<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0"><channel><title><![CDATA[Cyber Threat Intelligence 08 April 2026]]></title><description><![CDATA[<p dir="auto"><strong>Industrial Sector</strong></p>
<ul>
<li><strong>Mitsubishi Electric GENESIS64 And ICONICS Suite Products</strong><br />
"Successful exploitation of these vulnerabilities could allow a local attacker to disclose SQL Server credentials used by the affected products and use them to disclose, tamper with, or destroy data, or to cause a denial-of-service (DoS) condition on the system."<br />
<a href="https://www.cisa.gov/news-events/ics-advisories/icsa-26-097-01" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.cisa.gov/news-events/ics-advisories/icsa-26-097-01</a></li>
</ul>
<p dir="auto"><strong>Vulnerabilities</strong></p>
<ul>
<li><strong>Flowise AI Agent Builder Under Active CVSS 10.0 RCE Exploitation; 12,000+ Instances Exposed</strong><br />
"Threat actors are exploiting a maximum-severity security flaw in Flowise, an open-source artificial intelligence (AI) platform, according to new findings from VulnCheck. The vulnerability in question is CVE-2025-59528 (CVSS score: 10.0), a code injection vulnerability that could result in remote code execution. "The CustomMCP node allows users to input configuration settings for connecting to an external MCP (Model Context Protocol) server," Flowise said in an advisory released in September 2025. "This node parses the user-provided mcpServerConfig string to build the MCP server configuration. However, during this process, it executes JavaScript code without any security validation.""<br />
<a href="https://thehackernews.com/2026/04/flowise-ai-agent-builder-under-active.html" target="_blank" rel="noopener noreferrer nofollow ugc">https://thehackernews.com/2026/04/flowise-ai-agent-builder-under-active.html</a><br />
<a href="https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-3gcm-f6qx-ff7p" target="_blank" rel="noopener noreferrer nofollow ugc">https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-3gcm-f6qx-ff7p</a><br />
<a href="https://www.bleepingcomputer.com/news/security/max-severity-flowise-rce-vulnerability-now-exploited-in-attacks/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.bleepingcomputer.com/news/security/max-severity-flowise-rce-vulnerability-now-exploited-in-attacks/</a><br />
<a href="https://www.securityweek.com/critical-flowise-vulnerability-in-attacker-crosshairs/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.securityweek.com/critical-flowise-vulnerability-in-attacker-crosshairs/</a><br />
<a href="https://securityaffairs.com/190471/security/attackers-exploit-critical-flowise-flaw-cve-2025-59528-for-remote-code-execution.html" target="_blank" rel="noopener noreferrer nofollow ugc">https://securityaffairs.com/190471/security/attackers-exploit-critical-flowise-flaw-cve-2025-59528-for-remote-code-execution.html</a></li>
<li><strong>50,000 WordPress Sites Affected By Arbitrary File Upload Vulnerability In Ninja Forms – File Upload WordPress Plugin</strong><br />
"On January 8th, 2026, we received a submission for an Arbitrary File Upload vulnerability in Ninja Forms – File Upload, a WordPress plugin with an estimated 50,000 active installations. This vulnerability makes it possible for an<br />
<a href="https://www.wordfence.com/blog/2026/04/50000-wordpress-sites-affected-by-arbitrary-file-upload-vulnerability-in-ninja-forms-file-upload-wordpress-plugin/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.wordfence.com/blog/2026/04/50000-wordpress-sites-affected-by-arbitrary-file-upload-vulnerability-in-ninja-forms-file-upload-wordpress-plugin/</a><br />
<a href="https://www.bleepingcomputer.com/news/security/hackers-exploit-critical-flaw-in-ninja-forms-wordpress-plugin/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.bleepingcomputer.com/news/security/hackers-exploit-critical-flaw-in-ninja-forms-wordpress-plugin/</a></li>
<li><strong>One Megabyte To Root: How a Size Check Broke Docker’s Last Line Of Defense</strong><br />
"Your Docker security policy can be silently bypassed with a single HTTP request. An attacker pads a container creation request to over 1MB, and Docker's authorization middleware drops the body before your security plugin ever sees it. The plugin allows the request because it sees nothing to block. The Docker daemon processes the full request and creates a privileged container with root access to the host: your AWS credentials, SSH keys, Kubernetes configs, and everything else on the machine. This works against every AuthZ plugin in the ecosystem (OPA, Prisma Cloud, Casbin, custom). We confirmed it against Docker Engine 27.5.1. Patched in 29.3.1."<br />
<a href="https://www.cyera.com/research/one-megabyte-to-root-how-a-size-check-broke-dockers-last-line-of-defense" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.cyera.com/research/one-megabyte-to-root-how-a-size-check-broke-dockers-last-line-of-defense</a><br />
<a href="https://thehackernews.com/2026/04/docker-cve-2026-34040-lets-attackers.html" target="_blank" rel="noopener noreferrer nofollow ugc">https://thehackernews.com/2026/04/docker-cve-2026-34040-lets-attackers.html</a></li>
<li><strong>GrafanaGhost: The Phantom Stealing Your Data</strong><br />
"At Noma, our mission is simple: identify and reduce emerging AI risk before it impacts your business. Following our discoveries of ForcedLeak, GeminiJack, and DockerDash, the Noma Labs Team has identified a new critical vulnerability: GrafanaGhost. This exploit enables silent exfiltration of sensitive business data in Grafana. By bypassing the client-side protections and security guardrails that restrict external data requests, GrafanaGhost allows an attacker to bridge the gap between your private data environment and an external server. Because the exploit ignores model restrictions and operates autonomously, sensitive enterprise data can be leaked silently in the background."<br />
<a href="https://noma.security/blog/grafana-ghost/" target="_blank" rel="noopener noreferrer nofollow ugc">https://noma.security/blog/grafana-ghost/</a><br />
<a href="https://www.darkreading.com/application-security/grafana-patches-ai-bug-leaked-user-data" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.darkreading.com/application-security/grafana-patches-ai-bug-leaked-user-data</a><br />
<a href="https://cyberscoop.com/grafanaghost-grafana-prompt-injection-vulnerability-data-exfiltration/" target="_blank" rel="noopener noreferrer nofollow ugc">https://cyberscoop.com/grafanaghost-grafana-prompt-injection-vulnerability-data-exfiltration/</a><br />
<a href="https://hackread.com/grafanaghost-vulnerability-data-theft-via-ai-injection/" target="_blank" rel="noopener noreferrer nofollow ugc">https://hackread.com/grafanaghost-vulnerability-data-theft-via-ai-injection/</a><br />
<a href="https://www.infosecurity-magazine.com/news/grafanaghost-silent-data/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.infosecurity-magazine.com/news/grafanaghost-silent-data/</a><br />
<a href="https://www.securityweek.com/grafanaghost-attackers-can-abuse-grafana-to-leak-enterprise-data/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.securityweek.com/grafanaghost-attackers-can-abuse-grafana-to-leak-enterprise-data/</a></li>
<li><strong>Severe StrongBox Vulnerability Patched In Android</strong><br />
"The latest Android security updates address only two vulnerabilities: a critical denial-of-service (DoS) issue, and a StrongBox flaw whose impact does not appear to have been disclosed. The DoS vulnerability is tracked as CVE-2026-0049 and it affects Android’s Framework component. The weakness can be exploited by a local attacker with no additional execution privileges and without user interaction to cause a DoS condition. The second vulnerability affects StrongBox, Android’s hardware-backed secure keystore that adds a higher level of protection for cryptographic keys."<br />
<a href="https://www.securityweek.com/severe-strongbox-vulnerability-patched-in-android/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.securityweek.com/severe-strongbox-vulnerability-patched-in-android/</a></li>
<li><strong>Cracks In The Bedrock: Escaping The AWS AgentCore Sandbox</strong><br />
"When researching the boundaries of cloud services, two of the main aspects that come to mind are network and identity. In this two-part series, we present our research into the boundaries and resilience of Amazon Bedrock AgentCore. In this first part, we explore how AgentCore’s Code Interpreter sandbox network isolation mode could be bypassed in a way that allows sending and receiving of data from external endpoints via DNS tunneling. In the second part, we explore the identity side, and how an attacker can leverage weaknesses in default identities and permissions to compromise other AgentCore agents within an AWS account and exfiltrate sensitive data from other services."<br />
<a href="https://unit42.paloaltonetworks.com/bypass-of-aws-sandbox-network-isolation-mode/" target="_blank" rel="noopener noreferrer nofollow ugc">https://unit42.paloaltonetworks.com/bypass-of-aws-sandbox-network-isolation-mode/</a></li>
</ul>
<p dir="auto"><strong>Malware</strong></p>
<ul>
<li><strong>US Warns Of Iranian Hackers Targeting Critical Infrastructure</strong><br />
"Iranian-linked hackers are targeting Internet-exposed Rockwell/Allen-Bradley programmable logic controllers (PLCs) on the networks of U.S. critical infrastructure organizations. The warning came earlier today in the form of a joint advisory authored by the FBI, CISA, NSA, the Environmental Protection Agency (EPA), Department of Energy (DOE), and the United States Cyber Command – Cyber National Mission Force (CNMF). The authoring agencies said that these ongoing attacks have targeted organizations across multiple U.S. critical infrastructure sectors (including Government Services and Facilities, Water and Wastewater Systems, and Energy), and have resulted in financial losses and operational disruptions since March 2026."<br />
<a href="https://www.bleepingcomputer.com/news/security/us-warns-of-iranian-hackers-targeting-critical-infrastructure/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.bleepingcomputer.com/news/security/us-warns-of-iranian-hackers-targeting-critical-infrastructure/</a><br />
<a href="https://www.ic3.gov/CSA/2026/260407.pdf" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.ic3.gov/CSA/2026/260407.pdf</a><br />
<a href="https://therecord.media/fbi-pentagon-warn-iran-hacking-groups-target-ot" target="_blank" rel="noopener noreferrer nofollow ugc">https://therecord.media/fbi-pentagon-warn-iran-hacking-groups-target-ot</a><br />
<a href="https://cyberscoop.com/iranian-hackers-cyberattacks-us-energy-water-infrastructure-plc-scada-warning/" target="_blank" rel="noopener noreferrer nofollow ugc">https://cyberscoop.com/iranian-hackers-cyberattacks-us-energy-water-infrastructure-plc-scada-warning/</a><br />
<a href="https://www.theregister.com/2026/04/07/iran_hackers_disrupting_us_water_energy/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.theregister.com/2026/04/07/iran_hackers_disrupting_us_water_energy/</a><br />
<a href="https://www.bankinfosecurity.com/us-critical-infrastructure-facing-iranian-linked-ot-threats-a-31360" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.bankinfosecurity.com/us-critical-infrastructure-facing-iranian-linked-ot-threats-a-31360</a></li>
<li><strong>Authorities Disrupt Router DNS Hijacks Used To Steal Microsoft 365 Logins</strong><br />
"An international operation from law enforcement authorities in partnership with private companies has disrupted FrostArmada, an APT28 campaign hijacking local traffic from MikroTik and TP-Link routers to steal Microsoft account credentials. The Russian threat group APT28, also tracked as Fancy Bear, Sofacy, Forest Blizzard, Strontium, Storm-2754, and Sednit, has been linked to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165. In the FrostArmada attacks, the hackers compromised mainly small office/home office (SOHO) routers and altered the domain name system (DNS) settings to point to virtual private servers (VPS) under their control, which acted as DNS resolvers."<br />
<a href="https://www.bleepingcomputer.com/news/security/authorities-disrupt-dns-hijacks-used-to-steal-microsoft-365-logins/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.bleepingcomputer.com/news/security/authorities-disrupt-dns-hijacks-used-to-steal-microsoft-365-logins/</a><br />
<a href="https://www.justice.gov/opa/pr/justice-department-conducts-court-authorized-disruption-dns-hijacking-network-controlled" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.justice.gov/opa/pr/justice-department-conducts-court-authorized-disruption-dns-hijacking-network-controlled</a><br />
<a href="https://www.microsoft.com/en-us/security/blog/2026/04/07/soho-router-compromise-leads-to-dns-hijacking-and-adversary-in-the-middle-attacks/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.microsoft.com/en-us/security/blog/2026/04/07/soho-router-compromise-leads-to-dns-hijacking-and-adversary-in-the-middle-attacks/</a></li>
<li><strong>APT28 Exploit Routers To Enable DNS Hijacking Operations</strong><br />
"Russian cyber actors APT28 have been exploiting routers to overwrite Dynamic Host Configuration Protocol (DHCP)/Domain Name System (DNS) settings to redirect traffic through attacker-controlled DNS servers. Resulting malicious DNS resolutions enable adversary-in-the-middle (AitM) attacks that harvest passwords, OAuth tokens and other credentials for web and email related services. This puts organisations at risk of credential theft, data manipulation and broader compromise. The DNS hijacking operations are believed to be opportunistic in nature, with the actor targeting a wide pool of victims and then likely filtering down for users of potential intelligence value at each stage of the exploitation chain."<br />
<a href="https://www.ncsc.gov.uk/news/apt28-exploit-routers-to-enable-dns-hijacking-operations" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.ncsc.gov.uk/news/apt28-exploit-routers-to-enable-dns-hijacking-operations</a><br />
<a href="https://thehackernews.com/2026/04/russian-state-linked-apt28-exploits.html" target="_blank" rel="noopener noreferrer nofollow ugc">https://thehackernews.com/2026/04/russian-state-linked-apt28-exploits.html</a><br />
<a href="https://therecord.media/uk-exposes-russian-cyber-unit-hacking-home-routers" target="_blank" rel="noopener noreferrer nofollow ugc">https://therecord.media/uk-exposes-russian-cyber-unit-hacking-home-routers</a><br />
<a href="https://www.bankinfosecurity.com/russian-hackers-hit-soho-routers-in-cyberespionage-campaign-a-31354" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.bankinfosecurity.com/russian-hackers-hit-soho-routers-in-cyberespionage-campaign-a-31354</a><br />
<a href="https://cyberscoop.com/forest-blizzard-apt28-routers-espionage-campaign-operation-masquerade/" target="_blank" rel="noopener noreferrer nofollow ugc">https://cyberscoop.com/forest-blizzard-apt28-routers-espionage-campaign-operation-masquerade/</a><br />
<a href="https://www.helpnetsecurity.com/2026/04/07/russian-hackers-router-hijacking-dns-credential-theft/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.helpnetsecurity.com/2026/04/07/russian-hackers-router-hijacking-dns-credential-theft/</a><br />
<a href="https://www.infosecurity-magazine.com/news/russia-apt28-hijack-routers-uk-ncsc/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.infosecurity-magazine.com/news/russia-apt28-hijack-routers-uk-ncsc/</a><br />
<a href="https://www.theregister.com/2026/04/07/russia_fancy_bear_ncsc_router_attack/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.theregister.com/2026/04/07/russia_fancy_bear_ncsc_router_attack/</a></li>
<li><strong>The Trojan Horse Of Cybercrime: Weaponizing SaaS Notification Pipelines</strong><br />
"Recent telemetry indicates an increase in threat actors leveraging the automated notification infrastructure of legitimate Software-as-a-Service (SaaS) platforms to facilitate social engineering campaigns. By embedding malicious lures within system-generated commit notifications, attackers bypass traditional reputation-based email security filters. This Platform-as-a-Proxy (PaaP) technique exploits the implicit trust organizations place in traffic originating from verified SaaS providers, effectively weaponizing legitimate infrastructure to bypass standard email authentication protocols. Talos' analysis explores how attackers abuse the notification pipelines of platforms like GitHub and Atlassian to facilitate credential harvesting and social engineering."<br />
<a href="https://blog.talosintelligence.com/weaponizing-saas-notification-pipelines/" target="_blank" rel="noopener noreferrer nofollow ugc">https://blog.talosintelligence.com/weaponizing-saas-notification-pipelines/</a></li>
<li><strong>AI-Enabled Device Code Phishing Campaign Exploits OAuth Flow For Account Takeover</strong><br />
"A phishing campaign that bypasses the standard 15-minute expiration window through automation and dynamic code generation, leveraging the OAuth Device Code Authentication flow to compromise organizational accounts at scale, has been observed by the Microsoft Defender Security Research team. The campaign uses AI-assisted infrastructure and end-to-end automation."<br />
<a href="https://www.helpnetsecurity.com/2026/04/07/microsoft-device-code-phishing-campaign/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.helpnetsecurity.com/2026/04/07/microsoft-device-code-phishing-campaign/</a><br />
<a href="https://www.microsoft.com/en-us/security/blog/2026/04/06/ai-enabled-device-code-phishing-campaign-april-2026/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.microsoft.com/en-us/security/blog/2026/04/06/ai-enabled-device-code-phishing-campaign-april-2026/</a><br />
<a href="https://www.theregister.com/2026/04/07/microsoft_device_code_phishing/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.theregister.com/2026/04/07/microsoft_device_code_phishing/</a></li>
<li><strong>Hackers Are Attempting To Turn ComfyUI Servers Into a Cryptomining Proxy Botnet</strong><br />
"On March 12, 2026, we became aware of an open directory (77[.]110[.]96[.]200 (Censys)) on a known bulletproof hosting provider (AEZA) that had been flagged as suspicious by an internal system. Over the following days, the directory rapidly grew from just a handful of files to over a hundred, indicating active development of an unknown toolset. Our analysis showed that the individual was conducting Internet-wide scans for exposed ComfyUI instances and exploiting a misconfiguration that allowed arbitrary code execution through custom nodes. Compromised hosts were used to deploy cryptocurrency miners and what looks to be a Hysteria v2 VPN node, effectively enrolling them into a controlled proxy network; all of which appeared to be centrally managed through a web-based command-and-control dashboard."<br />
<a href="https://censys.com/blog/comfyui-servers-cryptomining-proxy-botnet/" target="_blank" rel="noopener noreferrer nofollow ugc">https://censys.com/blog/comfyui-servers-cryptomining-proxy-botnet/</a><br />
<a href="https://thehackernews.com/2026/04/over-1000-exposed-comfyui-instances.html" target="_blank" rel="noopener noreferrer nofollow ugc">https://thehackernews.com/2026/04/over-1000-exposed-comfyui-instances.html</a></li>
<li><strong>Cyberattack On Telecom Giant Rostelecom Disrupts Internet Services Across Russia</strong><br />
"A “large-scale” distributed denial-of-service (DDoS) attack targeted the network of Russian state-run telecom giant Rostelecom on Monday evening, temporarily disrupting online banking, government platforms and other digital services across dozens of cities. Rostelecom told state-owned media the attack was quickly contained, adding the disruption to internet services was a consequence of emergency filtering introduced to mitigate the attack. DDoS attacks overwhelm websites and online services with large volumes of junk traffic, making them temporarily unavailable to legitimate users."<br />
<a href="https://therecord.media/rostelecom-cyberattack-disrupts-russian-internet-access" target="_blank" rel="noopener noreferrer nofollow ugc">https://therecord.media/rostelecom-cyberattack-disrupts-russian-internet-access</a></li>
<li><strong>Claude Code Packaging Error Remains a Lure In An Active Campaign: What Defenders Should Do</strong><br />
"TrendAI™ Research is continuously monitoring an active campaign that continues to leverage the packaging error in Anthropic's Claude Code npm release to distribute Vidar, GhostSocks, and PureLog Stealer payloads. The distribution hub for the leaked Claude Code brand lure campaign was identified as https://github[.]com/leaked-claude-code/leaked-claude-code. It is operated by a GitHub account identified as idbzoomh1, who used the legitimate Claude Code source map leak incident as a lure to deliver payloads via a release asset. A previous account, idbzoomh, has been blocked by GitHub. As of publishing there are no other identified repositories connected to the campaign; TrendAI™ Research will update this blog in the event of new findings."<br />
<a href="https://www.trendmicro.com/en_us/research/26/d/claude-code-remains-a-lure-what-defenders-should-do.html" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.trendmicro.com/en_us/research/26/d/claude-code-remains-a-lure-what-defenders-should-do.html</a></li>
</ul>
<p dir="auto"><strong>Breaches/Hacks/Leaks</strong></p>
<ul>
<li><strong>Wynn Resorts Says 21,000 Employees Affected By ShinyHunters Hack</strong><br />
"High-end casino and hotel operator Wynn Resorts says more than 21,000 individuals are affected by the recently disclosed data breach. Wynn Resorts confirmed in late February that hackers had obtained employee data. The admission came after the notorious ShinyHunters cybercrime group claimed to have stolen more than 800,000 records containing personally identifiable information, including SSNs."<br />
<a href="https://www.securityweek.com/wynn-resorts-says-21000-employees-affected-by-shinyhunters-hack/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.securityweek.com/wynn-resorts-says-21000-employees-affected-by-shinyhunters-hack/</a></li>
<li><strong>Snowflake Customers Hit In Data Theft Attacks After SaaS Integrator Breach</strong><br />
"Over a dozen companies have suffered data theft attacks after a SaaS integration provider was breached and authentication tokens stolen. While numerous cloud storage and SaaS vendors were targeted using the stolen tokens, BleepingComputer has learned that the majority of the data theft attacks targeted the cloud data platform Snowflake. Snowflake confirmed "unusual activity" to BleepingComputer, stating that a small number of its customers were impacted."<br />
<a href="https://www.bleepingcomputer.com/news/security/snowflake-customers-hit-in-data-theft-attacks-after-saas-integrator-breach/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.bleepingcomputer.com/news/security/snowflake-customers-hit-in-data-theft-attacks-after-saas-integrator-breach/</a></li>
<li><strong>Massachusetts Hospital Turning Ambulances Away After Cyberattack</strong><br />
"A cyberattack on a prominent hospital system in Massachusetts has forced it to turn away ambulances and deploy down-time procedures. Signature Healthcare and Signature Healthcare Brockton Hospital said on Monday that the cyber incident is impacting many of their information systems. Officials at the hospital said they are working with outside experts to investigate the incident and restore downed systems. Inpatient, walk-in emergency services and scheduled surgeries are still being conducted, but chemotherapy infusion services for cancer patients were cancelled on Tuesday."<br />
<a href="https://therecord.media/massachusetts-hospital-turning-ambulances-away-cyberattack" target="_blank" rel="noopener noreferrer nofollow ugc">https://therecord.media/massachusetts-hospital-turning-ambulances-away-cyberattack</a><br />
<a href="https://www.bankinfosecurity.com/mass-hospital-diverting-ambulances-as-deals-attack-a-31356" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.bankinfosecurity.com/mass-hospital-diverting-ambulances-as-deals-attack-a-31356</a></li>
<li><strong>Cyberattack Hits Northern Ireland’s Centralized School Network, Disrupting Access For Thousands</strong><br />
"A cyberattack on a centralized school IT network in Northern Ireland has disrupted access to educational systems for hundreds of thousands of students, with authorities still working to fully restore services and determine whether any personal data was compromised. The Education Authority (EA), which oversees school support services in Northern Ireland, said in an official statement it became aware of the incident affecting the “C2K” system last week and took immediate steps to contain the breach, including shutting down access to the system."<br />
<a href="https://therecord.media/cyberattack-hits-northern-ireland-schools" target="_blank" rel="noopener noreferrer nofollow ugc">https://therecord.media/cyberattack-hits-northern-ireland-schools</a></li>
</ul>
<p dir="auto"><strong>General News</strong></p>
<ul>
<li><strong>The Case For Fixing CWE Weakness Patterns Instead Of Patching One Bug At a Time</strong><br />
"In this Help Net Security interview, Alec Summers, MITRE CVE/CWE Project Lead, discusses how CWE is moving from a background reference into active use in vulnerability disclosure. More CVE records now include CWE mappings from CNAs, which tends to produce more precise root-cause data. Automation tools help analysts map weaknesses faster, but can reinforce bad patterns if trained on poor examples. Summers argues that fixing weakness patterns reduces recurring work for security teams, even those operating on tight budgets. The core problem is framing: the industry defaults to vulnerability language, while CWE asks teams to focus on what made the bad outcome possible in the first place."<br />
<a href="https://www.helpnetsecurity.com/2026/04/07/alec-summers-mitre-cwe-vulnerability-mapping/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.helpnetsecurity.com/2026/04/07/alec-summers-mitre-cwe-vulnerability-mapping/</a></li>
<li><strong>Google Study Finds LLMs Are Embedded At Every Stage Of Abuse Detection</strong><br />
"Online platforms are running large language models at every stage of LLM content moderation, from generating training data to auditing their own systems for bias. Researchers at Google mapped how this is happening across what the authors call the Abuse Detection Lifecycle, a four-stage framework covering labeling, detection, review and appeals, and auditing. Earlier moderation systems, built on models like BERT and RoBERTa fine-tuned on static hate-speech datasets, could identify explicit slurs with reasonable accuracy. They struggled with sarcasm, coded language, and culturally specific abuse. LLMs address some of those gaps through contextual reasoning, but they introduce new operational and governance problems at each stage they enter."<br />
<a href="https://www.helpnetsecurity.com/2026/04/07/google-llm-content-moderation/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.helpnetsecurity.com/2026/04/07/google-llm-content-moderation/</a><br />
<a href="https://arxiv.org/pdf/2604.00323" target="_blank" rel="noopener noreferrer nofollow ugc">https://arxiv.org/pdf/2604.00323</a></li>
<li><strong>Lies, Damned Lies, And Cybersecurity Metrics</strong><br />
"Despite years of increased spending, investments in more tooling, and more talent flooding into the industry, cybersecurity outcomes seem to be getting worse. During a panel discussion in Las Vegas last month, a group of cybersecurity leaders said the problem runs deeper than attackers or technology. The panel, titled "Hard Truths in Cybersecurity: Fear, Liability, and the Industry's Biggest Lies," focused on what's broken in cybersecurity. "Every year, we do more, and every year, the results get worse," said Andrew Rubin, CEO of Illumio. "The number of breaches, the size of the breaches, and the economic losses have gone up.""<br />
<a href="https://www.darkreading.com/cyber-risk/lies-damned-lies-cybersecurity-metrics" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.darkreading.com/cyber-risk/lies-damned-lies-cybersecurity-metrics</a></li>
<li><strong>AI Agents And Non-Human Identities Creating Critical Security Gaps, Report</strong><br />
"Businesses are rushing to adopt automation, but they are leaving a significant security gap in their infrastructure as new data suggests this technological race is moving much faster than the security needed to protect it. On 7 April 2026, password security firm Keeper Security released a report at the RSA Conference in San Francisco, according to which many companies are failing to manage non-human identities (NHIs). These are basically software-based assets, such as service accounts, API keys, and AI-powered tools, that allow system-to-system interactions without any human involvement."<br />
<a href="https://hackread.com/ai-agents-non-human-identities-security-gaps/" target="_blank" rel="noopener noreferrer nofollow ugc">https://hackread.com/ai-agents-non-human-identities-security-gaps/</a></li>
<li><strong>Anthropic Unveils ‘Claude Mythos’ – A Cybersecurity Breakthrough That Could Also Supercharge Attacks</strong><br />
"Anthropic may have just announced the future of AI – and it is both very exciting and very, very scary. Mythos is the Ancient Greek word that eventually gave us ‘mythology’. It is also the name for Anthropic’s latest foundational AI Model: it evokes the connective tissue that links together knowledge and ideas. Industry excitement over Anthropic’s Claude Mythos began at the end of March 2026 when Fortune magazine published information on an upcoming Anthropic development. The information came from a leak of almost 3,000 files from a misconfigured CMS. Anthropic confirmed the details."<br />
<a href="https://www.securityweek.com/anthropic-unveils-claude-mythos-a-cybersecurity-breakthrough-that-could-also-supercharge-attacks/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.securityweek.com/anthropic-unveils-claude-mythos-a-cybersecurity-breakthrough-that-could-also-supercharge-attacks/</a><br />
<a href="https://www.theregister.com/2026/04/07/anthropic_all_your_zerodays_are_belong_to_us/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.theregister.com/2026/04/07/anthropic_all_your_zerodays_are_belong_to_us/</a><br />
<a href="https://www.bankinfosecurity.com/anthropic-calls-its-new-model-too-dangerous-to-release-a-31361" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.bankinfosecurity.com/anthropic-calls-its-new-model-too-dangerous-to-release-a-31361</a></li>
<li><strong>The New Rules Of Engagement: Matching Agentic Attack Speed</strong><br />
"The cybersecurity industry has been drowning in waves of speculation about the impact of AI-enabled attacks since ChatGPT was launched. Today, that speculation has come crashing down. AI-enabled cyberwarfare isn’t coming, it’s here. In September 2025, Anthropic reported the first documented case of a large-scale cyberattack executed without substantial human intervention. Additionally, Armis’ 2026 State of Cyberwarfare Report (PDF) found that 92% of IT decision-makers in the U.S. are concerned about the impact of cyberwarfare on their organizations, with 64% reporting that they have already been impacted by an AI-generated or AI-led attack over the last 12 months."<br />
<a href="https://www.securityweek.com/the-new-rules-of-engagement-matching-agentic-attack-speed/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.securityweek.com/the-new-rules-of-engagement-matching-agentic-attack-speed/</a><br />
<a href="https://media.armis.com/rp-state-of-cyberwarfare-2026-en.pdf" target="_blank" rel="noopener noreferrer nofollow ugc">https://media.armis.com/rp-state-of-cyberwarfare-2026-en.pdf</a></li>
</ul>
<p dir="auto"><strong>Reference</strong><br />
Electronic Transactions Development Agency (ETDA)</p>
]]></description><link>https://webboard-nsoc.ncsa.or.th/topic/2773/cyber-threat-intelligence-08-april-2026</link><generator>RSS for Node</generator><lastBuildDate>Wed, 08 Apr 2026 22:33:17 GMT</lastBuildDate><atom:link href="https://webboard-nsoc.ncsa.or.th/topic/2773.rss" rel="self" type="application/rss+xml"/><pubDate>Wed, 08 Apr 2026 14:14:29 GMT</pubDate><ttl>60</ttl></channel></rss>