NCSA Webboard
    Cyber Threat Intelligence 27 January 2026

    Cyber Security News
    • NCSA_THAICERT

      New Tooling

      • Brakeman: Open-Source Vulnerability Scanner For Ruby On Rails Applications
        "Brakeman is an open-source security scanner used by teams that build applications with Ruby on Rails. The tool focuses on application code and configuration, giving developers and security teams a way to identify common classes of web application risk during development and testing. Brakeman analyzes application source code directly, including controllers, models, views, and templates. The scanner builds an internal representation of how data moves through the application, which allows it to flag patterns associated with security issues."
        https://www.helpnetsecurity.com/2026/01/26/brakeman-open-source-vulnerability-scanner-ruby-on-rails/
        https://github.com/presidentbeef/brakeman

      Vulnerabilities

      • Microsoft Patches Actively Exploited Office Zero-Day Vulnerability
        "Microsoft has released emergency out-of-band security updates to patch a high-severity Microsoft Office zero-day vulnerability exploited in attacks. The security feature bypass vulnerability, tracked as CVE-2026-21509, affects multiple Office versions, including Microsoft Office 2016, Microsoft Office 2019, Microsoft Office LTSC 2021, Microsoft Office LTSC 2024, and Microsoft 365 Apps for Enterprise (the company's cloud-based subscription service). However, as noted in today's advisory, security updates for Microsoft Office 2016 and 2019 are not yet available and will be released as soon as possible."
        https://www.bleepingcomputer.com/news/microsoft/microsoft-patches-actively-exploited-office-zero-day-vulnerability/
        https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21509
        https://securityaffairs.com/187349/hacking/emergency-microsoft-update-fixes-in-the-wild-office-zero-day.html
      • Nearly 800,000 Telnet Servers Exposed To Remote Attacks
        "Internet security watchdog Shadowserver tracks nearly 800,000 IP addresses with Telnet fingerprints amid ongoing attacks exploiting a critical authentication bypass vulnerability in the GNU InetUtils telnetd server. The security flaw (CVE-2026-24061) impacts GNU InetUtils versions 1.9.3 (released 11 years ago in 2015) through 2.7 and was patched in version 2.8 (released on January 20). "The telnetd server invokes /usr/bin/login (normally running as root) passing the value of the USER environment variable received from the client as the last parameter," explained open-source contributor Simon Josefsson, who reported it."
        https://www.bleepingcomputer.com/news/security/nearly-800-000-telnet-servers-exposed-to-remote-attacks/
      • Hands-Free Lockpicking: Critical Vulnerabilities In Dormakaba’s Physical Access Control System
        "In this post, Clemens Stockenreitner and Werner Schober of the SEC Consult Vulnerability Lab highlight several critical vulnerabilities found in dormakaba’s physical access control systems based on exos 9300. This access control system originates from the manufacturer's enterprise product line for door and access systems and is predominantly used by large enterprises in Europe, including industrial and service companies, logistics operators, energy providers, and airport operators. It controls access to public and restricted areas, typically in combination with key cards (RFID) or fingerprint readers. According to the manufacturer, several thousand customers were affected, a small proportion of whom operate in environments with high security requirements."
        https://sec-consult.com/blog/detail/hands-free-lockpicking-critical-vulnerabilities-in-dormakabas-physical-access-control-system/
        https://www.securityweek.com/access-system-flaws-enabled-hackers-to-unlock-doors-at-major-european-firms/

      Malware

      • Novel Fake CAPTCHA Chain Delivering Amatera Stealer
        "The Blackpoint SOC has identified a new Fake CAPTCHA campaign that leverages a signed Microsoft Application Virtualization (App-V) script, SyncAppvPublishingServer.vbs, as a LOLBIN to proxy execution through a legitimate Windows component. Instead of launching PowerShell directly, the attacker uses this script to control how execution begins and to avoid more common, easily recognized execution paths. Early stages are designed to validate execution order and user behavior rather than exploit a vulnerability. Progression is gated on conditions established during the initial interaction, and when those expectations are not met, execution quietly stalls. This reinforces that the delivery flow itself is a core part of the attack, not just a means to reach the final payload."
        https://blackpointcyber.com/blog/novel-fake-captcha-chain-delivering-amatera-stealer/
        https://www.bleepingcomputer.com/news/security/new-clickfix-attacks-abuse-windows-app-v-scripts-to-push-malware/
        https://hackread.com/fake-captcha-scam-microsoft-tools-amatera-stealer/
      • Stanley — A $6,000 Russian Malware Toolkit With Chrome Web Store Guarantee
        "Browser-based attacks have entered a new phase, one that's more aggressive, more coordinated, and more dangerous than what we saw a few months ago. An attack vector once considered low-impact has become a huge threat targeting millions of online users. In December 2025, DarkSpectre exposed gaps in browser security by compromising 8.8 million Chrome, Edge, and Firefox users through three linked campaigns. January 2026 brought another concern: two extensions with a combined 900,000 installations were caught quietly siphoning ChatGPT and DeepSeek conversations, one of which carried Google's "Featured" badge. Around the same time, the CrashFix campaign manipulated users into installing a remote access trojan by intentionally crashing their browsers and posing as the solution."
        https://www.varonis.com/blog/stanley-malware-kit
        https://www.bleepingcomputer.com/news/security/new-malware-service-guarantees-phishing-extensions-on-chrome-web-store/
        https://hackread.com/stanley-toolkit-russia-forum-fakes-chrome-urls/
        https://www.securityweek.com/stanley-malware-toolkit-enables-phishing-via-website-spoofing/
      • PackageGate: 6 Zero-Days In JS Package Managers But NPM Won't Act
        "After Shai-Hulud ripped through npm last November (700+ packages compromised, 25,000 repos exposed) the ecosystem settled on a defense playbook: disable lifecycle scripts, and commit your lockfiles. It became the standard advice everywhere from GitHub security guides to corporate policy docs. Makes sense. If malicious code can't run on install, and your dependency tree is pinned, you're covered. Right?"
        https://www.koi.ai/blog/packagegate-6-zero-days-in-js-package-managers-but-npm-wont-act
        https://www.bleepingcomputer.com/news/security/hackers-can-bypass-npms-shai-hulud-defenses-via-git-dependencies/
      • APT Attacks Target Indian Government Using GOGITTER, GITSHELLPAD, And GOSHELL | Part 1
        "In September 2025, Zscaler ThreatLabz identified two campaigns, tracked as Gopher Strike and Sheet Attack, by a threat actor that operates in Pakistan and primarily targets entities in the Indian government. In both campaigns, ThreatLabz identified previously undocumented tools, techniques, and procedures (TTPs). While these campaigns share some similarities with the Pakistan-linked Advanced Persistent Threat (APT) group, APT36, we assess with medium confidence that the activity identified during this analysis might originate from a new subgroup or another Pakistan-linked group operating in parallel."
        https://www.zscaler.com/blogs/security-research/apt-attacks-target-indian-government-using-gogitter-gitshellpad-and-goshell
      • Weaponized In China, Deployed In India: The SyncFuture Espionage Targeted Campaign
        "In early December 2025, the eSentire Threat Response Unit (TRU) identified an ongoing campaign deploying a sophisticated, multi-stage backdoor for the likely purpose of long-term espionage. The campaign targets residents of India with phishing emails that impersonate the Income Tax Department of India, luring victims into downloading a malicious archive. The threat actor's primary objective is to gain persistent, elevated access to the victim's machine for continuous monitoring of user activities, file operations, and exfiltration of sensitive information."
        https://www.esentire.com/blog/weaponized-in-china-deployed-in-india-the-syncfuture-espionage-targeted-campaign
        https://thehackernews.com/2026/01/indian-users-targeted-in-tax-phishing.html
      • Special Alert: SLSH Malicious "Supergroup" Targeting 100+ Organizations Via Live Phishing Panels
        "A massive identity-theft campaign is currently active, targeting Okta Single Sign-On (SSO) and other SSO platform accounts across 100+ high-value enterprises. Silent Push has identified a surge in infrastructure deployment that mirrors the TTPs (Tactics, Techniques, and Procedures) of SLSH—a predatory alliance between Scattered Spider, LAPSUS$, and ShinyHunters. This isn’t a standard automated spray-and-pray attack; it is a human-led, high-interaction voice phishing (“vishing”) operation designed to bypass even hardened Multi-Factor Authentication (MFA) setups."
        https://www.silentpush.com/blog/slsh-alert/
        https://www.theregister.com/2026/01/26/shinyhunters_okta_sso_campaign/
      • PeckBirdy: A Versatile Script Framework For LOLBins Exploitation Used By China-Aligned Threat Groups
        "Since 2023, we have been observing threat campaigns employing a previously unseen script-based command-and-control (C&C) framework which we named PeckBirdy, being used against Chinese gambling industries, as well as malicious activities targeting Asian government entities and private organizations. While tracking this framework, we identified at least two campaigns using PeckBirdy, which we were able to link to several China-aligned advanced persistent threat (APT) actors. Note that we’ve previously discussed these campaigns during the HitCon conference last August 2025, and are now publishing this entry to share our findings to a wider audience."
        https://www.trendmicro.com/en_us/research/26/a/peckbirdy-script-framework.html
      • eScan Antivirus Supply Chain Breach Delivers Signed Malware
        "A critical supply chain compromise affecting MicroWorld Technologies’ eScan antivirus product was identified on January 20 2026, after malicious updates were reportedly delivered through the vendor’s legitimate update infrastructure. The incident led to the global distribution of multi-stage malware to enterprise and consumer endpoints, according to findings published today from Morphisec Threat Labs. The malicious packages were allegedly digitally signed using a compromised eScan certificate, allowing them to appear legitimate and bypass standard trust mechanisms. Once deployed, the malware established persistence, enabled remote access capabilities and actively prevented affected systems from receiving further updates."
        https://www.infosecurity-magazine.com/news/escan-antivirus-breach-delivers/
      • SEO Poisoning Marketplace Topping Search Results, Impersonating Top Financial Institutions
        "Fortra Intelligence and Research Experts (FIRE) have uncovered a group of active malicious threat actors operating since 2020. The group refers to themselves as Haxor, a slang word for hackers, and their marketplace as HxSEO, or HaxorSEO. HxSEO has established its primary base of operations and marketplace on Telegram and WhatsApp. HxSEO stands out for their emphasis on unethical search engine optimization (SEO) techniques, selling a service that supports phishing campaigns by improving the perceived legitimacy of malicious pages. Their optimization is impressively successful, with FIRE identifying fraudulent login pages that rank higher than the legitimate pages of global financial institutions."
        https://www.fortra.com/blog/seo-poisoning-marketplace-topping-search-results-impersonating-top-financial-institutions
        https://www.infosecurity-magazine.com/news/researchers-haxor-seo-poisoning/
      • Detection Of Recent RMM Distribution Cases Using AhnLab EDR
        "AhnLab SEcurity intelligence Center (ASEC) has recently observed an increase in attack cases exploiting Remote Monitoring and Management (RMM) tools. Whereas attackers previously exploited remote control tools during the process of seizing control after initial penetration, they now increasingly leverage RMM tools even during the initial distribution phase across diverse attack scenarios. This article covers recently identified RMM exploitation cases and detection methods using AhnLab EDR."
        https://asec.ahnlab.com/en/92319/

      Breaches/Hacks/Leaks

      • FRESH BREACH — LENA HEALTH BREACH PREVIEW — FULL LEAK COMING SOON
        "Lena Health is a company the world will be better off without. To this end, we are working with a plaintiff attorney to contact the true victims of this breach, mostly patients of Lena’s main client, Houston Methodist Hospital, to 1) coördinate a class action against the company, and 2) pressure Houston Methodist to cease their usage of this terrible “digital helper” system."
        https://databreaches.net/2026/01/26/125824/?pk_campaign=feed&pk_kwd=125824

      General News

      • Rethinking Cybersecurity In a Platform World
        "For more than a decade, enterprise cybersecurity has relied on point solutions. Companies invested in separate tools - endpoint detection, firewalls, cloud security, and identity and access management - each designed to address a specific threat or compliance requirement. But that approach is starting to break down. One big reason? Scale. Most large enterprises juggle 40 to 70 different security tools. In a fast-moving business environment, that's not just overwhelming - it's becoming a real barrier to effective risk management."
        https://www.bankinfosecurity.com/blogs/rethinking-cybersecurity-in-platform-world-p-4035
      • Cyber Insights 2026: Threat Hunting In An Age Of Automation And AI
        "Threat hunting is the practice of finding threats within the system. It sits between external attack surface management (EASM), and the security operations center (SOC). EASM seeks to thwart attacks by protecting the interface between the network and the internet. If it fails, and an attacker gets into the system, threat hunting seeks to find and monitor the traces left by the adversary so the attack can be neutralized before damage can be done. SOC engineers take new threat hunter data and build new detection rules for the SIEM. That’s a theoretical representation – precise details vary between different organizations."
        https://www.securityweek.com/cyber-insights-2026-threat-hunting-in-an-age-of-automation-and-ai/
      • BreachForums Disclosure Surfaces Falling Out Among ShinyHunters Thieves
        "Sunlight is said to be the best disinfectant, so now that the real identities of hundreds of thousands of alleged cybercriminals have been revealed, it will be interesting to see how many wind up in prison. Earlier this month a disgruntled member of the cybercrime syndicate known as ShinyHunters decided to disclose detailed information on 323,986 users of an online BreachForums site where cybercriminals acquire tools and share tactics and techniques. Apparently upset about cyberattacks targeting organizations in France, a cybercriminal only identified as “James” decided the time had come to show his former compatriots that they are no longer able to anonymously launch cyberattacks."
        https://blog.barracuda.com/2026/01/26/breachforums-disclosure-shinyhunters

      Reference
      Electronic Transactions Development Agency (ETDA)
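On the Brakeman item above: the quoted paragraph says the scanner "builds an internal representation of how data moves through the application" and flags risky patterns. The following is an added example, not code from the Brakeman project or from the Help Net Security article, that shows the simplest form of that idea: a per-method taint trace from `params[...]` into an SQL sink whose string literal uses Ruby interpolation. The Rails controller it scans is constructed for the example; the regexes are a deliberate simplification (Brakeman works on the parsed Ruby AST, not on lines of text) and the sink list is an assumption.

```python
import re

# Constructed Rails controller (not code from Brakeman or the article): two
# unsafe queries built by string interpolation, two safe ones.
SAMPLE_CONTROLLER = '''
class UsersController < ApplicationController
  def search
    name = params[:name]
    @users = User.where("name LIKE '%#{name}%'")
  end

  def show
    @user = User.where(id: params[:id]).first
  end

  def by_email
    email = params[:email]
    @users = User.where("email = ?", email)
  end

  def legacy
    @rows = User.find_by_sql("SELECT * FROM users WHERE login = '#{params[:login]}'")
  end
end
'''

DEF_RE = re.compile(r'^\s*def\s+(\w+)')
ASSIGN_RE = re.compile(r'^\s*([a-z_]\w*)\s*=\s*(.+?)\s*$')      # local = expr
SOURCE_RE = re.compile(r'\bparams\[')                           # request input
SINK_RE = re.compile(r'\b(where|find_by_sql|order|group)\s*\(\s*"([^"]*)"')
INTERP_RE = re.compile(r'#\{([^}]*)\}')                          # Ruby "#{...}"


def _uses(expr, tainted):
    """True if expr reads request input directly or through a tainted local."""
    if SOURCE_RE.search(expr):
        return True
    return any(re.search(r'\b%s\b' % re.escape(v), expr) for v in tainted)


def scan_rails_source(src):
    """Flag SQL sinks whose string literal interpolates tainted data.

    Locals are tracked per method: one assigned from params[...] (or from
    another tainted local) is tainted; reassigning it from clean data clears it.
    """
    findings, tainted, method = [], set(), None
    for lineno, line in enumerate(src.splitlines(), 1):
        d = DEF_RE.match(line)
        if d:
            method, tainted = d.group(1), set()      # locals are method-scoped
            continue
        a = ASSIGN_RE.match(line)
        if a:
            var, rhs = a.groups()
            if _uses(rhs, tainted):
                tainted.add(var)
            else:
                tainted.discard(var)
        s = SINK_RE.search(line)
        if not s:
            continue
        sink, literal = s.groups()
        for expr in INTERP_RE.findall(literal):
            if _uses(expr, tainted):
                findings.append({"line": lineno, "method": method,
                                 "sink": sink, "expr": expr.strip()})
    return findings


if __name__ == "__main__":
    for f in scan_rails_source(SAMPLE_CONTROLLER):
        print("line %(line)d %(method)s: %(sink)s() interpolates %(expr)s" % f)
```

The two safe methods survive because `where(id: params[:id])` passes a hash and `where("email = ?", email)` binds the value instead of interpolating it; that distinction, request data reaching a query string versus reaching a bind parameter, is what a tool like Brakeman is really reporting on.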
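On the GNU InetUtils telnetd item above: the quoted sentence says the daemon runs /usr/bin/login and passes the client-supplied USER value as the last argument. The hazard in that pattern is argument injection, a value that starts with "-" being read as an option by the callee. The following is an added example, not InetUtils or login source code: the option string is a hypothetical stand-in for a login-like program, and whether the real /usr/bin/login honours a "--" terminator is an assumption, so the validation step is the part to rely on.

```python
import getopt
import re

# Hypothetical option string for a login-like program (an assumption for this
# demo, not the real /usr/bin/login): "-h <host>" records the remote host,
# "-p" preserves the environment.
LOGIN_OPTS = "h:p"
LOGIN = "/usr/bin/login"
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")    # no leading '-', no spaces


def parse_login_argv(args):
    """Parse args the way a getopt-based program would; returns (opts, user)."""
    opts, rest = getopt.getopt(args, LOGIN_OPTS)
    return dict(opts), (rest[0] if rest else None)


def build_login_argv_unsafe(host, user):
    """The shape the quoted sentence describes: the client-controlled USER
    value becomes the last argument with no validation and no terminator."""
    return [LOGIN, "-h", host, user]


def build_login_argv_safe(host, user):
    """Accept only a plain username, then put '--' before it so a getopt-style
    parser cannot read it as an option (assumes the callee honours '--')."""
    if not USERNAME_RE.fullmatch(user):
        raise ValueError("refusing to pass non-username value to login: %r" % user)
    return [LOGIN, "-h", host, "--", user]


if __name__ == "__main__":
    argv = build_login_argv_unsafe("203.0.113.9", "-p")
    print(argv, "->", parse_login_argv(argv[1:]))   # username gone, "-p" became an option
    argv = build_login_argv_safe("203.0.113.9", "alice")
    print(argv, "->", parse_login_argv(argv[1:]))
```

The same check applies to any service that forwards a remote-supplied string into argv of a setuid or root-run helper; the allowlist regex is the control, the "--" is defence in depth.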
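On the Fake CAPTCHA / Amatera item above: the quoted text describes SyncAppvPublishingServer.vbs being used as a LOLBIN so that PowerShell is not launched directly. The following is an added detection example, not code or data from Blackpoint, BleepingComputer or Hackread: it runs three lineage heuristics over constructed Sysmon-like process-creation events. The assumptions are that legitimate App-V publishing runs carry no ";" in the script's argument (the ";" is where appended PowerShell begins), that a script host started from explorer.exe indicates a user-driven Run-box launch, and that powershell.exe spawned by wscript.exe/cscript.exe is worth a look; none of the events is real telemetry and the "payload" is a harmless Write-Host.

```python
# Constructed process-creation events in a Sysmon-like shape (Image,
# CommandLine, ParentImage). Invented for this example, not taken from the
# Blackpoint report; the injected "payload" is a harmless Write-Host.
EVENTS = [
    {"id": 1, "Image": r"C:\Windows\System32\cscript.exe",
     "CommandLine": r'cscript.exe "C:\Windows\System32\SyncAppvPublishingServer.vbs" n',
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"id": 2, "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'wscript C:\Windows\System32\SyncAppvPublishingServer.vbs "n;Write-Host demo"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"id": 3, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -NoProfile -Command Write-Host demo",
     "ParentImage": r"C:\Windows\System32\wscript.exe"},
    {"id": 4, "Image": r"C:\Program Files\Git\cmd\git.exe",
     "CommandLine": r"git fetch origin",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

APPV_SCRIPT = "syncappvpublishingserver.vbs"
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
SHELLS = ("powershell.exe", "pwsh.exe", "cmd.exe")
INTERACTIVE_PARENTS = ("explorer.exe",)       # Win+R / Run-box launches (assumption)


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def appv_argument(cmdline):
    """Text after the script path, i.e. what the .vbs hands on to PowerShell;
    None when the command line does not invoke the App-V publishing script."""
    i = cmdline.lower().find(APPV_SCRIPT)
    if i < 0:
        return None
    return cmdline[i + len(APPV_SCRIPT):].strip(' "')


def detect(events):
    """Return [(event id, [reasons])] for events matching the proxy-execution chain."""
    findings = []
    for e in events:
        image, parent = _basename(e["Image"]), _basename(e["ParentImage"])
        reasons = []
        arg = appv_argument(e["CommandLine"]) if image in SCRIPT_HOSTS else None
        if arg is not None:
            if ";" in arg:
                # Assumption: a ';' in the argument means extra PowerShell was
                # appended to whatever the script normally passes through.
                reasons.append("App-V publishing script run with injected command: %r" % arg)
            if parent in INTERACTIVE_PARENTS:
                reasons.append("script host started from %s (user-driven launch)" % parent)
        if image in SHELLS and parent in SCRIPT_HOSTS:
            reasons.append("%s spawned by %s (script-host proxy chain)" % (image, parent))
        if reasons:
            findings.append((e["id"], reasons))
    return findings


if __name__ == "__main__":
    for event_id, reasons in detect(EVENTS):
        print("event %d: %s" % (event_id, "; ".join(reasons)))
```

Event 1 is the benign baseline (no ";", service parent) and produces nothing; event 2 trips both script-level checks and event 3 the lineage check, so a rule that requires two of the three signals within a short window keeps the false-positive rate down while still catching the chain the article describes.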
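On the PackageGate item above: the quoted paragraph questions whether "disable lifecycle scripts and commit your lockfiles" is enough, and the BleepingComputer headline points at git dependencies as a way around it. A committed lockfile only pins what it records, so the practical check is to read the lockfile and list every dependency that is not an immutable tarball from the registry you trust. The following is an added example, not code from Koi, npm or the articles: it audits a constructed package-lock.json (lockfileVersion 2/3 layout) for git-sourced packages, packages fetched from other hosts, and packages that declare install scripts. The package names, versions, hosts and commit hash are invented.

```python
import json
from urllib.parse import urlparse

TRUSTED_REGISTRY_HOSTS = {"registry.npmjs.org"}
GIT_PREFIXES = ("git+", "git:", "github:", "gitlab:", "bitbucket:")

# Constructed package-lock.json in the lockfileVersion 2/3 layout. Names,
# versions, hosts and the commit hash are invented for this example;
# "left-pad-fork" stands in for any dependency pulled from git.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app",
             "dependencies": {"lodash": "^4.17.21",
                              "left-pad-fork": "github:example-org/left-pad-fork",
                              "esbuild": "^0.21.0",
                              "internal-lib": "^1.0.0"}},
        "node_modules/lodash": {
            "version": "4.17.21",
            "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz"},
        "node_modules/left-pad-fork": {
            "version": "1.3.0",
            "resolved": "git+ssh://git@github.com/example-org/left-pad-fork.git#" + "0" * 40},
        "node_modules/esbuild": {
            "version": "0.21.0",
            "resolved": "https://registry.npmjs.org/esbuild/-/esbuild-0.21.0.tgz",
            "hasInstallScript": True},
        "node_modules/internal-lib": {
            "version": "1.0.0",
            "resolved": "https://npm.example.invalid/internal-lib/-/internal-lib-1.0.0.tgz"},
    },
})


def audit_lockfile(lock_text, trusted_hosts=TRUSTED_REGISTRY_HOSTS):
    """Return (package name, reason) pairs for dependencies the lockfile does
    not pin to a tarball on a trusted registry, plus any package that declares
    an install script (which --ignore-scripts must then be relied on to block)."""
    lock = json.loads(lock_text)
    if lock.get("lockfileVersion", 1) < 2:
        raise ValueError("lockfileVersion 1 has no 'packages' map; regenerate with a current npm")
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if path == "" or meta.get("link"):       # the project itself / workspace symlink
            continue
        name = path.rsplit("node_modules/", 1)[-1]
        resolved = meta.get("resolved")
        if resolved is None:
            findings.append((name, "no 'resolved' URL: origin of the install is unknown"))
        elif resolved.startswith(GIT_PREFIXES):
            findings.append((name, "git dependency, cloned and built from source: " + resolved))
        elif urlparse(resolved).hostname not in trusted_hosts:
            findings.append((name, "tarball fetched outside the trusted registry: " + resolved))
        if meta.get("hasInstallScript"):
            findings.append((name, "declares a lifecycle install script"))
    return findings


if __name__ == "__main__":
    for name, reason in audit_lockfile(SAMPLE_LOCK):
        print("%-16s %s" % (name, reason))
```

Run it against a real lockfile with `audit_lockfile(open("package-lock.json").read())`; an empty result means every package is a registry tarball with no install hook, which is the state the Shai-Hulud playbook assumes but does not itself verify. Pass your private registry host in `trusted_hosts` if you mirror npm.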
