NCSA Webboard

    NCSA_THAICERT (@NCSA_THAICERT)
    Global Moderator, administrators
    Website: www.ncsa.or.th

    Latest posts made by NCSA_THAICERT

    • Warning for WordPress administrators: update the Kirki and Burst Statistics plugins after vulnerabilities were found that could allow site takeover

      You can follow news on the webboard or on Facebook NCSA Thailand.

      Posted in Cyber Security News
    • Cyber-espionage campaign found targeting the Outlook accounts of stock exchange executives for more than 5 months

      Posted in Cyber Security News
    • Threat group found using AI to build an automated malware-testing system to evade EDR detection

      Posted in Cyber Security News
    • CISA adds 1 known exploited vulnerability to its catalog

      On 3 June 2026 (B.E. 2569), the Cybersecurity and Infrastructure Security Agency (CISA) added 1 new vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. Details are as follows:

      • CVE-2026-45247 Mirasvit Full Page Cache Warmer Deserialization of Untrusted Data Vulnerability

      Reference
      https://www.cisa.gov/news-events/alerts/2026/06/03/cisa-adds-one-known-exploited-vulnerability-catalog

      Posted in Cyber Security News
    • CISA adds 2 known exploited vulnerabilities to its catalog

      On 2 June 2026 (B.E. 2569), the Cybersecurity and Infrastructure Security Agency (CISA) added 2 new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. Details are as follows:

      • CVE-2022-0492 Linux Kernel Improper Authentication Vulnerability
      • CVE-2025-48595 Android Framework Integer Overflow Vulnerability

      CISA will continue to update the KEV catalog and add new vulnerabilities to it so that it covers the risks actually observed in the wild, now and in the future.

      Reference
      https://www.cisa.gov/news-events/alerts/2026/06/02/cisa-adds-two-known-exploited-vulnerabilities-catalog

      Posted in Cyber Security News
    • CISA publishes 7 Industrial Control Systems (ICS) advisories

      On 4 June 2026 (B.E. 2569), the Cybersecurity and Infrastructure Security Agency (CISA) published 7 advisories on Industrial Control Systems (ICS) to provide timely information on security issues, vulnerabilities, and exploits affecting ICS. Details are as follows:

      • ICSA-26-155-01 NAVTOR NavBox
      • ICSA-26-155-02 Hitachi Energy ITT600 Explorer
      • ICSA-26-155-03 B&R PPT30 Operating System
      • ICSA-26-155-04 Hitachi Energy RTU500
      • ICSA-26-155-05 Hitachi Energy MACH HiDraw
      • ICSA-24-184-03 Mitsubishi Electric Iconics Digital Solutions and Mitsubishi Electric Products (Update E)
      • ICSA-25-238-03 Schneider Electric Modicon M340 Controller and Communication Modules (Update A)

      Reference
      https://www.cisa.gov/news-events/ics-advisories

      Posted in OT Cyber Security News
    • CISA publishes 2 Industrial Control Systems (ICS) advisories

      On 2 June 2026 (B.E. 2569), the Cybersecurity and Infrastructure Security Agency (CISA) published 2 advisories on Industrial Control Systems (ICS) to provide timely information on security issues, vulnerabilities, and exploits affecting ICS. Details are as follows:

      • ICSA-25-219-06 Dreame Technology iOS and Android Mobile Applications (Update A)
      • ICSA-25-079-01 Schneider Electric EcoStruxure Process Expert (Update A)

      CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations.

      Reference
      https://www.cisa.gov/news-events/ics-advisories

      Posted in OT Cyber Security News
    • Cyber Threat Intelligence 05 June 2026

      Industrial Sector

      • From Critical To Controlled: Cutting Vulnerabilities In a Live Manufacturing Environment
        "A vulnerability scanner flags a critical CVSS 10 vulnerability on an industrial asset. The report lands in the boss’ inbox and now he wants to know why we’re sitting on a critical vulnerability. In a normal IT environment, you patch it then close the ticket and call it a day. If, however, you’re in OT or dealing with ICS in a live manufacturing facility, it’s rarely that simple. Here’s the framework I use to answer the question “Does this finding represent an exploitable vulnerability in our environment”:"
        https://www.helpnetsecurity.com/2026/06/04/ot-vulnerability-management-process/

      Vulnerabilities

      • Attackers Actively Exploiting Critical Vulnerability In Everest Forms Pro Plugin
        "On March 30th, 2026, we publicly disclosed a critical Remote Code Execution vulnerability in Everest Forms Pro, a WordPress plugin with an estimated 4,000 active installations. This vulnerability can be leveraged by unauthenticated attackers to execute arbitrary PHP code on the server, leading to complete site compromise. The vendor released the fully patched version on March 18th, 2026. Our records indicate that attackers started exploiting the issue on April 13th, 2026. The Wordfence Firewall has already blocked over 29,300 exploit attempts targeting this vulnerability."
        https://www.wordfence.com/blog/2026/06/attackers-actively-exploiting-critical-vulnerability-in-everest-forms-pro-plugin/
        https://www.infosecurity-magazine.com/news/everest-forms-pro-rce-actively/
      • Cisco Warns Of Critical Unified CM Flaw With PoC Exploit Code
        "Cisco has released security updates to patch a critical-severity Unified Communications Manager (Unified CM) flaw that allows attackers to gain root privileges. Cisco Unified CM (formerly known as Cisco CallManager) serves as the central control system for Cisco IP telephony systems, handling device management, call routing, and telephony features. The vulnerability (tracked as CVE-2026-20230) can be exploited remotely by threat actors without privileges in low-complexity server-side request forgery (SSRF) attacks."
        https://www.bleepingcomputer.com/news/security/cisco-warns-of-critical-unified-cm-flaw-with-poc-exploit-code/
        https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cucm-ssrf-cXPnHcW
        https://thehackernews.com/2026/06/cisco-patches-cve-2026-20230-in-unified.html
        https://www.securityweek.com/cisco-warns-of-available-poc-for-critical-unified-cm-vulnerability/
        https://securityaffairs.com/193142/hacking/critical-cisco-unified-cm-bug-patched-as-public-exploit-code-emerges.html
      • Poisoning Claude Code: One GitHub Issue To Break The Supply Chain
        "Hello, I’m RyotaK (@ryotkak), a security researcher at GMO Flatt Security Inc. After publishing my previous article (Pwning Claude Code in 8 Different Ways), I continued investigating Claude-related products and found several more vulnerabilities. In this article, I will explain a vulnerability in Claude Code’s GitHub Actions that could allow an attacker to compromise any repository that uses the Claude Code workflow, including Anthropic’s own repositories."
        https://flatt.tech/research/posts/poisoning-claude-code-one-github-issue-to-break-the-supply-chain/
        https://thehackernews.com/2026/06/claude-code-github-action-flaw-let-one.html
      • CVE-2026-23479: Redis Use-After-Free In UnblockClientOnKey Leading To RCE
        "CVE-2026-23479 is a use-after-free inside Redis's blocking-client code path that allows an authenticated user to execute arbitrary operating system commands on the Redis host. The use-after-free occurs in unblockClientOnKey() (src/blocked.c), where the function calls processCommandAndResetClient() without checking whether the client was freed as a side effect before continuing to access the client structure. The vulnerability was discovered by Xint Code, a fully autonomous AI-powered security analysis tool, and a working RCE exploit was demonstrated at ZeroDay.Cloud 2025 (London, Dec 10-11, 2025). The Redis team shipped patches on May 5, 2026 across the 7.2.x, 7.4.x, 8.2.x, 8.4.x, and 8.6.x release series."
        https://www.zeroday.cloud/blog/redis-cve-2026-23479-deep-dive
        https://thehackernews.com/2026/06/autonomous-ai-tool-finds-2-year-old-rce.html

      Malware

      • Hola Browser For Windows Compromised To Deliver Cryptominer
        "The Windows version of the Hola Browser has been compromised in a supply chain attack that delivered an undeclared executable identified by researchers as a cryptocurrency miner. The compromise was uncovered during periodic certification checks on Hola Browser as part of its AppEsteem certification testing procedure, which it had previously passed. Hola is an Israeli company best known for Hola VPN, a service that allows users to route internet traffic through other users' devices or through paid proxy infrastructure to bypass geographic restrictions and access content from different countries."
        https://www.bleepingcomputer.com/news/security/hola-browser-for-windows-compromised-to-deliver-cryptominer/
        https://www.sophos.com/en-us/blog/you-do-surprise-me-exe-an-unexpected-executable-in-hola-browser
      • Credit Card Theft Campaign Abuses Stripe To Host Stolen Payment Info
        "A new Magecart campaign is using Stripe's API infrastructure to host the credit card-stealing payload and the data exfiltrated from checkout pages. The entire malicious activity relies on Google Tag Manager and Stripe domains - googletagmanager.com and api.stripe.com - that are trusted implicitly by online stores. The new malware family was discovered by researchers at ecommerce security company Sansec, who found that the malicious code is loaded from a Google Tag Manager (GTM) container and executes on every page that loads it."
        https://www.bleepingcomputer.com/news/security/credit-card-theft-campaign-abuses-stripe-to-host-stolen-payment-info/
      • IronWorm: Shai-Hulud's Rustier Cousin
        "In this article we present research on a malicious npm package that led us to IronWorm: a heavy, Rust-built infostealer that scrapes every secret it can find on a developer's machine, hides behind an eBPF kernel rootkit, and answers to its operator over Tor. Like the infamous Shai-Hulud worm, it turns stolen credentials into a propagation mechanism, quietly committing itself into victims’ GitHub repositories and using trusted developer workflows to publish itself to the NPM registry. This is a self-replicating supply-chain attack, caught in the wild, aimed squarely at the people with the most valuable keychains around: software developers, and crypto/web3 developers in particular."
        https://research.jfrog.com/post/iron-worm-shai-hulud-rustier-cousin/
        https://www.bleepingcomputer.com/news/security/new-ironworm-malware-hits-36-packages-in-npm-supply-chain-attack/
        https://www.darkreading.com/cyberattacks-data-breaches/rust-written-ironworm-npm-supply-chain
      • Fraud, Ransomware, And Fake Apps Are Already Targeting FIFA 2026
        "The FIFA World Cup 2026 kicks off on June 11. Across 16 cities in the US, Canada, and Mexico, billions of people will be watching, traveling, betting, and spending. Threat actors have been watching too, and for far longer. Check Point Research and Check Point Exposure Management spent the past year tracking the cyber threat landscape building around this tournament. What emerged is a coordinated pre-positioning effort across three sectors that sit at the center of the World Cup economy: finance, travel and hospitality, and gambling. The infrastructure is already built, with most of them already live."
        https://blog.checkpoint.com/exposure-management/fraud-ransomware-and-fake-apps-are-already-targeting-fifa-2026/
      • Cybercriminals Are Targeting The FIFA World Cup 2026
        "Starting June 11, the FIFA World Cup 2026 will unite fans, teams, sponsors, broadcasters, hospitality providers, and businesses in one of the world’s largest sporting events. It also presents a significant opportunity for cybercriminals. Major international sporting events create great anticipation, attract high search volume, evoke strong emotions, and drive large volumes of digital transactions. Fans are searching for tickets, travel offers, merchandise, live streams, betting sites, job openings, and event updates. Meanwhile, organizations are busy with logistics, staffing, travel arrangements, customer service, media tasks, and coordinating with third parties. Threat actors have anticipated these scenarios and have already started exploiting them."
        https://www.fortinet.com/blog/threat-research/cybercriminals-are-targeting-the-fifa-world-cup-2026
      • Lazarus Group's Latest: Brandjacking Campaign On Npm
        "Sonatype is tracking a Lazarus Group campaign on npm, consisting of dozens of packages, some with up to 500 weekly downloads, aiming to abuse trust in open source to deploy malware. Leveraging tactics like suffix-addition, embedding, version mimicry, and more, brandjacking packages like this are designed to look like something that would belong in a developer environment. These aren't mere typosquats. In this campaign, attackers seek to dupe developers looking for Buffer, Chai, React, and more, to deploy secondary, more nefarious payloads. We took a closer look at the malicious buffer-utilities package to understand attacker intentions."
        https://www.sonatype.com/blog/lazarus-groups-latest-brandjacking-campaign-on-npm
        https://hackread.com/lazarus-group-npm-brandjacking-target-developers/
      • Impersonation, Click Hijacking, And TDS: Inside a Malware Distribution Ecosystem
        "Check Point Research investigated a large-scale operation that impersonates open-source and freeware projects to capture search traffic, including lookalikes for researcher and security tooling such as Ghidra, dnSpy, and SpiderFoot. The sites are well-designed and often look like legitimate project portals at a glance, sometimes referencing real upstream resources. The deception is not in the page content alone, it’s in what happens when a user interacts. Our analysis shows these pages load a CloudFront-hosted JavaScript staging layer that converts a click on a “download” button/link into a handoff to a Traffic Distribution System (TDS). The TDS enforces strict gating: first-visit state, mandatory click confirmation, anti-bot/anti-analysis logic, VPN/datacenter filtering, and frequency capping."
        https://research.checkpoint.com/2026/impersonation-click-hijacking-and-tds-inside-a-malware-distribution-ecosystem/
        https://thehackernews.com/2026/06/fake-sites-mimicking-open-source-tools.html
      • Five Eyes Warn Chinese Spies Are Using Job Sites To Recruit Insiders
        "China's military intelligence services are increasingly turning to online job platforms with thousands of adverts intended to recruit people with access to sensitive information, the Five Eyes intelligence partnership warned on Wednesday in its first joint bulletin of its kind. The alert, titled Safeguarding Our Secrets, was issued by the domestic security and counterintelligence agencies of Australia (ASIO), Canada (CSIS), the United States (FBI), the United Kingdom (MI5) and New Zealand (NZSIS). It warned that Chinese intelligence officers are posing as recruiters and consultants for front companies based outside China in order to target Five Eyes government and military personnel “and anyone with access to classified or privileged information.”"
        https://therecord.media/five-eyes-warns-chinese-spies-are-using-job-sites-to-recruit-insiders
        https://www.mi5.gov.uk/sites/default/files/2026-06/SAFEGUARDING OUR SECRETS PUBLICATION.pdf
        https://hackread.com/five-eyes-chinese-spies-fake-job-ads-military-staff/
        https://www.theregister.com/security/2026/06/04/five-eyes-china-expanding-state-secret-recruitment-campaign/5250978
      • Pink Is The Latest Goon Squad To Use Fake Helpdesk Calls To Steal Creds
        "A new extortion brand called Pink – which may be a rebrand of BlackFile – uses voice phishing and fake help-desk calls to gain initial access to organizations’ IT environments, steal their sensitive data, and threaten to leak it unless the victims pay a ransom demand. Palo Alto Networks' Unit 42 first spotted the gang, which it tracks as cluster CL-CRI-1147, and its data-leak site, which went live on May 31. “Pink uses vishing and IT impersonation to phish credentials/MFA, then exfiltrates enterprise cloud storage and productivity data to extort victims,” the threat-intelligence biz said in a LinkedIn post."
        https://www.theregister.com/cyber-crime/2026/06/04/pink-is-the-latest-goon-squad-to-use-fake-helpdesk-calls-to-steal-creds/5251434

      Breaches/Hacks/Leaks

      • DentaQuest Data Breach Exposed Info Of 2.6 Million Accounts
        "A data breach at the dental benefits administrator DentaQuest has reportedly exposed the sensitive data of 2.6 million accounts. The security incident came to light last month, when the infamous extortion group ShinyHunters listed the company on its data leak site and claimed to have stolen more than 234 GB of data. Following what the threat actor describes as a failure to reach an agreement with the company, the data was publicly leaked."
        https://www.bleepingcomputer.com/news/security/dentaquest-data-breach-exposed-info-of-26-million-accounts/
      • UN Food Agency Discloses Breach Affecting 600,000 Gaza Households
        "The United Nations' World Food Programme (WFP), the world's largest humanitarian organization, revealed over the weekend that its self-registration application (SRA) for Palestine was breached. The WFP disclosed the incident in a Sunday Telegram message, saying that the self-registration application used for assistance registration in Gaza had been breached. During the breach, the attackers gained access to personal data belonging to beneficiaries across the Gaza Strip, including affected individuals' names, ID numbers, phone numbers, and location information (such as neighborhood data recorded during registration)."
        https://www.bleepingcomputer.com/news/security/un-world-food-programme-breach-affects-600-000-gaza-households/
        https://therecord.media/un-food-agency-investigates-gaza-aid-breach
      • iFood Confirms Data Breach Affecting 1.2 Million Users In Brazil
        "Brazilian food delivery app iFood has confirmed becoming the victim of a data breach in December 2025 that affected 1.2 million users (which makes up about 2% of its customer base). According to the iFood announcement on Wednesday, June 3, the incident was an isolated issue where hackers took names, phone numbers, addresses, and CPF numbers. Like Social Security Numbers (SSN) in the United States, CPFs are Brazilian taxpayer identity documents used everywhere for everyday tasks like opening bank accounts, shopping, and verifying identity. Fortunately, iFood clarified that hackers did not get passwords, bank details, or credit card records."
        https://hackread.com/ifood-confirms-data-breach-brazil-users/

      General News

      • 4 Critical Threats Where Attackers Have The Advantage
        "Enterprise defenses for four critical threats are overmatched and in urgent need of improvement. That's according to several analysts who spoke at the Gartner Security and Risk Management Summit this week. In a session on Monday, John Watts, VP analyst at Gartner, highlighted deepfakes, software supply chain risks, prompt injections, and AI application compromises as the four most pressing threats for enterprises."
        https://www.darkreading.com/vulnerabilities-threats/4-critical-threats-attackers-advantage
      • OAuth Marketplace Apps Keep Access After Publishers Vanish
        "Installing an app from the Google Workspace Marketplace or GitHub Marketplace can grant a third party access to company email, files, calendars, code repositories, CI workflows, organization settings, and secrets. Marketplace presence gives these apps the appearance of approval. The OAuth grants behind them often reach into business systems beyond the listed function. An audit by OhAuth, the OAuth research project from identity security company Offroad, covered 2,890 public OAuth app listings, with 1,595 on Google Workspace Marketplace and 1,295 on GitHub Marketplace. Their combined reported install footprint reaches at least 4.39 billion. That figure is a lower bound. Marketplace install labels use rounded values such as 1M+, so the number represents reported installs."
        https://www.helpnetsecurity.com/2026/06/04/oauth-marketplace-apps-audit/
      • Spotless Compliance Evidence Can Still Hide a Broken Control
        "In this interview with Help Net Security, Marc Rubbinaccio, Head of Cybersecurity and Compliance at Secureframe, explains where security teams go wrong when preparing for CMMC and FedRAMP 20x. The conversation covers how organizations check the 110 requirements but miss the 320 assessment objectives beneath them, why spotless SOC 2 evidence can hide a broken control, and how continuous monitoring is changing compliance work. It also includes advice for junior practitioners on AI and practical moves a mid-market defense supplier can use to get ready for a CMMC Level 2 assessment on a tight budget."
        https://www.helpnetsecurity.com/2026/06/04/marc-rubbinaccio-secureframe-cmmc-compliance-readiness/
      • ETSI Sets Security Requirements For AI Data Centers And Cloud Platforms
        "ETSI has published TS 104 033, a technical specification that defines security requirements for AI computing platforms. The specification establishes a security framework for platforms used to host AI applications in data center and edge computing environments, covering security functions, platform components, interfaces, and services designed to protect AI models, datasets, training processes, and inference workloads. “This work builds on the AI computing platform security framework we have previously developed and marks a significant step forward in establishing concrete and actionable security requirements for the platform itself,” said Scott Cadzow, Chair of the ETSI Technical Committee Securing AI."
        https://www.helpnetsecurity.com/2026/06/04/etsi-securing-ai-computing-platforms-standard/
        https://www.etsi.org/deliver/etsi_ts/104000_104099/104033/01.01.01_60/ts_104033v010101p.pdf
      • Infosecurity Europe: AI Adoption Creates New Opportunities For Attackers To Distribute Malware, Microsoft Warns
        "The Microsoft Detection and Response Team (DART) has issued advice on how organizations and their security teams should respond to the rising issue of AI-powered cyber threats. “AI is amazing, it makes our job easier. But the same AI that’s useful can be easily manipulated by threat actors; we’ve seen it in social engineering and in our day-to-day investigations,” said Mary Asaolu, senior security researcher at Microsoft, during Infosecurity Europe on June 3."
        https://www.infosecurity-magazine.com/news/attackers-ai-adoption-malware/
      • Agentic AI Is Transforming Defense, But Only Secure IT Infrastructure Will Maximize It
        "Over the past several weeks, the cybersecurity community has been reminded how quickly frontier and agentic AI in defense networks can challenge our assumptions. When Anthropic's Claude Mythos model was made available to a limited set of organizations as a technical preview, it was reported that an unauthorized group claimed that it had gained access within hours. The incident, if true, was more than a possible breach. It was a warning."
        https://thehackernews.com/2026/06/agentic-ai-is-transforming-defense-but.html
      • Scam Center Strike Force Announces Results Of U.S. & Private Industry “Disruption Week”
        "The Department of Justice, through U.S. Attorney Jeanine Ferris Pirro for the District of Columbia and Assistant Attorney General A. Tysen Duva of the Justice Department’s Criminal Division, today announced the results of a first-of-its-kind event combining the focus of government entities and private industries to tackle cyber-enabled and cryptocurrency fraud targeting Americans. During “Disruption Week,” the private sector took voluntary action to interrupt millions of social media, email, and internet access accounts used by transnational organized crime actors in Southeast Asia that were being used to defraud Americans, and the government shared information which enabled private sector actors to voluntarily freeze over $3.8 million in cryptocurrency involved in laundering of funds stolen from Americans."
        https://www.justice.gov/opa/pr/scam-center-strike-force-announces-results-us-private-industry-disruption-week
        https://thehackernews.com/2026/06/doj-disrupts-southeast-asia-crypto.html
        https://www.securityweek.com/over-1-4-million-accounts-disrupted-in-cybercrime-crackdown/
      • Russia Seeks To Label Two Anti-Kremlin Hacker Groups As ‘extremist’
        "Russia is seeking to designate two hacker groups, Belarusian Cyber Partisans and Silent Crow, as extremist organizations and ban their activities in the country. The groups have previously claimed responsibility for cyberattacks targeting critical infrastructure and government institutions in Russia and Belarus. Russia’s Supreme Court said on Wednesday it would consider a request to ban the groups during a closed-door hearing. The court did not explain why it was seeking to designate them as extremist organizations."
        https://therecord.media/russia-seeks-extremist-label-for-hacker-groups

      Reference
      Electronic Transactions Development Agency (ETDA)

      Posted in Cyber Security News
    • Cyber Threat Intelligence 04 June 2026

      Vulnerabilities

      • Acer Working To Patch Max Severity Zero-Days In Wave 7 Routers
        "Acer confirmed that it's working to address two maximum-severity zero-day vulnerabilities affecting its Wave 7 mesh routers. According to a Friday security advisory, the two security flaws were reported by security researcher Gergo Pap and affect Wave 7 routers running firmware version T7c_GBL_1.01.000055 or earlier. The first zero-day, a broken access control vulnerability tracked as CVE-2026-49200, can allow unauthenticated attackers to remotely access plaintext credentials stored in log archives."
        https://www.bleepingcomputer.com/news/security/acer-warns-of-max-severity-zero-days-affecting-wave-7-routers/
      • New 'HTTP/2 Bomb' DoS Attack Crashes Web Servers In Under a Minute
        "A new denial-of-service (DoS) attack dubbed HTTP/2 Bomb can be launched from a single machine to take down web servers within seconds. The technique works on default HTTP/2 configurations of major web servers, including NGINX, Apache HTTP Server, Microsoft IIS, Envoy, and Cloudflare Pingora. Discovered by OpenAI's Codex software agent under the guidance of researchers at offensive security firm Calif, HTTP/2 Bomb combines two previously known HTTP/2 DoS methods: the HPACK compression amplification and Slowloris-style resource retention via HTTP/2 flow-control stalling."
        https://www.bleepingcomputer.com/news/security/new-http-2-bomb-dos-attack-crashes-web-servers-in-under-a-minute/
        https://blog.calif.io/p/codex-discovered-a-hidden-http2-bomb
        http://github.com/califio/publications/tree/main/MADBugs/http2-bomb
        https://thehackernews.com/2026/06/new-http2-bomb-vulnerability-allows.html
        https://www.securityweek.com/http-2-bomb-exploit-knocks-web-servers-offline-in-seconds/
      • CISA Adds One Known Exploited Vulnerability To Catalog
        "CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
        CVE-2026-45247 Mirasvit Full Page Cache Warmer Deserialization of Untrusted Data Vulnerability"
        https://www.cisa.gov/news-events/alerts/2026/06/03/cisa-adds-one-known-exploited-vulnerability-catalog
      • VS Code Zero-Day Lets Hackers Steal GitHub Tokens In One Click
        "A security researcher has released exploit code for a Visual Studio Code (VS Code) zero-day vulnerability that allows attackers to steal GitHub authentication tokens by tricking users into clicking a link. Microsoft classifies a software flaw as a zero-day if it is publicly disclosed and/or actively exploited with no official patch currently available. As researcher Ammar Askar explained in a blog post on Tuesday, this VS Code vulnerability allows attackers to install malicious extensions that steal GitHub OAuth tokens when they are passed to github.dev (a browser-based version of Visual Studio Code used to work on GitHub repositories) by exploiting VS Code's sandboxed webview message-passing system."
        https://www.bleepingcomputer.com/news/security/vs-code-zero-day-lets-hackers-steal-github-tokens-in-one-click/
        https://blog.ammaraskar.com/github-token-stealing/
        https://thehackernews.com/2026/06/one-click-github-dev-attack-lets.html
        https://www.theregister.com/security/2026/06/03/another-bug-hunter-leaks-microsoft-exploits-in-defiance-of-companys-handling-of-vulnerability-disclosures/5250590
      • Gemini’s Secret Affair: Exploiting Gemini Voice Assistant Through Instant Messaging Apps
        "SafeBreach Labs researchers discovered a new security vulnerability that allows attackers to exploit Google Gemini through notification-based indirect prompt injections from messaging apps like WhatsApp, Slack, and SMS. By bypassing Google’s previous defenses using a novel technique called “Fake Context Alignment,” researchers demonstrated how an attacker can manipulate conversational context silently—hiding malicious instructions in foreign languages or muted hyperlinks—to force the assistant into executing unauthorized actions. These exploits include controlling smart home devices, launching unauthorized video streams, orchestrating large-scale social engineering by faking messages from trusted contacts, and poisoning long-term memory for persistent access."
        https://www.safebreach.com/blog/gemini-voice-assistant-prompt-injection-exploit
        https://www.darkreading.com/application-security/malicious-notifications-could-trick-google-gemini-users
        https://thehackernews.com/2026/06/whatsapp-slack-notifications-could.html

      Malware

      • TA4922: The Suspected Chinese Crime Group Is Going Global
        "The Chinese-speaking cybercriminal ecosystem has grown dramatically in recent years. Many of the threats observed in the landscape are descendants of malware first used by Chinese espionage threat actors, namely Gh0stRAT and related payloads, and frequently targeted Chinese-speaking users. But as Chinese-speaking cybercriminals develop better capabilities in malware, social engineering, and global targeting, their footprint is expanding, and more actor clusters are emerging. In this report, we’ll dive into TA4922, a newly designated Chinese-speaking threat actor largely targeting East Asia."
        https://www.proofpoint.com/us/blog/threat-insight/ta4922-suspected-chinese-crime-group-going-global
        https://www.bleepingcomputer.com/news/security/chinese-hackers-use-new-atlas-rat-malware-in-european-cyberattacks/
        https://hackread.com/china-ta4922-hackers-uk-europe-silentrunloader-malware/
      • CISA Warns Of Cyberattacks Targeting Fuel Tank Monitoring Systems
        "CISA, the FBI, the NSA, the Department of Energy, and other US government partners are warning that hackers are targeting internet-exposed automatic tank gauge (ATG) systems used to monitor fuel and liquid storage tanks across various critical infrastructure sectors. The cybersecurity agency says that ATG systems are commonly used in the Energy, Chemical, Food and Agriculture, and Transportation Systems sectors to remotely monitor storage tank levels, temperatures, and potential leaks. The US government says threat actors are targeting exposed devices and modifying system settings through command execution."
        https://www.bleepingcomputer.com/news/security/cisa-warns-of-cyberattacks-targeting-fuel-tank-monitoring-systems/
        https://www.ic3.gov/CSA/2026/260602.pdf
      • Inside The Cross-Platform Propagation Of a New Gafgyt Variant C0XMO
        "This past March, FortiGuard Labs discovered a new Gafgyt botnet variant, C0XMO, that spreads by exploiting CVE-2021-27137. Our analysis revealed that, unlike earlier versions, this malware separates its lateral movement into a standalone Python script. This approach helps the attacker target various system architectures and device types more efficiently. Below is a detailed technical overview of its structure, propagation methods, and attack features. The threat actor delivered the malware by exploiting CVE-2021-27137, a stack buffer overflow in the UPnP service of vulnerable DD-WRT router firmware versions. The vulnerability occurs when the SSDP parser mishandles oversized ST:uuid: values in specially crafted M-SEARCH requests sent via UDP port 1900."
        https://www.fortinet.com/blog/threat-research/inside-cross-platform-propagation-of-new-gafgyt-variant-c0xmo
      • Error 524 Decoy: Unmasking a Global Smishing Operation Hiding Behind Error Pages
        "Latin America, characterized by high mobile penetration and uneven SMS anti-spoofing controls, is often exploited by fraud operators. Group-IB researchers have identified a sophisticated, large-scale smishing and phishing operation, active since the second half of 2025, that uses the region as its primary theater and has expanded to 72 countries across the globe. This campaign has impersonated over 267 unique brands across sectors like telecommunications and financial services, successfully generating thousands of phishing domain instances aimed at harvesting full credit card credentials and personal identifiers."
        https://www.group-ib.com/blog/error-524-decoy-smishing/
      • How Attackers Are Gaining Access To LLM Inference
        "The most capable commercial AI models are now useful enough to attackers that they have become an integral part of their kill chain, in multiple steps. The Cybench benchmark tests models on offensive cyber tasks. Its current top performers (Claude Opus 4.6, Claude Sonnet 4.5, Grok 4) can write functional exploit code, reason through credential chains, and sustain complex reconnaissance workflows: multi-step offensive work that previously required human expertise. Malware families are already using this. Instead of generating a payload offline and shipping it, they wire a live LLM API into the malware itself so it can adapt its behavior at runtime on the infected host."
        https://intezer.com/blog/how-attackers-access-llm-inference/
      • We Found This Fake-Invoice Campaign While Scammers Were Still Building It
        "A new batch of fake payment invoices is being staged right now, and we caught the campaign while it was still being put together. The emails impersonate PayPal, Amazon, Geek Squad, and others, and they all share one goal: to scare you into calling a phone number where a fake “support agent” is waiting. What makes this wave unusual is that some of the templates we recovered still contained blank fields where the phone number and price should have been, while others were already complete and in circulation. We caught the campaign mid-rollout."
        https://www.malwarebytes.com/blog/threat-intel/2026/06/we-found-this-fake-invoice-campaign-while-scammers-were-still-building-it
      • Argamal: Malware Hidden In Hentai Games
        "In April 2026, we discovered a new malware campaign targeting players of “hentai” games. Once launched, the infected games install a previously unknown malicious implant on the user’s machine. After a few days, the implant downloads and executes a Trojan, resulting in full system compromise and broad remote control capabilities for the attackers. We dubbed this malware family “Argamal”. The malware uses COM hijacking to persist on the victim’s machine, replacing the InprocServer32 entry for Windows Color System Calibration Loader DLL. This task is triggered when the user logs in, effectively allowing the malware to run at startup."
        https://securelist.com/argamal-rat-distributed-with-hentai-games/119999/
      • Espionage Campaign Targeted Stock Exchange Executive For Five Months
        "A five-month espionage campaign targeted the email account of a senior figure at a major global stock exchange. For an espionage actor, a senior executive's mailbox is a high-value intelligence target. An Outlook profile may yield details of external negotiations, internal deliberations, the executive's calendar, travel pattern, and their contacts. Organizations such as exchanges and regulators may hold non-public information about listings, enforcement actions and market-moving events. Months of unfettered access to that mailbox lets an attacker build a near-complete picture of the target's working life and the organization's near-term direction without ever having to move laterally elsewhere on the network."
        https://www.security.com/threat-intelligence/stock-exchange-espionage
        https://www.securityweek.com/hackers-target-global-stock-exchange-in-espionage-operation/
        https://securityaffairs.com/193086/intelligence/cyber-espionage-campaign-targeted-stock-exchange-executives-outlook-account.html
      • From Malspam To DesckVB RAT Deployment
        "In May 2026, the Huntress SOC responded to a DesckVB RAT infection that began with a malspam. Short for “malicious spam,” malspam is email crafted to deliver malware or trick a user into taking an action that starts the infection chain, whether that is opening a booby-trapped attachment, clicking a malicious link, or handing over credentials on a fake login page. Still to this day, malspam remains one of the most prolific initial access vectors for attackers. At first glance, this case could be mistaken for just another malspam infection, but the delivery chain tells a more interesting story."
        https://www.huntress.com/blog/malspam-to-deskcvb-rat-delivery-chain-analysis
        https://thehackernews.com/2026/06/google-doubleclick-abused-in-new.html
      • When "Moderate" Means "Sometimes"
        "On April 14, 2026, Microsoft patched CVE-2026-33829, an NTLM credential leakage bug in the Windows Snipping Tool with a CVSS score of 4.3. The issue lived in the Snipping Tool’s ms-screensketch: URI handler, the part of Windows that decides what to do when someone clicks a special kind of link. Technically, the Snipping Tool’s URI handler accepted a filePath parameter, didn't validate it, and would happily reach out to whatever UNC path you handed it. That connection could trigger NTLM authentication and expose the victim’s Net-NTLMv2 hash. In plain English: a user could be tricked into clicking what looks like an ordinary link, and their computer would automatically try to “check in” with a server controlled by the attacker."
        https://www.huntress.com/blog/unpatched-ntlm-leak-windows-search-uri-handler
        https://thehackernews.com/2026/06/unpatched-windows-search-uri.html

      Breaches/Hacks/Leaks

      • IMA Diligence Services Data Breach Impacts 525,000 People
        "IMA Diligence Services is notifying over 525,000 individuals that their personal information was stolen in a data breach. The incident, the company says, was identified in mid-December after a legacy server managed by a third party became inaccessible. “Upon discovery, we notified law enforcement and promptly commenced an investigation to confirm the nature and scope of this incident,” an incident notice on the company’s website reads."
        https://www.securityweek.com/ima-diligence-services-data-breach-impacts-525000-people/

      General News

      • Economic Fury Targets Iran’s Largest Digital Asset Exchange For Terror Finance And Sanctions Evasion
        "Today, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) designated Nobitex, Iran’s largest digital asset exchange, along with three other Iranian digital asset exchanges, as part of Economic Fury and the Trump Administration’s efforts to eliminate the threat posed by the Iranian regime. “While Iran’s economy is in free fall, the regime has chosen to co-opt digital asset technologies for its own corrupt agenda, including evading sanctions and transferring wealth out of the country. Iran’s current economic chaos is proof that President Trump’s maximum pressure campaign has been a success,” said Secretary of the Treasury Scott Bessent."
        https://home.treasury.gov/news/press-releases/sb0519
        https://www.bleepingcomputer.com/news/security/the-us-sanctions-nobitex-crypto-exchange-used-by-ransomware/
      • Embedded Threats: How Attackers Weaponize Legitimate Emails
        "Cofense Intelligence has been tracking how threat actors abuse various legitimate online services to deliver malicious content embedded in legitimate business emails via arbitrary text fields. Legitimate websites often need to collect arbitrary text input from users to fill out usernames, meeting descriptions, or similar kinds of information. This text is often embedded within legitimate emails when the user performs actions such as sending meeting invitations, sharing documents, or resetting passwords."
        https://cofense.com/blog/embedded-threats-how-attackers-weaponize-legitimate-emails
      • Autonomous AI-Driven Worm Can Reason Its Way Through Corporate Networks
        "Researchers at the University of Toronto, the Vector Institute, and the University of Cambridge have built and tested a proof-of-concept AI-driven worm that does not operate on a fixed list of exploits. Instead, it analyzes each target it encounters, reasons about how to attack it, and creates a strategy on the fly, all with the help of a small, free large language model (LLM) running directly on machines it has already compromised."
        https://www.helpnetsecurity.com/2026/06/03/autonomous-ai-worm-prototype/
        https://arxiv.org/pdf/2606.03811
      • Security Of 100 AI Agents Tested And Ranked – What You Need To Know
        "AI is our new leader. We just accept and do what it tells us. Maybe we should be a bit more circumspect. Concern over the performance of AI agents has been constant, ranging from ‘leaky’ to just plain wrong decision-making. Since the pressure to use more agents more autonomously because of supercharged AI-assisted attacks is now constant, Adversa AI’s decision to measure and compare the performance and security of 100 agents across ten categories is welcome. But the results are not. Of the 100 agents tested, and positioned within a new AI Risk Quadrant, only 11 are categorized as ‘capable well-defended’."
        https://www.securityweek.com/security-of-100-ai-agents-tested-and-ranked-what-you-need-to-know/
        https://www.helpnetsecurity.com/2026/06/03/research-ai-agent-security-capability/
      • A Small Slovenian Team Handles 6,000 Cyber Incidents a Year
        "Online fraud complaints, ransomware cases, and phishing tips reach Slovenia’s national cyber response center in steady volume, and a team of around a dozen analysts sorts through them. Gorazd Božič, who manages SI-CERT at the public agency ARNES, described that work in an interview conducted in person at the Span Cyber Security Arena conference. He put the original proposal for a Slovenian CERT to ARNES leadership in 1994, and the center now records about 6,000 incidents a year, up from roughly 300 ten to fifteen years earlier."
        https://www.helpnetsecurity.com/2026/06/03/gorazd-bozic-si-cert-cyber-incident-response/
      • Known Vulnerabilities Behind Most Application Security Incidents
        "Eight in ten organizations took an application security hit during the past year tied to a vulnerability their team had already cataloged, according to a survey of 902 IT and security professionals conducted by the Cloud Security Alliance. The pattern points to a structural condition across the industry, where the window between identifying a flaw and closing it in production stays open long enough for attackers to act. The National Vulnerability Database logged more than 40,000 CVEs in 2025, and VulnCheck recorded exploitation activity following disclosure within days. Frontier AI systems capable of generating working exploits at machine speed, including one called Mythos, have compressed that window further, raising the operational stakes for any organization carrying unresolved findings in live environments."
        https://www.helpnetsecurity.com/2026/06/03/csa-application-security-incidents/

      References
      Electronic Transactions Development Agency (ETDA)

      Posted in Cyber Security News
      NCSA_THAICERT
    • Google releases patches for 124 Android vulnerabilities, including CVE-2025-48595, which may have been used in targeted attacks


      Follow the news on the webboard or on the NCSA Thailand Facebook page

      Posted in Cyber Security News
      NCSA_THAICERT