NCSA Webboard

    Cyber Threat Intelligence 16 January 2026

    Cyber Security News
    Posted by NCSA_THAICERT

      Industrial Sector

      • Trio Of Critical Bugs Spotted In Delta Industrial PLCs
        "Researchers have identified one high- and three critical-severity vulnerabilities in a brand of programmable logic controller (PLC) popular at industrial sites in Asia. The DVP-12SE11T, by Taiwan's Delta Electronics, is a cut-rate PLC popular in a variety of sensitive sectors in Asia, such as water treatment and food and beverage processing. In August 2025, researchers from OPSWAT's Unit 515 decided to crack into it, and in doing so discovered four serious vulnerabilities, three of which ranked above a 9 out of 10 in the Common Vulnerability Scoring System (CVSS)."
        https://www.darkreading.com/ics-ot-security/critical-bugs-delta-industrial-plcs
      • ICS Patch Tuesday: Vulnerabilities Fixed By Siemens, Schneider, Aveva, Phoenix Contact
        "Industrial giants Siemens, Schneider Electric, Phoenix Contact, and Aveva have published a dozen Patch Tuesday advisories to inform customers about vulnerabilities found in their ICS/OT products. Siemens has released five new advisories. Two of them describe the same critical authorization bypass flaw in Industrial Edge Devices that can be leveraged by an unauthenticated, remote attacker to bypass authentication and impersonate a user. One advisory covers Industrial Edge Devices, while the other is for the Industrial Edge Device Kit. The remaining advisories inform customers about the availability of fixes for high-severity vulnerabilities in Ruggedcom, ET 200SP, and TeleControl Server Basic products."
        https://www.securityweek.com/ics-patch-tuesday-vulnerabilities-fixed-by-siemens-schneider-aveva-phoenix-contact/
      • Cyber Threat Actors Ramp Up Attacks On Industrial Environments
        "Both cybercriminals and hacktivists have increased cyber-attacks against industrial technology environments, with vulnerability exploits in these systems almost doubling in 2025, according to Cyble. This is according to the Cyble Research & Intelligence Labs' (CRIL) Annual Threat Landscape Report 2025, published on January 15, 2026."
        https://www.infosecurity-magazine.com/news/cyber-threat-actors-ramp-up-ics/

      Vulnerabilities

      • Critical Privilege Escalation Vulnerability In Modular DS Plugin Affecting 40k+ Sites Exploited In The Wild
        "This blog post is about an Unauthenticated Privilege Escalation vulnerability in the Modular DS plugin. Patchstack has issued a mitigation rule to protect against exploitation of this vulnerability. If you're a Modular DS user, please update to at least version 2.5.2. This vulnerability was discovered and reported to Patchstack by Teemu Saarentaus from group.one."
        https://patchstack.com/articles/critical-privilege-escalation-vulnerability-in-modular-ds-plugin-affecting-40k-sites-exploited-in-the-wild/
        https://thehackernews.com/2026/01/critical-wordpress-modular-ds-plugin.html
        https://www.bleepingcomputer.com/news/security/hackers-exploit-modular-ds-wordpress-plugin-flaw-for-admin-access/
      • Cisco Finally Fixes Max-Severity Bug Under Active Attack For Weeks
        "Cisco finally delivered a fix for a maximum-severity bug in AsyncOS that has been under attack for at least a month. The networking giant disclosed the vulnerability, tracked as CVE-2025-20393, on December 17. It affects some Secure Email Gateway (SEG) and Secure Email and Web Manager (SEWM) appliances. Cisco first became aware of attackers targeting the appliances on December 10."
        https://www.theregister.com/2026/01/15/cisco_fixes_cve_2025_20393/
      • Palo Alto Networks Warns Of DoS Bug Letting Hackers Disable Firewalls
        "Palo Alto Networks patched a high-severity vulnerability that could allow unauthenticated attackers to disable firewall protections in denial-of-service (DoS) attacks. Tracked as CVE-2026-0227, this security flaw affects next-generation firewalls (running PAN-OS 10.1 or later) and Palo Alto Networks' Prisma Access configurations when the GlobalProtect gateway or portal is enabled. The cybersecurity company says that most cloud-based Prisma Access instances have already been patched, with those left to be secured already scheduled for an upgrade."
        https://www.bleepingcomputer.com/news/security/palo-alto-networks-warns-of-dos-bug-letting-hackers-disable-firewalls/
        https://security.paloaltonetworks.com/CVE-2026-0227
        https://thehackernews.com/2026/01/palo-alto-fixes-globalprotect-dos-flaw.html
        https://securityaffairs.com/186948/hacking/palo-alto-networks-addressed-a-globalprotect-flaw-poc-exists.html
      • WhisperPair: Hijacking Bluetooth Accessories Using Google Fast Pair
        "Google Fast Pair enables one-tap pairing and account synchronisation across supported Bluetooth accessories. While Fast Pair has been adopted by many popular consumer brands, we discovered that many flagship products have not implemented Fast Pair correctly, introducing a flaw that allows an attacker to hijack devices and track victims using Google's Find Hub network. We introduce WhisperPair, a family of practical attacks that leverages a flaw in the Fast Pair implementation on flagship audio accessories. Our findings show how a small usability 'add-on' can introduce large-scale security and privacy risks for hundreds of millions of users."
        https://whisperpair.eu/
        https://www.bleepingcomputer.com/news/security/critical-flaw-lets-hackers-track-eavesdrop-via-bluetooth-audio-devices/
      • CodeBreach: Infiltrating The AWS Console Supply Chain And Hijacking AWS GitHub Repositories Via CodeBuild
        "Wiz Research uncovered CodeBreach, a critical vulnerability that placed the AWS Console supply chain at risk. The issue allowed a complete takeover of key AWS GitHub repositories - most notably the AWS JavaScript SDK, a core library that powers the AWS Console. By exploiting CodeBreach, attackers could have injected malicious code to launch a platform-wide compromise, potentially affecting not just the countless applications depending on the SDK, but the Console itself, threatening every AWS account."
        https://www.wiz.io/blog/wiz-research-codebreach-vulnerability-aws-codebuild
        https://thehackernews.com/2026/01/aws-codebuild-misconfiguration-exposed.html
        https://www.infosecurity-magazine.com/news/codebuild-flaw-aws-console-risk/
        https://www.theregister.com/2026/01/15/codebuild_flaw_aws/
      • New ‘StackWarp’ Attack Threatens Confidential VMs On AMD Processors
        "A team of researchers from the CISPA Helmholtz Center for Information Security in Germany has disclosed the details of a new hardware vulnerability affecting AMD processors. Dubbed StackWarp, the issue has been found to impact AMD Zen 1 through Zen 5 processors, enabling an attacker to hack confidential virtual machines (CVMs). The researchers described StackWarp as a software-based architectural attack that “exploits a synchronization failure in the stack engine that manages stack pointer updates in the CPU frontend”."
        https://www.securityweek.com/new-stackwarp-attack-threatens-confidential-vms-on-amd-processors/
        https://www.theregister.com/2026/01/15/stackwarp_bug_amd_cpus/
      • Claude Cowork Exfiltrates Files
        "Two days ago, Anthropic released the Claude Cowork research preview (a general-purpose AI agent to help anyone with their day-to-day work). In this article, we demonstrate how attackers can exfiltrate user files from Cowork by exploiting an unremediated vulnerability in Claude’s coding environment, which now extends to Cowork. The vulnerability was first identified in Claude.ai chat before Cowork existed by Johann Rehberger, who disclosed the vulnerability — it was acknowledged but not remediated by Anthropic."
        https://www.promptarmor.com/resources/claude-cowork-exfiltrates-files
        https://www.theregister.com/2026/01/15/anthropics_claude_bug_cowork/

      Malware

      • Planned Failure: Gootloader’s Malformed ZIP Actually Works Perfectly
        "The Gootloader developer has been involved in ransomware for a long time. Their role within ransomware has been initial access: getting the foot in the door. Once the malware runs on a system, they hand their access to someone else. In being responsible for this job, the Gootloader developer has incentive to ensure that their malware receives a low detection score and can bypass most security tools. They’ve been very successful with this over the years. In years past, Gootloader malware made up 11% of all malware we saw bypassing other security tools."
        https://expel.com/blog/gootloaders-malformed-zip/
        https://www.bleepingcomputer.com/news/security/gootloader-now-uses-1-000-part-zip-archives-for-stealthy-delivery/
      • UAT-8837 Targets Critical Infrastructure Sectors In North America
        "Cisco Talos is closely tracking UAT-8837, a threat actor we assess with medium confidence is a China-nexus advanced persistent threat (APT) actor based on overlaps in tactics, techniques, and procedures (TTPs) with those of other known China-nexus threat actors. Based on UAT-8837's TTPs and post-compromise activity Talos has observed across multiple intrusions, we assess with medium confidence that this actor is primarily tasked with obtaining initial access to high-value organizations. Although UAT-8837's targeting may appear sporadic, since at least 2025, the group has clearly focused on targets within critical infrastructure sectors in North America."
        https://blog.talosintelligence.com/uat-8837/
        https://therecord.media/china-hackers-apt-cisco-talos
      • New Remcos Campaign Distributed Through Fake Shipping Document
        "FortiGuard Labs discovered a new phishing campaign in the wild. The campaign delivers a new variant of Remcos, a commercial lightweight remote access tool (RAT) with a wide range of capabilities, including system resource management, remote surveillance, network management, and Remcos agent management. I conducted an in-depth investigation into this malicious campaign. This analysis covers how the phishing email initializes the attack, how the attached Word document downloads an RTF file, the vulnerability the attack leverages within the RTF file, the VBScript and PowerShell code, how a fileless .NET module is loaded and executed in a PowerShell process, and how the fileless Remcos agent is downloaded and loaded using process hollowing."
        https://www.fortinet.com/blog/threat-research/new-remcos-campaign-distributed-through-fake-shipping-document
      • New PayPal Scam Sends Verified Invoices With Fake Support Numbers
        "A new phishing scam is leveraging PayPal’s legitimate invoice system to trick unsuspecting users, even appearing with the coveted “blue tick” verification mark in their inboxes. This sophisticated attack is bypassing traditional email security filters and leaving even tech-savvy individuals confused. Hackread.com has obtained direct evidence of this escalating threat, confirming that attackers are exploiting PayPal’s own services to send fraudulent money requests, making them appear entirely authentic."
        https://hackread.com/paypal-scam-verified-invoices-fake-support-numbers/
      • Browser Extensions Gone Rogue: The Full Scope Of The GhostPoster Campaign
        "Last month, researchers at Koi Security published a detailed analysis of a malicious Firefox extension they dubbed GhostPoster – a browser-based malware leveraging an uncommon and stealthy payload delivery method: steganography within a PNG icon file. This innovative approach allowed the malware to evade traditional extension security reviews and static analysis tools. Following their publication, our investigation identified 17 additional extensions associated with the same infrastructure and tactics, techniques, and procedures (TTPs). Collectively, these extensions were downloaded over 840,000 times, with some remaining active in the wild for up to five years."
        https://layerxsecurity.com/blog/browser-extensions-gone-rogue-the-full-scope-of-the-ghostposter-campaign/
        https://hackread.com/ghostposter-browser-malware-840000-installs/
      • New CastleLoader Variant Linked To 469 Infections Across Critical Sectors
        "A new name is surfacing in cyber intelligence reports that has security teams on edge. Known as CastleLoader, it has become a go-to tool for attackers targeting high-security environments since early 2025. As Hackread.com reported in December 2025, earlier versions of CastleLoader were analysed in July and August 2025. Cybersecurity analysis firm ANY.RUN has now detected a newer and more stealthy version."
        https://hackread.com/castleloader-variant-infections-critical-sectors/
      • Ransomware: Tactical Evolution Fuels Extortion Epidemic
        "The cyber-extortion epidemic reached new heights in 2025, with a record number of attacks recorded. As outlined in our new whitepaper, this increase is being powered by a new breed of attackers who eschew encryption and rely solely on data theft as leverage for extortion. By using zero-day vulnerabilities or exploiting weaknesses in the software supply chain, attackers can steal data from even the best-defended organizations before they become aware of the issue."
        https://www.security.com/threat-intelligence/ransomware-extortion-epidemic
        https://sed-cms.broadcom.com/sites/default/files/2026-01/RWN-2026-WP100_1.pdf
        https://www.infosecurity-magazine.com/news/hackers-shun-encryption-in-favour/
      • LOTUSLITE: Targeted Espionage Leveraging Geopolitical Themes
        "Acronis Threat Research Unit (TRU) has been actively monitoring malware campaigns and threat activity leveraging recent geopolitical developments between the United States and Venezuela as thematic lures. During this tracking, TRU identified a targeted campaign delivering a previously undocumented DLL-based backdoor, tracked as LOTUSLITE, aimed at U.S. government–related entities."
        https://www.acronis.com/en/tru/posts/lotuslite-targeted-espionage-leveraging-geopolitical-themes/
        https://www.theregister.com/2026/01/15/chinese_spies_used_maduros_capture/
      • Sicarii Ransomware: Truth Vs Myth
        "In December 2025, a previously unknown Ransomware-as-a-Service (RaaS) operation calling itself Sicarii began advertising its services across multiple underground platforms. The group’s name references the Sicarii, a 1st-century Jewish assassins group that opposed Roman rule in Judea. From its initial appearance, the Sicarii ransomware group distinguished itself through unusually explicit and persistent use of Israeli and Jewish symbolism in its branding, communications, and malware logic."
        https://research.checkpoint.com/2026/sicarii-ransomware-truth-vs-myth/
      • Inside China’s Hosting Ecosystem: 18,000+ Malware C2 Servers Mapped Across Major ISPs
        "Threat hunting often begins with a single indicator, such as a suspicious IP address, a beaconing domain, or a known malware family. Looking at those indicators individually makes the underlying infrastructure easy to miss. While analyzing malicious activity across Chinese hosting environments, we repeatedly observed the same networks and providers appearing across unrelated campaigns. Commodity malware, phishing operations, and state-linked tooling were often hosted side by side within the same infrastructure, even as individual IPs and domains changed."
        https://hunt.io/blog/china-hosting-malware-c2-infrastructure

      Breaches/Hacks/Leaks

      • Grubhub Confirms Hackers Stole Data In Recent Security Breach
        "Food delivery platform Grubhub has confirmed a recent data breach after hackers accessed its systems, with sources telling BleepingComputer the company is now facing extortion demands. "We're aware of unauthorized individuals who recently downloaded data from certain Grubhub systems," Grubhub told BleepingComputer. "We quickly investigated, stopped the activity, and are taking steps to further increase our security posture. Sensitive information, such as financial information or order history, was not affected.""
        https://www.bleepingcomputer.com/news/security/grubhub-confirms-hackers-stole-data-in-recent-security-breach/
      • ICE Agent Doxxing Site DDoS-Ed Via Russian Servers
        "A controversial website launched following an apparent insider breach at the Department of Homeland Security (DHS) has been taken offline by a sustained DDoS attack, its founder has revealed. Dominick Skinner told The Daily Beast that his ICE List site is being hit with a “prolonged and sophisticated” cyber-attack which began on Tuesday evening. At the time of writing, it was still down, making it impossible for interested parties to uncover the identities of agents working for US Immigration and Customs Enforcement (ICE) and Border Patrol."
        https://www.infosecurity-magazine.com/news/ice-agent-doxxing-site-ddosed/

      General News

      • CISOs Flag Gaps In Third-Party Risk Management
        "Third-party cyber risk continues to concern security leaders as vendor ecosystems grow, supply chains stretch, and AI plays a larger role in business operations. A recent Panorays survey of U.S. CISOs shows rising third-party incidents and growing regulatory attention, while visibility beyond direct vendors and the resources to manage that risk continue to fall short."
        https://www.helpnetsecurity.com/2026/01/15/panorays-cisos-ai-vendor-risk/
      • Cybersecurity Spending Keeps Rising, So Why Is Business Impact Still Hard To Explain?
        "Cybersecurity budgets keep climbing, but many security leaders still struggle to explain what that spending delivers to the business. A new study by Expel examines that disconnect through a survey of security and finance executives at large enterprises. The research looks at how the two groups view risk, investment decisions, and their working relationship."
        https://www.helpnetsecurity.com/2026/01/15/expel-cybersecurity-investment-decisions/
      • The NSA Lays Out The First Steps For Zero Trust Adoption
        "Security pros often say that zero trust sounds straightforward until they try to apply it across real systems, real users, and real data. Many organizations are still sorting out what they own, how access works, and where authority sits. That day-to-day reality is the context for a new set of implementation documents released by the National Security Agency."
        https://www.helpnetsecurity.com/2026/01/15/nsa-zero-trust-implementation-guidelines/
        https://media.defense.gov/2026/Jan/08/2003852320/-1/-1/0/CTR_ZERO_TRUST_IMPLEMENTATION_GUIDELINE_PRIMER.PDF
      • Microsoft Remains The Most Imitated Brand In Phishing Attacks In Q4 2025
        "In Q4 2025, Microsoft once again ranked as the most impersonated brand in phishing attacks, accounting for 22% of all brand phishing attempts, according to data from Check Point Research. This continues a multi-quarter trend in which attackers increasingly abuse trusted enterprise and consumer brands to harvest credentials and gain initial access. Google followed in second place with 13%, while Amazon climbed into third position at 9%, fueled by Black Friday and holiday sales, overtaking Apple. After a prolonged absence, Facebook (Meta) re-entered the top 10, landing in fifth place, highlighting renewed interest among attackers in social media account takeover."
        https://blog.checkpoint.com/research/microsoft-remains-the-most-imitated-brand-in-phishing-attacks-in-q4-2025/
      • Winter Olympics Could Share Podium With Cyberattackers
        "When the Milano Cortina Winter Games begin Feb. 6, it won't be just the athletes hunting for gold, but cybercriminals as well. Everything is on the table, experts warn — from Wi-Fi and digital infrastructure disruptions like those seen at the 2018 Winter Olympics in PyeongChang, to distributed denial-of-service (DDoS) and ransomware attacks of the sort French authorities faced during the 2024 Olympics. State-linked cyber espionage could be part of the mix too."
        https://www.darkreading.com/remote-workforce/winter-olympics-podium-cyberattackers
      • Vulnerabilities Surge, But Messy Reporting Blurs Picture
        "Another year, another record for vulnerability reports. For the ninth year in a row, the number of reported vulnerabilities set a new record, with 48,177 issues assigned a 2025 Common Vulnerabilities and Exposures (CVE) identifier, according to data analyzed from the National Vulnerability Database (NVD). While the deluge of security issues complicates companies' efforts to prioritize their patching processes, ongoing changes in the CVE-reporting ecosystem have more to do with the surge than an increase in cybersecurity risk."
        https://www.darkreading.com/cybersecurity-analytics/vulnerabilities-surge-messy-reporting-blurs-picture
        https://jerrygamblin.com/2026/01/01/2025-cve-data-review/
      • Years-Old Apache Struts2 Vulnerability Downloaded 387K+ Times In The Past Week
        "Apache Struts has a newly disclosed vulnerability, CVE-2025-68493, affecting Struts' XWork component and raising renewed concern about unsafe XML handling and XXE-style risk in certain deployments. According to NVD, affected versions span Struts 2.0.0 up to 6.1.0, with 6.1.1 identified as the fixed release. What makes this disclosure especially urgent is what we're seeing in Maven Central download telemetry: in just the past 7 days, we observed 387,549 downloads of org.apache.struts:*, and ~98% of that activity was concentrated on end-of-life (EOL) Struts 2.x lines with only ~1.8% on Struts 6.0.0 – 6.1.0."
        https://www.sonatype.com/blog/years-old-apache-struts2-vulnerability-downloaded-325k-times-in-the-past-week
        https://hackread.com/years-old-vulnerable-apache-struts-2-downloads/
      • LinkedIn Wants To Make Verification a Portable Trust Signal
        "In this Help Net Security interview, Oscar Rodriguez, VP Trust Product at LinkedIn, discusses how verification is becoming a portable trust signal across the internet. He explains how LinkedIn is extending professional identity beyond its platform to address rising AI-driven fraud, impersonation, and online scams. Rodriguez also outlines how LinkedIn views its role in digital trust alongside platforms, partners, and existing identity systems."
        https://www.helpnetsecurity.com/2026/01/15/oscar-rodriguez-linkedin-identity-verification/
      • QR Codes Are Getting Colorful, Fancy, And Dangerous
        "QR codes have become a routine part of daily life, showing up on emails, posters, menus, invoices, and login screens. Security-savvy users have learned to treat links with caution, but QR codes still carry an assumption of safety. Researchers from Deakin University have examined how visually stylized QR codes are being used in quishing attacks. Their study introduces a detection method that evaluates QR codes based on their structure rather than the link they contain, with a focus on visually stylized designs that use colors, shapes, logos, and background images."
        https://www.helpnetsecurity.com/2026/01/15/fancy-qr-codes-phishing-risk/
        https://arxiv.org/pdf/2601.06768
      • CISO Role Reaches “Inflexion Point” With Executive-Level Titles
        "The role of chief information security officer (CISO) is now more likely to be regarded as an executive-level position than VP or director, signifying its growing importance to the business, according to IANS. The research and advisory firm put together its 2026 State of the CISO Report based on interviews with 662 North American CISOs. It revealed that 46% of respondents now hold executive titles (e.g., EVP, SVP), while 27% are VPs and 27% are directors. This indicates a “structural shift” in the security leadership landscape, IANS claimed."
        https://www.infosecurity-magazine.com/news/ciso-role-inflexion-point/
      • Forget Predictions: True 2026 Cybersecurity Priorities From Leaders
        "Every December and January we see multiple public relations-driven “next year predictions” and these predictions are, unsurprisingly, self-serving to their clients. Why not go straight to the source? For this article, I spoke with several security leaders and asked them all the same question: “What people, process, or technology shift will help you most to do your job more efficiently in 2026?”"
        https://www.securityweek.com/forget-predictions-true-2026-cybersecurity-priorities-from-leaders/
      • Insider Threats: Turning 2025 Intelligence Into a 2026 Defense Strategy
        "Every organization houses sensitive assets that threat actors actively seek. Whether it is proprietary trade secrets, intellectual property, or the personally identifiable information (PII) of employees and customers, these datasets are the lifeblood of the modern enterprise—and highly lucrative commodities within the illicit underground. In 2025, Flashpoint observed 91,321 instances of insider recruiting, advertising, and threat actor discussions involving insider-related illicit activity. This underscores a critical reality—it is far more efficient for threat actors to recruit an “insider” to circumvent multi-million dollar security stacks than it is to develop a complex exploit from the outside."
        https://flashpoint.io/blog/insider-threats-2025-intelligence-2026-strategy/
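The GhostPoster item above describes a payload hidden by steganography inside a PNG icon file. The page does not say how the bytes were hidden, so what follows is a generic PNG triage check added here, not code from the Koi Security or LayerX research: it walks the chunk list and flags non-standard chunk types, bad CRCs, and bytes appended after IEND, the crudest places a payload can sit in a PNG. The KNOWN_CHUNKS set is taken from the PNG specification; the private chunk name pyLd and both sample images are constructed for the example.

```python
"""Triage a PNG for the crudest steganographic carriers: non-standard
chunks, chunks with bad CRCs, and data appended after IEND.
Added example; sample images are built inline (constructed, not real)."""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Chunk types defined by the PNG spec; anything else deserves a look.
KNOWN_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"cHRM", b"gAMA", b"iCCP",
    b"sBIT", b"sRGB", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"hIST", b"pHYs",
    b"sPLT", b"tIME", b"eXIf",
}


def chunk(ctype, data):
    """Encode one PNG chunk: 4-byte length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def make_png(extra_chunks=(), trailer=b""):
    """Build a valid 1x1 RGB PNG, optionally with extra chunks inserted
    before IEND and raw bytes appended after IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit, RGB
    raw = b"\x00" + b"\x00\x00\x00"                      # filter byte + one pixel
    body = [chunk(b"IHDR", ihdr), chunk(b"IDAT", zlib.compress(raw))]
    body += [chunk(t, d) for t, d in extra_chunks]
    body.append(chunk(b"IEND", b""))
    return PNG_SIG + b"".join(body) + trailer


def inspect_png(data):
    """Walk the chunk list and return triage findings as a dict."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    findings = {"chunks": [], "unknown_chunks": [], "bad_crc": [], "trailing_bytes": 0}
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        cdata = data[pos + 8:pos + 8 + length]
        crc = data[pos + 8 + length:pos + 12 + length]
        if len(cdata) != length or len(crc) != 4:
            raise ValueError("truncated chunk")
        name = ctype.decode("latin-1")
        findings["chunks"].append((name, length))
        if ctype not in KNOWN_CHUNKS:
            findings["unknown_chunks"].append((name, length))
        if struct.unpack(">I", crc)[0] != (zlib.crc32(ctype + cdata) & 0xFFFFFFFF):
            findings["bad_crc"].append(name)
        pos += 12 + length
        if ctype == b"IEND":
            break  # a well-formed file ends here; anything after is a trailer
    findings["trailing_bytes"] = len(data) - pos
    findings["suspicious"] = bool(
        findings["unknown_chunks"] or findings["bad_crc"] or findings["trailing_bytes"]
    )
    return findings


# Constructed samples: a clean icon, and a "carrier" with a private chunk
# holding a fake payload plus a blob appended after IEND.
CLEAN = make_png()
CARRIER = make_png(
    extra_chunks=[(b"pyLd", b"MZ" + b"\x90" * 30)],
    trailer=b"\x00payload-after-IEND",
)

if __name__ == "__main__":
    for label, img in (("clean", CLEAN), ("carrier", CARRIER)):
        print(label, inspect_png(img))
```

This is a first-pass filter only: a payload encoded in the pixel data itself (least-significant-bit stego in a valid IDAT stream) passes every check here, and some legitimate tools write private ancillary chunks, so an unknown chunk is a lead to inspect, not a verdict.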

      Reference
      Electronic Transactions Development Agency (ETDA)
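The Sonatype item above gives the affected range for CVE-2025-68493 as Struts 2.0.0 up to 6.1.0, with 6.1.1 as the fixed release, and notes that most downloads still land on end-of-life 2.x lines. The script below is an added example, not Sonatype's tooling: it reads a Maven pom.xml, resolves ${property} version references, and flags every org.apache.struts dependency whose declared version falls inside that range. The pom.xml is constructed for the example; only the coordinates and version bounds come from the advisory text.

```python
"""Flag Maven dependencies on Apache Struts versions in the CVE-2025-68493
affected range (org.apache.struts 2.0.0 <= v < 6.1.1, per the advisory
summary).  Added example; the pom.xml below is constructed."""
import re
import xml.etree.ElementTree as ET

GROUP_ID = "org.apache.struts"
AFFECTED_MIN = (2, 0, 0)   # first affected version, inclusive
FIXED = (6, 1, 1)          # first fixed version; anything below is affected

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed sample pom.xml (not from any real project).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <properties>
    <struts.version>2.5.33</struts.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>${struts.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-rest-plugin</artifactId>
      <version>6.1.0</version>
    </dependency>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-json-plugin</artifactId>
      <version>6.1.1</version>
    </dependency>
    <dependency>
      <groupId>com.example</groupId>
      <artifactId>other-lib</artifactId>
      <version>1.0</version>
    </dependency>
  </dependencies>
</project>"""


def parse_version(text):
    """Turn '2.5.33' or '6.1.0-SNAPSHOT' into a comparable int tuple padded to
    major.minor.patch.  Qualifiers are dropped (a simplification of Maven's
    ordering rules); a value with no leading number returns None."""
    m = re.match(r"(\d+(?:\.\d+)*)", text.strip())
    if not m:
        return None
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (3 - len(parts))


def is_affected(version):
    """True if inside the affected range, False if outside, None if unparseable."""
    v = parse_version(version)
    if v is None:
        return None
    return AFFECTED_MIN <= v < FIXED


def resolve(text, props):
    """Expand ${property} references using the pom's <properties> block."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), text or "")


def scan_pom(xml_text):
    """Return [(artifactId, resolved version, status)] for every Struts
    dependency; status is 'affected', 'not affected' or 'unknown'."""
    root = ET.fromstring(xml_text)
    props = {p.tag.rsplit("}", 1)[-1]: (p.text or "")
             for p in root.findall("m:properties/*", NS)}
    findings = []
    for dep in root.findall("m:dependencies/m:dependency", NS):
        if dep.findtext("m:groupId", default="", namespaces=NS) != GROUP_ID:
            continue
        aid = dep.findtext("m:artifactId", default="", namespaces=NS)
        ver = resolve(dep.findtext("m:version", default="", namespaces=NS), props)
        hit = is_affected(ver)
        status = "unknown" if hit is None else ("affected" if hit else "not affected")
        findings.append((aid, ver, status))
    return findings


if __name__ == "__main__":
    for aid, ver, status in scan_pom(SAMPLE_POM):
        print(f"{GROUP_ID}:{aid}:{ver} -> {status}")
```

Two caveats for real use: this reads only the versions a pom declares, so run `mvn dependency:tree` and feed the resolved output to catch Struts pulled in transitively or pinned by a parent pom; and the version parser ignores qualifiers, so a `-SNAPSHOT` or `.RC` build at the boundary should be checked by hand.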
