Cyber Threat Intelligence 12 May 2026
Vulnerabilities
- New GhostLock Tool Abuses Windows API To Block File Access
"A security researcher has released a proof-of-concept tool named GhostLock that demonstrates how a legitimate Windows file API can be abused in attacks to block access to files stored locally or on SMB network shares. This technique, created by Kim Dvash of Israel Aerospace Industries, abuses the Windows 'CreateFileW' API and file-sharing modes to prevent other users and applications from opening files while handles remain active. The GhostLock technique abuses the 'dwShareMode' parameter in the CreateFileW() function, which specifies the type of access other processes have to a file while it is opened."
https://www.bleepingcomputer.com/news/security/new-ghostlock-tool-abuses-windows-api-to-block-file-access/
https://ghostlock.io/
https://github.com/kimd155/ghostlock
Malware
- Official CheckMarx Jenkins Package Compromised With Infostealer
"Checkmarx warned over the weekend that a rogue version of its Jenkins Application Security Testing (AST) plugin had been published on the Jenkins Marketplace. The compromise was claimed by the TeamPCP hacker group, which initiated a spree of supply-chain attacks that included the Shai-Hulud campaigns on npm and the Trivy vulnerability scanner breach, resulting in the delivery of credential-stealing malware. Jenkins is one of the most widely used Continuous Integration/Continuous Deployment (CI/CD) automation solutions for software building, testing, code scanning, application packaging, and deploying updates to servers."
https://www.bleepingcomputer.com/news/security/official-checkmarx-jenkins-package-compromised-with-infostealer/
https://thehackernews.com/2026/05/teampcp-compromises-checkmarx-jenkins.html
https://www.securityweek.com/checkmarx-jenkins-ast-plugin-compromised-in-supply-chain-attack/
https://www.theregister.com/devops/2026/05/11/checkmarx-tackles-another-teampcp-intrusion-as-jenkins-plugin-sabotaged/5237780
- New TrickMo Variant: Device Take Over Malware Targeting Banking, Fintech, Wallet & Auth Apps
"Modern Android banking malware increasingly evolves through architectural redesigns intended to improve stealth, resilience, and operational flexibility rather than through entirely new user-facing capabilities. As platform protections and detection measures continue to improve, operators adapt by redesigning communication layers, modularising offensive functionality, and strengthening persistence and remote-control mechanisms."
https://www.threatfabric.com/blogs/new-trickmo-variant-device-take-over-malware-targeting-banking-fintech-wallet-auth-app
https://www.bleepingcomputer.com/news/security/trickmo-android-banker-adopts-ton-blockchain-for-covert-comms/
https://www.infosecurity-magazine.com/news/trickmo-c-ton-network-android/
- Behind a Fake Claude Code Installer
"Ontinue’s Cyber Defense Center has been observing an ongoing campaign targeting developers through fake installation pages that mimic popular developer tools, including counterfeit Claude Code installers. These lures swap legitimate one-line installers for attacker-controlled commands. Since the beginning of the year, multiple documented cases have highlighted similar fake agent/installer schemes targeting developers. This report details an additional payload stream not documented elsewhere: the same lure with a different payload."
https://www.ontinue.com/resource/blog-behind-a-fake-claude-code-installer/
https://www.infosecurity-magazine.com/news/fake-claude-code-installer/
https://www.theregister.com/security/2026/05/11/cookie-thieves-caught-stealing-dev-secrets/5238248
- Operation HookedWing: 4-Year Multi-Sector Phishing Campaign
"From 2022 to the present, a persistent phishing campaign that has not been publicly documented until now, referred to in this report as Operation HookedWing, has been compromising organizations across multiple sectors and countries. The SOCRadar Threat Research team has identified that the campaign operates a custom phishing kit which, at the time of publication, has not been attributed to any known threat actor."
https://socradar.io/blog/operation-hookedwing-4-year-phishing/
https://www.securityweek.com/over-500-organizations-hit-in-years-long-phishing-campaign/
- Threat Actor Mr_Rot13 Actively Exploits CVE-2026-41940 For Backdoor Deployment
"CVE-2026-41940 is a high-severity unauthenticated authentication bypass vulnerability affecting cPanel & WHM. This product is widely used in Linux server operations and virtual hosting management. The vulnerability has a CVSS score as high as 9.8 (Critical). Without providing any account or password, an attacker can remotely bypass authentication and take over the cPanel / WHM control panel, allowing an unauthenticated remote attacker to gain administrator privileges on the affected server."
https://blog.xlab.qianxin.com/mr_rot13-the-elusive-6-year-hacker-group-weaponizing-critical-cpanel-flaws-for-backdoor-deployment/
https://thehackernews.com/2026/05/cpanel-cve-2026-41940-under-active.html
- Inside AD CS Escalation: Unpacking Advanced Misuse Techniques And Tools
"Active Directory Certificate Services (AD CS) is a foundational component of Windows enterprise infrastructure, responsible for managing public key infrastructure (PKI) and issuing certificates that enable authentication and encryption across networks. Despite its critical role in the enterprise identity infrastructure, AD CS is often undermined by insecure default configurations and design complexities, resulting in exploitable attack surfaces. Due to misconfigured templates and overly permissive enrollment rights, AD CS has emerged as a high-impact, under-monitored vector for privilege escalation and unauthorized identity impersonation in modern environments."
https://origin-unit42.paloaltonetworks.com/active-directory-certificate-services-exploitation/
- OpenClaw’s Hologram: Fake Installer Ships Rust Infostealer
"Hologram is dropper-delivered via a fake OpenClaw installer, undetected by automated sandboxes. The operator abuses Azure DevOps, Telegram, and Hookdeck as infrastructure—legitimate services inside most enterprise allowlists. While Huntress documented the first wave in February, this post covers the second wave: six-binary modular implant framework, novel Hookdeck C2 relay, and the first documented use of clroxide in a crimeware campaign: built by the same developer, eleven weeks later. A third wave rotated infrastructure during analysis with some new capabilities."
https://www.netskope.com/blog/openclaw-hologram-fake-installer-ships-rust-infostealer
- TanStack Npm Packages Compromised In Ongoing Mini Shai-Hulud Supply-Chain Attack
"The Socket Threat Research team detected a compromise across 84 npm package artifacts in the tanstack namespace. Affected packages were modified to add a suspected credential stealer targeting various CI systems, including GitHub Actions. All packages were flagged by Socket AI Scanner in six minutes or less after publication. Several of the newly turned malicious packages, like pkg:npm/@tanstack/react-router have over 12 million weekly downloads, and are widely consumed both directly and transitively across the npm ecosystem, making this compromise especially significant from a software supply-chain perspective."
https://socket.dev/blog/tanstack-npm-packages-compromised-mini-shai-hulud-supply-chain-attack
Breaches/Hacks/Leaks
- Instructure Confirms Hackers Used Canvas Flaw To Deface Portals
"Education technology giant Instructure has confirmed that a security vulnerability allowed hackers to modify Canvas login portals and leave an extortion message. BleepingComputer has learned that both the breach and defacements involved multiple cross-site scripting (XSS) vulnerabilities that enabled the attacker to obtain authenticated admin sessions. The second hack was to draw attention and to pressure Instructure into entering negotiations to pay a ransom following an initial breach disclosed a week before. Instructure is the developer of Canvas, a popular learning management system (LMS) used by schools and universities around the world to handle assignments and coursework."
https://www.bleepingcomputer.com/news/security/instructure-confirms-hackers-used-canvas-flaw-to-deface-portals/
https://cyberscoop.com/canvas-instructure-data-theft-extortion-the-com/
https://www.infosecurity-magazine.com/news/shinyhunters-escalates-canvas/
https://www.securityweek.com/canvas-system-is-online-after-a-cyberattack-disrupted-thousands-of-schools/
https://www.theregister.com/security/2026/05/12/double-canvas-intrusion-confirmed-as-shinyhunters-resets-leak-deadline/5238361
- Skoda Data Breach Hits Online Shop Customers
"Automobile manufacturer Skoda has disclosed a data breach impacting the personal information of its online shop’s users. The incident, the company says, was discovered as part of its technical security monitoring and was the result of a vulnerability in the portal’s software. Immediately after learning of the cyberattack, the car maker took the shop offline, patched the exploited vulnerability, reviewed existing security mechanisms, and retained external forensics experts to help with the investigation. It also notified the relevant authorities."
https://www.securityweek.com/skoda-data-breach-hits-online-shop-customers/
- SailPoint Discloses GitHub Repository Hack
"Identity management and governance provider SailPoint has disclosed a cybersecurity incident involving its GitHub repositories. In a filing with the Securities and Exchange Commission (SEC), the company revealed that the incident occurred on April 20 and was immediately contained. “On April 20, 2026, we detected unauthorized access to a subset of our GitHub repositories. Our incident response team quickly terminated the unauthorized activity and resolved the issue,” the SEC filing reads."
https://www.securityweek.com/sailpoint-discloses-github-repository-hack/
https://securityaffairs.com/191997/data-breach/identity-security-firm-sailpoint-discloses-github-repository-breach.html
- BWH Hotels Guests Warned After Reservation Data Checks Out With Cybercrooks
"BWH Hotels is informing customers about a third-party data breach that gave cybercriminals access to six months' worth of data. The notification email stated that BWH Hotels, which owns the WorldHotels, Best Western Hotels & Resorts, and Sure Hotels brands, identified the intrusion on April 22, but the affected data goes back to October 14, 2025. BWH Hotels CTO Bill Ryan, who penned the notification email, said names, email addresses, telephone numbers, and/or home addresses belonging to "certain guests" were accessed by an unauthorized third party. The intruders also accessed reservation details, such as reservation numbers, dates of stay, and any special requests."
https://www.theregister.com/security/2026/05/11/best-western-hotels-confirms-web-app-data-breach/5238020
- Tables Turned: Gentlemen Ransomware Group Suffers Data Leak
"A ransomware organization is suffering an extreme case of turnabout is fair play through a data breach that is splaying internal correspondence across the internet. "The Gentlemen" surfaced as a ransomware-as-a-service organization in mid-2025 with - as SOCRadar has noted - little intention of playing nice. Hints that The Gentlemen suffered a data breach first surfaced on May 4, in a post to cybercrime forum Breached with the subject line "The Gentlemen - hacked data for sale," which requested $10,000, payable in bitcoin, "for the full data," with samples available on request. Whether or not someone paid isn't clear, but on Friday, the same user listed a link to file-sharing site MediaFire, for downloading the stolen data for free."
https://www.bankinfosecurity.com/tables-turned-gentlemen-ransomware-group-suffers-data-leak-a-31654
General News
- April 2026 Dark Web Breach Incident Trend Report
"The April 2026 Dark Web Breach Incident Trend Report is compiled from data breach cases posted on the deep web and dark web forums. Some information is included in cases where it is difficult to fully verify the factuality of the information due to the nature of the source."
https://asec.ahnlab.com/en/93628/
- April 2026 Dark Web Issue Trend Report
"The April 2026 Dark Web Issue Trend Report summarizes the major issues that occurred on the deep web and dark web. Due to the nature of the sources, some of the information is difficult to fully verify."
https://asec.ahnlab.com/en/93633/
- Dark Web Threat Actor Trend Report, April 2026
"The April 2026 Dark Web Threat Actor Trend Report summarizes trends in hacktivists and threat actors operating on the deep web and dark web. Due to the nature of the sources, some of the information is difficult to fully verify as factual."
https://asec.ahnlab.com/en/93634/
- Q1 2026 Ransomware Report: Fewer Groups, Higher Impact
"Ransomware activity remained elevated in Q1 2026, continuing the trend established over the past year. According to the State of Ransomware Q1 2026 report from Check Point Research, overall attack volume stayed near historic highs. At the same time, the structure of the ransomware ecosystem changed materially. After two years of increasing fragmentation, activity is consolidating around a smaller number of dominant groups. For organizations, this shift reduces the number of active actors but increases the potential impact of individual incidents."
https://blog.checkpoint.com/research/q1-2026-ransomware-report-fewer-groups-higher-impact/
- GTIG AI Threat Tracker: Adversaries Leverage AI For Vulnerability Exploitation, Augmented Operations, And Initial Access
"Since our February 2026 report on AI-related threat activity, Google Threat Intelligence Group (GTIG) has continued to track a maturing transition from nascent AI-enabled operations to the industrial-scale application of generative models within adversarial workflows. This report, based on insights derived from Mandiant incident response engagements, Gemini, and GTIG’s proactive research, highlights the dual nature of the current threat environment where AI serves as both a sophisticated engine for adversary operations and a high-value target for attacks."
https://cloud.google.com/blog/topics/threat-intelligence/ai-vulnerability-exploitation-initial-access
https://thehackernews.com/2026/05/hackers-used-ai-to-develop-first-known.html
https://www.bleepingcomputer.com/news/security/google-hackers-used-ai-to-develop-zero-day-exploit-for-web-admin-tool/
https://www.darkreading.com/cloud-security/hackers-ai-exploit-dev-attack-automation
https://cyberscoop.com/google-threat-intelligence-group-ai-developed-zero-day-exploit/
https://www.infosecurity-magazine.com/news/hackers-using-ai-zero-day-first/
https://hackread.com/google-hackers-used-ai-develop-zero-day-exploit/
https://www.securityweek.com/google-detects-first-ai-generated-zero-day-exploit/
https://securityaffairs.com/191984/ai/google-warns-artificial-intelligence-is-accelerating-cyberattacks-and-zero-day-exploits.html
- Tech Can't Stop These Threats — Your People Can
"I begin, as every strong article should, with a caveat: Technical security controls are critically important. Deploy them all — the SOAR playbooks, the SIEM log ingestions, the EDR clients — and use as many as you have budget and time and manpower to use. And, for the love of all that's secure, don't stop tuning them. However, those same technical controls can't stop a growing category of cyberattacks that are specifically engineered to evade or abuse real systems and trusted employees to do their dirty work. For these cases, your best (and sometimes only) defense isn't another dashboard or detection; it's an employee who knows what they're looking at and what they can do to stop it."
https://www.darkreading.com/cyberattacks-data-breaches/tech-cant-stop-these-threats-people-can
References
Electronic Transactions Development Agency (ETDA)