สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

Cyber Security Agency of Singapore (CSA)ได้เผยแพร่เกี่ยวกับ นักวิจัยด้านความปลอดภัยได้ค้นพบช่องโหว่ในระบบ OneDrive File Picker ของ Microsoft ซึ่งอาจเปิดช่องให้แอปพลิเคชันของบุคคลที่สามสามารถเข้าถึงพื้นที่จัดเก็บข้อมูลใน OneDrive ของผู้ใช้ได้อย่างเต็มรูปแบบ แม้ว่าผู้ใช้จะตั้งใจเพียงแค่อัปโหลดไฟล์เดียวเท่านั้น

ช่องโหว่นี้เกิดขึ้นในกระบวนการทำงานของ OneDrive File Picker ซึ่งอนุญาตให้แอปพลิเคชันของบุคคลที่สามสามารถใช้สิทธิ์เข้าถึงข้อมูลบน OneDrive ผ่าน OAuth โดยช่องโหว่นี้อาจทำให้แอปฯ ได้สิทธิ์เข้าถึงทั้งบัญชี แทนที่จะจำกัดอยู่เพียงไฟล์เดียวที่ผู้ใช้เลือก

ผลกระทบ
หากมีการโจมตีสำเร็จ แอปพลิเคชันของบุคคลที่สามอาจเข้าถึงข้อมูลทั้งหมดใน OneDrive ของผู้ใช้ได้โดยไม่ได้รับอนุญาต ซึ่งอาจนำไปสู่การอ่าน แก้ไข หรือลบข้อมูลโดยที่ผู้ใช้ไม่ตั้งใจ ส่งผลให้เกิดการสูญหายของข้อมูลและการละเมิดกฎระเบียบด้านความปลอดภัยของข้อมูล

ผลิตภัณฑ์ที่ได้รับผลกระทบ
ช่องโหว่นี้ส่งผลกระทบต่อแอปพลิเคชันใดๆ ที่ใช้ OneDrive File Picker ของ Microsoft เพื่อขอสิทธิ์ผ่าน OAuth รวมถึงบัญชี OneDrive ส่วนบุคคลและธุรกิจในชุด Microsoft 365 และแอปฯ ที่ใช้ OAuth consent flow เพื่อขอสิทธิ์การเข้าถึง OneDrive

แนวทางป้องกัน
ผู้ใช้งานและผู้ดูแลระบบควรตรวจสอบและเพิกถอนสิทธิ์ของแอปพลิเคชันของบุคคลที่สามที่ไม่จำเป็นหรือไม่น่าเชื่อถือ

องค์กรควรจำกัดการอนุญาตแอป OAuth ผ่านการตั้งค่าใน Azure Active Directory
ควรเปิดใช้งานระบบขออนุมัติจากผู้ดูแลระบบก่อนให้สิทธิ์แอปฯ
ติดตามกิจกรรมที่ผิดปกติใน OneDrive อย่างสม่ำเสมอ
ผู้ใช้งานควรระมัดระวังในการให้สิทธิ์เข้าถึง OneDrive กับแอปพลิเคชันต่างๆ

อ้างอิง
https://www.csa.gov.sg/alerts-and-advisories/alerts/al-2025-051/

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

Healthcare Sector

• Santesoft Sante DICOM Viewer Pro
  "Successful exploitation of this vulnerability could allow an attacker to disclose information or execute arbitrary code."
  https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-148-01

Industrial Sector

• Siemens SiPass Integrated
  "Successful exploitation of this vulnerability could allow an unauthenticated remote attacker to cause a denial-of-service condition."
  https://www.cisa.gov/news-events/ics-advisories/icsa-25-148-02
• Consilium Safety CS5000 Fire Panel
  "Successful exploitation of these vulnerabilities could allow an attacker to gain high-level access to and remotely operate the device, potentially putting it into a non-functional state."
  https://www.cisa.gov/news-events/ics-advisories/icsa-25-148-03
• Instantel Micromate
  "Successful exploitation of this vulnerability could allow an unauthenticated attacker to access the device's configuration port and execute commands."
  https://www.cisa.gov/news-events/ics-advisories/icsa-25-148-04
• Siemens SiPass
  "Successful exploitation of this vulnerability could allow an attacker to upload a maliciously modified firmware onto the device."
  https://www.cisa.gov/news-events/ics-advisories/icsa-25-148-01

Vulnerabilities

• Unpatched Critical Vulnerability In TI WooCommerce Wishlist Plugin
  "This blog post is about an unauthenticated arbitrary file upload in the TI WooCommerce Wishlist plugin. If you're a TI WooCommerce Wishlist user, deactivate and delete the plugin since there is no patched version available. All paid Patchstack users are protected from this vulnerability. Sign up for the free Community account first, to scan for vulnerabilities and apply protection for only $5 / site per month with Patchstack. For plugin developers, we have security audit services and Enterprise API for hosting companies."
  https://patchstack.com/articles/unpatched-critical-vulnerability-in-ti-woocommerce-wishlist-plugin/
  https://thehackernews.com/2025/05/over-100000-wordpress-sites-at-risk.html
• Safari Vulnerability Enables Attackers To Steal Credentials With Fullscreen BitM Attacks
  "According to MITRE, Browser-in-the-Middle (BitM) is an attack where “an adversary exploits the inherent functionalities of a web browser, in order to establish an unnoticed remote desktop connection in the victim’s browser to the adversary’s system.” This attack has been used by many attackers to trick victims into unknowingly entering credentials and providing sensitive information on an attacker controlled window. The attack was first disclosed in a paper by researchers from the University of Salento in 2021, and we have seen many cases of BitM being used in the wild since then."
  https://labs.sqrx.com/fullscreen-bitm-f2634a91e6a5
  https://www.bleepingcomputer.com/news/security/apple-safari-exposes-users-to-fullscreen-browser-in-the-middle-attacks/
  https://hackread.com/fullscreen-bitm-attack-discovered-by-squarex-exploits-browser-fullscreen-apis-to-steal-credentials-in-safari/
  https://www.infosecurity-magazine.com/news/browser-exploit-technique/

Malware

• Haozi’s Plug-And-Play Phishing-As-a-Service Has Facilitated $280,000 Of Criminal Transactions Over Past Five Months
  "Phishing-as-a-Service operations are becoming increasingly user-friendly, and Haozi epitomizes this trend. Unlike legacy phishing kits that require attackers to configure scripts or infrastructure manually, Haozi offers a sleek, public-facing web panel. Once an attacker purchases a server and puts its credentials into the panel, the phishing software is automatically set up, with no need to run a single command."
  https://www.netcraft.com/blog/haozi-s-plug-and-play-phishing-as-a-service-has-facilitated-280-000-of-criminal-transactions
  https://www.darkreading.com/threat-intelligence/haozi-gang-sells-turnkey-phishing-tools-amateurs
• Behind The Script: Unmasking Phishing Attacks Using Google Apps Script
  "When we think about phishing attacks, we typically picture suspicious emails containing questionable links that lead to fake websites designed to mimic authentic ones. However, threat actors are becoming more strategic, now leveraging tools from trusted tech giants to exploit users. The Cofense Phishing Defense Center recently identified a phishing campaign that takes this approach to the next level. The attack uses an email masquerading as an invoice, containing a link to a webpage that uses Google Apps Script, a development platform integrated across Google’s suite of products. By hosting the phishing page within Google’s trusted environment, attackers create an illusion of authenticity. This makes it easier to trick recipients into handing over sensitive information."
  https://cofense.com/blog/behind-the-script-unmasking-phishing-attacks-using-google-apps-script
  https://www.bleepingcomputer.com/news/security/threat-actors-abuse-google-apps-script-in-evasive-phishing-attacks/
• Cybercriminals Camouflaging Threats As AI Tool Installers
  "AI has increasingly proliferated across various business verticals, leading to a transformation of industries through automation, data-driven decision-making and enhanced customer engagements. However, as AI continues to propel multiple industry sectors forward, malicious actors are exploiting its popularity by distributing a range of malware disguised as AI solutions’ installers and tools. Threat actors are employing a variety of techniques and channels to distribute these fraudulent installers, including SEO-poisoning tactics to manipulate search engine rankings and cause their malicious websites or download links to appear at the top of search engine results, as well as platforms such as Telegram or social media messengers."
  https://blog.talosintelligence.com/fake-ai-tool-installers/
  https://www.bleepingcomputer.com/news/security/cybercriminals-exploit-ai-hype-to-spread-ransomware-malware/
  https://thehackernews.com/2025/05/cybercriminals-target-ai-users-with.html
  https://hackread.com/fake-chatgpt-invideo-ai-downloads-deliver-ransomware/
• Lumma Infostealer – Down But Not Out?
  "On May 21, 2025, Europol, FBI, and Microsoft, in collaboration with other public and private sector partners, announced an operation to dismantle the activity of the Lumma infostealer. The malware, considered to be one of the most prolific infostealers, is distributed through a malware-as-a-service model. In addition to its use by common cyber criminals for stealing credentials, Lumma was observed to be part of the arsenal of several prominent threat actor groups, including Scattered Spider, Angry Likho, and CoralRaider."
  https://blog.checkpoint.com/security/lumma-infostealer-down-but-not-out/
• Deep Dive Into a Dumped Malware Without a PE Header
  "This analysis is part of an incident investigation led by the FortiGuard Incident Response Team. We discovered malware that had been running on a compromised machine for several weeks. The threat actor had executed a batch of scripts and PowerShell to run the malware in a Windows process. Although obtaining the original malware executable was difficult, a memory dump of the running malware process and a full memory dump of the compromised machine (the “fullout” file, size 33GB) were successfully acquired."
  https://www.fortinet.com/blog/threat-research/deep-dive-into-a-dumped-malware-without-a-pe-header
  https://thehackernews.com/2025/05/new-windows-rat-evades-detection-for.html
  https://hackread.com/new-malware-corrupts-its-headers-block-analysis/
  https://www.infosecurity-magazine.com/news/rat-corrupted-headers/

Breaches/Hacks/Leaks

• ConnectWise Breached In Cyberattack Linked To Nation-State Hackers
  "IT management software firm ConnectWise says a suspected state-sponsored cyberattack breached its environment and impacted a limited number of ScreenConnect customers. "ConnectWise recently learned of suspicious activity within our environment that we believe was tied to a sophisticated nation state actor, which affected a very small number of ScreenConnect customers," ConnectWise shared in a brief advisory. "We have launched an investigation with one of the leading forensic experts, Mandiant. We have contacted all affected customers and are coordinating with law enforcement.""
  https://www.bleepingcomputer.com/news/security/connectwise-breached-in-cyberattack-linked-to-nation-state-hackers/
  https://therecord.media/connectwise-nation-state-attack-targeted-some-customers
  https://www.infosecurity-magazine.com/news/connectwise-confirms-hack/
• Covenant Health Dealing With Cyberattack Affecting Hospitals
  "Covenant Health, a network of Catholic healthcare organizations serving New England and parts of Pennsylvania, is dealing with a cyber incident affecting services at several facilities where healthcare is still mostly being delivered normally. A Covenant Health spokeswoman in a Thursday statement said the health system has been responding to the incident since its discovery earlier this week."
  https://www.bankinfosecurity.com/covenant-health-dealing-cyberattack-affecting-hospitals-a-28544
• Billions Of Cookies Up For Grabs As Experts Warn Over Session Security
  "A VPN vendor says billions of stolen cookies currently on sale either on dark web or Telegram-based marketplaces remain active and exploitable. More than 93.7 billion of them are currently available for criminals to buy online and of those, between 7-9 percent are active, on average, according to NordVPN's breakdown of stolen cookies by country. Adrianus Warmenhoven, cybersecurity advisor at NordVPN, said: "Cookies may seem harmless, but in the wrong hands, they're digital keys to our most private information. What was designed to enhance convenience is now a growing vulnerability exploited by cybercriminals worldwide."
  https://www.theregister.com/2025/05/29/billions_of_cookies_available/

General News

• What CISOs Can Learn From The Frontlines Of Fintech Cybersecurity
  "At Span Cyber Security Arena, I sat down with Ria Shetty, Director, Cyber Security & Resilience for Europe at Mastercard. Our conversation cut through the hype and focused on what CISOs deal with every day: how to embed security into innovation, manage supply chain risk, and prepare both systems and people for the threats ahead."
  https://www.helpnetsecurity.com/2025/05/29/ria-shetty-mastercard-cybersecurity-innovation/
• How CISOs Can Regain Ground In The AI Fraud War
  "Fraudsters are winning the AI arms race, first-party fraud is rising, and siloed systems are holding back defenses, according to DataVisor. Their 2025 Fraud & AML Executive Report, based on surveys of banks, fintechs, credit unions, and digital platforms, outlines clear signals for CISOs trying to build resilient, forward-looking strategies."
  https://www.helpnetsecurity.com/2025/05/29/ciso-ai-fraud-war/
• CISOs Prioritize AI-Driven Automation To Optimize Cybersecurity Spending
  "Cybersecurity leaders and consultants identified AI-driven automation and cost optimization as top organizational priorities, according to Wipro. 30% of respondents are investing in AI automation to enhance their cybersecurity operations. AI-driven automation can help in detecting and responding to threats more quickly and accurately, thereby reducing the need for extensive manual intervention."
  https://www.helpnetsecurity.com/2025/05/29/ai-automation-investing/
• #Infosec2025: Over 90% Of Top Email Domains Vulnerable To Spoofing Attacks
  "Over 90% of the world’s top email domains are vulnerable to spoofing, enabling cybercriminals to launch sophisticated phishing attacks, according to new research by EasyDMARC. The email authentication firm found that just 7.7% of the world’s top 1.8 million email domains have implemented the most stringent Domain-based Message Authentication, Reporting, and Conformance (DMARC) policy. This configuration, known as ‘p=reject’, actively blocks malicious emails from reaching inboxes."
  https://www.infosecurity-magazine.com/news/infosec2025-email-domains-spoofing/
• Beyond GenAI: Why Agentic AI Was The Real Conversation At RSA 2025
  "Having just returned from the RSA Conference 2025, without a doubt the word on everyone’s lips and the dominant theme on every vendor stand was – you’ve guessed it – AI. AI is a phenomenon that just keeps evolving. Today analysts are predicting a $632B+ AI spend by 2028. What was interesting is that the conversation has also evolved and moved from GenAI to SynthAI and agentic AI."
  https://www.securityweek.com/beyond-genai-why-agentic-ai-was-the-real-conversation-at-rsa-2025/
• Treasury Takes Action Against Major Cyber Scam Facilitator
  "Today, the Department of the Treasury’s Office of Foreign Assets Control (OFAC) sanctioned Funnull Technology Inc., a Philippines-based company that provides computer infrastructure for hundreds of thousands of websites involved in virtual currency investment scams, commonly known as “pig butchering,” along with its administrator, Liu Lizhi. Americans lose billions of dollars annually to these cyber scams, with revenues generated from these crimes rising to record levels in 2024. Funnull has directly facilitated several of these schemes, resulting in over $200 million in U.S. victim-reported losses."
  https://home.treasury.gov/news/press-releases/sb0149
  https://www.bleepingcomputer.com/news/security/us-sanctions-company-linked-to-hundreds-of-thousands-of-cyber-scam-sites/
  https://therecord.media/southeast-asian-provider-of-scam-infrastructure-sanctioned
  https://cyberscoop.com/funnull-cryptocurrency-scam-sanctions/
  https://www.theregister.com/2025/05/30/fbi_treasury_funnull_sanctions/
• The 2025 Cybersecurity Pulse Report
  "The 2025 Cybersecurity Pulse Report is the latest intelligence briefing from ISMG, delivering essential insights from 150+ expert interviews and four days of carefully curated programming from the RSAC 2025 Conference. Synthesized through ISMG's AI-powered editorial workflow, this report captures the pivotal conversations, innovations and strategic shifts defining the cybersecurity landscape in 2025."
  https://www.bankinfosecurity.com/2025-cybersecurity-pulse-report-a-28529
  https://dd80b675424c132b90b3-e48385e382d2e5d17821a5e1d8e4c86b.ssl.cf1.rackcdn.com/external/cybersecurity-pulse-report-rsac-2025.pdf
• A Defense-In-Depth Approach For The Modern Era
  "As we reflect on the rapid evolution of technology, particularly over the past decade, it's evident that security strategies must adapt. With enterprises increasingly shifting toward cloud computing, software-as-a-service (SaaS), and interconnected Internet of Things (IoT) ecosystems, traditional security models are no longer sufficient. Organizations must embrace a defense-in-depth approach — one that extends beyond data centers and into every network edge, from branch offices to IoT devices."
  https://www.darkreading.com/vulnerabilities-threats/defense-depth-approach-modern-era
• Certified Randomness Uses Quantum Cryptography To Make Stronger Keys
  "Key generators are a foundational technology in cryptography to keep enterprise communication and systems secure. Threat actors are attempting to predict patterns of conventional key generators to break the encryption, leading scientists to explore combining quantum-circuit unpredictability and encryption algorithms to generate random keys that are harder to crack."
  https://www.darkreading.com/endpoint-security/certified-randomnes-squantum-cryptography-stronger-keys

อ้างอิง
Electronic Transactions Development Agency(ETDA)

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

Industrial Sector

• Johnson Controls iSTAR Configuration Utility (ICU) Tool
  "Successful exploitation of this vulnerability may allow an attacker to gain access to memory leaked from the ICU."
  https://www.cisa.gov/news-events/ics-advisories/icsa-25-146-01

Vulnerabilities

• Remote Prompt Injection In GitLab Duo Leads To Source Code Theft
  "GitLab Duo, the AI assistant integrated into GitLab and powered by Anthropic’s Claude, is designed to help developers with tasks like code suggestions, security reviews, and merge request analysis. But what if the same AI meant to secure your code could be manipulated into leaking it? That’s exactly what we uncovered: a remote prompt injection vulnerability that allows attackers to steal source code from private projects, manipulate code suggestions shown to other users, and even exfiltrate confidential, undisclosed zero-day vulnerabilities — all through GitLab Duo Chat. In this blog post, we break down how the attack works — from prompt injection to HTML injection — and walk through a real-world end-to-end exploit scenario."
  https://www.legitsecurity.com/blog/remote-prompt-injection-in-gitlab-duo
  https://www.bankinfosecurity.com/patched-gitlab-duo-flaws-risked-code-leak-malicious-content-a-28499
• NASA’s Software Security Vulnerabilities Found For Fun, Not Profit
  "Long time ago, in a galaxy far, far away, fifteen years ago (in 2009), I was a 25 year old hacker and cofounder of my first cybersecurity startup Infigo and just finished a one year long side project security research collaboration with NASA Goddard Space Flight Center. During the security research I discovered 12 dangerous security vulnerabilities in Common Data Format (CDF) software library (some of them critical severity). NASA’s CDF software library (https://cdf.gsfc.nasa.gov/) is according to its documentation developed and used by NASA and hundreds other government agencies, academic community and various organizations for the purpose (in very simple words) - of tracking objects locations in space."
  https://threatleap.com/publications/NASAs-Software-Security-Vulnerabilities-Found-For-Fun-Not-Profit
  https://www.helpnetsecurity.com/2025/05/27/nasa-open-source-software-vulnerabilities/

Malware

• DragonForce Actors Target SimpleHelp Vulnerabilities To Attack MSP, Customers
  "Sophos MDR recently responded to a targeted attack involving a Managed Service Provider (MSP). In this incident, a threat actor gained access to the MSP’s remote monitoring and management (RMM) tool, SimpleHelp, and then used it to deploy DragonForce ransomware across multiple endpoints. The attackers also exfiltrated sensitive data, leveraging a double extortion tactic to pressure victims into paying the ransom."
  https://news.sophos.com/en-us/2025/05/27/dragonforce-actors-target-simplehelp-vulnerabilities-to-attack-msp-customers/
  https://www.bleepingcomputer.com/news/security/dragonforce-ransomware-abuses-simplehelp-in-msp-supply-chain-attack/
  https://www.darkreading.com/application-security/dragonforce-ransomware-msp-supply-chain-attack
  https://www.infosecurity-magazine.com/news/dragonforce-ransomware-msp-attack/
  https://www.securityweek.com/dragonforce-ransomware-hackers-exploiting-simplehelp-vulnerabilities/
  https://securityaffairs.com/178350/cyber-crime/dragonforce-operator-chained-simplehelp-flaws-to-target-an-msp.html
• Russian Laundry Bear Cyberspies Linked To Dutch Police Hack
  "A previously unknown Russian-backed cyberespionage group tracked as Laundry Bear has been linked to a September 2024 Dutch police security breach. As the Dutch national police (Politie) revealed last year, the attackers stole work-related contact information of multiple officers, including names, email addresses, phone numbers, and, in some cases, private details. The Netherlands General Intelligence and Security Service (AIVD) and the Netherlands Defence Intelligence and Security Service (MIVD) on Tuesday linked Laundry Bear to this breach in a joint advisory issued on Tuesday, warning that it is highly probable that these Russian hackers also breached other Dutch organizations."
  https://www.bleepingcomputer.com/news/security/russian-void-blizzard-cyberspies-linked-to-dutch-police-breach/
  https://www.aivd.nl/binaries/aivd_nl/documenten/publicaties/2025/05/27/aivd-en-mivd-onderkennen-nieuwe-russische-cyberactor/Advisory+AIVD+en+MIVD+Public+report+on+new+cyber+actor.pdf
  https://therecord.media/laundry-bear-void-blizzard-russia-hackers-netherlands
  https://www.bankinfosecurity.com/nato-countries-targeted-by-new-russian-espionage-group-a-28492
  https://cyberscoop.com/laundry-bear-void-blizzard-russia-apt/
  https://www.securityweek.com/dutch-intelligence-agencies-say-russian-hackers-stole-police-data-in-cyberattack/
  https://securityaffairs.com/178338/apt/russia-linked-apt-laundry-bear-linked-to-2024-dutch-police-attack.html
  https://www.theregister.com/2025/05/27/new_russian_cyberspy_crew_laundry_bear/
• New Russia-Affiliated Actor Void Blizzard Targets Critical Sectors For Espionage
  "Void Blizzard is a new threat actor Microsoft Threat Intelligence has observed conducting espionage operations primarily targeting organizations that are important to Russian government objectives. These include organizations in government, defense, transportation, media, NGOs, and healthcare, especially in Europe and North America. They often use stolen sign-in details that they likely buy from online marketplaces to gain access to organizations. Once inside, they steal large amounts of emails and files. In April 2025, Microsoft Threat Intelligence observed Void Blizzard begin using more direct methods to steal passwords, such as sending fake emails designed to trick people into giving away their login information."
  https://www.microsoft.com/en-us/security/blog/2025/05/27/new-russia-affiliated-actor-void-blizzard-targets-critical-sectors-for-espionage/
  https://thehackernews.com/2025/05/russian-hackers-breach-20-ngos-using.html
  https://www.securityweek.com/russian-government-hackers-caught-buying-passwords-from-cybercriminals/
  https://www.helpnetsecurity.com/2025/05/27/microsoft-dutch-security-agencies-lift-veil-on-laundry-bear-void-blizzard-cyber-espionage-group/
• Text-To-Malware: How Cybercriminals Weaponize Fake AI-Themed Websites
  "Since November 2024, Mandiant Threat Defense has been investigating an UNC6032 campaign that weaponizes the interest around AI tools, in particular those tools which can be used to generate videos based on user prompts. UNC6032 utilizes fake “AI video generator” websites to distribute malware leading to the deployment of payloads such as Python-based infostealers and several backdoors. Victims are typically directed to these fake websites via malicious social media ads that masquerade as legitimate AI video generator tools like Luma AI, Canva Dream Lab, and Kling AI, among others."
  https://cloud.google.com/blog/topics/threat-intelligence/cybercriminals-weaponize-fake-ai-websites/
  https://www.bankinfosecurity.com/fake-ai-tools-lure-users-in-year-long-malware-campaign-a-28494
  https://cyberscoop.com/ai-video-generator-malware-mandiant-unc5032-vietnam/
  https://www.theregister.com/2025/05/27/fake_social_media_ads_ai_tool/
• Infostealer Malware FormBook Spread Via Phishing Campaign – Part II
  "This is part II of the FormBook analysis blog. In the previous post (Part I), I covered the campaign’s initialization via a phishing email, the CVE-2017-11882 vulnerability it exploited to execute an extracted 64-bit DLL, and the download and decryption of a FormBook variant hidden in a fake PNG file. Finally, I elaborated on how the 64-bit DLL mapped the FormBook payload in a target process (ImagingDevices.exe) and executed it using the process hollowing technique."
  https://www.fortinet.com/blog/threat-research/infostealer-malware-formbook-spread-via-phishing-campaign
• Threat Spotlight: Hijacked Routers And Fake Searches Fueling Payroll Heist
  "In May 2025, ReliaQuest uncovered a unique search engine optimization (SEO) poisoning attack that led to payroll fraud affecting a customer in the manufacturing sector. SEO poisoning is a highly deceptive tactic where attackers create fake authentication portals mimicking legitimate organizations. The malicious sites rank at the top of search results, tricking employees into unknowingly handing over their credentials. In this attack, the adversary specifically targeted employee mobile devices with a fake website impersonating the organization’s login page. Armed with stolen credentials, the adversary gained access to the organization’s payroll portal, changed direct deposit information, and redirected employees’ paychecks into their own accounts."
  https://reliaquest.com/blog/threat-spotlight-payroll-fraud-attackers-stealing-paychecks-seo-poisoning/
  https://thehackernews.com/2025/05/employees-searching-payroll-portals-on.html
• China Accuses Taiwan-Linked Group Of Cyberattack On Local Tech Company
  "Chinese authorities have accused a hacker group allegedly backed by Taiwan of carrying out a cyberattack on a local technology company and targeting sensitive infrastructure across the mainland, state media reported. According to police in Guangzhou, the group — allegedly linked to Taiwan’s ruling Democratic Progressive Party (DPP) — has targeted more than 1,000 key networks in over 10 Chinese provinces, including military, energy, transportation and government systems. Authorities said the campaign involved large-scale espionage efforts, crude hacking tools and a range of low-sophistication tactics such as phishing emails, exploitation of known software vulnerabilities and brute-force password attacks."
  https://therecord.media/china-accuses-taiwan-linked-group-of-cyberattacks
• Earth Lamia Develops Custom Arsenal To Target Multiple Industries
  "We have been tracking an active intrusion set that primarily targets organizations located in countries including Brazil, India, and Southeast Asia since 2023. The threat actor mainly targets the SQL injection vulnerabilities discovered on web applications to access the SQL servers of targeted organizations. The actor also takes advantage of various known vulnerabilities to exploit public-facing servers. Research reports have also mentioned their aggressive operations, including REF0657, STAC6451, and CL-STA-0048. Evidence we collected during our research indicates this group is a China-nexus intrusion set, which we now track as Earth Lamia."
  https://www.trendmicro.com/en_us/research/25/e/earth-lamia.html
• Malicious Attack Method On Hosted ML Models Now Targets PyPI
  "Artificial intelligence (AI) and machine learning (ML) are now inextricably linked to the software supply chain. ML models, which are based on large language models (LLMs), are powering the enterprise — and offer an infinite number of solutions to organizations’ mission-critical needs. The widespread and increasing use of generative AI tools like OpenAI’s ChatGPT, in addition to developer community resources like Hugging Face – a platform dedicated to collaboration and sharing of ML projects – show how software, coding and AI/ML are now one and the same."
  https://www.reversinglabs.com/blog/malicious-attack-method-on-hosted-ml-models-now-targets-pypi
  https://www.infosecurity-magazine.com/news/malicious-machine-learning-model/

Breaches/Hacks/Leaks

• Adidas Warns Of Data Breach After Customer Service Provider Hack
  "German sportswear giant Adidas disclosed a data breach after attackers hacked a customer service provider and stole some customers' data. "adidas recently became aware that an unauthorized external party obtained certain consumer data through a third-party customer service provider," the company said. "We immediately took steps to contain the incident and launched a comprehensive investigation, collaborating with leading information security experts.""
  https://www.bleepingcomputer.com/news/security/adidas-warns-of-data-breach-after-customer-service-provider-hack/
  https://www.darkreading.com/vulnerabilities-threats/adidas-victim-third-party-data-breach
  https://hackread.com/adidas-confirms-cyber-attack-customer-data-stolen/
  https://www.theregister.com/2025/05/27/adidas_confirms_data_theft/
• MATLAB Dev Confirms Ransomware Attack Behind Service Outage
  "MathWorks, a leading developer of mathematical computing and simulation software, has revealed that a recent ransomware attack is behind an ongoing service outage. Headquartered in Natick, Massachusetts, and founded in 1984, MathWorks now has over 6,500 employees in 34 offices worldwide. MathWorks develops the MATLAB numeric computing platform and the Simulink simulation, which are used by over 100,000 organizations and over 5 million customers. "MathWorks experienced a ransomware attack. We have notified federal law enforcement of this matter. The attack affected our IT systems," the company disclosed in an incident report published on its official status page."
  https://www.bleepingcomputer.com/news/security/mathworks-blames-ransomware-attack-for-ongoing-outages/
  https://www.darkreading.com/vulnerabilities-threats/mathworks-confirms-ransomware-attack
  https://therecord.media/matlab-developer-bringing-systems-online-ransomware
  https://www.theregister.com/2025/05/27/mathworks_ransomware_attack_leaves_ondeadline/
• Nearly 70,000 Impacted By Ransomware Attack On Sheboygan, Wisconsin
  "The Wisconsin city of Sheboygan warned about 67,000 people that a ransomware attack in October gave hackers access to their personal information. The city filed breach notification letters with regulators on Friday explaining that Social Security numbers, state IDs and license plate numbers were taken when hackers breached the city’s systems on October 31, 2024. Officials in Sheboygan hired a cybersecurity firm to conduct an investigation that concluded on May 14 and confirmed that data was stolen."
  https://therecord.media/ransomware-sheboygan-breach-notice

General News

• Why App Modernization Can Leave You Less Secure
  "Enterprises typically “modernize” access patterns for an application by enabling industry standard protocols like OIDC or SAML to provide single sign-on (SSO) for legacy apps via a cloud identity provider (IDP). That’s a major step towards better user experience, improved credential hygiene, and centralized authentication, but it is not enough. Most modernization projects stop at the authentication layer, believing that identity transformation is complete once SAML or OIDC is wired up. What’s often overlooked is one of the most critical components of application security: session management."
  https://www.helpnetsecurity.com/2025/05/27/application-identity-modernization-risks/
• How AI Agents Reshape Industrial Automation And Risk Management
  "In this Help Net Security interview, Michael Metzler, Vice President Horizontal Management Cybersecurity for Digital Industries at Siemens, discusses the cybersecurity implications of deploying AI agents in industrial environments. He talks about the risks that come with AI agents making semi-autonomous decisions, and why a layered security approach like Defense-in-Depth is key to keeping industrial systems safe."
  https://www.helpnetsecurity.com/2025/05/27/michael-metzler-siemens-ai-agents-industrial-environments/
• How Well Do You Know Your Remote IT Worker?
  "Is the remote IT worker you recently hired really who he says he is? Fake IT workers are slipping into companies around the world, gaining access to sensitive data. Recently, more of these schemes have been linked to North Korea. They don’t just steal crypto or deliver malware. Now, they log into your systems as employees. This is no longer just a cybersecurity issue, it’s a growing geopolitical threat."
  https://www.helpnetsecurity.com/2025/05/27/fake-it-workers-cybersecurity-threat/
• 4.5% Of Breaches Now Extend To Fourth Parties
  "Security teams can no longer afford to treat third-party security as a compliance checkbox, according to SecurityScorecard. Traditional vendor risk assessments, conducted annually or quarterly, are too slow to detect active threats. 35.5% of all breaches in 2024 were third-party related, a 6.5% increase from 2023. This figure is likely conservative due to underreporting and misclassification. So while you’re updating your firewall rules, somewhere in your supply chain a vendor might be inadvertently letting in the very attackers you’ve been working to keep out."
  https://www.helpnetsecurity.com/2025/05/27/third-party-breaches-increase/
• New Guidance For SIEM And SOAR Implementation
  "Today, CISA, in collaboration with the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) and other international and U.S. partners, released new guidance for organizations seeking to procure Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR) platforms."
  https://www.cisa.gov/news-events/alerts/2025/05/27/new-guidance-siem-and-soar-implementation
  https://www.cisa.gov/resources-tools/resources/guidance-siem-and-soar-implementation
  https://www.infosecurity-magazine.com/news/governments-prioritize-siem-soar/
• Iranian Man Pleaded Guilty To Role In Robbinhood Ransomware
  "An Iranian national pleaded guilty today to participating in an international ransomware and extortion scheme involving the Robbinhood ransomware. According to court documents and statements made in court, Sina Gholinejad, 37, and his co-conspirators compromised the computer networks of cities, corporations, health care organizations, and other entities around the United States, and encrypted files on these victim networks with the Robbinhood ransomware variant to extort ransom payments. These cyber attacks caused significant disruptions and tens of millions in losses, including to the City of Greenville, North Carolina, and the City of Baltimore, Maryland."
  https://www.justice.gov/opa/pr/iranian-man-pleaded-guilty-role-robbinhood-ransomware
  https://www.bleepingcomputer.com/news/security/iranian-pleads-guilty-to-robbinhood-ransomware-attacks-faces-30-years/
  https://therecord.media/iranian-years-decades-guilty-ransomware
  https://www.bankinfosecurity.com/robbinhood-ransomware-hacker-pleads-guilty-in-us-court-a-28498
  https://cyberscoop.com/iranian-man-pleads-guilty-in-robbinhood-ransomware-scheme/
• **https://www.securityweek.com/iranian-man-pleads-guilty-to-role-in-baltimore-ransomware-attack/
• How The New Hacker Millionaire Class Was Built**
  "HackerOne recently announced that over the past six years, the bug bounty platform has minted 50 fresh million-dollar bounty hunters by providing them an easily accessible platform to help companies ferret out security vulnerabilities in software, for big cash payouts. But it wasn't always this easy to make a whole hustle out of ethical hacking. There's been a shift in the culture, from "fringe activity to financially viable profession," according to HackerOne. That change didn't happen by chance. It was intentionally crafted by the will of infosec's earliest pioneers."
  Priority: 3 - Important
  Relevance: General
  https://www.darkreading.com/remote-workforce/hacker-millionaire-class-built
• CVE Uncertainty Underlines Importance Of Cyber Resilience
  "The tumult triggered by news that MITRE funding to support the Common Vulnerabilities and Exposures (CVE) program was at risk has been a wake-up call for the security community. However, this evolving, active, fragile ecosystem has never been simple; challenges to its operation have persisted for quite some time. In 2024, a record-breaking 40,009 CVEs were published. That's a 38% increase from 2023. According to the National Institute of Standards and Technology (NIST), the surge in CVEs and the lack of support contributed to a backlog in processing new CVEs beginning in February 2024. As a result, some CVEs aren't enriched with the necessary context to enable prioritization and response."
  https://www.darkreading.com/vulnerabilities-threats/cve-uncertainty-underlines-importance-cyber-resilience
• Why Quiet Expertise No Longer Wins Cybersecurity Clients
  "There’s a graveyard of brilliant cybersecurity companies that no one has ever heard of. These firms had incredible technical talent, were able to spot vulnerabilities others missed, and poured blood, sweat, and tears into building elegant solutions to complex problems. In other words, they knew their stuff. And yet, they failed. Meanwhile, there are plenty of companies out there with decent but not amazing technology that are thriving, growing, and still gathering plenty of investment. So what is happening here?"
  https://hackread.com/why-quiet-expertise-no-win-cybersecurity-clients/

อ้างอิง
Electronic Transactions Development Agency(ETDA)

New Tooling

• LlamaFirewall: Open-Source Framework To Detect And Mitigate AI Centric Security Risks
  "LlamaFirewall is a system-level security framework for LLM-powered applications, built with a modular design to support layered, adaptive defense. It is designed to mitigate a wide spectrum of AI agent security risks including jailbreaking and indirect prompt injection, goal hijacking, and insecure code outputs."
  https://www.helpnetsecurity.com/2025/05/26/llamafirewall-open-source-framework-detect-mitigate-ai-centric-security-risks/

Malware

• SilverRAT Source Code Leaked Online: Here’s What You Need To Know
  "The full source code of SilverRAT, a notorious remote access trojan (RAT), has been leaked online briefly appearing on GitHub under the repository “SilverRAT-FULL-Source-Code” before being swiftly taken down. A snapshot of the repository, captured by Hackread.com via the Wayback Machine, reveals the entire project, its features, build instructions, and even a flashy marketing-style dashboard screenshot."
  https://hackread.com/silverrat-source-code-leaked-online-you-need-to-know/
• CVE-2025-32756: Low-Rise Jeans Are Back And So Are Buffer Overflows
  "On May 13, 2025, FortiGuard Labs published an advisory detailing CVE-2025-32756, which affects a variety of Fortinet products: FortiCamera, FortiMail, FortiNDR, FortiRecorder, and FortiVoice. In their advisory, FortiGuard Labs states that Fortinet has observed this issue being exploited in the wild. The next day, May 14, the vulnerability was added to the CISA KEV catalog."
  https://horizon3.ai/attack-research/attack-blogs/cve-2025-32756-low-rise-jeans-are-back-and-so-are-buffer-overflows/
  https://hackread.com/researchers-poc-fortinet-cve-2025-32756-quick-patch/

Breaches/Hacks/Leaks

• Now It’s Tiffany: Another LVMH Luxury Brand Hit By Hackers
  "First it was Dior. Now it’s Tiffany & Co. Seok Nam-jun and Kim Mi-geon report: Tiffany & Co. has confirmed a data breach affecting customers in South Korea, marking the second such incident involving an LVMH Moët Hennessy Louis Vuitton brand after a similar case at Dior. On May 26, Tiffany Korea notified select customers via email of a cybersecurity breach involving unauthorized access to a vendor platform used for managing customer data."
  https://databreaches.net/2025/05/26/now-its-tiffany-another-lvmh-luxury-brand-hit-by-hackers/

General News

• Why Layoffs Increase Cybersecurity Risks
  "A wave of layoffs has swept through the tech industry, leaving IT teams in a rush to revoke all access those employees may have had. Additionally, 54% of tech hiring managers say their companies are likely to conduct layoffs within the next year, and 45% say employees whose roles can be replaced by AI are most likely to be let go, according to General Assembly."
  https://www.helpnetsecurity.com/2025/05/26/layoffs-cybersecurity-risks/
• AI Forces Security Leaders To Rethink Hybrid Cloud Strategies
  "Hybrid cloud infrastructure is under mounting strain from the growing influence of AI, according to Gigamon. As cyberthreats increase in both scale and sophistication, breach rates have surged to 55% during the past year, representing a 17% year-on-year rise, with AI-generated attacks emerging as a key driver of this growth."
  https://www.helpnetsecurity.com/2025/05/26/ai-hybrid-cloud-infrastructure-concerns/

อ้างอิง
Electronic Transactions Development Agency(ETDA)

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand