NCSA Webboard
    Cyber Threat Intelligence 10 February 2026

    Cyber Security News
    • NCSA_THAICERT
      Last edited by NCSA_THAICERT

      Vulnerabilities

      • BeyondTrust Warns Of Critical RCE Flaw In Remote Support Software
        "BeyondTrust warned customers to patch a critical security flaw in its Remote Support (RS) and Privileged Remote Access (PRA) software that could allow unauthenticated attackers to execute arbitrary code remotely. Tracked as CVE-2026-1731, this pre-authentication remote code execution vulnerability stems from an OS command injection weakness discovered by Harsh Jaiswal and the Hacktron AI team, and it affects BeyondTrust Remote Support 25.3.1 or earlier and Privileged Remote Access 24.3.4 or earlier. Threat actors with no privileges can exploit it through maliciously crafted client requests in low-complexity attacks that don't require user interaction."
        https://www.bleepingcomputer.com/news/security/beyondtrust-warns-of-critical-rce-flaw-in-remote-support-software/
        https://www.beyondtrust.com/trust-center/security-advisories/bt26-02
        https://thehackernews.com/2026/02/beyondtrust-fixes-critical-pre-auth-rce.html
        https://securityaffairs.com/187776/security/beyondtrust-fixes-critical-pre-auth-bug-allowing-remote-code-execution.html
        https://www.helpnetsecurity.com/2026/02/09/beyondtrust-remote-access-vulnerability-cve-2026-1731/
      • Claude Desktop Extensions Exposes Over 10,000 Users To Remote Code Execution Vulnerability
        "LayerX discovered a zero-click remote code execution (RCE) vulnerability in Claude Desktop Extensions (DXT), in which a single Google Calendar event can silently compromise a system running Claude Desktop Extensions. The flaw impacts more than 10,000 active users and 50 DXT extensions. Unlike traditional browser extensions, Claude Desktop Extensions run unsandboxed with full system privileges. As a result, Claude can autonomously chain low-risk connectors (e.g., Google Calendar) to high-risk local executors, without user awareness or consent. If exploited by a bad actor, even a benign prompt (“take care of it”), coupled with a maliciously worded calendar event, is sufficient to trigger arbitrary local code execution that compromises the entire system."
        https://layerxsecurity.com/blog/claude-desktop-extensions-rce/
        https://www.infosecurity-magazine.com/news/zeroclick-flaw-claude-dxt/
      • Critical Fortinet FortiClientEMS Flaw Allows Remote Code Execution
        "Fortinet issued an urgent advisory to address a critical FortiClientEMS vulnerability, tracked as CVE-2026-21643 (CVSS score of 9.1). The vulnerability is an improper neutralization of special elements used in an SQL Command (‘SQL Injection’) issue in FortiClientEMS. An unauthenticated attacker can trigger the flaw to execute unauthorized code or commands via specifically crafted HTTP requests. “An improper neutralization of special elements used in an SQL Command (‘SQL Injection’) vulnerability [CWE-89] in FortiClientEMS may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted HTTP requests.” reads the advisory."
        https://securityaffairs.com/187787/security/critical-fortinet-forticlientems-flaw-allows-remote-code-execution.html
        https://fortiguard.fortinet.com/psirt/FG-IR-25-1142

      Malware

      • Active Exploitation Of SolarWinds Web Help Desk
        "On February 7, 2026, Huntress SOC analyst Dipo Rodipe investigated a case of SolarWinds Web Help Desk exploitation, in which the threat actor rapidly deployed Zoho Meetings and Cloudflare tunnels for persistence, as well as Velociraptor for means of command and control. This intrusion stemmed from the many recently disclosed vulnerabilities affecting SolarWinds WHD. The most critical vulnerabilities grant an adversary arbitrary code execution via untrusted deserialization -- CVE-2025-40551 was recently added to CISA’s Known Exploited Vulnerabilities database, and CVE-2025-26399 was just recently discussed by Microsoft and other vendors who have also observed active in-the-wild exploitation."
        https://www.huntress.com/blog/active-exploitation-solarwinds-web-help-desk-cve-2025-26399
        https://www.bleepingcomputer.com/news/security/threat-actors-exploit-solarwinds-wdh-flaws-to-deploy-velociraptor/
        https://thehackernews.com/2026/02/solarwinds-web-help-desk-exploited-for.html
        https://www.securityweek.com/recent-solarwinds-flaws-potentially-exploited-as-zero-days/
        https://securityaffairs.com/187761/security/attackers-abuse-solarwinds-web-help-desk-to-install-zoho-agents-and-velociraptor.html
        https://www.theregister.com/2026/02/09/solarwinds_mystery_whd_attack/
      • Largest Multi-Agency Cyber Operation Mounted To Counter Threat Posed By Advanced Persistent Threat (APT) Actor UNC3886 To Singapore’s Telecommunications Sector
        "On 18 July 2025, Coordinating Minister for National Security Mr K Shanmugam shared that Advanced Persistent Threat (APT) actor UNC3886 had been detected attacking our critical infrastructure. No further details were shared then, to preserve operational security. Over the past months, our investigations have indicated that UNC3886 had launched a deliberate, targeted, and well-planned campaign against Singapore’s telecommunications sector. All four of Singapore’s major telecommunications operators (“telcos”) – M1, SIMBA Telecom, Singtel and StarHub – have been the target of attacks."
        https://www.csa.gov.sg/news-events/press-releases/largest-multi-agency-cyber-operation-mounted-to-counter-threat-posed-by-advanced-persistent-threat--apt--actor-unc3886-to-singapore-s-telecommunications-sector/
        https://www.bleepingcomputer.com/news/security/chinese-cyberspies-breach-singapores-four-largest-telcos/
        https://thehackernews.com/2026/02/china-linked-unc3886-targets-singapore.html
        https://therecord.media/singapore-attributes-telecoms-hacks-unc3886
      • Storm-2603 Exploits CVE-2026-23760 To Stage Warlock Ransomware
        "ReliaQuest has identified active exploitation of a vulnerability in SmarterTools SmarterMail email server software (CVE-2026-23760), attributed with moderate-to-high confidence to “Storm-2603.” This appears to be the first observed exploitation linking the China-based actor to the vulnerability as an entry point for its “Warlock” ransomware operations. While this vulnerability allows attackers to bypass authentication and reset administrator passwords, Storm-2603 chains this access with the software’s built-in “Volume Mount” feature to gain full system control. Upon entry, the group installs Velociraptor, a legitimate digital forensics tool it has used in previous campaigns, to maintain access and set the stage for ransomware."
        https://reliaquest.com/blog/threat-spotlight-storm-2603-exploits-CVE-2026-23760-to-stage-warlock-ransomware/
        https://www.bleepingcomputer.com/news/security/hackers-breach-smartertools-network-using-flaw-in-its-own-software/
        https://www.darkreading.com/application-security/warlock-gang-breaches-smartertools-smartermail-bugs
        https://www.securityweek.com/smartertools-hit-by-ransomware-via-vulnerability-in-its-own-product/
        https://www.helpnetsecurity.com/2026/02/09/smartertools-breach-smartermail-vulnerability/
      • Threat Alert: TeamPCP, An Emerging Force In The Cloud Native And Ransomware Landscape
        "TeamPCP (a.k.a. PCPcat, ShellForce, and DeadCatx3) launched a massive campaign in December 2025 targeting cloud native environments as part of a worm-driven operation that systematically abused exposed Docker APIs, Kubernetes clusters, Ray dashboards, Redis servers, and the React2Shell vulnerability. The operation’s goals were to build a distributed proxy and scanning infrastructure at scale, then compromise servers to exfiltrate data, deploy ransomware, conduct extortion, and mine cryptocurrency."
        https://flare.io/learn/resources/blog/teampcp-cloud-native-ransomware
        https://thehackernews.com/2026/02/teampcp-worm-exploits-cloud.html
        https://www.darkreading.com/cloud-security/teampcp-cloud-infrastructure-crime-bots
      • Reynolds: Defense Evasion Capability Embedded In Ransomware Payload
        "A recent Reynolds ransomware campaign was notable because the ransomware contained a bring-your-own-vulnerable-driver (BYOVD) defense evasion component embedded within the ransomware payload itself. Normally the BYOVD defense evasion component of an attack would involve a distinct tool that would be deployed on the system prior to the ransomware payload in order to disable security software. However, in this attack, the vulnerable driver (an NsecSoft NSecKrnl driver) was bundled with the ransomware itself."
        https://www.security.com/threat-intelligence/black-basta-ransomware-byovd
        https://www.darkreading.com/threat-intelligence/black-basta-bundles-byovd-ransomware-payload
      • Phorpiex Phishing Campaign Delivers GLOBAL GROUP Ransomware
        "We recently observed a high-volume Phorpiex campaign delivered through phishing emails with the subject "Your Document." It's a subject line that's been heavily used in large-scale campaigns throughout 2024 and 2025. The phishing email includes a seemingly harmless attachment that is in fact a weaponised Windows Shortcut (.lnk) file. This malicious shortcut highlights how attackers continue to exploit everyday file types to gain an initial foothold in a victim's system. By combining social engineering, stealthy execution, and Living-off-the-Land (LotL) techniques, the file silently retrieves and launches a second stage payload raising suspicion."
        https://www.forcepoint.com/blog/x-labs/phorpiex-global-group-ransomware-lnk-phishing
        https://hackread.com/hackers-global-group-ransomware-offline-phishing-emails/
      • VoidLink: Dissecting An AI-Generated C2 Implant
        "VoidLink is a Linux C2 framework capable of generating implant binaries for deployment across cloud and enterprise environments. This analysis focuses on the implant “the agent component” which is designed for long-term access, credential theft, and data exfiltration. Our analysis found strong indicators that the implant was built using an LLM coding agent. Structured “Phase X:” labels, verbose debug logging, and documentation patterns left in the production binary point to automated code generation with minimal human review."
        https://www.ontinue.com/resource/voidlink-dissecting-an-ai-generated-c2-implant/
        https://www.infosecurity-magazine.com/news/voidlink-malware-multi-cloud-ai/
      • Fake 7-Zip Downloads Are Turning Home PCs Into Proxy Nodes
        "A convincing lookalike of the popular 7-Zip archiver site has been serving a trojanized installer that silently converts victims’ machines into residential proxy nodes—and it has been hiding in plain sight for some time. A PC builder recently turned to Reddit’s r/pcmasterrace community in a panic after realizing they had downloaded 7‑Zip from the wrong website. Following a YouTube tutorial for a new build, they were instructed to download 7‑Zip from 7zip[.]com, unaware that the legitimate project is hosted exclusively at 7-zip.org."
        https://www.malwarebytes.com/blog/threat-intel/2026/02/fake-7-zip-downloads-are-turning-home-pcs-into-proxy-nodes
      • Technical Analysis Of GuLoader Obfuscation Techniques
        "GuLoader (also known as CloudEye) is a highly obfuscated malware family that was first observed in December 2019. It serves primarily as a downloader for Remote Access Trojans (RATs) and information stealers, which are delivered to compromised systems. The threat actors that distribute GuLoader often host malware on legitimate platforms including Google Drive and OneDrive to evade reputation-based detection. In this blog post, Zscaler ThreatLabz explores the anti-analysis techniques that GuLoader employs including polymorphic code to dynamically construct constant and string values, as well as complex exception-based control flow obfuscation."
        https://www.zscaler.com/blogs/security-research/technical-analysis-guloader-obfuscation-techniques
      • Leaked Technical Documents Show China Rehearsing Cyberattacks On Neighbors’ Critical Infrastructure
        "China appears to be using a secret training platform to rehearse cyberattacks against the critical infrastructure of its closest neighbors, according to a cache of leaked technical documents reviewed by Recorded Future News. Beijing has long been accused of running extensive offensive cyber campaigns by Western officials and cybersecurity researchers, with those allegations usually based on intelligence assessments and technical forensics obtained following a hack. The leaked materials, which include source code, training information and software assets, provide rare documentary insight into the preparation that could support such attacks before they take place."
        https://therecord.media/leaked-china-documents-show-testing-cyber-neighbors
      • Killings, Torturing, And Smuggling: How An Infostealer Exposed An ISIS Cell’s XMPP Network
        "A compromised machine in Lebanon – most likely belonging to a person named قسورة (Qasura), a local ISIS cell commander – contained explosive synthesis manuals, jihadist propaganda, and locally stored XMPP chat logs that should have been encrypted. The chats reveal Qasura receiving direct instructions from Syria-based operatives, coordinating IED attacks that killed security personnel, requesting religious permission for torture, managing cross-border smuggling routes, handling money transfers through Turkey and Syria, and shipping detonator components across the region. Through this single compromised machine, we were able to map the entire cell hierarchy from local commander to senior leadership."
        https://www.infostealers.com/article/killings-torturing-and-smuggling-how-an-infostealer-exposed-an-isis-cells-xmpp-network/
      • UNC1069 Targets Cryptocurrency Sector With New Tooling And AI-Enabled Social Engineering
        "North Korean threat actors continue to evolve their tradecraft to target the cryptocurrency and decentralized finance (DeFi) verticals. Mandiant recently investigated an intrusion targeting a FinTech entity within this sector, attributed to UNC1069, a financially motivated threat actor active since at least 2018. This investigation revealed a tailored intrusion resulting in the deployment of seven unique malware families, including a new set of tooling designed to capture host and victim data: SILENCELIFT, DEEPBREATH and CHROMEPUSH. The intrusion relied on a social engineering scheme involving a compromised Telegram account, a fake Zoom meeting, a ClickFix infection vector, and reported usage of AI-generated video to deceive the victim."
        https://cloud.google.com/blog/topics/threat-intelligence/unc1069-targets-cryptocurrency-ai-social-engineering

      Breaches/Hacks/Leaks

      • Fallout From Latest Ivanti Zero-Days Spreads To Nearly 100 Victims
        "Ivanti customers, including major government agencies, face mounting pressure as attackers expand their scope of targets to exploit a pair of vulnerabilities the vendor disclosed late January after in-the-wild attacks already occurred. The Netherlands’ Dutch Data Protection Authority and the Council for the Judiciary confirmed both agencies were impacted by attacks linked to the Ivanti Endpoint Manager Mobile (EPMM) zero-day vulnerabilities, according to a notice sent to the country’s parliament Friday. The European Commission also said it found evidence of a cyberattack on its “central infrastructure managing mobile devices,” but it did not identify the vendor in a statement Thursday."
        https://cyberscoop.com/ivanti-zero-day-vulnerabilities-netherlands-european-commission-shadowserver/
        https://ec.europa.eu/commission/presscorner/detail/en/ip_26_342
        https://www.bankinfosecurity.com/ivanti-zero-days-likely-deployed-in-eu-dutch-hacks-a-30717
        https://www.bleepingcomputer.com/news/security/european-commission-discloses-breach-that-exposed-staff-data/
        https://therecord.media/eu-dutch-government-announce-hacks-ivanti-zero-days
        https://hackread.com/cyber-attack-european-commission-staff-mobile-systems/
        https://www.securityweek.com/european-commission-investigating-cyberattack/
        https://securityaffairs.com/187768/data-breach/european-commission-probes-cyberattack-on-mobile-device-management-system.html
        https://www.theregister.com/2026/02/09/dutch_data_protection_ivanti/
        https://www.theregister.com/2026/02/09/european_commission_phone_breach/
        https://www.helpnetsecurity.com/2026/02/09/european-commission-ivanti-epmm-vulnerabilities/
      • AI Chat App Leak Exposes 300 Million Messages Tied To 25 Million Users
        "An independent security researcher uncovered a major data breach affecting Chat & Ask AI, one of the most popular AI chat apps on Google Play and Apple App Store, with more than 50 million users. The researcher claims to have accessed 300 million messages from over 25 million users due to an exposed database. These messages reportedly included, among other things, discussions of illegal activities and requests for suicide assistance."
        https://www.malwarebytes.com/blog/news/2026/02/ai-chat-app-leak-exposes-300-million-messages-tied-to-25-million-users
      • Senegal Confirms Breach Of National ID Card Department After Ransomware Claims
        "A cybersecurity incident affecting the government of Senegal has forced the closure of an office tasked with managing sensitive information, including national ID cards, passports and other biometric data. The Directorate of File Automation (DAF) sent out a notice last week warning the country’s 19.5 million residents that a cyberattack had forced the government to temporarily suspend the office’s operations."
        https://therecord.media/senegal-breach-national-id-agency

      General News

      • United Airlines CISO On Building Resilience When Disruption Is Inevitable
        "Aviation runs on complex digital systems built for stability, safety, and long lifecycles. That reality creates a unique cybersecurity challenge for airlines, where disruption can quickly become an operational and public trust crisis. In this Help Net Security interview, Deneen DeFiore, VP and CISO at United Airlines, explains how the company approaches modernization without compromising safety-critical environments, why resilience and continuity matter as much as prevention, and how the airline manages risk across an interconnected ecosystem of vendors, partners, and infrastructure providers. DeFiore also shares how cross-functional collaboration shapes incident response when the stakes include passengers in the air."
        https://www.helpnetsecurity.com/2026/02/09/deneen-defiore-united-airlines-aviation-cybersecurity-strategy/
      • AI Agents Behave Like Users, But Don’t Follow The Same Rules
        "Security and governance approaches to autonomous AI agents rely on static credentials, inconsistent controls, and limited visibility. Securing these agents requires the same rigor and traceability applied to human users, according to Cloud Security Alliance’s Securing Autonomous AI Agents report. Autonomous AI agents act on behalf of humans, accessing data and making decisions with business impact. Organizations are deploying them across production environments, pilots, tests, and broader AI or automation initiatives. As a result, agents operate across multiple environments, expanding the agentic workforce without corresponding governance and IAM controls."
        https://www.helpnetsecurity.com/2026/02/09/securing-autonomous-ai-agents-rules/
      • Social Media Platforms Earn Billions From Scam Ads
        "Social media sites received nearly £3.8bn ($5.2bn) in revenue from malicious ads in Europe in 2025, off the back of almost one trillion impressions, according to Juniper Research. The analyst used publicly available data to study ads on Facebook, Instagram, TikTok, Snapchat, X (formerly Twitter) and LinkedIn, across 11 European markets including the UK. It defined a scam ad as a “deceptive paid post that misleads users into giving money, personal information, or account access by falsely advertising products, services, or investment opportunities.”"
        https://www.infosecurity-magazine.com/news/social-media-platforms-billions/
        https://www.juniperresearch.com/resources/free-research/protecting-users-from-scam-ads-a-call-for-social-media-platform-accountability/
      • Beyond The Hype: Moltbot’s Real Risk Is Exposed Infrastructure, Not AI Superintelligence
        "Over the past several days, OpenClaw (formerly known as Clawdbot and Moltbot) has drawn intense attention across social media and headlines. Much of that attention has focused on speculation about artificial general intelligence (AGI) and the Singularity or autonomous AI agents operating without human control. Some posts focus on the OpenClaw agents interacting on Moltbook, a supposed social media network for agents, where they claim to have created their own religion and plans to revolt. That framing misses the real issue. The SecurityScorecard STRIKE Threat Intelligence Team is releasing research today that shows that the actual risk behind OpenClaw is access and exposed infrastructure. Our live reconnaissance data reveals tens of thousands of internet-facing OpenClaw deployments, many running vulnerable versions, many already correlated with prior breaches. Some users are configuring bots with personal names and company names, revealing who is using these tools."
        https://securityscorecard.com/blog/beyond-the-hype-moltbots-real-risk-is-exposed-infrastructure-not-ai-superintelligence/
        https://www.theregister.com/2026/02/09/openclaw_instances_exposed_vibe_code/
        https://www.infosecurity-magazine.com/news/researchers-40000-exposed-openclaw/
      • Why Zero-Day Downstream Mass Data Extortion Campaigns Are Losing Their Bite
        "Q4 of 2025 was marked by the latest large-scale data theft campaign by the CL0P ransomware gang, this time exploiting a zero-day vulnerability in Oracle E-Business Suite (EBS). The campaign came from a playbook CL0P pioneered nearly five years ago. The strategy involves: purchase a zero-day exploit of a widely used enterprise file transfer or data storage appliance, compromise as many instances as possible before detection, exfiltrate as much data as possible from as many downstream customers as possible, and finally monetize at scale the attack through extortion of each unique downstream party. This strategy does not involve the encryption of the target assets. Often the entire attack chain occurs outside of the victim’s network. This was the 5th campaign where CL0P followed this playbook, and the financial outcome for CL0P tells an interesting story about the current state of cyber extortion."
        https://www.coveware.com/blog/2026/2/3/mass-data-exfiltration-campaigns-lose-their-edge-in-q4-2025
        https://www.securityweek.com/ransomware-groups-may-pivot-back-to-encryption-as-data-theft-tactics-falter/

      Reference
      Electronic Transactions Development Agency (ETDA)
