สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

Healthcare Sector

• A Quarter Of Healthcare Organizations Report Medical Device Cyber-Attacks
  "One-in-four (24%) healthcare organizations (HCOs) experienced cyber-attacks impacting medical devices over the past year, causing potentially significant disruption to patient care, according to RunSafe Security. The security vendor polled 551 healthcare professionals across the US, UK and Germany to produce its 2026 Medical Device Cybersecurity Index. It revealed that, in 80% of cases, attacks affecting devices had a “moderate” or “significant” impact on patients. This could range from delayed imaging and postponed procedures to interruptions to critical care delivery, RunSafe claimed."
  https://www.infosecurity-magazine.com/news/quarter-healthcare-medical-device/

Industrial Sector

• RDP Security: CPS Threats Spark Need For Secure Remote Access
  "Hybrid work, remote monitoring and maintenance, and third-party access for system integrators or device vendors are now essential business requirements across many industries. This is especially true in critical infrastructure sectors with mission-critical remote sites, including utilities, transportation, and oil and gas. Historically, organizations have managed remote access to cyber-physical system (CPS) networks at these sites through traditional VPNs or jump hosts using technologies, such as Remote Desktop Protocol (RDP) and Virtual Network Computing (VNC). These approaches were designed to extend networks, not control interactions, which increase the attack surface."
  https://www.forescout.com/blog/rdp-security-cps-threats-spark-need-for-secure-remote-access/
  https://www.securityweek.com/hundreds-of-internet-facing-vnc-servers-expose-ics-ot/
• Threat Landscape For Industrial Automation Systems. South And North America (Canada), Q4 2025
  "In South America, the percentage of ICS computers on which threats from email clients were blocked was significantly higher than the global average, by a factor of 1.9. On this metric, the region ranked second globally. High percentage figures for threats distributed via email clients (phishing) and spyware clearly indicate that OT systems in the region are highly exposed to advanced categories of threat actors. High percentage figures for malicious scripts and phishing pages, many of which target specifically employee authentication data for corporate services, also point to a high risk of targeted attacks against the OT infrastructure of industrial enterprises in the region."
  https://ics-cert.kaspersky.com/publications/reports/2026/04/29/threat-landscape-for-industrial-automation-systems-south-and-north-america-canada-q4-2025/

Vulnerabilities

• cPanel, WHM Emergency Update Fixes Critical Auth Bypass Bug
  "A critical vulnerability affecting all but the latest versions of cPanel and the WebHost Manager (WHM) dashboard could be exploited to obtain access to the control panel without authentication. The security issue, currently identified as CVE-2026-41940 and with a severity score of 9.8, has been addressed in an emergency update that requires running a command manually to retrieve a patched version of the software. Owned by WebPros International, WHM and cPanel are Linux-based web hosting control panels for server and website management. While WHM provides server-level control, cPanel provides administrator access to the website backend, webmail, and databases."
  https://www.bleepingcomputer.com/news/security/cpanel-whm-emergency-update-fixes-critical-auth-bypass-bug/
  https://thehackernews.com/2026/04/critical-cpanel-authentication.html
  https://securityaffairs.com/191465/security/all-supported-cpanel-versions-hit-by-critical-auth-bug-now-patched.html
• Chrome 147, Firefox 150 Security Updates Rolling Out
  "Google and Mozilla on Tuesday announced fresh security updates for Chrome and Firefox users, addressing multiple memory safety vulnerabilities. The new Chrome 147 update is rolling out with 30 security fixes, including four for critical-severity use-after-free flaws reported by external researchers. Tracked as CVE-2026-7363, CVE-2026-7361, CVE-2026-7344, and CVE-2026-7343, the bugs impact the Canvas, iOS, Accessibility, and Views browser components."
  https://www.securityweek.com/chrome-147-firefox-150-security-updates-rolling-out/
• Your AI Coding Agent Will Run This Exploit For You: How We Found a High-Severity CVE In Cursor
  "Novee’s research team identified a high-severity arbitrary code execution vulnerability in Cursor, the popular AI-powered IDE. Cursor has published the vulnerability as CVE-2026-26268. The root cause is not a flaw in Cursor’s core product logic, but rather a consequence of a feature interaction in Git, one that becomes exploitable the moment an AI agent starts autonomously executing Git operations inside a repository it doesn’t control. The end result is attacker code execution directly on a developer’s machine."
  https://novee.security/blog/cursor-ide-cve-2026-26268-git-hook-arbitrary-code-execution/
  https://hackread.com/cursor-ai-ide-vulnerability-code-execution-git-hooks/
• CursorJacking: Every Cursor User Is Vulnerable To API Key Theft By Rogue Extensions
  "LayerX security researchers have found that any extension of the popular AI development tool Cursor can access the developer’s API keys and session tokens, leading to full credential compromise, with no need for user interaction or activity at all. LayerX discovered that since Cursor doesn’t store keys in protected storage, any Cursor extension can execute this access. As a result, every Cursor user is vulnerable to API key theft by rogue Cursor extensions. Exploitation of this vulnerability can lead to exposure of session tokens and API keys, unauthorized access to Cursor backend services, and data theft via user impersonation."
  https://layerxsecurity.com/blog/cursorjacking-every-cursor-user-is-vulnerable-to-api-key-theft-by-rogue-extensions/
  https://www.infosecurity-magazine.com/news/cursor-extension-flaw-exposes-api/
• Linux Cryptographic Code Flaw Offers Fast Route To Root
  "Developers of major Linux distributions have begun shipping patches to address a local privilege escalation (LPE) vulnerability arising from a logic flaw. The newly disclosed LPE, dubbed Copy Fail (CVE-2026-31431), comes from a vulnerability in the Linux kernel's authencesn cryptographic template. "An unprivileged local user can write four controlled bytes into the page cache of any readable file on a Linux system, and use that to gain root," the writeup from security biz Theori explains."
  https://www.theregister.com/2026/04/30/linux_cryptographic_code_flaw/

Malware

• TeamPCP-Linked Supply Chain Attack Hits SAP CAP And Cloud MTA Npm Packages
  "Compromised SAP CAP npm packages download and execute unverified binaries, creating urgent supply chain risk for affected developers and CI/CD environments. Socket is investigating a suspected supply chain attack affecting multiple npm packages associated with SAP’s JavaScript and cloud application development ecosystem."
  https://socket.dev/blog/sap-cap-npm-packages-supply-chain-attack
  https://www.aikido.dev/blog/mini-shai-hulud-has-appeared
  https://www.bleepingcomputer.com/news/security/official-sap-npm-packages-compromised-to-steal-credentials/
  https://thehackernews.com/2026/04/sap-npm-packages-compromised-by-mini.html
• Popular WordPress Redirect Plugin Hid Dormant Backdoor For Years
  "The Quick Page/Post Redirect plugin, installed on more than 70,000 WordPress sites, had a backdoor added five years ago that allows injecting arbitrary code into users’ sites. The malware was uncovered by Austin Ginder, the founder of WordPress hosting provider Anchor, who found it after 12 infected sites on his fleet triggered a security alert. Quick Page/Post Redirect plugin, available on WordPress.org for several years, is a basic utility plugin used for creating redirects in posts, pages, and custom URLs."
  https://www.bleepingcomputer.com/news/security/popular-wordpress-redirect-plugin-hid-dormant-backdoor-for-years/
  https://anchor.host/the-plugin-author-was-the-supply-chain-attacker/
• Qinglong Task Scheduler RCE Vulnerabilities Exploited In The Wild For Cryptomining
  "In early February 2026, users of Qinglong (青龙), a popular open source timed task management platform with over 19,000 GitHub stars, began reporting that their servers were maxing out CPU usage. The cause was a cryptominer binary called .fullgc, deployed through two authentication bypass vulnerabilities that allowed unauthenticated remote code execution. The attacks went largely unnoticed in the English-speaking security community. But across Chinese developer forums and GitHub issues, the picture was clear: attackers were exploiting publicly accessible Qinglong panels to deploy cryptocurrency miners."
  https://snyk.io/blog/qinglong-task-scheduler-rce-vulnerabilities/
  https://www.bleepingcomputer.com/news/security/hackers-exploit-rce-flaws-in-qinglong-task-scheduler-for-cryptomining/
• AI-Powered Honeypots: Turning The Tables On Malicious AI Agents
  "Just as AI brings time-saving advantages to our lives, it brings similar advantages to threat actors. The laborious, time-consuming tasks of finding potentially vulnerable systems, identifying their vulnerabilities, and executing exploit code can be automated and orchestrated using AI. Clearly, these new capabilities put defenders at a disadvantage, as they expose new vulnerabilities for the threat actor. Attackers seek to minimize exposure. The more that a defender knows about a potential attack, the better they can prepare to repel or detect an attack. Using AI-orchestrated tooling to gain access to systems trades stealth for capability. That trade-off increases attacker visibility, and increased visibility is something defenders can exploit."
  https://blog.talosintelligence.com/ai-powered-honeypots-turning-the-tables-on-malicious-ai-agents/
• Phoenix Rising: Exposing The PhaaS Kit Behind Global Mass Phishing Campaigns
  "According to the Group-IB High-Tech Crime Trends Report 2026, Financial Services, Logistics, and Telecommunications were identified as three of the top five industries most targeted by phishing in 2025. And SMS phishing (smishing) still remains one of the most effective and fastest-growing fraud vectors worldwide. This effectiveness has been further amplified by the rise of phishing-as-a-service (PhaaS) platforms, which provide affiliates with pre-built templates, traffic filtering mechanisms, and real-time victim management dashboards. By combining high-delivery SMS distribution methods with scalable, subscription-based phishing ecosystems, threat actors can rapidly deploy campaigns, replicate proven attack workflows, and expand operations across multiple regions with minimal technical overhead."
  https://www.group-ib.com/blog/phoenix-phaas-kit-smishing/
• Meet Bluekit: The AI-Powered All-In-One Phishing Kit
  "At one point in time, the phishing kit market was specialized. Operators bought a credential-harvesting page from one seller, a domain rotator from another, and an SMS gateway from a third. Then they stitched the rest together on their own infrastructure. Varonis Threat Labs recently discovered Bluekit, a new phishing kit pitching a broader model. It advertises 40+ website templates, automated domain purchase and registration, 2FA support, spoofing, geolocation emulation, Telegram and browser notifications, antibot cloaking, and add-ons like an AI assistant, voice cloning, and a mail sender. The templates we reviewed covered email and cloud accounts, developer platforms, social media, retail, and crypto services, including iCloud, Apple ID, Gmail, Outlook, Hotmail, Yahoo, ProtonMail, GitHub, Twitter, Zoho, Zara, and Ledger."
  https://www.varonis.com/blog/bluekit
  https://hackread.com/bluekit-phishing-kit-targets-platforms-mfa-bypass-attack/
• Claude Adds Malware To Crypto Agent
  "ReversingLabs (RL) researchers discovered malicious code in a crypto trading project after an AI-based coding agent added a malicious package as a dependency. The @validate-sdk/v2 package poses as a routine data validation tool while siphoning off sensitive secrets from its host environment. The new malware campaign, which RL has dubbed PromptMink, involves a tainted package that was introduced in a Feb. 28 commit to an autonomous trading agent. The commit was co-authored by Anthropic’s Claude Opus large language model (LLM). It allows attackers to access users’ crypto wallets and funds."
  https://www.reversinglabs.com/blog/claude-promptmink-malware-crypto
  https://thehackernews.com/2026/04/new-wave-of-dprk-attacks-uses-ai.html
  https://www.infosecurity-magazine.com/news/ai-npm-dependency-targets-crypto/
• Iranian Cyber Group Handala Targets US Troops In Bahrain
  "The Iran-linked threat actor Handala this week targeted US troops in Bahrain in an influence campaign carried out on WhatsApp. The messages, signed Handala and containing a link to the group’s website, claimed the service members were under surveillance and soon to be targeted with drones and missiles. “Your identities are fully known to our missile units, and every move you make is under our surveillance. Very soon, you will be targeted by our Shahed drones and Kheibar and Ghadeer missiles,” the messages reportedly read."
  https://www.securityweek.com/iranian-cyber-group-handala-targets-us-troops-in-bahrain/
• Another Day, Another Malicious JPEG
  "In his last two diaries, Xavier discussed recent malware campaigns that download JPEG files with embedded malicious payload[1,2]. At that point in time, I’ve not come across the malicious “MSI image” myself, but while I was going over malware samples that were caught by one of my customer’s e-mail proxies during last week, I found another campaign in which the same technique was used. Xavier already discussed how the final portion of a payload that was embedded in the JPEG was employed, but since the campaign he came across used a batch downloader as the first stage, and the one I found employed JScript instead, I thought it might be worthwhile to look at the first part of the infection chain in more detail, and discuss few tips and tricks that may ease analysis of malicious scripts along the way."
  https://isc.sans.edu/diary/Another+day+another+malicious+JPEG/32738/
  https://blog.barracuda.com/2026/04/28/picture-imperfect-risk-malicious-jpgs
• Threat Spotlight: Boutique Phishing Kit Saiga 2FA Hides Behind ‘lorem Ipsum’ Metadata
  "In early 2025, a sophisticated phishing kit, Saiga 2FA, was seen targeting legal organizations in Australia. Since then, the kit has stayed largely under the radar. New Barracuda detection data shows that its activity has ramped up in recent months, with a significant wave of phishing campaigns beginning in February 2026. Saiga 2FA belongs to a class of advanced phishing kits that function more like a boutique service than an automated platform. It features a structured, modular and infrastructure-driven design. This article examines the attack flow, tools and techniques seen by Barracuda threat analysts in Saiga’s recent campaign."
  https://blog.barracuda.com/2026/04/28/threat-spotlight--boutique-phishing-kit-saiga-2fa
• Kuse Web App Abused To Host Phishing Document
  "As AI increases its role in work and daily life, AI apps are also increasing in number. Along with this emergence are expanding attack vectors that threat actors are actively exploring. AI is reshaping the cybersecurity landscape, introducing both unprecedented opportunities and complex risks. On April 9, 2026, the TrendAI Managed Services Team encountered a phishing attack that revealed another vulnerability that enabled attackers to store phishing chains, breach trust, and eventually expose credentials. In this case, attackers abused the storage and sharing features of Kuse, a free AI web app. This breach involved a Supply Chain Attack, particularly a Vendor Email Compromise (VEC), wherein a compromised mailbox from a trusted vendor was used to send a specifically crafted phishing email that leveraged the existing relationship level between the two organizations. Because of this, some IOCs are partly redacted in this article due to the usage of specific organization names."
  https://www.trendmicro.com/en_us/research/26/d/kuse-web-app-abused-to-host-phishing-document.html
• Fake Document, Real Access: Foxit Impersonation Enables Stealth VNC Control
  "Foxit Software has more than 650 million users and is widely trusted as a lightweight PDF reader. That reputation is exactly what makes it valuable to attackers. The more familiar the software, the easier it is to convince someone that what they are downloading is safe. Instead of exploiting a vulnerability in Foxit, the attacker does something simpler: They pretend to be Foxit. That is enough to get users to install malware themselves. A fake installer that looks legitimate can deliver remote access tools, steal credentials, or quietly maintain long term access to a system. This approach has been used repeatedly. In 2024, several campaigns relied on trojanized installers and search engine poisoning to distribute fake PDF software at scale. No exploit required, just trust. Exploitiong weak spots in legitimate programs is another often used tactic - see our article on ConnectWise."
  https://blog.gdatasoftware.com/2026/04/38409-fake-foxit-vnc
• DinDoor's Caddy Problem: How One HTTP Header Exposed 20 Active C2 Servers
  "Runtime code environments like Node.js, Deno, and Python are increasingly being utilized as an instrument to execute malicious code. Rather than deploying traditional compiled implants, these trusted, signed runtimes are exploited to run attacker-controlled scripts, which complicates detection in networks where these tools are allowlisted, and coverage is lacking. DinDoor, tracked as a variant of the Tsundere Botnet, follows this model. Delivered primarily via MSI files and relying on the Deno runtime for execution, the malware runs obfuscated JavaScript to communicate with its command and control (C2) infrastructure, while fingerprinting victims and fetching follow-on payloads. A recent report from Broadcom linked DinDoor activity to the Iranian APT group Seedworm, also tracked as MuddyWater, targeting U.S. organizations."
  https://hunt.io/blog/dindoor-deno-runtime-backdoor-msi-analysis
• Inside The Coinbase Cartel: How Infostealer Credentials Fueled a 100+ Company Ransomware Spree
  "A rapidly expanding ransomware and extortion group known as Coinbase Cartel has officially claimed over 100 targets. The group, which first emerged in September 2025, has made a name for itself through pure data exfiltration and extortion, completely bypassing the use of traditional file encryptors. While many victim organizations and incident response firms have incorrectly attributed the initial access of these breaches to sophisticated zero-day exploits or complex social engineering, Hudson Rock‘s cybercrime intelligence reveals a different, much simpler reality: Coinbase Cartel exclusively uses old Infostealer credentials to compromise cloud environments, FTP servers, and file transfer services."
  https://www.infostealers.com/article/inside-the-coinbase-cartel-how-infostealer-credentials-fueled-a-100-company-ransomware-spree/

Breaches/Hacks/Leaks

• Polymarket Rejects Data Breach Claims As Hacker Alleges 300K Records Stolen
  "A hacker called Xorcat claims to have stolen a massive 300,000 records from Polymarket. It is the world’s largest decentralised cryptocurrency-based prediction market where users bet on world events. The alleged stolen data was posted on a cybercrime forum and Telegram on 27 April 2026. However, Polymarket has rejected these claims. Xorcat claims to have taken advantage of several flaws in the website’s code. One method involved using undocumented API endpoints. Another method was a pagination bypass on Polymarket’s CLOB (Central Limit Order Book) trading system."
  https://hackread.com/polymarket-rejects-data-breach-hacker-records-stolen/

General New

• Call Centres Dismantled And Ten Arrested In EUR 50 Million Online Fraud Case
  "A criminal network operating a large-scale online fraud scheme has been dismantled through a collaborative investigation involving Austrian and Albanian authorities, with support from Europol and Eurojust. The operation, which spanned over two years, resulted in the arrest of ten individuals, the search of multiple premises, and the seizure of nearly EUR 900 000 in cash. The criminal network, allegedly operating several call centres in Tirana, Albania, is believed to have caused significant financial damage, totalling at least EUR 50 million. The call centres were professionally set up and organised, resembling legitimate business structures featuring a clear division of roles and hierarchical management."
  https://www.europol.europa.eu/media-press/newsroom/news/call-centres-dismantled-and-ten-arrested-in-eur-50-million-online-fraud-case
  https://www.bleepingcomputer.com/news/security/european-police-dismantles-50-million-crypto-investment-fraud-ring/
• Coordinated Takedown Of Scam Centers Leads To At Least 276 Arrests; Alleged Managers And Recruiters Charged In San Diego
  "Unprecedented cooperation between the FBI, Dubai Police Department, and Chinese Ministry of Public Security has resulted in the arrest of at least 276 individuals and the dismantlement of at least nine scam centers used for cryptocurrency investment fraud schemes. These centers targeted Americans who have suffered millions of dollars in losses from such schemes. This international crackdown last week was spearheaded by the Dubai Police, under the United Arab Emirates (UAE) Ministry of Interior. Among the 275 arrested by Dubai authorities were three defendants charged in the Southern District of California with federal wire fraud and money laundering charges. An additional person was arrested by the Royal Thai Police."
  https://www.justice.gov/opa/pr/coordinated-takedown-scam-centers-leads-least-276-arrests-alleged-managers-and-recruiters
  https://therecord.media/us-china-partner-on-dubai-scam-compound-takedown
  https://www.bankinfosecurity.com/fbi-backed-takedown-hits-crypto-scam-centers-a-31551
• Cursor AI Agent Wipes PocketOS Database And Backups In 9 Seconds
  "On 24 April 2026, a disaster hit PocketOS, a Vertical SaaS provider providing the core operational infrastructure for car rental companies. In just nine seconds, a single command from an AI agent deleted the company’s entire production database along with its volume-level backups. Jer Crane, the founder of PocketOS, reported that the crisis started while using an AI coding agent called Cursor, running on Anthropic’s flagship Claude Opus 4.6 model. The agent was performing a routine task in a staging environment (private area used to test code) when it hit a credential mismatch, and instead of stopping, the agent searched through unrelated files and found a root-level API token."
  https://hackread.com/cursor-ai-agent-wipes-pocketos-database-backups/
• Researchers Track 2.9 Billion Compromised Credentials
  "The threat landscape in 2025 was characterized by a surge in compromised credentials, extortion and vulnerability exploitation, according to a new report from KELA. The threat intelligence firm tracked nearly 2.9 billion compromised credentials last year globally, it said in its latest report, The State of Cybercrime 2026: Emerging Threats & Predictions. These included usernames, passwords, session tokens, cookies found in URL, login and password (ULP) lists, breached email repositories and cybercrime marketplaces. At least 347 million were originally obtained by infostealers found on around 3.9 million infected machines."
  https://www.infosecurity-magazine.com/news/29-billion-compromised-credentials/
  https://www.kelacyber.com/resources/research/state-of-cybercrime-2026/
• Swiss Police Arrest 10 Suspected Members Of Nigeria-Linked Crime Group Black Axe
  "Swiss and German law enforcement have arrested 10 suspected members of the Nigerian criminal network Black Axe, including a regional leader believed to oversee operations in Southern Europe, authorities said on Tuesday. The arrests followed house searches across several Swiss cantons, according to a statement from Europol and Zurich authorities. The suspects, aged between 32 and 54, are accused of carrying out romance scams that caused millions of Swiss francs in losses, alongside money-laundering operations designed to move illicit profits through international financial networks."
  https://therecord.media/black-axe-switzerland-germany-cyber

อ้างอิง
Electronic Transactions Development Agency (ETDA)

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

Healthcare Sector

• Researchers Find 38 Flaws In OpenEMR. They've Been Fixed
  "Researchers at security firm Aisle said they recently identified 38 vulnerabilities, including two maximum-severity zero-day flaws in an open-source electronic medical record software platform used by about 100,000 healthcare providers globally. The platform, OpenEMR, has patched the problems. Three Aisle researchers said they discovered the bugs during the first months of this year through an artificial intelligence-driven analysis. The latest version of OpenEMR 8.0, released in February, has U.S. government certification as an electronic health record platform."
  https://www.bankinfosecurity.com/researchers-find-38-flaws-in-openemr-theyve-been-fixed-a-31520

Industrial Sector

• NSA GRASSMARLIN
  "Successful exploitation of this vulnerability could allow an attacker to disclose sensitive information."
  https://www.cisa.gov/news-events/ics-advisories/icsa-26-118-01
• OT Cybersecurity Frozen Out By Frontier Labs
  "Hyperscalers, security giants and other IT behemoths are on the list. Operational technology companies are not. The list in question is one of the most important in cybersecurity right now - the companies that have special access to powerful new models from the two major U.S. frontier artificial intelligence labs, Anthropic and OpenAI, to identify vulnerabilities before hackers get access to similar technology. "None of the OT companies, none of the organizations that are most representative of that portion of the ecosystem are participating in this and are being represented," said Tatyana Bolton, executive director of the Operational Technology Cybersecurity Coalition, a trade group that represents OT security companies and OT equipment manufacturers."
  https://www.bankinfosecurity.com/ot-cybersecurity-frozen-out-by-frontier-labs-a-31536
• Threat Landscape For Industrial Automation Systems. Europe, Q4 2025
  "High levels of email threats (phishing) and spyware clearly indicate that industrial systems in the region are highly exposed to advanced attackers. Threats from email are relevant for all industries of the region, foremost for biometrics and building automation. Attacks on computers in these industrial automation sectors significantly raise the risk of supply-chain attacks on other industries. Southern Europe led all regions in the percentage of ICS computers on which threats from email clients were blocked — 2.3 times higher than the global average."
  https://ics-cert.kaspersky.com/publications/reports/2026/04/28/threat-landscape-for-industrial-automation-systems-europe-q4-2025/
• Electric Motorcycles And Scooters Face Hacking Risks To Security And Rider Safety
  "Electric motorcycles from Zero Motorcycles and electric scooters from Yadea are affected by vulnerabilities that, if exploited, could have a physical security and safety impact. CISA recently published separate advisories for these vulnerabilities, and SecurityWeek has reached out to the researchers who reported the flaws to find out more about their potential real-world impact."
  https://www.securityweek.com/electric-motorcycles-and-scooters-face-hacking-risks-to-security-and-rider-safety/

Vulnerabilities

• Hackers Are Exploiting a Critical LiteLLM Pre-Auth SQLi Flaw
  "Hackers are targeting sensitive information stored in the LiteLLM open-source large-language model (LLM) gateway by exploiting a critical vulnerability tracked as CVE-2026-42208. The flaw is an SQL injection issue that occurs during LiteLLM's proxy API key verification step. An attacker can exploit it without authentication by sending a specially crafted Authorization header to any LLM API route. This allows reading data from the proxy's database and modifying it. According to the maintainer's security advisory, threat actors could use it for "unauthorised access to the proxy and the credentials it manages.""
  https://www.bleepingcomputer.com/news/security/hackers-are-exploiting-a-critical-litellm-pre-auth-sqli-flaw/
• Securing The Git Push Pipeline: Responding To a Critical Remote Code Execution Vulnerability
  "On March 4, 2026, we received a vulnerability report through our Bug Bounty program from researchers at Wiz describing a critical remote code execution vulnerability affecting github.com, GitHub Enterprise Cloud, GitHub Enterprise Cloud with Data Residency, GitHub Enterprise Cloud with Enterprise Managed Users, and GitHub Enterprise Server. In less than two hours we had validated the finding, deployed a fix to github.com, and begun a forensic investigation that concluded there was no exploitation. In this post, we want to share what happened, how we responded, and what we are doing to prevent similar issues in the future."
  https://github.blog/security/securing-the-git-push-pipeline-responding-to-a-critical-remote-code-execution-vulnerability/
  https://thehackernews.com/2026/04/researchers-discover-critical-github.html
  https://securityaffairs.com/191434/security/cve-2026-3854-github-flaw-enables-remote-code-execution.html
• CVE-2026-25874: Hugging Face LeRobot Unauthenticated RCE Via Pickle Deserialization
  "A critical remote code execution (RCE) vulnerability affects LeRobot, Hugging Face’s open-source robotics platform, specifically the async inference PolicyServer component. The issue stems from insecure deserialization of untrusted data using Python’s pickle module over exposed gRPC endpoints. An unauthenticated attacker who can reach the PolicyServer network port can send a malicious serialized payload and execute arbitrary OS commands on the host machine running the service. This is particularly dangerous because LeRobot is designed for GPU-backed inference systems, which often run with elevated privileges, access to robotics hardware, internal networks, datasets, and expensive compute resources."
  https://www.resecurity.com/blog/article/cve-2026-25874-hugging-face-lerobot-unauthenticated-rce-via-pickle-deserialization
  https://thehackernews.com/2026/04/critical-cve-2026-25874-leaves-hugging.html
• CISA Adds Two Known Exploited Vulnerabilities To Catalog
  "CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
  CVE-2024-1708 ConnectWise ScreenConnect Path Traversal Vulnerability
  CVE-2026-32202 Microsoft Windows Protection Mechanism Failure Vulnerability"
  https://www.cisa.gov/news-events/alerts/2026/04/28/cisa-adds-two-known-exploited-vulnerabilities-catalog

Malware

• VECT Ransomware: Why Paying Won’t Get Your Files Back
  "VECT emerged in late 2025 with an unusual ambition: rather than recruiting a small, vetted group of criminal partners in the traditional ransomware model, they opened their doors to everyone. Through a formal partnership with BreachForums, a major cybercrime marketplace, VECT distributed access to their ransomware platform to every registered member of the forum automatically. Thousands of potential operators, almost overnight. At the same time, VECT announced a partnership with TeamPCP, the group responsible for a series of supply-chain attacks earlier this year that compromised popular software tools used by businesses worldwide. The stated goal, openly announced on BreachForums, was to use that existing access as a launchpad for ransomware attacks against companies already affected by those attacks."
  https://blog.checkpoint.com/security/vect-ransomware-why-paying-wont-get-your-files-back/
  https://research.checkpoint.com/2026/vect-ransomware-by-design-wiper-by-accident/
  https://www.bleepingcomputer.com/news/security/broken-vect-20-ransomware-acts-as-a-data-wiper-for-large-files/
  https://thehackernews.com/2026/04/vect-20-ransomware-irreversibly.html
  https://www.theregister.com/2026/04/28/dont_pay_vect_a_ransom/
• Vidar Rises To Top Of Chaotic Infostealer Market
  "Credential-stealing malware Vidar, which has lurked in the cybercriminal ecosystem since 2018, has vaulted to the top of the infostealer market following law enforcement takedowns of its two biggest rivals last year. That shift was fueled by the malware author's calculated release of a major upgrade and expansion of Vidar's distribution network during the disruption, which positioned it as a go-to alternative for cybercriminals, according to new research from Intrinsec."
  https://www.darkreading.com/vulnerabilities-threats/vidar-top-chaotic-infostealer-market
  https://www.intrinsec.com/wp-content/uploads/2026/04/TLP_CLEAR-20260424-New_Vidar.pdf
• Inside a Fake DHL Campaign Built To Steal Credentials
  "X-Labs recently identified a consumer-targeted DHL phishing campaign that uses familiar brand impersonation, a fake OTP verification step and client-side credential harvesting to steal passwords from everyday users. The campaign targets individuals rather than specific organizations and shows no geographic concentration. What makes it worth examining is the OTP mechanic: a trust-building layer with no real authentication behind it, engineered entirely to lower the victim's guard before the actual theft begins. The sample analyzed here walks the victim through a spoofed shipment email, a fake parcel OTP page and a DHL-branded login portal. The final stage captures the victim's password, enriches it with IP address, device details and location data, then exfiltrates everything through EmailJS to an attacker-controlled mailbox."
  https://www.forcepoint.com/blog/x-labs/fake-dhl-phishing-campaign-credential-theft
  https://hackread.com/dhl-phishing-scam-attack-chain-steal-passwords/
• Morpheus: A New Spyware Linked To IPS Intelligence
  "We have analyzed a sample of a previously unknown Android spyware, likely developed in Italy. It is named “Morpheus”, version 2025.3.0, and we describe its capabilities, including abusing accessibility features, automatically enabling ADB and issuing commands, disabling microphone and camera indicators, pairing additional WhatsApp devices, taking screenshots, recording audio and video, and more. We link part of the infrastructure to IPS Intelligence, and discover some potentially related companies, Rever Servicenet and Iris Telecomunicazioni."
  https://osservatorionessuno.org/blog/2026/04/morpheus-a-new-spyware-linked-to-ips-intelligence/
  https://securityaffairs.com/191398/malware/new-android-spyware-morpheus-linked-to-italian-surveillance-firm.html
• Germany Suspects Russia Is Behind Signal Phishing That Targeted Top Officials
  "The German government suspects Russia is behind a series of phishing attacks on Signal targeting high-ranking politicians, including two government ministers, military personnel and journalists, a government spokesperson said. Federal prosecutors have been conducting a preliminary investigation since mid-February 2026 into alleged cyberattacks on Signal accounts, a spokesperson for the federal prosecutors confirmed on Saturday. Among other things, the investigation involves an initial suspicion of espionage, she added, without specifying which country might be involved. The German government has still not officially attributed the attacks to Russia."
  https://www.securityweek.com/germany-suspects-russia-is-behind-signal-phishing-that-targeted-top-officials/
  https://securityaffairs.com/191425/intelligence/signal-phishing-campaign-targets-german-officials-in-suspected-russian-operation.html
• LofyStealer: Malware Targeting Minecraft Players
  "During threat hunting activities conducted on the ANY.RUN platform, the artifact was identified in public submissions of the interactive sandbox. The analysis of samples available in the public repository allowed correlating hashes and network behaviors with the already mapped C2 infrastructure (24.152.36.241), confirming that the GrabBot/Slinky campaign is active and being distributed in a real environment. The sandbox results complement the static analysis presented in this report, providing dynamic execution evidence."
  https://zenox.ai/en/lofystealer-malware-mirando-jogadores-de-minecraft/
  https://thehackernews.com/2026/04/brazilian-lofygang-resurfaces-after.html
• Tall Tales: How Chinese Actors Use Impersonation And Stolen Narratives To Perpetuate Digital Transnational Repression
  "In collaboration with the International Consortium of Investigative Journalists (ICIJ), we identified two distinct actors aligned with the People’s Republic of China that have been targeting and impersonating journalists and civil society. Our findings provide insight into the Chinese government’s practice of digital transnational repression and its shift to a system of state-sponsored attacks carried out by private contractors."
  https://citizenlab.ca/research/how-chinese-actors-use-impersonation-and-stolen-narratives-to-perpetuate-digital-transnational-repression/
  https://therecord.media/china-linked-hackers-led-phishing-campaigns-journalists
• Elementary-Data Compromised On PyPI And GHCR: Forged Release Pushed Via GitHub Actions Script Injection
  "A malicious version of elementary-data (0.23.3) was published to PyPI and is, at the time of writing, still listed as the latest release. elementary-data is a widely deployed Python package for dbt data observability. The same release run also pushed a multi-arch container image to GitHub Container Registry at ghcr.io/elementary-data/elementary, tagged both 0.23.3 and latest. Every unpinned docker pull ghcr.io/elementary-data/elementary and every FROM ghcr.io/elementary-data/elementary line without a pinned tag has been pulling the trojaned image since April 24. The attacker exploited a script injection vulnerability in one of the project's own GitHub Actions workflows, then used the workflow's GITHUB_TOKEN to forge a signed release commit and dispatch the legitimate publishing pipeline against it — without ever touching the master branch or opening a pull request."
  https://www.stepsecurity.io/blog/elementary-data-compromised-on-pypi-and-ghcr-forged-release-pushed-via-github-actions-script-injection

Breaches/Hacks/Leaks

• Video Service Vimeo Confirms Anodot Breach Exposed User Data
  "Vimeo has disclosed that data belonging to some of its customers and users has been accessed without authorization following the recent breach at the Anodot data anomaly detection company. The video platform says that the threat actor accessed email addresses for some of its customers, but most of the exposed information included technical data, video titles, and metadata. "We have identified that, as a result of the Anodot breach, an unauthorized actor accessed certain Vimeo user and customer data. Our initial findings suggest that the databases accessed primarily contain technical data, video titles and metadata, and, in some cases, customer email addresses," Vimeo states."
  https://www.bleepingcomputer.com/news/security/video-service-vimeo-confirms-anodot-breach-exposed-user-data/
  https://therecord.media/vimeo-blames-security-incident-on-anodot-breach
  https://www.securityweek.com/vimeo-confirms-user-and-customer-data-breach/
• Have I Been Pwned Claims Pitney Bowes Hit By 8.2M Email Address Leak
  "Logistics technology company Pitney Bowes, which makes franking machines for US postage, is the latest scalp claimed by ShinyHunters and its ongoing spree of pay-or-leak attacks against major organizations. Data breach tracker Have I Been Pwned (HIBP) confirmed the breach on April 27, with 8.2 million unique email addresses included in the dump alongside names, phone numbers, and physical addresses. A smaller subset of the entire data trove pertained to company employment records, which included job titles."
  https://www.theregister.com/2026/04/28/pitney_bowes_is_the_latest/

General News

• US Reportedly Charges Scattered Spider Hacker Arrested In Finland
  "A 19-year-old dual United States and Estonian citizen arrested in Finland earlier this month faces federal charges in the U.S. alleging he was a prolific member of the notorious Scattered Spider hacking collective. According to temporarily unsealed court records obtained by the Chicago Tribune, the suspect (who used the online alias "Bouquet") helped extort millions of dollars from multiple large corporations worldwide. The suspected Scattered Spider member, who was allegedly arrested by Finnish law enforcement at Helsinki's airport on April 10 while attempting to board a flight to Japan, is facing wire fraud, conspiracy, and computer intrusion charges."
  https://www.bleepingcomputer.com/news/security/us-reportedly-charges-scattered-spider-hacker-arrested-in-finland/
• U.S. Companies Hit With Record Fines For Privacy In 2025
  "U.S. states issued $3.45 billion in privacy-related fines to companies in 2025, a total larger than the last five years combined, according to research and advisory firm Gartner. The increase is driven in part by stronger, more established privacy laws in states like California, new interstate partnerships built around enforcing laws across state lines, and a renewed focus to how AI and automation affect privacy. The data indicates that “regulators are shifting their efforts away from awareness to full scale enforcement,” marking a significant shift from even the last few years in how aggressively states are investigating and penalizing companies for privacy law violations."
  https://cyberscoop.com/privacy-companies-hit-with-record-fines-2025-gartner/
• ANZ Organizations Are In The Ransomware Crosshairs— What The Dark Web Is Telling Us
  "The conversation around ANZ ransomware threats has shifted noticeably over the past year. What once looked like sporadic, high-profile incidents has evolved into a sustained and structured campaign against organizations across Australia and New Zealand. Signals emerging from underground forums and marketplaces reveal a sobering reality: ransomware is no longer just a technical problem; it is an economic strategy driven by efficiency, specialization, and scale."
  https://cyble.com/blog/anz-ransomware-threats-dark-web-intelligence/
• NSA Chief During Snowden Affair Shares Regrets, Reflections 13 Years Later
  "Dark Reading's Becky Bracken: Hello everyone, and welcome to Dark Reading Confidential. It's a podcast from the editors of Dark Reading, bringing you real-world stories straight from the cyber trenches. We have a really great conversation for you today. I am joined by Chris Inglis, who was the former NSA Deputy Director during the infamous Edward Snowden affair. So he is here 13 years on to unpack a little bit about what we've learned, and hopefully pass some of that knowledge on to our enterprise cybersecurity teams listening today. Welcome, Chris. Thank you so much for joining us. Chris Inglis: Pleasure to be with you, Becky."
  https://www.darkreading.com/cyber-risk/nsa-chief-during-snowden-affair-13-years-later
• 0APT Vs. KryBit Ransomware Actors List Opposing Operators As Victims
  "On 13 April 2026, the recently emerged Ransomware-as-a-Service (RaaS) actors 0APT and KryBit began leaking each other’s operational and infrastructure data on their respective leak sites. 0APT also claimed to leak data from Everest and RansomHouse ransomware groups. This type of activity is unusual: 0APT used their initially failing affiliate operation and turned it against not only KryBit, but other ransomware operators. However, the impact to Everest and RansomHouse operations was little to none. KryBit instead retaliated and took over full control of the 0APT data leak site. Both 0APT and KryBit operations likely will now attempt to move and rebuild their infrastructure because of the significant impact of the leaks on each of their operations."
  https://www.halcyon.ai/ransomware-research-reports/0apt-vs-krybit-ransomware-actors-list-opposing-operators-as-victims
  https://www.darkreading.com/threat-intelligence/feuding-ransomware-groups-leak-data
  https://www.infosecurity-magazine.com/news/ransomware-turf-war-0apt-krybit/
• Why Unofficial Download Sources Are Still a Security Risk In 2026
  "When people think about cybersecurity mistakes, they usually think about the obvious ones. Phishing emails, weak passwords, malicious attachments, a malicious browser extension, or a missed update. Those are all real problems. But there is another mistake that still slips past people all the time: downloading software from the wrong place. It may sound minor to many, but in reality, it is a big deal for all the wrong reasons. Many users still find software the same way they always have. They search for it, click the first result that looks right, grab the installer, and move on."
  https://hackread.com/unofficial-download-sources-security-risk-in-2026/
• No Metrics Are Better Than Bad Metrics In The SOC, Says NCSC
  "Many of the most common metrics used to measure the effectiveness of the security operations center (SOC) are at best inaccurate and at worst actively harm SecOps teams, the National Cyber Security Centre (NCSC) has warned. The NCSC’s CTO for architecture, Dave Chismon, wrote in a blog post that organizations often gravitate to measurements that can be easily expressed numerically to individuals who aren’t security specialists. However, if “number of tickets processed” or “time taken to close a ticket” are used as metrics, staff may perversely be incentivized to rapidly triage and close them as false positives rather than investigate."
  https://www.infosecurity-magazine.com/news/no-metrics-better-bad-metrics-soc/
• Cyber Insurance Data Gives CISOs New Ammo For Budget Talks
  "CFOs and boards need to understand risk in financial terms. Insurance data can do this. Obtaining adequate cybersecurity budget from the board requires translating technical risk into business financial risk – an ability that is not always available to security technicians. Resilience, a firm that provides insurance, risk decision support and consultancy, can assist. Through its insurance service, Resilience can directly relate financial loss to specific cybersecurity events and their likely occurrence, allowing CISOs to present technical risk as the monetary risk that CFOs and board members readily understand."
  https://www.securityweek.com/cyber-insurance-data-gives-cisos-new-ammo-for-budget-talks/
• Ukrainian Police Detain Hackers Suspected Of Stealing Thousands Of Roblox Accounts For Resale
  "Ukrainian law enforcement has detained a group of local hackers suspected of stealing more than 610,000 user accounts from the gaming platform Roblox and reselling them for cryptocurrency on Russian websites, authorities said. Police said on Monday the victims included both Ukrainian and foreign players whose accounts contained valuable digital items, rare equipment and in-game currency purchased with real money. Some accounts also held remaining balances of Roblox’s virtual currency, making them particularly attractive to cybercriminals. The suspects face up to 15 years in prison if convicted and have been placed in pretrial detention while the investigation continues."
  https://therecord.media/ukraine-police-detain-hackers-suspected-of-stealing-roblox-accounts

อ้างอิง
Electronic Transactions Development Agency (ETDA)

เมื่อวันที่ 28 เมษายน 2026 Cybersecurity and Infrastructure Security Agency (CISA) ได้เพิ่มช่องโหว่ใหม่ 2 รายการลงในแคตตาล็อก Known Exploited Vulnerabilities (KEV) จากหลักฐานที่พบว่ามีการโจมตีใช้งานจริงแล้ว มีรายละเอียดดังนี้

• CVE-2024-1708 ConnectWise ScreenConnect Path Traversal Vulnerability
• CVE-2026-32202 Microsoft Windows Protection Mechanism Failure Vulnerability

อ้างอิง
https://www.cisa.gov/news-events/alerts/2026/04/28/cisa-adds-two-known-exploited-vulnerabilities-catalog
สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

Cybersecurity and Infrastructure Security Agency (CISA) ได้เผยแพร่คำแนะนำเกี่ยวกับระบบควบคุมอุตสาหกรรม (ICS) จำนวน 1 รายการ เมื่อวันที่ 28 เมษายน 2569 เพื่อให้ข้อมูลที่ทันเวลาเกี่ยวกับประเด็นด้านความมั่นคงปลอดภัย ช่องโหว่ และการโจมตีที่เกี่ยวข้องกับระบบ ICS โดยมีรายละเอียดดังนี้

• ICSA-26-118-01 NSA GrassMarlin

CISA แนะนำให้ผู้ใช้งานและผู้ดูแลระบบ ตรวจสอบคำแนะนำ ICS ที่เผยแพร่ล่าสุด เพื่อศึกษารายละเอียดทางเทคนิคและแนวทางการลดความเสี่ยง (mitigations)

อ้างอิง
https://www.cisa.gov/news-events/ics-advisories