NCSA Webboard
    • ล่าสุด
    • แท็ก
    • ฮิต
      • ติดต่อสำนักงาน
    • ลงทะเบียน
    • เข้าสู่ระบบ
    1. หน้าแรก
    2. NCSA_THAICERT
    • รายละเอียด
    • ติดตาม 0
    • คนติดตาม 2
    • กระทู้ 1,684
    • กระทู้ 1,685
    • ดีที่สุด 0
    • Controversial 0
    • กลุ่ม 2

    NCSA_THAICERT

    @NCSA_THAICERT

    1
    ชื่อเสียง
    47
    ดูข้อมูลส่วนตัว
    1.7k
    กระทู้
    2
    คนติดตาม
    0
    ติดตาม
    เข้าร่วม ออนไลน์ล่าสุด
    เว็บไซต์ www.ncsa.or.th/?fbclid=IwAR0BqJEC-CJzBs98rlBxUbZkNBgp1g814xdDNNaKnHTrxfqZhPD--ksY68I
    NCSA_THAICERT เลิกติดตาม ติดตาม
    Global Moderator administrators

    Latest posts made by NCSA_THAICERT

    • พบเครือข่ายเว็บช้อปปิ้งปลอมกว่า 2,000 แห่ง หลอกผู้ซื้อช่วงแคมเปญลดราคา

      290f4300-4221-4bfa-8577-6e6e1123f239-image.png พบเครือข่ายเว็บช้อปปิ้งปลอมกว่า 2,000 แห่ง หล.png

      สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand b0c79267-c10b-42c5-b6e0-506ceb318692-image.png

      โพสต์ใน Cyber Security News
      NCSA_THAICERTN
      NCSA_THAICERT
    • พบมัลแวร์ Android ตัวใหม่ “Albiriox” พัฒนาโดยกลุ่มอาชญากรไซเบอร์รัสเซีย

      5fbf1d3e-eac1-4fc6-9a3f-e4704be2c569-image.png พบมัลแวร์ Android ตัวใหม่ “Albiriox” พัฒนาโดยกลุ่มอา.png

      สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand da243077-10d8-4b9a-b03a-ab8b13ed969b-image.png

      โพสต์ใน Cyber Security News
      NCSA_THAICERTN
      NCSA_THAICERT
    • เตือนภัยนักพัฒนา แฮกเกอร์เกาหลีเหนือปล่อย 197 แพ็กเกจ npm อันตราย ฝังมัลแวร์ผ่านแคมเปญหลอกสัมภาษณ์งาน

      240213e6-b2cb-41cf-9f82-8ca974f5e7ef-image.png เตือนภัยนักพัฒนา แฮกเกอร์เกาหลีเหนือปล่อ_.png

      สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand a8202f4d-c1b8-43d4-8683-60366d0521d0-image.png

      โพสต์ใน Cyber Security News
      NCSA_THAICERTN
      NCSA_THAICERT
    • Cyber Threat Intelligence 02 December 2025

      Industrial Sector

      • APT And Financial Attacks On Industrial Organizations In Q3 2025
        "This summary provides an overview of reports on APT and financial attacks on industrial enterprises disclosed in Q3 2025, as well as the related activities of groups observed attacking industrial organizations. For each topic, we summarize the key facts, findings and conclusions of researchers that we believe may be useful to professionals addressing practical issues of cybersecurity in industrial enterprises."
        https://ics-cert.kaspersky.com/publications/reports/2025/12/01/apt-and-financial-attacks-on-industrial-organizations-in-q3-2025/

      Vulnerabilities

      • Google Addresses 107 Android Vulnerabilities, Including Two Zero-Days
        "Google disclosed two actively exploited zero-day vulnerabilities Monday, which it addressed among a total of 107 defects in the company’s monthly security update for Android devices. The zero-days — CVE-2025-48633 and CVE-2025-48572 — are both high-severity defects affecting the Android framework, which attackers can exploit to access information and escalate privileges, respectively. Google said both vulnerabilities, which had not been added to the Cybersecurity and Infrastructure Security Agency’s known exploited vulnerabilities catalog as of Monday afternoon, may be under limited, targeted exploitation."
        https://cyberscoop.com/android-security-update-december-2025/

      Malware

      • SmartTube YouTube App For Android TV Breached To Push Malicious Update
        "The popular open-source SmartTube YouTube client for Android TV was compromised after an attacker gained access to the developer's signing keys, leading to a malicious update being pushed to users. The compromise became known when multiple users reported that Play Protect, Android's built-in antivirus module, blocked SmartTube on their devices and warned them of a risk. The developer of SmartTube, Yuriy Yuliskov, admitted that his digital keys were compromised late last week, leading to the injection of malware into the app."
        https://www.bleepingcomputer.com/news/security/smarttube-youtube-app-for-android-tv-breached-to-push-malicious-update/
      • Glassworm's Resurgence
        "Security can't take holidays off, but the code marketplace scanners just might. Over the past week, we've identified and tracked an unprecedented 23 extensions which copy other popular extensions, update after publishing with malware, manipulate download counts, and use KNOWN attack signatures which have been in use for months. Many of these relate to Glassworm malware, but there could be mulitple campaigns at work also."
        https://secureannex.com/blog/glassworm-continued/
        https://www.bleepingcomputer.com/news/security/glassworm-malware-returns-in-third-wave-of-malicious-vs-code-packages/
      • 4.3 Million Browsers Infected: Inside ShadyPanda's 7-Year Malware Campaign
        "Koi researchers have identified a threat actor we're calling ShadyPanda - responsible for a seven-year browser extension campaign that has infected 4.3 million Chrome and Edge users. Our investigation uncovered two active operations: A 300,000-user RCE backdoor: Five extensions, including the "Featured" and "Verified" Clean Master, were weaponized in mid-2024 after years of legitimate operation. These extensions now run hourly remote code execution - downloading and executing arbitrary JavaScript with full browser access. They monitor every website visit, exfiltrate encrypted browsing history, and collect complete browser fingerprints."
        https://www.koi.ai/blog/4-million-browsers-infected-inside-shadypanda-7-year-malware-campaign
        https://thehackernews.com/2025/12/shadypanda-turns-popular-browser.html
        https://www.bleepingcomputer.com/news/security/shadypanda-browser-extensions-amass-43m-installs-in-malicious-campaign/
        https://www.theregister.com/2025/12/01/chrome_edge_malicious_browser_extensions/
      • Albiriox Exposed: A New RAT Mobile Malware Targeting Global Finance And Crypto Wallets
        "Over the past few months, the Cleafy Threat Intelligence team has identified and analyzed Albiriox, a newly emerging Android malware family promoted as a Malware-as-a-Service (MaaS) within underground cybercrime forums. First observed in September 2025 during a limited recruitment phase targeting high-reputation forum members, the project transitioned to a publicly available MaaS offering in October 2025. Forum activity, linguistic patterns, and infrastructure analysis indicate that Russian-speaking Threat Actors (TAs) are behind the operation."
        https://www.cleafy.com/cleafy-labs/albiriox-rat-mobile-malware-targeting-global-finance-and-crypto-wallets
        https://thehackernews.com/2025/12/new-albiriox-maas-malware-targets-400.html
        https://www.infosecurity-magazine.com/news/android-maas-malware-albiriox-dark/
        https://www.malwarebytes.com/blog/news/2025/12/new-android-malware-lets-criminals-control-your-phone-and-drain-your-bank-account
        https://www.securityweek.com/new-albiriox-android-malware-developed-by-russian-cybercriminals/
        https://securityaffairs.com/185194/malware/emerging-android-threat-albiriox-enables-full-on‑device-fraud.html
      • Two Years, 17K Downloads: The NPM Malware That Tried To Gaslight Security Scanners
        "We train our AI risk engine to look for something most scanners don't: code that tries to manipulate AI-based security tools. As LLMs become part of the security stack, from code review to package analysis, attackers will adapt. They'll start writing code that's designed not just to evade detection, but to actively mislead the AI doing the analysis. We built our engine to catch that. This week, it caught something interesting."
        https://www.koi.ai/blog/two-years-17k-downloads-the-npm-malware-that-tried-to-gaslight-security-scanners
        https://www.infosecurity-magazine.com/news/malware-ai-detection-npm-package/

      Breaches/Hacks/Leaks

      • Retail Giant Coupang Data Breach Impacts 33.7 Million Customers
        "South Korea's largest retailer, Coupang, has suffered a data breach that exposed the personal information of 33.7 million customers. The firm has warned on its Korean-language site that the incident occurred on June 24, 2025, but it only discovered it and began the investigation on November 18, 2025. "On November 18, 2025, Coupang became aware of unauthorized access to personal information related to the accounts of approximately 4,500 customers," reads the public statement."
        https://www.bleepingcomputer.com/news/security/retail-giant-coupang-suffers-data-breach-impacting-337-million-people/
        https://hackread.com/coupang-data-breach-south-korean-accounts/
        https://www.infosecurity-magazine.com/news/south-korea-coupang-34m-customer/
        https://www.theregister.com/2025/12/01/coupang_breach/
      • Royal Borough Of Kensington And Chelsea Reveals Data Breach
        "The Royal Borough of Kensington and Chelsea (RBKC) has told residents that their data may have been compromised in a cyber-attack on an IT service provider discovered last week. The council, London’s smallest but most densely populated, revealed the news in an update on Friday. “After discovering unusual activity first thing Monday morning, we have been taking all necessary steps to shut down and isolate systems and make them as safe as possible,” it said."
        https://www.infosecurity-magazine.com/news/royal-borough-kensington-chelsea/

      General News

      • Treating MCP Like An API Creates Security Blind Spots
        "In this Help Net Security interview, Michael Yaroshefsky, CEO at MCP Manager, discusses how Model Context Protocol’s (MCP) trust model creates security gaps that many teams overlook and why MCP must not be treated like a standard API. He explains how misunderstandings about MCP’s runtime behavior, governance, and identity requirements can create exposure. With MCP usage expanding across organizations, well-defined controls and a correct understanding of the protocol become necessary."
        https://www.helpnetsecurity.com/2025/12/01/michael-yaroshefsky-mcp-manager-mcp-security-gaps/
      • Offensive Cyber Power Is Spreading Fast And Changing Global Security
        "Offensive cyber activity has moved far beyond a handful of major powers. More governments now rely on digital operations to project influence during geopolitical tension, which raises new risks for organizations caught in the middle. A new policy brief from the Geneva Centre for Security Policy examines how these developments influence international stability and what steps could lower the chance of dangerous escalation."
        https://www.helpnetsecurity.com/2025/12/01/global-offensive-cyber-operations-risks/
      • The Weekend Is Prime Time For Ransomware
        "Over half of organizations that experienced a ransomware event in the past year were hit during a weekend or holiday, according to a Semperis report. Those periods often come with thin staffing, slower investigation, and fewer eyes on identity systems. Intruders know that reduced attention allows them to move deeper before alarms are raised. 60% of incidents happened after a merger, acquisition, restructuring, or similar shift inside the business. The most common trigger was an M&A effort. When identity environments are being consolidated, inconsistencies appear. Attackers look for these weak points and move quickly when they find them."
        https://www.helpnetsecurity.com/2025/12/01/semperis-ransomware-risk-trends-report/
      • When Hackers Wear Suits: Protecting Your Team From Insider Cyber Threats
        "In the ever-evolving landscape of cyber threats, a new and insidious danger is emerging, shifting focus from external attacks to internal infiltration. Hackers are now impersonating seasoned cybersecurity and IT professionals to gain privileged access within organizations. These aren't just phishing attempts; they are calculated schemes where malicious actors manipulate the hiring process to become "trusted" staff, all with the intent of breaching company databases or stealing sensitive information."
        https://www.bleepingcomputer.com/news/security/when-hackers-wear-suits-protecting-your-team-from-insider-cyber-threats/
      • Europol And Partners Shut Down ‘Cryptomixer’
        "From 24 to 28 November 2025, Europol supported an action week conducted by law enforcement authorities from Switzerland and Germany in Zurich, Switzerland. The operation focused on taking down the illegal cryptocurrency mixing service ‘Cryptomixer’, which is suspected of facilitating cybercrime and money laundering."
        https://www.europol.europa.eu/media-press/newsroom/news/europol-and-partners-shut-down-cryptomixer
        https://www.eurojust.europa.eu/news/cryptocurrency-mixing-service-used-launder-money-taken-down
        https://therecord.media/cryptomixer-service-takedown-bitcoin-seized
        https://www.bleepingcomputer.com/news/security/police-takes-down-cryptomixer-cryptocurrency-mixing-service/
        https://www.darkreading.com/cyberattacks-data-breaches/police-disrupt-cryptomixer-seize-millions-crypto
        https://cyberscoop.com/cryptomixer-takedown-seizure-europol/
        https://www.infosecurity-magazine.com/news/europol-takes-down-illegal/
        https://hackread.com/cryptomixer-domains-infrastructure-bitcoin-seized/
        https://www.securityweek.com/29-million-worth-of-bitcoin-seized-in-cryptomixer-takedown/
        https://securityaffairs.com/185217/cyber-crime/law-enforcement-shuts-down-cryptomixer-in-major-crypto-crime-takedown.html
        https://www.helpnetsecurity.com/2025/12/01/cryptomixer-takedown-seizure/
      • Officials Accuse North Korea’s Lazarus Of $30 Million Theft From Crypto Exchange
        "A recent cyberattack on South Korea’s largest cryptocurrency exchange was allegedly conducted by a North Korean government-backed hacking group. Yonhap News Agency reported on Friday that South Korean government officials are involved in the investigation surrounding $30 million worth of cryptocurrency that was stolen from Upbit on Wednesday evening. On Friday, South Korean officials told the news outlet that North Korea’s Lazarus hacking group was likely involved in the theft based on the tactics used to break into the cryptocurrency platform and the methods deployed to launder the stolen funds."
        https://therecord.media/officials-accuse-north-korea-hackers-of-attack-on-crypto-exchange

      อ้างอิง
      Electronic Transactions Development Agency (ETDA) 1e80bf92-ee7b-46df-bd69-6e6d3b531813-image.png

      โพสต์ใน Cyber Security News
      NCSA_THAICERTN
      NCSA_THAICERT
    • Windows 11 พบปัญหาไอคอนรหัสผ่านหายหลังอัปเดตเดือนสิงหาคม 2025

      015cf92d-5919-4217-a5f5-d8ea7b2e27f4-image.png Windows 11 พบปัญหาไอคอนรหัสผ่านหายหลังอัปเดตเดื.png

      สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand 19d2d96f-3993-4368-b0a3-879d91ac67e9-image.png

      โพสต์ใน Cyber Security News
      NCSA_THAICERTN
      NCSA_THAICERT
    • ผู้โจมตีขโมยข้อมูลสมาชิกจากสหพันธ์ฟุตบอลฝรั่งเศส (French Soccer Federation)

      a14a1778-3904-4a09-a6b7-4d1de82c88bc-image.png

      ผู้โจมตีขโมยข้อมูลสมาชิกจากสหพันธ์ฟุตบอ.png

      สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand 51145fef-0697-4249-8a3e-12f0114b094d-image.png

      โพสต์ใน Cyber Security News
      NCSA_THAICERTN
      NCSA_THAICERT
    • GreyNoise เปิดตัวเครื่องมือฟรี ช่วยผู้ใช้งานตรวจสอบว่า IP ถูกนำไปใช้ในเครือข่าย Botnet หรือไม่

      bcc3303d-1b2c-4d61-91e9-f6cc74a819b7-image.png GreyNoise เปิดตัวเครื่องมือฟรี ช่วยผู้ใช้งานตรว.png

      สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand 26611d2a-ef5b-4722-8999-dce380f089fd-image.png

      โพสต์ใน Cyber Security News
      NCSA_THAICERTN
      NCSA_THAICERT
    • CISA เพิ่มช่องโหว่ที่ถูกใช้โจมตี 1 รายการลงในแคตตาล็อก

      เมื่อวันที่ 28 พฤศจิกายน 2025 Cybersecurity and Infrastructure Security Agency (CISA) ได้เพิ่มช่องโหว่ใหม่ 1 รายการลงในแคตตาล็อก Known Exploited Vulnerabilities (KEV) จากหลักฐานที่พบว่ามีการโจมตีใช้งานจริงแล้ว ดังนี้

      • CVE-2021-26829 OpenPLC ScadaBR Cross-site Scripting Vulnerability

      ทั้งนี้ คำสั่ง BOD 22-01 ของ CISA กำหนดให้มี แคตตาล็อก Known Exploited Vulnerabilities (KEV) เพื่อรวบรวมช่องโหว่ (CVEs) ที่มีความเสี่ยงสูงและถูกใช้งานโจมตีจริง หน่วยงาน Federal Civilian Executive Branch (FCEB) ต้องดำเนินการแก้ไขช่องโหว่ที่ระบุภายในเวลาที่กำหนด เพื่อปกป้องเครือข่ายจากภัยคุกคาม

      ทาง CISA จะปรับปรุงและเพิ่มช่องโหว่ใหม่เข้าสู่แคตตาล็อก KEV อย่างต่อเนื่อง เพื่อให้ครอบคลุมความเสี่ยงที่ตรวจพบจริงในปัจจุบันและอนาคต

      อ้างอิง
      https://www.cisa.gov/news-events/alerts/2025/11/28/cisa-adds-one-known-exploited-vulnerability-catalog
      สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand a3cd8a72-3cbb-4726-b17e-1123e8fad5c3-image.png

      โพสต์ใน Cyber Security News
      NCSA_THAICERTN
      NCSA_THAICERT
    • Cyber Threat Intelligence 01 December 2025

      New Tooling

      • Your IP Address Might Be Someone Else's Problem (And Here's How To Find Out)
        "We built something new at GreyNoise Labs, and it started with a question we kept hearing: “How do I know if my home network has been compromised?” It’s not a theoretical concern. Over the past year, residential proxy networks have exploded and have been turning home internet connections into exit points for other people’s traffic. Sometimes folks knowingly install software that does this in exchange for a few dollars. More often, malware sneaks onto devices, usually via nefarious apps or browser extensions, and quietly turns them into nodes in someone else’s infrastructure."
        https://www.greynoise.io/blog/your-ip-address-might-be-someone-elses-problem
        https://check.labs.greynoise.io/
        https://www.bleepingcomputer.com/news/security/greynoise-launches-free-scanner-to-check-if-youre-part-of-a-botnet/

      Vulnerabilities

      • CISA Adds One Known Exploited Vulnerability To Catalog
        "CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
        CVE-2021-26829 OpenPLC ScadaBR Cross-site Scripting Vulnerability"
        https://www.cisa.gov/news-events/alerts/2025/11/28/cisa-adds-one-known-exploited-vulnerability-catalog
        https://thehackernews.com/2025/11/cisa-adds-actively-exploited-xss-bug.html
      • The Hidden Dangers Of Calendar Subscriptions: 4 Million Devices At Risk
        "Day-to-day workload can become overwhelming as time passes alongside the growing tasks and responsibilities of both personal and professional lives. Therefore, a well-structured digital calendar may be an essential organizational tool to navigate through the day, helping with the support we need to manage our time and ongoing commitments."
        https://www.bitsight.com/blog/hidden-dangers-calendar-subscriptions-4-million-devices-risk
        https://www.infosecurity-magazine.com/news/threat-actors-exploit-calendar-subs/

      Malware

      • Tomiris Wreaks Havoc: New Tools And Techniques Of The APT Group
        "While tracking the activities of the Tomiris threat actor, we identified new malicious operations that began in early 2025. These attacks targeted foreign ministries, intergovernmental organizations, and government entities, demonstrating a focus on high-value political and diplomatic infrastructure. In several cases, we traced the threat actor’s actions from initial infection to the deployment of post-exploitation frameworks. These attacks highlight a notable shift in Tomiris’s tactics, namely the increased use of implants that leverage public services (e.g., Telegram and Discord) as command-and-control (C2) servers. This approach likely aims to blend malicious traffic with legitimate service activity to evade detection by security tools."
        https://securelist.com/tomiris-new-tools/118143/
      • Bootstrap Script Exposes PyPI To Domain Takeover Attacks
        "ReversingLabs researchers have discovered vulnerable code in legacy Python packages that could make possible an attack on the Python Package Index (PyPI) via a domain compromise. Although the vulnerable code is mostly unused in modern development environments, it may still be used in legacy production. RL Spectra Assure Community’s machine learning model, which detects packages with behaviors similar to known malware, found the vulnerability in bootstrap files for a build tool that installs the Python package distribute and performs other tasks in the bootstrapping process."
        https://www.reversinglabs.com/blog/bootstrap-script-exposes-pypi-to-domain-takeover-attack
        https://thehackernews.com/2025/11/legacy-python-bootstrap-scripts-create.html
      • Inside The GitHub Infrastructure Powering North Korea’s Contagious Interview Npm Attacks
        "The Socket Threat Research Team continues to track North Korea’s Contagious Interview operation as it systematically infiltrates the npm ecosystem. Since we last reported on this campaign, it has added at least 197 more malicious npm packages and over 31,000 additional downloads, with state-sponsored threat actors targeting blockchain and Web3 developers through fake job interviews and “test assignments”. This sustained tempo makes Contagious Interview one of the most prolific campaigns exploiting npm, and it shows how thoroughly North Korean threat actors have adapted their tooling to modern JavaScript and crypto-centric development workflows."
        https://socket.dev/blog/north-korea-contagious-interview-npm-attacks
        https://thehackernews.com/2025/11/north-korean-hackers-deploy-197-npm.html
        https://securityaffairs.com/185170/apt/contagious-interview-campaign-expands-with-197-npm-ppackages-spreading-new-ottercookie-malware.html
      • PostHog Admits Shai-Hulud 2.0 Was Its Biggest Ever Security Bungle
        "PostHog says the Shai-Hulud 2.0 npm worm compromise was "the largest and most impactful security incident" it's ever experienced after attackers slipped malicious releases into its JavaScript SDKs and tried to auto-loot developer credentials. In a postmortem released by PostHog, one of the various package maintainers impacted by Shai-Hulud 2.0, the company says contaminated packages – which included core SDKs like posthog-node, posthog-js, and posthog-react-native – contained a pre-install script that ran automatically when the software was installed. That script ran TruffleHog to scan for credentials, exfiltrated any found secrets to new public GitHub repositories, then used stolen npm credentials to publish further malicious packages – enabling the worm to spread."
        https://www.theregister.com/2025/11/28/posthog_shaihulud/
        https://posthog.com/blog/nov-24-shai-hulud-attack-post-mortem
      • Over 2,000 Fake Shopping Sites Spotted Before Cyber Monday
        "Shoppers looking for great deals this holiday season need to be extra careful, as a massive operation involving over 2,000 fake online stores has been found, timed perfectly to steal money and personal details during peak sales like Black Friday and Cyber Monday. Cybersecurity firm CloudSEK recently discovered this huge network and shared its research with Hackread.com. According to CloudSEK’s analysis, these aren’t isolated incidents; they are highly organised operations using identical methods to trick people, making this one of the largest coordinated scam efforts seen this shopping season."
        https://hackread.com/fake-shopping-sites-cyber-monday/

      Breaches/Hacks/Leaks

      • Public GitLab Repositories Exposed More Than 17,000 Secrets
        "After scanning all 5.6 million public repositories on GitLab Cloud, a security engineer discovered more than 17,000 exposed secrets across over 2,800 unique domains. Luke Marshall used the TruffleHog open-source tool to check the code in the repositories for sensitive credentials like API keys, passwords, and tokens. The researcher previously scanned Bitbucket, where he found 6,212 secrets spread over 2.6 million repositories. He also checked the Common Crawl dataset that is used to train AI models, which exposed 12,000 valid secrets."
        https://www.bleepingcomputer.com/news/security/public-gitlab-repositories-exposed-more-than-17-000-secrets/
        https://trufflesecurity.com/blog/scanning-5-6-million-public-gitlab-repositories-for-secrets
      • French Football Federation Discloses Data Breach After Cyberattack
        "The French Football Federation (FFF) disclosed a data breach on Friday after attackers used a compromised account to gain access to administrative management software used by football clubs. After detecting the unauthorized access, FFF's security team disabled the compromised account and reset all user passwords across the system. However, before they were detected and evicted from the breached systems, the threat actors stole personal and contact information from members of French football clubs."
        https://www.bleepingcomputer.com/news/security/french-football-federation-fff-discloses-data-breach-after-cyberattack/
        https://www.infosecurity-magazine.com/news/french-football-federation-data/
        https://www.securityweek.com/french-soccer-federation-hit-by-cyberattack-member-data-stolen/
        https://securityaffairs.com/185160/data-breach/attackers-stole-member-data-from-french-soccer-federation.html
      • Brit Telco Brsk Confirms Breach As Bidding Begins For 230K+ Customer Records
        "British telco Brsk is investigating claims that it was attacked by cybercriminals who made off with more than 230,000 files. An advert posted to a cybercrime forum last week claimed to list 230,105 records stolen from the telco, with interested parties invited to bid for access to the data via Telegram. According to the advert, the stolen data includes customers' full names, email and home addresses, installation details, location data, phone numbers, and indicators of whether they are considered a vulnerable person."
        https://www.theregister.com/2025/11/28/brsk_breach/

      General News

      • Man Behind In-Flight Evil Twin WiFi Attacks Gets 7 Years In Prison
        "A 44-year-old man was sentenced to seven years and four months in prison for operating an “evil twin” WiFi network to steal the data of unsuspecting travelers during flights and at various airports across Australia. The man, an Australian national, was charged in July 2024 after Australian authorities had confiscated his equipment in April and confirmed that he was engaging in malicious activities during domestic flights and at airports in Perth, Melbourne, and Adelaide."
        https://www.bleepingcomputer.com/news/security/man-behind-in-flight-evil-twin-wifi-attacks-gets-7-years-in-prison/
      • Social Data Puts User Passwords At Risk In Unexpected Ways
        "Many CISOs already assume that social media creates new openings for password guessing, but new research helps show what that risk looks like in practice. The findings reveal how much information can be reconstructed from public profiles and how that data influences the strength of user passwords. The study also examines how LLMs behave when asked to generate or evaluate passwords based on that same personal information."
        https://www.helpnetsecurity.com/2025/11/28/research-social-media-password-risk/
        https://arxiv.org/pdf/2511.16716
      • Fragmented Tooling Slows Vulnerability Management
        "Security leaders know vulnerability backlogs are rising, but new data shows how quickly the gap between exposures and available resources is widening, according to a new report by Hackuity. Organizations use a formalized approach to manage vulnerabilities, but their tooling remains fragmented. Respondents rely on an average of four detection tools, and cloud or container configuration audits are the most common at 85%. This mix suggests broad coverage, but it also explains why teams struggle with visibility, correlation of findings, and consistent prioritization."
        https://www.helpnetsecurity.com/2025/11/28/hackuity-vulnerability-management-trends-report/

      อ้างอิง
      Electronic Transactions Development Agency (ETDA) ee49f089-7d58-4fb7-a62b-99f1c3f4b82c-image.png

      โพสต์ใน Cyber Security News
      NCSA_THAICERTN
      NCSA_THAICERT
    • Cyber Threat Intelligence 28 November 2025

      Financial Sector

      • Criminal Networks Industrialize Payment Fraud Operations
        "Fraud operations are expanding faster than payment defenses can adjust. Criminal groups function like coordinated businesses that develop tools, automate tasks, and scale attacks. New data from a Visa report shows how these shifts are reshaping risk across the financial sector."
        https://www.helpnetsecurity.com/2025/11/27/visa-payment-fraud-trends-report/

      Malware

      • Shai-Hulud 2.0 Campaign Targets Cloud And Developer Ecosystems
        "This blog continues our investigation on the Node Package Manager (NPM) supply chain attack that took place on September 15, where attackers executed a highly targeted phishing campaign to compromise the account of an NPM package maintainer. Our previous blog detailed how the malicious code injected onto JavaScript packages diverted cryptocurrency assets by hijacking web APIs and manipulating network traffic, and how the Shai-hulud worm in the attack payload steals cloud service tokens, deploys secret-scanning tools, and spreads to additional accounts. An incident this November 24 reported hundreds of NPM repositories compromised by what appears to be a new Shai-hulud campaign with the repository description, "Sha1-Hulud: The Second Coming.""
        https://www.trendmicro.com/en_us/research/25/k/shai-hulud-2-0-targets-cloud-and-developer-systems.html
        • Is Zendesk Scattered Lapsus$ Hunters’ Latest Campaign Target?
          "ReliaQuest has uncovered indications of a potential new campaign from the notorious threat collective “Scattered Lapsus$ Hunters,” this time targeting users of the customer support software Zendesk. ReliaQuest’s Threat Research team identified Zendesk-related domains, including more than 40 typosquatted domains and impersonating URLs, created within the past six months. These domains, such as znedesk[.]com or vpn-zendesk[.]com, are clearly designed to mimic legitimate Zendesk environments. Some host phishing pages, like fake single sign-on (SSO) portals that appear before Zendesk authentication. It’s a classic tactic probably aimed at stealing credentials from unsuspecting users. We also identified Zendesk-related impersonating domains that contained multiple different organizations’ names or brands within the URL, making it even more likely that unsuspecting users would trust and click on these links."
          https://reliaquest.com/blog/zendesk-scattered-lapsus-hunters-latest-target/
          https://www.infosecurity-magazine.com/news/scattered-lapsus-hunters-zendesk/
          https://www.theregister.com/2025/11/27/scattered_lapsus_hunters_zendesk/
      • Meet Rey, The Admin Of ‘Scattered Lapsus$ Hunters’
        "A prolific cybercriminal group that calls itself “Scattered LAPSUS$ Hunters” has dominated headlines this year by regularly stealing data from and publicly mass extorting dozens of major corporations. But the tables seem to have turned somewhat for “Rey,” the moniker chosen by the technical operator and public face of the hacker group: Earlier this week, Rey confirmed his real life identity and agreed to an interview after KrebsOnSecurity tracked him down and contacted his father."
        https://krebsonsecurity.com/2025/11/meet-rey-the-admin-of-scattered-lapsus-hunters/
        https://hackread.com/report-names-teen-scattered-lapsus-hunters-group/

      Breaches/Hacks/Leaks

      • OpenAI Discloses API Customer Data Breach Via Mixpanel Vendor Hack
        "OpenAI is notifying some ChatGPT API customers that limited identifying information was exposed following a breach at its third-party analytics provider Mixpanel. Mixpanel offers event analytics that OpenAI uses to track user interactions on the frontend interface for the API product. According to the AI company, the cyber incident affected “limited analytics data related to some users of the API” and did not impact users of ChatGPT or other products."
        https://www.bleepingcomputer.com/news/security/openai-discloses-api-customer-data-breach-via-mixpanel-vendor-hack/
        https://openai.com/index/mixpanel-incident/
        https://www.infosecurity-magazine.com/news/openai-warns-mixpanel-data-breach/
        https://www.securityweek.com/openai-user-data-exposed-in-mixpanel-hack/
        https://hackread.com/openai-api-mixpanel-data-breach-chatgpt/
        https://securityaffairs.com/185121/data-breach/openai-data-may-have-been-exposed-after-a-cyberattack-on-analytics-firm-mixpanel.html
        https://www.theregister.com/2025/11/27/openai_mixpanel_api/
      • Asahi Admits Ransomware Gang May Have Spilled Almost 2M People's Data
        "Asahi has finally done the sums on September's ransomware attack in Japan, conceding the crooks may have helped themselves to personal data tied to almost 2 million people. Back on September 29, Asahi disclosed a "system failure caused by a cyberattack" that knocked out ordering, shipping, and call center systems across its Japanese operations. Days later, the attack was claimed by the Qilin ransomware crew, which reckons it stole some 27 GB of internal files – including employee records, contracts, financial documents, and other sensitive assets."
        https://www.theregister.com/2025/11/27/asahi_ransomware_numbers/
        https://www.infosecurity-magazine.com/news/asahi-15-million-customers/
        https://www.securityweek.com/asahi-data-breach-impacts-2-million-individuals/
        https://securityaffairs.com/185126/data-breach/asahi-says-crooks-stole-data-of-approximately-2m-customers-and-employees.html

      General News

      • Your Critical Infrastructure Is Running Out Of Time
        "Cyber attackers often succeed not because they are inventive, but because the systems they target are old. A new report by Cisco shows how unsupported technology inside national infrastructure creates openings that attackers can exploit repeatedly. The findings show how widespread this problem has become and how much it influences national resilience."
        https://www.helpnetsecurity.com/2025/11/27/cisco-legacy-system-vulnerabilities-report/
      • The Identity Mess Your Customers Feel Before You Do
        "Customer identity has become one of the most brittle parts of the enterprise security stack. Teams know authentication matters, but organizations keep using methods that frustrate users and increase risk. New research from Descope shows how companies manage customer identity and the issues that have been building in the background."
        https://www.helpnetsecurity.com/2025/11/27/descope-customer-identity-issues-report/
      • Fraud Fears But No Breach Spike Expected This Festive Season
        "Security experts have dismissed fears that threat actors could step up cyber-attacks on distracted retailers this Black Friday and in the run up to Christmas, although concerns persist. Huntsman Security analyzed data security incidents reported to the UK's Information Commissioner's Office (ICO) between Q3 2024 and Q2 2025. It found that the 1381 incidents reported by the retail and manufacturing sector had only minor seasonal peaks, with none outside a margin of error. Some 355 incidents were reported to the regulator in the busiest time of the year for retailers (Q4), versus 323 in Q3 2024, 317 in Q2 2025 and 386 in Q2 2025. The latter period included the massive ransomware breaches at M&S and the Co-Op Group."
        https://www.infosecurity-magazine.com/news/fraud-fears-no-breach-spike/
      • Ransomware Reshaping Cyber As National Security Priority
        "Non-stop, high-profile ransomware attacks against Britain and the United States have transformed cybersecurity into a national security priority, Anne Neuberger, the former White House deputy national security adviser for cyber, said at a Wednesday event in London. "For too long, it's been a tech thing, 'go get your CIO to fix it,'" Neuberger told attendees at an event hosted by think tank Royal United Services Institute, where she serves as a distinguished fellow."
        https://www.bankinfosecurity.com/ransomware-reshaping-cyber-as-national-security-priority-a-30160
      • As Space Becomes Warfare Domain, Cyber Is On The Frontlines
        "Space is becoming a domain of warfare, with private sector companies on the front lines - and the first shots will likely be fired in cyberspace, a senior U.S. intelligence official warned this month. "Cybersecurity for space systems is very likely to be on the front lines of conflict involving space," said Johnathon Martin, acting deputy director of the Office of the Chief Architect at the National Reconnaissance Office, which builds, launches and operates U.S. spy satellites."
        https://www.bankinfosecurity.com/as-space-becomes-warfare-domain-cyber-on-frontlines-a-30148
      • FCC Warns Of Hackers Hijacking Radio Equipment For False Alerts
        "Hackers have been hijacking US radio transmission equipment to air bogus emergency tones and offensive material, according to a notice issued Wednesday by the US Federal Communications Commission (FCC). The wave of intrusions triggered unauthorized uses of the Emergency Alert System’s distinctive Attention Signal, which is normally reserved for tornadoes, hurricanes, earthquakes and other urgent threats. In particular, threat actors appeared to target Barix network audio devices and reconfigure them to capture attacker-controlled streams instead of regular programming."
        https://www.infosecurity-magazine.com/news/fcc-hackers-hijacking-radio/
        https://docs.fcc.gov/public/attachments/DA-25-996A1.pdf
        https://www.theregister.com/2025/11/27/fcc_radio_hijack/

      อ้างอิง
      Electronic Transactions Development Agency (ETDA) 225ed552-b6c2-4fe8-a082-8ba991511cdc-image.png

      โพสต์ใน Cyber Security News
      NCSA_THAICERTN
      NCSA_THAICERT