ศูนย์ประสานการรักษาความมั่นคงปลอดภัยระบบคอมพิวเตอร์แห่งชาติ (ThaiCERT) ได้ติดตามสถานการณ์ข้อมูลข่าวสารเกี่ยวกับภัยคุกคามทางไซเบอร์ใน Ubiquiti UniFi Network Application ซึ่งอาจถูกใช้เป็นช่องทางในการโจมตีระบบหรือยกระดับสิทธิ์ของผู้โจมตีได้ จึงขอแจ้งเตือนผู้ดูแลระบบที่เกี่ยวข้องให้เร่งดำเนินการตรวจสอบและแก้ไขโดยเร็วที่สุด

1. รายละเอียดช่องโหว่
   Ubiquiti ได้เผยแพร่ประกาศด้านความปลอดภัย (Security Advisory Bulletin 062) [1] เกี่ยวกับช่องโหว่ใน Ubiquiti UniFi Network Application โดยมีรายละเอียดดังนี้
   1.1 ช่องโหว่ประเภท Path Traversal ที่หมายเลข CVE-2026-22557 (คะแนน CVSSv3.1: 10.0) [2] ผู้โจมตีสามารถใช้ช่องโหว่นี้เพื่อเข้าถึงไฟล์ภายในระบบได้โดยไม่ได้รับอนุญาต ซึ่งอาจนำไปสู่การเปิดเผยข้อมูลสำคัญ หรือถูกนำไปใช้เพื่อยึดครองบัญชีผู้ใช้งานและระบบได้
   1.2 ช่องโหว่ประเภท Authenticated NoSQL Injection ที่หมายเลข CVE-2026-22558 (คะแนน CVSSv3.1: 7.7) [3] ผู้โจมตีที่มีสิทธิ์เข้าถึงระบบอยู่แล้ว สามารถใช้ช่องโหว่นี้ในการส่งคำสั่งที่เป็นอันตรายผ่านฐานข้อมูล เพื่อยกระดับสิทธิ์ (Privilege Escalation) และเข้าถึงทรัพยากรที่ไม่ได้รับอนุญาต

2. ผลิตภัณฑ์ที่ได้รับผลกระทบ
   2.1 Official Release: UniFi Network Application เวอร์ชัน 10.1.85 และเวอร์ชันก่อนหน้า
   2.2 Release Candidate: UniFi Network Application เวอร์ชัน 10.2.93 และเวอร์ชันก่อนหน้า
   2.3 UniFi Express (UX): UniFi Network Application เวอร์ชัน 9.0.114 และเวอร์ชันก่อนหน้า

3. แนวทางการแก้ไข
   ปัจจุบันยังไม่มีวิธีแก้ไขชั่วคราว (Workaround) ที่มีประสิทธิภาพ ผู้ดูแลระบบจึงควรอัปเดต UniFi Network Application เป็นเวอร์ชันที่แก้ไขช่องโหว่แล้วทันที โดยมีรายละเอียดดังนี้
   3.1 Official Release: อัปเดต UniFi Network Application เป็นเวอร์ชัน 10.1.89 หรือใหม่กว่า
   3.2 Release Candidate: อัปเดต UniFi Network Application เป็นเวอร์ชัน 10.2.97 หรือใหม่กว่า
   3.3 UniFi Express (UX): อัปเดตเฟิร์มแวร์ UniFi Express เป็นเวอร์ชัน 4.0.13 หรือใหม่กว่า ซึ่งจะทำให้ UniFi Network Application ถูกอัปเดตเป็นเวอร์ชัน 9.0.118 หรือใหม่กว่า

4. คำแนะนำด้านความปลอดภัยเพิ่มเติม
   4.1 ตรวจสอบ Log การใช้งานย้อนหลัง เพื่อค้นหาพฤติกรรมผิดปกติหรือความพยายามโจมตี
   4.2 เฝ้าระวังการเข้าถึงระบบจากแหล่งที่ไม่น่าเชื่อถือ
   4.3 จำกัดสิทธิ์ผู้ใช้งานตามหลัก Least Privilege
   4.4 ใช้งานระบบยืนยันตัวตนหลายปัจจัย (Multi-Factor Authentication: MFA) หากรองรับ
   4.5 อัปเดตแพตช์ด้านความปลอดภัยของระบบและซอฟต์แวร์ที่เกี่ยวข้องอย่างสม่ำเสมอ
   4.6 สำรองข้อมูลสำคัญอย่างสม่ำเสมอ เพื่อรองรับกรณีเกิดเหตุการณ์ไม่พึงประสงค์

5. แหล่งอ้างอิง
   [1] https://dg.th/adm6slfevx
   [2] https://dg.th/e0lg7k23r1
   [3] https://dg.th/fy23zu0q6p

Energy Sector

• DoE Publishes 5-Year Energy Security Plan
  "Energy, especially electricity, could be described as the most critical industry – all other critical industries are fundamentally dependent on access to energy. It is essential for peoples’ daily lives (citizens), business operation (economy), and national security (the nation). As such, it is a primary target for criminals, hacktivists, and adversarial nation state actors. The office of Cybersecurity, Energy Security, and Emergency Response (CESER, part of the U.S. Department of Energy) has published a three-pronged 5-year security plan for the fiscal years 2026 to 2030. The three prongs (or goals of the plan) are to develop ‘world-class’ security technologies, to harden the US energy infrastructure, and establish emergency preparedness for response and recovery from incidents."
  https://www.securityweek.com/doe-publishes-5-year-energy-security-plan/
  https://ismg-cdn.nyc3.cdn.digitaloceanspaces.com/asset_files/external/ceser-strategic-plan2026-2030.pdf

Vulnerabilities

• PTC Warns Of Imminent Threat From Critical Windchill, FlexPLM RCE Bug
  "PTC Inc. is warning of a critical vulnerability in Windchill and FlexPLM, widely used product lifecycle management (PLM) solutions, that could allow remote code execution. The security issue, identified as CVE-2026-4681, could be leveraged through the deserialization of trusted data. Its severity has prompted emergency action from German authorities, with the federal police (BKA) reportedly sending agents to affected companies to alert them to the cybersecurity risk."
  https://www.bleepingcomputer.com/news/security/ptc-warns-of-imminent-threat-from-critical-windchill-flexplm-rce-bug/
  https://www.ptc.com/en/about/trust-center/advisory-center/active-advisories/windchill-flexplm-critical-vulnerability
  https://www.heise.de/en/news/WTF-Police-responded-on-Saturday-night-due-to-a-zero-day-11221590.html
• CVE-2026-3055: Citrix NetScaler ADC And NetScaler Gateway Out-Of-Bounds Read
  "On March 23, 2026, Citrix published a security advisory for a critical vulnerability affecting their NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway) products. This vulnerability, CVE-2026-3055, which is classified as an out-of-bounds read and holds a CVSS score of 9.3, allows unauthenticated remote attackers to leak potentially sensitive information from the appliance's memory. The Citrix advisory states that systems configured as a SAML Identity Provider (SAML IDP) are vulnerable, whereas default configurations are unaffected. This SAML IDP configuration is likely a very common configuration for organizations utilizing single sign-on. Per the advisory, organizations can determine if they have an appliance configured as a SAML IDP Profile by inspecting their NetScaler Configuration for the specified string: add authentication samlIdPProfile .*"
  https://www.rapid7.com/blog/post/etr-cve-2026-3055-citrix-netscaler-adc-and-netscaler-gateway-out-of-bounds-read/
  https://thehackernews.com/2026/03/citrix-urges-patching-critical.html
  https://www.infosecurity-magazine.com/news/citrix-patch-netscaler/
  https://www.securityweek.com/critical-citrix-netscaler-vulnerability-poised-for-exploitation-security-firms-warn/
  https://securityaffairs.com/189908/security/citrix-netscaler-critical-flaw-could-leak-data-update-now.html
  https://www.helpnetsecurity.com/2026/03/24/netscaler-adc-gateway-cve-2026-3055/
• Chrome 146 Update Patches High-Severity Vulnerabilities
  "Google on Monday announced a fresh Chrome 146 update that resolves eight high-severity memory safety vulnerabilities. First on the list is CVE-2026-4673, a heap buffer overflow issue in WebAudio that earned the reporting researcher a $7,000 bug bounty reward. The same researcher discovered and reported CVE-2026-4677, an out-of-bounds read bug in WebAudio, but Google says it has yet to determine the bounty amount to be awarded for it. In fact, the internet giant has disclosed only the amount paid for the first WebAudio flaw, but not the amounts to be handed out for the remaining vulnerabilities."
  https://www.securityweek.com/chrome-146-update-patches-high-severity-vulnerabilities/

Malware

• Checkmarx KICS Code Scanner Targeted In Widening Supply Chain Hit
  "Hard on the heels of a broad supply chain attack that impacted the Aqua Security-maintained Trivy open source security-scanner project, Checkmarx on Tuesday disclosed that attackers had compromised a version of Keeping Infrastructure as Code Secure (KICS), the open source static code analysis project that it develops and maintains. Specifically, the cybercriminals infiltrated KICS GitHub Action, which organizations use to run KICS scans within their CI/CD pipelines, and poisoned multiple versions of the software. Any organization that had its automated CI/CD pipelines configured to run the KICS GitHub Action during a four-hour window on the morning of March 23 could potentially be impacted, Checkmarx said."
  https://www.darkreading.com/application-security/checkmarx-kics-code-scanner-widening-supply-chain
  https://checkmarx.com/blog/checkmarx-security-update/
  https://thehackernews.com/2026/03/teampcp-hacks-checkmarx-github-actions.html
• TeamPCP Isn't Done: Threat Actor Behind Trivy And KICS Compromises Now Hits LiteLLM's 95 Million Monthly Downloads On PyPI
  "On March 24, 2026, Endor Labs identified that litellm versions 1.82.7 and 1.82.8 on PyPI contain malicious code not present in the upstream GitHub repository. litellm is a widely used open source library with over 95 million month downloads. It lets developers route requests across LLM providers through a single API. Both compromised versions include a backdoored file that decodes and executes a hidden payload the moment the file is imported. Version 1.82.8 goes further: it installs a .pth file that runs the payload on any Python invocation, even if litellm is never imported. Version 1.82.6 is the last known-clean release."
  https://www.endorlabs.com/learn/teampcp-isnt-done
  https://www.bleepingcomputer.com/news/security/popular-litellm-pypi-package-compromised-in-teampcp-supply-chain-attack/
  https://thehackernews.com/2026/03/teampcp-backdoors-litellm-versions.html
  https://www.theregister.com/2026/03/24/trivy_compromise_litellm/
• Someone Has Publicly Leaked An Exploit Kit That Can Hack Millions Of iPhones
  "Last week, cybersecurity researchers uncovered a hacking campaign targeting iPhone users that used an advanced hacking tool called DarkSword. Now someone has leaked a newer version of DarkSword and published it on the code-sharing site GitHub. Researchers are warning that this will allow any hacker to easily use the tools to target iPhone users running older versions of Apple’s operating systems who have not yet updated to its latest iOS 26 software. This likely affects hundreds of millions of actively used iPhones and iPads, according to Apple’s own data on out-of-date devices."
  https://techcrunch.com/2026/03/23/someone-has-publicly-leaked-an-exploit-kit-that-can-hack-millions-of-iphones/
  https://cyberscoop.com/darksword-iphone-spyware-leak-ios-18-exploit-threat/
  https://hackread.com/darksword-iphone-exploit-leaked-online/
• OpenClaw Trap: AI-Assisted Lure Factory Targets Developers & Gamers
  "Netskope Threat Labs identified a link to a malware campaign operating across at multiple GitHub repositories, spanning over 300 delivery packages, including an OpenClaw deployment, an AI developer tool lure, a Telegram-promoted phone tracker, a Fishing Planet game cheat, Roblox scripts, crypto bots, and VPN crackers—all distributing LuaJIT payloads. The lure names suggest AI-assisted generation: obscure biological taxonomy, archaic Latin, and medical terminology applied systematically at scale. Each victim is geolocated, and their desktop screenshot is sent to a server in Frankfurt. We are tracking this cluster as the TroyDen’s Lure Factory."
  https://www.netskope.com/blog/openclaw-trap-ai-assisted-lure-factory-targets-developers-gamers
  https://www.darkreading.com/application-security/github-openclaw-deployer-repo-delivers-trojan
  https://www.helpnetsecurity.com/2026/03/24/github-malware-split-payload/
• Silver Fox: The Only Tax Audit Where The Fine Print Installs Malware
  "Since early 2025, TDR has focused on tracking Silver Fox, a China-based intrusion set. Originally known for financially motivated attacks, the group has been shifting toward more sophisticated, APT-style operations since at least 2024. This dual focus reflects a broader trend observed throughout 2025, which is the increasingly blurred lines between financially motivated cybercrime operators and state-sponsored espionage. Silver Fox relies on ValleyRAT (aka Winos), which can be considered as its primary modular backdoor. Despite the leak of ValleyRAT builder in March 2025, the intrusion set continued to use it, exploiting zero-day driver plugin and using kernel-mode rootkit likely for intelligence collection. In addition, Silver Fox relies on other malicious payloads like HoldingHands, which is a variant of Gh0st RAT. Rather than replacing ValleyRAT, it appears to be deployed alongside it to achieve specific operational goals."
  https://blog.sekoia.io/silver-fox-the-only-tax-audit-where-the-fine-print-installs-malware/
  https://www.infosecurity-magazine.com/news/silver-fox-cyber-dual-espionage/
• Fake Install Logs In Npm Packages Load RAT
  "When it comes to supply chain attacks, last year was a lot for software security teams to get their heads around. There were several large scale attacks that struck npm repositories, the most impactful being Shai-hulud — the first open source package repository worm. Then there were several smaller campaigns that didn’t have as big of an impact, but were very important nonetheless. In February 2026, for example, the ReversingLabs research team documented a North Korea connected campaign we dubbed “Graphalgo.” That campaign started in May 2025, and is part of a larger fake job recruiter scheme conducted by North Korea-backed hackers and targeting crypto developers. It is ongoing, phishing developers with fake job interviews and using “coding tests” as a pretext for pushing downloaders to developers’ systems that retrieve a custom remote access trojan (RAT) as the final stage."
  https://www.reversinglabs.com/blog/npm-fake-install-logs-rat
  https://thehackernews.com/2026/03/ghost-campaign-uses-7-npm-packages-to.html
  https://www.infosecurity-magazine.com/news/npm-ghost-campaign-fake-install/
• From W-2 To BYOVD: How a Tax Search Leads To Kernel-Mode AV/EDR Kill
  "As the saying goes, only two things are guaranteed in life: death and taxes. But, with the April 15 tax filing deadline quickly approaching, there's a third guarantee that threat actors have learned to count on: millions of users searching for the same tax forms, under time pressure, trusting the first Google result they see. During retrospective threat hunting, the Huntress Tactical Response team recently uncovered a large-scale malvertising campaign that has been active since at least January 2026, targeting U.S.-based individuals searching for tax-related documents. The lures are specifically U.S. tax forms (W-2, W-9), and the fake landing pages reference IRS compliance, casting a wide net across employees, freelancers, contractors, and small businesses during filing season. The campaign abuses Google Ads to serve rogue ScreenConnect (ConnectWise Control) installers, ultimately delivering a BYOVD EDR killer that drops a kernel driver to blind security tools before further compromise. Across our customer base, we reported over 60 instances of rogue ScreenConnect sessions tied to this campaign being used as the initial access vector."
  https://www.huntress.com/blog/w2-malvertising-to-kernel-mode-edr-kill
  https://thehackernews.com/2026/03/tax-search-ads-deliver-screenconnect.html
  Analyzing FAUX#ELEVATE: Threat Actors Target France With CV Lures To Deploy Crypto Miners And Infostealers * Targeting Enterprise Environments
  "Securonix threat researchers have been tracking an ongoing campaign targeting French-speaking corporate environments through fake resumes. The campaign uses highly obfuscated VBScript file disguised as resume/CV documents, delivered through phishing emails. Once executed, the malware deploys a mutli-purpose toolkit that combines credential theft, data exfiltration, and Monero cryptocurrency mining for maximum monetization. What makes this campaign notable is the dropper’s extreme approach to evasion. Of its 224,471 lines, only 266 lines (0.12%) are actual executable code, the remainder consists entirely of junk VBS comments sourced from real English sentences. The malware also uses a domain-join gate using WMI, ensuring that payloads are only delivered on enterprise machines, and standalone home systems are excluded entirely. The campaign uses Dropbox for payload hosting, compromised Moroccan WordPress sites for C2 configuration, and mail.ru SMTP infrastructure for exfiltrating stolen browser credentials and desktop files."
  https://www.securonix.com/blog/faux-elevate-threat-actors-crypto-miners-and-infostealers/
  https://thehackernews.com/2026/03/hackers-use-fake-resumes-to-steal.html
• Stryker Says Malware Was Involved In Recent Cyberattack As Production Lines Reopen
  "The medical device firm Stryker said it is ramping production lines back up two weeks after alleged Iranian cyber actors wiped more than 200,000 company devices. The company sought to reassure customers in a notice on Monday, sharing a letter from cybersecurity firm Palo Alto Networks confirming that the hackers behind the incident have been removed from Stryker systems. Stryker officials said they are in the process of rebuilding the wiped systems or restoring them from backups predating the known window of compromise to further prevent threat actors from reentering. The impacted systems that have not been restored yet are isolated from the network."
  https://therecord.media/stryker-cyberattack-malware-iran
  https://www.securityweek.com/stryker-says-malicious-file-found-during-probe-into-iran-linked-attack/
• Threat Brief: Recruiting Scheme Impersonating Palo Alto Networks Talent Acquisition Team
  "Since August 2025, Unit 42 has tracked a series of sophisticated phishing campaigns where attackers impersonate Palo Alto Networks talent acquisition staff. These attacks specifically target senior-level professionals by leveraging scraped LinkedIn data to craft highly personalized lures. The specific attack vector uses social engineering to manufacture a bureaucratic barrier regarding the candidate’s curriculum vitae (CV) and push the candidate toward taking actions such as reformatting their resumes for a fee."
  https://unit42.paloaltonetworks.com/phishing-attackers-pose-as-panw-recruiters/
• Android Devices Ship With Firmware-Level Malware
  "In late February 2026, SophosLabs analysts identified multiple detections on Android devices for malicious activity associated with the Keenadu backdoor. According to Kaspersky, Keenadu is a firmware infection embedded in the libandroid_runtime.so (shared object library) that injects itself into the Zygote process. As Zygote is the parent process for all Android apps, an attacker effectively gains total control over an infected device. Keenadu acts as a downloader for second-stage malware modules that can be used to target the data in multiple applications. All Android apps rely on libandroid_runtime.so to run, so a copy of Keenadu is copied into the address space of every app installed on an infected device."
  https://www.sophos.com/en-us/blog/android-devices-ship-with-firmware-level-malware
• OpenClaw Developers Targeted In Crypto-Wallet Phishing Attack
  "OX Security has detected an active phishing campaign abusing the OpenClaw name and spreading through GitHub. The threat actor creates fake GitHub accounts, opens issue threads in attacker-controlled repositories, and tags dozens of GitHub developers. The posts claim that recipients have won $5,000 worth of CLAW tokens and can collect them by visiting a linked site and connecting their crypto wallet. The linked site is an almost identical clone of openclaw.ai, with one key difference: it adds a “Connect your wallet” button designed to initiate wallet theft."
  https://www.ox.security/blog/openclaw-github-phishing-crypto-wallet-attack/

Breaches/Hacks/Leaks

• Dutch Ministry Of Finance Discloses Breach Affecting Employees
  "The Dutch Ministry of Finance confirmed on Monday that some of its systems were breached in a cyberattack detected last week. Officials said the ministry was notified by a third party of the breach on March 19, and it's still investigating the cyberattack. An ongoing investigation found that the incident affects some employees. "The Ministry of Finance's ICT security detected unauthorized access to systems for a number of primary processes within the policy department on Thursday, March 19," an official statement revealed. "Following the alert, an immediate investigation was launched, and access to these systems has been blocked as of today. This affects the work of a portion of the employees.""
  https://www.bleepingcomputer.com/news/security/dutch-ministry-of-finance-discloses-breach-affecting-employees/
  https://therecord.media/netherlands-finance-ministry-cyberattack-breach
  https://securityaffairs.com/189929/data-breach/data-breach-at-dutch-ministry-of-finance-impacts-staff-following-cyberattack.html
• HackerOne Discloses Employee Data Breach After Navia Hack
  "Bug bounty platform HackerOne is notifying hundreds of employees that their data was stolen after attackers hacked Navia, one of its U.S. benefits administrators. HackerOne manages over 1,950 bug bounty programs and provides vulnerability disclosure, penetration testing, and code security services to high-profile companies like General Motors, Goldman Sachs, Anthropic, GitHub, and Uber, as well as to U.S. government agencies such as the Department of Defense. Navia is a leading consumer-focused benefits administrator serving over 10,000 employers across the United States."
  https://www.bleepingcomputer.com/news/security/hackerone-discloses-employee-data-breach-after-navia-hack/
  https://hackread.com/hackerone-mazda-infinite-campus-dutch-ministry-data-breaches/
  https://www.theregister.com/2026/03/24/hackerone_supplier_breach/
• Infinite Campus Warns Of Breach After ShinyHunters Claims Data Theft
  "Infinite Campus, a widely used K-12 student information system, is warning customers of a data breach following an extortion attempt by a threat actor. In the breach notification sent to customers, Infinite Campus states that hackers accessed an employee's Salesforce account, exposing information that was mostly publicly available. The company has not published an official statement, but customers reported the incident on various public platforms."
  https://www.bleepingcomputer.com/news/security/infinite-campus-warns-of-breach-after-shinyhunters-claims-data-theft/
• OVHcloud Founder Denies Massive 590TB Data Breach Claims
  "A major French tech firm, OVHcloud, has been forced to address claims of a massive data breach after a user on a dark web forum boasted about stealing nearly 600 terabytes of its private data. On 23 March 2026, a poster using the name Normal claimed on BreachForums that they had infiltrated the company’s server infrastructure, potentially affecting millions of websites and customers. The scale of the alleged theft is stunning. The hacker claimed to have snatched information belonging to 1.6 million OVH Fresh customers and nearly 6 million active websites. According to the post, this included everything from the internal source code and private databases of these sites to server settings for users in the EU and the US."
  https://hackread.com/ovhcloud-founder-denies-590tb-data-breach-claims/
• 3.1 Million Impacted By QualDerm Data Breach
  "Healthcare management services provider QualDerm Partners is notifying more than 3.1 million people that their personal, medical, and health insurance information was stolen in a December 2025 data breach. The incident, the company says, was discovered on December 24 and involved unauthorized access to its network for two days. During this window, the attackers exfiltrated certain information from the “limited number of systems” that they compromised, the company notes in an incident notification (PDF)."
  https://www.securityweek.com/3-1-million-impacted-by-qualderm-data-breach/
  https://securityaffairs.com/189917/data-breach/qualderm-partners-december-2025-data-breach-impacts-over-3-million-people.html
• Iran-Linked Ransomware Gang Targeted US Healthcare Org Amid Military Conflict
  "A U.S. healthcare organization was targeted in late February by an Iranian ransomware gang with ties to the country’s government, according to a new report. Incident responders at Beazley Security helped the unnamed healthcare organization deal with an attack involving the Pay2Key ransomware — a strain used by Iranian actors for a variety of purposes since 2020. Halcyon Ransomware Research Center assisted in the investigation and found several improvements in the ransomware that made it tougher to detect and more damaging."
  https://therecord.media/iran-linked-ransomware-gang-targeted-us-healthcare-org

General News

• India’s Evolving Cyber Threat Landscape: State-Sponsored Attacks, Hacktivism, And What’s Next In 2026
  "The India cyber threat landscape 2026 is no longer defined by isolated incidents or opportunistic attacks. It has become a dynamic, constantly shifting battleground shaped by geopolitical tensions, rapid digitization, and highly advanced hackers. What once looked like sporadic cybercrime has matured into a layered ecosystem of state-sponsored cyber attacks, organized ransomware groups, and a growing wave of Hacktivism in India. Recent threat intelligence observations reveal a new pattern: attackers are not only becoming more capable, but also more strategic. They are targeting supply chains, exploiting systemic weaknesses, and adapting their methods faster than most organizations can respond."
  https://cyble.com/blog/india-cyber-threat-landscape-2026-attacks-trends/
• Measuring Security Performance In Real-Time, Not Once a Quarter
  "Most organizations have invested heavily in security products over the past decade. The assumption embedded in that spending is that more tools equal better protection. Tim Nan, CEO of digiDations, says that assumption is the most persistent misconception he encounters when working with security leaders across industries. “Adversaries don’t operate on averages,” Nan says. “They only need one path that works. The issue isn’t whether your defenses work most of the time. It’s whether they ever fail in a way that can be chained into a real attack.”"
  https://www.helpnetsecurity.com/2026/03/24/tim-nan-digidations-continuous-security-validation/
• Russian Citizen Sentenced To Prison For Hacking Into U.S. Companies And Enabling Major Cybercrime Groups To Extort Tens Of Millions Of Dollars
  "A court in the Southern District of Indiana today sentenced a Russian citizen, Aleksei Volkov, to 81 months in prison for assisting major cybercrime groups, including the Yanluowang ransomware group, in carrying out numerous attacks against U.S. companies and other organizations. Volkov facilitated dozens of ransomware attacks throughout the United States, causing over $9 million in actual losses and over $24 million in intended losses. Volkov was indicted for this activity in both the Southern District of Indiana and Eastern District of Pennsylvania. Police in Rome, Italy, then arrested Volkov, and he was extradited to the United States. He pleaded guilty to charges from both indictments."
  https://www.justice.gov/opa/pr/russian-citizen-sentenced-prison-hacking-us-companies-and-enabling-major-cybercrime-groups
  https://thehackernews.com/2026/03/us-sentences-russian-hacker-to-675.html
  https://www.bleepingcomputer.com/news/security/yanluowang-ransomware-access-broker-gets-81-months-in-prison/
  https://therecord.media/hacker-russian-ransomware-sentenced-doj
  https://cyberscoop.com/aleksei-volkov-russian-initial-access-broker-sentenced-ransomware/
  https://www.infosecurity-magazine.com/news/russian-initial-access-broker/
  https://securityaffairs.com/189900/cyber-crime/81-month-sentence-for-russian-hacker-behind-major-ransomware-campaigns.html
  https://www.theregister.com/2026/03/24/russian_iab_sentenced/
  https://www.helpnetsecurity.com/2026/03/24/russian-initial-access-broker-sentenced-ransomware-attacks/
• Ransomware's New Era: Moving At AI Speed
  "Ransomware is not only growing; threat actors are accelerating the pace of their attacks by using offensive tools to exploit valid credentials and hit targets with speed and precision. The practice has undergone big changes over the past five years. Initially, attacks focused on encrypting data; now, threat actors threaten to extract it to pressure victims into paying. Double-extortion tactics quickly shifted to triple-extortion threats to expose stolen data. Threat actors also transitioned from extorting companies to contacting victims directly — whatever it takes to rake in the cash."
  https://www.darkreading.com/endpoint-security/ransomware-new-era-moving-ai-speed
  https://www.halcyon.ai/lp/2026-security-leadership-survey-report
• Gcore Radar Report Reveals 150% Surge In DDoS Attacks Year-On-Year
  "Gcore, the global infrastructure and software provider for AI, cloud, network, and security solutions, today announced the findings of its Q3-Q4 2025 Gcore Radar report DDoS attack trends. The report reveals growing attack volumes, increasingly sophisticated tactics, and changes in attack locations driven by evolving botnet infrastructure. The DDoS attack landscape is at a clear inflection point: threats are not just growing; they are accelerating and diversifying. To prevent disruption, businesses must act quickly and adopt integrated solutions capable of detecting intent, analysing behaviour, and responding to threats across multiple attack surfaces."
  https://hackread.com/gcore-radar-report-reveals-150-surge-in-ddos-attacks-year-on-year/
• Why Agentic AI Systems Need Better Governance – Lessons From OpenClaw
  "OpenClaw is an open-source platform for autonomous AI agents that you can self-host and run locally on your machine for task automation. Taking this platform to task, AI agents are now interacting with one another via an experimental social network for AI agents called Moltbook. Even an experienced AI security researcher at Meta learned that OpenClaw is not without its wild-west frontier status. An AI agent accidentally deleted her emails. This news has again put the spotlight on the nature of authority and agency granted to agentic AI systems, as well as the need for better security and governance."
  https://www.securityweek.com/why-agentic-ai-systems-need-better-governance-lessons-from-openclaw/
• Poland Faced a Surge In Cyberattacks In 2025, Including a Major Assault On The Energy Sector
  "Poland experienced 2½ times more cyberattacks in 2025 compared to the previous year, and the numbers are constantly rising, a government official said Tuesday. The attacks included a destructive infiltration of the country’s energy system in December that was believed to be unprecedented among NATO and European Union members, and was suspected of originating in Russia. Over the last year, Poland was the target of 270,000 cyberattacks, Deputy Minister of Digital Affairs Paweł Olszewski said Tuesday. “We’ve been waging a war in cyberspace for many years now,” the official said. “The number of incidents and attacks has been increasing significantly and radically year after year.”"
  https://www.securityweek.com/poland-faced-a-surge-in-cyberattacks-in-2025-including-a-major-assault-on-the-energy-sector/
• Iran Built a Vast Camera Network To Control Dissent. Israel Turned It Into a Targeting Tool
  "The role of Israel’s hijacking of Iran’s street cameras in the killing of the country’s supreme leader underscores how surveillance systems are increasingly being targeted by adversaries in wartime. Hundreds of millions of cameras have been installed above shops, in homes and on street corners across the world, many connected to the internet and poorly secured. Recent advances in artificial intelligence have enabled militaries and intelligence agencies to sift through vast amounts of surveillance footage and identify targets. On Feb. 28, Israel vividly demonstrated the potential of such systems to be hacked and used against adversaries when Israel tracked down Iranian leader Ayatollah Ali Khamenei with the help of Tehran’s own street cameras – despite repeated warnings that Iran’s surveillance systems had been compromised, according to interviews and an Associated Press review of leaked data, public statements and news reports."
  https://www.securityweek.com/iran-built-a-vast-camera-network-to-control-dissent-israel-turned-it-into-a-targeting-tool/
• Enterprise Cybersecurity Software Fails 20% Of The Time, Warns Absolute Security
  "Endpoint cybersecurity software fails to protect one in five enterprise devices, leaving organizations vulnerable to cyber threats, research by Absolute Security has warned. This protection gap means that organizations face the equivalent of 76 days a year in which they’re providing cybercriminals which increased access to their network, potentially leading to data breaches and downtime. The findings come from Absolute Security’s 2026 Resilience Risk Index. The report, published on March 23, is based on analysis of device-level telemetry across tens of millions of enterprise endpoints, which have been validated as using endpoint management and cybersecurity software."
  https://www.infosecurity-magazine.com/news/cybersecurity-software-failure-20/

อ้างอิง
Electronic Transactions Development Agency (ETDA)

Cybersecurity and Infrastructure Security Agency (CISA) ได้เผยแพร่คำแนะนำเกี่ยวกับระบบควบคุมอุตสาหกรรม (ICS) จำนวน 4 รายการ เมื่อวันที่ 24 มีนาคม 2569 เพื่อให้ข้อมูลที่ทันเวลาเกี่ยวกับประเด็นด้านความมั่นคงปลอดภัย ช่องโหว่ และการโจมตีที่เกี่ยวข้องกับระบบ ICS โดยมีรายละเอียดดังนี้

• ICSMA-26-083-01 Grassroots DICOM (GDCM)
• ICSA-26-083-01 Pharos Controls Mosaic Show Controller
• ICSA-26-083-03 Schneider Electric Plant iT/Brewmaxx
• ICSMA-25-364-01 WHILL Model C2 Electric Wheelchairs and Model F Power Chairs (Update A)

CISA แนะนำให้ผู้ใช้งานและผู้ดูแลระบบ ตรวจสอบคำแนะนำ ICS ที่เผยแพร่ล่าสุด เพื่อศึกษารายละเอียดทางเทคนิคและแนวทางการลดความเสี่ยง (mitigations)

อ้างอิง
https://www.cisa.gov/news-events/ics-advisories

New Tooling

• Plumber: Open-Source Scanner Of GitLab CI/CD Pipelines For Compliance Gaps
  "GitLab CI/CD pipelines often accumulate configuration decisions that drift from security baselines over time. Container images get pinned to mutable tags, branches lose protection settings, and required templates go missing. An open-source tool called Plumber automates the detection of those conditions by scanning pipeline configuration and repository settings directly."
  https://www.helpnetsecurity.com/2026/03/23/plumber-open-source-gitlab-ci-cd-compliance-scanner/
  https://github.com/getplumber/plumber

Vulnerabilities

• QNAP Patches Four Vulnerabilities Exploited At Pwn2Own
  "QNAP on Friday announced patches for multiple vulnerabilities across its products, including four issues that were demonstrated at the Pwn2Own Ireland hacking contest in October 2025. The four security defects, tracked as CVE-2025-62843 to CVE-2025-62846, impact the company’s SD-WAN routers and were addressed in QuRouter version 2.6.3.009. According to QNAP’s advisory, the first bug requires physical access to a vulnerable device to gain specific privileges, while the second flaw could be exploited over the local network to obtain sensitive information."
  https://www.securityweek.com/qnap-patches-four-vulnerabilities-exploited-at-pwn2own/
  https://securityaffairs.com/189871/security/qnap-fixed-four-vulnerabilities-demonstrated-at-pwn2own-ireland-2025.html
• We Found Eight Attack Vectors Inside AWS Bedrock. Here's What Attackers Can Do With Them
  "AWS Bedrock is Amazon's platform for building AI-powered applications. It gives developers access to foundation models and the tools to connect those models directly to enterprise data and systems. That connectivity is what makes it powerful – but it’s also what makes Bedrock a target. When an AI agent can query your Salesforce instance, trigger a Lambda function, or pull from a SharePoint knowledge base, it becomes a node in your infrastructure - with permissions, with reachability, and with paths that lead to critical assets. The XM Cyber threat research team mapped exactly how attackers could exploit that connectivity inside Bedrock environments. The result: eight validated attack vectors spanning log manipulation, knowledge base compromise, agent hijacking, flow injection, guardrail degradation, and prompt poisoning."
  https://thehackernews.com/2026/03/we-found-eight-attack-vectors-inside.html

Malware

• CanisterWorm Gets Teeth: TeamPCP's Kubernetes Wiper Targets Iran
  "We found a new payload in the TeamPCP arsenal, and this one doesn't just steal credentials or install backdoors. It wipes entire Kubernetes clusters. The script uses the exact same ICP canister (tdtqy-oyaaa-aaaae-af2dq-cai[.]raw[.]icp0[.]io) we documented in the CanisterWorm campaign. Same C2, same backdoor code, same /tmp/pglog drop path. The Kubernetes-native lateral movement via DaemonSets is consistent with TeamPCP's known playbook, but this variant adds something we haven't seen from them before: a geopolitically targeted destructive payload aimed specifically at Iranian systems."
  https://www.aikido.dev/blog/teampcp-stage-payload-canisterworm-iran
  https://www.bleepingcomputer.com/news/security/teampcp-deploys-iran-targeted-wiper-in-kubernetes-attacks/
• Trivy Supply Chain Attack Expands To Compromised Docker Images
  "Socket's threat research team has identified additional compromised Trivy artifacts published to Docker Hub, following the recently disclosed GitHub Actions compromise affecting the aquasecurity/trivy-action repository. New image tags 0.69.5 and 0.69.6 were pushed on March 22 without corresponding GitHub releases or tags. Both images contain indicators of compromise associated with the same TeamPCP infostealer observed in earlier stages of this campaign. The latest tag currently points to 0.69.6, which is also compromised. Analysis of the binaries confirms the presence of known IOCs, including the typosquatted C2 domain scan.aquasecurtiy.org, exfiltration artifacts (payload.enc, tpcp.tar.gz), and references to the fallback tpcp-docs GitHub repository."
  https://socket.dev/blog/trivy-docker-images-compromised
  https://opensourcemalware.com/blog/teampcp-aquasec-com-github-org-compromise
  https://thehackernews.com/2026/03/trivy-hack-spreads-infostealer-via.html
  https://www.bleepingcomputer.com/news/security/trivy-supply-chain-attack-spreads-to-docker-github-repos/
  https://www.infosecurity-magazine.com/news/trivy-supply-chain-attack-expands/
  https://securityaffairs.com/189856/uncategorized/44-aqua-security-repositories-defaced-after-trivy-supply-chain-breach.html
• Green Blood v2.0 Ransomware Analysis With Decryption
  "The Green Blood ransomware group, which has been active since January 2026, has been targeting countries in South Asia, Africa, and parts of South America, and is characterized by its Golang-based ransomware payload. in this post, we will analyze the main characteristics of the Green Blood ransomware, its encryption method, and the technical reasons why it is decryptable, in order to provide insights to help you effectively respond to similar threats in the future. The Green Blood ransomware group, like other ransomware groups, uses file encryption on infected systems to steal sensitive data from victimized organizations, and pressures victims for ransom payments through threatening messages that promise to permanently destroy the encryption key if the ransom is not paid."
  https://asec.ahnlab.com/en/92997/
• Tycoon2FA Phishing-As-a-Service Platform Persists Following Takedown
  "On March 4, 2026, Europol announced the technical disruption of Tycoon2FA, a subscription-based phishing-as-a-service (PhaaS) platform that enabled cybercriminals to bypass multifactor authentication (MFA) and compromise email accounts. Law enforcement authorities from six countries worked with industry partners to seize 330 domains that formed the platform’s core infrastructure. Infrastructure takedowns are a challenging and important aspect of adversary disruption and a centerpiece of law enforcement and private sector cooperation in cybersecurity. In situations where direct physical enforcement actions such as arrests are infeasible, disrupting bad actors' operational means can often be the most efficacious and direct way to impose costs on criminals who otherwise act with relative impunity."
  https://www.crowdstrike.com/en-us/blog/tycoon2fa-phishing-as-a-service-platform-persists-following-takedown/
  https://www.bleepingcomputer.com/news/security/tycoon2fa-phishing-platform-returns-after-recent-police-disruption/
  https://www.infosecurity-magazine.com/news/tycoon2fa-phishing-service-resumes/
  https://www.securityweek.com/tycoon-2fa-fully-operational-despite-law-enforcement-takedown/
• FBI Warns Of Handala Hackers Using Telegram In Malware Attacks
  "The U.S. Federal Bureau of Investigation (FBI) warned network defenders that Iranian hackers linked to the country's Ministry of Intelligence and Security (MOIS) are using Telegram in malware attacks. In a flash alert issued on Friday, the FBI says Telegram is being used as command-and-control (C2) infrastructure by malware targeting journalists criticizing the Iranian government, Iranian dissidents, and various other oppositional groups worldwide. "Due to the elevated geopolitical climate of the Middle East and current conflict, the FBI is highlighting this MOIS cyber activity," the bureau said."
  https://www.bleepingcomputer.com/news/security/fbi-warns-of-handala-hackers-using-telegram-in-malware-attacks/
  https://www.ic3.gov/CSA/2026/260320.pdf
  https://therecord.media/russia-iran-cyber-fbi-hacks
  https://cyberscoop.com/fbi-iranian-hackers-targeting-opponents-with-telegram-malware/
  https://securityaffairs.com/189820/malware/iran-linked-actors-use-telegram-as-c2-in-malware-attacks-on-dissidents.html
• Riding The Rails: Threat Actors Abuse Railway.com PaaS As Microsoft 365 Token Attack Infrastructure
  "In partnership with our friends at Flare.io and other contacts across the community, Huntress has attributed the Railway attack to the EvilTokens Phishing as a Service (PhaaS) platform. First advertised on the NOIRLEGACY GROUP telegram channel, EvilTokens spun up its own Telegram channels and made a first public post on February 16th, 2026. This activity corresponds with the first handful of compromises Huntress saw from Railway infrastructure on February 19th and 24th, 2026."
  https://www.huntress.com/blog/railway-paas-m365-token-replay-campaign
  https://cyberscoop.com/huntress-railway-ai-phishing-campaign-compromised-hundreds-of-organizations/
• How LevelBlue OTX And Cybereason XDR Detected a North Korea-Linked Remote IT Worker
  "Talk about dodging the insider threat from hell. From August 15 to 25, 2025, the SpiderLabs threat intel team, through the integration of LevelBlue OTX threat intelligence with Cybereason XDR behavioral analytics, detected a North Korea attempt to infiltrate an organization by replying to a help wanted ad. Let’s take a look at how this organization, with LevelBlue’s help, was able to detect and block this sneaky infiltration attempt. It took just 10 days for a nation-state threat actor to go from new hire to terminated employee. What appeared to be routine onboarding quickly unraveled when behavioral analytics flagged suspicious login patterns, and threat intelligence confirmed the worst: the organization had unknowingly hired a suspected North Korea-linked operative."
  https://www.levelblue.com/blogs/spiderlabs-blog/how-levelblue-otx-and-cybereason-xdr-detected-a-north-korea-linked-remote-it-worker
  https://hackread.com/north-korean-hacker-remote-it-job-vpn-slip/
• FriendlyDealer Mimics Official App Stores To Push Unvetted Gambling Apps
  "We’ve identified a huge social-engineering campaign designed to steer people into online gambling sites under the impression they’re installing a legitimate app. We’re calling it FriendlyDealer. It’s been observed across at least 1,500 domains, each hosting a website that impersonates the Google Play or Apple App Store. Users think they’re downloading a gambling app from a trusted source, with all the checks, reviews, and safeguards that implies. But they’re actually still on a website, installing a web app that then redirects them to casino offers through affiliate links."
  https://www.malwarebytes.com/blog/scams/2026/03/friendlydealer-mimics-official-app-stores-to-push-unvetted-gambling-apps
• Pro-Iranian Nasir Security Is Targeting The Energy Sector In The Middle East
  "Resecurity is tracking a relatively new cybercriminal group called Nasir Security, presumably associated with Iran, that is targeting energy organizations in the Middle East. The energy sector is one of the most impacted areas because of Iranian malicious activity in the region, including the lockdown of the Strait of Hormuz and drone/missile attacks against the energy infrastructure of neighboring countries in the GCC, allies of the US. Based on the artifacts collected by the threat intelligence team at Resecurity, the group is attacking supply chain vendors involved in engineering, safety, and construction. The data stolen as a result of such incidents is authentic but originates from a third party (of the target company), which may lead to incorrect assumptions about the origin of the breach. Notably, the focus of the attacks is centered on the energy sector, which has experienced significant financial and technological damage since the start of the war in Iran. Cyberspace is used to amplify it, following recent attacks against LNG and logistics providers."
  https://www.resecurity.com/blog/article/pro-iranian-nasir-security-is-targeting-the-energy-sector-in-the-middle-east
• StoatWaffle, Malware Used By WaterPlum
  "WaterPlum is regarded as an attacking group related to North Korea. They are known to have been operating Contagious Interview attacking campaign. WaterPlum can be classified into multiple clusters (or teams), and among them, activity by Team 8 (also known as Moralis or Modilus family) has been observed. In Contagious Interview campaign, Team 8 has been mainly using OtterCookie. Starting around December 2025, Team 8 started using new malware. We named this malware StoatWaffle. In this article, we'll introduce the latest attacking flow for WaterPlum Team 8 and in deep analysis result of StoatWaffle, new malware that they started using just recently."
  https://jp.security.ntt/insights_resources/tech_blog/stoatwaffle_malware_en/
  https://thehackernews.com/2026/03/north-korean-hackers-abuse-vs-code-auto.html
• When Tax Season Becomes Cyberattack Season: Phishing And Malware Campaigns Using Tax-Related Lures
  "During tax season, threat actors reliably take advantage of the urgency and familiarity of time-sensitive emails, including refund notices, payroll forms, filing reminders, and requests from tax professionals, to trick targets into opening malicious attachments, scanning QR codes, or following multi-step link chains. Every year, there is an observable uptick in tax-themed campaigns as Tax Day (April 15) approaches in the United States, and this year is no different. In recent months, Microsoft Threat Intelligence identified email campaigns using lures around W-2, tax forms, or similar themes, or posing as government tax agencies, tax services firms, and relevant financial institutions. Many campaigns target individuals for personal and financial data theft, but others specifically target accountants and other professionals who handle sensitive documents, have access to financial data, and are accustomed to receiving tax-related emails during this period."
  https://www.microsoft.com/en-us/security/blog/2026/03/19/when-tax-season-becomes-cyberattack-season-phishing-and-malware-campaigns-using-tax-related-lures/
  https://thehackernews.com/2026/03/microsoft-warns-irs-phishing-hits-29000.html
• Hacker Walks Away With $24.5 Million After Breaching Resolv DeFi Platform
  "Decentralized finance platform Resolv said a recent cyberattack allowed a threat actor to compromise the company’s infrastructure and illicitly create $80 million worth of its USR stablecoin. USR is pegged to the U.S. dollar but plummeted in value on Saturday when the hacker created the uncollateralized coins and traded them for about 11,408 ETH, which is worth about $24.5 million. The company published a statement confirming the incident. USR was depegged from the U.S. dollar after the incident and is now worth about 26 cents."
  https://therecord.media/hacker-breaches-resolv-defi-25-million
• Russia-Linked Malware Operation Collapses After Security Failures, Developer’s Arrest
  "An Android spyware operation that briefly gained traction in Russia appears to have collapsed within months of its launch after security flaws exposed its infrastructure and authorities arrested its suspected developer, cybersecurity researchers said. The malware, known as ClayRat, was designed for espionage and remote control of infected Android devices. Once installed, it could intercept SMS messages and call logs, access contacts, take photos, record screens, and execute commands sent from a remote command-and-control server. Despite attracting attention shortly after emerging in October 2025, ClayRat’s infrastructure deteriorated rapidly. By December, all known command servers associated with the malware had gone offline, researchers at the Russian cybersecurity firm Solar said in a report released Friday. Solar is a subsidiary of Russian state-owned telecom giant Rostelecom."
  https://therecord.media/russia-malware-arrest-clayrat

Breaches/Hacks/Leaks

• Mazda Discloses Security Breach Exposing Employee And Partner Data
  "Mazda Motor Corporation (Mazda) announced that information belonging to its employees and business partners had been exposed in a security incident detected last December. Mazda is one of Japan’s largest automotive manufacturers, with an annual production of 1.2 million vehicles and revenue of nearly $24 billion. The company said the attackers exploited a vulnerability in a system related to warehouse management for parts procured from Thailand. The system did not contain any customer data. Also, the breach is limited to 692 records."
  https://www.bleepingcomputer.com/news/security/mazda-discloses-security-breach-exposing-employee-and-partner-data/
• Crunchyroll Probes Breach After Hacker Claims To Steal 6.8M Users' Data
  "Popular anime streaming platform Crunchyroll is investigating a breach after hackers claimed to have stolen personal information for approximately 6.8 million people. "We are aware of recent claims and are currently working closely with leading cyber security experts to investigate the matter," Crunchyroll initially told BleepingComputer. "Our investigation is ongoing, and we continue to work with leading cybersecurity experts. At this time, we believe that the information is primarily limited to customer service ticket data following an incident with a third-party vendor," Crunchyroll shared in a later statement."
  https://www.bleepingcomputer.com/news/security/crunchyroll-probes-breach-after-hacker-claims-to-steal-68m-users-data/
• Chip Services Firm Trio-Tech Says Subsidiary Hit By Ransomware
  "Semiconductor services firm Trio-Tech says one of its subsidiaries in Singapore fell victim to a ransomware attack. The incident, the company said in a filing with the Securities and Exchange Commission, occurred on March 11 and resulted in the encryption of certain files within its network. The subsidiary, it told the SEC, immediately activated response protocols, proactively taking its systems offline to contain the incident. Additionally, the subsidiary launched an investigation into the attack with help from third-party cybersecurity professionals and notified law enforcement."
  https://www.securityweek.com/chip-services-firm-trio-tech-says-subsidiary-hit-by-ransomware/
  https://therecord.media/ransomware-trio-tech-semiconductor-sec
  https://www.theregister.com/2026/03/23/us_chip_testing_firm_shrugged/
• Education Company Kaplan Reports Data Breach Impacting More Than 230,000
  "The educational services company Kaplan told state regulators last week that at least 230,000 people had Social Security and driver’s license numbers leaked following a cybersecurity incident in the fall of 2025. The Florida-based company filed breach notification letters in at least seven states but did not respond to requests for comment about the total number of people impacted by the security incident. The letters sent to victims say law enforcement was called after the incident was discovered and an investigation revealed the hackers had access to Kaplan servers from October 30 to November 18."
  https://therecord.media/kaplan-data-breach-hack-notification

General News

• NIST Updates Its DNS Security Guidance For The First Time In Over a Decade
  "DNS infrastructure underpins nearly every network connection an organization makes, yet security configurations for it have gone largely unrevised at the federal guidance level for more than twelve years. NIST published SP 800-81r3, the Secure Domain Name System Deployment Guide, superseding a version that dates to 2013. The document covers three main areas: using DNS as an active security control, securing the DNS protocol itself, and protecting the servers and infrastructure that run DNS services. It is directed at two groups: cybersecurity executives and decision-makers, and the operational networking and security teams who configure and maintain DNS environments."
  https://www.helpnetsecurity.com/2026/03/23/nist-dns-security-guide-sp-800-81r3/
  https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-81r3.pdf
• Your AI Agents Are Moving Sensitive Data. Do You Know Where?
  "In this Help Net Security interview, Gidi Cohen, CEO at Bonfy.AI, addresses what he sees as the most pressing gap in AI agent security: data-layer risk. While the industry focuses on prompt injection and model behavior, Cohen argues the deeper threat is autonomous AI agents operating across systems with no visibility into what data they access, combine, or expose. He explains how Bonfy.AI approaches this through three areas: controlling what data agents can access for grounding, monitoring content as it moves through tool calls and MCP servers, and letting agents query Bonfy in real time to check whether an action is safe before they take it. The conversation covers threat modeling, anomaly detection, multi-agent delegation, model versioning, and practical advice for CISOs navigating pressure to deploy AI at scale."
  https://www.helpnetsecurity.com/2026/03/23/gidi-cohen-bonfy-ai-agent-security/
• US Soldier Sentenced For Helping North Korean IT Workers
  "A District Court judge sentenced three men for their involvement in a scheme that allowed several North Korean IT workers to use their identities and gain employment at U.S. companies. One of the men, 35-year-old Alexander Paul Travis, was an active duty member of the U.S. Army and was stationed at Fort Gordon in Georgia while participating in the scheme from September 2019, until November 2022. Travis pleaded guilty to accusations that he allowed North Korean IT workers to use his identity on resumes and during employer vetting processes that involved interviews, drug tests and fingerprints. The North Korean IT workers also opened bank accounts in his name to receive payment from employers."
  https://therecord.media/us-soldier-sentencer-for-helping-nk-it-workers
  https://www.bankinfosecurity.com/ex-us-soldier-among-3-sentenced-for-dprk-worker-scam-a-31125
• 2025 Talos Year In Review: Speed, Scale, And Staying Power
  "The 2025 Talos Year in Review is now available to view online. The pace and scale of adversary activity in 2025 placed sustained pressure on security teams across industries. As with each annual report, our goal at Talos is to provide the security community with a clear analysis of the tactics, techniques, and procedures that shaped adversary operations, and to help organizations prioritize the actions that reduce exposure and strengthen defenses."
  https://blog.talosintelligence.com/2025-talos-year-in-review-speed-scale-and-staying-power/
  https://blog.talosintelligence.com/2025yearinreview
  https://www.theregister.com/2026/03/23/cisco_talos_cybersecurity_report_patch_fast/
• AI In The SOC: What Could Go Wrong?
  "External, internal, and operational pressures to deploy AI to unlock its promise of increased speed and efficiency has left enterprise cybersecurity professionals in a tough spot — finding they need to enable innovation, while trying to foresee the risks it might introduce. Two enterprise cybersecurity leaders decided to take on the AI challenge and share at this year's RSAC 2026 Conference what they determined it can do well, and what it isn’t ready to take on."
  https://www.darkreading.com/cybersecurity-operations/ai-soc-go-wrong
• Quantum Threats Are Already Active And The Defense Response Remains Fragmented
  "Enterprises are moving toward post-quantum security at uneven speeds, and the gap between organizations that have built crypto-agility into their infrastructure and those that have adopted the label without the underlying capability is widening. Dr. Tan Teik Guan, CEO of Singapore-based cybersecurity company pQCee, draws a sharp line between the two. Crypto-agility, in his view, requires more than support for multiple algorithms or protocol-level negotiation. It demands the ability to respond with appropriate cryptographic defenses in a cost-effective, timely, and non-disruptive way. That means intelligence, governance, and mitigation working together across a layered defense architecture to maintain a quantum-safe state."
  https://www.helpnetsecurity.com/2026/03/23/ciso-post-quantum-crypto-agility/
• The Devices Winning The Race To Get Hacked In 2026
  "Enterprise networks keep adding connected devices, expanding the attack surface as threat actors target a wider range of systems, many of which are difficult to inventory, secure, and patch consistently. Forescout’s 2026 Riskiest Devices research maps that shift in IT, IoT, OT, and IoMT environments, with 11 new riskiest asset types entering the list this year. That is the second-largest year-over-year increase on record, and two of the new entries moved straight into the top five riskiest IT assets: serial-to-IP-converters and workstations."
  https://www.helpnetsecurity.com/2026/03/23/connected-devices-security-risk-2026-research/
  https://www.forescout.com/resources/riskiest-devices-2026-report/
• AI Pulse Poll Reveals Rampant Uncertainty On Enterprise Landscape
  "The artificial landscape remains murky when it comes to accountability, transparency and capabilities for many organizations, as shown in ISACA’s 2026 AI Pulse Poll. The global pulse poll, reflecting responses from more than 3,400 digital trust professionals across IT audit, governance, cybersecurity, privacy and emerging technology roles, finds that even as AI usage accelerates across the enterprise landscape, there appears to be limited human oversight over AI decision-making, little disclosure around AI use, and uncertainty around AI security incident response and accountability for AI system harm. Below are five sneak-peek findings from the 2026 AI Pulse Poll. The full 2026 AI Pulse Poll from ISACA will be released in early May."
  https://www.isaca.org/resources/news-and-trends/isaca-now-blog/2026/ai-pulse-poll-reveals-rampant-uncertainty-on-enterprise-landscape
  https://www.infosecurity-magazine.com/news/cyber-staff-unsure-on-preventing/
• M-Trends 2026: Data, Insights, And Strategies From The Frontlines
  "Every year, the cyber threat landscape forces defenders to adapt to evolving adversary tactics, techniques, and procedures (TTPs). In 2025, Mandiant observed a clear divergence in adversary pacing that closely aligns with the trends we have been documenting for defenders over the past year. On one end of the spectrum, cyber criminal groups optimized for immediate impact and deliberate recovery denial. On the other end, sophisticated cyber espionage groups and insider threats optimized for extreme persistence, utilizing unmonitored edge devices and native network functionalities to evade detection. Today, we release M-Trends 2026. Grounded in over 500,000 hours of frontline incident investigations conducted by Mandiant globally in 2025, this report provides a definitive look at the TTPs actively being used in breaches today."
  https://cloud.google.com/blog/topics/threat-intelligence/m-trends-2026
  https://www.infosecurity-magazine.com/news/high-tech-top-target-cyberattacks/
  https://cyberscoop.com/social-engineering-surge-intrusion-vector-mandiant-m-trends/
  https://www.securityweek.com/m-trends-2026-initial-access-handoff-shrinks-from-hours-to-22-seconds/
  https://www.theregister.com/2026/03/23/voice_phishing_skyrockets_as_smooth/
• Google Authenticator: The Hidden Mechanisms Of Passwordless Authentication
  "Passwordless authentication is often presented as the end of account takeover. But to understand the real threat landscape, we need to examine how passwordless is actually deployed in the real world. Attackers do not break protocols in theory. They target the most common implementations, the places where usability, scale and architecture intersect. Focusing on one of those common implementations, we examine Google Authenticator. This discussion explores the hidden mechanisms behind synced passkeys and their implementation within the Google ecosystem. Our aim is to help defenders better understand the technology, to lay the groundwork to show how new attack vectors could emerge in a passwordless environment."
  https://unit42.paloaltonetworks.com/passwordless-authentication/

อ้างอิง
Electronic Transactions Development Agency (ETDA)

ศูนย์ประสานการรักษาความมั่นคงปลอดภัยระบบคอมพิวเตอร์แห่งชาติ (ThaiCERT) แจ้งเตือนหน่วยงานและผู้ดูแลระบบเกี่ยวกับการนำบริการ Microsoft Azure Monitor เพื่อส่งอีเมลฟิชชิงแบบ Callback Phishing โดยอีเมลดังกล่าวปลอมเป็นการแจ้งเตือนจากทีมความปลอดภัยหรือฝ่ายเรียกเก็บเงินของ Microsoft เนื้อหาอีเมลอ้างพบบิลหรือรายการเรียกเก็บเงินผิดปกติในบัญชี และเร่งให้ผู้รับติดต่อไปยังหมายเลขโทรศัพท์ที่แนบมา ขอให้ผู้ใช้งานเพิ่มความระมัดระวัง ไม่ติดต่อกลับตามหมายเลขในอีเมล ตรวจสอบข้อเท็จจริงผ่านช่องทางที่เชื่อถือได้ และหลีกเลี่ยงการเปิดเผยข้อมูลสำคัญโดยเด็ดขาด

1. รายละเอียดเหตุการณ์ [1]
   การโจมตีดังกล่าวเป็นการโจมตีแบบ Callback Phishing โดยผู้โจมตีอาศัยฟังก์ชันการสร้าง Alert ใน Azure Monitor เพื่อกำหนดข้อความหลอกลวงลงในฟิลด์คำอธิบาย (description) ของการแจ้งเตือน จากนั้นตั้งค่าให้ระบบส่งอีเมลแจ้งเตือนไปยังเป้าหมายที่ต้องการ เนื้อหาอีเมลอ้างว่าพบธุรกรรมต้องสงสัย ใบแจ้งหนี้ หรือการเรียกเก็บเงินที่ไม่ได้รับอนุญาต และกดดันให้ผู้ใช้ติดต่อไปยังหมายเลขโทรศัพท์ที่ระบุในข้อความ
   ตัวอย่างข้อความที่พบในการหลอกลวงระบุลักษณะคล้าย “billing and account security notice” พร้อมแจ้งว่าพบการเรียกเก็บเงินผิดปกติ เช่น ค่าใช้จ่ายของ “Windows Defender” มูลค่า 389.90 ดอลลาร์สหรัฐ และอ้างว่าหากไม่รีบดำเนินการอาจถูกระงับบัญชีหรือมีค่าธรรมเนียมเพิ่มเติม เป้าหมายคือหลอกให้ผู้เสียหายติดต่อไปยังหมายเลขโทรศัพท์ของมิจฉาชีพเพื่อเข้าสู่ขั้นตอนหลอกลวงถัดไป

2. ลักษณะการโจมตีและผลกระทบ
   อีเมลเหล่านี้ไม่ได้ปลอมแปลงโดเมนผู้ส่งแบบทั่วไป แต่ถูกส่งออกจากแพลตฟอร์ม Microsoft Azure Monitor จริง จึงทำให้ส่วนหัวอีเมลและการยืนยันตัวตนดูถูกต้อง นอกจากนี้ผู้โจมตียังใช้ชื่อกฎแจ้งเตือนที่ทำให้ดูคล้ายการแจ้งเตือนอัตโนมัติด้านการชำระเงิน ใบแจ้งหนี้ หรือกิจกรรมในระบบ เพื่อเพิ่มความน่าเชื่อถือและลดความสงสัยของผู้รับ
   แม้รายงานดังกล่าวไม่ได้ยืนยันผลลัพธ์ของการติดต่อในเคสนี้โดยตรง แต่แคมเปญ Callback Phishing ในลักษณะเดียวกันที่ผ่านมาเคยนำไปสู่การขโมยข้อมูลรับรอง การหลอกให้ชำระเงิน หรือการติดตั้งซอฟต์แวร์ควบคุมบนเครื่องของเหยื่อได้ อีกทั้งด้วยธีมอีเมลที่เป็นทางการและเกี่ยวข้องกับองค์กร จึงมีความเป็นไปได้ว่าผู้โจมตีต้องการเข้าถึงเบื้องต้นในเครือข่ายองค์กรเพื่อใช้โจมตีต่อเนื่องในลำดับถัดไป

3. ผลิตภัณฑ์/บริการที่เกี่ยวข้อง
   กรณีนี้เกี่ยวข้องกับบริการ Microsoft Azure Monitor และ Action Groups/Email Notifications ของระบบแจ้งเตือน ซึ่ง Microsoft ระบุว่าอีเมลแจ้งเตือนจากระบบสามารถถูกส่งจากที่อยู่อีเมล [email protected] ได้ จึงอาจทำให้ผู้ใช้งานเข้าใจผิดว่าเป็นการแจ้งเตือนความปลอดภัยหรือการเงินที่ถูกต้องตามปกติ [2]

4. แนวทางการป้องกันและลดความเสี่ยง
   4.1 ผู้ใช้งานและเจ้าหน้าที่ Helpdesk ตรวจสอบอีเมลที่อ้างว่าเป็นการแจ้งเตือนจาก Microsoft หรือ Azure โดยเฉพาะกรณีที่แนบหมายเลขโทรศัพท์และเร่งให้ติดต่อเพื่อยืนยันบิล ยกเลิกรายการ หรือแก้ปัญหาบัญชีอย่างเร่งด่วน
   4.2 กำหนดนโยบายภายในองค์กร ไม่ควรติดต่อตามหมายเลขโทรศัพท์ที่ระบุในอีเมลแจ้งเตือน แต่ให้ตรวจสอบผ่านพอร์ทัล Microsoft อย่างเป็นทางการ หรือใช้ช่องทางติดต่อที่องค์กรยืนยันแล้วเท่านั้น
   4.3 ผู้ดูแลระบบอีเมลและ SOC ควรเพิ่มการเฝ้าระวังอีเมลจากผู้ส่งที่เป็นโดเมน Microsoft จริง แต่มีเนื้อหาเรียกเก็บเงินผิดปกติ การขอให้ติดต่อกลับ หรือการใช้ถ้อยคำเร่งด่วนผิดธรรมชาติ
   4.4 หากองค์กรใช้งาน Azure Monitor ควรตรวจสอบการสร้าง Alert Rules และ Action Groups ที่ผิดปกติ รวมถึงรายการอีเมลปลายทางที่ใช้รับการแจ้งเตือน เพื่อค้นหาการใช้งานในทางที่ผิดหรือการตั้งค่าที่ไม่สอดคล้องกับวัตถุประสงค์ของระบบ
   4.5 แจ้งเตือนผู้ใช้งาน “อีเมลจาก Microsoft จริง” ไม่ได้หมายความว่า “เนื้อหาภายในอีเมลนั้นปลอดภัยหรือเป็นของแท้ทั้งหมด” เพราะกรณีนี้อาศัยแพลตฟอร์มที่ถูกต้องในการส่งอีเมล

5. หากสงสัยว่าได้รับอีเมลลักษณะดังกล่าว
   5.1 ห้ามติดต่อตามหมายเลขโทรศัพท์ในอีเมล ห้ามกดลิงก์ หรือให้ข้อมูลส่วนบุคคล ข้อมูลบัตร หรือข้อมูลบัญชีผู้ใช้
   5.2 ตรวจสอบการเรียกเก็บเงินหรือสถานะบัญชีผ่าน Microsoft/Azure โดยตรง
   5.3 กรณีที่ผู้ใช้งานติดต่อกลับหรือให้ข้อมูลไปแล้ว ควรเปลี่ยนรหัสผ่าน ตรวจสอบบัญชีที่เกี่ยวข้อง และเฝ้าระวังการเข้าถึงหรือติดตั้งโปรแกรมที่ไม่ได้รับอนุญาต
   5.4 ส่งอีเมลที่ต้องสงสัยให้ทีมความมั่นคงปลอดภัยสารสนเทศขององค์กรเพื่อตรวจสอบ

อ้างอิง
[1] https://dg.th/e4xncphqrd
[2] https://dg.th/5uroh2sw7b

ศูนย์ประสานการรักษาความมั่นคงปลอดภัยระบบคอมพิวเตอร์แห่งชาติ (ThaiCERT) ได้ติดตามสถานการณ์ช่องโหว่ด้านความมั่นคงปลอดภัยที่อาจส่งผลกระทบต่อระบบของหน่วยงาน โดยพบช่องโหว่ร้ายแรงในผลิตภัณฑ์ในกลุ่ม Oracle Fusion Middleware โดยเฉพาะระบบจัดการอัตลักษณ์และตัวจัดการเว็บเซอร์วิส ซึ่งสามารถถูกโจมตีผ่านเครือข่ายและนำไปสู่การยึดครองหรือควบคุมระบบได้ จึงขอแนะนำให้ผู้ดูแลระบบเร่งดำเนินการอัปเดตแพตช์เพื่อแก้ไขช่องโหว่โดยทันที

1. รายละเอียดช่องโหว่
   Oracle ได้เผยแพร่ประกาศด้านความปลอดภัย [1] เกี่ยวกับช่องโหว่ CVE-2026-21992 (คะแนน CVSSv3.1: 9.8) [2] ซึ่งส่งผลกระทบต่อ Oracle Identity Manager ของ Oracle Fusion Middleware (ส่วนประกอบ REST WebServices) และ Oracle Web Services Manager ของ Oracle Fusion Middleware (ส่วนประกอบ Web Services Security) โดยช่องโหว่นี้สามารถถูกใช้เพื่อเข้าควบคุมระบบที่ได้รับผลกระทบได้ผ่านโปรโตคอล HTTP โดยไม่ต้องยืนยันตัวตน (Unauthenticated Remote Exploit) และอาจนำไปสู่การรันโค้ดจากระยะไกล (Remote Code Execution - RCE) ส่งผลให้ผู้โจมตีสามารถยึดครองระบบ Oracle Identity Manager และ Oracle Web Services Manager ได้อย่างสมบูรณ์

2. ผลิตภัณฑ์ที่ได้รับผลกระทบ
   2.1 Oracle Identity Manager เวอร์ชัน 12.2.1.4.0 และเวอร์ชัน 14.1.2.1.0
   2.2 Oracle Web Services Manager เวอร์ชัน 12.2.1.4.0 และเวอร์ชัน 14.1.2.1.0

3. แนวทางการแก้ไข
   แนะนำให้ดำเนินการอัปเดตแพตช์จาก Oracle โดยทันที ผ่านชุดอัปเดตของ Fusion Middleware [3] และควรตรวจสอบว่าใช้งานเวอร์ชันที่ยังอยู่ในช่วงการสนับสนุน (Premier / Extended Support) หากไม่สามารถอัปเดตได้ทันที ให้พิจารณามาตรการชั่วคราว (Workaround) ดังนี้

• จำกัดการเข้าถึงระบบผ่าน HTTP/HTTPS จากภายนอก (เช่น allowlist เฉพาะ IP ที่จำเป็น)
• ปิดหรือจำกัดการเข้าถึง service ที่ไม่จำเป็น
• ใช้ Web Application Firewall (WAF) เพื่อช่วยกรองคำขอที่ผิดปกติ
• แยกระบบ (segmentation) เพื่อลดผลกระทบหากถูกโจมตี

4. คำแนะนำด้านความปลอดภัยเพิ่มเติม
   4.1 ตรวจสอบ Log การใช้งานย้อนหลัง เพื่อค้นหาพฤติกรรมผิดปกติหรือความพยายามโจมตี
   4.2 เฝ้าระวังการเข้าถึงระบบจากแหล่งที่ไม่น่าเชื่อถือ
   4.3 อัปเดตแพตช์ด้านความปลอดภัยของระบบและซอฟต์แวร์อย่างสม่ำเสมอ
   4.4 จัดทำและทบทวนนโยบายควบคุมการเข้าถึง (Access Control) ให้เหมาะสม
   4.5 จัดทำระบบสำรองข้อมูล (Backup) และทดสอบการกู้คืนอย่างสม่ำเสมอ

5. แหล่งอ้างอิง
   [1] https://dg.th/gtrvcxjald
   [2] https://dg.th/8uhowa7tmf
   [3] https://dg.th/7dqh5rjcyf

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand