NCSA Webboard
    Cyber Threat Intelligence 05 May 2026

    Cyber Security News
    • NCSA_THAICERT

      New Tooling

      • Pipelock: Open-Source AI Agent Firewall
        "AI coding agents run with shell access, environment variables containing API keys, and unrestricted internet connectivity, creating a single point of failure where one compromised tool call can leak credentials to an attacker-controlled domain. Pipelock, an open-source security harness developed by Joshua Waldrep under the PipeLab project, addresses this exposure by inserting an enforcement layer between agents and the network. Version 2.3.0 shipped with class-preserving request redaction and generic SSE streaming response scanning."
        https://www.helpnetsecurity.com/2026/05/04/pipelock-open-source-ai-agent-firewall/
        https://github.com/luckyPipewrench/pipelock

      Vulnerabilities

      • Progress Warns Of Critical MOVEit Automation Auth Bypass Flaw
        "Progress Software warned customers to patch a critical authentication bypass vulnerability in its MOVEit Automation enterprise-grade managed file transfer (MFT) application. MOVEit Automation automates complex data workflows without requiring manual scripting and serves as a central automation orchestrator to schedule and manage file transfers between different systems, including local servers, cloud storage, and external partners. Tracked as CVE-2026-4670, the security flaw affects MOVEit Automation versions before 2025.1.5, 2025.0.9, and 2024.1.8. Remote threat actors can exploit it without privileges on the targeted systems in low-complexity attacks that don't require user interaction."
        https://www.bleepingcomputer.com/news/security/moveit-automation-customers-warned-to-patch-critical-auth-bypass-flaw/
        https://community.progress.com/s/article/MOVEit-Automation-Critical-Security-Alert-Bulletin-April-2026-CVE-2026-4670-CVE-2026-5174
        https://thehackernews.com/2026/05/progress-patches-critical-moveit.html
        https://securityaffairs.com/191681/security/moveit-automation-flaws-could-enable-full-system-compromise.html
        https://www.helpnetsecurity.com/2026/05/04/critical-moveit-automation-auth-bypass-vulnerability-fixed-cve-2026-4670/

      Malware

      • Critical cPanel Vulnerability Weaponized To Target Government And MSP Networks
        "A previously unknown threat actor has been observed targeting government and military entities in Southeast Asia, alongside a smaller cluster of managed service providers (MSPs) and hosting providers in the Philippines, Laos, Canada, South Africa, and the U.S., by exploiting the recently disclosed vulnerability in cPanel. The activity, detected by Ctrl-Alt-Intel on May 2, 2026, involves the abuse of CVE-2026-41940, a critical vulnerability in cPanel and WebHost Manager (WHM) that could result in an authentication bypass and allow remote attackers to gain elevated control of the control panel."
        https://thehackernews.com/2026/05/critical-cpanel-vulnerability.html
        https://censys.com/blog/the-cpanel-situation-is/
        https://ctrlaltintel.com/research/SEA-CPanel/
        https://www.darkreading.com/threat-intelligence/exploit-cyber-frenzy-critical-cpanel-vulnerability
        https://www.helpnetsecurity.com/2026/05/04/multiple-threat-actors-actively-exploit-cpanel-vulnerability-cve-2026-41940/
        https://www.securityweek.com/over-40000-servers-compromised-in-ongoing-cpanel-exploitation/
        https://securityaffairs.com/191666/breaking-news/hackers-target-governments-and-msps-via-critical-cpanel-flaw-cve-2026-41940.html
      • Ping, Payload, PowerShell: Active Exploitation Of CVE-2026-22679 In Weaver E-Cology
        "The Vega Threat Research team identified active exploitation of CVE-2026-22679 - a critical unauthenticated remote code execution (RCE) in the Office Automation and Collaboration platform Weaver E-cology, reachable through an exposed debug endpoint. Our earliest evidence on a compromised host is 2026-03-17, 14 days before Shadowserver’s first public in-the-wild report on 2026-03-31, and 5 days after the vendor patch shipped on 2026-03-12. The intrusion unfolded over roughly a week of operator activity: RCE verification, three failed payload drops, an attempted pivot to an MSI implant that did not produce a working install, and a short burst of attempts to retrieve PowerShell payloads from attacker-controlled infrastructure. While public coverage of this CVE has so far been limited to advisories, this report outlines a real-world exploitation and post-compromise behavior on a victim host."
        https://blog.vega.io/posts/cve-2026-22679-weaver-ecology-exploitation/
        https://www.bleepingcomputer.com/news/security/weaver-e-cology-critical-bug-exploited-in-attacks-since-march/
      • “Legitimate” Phishing: How Attackers Weaponize Amazon SES To Bypass Email Security
        "The primary goal for attackers in a phishing campaign is to bypass email security and trick the potential victim into revealing their data. To achieve this, scammers employ a wide range of tactics, from redirect links to QR codes. Additionally, they heavily rely on legitimate sources for malicious email campaigns. Specifically, we’ve recently observed an uptick in phishing attacks leveraging Amazon SES. Amazon Simple Email Service (Amazon SES) is a cloud-based email platform designed for highly reliable transactional and marketing message delivery. It integrates seamlessly with other products in Amazon’s cloud ecosystem, AWS."
        https://securelist.com/amazon-ses-phishing-and-bec-attacks/119623/
        https://www.bleepingcomputer.com/news/security/amazon-ses-increasingly-abused-in-phishing-to-evade-detection/
      • VENOMOUS#HELPER: Dual-RMM Phishing Campaign Leveraging JWrapper-Packaged SimpleHelp And ScreenConnect For Silent Remote Access
        "Phishing campaigns leveraging remote management tools are nothing new. Securonix Threat Research has conducted in-depth dynamic analysis of an ongoing phishing campaign targeting multiple vectors, active since at least April 2025. The campaign has impacted over 80 organizations, predominantly in the United States, spanning multiple sectors. This campaign leverages vendor-signed Remote Monitoring and Management (RMM) software to establish silent, persistent access. In this case, customized SimpleHelp and ScreenConnect RMMs are used to bypass defenses as they are legitimately installed by the unsuspecting victim. This campaign appears to have been tracked previously by Sophos (tracked as STAC6405) and Red Canary independently, while the indicators and behavior within this advisory support and extend the depth of their respective research."
        https://www.securonix.com/blog/venomous-helper-phishing-campaign/
        https://www.darkreading.com/cyberattacks-data-breaches/rmm-tools-stealthy-phishing-campaign
        https://thehackernews.com/2026/05/phishing-campaign-hits-80-orgs-using.html
      • Quasar Linux (QLNX) – A Silent Foothold In The Supply Chain: Inside a Full-Featured Linux RAT With Rootkit, PAM Backdoor, Credential Harvesting Capabilities
        "In previous research, we have demonstrated how AI can be used to improve detection accuracy when new malware families emerge, particularly those that reuse or share code from open-source repositories. A clear example is our earlier work “AI-Automated Threat Hunting Brings GhostPenguin Out of the Shadows,” where AI-driven threat hunting helped us expose the previously elusive GhostPenguin backdoor. In this blog entry, we present another compelling finding from the same approach. Our platform recently flagged an unusual Linux implant with low detection, which caught our attention and prompted a deeper investigation. What followed was the discovery of Quasar Linux (QLNX), a previously undocumented Linux remote access trojan (RAT) with rootkit capabilities and a notably minimal detection footprint."
        https://www.trendmicro.com/en_us/research/26/e/quasar-linux-qlnx-a-silent-foothold-in-the-software-supply-chain.html

      Breaches/Hacks/Leaks

      • Trellix Discloses Data Breach After Source Code Repository Hack
        "Cybersecurity firm Trellix disclosed a data breach after attackers gained access to "a portion" of its source code repository. Trellix is a global cybersecurity company formed from the October 2021 merger of McAfee Enterprise and FireEye. It provides services to over 50,000 business and government customers worldwide, protecting more than 200 million endpoints. According to an official statement updated on Monday, the company is now investigating the incident with the help of outside forensic experts. At the moment, Trellix said it has yet to find evidence that the threat actors have exploited or altered the source code they accessed."
        https://www.bleepingcomputer.com/news/security/trellix-discloses-data-breach-after-source-code-repository-hack/
      • Everest Group Begins Leaking Alleged Liberty Mutual Data
        "Ransomware gang Everest Group on Monday began leaking what it claims to be a 108 gigabyte trove of data stolen on April 30 from insurance underwriter Liberty Mutual. The cybercrime group late Monday afternoon published the data after claiming the insurer "failed" to respond to its demands. "After the full publication, all the data was duplicated across various hacker forums and leak database sites," Everest said on its dark website. Liberty Mutual in a statement acknowledged the claims, saying the Boston company is investigating the matter, which it said appears to involve an incident at a third-party vendor."
        https://www.bankinfosecurity.com/everest-group-begins-leaking-alleged-liberty-mutual-data-a-31589
      • Ransomware Group Claims Breach Of Pro-Orbán Hungarian Media Firm
        "A cyber-extortion group said it was responsible for a recent ransomware attack on Hungarian media company Mediaworks that resulted in the publication of large volumes of stolen data online. The World Leaks group said they released nearly 8.5 terabytes of allegedly sensitive files on their dark web site last week. Local media outlets that reviewed the material said it included payroll records, contracts, financial statements and internal communications. Mediaworks confirmed the incident on Friday, warning that “a significant amount of illegally obtained data may have come into the possession of unauthorized persons,” and said it had launched an investigation."
        https://therecord.media/ransomware-group-claims-breach-of-pro-orban-media-firm

      General News

      • Why Data Centers Now Belong On The Critical Infrastructure List
        "Missile and drone attacks that took out cloud data centers in the Middle East underscored a critical vulnerability in the modern economy: reliance on digital infrastructure that sustains competitive advantage and operational continuity for corporations, nations, and militaries. The outages and downstream disruption were a preview of a new form of strategic and operational risk. Data centers have long been the backbone of the digital economy. What is changing is the scale of dependence as AI workloads dramatically increase the compute power required to run businesses, supply chains, and national security systems."
        https://cyberscoop.com/data-centers-critical-infrastructure-ai-security-op-ed/
      • What Researchers Learned About Building An LLM Security Workflow
        "Security operations centers are running into the same wall everywhere. Detection tools generate more alerts than analysts can work through, and the early stages of any investigation involve pulling together logs from several sources to decide whether something is worth escalating. Vendors have spent the past two years pitching LLMs as the answer, with a steady stream of copilots and AI assistants aimed at alert triage. A new paper from researchers at the University of Oslo and the Norwegian Defence Research Establishment offers a useful corrective to that pitch. One finding stands out. When the same language model is handed the same alert and the same data, the difference between useless and accurate output comes down almost entirely to the structure built around it."
        https://www.helpnetsecurity.com/2026/05/04/building-llm-security-workflow/
        https://arxiv.org/pdf/2604.25846
      • Workplace Apps Are Watching, Keeping Tabs, And Sharing What They Learn
        "The typical white-collar workplace in 2026 blends the personal and professional in ways previously unheard of. From BYOD (Bring Your Own Device) policies to the multitude of mobile apps required by many employers, personal data (including behavioral and location data) is increasingly finding its way into workplace systems. Even if only employer-provided devices are used for work, apps used to facilitate synchronous and asynchronous communication, as well as planning and organization, continue to have access to individuals’ personal data. Collectively, these apps account for over 12.5 billion downloads on Google Play alone. Given that employees often have little choice but to install these apps for work, understanding their data practices is critical—users may be unknowingly exposing sensitive personal information, including contact details, financial data, and precise location, to their employer’s software stack."
        https://blog.incogni.com/workplace-apps-on-personal-devices-research/
        https://www.helpnetsecurity.com/2026/05/04/workplace-apps-data-collection-privacy/
      • Shadow IT Has Given Way To Shadow AI. Enter AI-BOMs
        "When it comes to securing enterprise supply chains, now heavily infused with AI applications and agents, a software bill of materials (SBOM) no longer provides a complete inventory of all the components in the environment. Enter AI-BOMs. While a traditional SBOM includes all of the software packages and dependencies in the organization, an AI-BOM aims to cover the gaps introduced by AI assets by providing visibility across all of the models, datasets, SDK libraries, MCP servers, ML frameworks, agents, agentic skills, prompts, and other AI tools - plus how these AI components interact with each other and connect to workflows."
        https://www.theregister.com/2026/05/04/ai_bom_supply_chain/

      Reference
      Electronic Transactions Development Agency (ETDA)
