NCSA Webboard

    Cyber Threat Intelligence 09 March 2026

    Cyber Security News
    • NCSA_THAICERT

      Industrial Sector

      • APT And Financial Attacks On Industrial Organizations In Q4 2025
        "In the last quarter of 2025, information security researchers published numerous interesting reports on attacks against industrial organizations. Most of them highlight the persistence of long-standing problems: untimely installation of security updates, including on internet-accessible systems; insecure provision of remote access to internal systems; the difficulty of monitoring the security of trusted partners and suppliers; the inability to guarantee 100% protection for traditional operating systems with their inherent information security issues (DLL hijacking, BYOVD, and malware); and the lack of staff preparedness to resist basic social engineering techniques."
        https://ics-cert.kaspersky.com/publications/reports/2026/03/06/apt-and-financial-attacks-on-industrial-organizations-in-q4-2025/

      New Tooling

      • Codex Security: Now In Research Preview
        "Today we’re introducing Codex Security, our application security agent. It builds deep context about your project to identify complex vulnerabilities that other agentic tools miss, surfacing higher-confidence findings with fixes that meaningfully improve the security of your system while sparing you from the noise of insignificant bugs."
        https://openai.com/index/codex-security-now-in-research-preview/
        https://thehackernews.com/2026/03/openai-codex-security-scanned-12.html

      Vulnerabilities

      • Critical Nginx UI Flaw CVE-2026-27944 Exposes Server Backups
        "A critical vulnerability in Nginx UI, tracked as CVE-2026-27944 (CVSS score of 9.8), allows attackers to download and decrypt full server backups without authentication. The flaw poses a serious risk to organizations exposing the management interface, potentially revealing sensitive configuration data, credentials, and encryption keys. “The /api/backup endpoint is accessible without authentication and discloses the encryption keys required to decrypt the backup in the X-Backup-Security response header.” reads the advisory. “This allows an unauthenticated attacker to download a full system backup containing sensitive data (user credentials, session tokens, SSL private keys, Nginx configurations) and decrypt it immediately.”"
        https://securityaffairs.com/189123/security/critical-nginx-ui-flaw-cve-2026-27944-exposes-server-backups.html
        https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-g9w5-qffc-6762
      • Recent Cisco Catalyst SD-WAN Vulnerability Now Widely Exploited
        "Exposure management company WatchTowr reports that a recent Cisco Catalyst SD-WAN vulnerability, initially exploited as a zero-day, is now being used more frequently by threat actors. The in-the-wild exploitation of four Cisco Catalyst SD-WAN vulnerabilities came to light in recent weeks. One of them is CVE-2026-20127, which had been exploited as a zero-day in combination with an older vulnerability, CVE-2022-20775, to bypass authentication, escalate privileges, and establish persistence on systems."
        https://www.securityweek.com/recent-cisco-catalyst-sd-wan-vulnerability-now-widely-exploited/

      Malware

      • InstallFix: How Attackers Are Weaponizing Malvertized Install Guides
        "There was a time, not that long ago, when pasting a command from a website straight into your terminal was something you’d only try once before some grizzled senior engineer beat it out of you. That’s because you’re effectively handing a website a blank cheque to execute whatever it wants on your system. But somehow, it’s now the default. Homebrew, Rust, nvm, Bun, oh-my-zsh and hundreds of the most widely used developer tools on the planet now ship with the same instructions."
        https://pushsecurity.com/blog/installfix/
        https://www.bleepingcomputer.com/news/security/fake-claude-code-install-guides-push-infostealers-in-installfix-attacks/
      • Cyberattacks And Unpredictable Targeting Remain An Iran Risk
        "Cyberattacks launched by Iranian nation-state hackers in reprisal for what the United States has codenamed Operation Epic Fury so far have been evident mainly in their absence. Whether the regime's military or intelligence forces have the inclination or ability to launch such attacks isn't clear. The country continues to operate in a near-total internet blackout initiated for reasons unknown at the start of hostilities by the United States and Israel on Feb. 28, monitoring firm Netblocks reported early Friday."
        https://www.bankinfosecurity.com/cyberattacks-unpredictable-targeting-remain-iran-risk-a-30930
      • AI As Tradecraft: How Threat Actors Operationalize AI
        "Threat actors are operationalizing AI along the cyberattack lifecycle to accelerate tradecraft, abusing both intended model capabilities and jailbreaking techniques to bypass safeguards and perform malicious activity. As enterprises integrate AI to improve efficiency and productivity, threat actors are adopting the same technologies as operational enablers, embedding AI into their workflows to increase the speed, scale, and resilience of cyber operations."
        https://www.microsoft.com/en-us/security/blog/2026/03/06/ai-as-tradecraft-how-threat-actors-operationalize-ai/
        https://www.darkreading.com/threat-intelligence/north-korean-apts-ai-it-worker-scams
        https://www.bleepingcomputer.com/news/security/microsoft-hackers-abusing-ai-at-every-stage-of-cyberattacks/
        https://cyberscoop.com/microsoft-north-korea-ai-operations/
      • Fake CleanMyMac Site Installs SHub Stealer And Backdoors Crypto Wallets
        "A convincing fake version of the popular Mac utility CleanMyMac is tricking users into installing malware. The site instructs visitors to paste a command into Terminal. If they do, it installs SHub Stealer, macOS malware designed to steal sensitive data including saved passwords, browser data, Apple Keychain contents, cryptocurrency wallets, and Telegram sessions. It can even modify wallet apps such as Exodus, Atomic Wallet, Ledger Wallet, and Ledger Live so attackers can later steal the wallet’s recovery phrase."
        https://www.malwarebytes.com/blog/threat-intel/2026/03/fake-cleanmymac-site-installs-shub-stealer-and-backdoors-crypto-wallets
      • Middle East Conflict Fuels Opportunistic Cyber Attacks
        "Threat actors often take advantage of major global events to fuel interest in their malicious activities. Zscaler ThreatLabz is diligently tracking a surge in cybercriminal activity that capitalizes on the elevated political climate in the Middle East. This increased malicious activity includes discoveries that are directly tied to the ongoing conflict, alongside other related findings."
        https://www.zscaler.com/blogs/security-research/middle-east-conflict-fuels-opportunistic-cyber-attacks
      • Malware Brief: When The Supply Chain Becomes The Attack Surface
        "For a long time, defenders focused on hardening the perimeter: patch your systems, train your users, lock down your endpoints. But as supply-chain threats multiply, attackers are increasingly bypassing perimeter defenses and walking straight in through trusted software, services and dependencies. That’s what makes software supply‑chain attacks so effective. Instead of compromising one company at a time, threat actors target a single vendor, developer account or build system and let trust do the rest of the work for them."
        https://blog.barracuda.com/2026/03/05/malware-brief-supply-chain-attack-surface
      • VOID#GEIST: Stealthy Multi-Stage Python Loader With Embedded Runtime Deployment, Startup Persistence, And Fileless Early Bird APC Injection Into Explorer.exe
        "Securonix Threat Research analyzed a stealthy, multi-stage malware intrusion chain utilizing an obfuscated batch script (non.bat) to deliver multiple encrypted RAT shellcode payloads corresponding to XWorm, XenoRAT, and AsyncRAT. The script establishes persistence by deploying a secondary batch script (spol.bat) into the Windows Startup folder, stages a legitimate embedded Python runtime from python.org, and decrypts encrypted shellcode blobs (new.bin, pul.bin, xn.bin) at runtime using external XOR key material (a.json, p.json, n.json)."
        https://www.securonix.com/blog/voidgeist-stealthy-multi-stage-python-loader/
        https://thehackernews.com/2026/03/multi-stage-voidgeist-malware.html
      • Microsoft Reveals ClickFix Campaign Using Windows Terminal To Deploy Lumma Stealer
        "Microsoft on Thursday disclosed details of a new widespread ClickFix social engineering campaign that has leveraged the Windows Terminal app as a way to activate a sophisticated attack chain and deploy the Lumma Stealer malware. The activity, observed in February 2026, makes use of the terminal emulator program instead of instructing users to launch the Windows Run dialog and paste a command into it."
        https://thehackernews.com/2026/03/microsoft-reveals-clickfix-campaign.html
        https://securityaffairs.com/189046/malware/microsoft-warns-of-clickfix-campaign-exploiting-windows-terminal-for-lumma-stealer.html
        https://www.theregister.com/2026/03/06/microsoft_spots_clickfix_campaign_abusing/
      • Mobile Spyware Campaign Impersonates Israel's Red Alert Rocket Warning System
        "Acronis Threat Research Unit (TRU) has been actively monitoring malware campaigns and threat activity leveraging recent geopolitical developments across the Middle East and abusing these events to deliver malware to individuals. During our investigation, TRU identified a targeted campaign distributing a trojanized version of the Red Alert rocket warning Android app to Israeli users via SMS messages impersonating official Home Front Command communications, aimed at Israeli individuals."
        https://www.acronis.com/en/tru/posts/mobile-spyware-campaign-impersonates-israels-red-alert-rocket-warning-system/
        https://www.theregister.com/2026/03/06/spyware_disguised_as_emergency_alert/
        https://hackread.com/hackers-fake-red-alert-rocket-alert-app-spy-israel-users/
      • An Investigation Into Years Of Undetected Operations Targeting High-Value Sectors
        "Since at least 2020, we have observed a cluster of activity targeting high-value organizations across South, Southeast and East Asia. The attacks focus on critical sectors such as aviation, energy, government, law enforcement, pharmaceutical, technology and telecommunications. Unit 42 is tracking this ongoing, previously undocumented activity as CL-UNK-1068. We designate the term UNK to clusters of activity whose affiliation with either nation-state or cybercrime activity we have not yet determined."
        https://unit42.paloaltonetworks.com/cl-unk-1068-targets-critical-sectors/
      • Dark Web Profile: APT41
        "APT41 stands out in the threat landscape because it doesn’t stick to a single playbook. It has been repeatedly linked to both cyber espionage and financially motivated cybercrime, sometimes running those missions side by side. That dual-track model, paired with exploit-driven access and long-dwell intrusions, makes APT41 a high-signal profile for defenders looking to understand how modern operations blend strategy, stealth, and scale."
        https://socradar.io/blog/dark-web-profile-apt41/
      • Iranian APT Infrastructure In Focus: Mapping State-Aligned Clusters During Geopolitical Escalation
        "Tensions between the United States, Israel, and Iran have reached a critical point following a series of diplomatic breakdowns, which led to escalating military exchanges and proxy engagements across the Middle East. History has shown that when hostilities rise to this degree, cyber operations do not lag far behind kinetic activity. They precede it. These operations, whether infrastructure reconnaissance, pre-positioning, or network intrusion, are part of the operational groundwork of modern conflict. Disrupting communications and compromising critical systems can weaken response capabilities long before physical engagement begins. Iranian state-aligned actors have historically targeted energy, financial services, government networks, and defense-related organizations across the U.S., Israel, and allied regions."
        https://hunt.io/blog/iranian-apt-infrastructure-state-aligned-clusters
      • OCRFix Botnet Hides C2 In BNB Smart Chain Contracts
        "OCRFix is a three-stage botnet that stores its C2 URLs inside BNB Smart Chain testnet smart contracts. Each stage queries a contract via JSON-RPC at runtime to get the current C2 domain. To rotate infrastructure, the author updates the contract storage with a single blockchain transaction. Every infected machine follows on next check-in. No binary update required. Initial access is ClickFix -- a fake CAPTCHA that walks the victim through opening Windows Run and pasting a PowerShell command the page has placed in their clipboard."
        https://www.derp.ca/research/ocrfix-etherhiding-botnet/
      • Termite Ransomware Breaches Linked To ClickFix CastleRAT Attacks
        "Ransomware threat actors tracked as Velvet Tempest are using the ClickFix technique and legitimate Windows utilities to deploy the DonutLoader malware and the CastleRAT backdoor. Researchers at cyber-deception threat intelligence firm MalBeacon observed the hackers' actions in an emulated organization environment over a period of 12 days. Velvet Tempest, also tracked as DEV-0504, is a threat group that has been involved in ransomware attacks as an affiliate for at least five years."
        https://www.bleepingcomputer.com/news/security/termite-ransomware-breaches-linked-to-clickfix-castlerat-attacks/

      Breaches/Hacks/Leaks

      • Cognizant TriZetto Breach Exposes Health Data Of 3.4 Million Patients
        "TriZetto Provider Solutions, a healthcare IT company that develops software and services used by health insurers and healthcare providers, has suffered a data breach that exposed the sensitive information of over 3.4 million people. The firm, which has been operating under the Cognizant umbrella since 2014, disclosed that it detected suspicious activity on a web portal on October 2, 2025, and launched an investigation with the help of external cybersecurity experts."
        https://www.bleepingcomputer.com/news/security/cognizant-trizetto-breach-exposes-health-data-of-34-million-patients/
      • 2,622 Valid Certificates Exposed: A Google-GitGuardian Study Maps Private Key Leaks To Real-World Risk
        "When a private key leaks on GitHub or DockerHub, detecting it is easy. What's harder, sometimes impossible, is understanding its real-world impact. Unlike AWS keys or OpenAI tokens, which are tied to their respective service, a leaked private key is just a mathematical object without an obvious owner. Private keys are challenging to attribute at scale: they are used in many different contexts, ranging from SSH authentication to JWT signatures. When one leaks, where do you start assessing the impact? Among leaked private keys, those used in X.509 infrastructure are most critical. They authenticate web servers in HTTPS: a compromised key enables attackers to impersonate websites or intercept data. That's why GitGuardian partnered with Google's researchers to answer a deceptively simple question: what happens when private keys leak?"
        https://blog.gitguardian.com/certificates-exposed-a-google-gitguardian-study/
        https://hackread.com/certificates-fortune-500-gov-exposed-key-leaks/
      • Transport For London Says 2024 Breach Affected 7M Customers, Not 5,000
        "Transport for London has confirmed that a 2024 breach exposed the data of more than 7 million people – a far larger crowd than the few thousand customers originally warned that their details might be at risk. The BBC reported on Friday that the 2024 intrusion into TfL's systems potentially gave attackers access to a database covering as many as 10 million customers who had interacted with the capital's transport network."
        https://www.theregister.com/2026/03/06/tfl_2024_breach_numbers/

      General News

      • Cyberattack On Mexico's Gov't Agencies Highlights AI Threat
        "For any cyber-defender continuing to deny the impact of AI on attacker efficiency, welcome to Exhibit A. Over the past few months, a small group of hacktivists compromised the computers and networks of at least nine Mexican government agencies, stealing more than 195 million identities and tax records, along with vehicle registrations and more than 2.2 million property records, startup Gambit Security stated in a blog post this week that detailed the attack."
        https://www.darkreading.com/application-security/cyberattack-mexico-government-ai-threat
      • Backup Strategies Are Working, And Ransomware Gangs Are Responding With Data Theft
        "Business email compromise (BEC) and funds transfer fraud combined for 58% of all cyber insurance claims filed in 2025, according to data from Coalition covering more than 100,000 policyholders across the United States, Canada, the United Kingdom, Australia, and Germany. BEC was the single most common claim type at 31%, with frequency rising 15% year over year to 0.47%. Average losses per BEC incident dropped 28% to $27,000, a decline attributed to faster detection and response by affected organizations."
        https://www.helpnetsecurity.com/2026/03/06/cyber-claims-report-ransomware-gangs-data-theft/
      • What Happens When AI Teams Compete Against Human Hackers
        "A cybersecurity competition produced what may be the largest controlled dataset comparing AI-augmented teams to human-only teams on professional-grade offensive security tasks. The event, called NeuroGrid, ran for 72 hours on the Hack The Box platform and drew 1,337 registered human-only teams and 156 registered AI-agent teams competing across 36 challenges in nine security domains at four difficulty levels. AI teams operated through Model Context Protocol with human oversight in the loop. The analysis covers 958 human teams and 120 AI-agent teams that each attempted at least one challenge."
        https://www.helpnetsecurity.com/2026/03/06/cybersecurity-competition-ai-vs-human-hackers/
      • Exploits And Vulnerabilities In Q4 2025
        "The fourth quarter of 2025 went down as one of the most intense periods on record for high-profile, critical vulnerability disclosures, hitting popular libraries and mainstream applications. Several of these vulnerabilities were picked up by attackers and exploited in the wild almost immediately. In this report, we dive into the statistics on published vulnerabilities and exploits, as well as the known vulnerabilities leveraged with popular C2 frameworks throughout Q4 2025."
        https://securelist.com/vulnerabilities-and-exploits-in-q4-2025/119105/
      • Viral AI, Invisible Risks: What OpenClaw Reveals About Agentic Assistants
        "The name OpenClaw might not immediately be recognizable, partly because it has undergone several name changes, from Clawdbot to Moltbot, then finally to OpenClaw. Yet one thing is certain: This new digital assistant feels genuinely groundbreaking. It remembers past interactions, keeps data on the user’s device, and adapts to individual preferences, making it feel like a leap in capabilities reminiscent of the first ChatGPT release. At the same time, its development is not without caveats, as there have been media headlines that warn of its potential as a security nightmare."
        https://www.trendmicro.com/en_us/research/26/b/what-openclaw-reveals-about-agentic-assistants.html
      • AI Agents Now Help Attackers, Including North Korea, Manage Their Drudge Work
        "AI agents allow cybercriminals and nation-state hackers to outsource the ‘janitorial-type work’ needed to plan and carry out cyberattacks, according to Sherrod DeGrippo, Microsoft's GM of global threat intelligence. North Korea is taking advantage. This includes tasks such as performing reconnaissance on compromised computers, and standing up and managing attack infrastructure - which may not sound as thrilling as plotting and carrying out digital intrusions, but are real-world criminal use cases for agentic AI that should make threat hunters sit up and take notice."
        https://www.theregister.com/2026/03/08/deploy_and_manage_attack_infrastructure/

      References
      Electronic Transactions Development Agency (ETDA)
