Cyber Threat Intelligence 21 January 2026
Vulnerabilities
- 100,000 WordPress Sites Affected By Privilege Escalation Vulnerability In Advanced Custom Fields: Extended WordPress Plugin
"On December 10th, 2025, we received a submission for a Privilege Escalation vulnerability in Advanced Custom Fields: Extended, a WordPress plugin with more than 100,000+ active installations. This vulnerability makes it possible for an unauthenticated attacker to grant themselves administrative privileges by updating the user role on a user action form where a role can be selected. Props to Andrea Bocchetti who discovered and responsibly reported this vulnerability through the Wordfence Bug Bounty Program."
https://www.wordfence.com/blog/2026/01/100000-wordpress-sites-affected-by-privilege-escalation-vulnerability-in-advanced-custom-fields-extended-wordpress-plugin/
https://www.bleepingcomputer.com/news/security/acf-plugin-bug-gives-hackers-admin-on-50-000-wordpress-sites/
- ChainLeak: Critical AI Framework Vulnerabilities Expose Data, Enable Cloud Takeover
"Zafran Labs identified two critical vulnerabilities in Chainlit, a widely used open source AI framework. These vulnerabilities affect internet-facing AI systems that are actively deployed across multiple industries, including large enterprises. The flaws allow attackers to leak cloud environment API keys and steal sensitive files (CVE-2026-22218), as well as perform Server-Side Request Forgery (SSRF) against servers hosting AI applications (CVE-2026-22219). These vulnerabilities can be triggered with no user interaction. Zafran confirmed the vulnerabilities in real world, internet-facing applications operated by major enterprises."
https://www.zafran.io/resources/chainleak-critical-ai-framework-vulnerabilities-expose-data-enable-cloud-takeover
https://www.darkreading.com/vulnerabilities-threats/vulnerabilities-break-chainlit-ai-framework
https://www.infosecurity-magazine.com/news/chainlit-security-flaws-ai-apps/
https://www.securityweek.com/chainlit-vulnerabilities-may-leak-sensitive-information/
https://www.theregister.com/2026/01/20/ai_framework_flaws_enterprise_clouds/
- Cyata Research: Breaking Anthropic's Official MCP Server
"Cyata discovered three security vulnerabilities in mcp-server-git, the official Git MCP server maintained by Anthropic. These flaws can be exploited through prompt injection, meaning an attacker who can influence what an AI assistant reads (a malicious README, a poisoned issue description, a compromised webpage) can weaponize these vulnerabilities without any direct access to the victim’s system."
https://cyata.ai/blog/cyata-research-breaking-anthropics-official-mcp-server/
https://www.darkreading.com/application-security/microsoft-anthropic-mcp-servers-risk-takeovers
https://thehackernews.com/2026/01/three-flaws-in-anthropic-mcp-git-server.html
https://www.infosecurity-magazine.com/news/prompt-injection-bugs-anthropic/
https://www.theregister.com/2026/01/20/anthropic_prompt_injection_flaws/
- Cloudflare Fixes ACME Validation Bug Allowing WAF Bypass To Origin Servers
"Cloudflare has addressed a security vulnerability impacting its Automatic Certificate Management Environment (ACME) validation logic that made it possible to bypass security controls and access origin servers. "The vulnerability was rooted in how our edge network processed requests destined for the ACME HTTP-01 challenge path (/.well-known/acme-challenge/*)," the web infrastructure company's Hrushikesh Deshpande, Andrew Mitchell, and Leland Garofalo said. The web infrastructure company said it found no evidence that the vulnerability was ever exploited in a malicious context."
https://thehackernews.com/2026/01/cloudflare-fixes-acme-validation-bug.html
https://fearsoff.org/research/cloudflare-acme
https://www.theregister.com/2026/01/20/cloudflare_fixes_acme_validation/
- DNS OverDoS: Are Private Endpoints Too Private?
"We discovered an aspect of Azure’s Private Endpoint architecture that could expose Azure resources to denial of service (DoS) attacks. In this article, we explore how both intentional and inadvertent acts could result in limited access to Azure resources through the Azure Private Link mechanism. We uncovered this issue while investigating irregular behavior in Azure test environments."
https://unit42.paloaltonetworks.com/dos-attacks-and-azure-private-endpoint/
Malware
- Proxyware Disguised As Notepad++ Tool
"AhnLab SEcurity intelligence Center (ASEC) is monitoring Proxyjacking attacks and continuously disclosing distribution cases and IoCs identified in South Korea. The threat actor Larva‑25012, known for deploying Proxyware, has recently begun using malware disguised as a Notepad++ installer. In addition, the attacker is actively changing techniques to evade detection—such as injecting Proxyware into the Windows Explorer process or leveraging Python-based loaders."
https://asec.ahnlab.com/en/92183/
- VoidLink Signals The Start Of a New Era In AI-Generated Malware
"Artificial intelligence is rapidly reshaping how organizations operate, innovate, and compete. But as AI becomes more powerful, it is also changing how cyber threats are created. Recent research from Check Point highlights a significant turning point: the emergence of VoidLink, which was identified at an early stage of development and was not deployed against victims or used in active attacks. This discovery marks an important moment in cyber security, moving AI-enabled attacks from theory into reality."
https://blog.checkpoint.com/research/voidlink-signals-the-start-of-a-new-era-in-ai-generated-malware/
https://research.checkpoint.com/2026/voidlink-early-ai-generated-malware-framework/
https://www.bleepingcomputer.com/news/security/voidlink-cloud-malware-shows-clear-signs-of-being-ai-generated/
https://www.theregister.com/2026/01/20/voidlink_ai_developed/
- Mass Spam Attacks Leverage Zendesk Instances
"In the past few days, multiple users have reported receiving numerous spam emails coming from a Zendesk domain, leveraging instances belonging to real companies and often bypassing email spam filters. One user on the X platform reported receiving 800 emails from different Zendesk instances, saying many bypassed iCloud's junk filters. Other users reported receiving Zendesk emails from services they'd never used. More worrying, it remains unclear how the spam emails are getting through. Company help desks being leveraged include those belonging to Live Nation, video game publisher Capcom, Tinder, and many more."
https://www.darkreading.com/threat-intelligence/mass-spam-attacks-zendesk-instances
- Inside a Multi-Stage Windows Malware Campaign
"FortiGuard Labs recently identified a multi-stage malware campaign primarily targeting users in Russia. The attack begins with social engineering lures delivered via business-themed documents crafted to appear routine and benign. These documents and accompanying scripts serve as visual distractions, diverting victims to fake tasks or status messages while malicious activity runs silently in the background. As the attack chain progresses, it escalates into a full-system compromise that includes security-control bypass, surveillance, system restriction, deployment of Amnesia RAT, and ransomware delivery."
https://www.fortinet.com/blog/threat-research/inside-a-multi-stage-windows-malware-campaign
- Open-Source Python Script Drives Social Media Phishing Campaign
"We investigated a phishing campaign that exploited social media private messages to deliver weaponized files via Dynamic Link Library (DLL) sideloading, combined with a legitimate, open-source Python pen-testing script—likely to deploy a remote access trojan (RAT). This approach allows attackers to bypass detection and scale their operations with minimal effort while maintaining persistent control over compromised systems. Once inside, they can escalate privileges, move laterally across networks, and exfiltrate data. To mitigate these threats, organizations should implement social media-specific security awareness training to help employees identify phishing attempts and avoid risky downloads."
https://reliaquest.com/blog/threat-spotlight-open-source-python-script-drives-social-media-phishing-campaign
https://thehackernews.com/2026/01/hackers-use-linkedin-messages-to-spread.html
https://www.infosecurity-magazine.com/news/linkedin-phishing-campaign-targets/
- Threat Actors Expand Abuse Of Microsoft Visual Studio Code
"At the end of last year, Jamf Threat Labs published research related to the Contagious Interview campaign, which has been attributed to a threat actor operating on behalf of North Korea (DPRK). Around the same time, researchers from OpenSourceMalware (OSM) released additional findings that highlighted an evolution in the techniques used during earlier stages of the campaign. Specifically, these newer observations highlight an additional delivery technique alongside the previously documented ClickFix-based techniques. In these cases, the infection chain abuses Microsoft Visual Studio Code task configuration files, allowing malicious payloads to be executed on the victim system."
https://www.jamf.com/blog/threat-actors-expand-abuse-of-visual-studio-code/
https://thehackernews.com/2026/01/north-korea-linked-hackers-target.html
- Operation Nomad Leopard: Targeted Spear-Phishing Campaign Against Government Entities In Afghanistan
"The SEQRITE Labs APT Team has been analyzing threats across different regions and recently started tracking a threat group that is targeting Afghan government employees. The attackers are using a fake lure that mimics an official government document to target ministries and administrative offices. In this blog, we explain the complete infection chain used in this campaign along with operational security mistakes made by the actor. We also highlight how the attacker paid attention to small details in the document, making it look like a genuine Afghan government notice."
https://www.seqrite.com/blog/operation-nomad-leopard-targeted-spear-phishing-campaign-against-government-entities-in-afghanistan/
https://therecord.media/hackers-target-afghan-workers
Breaches/Hacks/Leaks
- Minnesota Agency Notifies 304,000 Of Vendor Breach
"The Minnesota Department of Human Services is notifying nearly 304,000 people of a data breach involving someone at a healthcare provider who inappropriately accessed information from an IT system managed by a vendor. State officials are monitoring the incident for potential fraud. The Minnesota agency said the incident involved its MnChoices system, which is used by counties, tribal nations and managed care organizations to assess adults, children and families' eligibility for long-term services and support, including disability assistance, food and housing assistance, and mental health services."
https://www.bankinfosecurity.com/minnesota-agency-notifies-304000-vendor-breach-a-30570
- Everest Ransomware Claims McDonalds India Breach Involving Customer Data
"The notorious Everest ransomware group is claiming to have breached McDonald’s India, the Indian subsidiary of the American fast-food giant. The claim was published on the group’s official dark web leak site earlier today, January 20, 2026, stating that they exfiltrated a massive 861 GB of customer data and internal company documents. As reviewed by Hackread.com, the group also published internal screenshots to support the authenticity of its claims. A closer look at these screenshots reveals financial reports from 2023 to 2026, audit trails, cost tracking sheets, ERP migration files, pricing data, and other sensitive internal communications."
https://hackread.com/everest-ransomware-mcdonalds-india-breach-customer-data/
- RansomHouse Claims Data Breach At Major Apple Contractor Luxshare
"A ransomware and extortion group called RansomHouse claims to have breached Luxshare Precision Industry, a China-based key manufacturing partner and contractor of Apple Inc. The group published a victim profile on its dark web leak site, naming Luxshare and listing several of its major clients. The group’s post outlines Luxshare’s scale, revenue, and role across consumer electronics, communications, and automotive sectors. Apple is highlighted as a major client, alongside names like Nvidia, Meta, Qualcomm, and others."
https://hackread.com/ransomhouse-data-breach-apple-contractor-luxshare/
General News
- December 2025 APT Group Trends
"North Korean state‑sponsored threat groups have increasingly relied on fake IT employment schemes, actively exploiting legitimate hiring platforms and fabricated identities to infiltrate corporate environments. These actors frequently take advantage of remote‑work infrastructures to obtain elevated access and conduct long‑term social engineering operations aimed at gaining access to internal systems. Some groups continue to employ loader techniques such as DLL hijacking, while accelerating modifications to their malware delivery methods to evade detection."
https://asec.ahnlab.com/en/92184/
- Predator Bots Are Exploiting APIs At Scale. Here's How Defenders Must Respond.
"The rise of malicious bots is changing how the internet operates, underscoring the need for stronger safeguards that keep humans firmly in control. Bots now account for more than half of global web traffic, and a new class of “predator bots” has emerged, unleashing self-learning programs that adapt in real time, mimic human behavior, and exploit APIs and business logic in order to steal data, scalp goods, and hijack transactions."
https://cyberscoop.com/malicious-bots-predator-bots-api-security-machine-speed-defense/
- Weaponised AI Is Powering The Fifth Wave Of Cybercrime, Group-IB Warns
"Group-IB, a leading creator of cybersecurity technologies to investigate, prevent, and fight digital crime, has published its first Weaponized AI: Inside the criminal ecosystem fuelling the fifth wave of cybercrime whitepaper, uncovering how AI is changing the criminal ecosystem and fuelling the fifth wave of cybercrime. Over the past thirty years, cybercrime has evolved through successive waves, from manual phishing in the late 90s, industrialised ransomware, all the way to supply chain and ecosystem attacks that characterised the early 2020s. Group-IB has found there has been a 371% surge in dark web forum posts featuring AI keywords since 2019, and a ten-fold increase in replies (1199%). Now, adversaries are industrialising AI, turning once specialist skills such as persuasion, impersonation and malware development into on-demand services available to anyone with a credit card."
https://www.group-ib.com/media-center/press-releases/weaponised-ai-cybercrime/
https://www.infosecurity-magazine.com/news/ai-supercharges-attacks-cybercrime/
https://www.theregister.com/2026/01/20/group_ib_ai_cycercrime_subscriptions/
- Confusion And Fear Send People To Reddit For Cybersecurity Advice
"A strange charge appears on a bank account. An email claims a package is on the way. A social media account stops accepting a password that worked yesterday. When these moments hit, many people do the same thing. They open Reddit and ask strangers for help. A new study shows how often this happens and what people ask when they do. Researchers affiliated with Google and University College London built an analysis pipeline that sifted through 1.1 billion Reddit posts over four years to understand how users seek help."
https://www.helpnetsecurity.com/2026/01/20/reddit-cybersecurity-help-questions/
https://arxiv.org/pdf/2601.11398
- Privacy Teams Feel The Strain As AI, Breaches, And Budgets Collide
"Privacy programs are under strain as organizations manage breach risk, new technology, and limited resources. A global study from ISACA shows that AI is gaining ground in privacy work, with use shaped by governance, funding, and how consistently privacy is built into systems."
https://www.helpnetsecurity.com/2026/01/20/isaca-privacy-program-pressures/
- Cyber Risks Among CEOs' Top Worries Amid Weak Short Term Growth Outlook
"Alongside macroeconomic volatility and geopolitical conflict, cyber risk is one of the top threats worrying today's CEOs as they grow less confident about the short-term growth outlook for their companies. This is according to PwC's 29th Global CEO Survey, which is based on responses from 4454 chief executives across 95 countries and territories. The firm said that almost a third (31%) of CEOs say their company is highly or extremely exposed to the risk of a significant financial loss from cyber threats in the year ahead, up from 24% in 2024's survey and 21% in 2025."
https://www.infosecurity-magazine.com/news/cyber-risks-among-ceos-top-worries/
- Tudou Guarantee Winds Down Operations After $12 Billion In Transactions
"Tudou Guarantee, the Telegram-based marketplace that emerged as a dominant force in Southeast Asia's scam economy following the shutdown of Huione Guarantee, appears to be shuttering its operations. Following a period of intense growth, Elliptic’s blockchain analytics and open source research show that the guarantee marketplace has effectively ceased transactions through its public Telegram groups. Since its inception, Tudou (translated as “Potato”) has processed over $12 billion in transactions, placing it as the third-largest illicit marketplace of all time."
https://www.elliptic.co/blog/tudou-guarantee-winds-down-operations-after-12-billion-in-transactions
https://thehackernews.com/2026/01/tudou-guarantee-marketplace-halts.html
https://www.infosecurity-magazine.com/news/scam-market-tudou-guarantee-shut/
https://securityaffairs.com/187102/cyber-crime/telegram-based-illicit-billionaire-marketplace-tudou-guarantee-stopped-transactions.html
- EU Vulnerability Database Goes Live
"The GCVE initiative has given the green light for its vulnerability database with a decentralized approach. A free, publicly accessible database for IT security vulnerabilities, db.gcve.eu, has been created by GCVE (Global Cybersecurity Vulnerability Enumeration). The aim is to end dependence on US databases and strengthen digital sovereignty in Europe. The initiative came together after a brief scare over the possible discontinuation of the Common Vulnerabilities and Exposures (CVE) program in 2025. The risk got many concerned, forcing the cybersecurity industry to start thinking of alternatives."
https://www.csoonline.com/article/4118848/new-eu-vulnerability-database-launched.html
https://hackread.com/eu-launches-gcve-track-vulnerabilities-us/
References
Electronic Transactions Development Agency (ETDA)