NCSA Webboard

    Cyber Threat Intelligence 18 February 2026

    • NCSA_THAICERT

      Financial Sector

      • Your Encrypted Data Is Already Being Stolen
        "Quantum computing is often treated as a distant, theoretical cybersecurity issue. According to Ronit Ghose, Global Head, Future of Finance of Citi Institute, that mindset is already putting financial institutions at risk. The biggest misconception, he says, is that quantum threats begin on a single future Q-day, when quantum machines suddenly crack encryption. In reality, adversaries can harvest encrypted data today and decrypt it later, creating long-term exposure for banks handling sensitive identity and transaction data. Ghose argues that quantum risk is both an immediate confidentiality problem and a systemic trust crisis."
        https://www.helpnetsecurity.com/2026/02/17/ronit-ghose-citi-institute-quantum-risk-financial-services/

      Industrial Sector

      • OT Teams Are Losing The Time Advantage Against Industrial Threat Actors
        "In many industrial environments, internet-facing gateways, remote access appliances, and boundary systems sit close enough to production networks that attackers can move from IT intrusion to operational disruption with limited resistance. Dragos’ 2026 OT/ICS Year in Review describes a threat landscape where adversaries are spending more time learning how physical processes work and less time treating OT access as a passive foothold. A shift in 2025 involved multiple state-aligned groups moving into control-loop mapping. That includes identifying engineering workstations, pulling configuration and alarm files, and collecting enough operational context to interfere with physical outcomes. Control-loop mapping removes a key barrier between unauthorized access and physical impact, since attackers no longer need to guess how a process behaves."
        https://www.helpnetsecurity.com/2026/02/17/ot-cybersecurity-threats-2026-research/
        https://www.dragos.com/ot-cybersecurity-year-in-review#download-report-2026
        https://www.darkreading.com/threat-intelligence/poland-energy-attack-wind-solar-infrastructure
        https://www.infosecurity-magazine.com/news/rise-in-ransomware-targeting/
        https://www.securityweek.com/3-threat-groups-started-targeting-ics-ot-in-2025-dragos/
        https://www.theregister.com/2026/02/17/volt_typhoon_dragos/
      • Cyber Insights 2026: The Ongoing Fight To Secure Industrial Control Systems
        "The cybersecurity challenge for Industrial Control Systems (ICS) is they were designed in conditions of peace but now operate in a continuous war zone. Bryson Bort, CEO and founder at SCYTHE, starts his conversations on ICS security with a joke: ‘How can you tell a computer is an ICS?… It’s at least 20 years old.’ The purpose is not to elicit laughter but to make people think. “Once the humor passes and the reality sets in, the scale of the problem – an entrenched ecosystem with the inertia of security challenges baked in for years – becomes apparent.”"
        https://www.securityweek.com/cyber-insights-2026-the-ongoing-fight-to-secure-industrial-control-systems/

      Vulnerabilities

      • From BRICKSTORM To GRIMBOLT: UNC6201 Exploiting a Dell RecoverPoint For Virtual Machines Zero-Day
        "Mandiant and Google Threat Intelligence Group (GTIG) have identified the zero-day exploitation of a high-risk vulnerability in Dell RecoverPoint for Virtual Machines, tracked as CVE-2026-22769, with a CVSSv3.1 score of 10.0. Analysis of incident response engagements revealed that UNC6201, a suspected PRC-nexus threat cluster, has exploited this flaw since at least mid-2024 to move laterally, maintain persistent access, and deploy malware including SLAYSTYLE, BRICKSTORM, and a novel backdoor tracked as GRIMBOLT. The initial access vector for these incidents was not confirmed, but UNC6201 is known to target edge appliances (such as VPN concentrators) for initial access. There are notable overlaps between UNC6201 and UNC5221, which has been used synonymously with the actor publicly reported as Silk Typhoon, although GTIG does not currently consider the two clusters to be the same."
        https://cloud.google.com/blog/topics/threat-intelligence/unc6201-exploiting-dell-recoverpoint-zero-day/
        https://www.dell.com/support/kbdoc/en-us/000426773/dsa-2026-079
        https://www.bleepingcomputer.com/news/security/chinese-hackers-exploiting-dell-zero-day-flaw-since-mid-2024/
        https://www.theregister.com/2026/02/18/dell_0day_brickstorm_campaign/
        https://cyberscoop.com/china-brickstorm-grimbolt-dell-zero-day/
      • Live Server VS Code Extension Allows Remote Exfiltration Of Local Files
        "Live Server is a Visual Studio Code extension that starts a local development HTTP server and automatically reloads the browser when files in the workspace change, supporting both static and dynamic pages. It provides configurable options such as the server root, port, host, default browser, proxy settings, and HTTPS. The extension also supports multiple workspace roots and watches for file changes to trigger live reloads, allowing developers to preview changes in real time without manually refreshing the browser. We discovered a vulnerability in the Live Server extension for VS Code that allows a remote, unauthenticated attacker to exfiltrate files from a developer’s local machine. Attackers only need to send a malicious link to the victim while Live Server is running in the background."
        https://www.ox.security/blog/cve-2025-65717-live-server-vscode-vulnerability/
        https://www.bleepingcomputer.com/news/security/flaws-in-popular-vscode-extensions-expose-developers-to-attacks/
      • CISA Adds Four Known Exploited Vulnerabilities To Catalog
        "CISA has added four new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
        CVE-2008-0015 Microsoft Windows Video ActiveX Control Remote Code Execution Vulnerability
        CVE-2020-7796 Synacor Zimbra Collaboration Suite (ZCS) Server-Side Request Forgery Vulnerability
        CVE-2024-7694 TeamT5 ThreatSonar Anti-Ransomware Unrestricted Upload of File with Dangerous Type Vulnerability
        CVE-2026-2441 Google Chromium CSS Use-After-Free Vulnerability"
        https://www.cisa.gov/news-events/alerts/2026/02/17/cisa-adds-four-known-exploited-vulnerabilities-catalog

      Malware

      • Divide And Conquer: How The New Keenadu Backdoor Exposed Links Between Major Android Botnets
        "In April 2025, we reported on a then-new iteration of the Triada backdoor that had compromised the firmware of counterfeit Android devices sold across major marketplaces. The malware was deployed to the system partitions and hooked into Zygote – the parent process for all Android apps – to infect any app on the device. This allowed the Trojan to exfiltrate credentials from messaging apps and social media platforms, among other things."
        https://securelist.com/keenadu-android-backdoor/118913/
        https://thehackernews.com/2026/02/keenadu-firmware-backdoor-infects.html
        https://www.bleepingcomputer.com/news/security/new-keenadu-backdoor-found-in-android-firmware-google-play-apps/
        https://www.darkreading.com/mobile-security/supply-chain-attack-embeds-malware-android-devices
        https://www.helpnetsecurity.com/2026/02/17/firmware-level-android-backdoor-keenadu-tablets/
      • Hackers Abuse ScreenConnect To Hijack PCs Via Fake Social Security Emails
        "A new wave of cyberattacks is stalking organisations across the UK, US, Canada, and Northern Ireland. According to the latest research from Forcepoint X-labs, attackers are impersonating the US Social Security Administration (SSA) to bypass security and take total control of private computers. The report, which was shared with Hackread.com, reveals that the attack succeeds by weakening the system’s built-in defences rather than relying on complex new viruses."
        https://hackread.com/hackers-screenconnect-hijack-pcs-fake-social-security-emails/
      • CRESCENTHARVEST: Iranian Protestors And Dissidents Targeted In Cyberespionage Campaign
        "Acronis' Threat Research Unit (TRU) has uncovered a malware campaign, dubbed CRESCENTHARVEST, potentially targeting supporters of Iran's ongoing protests with the goal of information theft and long-term espionage. Observed shortly after January 9, the campaign exploits recent geopolitical developments to lure victims into opening malicious .LNK files disguised as protest-related images or videos. These files are bundled with authentic media and a Farsi-language report providing updates from "the rebellious cities of Iran." This pro-protest framing appears to be intended to increase credibility and to attract Farsi-speaking Iranians seeking protest-related information."
        https://www.acronis.com/en/tru/posts/crescentharvest-iranian-protestors-and-dissidents-targeted-in-cyberespionage-campaign/
        https://therecord.media/hackers-target-iran-protest-supporters-cyber-campaign
        https://www.bankinfosecurity.com/fresh-cyberespionage-operation-tied-to-iranian-surveillance-a-30771
      • Invitation To Trouble: The Rise Of Calendar Phishing Attacks
        "Before you click “Accept” on calendar invites, think twice — it could be a phishing scheme. The Cofense Phishing Defense Center (PDC) has identified a new tactic involving fake Microsoft and Google Calendar invites designed to steal your login credentials. Phishing invitations are becoming increasingly sophisticated, often mimicking designs from well-known platforms like Microsoft or Google. While they may look convincing, they’re anything but safe. A quick look at the sender's email address is one way to spot an impersonation. It usually doesn't match the actual domain these companies use. Threat actors are taking advantage of emails commonly found in the business world, such as scheduling meetings on calendars. The goal is to deceive employees into entering their login credentials by mimicking routine activities. An example often seen is fake but harmless-looking meeting invites; since these are part of employees’ daily routines, most people don’t think twice before clicking."
        https://cofense.com/blog/invitation-to-trouble-the-rise-of-calendar-phishing-attacks
      • Fake Incident Report Used In Phishing Campaign
        "This morning, I received an interesting phishing email. I have a “love & hate” relationship with such emails because I always have the impression of losing time when reviewing them, but sometimes it’s a win because you spot interesting “TTPs” (“tools, techniques & procedures”). Maybe one day, I'll try to automate this process! Today's email targets Metamask[1] users. It’s a popular software crypto wallet available as a browser extension and mobile app. The mail asks the victim to enable 2FA:"
        https://isc.sans.edu/diary/32722
        https://securityaffairs.com/188116/security/poorly-crafted-phishing-campaign-leverages-bogus-security-incident-report.html
      • SmartLoader Clones Oura Ring MCP To Deploy Supply Chain Attack
        "Straiker's AI Research (STAR) Labs team has uncovered a trojanized MCP server targeting Oura Ring health data and successfully infiltrated legitimate Model Context Protocol (MCP) registries, exposing thousands of developers and end-users to credential theft and data compromise. SmartLoader, an established malware operation known for distributing info-stealers through deceptive installers, first discovered early in 2024, has constructed an elaborate network of fake GitHub accounts and repositories to distribute trojanized MCP servers, successfully poisoning legitimate MCP registries in the process. Our investigation revealed the threat actors cloned a legitimate Oura MCP Server—a tool that connects AI assistants to Oura Ring health data—and built a deceptive infrastructure of fake forks and contributors to manufacture credibility. The trojanized version of the Oura MCP server delivers the StealC infostealer, targeting developer credentials, browser passwords, and cryptocurrency wallets."
        https://www.straiker.ai/blog/smartloader-clones-oura-ring-mcp-to-deploy-supply-chain-attack
        https://thehackernews.com/2026/02/smartloader-attack-uses-trojanized-oura.html
        https://securityaffairs.com/188135/ai/smartloader-hackers-clone-oura-mcp-project-to-spread-stealc-malware.html
      • AI In The Middle: Turning Web-Based AI Services Into C2 Proxies & The Future Of AI Driven Attacks
        "AI is rapidly becoming embedded in day-to-day enterprise workflows, inside browsers, collaboration suites, and developer tooling. As a result, AI service domains increasingly blend into normal corporate traffic, often allowed by default and rarely treated as sensitive egress. Threat actors are already capitalizing on this shift. Across the malware ecosystem, AI is being used to accelerate development and operations: generating and refining code, drafting phishing content, translating lures, producing PowerShell snippets, summarizing stolen data, assisting operators with next decisions during an intrusion, and, in extreme cases, developing full C2 frameworks such as Voidlink. The practical outcome is simple: AI reduces cost and time-to-scale, and helps less-skilled actors execute more complex playbooks."
        https://research.checkpoint.com/2026/ai-in-the-middle-turning-web-based-ai-services-into-c2-proxies-the-future-of-ai-driven-attacks/
        https://thehackernews.com/2026/02/researchers-show-copilot-and-grok-can.html
      • Not Safe For Politics: Cellebrite Used On Kenyan Activist And Politician Boniface Mwangi
        "Following the widely-condemned arrest in July 2025 of prominent Kenyan opposition voice Boniface Mwangi, the Citizen Lab analyzed artefacts from devices seized during the arrest. We found that Cellebrite’s forensic extraction tools were used on his Samsung phone while it was in police custody. This case adds to the concerning pattern of the misuse of Cellebrite technology by government clients."
        https://citizenlab.ca/research/cellebrite-used-on-kenyan-activist-and-politician-boniface-mwangi/
        https://therecord.media/spyware-kenya-cellebrite-activist
      • Spam Campaign Abuses Atlassian Jira, Targets Government And Corporate Entities
        "Threat actors used Atlassian Jira Cloud and its connected email system to run automated spam campaigns, effectively bypassing traditional email security by abusing the strong domain reputation of Atlassian Jira Cloud products. The campaigns were active from late December 2025 through late January 2026, during which organizations and individuals worldwide — particularly English, French, German, Italian, Portuguese, and Russian-speaking targets — received spam emails from legitimate-looking Atlassian Jira Cloud addresses. In addition, campaigns did not appear to generate generic spam. They also targeted specific sectors, most notably government and corporate entities. The emails redirected targets to pages on investment scams and online casino landing sites, suggesting that actors were likely motivated by financial gain."
        https://www.trendmicro.com/en_us/research/26/b/spam-campaign-abuses-atlassian-jira.html
      • Critical Vulnerabilities In Ivanti EPMM Exploited
        "Two critical zero-day vulnerabilities (CVE-2026-1281 and CVE-2026-1340) affecting Ivanti Endpoint Manager Mobile (EPMM) are being actively exploited in the wild, affecting enterprise mobile fleets and corporate networks. These vulnerabilities allow unauthenticated attackers to remotely execute arbitrary code on target servers, granting them full control over mobile device management (MDM) infrastructure without requiring user interaction or credentials."
        https://unit42.paloaltonetworks.com/ivanti-cve-2026-1281-cve-2026-1340/
      • Cato CTRL™ Threat Research: Foxveil – New Malware Loader Abusing Cloudflare, Discord, And Netlify As Staging Infrastructure
        "Cato CTRL has identified a previously undocumented malware loader we track as “Foxveil.” We observed evidence that the malware campaign has been active since August 2025, and we observed two distinct variants (v1 and v2). Foxveil behaves like a modern initial-stage loader: it establishes an initial foothold, frustrates analysis, and retrieves next-stage payloads from threat actor-controlled staging hosted on Cloudflare Pages, Netlify, and, in some cases, Discord attachments. We named the malware Foxveil based on “fox” strings observed within the sample. Its operational advantage comes from blending into trusted cloud infrastructure while relying on in-memory shellcode execution and variant-specific injection and persistence techniques. We also observed a string-mutation routine that rewrites common analysis keywords, which can complicate static detection and reverse engineering."
        https://www.catonetworks.com/blog/cato-ctrl-foxveil-new-malware/
      • The North Korean On Your Payroll
        "In September 2025, Okta Threat Intelligence published research from a large-scale analysis into fraudulent employment schemes conducted by Democratic People’s Republic of Korea (DPRK) IT Workers (ITW). That research collated data from over 130 actors, conducting over 6500 interviews with 500 companies. In this post, we look specifically at the activities of two individual personas. We selected these two examples from a large list of actors that we continue to track because they exemplify the typical tools, techniques and procedures (TTPs) employed by DPRK ITW actors. Additionally, each had novel observables that can further inform defenders against these efforts."
        https://www.okta.com/blog/threat-intelligence/the-north-korean-on-your-payroll/

      General News

      • Poland Arrests Suspect Linked To Phobos Ransomware Operation
        "Polish police have detained a 47-year-old man suspected of ties to the Phobos ransomware group and seized computers and mobile phones containing stolen credentials, credit card numbers, and server access data. Officers from Poland's Central Bureau of Cybercrime Control (CBZC) arrested the suspect in the Małopolska region in a joint operation involving units from Katowice and Kielce. The action is part of "Operation Aether," a broader international effort coordinated by Europol and targeting Phobos ransomware infrastructure and affiliates."
        https://www.bleepingcomputer.com/news/security/poland-arrests-suspect-linked-to-phobos-ransomware-operation/
        https://therecord.media/poland-phobos-ransomware-arrest
        https://cyberscoop.com/phobos-ransomware-affiliate-arrested-poland/
        https://www.securityweek.com/man-linked-to-phobos-ransomware-arrested-in-poland/
        https://securityaffairs.com/188128/cyber-crime/polish-cybercrime-police-arrest-man-linked-to-phobos-ransomware-operation.html
        https://www.helpnetsecurity.com/2026/02/17/phobos-ransomware-affiliate-arrested-in-poland/
        https://www.theregister.com/2026/02/17/poland_phobos_ransomware_arrest/
      • Huntress Cyber Threat Report Exposes The Playbook For Organized Cybercrime
        "Cybercrime has become the world’s third-largest economy, with costs projected to reach $12.2 trillion annually by 2031. Today, Huntress exposes the tactics, techniques, and procedures (TTPs) fueling this multi-trillion-dollar illicit market in its 2026 Cyber Threat Report. The in-depth analysis sheds light on the playbook used by organized, profit-driven cybercriminals, uncovering how they weaponize legitimate tools, exploit everyday behaviors, and leverage a vast underground network to exploit people, businesses, and employees across the globe. To produce this report, Huntress analyzed proprietary telemetry from over four million endpoints and nine million identities across the 230,000+ organizations it protects worldwide. This robust dataset served as the foundation for uncovering critical insights into the evolving ransomware ecosystem, shifting adversary tradecraft, and actionable strategies to help organizations prepare for the year ahead. Key findings include:"
        https://www.huntress.com/press-release/huntress-cyber-threat-report-exposes-the-playbook-for-organized-cybercrime
        https://www.darkreading.com/application-security/rmm-abuse-explodes-hackers-ditch-malware
      • Over-Privileged AI Drives 4.5 Times Higher Incident Rates
        "A majority (69%) of security leaders agree that identity management needs to evolve in order to handle mounting risks in AI infrastructure deployments, according to a new report from Teleport. The security vendor polled over 200 US infrastructure security leaders to compile its latest report: 2026 State of AI in Enterprise Infrastructure Security. It defined “AI in infrastructure” as AI-powered workloads, agentic systems, machine-to-machine communication, ChatOps, compliance automation, and incident detection."
        https://www.infosecurity-magazine.com/news/overprivileged-ai-45-times-higher/
      • API Threats Grow In Scale As AI Expands The Blast Radius
        "Application Programming Interfaces (APIs) remain an attacker-favored exploit route. Aggressors continuously target common failures in identity, access control and exposed interfaces – often at scale and machine speed. AI is increasing the threat surface. In an analysis of more than 60,000 published vulnerabilities disclosed in 2025, Wallarm found more than 11,000 (17%) were API-related. A concurrent analysis of CISA KEV Catalog additions for 2025 found 43% of exploited vulnerabilities were API-related. The report demonstrates the severity of the threat by including details of the top ten API-relevant breaches from 2025. The top three are 700Credit, Qantas, and Salesloft."
        https://www.securityweek.com/api-threats-grow-in-scale-as-ai-expands-the-blast-radius/
        https://hubspot.wallarm.com/hubfs/Wallarm API ThreatStatTM Report-2026.pdf
      • 2026 Unit 42 Global Incident Response Report — Attacks Now 4x Faster
        "Each year, thousands of organizations experience a cyber incident. An incident can begin with a SOC alert, zero-day vulnerability, ransom demand or widespread business disruption. When the call comes, our global incident responders quickly mobilize to investigate, contain and eradicate the threat. This year’s Unit 42® 2026 Global Incident Response Report analyzed over 750 major cyber incidents across every major industry in over 50 countries to reveal emerging patterns and lessons for defenders."
        https://www.paloaltonetworks.com/blog/2026/02/unit-42-global-ir-report/
        https://cyberscoop.com/attackers-abuse-identity-unit42-palo-alto-networks-incident-response-report/
        https://www.infosecurity-magazine.com/news/cybercriminals-ai-vibe-extortion/

      References
      Electronic Transactions Development Agency (ETDA)
