NCSA Webboard

    Cyber Threat Intelligence 19 February 2026

    Cyber Security News
    • NCSA_THAICERT

      Industrial Sector

      • Honeywell CCTV Products
        "Successful exploitation of this vulnerability could lead to account takeovers and unauthorized access to camera feeds; an unauthenticated attacker may change the recovery email address, potentially leading to further network compromise."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-048-04
        https://www.bleepingcomputer.com/news/security/critical-infra-honeywell-cctvs-vulnerable-to-auth-bypass-flaw/
      • GE Vernova Enervista UR Setup
        "Successful exploitation of these vulnerabilities may allow code execution with elevated privileges."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-048-03
      • Delta Electronics ASDA-Soft
        "Successful exploitation of this vulnerability may allow an attacker to write arbitrary data beyond the bounds of a stack-allocated buffer, leading to the corruption of a structured exception handler (SEH)."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-048-02
      • Siemens Simcenter Femap And Nastran
        "Siemens Simcenter Femap and Nastran is affected by multiple file parsing vulnerabilities that could be triggered when the application reads files in NDB and XDB formats. If a user is tricked to open a malicious file with any of the affected products, this could lead the application to crash or potentially lead to arbitrary code execution. Siemens has released new versions for the affected products and recommends updating to the latest versions."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-048-01

      New Tooling

      • SecureClaw: Dual Stack Open-Source Security Plugin And Skill For OpenClaw
        "AI agent frameworks are being used to automate work that involves tools, files, and external services. That type of automation creates security questions around what an agent can access, what it can change, and how teams can detect risky behavior. SecureClaw is an open-source project that adds security auditing and rule-based controls to OpenClaw agent environments. The tool is published by Adversa AI and is designed to work with OpenClaw and related agents such as Moltbot and Clawdbot."
        https://www.helpnetsecurity.com/2026/02/18/secureclaw-open-source-security-plugin-skill-openclaw/
        https://github.com/adversa-ai/secureclaw

      Vulnerabilities

      • From PDF To Pwn: Scalable 0day Discovery In PDF Engines And Services Using Multi-Agent LLMs
        "When preparing to emerge from stealth, we sought to demonstrate the efficacy of our research workflow by targeting Apryse WebViewer (formerly PDFTron) and Foxit PDF cloud services. These platforms are widely deployed, feature-rich, and combine client-side UI logic with complex server-side SDKs, making them an ideal proving ground for vulnerability research. Our strategy involved a human-agent symbiosis: our researchers manually identified foundational vulnerability patterns, which were then taught to the Novee agent. Once the agent internalized the “scent” of these bugs, it autonomously explored the massive attack surface of both vendors. The result was the discovery of 13 distinct vulnerability categories, ranging from critical XSS to OS Command Injection."
        https://novee.security/blog/from-pdf-to-pwn-scalable-0day-discovery-in-pdf-engines-and-services-using-multi-agent-llms-2/
        https://www.securityweek.com/vulnerabilities-in-popular-pdf-platforms-allowed-account-takeover-data-exfiltration/
      • CVE-2026-2329: Critical Unauthenticated Stack Buffer Overflow In Grandstream GXP1600 VoIP Phones (FIXED)
        "Rapid7 Labs conducted a zero-day research project against the Grandstream GXP1600 series of Voice over Internet Protocol (VoIP) phones. This research resulted in the discovery of a critical unauthenticated stack-based buffer overflow vulnerability, CVE-2026-2329. A remote attacker can leverage CVE-2026-2329 to achieve unauthenticated remote code execution (RCE) with root privileges on a target device. A vendor supplied firmware update, version 1.0.7.81, is available to fully remediate CVE-2026-2329. The vulnerability is present in the device's web-based API service, and is accessible in a default configuration. As all models in the GXP1600 series share a common firmware image, the vulnerability affects all six models in the series: GXP1610, GXP1615, GXP1620, GXP1625, GXP1628, and GXP1630. CVE-2026-2329 has a CVSSv4 score of 9.3 (Critical), and a Common Weakness Enumeration (CWE) of CWE-121: Stack-based Buffer Overflow."
        https://www.rapid7.com/blog/post/ve-cve-2026-2329-critical-unauthenticated-stack-buffer-overflow-in-grandstream-gxp1600-voip-phones-fixed/
        https://www.darkreading.com/threat-intelligence/grandstream-bug-voip-security-blind-spot
        https://thehackernews.com/2026/02/grandstream-gxp1600-voip-phones-exposed.html
      • Four Vulnerabilities Expose a Massive Security Blind Spot In IDE Extensions
        "IDEs are the weakest link in an organization’s supply chain security, and extensions are often a blind spot for security teams. Developers store their most sensitive information – business logic, API keys, database configurations, environment variables, and sometimes even customer data – on their local file systems, all accessible through the IDE. The OX Security Research team found vulnerabilities in four popular VS Code extensions (later confirmed on Cursor and Windsurf). Three were assigned CVEs – CVE-2025-65715, CVE-2025-65716, and CVE-2025-65717 – totaling over 120 million downloads and posing a significant threat to developers worldwide."
        https://www.ox.security/blog/four-vulnerabilities-expose-a-massive-security-blind-spot-in-ide-extensions/
        https://thehackernews.com/2026/02/critical-flaws-found-in-four-vs-code.html
        https://securityaffairs.com/188185/security/vs-code-extensions-with-125m-installs-expose-users-to-cyberattacks.html
      • Notepad++ Fixes Hijacked Update Mechanism Used To Deliver Targeted Malware
        "Notepad++ has released a security fix to plug gaps that were exploited by an advanced threat actor from China to hijack the software update mechanism to selectively deliver malware to targets of interest. The version 8.9.2 update incorporates what maintainer Don Ho calls a "double lock" design that aims to make the update process "robust and effectively unexploitable." This includes verification of the signed installer downloaded from GitHub (implemented in version 8.8.9 and later), as well as the newly added verification of the signed XML returned by the update server at notepad-plus-plus[.]org."
        https://thehackernews.com/2026/02/notepad-fixes-hijacked-update-mechanism.html
        https://www.bleepingcomputer.com/news/security/notepad-plus-plus-boosts-update-security-with-double-lock-mechanism/
        https://securityaffairs.com/188192/hacking/notepad-patches-flaw-used-to-hijack-update-system.html
        https://www.theregister.com/2026/02/18/notepadplusplus_security_update/
        https://www.helpnetsecurity.com/2026/02/18/notepad-secure-update-download/
      • CISA Adds Two Known Exploited Vulnerabilities To Catalog
        "CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
        CVE-2021-22175 GitLab Server-Side Request Forgery (SSRF) Vulnerability
        CVE-2026-22769 Dell RecoverPoint for Virtual Machines (RP4VMs) Use of Hard-coded Credentials Vulnerability"
        https://www.cisa.gov/news-events/alerts/2026/02/18/cisa-adds-two-known-exploited-vulnerabilities-catalog
        https://therecord.media/fed-agencies-ordered-to-patch-dell-bug-after-exploitation-warning
      • Firebase Misconfiguration Exposes 300M Messages From Chat & Ask AI Users
        "A massive security failure has put the private conversations of millions at risk after an unprotected database was left accessible online. Discovered by an independent researcher, the leak exposed roughly 300 million messages from more than 25 million users of Chat & Ask AI, a popular app with over 50 million downloads across the Google Play and Apple App Stores. The app is owned by Codeway, a Turkish technology firm founded in Istanbul in 2020, and acts as a ‘wrapper’, allowing a single gateway for users to interact with famous AI models like OpenAI’s ChatGPT, Google’s Gemini, and Anthropic’s Claude. Because it serves as a gateway to multiple systems, a single technical slip-up can have a massive impact on the privacy of its global user base."
        https://hackread.com/firebase-misconfiguration-chat-ask-ai-users-expose/
      • Microsoft Says Bug Causes Copilot To Summarize Confidential Emails
        "Microsoft says a Microsoft 365 Copilot bug has been causing the AI assistant to summarize confidential emails since late January, bypassing data loss prevention (DLP) policies that organizations rely on to protect sensitive information. According to a service alert seen by BleepingComputer, this bug (tracked under CW1226324 and first detected on January 21) affects the Copilot "work tab" chat feature, which incorrectly reads and summarizes emails stored in users' Sent Items and Drafts folders, including messages that carry confidentiality labels explicitly designed to restrict access by automated tools."
        https://www.bleepingcomputer.com/news/microsoft/microsoft-says-bug-causes-copilot-to-summarize-confidential-emails/

      Malware

      • Telegram Channels Expose Rapid Weaponization Of SmarterMail Flaws
        "Flare researchers monitoring underground Telegram channels and cybercrime forums have observed threat actors rapidly sharing proof-of-concept exploits, offensive tools, and stolen administrator credentials related to recently disclosed SmarterMail vulnerabilities, providing insight into how quickly attackers weaponize new security flaws. The activity occurred within days of the vulnerabilities being disclosed, with threat actors sharing and selling exploit code and compromised access tied to CVE-2026-24423 and CVE-2026-23760, critical flaws that enable remote code execution and authentication bypass on exposed email servers."
        https://www.bleepingcomputer.com/news/security/telegram-channels-expose-rapid-weaponization-of-smartermail-flaws/
      • Scammers Use Fake “Gemini” AI Chatbot To Sell Fake “Google Coin”
        "Scammers have found a new use for AI: creating custom chatbots posing as real AI assistants to pressure victims into buying worthless cryptocurrencies. We recently came across a live “Google Coin” presale site featuring a chatbot that claimed to be Google’s Gemini AI assistant. The bot guided visitors through a polished sales pitch, answered their questions about investment, projecting returns, and ultimately ended with victims sending an irreversible crypto payment to the scammers."
        https://www.malwarebytes.com/blog/ai/2026/02/scammers-use-fake-gemini-ai-chatbot-to-sell-fake-google-coin
        https://www.darkreading.com/endpoint-security/scam-abuses-gemini-chatbots-convince-people-buy-fake-crypto
      • Technical Deep Dive: The Monero Mining Campaign
        "In the contemporary threat landscape, while ransomware grabs headlines with high-impact disruptions, cryptojacking operations have quietly evolved into sophisticated, persistent threats. This report details a comprehensive forensic analysis of a recently identified cryptocurrency mining campaign. This operation distinguishes itself not merely by its payload but by its high level of technical integration and redundant persistence mechanisms."
        https://www.trellix.com/blogs/research/technical-deep-dive-the-monero-mining-campaign/
        https://www.infosecurity-magazine.com/news/cryptojacking-driver-boost-monero/
      • Job Scam Uses Fake Google Forms Site To Harvest Google Logins
        "As part of our investigation into a job-themed phishing campaign, we came across several suspicious URLs that all looked like this: https://forms.google.ss-o[.]com/forms/d/e/{unique_id}/viewform?form=opportunitysec&promo= The subdomain forms.google.ss-o[.]com is a clear attempt to impersonate the legitimate forms.google.com. The “ss-o” is likely introduced to look like “single sign-on,” an authentication method that allows users to securely log in to multiple, independent applications or websites using one single set of credentials (username and password)."
        https://www.malwarebytes.com/blog/scams/2026/02/job-scam-uses-fake-google-forms-site-to-harvest-google-logins
      • Journalism Under Attack: Predator Spyware In Angola
        "A new investigation by Amnesty International’s Security Lab has discovered evidence that the Predator spyware was used in 2024 to target Teixeira Cândido – an Angolan journalist, jurist, press freedom activist, and former Secretary-General of the Syndicate of Angolan Journalists (Sindicato dos Journalists Angolanos). This is the first forensically confirmed case of the Predator spyware being used to target civil society in Angola."
        https://securitylab.amnesty.org/latest/2026/02/journalism-under-attack-predator-spyware-in-angola/
        https://therecord.media/predator-spyware-used-to-infect-phone-angola-journalist
      • The Booking.com Phishing Campaign Targeting Hotels And Customers
        "Since the start of January, we have observed a resurgence in malicious activity targeting the hotel and retail sector. The primary motivation driving this incident is financial fraud, targeting two victims: hotel businesses and hotel customers, in sequential order. The threat actor(s) utilise impersonation of the Booking.com platform through two distinct phishing kits dedicated to harvesting credentials and banking information from each victim respectively."
        https://www.bridewell.com/insights/blogs/detail/the-booking.com-phishing-campaign-targeting-hotels-and-customers

      Breaches/Hacks/Leaks

      • French Ministry Confirms Data Access To 1.2 Million Bank Accounts
        "A hacker gained access to data from 1.2 million French bank accounts using stolen credentials belonging to a government official, according to the French Economy Ministry. French authorities said affected account holders will be notified in the coming days. “The French Economy Ministry said on Wednesday, February 18, that a hacker gained access to a national bank account database and consulted information on 1.2 million accounts.” reports French daily newspaper LeMonde. “Since the end of January, the hacker used the stolen credentials of an official to access and consult “parts of the file of all of the accounts open in French banks and which contains personal data such as bank account numbers, name of the account holder, address and in certain cases the account owner’s tax number,” the ministry said in a statement.”"
        https://securityaffairs.com/188200/hacking/french-ministry-confirms-data-access-to-1-2-million-bank-accounts.html
      • Adidas Investigates Third-Party Data Breach After Criminals Claim They Pwned The Sportswear Giant
        "Adidas has confirmed it is investigating a third-party breach at one of its partner companies after digital thieves claimed they stole information and technical data from the German sportswear giant. "We have been made aware of a potential data protection incident at one of our independent licensing partners and distributor for martial arts products," an Adidas spokesperson told The Register. "This is an independent company with its own IT systems.""
        https://www.theregister.com/2026/02/18/adidas_investigates_thirdparty_data_breach/
      • ShinyHunters Allegedly Drove Off With 1.7M CarGurus Records
        "CarGurus allegedly suffered a data breach with 1.7 million corporate records stolen, according to a notorious cybercrime crew that posted the online vehicle marketplace on its leak site on Wednesday. "This is a final warning to reach out by 20 Feb 2026 before we leak along with several annoying (digital) problems that'll come your way," ShinyHunters wrote in its announcement, seen by The Register and shared on social media. The digital crooks claimed the compromised files included personally identifiable information and "other internal corporate data.""
        https://www.theregister.com/2026/02/18/shinyhunters_cargurus_breach/

      General News

      • The UK’s Cyber Threat Has Changed. Most Organizations Haven’t.
        "For years, ransomware shaped how UK organizations thought about cyber risk. In 2025, that assumption quietly broke. The UK became the most targeted country in Europe, accounting for 16% of all recorded attacks across the region. But volume alone doesn’t explain what changed. The real shift was intent. Attackers didn’t just increase activity; they changed tactics. Disruption overtook monetization. Organizations that spent years preparing for one dominant threat model found themselves exposed to another."
        https://blog.checkpoint.com/research/the-uks-cyber-threat-has-changed-most-organizations-havent/
      • The Defense Industrial Base Is a Prime Target For Cyber Disruption
        "Cyber threats against the defense industrial base (DIB) are intensifying, with adversaries shifting from traditional espionage toward operations designed to disrupt production capacity and compromise supply chains. In this Help Net Security interview, Luke McNamara, Deputy Chief Analyst, Google Threat Intelligence Group, explains how attackers target the broader defense ecosystem and why identity has become the new security boundary."
        https://www.helpnetsecurity.com/2026/02/18/luke-mcnamara-google-dib-defense-industrial-base-cybersecurity/
      • Everyone Uses Open Source, But Patching Still Moves Too Slowly
        "Enterprise security teams rely on open source across infrastructure, development pipelines, and production applications, even when they do not track it as a separate category of technology. Open source has become a default building block in many environments, and the operational risks now look like standard enterprise security problems: patch delays, version sprawl, and aging platforms that stay online longer than planned. TuxCare’s 2026 Open Source Landscape Report describes an open source footprint that continues to expand through developer-led adoption, with security incidents still closely tied to unpatched vulnerabilities."
        https://www.helpnetsecurity.com/2026/02/18/open-source-adoption-patching-challenges/
      • 'Promptware' Attacks Await An Unprepared AI Industry
        "The large language model industry has mostly treated prompt injection attacks as a risk analogous to traditional web server prompt injection attacks. Researchers now say the industry has been solving the wrong problem. Prompt injection, or feeding rogue instructions to an artificial intelligence system, merits its own classification as "promptware" - malware that uses a large language model as its own execution engine, say researchers in a paper co-authored by researchers at Tel Aviv University, Ben-Gurion University of the Negev and Harvard University."
        https://www.bankinfosecurity.com/promptware-attacks-await-unprepared-ai-industry-a-30785
        https://arxiv.org/pdf/2601.09625v2
      • Hackers Increasingly Prefer Fast And Low-Complexity Attacks
        "There's no need to invest into sophisticated hacking operations when moving fast and exploiting well-trod techniques gives threat actors all the access they want. Across a range of different types of attacks, "threat actors are increasingly prioritizing accessible and low-complexity entry points, rather than investing in sophisticated exploits," says a new report from cybersecurity firm Arctic Wolf. Unsurprisingly, phishing is a regular standby. The vast majority of business email compromise attacks started with an infection from a phishing email, a figure that probably will only climb upward as artificial intelligence makes "fraudulent messages more convincing and scalable.""
        https://www.bankinfosecurity.com/hackers-increasingly-prefer-fast-low-complexity-attacks-a-30787
        https://arcticwolf.com/resource/aw/arctic-wolf-threat-report-2026
      • “Good Enough” Emulation: Fuzzing a Single Thread To Uncover Vulnerabilities
        "This blog describes efforts at emulating functionality of the Socomec DIRIS M-70 gateway to discover vulnerabilities. In vulnerability research, knowing which tool to use for the job at hand is crucial. This post will highlight multiple emulation tools and approaches used, detail the benefits and drawbacks of each, and reveal how a "good enough" approach can really pay off."
        https://blog.talosintelligence.com/good-enough-emulation/
      • A CISO's Playbook For Defending Data Assets Against AI Scraping
        "Areejit Banerjee, Senior Manager of Data Protection Strategy & Product Trust; Researcher in AI Governance, Purdue University: Organizations with commercially valuable data face a near-certainty that AI-driven scrapers are already trying to harvest it at scale, turning public endpoints into high-throughput extraction pipelines. Many security teams still treat scraping as a nuisance bot problem to be handled by a vendor, a few WAF rules, and wishful thinking. That framing breaks down as soon as the scraped data underpins revenue or competitive advantage. When attackers can lift the very datasets that fund your business, scraping is no longer a low-priority ticket; it is a board-level risk."
        https://www.darkreading.com/cyber-risk/ciso-playbook-defending-data-assets-against-ai-scraping
      • The Era Of The Digital Parasite: Why Stealth Has Replaced Ransomware
        "For years, ransomware encryption functioned as the industry’s alarm bell. When systems locked up, defenders knew an attack had occurred. Not anymore. New empirical data show that attackers are actively dismantling that signal. According to Picus Security’s Red Report 2026, adversaries are no longer optimizing for disruption; they’re optimizing for residency. Based on a thorough analysis of more than 1.1 million malicious files and 15.5 million adversarial actions from 2025, this year’s report documents a decisive shift in attacker behavior: a noticeable impact has become a liability. Stealthy long-term presence is now the objective."
        https://www.helpnetsecurity.com/2026/02/18/picus-security-red-report-identity-driven-cyberattacks/
      • Record Number Of Ransomware Victims And Groups In 2025
        "Security researchers observed a 30% annual increase in ransomware victims listed on extortion sites last year, with AI helping to lower the barrier to entry for new threat groups. Searchlight Cyber's new report, Ransomware’s Record Year: Tracking a Volatile Landscape in H2 2025, tracked 7458 victims on dark web leak sites in 2025. These numbers were split virtually 50:50 between the first and second half of the year. To put the annual growth figure in perspective, victim numbers increased by just 13% between 2023 and 2024. At the same time, the number of ransomware groups hit a new high of 124, with 73 new groups identified in 2025."
        https://www.infosecurity-magazine.com/news/record-number-ransomware-victims/
        https://slcyber.io/whitepapers-reports/the-ransomware-landscape-in-h2-2025/
      • Your AI-Generated Password Isn't Random, It Just Looks That Way
        "Generative AI tools are surprisingly poor at suggesting strong passwords, experts say. AI security company Irregular looked at Claude, ChatGPT, and Gemini, and found all three GenAI tools put forward seemingly strong passwords that were, in fact, easily guessable. Prompting each of them to generate 16-character passwords featuring special characters, numbers, and letters in different cases, produced what appeared to be complex passphrases. When submitted to various online password strength checkers, they returned strong results. Some said they would take centuries for standard PCs to crack."
        https://www.theregister.com/2026/02/18/generating_passwords_with_llms/

      Reference
      Electronic Transactions Development Agency (ETDA)
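The Notepad++ "double lock" item above describes two independent checks on an update: the signed XML returned by the update server is verified, and the installer fetched from GitHub is verified as well. The Go program below is an added illustration of that pattern and is not Notepad++'s own code. It pins an Ed25519 public key in the client (a constructed key pair generated at run time), verifies the manifest signature first, and then checks the downloaded bytes against the digest carried in the now-trusted manifest; Notepad++ verifies a signed installer for its second step, and the digest check here stands in for that. The manifest layout, the version string, the URLs and the installer bytes are all constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/xml"
	"errors"
	"fmt"
)

// Manifest is the update metadata an update server returns (a constructed layout for
// this example, not Notepad++'s real XML). The signature covers every element except
// the signature itself.
type Manifest struct {
	XMLName   xml.Name `xml:"update"`
	Version   string   `xml:"version"`
	URL       string   `xml:"url"`
	SHA256    string   `xml:"sha256"`
	Signature string   `xml:"signature,omitempty"`
}

// signedBody returns the canonical bytes the signature is computed over.
func signedBody(m Manifest) ([]byte, error) {
	m.Signature = ""
	return xml.Marshal(m)
}

// SignManifest is the vendor's release step, run offline with the private key.
func SignManifest(priv ed25519.PrivateKey, m Manifest) ([]byte, error) {
	body, err := signedBody(m)
	if err != nil {
		return nil, err
	}
	m.Signature = hex.EncodeToString(ed25519.Sign(priv, body))
	return xml.Marshal(m)
}

// VerifyUpdate is the client-side "double lock". Lock 1: the manifest signature must
// verify under the key pinned in the client, so a compromised update server cannot
// redirect clients elsewhere. Lock 2: the installer bytes must hash to the digest the
// trusted manifest names, so a swapped download is rejected even at the genuine URL.
func VerifyUpdate(pinned ed25519.PublicKey, rawManifest, installer []byte) (Manifest, error) {
	var m Manifest
	if err := xml.Unmarshal(rawManifest, &m); err != nil {
		return m, err
	}
	sig, err := hex.DecodeString(m.Signature)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return m, errors.New("lock 1 failed: malformed manifest signature")
	}
	body, err := signedBody(m)
	if err != nil {
		return m, err
	}
	if !ed25519.Verify(pinned, body, sig) {
		return m, errors.New("lock 1 failed: manifest signature does not verify")
	}
	sum := sha256.Sum256(installer)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return m, errors.New("lock 2 failed: installer digest does not match manifest")
	}
	return m, nil
}

// Demo signs a manifest for a constructed installer and reports whether the client
// accepts the genuine pair, a manifest rewritten on the update server, and a
// modified installer served at the genuine URL.
func Demo() (legitOK, tamperedManifestOK, tamperedInstallerOK bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // pub is what the client pins
	if err != nil {
		return
	}
	installer := []byte("constructed installer bytes, not a real binary")
	sum := sha256.Sum256(installer)
	raw, err := SignManifest(priv, Manifest{Version: "8.9.2", URL: "https://example.invalid/npp.exe", SHA256: hex.EncodeToString(sum[:])})
	if err != nil {
		return
	}
	_, e := VerifyUpdate(pub, raw, installer)
	legitOK = e == nil
	// An attacker controlling the update server can rewrite the XML but cannot re-sign it.
	rawEvil := bytes.Replace(raw, []byte("example.invalid"), []byte("attacker.invalid"), 1)
	_, e = VerifyUpdate(pub, rawEvil, installer)
	tamperedManifestOK = e == nil
	// An attacker serving a modified download at the genuine URL fails the digest check.
	swapped := append(append([]byte{}, installer...), 0x90)
	_, e = VerifyUpdate(pub, raw, swapped)
	tamperedInstallerOK = e == nil
	return
}

func main() {
	a, b, c, err := Demo()
	fmt.Println("genuine accepted:", a, "| tampered manifest accepted:", b, "| tampered installer accepted:", c, "| err:", err)
}
```

The point of the second lock is that the manifest alone cannot be trusted to describe the file: once the manifest is authenticated, the digest it carries binds the client to one specific installer, so a man-in-the-middle on the download path gets the same rejection as one on the metadata path.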
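The job-scam item above turns on one detail: forms.google.ss-o[.]com carries the brand's hostname as a subdomain of a domain the attacker registered. A useful triage check compares the URL's registrable domain with the brand's instead of searching for the brand string anywhere in the host. The Go program below is an added example, not Malwarebytes' tooling; it refangs the indicator, derives the registrable domain with a deliberately simplified rule (last label plus a short hand-written list of two-label public suffixes, since the Go standard library ships no Public Suffix List), and flags hosts whose leading labels match a protected brand while their registrable domain does not. The protected-host list and all sample URLs are constructed.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Brand hostnames to protect; a constructed list for this example.
var protectedHosts = []string{"forms.google.com", "accounts.google.com", "login.microsoftonline.com"}

// Two-label public suffixes the simplified rule below knows about. Production code
// should use the full Public Suffix List (for example golang.org/x/net/publicsuffix).
var twoLabelSuffixes = map[string]bool{"co.uk": true, "com.au": true, "co.jp": true}

// refang turns defanged indicators such as "ss-o[.]com" and "hxxps://" back into parsable form.
func refang(s string) string {
	r := strings.NewReplacer("[.]", ".", "hxxps://", "https://", "hxxp://", "http://")
	return r.Replace(s)
}

// publicSuffix returns the public suffix of host under the simplified rule.
func publicSuffix(host string) string {
	labels := strings.Split(host, ".")
	n := len(labels)
	if n >= 2 && twoLabelSuffixes[labels[n-2]+"."+labels[n-1]] {
		return labels[n-2] + "." + labels[n-1]
	}
	return labels[n-1]
}

// registrableDomain returns the part an attacker actually had to register (eTLD+1):
// "forms.google.ss-o.com" -> "ss-o.com", "a.b.example.co.uk" -> "example.co.uk".
func registrableDomain(host string) string {
	suffix := publicSuffix(host)
	rest := strings.TrimSuffix(host, "."+suffix)
	if rest == host {
		return host // host is itself a public suffix
	}
	parts := strings.Split(rest, ".")
	return parts[len(parts)-1] + "." + suffix
}

// Finding explains why a URL was flagged.
type Finding struct {
	Host         string
	Impersonates string
	Registrable  string
}

// CheckURL flags a URL whose host starts with a protected brand's labels (the brand
// host minus its public suffix, e.g. "forms.google") while sitting under a different
// registrable domain. Matching the brand string anywhere in the URL would also fire
// on legitimate hosts; comparing registrable domains is what separates the two.
func CheckURL(raw string) (*Finding, error) {
	u, err := url.Parse(refang(raw))
	if err != nil {
		return nil, err
	}
	host := strings.ToLower(u.Hostname())
	if host == "" {
		return nil, fmt.Errorf("no host in %q", raw)
	}
	reg := registrableDomain(host)
	for _, brand := range protectedHosts {
		if reg == registrableDomain(brand) {
			continue // genuinely under the brand's own domain
		}
		stem := strings.TrimSuffix(brand, "."+publicSuffix(brand))
		if strings.HasPrefix(host, stem+".") {
			return &Finding{Host: host, Impersonates: brand, Registrable: reg}, nil
		}
	}
	return nil, nil
}

func main() {
	// Constructed samples; the first mirrors the pattern from the Malwarebytes item.
	samples := []string{
		"https://forms.google.ss-o[.]com/forms/d/e/abc123/viewform?form=opportunitysec&promo=",
		"https://forms.google.com/forms/d/e/abc123/viewform",
		"hxxps://accounts.google.com.login-check[.]net/signin",
		"https://docs.google.com/",
	}
	for _, s := range samples {
		f, err := CheckURL(s)
		fmt.Printf("%-85s flagged=%v %+v err=%v\n", s, f != nil, f, err)
	}
}
```

The check is intentionally narrow: it catches the brand-as-subdomain trick and leaves typosquats and hyphenated variants (google-forms.example) to other rules, and the registrable-domain step is what keeps docs.google.com or any other genuine Google host from producing a false positive.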
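The Register item above reports LLM-suggested passwords that look complex, pass online strength checkers and are still guessable, because the checker scores appearance rather than the process that produced the string. The Go program below is an added example and is not from the article or from Irregular's research: it draws each character from crypto/rand with rand.Int (uniform, no modulo bias), rejects candidates that miss a character class, and reports the entropy of the generating process, which is what strength actually rests on. The alphabet and the length are assumptions for the example.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"math"
	"math/big"
	"strings"
	"unicode"
)

// alphabet is an assumed character set for the example: 26 + 26 + 10 + 23 = 85 symbols.
const alphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-_=+[]{};:,.?"

// EntropyBits is the entropy of a password drawn uniformly from alphabet^length.
// It is a property of how the string was produced, not of how the string looks,
// which is why a checker that only inspects the string can be fooled.
func EntropyBits(length int) float64 {
	return float64(length) * math.Log2(float64(len(alphabet)))
}

// hasAllClasses reports whether p contains a lower-case letter, an upper-case
// letter, a digit and a symbol.
func hasAllClasses(p string) bool {
	var lower, upper, digit, symbol bool
	for _, r := range p {
		switch {
		case unicode.IsLower(r):
			lower = true
		case unicode.IsUpper(r):
			upper = true
		case unicode.IsDigit(r):
			digit = true
		default:
			symbol = true
		}
	}
	return lower && upper && digit && symbol
}

// GeneratePassword draws every character with crypto/rand. rand.Int returns a
// uniform value below the bound, so there is none of the bias that "random byte
// modulo alphabet size" introduces. Candidates missing a class are rejected and
// redrawn, which keeps the output uniform over the policy-satisfying subset.
func GeneratePassword(length int) (string, error) {
	if length < 4 {
		return "", errors.New("length must be at least 4 to cover all character classes")
	}
	bound := big.NewInt(int64(len(alphabet)))
	for attempt := 0; attempt < 1000; attempt++ {
		var b strings.Builder
		for i := 0; i < length; i++ {
			n, err := rand.Int(rand.Reader, bound)
			if err != nil {
				return "", err
			}
			b.WriteByte(alphabet[n.Int64()])
		}
		if p := b.String(); hasAllClasses(p) {
			return p, nil
		}
	}
	return "", errors.New("could not satisfy the class policy")
}

func main() {
	p, err := GeneratePassword(16)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("password: %s\nentropy of the process: %.1f bits\n", p, EntropyBits(16))
}
```

With 85 symbols and 16 positions the process yields about 102 bits; an LLM-produced string of the same shape has no such guarantee, because nothing about the model's sampling is uniform over the alphabet, whatever a checker's "centuries to crack" estimate says.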
