NCSA Webboard

    NCSA_THAICERT (@NCSA_THAICERT)
    Global Moderator, administrators
    Website: www.ncsa.or.th/?fbclid=IwAR0BqJEC-CJzBs98rlBxUbZkNBgp1g814xdDNNaKnHTrxfqZhPD--ksY68I

    Latest posts made by NCSA_THAICERT

    • 🚨 Check and patch urgently! A critical vulnerability in the n8n platform could be used to run commands on the system

      🚨 Check and patch urgently! A critical vulnerability in the n8n platform could be used to run commands on the system if an attacker gains access to a user account with permission to create or edit Workflows.
      If left unpatched, this vulnerability may expose systems to the risk of unauthorized access or control.

      🔴 Vulnerability details
      • CVE-2026-25049 is a critical-severity vulnerability with a CVSS score of 9.4. It stems from a flaw in how n8n evaluates expressions inside Workflows, which could be used to run operating system commands on the host serving n8n. An authenticated user with permission to create or edit Workflows can place specially crafted expressions inside a Workflow, resulting in the execution of system commands on the host that runs n8n.
      • A successful attack may allow the attacker to access data, alter system settings, or render the system unavailable.

      🎯 Affected products and versions
      • n8n 1.x versions earlier than 1.123.17
      • n8n 2.x versions earlier than 2.5.2

      ⚠️ ThaiCERT recommends that organizations running affected versions check and patch immediately.

      🔎 Detection and mitigation guidance

      1. Detection
        • Check the version of n8n in use
        • Review user accounts that have permission to create or edit Workflows
        • Review Workflows that contain unusual expressions

      2. Mitigation
        Update n8n to a fixed version:
        • Systems still running n8n 1.x: update to version 1.123.17 or later
        • Systems still running n8n 2.x: update to version 2.5.2 or later
        • Restrict the ability to create or edit Workflows to trusted users only
        • Deploy n8n in an environment with appropriately restricted operating-system and network permissions, to limit the impact if the host is attacked

      3. Temporary measures (if updating immediately is not possible)
        • Restrict Workflow creation and editing to users who genuinely need it
        • Run n8n in an environment with restricted operating-system-level permissions
        Note: these measures only reduce risk temporarily; they do not fully remediate the vulnerability.
        🔗 References
        https://dg.th/7wyi4sqn6h
        https://dg.th/nom3jy2rlp
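      The first detection step above is a version check against the two fix lines in this advisory. The script below is an added example for this page (not code from n8n or ThaiCERT): it parses n8n version strings as reported in your own inventory and classifies each host as affected, fixed or outside the advisory's stated ranges; the host inventory is constructed.

```python
"""Classify n8n version strings against the ranges named in the ThaiCERT
advisory for CVE-2026-25049: 1.x below 1.123.17 and 2.x below 2.5.2.
Added example; not code from n8n or ThaiCERT. How you collect the version
string (CLI, UI, container tag) is up to your inventory process."""
import re

# Fixed versions from the advisory, keyed by major release line.
# The trailing 1 marks "final release"; pre-releases get 0 so that
# e.g. 2.5.2-rc.1 sorts before 2.5.2 and is still reported as affected.
FIXED_VERSIONS = {1: (1, 123, 17, 1), 2: (2, 5, 2, 1)}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.]+)?")


def parse_version(text: str) -> tuple:
    """Return (major, minor, patch, release_flag) from strings such as
    '1.123.16', 'v2.5.1', 'n8n@2.5.2-rc.1' or 'docker.io/n8nio/n8n:2.4.0'."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no semantic version found in {text!r}")
    major, minor, patch = (int(p) for p in m.group(1, 2, 3))
    release_flag = 0 if m.group(4) else 1  # 0 = pre-release, 1 = final
    return (major, minor, patch, release_flag)


def is_affected(version_text: str):
    """True if the version is below the fix for its major line, False if it
    is at or above the fix, None if the major line is not covered by the
    advisory (for example 0.x builds), which should be reviewed by hand."""
    version = parse_version(version_text)
    fixed = FIXED_VERSIONS.get(version[0])
    if fixed is None:
        return None
    return version < fixed


def triage(inventory: dict) -> dict:
    """Map each host name to 'affected', 'fixed' or 'unknown' so the result
    can be fed to a ticketing system or a patch dashboard."""
    labels = {True: "affected", False: "fixed", None: "unknown"}
    return {host: labels[is_affected(ver)] for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; host names and versions are made up.
    sample_inventory = {
        "automation-prod-01": "1.123.16",
        "automation-prod-02": "v1.123.17",
        "ai-agents-staging": "n8nio/n8n:2.5.2-rc.1",
        "ai-agents-prod": "2.6.0",
        "legacy-lab": "0.236.3",
    }
    for host, status in triage(sample_inventory).items():
        print(f"{host:20s} {sample_inventory[host]:22s} {status}")
```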

      ThaiCERT recommends that users and administrators of this product check their deployments and update to the latest version immediately, to reduce the risk of attack and prevent potential damage.


      Posted in Cyber Security News
    • Cyber Threat Intelligence 06 February 2026

      New Tooling

      • Microsoft Launches LiteBox, a Security-Focused Open-Source Library OS
        "Microsoft has released LiteBox, a project intended to function as a security-focused library OS that can serve as a secure kernel for protecting a guest kernel using virtualization hardware. LiteBox was developed in collaboration with the Linux Virtualization Based Security (LVBS) project. The goal is to isolate and protect a normal guest kernel by running security-critical functionality in a separate, hardened environment."
        https://www.helpnetsecurity.com/2026/02/05/microsoft-litebox-security-focused-open-source-library-os/
        https://github.com/microsoft/litebox

      Vulnerabilities

      • Cisco, F5 Patch High-Severity Vulnerabilities
        "Cisco and F5 this week released patches for multiple vulnerabilities across their products, including high-severity issues leading to denial-of-service (DoS) conditions, command execution, and privilege escalation. Cisco rolled out fixes for five security defects, including two high-severity bugs in TelePresence Collaboration Endpoint (CE) and RoomOS software, and Meeting Management. The first, tracked as CVE-2026-20119, can be exploited remotely without authentication or user interaction to cause a DoS condition by sending a crafted meeting invitation to a vulnerable appliance."
        https://www.securityweek.com/cisco-f5-patch-high-severity-vulnerabilities/
      • Hacking GitHub Codespaces Via VS Code Defaults: A Supply-Chain Attack Vector
        "GitHub Codespaces is a cloud-hosted developer environment that lets users spin up fully configured Visual Studio Code instances in minutes. It integrates tightly with repositories and supports devcontainers for reproducible environments. From a usability perspective, this makes onboarding and collaboration seamless. Developers can review pull requests, test code, or spin up services without configuring local machines. However, this same convenience means that repository-defined configurations like .vscode/ and .devcontainer/ files are automatically executed within Codespaces, creating a fertile attack surface."
        https://orca.security/resources/blog/hacking-github-codespaces-rce-supply-chain-attack/
        https://www.infosecurity-magazine.com/news/malicious-commands-in-github/
        https://www.securityweek.com/vs-code-configs-expose-github-codespaces-to-attacks/
      • BOD 26-02: Mitigating Risk From End-Of-Support Edge Devices
        "The United States faces persistent cyber campaigns that threaten both public and private sectors, directly impacting the security and privacy of the American people. These campaigns are often enabled by unsupported devices that physically reside on the edge of an organization’s network perimeter. Unsupported devices – referred to in this Directive as “end of support (EOS)” – are those that are no longer maintained by their vendors. The imminent threat of exploitation to agency information systems running EOS edge devices is substantial and constant, resulting in a significant threat to federal property. CISA is aware of widespread exploitation campaigns by advanced threat actors targeting EOS edge devices."
        https://www.cisa.gov/news-events/directives/bod-26-02-mitigating-risk-end-support-edge-devices
        https://therecord.media/cisa-gives-federal-agencies-one-year-end-of-life-devices
        https://cyberscoop.com/cisa-bod-directive-unsupported-edge-devices-firewalls-routers/
      • Npx Confusion: Packages That Forgot To Claim Their Own Name
        "Back in July 2025, I was prototyping a new project and decided to try out MikroORM. The docs said to run npx mikro-orm-esm for migrations. So I did."
        https://www.aikido.dev/blog/npx-confusion-unclaimed-package-names

      Malware

      • Zendesk Spam Wave Returns, Floods Users With 'Activate Account' Emails
        "A fresh wave of spam is hitting inboxes worldwide, with users reporting that they are once again being bombarded by automated emails generated through companies' unsecured Zendesk support systems. Some recipients say they are receiving hundreds of messages with strange or alarming subject lines."
        https://www.bleepingcomputer.com/news/security/zendesk-spam-wave-returns-floods-users-with-activate-account-emails/
      • Protests Don't Impede Iranian Spying On Expats, Syrians, Israelis
        "As mass protests flare at home, Iranian attackers have been carrying out spear-phishing attacks against their perceived enemies abroad. The Iranian government has a long, storied history targeting its enemies, be they domestic or abroad, Iranian or foreign nationals, Israeli, American, or Arabic. In recent weeks, though, as protests against the ruling regime have surged, reports of cyber spying have been flaring up."
        https://www.darkreading.com/cyberattacks-data-breaches/iran-spies-expats-syrians-israelis
      • Stan Ghouls Targeting Russia And Uzbekistan With NetSupport RAT
        "Stan Ghouls (also known as Bloody Wolf) is a cybercriminal group that has been launching targeted attacks against organizations in Russia, Kyrgyzstan, Kazakhstan, and Uzbekistan since at least 2023. These attackers primarily have their sights set on the manufacturing, finance, and IT sectors. Their campaigns are meticulously prepared and tailored to specific victims, featuring a signature toolkit of custom Java-based malware loaders and a sprawling infrastructure with resources dedicated to specific campaigns."
        https://securelist.com/stan-ghouls-in-uzbekistan/118738/
      • The Shadow Campaigns: Uncovering Global Espionage
        "This investigation unveils a new cyberespionage group that Unit 42 tracks as TGR-STA-1030. We refer to the group’s activity as the Shadow Campaigns. We assess with high confidence that TGR-STA-1030 is a state-aligned group that operates out of Asia. Over the past year, this group has compromised government and critical infrastructure organizations across 37 countries. This means that approximately one out of every five countries has experienced a critical breach from this group in the past year. Further, between November and December 2025, we observed the group conducting active reconnaissance against government infrastructure associated with 155 countries."
        https://unit42.paloaltonetworks.com/shadow-campaigns-uncovering-global-espionage/
        https://therecord.media/research-cyber-espionage-targeting-dozens-worldwide
        https://www.securityweek.com/cyberspy-group-hacked-governments-and-critical-infrastructure-in-37-countries/
        https://www.theregister.com/2026/02/05/asia_government_spies_hacked_37_critical_networks/
      • Knife Cutting The Edge: Disclosing a China-Nexus Gateway-Monitoring AitM Framework
        "Cisco Talos uncovered “DKnife,” a fully featured gateway-monitoring and adversary-in-the-middle (AitM) framework comprising seven Linux-based implants that perform deep-packet inspection, manipulate traffic, and deliver malware via routers and edge devices. Based on the artifact metadata, DKnife has been used since at least 2019 and the command and control (C2) are still active as of January 2026. DKnife’s attacks target a wide range of devices, including PCs, mobile devices, and Internet of Things (IoT) devices. It delivers and interacts with the ShadowPad and DarkNimbus backdoors by hijacking binary downloads and Android application updates."
        https://blog.talosintelligence.com/knife-cutting-the-edge/
      • Prince Of Persia, Part II: Covering Tracks, Striking Back & a Revealing Link To The Iranian Regime Amid The Country’s Internet Blackout
        "On December 18, 2025, we shared Part I of our most recent research project on the Iranian state-sponsored threat actor known as “Prince of Persia.” SafeBreach Labs has followed this threat actor since 2019 and originally published research in 2021 that presented evidence they had dramatically reinforced their operations security activities, technical proficiency, and tooling capabilities. However, for the next three years, there was no publicly identified activity from the group. Our research team continued to hunt for evidence based on a variety of anchors and patterns we defined. As a result, we were able to maintain unprecedented visibility into their malicious activity during this time."
        https://www.safebreach.com/blog/prince-of-persia-part-ii/
        https://thehackernews.com/2026/02/infy-hackers-resume-operations-with-new.html
      • Italy Claims Cyberattacks 'of Russian Origin' Are Pelting Winter Olympics
        "Italy's foreign minister says the country has already started swatting away cyberattacks from Russia targeting the Milano Cortina Winter Olympics. Antonio Tajani told reporters on Wednesday that a series of cyberattacks targeted some of the government's foreign offices, including the one in the US capital. He said they were "of Russian origin," but did not specify whether this appeared to be state-backed activity, nor provide details about the nature of the attacks, AP reported."
        https://www.theregister.com/2026/02/05/winter_olympics_russian_attacks/
      • Malicious Use Of Virtual Machine Infrastructure
        "In late 2025, SophosLabs analysts investigated several WantToCry remote ransomware incidents. In each case, the attackers used virtual machines with autogenerated NetBIOS hostnames derived from Windows templates provisioned by ISPsystem, a legitimate provider of IT infrastructure management platforms. Counter Threat Unit™ (CTU) researchers investigated the potential scale of malicious use of these devices and identified multiple internet-exposed systems associated with cybercriminal activity, including ransomware operations and commodity malware delivery. Further investigation identified multiple additional hostnames derived from ISPsystem-provisioned virtual machine templates, some of which were also used in malicious activity."
        https://www.sophos.com/en-gb/blog/malicious-use-of-virtual-machine-infrastructure
        https://www.bleepingcomputer.com/news/security/ransomware-gang-uses-ispsystem-vms-for-stealthy-payload-delivery/
      • SaaS Abuse At Scale: Phone-Based Scam Campaign Leveraging Trusted Platforms
        "This report documents a large-scale phishing campaign in which attackers abused legitimate software-as-a-service (SaaS) platforms to deliver phone-based scam lures that appeared authentic and trustworthy. Rather than spoofing domains or compromising services, the attackers deliberately misused native platform functionality to generate and distribute emails that closely resembled routine service notifications, inheriting the trust, reputation, and authentication posture of well-known SaaS providers."
        https://blog.checkpoint.com/research/saas-abuse-at-scale-phone-based-scam-campaign-leveraging-trusted-platforms/
      • Compromised Routers, DNS, And a TDS Hidden In Aeza Networks
        "When most people say DNS, they are thinking about the global DNS system, the official mechanism for resolving domain names on the internet. But shadow systems exist. Visiting a website relies on a DNS resolution chain that iteratively queries authoritative name servers within the distributed DNS hierarchy to get an IP address. This resolution all happens in the background, and users put a lot of trust into DNS resolvers without even realizing they exist. If the IP address of those resolvers is changed, a website’s domain name might resolve to an entirely different IP address, sending an unwitting visitor to an entirely different location."
        https://www.blogs.infoblox.com/threat-intelligence/compromised-routers-dns-and-a-tds-hidden-in-aeza-networks/
        https://hackread.com/sanctioned-bulletproof-host-hijack-old-home-routers/
      • Pro-Russian Group Noname057(16) Launched DDoS Attacks On Milano Cortina 2026 Winter Olympics
        "Italy has thwarted a series of Russian-linked cyberattacks aimed at Foreign Ministry offices, including one in Washington, as well as Winter Olympics websites and hotels in Cortina d’Ampezzo, according to Foreign Minister Antonio Tajani. “We have foiled a series of cyberattacks on Foreign Ministry offices, starting with Washington, and also on some Winter Olympic sites, including hotels in Cortina,” said Tajani, who is also deputy premier, emphasizing that “these are Russian-led actions.” Foreign Minister Antonio Tajani told reporters during a trip to Washington, as reported by the Italian news agency ANSA."
        https://securityaffairs.com/187654/hacktivism/pro-russian-group-noname05716-launched-ddos-attacks-on-milano-cortina-2026-winter-olympics.html
        https://therecord.media/italy-blames-russia-linked-hackers-winter-games-cyberattack
        https://www.securityweek.com/italy-averted-russian-linked-cyberattacks-targeting-winter-olympics-websites-foreign-minister-says/
      • Technical Analysis Of Marco Stealer
        "Zscaler ThreatLabz has discovered an information stealer that we named Marco Stealer, which was first observed in June 2025. Marco Stealer primarily targets browser data, cryptocurrency wallet information, files from popular cloud services like Dropbox and Google Drive, and other sensitive files stored on the victim’s system. Marco Stealer implements several anti-analysis techniques including string encryption and terminating security tools. The malware leverages HTTP for command-and-control (C2) with messages encrypted with 256-bit AES."
        https://www.zscaler.com/blogs/security-research/technical-analysis-marco-stealer
      • Inside a Sophisticated Recovery Scam Network: Evidence From a Live Investigation Into Legal Services Impersonation
        "Business impersonation scams aren’t new. But the way they operate today is very different from what most people expect. Volumes are up 148% year over year, driven by AI-assisted content generation, deepfake tooling, and the increasing ease of cloning entire websites in minutes. Gone are typo-ridden phishing pages. Today, phishing pages are polished, credible, and designed to look exactly like those created by real businesses, professionals, and trusted institutions."
        https://www.sygnia.co/blog/inside-recovery-scam-network-legal-impersonation/
        https://www.securityweek.com/researchers-expose-network-of-150-cloned-law-firm-websites-in-ai-powered-scam-campaign/
      • APT28’s Stealthy Multi-Stage Campaign Leveraging CVE‑2026‑21509 And Cloud C2 Infrastructure
        "Russian state-sponsored threat group APT28 (aka Fancy Bear or UAC-0001) has launched a sophisticated espionage campaign targeting European military and government entities, specifically targeting maritime and transport organizations across Poland, Slovenia, Turkey, Greece, the UAE, and Ukraine. The attackers weaponized a newly disclosed Microsoft Office 1-day (CVE-2026-21509) within 24 hours of its public revelation, using spear-phishing documents to compromise Ukrainian government agencies and EU institutions [1]. This campaign features a multi-stage infection chain and novel payloads, including a simple initial loader, an Outlook VBA backdoor (NotDoor), and a custom C++ implant dubbed “BeardShell.” The threat actors abuse legitimate cloud storage (filen.io) as command-and-control (C2) infrastructure, blending malicious traffic with normal user activity."
        https://www.trellix.com/blogs/research/apt28-stealthy-campaign-leveraging-cve-2026-21509-cloud-c2/
        https://therecord.media/russian-hackers-microsoft-office-europe

      Breaches/Hacks/Leaks

      • Betterment Data Breach
        "In January 2026, the automated investment platform Betterment confirmed it had suffered a data breach attributed to a social engineering attack. As part of the incident, Betterment customers received fraudulent crypto-related messages promising high returns if funds were sent to an attacker-controlled cryptocurrency wallet. The breach exposed 1.4M unique email addresses, along with names and geographic location data. A subset of records also included dates of birth, phone numbers, and physical addresses. In its disclosure notice, Betterment stated that the incident did not provide attackers with access to customer accounts and did not expose passwords or other login credentials."
        https://haveibeenpwned.com/Breach/Betterment
        https://www.bleepingcomputer.com/news/security/data-breach-at-fintech-firm-betterment-exposes-14-million-accounts/
        https://www.theregister.com/2026/02/05/betterment_hack/
      • Spain's Ministry Of Science Shuts Down Systems After Breach Claims
        "Spain's Ministry of Science (Ministerio de Ciencia) announced a partial shutdown of its IT systems, affecting several citizen- and company-facing services. Ministerio de Ciencia, Innovación y Universidades is the Spanish government body responsible for science policy, research, innovation, and higher education. Among others, it maintains administrative systems used by researchers, universities, and students that handle high-value, sensitive information."
        https://www.bleepingcomputer.com/news/security/spains-ministry-of-science-shuts-down-systems-after-breach-claims/
      • Italian University La Sapienza Goes Offline After Cyberattack
        "Rome’s “La Sapienza” university has been targeted by a cyberattack that impacted its IT systems and caused widespread operational disruptions at the educational institute. The university first disclosed the incident in a social media post earlier this week, saying that its IT infrastructure "has been the target of a cyberattack." “As a precautionary measure, and in order to ensure the integrity and security of data, an immediate shutdown of network systems has been ordered,” the organization said."
        https://www.bleepingcomputer.com/news/security/italian-university-la-sapienza-goes-offline-after-cyberattack/
      • Romanian Oil Pipeline Operator Conpet Discloses Cyberattack
        "Conpet, Romania's national oil pipeline operator, has disclosed that a cyberattack disrupted its business systems and took down the company's website on Tuesday. Conpet operates nearly 4,000 kilometers of pipeline network, supplying domestic and imported crude oil and derivatives, including gasoline and liquid ethane, to refineries nationwide. In a Wednesday press release, the company said the incident affected its corporate IT infrastructure but didn't disrupt its operations or its ability to fulfill its contractual obligations."
        https://www.bleepingcomputer.com/news/security/romanian-oil-pipeline-operator-conpet-discloses-cyberattack-qilin-ransomware/
      • Newsletter Platform Substack Notifies Users Of Data Breach
        "Newsletter platform Substack is notifying users of a data breach after attackers stole their email addresses and phone numbers in October 2025. Although the incident occurred four months ago, CEO Chris Best told affected users that Substack only discovered the breach this week. However, while the attackers stole some users' data, Best added that they didn't access credentials or financial information."
        https://www.bleepingcomputer.com/news/security/newsletter-platform-substack-notifies-users-of-data-breach/
        https://therecord.media/substack-data-breach-notification
        https://securityaffairs.com/187659/uncategorized/hacker-claims-theft-of-data-from-700000-substack-users-company-confirms-breach.html
        https://www.securityweek.com/substack-discloses-security-incident-after-hacker-leaks-data/
        https://www.theregister.com/2026/02/05/substack_admit_security_incident/
        https://hackread.com/substack-breach-user-records-leak-cybercrime-forum/
      • 280+ Leaky Skills: How OpenClaw & ClawHub Are Exposing API Keys And PII
        "On Monday, February 3rd, Snyk Staff Senior Engineer Luca Beurer-Kellner and Senior Incubation Engineer Hemang Sarkar uncovered a massive systemic vulnerability in the ClawHub ecosystem (clawhub.ai). Unlike the malware campaign we reported yesterday involving specific malicious actors, this new finding reveals a broader, perhaps more dangerous trend: widespread insecurity by design. In this write-up, Snyk is presenting Leaky Skills - uncovering exposed and insecure credentials usage in Agent Skills. Scanning the entire ClawHub marketplace (3,984 skills) using Evo Agent Security Analyzer, our researchers found that 283 skills, an estimated 7.1% of the entire registry, contain critical security flaws that expose sensitive credentials."
        https://snyk.io/blog/openclaw-skills-credential-leaks-research/
        https://www.theregister.com/2026/02/05/openclaw_skills_marketplace_leaky_security/

      General News

      • Why Boards Should Be Obsessed With Their Most ‘boring’ Systems
        "Following a series of high-profile cyberattacks, boards of directors are now requiring their organizations to take greater responsibility for the risks that enterprise resource planning (ERP) systems pose. The Jaguar Land Rover (JLR) incident in Sept. 2025 illustrates the severe consequences of such attacks. The cyberattack forced JLR to halt production for six weeks, making it the costliest cyberattack in Britain’s history. The company’s revenue declined 24 percent that quarter, accounting for potentially over a $1.2 billion drop in earnings, and subsequently reported a 43.3% wholesale sales volume drop the following quarter."
        https://cyberscoop.com/boardroom-erp-cybersecurity-sap-ransomware-resilience-op-ed/
      • Cybersecurity Planning Keeps Moving Toward Whole-Of-Society Models
        "National governments already run cybersecurity through a mix of ministries, regulators, law enforcement, and private operators that own most critical systems. In that environment, guidance circulating among policymakers outlines how national cybersecurity strategies increasingly tie together risk management, workforce planning, technology standards, and coordination across sectors."
        https://www.helpnetsecurity.com/2026/02/05/cybersecurity-planning-national-cybersecurity-strategy/
      • Measuring AI Use Becomes a Business Requirement
        "Enterprise teams already run dozens of AI tools across daily work. Usage stretches from code generation and analytics to customer support drafting and internal research. Oversight remains uneven across roles, functions, and industries. A new Larridin survey of enterprise leaders places measurement and governance at the center of this operating environment."
        https://www.helpnetsecurity.com/2026/02/05/measuring-ai-use-becomes-a-business-requirement/
      • AI-Enabled Voice And Virtual Meeting Fraud Surges 1000%+
        "Fraudsters significantly ramped up their use of AI to enhance campaigns across voice and virtual meeting channels last year, boosting speed and volume, according to Pindrop. The voice authentication and deepfake detection specialist said its new report, Inside the 2025 AI Fraud Spike, is based on its own data collected between January and December 2025. The firm pointed to a 1210% increase in AI-enabled fraud during this time, versus a 195% surge in traditional fraud."
        https://www.infosecurity-magazine.com/news/ai-voice-virtual-meeting-fraud/
      • Cloud Sovereignty Is No Longer Just a Public Sector Concern
        "Sovereignty remains a hot topic in the tech industry, but interpretations of what it actually means – and how much it matters – vary widely between organizations and sectors. While public bodies are often driven by regulation and national policy, the private sector tends to take a more pragmatic, cost-focused view."
        https://www.theregister.com/2026/02/05/opennebula_sovereignty_interview/
      • Cybereason TTP Briefing Q4 2025: Diverse Phishing Tactics And RATs On The Rise
        "Explore the latest trends, techniques, and procedures (TTPs) our incident response (IR) experts are actively facing with the TTP Briefing Q4 2025, a report built on frontline threat intelligence from our global incident response investigations, enriched by noteworthy detections from our SOC."
        https://www.cybereason.com/blog/ttp-briefing-q4-2025
      • Cyber Success Trifecta: Education, Certifications & Experience
        "As organizations grapple with increasingly sophisticated threats, the need for leaders who can balance technological innovation with robust risk management is paramount. In this episode of "Heard It from A CISO," Dark Reading's Kristina Beek sits down with Col. Georgeo Xavier Pulikkathara, a seasoned cybersecurity expert and CISO at iMerit, to explore the challenges, insights, and lessons learned from his ongoing journey in the field."
        https://www.darkreading.com/cybersecurity-operations/the-trifecta-of-cyber-success-education-certifications-and-experience
      • Latest Public Sector AI Adoption Trends: What Government, Healthcare, And Education Security Teams Need To Know
        "The public sector isn’t taking a “trial-and-error” approach to AI adoption. Government, healthcare, and education systems have to work—often under tight budgets, legacy constraints, and high uptime expectations—and data must be protected, especially when it includes citizen records, patient information, and student data. The ThreatLabz 2026 AI Security Report examined 989.3 billion total AI/ML transactions across the Zscaler Zero Trust Exchange throughout 2025, revealing a public sector AI adoption story defined by accelerating (albeit uneven) adoption. Some sectors are scaling quickly; others, more gradually and quietly."
        https://www.zscaler.com/blogs/security-research/latest-public-sector-ai-adoption-trends-what-government-healthcare-and
      • 2025 Q4 DDoS Threat Report: A Record-Setting 31.4 Tbps Attack Caps a Year Of Massive DDoS Assaults
        "Welcome to the 24th edition of Cloudflare’s Quarterly DDoS Threat Report. In this report, Cloudforce One offers a comprehensive analysis of the evolving threat landscape of Distributed Denial of Service (DDoS) attacks based on data from the Cloudflare network. In this edition, we focus on the fourth quarter of 2025, as well as share overall 2025 data. The fourth quarter of 2025 was characterized by an unprecedented bombardment launched by the Aisuru-Kimwolf botnet, dubbed “The Night Before Christmas" DDoS attack campaign. The campaign targeted Cloudflare customers as well as Cloudflare’s dashboard and infrastructure with hyper-volumetric HTTP DDoS attacks exceeding rates of 200 million requests per second (rps), just weeks after a record-breaking 31.4 Terabits per second (Tbps) attack."
        https://blog.cloudflare.com/ddos-threat-report-2025-q4/
        https://thehackernews.com/2026/02/aisurukimwolf-botnet-launches-record.html
      • Smartphones Now Involved In Nearly Every Police Investigation
        "Digital evidence, especially that extracted from smartphones, is now key to nearly all police investigations, a new report from Cellebrite has confirmed. The Israeli forensics company compiled its 2026 Industry Trends Report based on interviews with 1200 law enforcement practitioners in 63 countries. It found that a majority (95%) now agree that digital evidence is key to solving cases, up from 74% two years ago. In fact, nearly all (97%) respondents noted that the public expects it to be used in almost all cases."
        https://www.infosecurity-magazine.com/news/smartphones-involved-every-police/
      • AI Pentesting: Minimum Safety Requirements For Security Testing
        "If you feel uneasy about AI penetration testing, you’re not behind the curve. You’re probably ahead of it. Security testing is one of the first areas where AI is no longer just helping humans, but acting on its own. Modern AI pentesting systems explore applications independently, execute real actions, and adapt based on what they see. That is powerful. It also raises very real questions about control, safety, and trust. This post is not about whether AI pentesting works. It’s about when it is actually safe to run."
        https://www.aikido.dev/blog/ai-pentesting-safety-requirements

      Reference
      Electronic Transactions Development Agency (ETDA)

      Posted in Cyber Security News
    • Microsoft เตือนมัลแวร์ขโมยข้อมูลระบาดสู่ macOS ใช้ Python และโฆษณาปลอมแฝงตัวขโมย iCloud Keychain


Follow the news on the webboard or on Facebook NCSA Thailand

Posted in Cyber Security News
      NCSA_THAICERT
• CISA warns that a VMware ESXi vulnerability is being used in ransomware campaigns


Follow the news on the webboard or on Facebook NCSA Thailand

Posted in Cyber Security News
      NCSA_THAICERT
• Campaign attacking NGINX servers discovered, targeting government and educational websites in Asia


Follow the news on the webboard or on Facebook NCSA Thailand

Posted in Cyber Security News
      NCSA_THAICERT
    • Cyber Threat Intelligence 05 February 2026

      New Tooling

      • Global Threat Map: Open-Source Real-Time Situational Awareness Platform
        "Global Threat Map is an open-source project offering security teams a live view of reported cyber activity across the globe, pulling together open data feeds into a single interactive map. It visualizes indicators such as malware distribution, phishing activity, and attack traffic by geographic region. Global threat maps have long been used by security vendors to illustrate attack volumes and regional trends. This project takes a different path by relying on open feeds and community-maintained code, making its data sources and logic visible to users."
        https://www.helpnetsecurity.com/2026/02/04/global-threat-map-open-source-osint/
        https://github.com/unicodeveloper/globalthreatmap

      Vulnerabilities

      • n8n Sandbox Escape: Critical Vulnerabilities In n8n Exposes Hundreds Of Thousands Of Enterprise AI Systems To Complete Takeover
        "Pillar Security researchers uncovered critical vulnerabilities in n8n, a popular open-source workflow automation platform powering numerous enterprise deployments. The vulnerabilities allowed any authenticated user to seize complete control of the server, stealing every stored credential, API key, and secret on both self hosted and cloud instances. On n8n Cloud, the shared multi-tenant architecture meant a single malicious user could potentially breach the entire platform, accessing data belonging to all other customers."
        https://www.pillar.security/blog/n8n-sandbox-escape-critical-vulnerabilities-in-n8n-exposes-hundreds-of-thousands-of-enterprise-ai-systems-to-complete-takeover
        https://www.bleepingcomputer.com/news/security/critical-n8n-flaws-disclosed-along-with-public-exploits/
        https://www.infosecurity-magazine.com/news/two-critical-flaws-in-n8n-ai/
      • LookOut: Discovering RCE And Internal Access On Looker (Google Cloud & On-Prem)
        "Tenable Research discovered two novel vulnerabilities in Google Looker that could allow an attacker to completely compromise a Looker instance. Google moved swiftly to patch these issues. Organizations running Looker on-prem should verify they have upgraded to the patched versions."
        https://www.tenable.com/blog/google-looker-vulnerabilities-rce-internal-access-lookout
        https://www.darkreading.com/application-security/google-looker-bugs-cross-tenant-rce-data-exfil
        https://www.securityweek.com/vulnerabilities-allowed-full-compromise-of-google-looker-instances/
        https://www.helpnetsecurity.com/2026/02/04/google-looker-vulnerabilities-cve-2025-12743/

      Malware

      • CISA: VMware ESXi Flaw Now Exploited In Ransomware Attacks
        "CISA confirmed on Wednesday that ransomware gangs have begun exploiting a high-severity VMware ESXi sandbox escape vulnerability that was previously used in zero-day attacks. Broadcom patched this ESXi arbitrary-write vulnerability (tracked as CVE-2025-22225) in March 2025 alongside a memory leak (CVE-2025-22226) and a TOCTOU flaw (CVE-2025-22224), and tagged them all as actively exploited zero-days. "A malicious actor with privileges within the VMX process may trigger an arbitrary kernel write leading to an escape of the sandbox," Broadcom said about the CVE-2025-22225 flaw."
        https://www.bleepingcomputer.com/news/security/cisa-vmware-esxi-flaw-now-exploited-in-ransomware-attacks/
        https://securityaffairs.com/187637/security/cve-2025-22225-in-vmware-esxi-now-used-in-active-ransomware-attacks.html
      • Hackers Compromise NGINX Servers To Redirect User Traffic
"A threat actor is compromising NGINX servers in a campaign that hijacks user traffic and reroutes it through the attacker's backend infrastructure. NGINX is open-source software for web traffic management. It intermediates connections between users and servers and is employed for web serving, load balancing, caching, and reverse proxying. The malicious campaign, discovered by researchers at Datadog Security Labs, targets NGINX installations and Baota hosting management panels used by sites with Asian top-level domains (.in, .id, .pe, .bd, and .th) and government and educational sites (.edu and .gov)."
        https://www.bleepingcomputer.com/news/security/hackers-compromise-nginx-servers-to-redirect-user-traffic/
      • They Got In Through SonicWall. Then They Tried To Kill Every Security Tool
        "In early February 2026, Huntress responded to an intrusion where threat actors leveraged compromised SonicWall SSLVPN credentials to gain initial access to a victim network. Once inside, the attacker deployed an EDR killer that abuses a legitimate Guidance Software (EnCase) forensic driver with a revoked certificate to terminate security processes from kernel mode, a technique known as Bring Your Own Vulnerable Driver (BYOVD). The attack was disrupted before ransomware deployment, but the case highlights a growing trend: threat actors weaponizing signed, legitimate drivers to blind endpoint security. The EnCase driver's certificate expired in 2010 and was subsequently revoked, yet Windows still loads it, a gap in Driver Signature Enforcement that attackers continue to exploit."
        https://www.huntress.com/blog/encase-byovd-edr-killer
        https://www.bleepingcomputer.com/news/security/edr-killer-tool-uses-signed-kernel-driver-from-forensic-software/
      • Amaranth-Dragon: Weaponizing CVE-2025-8088 For Targeted Espionage In The Southeast Asia
        "Check Point Research has identified several campaigns targeting multiple countries in the Southeast Asian region. These related activities have been collectively categorized under the codename “Amaranth-Dragon”. The campaigns demonstrate a clear focus on government entities across the region, suggesting a motivated threat actor with a strong interest in geopolitical intelligence. The campaigns frequently target law enforcement agencies, particularly the police, and often appear to be timed or themed around ongoing local political events."
        https://research.checkpoint.com/2026/amaranth-dragon-weaponizes-cve-2025-8088-for-targeted-espionage/
        https://blog.checkpoint.com/research/amaranth-dragon-targeted-cyber-espionage-campaigns-across-southeast-asia/
        https://thehackernews.com/2026/02/china-linked-amaranth-dragon-exploits.html
      • The Godfather Of Ransomware? Inside DragonForce’s Cartel Ambitions
        "DragonForce employs advanced methodologies, using a dual-extortion strategy in which they not only encrypt critical business data but also exfiltrate sensitive information, threatening to release it on dark web leak sites unless the ransom is paid. DragonForce has targeted a variety of sectors, with a notable focus on manufacturing and construction, and has impacted several high-profile organizations. The group has shown adaptability by continuously refining its tools and tactics, moving from dedicated victim sites to a centralized domain for hosting leaked data. This rapid evolution keeps them a persistent and growing threat to businesses worldwide."
        https://www.levelblue.com/blogs/spiderlabs-blog/the-godfather-of-ransomware-inside-dragonforces-cartel-ambitions
        https://www.darkreading.com/cyber-risk/ransomware-gang-full-godfather-cartel
      • New Campaign Uses Screensavers For RMM-Based Persistence
        "Attackers are abusing Windows screensaver (.scr) files to silently install commonly used remote monitoring and management (RMM) tools to turn trusted software into persistent remote access. Because this activity can blend into normal IT operations and avoid “classic malware” signals, it gives attackers room to escalate into credential theft, data exfiltration, and ransomware deployment. We’ve observed this campaign across multiple ReliaQuest customers. It stands out because, unlike typical attacks, this marks the first time we’ve identified a campaign using business-themed lures to persuade users to download a .scr file—an often-overlooked executable—that then deploys an RMM tool for durable access and follow-on actions with unusual effectiveness."
        https://reliaquest.com/blog/threat-spotlight-new-campaign-uses-screensavers-RMM-based-persistence/
        https://www.darkreading.com/application-security/attackers-use-screensavers-drop-malware-rmm-tools
      • Shaping Shadows: Breaking Down New ShadowSyndicate Methods And Infrastructure
        "ShadowSyndicate is a malicious activity cluster that unites a wide set of campaigns based on infrastructure overlaps. Despite the huge number of servers involved, the threat actor relies on OpenSSH and usually uses one SSH key for all of them. But each pair of SSH keys is unique, so the presence of the public key on the server is usually associated with a specific person or group that has access to it. Because ShadowSyndicate’s SSH fingerprints are known to be used with a large number of servers, it allows researchers to spot the links and analyze such clusters. ShadowSyndicate’s infrastructure is always connected to various malware families and has links to different ransomware groups or affiliate programs."
        https://www.group-ib.com/blog/new-shadowsyndicate-infrastructure/
        https://www.infosecurity-magazine.com/news/shadowsyndicate/
      • PlugX Diplomacy: A Mustang Panda Campaign
        "The campaign commenced with what initially appeared to be a standard diplomatic email. The subject line alluded to a policy update. The attached document was structured as an internal briefing, authored in informal language, and corresponded with actual and current geopolitical developments. For individuals engaged in government or foreign policy, it closely resembled the typical summary produced by the United States that frequently circulates after meetings, forums, or coordination calls. However, it was not authentic."
        https://dreamgroup.com/plugx-diplomacy-mustang-panda-campaign/
        https://hackread.com/chinese-mustang-panda-briefing-spy-diplomat/
      • Silent Push Identifies More Than 10,000 Infected IPs As Part Of SystemBC Botnet Malware Family
        "Using a custom-built SystemBC tracker, Silent Push Preemptive Cyber Defense Analysts identified more than 10,000 unique infected IP addresses as part of this botnet. While we don’t have immediate visibility on any follow-on malware payloads deployed via this current SystemBC botnet, historically, many threat actors have used SystemBC to deploy ransomware on compromised networks, highlighting the importance of remediation. Our analysis shows SystemBC infections are globally distributed at scale, with the highest concentration of infected IP addresses observed in the United States, followed by Germany, France, Singapore, and India."
        https://www.silentpush.com/blog/systembc/
        https://www.infosecurity-magazine.com/news/global-systembc-botnet-10000/
      • React Server Components Exploitation Consolidates As Two IPs Generate Majority Of Attack Traffic
        "Two months after CVE-2025-55182 was disclosed on December 3, 2025, exploitation activity targeting React Server Components has consolidated significantly. GreyNoise telemetry from the past seven days shows that two IP addresses now account for 56% of all observed exploitation attempts, down from 1,083 unique sources. The dominant sources deploy distinct post-exploitation payloads: one retrieves cryptomining binaries from staging servers, while the other opens reverse shells directly to the scanner IP. Whether this represents two separate actors or compartmentalized infrastructure from a single actor remains unclear, but the behavioral distinction is notable."
        https://www.greynoise.io/blog/react2shell-exploitation-consolidates
        https://www.securityweek.com/cryptominers-reverse-shells-dropped-in-recent-react2shell-attacks/
      • Analyzing Dead#Vax: Analyzing Multi-Stage VHD Delivery And Self-Parsing Batch Scripts To Deploy In-Memory Shellcode
"Securonix Threat Research has been tracking a stealthy malware campaign that uses an uncommon chain of VHD abuse, script-based execution, self-parsing batch logic, fileless PowerShell injections and ultimately dropping a RAT. The attack leverages IPFS-hosted VHD files, extreme script obfuscation, runtime decryption, and in-memory shellcode injection into trusted Windows processes, never dropping a decrypted binary to disk. This research breaks down each stage at code level, highlighting modern attacker tradecraft that bypasses traditional detection mechanisms."
        https://www.securonix.com/blog/deadvax-threat-research-security-advisory/
        https://thehackernews.com/2026/02/deadvax-malware-campaign-deploys.html
      • Nitrogen Ransomware: ESXi Malware Has a Bug!
"Nitrogen ransomware was derived from the previously leaked Conti 2 builder code, and is similar to Nitrogen ransomware, but a coding mistake in the ESXi malware causes it to encrypt all the files with the wrong public key, irrevocably corrupting them. This means that even the threat actor is incapable of decrypting them, and that victims that are without viable backups have no ability to recover their ESXi encrypted servers. Paying a ransom will not assist these victims, as the decryption key/tool will not work."
        https://www.coveware.com/blog/2026/2/2/nitrogen-ransomware-esxi-malware-has-a-bug
        https://www.theregister.com/2026/02/04/nitrogen_ransomware_broken_decryptor/

      Breaches/Hacks/Leaks

      • Coinbase Confirms Insider Breach Linked To Leaked Support Tool Screenshots
        "Coinbase has confirmed an insider breach after a contractor improperly accessed the data of approximately thirty customers, which BleepingComputer has learned is a new incident that occurred in December. "Last year our security team detected that a single Coinbase contractor improperly accessed customer information, impacting a very small number of users (approximately 30)," a Coinbase spokesperson told BleepingComputer."
        https://www.bleepingcomputer.com/news/security/coinbase-confirms-insider-breach-linked-to-leaked-support-tool-screenshots/
      • Harvard, UPenn Data Leaked In ShinyHunters Shakedown
        "Cyber extortion group ShinyHunters claimed responsibility Wednesday for late 2025 attacks against Harvard University and the University of Pennsylvania, publishing on a darkweb leak site what they claimed were more than 2 million records stolen from the two Ivy League schools. Threat intelligence firm Hudson Rock, which reviewed the leaked Harvard data, said it includes admissions and fundraising information, and details such as "top donors," as well as spouses, widows, parents, current students and family members who are prospective students. This serves not only as a "social graph" revealing "wealth bands" and details of "domestic intimacy," the firm said."
        https://www.bankinfosecurity.com/harvard-upenn-data-leaked-in-shinyhunters-shakedown-a-30677
      • Big Breach Or Smooth Sailing? Mexican Gov't Faces Leak Allegations
        "The information of more than a quarter (28%) of Mexico's population may be at risk following the leak of 2.3TB of data online by a hacktivist group, but Mexico's cybersecurity and digital-technology agency, the Agencia de Transformación Digital y Telecomunicaciones (ATDT), downplayed the significance of any potential compromise."
        https://www.darkreading.com/cyberattacks-data-breaches/big-breach-or-nada-de-nada-mexican-govt-faces-leak-allegations

      General News

      • Harassment, Scare Tactics, & Why Victims Should Never Pay ShinyHunters
        "There is an unusual wave of ongoing ransomware attacks that involve data theft by members of The Com. This type of ransomware attack threatens to leak the stolen data publicly but does not involve encryption nor does it require the victim to purchase a decryption key. Corporate victims are simultaneously harassed, which is designed to be emotionally triggering and overwhelming. This ransomware campaign is related to a group that calls itself by a number of names, including "ShinyHunters", or "Scattered Lapsus Hunters", or "Scattered Lapsus Shiny Hunters", or "SLSH". This Com group and their activity are distinct from previous iterations of groups that used the moniker "Shiny Hunters" before 2025."
        https://blog.unit221b.com/dont-read-this-blog/harassment-scare-tactics-why-victims-should-never-pay-shinyhunters
        https://www.bankinfosecurity.com/victims-are-rebuffing-ransomware-mass-data-theft-campaigns-a-30676
      • Cofense Report Reveals AI-Powered Phishing Accelerated To One Attack Every 19 Seconds
        "Cofense, the leading provider of intelligence-driven post-perimeter phishing defense, today released its latest threat intelligence report, The New Era of Phishing: Threats Built in the Age of AI, revealing how AI technologies are now central to how threat actors operate, fundamentally transforming the speed, scale, and sophistication of modern phishing attacks."
        https://cofense.com/blog/cofense-report-reveals-ai-powered-phishing-accelerated-to-one-attack-every-19-seconds
        https://www.infosecurity-magazine.com/news/ai-double-volume-phishing-attacks/
      • Ransomware Attacks Have Surged 30% Since Q4 2025
        "Ransomware groups claimed more than 2,000 attacks in the last three months of 2025 – and they’re starting 2026 at the same elevated pace. Cyble recorded 2,018 claimed attacks by ransomware groups in the fourth quarter of 2025, an average of just under 673 a month. The threat groups maintained that pace in January 2026, claiming 679 ransomware victims."
        https://cyble.com/blog/ransomware-groups-q4-2025-cyble-report/
      • AI May Supplant Pen Testers, But Oversight & Trust Are Not There Yet
        "While current artificial intelligence (AI) agents and large language models (LLMs) continue to have significant issues in finding vulnerabilities and conducting penetration tests, they are already augmenting many human pen testers and even supplanting them. Problems such as false positives continue to be significant, and human ingenuity and creativity will remain essential for discovering novel or complex vulnerabilities, such as timing attacks, experts say. However, AI pen-testing tools and services are quickly improving, with the majority of pen testers already augmenting their workflow with AI technologies — a use case that will only increase."
        https://www.darkreading.com/cybersecurity-operations/ai-supplant-pen-testers-oversight-trust-not-there-yet
      • Cyber Insights 2026: Cyberwar And Rising Nation State Threats
        "Entering the cyber world is stepping into a warzone. Cyber is considered a war zone, and what happens there is described as cyberwar. But it’s not that simple. War is conducted by nations (political), not undertaken by criminals (financial). Both are increasing in this war zone we call cyber, but the political threat is growing fast. Cyberwar is a complex subject, and a formal definition is difficult. Opinions vary over whether there is any effective difference between common cybercriminal and nation state aggression – and, if there is, whether defenders need to understand or act upon that difference."
        https://www.securityweek.com/cyber-insights-2026-cyberwar-and-rising-nation-state-threats/
      • Detecting Backdoored Language Models At Scale
        "Today, we are releasing new research on detecting backdoors in open-weight language models. Our research highlights several key properties of language model backdoors, laying the groundwork for a practical scanner designed to detect backdoored models at scale and improve overall trust in AI systems."
        https://www.microsoft.com/en-us/security/blog/2026/02/04/detecting-backdoored-language-models-at-scale/
        https://arxiv.org/pdf/2602.03085
        https://thehackernews.com/2026/02/microsoft-develops-scanner-to-detect.html
      • The First 90 Seconds: How Early Decisions Shape Incident Response Investigations
        "Many incident response failures do not come from a lack of tools, intelligence, or technical skills. They come from what happens immediately after detection, when pressure is high, and information is incomplete. I have seen IR teams recover from sophisticated intrusions with limited telemetry. I have also seen teams lose control of investigations they should have been able to handle. The difference usually appears early. Not hours later, when timelines are built, or reports are written, but in the first moments after a responder realizes something is wrong."
        https://thehackernews.com/2026/02/the-first-90-seconds-how-early.html

Reference
Electronic Transactions Development Agency (ETDA)

Posted in Cyber Security News
      NCSA_THAICERT
    • Cyber Threat Intelligence 04 February 2026

      Financial Sector

      • The Three Most Disruptive Cyber Trends Impacting The Financial Industry Today
        "The financial sector experienced an unprecedented rise in cyber incidents in 2025, with attacks more than doubling from 864 in 2024 to 1,858 in 2025. This acceleration reflects a dramatic shift in threat actor behavior, ranging from ideologically-motivated disruptions to commercialized cyber crime as a service. Below is a concise snapshot of the three dominant trends before we unpack them in detail."
        https://blog.checkpoint.com/research/the-three-most-disruptive-cyber-trends-impacting-the-financial-industry-today/

      Vulnerabilities

      • SQL Injection Vulnerability In Quiz And Survey Master (QSM) Plugin Affecting 40k+ Sites
        "The QSM plugin, with over 40,000 active installations, is a plugin for creating quizzes, surveys, and forms. It includes advanced features like multimedia support and a drag-and-drop quiz builder. In versions 10.3.1 and below, the QSM plugin is vulnerable to SQL injection, allowing any logged-in user to inject commands into the database. This means any Subscriber or higher user is able to perform a wide variety of unwanted actions, including potentially extracting sensitive information stored in the site's database."
        https://patchstack.com/articles/sql-injection-vulnerability-in-quiz-and-survey-master-qsm-plugin-affecting-40k-sites/
        https://www.infosecurity-magazine.com/news/wordpress-sql-injection-flaw-40000/
      • CISA Adds Four Known Exploited Vulnerabilities To Catalog
        "CISA has added four new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
        CVE-2019-19006 Sangoma FreePBX Improper Authentication Vulnerability
        CVE-2021-39935 GitLab Community and Enterprise Editions Server-Side Request Forgery (SSRF) Vulnerability
        CVE-2025-40551 SolarWinds Web Help Desk Deserialization of Untrusted Data Vulnerability
        CVE-2025-64328 Sangoma FreePBX OS Command Injection Vulnerability"
        https://www.cisa.gov/news-events/alerts/2026/02/03/cisa-adds-four-known-exploited-vulnerabilities-catalog
        https://www.bleepingcomputer.com/news/security/cisa-flags-critical-solarwinds-rce-flaw-as-actively-exploited/
        https://therecord.media/cisa-orders-agencies-patch-solarwinds-vuln
        https://securityaffairs.com/187592/security/u-s-cisa-adds-solarwinds-web-help-desk-sangoma-freepbx-and-gitlab-flaws-to-its-known-exploited-vulnerabilities-catalog.html
      • DockerDash: Two Attack Paths, One AI Supply Chain Crisis
        "Noma Labs discloses the discovery of DockerDash. DockerDash is a critical security flaw in Docker’s Ask Gordon AI (beta) assistant that exploits the entire execution chain from AI interpretation to tool execution. In DockerDash, a single malicious metadata label in a Docker image can be used to compromise your Docker environment through a simple three-stage attack: Gordon AI reads and interprets the malicious instruction, forwards it to the MCP Gateway, which then executes it through MCP tools. Every stage happens with zero validation, taking advantage of current agents and MCP Gateway architecture."
        https://noma.security/blog/dockerdash-two-attack-paths-one-ai-supply-chain-crisis/
        https://thehackernews.com/2026/02/docker-fixes-critical-ask-gordon-ai.html
        https://www.infosecurity-magazine.com/news/dockerdash-weakness-dockers-ask/
      • Hacking Moltbook: The AI Social Network Any Human Can Control
        "Moltbook, the weirdly futuristic social network, has quickly gone viral as a forum where AI agents post and chat. But what we discovered tells a different story - and provides a fascinating look into what happens when applications are vibe-coded into existence without proper security controls. We identified a misconfigured Supabase database belonging to Moltbook, allowing full read and write access to all platform data. The exposure included 1.5 million API authentication tokens, 35,000 email addresses, and private messages between agents. We immediately disclosed the issue to the Moltbook team, who secured it within hours with our assistance, and all data accessed during the research and fix verification has been deleted."
        https://www.wiz.io/blog/exposed-moltbook-database-reveals-millions-of-api-keys
        https://www.infosecurity-magazine.com/news/moltbook-exposes-user-data-api/
      • 1-Click RCE To Steal Your Moltbot Data And Keys (CVE-2026-25253)
        "OpenClaw (formerly Moltbot and ClawdBot), the open-source AI personal assistant that can take actions on your behalf, is the most popular topic on X right now. It is already trusted by over 100,000 developers to hold the keys to their digital life, from iMessage/WhatsApp/Slack access to unrestricted local computer control. But when you grant an agent "god mode" permissions, the margin for error vanishes. While the community celebrated its capabilities, depthfirst General Security Intelligence silently audited its code and found a critical vulnerability. I investigated the finding, combined it with a vulnerability I discovered, and chained them into a 1-Click Remote Code Execution (RCE) exploit. With this exploit, a single visit to a malicious webpage was enough to hack your computer and AI assistant."
        https://depthfirst.com/post/1-click-rce-to-steal-your-moltbot-data-and-keys
        https://www.securityweek.com/vulnerability-allows-hackers-to-hijack-openclaw-ai-assistant/
• DIY AI Bot Farm OpenClaw Is A Security 'Dumpster Fire'
        "OpenClaw, the AI-powered personal assistant users interact with via messaging apps and sometimes entrust with their credentials to various online services, has prompted a wave of malware and is delivering some shocking bills. Just last week, OpenClaw was known as Clawdbot, a name that its developers changed to Moltbot before settling on the new moniker."
        https://www.theregister.com/2026/02/03/openclaw_security_problems/

      Malware

      • Dual-Mode Citrix Gateway Reconnaissance: When Residential Proxies Meet Version Hunting
        "Between January 28 and February 2, 2026, the GreyNoise Global Observation Grid tracked a coordinated reconnaissance campaign against Citrix ADC Gateway and Netscaler Gateway infrastructure. The campaign ran two distinct modes: a massive distributed login panel discovery operation using residential proxy rotation, and a concentrated AWS-hosted version disclosure sprint. The numbers tell the story: 111,834 sessions, 63,000+ unique source IPs, and a 79% targeting rate against Citrix Gateway honeypots specifically. That last number matters—it’s well above baseline scanning noise, indicating deliberate infrastructure mapping rather than opportunistic crawling."
        https://www.labs.greynoise.io/grimoire/2026-02-02-citrix-recon-residential-proxies/index.html
        https://www.bleepingcomputer.com/news/security/wave-of-citrix-netscaler-scans-use-thousands-of-residential-proxies/
      • Metro4Shell: Exploitation Of React Native’s Metro Server In The Wild
        "VulnCheck observed exploitation of CVE-2025-11953 on December 21, 2025, when our Canary network recorded exploitation of a Metro Development Server. The vulnerability, which we jokingly refer to as Metro4Shell, was automatically added to VulnCheck KEV the same day. Additional exploitation observed in January delivered the same payloads on January 4, 2026 and January 21, 2026, indicating continued operational use. Now, more than a month after initial exploitation in the wild, that activity has yet to see broad public acknowledgment, and EPSS continues to assign a low exploitation probability of 0.00405. This gap between observed exploitation and wider recognition matters, particularly for vulnerabilities that are easy to exploit and, as internet-wide search data shows, exposed on the public internet."
        https://www.vulncheck.com/blog/metro4shell_eitw
        https://www.bleepingcomputer.com/news/security/hackers-exploit-critical-react-native-metro-bug-to-breach-dev-systems/
        https://thehackernews.com/2026/02/hackers-exploit-metro4shell-rce-flaw-in.html
        https://securityaffairs.com/187587/hacking/hackers-abused-react-native-cli-flaw-to-deploy-rust-malware-before-public-disclosure.html
        https://www.securityweek.com/critical-react-native-vulnerability-exploited-in-the-wild/
        https://www.theregister.com/2026/02/03/critical_react_native_metro_server/
      • Fake Installer: Ultimately, ValleyRAT Infection
"Cybereason Security Services issue Threat Analysis reports to inform on impacting threats. The Threat Analysis reports investigate these threats and provide practical recommendations for protecting against them. In this Threat Analysis report, Cybereason Security Services investigates a fake installer attack we recently observed multiple times. We identified some findings that have not been documented in previous reports and obtained new threat intelligence insights from the malware."
        https://www.cybereason.com/blog/fake-installer-valleyrat
      • AI-Assisted Cloud Intrusion Achieves Admin Access In 8 Minutes
        "On November 28, 2025, the Sysdig Threat Research Team (TRT) observed an offensive cloud operation targeting an AWS environment in which the threat actor went from initial access to administrative privileges in less than 10 minutes. The attack stood out not only for its speed, but also for multiple indicators that suggest the threat actor leveraged large language models (LLMs) throughout the operation to automate reconnaissance, generate malicious code, and make real-time decisions."
        https://www.sysdig.com/blog/ai-assisted-cloud-intrusion-achieves-admin-access-in-8-minutes
        https://www.darkreading.com/cloud-security/8-minute-access-ai-aws-environment-breach
      • Researchers Warn Of New “Vect” RaaS Variant
        "Security researchers have discovered a new ransomware-as-a-service (RaaS) group which has already victimized organizations in Brazil and South Africa. Dubbed “Vect,” the group is currently onboarding affiliates after launching a recruitment program in December 2025, according to ransomware specialist Halcyon. The group has claimed that its malware was built using C++ rather than repurposing leaked source code from the likes of Lockbit 3.0 or Conti, as is more common."
        https://www.infosecurity-magazine.com/news/researchers-warn-new-vect-raas/
        https://redpiranha.net/news/threat-intelligence-report-january-6-january-12-2026
      • Infostealers Without Borders: MacOS, Python Stealers, And Platform Abuse
        "Infostealer threats are rapidly expanding beyond traditional Windows-focused campaigns, increasingly targeting macOS environments, leveraging cross-platform languages such as Python, and abusing trusted platforms and utilities to silently deliver credential-stealing malware at scale. Since late 2025, Microsoft Defender Experts has observed macOS targeted infostealer campaigns using social engineering techniques—including ClickFix-style prompts and malicious DMG installers—to deploy macOS-specific infostealers such as DigitStealer, MacSync, and Atomic macOS Stealer (AMOS)."
        https://www.microsoft.com/en-us/security/blog/2026/02/02/infostealers-without-borders-macos-python-stealers-and-platform-abuse/

      Breaches/Hacks/Leaks

      • Step Finance Says Compromised Execs' Devices Led To $40M Crypto Theft
        "Step Finance announced that it lost $40 million worth of digital assets after hackers compromised devices belonging to the company's team of executives. The platform detected the breach on January 31 and engaged cybersecurity researchers who helped it recover some of the stolen assets. Step Finance is a decentralized finance (DeFi) platform and analytics tool built on the Solana blockchain that allows users to visualize, track, analyze, and manage their crypto assets and positions."
        https://www.bleepingcomputer.com/news/security/step-finance-says-compromised-execs-devices-led-to-40m-crypto-theft/
      • Iron Mountain: Data Breach Mostly Limited To Marketing Materials
"Iron Mountain, a leading data storage and recovery services company, says that a recent breach claimed by the Everest extortion gang is limited to mostly marketing materials. Headquartered in Portsmouth, New Hampshire, and founded in 1951, Iron Mountain specializes in data centers and records management, and has over 240,000 customers worldwide from more than 61 countries, including 95% of the Fortune 1000. The company's statement comes after the cybercrime group claimed on its dark web leak site that it had stolen 1.4 TB of 'internal company documents' containing 'personal documents and information on clients.'"
        https://www.bleepingcomputer.com/news/security/iron-mountain-data-breach-mostly-limited-to-marketing-materials/
      • Everest Ransomware Claims 90GB Data Theft Involving Legacy Polycom Systems
        "The Everest ransomware group has claimed responsibility for a data breach involving systems linked to Polycom, a legacy enterprise communications brand that was acquired by HP Inc. in 2022 and rebranded as Poly (HP Poly). The group alleges it obtained approximately 90GB of internal data. However, available evidence suggests the material may originate from legacy Polycom engineering or development environments that predate HP Inc.’s acquisition of the company."
        https://hackread.com/everest-ransomware-data-theft-legacy-polycom-system/

      General News

      • AI, Explain Yourself: Why Is Explainable AI (XAI) Becoming Critical For Cybersecurity?
        "It is ubiquitously accepted that AI is our most efficient counterpart. We’re all using it to some capacity, trusting and relying on its abilities not to replace, but to enhance our everyday lives. But just like human intelligence, understanding must be subjected to questioning time and again — artificial intelligence needs to be challenged similarly. AI models rely on inputs, perform data processing and normalization, use feature extraction, learn to assign weights and biases during training, to arrive at an output that they consider the most appropriate. This decision-making process is often complex and unclear, raising a critical question: why does AI arrive at a certain output the way it does?"
        https://www.group-ib.com/blog/xai-cybersecurity/
      • Open-Source Attacks Move Through Normal Development Workflows
        "Software development relies on a steady flow of third-party code, automated updates, and fast release cycles. That environment has made the software supply chain a routine point of entry for attackers, with malicious activity blending into normal build and deployment processes. A recent ReversingLabs study documents how these conditions played out across open source ecosystems during 2025, with attackers leaning on scale, trust, and automation to spread malware and harvest credentials."
        https://www.helpnetsecurity.com/2026/02/03/open-source-attacks-supply-chain-development-workflows/
      • Dark Patterns Undermine Security, One Click At a Time
        "Cookie banners with a "no reject" option. Free trial subscriptions that are absurdly difficult to cancel. Hidden refund options. Misleading email access requests. The list of dark patterns – deceptive user interface designs that toe the line between malicious and benign – grows more extensive by the year. Organizations plaster dark patterns across their websites as a marketing tactic or to enhance user experience. But they can be designed in ways that lure consumers into blindly giving more money or personal data."
        https://www.darkreading.com/cyber-risk/dark-patterns-undermine-security-one-click-at-a-time
      • International AI Safety Report 2026
        "The second International AI Safety Report, published in February 2026, is the next iteration of the comprehensive review of latest scientific research on the capabilities and risks of general-purpose AI systems. Led by Turing Award winner Yoshua Bengio and authored by over 100 AI experts, the report is backed by over 30 countries and international organisations. It represents the largest global collaboration on AI safety to date."
        https://internationalaisafetyreport.org/publication/international-ai-safety-report-2026
        https://www.theregister.com/2026/02/03/autonomous_cyberattacks_not_real_yet/
      • CISA Updated Ransomware Intel On 59 Bugs Last Year Without Telling Defenders
        "On 59 occasions throughout 2025, the US Cybersecurity and Infrastructure Security Agency (CISA) silently tweaked vulnerability notices to reflect their use by ransomware crooks. Experts say that's a problem. "Frustrated" by the agency failing to notify defenders when key pieces of intel change, Glenn Thorpe, senior director of security research and detection engineering at GreyNoise, counted the number of missed opportunities to potentially stop ransomware attacks last year."
        https://www.theregister.com/2026/02/03/greynoise_cisa_ransomware_gripe/

Reference
Electronic Transactions Development Agency (ETDA)

Posted in Cyber Security News
NCSA_THAICERT
• Over 200 fake Skills found on OpenClaw hiding password-stealing malware

Follow the news on the webboard or on Facebook NCSA Thailand

Posted in Cyber Security News
NCSA_THAICERT
• Panera Bread data breach affects 5.1 million user accounts, confirmed by HIBP

Posted in Cyber Security News
NCSA_THAICERT
• APT28 hackers exploit recently patched Microsoft Office vulnerability to attack Ukrainian and European government agencies

Posted in Cyber Security News
NCSA_THAICERT