Cyber Threat Intelligence 04 February 2026
Financial Sector
- The Three Most Disruptive Cyber Trends Impacting The Financial Industry Today
"The financial sector experienced an unprecedented rise in cyber incidents in 2025, with attacks more than doubling from 864 in 2024 to 1,858 in 2025. This acceleration reflects a dramatic shift in threat actor behavior, ranging from ideologically-motivated disruptions to commercialized cyber crime as a service. Below is a concise snapshot of the three dominant trends before we unpack them in detail."
https://blog.checkpoint.com/research/the-three-most-disruptive-cyber-trends-impacting-the-financial-industry-today/
Vulnerabilities
- SQL Injection Vulnerability In Quiz And Survey Master (QSM) Plugin Affecting 40k+ Sites
"The QSM plugin, with over 40,000 active installations, is a plugin for creating quizzes, surveys, and forms. It includes advanced features like multimedia support and a drag-and-drop quiz builder. In versions 10.3.1 and below, the QSM plugin is vulnerable to SQL injection, allowing any logged-in user to inject commands into the database. This means any Subscriber or higher user is able to perform a wide variety of unwanted actions, including potentially extracting sensitive information stored in the site's database."
https://patchstack.com/articles/sql-injection-vulnerability-in-quiz-and-survey-master-qsm-plugin-affecting-40k-sites/
https://www.infosecurity-magazine.com/news/wordpress-sql-injection-flaw-40000/
- CISA Adds Four Known Exploited Vulnerabilities To Catalog
"CISA has added four new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
CVE-2019-19006 Sangoma FreePBX Improper Authentication Vulnerability
CVE-2021-39935 GitLab Community and Enterprise Editions Server-Side Request Forgery (SSRF) Vulnerability
CVE-2025-40551 SolarWinds Web Help Desk Deserialization of Untrusted Data Vulnerability
CVE-2025-64328 Sangoma FreePBX OS Command Injection Vulnerability"
https://www.cisa.gov/news-events/alerts/2026/02/03/cisa-adds-four-known-exploited-vulnerabilities-catalog
https://www.bleepingcomputer.com/news/security/cisa-flags-critical-solarwinds-rce-flaw-as-actively-exploited/
https://therecord.media/cisa-orders-agencies-patch-solarwinds-vuln
https://securityaffairs.com/187592/security/u-s-cisa-adds-solarwinds-web-help-desk-sangoma-freepbx-and-gitlab-flaws-to-its-known-exploited-vulnerabilities-catalog.html
- DockerDash: Two Attack Paths, One AI Supply Chain Crisis
"Noma Labs discloses the discovery of DockerDash. DockerDash is a critical security flaw in Docker’s Ask Gordon AI (beta) assistant that exploits the entire execution chain from AI interpretation to tool execution. In DockerDash, a single malicious metadata label in a Docker image can be used to compromise your Docker environment through a simple three-stage attack: Gordon AI reads and interprets the malicious instruction, forwards it to the MCP Gateway, which then executes it through MCP tools. Every stage happens with zero validation, taking advantage of current agents and MCP Gateway architecture."
https://noma.security/blog/dockerdash-two-attack-paths-one-ai-supply-chain-crisis/
https://thehackernews.com/2026/02/docker-fixes-critical-ask-gordon-ai.html
https://www.infosecurity-magazine.com/news/dockerdash-weakness-dockers-ask/
- Hacking Moltbook: The AI Social Network Any Human Can Control
"Moltbook, the weirdly futuristic social network, has quickly gone viral as a forum where AI agents post and chat. But what we discovered tells a different story - and provides a fascinating look into what happens when applications are vibe-coded into existence without proper security controls. We identified a misconfigured Supabase database belonging to Moltbook, allowing full read and write access to all platform data. The exposure included 1.5 million API authentication tokens, 35,000 email addresses, and private messages between agents. We immediately disclosed the issue to the Moltbook team, who secured it within hours with our assistance, and all data accessed during the research and fix verification has been deleted."
https://www.wiz.io/blog/exposed-moltbook-database-reveals-millions-of-api-keys
https://www.infosecurity-magazine.com/news/moltbook-exposes-user-data-api/
- 1-Click RCE To Steal Your Moltbot Data And Keys (CVE-2026-25253)
"OpenClaw (formerly Moltbot and ClawdBot), the open-source AI personal assistant that can take actions on your behalf, is the most popular topic on X right now. It is already trusted by over 100,000 developers to hold the keys to their digital life, from iMessage/WhatsApp/Slack access to unrestricted local computer control. But when you grant an agent "god mode" permissions, the margin for error vanishes. While the community celebrated its capabilities, depthfirst General Security Intelligence silently audited its code and found a critical vulnerability. I investigated the finding, combined it with a vulnerability I discovered, and chained them into a 1-Click Remote Code Execution (RCE) exploit. With this exploit, a single visit to a malicious webpage was enough to hack your computer and AI assistant."
https://depthfirst.com/post/1-click-rce-to-steal-your-moltbot-data-and-keys
https://www.securityweek.com/vulnerability-allows-hackers-to-hijack-openclaw-ai-assistant/
- DIY AI Bot Farm OpenClaw Is a Security 'Dumpster Fire'
"OpenClaw, the AI-powered personal assistant users interact with via messaging apps and sometimes entrust with their credentials to various online services, has prompted a wave of malware and is delivering some shocking bills. Just last week, OpenClaw was known as Clawdbot, a name that its developers changed to Moltbot before settling on the new moniker."
https://www.theregister.com/2026/02/03/openclaw_security_problems/
Malware
- Dual-Mode Citrix Gateway Reconnaissance: When Residential Proxies Meet Version Hunting
"Between January 28 and February 2, 2026, the GreyNoise Global Observation Grid tracked a coordinated reconnaissance campaign against Citrix ADC Gateway and Netscaler Gateway infrastructure. The campaign ran two distinct modes: a massive distributed login panel discovery operation using residential proxy rotation, and a concentrated AWS-hosted version disclosure sprint. The numbers tell the story: 111,834 sessions, 63,000+ unique source IPs, and a 79% targeting rate against Citrix Gateway honeypots specifically. That last number matters—it’s well above baseline scanning noise, indicating deliberate infrastructure mapping rather than opportunistic crawling."
https://www.labs.greynoise.io/grimoire/2026-02-02-citrix-recon-residential-proxies/index.html
https://www.bleepingcomputer.com/news/security/wave-of-citrix-netscaler-scans-use-thousands-of-residential-proxies/
- Metro4Shell: Exploitation Of React Native’s Metro Server In The Wild
"VulnCheck observed exploitation of CVE-2025-11953 on December 21, 2025, when our Canary network recorded exploitation of a Metro Development Server. The vulnerability, which we jokingly refer to as Metro4Shell, was automatically added to VulnCheck KEV the same day. Additional exploitation observed in January delivered the same payloads on January 4, 2026 and January 21, 2026, indicating continued operational use. Now, more than a month after initial exploitation in the wild, that activity has yet to see broad public acknowledgment, and EPSS continues to assign a low exploitation probability of 0.00405. This gap between observed exploitation and wider recognition matters, particularly for vulnerabilities that are easy to exploit and, as internet-wide search data shows, exposed on the public internet."
https://www.vulncheck.com/blog/metro4shell_eitw
https://www.bleepingcomputer.com/news/security/hackers-exploit-critical-react-native-metro-bug-to-breach-dev-systems/
https://thehackernews.com/2026/02/hackers-exploit-metro4shell-rce-flaw-in.html
https://securityaffairs.com/187587/hacking/hackers-abused-react-native-cli-flaw-to-deploy-rust-malware-before-public-disclosure.html
https://www.securityweek.com/critical-react-native-vulnerability-exploited-in-the-wild/
https://www.theregister.com/2026/02/03/critical_react_native_metro_server/
- Fake Installer: Ultimately, ValleyRAT Infection
"Cybereason Security Services issue Threat Analysis reports to inform on impacting threats. The Threat Analysis reports investigate these threats and provide practical recommendations for protecting against them. In this Threat Analysis report, Cybereason Security Services investigates a fake installer attack we recently observed multiple times. We identified some findings that have not been documented in previous reports and obtained new threat intelligence insights from the malware."
https://www.cybereason.com/blog/fake-installer-valleyrat
- AI-Assisted Cloud Intrusion Achieves Admin Access In 8 Minutes
"On November 28, 2025, the Sysdig Threat Research Team (TRT) observed an offensive cloud operation targeting an AWS environment in which the threat actor went from initial access to administrative privileges in less than 10 minutes. The attack stood out not only for its speed, but also for multiple indicators that suggest the threat actor leveraged large language models (LLMs) throughout the operation to automate reconnaissance, generate malicious code, and make real-time decisions."
https://www.sysdig.com/blog/ai-assisted-cloud-intrusion-achieves-admin-access-in-8-minutes
https://www.darkreading.com/cloud-security/8-minute-access-ai-aws-environment-breach
- Researchers Warn Of New “Vect” RaaS Variant
"Security researchers have discovered a new ransomware-as-a-service (RaaS) group which has already victimized organizations in Brazil and South Africa. Dubbed “Vect,” the group is currently onboarding affiliates after launching a recruitment program in December 2025, according to ransomware specialist Halcyon. The group has claimed that its malware was built using C++ rather than repurposing leaked source code from the likes of Lockbit 3.0 or Conti, as is more common."
https://www.infosecurity-magazine.com/news/researchers-warn-new-vect-raas/
https://redpiranha.net/news/threat-intelligence-report-january-6-january-12-2026
- Infostealers Without Borders: MacOS, Python Stealers, And Platform Abuse
"Infostealer threats are rapidly expanding beyond traditional Windows-focused campaigns, increasingly targeting macOS environments, leveraging cross-platform languages such as Python, and abusing trusted platforms and utilities to silently deliver credential-stealing malware at scale. Since late 2025, Microsoft Defender Experts has observed macOS targeted infostealer campaigns using social engineering techniques—including ClickFix-style prompts and malicious DMG installers—to deploy macOS-specific infostealers such as DigitStealer, MacSync, and Atomic macOS Stealer (AMOS)."
https://www.microsoft.com/en-us/security/blog/2026/02/02/infostealers-without-borders-macos-python-stealers-and-platform-abuse/
Breaches/Hacks/Leaks
- Step Finance Says Compromised Execs' Devices Led To $40M Crypto Theft
"Step Finance announced that it lost $40 million worth of digital assets after hackers compromised devices belonging to the company's team of executives. The platform detected the breach on January 31 and engaged cybersecurity researchers who helped it recover some of the stolen assets. Step Finance is a decentralized finance (DeFi) platform and analytics tool built on the Solana blockchain that allows users to visualize, track, analyze, and manage their crypto assets and positions."
https://www.bleepingcomputer.com/news/security/step-finance-says-compromised-execs-devices-led-to-40m-crypto-theft/
- Iron Mountain: Data Breach Mostly Limited To Marketing Materials
"Iron Mountain, a leading data storage and recovery services company, says that a recent breach claimed by the Everest extortion gang is limited to mostly marketing materials. Headquartered in Portsmouth, New Hampshire, and founded in 1951, Iron Mountain specializes in data centers and records management, and has over 240,000 customers worldwide from more than 61 countries, including 95% of the Fortune 1000. The company's statement comes after the cybercrime group claimed on its dark web leak site that it had stolen 1.4 TB of "internal company documents" containing "personal documents and information on clients.""
https://www.bleepingcomputer.com/news/security/iron-mountain-data-breach-mostly-limited-to-marketing-materials/
- Everest Ransomware Claims 90GB Data Theft Involving Legacy Polycom Systems
"The Everest ransomware group has claimed responsibility for a data breach involving systems linked to Polycom, a legacy enterprise communications brand that was acquired by HP Inc. in 2022 and rebranded as Poly (HP Poly). The group alleges it obtained approximately 90GB of internal data. However, available evidence suggests the material may originate from legacy Polycom engineering or development environments that predate HP Inc.’s acquisition of the company."
https://hackread.com/everest-ransomware-data-theft-legacy-polycom-system/
General News
- AI, Explain Yourself: Why Is Explainable AI (XAI) Becoming Critical For Cybersecurity?
"It is ubiquitously accepted that AI is our most efficient counterpart. We’re all using it to some capacity, trusting and relying on its abilities not to replace, but to enhance our everyday lives. But just like human intelligence, understanding must be subjected to questioning time and again — artificial intelligence needs to be challenged similarly. AI models rely on inputs, perform data processing and normalization, use feature extraction, learn to assign weights and biases during training, to arrive at an output that they consider the most appropriate. This decision-making process is often complex and unclear, raising a critical question: why does AI arrive at a certain output the way it does?"
https://www.group-ib.com/blog/xai-cybersecurity/
- Open-Source Attacks Move Through Normal Development Workflows
"Software development relies on a steady flow of third-party code, automated updates, and fast release cycles. That environment has made the software supply chain a routine point of entry for attackers, with malicious activity blending into normal build and deployment processes. A recent ReversingLabs study documents how these conditions played out across open source ecosystems during 2025, with attackers leaning on scale, trust, and automation to spread malware and harvest credentials."
https://www.helpnetsecurity.com/2026/02/03/open-source-attacks-supply-chain-development-workflows/
- Dark Patterns Undermine Security, One Click At a Time
"Cookie banners with a "no reject" option. Free trial subscriptions that are absurdly difficult to cancel. Hidden refund options. Misleading email access requests. The list of dark patterns – deceptive user interface designs that toe the line between malicious and benign – grows more extensive by the year. Organizations plaster dark patterns across their websites as a marketing tactic or to enhance user experience. But they can be designed in ways that lure consumers into blindly giving more money or personal data."
https://www.darkreading.com/cyber-risk/dark-patterns-undermine-security-one-click-at-a-time
- International AI Safety Report 2026
"The second International AI Safety Report, published in February 2026, is the next iteration of the comprehensive review of latest scientific research on the capabilities and risks of general-purpose AI systems. Led by Turing Award winner Yoshua Bengio and authored by over 100 AI experts, the report is backed by over 30 countries and international organisations. It represents the largest global collaboration on AI safety to date."
https://internationalaisafetyreport.org/publication/international-ai-safety-report-2026
https://www.theregister.com/2026/02/03/autonomous_cyberattacks_not_real_yet/
- CISA Updated Ransomware Intel On 59 Bugs Last Year Without Telling Defenders
"On 59 occasions throughout 2025, the US Cybersecurity and Infrastructure Security Agency (CISA) silently tweaked vulnerability notices to reflect their use by ransomware crooks. Experts say that's a problem. "Frustrated" by the agency failing to notify defenders when key pieces of intel change, Glenn Thorpe, senior director of security research and detection engineering at GreyNoise, counted the number of missed opportunities to potentially stop ransomware attacks last year."
https://www.theregister.com/2026/02/03/greynoise_cisa_ransomware_gripe/
References
Electronic Transactions Development Agency (ETDA)