ETDA Cyber Threat Intelligence 24 June 2026
Vulnerabilities
- Cisco Unified CM Flaw CVE-2026-20230 Now Exploited In Attacks
"A high-severity SSRF vulnerability, tracked as CVE-2026-20230, in Cisco Unified Communications Manager Server is now being exploited in attacks. Cisco released security updates for the CVE-2026-20230 flaw on June 3, warning that exploitation could give attackers root privileges on the device. "A vulnerability in Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could allow an unauthenticated, remote attacker to conduct server-side request forgery (SSRF) attacks through an affected device," warned Cisco."
https://www.bleepingcomputer.com/news/security/cisco-unified-cm-sme-flaw-cve-2026-20230-now-exploited-in-attacks/
- Security Vulnerabilities Endanger Connections Via Libssh2
"The open-source SSH library libssh2 is vulnerable. Attackers can exploit two security vulnerabilities to attack systems. In the worst case, malicious code can compromise computers. According to currently available information, the patch status is unclear. At the time of this report, there are no reports of attackers already exploiting the vulnerabilities. Companies use the library in sensitive areas of the network, for example, to remotely control routers and IoT devices and to manage servers. Consequently, successful attacks could have far-reaching consequences."
https://www.heise.de/en/news/Security-vulnerabilities-endanger-connections-via-libssh2-11339594.html
- Eight-Year-Old Samsung KNOX Flaw Exposed Millions Of Galaxy Devices To Kernel Attacks
"Researchers found an eight-year-old high-severity vulnerability affecting nearly all Samsung devices from the Galaxy S9 to S25 living within the KNOX kernel. The flaw (CVE‑2026‑20971, CVSS 7.8) could be exploited through the interaction between PROCA and FIVE. PROCA, the process authenticator, is a proprietary subsystem in the kernel of the Samsung devices designed to prevent unauthorized processes from executing. It validates process authenticity using FIVE, the kernel-side integrity subsystem, based on the Linux integrity-measurement model and extended by Samsung."
https://www.securityweek.com/eight-year-old-samsung-knox-flaw-exposed-millions-of-galaxy-devices-to-kernel-attacks/
- Vendor-Signed UEFI Applications Found Vulnerable To Secure Boot Bypass
"Multiple vendor-signed UEFI applications are vulnerable to Secure Boot bypass via a "Bring Your Own Vulnerable Driver" (BYOVD)-style attack. If a target system trusts the affected vendor’s certificate, an attacker can exploit these applications to execute arbitrary code during the early pre-boot phase before the operating system initializes. To mitigate this risk, system administrators should apply updates to the UEFI Forbidden Signature Database (DBX) that revoke trust in the affected vendor-signed binaries, preventing these vulnerable applications from executing during the boot process."
https://kb.cert.org/vuls/id/457458
Malware
- “Free World Cup Stream” Sites Are Serving Scams, Not Football
"With the World Cup on, you’ll find no shortage of websites promising every match, live, in HD, for free. They look convincing, usually with a video player, a “Live Stream Available” indicator, a row of server buttons, maybe a match schedule, and a “Watch Live” button. There’s no signup, no paywall, and seemingly, no catch. But of course there’s a catch. These sites aren’t really in the business of streaming football. What the page is really built to do is fire pop-ups, hidden ads, and redirects through an advertising network we detect as malicious. Instead of watching the match, visitors end up facing scams, malware, and fraudulent downloads."
https://www.malwarebytes.com/blog/threat-intel/2026/06/free-world-cup-stream-sites-are-serving-scams-not-football
https://www.helpnetsecurity.com/2026/06/23/fake-world-cup-streaming-sites-scams/
- Phishing Through Collaboration: Outlook Groups As An Attack Path And The Usage Of CalPhishing
"Fortra Intelligence and Research Experts (FIRE) is tracking phishing activity that abuses Outlook Groups and Microsoft 365 collaboration features to make malicious activity appear routine. The technique shifts malicious intent away from a single phishing email into a trusted productivity workflow. A user may see what looks like a normal group addition, internal update, shared resource, or calendar item before being pushed toward an action."
https://www.fortra.com/blog/phishing-through-collaboration
https://www.helpnetsecurity.com/2026/06/23/microsoft-365-collaboration-features-phishing/
- From PostCSS Masquerading To Windows RAT
"The package name is not random. The legitimate postcss-selector-parser package is widely used across the JavaScript build ecosystem, with npm reporting more than 150M weekly downloads. postcss-minify-selector-parser is not a classic one-character typo. Instead, it sits close enough to the legitimate package to look plausible during a quick dependency review. It uses the same postcss, selector, parser, and css keyword space, and it also depends on the real postcss-selector-parser. At the time of this report, the package remained live and accessible."
https://research.jfrog.com/post/from-postcss-typosquat-to-windows-rat/
https://thehackernews.com/2026/06/malicious-npm-packages-pose-as-postcss.html
https://www.infosecurity-magazine.com/news/lookalike-npm-package-postcss/
- GTA 6 Early Access Is Nothing But a Scam
"A new wave of scam websites is offering something millions of people want: a way to play Grand Theft Auto VI before it comes out. “Get GTA 6 before everyone else.” “Buy VIP early access.” Pay a few hundred dollars in cryptocurrency, enter a payment code, and supposedly unlock the game. But it’s a scam."
https://www.malwarebytes.com/blog/threat-intel/2026/06/gta-6-early-access-is-nothing-but-a-scam
https://www.infosecurity-magazine.com/news/gta-6-scams-emerge-as-preorders/
https://www.helpnetsecurity.com/2026/06/23/gta-6-early-access-scam/
- From Langflow To Monero: Inside CVE-2026-33017 Cryptominer
"This cryptocurrency-mining campaign shows how exposed AI application endpoints are becoming another route into enterprise environments. The payload might be familiar, but the delivery vector is not. A Langflow vulnerability gives commodity cryptominer operators a new front door into systems running AI application infrastructure."
https://www.trendmicro.com/en_us/research/26/f/from-langflow-to-monero-inside-cve-2026-33017-cryptominer.html
- Malware à La Mode: Tracking Dropping Elephant Tradecraft Through a China-Themed Loader Chain
"Rapid7 researchers have identified a sophisticated malware campaign attributed to the threat actor "Dropping Elephant," characterized by the use of a China-themed decoy document to deliver a heavily reworked, in-memory remote access trojan (RAT). This campaign demonstrates advanced evasion techniques, including DLL side-loading with a legitimate Microsoft binary (Fondue.exe) and the use of "Donut" shellcode to map the RAT directly into memory, effectively bypassing traditional disk-based security controls."
https://www.rapid7.com/blog/post/tr-malware-tracking-dropping-elephant-tradecraft-china-themed-loader-chain/
- Cordyceps: The Silent Parasite Consuming Your Supply Chain
"Novee identified a systemic class of exploitable CI/CD vulnerabilities across the open-source supply chain – command injection, broken authentication logic, artifact poisoning chains, and privilege escalation in GitHub Actions workflows. Our team scanned roughly 30,000 high-impact repositories, validated hundreds of fully exploitable attack chains, and received confirmation of fixes at dozens of organizations, including Microsoft, Google, Apache, Cloudflare, and the Python Software Foundation. There are millions of repositories that are potentially affected by this same pattern."
https://novee.security/blog/cordyceps/
https://www.darkreading.com/application-security/cordyceps-malicious-pull-requests-developer-workflows
https://hackread.com/cordyceps-ci-cd-flaw-microsoft-google-apache-repos-hijack/
- Inside The FortiBleed Open Directory: A Technical Analysis Of What The Attacker Left Behind
"CloudSEK’s threat intelligence team is tracking FortiBleed, an active, large-scale credential-compromise campaign targeting internet-facing Fortinet FortiGate firewalls and SSL VPN gateways worldwide. Despite the name, FortiBleed is not a software vulnerability and is not linked to any newly disclosed Fortinet flaw or zero-day. It is the label given to a verified dataset of working device credentials that a threat group assembled through credential reuse, brute force, and offline hash cracking against exposed devices."
https://www.cloudsek.com/blog/inside-the-fortibleed-open-directory-a-technical-analysis-of-what-the-attacker-left-behind
https://www.helpnetsecurity.com/2026/06/23/fortibleed-investigation-remediation/
- Payouts King Ransomware Initial Access Broker Deploys New Edgecution Malware
"Zscaler ThreatLabz has been monitoring ransomware operations that align with tactics previously employed by an initial access broker affiliated with Payouts King ransomware. In recent attacks, the threat actor leverages social engineering tactics paired with an innovative malware delivery mechanism. The technique utilizes a malicious Microsoft Edge browser extension that exploits the Chrome native messaging protocol to interact with host-native applications beyond the confines of the browser sandbox. By abusing this interface, the attackers gain direct host access, enabling them to manipulate the local filesystem, launch processes, and execute arbitrary code on the compromised host. We have dubbed this web browser-based malware Edgecution."
https://www.zscaler.com/blogs/security-research/payouts-king-ransomware-initial-access-broker-deploys-new-edgecution
Breaches/Hacks/Leaks
- Xsolis Data Breach Affects 1.4 Million Individuals
"Healthcare technology company Xsolis, Inc. has disclosed a data breach affecting nearly 1.4 million individuals. Tennessee-based Xsolis provides utilization management and revenue cycle solutions for hospitals, health systems, and payers. The company published a data security notice in early June, revealing that unauthorized activity was detected on its systems on January 22. The intrusion resulted from a targeted phishing attack carried out two days earlier."
https://www.securityweek.com/xsolis-data-breach-affects-1-4-million-individuals/
https://www.bleepingcomputer.com/news/security/healthtech-firm-xolis-suffers-data-breach-impacting-14-million-people/
https://securityaffairs.com/194067/cyber-crime/xsolis-data-breach-impacts-1-4-million-people.html
https://www.bankinfosecurity.com/xsolis-hack-affecting-14m-raises-ai-vendor-risk-concerns-a-32051
- Tata Electronics Confirms Cyberattack As Hackers Leak Data
"Tata Electronics has confirmed in a statement to BleepingComputer that it was the target of a cyberattack that impacted parts of its IT infrastructure. The company emphasizes that its operations continued to run normally and were not affected by the incident. "A few weeks ago, Tata Electronics identified a cybersecurity incident on some of our systems,” a Tata Electronics spokesperson told BleepingComputer."
https://www.bleepingcomputer.com/news/security/tata-electronics-confirms-cyberattack-as-hackers-leak-data/
https://therecord.media/tata-electronics-confirms-cyberattack
- LastPass Confirms Data Breach In Klue Supply Chain Attack
"LastPass announced that hackers accessed customer data from its Salesforce environment after stealing the company's OAuth tokens in the Klue supply chain attack earlier this month. The password management platform says its products, services, and infrastructure were not affected by the incident and that customer vaults remained secure. “On June 12th, LastPass was made aware of an incident that occurred at Klue (klue.com), a third-party market intelligence platform utilized by our go-to-market teams, which integrates with our Salesforce and Gong systems,” LastPass says."
https://www.bleepingcomputer.com/news/security/lastpass-confirms-data-breach-in-klue-supply-chain-attack/
https://blog.lastpass.com/posts/klue-supply-chain-incident-and-lastpass-response
https://www.darkreading.com/cyberattacks-data-breaches/scope-salesforce-attacks-expands-icarus-leaks-data
https://hackread.com/lastpass-customer-data-breach-klue-oauth-token/
General News
- Nearly Half Of LG Smart TV Apps Are Laced With Proxies
"Everyone worries about the apps on their phone. Almost no one looks at the ones on their TV. We scanned 6,038 of them across LG and Samsung; 2,058 were selling your IP address. On screen, it's a relaxing fish tank. Or a clock. Or solitaire. Or puppies. Under the hood, it is a residential proxy: software that can send other people's internet traffic out through your living room. And we found it everywhere."
https://spur.us/blog/smart-tv-apps-residential-proxy-sdks
https://www.helpnetsecurity.com/2026/06/23/tv-residential-proxy-sdk/
- Only 7% Of Companies Are Ready For The AI Agents They Deployed
"Most organizations now run or pilot AI agents that operate on company data with limited human direction at each step, a share that reaches 88% in Veeam Software’s Data and AI Trust Gap report. The systems that are supposed to keep an eye on them have not caught up. That gap is the heart of the report. Most executives say their data problems are already holding their AI back. The issues are familiar ones: data that is out of date, data that contradicts itself, and data locked away in systems that do not talk to each other. An agent acting on shaky data does more than make a single mistake. It can repeat that mistake across thousands of decisions before anyone notices."
https://www.helpnetsecurity.com/2026/06/23/ai-trust-gap-research/
- Daybreak: Tools For Securing Every Organization In The World
"We’re expanding Daybreak to help democratize patching vulnerable software at machine speed. For example, we’ve applied our models to discover and generate patches for critical vulnerabilities in major browsers, network infrastructure, and operating systems such as FreeBSD and the Linux kernel. To scale the impact of these capabilities:"
https://openai.com/index/daybreak-securing-the-world/
https://thehackernews.com/2026/06/openai-expands-daybreak-with-gpt-55.html
https://www.infosecurity-magazine.com/news/openai-daybreak-gpt-5-5-cyber/
https://www.securityweek.com/openai-refocuses-cybersecurity-efforts-on-patching-over-discovery/
https://www.helpnetsecurity.com/2026/06/23/openai-expanded-daybreak-cybersecurity-initiative/
- Scattered Spider Teens Convicted Of TfL Cyber-Attack
"Two British youngsters who hacked Transport for London (TfL) in 2024 have pleaded guilty to their crimes, according to the National Crime Agency (NCA). Thalha Jubair, 20, from East London, and Owen Flowers, 18, from Walsall, West Midlands, were teenagers when they hacked London’s transport authority between August 31 and September 3 2024. Both are said to be members of the infamous Scattered Spider collective. The incident cost TfL £29m ($38m) in loss and recovery costs, according to the NCA. It apparently impacted TfL’s customer refund system for some time, downed the application system for Oyster photocards for children and young people, and forced all 28,000 employees to attend a TfL office for a password reset."
https://www.infosecurity-magazine.com/news/scattered-spider-teens-convicted/
https://therecord.media/guilty-plea-tfl-cyberattack-scattered-spider-members
https://www.bleepingcomputer.com/news/security/scattered-spider-members-plead-guilty-to-hacking-transport-for-london/
https://hackread.com/scattered-spider-hackers-guilty-tfl-cyberattack/
https://www.bankinfosecurity.com/2-british-men-plead-guilty-to-transport-for-london-hacks-a-32048
- Algerian Man Extradited To US For Running Cybercrime Marketplaces
"Abdellah Belmili, a 26-year-old Algerian national, was recently arrested in Spain and extradited to the United States, where he faces up to 30 years in prison for allegedly running two cybercrime marketplaces. According to the US Justice Department, Belmili, also known as Dila Belmili and Spox, was the administrator of a cybercrime marketplace called Market0Day between September and December 2020. Authorities said Spox was known for developing phishing kits targeting major American financial institutions."
https://www.securityweek.com/algerian-man-extradited-to-us-for-running-cybercrime-marketplaces/
https://cyberscoop.com/algerian-man-charged-cybercrime-marketplaces/
- He Thought He Was Secure; His Phone Number Got Stolen Anyway
"Torsten George, chief cybersecurity evangelist at ID Dataweb, Inc., felt helpless as he sat with his personal cell phone up to one ear and realized he was in the throes of an active attack. The person on the other end claimed to be an AT&T customer service representative looking to give George a discount for being a loyal customer. But it didn't take long to recognize that the “representative” was a threat actor with inside information on George's account history, derived through social engineering."
https://www.darkreading.com/cyber-risk/how-a-sim-swap-attack-led-to-a-near-account-takeover
- CISO Conversations: Carl Froggett – Combining CISO And CIO At Deep Instinct
"Carl Froggett combines CISO and CIO. He currently occupies both positions at Deep Instinct. Before then, he was CISO at Citi for almost 17 years. Froggett has long believed the two roles overlap, making a combined role attractive. But it doesn’t work for all companies. Citi has more than 200,000 employees. Deep Instinct has fewer than 200. Combining CISO and CIO would be too much for one person at Citi, but works well at Deep Instinct."
https://www.securityweek.com/ciso-conversations-carl-froggett-combining-ciso-and-cio-at-deep-instinct/
- Justice Department Seizes Backend Infrastructure Used By The Huione Group For Money Laundering Services
"Today, the Justice Department announced the seizure of a cloud computing account used by subsidiaries of the Huione Group, a Cambodia-based corporate conglomerate. These subsidiaries are alleged to have assisted individuals and organizations in transferring proceeds of cryptocurrency investment frauds, cyber scams, and other criminal activities on cryptocurrency blockchains and allowing for the conversion of the proceeds of these schemes to the legitimate banking sector undetected. The seized account hosted backend infrastructure for the subsidiaries."
https://www.justice.gov/opa/pr/justice-department-seizes-backend-infrastructure-used-huione-group-money-laundering-services
https://home.treasury.gov/news/press-releases/sb0538
https://therecord.media/feds-seize-alleged-cyber-scam-infrastructure-southeast-asia
https://cyberscoop.com/doj-huione-group-cybercrime-seizure/
- Using Reddit To Manipulate AI Search Results Is Surprisingly Easy
"A Reddit comment that takes only a few seconds to write can end up influencing the answers generated by AI research tools. A Cornell Tech study found that a short snippet of user-generated text, sometimes as little as 13 words, was enough to affect the output of deep-research agents, AI systems that search the web, gather information from multiple sources, and generate reports with citations. The risks of relying on community-generated content are already familiar to many internet users. Google’s AI Overviews famously recommended adding glue to pizza sauce after pulling information from an old joke Reddit post."
https://www.helpnetsecurity.com/2026/06/23/reddit-ai-search-poisoning-research/
https://arxiv.org/pdf/2605.24245
- Inside The Dark Web: Stolen Identities For 95¢, Malware, And Scams-For-Hire
"Most people have heard of the dark web, but few understand what it actually looks like or what goes on there. To separate fact from fiction, our research team spent 48 hours exploring it firsthand and documenting what we found. The dark web isn’t inherently bad. It also serves legitimate purposes, providing a layer of privacy for journalists, whistleblowers, activists, and others who need to communicate anonymously. Accessing it typically requires the Tor browser, and a number of reputable organizations operate official dark web sites."
https://www.malwarebytes.com/blog/threat-intel/2026/06/inside-the-dark-web-stolen-identities-for-95¢-malware-and-scams-for-hire
- Software-Defined Warfare: Crossing The Chasm In Two Software Areas
"Software-defined warfare is today’s reality for national security, shifting the emphasis in military operations from hardware to software, “the core of every weapon and supporting system” fielded for defense. The Atlantic Council’s 2025 Commission on Software-Defined Warfare: Final Report defines software-defined warfare as the “continuous integration and delivery of cutting-edge technology and leading interoperable software into legacy and future defense systems.” The report emphasizes the need for speed through artificial intelligence (AI) by calling on national security organizations to “acquire and sustain unified, shared platforms that support and accelerate the end-to-end development, deployment, and governance of AI solutions.”"
https://www.sei.cmu.edu/blog/software-defined-warfare-crossing-the-chasm-in-two-software-areas/
- Fake AI Agent Skill Passed Security Scans And Reportedly Reached 26,000 Agents
"Security firm AIR built a fake AI agent skill, pushed it through a popular skill marketplace and an Instagram ad, and says it reached roughly 26,000 agents, including some on corporate accounts. Every skill security scanner the firm tested it against marked it safe. The payload was harmless by design: it collected the user's email address and did nothing else. The point was to show that none of the signals people lean on to trust a skill caught it: not the scanners, not the GitHub stars, not the open-source reputation."
https://thehackernews.com/2026/06/fake-ai-agent-skill-passed-security.html
References
Electronic Transactions Development Agency (ETDA)