NCSA Webboard
    Cyber Threat Intelligence 05 March 2026

    Cyber Security News
    • NCSA_THAICERT

      Industrial Sector

      • Cybersecurity Is Now The Price Of Admission For Industrial AI
        "Industrial organizations are accelerating AI deployment across manufacturing, utilities, and transportation and running straight into a security problem. Cisco’s 2026 State of Industrial AI Report, based on responses from more than 1,000 decision-makers across 19 countries, finds that cybersecurity has become the single largest obstacle to AI adoption, outranking skills gaps, integration challenges, and budget constraints. The shift is notable. In 2024, cybersecurity ranked third among external growth obstacles. By 2026, 40% of respondents cite it as a top barrier to AI adoption specifically, and 48% name it as their biggest networking challenge overall. The rise reflects the reality that connecting more assets and systems to support AI expands the attack surface in ways that traditional security approaches were not designed to handle."
        https://www.helpnetsecurity.com/2026/03/04/cisco-industrial-ai-cybersecurity/

      New Tooling

      • Mquire: Open-Source Linux Memory Forensics Tool
        "Linux memory forensics has long depended on debug symbols tied to specific kernel versions. These symbols are not installed on production systems by default, and sourcing them from external repositories creates a recurring problem: repositories go stale, kernel builds diverge, and analysts working incident response often find no published symbols for the exact kernel they need to examine. Trail of Bits published mquire to address this constraint. The open-source tool analyzes Linux memory dumps without requiring any external debug information."
        https://www.helpnetsecurity.com/2026/03/04/mquire-open-source-linux-memory-forensics-tool/
        https://github.com/trailofbits/mquire

      Vulnerabilities

      • Cisco Warns Of Max Severity Secure FMC Flaws Giving Root Access
        "Cisco has released security updates to patch two maximum-severity vulnerabilities in its Secure Firewall Management Center (FMC) software. Secure FMC is a web or SSH-based interface for admins to manage Cisco firewalls and configure application control, intrusion prevention, URL filtering, and advanced malware protection. Both vulnerabilities can be exploited remotely by unauthenticated attackers: the authentication bypass flaw (CVE-2026-20079) allows attackers to gain root access to the underlying operating system, while the remote code execution (RCE) vulnerability (CVE-2026-20131) lets them execute arbitrary Java code as root on unpatched devices."
        https://www.bleepingcomputer.com/news/security/cisco-warns-of-max-severity-secure-fmc-flaws-giving-root-access/
        https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-onprem-fmc-authbypass-5JPp45V2
        https://securityaffairs.com/188921/security/cisco-fixes-maximum-severity-secure-fmc-bugs-threatening-firewall-security.html
      • Sometimes, You Can Just Feel The Security In The Design (Juniper Junos Evolved CVE-2026-21902 Pre-Auth RCE)
        "On today’s ‘good news disguised as other things’ segment, we’re turning our gaze to CVE-2026-21902 - a recently disclosed “Incorrect Permission Assignment for Critical Resource” vulnerability affecting Juniper’s Junos OS Evolved platform. This vulnerability affects only Juniper’s PTX Series of devices, apparently."
        https://labs.watchtowr.com/sometimes-you-can-just-feel-the-security-in-the-design-junos-os-evolved-cve-2026-21902-rce/
        https://www.bankinfosecurity.com/juniper-ptx-routers-at-risk-critical-takeover-flaw-disclosed-a-30904
      • Mail2Shell – CVE-2026-28289: New Zero-Click RCE On FreeScout
        "A few days ago, we published research detailing a FreeScout vulnerability that allowed authenticated attackers to achieve full system compromise via RCE – originally reported by Offensive.sa. On the same day, we discovered a patch bypass that allowed us to reproduce the same RCE on newly updated servers, demonstrating how quickly incomplete fixes can be circumvented. During our deeper analysis, we escalated the attack chain further — converting it into a Zero‑Click RCE. By sending a single crafted email to any address configured in FreeScout, an attacker can execute code on the server without authentication and without user interaction."
        https://www.ox.security/blog/freescout-rce-cve-2026-28289/
        https://www.bleepingcomputer.com/news/security/mail2shell-zero-click-attack-lets-hackers-hijack-freescout-mail-servers/
        https://www.securityweek.com/critical-freescout-vulnerability-leads-to-full-server-compromise/
      • Over 1,200 IceWarp Servers Still Vulnerable To Unauthenticated RCE Flaw (CVE-2025-14500)
        "A critical RCE vulnerability (CVE-2025-14500) in IceWarp, an EU-made business communication and collaboration platform, may be exploited by attackers to gain unauthorized access to exposed unpatched servers. According to the Shadowserver Foundation, there are currently over 1,200 internet-facing instances that have yet to receive a fix, and the organization is sending out alerts to the owners, urging them to update."
        https://www.helpnetsecurity.com/2026/03/04/icewarp-rce-cve-2025-14500/

      Malware

      • Fake LastPass Support Email Threads Try To Steal Vault Passwords
        "Password management software provider LastPass is warning users of a phishing campaign targeting its users with fake unauthorized account access alerts. The emails impersonate a LastPass representative by spoofing the display name and use subject lines crafted to mimic forwarded internal conversations between attackers and the company’s customer support team about a request to change the account’s primary email address. The email chains are forwarded to the target in an attempt to prompt them to respond to the suspicious activity with urgency and click on links named “report suspicious activity,” “disconnect and lock vault,” and “revoke device.”"
        https://www.bleepingcomputer.com/news/security/fake-lastpass-support-email-threads-try-to-steal-vault-passwords/
        https://securityaffairs.com/188911/security/lastpass-warns-of-spoofed-alerts-aimed-at-stealing-master-passwords.html
        https://www.securityweek.com/lastpass-warns-of-new-phishing-campaign/
      • Hacker Mass-Mails HungerRush Extortion Emails To Restaurant Patrons
        "Customers of restaurants using the HungerRush point-of-sale (POS) platform say they received emails from a threat actor attempting to extort the company, warning that restaurant and customer data could be exposed if HungerRush fails to respond. HungerRush is a restaurant technology provider that offers point-of-sale (POS), online ordering, delivery management, and payment processing software to help restaurants manage orders, customer information, and business operations. The company claims to work with over 16,000 restaurants, including Sbarro, Jet's Pizza, Fajita Pete's, Hungry Howie's, and many more."
        https://www.bleepingcomputer.com/news/security/hacker-mass-mails-hungerrush-extortion-emails-to-restaurant-patrons/
      • How a Brute Force Attack Unmasked a Ransomware Infrastructure Network
        "To most defenders, another brute-force alert on exposed RDP is background noise — bread-and-butter activity you triage and move past. For the Huntress Tactical Response Team, one of those “routine” alerts turned into something very different. As we pulled on a single successful login, we uncovered unusual credential-hunting behavior, a web of geo-distributed infrastructure, and a shady VPN service that all pointed toward a ransomware-as-a-service ecosystem and its initial access brokers. This post walks through how a noisy brute-force campaign became our doorway into that operation."
        https://www.bleepingcomputer.com/news/security/how-a-brute-force-attack-unmasked-a-ransomware-infrastructure-network/
      • Signed Malware Impersonating Workplace Apps Deploys RMM Backdoors
        "In February 2026, Microsoft Defender Experts identified multiple phishing campaigns attributed to an unknown threat actor. The campaigns used workplace meeting lures, PDF attachments, and abuse of legitimate binaries to deliver signed malware. Phishing emails directed users to download malicious executables masquerading as legitimate software. The files were digitally signed using an Extended Validation (EV) certificate issued to TrustConnect Software PTY LTD. Once executed, the applications installed remote monitoring and management (RMM) tools that enabled the attacker to establish persistent access on compromised systems."
        https://www.microsoft.com/en-us/security/blog/2026/03/03/signed-malware-impersonating-workplace-apps-deploys-rmm-backdoors/
        https://hackread.com/fake-zoom-teams-invites-malware-certificates/
      • Telegram As The New Operational Layer Of Cyber Threat Activity
        "Telegram is no longer just a messaging application. It has evolved into a primary operational playground for modern threat actors. What underground forums on Tor once represented, Telegram now replicates — but faster, more scalable, and significantly more accessible. Over the past few years, elements of the cybercriminal ecosystem have progressively shifted away from traditional darknet marketplaces and closed forums toward Telegram’s hybrid architecture of public channels, private groups, and automated bots. The barriers that once required Tor access, reputation building, and escrow systems have been replaced with instant channel creation, subscription-based malware distribution, real-time broadcasting, and bot-enabled commerce."
        https://www.cyfirma.com/research/telegram-as-the-new-operational-layer-of-cyber-threat-activity/
        https://hackread.com/telegram-used-sell-access-malware-stolen-logs/
      • Retaliatory Hacktivist DDoS Activity Following Operation Epic Fury/Roaring Lion
        "Since late February 2026, the Middle East has experienced unprecedented kinetic warfare. Following the collapse of nuclear negotiations and a period of internal Iranian instability, a massive, coordinated military campaign dubbed Operation Epic Fury by the United States, also known as Operation Roaring Lion in Israel, was launched on February 28, 2026. This military offensive, which resulted in the death of Iran’s supreme leader and the destruction of over 2,000 strategic targets, has acted as a primary catalyst for global hacktivist mobilization. As the physical conflict expands across many countries in the region, pro-Iranian and allied “axis of resistance” hacktivist groups have pivoted from baseline activity to aggressive, retaliatory distributed denial of service (DDoS) campaigns targeting government and financial infrastructure across the Middle East."
        https://www.radware.com/security/threat-advisories-and-attack-reports/ddos-activity-following-operation-epic-fury-roaring-lion/
        https://thehackernews.com/2026/03/149-hacktivist-ddos-attacks-hit-110.html
      • Malicious Packagist Packages Disguised As Laravel Utilities Deploy Encrypted RAT
        "Socket's Threat Research Team identified a remote access trojan (RAT) distributed across multiple Packagist (PHP) packages published by the threat actor nhattuanbl (nhattuanbl@gmail[.]com). Two packages, nhattuanbl/lara-helper and nhattuanbl/simple-queue, ship an identical payload in src/helper.php. A third package, nhattuanbl/lara-swagger, carries no malicious code itself but lists nhattuanbl/lara-helper as a hard Composer dependency, meaning that installing it pulls in the RAT automatically."
        https://socket.dev/blog/malicious-packagist-packages-disguised-as-laravel-utilities
        https://thehackernews.com/2026/03/fake-laravel-packages-on-packagist.html
      • Interplay Between Iranian Targeting Of IP Cameras And Physical Warfare In The Middle East
        "As highlighted in the Cyber Security Report 2026, cyber operations have increasingly become an additional tool in interstate conflicts, used both to support military operations and to enable ongoing battle damage assessment (BDA). During the 12-day conflict between Israel and Iran in June 2025, the compromise of cameras was likely used to support BDA and/or target-correction efforts. In the current Middle East conflict, Check Point Research has observed intensified targeting of cameras beginning in the first hours of hostilities, including a sharp increase in exploitation attempts against IP cameras not only in Israel but also across Gulf countries: specifically the UAE, Qatar, Bahrain, and Kuwait, as well as similar activity in Lebanon and Cyprus. This activity originated from multiple attack infrastructures that we attribute to several Iran-nexus threat actors."
        https://research.checkpoint.com/2026/interplay-between-iranian-targeting-of-ip-cameras-and-physical-warfare-in-the-middle-east/
        https://www.theregister.com/2026/03/04/iranian_hacking_attempts_ip_cameras/
      • “Malware, From The Outside!”: How a Threat Actor Used Fake OpenClaw Installers To Infect Systems With GhostSocks And Information Stealers
        "Information stealers continue to be an initial access vector for severe attacks against publicly facing systems, such as the Snowflake customer database compromise in 2024, and a Romanian oil pipeline operator compromise in 2026. This blog details an investigation into malicious GitHub repositories posing as OpenClaw installers that were available between the 2nd and 10th of February 2026. The OpenClaw installers were fake with low detection rates, and distributed information stealers that used a novel packer called Stealth Packer."
        https://www.huntress.com/blog/openclaw-github-ghostsocks-infostealer
        https://www.theregister.com/2026/03/04/fake_openclaw_installers_malware/

      General News

      • United States Leads Dismantlement Of One Of The World’s Largest Hacker Forums
        "The Department of Justice announced today the seizure of the LeakBase database, one of the world’s largest online forums for cybercriminals to buy and sell stolen data and cybercrime tools. According to an affidavit unsealed on March 3, the LeakBase forum had over 142,000 members and more than 215,000 messages between members. Available on the open web and in English, the forum had an enormous and continuously updated archive of hacked databases including many from high profile attacks, including hundreds of millions of account credentials."
        https://www.justice.gov/opa/pr/united-states-leads-dismantlement-one-worlds-largest-hacker-forums
        https://www.bleepingcomputer.com/news/security/fbi-seizes-leakbase-cybercrime-forum-data-of-142-000-members/
        https://therecord.media/leakbase-cybercrime-fbi-europe-takedown
        https://cyberscoop.com/leakbase-cybercrime-forum-seized/
      • Global Phishing-As-a-Service Platform Taken Down In Coordinated Public-Private Action
        "A major phishing-as-a-service platform used to bypass multi-factor authentication (MFA) and enable large-scale account compromise has been disrupted following a coordinated international operation supported by Europol. The service, known as Tycoon 2FA, provided cybercriminals with a subscription-based toolkit designed to intercept live authentication sessions and gain unauthorised access to online accounts, including those protected by additional security layers."
        https://www.europol.europa.eu/media-press/newsroom/news/global-phishing-service-platform-taken-down-in-coordinated-public-private-action
        https://www.trendmicro.com/en_us/research/26/c/tycoon2fa-takedown.html
        https://www.proofpoint.com/us/blog/threat-insight/disruption-targets-tycoon-2fa-popular-aitm-phaas
        https://www.bleepingcomputer.com/news/security/europol-coordinated-action-disrupts-tycoon2fa-phishing-platform/
        https://cyberscoop.com/tycoon-2fa-phishing-kit-takedown-microsoft/
        https://www.infosecurity-magazine.com/news/global-takedown-tycoon2fa-phishing/
        https://www.securityweek.com/tycoon-2fa-phishing-platform-dismantled-in-global-takedown/
      • The Whitelist Illusion – When Your Trusted List Becomes a Billion Dollar Attack Path
        "When a bank or institution holds significant digital assets on a public blockchain, something unique happens: every aspect of their security posture becomes visible to attackers. On-chain balances are public. Transaction patterns are traceable. The addresses you interact with, your whitelist, are not a secret. They are broadcast to the entire world with every transaction. For professional threat groups, particularly state-sponsored actors like North Korea’s Lazarus Group (responsible for over $2B in crypto theft since 2017), this transparency is a gift. They don’t need to guess your security architecture. They can map it."
        https://blog.checkpoint.com/crypto/the-whitelist-illusion-when-your-trusted-list-becomes-a-billion-dollar-attack-path/
      • The Most Common Swap Scams In 2026, And How To Avoid Them
        "Crypto swaps are fast and permissionless, which is exactly why scammers love them. Before you hit “Swap,” decide where you’ll execute: a DEX router you trust (Uniswap, 1inch) or a centralized venue where you can sanity-check tickers, fees, and withdrawals (Binance, Kraken, Coinbase). A simple way to cut risk is by reducing unknown interfaces and “too-good-to-be-true” rate widgets. If you’re comparing venues, using a low fee crypto exchange can help you avoid hidden costs scammers often mask with wide spreads or fake fee breakdowns, especially if you stick to well-known brands and consistent workflows."
        https://hackread.com/common-swap-scams-2026-how-to-avoid/
      • Cybersecurity Professionals Are Burning Out On Extra Hours Every Week
        "Cybersecurity professionals in the U.S. are working an average of 10.8 extra hours per week beyond their contracted schedules, according to survey data collected from 300 cybersecurity and IT leaders by Sapio Research. That figure effectively adds a sixth working day to the standard week for a large portion of the field. Nearly half of respondents reported working 11 or more overtime hours weekly, and one in five logged more than 16 additional hours. The psychological strain is measurable. Nearly half of respondents said their job feels emotionally exhausting more often than it feels rewarding, a sentiment most pronounced among C-level executives. A significant share said they are unable to take time off without returning to a significant backlog of stress, and roughly a third reported weekly anticipatory anxiety about the upcoming work week."
        https://www.helpnetsecurity.com/2026/03/04/ciso-cybersecurity-workforce-burnout/
      • Why Workforce Identity Is Still a Vulnerability, And What To Do About It
        "Most organizations believe they have workforce identity under control. New hires are verified. Accounts are provisioned. Multi-factor authentication is enforced. Audits are passed. Then a breach happens, often through an account that was “properly secured.” But the problem can be traced back to the fact that identity verification, provisioning, authentication, and recovery operate as separate events, not a continuous system of trust. When trust breaks between those checkpoints, attackers don’t need to defeat strong authentication. They simply walk around it."
        https://www.helpnetsecurity.com/2026/03/04/workforce-identity-assurance/
      • Mobile Malware Evolution In 2025
        "Starting from the third quarter of 2025, we have updated our statistical methodology based on the Kaspersky Security Network. These changes affect all sections of the report except for the installation package statistics, which remain unchanged. To illustrate trends between reporting periods, we have recalculated the previous year’s data; consequently, these figures may differ significantly from previously published numbers. All subsequent reports will be generated using this new methodology, ensuring accurate data comparisons with the findings presented in this article."
        https://securelist.com/mobile-threat-report-2025/119076/
      • Automate Or Orchestrate? Implementing a Streamlined Remediation Program To Shorten MTTR
        "Almost all security teams want to reduce their Mean Time to Remediate (MTTR). And for good reason: research from 2024 found that it takes an average of 4.5 months to remediate critical vulnerabilities. The problem is that most organizations are going about it all wrong. Their approaches lack nuance: some teams respond to every exposure with a fire drill, others with a simple patch. Neither approach really works."
        https://securityaffairs.com/188917/security/automate-or-orchestrate-implementing-a-streamlined-remediation-program-to-shorten-mttr.html
      • Threat Spotlight: The Business Risks Of Pirate Software
        "Over the last month, Barracuda’s SOC tools and analysts have detected multiple instances of users trying to download and activate pirate or cracked versions of software and unauthorized installers onto corporate endpoints. Pirate and cracked software are traditionally associated with gaming — players looking for free upgrades, enhancements or special hacks. Pirate software refers to programs that have been illegally copied, while cracked software refers to programs that have been modified to bypass licensing or protection mechanisms designed to prevent piracy."
        https://blog.barracuda.com/2026/03/04/threat-spotlight-business-risks-pirate-software
        https://www.securityweek.com/how-pirated-software-turns-helpful-employees-into-malware-delivery-agents/
      • The Five Pillars Of Software Assurance In System Acquisition
        "Today’s systems are increasingly software-intensive and complex with a growing reliance on third-party technology. Through software reuse, systems can be assembled faster with less development cost. Traditionally, systems were primarily hardware-driven, and operational risks were primarily linked to reliability. Now systems are largely software-based. They do not wear out like hardware, so critical risks are different. Software components almost without exception contain vulnerabilities that are difficult to manage directly. Inheritance of these vulnerabilities through the supply chain, as more software is acquired, increases the management challenges and magnifies the risk of potential compromise. In addition, we have seen situations where suppliers unintentionally become propagators of malware and ransomware (e.g., SolarWinds) through features that provide automatic updates. Attacks on the software supply chain (e.g., Shai-Hulud, a self-replicating worm) are increasingly frequent and devastating."
        https://www.sei.cmu.edu/blog/the-five-pillars-of-software-assurance-in-system-acquisition/

      Reference
      Electronic Transactions Development Agency (ETDA)
