NCSA Webboard
    NCSA_THAICERT

    @NCSA_THAICERT
    Website: www.ncsa.or.th/?fbclid=IwAR0BqJEC-CJzBs98rlBxUbZkNBgp1g814xdDNNaKnHTrxfqZhPD--ksY68I

    Global Moderator administrators

    Latest posts made by NCSA_THAICERT

    • CISA Releases Seven Industrial Control Systems (ICS) Advisories

      On 23 April 2569 B.E. (2026) the Cybersecurity and Infrastructure Security Agency (CISA) released seven Industrial Control Systems (ICS) advisories, providing timely information about security issues, vulnerabilities and exploits affecting ICS. Details are as follows:

      ICSA-26-113-01 YADEA T5 Electric Bike
      ICSA-26-113-02 Carlson Software VASCO-B GNSS Receiver
      ICSA-26-113-03 Milesight Cameras
      ICSA-26-113-04 SpiceJet Online Booking System
      ICSA-26-113-05 Hangzhou Xiongmai Technology Co., Ltd XM530 IP Camera
      ICSA-26-113-06 Intrado 911 Emergency Gateway (EGW)
      ICSA-25-114-01 Schneider Electric Modicon Controllers (Update A)

      CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations.

      Reference
      https://www.cisa.gov/news-events/ics-advisories

      Posted in OT Cyber Security News
    • CISA Adds One Known Exploited Vulnerability to Catalog

      On 23 April 2026 the Cybersecurity and Infrastructure Security Agency (CISA) added 8 new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. Details are as follows:

      • CVE-2026-39987 Marimo Remote Code Execution Vulnerability

      CISA continuously updates the KEV catalog with newly identified vulnerabilities so that it reflects the risks actually observed now and in the future.

      Reference
      https://www.cisa.gov/news-events/alerts/2026/04/23/cisa-adds-one-known-exploited-vulnerability-catalog
      Follow the latest news on the webboard or on Facebook NCSA Thailand

      Posted in Cyber Security News
    • Cyber Threat Intelligence 23 April 2026

      Financial Sector

      • Shadow AI, Deepfakes, And Supply Chain Compromise Are Rewriting The Financial Sector Threat Playbook
        "Financially motivated attacks continued to drive the bulk of cyber incidents against banks, insurers, and payment processors in 2025. Approximately 90% of breaches affecting financial institutions carried a financial motive, with data breaches accounting for roughly 64% of incidents and ransomware making up the remaining 36%. The average cost of a data breach in the sector reached $5.56 million per incident, placing finance second among all industries by breach cost. Personal data was the most frequently compromised category, appearing in 54% of cases. Internal organizational data accounted for 35% of compromised data, and credentials for 22%. Attackers used that access to enable downstream fraud, credential resale, and persistent network presence."
        https://www.helpnetsecurity.com/2026/04/22/financial-sector-cyber-threats-report/

      Industrial Sector

      • Silex Technology SD-330AC And AMC Manager
        "Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary code, cause a denial-of-service, or configuration information may be altered without authentication."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-111-10
      • SenseLive X3050
        "Successful exploitation of these vulnerabilities could allow an attacker to take complete control of the device."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-111-12
      • Siemens RUGGEDCOM CROSSBOW Secure Access Manager Primary
        "RUGGEDCOM CROSSBOW Secure Access Manager Primary (SAM-P) contains a vulnerability that could allow an attacker to escalate their own privileges. Siemens has released a new version for RUGGEDCOM CROSSBOW Secure Access Manager Primary (SAM-P) and recommends to update to the latest version."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-111-02
      • Siemens SCALANCE
        "SCALANCE W-700 IEEE 802.11n family before V6.6.0 are affected by multiple vulnerabilities. Siemens has released a new version for SCALANCE W-700 IEEE 802.11n family and recommends to update to the latest version."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-111-07
      • Siemens SINEC NMS
        "SINEC NMS before V4.0 SP3 contains an Authorization Bypass vulnerability that could allow an attacker to bypass authorization checks, leading to the ability to reset the password of any arbitrary user account. Siemens has released a new version for SINEC NMS and recommends to update to the latest version."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-111-09
      • Siemens TPM 2.0
        "The products listed below contain a vulnerability that could allow an attacker to perform an out-of-bound read, potentially leading to information disclosure or denial of service of the TPM. Siemens has released new versions for several affected products and recommends to update to the latest versions. Siemens is preparing further fix versions and recommends countermeasures for products where fixes are not, or not yet available."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-111-01
      • Siemens SINEC NMS
        "Siemens SINEC NMS when used with User Management Component (UMC) contains an authentication bypass vulnerability due to insufficient validation of user identity. This could allow an unauthenticated remote attacker to bypass authentication and gain unauthorized access to the application. Siemens has released a new version for SINEC NMS and recommends to update to the latest version."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-111-03
      • Siemens Analytics Toolkit
        "Multiple Siemens applications are affected by improper certificate validation in Siemens Analytics Toolkit. This could allow an unauthenticated remote attacker to perform man in the middle attacks. Siemens has released new versions for the affected products and recommends to update to the latest versions."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-111-04
      • Hardy Barth Salia EV Charge Controller
        "Successful exploitation of these vulnerabilities could crash the device being accessed; a buffer overflow condition may allow remote code execution."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-111-05
      • Zero Motorcycles Firmware
        "Successful exploitation of this vulnerability could allow an attacker to pair via Bluetooth with a motorcycle, gaining unauthorized access to all Bluetooth functions, including changing the firmware."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-111-06
      • Siemens RUGGEDCOM CROSSBOW Station Access Controller (SAC)
        "RUGGEDCOM CROSSBOW Station Access Controller (SAC) contains a vulnerability that could allow an attacker to achieve arbitrary code execution and to create a denial of service condition. Siemens has released a new version for RUGGEDCOM CROSSBOW Station Access Controller (SAC) and recommends to update to the latest version."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-111-08
      • Siemens Industrial Edge Management
        "Industrial Edge Management contains an authorization bypass vulnerability that could be exploited by an unauthenticated remote attacker to circumvent authentication and to access connected Industrial Edge Devices through the remote connection feature. Siemens has released new versions for the affected products and recommends to update to the latest versions."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-111-11

      New Tooling

      • PentAGI: Open-Source Autonomous AI Penetration Testing System
        "Penetration testers have long relied on collections of specialized tools, manual coordination, and documented runbooks to work through a target assessment. PentAGI, an open-source project from VXControl, attempts to automate that entire workflow using a multi-agent AI system that plans, researches, and executes penetration tests with minimal human direction. PentAGI organizes work into a hierarchy of flows, tasks, subtasks, and actions. An orchestrator agent receives a goal and coordinates three specialist agents: a researcher that gathers information and queries known vulnerability sources, a developer that plans attack strategies, and an executor that runs commands in isolated containers."
        https://www.helpnetsecurity.com/2026/04/22/pentagi-autonomous-ai-penetration-testing/
        https://github.com/vxcontrol/pentagi

      Vulnerabilities

      • Microsoft Releases Emergency Patches For Critical ASP.NET Flaw
        "Microsoft has released out-of-band (OOB) security updates to patch a critical ASP.NET Core privilege escalation vulnerability. The security flaw (tracked as CVE-2026-40372) was found in the ASP.NET Core Data Protection cryptographic APIs, and it could allow unauthenticated attackers to gain SYSTEM privileges on affected devices by forging authentication cookies. Microsoft discovered the flaw following user reports that decryption was failing in their applications after installing the .NET 10.0.6 update release during this month's Patch Tuesday."
        https://www.bleepingcomputer.com/news/microsoft/microsoft-releases-emergency-security-updates-for-critical-aspnet-flaw/
        https://thehackernews.com/2026/04/microsoft-patches-critical-aspnet-core.html
        https://securityaffairs.com/191130/security/microsoft-out-of-band-updates-fixed-critical-asp-net-core-privilege-escalation-flaw.html
      • Oracle Patches 450 Vulnerabilities With April 2026 CPU
        "Oracle on Tuesday announced the release of 481 new security patches as part of its April 2026 Critical Patch Update (CPU). Across the 28 product families that received security updates, more than 300 patches address vulnerabilities that are remotely exploitable without authentication. Roughly three dozen fixes resolve critical-severity security defects. There appear to be approximately 450 unique CVEs listed on the latest Oracle CPU page. Approximately 240 are included in the risk matrix tables, but additional CVEs have been fixed as well, along with third-party issues not exploitable in Oracle’s products."
        https://www.securityweek.com/oracle-patches-450-vulnerabilities-with-april-2026-cpu/
      • Cohere AI Terrarium Sandbox Flaw Enables Root Code Execution, Container Escape
        "A critical security vulnerability has been disclosed in a Python-based sandbox called Terrarium that could result in arbitrary code execution. The vulnerability, tracked as CVE-2026-5752, is rated 9.3 on the CVSS scoring system. "Sandbox escape vulnerability in Terrarium allows arbitrary code execution with root privileges on a host process via JavaScript prototype chain traversal," according to a description of the flaw in CVE.org. Developed by Cohere AI as an open-source project, Terrarium is a Python sandbox that's used as a Docker-deployed container for running untrusted code written by users or generated with assistance from a large language model (LLM)."
        https://thehackernews.com/2026/04/cohere-ai-terrarium-sandbox-flaw.html
      • CISA Adds One Known Exploited Vulnerability To Catalog
        "CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
        CVE-2026-33825 Microsoft Defender Insufficient Granularity of Access Control Vulnerability"
        https://www.cisa.gov/news-events/alerts/2026/04/22/cisa-adds-one-known-exploited-vulnerability-catalog
      • Apple Fixes iOS Bug That Retained Deleted Notification Data
        "Apple has released out-of-band security updates for iPhone and iPad devices to fix a Notification Services flaw that could allow notifications marked for deletion to remain stored on the device. The bug, tracked as CVE-2026-28950, was fixed on April 22, 2026, in iOS 26.4.2 and iPadOS 26.4.2 and in iOS 18.7.8 and iPadOS 18.7.8. "Notifications marked for deletion could be unexpectedly retained on the device," reads the Apple security bulletin."
        https://www.bleepingcomputer.com/news/security/apple-fixes-ios-bug-that-retained-deleted-notification-data/
        https://support.apple.com/en-us/127002
        https://www.helpnetsecurity.com/2026/04/22/apple-intelligence-token-vulnerability-serpent-attack/
      • Over 1,300 Microsoft SharePoint Servers Vulnerable To Spoofing Attacks
        "Over 1,300 Microsoft SharePoint servers exposed online remain unpatched against a spoofing vulnerability that was exploited as a zero-day and is still being abused in ongoing attacks. The security flaw, tracked as CVE-2026-32201, affects SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition (the latest on-premises version, which uses a "continuous update" model). As Microsoft explained when it patched this security issue as part of the April 2026 Patch Tuesday, successful exploitation allows threat actors without privileges to perform network spoofing by taking advantage of an improper input validation weakness in low-complexity attacks that don't require user interaction."
        https://www.bleepingcomputer.com/news/security/over-1-300-microsoft-sharepoint-servers-vulnerable-to-ongoing-attacks/
      • The Zero-Days Are Numbered
        "Since February, the Firefox team has been working around the clock using frontier AI models to find and fix latent security vulnerabilities in the browser. We wrote previously about our collaboration with Anthropic to scan Firefox with Opus 4.6, which led to fixes for 22 security-sensitive bugs in Firefox 148. As part of our continued collaboration with Anthropic, we had the opportunity to apply an early version of Claude Mythos Preview to Firefox. This week’s release of Firefox 150 includes fixes for 271 vulnerabilities identified during this initial evaluation. As these capabilities reach the hands of more defenders, many other teams are now experiencing the same vertigo we did when the findings first came into focus. For a hardened target, just one such bug would have been red-alert in 2025, and so many at once makes you stop to wonder whether it’s even possible to keep up."
        https://blog.mozilla.org/en/privacy-security/ai-security-zero-day-vulnerabilities/
        https://www.securityweek.com/claude-mythos-finds-271-firefox-vulnerabilities/
        https://www.theregister.com/2026/04/22/mozilla_firefox_mythos_future_defenders/

      Malware

      • CVE-2025-29635: Mirai Campaign Targets D-Link Devices
        "The Akamai SIRT discovered active exploitation attempts of the D-Link command injection vulnerability CVE-2025-29635 in our global network of honeypots in early March 2026. This vulnerability exists in D-Link DIR-823X series routers in firmware versions 240126 and 24082, and allows an authorized attacker to execute arbitrary commands on remote devices by sending a POST request to the /goform/set_prohibiting endpoint via the corresponding function, which can trigger remote command execution."
        https://www.akamai.com/blog/security-research/cve-2025-29635-mirai-campaign-targets-d-link-devices
        https://www.bleepingcomputer.com/news/security/new-mirai-campaign-exploits-rce-flaw-in-eol-d-link-routers/
        https://www.securityweek.com/mirai-botnet-targets-flaw-in-discontinued-d-link-routers/
        https://securityaffairs.com/191135/malware/mirai-botnet-exploits-cve-2025-29635-to-target-legacy-d-link-routers.html
        https://www.helpnetsecurity.com/2026/04/22/new-mirai-variants-target-routers-and-dvrs-via-old-flaws/
      • Kyber Ransomware Double Trouble: Windows And ESXi Attacks Explained
        "For executive leadership, the emergence of Kyber ransomware represents a significant and immediate threat due to its specialized, dual-platform deployment capability targeting mission-critical virtualization infrastructure (VMware ESXi) and core Windows file systems. This cross-platform approach, coupled with effective anti-recovery measures, drastically elevates the risk of a total operational disruption. Organizations should treat Kyber not merely as another ransomware strain, but as a specialized tool capable of causing a complete operational blackout. Recent real-world incidents have demonstrated that this approach can result in large-scale operational impact across enterprise environments."
        https://www.rapid7.com/blog/post/tr-kyber-ransomware-double-trouble-windows-esxi-attacks-explained/
        https://www.bleepingcomputer.com/news/security/kyber-ransomware-gang-toys-with-post-quantum-encryption-on-windows/
      • Namastex.ai Npm Packages Hit With TeamPCP-Style CanisterWorm Malware
        "Last month, we responded to CanisterWorm, a worm-enabled npm supply chain campaign that compromised legitimate publisher space, replaced package contents with install-time malware, used stolen publishing access to republish malicious versions, and relied on an Internet Computer Protocol (ICP) canister as a dead-drop command and control (C2) channel. This campaign was attributed to a set of TeamPCP supply chain attacks. In this newly discovered npm incident, the malware uses the same core adversarial methods: install-time execution, credential theft from developer environments, off-host exfiltration, canister-backed infrastructure, and self-propagation logic intended to compromise additional packages. The overlap is notable enough on its own, and malicious packages included an explicit code reference to a TeamPCP/LiteLLM method inside the malicious payload."
        https://socket.dev/blog/namastex-npm-packages-compromised-canisterworm
        https://www.stepsecurity.io/blog/pgserve-compromised-on-npm-malicious-versions-harvest-credentials
        https://thehackernews.com/2026/04/self-propagating-supply-chain-worm.html
        https://www.bleepingcomputer.com/news/security/new-npm-supply-chain-attack-self-spreads-to-steal-auth-tokens/
        https://www.theregister.com/2026/04/22/another_npm_supply_chain_attack/
      • Harvester: APT Group Expands Toolset With New GoGra Linux Backdoor
        "The Harvester APT group has developed a new, highly-evasive, Linux version of its GoGra backdoor. The malware uses the legitimate Microsoft Graph API and Outlook mailboxes as a covert command-and-control (C2) channel, allowing it to bypass traditional perimeter network defenses. The Symantec and Carbon Black Threat Hunter Team linked this new Linux malware to a previously known Windows espionage campaign by Harvester due to similarities in code, demonstrating that the threat actor is actively expanding its cross-platform capabilities."
        https://www.security.com/blog-post/harvester-new-linux-backdoor-gogra
        https://www.bleepingcomputer.com/news/security/new-gogra-malware-for-linux-uses-microsoft-graph-api-for-comms/
        https://thehackernews.com/2026/04/harvester-deploys-linux-gogra-backdoor.html
      • Weaponizing Apathy: How Threat Actors Exploit Vulnerabilities And Legitimate Software
        "In today’s world, there is an increasingly high focus on malware trends rather than repurposed legitimate tools. Repurposed or legitimate software is often overlooked, even though these have the capability to compromise devices, deliver and execute malicious payloads, and steal information from users. Legitimate websites being abused is very common and often mentioned in media. Yet, the actual programs and software are less often looked at due to the false assumption that there is little that can be done to avoid these. An example of a legitimate program that threat actors have repeatedly repurposed or abused is Microsoft products."
        https://cofense.com/blog/weaponizing-apathy-how-threat-actors-exploit-vulnerabilities-and-legitimate-software
      • Anatomy Of a Fraud Operation: Mule Account Creation On B2B Fintech Platforms In France
        "Fintech platforms such as Revolut, Wise and N26 offer fast, fully remote account opening, streamlined KYC, and business-grade payment infrastructure — SEPA transfers, invoicing, payment processing, and in some cases cryptocurrency integration. These platforms built for freelancers and individual entrepreneurs have become a significant target for organised fraud networks across Europe. For a legitimate freelancer or micro-business owner, this combination of services are exactly what they need. For a fraud operator, it is exactly what they are looking for."
        https://www.group-ib.com/blog/french-fintech-mule-accounts/
      • Silent Lures: The Rise Of Empty Subject Email Attacks
        "Silent Subject Campaigns, also known as Null Subject/Empty Subject campaigns are a lure phishing campaign or scam tactic where emails are sent without a subject line or with an extremely vague subject line. This is designed to encourage users to open the email out of curiosity, confusion, or a false sense of urgency. The primary objective of a Silent Subject Campaign is to gain initial access through social engineering, leading to credential compromise, unauthorized access, and potential lateral movement within targeted environments, especially focusing on high-value or VIP users. Cyberproof Threat Hunting and Managed Detection & Response Teams detected a widespread Null Subject phishing campaign targeting VIP users across multiple organizations from multiple sender domains."
        https://www.cyberproof.com/blog/silent-lures-the-rise-of-empty-subject-email-attacks/
        https://www.infosecurity-magazine.com/news/silent-subject-phishing-campaigns/
      • Malicious Trading Website Drops Malware That Hands Your Browser To Attackers
        "During our threat hunting, we found a campaign using the same malware loader from our previous research to deliver a different threat: Needle Stealer, data-stealing malware designed to quietly harvest sensitive information from infected devices, including browser data, login sessions, and cryptocurrency wallets. In this case, attackers used a website promoting a tool called TradingClaw (tradingclaw[.]pro), which claims to be an AI-powered assistant for TradingView."
        https://www.malwarebytes.com/blog/threat-intel/2026/04/malicious-trading-website-drop-malware-that-hands-over-your-browser-to-attackers
      • Anthropic Secretly Installs Spyware When You Install Claude Desktop
        "I was working on a personal project, debugging a Native Messaging helper I had written for it. In the process I needed to check what Brave Browser had registered on my laptop. What I found was a file I had never put there. It was not mine. I had not installed it. I had not authorised it. I had not even been told about it. It was from Anthropic."
        https://www.thatprivacyguy.com/blog/anthropic-spyware/
        https://www.malwarebytes.com/blog/news/2026/04/researcher-claims-claude-desktop-installs-spyware-on-macos
      • Tropic Trooper Pivots To AdaptixC2 And Custom Beacon Listener
        "On March 12, 2026, Zscaler ThreatLabz discovered a malicious ZIP archive containing military-themed document lures targeting Chinese-speaking individuals. Our analysis of this sample uncovered a campaign leveraging a multi-stage attack chain where a trojanized SumatraPDF reader deploys an AdaptixC2 Beacon agent, ultimately leading to the download and abuse of Visual Studio (VS) Code tunnels for remote access. During our analysis, we observed that the threat actor likely targeted Chinese-speaking individuals in Taiwan, and individuals in South Korea and Japan. Based on the tactics, techniques, and procedures (TTPs) observed in this attack, ThreatLabz attributes this activity to Tropic Trooper (also known as Earth Centaur and Pirate Panda) with high confidence. In this blog post, ThreatLabz covers the Tropic Trooper campaign and the tools that were deployed to conduct intelligence gathering."
        https://www.zscaler.com/blogs/security-research/tropic-trooper-pivots-adaptixc2-and-custom-beacon-listener
      • After Bluesky, Mastodon Targeted In DDoS Attack
        "Following a similar assault on Bluesky just days prior, the decentralized social media platform Mastodon has also been targeted in a major distributed denial-of-service (DDoS) attack. The attack targeted Mastodon.social, the flagship Mastodon server, and caused what the organization classified as a ‘major outage’. According to the Mastodon status page, the DDoS attack started on April 20 at around 1 PM, and by 4 PM mitigations were rolled out and the site became accessible."
        https://www.securityweek.com/after-bluesky-mastodon-targeted-in-ddos-attack/
        https://securityaffairs.com/191144/cyber-crime/ddos-wave-continues-as-mastodon-hit-after-bluesky-incident.html
      • North Korean Hackers Use AppleScript, ClickFix In Fresh MacOS Attacks
        "North Korean hackers have been using various social engineering and evasion techniques in recently observed attacks targeting macOS users within financial organizations. A campaign uncovered by Any.Run has relied on the infamous ClickFix technique to trick macOS users into installing information-stealing malware. The hackers have been mounting the attacks over Telegram, targeting business leaders, often using the compromised accounts of people known to the victim, with fake meeting invitations. The victims have been directed to websites mimicking Zoom, Microsoft Teams, or Google Meet, and prompted to “fix” a fake connection issue by copying and executing a command in the Terminal."
        https://www.securityweek.com/north-korean-hackers-use-applescript-clickfix-in-fresh-macos-attacks/
      • Malicious Checkmarx Artifacts Found In Official KICS Docker Repository And Code Extensions
        "Docker alerted Socket to malicious images pushed to the official checkmarx/kics Docker Hub repository after internal monitoring flagged suspicious new activity around KICS image tags. Our investigation found that attackers appear to have overwritten existing tags, including v2.1.20 and alpine, while also introducing a new v2.1.21 tag that does not correspond to a legitimate upstream release. Analysis of the poisoned image indicates that the bundled KICS binary was modified to include data collection and exfiltration capabilities not present in the legitimate version. Our investigation found evidence that the malware could generate an uncensored scan report, encrypt it, and send it to an external endpoint, creating a serious risk for teams using KICS to scan infrastructure-as-code files that may contain credentials or other sensitive configuration data."
        https://socket.dev/blog/checkmarx-supply-chain-compromise
        https://thehackernews.com/2026/04/malicious-kics-docker-images-and-vs.html
      • Inside Lazarus: How North Korea Uses AI To Industrialize Attacks On Developers
        "Expel is actively tracking an APT group that we assess with high confidence to be North Korean (DPRK) state-sponsored. We suspect that the threat actor is a subgroup or spin-off of a larger organization, potentially starting out as fraudulent IT workers before pivoting to malware. The group is extremely active in targeting Web3 developers and is primarily focused on stealing high-value digital assets such as cryptocurrency and NFTs. As much as $12M worth of cryptocurrency wallets were exfiltrated by the threat actor in 3 months, though hardware security tokens may limit damage."
        https://expel.com/blog/inside-lazarus-how-north-korea-uses-ai-to-industrialize-attacks-on-developers/
        https://therecord.media/north-korean-hackers-siphon-12-million-from-crypto-users
      • TeamPCP Strikes Again: Xinference PyPI Package Compromised
        "The JFrog security research team recently identified a supply chain attack targeting the xinference package on PyPI. Versions 2.6.0, 2.6.1, and 2.6.2 were compromised and yanked by maintainers after users reported suspicious behavior. If you installed or imported these versions, you must assume your environment is compromised. This is the latest hit in an ongoing multi-ecosystem campaign by the threat actor tracked as TeamPCP, who have recently compromised PyPI packages including litellm and telnyx, as well as npm, Go, OpenVSX, and GitHub repositories. The same actor marker, payload structure, and targeting profile tie this incident directly to that campaign."
        https://research.jfrog.com/post/xinference-compromise/

      Breaches/Hacks/Leaks

      • Discord-Linked Group Accessed Anthropic’s Claude Mythos AI In Vendor Breach
        "Two weeks after Anthropic announced Claude Mythos Preview (aka Claude Mythos and Mythos AI) as part of its Project Glasswing initiative, the company is investigating unauthorized access to the model through a third-party vendor environment. Reportedly, a handful of users on a Discord channel gained access to Mythos. Their focus was on gathering intelligence about unreleased AI models and appears to have used a combination of tactics to access the system. Bloomberg News reported on April 21, 2026, that the group made an “educated guess” about the model’s online location based on familiarity with Anthropic’s URL formatting conventions for other models."
        https://hackread.com/discord-access-anthropic-claude-mythos-ai-breach/
        https://www.engadget.com/ai/anthropic-is-investigating-unauthorized-access-of-its-mythos-cybersecurity-tool-091017168.html
        https://www.theregister.com/2026/04/22/anthropic_mythos_hype_nothingburger/

      Reference
      Electronic Transactions Development Agency (ETDA)

      Posted in Cyber Security News
    • CISA Adds 8 New Vulnerabilities to KEV After Widespread Exploitation in the Wild


      Follow the latest news on the webboard or on Facebook NCSA Thailand

      Posted in Cyber Security News
    • Crypto Platform Grinex Shuts Down After Attack, Losing More Than 13.7 Million Dollars


      Follow the latest news on the webboard or on Facebook NCSA Thailand

      Posted in Cyber Security News
    • Insider Turned Traitor: US Cyber Ransom Negotiator Secretly Fed Confidential Information to the BlackCat Group to Inflate Ransom Payouts


      Follow the latest news on the webboard or on Facebook NCSA Thailand

      Posted in Cyber Security News
    • แจ้งเตือนการอัปเดตความปลอดภัย Oracle Critical Patch Update Advisory เดือนเมษายน 2569 ผู้ดูแลระบบควรดำเนินการอัปเดตแพตช์โดยด่วน

      ศูนย์ประสานการรักษาความมั่นคงปลอดภัยระบบคอมพิวเตอร์แห่งชาติ (ThaiCERT) ได้ติดตามสถานการณ์ด้านความมั่นคงปลอดภัยไซเบอร์ กรณี Oracle เผยแพร่การอัปเดต Critical Patch Update Advisory เดือนเมษายน 2569 ซึ่งมีการแก้ไขช่องโหว่ด้านความมั่นคงปลอดภัยในผลิตภัณฑ์ Oracle ขอให้ผู้ดูแลระบบที่เกี่ยวข้องดำเนินการตรวจสอบและอัปเดตระบบโดยเร็ว เพื่อให้เป็นไปตามแนวทางด้านความมั่นคงปลอดภัยไซเบอร์ และลดความเสี่ยงจากการถูกโจมตีทางไซเบอร์

1. Update details [1]

The April 2026 Critical Patch Update Advisory contains 481 patches covering 28 product families. More than 300 of them address vulnerabilities that can be exploited remotely without authentication (Remote Unauthenticated Exploitation), and around 30 are rated Critical. In total, approximately 450 CVEs are addressed; some are fixed in the affected Oracle products themselves, and some are third-party vulnerabilities fixed alongside them.

2. Nature and impact of the vulnerabilities

Most of the vulnerabilities fixed in this release are high-risk, including:

2.1 Remote Unauthenticated Exploitation
2.2 Remote Code Execution without authentication
2.3 Unauthorized access to sensitive data or control of the system
2.4 Privilege Escalation

If an attacker successfully exploits these vulnerabilities, the result may be a full system takeover, data leakage, or service disruption. Oracle had previously issued an emergency patch for CVE-2026-21992, a Critical vulnerability that can lead to Remote Code Execution.

3. Affected products [2]

Grouped by the product families with the highest patch counts:

• Oracle Communications (139 patches)
• Financial Services Applications (75 patches)
• Fusion Middleware (59 patches)

Other important products are also covered, such as:

• MySQL
• PeopleSoft
• E-Business Suite
• Siebel CRM
• Java SE
• Oracle Database Server
• Oracle Enterprise Manager
• Oracle GoldenGate
• Oracle Analytics and Retail Applications

As well as other systems such as Blockchain Platform, REST Data Services, JD Edwards, Supply Chain and Utilities Applications.

4. Remediation: system administrators should take the following steps

4.1 Inventory the Oracle products in use within the organization
4.2 Apply the security patches from the April 2026 Critical Patch Update Advisory immediately
4.3 Prioritize systems exposed to external networks (Internet-facing systems)
4.4 Check and update the related third-party components
4.5 Test systems after patching to avoid impact on service delivery

5. Additional security recommendations

5.1 Restrict access to critical systems to only the users who need it (Principle of Least Privilege)
5.2 Use Multi-Factor Authentication (MFA)
5.3 Review event logs to monitor for abnormal behavior
5.4 Apply Network Segmentation to limit the impact of a successful attack
5.5 Maintain a data Backup plan and an Incident Response Plan
5.6 Continuously follow security announcements from Oracle and the relevant agencies

References

[1] https://dg.th/y0p2msi9uo
[2] https://dg.th/9jw2i1zeu0

Posted in Cyber Security News
NCSA_THAICERT
• Creator of the Next.js platform confirms system intrusion via Lumma Stealer malware, affecting environment data and some user accounts

  The National Computer Security Coordination Center (ThaiCERT) has observed a cyber attack on the cloud platform provider and creator of Next.js. The attacker used Infostealer malware to steal an employee's credentials, leading to a compromise of internal systems and access to environment data, which affected the security of source code and some user accounts [1]

1. How the malware operates [2]
  1.1 Credential theft via Infostealer: the "Lumma Stealer" malware covertly harvested credentials and session cookies from the computer of an employee who was using a third-party AI tool
  1.2 Corporate account takeover: the attacker used the stolen data to take over the employee's Google Workspace account as a foothold for reaching other systems inside the organization
  1.3 Intrusion and data collection: using the hijacked account's privileges, the attacker accessed internal systems and collected environment variables that had been marked as "non-sensitive", and also attempted to reach databases and source code

2. Targets and affected systems
  2.1 Employee devices with third-party software or tools installed that lack adequate security controls
  2.2 Some platform customer accounts; affected users are being contacted directly to reset their passwords
  2.3 Application systems whose settings are stored unencrypted or are not marked as sensitive

3. Propagation and attack pattern
  This was a Supply Chain Attack targeting a weakness in third-party software (Context.ai). The attacker used Lumma Stealer malware, which is commonly bundled with pirated software or fake online download files, to steal access rights from an employee's machine

4. Mitigation
  4.1 Restrict permissions: strictly review and limit the permissions of third-party applications connected to corporate accounts
  4.2 Enforce MFA: use multi-factor authentication, preferably with Hardware Security Keys, to protect against session cookie theft
  4.3 Encrypt sensitive data: store secrets such as API Keys or passwords as "Sensitive/Secret Environment Variables" so that the platform applies stronger encryption to them
  4.4 Endpoint security: install and keep protection (EDR/Antivirus) up to date on employee machines, and avoid pirated software
  #CyberSecurity #ThaiCERT #LummaStealer #DataBreach #SupplyChainAttack #Infosec #ITAdmin

🔗 References
[1] https://dg.th/ncl46w2kqz
[2] https://dg.th/det6hsmwyb

Posted in Cyber Security News
NCSA_THAICERT
    • Cyber Threat Intelligence 22 April 2026

      Vulnerabilities

      • Progress Patches Multiple Vulnerabilities In MOVEit WAF, LoadMaster
        "Progress Software on Monday rolled out patches for multiple MOVEit WAF and LoadMaster vulnerabilities that could lead to remote code execution (RCE) and OS command injection. Two of the bugs, CVE-2026-3517 and CVE-2026-3519, impact APIs in Progress ADC products and could be exploited by users with ‘Geo Administration’ and ‘VS Administration’ permissions for the execution of arbitrary commands on the LoadMaster appliance. The flaws exist because the ‘addcountry’ and ‘aclcontrol’ commands do not properly sanitize user-supplied input."
        https://www.securityweek.com/progress-patches-multiple-vulnerabilities-in-moveit-waf-loadmaster/
        https://community.progress.com/s/article/MOVEit-WAF-Critical-Security-Bulletin-April-2026-CVE-2026-3517-CVE-2026-3518-CVE-2026-3519-CVE-2026-4048-CVE-2026-21876
      • Actively Exploited Apache ActiveMQ Flaw Impacts 6,400 Servers
        "Nonprofit security organization Shadowserver found that over 6,400 Apache ActiveMQ servers exposed online are vulnerable to ongoing attacks exploiting a high-severity code injection vulnerability. Apache ActiveMQ is the most popular open-source multi-protocol message broker for asynchronous communication between Java applications. Tracked as CVE-2026-34197, the vulnerability was discovered by Horizon3 researcher Naveen Sunkavally using the Claude AI assistant after remaining undetected for 13 years."
        https://www.bleepingcomputer.com/news/security/actively-exploited-apache-activemq-flaw-impacts-6-400-servers/
      • Unsecured Perforce Servers Expose Sensitive Data From Major Orgs
        "A researcher has analyzed internet-facing Perforce P4 servers and found that many are still misconfigured, exposing highly sensitive information. Perforce P4 (formerly Helix Core) is a centralized version control platform built to handle the massive data requirements of industries like AAA gaming and semiconductor design. While P4 serves an important role, it can be valuable for threat actors if left unprotected. Australian security researcher Morgan Robertson conducted an analysis of internet-exposed Perforce servers in the spring of 2025 and found 6,122 instances."
        https://www.securityweek.com/unsecured-perforce-servers-expose-sensitive-data-from-major-orgs/
        https://morganrobertson.net/p4wned/

      Malware

      • Lotus Wiper: a New Threat Targeting The Energy And Utilities Sector
        "In light of geopolitical tensions that occurred in the Caribbean region in late 2025 and early 2026, artifacts associated with the attack chain of a destructive wiping campaign targeting the energy and utilities sector in Venezuela were identified on a publicly available resource. They were uploaded in mid-December. Two batch scripts are responsible for initiating the destructive phase of the attack and preparing the environment for executing the final wiper payload. These scripts coordinate the start of the operation across the network, weaken system defenses, and disrupt normal operations before retrieving, deobfuscating and executing a previously unknown wiper that we dubbed ‘Lotus Wiper’. The wiper removes recovery mechanisms, overwrites the content of physical drives, and systematically deletes files across affected volumes, ultimately leaving the system in an unrecoverable state."
        https://securelist.com/tr/lotus-wiper/119472/
        https://www.bleepingcomputer.com/news/security/new-lotus-data-wiper-used-against-venezuelan-energy-utility-firms/
      • New NGate Variant Hides In a Trojanized NFC Payment App
        "ESET Research has discovered a new variant of the NGate malware family that abuses a legitimate Android application called HandyPay, instead of the previously leveraged NFCGate tool. The threat actors took the app, which is used to relay NFC data, and patched it with malicious code that appears to have been AI-generated. As with previous iterations of NGate, the malicious code allows the attackers to transfer NFC data from the victim’s payment card to their own device and use it for contactless ATM cash-outs and unauthorized payments. Additionally, the code can also capture the victim’s payment card PIN and exfiltrate it to the operators’ C&C server."
        https://www.welivesecurity.com/en/eset-research/new-ngate-variant-hides-in-a-trojanized-nfc-payment-app/
        https://thehackernews.com/2026/04/ngate-campaign-targets-brazil.html
        https://www.bleepingcomputer.com/news/security/ngate-android-malware-uses-handypay-nfc-app-to-steal-card-data/
        https://www.infosecurity-magazine.com/news/trojanized-android-handle-nfc/
        https://www.helpnetsecurity.com/2026/04/21/android-ngate-nfc-malware/
      • Bad Apples: Weaponizing Native MacOS Primitives For Movement And Execution
"As macOS adoption in the enterprise reaches record highs, with over 45 percent of organizations now utilizing the platform, the traditional 'security through obscurity' narrative surrounding the OS has been rendered obsolete. Mac endpoints, once relegated to creative departments, are now the primary workstations for developers, DevOps engineers, and system administrators. Consequently, these machines have become high-value targets that serve as gateways to source code repositories, cloud infrastructure, and sensitive production credentials. Despite this shift, macOS-native lateral movement and execution tradecraft remain significantly understudied compared to their Windows counterparts. This research was conducted to address this critical knowledge gap. Through a systematic validation of native macOS protocols and system binaries, it is demonstrated how adversaries can “live off the land” (LOTL) by repurposing legitimate administrative tools."
        https://blog.talosintelligence.com/bad-apples-weaponizing-native-macos-primitives-for-movement-and-execution/
      • Threat Advisory: Uptick In Bomgar RMM Exploitation
        "Over the past two weeks, the Huntress Security Operations Center (SOC) has seen an uptick in incidents involving compromised Bomgar remote monitoring and management (RMM) instances. The uptick follows intermittent waves of exploitation we have seen over the past two months, after BeyondTrust first disclosed a critical-severity flaw (CVE-2026-1731) in Bomgar in February. On February 6, 2026, BeyondTrust issued fixes for the flaw in Bomgar (rebranded as BeyondTrust Remote Support), which could be exploited by an unauthenticated attacker to remotely execute code. During this timeframe, the SOC observed an initial spike in exploitation of Bomgar RMMs starting on February 12, which involved at least 10 impacted organizations. Then, starting around April 3, the SOC saw another increase in attacks."
        https://www.huntress.com/blog/uptick-bomgar-exploitation
        https://www.darkreading.com/cyberattacks-data-breaches/surge-bomgar-rmm-exploitation-demonstrates-supply-chain-risk
      • MacOS ClickFix Campaign: AppleScript Stealers & New Terminal Protections
        "Netskope Threat Labs is continuing its coverage of a ClickFix campaign targeting both Windows and macOS users. While our previous post focused on a modular NodeJS-based remote access trojan (RAT) for Windows, this post details a parallel infection chain delivering an AppleScript-based infostealer to macOS users. The macOS infostealer is designed to harvest a wide range of sensitive data, including keychain databases, login credentials, and live session cookies from 12 different browsers, over 200 browser extensions, and 16 standalone cryptocurrency wallets. To secure the victim’s credentials, the malware uses a non-closable persistent dialog box that forces users to provide their system password. This box is highly convincing; it mimics a legitimate system prompt and loads the standard macOS icons from local resources to trick the user into entering their device password."
        https://www.netskope.com/blog/macos-clickfix-campaign-applescript-stealers-new-terminal-protections
        https://www.theregister.com/2026/04/21/macos_clickfix_attacks_deliver_applescript/
      • Weaponizing Trust Signals: Claude Code Lures And GitHub Release Payloads
"In late March 2026, Anthropic inadvertently released the internal Claude Code source material as part of an npm package that included a large internal source map file. Although the incident stemmed from a simple packaging mistake, threat actors were quick to capitalize on the resulting attention. Only 24 hours after the leak, they were able to create fake GitHub repositories to distribute credential-stealing malware disguised as “leaked” Claude Code downloads. This incident demonstrates that security compromise is not limited to software vulnerabilities: human factors and organizational control gaps often serve as a catalyst for threats and are primary drivers of material impact. In this blog entry, we will talk about our analysis of the threats capitalizing on this incident, the downstream risks of the leaked source code, and the actions organizations should take next."
        https://www.trendmicro.com/en_us/research/26/d/weaponizing-trust-claude-code-lures-and-github-release-payloads.html
      • Void Dokkaebi Uses Fake Job Interview Lure To Spread Malware Via Code Repositories
        "Void Dokkaebi, also tracked as Famous Chollima, is a North Korea-aligned intrusion set that systematically targets software developers who hold cryptocurrency wallet credentials, signing keys, and access to continuous integration/continuous delivery (CI/CD) pipelines and production infrastructure. As previously documented by TrendAI™ Research, the group poses as recruiters from cryptocurrency and AI firms, luring developers into cloning and executing code repositories as part of fabricated job interviews. This is a pattern independently tracked across the industry since 2024, but less attention has been paid to what happens after the initial compromise."
        https://www.trendmicro.com/en_us/research/26/d/void-dokkaebi-uses-fake-job-interview-lure-to-spread-malware-via-code-repositories.html
      • Chinese APT Targets Indian Banks, Korean Policy Circles
        "If you knew only two things about China's state-sponsored advanced persistent threat (APT) Mustang Panda (aka TA416, Bronze President, Stately Taurus), they would probably be, first, that it frequently shifts its tactics, techniques, and procedures (TTPs), and second, that its focus is solely on geopolitical espionage. But Mustang Panda seems to have diverged from that target and has trained its sights on India's banking sector. Square that with its most newly discovered campaign, which employs no interesting TTPs, and though partly focused against American and Korean public policy circles, is aimed largely at financial organizations in India. Despite the differences, researchers at Acronis believe this string of activity belongs to Mustang Panda, thanks to shared code, operational patterns, and more."
        https://www.darkreading.com/cyberattacks-data-breaches/chinese-apt-indian-banks-korean-policy
      • Analyzing The RondoDox Botnet: A DDoS And Mining Threat
        "A few weeks ago we published the first part of this series where we described the infrastructure used by the RondoDox threat actors to scan and exploit vulnerable systems. In this second post we’ll take a deep dive into the malware that is deployed into vulnerable systems. Specifically, we’ll look at the initial implant used to fetch the RondoDox binary and the binary itself, detailing its behaviour, how it communicates with the Command and Control (C2), and its malicious capabilities."
        https://www.bitsight.com/blog/rondodox-botnet-malware-analysis
      • Multi-Stage SEO Poisoning Campaign Targets Chinese-Speaking Developers With Kong RAT
        "In March 2026, eSentire's Threat Response Unit detected a sophisticated multi-stage malware campaign targeting Chinese-speaking developers and IT professionals through Search engine optimization (SEO) poisoning. Victims searching for popular Chinese developer tools including FinalShell SSH client, Xshell, QuickQ VPN, and Clash proxy, were redirected to convincing lookalike domains that delivered trojanized installers. TRU is tracking this threat as Kong RAT, named for its consistent use of the string "Kong" across registry keys/file paths used by the malware. The campaign's infrastructure consists of a network of spoofed Chinese software domains hosted on shared infrastructure, active from May 2025 through March 2026. Initial payloads were delivered via Alibaba Cloud Object Storage (Hong Kong region), and all stages consistently used oss-cn-hongkong.aliyuncs[.]com for payload hosting and C2 telemetry."
        https://www.esentire.com/blog/multi-stage-seo-poisoning-campaign-targets-chinese-speaking-developers-with-kong-rat

      Breaches/Hacks/Leaks

      • Data Breaches At Healthcare Organizations In Illinois And Texas Affect 600,000
        "Three US healthcare organizations — two in Illinois and one in Texas — have disclosed data breaches affecting a total of nearly 600,000 individuals. The data breach tracker operated by the US Department of Health and Human Services (HHS) was updated this week to add three healthcare-related cybersecurity incidents impacting a significant number of people. The biggest breach was disclosed by the North Texas Behavioral Health Authority, affecting 285,000 individuals."
        https://www.securityweek.com/data-breaches-at-healthcare-organizations-in-illinois-and-texas-affect-600000/
• Crook Claims To Leak 'Video Surveillance Footage' Of Companies
        "A Mexican IT infrastructure and digital transformation biz is on clean-up duty after a criminal posted screenshots of what they claimed was company video surveillance footage to a cybercrime forum. Monterrey-based Be Prime confirmed that it was the victim of a "cybersecurity incident" on Thursday, after the criminal, who used the alias "dylanmarly," made sweeping claims about an attack they claim to have carried out. Screenshots published by the attacker depicted access to Be Prime's Cisco Meraki Vision panel, which, if true, would have allowed access to live feeds around its clients' offices, including cameras overlooking different teams' workspaces."
        https://www.theregister.com/2026/04/21/be_prime_cctv_leak/
      • Adaptavist Group Breach Spawns Imposter Emails As Ransomware Crew Claims Mega-Haul
        "UK enterprise software consultancy The Adaptavist Group is investigating a security breach after an intruder logged in with stolen credentials, while a ransomware crew claims it grabbed far more than the company is currently admitting. In a letter to customers, Adaptavist's CEO Simon Haighton-Williams said the biz detected an "IT security incident" in late March after an attacker used compromised login details to gain unauthorized access to some of its systems. The company, which builds and sells tools and services around platforms like Atlassian's Jira and Confluence, has brought in external security specialists and says a forensic investigation is underway to work out what, if anything, was accessed or taken."
        https://www.theregister.com/2026/04/21/adaptavist_group_breach_spawns_impostor/
        https://www.theadaptavistgroup.com/letters/april-2026

      General News

      • Researchers Build An Encrypted Routing Layer For Private AI Inference
        "Organizations in healthcare, finance, and other sensitive industries want to use large AI models without exposing private data to the cloud servers running those models. A cryptographic technique called Secure Multi-Party Computation (MPC) makes this possible. It splits data into encrypted fragments, distributes them across two or more servers that do not share information with each other, and lets those servers compute an AI result without either one ever seeing the raw input. The catch is speed. A standard mid-sized language model that returns a result in under a second when running normally can take more than 60 seconds when processed under MPC. The encryption overhead is that large."
        https://www.helpnetsecurity.com/2026/04/21/securerouter-encrypted-ai-inference/
        https://arxiv.org/pdf/2604.15499
      • Iran Claims US Used Backdoors To Knock Out Networking Equipment During War
        "Iranian media is claiming that the US used backdoors and/or botnets to disable networking equipment during the current war, and Chinese state media is dining out on the allegations. Reports from Iran claim hardware made by Cisco, Juniper, Fortinet, and MikroTik either rebooted or disconnected during recent attacks on Iran – despite the regime disconnecting the nation from the global internet. The reports suggest that’s only possible because someone – probably the US – can sabotage the equipment at will."
        https://www.theregister.com/2026/04/21/iran_claims_us_used_backdoors/
      • Former Ransomware Negotiator Pleads Guilty To BlackCat Attacks
        "41-year-old Angelo Martino, a former employee of cybersecurity incident response company DigitalMint, has pleaded guilty to targeting U.S. companies in BlackCat (ALPHV) ransomware attacks in 2023. Together with two other Sygnia and DigitalMint ransomware negotiators (33-year-old Ryan Clifford Goldberg and 28-year-old Kevin Tyler Martin), Martino was charged with conspiracy to interfere with interstate commerce by extortion, interference with interstate commerce by extortion, and intentional damage to protected computers. Martino was initially identified only as "Co-Conspirator 1" in an October 2025 indictment, but was named in court documents unsealed in March. Martin and Goldberg also pleaded guilty to conspiracy to obstruct commerce by extortion and are facing up to 20 years in prison each."
        https://www.bleepingcomputer.com/news/security/former-ransomware-negotiator-pleads-guilty-to-blackcat-attacks/
        https://thehackernews.com/2026/04/ransomware-negotiator-pleads-guilty-to.html
        https://www.darkreading.com/insider-threats/ransomware-negotiator-pleads-guilty-blackcat-scheme
        https://cyberscoop.com/digitalmint-ransomware-negotiator-angelo-martino-guilty-plea/
        https://www.securityweek.com/third-us-security-expert-admits-helping-ransomware-gang/
        https://securityaffairs.com/191100/security/ransomware-negotiator-caught-secretly-assisting-blackcat-extortion-scheme.html
        https://www.helpnetsecurity.com/2026/04/21/ransomware-negotiator-blackcat-alphv-group/
        https://www.theregister.com/2026/04/21/yet_another_ex_ransomware_negotiator_pleads/
      • Mythos Can Find The Vulnerability. It Can’t Tell You What To Do About It.
        "Mythos matters. It is a significant step forward in AI-assisted vulnerability discovery. But it does not mean cybersecurity changed overnight, nor does it mean enterprises are suddenly facing fully automated exploitation at internet scale tomorrow. It does mean the offensive side of AI is continuing to improve. The defensive side needs to catch up now. Mythos is the latest step in a longer trend. Over the next several years, expect the same pattern to repeat: incremental progress, then a jump; incremental progress, then a jump. Models will get more capable and cheaper with each cycle, and each jump will put more pressure on security teams still operating at human speed."
        https://cyberscoop.com/anthropic-mythos-vulnerability-discovery-op-ed/
      • Microsoft Vulnerabilities Drop, But Critical Flaws Double, Report Warns
"The total number of security flaws in Microsoft software has dropped by 6% to 1,273 this year, which on the surface indicates that things are actually getting better. However, it hides a dangerous trend: the most dangerous or critical flaws have doubled. BeyondTrust, a privilege-centric identity security leader, just released its 13th annual Microsoft Vulnerabilities Report, which reveals that while hackers are finding fewer bugs overall, the ones they are finding are far more powerful. “Don’t be distracted by the dip in total vulnerabilities,” says James Maude, Field CTO at BeyondTrust, “critical vulnerabilities doubled. This is a warning that risk is not decreasing, it is concentrating, and it is concentrating around privilege.”"
        https://hackread.com/microsoft-vulnerabilities-drop-critical-flaws-double/
      • 2026 CISO AI Risk Report [Saviynt]
        "Many security leaders didn’t authorize AI expansion. It happened around them. Someone plugged in a copilot in a SaaS tool or an engineering team tested an agent or a business unit installed an assistant without waiting for approval. None of these choices feel significant in isolation, but together they create systems acting on behalf of people, without the structures we rely on to govern human access. In our survey of more than 200 CISOs and security leaders, the same concerns surfaced repeatedly. AI systems already have meaningful access, often with privilege levels no one explicitly granted. They generate activity that can be difficult to trace, behave in ways that don’t match human patterns, and sometimes leave behind incomplete or temporary records. None of this is catastrophic on its own, but it complicates the basic questions security teams rely on, namely: “Who did this?” and “Should this action have been allowed?”"
        https://www.cybersecurity-insiders.com/portfolio/2026-ciso-ai-risk-report-saviynt/
        https://www.cybersecurity-insiders.com/wp-content/uploads/2026-AI-Identity-Risk-Report-Saviynt-by-CSI-1.6.pdf
        https://hackread.com/the-ungoverned-workforce-cybersecurity-insiders-finds-92-lack-visibility-into-ai-identities/
      • Unchecked AI Agents Cause Cybersecurity Incidents At Two Thirds Of Firms
        "Two thirds of organizations have suffered from a cybersecurity incident related to the deployment of AI agents during the last year, research by the Cloud Security Alliance (CSA) has warned. According to research, conducted alongside Token Security, unchecked AI agents operating on corporate networks caused damage including data exposure, operational disruption and financial losses. The CSA paper, titled Autonomous but Not Controlled: AI Agent Incidents Now Common in Enterprises, published on April 21, warned that the majority of organizations have no strategy set up around decommissioning AI agents, further putting them at risk of cybersecurity incidents."
        https://www.infosecurity-magazine.com/news/unchecked-ai-agents-cause/
      • Outdated Software Has Become a Major Cybersecurity Liability
        "In the artificial intelligence (AI) era, IT and cybersecurity teams must ensure every device runs the most secure software version available. As cybercriminals gain access to more advanced AI models, the amount of time and effort required to first discover a vulnerability and develop a means to exploit it is now approaching zero. While that is likely to increase the number of unknown zero-day vulnerabilities that might be exploited, most cybercriminals will—at least initially—focus on exploiting known vulnerabilities faster than ever."
        https://blog.barracuda.com/2026/04/21/outdated-software-has-become-a-major-cybersecurity-liability
      • No Exploit Needed: How Attackers Walk Through The Front Door Via Identity-Based Attacks
        "The cybersecurity industry has spent the last several years chasing sophisticated threats like zero-days, supply chain compromises, and AI-generated exploits. However, the most reliable entry point for attackers still hasn't changed: stolen credentials. Identity-based attacks remain a dominant initial access vector in breaches today. Attackers obtain valid credentials through credential stuffing from prior breach databases, password spraying against exposed services, or phishing campaigns — and use them to walk through the front door. No exploits needed. Just a valid username and password."
        https://thehackernews.com/2026/04/no-exploit-needed-how-attackers-walk.html
• Ukraine Busts ‘Bot Farm’ Supplying Thousands Of Fake Telegram Accounts To Russian Spies
        "Ukrainian authorities have dismantled a so-called “bot farm” that police say was supplying thousands of fake social media accounts to Russian intelligence services for use in disinformation campaigns against Ukraine. Ukraine’s Security Service (SBU) and the National Police said on Monday they detained the suspected organizer of the network in the northern city of Zhytomyr and blocked nearly 20,000 fraudulent online profiles allegedly used in information operations directed by Moscow."
        https://therecord.media/ukraine-sbu-busts-bot-farm-supplying-russian-spies
      • Nation-States Want To Cause Harm, Not Just Steal Cash - Stop Handing Your Cyber Defenses To The Cheapest Contractor
        "State-sponsored cyberattacks from Chinese intelligence and military agencies display "an eye-watering level of sophistication," UK National Cyber Security Centre CEO Richard Horne is expected to say in a less-than-cheery opening speech to kick off its annual conference. The NCSC has in previous years labelled the threat posed by China in cyberspace as "epoch-defining," although Horne re-jiggered this description in his opening plenary at CYBERUK 2026. According to a transcript of his speech shared with The Register ahead of time, Horne will tell delegates attending the Glasgow conference on Wednesday that China is no longer just a capable cyber threat, but thanks to its whole-of-state approach, it now represents "a peer competitor in cyberspace.""
        https://www.theregister.com/2026/04/21/ncsc_chinas_cyberattacks_uk/

Reference
Electronic Transactions Development Agency (ETDA)

Posted in Cyber Security News
NCSA_THAICERT
• Fake TikTok Downloader extensions found on Chrome and Edge, spying on hundreds of thousands of users

  You can follow the news on the webboard or on Facebook NCSA Thailand

  Posted in Cyber Security News
  NCSA_THAICERT