<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0"><channel><title><![CDATA[ETDA Cyber Threat Intelligence 01 July 2026]]></title><description><![CDATA[<p dir="auto"><strong>Healthcare Sector</strong></p>
<ul>
<li><strong>OFFIS DCMTK Toolkit</strong><br />
"Successful exploitation of these vulnerabilities could allow an attacker to write files, access unauthorized information, exhaust memory, or crash affected DCMTK client or server processes."<br />
<a href="https://www.cisa.gov/news-events/ics-medical-advisories/icsma-26-181-01" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.cisa.gov/news-events/ics-medical-advisories/icsma-26-181-01</a><br />
<a href="https://www.bankinfosecurity.com/dicom-toolkit-bugs-raise-medical-imaging-security-risks-a-32114" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.bankinfosecurity.com/dicom-toolkit-bugs-raise-medical-imaging-security-risks-a-32114</a></li>
</ul>
<p dir="auto"><strong>Industrial Sector</strong></p>
<ul>
<li><strong>StoneFly Storage Concentrator</strong><br />
"Successful exploitation of these vulnerabilities could allow attackers to gain broad unauthorized access, execute arbitrary commands with root privileges, steal sensitive data, and perform actions on behalf of legitimate users across interconnected systems."<br />
<a href="https://www.cisa.gov/news-events/ics-advisories/icsa-26-181-06" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.cisa.gov/news-events/ics-advisories/icsa-26-181-06</a></li>
<li><strong>Delta Electronics DVP12SE PLC</strong><br />
"Successful exploitation of these vulnerabilities could allow an attacker to remotely issue commands, modify operational values, interfere with control logic, and alter device behavior without authentication or privilege enforcement."<br />
<a href="https://www.cisa.gov/news-events/ics-advisories/icsa-26-181-07" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.cisa.gov/news-events/ics-advisories/icsa-26-181-07</a></li>
<li><strong>Mitsubishi Electric MELSOFT Update Manager SW1DND-UDM-M</strong><br />
"Successful exploitation of these vulnerabilities could allow a local attacker to tamper with or destroy information in the affected product, cause a denial-of-service condition in the affected product, or execute arbitrary code when a specially crafted archive file is decompressed by the 7-Zip component included in MELSOFT Update Manager."<br />
<a href="https://www.cisa.gov/news-events/ics-advisories/icsa-26-181-01" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.cisa.gov/news-events/ics-advisories/icsa-26-181-01</a></li>
<li><strong>Frangoteam FUXA SCADA/HMI</strong><br />
"Successful exploitation of this vulnerability could allow an unauthenticated remote attacker to enumerate all user accounts and role assignments on a FUXA SCADA/HMI instance."<br />
<a href="https://www.cisa.gov/news-events/ics-advisories/icsa-26-181-02" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.cisa.gov/news-events/ics-advisories/icsa-26-181-02</a></li>
<li><strong>Schneider Electric EcoStruxure IT Data Center Expert</strong><br />
"Schneider Electric is aware of a vulnerability in its EcoStruxure™ IT Data Center Expert. The EcoStruxure™ IT Data Center Expert product is a scalable monitoring software that collects, organizes, and distributes critical device information providing a comprehensive view of equipment. Failure to apply the remediation provided below may risk information disclosure."<br />
<a href="https://www.cisa.gov/news-events/ics-advisories/icsa-26-181-03" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.cisa.gov/news-events/ics-advisories/icsa-26-181-03</a></li>
<li><strong>Schneider Electric EasyLogic T150 And Saitel DP RTU</strong><br />
"Successful exploitation of these vulnerabilities can allow an attacker to cause unauthorized access and exposure of sensitive information when the unauthenticated attacker accesses credentials stored within firmware or system files."<br />
<a href="https://www.cisa.gov/news-events/ics-advisories/icsa-26-181-04" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.cisa.gov/news-events/ics-advisories/icsa-26-181-04</a></li>
<li><strong>XZ Utils Vulnerability Impacting B&amp;R Products</strong><br />
"An update is available that resolves a vulnerability in the product versions listed as affected in the advisory. An attacker who successfully exploited this vulnerability could cause the product to stop or corrupt memory data."<br />
<a href="https://www.cisa.gov/news-events/ics-advisories/icsa-26-181-05" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.cisa.gov/news-events/ics-advisories/icsa-26-181-05</a></li>
</ul>
<p dir="auto"><strong>Vulnerabilities</strong></p>
<ul>
<li><strong>Enterprise Tech In, Shell Out (Progress Kemp LoadMaster Uninitialized Heap To Pre-Auth RCE CVE-2026-8037)</strong><br />
"Welcome back to another watchTowr Labs blog post. This time, we're looking at Progress Kemp LoadMaster, a load balancer that sits at the edge of a lot of enterprise networks. Edge appliances have a habit of becoming the way in rather than the thing keeping people out, and CVE-2026-8037 keeps that streak alive: a pre-authentication Remote Code Execution vulnerability accessible to anyone who can access the API. So, in probably a predictable turn of events, we're back doing what we do best."<br />
<a href="https://labs.watchtowr.com/enterprise-tech-in-shell-out-progress-kemp-loadmaster-uninitialized-heap-to-pre-auth-rce-cve-2026-8037/" target="_blank" rel="noopener noreferrer nofollow ugc">https://labs.watchtowr.com/enterprise-tech-in-shell-out-progress-kemp-loadmaster-uninitialized-heap-to-pre-auth-rce-cve-2026-8037/</a><br />
<a href="https://thehackernews.com/2026/06/progress-kemp-loadmaster-flaw-could-let.html" target="_blank" rel="noopener noreferrer nofollow ugc">https://thehackernews.com/2026/06/progress-kemp-loadmaster-flaw-could-let.html</a></li>
<li><strong>Adobe Security Bulletin</strong><br />
"Adobe has released security updates for ColdFusion versions 2025 and 2023. These updates resolve critical and important vulnerabilities that could lead to arbitrary code execution, privilege escalation, arbitrary file system read, and security feature bypass. Adobe is not aware of any exploits in the wild for any of the issues addressed in these updates."<br />
<a href="https://helpx.adobe.com/security/products/coldfusion/apsb26-68.html" target="_blank" rel="noopener noreferrer nofollow ugc">https://helpx.adobe.com/security/products/coldfusion/apsb26-68.html</a></li>
<li><strong>Citrix Patches a New NetScaler Flaw With Echoes Of CitrixBleed</strong><br />
"Citrix published a security bulletin Tuesday disclosing six vulnerabilities in NetScaler ADC and NetScaler Gateway appliances, including a high-severity memory disclosure flaw that researchers say belongs to a vulnerability class first identified in the 2023 incident known as CitrixBleed. The company rated the overall bulletin severity as high and assigned CVSS scores ranging from 6.9 to 8.8 across the six CVEs. Citrix said customers should install the updated builds and, in one case, manually adjust a configuration parameter even after patching."<br />
<a href="https://cyberscoop.com/citrix-netscaler-flaw-cve-2026-8451-citrixbleed/" target="_blank" rel="noopener noreferrer nofollow ugc">https://cyberscoop.com/citrix-netscaler-flaw-cve-2026-8451-citrixbleed/</a><br />
<a href="https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX696604" target="_blank" rel="noopener noreferrer nofollow ugc">https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX696604</a></li>
<li><strong>CISA: Windows BlueHammer Flaw Now Exploited By Ransomware Gangs</strong><br />
"CISA confirmed on Monday that ransomware gangs have begun exploiting a high-severity Microsoft Defender privilege escalation vulnerability that has previously been abused in zero-day attacks. Dubbed BlueHammer, the security flaw (CVE-2026-33825) was leaked by a security researcher known as "Nightmare Eclipse" in early April, together with proof-of-concept exploit code, in protest at how the Microsoft Security Response Center (MSRC) handles the disclosure process. "Insufficient granularity of access control in Microsoft Defender allows an authorized attacker to elevate privileges locally," Microsoft explains in a security advisory."<br />
<a href="https://www.bleepingcomputer.com/news/security/cisa-windows-bluehammer-flaw-now-exploited-by-ransomware-gangs/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.bleepingcomputer.com/news/security/cisa-windows-bluehammer-flaw-now-exploited-by-ransomware-gangs/</a><br />
<a href="https://www.securityweek.com/bluehammer-vulnerability-exploited-in-ransomware-attacks/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.securityweek.com/bluehammer-vulnerability-exploited-in-ransomware-attacks/</a></li>
<li><strong>AirDrop And Quick Share Flaws Let Nearby Attackers Trigger Crashes And Bypass Checks</strong><br />
"Two researchers have found six security flaws in AirDrop and Quick Share, the wireless features that beam files between nearby devices with no cables or shared network. An attacker within wireless range, with just a laptop and no prior connection, can crash the sharing service on a Mac or iPhone set to receive from anyone, with no tap or prompt. The same research found Quick Share flaws that bypass Samsung's session checks and trigger a potentially exploitable crash in Google's Windows app."<br />
<a href="https://thehackernews.com/2026/06/airdrop-and-quick-share-flaws-let.html" target="_blank" rel="noopener noreferrer nofollow ugc">https://thehackernews.com/2026/06/airdrop-and-quick-share-flaws-let.html</a><br />
<a href="https://www.helpnetsecurity.com/2026/06/30/apple-airdrop-google-samsung-quick-share-vulnerabilities/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.helpnetsecurity.com/2026/06/30/apple-airdrop-google-samsung-quick-share-vulnerabilities/</a></li>
<li><strong>Apple Patches 30+ iOS, MacOS, Safari Flaws, Including AI-Discovered WebKit Bugs</strong><br />
"Apple on Monday released security updates for iOS, macOS, and the Safari web browser to address over three dozen flaws, including four vulnerabilities in WebKit that were discovered using artificial intelligence (AI) tools like Anthropic Claude and OpenAI Codex Security."<br />
<a href="https://thehackernews.com/2026/06/apple-patches-30-ios-macos-safari-flaws.html" target="_blank" rel="noopener noreferrer nofollow ugc">https://thehackernews.com/2026/06/apple-patches-30-ios-macos-safari-flaws.html</a><br />
<a href="https://support.apple.com/en-us/100100" target="_blank" rel="noopener noreferrer nofollow ugc">https://support.apple.com/en-us/100100</a><br />
<a href="https://securityaffairs.com/194476/security/apple-fixes-webkit-flaws-in-ios-and-macos-with-help-from-ai-tools.html" target="_blank" rel="noopener noreferrer nofollow ugc">https://securityaffairs.com/194476/security/apple-fixes-webkit-flaws-in-ios-and-macos-with-help-from-ai-tools.html</a><br />
<a href="https://www.malwarebytes.com/blog/news/2026/06/update-time-apple-releases-security-patches-for-ios-macos-tahoe-safari" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.malwarebytes.com/blog/news/2026/06/update-time-apple-releases-security-patches-for-ios-macos-tahoe-safari</a></li>
<li><strong>GuardFall: a Universal Shell Injection Vulnerability In Open-Source AI Agents</strong><br />
"AI coding agents and computer use agents run shell commands with your full account authority: your SSH keys, your cloud credentials, everything in $HOME. Most of them gate that power behind a guard that matches the command string against a list of dangerous patterns. But the string being inspected is different from the command executed. A guard inspects raw text, while system shell (bash) expands, unquotes, and rewrites text before running it. So, when an agent processes untrusted content (for example, an npm package with a poisoned README), the prompt injection can make it run a command that passes all the execution filters. This tactic is not new. It’s a decades-old shell quoting bypass, well known in the security literature. It succeeds against today’s most-used open-source agents. We first met this in the open-source NousResearch/hermes-agent project and surveyed ten others against the same bypass class."<br />
<a href="https://adversa.ai/blog/opensource-ai-coding-agents-shell-injection-vulnerability/" target="_blank" rel="noopener noreferrer nofollow ugc">https://adversa.ai/blog/opensource-ai-coding-agents-shell-injection-vulnerability/</a><br />
<a href="https://thehackernews.com/2026/06/guardfall-exposes-open-source-ai-coding.html" target="_blank" rel="noopener noreferrer nofollow ugc">https://thehackernews.com/2026/06/guardfall-exposes-open-source-ai-coding.html</a><br />
<a href="https://www.securityweek.com/decades-old-bash-tricks-expose-ai-coding-agents-to-supply-chain-attacks/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.securityweek.com/decades-old-bash-tricks-expose-ai-coding-agents-to-supply-chain-attacks/</a></li>
</ul>
<p dir="auto"><strong>Malware</strong></p>
<ul>
<li><strong>How Ransomware Syndicates Weaponize Corporate-Style Organization</strong><br />
"Similar to the events that unfolded with the Conti ransomware group’s demise in 2022, leaked internal chat logs of the Black Basta cybercrime group last year gave us a peek behind the curtain of modern ransomware operations. We found that these groups have continued to evolve into highly sophisticated and organized syndicates, taking a corporate-style approach to extortion. According to our analysis, Black Basta members carefully studied victims to launch advanced phishing and malware campaigns, exploit vulnerabilities and intimidate victims into paying via panic-triggering tactics."<br />
<a href="https://cyberscoop.com/ransomware-syndicates-corporate-organization-op-ed/" target="_blank" rel="noopener noreferrer nofollow ugc">https://cyberscoop.com/ransomware-syndicates-corporate-organization-op-ed/</a></li>
<li><strong>Operation Navy Ghost: How Attackers Planted a Telegram-Powered Backdoor Across Fake Pyrogram Packages On PyPI</strong><br />
"A threat actor targeted Telegram bot developers adopting the popular ‘pyrogram’ package on PyPI over the course of six months starting November 2025, in Operation Navy Ghost. This malware is a complete backdoor on servers where infected bots are operated, and uses Telegram itself for C2 and data exfiltration. Learn how it works, how it sneaks by most scanners, and how to detect infections."<br />
<a href="https://checkmarx.com/zero-post/operation-navy-ghost-pyrogram-telegram-supplychain-attack/" target="_blank" rel="noopener noreferrer nofollow ugc">https://checkmarx.com/zero-post/operation-navy-ghost-pyrogram-telegram-supplychain-attack/</a><br />
<a href="https://www.bleepingcomputer.com/news/security/malicious-pypi-packages-give-hackers-control-of-telegram-bot-servers/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.bleepingcomputer.com/news/security/malicious-pypi-packages-give-hackers-control-of-telegram-bot-servers/</a></li>
<li><strong>The Bear Necessities: A Look At The Drivers, Dynamics, And Applications Of The Pro-Russia Influence Ecosystem</strong><br />
"Four years into Russia’s full-scale invasion of Ukraine, the pro-Russia influence ecosystem has evolved from a tool of war back into a global strategic asset. Since the mobilization of this ecosystem to support frontline objectives, we have witnessed the expedited development of new influence assets linked to multiple, expansive, covert information operations (IO) campaigns and a revitalization of pro-Russia hacktivism at an unprecedented scale. While this threat activity initially adapted to encompass Ukraine-related priorities, it is gradually pivoting back to established Russian influence objectives for which the ecosystem was originally honed."<br />
<a href="https://cloud.google.com/blog/topics/threat-intelligence/pro-russia-influence-ecosystem" target="_blank" rel="noopener noreferrer nofollow ugc">https://cloud.google.com/blog/topics/threat-intelligence/pro-russia-influence-ecosystem</a><br />
<a href="https://www.bankinfosecurity.com/google-kremlin-expands-ai-backed-campaigns-across-europe-us-a-32120" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.bankinfosecurity.com/google-kremlin-expands-ai-backed-campaigns-across-europe-us-a-32120</a></li>
<li><strong>Glitch SPY: An Emerging Android RAT Distributed Through a Fake Polish Rental App</strong><br />
"Cyble Research and Intelligence Labs identified an emerging Android malware family tracked as Glitch SPY, distributed through a fraudulent Polish apartment and house rental platform designed to lure users into downloading an Android APK. Based on the Polish-language lure and rental-themed distribution website, the activity appears to be Poland-focused, targeting users in Poland or Polish expats."<br />
<a href="https://cyble.com/blog/glitch-spy-rat-distributed-via-fake-polish-app/" target="_blank" rel="noopener noreferrer nofollow ugc">https://cyble.com/blog/glitch-spy-rat-distributed-via-fake-polish-app/</a></li>
<li><strong>Bring Your Own Agent: Hijacking Exposed AI Backends To Power Offensive Operations</strong><br />
"Some abuse of an internet-exposed AI server can be mundane: someone finds free inference and runs a chatbot on your bill. The cases below are different. Between March and May 2026, our honeypot sensors caught three separate operators hijacking our exposed Ollama and LiteLLM endpoints as the model backend for offensive tooling. Two were autonomous penetration-testing frameworks ("Strix" and "HexStrike AI"), and the third was an OpenAI Codex agent carrying a persona built to suppress safety refusals and assisting in web reverse-engineering work."<br />
<a href="https://labs.zenity.io/p/bring-your-own-agent-hijacking-exposed-ai-backends-to-power-offensive-operations" target="_blank" rel="noopener noreferrer nofollow ugc">https://labs.zenity.io/p/bring-your-own-agent-hijacking-exposed-ai-backends-to-power-offensive-operations</a><br />
<a href="https://www.darkreading.com/cloud-security/attackers-hijack-exposed-ai-endpoints-power-offensive-ops" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.darkreading.com/cloud-security/attackers-hijack-exposed-ai-endpoints-power-offensive-ops</a></li>
<li><strong>New EvilTokens Attack Exposes Browser Visibility Gap In Enterprise SOCs</strong><br />
"A new EvilTokens attack shows how modern phishing can hide critical evidence from enterprise SOCs until the page runs inside the browser. The case highlights a growing visibility gap in phishing triage: suspicious URLs may appear incomplete at first, while the real account takeover flow is revealed only after execution. For security leaders, that gap can mean slower investigations, delayed response, and higher business risk."<br />
<a href="https://hackread.com/eviltokens-attack-browser-visibility-gap-enterprise-socs/" target="_blank" rel="noopener noreferrer nofollow ugc">https://hackread.com/eviltokens-attack-browser-visibility-gap-enterprise-socs/</a></li>
<li><strong>ToddyCat: Your Hidden Email Assistant. Part 2</strong><br />
"We continue to share details on the malicious techniques and toolsets used by the ToddyCat APT group. In the first part of this report, we examined the group’s attacks aimed at stealing data from browsers, as well as from local and cloud email services. The methods used in that campaign indicated that ToddyCat was attempting to access corporate correspondence while evading monitoring tools. However, all of the group’s methods we described previously are effectively detected by EPP and EDR solutions."<br />
<a href="https://securelist.com/toddycat-apt-umbrij-tool-and-oauth/120251/" target="_blank" rel="noopener noreferrer nofollow ugc">https://securelist.com/toddycat-apt-umbrij-tool-and-oauth/120251/</a></li>
<li><strong>RustDuck: An In-Depth Analysis Of a Two-Stage Botnet</strong><br />
"Since February 2026, the XLAB large-scale network threat perception system has detected a new malware family active in cyberspace that adopts a Loader + Core (two-stage loading) architecture. Currently, the family has spawned multiple variants, with the main core functionality being the execution of large-scale Distributed Denial-of-Service (DDoS) attacks. It also possesses strong cross-platform adaptability and continuous evolution capabilities."<br />
<a href="https://blog.xlab.qianxin.com/rustduck-en/" target="_blank" rel="noopener noreferrer nofollow ugc">https://blog.xlab.qianxin.com/rustduck-en/</a><br />
<a href="https://thehackernews.com/2026/06/rustduck-botnet-rebuilds-in-rust-to.html" target="_blank" rel="noopener noreferrer nofollow ugc">https://thehackernews.com/2026/06/rustduck-botnet-rebuilds-in-rust-to.html</a></li>
<li><strong>Silent Swap: A Crypto Clipper Extension Campaign</strong><br />
"McAfee Advanced Threat Research has identified an active browser-extension campaign designed to steal cryptocurrency by silently substituting wallet addresses the moment a user initiates a transaction. The campaign is delivered through unsigned installers — observed in both .NET and Golang variants — that deploy a malicious Chromium extension masquerading as a benign “Google Notes” utility."<br />
<a href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/crypto-clipper-wallet-swapping-browser-extension-malware/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.mcafee.com/blogs/other-blogs/mcafee-labs/crypto-clipper-wallet-swapping-browser-extension-malware/</a><br />
<a href="https://thehackernews.com/2026/06/silent-swap-crypto-clipper-uses-fake.html" target="_blank" rel="noopener noreferrer nofollow ugc">https://thehackernews.com/2026/06/silent-swap-crypto-clipper-uses-fake.html</a></li>
<li><strong>INC Ransomware Targets Mainframes: Exposed Servers Reveal Cross-Platform Payloads And APAC Campaign</strong><br />
"A recent infrastructure exposure provided a rare look into an active INC ransomware affiliate targeting the Asia-Pacific region. In mid-June 2026, a pair of open directories were identified on AEZA Group LLC, a known bulletproof hosting environment, revealing an operational staging server. The exposed directories contained Windows and Linux encryptors, Group Policy Object (GPO) deployment scripts for a Japanese food and beverage company, 675 MB of operator tooling, and exfiltrated victim data. Together, these findings offered a unique view into an active ransomware campaign in near real-time."<br />
<a href="https://cyberandramen.net/2026/06/24/inc-ransomware-targets-mainframes-exposed-servers-reveal-cross-platform-payloads-and-apac-campaign/" target="_blank" rel="noopener noreferrer nofollow ugc">https://cyberandramen.net/2026/06/24/inc-ransomware-targets-mainframes-exposed-servers-reveal-cross-platform-payloads-and-apac-campaign/</a></li>
</ul>
<p dir="auto"><strong>Breaches/Hacks/Leaks</strong></p>
<ul>
<li><strong>Insurance Giant Aflac Discloses Data Breach After Subsidiary Hack</strong><br />
"American insurance giant Aflac has disclosed a new data breach after attackers breached its Japan subsidiary's systems and stole personal and bank account information. Aflac (short for American Family Life Assurance Company) is a Fortune 500 company and the largest supplemental insurance provider in the United States, serving millions of customers in the U.S. and Japan. In a filing with the U.S. Securities and Exchange Commission (SEC) on Monday, the company revealed that threat actors gained access to Aflac Japan's systems earlier this month."<br />
<a href="https://www.bleepingcomputer.com/news/security/insurance-giant-aflac-discloses-data-breach-after-subsidiary-hack/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.bleepingcomputer.com/news/security/insurance-giant-aflac-discloses-data-breach-after-subsidiary-hack/</a><br />
<a href="https://www.securityweek.com/aflac-japan-data-breach-impacts-4-38-million/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.securityweek.com/aflac-japan-data-breach-impacts-4-38-million/</a><br />
<a href="https://securityaffairs.com/194488/data-breach/hackers-steal-data-of-4-38-million-aflac-japan-customers.html" target="_blank" rel="noopener noreferrer nofollow ugc">https://securityaffairs.com/194488/data-breach/hackers-steal-data-of-4-38-million-aflac-japan-customers.html</a></li>
</ul>
<p dir="auto"><strong>General News</strong></p>
<ul>
<li><strong>Shadow AI Is Not a Tool Problem. It’s a Timing Problem.</strong><br />
"Most AI policies are written in the future tense. Employees use AI in the present tense. That gap explains a lot about shadow AI. A governance committee may still be defining good AI use. Meanwhile, AI has already become part of how work moves: in the browser, inside SaaS platforms, and across everyday applications. The mismatch is not only organizational. It is temporal."<br />
<a href="https://blog.checkpoint.com/ai-security/shadow-ai-is-not-a-tool-problem-its-a-timing-problem/" target="_blank" rel="noopener noreferrer nofollow ugc">https://blog.checkpoint.com/ai-security/shadow-ai-is-not-a-tool-problem-its-a-timing-problem/</a></li>
<li><strong>Vulnerability Reports Are Arriving Faster Than GitHub Can Review Them</strong><br />
"Across the open source world, people are reporting software flaws in record numbers, and the systems built to verify those reports are straining under the weight. The GitHub Advisory Database, which feeds automated security alerts to millions of projects, has reached a point where some new advisories take weeks to publish. In May 2026, the database published 1,560 reviewed advisories, the most in its history and several times its usual monthly output. The volume still fell short of what arrived."<br />
<a href="https://www.helpnetsecurity.com/2026/06/30/github-advisory-database-review/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.helpnetsecurity.com/2026/06/30/github-advisory-database-review/</a></li>
<li><strong>Half The Defense Base Still Builds Security Around Compliance</strong><br />
"CMMC requirements are appearing in defense contracts and moving down through supplier networks to thousands of companies new to this kind of compliance work. Many run on limited budgets with lean security teams. The picture comes from nearly 900 defense contractors, C3PAOs, federal suppliers, and cybersecurity professionals who attended the 2026 Secureframe National Cybersecurity Summit."<br />
<a href="https://www.helpnetsecurity.com/2026/06/30/federal-cybersecurity-compliance-report/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.helpnetsecurity.com/2026/06/30/federal-cybersecurity-compliance-report/</a></li>
<li><strong>Over 300 UK Firms Hit By Ransomware In a Year</strong><br />
"UK organizations suffered more than 26 successful ransomware attacks each month last year, with SMEs hit hardest, according to new data from Report Fraud. The UK’s cybercrime and fraud reporting service was contacted by 323 corporate ransomware victims between April 2025 and March 2026, according to City of London Police. Over 50% of reports were from small and mid-sized companies. Financial losses associated with these incidents increased 50% annually to around £270,000 ($357,000), although the police force admitted this was likely an underestimate given many businesses do not fully disclose the figure."<br />
<a href="https://www.infosecurity-magazine.com/news/over-300-uk-firms-hit-ransomware/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.infosecurity-magazine.com/news/over-300-uk-firms-hit-ransomware/</a></li>
<li><strong>What’s The Difference Between Credential Theft And Session Hijacking?</strong><br />
"Credential theft targets login details: Attackers steal usernames and passwords to access accounts, often through phishing or social engineering. Session hijacking targets active access: Attackers steal or manipulate session tokens to impersonate users who have already logged in. Multifactor authentication (MFA) helps, but it isn’t foolproof: Session hijacking can bypass MFA because the attacker is exploiting an already-authenticated session. Stopping these attacks requires layered defenses: Strong authentication, encryption, session monitoring, device checks, and user training all play a role."<br />
<a href="https://blog.barracuda.com/2026/06/29/credential-theft-vs-session-hijacking" target="_blank" rel="noopener noreferrer nofollow ugc">https://blog.barracuda.com/2026/06/29/credential-theft-vs-session-hijacking</a></li>
<li><strong>UK Healthcare Sector Records Tenfold Increase In Cyber-Attacks</strong><br />
"The UK’s healthcare sector is being “stress-tested to breaking point”, with a tenfold increase in attacks during January-May 2026 compared to the whole of 2025, according to SonicWall. The security vendor’s data comes from its intrusion prevention system (IPS) sensors dispersed across UK healthcare clients. They recorded 264,000 individual events in the first five months of the year compared to just 27,000 for 2025."<br />
<a href="https://www.infosecurity-magazine.com/news/uk-healthcare-tenfold-increase/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.infosecurity-magazine.com/news/uk-healthcare-tenfold-increase/</a></li>
<li><strong>Accelerating The Quantum-Safe Timeline</strong><br />
"For years, planning for post-quantum cryptography (PQC) was framed as a future problem: important, inevitable, but distant. That perspective is evolving as technology advances and organizations prepare for the scale and complexity of the transition ahead. At Microsoft, we are acting on this shift by bringing our quantum-safe timeline forward so organizations can begin the transition earlier and with greater confidence."<br />
<a href="https://www.microsoft.com/en-us/security/blog/2026/06/30/microsoft-advances-quantum-safe-security-as-the-risk-timeline-shifts/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.microsoft.com/en-us/security/blog/2026/06/30/microsoft-advances-quantum-safe-security-as-the-risk-timeline-shifts/</a><br />
<a href="https://www.bleepingcomputer.com/news/microsoft/microsoft-accelerates-quantum-safe-roadmap-as-risks-grow/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.bleepingcomputer.com/news/microsoft/microsoft-accelerates-quantum-safe-roadmap-as-risks-grow/</a></li>
<li><strong>Communications Security Establishment Canada Annual Report 2025-2026</strong><br />
"For 80 years, the Communications Security Establishment Canada (CSE) has used its expertise in signals intelligence to keep Canada and Canadians safe. As technology has evolved, so has CSE’s role. Through our Canadian Centre for Cyber Security (Cyber Centre), we now provide authoritative, practical advice and technical guidance to help Canadian individuals, businesses, various levels of government and critical infrastructure stay safe from cyber threats. Together, we are Canada’s digital frontline of defence."<br />
<a href="https://www.cse-cst.gc.ca/en/accountability/transparency/reports/communications-security-establishment-canada-annual-report-2025-2026" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.cse-cst.gc.ca/en/accountability/transparency/reports/communications-security-establishment-canada-annual-report-2025-2026</a><br />
<a href="https://www.bankinfosecurity.com/russian-water-system-hack-attempted-to-turn-canada-dry-a-32122" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.bankinfosecurity.com/russian-water-system-hack-attempted-to-turn-canada-dry-a-32122</a></li>
<li><strong>AI-Generated Workflows Are a Silent Security Disaster</strong><br />
"A security analyst at a large enterprise recently found sensitive HR documents being copied into a Microsoft Teams channel that hundreds of employees could access. It was not caused by a malicious insider, a compromised admin account, or a sophisticated attacker. It was caused by a Power Automate workflow. The workflow had been created by a developer who wanted to automate document approvals between SharePoint and Teams. To move faster, the developer used an AI assistant to generate the automation logic. Functionally, the workflow worked. Documents moved from one location to another. Notifications were sent. The approval process became faster."<br />
<a href="https://www.darkreading.com/cyber-risk/ai-generated-workflows-silent-security-disaster" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.darkreading.com/cyber-risk/ai-generated-workflows-silent-security-disaster</a></li>
<li><strong>Two Months In: Assessing The Impact Of NIST's Enrichment Cutbacks</strong><br />
"On April 15, NIST announced that it would no longer attempt enrichment for every CVE. Vulnerabilities are still ingested by the National Vulnerability Database, but enrichment is now reserved for a selected subset. Everything else will be marked as Not Scheduled. That may sound strategic, but is actually problematic. For years, NIST established itself as an authoritative source of vulnerability data. Teams have come to rely on their assessment of CVSS, CWE, and CPE for vulnerability management and automation."<br />
<a href="https://blog.volerion.com/posts/two-months-in-nist-cuts-back-on-enrichment-efforts/" target="_blank" rel="noopener noreferrer nofollow ugc">https://blog.volerion.com/posts/two-months-in-nist-cuts-back-on-enrichment-efforts/</a><br />
<a href="https://www.darkreading.com/vulnerabilities-threats/nist-enrichment-reductions-cve-coverage-accuracy" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.darkreading.com/vulnerabilities-threats/nist-enrichment-reductions-cve-coverage-accuracy</a></li>
<li><strong>Singapore Cyber Landscape 2025/2026</strong><br />
"The cybersecurity landscape over the past year was defined by several prominent trends, underpinned by a threat environment of growing complexity, speed, scale, and sophistication. Key among the drivers of these trends were the proliferation and accessibility of artificial intelligence, as well as the interdependencies inherent in modern supply chains. In line with global trends, Singapore’s cyber landscape saw an increase in ransomware attacks. Locally, there was also a notable rise in the number of infected systems, driven primarily by an expanded attack surface stemming from the increasing adoption of Malware-as-a-Service (MaaS) operations, and the proliferation of consumer-grade Internet-of-Things (IoT) devices with unpatched firmware or default passwords."<br />
<a href="https://www.csa.gov.sg/resources/publications/singapore-cyber-landscape-2025-2026/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.csa.gov.sg/resources/publications/singapore-cyber-landscape-2025-2026/</a></li>
<li><strong>What's Trending: Top Cyber Attacker Techniques, March - May 2026</strong><br />
"Between March 1 and May 31, 2026 (“the reporting period”), attackers achieved their objectives by exploiting trusted identities, devices, and tools rather than malicious code. Because their activity resembled normal behavior, traditional perimeter and file-scanning defenses often failed to catch it. Adversaries leaned on two strategies: social engineering at scale and attacks on unpatched, internet-facing infrastructure. The leading technique “ClickFix” drove the first, shifting delivery from compromised websites to emailed links, while “Qilin,” the period’s most active ransomware operator, continued exploiting unpatched edge devices for mass extortion. What’s more, AI is making social engineering faster, cheaper, and more convincing, accelerating familiar techniques rather than creating new ones."<br />
<a href="https://reliaquest.com/blog/threat-spotlight-whats-trending-top-cyber-attacker-techniques-march-may-2026" target="_blank" rel="noopener noreferrer nofollow ugc">https://reliaquest.com/blog/threat-spotlight-whats-trending-top-cyber-attacker-techniques-march-may-2026</a><br />
<a href="https://www.infosecurity-magazine.com/news/clickfix-cybercriminals-favorite/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.infosecurity-magazine.com/news/clickfix-cybercriminals-favorite/</a></li>
<li><strong>Securing AI Agents: When AI Tools Move From Reading To Acting</strong><br />
"As enterprise deployments mature, some enterprise AI agents are shifting from reading content to taking action. In this post, Microsoft Incident Response walks through an attack pattern that targets the fastest growing part of the agentic AI supply chain: Model Context Protocol (MCP) tools. The post provides a practical playbook for detecting, containing, and preventing this class of attack using Microsoft security controls."<br />
<a href="https://www.microsoft.com/en-us/security/blog/2026/06/30/securing-ai-agents-ai-tools-move-from-reading-acting/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.microsoft.com/en-us/security/blog/2026/06/30/securing-ai-agents-ai-tools-move-from-reading-acting/</a><br />
<a href="https://thehackernews.com/2026/06/microsoft-warns-poisoned-mcp-tool.html" target="_blank" rel="noopener noreferrer nofollow ugc">https://thehackernews.com/2026/06/microsoft-warns-poisoned-mcp-tool.html</a></li>
<li><strong>What The Numbers Say About FIFA 2026 Cyber Risk</strong><br />
"The FIFA World Cup 2026 opened on June 11. By that date, according to Check Point Research, the fraud infrastructure targeting it had already been built, staged, and partially deployed. Threat actor activity was pre-planned, months out, across three sectors and at least ten languages. Check Point Exposure Management published the FIFA World Cup 2026 Cyber Threat Report this month, covering financial services, transportation, hospitality, and gambling. Here are three findings worth reading carefully."<br />
<a href="https://thehackernews.com/2026/06/what-numbers-say-about-fifa-2026-cyber.html" target="_blank" rel="noopener noreferrer nofollow ugc">https://thehackernews.com/2026/06/what-numbers-say-about-fifa-2026-cyber.html</a><br />
<a href="https://checkpoint.cyberint.com/fifa-report-2026" target="_blank" rel="noopener noreferrer nofollow ugc">https://checkpoint.cyberint.com/fifa-report-2026</a></li>
<li><strong>Hacker Conversations: Chris Thompson, Former Head Of IBM X-Force Red, Co-Founder Of RemoteThreat</strong><br />
"From bad game hacker to an elite good red team hacker. Chris Thompson is a hacker. His journey took him from hacking game controls as a teenager to becoming the founder of IBM’s first dedicated red team and then global head of X-Force Red. In 2024 he founded and remains the organizer of Offensive AI Con, and in 2025 moved from IBM to be co-founder and CEO at RemoteThreat."<br />
<a href="https://www.securityweek.com/hacker-conversations-chris-thompson-former-head-of-ibm-x-force-red-co-founder-of-remotethreat/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.securityweek.com/hacker-conversations-chris-thompson-former-head-of-ibm-x-force-red-co-founder-of-remotethreat/</a></li>
<li><strong>The AI Token Costs That Can Break Cybersecurity</strong><br />
"Imagine this scenario. It’s Tuesday night at 11:47 PM. Your senior SOC analyst is pulled into a critical, high-severity alert. A primary Domain Controller has flagged a deeply anomalous administrative command sequence originating from a mid-level employee’s standard workstation. The analyst triggers “agents” on the organization’s cybersecurity platform to assist with her investigation: mapping the account’s full authentication timeline, cross-referencing internal network logs, scanning active threat intelligence feeds, constructing secondary lookup queries to hunt for lateral movement. The investigation is moving at machine speed."<br />
<a href="https://www.securityweek.com/the-ai-token-costs-that-can-break-cybersecurity/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.securityweek.com/the-ai-token-costs-that-can-break-cybersecurity/</a></li>
<li><strong>XSS Forum: From DaMaGeLaB To The 2025 Takedown</strong><br />
"XSS[.]is, the most influential Russian-language cybercrime forum of the past decade and the direct heir to the legacy board DaMaGeLaB, lost its administrator on 22 July 2025 when French and Ukrainian police arrested a 38-year-old man in Kyiv. Europol, which coordinated Operation Ratatouille, said the forum had more than 50,000 members and that the suspect earned over EUR 7 million arbitrating deals between criminals. The Ransomnews Research Team analysed a leaked copy of the forum database, 123,241 messages across 51 trading sections, to show exactly how the marketplace worked and where it sat in the ransomware kill chain."<br />
<a href="https://ransomnews.com/xss-forum-damagelab-takedown-2025/" target="_blank" rel="noopener noreferrer nofollow ugc">https://ransomnews.com/xss-forum-damagelab-takedown-2025/</a><br />
<a href="https://securityaffairs.com/194524/security/xss-is-the-forum-that-ran-the-ransomware-supply-chain-is-down-the-market-isnt.html" target="_blank" rel="noopener noreferrer nofollow ugc">https://securityaffairs.com/194524/security/xss-is-the-forum-that-ran-the-ransomware-supply-chain-is-down-the-market-isnt.html</a></li>
</ul>
<p dir="auto"><strong>Reference</strong></p>
<p dir="auto">Electronic Transactions Development Agency (ETDA) <img src="/assets/uploads/files/1782878970060-1a955c1f-3e2a-4cbd-950d-17d1dba3f03d-image.png" alt="1a955c1f-3e2a-4cbd-950d-17d1dba3f03d-image.png" class=" img-fluid img-markdown" /></p>
]]></description><link>https://webboard-nsoc.ncsa.or.th/topic/3045/etda-cyber-threat-intelligence-01-july-2026</link><generator>RSS for Node</generator><lastBuildDate>Wed, 01 Jul 2026 07:11:10 GMT</lastBuildDate><atom:link href="https://webboard-nsoc.ncsa.or.th/topic/3045.rss" rel="self" type="application/rss+xml"/><pubDate>Wed, 01 Jul 2026 04:10:15 GMT</pubDate><ttl>60</ttl></channel></rss>