Cyber Threat Intelligence 09 January 2026
New Tooling
- StackRox: Open-Source Kubernetes Security Platform
"Security teams spend a lot of time stitching together checks across container images, running workloads, and deployment pipelines. The work often happens under time pressure, with engineers trying to keep clusters stable while meeting internal policy requirements. The StackRox open source project sits in that space, offering a Kubernetes security platform that teams can run and adapt on their own."
https://www.helpnetsecurity.com/2026/01/08/stackrox-kubernetes-security-platform-open-source/
https://github.com/stackrox/stackrox
Vulnerabilities
- Coolify Discloses 11 Critical Flaws Enabling Full Server Compromise On Self-Hosted Instances
"Cybersecurity researchers have disclosed details of multiple critical-severity security flaws affecting Coolify, an open-source, self-hosting platform, that could result in authentication bypass and remote code execution."
https://thehackernews.com/2026/01/coolify-discloses-11-critical-flaws.html
https://censys.com/advisory/cve-2025-64424-cve-2025-64420-cve-2025-64419
- PoC Released For Unauthenticated RCE In Trend Micro Apex Central (CVE-2025-69258)
"Trend Micro has released a critical patch fixing several remotely exploitable vulnerabilities in Apex Central (on-premise), including a flaw (CVE-2025-69258) that may allow unauthenticated attackers to achieve code execution on affected installations. The three vulnerabilities were unearthed and privately reported by Tenable bug hunters last year, who have now published technical details and PoC exploits for each."
https://www.helpnetsecurity.com/2026/01/08/trend-micro-apex-central-cve-2025-69258-rce-poc/
https://www.tenable.com/security/research/tra-2026-01
https://success.trendmicro.com/en-US/solution/KA-0022071
- Cisco Warns Of Identity Service Engine Flaw With Exploit Code
"Cisco has patched a vulnerability in its Identity Services Engine (ISE) network access control solution, with public proof-of-concept exploit code, that can be abused by attackers with admin privileges. Enterprise admins use Cisco ISE to manage endpoint, user, and device access to network resources while enforcing a zero-trust architecture. The security flaw (CVE-2026-20029) affects Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC) regardless of device configuration, and remote attackers with high privileges can exploit it to access sensitive information on unpatched devices."
https://www.bleepingcomputer.com/news/security/cisco-warns-of-identity-service-engine-flaw-with-exploit-code/
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-xxe-jWSbSDKt
https://thehackernews.com/2026/01/cisco-patches-ise-security.html
https://securityaffairs.com/186682/security/public-poc-prompts-cisco-patch-for-ise-ise-pic-vulnerability.html
https://www.theregister.com/2026/01/08/rcisco_ise_bug_poc/
- CISA Adds Two Known Exploited Vulnerabilities To Catalog
"CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
CVE-2009-0556 Microsoft Office PowerPoint Code Injection Vulnerability
CVE-2025-37164 HPE OneView Code Injection Vulnerability"
https://www.cisa.gov/news-events/alerts/2026/01/07/cisa-adds-two-known-exploited-vulnerabilities-catalog
https://thehackernews.com/2026/01/cisa-flags-microsoft-office-and-hpe.html
https://www.bleepingcomputer.com/news/security/cisa-tags-max-severity-hpe-oneview-flaw-as-actively-exploited/
https://www.darkreading.com/vulnerabilities-threats/maximum-severity-hpe-oneview-flaw-exploited
https://www.securityweek.com/critical-hpe-oneview-vulnerability-exploited-in-attacks/
https://securityaffairs.com/186672/security/u-s-cisa-adds-hpe-oneview-and-microsoft-office-powerpoint-flaws-to-its-known-exploited-vulnerabilities-catalog.html
https://www.malwarebytes.com/blog/news/2026/01/cisa-warns-of-active-attacks-on-hpe-oneview-and-legacy-powerpoint
https://www.theregister.com/2026/01/08/cisa_oneview_powerpoint_bugs/
https://www.helpnetsecurity.com/2026/01/08/hpe-oneview-cve-2025-37164-exploited/
- ZombieAgent: New ChatGPT Vulnerabilities Let Data Theft Continue (and Spread)
"To improve user experience and expand ChatGPT’s capabilities, OpenAI has added a feature that allows ChatGPT to connect to external systems such as Gmail, Jira, GitHub, Teams, Outlook, Google Drive and more. The feature, called Connectors, lets users link to these systems in just a few clicks. ChatGPT also includes built-in tools that allow it to browse the internet, open links, analyze, generate images and more. For example, its Memory feature, enabled by default unless the user explicitly disables it, lets ChatGPT store conversations and sensitive information about the user. This allows it to learn about the user and provide better and more accurate responses. ChatGPT can read, create, delete and edit these stored memories."
https://www.radware.com/blog/threat-intelligence/zombieagent/
https://www.darkreading.com/endpoint-security/chatgpt-memory-feature-prompt-injection
https://www.infosecurity-magazine.com/news/new-zeroclick-attack-chatgpt/
https://www.theregister.com/2026/01/08/openai_chatgpt_prompt_injection/
- Researchers Expose WHILL Wheelchair Safety Risks Via Remote Hacking
"Security researchers have demonstrated a critical vulnerability in high-tech electric wheelchairs that allows for unauthorized remote control, highlighting new safety risks for connected mobility devices. On December 30, the US cybersecurity agency CISA published an advisory to inform the public about a serious vulnerability discovered by researchers in electric wheelchairs made by WHILL, a Japan-based company whose personal electric mobility devices are sold around the world. According to CISA’s advisory, WHILL Model C2 and Model F electric wheelchairs are affected by a missing authentication vulnerability. The issue is tracked as CVE-2025-14346 and it has been assigned a critical severity rating."
https://www.securityweek.com/researchers-expose-whill-wheelchair-safety-risks-via-remote-hacking/
https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-364-01
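The CISA KEV entry earlier in this section names two CVE IDs; the operational step behind such an alert is to diff the catalog against your own asset inventory and track the remediation due date CISA attaches to each entry. The following is an added Python example for this digest, not code from CISA or from any of the linked articles. Field names follow the schema of CISA's published JSON feed; the feed excerpt and the inventory are constructed sample data (the CVE IDs and product names come from the alert, the dates, ransomware flag and asset names are illustrative), and the helper names (index_kev, match_inventory, triage, report) are this example's own.

```python
"""Triage a software inventory against a CISA KEV catalog excerpt.

Added example for this digest; not code from CISA or any linked article.
Field names follow the schema of CISA's published JSON feed
(https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
The feed excerpt and inventory below are CONSTRUCTED sample data: the CVE
IDs and product names come from the alert, every other value is illustrative.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import date

# Constructed excerpt of the catalog in CISA's JSON layout (sample values).
SAMPLE_KEV_FEED = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {
            "cveID": "CVE-2025-37164",
            "vendorProject": "HPE",
            "product": "OneView",
            "vulnerabilityName": "HPE OneView Code Injection Vulnerability",
            "dateAdded": "2026-01-07",
            "dueDate": "2026-01-28",  # sample date, not copied from the catalog
            "knownRansomwareCampaignUse": "Unknown",
        },
        {
            "cveID": "CVE-2009-0556",
            "vendorProject": "Microsoft",
            "product": "Office PowerPoint",
            "vulnerabilityName": "Microsoft Office PowerPoint Code Injection Vulnerability",
            "dateAdded": "2026-01-07",
            "dueDate": "2026-01-28",  # sample date, not copied from the catalog
            "knownRansomwareCampaignUse": "Unknown",
        },
    ],
})

# Constructed inventory, shaped like a scanner or CMDB export.
# CVE-2026-20029 (the Cisco ISE flaw elsewhere on this page) is included on
# purpose: it is not in the excerpt, so it must NOT produce a hit.
SAMPLE_INVENTORY = [
    {"asset": "hpe-oneview-01", "cves": ["CVE-2025-37164"]},
    {"asset": "ws-finance-07", "cves": ["cve-2009-0556"]},  # lower-case ID on purpose
    {"asset": "cisco-ise-01", "cves": ["CVE-2026-20029"]},
]


@dataclass(frozen=True)
class KevHit:
    asset: str
    cve_id: str
    product: str
    due_date: date
    overdue: bool
    ransomware_use: str


def index_kev(feed_text: str) -> dict[str, dict]:
    """Parse the catalog JSON and index entries by normalised (upper-cased) CVE ID."""
    feed = json.loads(feed_text)
    return {entry["cveID"].strip().upper(): entry for entry in feed["vulnerabilities"]}


def match_inventory(kev: dict[str, dict], inventory: list[dict], today: date) -> list[KevHit]:
    """Return one KevHit per (asset, CVE) pair that appears in the catalog.

    IDs are normalised before lookup so 'cve-2009-0556' still matches, and
    hits are ordered by CISA due date so the most urgent work comes first.
    """
    hits: list[KevHit] = []
    for asset in inventory:
        for raw_id in asset.get("cves", []):
            entry = kev.get(raw_id.strip().upper())
            if entry is None:
                continue  # not a known-exploited CVE per this catalog
            due = date.fromisoformat(entry["dueDate"])
            hits.append(KevHit(
                asset=asset["asset"],
                cve_id=entry["cveID"],
                product=f'{entry["vendorProject"]} {entry["product"]}',
                due_date=due,
                overdue=today > due,
                ransomware_use=entry.get("knownRansomwareCampaignUse", "Unknown"),
            ))
    hits.sort(key=lambda h: (h.due_date, h.asset))
    return hits


def triage(feed_text: str, inventory: list[dict], today_iso: str) -> list[KevHit]:
    """Convenience wrapper: parse the feed and match the inventory in one call."""
    return match_inventory(index_kev(feed_text), inventory, date.fromisoformat(today_iso))


def report(hits: list[KevHit]) -> list[str]:
    """Render one line per hit; OVERDUE marks assets past the catalog's due date."""
    lines = []
    for h in hits:
        status = "OVERDUE" if h.overdue else f"due {h.due_date.isoformat()}"
        lines.append(f"{status:<14} {h.asset:<16} {h.cve_id:<15} {h.product} "
                     f"(ransomware use: {h.ransomware_use})")
    return lines


if __name__ == "__main__":
    for line in report(triage(SAMPLE_KEV_FEED, SAMPLE_INVENTORY, "2026-01-09")):
        print(line)
```

To run it against the live catalog, download the JSON feed from the URL in the docstring and pass its text to triage in place of SAMPLE_KEV_FEED; the matching logic is unchanged. Normalising the CVE ID before lookup matters in practice, since scanner exports and ticketing systems are inconsistent about case and whitespace, and a missed match on a KEV entry is exactly the kind of gap an attacker benefits from.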
Malware
- FBI Warns About Kimsuky Hackers Using QR Codes To Phish U.S. Orgs
"The North Korean state-sponsored hacker group Kimsuky is using malicious QR codes in spearphishing campaigns that target U.S. organizations, the Federal Bureau of Investigation warns in a flash alert. The observed activity targets organizations involved in North Korea-related policy, research, and analysis, including non-governmental organizations, think tanks, academic institutions, strategic advisory firms, and government entities in the U.S. The use of QR codes in phishing, a technique also known as 'quishing,' isn't new; the FBI warned about it when cybercriminals used it to steal money, but it remains an effective security bypass."
https://www.bleepingcomputer.com/news/security/fbi-warns-about-kimsuky-hackers-using-qr-codes-to-phish-us-orgs/
https://www.ic3.gov/CSA/2026/260108.pdf
- UAT-7290 Targets High Value Telecommunications Infrastructure In South Asia
"Talos assesses with high confidence that UAT-7290 is a sophisticated threat actor falling under the China-nexus of Advanced Persistent Threat actors (APTs). UAT-7290 primarily targets telecommunications providers in South Asia. However, in recent months we have also seen UAT-7290 expand their targeting into Southeastern Europe. In addition to conducting espionage-focused attacks where UAT-7290 burrows deep inside a victim enterprise's network infrastructure, their tactics, techniques and procedures (TTPs) and tooling suggest that this actor also establishes Operational Relay Box (ORB) nodes. The ORB infrastructure may then be used by other China-nexus actors in their malicious operations, signifying UAT-7290's dual role as an espionage-motivated threat actor as well as an initial access group."
https://blog.talosintelligence.com/uat-7290/
https://www.bleepingcomputer.com/news/security/new-china-linked-hackers-breach-telcos-using-edge-device-exploits/
https://thehackernews.com/2026/01/china-linked-uat-7290-targets-telecoms.html
https://www.infosecurity-magazine.com/news/china-uat-7290-targets-telecoms/
- Guloader Malware Being Disguised As Employee Performance Reports
"AhnLab SEcurity intelligence Center (ASEC) recently discovered the Guloader malware being distributed via phishing emails disguised as an employee performance report. The email claims to be informing the recipient about the report for October 2025, and prompts the recipient to check the attachment by mentioning the plan to dismiss some employees."
https://asec.ahnlab.com/en/91825/
- In-Depth Analysis Report On LockBit 5.0: Operation And Countermeasures
"Since its first appearance in September 2019, LockBit has been known as one of the most notorious and active Ransomware-as-a-Service (RaaS) groups worldwide. LockBit operates on the RaaS model and is characterized by sophisticated encryption technology and automated propagation capabilities. Initial access is typically gained through vulnerability exploits, brute force attacks, phishing, or leaked login credentials, and the attack follows a three-stage process: initial access, lateral movement and privilege escalation, and ransomware deployment."
https://asec.ahnlab.com/en/91945/
- xRAT (QuasarRAT) Malware Being Distributed Through Webhard (Adult Games)
"AhnLab SEcurity intelligence Center (ASEC) recently discovered that the xRAT (QuasarRAT) malware is being distributed through a webhard disguised as an adult game. In Korea, webhard services are one of the most commonly used platforms for distributing malware. Typically, threat actors use malware that is easily accessible, such as njRAT and XwormRAT. They disguise the malware as legitimate programs (e.g. games) or adult content to distribute them. Numerous cases have been introduced in the AhnLab SEcurity intelligence Center (ASEC) blog post below."
https://asec.ahnlab.com/en/91930/
- The Truman Show Scam: Trapped In An AI-Generated Reality
"The OPCOPRO “Truman Show” operation is a fully synthetic, AI‑powered investment scam that uses legitimate Android and iOS apps from the official mobile app stores, and AI‑generated communities to steal money and identity data from victims. Instead of relying on malicious code, the attackers use social engineering. The attackers pull victims using phishing SMS/ads/Telegram into tightly-controlled WhatsApp and Telegram groups, where AI‑generated “experts” and synthetic peers simulate an institutional‑grade trading community for weeks before any money or personal details are requested."
https://blog.checkpoint.com/mobile/the-truman-show-scam-trapped-in-an-ai-generated-reality/
- Boto-Cor-De-Rosa Campaign Reveals Astaroth WhatsApp-Based Worm Activity In Brazil
"Astaroth is a Brazilian banking malware previously covered in our analysis Astaroth Unleashed, where we detailed its evolution and capabilities. In a newly identified campaign, internally referred to as Boto Cor-de-Rosa, our researchers discovered that Astaroth now exploits WhatsApp Web as part of its propagation strategy. The malware retrieves the victim’s WhatsApp contact list and automatically sends malicious messages to each contact to further spread the infection."
https://www.acronis.com/en/tru/posts/boto-cor-de-rosa-campaign-reveals-astaroth-whatsapp-based-worm-activity-in-brazil/
https://thehackernews.com/2026/01/whatsapp-worm-spreads-astaroth-banking.html
https://hackread.com/astaroth-banking-trojan-brazil-whatsapp-messages/
https://securityaffairs.com/186685/malware/astaroth-banking-trojan-spreads-in-brazil-via-whatsapp-worm.html
- Fake WinRAR Downloads Hide Malware Behind a Real Installer
"A member of our web research team pointed me to a fake WinRAR installer that was linked from various Chinese websites. When these links start to show up, that’s usually a good indicator of a new campaign. So, I downloaded the file and started an analysis, which turned out to be something of a Matryoshka doll. Layer after layer, after layer. WinRAR is a popular utility that’s often downloaded from “unofficial” sites, which gives campaigns offering fake downloads a bigger chance of being effective."
https://www.malwarebytes.com/blog/threat-intel/2026/01/fake-winrar-downloads-hide-malware-behind-a-real-installer
- The Great VM Escape: ESXi Exploitation In The Wild
"In December 2025, Huntress observed an intrusion leading to the deployment of VMware ESXi exploits. Based on indicators we observed, including the workstation name the threat actor was operating from and other TTPs, the Huntress Tactical Response team assesses with high confidence that initial access occurred via SonicWall VPN. The toolkit analyzed in this report also includes simplified Chinese strings in its development paths, including a folder named “全版本逃逸--交付” (translated: “All version escape - delivery”), and evidence suggesting it was potentially built as a zero-day exploit over a year before VMware's public disclosure, pointing to a well-resourced developer likely operating in a Chinese-speaking region."
https://www.huntress.com/blog/esxi-vm-escape-exploit
https://www.bleepingcomputer.com/news/security/vmware-esxi-zero-days-likely-exploited-a-year-before-disclosure/
https://securityaffairs.com/186709/hacking/chinese-speaking-hackers-exploited-esxi-zero-days-long-before-disclosure.html
- The Ghost In The Machine: Unmasking CrazyHunter's Stealth Tactics
"CrazyHunter ransomware has emerged as a significant and concerning threat, highlighting the increasing sophistication of cybercriminal tactics. Trellix has been actively tracking this ransomware since its initial appearance, noting its rapid development and growing prevalence. The ransomware executable is a fork of the Prince ransomware, which surfaced in mid-2024. It has introduced notable advancements, particularly in network compromise techniques and anti-malware evasion. This blog provides an in-depth analysis of CrazyHunter ransomware and its attack flow."
https://www.trellix.com/blogs/research/the-ghost-in-the-machine-crazyhunters-stealth-tactics/
Reports
- December 2025 Phishing Email Trends Report
"This report provides the distribution quantity, statistics, trends, and case information on phishing emails, which were collected and analyzed for one month in December 2025. The following statistics and cases are included in the original report."
https://asec.ahnlab.com/en/91944/
- Initial Access Sales Accelerated Across Australia And New Zealand In 2025
"The cyber threat environment in Australia and New Zealand experienced a new escalation throughout 2025, driven by a surge in initial access sales, ransomware operations, and high-impact data breaches. According to our Threat Landscape Report Australia and New Zealand 2025, threat activity observed between January and November 2025 reveals a complex and commercialized underground ecosystem, where compromised network access is actively bought, sold, and exploited across multiple sectors."
https://cyble.com/blog/australia-new-zealand-initial-access-threats/
- Here's What Cloud Security's Future Holds For The Year Ahead
"Cloud service providers (CSPs) play an important role in democratizing usage of technology to enable innovation. With cloud platforms, organizations do not need to worry about provisioning hardware and computing infrastructure; they can utilize cloud services and cloud-native development processes to easily build and deploy software applications. Now, as organizations are racing to adopt AI for its benefits, CSPs are fiercely competing to be the platform of choice for AI workloads and similarly democratize access to AI innovation."
https://www.darkreading.com/cloud-security/heres-cloud-security-holds-year-ahead
- Fifth Of Breaches Take Two Weeks To Recover From
"Endpoint disruption following a serious security breach can take up to two weeks to recover from and cost millions for most (87%) US and UK organizations, a new report has revealed. Absolute Security polled 750 CISOs on both sides of the Atlantic to compile the first in a new e-book series, The Resilient CISO: The State of Enterprise Resilience. It revealed that, over the past 12 months, more than half (55%) of respondents had suffered a cyber-attack, ransomware infection, compromise or data breach that took mobile, remote or hybrid endpoint devices out of action."
https://www.infosecurity-magazine.com/news/fifth-breaches-two-weeks-recover/
- Rethinking Security For Agentic AI
"Artificial intelligence has already transformed how enterprises operate, but the next wave of innovation, agentic AI, operates as autonomous or semi‑autonomous agents that can run code, interact with APIs, access databases, and make decisions on the fly. Organizations need to take immediate measures against security threats that can occur when software systems transition from producing passive text output to performing active operational tasks."
https://www.securityweek.com/rethinking-security-for-agentic-ai/
- The State Of Ransomware In The U.S.: Report And Statistics 2025
"Despite arrests, takedowns, and the apparent collapse of several major ransomware groups, 2025 delivered no slowdown in ransomware harm. Victim numbers climbed sharply, new groups emerged, and attackers increasingly found success with social engineering over technical exploits."
https://www.emsisoft.com/en/blog/47215/the-state-of-ransomware-in-the-u-s-report-and-statistics-2025/
https://www.theregister.com/2026/01/08/ransomware_2025_emsisoft/
- Inside Vercel’s Sleep-Deprived Race To Contain React2Shell
"Talha Tariq and his colleagues at Vercel, the company that maintains Next.js, endured many sleep-deprived nights and weekends when React2Shell was discovered and disclosed soon after Thanksgiving. The defect, which affects vast stretches of the internet’s underlying infrastructure, posed a significant risk for Next.js, an open-source library that depends on vulnerable React Server Components."
https://cyberscoop.com/vercel-cto-security-react2shell-vulnerability/
References
Electronic Transactions Development Agency (ETDA)