    ETDA Cyber Threat Intelligence 26 June 2026

    Cyber Security News
      NCSA_THAICERT

      Industrial Sector

      • The OT Segmentation Imperative: Why It Can't Wait Any Longer
        "Ask any team running industrial operations about network segmentation and you'll hear a familiar story. Everyone agrees it's critical. It's mandated by IEC 62443, NERC CIP and NIS2. It limits the blast radius and prevents lateral movement across networks. Yet for most organizations, network segmentation has remained at the top of the "planned but not deployed" list for years. That inaction is becoming increasingly difficult to justify."
        https://www.bankinfosecurity.com/blogs/ot-segmentation-imperative-cant-wait-any-longer-p-4136

      Vulnerabilities

      • GitLab Patches Code Execution, Information Disclosure Vulnerabilities
        "GitLab has rolled out Community Edition (CE) and Enterprise Edition (EE) security updates that resolve 13 vulnerabilities, including three high-severity bugs. The most severe is CVE-2026-10086, an XSS flaw in the Analytics dashboard of GitLab EE, rooted in the improper sanitization of user-supplied input. According to GitLab, the security defect could have allowed an authenticated user with developer rights to execute arbitrary client-side code in the context of other users’ sessions."
        https://www.securityweek.com/gitlab-patches-code-execution-information-disclosure-vulnerabilities/
        https://docs.gitlab.com/releases/patches/patch-release-gitlab-19-1-1-released/
      • Chrome 149 Update Resolves 18 Severe Vulnerabilities
        "Google on Wednesday rolled out a new Chrome 149 update that resolves 18 vulnerabilities, including four critical and 14 high-severity security defects. More than half of the addressed issues, including three critical and seven high-severity, are use-after-free flaws, a type of memory corruption bug that could lead to remote code execution (RCE). In Chrome, use-after-free vulnerabilities can be combined with security holes in the underlying operating system or in a privileged browser process to escape the sandbox."
        https://www.securityweek.com/chrome-149-update-resolves-18-severe-vulnerabilities/
        https://www.malwarebytes.com/blog/news/2026/06/update-chrome-to-patch-critical-browser-security-flaws
      • 25-Year-Old Vulnerability Patched In Curl
        "The open source data transfer tool and library curl has been updated this week with patches for 18 vulnerabilities, including one introduced 25 years ago. The flaws, four medium and 14 low-severity, were discovered as part of a community effort after Anthropic’s Mythos discovered a single curl bug in early May. This release resolves the highest number of CVEs patched with a single curl update, including an issue that was introduced in version 7.7, shipped on March 22, 2001."
        https://www.securityweek.com/25-year-old-vulnerability-patched-in-curl/
        https://curl.se/mail/lib-2026-06/0026.html
        https://securityaffairs.com/194220/security/curl-fixes-a-25-year-old-bug-in-its-largest-cve-release-yet.html
      • BadBlocker: 11 Million Users, One Server Call Away From Compromise
        "Adblock for YouTube (cmedhionkhpnakcndndgjdbohmhepckk) is a Chrome Web Store extension with over 11 million installs and a 4.4-star rating. It blocks ads on YouTube and it works well. It also contains the architectural ingredients for arbitrary JavaScript execution on any website, activated by a single server-side configuration change, without an extension update, without a store review, and without any visible sign that something has changed. In practical terms, that could mean reading pages, stealing data, and acting as the user inside personal accounts, work apps, admin panels, and other sensitive browser sessions."
        https://www.island.io/blog/badblocker-11-million-users-one-server-call-away-from-compromise
        https://thehackernews.com/2026/06/chrome-ad-blocker-with-10m-installs.html

      Malware

      • Fake Invoices Are Moving From Inboxes To Shopping Apps
        "A fake invoice in your email is easy to ignore. A fake invoice inside your order history feels different. Norton customers have reported fake Norton invoices appearing inside the Shop app, the shopping and order-tracking app from Shopify. Public reports suggest the same technique is not limited to Norton. Similar suspicious Shop app notifications have used McAfee, Apple gift cards, iPhones, PayPal-style payment claims and other high-value purchases as bait. The impersonated brand may change, but the mechanics are familiar: make the user believe they have been charged, then give them a phone number to call."
        https://www.gendigital.com/blog/insights/research/fake-invoices-shopping-apps
        https://www.bleepingcomputer.com/news/security/order-tracking-app-shop-abused-to-push-callback-phishing-attacks/
      • Bluekit Phishing-As-a-Service: Browser-In-The-Middle, Evolved
        "Netcraft has identified and is actively detecting live deployments of Bluekit, a sophisticated Phishing-as-a-Service (PhaaS) platform that introduces a meaningful shift in how adversary-in-the-middle (AitM) phishing is executed. While Bluekit was first documented by Varonis Threat Labs — who assessed at the time that it appeared to still be in development — Netcraft can confirm the platform is now operational at scale, with approximately 70 hostnames detected in the last week."
        https://www.netcraft.com/blog/bluekit-phishing-as-a-service-threat
        https://www.bleepingcomputer.com/news/security/bluekit-phishing-kit-adopts-browser-in-the-middle-for-login-theft/
      • Gamaredon In 2025: Leveraging Tunnels, Workers, Dead Drops, And New Alliances
        "Cyberespionage has remained a constant feature of Russia’s war against Ukraine. ESET Research has long tracked Gamaredon, one of the most active Russia-aligned advanced persistent threat (APT) groups targeting Ukraine. The group, attributed by the Security Service of Ukraine (SSU) to the 18th Center of Information Security of Russia’s FSB, maintained a high operational tempo throughout 2025."
        https://www.welivesecurity.com/en/eset-research/gamaredon-2025-leveraging-tunnels-workers-dead-drops-new-alliances/
        https://www.darkreading.com/threat-intelligence/russia-apt-gamaredon-arsenal-defense
        https://www.bankinfosecurity.com/russias-gamaredon-adapts-tactics-to-target-ukraine-a-32068
      • ClickFix: The Attack That Turns Users Into Their Own Attackers
        "ClickFix has quickly become one of the most prevalent social engineering techniques on the web. The attack flips a familiar security assumption on its head: instead of slipping a malicious file past endpoint defenses, the attacker convinces the victim to run the payload themselves. No exploit. No malicious attachment. Just a user, a clipboard, and a convincing prompt."
        https://blog.checkpoint.com/securing-user-and-access/clickfix-the-attack-that-turns-users-into-their-own-attackers/
      • Introduction To COM Usage By Windows Threats
        "Component Object Model (COM) is one of the Windows technologies that analysts regularly encounter but may not always prioritize during triage, as the manual analysis of COM functionality in binary executable files can be labor-intensive. The post starts with a brief introduction into COM, following how binaries utilizing COM can be analyzed, and some examples of malware families and their usage of COM. The post concludes with a list of further resources."
        https://blog.talosintelligence.com/introduction-to-com-usage-by-windows-threats/
      • Russia Breaks Into Human Rights Activist’s Phone With Cellebrite
        "We analyzed Russian activist Andrey Pivovarov’s phone, finding that Russian authorities used forensic extraction tools made by Cellebrite to gain access to his device. A document prepared by Russian authorities confirms that Cellebrite was used to extract information to aid in Pivovarov’s prosecution. Importantly, we found that authorities continued to use Cellebrite for political repression even after the company had cancelled its contracts with Russian customers."
        https://citizenlab.ca/research/russia-breaks-into-human-rights-activists-phone-with-cellebrite/
        https://therecord.media/russia-used-cellebrite-tool-after-company-pulled-out-of-country
        https://cyberscoop.com/russia-cellebrite-activist-phone-hacking/
      • Millenium: A RAT Rewritten, A Threat Multiplied
        "Group-IB analyzes Millenium RAT version 4.*, a remote access trojan that has undergone an architectural shift from .NET to native C++, while continuing to leverage the Telegram Bot API for command and control, requiring no dedicated server infrastructure. This blog also profiles the developer “ShinyEnigma”, and threat actor cluster “Y2K Operators” responsible for active Millenium RAT exploitation campaigns. Over 62,000 compromised endpoints across more than 160 countries have been identified, with infections accelerating sharply in Q1 2026."
        https://www.group-ib.com/blog/millenium-rat-maas/
      • Beware Of “Parcel Expert” Job Offers: They’re Parcel Mule Scams
        "A parcel mule scam, also called a reshipping scam, is a fake job offer designed to recruit people into handling stolen goods. It usually starts with a fake remote job offer that promises easy money for receiving, inspecting, repackaging, and forwarding packages from home. The “employer” may claim to be connected to familiar companies, but the real purpose is to move goods bought with stolen payment information so they are harder to trace. Victims often think they are doing routine logistics work, but they are actually helping criminals launder stolen merchandise."
        https://www.malwarebytes.com/blog/scams/2026/06/beware-of-parcel-expert-job-offers-theyre-parcel-mule-scams
      • Fake Domain Renewal Emails Trick Website Owners Into Paying Scammers
        "You receive an email warning that your website’s domain name is about to expire. Renew now, it says, or your website and email could stop working. The link opens a professional-looking page that already knows your domain name, displays your registrar and expiry date, and starts a countdown timer. It feels urgent and personal, so it feels real."
        https://www.malwarebytes.com/blog/threat-intel/2026/06/fake-domain-renewal-emails-trick-website-owners-into-paying-scammers
      • CL-STA-1062 Targets Southeast Asian Governments And Critical Infrastructure
        "Throughout 2025, we observed a cluster of activity targeting government entities and critical infrastructure in Southeast Asia. Specifically, the activity targeted state-owned enterprises in the energy and government sectors. The Chinese-speaking attackers behind this cluster, which we track as CL-STA-1062, have been active since at least March 2022. We assess with high confidence that this is the same cluster, known as UAT-7237, that was reported for its campaigns against web hosting infrastructure in Taiwan in mid 2025. We also observed CL-STA-1062 campaigns in earlier operations targeting strategic sectors in East Asia, indicating a broader, sustained regional focus."
        https://unit42.paloaltonetworks.com/cl-sta-1062-tinyrct-backdoor/
      • Inside Vidar’s ABE Bypass: From Memory Scanning To APC Injections
        "Infostealers are constantly evolving, and so are the techniques they use to bypass Application-Bound Encryption (ABE). In recent weeks, Vidar has been among the most actively developed stealers and, apart from multiple updates to its string obfuscation and a reworked approach to protecting its configuration, it has also introduced a novel technique for bypassing ABE. And while there have been many other changes in Vidar lately, with new versions dropping every week, in this blog post we focus solely on the ABE bypass and its technical aspects."
        https://www.gendigital.com/blog/insights/research/inside-vidar-abe-bypass
      • Inside Eastern Europe's C2 Sprawl: 3,900+ Servers, 302 Providers, One Host Doing Half The Work
        "Eastern Europe has long served as a reliable foundation for both commodity cybercrime and state-linked threat operations, a region where bulletproof hosting providers, major telecoms, and cloud infrastructure coexist within the same ASN pools. Over a three-month window from March 12 to June 12, 2026, we mapped malicious infrastructure across 10 countries in the region, covering Belarus, Bulgaria, the Czech Republic, Hungary, Poland, Moldova, Romania, Russia, Slovakia, and Ukraine. Across 302 distinct hosting providers, we identified more than 3,900 active C2 servers. The distribution was anything but even. A single Bulgarian provider accounted for more than half of all detected C2 infrastructure, a level of concentration that doesn't surface when you're tracking individual IPs or domains. It only becomes visible when you look at the hosting layer itself, which is exactly what this analysis does."
        https://hunt.io/blog/eastern-europe-malicious-infrastructure-report

      Breaches/Hacks/Leaks

      • Cal Water Says No OT Systems Breached In Iranian Handala Cyberattack
        "The investigation conducted by California Water Service (Cal Water) into the recent cyberattack claimed by the Iranian hacker group Handala found no evidence of activity in the water utility’s operational technology (OT) environment. Handala, which claims to be a hacktivist collective but is widely believed to be a front for Iranian government hacking operations, said it could have disrupted the water supply after gaining access to Cal Water systems but decided not to do so. The statement suggested that the hackers had gained deep access to industrial control systems (ICS)."
        https://www.securityweek.com/cal-water-finds-no-evidence-of-ot-activity-after-hackers-claimed-they-could-disrupt-water-supply/
      • Another Russian Dairy Company Reportedly Disrupted By Cyberattack
        "A cyberattack has snarled logistics and accounting operations at a dairy producer in Russia's republic of Bashkortostan, forcing the company to process shipments and paperwork manually, according to local media. The attack affected the IT systems of Ufagormolzavod, a manufacturer based in Ufa, the regional capital, but did not interrupt production, the company's chief executive, Ildar Faizullin, said."
        https://therecord.media/russia-dairy-producter-cyberattack-ufa
      • Ukraine's State Postal Operator Reports App Disruption After Cyberattack
        "Ukraine's state-owned postal operator, Ukrposhta, said on Thursday that its mobile application is experiencing temporary disruptions following an overnight "enemy" attack on the company's IT systems. "Our specialists are already working to restore the service. We are doing everything we can to ensure you can return to using the app normally as soon as possible," Ukrposhta said."
        https://therecord.media/ukraine-state-postal-operator-reports-disruption

      General News

      • Poland Busts SIM-Swapping Gang Tied To Millions In Crypto Theft
        "Authorities in Poland have arrested four members of an organized cybercrime group accused of breaching telecommunications partners and hijacking email accounts to carry out SIM-swapping attacks. The operation was carried out by the Polish Cybercrime Bureau (CBZC) with support from the FBI and Homeland Security Investigations (HSI) in the United States. According to investigators, the suspects carried out sophisticated cyberattacks to obtain data used in SIM-swapping attacks."
        https://www.bleepingcomputer.com/news/security/poland-busts-sim-swapping-gang-tied-to-millions-in-crypto-theft/
      • Why Patch Directives Only Go So Far
        "When CISA issues an emergency directive, the message to every federal agency and every security team paying attention is to patch now. For CVE-2026-50751, a CVSS 9.3 authentication bypass in Check Point Remote Access VPN, that directive landed on June 21, despite exploitation beginning in early May. That six-week active intrusion gap is not a footnote. It is the entire story."
        https://cyberscoop.com/why-security-patching-is-not-enough-cve-2026-50751-op-ed/
      • In Less Than 24 Hours, Attackers Weaponize Cisco CUCM Flaw
        "Attackers have begun actively exploiting a critical flaw in Cisco Unified Communications Manager (CUCM) to gain root access on vulnerable systems. The attacks appear to have begun less than 24 hours after researchers at SSD Secure Disclosure this week released proof-of-concept code (PoC) along with a full exploit chain for the vulnerability."
        https://www.darkreading.com/cyberattacks-data-breaches/less-than-24-hours-attackers-weaponize-cisco-cucm-flaw
      • EdTech Attackers Shift From Schools To Their Software Suppliers
        "Threats against the education sector have mounted over the past five years and are becoming even more widespread, as attackers set their sights on educational technology (edtech) vendors. Rather than conducting ransomware or other attacks against an individual school or district, cyberattackers now target learning management systems (LMS) and other educational applications to victimize hundreds, if not thousands, of institutions in one fell swoop."
        https://www.darkreading.com/cyberattacks-data-breaches/edtech-attackers-shift-schools-software-suppliers
      • Europe Evolves Into Ransomware's Favorite Region
        "A specter is haunting Europe — the specter of ransomware. After a global lull in 2024 and 2025, the ransomware-as-a-service (RaaS) ecosystem appears to be back to form, at least in Europe. Researchers from Black Kite tracked 684 ransomware attacks across the continent through the first four months of 2026. That's 55% more than the 441 recorded in the first four months of 2025, even more than the 643 recorded through the first half of 2025."
        https://www.darkreading.com/cybersecurity-analytics/europe-evolves-ransomware-favorite-region
        https://www.infosecurity-magazine.com/news/increase-ransomware-europe/
      • The Uptime Questions Every Engineering Leader Should Ask This Week
        "In this interview with Help Net Security, Mattias Geniar, CTO at Oh Dear, explains why most outages start quietly, as creeping latency or a slow rise in errors. He argues teams alert on the wrong things: absolute numbers instead of changes, isolated endpoints instead of real user outcomes. He covers alert fatigue, the DNS and certificate failures buried deep in the stack, the risk of leaning on one provider, and the mistakes tired engineers make at 3am. Geniar closes with questions leaders should ask to test their uptime story."
        https://www.helpnetsecurity.com/2026/06/25/mattias-geniar-oh-dear-preventing-outages/
      • LLM Security Advice Looks Solid Until You Check The Hard Cases
        "Plenty of people now type their security worries straight into a chatbot. A hacked account, a suspicious email, a stalker who might be tracking a phone, all of it lands in the same window someone would use to ask about dinner. A benchmark called HelpBench tests how well chatbots handle those moments, and the results give security professionals something to watch in what their users are being told."
        https://www.helpnetsecurity.com/2026/06/25/helpbench-llm-security-advice/
        https://arxiv.org/pdf/2606.24819
      • Recommendations When Using LLM-Backed Generative AI Systems For FOSS Contributions
        "The entire community of computer users, which quickly approaches every human, faces the growing conundrum of generative artificial intelligence systems backed by Large Language Models (“LLM-gen-AI”). Software freedom activists face particularly difficult challenges in this regard; these LLM-gen-AI systems have been applied in earnest to the endeavors of software creation and modification."
        https://sfconservancy.org/llm-gen-ai/llm-backed-generative-ai-recommendations.html
        https://www.helpnetsecurity.com/2026/06/25/foss-ai-in-open-source/
      • Most Teams Will Ship AI-Written Infrastructure Code With Little Review
        "AI-assisted development has settled into everyday practice across software organizations, and developers using it move from idea to working code in hours. That code does not stay with the developers who prompt it. It flows downstream to the DevOps and platform teams who deploy and maintain it, and those teams are not getting the same speed boost."
        https://www.helpnetsecurity.com/2026/06/25/ai-infrastructure-governance-gap-report/
      • Twenty Million US IP Connections Used By Proxy Services
        "Millions of residential IP connections in the US are collected annually for use in proxy services, with many households unaware that they may ultimately be used by threat actors, a new report has warned. Non-profit the Digital Citizens Alliance claimed in a new report, Cybercrime by Doorbell, that an estimated 20 million or more connections end up as proxies, often without the knowledge of their owners."
        https://www.infosecurity-magazine.com/news/twenty-million-us-ip-connections/
        https://resproxy.digitalcitizensalliance.org/hubfs/resproxy/DCA_Cybercrime-by-Doorbell-Report.pdf
      • Trust In Automated AI Vulnerability Scanning Collapses To 9%, New Study Finds
        "A large number of false negatives has significantly eroded confidence in automated AI testing for vulnerabilities, a new study from Cobalt has found. The Cobalt State of Pentesting Report 2026 is based on two comparative surveys in 2025 and 2026 of around 450 cybersecurity professionals. It found that the percentage of organizations relying entirely on AI automation for testing sank from 29% to 9% over the period, with nearly half (47%) of respondents now preferring a hybrid testing model."
        https://www.infosecurity-magazine.com/news/trust-ai-vulnerability-scanning/
        https://resource.cobalt.io/ai-pentesting-pulse-report-2026-tyd
      • New CISA Guide Assists Federal Agencies With Transitioning To Modernized Zero Trust Architectures
        "Today, the Cybersecurity and Infrastructure Security Agency (CISA) published a guide that helps federal civilian agencies advance their zero trust capabilities and adopt modern architectures supported under the Trusted Internet Connections (TIC) 3.0 Initiative. Part of CISA’s Journey to Zero Trust series, this guide helps agencies transition away from the limitations of using TIC 2.0 and capitalize on TIC 3.0 flexibilities to employ Secure Access Service Edge (SASE) solutions. Federal agencies will better understand, plan and mature to zero trust architecture to improve user experience, increase visibility and control, and enable telemetry sharing with CISA services."
        https://www.cisa.gov/news-events/news/new-cisa-guide-assists-federal-agencies-transitioning-modernized-zero-trust-architectures
        https://www.cisa.gov/resources-tools/resources/using-sase-modern-tic-30-solution
        https://www.cisa.gov/sites/default/files/2026-06/The_Journey_to_Zero_Trust_Using_SASE_in_a_Modern_TIC-3.0_Solution_CB_Approved_508c.pdf
        https://www.infosecurity-magazine.com/news/cisa-sase-tic-3-0-zero-trust/
      • Inside The 2026 SMB Threat Landscape: From Phishing And Scams To Fake AI Tools
        "Small and medium-sized businesses (SMBs) remain attractive targets for cybercriminals – in both mass cyberattacks and sophisticated campaigns targeting larger enterprises through trusted relationship attacks. At the same time, smaller businesses may lack the robust cybersecurity policies and necessary resources to protect themselves against an evolving threat landscape."
        https://securelist.com/smb-threat-report-2026/120357/
      • NIST Opens Updated IoT Security Guidance To Public Review
        "The National Institute of Standards and Technology (NIST) announced Wednesday that it’s seeking public feedback on updated Internet of Things (IoT) security guidelines. Updated to reflect current security needs, the guidance provides general considerations on the impact of IoT products on risk assessments and aims to establish cybersecurity requirements to support security controls. The initial public draft (IPD) of SP 800-213 Revision 1, titled ‘IoT Product Cybersecurity Guidelines for the Federal Government: Establishing IoT Product Cybersecurity Requirements’, is available for download on NIST’s website (PDF), with the public comment period ending August 24."
        https://www.securityweek.com/nist-opens-updated-iot-security-guidance-to-public-review/
        https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-213r1.ipd.pdf
      • SOC Threat Radar — June 2026
        "Incidents mitigated in the last month by Barracuda Managed XDR show how weak access controls and exposed remote services attract mass-targeting adversaries and pave the way for more severe attacks. LemonDuck malware infects endpoints for cryptomining. GoldBrute botnet brute-forces remote services. Password spraying attacks from Iran are targeting VPNs."
        https://blog.barracuda.com/2026/06/25/soc-threat-radar-june-2026
      • Why ShinyHunters Attacks Expose a Growing Data Security Risk
        "While a lot of attention is being paid to a pending apocalypse of vulnerabilities that are being discovered by the latest generation of artificial intelligence (AI) models, a series of relatively simpler cyberattacks from a shadowy syndicate known as ShinyHunters are proving to be the most lethal. The most recent cyberattack launched by this group was against Madison Square Garden (MSG), the parent organization of the New York Knicks and Liberty basketball teams and the New York Rangers hockey team. As fans of the Knicks were celebrating the team’s NBA championship, cybersecurity teams and the executive leadership of MSG were contending with the theft of 45 GB of corporate and customer data."
        https://blog.barracuda.com/2026/06/24/shinyhunters-attacks-data-security-risks

      References

      Electronic Transactions Development Agency (ETDA)
