Cyber Threat Intelligence 30 April 2026
Healthcare Sector
- A Quarter Of Healthcare Organizations Report Medical Device Cyber-Attacks
"One-in-four (24%) healthcare organizations (HCOs) experienced cyber-attacks impacting medical devices over the past year, causing potentially significant disruption to patient care, according to RunSafe Security. The security vendor polled 551 healthcare professionals across the US, UK and Germany to produce its 2026 Medical Device Cybersecurity Index. It revealed that, in 80% of cases, attacks affecting devices had a “moderate” or “significant” impact on patients. This could range from delayed imaging and postponed procedures to interruptions to critical care delivery, RunSafe claimed."
https://www.infosecurity-magazine.com/news/quarter-healthcare-medical-device/
Industrial Sector
- RDP Security: CPS Threats Spark Need For Secure Remote Access
"Hybrid work, remote monitoring and maintenance, and third-party access for system integrators or device vendors are now essential business requirements across many industries. This is especially true in critical infrastructure sectors with mission-critical remote sites, including utilities, transportation, and oil and gas. Historically, organizations have managed remote access to cyber-physical system (CPS) networks at these sites through traditional VPNs or jump hosts using technologies such as Remote Desktop Protocol (RDP) and Virtual Network Computing (VNC). These approaches were designed to extend networks, not control interactions, which increases the attack surface."
https://www.forescout.com/blog/rdp-security-cps-threats-spark-need-for-secure-remote-access/
https://www.securityweek.com/hundreds-of-internet-facing-vnc-servers-expose-ics-ot/
- Threat Landscape For Industrial Automation Systems. South And North America (Canada), Q4 2025
"In South America, the percentage of ICS computers on which threats from email clients were blocked was significantly higher than the global average, by a factor of 1.9. On this metric, the region ranked second globally. High percentage figures for threats distributed via email clients (phishing) and spyware clearly indicate that OT systems in the region are highly exposed to advanced categories of threat actors. High percentage figures for malicious scripts and phishing pages, many of which target specifically employee authentication data for corporate services, also point to a high risk of targeted attacks against the OT infrastructure of industrial enterprises in the region."
https://ics-cert.kaspersky.com/publications/reports/2026/04/29/threat-landscape-for-industrial-automation-systems-south-and-north-america-canada-q4-2025/
Vulnerabilities
- cPanel, WHM Emergency Update Fixes Critical Auth Bypass Bug
"A critical vulnerability affecting all but the latest versions of cPanel and the WebHost Manager (WHM) dashboard could be exploited to obtain access to the control panel without authentication. The security issue, currently identified as CVE-2026-41940 and with a severity score of 9.8, has been addressed in an emergency update that requires running a command manually to retrieve a patched version of the software. Owned by WebPros International, WHM and cPanel are Linux-based web hosting control panels for server and website management. While WHM provides server-level control, cPanel provides administrator access to the website backend, webmail, and databases."
https://www.bleepingcomputer.com/news/security/cpanel-whm-emergency-update-fixes-critical-auth-bypass-bug/
https://thehackernews.com/2026/04/critical-cpanel-authentication.html
https://securityaffairs.com/191465/security/all-supported-cpanel-versions-hit-by-critical-auth-bug-now-patched.html
- Chrome 147, Firefox 150 Security Updates Rolling Out
"Google and Mozilla on Tuesday announced fresh security updates for Chrome and Firefox users, addressing multiple memory safety vulnerabilities. The new Chrome 147 update is rolling out with 30 security fixes, including four for critical-severity use-after-free flaws reported by external researchers. Tracked as CVE-2026-7363, CVE-2026-7361, CVE-2026-7344, and CVE-2026-7343, the bugs impact the Canvas, iOS, Accessibility, and Views browser components."
https://www.securityweek.com/chrome-147-firefox-150-security-updates-rolling-out/
- Your AI Coding Agent Will Run This Exploit For You: How We Found a High-Severity CVE In Cursor
"Novee’s research team identified a high-severity arbitrary code execution vulnerability in Cursor, the popular AI-powered IDE. Cursor has published the vulnerability as CVE-2026-26268. The root cause is not a flaw in Cursor’s core product logic, but rather a consequence of a feature interaction in Git, one that becomes exploitable the moment an AI agent starts autonomously executing Git operations inside a repository it doesn’t control. The end result is attacker code execution directly on a developer’s machine."
https://novee.security/blog/cursor-ide-cve-2026-26268-git-hook-arbitrary-code-execution/
https://hackread.com/cursor-ai-ide-vulnerability-code-execution-git-hooks/
- CursorJacking: Every Cursor User Is Vulnerable To API Key Theft By Rogue Extensions
"LayerX security researchers have found that any extension of the popular AI development tool Cursor can access the developer’s API keys and session tokens, leading to full credential compromise, with no need for user interaction or activity at all. LayerX discovered that since Cursor doesn’t store keys in protected storage, any Cursor extension can execute this access. As a result, every Cursor user is vulnerable to API key theft by rogue Cursor extensions. Exploitation of this vulnerability can lead to exposure of session tokens and API keys, unauthorized access to Cursor backend services, and data theft via user impersonation."
https://layerxsecurity.com/blog/cursorjacking-every-cursor-user-is-vulnerable-to-api-key-theft-by-rogue-extensions/
https://www.infosecurity-magazine.com/news/cursor-extension-flaw-exposes-api/
- Linux Cryptographic Code Flaw Offers Fast Route To Root
"Developers of major Linux distributions have begun shipping patches to address a local privilege escalation (LPE) vulnerability arising from a logic flaw. The newly disclosed LPE, dubbed Copy Fail (CVE-2026-31431), comes from a vulnerability in the Linux kernel's authencesn cryptographic template. "An unprivileged local user can write four controlled bytes into the page cache of any readable file on a Linux system, and use that to gain root," the writeup from security biz Theori explains."
https://www.theregister.com/2026/04/30/linux_cryptographic_code_flaw/
Malware
- TeamPCP-Linked Supply Chain Attack Hits SAP CAP And Cloud MTA Npm Packages
"Compromised SAP CAP npm packages download and execute unverified binaries, creating urgent supply chain risk for affected developers and CI/CD environments. Socket is investigating a suspected supply chain attack affecting multiple npm packages associated with SAP’s JavaScript and cloud application development ecosystem."
https://socket.dev/blog/sap-cap-npm-packages-supply-chain-attack
https://www.aikido.dev/blog/mini-shai-hulud-has-appeared
https://www.bleepingcomputer.com/news/security/official-sap-npm-packages-compromised-to-steal-credentials/
https://thehackernews.com/2026/04/sap-npm-packages-compromised-by-mini.html
- Popular WordPress Redirect Plugin Hid Dormant Backdoor For Years
"The Quick Page/Post Redirect plugin, installed on more than 70,000 WordPress sites, had a backdoor added five years ago that allows injecting arbitrary code into users’ sites. The malware was uncovered by Austin Ginder, the founder of WordPress hosting provider Anchor, who found it after 12 infected sites on his fleet triggered a security alert. The Quick Page/Post Redirect plugin, available on WordPress.org for several years, is a basic utility plugin used for creating redirects in posts, pages, and custom URLs."
https://www.bleepingcomputer.com/news/security/popular-wordpress-redirect-plugin-hid-dormant-backdoor-for-years/
https://anchor.host/the-plugin-author-was-the-supply-chain-attacker/
- Qinglong Task Scheduler RCE Vulnerabilities Exploited In The Wild For Cryptomining
"In early February 2026, users of Qinglong (青龙), a popular open source timed task management platform with over 19,000 GitHub stars, began reporting that their servers were maxing out CPU usage. The cause was a cryptominer binary called .fullgc, deployed through two authentication bypass vulnerabilities that allowed unauthenticated remote code execution. The attacks went largely unnoticed in the English-speaking security community. But across Chinese developer forums and GitHub issues, the picture was clear: attackers were exploiting publicly accessible Qinglong panels to deploy cryptocurrency miners."
https://snyk.io/blog/qinglong-task-scheduler-rce-vulnerabilities/
https://www.bleepingcomputer.com/news/security/hackers-exploit-rce-flaws-in-qinglong-task-scheduler-for-cryptomining/
- AI-Powered Honeypots: Turning The Tables On Malicious AI Agents
"Just as AI brings time-saving advantages to our lives, it brings similar advantages to threat actors. The laborious, time-consuming tasks of finding potentially vulnerable systems, identifying their vulnerabilities, and executing exploit code can be automated and orchestrated using AI. Clearly, these new capabilities put defenders at a disadvantage, as they expose new vulnerabilities for the threat actor. Attackers seek to minimize exposure. The more that a defender knows about a potential attack, the better they can prepare to repel or detect an attack. Using AI-orchestrated tooling to gain access to systems trades stealth for capability. That trade-off increases attacker visibility, and increased visibility is something defenders can exploit."
https://blog.talosintelligence.com/ai-powered-honeypots-turning-the-tables-on-malicious-ai-agents/
- Phoenix Rising: Exposing The PhaaS Kit Behind Global Mass Phishing Campaigns
"According to the Group-IB High-Tech Crime Trends Report 2026, Financial Services, Logistics, and Telecommunications were identified as three of the top five industries most targeted by phishing in 2025. And SMS phishing (smishing) still remains one of the most effective and fastest-growing fraud vectors worldwide. This effectiveness has been further amplified by the rise of phishing-as-a-service (PhaaS) platforms, which provide affiliates with pre-built templates, traffic filtering mechanisms, and real-time victim management dashboards. By combining high-delivery SMS distribution methods with scalable, subscription-based phishing ecosystems, threat actors can rapidly deploy campaigns, replicate proven attack workflows, and expand operations across multiple regions with minimal technical overhead."
https://www.group-ib.com/blog/phoenix-phaas-kit-smishing/
- Meet Bluekit: The AI-Powered All-In-One Phishing Kit
"At one point in time, the phishing kit market was specialized. Operators bought a credential-harvesting page from one seller, a domain rotator from another, and an SMS gateway from a third. Then they stitched the rest together on their own infrastructure. Varonis Threat Labs recently discovered Bluekit, a new phishing kit pitching a broader model. It advertises 40+ website templates, automated domain purchase and registration, 2FA support, spoofing, geolocation emulation, Telegram and browser notifications, antibot cloaking, and add-ons like an AI assistant, voice cloning, and a mail sender. The templates we reviewed covered email and cloud accounts, developer platforms, social media, retail, and crypto services, including iCloud, Apple ID, Gmail, Outlook, Hotmail, Yahoo, ProtonMail, GitHub, Twitter, Zoho, Zara, and Ledger."
https://www.varonis.com/blog/bluekit
https://hackread.com/bluekit-phishing-kit-targets-platforms-mfa-bypass-attack/
- Claude Adds Malware To Crypto Agent
"ReversingLabs (RL) researchers discovered malicious code in a crypto trading project after an AI-based coding agent added a malicious package as a dependency. The @validate-sdk/v2 package poses as a routine data validation tool while siphoning off sensitive secrets from its host environment. The new malware campaign, which RL has dubbed PromptMink, involves a tainted package that was introduced in a Feb. 28 commit to an autonomous trading agent. The commit was co-authored by Anthropic’s Claude Opus large language model (LLM). It allows attackers to access users’ crypto wallets and funds."
https://www.reversinglabs.com/blog/claude-promptmink-malware-crypto
https://thehackernews.com/2026/04/new-wave-of-dprk-attacks-uses-ai.html
https://www.infosecurity-magazine.com/news/ai-npm-dependency-targets-crypto/
- Iranian Cyber Group Handala Targets US Troops In Bahrain
"The Iran-linked threat actor Handala this week targeted US troops in Bahrain in an influence campaign carried out on WhatsApp. The messages, signed Handala and containing a link to the group’s website, claimed the service members were under surveillance and soon to be targeted with drones and missiles. “Your identities are fully known to our missile units, and every move you make is under our surveillance. Very soon, you will be targeted by our Shahed drones and Kheibar and Ghadeer missiles,” the messages reportedly read."
https://www.securityweek.com/iranian-cyber-group-handala-targets-us-troops-in-bahrain/
- Another Day, Another Malicious JPEG
"In his last two diaries, Xavier discussed recent malware campaigns that download JPEG files with an embedded malicious payload[1,2]. At that point in time, I had not come across the malicious “MSI image” myself, but while I was going over malware samples that were caught by one of my customer’s e-mail proxies during last week, I found another campaign in which the same technique was used. Xavier already discussed how the final portion of a payload that was embedded in the JPEG was employed, but since the campaign he came across used a batch downloader as the first stage, and the one I found employed JScript instead, I thought it might be worthwhile to look at the first part of the infection chain in more detail, and discuss a few tips and tricks that may ease analysis of malicious scripts along the way."
https://isc.sans.edu/diary/Another+day+another+malicious+JPEG/32738/
https://blog.barracuda.com/2026/04/28/picture-imperfect-risk-malicious-jpgs
- Threat Spotlight: Boutique Phishing Kit Saiga 2FA Hides Behind ‘Lorem Ipsum’ Metadata
"In early 2025, a sophisticated phishing kit, Saiga 2FA, was seen targeting legal organizations in Australia. Since then, the kit has stayed largely under the radar. New Barracuda detection data shows that its activity has ramped up in recent months, with a significant wave of phishing campaigns beginning in February 2026. Saiga 2FA belongs to a class of advanced phishing kits that function more like a boutique service than an automated platform. It features a structured, modular and infrastructure-driven design. This article examines the attack flow, tools and techniques seen by Barracuda threat analysts in Saiga’s recent campaign."
https://blog.barracuda.com/2026/04/28/threat-spotlight--boutique-phishing-kit-saiga-2fa
- Kuse Web App Abused To Host Phishing Document
"As AI increases its role in work and daily life, AI apps are also increasing in number. Along with this emergence are expanding attack vectors that threat actors are actively exploring. AI is reshaping the cybersecurity landscape, introducing both unprecedented opportunities and complex risks. On April 9, 2026, the TrendAI Managed Services Team encountered a phishing attack that revealed another vulnerability that enabled attackers to store phishing chains, breach trust, and eventually expose credentials. In this case, attackers abused the storage and sharing features of Kuse, a free AI web app. This breach involved a Supply Chain Attack, particularly a Vendor Email Compromise (VEC), wherein a compromised mailbox from a trusted vendor was used to send a specifically crafted phishing email that leveraged the existing relationship level between the two organizations. Because of this, some IOCs are partly redacted in this article due to the usage of specific organization names."
https://www.trendmicro.com/en_us/research/26/d/kuse-web-app-abused-to-host-phishing-document.html
- Fake Document, Real Access: Foxit Impersonation Enables Stealth VNC Control
"Foxit Software has more than 650 million users and is widely trusted as a lightweight PDF reader. That reputation is exactly what makes it valuable to attackers. The more familiar the software, the easier it is to convince someone that what they are downloading is safe. Instead of exploiting a vulnerability in Foxit, the attacker does something simpler: They pretend to be Foxit. That is enough to get users to install malware themselves. A fake installer that looks legitimate can deliver remote access tools, steal credentials, or quietly maintain long-term access to a system. This approach has been used repeatedly. In 2024, several campaigns relied on trojanized installers and search engine poisoning to distribute fake PDF software at scale. No exploit required, just trust. Exploiting weak spots in legitimate programs is another often-used tactic - see our article on ConnectWise."
https://blog.gdatasoftware.com/2026/04/38409-fake-foxit-vnc
- DinDoor's Caddy Problem: How One HTTP Header Exposed 20 Active C2 Servers
"Runtime code environments like Node.js, Deno, and Python are increasingly being utilized as an instrument to execute malicious code. Rather than deploying traditional compiled implants, these trusted, signed runtimes are exploited to run attacker-controlled scripts, which complicates detection in networks where these tools are allowlisted, and coverage is lacking. DinDoor, tracked as a variant of the Tsundere Botnet, follows this model. Delivered primarily via MSI files and relying on the Deno runtime for execution, the malware runs obfuscated JavaScript to communicate with its command and control (C2) infrastructure, while fingerprinting victims and fetching follow-on payloads. A recent report from Broadcom linked DinDoor activity to the Iranian APT group Seedworm, also tracked as MuddyWater, targeting U.S. organizations."
https://hunt.io/blog/dindoor-deno-runtime-backdoor-msi-analysis
- Inside The Coinbase Cartel: How Infostealer Credentials Fueled a 100+ Company Ransomware Spree
"A rapidly expanding ransomware and extortion group known as Coinbase Cartel has officially claimed over 100 targets. The group, which first emerged in September 2025, has made a name for itself through pure data exfiltration and extortion, completely bypassing the use of traditional file encryptors. While many victim organizations and incident response firms have incorrectly attributed the initial access of these breaches to sophisticated zero-day exploits or complex social engineering, Hudson Rock‘s cybercrime intelligence reveals a different, much simpler reality: Coinbase Cartel exclusively uses old Infostealer credentials to compromise cloud environments, FTP servers, and file transfer services."
https://www.infostealers.com/article/inside-the-coinbase-cartel-how-infostealer-credentials-fueled-a-100-company-ransomware-spree/
Breaches/Hacks/Leaks
- Polymarket Rejects Data Breach Claims As Hacker Alleges 300K Records Stolen
"A hacker called Xorcat claims to have stolen a massive 300,000 records from Polymarket. It is the world’s largest decentralised cryptocurrency-based prediction market where users bet on world events. The alleged stolen data was posted on a cybercrime forum and Telegram on 27 April 2026. However, Polymarket has rejected these claims. Xorcat claims to have taken advantage of several flaws in the website’s code. One method involved using undocumented API endpoints. Another method was a pagination bypass on Polymarket’s CLOB (Central Limit Order Book) trading system."
https://hackread.com/polymarket-rejects-data-breach-hacker-records-stolen/
General News
- Call Centres Dismantled And Ten Arrested In EUR 50 Million Online Fraud Case
"A criminal network operating a large-scale online fraud scheme has been dismantled through a collaborative investigation involving Austrian and Albanian authorities, with support from Europol and Eurojust. The operation, which spanned over two years, resulted in the arrest of ten individuals, the search of multiple premises, and the seizure of nearly EUR 900 000 in cash. The criminal network, allegedly operating several call centres in Tirana, Albania, is believed to have caused significant financial damage, totalling at least EUR 50 million. The call centres were professionally set up and organised, resembling legitimate business structures featuring a clear division of roles and hierarchical management."
https://www.europol.europa.eu/media-press/newsroom/news/call-centres-dismantled-and-ten-arrested-in-eur-50-million-online-fraud-case
https://www.bleepingcomputer.com/news/security/european-police-dismantles-50-million-crypto-investment-fraud-ring/
- Coordinated Takedown Of Scam Centers Leads To At Least 276 Arrests; Alleged Managers And Recruiters Charged In San Diego
"Unprecedented cooperation between the FBI, Dubai Police Department, and Chinese Ministry of Public Security has resulted in the arrest of at least 276 individuals and the dismantlement of at least nine scam centers used for cryptocurrency investment fraud schemes. These centers targeted Americans who have suffered millions of dollars in losses from such schemes. This international crackdown last week was spearheaded by the Dubai Police, under the United Arab Emirates (UAE) Ministry of Interior. Among the 275 arrested by Dubai authorities were three defendants charged in the Southern District of California with federal wire fraud and money laundering charges. An additional person was arrested by the Royal Thai Police."
https://www.justice.gov/opa/pr/coordinated-takedown-scam-centers-leads-least-276-arrests-alleged-managers-and-recruiters
https://therecord.media/us-china-partner-on-dubai-scam-compound-takedown
https://www.bankinfosecurity.com/fbi-backed-takedown-hits-crypto-scam-centers-a-31551
- Cursor AI Agent Wipes PocketOS Database And Backups In 9 Seconds
"On 24 April 2026, a disaster hit PocketOS, a Vertical SaaS provider providing the core operational infrastructure for car rental companies. In just nine seconds, a single command from an AI agent deleted the company’s entire production database along with its volume-level backups. Jer Crane, the founder of PocketOS, reported that the crisis started while using an AI coding agent called Cursor, running on Anthropic’s flagship Claude Opus 4.6 model. The agent was performing a routine task in a staging environment (private area used to test code) when it hit a credential mismatch, and instead of stopping, the agent searched through unrelated files and found a root-level API token."
https://hackread.com/cursor-ai-agent-wipes-pocketos-database-backups/
- Researchers Track 2.9 Billion Compromised Credentials
"The threat landscape in 2025 was characterized by a surge in compromised credentials, extortion and vulnerability exploitation, according to a new report from KELA. The threat intelligence firm tracked nearly 2.9 billion compromised credentials last year globally, it said in its latest report, The State of Cybercrime 2026: Emerging Threats & Predictions. These included usernames, passwords, session tokens, cookies found in URL, login and password (ULP) lists, breached email repositories and cybercrime marketplaces. At least 347 million were originally obtained by infostealers found on around 3.9 million infected machines."
https://www.infosecurity-magazine.com/news/29-billion-compromised-credentials/
https://www.kelacyber.com/resources/research/state-of-cybercrime-2026/
- Swiss Police Arrest 10 Suspected Members Of Nigeria-Linked Crime Group Black Axe
"Swiss and German law enforcement have arrested 10 suspected members of the Nigerian criminal network Black Axe, including a regional leader believed to oversee operations in Southern Europe, authorities said on Tuesday. The arrests followed house searches across several Swiss cantons, according to a statement from Europol and Zurich authorities. The suspects, aged between 32 and 54, are accused of carrying out romance scams that caused millions of Swiss francs in losses, alongside money-laundering operations designed to move illicit profits through international financial networks."
https://therecord.media/black-axe-switzerland-germany-cyber
References
Electronic Transactions Development Agency (ETDA)