ETDA Cyber Threat Intelligence 23 June 2026
New Tooling
- Agent Beacon: Open-Source Telemetry Layer For AI Agents
"AI coding agents such as Claude Code, Codex CLI, Cursor, and Claude Cowork run on developer laptops, CI jobs, cloud environments, where they edit files, run commands, and call outside tools. Beacon, an open-source project from Asymptote Labs, configures telemetry for those runtimes and writes a normalized record of what each agent does across local, CI, and cloud-agent surfaces."
https://www.helpnetsecurity.com/2026/06/22/agent-beacon-open-source-telemetry-layer-ai-agents/
https://github.com/Asymptote-Labs/agent-beacon/
- Sniff Out Stale AI Override Advice With This Open Source CLI
"The JavaScript development ecosystem may be a security nightmare, but it's also ripe for improvement. One such tool is the CVE Lite CLI, a free open source dependency scanner that helps reduce the risk of software supply chain attacks. It runs locally and provides actionable vulnerability fixes, if any are available. The tool, endorsed by OWASP, has recently been updated to include override auditing, which has the potential to avert transitive dependency vulnerabilities such as the March 2022 node-ipc package incident."
https://www.theregister.com/security/2026/06/23/sniff-out-stale-ai-override-advice-with-this-open-source-cli/5259853
https://owasp.org/cve-lite-cli/
Vulnerabilities
- PixelSmash – Critical FFmpeg Vulnerability Turns Media Files Into Weapons
"JFrog Security Research recently discovered and disclosed a critical vulnerability in FFmpeg, the world’s most widely deployed media processing framework. The discovered vulnerability, which we’ve named PixelSmash, is CVE-2026-8461 – a heap out-of-bounds write in the MagicYUV decoder (CVSS 8.8 High). We escalated this vulnerability from a simple crash all the way to reliable remote code execution – all it takes is processing a single malicious media file."
https://jfrog.com/blog/pixelsmash-critical-ffmpeg-vulnerability-turns-media-files-into-weapons/
https://www.bleepingcomputer.com/news/security/ffmpeg-fixes-pixelsmash-flaw-in-widely-used-video-decoder/
- Squidbleed (CVE-2026-47729)
"Two weeks ago, we dropped an HTTP/2 bomb cooked up by Codex Cyber. This time, we sent Claude Mythos Preview spelunking through Squid’s guts, and it surfaced clutching a 29-year-old bug. Meet Squidbleed: a Heartbleed-style vulnerability that leaks internal memory from every version of Squid Proxy, in its default configuration."
https://blog.calif.io/p/squidbleed-cve-2026-47729
https://thehackernews.com/2026/06/29-year-old-squid-proxy-bug-squidbleed.html
https://www.securityweek.com/decades-old-squid-proxy-flaw-squidbleed-can-expose-user-data/
- DifyTap: Zafran Discovers How Attackers Can Silently Wiretap AI Data Across Tenants On a Platform Powering 1M+ Apps
"Zafran Security uncovered four vulnerabilities in Dify, the open-source AI platform powering over one million applications and used by enterprises including Volvo, Maersk, Panasonic, and Thermo Fisher. Two were critical severity, two required no authentication, and three carried cross-tenant impact on Dify's multi-tenant cloud service, allowing one customer's data to be exposed to another."
https://www.zafran.io/resources/difytap-zafran-discovers-how-attackers-can-silently-wiretap-ai-data-across-tenants-on-a-platform-powering-1m-apps
https://thehackernews.com/2026/06/researchers-detail-difytap-flaws-in.html
- The Global Namespace Risk: Universal Bucket Hijacking Technique For Cloud Data Exfiltration
"We recently identified a bucket hijacking technique impacting multiple services across major cloud service providers (CSPs). The attack technique exploits a fundamental architectural flaw that is common across cloud providers and could potentially affect other cloud providers as well. Our research reveals that an attacker can silently compromise an organization's active data streams by rerouting data into an external storage bucket. Because a storage bucket name is globally unique, an attacker can simply delete the bucket and then recreate it under the attacker's own account using the same name. This therefore creates a global namespace risk. This bucket hijacking reroutes critical logs and sensitive data directly to the attacker’s environment."
https://unit42.paloaltonetworks.com/cloud-bucket-hijacking-risks/
Malware
- A VBScript Campaign Distributed Through WhatsApp Deploying RMM Software
"In June 2026, we observed a malware campaign distributing malicious VBScript files through direct messages in WhatsApp. The campaign affected users across multiple countries and territories, including Malaysia, Brazil, India, Mexico, Singapore, UK, Spain, Taiwan, Australia, Russia and Vietnam, with the highest number of victims observed in Malaysia. At the time of writing this article, the campaign is still active."
https://securelist.com/whatsapp-vbs-rmm-campaign/120290/
https://www.bleepingcomputer.com/news/security/whatsapp-phishing-attack-uses-fake-business-docs-to-hack-pcs/
https://securityaffairs.com/194031/malware/whatsapp-malware-campaign-hijacks-trust-installs-legitimate-admin-tools.html
- Dismantling FortiBleed: Inside a Russian Fortinet Compromise Operation
"Dismantling FortiBleed investigates an active credential-harvesting operation identified by the SOCRadar Threat Research Unit (STRU). The report traces the campaign from large-scale reconnaissance and credential sourcing through initial access, passive sniffer deployment, offline hash cracking, and targeted exfiltration. STRU assesses the operator to be an Initial Access Broker (IAB) motivated by financial gain, with tooling comments in the Cyrillic alphabet pointing to a likely Russian origin. The investigation began with a single exposed directory flagged by researcher Volodymyr “Bob” Diachenko and expanded into more than 260 operation servers."
https://socradar.io/resources/whitepapers/dismantling-fortibleed-inside-a-russian-fortinet-compromise-operation/
https://www.bleepingcomputer.com/news/security/fortibleed-campaign-used-custom-fortigate-sniffer-to-steal-credentials/
https://securityaffairs.com/194004/hacking/fortibleed-the-most-detailed-breakdown-yet-of-an-active-russian-credential-harvesting-operation.html
- More Than 4,000 Legacy Routers Compromised By AryStinger, Turned Into Global Attack Proxies For Hackers
"On May 20, 2026, the Ministry of State Security's WeChat official account published an article "Your internet is slow, and the culprit turns out to be this!", highlighting that outdated routers are becoming a key entry point for threat actors to conduct cyber espionage. Inspired by this article, we feel it is imperative to take the compromise of old routers seriously. This article introduces an unusual attack campaign observed within QiAnXin XLab's field of view, specifically targeting router devices based on the RTL819X series chips. The mainstream active period of the RTL819X series chips was concentrated around 2012 to 2015. The attackers exploited vulnerabilities disclosed 13 years ago to compromise a large number of old routers, building reconnaissance and attack clusters for use in the pre-intrusion footprinting stage. (Note: The campaign disclosed in this article has no direct relationship to what the Ministry of State Security described.)"
https://blog.xlab.qianxin.com/arystinger-botnet-hijacks-legacy-routers-for-global-attacks-en/
https://thehackernews.com/2026/06/arystinger-malware-infects-4300-legacy.html
https://www.bleepingcomputer.com/news/security/arystinger-botnet-infected-thousands-of-d-link-routers-worldwide/
https://www.bankinfosecurity.com/arystinger-botnet-converts-legacy-routers-to-global-proxies-a-32045
https://www.malwarebytes.com/blog/news/2026/06/thousands-of-d-link-routers-under-control-of-arystinger-botnet
https://securityaffairs.com/193987/security/4300-outdated-routers-hijacked-in-stealthy-spy-infrastructure-by-arystinger-malware.html
- Prinz Eugen Ransomware: a Deep Dive Into a New Go-Based Encryptor
"On May 11, 2026, our research team investigated a customer infected with a brand-new ransomware family called Prinz Eugen. The encryptor is freshly built, written in Go, and more technically deliberate than many first-wave ransomware samples. It performs recursive encryption, prioritizes recently modified files, uses ChaCha20-Poly1305 with integrity checks, and leaves no ransom note on disk. The first public report related to this family is dated April 16, when a public social media post noted that a new ransomware leak portal had appeared to extort Standard Bank Group, a leading financial institution in South Africa."
https://www.threatdown.com/blog/prinz-eugen-ransomware-a-deep-dive-into-a-new-go-based-encryptor/
https://www.bleepingcomputer.com/news/security/new-prinz-eugen-ransomware-prioritizes-recent-files-for-encryption/
- From Package To Postinstall Payload: Inside The Mastra Npm Supply Chain Compromise By Sapphire Sleet
"Microsoft assesses with high confidence that this activity is attributable to Sapphire Sleet, a North Korean state actor that primarily targets the financial sector. The infrastructure and post-compromise TTPs observed in this campaign are consistent with previously documented Sapphire Sleet activity. Sapphire Sleet also conducted a separate npm supply chain compromise affecting Axios, a popular JavaScript HTTP client, in April 2026."
https://www.microsoft.com/en-us/security/blog/2026/06/17/postinstall-payload-inside-mastra-npm-supply-chain-compromise/
https://www.bleepingcomputer.com/news/security/microsoft-links-mastra-ai-supply-chain-attack-to-north-korean-hackers/
https://www.infosecurity-magazine.com/news/mastra-ai-supply-chain-attack/
https://www.securityweek.com/north-korean-hackers-blamed-for-mastra-npm-supply-chain-attack/
- Threat Hunting Beyond Alerts: Finding The Activity Detection Misses
"Threat hunting is meant to uncover malicious activity before it becomes an incident. In reality, it can easily turn into a long expedition through noisy logs, vague indicators, and detection rules that lack the context needed to separate real risk from routine activity. The issue is rarely the analyst’s skill. The real bottleneck is intelligence quality. A standalone IP address, domain, or hash may be useful for blocking, but it does not explain the campaign behind it, the behaviors it leaves on endpoints, or the infrastructure likely to appear next."
https://hackread.com/threat-hunting-alerts-finding-activity-detection-misses/
- Lost In Relocation: Analysis Of a New Loader Distributing CASTLESTEALER
"A previously undocumented Windows loader tracked as OXLOADER is delivering the CASTLESTEALER infostealer via malicious Google Ads, with low detection rates across static engines and sandbox detonations. The loader uses several obfuscation layers (control-flow flattening, opaque predicates, mixed Boolean-Arithmetic), self-modifying decryption stubs, and abuses the Windows .reloc section to stage shellcode. Elastic Security Labs identified OXLOADER in an active campaign targeting one of our customers; CIS-region and Russian-language exclusions point to a financially motivated, Russian-speaking threat actor. We have found no prior public reporting on this family."
https://www.elastic.co/security-labs/oxloader-malware-loader-infostealer
https://thehackernews.com/2026/06/new-oxloader-loader-uses-malicious.html
- Gizmodo Readers Hit With ClickFix Malware Prompts After Account Compromise
"Veteran tech website Gizmodo confirmed a compromise on Saturday after readers reported ClickFix malware prompts appearing on article pages. Users posted screenshots of fake CAPTCHA windows appearing on Gizmodo's site. The attack aims to fool users into running malicious code via their terminals. According to Proofpoint threat researcher Tommy M, the attack was seemingly launched by an affiliate of ErrTraffic, a ClickFix-as-a-service program that allows attackers to deliver whichever malware they choose."
https://www.theregister.com/security/2026/06/22/gizmodo-readers-hit-with-clickfix-malware-prompts-after-account-compromise/5259226
- Analyzing SHEET#CREEP: SHEETCREEP Is Up Again With Different Config Obfuscation
"The Securonix Threat Research team has identified an ongoing espionage campaign, tracked as SHEETCREEP, where threat actors deliver a C# remote access trojan through a diplomatic-themed ISO phishing lure. Building upon the initial discovery and excellent research of the SHEETCREEP malware family by Zscaler’s ThreatLabz, we observed that the RAT abuses the Google Sheets API as its command-and-control (C2) channel, authenticating via an embedded GCP service account private key and using individual spreadsheet tabs per victim for bidirectional communication. Our team successfully extracted the embedded credentials, authenticated to the live C2 spreadsheet, and identified 91 active victim tabs including a high-confidence target located in Pakistan."
https://www.securonix.com/blog/sheetcreep-evolved-google-sheets-rat
- Ababil Of Minab Exposed: LA Metro SCADA Backups And Israeli Victim Data Left Open On An Iranian Staging Server
"Ababil of Minab is a pro-Iranian threat actor that surfaced in late March 2026, claiming destructive intrusions against targets in the United States, Israel, Saudi Arabia, and Turkey, including a confirmed breach of the Los Angeles County Metropolitan Transportation Authority. On May 26, 2026, Gambit Security published a technical report documenting SQL Server deletion, VM partition wipes, Veeam backup destruction, and file system damage across four victim environments, but deliberately withheld the identities of additional targets."
https://hunt.io/blog/ababil-of-minab-iranian-hackers-exposed-la-metro-breach-open-directory
Breaches/Hacks/Leaks
- JaredFromSubway MEV Bot Hacked In $15 Million Crypto Theft
"The JaredFromSubway Ethereum MEV (Maximal Extractable Value) bot suffered a $15 million loss after an attacker manipulated the opportunity-detection logic by creating fake cryptocurrency trading opportunities. The drain was detected on Saturday by blockchain security firm Blockaid, and today, JaredFromSubway confirmed that the attacker used fake pools and tokens to trick the bot into approving helper contracts. According to Blockaid, the attacker deployed contracts designed to appear as profitable MEV opportunities to JaredFromSubway's automated execution system."
https://www.bleepingcomputer.com/news/security/jaredfromsubway-mev-bot-hacked-in-15-million-crypto-theft/
- Hundreds Of AI-Powered iOS Apps Found Exposing Credentials
"Mobile app developers are packing AI features into everything from writing assistants to productivity tools and lifestyle apps. New research shows that securing access to those services remains a challenge. Researchers from Wake Forest University analyzed 444 iOS applications with LLM features and found 282 that exposed exploitable credentials or backend access mechanisms. The affected apps covered 13 categories, including productivity, entertainment, lifestyle, education, utilities, and health and fitness. LLM-powered applications reached 17 billion downloads in 2025 and accounted for 13% of all mobile app downloads."
https://www.helpnetsecurity.com/2026/06/22/llm-api-credential-leakage-ios-apps/
https://arxiv.org/pdf/2606.12212
- Suspected Cyberattack Triggers False Emergency Alerts Across Parts Of Brazil
"Brazil suspended its mobile phone emergency alert system after a suspected cyberattack triggered false warnings on phones across several states. The incident occurred early Saturday when at least a dozen unauthorized alerts were sent through Brazil's Civil Defense Alert system, a platform designed to warn residents about imminent threats such as floods, landslides and other natural disasters."
https://therecord.media/suspected-cyberattack-triggers-false-emergency-alerts-brazil
https://www.theregister.com/security/2026/06/22/brazil-begins-investigating-emergency-alert-system-breach/5259421
- Canadian Utility Fesses Up To Data Breach, But Key Details Remain Off-Grid
"A Canadian power utility says customer data may have walked out the door during a security incident, but isn't yet saying whether the intruders got anywhere near the systems responsible for keeping the lights on. London Hydro, which distributes electricity to more than 160,000 customers in and around London, Ontario, said on Saturday that it is investigating a data security incident that "may have impacted a portion of personal information on some accounts" and has started notifying affected customers."
https://www.theregister.com/security/2026/06/22/canadian-utility-fesses-up-to-data-breach-but-key-details-remain-off-grid/5259309
General News
- Who Pays When You Gate Cyber-Capable AI Models?
"In this interview with Help Net Security, Jaya Baloo, COO & CISO at Aisle, examines the debate over restricting access to cyber-capable AI models. She lays out the strongest argument for gating these tools, then explains where it breaks down for security teams who depend on the same capabilities for defense. Baloo argues that policymakers misread how attackers and defenders operate, that open-weight models cut both ways, and that limiting access can widen the gap between well-resourced organizations and everyone else."
https://www.helpnetsecurity.com/2026/06/22/jaya-baloo-aisle-gating-cyber-capable-ai-models/
- Encrypted DNS Still Tells An Eavesdropper Where To Look
"Encrypted DNS runs across much of the Internet. DNS over TLS, HTTPS, and QUIC keep the contents of a query away from anyone watching a network link. The encryption covers the message inside each packet. The packet still carries plaintext headers, and those values mark a flow as DNS. A new study measures this gap for the Internet of Things and offers a way to close part of it."
https://www.helpnetsecurity.com/2026/06/22/research-encrypted-dns-privacy/
https://arxiv.org/pdf/2606.10097
- What The Latest ShinyHunters Breaches Reveal About Modern Cyberattacks
"The latest wave of breaches attributed to the ShinyHunters cybercrime collective (e.g., University of Nottingham, DentaQuest, 7-Eleven, Medtronic, and Wynn Resorts), reinforces a hard truth security leaders can no longer ignore: attackers are increasingly bypassing traditional perimeter defenses and targeting identities, authentication workflows, SaaS integrations, and trusted access paths instead of exploiting software vulnerabilities directly. Over the past several months, ShinyHunters has been linked to attacks involving Salesforce environments, Snowflake customers, SaaS integrations, and identity platforms such as Okta. Researchers and incident responders have consistently observed the same pattern: stolen credentials, compromised OAuth tokens, social engineering, vishing, and abuse of legitimate access privileges."
https://www.securityweek.com/what-the-latest-shinyhunters-breaches-reveal-about-modern-cyberattacks/
- Stop Your Legacy Infrastructure From Hijacking Your AI Agents
"Earlier this month, I spoke at the Gartner Security & Risk Management Summit about a blind spot most security programs are still not accounting for - how attackers are circumventing AI security programs by using legacy infrastructure to hijack AI agents. AI adoption is moving faster than security programs can account for. Roughly 71% of organizations are piloting AI agents across their enterprise applications, and 31% have already moved them into production workflows."
https://thehackernews.com/2026/06/stop-your-legacy-infrastructure-from.html
- Canada’s Spy Agency Used First-Of-Its-Kind Warrant To Clean Botnet-Infected Devices
"Canada's spy service got a judge's permission to reach into infected servers, home routers, and IoT gear sitting on Canadian soil and neutralize two foreign-run botnets. The Federal Court released a public version of the ruling on June 15. It is the first time the Canadian Security Intelligence Service has used its threat reduction warrant powers this way. The warrant let CSIS alter, degrade, and destroy botnet data on the infected machines and cut the devices loose from the networks."
https://thehackernews.com/2026/06/canadas-spy-agency-used-first-of-its.html
https://www.fct-cf.ca/en/pages/media/news-bulletins/file-c-6-24
- Intel Agencies: Frontier AI Models Will Reshape Cybersecurity Faster Than Expected
"Intelligence agencies for the United States, Canada, UK, Australia and New Zealand are warning that advanced AI models capable of wreaking havoc in the cyber domain are “months away” from being publicly available. In a joint statement, the Five Eyes alliance say they expect the kind of advanced hacking capabilities provided by frontier models like Anthropic’s Fable 5 and OpenAI’s Daybreak to become broadly available to the public within the year, despite efforts by AI companies to withhold them or restrict their access."
https://cyberscoop.com/five-eyes-alliance-say-advanced-ai-hacking-models-months-away/
References
Electronic Transactions Development Agency (ETDA)