NCSA Webboard
    • ล่าสุด
    • แท็ก
    • ฮิต
      • ติดต่อสำนักงาน
    • ลงทะเบียน
    • เข้าสู่ระบบ
    1. หน้าแรก
    2. NCSA_THAICERT
    • รายละเอียด
    • ติดตาม 0
    • คนติดตาม 3
    • กระทู้ 2,385
    • กระทู้ 2,386
    • ดีที่สุด 0
    • Controversial 0
    • กลุ่ม 2

    NCSA_THAICERT

    @NCSA_THAICERT

    1
    ชื่อเสียง
    56
    ดูข้อมูลส่วนตัว
    2.4k
    กระทู้
    3
    คนติดตาม
    0
    ติดตาม
    เข้าร่วม ออนไลน์ล่าสุด
    เว็บไซต์ www.ncsa.or.th/?fbclid=IwAR0BqJEC-CJzBs98rlBxUbZkNBgp1g814xdDNNaKnHTrxfqZhPD--ksY68I

    NCSA_THAICERT เลิกติดตาม ติดตาม
    Global Moderator administrators

    Latest posts made by NCSA_THAICERT

    • Microsoft ออกแพตช์กรกฎาคม 2026 แก้ไข 622 ช่องโหว่ และ 2 Zero-Day ที่ถูกใช้โจมตีจริง

      Microsoft ออกแพตช์กรกฎาคม 2026 แก้ไข 622 ช่องโหว่ และ 2 Z.png

      สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand ca4c90e4-339e-49ac-9ea4-91f8acac505b-image.png

      โพสต์ใน Cyber Security News
      NCSA_THAICERTN
      NCSA_THAICERT
    • F5 ออกแพตช์แก้ช่องโหว่หลายรายการใน NGINX และ BIG-IP เสี่ยง DoS และรันโค้ดบนระบบ

      F5 ออกแพตช์แก้ช่องโหว่ใน NGINX และ BIG-IP เสี่ยง DoS แล.png

      สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand 12120ecf-1e73-49f3-947f-8da081fc25e6-image.png

      โพสต์ใน Cyber Security News
      NCSA_THAICERTN
      NCSA_THAICERT
    • Zoom แจ้งเตือนช่องโหว่ เสี่ยงถูกยึดบัญชีผู้ใช้งานบนระบบปฏิบัติการ Windows

      Zoom แจ้งเตือนช่องโหว่ เสี่ยงถูกยึดบัญชีผู้.png

      สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand 5a7859bd-399f-440e-908c-5cf14fdcdb6b-image.png

      โพสต์ใน Cyber Security News
      NCSA_THAICERTN
      NCSA_THAICERT
    • Cyber Threat Intelligence 17 July 2026

      Industrial Sector

      • Rockwell Automation CompactLogix, ControlLogix, Compact GuardLogix And GuardLogix
        "Successful exploitation of these vulnerabilities could allow an attacker to cause a denial-of-service condition."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-197-06
      • Rockwell Automation Arena
        "Successful exploitation these vulnerabilities could allow an attacker to execute arbitrary code in the context of the current process."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-197-01
      • Rockwell Automation 1756-EN2, 1756-EN3, And 1756-ENBT
        "Successful exploitation of this vulnerability could allow an attacker to cause a denial-of-service condition."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-197-02
      • NASA Core Flight System (cFS) Health & Safety (HS) Application
        "Successful exploitation of this vulnerability could allow an attacker to cause a denial-of-service condition."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-197-03
      • AutomationDirect Productivity Suite
        "Successful exploitation of these vulnerabilities could allow an attacker with local or physical access to cause memory corruption, unintended information disclosure, application instability, or a denial-of-service condition in the affected product."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-197-04
      • Siemens SICAM 8
        "Multiple SICAM 8 products are affected by multiple vulnerabilities that could lead to denial of service, namely: - SICAM A8000 Device firmware - CPCI85 for CP-8031/CP-8050 - SICORE for CP-8010/CP-8012 - SICAM EGS Device firmware - CPCI85 - SICAM S8000 - SICORE Siemens has released new versions for the affected products and recommends to update to the latest versions."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-197-05
      • SALTO ProAccess Space
        "Successful exploitation of this vulnerability allows an authenticated attacker to escalate privileges and access spaces outside their assigned partition, within the same Salto ProAccess Space installation or system. Exploitation requires valid authenticated operator credentials and the partition feature to be enabled; installations without partitioning are not affected."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-197-07
      • Rockwell Automation Flex 5000 Adapter
        "Successful exploitation of this vulnerability could allow an attacker to cause a denial-of-service condition on the affected product."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-197-08
      • Rockwell Automation FactoryTalk DataMosaix
        "Successful exploitation of this vulnerability could allow an authenticated attacker to inject malicious scripts on the server."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-197-09
      • Legacy Systems, Real-World Impacts: The Reality Of OT Security
        "I’m here today to write about one particularly thorny area of operational technology (OT) and security that I run into somewhat routinely. Given my own particular interests as an incorrigible vulnerability-gazer, and my professional role as vice president of security research at runZero, I deal with OT security issues more often than the average bear. I’ve noticed that there’s definitely a vibe of, “IT be like this, but OT be like that” going on in the wider world of vulnerability management. The process of discovering, documenting, and disclosing vulnerabilities all have their own little quirks here in OT-land, so let’s jump into it!"
        https://www.securityweek.com/legacy-systems-real-world-impacts-the-reality-of-ot-security/

      Vulnerabilities

      • Splunk, Zoom Patch Critical Vulnerabilities
        "Splunk and Zoom this week announced patches for multiple vulnerabilities across their products, including several critical and high-severity security defects. Only three of the five advisories that Splunk published address flaws that are specific to its products, while the other two resolve dozens of bugs in third-party components. The Splunk-specific issues include CVE-2026-20296 (a high-severity command safeguards bypass), CVE-2026-20297 (a high-severity path traversal), and CVE-2026-20298 (a medium-severity information disclosure)."
        https://www.securityweek.com/splunk-zoom-patch-critical-vulnerabilities/
      • F5 Patches Multiple NGINX, BIG-IP Vulnerabilities
        "F5 on Wednesday announced an out-of-band security rollout that patches eight vulnerabilities in NGINX and BIG-IP. The most severe flaw is CVE-2026-42533 (CVSS score of 9.2), a critical issue in NGINX Plus and NGINX Open Source that could be exploited via crafted HTTP requests to cause a heap buffer overflow and restart the NGINX worker process. “A vulnerability exists in NGINX Plus and NGINX Open Source when a map directive uses regex matching and a string expression references the map’s regex capture variables before referencing the map output variable. Alternatively, the same result could be achieved by using a non-cacheable variable in a string expression under certain conditions,” F5 explains."
        https://www.securityweek.com/f5-patches-multiple-nginx-big-ip-vulnerabilities/
      • Trend Micro, Tanium, ESET And Tenable Patch Severe Product Vulnerabilities
        "Cybersecurity companies Trend Micro, ESET, Tenable, and Tanium released product updates this month to patch severe vulnerabilities. Tenable told customers this week that it has fixed a critical-severity path traversal in the Tenable Agent. The security hole, tracked as CVE-2026-15265, may allow an attacker to achieve remote code execution. ESET informed customers on Tuesday that it has discovered and patched a high-severity local privilege escalation vulnerability in Inspect Connector for Windows. “On systems with the affected ESET product installed, an attacker could send self-crafted Advanced Local Procedure Call (ALPC) requests to the vulnerable process’ interface,” ESET explained in its advisory. “Without proper authentication or origin validation in place, this message would be accepted and processed, enabling the attacker to access restricted functionality.”"
        https://www.securityweek.com/trend-micro-tanium-eset-and-tenable-patch-severe-product-vulnerabilities/
        https://www.tenable.com/security/tns-2026-18
        https://support.eset.com/en/ca8970-eset-customer-advisory-local-privilege-escalation-via-unauthenticated-alpc-in-eset-inspect-connector-for-windows-fixed
        https://security.tanium.com/TAN-2026-016/
        https://helpcenter.trendlife.com/en-us/article/tmka-12951
      • CISA Adds Three Known Exploited Vulnerabilities To Catalog
        "CISA has added three new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
        CVE-2026-25089 Fortinet FortiSandbox OS Command Injection Vulnerability
        CVE-2026-39808 Fortinet FortiSandbox OS Command Injection Vulnerability
        CVE-2026-58644 Microsoft SharePoint Deserialization of Untrusted Data Vulnerability"
        https://www.cisa.gov/news-events/alerts/2026/07/16/cisa-adds-three-known-exploited-vulnerabilities-catalog
      • Same Subject, Wrong User: A Cross-Issuer Account Takeover In n8n
        "Months ago, we ran Strix against n8n and it came back with an authentication bug in the token-exchange flow. We submitted the finding and forgot about it. Then, a few weeks ago, we learned it had been assigned CVE-2026-59208 (High). Short version: n8n trusts who signed a token when it verifies it — but forgets who signed it when it decides whose account you are. This is a small post about a small diff with a large blast radius."
        https://www.strix.ai/blog/n8n-cross-issuer-account-takeover
        https://thehackernews.com/2026/07/n8n-token-exchange-flaw-could-let.html
      • New Agent Data Injection Attack Can Make AI Agents Misclick Or Run Attacker Commands
        "Ask an AI agent to summarize the reviews on a product page, and a single planted review can make it click "Buy Now" instead. Ask a coding assistant to apply a maintainer's fix from a GitHub thread, and a fake comment can make it run a stranger's command on your computer. Neither trick hijacks the agent's task. Each one just corrupts the facts it trusts and lets it carry on with the job you asked for. That is the shape of a new class of attack laid out in a paper posted July 6 by researchers from Seoul National University, the University of Illinois Urbana-Champaign, and Largosoft."
        https://thehackernews.com/2026/07/new-agent-data-injection-attack-can.html
        https://arxiv.org/abs/2607.05120
      • No Shark Is Safe: Millions Of Shark Vacuums Are Vulnerable To RCE
        "Millions of Shark vacuums are currently vulnerable to remote code execution. This critical vulnerability leaves hackable cameras with wheels inside the homes of Shark vacuum owners. The vulnerability is trivially exploited as demonstrated in the writeup below. Attempts to remediate the issue with Shark have been unsuccessful as they have downplayed the severity and questioned whether "a CVE is appropriate" for the situation (really?)."
        https://tokay0.com/posts/millions-of-shark-vacuums-vulnerable-to-rce.html
        https://thehackernews.com/2026/07/unpatched-shark-vacuum-flaw-could-let.html
      • OpenAI Admits GPT-5.6 Occasionally Deletes Files – But It's An 'honest Mistake'
        "OpenAI has confirmed reports that GPT-5.6 has deleted users' files without authorization but insists these rare erasures represent an "honest mistake." Following the release of OpenAI's GPT‑5.6 family of models on July 9, 2026, tech investor Matt Shumer reported, "GPT-5.6-Sol just accidentally deleted almost ALL of my Mac's files." A few days later, software engineer Bruno Lemos said, "GPT-5.6 Sol just deleted my whole production database. That's it. Not a joke. This had never happened to me before, with any other model, ever. It's not safe.""
        https://www.theregister.com/ai-and-ml/2026/07/16/openai-admits-gpt-56-occasionally-deletes-files-but-its-an-honest-mistake/5274008
      • 7-Zip XZ Decompression Heap-Based Buffer Overflow Remote Code Execution Vulnerability
        "This vulnerability allows remote attackers to execute arbitrary code on affected installations of 7-Zip. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of XZ chunked data. Crafted XZ-compressed data can trigger an overflow of a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process."
        https://www.zerodayinitiative.com/advisories/ZDI-26-444/

      Malware

      • ClickLock Stealer: Paste Once, Lose Everything
        "Malware targeting macOS users are usually considered rare and advanced: the system’s built-in protections like Gatekeeper, TCC, System Integrity Protection, mandatory code signing and lower number of users require higher commitments and bring less profit for the attackers compared to other platforms. Although the macOS threat landscape has grown considerably in recent years, with malware like Atomic Stealer (AMOS), Banshee Stealer, Poseidon, Cuckoo, Cthulhu Stealer and MacStealer, the total number of known macOS malware families remains relatively small in contrast to other systems, which means the discovery of a previously undocumented sample with zero detections is always something worth digging into."
        https://www.group-ib.com/blog/clicklock-stealer-macos-malware/
        https://thehackernews.com/2026/07/new-clicklock-macos-stealer-kills-apps.html
        https://www.bleepingcomputer.com/news/security/new-clicklock-macos-malware-traps-users-into-revealing-login-password/
        https://www.infosecurity-magazine.com/news/clicklock-macos-stealer-clickfix/
        https://www.securityweek.com/clicklock-stealer-bypasses-macos-security-with-social-engineering-process-killing/
        https://www.theregister.com/cyber-crime/2026/07/16/cmon-just-copy-this-text-string-and-paste-it-into-your-macos-terminal-itll-fix-your-computer-honest/5273701
      • UAT-11795 Deploys Novel Starland RAT And Bespoke WLDR C2 Implant In Financially Motivated Campaign
        "Cisco Talos is disclosing UAT-11795, a sophisticated, Russian-speaking, financially motivated adversary that has been conducting a malicious campaign targeting users in the U.S. and Europe since at least June 2025. Talos has discovered that the actor in this campaign delivers a Python-based remote access tool (RAT) that we track as “Starland RAT” and a command-and-control (C2) memory implant known as the “WLDR agent.” The WLDR agent is a sophisticated PowerShell-based C2 memory implant that features encrypted beaconing, task queuing, and a Runspace execution engine for executing additional payloads. UAT-11795 also has CastleStealer and Remcos RAT as alternative payload implants in their arsenal."
        https://blog.talosintelligence.com/uat-11795-deploys-novel-starland-rat-and-bespoke-wldr-c2-implant-in-financially-motivated-campaign/
        https://www.bleepingcomputer.com/news/security/russian-hackers-trojanize-webex-zoom-apps-to-push-starland-malware/
      • Spirals: New Stealthy Ransomware Deployed Against Asian IT Company
        "A previously unseen ransomware family, named Spirals by its operators, was deployed in a double extortion attack against an IT services company in South Asia in June 2026, the Symantec Threat Hunter Team can reveal. The Rust-based payload is either a new ransomware threat or one purpose-built for this attack. The actor behind the attack remains unknown. The attackers moved quickly. Less than 24 hours after the initial breach, the ransomware payload was being pushed to machines on the network. They obtained initial access by compromising an internet-facing IIS web server and uploading an ASP.NET web shell. Over a rapid three-hour interactive session, they established persistent access, uninstalled endpoint security software, dumped the Security Account Manager (SAM) hive, and set up covert remote access before later deploying the payload across the network."
        https://www.security.com/threat-intelligence/ransomware-spirals-extortion
        https://www.bleepingcomputer.com/news/security/new-spirals-ransomware-encrypts-victim-network-in-under-24-hours/
      • Threat Spotlight: How ‘text Salting’ Confuses AI-Powered Email Defenses
        "Traditional spam filters work by scoring emails on the prevalence of unwanted or malicious terms. Hiding large amounts of harmless-looking text inside an email that can only be seen by security tools helps to dilute the concentration of “bad” words. This makes the emails look benign and legitimate, while the recipient sees only the intended phishing content. The techniques used to hide content are known as “text salting.” Over the last year, researchers have seen an escalation in the use of text salting to confuse not just language detection and keyword analysis, but also machine learning models and, increasingly, LLM-based security tools into misclassifying phishing or spam messages as legitimate and allowing them to be delivered to recipients."
        https://blog.barracuda.com/2026/07/16/text-salting-ai-email-security
        https://www.darkreading.com/threat-intelligence/1m-emails-hidden-text-dupe-ai-security-filters
      • The TTF Trap: A Global Campaign Of a Low-Detection Lua Loader
        "Since late March, 2026, we have been observing large-scale campaigns that use a combination of fileless techniques and Lua-based loaders with low detection rates to deploy various malware families, including Agent Tesla, Remcos, XWorm, and Best Private LOGGER. In these attack campaigns, the threat actor impersonates several well-known companies, using the guise of business cooperation to launch phishing attacks. To evade detection, the actor employs multi-layered, highly obfuscated stages, including extensive junk code and an AutoIt/Lua loader masquerading as a TrueType Font (.ttf) file."
        https://www.fortinet.com/blog/threat-research/the-ttf-trap-a-global-campaign-of-a-low-detection-lua-loader
        https://www.infosecurity-magazine.com/news/phishing-lua-loader-truetype-font/
      • HelloNet Campaign — New Malicious Modules Launched Through The ViPNet Update System
        "We discovered a new APT attack using previously unknown tooling, which started at least in May 2026 and remains active at the time of publication. It is notable in that the implants used during it were launched through the ViPNet update system (a software suite for creating secure networks). During our research, we identified attempts of targeted infection of large Russian organizations from the government, energy, transport, education, and logistics sectors, as well as industry. This is not the first time an advanced group has targeted computers connected to ViPNet networks. For example, last year we discovered a complex backdoor mimicking ViPNet updates."
        https://securelist.com/tr/hellonet-vipnet/120700/
      • GoSerpent: a Persistent Threat Evolves With Sophisticated Data Collection And Exfiltration
        "In February 2026 we discovered a set of malicious activities that have been ongoing since late 2025. These activities involved a RAT module written in Go with proxy capabilities, serving as the main stage of the attack. The attack targeted government and diplomatic entities in Southeast Asia and showed a level of sophistication which caught our attention. During the attack, the main malware, dubbed GoSerpent, received an encrypted argument and started communication with a remote server. It was also used to deploy further malicious tools for sensitive data collection and credential dumping on the system."
        https://securelist.com/goserpent-backdoor-in-southeast-asia/120687/
      • TELEPUZ: a Modular MaaS Malware Spreading Via CLICKFIX-VIDAR Chains
        "Elastic Security Labs is tracking an emerging threat named TELEPUZ, which we have discovered spreading widely via a CLICKFIX-VIDAR chain. This malware is in active development and has been operating since late April 2026, according to the infrastructure information we collected. The malware is full-featured, lightweight, and modular. While the number of C2 domains is currently small, the daily volume of builds uploaded to VirusTotal and the rapid pace of updates indicate active development and likely further growth."
        https://www.elastic.co/security-labs/telepuz-maas-malware-clickfix
        https://thehackernews.com/2026/07/new-telepuz-malware-spreads-via.html
      • 20+ Hijacked Government Websites Became
an Attack Channel
        "More than 20 Brazilian government websites were hijacked and turned into malware delivery channels in an active PhantomEnigma campaign uncovered by ANY.RUN, a leading provider of interactive malware analysis and threat intelligence solutions. The investigation revealed previously undocumented backdoor behavior, hidden infrastructure relationships, and multiple attack arms behind a campaign putting banks and public agencies at risk. By connecting hundreds of seemingly unrelated sandbox sessions, ANY.RUN researchers exposed the operation’s broader scope and showed how trusted .gov.br links and authenticated emails helped the activity remain hidden."
        https://thehackernews.com/2026/07/20-hijacked-government-websites.html
      • Daxin Returns: Stealthy Malware Resurfaces In Taiwan Alongside a New Backdoor
        "More than four years after Symantec first uncovered Backdoor.Daxin, the malware has resurfaced. Symantec's Threat Hunter Team uncovered Daxin in active use on a compromised host in Taiwan in May 2026, long after the tool was last found. Alongside it, our researchers found a previously undocumented backdoor (Backdoor.Stupig) that uses a technically distinctive approach to persistence and pre-authentication code execution. No code-level relationship between the two tools has been established. However, their co-deployment on the same host, complementary functions, and similarities in development practices suggest a link. The two samples also carry compile timestamps a few weeks apart in early 2013. While such timestamps can be edited, it is more likely that both samples were created within a short window of one another, which would be consistent with their use by the same actor."
        https://www.security.com/threat-intelligence/daxin-returns-stupig
        https://thehackernews.com/2026/07/daxin-resurfaces-in-taiwan-alongside.html
      • Sandworm Hackers Have a CAPTCHA Trick For Ukrainians
        "Russian military intelligence hackers have begun using fake CAPTCHA prompts on compromised websites to trick Ukrainian targets into infecting their own computers, researchers have found. In a report published Wednesday, Ukraine's computer emergency response team (CERT-UA) said it observed a shift this spring and summer in how the Kremlin-backed hacking group Sandworm gains initial access to the systems of Ukrainian targets. The agency said the group has increasingly adopted a version of the social engineering technique known as ClickFix. In this case, victims are directed to compromised websites displaying a fake CAPTCHA security check designed to distinguish humans from computers."
        https://therecord.media/ukraine-sandworm-hacks-captcha-powershell

      Breaches/Hacks/Leaks

      • Coca-Cola Says Fairlife Ransomware Attack Halts US Dairy Production
        "The Coca-Cola Company disclosed today that a ransomware attack impacting its Fairlife dairy subsidiary has disrupted operations, temporarily suspending production of Fairlife products across the United States. In a Form 8-K filing with the U.S. Securities and Exchange Commission (SEC), Coca-Cola said Fairlife detected unauthorized access to some of its systems, including its production-related systems, in connection with a ransomware attack. "After detecting the issue, the Company promptly activated its incident response and business continuity protocols," Coca-Cola said in the filing."
        https://www.bleepingcomputer.com/news/security/coca-cola-says-fairlife-ransomware-attack-halts-us-dairy-production/
      • Romania’s Land Registry Hit By Cyber Attack, Data Allegedly For Sale
        "Romania’s National Agency for Cadastre and Land Registration (ANCPI) suffered a major disruption on Tuesday, July 14, when its e-Terra cadastre and land registry app became unavailable to users. What was first declared to be a “major technical incident” has now been confirmed as a cyber attack. While the circumstances are still being investigated by the competent state institutions, ANCPI stated that the data administered through its IT systems has not been compromised as a result of this incident."
        https://www.helpnetsecurity.com/2026/07/16/romania-ancpi-cyber-attack/
      • Cyberattack On Japan's Largest Cold-Chain Operator Disrupts KFC, Supermarket Supplies
        "A cyberattack on Japan's largest refrigerated logistics company has rippled through the country's food supply chain, leaving Kentucky Fried Chicken restaurants short on ingredients and major restaurant chains struggling to keep up with deliveries. Nichirei Logistics Group, which transports frozen and refrigerated food for about 5,000 customers across Japan, said it experienced a system outage on Monday. The company confirmed Thursday that hackers breached its servers. To contain the attack and protect customer data, the company disconnected key systems, bringing parts of its logistics network to a standstill."
        https://therecord.media/cyberattack-japan-nichirei-logistics-impacts-kfc
        https://www.theregister.com/security/2026/07/16/cyberattack-threatens-utterly-critical-infrastructure-in-japan-kfc/5272220
      • Tech Support Scam Caused Massive Data Breach At Australian Airline Qantas
        "Australia’s Privacy Commissioner has revealed a tech support scam was the cause of the massive 2025 data breach at Australian airline Qantas and found the carrier didn’t breach its privacy obligations despite leaking personally identifiable information for 5.7 million customers. The Commissioner reached that conclusion, and a decision not to open a formal privacy probe, in a report published today. Qantas has previously admitted the incident was the result of a social engineering attack on a contact center. The Commissioner’s report goes deeper, explaining a crook who claimed to represent “Qantas IT help” made the call and told a contact center agent to access a CRM system and perform certain actions needed to close a support ticket."
        https://www.theregister.com/cyber-crime/2026/07/16/tech-support-scam-caused-massive-data-breach-at-australian-airline-qantas/5272267
        https://www.oaic.gov.au/privacy/privacy-assessments-and-decisions/privacy-decisions/Investigation-inquiry-reports/report-into-preliminary-inquiries-of-qantas

      General News

      • Scattered Spider Members Behind TfL Hack Get Five Years In Prison
        "Two leading members of the Scattered Spider cybercrime collective were sentenced to five years and six months in prison each for hacking Transport for London (TfL) in 2024. On September 2, 2024, TfL (which provides transportation services to more than 8.4 million Londoners) disclosed that its network was breached in August 2024, with the attack disrupting internal systems and online services. Affected services and platforms included TfL's Dial-a-Ride service, concessionary travel cards, digital payments, and contactless ticketing rollout, as well as the public transportation agency's ability to process refunds. Additionally, 148 systems became inoperable across TfL's network, and all 27,000 TfL employees had to reset their passwords in person after the breach."
        https://www.bleepingcomputer.com/news/security/scattered-spider-members-behind-transport-for-london-hack-get-five-years-in-prison/
        https://www.infosecurity-magazine.com/news/selfish-bravado-behind-tfl/
        https://www.theregister.com/cyber-crime/2026/07/16/brit-scattered-spider-duo-handed-tickets-to-prison-over-transport-for-london-attack/5272446
        https://thehackernews.com/2026/07/two-scattered-spider-hackers-get-55.html
        https://therecord.media/scattered-spider-hackers-tfl-sentenced
        https://hackread.com/two-scattered-spider-members-sentenced-tfl-cyberattack/
        https://www.securityweek.com/two-scattered-spider-hackers-sentenced-to-jail-in-uk/
        https://securityaffairs.com/195501/cyber-crime/two-scattered-spider-members-sentenced-to-prison-over-29-million-tfl-cyberattack.html
        https://www.helpnetsecurity.com/2026/07/16/ransport-for-london-cyberattack-prison-time/
      • The Hunter's Paradox: Is It Time To Embrace Automated Threat Hunting?
        "Should we let AI run our threat hunts? The debate usually splits into two camps. One says, "Yes, obviously! The sheer scale of our security telemetry is impossible for humans to deal with." The other says, "Absolutely not! You can't trust an AI with something this important." The thing is, I think both are wrong, or at least incomplete. I've spent a long time as one of the louder voices saying that hunting is specifically a human-driven process. I created the first widely recognized definition of threat hunting back in 2015, and the version I'd have given you until very recently put a human firmly at the center of it."
        https://blog.talosintelligence.com/the-hunters-paradox-is-it-time-to-embrace-automated-threat-hunting/
      • Agentic AI Is Untamable: Ask The Right Security Questions
        "Agentic security challenges stem from a mindset, not the technology so solving them requires a fundamental shift in how organizations think about control. While agentic systems can save organizations time across several operations, from cybersecurity and software development to customer support, agents also introduce significant risks to the organization. These systems require alarmingly high levels of access to sensitive information, as well as the use of external tools, to complete tasks with little to no human oversight. They constitute yet another attack surface for threat actors to target."
        https://www.darkreading.com/cybersecurity-operations/agentic-ai-untamable-ask-the-right-security-questions
      • Reading Between The Lines Of a Cyber Insurance Policy
        "Enterprises in regulated industries often carry cyber insurance policies because contracts require it or boards ask for documented risk transfer. The global market for these policies reached about $16 billion in premiums in 2024. Coverage has become widespread. Payouts have grown less predictable. The Global Federation of Insurance Associations, which represents insurers accounting for close to 90 percent of premiums worldwide, quantified the cyber protection gap at about $900 billion in a 2023 report, with annual economic losses from cyber incidents exceeding that figure."
        https://www.helpnetsecurity.com/2026/07/16/cyber-insurance-coverage-gap/
      • Companies Keep Getting Breached By Vulnerabilities They Already Knew About
        "Scanning tools have gotten good at their work. Organizations now find more weaknesses across more of their systems than at any earlier point in the industry’s history. A survey from the security firm Vicarius points to a gap that opens after that discovery, in the work of assigning, approving, deploying, and confirming a fix. The company surveyed 300 IT and cybersecurity leaders in the United States and the United Kingdom, at organizations with 500 to 2,000 employees. On average, 58% of remediation activities require direct human intervention. Automated discovery, scanning, and reporting have become common across the sample. The work of deciding what to fix and pushing the change through still runs on people. Only a small share of organizations have removed people from the loop entirely, at 7%, and that pattern held steady across company sizes and industries."
        https://www.helpnetsecurity.com/2026/07/16/ciso-vulnerability-remediation-gap/

      อ้างอิง
      Electronic Transactions Development Agency (ETDA) 3d054581-a441-44d7-805b-bba88a908b8b-image.png

      โพสต์ใน Cyber Security News
      NCSA_THAICERTN
      NCSA_THAICERT
    • Cyber Threat Intelligence 16 July 2026

      Industrial Sector

      • ICS Patch Tuesday: Vulnerabilities Fixed By Siemens, Schneider, Rockwell
        "Industrial giants Siemens, Schneider Electric, and Rockwell Automation have published July 2026 Patch Tuesday advisories to inform customers about vulnerabilities found in their ICS products. Siemens published nine new advisories, including six that cover critical vulnerabilities (based on CVSS score). A CVSS score of 10 has been assigned to a token invalidation vulnerability in Opencenter X that allows an attacker to bypass authentication and gain full access to the application. Critical vulnerabilities have also been patched or mitigated by Siemens in Mendix, Sidis Secured SmartPlug, Simatic S7-1500, Cadra, and Desigo CC. The security holes, many of which affect third-party components, can be exploited to launch DoS attacks, execute code, obtain sensitive data, and escalate privileges."
        https://www.securityweek.com/ics-patch-tuesday-vulnerabilities-fixed-by-siemens-schneider-rockwell/

      New Tooling

      • SingGuard-NSFA: Open-Source Guardrails For Agentic AI
        "SingGuard-NSFA is an open-source guardrail framework aimed at operational threats in agent workflows. Four models ship at 0.8B, 2B, 4B, and 9B parameters, all built on Qwen3.5 base backbones. The NSFA risk taxonomy organizes threats along the CIA triad of confidentiality, integrity, and availability. It defines 185 risk variants grouped under a smaller set of top-level domains and mid-level categories, cross-validated against three OWASP guidelines."
        https://www.helpnetsecurity.com/2026/07/15/singguard-nsfa-open-source-agentic-ai-guardrails/
        https://github.com/inclusionAI/SingGuard-NSFA

      Vulnerabilities

      • Zoom Warns Of Critical Account Takeover Vulnerability
        "Zoom is warning of a critical vulnerability in its desktop client and software development kit for Windows that could be exploited by an unauthenticated party to hijack accounts. Discovered internally, the security issue is tracked as CVE-2026-53412 and received a severity score of 9.8 out of 10. In an advisory this week, the messaging platform says that the flaw affects Zoom Workplace for Windows before version 7.0.0, the Windows VDI Client before versions 7.0.10, 6.6.15, and 6.5.18, and the Meeting SDK for Windows before version 7.0.0."
        https://www.bleepingcomputer.com/news/security/zoom-warns-of-critical-account-takeover-vulnerability/
        https://www.zoom.com/en/trust/security-bulletin/zsb-26014/
      • Vulnerabilities Patched By Fortinet, Ivanti, ServiceNow
        "Fortinet, Ivanti, and ServiceNow on Tuesday rolled out patches for 15 vulnerabilities across their products. ServiceNow resolved a critical remote code execution (RCE) flaw in the ServiceNow AI platform that can be exploited without authentication. The bug is tracked as CVE-2026-6875 (CVSS score of 9.5). “ServiceNow addressed this vulnerability by deploying a security update to hosted instances. Relevant security updates have also been provided to ServiceNow self-hosted customers and partners,” the company said. Ivanti released fixes for two security defects in its data aggregation and visualization tool Xtraction, tracked as CVE-2026-14902 and CVE-2026-14903."
        https://www.securityweek.com/vulnerabilities-patched-by-fortinet-ivanti-servicenow/
      • Critical Vulnerabilities Patched With Fresh Chrome 150, Firefox 152 Updates
        "Google and Mozilla have released fresh Chrome 150 and Firefox 152 updates that resolve critical-severity vulnerabilities. Mozilla rolled out Firefox 152.0.6 with patches for two critical security defects, warning that exploit code has been published for both. The bugs are tracked as CVE-2026-15718 and CVE-2026-15719, and are described as an invalid pointer in the ‘JavaScript: WebAssembly’ component and a site isolation issue in the ‘DOM: Navigation’ component."
        https://www.securityweek.com/critical-vulnerabilities-patched-with-fresh-chrome-150-firefox-152-updates/
        https://thehackernews.com/2026/07/firefox-chrome-adobe-and-vmware-updates.html
      • CISA Adds Two Known Exploited Vulnerabilities To Catalog
        "CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
        CVE-2023-4346 KNX Association KNX Protocol Connection Authorization Option 1 Overly Restrictive Account Lockout Mechanism Vulnerability
        CVE-2026-46817 Oracle E-Business Suite Improper Privilege Management Vulnerability"
        https://www.cisa.gov/news-events/alerts/2026/07/15/cisa-adds-two-known-exploited-vulnerabilities-catalog
      • PromptFiction: One-Click Claude Desktop Vulnerability
        "A single click on a trusted-looking link runs an attacker's instructions inside Claude Desktop. No confirmation, no review. Claude Desktop registers a claude:// URL scheme. Click a link that uses it and the app opens, takes a prompt from the link, and submits it. The user never sees the full prompt, and never approves it. We proved it with a decoy ASCII-art tool: the link it hands you carries a request you can read and an instruction you cannot. The same channel can plant a hidden prompt, exfiltrate conversation history, read the file system, or execute code."
        https://www.oasis.security/resources/reports/claude-url-scheme-prompt-injection
        https://pages.oasis.security/rs/106-PZV-596/images/promptfiction-claude-desktop-technical-report.pdf?version=0
        https://www.darkreading.com/vulnerabilities-threats/claude-flaw-malicious-prompts-ai-agents
        https://hackread.com/promptfiction-flaw-auto-prompts-claude-desktop/
      • The Cursor Deeplink Vulnerability That Turns a “review This PR” Click Into Remote Code Execution
        "A crafted cursor:// link installs an attacker-controlled MCP server that executes unsandboxed commands under your account. The install dialog is supposed to be the safeguard, but it doesn’t reliably show the command being approved. The attack comes in two variants. Both hide the real command inside the dialog, one also disguises the link as a routine code review. Cursor’s own triage named the root cause in writing, closed the report as a duplicate, but the latest build is still vulnerable. An attacker, posing as a teammate, sends you a link to review a pull request. You click it, Cursor opens, and a dialog asks you to install an MCP server with a command that looks routine. You approve it the way you approve a dozen prompts a day. The MCP server is attacker-controlled, and it now runs commands as you, with no sandbox between it and your files, your tokens, and your shell."
        https://adversa.ai/blog/cursor-security-deepjack-deeplink-vulnerability-mcp-rce/
        https://www.darkreading.com/application-security/2-click-cursor-exploit-dev-environment-takeover
      • An AI Overthinking Attack Can Tie a Robot Up For Over a Minute
        "Robots that read the world through cameras now lean on large vision-language models to interpret what they see and decide what to do next. These models handle images and text together, so any words that fall inside the camera frame become part of the input. A stop sign, a street name, a sticker on a wall. Researchers at Michigan Technological University have shown that this reading habit opens a door for attackers, and the door leads to a denial-of-service problem that looks nothing like the ones most defenders track."
        https://www.helpnetsecurity.com/2026/07/15/robot-ai-overthinking-attack/
        https://arxiv.org/pdf/2607.01518
      • Researcher Drops New Windows Zero-Day PoC Hours After Microsoft Patch Tuesday
        "Security researcher Chaotic Eclipse (aka Nightmare-Eclipse) has released a new proof-of-concept (PoC) exploit called LegacyHive. It has been described as a Windows User Profile Service arbitrary hive load elevation of privileges vulnerability. The Windows User Profile Service, also referred to as ProfSvc, is a core system component that manages user accounts and environments. "The PoC requires another standard user credential and a third username (which can be an administrator account)," Chaotic Eclipse said. "If the PoC is successful, it will end up mounting the target user hive in the current user classes root.""
        https://thehackernews.com/2026/07/researcher-drops-new-windows-zero-day.html
        https://securityaffairs.com/195418/hacking/chaotic-eclipse-unveils-legacyhive-exploit-affecting-fully-patched-windows-systems.html
        https://www.theregister.com/security/2026/07/15/microsofts-serial-tormentor-drops-legacyhive-0-day/5271723

      Malware

      • Case Study: Distribution Of a CoinMiner Targeting Linux SSH Servers Via Malware Distribution Via Network Transmission
        "The AhnLab SEcurity intelligence Center (ASEC) is monitoring attacks targeting poorly managed Linux servers using multiple honeypots. Recently, ASEC identified cases where malware with propagation capabilities was used to install the XMRig CoinMiner. In these attack cases, malware such as ShellBot, MIG LogCleaner, and XHide were used. The threat actors created and used downloaders and propagation malware written in the Go programming language; they also built and used scripts with Shc (Shell Script Compiler). The same threat actors appear to have been carrying out these attacks since at least 2023."
        https://asec.ahnlab.com/en/94484/
      • Six Minutes To Compromise: How ‘Patriot Bait’ Actor Used AI To Build And Deploy a C&C Botnet
        "TrendAI™ Research obtained and analyzed 200 Gemini CLI session logs from the Russian-speaking threat actor known as “bandcampro” that provided a month-long window (March 19-April 21, 2026) into the actor's daily AI-assisted operations. The logs documented how the threat actor used an AI agent to migrate a command-and-control (C&C) server, and to control a small-scale botnet, among other hacking activities. The actor used Google Gemini CLI to deploy and operate a C&C infrastructure to control eight computers in a dental clinic and access their OpenDental database."
        https://www.trendmicro.com/en_us/research/26/g/actor-behind-patriot-bait-used-ai-to-deploy-c2-botnet.html
        https://www.bleepingcomputer.com/news/security/google-gemini-cli-abused-as-a-hacking-agent-malware-botnet-operator/
      • Coordinated AsyncAPI Supply Chain Attack: Miasma RAT Delivered Via Compromised CI/CD Pipelines In Two Repositories
        "On July 14, 2026 at 07:10 UTC, three packages in the AsyncAPI generator monorepo (@asyncapi/[email protected], @asyncapi/[email protected], and @asyncapi/[email protected]) were published to npm carrying an obfuscated dropper that fires the moment the library is loaded, not on install. The packages were published through the project's own legitimate GitHub Actions release workflow and carry valid npm OIDC provenance attestations, because the attacker didn't steal an npm token: they gained push access to the repository's next branch and let the project's real CI/CD pipeline do the publishing for them."
        https://www.stepsecurity.io/blog/compromised-next-branch-pushes-malicious-asyncapi-generator-generator-helpers-and-generator-components-to-npm
        https://www.ox.security/blog/asyncapi-npm-organization-compromised-2m-weekly-downloads-affected/
        https://safedep.io/asyncapi-generator-supply-chain-attack-miasma-rat/
        https://socket.dev/blog/asyncapi-supply-chain-attack
        https://www.bleepingcomputer.com/news/security/-asyncapi-npm-packages-infected-with-credential-stealing-malware/
        https://thehackernews.com/2026/07/compromised-asyncapi-npm-packages.html
        https://securityaffairs.com/195395/security/asyncapi-npm-supply-chain-attack-malware-injected-into-packages-with-2-million-weekly-downloads.html
      • When Routine Becomes The Threat: The Evolution Of Finance-Themed Phishing
        "Finance-themed phishing campaigns are evolving toward process-oriented messaging tactics, in which email subject lines are utilizing more process-driven language rather than pressure-driven. Threat actors are shifting away from messaging that uses overt emotional urgency and toward ordinary business language that mirrors daily financial workflows. We are seeing these campaigns more frequently, which may indicate a shift towards a more widely adopted approach. This trend also presents detection challenges, making these messages harder to distinguish as they closely resemble legitimate finance-related email correspondences such as invoices, remittance notices, procurement requests, contract revisions, and vendor follow-ups that are likely to bypass AI-based security email gateways (SEGs) and other email security technologies."
        https://cofense.com/blog/when-routine-becomes-the-threat-the-evolution-of-finance-themed-phishing
      • Cyberstalkers Are Exploiting Chrome Sync To Spy On Victims
        "Emma* (not her real name) thought she’d finally found a way out. Late one night, while her partner was asleep, she spent twenty minutes searching for a family lawyer and reading through a domestic abuse support website, careful to close the tabs afterwards. Two days later, her partner brought it up. He knew which website she’d visited and exactly when. Emma had been careful to only ever use her own device, and she hadn’t noticed any new apps appear on her phone. What she didn’t know was that weeks earlier, during a few unattended minutes with her phone, he had opened the Chrome app and quietly signed it into a Google account of his own."
        https://www.certosoftware.com/insights/cyberstalkers-exploiting-chrome-sync-to-spy/
        https://cyberscoop.com/google-chrome-sync-cyberstalking-exploit/
      • The Agentic Attacker: One Objective, One Prompt, Forty Minutes, Domain Admin – Game Over
        "In a controlled enterprise lab, we tested how far an agentic attack stack could go by harnessing a frontier model with an agent platform, MCP-enabled tooling, operational context, and enough autonomy to execute a complete attack path. We demonstrated a complete end-to-end attack chain, from external access to Domain Administrator privileges, using an agentic attack stack in a controlled Active Directory environment. A condensed video demonstration of the successful execution is included as part of this research."
        https://www.catonetworks.com/blog/the-agentic-attacker-one-objective-one-prompt-forty-minutes-domain-admin-game-over/
        https://cyberscoop.com/ai-cybersecurity-harness-autonomous-hacking/
      • SeasonalInvite: New Phishing Campaign Abuses eCards And RMM
        "A phishing campaign we named SeasonalInvite has been deploying and abusing commercial Remote Monitoring and Management (RMM) tools on victims since at least January 2026, using social engineering themes tied to the seasonal calendar. The campaign targets both Windows and macOS users. This investigation confirmed abuse of four RMM tools: ConnectWise ScreenConnect, LogMeIn Resolve, Kaseya, and O&O Syspectr. We identified 959 eCard-themed domains and a Traffic Distribution System (TDS) using 2,658 gate pages to route victims to phishing pages while blocking automated security scanners."
        https://www.forescout.com/blog/seasonalinvite-new-phishing-campaign-abuses-ecards-and-rmm/
        https://www.infosecurity-magazine.com/news/seasonalinvite-phishing-ecards-rmm/
      • OkoBot: New Sophisticated Malware Framework Targets Cryptocurrency Users
        "In January 2026, we identified multiple attacks involving unknown malware that captures the contents of cryptocurrency wallet windows. During the investigation, we reconstructed the complete infection chain, which consisted of four tightly linked stages initiated by the execution of the previously described malicious PowerShell script TookPS. However, this campaign differs from previous activity in that it uses a new framework to deliver all malicious modules and orchestrate them via an SSH tunnel. In total, the framework includes more than 20 malicious payloads and implants, covering a wide variety of functions. At the time of writing, the threat remains active."
        https://securelist.com/okobot-framework-targets-cryptocurrency-wallets/120660/
        https://thehackernews.com/2026/07/okobot-malware-framework-injects-seed.html
      • ClaudeFix: Shared Claude Chats Meet ClickFix
        "ClickFix is a widely employed attack technique, first seen in 2024, where a victim is instructed to paste-and-run instructions on their system to “fix” a problem or install software. The seemingly benign instructions are, in fact, malicious and lead to the deployment of malware onto the victim’s system. Zscaler Threat Hunting has identified recent ClickFix attacks abusing Anthropic’s Claude platform through the use of shareable Claude chats to host these instructions, which marks a shift from typical attacks. As AI platforms have grown in popularity, threat actors have increasingly abused legitimate features such as shareable chats to lend credibility to malicious content. In this blog post, the Zscaler Threat Hunting team examines a MacSync Stealer campaign distributed through shared Claude chats."
        https://www.zscaler.com/blogs/security-research/claudefix-shared-claude-chats-meet-clickfix
      • Bind Link Abuse: One Windows Feature, Many Ways To Blind Your EDR
        "Windows includes a file-system virtualization feature that can redirect one local path to another without modifying the original file or leaving a persistent filesystem artifact. It is implemented by bindflt.sys, the Bind Filter minifilter driver, and used legitimately by Store apps, Windows Sandbox, and Windows containers. Bitdefender Labs documented and named three new techniques that an attacker running as a local administrator can use to blind EDR sensors and bypass built-in Windows defenses such as AMSI and AppLocker."
        https://businessinsights.bitdefender.com/bind-link-abuses-windows-feature-edr-evasion-technique
        https://www.securityweek.com/windows-bind-link-attacks-can-hide-malware-from-edr-tools/
      • TuxBot v3: Inside An IoT Botnet Framework With LLM-Assisted Development
        "We identified a previously undocumented modular internet-of-things (IoT) botnet framework named TuxBot v3 Evolution. The malware authors leveraged an LLM to assist in their code development, yielding mixed results. While the AI complied with their request to generate botnet code, it included a safety disclaimer that the developer failed to remove before shipping. Although the LLM clearly aided in constructing the botnet, several functions in the analyzed samples failed to work correctly. While a manual code review could have easily resolved these errors, the authors neglected this step. However, it is highly likely that corrected, more polished iterations exist, which significantly elevates the potential threat posed by this malware."
        https://unit42.paloaltonetworks.com/tuxbot-v3-evolution-iot-botnet/
        https://thehackernews.com/2026/07/tuxbot-v3-evolution-shows-signs-of-llm.html
      • 'The Bots Are Alive!' Jailbroken Gemini Spun Up New C2 Server For Russian Fraudster In Just 6 Minutes
        "A jailbroken Google Gemini did 90 percent of the work in a credential- and cryptocurrency-stealing spree, including spinning up a new command-and-control (C2) server in just six minutes, according to a TrendAI report shared exclusively with The Register. The human behind the heist – a solo Russian-speaking miscreant known as “bandcampro” – acted as the manager of the cyber-fraud operation, which targeted hardcore Trump supporters and conspiracy theorists."
        https://www.theregister.com/research/2026/07/14/the-bots-are-alive-jailbroken-gemini-spun-up-new-c2-server-for-russian-fraudster-in-just-6-minutes/5270131
      • Clubfoot Wolf Launches Massive Offensive On Russian Businesses
        "In May and June 2026, the Clubfoot Wolf cluster conducted a large‑scale campaign targeting Russian organizations across the following sectors: manufacturing, retail, e‑commerce, agriculture, IT, transportation, healthcare, and science. The primary targets were Russian wholesale distributors of chemical products. The adversary also attacked several organizations in Belarus."
        https://bi.zone/eng/expertise/blog/clubfoot-wolf-massovo-komprometiruet-rossiyskie-kompanii/
      • Suspected Chinese Operators Use Claude Code And DeepSeek To Target Government And Financial Systems Across Four Countries
        "In June 2026, a pivot from known TencShell C2 infrastructure led us to an open directory exposing an active intrusion campaign. TencShell is a Go-based implant derived from the open-source Rshell framework, first documented by Cato CTRL in May 2026 and assessed there as suspected China-linked. The directory held victim source code, custom exploit scripts, operational logs, and cloned login pages, with the attack notes written in Simplified Chinese. What caught our attention was the tooling behind it. Claude Code and DeepSeek-v4-pro ran as working parts of the intrusion, not tools off to the side. They handled reasoning for bypass techniques, reworked exploits after failed attempts, and built the phishing pages used to harvest credentials. That puts this campaign alongside Anthropic's November 2025 disclosure of a China-linked operation that used Claude Code to automate large-scale intrusions."
        https://hunt.io/blog/chinese-operators-claude-deepseek-government-intrusion
      • No Single Pane Of Glass: Anatomy Of An Azure Permission Takeover
        "The Sysdig Threat Research Team (TRT) recently watched as an attacker started with a single leaked service-principal credential and, by the next morning, owned the tenant. This attacker took complete, dual-plane control of the tenant with Global Administrator (GA) ownership of the directory and root-level access over every resource. They planted persistence across dozens of identities and took the keys to the telemetry pipeline that was supposed to be watching them. Stopping this attack was easy. However, analyzing the attack was actually quite complex, and it came down to one question with many answers:"
        https://www.sysdig.com/blog/no-single-pane-of-glass-anatomy-of-an-azure-permission-takeover

      Breaches/Hacks/Leaks

      • Infostealer Malware Triggers Major Database Breach At The Argentine Football Association
        "When the Argentine Football Association (AFA) suffered a significant cyberattack, media outlets were quick to cover the fallout. The breach resulted in sensitive database leaks and unauthorized communications originating from official AFA domains, causing severe reputational and operational damage. The incident was also widely reported on X, including from accounts like Polymarket with tens of thousands of likes."
        https://www.infostealers.com/article/infostealer-malware-triggers-major-database-breach-at-the-argentine-football-association/
        https://www.theregister.com/security/2026/07/13/world-cup-grudge-attackers-may-have-scored-argentine-fa-access-via-year-old-infostealer-infection/5270302

      General News

      • Establishing a Coordinated Vulnerability Disclosure Program To Work With Security Researchers
        "Developed by CISA, the National Security Agency (NSA) and international partners, this joint guidance contains best practices for software manufacturers and online service providers to design and implement a coordinated vulnerability disclosure (CVD) program for working with external security researchers that includes a clear vulnerability disclosure policy (VDP) and process for triaging, remediating and assigning Common Vulnerabilities and Exposures (CVE) identifiers to reported vulnerabilities. The guidance also provides considerations for leveraging third-party intermediaries, like CISA or other national computer security incident response teams, to substitute or supplement a CVD program."
        https://www.cisa.gov/resources-tools/resources/establishing-coordinated-vulnerability-disclosure-program-work-security-researchers
        https://www.cisa.gov/sites/default/files/2026-07/joint-guide-establishing-a-cvd-program-to-work-with-security-researchers_508c.pdf
      • June 2026 Infostealer Trend Report
        "This report summarizes the distribution channels, number of Infostealers, number of detections, and information on companies disguised by new Infostealers collected during June 2026. The collected samples were obtained through an automated data collection system, an email honeypot system, and an automated malware C2 analysis system operated by ASEC (AhnLab SEcurity intelligence Center)."
        https://asec.ahnlab.com/en/94486/
      • Dutch Police Bust Investment Fraud Ring Stealing Over €100 Million
        "The Dutch Police announced the arrest of multiple individuals suspected of being part of an international investment fraud scheme estimated to have tens of thousands of victims. The group is believed to have operated 20 call centers, with more than 700 people posing as financial advisers. Authorities estimate that the criminal organization at one point made more than 100 million euros ($114 million) per month. The call centers were located in different places across multiple countries, and each hosted several teams with distinct roles and targeting focuses."
        https://www.bleepingcomputer.com/news/security/dutch-police-bust-investment-fraud-ring-stealing-over-100-million/
        https://therecord.media/dutch-police-dismantle-global-crypto-investment-scam
      • US Charges Alleged Operators Of Russian Bulletproof Hosting Service
        "U.S. federal prosecutors have unsealed charges against three Russian nationals, accusing them of providing bulletproof hosting (BPH) services to ransomware gangs that caused over $62 million in damages to victims worldwide. BPH providers lease servers that help hinder disruption efforts targeting their malicious activities, including malware delivery, command-and-control operations, phishing attacks, and illicit content hosting. They market themselves as "bulletproof" by ignoring victims' complaints and subsequent law enforcement takedown requests."
        https://www.bleepingcomputer.com/news/security/us-charges-alleged-russian-bulletproof-hosting-service-operators/
        https://www.bankinfosecurity.com/feds-target-widely-used-russian-bulletproof-hosting-services-a-32230
        https://www.securityweek.com/us-charges-russian-individuals-and-firms-for-running-cybercrime-services/
      • The State Of Ransomware 2026: Payments Are Dropping But Encryption Is Climbing
        "This year's data has a few eyebrow-raising departures from the patterns of past State of Ransomware reports. Exploited vulnerabilities lost their three-year grip on the top root-cause spot. Median ransom demands and payments both dropped, yet the average recovery bill still climbed. And small organizations (100-250 employees) are falling further behind their larger peers on the one metric that matters most: stopping the attack before data gets encrypted. The seventh annual Sophos State of Ransomware report is based on a vendor-agnostic survey of 2,158 IT and security leaders whose organizations were hit by ransomware in the last 12 months."
        https://www.sophos.com/en-us/blog/sophos-state-of-ransomware-2026
        https://www.darkreading.com/identity-access-management-security/identity-attacks-overtake-exploits-top-ransomware-cause
        https://www.infosecurity-magazine.com/news/compromised-logins-ransomware-entry/

      อ้างอิง
      Electronic Transactions Development Agency (ETDA) 0f940cfe-606c-472c-ac6d-a3d012ad250a-image.png

      โพสต์ใน Cyber Security News
      NCSA_THAICERTN
      NCSA_THAICERT
    • Progress ยืนยันช่องโหว่ Zero-Day ใน ShareFile พร้อมออกแพตช์แก้ไข

      Progress ยืนยันช่องโหว่ Zero-Day ใน ShareFile พร้อมออกแพตช์.png

      สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand 815f51ab-f04d-475b-8897-0f54d7226399-image.png

      โพสต์ใน Cyber Security News
      NCSA_THAICERTN
      NCSA_THAICERT
    • CISA เตือนผู้ดูแลระบบเร่งแพตช์ช่องโหว่ SharePoint Server ที่ถูกใช้โจมตี

      CISA เตือนผู้ดูแลระบบเร่งแพตช์ช่องโหว่ SharePoint Ser.png

      สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand db9e6d25-4b92-4e97-864c-0a3c4f501b94-image.png

      โพสต์ใน Cyber Security News
      NCSA_THAICERTN
      NCSA_THAICERT
    • SonicWall แจ้งเตือนช่องโหว่ Zero-Day บนอุปกรณ์ SMA1000 แนะผู้ดูแลระบบเร่งอัปเดตแพตช์เพื่อความปลอดภัย

      SonicWall แจ้งเตือนช่องโหว่ Zero-Day บนอุปกรณ์ SMA1000 แนะผ.png

      สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand 88d0bc81-4a7d-4742-a48f-29d55c066510-image.png

      โพสต์ใน Cyber Security News
      NCSA_THAICERTN
      NCSA_THAICERT
    • CISA เผยแพร่คำแนะนำด้านระบบควบคุมอุตสาหกรรม (ICS) จำนวน 5 รายการ

      Cybersecurity and Infrastructure Security Agency (CISA) ได้เผยแพร่คำแนะนำเกี่ยวกับระบบควบคุมอุตสาหกรรม (ICS) จำนวน 5 รายการ เมื่อวันที่ 14 กรกฏาคม 2569 เพื่อให้ข้อมูลที่ทันเวลาเกี่ยวกับประเด็นด้านความมั่นคงปลอดภัย ช่องโหว่ และการโจมตีที่เกี่ยวข้องกับระบบ ICS โดยมีรายละเอียดดังนี้

      • ICSA-26-195-01 ABB Advant Master Online Builder
      • ICSA-26-195-02 ABB Ability Edgenius
      • ICSA-26-195-03 ABB T-MAC Plus
      • ICSA-26-195-04 Rockwell Automation 1715 EtherNet/IP Communications Module
      • ICSA-25-352-01 Inductive Automation Ignition (Update A)

      อ้างอิง
      https://www.cisa.gov/news-events/ics-advisories c6e2e267-7840-4c4e-aa21-fd663bcc6015-image.png

      โพสต์ใน OT Cyber Security News
      NCSA_THAICERTN
      NCSA_THAICERT
    • CISA เพิ่มช่องโหว่ที่ถูกใช้โจมตี 4 รายการลงในแคตตาล็อก

      เมื่อวันที่ 14 กรกฏาคม 2569 Cybersecurity and Infrastructure Security Agency (CISA) ได้เพิ่มช่องโหว่ใหม่ 4 รายการลงในแคตตาล็อก Known Exploited Vulnerabilities (KEV) จากหลักฐานที่พบว่ามีการโจมตีใช้งานจริงแล้ว มีรายละเอียดดังนี้

      • CVE-2026-15409 SonicWall SMA1000 Appliances Server-Side Request Forgery Vulnerability
      • CVE-2026-15410 SonicWall SMA1000 Appliances Code Injection Vulnerability
      • CVE-2026-56155 Microsoft Active Directory Federation Services Insufficient Granularity of Access Control Vulnerability
      • CVE-2026-56164 Microsoft SharePoint Server Missing Authentication for Critical Function Vulnerability

      อ้างอิง
      https://www.cisa.gov/news-events/alerts/2026/07/14/cisa-adds-four-known-exploited-vulnerabilities-catalog

      สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand 554f257a-9846-40a0-b0e2-2eb315006ebd-image.png

      โพสต์ใน Cyber Security News
      NCSA_THAICERTN
      NCSA_THAICERT