NCSA Webboard
    • ล่าสุด
    • แท็ก
    • ฮิต
      • ติดต่อสำนักงาน
    • ลงทะเบียน
    • เข้าสู่ระบบ

    ETDA Cyber Threat Intelligence 14 July 2026

    Cyber Security News
    1
    1
    7
    โหลดโพสเพิ่มเติม
    • เก่าสุดไปยังใหม่สุด
    • ใหม่สุดไปยังเก่าสุด
    • Most Votes
    ตอบ
    • ตอบโดยตั้งกระทู้ใหม่
    เข้าสู่ระบบเพื่อตอบกลับ
    Topic นี้ถูกลบไปแล้ว เฉพาะผู้ใช้งานที่มีสิทธิ์ในการจัดการ Topic เท่านั้นที่จะมีสิทธิ์ในการเข้าชม
    • NCSA_THAICERTN
      NCSA_THAICERT
      แก้ไขล่าสุดโดย

      Vulnerabilities

      • Full Broker Takeover, No Login Required: Miggo Discovers Critical RabbitMQ Vulnerabilities Putting Application Data At Risk
        "Miggo's security team discovered two critical access-control flaws in RabbitMQ: one that leaks the broker's confidential OAuth secret to an unauthenticated attacker in a single request, a direct path to full broker takeover in the configurations that use that secret, and one that lets any logged-in user silently read other tenants' data. Both are now patched."
        https://www.miggo.io/post/full-broker-takeover-no-login-required-miggo-discovers-critical-rabbitmq-vulnerabilities-putting-application-data-at-risk
        https://www.securityweek.com/rabbitmq-vulnerability-threatens-enterprise-systems/
      • CISA Adds One Known Exploited Vulnerability To Catalog
        "CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
        CVE-2008-4128 Cisco IOS Cross-Site Request Forgery Vulnerability"
        https://www.cisa.gov/news-events/alerts/2026/07/13/cisa-adds-one-known-exploited-vulnerability-catalog
        https://securityaffairs.com/195262/security/u-s-cisa-adds-a-cisco-ios-flaw-to-its-known-exploited-vulnerabilities-catalog.html
      • New MemGhost Attack Plants Persistent False Memories In AI Agents Through One Email
        "Give an AI assistant a memory and access to your inbox, and you hand an attacker a way to rewrite what it thinks it knows about you. A single email can trick that agent into saving a false "fact" about the user, hide the change, and quietly steer its answers in later sessions. When it works, the person reads an ordinary-looking reply and never learns their assistant was tampered with. The researchers named the attack stealth memory injection and built a tool that writes the emails automatically. The paper, "When Claws Remember but Do Not Tell," landed on arXiv on 6 July 2026."
        https://thehackernews.com/2026/07/new-memghost-attack-plants-persistent.html
        https://arxiv.org/abs/2607.05189v1

      Malware
      Beware Of Phishing Emails Disguised As Money Transfer Confirmations
      "Recently, the AhnLab SEcurity intelligence Center (ASEC) identified a case of phishing emails that disguise themselves as payment confirmation notices. These emails impersonate employees of a specific company in Korea and trick recipients into opening a malicious XLS file attached to the email, which is disguised as a payment confirmation notice."
      https://asec.ahnlab.com/en/94432/

      • Beware Of Phishing Emails Disguised As Project Proposals
        "The AhnLab SEcurity intelligence Center (ASEC) recently confirmed that phishing emails disguised as project proposals are being circulated. The body of the email pretends to request that the proposal and confirmed delivery schedule be submitted as soon as possible, and prompts the recipient to download the attached compressed file."
        https://asec.ahnlab.com/en/94433/
      • One Misconfigured Server, Three Active Campaigns: Full Exposure Of Three AiTM Phishing Operators
        "On a late April 2026 afternoon, a routine internet scan flagged an open directory on 185.163.204.7: a server located in Budapest, running python3 -m http.server 8080 on a public interface with directory listing enabled. What was exposed was not a misconfigured web root, it was a complete operational snapshot of a live attack platform. Phishing configurations, credential harvesting logs, backup archives, RMM installers, combolists and the operator's own Telegram session files were all publicly accessible. The command that left it open was still sitting in the .bash_history file, readable through the same listing. Behind the open directory was an active threat actor running an Evilginx-based Adversary-in-the-Middle (AiTM) phishing platform and a SimpleHelp remote management console, all on the same host."
        https://blog.lexfo.fr/opendir-to-phishing-operator.html
        https://thehackernews.com/2026/07/misconfigured-server-reveals-three.html
        https://www.infosecurity-magazine.com/news/open-directory-exposes-evilginx/
      • CrashStealer: C++ MacOS Infostealer Posing As Crash Reporter
        "In early May, a suspicious macOS sample uploaded to VirusTotal surfaced through our sample-processing pipeline, and Jamf Threat Labs began tracking it. It impersonated Apple's crash reporting framework and, at that point, looked like an infostealer still in development. By early July we were seeing in-the-wild detections of the payload matching one of our in-house rules, indicating the project had matured from development into active use. We track this malware under the name CrashStealer."
        https://www.jamf.com/blog/crashstealer-macos-infostealer-analysis/
        https://www.bleepingcomputer.com/news/security/new-crashstealer-malware-poses-as-apple-crash-reporting-tool/
        https://thehackernews.com/2026/07/crashstealer-macos-malware-uses.html
      • US And Allies Warn Of Russian Critical Infrastructure Attacks
        "Cybersecurity agencies from the United States and eight other countries have issued a joint warning that Russian state hackers are targeting vulnerable and poorly configured routers to infiltrate critical infrastructure networks. The joint advisory, co-authored by the NSA, FBI, and CISA, along with 15 other agencies from Australia, the United Kingdom, Canada, New Zealand, Estonia, Finland, France, and Italy, attributes the attacks to hackers from the Russian Federal Security Service (FSB) Center 16."
        https://www.bleepingcomputer.com/news/security/us-and-allies-share-defense-tips-against-russian-hackers-targeting-critical-infrastructure/
        https://www.ic3.gov/CSA/2026/260713.pdf
        https://www.darkreading.com/endpoint-security/weak-security-fuel-russian-cyberattacks
        https://cyberscoop.com/russian-fsb-cisco-joint-cybersecurity-advisory/
        https://www.infosecurity-magazine.com/news/russian-state-hackers-vulnerable/
      • Software Developers Are The Target. New Trojan Attacks Supply Chains And Inflicts Multifaceted Damage On Infected PCs
        "A new trojan engaging in supply chain attacks has recently come under the scrutiny of our antivirus laboratory. The malware primarily targets C++ and C# project files. This malicious sample is particularly dangerous as its payload incorporates multiple damaging features, allowing it to steal data, access clipboard content, operate as a backdoor, engage in rogue mining. and also infect other files. First discovered in the last quarter of 2025, the malware has been updated and upgraded by its makers ever since. It mainly spreads over the Internet via infected executable files and Python scripts. The infection process is quite complex, so let’s examine the entire sequence phase by phase."
        https://news.drweb.com/show/?i=15276&lng=en
        https://hackread.com/siggen-backdoor-windows-developers-visual-studio-projects/
      • OAuth Client ID Spoofing: Why Fake Client IDs Are Gaining Traction For Stealthy Enumeration
        "What if attackers could enumerate your entire organization's accounts without generating a single successful sign-in event? The Entra sign‑in logs are a primary telemetry source for identifying malicious authentication activity, including user enumeration, password spraying, and initial access attempts. To evade detection, attackers routinely distribute requests using rotating user agents (as seen in UNK_CustomCloak) and proxy services that cycle source IPs per request. Proofpoint researchers have identified multiple campaigns where attackers extend this evasive tradecraft by spoofing the OAuth client ID (application ID), a globally unique identifier (GUID) assigned to applications. The identifier is passed as client_id in authentication requests and recorded as the application ID in Entra sign-in logs."
        https://www.proofpoint.com/us/blog/threat-insight/oauth-client-id-spoofing-why-fake-client-ids-are-gaining-traction-stealthy
        https://www.infosecurity-magazine.com/news/novel-spoofing-technique-targets/
        https://www.helpnetsecurity.com/2026/07/13/entra-id-oauth-client-id-spoofing/
      • Fake Crypto Gift Card Sites Are Getting Harder To Spot
        "You want to turn some crypto into a gift card. You search, click a promising result, and land on a site that looks polished and legitimate: a dark theme, trust badges, and promises of instant delivery and no ID checks. You wouldn’t think to question it. But a professional-looking website isn’t proof that it’s legitimate."
        https://www.malwarebytes.com/blog/threat-intel/2026/07/fake-crypto-gift-card-sites-are-getting-harder-to-spot
      • Google And Microsoft Pull ModHeader With 1.6 Million Installs After Dormant Collector Found
        "Google and Microsoft have pulled ModHeader, a popular header-editing extension with roughly 1.6 million installs across Chrome and Edge, after researchers found a hidden browsing-history collector built into its official store version. The collector was dormant. An empty allow-list kept it switched off, and no proof has emerged that it ever gathered or sent a single browsing domain. The analysis came from Stripe OLT, a UK security firm, which checked the code against Google's own Web Store signature and confirmed the collector shipped inside the genuine extension, not a counterfeit."
        https://thehackernews.com/2026/07/google-and-microsoft-pull-modheader.html

      Breaches/Hacks/Leaks

      • Centers Laboratory Data Breach Affects 540,000 Individuals
        "Healthcare diagnostics company Centers Laboratory (Centers Lab NJ LLC) has informed the US government that a data breach discovered nearly one year ago affects more than 540,000 individuals. According to a data breach notice posted on its website, the New Jersey-based provider of testing and laboratory services for healthcare organizations discovered an intrusion in its IT environment in August 2025. An investigation showed that threat actors had gained “limited access” to Centers Laboratory systems between August 9 and August 14, exfiltrating personal and protected health information, including names, dates of birth, SSNs, driver’s license or state identification numbers, passport numbers, and health insurance and medical information."
        https://www.securityweek.com/centers-laboratory-data-breach-affects-540000-individuals/
      • Japan's Largest Taxi Operator Shuts Systems After Cyberattack
        "Japan's largest taxi operator, Nihon Kotsu, announced that its systems were compromised in a cyberattack, forcing the company to shut down part of its infrastructure. The incident occurred over the weekend, early Saturday morning, and impacted operations, including the company's taxi dispatch system, which remains offline as of today. Nihon Kotsu is Japan's largest taxi and chauffeur (hire) operator by group revenue, with annual revenue of roughly $1 billion (¥155 billion)."
        https://www.bleepingcomputer.com/news/security/japans-largest-taxi-operator-shuts-systems-after-cyberattack/
      • Lidl Discloses Online Shop Breach After Service Provider Hack
        "German discount supermarket chain Lidl notified customers in Germany, Belgium, and the Netherlands that attackers stole their personal information in a breach at a service provider. Lidl, owned by Schwarz Group, the largest food retailer in Europe, has over 376,000 employees and operates 12,000 stores across Europe and the United States. The discount giant notified affected customers of the incident over email last week and published separate notifications on its support websites in Belgium and the Netherlands."
        https://www.bleepingcomputer.com/news/security/lidl-discloses-online-shop-breach-after-service-provider-hack/
        https://securityaffairs.com/195270/data-breach/lidl-notified-online-shop-customers-in-germany-belgium-and-the-netherlands-of-a-data-breach.html
        https://www.helpnetsecurity.com/2026/07/13/lidl-data-breach-customer-data/
      • Russian Celebrity Journalist Ksenia Sobchak Says Hackers Accessed Telegram Channels Via Email Breach
        "Hackers briefly took control of several Telegram channels belonging to the controversial Russian journalist and media executive Ksenia Sobchak last week, publishing what they claimed were excerpts from her private correspondence. The posts appeared on Sobchak's Telegram channels, Sobchak and Bloody Lady, last week. Her news channel, Caution, News, later said the posts were published by hackers who had compromised the channels."
        https://therecord.media/ksenia-sobchak-russian-hackers-leak

      General News

      • 99.9% Of Fixable AI Vulnerabilities Remain Unpatched
        "Organizations build, deploy, and operate AI in the cloud, but basic cybersecurity hygiene is often sacrificed for speed, according to Orca Security’s 2026 State of AI Security Report. Fifty-six percent of AI adopters have deployed agent frameworks into production, and 51.5% use AI to build custom applications. Orca also found that 81.2% of companies running AI packages have at least one known vulnerability, and 99.9% of AI vulnerability alerts with an available fix remain unpatched. These findings show how quickly AI has become operational infrastructure without a corresponding increase in security maturity."
        https://www.helpnetsecurity.com/2026/07/13/ai-infrastructure-security-risks-report/
      • Enterprises Are Rethinking Where Their AI Applications Run
        "Growing demand for compute capacity, power, cooling and low-latency connectivity is prompting organizations to reassess where AI applications run, according to CoreSite. Public cloud continues to support experimentation and rapid deployment, while colocation is increasingly used for workloads that require predictable performance, dedicated infrastructure or close proximity to cloud services and enterprise data."
        https://www.helpnetsecurity.com/2026/07/13/colocation-for-ai-workloads-report/
      • Why SBOMs, Signing, And Provenance Still Don’t Tell You If Software Is Safe
        "We have made real progress in software supply chain security, improving visibility into software components, authenticity and build integrity. Much of this progress traces back to Executive Order 14028, which pushed agencies, contractors and enterprises to invest in SBOMs, signing and provenance. All of that matters, but it is not enough. The current software trust model still stops short of the question that determines risk at execution: What is this code capable of doing if it runs?"
        https://www.helpnetsecurity.com/2026/07/13/sbom-zero-trust-for-code/
      • Cyber / Russia: Statement By The High Representative On Behalf Of The European Union Denouncing Russia’s Malicious Cyber Ecosystem Targeting The EU, Its Member States And International Partners
        "The EU and its member states denounce Russia’s malicious cyber activities and leveraging of a cyber ecosystem encompassing state and non-state actors, ranging from intelligence services to cybercriminals groups, hacktivists and private companies. Today, we expose the 16th Centre of Russia’s Federal Security Service (FSB) as controlling a variety of cyber threat groups including TURLA. For years, the FSB has conducted a wide range of malicious cyber activities with growing severity affecting the EU, its member states, as well as international partners, notably Ukraine. These activities have included infiltration of governmental networks and sabotage of critical infrastructure."
        https://www.consilium.europa.eu/en/press/press-releases/2026/07/13/cyber-russia-statement-by-the-high-representative-on-behalf-of-the-european-union-denouncing-russia-s-malicious-cyber-ecosystem-targeting-the-eu-its-member-states-and-international-partners/
        https://www.bleepingcomputer.com/news/security/eu-and-uk-hit-russia-with-first-joint-cyber-sanctions-package/
        https://therecord.media/russia-blamed-for-poland-grid-cyberattack-in-joint-uk-eu-sanctions-package
        https://www.bankinfosecurity.com/eu-uk-sanction-russian-nation-state-hackers-a-32213
        https://cyberscoop.com/eu-uk-russian-cyberespionage-sanctions/
        https://www.securityweek.com/eu-targets-russian-intelligence-officers-accused-of-running-a-yearslong-cyber-spying-campaign/
        https://securityaffairs.com/195242/intelligence/eu-targets-fsb-linked-hackers-in-new-sanctions-over-cyber-sabotage.html
        https://www.helpnetsecurity.com/2026/07/13/eu-uk-russia-cyber-activity-sanctions/
      • AI-Generated Code Has Made Security Debt a Governance Problem
        "AI-generated code is part of everyday software development. Developers use it to prototype, refactor, troubleshoot, and move from idea to implementation with less friction than ever before. The productivity gains are undeniable, which means that security leaders now face a hard question: whether their organizations can govern the risk that AI creates at that same speed. That challenge is rooted in scale. AI changes how quickly software can be created, while many application security programs still depend on controls designed for a slower development model."
        https://cyberscoop.com/governing-ai-code-security-risks-op-ed/
      • 'Yellow Teams' Are Defining The Future Of AI Security
        "A small number of engineering teams are developing the defenses that organizations will need against future advanced AI attacks. They're also building the frameworks attackers will utilize to carry out those attacks. In April, Anthropic invited more than 50 organizations to participate in its Project Glasswing initiative to preview Claude Mythos, which the company claimed at the time was the most advanced cybersecurity AI. OpenAI followed suit shortly after, inviting organizations to play with its own GPT 5.5 under the Daybreak program."
        https://www.darkreading.com/cybersecurity-operations/yellow-teams-defining-future-ai-security
      • Hacker Conversations: Jesse McGraw (GhostExodus), From Blackhat Hacker To Redemption
        "Jesse McGraw isn’t a hacker; at least, not by his own definition. He accepts he was a hacker, and a blackhat hacker, and that he still retains the mindset of a hacker. But he is no longer a hacker, he says. He realized he was a hacker while in high school. “My one and only friend was a hacker, and I had never seen anything like what he did.” Before then, McGraw had thought computers were just something used for word processing; a tool that could be used for its intended purpose. Then he saw this person programming in math class."
        https://www.securityweek.com/hacker-conversations-jesse-mcgraw-ghostexodus-from-blackhat-hacker-to-redemption/
      • Treasury Sanctions Malware And Infrastructure Providers Supporting Ransomware Attacks Against Americans
        "Today, the Office of Foreign Assets Control (OFAC) is designating two individuals and one entity enabling ransomware actors’ and other cybercriminals’ malign activities, notably ransomware attacks against Americans. These include First VPN Service (1VPNS), a virtual private network (VPN) provider selling services to ransomware groups, and its administrator, Dmytro Rashevskyi (Rashevskyi). OFAC is also designating Yegeniy Vladimirovich Silayev (Silayev), an individual who sells “cryptors,” which are tools used to disguise ransomware and other malware as safe programs to prevent security systems from detecting or deactivating them. Ransomware groups utilizing these individuals’ services have caused billions of dollars in losses to U.S. businesses and critical infrastructure providers."
        https://home.treasury.gov/news/press-releases/sb0559
        https://therecord.media/first-vpn-administrator-us-sanctions-ransomware-groups
      • AI Security Threats In 2026: Annual Insights From Check Point Research
        "For years, the cyber security industry tracked AI as a force multiplier: something that made existing attack techniques faster, cheaper, and more accessible. That framing was accurate. But the annual AI Security Report 2026 from Check Point Research documents a transition that goes further. AI has crossed from assistant to operator. Where it once helped attackers prepare, it now runs the operation. What follows is a structured review of the report’s key findings, grounded in original incidents and case studies from the past twelve months."
        https://blog.checkpoint.com/ai-security/ai-security-threats-in-2026-insights-from-check-point-research/

      อ้างอิง

      Electronic Transactions Development Agency (ETDA) 68cdc970-377f-4b0d-b739-a36d4d9818e2-image.png

      1 การตอบกลับ คำตอบล่าสุด ตอบ คำอ้างอิง 0
      • First post
        Last post