NCSA Webboard
    Cyber Threat Intelligence 23 January 2026

    Cyber Security News
    • NCSA_THAICERT

      Financial Sector

      • December 2025 Security Issues In Korean & Global Financial Sector
        "This report comprehensively covers real-world cyber threats and security issues that have occurred in the financial industry in Korea and worldwide. It includes an analysis of malware and phishing cases targeting the financial industry, a list of the top 10 malware strains targeting the industry, and statistics on the sectors of Korean accounts leaked on Telegram. A detailed analysis of a phishing email campaign targeting financial institutions is also included."
        https://asec.ahnlab.com/en/92207/

      Vulnerabilities

      • Critical Arbitrary File Upload Vulnerability In RealHomes CRM Plugin Affecting 30k+ Sites
        "This blog post is about a Subscriber+ arbitrary file upload vulnerability in the RealHomes CRM. If you're a RealHomes CRM user, please update to at least version 1.0.1."
        https://patchstack.com/articles/critical-arbitrary-file-upload-vulnerability-in-realhomes-crm-plugin-affecting-30k-sites/
        https://www.infosecurity-magazine.com/news/realhomes-crm-plugin-flaw/
      • Critical GNU InetUtils Telnetd Flaw Lets Attackers Bypass Login And Gain Root Access
        "A critical security flaw has been disclosed in the GNU InetUtils telnet daemon (telnetd) that went unnoticed for nearly 11 years. The vulnerability, tracked as CVE-2026-24061, is rated 9.8 out of 10.0 on the CVSS scoring system. It affects all versions of GNU InetUtils from version 1.9.3 up to and including version 2.7. "Telnetd in GNU Inetutils through 2.7 allows remote authentication bypass via a '-f root' value for the USER environment variable," according to a description of the flaw in the NIST National Vulnerability Database (NVD)."
        https://thehackernews.com/2026/01/critical-gnu-inetutils-telnetd-flaw.html
        https://www.theregister.com/2026/01/22/root_telnet_bug/
      • Foxit, Epic Games Store, MedDreams Vulnerabilities
        "Cisco Talos’ Vulnerability Discovery & Research team recently disclosed three vulnerabilities in Foxit PDF Editor, one in the Epic Games Store, and twenty-one in MedDream PACS. The vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in adherence to Cisco’s third-party vulnerability disclosure policy."
        https://blog.talosintelligence.com/foxi-and-epic-games/
      • CVE-2026-22794: Changing The Origin Header To Take Over Appsmith Accounts
        "Resecurity is tracking the exploitation of CVE-2026-22794, a critical authentication vulnerability in Appsmith that allows attackers to take over user accounts by manipulating the HTTP Origin header during the password reset process. The flaw occurs because Appsmith uses a client-controlled header to construct password reset links, exposing sensitive tokens. An attacker can request a password reset for a victim’s email while providing a malicious Origin (e.g., https://evil.com). The victim receives a legitimate email, but the link points to the attacker’s server. Clicking the link leaks the reset token, allowing the attacker to change the victim’s password and take full control of the account."
        https://www.resecurity.com/es/blog/article/cve-2026-22794-changing-the-origin-header-to-take-over-appsmith-accounts
        https://www.infosecurity-magazine.com/news/appsmith-flaw-account-takeovers/
      • CISA Adds One Known Exploited Vulnerability To Catalog
        "CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
        CVE-2026-20045 Cisco Unified Communications Products Code Injection Vulnerability"
        https://www.cisa.gov/news-events/alerts/2026/01/21/cisa-adds-one-known-exploited-vulnerability-catalog
        https://www.securityweek.com/hackers-targeting-cisco-unified-cm-zero-day/
        https://securityaffairs.com/187181/uncategorized/u-s-cisa-adds-a-flaw-in-cisco-unified-communications-products-to-its-known-exploited-vulnerabilities-catalog.html
      • Old Attack, New Speed: Researchers Optimize Page Cache Exploits
        "A team of researchers from the Graz University of Technology (TU Graz) in Austria has revived Linux page cache attacks, demonstrating that they are not as impractical as previously believed. Page caches are designed to store file-backed memory pages, such as application binaries, libraries, and data files. By keeping a copy of recently accessed disk data in the system’s memory, the operating system can fulfill subsequent requests more quickly, significantly improving overall performance. Back in 2019, researchers from the Austrian university and several other organizations showed that Windows and Linux page caches can be abused for both local and remote attacks."
        https://www.securityweek.com/old-attack-new-speed-researchers-optimize-page-cache-exploits/
        https://snee.la/pdf/pubs/eviction-notice.pdf
      • An Open Source Tool To Unravel UEFI And Its Vulnerabilities
        "As recently as December 2025, the SEI’s CERT Coordination Center (CERT/CC) documented a UEFI-related vulnerability in certain motherboard models, illustrating that early-boot firmware behavior continues to present security challenges despite requiring local physical access to exploit. UEFI is a critical element of system firmware because it initializes hardware and boots up the operating system. Tampering with UEFI can support attacks that are particularly difficult to detect and mitigate."
        https://www.sei.cmu.edu/blog/an-open-source-tool-to-unravel-uefi-and-its-vulnerabilities/

      Malware

      • Arctic Wolf Observes Malicious Configuration Changes On Fortinet FortiGate Devices Via SSO Accounts
        "Starting on January 15, 2026, Arctic Wolf began observing a new cluster of automated malicious activity involving unauthorized firewall configuration changes on FortiGate devices. This activity involved the creation of generic accounts intended for persistence, configuration changes granting VPN access to those accounts, as well as exfiltration of firewall configurations. This is a developing situation, and we will share more technical details of this threat with the public as more information becomes available. While the parameters of initial access details have not been fully confirmed, the current campaign bears similarity to a campaign described by Arctic Wolf in December 2025. In the December security bulletin, we provided details of SSO login activity for administrator accounts, followed by configuration changes and exfiltration on affected firewall devices."
        https://arcticwolf.com/resources/blog/arctic-wolf-observes-malicious-configuration-changes-fortinet-fortigate-devices-via-sso-accounts/
        https://thehackernews.com/2026/01/automated-fortigate-attacks-exploit.html
        https://www.bleepingcomputer.com/news/security/hackers-breach-fortinet-fortigate-devices-steal-firewall-configs/
        https://www.darkreading.com/cloud-security/fortinet-firewalls-malicious-configuration-changes
        https://securityaffairs.com/187194/hacking/arctic-wolf-detects-surge-in-automated-fortinet-fortigate-firewall-configuration-attacks.html
        https://www.securityweek.com/new-wave-of-attacks-targeting-fortigate-firewalls/
        https://www.theregister.com/2026/01/22/fortigate_firewalls_hit_by_silent/
      • Phishing Kits Adapt To The Script Of Callers
        "Okta Threat Intelligence has detected and dissected multiple custom phishing kits that have evolved to meet the specific needs of voice-based social engineers (“callers”) in vishing campaigns. These custom kits are made available on an as-a-service basis and are increasingly used by a growing number of intrusion actors targeting Google, Microsoft, Okta and a range of cryptocurrency providers. The kits are capable of intercepting the credentials of targeted users, while also presenting the supporting context required to convince users to approve MFA challenges, or to take other actions in the interests of the attacker on the phone."
        https://www.okta.com/blog/threat-intelligence/phishing-kits-adapt-to-the-script-of-callers/
        https://www.bleepingcomputer.com/news/security/okta-sso-accounts-targeted-in-vishing-based-data-theft-attacks/
        https://www.theregister.com/2026/01/22/crims_sell_voice_phishing_kits/
      • Attackers With Decompilers Strike Again (SmarterTools SmarterMail WT-2026-0001 Auth Bypass)
        "Well, well, well - look what we’re back with. You may recall that merely two weeks ago, we analyzed CVE-2025-52691 - a pre-auth RCE vulnerability in the SmarterTools SmarterMail email solution with a timeline that is typically reserved for KEV hall-of-famers. The plot of that story had everything: a government agency, vague patch notes (in our opinion), fairly tense forum posts, and accusations of in-the-wild exploitation. The sort of thing dreams are made of~"
        https://labs.watchtowr.com/attackers-with-decompilers-strike-again-smartertools-smartermail-wt-2026-0001-auth-bypass/
        https://thehackernews.com/2026/01/smartermail-auth-bypass-exploited-in.html
        https://www.bleepingcomputer.com/news/security/smartermail-auth-bypass-flaw-now-exploited-to-hijack-admin-accounts/
        https://securityaffairs.com/187201/hacking/critical-smartermail-vulnerability-under-attack-no-cve-yet.html
      • When Ransomware Makes a Mistake Inside INC Ransomware’s Backup Infrastructure
        "This article documents how Cyber Centaurs identified, validated, and safely accessed attacker-controlled data repositories operated by the INC Ransomware Group, resulting in the recovery of stolen data belonging to twelve unrelated U.S. corporations. What made this possible was not a vulnerability or a takedown, but forensic discipline applied to attacker tooling. Specifically, artifacts left behind from Restic, a legitimate backup utility repeatedly repurposed by INC in other campaigns, exposed a persistent layer of attacker infrastructure that extended well beyond a single victim environment."
        https://cybercentaurs.com/blog/when-ransomware-makes-a-mistake-inside-inc-ransomwares-backup-infrastructure/
        https://www.bleepingcomputer.com/news/security/inc-ransomware-opsec-fail-allowed-data-recovery-for-12-us-orgs/
      • AI-Powered North Korean Konni Malware Targets Developers
        "Check Point Research is tracking an active phishing campaign involving KONNI, a North Korea-affiliated threat actor active since at least 2014. Historically, KONNI focused on South Korean diplomatic, academic, and government-linked targets, using geopolitical themes as phishing lures. This latest activity marks a clear shift. In the current campaign, KONNI targets software developers and engineering teams, particularly those involved in blockchain and cryptocurrency projects."
        https://blog.checkpoint.com/research/ai-powered-north-korean-konni-malware-targets-developers/
      • Attackers Continue To Target Trusted Collaboration Platforms: 12,000+ Emails Target Teams Users
        "This report describes a phishing campaign in which attackers abuse Microsoft Teams functionality to distribute phishing content that appears to originate from legitimate Microsoft services. The attack leverages guest invitations and phishing-themed team names to impersonate billing and subscription notifications, encouraging victims to contact a fraudulent support phone number."
        https://blog.checkpoint.com/email-security/attackers-continue-to-target-trusted-collaboration-platforms-12000-emails-target-teams-users/
      • Darktrace Identifies Campaign Targeting South Korea Leveraging VS Code For Remote Access
        "Darktrace identified a DPRK-linked campaign targeting South Korean users with JSE-based spear-phishing lures. The attackers used government-themed decoy documents to deploy a VS Code tunnel, enabling covert remote access via trusted Microsoft infrastructure. The activity highlights growing abuse of legitimate tools to evade detection and maintain persistent access."
        https://www.darktrace.com/blog/darktrace-identifies-campaign-targeting-south-korea-leveraging-vs-code-for-remote-access
        https://www.darkreading.com/endpoint-security/dprk-vs-code-tunnels-remote-hacking
      • Analysis Of Single Sign-On Abuse On FortiOS
        "In December 2025, Fortinet issued an advisory related to two FortiCloud single sign-on (SSO) bypass vulnerabilities (CVE-2025-59718 and CVE-2025-59719) that the Fortinet product security team had internally discovered during a code audit (FG-IR-25-647). The vulnerabilities described in the advisory allowed for unauthenticated bypass of SSO login authentication via crafted SAML sent to FortiOS, FortiWeb, FortiProxy, and FortiSwitch Manager devices when the FortiCloud SSO feature was enabled."
        https://www.fortinet.com/blog/psirt-blogs/analysis-of-sso-abuse-on-fortios
      • VoidLink Threat Analysis: Sysdig Discovers C2-Compiled Kernel Rootkits
        "On January 13, 2026, Check Point Research published its analysis of VoidLink, a Chinese-developed Linux malware framework designed to target cloud environments. Following its discovery, the Sysdig Threat Research Team (TRT) took a deeper look at Voidlink, examining its binaries to better understand the malware’s loader chain, rootkit internals, and control mechanisms."
        https://www.sysdig.com/blog/voidlink-threat-analysis-sysdig-discovers-c2-compiled-kernel-rootkits
        https://hackread.com/voidlink-malware-cloud-system-custom-built-attack/
      • Resurgence Of a Multi-stage AiTM Phishing And BEC Campaign Abusing SharePoint
        "Microsoft Defender Researchers uncovered a multi-stage adversary-in-the-middle (AiTM) phishing and business email compromise (BEC) campaign targeting multiple organizations in the energy sector, resulting in the compromise of various user accounts. The campaign abused SharePoint file-sharing services to deliver phishing payloads and relied on inbox rule creation to maintain persistence and evade user awareness. The attack transitioned into a series of AiTM attacks and follow-on BEC activity spanning multiple organizations."
        https://www.microsoft.com/en-us/security/blog/2026/01/21/multistage-aitm-phishing-bec-campaign-abusing-sharepoint/
        https://www.helpnetsecurity.com/2026/01/22/energy-sector-aitm-phishing-sharepoint-misuse/
        https://www.theregister.com/2026/01/22/crims_compromised_energy_firms_microsoft/
      • Osiris: New Ransomware, Experienced Attackers?
        "A new ransomware family called Osiris was used in an attack targeting a major food service franchisee operator in Southeast Asia in November 2025. While this Osiris ransomware shares a name with a ransomware family from 2016, which was a variant of the Locky ransomware, there is no indication that there is any link between these two families. Investigation by the Symantec and Carbon Black Threat Hunter Team found that this threat is unique and appears to be a completely new ransomware family."
        https://www.security.com/threat-intelligence/new-ransomware-osiris
        https://thehackernews.com/2026/01/new-osiris-ransomware-emerges-as-new.html
      • PyPI Package Impersonates SymPy To Deliver Cryptomining Malware
        "Socket’s Threat Research Team identified a malicious PyPI package, sympy-dev, that impersonates SymPy, a widely used symbolic mathematics library with roughly 85 million downloads per month. The threat actor copied SymPy’s project description and branding cues into the sympy-dev listing, increasing the likelihood of accidental installation. PyPI shows four releases, versions 1.2.3 through 1.2.6, all containing malicious code and published on January 17, 2026, with Nanit listed as the maintainer. In its first day on PyPI, sympy-dev surpassed 1,000 downloads. Downloads do not equate to infections, but early uptake suggests the package began reaching real developer and CI environments quickly."
        https://socket.dev/blog/pypi-package-impersonates-sympy-to-deliver-cryptomining-malware
        https://thehackernews.com/2026/01/malicious-pypi-package-impersonates.html
      • From Protest To Peril: Cellebrite Used Against Jordanian Civil Society
        "Through a multi-year investigation, we find that the Jordanian security apparatus has deployed forensic extraction products manufactured by Cellebrite against civil society devices. We release these findings alongside reporting from the Organized Crime and Corruption Reporting Project (OCCRP) which includes interviews with a few of the victims."
        https://citizenlab.ca/research/from-protest-to-peril-cellebrite-used-against-jordanian-civil-society/
        https://therecord.media/jordan-used-cellebrite-against-activists-critical-gaza-war
      • Watering Hole Attack Targets EmEditor Users With Information-Stealing Malware
        "In late December 2025, EmEditor, a highly extensible and widely used text, code, and CSV editor developed by U.S.-based Emurasoft, published a security advisory warning users that its download page had been compromised. The attackers’ objective was to distribute a compromised version of the program to unsuspecting users. EmEditor has longstanding recognition within Japanese developer communities as a recommended Windows-based editor. This suggests that the attackers are targeting this specific user base, or that they have a particular target among EmEditor users and used the compromised download page as a delivery mechanism."
        https://www.trendmicro.com/en_us/research/26/a/watering-hole-attack-targets-emeditor-users.html
      • The Next Frontier Of Runtime Assembly Attacks: Leveraging LLMs To Generate Phishing JavaScript In Real Time
        "Imagine visiting a webpage that looks perfectly safe. It has no malicious code, no suspicious links. Yet, within seconds, it transforms into a personalized phishing page. This isn't merely an illusion. It's the next frontier of web attacks where attackers use generative AI (GenAI) to build a threat that’s loaded after the victim has already visited a seemingly innocuous webpage."
        https://unit42.paloaltonetworks.com/real-time-malicious-javascript-through-llms/

      General News

      • Hackers Exploit 29 Zero-Days On Second Day Of Pwn2Own Automotive
        "On the second day of Pwn2Own Automotive 2026, security researchers collected $439,250 in cash awards after exploiting 29 unique zero-days. The Pwn2Own Automotive hacking contest focuses on automotive technologies and takes place this week in Tokyo, Japan, from January 21 to January 23, during the Automotive World auto conference. Throughout the competition, security researchers target fully patched electric vehicle (EV) chargers, in-vehicle infotainment (IVI) systems, and car operating systems (e.g., Automotive Grade Linux)."
        https://www.bleepingcomputer.com/news/security/hackers-exploit-29-zero-day-vulnerabilities-on-second-day-of-pwn2own-automotive/
      • AI Agents Undermine Progress In Browser Security
        "Browser security is far from perfect, but technologists and cybersecurity researchers have built a security model that, for the most part, works. However, artificial intelligence (AI) agents could be manipulated to wipe out that progress. Agentic browsers suffer from a key security weakness — inadequate isolation — according to research published last week by Trail of Bits, a cybersecurity research consultancy. The current crop of agentic browsers treat the agent as a proxy for the user, allowing it to cross different tabs and even the local system, as if the agent were an authorized, known user."
        https://www.darkreading.com/application-security/ai-agents-undermine-progress-browser-security
      • The Internet’s Oldest Trust Mechanism Is Still One Of Its Weakest Links
        "Attackers continue to rely on domain names as an entry point into enterprise systems. A CSC domain security study finds that large organizations leave this part of their attack surface underprotected, even as attacks become more frequent. The research examined the Forbes Global 2000 and compared them with the world’s top 100 privately held unicorn companies."
        https://www.helpnetsecurity.com/2026/01/22/csc-domain-security-practices/
      • VulnCheck State Of Exploitation 2026
        "In 2025, VulnCheck identified 884 Known Exploited Vulnerabilities (KEVs) for which evidence of exploitation was observed for the first time. By using the CVE publication date as a proxy for when defenders often gain awareness of a vulnerability, we can better understand how quickly exploitation follows disclosure and awareness. Our analysis shows that 28.96% of KEVs in 2025 were exploited on or before the day their CVE was published, an increase from the 23.6% observed in our 2024 trends in exploitation report, highlighting the continued prevalence of both zero-day[1] and n-day exploitation. This reinforces the urgency for organizations to act quickly on newly disclosed vulnerabilities while continuing to reduce long-standing vulnerability backlogs."
        https://www.vulncheck.com/blog/state-of-exploitation-2026
        https://www.infosecurity-magazine.com/news/zeroday-exploits-surge-vulncheck/
      • UK Executives Warn They May Not Survive a Major Cyber-Attack, Vodafone Survey Finds
        "Major cybersecurity breaches at UK retailers and carmakers last year have raised boardroom awareness of online threats, but many senior executives warn they may go out of business if hit by similar incidents. Vodafone Business polled 1000 senior leaders across businesses of all sizes to better understand their attitudes to cyber risk. Some 89% claimed that big-name breaches at M&S, Jaguar Land Rover (JLR) and other firms last year made them more alert to the potential impact of cyber threats. Yet a worrying 10% admitted their organization would likely not survive a similar incident."
        https://www.infosecurity-magazine.com/news/uk-execs-warn-may-not-suruvie/
      • Email Threat Radar — January 2026
        "Over the last month, Barracuda threat analysts have investigated the following email threats targeting organizations and their employees: Tycoon phishing kit using QR codes built out of HTML tables, Callback phishing through Microsoft Teams, Facebook-themed ‘infringement warnings’ using fake pop-ups, and How using (∕) instead of (/) can sneak malicious links past detection."
        https://blog.barracuda.com/2026/01/22/email-threat-radar-january-2026
      • Leader Of Ransomware Crew Pleads Guilty To Four-Year Crime Spree
        "A Russian national pleaded guilty to leading a ransomware conspiracy that targeted at least 50 victims during a four-year period ending in August 2022. Ianis Aleksandrovich Antropenko began participating in ransomware attacks before moving to the United States, but conducted many of his crimes while living in Florida and California, where he’s been out on bond enjoying rare leniency since his arrest in 2024."
        https://cyberscoop.com/ianis-antropenko-russian-ransomware-leader-guilty/

      References
      Electronic Transactions Development Agency (ETDA)
