NCSA Webboard

    Posts created by NCSA_THAICERT

    • Warning to WordPress administrators: update the Kirki and Burst Statistics plugins after vulnerabilities were found; risk of site takeover

      You can follow the news on the webboard or on Facebook NCSA Thailand

      Posted in Cyber Security News
    • Cyber espionage campaign found targeting the Outlook accounts of stock exchange executives for more than 5 months


      Posted in Cyber Security News
    • Threat actors found using AI to build an automated malware testing system to evade EDR detection


      Posted in Cyber Security News
    • CISA adds 1 exploited vulnerability to its catalog

      On 3 June 2026 (B.E. 2569) the Cybersecurity and Infrastructure Security Agency (CISA) added 1 new vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. Details:

      • CVE-2026-45247 Mirasvit Full Page Cache Warmer Deserialization of Untrusted Data Vulnerability

      Reference
      https://www.cisa.gov/news-events/alerts/2026/06/03/cisa-adds-one-known-exploited-vulnerability-catalog

      Posted in Cyber Security News
    • CISA adds 2 exploited vulnerabilities to its catalog

      On 2 June 2026 (B.E. 2569) the Cybersecurity and Infrastructure Security Agency (CISA) added 2 new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. Details:

      • CVE-2022-0492 Linux Kernel Improper Authentication Vulnerability
      • CVE-2025-48595 Android Framework Integer Overflow Vulnerability

      CISA updates the KEV catalog and adds newly exploited vulnerabilities to it continuously, so that it covers the risks actually observed now and in the future.

      Reference
      https://www.cisa.gov/news-events/alerts/2026/06/02/cisa-adds-two-known-exploited-vulnerabilities-catalog

      Posted in Cyber Security News
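      The two KEV posts above are only useful if someone turns them into a check against the organisation's own asset list and CISA's remediation due dates. The script below is an added example, not code from NCSA or CISA: it parses a feed in the layout of CISA's KEV JSON (a "vulnerabilities" list with cveID, vendorProject, product, vulnerabilityName, dateAdded and dueDate fields) and reports which inventory assets carry a KEV entry, overdue ones first. The feed excerpt is constructed from the three CVE IDs named in the posts; the due dates, product fields and the inventory are placeholders, not data from the page.

```python
"""Cross-check an asset inventory against a CISA KEV-style feed.

Added example (not from the NCSA post or CISA). SAMPLE_KEV_JSON is
CONSTRUCTED to mirror the shape of CISA's KEV JSON; the CVE IDs come from
the posts above, every other value (due dates, products) is a placeholder.
SAMPLE_INVENTORY is likewise constructed.
"""
import json
from datetime import date

# Constructed sample in the layout of the KEV feed. For live use, download
# https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
# and pass its text to find_kev_exposure() instead of this string.
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed sample)",
    "catalogVersion": "2026.06.03",
    "count": 3,
    "vulnerabilities": [
        {"cveID": "CVE-2026-45247", "vendorProject": "Mirasvit",
         "product": "Full Page Cache Warmer",
         "vulnerabilityName": "Mirasvit Full Page Cache Warmer Deserialization of Untrusted Data Vulnerability",
         "dateAdded": "2026-06-03", "dueDate": "2026-06-24",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2022-0492", "vendorProject": "Linux", "product": "Kernel",
         "vulnerabilityName": "Linux Kernel Improper Authentication Vulnerability",
         "dateAdded": "2026-06-02", "dueDate": "2026-06-23",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2025-48595", "vendorProject": "Android", "product": "Framework",
         "vulnerabilityName": "Android Framework Integer Overflow Vulnerability",
         "dateAdded": "2026-06-02", "dueDate": "2026-06-23",
         "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed inventory: asset name -> CVE IDs reported by the scanner.
SAMPLE_INVENTORY = {
    "shop-web-01": ["CVE-2026-45247", "CVE-2024-00001"],
    "k8s-node-07": ["cve-2022-0492"],          # scanners are not consistent about case
    "jump-host": [],
}


def load_kev(feed_text):
    """Parse KEV JSON text into {CVE-ID (upper-case): entry}.
    Raises KeyError/ValueError on a feed that does not have the KEV layout."""
    data = json.loads(feed_text)
    return {e["cveID"].upper(): e for e in data["vulnerabilities"]}


def find_kev_exposure(feed_text, inventory, today=None):
    """Return one finding per (asset, CVE) pair that appears in the feed.

    `today` is an ISO date string (defaults to the current date). Findings
    past CISA's dueDate are marked overdue and sorted first, then by due date.
    """
    today_d = date.fromisoformat(today) if today else date.today()
    kev = load_kev(feed_text)
    findings = []
    for asset, cves in inventory.items():
        for cve in cves:
            entry = kev.get(cve.upper())
            if entry is None:
                continue                      # not in KEV: normal patch cadence
            due = date.fromisoformat(entry["dueDate"])
            findings.append({
                "asset": asset,
                "cve": entry["cveID"],
                "name": entry["vulnerabilityName"],
                "due": due.isoformat(),
                "overdue": today_d > due,
                "days_left": (due - today_d).days,
            })
    findings.sort(key=lambda f: (not f["overdue"], f["due"], f["asset"]))
    return findings


if __name__ == "__main__":
    for f in find_kev_exposure(SAMPLE_KEV_JSON, SAMPLE_INVENTORY, "2026-06-25"):
        flag = "OVERDUE" if f["overdue"] else f"{f['days_left']}d left"
        print(f"{f['asset']:12} {f['cve']:15} due {f['due']} [{flag}] {f['name']}")
```

      Run as-is it reports the two constructed assets with KEV entries; point it at the real feed and a scanner export to get the list CISA's due dates actually apply to. CVE IDs are compared case-insensitively because scanner exports are inconsistent about that.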
    • CISA publishes 7 Industrial Control Systems (ICS) advisories

      On 4 June 2026 (B.E. 2569) the Cybersecurity and Infrastructure Security Agency (CISA) published 7 Industrial Control Systems (ICS) advisories, giving timely information on security issues, vulnerabilities, and exploits affecting ICS. Details:

      • ICSA-26-155-01 NAVTOR NavBox
      • ICSA-26-155-02 Hitachi Energy ITT600 Explorer
      • ICSA-26-155-03 B&R PPT30 Operating System
      • ICSA-26-155-04 Hitachi Energy RTU500
      • ICSA-26-155-05 Hitachi Energy MACH HiDraw
      • ICSA-24-184-03 Mitsubishi Electric Iconics Digital Solutions and Mitsubishi Electric Products (Update E)
      • ICSA-25-238-03 Schneider Electric Modicon M340 Controller and Communication Modules (Update A)

      Reference
      https://www.cisa.gov/news-events/ics-advisories

      Posted in OT Cyber Security News
    • CISA publishes 2 Industrial Control Systems (ICS) advisories

      On 2 June 2026 (B.E. 2569) the Cybersecurity and Infrastructure Security Agency (CISA) published 2 Industrial Control Systems (ICS) advisories, giving timely information on security issues, vulnerabilities, and exploits affecting ICS. Details:

      • ICSA-25-219-06 Dreame Technology iOS and Android Mobile Applications (Update A)
      • ICSA-25-079-01 Schneider Electric EcoStruxure Process Expert (Update A)

      CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations.

      Reference
      https://www.cisa.gov/news-events/ics-advisories

      Posted in OT Cyber Security News
    • Cyber Threat Intelligence 05 June 2026

      Industrial Sector

      • From Critical To Controlled: Cutting Vulnerabilities In a Live Manufacturing Environment
        "A vulnerability scanner flags a critical CVSS 10 vulnerability on an industrial asset. The report lands in the boss’ inbox and now he wants to know why we’re sitting on a critical vulnerability. In a normal IT environment, you patch it then close the ticket and call it a day. If, however, you’re in OT or dealing with ICS in a live manufacturing facility, it’s rarely that simple. Here’s the framework I use to answer the question “Does this finding represent an exploitable vulnerability in our environment”:"
        https://www.helpnetsecurity.com/2026/06/04/ot-vulnerability-management-process/

      Vulnerabilities

      • Attackers Actively Exploiting Critical Vulnerability In Everest Forms Pro Plugin
        "On March 30th, 2026, we publicly disclosed a critical Remote Code Execution vulnerability in Everest Forms Pro, a WordPress plugin with an estimated 4,000 active installations. This vulnerability can be leveraged by unauthenticated attackers to execute arbitrary PHP code on the server, leading to complete site compromise. The vendor released the fully patched version on March 18th, 2026. Our records indicate that attackers started exploiting the issue on April 13th, 2026. The Wordfence Firewall has already blocked over 29,300 exploit attempts targeting this vulnerability."
        https://www.wordfence.com/blog/2026/06/attackers-actively-exploiting-critical-vulnerability-in-everest-forms-pro-plugin/
        https://www.infosecurity-magazine.com/news/everest-forms-pro-rce-actively/
      • Cisco Warns Of Critical Unified CM Flaw With PoC Exploit Code
        "Cisco has released security updates to patch a critical-severity Unified Communications Manager (Unified CM) flaw that allows attackers to gain root privileges. Cisco Unified CM (formerly known as Cisco CallManager) serves as the central control system for Cisco IP telephony systems, handling device management, call routing, and telephony features. The vulnerability (tracked as CVE-2026-20230) can be exploited remotely by threat actors without privileges in low-complexity server-side request forgery (SSRF) attacks."
        https://www.bleepingcomputer.com/news/security/cisco-warns-of-critical-unified-cm-flaw-with-poc-exploit-code/
        https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cucm-ssrf-cXPnHcW
        https://thehackernews.com/2026/06/cisco-patches-cve-2026-20230-in-unified.html
        https://www.securityweek.com/cisco-warns-of-available-poc-for-critical-unified-cm-vulnerability/
        https://securityaffairs.com/193142/hacking/critical-cisco-unified-cm-bug-patched-as-public-exploit-code-emerges.html
      • Poisoning Claude Code: One GitHub Issue To Break The Supply Chain
        "Hello, I’m RyotaK ( @ryotkak ), a security researcher at GMO Flatt Security Inc. After publishing my previous article ( Pwning Claude Code in 8 Different Ways ), I continued investigating Claude-related products and found several more vulnerabilities. In this article, I will explain a vulnerability in Claude Code’s GitHub Actions that could allow an attacker to compromise any repository that uses the Claude Code workflow, including Anthropic’s own repositories."
        https://flatt.tech/research/posts/poisoning-claude-code-one-github-issue-to-break-the-supply-chain/
        https://thehackernews.com/2026/06/claude-code-github-action-flaw-let-one.html
      • CVE-2026-23479: Redis Use-After-Free In UnblockClientOnKey Leading To RCE
        "CVE-2026-23479 is a use-after-free inside Redis's blocking-client code path that allows an authenticated user to execute arbitrary operating system commands on the Redis host. The use-after-free occurs in unblockClientOnKey() (src/blocked.c), where the function calls processCommandAndResetClient() without checking whether the client was freed as a side effect before continuing to access the client structure. The vulnerability was discovered by Xint Code, a fully autonomous AI-powered security analysis tool, and a working RCE exploit was demonstrated at ZeroDay.Cloud 2025 (London, Dec 10-11, 2025). The Redis team shipped patches on May 5, 2026 across the 7.2.x, 7.4.x, 8.2.x, 8.4.x, and 8.6.x release series."
        https://www.zeroday.cloud/blog/redis-cve-2026-23479-deep-dive
        https://thehackernews.com/2026/06/autonomous-ai-tool-finds-2-year-old-rce.html

      Malware

      • Hola Browser For Windows Compromised To Deliver Cryptominer
        "The Windows version of the Hola Browser has been compromised in a supply chain attack that delivered an undeclared executable identified by researchers as a cryptocurrency miner. The compromise was uncovered during periodic certification checks on Hola Browser as part of its AppEsteem certification testing procedure, which it had previously passed. Hola is an Israeli company best known for Hola VPN, a service that allows users to route internet traffic through other users' devices or through paid proxy infrastructure to bypass geographic restrictions and access content from different countries."
        https://www.bleepingcomputer.com/news/security/hola-browser-for-windows-compromised-to-deliver-cryptominer/
        https://www.sophos.com/en-us/blog/you-do-surprise-me-exe-an-unexpected-executable-in-hola-browser
      • Credit Card Theft Campaign Abuses Stripe To Host Stolen Payment Info
        "A new Magecart campaign is using Stripe's API infrastructure to host the credit card-stealing payload and the data exfiltrated from checkout pages. The entire malicious activity relies on Google Tag Manager and Stripe domains - googletagmanager.com and api.stripe.com - that are trusted implicitly by online stores. The new malware family was discovered by researchers at ecommerce security company Sansec, who found that the malicious code is loaded from a Google Tag Manager (GTM) container and executes on every page that loads it."
        https://www.bleepingcomputer.com/news/security/credit-card-theft-campaign-abuses-stripe-to-host-stolen-payment-info/
      • IronWorm: Shai-Hulud's Rustier Cousin
        "In this article we present research on a malicious npm package that led us to IronWorm: a heavy, Rust-built infostealer that scrapes every secret it can find on a developer's machine, hides behind an eBPF kernel rootkit, and answers to its operator over Tor. Like the infamous Shai-Hulud worm, it turns stolen credentials into a propagation mechanism, quietly committing itself into victims’ GitHub repositories and using trusted developer workflows to publish itself to the NPM registry. This is a self-replicating supply-chain attack, caught in the wild, aimed squarely at the people with the most valuable keychains around: software developers, and crypto/web3 developers in particular."
        https://research.jfrog.com/post/iron-worm-shai-hulud-rustier-cousin/
        https://www.bleepingcomputer.com/news/security/new-ironworm-malware-hits-36-packages-in-npm-supply-chain-attack/
        https://www.darkreading.com/cyberattacks-data-breaches/rust-written-ironworm-npm-supply-chain
      • Fraud, Ransomware, And Fake Apps Are Already Targeting FIFA 2026
        "The FIFA World Cup 2026 kicks off on June 11. Across 16 cities in the US, Canada, and Mexico, billions of people will be watching, traveling, betting, and spending. Threat actors have been watching too, and for far longer. Check Point Research and Check Point Exposure Management spent the past year tracking the cyber threat landscape building around this tournament. What emerged is a coordinated pre-positioning effort across three sectors that sit at the center of the World Cup economy: finance, travel and hospitality, and gambling. The infrastructure is already built, with most of them already live."
        https://blog.checkpoint.com/exposure-management/fraud-ransomware-and-fake-apps-are-already-targeting-fifa-2026/
      • Cybercriminals Are Targeting The FIFA World Cup 2026
        "Starting June 11, the FIFA World Cup 2026 will unite fans, teams, sponsors, broadcasters, hospitality providers, and businesses in one of the world’s largest sporting events. It also presents a significant opportunity for cybercriminals. Major international sporting events create great anticipation, attract high search volume, evoke strong emotions, and drive large volumes of digital transactions. Fans are searching for tickets, travel offers, merchandise, live streams, betting sites, job openings, and event updates. Meanwhile, organizations are busy with logistics, staffing, travel arrangements, customer service, media tasks, and coordinating with third parties. Threat actors have anticipated these scenarios and have already started exploiting them."
        https://www.fortinet.com/blog/threat-research/cybercriminals-are-targeting-the-fifa-world-cup-2026
      • Lazarus Group's Latest: Brandjacking Campaign On Npm
        "Sonatype is tracking a Lazarus Group campaign on npm, consisting of dozens of packages, some with up to 500 weekly downloads, aiming to abuse trust in open source to deploy malware. Leveraging tactics like suffix-addition, embedding, version mimicry, and more, brandjacking packages like this are designed to look like something that would belong in a developer environment. These aren't mere typosquats. In this campaign, attackers seek to dupe developers looking for Buffer, Chai, React, and more, to deploy secondary, more nefarious payloads. We took a closer look at the malicious buffer-utilities package to understand attacker intentions."
        https://www.sonatype.com/blog/lazarus-groups-latest-brandjacking-campaign-on-npm
        https://hackread.com/lazarus-group-npm-brandjacking-target-developers/
      • Impersonation, Click Hijacking, And TDS: Inside a Malware Distribution Ecosystem
        "Check Point Research investigated a large-scale operation that impersonates open-source and freeware projects to capture search traffic, including lookalikes for researcher and security tooling such as Ghidra, dnSpy, and SpiderFoot. The sites are well-designed and often look like legitimate project portals at a glance, sometimes referencing real upstream resources. The deception is not in the page content alone, it’s in what happens when a user interacts. Our analysis shows these pages load a CloudFront-hosted JavaScript staging layer that converts a click on a “download” button/link into a handoff to a Traffic Distribution System (TDS). The TDS enforces strict gating: first-visit state, mandatory click confirmation, anti-bot/anti-analysis logic, VPN/datacenter filtering, and frequency capping."
        https://research.checkpoint.com/2026/impersonation-click-hijacking-and-tds-inside-a-malware-distribution-ecosystem/
        https://thehackernews.com/2026/06/fake-sites-mimicking-open-source-tools.html
      • Five Eyes Warn Chinese Spies Are Using Job Sites To Recruit Insiders
        "China's military intelligence services are increasingly turning to online job platforms with thousands of adverts intended to recruit people with access to sensitive information, the Five Eyes intelligence partnership warned on Wednesday in its first joint bulletin of its kind. The alert, titled Safeguarding Our Secrets, was issued by the domestic security and counterintelligence agencies of Australia (ASIO), Canada (CSIS), the United States (FBI), the United Kingdom (MI5) and New Zealand (NZSIS). It warned that Chinese intelligence officers are posing as recruiters and consultants for front companies based outside China in order to target Five Eyes government and military personnel “and anyone with access to classified or privileged information.”"
        https://therecord.media/five-eyes-warns-chinese-spies-are-using-job-sites-to-recruit-insiders
        https://www.mi5.gov.uk/sites/default/files/2026-06/SAFEGUARDING OUR SECRETS PUBLICATION.pdf
        https://hackread.com/five-eyes-chinese-spies-fake-job-ads-military-staff/
        https://www.theregister.com/security/2026/06/04/five-eyes-china-expanding-state-secret-recruitment-campaign/5250978
      • Pink Is The Latest Goon Squad To Use Fake Helpdesk Calls To Steal Creds
        "A new extortion brand called Pink – which may be a rebrand of BlackFile – uses voice phishing and fake help-desk calls to gain initial access to organizations’ IT environments, steal their sensitive data, and threaten to leak it unless the victims pay a ransom demand. Palo Alto Networks' Unit 42 first spotted the gang, which it tracks as cluster CL-CRI-1147, and its data-leak site, which went live on May 31. “Pink uses vishing and IT impersonation to phish credentials/MFA, then exfiltrates enterprise cloud storage and productivity data to extort victims,” the threat-intelligence biz said in a LinkedIn post."
        https://www.theregister.com/cyber-crime/2026/06/04/pink-is-the-latest-goon-squad-to-use-fake-helpdesk-calls-to-steal-creds/5251434

      Breaches/Hacks/Leaks

      • DentaQuest Data Breach Exposed Info Of 2.6 Million Accounts
        "A data breach at the dental benefits administrator DentaQuest has reportedly exposed the sensitive data of 2.6 million accounts. The security incident came to light last month, when the infamous extortion group ShinyHunters listed the company on its data leak site and claimed to have stolen more than 234 GB of data. Following what the threat actor describes as a failure to reach an agreement with the company, the data was publicly leaked."
        https://www.bleepingcomputer.com/news/security/dentaquest-data-breach-exposed-info-of-26-million-accounts/
      • UN Food Agency Discloses Breach Affecting 600,000 Gaza Households
        "The United Nations' World Food Programme (WFP), the world's largest humanitarian organization, revealed over the weekend that its self-registration application (SRA) for Palestine was breached. The WFP disclosed the incident in a Sunday Telegram message, saying that the self-registration application used for assistance registration in Gaza had been breached. During the breach, the attackers gained access to personal data belonging to beneficiaries across the Gaza Strip, including affected individuals' names, ID numbers, phone numbers, and location information (such as neighborhood data recorded during registration)."
        https://www.bleepingcomputer.com/news/security/un-world-food-programme-breach-affects-600-000-gaza-households/
        https://therecord.media/un-food-agency-investigates-gaza-aid-breach
      • iFood Confirms Data Breach Affecting 1.2 Million Users In Brazil
        "Brazilian food delivery app iFood has confirmed becoming the victim of a data breach in December 2025 that affected 1.2 million users (which makes up about 2% of its customer base). According to the iFood announcement on Wednesday, June 3, the incident was an isolated issue where hackers took names, phone numbers, addresses, and CPF numbers. Like Social Security Numbers (SSN) in the United States, CPFs are Brazilian taxpayer identity documents used everywhere for everyday tasks like opening bank accounts, shopping, and verifying identity. Fortunately, iFood clarified that hackers did not get passwords, bank details, or credit card records."
        https://hackread.com/ifood-confirms-data-breach-brazil-users/

      General News

      • 4 Critical Threats Where Attackers Have The Advantage
        "Enterprise defenses for four critical threats are overmatched and in urgent need of improvement. That's according to several analysts who spoke at the Gartner Security and Risk Management Summit this week. In a session on Monday, John Watts, VP analyst at Gartner, highlighted deepfakes, software supply chain risks, prompt injections, and AI application compromises as the four most pressing threats for enterprises."
        https://www.darkreading.com/vulnerabilities-threats/4-critical-threats-attackers-advantage
      • OAuth Marketplace Apps Keep Access After Publishers Vanish
        "Installing an app from the Google Workspace Marketplace or GitHub Marketplace can grant a third party access to company email, files, calendars, code repositories, CI workflows, organization settings, and secrets. Marketplace presence gives these apps the appearance of approval. The OAuth grants behind them often reach into business systems beyond the listed function. An audit by OhAuth, the OAuth research project from identity security company Offroad, covered 2,890 public OAuth app listings, with 1,595 on Google Workspace Marketplace and 1,295 on GitHub Marketplace. Their combined reported install footprint reaches at least 4.39 billion. That figure is a lower bound. Marketplace install labels use rounded values such as 1M+, so the number represents reported installs."
        https://www.helpnetsecurity.com/2026/06/04/oauth-marketplace-apps-audit/
      • Spotless Compliance Evidence Can Still Hide a Broken Control
        "In this interview with Help Net Security, Marc Rubbinaccio, Head of Cybersecurity and Compliance at Secureframe, explains where security teams go wrong when preparing for CMMC and FedRAMP 20x. The conversation covers how organizations check the 110 requirements but miss the 320 assessment objectives beneath them, why spotless SOC 2 evidence can hide a broken control, and how continuous monitoring is changing compliance work. It also includes advice for junior practitioners on AI and practical moves a mid-market defense supplier can use to get ready for a CMMC Level 2 assessment on a tight budget."
        https://www.helpnetsecurity.com/2026/06/04/marc-rubbinaccio-secureframe-cmmc-compliance-readiness/
      • ETSI Sets Security Requirements For AI Data Centers And Cloud Platforms
        "ETSI has published TS 104 033, a technical specification that defines security requirements for AI computing platforms. The specification establishes a security framework for platforms used to host AI applications in data center and edge computing environments, covering security functions, platform components, interfaces, and services designed to protect AI models, datasets, training processes, and inference workloads. “This work builds on the AI computing platform security framework we have previously developed and marks a significant step forward in establishing concrete and actionable security requirements for the platform itself,” said Scott Cadzow, Chair of the ETSI Technical Committee Securing AI."
        https://www.helpnetsecurity.com/2026/06/04/etsi-securing-ai-computing-platforms-standard/
        https://www.etsi.org/deliver/etsi_ts/104000_104099/104033/01.01.01_60/ts_104033v010101p.pdf
      • Infosecurity Europe: AI Adoption Creates New Opportunities For Attackers To Distribute Malware, Microsoft Warns
        "The Microsoft Detection and Response Team (DART) has issued advice on how organizations and their security teams should respond to the rising issue of AI-powered cyber threats. “AI is amazing, it makes our job easier. But the same AI that’s useful can be easily manipulated by threat actors, we’ve seen it in social engineering and in our day-to-day investigations,” said Mary Asaolu, senior security researcher at Microsoft, during Infosecurity Europe on June 3."
        https://www.infosecurity-magazine.com/news/attackers-ai-adoption-malware/
      • Agentic AI Is Transforming Defense, But Only Secure IT Infrastructure Will Maximize It
        "Over the past several weeks, the cybersecurity community has been reminded how quickly frontier and agentic AI in defense networks can challenge our assumptions. When Anthropic's Claude Mythos model was made available to a limited set of organizations as a technical preview, it was reported that an unauthorized group claimed that it had gained access within hours. The incident, if true, was more than a possible breach. It was a warning."
        https://thehackernews.com/2026/06/agentic-ai-is-transforming-defense-but.html
      • Scam Center Strike Force Announces Results Of U.S. & Private Industry “Disruption Week”
        "The Department of Justice, through U.S. Attorney Jeanine Ferris Pirro for the District of Columbia and Assistant Attorney General A. Tysen Duva of the Justice Department’s Criminal Division, today announced the results of a first-of-its-kind event combining the focus of government entities and private industries to tackle cyber-enabled and cryptocurrency fraud targeting Americans. During “Disruption Week,” the private sector took voluntary action to interrupt millions of social media, email, and internet access accounts used by transnational organized crime actors in Southeast Asia that were being used to defraud Americans, and the government shared information which enabled private sector actors to voluntarily freeze over $3.8 million in cryptocurrency involved in laundering of funds stolen from Americans."
        https://www.justice.gov/opa/pr/scam-center-strike-force-announces-results-us-private-industry-disruption-week
        https://thehackernews.com/2026/06/doj-disrupts-southeast-asia-crypto.html
        https://www.securityweek.com/over-1-4-million-accounts-disrupted-in-cybercrime-crackdown/
      • Russia Seeks To Label Two Anti-Kremlin Hacker Groups As ‘extremist’
        "Russia is seeking to designate two hacker groups, Belarusian Cyber Partisans and Silent Crow, as extremist organizations and ban their activities in the country. The groups have previously claimed responsibility for cyberattacks targeting critical infrastructure and government institutions in Russia and Belarus. Russia’s Supreme Court said on Wednesday it would consider a request to ban the groups during a closed-door hearing. The court did not explain why it was seeking to designate them as extremist organizations."
        https://therecord.media/russia-seeks-extremist-label-for-hacker-groups

      Reference
      Electronic Transactions Development Agency (ETDA)

      Posted in Cyber Security News
    • Cyber Threat Intelligence 04 June 2026

      Vulnerabilities

      • Acer Working To Patch Max Severity Zero-Days In Wave 7 Routers
        "Acer confirmed that it's working to address two maximum-severity zero-day vulnerabilities affecting its Wave 7 mesh routers. According to a Friday security advisory, the two security flaws were reported by security researcher Gergo Pap and affect Wave 7 routers running firmware version T7c_GBL_1.01.000055 or earlier. The first zero-day, a broken access control vulnerability tracked as CVE-2026-49200, can allow unauthenticated attackers to remotely access plaintext credentials stored in log archives."
        https://www.bleepingcomputer.com/news/security/acer-warns-of-max-severity-zero-days-affecting-wave-7-routers/
      • New 'HTTP/2 Bomb' DoS Attack Crashes Web Servers In Under a Minute
        "A new denial-of-service (DoS) attack dubbed HTTP/2 Bomb can be launched from a single machine to take down web servers within seconds. The technique works on default HTTP/2 configurations of major web servers, including NGINX, Apache HTTP Server, Microsoft IIS, Envoy, and Cloudflare Pingora. Discovered by OpenAI's Codex software agent under the guidance of researchers at offensive security firm Calif, HTTP/2 Bomb combines two previously known HTTP/2 DoS methods: the HPACK compression amplification and Slowloris-style resource retention via HTTP/2 flow-control stalling."
        https://www.bleepingcomputer.com/news/security/new-http-2-bomb-dos-attack-crashes-web-servers-in-under-a-minute/
        https://blog.calif.io/p/codex-discovered-a-hidden-http2-bomb
        http://github.com/califio/publications/tree/main/MADBugs/http2-bomb
        https://thehackernews.com/2026/06/new-http2-bomb-vulnerability-allows.html
        https://www.securityweek.com/http-2-bomb-exploit-knocks-web-servers-offline-in-seconds/
      • CISA Adds One Known Exploited Vulnerability To Catalog
        "CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
        CVE-2026-45247 Mirasvit Full Page Cache Warmer Deserialization of Untrusted Data Vulnerability"
        https://www.cisa.gov/news-events/alerts/2026/06/03/cisa-adds-one-known-exploited-vulnerability-catalog
      • VS Code Zero-Day Lets Hackers Steal GitHub Tokens In One Click
        "A security researcher has released exploit code for a Visual Studio Code (VS Code) zero-day vulnerability that allows attackers to steal GitHub authentication tokens by tricking users into clicking a link. Microsoft classifies a software flaw as a zero-day if it is publicly disclosed and/or actively exploited with no official patch currently available. As researcher Ammar Askar explained in a blog post on Tuesday, this VS Code vulnerability allows attackers to install malicious extensions that steal GitHub OAuth tokens when they are passed to github.dev (a browser-based version of Visual Studio Code used to work on GitHub repositories) by exploiting VS Code's sandboxed webview message-passing system."
        https://www.bleepingcomputer.com/news/security/vs-code-zero-day-lets-hackers-steal-github-tokens-in-one-click/
        https://blog.ammaraskar.com/github-token-stealing/
        https://thehackernews.com/2026/06/one-click-github-dev-attack-lets.html
        https://www.theregister.com/security/2026/06/03/another-bug-hunter-leaks-microsoft-exploits-in-defiance-of-companys-handling-of-vulnerability-disclosures/5250590
      • Gemini’s Secret Affair: Exploiting Gemini Voice Assistant Through Instant Messaging Apps
        "SafeBreach Labs researchers discovered a new security vulnerability that allows attackers to exploit Google Gemini through notification-based indirect prompt injections from messaging apps like WhatsApp, Slack, and SMS. By bypassing Google’s previous defenses using a novel technique called “Fake Context Alignment,” researchers demonstrated how an attacker can manipulate conversational context silently—hiding malicious instructions in foreign languages or muted hyperlinks—to force the assistant into executing unauthorized actions. These exploits include controlling smart home devices, launching unauthorized video streams, orchestrating large-scale social engineering by faking messages from trusted contacts, and poisoning long-term memory for persistent access."
        https://www.safebreach.com/blog/gemini-voice-assistant-prompt-injection-exploit
        https://www.darkreading.com/application-security/malicious-notifications-could-trick-google-gemini-users
        https://thehackernews.com/2026/06/whatsapp-slack-notifications-could.html

      Malware

      • TA4922: The Suspected Chinese Crime Group Is Going Global
        "The Chinese-speaking cybercriminal ecosystem has grown dramatically in recent years. Many of the threats observed in the landscape are descendants of malware first used by Chinese espionage threat actors, namely Gh0stRAT and related payloads, and frequently targeted Chinese-speaking users. But as Chinese-speaking cybercriminals develop better capabilities in malware, social engineering, and global targeting, their footprint is expanding, and more actor clusters are emerging. In this report, we’ll dive into TA4922, a newly designated Chinese-speaking threat actor largely targeting East Asia."
        https://www.proofpoint.com/us/blog/threat-insight/ta4922-suspected-chinese-crime-group-going-global
        https://www.bleepingcomputer.com/news/security/chinese-hackers-use-new-atlas-rat-malware-in-european-cyberattacks/
        https://hackread.com/china-ta4922-hackers-uk-europe-silentrunloader-malware/
      • CISA Warns Of Cyberattacks Targeting Fuel Tank Monitoring Systems
        "CISA, the FBI, the NSA, the Department of Energy, and other US government partners are warning that hackers are targeting internet-exposed automatic tank gauge (ATG) systems used to monitor fuel and liquid storage tanks across various critical infrastructure sectors. The cybersecurity agency says that ATG systems are commonly used in the Energy, Chemical, Food and Agriculture, and Transportation Systems sectors to remotely monitor storage tank levels, temperatures, and potential leaks. The US government says threat actors are targeting exposed devices and modifying system settings through command execution."
        https://www.bleepingcomputer.com/news/security/cisa-warns-of-cyberattacks-targeting-fuel-tank-monitoring-systems/
        https://www.ic3.gov/CSA/2026/260602.pdf
      • Inside The Cross-Platform Propagation Of a New Gafgyt Variant C0XMO
        "This past March, FortiGuard Labs discovered a new Gafgyt botnet variant, C0XMO, that spreads by exploiting CVE-2021-27137. Our analysis revealed that, unlike earlier versions, this malware separates its lateral movement into a standalone Python script. This approach helps the attacker target various system architectures and device types more efficiently. Below is a detailed technical overview of its structure, propagation methods, and attack features. The threat actor delivered the malware by exploiting CVE-2021-27137, a stack buffer overflow in the UPnP service of vulnerable DD-WRT router firmware versions. The vulnerability occurs when the SSDP parser mishandles oversized ST:uuid: values in specially crafted M-SEARCH requests sent via UDP port 1900."
        https://www.fortinet.com/blog/threat-research/inside-cross-platform-propagation-of-new-gafgyt-variant-c0xmo
      • Error 524 Decoy: Unmasking a Global Smishing Operation Hiding Behind Error Pages
        "Latin America, characterized by high mobile penetration and uneven SMS anti-spoofing controls, is often exploited by fraud operators. Group-IB researchers have identified a sophisticated, large-scale smishing and phishing operation, active since the second half of 2025, that uses the region as its primary theater and has expanded to 72 countries across the globe. This campaign has impersonated over 267 unique brands across sectors like telecommunications and financial services, successfully generating thousands of phishing domain instances aimed at harvesting full credit card credentials and personal identifiers."
        https://www.group-ib.com/blog/error-524-decoy-smishing/
      • How Attackers Are Gaining Access To LLM Inference
        "The most capable commercial AI models are now useful enough to attackers that they have become an integral part of their kill chain, in multiple steps. The Cybench benchmark tests models on offensive cyber tasks. Its current top performers (Claude Opus 4.6, Claude Sonnet 4.5, Grok 4) can write functional exploit code, reason through credential chains, and sustain complex reconnaissance workflows: multi-step offensive work that previously required human expertise. Malware families are already using this. Instead of generating a payload offline and shipping it, they wire a live LLM API into the malware itself so it can adapt its behavior at runtime on the infected host."
        https://intezer.com/blog/how-attackers-access-llm-inference/
      • We Found This Fake-Invoice Campaign While Scammers Were Still Building It
        "A new batch of fake payment invoices is being staged right now, and we caught the campaign while it was still being put together. The emails impersonate PayPal, Amazon, Geek Squad, and others, and they all share one goal: to scare you into calling a phone number where a fake “support agent” is waiting. What makes this wave unusual is that some of the templates we recovered still contained blank fields where the phone number and price should have been, while others were already complete and in circulation. We caught the campaign mid-rollout."
        https://www.malwarebytes.com/blog/threat-intel/2026/06/we-found-this-fake-invoice-campaign-while-scammers-were-still-building-it
      • Argamal: Malware Hidden In Hentai Games
        "In April 2026, we discovered a new malware campaign targeting players of “hentai” games. Once launched, the infected games install a previously unknown malicious implant on the user’s machine. After a few days, the implant downloads and executes a Trojan, resulting in full system compromise and broad remote control capabilities for the attackers. We dubbed this malware family “Argamal”. The malware uses COM hijacking to persist on the victim’s machine, replacing the InprocServer32 entry for Windows Color System Calibration Loader DLL. This task is triggered when the user logs in, effectively allowing the malware to run at startup."
        https://securelist.com/argamal-rat-distributed-with-hentai-games/119999/
      • Espionage Campaign Targeted Stock Exchange Executive For Five Months
        "A five-month espionage campaign targeted the email account of a senior figure at a major global stock exchange. For an espionage actor, a senior executive's mailbox is a high-value intelligence target. An Outlook profile may yield details of external negotiations, internal deliberations, the executive's calendar, travel pattern, and their contacts. Organizations such as exchanges and regulators may hold non-public information about listings, enforcement actions and market-moving events. Months of unfettered access to that mailbox lets an attacker build a near-complete picture of the target's working life and the organization's near-term direction without ever having to move laterally elsewhere on the network."
        https://www.security.com/threat-intelligence/stock-exchange-espionage
        https://www.securityweek.com/hackers-target-global-stock-exchange-in-espionage-operation/
        https://securityaffairs.com/193086/intelligence/cyber-espionage-campaign-targeted-stock-exchange-executives-outlook-account.html
      • From Malspam To DesckVB RAT Deployment
        "In May 2026, the Huntress SOC responded to a DesckVB RAT infection that began with a malspam. Short for “malicious spam,” malspam is email crafted to deliver malware or trick a user into taking an action that starts the infection chain, whether that is opening a booby-trapped attachment, clicking a malicious link, or handing over credentials on a fake login page. Still to this day, malspam remains one of the most prolific initial access vectors for attackers. At first glance, this case could be mistaken for just another malspam infection, but the delivery chain tells a more interesting story."
        https://www.huntress.com/blog/malspam-to-deskcvb-rat-delivery-chain-analysis
        https://thehackernews.com/2026/06/google-doubleclick-abused-in-new.html
      • When "Moderate" Means "Sometimes"
        "On April 14, 2026, Microsoft patched CVE-2026-33829, an NTLM credential leakage bug in the Windows Snipping Tool with a CVSS score of 4.3. The issue lived in the Snipping Tool’s ms-screensketch: URI handler, the part of Windows that decides what to do when someone clicks a special kind of link. Technically, the Snipping Tool’s URI handler accepted a filePath parameter, didn't validate it, and would happily reach out to whatever UNC path you handed it. That connection could trigger NTLM authentication and expose the victim’s Net-NTLMv2 hash. In plain English: a user could be tricked into clicking what looks like an ordinary link, and their computer would automatically try to “check in” with a server controlled by the attacker."
        https://www.huntress.com/blog/unpatched-ntlm-leak-windows-search-uri-handler
        https://thehackernews.com/2026/06/unpatched-windows-search-uri.html

      Breaches/Hacks/Leaks

      • IMA Diligence Services Data Breach Impacts 525,000 People
        "IMA Diligence Services is notifying over 525,000 individuals that their personal information was stolen in a data breach. The incident, the company says, was identified in mid-December after a legacy server managed by a third party became inaccessible. “Upon discovery, we notified law enforcement and promptly commenced an investigation to confirm the nature and scope of this incident,” an incident notice on the company’s website reads."
        https://www.securityweek.com/ima-diligence-services-data-breach-impacts-525000-people/

      General News

      • Economic Fury Targets Iran’s Largest Digital Asset Exchange For Terror Finance And Sanctions Evasion
        "Today, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) designated Nobitex, Iran’s largest digital asset exchange, along with three other Iranian digital asset exchanges, as part of Economic Fury and the Trump Administration’s efforts to eliminate the threat posed by the Iranian regime. “While Iran’s economy is in free fall, the regime has chosen to co-opt digital asset technologies for its own corrupt agenda, including evading sanctions and transferring wealth out of the country. Iran’s current economic chaos is proof that President Trump’s maximum pressure campaign has been a success,” said Secretary of the Treasury Scott Bessent."
        https://home.treasury.gov/news/press-releases/sb0519
        https://www.bleepingcomputer.com/news/security/the-us-sanctions-nobitex-crypto-exchange-used-by-ransomware/
      • Embedded Threats: How Attackers Weaponize Legitimate Emails
        "Cofense Intelligence has been tracking how threat actors abuse various legitimate online services to deliver malicious content embedded in legitimate business emails via arbitrary text fields. Legitimate websites often need to collect arbitrary text input from users to fill out usernames, meeting descriptions, or similar kinds of information. This text is often embedded within legitimate emails when the user performs actions such as sending meeting invitations, sharing documents, or resetting passwords."
        https://cofense.com/blog/embedded-threats-how-attackers-weaponize-legitimate-emails
      • Autonomous AI-Driven Worm Can Reason Its Way Through Corporate Networks
        "Researchers at the University of Toronto, the Vector Institute, and the University of Cambridge have built and tested a proof-of-concept AI-driven worm that does not operate on a fixed list of exploits. Instead, it analyzes each target it encounters, reasons about how to attack it, and creates a strategy on the fly, all with the help of a small, free large language model (LLM) running directly on machines it has already compromised."
        https://www.helpnetsecurity.com/2026/06/03/autonomous-ai-worm-prototype/
        https://arxiv.org/pdf/2606.03811
      • Security Of 100 AI Agents Tested And Ranked – What You Need To Know
        "AI is our new leader. We just accept and do what it tells us. Maybe we should be a bit more circumspect. Concern over the performance of AI agents has been constant, ranging from ‘leaky’ to just plain wrong decision-making. Since the pressure to use more agents more autonomously because of supercharged AI-assisted attacks is now constant, Adversa AI’s decision to measure and compare the performance and security of 100 agents across ten categories is welcome. But the results are not. Of the 100 agents tested, and positioned within a new AI Risk Quadrant, only 11 are categorized as ‘capable well-defended’."
        https://www.securityweek.com/security-of-100-ai-agents-tested-and-ranked-what-you-need-to-know/
        https://www.helpnetsecurity.com/2026/06/03/research-ai-agent-security-capability/
      • A Small Slovenian Team Handles 6,000 Cyber Incidents a Year
        "Online fraud complaints, ransomware cases, and phishing tips reach Slovenia’s national cyber response center in steady volume, and a team of around a dozen analysts sorts through them. Gorazd Božič, who manages SI-CERT at the public agency ARNES, described that work in an interview conducted in person at the Span Cyber Security Arena conference. He put the original proposal for a Slovenian CERT to ARNES leadership in 1994, and the center now records about 6,000 incidents a year, up from roughly 300 ten to fifteen years earlier."
        https://www.helpnetsecurity.com/2026/06/03/gorazd-bozic-si-cert-cyber-incident-response/
      • Known Vulnerabilities Behind Most Application Security Incidents
        "Eight in ten organizations took an application security hit during the past year tied to a vulnerability their team had already cataloged, according to a survey of 902 IT and security professionals conducted by the Cloud Security Alliance. The pattern points to a structural condition across the industry, where the window between identifying a flaw and closing it in production stays open long enough for attackers to act. The National Vulnerability Database logged more than 40,000 CVEs in 2025, and VulnCheck recorded exploitation activity following disclosure within days. Frontier AI systems capable of generating working exploits at machine speed, including one called Mythos, have compressed that window further, raising the operational stakes for any organization carrying unresolved findings in live environments."
        https://www.helpnetsecurity.com/2026/06/03/csa-application-security-incidents/

      Reference
      Electronic Transactions Development Agency (ETDA)

      Posted in Cyber Security News
      NCSA_THAICERT
    • Google releases patches for 124 Android vulnerabilities, including CVE-2025-48595, which may have been used in targeted attacks

      Posted in Cyber Security News
      NCSA_THAICERT
    • GoDaddy finds malware on nearly 2,000 WordPress sites using Steam as command-and-control infrastructure

      Posted in Cyber Security News
      NCSA_THAICERT
    • OpenAI announces GPT-5.5 update and prepares to retire older models

      Posted in Cyber Security News
      NCSA_THAICERT
    • Cyber Threat Intelligence 03 June 2026

      Vulnerabilities

      • Unauthenticated Privilege Escalation Vulnerability Patched In Kirki WordPress Plugin
        "On May 4th, 2026, we received a submission for an Unauthenticated Privilege Escalation vulnerability in the Kirki WordPress plugin. Although the plugin has more than 500,000 active installations, we estimate that only around 150,000 sites are using a vulnerable version, as the issue was introduced in the 6.0 major release. This vulnerability makes it possible for unauthenticated attackers to take over arbitrary user accounts on the site, including administrator accounts, by leveraging the plugin’s password reset functionality to have the password reset link delivered to an attacker-controlled email address."
        https://www.wordfence.com/blog/2026/06/unauthenticated-privilege-escalation-vulnerability-patched-in-kirki-wordpress-plugin/
        https://www.bleepingcomputer.com/news/security/critical-kirki-flaw-exploited-to-hijack-wordpress-admin-accounts/
      • Google Fixes One Actively Exploited Android Zero-Day, 124 Flaws
        "Google has released the June 2026 Android security patches to address 124 vulnerabilities, including one zero-day flaw exploited in targeted attacks. Local attackers can exploit the actively abused high-severity Android Framework vulnerability (tracked as CVE-2025-48595) to gain code execution and escalate privileges on devices running Android 14 or later. "There are indications that CVE-2025-48595 may be under limited, targeted exploitation," the company said on Monday in its March 2025 Android Security Bulletin."
        https://www.bleepingcomputer.com/news/security/google-fixes-one-actively-exploited-android-zero-day-124-flaws/
        https://thehackernews.com/2026/06/google-june-2026-android-update-patches.html
        https://www.securityweek.com/android-update-patches-exploited-zero-day-123-other-vulnerabilities/
        https://www.helpnetsecurity.com/2026/06/02/android-vulnerability-exploited-cve-2025-48595/
      • CVE-2026-0826: Critical Unauthenticated Stack Buffer Overflow In HP Poly VVX And Trio VoIP Phones (FIXED)
        "Rapid7 Labs conducted a zero-day research project against an HP Poly VVX 450 Voice over Internet Protocol (VoIP) phone. This research resulted in the discovery of a critical unauthenticated stack-based buffer overflow vulnerability, CVE-2026-0826. A remote attacker can leverage CVE-2026-0826 to achieve unauthenticated remote code execution (RCE) with root privileges on a target device. The vulnerability is present in the device's parsing of Session Description Protocol (SDP) attributes for Interactive Connectivity Establishment (ICE). The ICE feature, which is not enabled by default, must be enabled for the device to be exploitable by a remote attacker."
        https://www.rapid7.com/blog/post/ve-cve-2026-0826-critical-unauthenticated-stack-buffer-overflow-hp-poly-vvx-trio-voip-phones-fixed/
        https://www.securityweek.com/critical-vulnerability-in-hp-voip-phones-enables-enterprise-network-breaches/
      • CISA Adds Two Known Exploited Vulnerabilities To Catalog
        "CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
        CVE-2022-0492 Linux Kernel Improper Authentication Vulnerability
        CVE-2025-48595 Android Framework Integer Overflow Vulnerability"
        https://www.cisa.gov/news-events/alerts/2026/06/02/cisa-adds-two-known-exploited-vulnerabilities-catalog
      • FlagLeft: We Found A Forgotten Flag That Turned Microsoft 365 Apps Into a Silent Account Takeover Pipeline For Billions Of Users
        "Our research found that any app installed on the same Android device could silently access a Microsoft 365 account’s token. It could then act as the signed-in account (read email, open files, access documents, send messages, view calendars), without the user’s knowledge. The issue has been patched, but if you use Microsoft 365 apps on Android, update them now. If your organization manages Android devices, make sure Word, PowerPoint, Excel, Microsoft 365 Copilot, Microsoft Loop, and OneNote are on patched versions."
        https://enclave.ai/blog/flagleft-microsoft-365-android-forgotten-flag-account-takeover
        https://www.securityweek.com/exclusive-how-one-line-of-code-put-billions-of-microsoft-android-app-downloads-at-risk/

      Malware

      • Crypto Guest At Dawn Endpoint (Midnight) Ransomware Analysis
        "EndPoint is a ransomware variant formerly known as Midnight, which is believed to be built on the Babuk ransomware framework. It targets not only Windows environments but also ESXi and NAS environments, and uses a double extortion method that combines file encryption with data exfiltration threats. Since the Babuk source code leak, several derivative ransomware families have emerged, and EndPoint is one of them. Infected files are given the .endpoint extension, and the ransom note includes a uTox ID to contact the victim. In the past, the [email protected] account in the ransom note impersonated the director of the East Asia Institute, which has been identified as being used by North Korea-linked threat actors since 2024."
        https://asec.ahnlab.com/en/93932/
      • Game Over: WeedHack – The Rise Of Minecraft Malware-As-a-Service Campaigns
        "Minecraft is a 2011 sandbox game developed and published by Mojang Studios. It is the best-selling video game in the world and has sold over 350 million copies worldwide. Its popularity has spanned over a decade due to its versatile gameplay, offering multiple game modes, including one of the most memorable Story Modes in gaming history. It allows players to create and host multiplayer servers with a variety of gameplay options and offers a wide range of custom launchers, game mods, and cheats to choose from."
        https://www.mcafee.com/blogs/other-blogs/mcafee-labs/weedhack-minecraft-malware-as-a-service-campaign-research/
        https://www.bleepingcomputer.com/news/security/over-116-000-mincraft-systems-infected-in-weedhack-malware-campaign/
      • Pointing a Cursor At Evading Detection
        "Sophos X-Ops analysts observed a threat actor using artificial intelligence (AI) technologies to test endpoint detection and response (EDR) evasion tactics in a “red team” post-exploitation framework. The activity was detected when an anomalous endpoint registered within a customer tenant triggered alerts for payloads originating from C:\Users\User\Documents\test. Multiple files in this directory were malicious and indicative of a broader attack framework focused on evading detection:"
        https://www.sophos.com/en-us/blog/pointing-a-cursor-at-evading-detection
        https://www.bleepingcomputer.com/news/security/ai-built-ransomware-toolkit-automates-edr-evasion-ad-discovery/
        https://www.infosecurity-magazine.com/news/ai-edr-evasion-tooling/
        https://www.helpnetsecurity.com/2026/06/02/ai-agents-edr-evasion-techniques/
      • Instagram Users Locked Out After Meta AI Abused To Steal Accounts
        "Multiple Instagram users had their accounts hijacked after attackers convinced Meta’s AI-powered support tools that they were the legitimate owners. In many cases, impacted users are unable to recover access due to the platform's use of automated assistance that involves only AI/chatbot loops and no human support agents. On Monday, multiple holders of rare and high-value accounts reported suddenly losing access to their accounts, claiming that their identities had been verified via facial scans and that they had enabled safeguards such as two-factor authentication (2FA)."
        https://www.bleepingcomputer.com/news/security/instagram-users-locked-out-after-meta-ai-abused-to-steal-accounts/
        https://hackread.com/hackers-abuse-meta-ai-bot-hijack-instagram-accounts/
        https://www.securityweek.com/meta-ai-hands-over-high-profile-instagram-accounts-to-hackers/
        https://securityaffairs.com/193034/hacking/instagram-account-hijacks-expose-the-security-risks-of-ai-powered-support.html
      • From Token Bingo To MAX Takeover: Kali365 Operator Expands Operation Across Microsoft Outlook, Okta, Xerox DocuShare, And Other Services
        "In our previous post, Token Bingo: Don’t Let Your Code Be the Winner, we documented Kali365, a phishing-as-a-service (PhaaS) kit abusing Microsoft’s OAuth 2.0 device authorization flow to steal Entra ID tokens. In this follow-up report, we track the same operator into new territory as they expand their operation and infrastructure. Our latest findings include: The operator’s full panel infrastructure, including a live command-and-control (C2) panel for token capture status. A phishing page impersonating MAX Messenger, Russia’s state-backed national messenger, used to take over MAX accounts via a fake “prize-claim” attack flow."
        https://arcticwolf.com/resources/blog/kali365-expands-into-aws-microsoft-okta-xerox-max-messenger/
        https://www.darkreading.com/cyber-risk/fbi-flagged-phishing-kit-kali365-expands-its-reach
      • These Convincing Copyright Notices Are Designed To Steal Google Logins
        "A new scam is targeting people who publish Chrome extensions. The scam arrives as an official-looking “copyright removal request” claiming your extension is about to be removed from the Chrome Web Store and that you have 48 hours to appeal. It even looks personalized. After you enter your extension’s ID to “verify” it, the page pulls in your extension’s real name and icon. But it’s all part of a phishing attack designed to steal your Google username and password. If attackers gain access to a developer account, they may be able to take over the extension, access developer resources, or potentially push malicious updates to users."
        https://www.malwarebytes.com/blog/threat-intel/2026/06/these-convincing-copyright-notices-are-designed-to-steal-google-logins
      • Russia Claims Foreign Spy Agencies Hacked Officials' Phones
        "Russia's domestic security agency on Tuesday accused foreign intelligence services of conducting an espionage operation against senior Russian officials, alleging that spies used the infrastructure and capabilities of major international technology companies to secretly collect sensitive government information. In a statement, Russia's Federal Security Service (FSB) said it had uncovered what it described as a "large-scale operation" involving malicious software installed on the mobile devices of senior Russian officials. The agency alleged the malware was used to extract data, intercept communications and conduct covert audio and video surveillance."
        https://therecord.media/russia-claims-foreign-spy-agencies-hacked-gov-officials
        https://www.theregister.com/security/2026/06/02/russian-spy-agency-says-foreign-spies-turned-officials-smartphones-into-surveillance-devices/5250099
      • Operation FlutterBridge: MacOS Malvertising Campaign Spreads New FlutterShell Backdoor
        "We are tracking an increasingly widespread malvertising campaign targeting macOS. This campaign appears to be the next stage of a previous campaign known as JSCoreRunner, which was first identified in August 2025. In recent months, the financially motivated attackers behind these campaigns transitioned from delivering standard adware to delivering adware with full backdoor capabilities. We designate this campaign Operation FlutterBridge, and we call the payload that it delivers FlutterShell. Built using the Flutter framework, FlutterShell infects targets with adware via malicious desktop applications. In addition to its adware functionality, the payload possesses backdoor capabilities, including shell command execution and file system manipulation."
        https://unit42.paloaltonetworks.com/flutterbridge-new-fluttershell-backdoor/

      Breaches/Hacks/Leaks

      • 'Dumbass' Criminal Breaks The 'First Rule Of Ransomware Club'
        "Even ransomware cartels make mistakes, and in this case, it was a biggie that could have landed the responsible crim in a Russian gulag: accidentally infecting a company located in a Commonwealth of Independent States country. In what threat-hunter Dominic Alvieri deemed the ransom “dumbass of the day,” Nova, the affiliate program for ransomware crew RAlord, on Tuesday issued an apology to Eriell Group, a major oilfield services company with headquarters in Uzbekistan and a corporate office in Moscow. Apparently, Eriell contacted Nova and notified the ransomware operators about an affiliate's mess-up."
        https://www.theregister.com/cyber-crime/2026/06/02/dumbass-criminal-breaks-the-first-rule-of-ransomware-club/5250380

      General News

      • The Meta AI Account Recovery Incident Wasn’t Just a Chatbot Problem
        "When people hear about hackers “asking an AI chatbot” to help them take over Instagram accounts, the instinctive reaction is to file it under prompt injection, jailbreaks, or “the model got tricked.” That may be the wrong lesson. According to reporting from 404 Media, hackers claimed they used Meta’s AI support chatbot to gain access to high-profile Instagram accounts by asking it to change the email address associated with the target account. The reported incidents coincided with several high-profile account takeovers, including accounts linked to the Obama White House, Sephora, and the Chief Master Sergeant of the Space Force."
        https://blog.checkpoint.com/ai-security/the-meta-ai-account-recovery-incident-wasnt-just-a-chatbot-problem/
      • Why Traditional Phishing “Red Flags” Fail Against AI-Generated Attacks
        "For years, phishing awareness was taught through a simple lens: look for bad grammar, suspicious links, generic greetings, and urgent requests. That advice is not wrong. It is just no longer enough. Today’s phishing attacks are increasingly built to avoid those classic tells. Threat actors use AI to generate emails that are grammatically correct, contextually relevant, and tailored to specific people, roles, and organizations. Instead of sending one sloppy template, they can create endless variations that look legitimate on the surface. That shift breaks one of the oldest assumptions in phishing defense: that malicious emails will usually look suspicious."
        https://cofense.com/blog/why-traditional-phishing-red-flags”-fail-against-ai-generated-attacks
      • Zoom CISO: AI As Security Enabler, Not Role-Replacer
        "In an era where artificial intelligence is reshaping the cybersecurity landscape at unprecedented speed, Sandra McLeod, CISO at Zoom, offers a compelling perspective on the future of digital defense. With years of security experience spanning from penetration testing at Cisco to leading security initiatives at one of the world's most widely used communication platforms, McLeod brings a unique technical foundation to her leadership role. Her journey to the CISO position reflects the evolving nature of cybersecurity leadership itself."
        https://www.darkreading.com/cybersecurity-operations/zoom-ciso-ai-security-enabler-role-replacer
      • Securing AI Agents Before They Go Rogue Is Next To Impossible
        "Agentic AI adoption is in full swing, but unfortunately for enterprises, completely securing these agents might not be feasible. That's according to Dennis Xu, research vice president at Gartner, who spoke about the dangers of rogue AI agents during the Gartner Security & Risk Management Summit on Monday. "There's a lot of them coming at us — whether we like it or not, whether we know it or not," he said during his presentation."
        https://www.darkreading.com/cyber-risk/securing-ai-agents-rogue
      • Zero Trust Physical Security Needs Trust Decisions At The Edge
        "In this interview with Help Net Security, Chuck Davis, VP, Global Information Security at Hikvision, explains how zero trust applies to physical security systems like cameras and door controllers. He breaks down how to make trust decisions at the edge without recreating old perimeter assumptions, why these devices should be treated as IT assets, and what the Mirai botnet taught the industry. Davis also covers posture assessment for devices that cannot run standard agents, and how to manage device identity and revoke trust across tens of thousands of endpoints during a live incident."
        https://www.helpnetsecurity.com/2026/06/02/chuck-davis-hikvision-zero-trust-physical-security/
      • This AI Model Backdoor Attack Stays Hidden Until You Customize The Model
        "Most teams that deploy AI start with a backbone model. They download a large pre-trained system, adapt it to a specific task, and put it into production. The download step carries a security question: the origin of the model. A research team built an attack called BadBone. It plants a backdoor inside a backbone model. Downstream tasks that adapt the model inherit the backdoor. The name points at the target. Corrupt the skeleton, and systems built on top of it carry the flaw."
        https://www.helpnetsecurity.com/2026/06/02/ai-model-backdoor-attack-research/
        https://arxiv.org/pdf/2605.31246
      • Wardriving Assessment Across Mexico: Preparing For The 2026 World Cup
        "Mexico is one of the host countries for the 2026 FIFA World Cup, with matches to be played in three major cities: Mexico City, Monterrey, and Guadalajara. These locations are expected to see a large influx of international visitors, increasing the potential security risks. Many of those risks arise from users connecting to public wireless networks. To better understand the wireless environments that visitors may encounter, we at Kaspersky GReAT conducted a wardriving assessment in the three host cities. The aim of the study was to analyze characteristics, deployment patterns, security configurations and potential exposure risks of public Wi-Fi infrastructure in urban wireless environments."
        https://securelist.com/wardriving-assessment-in-mexico-fifa-world-cup-2026/119996/
      • Two New Reports Offer Competing Explanations For Cybersecurity’s Growing Crisis
        "Two reports offer differing viewpoints. One suggests a failure of tools to provide what security teams really need. The other suggests the tools exist but are not properly managed. The industrialization of cybercrime threatens to overwhelm cyber defense. It’s a process that started before the arrival of ChatGPT, was supercharged by the age of AI, and is now typified as the post-Mythos era. It’s a time when defenders must improve their performance or cede the battleground to the adversary. Applications are the battlefield. The speed, scale and sophistication of AI-assisted attacks is difficult to contain."
        https://www.securityweek.com/two-new-reports-offer-competing-explanations-for-cybersecuritys-growing-crisis/
      • The Zero-Knowledge Threat Actor And The End Of Responsible Disclosure
        "One of the most dangerous outcomes of the rise of AI in cybersecurity is the rise of the zero-knowledge threat actor. A threat actor who has negligible technical expertise but enough malicious intent. This actor can leverage AI, turn limited skills into usable offensive capability via generating malicious code, exploiting vulnerabilities, shaping attack steps and guiding execution. AI has not changed the traditional objectives of cybercrime: stealing credentials, exploiting vulnerabilities, gaining privileged access, stealing sensitive data, disrupting operations, and impacting business continuity. What has changed is the speed of discovery, the democratization of capability, and the acceleration of attacks."
        https://www.securityweek.com/the-zero-knowledge-threat-actor-and-the-end-of-responsible-disclosure/
      • ENISA NIS360 2026: Progress Across The Board, But The Sectors That Matter Most Are Still Falling Short
        "ENISA has published its third annual NIS360 report, assessing the cybersecurity maturity and criticality of all sectors covered by the NIS2 directive. The headline finding is that things are improving across the board. The more important finding is that the improvement is uneven, slow where it matters most, and being outpaced by a threat landscape that’s getting harder faster than defenses are getting better. Banking, electricity, and telecommunications remain the most mature and most critical sectors, as they have been since the assessment began. Three sectors moved up into the high maturity band for the first time: trust services, aviation, and financial market infrastructures. Four more strengthened their position within the moderate band: gas, road, maritime, and health."
        https://securityaffairs.com/193002/reports/enisa-nis360-2026-progress-across-the-board-but-the-sectors-that-matter-most-are-still-falling-short.html
        https://www.enisa.europa.eu/enisa-nis360-2026

      Reference
      Electronic Transactions Development Agency (ETDA)

      Posted in Cyber Security News
      NCSA_THAICERT
    • 🛑 Urgent! Critical vulnerability alert in Langflow 🛑

      The National Computer System Security Coordination Center (ThaiCERT) has been monitoring the cyber threat situation and found a security advisory from the Cyber Security Agency of Singapore (CSA) regarding the critical vulnerability CVE-2025-34291 in Langflow, a platform for building and running AI-powered agents and workflows. CSA states that the vulnerability was discovered in December 2025 and is now being exploited in the wild. Users and administrators running affected versions of Langflow should update to the latest version immediately [1]

      1. Vulnerability details
        CVE-2025-34291 - Langflow Origin Validation Error Vulnerability / Account Takeover and Remote Code Execution (RCE) (CVSS v3.1: 8.8) [2]. The vulnerability stems from an origin validation error combined with an overly permissive CORS configuration, such as allowing allow_origins='*' together with allow_credentials=True, and a refresh token cookie set with SameSite=None. Under certain conditions this lets a website controlled by an attacker send cross-origin requests that carry the user's credentials. If the attack succeeds, the attacker may obtain the access token / refresh token of the user's session and use those tokens to reach authenticated endpoints, including the Langflow functions that execute code, leading to code execution, account takeover, and potentially full compromise of the system

      2. Affected products [3]
        Langflow version 1.6.9 and earlier

      3. Remediation
        3.1 Users and administrators running Langflow version 1.6.9 or lower should update to the latest version immediately, as recommended by CSA
        3.2 Inventory every system with Langflow installed, especially those reachable from the internet or shared by multiple user accounts
        3.3 After updating, review the CORS configuration and cookie/session handling against security guidance, avoiding origin allowances broader than necessary
        3.4 Consider revoking or rotating tokens, API keys, credentials, secrets, and important connection values stored in or used through Langflow if unauthorized access is suspected
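      The CORS and cookie settings named in section 1 and re-checked in step 3.3 can be audited mechanically. The following is an added example written for this advisory, not Langflow's own code or configuration: the field names (allow_origins, allow_credentials, SameSite) mirror those quoted above, while CorsConfig, CookieConfig, audit(), the cookie name and the trusted origin https://langflow.example.internal are assumptions for illustration. It places the weak configuration beside a hardened one and reports what a cross-origin page could do in each case.

```python
"""Audit a CORS + refresh-cookie configuration for the weakness described in
the advisory: allow_origins='*' with allow_credentials=True, plus a refresh
token cookie marked SameSite=None.

Added example, not Langflow's own code or configuration. The field names
mirror those quoted in the advisory; CorsConfig, CookieConfig, audit(), the
cookie name and the trusted origin 'https://langflow.example.internal' are
assumptions."""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class CorsConfig:
    allow_origins: list   # exact origins, or ["*"] for the wildcard
    allow_credentials: bool


@dataclass
class CookieConfig:
    name: str
    samesite: str         # "Strict", "Lax" or "None"
    secure: bool
    httponly: bool


def cors_decision(cfg: CorsConfig, origin: str) -> tuple:
    """How a request from `origin` is answered: (origin_allowed, credentials_allowed).

    A browser rejects a literal '*' together with credentials, so permissive
    servers echo the requesting origin instead of '*' when allow_credentials
    is True. That reflected origin plus credentials is the dangerous case."""
    if "*" in cfg.allow_origins or origin in cfg.allow_origins:
        return True, cfg.allow_credentials
    return False, False


def audit(cors: CorsConfig, refresh_cookie: CookieConfig) -> list:
    """Return findings for the configuration; an empty list means none."""
    findings = []
    if "*" in cors.allow_origins and cors.allow_credentials:
        findings.append("CORS: allow_origins='*' combined with allow_credentials=True")
    for origin in cors.allow_origins:
        if origin != "*" and urlsplit(origin).scheme != "https":
            findings.append(f"CORS: non-HTTPS origin allowed: {origin}")
    if refresh_cookie.samesite.lower() == "none":
        findings.append(f"cookie {refresh_cookie.name}: SameSite=None is sent on cross-site requests")
    if not refresh_cookie.secure:
        findings.append(f"cookie {refresh_cookie.name}: missing Secure attribute")
    if not refresh_cookie.httponly:
        findings.append(f"cookie {refresh_cookie.name}: missing HttpOnly attribute")
    return findings


def cross_site_credentialed_read_possible(cors: CorsConfig, refresh_cookie: CookieConfig,
                                          foreign_origin: str) -> bool:
    """True when a page on `foreign_origin` could have the victim's browser attach
    the refresh cookie to a request and read the response: the origin is accepted
    with credentials AND the cookie travels on cross-site requests."""
    allowed, creds = cors_decision(cors, foreign_origin)
    return allowed and creds and refresh_cookie.samesite.lower() == "none"


# Weak settings as described in the advisory (constructed values, assumed cookie name).
VULNERABLE_CORS = CorsConfig(allow_origins=["*"], allow_credentials=True)
VULNERABLE_COOKIE = CookieConfig("refresh_token", samesite="None", secure=True, httponly=True)

# Hardened counterpart: an explicit HTTPS allowlist and a Lax cookie.
HARDENED_CORS = CorsConfig(allow_origins=["https://langflow.example.internal"], allow_credentials=True)
HARDENED_COOKIE = CookieConfig("refresh_token", samesite="Lax", secure=True, httponly=True)

if __name__ == "__main__":
    for label, cors, cookie in (("vulnerable", VULNERABLE_CORS, VULNERABLE_COOKIE),
                                ("hardened", HARDENED_CORS, HARDENED_COOKIE)):
        print(label, audit(cors, cookie) or "no findings",
              "| cross-site read possible:",
              cross_site_credentialed_read_possible(cors, cookie, "https://foreign.example"))
```

      The hardened variant keeps allow_credentials=True, which the UI needs, but pairs it with an explicit allowlist and a SameSite=Lax cookie; either change on its own already makes cross_site_credentialed_read_possible() return False, which is the property to confirm after the step 3.3 review.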

      4. Risk reduction
        4.1 Limit exposure of Langflow to the internet to what is strictly required, and provide access through a VPN, Zero Trust Access, a reverse proxy, or a controlled internal network
        4.2 Review logs for anomalous behaviour related to refresh token requests, unusual session usage, calls to sensitive endpoints, and code execution within Langflow
        4.3 Review Langflow user accounts for newly created accounts, permission changes, or activity inconsistent with normal use
        4.4 If updating immediately is not possible, restrict Langflow use to essential users only, block access from external networks, and add detection through a WAF / reverse proxy / SIEM
        4.5 Warn users not to open untrusted links or websites while they have an active Langflow session, since the vulnerability involves cross-origin requests sent through the user's browser session
        4.6 Administrators should closely follow announcements from CSA, GitHub Advisory, NVD, and the Langflow developers for the latest patch guidance and mitigations
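      The log review in 4.2 and the proxy/SIEM detection in 4.4 come down to one question: did a browser send a cookie-bearing request to a token or execution endpoint on behalf of a page from an origin that is not ours? The following is an added example, not Langflow's or NCSA's code. It runs over constructed reverse-proxy log records (JSON lines with the fields a proxy can be configured to emit, including the request Origin and whether a cookie was attached); the endpoint paths and the trusted-origin list are assumptions.

```python
"""Flag cross-origin, credentialed calls to Langflow token and execution
endpoints in reverse-proxy logs, supporting the log review in 4.2 and the
proxy/SIEM detection in 4.4.

Added example, not Langflow's or NCSA's code. The log records are constructed
JSON lines with fields a proxy can be configured to emit (request origin and
whether a cookie was present); the endpoint paths and the trusted-origin list
are assumptions for illustration."""
import json
from collections import Counter

TRUSTED_ORIGINS = {"https://langflow.example.internal"}                    # assumed
SENSITIVE_PATHS = ("/api/v1/refresh", "/api/v1/login", "/api/v1/build/")  # assumed paths

# Constructed sample: one legitimate refresh, three requests driven from a foreign
# origin (two succeeded, one rejected after hardening), and one non-browser call.
SAMPLE_LOG = """\
{"ts": "2026-06-03T09:00:01Z", "client": "10.0.0.5", "method": "POST", "path": "/api/v1/refresh", "origin": "https://langflow.example.internal", "cookie": true, "status": 200}
{"ts": "2026-06-03T09:00:07Z", "client": "10.0.0.5", "method": "POST", "path": "/api/v1/refresh", "origin": "https://ads.example.net", "cookie": true, "status": 200}
{"ts": "2026-06-03T09:00:09Z", "client": "10.0.0.5", "method": "POST", "path": "/api/v1/build/flow-123", "origin": "https://ads.example.net", "cookie": true, "status": 200}
{"ts": "2026-06-03T09:01:00Z", "client": "10.0.0.9", "method": "GET", "path": "/api/v1/flows", "origin": null, "cookie": true, "status": 200}
{"ts": "2026-06-03T09:02:00Z", "client": "10.0.0.7", "method": "POST", "path": "/api/v1/refresh", "origin": "https://ads.example.net", "cookie": true, "status": 403}
"""


def parse_records(log_text: str) -> list:
    """Parse one JSON object per non-empty line."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def is_suspicious(rec: dict) -> bool:
    """Cross-origin (Origin present and untrusted) cookie-bearing request to a sensitive path."""
    origin = rec.get("origin")
    if origin is None or origin in TRUSTED_ORIGINS:
        return False            # same-origin page or non-browser client
    if not rec.get("cookie"):
        return False            # no session cookie attached, nothing to abuse
    return rec["path"].startswith(SENSITIVE_PATHS)


def summarize(log_text: str) -> dict:
    """Count suspicious requests, how many succeeded (2xx), and who sent them."""
    alerts = [r for r in parse_records(log_text) if is_suspicious(r)]
    return {
        "suspicious": len(alerts),
        "succeeded": sum(1 for a in alerts if 200 <= a["status"] < 300),
        "by_client": Counter(a["client"] for a in alerts),
        "by_origin": Counter(a["origin"] for a in alerts),
        "alerts": alerts,
    }


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    print(f"{summary['suspicious']} suspicious request(s), {summary['succeeded']} succeeded")
    for a in summary["alerts"]:
        print(a["ts"], a["client"], a["origin"], a["method"], a["path"], a["status"])
```

      A succeeded count above zero for a client is the signal to act on under 3.4 (rotate that user's tokens and secrets) and 4.3 (review that account's recent activity); the 403 entry shows what the same rule reports once the origin allowlist is in place, which is the confirmation to look for after patching.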
        References
        [1] https://dg.th/bdesg19iwx
        [2] https://dg.th/x4f3ez7wdb
        [3] https://dg.th/qi4hezjfgo

      Posted in Cyber Security News
      NCSA_THAICERT
    • Windows Netlogon vulnerability exploited in the wild; administrators should patch urgently

      Follow news on the webboard or NCSA Thailand Facebook

      Posted in Cyber Security News
      NCSA_THAICERT
    • ShinyHunters leaks data allegedly stolen from Charter Communications, potentially affecting more than 5 million customers

      Follow news on the webboard or NCSA Thailand Facebook

      Posted in Cyber Security News
      NCSA_THAICERT
    • Critical vulnerability in the WP Maps Pro WordPress plugin allows unauthorized creation of administrator accounts

      Follow news on the webboard or NCSA Thailand Facebook

      Posted in Cyber Security News
      NCSA_THAICERT
    • Windows Netlogon vulnerability now exploited in the wild; install patches immediately

      The National Computer System Security Coordination Center (ThaiCERT) has been monitoring cyber threat news and found reports that attackers are actively exploiting the critical vulnerability CVE-2026-41089 in Windows Netlogon (Active Exploitation). The incident poses a severe risk because an attacker can take over the entire Active Directory environment without a password. Every organization running Windows Server as a Domain Controller that has not yet applied the security patch is directly affected [1]

      1. Threat details [2]
        CVE-2026-41089 has a severity score of 9.8 under CVSS v3.1. It is a Remote Code Execution (RCE) vulnerability caused by a stack-based buffer overflow in the Netlogon service, which handles authentication and communication between client machines and Domain Controllers in an organization's Active Directory

      Agencies can find further information at https://dg.th/x7al8id2ft

      2. Attack behaviour
        An attacker can compromise the system by sending a specially crafted network request to the Netlogon service on a Windows Server acting as a Domain Controller, triggering a data-processing error that results in a buffer overflow in system memory, without any user account or access rights on the system. If the compromise succeeds, the attacker can execute arbitrary code of their choosing with system privileges on the Domain Controller, allowing them to take control of the domain, escalate user account privileges, steal or destroy critical data, and install malware to extend the attack to other systems in the organization's network

      3. Potential impact
        3.1 The attacker can run commands or programs on the Domain Controller
        3.2 The attacker obtains SYSTEM privileges, the highest privilege level in Windows Server
        3.3 Access to, modification of, or destruction of critical organizational data
        3.4 Takeover of Active Directory and the user accounts within the domain
        3.5 Installation of additional malware or backdoors

      4. Prevention and risk reduction
        4.1 Install the security patch from Microsoft
        4.2 Audit the Domain Controllers within the organization
        4.3 Restrict access to the Netlogon service

      5. Interim measures if patching is not yet possible
        5.1 Restrict access to Domain Controllers, for example by blocking access from unrelated networks
        5.2 Separate Domain Controllers from general user networks
        5.3 Limit communication between VLANs or security zones to what is necessary
        5.4 Limit and audit privileged accounts, for example by minimizing the number of highly privileged users and enabling Multi-Factor Authentication (MFA)
      References
      [1] https://dg.th/h6439ag50y
      [2] https://dg.th/e7op9w6z8k

      Posted in Cyber Security News
      NCSA_THAICERT
    • CISA releases 11 Industrial Control Systems (ICS) advisories

      The Cybersecurity and Infrastructure Security Agency (CISA) released 11 Industrial Control Systems (ICS) advisories on 28 May 2569 B.E. (2026) to provide timely information about security issues, vulnerabilities, and exploits surrounding ICS. Details are as follows

      • ICSA-26-148-01 MacGregor Voyage Data Recorder (VDR) G4e
      • ICSA-26-148-02 Jinan USR IOT Technology Limited (PUSR) USR-W610 RS232/485 to Wi-Fi/Ethernet Converter
      • ICSA-26-148-03 ABB EIBPORT
      • ICSA-26-148-04 ABB Busch-Welcome 2 Wire Door Opener Actuator
      • ICSA-26-148-05 CP Plus 8 Ch. Network Video Recorder
      • ICSA-26-148-06 KMW CCTV Security Cameras
      • ICSA-26-148-07 Schneider Electric EcoStruxure Machine Expert HVAC
      • ICSA-26-148-08 XCharge C6
      • ICSMA-26-148-01 Fourth Frontier Frontier X Mobile Application, Frontier X2
      • ICSA-20-212-04 Mitsubishi Electric Factory Automation Engineering Products (Update L)
      • ICSA-26-146-03 ABB Ability Zenon Remote Transport Vulnerability (Update A)

      CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations

      Reference
      https://www.cisa.gov/news-events/ics-advisories

      Posted in OT Cyber Security News
      NCSA_THAICERT
    • CISA adds one known exploited vulnerability to its catalog

      On 1 June 2569 B.E. (2026), the Cybersecurity and Infrastructure Security Agency (CISA) added one new vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. Details are as follows

      • CVE-2024-21182 Oracle WebLogic Server Unspecified Vulnerability

      CISA will continue to update the KEV catalog with new vulnerabilities to cover the risks actually detected now and in the future

      Reference
      https://www.cisa.gov/news-events/alerts/2026/06/01/cisa-adds-one-known-exploited-vulnerability-catalog
      Follow news on the webboard or NCSA Thailand Facebook

      Posted in Cyber Security News
      NCSA_THAICERT