NCSA Webboard
    NCSA_THAICERT

    Website: www.ncsa.or.th


    Latest posts made by NCSA_THAICERT

    • CISA Releases Five Industrial Control Systems (ICS) Advisories

      On 2 December 2025 the Cybersecurity and Infrastructure Security Agency (CISA) released five Industrial Control Systems (ICS) advisories to provide timely information about security issues, vulnerabilities, and exploits affecting ICS. The advisories are:

      • ICSA-25-336-01 Industrial Video & Control Longwatch
      • ICSA-25-336-02 Iskra iHUB and iHUB Lite
      • ICSMA-25-336-01 Mirion Medical EC2 Software NMIS BioDose
      • ICSA-25-201-01 Mitsubishi Electric CNC Series (Update A)
      • ICSA-23-157-02 Mitsubishi Electric MELSEC iQ-R Series/iQ-F Series (Update C)

      CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations.

      Reference
      https://www.cisa.gov/news-events/alerts/2025/12/02/cisa-releases-five-industrial-control-systems-advisories

      Follow further news on the webboard or on the NCSA Thailand Facebook page.

      Posted in OT Cyber Security News
    • Cyber Threat Intelligence 03 December 2025

      Healthcare Sector

      • Mirion Medical EC2 Software NMIS BioDose
        "Successful exploitation of these vulnerabilities could allow an attacker to modify program executables, gain access to sensitive information, gain unauthorized access to the application, and execute arbitrary code."
        https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-336-01

      Industrial Sector

      • Industrial Video & Control Longwatch
        "Successful exploitation of this vulnerability could allow an unauthenticated attacker to gain remote code execution with elevated privileges."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-336-01
      • Iskra iHUB And iHUB Lite
        "Successful exploitation of this vulnerability could allow a remote attacker to reconfigure devices, update firmware, and manipulate connected systems without any credentials."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-336-02

      Vulnerabilities

      • PyTorch Users At Risk: Unveiling 3 Zero-Day PickleScan Vulnerabilities
        "JFrog Security Research found 3 zero-day critical vulnerabilities in PickleScan, which would allow attackers to bypass the most popular Pickle model scanning tool. PickleScan is a widely used, industry-standard tool for scanning ML models and ensuring they contain no malicious content. Each discovered vulnerability enables attackers to evade PickleScan’s malware detection and potentially execute a large-scale supply chain attack by distributing malicious ML models that conceal undetectable malicious code. In this blog post, we will explain how PickleScan works and why, despite using model scanning tools, Pickle is still unsafe given these recently discovered zero-day vulnerabilities."
        https://jfrog.com/blog/unveiling-3-zero-day-vulnerabilities-in-picklescan/
        https://www.infosecurity-magazine.com/news/picklescan-flaws-expose-ai-supply/
      • CISA Adds Two Known Exploited Vulnerabilities To Catalog
        "CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
        CVE-2025-48572 Android Framework Privilege Escalation Vulnerability
        CVE-2025-48633 Android Framework Information Disclosure Vulnerability"
        https://www.cisa.gov/news-events/alerts/2025/12/02/cisa-adds-two-known-exploited-vulnerabilities-catalog
        https://securityaffairs.com/185252/security/u-s-cisa-adds-android-framework-flaws-to-its-known-exploited-vulnerabilities-catalog.html
      • CVE-2025-61260 — OpenAI Codex CLI: Command Injection Via Project-Local Configuration
        "OpenAI Codex CLI is OpenAI’s command-line tool that brings AI model-backed reasoning into developer workflows. It can read, edit, and run code directly from the terminal, making it possible to interact with projects using natural language commands, automate tasks, and streamline day-to-day development. One of its key features is MCP (Model Context Protocol) – a standardized way to integrate external tools and services into the Codex environment, allowing developers to extend the CLI’s capabilities with custom functionality and automated workflows."
        https://research.checkpoint.com/2025/openai-codex-cli-command-injection-vulnerability/
        https://www.securityweek.com/vulnerability-in-openai-coding-agent-could-facilitate-attacks-on-developers/

      Malware

      • Shai-Hulud 2.0 Aftermath: Trends, Victimology And Impact
        "Wiz Research and Wiz CIRT have been responding to the Shai-Hulud 2.0 incident (aka Sha1-Hulud) since news first broke on November 24, 2025. As of now we’re continuing to observe active spread, albeit at a significantly lower pace. This gives us an opportunity to step back and share what we’ve learned throughout this incident, and reflect on the future. This blog post assumes familiarity with the phases of Sha1-Hulud. For a detailed account of the initial incident, and our recommendations on response, refer to our previous blog post."
        https://www.wiz.io/blog/shai-hulud-2-0-aftermath-ongoing-supply-chain-attack
        https://www.bleepingcomputer.com/news/security/shai-hulud-20-npm-malware-attack-exposed-up-to-400-000-dev-secrets/
      • North Korea Lures Engineers To Rent Identities In Fake IT Worker Scheme
        "In an unprecedented intelligence operation, security researchers exposed how North Korean IT recruiters target and lure developers into renting their identities for illicit fundraising. Famous Chollima (also known as WageMole), part of North Korea’s state-sponsored Lazarus group, is known for social-engineering campaigns to infiltrate Western companies for espionage and revenue generation for the regime."
        https://www.bleepingcomputer.com/news/security/north-korea-lures-engineers-to-rent-identities-in-fake-it-worker-scheme/
        https://thehackernews.com/2025/12/researchers-capture-lazarus-apts-remote.html
      • Uncovering a Calendly-Themed Phishing Campaign Targeting Business Ad Manager Accounts
        "We recently investigated a sophisticated phishing campaign targeting Google Workspace and Facebook Business accounts with Calendly-themed phishing lures, based around a fake job opportunity. We were first alerted to the campaign when a Push customer was hit with a highly targeted email-based attack, where the attacker used an Attacker-in-the-Middle (AiTM) phishing toolkit to target the customer’s Google Workspace account."
        https://pushsecurity.com/blog/uncovering-a-calendly-themed-phishing-campaign
        https://www.bleepingcomputer.com/news/security/fake-calendly-invites-spoof-top-brands-to-hijack-ad-manager-accounts/
      • MuddyWater: Snakes By The Riverbank
        "ESET researchers have identified new MuddyWater activity primarily targeting organizations in Israel, with one confirmed target in Egypt. MuddyWater, also referred to as Mango Sandstorm or TA450, is an Iran-aligned cyberespionage group known for its persistent targeting of government and critical infrastructure sectors, often leveraging custom malware and publicly available tools. In this campaign, the attackers deployed a set of previously undocumented, custom tools with the objective of improving defense evasion and persistence. Among these tools is a custom Fooder loader designed to execute MuddyViper, a C/C++ backdoor. Several versions of Fooder masquerade as the classic Snake game, and its internal logic includes a custom delay function inspired by the game’s mechanics, combined with frequent use of Sleep API calls."
        https://www.welivesecurity.com/en/eset-research/muddywater-snakes-riverbank/
        https://thehackernews.com/2025/12/iran-linked-hackers-hits-israeli_2.html
        https://www.darkreading.com/cyberattacks-data-breaches/irans-muddywater-levels-up-muddyviper-backdoor
        https://therecord.media/iran-linked-hackers-target-israel-egypt-phishing
        https://www.bankinfosecurity.com/iran-hackers-take-inspiration-from-snake-video-game-a-30177
        https://securityaffairs.com/185244/apt/muddywater-strikes-israel-with-advanced-muddyviper-malware.html
        https://www.helpnetsecurity.com/2025/12/02/eset-muddywater-cyber-campaign/
      • New eBPF Filters For Symbiote And BPFdoor Malware
        "eBPF—extended Berkeley Packet Filter—is a very interesting kernel technology that lets users load tiny, sandboxed programs into the Linux kernel to inspect or modify network packets, system calls, and more. The technology was introduced in 2015 to renovate the “old” BPF technology of 1992, which was no longer adapted to modern computer architectures (e.g., 64-bit). As usual, the technology was quickly noticed by malware authors, resulting in the Bvp47 malware in 2015, as well as a collection of rootkits, such as Ebpfkit and TripleCross. However, due to the required skills needed to use or exploit eBPF, the malware remains rare (in number). Today, the malware scene mostly consists of two families: Symbiote and BPFDoor, both from 2021."
        https://www.fortinet.com/blog/threat-research/new-ebpf-filters-for-symbiote-and-bpfdoor-malware
      • Dragons In Thunder
        "During investigations into two incidents at Russian companies, we identified malicious activity that involved the exploitation of RCE vulnerabilities, including CVE-2025-53770 in Microsoft SharePoint, as well as CVE-2025-4427 and CVE-2025-4428 in Ivanti Endpoint Manager Mobile. In addition to the exploitation of vulnerabilities, we discovered samples of the KrustyLoader and Sliver malware, as well as traces of the Tactical RMM and MeshAgent tools. Detailed analysis showed the presence of at least two groups: QuietCrabs (also known as UTA0178 and UNC5221) and Thor. QuietCrabs were seen exploiting these vulnerabilities within just a few hours of PoC code being published."
        https://global.ptsecurity.com/en/research/pt-esc-threat-intelligence/dragons-in-thunder/
        https://www.helpnetsecurity.com/2025/12/02/threat-research-ransomware-espionage-attack/
      • Unraveling Water Saci's New Multi-Format, AI-Enhanced Attacks Propagated Via WhatsApp
        "Brazil has seen a recent surge of threats delivered via WhatsApp. As observed in our previously published research on the SORVEPOTEL malware and the broader Water Saci campaign, this popular platform has been used to launch sophisticated campaigns. Unsuspecting users receive convincing messages from trusted contacts, often crafted to exploit social engineering tactics and encourage interaction with malicious content. While the core objectives of these campaigns remain consistent, this wave showcases advanced techniques in infection, persistence, and evasion, underscoring how legitimate platforms are increasingly being exploited to reach Brazilian targets more effectively."
        https://www.trendmicro.com/en_us/research/25/l/water-saci.html
      • CastleLoader & CastleRAT: Behind TAG150’s Modular Malware Delivery System
        "TAG-150, a MaaS operator active since March 2025, uses CastleLoader and CastleRAT in multi-stage attacks. CastleLoader acts as a loader that retrieves and executes additional malware through deceptive domains and malicious GitHub repositories, while CastleRAT functions as a remote access trojan providing attackers with system control, command execution, and data theft capabilities. Darktrace detected and blocked early attack activity, leveraging Autonomous Response to prevent further compromise and protect enterprise networks."
        https://www.darktrace.com/blog/castleloader-castlerat-behind-tag150s-modular-malware-delivery-system
      • APT36 Python Based ELF Malware Targeting Indian Government Entities
        "CYFIRMA has uncovered an active cyber-espionage campaign conducted by APT36 (Transparent Tribe), a Pakistan-based threat actor known for persistent targeting of Indian government and strategic sectors. The latest activity demonstrates the group’s growing technical maturity and adaptability, as it deploys tailored malware specifically crafted to compromise Linux-based BOSS operating environments. The intrusion begins with spear-phishing emails designed to lure recipients into opening weaponized Linux shortcut files. Once executed, these files silently download and run malicious components in the background while presenting benign content to the user, thereby facilitating stealthy initial access and follow-on exploitation."
        https://www.cyfirma.com/research/apt36-python-based-elf-malware-targeting-indian-government-entities/

      Breaches/Hacks/Leaks

      • University Of Pennsylvania Confirms New Data Breach After Oracle Hack
        "The University of Pennsylvania (Penn) has announced a new data breach after attackers stole documents containing personal information from its Oracle E-Business Suite servers in August. The private Ivy League research university was founded in 1740 and has 5,827 faculty members and 29,109 students, with an 8:1 student-to-faculty ratio. It also has an academic operating budget of $4.7 billion and an endowment of $24.8 billion as of June 30, 2025."
        https://www.bleepingcomputer.com/news/security/university-of-pennsylvania-confirms-data-theft-after-oracle-ebs-hack/
        https://cyberscoop.com/university-pennsylvania-oracle-e-business-suite-clop-attacks/
        https://www.theregister.com/2025/12/02/clop_university_of_pennsylvania/
      • Everest Ransomware Claims ASUS Breach And 1TB Data Theft
        "A new claim by the Everest ransomware group suggests that ASUS, one of the world’s largest hardware and electronics companies, has been compromised. According to a post on the group’s dark web leak site, they are in possession of more than 1TB of stolen data, which they say includes camera source code. In this case, “Camera Source Code” likely refers to proprietary firmware or software used in ASUS devices with built-in cameras, such as laptops or smartphones. This could include low-level control code for camera modules, internal drivers, or even entire applications tied to image processing or device integration."
        https://hackread.com/everest-ransomware-asus-breach-1tb-data/

      General News

      • The Collapse Of Trust At The Identity Layer
        "Identity verification has become the latest front in the fight against industrialized fraud, according to a new report from Regula. The shift is visible across sectors that once relied on predictable verification routines. Criminals have learned to target the identity step itself, and the impact is spreading through financial services, healthcare, telecoms, crypto platforms, and aviation."
        https://www.helpnetsecurity.com/2025/12/02/regula-identity-verification-threats-report/
      • Creative Cybersecurity Strategies For Resource-Constrained Institutions
        "In this Help Net Security interview, Dennis Pickett, CISO at RTI International, talks about how research institutions can approach cybersecurity with limited resources and still build resilience. He discusses the tension between open research and the need to protect sensitive information, noting that workable solutions come from understanding how people get their jobs done. Pickett explains how security teams can partner with researchers to set guardrails that support innovation rather than slow it. He also shares observations on emerging risks, state interest in advanced technologies, and the challenge of managing data across diverse disciplines."
        https://www.helpnetsecurity.com/2025/12/02/dennis-pickett-rti-international-research-institutions-cybersecurity/
      • Attackers Keep Finding New Ways To Fool AI
        "AI development keeps accelerating while the safeguards around it move on uneven ground, according to The International AI Safety Report. Security leaders are being asked to judge exposure without dependable benchmarks. Across the AI ecosystem, developers are adopting layered controls throughout the lifecycle. They combine training safeguards, deployment filters, and post release tracking tools. A model may be trained to refuse harmful prompts. After release, its inputs and outputs may pass through filters. Provenance tags and watermarking can support incident reviews."
        https://www.helpnetsecurity.com/2025/12/02/ai-safety-risks-report/
      • Korea Arrests Suspects Selling Intimate Videos From Hacked IP Cameras
        "The Korean National Police have arrested four individuals suspected of hacking over 120,000 IP cameras across the country and then selling stolen footage to a foreign adult site. Although the suspects or the websites haven’t been named, the police are already taking action against viewers of the illicitly gained content, as well as the operators of the website, through international collaboration."
        https://www.bleepingcomputer.com/news/security/korea-arrests-suspects-selling-intimate-videos-from-hacked-ip-cameras/
      • Researchers Use Poetry To Jailbreak AI Models
        "Three years into the "AI future," researchers' creative jailbreaking efforts never cease to amaze. Researchers from the Sapienza University of Rome, the Sant’Anna School of Advanced Studies, and large language model (LLM) safety and compliance consultancy Dexai showed how one can jailbreak leading AI models by framing prompts as a rhyming poem. The group published their findings in a white paper Nov. 19."
        https://www.darkreading.com/threat-intelligence/researchers-use-poetry-to-jailbreak-ai-models
        https://arxiv.org/html/2511.15304v1
        https://www.malwarebytes.com/blog/news/2025/12/whispering-poetry-at-ai-can-make-it-break-its-own-rules
      • Most Companies Fear State-Sponsored Cyber-Attacks And Want More Government Help
        "The vast majority of British and American cybersecurity professionals are worried about state-sponsored cyber-attacks, and a quarter (23%) say their biggest concern for the year ahead is a lack of preparedness for “geopolitical escalation or wartime cyber operations," according to research by IO. The compliance software vendor polled 3000 cybersecurity managers in the US and UK to compile its State of Information Security Report 2025."
        https://www.infosecurity-magazine.com/news/companies-fear-state-attacks-more/
      • The Great Disconnect: Unmasking The ‘Two Separate Conversations’ In Security
        "It is often the case that I witness a conversation that is actually two separate conversations. What do I mean by that? If you are an astute listener and observer, you have probably noticed how often two people are having two completely different conversations. It is seldom the case that either person realizes it, and thus, more often than not, people have difficulty communicating effectively with one another. Quite simply put, they are not having the same conversation."
        https://www.securityweek.com/the-great-disconnect-unmasking-the-two-separate-conversations-in-security/
      • SOC Threat Radar — December 2025
        "The SOC team recently noticed a rise in the suspicious use of ScreenConnect. This includes attackers attempting to connect endpoints to targets’ ScreenConnect deployments, and attackers deploying ScreenConnect themselves to control hosts remotely. ScreenConnect is a trusted and popular remote device management tool used by many organizations and their managed service providers. As a result, the detection of ScreenConnect does not immediately arouse suspicion."
        https://blog.barracuda.com/2025/12/02/soc-threat-radar-december-2025
      • The Browser Defense Playbook: Stopping The Attacks That Start On Your Screen
        "The predominance of cloud-based apps and the trend towards remote work have made the browser the place where most work happens. In fact, about 85% of daily work takes place there. In many ways, it’s a win for all involved. Users can work from a wider range of locations and devices, accessing full “desktops” inside a browser tab. Organizations can manage apps and browser access easier than through localized desktop software. This all allows for greater central management, lower costs and better flexibility."
        https://unit42.paloaltonetworks.com/browser-defense-playbook/

      Reference
      Electronic Transactions Development Agency (ETDA)

      Posted in Cyber Security News
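The PickleScan item in the post above says that a pickled ML model is executable and that opcode scanners are what stand between it and the loader. The following is an added example, not code from the page, from JFrog or from PickleScan, that shows the mechanics: a constructed "model" whose unpickling runs a shell command, a minimal opcode-level scanner of the kind such tools implement, a hand-built payload (constructed for this example, not one of the bypasses the article describes) that slips past that scanner by parking strings in the pickle memo, and a load-time allowlist unpickler that refuses both payloads regardless. The allowlist contents are an assumption chosen for illustration.

```python
"""Added example: why a pickled model is code, how an opcode scanner sees it,
and why a load-time allowlist is the control that actually holds."""
import collections
import io
import os
import pickle
import pickletools

# Assumed, illustrative allowlist of (module, name) globals a model file may
# reference; a real loader keeps a much longer, framework-specific list.
SAFE_GLOBALS = {("collections", "OrderedDict"), ("torch", "Tensor")}
STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING", "UNICODE",
              "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}


class MaliciousModel:
    """Constructed 'model': unpickling it calls os.system("echo pwned")."""
    def __reduce__(self):
        return (os.system, ("echo pwned",))


def build_malicious_pickle() -> bytes:
    # os.system is serialised under its real module (posix.system, or
    # nt.system on Windows), so a denylist of the text "os.system" never sees it.
    return pickle.dumps(MaliciousModel())


def build_benign_pickle() -> bytes:
    return pickle.dumps(collections.OrderedDict([("w", 1)]))


def build_evasive_pickle() -> bytes:
    """Hand-assembled payload (constructed here, not a bypass from the
    article): "os"/"system" are parked in the memo and popped, decoy literals
    spelling an allowed global follow, then BINGET restores the real pair
    right before STACK_GLOBAL."""
    def s(text):  # SHORT_BINUNICODE <len> <utf-8>
        raw = text.encode()
        return pickle.SHORT_BINUNICODE + bytes([len(raw)]) + raw
    return b"".join([
        pickle.PROTO + b"\x04",
        s("os"), pickle.BINPUT + b"\x00", pickle.POP,
        s("system"), pickle.BINPUT + b"\x01", pickle.POP,
        s("collections"), pickle.POP,                    # decoys
        s("OrderedDict"), pickle.POP,
        pickle.BINGET + b"\x00", pickle.BINGET + b"\x01",
        pickle.STACK_GLOBAL,                             # -> os.system
        s("echo pwned"), pickle.TUPLE1, pickle.REDUCE,   # -> os.system("echo pwned")
        pickle.STOP,
    ])


def scan_globals(data: bytes, allowlist=SAFE_GLOBALS):
    """Static scan: walk the opcode stream without executing it and report
    every GLOBAL / STACK_GLOBAL outside the allowlist. STACK_GLOBAL is
    resolved from the two most recent string literals, which is exactly the
    shortcut the evasive payload exploits."""
    findings, literals = [], []
    for op, arg, _pos in pickletools.genops(data):
        if op.name in STRING_OPS:
            literals.append(arg)
        elif op.name == "GLOBAL":            # protocols 0-3: arg is "module name"
            module, name = arg.split(" ", 1)
            if (module, name) not in allowlist:
                findings.append((module, name))
        elif op.name == "STACK_GLOBAL" and len(literals) >= 2:
            module, name = literals[-2], literals[-1]
            if (module, name) not in allowlist:
                findings.append((module, name))
    return findings


class AllowlistUnpickler(pickle.Unpickler):
    """Load-time gate: the unpickler must ask find_class for every global it
    resolves, however the name reached the stack."""
    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"blocked global {module}.{name}")


def safe_load(data: bytes):
    return AllowlistUnpickler(io.BytesIO(data)).load()


def is_blocked(data: bytes) -> bool:
    """True when the allowlist loader refuses the payload before any code runs."""
    try:
        safe_load(data)
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    print("scan(malicious):", scan_globals(build_malicious_pickle()))
    print("scan(evasive):  ", scan_globals(build_evasive_pickle()))  # [] -> missed
    print("load(evasive) blocked:", is_blocked(build_evasive_pickle()))
```

Running it shows the scanner flag the first payload and return nothing for the second, while `safe_load` refuses both. The scanner could be taught to model the memo and the stack, but each such fix closes one opcode trick and leaves the next one open; the `find_class` gate (or a model format that is not executable at all) is the control that does not depend on anticipating the attacker's opcode sequence.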
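As an added example for the ScreenConnect observation in the SOC Threat Radar item of the post above (not code from the page or from Barracuda), the triage below runs over three constructed process-creation events and flags a ScreenConnect client that points at a relay host outside the organisation's own instance, was spawned by a browser, or runs from a user-writable path. The query-string layout (`h=` relay host, `p=` port, `e=` session type, `k=` key) follows the parameters ScreenConnect clients carry on their command line, but the hostnames, paths, approved-relay list and the events themselves are assumptions constructed for this example.

```python
"""Added example: separate the org's own ScreenConnect deployment from an
attacker-supplied one using the relay host on the client command line."""
import re
from urllib.parse import parse_qs

# Assumed: relay host(s) of the organisation's own ScreenConnect instance.
APPROVED_RELAYS = {"relay.corp-support.example"}

# Assumed: parents that should never be launching a remote-control client.
SUSPICIOUS_PARENTS = ("chrome.exe", "msedge.exe", "outlook.exe", "winword.exe",
                      "excel.exe", "powershell.exe", "cmd.exe", "wscript.exe")

SC_MARKERS = ("screenconnect", "connectwisecontrol")
QUERY_RE = re.compile(r'\?(?P<q>[^\s"]+)')            # ...exe "?e=Access&h=..."
USER_PATH_RE = re.compile(r"\\(users|temp|appdata|programdata)\\", re.I)

# Constructed process-creation events (not real telemetry).
EVENTS = [
    {"host": "WS-0101", "parent": "services.exe",
     "image": r"C:\Program Files (x86)\ScreenConnect Client (1a2b3c)\ScreenConnect.ClientService.exe",
     "cmdline": r'"C:\Program Files (x86)\ScreenConnect Client (1a2b3c)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=relay.corp-support.example&p=443&k=BgIAAACkAABSU0ExAAgAAAEAAQ&c=corp"'},
    {"host": "WS-0423", "parent": "chrome.exe",
     "image": r"C:\Users\alice\Downloads\ScreenConnect.ClientSetup.exe",
     "cmdline": r'"C:\Users\alice\Downloads\ScreenConnect.ClientSetup.exe?e=Access&y=Guest&h=instance-c0ffee-relay.screenconnect.com&p=443&k=BgIAAACkAABSU0ExAAgAAAEAAQ&c=Support"'},
    {"host": "WS-0777", "parent": "explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]


def relay_host(cmdline: str):
    """Extract the h= relay host from a ScreenConnect client command line."""
    m = QUERY_RE.search(cmdline)
    if not m:
        return None
    return parse_qs(m.group("q")).get("h", [None])[0]


def triage(events, approved=APPROVED_RELAYS):
    """Return (host, image, reasons) for every ScreenConnect event that looks
    wrong; clients of the org's own instance with a normal parent and path pass."""
    findings = []
    for ev in events:
        blob = f'{ev["image"]} {ev["cmdline"]}'.lower()
        if not any(marker in blob for marker in SC_MARKERS):
            continue
        reasons = []
        host = relay_host(ev["cmdline"])
        if host is None:
            # Assumption: an installed client always carries its relay in h=.
            reasons.append("relay host not present in command line")
        elif host.lower() not in approved:
            reasons.append(f"unapproved relay {host}")
        if ev["parent"].lower() in SUSPICIOUS_PARENTS:
            reasons.append(f"spawned by {ev['parent']}")
        if USER_PATH_RE.search(ev["image"]):
            reasons.append("binary in user-writable path")
        if reasons:
            findings.append((ev["host"], ev["image"], reasons))
    return findings


if __name__ == "__main__":
    for host, image, reasons in triage(EVENTS):
        print(host, image, "; ".join(reasons))
```

The relay host is the discriminating field: a legitimate deployment and an attacker's deployment are the same binary, so only the instance it phones home to (and the context it was installed from) tells them apart. The same check applies to the service ImagePath on already-installed clients, not only to process creation.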
    • Network of more than 2,000 fake shopping websites found defrauding buyers during sales campaigns



      Posted in Cyber Security News
    • New Android malware “Albiriox” discovered, developed by a Russian cybercrime group



      Posted in Cyber Security News
    • Developers warned: North Korean hackers release 197 malicious npm packages, delivering malware through a fake job-interview campaign



      Posted in Cyber Security News
    • Cyber Threat Intelligence 02 December 2025

      Industrial Sector

      • APT And Financial Attacks On Industrial Organizations In Q3 2025
        "This summary provides an overview of reports on APT and financial attacks on industrial enterprises disclosed in Q3 2025, as well as the related activities of groups observed attacking industrial organizations. For each topic, we summarize the key facts, findings and conclusions of researchers that we believe may be useful to professionals addressing practical issues of cybersecurity in industrial enterprises."
        https://ics-cert.kaspersky.com/publications/reports/2025/12/01/apt-and-financial-attacks-on-industrial-organizations-in-q3-2025/

      Vulnerabilities

      • Google Addresses 107 Android Vulnerabilities, Including Two Zero-Days
        "Google disclosed two actively exploited zero-day vulnerabilities Monday, which it addressed among a total of 107 defects in the company’s monthly security update for Android devices. The zero-days — CVE-2025-48633 and CVE-2025-48572 — are both high-severity defects affecting the Android framework, which attackers can exploit to access information and escalate privileges, respectively. Google said both vulnerabilities, which had not been added to the Cybersecurity and Infrastructure Security Agency’s known exploited vulnerabilities catalog as of Monday afternoon, may be under limited, targeted exploitation."
        https://cyberscoop.com/android-security-update-december-2025/

      Malware

      • SmartTube YouTube App For Android TV Breached To Push Malicious Update
        "The popular open-source SmartTube YouTube client for Android TV was compromised after an attacker gained access to the developer's signing keys, leading to a malicious update being pushed to users. The compromise became known when multiple users reported that Play Protect, Android's built-in antivirus module, blocked SmartTube on their devices and warned them of a risk. The developer of SmartTube, Yuriy Yuliskov, admitted that his digital keys were compromised late last week, leading to the injection of malware into the app."
        https://www.bleepingcomputer.com/news/security/smarttube-youtube-app-for-android-tv-breached-to-push-malicious-update/
      • Glassworm's Resurgence
        "Security can't take holidays off, but the code marketplace scanners just might. Over the past week, we've identified and tracked an unprecedented 23 extensions which copy other popular extensions, update after publishing with malware, manipulate download counts, and use KNOWN attack signatures which have been in use for months. Many of these relate to Glassworm malware, but there could be multiple campaigns at work also."
        https://secureannex.com/blog/glassworm-continued/
        https://www.bleepingcomputer.com/news/security/glassworm-malware-returns-in-third-wave-of-malicious-vs-code-packages/
      • 4.3 Million Browsers Infected: Inside ShadyPanda's 7-Year Malware Campaign
        "Koi researchers have identified a threat actor we're calling ShadyPanda - responsible for a seven-year browser extension campaign that has infected 4.3 million Chrome and Edge users. Our investigation uncovered two active operations: A 300,000-user RCE backdoor: Five extensions, including the "Featured" and "Verified" Clean Master, were weaponized in mid-2024 after years of legitimate operation. These extensions now run hourly remote code execution - downloading and executing arbitrary JavaScript with full browser access. They monitor every website visit, exfiltrate encrypted browsing history, and collect complete browser fingerprints."
        https://www.koi.ai/blog/4-million-browsers-infected-inside-shadypanda-7-year-malware-campaign
        https://thehackernews.com/2025/12/shadypanda-turns-popular-browser.html
        https://www.bleepingcomputer.com/news/security/shadypanda-browser-extensions-amass-43m-installs-in-malicious-campaign/
        https://www.theregister.com/2025/12/01/chrome_edge_malicious_browser_extensions/
      • Albiriox Exposed: A New RAT Mobile Malware Targeting Global Finance And Crypto Wallets
        "Over the past few months, the Cleafy Threat Intelligence team has identified and analyzed Albiriox, a newly emerging Android malware family promoted as a Malware-as-a-Service (MaaS) within underground cybercrime forums. First observed in September 2025 during a limited recruitment phase targeting high-reputation forum members, the project transitioned to a publicly available MaaS offering in October 2025. Forum activity, linguistic patterns, and infrastructure analysis indicate that Russian-speaking Threat Actors (TAs) are behind the operation."
        https://www.cleafy.com/cleafy-labs/albiriox-rat-mobile-malware-targeting-global-finance-and-crypto-wallets
        https://thehackernews.com/2025/12/new-albiriox-maas-malware-targets-400.html
        https://www.infosecurity-magazine.com/news/android-maas-malware-albiriox-dark/
        https://www.malwarebytes.com/blog/news/2025/12/new-android-malware-lets-criminals-control-your-phone-and-drain-your-bank-account
        https://www.securityweek.com/new-albiriox-android-malware-developed-by-russian-cybercriminals/
        https://securityaffairs.com/185194/malware/emerging-android-threat-albiriox-enables-full-on‑device-fraud.html
      • Two Years, 17K Downloads: The NPM Malware That Tried To Gaslight Security Scanners
        "We train our AI risk engine to look for something most scanners don't: code that tries to manipulate AI-based security tools. As LLMs become part of the security stack, from code review to package analysis, attackers will adapt. They'll start writing code that's designed not just to evade detection, but to actively mislead the AI doing the analysis. We built our engine to catch that. This week, it caught something interesting."
        https://www.koi.ai/blog/two-years-17k-downloads-the-npm-malware-that-tried-to-gaslight-security-scanners
        https://www.infosecurity-magazine.com/news/malware-ai-detection-npm-package/

      Breaches/Hacks/Leaks

      • Retail Giant Coupang Data Breach Impacts 33.7 Million Customers
        "South Korea's largest retailer, Coupang, has suffered a data breach that exposed the personal information of 33.7 million customers. The firm has warned on its Korean-language site that the incident occurred on June 24, 2025, but it only discovered it and began the investigation on November 18, 2025. "On November 18, 2025, Coupang became aware of unauthorized access to personal information related to the accounts of approximately 4,500 customers," reads the public statement."
        https://www.bleepingcomputer.com/news/security/retail-giant-coupang-suffers-data-breach-impacting-337-million-people/
        https://hackread.com/coupang-data-breach-south-korean-accounts/
        https://www.infosecurity-magazine.com/news/south-korea-coupang-34m-customer/
        https://www.theregister.com/2025/12/01/coupang_breach/
      • Royal Borough Of Kensington And Chelsea Reveals Data Breach
        "The Royal Borough of Kensington and Chelsea (RBKC) has told residents that their data may have been compromised in a cyber-attack on an IT service provider discovered last week. The council, London’s smallest but most densely populated, revealed the news in an update on Friday. “After discovering unusual activity first thing Monday morning, we have been taking all necessary steps to shut down and isolate systems and make them as safe as possible,” it said."
        https://www.infosecurity-magazine.com/news/royal-borough-kensington-chelsea/

      General News

      • Treating MCP Like An API Creates Security Blind Spots
        "In this Help Net Security interview, Michael Yaroshefsky, CEO at MCP Manager, discusses how Model Context Protocol’s (MCP) trust model creates security gaps that many teams overlook and why MCP must not be treated like a standard API. He explains how misunderstandings about MCP’s runtime behavior, governance, and identity requirements can create exposure. With MCP usage expanding across organizations, well-defined controls and a correct understanding of the protocol become necessary."
        https://www.helpnetsecurity.com/2025/12/01/michael-yaroshefsky-mcp-manager-mcp-security-gaps/
      • Offensive Cyber Power Is Spreading Fast And Changing Global Security
        "Offensive cyber activity has moved far beyond a handful of major powers. More governments now rely on digital operations to project influence during geopolitical tension, which raises new risks for organizations caught in the middle. A new policy brief from the Geneva Centre for Security Policy examines how these developments influence international stability and what steps could lower the chance of dangerous escalation."
        https://www.helpnetsecurity.com/2025/12/01/global-offensive-cyber-operations-risks/
      • The Weekend Is Prime Time For Ransomware
        "Over half of organizations that experienced a ransomware event in the past year were hit during a weekend or holiday, according to a Semperis report. Those periods often come with thin staffing, slower investigation, and fewer eyes on identity systems. Intruders know that reduced attention allows them to move deeper before alarms are raised. 60% of incidents happened after a merger, acquisition, restructuring, or similar shift inside the business. The most common trigger was an M&A effort. When identity environments are being consolidated, inconsistencies appear. Attackers look for these weak points and move quickly when they find them."
        https://www.helpnetsecurity.com/2025/12/01/semperis-ransomware-risk-trends-report/
      • When Hackers Wear Suits: Protecting Your Team From Insider Cyber Threats
        "In the ever-evolving landscape of cyber threats, a new and insidious danger is emerging, shifting focus from external attacks to internal infiltration. Hackers are now impersonating seasoned cybersecurity and IT professionals to gain privileged access within organizations. These aren't just phishing attempts; they are calculated schemes where malicious actors manipulate the hiring process to become "trusted" staff, all with the intent of breaching company databases or stealing sensitive information."
        https://www.bleepingcomputer.com/news/security/when-hackers-wear-suits-protecting-your-team-from-insider-cyber-threats/
      • Europol And Partners Shut Down ‘Cryptomixer’
        "From 24 to 28 November 2025, Europol supported an action week conducted by law enforcement authorities from Switzerland and Germany in Zurich, Switzerland. The operation focused on taking down the illegal cryptocurrency mixing service ‘Cryptomixer’, which is suspected of facilitating cybercrime and money laundering."
        https://www.europol.europa.eu/media-press/newsroom/news/europol-and-partners-shut-down-cryptomixer
        https://www.eurojust.europa.eu/news/cryptocurrency-mixing-service-used-launder-money-taken-down
        https://therecord.media/cryptomixer-service-takedown-bitcoin-seized
        https://www.bleepingcomputer.com/news/security/police-takes-down-cryptomixer-cryptocurrency-mixing-service/
        https://www.darkreading.com/cyberattacks-data-breaches/police-disrupt-cryptomixer-seize-millions-crypto
        https://cyberscoop.com/cryptomixer-takedown-seizure-europol/
        https://www.infosecurity-magazine.com/news/europol-takes-down-illegal/
        https://hackread.com/cryptomixer-domains-infrastructure-bitcoin-seized/
        https://www.securityweek.com/29-million-worth-of-bitcoin-seized-in-cryptomixer-takedown/
        https://securityaffairs.com/185217/cyber-crime/law-enforcement-shuts-down-cryptomixer-in-major-crypto-crime-takedown.html
        https://www.helpnetsecurity.com/2025/12/01/cryptomixer-takedown-seizure/
      • Officials Accuse North Korea’s Lazarus Of $30 Million Theft From Crypto Exchange
        "A recent cyberattack on South Korea’s largest cryptocurrency exchange was allegedly conducted by a North Korean government-backed hacking group. Yonhap News Agency reported on Friday that South Korean government officials are involved in the investigation surrounding $30 million worth of cryptocurrency that was stolen from Upbit on Wednesday evening. On Friday, South Korean officials told the news outlet that North Korea’s Lazarus hacking group was likely involved in the theft based on the tactics used to break into the cryptocurrency platform and the methods deployed to launder the stolen funds."
        https://therecord.media/officials-accuse-north-korea-hackers-of-attack-on-crypto-exchange

      Reference
      Electronic Transactions Development Agency (ETDA)

      Posted in Cyber Security News
      NCSA_THAICERT
    • Windows 11 password icon goes missing after the August 2025 update

      Posted in Cyber Security News
      NCSA_THAICERT
    • Attackers steal member data from the French Soccer Federation

      Posted in Cyber Security News
      NCSA_THAICERT
    • GreyNoise launches a free tool that lets users check whether their IP address is being used in a botnet

      Posted in Cyber Security News
      NCSA_THAICERT
    • CISA adds one known exploited vulnerability to its catalog

      On 28 November 2025, the Cybersecurity and Infrastructure Security Agency (CISA) added one new vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation:

      • CVE-2021-26829 OpenPLC ScadaBR Cross-site Scripting Vulnerability

      CISA's Binding Operational Directive BOD 22-01 established the Known Exploited Vulnerabilities (KEV) catalog to collect CVEs that carry significant risk and are actively exploited. Federal Civilian Executive Branch (FCEB) agencies must remediate the listed vulnerabilities by the specified due date to protect their networks against these threats.

      CISA will continue to add vulnerabilities that meet the criteria to the KEV catalog so that it covers exploitation risks observed now and in the future.

      Reference
      https://www.cisa.gov/news-events/alerts/2025/11/28/cisa-adds-one-known-exploited-vulnerability-catalog

      Posted in Cyber Security News
      NCSA_THAICERT