Cyber Threat Intelligence 02 February 2026
Industrial Sector
- Privileged File System Vulnerability Present In a SCADA System
"This report details a vulnerability we found in the Iconics Suite, tracked as CVE-2025-0921 with a Medium CVSS score of 6.5. Iconics Suite is the name of a supervisory control and data acquisition (SCADA) system. This system is used for controlling and monitoring industrial processes in different industries including automotive, energy and manufacturing."
https://unit42.paloaltonetworks.com/iconics-suite-cve-2025-0921/
Vulnerabilities
- SmarterMail Fixes Critical Unauthenticated RCE Flaw With CVSS 9.3 Score
"SmarterTools has addressed two more security flaws in SmarterMail email software, including one critical security flaw that could result in arbitrary code execution. The vulnerability, tracked as CVE-2026-24423, carries a CVSS score of 9.3 out of 10.0. "SmarterTools SmarterMail versions prior to build 9511 contain an unauthenticated remote code execution vulnerability in the ConnectToHub API method," according to a description of the flaw in CVE.org."
https://thehackernews.com/2026/01/smartermail-fixes-critical.html
https://securityaffairs.com/187496/security/smartertools-patches-critical-smartermail-flaw-allowing-code-execution.html
- CISA Adds One Known Exploited Vulnerability To Catalog
"CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
CVE-2026-1281 Ivanti Endpoint Manager Mobile (EPMM) Code Injection Vulnerability"
https://www.cisa.gov/news-events/alerts/2026/01/29/cisa-adds-one-known-exploited-vulnerability-catalog
https://securityaffairs.com/187488/security/u-s-cisa-adds-a-flaw-in-ivanti-epmm-to-its-known-exploited-vulnerabilities-catalog.html
- I Found a Bug That Exposed Private Instagram Posts To Anyone.
"In October 2025, I discovered a server-side vulnerability in Instagram that allowed completely unauthenticated access to private account posts. No login required. No follower relationship. Just an HTTP request with the right headers. Meta silently patched it within 48 hours of receiving my report. Then they closed my case as “Not Applicable” — officially maintaining the bug never existed, despite fixing exactly what I reported."
https://medium.com/@jatin.b.rx3/i-found-a-bug-that-exposed-private-instagram-posts-to-anyone-eebb7923f7e3
https://www.bleepingcomputer.com/news/security/researcher-reveals-evidence-of-private-instagram-profiles-leaking-photos/
Malware
- ShadowHS: A Fileless Linux Post‑Exploitation Framework Built On a Weaponized Hackshell
"Cyble Research & Intelligence Labs (CRIL) has identified a Linux intrusion chain leveraging a highly obfuscated, fileless loader that deploys a weaponized variant of hackshell entirely from memory. Cyble tracks this activity under the name ShadowHS, reflecting its fileless execution model and lineage from the original hackshell utility. Unlike conventional Linux malware that emphasizes automated propagation or immediate monetization, this activity prioritizes stealth, operator safety, and long‑term interactive control over compromised systems."
https://cyble.com/blog/shadowhs-fileless-linux-post-exploitation-framework/
- The Rise Of Arsink RAT
"Arsink is a cloud-native Android Remote Access Trojan (RAT) that aggressively harvests private data and gives remote operators intrusive control over infected devices. We observed multiple variants that use Google Apps Script to upload larger files and media to Google Drive, or Firebase Realtime Database + Firebase Storage & Telegram for C2 and exfiltration. The operation's significant scale is evidenced by the 1,216 distinct APK hashes identified across the observation period (Figure 1). Notably, 774 of these samples incorporate Google Apps Script or "macro" upload mechanisms, pointing to the extensive use of Google services for media and file exfiltration. The operation leverages 317 distinct Firebase Realtime Database endpoints as C2/data sinks, and our infrastructure enumeration extracted 45,000 unique victim IPs, demonstrating both scale and breadth of exposure."
https://zimperium.com/blog/the-rise-of-arsink-rat
https://hackread.com/arsink-spyware-whatsapp-youtube-instagram-tiktok/
- RedKitten: AI-Accelerated Campaign Targeting Iranian Protests
"RedKitten is a newly identified campaign targeting Iranian interests, likely including non-governmental organizations and individuals involved in documenting recent human rights abuses, first observed in early January 2026. The malware relies on GitHub and Google Drive for configuration and modular payload retrieval, and uses Telegram for command and control. This activity appears aligned with the “Dey 1404 Protests”, a wave of intense civil unrest in Iran that began in late December 2025, following widespread economic strikes in Tehran. The protests were met with a deadly crackdown involving mass arrests and extensive civilian casualties. We assess that the threat actor rapidly built this campaign using AI tools, as indicated by multiple traces of LLM-assisted development."
https://harfanglab.io/insidethelab/redkitten-ai-accelerated-campaign-targeting-iranian-protests/
https://thehackernews.com/2026/01/iran-linked-redkitten-cyber-campaign.html
https://www.infosecurity-magazine.com/news/ai-malware-redkitten-iranian/
- Malware Brief: New Wave Of Botnets Driving DDoS Chaos
"The botnet ecosystem continues to evolve rapidly, fueled by a flood of poorly secured consumer and small‑office hardware. Everything from routers and webcams to unauthorized Android TV streaming devices — often shipped with unvetted apps or hidden remote‑access features — has become part of a global substrate powering persistent DDoS operations. Here are three of the most dominant threats in today’s environment."
https://blog.barracuda.com/2026/01/29/malware-brief-new-wave-botnets-ddos-chaos
- Malicious Chrome Extension Performs Hidden Affiliate Hijacking
"Socket's Threat Research Team identified a malicious Chrome extension Amazon Ads Blocker that markets itself as a tool to hide sponsored content on Amazon. The extension does block ads as advertised, but its primary function is hidden: it automatically injects the developer's affiliate tag (10xprofit-20) into every Amazon product link and replaces existing affiliate codes from content creators."
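The rewrite described in the Amazon Ads Blocker item boils down to one query-string edit, and that is also what makes it detectable: the links in the page as served never carry the extension's tag, the links in the live DOM do. The following is an added example written for this digest, not code from the extension or from Socket. The sample links are constructed; "10xprofit-20" is the tag named in the write-up, and "creator-20" stands in for a content creator's legitimate tag.

```python
"""Added example (not the extension's own code or Socket's): the link rewrite an
affiliate-hijacking extension performs, and a check that catches it by diffing
links as served against links as seen in the live DOM.

Assumptions, labelled: the sample links are constructed for this example;
'10xprofit-20' is the tag named in the Socket write-up, 'creator-20' stands in
for a content creator's legitimate tag.
"""
from typing import List, Optional, Tuple
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit


def is_amazon(url: str) -> bool:
    """True for amazon.com and its subdomains (extend for other marketplaces)."""
    host = (urlsplit(url).hostname or "").lower()
    return host == "amazon.com" or host.endswith(".amazon.com")


def rewrite_affiliate_tag(url: str, new_tag: str) -> str:
    """The behaviour the write-up describes: set the 'tag' query parameter on an
    Amazon product link, replacing any creator tag already present.  Non-Amazon
    links are returned unchanged."""
    if not is_amazon(url):
        return url
    parts = urlsplit(url)
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True) if k != "tag"]
    query.append(("tag", new_tag))
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query), parts.fragment))


def affiliate_tag(url: str) -> Optional[str]:
    """Return the 'tag' parameter of a link, or None if it has none."""
    for k, v in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if k == "tag":
            return v
    return None


def detect_tag_hijack(served: List[str], observed: List[str]) -> List[Tuple[str, str, Optional[str], str]]:
    """Pair each link as served by the page (raw HTML fetched with no extensions
    loaded) with the same link as it appears in the live DOM.  Returns
    (served_url, observed_url, original_tag, injected_tag) for every link whose
    affiliate tag was added or replaced."""
    findings = []
    for before_url, after_url in zip(served, observed):
        before, after = affiliate_tag(before_url), affiliate_tag(after_url)
        if after is not None and after != before:
            findings.append((before_url, after_url, before, after))
    return findings


# Constructed sample: links as served, then as they look after a rewrite with the tag from the write-up.
SERVED_LINKS = [
    "https://www.amazon.com/dp/B000000000?tag=creator-20",  # creator's own tag: gets replaced
    "https://www.amazon.com/dp/B000000001",                  # no tag: one gets injected
    "https://example.org/review?tag=creator-20",             # not Amazon: must be left alone
]
OBSERVED_LINKS = [rewrite_affiliate_tag(u, "10xprofit-20") for u in SERVED_LINKS]

if __name__ == "__main__":
    for served_url, observed_url, before, after in detect_tag_hijack(SERVED_LINKS, OBSERVED_LINKS):
        print(f"{before!r} -> {after!r}: {served_url} => {observed_url}")
```

In practice the "served" side comes from fetching the page in a clean profile (or with `curl`) and the "observed" side from `document.querySelectorAll('a[href]')` in the profile that has the extension installed; any tag that appears only on the observed side and is not yours is the hijack.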
https://socket.dev/blog/malicious-chrome-extension-performs-hidden-affiliate-hijacking
https://thehackernews.com/2026/01/researchers-uncover-chrome-extensions.html
- DynoWiper Update: Technical Analysis And Attribution
"Sandworm is a Russia-aligned threat group that performs destructive attacks. It is mostly known for its attacks against Ukrainian energy companies in 2015-12 and 2016-12, which resulted in power outages. In 2017-06 Sandworm launched the NotPetya data-wiping attack that used a supply-chain vector by compromising the Ukrainian accounting software M.E.Doc. In 2018-02, Sandworm launched the Olympic Destroyer data-wiping attack against organizers of the 2018 Winter Olympics in Pyeongchang."
https://www.welivesecurity.com/en/eset-research/dynowiper-update-technical-analysis-attribution/
- Meet IClickFix: a Widespread WordPress-Targeting Framework Using The ClickFix Tactic
"In November 2025, during our threat hunting routine for unveiling emerging adversary clusters, TDR analysts identified a widespread malware distribution campaign leveraging the ClickFix social engineering tactic through a Traffic Distribution System (TDS). This cluster uses a malicious JavaScript framework injected into compromised WordPress sites to display the ClickFix lure and deliver NetSupport RAT. Because the initial JavaScript includes the distinctive HTML tag ic-tracker-js, we named the malicious framework “IClickFix”."
https://blog.sekoia.io/meet-iclickfix-a-widespread-wordpress-targeting-framework-using-the-clickfix-tactic/
- When Zoom Phishes You: Unmasking a Novel TOAD Attack Hidden In Legitimate Infrastructure
""Living off the Land" has become a preferred tactic for threat actors in many attack scenarios. This time, existing, “benign” components are being used as part of phishing campaigns. By leveraging the reputation of trusted services like PayPal and Zoom, attackers can slip past traditional Secure Email Gateways (SEGs) that whitelist these domains. Recently, Prophet AI investigated a phishing alert that turned out to be related to a highly sophisticated variation of this tactic: a Telephone-Oriented Attack Delivery (TOAD) campaign weaponizing Zoom’s own authentication infrastructure."
https://www.prophetsecurity.ai/blog/when-zoom-phishes-you-unmasking-a-novel-toad-attack-hidden-in-legitimate-infrastructure
- Cloud Storage Payment Scam Floods Inboxes With Fake Renewals
"Over the past few months, a large-scale cloud storage subscription scam campaign has been targeting users worldwide with repeated emails falsely warning recipients that their photos, files, and accounts are about to be blocked or deleted due to an alleged payment failure. Based on numerous emails seen by BleepingComputer, the campaign has escalated over the past few months, with people receiving multiple versions of the scam each day, all appearing to be sent by the same scammers. While the email text varies, the messages all attempt to create a sense of urgency by claiming a payment problem or storage issue must be resolved immediately, or people's files will be deleted or blocked."
https://www.bleepingcomputer.com/news/security/cloud-storage-payment-scam-floods-inboxes-with-fake-renewals/
- Vishing For Access: Tracking The Expansion Of ShinyHunters-Branded SaaS Data Theft
"Mandiant has identified an expansion in threat activity that uses tactics, techniques, and procedures (TTPs) consistent with prior ShinyHunters-branded extortion operations. These operations primarily leverage sophisticated voice phishing (vishing) and victim-branded credential harvesting sites to gain initial access to corporate environments by obtaining single sign-on (SSO) credentials and multi-factor authentication (MFA) codes. Once inside, the threat actors target cloud-based software-as-a-service (SaaS) applications to exfiltrate sensitive data and internal communications for use in subsequent extortion demands."
https://cloud.google.com/blog/topics/threat-intelligence/expansion-shinyhunters-saas-data-theft
https://www.bleepingcomputer.com/news/security/mandiant-details-how-shinyhunters-abuse-sso-to-steal-cloud-data/
https://thehackernews.com/2026/01/mandiant-finds-shinyhunters-using.html
- Pulsar RAT Powers Live Chat Driven Remote Control And Advanced Infostealer Delivery Via Donut Loader
"This investigation uncovered a sophisticated, multi-stage malware campaign leveraging living-off-the-land techniques and in-memory payload delivery to evade traditional security controls. The infection chain begins with a hidden batch file persisted via a per-user Run registry key, which extracts and executes an embedded PowerShell loader while minimizing disk artifacts. The PowerShell stage decrypts and injects Donut-generated-shellcode directly into legitimate Windows processes, employing delayed execution, process migration, and a watchdog mechanism to maintain resilient, stealthy persistence. Decryption of the shellcode revealed a heavily obfuscated .NET payload implementing a full-featured stealer and remote access framework."
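The first link in the chain above, a hidden batch file registered under the per-user Run key that hands off to a PowerShell loader, is the part a defender can hunt for cheaply on any host. The following is an added example for this digest, not code from the Point Wild report: it parses the text that `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` prints and flags two indicators the report's description supports, a script file autostarted from a user-writable folder and a PowerShell command line using hidden-window, encoded-command or policy-bypass switches. The sample output is constructed, and the base64 argument in it is a meaningless placeholder.

```python
r"""Added example, not code from the Point Wild report: audit the per-user Run
key for the persistence pattern the report describes (a batch file under a
user-writable folder that launches a PowerShell loader).  Input is the text
that `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` prints;
the sample below is constructed for this example and the encoded payload in
it is a meaningless placeholder.
"""
import re
from typing import Dict, List

# Folders an unprivileged user can write to (compared against lower-cased paths).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\downloads\\", "\\programdata\\")
# Script types that are odd as an autostart on their own (a .bat is what the report found).
SCRIPT_EXT = re.compile(r"\.(?:bat|cmd|vbs|js|ps1)\b")
# PowerShell switches that hide the window or feed it an encoded / policy-bypassing payload.
PS_SUSPICIOUS = re.compile(
    r"-(?:enc(?:odedcommand)?|w(?:indowstyle)?\s+hidden|nop(?:rofile)?|e(?:xecutionpolicy|p)\s+bypass)\b"
)
# One value line of `reg query` output: <indent><name><spaces><REG_TYPE><spaces><data>
ENTRY = re.compile(r"^\s+(.+?)\s+(REG_[A-Z_]+)\s+(.*)$")


def parse_reg_query(text: str) -> Dict[str, str]:
    """Map value name -> command for every value line in `reg query` output."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            entries[m.group(1)] = m.group(3).strip()
    return entries


def audit_run_entries(entries: Dict[str, str]) -> List[dict]:
    """Return one finding per Run value that matches either indicator."""
    findings = []
    for name, cmd in entries.items():
        low = cmd.lower()
        reasons = []
        if SCRIPT_EXT.search(low) and any(folder in low for folder in USER_WRITABLE):
            reasons.append("script file autostarted from a user-writable folder")
        if "powershell" in low and PS_SUSPICIOUS.search(low):
            reasons.append("powershell with hidden-window / encoded / bypass switches")
        if reasons:
            findings.append({"name": name, "command": cmd, "reasons": reasons})
    return findings


def audit_run_key_text(text: str) -> List[dict]:
    """Convenience wrapper: raw `reg query` text in, findings out."""
    return audit_run_entries(parse_reg_query(text))


# Constructed sample output: two benign autostarts and two that match the reported pattern.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    Updater    REG_SZ    cmd.exe /c "C:\Users\alice\AppData\Roaming\svc\update.bat"
    Loader    REG_SZ    powershell.exe -nop -w hidden -enc QQBBAEEA
"""

if __name__ == "__main__":
    for f in audit_run_key_text(SAMPLE_REG_QUERY):
        print(f"{f['name']}: {'; '.join(f['reasons'])}\n    {f['command']}")
```

Note that the OneDrive entry also lives under AppData and is deliberately not flagged: the path alone is a weak signal, and it is the combination with a script file (or with the PowerShell switches) that narrows the result to something worth opening. Extend the check to HKLM's Run key and the per-user Startup folder for full coverage.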
https://www.pointwild.com/threat-intelligence/when-malware-talks-back
https://hackread.com/windows-malware-pulsar-rat-live-chats-steal-data/
- CERT Polska Details Coordinated Cyber Attacks On 30+ Wind And Solar Farms
"CERT Polska, the Polish computer emergency response team, revealed that coordinated cyber attacks targeted more than 30 wind and photovoltaic farms, a private company from the manufacturing sector, and a large combined heat and power plant (CHP) supplying heat to almost half a million customers in the country. The incident took place on December 29, 2025. The agency has attributed the attacks to a threat cluster dubbed Static Tundra, which is also tracked as Berserk Bear, Blue Kraken, Crouching Yeti, Dragonfly, Energetic Bear, Ghost Blizzard (formerly Bromine), and Havex. Static Tundra is assessed to be linked to Russia's Federal Security Service's (FSB) Center 16 unit."
https://thehackernews.com/2026/01/poland-attributes-december-cyber.html
https://securityaffairs.com/187503/apt/cyberattacks-disrupt-communications-at-wind-solar-and-heat-facilities-in-poland.html
- MongoDB Ransom Isn’t Back – It Never Left
"Between 2017-2021, there was a series of research publications about MongoDB ransomware exploitation campaigns. These blogs described the same pattern. Someone in an organization made a mistake, which left MongoDB exposed to the world. The problem was that this MongoDB didn’t require any special authorization or password. So, anyone over the internet could have accessed and controlled that database."
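The mistake described above is two settings in `mongod.conf`: a listener bound to every interface, and access control left at its default, which is off. The following is an added example written for this digest, not code from Flare or from MongoDB: a small audit that reads a `mongod.conf` and reports the exposed combination. The two configurations are constructed; the option names `net.bindIp`, `net.bindIpAll` and `security.authorization` are real mongod options, and the minimal YAML parser only handles the two-level layout a typical `mongod.conf` uses.

```python
"""Added example (not from the Flare write-up or MongoDB): audit a mongod.conf
for the two settings behind the exposure the item describes - a listener on
every interface with access control left off.

Assumptions, labelled: both configs below are constructed for this example;
net.bindIp, net.bindIpAll and security.authorization are real mongod options.
Since MongoDB 3.6 the default bindIp is localhost and authorization defaults
to disabled, which is what the defaults in audit_mongod_conf() encode.
"""
from typing import Dict, List


def parse_simple_yaml(text: str) -> Dict[str, str]:
    """Minimal parser for the two-level 'section:' / '  key: value' layout of a
    typical mongod.conf, returning dotted keys.  Not a general YAML parser."""
    out, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        value = value.strip()
        if indent == 0:
            section = key
            if value:
                out[key] = value
        elif section:
            out[f"{section}.{key}"] = value
    return out


def audit_mongod_conf(text: str) -> List[str]:
    """Return human-readable findings; an empty list means both settings are sane."""
    cfg = parse_simple_yaml(text)
    findings = []
    bind_all = cfg.get("net.bindIpAll", "false").lower() == "true"
    bind_ips = [ip.strip() for ip in cfg.get("net.bindIp", "127.0.0.1").split(",")]
    exposed = bind_all or any(ip in ("0.0.0.0", "::") for ip in bind_ips)
    if exposed:
        findings.append("net.bindIp/bindIpAll: listener bound to all interfaces")
    if cfg.get("security.authorization", "disabled").lower() != "enabled":
        findings.append("security.authorization: access control disabled (default)")
    if exposed and len(findings) == 2:
        findings.append("CRITICAL: database reachable from any network without credentials")
    return findings


# Constructed: what the exposed instances in the 2017-2021 campaigns looked like.
WEAK_CONF = """\
net:
  port: 27017
  bindIp: 0.0.0.0          # listens on every interface
storage:
  dbPath: /var/lib/mongodb
"""  # no security section at all, so authorization stays at its default: disabled

# Constructed: the corrected form - loopback plus the application subnet, auth on.
HARDENED_CONF = """\
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5   # loopback plus the application host only
security:
  authorization: enabled
storage:
  dbPath: /var/lib/mongodb
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_mongod_conf(conf) or ["ok"])
```

Binding to a private address is not a substitute for authorization: a host on the same subnet, or a misconfigured firewall or cloud security group, still reaches the port, so both findings should be cleared, not one.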
https://flare.io/learn/resources/blog/mongodb-ransom/
https://www.bleepingcomputer.com/news/security/exposed-mongodb-instances-still-targeted-in-data-extortion-attacks/
- AI Security Startup CEO Posts a Job. Deepfake Candidate Applies, Inner Turmoil Ensues.
"Nearly every company, from tech giants like Amazon to small startups, has first-hand experience with fake IT workers applying for jobs - and sometimes even being hired. Even so, using a deepfake video to apply for a security researcher role with a company that does threat modeling for AI systems seems incredibly brash. "It's one of the most common discussion points that pops up in the CISO groups I'm in," Expel co-founder and CEO Jason Rebholz told The Register, talking about the North Korean-type job interview scam. "I did not think it was going to happen to me, but here we are.""
https://www.theregister.com/2026/02/01/ai_security_startup_ceo_posts/
Breaches/Hacks/Leaks
- Thousands More Oregon Residents Learn Their Health Data Was Stolen In TriZetto Breach
"Thousands more Oregonians will soon receive data breach letters in the continued fallout from the TriZetto data breach, in which someone hacked the insurance verification provider and gained access to its healthcare provider customers across multiple US states. The breach occurred back in November 2024, with intruders snooping through protected health information and other sensitive personal information belonging to hundreds of thousands of patients and insurance policy holders. TriZetto Provider Solutions (TPS) did not discover the digital thieves on their network until almost a year later."
https://www.theregister.com/2026/01/30/trizetto_health_data_stolen/
General News
- 2026 Crypto Crime Report
"Illicit crypto volume reached an all-time high of USD 158 billion in 2025, up nearly 145% from 2024. Despite the increase in absolute illicit volume, illicit volume as a proportion of overall crypto volume fell in 2025, from 1.3% in 2024 to 1.2% in 2025. While illicit activity represented a small share of overall on-chain volume, illicit entities captured 2.7% of available crypto liquidity in 2025, according to a new metric released by TRM that frames risk relative to deployable capital rather than raw transaction volume. Sanctions-related activity in 2025 was overwhelmingly driven by Russia-linked flows, largely due to the rapid growth of the ruble-pegged stablecoin A7A5, which processed more than USD 72 billion in total volume."
https://www.trmlabs.com/reports-and-whitepapers/2026-crypto-crime-report
https://www.bleepingcomputer.com/news/security/crypto-wallets-received-a-record-158-billion-in-illicit-funds-last-year/
- Out-Of-The-Box Expectations For 2026 Reveal a Grab-Bag Of Risk
"Conventional wisdom says that in the ever-evolving cybersecurity landscape, attackers and defenders are locked in a perennial, never-ending death match: increasing threat sophistication battling it out with corresponding shifts in corporate and governmental responses. The showdown rages on in 2026, made all the more interesting by the rise of AI-augmented everything."
https://www.darkreading.com/threat-intelligence/cyber-expectations-2026-grab-bag-risk
- 2026: The Year Agentic AI Becomes The Attack-Surface Poster Child
"As the digital landscape continues to transform, the security challenges organizations face are naturally evolving as well. The new year brings a bit of consensus around what's shaping security teams' priorities in 2026, and, surprise, surprise, a focus on agentic AI risk leads the pack, according to the latest Dark Reading readership poll."
https://www.darkreading.com/threat-intelligence/2026-agentic-ai-attack-surface-poster-child
- One Step Away From a Massive Data Breach: What We Found Inside MoltBot
"MoltBot (formerly ClawdBot) is a fast-growing, open-source AI “personal assistant” designed to control real accounts on a user’s behalf – including email, calendars, chat apps, browsers, and local files. It can connect to practically any tool or application through APIs and MCP integrations, then take actions by command – such as sending emails, updating calendars, setting reminders, running automations, and triggering other workflows."
https://www.ox.security/blog/one-step-away-from-a-massive-data-breach-what-we-found-inside-moltbot/
https://www.darkreading.com/application-security/openclaw-ai-runs-wild-business-environments
- Security Work Keeps Expanding, Even With AI In The Mix
"Board attention continues to rise, and security groups now operate closer to executive decision making than in prior years, a pattern reflected in the Voice of Security 2026 report by Tines. Within that environment, large numbers of teams already rely on AI, automation, and workflow tools as part of routine operations, creating a baseline expectation that AI plays a central role in security work."
https://www.helpnetsecurity.com/2026/01/30/central-role-ai-security-workflows/
https://www.tines.com/access/whitepaper/voice-of-security-2026/
- Security Teams Are Carrying More Tools With Less Confidence
"Enterprise environments now span multiple clouds, on-premises systems, and a steady flow of new applications. Hybrid and multi-cloud setups are common across large organizations, and they bring a constant stream of logs, alerts, and operational data. That environment already exists across many enterprises, and it frames a recent Sumo Logic study that examined how security leaders manage tooling, staffing, and detection across these systems."
https://www.helpnetsecurity.com/2026/01/30/security-operations-tooling-confidence/
- Badges, Bytes And Blackmail
"The growing sophistication and diversification of cybercrime have compelled law enforcement agencies worldwide to respond through increasingly coordinated and publicized actions. Yet, despite the visibility of these operations, there remains no comprehensive overview, to our knowledge, on how law enforcement is addressing cybercrime globally. Publicly available information is dispersed across agencies, jurisdictions, case-specific reporting (e.g., "Operation Endgame")[1], and reporting formats, offering fragmented insights rather than a cohesive understanding of what types of crime are being targeted, what actions are taken, and who the offenders are. This results in isolated glimpses rather than a consistent global picture."
https://thehackernews.com/2026/01/badges-bytes-and-blackmail.html
- Government Forfeits Over $400M In Assets Tied To Helix Darknet Cryptocurrency Mixer
"Last week, the government obtained legal title over more than $400 million in seized cryptocurrencies, real estate, and monetary assets tied to the operation of the darknet mixing service, Helix. As a mixing service, Helix blended cryptocurrency from multiple users and routed the funds through a series of transactions designed to obscure the funds’ sources, destinations, and owners."
https://www.justice.gov/opa/pr/government-forfeits-over-400m-assets-tied-helix-darknet-cryptocurrency-mixer
https://hackread.com/us-seizes-400m-helix-dark-web-crypto-mixer/
- DOJ Releases Details Of Alleged Talented Hacker Working For Jeffrey Epstein
"An FBI informant said in 2017 that Jeffrey Epstein had a “personal hacker,” according to one of the documents released by the Department of Justice (DoJ) as part of the Epstein Files. The accuracy and reliability of the information remain unclear because the document reflects only the informant’s allegations, not FBI findings. The hacker’s name is redacted, but the document says he was an Italian born in Calabria who sold his company to CrowdStrike in 2017 and later became a VP there, leaving enough clues to identify him."
https://securityaffairs.com/187515/laws-and-regulations/doj-releases-details-alleged-talented-hacker-working-for-jeffrey-epstein.html
Reference
Electronic Transactions Development Agency (ETDA)