Cyber Threat Intelligence 05 June 2026
Industrial Sector
- From Critical To Controlled: Cutting Vulnerabilities In a Live Manufacturing Environment
"A vulnerability scanner flags a critical CVSS 10 vulnerability on an industrial asset. The report lands in the boss’ inbox and now he wants to know why we’re sitting on a critical vulnerability. In a normal IT environment, you patch it, then close the ticket and call it a day. If, however, you’re in OT or dealing with ICS in a live manufacturing facility, it’s rarely that simple. Here’s the framework I use to answer the question “Does this finding represent an exploitable vulnerability in our environment?”:"
https://www.helpnetsecurity.com/2026/06/04/ot-vulnerability-management-process/
Vulnerabilities
- Attackers Actively Exploiting Critical Vulnerability In Everest Forms Pro Plugin
"On March 30th, 2026, we publicly disclosed a critical Remote Code Execution vulnerability in Everest Forms Pro, a WordPress plugin with an estimated 4,000 active installations. This vulnerability can be leveraged by unauthenticated attackers to execute arbitrary PHP code on the server, leading to complete site compromise. The vendor released the fully patched version on March 18th, 2026. Our records indicate that attackers started exploiting the issue on April 13th, 2026. The Wordfence Firewall has already blocked over 29,300 exploit attempts targeting this vulnerability."
https://www.wordfence.com/blog/2026/06/attackers-actively-exploiting-critical-vulnerability-in-everest-forms-pro-plugin/
https://www.infosecurity-magazine.com/news/everest-forms-pro-rce-actively/
- Cisco Warns Of Critical Unified CM Flaw With PoC Exploit Code
"Cisco has released security updates to patch a critical-severity Unified Communications Manager (Unified CM) flaw that allows attackers to gain root privileges. Cisco Unified CM (formerly known as Cisco CallManager) serves as the central control system for Cisco IP telephony systems, handling device management, call routing, and telephony features. The vulnerability (tracked as CVE-2026-20230) can be exploited remotely by threat actors without privileges in low-complexity server-side request forgery (SSRF) attacks."
https://www.bleepingcomputer.com/news/security/cisco-warns-of-critical-unified-cm-flaw-with-poc-exploit-code/
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cucm-ssrf-cXPnHcW
https://thehackernews.com/2026/06/cisco-patches-cve-2026-20230-in-unified.html
https://www.securityweek.com/cisco-warns-of-available-poc-for-critical-unified-cm-vulnerability/
https://securityaffairs.com/193142/hacking/critical-cisco-unified-cm-bug-patched-as-public-exploit-code-emerges.html
- Poisoning Claude Code: One GitHub Issue To Break The Supply Chain
"Hello, I’m RyotaK (@ryotkak), a security researcher at GMO Flatt Security Inc. After publishing my previous article (Pwning Claude Code in 8 Different Ways), I continued investigating Claude-related products and found several more vulnerabilities. In this article, I will explain a vulnerability in Claude Code’s GitHub Actions that could allow an attacker to compromise any repository that uses the Claude Code workflow, including Anthropic’s own repositories."
https://flatt.tech/research/posts/poisoning-claude-code-one-github-issue-to-break-the-supply-chain/
https://thehackernews.com/2026/06/claude-code-github-action-flaw-let-one.html
- CVE-2026-23479: Redis Use-After-Free In UnblockClientOnKey Leading To RCE
"CVE-2026-23479 is a use-after-free inside Redis's blocking-client code path that allows an authenticated user to execute arbitrary operating system commands on the Redis host. The use-after-free occurs in unblockClientOnKey() (src/blocked.c), where the function calls processCommandAndResetClient() without checking whether the client was freed as a side effect before continuing to access the client structure. The vulnerability was discovered by Xint Code, a fully autonomous AI-powered security analysis tool, and a working RCE exploit was demonstrated at ZeroDay.Cloud 2025 (London, Dec 10-11, 2025). The Redis team shipped patches on May 5, 2026 across the 7.2.x, 7.4.x, 8.2.x, 8.4.x, and 8.6.x release series."
https://www.zeroday.cloud/blog/redis-cve-2026-23479-deep-dive
https://thehackernews.com/2026/06/autonomous-ai-tool-finds-2-year-old-rce.html
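The excerpt above describes a classic shape of use-after-free: a caller invokes a routine that may destroy the object as a side effect, then keeps dereferencing it. The block below is an added, constructed illustration of that shape and of the hardened form; it is not Redis code, the names (client, process_command_and_reset_client, unblock_client_*) are hypothetical stand-ins, and the allocator is faked (it poisons the object instead of returning memory to malloc) so that the stale access is observable rather than undefined behaviour.

```c
/* Constructed demo of "callee may free the object, caller keeps using it".
 * Not Redis source; all identifiers are hypothetical. */
#include <stdio.h>

#define CLIENT_CLOSE_ASAP 0x1      /* hypothetical: client must be torn down */
#define FREED_ID          (-57005) /* poison written by the fake free() */

typedef struct client {
    int id;
    int flags;
    int blocked;
    int freed;   /* only exists so the demo can detect a stale access */
} client;

/* Counts dereferences of an already-freed client: a real free() would
 * make these reads undefined; here they are made visible instead. */
static int g_accesses_after_free = 0;

static void fake_free_client(client *c) {
    c->freed = 1;
    c->id = FREED_ID;
}

static int client_read_id(client *c) {
    if (c->freed) g_accesses_after_free++;   /* this is the use-after-free */
    return c->id;
}

/* Hypothetical command executor. As a side effect it may destroy the
 * client (think of a QUIT or a fatal protocol error during execution).
 * Returns 1 if the client is still alive, 0 if it was freed. */
static int process_command_and_reset_client(client *c) {
    if (c->flags & CLIENT_CLOSE_ASAP) {
        fake_free_client(c);
        return 0;
    }
    c->blocked = 0;
    return 1;
}

/* Vulnerable shape: the status of the callee is ignored and the client
 * structure is touched again regardless of whether it survived. */
static int unblock_client_unsafe(client *c) {
    process_command_and_reset_client(c);
    return client_read_id(c);   /* stale read when the client was closed */
}

/* Hardened shape: the callee's status is authoritative. Once it reports
 * the client gone, the caller never dereferences the pointer again. */
static int unblock_client_safe(client *c) {
    if (!process_command_and_reset_client(c))
        return -1;              /* client freed; nothing more to do */
    return client_read_id(c);
}

/* Scenario helpers so each outcome is a plain return value. */
static int scenario_unsafe_closing(void) {
    client c = { .id = 42, .flags = CLIENT_CLOSE_ASAP, .blocked = 1, .freed = 0 };
    return unblock_client_unsafe(&c);   /* returns the poison value */
}

static int scenario_safe_closing(void) {
    client c = { .id = 42, .flags = CLIENT_CLOSE_ASAP, .blocked = 1, .freed = 0 };
    return unblock_client_safe(&c);     /* -1: client was torn down */
}

static int scenario_safe_normal(void) {
    client c = { .id = 9, .flags = 0, .blocked = 1, .freed = 0 };
    return unblock_client_safe(&c);     /* 9: normal unblock path */
}

int main(void) {
    printf("unsafe on closing client -> %d\n", scenario_unsafe_closing());
    printf("stale accesses observed  -> %d\n", g_accesses_after_free);
    printf("safe on closing client   -> %d\n", scenario_safe_closing());
    printf("safe on normal client    -> %d\n", scenario_safe_normal());
    return 0;
}
```

The point to carry into code review: any routine that can tear down the object it is handed should report that fact through its return value (or a flag checked immediately afterwards), and every caller must stop touching the object on that path. Audit callers of such routines for work that happens after the call, not just the call itself.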
Malware
- Hola Browser For Windows Compromised To Deliver Cryptominer
"The Windows version of the Hola Browser has been compromised in a supply chain attack that delivered an undeclared executable identified by researchers as a cryptocurrency miner. The compromise was uncovered during periodic certification checks on Hola Browser as part of its AppEsteem certification testing procedure, which it had previously passed. Hola is an Israeli company best known for Hola VPN, a service that allows users to route internet traffic through other users' devices or through paid proxy infrastructure to bypass geographic restrictions and access content from different countries."
https://www.bleepingcomputer.com/news/security/hola-browser-for-windows-compromised-to-deliver-cryptominer/
https://www.sophos.com/en-us/blog/you-do-surprise-me-exe-an-unexpected-executable-in-hola-browser
- Credit Card Theft Campaign Abuses Stripe To Host Stolen Payment Info
"A new Magecart campaign is using Stripe's API infrastructure to host the credit card-stealing payload and the data exfiltrated from checkout pages. The entire malicious activity relies on Google Tag Manager and Stripe domains - googletagmanager.com and api.stripe.com - that are trusted implicitly by online stores. The new malware family was discovered by researchers at ecommerce security company Sansec, who found that the malicious code is loaded from a Google Tag Manager (GTM) container and executes on every page that loads it."
https://www.bleepingcomputer.com/news/security/credit-card-theft-campaign-abuses-stripe-to-host-stolen-payment-info/
- IronWorm: Shai-Hulud's Rustier Cousin
"In this article we present research on a malicious npm package that led us to IronWorm: a heavy, Rust-built infostealer that scrapes every secret it can find on a developer's machine, hides behind an eBPF kernel rootkit, and answers to its operator over Tor. Like the infamous Shai-Hulud worm, it turns stolen credentials into a propagation mechanism, quietly committing itself into victims’ GitHub repositories and using trusted developer workflows to publish itself to the NPM registry. This is a self-replicating supply-chain attack, caught in the wild, aimed squarely at the people with the most valuable keychains around: software developers, and crypto/web3 developers in particular."
https://research.jfrog.com/post/iron-worm-shai-hulud-rustier-cousin/
https://www.bleepingcomputer.com/news/security/new-ironworm-malware-hits-36-packages-in-npm-supply-chain-attack/
https://www.darkreading.com/cyberattacks-data-breaches/rust-written-ironworm-npm-supply-chain
- Fraud, Ransomware, And Fake Apps Are Already Targeting FIFA 2026
"The FIFA World Cup 2026 kicks off on June 11. Across 16 cities in the US, Canada, and Mexico, billions of people will be watching, traveling, betting, and spending. Threat actors have been watching too, and for far longer. Check Point Research and Check Point Exposure Management spent the past year tracking the cyber threat landscape building around this tournament. What emerged is a coordinated pre-positioning effort across three sectors that sit at the center of the World Cup economy: finance, travel and hospitality, and gambling. The infrastructure is already built, with most of it already live."
https://blog.checkpoint.com/exposure-management/fraud-ransomware-and-fake-apps-are-already-targeting-fifa-2026/
- Cybercriminals Are Targeting The FIFA World Cup 2026
"Starting June 11, the FIFA World Cup 2026 will unite fans, teams, sponsors, broadcasters, hospitality providers, and businesses in one of the world’s largest sporting events. It also presents a significant opportunity for cybercriminals. Major international sporting events create great anticipation, attract high search volume, evoke strong emotions, and drive large volumes of digital transactions. Fans are searching for tickets, travel offers, merchandise, live streams, betting sites, job openings, and event updates. Meanwhile, organizations are busy with logistics, staffing, travel arrangements, customer service, media tasks, and coordinating with third parties. Threat actors have anticipated these scenarios and have already started exploiting them."
https://www.fortinet.com/blog/threat-research/cybercriminals-are-targeting-the-fifa-world-cup-2026
- Lazarus Group's Latest: Brandjacking Campaign On Npm
"Sonatype is tracking a Lazarus Group campaign on npm, consisting of dozens of packages, some with up to 500 weekly downloads, aiming to abuse trust in open source to deploy malware. Leveraging tactics like suffix-addition, embedding, version mimicry, and more, brandjacking packages like this are designed to look like something that would belong in a developer environment. These aren't mere typosquats. In this campaign, attackers seek to dupe developers looking for Buffer, Chai, React, and more, to deploy secondary, more nefarious payloads. We took a closer look at the malicious buffer-utilities package to understand attacker intentions."
https://www.sonatype.com/blog/lazarus-groups-latest-brandjacking-campaign-on-npm
https://hackread.com/lazarus-group-npm-brandjacking-target-developers/
- Impersonation, Click Hijacking, And TDS: Inside a Malware Distribution Ecosystem
"Check Point Research investigated a large-scale operation that impersonates open-source and freeware projects to capture search traffic, including lookalikes for researcher and security tooling such as Ghidra, dnSpy, and SpiderFoot. The sites are well-designed and often look like legitimate project portals at a glance, sometimes referencing real upstream resources. The deception is not in the page content alone, it’s in what happens when a user interacts. Our analysis shows these pages load a CloudFront-hosted JavaScript staging layer that converts a click on a “download” button/link into a handoff to a Traffic Distribution System (TDS). The TDS enforces strict gating: first-visit state, mandatory click confirmation, anti-bot/anti-analysis logic, VPN/datacenter filtering, and frequency capping."
https://research.checkpoint.com/2026/impersonation-click-hijacking-and-tds-inside-a-malware-distribution-ecosystem/
https://thehackernews.com/2026/06/fake-sites-mimicking-open-source-tools.html
- Five Eyes Warn Chinese Spies Are Using Job Sites To Recruit Insiders
"China's military intelligence services are increasingly turning to online job platforms with thousands of adverts intended to recruit people with access to sensitive information, the Five Eyes intelligence partnership warned on Wednesday in its first joint bulletin of its kind. The alert, titled Safeguarding Our Secrets, was issued by the domestic security and counterintelligence agencies of Australia (ASIO), Canada (CSIS), the United States (FBI), the United Kingdom (MI5) and New Zealand (NZSIS). It warned that Chinese intelligence officers are posing as recruiters and consultants for front companies based outside China in order to target Five Eyes government and military personnel “and anyone with access to classified or privileged information.”"
https://therecord.media/five-eyes-warns-chinese-spies-are-using-job-sites-to-recruit-insiders
https://www.mi5.gov.uk/sites/default/files/2026-06/SAFEGUARDING OUR SECRETS PUBLICATION.pdf
https://hackread.com/five-eyes-chinese-spies-fake-job-ads-military-staff/
https://www.theregister.com/security/2026/06/04/five-eyes-china-expanding-state-secret-recruitment-campaign/5250978
- Pink Is The Latest Goon Squad To Use Fake Helpdesk Calls To Steal Creds
"A new extortion brand called Pink – which may be a rebrand of BlackFile – uses voice phishing and fake help-desk calls to gain initial access to organizations’ IT environments, steal their sensitive data, and threaten to leak it unless the victims pay a ransom demand. Palo Alto Networks' Unit 42 first spotted the gang, which it tracks as cluster CL-CRI-1147, and its data-leak site, which went live on May 31. “Pink uses vishing and IT impersonation to phish credentials/MFA, then exfiltrates enterprise cloud storage and productivity data to extort victims,” the threat-intelligence biz said in a LinkedIn post."
https://www.theregister.com/cyber-crime/2026/06/04/pink-is-the-latest-goon-squad-to-use-fake-helpdesk-calls-to-steal-creds/5251434
Breaches/Hacks/Leaks
- DentaQuest Data Breach Exposed Info Of 2.6 Million Accounts
"A data breach at the dental benefits administrator DentaQuest has reportedly exposed the sensitive data of 2.6 million accounts. The security incident came to light last month, when the infamous extortion group ShinyHunters listed the company on its data leak site and claimed to have stolen more than 234 GB of data. Following what the threat actor describes as a failure to reach an agreement with the company, the data was publicly leaked."
https://www.bleepingcomputer.com/news/security/dentaquest-data-breach-exposed-info-of-26-million-accounts/
- UN Food Agency Discloses Breach Affecting 600,000 Gaza Households
"The United Nations' World Food Programme (WFP), the world's largest humanitarian organization, revealed over the weekend that its self-registration application (SRA) for Palestine was breached. The WFP disclosed the incident in a Sunday Telegram message, saying that the self-registration application used for assistance registration in Gaza had been breached. During the breach, the attackers gained access to personal data belonging to beneficiaries across the Gaza Strip, including affected individuals' names, ID numbers, phone numbers, and location information (such as neighborhood data recorded during registration)."
https://www.bleepingcomputer.com/news/security/un-world-food-programme-breach-affects-600-000-gaza-households/
https://therecord.media/un-food-agency-investigates-gaza-aid-breach
- iFood Confirms Data Breach Affecting 1.2 Million Users In Brazil
"Brazilian food delivery app iFood has confirmed becoming the victim of a data breach in December 2025 that affected 1.2 million users (which makes up about 2% of its customer base). According to the iFood announcement on Wednesday, June 3, the incident was an isolated issue where hackers took names, phone numbers, addresses, and CPF numbers. Like Social Security Numbers (SSN) in the United States, CPFs are Brazilian taxpayer identity documents used everywhere for everyday tasks like opening bank accounts, shopping, and verifying identity. Fortunately, iFood clarified that hackers did not get passwords, bank details, or credit card records."
https://hackread.com/ifood-confirms-data-breach-brazil-users/
General News
- 4 Critical Threats Where Attackers Have The Advantage
"Enterprise defenses for four critical threats are overmatched and in urgent need of improvement. That's according to several analysts who spoke at the Gartner Security and Risk Management Summit this week. In a session on Monday, John Watts, VP analyst at Gartner, highlighted deepfakes, software supply chain risks, prompt injections, and AI application compromises as the four most pressing threats for enterprises."
https://www.darkreading.com/vulnerabilities-threats/4-critical-threats-attackers-advantage
- OAuth Marketplace Apps Keep Access After Publishers Vanish
"Installing an app from the Google Workspace Marketplace or GitHub Marketplace can grant a third party access to company email, files, calendars, code repositories, CI workflows, organization settings, and secrets. Marketplace presence gives these apps the appearance of approval. The OAuth grants behind them often reach into business systems beyond the listed function. An audit by OhAuth, the OAuth research project from identity security company Offroad, covered 2,890 public OAuth app listings, with 1,595 on Google Workspace Marketplace and 1,295 on GitHub Marketplace. Their combined reported install footprint reaches at least 4.39 billion. That figure is a lower bound. Marketplace install labels use rounded values such as 1M+, so the number represents reported installs."
https://www.helpnetsecurity.com/2026/06/04/oauth-marketplace-apps-audit/
- Spotless Compliance Evidence Can Still Hide a Broken Control
"In this interview with Help Net Security, Marc Rubbinaccio, Head of Cybersecurity and Compliance at Secureframe, explains where security teams go wrong when preparing for CMMC and FedRAMP 20x. The conversation covers how organizations check the 110 requirements but miss the 320 assessment objectives beneath them, why spotless SOC 2 evidence can hide a broken control, and how continuous monitoring is changing compliance work. It also includes advice for junior practitioners on AI and practical moves a mid-market defense supplier can use to get ready for a CMMC Level 2 assessment on a tight budget."
https://www.helpnetsecurity.com/2026/06/04/marc-rubbinaccio-secureframe-cmmc-compliance-readiness/
- ETSI Sets Security Requirements For AI Data Centers And Cloud Platforms
"ETSI has published TS 104 033, a technical specification that defines security requirements for AI computing platforms. The specification establishes a security framework for platforms used to host AI applications in data center and edge computing environments, covering security functions, platform components, interfaces, and services designed to protect AI models, datasets, training processes, and inference workloads. “This work builds on the AI computing platform security framework we have previously developed and marks a significant step forward in establishing concrete and actionable security requirements for the platform itself,” said Scott Cadzow, Chair of the ETSI Technical Committee Securing AI."
https://www.helpnetsecurity.com/2026/06/04/etsi-securing-ai-computing-platforms-standard/
https://www.etsi.org/deliver/etsi_ts/104000_104099/104033/01.01.01_60/ts_104033v010101p.pdf
- Infosecurity Europe: AI Adoption Creates New Opportunities For Attackers To Distribute Malware, Microsoft Warns
"The Microsoft Detection and Response Team (DART) has issued advice on how organizations and their security teams should respond to the rising issue of AI-powered cyber threats. “AI is amazing, it makes our job easier. But the same AI that’s useful can be easily manipulated by threat actors, we’ve seen it in social engineering and in our day-to-day investigations,” said Mary Asaolu, senior security researcher at Microsoft, during Infosecurity Europe on June 3."
https://www.infosecurity-magazine.com/news/attackers-ai-adoption-malware/
- Agentic AI Is Transforming Defense, But Only Secure IT Infrastructure Will Maximize It
"Over the past several weeks, the cybersecurity community has been reminded how quickly frontier and agentic AI in defense networks can challenge our assumptions. When Anthropic's Claude Mythos model was made available to a limited set of organizations as a technical preview, it was reported that an unauthorized group claimed that it had gained access within hours. The incident, if true, was more than a possible breach. It was a warning."
https://thehackernews.com/2026/06/agentic-ai-is-transforming-defense-but.html
- Scam Center Strike Force Announces Results Of U.S. & Private Industry “Disruption Week”
"The Department of Justice, through U.S. Attorney Jeanine Ferris Pirro for the District of Columbia and Assistant Attorney General A. Tysen Duva of the Justice Department’s Criminal Division, today announced the results of a first-of-its-kind event combining the focus of government entities and private industries to tackle cyber-enabled and cryptocurrency fraud targeting Americans. During “Disruption Week,” the private sector took voluntary action to interrupt millions of social media, email, and internet access accounts used by transnational organized crime actors in Southeast Asia that were being used to defraud Americans, and the government shared information which enabled private sector actors to voluntarily freeze over $3.8 million in cryptocurrency involved in laundering of funds stolen from Americans."
https://www.justice.gov/opa/pr/scam-center-strike-force-announces-results-us-private-industry-disruption-week
https://thehackernews.com/2026/06/doj-disrupts-southeast-asia-crypto.html
https://www.securityweek.com/over-1-4-million-accounts-disrupted-in-cybercrime-crackdown/
- Russia Seeks To Label Two Anti-Kremlin Hacker Groups As ‘extremist’
"Russia is seeking to designate two hacker groups, Belarusian Cyber Partisans and Silent Crow, as extremist organizations and ban their activities in the country. The groups have previously claimed responsibility for cyberattacks targeting critical infrastructure and government institutions in Russia and Belarus. Russia’s Supreme Court said on Wednesday it would consider a request to ban the groups during a closed-door hearing. The court did not explain why it was seeking to designate them as extremist organizations."
https://therecord.media/russia-seeks-extremist-label-for-hacker-groups
References
Electronic Transactions Development Agency (ETDA)