สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

Healthcare Sector

• Researchers Find 38 Flaws In OpenEMR. They've Been Fixed
  "Researchers at security firm Aisle said they recently identified 38 vulnerabilities, including two maximum-severity zero-day flaws in an open-source electronic medical record software platform used by about 100,000 healthcare providers globally. The platform, OpenEMR, has patched the problems. Three Aisle researchers said they discovered the bugs during the first months of this year through an artificial intelligence-driven analysis. The latest version of OpenEMR 8.0, released in February, has U.S. government certification as an electronic health record platform."
  https://www.bankinfosecurity.com/researchers-find-38-flaws-in-openemr-theyve-been-fixed-a-31520

Industrial Sector

• NSA GRASSMARLIN
  "Successful exploitation of this vulnerability could allow an attacker to disclose sensitive information."
  https://www.cisa.gov/news-events/ics-advisories/icsa-26-118-01
• OT Cybersecurity Frozen Out By Frontier Labs
  "Hyperscalers, security giants and other IT behemoths are on the list. Operational technology companies are not. The list in question is one of the most important in cybersecurity right now - the companies that have special access to powerful new models from the two major U.S. frontier artificial intelligence labs, Anthropic and OpenAI, to identify vulnerabilities before hackers get access to similar technology. "None of the OT companies, none of the organizations that are most representative of that portion of the ecosystem are participating in this and are being represented," said Tatyana Bolton, executive director of the Operational Technology Cybersecurity Coalition, a trade group that represents OT security companies and OT equipment manufacturers."
  https://www.bankinfosecurity.com/ot-cybersecurity-frozen-out-by-frontier-labs-a-31536
• Threat Landscape For Industrial Automation Systems. Europe, Q4 2025
  "High levels of email threats (phishing) and spyware clearly indicate that industrial systems in the region are highly exposed to advanced attackers. Threats from email are relevant for all industries of the region, foremost for biometrics and building automation. Attacks on computers in these industrial automation sectors significantly raise the risk of supply-chain attacks on other industries. Southern Europe led all regions in the percentage of ICS computers on which threats from email clients were blocked — 2.3 times higher than the global average."
  https://ics-cert.kaspersky.com/publications/reports/2026/04/28/threat-landscape-for-industrial-automation-systems-europe-q4-2025/
• Electric Motorcycles And Scooters Face Hacking Risks To Security And Rider Safety
  "Electric motorcycles from Zero Motorcycles and electric scooters from Yadea are affected by vulnerabilities that, if exploited, could have a physical security and safety impact. CISA recently published separate advisories for these vulnerabilities, and SecurityWeek has reached out to the researchers who reported the flaws to find out more about their potential real-world impact."
  https://www.securityweek.com/electric-motorcycles-and-scooters-face-hacking-risks-to-security-and-rider-safety/

Vulnerabilities

• Hackers Are Exploiting a Critical LiteLLM Pre-Auth SQLi Flaw
  "Hackers are targeting sensitive information stored in the LiteLLM open-source large-language model (LLM) gateway by exploiting a critical vulnerability tracked as CVE-2026-42208. The flaw is an SQL injection issue that occurs during LiteLLM's proxy API key verification step. An attacker can exploit it without authentication by sending a specially crafted Authorization header to any LLM API route. This allows reading data from the proxy's database and modifying it. According to the maintainer's security advisory, threat actors could use it for "unauthorised access to the proxy and the credentials it manages.""
  https://www.bleepingcomputer.com/news/security/hackers-are-exploiting-a-critical-litellm-pre-auth-sqli-flaw/
• Securing The Git Push Pipeline: Responding To a Critical Remote Code Execution Vulnerability
  "On March 4, 2026, we received a vulnerability report through our Bug Bounty program from researchers at Wiz describing a critical remote code execution vulnerability affecting github.com, GitHub Enterprise Cloud, GitHub Enterprise Cloud with Data Residency, GitHub Enterprise Cloud with Enterprise Managed Users, and GitHub Enterprise Server. In less than two hours we had validated the finding, deployed a fix to github.com, and begun a forensic investigation that concluded there was no exploitation. In this post, we want to share what happened, how we responded, and what we are doing to prevent similar issues in the future."
  https://github.blog/security/securing-the-git-push-pipeline-responding-to-a-critical-remote-code-execution-vulnerability/
  https://thehackernews.com/2026/04/researchers-discover-critical-github.html
  https://securityaffairs.com/191434/security/cve-2026-3854-github-flaw-enables-remote-code-execution.html
• CVE-2026-25874: Hugging Face LeRobot Unauthenticated RCE Via Pickle Deserialization
  "A critical remote code execution (RCE) vulnerability affects LeRobot, Hugging Face’s open-source robotics platform, specifically the async inference PolicyServer component. The issue stems from insecure deserialization of untrusted data using Python’s pickle module over exposed gRPC endpoints. An unauthenticated attacker who can reach the PolicyServer network port can send a malicious serialized payload and execute arbitrary OS commands on the host machine running the service. This is particularly dangerous because LeRobot is designed for GPU-backed inference systems, which often run with elevated privileges, access to robotics hardware, internal networks, datasets, and expensive compute resources."
  https://www.resecurity.com/blog/article/cve-2026-25874-hugging-face-lerobot-unauthenticated-rce-via-pickle-deserialization
  https://thehackernews.com/2026/04/critical-cve-2026-25874-leaves-hugging.html
• CISA Adds Two Known Exploited Vulnerabilities To Catalog
  "CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
  CVE-2024-1708 ConnectWise ScreenConnect Path Traversal Vulnerability
  CVE-2026-32202 Microsoft Windows Protection Mechanism Failure Vulnerability"
  https://www.cisa.gov/news-events/alerts/2026/04/28/cisa-adds-two-known-exploited-vulnerabilities-catalog

Malware

• VECT Ransomware: Why Paying Won’t Get Your Files Back
  "VECT emerged in late 2025 with an unusual ambition: rather than recruiting a small, vetted group of criminal partners in the traditional ransomware model, they opened their doors to everyone. Through a formal partnership with BreachForums, a major cybercrime marketplace, VECT distributed access to their ransomware platform to every registered member of the forum automatically. Thousands of potential operators, almost overnight. At the same time, VECT announced a partnership with TeamPCP, the group responsible for a series of supply-chain attacks earlier this year that compromised popular software tools used by businesses worldwide. The stated goal, openly announced on BreachForums, was to use that existing access as a launchpad for ransomware attacks against companies already affected by those attacks."
  https://blog.checkpoint.com/security/vect-ransomware-why-paying-wont-get-your-files-back/
  https://research.checkpoint.com/2026/vect-ransomware-by-design-wiper-by-accident/
  https://www.bleepingcomputer.com/news/security/broken-vect-20-ransomware-acts-as-a-data-wiper-for-large-files/
  https://thehackernews.com/2026/04/vect-20-ransomware-irreversibly.html
  https://www.theregister.com/2026/04/28/dont_pay_vect_a_ransom/
• Vidar Rises To Top Of Chaotic Infostealer Market
  "Credential-stealing malware Vidar, which has lurked in the cybercriminal ecosystem since 2018, has vaulted to the top of the infostealer market following law enforcement takedowns of its two biggest rivals last year. That shift was fueled by the malware author's calculated release of a major upgrade and expansion of Vidar's distribution network during the disruption, which positioned it as a go-to alternative for cybercriminals, according to new research from Intrinsec."
  https://www.darkreading.com/vulnerabilities-threats/vidar-top-chaotic-infostealer-market
  https://www.intrinsec.com/wp-content/uploads/2026/04/TLP_CLEAR-20260424-New_Vidar.pdf
• Inside a Fake DHL Campaign Built To Steal Credentials
  "X-Labs recently identified a consumer-targeted DHL phishing campaign that uses familiar brand impersonation, a fake OTP verification step and client-side credential harvesting to steal passwords from everyday users. The campaign targets individuals rather than specific organizations and shows no geographic concentration. What makes it worth examining is the OTP mechanic: a trust-building layer with no real authentication behind it, engineered entirely to lower the victim's guard before the actual theft begins. The sample analyzed here walks the victim through a spoofed shipment email, a fake parcel OTP page and a DHL-branded login portal. The final stage captures the victim's password, enriches it with IP address, device details and location data, then exfiltrates everything through EmailJS to an attacker-controlled mailbox."
  https://www.forcepoint.com/blog/x-labs/fake-dhl-phishing-campaign-credential-theft
  https://hackread.com/dhl-phishing-scam-attack-chain-steal-passwords/
• Morpheus: A New Spyware Linked To IPS Intelligence
  "We have analyzed a sample of a previously unknown Android spyware, likely developed in Italy. It is named “Morpheus”, version 2025.3.0, and we describe its capabilities, including abusing accessibility features, automatically enabling ADB and issuing commands, disabling microphone and camera indicators, pairing additional WhatsApp devices, taking screenshots, recording audio and video, and more. We link part of the infrastructure to IPS Intelligence, and discover some potentially related companies, Rever Servicenet and Iris Telecomunicazioni."
  https://osservatorionessuno.org/blog/2026/04/morpheus-a-new-spyware-linked-to-ips-intelligence/
  https://securityaffairs.com/191398/malware/new-android-spyware-morpheus-linked-to-italian-surveillance-firm.html
• Germany Suspects Russia Is Behind Signal Phishing That Targeted Top Officials
  "The German government suspects Russia is behind a series of phishing attacks on Signal targeting high-ranking politicians, including two government ministers, military personnel and journalists, a government spokesperson said. Federal prosecutors have been conducting a preliminary investigation since mid-February 2026 into alleged cyberattacks on Signal accounts, a spokesperson for the federal prosecutors confirmed on Saturday. Among other things, the investigation involves an initial suspicion of espionage, she added, without specifying which country might be involved. The German government has still not officially attributed the attacks to Russia."
  https://www.securityweek.com/germany-suspects-russia-is-behind-signal-phishing-that-targeted-top-officials/
  https://securityaffairs.com/191425/intelligence/signal-phishing-campaign-targets-german-officials-in-suspected-russian-operation.html
• LofyStealer: Malware Targeting Minecraft Players
  "During threat hunting activities conducted on the ANY.RUN platform, the artifact was identified in public submissions of the interactive sandbox. The analysis of samples available in the public repository allowed correlating hashes and network behaviors with the already mapped C2 infrastructure (24.152.36.241), confirming that the GrabBot/Slinky campaign is active and being distributed in a real environment. The sandbox results complement the static analysis presented in this report, providing dynamic execution evidence."
  https://zenox.ai/en/lofystealer-malware-mirando-jogadores-de-minecraft/
  https://thehackernews.com/2026/04/brazilian-lofygang-resurfaces-after.html
• Tall Tales: How Chinese Actors Use Impersonation And Stolen Narratives To Perpetuate Digital Transnational Repression
  "In collaboration with the International Consortium of Investigative Journalists (ICIJ), we identified two distinct actors aligned with the People’s Republic of China that have been targeting and impersonating journalists and civil society. Our findings provide insight into the Chinese government’s practice of digital transnational repression and its shift to a system of state-sponsored attacks carried out by private contractors."
  https://citizenlab.ca/research/how-chinese-actors-use-impersonation-and-stolen-narratives-to-perpetuate-digital-transnational-repression/
  https://therecord.media/china-linked-hackers-led-phishing-campaigns-journalists
• Elementary-Data Compromised On PyPI And GHCR: Forged Release Pushed Via GitHub Actions Script Injection
  "A malicious version of elementary-data (0.23.3) was published to PyPI and is, at the time of writing, still listed as the latest release. elementary-data is a widely deployed Python package for dbt data observability. The same release run also pushed a multi-arch container image to GitHub Container Registry at ghcr.io/elementary-data/elementary, tagged both 0.23.3 and latest. Every unpinned docker pull ghcr.io/elementary-data/elementary and every FROM ghcr.io/elementary-data/elementary line without a pinned tag has been pulling the trojaned image since April 24. The attacker exploited a script injection vulnerability in one of the project's own GitHub Actions workflows, then used the workflow's GITHUB_TOKEN to forge a signed release commit and dispatch the legitimate publishing pipeline against it — without ever touching the master branch or opening a pull request."
  https://www.stepsecurity.io/blog/elementary-data-compromised-on-pypi-and-ghcr-forged-release-pushed-via-github-actions-script-injection

Breaches/Hacks/Leaks

• Video Service Vimeo Confirms Anodot Breach Exposed User Data
  "Vimeo has disclosed that data belonging to some of its customers and users has been accessed without authorization following the recent breach at the Anodot data anomaly detection company. The video platform says that the threat actor accessed email addresses for some of its customers, but most of the exposed information included technical data, video titles, and metadata. "We have identified that, as a result of the Anodot breach, an unauthorized actor accessed certain Vimeo user and customer data. Our initial findings suggest that the databases accessed primarily contain technical data, video titles and metadata, and, in some cases, customer email addresses," Vimeo states."
  https://www.bleepingcomputer.com/news/security/video-service-vimeo-confirms-anodot-breach-exposed-user-data/
  https://therecord.media/vimeo-blames-security-incident-on-anodot-breach
  https://www.securityweek.com/vimeo-confirms-user-and-customer-data-breach/
• Have I Been Pwned Claims Pitney Bowes Hit By 8.2M Email Address Leak
  "Logistics technology company Pitney Bowes, which makes franking machines for US postage, is the latest scalp claimed by ShinyHunters and its ongoing spree of pay-or-leak attacks against major organizations. Data breach tracker Have I Been Pwned (HIBP) confirmed the breach on April 27, with 8.2 million unique email addresses included in the dump alongside names, phone numbers, and physical addresses. A smaller subset of the entire data trove pertained to company employment records, which included job titles."
  https://www.theregister.com/2026/04/28/pitney_bowes_is_the_latest/

General News

• US Reportedly Charges Scattered Spider Hacker Arrested In Finland
  "A 19-year-old dual United States and Estonian citizen arrested in Finland earlier this month faces federal charges in the U.S. alleging he was a prolific member of the notorious Scattered Spider hacking collective. According to temporarily unsealed court records obtained by the Chicago Tribune, the suspect (who used the online alias "Bouquet") helped extort millions of dollars from multiple large corporations worldwide. The suspected Scattered Spider member, who was allegedly arrested by Finnish law enforcement at Helsinki's airport on April 10 while attempting to board a flight to Japan, is facing wire fraud, conspiracy, and computer intrusion charges."
  https://www.bleepingcomputer.com/news/security/us-reportedly-charges-scattered-spider-hacker-arrested-in-finland/
• U.S. Companies Hit With Record Fines For Privacy In 2025
  "U.S. states issued $3.45 billion in privacy-related fines to companies in 2025, a total larger than the last five years combined, according to research and advisory firm Gartner. The increase is driven in part by stronger, more established privacy laws in states like California, new interstate partnerships built around enforcing laws across state lines, and a renewed focus to how AI and automation affect privacy. The data indicates that “regulators are shifting their efforts away from awareness to full scale enforcement,” marking a significant shift from even the last few years in how aggressively states are investigating and penalizing companies for privacy law violations."
  https://cyberscoop.com/privacy-companies-hit-with-record-fines-2025-gartner/
• ANZ Organizations Are In The Ransomware Crosshairs— What The Dark Web Is Telling Us
  "The conversation around ANZ ransomware threats has shifted noticeably over the past year. What once looked like sporadic, high-profile incidents has evolved into a sustained and structured campaign against organizations across Australia and New Zealand. Signals emerging from underground forums and marketplaces reveal a sobering reality: ransomware is no longer just a technical problem; it is an economic strategy driven by efficiency, specialization, and scale."
  https://cyble.com/blog/anz-ransomware-threats-dark-web-intelligence/
• NSA Chief During Snowden Affair Shares Regrets, Reflections 13 Years Later
  "Dark Reading's Becky Bracken: Hello everyone, and welcome to Dark Reading Confidential. It's a podcast from the editors of Dark Reading, bringing you real-world stories straight from the cyber trenches. We have a really great conversation for you today. I am joined by Chris Inglis, who was the former NSA Deputy Director during the infamous Edward Snowden affair. So he is here 13 years on to unpack a little bit about what we've learned, and hopefully pass some of that knowledge on to our enterprise cybersecurity teams listening today. Welcome, Chris. Thank you so much for joining us. Chris Inglis: Pleasure to be with you, Becky."
  https://www.darkreading.com/cyber-risk/nsa-chief-during-snowden-affair-13-years-later
• 0APT Vs. KryBit Ransomware Actors List Opposing Operators As Victims
  "On 13 April 2026, the recently emerged Ransomware-as-a-Service (RaaS) actors 0APT and KryBit began leaking each other’s operational and infrastructure data on their respective leak sites. 0APT also claimed to leak data from Everest and RansomHouse ransomware groups. This type of activity is unusual: 0APT used their initially failing affiliate operation and turned it against not only KryBit, but other ransomware operators. However, the impact to Everest and RansomHouse operations was little to none. KryBit instead retaliated and took over full control of the 0APT data leak site. Both 0APT and KryBit operations likely will now attempt to move and rebuild their infrastructure because of the significant impact of the leaks on each of their operations."
  https://www.halcyon.ai/ransomware-research-reports/0apt-vs-krybit-ransomware-actors-list-opposing-operators-as-victims
  https://www.darkreading.com/threat-intelligence/feuding-ransomware-groups-leak-data
  https://www.infosecurity-magazine.com/news/ransomware-turf-war-0apt-krybit/
• Why Unofficial Download Sources Are Still a Security Risk In 2026
  "When people think about cybersecurity mistakes, they usually think about the obvious ones. Phishing emails, weak passwords, malicious attachments, a malicious browser extension, or a missed update. Those are all real problems. But there is another mistake that still slips past people all the time: downloading software from the wrong place. It may sound minor to many, but in reality, it is a big deal for all the wrong reasons. Many users still find software the same way they always have. They search for it, click the first result that looks right, grab the installer, and move on."
  https://hackread.com/unofficial-download-sources-security-risk-in-2026/
• No Metrics Are Better Than Bad Metrics In The SOC, Says NCSC
  "Many of the most common metrics used to measure the effectiveness of the security operations center (SOC) are at best inaccurate and at worst actively harm SecOps teams, the National Cyber Security Centre (NCSC) has warned. The NCSC’s CTO for architecture, Dave Chismon, wrote in a blog post that organizations often gravitate to measurements that can be easily expressed numerically to individuals who aren’t security specialists. However, if “number of tickets processed” or “time taken to close a ticket” are used as metrics, staff may perversely be incentivized to rapidly triage and close them as false positives rather than investigate."
  https://www.infosecurity-magazine.com/news/no-metrics-better-bad-metrics-soc/
• Cyber Insurance Data Gives CISOs New Ammo For Budget Talks
  "CFOs and boards need to understand risk in financial terms. Insurance data can do this. Obtaining adequate cybersecurity budget from the board requires translating technical risk into business financial risk – an ability that is not always available to security technicians. Resilience, a firm that provides insurance, risk decision support and consultancy, can assist. Through its insurance service, Resilience can directly relate financial loss to specific cybersecurity events and their likely occurrence, allowing CISOs to present technical risk as the monetary risk that CFOs and board members readily understand."
  https://www.securityweek.com/cyber-insurance-data-gives-cisos-new-ammo-for-budget-talks/
• Ukrainian Police Detain Hackers Suspected Of Stealing Thousands Of Roblox Accounts For Resale
  "Ukrainian law enforcement has detained a group of local hackers suspected of stealing more than 610,000 user accounts from the gaming platform Roblox and reselling them for cryptocurrency on Russian websites, authorities said. Police said on Monday the victims included both Ukrainian and foreign players whose accounts contained valuable digital items, rare equipment and in-game currency purchased with real money. Some accounts also held remaining balances of Roblox’s virtual currency, making them particularly attractive to cybercriminals. The suspects face up to 15 years in prison if convicted and have been placed in pretrial detention while the investigation continues."
  https://therecord.media/ukraine-police-detain-hackers-suspected-of-stealing-roblox-accounts

อ้างอิง
Electronic Transactions Development Agency (ETDA)

เมื่อวันที่ 28 เมษายน 2026 Cybersecurity and Infrastructure Security Agency (CISA) ได้เพิ่มช่องโหว่ใหม่ 2 รายการลงในแคตตาล็อก Known Exploited Vulnerabilities (KEV) จากหลักฐานที่พบว่ามีการโจมตีใช้งานจริงแล้ว มีรายละเอียดดังนี้

• CVE-2024-1708 ConnectWise ScreenConnect Path Traversal Vulnerability
• CVE-2026-32202 Microsoft Windows Protection Mechanism Failure Vulnerability

อ้างอิง
https://www.cisa.gov/news-events/alerts/2026/04/28/cisa-adds-two-known-exploited-vulnerabilities-catalog
สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

Cybersecurity and Infrastructure Security Agency (CISA) ได้เผยแพร่คำแนะนำเกี่ยวกับระบบควบคุมอุตสาหกรรม (ICS) จำนวน 1 รายการ เมื่อวันที่ 28 เมษายน 2569 เพื่อให้ข้อมูลที่ทันเวลาเกี่ยวกับประเด็นด้านความมั่นคงปลอดภัย ช่องโหว่ และการโจมตีที่เกี่ยวข้องกับระบบ ICS โดยมีรายละเอียดดังนี้

• ICSA-26-118-01 NSA GrassMarlin

CISA แนะนำให้ผู้ใช้งานและผู้ดูแลระบบ ตรวจสอบคำแนะนำ ICS ที่เผยแพร่ล่าสุด เพื่อศึกษารายละเอียดทางเทคนิคและแนวทางการลดความเสี่ยง (mitigations)

อ้างอิง
https://www.cisa.gov/news-events/ics-advisories

เมื่อวันที่ 24 เมษายน 2026 Cybersecurity and Infrastructure Security Agency (CISA) ได้เพิ่มช่องโหว่ใหม่ 4 รายการลงในแคตตาล็อก Known Exploited Vulnerabilities (KEV) จากหลักฐานที่พบว่ามีการโจมตีใช้งานจริงแล้ว มีรายละเอียดดังนี้

• CVE-2024-7399 Samsung MagicINFO 9 Server Path Traversal Vulnerability
• CVE-2024-57726 SimpleHelp Missing Authorization Vulnerability
• CVE-2024-57728 SimpleHelp Path Traversal Vulnerability
• CVE-2025-29635 D-Link DIR-823X Command Injection Vulnerability

อ้างอิง
https://www.cisa.gov/news-events/alerts/2026/04/24/cisa-adds-four-known-exploited-vulnerabilities-catalog
สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

Industrial Sector

• Threat Landscape For Industrial Automation Systems. Asia, Q4 2025
  "Southeast Asia has high rates of self-propagating malware. The region ranked first in the world in terms of the percentage of ICS computers on which viruses and malware for AutoCAD were blocked. In both cases, it led by a wide margin. In most cases, malware for AutoCAD is distributed in the same way as viruses. This explains the high percentage exhibited by this malware category."
  https://ics-cert.kaspersky.com/publications/reports/2026/04/27/threat-landscape-for-industrial-automation-systems-asia-q4-2025/

Vulnerabilities

• A Shortcut To Coercion: Incomplete Patch Of APT28's Zero-Day Leads To CVE-2026-32202
  "According to CERT-UA, the APT28 threat actor (also known as Fancy Bear) launched a cyberattack targeting Ukraine and several EU countries in December 2025. As detailed in our February 2026 Inside the Fix blog post, this campaign leveraged a weaponized LNK file to exploit CVE-2026-21513. To ensure responsible disclosure, we deliberately withheld details of a second exploit in the chain that wasn't completely patched. The second vulnerability (CVE-2026-21510) bypasses security features such as the Microsoft Defender SmartScreen and executes attacker-controlled code, which is stored on the attacker's remote server. APT28 leverages the Windows shell namespace parsing mechanism to load a dynamic link library (DLL) from a remote server using a UNC path. The DLL is loaded as part of the Control Panel (CPL) objects without proper network zone validation."
  https://www.akamai.com/blog/security-research/2026/apr/incomplete-patch-apt28s-zero-day-cve-2026-32202
  https://www.securityweek.com/incomplete-windows-patch-opens-door-to-zero-click-attacks/
• We Found a Stable Firefox Identifier Linking All Your Private Tor Identities
  "We recently discovered a privacy vulnerability affecting all Firefox-based browsers. The issue allows websites to derive a unique, deterministic, and stable process-lifetime identifier from the order of entries returned by IndexedDB, even in contexts where users expect stronger isolation. This means a website can create a set of IndexedDB databases, inspect the returned ordering, and use that ordering as a fingerprint for the running browser process. Because the behavior is process-scoped rather than origin-scoped, unrelated websites can independently observe the same identifier and link activity across origins during the same browser runtime."
  https://fingerprint.com/blog/firefox-tor-indexeddb-privacy-vulnerability/
  https://www.securityweek.com/firefox-vulnerability-allows-tor-user-fingerprinting/
  https://securityaffairs.com/191374/security/firefox-bug-cve-2026-6770-enabled-cross-site-tracking-and-tor-fingerprinting.html

Malware

• Robinhood Account Creation Flaw Abused To Send Phishing Emails
  "Online trading platform Robinhood's account creation process was exploited by threat actors to inject phishing messages into legitimate emails, tricking users into believing their accounts had suspicious activity. Starting last night, Robinhood customers began receiving "Your recent login to Robinhood" emails stating that an "Unrecognized Device Linked to Your Account" was detected, containing unusual IP addresses and partial phone numbers. "We detected a login attempt from a device that is not recognized," reads the phishing email. "If this was not you, please review your account activity immediately to secure your account.""
  https://www.bleepingcomputer.com/news/security/robinhood-account-creation-flaw-abused-to-send-phishing-emails/
• 73 Open VSX Sleeper Extensions Linked To GlassWorm Show New Malware Activations
  "The GlassWorm campaign targeting Open VSX continues to escalate. Socket is now tracking a new cluster of 73 impersonation extensions connected to the same sleeper-extension activity reported in March 2026. Beginning in April 2026, and continuing as of this writing, additional cloned versions of popular code extensions have appeared on the Open VSX marketplace. These extensions did not initially contain malware, but they were published by newly created GitHub accounts with only one or two public repositories. In each case, one repository is empty and named with an eight-character string."
  https://socket.dev/blog/73-open-vsx-sleeper-extensions-glassworm
  https://www.bleepingcomputer.com/news/security/glassworm-malware-attacks-return-via-73-openvsx-sleeper-extensions/
  https://thehackernews.com/2026/04/researchers-uncover-73-fake-vs-code.html
• PyPI Package With 1.1M Monthly Downloads Hacked To Push Infostealer
  "An attacker pushed a malicious version of the popular elementary-data package Python Package Index (PyPI) to steal sensitive developer data and cryptocurrency wallets. The dangerous release is 0.23.3, and it extended to the Docker image due to the package's workflow that creates the image from the code and uploads it to a container registry for deployment. Community member crisperik spotted the malicious upload and opened an issue on the project’s GitHub on Saturday, alerting the maintainer and decreasing the exposure window."
  https://www.bleepingcomputer.com/news/security/pypi-package-with-11m-monthly-downloads-hacked-to-push-infostealer/
• BlueNoroff Uses ClickFix, Fileless PowerShell, And AI-Generated Fake Zoom Meetings To Target Web3 Sector
  "Arctic Wolf has identified a targeted intrusion against a North American Web3/cryptocurrency company, which we attribute with a high confidence level to BlueNoroff, a financially motivated subgroup of DPRK’s Lazarus Group. Arctic Wolf observed an active malicious intrusion where the threat actor impersonated a reputable figure in the Fintech legal space, using spear-phishing to deliver a manipulated Calendly calendar invite containing a typo-squatted Zoom link. Upon clicking the link, the victim was presented with a fake Zoom meeting interface that covertly exfiltrated their live camera feed to use as a lure in future attacks, while simultaneously deploying a ClickFix-style clipboard injection attack. A multi-stage credential extraction pipeline then plundered info from the victim’s device and browsers, focusing on cryptocurrency wallet extensions."
  https://arcticwolf.com/resources/blog/bluenoroff-uses-clickfix-fileless-powershell-and-ai-generated-zoom-meetings-to-target-web3-sector/
  https://www.bankinfosecurity.com/crypto-targeting-north-koreans-wield-fake-zoom-meetings-a-31516
• The Meta 2FA Trap: From Verified Badge To Account Takeover
  "Meta, the parent company of platforms such as Facebook and Instagram, plays a major role in both personal communication and business operations worldwide. A new phishing campaign is emerging that abuses Meta’s verification system and 2FA tokens to gain account access and steal sensitive information. This campaign is particularly convincing and targets both individual users and businesses. Below, we examine how it works and how to better protect against it. The Cofense Phishing Defense Center (PDC) has identified a credential phishing scheme targeting Meta users by impersonating the Meta brand and its verification system."
  https://cofense.com/blog/the-meta-2fa-trap-from-verified-badge-to-account-takeover
• Extension Developers Sell The Data Of At Least 6.5 Million Users – And It’s All Completely Legal
  "New research by LayerX Security uncovers multiple networks of browser extensions that collect user data and resell it for profit – and it’s all completely legal. For, unlike malicious extensions that disguise themselves as legitimate extensions and do their bidding in the dark, these extensions explicitly tell users that they’re going to collect and sell their data. It’s right there in the Privacy Policy; except that nobody reads it. LayerX analyzed the privacy policies of thousands of extensions and uncovered over 80 different extensions that collect and sell customer data."
  https://layerxsecurity.com/blog/your-extensions-sell-your-data-and-its-perfectly-legal/
  https://www.infosecurity-magazine.com/news/browser-extensions-sell-user-data/
  https://hackread.com/82-chrome-extensions-selling-user-data/
• Inside Vidar (2026): From Infection To Memory Execution Via JPEG And TXT Payloads
  "Vidar has evolved significantly from 2018 to 2026, transitioning from a basic Arkei-based credential stealer into a multi-stage, stealth-driven attack framework. Over time, it has adopted MaaS distribution, advanced evasion techniques, social media-based C2 (Telegram), and high-performance data theft capabilities. Recent research from Malwarebytes, Acronis TRU, and Zscaler highlights the rapid evolution of the Vidar infostealer into a more adaptive and socially engineered threat landscape."
  https://www.pointwild.com/threat-intelligence/inside-vidar-2026-from-infection-to-memory-execution-via-jpeg-and-txt-payloads/
  https://hackread.com/vidar-infostealer-fake-captchas-jpeg-txt-files/
• LINKEDIN BROWSERGATE
  "BrowserGate claims LinkedIn secretly fingerprints users via extensions and device data, sending encrypted results to third parties for tracking. BrowserGate is an investigation conducted by Fairlinked (https://browsergate.eu/), an association of commercial LinkedIn users, which documents what it describes as one of the largest data breach and corporate espionage scandals in digital history. The central thesis: every time one of the billions of users visits linkedin.com, hidden code scans the computer for installed software, collects the results, and transmits them to LinkedIn servers and third-party companies, including a US-Israeli cybersecurity firm. The user is never informed nor asked for consent. LinkedIn’s privacy policy makes no mention of it."
  https://securityaffairs.com/191383/security/linkedin-browsergate.html
• PhantomCore Exploits TrueConf Vulnerabilities To Breach Russian Networks
  "A pro-Ukrainian hacktivist group called PhantomCore has been attributed to attacks actively targeting servers running TrueConf video conferencing software in Russia since September 2025. That's according to a report published by Positive Technologies, which found the threat actors to be leveraging an exploit chain comprising three vulnerabilities to execute commands remotely on susceptible servers. "Despite the fact that there are no exploits for this chain of vulnerability in public access, attackers from PhantomCore managed to conduct their research and reproduce vulnerabilities, which led to a large number of cases of its operation in Russian organizations," researchers Daniil Grigoryan and Georgy Khandozhko said."
  https://thehackernews.com/2026/04/phantomcore-exploits-trueconf.html

Breaches/Hacks/Leaks

• Medtronic Confirms Breach After Hackers Claim 9 Million Records Theft
  "Medical device giant Medtronic disclosed last week that hackers breached its network and accessed data in “certain corporate IT systems.” The confirmation comes after the infamous data extortion group ‘ShinyHunters’ claimed the intrusion and the theft of more than 9 million records from the company. Medtronic is an international medical equipment giant with 90,000 employees and operations in 150 countries. It is the largest medical device maker in the world by revenue ($33.5 billion) and also develops healthcare technologies and therapies."
  https://www.bleepingcomputer.com/news/security/medtronic-confirms-breach-after-hackers-claim-9-million-records-theft/
  https://www.bankinfosecurity.com/medical-device-maker-medtronic-says-its-been-hacked-a-31518
  https://securityaffairs.com/191391/cyber-crime/medtronic-discloses-security-incident-after-shinyhunters-claimed-theft-of-9m-records.html
  https://www.theregister.com/2026/04/27/itron_medtronic_hacked/
• ShinyHunters Leaks Data Of Udemy, Zara, 7-Eleven In Salesforce Linked Breach
  "A series of new data leak listings posted on a dark web site linked to the ShinyHunters hacker group has put three well-known companies in the limelight, with claims of stolen corporate and customer data now circulating online. The posts name Zara, 7-Eleven, and Udemy, each accompanied by a direct download option and a message accusing the companies of ignoring attempts to reach an agreement. Zara and 7-Eleven were both published on April 22, 2026, while Udemy appeared later on April 27, 2026. In all three cases, the group repeats the same claim that negotiations failed, followed by the release of data described as internal records and customer information."
  https://hackread.com/shinyhunters-leak-udemy-zara-7-eleven-data-breach/
• Checkmarx Confirms GitHub Repository Data Posted On Dark Web After March 23 Attack
  "Checkmarx has disclosed that its ongoing investigation tied to the supply chain security incident has revealed that a cybercriminal group published data related to the company on the dark web. "Based on current evidence, we believe this data originated from Checkmarx's GitHub repository, and that access to that repository was facilitated through the initial supply chain attack of March 23, 2026," the Israeli security company said. It also emphasized that the GitHub repository is maintained separately from its customer production environment, adding that no customer data is stored in the repository. Checkmarx said its forensic probe into the incident is ongoing and that it's actively working to verify the nature and scope of the posted data."
  https://thehackernews.com/2026/04/checkmarx-confirms-github-repository.html
  https://checkmarx.com/blog/checkmarx-security-update-april-26/
  https://www.theregister.com/2026/04/27/supply_chain_campaign_targets_security/

General News

• Canada Arrests Three For Operating “SMS Blaster” Device In Toronto
  "Canadian authorities have arrested three men for operating an "SMS blaster" device that pretends to be a cellular tower to send phishing texts to nearby phones. Such tools trick devices into connecting to them by emitting signals that mimic a legitimate tower. Mobile phones in its range automatically link to them as there is stronger reception. Once the connection is established, the operators of these rogue cellular base stations can push SMS messages directly to connected devices, which appear to come from trusted entities such as banks or the government."
  https://www.bleepingcomputer.com/news/security/canada-arrests-three-for-operating-sms-blaster-device-in-toronto/
  https://www.tps.ca/media-centre/stories/unprecedented-sms-blaster-arrests/
• Alleged Silk Typhoon Hacker Extradited To US For Cyberespionage
  "A Chinese national accused of carrying out cyberespionage operations for China's intelligence services has been extradited from Italy to the United States to face criminal charges. According to a DOJ announcement, Xu Zewei is alleged to be a contract hacker for China's Ministry of State Security (MSS) who conducted breaches between February 2020 and June 2021 as part of a coordinated intelligence-gathering campaign. Xu was previously arrested in Milan, Italy, in 2025 at the request of U.S. authorities for his alleged ties to the Silk Typhoon hacking group."
  https://www.bleepingcomputer.com/news/security/alleged-silk-typhoon-hacker-extradited-to-us-for-cyberespionage/
  https://therecord.media/chinese-hacker-italy-extradited
  https://cyberscoop.com/xu-zewei-extradited-china-national-silk-typhoon-hafnium/
  https://securityaffairs.com/191368/apt/italy-moves-to-extradite-chinese-national-to-the-u-s-over-hacking-charges.html
• New FTC Data Show People Have Lost Billions To Social Media Scams
  "New data from the Federal Trade Commission show that, in 2025, nearly 30% of people who reported losing money to a scam said that it started on social media, with reported losses reaching a staggering $2.1 billion. Social media scams produced far more in losses—an eightfold increase since 2020—than any other contact method used by scammers to reach consumers, according to the new data. The Data Spotlight notes that social media creates easy access to billions of people from anywhere in the world, making a scammer’s job easier at very little cost. Scammers may hack a user’s account, exploit what a user posts to figure out how to target them, or buy ads and use the same tools used by real businesses to target people by age, interests or shopping habits."
  https://www.ftc.gov/news-events/news/press-releases/2026/04/new-ftc-data-show-people-have-lost-billions-social-media-scams
  https://www.bleepingcomputer.com/news/security/ftc-americans-lost-over-21-billion-to-social-media-scams-in-2025/
• Money Launderer Linked To $230M Crypto Heist Gets 70 Months In Prison
  "22-year-old Evan Tangeman of Newport Beach, California, was sentenced to 70 months in prison for laundering funds stolen in a massive $230 million cryptocurrency heist. According to court documents, Tangeman (also known as "E," "Tate," and "Evan|Exchanger") helped the suspects behind the crypto-heist launder at least $3.5 million between October 2023 and May 2025. Fourteen suspects were charged in September 2024 and May 2025 in a RICO conspiracy for over $230 million in cryptocurrency and laundering the funds using crypto exchanges and mixing services."
  https://www.bleepingcomputer.com/news/security/money-launderer-linked-to-230m-crypto-heist-gets-70-months-in-prison/
  https://therecord.media/cryptocurrency-launderer-sentenced-californai
• AI Red Teaming Is Not Equal To Prompt Injection
  "Artificial intelligence red teamers and classical pen testers can be likened to two painters. The former has access to an entirely new palette of colors, while the latter relies on a conventional palette that lacks these additions. On their own, neither fully meets the demands of the present threat landscape. AI red teaming gained traction when prompts became easily accessible. As more security professionals started experimenting with prompt injection in their environments - to evaluate risk and assess security posture - attacks such as "do-anything-now," or DAN, anti-DAN, "strive-to-avoid-norms," DUDE, and Mongo Tom became commonplace."
  https://www.bankinfosecurity.com/blogs/ai-red-teaming-equal-to-prompt-injection-p-4106
• Why U.S. Critical Infrastructure Is The Highest-Value Target In The Global Cyber War
  "The idea that cyber conflict operates quietly in the background no longer holds. What used to be a shadow contest of espionage and occasional disruption has evolved into something far more direct and consequential. Today, the cyber war on US infrastructure is not a supporting element of geopolitical tension—it is one of its primary arenas. Recent global conflicts have shown that digital operations are now tightly woven into military and political strategy. Critical systems that sustain everyday life, energy, water, communications, and transportation have become high-value targets. The logic is simple: disrupting infrastructure creates immediate, visible consequences without crossing traditional thresholds of war."
  https://cyble.com/blog/critical-infrastructure-cyberattack-threats-2026/
• Parsing Agentic Offensive Security's Existential Threat
  "The emergence of large language models (LLM) like Anthropic's Mythos and, this week, OpenAI's GPT-5.5, has set the security world a twitter with dark speculation that we are entering an era of industrialized, autonomous, mass exploitation across any platform or infrastructure — a nuclear threat that no organization, anywhere, can hide from. But not so fast, argues RunSybil CEO Ari Herbert-Voss: while defenders need to change their risk calculus to prepare for ever-accelerating threats from AI, the limits of human effort still matter when it comes to how successful those threats become; and it's a teachable moment for the security industry."
  https://www.darkreading.com/cyber-risk/industrialized-exploitation-agentic-offensive-security-existential-threat
• Most Cybersecurity Professionals Feel Undervalued And Underpaid
  "Over three quarters of cybersecurity professionals were not granted a pay rise last year, contributing to feelings of being undervalued among half of the workforce and prompting many to consider seeking a new role in the near future. A new Harvey Nash Global Tech Talent & Salary Report, published on April 27, found that information security professionals were also amongst the most pessimistic about the prospects receiving a pay rise in the next year. Just 45% of employees in cybersecurity expect that they may receive a pay increase during the next 12 months, the specialist global technology recruitment firm found."
  https://www.infosecurity-magazine.com/news/cybersecurity-pros-feel/
  https://www.theregister.com/2026/04/27/from_a_massive_skills_gap/
• Data Poisoning In AI Models: The Case For Chain Of Custody Controls
  "If a machine learning model is trained on 50,000 images, an attacker need alter only 50 of them, or 0.1 percent of the training data, to achieve a data poisoning attack. Consider a data curation pipeline involving a drone camera that captures images and stores them on disk, (data generation and storage). These images are labeled and split into datasets (data curation), and a machine learning model is then trained using these datasets (model training). This pipeline involves multiple instances where data is at rest or in transit and presumes the involvement of multiple people (perhaps one person to curate the data and another to train the model). Each instance presents an opportunity to alter the data while each person involved presents a potential insider threat. For example, an on-path attacker could modify the images when they are transferred from the drone to be curated, or after the data is labeled, the attacker could modify some labels, leaving the images themselves unaltered."
  https://www.sei.cmu.edu/blog/data-poisoning-in-ai-models-the-case-for-chain-of-custody-controls/
• Why Air Gapped Networks Aren’t As Secure As You Think
  "Air‑gapped networks have long been held up as the safest way to protect sensitive systems. No internet connection, no remote access, no problem. Or so the thinking goes. In reality, that confidence often turns out to be misplaced. Air‑gapping does reduce risk, but it does not remove it. And in industrial and operational environments, where systems still need to be maintained, updated and used by real people, that gap is rarely as airtight as it looks on paper."
  https://blog.barracuda.com/2026/04/27/why-air-gapped-networks-aren-t-as-secure-as-you-think
• Hiding An Ear In Plain Sight: On The Practicality And Implications Of Acoustic Eavesdropping With Telecom Fiber Optic Cables
  "Optical fibers are widely regarded as reliable communication channels due to their resistance to external interference and low signal loss. This paper demonstrates a critical side channel within telecommunication optical fiber that allows for acoustic eavesdropping. By exploiting the sensitivity of optical fibers to acoustic vibrations, attackers can remotely monitor sound-induced deformations in the fiber structure and further recover information from the original sound waves."
  https://www.ndss-symposium.org/ndss-paper/hiding-an-ear-in-plain-sight-on-the-practicality-and-implications-of-acoustic-eavesdropping-with-telecom-fiber-optic-cables/
  https://www.kaspersky.com/blog/fiber-optics-eavesdropping/55658/

อ้างอิง
Electronic Transactions Development Agency (ETDA)

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand