NCSA Webboard

    NCSA_THAICERT

    @NCSA_THAICERT

    Website: www.ncsa.or.th/?fbclid=IwAR0BqJEC-CJzBs98rlBxUbZkNBgp1g814xdDNNaKnHTrxfqZhPD--ksY68I

    Global Moderator administrators

    Latest posts made by NCSA_THAICERT

    • CISA Adds One Exploited Vulnerability to Its Catalog

      On 11 March 2026, the Cybersecurity and Infrastructure Security Agency (CISA) added one new vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation in the wild:

      • CVE-2025-68613 n8n Improper Control of Dynamically-Managed Code Resources Vulnerability

      CISA continuously updates the KEV catalog with newly exploited vulnerabilities so that it reflects the risks actually observed now and in the future.

      References
      https://www.cisa.gov/news-events/alerts/2026/03/11/cisa-adds-one-known-exploited-vulnerability-catalog
      You can follow news on the webboard or on the NCSA Thailand Facebook page.

      Posted in Cyber Security News
      NCSA_THAICERT
    • Cyber Threat Intelligence 12 March 2026

      Industrial Sector

      • Apeman Cameras
        "Successful exploitation of these vulnerabilities could allow an attacker to take control of the device or view camera feeds."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-069-01
      • Lantronix EDS3000PS And EDS5000
        "Successful exploitation of these vulnerabilities could allow an attacker to bypass authentication and execute code with root-level privileges."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-069-02
      • Honeywell IQ4x BMS Controller
        "Successful exploitation of this vulnerability could allow an unauthorized attacker to access controller management settings, control components, disclose information, or cause a denial-of-service condition."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-069-03
      • ICS Patch Tuesday: Vulnerabilities Fixed By Siemens, Schneider, Moxa, Mitsubishi Electric
        "Industrial giants Siemens, Schneider Electric, Mitsubishi Electric, and Moxa have published new Patch Tuesday advisories for vulnerabilities found recently in their ICS products. Siemens and Schneider Electric have each published six new advisories. Each of Schneider’s new advisories addresses one vulnerability. The company has informed customers about high-severity issues in EcoStruxure IT Data Center Expert (hardcoded credentials), EcoStruxure Power Monitoring Expert and Power Operation (local arbitrary code execution), and EcoStruxure Automation Expert (command execution and full system compromise)."
        https://www.securityweek.com/ics-patch-tuesday-vulnerabilities-fixed-by-siemens-schneider-moxa-mitsubishi-electric/
      • Ceragon Siklu MultiHaul And EtherHaul Series
        "Successful exploitation of this vulnerability could result in arbitrary file upload to the target equipment."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-069-04

      New Tooling

      • Cloud-Audit: Fast, Open-Source AWS Security Scanner
        "Running AWS security audits without a dedicated security team typically means choosing between enterprise platforms with per-check billing and generic open-source scanners that produce findings with no remediation guidance. Cloud-audit, a Python CLI tool published on GitHub by Mariusz Gebala, takes a narrower scope and attaches a fix to every finding it generates."
        https://www.helpnetsecurity.com/2026/03/11/cloud-audit-open-source-aws-security-scanner/
        https://github.com/gebalamariusz/cloud-audit

      Vulnerabilities

      • Fortinet, Ivanti, Intel Patch High-Severity Vulnerabilities
        "Fortinet, Ivanti, and Intel on Tuesday rolled out security fixes for dozens of vulnerabilities, including high-severity bugs that could be exploited for arbitrary code execution, privilege escalation, or security protection bypasses. Fortinet announced patches for 22 security defects across its products, including high-severity flaws in FortiWeb, FortiSwitchAXFixed, FortiManager, and FortiClientLinux. The FortiWeb, FortiSwitchAXFixed, and FortiManager issues could be exploited by remote, unauthenticated attackers to bypass the authentication rate limit or execute unauthorized code or commands."
        https://www.securityweek.com/fortinet-ivanti-intel-patch-high-severity-vulnerabilities/
      • Zero Click Unauthenticated RCE In n8n: A Contact Form That Executes Shell Commands
        "Pillar Research team found a zero-click, unauthenticated RCE in n8n. Anyone who can reach a public multi-step form with an HTML rendering can execute shell commands on the server. We worked with the n8n team to fix it. If you use n8n Cloud, you're already protected. If you're self-hosting, update to 2.10.1 / 2.9.3 / 1.123.22 now. This is CVE-2026-27493: an unauthenticated, zero-click RCE affecting every n8n instance that exposes a multi-step form with an HTML rendering step that displays user input back to the submitter. We scanned for publicly accessible n8n form endpoints and identified over 50,000 potentially vulnerable forms exposed to the internet. The attack requires nothing more than a browser."
        https://www.pillar.security/blog/zero-click-unauthenticated-rce-in-n8n-a-contact-form-that-executes-shell-commands
        https://thehackernews.com/2026/03/critical-n8n-flaws-allow-remote-code.html
      • CISA Adds One Known Exploited Vulnerability To Catalog
        "CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
        CVE-2025-68613 n8n Improper Control of Dynamically-Managed Code Resources Vulnerability"
        https://www.cisa.gov/news-events/alerts/2026/03/11/cisa-adds-one-known-exploited-vulnerability-catalog
        https://www.bleepingcomputer.com/news/security/cisa-orders-feds-to-patch-n8n-rce-flaw-exploited-in-attacks/
      • 400,000 WordPress Sites Affected By Unauthenticated SQL Injection Vulnerability In Ally WordPress Plugin
        "On February 4th, 2026, we received a submission for an SQL Injection vulnerability in Ally, a WordPress plugin estimated to have more than 400,000 active installations. This vulnerability can be leveraged to extract sensitive data from the database, such as password hashes. Props to Drew Webber (mcdruid) who discovered and responsibly reported this vulnerability through the Wordfence Bug Bounty Program. This vulnerability was reported to our program just five days after it was introduced. This researcher earned a bounty of $800.00 for this discovery. Our mission is to secure WordPress through defense in depth, which is why we are investing in quality vulnerability research and collaborating with researchers of this caliber through our Bug Bounty Program."
        https://www.wordfence.com/blog/2026/03/400000-wordpress-sites-affected-by-unauthenticated-sql-injection-vulnerability-in-ally-wordpress-plugin/
        https://www.bleepingcomputer.com/news/security/sqli-flaw-in-elementor-ally-plugin-impacts-250k-plus-wordpress-sites/
      • DirectX, OpenFOAM, Libbiosig Vulnerabilities
        "Cisco Talos’ Vulnerability Discovery & Research team recently disclosed vulnerabilities in the BioSig Project Libbiosig library and OpenCFD OpenFOAM, as well as an unpatched vulnerability in Microsoft DirectX. The vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in adherence to Cisco’s third-party vulnerability disclosure policy, apart from the DirectX vulnerability."
        https://blog.talosintelligence.com/directx-openfoam-libbiosig-vulnerabilities/

      Malware

      • The Return Of PhantomRaven: Detecting Three New Waves Of Npm Supply Chain Attacks
        "Endor Labs identified 88 new malicious npm packages belonging to three new waves (Wave 2, 3, and 4) of the PhantomRaven campaign distributed between November 2025 and February 2026. At the time of writing, the campaign remains active: 81 of the 88 packages are still available on npm, and two of the three new command-and-control servers continue to operate. PhantomRaven is a software supply chain attack that uses Remote Dynamic Dependencies (RDD) to hide credential-stealing malware in non-registry dependencies that bypass standard security scanning. The first wave affecting 126+ packages with over 86,000 downloads, was first described by Koi Security in October 2025."
        https://www.endorlabs.com/learn/return-of-phantomraven
        https://www.bleepingcomputer.com/news/security/new-phantomraven-npm-attack-wave-steals-dev-data-via-88-packages/
      • Weaponizing Telegram Bots: How Threat Actors Exfiltrate Credentials
        "Telegram is a free, online instant messenger platform that is also commonly abused by threat actors for a wide range of malicious activities. One of Telegram’s notable features is its extensive collection of web APIs, one of which is used to interact with automated bot accounts. Notably, Telegram bot accounts are still capable of posting messages in chats and uploading arbitrary files such as screenshots or archives of stolen information. As such, Telegram bots are often used by threat actors as a method of data exfiltration through a technically legitimate service."
        https://cofense.com/blog/weaponizing-telegram-bots-how-threat-actors-exfiltrate-credentials
      • Inside p1bot: A Vishing Platform Weaponizing ElevenLabs
        "The threat intelligence community has been sounding the alarm on AI-powered social engineering for over a year. OpenAI's quarterly disruption reports have documented threat actors using LLMs to craft phishing lures, generate fake resumes, and scale influence operations. Google's Mandiant team published research in 2024 showing how AI-powered voice spoofing has been incorporated into red team operations, demonstrating just how convincing synthetic voices have become. Academic researchers have even built proof-of-concept vishing bots using off-the-shelf APIs (OpenAI's GPT for conversation, ElevenLabs for voice synthesis, Twilio for telephony) and demonstrated them against human subjects."
        https://www.miragesecurity.ai/blog/inside-p1bot-vishing-platform-weaponizing-elevenlabs
        https://www.helpnetsecurity.com/2026/03/11/researchers-uncover-ai-powered-vishing-platform/
      • Phishers Hide Scam Links With IPv6 Trick In “free Toothbrush” Emails
        "A recurring lure in phishing emails impersonating United Healthcare is the promise of a free Oral-B toothbrush. But the interesting part isn’t the toothbrush. It’s the link. Recently we found that these phishers have moved from using Microsoft Azure Blob Storage (links looking like this: https://{string}.blob.core.windows.net/{same string}/1.html) to links obfuscated by using an IPv6-mapped IPv4 address to hide the IP in a way that looks confusing but is still perfectly valid and routable. For example: http://[::ffff:5111:8e14]/"
        https://www.malwarebytes.com/blog/scams/2026/03/phishers-hide-scam-links-with-ipv6-trick-in-free-toothbrush-emails
      • Iran Conflict Drives Heightened Espionage Activity Against Middle East Targets
        "On 28 February 2026, the US and Israel conducted strikes targeting assets inside Iran, in a campaign the US called Operation Epic Fury. According to public sourcing, the attacks targeted Iranian missiles and air defenses, other military infrastructure, and Iranian leadership. Iran responded with retaliatory missile and drone strikes in the region, targeting US embassies and military installations. As the war continues into its second week, several Iranian hacktivist groups and personas have claimed responsibility for various disruptive operations. Iranian espionage-focused threat groups remain somewhat active despite the Iranian government’s shutdown of the internet immediately following the initial US and Israeli attacks."
        https://www.proofpoint.com/us/blog/threat-insight/iran-conflict-drives-heightened-espionage-activity-against-middle-east-targets
      • “AgenticBlabbering”: How AI Browsers’ Verbose Reasoning Fuels The Ultimate Scamming Machine
        "AI Browsers are not just browsing for us, they are browsing as us, with full access to our personal private data. And while they do it, they also talk way too much. This is AgenticBlabbering: a stream of internal reasoning, tool calls, screenshots, and security hesitations that reveals how the browser decides what is “safe enough” to click. By sniffing Comet’s agent traffic, we got a first-of-its-kind view into how an AI Browser actually thinks, and how much of that thinking leaks out. Then we put the black hat on and weaponized it. We fed that blabbering into a GAN-style loop that auto-generates scam flows, critiques and reshapes them using the agent’s own reactions, and iterates until the guardrails go quiet. We expected it to take hours."
        https://guard.io/labs/agenticblabbering---how-ai-browsers-verbose-reasoning-fuels-the-ultimate-scamming-machine
        https://thehackernews.com/2026/03/researchers-trick-perplexitys-comet-ai.html
      • 5 Malicious Rust Crates Posed As Time Utilities To Exfiltrate .env Files
        "Socket’s Threat Research Team uncovered a coordinated supply chain campaign in the Rust ecosystem involving five malicious crates: chrono_anchor, dnp3times, time_calibrator, time_calibrators, and time-sync. RustSec and the GitHub Advisory Database document that crates.io security yanked four of these packages shortly after publication. The fifth package, chrono_anchor, shows the threat actor is adapting. It introduced minor obfuscation and operational changes that reduced obvious indicators and helped it remain listed on crates.io until we identified and reported it."
        https://socket.dev/blog/5-malicious-rust-crates-posed-as-time-utilities-to-exfiltrate-env-files
        https://thehackernews.com/2026/03/five-malicious-rust-crates-and-ai-bot.html
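      The IPv6-mapped IPv4 link trick quoted in the Malwarebytes item above is easy to miss when a blocklist or a log search only knows the dotted-decimal form of an address. The following Python is an added example written for this digest, not code from Malwarebytes or from any project mentioned here: it reduces a URL's host to one canonical form (an IPv4-mapped IPv6 literal such as `[::ffff:5111:8e14]` becomes `81.17.142.20`) and flags links whose canonical host is an IP literal or appears in a block set. The sample message text and the block set are constructed for the example; the mapped literal is the one from the quoted article.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample message for this example; the mapped-IPv6 link is the
# form quoted from the Malwarebytes write-up.
SAMPLE_EMAIL = """\
Subject: Your free Oral-B toothbrush is waiting
Claim it here: http://[::ffff:5111:8e14]/
Manage your preferences: https://www.example.com/prefs.
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def canonical_host(url: str) -> tuple[str, bool]:
    """Return (canonical host, True if the host is an IP literal).

    IPv4-mapped IPv6 literals such as ::ffff:5111:8e14 or ::ffff:81.17.142.20
    are reduced to the IPv4 address they actually route to, so blocklist
    lookups and log searches see one value however the sender wrote the link.
    """
    host = urlsplit(url).hostname  # strips [] around IPv6 literals, lowercases
    if host is None:
        raise ValueError(f"no host in URL: {url!r}")
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return host, False  # ordinary DNS name
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return str(addr.ipv4_mapped), True
    return str(addr), True  # plain IPv4 or native IPv6 literal, normalised


def find_suspicious_links(text: str, blocked_ips: set[str]) -> list[dict]:
    """Scan text for URLs and report IP-literal hosts and blocklist hits."""
    findings = []
    for match in URL_RE.finditer(text):
        url = match.group(0).rstrip(".,;)")  # drop trailing punctuation
        raw_host = urlsplit(url).hostname
        host, is_ip = canonical_host(url)
        reasons = []
        if is_ip:
            reasons.append("ip-literal host")
            if raw_host != host:
                reasons.append(f"obfuscated form {raw_host} -> {host}")
        if host in blocked_ips:
            reasons.append("blocklisted")
        if reasons:
            findings.append({"url": url, "host": host, "reasons": reasons})
    return findings


if __name__ == "__main__":
    # Block set constructed for the example: the IPv4 form of the quoted literal.
    for f in find_suspicious_links(SAMPLE_EMAIL, {"81.17.142.20"}):
        print(f["url"], "->", f["host"], ";", "; ".join(f["reasons"]))
```

      The same canonicalisation should be applied on both sides of a comparison: when the block set is loaded and when each observed link is checked, otherwise a mapped literal and its dotted-decimal twin are still treated as two different hosts.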

      Breaches/Hacks/Leaks

      • Medtech Giant Stryker Offline After Iran-Linked Wiper Malware Attack
        "Leading medical technology company Stryker has been hit by a wiper malware attack claimed by Handala, an Iranian-linked and pro-Palestinian hacktivist group. The medtech giant manufactures a range of products, including surgical and neurotechnology equipment. With over 53,000 employees, Stryker is a Fortune 500 company that reported global sales of $22.6 billion in 2024. Handala says they stole 50 terabytes of data before wiping tens of thousands of systems and servers across the company's network, forcing Stryker to shut down in "an unprecedented blow.""
        https://www.bleepingcomputer.com/news/security/medtech-giant-stryker-offline-after-iran-linked-wiper-malware-attack/
        https://therecord.media/stryker-cyberattack-iran-hackers
        https://www.bankinfosecurity.com/medtech-firm-stryker-disrupted-by-pro-iran-hackers-a-30980
        https://hackread.com/iran-handala-hackers-verifone-stryker-hacks/
        https://www.securityweek.com/medtech-giant-stryker-crippled-by-iran-linked-hacker-attack/
        https://securityaffairs.com/189304/hacktivism/pro-palestinian-hacktivist-group-handala-targets-stryker-in-global-disruption.html
        https://www.theregister.com/2026/03/11/us_medtech_firm_stryker_cyberattack_iran/
      • Xygeni GitHub Action Compromised Via Tag Poison
        "An unidentified threat actor breached one of application security vendor Xygeni's GitHub Actions this month via tag poisoning. Xygeni, which sells a number of AI-powered AppSec products, said in a March 10 security incident report that it "detected suspicious activity affecting the repository used to publish the xygeni/xygeni-action GitHub Action." The attacker used pull requests in an effort to introduce malicious code (a compact command-and-control implant) into the repository, though Xygeni said the attempts were blocked via existing branch detection rules."
        https://www.darkreading.com/application-security/xygeni-github-action-compromised-via-tag-poison
        https://xygeni.io/blog/security-incident-report-xygeni-action-github-action-compromise/
      • 238,000 Impacted By Bell Ambulance Data Breach
        "Ambulance services provider Bell Ambulance is notifying nearly 238,000 individuals that their personal, financial account, medical, and health insurance information was compromised in a February 2025 data breach. The Milwaukee, Wisconsin-based healthcare organization detected the network intrusion on February 13, 2025, and disclosed the incident on April 14, roughly a month after the Medusa ransomware gang claimed responsibility for it. Bell Ambulance said at the time that 114,000 people had been impacted."
        https://www.securityweek.com/238000-impacted-by-bell-ambulance-data-breach/
        https://therecord.media/235000-affected-cyberattack-ambulance-provider
      • Michelin Confirms Data Breach Linked To Oracle EBS Attack
        "Tire giant Michelin has confirmed a data breach stemming from the massive cybercrime campaign that targeted organizations using Oracle’s E-Business Suite (EBS) solution. The Cl0p ransomware and extortion group has taken credit for the EBS hacking campaign, which involved the exploitation of zero-day vulnerabilities to gain access to data stored by the targeted organizations in Oracle’s enterprise management software. It’s worth noting that while Cl0p serves as the public-facing extortion brand for the Oracle EBS campaign, cybersecurity researchers believe the operation was driven by a sophisticated cluster of threat actors, most notably FIN11."
        https://www.securityweek.com/michelin-confirms-data-breach-linked-to-oracle-ebs-attack/
      • Iran-Linked Hackers Claim Cyberattack On Albania’s Parliament Email Systems
        "Albania’s parliament said late Tuesday that it had been targeted by a “sophisticated” cyberattack aimed at deleting data and compromising several internal systems. In a statement shared with local media, parliament said its main systems and official website remained operational but confirmed that internal email services used by the parliamentary administration had been temporarily suspended. The disruption affected both incoming and outgoing communications."
        https://therecord.media/iran-linked-hackers-claim-cyberattack-albania-parliament

      General News

      • The Bridge To AI Value Will Be Built, Not Bought
        "The conversation around artificial intelligence often feels like a pendulum swinging between two extremes: a utopian future of effortless productivity and a dystopian vision of mass job displacement and hollowed-out economic growth. This "ghost GDP" thesis—the idea that AI will create statistical gains that fail to circulate through the real economy—stokes anxiety for business leaders and the public alike. But the facts on the ground from enterprises tell a different story. It’s a more pragmatic, grounded and ultimately more optimistic narrative. The evidence doesn't point to a speculative bubble or a workforce collapse. Instead, it shows a global economy in a period of foundational construction."
        https://www.cognizant.com/us/en/insights/insights-blog/bridge-to-ai-value-will-be-built-not-bought
        https://www.bankinfosecurity.com/plug-and-play-ai-myth-for-enterprises-a-30977
      • Agentic AI Security: Why You Need To Know About Autonomous Agents Now
        "Agentic AI is making headlines worldwide for its potential force-multiplying capabilities, and organizations are understandably intrigued by how it can improve throughput and capabilities. However, as with any technological revolution, unforeseen issues are inevitable, and agentic AI is no exception. In organizations, these issues often arise from deploying personal assistants like OpenClaw or AI agents designed to optimize business and IT processes. Additionally, when personal assistants interact with “social networks” such as Moltbook, they introduce many hidden threats for organizations. These specific risks fall beyond the scope of this article, and will be addressed in a future blog."
        https://blog.talosintelligence.com/agentic-ai-security-why-you-need-to-know-about-autonomous-agents-now/
      • Middle East Conflict Highlights Cloud Resilience Gaps
        "Businesses that counted on the cloud's distributed nature to guarantee their data's availability have had a cold dose of reality during the past two weeks. On Feb. 28, following military strikes by the US and Israel, Iran's Internet traffic fell to less than 1% across all major networks in the country, according to Cloudflare Radar, which tracks Internet traffic internationally. Within 24 hours, Iran responded, targeting infrastructure in the United Arab Emirates, Bahrain, and other Gulf States, hitting two Amazon Web Services' facilities in the UAE with drone strikes, while a third facility in Bahrain suffered "physical impacts to [its] infrastructure," Amazon Web Services stated March 2 on its AWS Health Dashboard."
        https://www.darkreading.com/cyber-risk/middle-east-conflict-highlights-cloud-resilience-gaps
      • France: National Cybersecurity Agency Reports Ransomware Attack Drop In 2025
        "The French Cybersecurity Agency (ANSSI) has confirmed the decline of known ransomware attacks in 2025, in part due to successful law enforcement operations. The latest edition of the agency’s annual threat report, published on March 11, dives into the range of cyber threats that French public and private organizations have faced in 2025. According to ANSSI data, there were 128 ransomware attacks reported in France in 2025, slightly fewer than the 141 such attacks recorded in 2024."
        https://www.infosecurity-magazine.com/news/france-anssi-ransomware-attack/
      • Cyber-Attacks On UK Firms Increase At Four Times Global Rate
        "UK organizations were hit by far fewer cyber-attacks in February than the global average, but the year-on-year (YoY) increase was nearly four times the growth rate worldwide, according to Check Point. The security vendor’s February 2026 Global Threat Intelligence report revealed that it blocked an average of 2086 cyber-attacks per organization per week globally, a 9.8% year-on-year (YoY) increase. In the UK, the figure was only 1504 per week, but that represented a 36% YoY increase. Education, energy & utilities, government, healthcare and financial services were among the most frequently targeted sectors in the UK."
        https://www.infosecurity-magazine.com/news/cyberattacks-uk-firms-increase/
      • How To 10x Your Vulnerability Management Program In The Agentic Era
        "The age of agentic cyberattacks isn’t coming; it’s here. In November 2025, Anthropic disclosed that a Chinese threat actor had weaponized Claude to launch an agentic cyberattack, operating autonomously with minimal human intervention. The artificial intelligence (AI) conducted reconnaissance, exploit development, credential theft, lateral movement and data exfiltration at a speed that no human team could match."
        https://www.securityweek.com/how-to-10x-your-vulnerability-management-program-in-the-agentic-era/
      • Automotive Tech: A Vast New Cyber Attack Surface
        "For decades, the biggest risks associated with cars were tangible and immediate. Vehicles crashed. Engines failed. People were injured or killed. In response, and under pressure from regulatory agencies and insurers, automakers poured enormous effort into physical safety: crash testing, safety standards, recalls, airbags, and structural engineering. Over time, safety became non‑negotiable."
        https://blog.barracuda.com/2026/03/11/automotive-tech-new-cyber-attack-surface
      • SOC Threat Radar — March 2026
        "Identity-based threats continue to rise — particularly those involving anomalous logins using stolen credentials (see SOC Threat Radar — December 2025). During February, around one in every 16 suspicious logins came from Romania. This is an unexpected and anomalous increase compared to previous months, which is a clear indicator of suspicious activity."
        https://blog.barracuda.com/2026/03/11/soc-threat-radar-march-2026
      • Global Law Enforcement Agencies, With Support From Meta, Disrupt Major Criminal Scam Networks Based In Southeast Asia
        "Online scams have become significantly more sophisticated and industrialized in recent years, with criminal networks often based in Southeast Asia in countries like Cambodia, Myanmar, and Laos running what amount to full-scale business operations. These operations cause real harm — they upend lives, destroy trust, and are deliberately designed to avoid detection and disruption. The work to protect people against scammers is never done, and requires ongoing collaboration with partners across the tech industry and law enforcement to ensure a safer experience for everyone online."
        https://about.fb.com/news/2026/03/meta-global-law-enforcement-disrupt-major-southeast-asia-criminal-scam-networks/
        https://thehackernews.com/2026/03/meta-disables-150k-accounts-linked-to.html
        https://www.theregister.com/2026/03/11/meta_international_cops_ai_scammers/
      • What Boards Must Demand In The Age Of AI-Automated Exploitation
        "“You knew, and you could have acted. Why didn’t you?” This is the question you do not want to be asked. And increasingly, it’s the question leaders are forced to answer after an incident. For years, many executive teams and boards have treated a large vulnerability backlog as an uncomfortable but tolerable fact of life: “we’ve accepted the risk.” If you’ve ever seen a report showing thousands (or tens of thousands) of open Highs and Critical CVEs, you’ve probably also heard the usual rationalizations from folks that would rather look the other way: we have other priorities, this will take years of engineering time to fix, how do you know these are really Critical, we’re still prioritizing, we’ll get to it."
        https://thehackernews.com/2026/03/what-boards-must-demand-in-age-of-ai.html
      • Meta Says It Culled Millions Of Scam Ads Amid Accusations That It Profits From Them
        "Meta said it removed 159 million scam ads in 2025, amid calls from U.S. lawmakers for an investigation into the company’s “facilitation of and profiting from” fraudulent advertising. The company said it also removed 10.9 million Facebook and Instagram accounts associated with criminal scam centers as it rolled out new tools aimed at stopping online fraud, something Meta describes as “one of the fastest-growing forms of organized crime globally.” Americans lost more than $10 billion to scams in 2023, according to the Federal Trade Commission (FTC), with hundreds of billions stolen globally through schemes that often begin on social media."
        https://therecord.media/meta-scam-advertising-crackdown

      References
      Electronic Transactions Development Agency (ETDA)

      Posted in Cyber Security News
      NCSA_THAICERT
    • BlackSanta malware found targeting HR departments, using an EDR Killer technique to disable kernel-level protection tools


      You can follow news on the webboard or on the NCSA Thailand Facebook page.

      Posted in Cyber Security News
      NCSA_THAICERT
    • Modified AuraInspector tool found being used to scan and steal data from Salesforce systems


      You can follow news on the webboard or on the NCSA Thailand Facebook page.

      Posted in Cyber Security News
      NCSA_THAICERT
    • Warning! ‘BeatBanker’ malware hides in a fake Starlink app to steal banking data and secretly mine cryptocurrency on victims' devices


      You can follow news on the webboard or on the NCSA Thailand Facebook page.

      Posted in Cyber Security News
      NCSA_THAICERT
    • Check now! Critical vulnerability in HPE Aruba Networking AOS-CX allows administrator password reset

      ThaiCERT has been monitoring the cyber threat situation and found a report of a fix for a vulnerability in HPE Aruba Networking AOS-CX (used on CX-Series switches) involving the Web-based Management Interface. Organizations running it should promptly check their version and apply the vendor's recommended patches, and restrict access to the management page to trusted networks and IP addresses.

      1. Vulnerability details [1]
        CVE-2026-23813 (CVSS v3.1: 9.8) Authentication Bypass: a vulnerability in the AOS-CX web management page could be used by a remote attacker without any privileges to bypass authentication and, in some cases, reset the administrator password. The attacker could thereby take administrative control of the network device, for example changing policy, ACL or VLAN configuration, creating a risk of interception or redirection of traffic within the network and of pivoting to other critical systems, and affecting business continuity if core network devices are reconfigured or made unavailable.

      2. Affected versions
        • AOS-CX 10.17.0001 and below
        • AOS-CX 10.16.1020 and below
        • AOS-CX 10.13.1160 and below
        • AOS-CX 10.10.1170 and below

      3. Fixed versions [2]
        • AOS-CX 10.17.1001 and above
        • AOS-CX 10.16.1030 and above
        • AOS-CX 10.13.1161 and above
        • AOS-CX 10.10.1180 and above

      4. If you cannot update immediately (temporary mitigation)
        4.1 Restrict access with Access Control Lists (ACLs): configure Control Plane ACLs so that only trusted IP addresses may reach HTTP/HTTPS or REST for management.
        4.2 Separate the management network: place the management interface in a dedicated VLAN or Layer 2 segment to reduce the risk of unauthorized access.
        4.3 Disable the Web UI on ports where it is not needed: turn off the HTTP/HTTPS interface on routed ports carrying general traffic if they are not required for management.

      5. References
        5.1 https://dg.th/g08wydt3ae
        5.2 https://dg.th/z67ye0d3v4
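      As an added check written for this advisory (not an HPE tool or code from the post), the following Python compares AOS-CX versions collected from a switch inventory against the fixed-version list in section 3 and reports each switch as patched, vulnerable, or on a release train the advisory does not list. The inventory hostnames are constructed for the example, and version strings are assumed to be in the plain `10.x.yyyy` form used in this post, optionally prefixed with "AOS-CX".

```python
import re

# Fixed builds per AOS-CX release train, taken from section 3 of the advisory.
# A train not present here (for example 10.14 or 10.15) is not covered by the
# post, so it is reported separately rather than guessed at.
FIXED_BUILDS: dict[tuple[int, int], tuple[int, int, int]] = {
    (10, 17): (10, 17, 1001),
    (10, 16): (10, 16, 1030),
    (10, 13): (10, 13, 1161),
    (10, 10): (10, 10, 1180),
}

VERSION_RE = re.compile(r"^\s*(?:AOS-CX\s+)?(\d+)\.(\d+)\.(\d+)\s*$")


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse '10.16.1020' or 'AOS-CX 10.16.1020' into comparable integers."""
    m = VERSION_RE.match(text)
    if m is None:
        raise ValueError(f"unrecognised AOS-CX version string: {text!r}")
    major, minor, build = (int(x) for x in m.groups())
    return major, minor, build


def assess(version: str) -> str:
    """Return 'patched', 'vulnerable' or 'unknown-train' for one version."""
    parsed = parse_version(version)
    fixed = FIXED_BUILDS.get(parsed[:2])
    if fixed is None:
        return "unknown-train"
    # Tuple comparison: same train, so only the build number decides.
    return "patched" if parsed >= fixed else "vulnerable"


def triage_inventory(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group switch names by patch status; names are sorted for stable output."""
    result: dict[str, list[str]] = {"vulnerable": [], "patched": [], "unknown-train": []}
    for name in sorted(inventory):
        result[assess(inventory[name])].append(name)
    return result


# Constructed inventory for the example: hostnames are invented, version numbers
# reuse the release trains the advisory lists plus one it does not.
SAMPLE_INVENTORY = {
    "core-sw-01": "10.16.1020",
    "dist-sw-02": "AOS-CX 10.17.1001",
    "edge-sw-03": "10.14.1000",
    "edge-sw-04": "10.10.1180",
}

if __name__ == "__main__":
    for status, names in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{status:14s} {', '.join(names) or '-'}")
```

      Switches reported as "unknown-train" should be checked against the vendor advisories in section 5 rather than assumed safe; the mitigations in section 4 apply to every device until it is confirmed patched.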


      Posted in Cyber Security News
      NCSA_THAICERT
    • WFH ให้ปลอดภัยจากภัยไซเบอร์

      แม้จะใช้ VPN แต่ก็ยังเสี่ยงถูกขโมยรหัสผ่าน หลอกผ่านเว็บปลอม หรือถูกโจมตีผ่านอุปกรณ์ที่ไม่ได้อัปเดตได้
      VPN ช่วยป้องกันข้อมูลระหว่างทาง แต่ ไม่สามารถป้องกันฟิชชิงหรือมัลแวร์ได้ทั้งหมด

      ความเสี่ยงที่พบบ่อย

      • ถูกหลอกให้กรอกชื่อผู้ใช้/รหัสผ่านผ่านอีเมลหรือเว็บปลอม (phishing)
      • ใช้รหัสผ่านซ้ำหลายระบบ
      • ไม่เปิดใช้ MFA
      • ใช้ Wi-Fi สาธารณะหรือเครือข่ายบ้านที่ตั้งค่าไม่ปลอดภัย
      • ใช้อุปกรณ์ส่วนตัวหรือโปรแกรมรีโมตที่องค์กรไม่ได้อนุญาต
      • ไม่อัปเดตระบบหรือ VPN client ให้เป็นเวอร์ชันล่าสุด

      ดังนั้นก่อนล็อกอินเข้าระบบงาน อย่าลืม

      • ใช้ VPN ขององค์กร
      • เปิด MFA
      • ไม่ใช้ Wi-Fi สาธารณะ
      • อัปเดตเครื่องและแอปเสมอ
      • ใช้เฉพาะโปรแกรมที่องค์กรอนุญาต

      📌 หากมีแจ้งเตือนล็อกอินหรือ MFA ที่ไม่ได้ทำเอง ให้รีบแจ้งผู้ดูแลระบบทันที

      WFH อย่างปลอดภัย ต้องระวังมากกว่าแค่เรื่องรหัสผ่าน
      ด้วยความห่วงใยจาก NCSA Thailand

      #ThaiCERT #CyberSecurity #WorkFromHome #WFH #VPN #MFA #Phishing #CyberHygiene

      References

      • https://dg.th/rzphgu08bt
      • https://dg.th/ctpdoxrqe3
      • https://dg.th/bk2973nuhy
      • https://dg.th/vwiq8zekor
      • https://dg.th/ua39lkwchm
      Posted in Cyber Security News
      NCSA_THAICERT
    • Cyber Threat Intelligence 11 March 2026

      Vulnerabilities

      • HPE Warns Of Critical AOS-CX Flaw Allowing Admin Password Resets
        "Hewlett Packard Enterprise (HPE) has patched multiple security vulnerabilities in the Aruba Networking AOS-CX operating system, including several authentication and code execution issues. AOS-CX is a cloud-native network operating system (NOS) developed by HPE subsidiary Aruba Networks for the company's CX-series campus and data center switch devices. The most severe security flaw today is a critical authentication bypass vulnerability (tracked as CVE-2026-23813) that attackers without privileges can exploit in low-complexity attacks to reset admin passwords."
        https://www.bleepingcomputer.com/news/security/hpe-warns-of-critical-aos-cx-flaw-allowing-admin-password-resets/
      • SAP Patches Critical FS-QUO, NetWeaver Vulnerabilities
        "Enterprise security firm SAP on Tuesday announced the release of 15 new security notes as part of its March 2026 Security Patch Day. The most important of these notes resolves critical-severity vulnerabilities in Quotation Management Insurance (FS-QUO) and NetWeaver Enterprise Portal Administration. SAP describes the FS-QUO bug, tracked as CVE-2019-17571 (CVSS score of 9.8), as a code injection issue."
        https://www.securityweek.com/sap-patches-critical-fs-quo-netweaver-vulnerabilities/
      • Critical Defect In Java Security Engine Poses Serious Downstream Security Risks
        "A maximum-severity vulnerability in pac4j, an open-source library integrated into hundreds of software packages and repositories, poses a significant security threat, but has thus far received scant attention. The defect in the Java security engine, which handles authentication across multiple frameworks, has not been exploited in the wild since code review firm CodeAnt AI published a proof-of-concept exploit last week. The company discovered the vulnerability and privately reported it to pac4j’s maintainer, which disclosed the defect and released patches for affected versions of the library within two days."
        https://cyberscoop.com/pac4j-open-source-library-vulnerability-max-severity-risk/
      • Microsoft March 2026 Patch Tuesday Fixes 2 Zero-Days, 79 Flaws
        "Today is Microsoft's March 2026 Patch Tuesday with security updates for 79 flaws, including 2 publicly disclosed zero-day vulnerabilities. This Patch Tuesday also addresses three "Critical" vulnerabilities, 2 of which are remote code execution flaws and the other is an information disclosure flaw."
        https://www.bleepingcomputer.com/news/microsoft/microsoft-march-2026-patch-tuesday-fixes-2-zero-days-79-flaws/
        https://blog.talosintelligence.com/microsoft-patch-tuesday-march-2026/
        https://www.darkreading.com/application-security/microsoft-patches-83-cves-march-update
        https://cyberscoop.com/microsoft-patch-tuesday-march-2026/
        https://securityaffairs.com/189266/security/microsoft-patch-tuesday-security-updates-for-march-2026-fixed-84-bugs.html
        https://www.securityweek.com/microsoft-patches-83-vulnerabilities/
        https://www.theregister.com/2026/03/10/zeroclick_microsoft_info_disclosure_bug/
      • Adobe Patches 80 Vulnerabilities Across Eight Products
        "Adobe on Tuesday announced patches for 80 vulnerabilities across 8 products, including Commerce, Illustrator, Acrobat Reader, and Premiere Pro. The company rolled out fixes for 19 flaws in Adobe Commerce and Magento Open Source, urging users to apply the patches within the next 30 days, based on these products being a known target for threat actors. The update resolves six high-severity bugs, five of which could lead to privilege escalation: CVE-2026-21290, CVE-2026-21361, CVE-2026-21284, CVE-2026-21311, and CVE-2026-21309. The sixth, tracked as CVE-2026-21289, leads to security feature bypass."
        https://www.securityweek.com/adobe-patches-80-vulnerabilities-across-eight-products/
      • LeakyLooker: Hacking Google Cloud’s Data Via Dangerous Looker Studio Vulnerabilities
        "Tenable Research revealed "LeakyLooker," a set of nine novel cross-tenant vulnerabilities in Google Looker Studio. These flaws could have let attackers exfiltrate or modify data across Google services like BigQuery and Google Sheets. Google has since remediated all identified issues."
        https://www.tenable.com/blog/leakylooker-google-cloud-looker-studio-vulnerabilities
        https://thehackernews.com/2026/03/new-leakylooker-flaws-in-google-looker.html
      • Auditing The Gatekeepers: Fuzzing "AI Judges" To Bypass Security Controls
        "As organizations scale AI operations, they increasingly deploy AI judges — large language models (LLMs) acting as automated security gatekeepers to enforce safety policies and evaluate output quality. Our research investigates a critical security issue in these systems: They can be manipulated into authorizing policy violations through stealthy input sequences, a type of prompt injection. To do this investigation, we designed an automated fuzzer for internal use for red-team style assessments called AdvJudge-Zero. Fuzzers are tools that identify software vulnerabilities by providing unexpected input, and we apply the same approach to attacking AI judges. It identifies specific trigger sequences that exploit a model's decision-making logic to bypass security controls."
        https://unit42.paloaltonetworks.com/fuzzing-ai-judges-security-bypass/

      Malware

      • New ‘BlackSanta’ EDR Killer Spotted Targeting HR Departments
        "For more than a year, a Russian-speaking threat actor targeted human resource (HR) departments with malware that delivers a new EDR killer named BlackSanta. Described as "sophisticated," the campaign mixes social engineering with advanced evasion techniques to steal sensitive information from compromised systems. It is unclear how the attack begins, but researchers at Aryaka, a network and security solutions provider, suspect that the malware is distributed via spear-phishing emails."
        https://www.bleepingcomputer.com/news/security/new-blacksanta-edr-killer-spotted-targeting-hr-departments/
        http://www.aryaka.com/docs/reports/blacksanta-edr-killer-threat-report.pdf
        https://www.darkreading.com/threat-intelligence/blacksanta-edr-killer-hr-workflows
        https://www.theregister.com/2026/03/10/malware_targeting_hr/
        https://www.helpnetsecurity.com/2026/03/10/hr-recruiters-malware-resume/
      • BeatBanker: A Dual‑mode Android Trojan
        "Recently, we uncovered BeatBanker, an Android‑based malware campaign targeting Brazil. It spreads primarily through phishing attacks via a website disguised as the Google Play Store. To achieve their goals, the malicious APKs carry multiple components, including a cryptocurrency miner and a banking Trojan capable of completely hijacking the device and spoofing screens, among other things. In a more recent campaign, the attackers switched from the banker to a known RAT."
        https://securelist.com/beatbanker-miner-and-banker/119121/
        https://www.bleepingcomputer.com/news/security/new-beatbanker-android-malware-poses-as-starlink-app-to-hijack-devices/
      • Antivirus And Endpoint Detection And Response Archive Scanning Engines May Not Properly Scan Malformed Zip Archives
        "Malformed ZIP headers can cause antivirus and endpoint detection and response software (EDR) to produce false negatives. Despite the presence of malformed headers, some extraction software is still able to decompress the ZIP archive, allowing potentially malicious payloads to run upon file decompression."
        https://kb.cert.org/vuls/id/976247
        https://www.bleepingcomputer.com/news/security/new-zombie-zip-technique-lets-malware-slip-past-security-tools/
      • Silence Of The Hops: The KadNap Botnet
        "The Black Lotus Labs team at Lumen has discovered a sophisticated new malware named “KadNap.” This threat primarily targets Asus routers, conscripting them into a botnet that proxies malicious traffic. Since August 2025, we have been monitoring the growth of this network, which is now above 14,000 infected devices. KadNap employs a custom version of the Kademlia Distributed Hash Table (DHT) protocol, which is used to conceal the IP address of their infrastructure within a peer-to-peer system to evade traditional network monitoring. Infected devices use the DHT protocol to locate and connect with a command-and-control (C2) server, while defenders cannot easily find and add those C2s to threat lists."
        https://blog.lumen.com/silence-of-the-hops-the-kadnap-botnet/
        https://www.bleepingcomputer.com/news/security/new-kadnap-botnet-hijacks-asus-routers-to-fuel-cybercrime-proxy-network/
        https://thehackernews.com/2026/03/kadnap-malware-infects-14000-edge.html
      • Sednit Reloaded: Back In The Trenches
        "Since April 2024, Sednit’s advanced development team has reemerged with a modern toolkit centered on two paired implants, BeardShell and Covenant, each using a different cloud provider for resilience. This dual‑implant approach enabled long‑term surveillance of Ukrainian military personnel. Interestingly, these current toolsets show a direct code lineage to the group’s 2010‑era implants."
        https://www.welivesecurity.com/en/eset-research/sednit-reloaded-back-trenches/
        https://www.bleepingcomputer.com/news/security/apt28-hackers-deploy-customized-variant-of-covenant-open-source-tool/
        https://thehackernews.com/2026/03/apt28-uses-beardshell-and-covenant.html
        https://www.darkreading.com/cyber-risk/sednit-resurfaces-with-sophisticated-new-toolkit
        https://therecord.media/russia-apt-28-revives-malware-to-spy-on-ukraine
        https://securityaffairs.com/189230/apt/apt28-conducts-long-term-espionage-on-ukrainian-forces-using-custom-malware.html
        https://www.helpnetsecurity.com/2026/03/10/sednit-espionage-toolkit-stealing-data/
      • Study Finds ROME AI Agent Attempted Cryptomining Without Instructions
        "A recent research paper describing the training of an experimental AI agent has started a discussion after the system attempted to start cryptocurrency mining without being instructed to do so. The incident was reported in a study published on arXiv that describes the development of ROME AI, an agentic AI model designed to perform complex, multi-step tasks such as writing software, debugging code, and interacting with command-line tools. Unlike standard AI chatbots that respond to single prompts, agentic models can take actions, use tools, and interact with computing environments to complete tasks."
        https://hackread.com/rome-ai-agent-cryptomining-without-instructions/
        https://arxiv.org/pdf/2512.24873
      • North Korea Tried To Hack Our CEO Through a Fake Job Interview On LinkedIn
        "If you're a founder, CTO, or senior engineer in crypto or Web3, you already know: the recruiter DMs never stop. LinkedIn is a constant stream of unsolicited pitches. Most are legitimate. This one wasn't. A LinkedIn member — later identified as operating under the name "Nazar" — messaged me out of the blue about a role at 0G Labs, pitching it as "a fast-growing team building the first decentralized AI operating system." The message included a polished Google Docs job description and a Calendly link to book a call with the "hiring manager" — Pedro Perez de Ayala."
        https://www.allsecure.io/blog/lazarus-linkedin-attack/
        https://hackread.com/fake-linkedin-interview-lazarus-hackers-allsecure-ceo/
      • Behind The Console: Active Phishing Campaign Targeting AWS Console Credentials
        "Datadog Security Research identified a credential-harvesting campaign targeting AWS Console users through typosquatted domains that mimic AWS infrastructure naming conventions. The operation uses real-time adversary-in-the-middle (AiTM) proxying to capture validated credentials and session material. We identified two active phishing infrastructure clusters and a third related domain sharing registrar metadata. In one observed case, the operator authenticated to a compromised AWS account within 20 minutes of credential submission."
        https://securitylabs.datadoghq.com/articles/behind-the-console-aws-aitm-phishing-campaign/
        https://www.helpnetsecurity.com/2026/03/10/aitm-phishing-aws-accounts/
      • FortiGate Edge Intrusions | Stolen Service Accounts Lead To Rogue Workstations And Deep AD Compromise
        "Throughout early 2026, SentinelOne’s® Digital Forensics & Incident Response (DFIR) team has responded to several incidents where FortiGate Next-Generation Firewall (NGFW) appliances have been compromised to establish a foothold into the targeted environment. Each incident was detected and stopped during the lateral movement phase of the attack. Fortinet has disclosed and issued patches for several high-severity vulnerabilities allowing unauthorized access during the activity period of our investigations."
        https://www.sentinelone.com/blog/fortigate-edge-intrusions/
        https://thehackernews.com/2026/03/fortigate-devices-exploited-to-breach.html
        https://securityaffairs.com/189241/security/attackers-exploit-fortigate-devices-to-access-sensitive-network-information.html
      • Finnish Intelligence Warns Of Persistent Cyber Espionage From Russia, China
        "Finland’s intelligence service warned that Russia and China continue to conduct extensive cyberespionage and influence operations targeting the country’s technology sector, research institutions and government, according to a new national security assessment released Tuesday. The Finnish Security and Intelligence Service (SUPO), which is responsible for foreign intelligence as well as domestic counterintelligence, was last year reorganized to “enhance information gathering."
        https://therecord.media/finnish-intel-warns-espionage-china-russia
      • When Trusted Websites Turn Malicious: WordPress Compromises Advance Global Stealer Operation
        "Rapid7 Labs has identified and analyzed an ongoing, widespread compromise of legitimate, potentially highly trusted WordPress websites, misused by an unidentified threat actor to inject a ClickFix implant impersonating a Cloudflare human verification challenge (CAPTCHA). The lure is designed to infect visitors with a multi-stage malware chain that ultimately steals and exfiltrates credentials and digital wallets from Windows systems. The stolen credentials can subsequently be used for financial theft or to conduct further, more targeted attacks against organizations."
        https://www.rapid7.com/blog/post/tr-malicious-websites-wordpress-compromise-advances-global-stealer-operation/
        https://www.theregister.com/2026/03/10/crooks_hijack_wordpress_sites/
      • Aye-Coruna: Tracing The iOS Exploit Kit From Ukraine To Iran War Lures
        "On March 3, 2026, Google Threat Intelligence Group (GTIG) and the iVerify Team both detailed findings related to an exploit kit targeting Apple iPhone users nicknamed “Coruna,” publishing indicators related to initial exploit exposure (the infection vector), configuration and implant servers, and C2 communication. Examples of the implants are also published on Github by matteyeux. First appearing in February 2025, the iOS exploitation kit is significant due to its breadth and mass deployment."
        https://www.validin.com/blog/aye_coruna_ios_exploit_kit_c2/
      • Fake ImToken Chrome Extension Steals Seed Phrases Via Phishing Redirects
        "Socket’s Threat Research Team uncovered a malicious Chrome extension, lmΤoken Chromophore (extension ID bbhaganppipihlhjgaaeeeefbaoihcgi), that impersonates imToken while presenting itself as a hex color visualizer in the Chrome Web Store. Instead of providing the harmless tool it promises, the extension automatically opens a threat actor-controlled phishing site as soon as it is installed, and again whenever the user clicks it."
        https://socket.dev/blog/fake-imtoken-chrome-extension-steals-seed-phrases-via-phishing-redirects
      • Through The Lens Of MDR: Analysis Of KongTuke’s ClickFix Abuse Of Compromised WordPress Sites
        "In January 2026, Huntress researchers identified a new initial access technique used by the threat actor KongTuke, dubbed as “CrashFix”. In this ClickFix variation, the users are tricked into installing a malicious Chrome extension that displays a fake security warning, stating that the browser has “stopped abnormally.” It then prompts the unsuspecting users to follow remediation instructions. Once they follow the instructions, they’ll inadvertently execute a malicious PowerShell command."
        https://www.trendmicro.com/en_us/research/26/c/kongtuke-clickfix-abuse-of-compromised-wordpress-sites.html

      Breaches/Hacks/Leaks

      • Cal AI, New Owner Of MyFitnessPal, Hit By Alleged Breach Of 3 Million Users
        "A hacker using the alias “vibecodelegend” is claiming responsibility for breaching Cal AI, a smartphone application that uses artificial intelligence to track calories and nutritional information. The alleged breach was announced on Monday, March 9, 2026, through a post on the cybercrime marketplace BreachForums. Cal AI has grown rapidly in popularity due to its use of artificial intelligence to help users track calories by analyzing food images and nutritional information. The platform recently attracted further attention after acquiring the widely used fitness app MyFitnessPal, expanding its presence in the health and nutrition tracking market."
        https://hackread.com/cal-ai-myfitnesspal-data-breach-3m-users/

      General News

      • Stop Chasing Threats, Start Containing Them
        "Security teams aren't short on tools or effort. Yet many organizations are still falling behind. According to Cyderes' recent white paper, 88% of organizations maintain a security operations center but only 45% report effectiveness in proactive threat hunting. The picture is clear: SOCs are overwhelmed and additional investments aren't closing the gap. Alerts are piling up. Talent is burning out. Identity is fragmented across IT, security and HR, with no clear ownership. As cloud workloads grow, confidence in stopping identity-based attacks remains low."
        https://www.bankinfosecurity.com/blogs/stop-chasing-threats-start-containing-them-p-4058
        https://www.cyderes.com/hubfs/FINAL WhitePaper Design_02_18_26.pdf
      • Global Cyber Attacks Remain Near Record Highs In February 2026 Despite Ransomware Decline
        "In February 2026, global cyber attack activity remained near record levels, confirming that elevated attack volumes are becoming the new normal for organizations worldwide. The average number of weekly cyber attacks per organization reached 2,086, representing a 9.6% increase year over year, while remaining essentially flat month over month (-0.2% compared to January 2026). This stabilization at a high baseline reflects a sustained pressure environment rather than a short‑term surge."
        https://blog.checkpoint.com/research/global-cyber-attacks-remain-near-record-highs-in-february-2026-despite-ransomware-decline/
      • Teen Crew Caught Selling DDoS Attack Tools
        "Seven minors who distributed online programs designed to facilitate DDoS attacks have been identified by Poland’s Central Bureau for Combating Cybercrime (CBZC). They were between 12 and 16 at the time of the crime. According to investigators, using the tools they administered, the minors attacked popular websites, including auction and sales portals, IT domains, hosting services and accommodation booking sites. The activity was profit-driven, with the suspects earning money from the operation."
        https://www.helpnetsecurity.com/2026/03/10/poland-minors-identified-distributing-ddos-attack-tools/
        https://www.theregister.com/2026/03/10/poland_ddos_teens_bust/
      • Airbus CSO On Supply Chain Blind Spots, Space Threats, And The Limits Of AI Red-Teaming
        "Pascal Andrei, CSO at Airbus, knows that the aerospace and defense sector is facing a threat environment that is evolving faster than most organizations can track. From sub-tier suppliers quietly becoming entry points for state-backed attackers, to satellites emerging as targets in an increasingly contested space domain, the risks are real and growing. In this interview with Help Net Security, Andrei addresses the blind spots that defenders are underestimating, the gap between compliance paperwork and actual security outcomes, and why current AI red-teaming models fall dangerously short."
        https://www.helpnetsecurity.com/2026/03/10/pascal-andrei-airbus-aerospace-defense-cybersecurity/
      • The People Behind Cyber Extortion Are Often In Their Forties
        "Many cybercrime investigations end with arrests or indictments that reveal little about the people behind the operations. When authorities do disclose demographic details, the pattern that emerges does not match the common assumption that cyber offenders are mostly very young. Analysis in the Security Navigator 2026 report from Orange Cyberdefense points to a different age profile, with a strong concentration of offenders in mid-career adulthood."
        https://www.helpnetsecurity.com/2026/03/10/cyber-extortion-cybercrime-age-profile/
      • Bug Bounties Are Broken, And The Best Security Pros Are Moving On
        "Penetration testing engagements are organized as scheduled contracts with defined scope, set testing windows, and direct communication channels with client teams. Cobalt’s 2026 Pentester Profile Report describes growing preference for penetration testing as a service (PTaaS) and contract-based testing models. Many participants prefer contract-based testing over open bug bounty programs and prioritize predictable professional income tied to guaranteed engagements. Pentesting serves as the primary occupation for a large share of this group. Most participants bring years of field experience and describe career goals centered on staying hands-on and maintaining technical standards."
        https://www.helpnetsecurity.com/2026/03/10/cobalt-ptaas-gains-pentester-support/
      • Only 24% Of Organizations Test Identity Recovery Every Six Months
        "Just 24% of organizations test their identity disaster recovery plans every six months, according to new research which examined how businesses prepare for identity-focused cyber-attacks. The findings suggested that despite rising investment in identity threat detection and response (ITDR), many organizations remain poorly prepared to restore critical authentication systems after a breach. The data comes from Quest Software’s latest report, a global survey of 650 IT and security practitioners and executives. The study found that many companies place heavy emphasis on preventative controls and threat detection while neglecting response and recovery readiness."
        https://www.infosecurity-magazine.com/news/organizations-test-identity-sec-6/
      • SIM Swaps Expose a Critical Flaw In Identity Security
        "For years, organizations have treated mobile phone numbers as trusted identity anchors. They are used to reset passwords, deliver one-time passcodes, and verify user identity. That trust is now fundamentally misplaced. SIM swap attacks have exposed a structural weakness in how identity is verified, recovered, and monitored across consumer and enterprise systems. In a SIM swap attack, criminals persuade a mobile carrier representative — often through social engineering or insider collusion — to transfer a victim’s phone number to a SIM card under the attacker’s control."
        https://www.securityweek.com/sim-swaps-expose-a-critical-flaw-in-identity-security/
      • Protecting Democracy Means Democratizing Cybersecurity. Bring On The Hackers
        "The hacker mind is a curious way to be. To have it means to embody endless analytical curiosity, an awareness of any given rule set as just one system among many, and an ability to see any system in ways that its creators never expected. Combine this with a drive to find the bad and make things better, and you become one of the fundamental forces of the technological universe."
        https://www.theregister.com/2026/03/10/democratizing_security_opinion/
      • CISOs In a Pinch: A Security Analysis Of OpenClaw
        "The viral rise of OpenClaw (formerly Clawdbot) marks the end of the "chatbot" era and the beginning of the "sovereign agent" era. While the productivity gains of having a locally hosted AI that controls your terminal are immense, the security implications are catastrophic. We are effectively granting root access to probabilistic models that can be tricked by a simple WhatsApp message. The "Lethal Trifecta" of AI security just got a fourth dimension: Persistence."
        https://www.trendmicro.com/en_us/research/26/c/cisos-in-a-pinch-a-security-analysis-openclaw.html

      Reference
      Electronic Transactions Development Agency (ETDA)

      Posted in Cyber Security News
      NCSA_THAICERT
    • 🚨 Warning for Mac users: fake CleanMyMac websites are spreading widely, using a technique that tricks users into running commands to steal passwords and crypto

      The National Computer Security Coordination Center (ThaiCERT) has been monitoring the cybersecurity situation and finds that vulnerabilities affecting macOS are rising steadily. Most recently, security researchers discovered a campaign distributing the "SHub Stealer" malware disguised as the popular system cleaning program CleanMyMac, aimed at stealing digital assets and sensitive data, in line with the global trend of cyberattacks targeting digital wallets.

      1. Main groups at risk
        Mac users looking for a system cleanup program, and holders of cryptocurrency who use applications such as Exodus, Ledger or Trezor
        This group is at high risk because the attackers deliberately designed the malware to target digital wallets, and also to extract passwords saved in the macOS Keychain

      2. Attack techniques observed
        2.1 Tricking users into running a malicious script themselves: the fake website instructs the victim to copy a command and run it in Terminal, which lets the malware slip past Mac's Gatekeeper protection
        2.2 Evading detection: the malware checks the keyboard language and terminates immediately if it is Russian, to avoid scrutiny and reduce attention from law enforcement in the developers' region
        2.3 Stealing sensitive data: the malware shows a fake window asking for the machine's password; if the user falls for it, the attacker can immediately access every password stored in the Keychain, including Wi-Fi credentials
        2.4 Tampering with crypto wallets: the malware modifies popular wallet apps to show a fake prompt asking for the recovery phrase (seed phrase); if it is entered, the attacker can drain all the cryptocurrency
        2.5 Stealthy persistence: the malware creates a background job (LaunchAgent) with a file name mimicking Google's legitimate updater (Keystone) and uses it to secretly send data back to the attacker every minute

      What makes "SHub Stealer" dangerous is that it hides on the machine by posing as a Google update file. This lets it run in the background and keep sending data back to the attacker continuously, so the attacker can control the machine and pull further data at any time.
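      A defender-side check for the persistence pattern described in 2.5, added here as an example and not code from the NCSA post or the Hackread report it cites: it parses LaunchAgent plists and flags any agent whose label or file name imitates Google's Keystone updater but whose program lives outside Google's updater directory, or which runs on a beacon-like short interval. GENUINE_KEYSTONE_DIR is an assumption about where the real updater is installed, and the sample plists are constructed.

```python
"""Audit macOS LaunchAgent plists for the persistence pattern described in 2.5:
a Keystone-lookalike agent whose program lives elsewhere, or which runs on a
beacon-like interval.  Added example, not code from the cited report.  Sample
plists are constructed; GENUINE_KEYSTONE_DIR is an assumption."""
import plistlib
from dataclasses import dataclass, field
from pathlib import Path
from typing import Optional

GENUINE_KEYSTONE_DIR = "Library/Google/GoogleSoftwareUpdate/"   # assumption
LOOKALIKE_WORDS = ("keystone", "googleupdate", "googlesoftwareupdate")
SHORT_INTERVAL_SECONDS = 120      # the post says the stealer beacons every minute
TEMP_PREFIXES = ("/tmp/", "/var/tmp/", "/private/tmp/", "/private/var/tmp/")


@dataclass
class AgentFinding:
    path: str
    label: str
    program: str
    reasons: list = field(default_factory=list)


def program_of(plist: dict) -> str:
    """A LaunchAgent names its binary via 'Program' or 'ProgramArguments[0]'."""
    if "Program" in plist:
        return str(plist["Program"])
    args = plist.get("ProgramArguments") or []
    return str(args[0]) if args else ""


def inspect_agent(path: str, data: bytes) -> Optional[AgentFinding]:
    """Return a finding when the plist looks like masquerading persistence."""
    try:
        plist = plistlib.loads(data)
    except Exception:     # unreadable plist: report it instead of skipping it
        return AgentFinding(path, "", "", ["plist could not be parsed"])
    label = str(plist.get("Label", "")).lower()
    program = program_of(plist)
    reasons = []
    names = (label, Path(path).name.lower())
    lookalike = any(w in n for w in LOOKALIKE_WORDS for n in names)
    if lookalike and GENUINE_KEYSTONE_DIR not in program:
        reasons.append("Keystone-like name but program outside Google's updater dir")
    interval = plist.get("StartInterval")
    if isinstance(interval, int) and interval <= SHORT_INTERVAL_SECONDS:
        reasons.append(f"StartInterval {interval}s looks like a beacon")
    if program.startswith(TEMP_PREFIXES) or "/." in program:
        reasons.append("program in a temp or hidden directory")
    return AgentFinding(path, label, program, reasons) if reasons else None


def audit_launch_agents(plists: dict) -> list:
    """Inspect a mapping of plist path -> raw bytes and return every finding."""
    findings = (inspect_agent(p, d) for p, d in plists.items())
    return [f for f in findings if f is not None]


def load_launch_agents(directory: str) -> dict:
    """Read every .plist under a LaunchAgents directory (empty if absent)."""
    d = Path(directory).expanduser()
    if not d.is_dir():
        return {}
    return {str(p): p.read_bytes() for p in d.glob("*.plist")}


def sample_plists() -> dict:
    """Constructed samples: one genuine-looking Keystone agent, one imitation."""
    genuine = {
        "Label": "com.google.keystone.agent",
        "ProgramArguments": [
            "/Users/alice/Library/Google/GoogleSoftwareUpdate/"
            "GoogleSoftwareUpdate.bundle/Contents/Helpers/GoogleSoftwareUpdateAgent",
            "-runMode", "ifneeded"],
        "StartInterval": 3600,
    }
    imitation = {
        "Label": "com.google.keystone.update",
        "ProgramArguments": ["/Users/alice/.cache/keystone", "--beacon"],
        "StartInterval": 60,
    }
    home = "/Users/alice/Library/LaunchAgents/"
    return {home + "com.google.keystone.agent.plist": plistlib.dumps(genuine),
            home + "com.google.keystone.update.plist": plistlib.dumps(imitation)}


if __name__ == "__main__":
    # Run on the constructed samples, then on this user's real LaunchAgents.
    for f in audit_launch_agents({**sample_plists(),
                                  **load_launch_agents("~/Library/LaunchAgents")}):
        print(f"{f.path}\n  label={f.label!r} program={f.program!r}")
        for r in f.reasons:
            print(f"  - {r}")
```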

      3. How to protect yourself and respond
        3.1 Download software only from the developer's official website or the Mac App Store
        3.2 Check the website URL carefully every time to make sure it is spelled correctly, with no altered characters, before downloading any program
        3.3 Never copy commands from unfamiliar websites into Terminal if you do not understand what the command does
        3.4 Be wary of pop-up windows asking for the machine password or a crypto seed phrase; if the text looks odd or contains spelling or grammar mistakes, do not enter anything
        3.5 Keep macOS and your antivirus program (if any) updated to the latest version to close security holes

      🔗 Reference: Hackread (https://dg.th/i7aehpvk1n)
      #CyberSecurity #macOS #CleanMyMac #MalwareAlert #CryptoSecurity #SHubStealer #Infostealer


      Posted in Cyber Security News
      NCSA_THAICERT
    • CISA adds 3 exploited vulnerabilities to its catalog

      On 9 March 2026, the Cybersecurity and Infrastructure Security Agency (CISA) added 3 new vulnerabilities to the Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation, as follows

      • CVE-2021-22054 Omnissa Workspace ONE Server-Side Request Forgery
      • CVE-2025-26399 SolarWinds Web Help Desk Deserialization of Untrusted Data Vulnerability
      • CVE-2026-1603 Ivanti Endpoint Manager (EPM) Authentication Bypass Vulnerability

      CISA continues to update and add new vulnerabilities to the KEV catalog so that it covers the risks actually detected now and in the future

      Reference
      https://www.cisa.gov/news-events/alerts/2026/03/09/cisa-adds-three-known-exploited-vulnerabilities-catalog
      Follow the news on the webboard or on the NCSA Thailand Facebook page

      Posted in Cyber Security News
      NCSA_THAICERT