    Cyber Threat Intelligence 26 February 2026

    Cyber Security News
      Posted by NCSA_THAICERT

      Financial Sector

      • PCI Council Says Threats To Payments Systems Are Speeding Up
        "A new report on the payment card industry (PCI) reflects an increased dependency on global coordination to address threats that are growing more sophisticated, and expanding the remit for the trade group itself. The PCI Security Standards Council (SSC) 2025 annual report highlighted training, education, collaboration, and outreach initiatives conducted throughout the year to advance payment security worldwide for merchants, retailers, and vendors. It is the first time the group has published a report since its founding in 2006."
        https://www.darkreading.com/cyber-risk/pci-council-threats-payments-systems-speeding-up
        https://www.pcisecuritystandards.org/about_us/annual-report/

      Industrial Sector

      • 'Richter Scale' Model Measures Magnitude Of OT Cyber Incidents
        "A newly developed method for gauging the impact of an OT cybersecurity incident could pave the way for more accurate measurement and response to an event, and also shine light on risk and business ramifications. The Operational Technology Incident (OTI) Impact Score — which will be unveiled today at the ICS/OT industry's S4x26 Conference in Miami — aims to provide rapid clarity on the actual effects of OT cyber incidents, which often get over- or under-hyped, according to Dale Peterson, co-creator of the OTI model and head of ICS/OT consulting and research firm Digital Bond."
        https://www.darkreading.com/ics-ot-security/richter-scale-model-measures-cyber-incidents

      Vulnerabilities

      • Critical Cisco SD-WAN Bug Exploited In Zero-Day Attacks Since 2023
        "Cisco is warning that a critical authentication bypass vulnerability in Cisco Catalyst SD-WAN, tracked as CVE-2026-20127, was actively exploited in zero-day attacks that allowed remote attackers to compromise controllers and add malicious rogue peers to targeted networks. CVE-2026-20127 has a maximum severity of 10.0 and impacts Cisco Catalyst SD-WAN Controller (formerly vSmart) and Cisco Catalyst SD-WAN Manager (formerly vManage) in on-prem and SD-WAN Cloud installations. Cisco credited the Australian Signals Directorate's Australian Cyber Security Centre (ASD's ACSC) for reporting the vulnerability."
        https://www.bleepingcomputer.com/news/security/critical-cisco-sd-wan-bug-exploited-in-zero-day-attacks-since-2023/
        https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa-EHchtZk
        https://blog.talosintelligence.com/uat-8616-sd-wan/
        https://www.cisa.gov/news-events/alerts/2026/02/25/cisa-and-partners-release-guidance-ongoing-global-exploitation-cisco-sd-wan-systems
        https://cyberscoop.com/cisco-zero-days-cisa-emergency-directive-five-eyes/
        https://www.helpnetsecurity.com/2026/02/25/cisco-sd-wan-zero-day-cve-2026-20127/
      • Zyxel Warns Of Critical RCE Flaw Affecting Over a Dozen Routers
        "Taiwan networking provider Zyxel has released security updates to address a critical vulnerability affecting over a dozen router models that can allow unauthenticated attackers to gain remote command execution on unpatched devices. Tracked as CVE-2025-13942, this command injection security flaw was found in the UPnP function of Zyxel 4G LTE/5G NR CPE, DSL/Ethernet CPE, Fiber ONTs, and wireless extenders. Zyxel says that unauthenticated remote attackers can exploit it to execute operating system (OS) commands on an affected device using maliciously crafted UPnP SOAP requests."
        https://www.bleepingcomputer.com/news/security/zyxel-warns-of-critical-rce-flaw-affecting-over-a-dozen-routers/
        https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-null-pointer-dereference-and-command-injection-vulnerabilities-in-certain-4g-lte-5g-nr-cpe-dsl-ethernet-cpe-fiber-onts-security-routers-and-wireless-extenders-02-24-2026
        https://securityaffairs.com/188501/security/critical-zyxel-router-flaw-exposed-devices-to-remote-attacks.html
      • CISA Adds Two Known Exploited Vulnerabilities To Catalog
        "CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
        CVE-2022-20775 Cisco Catalyst SD-WAN Path Traversal Vulnerability
        CVE-2026-20127 Cisco Catalyst SD-WAN Controller and Manager Authentication Bypass Vulnerability"
        https://www.cisa.gov/news-events/alerts/2026/02/25/cisa-adds-two-known-exploited-vulnerabilities-catalog
        https://www.cisa.gov/news-events/directives/ed-26-03-mitigate-vulnerabilities-cisco-sd-wan-systems
        https://therecord.media/five-eyes-warn-hackers-exploit-cisco-sd-wan
        https://www.bankinfosecurity.com/feds-scramble-amid-shutdown-to-secure-cisco-sd-wan-systems-a-30849
      • Check Point Researchers Expose Critical Claude Code Flaws
        "As organizations rapidly adopt agentic AI development tools into enterprise workflows, the trust boundaries between configuration and execution are increasingly blurred. Check Point Research identified critical vulnerabilities in Anthropic’s Claude Code that enabled remote code execution and API credential theft through malicious repository-based configuration files. By abusing built-in mechanisms such as Hooks, Model Context Protocol (MCP) integrations, and environment variables, attackers could execute arbitrary shell commands and exfiltrate API keys when developers cloned and opened untrusted projects – without any additional action beyond launching the tool."
        https://blog.checkpoint.com/research/check-point-researchers-expose-critical-claude-code-flaws/
        https://research.checkpoint.com/2026/rce-and-api-token-exfiltration-through-claude-code-project-files-cve-2025-59536/
        https://www.darkreading.com/application-security/flaws-claude-code-developer-machines-risk
        https://thehackernews.com/2026/02/claude-code-flaws-allow-remote-code.html
        https://securityaffairs.com/188508/security/untrusted-repositories-turn-claude-code-into-an-attack-vector.html
        https://www.theregister.com/2026/02/26/clade_code_cves/

      Malware

      • Developer-Targeting Campaign Using Malicious Next.js Repositories
        "Microsoft Defender Experts identified a coordinated developer-targeting campaign delivered through malicious repositories disguised as legitimate Next.js projects and technical assessment materials. Telemetry collected during this investigation indicates the activity aligns with a broader cluster of threats that use job-themed lures to blend into routine developer workflows and increase the likelihood of code execution."
        https://www.microsoft.com/en-us/security/blog/2026/02/24/c2-developer-targeting-campaign/
        https://www.bleepingcomputer.com/news/security/fake-nextjs-job-interview-tests-backdoor-developers-devices/
        https://www.darkreading.com/cyberattacks-data-breaches/malicious-nextjs-repos-developers-fake-job-interviews
        https://www.theregister.com/2026/02/25/jobseeking_nextjs_devs_attack/
      • Abusing Windows File Explorer And WebDAV For Malware Delivery
        "Cofense Intelligence has been tracking how threat actors are abusing Windows File Explorer’s ability to retrieve remote files over Web-based Distributed Authoring and Versioning (WebDAV), an HTTP-based file management protocol, to trick victims into downloading malware. WebDAV is a relatively unpopular method of file transfer and remote file storage nowadays, but it is natively supported within the Windows File Explorer (though deprecated as of November 2023) as a way of remotely accessing a file server."
        https://cofense.com/blog/abusing-windows-file-explorer-and-webdav-for-malware-delivery
      • Unmasking Agent Tesla: A Deep Dive Into a Multi-Stage Campaign
        "Agent Tesla remains one of the most persistent threats in the cyber landscape today. It allows even low-skilled threat actors to harvest sensitive data through a highly sophisticated delivery pipeline. This research blog breaks down a recent multi-stage infection chain that utilizes a blend of phishing, obfuscated and encrypted scripts, and advanced in-memory execution and evasion techniques."
        https://www.fortinet.com/blog/threat-research/unmasking-agent-tesla-deep-dive-into-multi-stage-campaign
      • Oblivion: The New $300 Android RAT That Beats Every Major Phone Manufacturer’s Security
        "Every so often, a piece of malware surfaces that feels like a genuine step-change. Not just another recycled threat, but something built from the ground up to be harder to stop. Oblivion, a newly emerged Android Remote Access Trojan (RAT), is being positioned as exactly that. Certo’s security researchers have been analyzing the threat — and the evidence suggests the claim deserves serious attention. Advertised openly on a clear web hacking forum and backed by a full video demonstration, Oblivion targets Android devices running versions 8 through 16. That covers virtually every Android phone in active use today."
        https://www.certosoftware.com/insights/oblivion-the-new-300-android-rat-that-beats-every-major-phone-manufacturers-security/
        https://hackread.com/android-malware-oblivion-fake-updates-hijack-phones/
      • Malicious NuGet Package Targets Stripe
        "In December 2025, the ReversingLabs research team wrote about a malicious NuGet campaign that targeted developers and packages linked to cryptocurrency platforms such as Coinbase, Binance, Solana and Nethereum. Following that, the malicious NuGet activity appeared to slow. However, our researchers recently discovered a malicious package that mimics Stripe.net, a NuGet package by the popular online payments platform with more than 70 million downloads. The latest incident shows that while the threat actors have shifted away from blockchain-related targets on NuGet, they remain active and focused on the financial sector."
        https://www.reversinglabs.com/blog/malicious-nuget-package-targets-stripe
        https://www.infosecurity-magazine.com/news/malicious-nuget-package-stripe-devs/
      • Exposing The Undercurrent: Disrupting The GRIDTIDE Global Cyber Espionage Campaign
        "Last week, Google Threat Intelligence Group (GTIG), Mandiant, and partners took action to disrupt a global espionage campaign targeting telecommunications and government organizations in dozens of nations across four continents. The threat actor, UNC2814, is a suspected People's Republic of China (PRC)-nexus cyber espionage group that GTIG has tracked since 2017. This prolific, elusive actor has a long history of targeting international governments and global telecommunications organizations across Africa, Asia, and the Americas and had confirmed intrusions in 42 countries when the disruption was executed. The attacker was using API calls to communicate with SaaS apps as command-and-control (C2) infrastructure to disguise their malicious traffic as benign, a common tactic used by threat actors when attempting to improve the stealth of their intrusions."
        https://cloud.google.com/blog/topics/threat-intelligence/disrupting-gridtide-global-espionage-campaign
        https://thehackernews.com/2026/02/google-disrupts-unc2814-gridtide.html
        https://www.securityweek.com/google-disrupts-chinese-cyberespionage-campaign-targeting-telecoms-governments/
        https://www.theregister.com/2026/02/25/google_and_friends_disrupt_unc2814/
      • Cyber Intel Brief: Scattered Lapsus$ Hunters (SLH) Kicks Off Campaign To Recruit Women
        "On February 22, 2026, Dataminr detected activity on a public Telegram board indicating that the Scattered Lapsus$ Hunters (SLH) hacking collective is recruiting women for an upcoming vishing-based social engineering campaign. The group is offering to pay recruited individuals $500 to $1,000 upfront per call and promises to provide the necessary scripts for the operation. This recruitment drive represents a calculated evolution in SLH’s tactics. By specifically seeking female voices, the group likely aims to bypass the “traditional” profiles of attackers that IT help desk staff may be trained to identify, thereby increasing the effectiveness of their impersonation efforts."
        https://www.dataminr.com/resources/intel-brief/slh-recruiting-women-for-vishing/
        https://thehackernews.com/2026/02/slh-offers-5001000-per-call-to-recruit.html
      • Four Malicious NuGet Packages Target ASP.NET Developers With JIT Hooking And Credential Exfiltration
        "Socket's Threat Research Team discovered a NuGet supply chain attack involving four malicious packages targeting ASP.NET web application developers. The campaign deploys a multi-stage payload where NCryptYo acts as a stage-1 dropper that establishes a local proxy on localhost:7152, while companion packages DOMOAuth2_ and IRAOAuth2.0 exfiltrate ASP.NET Identity data (user accounts, role assignments, permission mappings) and accept threat actor-controlled authorization rules that create persistent backdoors in victim applications. SimpleWriter_ adds unconditional file writing and hidden process execution to the toolkit. All four packages were published between August 12-21, 2024 by threat actor hamzazaheer. Together, these packages have accumulated a little over 4,500 downloads so far. We've submitted takedown requests to the NuGet security team."
        https://socket.dev/blog/four-malicious-nuget-packages-target-asp-net-developers-with-jit-hooking-and-credential
        https://thehackernews.com/2026/02/malicious-nuget-packages-stole-aspnet.html
      • Understanding The DarkCloud Infostealer
        "Infostealers continue to dominate the initial access landscape in 2026, lowering the barrier to breach through scalable credential theft. DarkCloud illustrates how low-cost, commercialized malware is reshaping the initial access landscape. First observed in 2022 and attributed to a developer known as “Darkcloud Coder” (formerly “BluCoder” on Telegram), DarkCloud is openly sold through Telegram and a clearnet storefront with subscription tiers starting at just US$30. Despite being marketed as “surveillance software,” its technical focus is unmistakable: high-volume credential harvesting and structured data exfiltration across browsers, email clients, financial data, and contact networks."
        https://flashpoint.io/blog/understanding-darkcloud-infostealer/
      • Apache ActiveMQ Exploit Leads To LockBit Ransomware
        "A threat actor exploited CVE-2023-46604 on an internet-facing Apache ActiveMQ server. Despite being evicted after the initial intrusion, they successfully breached the same server on a second occasion 18 days later. After compromising the server, the threat actor used Metasploit, possibly along with Meterpreter, to perform post-exploitation activities. These activities included escalating privileges, accessing LSASS process memory, and moving laterally across the network. After regaining access following their eviction, the threat actor swiftly transitioned to deploying ransomware. They leveraged credentials extracted during their previous breach to deploy LockBit ransomware via RDP."
        https://thedfirreport.com/2026/02/23/apache-activemq-exploit-leads-to-lockbit-ransomware/

      Breaches/Hacks/Leaks

      • Medical Device Maker UFP Technologies Warns Of Data Stolen In Cyberattack
        "American manufacturer of medical devices, UFP Technologies, has disclosed that a cybersecurity incident has compromised its IT systems and data. UFP Technologies is a publicly traded medical engineering and manufacturing company that produces a broad range of devices and components used in surgery, wound care, implants, orthopedic applications, and healthcare wearables. The company employs 4,300 people, has an annual revenue of $600 million, and a market cap of $1.86 billion, according to recent data."
        https://www.bleepingcomputer.com/news/security/medical-device-maker-ufp-technologies-warns-of-data-stolen-in-cyberattack/
        https://therecord.media/ufp-technologies-medical-devices-sec-filing-cyberattack
        https://www.bankinfosecurity.com/medical-device-maker-reports-data-theft-hack-to-sec-a-30847
        https://www.securityweek.com/medical-device-maker-ufp-technologies-hit-by-cyberattack/
      • Canadian Tire Data Breach
        "In October 2025, retailer Canadian Tire was the victim of a data breach that exposed almost 42M records. The data contained 38M unique email addresses along with names, phone numbers and physical addresses. Passwords were stored as PBKDF2 hashes and for a subset of records, dates of birth and partial credit card data were also included (card type, expiry and masked card number). In its disclosure notice, Canadian Tire advised that the incident did not impact bank account information or loyalty program data."
        https://haveibeenpwned.com/Breach/CanadianTire

      General News

      • Ex-L3Harris Exec Jailed For Selling Zero-Days To Russian Exploit Broker
        "The former head of Trenchant, a specialized U.S. defense contractor unit, was sentenced Tuesday to more than seven years in federal prison for stealing and selling zero-day exploits to a Russian exploit broker whose clients include the Russian government. 39-year-old Australian national Peter Williams served as the general manager of Trenchant, a cybersecurity unit of defense contractor L3Harris that develops surveillance tools and zero-day exploits for the U.S. government and its Five Eyes intelligence partners."
        https://www.bleepingcomputer.com/news/security/ex-l3harris-exec-jailed-for-selling-zero-days-to-russian-exploit-broker/
        https://thehackernews.com/2026/02/defense-contractor-employee-jailed-for.html
        https://www.helpnetsecurity.com/2026/02/25/peter-williams-l3harris-executive-sentenced-trade-secrets-theft-russia/
        https://www.infosecurity-magazine.com/news/defense-contractor-boss-7-years/
        https://securityaffairs.com/188482/intelligence/former-u-s-defense-contractor-executive-sentenced-for-selling-zero-day-exploits-to-russian-broker-operation-zero.html
        https://www.securityweek.com/ex-us-defense-contractor-executive-jailed-for-selling-exploits-to-russia/
        https://www.theregister.com/2026/02/25/former_l3harris_exec_jailed/
      • Airline Brands Become Launchpads For Phishing, Crypto Fraud
        "Airline brands sit at the center of peak travel booking cycles, loyalty programs, and high value transactions. Criminal groups continue to register thousands of lookalike domains tied to these brands, targeting travelers, employees, and business partners. Recent threat intelligence from BforeAI’s PreCrime Labs identifies sustained impersonation activity across the global commercial airline sector."
        https://www.helpnetsecurity.com/2026/02/25/airline-phishing-campaigns-crypto-fraud/
      • Beyond Borders: How Threat Intelligence Provenance Can Save Global Cybersecurity From Geopolitical Fragmentation
        "In mid-January 2026, the Chinese government allegedly announced a sweeping ban on cybersecurity software from more than a dozen U.S. and Israeli firms, including industry giants like Palo Alto Networks, CrowdStrike, and Check Point. The stated reason: concerns that foreign software could collect and transmit confidential information abroad. This move represents more than just another salvo in ongoing tech tensions between the two governments. It threatens to fracture a foundational practice of internet cybersecurity: the global threat intelligence ecosystem that allows defenders worldwide to collect, analyze, and share information about emerging attacks and responses to cyber threats that know no borders."
        https://www.internetgovernance.org/2026/02/23/beyond-borders-how-threat-intelligence-provenance-can-save-global-cybersecurity-from-geopolitical-fragmentation/
        https://www.theregister.com/2026/02/25/threat_intelligence_supply_chain_research/
      • 2026 VulnCheck Exploit Intelligence Report
        "In 2025, barely 1% of disclosed vulnerabilities were exploited in the wild. Yet those that were exploited were operationalized quickly, attracted diverse threat actors, and often caused outsized damage before organizations had a chance to respond. This report identifies which vulnerabilities mattered, why attackers targeted them, and where timing failures left organizations exposed."
        https://wwv.vulncheck.com/2026-vulncheck-exploit-intelligence-report
        https://cyberscoop.com/vulncheck-exploited-vulnerabilities-report-2025/
      • The Post-RAMP Era: Allegations, Fragmentation, And The Rebuilding Of The Ransomware Underground
        "The January 2026 seizure of RAMP disrupted a major ransomware coordination hub, but it did not dismantle the ecosystem behind it. Instead, it destabilized trust and accelerated fragmentation across the underground. Rather than consolidating around a single successor, ransomware actors are redistributing across both gated platforms like T1erOne and accessible forums such as Rehub. This shift reflects adaptation, not decline. For defenders, visibility into centralized coordination is shrinking. Monitoring must evolve beyond tracking individual forums to identifying actor migration, recruitment signals, and early indicators of regrouping. Disruption rarely eliminates ecosystems; it reshapes them. Organizations that adapt their intelligence strategies accordingly will be best positioned to stay ahead."
        https://www.rapid7.com/blog/post/tr-post-ramp-allegations-fragmentation-ransomware-underground-rebuild/
        https://www.darkreading.com/threat-intelligence/ramp-forum-seizure-fractures-ransomware-ecosystem
      • Why 'Call This Number' TOAD Emails Beat Gateways
        "While much of the conversation surrounding phishing concerns not clicking a suspicious link or downloading a malicious attachment, there's an attack technique gaining prominence in which the email payload consists of nothing but a phone number. And these emails are getting past defenses. Researchers from email security vendor StrongestLayer today published an analysis of roughly 5,000 email-based threat detections that bypassed secure email gateways across multiple enterprise environments between December 2025 and now."
        https://www.darkreading.com/threat-intelligence/why-call-this-number-toad-emails-beat-gateways
        https://www.strongestlayer.com/white-paper/enterprise-phishing-evasion-techniques-2026
      • Autonomous Endpoint Management Isn’t Just Efficiency, It’s a Security Imperative
        "We are looking at a math problem that no longer balances. On one side, CrowdStrike’s 2025 Global Threat Report pegs the average eCrime breakout time at 48 minutes, with the fastest intrusion clocking in at 51 seconds. On the other side, the 2025 Verizon DBIR shows edge device remediation dragging out to a median of 32 days. That disconnect represents the biggest liability in cybersecurity today. Exposure time has graduated from an operational KPI to a defining security metric."
        https://hackread.com/autonomous-endpoint-management-security-imperative/
      • The Blast Radius Problem: Stolen Credentials Are Weaponizing Agentic AI
        "Weak access controls, AI confusion, and the interconnection of business continue to expand the threat. More than half (56%) of the 400,000 vulnerabilities IBM X-Force tracked in 2025 required no authentication before exploitation. This is revealed in the X-Force 2025 Threat Intelligence Index. The report also highlights the continuing success of infostealer credential theft, pointing to the discovery of 300,000 ChatGPT credentials on the dark web (almost certainly stolen by infostealers)."
        https://www.securityweek.com/the-blast-radius-problem-stolen-credentials-are-weaponizing-agentic-ai/
        https://www.infosecurity-magazine.com/news/app-exploits-surge-ai-speeds/
      • Moscow Man Accused Of Posing As FSB Officer To Extort Conti Ransomware Gang
        "A Moscow resident has been accused of trying to extort money from the notorious Conti ransomware group by posing as an officer of Russia’s Federal Security Service (FSB), according to local media reports. Russian outlet RBC, citing sources familiar with the investigation, reported on Wednesday that the suspect, Ruslan Satuchin, allegedly presented himself as an FSB officer and demanded a large payment from Conti members in exchange for avoiding criminal prosecution."
        https://therecord.media/moscow-man-accused-of-extorting-conti-gang

      Reference
      Electronic Transactions Development Agency (ETDA)
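The Check Point item above describes Claude Code executing repository-supplied configuration (hooks, MCP server definitions, environment variables) as soon as the tool is launched inside a cloned project. The script below is an added example written for this digest; it is not Check Point's or Anthropic's code. It assumes the project-scope file names and keys documented for Claude Code at the time of writing (`.claude/settings.json` and `.claude/settings.local.json` with `hooks` and `env`, and `.mcp.json` with `mcpServers`) and a list of environment variables worth treating as high risk; both are assumptions to adjust if the tool's layout changes. Run it against a fresh checkout before opening the project in the tool.

```python
"""Pre-flight scan of Claude Code project-scoped configuration in a cloned repo.

Added example for this digest, not Check Point's or Anthropic's code.
Assumed file layout: .claude/settings.json and .claude/settings.local.json
(keys "hooks" and "env") and .mcp.json (key "mcpServers").
"""
import json
import os
import sys
from typing import Dict, List, Tuple

CONFIG_FILES = (".claude/settings.json", ".claude/settings.local.json", ".mcp.json")

# Variables that can redirect API traffic, inject code into the process or
# carry credentials. Assumption: ANTHROPIC_BASE_URL is the tool's endpoint
# override; the others are generic process/network controls.
SENSITIVE_ENV = {
    "ANTHROPIC_BASE_URL", "ANTHROPIC_API_KEY", "ANTHROPIC_AUTH_TOKEN",
    "HTTP_PROXY", "HTTPS_PROXY", "NODE_OPTIONS", "NODE_EXTRA_CA_CERTS",
    "LD_PRELOAD", "DYLD_INSERT_LIBRARIES",
}

Finding = Tuple[str, str]  # (severity, message)


def scan_configs(configs: Dict[str, object]) -> List[Finding]:
    """Inspect already-parsed config documents keyed by their relative path."""
    findings: List[Finding] = []
    for path, doc in configs.items():
        if not isinstance(doc, dict):
            continue
        # Hook layout (assumed): {"Event": [{"matcher": "...", "hooks": [{"type": "command", "command": "..."}]}]}
        hooks = doc.get("hooks")
        if isinstance(hooks, dict):
            for event, groups in hooks.items():
                for group in groups if isinstance(groups, list) else []:
                    if not isinstance(group, dict):
                        continue
                    for hook in group.get("hooks", []):
                        if isinstance(hook, dict) and hook.get("type") == "command":
                            cmd = hook.get("command")
                            findings.append(("high", f"{path}: hook on {event} runs shell command {cmd!r}"))
        # Environment variables injected into the tool's process.
        env = doc.get("env")
        if isinstance(env, dict):
            for name, value in env.items():
                sev = "high" if name.upper() in SENSITIVE_ENV else "medium"
                findings.append((sev, f"{path}: sets environment variable {name}={value!r}"))
        # MCP servers: a local "command" is a process the tool will spawn.
        servers = doc.get("mcpServers")
        if isinstance(servers, dict):
            for name, spec in servers.items():
                if not isinstance(spec, dict):
                    continue
                if "command" in spec:
                    cmdline = " ".join([str(spec["command"]), *map(str, spec.get("args", []))])
                    findings.append(("high", f"{path}: MCP server {name!r} launches {cmdline!r}"))
                elif "url" in spec:
                    findings.append(("medium", f"{path}: MCP server {name!r} connects to {spec['url']!r}"))
    return findings


def load_repo_configs(repo: str) -> Dict[str, object]:
    """Read the assumed config files from a checkout; unparsable JSON is reported, not skipped silently."""
    configs: Dict[str, object] = {}
    for rel in CONFIG_FILES:
        full = os.path.join(repo, rel)
        if not os.path.isfile(full):
            continue
        try:
            with open(full, encoding="utf-8") as fh:
                configs[rel] = json.load(fh)
        except ValueError as exc:
            configs[rel] = None
            print(f"warning: {rel} is not valid JSON ({exc})", file=sys.stderr)
    return configs


if __name__ == "__main__":
    repo_dir = sys.argv[1] if len(sys.argv) > 1 else "."
    results = scan_configs(load_repo_configs(repo_dir))
    for severity, message in results:
        print(f"[{severity}] {message}")
    # Non-zero exit so a wrapper script can refuse to launch the tool.
    sys.exit(1 if any(s == "high" for s, _ in results) else 0)
```

Any `high` finding means the checkout can run code or redirect API traffic on launch; read the flagged command or value before trusting it, and prefer deleting repository-level hooks and MCP definitions you did not write.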
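The Cofense item above concerns File Explorer fetching payloads over WebDAV. On Windows that traffic comes from the WebClient service, which identifies itself with the `Microsoft-WebDAV-MiniRedir` user agent and uses WebDAV methods such as PROPFIND. The detection below is an added example for this digest, not Cofense's code; the pipe-delimited log format (`timestamp|client_ip|method|url|status|user_agent`), the sample lines and the allowlist of sanctioned internal WebDAV servers are all constructed assumptions.

```python
"""Flag Windows WebDAV client activity to untrusted hosts in web-proxy logs.

Added example for this digest, not Cofense's code. Log format (constructed):
timestamp|client_ip|method|url|status|user_agent
"""
import sys
from ipaddress import ip_address
from typing import Iterable, List, Optional
from urllib.parse import urlsplit

WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}
MINIREDIR_UA = "Microsoft-WebDAV-MiniRedir"   # user agent of the Windows WebClient service
SANCTIONED_WEBDAV_HOSTS = {"files.corp.example"}  # assumption: internal shares that legitimately use WebDAV

# Constructed sample: one sanctioned PROPFIND, a PROPFIND plus a .lnk fetch
# from a bare-IP host, and an ordinary browser request.
SAMPLE_LOG = [
    "2026-02-26T09:01:12Z|10.20.4.17|PROPFIND|http://files.corp.example/share/|207|Microsoft-WebDAV-MiniRedir/10.0.22631",
    "2026-02-26T09:03:44Z|10.20.4.17|PROPFIND|http://203.0.113.45/docs/|207|Microsoft-WebDAV-MiniRedir/10.0.22631",
    "2026-02-26T09:03:45Z|10.20.4.17|GET|http://203.0.113.45/docs/Invoice.lnk|200|Microsoft-WebDAV-MiniRedir/10.0.22631",
    "2026-02-26T09:05:02Z|10.20.4.22|GET|https://www.example.org/|200|Mozilla/5.0",
]


def _is_ip_literal(host: str) -> bool:
    try:
        ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def classify_line(line: str) -> Optional[str]:
    """Return an alert string for a suspicious line, or None."""
    fields = line.rstrip("\n").split("|")
    if len(fields) != 6:
        return None  # malformed line; a real pipeline would count these
    ts, client, method, url, _status, ua = fields
    host = urlsplit(url).hostname or ""
    if host in SANCTIONED_WEBDAV_HOSTS:
        return None
    reasons: List[str] = []
    if method.upper() in WEBDAV_METHODS:
        reasons.append(f"WebDAV method {method.upper()}")
    if ua.startswith(MINIREDIR_UA):
        reasons.append("Windows WebClient user agent")
    if not reasons:
        return None
    # Plain GETs from the MiniRedir are still WebDAV file retrievals; a bare IP
    # destination is an extra signal that this is not a managed file server.
    if _is_ip_literal(host):
        reasons.append("destination is a bare IP literal")
    return f"{ts} {client} -> {host}: " + "; ".join(reasons)


def scan_log(lines: Iterable[str]) -> List[str]:
    return [alert for alert in (classify_line(line) for line in lines) if alert]


if __name__ == "__main__":
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG
    for alert in scan_log(source):
        print(alert)
```

Where no one needs WebDAV from workstations, stopping and disabling the WebClient service removes the vector entirely; `sc query WebClient` shows whether it is running on a given host.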
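The TOAD item above makes the point that a lure whose only payload is a phone number carries nothing for a gateway's link or attachment analysis to act on. The scorer below is an added example for this digest, not StrongestLayer's code; it shows what a content-only heuristic for such mail looks like. The weights, threshold, keyword lists and the two sample messages are all constructed assumptions to be tuned on real traffic.

```python
"""Heuristic scoring for 'call this number' (TOAD) emails with no link or attachment.

Added example for this digest, not StrongestLayer's code. Weights, threshold,
word lists and the sample messages are constructed assumptions.
"""
import re
from typing import List, Tuple

# North-American-style numbers; loosened deliberately, tighten for other regions.
PHONE_RE = re.compile(r"(?<!\d)(?:\+?1[\s.\-]?)?\(?\d{3}\)?[\s.\-]?\d{3}[\s.\-]?\d{4}(?!\d)")
URL_RE = re.compile(r"\b(?:https?://|www\.)\S+", re.IGNORECASE)
CALL_RE = re.compile(r"\b(?:call|dial|phone|contact)\b")
LURE_WORDS = ("invoice", "subscription", "renew", "charged", "payment",
              "refund", "order", "cancel", "debited")
URGENCY_WORDS = ("within 24 hours", "immediately", "today", "urgent", "unauthorized")
TOAD_THRESHOLD = 7  # assumption

# Constructed samples: (subject, body, has_attachment)
TOAD_SAMPLE = (
    "Your annual subscription has been renewed",
    "Dear customer,\nYour order #48213 has been processed and your card was charged "
    "$399.99 for a 1-year antivirus plan. If you did not authorize this payment, "
    "call our billing desk at (888) 555-0142 within 24 hours to cancel and receive a refund.",
    False,
)
BENIGN_SAMPLE = (
    "Team lunch Friday",
    "Hi all, we're meeting at the cafe at noon, RSVP via https://cal.example.com/lunch. "
    "Questions? call me at 555-010-1234.",
    False,
)


def score_toad(subject: str, body: str, has_attachment: bool) -> Tuple[int, List[str]]:
    """Return (score, reasons). Higher means more TOAD-like."""
    text = f"{subject}\n{body}"
    lower = text.lower()
    phones = list(PHONE_RE.finditer(text))
    if not phones:
        return 0, ["no phone number"]
    score, reasons = 3, [f"{len(phones)} phone number(s)"]
    if not URL_RE.search(text):
        score += 2
        reasons.append("no URL")
    if not has_attachment:
        score += 1
        reasons.append("no attachment")
    # A call-to-action verb shortly before the number is the core TOAD pattern.
    for m in phones:
        if CALL_RE.search(lower[max(0, m.start() - 80):m.start()]):
            score += 2
            reasons.append("call-to-action next to number")
            break
    lure_hits = [w for w in LURE_WORDS if w in lower]
    if lure_hits:
        score += min(len(lure_hits), 3)
        reasons.append("billing lure words: " + ", ".join(lure_hits))
    urgency_hits = [w for w in URGENCY_WORDS if w in lower]
    if urgency_hits:
        score += 1
        reasons.append("urgency cue: " + ", ".join(urgency_hits))
    return score, reasons


def is_toad(subject: str, body: str, has_attachment: bool) -> bool:
    return score_toad(subject, body, has_attachment)[0] >= TOAD_THRESHOLD


if __name__ == "__main__":
    for sample in (TOAD_SAMPLE, BENIGN_SAMPLE):
        score, reasons = score_toad(*sample)
        print(f"{score:2d} {'TOAD  ' if score >= TOAD_THRESHOLD else 'benign'} {sample[0]!r}: {'; '.join(reasons)}")
```

The benign sample still scores several points (a number with "call me" before it), which is why the link-free, attachment-free and billing-lure signals are weighted to separate the two rather than the phone number alone; the same logic can run as a gateway post-filter on messages that already passed URL and attachment scanning.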