Industrial Sector
- Rockwell Automation Patches Vulnerabilities In ICS Controllers And Software
"Rockwell Automation informed customers on Tuesday that patches are available for several vulnerabilities affecting its Logix and CompactLogix controllers, Flex I/O dual-port Ethernet/IP adapters, RSLinx industrial communication software, and FactoryTalk automation suite. In FactoryTalk Historian Site Edition the industrial giant patched three high- and critical-severity vulnerabilities that can be exploited to bypass authentication and launch DoS attacks."
https://www.securityweek.com/rockwell-automation-patches-vulnerabilities-in-ics-controllers-and-software/
New Tooling
- Microsoft AntiSSRF Open-Source Library Helps Block Server-Side Request Forgery
"AntiSSRF is an open-source code library from Microsoft that validates URLs and network connections to reduce server-side request forgery (SSRF) risks in web applications. It supports .NET and Node.js applications and is distributed under the MIT license. The library works as a drop-in component, giving developers a way to check untrusted input before their applications make outbound requests."
https://www.helpnetsecurity.com/2026/06/17/microsoft-antissrf-open-source-library/
https://github.com/microsoft/AntiSSRF
Vulnerabilities
- Oracle’s Second Monthly Security Updates Deliver 245 Patches
"Oracle on Tuesday announced the release of its June 2026 Critical Security Patch Update (CSPU), the second since it began releasing monthly patches. The company still releases its quarterly Critical Patch Updates, but it recently decided to supplement them with monthly patches to address more severe vulnerabilities. The software giant said the latest round of CSPU updates delivers 245 new patches, including for Communications, E-Business Suite, Enterprise Manager, Fusion Middleware, JD Edwards, MySQL, PeopleSoft, Siebel CRM, Supply Chain, Systems, and Virtualization products."
https://www.securityweek.com/oracles-second-monthly-security-updates-deliver-245-patches/ - Microsoft Working On Defender Patch For RoguePlanet Zero-Day
"Microsoft confirmed that it's working on a security patch for a Defender zero-day vulnerability named "RoguePlanet," disclosed one week ago. The security researcher who published a RoguePlanet exploit during the June 2026 Patch Tuesday (known as Nightmare Eclipse) said it affects fully patched Windows 10 and Windows 11 devices and allows attackers to spawn command prompts with SYSTEM privileges via a Microsoft Defender race condition. He shared a proof-of-concept exploit in a self-hosted Git repository, claiming that Microsoft had previously targeted and removed their repos hosting exploits on GitHub and GitLab."
https://www.bleepingcomputer.com/news/microsoft/microsoft-working-on-defender-patch-for-rogueplanet-zero-day/
https://thehackernews.com/2026/06/microsoft-confirms-rogueplanet-defender_02022423645.html
https://www.securityweek.com/microsoft-working-on-patch-for-rogueplanet-zero-day/
https://www.helpnetsecurity.com/2026/06/17/rogueplanet-zero-day-cve-2026-50656/
Malware
- FortiBleed: 75,000 Fortinet Firewalls Compromised: Global Enterprises Exposed – Claim Your Ethical Disclosure
"Fortinet firewalls and VPN gateways serve as the primary defensive perimeter for countless organizations worldwide. However, a massive new cyber espionage campaign has silently compromised these highly trusted devices on an unprecedented global scale. Originally discovered by security researcher Volodymyr “Bob” Diachenko, with further analysis from Hudson Rock and cybersecurity expert Kevin Beaumont, this dataset exposes a massive, automated operation. Threat actors successfully targeted 73,932 unique firewall URLs across 194 countries, resulting in 21,632 unique affected domains. Astonishingly, as Beaumont highlighted, this represents roughly 50% of all Fortinet firewall devices currently facing the internet."
https://www.infostealers.com/article/fortibleed-75000-fortinet-firewalls-compromised-global-enterprises-exposed-claim-your-ethical-disclosure/
https://www.bleepingcomputer.com/news/security/fortibleed-leak-exposes-fortinet-vpn-credentials-for-73-000-devices/
https://www.darkreading.com/cyberattacks-data-breaches/sweeping-credential-harvesting-heist-compromises-30k-fortinet-devices
https://cyberscoop.com/fortinet-fortisandbox-vulnerabilities-exploits/
https://hackread.com/fortibleed-attack-fortinet-firewalls-credentials/
https://www.theregister.com/cyber-crime/2026/06/17/massive-password-stealing-attack-hits-75k-fortinet-firewalls/5257877 - What Is The True Nature Of The Shortcut File I Thought Was a Privacy Consent Form?
"Evidence has recently emerged that Malicious Files posing as “Consent Forms for the Collection and Use of Personal Information” have been circulating. Threat actors use file names that are easily mistaken for work documents to trick users into running them. These files are not actual documents but shortcut files; when executed, they collect PC information through hidden commands and may lead to further malicious behavior."
https://asec.ahnlab.com/en/94164/ - It Looks Like a Normal Resume, But The Infection Begins The Moment It Is Opened.
"Malicious shortcut files disguised as resume files have recently been circulating, requiring corporate users to exercise caution. Threat actors name the files to resemble resume documents containing company names and job titles, and when executed, they display a legitimate decoy file alongside the malicious file to lower the user’s suspicion. The file then downloads additional malicious files and attempts to execute backdoor malware, establishing persistence through methods such as registering with the Task Scheduler, adding items to the Startup folder, and DLL side-loading."
https://asec.ahnlab.com/en/94165/ - 144 Mastra Npm Packages Compromised Via Hijacked Contributor Account
"As many as 144 npm packages associated with the Mastra namespace ("@mastra/*"), a popular open-source JavaScript and TypeScript framework for building artificial intelligence (AI) applications, have been compromised as part of a software supply chain attack codenamed easy-day-js, per findings from Endor Labs, JFrog, SafeDep, Socket, and StepSecurity. "A single npm account (ehindero) mass-published more than 140 malicious packages across the Mastra scope within a short window on 2026-06-17," Socket said."
https://thehackernews.com/2026/06/144-mastra-npm-packages-compromised-via.html
https://socket.dev/blog/mastra-npm-packages-compromised
https://www.bankinfosecurity.com/mastra-ai-framework-poisoned-in-npm-supply-chain-attack-a-32003 - From Stars To Upvotes: The Fake Reputation Economy Behind a Crypto Clipboard Hijackers
"Most malware campaigns try to hide. This one does the opposite, it works hard to look loved. Check Point Research analyzed a cryptocurrency clipboard hijacker (a “clipper”) hidden inside a collection of “tools” that promise users an unfair edge: Solana and Pump.fun sniper bots, an “Aviator Predictor,” and various crash-game predictors. The targets are crypto holders and online gamblers already hunting for shortcuts and quick, automated profits."
https://blog.checkpoint.com/research/from-stars-to-upvotes-the-fake-reputation-economy-behind-a-crypto-clipboard-hijackers/
https://research.checkpoint.com/2026/from-stars-to-upvotes-fake-reputation-fueling-a-crypto-clipboard-hijacker/
https://thehackernews.com/2026/06/crypto-clipper-campaign-abuses-fake.html - Elon Musk, The IRS, And Your Bank Account: Anatomy Of a Multi-Stage Financial Scam
"Recently, the Cofense Intelligence team reported on an Internal Revenue Service (IRS)-spoofing email that claims to offer a $5,000 tax refund through an Elon Musk cryptocurrency initiative. This email instead redirects to a credential phishing page and a fake cryptocurrency market that is used to steal personally identifiable information (PII) and Bitcoin. This campaign is notable for its extensive amount of stolen PII, which would allow threat actors to easily steal identities and pivot to social engineering attacks on a victim’s financial, government, or online service accounts. This report is a follow-up from a prior report, From Tax Refund to Total Compromise: IRS-Themed Phishing Email Drives Full-Stack Financial Fraud, that covered this campaign at a high level. This report will focus more heavily on details regarding the full extent of the cryptocurrency scam website and how the threat actors are able to use stolen PII from this campaign to pivot towards other tactics."
https://cofense.com/blog/elon-musk,-the-irs,-and-your-bank-account-anatomy-of-a-multi-stage-financial-scam - From Emerging Threat To Top-Tier Ransomware-As-a-Service: The Evolution Of INC Ransomware
"INC has evolved from an emerging ransomware-as-a-service (RaaS) operation into one of the most active ransomware groups in 2026, claiming more than 800 victims since 2023. The disruption of LockBit and the shutdown of BlackCat created opportunities for INC to expand as affiliates migrated to alternative ransomware operations. Both the Windows and Linux/ESXi encryptors have been rewritten in Rust, enabling cross-platform development and increasing analysis complexity."
https://www.acronis.com/en/tru/posts/from-emerging-threat-to-top-tier-ransomware-as-a-service-the-evolution-of-inc-ransomware/
https://www.darkreading.com/cyberattacks-data-breaches/inc-ransomware-thrives-by-mastering-the-basics - GitBait: Phishing The Mexican Financial Sector
"A modular phishing infrastructure targeting multiple Mexican banks has been uncovered, abusing GitHub-hosted Pages, employing obfuscated scripts, and featuring a centralized credential exfiltration via SheetBest API, indicating a scalable and persistent multi-brand phishing operation."
https://www.group-ib.com/blog/gitbait-phishing-mexico-banking-finance/
https://www.infosecurity-magazine.com/news/gitbait-github-pages-sheetbest/ - Roblox Developers Are Losing Entire Games To Malware Attacks
"Account theft usually ends with someone losing a password. This one ends with hackers walking off with the entire game. Developers behind some of Roblox’s millions of games told 404 Media that attackers persuaded them to run a single file. Then they watched their group, their game, and their Robux (in-platform currency) balance vanish into someone else’s account within hours. In several cases, Roblox support didn’t help them get the games back until a reporter called the company for comment."
https://www.malwarebytes.com/blog/scams/2026/06/roblox-developers-are-losing-entire-games-to-malware-attacks - ClickFix Campaign Generated Via AI Delivers SmartRAT
"In March 2026, Zscaler ThreatLabz observed multiple instances of typosquatting domains hosting malicious content generated with AI-powered website creation tools. Threat actors are leveraging website builders to create convincing lures quickly and at scale, with capabilities ranging from basic credential theft to a ClickFix campaign that delivers remote access trojans (RATs)."
https://www.zscaler.com/blogs/security-research/clickfix-campaign-generated-ai-delivers-smartrat - Cato CTRL
Threat Research: Operation Poisson – Analyzing a Cybercriminal’s Entire Operation
"Cato CTRL recently analyzed an operator’s command-and-control (C2) server’s entire 33 days operation, including the steps he took to preserve access after the takedown. 339 commands. Four French victims. Between March 30 and May 1, 2026, Cato CTRL studied every command issued by a French-speaking threat actor (“Poisson”) against one French automotive small business and four French individuals. With that insight, we can say with certainty, not as a prediction, that techniques like VPN-mesh-based-persistence are already in active use right now, and that taking down a C2 server is no longer sufficient for remediation."
https://www.catonetworks.com/blog/cato-ctrl-operation-poisson-analyzing-a-cybercriminals-entire-operation/
https://thehackernews.com/2026/06/junior-hacker-used-tailscale-and.html - Inside a WooCommerce Payment Skimmer: How Carders Moved From Phishing Pages To Checkout Backdoors
"For years, the entry point for stolen card data was the fake page: bogus loan portals, reward-claim sites, parcel-redelivery lures, and lookalike bank logins that tricked victims into typing their card details into an attacker-controlled form. CloudSEK's HUMINT engagements with operators active on carding marketplaces (Savastan0, Cvvhub, Jerrys, Zillion, Proton, VClub, Pepe, CVV-focused shops, and several invite-only forums) indicate a clear shift in tradecraft. The more technical actors have largely abandoned standalone phishing for direct compromise of legitimate e-commerce sites gaining web-shell access, planting a backdoor in or around the payment flow, and silently harvesting card data from real customers during genuine purchases."
https://www.cloudsek.com/blog/woocommerce-payment-skimmer-card-data-theft-checkout-backdoor - GoFlateLoader: A Widespread Golang Loader Delivering Multiple Infostealers
"Not every threat that matters is technically sophisticated, and that is also the case with GoFlateLoader, which is a rather simple loader written in Go, whose sole purpose is to decode and execute the payload in memory. What stands out the most is not what the loader does but rather what it does not do – it comes without anti-debugging, anti-VM, or sandbox-evasion checks, and also lacks API hashing or CFG obfuscation, the kind of tricks that loaders almost always come with. Instead, GoFlateLoader relies on one of the simplest yet still effective tricks to stay under the radar – it appends a massive PE overlay at the end of the file, deliberately inflating the binary's size (hence the name GoFlateLoader)."
https://www.gendigital.com/blog/insights/research/goflateloader-delivers-multiple-infostealers
Breaches/Hacks/Leaks
- Kodak Confirms Data Breach Claimed By ShinyHunters Extortion Gang
"Kodak has confirmed that it's working with external cybersecurity experts to investigate a security breach after hackers gained access to some of the company's data. Founded in 1880 as the Eastman Kodak Company and headquartered in Rochester, New York, Kodak has 79,000 worldwide patents and provides commercial print, advanced materials, and chemical products. A company spokesperson told BleepingComputer that attackers only accessed a "limited amount" of data in the incident, but didn't reply to a subsequent email asking if they breached Kodak's internal network."
https://www.bleepingcomputer.com/news/security/kodak-confirms-data-breach-claimed-by-shinyhunters-extortion-gang/
General News
- SpyCloud Report Finds Phishing Attacks Surge As Employee Data Is Exposed At 86% Of Fortune 100 Companies
"SpyCloud, the leader in identity threat protection, today released its 2026 Phishing Pulse Report, revealing that phishing attacks continue to increase in both volume and sophistication for enterprise organizations as artificial intelligence and phishing-as-a-service (PhaaS) platforms enable threat actors to launch highly effective campaigns at scale. Based on a survey of security professionals at organizations with more than 1,000 employees, SpyCloud found that 78% of organizations experienced an increase in phishing volume over the past 12 months, while 84% say AI-generated phishing attacks are becoming more prevalent or harder to defend against."
https://hackread.com/spycloud-report-finds-phishing-attacks-surge-as-employee-data-is-exposed-at-86-of-fortune-100-companies/
https://spycloud.com/resource/report/phishing-pulse-report-2026/ - Low-Skilled Attacker Used Claude, Codex To Breach 14 Companies
"Researchers have long warned that AI agents could lower the skill floor for offensive cyber operations, and a recent report by OALABS (Open Analysis) researchers bears that out. After recovering and analyzing over 1,000 agent sessions from a compromised server on which an attacker deployed Anthropic’s Claude Code and OpenAI’s Codex agents, the researchers discovered how easily the attacker was able to bypass most of the agents’ guardrails, and how little he actually needed to know and do himself."
https://www.helpnetsecurity.com/2026/06/17/ai-agents-offensive-cyber-operations-claude-codex/ - The SOC’s Visibility Gap Comes Down To Staffing
"AI has settled into security operations centers faster than any earlier wave of technology. Around four in five practitioners report reaching for AI or machine learning tools in their daily work. The catch shows up one layer down. Roughly a third of those same teams have built these tools into a defined workflow with structure, governance, and consistent validation. The rest pick up AI on their own, case by case, with no shared playbook for how it gets used or checked."
https://www.helpnetsecurity.com/2026/06/17/sans-ai-in-the-soc/
https://www.infosecurity-magazine.com/news/staffing-top-soc-challenge-ai/ - The Checklist Problem Behind Critical Infrastructure Cyber Safety
"An asset owner can meet major federal cyber compliance standards and still run equipment that lacks the engineering to withstand an attack or a failure. New research from George Mason University examines how United States cyber policy defines reasonable care for systems that control physical processes, and it finds that compliance has become a stand-in for safety."
https://www.helpnetsecurity.com/2026/06/17/usa-critical-infrastructure-cyber-safety/ - Sensitive Enterprise Data Uploads To AI Models Double In a Year
"The amount of sensitive enterprise data which employees uploaded to AI and machine learning applications has almost doubled in the last year, putting organizations at increased risk of data breaches and cyber espionage, a new report has warned. Published on June 17, the Zscaler 2026 AI Threat Report said that there has been a 93% year-over-year increase in employees transferring enterprise data to AI tools."
https://www.infosecurity-magazine.com/news/sensitive-ai-data-upload-doubles/ - AI Threats And Alert Fatigue Challenge Cybersecurity Teams
"A study conducted during Infosecurity Europe 2026 has found that AI-powered attacks at scale are the biggest security concern facing many cybersecurity professionals. The survey of 168 cybersecurity leaders across various sectors conducted by Filigran during the three-day event found 41% cited AI-powered attacks as a top challenge, double that of those who cited supply chain risk (21%) or unknown threats (21%)."
https://www.infosecurity-magazine.com/news/ai-threats-alert-fatigue-challenge/ - Cybercriminals Are Targeting EdTech: Data Breaches And Ransomware Attacks On The Rise
"The education technology (EdTech) sector has become a prime target for cybercriminals as attacks against educational institutions and related platforms continue to escalate. With sensitive data, including student records, employee information, and payment data, stored on EdTech systems, the sector has become an appealing target for cybercriminals seeking financial gain, data exploitation, and reputational damage. Recent high-profile incidents, including attacks by groups such as ShinyHunters and FulcrumSec, highlight the vulnerability of educational organizations and the increasing sophistication of cyber extortion tactics."
https://www.resecurity.com/blog/article/cybercriminals-are-targeting-edtech-data-breaches-and-ransomware-attacks-on-the-rise
https://securityaffairs.com/193777/data-breach/edtech-faces-a-cybersecurity-crisis-data-breaches-surge.html - What The ThreatLabz 2026 Phishing And Initial Access Report Means For The Public Sector
"It only takes one click. One convincing credential page, one well-timed lure impersonating a trusted agency workflow, and an attacker gains the initial access needed to move from inbox to identity to impact. That reality sits at the center of the ThreatLabz 2026 Phishing and Initial Access Report. While overall phishing volume in the Zscaler cloud fell 20% year over year, the campaigns that remain are more targeted, more AI-powered, and harder to distinguish from legitimate activity. ThreatLabz identified 413,524 AI-generated site instances across the analysis period, flagging 9% as malicious. These were produced by platforms like Manus AI, BlackBox AI, and Anything AI that allow attackers to spin up high-fidelity phishing infrastructure in minutes rather than days."
https://www.zscaler.com/blogs/security-research/what-threatlabz-2026-phishing-and-initial-access-report-means-public-sector - The Top 10 Attack Surface Exposures In 2026
"Breaches don't always start with a zero-day. An exposed admin panel can get brute-forced, or credentials reused from a previous attack. But when a vulnerability does drop — like MongoBleed earlier this year, which let attackers pull credentials and session tokens from server memory without authentication — anything internet-facing is immediately at risk. With time-to-exploit now down to a single day, the question isn't just how fast you can patch. It's why the service was exposed in the first place."
https://thehackernews.com/2026/06/the-top-10-attack-surface-exposures-in.html - Hostile States Behind Three-Quarters Of Attacks On Britain's Critical Infrastructure, Cyber Chief Warns
"Britain is already fighting the opening exchanges of future conflicts in cyberspace, the country’s cyber chief warned Wednesday, as he disclosed that hostile states are responsible for three-quarters of the attacks striking the country's critical national infrastructure. Richard Horne, chief executive of the National Cyber Security Centre (NCSC), said his teams had handled more than 200 incidents affecting critical infrastructure and its supporting ecosystem in the year to May, of which about 75% were believed to be the work of state actors."
https://therecord.media/britain-nation-state-cyberattacks-richard-horne-rusi
อ้างอิง
Electronic Transactions Development Agency (ETDA) 
