NCSA Webboard
    NCSA_THAICERT
    @NCSA_THAICERT
    Website: www.ncsa.or.th/?fbclid=IwAR0BqJEC-CJzBs98rlBxUbZkNBgp1g814xdDNNaKnHTrxfqZhPD--ksY68I
    Global Moderator, administrators

    Latest posts made by NCSA_THAICERT

    • Malicious Chrome extensions found stealing session cookies and hijacking accounts on enterprise HR/ERP platforms

      You can follow news on the webboard or the NCSA Thailand Facebook page.

      Posted in Cyber Security News
    • Vulnerability found in Google Vertex AI lets low-privileged users escalate privileges to Service Agent

      Posted in Cyber Security News
    • 17 malicious browser extensions found with over 840,000 installs, hiding data-stealing malware

      Posted in Cyber Security News
    • CISA releases 14 Industrial Control Systems (ICS) advisories

      The Cybersecurity and Infrastructure Security Agency (CISA) released 14 advisories on industrial control systems (ICS) on 15 January 2026 (B.E. 2569) to provide timely information on security issues, vulnerabilities and attacks involving ICS. The advisories are as follows:

      • ICSA-26-015-01 AVEVA Process Optimization
      • ICSA-26-015-02 Festo Firmware
      • ICSA-26-015-03 Siemens TeleControl Server Basic
      • ICSA-26-015-04 Siemens SIMATIC and SIPLUS products
      • ICSA-26-015-05 Siemens RUGGEDCOM ROS
      • ICSA-26-015-06 Siemens SINEC Security Monitor
      • ICSA-26-015-07 Siemens RUGGEDCOM APE1808 Devices
      • ICSA-26-015-08 Siemens Industrial Edge Devices
      • ICSA-26-015-09 Siemens Industrial Edge Device Kit
      • ICSA-26-015-10 Schneider Electric EcoStruxure Power Build Rapsody
      • ICSA-26-015-11 Siemens RUGGEDCOM ROX II
      • ICSA-26-015-12 Siemens SIMATIC CN 4100
      • ICSA-22-202-04 ICONICS Suite and Mitsubishi Electric MC Works64 Products (Update B)
      • ICSA-24-135-04 Mitsubishi Electric Multiple FA Engineering Software Products (Update E)
      • ICSA-25-352-08 Axis Communications Camera Station Pro, Camera Station, and Device Manager (Update A)

      CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations.

      References
      https://www.cisa.gov/news-events/ics-advisories

      Posted in OT Cyber Security News
    • Cyber Threat Intelligence 19 January 2026

      Vulnerabilities

      • Patch Now: Active Exploitation Underway For Critical HPE OneView Vulnerability
        "Check Point Research has identified an active, coordinated exploitation campaign targeting CVE-2025-37164, a critical remote code execution vulnerability affecting HPE OneView. The activity, observed directly in Check Point telemetry, is attributed to the RondoDox botnet and represents a sharp escalation from early probing attempts to large-scale, automated attacks. Check Point has already blocked tens of thousands of exploitation attempts, underscoring both the severity of the vulnerability and the urgency for organizations to act. On January 7, 2026 Check Point Research reported the campaign to CISA, and the vulnerability was added to the Known Exploited Vulnerabilities KEV catalog the same day."
        https://blog.checkpoint.com/research/patch-now-active-exploitation-underway-for-critical-hpe-oneview-vulnerability/
        https://www.theregister.com/2026/01/16/rondodox_botnet_hpe_oneview/
        https://www.infosecurity-magazine.com/news/rondodox-botnet-targets-hpe/
      • Hackers Now Exploiting Critical Fortinet FortiSIEM Flaw In Attacks
        "A critical Fortinet FortiSIEM vulnerability with publicly available proof-of-concept exploit code is now being abused in attacks. According to security researcher Zach Hanley at penetration testing company Horizon3.ai, who reported the vulnerability (CVE-2025-64155), it is a combination of two issues that allow arbitrary writes with admin permissions and privilege escalation to root access. "An improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability [CWE-78] in FortiSIEM may allow an unauthenticated attacker to execute unauthorized code or commands via crafted TCP requests," Fortinet explained on Tuesday, when it released security updates to patch the flaw."
        https://www.bleepingcomputer.com/news/security/hackers-now-exploiting-critical-fortinet-fortisiem-vulnerability-in-attacks/
        https://www.darkreading.com/vulnerabilities-threats/fortinet-critical-fortisiem-flaw-exploited

      Malware

      • UNO Reverse Card: Stealing Cookies From Cookie Stealers
        "Criminal infrastructure often fails for the same reasons it succeeds: it is rushed, reused, and poorly secured. In the case of StealC, the thin line between attacker and victim turned out to be highly exploitable. StealC is an infostealer malware that has been circulating since early 2023, sold under a Malware-as-a-Service (MaaS) model and marketed to threat actors seeking to steal cookies, passwords, and other sensitive data from infected computers. Like many MaaS offerings, it comes with a polished web panel, campaign tracking, and just enough operational security to appear professional."
        https://www.cyberark.com/resources/threat-research-blog/uno-reverse-card-stealing-cookies-from-cookie-stealers
        https://www.bleepingcomputer.com/news/security/stealc-hackers-hacked-as-researchers-hijack-malware-control-panels/
      • TamperedChef Serves Bad Ads, With Infostealers As The Main Course
        "In September 2025, Sophos Managed Detection and Response (MDR) teams identified a malvertising campaign distributing an infostealer dubbed TamperedChef – believed to be part of a wider campaign known as EvilAI. Previous coverage of this campaign suggests it began on June 26, 2025, with many of the associated websites being registered or first identified on that date. The sites were promoting a trojanized PDF editing application called AppSuite PDF Editor via Google Ads. This application appeared legitimate to users, but silently deployed an infostealer upon installation, targeting Windows devices."
        https://www.sophos.com/pt-br/blog/tamperedchef-serves-bad-ads-with-infostealers-as-the-main-course
        https://www.infosecurity-magazine.com/news/tamperedchef-malvertising-fake-pdf/
      • 5 Malicious Chrome Extensions Enable Session Hijacking In Enterprise HR And ERP Systems
        "Socket's Threat Research Team identified five malicious Chrome extensions targeting enterprise HR and ERP platforms including Workday, NetSuite, and SuccessFactors. The extensions work in concert to steal authentication tokens, block incident response capabilities, and enable complete account takeover through session hijacking. Four extensions are published under the name databycloud1104, while the fifth operates under different branding softwareaccess but shares identical infrastructure patterns. Combined, these extensions have reached over 2,300 users."
        https://socket.dev/blog/5-malicious-chrome-extensions-enable-session-hijacking
        https://thehackernews.com/2026/01/five-malicious-chrome-extensions.html
        https://www.bleepingcomputer.com/news/security/credential-stealing-chrome-extensions-target-enterprise-hr-platforms/
      • Anatomy Of An Attack: The Payroll Pirates And The Power Of Social Engineering
        "No employee wants their paycheck to go missing. One organization learned about an incident when they started hearing exactly this complaint. It turned out that an attacker had modified direct-deposit details in order to redirect an organization’s paychecks into attacker-controlled accounts. What happened to this organization started with nothing more than a phone call."
        https://unit42.paloaltonetworks.com/social-engineering-payroll-pirates/
      • Hunting Lazarus: Inside The Contagious Interview C2 Infrastructure
        "When you vet enough freelancer code repositories, you develop instincts. A .vscode/tasks.json with runOn: folderOpen. A getCookie() function that fetches from a Vercel domain. An errorHandler.js with Function.constructor. These patterns don't belong in legitimate projects. In early January 2026, during routine vetting of a cryptocurrency project sourced via Upwork, Red Asgard's threat research team discovered all three. The contractor—using a fake identity—had embedded malware in a legitimate-looking code repository. What followed was a five-day investigation into active Lazarus Group infrastructure. This article documents what we found."
        https://redasgard.com/blog/hunting-lazarus-contagious-interview-c2-infrastructure

      Breaches/Hacks/Leaks

      • 750,000 Impacted By Data Breach At Canadian Investment Watchdog
        "The Canadian Investment Regulatory Organization (CIRO) this week revealed that hackers compromised the personal information of 750,000 individuals in an August 2025 cyberattack. The data breach, CIRO says, was the result of a sophisticated phishing attack, and resulted in some systems being shut down. The incident did not impact the organization’s critical functions. “We are confident that the incident is contained and that there is no active threat in CIRO’s environment,” the organization says."
        https://www.securityweek.com/750000-impacted-by-data-breach-at-canadian-investment-watchdog/
        https://therecord.media/canada-ciro-investing-regulator-confirms-data-breach
        https://www.bleepingcomputer.com/news/security/ciro-data-breach-last-year-exposed-info-on-750-000-canadian-investors/
        https://securityaffairs.com/186993/data-breach/data-breach-at-canadas-investment-watchdog-canadian-investment-regulatory-organization-impacts-750000-people.html

      General News

      • December 2025 APT Attack Trend Report (South Korea)
        "AhnLab is monitoring APT (Advanced Persistent Threat) attacks in South Korea using its own infrastructure. This report covers the classification and statistics of APT attacks in South Korea that were identified over the course of one month in December 2025. It also provides an overview of the features of each attack type."
        https://asec.ahnlab.com/en/92137/
      • December 2025 Threat Trend Report On Ransomware
        "This report provides the number of affected systems confirmed during December 2025, DLS-based ransomware-related statistics, and notable ransomware issues in Korea and abroad. Below is a summary of some information. The statistics on the number of ransomware samples and affected systems are based on the diagnostic names assigned by AhnLab. Please note that the statistics on affected companies are based on the information publicly available on the DLS (Dedicated Leak Sites, equivalent to what is referred to as ransomware PR sites or PR pages) of the ransomware groups and were collected by the ATIP infrastructure."
        https://asec.ahnlab.com/en/92139/
      • December 2025 Infostealer Trend Report
        "This report provides statistics, trends, and case information on Infostealer malware collected and analyzed during the month of December 2025, including distribution volume, distribution channels, and disguising techniques. The following is a summary of the report."
        https://asec.ahnlab.com/en/92142/
      • CISOs Rise To Prominence: Security Leaders Join The Executive Suite
        "Businesses are increasingly giving top cybersecurity leaders the title of chief information security officer (CISO) and treating them as high-ranking executives — a reflection of how digitally dependent the world has become. CISOs agree the trend reflects how pivotal cybersecurity now is to an enterprise, but additional benefits are not totally clear. Implementing effective cybersecurity strategies in the wake of rising attacks and data breaches is paramount to an organization's infrastructure. Then there's the compliance angle, where new laws, regulations, and standards are emerging too fast for businesses to maintain."
        https://www.darkreading.com/cybersecurity-operations/cisos-rise-to-prominence-security-leaders-join-the-executive-suite
      • As AI Raises The Stakes, App Modernization And Security Are Becoming Inseparable
        "Security leaders are under pressure to support AI programs that move from pilots into production. New Cloudflare research suggests that success depends less on experimentation and more on disciplined application modernization tied closely to security strategy. The survey examines how application architecture, decision structures, and security alignment affect AI readiness at scale."
        https://www.helpnetsecurity.com/2026/01/16/cloudflare-ai-application-modernization-report/
      • New Intelligence Is Moving Faster Than Enterprise Controls
        "AI is being integrated into core enterprise systems faster than many organizations can secure and govern it. A new global study from NTT shows companies expanding AI deployment while gaps in infrastructure readiness, data integrity controls, and governance frameworks continue to limit safe operation at scale."
        https://www.helpnetsecurity.com/2026/01/16/ntt-data-enterprise-ai-governance/
      • Who’s On The Other End? Rented Accounts Are Stress-Testing Trust In Gig Platforms
        "Fraud has become a routine part of gig work for many earners, and the ways workers respond are creating new security problems for platforms. A recent TransUnion study of U.S. gig workers shows broad exposure to fraud, inconsistent reporting, and growing participation in prohibited practices such as account renting and selling."
        https://www.helpnetsecurity.com/2026/01/16/transunion-gig-worker-fraud-risks/
      • Account Compromise Surged 389% In 2025, Says eSentire
        "Cyber threat actors went all in on credential theft in 2025, with eSentire reporting a 389% year-over-year rise in account compromise, making up 55% of all attacks observed by the cybersecurity firm. The firm’s 2025 Year in Review & 2026 Threat Landscape Outlook Report, published on January 15, 2026, showed that credential access represented 75% of the malicious activity observed in the wild by its Threat Response Unit (TRU) over the reported period. Two-thirds of it was aimed at conducting account takeovers and another third to deliver phishing campaigns. Microsoft 365 accounts were prime targets, noted eSentire"
        https://www.infosecurity-magazine.com/news/account-compromise-surged-2025/
        https://www.esentire.com/resources/library/esentire-2026-annual-cyber-threat-report
      • Cyber Insights 2026: Social Engineering
        "The most successful breaches in 2026 are likely to exploit trust, not vulnerabilities. All courtesy of artificial intelligence (AI). We’re going to explore how AI-assisted social engineering attacks might evolve from 2026 onward, and how cybersecurity could, and perhaps should, adapt to meet the new challenge. The threat is no longer against individuals, nor even businesses, but entire cultures."
        https://www.securityweek.com/cyber-insights-2026-social-engineering/
      • Qilin Ransomware Surges Into 2026
        "It is not unusual for high-profile groups to go dark after causing a large disruption to public resources, whether it’s healthcare, fuel or some other critical resource. Qilin also grew quickly. Affiliates leaving the RansomHub and LockBit ransomware‑as‑a‑service (RaaS) operations brought experience and momentum that strengthened the group. That was a nice boost for Qilin, but these weren’t loyal affiliates. They had already proven they would leave a RaaS operation at any hint of instability. So in July 2025, there were doubts as to whether Qilin would remain a relevant threat through the rest of the year. But wow, that group is thriving."
        https://blog.barracuda.com/2026/01/15/qilin-ransomware-surges-into-2026
      • Police Raid Homes Of Alleged Black Basta Hackers, Hunt Suspected Russian Ringleader
        "Ukrainian and German law enforcement authorities have identified two Ukrainians suspected of working for the Russia-linked ransomware group Black Basta and have placed the group’s alleged leader, a Russian national, on an international wanted list, officials said on Thursday. Black Basta has been active since at least early 2022 and is believed to be responsible for extorting hundreds of companies, hospitals and public institutions worldwide — including Swiss industrial giant ABB and U.S. healthcare provider Ascension — causing hundreds of millions of dollars in estimated damages."
        https://therecord.media/police-raid-homes-of-alleged-black-basta-hackers
        https://thehackernews.com/2026/01/black-basta-ransomware-hacker-leader.html
        https://securityaffairs.com/187008/cyber-crime/ukraine-germany-operation-targets-black-basta-russian-leader-wanted.html
      • Closing The Door On Net-NTLMv1: Releasing Rainbow Tables To Accelerate Protocol Deprecation
        "Mandiant is publicly releasing a comprehensive dataset of Net-NTLMv1 rainbow tables to underscore the urgency of migrating away from this outdated protocol. Despite Net-NTLMv1 being deprecated and known to be insecure for over two decades—with cryptanalysis dating back to 1999—Mandiant consultants continue to identify its use in active environments. This legacy protocol leaves organizations vulnerable to trivial credential theft, yet it remains prevalent due to inertia and a lack of demonstrated immediate risk."
        https://cloud.google.com/blog/topics/threat-intelligence/net-ntlmv1-deprecation-rainbow-tables
      • Your 100 Billion Parameter Behemoth Is a Liability
        "The "bigger is better" era of AI is hitting a wall. We are in an LLM bubble, characterized by ruinous inference costs and diminishing returns. The future belongs to Agentic AI powered by specialized Small Language Models (SLMs). Think of it as a shift from hiring a single expensive genius to running a highly efficient digital factory. It’s cheaper, faster, and frankly, the only way to make agents work at scale."
        https://www.trendmicro.com/en_us/research/26/a/your-100-billion-parameter-behemoth-is-a-liability.html

      Reference
      Electronic Transactions Development Agency (ETDA)

      Posted in Cyber Security News
    • Over 91,000 attack attempts against AI systems detected, targeting Ollama and OpenAI-related systems

      Posted in Cyber Security News
    • Kyowon confirms ransomware incident; data exfiltrated from its systems

      Posted in Cyber Security News
    • Kimwolf Botnet: new threat spreading widely across more than 2 million Android TV boxes

      Posted in Cyber Security News
    • Cyber Threat Intelligence 16 January 2026

      Industrial Sector

      • Trio Of Critical Bugs Spotted In Delta Industrial PLCs
        "Researchers have identified one high- and three critical-severity vulnerabilities in a brand of programmable logic controller (PLC) popular at industrial sites in Asia. The DVP-12SE11T, by Taiwan's Delta Electronics, is a cut-rate PLC popular in a variety of sensitive sectors in Asia, such as water treatment and food and beverage processing. In August 2025, researchers from OPSWAT's Unit 515 decided to crack into it, and in doing so discovered four serious vulnerabilities, three of which ranked above a 9 out of 10 in the Common Vulnerability Scoring System (CVSS)."
        https://www.darkreading.com/ics-ot-security/critical-bugs-delta-industrial-plcs
      • ICS Patch Tuesday: Vulnerabilities Fixed By Siemens, Schneider, Aveva, Phoenix Contact
        "Industrial giants Siemens, Schneider Electric, Phoenix Contact, and Aveva have published a dozen Patch Tuesday advisories to inform customers about vulnerabilities found in their ICS/OT products. Siemens has released five new advisories. Two of them describe the same critical authorization bypass flaw in Industrial Edge Devices that can be leveraged by an unauthenticated, remote attacker to bypass authentication and impersonate a user. One advisory covers Industrial Edge Devices, while the other is for the Industrial Edge Device Kit. The remaining advisories inform customers about the availability of fixes for high-severity vulnerabilities in Ruggedcom, ET 200SP, and TeleControl Server Basic products."
        https://www.securityweek.com/ics-patch-tuesday-vulnerabilities-fixed-by-siemens-schneider-aveva-phoenix-contact/
      • Cyber Threat Actors Ramp Up Attacks On Industrial Environments
        "Both cybercriminals and hacktivists have increased cyber-attacks against industrial technology environments, with vulnerability exploits in these systems almost doubling in 2025, according to Cyble. This is according to the Cyble Research & Intelligence Labs’ (CRIL) Annual Threat Landscape Report 2025, published on January 15, 2026."
        https://www.infosecurity-magazine.com/news/cyber-threat-actors-ramp-up-ics/

      Vulnerabilities

      • Critical Privilege Escalation Vulnerability In Modular DS Plugin Affecting 40k+ Sites Exploited In The Wild
        "This blog post is about an Unauthenticated Privilege Escalation vulnerability in the Modular DS plugin. Patchstack has issued a mitigation rule to protect against exploitation of this vulnerability. If you're a Modular DS user, please update to at least version 2.5.2. This vulnerability was discovered and reported to Patchstack by Teemu Saarentaus from group.one."
        https://patchstack.com/articles/critical-privilege-escalation-vulnerability-in-modular-ds-plugin-affecting-40k-sites-exploited-in-the-wild/
        https://thehackernews.com/2026/01/critical-wordpress-modular-ds-plugin.html
        https://www.bleepingcomputer.com/news/security/hackers-exploit-modular-ds-wordpress-plugin-flaw-for-admin-access/
      • Cisco Finally Fixes Max-Severity Bug Under Active Attack For Weeks
        "Cisco finally delivered a fix for a maximum-severity bug in AsyncOS that has been under attack for at least a month. The networking giant disclosed the vulnerability, tracked as CVE-2025-20393, on December 17. It affects some Secure Email Gateway (SEG) and Secure Email and Web Manager (SEWM) appliances. Cisco first became aware of attackers targeting the appliances on December 10."
        https://www.theregister.com/2026/01/15/cisco_fixes_cve_2025_20393/
      • Palo Alto Networks Warns Of DoS Bug Letting Hackers Disable Firewalls
        "Palo Alto Networks patched a high-severity vulnerability that could allow unauthenticated attackers to disable firewall protections in denial-of-service (DoS) attacks. Tracked as CVE-2026-0227, this security flaw affects next-generation firewalls (running PAN-OS 10.1 or later) and Palo Alto Networks' Prisma Access configurations when the GlobalProtect gateway or portal is enabled. The cybersecurity company says that most cloud-based Prisma Access instances have already been patched, with those left to be secured already scheduled for an upgrade."
        https://www.bleepingcomputer.com/news/security/palo-alto-networks-warns-of-dos-bug-letting-hackers-disable-firewalls/
        https://security.paloaltonetworks.com/CVE-2026-0227
        https://thehackernews.com/2026/01/palo-alto-fixes-globalprotect-dos-flaw.html
        https://securityaffairs.com/186948/hacking/palo-alto-networks-addressed-a-globalprotect-flaw-poc-exists.html
      • WhisperPair: Hijacking Bluetooth Accessories Using Google Fast Pair
        "Google Fast Pair enables one-tap pairing and account synchronisation across supported Bluetooth accessories. While Fast Pair has been adopted by many popular consumer brands, we discovered that many flagship products have not implemented Fast Pair correctly, introducing a flaw that allows an attacker to hijack devices and track victims using Google's Find Hub network. We introduce WhisperPair, a family of practical attacks that leverages a flaw in the Fast Pair implementation on flagship audio accessories. Our findings show how a small usability 'add-on' can introduce large-scale security and privacy risks for hundreds of millions of users."
        https://whisperpair.eu/
        https://www.bleepingcomputer.com/news/security/critical-flaw-lets-hackers-track-eavesdrop-via-bluetooth-audio-devices/
      • CodeBreach: Infiltrating The AWS Console Supply Chain And Hijacking AWS GitHub Repositories Via CodeBuild
        "Wiz Research uncovered CodeBreach, a critical vulnerability that placed the AWS Console supply chain at risk. The issue allowed a complete takeover of key AWS GitHub repositories - most notably the AWS JavaScript SDK, a core library that powers the AWS Console. By exploiting CodeBreach, attackers could have injected malicious code to launch a platform-wide compromise, potentially affecting not just the countless applications depending on the SDK, but the Console itself, threatening every AWS account."
        https://www.wiz.io/blog/wiz-research-codebreach-vulnerability-aws-codebuild
        https://thehackernews.com/2026/01/aws-codebuild-misconfiguration-exposed.html
        https://www.infosecurity-magazine.com/news/codebuild-flaw-aws-console-risk/
        https://www.theregister.com/2026/01/15/codebuild_flaw_aws/
      • New ‘StackWarp’ Attack Threatens Confidential VMs On AMD Processors
        "A team of researchers from the CISPA Helmholtz Center for Information Security in Germany has disclosed the details of a new hardware vulnerability affecting AMD processors. Dubbed StackWarp, the issue has been found to impact AMD Zen 1 through Zen 5 processors, enabling an attacker to hack confidential virtual machines (CVMs). The researchers described StackWarp as a software-based architectural attack that “exploits a synchronization failure in the stack engine that manages stack pointer updates in the CPU frontend”."
        https://www.securityweek.com/new-stackwarp-attack-threatens-confidential-vms-on-amd-processors/
        https://www.theregister.com/2026/01/15/stackwarp_bug_amd_cpus/
      • Claude Cowork Exfiltrates Files
        "Two days ago, Anthropic released the Claude Cowork research preview (a general-purpose AI agent to help anyone with their day-to-day work). In this article, we demonstrate how attackers can exfiltrate user files from Cowork by exploiting an unremediated vulnerability in Claude’s coding environment, which now extends to Cowork. The vulnerability was first identified in Claude.ai chat before Cowork existed by Johann Rehberger, who disclosed the vulnerability — it was acknowledged but not remediated by Anthropic."
        https://www.promptarmor.com/resources/claude-cowork-exfiltrates-files
        https://www.theregister.com/2026/01/15/anthropics_claude_bug_cowork/

      Malware

      • Planned Failure: Gootloader’s Malformed ZIP Actually Works Perfectly
        "The Gootloader developer has been involved in ransomware for a long time. Their role within ransomware has been initial access: getting the foot in the door. Once the malware runs on a system, they hand their access to someone else. In being responsible for this job, the Gootloader developer has incentive to ensure that their malware receives a low detection score and can bypass most security tools. They’ve been very successful with this over the years. In years past, Gootloader malware made up 11% of all malware we saw bypassing other security tools."
        https://expel.com/blog/gootloaders-malformed-zip/
        https://www.bleepingcomputer.com/news/security/gootloader-now-uses-1-000-part-zip-archives-for-stealthy-delivery/
      • UAT-8837 Targets Critical Infrastructure Sectors In North America
        "Cisco Talos is closely tracking UAT-8837, a threat actor we assess with medium confidence is a China-nexus advanced persistent threat (APT) actor based on overlaps in tactics, techniques, and procedures (TTPs) with those of other known China-nexus threat actors. Based on UAT-8837's TTPs and post-compromise activity Talos has observed across multiple intrusions, we assess with medium confidence that this actor is primarily tasked with obtaining initial access to high-value organizations. Although UAT-8837's targeting may appear sporadic, since at least 2025, the group has clearly focused on targets within critical infrastructure sectors in North America."
        https://blog.talosintelligence.com/uat-8837/
        https://therecord.media/china-hackers-apt-cisco-talos
      • New Remcos Campaign Distributed Through Fake Shipping Document
        "FortiGuard Labs discovered a new phishing campaign in the wild. The campaign delivers a new variant of Remcos, a commercial lightweight remote access tool (RAT) with a wide range of capabilities, including system resource management, remote surveillance, network management, and Remcos agent management. I conducted an in-depth investigation into this malicious campaign. This analysis covers how the phishing email initializes the attack, how the attached Word document downloads an RTF file, the vulnerability the attack leverages within the RTF file, the VBScript and PowerShell code, how a fileless .NET module is loaded and executed in a PowerShell process, and how the fileless Remcos agent is downloaded and loaded using process hollowing."
        https://www.fortinet.com/blog/threat-research/new-remcos-campaign-distributed-through-fake-shipping-document
      • New PayPal Scam Sends Verified Invoices With Fake Support Numbers
        "A new phishing scam is leveraging PayPal’s legitimate invoice system to trick unsuspecting users, even appearing with the coveted “blue tick” verification mark in their inboxes. This sophisticated attack is bypassing traditional email security filters and leaving even tech-savvy individuals confused. Hackread.com has obtained direct evidence of this escalating threat, confirming that attackers are exploiting PayPal’s own services to send fraudulent money requests, making them appear entirely authentic."
        https://hackread.com/paypal-scam-verified-invoices-fake-support-numbers/
      • Browser Extensions Gone Rogue: The Full Scope Of The GhostPoster Campaign
        "Last month, researchers at Koi Security published a detailed analysis of a malicious Firefox extension they dubbed GhostPoster – a browser-based malware leveraging an uncommon and stealthy payload delivery method: steganography within a PNG icon file. This innovative approach allowed the malware to evade traditional extension security reviews and static analysis tools. Following their publication, our investigation identified 17 additional extensions associated with the same infrastructure and tactics, techniques, and procedures (TTPs). Collectively, these extensions were downloaded over 840,000 times, with some remaining active in the wild for up to five years."
        https://layerxsecurity.com/blog/browser-extensions-gone-rogue-the-full-scope-of-the-ghostposter-campaign/
        https://hackread.com/ghostposter-browser-malware-840000-installs/
      • New CastleLoader Variant Linked To 469 Infections Across Critical Sectors
        "A new name is surfacing in cyber intelligence reports that has security teams on edge. Known as CastleLoader, it has become a go-to tool for attackers targeting high-security environments since early 2025. As Hackread.com reported in December 2025, earlier versions of CastleLoader were analysed in July and August 2025. Cybersecurity analysis firm ANY.RUN has now detected a newer and more stealthy version."
        https://hackread.com/castleloader-variant-infections-critical-sectors/
      • Ransomware: Tactical Evolution Fuels Extortion Epidemic
        "The cyber-extortion epidemic reached new heights in 2025, with a record number of attacks recorded. As outlined in our new whitepaper, this increase is being powered by a new breed of attackers who eschew encryption and rely solely on data theft as leverage for extortion. By using zero-day vulnerabilities or exploiting weaknesses in the software supply chain, attackers can steal data from even the best-defended organizations before they become aware of the issue."
        https://www.security.com/threat-intelligence/ransomware-extortion-epidemic
        https://sed-cms.broadcom.com/sites/default/files/2026-01/RWN-2026-WP100_1.pdf
        https://www.infosecurity-magazine.com/news/hackers-shun-encryption-in-favour/
      • LOTUSLITE: Targeted Espionage Leveraging Geopolitical Themes
        "Acronis Threat Research Unit (TRU) has been actively monitoring malware campaigns and threat activity leveraging recent geopolitical developments between the United States and Venezuela as thematic lures. During this tracking, TRU identified a targeted campaign delivering a previously undocumented DLL-based backdoor, tracked as LOTUSLITE, aimed at U.S. government–related entities."
        https://www.acronis.com/en/tru/posts/lotuslite-targeted-espionage-leveraging-geopolitical-themes/
        https://www.theregister.com/2026/01/15/chinese_spies_used_maduros_capture/
      • Sicarii Ransomware: Truth Vs Myth
        "In December 2025, a previously unknown Ransomware-as-a-Service (RaaS) operation calling itself Sicarii began advertising its services across multiple underground platforms. The group’s name references the Sicarii, a 1st-century Jewish assassins group that opposed Roman rule in Judea. From its initial appearance, the Sicarii ransomware group distinguished itself through unusually explicit and persistent use of Israeli and Jewish symbolism in its branding, communications, and malware logic."
        https://research.checkpoint.com/2026/sicarii-ransomware-truth-vs-myth/
      • Inside China’s Hosting Ecosystem: 18,000+ Malware C2 Servers Mapped Across Major ISPs
        "Threat hunting often begins with a single indicator, such as a suspicious IP address, a beaconing domain, or a known malware family. Looking at those indicators individually makes the underlying infrastructure easy to miss. While analyzing malicious activity across Chinese hosting environments, we repeatedly observed the same networks and providers appearing across unrelated campaigns. Commodity malware, phishing operations, and state-linked tooling were often hosted side by side within the same infrastructure, even as individual IPs and domains changed."
        https://hunt.io/blog/china-hosting-malware-c2-infrastructure

      Breaches/Hacks/Leaks

      • Grubhub Confirms Hackers Stole Data In Recent Security Breach
        "Food delivery platform Grubhub has confirmed a recent data breach after hackers accessed its systems, with sources telling BleepingComputer the company is now facing extortion demands. "We're aware of unauthorized individuals who recently downloaded data from certain Grubhub systems," Grubhub told BleepingComputer. "We quickly investigated, stopped the activity, and are taking steps to further increase our security posture. Sensitive information, such as financial information or order history, was not affected.""
        https://www.bleepingcomputer.com/news/security/grubhub-confirms-hackers-stole-data-in-recent-security-breach/
      • ICE Agent Doxxing Site DDoS-Ed Via Russian Servers
        "A controversial website launched following an apparent insider breach at the Department of Homeland Security (DHS) has been taken offline by a sustained DDoS attack, its founder has revealed. Dominick Skinner told The Daily Beast that his ICE List site is being hit with a “prolonged and sophisticated” cyber-attack which began on Tuesday evening. At the time of writing, it was still down, making it impossible for interested parties to uncover the identities of agents working for US Immigration and Customs Enforcement (ICE) and Border Patrol."
        https://www.infosecurity-magazine.com/news/ice-agent-doxxing-site-ddosed/

      General News

      • CISOs Flag Gaps In Third-Party Risk Management
        "Third-party cyber risk continues to concern security leaders as vendor ecosystems grow, supply chains stretch, and AI plays a larger role in business operations. A recent Panorays survey of U.S. CISOs shows rising third-party incidents and growing regulatory attention, while visibility beyond direct vendors and the resources to manage that risk continue to fall short."
        https://www.helpnetsecurity.com/2026/01/15/panorays-cisos-ai-vendor-risk/
      • Cybersecurity Spending Keeps Rising, So Why Is Business Impact Still Hard To Explain?
        "Cybersecurity budgets keep climbing, but many security leaders still struggle to explain what that spending delivers to the business. A new study by Expel examines that disconnect through a survey of security and finance executives at large enterprises. The research looks at how the two groups view risk, investment decisions, and their working relationship."
        https://www.helpnetsecurity.com/2026/01/15/expel-cybersecurity-investment-decisions/
      • The NSA Lays Out The First Steps For Zero Trust Adoption
        "Security pros often say that zero trust sounds straightforward until they try to apply it across real systems, real users, and real data. Many organizations are still sorting out what they own, how access works, and where authority sits. That day-to-day reality is the context for a new set of implementation documents released by the National Security Agency."
        https://www.helpnetsecurity.com/2026/01/15/nsa-zero-trust-implementation-guidelines/
        https://media.defense.gov/2026/Jan/08/2003852320/-1/-1/0/CTR_ZERO_TRUST_IMPLEMENTATION_GUIDELINE_PRIMER.PDF
      • Microsoft Remains The Most Imitated Brand In Phishing Attacks In Q4 2025
        "In Q4 2025, Microsoft once again ranked as the most impersonated brand in phishing attacks, accounting for 22% of all brand phishing attempts, according to data from Check Point Research. This continues a multi-quarter trend in which attackers increasingly abuse trusted enterprise and consumer brands to harvest credentials and gain initial access. Google followed in second place with 13%, while Amazon climbed into third position at 9%, fueled by Black Friday and holiday sales, overtaking Apple. After a prolonged absence, Facebook (Meta) re-entered the top 10, landing in fifth place, highlighting renewed interest among attackers in social media account takeover."
        https://blog.checkpoint.com/research/microsoft-remains-the-most-imitated-brand-in-phishing-attacks-in-q4-2025/
      • Winter Olympics Could Share Podium With Cyberattackers
        "When the Milano Cortina Winter Games begin Feb. 6, it won't be just the athletes hunting for gold, but cybercriminals as well. Everything is on the table, experts warn — from Wi-Fi and digital infrastructure disruptions like those seen at the 2018 Winter Olympics in PyeongChang, to distributed denial-of-service (DDoS) and ransomware attacks of the sort French authorities faced during the 2024 Olympics. State-linked cyber espionage could be part of the mix too."
        https://www.darkreading.com/remote-workforce/winter-olympics-podium-cyberattackers
      • Vulnerabilities Surge, But Messy Reporting Blurs Picture
        "Another year, another record for vulnerability reports. For the ninth year in a row, the number of reported vulnerabilities set a new record, with 48,177 issues assigned a 2025 Common Vulnerabilities and Exposures (CVE) identifier, according to data analyzed from the National Vulnerability Database (NVD). While the deluge of security issues complicates companies' efforts to prioritize their patching processes, ongoing changes in the CVE-reporting ecosystem have more to do with the surge than an increase in cybersecurity risk."
        https://www.darkreading.com/cybersecurity-analytics/vulnerabilities-surge-messy-reporting-blurs-picture
        https://jerrygamblin.com/2026/01/01/2025-cve-data-review/
      • Years-Old Apache Struts2 Vulnerability Downloaded 387K+ Times In The Past Week
        "Apache Struts has a newly disclosed vulnerability, CVE-2025-68493, affecting Struts' XWork component and raising renewed concern about unsafe XML handling and XXE-style risk in certain deployments. According to NVD, affected versions span Struts 2.0.0 up to 6.1.0, with 6.1.1 identified as the fixed release. What makes this disclosure especially urgent is what we're seeing in Maven Central download telemetry: in just the past 7 days, we observed 387,549 downloads of org.apache.struts:*, and ~98% of that activity was concentrated on end-of-life (EOL) Struts 2.x lines with only ~1.8% on Struts 6.0.0 – 6.1.0."
        https://www.sonatype.com/blog/years-old-apache-struts2-vulnerability-downloaded-325k-times-in-the-past-week
        https://hackread.com/years-old-vulnerable-apache-struts-2-downloads/
      • LinkedIn Wants To Make Verification a Portable Trust Signal
        "In this Help Net Security interview, Oscar Rodriguez, VP Trust Product at LinkedIn, discusses how verification is becoming a portable trust signal across the internet. He explains how LinkedIn is extending professional identity beyond its platform to address rising AI-driven fraud, impersonation, and online scams. Rodriguez also outlines how LinkedIn views its role in digital trust alongside platforms, partners, and existing identity systems."
        https://www.helpnetsecurity.com/2026/01/15/oscar-rodriguez-linkedin-identity-verification/
      • QR Codes Are Getting Colorful, Fancy, And Dangerous
        "QR codes have become a routine part of daily life, showing up on emails, posters, menus, invoices, and login screens. Security-savvy users have learned to treat links with caution, but QR codes still carry an assumption of safety. Researchers from Deakin University have examined how visually stylized QR codes are being used in quishing attacks. Their study introduces a detection method that evaluates QR codes based on their structure rather than the link they contain, with a focus on visually stylized designs that use colors, shapes, logos, and background images."
        https://www.helpnetsecurity.com/2026/01/15/fancy-qr-codes-phishing-risk/
        https://arxiv.org/pdf/2601.06768
      • CISO Role Reaches “Inflexion Point” With Executive-Level Titles
        "The role of chief information security officer (CISO) is now more likely to be regarded as an executive-level position than VP or director, signifying its growing importance to the business, according to IANS. The research and advisory firm put together its 2026 State of the CISO Report based on interviews with 662 North American CISOs. It revealed that 46% of respondents now hold executive titles (e.g., EVP, SVP), while 27% are VPs and 27% are directors. This indicates a “structural shift” in the security leadership landscape, IANS claimed."
        https://www.infosecurity-magazine.com/news/ciso-role-inflexion-point/
      • Forget Predictions: True 2026 Cybersecurity Priorities From Leaders
        "Every December and January we see multiple public relations-driven “next year predictions” and these predictions are, unsurprisingly, self-serving to their clients. Why not go straight to the source? For this article, I spoke with several security leaders and asked them all the same question: “What people, process, or technology shift will help you most to do your job more efficiently in 2026?”"
        https://www.securityweek.com/forget-predictions-true-2026-cybersecurity-priorities-from-leaders/
      • Insider Threats: Turning 2025 Intelligence Into a 2026 Defense Strategy
        "Every organization houses sensitive assets that threat actors actively seek. Whether it is proprietary trade secrets, intellectual property, or the personally identifiable information (PII) of employees and customers, these datasets are the lifeblood of the modern enterprise—and highly lucrative commodities within the illicit underground. In 2025, Flashpoint observed 91,321 instances of insider recruiting, advertising, and threat actor discussions involving insider-related illicit activity. This underscores a critical reality—it is far more efficient for threat actors to recruit an “insider” to circumvent multi-million dollar security stacks than it is to develop a complex exploit from the outside."
        https://flashpoint.io/blog/insider-threats-2025-intelligence-2026-strategy/

      References
      Electronic Transactions Development Agency (ETDA)

      Posted in Cyber Security News
      NCSA_THAICERT
    • Cyber Threat Intelligence 15 January 2026

      Industrial Sector

      • Western Cyber Agencies Warn About Threats To Industrial Operational Technology
        "A group of Western cyber agencies warned on Wednesday about the growing digital threats facing the operational technology at the heart of industrial systems. New guidance issued by Britain’s National Cyber Security Centre (NCSC), a part of signals and cyber intelligence agency GCHQ, sets out how organizations should securely connect equipment such as industrial control systems, sensors and other critical services. These types of technology are often at the heart of critical infrastructure, from energy generation plants through to water treatment facilities, manufacturing lines and transportation networks."
        https://therecord.media/cyber-agencies-warn-of-industrial-system-threats
        https://www.ncsc.gov.uk/files/ncsc-secure-connectivity-for-operational-technology.pdf

      New Tooling

      • CISO Assistant: Open-Source Cybersecurity Management And GRC
        "CISO Assistant is an open-source governance, risk, and compliance (GRC) platform designed to help security teams document risks, controls, and framework alignment in a structured system. The community edition is maintained as a self-hosted tool for organizations that want direct access to the code and data. The community edition focuses on foundational GRC functions. It allows teams to define assets, document risks, create controls, and map those controls to security and compliance frameworks. All of these elements are connected through a shared data model that emphasizes traceability."
        https://www.helpnetsecurity.com/2026/01/14/ciso-assistant-open-source-cybersecurity-management-grc/
        https://github.com/intuitem/ciso-assistant-community

      Vulnerabilities

      • Fortinet Patches Critical Vulnerabilities In FortiFone, FortiSIEM
        "Fortinet on Tuesday announced patches for six vulnerabilities across its products, including two critical-severity bugs in FortiFone and FortiSIEM. The most severe of these flaws is CVE-2025-64155 (CVSS score of 9.4), an OS command injection issue in FortiSIEM that could be exploited by unauthenticated attackers for code and command execution. Exploitable via crafted TCP requests, the security defect was resolved in FortiSIEM versions 7.1.9, 7.2.7, 7.3.5, and 7.4.1."
        https://www.securityweek.com/fortinet-patches-critical-vulnerabilities-in-fortifone-fortisiem/
        https://thehackernews.com/2026/01/fortinet-fixes-critical-fortisiem-flaw.html
        https://securityaffairs.com/186902/security/fortinet-fixed-two-critical-flaws-in-fortifone-and-fortisiem.html
      • Chrome 144, Firefox 147 Patch High-Severity Vulnerabilities
        "Google and Mozilla on Tuesday announced the release of Chrome 144 and Firefox 147 with patches for a total of 26 vulnerabilities. Chrome 144 was rolled out to the stable channel with fixes for 10 security defects, including three high-severity bugs. Two of the high-severity flaws affect V8, the browser’s JavaScript and WebAssembly engine: CVE-2026-0899 is an out-of-bounds memory access issue, while CVE-2026-0900 is an inappropriate implementation weakness."
        https://www.securityweek.com/chrome-144-firefox-147-patch-high-severity-vulnerabilities/
      • CVE-2025-64155: Three Years Of Remotely Rooting The Fortinet FortiSIEM
        "In August of 2025, Fortinet released an advisory for CVE-2025-25256, a command injection vulnerability which affected the FortiSIEM appliance. After the August advisory, we decided to dive in and assess the situation, ultimately leading to the discovery of:
          • An unauthenticated argument injection vulnerability resulting in arbitrary file write allowing for remote code execution as the admin user
          • A file overwrite privilege escalation vulnerability leading to root access
        These vulnerabilities were reported and assigned CVE-2025-64155. Our proof of concept exploit can be found on our GitHub."
        https://horizon3.ai/attack-research/disclosures/cve-2025-64155-three-years-of-remotely-rooting-the-fortinet-fortisiem/
        https://www.bleepingcomputer.com/news/security/exploit-code-public-for-critical-fortisiem-command-injection-flaw/
      • CISA Adds One Known Exploited Vulnerability To Catalog
        "CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
        CVE-2026-20805 Microsoft Windows Information Disclosure Vulnerability"
        https://www.cisa.gov/news-events/alerts/2026/01/13/cisa-adds-one-known-exploited-vulnerability-catalog
        https://therecord.media/desktop-windows-manager-vulnerability-added-to-cisa-list
        https://securityaffairs.com/186898/security/u-s-cisa-adds-a-flaw-in-microsoft-windows-to-its-known-exploited-vulnerabilities-catalog.html
      • Mitigating Denial-Of-Service Vulnerability From Unrecoverable Stack Space Exhaustion For React, Next.js, And APM Users
        "Node.js/V8 makes a best-effort attempt to recover from stack space exhaustion with a catchable error, which frameworks have come to rely on for service availability. A bug that only reproduces when async_hooks are used would break this attempt, causing Node.js to exit with 7 directly without throwing a catchable error when recursions in user code exhaust the stack space. This makes applications whose recursion depth is controlled b
        https://nodejs.org/en/blog/vulnerability/january-2026-dos-mitigation-async-hooks
        https://thehackernews.com/2026/01/critical-nodejs-vulnerability-can-cause.html

      Malware

      • ConsentFix Debrief: Insights From The New OAuth Phishing Attack
        "In December, the Push Security research team discovered and blocked a brand new attack technique that we coined ConsentFix. This technique merged ClickFix-style social engineering with OAuth consent phishing to hijack Microsoft accounts. We saw this attack running across a large network of compromised websites that attackers were injecting the malicious payload into, forming a large-scale campaign that was detected across multiple customer estates."
        https://www.bleepingcomputer.com/news/security/consentfix-debrief-insights-from-the-new-oauth-phishing-attack/
      • Predator's Kill Switch: Undocumented Anti-Analysis Techniques In iOS Spyware
        "In December 2024, Google's Threat Intelligence Group (GTIG) published extensive research on Intellexa's Predator spyware, documenting its zero-day exploit chains and the PREYHUNTER stager component. Their research identified that the "watcher" module detects developer mode, jailbreak tools, security applications and network interception configurations. However, while conducting independent reverse engineering of a Predator sample, Jamf Threat Labs discovered several undocumented mechanisms that reveal how sophisticated this spyware's anti-analysis capabilities truly are."
        https://www.jamf.com/blog/predator-spyware-anti-analysis-techniques-ios-error-codes-detection/
        https://cyberscoop.com/predator-spyware-demonstrates-troubleshooting-researcher-dodging-capabilities/
        https://www.securityweek.com/predator-spywares-granular-anti-analysis-features-exposed/
      • Microsoft Disrupts Global Cybercrime Subscription Service Responsible For Millions In Fraud Losses
        "Today, Microsoft is announcing a coordinated legal action in the United States and, for the first time, the United Kingdom to disrupt RedVDS, a global cybercrime subscription service fueling millions in fraud losses. These efforts are part of a broader joint operation with international law enforcement, including German authorities and Europol, which has allowed Microsoft and its partners to seize key malicious infrastructure and take the RedVDS marketplace offline, a major step toward dismantling the networks behind AI-enabled fraud, such as real estate scams."
        https://blogs.microsoft.com/on-the-issues/2026/01/14/microsoft-disrupts-cybercrime/
        https://www.darkreading.com/threat-intelligence/microsoft-disrupts-cybercrime-service-redvds
        https://therecord.media/microsoft-redvds-cybercrime-scam
        https://cyberscoop.com/microsoft-seizes-disrupts-redvds-cybercrime-marketplace/
        https://www.infosecurity-magazine.com/news/criminal-subscription-service/
        https://www.securityweek.com/redvds-cybercrime-service-disrupted-by-microsoft-and-law-enforcement/
      • Inside The Latest PayPal Scam: RMM Abuse And Credential Theft
        "Over the past two months, cybercriminals have increasingly abused Remote Monitoring and Management (RMM) tools in multi-stage attack campaigns. These attacks often begin with phishing emails disguised as holiday party invitations, overdue invoices, tax notices, Zoom meeting requests, or document signing notifications. While these lures appear harmless, their true intent is credential theft and unauthorized access. Recent public research released on November 19, 2025, highlighted this trend, noting that attackers frequently use seasonal lures such as “Party Invitation” or “December Holiday Party” to trick victims into engaging with malicious content."
        https://www.cyberproof.com/blog/inside-the-latest-paypal-scam-rmm-abuse-and-credential-theft/
        https://www.infosecurity-magazine.com/news/hackers-fake-paypal-notices-deploy/
      • DeadLock Ransomware Group Utilizes Polygon Smart Contracts
        "A newly emerged digital extortion group is using blockchain smart contracts to store proxy server addresses for facilitating ransomware negotiations with victim organizations. The DeadLock ransomware group - it dates to July 2025 - has been using smart contracts on Polygon, a cryptocurrency blockchain platform designed to run alongside the Ethereum blockchain. Known as "EtherHiding," the technique embeds malicious instructions in blockchain smart contracts. In many cases, such activities leave no trace. Devotees have included a North Korean nation-state group targeting developers and cryptocurrency firms and a financially motivated cybercrime group (see: Hackers Use Blockchain to Hide Malware in Plain Sight)."
        https://www.bankinfosecurity.com/deadlock-ransomware-group-utilizes-polygon-smart-contracts-a-30518
        https://www.infosecurity-magazine.com/news/deadlock-polygon-smart-contracts/
        https://www.theregister.com/2026/01/14/deadlock_ransomware_smart_contracts/
      • How Real Software Downloads Can Hide Remote Backdoors
        "It starts with a simple search. You need to set up remote access to a colleague’s computer. You do a Google search for “RustDesk download,” click one of the top results, and land on a polished website with documentation, downloads, and familiar branding. You install the software, launch it, and everything works exactly as expected. What you don’t see is the second program that installs alongside it—one that quietly gives attackers persistent access to your computer."
        https://www.malwarebytes.com/blog/threat-intel/2026/01/how-real-software-downloads-can-hide-remote-backdoors
      • Researchers Null-Route Over 550 Kimwolf And Aisuru Botnet Command Servers
        "The Black Lotus Labs team at Lumen Technologies said it null-routed traffic to more than 550 command-and-control (C2) nodes associated with the AISURU/Kimwolf botnet since early October 2025. AISURU and its Android counterpart, Kimwolf, have emerged as some of the biggest botnets in recent times, capable of directing enslaved devices to participate in distributed denial-of-service (DDoS) attacks and relay malicious traffic for residential proxy services."
        https://thehackernews.com/2026/01/kimwolf-botnet-infected-over-2-million.html
        https://cyberscoop.com/kimwolf-aisuru-botnet-lumen-technologies/
      • Hiding In Plain Sight: Deconstructing The Multi-Actor DLL Sideloading Campaign Abusing Ahost.exe
        "The Trellix Advanced Research Center has uncovered an active malware campaign that exploits a DLL sideloading vulnerability within the legitimate ahost.exe utility. This utility is a component of the open-source c-ares library (used for asynchronous DNS lookups) and is commonly bundled within Git for Windows installations, including those embedded in developer tools like GitKraken or GitHub Desktop. Attackers achieve evasion by pairing a malicious libcares-2.dll with any signed version of the legitimate ahost.exe (which they often rename) to execute their code. This DLL sideloading technique allows the malware to bypass traditional signature-based security defenses."
        https://www.trellix.com/en-au/blogs/research/hiding-in-plain-sight-multi-actor-ahost-exe-attacks/
        https://thehackernews.com/2026/01/hackers-exploit-c-ares-dll-side-loading.html
      • Reprompt: The Single-Click Microsoft Copilot Attack That Silently Steals Your Personal Data
        "Varonis Threat Labs uncovered a new attack flow, dubbed Reprompt, that gives threat actors an invisible entry point to perform a data‑exfiltration chain that bypasses enterprise security controls entirely and accesses sensitive data without detection — all from one click. First discovered in Microsoft Copilot Personal, Reprompt is important for multiple reasons:"
        https://www.varonis.com/blog/reprompt
        https://www.bleepingcomputer.com/news/security/reprompt-attack-let-hackers-hijack-microsoft-copilot-sessions/
      • NFC Skimming Attacks
        "Thanks to the convenience of NFC and smartphone payments, many people no longer carry wallets or remember their bank card PINs. All their cards reside in a payment app, and using that is quicker than fumbling for a physical card. Mobile payments are also secure — the technology was developed relatively recently and includes numerous anti-fraud protections. Still, criminals have invented several ways to abuse NFC and steal your money. Fortunately, protecting your funds is straightforward: just know about these tricks and avoid risky NFC usage scenarios."
        https://www.kaspersky.com/blog/nfc-gate-relay-attacks-2026/55116/

      Breaches/Hacks/Leaks

      • Victorian Department Of Education Says Hackers Stole Students’ Data
        "The Department of Education in Victoria, Australia, notified parents that attackers accessed a database containing the personal information and email addresses of current and former students, prompting password resets. The department disclosed the breach in letters sent to parents, stating that an unauthorized third party accessed students' names, school names, year levels, and school-issued email addresses, as well as encrypted passwords for accounts that use them."
        https://www.bleepingcomputer.com/news/security/victorian-department-of-education-notifies-parents-of-data-breach/
      • Monroe University Says 2024 Data Breach Affects 320,000 People
        "Monroe University revealed that threat actors stole the personal, financial, and health information of over 320,000 people after breaching its systems in a December 2024 cyberattack. Founded in 1933 as a Bronx secretarial school, Monroe University is now a private institution with over 9,000 students each year across campuses in New York (Bronx and New Rochelle), and in the Caribbean nation of Saint Lucia. As the school explained in data breach notifications filed with the Office of the Maine Attorney General this week, the attackers had access to its network for 2 weeks, from December 9 to December 23."
        https://www.bleepingcomputer.com/news/security/monroe-university-says-2024-data-breach-affects-320-000-people/
      • Hacker Claims Full Breach Of Russia’s Max Messenger, Threatens Public Leak
        "A hacker using the alias CamelliaBtw has claimed responsibility for a major data breach involving Max Messenger, according to a post published yesterday on the DarkForums cybercrime marketplace and hacker forum. The forum thread, titled “Max Messenger – Full User Infrastructure & SQL Dump,” alleges that the attacker gained complete access to the messaging platform’s production systems exactly one year after its public launch. The post describes what would amount to a total compromise of user data, backend infrastructure, and proprietary source code."
        https://hackread.com/hacker-russia-max-messenger-breach-data-leak/
      • Eurail Passengers Taken For a Ride As Data Breach Spills Passports, Bank Details
        "Eurail has confirmed customer information was stolen in a data breach, according to notification emails sent out this week. The European travel company, also known as Interrail to EU residents, initially posted the news on January 10, but affected customers, the number of whom was not disclosed, began receiving emails on January 13."
        https://www.theregister.com/2026/01/14/eurail_breach/

      General News

      • International Threats: How Malware Campaigns Vary Across Non-English Languages
        "Cofense Intelligence relies on over 35 million trained employees from around the world. As a result, a considerable number of analyzed campaigns are written in languages other than English. This report covers from May 2023 to May 2025, providing a historical perspective that demonstrates long-term patterns and trends seen over the last several years. It focuses on the malware families delivered by campaigns bypassing secure email gateways (SEGs) in the top five languages, excluding English, most commonly seen delivering malware by Cofense Intelligence."
        https://cofense.com/blog/international-threats-how-malware-campaigns-vary-across-non-english-languages
      • Retail, Services Industries Under Fire In Oceania
        "New data suggests that in Australia and New Zealand, hackers are increasingly targeting companies in non-critical sectors like retail and construction. Cyble's "Threat Landscape Report 2024" for Australia and New Zealand focused on the threat to industries critical to the functioning of modern society: government, healthcare, and finance, for example. These are the kinds of sectors that tend to top most cybersecurity year-in-review lists — they carry the most significance to state-level attackers, and have the most money floating around for cybercriminals."
        https://www.darkreading.com/cybersecurity-analytics/retail-services-industries-oceania
      • Survey: Rapid AI Adoption Causes Major Cyber Risk Visibility Gaps
        "As software supply chains become longer and more interconnected, enterprises have become well aware of the need to protect themselves against third-party vulnerabilities. However, the rampant adoption of artificial intelligence chatbots and AI agents means they’re struggling to do this. On the contrary, the majority of organizations are exposing themselves to unknown risks by allowing employees to access AI services and software packages that include AI integrations, with little oversight. This revelation is one of the main findings of Panorays’ latest CISO Survey for Third-Party Cyber Risk Management, which revealed that 60% of CISOs rate AI vendors as “uniquely risky,” primarily due to their opaque nature."
        https://hackread.com/survey-rapid-ai-adoption-cyber-risk-visibility-gaps/
        https://panorays.com/resources/reports-whitepapers/2026-ciso-survey/
      • How Cybercrime Markets Launder Breach Proceeds And What Security Teams Miss
        "A corporate customer database is breached on a quiet Sunday night. Millions of credentials and card numbers are quietly exfiltrated, sorted, and listed on a well‑known fraud shop on a cybercrime forum. Over the next few days, small crews buy slices of that data and start testing logins, draining loyalty points, taking over e‑commerce accounts, and running carding scripts against online merchants. The successful hits are funnelled into mule accounts and digital wallets. From there, the proceeds converge. Balances spread across multiple services are swept into a single exchange and converted into liquid, dollar‑pegged assets for rapid movement across chains and borders."
        https://hackread.com/cybercrime-markets-stablecoins-launder-breach-proceeds/
      • Firmware Scanning Time, Cost, And Where Teams Run EMBA
        "Security teams that deal with connected devices often end up running long firmware scans overnight, checking progress in the morning, and trying to explain to colleagues why a single image consumed a workday of compute time. That routine sets the context for a new research paper that examines how the EMBA firmware analysis tool behaves when it runs in different environments."
        https://www.helpnetsecurity.com/2026/01/14/emba-iot-firmware-security/
        https://www.preprints.org/frontend/manuscript/46bc80aec11f8fa7c0eb1e55f5634d27/download_pub
      • How AI Image Tools Can Be Tricked Into Making Political Propaganda
        "A single image can shift public opinion faster than a long post. Text to image systems can be pushed to create misleading political visuals, even when safety filters are in place, according to a new study. The researchers examined whether commercial text to image tools can be tricked into producing politically sensitive images of actual public figures. They focused on scenes that could be used for propaganda or disinformation, such as elected leaders holding extremist symbols or performing gestures tied to hate movements. Tests were carried out on GPT-4o, GPT-5, and GPT-5.1, using the gpt-image-1 image generator through standard web interfaces."
        https://www.helpnetsecurity.com/2026/01/14/ai-generated-political-propaganda-study/
        https://arxiv.org/pdf/2601.05150
      • G7 Sets 2034 Deadline For Finance To Adopt Quantum-Safe Systems
        "Financial businesses and public entities should have fully transitioned to post-quantum cryptography (PQC) by 2034 at the latest, according to the G7. In a new document published on January 13, the G7 Cyber Expert Group (CEG) set a recommended roadmap for financial entities to test, migrate and fully transition to quantum-resistant cryptographic systems in order to anticipate the risk of potential quantum-enabled cyber-attacks in the future that would break current cryptographic systems."
        https://www.infosecurity-magazine.com/news/g7-2034-deadline-finance-pqc/
        https://home.treasury.gov/system/files/136/G7-CEG-Quantum-Roadmap.pdf

      References
      Electronic Transactions Development Agency (ETDA)

      Posted in Cyber Security News
      NCSA_THAICERT