Cyber Threat Intelligence 29 April 2026
Healthcare Sector
- Researchers Find 38 Flaws In OpenEMR. They've Been Fixed
"Researchers at security firm Aisle said they recently identified 38 vulnerabilities, including two maximum-severity zero-day flaws in an open-source electronic medical record software platform used by about 100,000 healthcare providers globally. The platform, OpenEMR, has patched the problems. Three Aisle researchers said they discovered the bugs during the first months of this year through an artificial intelligence-driven analysis. The latest version of OpenEMR 8.0, released in February, has U.S. government certification as an electronic health record platform."
https://www.bankinfosecurity.com/researchers-find-38-flaws-in-openemr-theyve-been-fixed-a-31520
Industrial Sector
- NSA GRASSMARLIN
"Successful exploitation of this vulnerability could allow an attacker to disclose sensitive information."
https://www.cisa.gov/news-events/ics-advisories/icsa-26-118-01
- OT Cybersecurity Frozen Out By Frontier Labs
"Hyperscalers, security giants and other IT behemoths are on the list. Operational technology companies are not. The list in question is one of the most important in cybersecurity right now - the companies that have special access to powerful new models from the two major U.S. frontier artificial intelligence labs, Anthropic and OpenAI, to identify vulnerabilities before hackers get access to similar technology. "None of the OT companies, none of the organizations that are most representative of that portion of the ecosystem are participating in this and are being represented," said Tatyana Bolton, executive director of the Operational Technology Cybersecurity Coalition, a trade group that represents OT security companies and OT equipment manufacturers."
https://www.bankinfosecurity.com/ot-cybersecurity-frozen-out-by-frontier-labs-a-31536
- Threat Landscape For Industrial Automation Systems. Europe, Q4 2025
"High levels of email threats (phishing) and spyware clearly indicate that industrial systems in the region are highly exposed to advanced attackers. Threats from email are relevant for all industries of the region, foremost for biometrics and building automation. Attacks on computers in these industrial automation sectors significantly raise the risk of supply-chain attacks on other industries. Southern Europe led all regions in the percentage of ICS computers on which threats from email clients were blocked — 2.3 times higher than the global average."
https://ics-cert.kaspersky.com/publications/reports/2026/04/28/threat-landscape-for-industrial-automation-systems-europe-q4-2025/
- Electric Motorcycles And Scooters Face Hacking Risks To Security And Rider Safety
"Electric motorcycles from Zero Motorcycles and electric scooters from Yadea are affected by vulnerabilities that, if exploited, could have a physical security and safety impact. CISA recently published separate advisories for these vulnerabilities, and SecurityWeek has reached out to the researchers who reported the flaws to find out more about their potential real-world impact."
https://www.securityweek.com/electric-motorcycles-and-scooters-face-hacking-risks-to-security-and-rider-safety/
Vulnerabilities
- Hackers Are Exploiting a Critical LiteLLM Pre-Auth SQLi Flaw
"Hackers are targeting sensitive information stored in the LiteLLM open-source large-language model (LLM) gateway by exploiting a critical vulnerability tracked as CVE-2026-42208. The flaw is an SQL injection issue that occurs during LiteLLM's proxy API key verification step. An attacker can exploit it without authentication by sending a specially crafted Authorization header to any LLM API route. This allows reading data from the proxy's database and modifying it. According to the maintainer's security advisory, threat actors could use it for "unauthorised access to the proxy and the credentials it manages.""
https://www.bleepingcomputer.com/news/security/hackers-are-exploiting-a-critical-litellm-pre-auth-sqli-flaw/
- Securing The Git Push Pipeline: Responding To a Critical Remote Code Execution Vulnerability
"On March 4, 2026, we received a vulnerability report through our Bug Bounty program from researchers at Wiz describing a critical remote code execution vulnerability affecting github.com, GitHub Enterprise Cloud, GitHub Enterprise Cloud with Data Residency, GitHub Enterprise Cloud with Enterprise Managed Users, and GitHub Enterprise Server. In less than two hours we had validated the finding, deployed a fix to github.com, and begun a forensic investigation that concluded there was no exploitation. In this post, we want to share what happened, how we responded, and what we are doing to prevent similar issues in the future."
https://github.blog/security/securing-the-git-push-pipeline-responding-to-a-critical-remote-code-execution-vulnerability/
https://thehackernews.com/2026/04/researchers-discover-critical-github.html
https://securityaffairs.com/191434/security/cve-2026-3854-github-flaw-enables-remote-code-execution.html
- CVE-2026-25874: Hugging Face LeRobot Unauthenticated RCE Via Pickle Deserialization
"A critical remote code execution (RCE) vulnerability affects LeRobot, Hugging Face’s open-source robotics platform, specifically the async inference PolicyServer component. The issue stems from insecure deserialization of untrusted data using Python’s pickle module over exposed gRPC endpoints. An unauthenticated attacker who can reach the PolicyServer network port can send a malicious serialized payload and execute arbitrary OS commands on the host machine running the service. This is particularly dangerous because LeRobot is designed for GPU-backed inference systems, which often run with elevated privileges, access to robotics hardware, internal networks, datasets, and expensive compute resources."
https://www.resecurity.com/blog/article/cve-2026-25874-hugging-face-lerobot-unauthenticated-rce-via-pickle-deserialization
https://thehackernews.com/2026/04/critical-cve-2026-25874-leaves-hugging.html
- CISA Adds Two Known Exploited Vulnerabilities To Catalog
"CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
CVE-2024-1708 ConnectWise ScreenConnect Path Traversal Vulnerability
CVE-2026-32202 Microsoft Windows Protection Mechanism Failure Vulnerability"
https://www.cisa.gov/news-events/alerts/2026/04/28/cisa-adds-two-known-exploited-vulnerabilities-catalog
Malware
- VECT Ransomware: Why Paying Won’t Get Your Files Back
"VECT emerged in late 2025 with an unusual ambition: rather than recruiting a small, vetted group of criminal partners in the traditional ransomware model, they opened their doors to everyone. Through a formal partnership with BreachForums, a major cybercrime marketplace, VECT distributed access to their ransomware platform to every registered member of the forum automatically. Thousands of potential operators, almost overnight. At the same time, VECT announced a partnership with TeamPCP, the group responsible for a series of supply-chain attacks earlier this year that compromised popular software tools used by businesses worldwide. The stated goal, openly announced on BreachForums, was to use that existing access as a launchpad for ransomware attacks against companies already affected by those attacks."
https://blog.checkpoint.com/security/vect-ransomware-why-paying-wont-get-your-files-back/
https://research.checkpoint.com/2026/vect-ransomware-by-design-wiper-by-accident/
https://www.bleepingcomputer.com/news/security/broken-vect-20-ransomware-acts-as-a-data-wiper-for-large-files/
https://thehackernews.com/2026/04/vect-20-ransomware-irreversibly.html
https://www.theregister.com/2026/04/28/dont_pay_vect_a_ransom/
- Vidar Rises To Top Of Chaotic Infostealer Market
"Credential-stealing malware Vidar, which has lurked in the cybercriminal ecosystem since 2018, has vaulted to the top of the infostealer market following law enforcement takedowns of its two biggest rivals last year. That shift was fueled by the malware author's calculated release of a major upgrade and expansion of Vidar's distribution network during the disruption, which positioned it as a go-to alternative for cybercriminals, according to new research from Intrinsec."
https://www.darkreading.com/vulnerabilities-threats/vidar-top-chaotic-infostealer-market
https://www.intrinsec.com/wp-content/uploads/2026/04/TLP_CLEAR-20260424-New_Vidar.pdf
- Inside a Fake DHL Campaign Built To Steal Credentials
"X-Labs recently identified a consumer-targeted DHL phishing campaign that uses familiar brand impersonation, a fake OTP verification step and client-side credential harvesting to steal passwords from everyday users. The campaign targets individuals rather than specific organizations and shows no geographic concentration. What makes it worth examining is the OTP mechanic: a trust-building layer with no real authentication behind it, engineered entirely to lower the victim's guard before the actual theft begins. The sample analyzed here walks the victim through a spoofed shipment email, a fake parcel OTP page and a DHL-branded login portal. The final stage captures the victim's password, enriches it with IP address, device details and location data, then exfiltrates everything through EmailJS to an attacker-controlled mailbox."
https://www.forcepoint.com/blog/x-labs/fake-dhl-phishing-campaign-credential-theft
https://hackread.com/dhl-phishing-scam-attack-chain-steal-passwords/
- Morpheus: A New Spyware Linked To IPS Intelligence
"We have analyzed a sample of a previously unknown Android spyware, likely developed in Italy. It is named “Morpheus”, version 2025.3.0, and we describe its capabilities, including abusing accessibility features, automatically enabling ADB and issuing commands, disabling microphone and camera indicators, pairing additional WhatsApp devices, taking screenshots, recording audio and video, and more. We link part of the infrastructure to IPS Intelligence, and discover some potentially related companies, Rever Servicenet and Iris Telecomunicazioni."
https://osservatorionessuno.org/blog/2026/04/morpheus-a-new-spyware-linked-to-ips-intelligence/
https://securityaffairs.com/191398/malware/new-android-spyware-morpheus-linked-to-italian-surveillance-firm.html
- Germany Suspects Russia Is Behind Signal Phishing That Targeted Top Officials
"The German government suspects Russia is behind a series of phishing attacks on Signal targeting high-ranking politicians, including two government ministers, military personnel and journalists, a government spokesperson said. Federal prosecutors have been conducting a preliminary investigation since mid-February 2026 into alleged cyberattacks on Signal accounts, a spokesperson for the federal prosecutors confirmed on Saturday. Among other things, the investigation involves an initial suspicion of espionage, she added, without specifying which country might be involved. The German government has still not officially attributed the attacks to Russia."
https://www.securityweek.com/germany-suspects-russia-is-behind-signal-phishing-that-targeted-top-officials/
https://securityaffairs.com/191425/intelligence/signal-phishing-campaign-targets-german-officials-in-suspected-russian-operation.html
- LofyStealer: Malware Targeting Minecraft Players
"During threat hunting activities conducted on the ANY.RUN platform, the artifact was identified in public submissions of the interactive sandbox. The analysis of samples available in the public repository allowed correlating hashes and network behaviors with the already mapped C2 infrastructure (24.152.36.241), confirming that the GrabBot/Slinky campaign is active and being distributed in a real environment. The sandbox results complement the static analysis presented in this report, providing dynamic execution evidence."
https://zenox.ai/en/lofystealer-malware-mirando-jogadores-de-minecraft/
https://thehackernews.com/2026/04/brazilian-lofygang-resurfaces-after.html
- Tall Tales: How Chinese Actors Use Impersonation And Stolen Narratives To Perpetuate Digital Transnational Repression
"In collaboration with the International Consortium of Investigative Journalists (ICIJ), we identified two distinct actors aligned with the People’s Republic of China that have been targeting and impersonating journalists and civil society. Our findings provide insight into the Chinese government’s practice of digital transnational repression and its shift to a system of state-sponsored attacks carried out by private contractors."
https://citizenlab.ca/research/how-chinese-actors-use-impersonation-and-stolen-narratives-to-perpetuate-digital-transnational-repression/
https://therecord.media/china-linked-hackers-led-phishing-campaigns-journalists
- Elementary-Data Compromised On PyPI And GHCR: Forged Release Pushed Via GitHub Actions Script Injection
"A malicious version of elementary-data (0.23.3) was published to PyPI and is, at the time of writing, still listed as the latest release. elementary-data is a widely deployed Python package for dbt data observability. The same release run also pushed a multi-arch container image to GitHub Container Registry at ghcr.io/elementary-data/elementary, tagged both 0.23.3 and latest. Every unpinned docker pull ghcr.io/elementary-data/elementary and every FROM ghcr.io/elementary-data/elementary line without a pinned tag has been pulling the trojaned image since April 24. The attacker exploited a script injection vulnerability in one of the project's own GitHub Actions workflows, then used the workflow's GITHUB_TOKEN to forge a signed release commit and dispatch the legitimate publishing pipeline against it — without ever touching the master branch or opening a pull request."
https://www.stepsecurity.io/blog/elementary-data-compromised-on-pypi-and-ghcr-forged-release-pushed-via-github-actions-script-injection
Breaches/Hacks/Leaks
- Video Service Vimeo Confirms Anodot Breach Exposed User Data
"Vimeo has disclosed that data belonging to some of its customers and users has been accessed without authorization following the recent breach at the Anodot data anomaly detection company. The video platform says that the threat actor accessed email addresses for some of its customers, but most of the exposed information included technical data, video titles, and metadata. "We have identified that, as a result of the Anodot breach, an unauthorized actor accessed certain Vimeo user and customer data. Our initial findings suggest that the databases accessed primarily contain technical data, video titles and metadata, and, in some cases, customer email addresses," Vimeo states."
https://www.bleepingcomputer.com/news/security/video-service-vimeo-confirms-anodot-breach-exposed-user-data/
https://therecord.media/vimeo-blames-security-incident-on-anodot-breach
https://www.securityweek.com/vimeo-confirms-user-and-customer-data-breach/
- Have I Been Pwned Claims Pitney Bowes Hit By 8.2M Email Address Leak
"Logistics technology company Pitney Bowes, which makes franking machines for US postage, is the latest scalp claimed by ShinyHunters and its ongoing spree of pay-or-leak attacks against major organizations. Data breach tracker Have I Been Pwned (HIBP) confirmed the breach on April 27, with 8.2 million unique email addresses included in the dump alongside names, phone numbers, and physical addresses. A smaller subset of the entire data trove pertained to company employment records, which included job titles."
https://www.theregister.com/2026/04/28/pitney_bowes_is_the_latest/
General News
- US Reportedly Charges Scattered Spider Hacker Arrested In Finland
"A 19-year-old dual United States and Estonian citizen arrested in Finland earlier this month faces federal charges in the U.S. alleging he was a prolific member of the notorious Scattered Spider hacking collective. According to temporarily unsealed court records obtained by the Chicago Tribune, the suspect (who used the online alias "Bouquet") helped extort millions of dollars from multiple large corporations worldwide. The suspected Scattered Spider member, who was allegedly arrested by Finnish law enforcement at Helsinki's airport on April 10 while attempting to board a flight to Japan, is facing wire fraud, conspiracy, and computer intrusion charges."
https://www.bleepingcomputer.com/news/security/us-reportedly-charges-scattered-spider-hacker-arrested-in-finland/
- U.S. Companies Hit With Record Fines For Privacy In 2025
"U.S. states issued $3.45 billion in privacy-related fines to companies in 2025, a total larger than the last five years combined, according to research and advisory firm Gartner. The increase is driven in part by stronger, more established privacy laws in states like California, new interstate partnerships built around enforcing laws across state lines, and a renewed focus to how AI and automation affect privacy. The data indicates that “regulators are shifting their efforts away from awareness to full scale enforcement,” marking a significant shift from even the last few years in how aggressively states are investigating and penalizing companies for privacy law violations."
https://cyberscoop.com/privacy-companies-hit-with-record-fines-2025-gartner/
- ANZ Organizations Are In The Ransomware Crosshairs: What The Dark Web Is Telling Us
"The conversation around ANZ ransomware threats has shifted noticeably over the past year. What once looked like sporadic, high-profile incidents has evolved into a sustained and structured campaign against organizations across Australia and New Zealand. Signals emerging from underground forums and marketplaces reveal a sobering reality: ransomware is no longer just a technical problem; it is an economic strategy driven by efficiency, specialization, and scale."
https://cyble.com/blog/anz-ransomware-threats-dark-web-intelligence/
- NSA Chief During Snowden Affair Shares Regrets, Reflections 13 Years Later
"Dark Reading's Becky Bracken: Hello everyone, and welcome to Dark Reading Confidential. It's a podcast from the editors of Dark Reading, bringing you real-world stories straight from the cyber trenches. We have a really great conversation for you today. I am joined by Chris Inglis, who was the former NSA Deputy Director during the infamous Edward Snowden affair. So he is here 13 years on to unpack a little bit about what we've learned, and hopefully pass some of that knowledge on to our enterprise cybersecurity teams listening today. Welcome, Chris. Thank you so much for joining us. Chris Inglis: Pleasure to be with you, Becky."
https://www.darkreading.com/cyber-risk/nsa-chief-during-snowden-affair-13-years-later
- 0APT Vs. KryBit Ransomware Actors List Opposing Operators As Victims
"On 13 April 2026, the recently emerged Ransomware-as-a-Service (RaaS) actors 0APT and KryBit began leaking each other’s operational and infrastructure data on their respective leak sites. 0APT also claimed to leak data from Everest and RansomHouse ransomware groups. This type of activity is unusual: 0APT used their initially failing affiliate operation and turned it against not only KryBit, but other ransomware operators. However, the impact to Everest and RansomHouse operations was little to none. KryBit instead retaliated and took over full control of the 0APT data leak site. Both 0APT and KryBit operations likely will now attempt to move and rebuild their infrastructure because of the significant impact of the leaks on each of their operations."
https://www.halcyon.ai/ransomware-research-reports/0apt-vs-krybit-ransomware-actors-list-opposing-operators-as-victims
https://www.darkreading.com/threat-intelligence/feuding-ransomware-groups-leak-data
https://www.infosecurity-magazine.com/news/ransomware-turf-war-0apt-krybit/
- Why Unofficial Download Sources Are Still a Security Risk In 2026
"When people think about cybersecurity mistakes, they usually think about the obvious ones. Phishing emails, weak passwords, malicious attachments, a malicious browser extension, or a missed update. Those are all real problems. But there is another mistake that still slips past people all the time: downloading software from the wrong place. It may sound minor to many, but in reality, it is a big deal for all the wrong reasons. Many users still find software the same way they always have. They search for it, click the first result that looks right, grab the installer, and move on."
https://hackread.com/unofficial-download-sources-security-risk-in-2026/
- No Metrics Are Better Than Bad Metrics In The SOC, Says NCSC
"Many of the most common metrics used to measure the effectiveness of the security operations center (SOC) are at best inaccurate and at worst actively harm SecOps teams, the National Cyber Security Centre (NCSC) has warned. The NCSC’s CTO for architecture, Dave Chismon, wrote in a blog post that organizations often gravitate to measurements that can be easily expressed numerically to individuals who aren’t security specialists. However, if “number of tickets processed” or “time taken to close a ticket” are used as metrics, staff may perversely be incentivized to rapidly triage and close them as false positives rather than investigate."
https://www.infosecurity-magazine.com/news/no-metrics-better-bad-metrics-soc/
- Cyber Insurance Data Gives CISOs New Ammo For Budget Talks
"CFOs and boards need to understand risk in financial terms. Insurance data can do this. Obtaining adequate cybersecurity budget from the board requires translating technical risk into business financial risk – an ability that is not always available to security technicians. Resilience, a firm that provides insurance, risk decision support and consultancy, can assist. Through its insurance service, Resilience can directly relate financial loss to specific cybersecurity events and their likely occurrence, allowing CISOs to present technical risk as the monetary risk that CFOs and board members readily understand."
https://www.securityweek.com/cyber-insurance-data-gives-cisos-new-ammo-for-budget-talks/
- Ukrainian Police Detain Hackers Suspected Of Stealing Thousands Of Roblox Accounts For Resale
"Ukrainian law enforcement has detained a group of local hackers suspected of stealing more than 610,000 user accounts from the gaming platform Roblox and reselling them for cryptocurrency on Russian websites, authorities said. Police said on Monday the victims included both Ukrainian and foreign players whose accounts contained valuable digital items, rare equipment and in-game currency purchased with real money. Some accounts also held remaining balances of Roblox’s virtual currency, making them particularly attractive to cybercriminals. The suspects face up to 15 years in prison if convicted and have been placed in pretrial detention while the investigation continues."
https://therecord.media/ukraine-police-detain-hackers-suspected-of-stealing-roblox-accounts
References
Electronic Transactions Development Agency (ETDA)