NCSA Webboard

    Cyber Threat Intelligence 28 April 2026

    Posted by NCSA_THAICERT

      Industrial Sector

      • Threat Landscape For Industrial Automation Systems. Asia, Q4 2025
        "Southeast Asia has high rates of self-propagating malware. The region ranked first in the world in terms of the percentage of ICS computers on which viruses and malware for AutoCAD were blocked. In both cases, it led by a wide margin. In most cases, malware for AutoCAD is distributed in the same way as viruses. This explains the high percentage exhibited by this malware category."
        https://ics-cert.kaspersky.com/publications/reports/2026/04/27/threat-landscape-for-industrial-automation-systems-asia-q4-2025/

      Vulnerabilities

      • A Shortcut To Coercion: Incomplete Patch Of APT28's Zero-Day Leads To CVE-2026-32202
        "According to CERT-UA, the APT28 threat actor (also known as Fancy Bear) launched a cyberattack targeting Ukraine and several EU countries in December 2025. As detailed in our February 2026 Inside the Fix blog post, this campaign leveraged a weaponized LNK file to exploit CVE-2026-21513. To ensure responsible disclosure, we deliberately withheld details of a second exploit in the chain that wasn't completely patched. The second vulnerability (CVE-2026-21510) bypasses security features such as the Microsoft Defender SmartScreen and executes attacker-controlled code, which is stored on the attacker's remote server. APT28 leverages the Windows shell namespace parsing mechanism to load a dynamic link library (DLL) from a remote server using a UNC path. The DLL is loaded as part of the Control Panel (CPL) objects without proper network zone validation."
        https://www.akamai.com/blog/security-research/2026/apr/incomplete-patch-apt28s-zero-day-cve-2026-32202
        https://www.securityweek.com/incomplete-windows-patch-opens-door-to-zero-click-attacks/
      • We Found a Stable Firefox Identifier Linking All Your Private Tor Identities
        "We recently discovered a privacy vulnerability affecting all Firefox-based browsers. The issue allows websites to derive a unique, deterministic, and stable process-lifetime identifier from the order of entries returned by IndexedDB, even in contexts where users expect stronger isolation. This means a website can create a set of IndexedDB databases, inspect the returned ordering, and use that ordering as a fingerprint for the running browser process. Because the behavior is process-scoped rather than origin-scoped, unrelated websites can independently observe the same identifier and link activity across origins during the same browser runtime."
        https://fingerprint.com/blog/firefox-tor-indexeddb-privacy-vulnerability/
        https://www.securityweek.com/firefox-vulnerability-allows-tor-user-fingerprinting/
        https://securityaffairs.com/191374/security/firefox-bug-cve-2026-6770-enabled-cross-site-tracking-and-tor-fingerprinting.html

      Malware

      • Robinhood Account Creation Flaw Abused To Send Phishing Emails
        "Online trading platform Robinhood's account creation process was exploited by threat actors to inject phishing messages into legitimate emails, tricking users into believing their accounts had suspicious activity. Starting last night, Robinhood customers began receiving "Your recent login to Robinhood" emails stating that an "Unrecognized Device Linked to Your Account" was detected, containing unusual IP addresses and partial phone numbers. "We detected a login attempt from a device that is not recognized," reads the phishing email. "If this was not you, please review your account activity immediately to secure your account.""
        https://www.bleepingcomputer.com/news/security/robinhood-account-creation-flaw-abused-to-send-phishing-emails/
      • 73 Open VSX Sleeper Extensions Linked To GlassWorm Show New Malware Activations
        "The GlassWorm campaign targeting Open VSX continues to escalate. Socket is now tracking a new cluster of 73 impersonation extensions connected to the same sleeper-extension activity reported in March 2026. Beginning in April 2026, and continuing as of this writing, additional cloned versions of popular code extensions have appeared on the Open VSX marketplace. These extensions did not initially contain malware, but they were published by newly created GitHub accounts with only one or two public repositories. In each case, one repository is empty and named with an eight-character string."
        https://socket.dev/blog/73-open-vsx-sleeper-extensions-glassworm
        https://www.bleepingcomputer.com/news/security/glassworm-malware-attacks-return-via-73-openvsx-sleeper-extensions/
        https://thehackernews.com/2026/04/researchers-uncover-73-fake-vs-code.html
      • PyPI Package With 1.1M Monthly Downloads Hacked To Push Infostealer
        "An attacker pushed a malicious version of the popular elementary-data package on the Python Package Index (PyPI) to steal sensitive developer data and cryptocurrency wallets. The dangerous release is 0.23.3, and it extended to the Docker image due to the package's workflow that creates the image from the code and uploads it to a container registry for deployment. Community member crisperik spotted the malicious upload and opened an issue on the project’s GitHub on Saturday, alerting the maintainer and decreasing the exposure window."
        https://www.bleepingcomputer.com/news/security/pypi-package-with-11m-monthly-downloads-hacked-to-push-infostealer/
      • BlueNoroff Uses ClickFix, Fileless PowerShell, And AI-Generated Fake Zoom Meetings To Target Web3 Sector
        "Arctic Wolf has identified a targeted intrusion against a North American Web3/cryptocurrency company, which we attribute with a high confidence level to BlueNoroff, a financially motivated subgroup of DPRK’s Lazarus Group. Arctic Wolf observed an active malicious intrusion where the threat actor impersonated a reputable figure in the Fintech legal space, using spear-phishing to deliver a manipulated Calendly calendar invite containing a typo-squatted Zoom link. Upon clicking the link, the victim was presented with a fake Zoom meeting interface that covertly exfiltrated their live camera feed to use as a lure in future attacks, while simultaneously deploying a ClickFix-style clipboard injection attack. A multi-stage credential extraction pipeline then plundered info from the victim’s device and browsers, focusing on cryptocurrency wallet extensions."
        https://arcticwolf.com/resources/blog/bluenoroff-uses-clickfix-fileless-powershell-and-ai-generated-zoom-meetings-to-target-web3-sector/
        https://www.bankinfosecurity.com/crypto-targeting-north-koreans-wield-fake-zoom-meetings-a-31516
      • The Meta 2FA Trap: From Verified Badge To Account Takeover
        "Meta, the parent company of platforms such as Facebook and Instagram, plays a major role in both personal communication and business operations worldwide. A new phishing campaign is emerging that abuses Meta’s verification system and 2FA tokens to gain account access and steal sensitive information. This campaign is particularly convincing and targets both individual users and businesses. Below, we examine how it works and how to better protect against it. The Cofense Phishing Defense Center (PDC) has identified a credential phishing scheme targeting Meta users by impersonating the Meta brand and its verification system."
        https://cofense.com/blog/the-meta-2fa-trap-from-verified-badge-to-account-takeover
      • Extension Developers Sell The Data Of At Least 6.5 Million Users – And It’s All Completely Legal
        "New research by LayerX Security uncovers multiple networks of browser extensions that collect user data and resell it for profit – and it’s all completely legal. For, unlike malicious extensions that disguise themselves as legitimate extensions and do their bidding in the dark, these extensions explicitly tell users that they’re going to collect and sell their data. It’s right there in the Privacy Policy; except that nobody reads it. LayerX analyzed the privacy policies of thousands of extensions and uncovered over 80 different extensions that collect and sell customer data."
        https://layerxsecurity.com/blog/your-extensions-sell-your-data-and-its-perfectly-legal/
        https://www.infosecurity-magazine.com/news/browser-extensions-sell-user-data/
        https://hackread.com/82-chrome-extensions-selling-user-data/
      • Inside Vidar (2026): From Infection To Memory Execution Via JPEG And TXT Payloads
        "Vidar has evolved significantly from 2018 to 2026, transitioning from a basic Arkei-based credential stealer into a multi-stage, stealth-driven attack framework. Over time, it has adopted MaaS distribution, advanced evasion techniques, social media-based C2 (Telegram), and high-performance data theft capabilities. Recent research from Malwarebytes, Acronis TRU, and Zscaler highlights the rapid evolution of the Vidar infostealer into a more adaptive and socially engineered threat landscape."
        https://www.pointwild.com/threat-intelligence/inside-vidar-2026-from-infection-to-memory-execution-via-jpeg-and-txt-payloads/
        https://hackread.com/vidar-infostealer-fake-captchas-jpeg-txt-files/
      • LinkedIn BrowserGate
        "BrowserGate claims LinkedIn secretly fingerprints users via extensions and device data, sending encrypted results to third parties for tracking. BrowserGate is an investigation conducted by Fairlinked (https://browsergate.eu/), an association of commercial LinkedIn users, which documents what it describes as one of the largest data breach and corporate espionage scandals in digital history. The central thesis: every time one of the billions of users visits linkedin.com, hidden code scans the computer for installed software, collects the results, and transmits them to LinkedIn servers and third-party companies, including a US-Israeli cybersecurity firm. The user is never informed nor asked for consent. LinkedIn’s privacy policy makes no mention of it."
        https://securityaffairs.com/191383/security/linkedin-browsergate.html
      • PhantomCore Exploits TrueConf Vulnerabilities To Breach Russian Networks
        "A pro-Ukrainian hacktivist group called PhantomCore has been attributed to attacks actively targeting servers running TrueConf video conferencing software in Russia since September 2025. That's according to a report published by Positive Technologies, which found the threat actors to be leveraging an exploit chain comprising three vulnerabilities to execute commands remotely on susceptible servers. "Despite the fact that there are no exploits for this chain of vulnerability in public access, attackers from PhantomCore managed to conduct their research and reproduce vulnerabilities, which led to a large number of cases of its operation in Russian organizations," researchers Daniil Grigoryan and Georgy Khandozhko said."
        https://thehackernews.com/2026/04/phantomcore-exploits-trueconf.html

      Breaches/Hacks/Leaks

      • Medtronic Confirms Breach After Hackers Claim 9 Million Records Theft
        "Medical device giant Medtronic disclosed last week that hackers breached its network and accessed data in “certain corporate IT systems.” The confirmation comes after the infamous data extortion group ‘ShinyHunters’ claimed the intrusion and the theft of more than 9 million records from the company. Medtronic is an international medical equipment giant with 90,000 employees and operations in 150 countries. It is the largest medical device maker in the world by revenue ($33.5 billion) and also develops healthcare technologies and therapies."
        https://www.bleepingcomputer.com/news/security/medtronic-confirms-breach-after-hackers-claim-9-million-records-theft/
        https://www.bankinfosecurity.com/medical-device-maker-medtronic-says-its-been-hacked-a-31518
        https://securityaffairs.com/191391/cyber-crime/medtronic-discloses-security-incident-after-shinyhunters-claimed-theft-of-9m-records.html
        https://www.theregister.com/2026/04/27/itron_medtronic_hacked/
      • ShinyHunters Leaks Data Of Udemy, Zara, 7-Eleven In Salesforce Linked Breach
        "A series of new data leak listings posted on a dark web site linked to the ShinyHunters hacker group has put three well-known companies in the limelight, with claims of stolen corporate and customer data now circulating online. The posts name Zara, 7-Eleven, and Udemy, each accompanied by a direct download option and a message accusing the companies of ignoring attempts to reach an agreement. Zara and 7-Eleven were both published on April 22, 2026, while Udemy appeared later on April 27, 2026. In all three cases, the group repeats the same claim that negotiations failed, followed by the release of data described as internal records and customer information."
        https://hackread.com/shinyhunters-leak-udemy-zara-7-eleven-data-breach/
      • Checkmarx Confirms GitHub Repository Data Posted On Dark Web After March 23 Attack
        "Checkmarx has disclosed that its ongoing investigation tied to the supply chain security incident has revealed that a cybercriminal group published data related to the company on the dark web. "Based on current evidence, we believe this data originated from Checkmarx's GitHub repository, and that access to that repository was facilitated through the initial supply chain attack of March 23, 2026," the Israeli security company said. It also emphasized that the GitHub repository is maintained separately from its customer production environment, adding that no customer data is stored in the repository. Checkmarx said its forensic probe into the incident is ongoing and that it's actively working to verify the nature and scope of the posted data."
        https://thehackernews.com/2026/04/checkmarx-confirms-github-repository.html
        https://checkmarx.com/blog/checkmarx-security-update-april-26/
        https://www.theregister.com/2026/04/27/supply_chain_campaign_targets_security/

      General News

      • Canada Arrests Three For Operating “SMS Blaster” Device In Toronto
        "Canadian authorities have arrested three men for operating an "SMS blaster" device that pretends to be a cellular tower to send phishing texts to nearby phones. Such tools trick devices into connecting to them by emitting signals that mimic a legitimate tower. Mobile phones in its range automatically link to them as there is stronger reception. Once the connection is established, the operators of these rogue cellular base stations can push SMS messages directly to connected devices, which appear to come from trusted entities such as banks or the government."
        https://www.bleepingcomputer.com/news/security/canada-arrests-three-for-operating-sms-blaster-device-in-toronto/
        https://www.tps.ca/media-centre/stories/unprecedented-sms-blaster-arrests/
      • Alleged Silk Typhoon Hacker Extradited To US For Cyberespionage
        "A Chinese national accused of carrying out cyberespionage operations for China's intelligence services has been extradited from Italy to the United States to face criminal charges. According to a DOJ announcement, Xu Zewei is alleged to be a contract hacker for China's Ministry of State Security (MSS) who conducted breaches between February 2020 and June 2021 as part of a coordinated intelligence-gathering campaign. Xu was previously arrested in Milan, Italy, in 2025 at the request of U.S. authorities for his alleged ties to the Silk Typhoon hacking group."
        https://www.bleepingcomputer.com/news/security/alleged-silk-typhoon-hacker-extradited-to-us-for-cyberespionage/
        https://therecord.media/chinese-hacker-italy-extradited
        https://cyberscoop.com/xu-zewei-extradited-china-national-silk-typhoon-hafnium/
        https://securityaffairs.com/191368/apt/italy-moves-to-extradite-chinese-national-to-the-u-s-over-hacking-charges.html
      • New FTC Data Show People Have Lost Billions To Social Media Scams
        "New data from the Federal Trade Commission show that, in 2025, nearly 30% of people who reported losing money to a scam said that it started on social media, with reported losses reaching a staggering $2.1 billion. Social media scams produced far more in losses—an eightfold increase since 2020—than any other contact method used by scammers to reach consumers, according to the new data. The Data Spotlight notes that social media creates easy access to billions of people from anywhere in the world, making a scammer’s job easier at very little cost. Scammers may hack a user’s account, exploit what a user posts to figure out how to target them, or buy ads and use the same tools used by real businesses to target people by age, interests or shopping habits."
        https://www.ftc.gov/news-events/news/press-releases/2026/04/new-ftc-data-show-people-have-lost-billions-social-media-scams
        https://www.bleepingcomputer.com/news/security/ftc-americans-lost-over-21-billion-to-social-media-scams-in-2025/
      • Money Launderer Linked To $230M Crypto Heist Gets 70 Months In Prison
        "22-year-old Evan Tangeman of Newport Beach, California, was sentenced to 70 months in prison for laundering funds stolen in a massive $230 million cryptocurrency heist. According to court documents, Tangeman (also known as "E," "Tate," and "Evan|Exchanger") helped the suspects behind the crypto-heist launder at least $3.5 million between October 2023 and May 2025. Fourteen suspects were charged in September 2024 and May 2025 in a RICO conspiracy for over $230 million in cryptocurrency and laundering the funds using crypto exchanges and mixing services."
        https://www.bleepingcomputer.com/news/security/money-launderer-linked-to-230m-crypto-heist-gets-70-months-in-prison/
        https://therecord.media/cryptocurrency-launderer-sentenced-californai
      • AI Red Teaming Is Not Equal To Prompt Injection
        "Artificial intelligence red teamers and classical pen testers can be likened to two painters. The former has access to an entirely new palette of colors, while the latter relies on a conventional palette that lacks these additions. On their own, neither fully meets the demands of the present threat landscape. AI red teaming gained traction when prompts became easily accessible. As more security professionals started experimenting with prompt injection in their environments - to evaluate risk and assess security posture - attacks such as "do-anything-now," or DAN, anti-DAN, "strive-to-avoid-norms," DUDE, and Mongo Tom became commonplace."
        https://www.bankinfosecurity.com/blogs/ai-red-teaming-equal-to-prompt-injection-p-4106
      • Why U.S. Critical Infrastructure Is The Highest-Value Target In The Global Cyber War
        "The idea that cyber conflict operates quietly in the background no longer holds. What used to be a shadow contest of espionage and occasional disruption has evolved into something far more direct and consequential. Today, the cyber war on US infrastructure is not a supporting element of geopolitical tension—it is one of its primary arenas. Recent global conflicts have shown that digital operations are now tightly woven into military and political strategy. Critical systems that sustain everyday life, energy, water, communications, and transportation have become high-value targets. The logic is simple: disrupting infrastructure creates immediate, visible consequences without crossing traditional thresholds of war."
        https://cyble.com/blog/critical-infrastructure-cyberattack-threats-2026/
      • Parsing Agentic Offensive Security's Existential Threat
        "The emergence of large language models (LLM) like Anthropic's Mythos and, this week, OpenAI's GPT-5.5, has set the security world atwitter with dark speculation that we are entering an era of industrialized, autonomous, mass exploitation across any platform or infrastructure — a nuclear threat that no organization, anywhere, can hide from. But not so fast, argues RunSybil CEO Ari Herbert-Voss: while defenders need to change their risk calculus to prepare for ever-accelerating threats from AI, the limits of human effort still matter when it comes to how successful those threats become; and it's a teachable moment for the security industry."
        https://www.darkreading.com/cyber-risk/industrialized-exploitation-agentic-offensive-security-existential-threat
      • Most Cybersecurity Professionals Feel Undervalued And Underpaid
        "Over three quarters of cybersecurity professionals were not granted a pay rise last year, contributing to feelings of being undervalued among half of the workforce and prompting many to consider seeking a new role in the near future. A new Harvey Nash Global Tech Talent & Salary Report, published on April 27, found that information security professionals were also amongst the most pessimistic about the prospects of receiving a pay rise in the next year. Just 45% of employees in cybersecurity expect that they may receive a pay increase during the next 12 months, the specialist global technology recruitment firm found."
        https://www.infosecurity-magazine.com/news/cybersecurity-pros-feel/
        https://www.theregister.com/2026/04/27/from_a_massive_skills_gap/
      • Data Poisoning In AI Models: The Case For Chain Of Custody Controls
        "If a machine learning model is trained on 50,000 images, an attacker need alter only 50 of them, or 0.1 percent of the training data, to achieve a data poisoning attack. Consider a data curation pipeline involving a drone camera that captures images and stores them on disk (data generation and storage). These images are labeled and split into datasets (data curation), and a machine learning model is then trained using these datasets (model training). This pipeline involves multiple instances where data is at rest or in transit and presumes the involvement of multiple people (perhaps one person to curate the data and another to train the model). Each instance presents an opportunity to alter the data while each person involved presents a potential insider threat. For example, an on-path attacker could modify the images when they are transferred from the drone to be curated, or after the data is labeled, the attacker could modify some labels, leaving the images themselves unaltered."
        https://www.sei.cmu.edu/blog/data-poisoning-in-ai-models-the-case-for-chain-of-custody-controls/
      • Why Air Gapped Networks Aren’t As Secure As You Think
        "Air-gapped networks have long been held up as the safest way to protect sensitive systems. No internet connection, no remote access, no problem. Or so the thinking goes. In reality, that confidence often turns out to be misplaced. Air-gapping does reduce risk, but it does not remove it. And in industrial and operational environments, where systems still need to be maintained, updated and used by real people, that gap is rarely as airtight as it looks on paper."
        https://blog.barracuda.com/2026/04/27/why-air-gapped-networks-aren-t-as-secure-as-you-think
      • Hiding An Ear In Plain Sight: On The Practicality And Implications Of Acoustic Eavesdropping With Telecom Fiber Optic Cables
        "Optical fibers are widely regarded as reliable communication channels due to their resistance to external interference and low signal loss. This paper demonstrates a critical side channel within telecommunication optical fiber that allows for acoustic eavesdropping. By exploiting the sensitivity of optical fibers to acoustic vibrations, attackers can remotely monitor sound-induced deformations in the fiber structure and further recover information from the original sound waves."
        https://www.ndss-symposium.org/ndss-paper/hiding-an-ear-in-plain-sight-on-the-practicality-and-implications-of-acoustic-eavesdropping-with-telecom-fiber-optic-cables/
        https://www.kaspersky.com/blog/fiber-optics-eavesdropping/55658/

      References
      Electronic Transactions Development Agency (ETDA)
