerabilities
- CISA Adds One Known Exploited Vulnerability To Catalog
"CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
CVE-2026-31431 Linux Kernel Incorrect Resource Transfer Between Spheres Vulnerability"
https://www.cisa.gov/news-events/alerts/2026/05/01/cisa-adds-one-known-exploited-vulnerability-catalog
https://thehackernews.com/2026/05/cisa-adds-actively-exploited-linux-root.html
Malware
- Critrical cPanel Flaw Mass-Exploited In "Sorry" Ransomware Attacks
"A new disclosed cPanel flaw tracked as CVE-2026-41940 is being mass-exploited to breach websites and encrypt data in "Sorry" ransomware attacks. This week, an emergency update for WHM and cPanel was released to fix a critical authentication bypass flaw that allows attackers to access control panels. WHM and cPanel are Linux-based web hosting control panels for server and website management. While WHM provides server-level control, cPanel provides administrator access to the website backend, webmail, and databases. Soon after its release, it was reported that the flaw was being actively exploited in the wild as a zero-day, with exploitation attempts dating back to late February."
https://www.bleepingcomputer.com/news/security/critrical-cpanel-flaw-mass-exploited-in-sorry-ransomware-attacks/ - Chinese Cybercrime Infrastructure Detected: Automated Exploitation & Harvesting Infrastructure
"SOCRadar Threat Research Team identified automated Chinese cybercrime infrastructure that blends large-scale exploitation with structured orchestration and monetization. The operation is coordinated through a centralized backend (referred to as ‘paperclip‘) and an agent-based workflow system OpenClaw, enabling operators to manage campaigns through structured missions."
https://socradar.io/blog/chinese-cybercrime-exploitation-harvesting/
https://hackread.com/45k-attacks-53k-backdoor-china-cybercrime-operation/ - Darktrace Malware Analysis: Jenkins Honeypot Reveals Emerging Botnet Targeting Online Games
"Darktrace analysts observed attackers exploiting a Jenkins honeypot to deploy a new DDoS botnet targeting video game servers. Leveraging Jenkins scriptText abuse, the malware installs a multi-platform payload, evades detection, and launches UDP, TCP, and application-layer attacks, highlighting ongoing risks from opportunistic botnet activity across internet-facing environments."
https://www.darktrace.com/blog/darktrace-malware-analysis-jenkins-honeypot-reveals-emerging-botnet-targeting-online-games
https://hackread.com/hackers-jenkins-ddos-botnet-gaming-servers/ - Poisoning The Well: AI Supply Chain Attacks On Hugging Face And OpenClaw
"Acronis Threat Research Unit has identified in-the-wild threat activity abusing AI distribution platforms such as Hugging Face and ClawHub to deliver malware disguised as models, datasets and agent extensions. Unlike traditional software supply chain attacks that result in a single system compromise, these campaigns exploit trust in AI ecosystems and agents, enabling malicious functionality to be executed on behalf of users and extending the impact beyond the initial infection. Hugging Face alone hosts over one million machine learning models and hundreds of thousands of datasets, making it a primary distribution layer for AI development."
https://www.acronis.com/en/tru/posts/poisoning-the-well-ai-supply-chain-attacks-on-hugging-face-and-openclaw/
https://www.securityweek.com/hugging-face-clawhub-abused-for-malware-distribution/ - NightSpire: Wannabe Warlords In Ransomware’s Shadow Realm
"NightSpire is a financially motivated ransomware group that was first observed in February 2025 and has claimed 259 victims across dozens of countries as of May 1, 2026. The group has an interesting backstory that will take us beyond its emergence, into 2024 when the NightSpire operators appear to have been working with other developers and different tools. We’ll come back to that."
https://blog.barracuda.com/2026/05/01/nightspire-wannabe-warlords-in-ransomwares-shadow-realm - "AccountDumpling": Hunting Down The Google-Sent Phishing Wave Compromising 30,000+ Facebook Accounts
"30,000 Facebook accounts have been compromised by phishing emails Google itself delivers. Authenticated, signed, and never blocked. We call this ”AccountDumpling”: a Vietnamese-linked operation that turns Google AppSheet into a phishing relay, then sells the stolen accounts back through a storefront run by the same hands. Pulling on that thread led us through Netlify-hosted Facebook clones, Vercel-hosted reward traps, Google Drive-hosted PDFs, and recruiter-style social engineering, all riding the same Google-authenticated relay and feeding the same Telegram bot infrastructure. We mapped roughly 30,000 victims and traced the operation back to a Vietnamese name embedded in a Canva-generated PDF the attackers forgot to scrub. We also recovered enough victim data to reach out directly to many of them, telling them they had been compromised and helping them act before more damage was done."
https://guard.io/labs/accountdumpling---hunting-down-the-google-sent-phishing-wave-compromising-30-000-facebook-accounts
https://thehackernews.com/2026/05/30000-facebook-accounts-hacked-via.html
https://hackread.com/google-appsheet-facebook-accountdumpling-scam/- Malicious Ruby Gems And Go Modules Impersonate Developer Tools To Steal Secrets And Poison CI
"We investigated the GitHub account BufferZoneCorp, which published a cluster of repositories linked to malicious Ruby gems and Go modules. The account is part of a software supply chain campaign targeting developers, CI runners, and build environments across two ecosystems. On the Ruby side, the analyzed gems automate secret theft. They harvest secret-bearing environment variables and read local credential material such as SSH keys, AWS credentials, .npmrc, .netrc, GitHub CLI configuration, and RubyGems credentials, then send the collected data to a hidden exfiltration endpoint."
https://socket.dev/blog/malicious-ruby-gems-and-go-modules-steal-secrets-poison-ci
https://thehackernews.com/2026/05/poisoned-ruby-gems-and-go-modules.html - Cyber Spies Target Russian Aviation Firms To Steal Satellite And GPS Data
"A cyber-espionage group has been targeting Russian government agencies and companies in the aviation industry to steal sensitive geospatial data, according to a report released this week. The group, known as HeartlessSoul, has been active since at least September 2025 and has carried out cyberattacks designed to infiltrate Russian organizations and individual users, researchers at Russian cybersecurity firm Kaspersky said. The attackers appear particularly interested in obtaining geographic information system (GIS) data — specialized file formats that can reveal detailed information about infrastructure such as roads, engineering networks, terrain and potentially strategic facilities. Such files are commonly used by engineering, government and industrial organizations and can contain detailed mapping data."
https://therecord.media/russia-cyber-espionage-aviation - Pro-Iran Crew Turns DDoS Into Shakedown As Ubuntu.com Stays Down
"Canonical says its web infrastructure is under attack after a pro-Iran hacktivist group instructed its members to target the open source giant. "I can confirm that Canonical's web infrastructure is under a sustained, cross-border Distributed Denial of Service (DDoS) attack" a Canonical spokesperson told The Register. "Our teams are working to restore full availability to all affected services. We will provide updates in our official channels as soon as we are able to.""
https://www.theregister.com/2026/05/01/canonical_confirms_ubuntu_infrastructure_under/ - ConsentFix v3 Attacks Target Azure With Automated OAuth Abuse
"A new attack type, dubbed ConsentFix v3, has been circulating on hacker forums as an improved technique that automates attacks against Microsoft Azure. The first version of ConsentFix was presented by Push Security last December as a variation of ClickFix for OAuth phishing attacks, which tricks victims into completing a legitimate Microsoft login flow via the Azure CLI. Using social engineering, the attacker fooled victims into pasting a localhost URL containing an OAuth authorization code that can be used to obtain tokens and hijack the account without passwords, despite multi-factor authentication (MFA)."
https://www.bleepingcomputer.com/news/security/consentfix-v3-attacks-target-azure-with-automated-oauth-abuse/ - Telegram Mini Apps Abused For Crypto Scams, Android Malware Delivery
"Cybersecurity researchers have uncovered a large-scale fraud operation that uses Telegram’s Mini App feature to run crypto scams, impersonate well-known brands, and distribute Android malware. A new report by CTM360 says the platform, dubbed FEMITBOT, is based on a string found in API responses and uses Telegram bots and embedded Mini Apps to create convincing, app-like experiences directly within the messaging platform. Telegram Mini Apps are lightweight web applications that run inside Telegram’s built-in browser, enabling services such as payments, account access, and interactive tools without requiring users to leave the app."
https://www.bleepingcomputer.com/news/security/telegram-mini-apps-abused-for-crypto-scams-android-malware-delivery/
https://www.ctm360.com/reports/femitbot-telegram-mini-apps-fraud-campaigns - MiniRAT: A Go-Based MacOS RAT Delivered Via Malicious Npm Package
"A newly analyzed Go-based macOS remote access trojan (RAT), internally named Minirat, has surfaced in the wild using anti-VM checks, LaunchAgent persistence, and AES-encrypted command and control (C2) configuration to maintain stealthy, long-term access on victim endpoints. According to SafeDep, the initial infection vector was a malicious npm package (velora-dex-sdk) that dropped the Go-based macOS RAT onto developer endpoints."
https://www.iru.com/blog/minirat
Breaches/Hacks/Leaks
- Edu Tech Firm Instructure Discloses Cyber Incident, Probes Impact
"Instructure, the company behind the widely used Canvas learning platform, has disclosed that it recently suffered a cybersecurity incident and is now investigating its impact. The U.S.-based education technology company is best known for developing Canvas, a widely used learning management system that helps schools, universities, and organizations manage coursework, assignments, and online learning. "Instructure recently experienced a cybersecurity incident perpetrated by a criminal threat actor. We are actively investigating this incident with the help of outside forensics experts," reads a statement from Steve Proud, Chief Security Officer."
https://www.bleepingcomputer.com/news/security/edu-tech-firm-instructure-discloses-cyber-incident-probes-impact/
https://www.bleepingcomputer.com/news/security/instructure-confirms-data-breach-shinyhunters-claims-attack/ - Trellix Confirms Source Code Breach With Unauthorized Repository Access
"Cybersecurity company Trellix has announced that it suffered a breach that enabled unauthorized access to a "portion" of its source code. It said it "recently identified" the compromise of its source code repository and that it began working with "leading forensic experts" to resolve the matter immediately. It also said it has notified law enforcement of the matter. Trellix did not disclose the exact nature of the data that may have been accessed by the attackers. However, it pointed out that there are no indications that its source code has been affected or exploited."
https://thehackernews.com/2026/05/trellix-confirms-source-code-breach.html
https://securityaffairs.com/191584/data-breach/trellix-discloses-the-breach-of-a-code-repository.html - Salt Typhoon Breach IBM Subsidiary In Italy: a Warning For Europe’s Digital Defenses
"In late April 2026, the Italian cybersecurity landscape was shaken by a significant breach targeting Sistemi Informativi, a company wholly owned by IBM Italy that provides IT infrastructure management for key public and private institutions. The incident, first reported by La Repubblica, has raised fresh concerns about the growing reach of Chinese-linked cyber operations in Europe. Sistemi Informativi is central to Italy’s digital infrastructure, managing systems for public agencies and key industries. Its outage quickly raised alarms among cybersecurity authorities and critical infrastructure operators. IBM confirmed the security breach through an official statement, acknowledging that it had “identified and contained a cybersecurity incident” and had activated incident response protocols involving both in-house and external specialists. The company said systems are now stable and services restored, but gave no details on the breach’s scope. Its website stayed offline for hours during containment."
https://securityaffairs.com/191638/apt/salt-typhoon-breach-ibm-subsidiary-in-italy-a-warning-for-europes-digital-defenses.html
General News
- 15-Year-Old Detained Over French Govt Agency Data Breach
"French authorities have detained a 15-year-old suspected of selling data stolen in a cyberattack on France Titres (ANTS), the country’s agency for issuing and managing administrative documents. The government agency confirmed the breach and the authenticity of the data offered for sale on a cybercriminal forum by someone using the alias ‘breach3d’. On April 13, ANTS detected suspicious activity on its network and notified authorities a few days later, on April 16, the Paris Prosecutor’s Office said. Following an investigation, the authorities believe that the suspected 15-year-old used the moniker ‘breach3d’ to offer for sale between 12 and 18 million records stolen in the ANTS data breach."
https://www.bleepingcomputer.com/news/security/15-year-old-detained-over-french-govt-agency-data-breach/ - North Korea Stole 76% Of All Crypto Hack Value In 2026 — With Just Two Attacks
"North Korean hacking groups accounted for 76% of all crypto hack losses in 2026 through April — not because North Korea launched a wave of attacks, but because two attacks totaling USD 577 million dwarfed everything else. The Drift Protocol breach on April 1 (USD 285 million) and the KelpDAO bridge exploit on April 18 (USD 292 million) represent 3% of 2026 incident count and 76% of stolen value. That ratio — small number of attacks, outsized share of losses — has characterized North Korea's approach across most years since 2017."
https://www.trmlabs.com/resources/blog/north-korea-stole-76-of-all-crypto-hack-value-in-2026-with-just-two-attacks
https://www.darkreading.com/cybersecurity-analytics/crypto-stolen-2026-north-korea - Preparing For a ‘vulnerability Patch Wave’
"Whether they are technology producers and vendors, or consumers and operators, all organisations have ‘technical debt’; a backlog of technical issues – that is both expensive and time-consuming – as a result of prioritising short-term gains over building resilient products. Artificial Intelligence, when used by sufficiently-skilled and knowledgeable individuals, is showing the ability to exploit this technical debt at scale and at pace across the technology ecosystem. As a result, the NCSC expect there will be a ‘forced correction’ to address this technical debt across all types of software, including open source, commercial, proprietary and software as a service."
https://www.ncsc.gov.uk/blogs/prepare-for-vulnerability-patch-wave
https://therecord.media/british-cyber-ai-patch-wave
https://www.theregister.com/2026/05/02/ncsc_brace_for_patch_tsunami/ - Careful Adoption Of Agentic AI Services
"CISA, in collaboration with the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) and other international and U.S. partners, released guidance for organizations on adopting agentic artificial intelligence (AI) systems. This guide outlines key security challenges and risks associated with agentic AI, and provides actionable steps for designing, deploying, and operating these systems safely. It helps organizations align AI risk management with existing cybersecurity frameworks and strengthen oversight as agentic AI adoption grows."
https://www.cisa.gov/resources-tools/resources/careful-adoption-agentic-ai-services
https://www.cyber.gov.au/business-government/secure-design/artificial-intelligence/careful-adoption-of-agentic-ai-services
https://www.cyber.gov.au/sites/default/files/2026-05/careful_adoption_of_agentic_ai_services.pdf
https://cyberscoop.com/cisa-nsa-five-eyes-guidance-secure-deployment-ai-agents/ - Microsoft Defender Wrongly Flags DigiCert Certs As Trojan:Win32/Cerdigent.A!dha
"Microsoft Defender is detecting legitimate DigiCert root certificates as Trojan:Win32/Cerdigent.A!dha, resulting in widespread false-positive alerts, and in some cases, removing certificates from Windows. According to cybersecurity expert Florian Roth, the issue first appeared after Microsoft added the detections to a Defender signature update on April 30th. Today, administrators worldwide began reporting that DigiCert root certificate entries were flagged as malware and, on affected systems, removed from the Windows trust store."
https://www.bleepingcomputer.com/news/security/microsoft-defender-wrongly-flags-digicert-certs-as-trojan-win32-cerdigentadha/
https://bugzilla.mozilla.org/show_bug.cgi?id=2033170 - Shadow AI Risks Deepen As 31% Of Users Get No Employer Training
"Between one-fifth and one-third of workers use AI outside the influence and governance of the IT function, according to a global survey of 6,000 full-time employees at enterprise organizations. Researchers found a widening gap between employee AI adoption and the controls organizations have in place to manage it. The Lenovo Work Reborn Research Series 2026 report documents a workforce split into two groups: employees equipped with IT-managed tools, training, and oversight, and those operating independently with consumer AI services."
https://www.helpnetsecurity.com/2026/05/01/shadow-ai-risks-it-oversight/ - Network Stats For Q1 2026: Neocloud Traffic Trends
"Welcome to our second quarterly Network Stats report covering Q1 of 2026. Along with Drive Stats and Performance Stats, Network Stats pulls back the curtain on real-world infrastructure data, particularly how network-level analytics reflect emerging AI industry trends and usage patterns. One of the roles of the Network Engineering (NetEng) team at Backblaze is to monitor how traffic moves into, out of, and across our platform—not just day-to-day, but over time as customer behavior and industry dynamics evolve. Right now, few forces are reshaping networks faster than AI. With the launch of B2 Overdrive in April 2025, we built a direct, high-performance path between our storage layers and neoclouds where processing, inference, and modeling take place. It has given us a front-row seat to the impact of AI and how network behavior is changing with it. This quarter, in addition to our regular data analysis, we’ve added some geographic heatmaps to understand where and how data is moving."
https://www.backblaze.com/blog/network-stats-for-q1-2026-neocloud-traffic-trends/
https://www.helpnetsecurity.com/2026/05/01/backblaze-ai-network-traffic-trends-report/ - Ransomware And Cyber Extortion In Q1 2026
"In Q1 2026, ransomware pressure increased in two directions: established groups like “Akira” and “Qilin” maintained high victim volumes, while newer actors added noise and uncertainty. “The Gentlemen” broke into the top tier, showing how quickly a capable group can scale. Meanwhile, “0APT” and “ALP-001” appeared to use questionable leak claims to pressure large enterprises. Extortion group “ShinyHunters” showed that identity-first intrusions and software-as-a-service (SaaS)-native data theft can deliver major impact without deploying encryptors. Defenders must prioritize the common behaviors that drive ransomware impact, including abuse of external remote services, identity compromise, lateral movement over administrative protocols, and defense evasion."
https://reliaquest.com/blog/threat-spotlight-ransomware-and-cyber-extortion-in-q1-2026/
อ้างอิง
Electronic Transactions Development Agency (ETDA)
- Open-Source Privacy Proxy Masks PII Before Prompts Reach External AI Services
-
Cyber Threat Intelligence 01 May 2026โพสต์ใน Cyber Security News
Industrial Sector
- ABB Edgenius Management Portal
"Successful exploitation of this vulnerability could allow an attacker to send a specially crafted message to the system node allowing the attacker to install and run arbitrary code, uninstall applications, and modify the configuration of installed applications."
https://www.cisa.gov/news-events/ics-advisories/icsa-26-120-03 - ABB Ability Symphony Plus Engineering
"ABB became aware of vulnerability in the products versions listed as affected in the advisory. The ABB S+ Engineering product versions are affected by vulnerabilities in PostgreSQL version 13.11 and earlier versions. If an attacker gains access to a site’s S+ Client Server network, they could exploit such vulnerabilities by executing arbitrary code and potentially compromising the entire system."
https://www.cisa.gov/news-events/ics-advisories/icsa-26-120-06 - ABB System 800xA, Symphony Plus IEC 61850
"This vulnerability was privately reported relating to ABB’s implementation of the IEC 61850 communication stack for MMS client applications used in some Automation control system products. Note: IEC 61850 communication typically supports MMS and GOOSE protocols. Some ABB products support both, others only MMS (e.g. S+ Operations and PM 877). In any case, GOOSE communication is not impacted by this reported vulnerability. If an attacker gains access to a site’s IEC 61850 network, then exploiting this vulnerability will result in a device fault (PM 877, CI850 and CI868 modules) and will require a manual restart. If this attack is directed at a S+ Operations node running IEC 61850 connectivity, this will result in a crash in the IEC 61850 communication driver which, if continued a repeating basis, will also result in a denial-of-service situation. Note that this does not have an impact on the overall availability and functionality of the S+ Operations node, only the IEC 61850 communication function. The System 800xA IEC61850 Connect is not affected."
https://www.cisa.gov/news-events/ics-advisories/icsa-26-120-01 - ABB PCM600
"Successful exploitation of this vulnerability could allow an attacker to send specially crafted messages to the system node resulting in execution of arbitrary code."
https://www.cisa.gov/news-events/ics-advisories/icsa-26-120-02 - ABB Ability OPTIMAX
"Successful exploitation of this vulnerability could allow an attacker to bypass user authentication on OPTIMAX installations that make use of the Azure Active Directory Single-Sign On integration."
https://www.cisa.gov/news-events/ics-advisories/icsa-26-120-04 - ABB AWIN Gateways
"Successful exploitation of these vulnerabilities could allow an attacker to remotely reboot the device or complete an unauthenticated query to reveal system configuration, including sensitive details."
https://www.cisa.gov/news-events/ics-advisories/icsa-26-120-05 - Threat Landscape For Industrial Automation Systems. Australia And New Zealand, Q4 2025
"The cybersecurity situation in Australia and New Zealand is among the most favorable across all regions. In Q4 2025, the region ranked 11th in the percentage of ICS computers on which malicious objects were blocked."
https://ics-cert.kaspersky.com/publications/reports/2026/04/30/threat-landscape-for-industrial-automation-systems-australia-and-new-zealand-q4-2025/ - Exploiting EnOcean SmartServer To Attack Connected Building Management Systems
"Team82’s previous research into the LonTalk protocol and the CEA-852 standard demonstrates the means by which a legacy protocol such as LonTalk is being retro-fitted to support connectivity for building management systems and other smart internet-of-things devices critical to the operation of facilities in various critical industries. While this activity does improve overall management of power systems, heating and cooling systems, physical security systems, and other BMS, it does open up new attackable exposures that could put facilities at risk. We present our research on EnOcean’s SmartServer IoT and i.LON controllers, which connect building automation and management systems to the internet. SmartServer IoT is EnOcean’s modern BMS controller, while the i.LON controllers are legacy devices originally developed by Echelon."
https://claroty.com/team82/research/exploiting-enocean-smartserver-to-attack-connected-building-management-systems
https://www.securityweek.com/enocean-smartserver-flaws-expose-buildings-to-remote-hacking/ - Adapting Zero Trust Principles To Operational Technology
"CISA, in coordination with the Department of War, Department of Energy, Federal Bureau of Investigation, and Department of State, released Adapting Zero Trust Principles to Operational Technology, joint guidance for organizations applying zero trust (ZT) principles to operational technology (OT). Zero trust is a modern, adaptive approach to cybersecurity that eliminates implicit trust and requires continuously validating access based on identity, context, and risk. With advancements in technology, OT systems that were traditionally isolated or manually operated are now increasingly interconnected, digitally monitored, and remotely controlled. This IT-OT convergence introduces new cybersecurity risks that make perimeter-based defenses and implicit trust models inadequate for safeguarding OT systems and the critical physical processes they control."
https://www.cisa.gov/resources-tools/resources/adapting-zero-trust-principles-operational-technology
https://www.cisa.gov/sites/default/files/2026-04/joint-guide-adapting-zero-trust-principles-to-operational-technology_508c.pdf
https://www.infosecurity-magazine.com/news/zero-trust-guidance-operational/
Vulnerabilities
- Critical cPanel And WHM Bug Exploited As a Zero-Day, PoC Now Available
"The critical CVE-2026-41940 authentication bypass vulnerability in cPanel, WHM, and WP Squared is being actively exploited in the wild and has been leveraged in attempts since late February. It is unclear when exploitation started, but KnownHost, a hosting provider that uses cPanel, said the day the vulnerability was disclosed that "successful exploits have been seen in the wild" before a fix became available. However, KnownHost CEO Daniel Pearson stated that the company has "seen execution attempts as early as 2/23/2026.""
https://www.bleepingcomputer.com/news/security/critical-cpanel-and-whm-bug-exploited-as-a-zero-day-poc-now-available/
https://www.cisa.gov/news-events/alerts/2026/04/30/cisa-adds-one-known-exploited-vulnerability-catalog
https://cyberscoop.com/cpanel-authentication-bypass-vulnerability-cve-2026-41940-exploited/
https://www.securityweek.com/critical-cpanel-whm-vulnerability-exploited-as-zero-day-for-months/
https://www.theregister.com/2026/04/30/cpanel_whn_cves/ - A CVSS 10.0 In Gemini CLI: How Agentic Workflows Are Reshaping Supply Chain Risk
"The flaw lived in how Gemini CLI handled workspace trust in non-interactive environments. When running in headless mode – like a CI/CD job – Gemini CLI automatically trusted the current workspace folder, loading any agent configuration it found there without review, sandboxing, or human approval. That meant an attacker who could place content in a repository’s workspace – by opening a pull request, for example – could plant configuration that the agent would silently trust and act on. The result was direct command execution on the host running the agent, before its sandbox ever initialized. Across every affected workflow, the impact was the same: code execution on the host running the agent gave an unprivileged outsider access to whatever secrets, credentials, and source code the workflow could reach. Enough for token theft, supply-chain pivots, and lateral movement into downstream systems."
https://novee.security/blog/google-gemini-cli-rce-vulnerability-cvss-10-critical-security-advisory/
https://thehackernews.com/2026/04/google-fixes-cvss-10-gemini-cli-ci-rce.html
https://www.securityweek.com/critical-gemini-cli-flaw-enabled-host-code-execution-supply-chain-attacks/
https://www.theregister.com/2026/04/30/googles_fix_for_critical_gemini/ - SonicWall Urges Immediate Patching Of Firewall Vulnerabilities
"SonicWall on Wednesday rolled out fixes for three SonicOS vulnerabilities, urging customers to immediately patch their Gen 6, Gen 7, and Gen 8 firewalls. “These vulnerabilities require immediate firmware updates to maintain security posture. One CVE is rated high severity, and two are rated medium severity,” the company warned. The high-severity flaw, tracked as CVE-2026-0204, allows attackers to bypass access controls and access certain management interface functions, SonicWall notes in an advisory."
https://www.securityweek.com/sonicwall-urges-immediate-patching-of-firewall-vulnerabilities/
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2026-0004
Malware
- FBI Links Cybercriminals To Sharp Surge In Cargo Theft Attacks
"The U.S. Federal Bureau of Investigation (FBI) warned the transportation and logistics industry of a sharp rise in cyber-enabled cargo theft, with estimated losses in the United States and Canada reaching nearly $725 million in 2025. This represents a 60% surge in losses compared to the previous year, fueled by criminals increasingly using hacking and impersonation tactics to hijack high-value freight. Confirmed cargo theft incidents have risen 18 percent last year alone, while the average value per theft grew 36 percent to $273,990, due to more selective targeting of high-value loads. The bureau said in a public service announcement on Wednesday that threat actors have been infiltrating the computer systems of freight brokers and carriers through spoofed emails and fake web links since at least 2024."
https://www.bleepingcomputer.com/news/security/fbi-links-cybercriminals-to-sharp-surge-in-cargo-theft-attacks/
https://www.ic3.gov/PSA/2026/PSA260430
https://therecord.media/hackers-earning-millions-from-hijacked-cargo-fbi - Defending Against CORDIAL SPIDER And SNARKY SPIDER With Falcon Shield
"Since October 2025, CrowdStrike Counter Adversary Operations has observed a shift in intrusion tradecraft: Threat actors are executing high-speed, SaaS-centric attacks that bypass traditional endpoint visibility. CORDIAL SPIDER and SNARKY SPIDER exemplify this evolution as distinct adversaries conducting rapid data theft and extortion campaigns with striking operational similarities. In most cases, these adversaries use voice phishing (vishing) to direct targeted users to malicious, SSO-themed adversary-in-the-middle (AiTM) pages, where they capture authentication data and pivot directly into SSO-integrated SaaS applications. By operating almost exclusively within trusted SaaS environments, they minimize their footprint while accelerating time to impact. The combination of speed, precision, and SaaS-only activity creates significant detection and visibility challenges for defenders."
https://www.crowdstrike.com/en-us/blog/defending-against-cordial-spider-and-snarky-spider-with-falcon-shield/
https://cyberscoop.com/crowdstrike-cordial-spider-snarky-spider-extortion-attacks/ - Deep#Door Stealer: Stealthy Python Backdoor And Credential Stealer Leveraging Tunneling, Multi-Layer Persistence, And In-Memory Surveillance Capabilities
"Securonix Threat Research analyzed a stealthy Python-based backdoor framework, dubbed Deep#Door, which uses an obfuscated batch loader to deploy a persistent surveillance and credential-stealing implant on Windows systems. The intrusion chain begins with execution of a batch script (install_obf.bat) that disables Windows security controls, dynamically extracts an embedded Python payload (svc.py), and establishes persistence through multiple mechanisms including Startup folder scripts, registry Run keys, scheduled tasks, and optional WMI subscriptions. Unlike traditional malware loaders that rely on external payload downloads, Deep#Door embeds its Python implant directly inside the dropper script and reconstructs it in-memory and on disk during execution."
https://www.securonix.com/blog/deepdoor-python-backdoor-and-credential-stealer/
https://thehackernews.com/2026/04/new-python-backdoor-uses-tunneling.html
https://www.infosecurity-magazine.com/news/deepdoor-python-backdoor-windows/ - More PayPal Emails Hijacked To Deliver Tech Support Scams
"Scammers have found another way to get deceptive messages delivered through PayPal’s legitimate services. In December 2025, we reported that PayPal closed a loophole that let scammers send real emails with fake purchase notices. In those cases, scammers created a PayPal subscription and then paused it, which triggered PayPal’s genuine “Your automatic payment is no longer active” notification. They also set up a fake subscriber account, likely a Google Workspace mailing list, which automatically forwarded any email it received to all other group members."
https://www.malwarebytes.com/blog/news/2026/04/more-paypal-emails-hijacked-to-deliver-tech-support-scams - Silver Fox Uses The New ABCDoor Backdoor To Target Organizations In Russia And India
"In December 2025, we detected a wave of malicious emails designed to look like official correspondence from the Indian tax service. A few weeks later, in January 2026, a similar campaign began targeting Russian organizations. We have attributed this activity to the Silver Fox threat group. Both waves followed a nearly identical structure: phishing emails were styled as official notices regarding tax audits or prompted users to download an archive containing a “list of tax violations”. Inside the archive was a modified Rust-based loader pulled from a public repository. This loader would download and execute the well-known ValleyRAT backdoor. The campaign impacted organizations across the industrial, consulting, retail, and transportation sectors, with over 1600 malicious emails recorded between early January and early February."
https://securelist.com/silver-fox-tax-notification-campaign/119575/
อ้างอิง
Electronic Transactions Development Agency (ETDA)
- ABB Edgenius Management Portal
-
พบช่องโหว่ SQL Injection ใน LiteLLM เสี่ยงถูกเข้าถึงคีย์และข้อมูลลับของระบบโพสต์ใน Cyber Security News
สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand
-
Vimeo ยืนยันเหตุข้อมูลรั่วไหลจากเหตุเจาะระบบ Anodot กระทบข้อมูลผู้ใช้งานบางส่วนโพสต์ใน Cyber Security News
สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand
-
ศึกภายในวงการแรนซัมแวร์ 0APT ปะทะ KryBit จนข้อมูลลับรั่วไหลโพสต์ใน Cyber Security News
สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand
-
Cyber Threat Intelligence 30 April 2026โพสต์ใน Cyber Security News
Healthcare Sector
- A Quarter Of Healthcare Organizations Report Medical Device Cyber-Attacks
"One-in-four (24%) healthcare organizations (HCOs) experienced cyber-attacks impacting medical devices over the past year, causing potentially significant disruption to patient care, according to RunSafe Security. The security vendor polled 551 healthcare professionals across the US, UK and Germany to produce its 2026 Medical Device Cybersecurity Index. It revealed that, in 80% of cases, attacks affecting devices had a “moderate” or “significant” impact on patients. This could range from delayed imaging and postponed procedures to interruptions to critical care delivery, RunSafe claimed."
https://www.infosecurity-magazine.com/news/quarter-healthcare-medical-device/
Industrial Sector
- RDP Security: CPS Threats Spark Need For Secure Remote Access
"Hybrid work, remote monitoring and maintenance, and third-party access for system integrators or device vendors are now essential business requirements across many industries. This is especially true in critical infrastructure sectors with mission-critical remote sites, including utilities, transportation, and oil and gas. Historically, organizations have managed remote access to cyber-physical system (CPS) networks at these sites through traditional VPNs or jump hosts using technologies, such as Remote Desktop Protocol (RDP) and Virtual Network Computing (VNC). These approaches were designed to extend networks, not control interactions, which increase the attack surface."
https://www.forescout.com/blog/rdp-security-cps-threats-spark-need-for-secure-remote-access/
https://www.securityweek.com/hundreds-of-internet-facing-vnc-servers-expose-ics-ot/ - Threat Landscape For Industrial Automation Systems. South And North America (Canada), Q4 2025
"In South America, the percentage of ICS computers on which threats from email clients were blocked was significantly higher than the global average, by a factor of 1.9. On this metric, the region ranked second globally. High percentage figures for threats distributed via email clients (phishing) and spyware clearly indicate that OT systems in the region are highly exposed to advanced categories of threat actors. High percentage figures for malicious scripts and phishing pages, many of which target specifically employee authentication data for corporate services, also point to a high risk of targeted attacks against the OT infrastructure of industrial enterprises in the region."
https://ics-cert.kaspersky.com/publications/reports/2026/04/29/threat-landscape-for-industrial-automation-systems-south-and-north-america-canada-q4-2025/
Vulnerabilities
- cPanel, WHM Emergency Update Fixes Critical Auth Bypass Bug
"A critical vulnerability affecting all but the latest versions of cPanel and the WebHost Manager (WHM) dashboard could be exploited to obtain access to the control panel without authentication. The security issue, currently identified as CVE-2026-41940 and with a severity score of 9.8, has been addressed in an emergency update that requires running a command manually to retrieve a patched version of the software. Owned by WebPros International, WHM and cPanel are Linux-based web hosting control panels for server and website management. While WHM provides server-level control, cPanel provides administrator access to the website backend, webmail, and databases."
https://www.bleepingcomputer.com/news/security/cpanel-whm-emergency-update-fixes-critical-auth-bypass-bug/
https://thehackernews.com/2026/04/critical-cpanel-authentication.html
https://securityaffairs.com/191465/security/all-supported-cpanel-versions-hit-by-critical-auth-bug-now-patched.html - Chrome 147, Firefox 150 Security Updates Rolling Out
"Google and Mozilla on Tuesday announced fresh security updates for Chrome and Firefox users, addressing multiple memory safety vulnerabilities. The new Chrome 147 update is rolling out with 30 security fixes, including four for critical-severity use-after-free flaws reported by external researchers. Tracked as CVE-2026-7363, CVE-2026-7361, CVE-2026-7344, and CVE-2026-7343, the bugs impact the Canvas, iOS, Accessibility, and Views browser components."
https://www.securityweek.com/chrome-147-firefox-150-security-updates-rolling-out/ - Your AI Coding Agent Will Run This Exploit For You: How We Found a High-Severity CVE In Cursor
"Novee’s research team identified a high-severity arbitrary code execution vulnerability in Cursor, the popular AI-powered IDE. Cursor has published the vulnerability as CVE-2026-26268. The root cause is not a flaw in Cursor’s core product logic, but rather a consequence of a feature interaction in Git, one that becomes exploitable the moment an AI agent starts autonomously executing Git operations inside a repository it doesn’t control. The end result is attacker code execution directly on a developer’s machine."
https://novee.security/blog/cursor-ide-cve-2026-26268-git-hook-arbitrary-code-execution/
https://hackread.com/cursor-ai-ide-vulnerability-code-execution-git-hooks/ - CursorJacking: Every Cursor User Is Vulnerable To API Key Theft By Rogue Extensions
"LayerX security researchers have found that any extension of the popular AI development tool Cursor can access the developer’s API keys and session tokens, leading to full credential compromise, with no need for user interaction or activity at all. LayerX discovered that since Cursor doesn’t store keys in protected storage, any Cursor extension can execute this access. As a result, every Cursor user is vulnerable to API key theft by rogue Cursor extensions. Exploitation of this vulnerability can lead to exposure of session tokens and API keys, unauthorized access to Cursor backend services, and data theft via user impersonation."
https://layerxsecurity.com/blog/cursorjacking-every-cursor-user-is-vulnerable-to-api-key-theft-by-rogue-extensions/
https://www.infosecurity-magazine.com/news/cursor-extension-flaw-exposes-api/ - Linux Cryptographic Code Flaw Offers Fast Route To Root
"Developers of major Linux distributions have begun shipping patches to address a local privilege escalation (LPE) vulnerability arising from a logic flaw. The newly disclosed LPE, dubbed Copy Fail (CVE-2026-31431), comes from a vulnerability in the Linux kernel's authencesn cryptographic template. "An unprivileged local user can write four controlled bytes into the page cache of any readable file on a Linux system, and use that to gain root," the writeup from security biz Theori explains."
https://www.theregister.com/2026/04/30/linux_cryptographic_code_flaw/
Malware
- TeamPCP-Linked Supply Chain Attack Hits SAP CAP And Cloud MTA Npm Packages
"Compromised SAP CAP npm packages download and execute unverified binaries, creating urgent supply chain risk for affected developers and CI/CD environments. Socket is investigating a suspected supply chain attack affecting multiple npm packages associated with SAP’s JavaScript and cloud application development ecosystem."
https://socket.dev/blog/sap-cap-npm-packages-supply-chain-attack
https://www.aikido.dev/blog/mini-shai-hulud-has-appeared
https://www.bleepingcomputer.com/news/security/official-sap-npm-packages-compromised-to-steal-credentials/
https://thehackernews.com/2026/04/sap-npm-packages-compromised-by-mini.html - Popular WordPress Redirect Plugin Hid Dormant Backdoor For Years
"The Quick Page/Post Redirect plugin, installed on more than 70,000 WordPress sites, had a backdoor added five years ago that allows injecting arbitrary code into users’ sites. The malware was uncovered by Austin Ginder, the founder of WordPress hosting provider Anchor, who found it after 12 infected sites on his fleet triggered a security alert. Quick Page/Post Redirect plugin, available on WordPress.org for several years, is a basic utility plugin used for creating redirects in posts, pages, and custom URLs."
https://www.bleepingcomputer.com/news/security/popular-wordpress-redirect-plugin-hid-dormant-backdoor-for-years/
https://anchor.host/the-plugin-author-was-the-supply-chain-attacker/ - Qinglong Task Scheduler RCE Vulnerabilities Exploited In The Wild For Cryptomining
"In early February 2026, users of Qinglong (青龙), a popular open source timed task management platform with over 19,000 GitHub stars, began reporting that their servers were maxing out CPU usage. The cause was a cryptominer binary called .fullgc, deployed through two authentication bypass vulnerabilities that allowed unauthenticated remote code execution. The attacks went largely unnoticed in the English-speaking security community. But across Chinese developer forums and GitHub issues, the picture was clear: attackers were exploiting publicly accessible Qinglong panels to deploy cryptocurrency miners."
https://snyk.io/blog/qinglong-task-scheduler-rce-vulnerabilities/
https://www.bleepingcomputer.com/news/security/hackers-exploit-rce-flaws-in-qinglong-task-scheduler-for-cryptomining/ - AI-Powered Honeypots: Turning The Tables On Malicious AI Agents
"Just as AI brings time-saving advantages to our lives, it brings similar advantages to threat actors. The laborious, time-consuming tasks of finding potentially vulnerable systems, identifying their vulnerabilities, and executing exploit code can be automated and orchestrated using AI. Clearly, these new capabilities put defenders at a disadvantage, as they expose new vulnerabilities for the threat actor. Attackers seek to minimize exposure. The more that a defender knows about a potential attack, the better they can prepare to repel or detect an attack. Using AI-orchestrated tooling to gain access to systems trades stealth for capability. That trade-off increases attacker visibility, and increased visibility is something defenders can exploit."
https://blog.talosintelligence.com/ai-powered-honeypots-turning-the-tables-on-malicious-ai-agents/ - Phoenix Rising: Exposing The PhaaS Kit Behind Global Mass Phishing Campaigns
"According to the Group-IB High-Tech Crime Trends Report 2026, Financial Services, Logistics, and Telecommunications were identified as three of the top five industries most targeted by phishing in 2025. And SMS phishing (smishing) still remains one of the most effective and fastest-growing fraud vectors worldwide. This effectiveness has been further amplified by the rise of phishing-as-a-service (PhaaS) platforms, which provide affiliates with pre-built templates, traffic filtering mechanisms, and real-time victim management dashboards. By combining high-delivery SMS distribution methods with scalable, subscription-based phishing ecosystems, threat actors can rapidly deploy campaigns, replicate proven attack workflows, and expand operations across multiple regions with minimal technical overhead."
https://www.group-ib.com/blog/phoenix-phaas-kit-smishing/ - Meet Bluekit: The AI-Powered All-In-One Phishing Kit
"At one point in time, the phishing kit market was specialized. Operators bought a credential-harvesting page from one seller, a domain rotator from another, and an SMS gateway from a third. Then they stitched the rest together on their own infrastructure. Varonis Threat Labs recently discovered Bluekit, a new phishing kit pitching a broader model. It advertises 40+ website templates, automated domain purchase and registration, 2FA support, spoofing, geolocation emulation, Telegram and browser notifications, antibot cloaking, and add-ons like an AI assistant, voice cloning, and a mail sender. The templates we reviewed covered email and cloud accounts, developer platforms, social media, retail, and crypto services, including iCloud, Apple ID, Gmail, Outlook, Hotmail, Yahoo, ProtonMail, GitHub, Twitter, Zoho, Zara, and Ledger."
https://www.varonis.com/blog/bluekit
https://hackread.com/bluekit-phishing-kit-targets-platforms-mfa-bypass-attack/ - Claude Adds Malware To Crypto Agent
"ReversingLabs (RL) researchers discovered malicious code in a crypto trading project after an AI-based coding agent added a malicious package as a dependency. The @validate-sdk/v2 package poses as a routine data validation tool while siphoning off sensitive secrets from its host environment. The new malware campaign, which RL has dubbed PromptMink, involves a tainted package that was introduced in a Feb. 28 commit to an autonomous trading agent. The commit was co-authored by Anthropic’s Claude Opus large language model (LLM). It allows attackers to access users’ crypto wallets and funds."
https://www.reversinglabs.com/blog/claude-promptmink-malware-crypto
https://thehackernews.com/2026/04/new-wave-of-dprk-attacks-uses-ai.html
https://www.infosecurity-magazine.com/news/ai-npm-dependency-targets-crypto/ - Iranian Cyber Group Handala Targets US Troops In Bahrain
"The Iran-linked threat actor Handala this week targeted US troops in Bahrain in an influence campaign carried out on WhatsApp. The messages, signed Handala and containing a link to the group’s website, claimed the service members were under surveillance and soon to be targeted with drones and missiles. “Your identities are fully known to our missile units, and every move you make is under our surveillance. Very soon, you will be targeted by our Shahed drones and Kheibar and Ghadeer missiles,” the messages reportedly read."
https://www.securityweek.com/iranian-cyber-group-handala-targets-us-troops-in-bahrain/ - Another Day, Another Malicious JPEG
"In his last two diaries, Xavier discussed recent malware campaigns that download JPEG files with embedded malicious payload[1,2]. At that point in time, I’ve not come across the malicious “MSI image” myself, but while I was going over malware samples that were caught by one of my customer’s e-mail proxies during last week, I found another campaign in which the same technique was used. Xavier already discussed how the final portion of a payload that was embedded in the JPEG was employed, but since the campaign he came across used a batch downloader as the first stage, and the one I found employed JScript instead, I thought it might be worthwhile to look at the first part of the infection chain in more detail, and discuss few tips and tricks that may ease analysis of malicious scripts along the way."
https://isc.sans.edu/diary/Another+day+another+malicious+JPEG/32738/
https://blog.barracuda.com/2026/04/28/picture-imperfect-risk-malicious-jpgs - Threat Spotlight: Boutique Phishing Kit Saiga 2FA Hides Behind ‘lorem Ipsum’ Metadata
"In early 2025, a sophisticated phishing kit, Saiga 2FA, was seen targeting legal organizations in Australia. Since then, the kit has stayed largely under the radar. New Barracuda detection data shows that its activity has ramped up in recent months, with a significant wave of phishing campaigns beginning in February 2026. Saiga 2FA belongs to a class of advanced phishing kits that function more like a boutique service than an automated platform. It features a structured, modular and infrastructure-driven design. This article examines the attack flow, tools and techniques seen by Barracuda threat analysts in Saiga’s recent campaign."
https://blog.barracuda.com/2026/04/28/threat-spotlight--boutique-phishing-kit-saiga-2fa - Kuse Web App Abused To Host Phishing Document
"As AI increases its role in work and daily life, AI apps are also increasing in number. Along with this emergence are expanding attack vectors that threat actors are actively exploring. AI is reshaping the cybersecurity landscape, introducing both unprecedented opportunities and complex risks. On April 9, 2026, the TrendAI Managed Services Team encountered a phishing attack that revealed another vulnerability that enabled attackers to store phishing chains, breach trust, and eventually expose credentials. In this case, attackers abused the storage and sharing features of Kuse, a free AI web app. This breach involved a Supply Chain Attack, particularly a Vendor Email Compromise (VEC), wherein a compromised mailbox from a trusted vendor was used to send a specifically crafted phishing email that leveraged the existing relationship level between the two organizations. Because of this, some IOCs are partly redacted in this article due to the usage of specific organization names."
https://www.trendmicro.com/en_us/research/26/d/kuse-web-app-abused-to-host-phishing-document.html - Fake Document, Real Access: Foxit Impersonation Enables Stealth VNC Control
"Foxit Software has more than 650 million users and is widely trusted as a lightweight PDF reader. That reputation is exactly what makes it valuable to attackers. The more familiar the software, the easier it is to convince someone that what they are downloading is safe. Instead of exploiting a vulnerability in Foxit, the attacker does something simpler: They pretend to be Foxit. That is enough to get users to install malware themselves. A fake installer that looks legitimate can deliver remote access tools, steal credentials, or quietly maintain long term access to a system. This approach has been used repeatedly. In 2024, several campaigns relied on trojanized installers and search engine poisoning to distribute fake PDF software at scale. No exploit required, just trust. Exploitiong weak spots in legitimate programs is another often used tactic - see our article on ConnectWise."
https://blog.gdatasoftware.com/2026/04/38409-fake-foxit-vnc - DinDoor's Caddy Problem: How One HTTP Header Exposed 20 Active C2 Servers
"Runtime code environments like Node.js, Deno, and Python are increasingly being utilized as an instrument to execute malicious code. Rather than deploying traditional compiled implants, these trusted, signed runtimes are exploited to run attacker-controlled scripts, which complicates detection in networks where these tools are allowlisted, and coverage is lacking. DinDoor, tracked as a variant of the Tsundere Botnet, follows this model. Delivered primarily via MSI files and relying on the Deno runtime for execution, the malware runs obfuscated JavaScript to communicate with its command and control (C2) infrastructure, while fingerprinting victims and fetching follow-on payloads. A recent report from Broadcom linked DinDoor activity to the Iranian APT group Seedworm, also tracked as MuddyWater, targeting U.S. organizations."
https://hunt.io/blog/dindoor-deno-runtime-backdoor-msi-analysis - Inside The Coinbase Cartel: How Infostealer Credentials Fueled a 100+ Company Ransomware Spree
"A rapidly expanding ransomware and extortion group known as Coinbase Cartel has officially claimed over 100 targets. The group, which first emerged in September 2025, has made a name for itself through pure data exfiltration and extortion, completely bypassing the use of traditional file encryptors. While many victim organizations and incident response firms have incorrectly attributed the initial access of these breaches to sophisticated zero-day exploits or complex social engineering, Hudson Rock‘s cybercrime intelligence reveals a different, much simpler reality: Coinbase Cartel exclusively uses old Infostealer credentials to compromise cloud environments, FTP servers, and file transfer services."
https://www.infostealers.com/article/inside-the-coinbase-cartel-how-infostealer-credentials-fueled-a-100-company-ransomware-spree/
Breaches/Hacks/Leaks
- Polymarket Rejects Data Breach Claims As Hacker Alleges 300K Records Stolen
"A hacker called Xorcat claims to have stolen a massive 300,000 records from Polymarket. It is the world’s largest decentralised cryptocurrency-based prediction market where users bet on world events. The alleged stolen data was posted on a cybercrime forum and Telegram on 27 April 2026. However, Polymarket has rejected these claims. Xorcat claims to have taken advantage of several flaws in the website’s code. One method involved using undocumented API endpoints. Another method was a pagination bypass on Polymarket’s CLOB (Central Limit Order Book) trading system."
https://hackread.com/polymarket-rejects-data-breach-hacker-records-stolen/
General New
- Call Centres Dismantled And Ten Arrested In EUR 50 Million Online Fraud Case
"A criminal network operating a large-scale online fraud scheme has been dismantled through a collaborative investigation involving Austrian and Albanian authorities, with support from Europol and Eurojust. The operation, which spanned over two years, resulted in the arrest of ten individuals, the search of multiple premises, and the seizure of nearly EUR 900 000 in cash. The criminal network, allegedly operating several call centres in Tirana, Albania, is believed to have caused significant financial damage, totalling at least EUR 50 million. The call centres were professionally set up and organised, resembling legitimate business structures featuring a clear division of roles and hierarchical management."
https://www.europol.europa.eu/media-press/newsroom/news/call-centres-dismantled-and-ten-arrested-in-eur-50-million-online-fraud-case
https://www.bleepingcomputer.com/news/security/european-police-dismantles-50-million-crypto-investment-fraud-ring/ - Coordinated Takedown Of Scam Centers Leads To At Least 276 Arrests; Alleged Managers And Recruiters Charged In San Diego
"Unprecedented cooperation between the FBI, Dubai Police Department, and Chinese Ministry of Public Security has resulted in the arrest of at least 276 individuals and the dismantlement of at least nine scam centers used for cryptocurrency investment fraud schemes. These centers targeted Americans who have suffered millions of dollars in losses from such schemes. This international crackdown last week was spearheaded by the Dubai Police, under the United Arab Emirates (UAE) Ministry of Interior. Among the 275 arrested by Dubai authorities were three defendants charged in the Southern District of California with federal wire fraud and money laundering charges. An additional person was arrested by the Royal Thai Police."
https://www.justice.gov/opa/pr/coordinated-takedown-scam-centers-leads-least-276-arrests-alleged-managers-and-recruiters
https://therecord.media/us-china-partner-on-dubai-scam-compound-takedown
https://www.bankinfosecurity.com/fbi-backed-takedown-hits-crypto-scam-centers-a-31551 - Cursor AI Agent Wipes PocketOS Database And Backups In 9 Seconds
"On 24 April 2026, a disaster hit PocketOS, a Vertical SaaS provider providing the core operational infrastructure for car rental companies. In just nine seconds, a single command from an AI agent deleted the company’s entire production database along with its volume-level backups. Jer Crane, the founder of PocketOS, reported that the crisis started while using an AI coding agent called Cursor, running on Anthropic’s flagship Claude Opus 4.6 model. The agent was performing a routine task in a staging environment (private area used to test code) when it hit a credential mismatch, and instead of stopping, the agent searched through unrelated files and found a root-level API token."
https://hackread.com/cursor-ai-agent-wipes-pocketos-database-backups/ - Researchers Track 2.9 Billion Compromised Credentials
"The threat landscape in 2025 was characterized by a surge in compromised credentials, extortion and vulnerability exploitation, according to a new report from KELA. The threat intelligence firm tracked nearly 2.9 billion compromised credentials last year globally, it said in its latest report, The State of Cybercrime 2026: Emerging Threats & Predictions. These included usernames, passwords, session tokens, cookies found in URL, login and password (ULP) lists, breached email repositories and cybercrime marketplaces. At least 347 million were originally obtained by infostealers found on around 3.9 million infected machines."
https://www.infosecurity-magazine.com/news/29-billion-compromised-credentials/
https://www.kelacyber.com/resources/research/state-of-cybercrime-2026/ - Swiss Police Arrest 10 Suspected Members Of Nigeria-Linked Crime Group Black Axe
"Swiss and German law enforcement have arrested 10 suspected members of the Nigerian criminal network Black Axe, including a regional leader believed to oversee operations in Southern Europe, authorities said on Tuesday. The arrests followed house searches across several Swiss cantons, according to a statement from Europol and Zurich authorities. The suspects, aged between 32 and 54, are accused of carrying out romance scams that caused millions of Swiss francs in losses, alongside money-laundering operations designed to move illicit profits through international financial networks."
https://therecord.media/black-axe-switzerland-germany-cyber
อ้างอิง
Electronic Transactions Development Agency (ETDA)
- A Quarter Of Healthcare Organizations Report Medical Device Cyber-Attacks
-
พบช่องโหว่ CVE-2026-6770 ใน Firefox และ Tor Browser เสี่ยงถูกใช้ทำ Fingerprinting ติดตามผู้ใช้ข้ามเว็บไซต์โพสต์ใน Cyber Security News
สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand
