NCSA_THAICERT

NCSA_THAICERT

Google ออกอัปเดต Chrome 149 แก้ไขช่องโหว่ร้ายแรง 18 ราย.png

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

NCSA_THAICERT

ระบบสื่อสารรถไฟ GSM-R ขัดข้องทั่วเยอรมนี ส่งผ.png

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

NCSA_THAICERT

เตือนภัย ส่วนขยาย Microsoft Edge ถูกนำมาใช้เป็นช่อง.png

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

NCSA_THAICERT

Industrial Sector

The OT Segmentation Imperative: Why It Can't Wait Any Longer
"Ask any team running industrial operations about network segmentation and you'll hear a familiar story. Everyone agrees it's critical. It's mandated by IEC 62443, NERC CIP and NIS2. It limits the blast radius and prevents lateral movement across networks. Yet for most organizations, network segmentation has remained at the top of the "planned but not deployed" list for years. That inaction is becoming increasingly difficult to justify."
https://www.bankinfosecurity.com/blogs/ot-segmentation-imperative-cant-wait-any-longer-p-4136

Vulnerabilities

GitLab Patches Code Execution, Information Disclosure Vulnerabilities
"GitLab has rolled out Community Edition (CE) and Enterprise Edition (EE) security updates that resolve 13 vulnerabilities, including three high-severity bugs. The most severe is CVE-2026-10086, an XSS flaw in the Analytics dashboard of GitLab EE, rooted in the improper sanitization of user-supplied input. According to GitLab, the security defect could have allowed an authenticated user with developer rights to execute arbitrary client-side code in the context of other users’ sessions."
https://www.securityweek.com/gitlab-patches-code-execution-information-disclosure-vulnerabilities/
https://docs.gitlab.com/releases/patches/patch-release-gitlab-19-1-1-released/
Chrome 149 Update Resolves 18 Severe Vulnerabilities
"Google on Wednesday rolled out a new Chrome 149 update that resolves 18 vulnerabilities, including four critical and 14 high-severity security defects. More than half of the addressed issues, including three critical and seven high-severity, are use-after-free flaws, a type of memory corruption bug that could lead to remote code execution (RCE). In Chrome, use-after-free vulnerabilities can be combined with security holes in the underlying operating system or in a privileged browser process to escape the sandbox."
https://www.securityweek.com/chrome-149-update-resolves-18-severe-vulnerabilities/
https://www.malwarebytes.com/blog/news/2026/06/update-chrome-to-patch-critical-browser-security-flaws
25-Year-Old Vulnerability Patched In Curl
"The open source data transfer tool and library curl has been updated this week with patches for 18 vulnerabilities, including one introduced 25 years ago. The flaws, four medium and 14 low-severity, were discovered as part of a community effort after Anthropic’s Mythos discovered a single curl bug in early May. This release resolves the highest number of CVEs patched with a single curl update, including an issue that was introduced in version 7.7, shipped on March 22, 2001."
https://www.securityweek.com/25-year-old-vulnerability-patched-in-curl/
https://curl.se/mail/lib-2026-06/0026.html
https://securityaffairs.com/194220/security/curl-fixes-a-25-year-old-bug-in-its-largest-cve-release-yet.html
BadBlocker: 11 Million Users, One Server Call Away From Compromise
"Adblock for YouTube (cmedhionkhpnakcndndgjdbohmhepckk) is a Chrome Web Store extension with over 11 million installs and a 4.4-star rating. It blocks ads on YouTube and it works well. It also contains the architectural ingredients for arbitrary JavaScript execution on any website, activated by a single server-side configuration change, without an extension update, without a store review, and without any visible sign that something has changed. In practical terms, that could mean reading pages, stealing data, and acting as the user inside personal accounts, work apps, admin panels, and other sensitive browser sessions."
https://www.island.io/blog/badblocker-11-million-users-one-server-call-away-from-compromise
https://thehackernews.com/2026/06/chrome-ad-blocker-with-10m-installs.html

Malware

Fake Invoices Are Moving From Inboxes To Shopping Apps
"A fake invoice in your email is easy to ignore. A fake invoice inside your order history feels different. Norton customers have reported fake Norton invoices appearing inside the Shop app, the shopping and order-tracking app from Shopify. Public reports suggest the same technique is not limited to Norton. Similar suspicious Shop app notifications have used McAfee, Apple gift cards, iPhones, PayPal-style payment claims and other high-value purchases as bait. The impersonated brand may change, but the mechanics are familiar: make the user believe they have been charged, then give them a phone number to call."
https://www.gendigital.com/blog/insights/research/fake-invoices-shopping-apps
https://www.bleepingcomputer.com/news/security/order-tracking-app-shop-abused-to-push-callback-phishing-attacks/
Bluekit Phishing-As-a-Service: Browser-In-The-Middle, Evolved
"Netcraft has identified and is actively detecting live deployments of Bluekit, a sophisticated Phishing-as-a-Service (PhaaS) platform that introduces a meaningful shift in how adversary-in-the-middle (AitM) phishing is executed. While Bluekit was first documented by Varonis Threat Labs — who assessed at the time that it appeared to still be in development — Netcraft can confirm the platform is now operational at scale, with approximately 70 hostnames detected in the last week."
https://www.netcraft.com/blog/bluekit-phishing-as-a-service-threat
https://www.bleepingcomputer.com/news/security/bluekit-phishing-kit-adopts-browser-in-the-middle-for-login-theft/
Gamaredon In 2025: Leveraging Tunnels, Workers, Dead Drops, And New Alliances
"Cyberespionage has remained a constant feature of Russia’s war against Ukraine. ESET Research has long tracked Gamaredon, one of the most active Russia-aligned advanced persistent threat (APT) groups targeting Ukraine. The group, attributed by the Security Service of Ukraine (SSU) to the 18th Center of Information Security of Russia’s FSB, maintained a high operational tempo throughout 2025."
https://www.welivesecurity.com/en/eset-research/gamaredon-2025-leveraging-tunnels-workers-dead-drops-new-alliances/
https://www.darkreading.com/threat-intelligence/russia-apt-gamaredon-arsenal-defense
https://www.bankinfosecurity.com/russias-gamaredon-adapts-tactics-to-target-ukraine-a-32068
ClickFix: The Attack That Turns Users Into Their Own Attackers
"ClickFix has quickly become one of the most prevalent social engineering techniques on the web. The attack flips a familiar security assumption on its head: instead of slipping a malicious file past endpoint defenses, the attacker convinces the victim to run the payload themselves. No exploit. No malicious attachment. Just a user, a clipboard, and a convincing prompt."
https://blog.checkpoint.com/securing-user-and-access/clickfix-the-attack-that-turns-users-into-their-own-attackers/
Introduction To COM Usage By Windows Threats
"Component Object Model (COM) is one of the Windows technologies that analysts regularly encounter but may not always prioritize during triage, as the manual analysis of COM functionality in binary executable files can be labor-intensive. The post starts with a brief introduction into COM, following how binaries utilizing COM can be analyzed, and some examples of malware families and their usage of COM. The post concludes with a list of further resources."
https://blog.talosintelligence.com/introduction-to-com-usage-by-windows-threats/
Russia Breaks Into Human Rights Activist’s Phone With Cellebrite
"We analyzed Russian activist Andrey Pivovarov’s phone, finding that Russian authorities used forensic extraction tools made by Cellebrite to gain access to his device. A document prepared by Russian authorities confirms that Cellebrite was used to extract information to aid in Pivovarov’s prosecution. Importantly, we found that authorities continued to use Cellebrite for political repression even after the company had cancelled its contracts with Russian customers."
https://citizenlab.ca/research/russia-breaks-into-human-rights-activists-phone-with-cellebrite/
https://therecord.media/russia-used-cellebrite-tool-after-company-pulled-out-of-country
https://cyberscoop.com/russia-cellebrite-activist-phone-hacking/
Millenium: A RAT Rewritten, A Threat Multiplied
"Group-IB analyzes Millenium RAT version 4.*, a remote access trojan that has undergone an architectural shift from .NET to native C++, while continuing to leverage the Telegram Bot API for command and control, requiring no dedicated server infrastructure. This blog also profiles the developer “ShinyEnigma”, and threat actor cluster “Y2K Operators” responsible for active Millenium RAT exploitation campaigns. Over 62,000 compromised endpoints across more than 160 countries have been identified, with infections accelerating sharply in Q1 2026."
https://www.group-ib.com/blog/millenium-rat-maas/
Beware Of “Parcel Expert” Job Offers: They’re Parcel Mule Scams
"A parcel mule scam, also called a reshipping scam, is a fake job offer designed to recruit people into handling stolen goods. It usually starts with a fake remote job offer that promises easy money for receiving, inspecting, repackaging, and forwarding packages from home. The “employer” may claim to be connected to familiar companies, but the real purpose is to move goods bought with stolen payment information so they are harder to trace. Victims often think they are doing routine logistics work, but they are actually helping criminals launder stolen merchandise."
https://www.malwarebytes.com/blog/scams/2026/06/beware-of-parcel-expert-job-offers-theyre-parcel-mule-scams
Fake Domain Renewal Emails Trick Website Owners Into Paying Scammers
"You receive an email warning that your website’s domain name is about to expire. Renew now, it says, or your website and email could stop working. The link opens a professional-looking page that already knows your domain name, displays your registrar and expiry date, and starts a countdown timer. It feels urgent and personal, so it feels real."
https://www.malwarebytes.com/blog/threat-intel/2026/06/fake-domain-renewal-emails-trick-website-owners-into-paying-scammers
CL-STA-1062 Targets Southeast Asian Governments And Critical Infrastructure
"Throughout 2025, we observed a cluster of activity targeting government entities and critical infrastructure in Southeast Asia. Specifically, the activity targeted state-owned enterprises in the energy and government sectors. The Chinese-speaking attackers behind this cluster, which we track as CL-STA-1062, have been active since at least March 2022. We assess with high confidence that this is the same cluster, known as UAT-7237, that was reported for its campaigns against web hosting infrastructure in Taiwan in mid 2025. We also observed CL-STA-1062 campaigns in earlier operations targeting strategic sectors in East Asia, indicating a broader, sustained regional focus."
https://unit42.paloaltonetworks.com/cl-sta-1062-tinyrct-backdoor/
Inside Vidar’s ABE Bypass: From Memory Scanning To APC Injections
"Infostealers are constantly evolving, and so are the techniques they use to bypass Application-Bound Encryption (ABE). In recent weeks, Vidar has been among the most actively developed stealers and, apart from multiple updates to its string obfuscation and a reworked approach to protecting its configuration, it has also introduced a novel technique for bypassing ABE. And while there have been many other changes in Vidar lately, with new versions dropping every week, in this blog post we focus solely on the ABE bypass and its technical aspects."
https://www.gendigital.com/blog/insights/research/inside-vidar-abe-bypass
Inside Eastern Europe's C2 Sprawl: 3,900+ Servers, 302 Providers, One Host Doing Half The Work
"Eastern Europe has long served as a reliable foundation for both commodity cybercrime and state-linked threat operations, a region where bulletproof hosting providers, major telecoms, and cloud infrastructure coexist within the same ASN pools. Over a three-month window from March 12 to June 12, 2026, we mapped malicious infrastructure across 10 countries in the region, covering Belarus, Bulgaria, the Czech Republic, Hungary, Poland, Moldova, Romania, Russia, Slovakia, and Ukraine. Across 302 distinct hosting providers, we identified more than 3,900 active C2 servers. The distribution was anything but even. A single Bulgarian provider accounted for more than half of all detected C2 infrastructure, a level of concentration that doesn't surface when you're tracking individual IPs or domains. It only becomes visible when you look at the hosting layer itself, which is exactly what this analysis does."
https://hunt.io/blog/eastern-europe-malicious-infrastructure-report

Breaches/Hacks/Leaks

Cal Water Says No OT Systems Breached In Iranian Handala Cyberattack
"The investigation conducted by California Water Service (Cal Water) into the recent cyberattack claimed by the Iranian hacker group Handala found no evidence of activity in the water utility’s operational technology (OT) environment. Handala, which claims to be a hacktivist collective but is widely believed to be a front for Iranian government hacking operations, said it could have disrupted the water supply after gaining access to Cal Water systems but decided not to do so. The statement suggested that the hackers had gained deep access to industrial control systems (ICS)."
https://www.securityweek.com/cal-water-finds-no-evidence-of-ot-activity-after-hackers-claimed-they-could-disrupt-water-supply/
Another Russian Dairy Company Reportedly Disrupted By Cyberattack
"A cyberattack has snarled logistics and accounting operations at a dairy producer in Russia's republic of Bashkortostan, forcing the company to process shipments and paperwork manually, according to local media. The attack affected the IT systems of Ufagormolzavod, a manufacturer based in Ufa, the regional capital, but did not interrupt production, the company's chief executive, Ildar Faizullin, said."
https://therecord.media/russia-dairy-producter-cyberattack-ufa
Ukraine's State Postal Operator Reports App Disruption After Cyberattack
"Ukraine's state-owned postal operator, Ukrposhta, said on Thursday that its mobile application is experiencing temporary disruptions following an overnight "enemy" attack on the company's IT systems. "Our specialists are already working to restore the service. We are doing everything we can to ensure you can return to using the app normally as soon as possible," Ukrposhta said."
https://therecord.media/ukraine-state-postal-operator-reports-disruption

General News

Poland Busts SIM-Swapping Gang Tied To Millions In Crypto Theft
"Authorities in Poland have arrested four members of an organized cybercrime group accused of breaching telecommunications partners and hijacking email accounts to carry out SIM-swapping attacks. The operation was carried out by the Polish Cybercrime Bureau (CBZC) with support from the FBI and Homeland Security Investigations (HSI) in the United States. According to investigators, the suspects carried out sophisticated cyberattacks to obtain data used in SIM-swapping attacks."
https://www.bleepingcomputer.com/news/security/poland-busts-sim-swapping-gang-tied-to-millions-in-crypto-theft/
Why Patch Directives Only Go So Far
"When CISA issues an emergency directive, the message to every federal agency and every security team paying attention is to patch now. For CVE-2026-50751, a CVSS 9.3 authentication bypass in Check Point Remote Access VPN, that directive landed on June 21. despite exploitation beginning in early May. That, six-week active intrusion gap is not a footnote. It is the entire story."
https://cyberscoop.com/why-security-patching-is-not-enough-cve-2026-50751-op-ed/
In Less Than 24 Hours, Attackers Weaponize Cisco CUCM Flaw
"Attackers have begun actively exploiting a critical flaw in Cisco Unified Communications Manager (CUCM) to gain root access on vulnerable systems. The attacks appear to have begun less than 24 hours after researchers at SSD Secure Disclosure this week released proof-of-concept code (PoC) along with a full exploit chain for the vulnerability."
https://www.darkreading.com/cyberattacks-data-breaches/less-than-24-hours-attackers-weaponize-cisco-cucm-flaw
EdTech Attackers Shift From Schools To Their Software Suppliers
"Threats against the education sector have mounted over the past five years and are becoming even more widespread, as attackers set their sights on educational technology (edtech) vendors. Rather than conducting ransomware or other attacks against an individual school or district, cyberattackers now target learning management systems (LMS) and other educational applications to victimize hundreds, if not thousands, of institutions in one fell swoop."
https://www.darkreading.com/cyberattacks-data-breaches/edtech-attackers-shift-schools-software-suppliers
Europe Evolves Into Ransomware's Favorite Region
"A specter is haunting Europe — the specter of ransomware. After a global lull in 2024 and 2025, the ransomware-as-a-service (RaaS) ecosystem appears to be back to form, at least in Europe. Researchers from Black Kite tracked 684 ransomware attacks across the continent through the first four months of 2026. That's 55% more than the 441 recorded in the first four months of 2025, even more than the 643 recorded through the first half of 2025."
https://www.darkreading.com/cybersecurity-analytics/europe-evolves-ransomware-favorite-region
https://www.infosecurity-magazine.com/news/increase-ransomware-europe/
The Uptime Questions Every Engineering Leader Should Ask This Week
"In this interview with Help Net Security, Mattias Geniar, CTO at Oh Dear, explains why most outages start quietly, as creeping latency or a slow rise in errors. He argues teams alert on the wrong things: absolute numbers instead of changes, isolated endpoints instead of real user outcomes. He covers alert fatigue, the DNS and certificate failures buried deep in the stack, the risk of leaning on one provider, and the mistakes tired engineers make at 3am. Geniar closes with questions leaders should ask to test their uptime story."
https://www.helpnetsecurity.com/2026/06/25/mattias-geniar-oh-dear-preventing-outages/
LLM Security Advice Looks Solid Until You Check The Hard Cases
"Plenty of people now type their security worries straight into a chatbot. A hacked account, a suspicious email, a stalker who might be tracking a phone, all of it lands in the same window someone would use to ask about dinner. A benchmark called HelpBench tests how well chatbots handle those moments, and the results give security professionals something to watch in what their users are being told."
https://www.helpnetsecurity.com/2026/06/25/helpbench-llm-security-advice/
https://arxiv.org/pdf/2606.24819
Recommendations When Using LLM-Backed Generative AI Systems For FOSS Contributions
"The entire community of computer users, which quickly approaches every human, faces the growing conundrum of generative artificial intelligence systems backed by Large Language Models (“LLM-gen-AI”)1. Software freedom activists face particularly difficult challenges in this regard; these LLM-gen-AI systems have been applied in earnest to the endeavors of software creation and modification."
https://sfconservancy.org/llm-gen-ai/llm-backed-generative-ai-recommendations.html
https://www.helpnetsecurity.com/2026/06/25/foss-ai-in-open-source/
Most Teams Will Ship AI-Written Infrastructure Code With Little Review
"AI-assisted development has settled into everyday practice across software organizations, and developers using it move from idea to working code in hours. That code does not stay with the developers who prompt it. It flows downstream to the DevOps and platform teams who deploy and maintain it, and those teams are not getting the same speed boost."
https://www.helpnetsecurity.com/2026/06/25/ai-infrastructure-governance-gap-report/
Twenty Million US IP Connections Used By Proxy Services
"Millions of residential IP connections in the US are collected annually for use in proxy services, with many households unaware that they may ultimately be used by threat actors, a new report has warned. Non-profit the Digital Citizens Alliance claimed in a new report, Cybercrime by Doorbell, that an estimated 20 million or more connections end up as proxies, often without the knowledge of their owners."
https://www.infosecurity-magazine.com/news/twenty-million-us-ip-connections/
https://resproxy.digitalcitizensalliance.org/hubfs/resproxy/DCA_Cybercrime-by-Doorbell-Report.pdf
Trust In Automated AI Vulnerability Scanning Collapses To 9%, New Study Finds
"A large number of false negatives has significantly eroded confidence in automated AI testing for vulnerabilities, a new study from Cobalt has found. The Cobalt State of Pentesting Report 2026 is based on two comparative surveys in 2025 and 2026 of around 450 cybersecurity professionals. It found that the percentage of organizations relying entirely on AI automation for testing sank from 29% to 9% over the period, with nearly half (47%) of respondents now preferring a hybrid testing model."
https://www.infosecurity-magazine.com/news/trust-ai-vulnerability-scanning/
https://resource.cobalt.io/ai-pentesting-pulse-report-2026-tyd
New CISA Guide Assists Federal Agencies With Transitioning To Modernized Zero Trust Architectures
"Today, the Cybersecurity and Infrastructure Security Agency (CISA) published a guide that helps federal civilian agencies advance their zero trust capabilities and adopt modern architectures supported under the Trusted Internet Connections (TIC) 3.0 Initiative. Part of CISA’s Journey to Zero Trust series, this guide helps agencies transition away from the limitations of using TIC 2.0 and capitalize on TIC 3.0 flexibilities to employ Secure Access Service Edge (SASE) solutions. Federal agencies will better understand, plan and mature to zero trust architecture to improve user experience, increase visibility and control, and enable telemetry sharing with CISA services."
https://www.cisa.gov/news-events/news/new-cisa-guide-assists-federal-agencies-transitioning-modernized-zero-trust-architectures
https://www.cisa.gov/resources-tools/resources/using-sase-modern-tic-30-solution
https://www.cisa.gov/sites/default/files/2026-06/The_Journey_to_Zero_Trust_Using_SASE_in_a_Modern_TIC-3.0_Solution_CB_Approved_508c.pdf
https://www.infosecurity-magazine.com/news/cisa-sase-tic-3-0-zero-trust/
Inside The 2026 SMB Threat Landscape: From Phishing And Scams To Fake AI Tools
"Small and medium-sized businesses (SMBs) remain attractive targets for cybercriminals – in both mass cyberattacks and sophisticated campaigns targeting larger enterprises through trusted relationship attacks. At the same time, smaller businesses may lack the robust cybersecurity policies and necessary resources to protect themselves against an evolving threat landscape."
https://securelist.com/smb-threat-report-2026/120357/
NIST Opens Updated IoT Security Guidance To Public Review
"The National Institute of Standards and Technology (NIST) announced Wednesday that it’s seeking public feedback on updated Internet of Things (IoT) security guidelines. Updated to reflect current security needs, the guidance provides general considerations on the impact of IoT products on risk assessments and aims to establish cybersecurity requirements to support security controls. The initial public draft (IPD) of SP 800-213 Revision 1, titled ‘IoT Product Cybersecurity Guidelines for the Federal Government: Establishing IoT Product Cybersecurity Requirements’, is available for download on NIST’s website (PDF), with the public comment period ending August 24."
https://www.securityweek.com/nist-opens-updated-iot-security-guidance-to-public-review/
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-213r1.ipd.pdf
SOC Threat Radar — June 2026
"Incidents mitigated in the last month by Barracuda Managed XDR show how weak access controls and exposed remote services attract mass-targeting adversaries and pave the way for more severe attacks. LemonDuck malware infects endpoints for cryptomining. GoldBrute botnet brute-forces remote services. Password spraying attacks from Iran are targeting VPNs."
https://blog.barracuda.com/2026/06/25/soc-threat-radar-june-2026
Why ShinyHunters Attacks Expose a Growing Data Security Risk
"While a lot of attention is being paid to a pending apocalypse of vulnerabilities that are being discovered by the latest generation of artificial intelligence (AI) models, a series of relatively simpler cyberattacks from a shadowy syndicate known as ShinyHunters are proving to be the most lethal. The most recent cyberattack launched by this group was against Madison Square Garden (MSG), the parent organization of the New York Knicks and Liberty basketball teams and the New York Rangers hockey team. As fans of the Knicks were celebrating the team’s NBA championship, cybersecurity teams and the executive leadership of MSG were contending with the theft of 45 GB of corporate and customer data."
https://blog.barracuda.com/2026/06/24/shinyhunters-attacks-data-security-risks

อ้างอิง

Electronic Transactions Development Agency (ETDA)

NCSA_THAICERT

Industrial Sector

Where IT Meets OT And Railway Cybersecurity Gets Harder
"In this interview with Help Net Security, Jorge Aldegunde, Global Head of Railway Services at DNV, talks through what happens when old operational technology meets newer IT in monorail systems. He explains why open networks widened the attack surface, how teams decide whether to patch a signalling flaw without stopping trains, and who carries the liability. Aldegunde covers regulation like CRA and NIS2, training veteran engineers to think about threat actors, and spotting intruders who have been inside for months. His main rule: manage your risks and plan for resilience, not perfection."
https://www.helpnetsecurity.com/2026/06/24/jorge-aldegunde-dnv-railway-cybersecurity/

New Tooling

Praxen: Open-Source AI Agent Behavior Verification
"Praxen is an open-source tool with a simple job: it checks whether an AI agent does what it claims to do. The tool takes an agent’s declared policy, looks at how the agent operates, and points out every spot where the two drift apart. It is the reference implementation of Agent Behavior Verification, a control model that hands each agent an authorized role and then confirms the controls hold that agent to it. The idea borrows from how companies manage their own employees. Every person gets a defined set of permissions, and the same logic now applies to software agents, where each one carries a scope of activity it is allowed to perform."
https://www.helpnetsecurity.com/2026/06/24/praxen-open-source-ai-agent-behavior-verification/
https://github.com/open-agent-ai-security/praxen

Vulnerabilities

CISA Adds Four Known Exploited Vulnerabilities To Catalog
"CISA has added four new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
CVE-2025-67038 Lantronix EDS5000 Code Injection Vulnerability
CVE-2026-34908 Ubiquiti UniFi OS Improper Access Control Vulnerability
CVE-2026-34909 Ubiquiti UniFi OS Path Traversal Vulnerability
CVE-2026-34910 Ubiquiti UniFi OS Improper Input Validation Vulnerability"
https://www.cisa.gov/news-events/alerts/2026/06/23/cisa-adds-four-known-exploited-vulnerabilities-catalog
https://www.bleepingcomputer.com/news/security/cisa-warns-of-max-severity-ubiquiti-flaws-exploited-in-attacks/
https://thehackernews.com/2026/06/cisa-warns-critical-lantronix-eds5000.html
https://www.securityweek.com/critical-ubiquiti-vulnerabilities-in-attackers-crosshairs/
https://securityaffairs.com/194142/security/u-s-cisa-adds-ubiquiti-unifi-os-and-lantronix-eds5000-plugin-flaws-to-its-known-exploited-vulnerabilities-catalog.html
When Defenses Become Attack Surface: CVE-2026-20971, a Samsung Kernel UAF
"Our team found a UAF vulnerability in Samsung's Android kernel. The vulnerability affected Samsung Android devices starting at Galaxy S9 through Galaxy S25, as well as additional devices (we tested S21, S22, S24, A54). Both Qualcomm and Exynos chipset based devices were impacted. The vulnerability could be exploited from any untrusted app, and allowed attackers to obtain multiple memory corruption primitives, potentially leading to complete device takeover."
https://lucidbitlabs.com/blog/when-defenses-become-attack-surface/
https://securityaffairs.com/194090/security/samsung-knox-kernel-uaf-exposes-millions-of-galaxy-devices.html
Researchers Trick AI Browsers Into Leaking Credentials
"A range of AI-powered web browsers have been tricked into abandoning their safety guardrails and leaking user data after being convinced they were playing a game. Researchers at LayerX demonstrated the technique, which they named BioShocking, against six agentic browsers and plugins, including OpenAI's ChatGPT Atlas, Perplexity's Comet and Anthropic's Claude extension. In a proof-of-concept (PoC) attack, all six were steered into copying a user's login credentials and sending them to an attacker."
https://www.infosecurity-magazine.com/news/bioshocking-ai-browser-prompt/

Malware

Backdoor.Mistic: New Backdoor May Be Linked To Ransomware Access Broker
"Stealthy new backdoor used in cybercrime intrusions since April 2026 may be associated with Woodgnat (aka KongTuke), an initial access broker whose ModeloRAT toolkit has fed Qilin and other ransomware operations."
https://www.security.com/threat-intelligence/new-mistic-backdoor-modeloRAT
https://www.bleepingcomputer.com/news/security/stealthy-mistic-backdoor-linked-to-ransomware-access-broker-kongtuke/
https://www.securityweek.com/new-mistic-rat-opens-door-to-several-ransomware-families/
Iran-Linked MuddyWater Poses As Ransomware Gang To Mask Cyber Espionage
"The line between ransomware activity and nation-state backed cyber campaigns is blurring, as state-sponsored cyber espionage groups adopt tools and techniques associated with cyber criminals to disguise their intelligence operations, a report has warned. Analysis by cybersecurity researchers at NCC Group has described how MuddyWater, a hacking and cyber espionage group associated with Iran’s Ministry of Intelligence and Security, posed as the Chaos ransomware group to hide its espionage activity."
https://www.infosecurity-magazine.com/news/iranlinked-muddywater-poses-as/
Total Access To All Your Devices.” Sextortion Scammers Strike Again
"At the moment, we’re seeing all kinds of sextortion emails. The scam is cheap to run, easy to automate, and apparently profitable enough that cybercriminals keep using it. Some criminals put more effort into their messages than others. Sextortion emails are messages claiming that scammers recorded you through your webcam while you watched pornography and now demand payment. They have been around for years and keep evolving with small changes in wording and fake technical detail."
https://www.malwarebytes.com/blog/scams/2026/06/total-access-to-all-your-devices-sextortion-scammers-strike-again
StrikeShark: Investigating a New Campaign Delivering Cobalt Strike Through SharkLoader
"During our research of activity affecting a diplomatic organization in Indonesia, we uncovered a previously undocumented malware family that we have named SharkLoader. What initially appeared to be an isolated case quickly expanded into a broader campaign as we identified additional SharkLoader infections across multiple countries and sectors. Our investigation revealed that SharkLoader serves as a loader designed to deploy Cobalt Strike Beacon on compromised systems. We observed the threat actor deploying SharkLoader through exploitation of internet-facing applications, including Microsoft Exchange, Microsoft SharePoint, and Openfire Server, as well as through malware-based delivery mechanisms."
https://securelist.com/strikeshark-campaign/120326/
The Broker Behind FortiBleed: Anatomy Of a Russian-Speaking Access Operation
"At Mysterium VPN, we often think about who gets to sit in the middle of someone else's connection. Usually, that means a camera, a router, or an internet provider. This time, it’s something heavier: a firewall. The exact device a company buys to keep strangers out of its network turned out to be the front door a criminal crew walked through — and then cataloged, priced, and put up for sale. In mid-June 2026, security researcher Volodymyr "Bob" Diachenko posted on LinkedIn that he had stumbled upon a live, exposed server containing what appeared to be working login credentials for tens of thousands of Fortinet firewalls (Fortinet is one of the world's largest makers of network security hardware)."
https://www.mysteriumvpn.com/news/fortibleed-access-broker
https://securityaffairs.com/194132/cyber-crime/fortibleed-the-broker-who-turned-73000-firewalls-into-a-product-catalog.html
MacOS.Gaslight | Rust Backdoor Turns Prompt Injection On The Analyst, Not The Sandbox
"In early June, an Apple XProtect update surfaced a Mach-O sample that had been uploaded to VirusTotal on May 22. The XProtect rule targets the file purely on its hash rather than on any internal strings or bytecode, yet the sample remains undetected by static engines on VirusTotal at the time of writing. The binary is ad hoc signed and carries the identifier endpoint-macos-aarch64-5555494492fc075f441637fb9d894913dde3a2ea."
https://www.sentinelone.com/labs/macos-gaslight-rust-backdoor-turns-prompt-injection-on-the-analyst-not-the-sandbox/
https://www.infosecurity-magazine.com/news/macos-gaslight-rust-backdoor/
Zero-Day Exploitation Of Vulnerability (CVE-2026-20245) In Cisco Catalyst SD-WAN Manager
"In early 2026, Mandiant identified a threat actor targeting SD-WAN infrastructure at a service provider. After gaining initial access, the threat actor exploited a zero-day vulnerability (CVE-2026-20245) in Cisco Catalyst SD-WAN to escalate privileges from a compromised administrative account to root-level access. The vulnerability stems from the device’s file upload feature lacking the ability to properly filter malicious data."
https://cloud.google.com/blog/topics/threat-intelligence/zero-day-exploitation-cisco-catalyst-sd-wan-manager
https://www.bleepingcomputer.com/news/security/mandiant-reveals-how-cisco-sd-wan-zero-day-attacks-gained-root-access/
https://www.darkreading.com/cyberattacks-data-breaches/attackers-hit-cisco-sd-wan-flaw-2-months-before-disclosure
https://cyberscoop.com/cisco-sd-wan-zero-day-exploit-communications-provider/
GhostShell (MB-0009): Targeting Ukraine’s UAV Operations And Defense Supply Chain
"Today, we are taking a look at malware linked to yet another threat actor, one that has been active since at least February 2026. Since I could not associate the malware with any previously attributed threat actor, I am naming the actor GhostShell (you’ll find out why later in this article) and assigning it the Malwarebox identifier MB-0009."
https://blog.synapticsystems.de/ghostshell-mb-0009-targeting-ukraines-uav-operations-and-defense-supply-chain/
https://hackread.com/ghostshell-hacking-group-ukraine-drone-defense-sector/

Breaches/Hacks/Leaks

KDDI Breach Affects Six Japanese ISPs, Exposes 14.2 Email Credentials
"Japanese telecommunications operator KDDI has confirmed it suffered a breach that has affected five other internet services providers (ISPs) and potentially exposed 14.2 customer email accounts. In a public statement released on June 23, KDDI Corporation said an unauthorized actor unlawfully gained access to an email system it provides to several Japanese ISPs, meaning that data linked to customers of these email services may have leaked. Specifically, KDDI said up to 14.22 million email addresses and passwords have likely been compromised."
https://www.infosecurity-magazine.com/news/kddi-breach-japanese-telcos/
Indian Auto Giant Bajaj Auto Hit By Ransomware Incident
"India's automotive giant Bajaj Auto disclosed on Tuesday that it had been hit by a ransomware attack affecting its operations and a technology-focused subsidiary. The company said in a regulatory filing that it became aware of the incident on Tuesday morning and had taken precautionary measures to contain its impact. It added that its technical team and cybersecurity experts responded immediately and that mitigation efforts had so far been "successful.""
https://therecord.media/indian-auto-giant-bajaj-auto-hit-by-ransomware
German Rail Services Resume After Wireless Communications Outage
"Germany's state-owned rail operator Deutsche Bahn restored train services early Wednesday after a technical failure in its railway communications network brought rail traffic across the country to a standstill for roughly two hours overnight, disrupting both long-distance and regional services. The outage, which began late Tuesday, halted trains nationwide and also affected S-Bahn commuter services connecting major cities with surrounding suburbs. While services resumed Wednesday morning, Deutsche Bahn warned passengers to expect lingering delays and cancellations."
https://therecord.media/deutsche-bahn-railroad-gsmr-outage

General News
Security Is No Longer An IT Problem: Why Boards Must Rethink Cyber Resilience In The Age Of AI
"For years, organisations approached email security as a technology problem. Deploy a secure email gateway (SEG), add filtering tools, automate remediation workflows, and assume the problem was solved. That approach no longer works. Today’s attackers are using AI to create polymorphic phishing campaigns that continuously evolve to evade traditional detection systems. They rotate URLs, vary sender identities, change subject lines, and modify content at scale. The result is that many organisations are discovering that even sophisticated email security tools and Microsoft 365 protections cannot stand alone against modern threats."
https://cofense.com/blog/security-is-no-longer-an-it-problem-why-boards-must-rethink-cyber-resilience-in-the-age-of-ai

Scaling Cybercrime Disruption Through Innovation And AI
"Microsoft is taking a new approach to fighting cybercrime, targeting the cyberattack supply chain, not just individual services. In a case unsealed today, we are simultaneously targeting two widely used cybercrime tools, Amadey and StealC, after AI-assisted analysis revealed they rely on the same infrastructure. This action goes after the cybercrime “assembly line,” where coordinated tools drive ransomware, financial fraud, and disruptions to public services. Amadey and StealC are often used alongside each other: Amadey helps attackers gain access to devices, while StealC steals passwords and sensitive information. Together, they form a critical link in the chain. In the first two weeks of May alone, Amadey and StealC were linked to more than 140,000 infected computers globally, highlighting how widely they are used."
https://blogs.microsoft.com/on-the-issues/2026/06/24/scaling-cybercrime-disruption-through-innovation-and-ai/
https://www.europol.europa.eu/media-press/newsroom/news/global-cyber-strike-disrupts-socgholish-amadey-and-stealc-malware-networks
https://www.proofpoint.com/us/blog/threat-insight/stealc-you-later-proofpoint-and-ibm-x-force-support-operation-endgame
https://www.bleepingcomputer.com/news/security/amadey-stealc-malware-operations-disrupted-in-operation-endgame-action/
https://thehackernews.com/2026/06/amadey-and-stealc-malware-network.html
https://therecord.media/stealc-amadey-socgholish-malware-takedown-europol-microsoft
https://cyberscoop.com/microsoft-amadey-stealc-takedown/
https://www.bankinfosecurity.com/infostealers-stealc-amadey-disrupted-in-police-crackdown-a-32062
https://www.infosecurity-magazine.com/news/operation-endgame-stealc-amadey/
https://hackread.com/operation-endgame-stealc-amadey-socgholish-malware/
https://www.securityweek.com/microsoft-and-allies-smash-shared-infrastructure-of-amadey-and-stealc-malware/
https://securityaffairs.com/194173/cyber-crime/europol-disrupts-stealc-and-amadey-malware-infrastructure-in-operation-endgame.html
https://www.helpnetsecurity.com/2026/06/24/operation-endgame-stealc-amadey-malware-disrupted/
Trust No One: Automating MacOS Privilege Escalation At Scale
"A novel macOS privilege escalation technique allows standard user accounts to silently disable leading enterprise security products—including major Endpoint Detection and Response (EDR) and Mobile Device Management (MDM) solutions—without requiring administrator credentials, kernel exploits, or triggering security alerts. The attack exploits a fundamental flaw in how macOS XPC services establish trust boundaries by chaining CDHash kernel cache exploitation with NIB payload injection to impersonate trusted application components. Consequently, any non-root user can invoke arbitrary privileged XPC methods with zero authentication. This exposure exists widely across applications implementing inter-component XPC communication in the macOS ecosystem."
https://xmcyber.com/blog/faind-my-xpc-breaks-a-key-trust-boundary/
https://www.darkreading.com/application-security/apple-macos-security-gap-users-disable-security-tools
https://www.securityweek.com/macos-weaknesses-chained-to-silently-disable-endpoint-security-agents/
Security Testing Was Built For a Slower World
"Software teams are pushing code into production faster than security testing can keep up. AI is accelerating development cycles and adding pressure to security programs that rely on periodic validation and manual penetration testing. The State of AI in Pentesting report from Aikido Security found that 76% of organizations have had to stop, restrict, or roll back AI-driven behavior in the past 12 months. Another 71% said AI or automation made a security issue harder to detect, investigate, or fix."
https://www.helpnetsecurity.com/2026/06/24/ai-security-testing-report/
How Threat Actors Are Using AI In Real Attacks: Cheaper, Faster, Harder To Spot
"AI is making familiar cyber attacks cheaper to build, faster to scale, easier to tailor, and harder to spot. Across the incidents and dark-web discussions in this report, threat actors used AI to improve what already works: phishing, social engineering, malicious code, identity fraud, and early post-compromise activity. The tradecraft is familiar, but the pace isn’t. We’ve tracked that shift for the past two years. In our 2024 AI-Powered Cybercrime report, we saw early signs of cybercriminal AI use, which consisted mostly of phishing email polish, basic LLM-generated scripts, and the emergence of malicious GPTs like “WormGPT” (now defunct) and “FraudGPT” on the dark web. By mid-2025, the picture had expanded to deepfake services, AI-assisted scripts, and a growing underground market for AI-enabled tools. Over the past year, the core uses have stayed largely the same, but AI has moved closer into the heart of the offensive workflow."
https://reliaquest.com/campaigns/how-threat-actors-use-ai/executive-summary
https://www.infosecurity-magazine.com/news/ai-attacks-cheaper-faster-covert/
Anthropic’s Mythos Model Found Vulnerabilities In Classified US Government Systems, Official Says
"A U.S. official told The Associated Press on Tuesday that one of Anthropic’s artificial intelligence models had identified vulnerabilities in highly sensitive and secure U.S. government computer systems during a testing exercise. The official, who spoke on the condition of anonymity to discuss the matter, said Anthropic had teamed up with U.S. intelligence agencies to conduct tests using the company’s Mythos model. It had identified certain vulnerabilities within hours, but that does not mean the model was able to exploit them within that time, the official said."
https://www.securityweek.com/anthropics-mythos-model-found-vulnerabilities-in-classified-us-government-systems-official-says/
Agentic AI Security: Wrong Context, Wrong Decisions At Machine Speed
"Context is the central plank of AI in general, and agentic AI in particular. If an AI system doesn’t have the correct context, it cannot make the correct decisions. Security is moving toward reliance on the autonomous and automatic action of agentic AI. It has little choice. The increasing speed, volume and efficiency of attacks automated by adversarial use of both generative and agentic AI will only be matched by defensive AI with as little slow human intervention (the proverbial man-in-the-loop) as possible."
https://www.securityweek.com/agentic-ai-security-wrong-context-wrong-decisions-at-machine-speed/
A Closer Look At Africa’s Evolving Cyberthreat Landscape
"The Africa region experiences an interesting mix of cyberattacks, threat actors, victims, and victim types. Ransomware and fraud are not the dominant threat types, and there aren’t many well-known names in the list of top threat actors. It’s not that the region has it easy—far from it—but Africa presents a different kind of threat landscape when we break down the numbers."
https://blog.barracuda.com/2026/06/23/africa-evolving-cyberthreat-landscape
OpenClaw’s Skill Marketplace And The Emerging AI Supply Chain Threat
"OpenClaw is an AI agent that executes third-party skills from ClawHub, its dedicated marketplace. Skills are markdown-driven packages with broad local system access, making ClawHub a critical link in the agentic software supply chain. Following its release, the ecosystem saw several malicious campaigns. Those early findings, published in February 2026, prompted ClawHub to integrate VirusTotal and ClawScan, enabling proactive screening of published skills and code-level analysis to block skills flagged as malicious from download."
https://unit42.paloaltonetworks.com/openclaw-ai-supply-chain-risk/
https://www.darkreading.com/cyber-risk/malicious-openclaw-skills-clawhub-threaten-ai-supply-chain
DraftKings Hacker 'Snoopy' Sentenced To 18 Months In Prison
"A 21-year-old using the alias "Snoopy" was sentenced to 18 months in prison for his role in hacking DraftKings accounts in the November 2022 cyberattack. In December 2025, the man, Nathan Austad of Minnesota, pleaded guilty to conspiracy to commit computer intrusion, admitting that he and co-conspirators compromised 60,000 DraftKings user accounts. During the attack, the hackers added payment methods under their control to 1,600 accounts and stole $600,000."
https://www.bleepingcomputer.com/news/security/draftkings-hacker-snoopy-sentenced-to-18-months-in-prison/
https://www.justice.gov/usao-sdny/pr/third-defendant-sentenced-prison-hacking-fantasy-sports-and-betting-website
https://www.securityweek.com/third-draftkings-hacker-sentenced-to-18-months-in-prison/
Open-Source Security Is Posing Challenges Governments Can’t Easily Solve
"An epidemic of cyberattacks on open-source software has mounted in recent months, making clear how uniquely difficult it is to protect the publicly available code, from both a policy and a technical perspective, that serves as the foundation for so much of the digital world. While open-source software security got a boost in attention under President Joe Biden — whose administration grappled with the fallout from the potentially catastrophic Log4j flaw that emerged in 2021 — a number of open-source experts say that government protection efforts have suffered setbacks under President Donald Trump. Many also say companies that heavily rely on open-source software, which is basically all of them, haven’t shouldered enough of the responsibility for safeguarding it."
https://cyberscoop.com/open-source-software-security-crisis/
Exclusive: Meet AIVEX, a New Triage Model Built To Reduce Supply Chain Threat And Risk
"Remediation priority (vulnerability triaging) traditionally focuses on Software Bill of Materials (SBOMs) and Vulnerability Exploitability eXchange (VEX) statements provided with the software and supplemented by CVSS scores. That is not enough in today’s environment. SBOMs list the components within the software. They emanated from Executive Order 14028 designed to reduce supply chain attacks. VEX statements emerged soon afterward to indicate whether any known vulnerabilities are exploitable. The separate CVSS score is used as a severity indicator for vulnerability remediation priority. It’s not working – supply chain attacks continue."
https://www.securityweek.com/exclusive-meet-aivex-a-new-triage-model-built-to-reduce-supply-chain-threat-and-risk/
Navigating The Threat Landscape Of The 2026 FIFA World Cup
"As the 2026 FIFA World Cup progresses, Flashpoint analysts continue to monitor a dynamic threat environment spanning physical security, civil unrest, cyber threats, and geopolitical developments. While analysts have not identified any credible indications of an imminent attack targeting tournament venues or participants, several notable developments have emerged since our previous assessment:"
https://flashpoint.io/blog/2026-fifa-world-cup-threat-landscape/
https://www.darkreading.com/cybersecurity-operations/2026-fifa-world-cup-faces-surge-cyber-threats
Do CISOs Need a Code Of Ethics?
"Dark Reading Confidential Episode 19: Kickbacks, no-show jobs, "dirty" VCs, and shelf ware — industry expert Robert "RSnake" Hansen explains why he thinks its time for a CISO code of ethics to ensure cybersecurity bosses aren't engaged in self-dealing that could risk enterprise, and even national, security."
https://www.darkreading.com/cybersecurity-operations/ciso-code-of-ethics
When Information Becomes The Attack Surface – Understanding AI Agent Traps
"AI agents go beyond answering questions. They can autonomously browse websites, read emails, search company files, query software tools, and more. AI models producing incorrect answers is hardly a threat, until agents encounter information that’s maliciously designed to influence what it sees, believes, remembers, or executes. An agent leverages webpages, document stores, wikis, images, emails, or tools to produce intended outputs. But what happens when these sources mask malicious instructions?"
https://www.securityweek.com/when-information-becomes-the-attack-surface-understanding-ai-agent-traps/