NCSA Webboard

    NCSA_THAICERT (@NCSA_THAICERT)
    Global Moderator, administrators
    Website: www.ncsa.or.th/?fbclid=IwAR0BqJEC-CJzBs98rlBxUbZkNBgp1g814xdDNNaKnHTrxfqZhPD--ksY68I

    Latest posts made by NCSA_THAICERT

    • GhostPoster malware hides malicious code in the logos of more than 17 Firefox extensions

      Follow the news on the webboard or on the NCSA Thailand Facebook page.

      Posted in Cyber Security News by NCSA_THAICERT
    • Cyberattack hits Petróleos de Venezuela (PDVSA), temporarily halting exports

      Posted in Cyber Security News by NCSA_THAICERT
    • Android malware “Cellik” hides in apps on Google Play and is capable of full-scale data theft

      Posted in Cyber Security News by NCSA_THAICERT
    • CISA releases six Industrial Control Systems (ICS) advisories

      On 16 December 2025 the Cybersecurity and Infrastructure Security Agency (CISA) released six advisories on industrial control systems (ICS) to provide timely information about security issues, vulnerabilities and attacks affecting ICS. The advisories are:

      • ICSA-25-350-01 Güralp Systems FMUS (Fortimus) Series and MIN (Minimus) Series
      • ICSA-25-350-02 Johnson Controls PowerG, IQPanel and IQHub
      • ICSA-25-350-03 Hitachi Energy AFS, AFR and AFF Series
      • ICSA-25-350-04 Mitsubishi Electric GT Designer3
      • ICSA-25-224-02 Johnson Controls iSTAR Ultra, iSTAR Ultra SE, iSTAR Ultra G2, iSTAR Ultra G2 SE, iSTAR Edge G2 (Update A)
      • ICSA-25-308-01 Fuji Electric Monitouch V-SFT-6 (Update A)

      CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations.

      References
      https://www.cisa.gov/news-events/alerts/2025/12/16/cisa-releases-seven-industrial-control-systems-advisories
      Posted in OT Cyber Security News by NCSA_THAICERT
    • CISA adds three known exploited vulnerabilities to its catalog

      On 17 December 2025 the Cybersecurity and Infrastructure Security Agency (CISA) added three new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation:

      • CVE-2025-20393 Cisco Multiple Products Improper Input Validation Vulnerability
      • CVE-2025-40602 SonicWall SMA1000 Missing Authorization Vulnerability
      • CVE-2025-59374 ASUS Live Update Embedded Malicious Code Vulnerability

      CISA's Binding Operational Directive (BOD) 22-01 established the Known Exploited Vulnerabilities (KEV) catalog to collect CVEs that carry significant risk and are exploited in the wild. Federal Civilian Executive Branch (FCEB) agencies are required to remediate the listed vulnerabilities by the specified due date to protect their networks against these threats.

      CISA will continue to update the KEV catalog with newly identified exploited vulnerabilities so that it covers the risks detected now and in the future.

      References

      Posted in Cyber Security News by NCSA_THAICERT
    • Cyber Threat Intelligence 18 December 2025

      Financial Sector

      • Banks Built Rules For Yesterday’s Crime And RegTech Is Trying To Fix That
        "Criminals are moving money across borders faster, and financial institutions are feeling the squeeze. Compliance teams feel this strain every day as they try to keep up with schemes that shift through accounts, intermediaries, and digital channels. A new academic review of regulatory technology, or RegTech, shows how this pressure is reshaping compliance work and why research in this field is gaining new weight."
        https://www.helpnetsecurity.com/2025/12/17/regulatory-technology-financial-crime-study/

      New Tooling

      • Zabbix: Open-Source IT And OT Observability Solution
        "Zabbix is an open source monitoring platform designed to track the availability, performance, and integrity of IT environments. It monitors networks along with servers, virtual machines, applications, services, databases, websites, and cloud resources. For cybersecurity professionals, this visibility matters because operational issues and security incidents often overlap. Early signs of compromise can surface as performance changes, service failures, or unusual system behavior that monitoring tools detect first."
        https://www.helpnetsecurity.com/2025/12/17/zabbix-open-source-it-ot-observability-solution/
        https://github.com/zabbix/zabbix

      Vulnerabilities

      • UAT-9686 Actively Targets Cisco Secure Email Gateway And Secure Email And Web Manager
        "Cisco Talos is tracking the active targeting of Cisco AsyncOS Software for Cisco Secure Email Gateway, formerly known as Cisco Email Security Appliance (ESA), and Cisco Secure Email and Web Manager, formerly known as Cisco Content Security Management Appliance (SMA), enabling attackers to execute system-level commands and deploy a persistent Python-based backdoor, AquaShell. Cisco became aware of this activity on December 10, which has been ongoing since at least late November 2025. Additional tools observed include AquaTunnel (reverse SSH tunnel), chisel (another tunneling tool), and AquaPurge (log-clearing utility). Talos' analysis indicates that appliances with non-standard configurations, as described in Cisco's advisory, are what we have observed as being compromised by the attack."
        https://blog.talosintelligence.com/uat-9686/
        https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sma-attack-N9bf4
        https://www.bleepingcomputer.com/news/security/cisco-warns-of-unpatched-asyncos-zero-day-exploited-in-attacks/
        https://www.theregister.com/2025/12/17/attacks_pummeling_cisco_0day/
        https://www.helpnetsecurity.com/2025/12/17/cisco-secure-email-cve-2025-20393/
      • Critical Arbitrary File Upload Vulnerability In Motors Theme Affecting 20k+ Sites
        "This blog post is about a Subscriber+ arbitrary file upload vulnerability in the Motors theme. If you're a Motors theme user, please update to at least version 5.6.82. This vulnerability was discovered and reported by Patchstack Alliance community member Denver Jackson."
        https://patchstack.com/articles/critical-arbitrary-file-upload-vulnerability-in-motors-theme-affecting-20k-sites/
        https://www.infosecurity-magazine.com/news/motors-wordpress-flaw-takeover/
      • Sonicwall Warns Of New SMA1000 Zero-Day Exploited In Attacks
        "SonicWall warned customers today to patch a vulnerability in the SonicWall SMA1000 Appliance Management Console (AMC) that was chained in zero-day attacks to escalate privileges. According to SonicWall, this medium-severity local privilege escalation security flaw (CVE-2025-40602) was reported by Clément Lecigne and Zander Work of the Google Threat Intelligence Group, and doesn't affect SSL-VPN running on SonicWall firewalls. "SonicWall PSIRT strongly advises users of the SMA1000 product to upgrade to the latest hotfix release version to address the vulnerability," the company said in a Wednesday advisory."
        https://www.bleepingcomputer.com/news/security/sonicwall-warns-of-new-sma1000-zero-day-exploited-in-attacks/
        https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0019
        https://thehackernews.com/2025/12/sonicwall-fixes-actively-exploited-cve.html
        https://securityaffairs.com/185809/hacking/sonicwall-warns-of-actively-exploited-flaw-in-sma-100-amc.html
        https://www.helpnetsecurity.com/2025/12/17/sonicwall-cve-2025-40602/
      • Libbiosig, Grassroot DiCoM, Smallstep Step-Ca Vulnerabilities
        "Cisco Talos’ Vulnerability Discovery & Research team recently disclosed vulnerabilities in Biosig Project Libbiosig, Grassroot DiCoM, and Smallstep step-ca. The vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in adherence to Cisco’s third-party vulnerability disclosure policy, except for Grassroot, as the DiCoM vulnerabilities are zero-days."
        https://blog.talosintelligence.com/libbiosig-grassroot-dicom-smallstep-step-ca-vulnerabilities/
      • Defending Against The CVE-2025-55182 (React2Shell) Vulnerability In React Server Components
        "CVE-2025-55182 (also referred to as React2Shell and includes CVE-2025-66478, which was merged into it) is a critical pre-authentication remote code execution (RCE) vulnerability affecting React Server Components, Next.js, and related frameworks. With a CVSS score of 10.0, this vulnerability could allow attackers to execute arbitrary code on vulnerable servers through a single malicious HTTP request. Exploitation activity related to this vulnerability was detected as early as December 5, 2025."
        https://www.microsoft.com/en-us/security/blog/2025/12/15/defending-against-the-cve-2025-55182-react2shell-vulnerability-in-react-server-components/
        https://cyberscoop.com/react2shell-vulnerability-fallout-spreads/
      • Turning AI Safeguards Into Weapons With HITL Dialog Forging
        "This article provides a deeper technical analysis of the novel agentic AI attack vector: the LITL attack, which we recently developed and documented in Bypassing AI Agent Defenses With Lies-In-The-Loop. The LITL attack directly targets the HITL component, causing the agent to prompt the user with a seemingly benign HITL dialog that can deceive users into approving a remote code execution attack originating from indirect prompt injections."
        https://checkmarx.com/zero-post/turning-ai-safeguards-into-weapons-with-hitl-dialog-forging/
        https://www.infosecurity-magazine.com/news/lies-loop-attack-ai-safety-dialogs/

      Malware

      • GhostPairing Attacks: From Phone Number To Full Access In WhatsApp
        "Gen has discovered a novel WhatsApp account takeover campaign that we refer to as GhostPairing Attack. On the surface it looks very simple. Victims receive a message from one of their contacts, usually something along the lines of: “Hey, I just found your photo!” The message includes a link that appears as a Facebook style preview. When users open it, they see a page that imitates a Facebook viewer and asks them to “verify” before they can see the content."
        https://www.gendigital.com/blog/insights/research/ghostpairing-whatsapp-attack
        https://www.bleepingcomputer.com/news/security/whatsapp-device-linking-abused-in-account-hijacking-attacks/
      • React2Shell Used As Initial Access Vector For Weaxor Ransomware Deployment
        "S-RM has responded to an incident where a threat actor used the recently disclosed critical vulnerability known as React2Shell (CVE-2025-55182) to gain access to a corporate network and deploy ransomware. The deployment of ransomware in S-RM’s cases appears to have been automated, and the scope of compromise remained limited to the server which was vulnerable to React2Shell."
        https://www.s-rminform.com/latest-thinking/react2shell-used-as-initial-access-vector-for-weaxor-ransomware-deployment
        https://www.bleepingcomputer.com/news/security/critical-react2shell-flaw-exploited-in-ransomware-attacks/
      • Windows Persistence Explained: Techniques, Risks, And What Defenders Should Know
        "Modern Windows systems include many built-in features that help applications run smoothly and support everyday user activity. Unfortunately, many of these built-in functionalities can be exploited by threat actors in order to have malware payloads remain on a system and run without user interaction. These different features can be abused to be what security researchers call “persistence mechanisms.”"
        https://cofense.com/blog/windows-persistence-explained-techniques,-risks,-and-what-defenders-should-know
      • NuGet Malware Targets Nethereum Tools
        "This year, ReversingLabs (RL) researchers have discovered malware on various open-source software (OSS) platforms that target crypto users and developers. This is an attack trend RL saw explode in 2024, and it has continued in 2025 with crypto among threat actors' favored prey. This past year alone, RL researchers have identified crypto-focused malware on:"
        https://www.reversinglabs.com/blog/nuget-malware-crypto-oauth-tokens
        https://hackread.com/nuget-malicious-packages-steal-crypto-ad-data/
      • ClickFix: DarkGate
        "“ClickFix” is a form of social engineering rather than an autonomous malware. It represents a fast-growing method of initial system compromise, where attackers deceive users into executing harmful commands themselves, typically disguised as routine troubleshooting steps or verification procedures ultimately leading to the unintentional installation of malware."
        https://www.pointwild.com/threat-intelligence/clickfix-darkgate
        https://hackread.com/clickfix-attack-fake-browser-install-darkgate-malware/
      • Inside a Purchase Order PDF Phishing Campaign
        "A customer contacted me when Malwarebytes blocked the link inside a “purchase order” email they had received. When I examined the attachment, it soon became clear why we blocked it. The visible content of the PDF showed a button prompting the recipient to view the purchase order. Hovering over the button revealed a long URL that included a reference to a PDF viewer. While this might fool some people at first glance, a closer look raised red flags:"
        https://www.malwarebytes.com/blog/threat-intel/2025/12/inside-a-purchase-order-pdf-phishing-campaign
      • Operation ForumTroll Continues: Russian Political Scientists Targeted Using Plagiarism Reports
        "In March 2025, we discovered Operation ForumTroll, a series of sophisticated cyberattacks exploiting the CVE-2025-2783 vulnerability in Google Chrome. We previously detailed the malicious implants used in the operation: the LeetAgent backdoor and the complex spyware Dante, developed by Memento Labs (formerly Hacking Team). However, the attackers behind this operation didn’t stop at their spring campaign and have continued to infect targets within the Russian Federation."
        https://securelist.com/operation-forumtroll-new-targeted-campaign/118492/
        https://thehackernews.com/2025/12/new-forumtroll-phishing-attacks-target.html
      • Kimwolf Exposed: The Massive Android Botnet With 1.8 Million Infected Devices
        "On October 24, 2025, a trusted partner in the security community provided us with a brand-new botnet sample. The most distinctive feature of this sample was its C2 domain, 14emeliaterracewestroxburyma02132[.]su, which at the time ranked 2nd in the Cloudflare Domain Rankings. A week later, it even surpassed Google to claim the number one spot in Cloudflare's global domain popularity rankings. There is no doubt that this is a hyper-scale botnet. Based on the information output during runtime and its use of the wolfSSL library, we have named it Kimwolf."
        https://blog.xlab.qianxin.com/kimwolf-botnet-en/
        https://thehackernews.com/2025/12/kimwolf-botnet-hijacks-18-million.html
      • BlueDelta’s Persistent Campaign Against UKR.NET
        "Between June 2024 and April 2025, Recorded Future’s Insikt Group identified a sustained credential-harvesting campaign targeting users of UKR.NET, a widely used Ukrainian webmail and news service. The activity is attributed to the Russian state-sponsored threat group BlueDelta (also known as APT28, Fancy Bear, and Forest Blizzard). This campaign builds on BlueDelta’s earlier operations detailed in the May 2024 Insikt Group report “GRU’s BlueDelta Targets Key Networks in Europe with Multi-Phase Espionage Campaigns,” which documented GRU-linked credential theft and espionage activity. While this campaign does not reveal specific targets, BlueDelta’s historical focus on credential theft to enable intelligence collection provides strong indicators of likely intent to collect sensitive information from Ukrainian users in support of broader GRU intelligence requirements."
        https://www.recordedfuture.com/research/bluedeltas-persistent-campaign-against-ukrnet
        https://assets.recordedfuture.com/insikt-report-pdfs/2025/cta-ru-2025-1217.pdf
        https://therecord.media/russian-bluedelta-hackers-ran-phishing-ukraine-webmail
        https://thehackernews.com/2025/12/apt28-targets-ukrainian-ukr-net-users.html
      • Exclusive: RSF Uncovers New Spyware From Belarus
        "Reporters Without Borders (RSF)’s Digital Security Lab (DSL), working with the Eastern European organisation RESIDENT.NGO, has uncovered a previously unknown spyware tool used by the State Security Committee (KGB) of Belarus to target, among others, journalists and media workers. RSF assesses that this exposure is a serious setback for the KGB’s operations, not least because the software appears to have been in use for several years."
        https://rsf.org/en/exclusive-rsf-uncovers-new-spyware-belarus
        https://therecord.media/spyware-belarus-journalist-rsf
      • From Linear To Complex: An Upgrade In RansomHouse Encryption
        "RansomHouse is a ransomware-as-a-service (RaaS) operation run by a group that we track as Jolly Scorpius. Recent samples of the associated binaries used in RansomHouse operations reveal a significant upgrade in encryption. This article explores the upgrade of RansomHouse encryption and the potential impact for defenders. Jolly Scorpius uses a double extortion strategy. This strategy combines stealing and encrypting a victim's data with threats to leak the stolen data."
        https://unit42.paloaltonetworks.com/ransomhouse-encryption-upgrade/

      Breaches/Hacks/Leaks

      • Auto Parts Giant LKQ Confirms Oracle EBS Breach
        "Automotive parts giant LKQ Corporation has confirmed that it has been impacted by the recent cybercrime campaign targeting customers of the Oracle E-Business Suite (EBS) solution. The Fortune 500 company provides recycled, refurbished, and aftermarket components for cars and other types of vehicles. LKQ was one of the first victims of the Oracle EBS hack named on the Cl0p ransomware website, where the cybercriminals behind the campaign have been listing targeted organizations."
        https://www.securityweek.com/auto-parts-giant-lkq-confirms-oracle-ebs-breach/
        https://www.infosecurity-magazine.com/news/lkq-confirms-oracle-ebs-breach/
      • GNV Ferry Fantastic Under Cyberattack Probe Amid Remote Hijack Fears
        "French prosecutors are investigating a suspected cyberattack on the GNV ferry Fantastic, raising fears of a potential remote hijack. The ferry Fantastic sails between Sète and North Africa, and French authorities are investigating a suspected attempt to compromise the ship’s IT systems. Italian intelligence, prompted by GNV, alerted French authorities about two sailors, a Latvian and a Bulgarian, suspected of spying for a foreign power. The Paris prosecutor’s cybercrime unit is investigating an organized attack on automated data systems, allegedly to serve a foreign power."
        https://securityaffairs.com/185800/hacking/gnv-ferry-fantastic-under-cyberattack-probe-amid-remote-hijack-fears.html

      General News

      • November 2025 APT Attack Trends Report (South Korea)
        "AhnLab is monitoring APT (Advanced Persistent Threat) attacks in South Korea using our own infrastructure. This report covers the classification and statistics of APT attacks in South Korea that were identified over the course of one month in November 2025. It also provides an overview of the features of each attack type."
        https://asec.ahnlab.com/en/91587/
      • AI Breaks The Old Security Playbook
        "AI has moved into enterprise operations faster than many security programs expected. It is embedded in workflows, physical systems, and core infrastructure. Some AI tools reach hundreds of millions of users each week. Inference costs have fallen 280 fold, but overall spending is still rising because usage keeps growing. Attackers are using the same tools. CISOs manage a broader attack surface driven by automation, new data paths, and machine led decisions. Deloitte’s Tech Trends 2026 shows how this shift is changing what CISOs and other technology leaders are responsible for."
        https://www.helpnetsecurity.com/2025/12/17/deloitte-enterprise-ai-defense-report/
      • Strengthening Cyber Resilience As AI Capabilities Advance
        "Cyber capabilities in AI models are advancing rapidly, bringing meaningful benefits for cyberdefense as well as new dual-use risks that must be managed carefully. For example, capabilities assessed through capture-the-flag (CTF) challenges have improved from 27% on GPT‑5 in August 2025 to 76% on GPT‑5.1-Codex-Max in November 2025."
        https://openai.com/index/strengthening-cyber-resilience/
        https://blog.barracuda.com/2025/12/16/openai-ai-model-cybersecurity-warning
      • Zeroday Cloud Hacking Event Awards $320,000 For 11 Zero Days
        "The Zeroday Cloud hacking competition in London has awarded researchers $320,000 for demonstrating critical remote code execution vulnerabilities in components used in cloud infrastructure. The first hacking event focused on cloud systems, the competition is hosted by Wiz Research in partnership with Amazon Web Services, Microsoft, and Google Cloud. The researchers were successful in 85% of the hacking attempts across 13 hacking sessions, demonstrating 11 zero-day vulnerabilities."
        https://www.bleepingcomputer.com/news/security/zeroday-cloud-hacking-event-awards-320-0000-for-11-zero-days/
      • France Arrests Suspect Tied To Cyberattack On Interior Ministry
        "French authorities arrested a 22-year-old suspect on Tuesday for a cyberattack that targeted France's Ministry of the Interior earlier this month. In a statement issued by Public Prosecutor Laure Beccuau, officials said the suspected hacker was arrested on December 17, 2025, as part of an investigation into the attack. "A person was arrested on December 17, 2025, as part of the investigation opened by the cybercrime unit of the Paris public prosecutor's office, on charges including unauthorized access to an automated personal data processing system implemented by the State, committed by an organized group, following the cyberattack against the Ministry of the Interior," reads the statement translated into English."
        https://www.bleepingcomputer.com/news/security/france-arrests-suspect-tied-to-cyberattack-on-interior-ministry/
        https://therecord.media/france-interior-ministry-email-breach-investigation
        https://hackread.com/france-arrests-hacker-interior-ministry-systems/
      • 'I Quit!' - When CISOs Need To Take Charge Of Their Careers
        "A recent LinkedIn post has been circulating in cybersecurity circles, written as a CISO's resignation letter - "effective immediately." It resonates with security leaders who know the pattern - budget requests denied, risks that are documented and escalated, and a breach that follows a known vulnerability. Then the CISO was hit by the inevitable question: "Why didn't you prevent this?""
        https://www.bankinfosecurity.com/blogs/i-quit-when-cisos-need-to-take-charge-their-careers-p-4002
      • In Cybersecurity, Claude Leaves Other LLMs In The Dust
        "New sobering data confirms what many in cybersecurity already know: that while large language models (LLMs) are improving significantly in ways that generate profits for their developers, they're missing the improvements that would keep them safe and secure. In its second Potential Harm Assessment & Risk Evaluation (PHARE) LLM benchmark report, researchers at Giskard tested brand name models from OpenAI, Anthropic, xAI, Meta, Google, and others on their ability to resist jailbreaks, avoid hallucinations and biases, and more. Two things immediately pop out in the data: how little progress is being made across the industry, and how much of it is being carried by Anthropic alone."
        https://www.darkreading.com/cybersecurity-analytics/cybersecurity-claude-llms
      • Why You Should Train Your SOC Like a Triathlete
        "Triathletes learn a simple truth early. Fancy gear cannot overcome a junk food diet. The same holds for security operations. AI has become an integral part of daily security operations center work, but its performance is capped by the quality of the evidence it consumes. Thin or noisy inputs slow investigations, increase fatigue, and create doubt."
        https://www.darkreading.com/cybersecurity-operations/why-you-should-train-your-soc-like-triathlete
      • AI Is Reshaping Modern Cybercrime
        "Fortinet has been working closely with UC Berkeley’s Center for Long-Term Cybersecurity (CLTC), the Berkeley Risk and Security Lab (BRSL), and public- and private-sector partners, including academia, as part of the AI-Enabled Cybercrime Initiative. This effort uses global tabletop exercises (TTXs), research, and policy analysis to understand how AI is shaping cybercrime and how defenders can stay ahead. As part of this coordinated work, CLTC has published an academic analysis of the Singapore TTX, From Automation to Autonomy: The Next Leap in AI-Enabled Cybercrimes, authored by Dr. Gil Baram, Helena Huang, and me."
        https://www.fortinet.com/blog/industry-trends/ai-is-reshaping-modern-cybercrime
        https://cltc.berkeley.edu/publication/from-automation-to-autonomy-the-next-leap-in-ai-enabled-cybercrimes/
      • Why Vulnerability Reports Stall Inside Shared Hosting Companies
        "Security teams keep sending vulnerability notifications, and the same pattern keeps repeating. Many alerts land, few lead to fixes. A new qualitative study digs into what happens after those reports arrive and explains why remediation so often stops short. The research comes from the Center for Information Security Saarbrücken and is based on in depth interviews with 24 hosting provider organizations across shared hosting, VPS services, and web agencies. The researchers focused on how providers receive, process, and act on vulnerability notifications, rather than testing new notification formats or channels."
        https://www.helpnetsecurity.com/2025/12/17/hosting-provider-vulnerability-notifications-remediation/
      • NMFTA Warns Of Surge And Sophistication Of Cyber-Enabled Cargo Theft
        "The National Motor Freight Traffic Association (NMFTA) has issued another warning to the logistics and transportation industry as traditional cargo theft is being rapidly replaced by sophisticated, cyber-enabled heists. CargoNet reported in October that it recorded over 700 cargo thefts in the US and Canada in the third quarter of 2025, with the value of the stolen goods totaling more than $111 million. According to the American Trucking Associations, thieves targeting freight shipments cost the US economy up to $35 billion per year. While in the past thieves would in most cases rob truck drivers at gunpoint or break into trailers, this type of crime has become increasingly sophisticated, mainly driven by criminals’ reliance on hacker tactics."
        https://www.securityweek.com/nmfta-warns-of-surge-and-sophistication-of-cyber-enabled-cargo-theft/
      • Five Cybersecurity Predictions For 2026: Identity, AI, And The Collapse Of Perimeter Thinking
        "Cybersecurity has always evolved in response to attacker innovation, but the pace of change over the last few years has been unprecedented—particularly with the emergence of weaponized AI to scale phishing, deepfakes, and voice cloning. As we head toward 2026, several structural shifts are becoming impossible to ignore. Traditional security assumptions are breaking down, threat actors are scaling faster than defenders, and identity—not infrastructure—has become the primary battleground. Here are five predictions that will shape the cybersecurity landscape in 2026:"
        https://www.securityweek.com/five-cybersecurity-predictions-for-2026-identity-ai-and-the-collapse-of-perimeter-thinking/
      • FBI Disrupts Virtual Money Laundering Service Used To Facilitate Criminal Activity
        "The United States Attorney’s Office for the Eastern District of Michigan announced today a coordinated action with international partners and the Michigan State Police to disrupt and take down the online infrastructure used to operate E-Note, a cryptocurrency exchange that allegedly facilitated money laundering by transnational cyber-criminal organizations, including those targeting U.S. healthcare and critical infrastructure. Since 2017, the FBI identified more than $70,000,000 of illicit proceeds of ransomware attacks and account takeovers transferred via E-Note payment service and money mule network, including laundered funds stolen or extorted from U.S. victims."
        https://www.justice.gov/usao-edmi/pr/fbi-disrupts-virtual-money-laundering-service-used-facilitate-criminal-activity
        https://therecord.media/fbi-takes-down-alleged-money-laundering-operation
      • ESET Threat Report H2 2025
        "The second half of the year underscored just how quickly attackers adapt and innovate, with rapid changes sweeping across the threat landscape. AI-powered malware moved from theory to reality in H2 2025, as ESET discovered PromptLock, the first known AI-driven ransomware, capable of generating malicious scripts on the fly. While AI is still mainly used for crafting convincing phishing and scam content, PromptLock – and the handful of other AI-driven threats identified to this day – signal a new era of threats."
        https://www.welivesecurity.com/en/eset-research/eset-threat-report-h2-2025/

      References
      Electronic Transactions Development Agency (ETDA)

      Posted in Cyber Security News by NCSA_THAICERT
    • Cyber Threat Intelligence 17 December 2025

      Healthcare Sector

      • The Messy Data Trails Of Telehealth Are Becoming a Security Nightmare
        "In this Help Net Security interview, Scott Bachand, CIO/CISO at Ro, discusses how telehealth reshapes the flow of patient data and what that means for security. He explains why organizations must strengthen data classification and visibility as systems and vendors multiply. He also outlines how regulations and new technologies are driving a more adaptive approach to protecting patient information."
        https://www.helpnetsecurity.com/2025/12/16/scott-bachand-ro-telehealth-security/

      Vulnerabilities

      • JUMPSHOT: XM Cyber Uncovers Critical Local Privilege Escalation (CVE-2025-34352) In JumpCloud Agent
        "XM Cyber Researcher Hillel Pinto uncovered CVE-2025-34352, a critical vulnerability in the JumpCloud Remote Assist for Windows agent (versions prior to 0.317.0). The flaw allows any low-privileged local user to exploit insecure file operations—arbitrary file write/delete—performed by the agent running as NT AUTHORITY\SYSTEM within the user’s temporary directory. This vulnerability is immediately exploitable to achieve Local Privilege Escalation (LPE) or cause a Denial of Service (DoS). Users must update immediately to version 0.317.0 or later to patch the issue."
        https://xmcyber.com/blog/jumpshot-xm-cyber-uncovers-critical-local-privilege-escalation-cve-2025-34352-in-jumpcloud-agent/
        https://www.securityweek.com/jumpcloud-remote-assist-vulnerability-can-expose-systems-to-takeover/
        https://www.infosecurity-magazine.com/news/jumpcloud-windows-agent-flaw/
        https://hackread.com/jumpcloud-remote-assist-flaw-full-devices-control/
      • God Mode On: Researchers Run Doom On a Vehicle’s Head Unit After Remotely Attacking Its Modem
        "Imagine you are a driver speeding down the highway in your brand-new electric car. All of a sudden, the entire massive multimedia display is filled with Doom, the iconic 3D shooter game, replacing the navigation map or the controls menu, and you realize someone is playing it right now by remotely controlling the character. This is not a dream or an overactive imagination, but a realistic scenario in today’s world, as vividly demonstrated by Kaspersky ICS CERT experts."
        https://ics-cert.kaspersky.com/publications/reports/2025/11/20/god-mode-on-researchers-run-doom-on-a-vehicles-head-unit-after-remotely-attacking-its-modem/

      Malware

      • Arctic Wolf Observes Malicious SSO Logins On FortiGate Devices Following Disclosure Of CVE-2025-59718 And CVE-2025-59719
        "On December 12, 2025, Arctic Wolf began observing intrusions involving malicious SSO logins on FortiGate appliances. Fortinet had previously released an advisory for two critical authentication bypass vulnerabilities (CVE-2025-59718 and CVE-2025-59719) on December 9, 2025. Arctic Wolf had also sent out a security bulletin for the vulnerabilities shortly thereafter. These vulnerabilities allow unauthenticated bypass of SSO login authentication via crafted SAML messages, if the FortiCloud SSO feature is enabled on affected Devices. Several product lines were reported to be affected, including FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager."
        https://arcticwolf.com/resources/blog/arctic-wolf-observes-malicious-sso-logins-following-disclosure-cve-2025-59718-cve-2025-59719/
        https://www.bleepingcomputer.com/news/security/hackers-exploit-newly-patched-fortinet-auth-bypass-flaws/
        https://thehackernews.com/2025/12/fortinet-fortigate-under-active-attack.html
        https://www.securityweek.com/in-the-wild-exploitation-of-fresh-fortinet-flaws-begins/
        https://securityaffairs.com/185748/security/hackers-are-exploiting-critical-fortinet-flaws-days-after-patch-release.html
      • Inside GhostPoster: How a PNG Icon Infected 50,000 Firefox Users
        "Every extension has a logo. A tiny image sitting in your toolbar, a visual shorthand for trust. You glance at it, you recognize it, you move on. You probably never think about what's actually inside that file. The authors of GhostPoster are counting on that. Our risk engine, Wings, flagged anomalous behavior in a Firefox extension called Free VPN Forever. The extension was reading its own logo file, standard behavior, but then doing something unusual with the raw bytes. When we dug into the code, we found a hidden extraction routine. The extension wasn't just displaying the logo. It was searching through the image data, looking for a marker that shouldn't be there."
        https://www.koi.ai/blog/inside-ghostposter-how-a-png-icon-infected-50-000-firefox-browser-users
        https://www.bleepingcomputer.com/news/security/ghostposter-attacks-hide-malicious-javascript-in-firefox-addon-logos/
      • Meet Cellik - A New Android RAT With Play Store Integration
        "Cellik is a newly identified Android RAT that offers full device control and real-time surveillance, with Play Store integration that lets attackers bundle it into legitimate apps. Discovered via cybercrime networks, Cellik comes packed with capabilities previously seen only in advanced spyware: real-time screen streaming, keylogging, remote camera/microphone access, hidden web browsing, notification interception, and even an app-injection system for stealing data from other apps. Uniquely, Cellik integrates with Google Play Store apps and includes a one-click APK builder, allowing attackers to wrap its payload inside legitimate apps for stealthy, widespread deployment."
        https://iverify.io/blog/meet-cellik---a-new-android-rat-with-play-store-integration
        https://www.bleepingcomputer.com/news/security/cellik-android-malware-builds-malicious-versions-from-google-play-apps/
      • Ink Dragon Expands With New Tools And a Growing Victim Network
        "Ink Dragon is a long running espionage group that several security vendors allege to be a China-linked threat actor, based on behavioral and infrastructure indicators. Its activity has grown from operations in Southeast Asia and South America to a rising number of intrusions in European government networks. Check Point Research has tracked this expansion through a series of quiet but disciplined campaigns, many of which initially appeared unremarkable until deeper investigation exposed a consistent pattern of stealthy escalation."
        https://blog.checkpoint.com/research/ink-dragon-expands-with-new-tools-and-a-growing-victim-network/
        https://www.theregister.com/2025/12/16/chinas_ink_dragon_hides_out/
      • BlindEagle Targets Colombian Government Agency With Caminho And DCRAT
        "In early September 2025, Zscaler ThreatLabz discovered a new spear phishing campaign attributed to BlindEagle, a threat actor who operates in South America and targets users in Spanish-speaking countries, such as Colombia. In this campaign, BlindEagle targeted a government agency under the control of the Ministry of Commerce, Industry and Tourism (MCIT) in Colombia using a phishing email sent from what appears to be a compromised account within the same organization. In this blog post, ThreatLabz explores the attack chain and analyzes the techniques employed, including the use of a fake web portal, nested JavaScript and PowerShell scripts, steganography to conceal malicious payloads, Caminho as a downloader, and DCRAT as the final payload."
        https://www.zscaler.com/blogs/security-research/blindeagle-targets-colombian-government-agency-caminho-and-dcrat
      • GuardDuty Extended Threat Detection Uncovers Cryptomining Campaign On Amazon EC2 And Amazon ECS
        "Amazon GuardDuty and our automated security monitoring systems identified an ongoing cryptocurrency (crypto) mining campaign beginning on November 2, 2025. The operation uses compromised AWS Identity and Access Management (IAM) credentials to target Amazon Elastic Container Service (Amazon ECS) and Amazon Elastic Compute Cloud (Amazon EC2). GuardDuty Extended Threat Detection was able to correlate signals across these data sources to raise a critical severity attack sequence finding. Using the massive, advanced threat intelligence capability and existing detection mechanisms of Amazon Web Services (AWS), GuardDuty proactively identified this ongoing campaign and quickly alerted customers to the threat. AWS is sharing relevant findings and mitigation guidance to help customers take appropriate action on this ongoing campaign."
        https://aws.amazon.com/blogs/security/cryptomining-campaign-targeting-amazon-ec2-and-amazon-ecs/
        https://thehackernews.com/2025/12/compromised-iam-credentials-power-large.html
      • Malicious NuGet Package Typosquats Popular .NET Tracing Library To Steal Wallet Passwords
        "The Socket Threat Research Team uncovered a malicious NuGet package, Tracer.Fody.NLog, that typosquats and impersonates the legitimate Tracer.Fody library and its maintainer. It presents itself as a standard .NET tracing integration but in reality functions as a cryptocurrency wallet stealer. Inside the malicious package, the embedded Tracer.Fody.dll scans the default Stratis wallet directory, reads *.wallet.json files, extracts wallet data, and exfiltrates it together with the wallet password to threat actor-controlled infrastructure in Russia at 176[.]113[.]82[.]163."
        https://socket.dev/blog/malicious-nuget-package-typosquats-popular-net-tracing-library
        https://thehackernews.com/2025/12/rogue-nuget-package-poses-as-tracerfody.html
      • React2Shell Vulnerability Actively Exploited To Deploy Linux Backdoors
        "The security vulnerability known as React2Shell is being exploited by threat actors to deliver malware families like KSwapDoor and ZnDoor, according to findings from Palo Alto Networks Unit 42 and NTT Security. "KSwapDoor is a professionally engineered remote access tool designed with stealth in mind," Justin Moore, senior manager of threat intel research at Palo Alto Networks Unit 42, said in a statement."
        https://thehackernews.com/2025/12/react2shell-vulnerability-actively.html
        https://unit42.paloaltonetworks.com/cve-2025-55182-react-and-cve-2025-66478-next/
        https://jp.security.ntt/insights_resources/tech_blog/react2shell_malware_zndoor/

      Breaches/Hacks/Leaks

      • Cyberattack Disrupts Venezuelan Oil Giant PDVSA's Operations
        "Petróleos de Venezuela (PDVSA), Venezuela's state-owned oil company, was hit by a cyberattack over the weekend that disrupted its export operations. In a Monday statement, PDVSA denied that the Saturday morning incident affected its operations in any way, adding that the breach was limited to some administrative systems. "Thanks to the expertise of PDVSA's human talent, the operational areas were not affected in any way, with the attack being limited to its administrative system," the company said."
        https://www.bleepingcomputer.com/news/security/cyberattack-disrupts-venezuelan-oil-giant-pdvsas-operations/
        https://therecord.media/venezuela-state-oil-company-blames-cyberattack-on-us
        https://www.darkreading.com/cyber-risk/venezuela-oil-company-downplays-alleged-us-cyberattack
        https://securityaffairs.com/185755/security/a-cyber-attack-hit-petroleos-de-venezuela-pdvsa-disrupting-export-operations.html

      General News

      • AI Might Be The Answer For Better Phishing Resilience
        "Phishing is still a go-to tactic for attackers, which is why even small gains in user training are worth noticing. A recent research project from the University of Bari looked at whether LLMs can produce training that helps people spot suspicious emails with better accuracy. The research team ran two controlled studies with a total of 480 participants. Both studies used content generated by an LLM to deliver phishing awareness lessons."
        https://www.helpnetsecurity.com/2025/12/16/ai-generated-phishing-training-study/
        https://arxiv.org/pdf/2512.01893
      • Passwordless Is Finally Happening, And Users Barely Notice
        "Security teams know the strain that comes from tightening authentication controls while keeping users productive. A new report from Okta suggests this strain is easing. Stronger authentication methods are gaining traction, and many of them let users move through sign in flows with less effort than before. The report indicates that the long held belief that better security slows people down is becoming less relevant as these methods improve both protection and usability."
        https://www.helpnetsecurity.com/2025/12/16/okta-mfa-security-shift-report/
      • Fraudulent Call Centres In Ukraine Rolled Up
        "Authorities from the Czech Republic, Latvia, Lithuania and Ukraine with the support of Eurojust took action against a criminal network operating call centres in Dnipro, Ivano-Frankivsk and Kyiv, Ukraine that scammed victims across Europe. The criminal group established a professional organisation with employees who received a percentage of the proceeds for each completed scam. The estimated damage to more than 400 known victims is over EUR 10 million. The fraudsters used various scams, such as posing as police officers to withdraw money using their victims’ cards and details, or pretending that their victims’ bank accounts had been hacked."
        https://www.eurojust.europa.eu/news/fraudulent-call-centres-ukraine-rolled
        https://www.bleepingcomputer.com/news/security/european-authorities-dismantle-call-center-fraud-ring-in-ukraine/
        https://www.helpnetsecurity.com/2025/12/16/ukraine-scam-call-centers/
      • Common Holiday Phishing Threats And How To Recognize Them
        "The holiday season brings a flurry of online shopping, travel plans, and end-of-year workplace activity. With that, it also brings a surge of phishing scams that try to take advantage of all that hustle and distraction. With inboxes filling up faster than gift lists, it becomes easier for a convincing message to slip through. The United States FBI notes that holiday scams often involve criminals posing as trusted companies or contacts in order to steal personal information, credentials, or money. This includes emails or messages that encourage victims to click links, provide sensitive data, or download malware."
        https://cofense.com/blog/common-holiday-phishing-threats-and-how-to-recognize-them
      • Enterprises Gear Up For 2026’s IT Transformation
        "An IT infrastructure refresh is set for 2026, and while strategies will mainly focus on artificial intelligence (AI), the cloud will also play a pivotal role. First there was COVID, which forced enterprises to adopt more hybrid approaches to the workday. More recently, the industry experienced a shift that put AI front and center. Both of those factors – which ignited the need for better data, access, and security controls - will influence how organizations think about their infrastructure for the coming year."
        https://www.darkreading.com/cybersecurity-operations/enterprises-gear-up-for-2026-s-it-transformation
      • Link11 Identifies Five Cybersecurity Trends Set To Shape European Defense Strategies In 2026
        "Link11, a European provider of web infrastructure security solutions, has released new insights outlining five key cybersecurity developments expected to influence how organizations across Europe prepare for and respond to threats in 2026. The findings are based on analysis of current threat activity, industry research, and insights from the Link11 European Cyber Report, alongside broader market indicators such as PwC’s Global Digital Trust Insights 2026."
        https://hackread.com/link11-identifies-five-cybersecurity-trends-set-to-shape-european-defense-strategies-in-2026/
      • Android Mobile Adware Surges In Second Half Of 2025
        "Android users spent 2025 walking a tighter rope than ever, with malware, data‑stealing apps, and SMS‑borne scams all climbing sharply while attackers refined their business models around mobile data and access. Looking back, we may view 2025 as the year when one-off scams were replaced on the score charts by coordinated, well-structured, attack frameworks. Comparing two equal six‑month periods—December 2024 through May 2025 versus June through November 2025—our data shows Android adware detections nearly doubled (90% increase), while PUP detections increased by roughly two‑thirds and malware detections by about 20%."
        https://www.malwarebytes.com/blog/mobile/2025/12/android-threats-in-2025-when-your-phone-becomes-the-main-attack-surface
      • Where Cloud Security Stands Today And Where AI Breaks It
        "Every year, the cloud is becoming more distributed, automated and tightly wired into the business. Every day, adversaries compress the timeline between compromise and data exfiltration. What once took them 44 days now takes minutes. For the fifth year in a row, Palo Alto Networks State of Cloud Security Report 2025 captures the changes both big and small that security leaders are navigating in the market today. Our report reveals that the rapid adoption of enterprise AI is fueling an unprecedented surge in cloud security risks, driving a massive expansion of the attack surface. We found that 99% of organizations experienced at least one attack on their AI systems within the past year, and the acceleration of GenAI-assisted coding is outstripping security teams' capacity to keep pace. What’s missing isn't just visibility, it’s alignment."
        https://www.paloaltonetworks.com/blog/2025/12/cloud-security-2025-report-insights/
      • From Open Source To OpenAI: The Evolution Of Third-Party Risk
        "The Silicon Valley mantra to “move fast and break things” prioritizes growth over anything else. Unfortunately, this velocity extends to efficiently introducing vulnerabilities into the software supply chain. From open source software libraries to AI-enabled coding assistants, these tools enable rapid innovations, but they are also enabling attack vectors that threat actors are looking to exploit. Third-party risks have always been an issue, but they have not always been top of mind. For the past decade, ransomware dominated the headlines and mindshare of cybersecurity leaders."
        https://www.securityweek.com/from-open-source-to-openai-the-evolution-of-third-party-risk/
      • CISO Communities – Cybersecurity’s Secret Weapon
        "The only defense better than the expertise of one CISO is the combined expertise of many CISOs. In recent years, closed CISO communities have increased in number and grown in size. They act as an information exchange, advice center, pressure valve, and safe haven from the critical oversight. The need is obvious. CISOs occupy a unique position in business. Despite greater integration with business operations, they remain the only business leaders trying to counter active and adaptive threats; and yet they remain a role that is little understood by the rest of the business. The only other leaders capable of discussing their needs, grouses, pressures and adversaries are other CISOs (although 1001 product vendors claim they understand and offer expensive solutions)."
        https://www.securityweek.com/ciso-communities-cybersecuritys-secret-weapon/
      • CAL, MITRE v18 & MITRE ATLAS: The Map I Wish I Had In The SOC
        "I remember a Thursday night at a previous SOC position in FinTech. The alert queue spiked during a credential stuffing incident, and our team had to scramble to keep up with the influx of alerts. We had a SIEM, a SOAR, and a handful of open-source IOCs we continuously retrieved via Google and other search engines. Each analyst grabbed a ticket and went hunting alone, starting their own process from scratch. We could isolate hosts, block domains, and re-image servers, but it was difficult to see the whole picture as we sorted through mountains of data and noise. Speed was the metric that mattered. I knew we were missing critical patterns, but I couldn’t see them or communicate what I thought we might be missing. We were moving fast, but we were still relatively blind."
        https://threatconnect.com/blog/cal-mitre-v18-mitre-atlas-the-map-i-wish-i-had-in-the-soc/
      • Cyber Risk Management: Defenders Tell It Like It Is
        "Every year, members of the Trend team pack their bags, blow up their neck pillows, and jet off to share cybersecurity insights with customers and industry leaders across the globe as part of our Trend World Tour. In 2024, we decided to make the event more of a two-way conversation by surveying cybersecurity professionals on the challenges they face and what matters to them. The result was our first-ever Trend Micro Defenders Survey Report, a data-driven account of frontline perspectives on key issues and emerging opportunities for cybersecurity professionals. It was so well received, we repeated the exercise in 2025, tripling the scope with more than 3,000 responses from 88 countries."
        https://www.trendmicro.com/en_us/research/25/l/trend-micros-2025-defenders-survey-report.html

      Reference
      Electronic Transactions Development Agency (ETDA)

      Posted in Cyber Security News
      NCSA_THAICERT
    • 🚨 Urgent! Alert: Adobe has released security updates to fix critical vulnerabilities in Adobe ColdFusion and Adobe Experience Manager

      ThaiCERT has been closely monitoring the cyber threat situation and has found that Adobe has released security updates to fix several critical vulnerabilities affecting products that are widely used in government agencies, the private sector and large organisations. Systems that continue to run an affected version without remediation may give attackers an avenue to compromise the system and take control of the server remotely.

      🔴 Key vulnerability details

      Adobe ColdFusion
      • CVE-2025-61809 (CVSS 9.8)
      An Improper Input Validation vulnerability. An attacker can send specially crafted (malicious) input to bypass security controls and read or write data within the system, which may lead to Remote Code Execution (RCE).
      • CVE-2025-61808 (CVSS 9.1)
      A vulnerability in the file upload process. An attacker with high privileges can use it to upload a malicious file, leading to unauthorised code execution.
      Adobe Experience Manager (AEM)
      • CVE-2025-64537 and CVE-2025-64539 (CVSS 9.3)
      DOM-based Cross-Site Scripting (XSS) vulnerabilities. If successfully exploited, an attacker can inject malicious scripts into the web application and trick users into executing them, resulting in theft of user data or further attacks.

      🎯 Affected products and versions
      Adobe ColdFusion
      • ColdFusion 2021 – Update 22 and earlier
      • ColdFusion 2023 – Update 16 and earlier
      • ColdFusion 2025 – Update 4 and earlier
      Adobe Experience Manager (AEM)
      • AEM Cloud Service (CS)
      • AEM 6.5 LTS
      • AEM 6.5.23 and earlier

      🔎 Detection and mitigation guidance

      1. Administrators should check the versions of Adobe ColdFusion and Adobe Experience Manager (AEM) currently in use to determine whether their systems fall within the affected ranges, giving priority to systems exposed to the internet.
      2. Update to the latest version as recommended by Adobe as soon as possible; this is the most effective remediation and permanently removes the risk from these vulnerabilities.

      If you cannot update immediately, take the following steps:

      1. Use a Web Application Firewall to detect and block requests with anomalous behaviour, in particular requests involving suspicious file uploads, Remote Code Execution and Cross-Site Scripting.
      2. Review the logs of the web server and application server, including ColdFusion and AEM, for behaviour that may indicate an attack or unauthorised access attempts.
      3. Consider disabling or restricting functions not required for service, such as file upload functions or unused modules and plugins, and review and reduce user account privileges in line with the principle of Least Privilege.
      4. Administrators should back up systems and critical data regularly and prepare an incident response plan so they can act quickly if an attack or anomaly is detected.

      📌 For general users
      Users of internal organisational systems should avoid clicking links or opening files from unknown sources, and should notify the administrator immediately if they notice unusual system behaviour, such as the system slowing down or unfamiliar warning messages.
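      As an added example for step 1 (not ThaiCERT's or Adobe's tooling), the following Python script checks a host inventory against the affected ranges listed above and orders affected, internet-facing hosts first. It assumes ColdFusion reports its version as "year,0,update,build" (or the form "ColdFusion 2023 Update 16") and AEM 6.5 as "6.5.<service pack>.<patch>"; the host names and build numbers in the sample inventory are constructed.

```python
"""Inventory check against the affected ranges in the advisory above.

Constructed example: not ThaiCERT's or Adobe's tooling. The version string
formats handled below are assumptions, not taken from the advisory.
"""
import re
from typing import Optional

# From the advisory: "Update N and earlier" of each release is affected.
CF_LAST_AFFECTED_UPDATE = {2021: 22, 2023: 16, 2025: 4}
# From the advisory: AEM 6.5.23 and earlier service packs are affected.
AEM65_LAST_AFFECTED_SP = 23

# Assumed formats: ColdFusion "2023,0,16,330286" (year, 0, update, build),
# the dotted equivalent, or "ColdFusion 2023 Update 16"; AEM "6.5.23.0".
_CF_NUMERIC = re.compile(r"^(20\d\d)[,.]0[,.](\d+)(?:[,.]\d+)?$")
_CF_HUMAN = re.compile(r"^(?:ColdFusion\s+)?(20\d\d)\s+Update\s+(\d+)$", re.I)
_AEM65 = re.compile(r"^(?:AEM\s+)?6\.5(?:\.(\d+))?(?:\.\d+)*$", re.I)


def parse_coldfusion_version(version: str) -> tuple[int, int]:
    """Return (release_year, update_number); raise ValueError if unparseable."""
    v = version.strip()
    m = _CF_NUMERIC.match(v) or _CF_HUMAN.match(v)
    if not m:
        raise ValueError(f"unrecognised ColdFusion version: {version!r}")
    return int(m.group(1)), int(m.group(2))


def coldfusion_affected(version: str) -> Optional[bool]:
    """True if inside an affected range, False if past the last affected
    update, None for releases the advisory does not list (e.g. end-of-life
    releases, which need separate handling rather than being marked safe)."""
    year, update = parse_coldfusion_version(version)
    last = CF_LAST_AFFECTED_UPDATE.get(year)
    if last is None:
        return None
    return update <= last


def aem_affected(version: str) -> Optional[bool]:
    """AEM 6.5.N on-premise: affected if N <= 23; a bare '6.5' (no service
    pack) counts as affected. Anything else (e.g. Cloud Service) -> None,
    since the advisory gives no version range for it."""
    m = _AEM65.match(version.strip())
    if not m:
        return None
    service_pack = int(m.group(1)) if m.group(1) else 0
    return service_pack <= AEM65_LAST_AFFECTED_SP


def assess(inventory: list[dict]) -> list[dict]:
    """Annotate each host with its status and order the list so affected,
    internet-facing hosts come first, as the advisory asks for prioritising
    exposed systems. Unknown status sorts before 'not affected'."""
    checkers = {"coldfusion": coldfusion_affected, "aem": aem_affected}
    rows = []
    for item in inventory:
        check = checkers.get(item["product"].lower())
        try:
            status = check(item["version"]) if check else None
        except ValueError:
            status = None
        rows.append({**item, "affected": status})
    rank = {True: 0, None: 1, False: 2}
    rows.sort(key=lambda r: (rank[r["affected"]], not r["internet_facing"]))
    return rows


# Constructed inventory: host names and build numbers are made up.
SAMPLE_INVENTORY = [
    {"host": "cf-prod-01", "product": "ColdFusion",
     "version": "2023,0,16,330286", "internet_facing": True},
    {"host": "cf-prod-02", "product": "ColdFusion",
     "version": "2025,0,5,331234", "internet_facing": True},
    {"host": "cf-dev-01", "product": "ColdFusion",
     "version": "ColdFusion 2021 Update 20", "internet_facing": False},
    {"host": "aem-author", "product": "AEM",
     "version": "6.5.23.0", "internet_facing": False},
    {"host": "aem-publish", "product": "AEM",
     "version": "6.5.24.0", "internet_facing": True},
]

if __name__ == "__main__":
    for r in assess(SAMPLE_INVENTORY):
        flag = {True: "AFFECTED", False: "ok", None: "unknown"}[r["affected"]]
        print(f"{r['host']:<12} {r['product']:<11} {r['version']:<28} "
              f"{'internet' if r['internet_facing'] else 'internal':<8} {flag}")
```

      A release the advisory does not list (such as an end-of-life ColdFusion version) is reported as unknown rather than safe, so it is not silently dropped from the remediation list.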

      🔗 Sources:
      1. https://csa.gov.sg/alerts-and-advisories/alerts/al-2025-119/
      2. https://nvd.nist.gov/vuln/detail/CVE-2025-61808
      3. https://nvd.nist.gov/vuln/detail/CVE-2025-61809
      4. https://nvd.nist.gov/vuln/detail/CVE-2025-64537
      5. https://nvd.nist.gov/vuln/detail/CVE-2025-64539


      With best regards,
      National Cyber Security Agency (NCSA) / ThaiCERT

      #AdobePatch
      #ColdFusion
      #AEM
      #CVE2025
      #CyberSecurity
      #ThaiCERT
      #ช่องโหว่Adobe

      Posted in Cyber Security News
      NCSA_THAICERT
    • Apple releases emergency updates fixing two WebKit zero-day vulnerabilities already exploited in the wild

      Follow the news on the webboard or on Facebook NCSA Thailand

      Posted in Cyber Security News
      NCSA_THAICERT
    • CERT-FR advises iPhone and Android users to turn off Wi-Fi whenever it is not in use to reduce security risks

      Follow the news on the webboard or on Facebook NCSA Thailand

      Posted in Cyber Security News
      NCSA_THAICERT