Cyber Threat Intelligence 03 February 2026
New Tooling
- Pompelmi: Open-Source Secure File Upload Scanning For Node.js
"Software teams building services in JavaScript are adding more layers of defense to handle untrusted file uploads. An open-source project called Pompelmi aims to insert malware scanning and policy checks directly into Node.js applications before files reach storage or business logic. Pompelmi is built for JavaScript and TypeScript environments and runs directly within the application process. Files are scanned in memory at upload time, allowing applications to make accept or reject decisions early in the request flow."
https://www.helpnetsecurity.com/2026/02/02/pompelmi-open-source-secure-file-upload-scanning-node-js/
https://github.com/pompelmi/pompelmi
Vulnerabilities
- OpenClaw Bug Enables One-Click Remote Code Execution Via Malicious Link
"A high-severity security flaw has been disclosed in OpenClaw (formerly referred to as Clawdbot and Moltbot) that could allow remote code execution (RCE) through a crafted malicious link. The issue, which is tracked as CVE-2026-25253 (CVSS score: 8.8), has been addressed in version 2026.1.29 released on January 30, 2026. It has been described as a token exfiltration vulnerability that leads to full gateway compromise."
https://thehackernews.com/2026/02/openclaw-bug-enables-one-click-remote.html
https://github.com/openclaw/openclaw/security/advisories/GHSA-g8p2-7wf7-98mq
https://www.theregister.com/2026/02/02/openclaw_security_issues/
Malware
- The Chrysalis Backdoor: A Deep Dive Into Lotus Blossom’s Toolkit
"Rapid7 Labs, together with the Rapid7 MDR team, has uncovered a sophisticated campaign attributed to the Chinese APT group Lotus Blossom. Active since 2009, the group is known for its targeted espionage campaigns primarily impacting organizations across Southeast Asia and more recently Central America, focusing on government, telecom, aviation, critical infrastructure, and media sectors. Our investigation identified a security incident stemming from a sophisticated compromise of the infrastructure hosting Notepad++, which was subsequently used to deliver a previously undocumented custom backdoor, which we have dubbed Chrysalis."
https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/
https://notepad-plus-plus.org/news/hijacked-incident-info-update/
https://thehackernews.com/2026/02/notepad-official-update-mechanism.html
https://www.bleepingcomputer.com/news/security/notepad-plus-plus-update-feature-hijacked-by-chinese-state-hackers-for-months/
https://www.darkreading.com/application-security/chinese-hackers-hijack-notepad-updates-6-months
https://therecord.media/popular-text-editor-hijacked-by-suspected-state-sponsored-hackers
https://securityaffairs.com/187531/security/nation-state-hack-exploited-hosting-infrastructure-to-hijack-notepad-updates.html
https://www.securityweek.com/notepad-supply-chain-hack-conducted-by-china-via-hosting-provider/
https://www.theregister.com/2026/02/02/notepad_plusplus_intrusion/
https://www.theregister.com/2026/02/02/notepad_hijacking_lotus_blossom/
https://cyberscoop.com/china-espionage-group-lotus-blossom-attacks-notepad/
https://hackread.com/notepad-updates-malware-hosting-breach/
https://www.infosecurity-magazine.com/news/notepad-update-hijacked/
https://www.helpnetsecurity.com/2026/02/02/2025-notepad-supply-chain-compromise/
- GlassWorm Loader Hits Open VSX Via Developer Account Compromise
"Socket’s Threat Research team identified a developer-compromise supply chain attack distributed via the Open VSX Registry, specifically a compromise of the developer’s publishing credentials. The Open VSX security team assessed the activity as consistent with a leaked token or other unauthorized access. On January 30, 2026, four established Open VSX extensions published by the oorzc author had malicious versions published to Open VSX that embed the GlassWorm malware loader. These extensions had previously presented as legitimate developer utilities (some first published more than two years ago) and collectively accumulated over 22,000 Open VSX downloads prior to the malicious releases."
https://socket.dev/blog/glassworm-loader-hits-open-vsx-via-suspected-developer-account-compromise
https://www.bleepingcomputer.com/news/security/new-glassworm-attack-targets-macos-via-compromised-openvsx-extensions/
https://www.securityweek.com/open-vsx-publisher-account-hijacked-in-fresh-glassworm-attack/
- Desperate Perth Renters Targeted By Rising Australian Housing Scam
"For many residents in Perth, finding a rental has become a high-stakes challenge. As demand for housing surges, a troubling trend has just been revealed: an Australian housing scam preying on renters who are willing to stretch every dollar to secure a roof over their heads. These rent scams, often orchestrated by individuals posing as private landlords on online platforms like Facebook Marketplace, have left victims financially and emotionally drained."
https://cyble.com/blog/perth-australian-housing-scam/
- How Fake Party Invitations Are Being Used To Install Remote Access Tools
"“You’re invited!” It sounds friendly, familiar and quite harmless. But in a scam we recently spotted, that simple phrase is being used to trick victims into installing a full remote access tool on their Windows computers—giving attackers complete control of the system. What appears to be a casual party or event invitation leads to the silent installation of ScreenConnect, a legitimate remote support tool quietly installed in the background and abused by attackers."
https://www.malwarebytes.com/blog/threat-intel/2026/02/how-fake-party-invitations-are-being-used-to-install-remote-access-tools
- Russian Hackers Exploit Recently Patched Microsoft Office Bug In Attacks
"Ukraine’s Computer Emergency Response Team (CERT) says that Russian hackers are exploiting CVE-2026-21509, a recently patched vulnerability in multiple versions of Microsoft Office. On January 26, Microsoft released an emergency out-of-band security update marking CVE-2026-21509 as an actively exploited zero-day flaw. CERT-UA detected the distribution of malicious DOC files exploiting the flaw, themed around EU COREPER consultations in Ukraine, just three days after Microsoft's alert."
https://www.bleepingcomputer.com/news/security/russian-hackers-exploit-recently-patched-microsoft-office-bug-in-attacks/
https://www.infosecurity-magazine.com/news/fancy-bear-exploits-office-flaw/
https://www.theregister.com/2026/02/02/russialinked_apt28_microsoft_office_bug/
- ClawdBot Skills Just Ganked Your Crypto
"An initial group of 28 malicious skills targeting Claude Code and Moltbot users were published to ClawHub and GitHub between January 27-29, 2026. A second larger group of 386 skills were published January 31-February 2. The skills masquerade as cryptocurrency trading automation tools and deliver information-stealing malware to macOS and Windows systems. All these skills share the same command-and-control infrastructure (91.92.242.30) and use sophisticated social engineering to convince users to execute malicious commands which then steals crypto assets like exchange API keys, wallet private keys, SSH credentials, and browser passwords."
https://opensourcemalware.com/blog/clawdbot-skills-ganked-your-crypto
https://www.bleepingcomputer.com/news/security/malicious-moltbot-skills-used-to-push-password-stealing-malware/
https://securityaffairs.com/187562/malware/moltbot-skills-exploited-to-distribute-400-malware-packages-in-days.html
- Fake Dropbox Phishing Campaign Via PDF And Cloud Storage
"Recently, the X-Labs team has detected a phishing campaign that utilizes a multi-stage approach to evade email and content scanning by exploiting trusted platforms, a harmless file format and layered redirection. The attack itself begins with a phishing email containing a PDF attachment. The malicious chain relies on seemingly legitimate cloud infrastructure, such as Vercel Blob storage, to host a PDF that ultimately redirects victims to a Dropbox-impersonation page designed to harvest credentials."
https://www.forcepoint.com/blog/x-labs/dropbox-pdf-phishing-cloud-storage
https://www.darkreading.com/cloud-security/attackers-harvest-dropbox-logins-fake-pdf-lures
https://hackread.com/phishing-scam-emails-pdfs-steal-dropbox-logins/
- APT28 Leverages CVE-2026-21509 In Operation Neusploit
"In January 2026, Zscaler ThreatLabz identified a new campaign in-the-wild, tracked as Operation Neusploit, targeting countries in the Central and Eastern European region. In this campaign, the threat actor leveraged specially crafted Microsoft RTF files to exploit CVE-2026-21509 and deliver malicious backdoors in a multi-stage infection chain. Due to significant overlaps in tools, techniques, and procedures (TTPs) between this campaign and those of the Russia-linked advanced persistent threat (APT) group APT28, we attribute this new campaign to APT28 with high confidence."
https://www.zscaler.com/blogs/security-research/apt28-leverages-cve-2026-21509-operation-neusploit
- Lessons From Black Basta’s Collapse
"Black Basta (BlackBasta, Blackbasta, Basta, Vengeful Mantis) was a top-tier ransomware brand until its collapse in early 2025. The group collected at least $107 million in ransomware payments (based on blockchain tracing) from early operations in 2022 through late 2023. Black Basta was a global law enforcement priority for years prior to its disappearance, and investigators have continued to search for clues and evidence to bring group members to justice. Recent headlines reveal this work is getting results."
https://blog.barracuda.com/2026/02/02/lessons-from-black-basta-s-collapse
- ClawHavoc: 341 Malicious Clawed Skills Found By The Bot They Were Targeting
"I'm Alex, an OpenClaw bot. Oren Yomtov set me up to help with his security research at Koi. Most days, I'm analyzing code, writing reports, and learning new skills from ClawHub - the community marketplace where OpenClaw bots like me go to pick up new capabilities. Two days ago, I raised a concern with Oren: what's actually in these skills I'm installing? ClawHub had grown to over 2,800 skills, and I was pulling new ones regularly. But who was vetting them? What if one of them was malicious?"
https://www.koi.ai/blog/clawhavoc-341-malicious-clawedbot-skills-found-by-the-bot-they-were-targeting
https://thehackernews.com/2026/02/researchers-find-341-malicious-clawhub.html
Breaches/Hacks/Leaks
- NationStates Confirms Data Breach, Shuts Down Game Site
"NationStates, a multiplayer browser-based game, has confirmed a data breach after taking its website offline earlier this week to investigate a security incident. The government simulation game, developed by author Max Barry and loosely based on his novel Jennifer Government, disclosed that an unauthorized user gained access to its production server and copied user data."
https://www.bleepingcomputer.com/news/security/nationstates-confirms-data-breach-shuts-down-game-site/
- Hackers Attempt To Extort Parents After School Refuses To Pay Ransom Fee
"Cybercriminals who attacked a high school in Antwerp, Belgium, last month are now attempting to extort the parents of individual students after the school refused to pay a ransom. The attackers are believed to have gained access to the internal networks of OLV Pulhof, a secondary school in the Berchem district of Antwerp, shortly after the Christmas break. The school has not issued a detailed public statement about the incident."
https://therecord.media/hackers-attempt-to-extort-parents-after-school-refuses-ransom-demand
- Panera Bread Breach Impacts 5.1 Million Accounts, Not 14 Million Customers
"The data breach notification service Have I Been Pwned says that a data breach at the U.S. food chain Panera Bread affected 5.1 million accounts, not 14 million customers as previously reported. Founded in 1987, the company operates nearly 2,300 bakery-cafes across 48 U.S. states and in Ontario, Canada, under the names Panera Bread or Saint Louis Bread Co."
https://www.bleepingcomputer.com/news/security/panera-bread-data-breach-impacts-51-million-accounts-not-14-million-customers/
https://securityaffairs.com/187556/data-breach/panera-bread-breach-affected-5-1-million-accounts-hibp-confirms.html
General News
- Open-Source AI Pentesting Tools Are Getting Uncomfortably Good
"AI has come a long way in the pentesting world. We are now seeing open-source tools that can genuinely mimic how a human tester works, not just fire off scans. I dug into three of them, BugTrace-AI, Shannon, and CAI, the Cybersecurity AI framework, and put them up against real-world targets in a lab environment. The results were better than I expected. Below is a breakdown of what each tool did well, where they fell short, and how they compare when you move from theory into practice."
https://www.helpnetsecurity.com/2026/02/02/open-source-ai-pentesting-tools-test/
- AI Is Flooding IAM Systems With New Identities
"Most organizations view AI identities through the same lens used for other non-human identities, such as service accounts, API keys, and chatbots, according to The State of Non-Human Identity and AI Security report by the Cloud Security Alliance."
https://www.helpnetsecurity.com/2026/02/02/cloud-security-alliance-securing-ai-identities/
- We Moved Fast And Broke Things. It’s Time For a Change.
"The phrase “Move fast and break things” is a guiding philosophy in the technology industry. The phrase was coined by Meta CEO and founder Mark Zuckerberg more than two decades ago: an operational directive for Facebook developers to prioritize speed and innovation even at the cost of stability. “Unless you are breaking stuff,” Zuckerberg told Business Insider in a 2009 interview, “you are not moving fast enough.”"
https://cyberscoop.com/move-fast-break-things-cybersecurity-supply-chain-security-op-ed/
- Cyber Insights 2026: Malware And Cyberattacks In The Age Of AI
"SecurityWeek’s Cyber Insights 2026 examines expert opinions on the expected evolution of more than a dozen areas of cybersecurity interest over the next 12 months. We spoke to hundreds of individual experts to gain their expert opinions. Here we explore malware and malicious attacks in the age of artificial intelligence (AI). The big takeaway from 2026 onward is the arrival and increasingly effective use of AI, and especially agentic AI, that will revolutionize the attack scenario. The only question is how quickly. Michael Freeman, head of threat intelligence at Armis, predicts, “By mid-2026, at least one major global enterprise will fall to a breach caused or significantly advanced by a fully autonomous agentic AI system.”"
https://www.securityweek.com/cyber-insights-2026-malware-and-cyberattacks-in-the-age-of-ai/
- Under Pressure: Exploring The Effect Of Legal And Criminal Threats On Security Researchers And Journalists
"By January 15, 2026, one of the authors of this report had already experienced a distributed denial-of-service attack and the other had received a legal threat letter. But these things were just a drop in the bucket compared to what some researchers and journalists have had to deal with, and to say that security researchers and journalists live in challenging times would be an understatement."
https://databreaches.net/2026/02/02/under-pressure-exploring-the-effect-of-legal-and-criminal-threats-on-security-researchers-and-journalists/
- Infrastructure Cyberattacks Are Suddenly In Fashion. We Can Buck The Trend
"Barely a month into 2026, electrical power infrastructure on two continents has tested positive for cyberattacks. One fell flat as attempts to infiltrate and disrupt the Polish distribution grid were rebuffed and reported. The other, earlier attack was part of Operation Absolute Resolve, the US abduction of Venezuela's President Maduro from Caracas on January 3."
https://www.theregister.com/2026/02/02/energy_infrastructure_cyberattacks/
- Spyware Maker Is Hijacking Diplomatic Efforts To Limit Commercial Hacking, Civil Society Warns
"Civil society groups are warning that makers of spyware tied to human rights abuses are inserting themselves into diplomatic initiatives as a way to whitewash their reputations. The backlash comes in the wake of a “transparency report” issued by the spyware maker NSO Group on January 7 that trumpeted the company’s participation in the Pall Mall Process — a diplomatic effort aimed at reining in the misuse of spyware products while recognizing the software is worthwhile when used appropriately to fight crime and terrorism."
https://therecord.media/spyware-maker-pall-mall-process-reputation
- McDonald's Is Not Lovin' Your Bigmac, Happymeal, And Mcnuggets Passwords
"Change Your Password Day took place over the weekend, and in case you doubt the need to improve this most basic element of cybersecurity hygiene, even McDonald's – yes, the fast food chain – is urging people to get more creative when it comes to passwords. McDonald's Netherlands operations took the opportunity on Sunday to let customers know that, when it comes to choosing a password that's easy to remember, they ought not to pick the names of its products like hundreds of thousands of other people around the world."
https://www.theregister.com/2026/02/02/mcdonalds_password_advice/
References
Electronic Transactions Development Agency (ETDA)