    Cyber Threat Intelligence 08 June 2026

    • NCSA_THAICERT

      New Tooling

      • AgentGG: Open-Source Agentic SAST Scanner
        "Static analysis tools have spent years matching source code against known-bad patterns and handing engineers long lists of candidate issues to triage by hand. AgentGG approaches the same job with AI agents that read the code, follow imports, walk the call graph, and confirm a finding before they report it. The project is an open-source agentic SAST scanner released under the Apache 2.0 license."
        https://www.helpnetsecurity.com/2026/06/05/agentgg-open-source-agentic-sast-scanner/
        https://github.com/agentgg-dev/agentgg

      Vulnerabilities

      • Chrome 149 Patches 429 Vulnerabilities
        "Google this week promoted Chrome 149 to the stable channel with patches for 429 vulnerabilities, a record for a single Chrome refresh. Already exceeding several times the total number of Chrome security fixes released in 2025, the surge in Chrome flaws is likely driven by AI use, which led Google to lower Chrome bug bounties in April. Over 100 of the newly resolved security defects are critical and high-severity issues, most of which are use-after-free and insufficient validation of untrusted input flaws."
        https://www.securityweek.com/chrome-149-patches-429-vulnerabilities/
      • Cisco Warns Of Unpatched SD-WAN Zero-Day Exploited In Attacks
        "On Thursday, Cisco warned of a high-severity, unpatched zero-day in the Cisco Catalyst SD-WAN Manager (tracked as CVE-2026-20245) actively exploited in attacks enabling root privilege escalation. The zero-day flaw impacts all deployment types, including On-Prem Deployment, Cisco SD-WAN Cloud-Pro, Cisco SD-WAN Cloud (Cisco Managed), and Cisco SD-WAN for Government (FedRAMP). In a Thursday advisory, Cisco said the issue stems from insufficient validation of user-supplied input, and it can allow local attackers with low privileges to execute arbitrary commands as root."
        https://www.bleepingcomputer.com/news/security/new-cisco-sd-wan-flaw-exploited-in-zero-day-attacks-to-gain-root/
        https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-privesc-4uxFrdzx
        https://thehackernews.com/2026/06/cisco-catalyst-sd-wan-manager-cve-2026.html
        https://www.securityweek.com/cisco-warns-of-7th-sd-wan-zero-day-exploited-in-2026/
        https://securityaffairs.com/193203/security/cisco-sd-wan-has-a-new-root-level-problem-and-theres-no-fix-yet.html
        https://www.theregister.com/security/2026/06/05/yet-another-cisco-sd-wan-0-day-under-attack-and-no-patch-in-sight/5251855
        https://www.helpnetsecurity.com/2026/06/05/cisco-sd-wan-cve-2026-20245-0-day-exploited/
      • CISA Adds One Known Exploited Vulnerability To Catalog
        "CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
        CVE-2026-28318 SolarWinds Serv-U Uncontrolled Resource Consumption Vulnerability"
        https://www.cisa.gov/news-events/alerts/2026/06/05/cisa-adds-one-known-exploited-vulnerability-catalog
        https://www.bleepingcomputer.com/news/security/cisa-hackers-now-exploit-solarwinds-serv-u-flaw-to-crash-servers/
        https://thehackernews.com/2026/06/cisa-adds-actively-exploited-solarwinds.html
        https://securityaffairs.com/193245/security/u-s-cisa-adds-solarwinds-serv-u-flaw-to-its-known-exploited-vulnerabilities-catalog.html
      • AI Agent Uncovers 21 Zero-Days In FFmpeg; Chrome Patches Record 429 Bugs
        "Two things landed within days of each other this week. A security startup reported 21 previously unknown vulnerabilities in FFmpeg, the media library inside almost everything that touches video, all of them found by an autonomous AI agent. The same week, Google shipped Chrome 149 with patches for 429 security bugs, the most ever in a single release."
        https://thehackernews.com/2026/06/ai-agent-uncovers-21-zero-days-in.html
      • Claude Opus Found a Four-Year-Old Hole In Zcash’s Privacy Layer. Nobody Knows If Someone Already Used It.
        "On May 29, the security researcher Taylor Hornby found a critical vulnerability in the Zcash Orchard privacy pool using Claude Opus 4.8. The Zcash team hired Hornby specifically to look for this kind of issue. He found one fast enough to be embarrassing. The Orchard pool is the newest and most advanced shielded transaction system in the cryptocurrency Zcash. Introduced in 2022, it allows users to send and receive ZEC while keeping transaction details private. It uses zero-knowledge proofs to validate transactions without revealing amounts or participants. The bug: a specific check that was supposed to validate transaction inputs wasn’t actually enforcing the rules it appeared to enforce. An attacker could have exploited the flaw to feed false inputs into that check and generate ZEC from nothing, with the zero-knowledge proof system blessing the fraudulent transaction as valid."
        https://securityaffairs.com/193224/hacking/claude-opus-found-a-four-year-old-hole-in-zcashs-privacy-layer-nobody-knows-if-someone-already-used-it.html

      Malware

      • VerdantBamboo: Just Another BRICKSTORM In The Firewall
        "In September 2025, Volexity conducted an incident response engagement that began after suspicious network traffic was observed from a Linux-based virtual machine appliance on a customer’s network. The virtual machine was an Egnyte Storage Sync system, which is designed to facilitate syncing local on-premise files with the cloud. Volexity discovered that instead of connecting to a domain affiliated with Egnyte, the appliance was connecting to a threat-actor-controlled domain behind Cloudflare IP addresses. The appliance was also making TLS connections to one of Google’s public DNS servers (8.8.8.8). It appeared to be using Google to perform queries via DNS over HTTPS, as there was no DNS activity for the domain observed in the connections. Later in the investigation, this was confirmed to be the case after Volexity obtained snapshots of the Storage Sync system for analysis."
        https://www.volexity.com/blog/2026/06/04/verdantbamboo-just-another-brickstorm-in-the-firewall/
        https://www.bleepingcomputer.com/news/security/chinese-apt-deploys-new-malware-to-keep-access-to-hacked-networks/
      • Suspicious Polyfill Login Prompts Pop Up On Toshiba, Muji Websites
        "Tech giant Toshiba and mega-retailer Muji warned visitors that suspicious sign-in screens popping up on their websites could collect credentials. Both Japanese companies advised users who entered their account login data in the authentication screens to change their passwords to access the service. The login pop-ups were generated by the external service hosted at polyfill[.]io, which in 2024 introduced malicious code in scripts delivered by its CDN."
        https://www.bleepingcomputer.com/news/security/suspicious-polyfill-login-prompts-pop-up-on-toshiba-muji-websites/
      • New Mac Stealer SHub Reaper Is Spoofing Apple, Google, And Microsoft
        "Threat actors are using fake websites for popular software to distribute an updated version of SHub Stealer, a piece of macOS malware. What’s different about this malware and why Mac users should care? The malware is using a technique for distribution that is automating ClickFix, which we have seen before. This technique makes it more difficult for Mac users to spot the cyberattack. Let’s dive in."
        https://moonlock.com/mac-stealer-shub-reaper
        https://hackread.com/reaper-macos-infostealer-script-editor-crypto-passwords/
      • Silent Ransom Group (SRG): Uncovering DNS Fast Flux Infrastructure
        "The Silent Ransom Group (SRG), also known as Luna Moth, Chatty Spider, and UNC3753, is a sophisticated cyber extortion group that has been active since at least 2022. Unlike traditional ransomware groups that encrypt data, SRG focuses on data theft and extortion without relying on encryption. The group is particularly known for targeting industries that handle sensitive information, such as law firms, healthcare, hotels, finance, and insurance. The FBI recently issued an advisory about the SRG, which is actively targeting U.S.-based law firms and other industries through social engineering and in-person attacks. In this threat intelligence report, Resecurity highlights the notable tactics used by the SRG — specifically, the use of Clearnet Data Leak Sites (DLS) and DNS Fast Flux, an evasion technique used by cybercriminals to hide servers behind a continuously rotating network of compromised devices (often a botnet) acting as proxies. By changing the DNS records and using short Time-To-Live (TTL) values, attackers make their malicious infrastructure resilient against takedowns."
        https://www.resecurity.com/blog/article/silent-ransom-group-srg-uncovering-dns-fast-flux-infrastructure
        https://securityaffairs.com/193215/cyber-crime/silent-ransom-group-srg-switching-to-dns-fast-flux-infrastructure.html
      • PCPJack Hijacked 230 AWS, GCP, And Azure Servers To Run a Hidden SMTP Relay Network
        "SentinelOne documented PCPJack in April 2026, covering how the campaign gains initial access and harvests credentials from compromised Linux servers. What that report didn't cover was what happens next. During a routine infrastructure hunting session, our team found an open directory on 213.136.80[.]73, a server already tied to PCPJack's C2 infrastructure. No authentication required. Twelve files sitting exposed on port 8444, including source code, compiled binaries, and deployment state logs. A second open directory on port 9443 exposed the operator's live working directory, active scanners, exploitation tooling, and a Sliver C2 configuration, all accessible at the same time."
        https://hunt.io/blog/pcpjack-230-cloud-servers-smtp-proxy-network-sliver-chisel
        https://thehackernews.com/2026/06/pcpjack-hijacks-230-aws-google-cloud.html
        https://securityaffairs.com/193189/cyber-crime/pcpjack-exposed-researchers-uncover-230-node-cloud-email-relay-network.html
      • Android Spyware Asin Targets Arabic Users Via Fake News, PDF And War Map Apps
        "Arabic-speaking users have emerged as the target of a new Android spyware codenamed Asin, according to findings from ESET. The Slovakian cybersecurity company said it first detected the malware spread via multiple campaigns in early 2025, with each attack wave making use of distinct websites mimicking utilities, war-related updates, and a government news source:"
        https://thehackernews.com/2026/06/android-spyware-asin-targets-arabic.html
      • ReliaQuest's Agentic AI Uncovers New China-Linked Cluster OP-512
        "ReliaQuest’s Agentic AI recently surfaced what we assess with moderate-high confidence to be a new China-linked cluster, which we’re tracking as “OP-512.” Our AI agent stitched together a high volume of seemingly unrelated suspicious events across a customer’s environment into one high-priority incident, revealing a coordinated intrusion that manual review alone would have been unlikely to reconstruct at the same speed, if at all. ReliaQuest threat research analysts then reviewed and validated the findings."
        https://reliaquest.com/blog/threat-spotlight-reliaquests-agentic-ai-uncovers-new-china-linked-cluster-op-512
        https://thehackernews.com/2026/06/new-threat-cluster-op-512-targets.html
      • Seeking Counsel: Ongoing Targeted Campaign Against US Law Firms
        "From January through May 2026, Mandiant identified a financially motivated data theft extortion campaign executed by the threat cluster UNC3753 (also tracked as "Luna Moth," “Chatty Spider,” and "Silent Ransom Group") targeting dozens of organizations across professional, legal, and financial services in the United States. UNC3753 leverages voice phishing (vishing) and social engineering deception techniques to achieve remote access into corporate environments. Using pretexts such as data migration or invoice related emails, the threat actors initiate phone conversations posing as IT support and convince targets to host screen-sharing sessions and download remote monitoring and management (RMM) utilities. Once inside the environment, the threat actors either directly conduct searches to locate and exfiltrate highly sensitive data, or manipulate the victim into executing these actions on their behalf. This data typically includes proprietary legal agreements, personally identifiable information (PII), and financial records for subsequent extortion demands."
        https://cloud.google.com/blog/topics/threat-intelligence/targeted-campaign-us-law-firms
        https://www.bleepingcomputer.com/news/security/silent-ransom-group-targets-law-firms-with-fake-it-support-calls/
        https://www.theregister.com/cyber-crime/2026/06/05/if-you-dont-fall-for-these-extortionists-calls-theyll-show-up-with-usb-sticks/5251891
      • Threat Brief: Active Exploitation Of PAN-OS CVE-2026-0257
        "Palo Alto Networks Unit 42 has observed active exploitation of PAN-OS vulnerability CVE-2026-0257 by an unidentified threat actor attempting to access GlobalProtect. This security flaw involves an authentication bypass in the portal and gateway components of vulnerable versions of PAN-OS® software, which could allow unauthorized attackers to circumvent security controls and initiate VPN connections. This CVE was added to the Known Exploited Vulnerability (KEV) catalog on May 29."
        https://unit42.paloaltonetworks.com/active-exploitation-of-pan-os-cve-2026-0257/
      • FSB’s Matryoshka #3/3 – Gamaredon’s Gifts That Keeps Unpacking – GammaSteel
        "Gamaredon is a cyberespionage group specialized in long-term and persistent intrusion operations targeting Ukraine. Officially operated by Russia’s FSB, the group is focusing on government, military, and critical infrastructure networks, and is still actively operating at the time of this publication. This report analyses over a decade of malware families and establishes a unified naming taxonomy to cut through the fragmented nomenclature. The infection chain is designed to be invisible: by hiding inside legitimate Windows features and abusing trusted platforms like Telegram, Cloudflare, and standard cloud storage, Gamaredon leaves almost no trace on infected machines."
        https://blog.sekoia.io/fsbs-matryoshka-3-3-gamaredons-gifts-that-keeps-unpacking-gammasteel/
      • Miasma Worm Hits 73 Microsoft GitHub Repositories In Major Supply Chain Attack
        "Microsoft's GitHub repositories have become the latest to fall victim to the ongoing Miasma self-replicating supply chain attack campaign. The incident impacted 73 Microsoft repositories across four of its GitHub organizations, including Azure, Azure-Samples, Microsoft, and MicrosoftDocs, per OpenSourceMalware. The development has led GitHub to disable access to those repositories. "Access to this repository has been disabled by GitHub Staff due to a violation of GitHub's terms of service," reads the message when attempting to access the "Azure/azure-functions-host" repository. "If you are the owner of the repository, you may reach out to GitHub Support for more information.""
        https://thehackernews.com/2026/06/miasma-worm-hits-73-microsoft-github.html
        https://safedep.io/miasma-worm-ai-coding-agent-config-injection/
        https://falconfeeds.io/blogs/shai-hulud-npm-pypi-supply-chain-worm-analysis/

      Breaches/Hacks/Leaks

      • Nightclub Giant RCI Says Data Breach Affects 40,000 Individuals
        "Adult nightclub giant RCI Hospitality Holdings has informed authorities that a data breach disclosed in April affects roughly 40,000 individuals. RCI Hospitality is one of the largest adult nightclub operators in the United States, and its portfolio also includes sports bars and dance clubs. The company told the SEC in mid-April that its RCI Internet Services subsidiary discovered an insecure direct object reference (IDOR) vulnerability on March 23 in an IIS web server, allowing unauthorized access to personal information."
        https://www.securityweek.com/nightclub-giant-rci-says-data-breach-affects-40000-individuals/
      • Attackers Obtained Encrypted Password Vaults From Some Dashlane User Accounts
        "Dashlane has disclosed new details about a brute-force attack that let a threat actor access some customer accounts and copy encrypted vaults. Dashlane said it found no evidence that the attackers compromised its internal systems. The company first acknowledged the incident on May 31 after users reported receiving account suspension emails and experiencing login problems. “Your account has been temporarily suspended for security reasons as someone has attempted to register a new device and didn’t enter the correct token after several tries,” the emails read, instructing affected users to contact customer support to restore access."
        https://www.helpnetsecurity.com/2026/06/05/dashlane-brute-force-attack-vaults-customer-accounts/
      • Oxford Uni Student Data Pwned Yet Again - This Time Via Career Platform Breach
        "Oxford University students seeking work will be dismayed to learn that crooks have breached a second external platform provider for the university in as many months. The institution’s CareerConnect platform, provided by Group GTI, was the target of the intrusion, which exposed users’ full names and email addresses. Those who don’t use single sign-on (SSO) had their encrypted passwords leaked, too. CareerConnect forms part of Oxford University’s career services department, supporting students and alumni to find work opportunities. It is available to students, alumni, research staff, and recruiters."
        https://www.theregister.com/security/2026/06/06/oxford-university-data-pwned-again-by-career-platform-breach/5251754

      General News

      • Nightmare Eclipse Incident Shows The Researcher-Vendor Fights May Never Fully Go Away
        "Microsoft reopened some wounds and has reignited debate over the past couple weeks about vulnerability disclosure and the sometimes adversarial dynamic it creates between security researchers and vendors. The latest controversy ensued when Microsoft threatened criminal legal action against a security researcher who publicly disclosed a series of zero-day vulnerabilities with proof-of-concept exploits. Microsoft insisted it received no details about the vulnerabilities prior to release, adding that the defects were not responsibly disclosed and put its customers at unnecessary risk."
        https://cyberscoop.com/microsoft-coordinated-vulnerability-disclosure-debacle/
      • C-Suite Impersonation In The Gulf: How Threat Actors Are Targeting UAE & Saudi Executives In 2026
        "When a senior executive at a Dubai-based energy conglomerate receives a WhatsApp message that appears to come directly from their CEO — complete with the right profile photo, a familiar tone, and an urgent wire transfer request. This type of CEO fraud, CEO impersonation scam, or executive impersonation attack is becoming one of the most effective forms of financial cybercrime targeting Gulf organizations. According to Cyble’s Middle East & Africa Threat Landscape Report: Q1 2026 report, executive impersonation has emerged as one of the most targeted and financially damaging attack vectors facing organizations in the UAE, Saudi Arabia, and Qatar in 2026."
        https://cyble.com/blog/ceo-fraud-executive-impersonation-gulf-firms/
        https://cyble.com/resources/research-reports/meta-cyber-threat-landscape-report-q1-2026/
      • Adaptive, Agentic AI Worms Loom As Next Enterprise Threat
        "The hunt is on to find protections against the coming generation of adaptive AI worm malware, to head off a global incident on the scale of other famous worm events, such as NotPetya, Stuxnet, MSBlast, or the SQL Slammer worm. AI adaptive worms will be autonomous agents that rapidly self-propagate by searching for zero-day bugs, known but unpatched software flaws, and unprotected secrets — and they will be able to do this across multiple environments, morphing dynamically as they go."
        https://www.darkreading.com/cyber-risk/adaptive-agentic-ai-worms-enterprise-cyber-threat
      • AI Is Helping Low-Skill Hackers Pull Off Advanced Cyberattacks
        "Anthropic has published an analysis of cyber-related misuse of its AI systems, examining 832 accounts that were banned for malicious cyber activity between March 2025 and March 2026. The company mapped the observed behavior to the MITRE ATT&CK framework, which documents tactics and techniques used by attackers. “These 832 cases are just a subset of the total number of accounts banned during this period, but they represent those where we had enough detail to conduct a thorough assessment of the attackers’ techniques,” the company said."
        https://www.helpnetsecurity.com/2026/06/05/anthropic-ai-cyber-activity-analysis/
      • Most Pros Have Seen AI Hallucinations In IT Operations
        "Autonomous AI is taking action inside enterprise IT environments. Software is restarting services, isolating risky devices, and applying patches without waiting for a human to approve the step. The capability is spreading at the same time IT professionals are reporting frequent encounters with AI output errors that can carry operational impact. Ivanti’s 2026 AI Maturity Report, drawn from responses by 1,500 IT professionals across six countries, finds that 68% have personally seen AI produce hallucinations with potential operational impact. About 52% of those respondents say their team caught the errors before they caused issues. The remaining 16% report cases where the errors slipped through and reached production environments."
        https://www.helpnetsecurity.com/2026/06/05/ai-hallucinations-it-operations-research/

      Reference
      Electronic Transactions Development Agency (ETDA)