NCSA Webboard

    NCSA_THAICERT

    @NCSA_THAICERT

    Website: www.ncsa.or.th/?fbclid=IwAR0BqJEC-CJzBs98rlBxUbZkNBgp1g814xdDNNaKnHTrxfqZhPD--ksY68I

    Global Moderator, administrators

    Latest posts made by NCSA_THAICERT

    • Critical vulnerability in Ollama puts more than 300,000 publicly exposed instances at risk

      Follow the news on the webboard or on Facebook NCSA Thailand

      Posted in Cyber Security News
      NCSA_THAICERT
    • Microsoft warns of a global phishing campaign stealing authentication tokens, affecting more than 35,000 users

      Follow the news on the webboard or on Facebook NCSA Thailand

      Posted in Cyber Security News
      NCSA_THAICERT
    • Vimeo confirms a data breach affecting more than 119,000 users; the ShinyHunters group attacked through a vulnerability at a partner company

      Follow the news on the webboard or on Facebook NCSA Thailand

      Posted in Cyber Security News
      NCSA_THAICERT
    • Palo Alto Networks prepares a patch for a zero-day vulnerability after finding it exploited in real attacks on firewalls

      Follow the news on the webboard or on Facebook NCSA Thailand

      Posted in Cyber Security News
      NCSA_THAICERT
    • UK NCSC warns that AI is accelerating vulnerability discovery, risking a global “Patch Wave”

      Follow the news on the webboard or on Facebook NCSA Thailand

      Posted in Cyber Security News
      NCSA_THAICERT
    • Hackers flock to Amazon SES to send phishing emails that slip past security systems

      Follow the news on the webboard or on Facebook NCSA Thailand

      Posted in Cyber Security News
      NCSA_THAICERT
    • Cyber Threat Intelligence 06 May 2026

      Industrial Sector

      • CI Fortify: Strengthening Resilience Across Critical Infrastructure
        "U.S. critical infrastructure (CI) operators face constant intrusion attempts from nation-state cyber threat actors. These adversaries aim for more than espionage. To win a wider geopolitical conflict: They have successfully pre-positioned across critical infrastructure to disrupt and destroy the operational technology (OT) running the United States, and they could leverage access to telecommunications infrastructure to take out phone and internet services. CI owners and operators must fortify their systems to allow vital services in the United States to sustain essential operations during a geopolitical conflict. Investing in isolation and recovery capabilities today is essential to maintaining service delivery during a future crisis, when an adversary may disrupt communications and manipulate control systems."
        https://www.cisa.gov/topics/industrial-control-systems/ci-fortify
        https://cyberscoop.com/cisa-ci-fortify-critical-infrastructure-isolation-recovery-guidance-during-conflict/

      Vulnerabilities

      • MetInfo CMS CVE-2026-29014 Exploited For Remote Code Execution Attacks
        "Threat actors are actively exploiting a critical security flaw impacting an open-source content management system (CMS) known as MetInfo, according to new findings from VulnCheck. The vulnerability in question is CVE-2026-29014 (CVSS score: 9.8), a code injection flaw that could result in arbitrary code execution. "MetInfo CMS versions 7.9, 8.0, and 8.1 contain an unauthenticated PHP code injection vulnerability that allows remote attackers to execute arbitrary code by sending crafted requests with malicious PHP code," the NIST National Vulnerability Database (NVD) states."
        https://thehackernews.com/2026/05/metinfo-cms-cve-2026-29014-exploited.html
        https://www.securityweek.com/metinfo-weaver-e-cology-vulnerabilities-in-attackers-crosshairs/
      • Critical Bug Could Expose 300,000 Ollama Deployments To Information Theft
        "Roughly 300,000 Ollama deployments are prone to sensitive information theft through a remotely exploitable, unauthenticated critical vulnerability, Cyera warns. Ollama is an open source solution for running LLMs on local machines and is highly popular among organizations as a self-hosted AI inference engine. A heap out-of-bounds read issue in Ollama could be exploited to access sensitive information stored on the heap, including prompts, messages, and environment variables, including API keys, tokens, and secrets, Cyera says. Tracked as CVE-2026-7482 (CVSS score of 9.3) and dubbed Bleeding Llama, the bug affects the GGUF model loader, which accepts an attacker-supplied GGUF file containing a declared tensor offset and size larger than the file’s length."
        https://www.securityweek.com/critical-bug-could-expose-300000-ollama-deployments-to-information-theft/
      • Critical, High-Severity Vulnerabilities Patched In Apache MINA, HTTP Server
        "Apache on Monday released patches for over a dozen vulnerabilities in HTTP Server and MINA, including critical and high-severity issues that could be exploited for remote code execution (RCE). Apache HTTP Server 2.4.67 was released with fixes for 11 vulnerabilities, 10 of which affect all previous releases. The first is CVE-2026-23918, a double-free and possible RCE bug in the HTTP/2 protocol handling. By triggering an early reset, an attacker could cause a denial-of-service (DoS) condition and potentially execute arbitrary code. Next in line is CVE-2026-28780, a heap buffer overflow issue that could allow remote attackers to send crafted AJP messages to cause a DoS condition and execute code."
        https://www.securityweek.com/critical-high-severity-vulnerabilities-patched-in-apache-mina-http-server/
        https://thehackernews.com/2026/05/critical-apache-http2-flaw-cve-2026.html
      • Microsoft Edge Stores Passwords In Process Memory, Posing Enterprise Risk
        "An attacker with administrative privileges can gain access to Microsoft Edge user passwords even when they're not in use, because the browser stores them in cleartext in process memory as part of a design decision by Microsoft. Security researcher Tom Jøran Sønstebyseter Rønning revealed the issue and how it can be exploited in a proof-of-concept (PoC) tool at Palo Alto Networks Norway's BIG Bite of Tech conference last week. He subsequently posted resources for the PoC and tool on GitHub."
        https://www.darkreading.com/cyber-risk/microsoft-edge-passwords-enterprise-risk
      • WhatsApp Discloses File Spoofing, Arbitrary URL Scheme Vulnerabilities
        "Meta-owned WhatsApp has published two new security advisories describing vulnerabilities that were patched earlier this year in the popular messaging app. One of the vulnerabilities is CVE-2026-23863, a medium-impact attachment spoofing issue affecting WhatsApp for Windows prior to version 2.3000.1032164386.258709. An attacker could have exploited the flaw to create a maliciously formatted document with embedded NUL bytes in the file name. When sent as an attachment, the recipient would see it as a harmless file, but it would run as an executable when opened, WhatsApp’s advisory explains. The second vulnerability, CVE-2026-23866, has also been assigned a ‘medium impact’ rating. It affects WhatsApp for iOS (v2.25.8.0-v2.26.15.72) and WhatsApp for Android (v2.25.8.0-v2.26.7.10)."
        https://www.securityweek.com/whatsapp-discloses-file-spoofing-arbitrary-url-scheme-vulnerabilities/
        https://www.malwarebytes.com/blog/news/2026/05/update-whatsapp-now-two-new-flaws-could-expose-you-to-malicious-files
      • Critical Remote Code Execution Vulnerability Patched In Android
        "Google announced on Monday the release of an Android update patching a critical vulnerability that can be exploited for remote code execution. The flaw, tracked as CVE-2026-0073, affects Android’s System component, allowing an attacker to exploit it to execute code as the shell user without additional execution privileges. User interaction is not required for exploitation. The advisory reveals that the issue impacts ‘adbd’ (Android Debug Bridge daemon), a background process running on Android devices that manages communication between the device and a computer, facilitating debugging and shell access."
        https://www.securityweek.com/critical-remote-code-execution-vulnerability-patched-in-android-2/
        https://securityaffairs.com/191710/breaking-news/critical-android-vulnerability-cve-2026-0073-fixed-by-google.html

      Malware

      • DAEMON Tools Software Infected – Supply Chain Attack Ongoing Since April 8, 2026
        "In early May 2026, we identified installers of the DAEMON Tools software, used for mounting disk images, to be compromised with a malicious payload. These installers are distributed from the legitimate website of DAEMON Tools and are signed with digital certificates belonging to DAEMON Tools developers. Our analysis revealed that the software installers have been trojanized starting from April 8, 2026. Specifically, we identified versions of DAEMON Tools ranging from 12.5.0.2421 to 12.5.0.2434 to be compromised. At the time of writing this article, the supply chain attack is still active. Artifacts suggesting that the threat actor behind this attack is Chinese-speaking have been identified in the malicious implants observed. We contacted AVB Disc Soft, the developer company of DAEMON Tools, so that further actions could be taken to remediate the attack consequences."
        https://securelist.com/tr/daemon-tools-backdoor/119654/
        https://www.bleepingcomputer.com/news/security/daemon-tools-trojanized-in-supply-chain-attack-to-deploy-backdoor/
        https://thehackernews.com/2026/05/daemon-tools-supply-chain-attack.html
      • Student Hacked Taiwan High-Speed Rail To Trigger Emergency Brakes
        "A 23-year-old university student in Taiwan was arrested for interfering with the TETRA communication system used by the country's high-speed railway network (THSR). According to local media reports, the student halted four trains for 48 minutes on April 5 by using software-defined radio (SDR) communications and handheld radios to transmit a high-priority “General Alarm” signal, triggering emergency braking procedures. THSR is a high-speed railway network in Taiwan that runs a single 350 km (217 miles) two-way line along the western coast of the country, with trains reaching speeds of up to 300 km/h (186 mph)."
        https://www.bleepingcomputer.com/news/security/student-hacked-taiwan-high-speed-rail-to-trigger-emergency-brakes/
      • CloudZ RAT Potentially Steals OTP Messages Using Pheno Plugin
        "Windows Phone Link (formerly "Your Phone") is a synchronization tool developed by Microsoft and built directly into Windows 10 and 11 that bridges a PC and a smartphone (Android or iPhone). By establishing a secure connection via Wi-Fi and Bluetooth, the application mirrors essential phone activities (such as application notifications and SMS messages) onto the computer screen, reducing the user’s need to physically interact with the mobile device while working on the computer. The Phone Link application writes synchronized phone data such as SMS messages, call logs, and the application notification history to the Windows PC in the application’s SQLite database file."
        https://blog.talosintelligence.com/cloudz-pheno-infostealer/
        https://www.bleepingcomputer.com/news/security/cloudz-malware-abuses-microsoft-phone-link-to-steal-sms-and-otps/
      • A Rigged Game: ScarCruft Compromises Gaming Platform In a Supply-Chain Attack
        "ESET researchers uncovered a multiplatform supply-chain attack by North Korea-aligned APT group ScarCruft, targeting the Yanbian region in China – home to ethnic Koreans and a crossing point for North Korean refugees and defectors. In the attack, probably ongoing since late 2024, ScarCruft compromised Windows and Android components of a video game platform dedicated to Yanbian-themed games, trojanizing them with a backdoor. The backdoor, named BirdCall by ESET, was originally known to target Windows only; the Android version was discovered as part of this supply-chain attack. In this blogpost, we provide an overview of the attack, and the first public analysis of the Android backdoor."
        https://www.welivesecurity.com/en/eset-research/rigged-game-scarcruft-compromises-gaming-platform-supply-chain-attack/
        https://www.bleepingcomputer.com/news/security/scarcruft-hackers-push-birdcall-android-malware-via-game-platform/
        https://thehackernews.com/2026/05/scarcruft-hacks-gaming-platform-to.html
        https://therecord.media/north-korean-hackers-target-ethnic-koreans-in-china
        https://www.bankinfosecurity.com/north-koreans-spy-on-defectors-via-android-game-apps-a-31592
        https://www.infosecurity-magazine.com/news/scarcruft-birdcall-android-yanbian/
      • UAT-8302 And Its Box Full Of Malware
        "Talos assesses with high confidence that UAT-8302 is a China-nexus advanced persistent threat (APT) group tasked primarily with obtaining and maintaining long-term access to government and related entities around the world. Post-compromise activity consisted of information collection, credential extraction, and proliferation using open-source tooling such as Impacket, proxying tools, and custom-built malware. Malware deployed by UAT-8302 connects it to several previously publicly disclosed threat clusters, indicating a close operating relationship between them at the very least. Overall, the various malicious artifacts deployed by UAT-8302 indicate that the group has access to tools used by other sophisticated APT actors, all of which have been assessed as China-nexus or Chinese-speaking by various third-party industry reports."
        https://blog.talosintelligence.com/uat-8302/
        https://thehackernews.com/2026/05/china-linked-uat-8302-targets.html
      • Breaking The Code: Multi-Stage ‘Code Of Conduct’ Phishing Campaign Leads To AiTM Token Compromise
        "Phishing campaigns continue to improve sophistication and refinement in blending social engineering, delivery and hosting infrastructure, and authentication abuse to remain effective against evolving security controls. A large-scale credential theft campaign observed by Microsoft Defender Research exemplifies this trend, using code of conduct-themed lures, a multi-step attack chain, and legitimate email services to distribute fully authenticated messages from attacker-controlled domains. The campaign targeted tens of thousands of users, primarily in the United States, and directed them through several stages of CAPTCHA and intermediate staging pages designed to reinforce legitimacy while filtering out automated defenses. The lures in this campaign used polished, enterprise-style HTML templates with structured layouts and preemptive authenticity statements, making them appear more credible than typical phishing emails and increasing their plausibility as legitimate internal communications."
        https://www.microsoft.com/en-us/security/blog/2026/05/04/breaking-the-code-multi-stage-code-of-conduct-phishing-campaign-leads-to-aitm-token-compromise/
        https://thehackernews.com/2026/05/microsoft-details-phishing-campaign.html
        https://www.infosecurity-magazine.com/news/microsoft-phishing-fake-compliance/
        https://www.securityweek.com/microsoft-warns-of-sophisticated-phishing-campaign-targeting-us-organizations/
        https://securityaffairs.com/191695/security/microsoft-warns-of-global-campaign-stealing-auth-tokens-from-35k-users.html
      • Malicious OpenClaw Skill Distributes Remcos RAT And GhostLoader
        "OpenClaw, previously known as Clawdbot, Moltbot, and Molty, is an open-source framework designed for autonomous AI agents that execute complex tasks requiring high-privilege local system access. While intended for automation, its modular "skill" architecture has been weaponized as a significant attack vector. In March 2026, Zscaler ThreatLabz identified a campaign leveraging the framework to exploit the growing adoption of agentic AI workflows. The threat actor published a deceptive "DeepSeek-Claw" skill for the OpenClaw framework, embedding installation instructions designed to trick AI agents or unsuspecting developers into executing hidden malicious payloads under the guise of seemingly legitimate installation and configuration steps."
        https://www.zscaler.com/blogs/security-research/malicious-openclaw-skill-distributes-remcos-rat-and-ghostloader
      • InstallFix And Claude Code: How Fake Install Pages Lead To Real Compromise
        "In an era where artificial intelligence tools have become indispensable to modern workflows, threat actors are exploiting this dependency with alarming sophistication. The InstallFix campaign — also known as the Fake Claude Installer threat — represents a dangerous evolution in social engineering, weaponizing trust in legitimate AI platforms to deliver state-linked espionage malware. This report examines how adversaries are impersonating Anthropic's Claude AI assistant, leveraging its 290 million monthly users to distribute malware through meticulously crafted fake installation pages. As organizations rush to integrate AI capabilities, understanding these deceptive tactics is no longer optional, but critical to survival in today's threat landscape. As modern software installation often involves copying and running commands (for example, “curl-to-bash”), attackers take advantage of this behavior by creating fake but realistic installation pages. These pages trick users into executing malicious commands, leading to malware infections."
        https://www.trendmicro.com/en_us/research/26/e/installfix-and-claude-code.html

      Breaches/Hacks/Leaks

      • Instructure Hacker Claims Data Theft From 8,800 Schools, Universities
        "The hacker behind a breach at education technology giant Instructure claims to have stolen 280 million records tied to students and staff from 8,809 colleges, school districts, and online education platforms. Instructure is a cloud-based education technology company best known for its Canvas learning management system, which schools and universities use to manage coursework, assignments, grading, and communication. Last Friday, Instructure disclosed that it was investigating a cyberattack and later revealed that it had suffered a data breach, during which users' names, email addresses, and private messages were exposed."
        https://www.bleepingcomputer.com/news/security/instructure-hacker-claims-data-theft-from-8-800-schools-universities/
        https://securityaffairs.com/191686/cyber-crime/educational-tech-firm-instructure-data-breach-may-have-impacted-9000-schools.html
      • Vimeo Data Breach Exposes Personal Information Of 119,000 People
        "The ShinyHunters extortion gang stole personal information belonging to over 119,000 people after hacking the Vimeo online video platform in April, according to data breach notification service Have I Been Pwned. Vimeo is a video hosting and streaming platform publicly traded on the Nasdaq stock market, with over 300 million registered users and over 1,100 employees, and reported revenues of $417 million for FY2024. The company disclosed on April 27 that customer and user data had been accessed without authorization following a recent breach at Anodot, a data anomaly detection company."
        https://www.bleepingcomputer.com/news/security/vimeo-data-breach-exposes-personal-information-of-119-000-people/
        https://securityaffairs.com/191715/data-breach/vimeo-confirms-breach-via-third-party-vendor-impacts-119k-users.html
        https://www.theregister.com/2026/05/05/shinyhunters_dump_puts_119k_vimeo/
      • Anti-ICE Site GTFO ICE Accused Of Exposing Data Of 17,000+ Activists
        "Miles Taylor, a former Department of Homeland Security Chief of Staff and former Google security executive, is at the centre of a major data exposure-related controversy. His new project, GTFO ICE, was launched just a couple of weeks ago with a media appearance on The Rachel Maddow Show. The platform, found at GTFOICE.org, was meant to be a tool for people to organise against immigration detention centres. However, it allegedly failed to protect the personal details of every person who signed up. For context, GTFO ICE (“Get The Facilities Out”) is a rapid-response network and advocacy tool launched in April 2026. It enables users to identify, track, and protest proposed Immigration and Customs Enforcement (ICE) detention facilities in their communities, aiming to “crowd cancel” them."
        https://hackread.com/anti-ice-site-gtfo-ice-expose-activists-data/
        https://blog.hagerstownrapidresponse.com/p/breaking-news-apparent-data-breach-hits-miles-taylors-anti-ice-organizing-site-gtfoice-org
      • Real Estate Giant Confirms Vishing Incident As ShinyHunters And Qilin Both Come Knocking
        "Real estate giant Cushman & Wakefield has confirmed a data breach after two cybercrime groups, ShinyHunters and Qilin, separately claimed responsibility for attacks on the company. A spokesperson told The Register the attack was "limited" in scope and stemmed from vishing (voice phishing), suggesting an employee was socially engineered. The representative said: "Cushman & Wakefield recently became aware of a limited data security incident due to vishing. We have activated our response protocols, including taking steps to contain the unauthorized activity and engaging third-party expert advisors to support a comprehensive response."
        https://www.theregister.com/2026/05/05/cushman_wakefield/

      General News

      • Member Of Prolific Russian Ransomware Group Sentenced To Prison
        "A Latvian national was sentenced today to 102 months in prison for his role in a major Russian ransomware organization that stole from and extorted over 54 companies. “With this sentence, a cruel, ruthless, and dangerous international cybercriminal is now behind bars,” said Assistant Attorney General A. Tysen Duva of the Justice Department’s Criminal Division. “Deniss Zolotarjovs helped his ransomware gang profit from hacks of dozens of companies, and even on a government entity whose 911 system was forced offline. He also used stolen children’s health information to increase his leverage to extort victim payments. The Criminal Division will continue to investigate and prosecute international hackers and extortionists from around the world, no matter where they live or operate.”"
        https://www.justice.gov/opa/pr/member-prolific-russian-ransomware-group-sentenced-prison
        https://www.bleepingcomputer.com/news/security/karakurt-extortion-gang-negotiator-sentenced-to-85-years-in-prison/
        https://therecord.media/conti-akira-ransomware-affiliate-sentenced
        https://cyberscoop.com/latvian-russia-ransomware-conti-sentenced/
        https://www.securityweek.com/karakurt-ransomware-negotiator-sentenced-to-prison/
        https://securityaffairs.com/191722/cyber-crime/u-s-court-sentences-karakurt-ransomware-negotiator-to-8-5-years.html
      • Skills Gap Top CISO Concern, Says New SANS Survey
        "Concerns about the skills and capabilities of cybersecurity teams have for the first time overtaken worries about headcount and unfilled vacancies among chief information security officers, according to a new survey. The shift highlights the challenges CISOs face in addressing new threats driven by emergent technologies like artificial intelligence and quantum computing - and the difficulty they confront identifying and quantifying skills among their existing staff. That's even more so the case for new recruits. "Not having the right staff" was picked by 60% compared to only 40% who chose "not enough staff," in the SANS/GIAC 2026 Cybersecurity Workforce Research Report, which surveyed 947 CISOs from a range of companies across the globe."
        https://www.bankinfosecurity.com/skills-gap-top-ciso-concern-says-new-sans-survey-a-31603
      • AI Adoption Outpaces Safety Policies, Leaving Organizations Exposed To Cyber Risk
        "AI has become embedded in organizations, yet fewer than half have any form of AI safety or security policies in place, potentially leaving them exposed to data breaches, privacy failures and other cyber threats. According to new research published by ISACA on May 5, 90% of digital trust professionals believe that employees in their organization use AI tools. However, only 38% said their organization has a formal, comprehensive AI policy in place to manage use of AI tools, while 30% said they have a limited policy in place. Despite the rise of AI in the workplace, 25% of organizations said they don’t have any policies in place around AI at all."
        https://www.infosecurity-magazine.com/news/ai-adoption-outpaces-safety-policy/
        https://www.isaca.org/-/media/files/isacadp/project/isaca/resources/infographics/2026-taking-the-pulse-of-ai.pdf
      • Targeting The Defense Industrial Base: What Network Telemetry Reveals About Nation-State Pre-Positioning
        "Intelligence drives operations. It provides commanders with options across time and space and enables them to shape the battlefield on their terms. This concept is not new. What has changed is the domain. Nation states are applying the same intelligence playbook in cyberspace, with the Defense Industrial Base as a primary target. What is being observed is not limited to intrusion activity, it is reconnaissance and pre positioning. Analysis of large-scale network telemetry reinforces this, showing sustained patterns of infrastructure mapping and access development long before disruptive activity occurs. In MITRE ATT&CK terms, this maps directly to reconnaissance and resource development. Adversaries are identifying targets, mapping infrastructure, and preparing access long before anything disruptive happens. Volt Typhoon is a clear example. They maintained access to US critical infrastructure for over five years before it was publicly disclosed. This is not an attack. It is intelligence preparation of the battlefield, carried out in cyberspace."
        https://www.team-cymru.com/post/defense-industrial-base-nation-state-network-telemetry
        https://www.infosecurity-magazine.com/news/small-defense-firms-lack-network/
      • Romance Scammers Turn Sweet Talk Into £102M Payday
        "Romance fraudsters scammed Britons out of £102 million ($138 million) last year, according to the latest police figures. That works out to roughly £280,000 ($379,000) a day, the City of London Police said Tuesday. The average victim loses around £9,500 ($12,866) per scam, though individual cases have reached £1 million ($1.35 million). The figures come from Report Fraud, a City of London Police service that logged 10,784 romance scam reports in 2025, a 29 percent year-on-year bump. "Romance fraud is particularly harmful because it targets trust and emotional connection," said Detective Superintendent Oliver Little at the City of London Police."
        https://www.theregister.com/2026/05/05/romance_scam_figures/

      References

      Posted in Cyber Security News
      NCSA_THAICERT
    • CISA publishes 7 Industrial Control Systems (ICS) advisories

      The Cybersecurity and Infrastructure Security Agency (CISA) published 7 advisories on industrial control systems (ICS) on 5 May 2569 B.E. (2026) to provide timely information on security issues, vulnerabilities and attacks related to ICS. The details are as follows:

      • ICSA-26-125-01 Hitachi Energy PCM600
      • ICSA-26-125-02 ABB B&R PVI
      • ICSA-26-125-03 ABB B&R Automation Runtime
      • ICSA-26-125-04 ABB B&R Automation Studio
      • ICSA-26-125-05 Johnson Controls CEM AC2000
      • ICSA-23-227-01 Schneider Electric EcoStruxure Control Expert and Modicon M340, Momentum, MC80, M580 and M580 CPU Safety (Update A)
      • ICSA-24-319-06 Hitachi Energy MSM (Update A)

      CISA recommends that users and administrators review the newly released ICS advisories for the technical details and the recommended mitigations.

      References
      https://www.cisa.gov/news-events/ics-advisories

      Posted in OT Cyber Security News
      NCSA_THAICERT
    • Cyber Threat Intelligence 05 May 2026

      New Tooling

      • Pipelock: Open-Source AI Agent Firewall
        "AI coding agents run with shell access, environment variables containing API keys, and unrestricted internet connectivity, creating a single point of failure where one compromised tool call can leak credentials to an attacker-controlled domain. Pipelock, an open-source security harness developed by Joshua Waldrep under the PipeLab project, addresses this exposure by inserting an enforcement layer between agents and the network. Version 2.3.0 shipped with class-preserving request redaction and generic SSE streaming response scanning."
        https://www.helpnetsecurity.com/2026/05/04/pipelock-open-source-ai-agent-firewall/
        https://github.com/luckyPipewrench/pipelock

      Vulnerabilities

      • Progress Warns Of Critical MOVEit Automation Auth Bypass Flaw
        "Progress Software warned customers to patch a critical authentication bypass vulnerability in its MOVEit Automation enterprise-grade managed file transfer (MFT) application. MOVEit Automation automates complex data workflows without requiring manual scripting and serves as a central automation orchestrator to schedule and manage file transfers between different systems, including local servers, cloud storage, and external partners. Tracked as CVE-2026-4670, the security flaw affects MOVEit Automation versions before 2025.1.5, 2025.0.9, and 2024.1.8. Remote threat actors can exploit it without privileges on the targeted systems in low-complexity attacks that don't require user interaction."
        https://www.bleepingcomputer.com/news/security/moveit-automation-customers-warned-to-patch-critical-auth-bypass-flaw/
        https://community.progress.com/s/article/MOVEit-Automation-Critical-Security-Alert-Bulletin-April-2026-CVE-2026-4670-CVE-2026-5174
        https://thehackernews.com/2026/05/progress-patches-critical-moveit.html
        https://securityaffairs.com/191681/security/moveit-automation-flaws-could-enable-full-system-compromise.html
        https://www.helpnetsecurity.com/2026/05/04/critical-moveit-automation-auth-bypass-vulnerability-fixed-cve-2026-4670/

      Malware

      • Critical cPanel Vulnerability Weaponized To Target Government And MSP Networks
        "A previously unknown threat actor has been observed targeting government and military entities in Southeast Asia, alongside a smaller cluster of managed service providers (MSPs) and hosting providers in the Philippines, Laos, Canada, South Africa, and the U.S., by exploiting the recently disclosed vulnerability in cPanel. The activity, detected by Ctrl-Alt-Intel on May 2, 2026, involves the abuse of CVE-2026-41940, a critical vulnerability in cPanel and WebHost Manager (WHM) that could result in an authentication bypass and allow remote attackers to gain elevated control of the control panel."
        https://thehackernews.com/2026/05/critical-cpanel-vulnerability.html
        https://censys.com/blog/the-cpanel-situation-is/
        https://ctrlaltintel.com/research/SEA-CPanel/
        https://www.darkreading.com/threat-intelligence/exploit-cyber-frenzy-critical-cpanel-vulnerability
        https://www.helpnetsecurity.com/2026/05/04/multiple-threat-actors-actively-exploit-cpanel-vulnerability-cve-2026-41940/
        https://www.securityweek.com/over-40000-servers-compromised-in-ongoing-cpanel-exploitation/
        https://securityaffairs.com/191666/breaking-news/hackers-target-governments-and-msps-via-critical-cpanel-flaw-cve-2026-41940.html
      • Ping, Payload, PowerShell: Active Exploitation Of CVE-2026-22679 In Weaver E-Cology
        "The Vega Threat Research team identified active exploitation of CVE-2026-22679 - a critical unauthenticated remote code execution (RCE) in the Office Automation and Collaboration platform Weaver E-cology, reachable through an exposed debug endpoint. Our earliest evidence on a compromised host is 2026-03-17, 14 days before Shadowserver’s first public in-the-wild report on 2026-03-31, and 5 days after the vendor patch shipped on 2026-03-12. The intrusion unfolded over roughly a week of operator activity: RCE verification, three failed payload drops, an attempted pivot to an MSI implant that did not produce a working install, and a short burst of attempts to retrieve PowerShell payloads from attacker-controlled infrastructure. While public coverage of this CVE has so far been limited to advisories, this report outlines a real-world exploitation and post-compromise behavior on a victim host."
        https://blog.vega.io/posts/cve-2026-22679-weaver-ecology-exploitation/
        https://www.bleepingcomputer.com/news/security/weaver-e-cology-critical-bug-exploited-in-attacks-since-march/
      • “Legitimate” Phishing: How Attackers Weaponize Amazon SES To Bypass Email Security
        "The primary goal for attackers in a phishing campaign is to bypass email security and trick the potential victim into revealing their data. To achieve this, scammers employ a wide range of tactics, from redirect links to QR codes. Additionally, they heavily rely on legitimate sources for malicious email campaigns. Specifically, we’ve recently observed an uptick in phishing attacks leveraging Amazon SES. Amazon Simple Email Service (Amazon SES) is a cloud-based email platform designed for highly reliable transactional and marketing message delivery. It integrates seamlessly with other products in Amazon’s cloud ecosystem, AWS."
        https://securelist.com/amazon-ses-phishing-and-bec-attacks/119623/
        https://www.bleepingcomputer.com/news/security/amazon-ses-increasingly-abused-in-phishing-to-evade-detection/
      • VENOMOUS#HELPER: Dual-RMM Phishing Campaign Leveraging JWrapper-Packaged SimpleHelp And ScreenConnect For Silent Remote Access
        "Phishing campaigns leveraging remote management tools are nothing new. Securonix Threat Research has conducted in-depth dynamic analysis of an ongoing phishing campaign targeting multiple vectors, active since at least April 2025. The campaign has impacted over 80 organizations, predominantly in the United States, spanning multiple sectors. This campaign leverages vendor-signed Remote Monitoring and Management (RMM) software to establish silent, persistent access. In this case, customized SimpleHelp and SecureConnect RMMs are used to bypass defenses as they are legitimately installed by the unsuspecting victim. This campaign appears to have been tracked previously by Sophos (tracked as STAC6405) and Redcanary independently, while the indicators and behavior within this advisory support and extend the depth of their respective research."
        https://www.securonix.com/blog/venomous-helper-phishing-campaign/
        https://www.darkreading.com/cyberattacks-data-breaches/rmm-tools-stealthy-phishing-campaign
        https://thehackernews.com/2026/05/phishing-campaign-hits-80-orgs-using.html
      • Quasar Linux (QLNX) – A Silent Foothold In The Supply Chain: Inside a Full-Featured Linux RAT With Rootkit, PAM Backdoor, Credential Harvesting Capabilities
        "In previous research, we have demonstrated how AI can be used to improve detection accuracy when new malware families emerge, particularly those that reuse or share code from open-source repositories. A clear example is our earlier work “AI-Automated Threat Hunting Brings GhostPenguin Out of the Shadows,” where AI-driven threat hunting helped us expose the previously elusive GhostPenguin backdoor. In this blog entry, we present another compelling finding from the same approach. Our platform recently flagged an unusual Linux implant with low detection, which caught our attention and prompted a deeper investigation. What followed was the discovery of Quasar Linux (QLNX), a previously undocumented Linux remote access trojan (RAT) with rootkit capabilities and a notably minimal detection footprint."
        https://www.trendmicro.com/en_us/research/26/e/quasar-linux-qlnx-a-silent-foothold-in-the-software-supply-chain.html

      Breaches/Hacks/Leaks

      • Trellix Discloses Data Breach After Source Code Repository Hack
        "Cybersecurity firm Trellix disclosed a data breach after attackers gained access to "a portion" of its source code repository. Trellix is a global cybersecurity company formed from the October 2021 merger of McAfee Enterprise and FireEye. It provides services to over 50,000 business and government customers worldwide, protecting more than 200 million endpoints. According to an official statement updated on Monday, the company is now investigating the incident with the help of outside forensic experts. At the moment, Trellix said it has yet to find evidence that the threat actors have exploited or altered the source code they accessed."
        https://www.bleepingcomputer.com/news/security/trellix-discloses-data-breach-after-source-code-repository-hack/
      • Everest Group Begins Leaking Alleged Liberty Mutual Data
        "Ransomware gang Everest Group on Monday began leaking what it claims to be a 108 gigabyte trove of data stolen on April 30 from insurance underwriter Liberty Mutual. The cybercrime group late Monday afternoon published the data after claiming the insurer "failed" to respond to its demands. "After the full publication, all the data was duplicated across various hacker forums and leak database sites," Everest said on its dark website. Liberty Mutual in a statement acknowledged the claims, saying the Boston company is investigating the matter, which it said appears to involve an incident at a third-party vendor."
        https://www.bankinfosecurity.com/everest-group-begins-leaking-alleged-liberty-mutual-data-a-31589
      • Ransomware Group Claims Breach Of Pro-Orbán Hungarian Media Firm
        "A cyber-extortion group said it was responsible for a recent ransomware attack on Hungarian media company Mediaworks that resulted in the publication of large volumes of stolen data online. The World Leaks group said they released nearly 8.5 terabytes of allegedly sensitive files on their dark web site last week. Local media outlets that reviewed the material said it included payroll records, contracts, financial statements and internal communications. Mediaworks confirmed the incident on Friday, warning that “a significant amount of illegally obtained data may have come into the possession of unauthorized persons,” and said it had launched an investigation."
        https://therecord.media/ransomware-group-claims-breach-of-pro-orban-media-firm

      General News

      • Why Data Centers Now Belong On The Critical Infrastructure List
        "Missile and drone attacks that took out cloud data centers in the Middle East underscored a critical vulnerability in the modern economy: reliance on digital infrastructure that sustains competitive advantage and operational continuity for corporations, nations, and militaries. The outages and downstream disruption were a preview of a new form of strategic and operational risk. Data centers have long been the backbone of the digital economy. What is changing is the scale of dependence as AI workloads dramatically increase the compute power required to run businesses, supply chains, and national security systems."
        https://cyberscoop.com/data-centers-critical-infrastructure-ai-security-op-ed/
      • What Researchers Learned About Building An LLM Security Workflow
        "Security operations centers are running into the same wall everywhere. Detection tools generate more alerts than analysts can work through, and the early stages of any investigation involve pulling together logs from several sources to decide whether something is worth escalating. Vendors have spent the past two years pitching LLMs as the answer, with a steady stream of copilots and AI assistants aimed at alert triage. A new paper from researchers at the University of Oslo and the Norwegian Defence Research Establishment offers a useful corrective to that pitch. One finding stands out. When the same language model is handed the same alert and the same data, the difference between useless and accurate output comes down almost entirely to the structure built around it."
        https://www.helpnetsecurity.com/2026/05/04/building-llm-security-workflow/
        https://arxiv.org/pdf/2604.25846
      • Workplace Apps Are Watching, Keeping Tabs, And Sharing What They Learn
        "The typical white-collar workplace in 2026 blends the personal and professional in ways previously unheard of. From BYOD (Bring Your Own Device) policies to the multitude of mobile apps required by many employers, personal data (including behavioral and location data) is increasingly finding its way into workplace systems. Even if only employer-provided devices are used for work, apps used to facilitate synchronous and asynchronous communication, as well as planning and organization, continue to have access to individuals’ personal data. Collectively, these apps account for over 12.5 billion downloads on Google Play alone. Given that employees often have little choice but to install these apps for work, understanding their data practices is critical—users may be unknowingly exposing sensitive personal information, including contact details, financial data, and precise location, to their employer’s software stack."
        https://blog.incogni.com/workplace-apps-on-personal-devices-research/
        https://www.helpnetsecurity.com/2026/05/04/workplace-apps-data-collection-privacy/
      • Shadow IT Has Given Way To Shadow AI. Enter AI-BOMs
        "When it comes to securing enterprise supply chains, now heavily infused with AI applications and agents, a software bill of materials (SBOM) no longer provides a complete inventory of all the components in the environment. Enter AI-BOMs. While a traditional SBOM includes all of the software packages and dependencies in the organization, an AI-BOM aims to cover the gaps introduced by AI assets by providing visibility across all of the models, datasets, SDK libraries, MCP servers, ML frameworks, agents, agentic skills, prompts, and other AI tools - plus how these AI components interact with each other and connect to workflows."
        https://www.theregister.com/2026/05/04/ai_bom_supply_chain/

      References
      Electronic Transactions Development Agency (ETDA)

      Posted in Cyber Security News
      NCSA_THAICERT
    • Microsoft confirms the April Windows update affects some backup systems

      Follow the news on the webboard or on Facebook NCSA Thailand

      Posted in Cyber Security News
      NCSA_THAICERT