NCSA Webboard

NCSA_THAICERT (@NCSA_THAICERT)
Global Moderator, administrators
Reputation 51, about 2.0k posts, 2 followers, 0 following
Website: www.ncsa.or.th

Latest posts made by NCSA_THAICERT

    • Android 17 raises security by restricting access to the Accessibility API to reduce the risk from malware
      Posted in Cyber Security News
    • ShinyHunters claims to have stolen up to 1 petabyte of data from Telus after breaching its subsidiary Telus Digital
      Posted in Cyber Security News
    • Payload ransomware group breaches a hospital in Bahrain, threatens to leak 110 GB of data unless paid
      Posted in Cyber Security News
    • Cyber Threat Intelligence 17 March 2026

      Industrial Sector

      • Siemens RUGGEDCOM APE1808 Devices
        "Fortinet has published information on vulnerabilities in FORTIOS. This advisory lists the related Siemens Industrial products. Siemens has released a new version for RUGGEDCOM APE1808 and recommends to update to the latest version."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-071-02
      • Siemens SIMATIC
        "SIMATIC S7-1500 devices contain a vulnerability that could allow an attacker to inject code by tricking a legitimate user into importing a specially crafted trace file in the web interface. Siemens has released new versions for several affected products and recommends to update to the latest versions. Siemens is preparing further fix versions and recommends specific countermeasures for products where fixes are not, or not yet available."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-071-04
      • Siemens SIDIS Prime
        "SIDIS Prime before V4.0.800 is affected by multiple vulnerabilities in the components OpenSSL, SQLite, and several Node.js packages as described below. Siemens has released a new version of SIDIS Prime and recommends to update to the latest version."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-071-03
      • Trane Tracer SC, Tracer SC+, And Tracer Concierge
        "Successful exploitation of these vulnerabilities could allow an attacker to disclose sensitive information, execute arbitrary commands, or perform a denial-of-service on the product."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-071-01
      • Siemens Heliox EV Chargers
        "Heliox EV Chargers listed below contain improper access control vulnerability that could allow an attacker to reach unauthorized services via the charging cable. Siemens has released new versions for the affected products and recommends to update to the latest versions."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-071-05
      • Inductive Automation Ignition Software
        "Successful exploitation of this vulnerability could allow an attacker to execute malicious code with OS application service account permissions that the authenticated, privileged application user did not intend on running."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-071-06
      • Beyond CVSS: OT Security Looks For Its Risk Methodology
        "A mainstay of IT security programs across the world, the Common Vulnerability Scoring System, may have terminal flaws when applied to the mirror universe of operational technology - a place where ordinary assumptions about risk don't apply. OT [security experts] have long argued that CVSS is an inadequate measure for their purposes. In November 2023, the Forum of Incident Response and Security Teams, which maintains CVSS, sought to address those complaints with a new version, CVSS 4.0. But a growing number of OT security experts believe it's becoming clear that CVSS can't be "fixed" - even putting aside issues such as the administrative burden required to implement CVSS 4.0 in the OT world."
        https://www.bankinfosecurity.com/beyond-cvss-ot-security-looks-for-its-risk-methodology-a-31038
      • What Smart Factories Keep Getting Wrong About Cybersecurity
        "In this Help Net Security interview, Packsize CSO Troy Rydman breaks down the biggest vulnerabilities in smart factory environments today, from IoT devices and legacy systems to human error. He explains how unmanaged devices, from sensors to robotic components, often go unpatched and become entry points for attackers. Legacy infrastructure is frequently overlooked as organizations move to cloud and SaaS platforms, leaving outdated systems exposed. Employees remain a persistent weak point, not because of negligence, but because human nature can be exploited through social engineering and phishing. Rydman also addresses the ongoing tension between production uptime and security requirements, and how organizations can find the right risk threshold by keeping stakeholders informed, investing in training, and building a security-aware company culture."
        https://www.helpnetsecurity.com/2026/03/16/troy-rydman-packsize-smart-factory-cybersecurity-risks/

      New Tooling

      • VulHunt: Open-Source Vulnerability Detection Framework
        "Binarly has published VulHunt Community Edition, making the core scanning engine from Binarly’s commercial Transparency Platform available to independent researchers and practitioners. VulHunt Community Edition is a framework for detecting vulnerabilities in compiled software. It operates against multiple binary representations simultaneously, working across disassembly, an intermediate representation layer, and decompiled code. Targets include POSIX executables and UEFI firmware modules."
        https://www.helpnetsecurity.com/2026/03/16/vulhunt-open-source-vulnerability-detection-framework/
        https://github.com/vulhunt-re/vulhunt

      Vulnerabilities

      • CISA Adds One Known Exploited Vulnerability To Catalog
        "CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
        CVE-2025-47813 Wing FTP Server Information Disclosure Vulnerability"
        https://www.cisa.gov/news-events/alerts/2026/03/16/cisa-adds-one-known-exploited-vulnerability-catalog
        https://www.bleepingcomputer.com/news/security/cisa-flags-wing-ftp-server-flaw-as-actively-exploited-in-attacks/
        https://securityaffairs.com/189530/security/u-s-cisa-adds-a-flaw-in-wing-ftp-server-to-its-known-exploited-vulnerabilities-catalog.html
      • Pwning AI Code Interpreters In AWS Bedrock AgentCore
        "During research into AI code execution environments, BeyondTrust Phantom Labs™ discovered that AWS Bedrock AgentCore Interpreter’s Sandbox network mode does not fully block outbound communication. AWS originally advertised Sandbox mode as providing “complete isolation with no external access.” However, Phantom Labs discovered that public DNS queries remain allowed. This behavior can enable threat actors to establish command-and-control channels and data exfiltration over DNS in certain scenarios, bypassing the expected network isolation controls. Specifically, the Code Interpreter can query A and AAAA DNS records."
        https://www.beyondtrust.com/blog/entry/aws-bedrock-agentcore-sandbox-breakout
        https://www.infosecurity-magazine.com/news/security-flaw-aws-bedrock/
        https://hackread.com/data-leak-risk-in-aws-bedrock-ai-code-interpreter/
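      The Bedrock AgentCore item above makes a point that generalises well beyond one product: a sandbox that still answers A and AAAA lookups has an outbound channel, because data can be encoded into query labels under an attacker-controlled zone and the authoritative server on the other end reads it off. The detector below is an added example, not code from BeyondTrust or AWS. It runs over a constructed resolver log (the line format, the 10.0.0.5 client and the c2.example.net zone are all assumptions) and flags an apex domain when it sees very long labels, long high-entropy labels, or many distinct subdomains. One caveat is built in: entropy alone misfires on short English labels, so it is only consulted together with a length floor, and the apex split should use the Public Suffix List in production.

```python
import base64
import math
from collections import Counter, defaultdict

# Constructed sample: a 100-byte "secret" split into 20-byte chunks and
# base32-encoded (DNS labels are case-insensitive, so base32 is a common
# choice); 20 bytes -> exactly 32 base32 characters, no '=' padding.
_SECRET = (b"constructed-sample-secret-" * 4)[:100]
_EXFIL_LABELS = [
    base64.b32encode(_SECRET[i:i + 20]).decode().lower()
    for i in range(0, len(_SECRET), 20)
]

# Constructed resolver log: "<timestamp> <client> <qname> <qtype>".
# c2.example.net is the hypothetical attacker-controlled zone.
SAMPLE_LOG = [
    "2026-03-17T10:00:01Z 10.0.0.5 pypi.org A",
    "2026-03-17T10:00:02Z 10.0.0.5 files.pythonhosted.org A",
    "2026-03-17T10:00:03Z 10.0.0.5 sts.amazonaws.com AAAA",
    "2026-03-17T10:00:04Z 10.0.0.5 bedrock-runtime.us-east-1.amazonaws.com A",
] + [
    f"2026-03-17T10:00:{10 + i:02d}Z 10.0.0.5 {i}.{label}.c2.example.net A"
    for i, label in enumerate(_EXFIL_LABELS)
]


def shannon_entropy(s: str) -> float:
    """Bits per character of s (0.0 for empty input)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def split_qname(qname: str):
    """Return (apex, subdomain). Apex = last two labels; a real deployment
    should use the Public Suffix List so 'example.co.uk' is handled."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return ".".join(labels), ""
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def analyze_dns_log(lines, long_label=30, entropy_floor=3.8,
                    entropy_min_len=20, min_unique=5):
    """Aggregate A/AAAA queries per apex and flag exfiltration-like patterns.

    A label is suspicious when it is very long, or moderately long *and*
    high-entropy (short English labels score high on entropy alone, so
    entropy is never used without a length floor). An apex is also flagged
    when many distinct subdomains are queried under it."""
    per_apex = defaultdict(lambda: {"queries": 0, "subdomains": set(),
                                    "max_label_len": 0,
                                    "max_label_entropy": 0.0,
                                    "reasons": set()})
    for line in lines:
        parts = line.split()
        if len(parts) != 4 or parts[3] not in ("A", "AAAA"):
            continue
        apex, sub = split_qname(parts[2])
        rec = per_apex[apex]
        rec["queries"] += 1
        rec["subdomains"].add(sub)
        for label in filter(None, sub.split(".")):
            ent = shannon_entropy(label)
            rec["max_label_len"] = max(rec["max_label_len"], len(label))
            rec["max_label_entropy"] = max(rec["max_label_entropy"], ent)
            if len(label) >= long_label:
                rec["reasons"].add("long_label")
            if len(label) >= entropy_min_len and ent >= entropy_floor:
                rec["reasons"].add("high_entropy_label")
    report = {}
    for apex, rec in per_apex.items():
        unique = len(rec["subdomains"])
        if unique >= min_unique:
            rec["reasons"].add("many_unique_subdomains")
        report[apex] = {
            "queries": rec["queries"],
            "unique_subdomains": unique,
            "max_label_len": rec["max_label_len"],
            "max_label_entropy": round(rec["max_label_entropy"], 2),
            "reasons": sorted(rec["reasons"]),
            "flagged": bool(rec["reasons"]),
        }
    return report


def flagged_apexes(report) -> set:
    """Apex domains with at least one detection reason."""
    return {apex for apex, rec in report.items() if rec["flagged"]}


if __name__ == "__main__":
    for apex, rec in analyze_dns_log(SAMPLE_LOG).items():
        print(apex, rec)
```

      Run stand-alone it prints the per-apex report. The same logic can be pointed at resolver or VPC DNS query logs; the apex-level counters matter more than any single query, because a channel that only has A and AAAA available just has to keep each individual lookup unremarkable.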

      Malware
      • LiveChat Abuse: How Phishers Are Exploiting SaaS Support Tools To Steal Sensitive Data
        "The Cofense Phishing Defense Center (PDC) has recently identified a unique phishing campaign utilizing the software as a service (SaaS) LiveChat - a customer service software featuring live messaging and AI to provide a line of support for businesses. Unlike typical refund scams or credential phish, this campaign engages victims through a real-time chat interface, impersonating well-known brands in order to harvest sensitive data such as account credentials, credit card details, multi-factor authentication (MFA) codes, and other personally identifiable information (PII)."
        https://cofense.com/blog/livechat-abuse-how-phishers-are-exploiting-saas-support-tools-to-steal-sensitive-data
        https://www.darkreading.com/threat-intelligence/attackers-livechat-phish-credit-card-personal-data
        https://hackread.com/phishing-scam-livechat-pose-as-amazon-paypal/

      • AI-Assisted Phishing Campaign Exploits Browser Permissions To Capture Victim Data
        "Cyble Research & Intelligence Labs (CRIL) has identified a widespread, highly active social engineering campaign hosted primarily on edgeone.app infrastructure. The initial access vectors are diverse — ranging from “ID Scanner,” and “Telegram ID Freezing,” to “Health Fund AI”—to trick users into granting browser-level hardware permissions such as camera and microphone access under the pretext of verification or service recovery."
        https://cyble.com/blog/ai-assisted-phishing-campaign/
      • Malware-As-A-Service Redefined: Why XWorm Is Outpacing Every Other RAT In The Underground Malware Market
        "In the evolving landscape of cybercrime, threat actors are constantly pursuing the "perfect" weapon: malware that is lightweight, modular, and—most importantly—stealthy. The underground market eagerly adopts any tool that balances high functionality with low detection rates. XWorm has emerged as the premier example of this shift. Following the significant disruption caused by XWorm v6.X, the community is now grappling with the even more potent Version 7.x. In this blog, we will see how attackers have tried to target a Taiwan-based network security company. This analysis dissects the active XWorm v7.1 kill chain, explores the market trends fueling its growth, and exposes the Telegram channels where this sophisticated RAT is sold as a high-tier commodity."
        https://www.trellix.com/blogs/research/malware-as-a-service-redefined-xworm-rat/
        https://hackread.com/xworm-7-1-remcos-rat-windows-tools-evade-detection/
      • Global Scam Machines: Inside a Meta-Powered Investment Fraud Ecosystem Spanning 25 Countries
        "In February-March 2026, Bitdefender Labs identified and mapped a sprawling global scam infrastructure and scalable disinformation-for-profit network that uses trusted news brands, real personalities, fabricated media narratives, emotional hooks, and advanced evasion techniques to drive victims into investment fraud funnels. On February 9-March 5, 2026, we analyzed 310 malvertising campaigns distributed through paid advertising on Meta platforms."
        https://www.bitdefender.com/en-us/blog/labs/global-investment-scam-network-using-meta-ads
        https://www.helpnetsecurity.com/2026/03/16/facebook-ads-investment-fraud-campaigns/
      • The Rise Of Fake Shipment Tracking Scams In MEA
        "Every day, billions of people rely on postal and courier services to deliver everything from handwritten letters to high value online orders. These services form the backbone of the global marketplace, especially in the age of e-commerce. According to the 2024 Universal Postal Union’s State of the Postal Sector report, postal services now serve a population of 7.3 billion people, and without them, a country’s GDP could drop by a median of 7%. And according to Statista, about 161 billion parcels were shipped worldwide in 2022 alone. Some of the top countries driving this volume include:"
        https://www.group-ib.com/blog/mea-shipment-tracking-scam/
        https://www.infosecurity-magazine.com/news/global-surge-fake-shipment/
      • Hacked Sites Deliver Vidar Infostealer To Windows Users
        "In recent years, ClickFix and fake CAPTCHA techniques have become a popular way for cybercriminals to distribute malware. Instead of exploiting a technical vulnerability, these attacks rely on convincing people to run malicious commands themselves. Our researchers have recently detected a campaign that ultimately delivers the Vidar infostealer, using several different infection chains."
        https://www.malwarebytes.com/blog/threat-intel/2026/03/hacked-sites-deliver-vidar-infostealer-to-windows-users
      • Free Real Estate: GoPix, The Banking Trojan Living Off Your Memory
        "GoPix is an advanced persistent threat targeting Brazilian financial institutions’ customers and cryptocurrency users. It represents an evolved threat targeting internet banking users through memory-only implants and obfuscated PowerShell scripts. It evolved from the RAT and Automated Transfer System (ATS) threats that were used in other malware campaigns into a unique threat never seen before. Operating as a LOLBin (Living-off-the-Land Binary), GoPix exemplifies a sophisticated approach that integrates malvertising vectors via platforms such as Google Ads to compromise prominent financial institutions’ customers."
        https://securelist.com/gopix-banking-trojan/119173/
      • DRILLAPP Backdoor Targets Ukraine, Abuses Microsoft Edge Debugging For Stealth Espionage
        "Ukrainian entities have emerged as the target of a new campaign likely orchestrated by threat actors linked to Russia, according to a report from S2 Grupo's LAB52 threat intelligence team. The campaign, observed in February 2026, has been assessed to share overlaps with a prior campaign mounted by Laundry Bear (aka UAC-0190 or Void Blizzard) aimed at Ukrainian defense forces with a malware family known as PLUGGYAPE. The attack activity "employs various judicial and charity themed lures to deploy a JavaScript‑based backdoor that runs through the Edge browser," the cybersecurity company said. Codenamed DRILLAPP, the malware is capable of uploading and downloading files, leveraging the microphone, and capturing images through the webcam by taking advantage of the web browser's features."
        https://thehackernews.com/2026/03/drillapp-backdoor-targets-ukraine.html
        https://therecord.media/russia-ukraine-cyber-espionage-group
        https://securityaffairs.com/189519/malware/russia-linked-apt-uses-drillapp-backdoor-to-spy-on-ukrainian-targets.html
      • Former Germany’s Foreign Intelligence VP Hit In Signal Account Takeover Campaign
        "A cyberattack targeting Signal and WhatsApp users has hit high-ranking German officials, including former BND Vice President Arndt Freytag von Loringhoven. The official reported being contacted by someone posing as Signal support and asked for his PIN. This incident highlights a broader cyber espionage campaign against sensitive individuals in security agencies and political positions. “He is far from the only prominent victim of the global wave of attacks against user accounts at Signal and WhatsApp. According to SPIEGEL, high-ranking German politicians have reported themselves to the authorities as victims, and active officials in security agencies have also been attacked.” reads the report published by SPIEGEL."
        https://securityaffairs.com/189509/intelligence/former-germanys-foreign-intelligence-vp-hit-in-signal-account-takeover-campaign.html
      • European Security Vendor Targeted By Hackers Fronting As Cisco Domain
        "On March 13, 2026, the threat intelligence team at Outpost24, Specops’ parent company, discovered a sophisticated multi-chain redirect phishing campaign fronting as Cisco, a global network equipment provider. The attack is quite complex, leveraging several trusted services as well as compromised legitimate infrastructure to conceal the final phishing destination. Several stages redirect victims through legitimate or previously reputable domains, reducing the likelihood that security scanners or reputation-based filtering will block the link."
        https://specopssoft.com/blog/phishing-campaign-cisco/
        https://www.securityweek.com/security-firm-executive-targeted-in-sophisticated-phishing-attack/
      • ForceMemo: Hundreds Of GitHub Python Repos Compromised Via Account Takeover And Force-Push
        "The StepSecurity threat intelligence team has discovered an ongoing campaign in which an attacker is compromising hundreds of GitHub accounts and injecting identical malware into hundreds of Python repositories. The earliest injections date to March 8, 2026, and the campaign is still active with new repos continuing to be compromised. The attack targets Python projects — including Django apps, ML research code, Streamlit dashboards, and PyPI packages — by appending obfuscated code to files like setup.py, main.py, and app.py. Anyone who runs pip install from a compromised repo or clones and executes the code will trigger the malware."
        https://www.stepsecurity.io/blog/forcememo-hundreds-of-github-python-repos-compromised-via-account-takeover-and-force-push
        https://thehackernews.com/2026/03/glassworm-attack-uses-stolen-github.html
        https://www.securityweek.com/forcememo-python-repositories-compromised-in-glassworm-aftermath/
      • Sandworm: Russia's Global Infrastructure Wrecking Crew
        "Sandworm is a threat group attributed to the Russian Federation (Russia) General Staff Main Intelligence Directorate (GRU). The group operates as a unit within the Russian military and was identified in 2014 while using BlackEnergy malware and a Windows zero‑day (CVE‑2014‑4114) to conduct spear phishing and reconnaissance operations. It wasn’t until December of the following year that the group showed how truly dangerous it was at the time."
        https://blog.barracuda.com/2026/03/16/sandworm--russia-s-global-infrastructure-wrecking-crew
      • Evil Evolution: ClickFix And MacOS Infostealers
        "As we noted in December 2025, ClickFix is an increasingly common social engineering technique, which threat actors use to trick users into installing malicious software on their devices. Unlike traditional exploit-based attacks, this method relies entirely on user interaction – usually in the form of copying and executing commands – making it particularly effective against users who may not appreciate the implications of running unknown and obfuscated terminal commands. It’s also worth noting that, unlike most modern phishing techniques, phishing-resistant authentication (e.g., FIDO2) is not an effective defence against ClickFix attacks."
        https://www.sophos.com/en-us/blog/evil-evolution-clickfix-and-macos-infostealers
        https://thehackernews.com/2026/03/clickfix-campaigns-spread-macsync-macos.html
      • Cyberattack Disrupts Parking Payments In Russian City
        "The Russian city of Perm has restored its parking payment system after a cyberattack last week knocked the service offline and temporarily made parking free for several days. City authorities confirmed Monday that the system is now fully operational and that all payment methods are working normally. The disruption was caused by a large-scale distributed denial-of-service (DDoS) attack that overwhelmed the city’s automated parking payment infrastructure, according to local officials."
        https://therecord.media/cyberattack-russia-parking-system
      • Web Shells, Tunnels, And Ransomware: Dissecting a Warlock Attack
        "We have identified new tactics, techniques, and procedures (TTPs) used by the Warlock ransomware group (tracked by TrendAI™ as Water Manaul). In our previous article, we detailed how Warlock exploited unpatched Microsoft SharePoint servers to deploy LockBit-derived ransomware with the .x2anylock extension, using Cloudflare tunnels for command and control (C&C) and Rclone for data exfiltration. Warlock’s method of initial access to victim networks has remained consistent; however, it has added new techniques to enhance its persistence, lateral movement, and defense evasion. These new observations include the usage of TightVNC (a remote access tool) to maintain persistent control, abuse of new open-source tools to conduct C&C communications, and a persistent Bring Your Own Vulnerable Driver (BYOVD) technique that leverages a vulnerability in the NSec driver."
        https://www.trendmicro.com/en_us/research/26/c/dissecting-a-warlock-attack.html
      • Boggy Serpens Threat Assessment
        "We have been tracking ongoing cyberespionage campaigns by the threat group Boggy Serpens, also known as MuddyWater. Attributed to the Iranian Ministry of Intelligence and Security (MOIS), the group consistently targets diplomatic and critical infrastructure – including energy, maritime and finance – across the Middle East and other strategic targets around the world. We provide a comprehensive threat assessment of Boggy Serpens’ activities over the last year. Our analysis reveals a highly adaptable threat actor that has refined its operational strategy to focus on trusted relationship compromises and multi-wave targeting of key strategic organizations."
        https://unit42.paloaltonetworks.com/boggy-serpens-threat-assessment/
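      The ForceMemo item in this section describes identical obfuscated code appended to files such as setup.py, main.py and app.py, so that a pip install or a plain run of the program executes it. The scanner below is an added example, not StepSecurity's tooling and not the campaign's actual payload: it parses a file with Python's ast module and reports any exec()/eval() whose argument contains a decode chain (base64, zlib, marshal and the like), a dynamic __import__, or a long string literal, and notes whether the call sits at the end of the file where an appended stage would land. The two sample files and the harmless embedded payload are constructed for the example.

```python
import ast
import base64
import os
import zlib

# Calls whose presence inside an exec()/eval() argument indicates a
# decode-then-run chain of the kind described for ForceMemo.
DECODERS = {"b64decode", "b32decode", "b16decode", "a85decode", "b85decode",
            "decompress", "loads", "fromhex", "unhexlify"}
SINKS = {"exec", "eval"}

# Constructed sample files. BENIGN_SETUP_PY is an ordinary packaging
# script; TROJANED_SETUP_PY is the same script with a decode-and-exec
# stage appended, the way a force-pushed commit would leave it. The
# embedded payload only prints a string and is built here so the sample
# is self-contained.
BENIGN_SETUP_PY = (
    "from setuptools import setup\n"
    "\n"
    "setup(name='constructed-sample-pkg', version='1.0.0',\n"
    "      packages=['constructed_sample_pkg'])\n"
)
_PAYLOAD = base64.b64encode(zlib.compress(b"print('constructed payload')")).decode()
TROJANED_SETUP_PY = BENIGN_SETUP_PY + (
    "exec(__import__('zlib').decompress("
    f"__import__('base64').b64decode('{_PAYLOAD}')))\n"
)


def _callee(node):
    """Name of the function a Call node invokes: exec -> 'exec', os.system -> 'system'."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        return node.attr
    return None


def find_obfuscated_exec(source: str, filename: str = "<memory>"):
    """Return one finding per exec()/eval() whose argument contains a decoder
    call, a dynamic __import__, or a long string/bytes literal."""
    tree = ast.parse(source, filename=filename)
    last_stmt_line = tree.body[-1].lineno if tree.body else 0
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call) or _callee(node.func) not in SINKS:
            continue
        decoders, dynamic_import, long_literal = set(), False, False
        for sub in ast.walk(node):
            if isinstance(sub, ast.Call):
                name = _callee(sub.func)
                if name in DECODERS:
                    decoders.add(name)
                elif name == "__import__":
                    dynamic_import = True
            elif (isinstance(sub, ast.Constant)
                  and isinstance(sub.value, (str, bytes))
                  and len(sub.value) >= 64):
                long_literal = True
        if decoders or dynamic_import or long_literal:
            findings.append({
                "file": filename,
                "lineno": node.lineno,
                "sink": _callee(node.func),
                "decoders": sorted(decoders),
                "dynamic_import": dynamic_import,
                "long_literal": long_literal,
                # An appended stage lands at the real last statement.
                "at_end_of_file": node.lineno == last_stmt_line,
            })
    return findings


def scan_tree(root: str, names=("setup.py", "main.py", "app.py")):
    """Walk a checkout and scan the file names the campaign targeted."""
    results = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn not in names:
                continue
            path = os.path.join(dirpath, fn)
            with open(path, encoding="utf-8", errors="replace") as fh:
                try:
                    results.extend(find_obfuscated_exec(fh.read(), path))
                except SyntaxError:
                    pass  # not parseable as Python; report separately if wanted
    return results


if __name__ == "__main__":
    print(find_obfuscated_exec(BENIGN_SETUP_PY, "benign/setup.py"))
    for finding in find_obfuscated_exec(TROJANED_SETUP_PY, "trojaned/setup.py"):
        print(finding)
```

      Because it works on the syntax tree rather than on text, spacing or comment tricks do not hide the call from it, but it will miss payloads that avoid exec/eval altogether (writing a file and spawning a process, for instance). Treat it as one signal alongside reviewing force-pushes and rewritten history on the repositories you install from.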

      Breaches/Hacks/Leaks

      • UK’s Companies House Confirms Security Flaw Exposed Business Data
        "Companies House, a British government agency that operates the registry for all U.K. companies, says its WebFiling service is back online after it was closed on Friday to fix a security flaw that exposed companies' information since October 2025. Dan Neidle, founder of the non-profit Tax Policy Associates, reported the vulnerability to the U.K. corporate register on Friday after Ghost Mail's John Hewitt (who discovered the flaw) didn't receive a reply. "All that was required was to log in to Companies House using your own details and access your own company's dashboard. Then opt to "file for another company" and enter the company number for any one of the five million companies registered with Companies House," said Neidle."
        https://www.bleepingcomputer.com/news/security/uks-companies-house-confirms-security-flaw-exposed-business-data/
        https://taxpolicy.org.uk/2026/03/13/companies-house-security-vulnerability-directors-addresses/
        https://www.infosecurity-magazine.com/news/companies-house-glitch-exposes/
        https://www.theregister.com/2026/03/16/companies_house_breach/
        https://www.bankinfosecurity.com/uk-agency-exposed-corporate-executive-data-a-31033
        https://hackread.com/companies-house-webfiling-flaw-director-details/
      • Stryker Attack Wiped Tens Of Thousands Of Devices, No Malware Needed
        "Last week's cyberattack on medical technology giant Stryker was limited to its internal Microsoft environment and remotely wiped tens of thousands of employee devices. The organization says in an update on Sunday that all its medical devices are safe to use but electronic ordering systems remain offline, and customers must place orders manually through sales representatives. Stryker emphasizes that the incident was not a ransomware attack and that the threat actor did not deploy any malware on its systems."
        https://www.bleepingcomputer.com/news/security/stryker-attack-wiped-tens-of-thousands-of-devices-no-malware-needed/
        https://therecord.media/stryker-cyberattack-impact-iran
      • Oracle EBS Hack: Only 4 Corporate Giants Still Silent On Potential Impact
        "Several global giants listed as victims of the recent hacking campaign targeting Oracle E-Business Suite (EBS) customers have remained mum on the impact of the cybersecurity incident. The Cl0p ransomware and extortion group has taken credit for the EBS hacking campaign, which involved exploiting zero-day vulnerabilities to access data stored by organizations in Oracle’s enterprise management software. The compromised data was then leveraged for extortion. While Cl0p serves as the public-facing extortion brand for the campaign, the cybersecurity community believes the operation may have been driven by a cluster of threat actors, most notably FIN11."
        https://www.securityweek.com/oracle-ebs-hack-only-4-corporate-giants-still-silent-on-potential-impact/
      • Robotics Surgical Biz Intuitive Discloses Phishing Attack
        "Robotics-assisted surgical tech firm Intuitive said that unauthorized intruders gained access to some of its internal IT business applications after stealing an employee's credentials during a phishing attack. Intuitive's statement on the cybersecurity incident doesn't indicate when the attack occurred or when the company discovered it. The Register has reached out to Intuitive about these and other questions, and we will update this story as soon as we receive any response. Stolen data includes some customer business and contact information, along with Intuitive employee and corporate data, according to the statement."
        https://www.theregister.com/2026/03/16/robotics_surgical_biz_intuitive_discloses/
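      The Companies House item in this section describes an authorisation failure rather than an authentication one: a legitimately logged-in filer could bring up any of five million companies simply by entering its number. The snippet below is an added illustration of that class of flaw (broken object-level authorisation) beside its fix; it is not Companies House's code, and the users, companies, record fields and audit helper are all assumptions constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class Company:
    number: str
    name: str
    director_home_address: str  # stands in for the sensitive fields exposed


# Constructed registry and filer data for the example, not real records.
COMPANIES = {
    "00000001": Company("00000001", "Alpha Ltd", "1 Constructed Close"),
    "00000002": Company("00000002", "Beta Ltd", "2 Constructed Close"),
}
# Which logged-in filers are authorised for which company numbers.
AUTHORISED_FILERS = {
    "alice": {"00000001"},
    "bob": {"00000002"},
}
DENIED_ATTEMPTS = []  # audit trail: the signal a defender would alert on


def dashboard_vulnerable(session_user, company_number):
    """Authentication only: any signed-in user who supplies a company number
    receives that company's dashboard. This is the broken object-level
    authorisation pattern the report describes."""
    if session_user not in AUTHORISED_FILERS:
        raise PermissionError("not logged in")
    return COMPANIES[company_number]


def is_authorised(session_user, company_number):
    """Deny by default: the identity must be on that company's filer list."""
    return company_number in AUTHORISED_FILERS.get(session_user, set())


def dashboard_hardened(session_user, company_number):
    """Authentication *and* per-object authorisation, with refusals logged
    so that walking through company numbers becomes visible."""
    if session_user not in AUTHORISED_FILERS:
        raise PermissionError("not logged in")
    if not is_authorised(session_user, company_number):
        DENIED_ATTEMPTS.append((session_user, company_number))
        # Same response for "no such company" and "not your company", so
        # the endpoint cannot be used to confirm which numbers exist.
        raise PermissionError("not authorised for this company")
    return COMPANIES[company_number]


def try_dashboard(session_user, company_number):
    """Convenience wrapper: the record, or None when access is refused."""
    try:
        return dashboard_hardened(session_user, company_number)
    except PermissionError:
        return None


def enumeration_suspects(threshold=3):
    """Users with more refusals than an honest filer would accumulate."""
    counts = {}
    for user, _ in DENIED_ATTEMPTS:
        counts[user] = counts.get(user, 0) + 1
    return sorted(user for user, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    # alice is only authorised for Alpha Ltd, yet the vulnerable path
    # hands her Beta Ltd's record; the hardened path refuses and logs it.
    print(dashboard_vulnerable("alice", "00000002"))
    print(try_dashboard("alice", "00000002"))
    print(DENIED_ATTEMPTS)
```

      The hardened path does two things the vulnerable one does not: it checks the caller's relationship to the specific object rather than merely that a session exists, and it records refusals, because one account stepping through sequential company numbers is exactly the pattern that would have surfaced this exposure long before a researcher reported it.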

      General News

      • Attackers Are Exploiting AI Faster Than Defenders Can Keep Up, New Report Warns
        "Cybersecurity is entering “a new phase” as artificial intelligence tools have matured and given IT defenders significantly less time to respond to cyberattacks and other threats, according to a new report released Monday. The report, authored by federal contractor Booz Allen Hamilton, concludes that threat actors have adopted AI more quickly than governments and private companies have adopted it for cyber defense. It points to multiple incidents over the past two years, like attacks carried out with the help of Anthropic’s Claude, that show both cybercriminals and state-sponsored hacking groups are moving and scaling faster than ever before."
        https://cyberscoop.com/booz-allen-report-ai-helps-attackers-move-faster-than-current-defenses/
        https://www.boozallen.com/expertise/cybersecurity/threat-report-when-cyberattacks-happen-at-ai-speed.html
      • Inside Olympic Cybersecurity: Lessons From Paris 2024 To Milan Cortina 2026
        "The Olympics are a global spectacle, uniting nations through the thrill of competition and the celebration of human achievement. During this year's Winter Olympic and Paralympic Games we watched Alysa Liu reclaim figure skating, a sport she once left behind, landing in first place. The US women's and men's ice hockey teams took gold, ending a 46-year Olympic drought for the latter. Lucas Pinheiro Braathen won gold in the men's giant slalom, bringing home the first Winter Olympics medal for Brazil. And on the seventh day of the Paralympic Winter Games, host country Italy surpassed its previous high score of 13 medals, bumping their tally up to 14."
        https://www.darkreading.com/threat-intelligence/olympic-cybersecurity-paris-2024-milan-2026
      • Certificate Lifespans Are Shrinking And Most Organizations Aren’t Ready
        "The push for shorter TLS certificate lifespans has been building for years. It started with Google’s internal push toward 90-day certificates, which gained traction inside the industry before resistance from enterprise customers slowed things down. Then Apple proposed 47-day certificates, which reignited the debate and ultimately forced the CA/Browser Forum to set a formal schedule. The timeline that came out of those discussions moves certificate validity from one year down to 200 days, then 100, then 47 over a roughly three-year span. That schedule puts pressure on organizations to overhaul both their purchasing models and their operational processes for managing certificates."
        https://www.helpnetsecurity.com/2026/03/16/globalsign-tls-certificate-lifecycle-management/
      • Fortify Your Network Security From Emerging Geopolitical Cyberthreats
        "Since the start of the 2026 conflict in the Middle East on February 28, 2026, Akamai has observed a 245% increase in cybercrime targeting critical businesses and institutions in North America, Europe, and parts of Asia-Pacific. Handala, a hacktivist group that is reported to have links to Iran’s intelligence agencies, has claimed responsibility for a data-wiping attack against Stryker, a global medical technology company headquartered in Kalamazoo, Michigan. Geopolitically motivated hacktivists are using proxy services in countries like Russia and China as a source for billions of designed-for-abuse connection attempts."
        https://www.akamai.com/blog/security/fortify-network-security-emerging-geopolitical-cyberthreats
        https://www.theregister.com/2026/03/16/cybercrime_iran_war_245_percent_rise/
      • INTERPOL Report Warns Of Increasingly Sophisticated Global Financial Fraud Threat
        "Financial fraud is now one of the world’s most severe and rapidly evolving transnational crimes, with significant economic and human consequences. The 2026 INTERPOL Global Financial Fraud Threat Assessment warns that with increased global criminal collaboration, fraud is no longer a peripheral threat, it is at the centre of polycriminality, intersecting with organized crime, human trafficking and cybercrime."
        https://www.interpol.int/News-and-Events/News/2026/INTERPOL-report-warns-of-increasingly-sophisticated-global-financial-fraud-threat
        https://www.interpol.int/content/download/24291/file/INTERPOL Global Financial Fraud Threat Assessment 2026.pdf
        https://www.theregister.com/2026/03/16/interpol_ai_fraud/
      • Iranian Cyber Threat Evolution: From MBR Wipers To Identity Weaponization
        "Recent cyberattacks attributed to Iranian threat actors extend beyond typical network disruption. Rather than an isolated incident of sabotage, this type of attack sits within a broader context defined by Iran's reliance on asymmetric retaliation and historical proxy doctrine. Iran-aligned threat actors increasingly leverage cyberspace as a strategic equalizer. For the Islamic Revolutionary Guard Corps (IRGC) and the Ministry of Intelligence and Security (MOIS), cyber operations provide a low-cost, high-impact mechanism for retaliation without crossing any geographical boundaries. In this environment, global organizations face increased cyber risk, as traditional malware deployment intersects with novel identity abuse. The shift from custom-built wiper malware to native administrative abuse removes a critical detection guardrail that historically protected enterprise networks."
        https://unit42.paloaltonetworks.com/evolution-of-iran-cyber-threats/
      • The Ransomware Economy Is Shifting Toward Straight-Up Data Extortion
        "Ransomware remains a scourge that shows some signs of relenting, but incident responders and threat hunters are busier than ever as more financially-motivated attackers lean exclusively on data theft for extortion. Attacks that only involve data theft for extortion may not be more prevalent than traditional ransomware when attackers encrypt systems, but momentum is moving in that direction, Genevieve Stark, head of cybercrime intelligence at Google Threat Intelligence Group, told CyberScoop."
        https://cyberscoop.com/google-threat-intelligence-group-ransomware-report-2026/

      References
      Electronic Transactions Development Agency (ETDA)

      Posted in Cyber Security News
      NCSA_THAICERT
    • Cyber Threat Intelligence 16 March 2026

      Financial Sector

      • February 2026 Security Issues Related To The Korean & Global Financial Sector
        "This report comprehensively covers actual cyber threats and related security issues targeting financial institutions in South Korea and abroad. It includes analysis of malware and phishing cases distributed targeting the financial sector, presents the Top 10 major malware targeting the financial sector, and provides statistics on the industry sectors of South Korean accounts leaked via Telegram. It also details cases of phishing emails distributed targeting the financial sector."
        https://asec.ahnlab.com/en/92903/

      New Tooling

      • Betterleaks, a New Open-Source Secrets Scanner To Replace Gitleaks
        "A new open-source tool called Betterleaks can scan directories, files, and git repositories and identify valid secrets using default or customized rules. Secret scanners are specialized utilities that scour repositories for sensitive information, such as credentials, API keys, private keys, and tokens, that developers accidentally committed in source code. Since threat actors often scan configuration files in public repositories for sensitive details, this type of utility can help identify secrets and protect them before attackers can find them."
        https://www.bleepingcomputer.com/news/security/betterleaks-a-new-open-source-secrets-scanner-to-replace-gitleaks/
        https://github.com/betterleaks/betterleaks

      Vulnerabilities

      • Google Fixes Two New Chrome Zero-Days Exploited In Attacks
        "Google has released emergency security updates to patch two high-severity Chrome vulnerabilities exploited in zero-day attacks. "Google is aware that exploits for both CVE-2026-3909 & CVE-2026-3910 exist in the wild," Google said in a security advisory published on Thursday. The first zero-day (CVE-2026-3909) stems from an out-of-bounds write weakness in Skia, an open-source 2D graphics library responsible for rendering web content and user interface elements, which attackers can exploit to crash the web browser or even gain code execution."
        https://www.bleepingcomputer.com/news/google/google-fixes-two-new-chrome-zero-days-exploited-in-attacks/
        https://thehackernews.com/2026/03/google-fixes-two-chrome-zero-days.html
        https://www.securityweek.com/chrome-146-update-patches-two-exploited-zero-days/
        https://securityaffairs.com/189373/hacking/google-fixed-two-new-actively-exploited-flaws-in-the-chrome-browser.html
        https://www.malwarebytes.com/blog/news/2026/03/google-patches-two-chrome-zero-days-under-active-attack-update-now
        https://www.theregister.com/2026/03/13/google_zeroday_chrome_update/
      • CrackArmor: Critical AppArmor Flaws Enable Local Privilege Escalation To Root
        "Qualys TRU has discovered confused deputy vulnerabilities in AppArmor (named “CrackArmor”) that allow unprivileged users to bypass kernel protections, escalate to root, and break container isolation. The flaw has existed since 2017, and affected over 12.6 million systems globally. Immediate kernel patching is recommended to neutralize these vulnerabilities."
        https://blog.qualys.com/vulnerabilities-threat-research/2026/03/12/crackarmor-critical-apparmor-flaws-enable-local-privilege-escalation-to-root
        https://thehackernews.com/2026/03/nine-crackarmor-flaws-in-linux-apparmor.html
        https://hackread.com/crackarmor-vulnerability-apparmor-linux-systems/
      • CISA Adds Two Known Exploited Vulnerabilities To Catalog
        "CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
        CVE-2026-3909 Google Skia Out-of-Bounds Write Vulnerability
        CVE-2026-3910 Google Chromium V8 Unspecified Vulnerability"
        https://www.cisa.gov/news-events/alerts/2026/03/13/cisa-adds-two-known-exploited-vulnerabilities-catalog
        https://securityaffairs.com/189411/security/u-s-cisa-adds-google-chrome-flaws-to-its-known-exploited-vulnerabilities-catalog.html
      • Microsoft Releases Windows 11 OOB Hotpatch To Fix RRAS RCE Flaw
        "Microsoft has released an out-of-band (OOB) update to fix a security vulnerability affecting Windows 11 Enterprise devices that receive hotpatch updates instead of the regular Patch Tuesday cumulative updates. The KB5084597 hotpatch update was released yesterday to fix vulnerabilities in the Windows Routing and Remote Access Service (RRAS) management tool that could allow remote code execution when connecting to a malicious server. "Microsoft has identified a security issue in the Windows Routing and Remote Access Service (RRAS) management tool that could allow remote code execution when connecting to a malicious server," reads an advisory from Microsoft."
        https://www.bleepingcomputer.com/news/microsoft/microsoft-releases-windows-11-oob-hotpatch-to-fix-rras-rce-flaw/

      Malware

      • Poland's Nuclear Research Centre Targeted By Cyberattack
        "Poland’s National Centre for Nuclear Research (NCBJ) says hackers targeted its IT infrastructure, but the attack was detected and blocked before causing any impact. In a statement this week, the organization announced that its security systems and internal procedures, designed to detect threats early, prevented the compromise and allowed its IT staff to quickly secure targeted systems. “Thanks to the rapid and effective actions of security systems and procedures in the event of such an incident, as well as the quick response of our teams, the attack was thwarted, and the integrity of the systems was not compromised," the NCBJ says."
        https://www.bleepingcomputer.com/news/security/polands-nuclear-research-centre-targeted-by-cyberattack/
        https://securityaffairs.com/189399/security/hackers-targeted-polands-national-centre-for-nuclear-research.html
      • Storm-2561 Uses SEO Poisoning To Distribute Fake VPN Clients For Credential Theft
        "In mid-January 2026, Microsoft Defender Experts identified a credential theft campaign that uses fake virtual private network (VPN) clients distributed through search engine optimization (SEO) poisoning. The campaign redirects users searching for legitimate enterprise software to malicious ZIP files on attacker-controlled websites to deploy digitally signed trojans that masquerade as trusted VPN clients while harvesting VPN credentials. Microsoft Threat Intelligence attributes this activity to the cybercriminal threat actor Storm-2561."
        https://www.microsoft.com/en-us/security/blog/2026/03/12/storm-2561-uses-seo-poisoning-to-distribute-fake-vpn-clients-for-credential-theft/
        https://www.bleepingcomputer.com/news/security/fake-enterprise-vpn-downloads-used-to-steal-company-credentials/
        https://thehackernews.com/2026/03/storm-2561-spreads-trojan-vpn-clients.html
        https://www.theregister.com/2026/03/13/vpn_clients_spoofed/
        https://securityaffairs.com/189426/cyber-crime/storm-2561-lures-victims-to-spoofed-vpn-sites-to-harvest-corporate-logins.html
      • Attackers Impersonate Temu In ClickFix $Temu Airdrop Scam
        "A Temu spokesperson contacted us to say: “Temu has not issued any cryptocurrency, token, or digital asset—including any so-called “Temu Coin.” Any airdrop, wallet claim, or cryptocurrency offer purporting to be from Temu is fraudulent and has no connection to our company.” We’ve covered ClickFix campaigns before: the fake CAPTCHAs, the fake Windows updates, the trick of getting victims to paste malicious commands into their own machines. Now we’ve identified a campaign that uses the opening initial steps seen in ClickFix attacks, but what happens after is different enough to warrant a closer look."
        https://www.malwarebytes.com/blog/threat-intel/2026/03/fake-temu-coin-airdrop-uses-clickfix-trick-to-install-stealthy-malware
      • Investigating a New Click-Fix Variant
        "Atos Researchers identified a new variant of the popular ClickFix technique, where attackers convince the user to execute a malicious command on their own device through the Win + R shortcut. In this variation, a “net use” command is used to map a network drive from an external server, after which a “.cmd” batch file hosted on that drive is executed. The script downloads a ZIP archive, unpacks it, and executes the legitimate WorkFlowy application with modified, malicious logic hidden inside an “.asar” archive. This acts as a C2 beacon and a dropper for the final malware payload."
        https://thehackernews.com/2026/03/investigating-new-click-fix-variant.html
      • Glassworm Is Back: A New Wave Of Invisible Unicode Attacks Hits Hundreds Of Repositories
        "The invisible threat we've been tracking for nearly a year is back. While the PolinRider campaign has been making headlines for compromising hundreds of GitHub repositories, we are separately seeing a new wave of Glassworm activity hitting GitHub, npm, and VS Code. In October last year, we wrote about how hidden Unicode characters were being used to compromise GitHub repositories, tracing the technique back to a threat actor named Glassworm. This month, the same actor is back, and among the affected repositories are some notable names: a repo from Wasmer, Reworm, and opencode-bench from anomalyco, the organization behind OpenCode and SST."
        https://www.aikido.dev/blog/glassworm-returns-unicode-attack-github-npm-vscode
      • Hijacked At The Source: A Trusted Marketing AppsFlyer’s SDK Distributes a Crypto Stealer
        "On 9 March 2026, following requests from our customers, Profero began investigating a possible compromise lead of the AppsFlyer SDK. AppsFlyer is a widely used mobile attribution and marketing analytics platform integrated into thousands of mobile applications, making it a high-value target in third-party supply chain attacks due to its deep SDK-level access to sensitive user and device data across client environments. During the investigation, Profero IRT confirmed the presence of obfuscated attacker-controlled JavaScript being delivered to users visiting websites and applications that loaded the AppsFlyer SDK, consistent with a browser-based cryptocurrency hijacker."
        https://profero.io/blog/hijacked-at-the-source-a-trusted-marketing-appsflyers-sdk-distributes-a-crypto-stealer
        https://www.bleepingcomputer.com/news/security/appsflyer-web-sdk-used-to-spread-crypto-stealer-javascript-code/
      • 72 Malicious Open VSX Extensions Linked To GlassWorm Campaign Now Using Transitive Dependencies
        "GlassWorm has not re-emerged so much as evolved, and our latest analysis shows a significant escalation in how it spreads through Open VSX. Instead of requiring every malicious listing to embed the loader directly, the threat actor is now abusing extensionPack and extensionDependencies to turn initially standalone-looking extensions into transitive delivery vehicles in later updates, allowing a benign-appearing package to begin pulling a separate GlassWorm-linked extension only after trust has already been established."
        https://socket.dev/blog/open-vsx-transitive-glassworm-campaign
        https://thehackernews.com/2026/03/glassworm-supply-chain-attack-abuses-72.html

      Breaches/Hacks/Leaks

      • Starbucks Discloses Data Breach Affecting Hundreds Of Employees
        "Starbucks has disclosed a data breach affecting hundreds of employees after threat actors gained access to their Starbucks Partner Central accounts. As the world's largest coffeehouse chain, Starbucks has over 380,000 employees (also known as partners) and operates nearly 41,000 locations across 88 countries. In data breach notification letters filed with Maine's Attorney General and sent to affected employees on Tuesday, the company says that it discovered the incident on February 6."
        https://www.bleepingcomputer.com/news/security/starbucks-discloses-data-breach-affecting-hundreds-of-employees/
        https://www.securityweek.com/starbucks-data-breach-impacts-employees/
        https://securityaffairs.com/189438/security/starbucks-data-breach-impacts-889-employees.html
      • Payload Ransomware Claims The Hack Of Royal Bahrain Hospital
        "The Payload Ransomware group claims to have hacked the Royal Bahrain Hospital (RBH) and stolen 110 GB of data. The ransomware gang added the healthcare facility to its Tor data leak site and published the images of allegedly hacked systems as proof of the attack. The group is threatening to release the stolen data if the ransom is not paid by March 23."
        https://securityaffairs.com/189467/cyber-crime/payload-ransomware-claims-the-hack-of-royal-bahrain-hospital.html

      General News

      • FBI Seeks Victims Of Steam Games Used To Spread Malware
        "The FBI is asking gamers who installed Steam titles containing malware to provide information as part of an ongoing investigation into eight malicious games uploaded to the gaming platform. In a notice published today by the FBI's Seattle Division, the agency said it is attempting to identify individuals who were affected after installing one of the malicious games on Steam between May 2024 and January 2026. "The FBI's Seattle Division is seeking to identify potential victims installing Steam games embedded with malware. The FBI believes the threat actor primarily targeted users between the timeframe of May 2024 and January 2026," reads the notice."
        https://www.bleepingcomputer.com/news/security/fbi-seeks-victims-of-steam-games-used-to-spread-malware/
      • 45,000 Malicious IP Addresses Taken Down In International Cyber Operation
        "An international cybercrime operation targeting phishing, malware and ransomware has taken down more than 45,000 malicious IP addresses and servers. Law enforcement from 72 countries and territories took part in Operation Synergia III (18 July 2025 – 31 January 2026), coordinated by INTERPOL. The operation led to the arrest of 94 people, with another 110 individuals still under investigation. During the operation, INTERPOL transformed data into actionable intelligence, facilitated cross-border collaboration, and provided tactical operational assistance to member countries. Preliminary investigations led to a series of coordinated actions by national authorities, including raids on key locations and the disruption of malicious cyber activities. In total 212 electronic devices and servers were seized."
        https://www.interpol.int/News-and-Events/News/2026/45-000-malicious-IP-addresses-taken-down-in-international-cyber-operation
        https://www.bleepingcomputer.com/news/security/police-sinkholes-45-000-ip-addresses-in-cybercrime-crackdown/
        https://thehackernews.com/2026/03/interpol-dismantles-45000-malicious-ips.html
        https://www.infosecurity-magazine.com/news/interpol-operation-synergia3-94/
        https://hackread.com/interpol-operation-synergia-iii-malicious-ip-94-arrest/
        https://www.theregister.com/2026/03/13/interpol_operation_synergia/
        https://securityaffairs.com/189420/cyber-crime/interpol-operation-synergia-iii-leads-to-45000-malicious-ips-dismantled-and-94-arrests-worldwide.html
      • When Liability Turns The CISO Into The Fall Guy
        "The era of the technical specialist is fading. In its place stands a legally exposed executive whose concern is no longer just a system breach but potential personal indictment. Twenty years ago, the cybersecurity remit was defined by network integrity and resilience. Today, it is increasingly defined by the fine print of directors and officers, or D&O, insurance policies and the exact wording of board minutes."
        https://www.bankinfosecurity.com/blogs/when-liability-turns-ciso-into-fall-guy-p-4065
      • A Guy Who Wrote The Code Died In 2005. I Still Have To Secure It
        "If you walk the expo floors at any of the Black Hat or RSAC Conferences, the industry tells you the future is here. It's all quantum-resilient encryption, AI-driven security operations centers, and cloud-native architectures. Then, I go back to my day job. With over 20 years of experience spanning federal government, private manufacturing, and enterprise security, I've seen the industry from every angle. In my current dual roles —advising Fortune 100s as a field CISO and protecting a major US city as a sitting practitioner — I spend half my time discussing the "cutting edge," and the other half defending the "rusting edge.""
        https://www.darkreading.com/cyber-risk/a-guy-who-wrote-code-died-in-2005-i-still-must-secure-it
      • Why Post-Quantum Cryptography Can't Wait
        "Somewhere in the world right now, a cybercriminal is trying to steal your organization's encrypted data. They can't read it yet, but the technology needed to do so is rapidly approaching. When ready, that technology will allow criminals to break even the most stringent traditional protections in a matter of minutes. This type of attack is part of a new "harvest-now, decrypt-later" approach, and it represents one of the most insidious threats facing organizations today. Unlike traditional cyberattacks, which cause immediate and visible damage, these attacks are invisible."
        https://www.darkreading.com/cyber-risk/why-post-quantum-cryptography-cant-wait
      • Cyberattackers Don't Care About Good Causes
        "Nonprofits work to provide free or reduced cost aid, education, and essential resources throughout communities worldwide, but they often struggle to meet their own needs, particularly when it comes to cybersecurity. While they're busy helping others, who's there to help them address increasingly dangerous security gaps? Experts gathered for an exclusive Dark Reading roundtable agree that approaches need to shift. Better incident reporting, technologies, training, and attention are among the measures needed to face a rising threat, they said, yet are skeptical that nonprofits have the resources to build those defenses."
        https://www.darkreading.com/cyber-risk/cyberattackers-dont-care-about-good-causes
        https://www.darkreading.com/threat-intelligence/data-gap-why-nonprofit-cyber-incidents-go-underreported
      • Fake PoCs, Misunderstood Risks Cause Cisco SD-WAN Chaos
        "Amid a stream of new vulnerabilities in Cisco's Catalyst SD-WAN Manager, some researchers are arguing that organizations have misplaced their focus, hyperfixating on one critical vulnerability with a lot of noise around it, but overlooking another, quieter bug that's just as serious. On Feb. 25, Cisco publicly disclosed half a dozen newfound bugs in its Software-Defined Wide Area Network (SD-WAN) management product. At least three have been exploited in the wild. One, CVE-2026-20127, in addition to earning the highest possible 10 out of 10 score in the Common Vulnerability Scoring System (CVSS), appears to have been exploited as a zero-day by one threat actor for at least three years."
        https://www.darkreading.com/vulnerabilities-threats/fake-pocs-risks-cisco-sd-wan
      • Will AI Save Consumers From Smartphone-Based Phishing Attacks?
        "Phishing attacks continue to dominate as the most prevalent smartphone security issue, according to the latest findings from the Omdia 2025 Omdia Mobile Device Security Consumer Survey. The report highlights that 27% of consumers experienced phishing scams, making it the most common type of incident, followed closely by malware or viruses, at 26%. Despite best efforts, Omdia's testing reveals sophisticated phishing attacks bypass most on-device protection — making it even more prevalent that users stay vigilant."
        https://www.darkreading.com/mobile-security/will-ai-save-consumers-smartphone-phishing-attacks
      • Six Supply Chain Attack Groups To Watch Out For In 2026
        "Supply chain attacks have been in the spotlight since at least 2015, when weaponized versions of Apple’s XCode development tool silently infected over 4,000 iOS apps and reached 128 million users. A decade later, however, the conversation has shifted from “Could this happen again?” to “Who was hit this week?”. So, what changed? The attack surface exploded. Even back in 2020, when the infamous SolarWinds attack occurred, organizations were already deeply interconnected, but the scale has grown dramatically since then. Today, the average enterprise depends on dozens of SaaS platforms, hundreds of open-source packages, and several managed service providers."
        https://www.group-ib.com/blog/supply-chain-attack-groups-2026/
      • AI Coding Agents Keep Repeating Decade-Old Security Mistakes
        "Coding agents are now writing production features on real development teams, and a new report from DryRun Security shows that those agents introduce security vulnerabilities at a high rate across nearly every type of application they build. “AI coding agents can produce working software at incredible speed, but security isn’t part of their default thinking,” said James Wickett, CEO of DryRun Security. “In our usage and experience, AI coding agents often missed adding security components or created authentication logic flaws. These mistakes and gaps are exactly where attackers win.”"
        https://www.helpnetsecurity.com/2026/03/13/claude-code-openai-codex-google-gemini-ai-coding-agent-security/
      • Iran-Linked Hackers Take Aim At US And Other Targets, Raising Risk Of Cyberattacks During War
        "Pro-Iranian hackers are targeting sites in the Middle East and starting to stretch into the United States during the war, raising the risk of American defense contractors, power stations and water plants being swept into a wave of digital chaos that could expand if Tehran’s allies join the fray. Hackers supporting Iran claimed responsibility for a significant cyberattack Wednesday against U.S. medical device company Stryker. Since the war began Feb. 28, they also have tried to penetrate cameras in Middle Eastern countries to improve Iran’s missile targeting. They have targeted data centers in the region, as well as industrial facilities in Israel, a school in Saudi Arabia and an airport in Kuwait."
        https://www.securityweek.com/iran-linked-hackers-take-aim-at-us-and-other-targets-raising-risk-of-cyberattacks-during-war/
      • February 2026 APT Group Trends Report
        "Among the activities of APT groups in February 2026, attacks by APT28, Lotus Blossom, TA-RedAnt (APT37), UAT-8616, UNC3886, and UNC6201 were particularly prominent. Lotus Blossom exploited the Notepad++ supply chain infrastructure to inject malicious executables into legitimate update processes, combining DLL sideloading with multi-stage loaders to deploy the Chrysalis backdoor and Cobalt Strike Beacon."
        https://asec.ahnlab.com/en/92906/
      • February 2026 Infostealer Trend Report
        "This report provides statistics, trends, and case information regarding the no. of malware distribution cases, distribution methods, and disguise techniques for Infostealer collected and analyzed during the month of February 2026. Below is a summary of the report’s original content."
        https://asec.ahnlab.com/en/92902/
      • February 2026 Phishing Email Trends Report
        "This report provides statistics, trends, and case information regarding the distribution volume and attachment threats of phishing emails collected and analyzed during the month of February 2026. The report below contains some statistical data and cases included in the original content."
        https://asec.ahnlab.com/en/92907/

      References
      Electronic Transactions Development Agency (ETDA)

      Posted in Cyber Security News
      NCSA_THAICERT
    • Warning: “CrackArmor” vulnerabilities in AppArmor may let attackers escalate privileges to root

      The National Computer Security Coordination Centre (ThaiCERT), while monitoring cyber threat news, has found a report of the CrackArmor vulnerabilities in the AppArmor security system on Linux.
      These vulnerabilities give an attacker the opportunity to escalate their system access to root, leaving the system at risk of being attacked and taken over [1]

      1. Incident details
        Security researchers at Qualys (Qualys Threat Research Unit – TRU) discovered nine security vulnerabilities in the Linux access-control mechanism known as AppArmor; the set has been named “CrackArmor”. The vulnerabilities affect Linux systems that use AppArmor to confine what programs may access, such as Ubuntu, Debian and SUSE Linux Enterprise, and may allow the system's privilege-restriction mechanism to be bypassed, putting system security at risk.

      2. Attack behaviour [2]
        CrackArmor relies on a technique known as a “Confused Deputy Attack”, in which a highly privileged process is tricked into performing actions on behalf of a low-privileged attacker. The attack behaviour is as follows:

      • The attacker has local user-level access to the system
      • The attacker takes advantage of flaws in how AppArmor profiles are handled
      • Profiles are modified or loaded through pseudo-files within the system
      • Highly privileged tools such as sudo, su, or other privileged processes may be made to act on the attacker's behalf
      • On success, the attacker escalates privileges to root or evades AppArmor's controls
      3. Impact [3]
      • An attacker can escalate from an ordinary user to root
      • AppArmor protections can be bypassed
      • A container escape may become possible
      • The system's security policies can be modified
      • This can lead to unauthorised code execution or full control of the system

      In some cases it may also cause a Denial-of-Service (DoS) or leak data from memory.

      4. Prevention and risk reduction
      • Apply security patches by installing the Linux kernel security updates from the operating system vendor immediately
      • Restrict user privileges within the system; avoid granting unnecessary privileges and keeping unnecessary accounts
      • Monitor for activity related to modification of AppArmor profiles
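The third mitigation, watching for AppArmor profile changes, can start from the kernel's own AppArmor audit messages, which record every profile load, replace and remove as a `STATUS` event. The following is an added example (not code from ThaiCERT, Qualys or the AppArmor project) that parses such lines and flags policy changes that did not come from the expected loader. It assumes the kernel's `key="value"` AppArmor audit format; the log lines and the loader allowlist are constructed for the example and are not from the advisory.

```python
"""Flag AppArmor policy changes in kernel audit messages.

Added example (not from ThaiCERT or Qualys): parses the kernel's AppArmor
"STATUS" audit lines and reports every profile load/replace/remove, marking
those that did not come from the expected loader as high severity. The
message format assumed here is the kernel's key="value" AppArmor audit
format; the log lines and the loader allowlist are constructed.
"""
import re
from typing import Dict, List, Set

# key="quoted value" or key=bare-token, as emitted in AppArmor audit messages
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Operations that change loaded policy rather than enforce it
POLICY_OPS = {"profile_load", "profile_replace", "profile_remove"}

# Constructed allowlist: on a typical host only apparmor_parser loads policy
EXPECTED_LOADERS: Set[str] = {"apparmor_parser"}


def parse_apparmor_line(line: str) -> Dict[str, str]:
    """Turn one audit line into a dict of its key=value fields."""
    fields: Dict[str, str] = {}
    for key, quoted, bare in _KV.findall(line):
        fields[key] = bare if bare else quoted
    return fields


def policy_change_findings(log_text: str,
                           expected_loaders: Set[str] = EXPECTED_LOADERS) -> List[Dict[str, str]]:
    """Return one finding per policy-changing STATUS event in the log."""
    findings: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        f = parse_apparmor_line(line)
        if f.get("apparmor") != "STATUS" or f.get("operation") not in POLICY_OPS:
            continue  # enforcement events (ALLOWED/DENIED) are not policy changes
        comm = f.get("comm", "?")
        findings.append({
            "operation": f["operation"],
            "name": f.get("name", "?"),   # profile being loaded/replaced/removed
            "pid": f.get("pid", "?"),
            "comm": comm,
            # policy edits from anything but the expected loader deserve review
            "severity": "info" if comm in expected_loaders else "high",
        })
    return findings


# Constructed sample: a normal boot-time load, an enforcement denial, and two
# policy changes performed by processes that should never touch policy.
SAMPLE_LOG = """\
audit: type=1400 audit(1710000000.101:11): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/sbin/nginx" pid=412 comm="apparmor_parser"
audit: type=1400 audit(1710000000.102:12): apparmor="DENIED" operation="open" profile="/usr/sbin/nginx" name="/etc/shadow" pid=913 comm="nginx" requested_mask="r" denied_mask="r" fsuid=33 ouid=0
audit: type=1400 audit(1710000000.103:13): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/nginx" pid=2048 comm="sh"
audit: type=1400 audit(1710000000.104:14): apparmor="STATUS" operation="profile_remove" profile="unconfined" name="docker-default" pid=2049 comm="python3"
"""

if __name__ == "__main__":
    for x in policy_change_findings(SAMPLE_LOG):
        print(f"[{x['severity']}] {x['operation']} {x['name']} by {x['comm']} (pid {x['pid']})")
```

In practice the input would be `journalctl -k` or `/var/log/audit/audit.log` output, and the allowlist should be tuned to the host: distributions reload policy through `apparmor_parser` during boot and package upgrades, so a load from an interactive shell or a scripting runtime is the signal worth escalating.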

      References
      [1] https://dg.th/uv0lc38zwd
      [2] https://dg.th/j5kd927lhg
      [3] https://dg.th/sim9zatlky


      Posted in Cyber Security News
      NCSA_THAICERT
    • Storm-2561 uses SEO poisoning to trick users into downloading fake VPN clients and steal corporate accounts

      Follow the news on the webboard or the NCSA Thailand Facebook page

      Posted in Cyber Security News
      NCSA_THAICERT
    • INTERPOL Operation Synergia III dismantles cybercrime infrastructure, 94 suspects arrested worldwide

      Follow the news on the webboard or the NCSA Thailand Facebook page

      Posted in Cyber Security News
      NCSA_THAICERT
    • Warning for OpenClaw users: AI agent vulnerability risks system compromise and data theft via prompt injection

      Follow the news on the webboard or the NCSA Thailand Facebook page

      Posted in Cyber Security News
      NCSA_THAICERT
    • Urgent: Fortinet releases patches for security vulnerabilities in multiple products

      🚨 Urgent: Fortinet has released patches for security vulnerabilities in multiple products; users are asked to update immediately
      The National Computer Security Coordination Centre (ThaiCERT) has been monitoring security vulnerabilities detected in products of Fortinet, whose network security appliances and software are used by many organisations. The vendor has published security advisories covering several vulnerabilities.

      1. Vulnerability details [1]
        Fortinet has published security advisories for several vulnerabilities in its products that could lead to the execution of malicious commands on a system or to privilege escalation. The key vulnerabilities are:
        CVE-2026-22627 (CVSS v3.1: 8.8) – a flaw in Link Layer Discovery Protocol (LLDP) processing that may allow an unauthenticated attacker on an adjacent network to send specially crafted LLDP packets to execute unauthorised code or commands on the device [2]
        CVE-2026-24017 (CVSS v3.1: 8.1) – an Authentication Rate-Limit Bypass flaw that may allow an unauthenticated attacker to bypass the limit on authentication attempts via specially crafted requests [3]
        CVE-2025-54820 (CVSS v3.1: 8.1) – a Command Injection flaw that may allow an unauthenticated attacker to execute unauthorised commands on the system via specially crafted requests, if the relevant service is enabled [4]
        CVE-2026-24018 (CVSS v3.1: 7.8) – a Privilege Escalation flaw that may allow a local unprivileged user to escalate their privileges to root [5]

      2. Attack characteristics
        If an attacker successfully exploits these vulnerabilities, the organisation's systems may be exposed to risks such as:

      • An attacker executing unauthorised commands or code on the device
      • An attacker bypassing the limit on authentication attempts
      • An attacker running commands on the system via specially crafted requests
      • A low-privileged local user escalating privileges to root
      3. Affected products
        The vulnerabilities affect the following Fortinet products:
        CVE-2026-22627
      • FortiSwitchAXFixed 1.0.0 – 1.0.1
        CVE-2026-24017
      • FortiWeb 8.0.0 – 8.0.2
      • FortiWeb 7.6.0 – 7.6.5
      • FortiWeb 7.4.0 – 7.4.10
      • FortiWeb 7.2.0 – 7.2.11
      • FortiWeb 7.0.0 – 7.0.11
        CVE-2025-54820
      • FortiManager 7.4.0 – 7.4.2
      • FortiManager 7.2.0 – 7.2.10
      • FortiManager 6.4, all versions
        CVE-2026-24018
      • FortiClientLinux 7.4.0 – 7.4.4
      • FortiClientLinux 7.2.2 – 7.2.12
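Checking an inventory against ranges like the ones above is error-prone by hand, because builds such as 7.4.10 sort after 7.4.2 only when versions are compared numerically rather than as strings, and one entry (FortiManager 6.4) names a whole branch rather than a bounded range. The following is an added example (not code from ThaiCERT, CSA or Fortinet) that encodes the ranges listed in this advisory and reports which CVEs apply to each deployed build; the inventory it runs over is constructed, and the product names are used exactly as the advisory lists them.

```python
"""Triage helper for the affected-version ranges listed in this advisory.

Added example (not from ThaiCERT, CSA or Fortinet): given an inventory of
product/version pairs, report which CVEs from the advisory apply. The
version ranges are copied from section 3 of the advisory; the inventory is
constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def parse_version(text: str) -> Tuple[int, ...]:
    """'7.4.10' -> (7, 4, 10); rejects anything that is not dotted digits."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


@dataclass(frozen=True)
class AffectedRange:
    product: str
    cve: str
    low: str             # inclusive lower bound, or a branch such as "6.4"
    high: Optional[str]  # inclusive upper bound; None = every release of `low`

    def contains(self, product: str, version: str) -> bool:
        if product.lower() != self.product.lower():
            return False
        v = parse_version(version)
        lo = parse_version(self.low)
        if self.high is None:
            # "all versions of 6.4": compare only the branch prefix
            return v[: len(lo)] == lo
        return lo <= v <= parse_version(self.high)


# Affected ranges exactly as listed in section 3 of the advisory.
AFFECTED: List[AffectedRange] = [
    AffectedRange("FortiSwitchAXFixed", "CVE-2026-22627", "1.0.0", "1.0.1"),
    AffectedRange("FortiWeb", "CVE-2026-24017", "8.0.0", "8.0.2"),
    AffectedRange("FortiWeb", "CVE-2026-24017", "7.6.0", "7.6.5"),
    AffectedRange("FortiWeb", "CVE-2026-24017", "7.4.0", "7.4.10"),
    AffectedRange("FortiWeb", "CVE-2026-24017", "7.2.0", "7.2.11"),
    AffectedRange("FortiWeb", "CVE-2026-24017", "7.0.0", "7.0.11"),
    AffectedRange("FortiManager", "CVE-2025-54820", "7.4.0", "7.4.2"),
    AffectedRange("FortiManager", "CVE-2025-54820", "7.2.0", "7.2.10"),
    AffectedRange("FortiManager", "CVE-2025-54820", "6.4", None),
    AffectedRange("FortiClientLinux", "CVE-2026-24018", "7.4.0", "7.4.4"),
    AffectedRange("FortiClientLinux", "CVE-2026-24018", "7.2.2", "7.2.12"),
]


def applicable_cves(product: str, version: str) -> List[str]:
    """CVEs from the advisory that apply to one deployed build (sorted, unique)."""
    return sorted({r.cve for r in AFFECTED if r.contains(product, version)})


def triage(inventory: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Map 'Product version' -> applicable CVEs; builds with none are omitted."""
    report: Dict[str, List[str]] = {}
    for product, version in inventory:
        cves = applicable_cves(product, version)
        if cves:
            report[f"{product} {version}"] = cves
    return report


# Constructed inventory for the example; these are not real hosts.
SAMPLE_INVENTORY = [
    ("FortiWeb", "7.4.10"),         # last affected build of the 7.4 branch
    ("FortiWeb", "7.4.11"),         # just outside the listed range
    ("FortiManager", "6.4.15"),     # the whole 6.4 branch is listed
    ("FortiManager", "7.4.3"),      # above 7.4.2
    ("FortiClientLinux", "7.2.1"),  # below the 7.2.2 lower bound
    ("FortiClientLinux", "7.2.12"),
]

if __name__ == "__main__":
    for host, cves in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {', '.join(cves)}")
```

The advisory's "all versions" entry is modelled as a prefix match on the branch, and a build whose version string cannot be parsed raises rather than silently passing as unaffected; both are the behaviours one wants from a script that decides what gets patched first.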
      4. Remediation guidance for administrators [6]
        Administrators should take the following actions:
        4.1 Update the Fortinet products in use to the latest versions for which the vendor has released fixes, as soon as possible
        4.2 Review and restrict the privileges of user accounts on the system, especially highly privileged accounts
        4.3 Restrict access to the devices from external networks and allow only the sources that are necessary
        4.4 Monitor and review the logs of systems and network devices for unusual behaviour that may indicate attempts to exploit the vulnerabilities

      5. Additional recommendations
        Once vulnerability details and patches are public, attackers may try to develop tools to attack systems that have not yet been updated. Administrators should therefore update as soon as possible, and check and monitor the organisation's network devices regularly.
        📢 ThaiCERT urges organisations using Fortinet products to verify and apply the patches immediately, to prevent the risk of attacks and unauthorised access to their systems.

      References
      [1] https://www.csa.gov.sg/alerts-and-advisories/alerts/al-2026-024/
      [2] https://nvd.nist.gov/vuln/detail/CVE-2026-22627
      [3] https://nvd.nist.gov/vuln/detail/CVE-2026-24017
      [4] https://nvd.nist.gov/vuln/detail/CVE-2025-54820
      [5] https://nvd.nist.gov/vuln/detail/CVE-2026-24018
      [6] https://cybersecuritynews.com/fortinet-security-update-march/


      Posted in Cyber Security News
      NCSA_THAICERT