NCSA Webboard
    Cyber Threat Intelligence 03 June 2026

    Cyber Security News
    • NCSA_THAICERT
      Last edited by NCSA_THAICERT

      Vulnerabilities

      • Unauthenticated Privilege Escalation Vulnerability Patched In Kirki WordPress Plugin
        "On May 4th, 2026, we received a submission for an Unauthenticated Privilege Escalation vulnerability in the Kirki WordPress plugin. Although the plugin has more than 500,000 active installations, we estimate that only around 150,000 sites are using a vulnerable version, as the issue was introduced in the 6.0 major release. This vulnerability makes it possible for unauthenticated attackers to take over arbitrary user accounts on the site, including administrator accounts, by leveraging the plugin’s password reset functionality to have the password reset link delivered to an attacker-controlled email address."
        https://www.wordfence.com/blog/2026/06/unauthenticated-privilege-escalation-vulnerability-patched-in-kirki-wordpress-plugin/
        https://www.bleepingcomputer.com/news/security/critical-kirki-flaw-exploited-to-hijack-wordpress-admin-accounts/
      • Google Fixes One Actively Exploited Android Zero-Day, 124 Flaws
        "Google has released the June 2026 Android security patches to address 124 vulnerabilities, including one zero-day flaw exploited in targeted attacks. Local attackers can exploit the actively abused high-severity Android Framework vulnerability (tracked as CVE-2025-48595) to gain code execution and escalate privileges on devices running Android 14 or later. "There are indications that CVE-2025-48595 may be under limited, targeted exploitation," the company said on Monday in its March 2025 Android Security Bulletin."
        https://www.bleepingcomputer.com/news/security/google-fixes-one-actively-exploited-android-zero-day-124-flaws/
        https://thehackernews.com/2026/06/google-june-2026-android-update-patches.html
        https://www.securityweek.com/android-update-patches-exploited-zero-day-123-other-vulnerabilities/
        https://www.helpnetsecurity.com/2026/06/02/android-vulnerability-exploited-cve-2025-48595/
      • CVE-2026-0826: Critical Unauthenticated Stack Buffer Overflow In HP Poly VVX And Trio VoIP Phones (FIXED)
        "Rapid7 Labs conducted a zero-day research project against an HP Poly VVX 450 Voice over Internet Protocol (VoIP) phone. This research resulted in the discovery of a critical unauthenticated stack-based buffer overflow vulnerability, CVE-2026-0826. A remote attacker can leverage CVE-2026-0826 to achieve unauthenticated remote code execution (RCE) with root privileges on a target device. The vulnerability is present in the device's parsing of Session Description Protocol (SDP) attributes for Interactive Connectivity Establishment (ICE). The ICE feature, which is not enabled by default, must be enabled for the device to be exploitable by a remote attacker."
        https://www.rapid7.com/blog/post/ve-cve-2026-0826-critical-unauthenticated-stack-buffer-overflow-hp-poly-vvx-trio-voip-phones-fixed/
        https://www.securityweek.com/critical-vulnerability-in-hp-voip-phones-enables-enterprise-network-breaches/
      • CISA Adds Two Known Exploited Vulnerabilities To Catalog
        "CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
        CVE-2022-0492 Linux Kernel Improper Authentication Vulnerability
        CVE-2025-48595 Android Framework Integer Overflow Vulnerability"
        https://www.cisa.gov/news-events/alerts/2026/06/02/cisa-adds-two-known-exploited-vulnerabilities-catalog
      • FlagLeft: We Found A Forgotten Flag That Turned Microsoft 365 Apps Into a Silent Account Takeover Pipeline For Billions Of Users
        "Our research found that any app installed on the same Android device could silently access a Microsoft 365 account’s token. It could then act as the signed-in account (read email, open files, access documents, send messages, view calendars), without the user’s knowledge. The issue has been patched, but if you use Microsoft 365 apps on Android, update them now. If your organization manages Android devices, make sure Word, PowerPoint, Excel, Microsoft 365 Copilot, Microsoft Loop, and OneNote are on patched versions."
        https://enclave.ai/blog/flagleft-microsoft-365-android-forgotten-flag-account-takeover
        https://www.securityweek.com/exclusive-how-one-line-of-code-put-billions-of-microsoft-android-app-downloads-at-risk/

      Malware

      • Crypto Guest At Dawn Endpoint (Midnight) Ransomware Analysis
        "EndPoint is a ransomware variant formerly known as Midnight, which is believed to be built on the Babuk ransomware framework. It targets not only Windows environments, but also ESXi and NAS environments, and uses a double extortion method that combines file encryption with data exfiltration threats. Since the Babuk source code leak, several derivative ransomware have emerged, and EndPoint is one of them. Infected files are given the .endpoint extension, and the ransom note includes a uTox ID to contact the victim. In the past, the [email protected] account in the ransom note impersonated the director of the East Asia Institute, which has been identified as being used by North Korea-linked threat actors since 2024."
        https://asec.ahnlab.com/en/93932/
      • Game Over: WeedHack – The Rise Of Minecraft Malware-As-a-Service Campaigns
        "Minecraft is a 2011 sandbox game developed and published by Mojang Studios. It is the best-selling video game in the world and has sold over 350 million copies worldwide. Its popularity has spanned over a decade due to its versatile gameplay, offering multiple game modes, including one of the most memorable Story Mode in gaming history. It allows players to create and host multiplayer servers with a variety of gameplay options and offers a wide range of custom launchers, game mods, and cheats to choose from."
        https://www.mcafee.com/blogs/other-blogs/mcafee-labs/weedhack-minecraft-malware-as-a-service-campaign-research/
        https://www.bleepingcomputer.com/news/security/over-116-000-mincraft-systems-infected-in-weedhack-malware-campaign/
      • Pointing a Cursor At Evading Detection
        "Sophos X-Ops analysts observed a threat actor using artificial intelligence (AI) technologies to test endpoint detection and response (EDR) evasion tactics in a “red team” post-exploitation framework. The activity was detected when an anomalous endpoint registered within a customer tenant triggered alerts for payloads originating from C:\Users\User\Documents\test. Multiple files in this directory were malicious and indicative of a broader attack framework focused on evading detection:"
        https://www.sophos.com/en-us/blog/pointing-a-cursor-at-evading-detection
        https://www.bleepingcomputer.com/news/security/ai-built-ransomware-toolkit-automates-edr-evasion-ad-discovery/
        https://www.infosecurity-magazine.com/news/ai-edr-evasion-tooling/
        https://www.helpnetsecurity.com/2026/06/02/ai-agents-edr-evasion-techniques/
      • Instagram Users Locked Out After Meta AI Abused To Steal Accounts
        "Multiple Instagram users had their accounts hijacked after attackers convinced Meta’s AI-powered support tools that they were the legitimate owners. In many cases, impacted users are unable to recover access due to the platform's use of automated assistance that involves only AI/chatbot loops and no human support agents. On Monday, multiple holders of rare and high-value accounts reported suddenly losing access to their accounts, claiming that their identities had been verified via facial scans and that they had enabled safeguards such as two-factor authentication (2FA)."
        https://www.bleepingcomputer.com/news/security/instagram-users-locked-out-after-meta-ai-abused-to-steal-accounts/
        https://hackread.com/hackers-abuse-meta-ai-bot-hijack-instagram-accounts/
        https://www.securityweek.com/meta-ai-hands-over-high-profile-instagram-accounts-to-hackers/
        https://securityaffairs.com/193034/hacking/instagram-account-hijacks-expose-the-security-risks-of-ai-powered-support.html
      • From Token Bingo To MAX Takeover: Kali365 Operator Expands Operation Across Microsoft Outlook, Okta, Xerox DocuShare, And Other Services
        "In our previous post, Token Bingo: Don’t Let Your Code Be the Winner, we documented Kali365, a phishing-as-a-service (PhaaS) kit abusing Microsoft’s OAuth 2.0 device authorization flow to steal Entra ID tokens. In this follow-up report, we track the same operator into new territory as they expand their operation and infrastructure. Our latest findings include: The operator’s full panel infrastructure, including a live command-and-control (C2) panel for token capture status. A phishing page impersonating MAX Messenger, Russia’s state-backed national messenger, used to take over MAX accounts via a fake “prize-claim” attack flow."
        https://arcticwolf.com/resources/blog/kali365-expands-into-aws-microsoft-okta-xerox-max-messenger/
        https://www.darkreading.com/cyber-risk/fbi-flagged-phishing-kit-kali365-expands-its-reach
      • These Convincing Copyright Notices Are Designed To Steal Google Logins
        "A new scam is targeting people who publish Chrome extensions. The scam arrives as an official-looking “copyright removal request” claiming your extension is about to be removed from the Chrome Web Store and that you have 48 hours to appeal. It even looks personalized. After you enter your extension’s ID to “verify” it, the page pulls in your extension’s real name and icon. But it’s all part of a phishing attack designed to steal your Google username and password. If attackers gain access to a developer account, they may be able to take over the extension, access developer resources, or potentially push malicious updates to users."
        https://www.malwarebytes.com/blog/threat-intel/2026/06/these-convincing-copyright-notices-are-designed-to-steal-google-logins
      • Russia Claims Foreign Spy Agencies Hacked Officials' Phones
        "Russia's domestic security agency on Tuesday accused foreign intelligence services of conducting an espionage operation against senior Russian officials, alleging that spies used the infrastructure and capabilities of major international technology companies to secretly collect sensitive government information. In a statement, Russia's Federal Security Service (FSB) said it had uncovered what it described as a "large-scale operation" involving malicious software installed on the mobile devices of senior Russian officials. The agency alleged the malware was used to extract data, intercept communications and conduct covert audio and video surveillance."
        https://therecord.media/russia-claims-foreign-spy-agencies-hacked-gov-officials
        https://www.theregister.com/security/2026/06/02/russian-spy-agency-says-foreign-spies-turned-officials-smartphones-into-surveillance-devices/5250099
      • Operation FlutterBridge: MacOS Malvertising Campaign Spreads New FlutterShell Backdoor
        "We are tracking an increasingly widespread malvertising campaign targeting macOS. This campaign appears to be the next stage of a previous campaign known as JSCoreRunner, which was first identified in August 2025. In recent months, the financially-motivated attackers behind these campaigns transitioned from delivering standard adware, to delivering adware with full backdoor capabilities. We designate this campaign Operation FlutterBridge, and we call the payload that it delivers FlutterShell. Built using the Flutter framework, FlutterShell infects targets with adware via malicious desktop applications. In addition to its adware functionality, the payload possesses backdoor capabilities, including shell command execution and file system manipulation."
        https://unit42.paloaltonetworks.com/flutterbridge-new-fluttershell-backdoor/

      Breaches/Hacks/Leaks

      • 'Dumbass' Criminal Breaks The 'First Rule Of Ransomware Club'
        "Even ransomware cartels make mistakes, and in this case, it was a biggie that could have landed the responsible crim in a Russian gulag: accidentally infecting a company located in a Commonwealth of Independent States country. In what threat-hunter Dominic Alvieri deemed the ransom “dumbass of the day,” Nova, the affiliate program for ransomware crew RAlord, on Tuesday issued an apology to Eriell Group, a major oilfield services company with headquarters in Uzbekistan and a corporate office in Moscow. Apparently, Eriell contacted Nova and notified the ransomware operators about an affiliate's mess-up."
        https://www.theregister.com/cyber-crime/2026/06/02/dumbass-criminal-breaks-the-first-rule-of-ransomware-club/5250380

      General News

      • The Meta AI Account Recovery Incident Wasn’t Just a Chatbot Problem
        "When people hear about hackers “asking an AI chatbot” to help them take over Instagram accounts, the instinctive reaction is to file it under prompt injection, jailbreaks, or “the model got tricked.” That may be the wrong lesson. According to reporting from 404 Media, hackers claimed they used Meta’s AI support chatbot to gain access to high-profile Instagram accounts by asking it to change the email address associated with the target account. The reported incidents coincided with several high-profile account takeovers, including accounts linked to the Obama White House, Sephora, and the Chief Master Sergeant of the Space Force."
        https://blog.checkpoint.com/ai-security/the-meta-ai-account-recovery-incident-wasnt-just-a-chatbot-problem/
      • Why Traditional Phishing “Red Flags” Fail Against AI-Generated Attacks
        "For years, phishing awareness was taught through a simple lens: look for bad grammar, suspicious links, generic greetings, and urgent requests. That advice is not wrong. It is just no longer enough. Today’s phishing attacks are increasingly built to avoid those classic tells. Threat actors use AI to generate emails that are grammatically correct, contextually relevant, and tailored to specific people, roles, and organizations. Instead of sending one sloppy template, they can create endless variations that look legitimate on the surface. That shift breaks one of the oldest assumptions in phishing defense: that malicious emails will usually look suspicious."
        https://cofense.com/blog/why-traditional-phishing-red-flags”-fail-against-ai-generated-attacks
      • Zoom CISO: AI As Security Enabler, Not Role-Replacer
        "In an era where artificial intelligence is reshaping the cybersecurity landscape at unprecedented speed, Sandra McLeod, CISO at Zoom, offers a compelling perspective on the future of digital defense. With years of security experience spanning from penetration testing at Cisco to leading security initiatives at one of the world's most widely used communication platforms, McLeod brings a unique technical foundation to her leadership role. Her journey to the CISO position reflects the evolving nature of cybersecurity leadership itself."
        https://www.darkreading.com/cybersecurity-operations/zoom-ciso-ai-security-enabler-role-replacer
      • Securing AI Agents Before They Go Rogue Is Next To Impossible
        "Agentic AI adoption is in full swing, but unfortunately for enterprises, completely securing these agents might not be feasible. That's according to Dennis Xu, research vice president at Gartner, who spoke about the dangers of rogue AI agents during the Gartner Security & Risk Management Summit on Monday. "There's a lot of them coming at us — whether we like it or not, whether we know it or not," he said during his presentation."
        https://www.darkreading.com/cyber-risk/securing-ai-agents-rogue
      • Zero Trust Physical Security Needs Trust Decisions At The Edge
        "In this interview with Help Net Security, Chuck Davis, VP, Global Information Security at Hikvision, explains how zero trust applies to physical security systems like cameras and door controllers. He breaks down how to make trust decisions at the edge without recreating old perimeter assumptions, why these devices should be treated as IT assets, and what the Mirai botnet taught the industry. Davis also covers posture assessment for devices that cannot run standard agents, and how to manage device identity and revoke trust across tens of thousands of endpoints during a live incident."
        https://www.helpnetsecurity.com/2026/06/02/chuck-davis-hikvision-zero-trust-physical-security/
      • This AI Model Backdoor Attack Stays Hidden Until You Customize The Model
        "Most teams that deploy AI start with a backbone model. They download a large pre-trained system, adapt it to a specific task, and put it into production. The download step carries a security question: the origin of the model. A research team built an attack called BadBone. It plants a backdoor inside a backbone model. Downstream tasks that adapt the model inherit the backdoor. The name points at the target. Corrupt the skeleton, and systems built on top of it carry the flaw."
        https://www.helpnetsecurity.com/2026/06/02/ai-model-backdoor-attack-research/
        https://arxiv.org/pdf/2605.31246
      • Wardriving Assessment Across Mexico: Preparing For The 2026 World Cup
        "Mexico is one of the host countries for the 2026 FIFA World Cup, with matches to be played in three major cities: Mexico City, Monterrey, and Guadalajara. These locations are expected to see a large influx of international visitors, increasing the potential security risks. Many of those risks arise from users connecting to public wireless networks. To better understand the wireless environments that visitors may encounter, we at Kaspersky GReAT conducted a wardriving assessment in the three host cities. The aim of the study was to analyze characteristics, deployment patterns, security configurations and potential exposure risks of public Wi-Fi infrastructure in urban wireless environments."
        https://securelist.com/wardriving-assessment-in-mexico-fifa-world-cup-2026/119996/
      • Two New Reports Offer Competing Explanations For Cybersecurity’s Growing Crisis
        "Two reports offer differing viewpoints. One suggests a failure of tools to provide what security teams really need. The other suggests the tools exist but are not properly managed. The industrialization of cybercrime threatens to overwhelm cyber defense. It’s a process that started before the arrival of ChatGPT, was supercharged by the age of AI, and is now typified as the post-Mythos era. It’s a time when defenders must improve their performance or cede the battleground to the adversary. Applications are the battlefield. The speed, scale and sophistication of AI-assisted attacks is difficult to contain."
        https://www.securityweek.com/two-new-reports-offer-competing-explanations-for-cybersecuritys-growing-crisis/
      • The Zero-Knowledge Threat Actor And The End Of Responsible Disclosure
        "One of the most dangerous outcomes of the rise of AI in cybersecurity is the rise of the zero-knowledge threat actor. A threat actor who has negligible technical expertise but enough malicious intent. This actor can leverage AI, turn limited skills into usable offensive capability via generating malicious code, exploiting vulnerabilities, shaping attack steps and guiding execution. AI has not changed the traditional objectives of cybercrime: stealing credentials, exploiting vulnerabilities, gaining privileged access, stealing sensitive data, disrupting operations, and impacting business continuity. What has changed is the speed of discovery, the democratization of capability, and the acceleration of attacks."
        https://www.securityweek.com/the-zero-knowledge-threat-actor-and-the-end-of-responsible-disclosure/
      • ENISA NIS360 2026: Progress Across The Board, But The Sectors That Matter Most Are Still Falling Short
        "ENISA has published its third annual NIS360 report, assessing the cybersecurity maturity and criticality of all sectors covered by the NIS2 directive. The headline finding is that things are improving across the board. The more important finding is that the improvement is uneven, slow where it matters most, and being outpaced by a threat landscape that’s getting harder faster than defenses are getting better. Banking, electricity, and telecommunications remain the most mature and most critical sectors, as they have been since the assessment began. Three sectors moved up into the high maturity band for the first time: trust services, aviation, and financial market infrastructures. Four more strengthened their position within the moderate band: gas, road, maritime, and health."
        https://securityaffairs.com/193002/reports/enisa-nis360-2026-progress-across-the-board-but-the-sectors-that-matter-most-are-still-falling-short.html
        https://www.enisa.europa.eu/enisa-nis360-2026

      References
      Electronic Transactions Development Agency (ETDA)
