Cybersecurity and Infrastructure Security Agency (CISA) ได้เผยแพร่คำแนะนำเกี่ยวกับระบบควบคุมอุตสาหกรรม (ICS) 5 รายการ เมื่อวันที่ 17 มิถุนายน 2568 ซึ่งคำแนะนำเหล่านี้ให้ข้อมูลที่ทันท่วงทีเกี่ยวกับปัญหาด้านความปลอดภัยช่องโหว่ และช่องโหว่ที่อยู่รอบ ๆ ICS ในปัจจุบัน มีดังต่อไปนี้

• ICSA-25-168-01 Siemens Mendix Studio Pro
• ICSA-25-168-02 LS Electric GMWin 4
• ICSA-25-168-04 Fuji Electric Smart Editor
• ICSA-25-168-05 Dover Fueling Solutions ProGauge MagLink LX Consoles
• ICSA-24-347-10 Siemens SENTRON Powercenter 1000 (Update A)

ทั้งนี้ CISA สนับสนุนให้ผู้ใช้และผู้ดูแลระบบตรวจสอบคำแนะนำ ICS ที่เผยแพร่ใหม่สำหรับรายละเอียดทางเทคนิคและการบรรเทาผลกระทบ รายละเอียดเพิ่มเติมที่ https://www.cisa.gov/news-events/alerts/2025/06/17/cisa-releases-five-industrial-control-systems-advisories

อ้างอิง
https://www.cisa.gov/news-events/alerts/2025/06/17/cisa-releases-five-industrial-control-systems-advisories
สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

Cybersecurity and Infrastructure Security Agency (CISA) ได้เผยแพร่คำแนะนำเกี่ยวกับระบบควบคุมอุตสาหกรรม (ICS) 10 รายการ เมื่อวันที่ 12 มิถุนายน 2568 ซึ่งคำแนะนำเหล่านี้ให้ข้อมูลที่ทันท่วงทีเกี่ยวกับปัญหาด้านความปลอดภัยช่องโหว่ และช่องโหว่ที่อยู่รอบ ๆ ICS ในปัจจุบัน มีดังต่อไปนี้

• ICSA-25-162-01 Siemens Tecnomatix Plant Simulation
• ICSA-25-162-02 Siemens RUGGEDCOM APE1808
• ICSA-25-162-03 Siemens SCALANCE and RUGGEDCOM
• ICSA-25-162-04 Siemens SCALANCE and RUGGEDCOM
• ICSA-25-162-05 Siemens SIMATIC S7-1500 CPU Family
• ICSA-25-162-06 Siemens Energy Services
• ICSA-25-162-07 AVEVA PI Data Archive
• ICSA-25-162-08 AVEVA PI Web API
• ICSA-25-162-09 AVEVA PI Connector for CygNet
• ICSA-25-162-10 PTZOptics and Other Pan-Tilt-Zoom Cameras

ทั้งนี้ CISA สนับสนุนให้ผู้ใช้และผู้ดูแลระบบตรวจสอบคำแนะนำ ICS ที่เผยแพร่ใหม่สำหรับรายละเอียดทางเทคนิคและการบรรเทาผลกระทบ รายละเอียดเพิ่มเติมที่ https://www.cisa.gov/news-events/alerts/2025/06/12/cisa-releases-ten-industrial-control-systems-advisories

อ้างอิง
https://www.cisa.gov/news-events/alerts/2025/06/12/cisa-releases-ten-industrial-control-systems-advisories

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

Industrial Sector

• APT And Financial Attacks On Industrial Organizations In Q1 2025
  "This summary provides an overview of the reports of APT and financial attacks on industrial enterprises disclosed in Q1 2025, as well as the related activities of groups that have been observed attacking industrial organizations and critical infrastructure facilities. For each topic, we summarize the key facts, findings and conclusions of researchers that we believe may be of use to professionals addressing practical issues of cybersecurity for industrial enterprises."
  https://ics-cert.kaspersky.com/publications/reports/2025/06/19/apt-and-financial-attackson-industrial-organizations-in-q1-2025/

Vulnerabilities

• High-Severity Vulnerabilities Patched By Cisco, Atlassian
  "Cisco and Atlassian on Wednesday announced the rollout of patches for multiple high-severity vulnerabilities in their products, many leading to denial-of-service (DoS) conditions. Cisco released firmware updates for Meraki devices to resolve a high-severity flaw allowing attackers to cause the AnyConnect VPN server on these products to restart, leading to a DoS condition. Tracked as CVE-2025-20271 (CVSS score of 8.6), the bug can be exploited remotely."
  https://www.securityweek.com/high-severity-vulnerabilities-patched-by-cisco-atlassian/

Malware

• TxTag Takedown: Busting Phishing Email Schemes
  "Have you received any alerts in your inbox recently telling you that your account will be suspended unless you pay the balance immediately? Interacting with emails like this could jeopardize not only your personal info but also your company's reputation. As summer approaches, threat actors are ramping up their phishing efforts, launching numerous targeted campaigns. Below, we highlight an example to help you recognize these tactics and empower you to be the first line of defense against phishing threats."
  https://cofense.com/blog/txtag-takedown-busting-phishing-email-schemes
• Iran-Israel War Triggers a Maelstrom In Cyberspace
  "As they trade missile strikes, Iran and Israel have also faced heavy waves of cyberattacks this past week. On June 13, Israel initiated a military offensive it called "Operation Rising Lion," aimed at crippling Iran's nuclear weapons program. The two countries' covert war has become overt since then, shifting power in the region and causing dozens of civilian deaths in Israel and hundreds in Iran along the way. As expected, hacktivists have flocked to the scene like vultures. Analysts are now tracking more than 100 different threat actors carrying out, or at least claiming to carry out, cyberattacks against either Iran or, more often, Israel."
  https://www.darkreading.com/threat-intelligence/iran-israel-war-maelstrom-cyberspace
• Declaration Trap: Crypto Drainers Masquerading As European Tax Authorities
  "Crypto isn’t just for tech enthusiasts anymore – it’s becoming part of everyday financial life. More people are investing, more businesses are accepting crypto payments, the market keeps growing, and with it, so does the number of people involved. But where there’s money, scammers are watching and inventing new methods to steal it. They know the ecosystem is still full of confusion, especially around regulation and taxes. And they’ve found ways to use that to their advantage."
  https://www.group-ib.com/blog/declaration-trap/
• Threat Actor Banana Squad Exploits GitHub Repos In New Campaign
  "Trends in open-source software supply chain attacks – ones that exploit the public platforms developers rely on for software development – have changed quite a bit in recent years. While the number of malicious packages uploaded to open-source repositories like npm and the Python Package Index (PyPI) has decreased, the stealth and sophistication of threat actors to pull off less obvious attacks on platforms like GitHub is increasing."
  https://www.reversinglabs.com/blog/threat-actor-banana-squad-exploits-github-repos-in-new-campaign
  https://hackread.com/banana-squad-data-stealing-malware-github-repositories/
  https://www.infosecurity-magazine.com/news/banana-squads-github-malware/
  https://www.securityweek.com/new-campaigns-distribute-malware-via-open-source-hacking-tools/
• Cato CTRL Threat Research: PoC Attack Targeting Atlassian’s Model Context Protocol (MCP) Introduces New “Living Off AI” Risk
  "Most organizations assume a clear boundary between external users, who submit support tickets or service requests, and internal users, who handle them using privileged access. However, when an internal user triggers an AI action from a model context protocol (MCP) tool, such as summarizing a ticket, that boundary can break. The AI action is executed with the internal user’s permissions (whether a human agent, a bot, or an automated integration), meaning a malicious ticket submitted by an external threat actor can be used to inject harmful instructions."
  https://www.catonetworks.com/blog/cato-ctrl-poc-attack-targeting-atlassians-mcp/
  https://www.infosecurity-magazine.com/news/atlassian-ai-agent-mcp-attack/
• AntiDot
  "AntiDot is an Android botnet malware that lets cybercriminals control their victim devices with high capability. LARVA-398 operates and sells this botnet as a Malware as a Service (MaaS) on underground forums. The malware is promoted as a "3-in-1" tool, incorporating its own loader, packer, and botnet infrastructure. It features a range of capabilities, including screen recording and interface cloning through abuse of Android’s accessibility services. Additionally, it can intercept SMS messages and harvest logs from other applications to exfiltrate user data. Campaign activity indicates that threat actors are selectively targeting victims based on language and geographic location, suggesting the malware is likely distributed via malicious advertising networks or through highly tailored phishing campaigns. Our analysis uncovered at least 11 active command-and-control (C2) servers currently in operation."
  https://catalyst.prodaft.com/public/report/antidot
  https://thehackernews.com/2025/06/new-android-malware-surge-hits-devices.html

Breaches/Hacks/Leaks

• The 16-Billion-Record Data Breach That No One’s Ever Heard Of
  "Unnecessarily compiling sensitive information can be as damaging as actively trying to steal it. For example, the Cybernews research team discovered a plethora of supermassive datasets, housing billions upon billions of login credentials. From social media and corporate platforms to VPNs and developer portals, no stone was left unturned. Our team has been closely monitoring the web since the beginning of the year. So far, they’ve discovered 30 exposed datasets containing from tens of millions to over 3.5 billion records each. In total, the researchers uncovered an unimaginable 16 billion records."
  https://cybernews.com/security/billions-credentials-exposed-infostealers-data-leak/
  https://www.bleepingcomputer.com/news/security/no-the-16-billion-credentials-leak-is-not-a-new-data-breach/
  https://www.malwarebytes.com/blog/news/2025/06/billions-of-logins-for-apple-google-facebook-telegram-and-more-found-exposed-online
  https://securityaffairs.com/179149/data-breach/researchers-discovered-the-largest-data-breach-ever-exposing-16-billion-login-credentials.html
• Telecom Giant Viasat Breached By China's Salt Typhoon Hackers
  "Satellite communications company Viasat is the latest victim of China's Salt Typhoon cyber-espionage group, which has previously hacked into the networks of multiple other telecom providers in the United States and worldwide. Viasat provides satellite broadband services to governments worldwide and aviation, military, energy, maritime, and enterprise customers. Last month, the telecom giant told shareholders that it had approximately 189,000 broadband subscribers in the United States. The company discovered the Salt Typhoon breach earlier this year and has been working with federal authorities to investigate the attack, as Bloomberg first reported."
  https://www.bleepingcomputer.com/news/security/telecom-giant-viasat-breached-by-chinas-salt-typhoon-hackers/
  https://securityaffairs.com/179146/security/china-linked-group-salt-typhoon-breached-satellite-firm-viasat.html
• Krispy Kreme Says November Data Breach Impacts Over 160,000 People
  "U.S. doughnut chain Krispy Kreme confirmed that attackers stole the personal information of over 160,000 individuals in a November 2024 cyberattack. The American multinational coffeehouse chain employed 22,800 people in 40 countries as of December 2023 and operates 1,521 shops and 15,800 points of access. It also manages four "Doughnut Factories" in the United States and 37 others internationally, and it partners with McDonald's to have its products sold in thousands of McDonald's locations worldwide."
  https://www.bleepingcomputer.com/news/security/krispy-kreme-says-november-data-breach-impacts-over-160-000-people/
  https://www.infosecurity-magazine.com/news/krispy-kreme-data-breach-financial/
  https://www.securityweek.com/krispy-kreme-confirms-data-breach-after-ransomware-attack/
  https://www.theregister.com/2025/06/19/krispy_kreme_reveals_staggering_breadth/
• Chain IQ, UBS Data Stolen In Ransomware Attack
  "Swiss procurement service provider Chain IQ has confirmed falling victim to a cyberattack that led to the theft of customer data. The Zug, Switzerland-based firm says it learned of the incident after a threat actor published data allegedly stolen from its systems on the dark web. “On June 12, 2025, Chain IQ, along with 19 other companies, was the target of a cyberattack that had never before been seen on a global scale. This cyberattack resulted in data theft. Data from some Chain IQ customers was published on the dark web,” the company says in an incident notice."
  https://www.securityweek.com/chain-iq-ubs-data-stolen-in-ransomware-attack/
  https://www.infosecurity-magazine.com/news/ubs-employee-data-exposed-third/

General News

• US Recovers $225 Million Of Crypto Stolen In Investment Scams
  "The U.S. Department of Justice has seized more than $225 million in cryptocurrency linked to investment fraud and money laundering operations, the largest crypto seizure in the history of the U.S. Secret Service. The state's investigators used blockchain analysis to trace the funds stolen from over 400 victims, which were then laundered through a complex network of cryptocurrency addresses to obscure their origin."
  https://www.bleepingcomputer.com/news/legal/us-recovers-225-million-of-crypto-stolen-in-investment-scams/
  https://therecord.media/doj-moves-to-seize-225-million-in-stolen-crypto
• Ryuk Ransomware’s Initial Access Expert Extradited To The U.S.
  "A member of the notorious Ryuk ransomware operation who specialized in gaining initial access to corporate networks has been extradited to the United States. The suspect is a 33-year-old foreign man who was arrested in April 2025 in his home in Kyiv at the request of the FBI. He was extradited to the United States yesterday, June 18. In 2023, the Ukrainian cyber police, the National Police, and international law enforcement partners began investigating a ransomware operation whose members carried out attacks on companies in France, Norway, Germany, the Netherlands, Canada, and the USA."
  https://www.bleepingcomputer.com/news/security/ryuk-ransomwares-initial-access-expert-extradited-to-the-us/
  https://therecord.media/alleged-ryuk-member-arrest-ukraine-extradited-us
  https://www.bankinfosecurity.com/ukraine-extradites-suspected-ransomware-group-member-to-us-a-28754
  https://www.infosecurity-magazine.com/news/alleged-ryuk-initial-access-broker/
• The Hidden AI Threat To Your Software Supply Chain
  "AI-powered coding assistants like GitHub’s Copilot, Cursor AI and ChatGPT have swiftly transitioned from intriguing gadgets to indispensable sidekicks for modern developers. A recent survey by Stack Overflow revealed that over 76% of developers now rely on these assistants, with more than 80% reporting significant productivity improvements by using AI code generators & augmented code editors. These “virtual teammates” simplify complex tasks, streamline development workflows, and significantly accelerate project timelines."
  https://blog.checkpoint.com/research/the-hidden-ai-threat-to-your-software-supply-chain/
• Security Evolution: From Pothole Repair To Road Building
  "There are three categories of security controls, generally speaking: preventive (stop the adversary), detective (notice the adversary), and corrective (fix what the adversary broke). Implicitly, all three of these assume that the adversary can exploit your environment, and you're trying to defeat them. But why do we assume adversaries have that capability? Because, like an escort mission in a real-time strategy game, we have no control over the actions of the party we're defending. Instead of a courier on a secret mission, it's our business partner, deploying apps at lightning speed to make our businesses successful."
  https://www.darkreading.com/cloud-security/security-evolution-pothole-repair-road-building
• Why AI Code Assistants Need a Security Reality Check
  "In this Help Net Security interview, Silviu Asandei, Security Specialist and Security Governance at Sonar, discusses how AI code assistants are transforming development workflows and impacting security. He explains how these tools can boost productivity but may also propagate vulnerabilities if not properly reviewed."
  https://www.helpnetsecurity.com/2025/06/19/silviu-asandei-sonar-ai-code-assistants-security/
• Thieves Don’t Need Your Car Keys, Just a Wireless Signal
  "A recent study by researchers at the University of Padova reveals that despite the rise in car thefts involving Remote Keyless Entry (RKE) systems, the auto industry has made little progress in strengthening security. Since RKE’s introduction in the early 1980s, automakers have worked to improve security by adding features such as immobilizers, which prevent the engine from starting without proper authentication."
  https://www.helpnetsecurity.com/2025/06/19/keyless-car-theft-research/
  https://arxiv.org/pdf/2505.02713
• 91% Noise: A Look At What’s Wrong With Traditional SAST Tools
  "Traditional static application security testing (SAST) tools are falling short. That’s the key takeaway from a recent report that tested these tools against nearly 3,000 open-source code repositories. The results: more than 91% of flagged vulnerabilities were false positives. The Exorcising the SAST Demons report comes from Ghost Security, which scanned public GitHub projects in Go, Python, and PHP. The study focused on three vulnerability types commonly found in real-world apps: SQL injection, command injection, and arbitrary file upload."
  https://www.helpnetsecurity.com/2025/06/19/traditional-sast-tools/
  https://reports.ghostsecurity.com/cast.pdf
• How C-Suite Roles Are Shaping The Future Of Tech Leadership
  "As companies accelerate towards technology-driven business models, the tech C-suite is embracing new skills, greater influence, and a unified approach to business transformation, according to Deloitte. With insights from a range of C-level tech leaders, including more than 600 US CIOs, CTOs, CDAOs and CISOs, the Deloitte survey found that evolving roles and responsibilities, the rise of AI, and an imperative for cross-functional collaboration are providing a new platform to expand their influence and impact."
  https://www.helpnetsecurity.com/2025/06/19/deloitte-tech-c-suite-roles/
• Encryption Backdoors: The Security Practitioners’ View
  "Backdoors don’t just let law enforcement in—they open the door to attackers, insider threats, and broken trust. When government demands something, ‘No’ is not an acceptable response. Government simply waits, rephrases the demand, and then demands again. The debate over law enforcement access to encrypted content is not new – it has been almost continuous since the 1970s. We hear much about the views of government (favorable), vendors (disapproval), and civil liberty groups (total rejection of the idea). But we hear little of the views of the security professionals who are tasked with navigating regulations and maintaining the security of IP, PII, and business continuity."
  https://www.securityweek.com/encryption-backdoors-the-security-practitioners-view/
• Choosing a Clear Direction In The Face Of Growing Cybersecurity Demands
  "For years, Chief Information Security Officers (CISOs) have faced an uphill battle in securing the resources they need to protect their organizations. Often, security budgets are only increased when a data breach happens or after a significant compliance failure, when the damage has already been done. This approach leaves organizations vulnerable and security leaders struggling to justify proactive investments."
  https://www.securityweek.com/choosing-a-clear-direction-in-the-face-of-growing-cybersecurity-demands/
• Argentina Uncovers Suspected Russian Spy Ring Behind Disinformation Campaigns
  "Argentina’s intelligence service reportedly has uncovered a group of suspected Russian spies accused of spreading disinformation to promote Moscow's interests in the region. Local media, citing sources at Argentina’s State Intelligence Secretariat (SIDE), reported that Russian citizens collaborated with Argentines to interfere in the country’s domestic affairs through propaganda and disinformation campaigns. The group was allegedly part of an organization called “The Company,” which is reportedly linked to the Kremlin and Project Lakhta — a Russian interference operation targeting citizens in the U.S., Europe and Ukraine."
  https://therecord.media/argentina-russia-spies-disinformation-project-lakhta

อ้างอิง
Electronic Transactions Development Agency(ETDA)

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

Vulnerabilities

• BeyondTrust Remote Support: How Template Injection Can Lead To Remote Code Execution
  "In April 2025, Jorren Geurts, an ethical hacker at Resillion, identified a vulnerability within BeyondTrust Remote Desktop that enabled attackers to leverage Server-Side Template Injection (SSTI) to gain both authenticated and unauthenticated Remote Code Execution (RCE) on the target system. The vulnerability was disclosed to BeyondTrust through their Responsible Disclosure program on 6 May 2025. A couple of weeks later, CVE-2025-5309 was reserved and later published on 16 June 2025. The following account, written by Jorren, details the processes he went through to identify these vulnerabilities."
  https://www.resillion.com/latest-news/beyondtrust-remote-support-how-template-injection-can-lead-to-remote-code-execution/
  https://www.beyondtrust.com/trust-center/security-advisories/bt25-04
  https://www.bleepingcomputer.com/news/security/beyondtrust-warns-of-pre-auth-rce-in-remote-support-software/
  https://www.securityweek.com/code-execution-vulnerabilities-patched-in-veeam-beyondtrust-products/
• Critical Vulnerability Patched In Citrix NetScaler
  "Citrix on Tuesday announced patches for four vulnerabilities across three products, including a critical-severity issue in NetScaler ADC and NetScaler Gateway. The critical flaw, tracked as CVE-2025-5777 (CVSS score of 9.3), is described as an out-of-bounds memory read caused by insufficient input validation. Only NetScaler deployments configured as Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as Authentication, Authorization, and Accounting (AAA) virtual server are affected, Citrix explains in its advisory."
  https://www.securityweek.com/critical-vulnerability-patched-in-citrix-netscaler/
  https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX693420&articleURL=NetScaler_ADC_and_NetScaler_Gateway_Security_Bulletin_for_CVE_2025_5349_and_CVE_2025_5777
• Chrome 137 Update Patches High-Severity Vulnerabilities
  "Google on Tuesday announced patches for three vulnerabilities in Chrome 137, including two high-severity issues reported by external researchers. The first of the externally reported bugs is CVE-2025-6191, described as an integer overflow defect in the V8 JavaScript engine. Google says it handed out a $7,000 reward to the reporting researcher. The second flaw, tracked as CVE-2025-6192, is a use-after-free vulnerability in Chrome’s Profiler component that earned the reporting researcher a $4,000 reward."
  https://www.securityweek.com/chrome-137-update-patches-high-severity-vulnerabilities/
• Qualys TRU Uncovers Chained LPE: SUSE 15 PAM To Full Root Via Libblockdev/udisks
  "The Qualys Threat Research Unit (TRU) has discovered two linked local privilege escalation (LPE) flaws. The first (CVE-2025-6018) resides in the PAM configuration of openSUSE Leap 15 and SUSE Linux Enterprise 15. Using this vulnerability, an unprivileged local attacker—for example, via SSH—can elevate to the “allow_active” user and invoke polkit actions normally reserved for a physically present user. The second (CVE-2025-6019) affects libblockdev, is exploitable via the udisks daemon included by default on most Linux distributions, and allows an “allow_active” user to gain full root privileges. Although CVE-2025-6019 on its own requires existing allow_active context, chaining it with CVE-2025-6018 enables a purely unprivileged attacker to achieve full root access."
  https://blog.qualys.com/vulnerabilities-threat-research/2025/06/17/qualys-tru-uncovers-chained-lpe-suse-15-pam-to-full-root-via-libblockdev-udisks
  https://www.bleepingcomputer.com/news/linux/new-linux-udisks-flaw-lets-attackers-get-root-on-major-linux-distros/
  https://www.infosecurity-magazine.com/news/linux-flaws-allowing-root-access/
  https://www.securityweek.com/linux-security-new-flaws-allow-root-access-cisa-warns-of-old-bug-exploitation/
  https://www.helpnetsecurity.com/2025/06/18/chaining-two-lpes-to-get-root-most-linux-distros-vulnerable-cve-2025-6018-cve-2025-6019/
• GerriScary: Hacking The Supply Chain Of Popular Google Products (ChromiumOS, Chromium, Bazel, Dart & More)
  "Tenable Cloud Research discovered a supply chain compromise vulnerability in Google's Gerrit code-collaboration platform which we dubbed GerriScary. GerriScary allowed unauthorized code submission to at least 18 Google projects including ChromiumOS (CVE-2025-1568), Chromium, Dart and Bazel, which are now remediated. Third-party organizations that use Gerrit may also be at risk from GerriScary."
  https://www.tenable.com/blog/gerriscary-hacking-the-supply-chain-of-popular-google-products-chromiumos-chromium-bazel-dart
  https://www.securityweek.com/gerrit-misconfiguration-exposed-google-projects-to-code-injection/

Malware

• Case Of Attacks Targeting MySQL Servers To Install RAT Malware
  "AhnLab SEcurity intelligence Center (ASEC) is monitoring attacks targeting poorly managed services, and has confirmed that MySQL servers have remained a continuous target of attacks. Threat actors are believed to be targeting various externally accessible systems, leading to the infection of multiple systems in Korea with malware."
  https://asec.ahnlab.com/en/88514/
• North Korean Hackers Deepfake Execs In Zoom Call To Spread Mac Malware
  "The North Korean BlueNoroff hacking group is deepfaking company executives during Zoom calls to trick employees into installing custom malware on their macOS devices. BlueNoroff (aka Sapphire Sleet or TA444) is a North Korean advanced persistent threat (APT) group known for conducting cryptocurrency theft attacks using Windows and Mac malware. Huntress researchers uncovered a new BlueNoroff attack on June 11, 2025, when they were called to investigate a potential intrusion on a partner's network."
  https://www.bleepingcomputer.com/news/security/north-korean-hackers-deepfake-execs-in-zoom-call-to-spread-mac-malware/
• Fake Minecraft Mods Distributed By The Stargazers Ghost Network To Steal Gamers’ Data
  "Minecraft is a popular video game with a massive global player base, with over 200 million monthly active players. The game has also sold over 300 million copies, making it one of the best-selling video games ever. Minecraft supports mods (user-created modifications), which enrich the user experience by improving gameplay, fixing bugs, enhancing graphics, and adding new content. It is estimated that more than 1 million players are actively involved in modding Minecraft. Check Point Research discovered malicious repositories distributing malware via the Stargazers Ghost Network, which operates as a Distribution as a Service (DaaS)."
  https://research.checkpoint.com/2025/minecraft-mod-malware-stargazers/
  https://blog.checkpoint.com/research/minecraft-players-targeted-in-sophisticated-malware-campaign/
  https://www.bleepingcomputer.com/news/security/stargazers-use-fake-minecraft-mods-to-steal-player-passwords/
  https://thehackernews.com/2025/06/1500-minecraft-players-infected-by-java.html
  https://www.theregister.com/2025/06/18/minecraft_mod_malware/
• Your Mobile App, Their Playground: The Dark Side Of The Virtualization
  "Zimperium zLabs has uncovered a sophisticated evolution of the GodFather banking malware that leverages an advanced on-device virtualization technique to hijack several legitimate applications, with a focus on mobile banking and cryptocurrency applications. This method marks a significant leap in mobile threat capabilities, moving beyond traditional overlays to a more deceptive and effective form of attack."
  https://zimperium.com/blog/your-mobile-app-their-playground-the-dark-side-of-the-virtualization
  https://www.darkreading.com/cloud-security/godfather-banking-trojan-debuts-virtualization-tactic
  https://www.bankinfosecurity.com/godfather-malware-turns-real-banking-apps-into-spy-tools-a-28740
  https://hackread.com/godfather-android-malware-apps-sandbox-steal-data/
  https://www.infosecurity-magazine.com/news/godfather-upgraded-hijack-mobile/
• Ransomware Gangs Collapse As Qilin Seizes Control
  "The ransomware landscape is undergoing a turbulent realignment, marked by collapses, takeovers, and unexpected internal betrayals. Once-dominant groups such as RansomHub, LockBit, Everest, and BlackLock have recently suffered abrupt shutdowns, operational failures, and defacements of their dark web infrastructure, revealing deep instability in the cybercriminal ecosystem."
  https://www.cybereason.com/blog/threat-alert-qilin-seizes-control
  https://www.infosecurity-magazine.com/news/ransomware-qilin-offers-legal/
• Famous Chollima Deploying Python Version Of GolangGhost RAT
  "Since mid-2024, the threat actor group Famous Chollima (aka Wagemole), a North Korean-aligned threat actor, has been very active through several well-documented campaigns. These campaigns include using variants of Contagious Interview (aka DeceptiveDevelopment) and creating fake job advertisements and skill-testing pages. In the latter, users are instructed to copy and paste (ClickFix) a malicious command line in order to install drivers necessary to conduct the final skill-testing stage. Toward the end of the year, researchers documented Famous Chollima’s remote access trojan (RAT) called “GolangGhost” in its source code format, which was frequently used as the final payload in the threat actor’s ClickFix campaigns."
  https://blog.talosintelligence.com/python-version-of-golangghost-rat/
  https://therecord.media/north-korea-india-crypto-applicants
• Immunity Evasion: Defeating Security With Active Measures & Long-Lived Domains
  "Starting in Q1 2025, Cofense Intelligence detected a unique tactic combination for bypassing secure email gateways (SEGs). Threat actors have combined a long-lived domain with a unique CAPTCHA page and anti-automated analysis measures. Each technique is effective in hampering automated and manual analysis; however, the combination of techniques demonstrates remarkable sophistication from the threat actor."
  https://cofense.com/blog/immunity-evasion-defeating-security-with-active-measures-long-lived-domains
• Same Sea, New Phish: Russian Government-Linked Social Engineering Targets App-Specific Passwords
  "In recent years, users’ familiarity with common phishing tactics, increasingly advanced detection and blocking by platforms, and the rise in use of Multi-Factor Authentication (MFA), have all contributed to changes in the ways that attackers phish accounts. The introduction of more secure forms of MFA, such as hardware security keys, has also closed off certain avenues of social engineering. These pressures, among others, are driving attackers towards more complex social-engineering tactics, and more technically sophisticated attack frameworks, including targeting MFA. For example, a recent analysis by Cisco’s Talos reported that nearly half of all recent incidents that their team responded to involved attackers trying to bypass MFA."
  https://citizenlab.ca/2025/06/russian-government-linked-social-engineering-targets-app-specific-passwords/
  https://cloud.google.com/blog/topics/threat-intelligence/creative-phishing-academics-critics-of-russia
  https://therecord.media/keir-giles-russia-expert-email-attack-gtig-citizen-lab-reports
  https://cyberscoop.com/russian-hackers-state-department-sophisticated-attacks-researchers-citizen-lab/
  https://www.securityweek.com/russian-hackers-bypass-gmail-mfa-with-app-specific-password-ruse/
• Analyzing SERPENTINE#CLOUD: Threat Actors Abuse Cloudflare Tunnels To Infect Systems With Stealthy Python-Based Malware
  "Securonix threat researchers have been tracking a stealthy campaign involving (.lnk) files to deliver remote payloads hosted on attacker-controlled Cloudflare Tunnel subdomains. The infection chain ends in a Python-based shellcode loader that executes Donut-packed payloads entirely in memory."
  https://www.securonix.com/blog/analyzing_serpentinecloud-threat-actors-abuse-cloudflare-tunnels-threat-research/
  https://thehackernews.com/2025/06/new-malware-campaign-uses-cloudflare.html
  https://www.darkreading.com/cloud-security/serpentinecloud-cloudflare-tunnels-sneak-attacks
• Half The Spam In Your Inbox Is Generated By AI – Its Use In Advanced Attacks Is At An Earlier Stage
  "Cyber attackers are leveraging the power of AI to boost their chances of success in email-based attacks. AI tools can help them to develop and launch more attacks, more frequently, and to make these attacks more evasive, convincing and targeted. But to what extent are they doing these things? Determining whether or how AI has been used in an email attack is not always straightforward, and this makes it harder to see what is really going on under the hood. We believe that to build effective defenses against AI-based email attacks, we need to have a better understanding of how attackers are using these tools today and what for and how that is evolving."
  https://blog.barracuda.com/2025/06/18/half-spam-inbox-ai-generated
  https://www.infosecurity-magazine.com/news/ai-generates-spam-malicious-emails/
• Scammers Hijack Websites Of Bank Of America, Netflix, Microsoft, And More To Insert Fake Phone Number
  "Cybercriminals frequently use fake search engine listings to take advantage of our trust in popular brands, and then scam us. It often starts, as with so many attacks, with a sponsored search result on Google. In the latest example of this type of scam, we found tech support scammers hijacking the results of people looking for 24/7 support for Apple, Bank of America, Facebook, HP, Microsoft, Netflix, and PayPal."
  https://www.malwarebytes.com/blog/news/2025/06/scammers-hijack-websites-of-bank-of-america-netflix-microsoft-and-more-to-insert-fake-phone-number
• Amatera Stealer: Rebranded ACR Stealer With Improved Evasion, Sophistication
  "Proofpoint has been closely monitoring a stealer malware formerly known as ACR Stealer. In 2025, Proofpoint analysts identified a new, unnamed malware exhibiting significant code overlap, shared features, and capabilities with ACR Stealer. Further investigation revealed that ACR Stealer was significantly updated and rebranded as Amatera Stealer. While Amatera Stealer retains the core of its predecessor, it has undergone enough development and enhancement to stand out as a distinct and noteworthy threat."
  https://www.proofpoint.com/us/blog/threat-insight/amatera-stealer-rebranded-acr-stealer-improved-evasion-sophistication

Breaches/Hacks/Leaks

• Pro-Israel Hackers Hit Iran's Nobitex Exchange, Burn $90M In Crypto
  "The pro-Israel "Predatory Sparrow" hacking group claims to have stolen over $90 million in cryptocurrency from Nobitex, Iran's largest crypto exchange, and burned the funds in a politically motivated cyberattack. The attack occurred on June 18, 2025, with Nobitex first reporting the breach on X at 2:24 AM EST. "This morning, June 19, our technical team detected signs of unauthorized access to a portion of our reporting infrastructure and hot wallet," reads Nobitex's post."
  https://www.bleepingcomputer.com/news/security/pro-israel-hackers-hit-irans-nobitex-exchange-burn-90m-in-crypto/
  https://cyberscoop.com/iran-nobitex-cyberattack-predatory-sparrow/
• Healthcare SaaS Firm Says Data Breach Impacts 5.4 Million Patients
  "Episource warns of a data breach after hackers stole health information of over 5 million people in the United States in a January cyberattack. Episource is an American healthcare services company that provides risk adjustment, medical coding, data analytics, and technology solutions to health plans and providers. They help insurers optimize payments and compliance in government programs like Medicare Advantage. In a data breach notification on its website, Episource says it detected unusual activity on its systems on February 6, 2025. An investigation revealed that hackers accessed and exfiltrated sensitive data stored on these systems between January 27 and the time of the discovery."
  https://www.bleepingcomputer.com/news/security/episource-says-data-breach-impacts-54-million-patients/
  https://therecord.media/5-million-affected-episource-data-breach
  https://www.securityweek.com/data-breach-at-healthcare-services-firm-episource-impacts-5-4-million-people/
  https://securityaffairs.com/179115/data-breach/healthcare-services-company-episource-data-breach-impacts-5-4-million-people.html
• Asana Warns MCP AI Feature Exposed Customer Data To Other Orgs
  "Work management platform Asana is warning users of its new Model Context Protocol (MCP) feature that a flaw in its implementation potentially led to data exposure from their instances to other users and vice versa. The data exposure was due to a logic flaw in the MCP system and not the result of a hack, but the risk that arises from the incident could still be significant in some cases. Asana is a project and task management SaaS platform used by organizations to plan, track, and manage work, assign tasks to team members, set deadlines, and collaborate from a centralized interface."
  https://www.bleepingcomputer.com/news/security/asana-warns-mcp-ai-feature-exposed-customer-data-to-other-orgs/
  https://www.theregister.com/2025/06/18/asana_mcp_server_bug/
• World Leaks Claims Data Theft From State Agency Contractor
  "Cybercriminal gang World Leaks - formerly Hunters International - claims to have stolen 52.4 gigabytes of data containing 42,204 files from Massachusetts-based Freedman HealthCare, a contractor that provides data integration and analytics services to state health agencies. World Leaks reportedly threatened on Monday to begin leaking on Tuesday data allegedly stolen from FHC, media outlet The Register said. By Wednesday, World Leaks appeared to have leaked on its dark website some information, including management and user accounts and passwords and state contracts, but no protected health information, so far, The Register said."
  https://www.bankinfosecurity.com/world-leaks-claims-data-theft-from-state-agency-contractor-a-28746

General News

• When Legitimate Tools Go Rogue
  "Late one Tuesday night, Elena’s phone buzzed with an alert from her company’s SIEM. Her team had set up a rule to flag when certain system tools — whoami, nltest and nslookup—were run one after another in quick succession. That exact pattern had just triggered on a computer in the Finance Department. The time? 2:13 a.m. Concerned, Elena logged in from home to investigate. Almost immediately, two more alerts appeared. One signaled that Mimikatz (a tool popular with threat actors to steal credentials) had been used on the same Finance machine. The other reported a PsExec download (a command line tool used to execute processes) on a domain controller."
  https://blog.talosintelligence.com/when-legitimate-tools-go-rogue/
• The Triple Threat Of Burnout: Overworked, Unsatisfied, Trapped
  "The stigma surrounding burnout among security staffers may be fading, but organizations need to continue expanding the conversations about managing a fast-moving list of stressors. From CISOs to new hires, cybersecurity professionals are being asked to do more to stay a step ahead of threats, but their job satisfaction and career prospects are not compensating for the stress. Many feel trapped in their jobs, and in critical fields like healthcare, lives can literally be on the line as a result."
  https://www.darkreading.com/cybersecurity-operations/triple-threat-burnout-overworked-unsatisfied-trapped
• How CISOs Can Govern AI & Meet Evolving Regulations
  "Not long ago, the role of the chief information security officer (CISO) was well-defined: protect infrastructure, secure applications, safeguard customer data, manage risk, and ensure compliance across a growing partner ecosystem. But as artificial intelligence (AI) transforms how enterprises operate, a new mandate has emerged: Govern its use responsibly, end to end. AI unlocks powerful capabilities, but without governance and oversight, risk accelerates. It's like sending an F1 car onto the track without a pit crew — fast, but dangerously unsustainable."
  https://www.darkreading.com/vulnerabilities-threats/cisos-govern-ai-evolving-regulations
• Employees Are Using AI Where They Know They Shouldn’t
  "Despite widespread anticipation about AI’s positive impact on workforce productivity, most employees feel they were overpromised on its potential, according to GoTo. In fact, 62% believe AI has been significantly overhyped. However, this is likely because employees aren’t making the most of what these tools have to offer. 86% admit they’re not using AI tools to their full potential, and 82% say they aren’t very familiar with how AI can be used practically in their day-to-day work."
  https://www.helpnetsecurity.com/2025/06/18/employees-ai-potential/
• AI Is Changing Cybersecurity Roles, And Entry-Level Jobs Are At Risk
  "Will humans remain essential in cybersecurity, or is AI set to take over? According to Wipro, many CISOs are leveraging AI to improve threat detection and response times and to build enhanced incident response capabilities. AI systems can now perform a variety of tasks that were once handled by entry-level analysts, such as drafting reports, generating alerts, and assembling presentations for management."
  https://www.helpnetsecurity.com/2025/06/18/ai-humans-cybersecurity/
• What’s Trending: Top Cyber Attacker Techniques, March–May 2025
  "In our latest quarterly analysis (March–May 2025, the “reporting period”), ReliaQuest analyzed new and prevalent attacker techniques, malware trends, and ransomware group activity. These findings reveal how adversaries are refining their tactics, techniques, and procedures (TTPs); adapting to defenses; and exploiting vulnerabilities to infiltrate organizations. This report examines emerging patterns through real-world attack methods, highlighting how attackers leverage trusted tools and target human weaknesses to achieve their goals. With insights relevant across industries, it provides actionable recommendations to help organizations strengthen defenses, anticipate threats, and stay ahead of increasingly sophisticated adversaries."
  https://reliaquest.com/blog/whats-trending-top-cyber-attacker-techniques-march-2025-may-2025/
  https://www.infosecurity-magazine.com/news/clickfix-infostealers-mhsta/
• Mitigating AI Threats: Bridging The Gap Between AI And Legacy Security
  "The quantum leap in artificial intelligence is transforming sectors at an unparalleled pace, with large language models (LLMs) and agentic systems becoming critical to modern workflows. This rapid deployment has unveiled gaping vulnerabilities, as legacy tools such as firewalls, EDR, and SIEM are struggling to keep pace with AI-specific threats, including adaptive threat patterns, and covert prompt engineering."
  https://www.securityweek.com/mitigating-ai-threats-bridging-the-gap-between-ai-and-legacy-security/
• Amazon CISO: Iranian Hacking Crews ‘on High Alert’ Since Israel Attack
  "Iran's state-sponsored cyber operatives and hacktivists have all increased their activities since the military conflict with Israel erupted last week – but not necessarily in the way that Amazon chief information security officer CJ Moses expected. Like most world powers and wannabes, Iran has a substantive crew of government-supported hackers who do all of the usual cyber dirty work for the state: espionage, meddling in elections , spear phishing, stealing data and credentials, deploying ransomware, and in some cases breaking into water utilities and other critical infrastructure."
  https://www.theregister.com/2025/06/18/amazon_ciso_agentic_acceleration/

อ้างอิง
Electronic Transactions Development Agency(ETDA)

เมื่อวันที่ 19 มิถุนายน 2568 Cyber Security Agency of Singapore (CSA)ได้เผยแพร่ว่ามีนักวิจัยด้านความปลอดภัยได้ระบุแคมเปญโจมตีแบบ active ที่กำลังใช้ประโยชน์จากช่องโหว่ร้ายแรง หมายเลข CVE-2025-3248 ใน Langflow เพื่อทำการโจมตีแบบ DDoS (Distributed Denial-of-Service)

Langflow เป็นเครื่องมือสำหรับสร้างและจัดการระบบ AI รวมถึงเซิร์ฟเวอร์ Mission Control Platform (MCP) ซึ่งเคยออกแพตช์อัปเดตเพื่อแก้ไขช่องโหว่นี้ตั้งแต่เดือนมีนาคม 2025 แล้ว คะแนนความร้ายแรง CVSS v3.1(9.8)
ถือเป็นช่องโหว่ระดับ "วิกฤต"

ผลกระทบ
ช่องโหว่นี้เกิดจากระบบไม่มีการยืนยันตัวตน (Missing Authentication)
แฮกเกอร์สามารถส่งคำสั่งผ่าน HTTP เพื่อรันโค้ดได้จากระยะไกล (Remote Code Execution – RCE) โดยไม่ต้องล็อกอิน หากถูกโจมตีสำเร็จ อาจโดนควบคุมระบบทั้งหมด หรือข้อมูลสำคัญถูกขโมยไปได้ ยังพบว่ามีการใช้ช่องโหว่นี้ปล่อย มัลแวร์ Flodrix botnet เพื่อใช้ยิง DDoS

ระบบที่ได้รับผลกระทบ
Langflow เวอร์ชันก่อนหน้า 1.3.0

แนวทางป้องกัน

• อัปเกรด Langflow เป็นเวอร์ชัน 1.3.0 ขึ้นไปทันที เวอร์ชันนี้มีระบบยืนยันตัวตนที่เข้มงวดขึ้น
• ปิดการเข้าถึงระบบ Langflow จากภายนอก (Public access)
• ตรวจสอบระบบ ว่ามีสัญญาณการโจมตีที่เกี่ยวกับ Flodrix botnet หรือไม่

อ้างอิง
https://www.csa.gov.sg/alerts-and-advisories/alerts/al-2025-059/

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand