สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand 
Latest posts made by NCSA_THAICERT
-
Microsoft เร่งตรวจสอบปัญหา KB5068781 หลังอัปเดต ESU บน Windows 10 ล้มเหลวโพสต์ใน Cyber Security News
-
ASUS แก้ไขช่องโหว่ร้ายแรง CVE-2025-59367 ในเราเตอร์ DSLโพสต์ใน Cyber Security News
สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand
-
Logitech ยืนยันเหตุข้อมูลรั่วไหล ฝีมือกลุ่มแฮกเกอร์ Clop ผ่านช่องโหว่ซอฟต์แวร์ Third-partyโพสต์ใน Cyber Security News
สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand
-
พบช่องโหว่ด้านความปลอดภัยในผลิตภัณฑ์ FortiWeb แนะนำเร่งอัปเดตระบบทันทีโพสต์ใน Cyber Security News
เมื่อวันที่ 14 พฤศจิกายน 2568 Cybersecurity and Infrastructure Security Agency (CISA) มีการค้นพบช่องโหว่ด้านความปลอดภัยที่สำคัญในผลิตภัณฑ์ FortiWeb ซึ่งเป็นระบบที่ใช้ปกป้องเว็บไซต์ขององค์กรหลายแห่ง ทั้งภาครัฐและเอกชน โดยขณะนี้มีรายงานว่าแฮกเกอร์เริ่มนำช่องโหว่นี้ไปใช้โจมตีแล้ว
ช่องโหว่ดังกล่าวอาจเปิดทางให้ผู้ไม่หวังดีสามารถส่งคำสั่งไปควบคุมอุปกรณ์ได้ โดยไม่ต้องผ่านการยืนยันตัวตน ซึ่งอาจทำให้ระบบขององค์กรถูกแก้ไขหรือถูกสั่งการโดยไม่ได้รับอนุญาต
เวอร์ชันที่ได้รับผลกระทบ
- FortiWeb เวอร์ชัน 8.0.0 – 8.0.1
- FortiWeb เวอร์ชัน 7.6.0 – 7.6.4
- FortiWeb เวอร์ชัน 7.4.0 – 7.4.9
- FortiWeb เวอร์ชัน 7.2.0 – 7.2.11
- FortiWeb เวอร์ชัน 7.0.0 – 7.0.11
คำแนะนำสำหรับหน่วยงานที่ใช้งาน
เพื่อความปลอดภัยของระบบ ขอให้องค์กรดำเนินการดังต่อไปนี้โดยเร็ว:
อัปเดตระบบเป็นเวอร์ชันที่ได้รับการแก้ไขแล้ว ตามคำแนะนำของ Fortinetเวอร์ชันเดิม แนวทางแก้ไข
8.0.0 – 8.0.1 อัปเดตเป็น 8.0.2 ขึ้นไป
7.6.0 – 7.6.4 อัปเดตเป็น 7.6.5 ขึ้นไป
7.4.0 – 7.4.9 อัปเดตเป็น 7.4.10 ขึ้นไป
7.2.0 – 7.2.11 อัปเดตเป็น 7.2.12 ขึ้นไป
7.0.0 – 7.0.11 อัปเดตเป็น 7.0.12 ขึ้นไปหากยังไม่สามารถอัปเดตได้ทันที
- ควรปิดการเข้าถึงระบบจัดการผ่านอินเทอร์เน็ตชั่วคราว
- ให้จำกัดการเข้าถึงระบบเฉพาะภายในองค์กรเท่านั้น
หลังการอัปเดต
- ตรวจสอบการตั้งค่าระบบ
- ตรวจสอบบันทึกเหตุการณ์ว่ามีการเปลี่ยนแปลงผิดปกติ หรือมีบัญชีผู้ดูแลระบบที่ไม่ได้รับอนุญาตเพิ่มขึ้นหรือไม่
ช่องโหว่ดังกล่าวถูกจัดอยู่ในรายการ “ช่องโหว่ที่พบการโจมตีจริง” โดยหน่วยงานความมั่นคงปลอดภัยไซเบอร์ของสหรัฐฯ ซึ่งสะท้อนถึงความเสี่ยงสูงและความจำเป็นในการเร่งดำเนินการป้องกันทันที
สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand
-
Cyber Threat Intelligence 14 November 2025โพสต์ใน Cyber Security News
Healthcare Sector
- Healthcare Security Is Broken Because Its Systems Can’t Talk To Each Other
"In this Help Net Security interview, Cameron Kracke, CISO at Prime Therapeutics, discusses how the healthcare ecosystem can achieve cohesive security visibility. With hospitals, clinics, telehealth, and cloud partners all in the mix, maintaining visibility remains a complex task. Kracke shares how interoperability, collaboration, and strategic investment can strengthen resilience across the healthcare security landscape."
https://www.helpnetsecurity.com/2025/11/13/cameron-kracke-prime-therapecutics-healthcare-security-ecosystem/
Industrial Sector
- CISA Releases 18 Industrial Control Systems Advisories
"CISA released 18 Industrial Control Systems (ICS) Advisories. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS."
https://www.cisa.gov/news-events/alerts/2025/11/13/cisa-releases-18-industrial-control-systems-advisories
New Tooling
- Sprout: Open-Source Bootloader Built For Speed And Security
"Sprout is an open-source bootloader that delivers sub-second boot times and uses a clean, data-driven configuration format that works across operating systems. “We built Sprout because we were frustrated by how fragile and slow traditional bootloaders are,” said Alex Zenla, CTO at Edera. Sprout is designed for modern infrastructure where every second counts. It can boot Linux in under 50 milliseconds, which is critical for autoscaling and deployment in cloud environments."
https://www.helpnetsecurity.com/2025/11/13/sprout-open-source-bootloader/
https://github.com/edera-dev/sprout
Vulnerabilities
- Firefox 145 And Chrome 142 Patch High-Severity Flaws In Latest Releases
"Google and Mozilla on Tuesday released fresh updates for Chrome and Firefox to resolve multiple high-severity vulnerabilities. Google announced a Chrome 142 update that resolves a high-severity inappropriate implementation issue in the V8 JavaScript engine. The bug is tracked as CVE-2025-13042. The internet giant has not detailed the flaw, but such V8 defects can typically be exploited remotely to cause denial-of-service (DoS) conditions or for code execution, Hong Kong CERT/CC notes. Google has yet to determine the bug bounty reward for the defect."
https://www.securityweek.com/firefox-145-and-chrome-142-patch-high-severity-flaws-in-latest-releases/ - Critical: Remote Code Execution Via Malicious Obfuscated Malware In Imunify360 AV (AI-Bolit)
"Recently a critical Remote Code Execution issue was patched in the Imunify360 AV product. Imunify360 serves up to 56 million websites. Hosting companies should patch the issue immediately. The information about this vulnerability has been spreading since the end of October, so we also recommend affected hosting companies to check whether their servers have been compromised."
https://patchstack.com/articles/remote-code-execution-vulnerability-found-in-imunify360/
https://www.bleepingcomputer.com/news/security/rce-flaw-in-imunifyav-puts-millions-of-linux-hosted-sites-at-risk/ - When GPTs Call Home: Exploiting SSRF In ChatGPT’s Custom Actions
"In cybersecurity, you begin to develop a kind of hacker mindset or “sixth sense”. You start seeing the world not just for what it does, but for what it could do. So, when I was building my first custom GPT in ChatGPT and got to the “Actions” section, that sense started tingling! I wasn’t even on a bug hunt, just curious about the custom GPT feature and building a custom assistant. The goal was to have a GPT pull data from my own external API, but once I realized this feature was returning data from a user-provided URL, alarm bells went off and the hacker instinct took over, telling me to check for SSRF."
https://sirleeroyjenkins.medium.com/when-gpts-call-home-exploiting-ssrf-in-chatgpts-custom-actions-5df9df27dbe9
https://www.securityweek.com/chatgpt-vulnerability-exposed-underlying-cloud-infrastructure/
Malware
- CISA And Partners Release Advisory Update On Akira Ransomware
"Today, Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with the Federal Bureau of Investigation, Department of Defense Cyber Crime Center, Department of Health and Human Services, and international partners, released an updated joint Cybersecurity Advisory, #StopRansomware: Akira Ransomware, to provide network defenders with the latest indicators of compromise, tactics, techniques, and procedures, and detection methods associated with Akira ransomware activity."
https://www.cisa.gov/news-events/alerts/2025/11/13/cisa-and-partners-release-advisory-update-akira-ransomware
https://www.bleepingcomputer.com/news/security/cisa-warns-of-akira-ransomware-linux-encryptor-targeting-nutanix-vms/
https://therecord.media/akira-gang-received-million
https://cyberscoop.com/akira-ransomware-fbi-cisa-joint-advisory/ - “IndonesianFoods” Worm Publishes More Than 78,000 Malicious NPM Packages
"I’ve identified an NPM worm that has published over 78,000 malicious packages to the NPM registry, affecting at least eleven NPM users. This attack focuses on creating new packages rather than stealing credentials or engaging in other, more immediately malicious behaviours. This attack almost doubles the known number of malicious NPM packages."
https://sourcecodered.com/indonesianfoods-npm-worm/
https://www.endorlabs.com/learn/the-great-indonesian-tea-theft-analyzing-a-npm-spam-campaign
https://thehackernews.com/2025/11/over-46000-fake-npm-packages-flood.html
https://www.bleepingcomputer.com/news/security/new-indonesianfoods-worm-floods-npm-with-100-000-packages/
https://www.infosecurity-magazine.com/news/indonesianfoods-npm-worm-44000/
https://www.securityweek.com/tens-of-thousands-of-malicious-npm-packages-distribute-self-replicating-worm/ - Popular Android-Based Photo Frames Download Malware On Boot
"Uhale Android-based digital picture frames come with multiple critical security vulnerabilities and some of them download and execute malware at boot time. Mobile security company Quokka conducted an in-depth security assessment on the Uhale app and found behavior suggesting a connection with the Mezmess and Voi1d malware families. The researchers reported the issues to ZEASN (now ‘Whale TV’), the Chinese firm behind the Uhale platform used in the digital picture frames of numerous different brands, but received no reply to multiple notificaitions since May."
https://www.bleepingcomputer.com/news/security/popular-android-based-photo-frames-download-malware-on-boot/
https://go.quokka.io/hubfs/App-Intel/Technical_Uhale-Digital-Picture-Frame-Security-Assessment.pdf - Unleashing The Kraken Ransomware Group
"In August 2025, Cisco Talos observed big-game hunting and double extortion attacks carried out by Kraken, a Russian-speaking group that has emerged from the remnants of the HelloKitty ransomware cartel. Talos observed in one intrusion that the Kraken actor exploited Server Message Block (SMB) vulnerabilities for initial access, then used tools like Cloudflared for persistence and SSH Filesystem (SSHFS) for data exfiltration before encryption. Kraken is a cross-platform ransomware with distinct encryptors for Windows, Linux, and VMware ESXi, targeting a wide range of enterprise environments."
https://blog.talosintelligence.com/kraken-ransomware-group/ - Uncovering a Multi-Stage Phishing Kit Targeting Italy's Infrastructure
"Group-IB researchers uncovered a professional phishing framework that mimics trusted brands with remarkable precision. Using layered evasion, CAPTCHA filtering, and Telegram-based data exfiltration, attackers harvest credentials and bypass automated detection. The findings highlight how phishing-as-a-service operations are scaling through automation, lowering technical barriers for cybercriminals, and industrializing one of the oldest yet most effective forms of digital fraud."
https://www.group-ib.com/blog/uncover-phishing-italy/
https://therecord.media/phishing-campaign-targets-italian-web-hosting-customers - We Opened a Fake Invoice And Fell Down a Retro XWorm-Shaped Wormhole
"Somebody forwarded an “invoice” email and asked me to check the attachment because it looked suspicious. Good instinct—it was, and what we found inside was a surprisingly old trick hiding a modern threat."
https://www.malwarebytes.com/blog/threats/2025/11/we-opened-a-fake-invoice-and-fell-down-a-retro-xworm-shaped-wormhole - Thousands Of Domains Target Hotel Guests In Massive Phishing Campaign
"A Russian-speaking threat actor operating an ongoing, mass phishing campaign targeting people who might be planning (or about to leave for) a vacation has registered more than 4,300 domain names used in the attacks since the beginning of the year. The ongoing campaign employs a sophisticated phishing kit that customizes the page presented to the site visitor depending on a unique string in the URL path when the target first visits the website. The customizations use the logos from major online travel industry brands, including Airbnb and Booking.com."
https://www.netcraft.com/blog/thousands-of-domains-target-hotel-guests-in-massive-phishing-campaign
https://thehackernews.com/2025/11/russian-hackers-create-4300-fake-travel.html - Malicious Chrome Extension Exfiltrates Seed Phrases, Enabling Wallet Takeover
"Socket’s Threat Research Team uncovered the malicious Chrome extension Safery: Ethereum Wallet, published on November 12, 2024. Marketed as a simple, secure Ethereum (ETH) wallet, it contains a backdoor that exfiltrates seed phrases by encoding them into Sui addresses and broadcasting microtransactions from a threat actor-controlled Sui wallet."
https://socket.dev/blog/malicious-chrome-extension-exfiltrates-seed-phrases
https://thehackernews.com/2025/11/fake-chrome-extension-safery-steals.html
https://securityaffairs.com/184585/malware/chrome-extension-safery-steals-ethereum-wallet-seed-phrases.html - Chinese Spies Told Claude To Break Into About 30 Critical Orgs. Some Attacks Succeeded
"Chinese cyber spies used Anthropic's Claude Code AI tool to attempt digital break-ins at about 30 high-profile companies and government organizations – and the government-backed snoops "succeeded in a small number of cases," according to a Thursday report from the AI company. The mid-September operation targeted large tech companies, financial institutions, chemical manufacturers, and government agencies."
https://www.theregister.com/2025/11/13/chinese_spies_claude_attacks/
https://assets.anthropic.com/m/ec212e6566a0d47/original/Disrupting-the-first-reported-AI-orchestrated-cyber-espionage-campaign.pdf - Increase In Lumma Stealer Activity Coincides With Use Of Adaptive Browser Fingerprinting Tactics
"In the wake of a targeted doxxing campaign last month that exposed the alleged core members of Lumma Stealer (which Trend Micro tracks as Water Kurita), the underground infostealer landscape experienced a significant upheaval. As detailed in Trend
Research’s previous report, this exposure led to a marked decline in Lumma Stealer's activity, with many of its customers migrating to rival platforms such as Vidar and StealC. However, recent observations from our telemetry indicate a resurgence in Lumma Stealer activity, accompanied by notable changes in its command-and-control (C&C) behaviors, particularly the introduction of browser fingerprinting techniques."
https://www.trendmicro.com/en_us/research/25/k/lumma-stealer-browser-fingerprinting.html
Breaches/Hacks/Leaks
- Washington Post Data Breach Impacts Nearly 10K Employees, Contractors
"The Washington Post is notifying nearly 10,000 employees and contractors that some of their personal and financial data has been exposed in the Oracle data theft attack. The news organization is one of the largest daily newspapers in the U.S. with approximately 2.5 million digital subscribers. Between July 10 and August 22, threat actors accessed parts of its network. They leveraged a vulnerability in Oracle E-Business Suite software that was a zero-day at the time to steal sensitive data."
https://www.bleepingcomputer.com/news/security/washington-post-data-breach-impacts-nearly-10k-employees-contractors/
https://cyberscoop.com/washington-post-oracle-clop-attacks/
https://www.theregister.com/2025/11/13/washington_post_clop/
General News
- Police Disrupts Rhadamanthys, VenomRAT, And Elysium Malware Operations
"Law enforcement authorities from nine countries have taken down over 1,000 servers used by the Rhadamanthys infolstealer, VenomRAT, and Elysium botnet malware operations in the latest phase of Operation Endgame, an international action targeting cybercrime. The joint action, coordinated by Europol and Eurojust, was also supported by multiple private partners, including Cryptolaemus, Shadowserver, Spycloud, Cymru, Proofpoint, CrowdStrike, Lumen, Abuse.ch, HaveIBeenPwned, Spamhaus, DIVD, and Bitdefender. Between 10 and 14 November 2025, police officers conducted searches at 11 locations in Germany, Greece, and the Netherlands, seized 20 domains, and took down 1,025 servers used by the targeted malware operations."
https://www.bleepingcomputer.com/news/security/police-disrupts-rhadamanthys-venomrat-and-elysium-malware-operations/
https://www.europol.europa.eu/media-press/newsroom/news/end-of-game-for-cybercrime-infrastructure-1025-servers-taken-down
https://www.proofpoint.com/us/blog/threat-insight/operation-endgame-quakes-rhadamanthys
https://www.proofpoint.com/us/blog/threat-insight/security-brief-venomrat-defanged
https://therecord.media/operation-endgame-cybercrime-takedowns-rhadamanthys-venomrat-elysium
https://thehackernews.com/2025/11/operation-endgame-dismantles.html
https://www.bankinfosecurity.com/operation-endgame-disrupts-more-malware-a-30028
https://cyberscoop.com/operation-endgame-disrupts-global-malware-networks-rhadamanthys-venomrat-elysium/
https://www.infosecurity-magazine.com/news/operation-endgame-3-dismantles/
https://hackread.com/operation-endgame-rhadamanthys-venomrat-elysium-malware/
https://www.securityweek.com/1000-servers-hit-in-law-enforcement-takedown-of-rhadamanthys-venomrat-elysium/
https://securityaffairs.com/184581/cyber-crime/a-new-round-of-europols-operation-endgame-dismantled-rhadamanthys-venom-rat-and-elysium-botnet.html
https://www.theregister.com/2025/11/13/rhadamanthys_takedown/
https://www.helpnetsecurity.com/2025/11/13/rhadamanthys-infostealer-operation-disrupted/ - The State Of Ransomware In Q3 2025
"The ransomware landscape in Q3 2025 has reached a critical inflection point. Despite multiple law enforcement takedowns earlier in the year, ransomware attacks remain at historically high levels. Check Point Research tracked 1,592 new victims across 85 active extortion groups, marking a 25% increase year-over-year. While major brands like RansomHub and 8Base have vanished, new and smaller threat actors have rapidly filled the void, fragmenting the ransomware-as-a-service (RaaS) market more than ever before."
https://blog.checkpoint.com/research/the-state-of-ransomware-in-q3-2025/ - October 2025 Attacks Soar 30% As New Groups Redefine The Cyber Battlefield
"Near-record ransomware attacks and the rise of new threats like Sinobi highlight the need for rapid detection and response. Ransomware attacks soared to the second-highest total on record in October 2025. October’s 623 ransomware attacks were up more than 30% from September, and below only February 2025’s record totals (chart below). It was the sixth consecutive monthly increase in ransomware attacks."
https://cyble.com/blog/ransomware-attacks-surge-october-2025/ - Orgs Move To SSO, Passkeys To Solve Bad Password Habits
"New survey data indicates that organizations are pushing hard for passwordless authentication. A significant chunk of online account passwords in 2025 remain basic and easy to crack — a fact that will surprise few. But last month, Dark Reading asked readers how their organizations are handling password security these days. The results were, perhaps surprisingly, optimistic."
https://www.darkreading.com/identity-access-management-security/sso-passkeys-password-bad-habits - Wanna Bet? Scammers Are Playing The Odds Better Than You Are
"Placing a bet has never been this easy, and that’s the problem. The convenience of online gambling is the same thing scammers are cashing in on. Whether it’s a fake app, a “can’t-miss” tipster, or a rigged casino, the game is stacked against you. By 2030, the online gambling market is projected to reach around $169 billion. 22 percent of Americans, including 48 percent of men ages 18 to 49, have an account with at least one online sportsbook."
https://www.helpnetsecurity.com/2025/11/13/cybercrime-online-betting-scams/ - Automation Can’t Fix Broken Security Basics
"Most enterprises continue to fall short on basic practices such as patching, access control, and vendor oversight, according to Swimlane’s Cracks in the Foundation: Why Basic Security Still Fails report. Leadership often focuses on broad resilience goals while the day-to-day work that supports them remains inconsistent and underfunded."
https://www.helpnetsecurity.com/2025/11/13/swimlane-security-basics-still-broken-report/ - When Attacks Come Faster Than Patches: Why 2026 Will Be The Year Of Machine-Speed Security
"Based on multiple 2025 industry reports: roughly 50 to 61 percent of newly disclosed vulnerabilities saw exploit code weaponized within 48 hours. Using the CISA Known Exploited Vulnerabilities Catalog as a reference, hundreds of software flaws are now confirmed as actively targeted within days of public disclosure. Each new announcement now triggers a global race between attackers and defenders. Both sides monitor the same feeds, but one moves at machine speed while the other moves at human speed."
https://thehackernews.com/2025/11/when-attacks-come-faster-than-patches.html
อ้างอิง
Electronic Transactions Development Agency (ETDA)
- Healthcare Security Is Broken Because Its Systems Can’t Talk To Each Other
-
CISA เผยแพร่คำแนะนำด้านระบบควบคุมอุตสาหกรรม (ICS) จำนวน 13 รายการโพสต์ใน OT Cyber Security News
Cybersecurity and Infrastructure Security Agency (CISA) ได้เผยแพร่คำแนะนำเกี่ยวกับระบบควบคุมอุตสาหกรรม (ICS) จำนวน 18 รายการ เมื่อวันที่ 13 พฤศจิกายน 2025 พื่อให้ข้อมูลที่ทันเวลาเกี่ยวกับประเด็นด้านความมั่นคงปลอดภัย ช่องโหว่ และการโจมตีที่เกี่ยวข้องกับระบบ ICS โดยมีรายละเอียดดังนี้
ICSA-25-317-01 Mitsubishi Electric MELSEC iQ-F Series
ICSA-25-317-02 AVEVA Application Server IDE
ICSA-25-317-03 AVEVA Edge
ICSA-25-317-04 Brightpick Mission Control / Internal Logic Control
ICSA-25-317-05 Rockwell Automation Verve Asset Manager
ICSA-25-317-06 Rockwell Automation Studio 5000 Simulation Interface
ICSA-25-317-07 Rockwell Automation FactoryTalk DataMosaix Private Cloud
ICSA-25-317-08 General Industrial Controls Lynx+ Gateway
ICSA-25-317-09 Rockwell Automation FactoryTalk Policy Manager
ICSA-25-317-10 Rockwell Automation AADvance-Trusted SIS Workstation
ICSA-25-317-11 Siemens SICAM P850 family and SICAM P855 family
ICSA-25-317-12 Siemens Spectrum Power 4
ICSA-25-317-13 Siemens LOGO! 8 BM Devices
ICSA-25-317-14 Siemens Solid Edge
ICSA-25-317-15 Siemens COMOS
ICSA-25-317-16 Siemens Altair Grid Engine
ICSA-25-317-17 Siemens Software Center and Solid Edge
ICSA-25-273-04 Festo Controller CECC-S,-LK,-D Family Firmware (Update A)CISA แนะนำให้ผู้ใช้งานและผู้ดูแลระบบ ตรวจสอบคำแนะนำ ICS ที่เผยแพร่ล่าสุด เพื่อศึกษารายละเอียดทางเทคนิคและแนวทางการลดความเสี่ยง (mitigations)
อ้างอิง
https://www.cisa.gov/news-events/alerts/2025/11/13/cisa-releases-18-industrial-control-systems-advisories
สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand
-
Cyber Threat Intelligence 13 November 2025โพสต์ใน Cyber Security News
Financial Sector
- Hidden Risks In The Financial Sector’s Supply Chain
"When a cyber attack hits a major bank or trading platform, attention usually turns to the institution. But new research suggests the real danger may lie elsewhere. BitSight researchers found that many of the technology providers serving the financial sector have weaker cybersecurity performance than the institutions they support. For the Exposed Cyber Risk in the Financial Sector and its Supply Chain report, researchers analyzed more than 41,000 financial organizations and over 50,000 relationships with third-party technology providers. The results point to dependencies, uneven monitoring, and gaps in risk management across the sector’s digital supply chain."
https://www.helpnetsecurity.com/2025/11/11/hidden-financial-sector-cyber-risk/
Vulnerabilities
- Synology Fixes BeeStation Zero-Days Demoed At Pwn2Own Ireland
"Synology has addressed a critical-severity remote code execution (RCE) vulnerability in BeeStation products that was demonstrated at the recent Pwn2Own hacking competition. The security issue (CVE-2025-12686) is described as a ‘buffer copy without checking the size of input’ problem, and can be exploited to allow arbitrary code execution. It impacts multiple versions of BeeStation OS, the software powering Synology’s network-attached storage (NAS) devices marketed as a consumer-oriented “personal cloud.”"
https://www.bleepingcomputer.com/news/security/synology-fixes-beestation-zero-days-demoed-at-pwn2own-ireland/
https://www.synology.com/en-us/security/advisory/Synology_SA_25_12 - SAP Fixes Hardcoded Credentials Flaw In SQL Anywhere Monitor
"SAP has released its November security updates that address multiple security vulnerabilities, including a maximum severity flaw in the non-GUI variant of the SQL Anywhere Monitor and a critical code injection issue in the Solution Manager platform. The security problem in SQL Anywhere Monitor is tracked as CVE-2025-42890 and consists of hardcoded credentials. Because of the elevated risk, the vulnerability received the maximum severity score of 10.0. "SQL Anywhere Monitor (Non-GUI) baked credentials into the code, exposing the resources or functionality to unintended users and providing attackers with the possibility of arbitrary code execution," reads the description for the flaw."
https://www.bleepingcomputer.com/news/security/sap-fixes-hardcoded-credentials-flaw-in-sql-anywhere-monitor/
https://www.securityweek.com/sap-patches-critical-flaws-in-sql-anywhere-monitor-solution-manager/
https://securityaffairs.com/184500/security/sap-fixed-a-maximum-severity-flaw-in-sql-anywhere-monitor.html - Microsoft November 2025 Patch Tuesday Fixes 1 Zero-Day, 63 Flaws
"Today is Microsoft's November 2025 Patch Tuesday, which includes security updates for 63 flaws, including one actively exploited zero-day vulnerability. This Patch Tuesday also addresses four "Critical" vulnerabilities, two of which are remote code execution vulnerabilities, one is an elevation of privileges, and the fourth is an information disclosure flaw."
https://www.bleepingcomputer.com/news/microsoft/microsoft-november-2025-patch-tuesday-fixes-1-zero-day-63-flaws/
https://blog.talosintelligence.com/microsoft-patch-tuesday-november-2025/
https://www.darkreading.com/vulnerabilities-threats/patch-now-microsoft-zero-day-critical-zero-click-bugs
https://cyberscoop.com/microsoft-patch-tuesday-november-2025/
https://www.securityweek.com/microsoft-patches-actively-exploited-windows-kernel-zero-day/ - Adobe Patches 29 Vulnerabilities
"Adobe’s latest round of Patch Tuesday updates addresses 29 vulnerabilities across the company’s InDesign, InCopy, Photoshop, Illustrator, Pass, Substance 3D Stager, and Format Plugins products. Critical vulnerabilities that can be exploited for arbitrary code execution have been addressed in InDesign, InCopy, Photoshop, Illustrator, Substance 3D Stager, and Format Plugins. A critical security bypass issue has been resolved in Pass. It’s worth noting that Adobe assigns a ‘critical’ severity to issues that, based on their CVSS score, have a ‘high’ severity rating."
https://www.securityweek.com/adobe-patches-29-vulnerabilities/
Malware
- You Thought It Was Over? Authentication Coercion Keeps Evolving
"Imagine a scenario where malicious actors don’t need to trick you into giving up your password. They have no need to perform sophisticated social engineering attacks or exploit vulnerabilities in your operating system. Instead, they can simply force your computer to authenticate to an attacker-controlled system, effectively commanding your machine to hand over valuable credentials. This attack method is called authentication coercion."
https://unit42.paloaltonetworks.com/authentication-coercion/ - How a CPU Spike Led To Uncovering a RansomHub Ransomware Attack
"Varonis recently helped a customer who observed a spike in CPU activity on a server in their environment, where a shallow review of the device revealed an in-progress compromise by an advanced threat actor we later attributed to RansomHub affiliates. Over the next 48 hours, our team worked closely with the customer to investigate, hunt, contain, and remediate the threat before it could become ransomware. Due to our team's advanced intervention capabilities, we secured the customer’s network with zero business downtime. Continue reading to see how the incident started."
https://www.bleepingcomputer.com/news/security/how-a-cpu-spike-led-to-uncovering-a-ransomhub-ransomware-attack/ - Malicious NPM Package Found Targeting GitHub By Typosquatting On GitHub Action Packages
"On Friday 7th November Veracode Threat Research identified a malicious npm package “@acitons/artifact”, that was typosquatting on the legitimate package @actions/artifact, which has accumulated over 206k downloads. The malicious package appeared to be targeting GitHub-owned repositories. We think the intent was to have this script execute during a build of a GitHub-owned repository, exfiltrate the tokens available to the build environment, and then use those tokens to publish new malicious artifacts as GitHub."
https://www.veracode.com/blog/malicious-npm-package-targeting-github-actions/
https://thehackernews.com/2025/11/researchers-detect-malicious-npm.html
https://hackread.com/fake-npm-package-downloads-github-credentials/ - How Credentials Get Stolen In Seconds, Even With a Script-Kiddie-Level Phish
"This attempt to phish credentials caught our attention, mostly because of its front-end simplicity. Even though this is a script-kiddie-level type of attack, we figured it was worth writing up—precisely because it’s so easy to follow what they’re up to. The email is direct and to the point. Not a lot of social engineering happening here."
https://www.malwarebytes.com/blog/threat-intel/2025/11/how-credentials-get-stolen-in-seconds-even-with-a-script-kiddie-level-phish - Maverick And Coyote: Analyzing The Link Between Two Evolving Brazilian Banking Trojans
"The CyberProof SOC Team and Threat Hunters responded to an incident involving a suspicious file download spotted through the messaging application WhatsApp. Further investigation helped uncover more related incidents, however the complete infection chain could not be observed or additional files from Command and control failed to deliver in our investigations. VirusTotal hunting of similar files helped us collect more files tied to this Brazilian targeting campaign and we found our analysis related to public research tied to Maverick banking trojan by Kaspersky, WhatsApp worm by Sophos and Sorvepotel by TrendMicro. We saw good number of similarities with the earlier reported Coyote banking malware campaign programmed to target the Brazilian region."
https://www.cyberproof.com/blog/maverick-and-coyote-analyzing-the-link-between-two-evolving-brazilian-banking-trojans/
https://thehackernews.com/2025/11/whatsapp-malware-maverick-hijacks.html - Rhadamanthys Infostealer Disrupted As Cybercriminals Lose Server Access
"The Rhadamanthys infostealer operation has been disrupted, with numerous “customers” of the malware-as-a-service reporting that they no longer have access to their servers. Rhadamanthys is an infostealer malware that steals credentials and authentication cookies from browsers, email clients, and other applications. It is commonly distributed through campaigns promoted as software cracks, YouTube videos, or malicious search advertisements. The malware is offered on a subscription model, where cybercriminals pay the developer a monthly fee for access to the malware, support, and a web panel used to collect stolen data."
https://www.bleepingcomputer.com/news/security/rhadamanthys-infostealer-disrupted-as-cybercriminals-lose-server-access/
Breaches/Hacks/Leaks
- GlobalLogic Warns 10,000 Employees Of Data Theft After Oracle Breach
"GlobalLogic, a provider of digital engineering services part of the Hitachi group, is notifying over 10,000 current and former employees that their data was stolen in an Oracle E-Business Suite (EBS) data breach. Based in Santa Clara, California, this software and product development services company was founded in 2000. Since then, it has expanded to 59 product engineering centers and several offices worldwide. In a breach notification letter filed with the office of Maine's Attorney General, the company states that the attackers exploited an Oracle EBS zero-day vulnerability to steal personal information belonging to 10,471 employees."
https://www.bleepingcomputer.com/news/security/globallogic-warns-10-000-employees-of-data-theft-after-oracle-breach/
https://cyberscoop.com/globallogic-oracle-clop-attacks/
https://www.theregister.com/2025/11/11/hitachiowned_globallogic_admits_data_stolen/ - Cl0p Ransomware Lists NHS UK As Victim, Days After Washington Post Breach
"Cl0p is claiming responsibility for a new data breach affecting the National Health Service (NHS UK). On November 11, 2026, the ransomware group posted on its dark web leak site, accusing the healthcare provider of neglecting its security, stating, “The company doesn’t care about its customers; it ignored their security.” Although the group has not revealed the volume of stolen data, the announcement aligns with ongoing attacks and reports pointing out CL0p of exploiting vulnerabilities in Oracle’s E-Business Suite (EBS)."
https://hackread.com/cl0p-ransomware-nhs-uk-washington-post-breach/ - Have I Been Pwned Adds 1.96B Accounts From Synthient Credential Data
"Have I Been Pwned (HIBP), the popular breach notification service, has added another massive dataset to its platform. This time, 1.96 billion accounts connected to the Synthient Credential Stuffing Threat Data, in collaboration with the threat-intelligence firm Synthient. Users who subscribe to HIBP alerts, including this writer, received an email notification stating: “You’ve been pwned in the Synthient Credential Stuffing Threat Data data breach.”"
https://hackread.com/have-i-been-pwned-synthient-credential-data-accounts/
General News
- Who Owns The Cybersecurity Of Space?
"As a cybersecurity professional, I have spent decades watching humanity build digital castles without moats. We did it with the internet, with artificial intelligence and with critical infrastructure. Now, we are doing it again, this time in orbit. We are racing to commercialize space to connect the unconnected and monetize orbit, yet we are ignoring the most important question: Who owns the cybersecurity of space?"
https://www.bankinfosecurity.com/blogs/who-owns-cybersecurity-space-p-3971 - To Get Funding, CISOs Are Mastering The Language Of Money
"In this Help Net Security interview, Chris Wheeler, CISO at Resilience, talks about how CISOs are managing changing cybersecurity budgets. While overall spending is up, many say the increases don’t match their most pressing needs. Wheeler explains how organizations are reallocating funds, measuring ROI, and linking cybersecurity plans to business goals."
https://www.helpnetsecurity.com/2025/11/11/chris-wheeler-resilience-cisos-cybersecurity-budgets/ - How Far Can Police Push Privacy Before It Breaks
"Police use drones, body cameras, and license plate readers as part of their daily work. Supporters say these tools make communities safer. Critics see something different, a system that collects too much data and opens the door to abuse. When surveillance expands without public oversight, civil liberties start to slip away, especially for people who already face bias and discrimination."
https://www.helpnetsecurity.com/2025/11/11/police-surveillance-privacy-risks/ - CISOs Are Cracking Under Pressure
"Cybersecurity leaders are hitting their limit. A new report from Nagomi Security shows that most CISOs are stretched thin, dealing with nonstop incidents, too many tools, and growing pressure from their boards. The pressures are so intense that many say they are burned out and thinking about walking away. The personal cost is beginning to affect business readiness. Nearly half said burnout has already hurt their ability to prepare for breaches. The researchers warn that when leaders reach this point, the entire organization becomes more vulnerable."
https://www.helpnetsecurity.com/2025/11/11/stress-ciso-burnout-crisis/ - AI Browsers Are Rapidly Becoming Major Risk To Cybersecurity
"As a new type of browser infused with artificial intelligence (AI) capabilities start to become more widely available, significant security concerns are starting to emerge. Like most AI tools, this new type of browser is susceptible to prompt injection attacks. However, the issue is these AI browsers are being connected to a wide range of applications that make it possible to extend the reach of a prompt injection attack well beyond the browser."
https://blog.barracuda.com/2025/11/10/ai-browsers-major-risk-cybersecurity - “Bitcoin Queen” Gets 11 Years In Prison For $7.3 Billion Bitcoin Scam
"A Chinese woman known as the "Bitcoin Queen" was sentenced in London to 11 years and eight months in jail for laundering Bitcoin from a £5.5 billion ($7.3 billion) cryptocurrency investment scheme. The sentence follows a seven-year investigation by the Met's Economic Crime team into international money laundering, which revealed that the 47-year-old woman, Zhimin Qian (also known as Yadi Zhang), was the head of a large-scale fraud campaign that defrauded over 128,000 victims in China between 2014 and 2017. This action also led to the seizure of 61,000 Bitcoin worth hundreds of millions of pounds at the time and now valued at roughly £5.5 billion, the largest cryptocurrency seizure in Britain's history."
https://www.bleepingcomputer.com/news/security/bitcoin-queen-gets-11-years-in-prison-for-73-billion-bitcoin-scam/ - Global Cyber Attacks Surge In October 2025 Amid Explosive Ransomware Growth And Rising GenAI Threats
"In October 2025, the global volume of cyber attacks continued its upward trajectory. Organizations worldwide experienced an average of 1,938 cyber attacks per week, marking a 2% increase from September and a 5% rise compared to October 2024. Check Point Research data reveals that this steady escalation underscores a persistent and evolving cyber threat landscape fuelled by the growing sophistication of ransomware operations and the expanding risks associated with the adoption of generative AI (GenAI)."
https://blog.checkpoint.com/research/global-cyber-attacks-surge-in-october-2025-amid-explosive-ransomware-growth-and-rising-genai-threats/ - Grandparents To C-Suite: Elder Fraud Reveals Gaps In Human-Centered Cybersecurity
"A retiree answers the phone one afternoon and hears what sounds unmistakably like her grandson's voice. He says he's been in an accident and needs money right away. The caller knows her name, her town, and details about the family. Panicked, she sends the funds — only later learning that the voice was generated by artificial intelligence and the personal information came from publicly available data online."
https://www.darkreading.com/cyber-risk/grandparents-to-c-suite-elder-fraud-reveals-gaps-in-human-centered-cybersecurity - Qilin Ransomware Activity Surges As Attacks Target Small Businesses
"A rise in ransomware incidents linked to the Qilin ransomware group, one of the longest-running ransomware-as-a-service (RaaS) operations, has been observed by cybersecurity researchers. According to S-RM’s latest intelligence, Qilin continues to exploit weaknesses such as unpatched VPN appliances, lack of multi-factor authentication (MFA) and exposed management interfaces to gain initial access to corporate networks."
https://www.infosecurity-magazine.com/news/qilin-ransomware-activity-surges/ - Cyber Insurers Paid Out Over Twice As Much For UK Ransomware Attacks Last Year
"The number of successful cyber insurance claims made by UK organizations shot up last year, according to the latest figures from the industry's trade association. The Association of British Insurers (ABI) said £197 million ($259 million) in cyber insurance payouts were made to victimized organizations in 2024, up from £59 million ($77 million) in 2023."
https://www.theregister.com/2025/11/11/ransomware_surge_fuels_230_increase/
อ้างอิง
Electronic Transactions Development Agency (ETDA)
- Hidden Risks In The Financial Sector’s Supply Chain
-
CISA เพิ่มช่องโหว่ที่ถูกใช้โจมตี 3 รายการลงในแคตตาล็อกโพสต์ใน Cyber Security News
เมื่อวันที่ 12 พฤศจิกายน 2025 Cybersecurity and Infrastructure Security Agency (CISA) ได้เพิ่มช่องโหว่ใหม่ 3 รายการลงในแคตตาล็อก Known Exploited Vulnerabilities (KEV) จากหลักฐานที่พบว่ามีการโจมตีใช้งานจริงแล้ว ดังนี้
- CVE-2025-9242 WatchGuard Firebox Out-of-Bounds Write Vulnerability
- CVE-2025-12480 Gladinet Triofox Improper Access Control Vulnerability
- CVE-2025-62215 Microsoft Windows Race Condition Vulnerability
ช่องโหว่ประเภทนี้มักถูกใช้เป็นช่องทางการโจมตีโดยผู้ไม่หวังดี และก่อให้เกิดความเสี่ยงร้ายแรงต่อเครือข่ายของหน่วยงานรัฐบาลกลาง
ทั้งนี้ คำสั่ง BOD 22-01 ของ CISA กำหนดให้มี แคตตาล็อก Known Exploited Vulnerabilities (KEV) เพื่อรวบรวมช่องโหว่ (CVEs) ที่มีความเสี่ยงสูงและถูกใช้งานโจมตีจริง หน่วยงาน Federal Civilian Executive Branch (FCEB) ต้องดำเนินการแก้ไขช่องโหว่ที่ระบุภายในเวลาที่กำหนด เพื่อปกป้องเครือข่ายจากภัยคุกคาม
ทาง CISA จะปรับปรุงและเพิ่มช่องโหว่ใหม่เข้าสู่แคตตาล็อก KEV อย่างต่อเนื่อง เพื่อให้ครอบคลุมความเสี่ยงที่ตรวจพบจริงในปัจจุบันและอนาคต
อ้างอิง
https://www.cisa.gov/news-events/alerts/2025/11/12/cisa-adds-three-known-exploited-vulnerabilities-catalog
สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand
-
Cyber Threat Intelligence 12 November 2025โพสต์ใน Cyber Security News
Financial Sector
- Hidden Risks In The Financial Sector’s Supply Chain
"When a cyber attack hits a major bank or trading platform, attention usually turns to the institution. But new research suggests the real danger may lie elsewhere. BitSight researchers found that many of the technology providers serving the financial sector have weaker cybersecurity performance than the institutions they support. For the Exposed Cyber Risk in the Financial Sector and its Supply Chain report, researchers analyzed more than 41,000 financial organizations and over 50,000 relationships with third-party technology providers. The results point to dependencies, uneven monitoring, and gaps in risk management across the sector’s digital supply chain."
https://www.helpnetsecurity.com/2025/11/11/hidden-financial-sector-cyber-risk/
Vulnerabilities
- Synology Fixes BeeStation Zero-Days Demoed At Pwn2Own Ireland
"Synology has addressed a critical-severity remote code execution (RCE) vulnerability in BeeStation products that was demonstrated at the recent Pwn2Own hacking competition. The security issue (CVE-2025-12686) is described as a ‘buffer copy without checking the size of input’ problem, and can be exploited to allow arbitrary code execution. It impacts multiple versions of BeeStation OS, the software powering Synology’s network-attached storage (NAS) devices marketed as a consumer-oriented “personal cloud.”"
https://www.bleepingcomputer.com/news/security/synology-fixes-beestation-zero-days-demoed-at-pwn2own-ireland/
https://www.synology.com/en-us/security/advisory/Synology_SA_25_12 - SAP Fixes Hardcoded Credentials Flaw In SQL Anywhere Monitor
"SAP has released its November security updates that address multiple security vulnerabilities, including a maximum severity flaw in the non-GUI variant of the SQL Anywhere Monitor and a critical code injection issue in the Solution Manager platform. The security problem in SQL Anywhere Monitor is tracked as CVE-2025-42890 and consists of hardcoded credentials. Because of the elevated risk, the vulnerability received the maximum severity score of 10.0. "SQL Anywhere Monitor (Non-GUI) baked credentials into the code, exposing the resources or functionality to unintended users and providing attackers with the possibility of arbitrary code execution," reads the description for the flaw."
https://www.bleepingcomputer.com/news/security/sap-fixes-hardcoded-credentials-flaw-in-sql-anywhere-monitor/
https://www.securityweek.com/sap-patches-critical-flaws-in-sql-anywhere-monitor-solution-manager/
https://securityaffairs.com/184500/security/sap-fixed-a-maximum-severity-flaw-in-sql-anywhere-monitor.html - Microsoft November 2025 Patch Tuesday Fixes 1 Zero-Day, 63 Flaws
"Today is Microsoft's November 2025 Patch Tuesday, which includes security updates for 63 flaws, including one actively exploited zero-day vulnerability. This Patch Tuesday also addresses four "Critical" vulnerabilities, two of which are remote code execution vulnerabilities, one is an elevation of privileges, and the fourth is an information disclosure flaw."
https://www.bleepingcomputer.com/news/microsoft/microsoft-november-2025-patch-tuesday-fixes-1-zero-day-63-flaws/
https://blog.talosintelligence.com/microsoft-patch-tuesday-november-2025/
https://www.darkreading.com/vulnerabilities-threats/patch-now-microsoft-zero-day-critical-zero-click-bugs
https://cyberscoop.com/microsoft-patch-tuesday-november-2025/
https://www.securityweek.com/microsoft-patches-actively-exploited-windows-kernel-zero-day/ - Adobe Patches 29 Vulnerabilities
"Adobe’s latest round of Patch Tuesday updates addresses 29 vulnerabilities across the company’s InDesign, InCopy, Photoshop, Illustrator, Pass, Substance 3D Stager, and Format Plugins products. Critical vulnerabilities that can be exploited for arbitrary code execution have been addressed in InDesign, InCopy, Photoshop, Illustrator, Substance 3D Stager, and Format Plugins. A critical security bypass issue has been resolved in Pass. It’s worth noting that Adobe assigns a ‘critical’ severity to issues that, based on their CVSS score, have a ‘high’ severity rating."
https://www.securityweek.com/adobe-patches-29-vulnerabilities/
Malware
- You Thought It Was Over? Authentication Coercion Keeps Evolving
"Imagine a scenario where malicious actors don’t need to trick you into giving up your password. They have no need to perform sophisticated social engineering attacks or exploit vulnerabilities in your operating system. Instead, they can simply force your computer to authenticate to an attacker-controlled system, effectively commanding your machine to hand over valuable credentials. This attack method is called authentication coercion."
https://unit42.paloaltonetworks.com/authentication-coercion/ - How a CPU Spike Led To Uncovering a RansomHub Ransomware Attack
"Varonis recently helped a customer who observed a spike in CPU activity on a server in their environment, where a shallow review of the device revealed an in-progress compromise by an advanced threat actor we later attributed to RansomHub affiliates. Over the next 48 hours, our team worked closely with the customer to investigate, hunt, contain, and remediate the threat before it could become ransomware. Due to our team's advanced intervention capabilities, we secured the customer’s network with zero business downtime. Continue reading to see how the incident started."
https://www.bleepingcomputer.com/news/security/how-a-cpu-spike-led-to-uncovering-a-ransomhub-ransomware-attack/ - Malicious NPM Package Found Targeting GitHub By Typosquatting On GitHub Action Packages
"On Friday 7th November Veracode Threat Research identified a malicious npm package “@acitons/artifact”, that was typosquatting on the legitimate package @actions/artifact, which has accumulated over 206k downloads. The malicious package appeared to be targeting GitHub-owned repositories. We think the intent was to have this script execute during a build of a GitHub-owned repository, exfiltrate the tokens available to the build environment, and then use those tokens to publish new malicious artifacts as GitHub."
https://www.veracode.com/blog/malicious-npm-package-targeting-github-actions/
https://thehackernews.com/2025/11/researchers-detect-malicious-npm.html
https://hackread.com/fake-npm-package-downloads-github-credentials/ - How Credentials Get Stolen In Seconds, Even With a Script-Kiddie-Level Phish
"This attempt to phish credentials caught our attention, mostly because of its front-end simplicity. Even though this is a script-kiddie-level type of attack, we figured it was worth writing up—precisely because it’s so easy to follow what they’re up to. The email is direct and to the point. Not a lot of social engineering happening here."
https://www.malwarebytes.com/blog/threat-intel/2025/11/how-credentials-get-stolen-in-seconds-even-with-a-script-kiddie-level-phish - Maverick And Coyote: Analyzing The Link Between Two Evolving Brazilian Banking Trojans
"The CyberProof SOC Team and Threat Hunters responded to an incident involving a suspicious file download spotted through the messaging application WhatsApp. Further investigation helped uncover more related incidents, however the complete infection chain could not be observed or additional files from Command and control failed to deliver in our investigations. VirusTotal hunting of similar files helped us collect more files tied to this Brazilian targeting campaign and we found our analysis related to public research tied to Maverick banking trojan by Kaspersky, WhatsApp worm by Sophos and Sorvepotel by TrendMicro. We saw good number of similarities with the earlier reported Coyote banking malware campaign programmed to target the Brazilian region."
https://www.cyberproof.com/blog/maverick-and-coyote-analyzing-the-link-between-two-evolving-brazilian-banking-trojans/
https://thehackernews.com/2025/11/whatsapp-malware-maverick-hijacks.html - Rhadamanthys Infostealer Disrupted As Cybercriminals Lose Server Access
"The Rhadamanthys infostealer operation has been disrupted, with numerous “customers” of the malware-as-a-service reporting that they no longer have access to their servers. Rhadamanthys is an infostealer malware that steals credentials and authentication cookies from browsers, email clients, and other applications. It is commonly distributed through campaigns promoted as software cracks, YouTube videos, or malicious search advertisements. The malware is offered on a subscription model, where cybercriminals pay the developer a monthly fee for access to the malware, support, and a web panel used to collect stolen data."
https://www.bleepingcomputer.com/news/security/rhadamanthys-infostealer-disrupted-as-cybercriminals-lose-server-access/
Breaches/Hacks/Leaks
- GlobalLogic Warns 10,000 Employees Of Data Theft After Oracle Breach
"GlobalLogic, a provider of digital engineering services part of the Hitachi group, is notifying over 10,000 current and former employees that their data was stolen in an Oracle E-Business Suite (EBS) data breach. Based in Santa Clara, California, this software and product development services company was founded in 2000. Since then, it has expanded to 59 product engineering centers and several offices worldwide. In a breach notification letter filed with the office of Maine's Attorney General, the company states that the attackers exploited an Oracle EBS zero-day vulnerability to steal personal information belonging to 10,471 employees."
https://www.bleepingcomputer.com/news/security/globallogic-warns-10-000-employees-of-data-theft-after-oracle-breach/
https://cyberscoop.com/globallogic-oracle-clop-attacks/
https://www.theregister.com/2025/11/11/hitachiowned_globallogic_admits_data_stolen/ - Cl0p Ransomware Lists NHS UK As Victim, Days After Washington Post Breach
"Cl0p is claiming responsibility for a new data breach affecting the National Health Service (NHS UK). On November 11, 2026, the ransomware group posted on its dark web leak site, accusing the healthcare provider of neglecting its security, stating, “The company doesn’t care about its customers; it ignored their security.” Although the group has not revealed the volume of stolen data, the announcement aligns with ongoing attacks and reports pointing out CL0p of exploiting vulnerabilities in Oracle’s E-Business Suite (EBS)."
https://hackread.com/cl0p-ransomware-nhs-uk-washington-post-breach/ - Have I Been Pwned Adds 1.96B Accounts From Synthient Credential Data
"Have I Been Pwned (HIBP), the popular breach notification service, has added another massive dataset to its platform. This time, 1.96 billion accounts connected to the Synthient Credential Stuffing Threat Data, in collaboration with the threat-intelligence firm Synthient. Users who subscribe to HIBP alerts, including this writer, received an email notification stating: “You’ve been pwned in the Synthient Credential Stuffing Threat Data data breach.”"
https://hackread.com/have-i-been-pwned-synthient-credential-data-accounts/
General News
- Who Owns The Cybersecurity Of Space?
"As a cybersecurity professional, I have spent decades watching humanity build digital castles without moats. We did it with the internet, with artificial intelligence and with critical infrastructure. Now, we are doing it again, this time in orbit. We are racing to commercialize space to connect the unconnected and monetize orbit, yet we are ignoring the most important question: Who owns the cybersecurity of space?"
https://www.bankinfosecurity.com/blogs/who-owns-cybersecurity-space-p-3971 - To Get Funding, CISOs Are Mastering The Language Of Money
"In this Help Net Security interview, Chris Wheeler, CISO at Resilience, talks about how CISOs are managing changing cybersecurity budgets. While overall spending is up, many say the increases don’t match their most pressing needs. Wheeler explains how organizations are reallocating funds, measuring ROI, and linking cybersecurity plans to business goals."
https://www.helpnetsecurity.com/2025/11/11/chris-wheeler-resilience-cisos-cybersecurity-budgets/ - How Far Can Police Push Privacy Before It Breaks
"Police use drones, body cameras, and license plate readers as part of their daily work. Supporters say these tools make communities safer. Critics see something different, a system that collects too much data and opens the door to abuse. When surveillance expands without public oversight, civil liberties start to slip away, especially for people who already face bias and discrimination."
https://www.helpnetsecurity.com/2025/11/11/police-surveillance-privacy-risks/ - CISOs Are Cracking Under Pressure
"Cybersecurity leaders are hitting their limit. A new report from Nagomi Security shows that most CISOs are stretched thin, dealing with nonstop incidents, too many tools, and growing pressure from their boards. The pressures are so intense that many say they are burned out and thinking about walking away. The personal cost is beginning to affect business readiness. Nearly half said burnout has already hurt their ability to prepare for breaches. The researchers warn that when leaders reach this point, the entire organization becomes more vulnerable."
https://www.helpnetsecurity.com/2025/11/11/stress-ciso-burnout-crisis/ - AI Browsers Are Rapidly Becoming Major Risk To Cybersecurity
"As a new type of browser infused with artificial intelligence (AI) capabilities start to become more widely available, significant security concerns are starting to emerge. Like most AI tools, this new type of browser is susceptible to prompt injection attacks. However, the issue is these AI browsers are being connected to a wide range of applications that make it possible to extend the reach of a prompt injection attack well beyond the browser."
https://blog.barracuda.com/2025/11/10/ai-browsers-major-risk-cybersecurity - “Bitcoin Queen” Gets 11 Years In Prison For $7.3 Billion Bitcoin Scam
"A Chinese woman known as the "Bitcoin Queen" was sentenced in London to 11 years and eight months in jail for laundering Bitcoin from a £5.5 billion ($7.3 billion) cryptocurrency investment scheme. The sentence follows a seven-year investigation by the Met's Economic Crime team into international money laundering, which revealed that the 47-year-old woman, Zhimin Qian (also known as Yadi Zhang), was the head of a large-scale fraud campaign that defrauded over 128,000 victims in China between 2014 and 2017. This action also led to the seizure of 61,000 Bitcoin worth hundreds of millions of pounds at the time and now valued at roughly £5.5 billion, the largest cryptocurrency seizure in Britain's history."
https://www.bleepingcomputer.com/news/security/bitcoin-queen-gets-11-years-in-prison-for-73-billion-bitcoin-scam/ - Global Cyber Attacks Surge In October 2025 Amid Explosive Ransomware Growth And Rising GenAI Threats
"In October 2025, the global volume of cyber attacks continued its upward trajectory. Organizations worldwide experienced an average of 1,938 cyber attacks per week, marking a 2% increase from September and a 5% rise compared to October 2024. Check Point Research data reveals that this steady escalation underscores a persistent and evolving cyber threat landscape fuelled by the growing sophistication of ransomware operations and the expanding risks associated with the adoption of generative AI (GenAI)."
https://blog.checkpoint.com/research/global-cyber-attacks-surge-in-october-2025-amid-explosive-ransomware-growth-and-rising-genai-threats/ - Grandparents To C-Suite: Elder Fraud Reveals Gaps In Human-Centered Cybersecurity
"A retiree answers the phone one afternoon and hears what sounds unmistakably like her grandson's voice. He says he's been in an accident and needs money right away. The caller knows her name, her town, and details about the family. Panicked, she sends the funds — only later learning that the voice was generated by artificial intelligence and the personal information came from publicly available data online."
https://www.darkreading.com/cyber-risk/grandparents-to-c-suite-elder-fraud-reveals-gaps-in-human-centered-cybersecurity - Qilin Ransomware Activity Surges As Attacks Target Small Businesses
"A rise in ransomware incidents linked to the Qilin ransomware group, one of the longest-running ransomware-as-a-service (RaaS) operations, has been observed by cybersecurity researchers. According to S-RM’s latest intelligence, Qilin continues to exploit weaknesses such as unpatched VPN appliances, lack of multi-factor authentication (MFA) and exposed management interfaces to gain initial access to corporate networks."
https://www.infosecurity-magazine.com/news/qilin-ransomware-activity-surges/ - Cyber Insurers Paid Out Over Twice As Much For UK Ransomware Attacks Last Year
"The number of successful cyber insurance claims made by UK organizations shot up last year, according to the latest figures from the industry's trade association. The Association of British Insurers (ABI) said £197 million ($259 million) in cyber insurance payouts were made to victimized organizations in 2024, up from £59 million ($77 million) in 2023."
https://www.theregister.com/2025/11/11/ransomware_surge_fuels_230_increase/
อ้างอิง
Electronic Transactions Development Agency (ETDA)
- Hidden Risks In The Financial Sector’s Supply Chain
-
Cyber Threat Intelligence 11 November 2025โพสต์ใน Cyber Security News
New Tooling
- Sqlmap: Open-Source SQL Injection And Database Takeover Tool
"Finding and exploiting SQL injection vulnerabilities is one of the oldest and most common steps in web application testing. sqlmap streamlines this process. It is an open-source penetration testing tool that automates the detection and exploitation of SQL injection flaws and can take over database servers when configured to do so."
https://www.helpnetsecurity.com/2025/11/10/sqlmap-open-source-sql-injection-database-takeover-tool/
https://github.com/sqlmapproject/sqlmap
Vulnerabilities
- Vulnerability In Expr-Eval JavaScript Library Can Lead To Arbitrary Code Execution
"The npm package expr-eval is a JavaScript library that evaluates mathematical expressions and is used in various applications, including NLP and AI. A vulnerability in this library has been disclosed that could allow arbitrary code execution by an attacker using maliciously crafted input."
https://kb.cert.org/vuls/id/263614
https://www.bleepingcomputer.com/news/security/popular-javascript-library-expr-eval-vulnerable-to-rce-flaw/
What’s That Coming Over The Hill? (Monsta FTP Remote Code Execution CVE-2025-34299)
"Happy Friday, friends and.. others. We’re glad/sorry to hear that your week has been good/bad, and it’s the weekend/but at least it’s almost the weekend! Today, in a tale that seems all too familar at this point, we begun as innocently as always - to reproduce an N-day in Monsta FTP as part of our emerging threat rapid reaction process we enact across the watchTowr client base. Yet, somehow, we find ourselves saddled with the reality of discussing another zero-day. “What on earth is Monsta FTP?” you might say. Monsta FTP is a web-based FTP client that lets users manage and transfer files directly through a browser on remote servers, with a minimum of 5,000 instances sitting on the Internet."
https://labs.watchtowr.com/whats-that-coming-over-the-hill-monsta-ftp-remote-code-execution-cve-2025-34299/
https://hackread.com/monsta-ftp-flaw-web-servers-open-server-takeover/ - No Place Like Localhost: Unauthenticated Remote Access Via Triofox Vulnerability CVE-2025-12480
"Mandiant Threat Defense has uncovered exploitation of an unauthenticated access vulnerability within Gladinet’s Triofox file-sharing and remote access platform. This now-patched n-day vulnerability, assigned CVE-2025-12480, allowed an attacker to bypass authentication and access the application configuration pages, enabling the upload and execution of arbitrary payloads."
https://cloud.google.com/blog/topics/threat-intelligence/triofox-vulnerability-cve-2025-12480/
https://thehackernews.com/2025/11/hackers-exploiting-triofox-flaw-to.html - CISA Adds One Known Exploited Vulnerability To Catalog
"CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
CVE-2025-21042 Samsung Mobile Devices Out-of-Bounds Write Vulnerability"
https://www.cisa.gov/news-events/alerts/2025/11/10/cisa-adds-one-known-exploited-vulnerability-catalog
https://www.bleepingcomputer.com/news/security/cisa-orders-feds-to-patch-samsung-zero-day-used-in-spyware-attacks/
Malware
- Multi-Brand Themed Phishing Campaign Harvests Credentials Via Telegram Bot API
"Cyble Research and Intelligence Labs (CRIL) have uncovered a widespread phishing campaign targeting multiple brands to steal credentials. Attackers distribute HTML attachments through email, successfully bypassing conventional security checks by not using suspicious URLs or hosting on external servers. The embedded HTML files run JavaScript that steals user credentials and sends them directly to attacker-controlled Telegram bots."
https://cyble.com/blog/multi-brand-phishing-campaign-harvests-credentials/ - Quantum Route Redirect: Anonymous Tool Streamlining Global Phishing Attack
"KnowBe4 Threat Labs has uncovered an emerging advanced phishing campaign targeting Microsoft 365 users globally to steal their credentials. The attackers are wielding a powerful new tool that’s completely changing the game for cybercriminals—turning what used to be complex, technical phishing setups into simple one-click launches that can bypass certain technical controls. Welcome to the era of “Quantum Route Redirect.""
https://blog.knowbe4.com/quantum-route-redirect-anonymous-tool-streamlining-global-phishing-attack
https://www.bleepingcomputer.com/news/security/quantum-route-redirect-phaas-targets-microsoft-365-users-worldwide/ - New Phishing Campaign Exploits Meta Business Suite To Target SMBs Across The U.S. And Beyond
"With more than 5.4 billion users worldwide (according to Statista), Facebook remains the world’s most influential social platform and a critical marketing channel for small and medium-sized businesses. Its vast reach and trusted brand make it a prime target for attackers, meaning that when a phishing campaign abuses Facebook’s name, the consequences can be especially serious."
https://blog.checkpoint.com/email-security/new-phishing-campaign-exploits-meta-business-suite-to-target-smbs-across-the-u-s-and-beyond/
https://www.theregister.com/2025/11/10/5k_facebook_advertising_customers_phishing/ - Fantasy Hub: Another Russian Based RAT As M-a-a-S
"zLabs identified “Fantasy Hub,” an Android Remote Access Trojan sold on Russian-language channels under a Malware-as-a-Service (MaaS) subscription. The developer of this malware promotes its broad capabilities for device control and espionage. These capabilities include the exfiltration of SMS messages, contacts, call logs, and bulk theft of images and videos. The malware can also intercept, reply, and delete incoming notifications, among other features."
https://zimperium.com/blog/fantasy-hub-another-russian-based-rat-as-m-a-a-s
https://www.malwarebytes.com/blog/news/2025/11/fantasy-hub-is-spyware-for-rent-complete-with-fake-app-kits-and-support - State-Sponsored Remote Wipe Tactics Targeting Android Devices
"The Genians Security Center (GSC) has identified new attack activity linked to the KONNI APT campaign, which is known to be associated with the Kimsuky or APT37 groups. During its ongoing investigation into KONNI’s operations, GSC discovered that malicious files disguised as “stress-relief programs” were being widely distributed through South Korea’s KakaoTalk messenger platform. KONNI has overlapping targets and infrastructure with Kimsuky and APT37, leading some researchers to classify them as the same group. All three are recognized as state-sponsored threat actors operating under the direction of the North Korean regime."
https://www.genians.co.kr/en/blog/threat_intelligence/android
https://thehackernews.com/2025/11/konni-hackers-turn-googles-find-hub.html
https://www.bleepingcomputer.com/news/security/apt37-hackers-abuse-google-find-hub-in-android-data-wiping-attacks/
Breaches/Hacks/Leaks
- Allianz UK Joins Growing List Of Clop’s Oracle E-Business Suite Victims
"Allianz UK confirms it was one of the many companies that fell victim to the Clop gang's Oracle E-Business Suite (EBS) attack after crims reported that they had attacked a subsidiary. The criminal crew behind the wave of zero-day data raids claimed to have attacked Allianz-owned British insurer Liverpool Victoria (LV) on Tuesday, but a spokesperson for its parent company waved away these allegations. Allianz UK told The Register that the attack compromised the data of its customers only, and there was no impact on LV's customers or systems at all."
https://www.theregister.com/2025/11/10/allianz_uk_joins_growing_list/
https://www.securityweek.com/nearly-30-alleged-victims-of-oracle-ebs-hack-named-on-cl0p-ransomware-site/
General News
- Wi-Fi Signals May Hold The Key To Touchless Access Control
"Imagine walking into a secure building where the door unlocks the moment your hand hovers near it. No keycards, no PINs, no fingerprints. Instead, the system identifies you by the way your palm distorts the surrounding Wi-Fi signal. That is the idea behind a new study from researchers at the Aeronautics Institute of Technology (ITA) in Brazil."
https://www.helpnetsecurity.com/2025/11/10/research-wi-fi-palm-authentication/
https://arxiv.org/pdf/2510.22133 - Adopting a Counterintelligence Mindset In Luxury Logistics
"In this Help Net Security interview, Andrea Succi, Group CISO at Ferrari Group, discusses how cybersecurity is integrated into every aspect of the logistics industry. He explains why protecting data can be as critical as securing physical assets and how a layered defense approach helps safeguard both. Succi adds that awareness, collaboration, and resilience keep client trust and operations consistent."
https://www.helpnetsecurity.com/2025/11/10/andrea-succi-ferrari-group-logistics-industry-cybersecurity/ - AI Is Rewriting How Software Is Built And Secured
"AI has become part of everyday software development, shaping how code is written and how fast products reach users. A new report from Cycode, The 2026 State of Product Security for the AI Era, explores how deeply AI now runs through development pipelines and how security teams are trying to manage the risks that come with it. Cycode surveyed 400 CISOs, AppSec leaders, and DevSecOps managers across the US and UK. Every organization said they have AI-generated code in their environment, and almost all are already using or testing AI coding assistants."
https://www.helpnetsecurity.com/2025/11/10/ai-product-security-report/ - As AI Enables Bad Actors, How Are 3,000+ Teams Responding?
"This year has shown just how quickly new exposures can emerge, with AI-generated code shipped before review, cloud sprawl racing ahead of controls, and shadow IT opening blind spots. Supply chain compromises have disrupted transport, manufacturing, and other critical services. On the attacker side, AI-assisted exploit development is making it faster than ever to turn those weaknesses into working attacks. Intruder's 2025 Exposure Management Index draws on data from more than 3,000 small and mid-sized businesses (1-2,000 employees) to understand how defenders are adapting – revealing where progress is being made, and where pressure points remain. Below are three key trends shaping exposure management in 2025."
https://www.theregister.com/2025/11/10/ai_enables_bad_actors/ - OWASP Highlights Supply Chain Risks In New Top 10
"OWASP has updated its list of Top 10 software vulnerabilities to align it better with the current threat landscape and modern development practices. The Nov. 6 release is OWASP's first major Top 10 update since 2021 and is notable for its emphasis on supply chain risks and systemic design weakness rather than just common software coding errors. For defenders, the key takeaway is the need to integrate application security, software supply chain oversight, and operational resilience practices more tightly together."
https://www.darkreading.com/application-security/owasp-highlights-supply-chain-risks-new-top-10
https://owasp.org/Top10/2025/0x00_2025-Introduction/
https://www.securityweek.com/two-new-web-application-risk-categories-added-to-owasp-top-10/ - Why Organizations Can’t Ignore Vendor Risk Assessment In Today’s Cyber-Threat Landscape
"In an era where digital ecosystems extend far beyond a company’s internal network, enterprise cybersecurity is no longer solely about firewalls and endpoint protection. It’s about the unseen connections, the suppliers, service providers, cloud vendors and subcontractors who form part of the operational supply chain. One critical practice at the heart of this challenge is vendor risk assessment: the process of evaluating the risks that third parties pose to an organisation’s data, operations and reputation."
https://hackread.com/organizations-vendor-risk-assessment-cyber-threat-landscape/ - Agentic AI In Cybersecurity: Beyond Triage To Strategic Threat Hunting
"With a deficit of 4 million cybersecurity workers worldwide, it’s no surprise that most SOCs are still stuck in triage mode. That’s why agentic AI is stepping in to fill the gap. And this boost to internal cybersecurity capabilities gives security teams the ability to do what was only a pipe dream before: engage in proactive security. In other words, agentic AI is taking low-level decisions off SOC’s plates, so they don’t have to spend their days playing a reactive game of cat-and-mouse. Using these new AI capabilities, they can move beyond emergency response and head into a more mature security stage of strategic threat hunting."
https://securityaffairs.com/184413/uncategorized/agentic-ai-in-cybersecurity-beyond-triage-to-strategic-threat-hunting.html - Exposure Report: 65% Of Leading AI Companies Found With Verified Secret Leaks
"AI companies are racing ahead, but many are leaving their secrets behind. We looked at 50 leading AI companies and found that 65% had leaked verified secrets on GitHub. Think API keys, tokens, and sensitive credentials, often buried deep in deleted forks, gists, and developer repos most scanners never touch. Some of these leaks could have exposed organizational structures, training data, or even private models. For teams building the future of AI, speed and security have to move together."
https://www.wiz.io/blog/forbes-ai-50-leaking-secrets
https://www.securityweek.com/many-forbes-ai-50-companies-leak-secrets-on-github/
https://www.infosecurity-magazine.com/news/leading-ai-companies-secret-leaks/ - Australia Sanctions Hackers Supporting North Korea’s Weapons Program
"The Australian government announced sanctions against four entities and an individual believed to be involved in cybercriminal activities supporting North Korea’s weapons programs. “The Australia Government is taking this action with the United States to apply pressure on North Korea’s illegal revenue generation networks and address its persistent challenges to security and stability,” Foreign Minister Penny Wong said. The financial sanctions, accompanied by travel bans, target entities believed to have deep links with North Korea’s malicious cyber activities, such as cryptocurrency theft, fraudulent IT worker schemes, and espionage."
https://www.securityweek.com/australia-sanctions-hackers-supporting-north-koreas-weapons-program/ - New Browser Security Report Reveals Emerging Threats For Enterprises
"According to the new Browser Security Report 2025, security leaders are discovering that most identity, SaaS, and AI-related risks converge in a single place, the user's browser. Yet traditional controls like DLP, EDR, and SSE still operate one layer too low. What's emerging isn't just a blindspot. It's a parallel threat surface: unmanaged extensions acting like supply chain implants, GenAI tools accessed through personal accounts, sensitive data copy/pasted directly into prompt fields, and sessions that bypass SSO altogether."
https://thehackernews.com/2025/11/new-browser-security-report-reveals.html
อ้างอิง
Electronic Transactions Development Agency (ETDA)
- Sqlmap: Open-Source SQL Injection And Database Takeover Tool