ETDA Cyber Threat Intelligence 30 June 2026
Healthcare Sector
- Pydicom Pynetdicom Library
"Successful exploitation of this vulnerability could allow an unauthenticated attacker to write to arbitrary file paths."
https://www.cisa.gov/news-events/ics-medical-advisories/icsma-26-176-01
- OHIF Viewers DICOM
"Successful exploitation of this vulnerability in a custom integration version could allow an attacker to steal an authenticated clinician's token via a crafted link."
https://www.cisa.gov/news-events/ics-medical-advisories/icsma-26-176-02
Industrial Sector
- EVoke Systems Charging Station Management System
"Successful exploitation of these vulnerabilities could enable attackers to gain unauthorized administrative control over vulnerable charging stations or disrupt charging services through denial-of-service attacks."
https://www.cisa.gov/news-events/ics-advisories/icsa-26-176-02
- Yokogawa FAST/TOOLS And CI Server
"Successful exploitation of this vulnerability may return a response containing the CI Server setting information."
https://www.cisa.gov/news-events/ics-advisories/icsa-26-176-01
- Horner Automation Cscape
"Successful exploitation of this vulnerability could allow a local attacker to disclose information and execute arbitrary code."
https://www.cisa.gov/news-events/ics-advisories/icsa-26-176-03
- Daktronics Controller Firmware
"Successful exploitation of these vulnerabilities could provide an unauthenticated user with complete root-level access and control of the system."
https://www.cisa.gov/news-events/ics-advisories/icsa-26-176-04
- H.VIEW HV-500S6 IP Camera
"Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary code and upload malicious files to the affected device."
https://www.cisa.gov/news-events/ics-advisories/icsa-26-176-05
- Delta Electronics DTM Soft
"Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code."
https://www.cisa.gov/news-events/ics-advisories/icsa-26-176-06
- Schneider Electric PowerLogic P7
"Schneider Electric is aware of a vulnerability in its PowerLogic P7 product. The PowerLogic P7 is a protection and control platform designed for complex and advanced electrical network applications. Failure to apply the remediation provided below may risk unauthorized execution of privileged commands or loss of HMI operability and configuration functionality, which could result in loss of control over system operations and disruption of critical services."
https://www.cisa.gov/news-events/ics-advisories/icsa-26-176-07
- Beware Of The License Manager: How a Schneider Electric Software Vulnerability Puts Industrial Facilities At Risk
"The CVE-2024-2658 vulnerability was discovered in 2024 within the FlexNet Publisher component of the Schneider Electric Floating License Manager. This software handles license management across various Schneider Electric products used for comprehensive industrial automation ranging from PLC programming to centralized control room implementation. Below, we break down how a single flaw can jeopardize an entire industrial facility, how to detect it on your workstations, and how to minimize the risks. This vulnerability is a CWE-427: Uncontrolled Search Path Element issue. It stems from a system application referencing an OpenSSL configuration file at a hardcoded path without proper access controls."
https://securelist.com/tr/schneider-electric-cve-2024-2658-vulnerability/120436/
New Tooling
- DarkMoon: Open-Source AI Pentesting Platform
"Penetration testing has long run on expert time, with specialists spending days probing a network or web application by hand. Manual engagements stretch across weeks, expert consultants run into thousands of dollars a day, and results vary with the tester. Automation promises to narrow those gaps. A growing set of projects now hands the work to AI agents that plan and execute on their own. DarkMoon, an open-source platform, sits in that group. It runs a security assessment end to end and delivers an evidence-backed report at the finish."
https://www.helpnetsecurity.com/2026/06/29/darkmoon-open-source-ai-pentesting-platform/
https://github.com/ASCIT31/Dark-Moon
Vulnerabilities
- Public PoC Released For Critical Libssh2 CVE-2026-55200 Client-Side SSH Flaw
"A public proof-of-concept is now out for CVE-2026-55200, a critical flaw in libssh2 that lets a malicious or compromised SSH server trigger memory corruption on a connecting client, with possible code execution. No credentials, no user interaction. The bug affects every release up to and including 1.11.1 and carries a CVSS 4.0 score of 9.2. libssh2 is a client-side SSH library, not a server. That distinction matters. It is embedded in curl, Git, PHP, backup agents, firmware updaters, and a long tail of appliances."
https://thehackernews.com/2026/06/public-poc-released-for-critical.html
- Hackers Now Exploit Critical Oracle E-Business Flaw In Attacks
"Attackers have begun exploiting a critical vulnerability (tracked as CVE-2026-46817) in the Oracle E-Business Suite (EBS) financial application, according to threat intelligence company Defused. This security flaw was found in the File Transmission component of EBS's Oracle Payments product and enables unauthenticated malicious actors with HTTP network access to take over vulnerable systems through low-complexity attacks. Oracle released security updates to address the vulnerability with its May 2026 Critical Security Patch Update and urged customers to patch their systems immediately."
https://www.bleepingcomputer.com/news/security/new-oracle-e-business-suite-flaw-now-exploited-in-attacks/
- CISA Adds One Known Exploited Vulnerability To Catalog
"CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
CVE-2026-48558 SimpleHelp Authentication Bypass Vulnerability"
https://www.cisa.gov/news-events/alerts/2026/06/29/cisa-adds-one-known-exploited-vulnerability-catalog
Malware
- Hijacked Npm Packages Use Novel VSCode Autorun And Blockchain Dead Drops To Deploy a Credential/Crypto Stealer
"Following our report, Nextron Research identified an additional 16 Go packages containing the same malware. Most appear to be legitimate packages whose latest released version included the malware alongside the original package contents, using the same structure and fake font file. The full list is available in the Go packages identified containing the same malicious payload section below. Some of the malicious packages are still live, even years after their commit timestamp."
https://research.jfrog.com/post/hijacked-npm-vscode-tasks-blockchain/
https://thehackernews.com/2026/06/hijacked-npm-and-go-packages-use-vs.html
- A Djinn In The Machine: TaskWeaver’s Node.js Intrusion Chain
"Blackpoint’s Adversary Pursuit Group (APG) investigated and contained an intrusion that began with the exploitation of CVE-2026-48558, a critical authentication bypass vulnerability affecting the OpenID Connect authentication flow in SimpleHelp Remote Monitoring and Management (RMM) software. By exploiting this vulnerability, the threat actor obtained an authenticated technician session on an internet-facing SimpleHelp server without possessing valid credentials. Using this access, the threat actor deployed two previously undocumented malware samples, which the APG has named TaskWeaver and Djinn Stealer."
https://blackpointcyber.com/blog/a-djinn-in-the-machine-taskweavers-node-js-intrusion-chain/
https://www.bleepingcomputer.com/news/security/hackers-exploit-critical-simplehelp-flaw-deploy-new-djinn-infostealer-taskweaver-malware/
https://www.darkreading.com/cyberattacks-data-breaches/djinn-stealer-targets-cloud-ai-credentials
- Threat Intelligence Report: Nation-State Targeting Of Water Systems 2024–2026
"Water and wastewater systems have become favored gray-zone targets because they are highly vulnerable and hold disproportionate strategic value. The combination of chronic underinvestment and weak baseline operational technology (OT) security make many of these critical systems easy to compromise. Such intrusions can have both physical and psychological impact, and disruptions often affect civilian life, public health, and trust in government. Recent nation-state cyber activity targeting water systems includes Iranian IRGC-linked targeting of exposed programmable logic controllers (PLCs), Russian and pro-Russian access to municipal water-control environments, and PRC-linked pre-positioning in U.S. critical infrastructure, including water and wastewater systems."
https://dti.domaintools.com/research/threat-intelligence-report-nation-state-targeting-of-water-systems-2024-2026
https://www.darkreading.com/ics-ot-security/iran-russia-china-target-water-systems-sabotage
- 212 Domains Reference Venezuela’s Earthquake, Most Within Two Days
"A small, high‑confidence set of current domain registrations that clearly reference the Venezuela earthquake, likely a fraction of the wider registration activity the event has driven, profiled across creation dates, registrars, registrant emails, name servers and naming intent. A magnitude‑7.2 foreshock and magnitude‑7.5 mainshock struck north‑central Venezuela on 24 June 2026; 50% of these domains were filed on 25 June alone, the day after. Full data access is available to verified organizations through our research and media collaborations program."
https://threat-news.whoisxmlapi.com/2026-venezuela-earthquake
https://hackread.com/venezuela-earthquake-domains-donation-scam-warnings/
- Microsoft Removes 119 Edge Extensions That Hid Malware In Images And Fonts
"Microsoft has shut down a long-running malicious extension operation on the Edge Add-ons store that hid its payloads inside ordinary image and font files, then woke up days after install to steal credentials and run ad fraud. The company calls it StegoAd, a mash-up of steganography and adware, and ties 119 extensions to a single threat actor it says has been active since at least 2021. The extensions were the kind people install without a second thought: ad blockers, VPNs, translators, video downloaders. Each one did its job and earned reviews. The malicious code stayed dormant until the extension cleared a stack of evasion checks, which is how it sat in the store for years."
https://thehackernews.com/2026/06/microsoft-removes-119-edge-extensions.html
https://microsoftedge.github.io/edgevr/assets/files/stego_ad/Microsoft_Edge_Security_StegoAd.pdf
https://www.malwarebytes.com/blog/news/2026/06/119-edge-extensions-promised-useful-tools-instead-downloaded-malware
https://securityaffairs.com/194409/malware/stegoad-how-119-fake-browser-extensions-stole-credentials-and-ran-ad-fraud-for-two-years.html
- The Gentlemen Are Knocking: Custom Backdoors And Evolving Tactics
"This year saw the emergence of The Gentlemen, a prominent example of a group operating under the ransomware-as-a-service (RaaS) model. Although our initial assessment suggested the group first appeared in mid-2025, it actually started ramping up its activities at the beginning of 2026. According to public reports, in the first half of 2026, this group ranks among the top 10 ransomware actors by the number of victim announcements on its data leak site (DLS)."
https://securelist.com/the-gentlemen-raas/120447/
- Chromium Extension Uses AI‑related Branding To Redirect Browser Search
"Microsoft Threat Intelligence has identified a malicious Chromium-based extension that spoofs the AI-powered answer engine Perplexity AI to trick unsuspecting users into installing it. Based on our observation of the extension’s behavior, we assess its primary objective to be search traffic interception and data collection, which might enable downstream use cases such as profiling, targeted advertising, or other forms of misuse depending on operator intent. Through responsible disclosure, we reported this extension to Google, and it has been taken down as of this writing. We’d like to thank Google for responding to and addressing this issue."
https://www.microsoft.com/en-us/security/blog/2026/06/29/chromium-extension-uses-airelated-branding-redirect-browser-search/
https://thehackernews.com/2026/06/malicious-perplexity-chrome-extension.html
- Mustang Panda Targets India's Government And Energy Sectors With ZOHOMURK And MINIRECON
"Acronis TRU has identified two espionage-focused campaigns targeting India's hydropower sector and government entities, using lure documents themed around cooperation agreements between Indian and Taiwanese institutions. Both campaigns delivered previously undocumented DLL-based loaders, which we track as SHARDLOADER, through hydropower- and government-themed lure documents distributed in compressed archives. Upon execution, one SHARDLOADER variant decrypts and launches MINIRECON, a newly identified implant derived from the Toneshell malware family, while the second variant deploys ZOHOMURK, a novel implant that leverages legitimate cloud services for command-and-control, data exfiltration and remote task execution."
https://www.acronis.com/en/tru/posts/mustang-panda-targets-indias-government-and-energy-sectors/
https://thehackernews.com/2026/06/mustang-panda-uses-zoho-workdrive-as.html
- TONResolver RAT Abuses TON Blockchain To Target Japan's Hotel Industry
"In late May 2026, suspicious emails were identified being sent to Japanese partner companies of Booking.com, with the subject line “Important: Guest Stay Review Request” (重要:ゲスト滞在レビュー依頼). In this attack, a zip file was downloaded by accessing a hyperlink to a suspicious web site, and the infection began when the user clicked a shortcut link file (LNK) disguised as a photo file within the zip archive. Unlike conventional phishing campaigns, the malware abuses The Open Network (TON) blockchain platform as a dead drop resolver, a technique that allows attackers to update their command-and-control (C&C) server destination without hardcoding it into the malware, making detection and takedown significantly more difficult."
https://www.trendmicro.com/en_us/research/26/f/tonresolver.html
- A Multi-Stage Steganographic Loader Campaign Deploying Diverse Payloads Globally
"During the routine telemetry monitoring, we identified a detection on a suspicious file named “GST Debit Note Apr_26.com”, based on the telemetry data observed. This prompted us to investigate the sample further. Our analysis revealed that the payload was a variant of the Remcos RAT malware family, distributed via a phishing campaign as an archive attachment. One notable characteristic of this infection chain was its reliance on in-memory execution techniques / fileless malware & Steganography. By avoiding disk-based artifacts, the threat reduces forensic evidence and increases its ability to evade traditional security tools and signature-based detection methods."
https://labs.k7computing.com/index.php/a-multi-stage-steganographic-loader-campaign-deploying-diverse-payloads-globally/
Breaches/Hacks/Leaks
- Nissan Discloses Employee Data Breach Linked To Oracle Zero-Day Attacks
"Nissan is warning that it suffered a data breach affecting current and former employees after threat actors exploited an Oracle PeopleSoft vulnerability in data theft attacks previously linked to the ShinyHunters extortion group. In breach notifications filed with the California Attorney General's Office, Oracle says these data theft attacks impacted hundreds of companies and that Nissan was specifically targeted in the campaign. "Nissan Americas uses Oracle PeopleSoft software to manage employee information, including payroll, tax administration, and other personnel records," reads the breach notifications."
https://www.bleepingcomputer.com/news/security/nissan-discloses-employee-data-breach-linked-to-oracle-zero-day-attacks/
- NAIC Says Public Data Stolen In ShinyHunters' PeopleSoft Breach
"The National Association of Insurance Commissioners (NAIC) says the ShinyHunters extortion group stole only publicly available data, outdated logs, and configuration files after breaching its systems by exploiting a zero-day vulnerability in an Oracle PeopleSoft server. NAIC is a U.S. insurance regulatory organization present in all 50 states. The organization identified on June 11 that its PeopleSoft system had been accessed by an unauthorized party and discovered that "an unauthorized third party gained access to a portion of our IT systems." ShinyHunters claimed the attack and leaked the stolen data after the organization refused to pay a ransom."
https://www.bleepingcomputer.com/news/security/naic-says-public-data-stolen-in-shinyhunters-peoplesoft-breach/
https://www.infosecurity-magazine.com/news/us-insurance-regulator-confirms/
https://www.securityweek.com/insurance-regulators-group-naic-hit-in-oracle-peoplesoft-hack/
- Russian Hackers Accused Of Destructive Cyber-Attack On Jaguar Land Rover
"Security experts and practitioners have weighed in on a new report claiming that Russia was behind the Jaguar Land Rover (JLR) breach last year. The New York Times report cited people close to the investigation in its story on June 26 linking Russian hackers to the incident, which is estimated to have cost the British economy £1.9bn ($2.5bn). Microsoft, which was tracking the Russians, reportedly raised the alarm with JLR. However, while the report didn’t explicitly link the Putin regime with the attack, experts have been more forthright."
https://www.infosecurity-magazine.com/news/russian-hackers-destructive-jaguar/
General News
- Sycophantic Chatbots And The Harms That Build Over Many Chats
"People use AI chatbots for company, advice, and emotional support, and these systems answer in ways meant to hold their attention. Researchers describe the resulting risks as affective safety, a class of harm that exists because humans are emotional beings and because the systems engage directly with that emotional life. The damage happens during ordinary use, with no breach and no intruder. These systems work as designed, optimizing for the goals their builders set, and the harm comes out of that optimization."
https://www.helpnetsecurity.com/2026/06/29/sycophantic-chatbots-affective-ai-safety/
https://arxiv.org/pdf/2606.23380
- Most Teams Accept Higher Risk For Faster AI Database Work
"Database professionals are using AI for everyday work like writing queries, building schemas, and reviewing code, and a growing share rely on autonomous tools that act on the database itself. The use of AI in database management has almost tripled in a year, climbing from 15% to 44% of organizations, according to Redgate’s 2026 State of the Database Landscape report. That puts AI inside the systems holding an organization’s most sensitive data, often with permission to change that data directly."
https://www.helpnetsecurity.com/2026/06/29/teams-ai-database-security/
- May 2026 Threat Trend Report On APT Attacks (South Korea)
"AhnLab monitored APT (Advanced Persistent Threat) attacks—covert, sustained targeted attacks—using its own infrastructure. This report summarizes the types and statistics on domestic APT attacks identified during the month of May 2026 and discusses the characteristics of each type as well as AhnLab Response Overview."
https://asec.ahnlab.com/en/94271/
- U.S. Offers $10 Million For Hackers Targeting WhatsApp, Signal Users
"The U.S. Department of State is offering up to $10 million for information that helps identify or locate members of the UNC5792 and UNC4221 hacker groups, which are linked to Russia's intelligence and military services. The bounty is part of the ‘Rewards for Justice’ (RFJ) program, which targets foreign state actors carrying out cyberattacks against U.S. critical infrastructure. “RFJ is seeking information on UNC5792, a malicious cyber group associated with the Russian Federal Security Service (FSB) Border Guards, and UNC4221, a malicious group of cyber actors working on behalf of the Russian military services,” reads the U.S. government's announcement."
https://www.bleepingcomputer.com/news/security/us-offers-10-million-for-hackers-targeting-whatsapp-signal-users/
https://rewardsforjustice.net/rewards/unc5792/
https://therecord.media/10million-reward-us-russian-hackers-unc4221-unc5792
https://www.securityweek.com/us-offers-10-million-bounty-for-russian-state-hackers-as-messaging-app-attacks-evolve/
https://securityaffairs.com/194441/security/u-s-offers-10-million-reward-for-russian-hackers-behind-signal-and-whatsapp-phishing.html
- Vulnerabilities Expose Private Data In Indian Government Systems
"An independent security researcher identified 14 vulnerabilities affecting Indian government IT systems, which put an array of citizen data at risk. Two of the issues qualified as critical severity, and four as high severity. They affected major national platforms, including education and civil service portals used by millions of students and job aspirants, exposing highly sensitive personally identifying information (PII) like birthdays, addresses, and bank account numbers. Thankfully, the government of the world's largest country listened to the young researcher and patched all of the vulnerabilities in two to three weeks' time."
https://www.darkreading.com/vulnerabilities-threats/vulnerabilities-private-data-indian-government-systems
- Email Threat Radar — June 2026
"Over the last month, Barracuda researchers have seen the following email threats targeting organizations and their employees: Real Microsoft login phishing used to steal session tokens in Tycoon 2FA attack, PDF attachments used for device code phishing with a built-in kill switch, Sneaky 2FA ‘split-click’ phishing attack where one button has two outcomes, and Shift from credential theft to malware delivery in phishing campaigns."
https://blog.barracuda.com/2026/06/29/email-threat-radar-june-2026
- Why Post-Quantum Cryptography Starts With Credentials
"Today’s encrypted data, such as credentials, may no longer remain confidential in the future because the public-key cryptography protecting it will soon be broken by quantum computers. Although no machine today can break elliptic curve cryptography or RSA, quantum hardware is advancing rapidly and will inevitably change how organizations protect their data. Ciphertext and credentials captured by attackers can now be stored and decrypted as soon as quantum computing catches up."
https://thehackernews.com/2026/06/why-post-quantum-cryptography-starts.html
- Inside The Inbox: Why Cybercriminals Want To Break Into Your Email Account
"Email is not just a means of communication, or yet another online account. In both our personal and work lives, it holds the keys to the kingdom: possibly even a mechanism to reset other account passwords and verify your identity. Email accounts are also the place where password-reset links arrive, account alerts are stored, bookings are confirmed, invoices are filed and identity checks begin. The inbox may, therefore, contain years’ worth of detailed information about you, including what you own, which services you use, where you go, who you trust and how other accounts can be reached."
https://www.welivesecurity.com/en/cybersecurity/inside-inbox-cybercriminals-want-break-email-account/
Reference
Electronic Transactions Development Agency (ETDA)