New Tooling
- AuraInspector: Auditing Salesforce Aura For Data Exposure
"Mandiant is releasing AuraInspector, a new open-source tool designed to help defenders identify and audit access control misconfigurations within the Salesforce Aura framework. Salesforce Experience Cloud is a foundational platform for many businesses, but Mandiant Offensive Security Services (OSS) frequently identifies misconfigurations that allow unauthorized users to access sensitive data including credit card numbers, identity documents, and health information. These access control gaps often go unnoticed until it is too late."
https://cloud.google.com/blog/topics/threat-intelligence/auditing-salesforce-aura-data-exposure
https://github.com/google/aura-inspector
https://www.theregister.com/2026/01/13/mandiant_salesforce_tool/
https://www.helpnetsecurity.com/2026/01/13/aurainspector-open-source-tool-salesforce-aura/
Vulnerabilities
- Adobe Patches Critical Apache Tika Bug In ColdFusion
"Adobe has released security updates for 11 products on January 2026 Patch Tuesday, addressing a total of 25 vulnerabilities, including a critical code execution flaw. The critical-severity issue, tracked as CVE-2025-66516 (CVSS score of 10/10), is an XML External Entity (XXE) injection bug in Apache Tika modules that could be exploited via XFA files placed inside PDF documents. The security defect was patched in early December, when Apache warned that successful exploitation could lead to information leaks, SSRF attacks, denial-of-service (DoS), or remote code execution (RCE)."
https://www.securityweek.com/adobe-patches-critical-apache-tika-bug-in-coldfusion/ - SAP’s January 2026 Security Updates Patch Critical Vulnerabilities
"Enterprise software maker SAP on Tuesday announced the release of 17 new security notes as part of its January 2026 Security Patch Day. Four of the notes address critical-severity vulnerabilities. The first note in SAP’s January 2026 advisory resolves CVE-2026-0501 (CVSS score of 9.9), a critical SQL injection bug in S/4HANA. The issue impacts a Remote Function Call-enabled module relying on the ABAP Database Connectivity (ADBC) framework for the execution of a native SQL statement, explains Onapsis, which discovered and reported the bug."
https://www.securityweek.com/saps-january-2026-security-updates-patch-critical-vulnerabilities/ - Microsoft January 2026 Patch Tuesday Fixes 3 Zero-Days, 114 Flaws
"Today is Microsoft's January 2026 Patch Tuesday with security updates for 114 flaws, including one actively exploited and two publicly disclosed zero-day vulnerabilities. This Patch Tuesday also addresses eight "Critical" vulnerabilities, 6 of which are remote code execution flaws and 2 are elevation-of-privilege flaws."
https://www.bleepingcomputer.com/news/microsoft/microsoft-january-2026-patch-tuesday-fixes-3-zero-days-114-flaws/
https://www.darkreading.com/application-security/microsofts-starts-2026-bang-zero-day
https://blog.talosintelligence.com/microsoft-patch-tuesday-january-2026/
https://cyberscoop.com/microsoft-patch-tuesday-january-2026/
https://www.securityweek.com/microsoft-patches-exploited-windows-zero-day-111-other-vulnerabilities/
https://www.theregister.com/2026/01/14/patch_tuesday_january_2026/ - 'Most Severe AI Vulnerability To Date' Hits ServiceNow
"Authentication issues in ServiceNow potentially opened the door for arbitrary attackers to gain full control over the entire platform and access to the various systems connected to it. ServiceNow is a Fortune 500 company that, according to its promotional materials, acts as an IT services management platform for 85% of the companies that comprise the rest of the Fortune 500. That alone makes it a critical supply chain risk to the US business sector. Beyond that, ServiceNow is deeply integrated into its customers' broader IT infrastructure, more so than most vendors: ServiceNow's tentacles spread through HR, customer service, security, and the various other systems that keep a company running. To an attacker, it's both an ideal launchpad for lateral movement and a treasure trove of sensitive operational and customer data in its own right."
https://www.darkreading.com/remote-workforce/ai-vulnerability-servicenow
https://thehackernews.com/2026/01/servicenow-patches-critical-ai-platform.html
https://cyberscoop.com/servicenow-fixes-critical-ai-vulnerability-cve-2025-12420/ - CyRC Advisory: Vulnerability In Broadcom Chipset Causes Network Disruption And Client Disconnection On Wireless Routers
"The Black Duck Cybersecurity Research Center (CyRC) discovered an issue while testing the interoperability of the Defensics
Fuzzing with 802.11 protocol test suites against ASUS routers. During testing, the CyRC team found Defensics anomaly test cases that caused the network to stop working until the router was manually reset. This vulnerability allows an attacker to make the access point unresponsive to all clients and terminate any ongoing client connections. If data transmission to subsequent systems is ongoing, the data may become corrupted or, at minimum, the transmission will be interrupted."
https://www.blackduck.com/blog/cyrc-discovers-asus-tplink-wlan-vulnerabilities.html
https://www.securityweek.com/broadcom-wi-fi-chipset-flaw-allows-hackers-to-disrupt-networks/
https://www.bankinfosecurity.com/one-simple-trick-to-knock-out-wi-fi-network-a-30502 - Remote Code Execution With Modern AI/ML Formats And Libraries
"We identified vulnerabilities in three open-source artificial intelligence/machine learning (AI/ML) Python libraries published by Apple, Salesforce and NVIDIA on their GitHub repositories. Vulnerable versions of these libraries allow for remote code execution (RCE) when a model file with malicious metadata is loaded."
https://unit42.paloaltonetworks.com/rce-vulnerabilities-in-ai-python-libraries/
https://www.theregister.com/2026/01/13/ai_python_library_bugs_allow/
Malware
- Ukraine's Army Targeted In New Charity-Themed Malware Campaign
"Officials of Ukraine's Defense Forces were targeted in a charity-themed campaign between October and December 2025 that delivered backdoor malware called PluggyApe. Ukraine's CERT says in a report that the attacks were likely launched by the Russian threat group known as 'Void Blizzard' and 'Laundry Bear', although there is medium confidence in attribution. Laundry Bear is the same threat group responsible for breaching the Dutch police's internal systems in 2024 and stealing sensitive information about officers."
https://www.bleepingcomputer.com/news/security/ukraines-army-targeted-in-new-charity-themed-malware-campaign/
https://therecord.media/kremlin-linked-hackers-pose-as-charities-spy-ukraine - Unveiling VoidLink – A Stealthy, Cloud-Native Linux Malware Framework
"In December 2025, Check Point Research identified a small cluster of previously unseen Linux malware samples that appear to originate from a Chinese-affiliated development environment. Many of the binaries included debug symbols and other development artifacts, suggesting we were looking at in-progress builds rather than a finished, widely deployed tool. The speed and variety of changes across the samples indicate a framework that is being iterated upon quickly to achieve broader, real-world use."
https://research.checkpoint.com/2026/voidlink-the-cloud-native-malware-framework/
https://thehackernews.com/2026/01/new-advanced-linux-voidlink-malware.html
https://www.bleepingcomputer.com/news/security/new-voidlink-malware-framework-targets-linux-cloud-servers/
https://www.infosecurity-magazine.com/news/chinese-malware-framework-linux/ - Convincing LinkedIn Comment-Reply Tactic Used In New Phishing
"Scammers are flooding LinkedIn posts this week with fake "reply" comments that appear to come from the platform itself, warning users of bogus policy violations and urging them to visit an external link. The messages convincingly impersonate LinkedIn branding and in some cases even use the company’s official lnkd.in URL shortener, making the phishing links harder to distinguish from legitimate ones."
https://www.bleepingcomputer.com/news/security/convincing-linkedin-comment-reply-tactic-used-in-new-phishing/ - Silent Push Uncovers New Magecart Network: Disrupting Online Shoppers Worldwide
"While investigating intelligence shared with us, a set of indicators that were also found on our Bulletproof Host Indicators Of Future Attack
(IOFA) feeds, our team discovered a vast network of domains related to a long-term and ongoing credit card skimming campaign. Current findings suggest this campaign has been active for several years, dating back to the beginning of 2022. This campaign utilizes scripts targeting at least six major payment network providers: American Express, Diners Club, Discover (a subsidiary of Capital One), JCB Co., Ltd., Mastercard, and UnionPay. Enterprise organizations that are clients of these payment providers are the most likely to be impacted."
https://www.silentpush.com/blog/magecart/
https://thehackernews.com/2026/01/long-running-web-skimming-campaign.html
https://www.bankinfosecurity.com/magecart-hits-continue-stripe-spoofing-supply-chain-risks-a-30507
https://hackread.com/magecart-targets-all-credit-cards-users/
https://www.infosecurity-magazine.com/news/global-magecart-campaign-six-card/ - DeVixor: An Evolving Android Banking RAT With Ransomware Capabilities Targeting Iran
"deVixor is an actively developed Android banking malware campaign operating at scale, targeting Iranian users through phishing websites that masquerade as legitimate automotive businesses. Distributed as malicious APK files, deVixor has evolved from a basic SMS-harvesting threat into a fully featured Remote Access Trojan (RAT) that combines banking fraud, credential theft, ransomware, and persistent device surveillance within a single platform."
https://cyble.com/blog/devixor-an-evolving-android-banking-rat-with-ransomware-capabilities-targeting-iran/ - SHADOW#REACTOR – Text-Only Staging, .NET Reactor, And In-Memory Remcos RAT Deployment
"The Securonix Threat Research team has analyzed a multi-stage Windows malware campaign tracked as SHADOW#REACTOR. The infection chain follows a tightly orchestrated execution path: an obfuscated VBS launcher executed via wscript.exe invokes a PowerShell downloader, which retrieves fragmented, text-based payloads from a remote host. These fragments are reconstructed into encoded loaders, decoded in memory by a .NET Reactor–protected assembly, and used to fetch and apply a remote Remcos configuration. The final stage leverages MSBuild.exe as a living-off-the-land binary (LOLBin) to complete execution, after which the Remcos RAT backdoor is fully deployed and takes control of the compromised system."
https://www.securonix.com/blog/shadowreactor-text-only-staging-net-reactor-and-in-memory-remcos-rat-deployment/
https://thehackernews.com/2026/01/new-malware-campaign-delivers-remcos.html
https://www.darkreading.com/endpoint-security/shadow-reactor-uses-text-files-to-deliver-remcos-rat
https://www.infosecurity-magazine.com/news/shadowreactor-text-staging-remcos/ - Malicious Chrome Extension Steals MEXC API Keys By Masquerading As Trading Tool
"Cybersecurity researchers have disclosed details of a malicious Google Chrome extension that's capable of stealing API keys associated with MEXC, a centralized cryptocurrency exchange (CEX) available in over 170 countries, while masquerading as a tool to automate trading on the platform. The extension, named MEXC API Automator (ID: pppdfgkfdemgfknfnhpkibbkabhghhfh), has 29 downloads and is still available on the Chrome Web Store as of writing. It was first published on September 1, 2025, by a developer named "jorjortan142.""
https://thehackernews.com/2026/01/malicious-chrome-extension-steals-mexc.html - Key Insights On SHADOW-AETHER-015 And Earth Preta From The 2025 MITRE ATT&CK Evaluation With Trend Vision One
"This blog examines notable modern techniques, tactics, and procedures (TTPs) that Trend Research has observed in the two emulations during the MITRE ATT&CK Evaluation Round 7 (ER7 2025) that featured Earth Preta (also known as Mustang Panda), and SHADOW-AETHER-015 (Trend Research’s intrusion name for a particular group of activities with modern TTPs characterized by AI-generated attacks, sophisticated phishing attacks, and/or social engineering). These observed, analyzed, and reported TTPs support the performance of Trend Vision One in ER7, reinforcing the position of TrendAI as a trusted leader in detection and response innovation."
https://www.trendmicro.com/en_us/research/26/a/shadow-aether-015-earth-preta-mitre.html - Stealthy Malware Masking Its Activity, Deploying Infostealer
"Our experts have detected a new wave of malicious emails targeting Russian private-sector organizations. The goal of the attack is to infect victims’ computers with an infostealer. This campaign is particularly noteworthy because the attackers tried to disguise their activity as the operations of legitimate software and traffic to the ubiquitously-used state and municipal services website."
https://www.kaspersky.com/blog/malicious-mailing-masking-activity/55104/
Breaches/Hacks/Leaks
- Belgian Hospital AZ Monica Shuts Down Servers After Cyberattack
"Belgian hospital AZ Monica was forced to shut down all servers, cancel scheduled procedures, and transfer critical patients earlier today due to a cyberattack. The hospital, which operates campuses in Antwerp and Deurne, disconnected all servers at 6:32 AM after its systems were hit. The cyberattack also forced the hospital to suspend all scheduled procedures on Tuesday, as the emergency department continues to operate at reduced capacity, even though emergency medical services and intensive care transport units remain offline."
https://www.bleepingcomputer.com/news/security/belgian-hospital-az-monica-shuts-down-servers-after-cyberattack/
https://securityaffairs.com/186882/cyber-crime/az-monica-hospital-in-belgium-shuts-down-servers-after-cyberattack.html - Central Maine Healthcare Breach Exposed Data Of Over 145,000 People
"A data breach last year at Central Maine Healthcare (CMH) exposed sensitive information of more than 145,000 individuals. The hackers persisted on the organization's systems for more than two months last year, between March 19 and June 1, when CMH discovered the intrusion. The CMH integrated healthcare delivery system serves at least 400,000 people and manages hospitals like Central Maine Medical Center (CMMC), Bridgton Hospital, and Rumford Hospital."
https://www.bleepingcomputer.com/news/security/central-maine-healthcare-breach-exposed-data-of-over-145-000-people/ - Betterment Confirms Data Breach After Wave Of Crypto Scam Emails
"U.S. digital investment advisor Betterment confirmed that hackers breached its systems and sent fake crypto-related messages to some customers. The threat actor last week delivered fraudulent emails from Betterment infrastructure, luring recipients into a reward scam disguised as a company promotion that claimed to triple the amount of cryptocurrency sent to a specific address."
https://www.bleepingcomputer.com/news/security/betterment-confirms-data-breach-after-wave-of-crypto-scam-emails/ - After Goldman, JPMorgan Discloses Law Firm Data Breach
"JPMorgan Chase is informing some investors about a data breach stemming from a recent cybersecurity incident at an outside law firm. The same incident triggered a similar data breach notice from Goldman Sachs in December 2025. The Maine Attorney General’s Office requires companies that have suffered a data breach impacting the state’s residents to submit a report and a copy of the notification letter sent to affected individuals."
https://www.securityweek.com/after-goldman-jpmorgan-discloses-law-firm-data-breach/ - Suspected Ransomware Attack Threatens One Of South Korea’s Largest Companies
"Kyowon Group, one of South Korea’s largest education and lifestyle companies, announced shutting down key parts of its internal computer network this weekend following what it described as a suspected ransomware attack. In a company statement, Kyowon said it identified abnormal activity on Saturday morning, triggering an emergency response plan to isolate the affected servers and prevent hackers compromising more of its systems."
https://therecord.media/kyowon-group-south-korea-suspected-ransomware-attack
General News
- AI Supply Chain Risk: Will CIOs Be Held Accountable?
"When reports of Korean Air losing sensitive data on tens of thousands of employees surfaced, the incident was initially seen as a routine data breach. But reports soon indicated the exposure stemmed from a supply chain attack on a catering vendor responsible for in-flight meals and duty-free retail operations. But the vendor was running Oracle E-Business Suite, which contained a critical-severity vulnerability tracked as CVE-2025-61882. The flaw was discovered in early October 2025, after several enterprises reportedly received emails from attackers claiming to have already exploited the flaw to gain access and steal data."
https://www.bankinfosecurity.com/blogs/ai-supply-chain-risk-will-cios-be-held-accountable-p-4024 - Building a Solid IT Strategy In An Unstable World
"It's not surprising in today's world to wake up to news of dramatic changes in the geopolitical climate, of protests erupting overnight that could destabilize governments, or of nation-state actors launching cyberattacks. Geopolitical instability is a part of reality in 2026, and the stakes are high for CIOs who must rely on global supply chains to develop IT, artificial intelligence, cloud and cybersecurity strategies."
https://www.bankinfosecurity.com/building-solid-strategy-in-unstable-world-a-30512 - Latin America Sees Sharpest Rise In Cyber Attacks In December 2025 As Ransomware Activity Accelerates
"In December 2025, organizations experienced an average of 2,027 cyber attacks per organization per week. This represents a 1% month-over-month increase and a 9% year-over-year increase. While overall growth remained moderate, Latin America recorded the sharpest regional increase, with organizations experiencing an average of 3,065 attacks per week, a 26% increase year over year. The data points to sharper regional and sector-level spikes in activity, driven primarily by ransomware operations and expanding exposure linked to enterprise adoption of generative AI (GenAI)."
https://blog.checkpoint.com/research/latin-america-sees-sharpest-rise-in-cyber-attacks-in-december-2025-as-ransomware-activity-accelerates/ - Doctor Web’s Q4 2025 Review Of Virus Activity On Mobile Devices
"According to detection statistics collected by Dr.Web Security Space for mobile devices, the trojans Android.MobiDash and Android.HiddenAds, which display intrusive ads, were again the most widespread Android threats. At the same time, their activity decreased, and they were detected less frequently on protected devices by 43.24% and 18.06%, respectively. These malicious programs were followed by trojans from the Android.Siggen family, which includes malware whose functionality varies. They were also detected less often—by 27.47%."
https://news.drweb.com/show/review/?lng=en&i=15101
https://hackread.com/q4-2025-malware-telegram-backdoor-joker-google-play/ - Rakuten Viber CISO/CTO On Balancing Encryption, Abuse Prevention, And Platform Resilience
"In this Help Net Security interview, Liad Shnell, CISO and CTO at Rakuten Viber, discusses how messaging platforms have become critical infrastructure during crises and conflicts. He explains how it influences cybersecurity priorities, from encryption and abuse prevention to incident response and user protection. Shnell also outlines how Viber assesses and mitigates risks that blend technical threats with human behavior."
https://www.helpnetsecurity.com/2026/01/13/liad-shnell-rakuten-viber-messaging-cybersecurity-risks/ - Teaching Cybersecurity By Letting Students Break Things
"Cybersecurity students show higher engagement when the work feels tangible. A new study from Airbus Cybersecurity and Dauphine University describes what happens when courses move beyond lectures and place students inside structured hacking scenarios, social engineering exercises, and competitive games."
https://www.helpnetsecurity.com/2026/01/13/gamified-cybersecurity-training-study/
https://www.mdpi.com/2624-800X/6/1/16 - What Insurers Expect From Cyber Risk In 2026
"Technology shifts, policy decisions, and attacker behavior are changing at the same time, and their effects increasingly overlap. Insurers, brokers, and security teams are feeling that pressure across underwriting, claims, and risk management. A new global study by CyberCube examines how these changes are expected to influence cyber risk through 2026. AI remains a top priority across the insurance sector, though adoption still trails ambition. 82% of insurance leaders say AI ranks as a top business imperative. Deployment at scale remains limited."
https://www.helpnetsecurity.com/2026/01/13/cybercube-insurance-cyber-risk-2026/ - Cyber Insights 2026: External Attack Surface Management
"Shadows are dark and dangerous places where bad guys attack anything or anyone they find. In 2026, AI will increase the number and size of shadows, together with the entire external attack surface. External Attack Surface Management (EASM) is the process of finding and managing every asset an organization exposes to the internet. Those assets may be known (and therefore documented and may be secured) or unknown (and therefore invisible and almost certainly insecure). While EASM covers both categories, we are primarily concerned with the invisible assets."
https://www.securityweek.com/cyber-insights-2026-external-attack-surface-management/ - More Than 40 Countries Impacted By North Korea IT Worker Scams, Crypto Thefts
"The U.S. on Monday urged United Nation member states to take a tougher stance against North Korean efforts to skirt sanctions through its IT worker scheme and cryptocurrency heists. Eleven countries led a session at the UN headquarters in New York centered around a 140-page report released last fall that covered North Korea’s extensive cyber-focused efforts to fund its nuclear and ballistic weapons program. The report links the North Korean IT worker scheme — where citizens of the country steal identities and secure employment at western companies — with Pyongyang’s billion-dollar crypto thefts."
https://therecord.media/40-countries-impacted-nk-it-thefts-united-nations - Dutch Cops Cuff Alleged AVCheck Malware Kingpin In Amsterdam
"Dutch police believe they have arrested a man behind the AVCheck online platform - a service used by cybercrims that Operation Endgame shuttered in May. The country's public prosecutor's office (LP) issued a statement on Monday, confirming the arrest of a 33-year-old Dutchman in connection with its investigation into the malware service, without specifying it or the man by name."
https://www.theregister.com/2026/01/13/avcheck_arrest/
อ้างอิง
Electronic Transactions Development Agency (ETDA) 
รายละเอียดช่องโหว่
ผลิตภัณฑ์ที่ได้รับผลกระทบ
อ้างอิง
️ ThaiCERT ย้ำเช็กเวอร์ชันด่วน! ข้อมูลสำรองของคุณอาจไม่ปลอดภัย
