NCSA Webboard

    Cyber Threat Intelligence 01 June 2026

    Cyber Security News
    • NCSA_THAICERT

      Vulnerabilities

      • 1-Click RCE In Flowise (CVE-2026-40933): When Is Stdio MCP Actually a Vulnerability?
        "Security researchers at Obsidian Security discovered a one-click RCE in Flowise (CVE-2026-40933), an open-source platform for building LLM workflows and AI agents with over 52k GitHub stars. An attacker can fully compromise a server by convincing an authorized user to import a crafted chatflow. Import alone is enough to trigger arbitrary server-side code execution."
        https://www.obsidiansecurity.com/blog/when-is-stdio-mcp-actually-a-vulnerability
        https://www.securityweek.com/exploit-code-published-for-critical-flowise-rce-vulnerability/
      • 15,000 WordPress Sites Affected By Administrator Account Creation Vulnerability In WP Maps Pro WordPress Plugin
        "On March 24th, 2026, we received a submission for an Unauthenticated Administrator Account Creation vulnerability in WP Maps Pro, a WordPress plugin with more than 15,000 sales. This vulnerability makes it possible for unauthenticated attackers to create new administrator accounts on the affected sites, leading to complete site takeover."
        https://www.wordfence.com/blog/2026/05/15000-wordpress-sites-affected-by-administrator-account-creation-vulnerability-in-wp-maps-pro-wordpress-plugin/
        https://www.bleepingcomputer.com/news/security/wp-maps-pro-bug-exploited-to-create-admin-accounts-on-wordpress-sites/
      • Oracle Critical Security Patch Update Advisory - May 2026
        "A Critical Security Patch Update (CSPU) provides targeted, high-priority security fixes in a smaller, more focused format, making them easier to apply with minimal disruption. Critical Security Patch Updates complement Oracle’s existing quarterly cumulative Critical Patch Updates (CPUs). These patches address vulnerabilities in Oracle code and in third party components included in Oracle products. Prior Critical Patch Update and Critical Security Patch Update advisories should be reviewed for information regarding earlier published security patches. Refer to Critical Patch Updates, Critical Security Patch Updates, Security Alerts and Bulletins for information about Oracle Security advisories."
        https://www.oracle.com/security-alerts/cspumay2026.html
      • Chrome 148 Update Patches 151 Vulnerabilities
        "Google this week released a fresh Chrome 148 update that resolves 151 vulnerabilities, including 22 critical-severity flaws. Based on the paid bug bounties, the most severe of the resolved bugs are CVE-2026-9872 (out-of-bounds write issue in GPU) and CVE-2026-9873 (use-after-free weakness in Network), each earning the reporting researchers a $43,000 reward. Three other critical security defects were also reported by external researchers: CVE-2026-9874 (use-after-free in Dawn), CVE-2026-9875 (out-of-bounds read in WebGL), and CVE-2026-9876 (use-after-free in WebGL)."
        https://www.securityweek.com/chrome-148-update-patches-151-vulnerabilities/
      • Rapid7 Observed Exploitation Of PAN-OS GlobalProtect Authentication Bypass Vulnerability (CVE-2026-0257)
        "On May 13, 2026, Palo Alto Networks published a security advisory for CVE-2026-0257, a medium severity authentication bypass affecting PAN-OS and Prisma Access when a specific configuration is present. Successful exploitation of this vulnerability allows a remote unauthenticated attacker to successfully establish a VPN connection through the GlobalProtect gateway of an affected appliance. Rapid7 MDR identified successful exploitation across numerous customers; however, we did not observe any indication of successful lateral movement from the devices. The earliest date for observed exploitation was May 17, 2026. As of May 29, 2026, this vulnerability has been added to the CISA KEV."
        https://www.rapid7.com/blog/post/etr-rapid7-observed-exploitation-of-pan-os-globalprotect-authentication-bypass-vulnerability-cve-2026-0257/
        https://www.bleepingcomputer.com/news/security/palo-alto-globalprotect-vpn-auth-bypass-flaw-now-exploited-in-attacks/
        https://thehackernews.com/2026/05/pan-os-globalprotect-authentication.html
        https://securityaffairs.com/192933/security/cve-2026-0257-rapid7-caught-attackers-abusing-forged-vpn-cookies-against-multiple-customers.html
      • CISA Adds One Known Exploited Vulnerability To Catalog
        "CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
        CVE-2026-0257 Palo Alto Networks PAN-OS Authentication Bypass Vulnerability"
        https://www.cisa.gov/news-events/alerts/2026/05/29/cisa-adds-one-known-exploited-vulnerability-catalog
      • CIFSwitch: a Non-Universal Linux Local Root Vulnerability
        "In Getting LLMs Drunk to Find Remote Linux Kernel OOB Writes (and More), I’d mentioned how improving LLMs’ ability to compose existing knowledge is a promising avenue for unlocking “creative” – or at least non-trivial – vulnerability findings. Incidentally, among the latest slew of Linux LPEs, CopyFail stood out for – among other things – exquisitely composing several logic bugs, serving as a reminder of the massive potential value of the approach. Unfortunately, training a capable looped transformer to improve compositionality was a non-starter, so I started looking for harness-level improvements instead."
        https://heyitsas.im/posts/cifswitch/
        https://www.bleepingcomputer.com/news/security/new-cifswitch-linux-flaw-gives-root-on-multiple-distributions/

      Malware

      • LLMShare: How Attackers Are Turning AI Chatbot Pages Into Malware Delivery Platforms
        "Shared conversations on AI chatbot platforms have become the latest delivery mechanism for malware campaigns targeting macOS and Windows users. Attackers create content on platforms like ChatGPT and Claude that appears to offer installation guidance or service updates, then drive traffic to it via search engine results in the form of malvertising and SEO poisoning. The content lives on chatgpt.com or claude.ai — domains that users and security tools trust implicitly — so the attack bypasses URL reputation checks before the victim even reaches the malicious payload."
        https://pushsecurity.com/blog/llmshare-malvertising-campaign
        https://www.bleepingcomputer.com/news/security/chatgpt-share-links-abused-to-host-fake-outage-pages-to-deliver-malware/
      • Dutch Govt Disrupts Malware Botnet With 17 Million Infected Devices
        "Dutch authorities have taken offline a massive botnet of 17 million devices and seized more than 200 servers at a local provider that supported the operation. The action was carried out following an investigation from the Police in collaboration with the country's cybersecurity agency, the National Cyber Security Centre (NCSC). According to the authorities, the seized servers controlled "computers, tablets, and smartphones to carry out cyberattacks.""
        https://www.bleepingcomputer.com/news/security/dutch-govt-disrupts-malware-botnet-with-17-million-infected-devices/
        https://thehackernews.com/2026/05/dutch-authorities-dismantle-botnet.html
        https://www.helpnetsecurity.com/2026/05/29/dutch-police-disrupts-botnet-composed-of-17-million-devices/
        https://www.theregister.com/security/2026/05/29/dutch-cops-liberate-17m-devices-from-botnets-clutches/5248312
        https://securityaffairs.com/192890/malware/botnet-of-17-million-devices-dismantled-in-the-netherlands.html
      • 'The Com' Cyberattacks Support Violence & Sexploitation
        "Organizations that don't secure their cloud environments and software-as-a-service (SaaS) platforms are inadvertently funding violent crime and the exploitation of minors. An analysis this week from Flashpoint of the disturbing cybercriminal group known as The Com confirms that as major Russian groups have splintered and withered away in recent years, the new class of predominantly North American cybercriminal groups that has emerged all trace back in one way or another to the same source. Sometimes these threat groups go by different names: ShinyHunters, Lapsus$, or Scattered Spider. As previously reported, sometimes they combine into a single, inelegant unit — "Scattered Lapsus$ Hunters" — betraying that they in fact come from the same place."
        https://www.darkreading.com/threat-intelligence/the-com-cyberattacks-violence-sexploitation
      • Signal Users Targeted In Backup-Stealing Phishing Attacks
        "A new phishing campaign is targeting Signal users by attempting to steal their backup recovery keys to access encrypted message archives. The attack is initiated by a text message pretending to come from Signal Support."
        https://www.malwarebytes.com/blog/news/2026/05/signal-users-targeted-in-backup-stealing-phishing-attacks
        https://securityaffairs.com/192899/security/signal-phishing-campaign-targets-journalists-and-activists-to-steal-backup-recovery-keys.html
      • ChatGPhish: The Page Is The Payload
        "In our previous research on Copilot prompt injection, we looked at a phishing primitive hiding inside email summaries. The setup was simple: an attacker-controlled email contained text that looked like instructions to the model. When a user asked Copilot to summarize that email, the assistant could be steered into producing attacker-shaped output inside a trusted Microsoft surface. The risk was not the email alone. The risk was the trust transfer from raw email content into polished AI output. This research takes that same class of problem into another dimension. Different product. Different LLM surface. Different delivery primitive. This time, the primitive is not the email. It is the browser."
        https://permiso.io/blog/chatgpt-markdown-rendering-vulnerability
        https://thehackernews.com/2026/05/chatgphish-vulnerability-turns-chatgpt.html
        https://www.theregister.com/research/2026/05/29/chatgpt-prompt-injection-turns-web-pages-into-phishing-lures/5248137
      • AI Agent At The Wheel: How An Attacker Used LLMs To Move From a CVE To An Internal Database In 4 Pivots
        "On May 10, 2026, the Sysdig Threat Research Team (TRT) observed an intrusion driven by a large language model (LLM) agent in its post-exploitation phase. The attacker compromised an internet-reachable marimo notebook via CVE-2026-39987, extracted two cloud credentials from the compromised host, replayed them through a fanned-out egress pool to retrieve an SSH private key from AWS Secrets Manager, and used that key to drive eight short SSH sessions against a downstream SSH bastion server. The bastion phase exfiltrated the schema and full contents of an internal PostgreSQL database in under two minutes."
        https://www.sysdig.com/blog/ai-agent-at-the-wheel-how-an-attacker-used-llms-to-move-from-a-cve-to-an-internal-database-in-4-pivots
        https://thehackernews.com/2026/05/attackers-use-llm-agent-for-post.html
      • Malicious NuGet Package Impersonates Sicoob SDK To Exfiltrate Banking Certificates And Passwords
        "We analyzed a Sicoob-branded NuGet package, Sicoob.Sdk, that claimed to be an official C# SDK for Sicoob API integrations. Sicoob, formally the Sistema de Cooperativas de Crédito do Brasil, is one of Brazil’s largest cooperative financial systems, offering banking and financial services through credit cooperatives, digital channels, and thousands of physical service points nationwide. Public sources describe Sicoob as serving millions of cooperative members across Brazil, with Fitch reporting 9 million members, 328 single cooperatives, and 5,219 service points."
        https://socket.dev/blog/malicious-nuget-package-impersonates-sicoob-sdk
        https://thehackernews.com/2026/05/malicious-sicoob-nuget-steals-banking.html
      • Kimsuky's Advanced Attack Techniques: JSONPing, Webex Spoofing, And a New HttpSpy Variant
        "This report details how Kimsuky targeted South Korean military and enterprises through April 2026, combining tailored social engineering with a revamped HttpSpy execution chain. Our analysis of the Webex-spoofing case revealed the full execution chain of the final payload, an HttpSpy variant. Unlike previous versions of HttpSpy that operated as a single binary, this variant splits the installation process into three stages. In the Zsecurity software-spoofing case, we were only able to recover artifacts up to the downloader stage; however, we attributed both campaigns to the same threat actor based on shared RC4 keys, infrastructure, and code patterns."
        https://www.enki.co.kr/en/media-center/blog/kimsuky-s-advanced-attack-techniques-jsonping-webex-spoofing-and-a-new-httpspy-variant
        https://thehackernews.com/2026/05/kimsuky-deploys-httpspy-expands-arsenal.html
      • Typosquatted Npm Packages Used To Steal Cloud And CI/CD Secrets
        "Microsoft has identified an active supply chain attack targeting the npm package ecosystem. On May 28, 2026, a single threat actor operating under the newly created maintainer alias vpmdhaj (a39155771@gmail[.]com) published 14 malicious packages within a four-hour window. The packages typosquat well-known OpenSearch, ElasticSearch, DevOps, and environment-configuration libraries, and several spoof the upstream OpenSearch project’s repository URL in their package.json to appear legitimate. Once installed, the packages harvest AWS credentials, HashiCorp Vault tokens, and CI/CD pipeline secrets from the host environment."
        https://www.microsoft.com/en-us/security/blog/2026/05/28/typosquatted-npm-packages-used-steal-cloud-ci-cd-secrets/
        https://www.theregister.com/security/2026/05/29/14-malicious-npm-packages-impersonated-opensearch-elasticsearch-libraries/5248792
      • Bad Ads, Worse Binaries: Fake Claude Code Installer Drops Infostealer
        "A first-time builder searched for "Claude Code install" because they finally believed they could build something. Claude Code has put software development within reach of people who never thought it possible. A small business owner who wants to automate their invoicing. A teacher building a custom grading tool. An entrepreneur who has an app idea and, for the first time, has a realistic path to shipping it. The barrier that kept non-technical people out of software creation for decades is collapsing fast, and Claude Code is at the center of that shift. That enthusiasm is exactly what this campaign exploits."
        https://www.cyderes.com/howler-cell/fake-claude-code-installer-infostealer
        https://hackread.com/fake-anthropic-sites-fileless-infostealer-claude-code-users/
      • Legitimate-Looking Codex Remote UI Secretly Steals Your AI Tokens
        "There's a new playbook in the supply chain threat landscape, where someone builds something genuinely useful, growing a real user base. But all while stealing credentials. codexui-android is a remote web UI for OpenAI Codex. Real GitHub repo. Active development. Polished enough to get 27.000 weekly downloads. And for the past month, every single invocation has been quietly exfiltrating your Codex authentication tokens to an attacker-controlled server. It's a functional tool that developers actually wanted rather than a typosquat or throwaway package. That's what makes it dangerous."
        https://www.aikido.dev/blog/codex-remote-ui-steals-ai-tokens
        https://hackread.com/codex-ui-tool-secretly-stole-openai-refresh-tokens/

      Breaches/Hacks/Leaks

      • Charter Communications Data Breach Affects 4.9 Million Accounts
        "The ShinyHunters extortion gang stole personal information from 4.9 million accounts after hacking the U.S. telecom giant Charter Communications in early April, according to data breach notification service Have I Been Pwned. Charter has over 92,000 employees and provides internet, mobile, video, and voice services to more than 32 million customers and over 57 million homes in 41 states across the U.S. through its Spectrum brand. The company confirmed the breach earlier this week, saying that the attackers did not steal sensitive personal customer information and that it had alerted authorities about the incident."
        https://www.bleepingcomputer.com/news/security/charter-communications-data-breach-affects-49-million-accounts/
        https://haveibeenpwned.com/Breach/Charter
        https://www.securityweek.com/charter-communications-data-breach-could-impact-nearly-5-million/
        https://securityaffairs.com/192907/uncategorized/shinyhunters-leaks-charter-communications-data-potentially-impacting-5-million-customers.html
        https://www.theregister.com/cyber-crime/2026/05/29/shinyhunters-adds-charter-to-trophy-shelf-after-49m-customer-records-leak/5248281

      General News

      • From $5 Attacks To Botnet-Powered Platforms: Inside The DDoS-As-a-Service Market
        "You have probably experienced the following scenario yourself. A website suddenly stops loading, a login page times out, or an online service becomes unreachable at the worst possible moment. Sometimes the cause is not an internal outage, but a Distributed Denial-of-Service (DDoS) attack designed to overwhelm the service from the outside. DDoS attacks have long been one of the simplest ways to disrupt an online service: flooding it with enough traffic, exhausting its infrastructure, and making it unreachable without breaking into the target’s systems. Now more than ever DDoS is being packaged, branded, and sold with the language of a mature online service, and the impact is well recorded in the real world."
        https://www.bleepingcomputer.com/news/security/from-5-attacks-to-botnet-powered-platforms-inside-the-ddos-as-a-service-market/
      • Man Sent To Prison For Selling Data Of 7 Million Elderly Americans
        "A North Carolina man was sentenced to more than 10 years in prison for selling the personal information of over 7 million elderly Americans to Jamaican scammers. 57-year-old Troy Murray (who used the Steve Dixon pseudonym) pleaded guilty in January 2026 to one count of conspiracy to commit wire fraud and was sentenced Thursday to 121 months in prison, three years of supervised release, and ordered to forfeit $5.2 million. Prosecutors said that Murray's alias was so widely known among Jamaican scammers that it was referenced in a 2022 song lyric by a Jamaican musical artist."
        https://www.bleepingcomputer.com/news/security/man-sent-to-prison-for-selling-data-of-7-millions-elderly-americans/
      • Asia's Cyber Insurance Market Shows Signs Of Life
        "Relatively few organizations in the Asia-Pacific (APAC) region use cyber insurance, but there is reason to believe that is slowly changing. Cyber insurance is a subset of insurance that has gained popularity in recent years as ransomware attacks became an ever-present threat. Cyber insurance is intended to offset the losses incurred by cyberattacks, including, in some cases, policy holders paying ransoms to cybercriminals."
        https://www.darkreading.com/cybersecurity-operations/asias-cyber-insurance-market-signs-of-life
      • Websites Can Spy On User Activity By Analyzing SSD Behavior
        "Websites have spent years collecting information about visitors through browser fingerprinting, tracking scripts, and other techniques designed to identify devices and monitor behavior. Researchers have demonstrated another method that relies on something most users would never expect a website to observe: activity on their SSD (Solid-State Drive), the storage device where applications and files are stored. Dubbed FROST, short for Fingerprinting Remotely using OPFS-based SSD Timing, the technique allows a website to infer information about websites and applications active on a user’s system."
        https://www.helpnetsecurity.com/2026/05/29/website-tracking-ssd-activity-research/
        https://hannesweissteiner.com/pdfs/frost.pdf
      • The Behavioral Signals That Sharpen Trojan Malware Detection
        "Malware analysts spend a lot of time deciding which signals from a sandbox run are worth keeping. A sample executed in a controlled environment can generate hundreds of measurable attributes covering file structure, registry edits, process behavior, and network traffic. Most of those attributes add noise. A recent study works through this problem in detail, and the part that earns attention from working defenders is the feature selection, not the deep learning model attached to it."
        https://www.helpnetsecurity.com/2026/05/29/trojan-malware-detection-research/
        https://www.mdpi.com/2624-800X/6/3/90
      • DIL Observatory: When The World Escalates, The Underground Responds
        "Digital Intelligence Lab (DIL) launches an observatory for reading cyber events as what they actually are: signals of a broader social and geopolitical reality. The timing rarely lies, and the connection between real-world events and cyber activity is no longer a theoretical framework. It is a documented pattern, traceable across months and geographies. This new Observatory available for the community extends that work into a broader question: not just what cyber events are happening, but why now, where, and what else is happening around them."
        https://securityaffairs.com/192870/security/dil-observatory-when-the-world-escalates-the-underground-responds.html
      • What Companies Patch, And What They Don’t
        "Vulnerability scanners find far more issues than any team can fix. Whatever is still open in the scanner today is, by definition, what’s left after deciding what to fix first, what to live with, and what to monitor. By comparing what’s left to the full list of all published Common Vulnerabilities and Exposures (CVEs), we can work out what customers actually focus on."
        https://blog.barracuda.com/2026/05/29/ciso-what-companies-patch
      • What 2,000 Exposed Vibe-Coded Apps Reveal About The Limits Of Most Security Stacks
        "Shadow AI used to mean employees pasting things they shouldn't into ChatGPT. It now means something bigger: employees building full applications with AI, wiring them into production systems, and publishing them on the open internet. Without Security or IT in the loop. The artifact moved from a prompt to a product. The risk surface moved with it. In The Shadow Builders report (get it here), a new category-level investigation covered in May by Axios, WIRED, and VentureBeat, Red Access identified more than 380,000 publicly accessible web assets across the leading vibe-coding platforms."
        https://thehackernews.com/2026/05/what-2000-exposed-vibe-coded-apps.html
        https://info.redaccess.io/shadow-ai-builders-security-report
      • Russian Spies Are Aggressively Seeking Western Technology As Sanctions Bite, Officials Say
        "Russia’s intelligence agencies have grown more aggressive in their efforts to steal Western technology and defense secrets as sanctions squeeze the country’s wartime economy, three senior European intelligence officials told The Associated Press. Moscow’s agents are building fake companies, recruiting middlemen and deploying cyber spies and hackers who are gathering information that could also be used to attack key infrastructure, they said."
        https://www.securityweek.com/russian-spies-are-aggressively-seeking-western-technology-as-sanctions-bite-officials-say/

      Reference
      Electronic Transactions Development Agency (ETDA)
