NCSA Webboard

    Cyber Threat Intelligence 03 April 2026

    Cyber Security News
    Posted by NCSA_THAICERT

      Healthcare Sector

      • Ransomware Will Hit Hospitals. Rehearsals Are Key To Defense
        "Joseph Izzo, chief medical information officer for San Joaquin General Hospital, received ransomware training during a downtime period. He practiced responding and maintaining patient care in the event that the facility is forced to operate offline. But when the hospital where he was working was actually hit with ransomware, he realized very quickly how "different it was under pressure." Izzo shared his story at RSAC 2026 Conference and provided key incident response (IR) recommendations for healthcare organizations, a sector frequently targeted by ransomware gangs due to highly sensitive information."
        https://www.darkreading.com/cybersecurity-operations/ransomware-hospitals-preparation-key-defense

      Industrial Sector

      • Hitachi Energy Ellipse
        "Hitachi Energy is aware of a Jasper Report vulnerability that affects the Ellipse product versions mentioned in this document below. This vulnerability can be exploited to carry out a remote code execution (RCE) attack on the product. Please refer to the Recommended Immediate Actions for information about the mitigation/remediation."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-092-03
      • Siemens SICAM 8 Products
        "Multiple SICAM 8 products are affected by multiple vulnerabilities that could lead to denial of service, namely:
        - SICAM A8000 Device firmware
          - CPCI85 for CP-8031/CP-8050
          - SICORE for CP-8010/CP-8012
          - RTUM85 for CP-8010/CP-8012
        - SICAM EGS Device firmware
          - CPCI85
        - SICAM S8000
          - SICORE
          - RTUM85
        Siemens has released new versions for the affected products and recommends updating to the latest versions."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-092-01
      • Yokogawa CENTUM VP
        "Successful exploitation of this vulnerability could allow an attacker to log in as the PROG user and modify permissions."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-092-02

      Vulnerabilities

      • Critical Cisco IMC Auth Bypass Gives Attackers Admin Access
        "Cisco has released updates to address a critical security flaw in the Integrated Management Controller (IMC) that, if successfully exploited, could allow an unauthenticated, remote attacker to bypass authentication and gain access to the system with elevated privileges. The vulnerability, tracked as CVE-2026-20093, carries a CVSS score of 9.8 out of a maximum of 10.0. "This vulnerability is due to incorrect handling of password change requests," Cisco said in an advisory released Wednesday. "An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device.""
        https://thehackernews.com/2026/04/cisco-patches-98-cvss-imc-and-ssm-flaws.html
        https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cimc-auth-bypass-AgG2BxTn
        https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ssm-cli-execution-cHUcWuNr
        https://www.bleepingcomputer.com/news/security/critical-cisco-imc-auth-bypass-gives-attackers-admin-access/
        https://securityaffairs.com/190295/security/cisco-fixed-critical-and-high-severity-flaws.html
        https://www.securityweek.com/cisco-patches-critical-and-high-severity-vulnerabilities/

      • CISA Adds One Known Exploited Vulnerability To Catalog
        "CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
        CVE-2026-3502 TrueConf Client Download of Code Without Integrity Check Vulnerability"
        https://www.cisa.gov/news-events/alerts/2026/04/02/cisa-adds-one-known-exploited-vulnerability-catalog

      • You’re Not Supposed To ShareFile With Everyone (Progress ShareFile Pre-Auth RCE Chain CVE-2026-2699 & CVE-2026-2701)
        "If you squint and look at the CISA KEV list, you might think it's made up exclusively of vulnerabilities in file transfer solutions. While this would be wrong (and you shouldn’t squint, it’s bad for your eyes), file transfer solutions do play a decent role in the CISA KEV list due to how fondly threat actors, APT groups, and ransomware gangs alike perceive them."
        https://labs.watchtowr.com/youre-not-supposed-to-sharefile-with-everyone-progress-sharefile-pre-auth-rce-chain-cve-2026-2699-cve-2026-2701/
        https://www.bleepingcomputer.com/news/security/new-progress-sharefile-flaws-can-be-chained-in-pre-auth-rce-attacks/

      • Over 14,000 F5 BIG-IP APM Instances Still Exposed To RCE Attacks
        "Internet threat-monitoring non-profit Shadowserver has found over 14,000 BIG-IP APM instances exposed online amid ongoing attacks exploiting a critical-severity remote code execution (RCE) vulnerability. BIG-IP APM (short for Access Policy Manager) is F5's centralized access management proxy solution designed to help admins secure access to their organizations' networks, cloud, applications, and application programming interfaces (APIs). This 5-month-old flaw (tracked as CVE-2025-53521) was disclosed in October as a denial-of-service (DoS) vulnerability and was reclassified as an RCE bug over the weekend."
        https://www.bleepingcomputer.com/news/security/over-14-000-f5-big-ip-apm-instances-still-exposed-to-rce-attacks/

      • OpenSSH 10.3 Patches Five Security Bugs And Drops Legacy Rekeying Support
        "OpenSSH 10.3 shipped carrying five security fixes alongside feature additions and a set of behavior changes that will break compatibility with older SSH implementations that do not support rekeying. SSH clients and servers that lack rekeying support will fail when they attempt to interoperate with OpenSSH going forward. The project removed the bug-compatibility code that previously allowed such implementations to keep working. Deployments running non-standard or legacy SSH software should verify rekeying support before upgrading."
        https://www.helpnetsecurity.com/2026/04/02/openssh-10-3-released/

      • Apple Expands iOS 18.7.7 Update To More Devices To Block DarkSword Exploit
        "Apple on Wednesday expanded the availability of iOS 18.7.7 and iPadOS 18.7.7 to a broader range of devices to protect users from the risk posed by a recently disclosed exploit kit known as DarkSword. "We enabled the availability of iOS 18.7.7 for more devices on April 1, 2026, so users with Automatic Updates turned on can automatically receive important security protections from web attacks called DarkSword," the company said. "The fixes associated with the DarkSword exploit first shipped in 2025.""
        https://thehackernews.com/2026/04/apple-expands-ios-1877-update-to-more.html
        https://www.infosecurity-magazine.com/news/apple-ios-18-updates-darksword/
        https://www.malwarebytes.com/blog/news/2026/04/apple-expands-darksword-patches-to-ios-18-7-7
        https://www.securityweek.com/apple-rolls-out-darksword-exploit-protection-to-more-devices/

      • Critical Claude Code Vulnerability: Deny Rules Silently Bypassed Because Security Checks Cost Too Many Tokens
        "In 1898, cryptographer Auguste Kerckhoffs established a principle that every security professional learns in their first week: a system must remain secure even if everything about it is public knowledge. In 2026, Anthropic — the Multibillion “safety-first” Frontier AI lab currently preparing for an IPO — shipped a product where the entire security model breaks if you type more than 50 commands in a row. The vulnerability: Claude Code — Anthropic’s flagship AI coding agent that executes shell commands on developers’ machines — silently ignores user-configured security deny rules when a command contains more than 50 subcommands. A developer who configures “never run rm” will see rm blocked when run alone, but the same rm runs without restriction if preceded by 50 harmless statements. The security policy silently vanishes."
        https://adversa.ai/claude-code-security-bypass-deny-rules-disabled/
        https://www.securityweek.com/critical-vulnerability-in-claude-code-emerges-days-after-source-leak/

      Malware

      • The Invisible Army: Residential Proxy Abuse In Internet-Scale Attack Traffic
        "Every enterprise firewall processes traffic from residential IP space. Traditional reputation feeds fail to flag IPs that rotate before they can be cataloged. GreyNoise analyzed 4 billion sessions over 90 days and found that 39% of unique IPs targeting the edge come from home internet connections — and 78% vanish before any reputation system can flag them. To a reputation feed, the source IP is indistinguishable from a legitimate user's connection — the same ISPs, the same address ranges. Attackers route malicious traffic through ordinary home broadband, mobile data, and small-business connections — the same IP address ranges used by employees, customers, and partners. This report quantifies the residential proxy threat at internet scale and identifies what defenders can do about it."
        https://www.greynoise.io/resources/invisible-army-residential-proxy-abuse-report
        https://www.bleepingcomputer.com/news/security/residential-proxies-evaded-ip-reputation-checks-in-78-percent-of-4b-sessions/

      • Adversaries Exploit Vacant Homes To Intercept Mail In Hybrid Cybercrime
        "Fraud operations have expanded beyond traditional hacking techniques to include methods that exploit legitimate services and real-world infrastructure. By combining publicly available data, weak identity verification processes, and operational gaps, threat actors are building scalable fraud workflows that are both low-cost and difficult to detect. A tutorial shared in a fraud-focused chat group and analyzed by Flare analysts provides step-by-step guidance on how to identify and exploit vacant residential properties to intercept sensitive mail, revealing a low-tech but highly effective method for enabling identity theft and financial fraud."
        https://www.bleepingcomputer.com/news/security/adversaries-exploit-vacant-homes-to-intercept-mail-in-hybrid-cybercrime/

      • Tax Season 2026: How Cyber Criminals Are Preparing Their Attacks Months In Advance
        "Tax season remains one of the most attractive periods of the year for cyber criminals. As individuals and organizations exchange sensitive financial and identity data online, attackers take advantage of increased tax‑related activity to launch phishing campaigns, fraudulent websites, and malware attacks. Check Point Research shows that these campaigns are not opportunistic. Threat actors begin preparing their infrastructure months in advance."
        https://blog.checkpoint.com/research/tax-season-2026-how-cyber-criminals-are-preparing-their-attacks-months-in-advance/

      • UAT-10608: Inside a Large-Scale Automated Credential Harvesting Operation Targeting Web Applications
        "Talos is disclosing a large-scale automated credential harvesting campaign carried out by a threat cluster we currently track as UAT-10608. The campaign is primarily leveraging a collection framework dubbed “NEXUS Listener.” The systematic exploitation and exfiltration campaign has resulted in the compromise of at least 766 hosts, as of time of writing, across multiple geographic regions and cloud providers. The operation is targeting Next.js applications vulnerable to React2Shell (CVE-2025-55182) to gain initial access, then is deploying a multi-phase credential harvesting tool that harvests credentials, SSH keys, cloud tokens, and environment secrets at scale."
        https://blog.talosintelligence.com/uat-10608-inside-a-large-scale-automated-credential-harvesting-operation-targeting-web-applications/
        https://thehackernews.com/2026/04/hackers-exploit-cve-2025-55182-to.html

      • Qilin EDR Killer Infection Chain
        "This blog post provides an in-depth technical analysis of the malicious dynamic-link library (DLL) “msimg32.dll”, which Cisco Talos observed being deployed in Qilin ransomware attacks. The broader activities and attacks of Qilin were previously introduced and described in the blog post here. This DLL represents the initial stage of a sophisticated, multi-stage infection chain designed to disable local endpoint detection and response (EDR) solutions present on compromised systems. Figure 1 shows a high-level diagram demonstrating the overall execution flow of this infection chain."
        https://blog.talosintelligence.com/qilin-edr-killer/

      • An Overview Of Ransomware Threats In Japan In 2025 And Early Detection Insights From Qilin Cases
        "In 2025, the number of ransomware incidents increased compared to 2024. Notably, it was a year in which attacks leveraging Qilin ransomware were observed most frequently. There were 134 ransomware incidents reported in Japan in 2025, representing a 17.5% year-over-year increase from 2024. Figure 1 presents the monthly number of ransomware incidents. The data was compiled based on information obtained from data leak sites, official disclosures by affected organizations, and publicly available media reports. On average, approximately 11 incidents were observed per month."
        https://blog.talosintelligence.com/an-overview-of-ransomware-threats-in-japan-in-2025-and-early-detection-insights-from-qilin-cases/

      • Akira Ransomware Attacks In Under An Hour
        "Akira is an established ransomware group active since March 2023, known for being highly organized and effective. Halcyon directly observed the following tactics that are designed to force payment through complete domain compromise and reliance on the Akira decryptor: After gaining a foothold, Akira operators can complete the entire ransomware attack lifecycle in less than four hours, and in some cases under one hour. Akira uses a well-polished recovery process for large and critical files by leveraging .arika checkpoint files. They can also recover partially encrypted files even if interrupted."
        https://www.halcyon.ai/ransomware-research-reports/akira-ransomware-attacks-in-under-an-hour
        https://cyberscoop.com/akira-ransomware-initial-access-to-encryption-in-hours/
        https://www.infosecurity-magazine.com/news/researchers-subonehour-ransomware/

      • DPRK-Related Campaigns With LNK And GitHub C2
        "FortiGuard Labs recently detected a series of LNK files targeting users in South Korea. These attacks use a multi-stage scripting process and leverage GitHub as Command and Control (C2) infrastructure to evade detection. Although these LNK files can be traced back to 2024, earlier versions had less obfuscation and contained significant metadata, allowing us to track similar attacks spreading the XenoRAT malware. In recent months, the threat actor has altered their tactics. They now embed decoding functions within LNK arguments and include encoded payloads directly inside the files. Based on the decoy PDF titles we collected, the attacker seems to be targeting various companies in Korea to expand their surveillance operations. Below are the decoy PDF files identified in these campaigns. In this article, we will detail each stage."
        https://www.fortinet.com/blog/threat-research/dprk-related-campaigns-with-lnk-and-github-c2
        https://www.infosecurity-magazine.com/news/github-covert-multi-stage-malware/

      • Stranger Strings: Yurei Ransomware Operator Toolkit Exposed
        "Active since September 2025, Yurei is a double extortion ransomware campaign. The operators run their own Tor data leak site with a low number of victims listed at the time of writing. It is reportedly derived from Prince Ransomware, an open-source ransomware family written in Go. Check Point researchers noted that all samples were first submitted to VirusTotal from Morocco, and that one sample did not include a ticket ID, indicating that this could be a test build, possibly uploaded by the developer themselves. Yurei ransomware samples also contained a link to SatanLockv2, based on the presence of the PDB path string “D:\satanlockv2” present in the Yurei samples. Based on an analysis of the Yurei Tor data leak site by RansomwareLive, only three victims have been listed since the Yurei Blog Tor data leak site appeared in September."
        https://www.team-cymru.com/post/yurei-double-extortion-ransomware-campaign-toolkit
        https://hackread.com/yurei-ransomware-tools-stranger-things-references/

      • A Quiet "Storm": Infostealer Hijacks Sessions, Decrypts Server-Side
        "A new infostealer called Storm appeared on underground cybercrime networks in early 2026, representing a shift in how credential theft is developing. For under $1,000 a month, operators get a stealer that harvests browser credentials, session cookies, and crypto wallets, then quietly ships everything to the attacker's server for decryption. To understand why enterprises should care, it helps to know what changed. Stealers used to decrypt browser credentials on the victim's machine by loading SQLite libraries and accessing credential stores directly. Endpoint security tools got good at catching this, making local browser database access one of the clearest signs that something malicious was running."
        https://www.varonis.com/blog/storm-infostealer
        https://hackread.com/storm-infostealer-sold-as-service-browsers-wallets/
        https://www.infosecurity-magazine.com/news/storm-infostealer-remotely/

      • Italian Spyware Vendor Creates Fake WhatsApp App, Targeting 200 Users
        "WhatsApp has recently uncovered a malicious fake version of its app that targeted roughly 200 users, most of whom are in Italy. The platform confirmed that the unofficial client contained spyware and was developed by Italian firm Asigint, a subsidiary of SIO Spa, a company known for providing surveillance tools to law enforcement and government agencies. “Our security team identified around 200 users, mostly in Italy, who we believe may have downloaded this unofficial and harmful client. We logged them out and alerted them to the privacy and security risks,” WhatsApp stated. “We believe this was a social engineering attempt targeting a limited number of users with the goal of inducing them to install harmful software impersonating WhatsApp, likely to gain access to their devices.”"
        https://securityaffairs.com/190276/malware/italian-spyware-vendor-creates-fake-whatsapp-app-targeting-200-users.html
        https://thehackernews.com/2026/04/whatsapp-alerts-200-users-after-fake.html

      • Fake Installers To Monero: A Multi-Tool Mining Operation
        "Elastic Security Labs has been tracking a financially motivated operation, designated REF1695, that has been active since at least late 2023. The operator deploys a combination of RATs, cryptominers, and custom XMRig loaders through fake installer packages. Across all observed campaigns, the infection chains share a consistent packing technique, overlapping C2 infrastructure, and common social engineering patterns, linking them to a single operator. Beyond cryptomining, the threat actor monetizes infections through CPA (Cost Per Action) fraud, directing victims to content locker pages under the guise of software registration. In this report, we trace the operation's evolution across multiple campaign builds, analyze the C2 communication protocols, document a previously unreported .NET implant (CNB Bot), and track the operator's financial returns via public Monero mining pool dashboards."
        https://www.elastic.co/security-labs/fake-installers-to-monero
        https://thehackernews.com/2026/04/researchers-uncover-mining-operation.html

      • Anthropic Claude Code Leak
        "On March 31, 2026, Anthropic accidentally exposed the full source code of Claude Code (its flagship terminal-based AI coding agent) through a 59.8 MB JavaScript source map (.map) file bundled in the public npm package @anthropic-ai/claude-code version 2.1.88. A security researcher, Chaofan Shou (@Fried_rice), publicly disclosed Anthropic’s leak on X, which triggered an immediate viral response. The leaked file contained approximately 513,000 lines of unobfuscated TypeScript across 1,906 files, revealing the complete client-side agent harness, according to online publications. Within hours, the codebase was downloaded from Anthropic’s own Cloudflare R2 bucket, mirrored to GitHub, and forked tens of thousands of times. Thousands of developers, researchers, and threat actors are actively analyzing, forking, porting to Rust/Python and redistributing it. Some of the GitHub repositories have gained over 84,000 stars and 82,000 forks. Anthropic has issued Digital Millennium Copyright Act (DMCA) notices on some mirrors, but the code is now available across hundreds of public repositories."
        https://www.zscaler.com/blogs/security-research/anthropic-claude-code-leak
        https://www.bleepingcomputer.com/news/security/claude-code-leak-used-to-push-infostealer-malware-on-github/
        https://www.theregister.com/2026/04/02/trojanized_claude_code_leak_github/

      Breaches/Hacks/Leaks

      • 250,000 Affected By Data Breach At Nacogdoches Memorial Hospital
        "Nacogdoches Memorial Hospital (NMH) is notifying 250,000 people that their personal and health information was compromised in a data breach. The incident, the hospital says, occurred on January 31, after a threat actor hacked into its internal network and information systems. This week, NMH notified the Maine Attorney General’s Office that the hackers likely accessed the information of 257,073 individuals."
        https://www.securityweek.com/250000-affected-by-data-breach-at-nacogdoches-memorial-hospital/

      General News

      • Security Bosses Are All-In On AI. Here's Why
        "Dark Reading's Becky Bracken: Hello everybody and welcome back to Dark Reading Confidential. It's a podcast from the editors of Dark Reading, bringing you real world stories straight from the cyber trenches. Today I am joined by my colleague Alexander Culafi, who is going to talk to us today about AI in the security world. Alex?"
        https://www.darkreading.com/cybersecurity-operations/security-bosses-all-in-ai
      • Why GitHub Developers Are Targeted By Token Giveaway Scams
        "GitHub used to feel like one of the calmer parts of the internet. It was mostly about code, collaboration, version control, and the quiet satisfaction of building something step by step. That feeling has not gone away, but it is not as intact as it once was. As crypto projects, open source communities, AI tools, and developer platforms overlap more, scam operators have started to pay attention. Developers sit in an unusual position. They are curious, visible through their work, and often connected to tools, wallets, or communities where a fake token giveaway can look convincing at first glance."
        https://hackread.com/github-developers-targettoken-giveaway-scams/
      • Trust, Friction, And ROI: A CISO’s Take On Making Security Work For The Business
        "In this Help Net Security interview, John O’Rourke, CISO at PPG, talks about what it means for security to drive business value. He explains how mature security programs reduce friction in sales cycles and M&A processes, and how trust is built over time. O’Rourke also addresses how buyer sophistication has raised the bar for suppliers, why less-regulated industries lag behind their more-regulated counterparts, and which companies will benefit from foundational security investments. The interview covers five questions on cybersecurity strategy, ROI, and the cost of deferring security work."
        https://www.helpnetsecurity.com/2026/04/02/john-orourke-ppg-security-as-business-strategy/
      • NCSC Warns Of Messaging App Targeting
        "Messaging apps such as WhatsApp, Messenger and Signal are an important part of how we communicate every day. The NCSC and international partners have seen growing malicious activity from Russia-based actors using messaging apps to target high-risk individuals."
        https://www.ncsc.gov.uk/news/ncsc-warns-of-messaging-app-targeting
        https://www.infosecurity-magazine.com/news/ncsc-alert-hackers-whatsapp-signal/
      • The Language Of Emojis In Threat Intelligence: How Adversaries Signal, Obfuscate, And Coordinate Online
        "As threat actor activity continues to shift toward informal, fast-moving communication platforms such as Telegram and Discord, the way adversaries communicate is evolving. Emojis, often dismissed as casual or nontechnical, have become a meaningful part of that evolution. Across illicit forums, messaging apps, and closed communities, emojis are used not just for expression, but for signaling intent, categorizing activity, and, in some cases, obscuring meaning from outsiders. For analysts, this introduces an additional layer of context that can influence how communications are interpreted, prioritized, and actioned."
        https://flashpoint.io/blog/the-language-of-emojis-in-threat-intelligence/

      Reference
      Electronic Transactions Development Agency (ETDA)
