<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0"><channel><title><![CDATA[ETDA Cyber Threat Intelligence 25 June 2026]]></title><description><![CDATA[<p dir="auto"><strong>Industrial Sector</strong></p>
<ul>
<li><strong>Where IT Meets OT And Railway Cybersecurity Gets Harder</strong><br />
"In this interview with Help Net Security, Jorge Aldegunde, Global Head of Railway Services at DNV, talks through what happens when old operational technology meets newer IT in monorail systems. He explains why open networks widened the attack surface, how teams decide whether to patch a signalling flaw without stopping trains, and who carries the liability. Aldegunde covers regulation like CRA and NIS2, training veteran engineers to think about threat actors, and spotting intruders who have been inside for months. His main rule: manage your risks and plan for resilience, not perfection."<br />
<a href="https://www.helpnetsecurity.com/2026/06/24/jorge-aldegunde-dnv-railway-cybersecurity/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.helpnetsecurity.com/2026/06/24/jorge-aldegunde-dnv-railway-cybersecurity/</a></li>
</ul>
<p dir="auto"><strong>New Tooling</strong></p>
<ul>
<li><strong>Praxen: Open-Source AI Agent Behavior Verification</strong><br />
"Praxen is an open-source tool with a simple job: it checks whether an AI agent does what it claims to do. The tool takes an agent’s declared policy, looks at how the agent operates, and points out every spot where the two drift apart. It is the reference implementation of Agent Behavior Verification, a control model that hands each agent an authorized role and then confirms the controls hold that agent to it. The idea borrows from how companies manage their own employees. Every person gets a defined set of permissions, and the same logic now applies to software agents, where each one carries a scope of activity it is allowed to perform."<br />
<a href="https://www.helpnetsecurity.com/2026/06/24/praxen-open-source-ai-agent-behavior-verification/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.helpnetsecurity.com/2026/06/24/praxen-open-source-ai-agent-behavior-verification/</a><br />
<a href="https://github.com/open-agent-ai-security/praxen" target="_blank" rel="noopener noreferrer nofollow ugc">https://github.com/open-agent-ai-security/praxen</a></li>
</ul>
<p dir="auto"><strong>Vulnerabilities</strong></p>
<ul>
<li><strong>CISA Adds Four Known Exploited Vulnerabilities To Catalog</strong><br />
"CISA has added four new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.<br />
CVE-2025-67038 Lantronix EDS5000 Code Injection Vulnerability<br />
CVE-2026-34908 Ubiquiti UniFi OS Improper Access Control Vulnerability<br />
CVE-2026-34909 Ubiquiti UniFi OS Path Traversal Vulnerability<br />
CVE-2026-34910 Ubiquiti UniFi OS Improper Input Validation Vulnerability"<br />
<a href="https://www.cisa.gov/news-events/alerts/2026/06/23/cisa-adds-four-known-exploited-vulnerabilities-catalog" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.cisa.gov/news-events/alerts/2026/06/23/cisa-adds-four-known-exploited-vulnerabilities-catalog</a><br />
<a href="https://www.bleepingcomputer.com/news/security/cisa-warns-of-max-severity-ubiquiti-flaws-exploited-in-attacks/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.bleepingcomputer.com/news/security/cisa-warns-of-max-severity-ubiquiti-flaws-exploited-in-attacks/</a><br />
<a href="https://thehackernews.com/2026/06/cisa-warns-critical-lantronix-eds5000.html" target="_blank" rel="noopener noreferrer nofollow ugc">https://thehackernews.com/2026/06/cisa-warns-critical-lantronix-eds5000.html</a><br />
<a href="https://www.securityweek.com/critical-ubiquiti-vulnerabilities-in-attackers-crosshairs/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.securityweek.com/critical-ubiquiti-vulnerabilities-in-attackers-crosshairs/</a><br />
<a href="https://securityaffairs.com/194142/security/u-s-cisa-adds-ubiquiti-unifi-os-and-lantronix-eds5000-plugin-flaws-to-its-known-exploited-vulnerabilities-catalog.html" target="_blank" rel="noopener noreferrer nofollow ugc">https://securityaffairs.com/194142/security/u-s-cisa-adds-ubiquiti-unifi-os-and-lantronix-eds5000-plugin-flaws-to-its-known-exploited-vulnerabilities-catalog.html</a></li>
<li><strong>When Defenses Become Attack Surface: CVE-2026-20971, a Samsung Kernel UAF</strong><br />
"Our team found a UAF vulnerability in Samsung's Android kernel. The vulnerability affected Samsung Android devices starting at Galaxy S9 through Galaxy S25, as well as additional devices (we tested S21, S22, S24, A54). Both Qualcomm and Exynos chipset based devices were impacted. The vulnerability could be exploited from any untrusted app, and allowed attackers to obtain multiple memory corruption primitives, potentially leading to complete device takeover."<br />
<a href="https://lucidbitlabs.com/blog/when-defenses-become-attack-surface/" target="_blank" rel="noopener noreferrer nofollow ugc">https://lucidbitlabs.com/blog/when-defenses-become-attack-surface/</a><br />
<a href="https://securityaffairs.com/194090/security/samsung-knox-kernel-uaf-exposes-millions-of-galaxy-devices.html" target="_blank" rel="noopener noreferrer nofollow ugc">https://securityaffairs.com/194090/security/samsung-knox-kernel-uaf-exposes-millions-of-galaxy-devices.html</a></li>
<li><strong>Researchers Trick AI Browsers Into Leaking Credentials</strong><br />
"A range of AI-powered web browsers have been tricked into abandoning their safety guardrails and leaking user data after being convinced they were playing a game. Researchers at LayerX demonstrated the technique, which they named BioShocking, against six agentic browsers and plugins, including OpenAI's ChatGPT Atlas, Perplexity's Comet and Anthropic's Claude extension. In a proof-of-concept (PoC) attack, all six were steered into copying a user's login credentials and sending them to an attacker."<br />
<a href="https://www.infosecurity-magazine.com/news/bioshocking-ai-browser-prompt/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.infosecurity-magazine.com/news/bioshocking-ai-browser-prompt/</a></li>
</ul>
<p dir="auto"><strong>Malware</strong></p>
<ul>
<li><strong>Backdoor.Mistic: New Backdoor May Be Linked To Ransomware Access Broker</strong><br />
"Stealthy new backdoor used in cybercrime intrusions since April 2026 may be associated with Woodgnat (aka KongTuke), an initial access broker whose ModeloRAT toolkit has fed Qilin and other ransomware operations."<br />
<a href="https://www.security.com/threat-intelligence/new-mistic-backdoor-modeloRAT" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.security.com/threat-intelligence/new-mistic-backdoor-modeloRAT</a><br />
<a href="https://www.bleepingcomputer.com/news/security/stealthy-mistic-backdoor-linked-to-ransomware-access-broker-kongtuke/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.bleepingcomputer.com/news/security/stealthy-mistic-backdoor-linked-to-ransomware-access-broker-kongtuke/</a><br />
<a href="https://www.securityweek.com/new-mistic-rat-opens-door-to-several-ransomware-families/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.securityweek.com/new-mistic-rat-opens-door-to-several-ransomware-families/</a></li>
<li><strong>Iran-Linked MuddyWater Poses As Ransomware Gang To Mask Cyber Espionage</strong><br />
"The line between ransomware activity and nation-state backed cyber campaigns is blurring, as state-sponsored cyber espionage groups adopt tools and techniques associated with cyber criminals to disguise their intelligence operations, a report has warned. Analysis by cybersecurity researchers at NCC Group has described how MuddyWater, a hacking and cyber espionage group associated with Iran’s Ministry of Intelligence and Security, posed as the Chaos ransomware group to hide its espionage activity."<br />
<a href="https://www.infosecurity-magazine.com/news/iranlinked-muddywater-poses-as/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.infosecurity-magazine.com/news/iranlinked-muddywater-poses-as/</a></li>
<li><strong>“Total Access To All Your Devices.” Sextortion Scammers Strike Again</strong><br />
"At the moment, we’re seeing all kinds of sextortion emails. The scam is cheap to run, easy to automate, and apparently profitable enough that cybercriminals keep using it. Some criminals put more effort into their messages than others. Sextortion emails are messages claiming that scammers recorded you through your webcam while you watched pornography and now demand payment. They have been around for years and keep evolving with small changes in wording and fake technical detail."<br />
<a href="https://www.malwarebytes.com/blog/scams/2026/06/total-access-to-all-your-devices-sextortion-scammers-strike-again" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.malwarebytes.com/blog/scams/2026/06/total-access-to-all-your-devices-sextortion-scammers-strike-again</a></li>
<li><strong>StrikeShark: Investigating a New Campaign Delivering Cobalt Strike Through SharkLoader</strong><br />
"During our research of activity affecting a diplomatic organization in Indonesia, we uncovered a previously undocumented malware family that we have named SharkLoader. What initially appeared to be an isolated case quickly expanded into a broader campaign as we identified additional SharkLoader infections across multiple countries and sectors. Our investigation revealed that SharkLoader serves as a loader designed to deploy Cobalt Strike Beacon on compromised systems. We observed the threat actor deploying SharkLoader through exploitation of internet-facing applications, including Microsoft Exchange, Microsoft SharePoint, and Openfire Server, as well as through malware-based delivery mechanisms."<br />
<a href="https://securelist.com/strikeshark-campaign/120326/" target="_blank" rel="noopener noreferrer nofollow ugc">https://securelist.com/strikeshark-campaign/120326/</a></li>
<li><strong>The Broker Behind FortiBleed: Anatomy Of a Russian-Speaking Access Operation</strong><br />
"At Mysterium VPN, we often think about who gets to sit in the middle of someone else's connection. Usually, that means a camera, a router, or an internet provider. This time, it’s something heavier: a firewall. The exact device a company buys to keep strangers out of its network turned out to be the front door a criminal crew walked through — and then cataloged, priced, and put up for sale. In mid-June 2026, security researcher Volodymyr "Bob" Diachenko posted on LinkedIn that he had stumbled upon a live, exposed server containing what appeared to be working login credentials for tens of thousands of Fortinet firewalls (Fortinet is one of the world's largest makers of network security hardware)."<br />
<a href="https://www.mysteriumvpn.com/news/fortibleed-access-broker" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.mysteriumvpn.com/news/fortibleed-access-broker</a><br />
<a href="https://securityaffairs.com/194132/cyber-crime/fortibleed-the-broker-who-turned-73000-firewalls-into-a-product-catalog.html" target="_blank" rel="noopener noreferrer nofollow ugc">https://securityaffairs.com/194132/cyber-crime/fortibleed-the-broker-who-turned-73000-firewalls-into-a-product-catalog.html</a></li>
<li><strong>MacOS.Gaslight | Rust Backdoor Turns Prompt Injection On The Analyst, Not The Sandbox</strong><br />
"In early June, an Apple XProtect update surfaced a Mach-O sample that had been uploaded to VirusTotal on May 22. The XProtect rule targets the file purely on its hash rather than on any internal strings or bytecode, yet the sample remains undetected by static engines on VirusTotal at the time of writing. The binary is ad hoc signed and carries the identifier endpoint-macos-aarch64-5555494492fc075f441637fb9d894913dde3a2ea."<br />
<a href="https://www.sentinelone.com/labs/macos-gaslight-rust-backdoor-turns-prompt-injection-on-the-analyst-not-the-sandbox/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.sentinelone.com/labs/macos-gaslight-rust-backdoor-turns-prompt-injection-on-the-analyst-not-the-sandbox/</a><br />
<a href="https://www.infosecurity-magazine.com/news/macos-gaslight-rust-backdoor/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.infosecurity-magazine.com/news/macos-gaslight-rust-backdoor/</a></li>
<li><strong>Zero-Day Exploitation Of Vulnerability (CVE-2026-20245) In Cisco Catalyst SD-WAN Manager</strong><br />
"In early 2026, Mandiant identified a threat actor targeting SD-WAN infrastructure at a service provider. After gaining initial access, the threat actor exploited a zero-day vulnerability (CVE-2026-20245) in Cisco Catalyst SD-WAN to escalate privileges from a compromised administrative account to root-level access. The vulnerability stems from the device’s file upload feature lacking the ability to properly filter malicious data."<br />
<a href="https://cloud.google.com/blog/topics/threat-intelligence/zero-day-exploitation-cisco-catalyst-sd-wan-manager" target="_blank" rel="noopener noreferrer nofollow ugc">https://cloud.google.com/blog/topics/threat-intelligence/zero-day-exploitation-cisco-catalyst-sd-wan-manager</a><br />
<a href="https://www.bleepingcomputer.com/news/security/mandiant-reveals-how-cisco-sd-wan-zero-day-attacks-gained-root-access/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.bleepingcomputer.com/news/security/mandiant-reveals-how-cisco-sd-wan-zero-day-attacks-gained-root-access/</a><br />
<a href="https://www.darkreading.com/cyberattacks-data-breaches/attackers-hit-cisco-sd-wan-flaw-2-months-before-disclosure" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.darkreading.com/cyberattacks-data-breaches/attackers-hit-cisco-sd-wan-flaw-2-months-before-disclosure</a><br />
<a href="https://cyberscoop.com/cisco-sd-wan-zero-day-exploit-communications-provider/" target="_blank" rel="noopener noreferrer nofollow ugc">https://cyberscoop.com/cisco-sd-wan-zero-day-exploit-communications-provider/</a></li>
<li><strong>GhostShell (MB-0009): Targeting Ukraine’s UAV Operations And Defense Supply Chain</strong><br />
"Today, we are taking a look at malware linked to yet another threat actor, one that has been active since at least February 2026. Since I could not associate the malware with any previously attributed threat actor, I am naming the actor GhostShell (you’ll find out why later in this article) and assigning it the Malwarebox identifier MB-0009."<br />
<a href="https://blog.synapticsystems.de/ghostshell-mb-0009-targeting-ukraines-uav-operations-and-defense-supply-chain/" target="_blank" rel="noopener noreferrer nofollow ugc">https://blog.synapticsystems.de/ghostshell-mb-0009-targeting-ukraines-uav-operations-and-defense-supply-chain/</a><br />
<a href="https://hackread.com/ghostshell-hacking-group-ukraine-drone-defense-sector/" target="_blank" rel="noopener noreferrer nofollow ugc">https://hackread.com/ghostshell-hacking-group-ukraine-drone-defense-sector/</a></li>
</ul>
<p dir="auto"><strong>Breaches/Hacks/Leaks</strong></p>
<ul>
<li><strong>KDDI Breach Affects Six Japanese ISPs, Exposes 14.2 Email Credentials</strong><br />
"Japanese telecommunications operator KDDI has confirmed it suffered a breach that has affected five other internet services providers (ISPs) and potentially exposed 14.2 customer email accounts. In a public statement released on June 23, KDDI Corporation said an unauthorized actor unlawfully gained access to an email system it provides to several Japanese ISPs, meaning that data linked to customers of these email services may have leaked. Specifically, KDDI said up to 14.22 million email addresses and passwords have likely been compromised."<br />
<a href="https://www.infosecurity-magazine.com/news/kddi-breach-japanese-telcos/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.infosecurity-magazine.com/news/kddi-breach-japanese-telcos/</a></li>
<li><strong>Indian Auto Giant Bajaj Auto Hit By Ransomware Incident</strong><br />
"India's automotive giant Bajaj Auto disclosed on Tuesday that it had been hit by a ransomware attack affecting its operations and a technology-focused subsidiary. The company said in a regulatory filing that it became aware of the incident on Tuesday morning and had taken precautionary measures to contain its impact. It added that its technical team and cybersecurity experts responded immediately and that mitigation efforts had so far been "successful.""<br />
<a href="https://therecord.media/indian-auto-giant-bajaj-auto-hit-by-ransomware" target="_blank" rel="noopener noreferrer nofollow ugc">https://therecord.media/indian-auto-giant-bajaj-auto-hit-by-ransomware</a></li>
<li><strong>German Rail Services Resume After Wireless Communications Outage</strong><br />
"Germany's state-owned rail operator Deutsche Bahn restored train services early Wednesday after a technical failure in its railway communications network brought rail traffic across the country to a standstill for roughly two hours overnight, disrupting both long-distance and regional services. The outage, which began late Tuesday, halted trains nationwide and also affected S-Bahn commuter services connecting major cities with surrounding suburbs. While services resumed Wednesday morning, Deutsche Bahn warned passengers to expect lingering delays and cancellations."<br />
<a href="https://therecord.media/deutsche-bahn-railroad-gsmr-outage" target="_blank" rel="noopener noreferrer nofollow ugc">https://therecord.media/deutsche-bahn-railroad-gsmr-outage</a></li>
</ul>
<p dir="auto"><strong>General News</strong></p>
<ul>
<li><strong>Security Is No Longer An IT Problem: Why Boards Must Rethink Cyber Resilience In The Age Of AI</strong><br />
"For years, organisations approached email security as a technology problem. Deploy a secure email gateway (SEG), add filtering tools, automate remediation workflows, and assume the problem was solved. That approach no longer works. Today’s attackers are using AI to create polymorphic phishing campaigns that continuously evolve to evade traditional detection systems. They rotate URLs, vary sender identities, change subject lines, and modify content at scale. The result is that many organisations are discovering that even sophisticated email security tools and Microsoft 365 protections cannot stand alone against modern threats."<br />
<a href="https://cofense.com/blog/security-is-no-longer-an-it-problem-why-boards-must-rethink-cyber-resilience-in-the-age-of-ai" target="_blank" rel="noopener noreferrer nofollow ugc">https://cofense.com/blog/security-is-no-longer-an-it-problem-why-boards-must-rethink-cyber-resilience-in-the-age-of-ai</a></li>
<li><strong>Scaling Cybercrime Disruption Through Innovation And AI</strong><br />
"Microsoft is taking a new approach to fighting cybercrime, targeting the cyberattack supply chain, not just individual services. In a case unsealed today, we are simultaneously targeting two widely used cybercrime tools, Amadey and StealC, after AI-assisted analysis revealed they rely on the same infrastructure. This action goes after the cybercrime “assembly line,” where coordinated tools drive ransomware, financial fraud, and disruptions to public services. Amadey and StealC are often used alongside each other: Amadey helps attackers gain access to devices, while StealC steals passwords and sensitive information. Together, they form a critical link in the chain. In the first two weeks of May alone, Amadey and StealC were linked to more than 140,000 infected computers globally, highlighting how widely they are used."<br />
<a href="https://blogs.microsoft.com/on-the-issues/2026/06/24/scaling-cybercrime-disruption-through-innovation-and-ai/" target="_blank" rel="noopener noreferrer nofollow ugc">https://blogs.microsoft.com/on-the-issues/2026/06/24/scaling-cybercrime-disruption-through-innovation-and-ai/</a><br />
<a href="https://www.europol.europa.eu/media-press/newsroom/news/global-cyber-strike-disrupts-socgholish-amadey-and-stealc-malware-networks" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.europol.europa.eu/media-press/newsroom/news/global-cyber-strike-disrupts-socgholish-amadey-and-stealc-malware-networks</a><br />
<a href="https://www.proofpoint.com/us/blog/threat-insight/stealc-you-later-proofpoint-and-ibm-x-force-support-operation-endgame" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.proofpoint.com/us/blog/threat-insight/stealc-you-later-proofpoint-and-ibm-x-force-support-operation-endgame</a><br />
<a href="https://www.bleepingcomputer.com/news/security/amadey-stealc-malware-operations-disrupted-in-operation-endgame-action/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.bleepingcomputer.com/news/security/amadey-stealc-malware-operations-disrupted-in-operation-endgame-action/</a><br />
<a href="https://thehackernews.com/2026/06/amadey-and-stealc-malware-network.html" target="_blank" rel="noopener noreferrer nofollow ugc">https://thehackernews.com/2026/06/amadey-and-stealc-malware-network.html</a><br />
<a href="https://therecord.media/stealc-amadey-socgholish-malware-takedown-europol-microsoft" target="_blank" rel="noopener noreferrer nofollow ugc">https://therecord.media/stealc-amadey-socgholish-malware-takedown-europol-microsoft</a><br />
<a href="https://cyberscoop.com/microsoft-amadey-stealc-takedown/" target="_blank" rel="noopener noreferrer nofollow ugc">https://cyberscoop.com/microsoft-amadey-stealc-takedown/</a><br />
<a href="https://www.bankinfosecurity.com/infostealers-stealc-amadey-disrupted-in-police-crackdown-a-32062" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.bankinfosecurity.com/infostealers-stealc-amadey-disrupted-in-police-crackdown-a-32062</a><br />
<a href="https://www.infosecurity-magazine.com/news/operation-endgame-stealc-amadey/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.infosecurity-magazine.com/news/operation-endgame-stealc-amadey/</a><br />
<a href="https://hackread.com/operation-endgame-stealc-amadey-socgholish-malware/" target="_blank" rel="noopener noreferrer nofollow ugc">https://hackread.com/operation-endgame-stealc-amadey-socgholish-malware/</a><br />
<a href="https://www.securityweek.com/microsoft-and-allies-smash-shared-infrastructure-of-amadey-and-stealc-malware/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.securityweek.com/microsoft-and-allies-smash-shared-infrastructure-of-amadey-and-stealc-malware/</a><br />
<a href="https://securityaffairs.com/194173/cyber-crime/europol-disrupts-stealc-and-amadey-malware-infrastructure-in-operation-endgame.html" target="_blank" rel="noopener noreferrer nofollow ugc">https://securityaffairs.com/194173/cyber-crime/europol-disrupts-stealc-and-amadey-malware-infrastructure-in-operation-endgame.html</a><br />
<a href="https://www.helpnetsecurity.com/2026/06/24/operation-endgame-stealc-amadey-malware-disrupted/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.helpnetsecurity.com/2026/06/24/operation-endgame-stealc-amadey-malware-disrupted/</a></li>
<li><strong>Trust No One: Automating MacOS Privilege Escalation At Scale</strong><br />
"A novel macOS privilege escalation technique allows standard user accounts to silently disable leading enterprise security products—including major Endpoint Detection and Response (EDR) and Mobile Device Management (MDM) solutions—without requiring administrator credentials, kernel exploits, or triggering security alerts. The attack exploits a fundamental flaw in how macOS XPC services establish trust boundaries by chaining CDHash kernel cache exploitation with NIB payload injection to impersonate trusted application components. Consequently, any non-root user can invoke arbitrary privileged XPC methods with zero authentication. This exposure exists widely across applications implementing inter-component XPC communication in the macOS ecosystem."<br />
<a href="https://xmcyber.com/blog/faind-my-xpc-breaks-a-key-trust-boundary/" target="_blank" rel="noopener noreferrer nofollow ugc">https://xmcyber.com/blog/faind-my-xpc-breaks-a-key-trust-boundary/</a><br />
<a href="https://www.darkreading.com/application-security/apple-macos-security-gap-users-disable-security-tools" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.darkreading.com/application-security/apple-macos-security-gap-users-disable-security-tools</a><br />
<a href="https://www.securityweek.com/macos-weaknesses-chained-to-silently-disable-endpoint-security-agents/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.securityweek.com/macos-weaknesses-chained-to-silently-disable-endpoint-security-agents/</a></li>
<li><strong>Security Testing Was Built For a Slower World</strong><br />
"Software teams are pushing code into production faster than security testing can keep up. AI is accelerating development cycles and adding pressure to security programs that rely on periodic validation and manual penetration testing. The State of AI in Pentesting report from Aikido Security found that 76% of organizations have had to stop, restrict, or roll back AI-driven behavior in the past 12 months. Another 71% said AI or automation made a security issue harder to detect, investigate, or fix."<br />
<a href="https://www.helpnetsecurity.com/2026/06/24/ai-security-testing-report/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.helpnetsecurity.com/2026/06/24/ai-security-testing-report/</a></li>
<li><strong>How Threat Actors Are Using AI In Real Attacks: Cheaper, Faster, Harder To Spot</strong><br />
"AI is making familiar cyber attacks cheaper to build, faster to scale, easier to tailor, and harder to spot. Across the incidents and dark-web discussions in this report, threat actors used AI to improve what already works: phishing, social engineering, malicious code, identity fraud, and early post-compromise activity. The tradecraft is familiar, but the pace isn’t. We’ve tracked that shift for the past two years. In our 2024 AI-Powered Cybercrime report, we saw early signs of cybercriminal AI use, which consisted mostly of phishing email polish, basic LLM-generated scripts, and the emergence of malicious GPTs like “WormGPT” (now defunct) and “FraudGPT” on the dark web. By mid-2025, the picture had expanded to deepfake services, AI-assisted scripts, and a growing underground market for AI-enabled tools. Over the past year, the core uses have stayed largely the same, but AI has moved closer into the heart of the offensive workflow."<br />
<a href="https://reliaquest.com/campaigns/how-threat-actors-use-ai/executive-summary" target="_blank" rel="noopener noreferrer nofollow ugc">https://reliaquest.com/campaigns/how-threat-actors-use-ai/executive-summary</a><br />
<a href="https://www.infosecurity-magazine.com/news/ai-attacks-cheaper-faster-covert/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.infosecurity-magazine.com/news/ai-attacks-cheaper-faster-covert/</a></li>
<li><strong>Anthropic’s Mythos Model Found Vulnerabilities In Classified US Government Systems, Official Says</strong><br />
"A U.S. official told The Associated Press on Tuesday that one of Anthropic’s artificial intelligence models had identified vulnerabilities in highly sensitive and secure U.S. government computer systems during a testing exercise. The official, who spoke on the condition of anonymity to discuss the matter, said Anthropic had teamed up with U.S. intelligence agencies to conduct tests using the company’s Mythos model. It had identified certain vulnerabilities within hours, but that does not mean the model was able to exploit them within that time, the official said."<br />
<a href="https://www.securityweek.com/anthropics-mythos-model-found-vulnerabilities-in-classified-us-government-systems-official-says/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.securityweek.com/anthropics-mythos-model-found-vulnerabilities-in-classified-us-government-systems-official-says/</a></li>
<li><strong>Agentic AI Security: Wrong Context, Wrong Decisions At Machine Speed</strong><br />
"Context is the central plank of AI in general, and agentic AI in particular. If an AI system doesn’t have the correct context, it cannot make the correct decisions. Security is moving toward reliance on the autonomous and automatic action of agentic AI. It has little choice. The increasing speed, volume and efficiency of attacks automated by adversarial use of both generative and agentic AI will only be matched by defensive AI with as little slow human intervention (the proverbial man-in-the-loop) as possible."<br />
<a href="https://www.securityweek.com/agentic-ai-security-wrong-context-wrong-decisions-at-machine-speed/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.securityweek.com/agentic-ai-security-wrong-context-wrong-decisions-at-machine-speed/</a></li>
<li><strong>A Closer Look At Africa’s Evolving Cyberthreat Landscape</strong><br />
"The Africa region experiences an interesting mix of cyberattacks, threat actors, victims, and victim types. Ransomware and fraud are not the dominant threat types, and there aren’t many well-known names in the list of top threat actors. It’s not that the region has it easy—far from it—but Africa presents a different kind of threat landscape when we break down the numbers."<br />
<a href="https://blog.barracuda.com/2026/06/23/africa-evolving-cyberthreat-landscape" target="_blank" rel="noopener noreferrer nofollow ugc">https://blog.barracuda.com/2026/06/23/africa-evolving-cyberthreat-landscape</a></li>
<li><strong>OpenClaw’s Skill Marketplace And The Emerging AI Supply Chain Threat</strong><br />
"OpenClaw is an AI agent that executes third-party skills from ClawHub, its dedicated marketplace. Skills are markdown-driven packages with broad local system access, making ClawHub a critical link in the agentic software supply chain. Following its release, the ecosystem saw several malicious campaigns. Those early findings, published in February 2026, prompted ClawHub to integrate VirusTotal and ClawScan, enabling proactive screening of published skills and code-level analysis to block skills flagged as malicious from download."<br />
<a href="https://unit42.paloaltonetworks.com/openclaw-ai-supply-chain-risk/" target="_blank" rel="noopener noreferrer nofollow ugc">https://unit42.paloaltonetworks.com/openclaw-ai-supply-chain-risk/</a><br />
<a href="https://www.darkreading.com/cyber-risk/malicious-openclaw-skills-clawhub-threaten-ai-supply-chain" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.darkreading.com/cyber-risk/malicious-openclaw-skills-clawhub-threaten-ai-supply-chain</a></li>
<li><strong>DraftKings Hacker 'Snoopy' Sentenced To 18 Months In Prison</strong><br />
"A 21-year-old using the alias "Snoopy" was sentenced to 18 months in prison for his role in hacking DraftKings accounts in the November 2022 cyberattack. In December 2025, the man, Nathan Austad of Minnesota, pleaded guilty to conspiracy to commit computer intrusion, admitting that he and co-conspirators compromised 60,000 DraftKings user accounts. During the attack, the hackers added payment methods under their control to 1,600 accounts and stole $600,000."<br />
<a href="https://www.bleepingcomputer.com/news/security/draftkings-hacker-snoopy-sentenced-to-18-months-in-prison/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.bleepingcomputer.com/news/security/draftkings-hacker-snoopy-sentenced-to-18-months-in-prison/</a><br />
<a href="https://www.justice.gov/usao-sdny/pr/third-defendant-sentenced-prison-hacking-fantasy-sports-and-betting-website" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.justice.gov/usao-sdny/pr/third-defendant-sentenced-prison-hacking-fantasy-sports-and-betting-website</a><br />
<a href="https://www.securityweek.com/third-draftkings-hacker-sentenced-to-18-months-in-prison/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.securityweek.com/third-draftkings-hacker-sentenced-to-18-months-in-prison/</a></li>
<li><strong>Open-Source Security Is Posing Challenges Governments Can’t Easily Solve</strong><br />
"An epidemic of cyberattacks on open-source software has mounted in recent months, making clear how uniquely difficult it is to protect the publicly available code, from both a policy and a technical perspective, that serves as the foundation for so much of the digital world. While open-source software security got a boost in attention under President Joe Biden — whose administration grappled with the fallout from the potentially catastrophic Log4j flaw that emerged in 2021 — a number of open-source experts say that government protection efforts have suffered setbacks under President Donald Trump. Many also say companies that heavily rely on open-source software, which is basically all of them, haven’t shouldered enough of the responsibility for safeguarding it."<br />
<a href="https://cyberscoop.com/open-source-software-security-crisis/" target="_blank" rel="noopener noreferrer nofollow ugc">https://cyberscoop.com/open-source-software-security-crisis/</a></li>
<li><strong>Exclusive: Meet AIVEX, a New Triage Model Built To Reduce Supply Chain Threat And Risk</strong><br />
"Remediation priority (vulnerability triaging) traditionally focuses on Software Bill of Materials (SBOMs) and Vulnerability Exploitability eXchange (VEX) statements provided with the software and supplemented by CVSS scores. That is not enough in today’s environment. SBOMs list the components within the software. They emanated from Executive Order 14028 designed to reduce supply chain attacks. VEX statements emerged soon afterward to indicate whether any known vulnerabilities are exploitable. The separate CVSS score is used as a severity indicator for vulnerability remediation priority. It’s not working – supply chain attacks continue."<br />
<a href="https://www.securityweek.com/exclusive-meet-aivex-a-new-triage-model-built-to-reduce-supply-chain-threat-and-risk/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.securityweek.com/exclusive-meet-aivex-a-new-triage-model-built-to-reduce-supply-chain-threat-and-risk/</a></li>
<li><strong>Navigating The Threat Landscape Of The 2026 FIFA World Cup</strong><br />
"As the 2026 FIFA World Cup progresses, Flashpoint analysts continue to monitor a dynamic threat environment spanning physical security, civil unrest, cyber threats, and geopolitical developments. While analysts have not identified any credible indications of an imminent attack targeting tournament venues or participants, several notable developments have emerged since our previous assessment:"<br />
<a href="https://flashpoint.io/blog/2026-fifa-world-cup-threat-landscape/" target="_blank" rel="noopener noreferrer nofollow ugc">https://flashpoint.io/blog/2026-fifa-world-cup-threat-landscape/</a><br />
<a href="https://www.darkreading.com/cybersecurity-operations/2026-fifa-world-cup-faces-surge-cyber-threats" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.darkreading.com/cybersecurity-operations/2026-fifa-world-cup-faces-surge-cyber-threats</a></li>
<li><strong>Do CISOs Need a Code Of Ethics?</strong><br />
"Dark Reading Confidential Episode 19: Kickbacks, no-show jobs, "dirty" VCs, and shelf ware — industry expert Robert "RSnake" Hansen explains why he thinks its time for a CISO code of ethics to ensure cybersecurity bosses aren't engaged in self-dealing that could risk enterprise, and even national, security."<br />
<a href="https://www.darkreading.com/cybersecurity-operations/ciso-code-of-ethics" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.darkreading.com/cybersecurity-operations/ciso-code-of-ethics</a></li>
<li><strong>When Information Becomes The Attack Surface – Understanding AI Agent Traps</strong><br />
"AI agents go beyond answering questions. They can autonomously browse websites, read emails, search company files, query software tools, and more. AI models producing incorrect answers is hardly a threat, until agents encounter information that’s maliciously designed to influence what it sees, believes, remembers, or executes. An agent leverages webpages, document stores, wikis, images, emails, or tools to produce intended outputs. But what happens when these sources mask malicious instructions?"<br />
<a href="https://www.securityweek.com/when-information-becomes-the-attack-surface-understanding-ai-agent-traps/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.securityweek.com/when-information-becomes-the-attack-surface-understanding-ai-agent-traps/</a></li>
</ul>
<p dir="auto"><strong>Reference</strong></p>
<p dir="auto">Electronic Transactions Development Agency (ETDA) <img src="/assets/uploads/files/1782465435157-f1d4e131-5707-4099-80fc-a9a3ac316bff-image.png" alt="f1d4e131-5707-4099-80fc-a9a3ac316bff-image.png" class=" img-fluid img-markdown" /></p>
]]></description><link>https://webboard-nsoc.ncsa.or.th/topic/3030/etda-cyber-threat-intelligence-25-june-2026</link><generator>RSS for Node</generator><lastBuildDate>Fri, 26 Jun 2026 12:43:34 GMT</lastBuildDate><atom:link href="https://webboard-nsoc.ncsa.or.th/topic/3030.rss" rel="self" type="application/rss+xml"/><pubDate>Fri, 26 Jun 2026 09:17:19 GMT</pubDate><ttl>60</ttl></channel></rss>