NCSA Webboard

    Cyber Threat Intelligence 11 February 2026

    Cyber Security News
    • NCSA_THAICERT

      Industrial Sector

      • Poland Energy Sector Cyber Incident Highlights OT And ICS Security Gaps
        "In December 2025, a malicious cyber actor(s) targeted and compromised operational technology (OT) and industrial control systems (ICS) in Poland’s Energy Sector—specifically renewable energy plants, a combined heat and power plant, and a manufacturing sector company—in a cyber incident. The malicious cyber activity highlights the need for critical infrastructure entities with vulnerable edge devices to act now to strengthen their cybersecurity posture against cyber threat activities targeting OT and ICS."
        https://www.cisa.gov/news-events/alerts/2026/02/10/poland-energy-sector-cyber-incident-highlights-ot-and-ics-security-gaps
        https://cyberscoop.com/cisa-warning-russian-cyberattack-poland-power-grid/
      • OT Attacks Get Scary With 'Living-Off-The-Plant' Techniques
        "Operational technology (OT) cyberattacks in recent years have been relatively tame, thanks to attackers' ignorance of bespoke and legacy systems. But there are early indications that attackers are growing more interested in and accustomed to dealing with industrial machines, and that they might be on the precipice of causing much more serious damage to them. A decade ago, it might have seemed like the world was entering a new, more dangerous era of cyberattacks. Russia hacked Ukraine's power grid. Israel and the United States sabotaged an Iranian nuclear facility. Attackers were targeting dams, and manufacturing plants. This was cyberactivity with real-world, sometimes life-threatening consequences."
        https://www.darkreading.com/ics-ot-security/ot-attacks-living-off-the-plant

      New Tooling

      • Meet Quantickle: I Needed a New Tool To Visually Represent And Connect Disparate Sorts Of Threat Research Data, So I Vibe-Coded One
        "For some time, I have wanted a simple, browser-based network graphing tool that could truly handle the complexities of threat research. This is the reality of threat intelligence: while some data is standardized, the most critical leads are often 'weird and off-the-wall'. These one-to-many relationships are exactly where Excel fails, yet they are where graphs excel. Because existing commercial software is often too rigid to allow for major changes or true customization, I was left with a gap in my toolkit. So, I set out to build the solution myself."
        https://www.rsaconference.com/library/blog/meet-quantickle
        https://github.com/RSAC-Labs/Quantickle
        https://www.securityweek.com/rsac-releases-quantickle-open-source-threat-intelligence-visualization-tool/

      Vulnerabilities

      • SAP Patches Critical CRM, S/4HANA, NetWeaver Vulnerabilities
        "SAP on Tuesday announced the release of 27 new and updated security notes, including two that address critical-severity vulnerabilities. The first critical security note released on SAP’s February 2026 security patch day addresses CVE-2026-0488 (CVSS score of 9.9), a code injection bug in CRM and S/4HANA. Impacting the Scripting Editor component of the applications, the flaw can be exploited by authenticated attackers to execute arbitrary SQL statements."
        https://www.securityweek.com/sap-patches-critical-crm-s-4hana-netweaver-vulnerabilities/
      • Microsoft February 2026 Patch Tuesday Fixes 6 Zero-Days, 58 Flaws
        "Today is Microsoft's February 2026 Patch Tuesday with security updates for 58 flaws, including 6 actively exploited and three publicly disclosed zero-day vulnerabilities. This Patch Tuesday also addresses five 'Critical' vulnerabilities, 3 of which are elevation of privileges flaws and 2 information disclosure flaws."
        https://www.bleepingcomputer.com/news/microsoft/microsoft-february-2026-patch-tuesday-fixes-6-zero-days-58-flaws/
        https://www.darkreading.com/vulnerabilities-threats/microsoft-fixes-6-actively-exploited-zero-days
        https://blog.talosintelligence.com/microsoft-patch-tuesday-february-2026/
        https://cyberscoop.com/microsoft-patch-tuesday-february-2026/
        https://securityaffairs.com/187848/uncategorized/microsoft-patch-tuesday-security-updates-for-february-2026-fix-six-actively-exploited-zero-days.html
        https://www.securityweek.com/6-actively-exploited-zero-days-patched-by-microsoft-with-february-2026-updates/
        https://www.theregister.com/2026/02/10/microsofts_valentines_gift_to_admins/
      • Patch Tuesday: Adobe Fixes 44 Vulnerabilities In Creative Apps
        "Adobe’s February 2026 Patch Tuesday updates address a total of 44 vulnerabilities discovered by external security researchers in the company’s products. The software giant has published nine new advisories announcing patches for Audition, After Effects, InDesign Desktop, Substance 3D Designer, Substance 3D Stager, Substance 3D Modeler, Bridge, Lightroom Classic, and the DNG SDK. The company has assigned a critical severity rating to over two dozen vulnerabilities that can be exploited for arbitrary code execution, but they are all rated high based on their CVSS scores."
        https://www.securityweek.com/patch-tuesday-adobe-fixes-44-vulnerabilities-in-creative-apps/
      • Security Advisory EPM February 2026 For EPM 2024
        "Ivanti has released updates for Ivanti Endpoint Manager which addresses one high severity vulnerability and one medium severity vulnerability. Successful exploitation could allow a remote authenticated attacker to leak arbitrary data or compromise user sessions. Additionally, 11 medium severity vulnerabilities previously disclosed in October 2025 have been resolved with this update. We are not aware of any customers being exploited by these vulnerabilities at the time of disclosure."
        https://hub.ivanti.com/s/article/Security-Advisory-EPM-February-2026-for-EPM-2024?language=en_US

      Malware

      • Old-School IRC, New Victims: Inside The Newly Discovered SSHStalker Linux Botnet
        "Flare’s research team has uncovered a previously undocumented Linux botnet operation we’re calling SSHStalker. To the best of our knowledge, no other research team has reported on this threat actor. Our SSH honeypot captured multiple attacks over two months, revealing a sophisticated operation that blends 2009-era Internet Relay Chat (IRC) botnet tactics with modern mass-compromise automation."
        https://flare.io/learn/resources/blog/old-school-irc-new-victims-inside-the-newly-discovered-sshstalker-linux-botnet
        https://www.bleepingcomputer.com/news/security/new-linux-botnet-sshstalker-uses-old-school-irc-for-c2-comms/
        https://www.securityweek.com/new-sshstalker-linux-botnet-uses-old-techniques/
      • Breaking Down ZeroDayRAT - New Spyware Targeting Android And iOS
        "We recently identified a new mobile spyware platform called ZeroDayRAT being sold openly via Telegram (with activity first observed February 2nd). The developer runs dedicated channels for sales, customer support, and regular updates, giving buyers a single point of access to a fully operational spyware panel. From that panel, an operator gains full remote control over a user’s Android or iOS device, with support spanning Android 5 through 16 and iOS up to 26, including the iPhone 17 Pro. No technical expertise is required. The platform goes beyond typical data collection into real-time surveillance and direct financial theft."
        https://iverify.io/blog/breaking-down-zerodayrat---new-spyware-targeting-android-and-ios
        https://www.bleepingcomputer.com/news/security/zerodayrat-malware-grants-full-access-to-android-ios-devices/
        https://www.darkreading.com/threat-intelligence/zerodayrat-brings-commercial-spyware-to-mass-market
        https://www.infosecurity-magazine.com/news/zerodayrat-mobile-spyware-android/
        https://www.securityweek.com/new-zerodayrat-spyware-kit-enables-total-compromise-of-ios-android-devices/
        https://securityaffairs.com/187820/malware/zerodayrat-spyware-grants-attackers-total-access-to-mobile-devices.html
      • Beyond The Battlefield: Threats To The Defense Industrial Base
        "In modern warfare, the front lines are no longer confined to the battlefield; they extend directly into the servers and supply chains of the industry that safeguards the nation. Today, the defense sector faces a relentless barrage of cyber operations conducted by state-sponsored actors and criminal groups alike. In recent years, Google Threat Intelligence Group (GTIG) has observed several distinct areas of focus in adversarial targeting of the defense industrial base (DIB)."
        https://cloud.google.com/blog/topics/threat-intelligence/threats-to-defense-industrial-base
        https://www.bankinfosecurity.com/google-warns-relentless-cyber-siege-on-defense-industry-a-30729
      • Deep Dive Into New XWorm Campaign Utilizing Multiple-Themed Phishing Emails
        "FortiGuard Labs recently captured a phishing campaign in the wild delivering a new variant of XWorm. XWorm is a multi-functional Remote Access Trojan (RAT) first identified in 2022 that remains actively distributed, including through Telegram-based marketplaces. Once deployed, it provides attackers with full remote control of compromised Windows systems. This campaign relies on multiple phishing emails that use social engineering to persuade recipients to open a malicious attachment. The following analysis details these phishing lures and shows how the attached Excel file exploits CVE-2018-0802 to download and execute an HTA file on the victim’s device."
        https://www.fortinet.com/blog/threat-research/deep-dive-into-new-xworm-campaign-utilizing-multiple-themed-phishing-emails
      • Threat Actors Exploit Social Causes To Manipulate User Behavior
        "Mimecast Threat Research Team has identified threat actors weaponizing social causes, specifically Pride Month and diversity initiatives, to manipulate organizations into hasty actions. These campaigns deliberately misuse legitimate organizational values to generate the urgency attackers need for successful credential theft. This tactic is particularly effective because it exploits genuine organizational commitment to diversity and inclusion. Whether recipients support or oppose the initiative, attackers count on either reaction driving engagement with malicious links without sufficient scrutiny."
        https://www.mimecast.com/threat-intelligence-hub/exploiting-diversity-values/
        https://hackread.com/pride-month-phishing-employees-trusted-email-services/
      • Espionage Without Noise: Understanding APT36’s Enduring Campaigns
        "Critical infrastructure all over the world is under threat from highly organized, state-sponsored “espionage ecosystems”. These loosely knit but well-resourced organizations are deploying a variety of tools aimed both at disrupting essential services and gathering intelligence. Some work by launching dedicated denial of service (DDoS) attacks against transport and communications hubs as well as commercial supply chains. Others are seeking geopolitical, military or economic advantage, adept at mining for sensitive information and skilled at bypassing traditional security measures. Everything is a target and nowhere is safe."
        https://www.aryaka.com/blog/espionage-without-noise-apt36-enduring-campaigns/
        https://www.securityweek.com/rats-in-the-machine-inside-a-pakistan-linked-three-pronged-cyber-assault-on-india/
      • DPRK Operatives Impersonate Professionals On LinkedIn To Infiltrate Companies
        "The information technology (IT) workers associated with the Democratic People's Republic of Korea (DPRK) are now applying to remote positions using real LinkedIn accounts of individuals they're impersonating, marking a new escalation of the fraudulent scheme. 'These profiles often have verified workplace emails and identity badges, which DPRK operatives hope will make their fraudulent applications appear legitimate,' Security Alliance (SEAL) said in a series of posts on X."
        https://thehackernews.com/2026/02/dprk-operatives-impersonate.html
      • Data Exfil From Agents In Messaging Apps
        "Communicating with AI agents (like OpenClaw) via messaging apps (like Slack and Telegram) has become much more popular. But it can expose users to a largely unrecognized LLM-specific data exfiltration risk, because these apps support ‘link previews’ as a feature. With previews enabled, user data can be exfiltrated automatically after receiving a malicious link in an LLM-generated message -- whereas without previews, the user would typically have to click the malicious link to exfiltrate data. For example, OpenClaw via Telegram is exposed by default. Test any agent / communication app pairing below!"
        https://www.promptarmor.com/resources/llm-data-exfiltration-via-url-previews-(with-openclaw-example-and-test)
        https://www.theregister.com/2026/02/10/ai_agents_messaging_apps_data_leak/
      • A Peek Into Muddled Libra’s Operational Playbook
        "During a September 2025 incident response investigation, Unit 42 discovered a rogue virtual machine (VM) which we believe with high confidence to be used by the cybercrime group Muddled Libra (aka Scattered Spider, UNC3944). The contents of this rogue VM and activity from the attack provide valuable insight into the operational playbook of this threat actor. Muddled Libra created the VM after the group successfully gained unauthorized access to the target's VMware vSphere environment."
        https://unit42.paloaltonetworks.com/muddled-libra-ops-playbook/
      • New Threat Actor, UAT-9921, Leverages VoidLink Framework In Campaigns
        "VoidLink is a new modular framework that targets Linux based systems. Modular frameworks are prevalent on the landscape today with the likes of Cobalt Strike, Manjusaka, Alchimist, and SuperShell among the many operating today. This framework is yet another implant management framework denoting a consistent and concerning evolution with shorter development cycles. Cisco Talos is tracking the threat actor first seen to be using the VoidLink framework as UAT-9921. This threat actor seems to have been active since 2019, although they have not necessarily used VoidLink over the duration of their activity. UAT-9921 uses compromised hosts to install VoidLink command and control (C2) which are then used to launch scanning activities both internal and external to the network."
        https://blog.talosintelligence.com/voidlink/

      Breaches/Hacks/Leaks

      • Volvo Group North America Customer Data Exposed In Conduent Hack
        "Volvo Group North America disclosed that it suffered an indirect data breach stemming from the compromise of IT systems at American business services giant Conduent, of which Volvo is a customer. Volvo Group North America is the Swedish multinational's operating arm in the United States, Canada, and Mexico. It focuses on manufacturing commercial vehicles and heavy equipment, including trucks, buses, construction equipment, engines, and industrial power systems. Mack Trucks, a very popular brand in the U.S., is one of its subsidiaries. Volvo Group is not the same as Volvo Cars, and does not manufacture passenger cars."
        https://www.bleepingcomputer.com/news/security/volvo-group-north-america-customer-data-exposed-in-conduent-hack/
        https://www.theregister.com/2026/02/10/conduent_volvo_breach/
      • Billing Services Firm Notifying Medical Lab Patients Of Hack
        "A revenue cycle management software firm is notifying patients of several related medical diagnostic laboratories that hackers stole their sensitive information, including diagnoses and medical treatments, in a November hack. Ransomware gang Everest Group claimed to be behind the incident, publishing stolen data on its leak website. Catalyst RCM, which is headquartered in Texas, is sending breach notification letters to an undisclosed number of patients of at least three of its diagnostic laboratory clients."
        https://www.bankinfosecurity.com/billing-services-firm-notifying-medical-lab-patients-hack-a-30727

      General News

      • Man Sentenced To 20 Years In Prison For Role In $73 Million Global Cryptocurrency Investment Scam
        "A dual national of China and St. Kitts and Nevis was sentenced in absentia today in the Central District of California to the statutory maximum of 20 years in prison and three years of supervised release for his role in an international cryptocurrency investment conspiracy carried out from scam centers in the Kingdom of Cambodia. The defendant, Daren Li, 42, is a fugitive after cutting off his ankle electronic monitoring device and absconding in December 2025."
        https://www.justice.gov/opa/pr/man-sentenced-20-years-prison-role-73-million-global-cryptocurrency-investment-scam
        https://www.bleepingcomputer.com/news/security/fugitive-behind-73m-pig-butchering-scheme-gets-20-years-in-prison/
        https://therecord.media/chinese-crypto-scammer-sentenced-after-fleeing-us
      • Global Cyber Attacks Rise In January 2026 Amid Increasing Ransomware Activity And Expanding GenAI Risks
        "In January 2026, the global volume of cyber attacks continued its steady escalation. Organizations worldwide experienced an average of 2,090 cyber-attacks per organization per week, marking a 3% increase from December and a 17% rise compared to January 2025. This growth reflects a landscape increasingly shaped by the expansion of ransomware activity and mounting data-exposure risks driven by widespread GenAI adoption. Check Point Research data shows that January’s upward trajectory underscores a persistent and evolving cyber threat environment — one defined by fast-moving ransomware operations and intensifying GenAI-related risks."
        https://blog.checkpoint.com/research/global-cyber-attacks-rise-in-january-2026-amid-increasing-ransomware-activity-and-expanding-genai-risks/
      • What Organizations Need To Change When Managing Printers
        "QUESTION: Managed printers are still unprotected. What needs to change at the leadership level to effectively secure printers? Jim LaRoe, CEO of Symphion: Managed is not the same as protected. When most enterprises 'manage' their printers, they focus on uptime and the cost of toner, paper, and repairs. That's not security. Not protection. Printers often make up 20% to 30% of an organization's endpoints. They receive, transmit, process, and store the most sensitive data and are the softest path to compromise — because no one owns their protection. Here's the uncomfortable truth: The leadership challenge precedes the technical challenge."
        https://www.darkreading.com/cybersecurity-operations/what-organizations-need-to-change-when-managing-printers
      • What Happens When Cybersecurity Knowledge Walks Out The Door
        "In this Help Net Security interview, Andrew Northern, Principal Security Researcher at Censys, explains why mentorship matters and what organizations risk losing when senior staff disengage. He argues that institutional memory and judgment under pressure are difficult to rebuild once they disappear. Northern also pushes back on the idea that mentoring makes someone replaceable, saying it can strengthen both the mentor and the team. He discusses how mentorship can tie directly to measurable security outcomes, including faster incident response. He also outlines where organizations are lowering technical expectations through tool-first training and over-reliance on automation. Finally, he explains which foundational skills early-career defenders still need, even as security environments become more automated."
        https://www.helpnetsecurity.com/2026/02/10/andrew-northern-censys-cybersecurity-mentorship/
      • NCSC Issues Warning Over “Severe” Cyber-Attacks Targeting Critical National Infrastructure
        "The National Cyber Security Centre (NCSC) has issued an alert to critical national infrastructure (CNI) providers, urging them to act now to protect against “severe” cyber threats. The alert comes following coordinated cyber-attacks which targeted Poland’s energy infrastructure with malware in December. Jonathan Ellison, director for national resilience at the NCSC, has urged CNI operators that they must act now to ensure they can respond to any similar campaigns targeting UK critical infrastructure. “Cyber-attacks disrupting everyday essential services may sound far-fetched, but we know it’s not,” he wrote in a LinkedIn post."
        https://www.infosecurity-magazine.com/news/ncsc-warning-severe-cyberattacks/
      • From Ransomware To Residency: Inside The Rise Of The Digital Parasite
        "Are ransomware and encryption still the defining signals of modern cyberattacks, or has the industry been too fixated on noise while missing a more dangerous shift happening quietly all around them? According to Picus Labs’ new Red Report 2026, which analyzed over 1.1 million malicious files and mapped 15.5 million adversarial actions observed across 2025, attackers are no longer optimizing for disruption. Instead, their goal is now long-term, invisible access."
        https://thehackernews.com/2026/02/from-ransomware-to-residency-inside.html
        https://www.infosecurity-magazine.com/news/digital-parasite-attackers-stealth/

      References
      Electronic Transactions Development Agency (ETDA)
