NCSA Webboard

    Posts created by NCSA_THAICERT

    • 🚨 Urgent!! OAuth redirect abuse used for phishing attacks and malware delivery

      The National Computer Systems Security Coordination Center (ThaiCERT) has been monitoring the cyber threat landscape and has found reports of OAuth redirect abuse being used to carry out phishing attacks and deliver malware. Users are tricked into clicking a link and are taken to a website controlled by the attacker, where they may be lured into downloading a malicious file or have their computer infected with malware.

      1. Vulnerability details
        • The attack campaign abuses the redirect mechanism of the OAuth flow. The attacker crafts an OAuth link with abnormal or invalid parameters, which pushes the identity provider's authentication flow into its error-handling path and causes the user to be redirected to a website the attacker controls.

      Because the link carries the domain of a trusted identity provider, users may mistakenly believe it is safe, and it can evade some types of anti-phishing protection.

      2. Attack behaviour
        • The attacker builds an OAuth link with faulty parameters (for example an invalid scope or prompt=none), causing the provider's OAuth system, such as Microsoft Entra ID or Google Workspace, to redirect to a location of the attacker's choosing.
        • The attack link is delivered by email as a phishing message designed to look like a genuine message from the organisation, such as an e-signature notification, a meeting invitation, or a password-reset request. The link may sit directly in the email body or be hidden inside a PDF attachment.
        • The landing page offers a ZIP file containing malware for download; when the file is opened, a PowerShell command runs to download and install the malware.

      The campaign was found to target government organisations, using this technique to bypass common anti-phishing protections in email and web browsers by presenting a URL that appears legitimate and safe because it belongs to a trusted provider.

      3. Prevention and risk-reduction guidance
        • Review and control the OAuth applications that are permitted to access accounts
        • Remove apps that are unnecessary or that hold more permissions than they need
        • Use protective measures such as Cloud Email Security, Identity Protection, Conditional Access Policies, or monitoring of cross-domain activity across email, identity systems, and endpoints

      4. References
        • https://dg.th/3ktm176h9j

      Posted in Cyber Security News by NCSA_THAICERT
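      One way to triage the links described in the post above, as an added example that is not part of the advisory or of ThaiCERT's own tooling: the script parses OAuth authorization links found in an email, recognises the Microsoft Entra ID and Google authorize endpoints (the documented endpoint paths are assumed), and flags the three traits the post describes: a redirect_uri pointing outside the organisation's trusted application hosts, prompt=none, and malformed scope tokens. The trusted host list and the sample links are constructed for the example.

```python
"""Triage OAuth authorisation links extracted from email.

Added example, not code from the ThaiCERT advisory. Assumptions: the authorize
endpoint paths are the documented Microsoft Entra ID and Google ones; the
trusted redirect hosts and the sample links are constructed for this example.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set
from urllib.parse import parse_qs, urlsplit

# Authorization endpoints of the identity providers named in the advisory.
AUTHORIZE_ENDPOINTS: Dict[str, re.Pattern] = {
    "login.microsoftonline.com": re.compile(r"^/[^/]+/oauth2(/v2\.0)?/authorize$"),
    "accounts.google.com": re.compile(r"^/o/oauth2(/v2)?/auth$"),
}

# A well-formed scope token; anything else is treated as a deliberately invalid scope.
SCOPE_TOKEN = re.compile(r"^[A-Za-z0-9._:/-]+$")


@dataclass
class Triage:
    url: str
    idp: Optional[str] = None            # IdP host when the link is an authorize URL
    redirect_host: Optional[str] = None  # host the IdP would send the user to
    findings: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Findings prefixed with "!" are the ones that warrant blocking or escalation.
        return any(f.startswith("!") for f in self.findings)


def triage_oauth_link(url: str, trusted_redirect_hosts: Set[str]) -> Triage:
    """Flag an authorize link whose redirect_uri, prompt or scope match the lure pattern."""
    t = Triage(url=url)
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    endpoint = AUTHORIZE_ENDPOINTS.get(host)
    if endpoint is None or not endpoint.match(parts.path):
        t.findings.append("not an OAuth authorize endpoint of a known IdP")
        return t
    t.idp = host

    # parse_qs percent-decodes values; keep the last value if a key is repeated.
    q = {k: v[-1] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}

    # 1. Where will the IdP send the user, with a code or with an error?
    redirect = q.get("redirect_uri")
    if redirect is None:
        t.findings.append("! redirect_uri missing")
    else:
        t.redirect_host = (urlsplit(redirect).hostname or "").lower()
        if t.redirect_host not in trusted_redirect_hosts:
            t.findings.append(
                f"! redirect_uri host '{t.redirect_host}' is not a trusted application host"
            )

    # 2. prompt=none suppresses the sign-in UI, so an error goes straight to redirect_uri.
    if q.get("prompt", "").lower() == "none":
        t.findings.append("! prompt=none: no sign-in UI, errors are returned to redirect_uri")

    # 3. Malformed scope tokens are the other error trigger named in the advisory.
    scope = q.get("scope", "")
    bad = [s for s in scope.split() if not SCOPE_TOKEN.match(s)]
    if not scope.strip():
        t.findings.append("! scope missing")
    elif bad:
        t.findings.append(f"! malformed scope token(s): {bad}")
    return t


# Constructed sample links (not from the advisory).
SAMPLE_LINKS = [
    # a normal sign-in link for a corporate app
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=11111111-1111-1111-1111-111111111111&response_type=code"
    "&redirect_uri=https%3A%2F%2Fportal.example-corp.com%2Fsignin-oidc"
    "&scope=openid%20profile%20offline_access&state=x1",
    # lure: redirect to an attacker host, prompt=none, invalid scope
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=22222222-2222-2222-2222-222222222222&response_type=code"
    "&redirect_uri=https%3A%2F%2Fdocs-esign.example.net%2Fview"
    "&scope=%7Binvalid%7D&prompt=none&state=x2",
    # lure on the Google endpoint
    "https://accounts.google.com/o/oauth2/v2/auth"
    "?client_id=abc.apps.googleusercontent.com&response_type=code"
    "&redirect_uri=https%3A%2F%2Fmeet-invite.example.org%2Fcb&scope=openid",
    # same trusted domain, but not an authorize endpoint
    "https://login.microsoftonline.com/common/reprocess?ctx=abc",
]
TRUSTED_REDIRECT_HOSTS = {"portal.example-corp.com"}


def triage_all(links=SAMPLE_LINKS, trusted=TRUSTED_REDIRECT_HOSTS) -> List[Triage]:
    return [triage_oauth_link(u, trusted) for u in links]


if __name__ == "__main__":
    for t in triage_all():
        print("SUSPICIOUS" if t.suspicious else "ok        ", t.url)
        for f in t.findings:
            print("   ", f)
```

      The redirect_uri host is the strongest signal: the provider only sends the user, and any error, to the redirect_uri tied to the client_id in the link, so a link to a trusted IdP whose redirect_uri points outside your own application hosts is the lure itself, whatever the rest of the query looks like. The same allowlist of application hosts is what the post's third recommendation (review the OAuth apps allowed to access accounts) produces as a by-product, so keep the two in step.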
    • CISA adds 2 exploited vulnerabilities to its catalog

      On 3 March 2026, the Cybersecurity and Infrastructure Security Agency (CISA) added 2 new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence that they are being exploited in real attacks, as follows:

      • CVE-2026-21385 Qualcomm Multiple Chipsets Memory Corruption Vulnerability
      • CVE-2026-22719 Broadcom VMware Aria Operations Command Injection Vulnerability

      Reference
      https://www.cisa.gov/news-events/alerts/2026/03/03/cisa-adds-two-known-exploited-vulnerabilities-catalog
      Follow the news on the webboard or on Facebook NCSA Thailand

      Posted in Cyber Security News by NCSA_THAICERT
    • CISA publishes 9 Industrial Control Systems (ICS) advisories

      On 3 March 2026, the Cybersecurity and Infrastructure Security Agency (CISA) published 9 advisories on industrial control systems (ICS) to provide timely information on security issues, vulnerabilities, and attacks involving ICS, as detailed below:

      • ICSA-26-062-01 Mitsubishi Electric MELSEC iQ-F Series EtherNet/IP module and Ethernet Module
      • ICSA-26-062-02 Hitachi Energy Relion REB500
      • ICSA-26-062-03 Hitachi Energy RTU500 Product
      • ICSA-26-062-04 Portwell Engineering Toolkits
      • ICSA-26-062-05 Labkotec LID-3300IP
      • ICSA-26-062-06 Mobiliti e-mobi.hu
      • ICSA-26-062-07 ePower epower.ie
      • ICSA-26-062-08 Everon api.everon.io
      • ICSA-25-023-02 Hitachi Energy RTU500 Series Product (Update B)

      CISA recommends that users and administrators review the newly released ICS advisories for technical details and mitigations.

      Reference
      https://www.cisa.gov/news-events/ics-advisories
      Follow the news on the webboard or on Facebook NCSA Thailand

      Posted in OT Cyber Security News by NCSA_THAICERT
    • Cyber Threat Intelligence 04 March 2026

      Healthcare Sector

      • Healthcare Organizations Are Accepting Cyber Risk To Cut Costs
        "Healthcare organizations are cutting cybersecurity budgets under financial pressure even as the threats targeting their systems intensify. A PwC survey of 381 global healthcare executives, conducted between May and July 2025, puts numbers to the gap between the risks the sector faces and the controls it has in place. Data protection ranks as the single biggest driver of cybersecurity spending in the sector, yet only 35% of healthcare organizations have implemented data risk controls across the entire data life cycle. The global average across all sectors is 44%."
        https://www.helpnetsecurity.com/2026/03/03/pwc-healthcare-cybersecurity-threats-2026/

      Industrial Sector

      • Honeywell Trend IQ4xx BMS Controller Unauthenticated Remote Web-HMI Control And Lockout
        "The Honeywell IQ4 (Trend IQ4) is a line of intelligent building-management controllers designed to provide advanced unitary control, HVAC integration, and scalable I/O expansion for commercial environments. These controllers use Ethernet and TCP/IP networking with embedded XML, support BACnet over IP, and can expand up to 192 I/O points depending on the model, making them suitable for a wide range of plant-control applications. They offer multiple communication ports (Ethernet, USB, RS232, Wallbus), optional Trend current-loop networking, and seamless compatibility with other Trend IQ controllers - enabling unified, energy-efficient building automation across devices."
        https://www.zeroscience.mk/en/vulnerabilities/ZSL-2026-5979.php
        https://www.securityweek.com/honeywell-researcher-clash-over-impact-of-building-controller-vulnerability/

      Vulnerabilities

      • CISA Adds Two Known Exploited Vulnerabilities To Catalog
        "CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
        CVE-2026-21385 Qualcomm Multiple Chipsets Memory Corruption Vulnerability
        CVE-2026-22719 Broadcom VMware Aria Operations Command Injection Vulnerability"
        https://www.cisa.gov/news-events/alerts/2026/03/03/cisa-adds-two-known-exploited-vulnerabilities-catalog
        https://www.bleepingcomputer.com/news/security/cisa-flags-vmware-aria-operations-rce-flaw-as-exploited-in-attacks/
      • Zenity Labs Discloses PleaseFix Vulnerability Family In Perplexity Comet And Other Agentic Browsers
        "Zenity Labs today disclosed PleaseFix, a family of critical vulnerabilities affecting agentic browsers, including Perplexity Comet, that allow attackers to silently hijack AI agents, access local files and steal credentials within authenticated user sessions. The vulnerabilities can be triggered through malicious content embedded in routine workflows, enabling unauthorized actions without user awareness. The disclosure includes PerplexedBrowser, a subfamily of vulnerabilities in the Perplexity Comet browser that consists of two distinct exploit paths."
        https://zenity.io/company-overview/newsroom/company-news/zenity-labs-discloses-pleasefix-perplexedagent-vulnerability
        https://cyberscoop.com/agentic-ai-browsers-allow-hijacking-zenity-labs-comet/
        https://www.theregister.com/2026/03/03/perplexity_comet_browser_hole_cal_invite/
      • New ‘AirSnitch’ Attack Shows Wi-Fi Client Isolation Could Be a False Sense Of Security
        "Researchers from UC Riverside developed attacks able to bypass client isolation in Wi-Fi networks used at home, at work, in airports, and in coffee shops. Four computer scientists from Riverside, and one from KU Leuven (Belgium) found that every router and network they tested was vulnerable to at least one attack. Their findings are detailed in a paper (AirSnitch: Demystifying and Breaking Client Isolation in Wi-Fi Networks) presented at the NDSS Symposium 2026."
        https://www.securityweek.com/new-airsnitch-attack-shows-wi-fi-client-isolation-could-be-a-false-sense-of-security/
        https://www.ndss-symposium.org/wp-content/uploads/2026-f1282-paper.pdf
      • CVE-2026-2256: From AI Prompt To Full System Compromise
        "AI agents are amazing coworkers. They read logs at 3 a.m., automate boring tasks, and never complain about documentation. Unfortunately, they also share one small flaw: when given too much autonomy, they can become exceptionally obedient — including obedient to attacker-controlled input. This research demonstrates how an MS-Agent, while simply doing what it was designed to do, can be quietly manipulated into executing arbitrary system commands and compromising its own host."
        https://medium.com/@itamar.yochpaz/cve-2026-2256-from-ai-prompt-to-full-system-compromise-a4114c718326
        https://www.securityweek.com/vulnerability-in-ms-agent-ai-framework-can-allow-full-system-compromise/

      Malware

      • Exposing a Russian Campaign Targeting Ukraine Using New Malware Duo: BadPaw And MeowMeow
        "ClearSky Team has identified a targeted Russian cyber campaign against Ukraine utilizing two novel malware strains, BadPaw and MeowMeow. The attack chain initiates with a phishing email containing a link to a ZIP archive. Once extracted, an initial HTA file displays a lure document written in Ukrainian concerning border crossing appeals to deceive the victim. Simultaneously, the infection triggers the download of BadPaw, a .NET-based loader. Upon establishing command-and-control (C2) communication, the loader deploys MeowMeow, a sophisticated backdoor."
        https://www.clearskysec.com/russian-campaign-targeting-ukraine-badpaw-and-meowmeow/
      • Silver Dragon: China Nexus Cyber Espionage Group Targeting Governments In Asia And Europe
        "Check Point Research has identified and tracked a cyber espionage campaign targeting government organizations across Southeast Asia and parts of Europe. We designate this activity cluster as Silver Dragon, which has been active since at least mid-2024. The campaign combines server exploitation, phishing, custom malware, and cloud-based command infrastructure to establish long-term access in targeted environments. Based on multiple converging indicators, Check Point Research assesses with high confidence that Silver Dragon is a China nexus threat actor, likely operating within the umbrella of APT41."
        https://blog.checkpoint.com/research/silver-dragon-china-nexus-cyber-espionage-group-targeting-governments-in-asia-and-europe/
      • Coruna: The Mysterious Journey Of a Powerful iOS Exploit Kit
        "Google Threat Intelligence Group (GTIG) has identified a new and powerful exploit kit targeting Apple iPhone models running iOS version 13.0 (released in September 2019) up to version 17.2.1 (released in December 2023). The exploit kit, named “Coruna” by its developers, contained five full iOS exploit chains and a total of 23 exploits. The core technical value of this exploit kit lies in its comprehensive collection of iOS exploits, with the most advanced ones using non-public exploitation techniques and mitigation bypasses."
        https://cloud.google.com/blog/topics/threat-intelligence/coruna-powerful-ios-exploit-kit
        https://iverify.io/press-releases/first-known-mass-ios-attack
        https://cyberscoop.com/coruna-ios-exploit-kit-leaked-us-framework/
        https://www.helpnetsecurity.com/2026/03/03/coruna-ios-exploit-kit/
      • Middle East On The Brink: Iran-US-Israel Hostilities Trigger Cyber-Kinetic Conflict
        "The geopolitical landscape of the Middle East has entered one of its most volatile phases in decades. On February 28, 2026, tensions that had been simmering for years erupted into a full‑blown conflict involving the Islamic Republic of Iran, the United States, and Israel. A confluence of diplomatic stalemate, military posturing, and covert cyber preparations set the stage for what would evolve from a localized confrontation into an expansive, multi‑domain campaign."
        https://cyble.com/blog/middle-east-iran-us-israel-hybrid-conflict/
      • Abusing .arpa: The TLD That Isn’t Supposed To Host Anything
        "Phishing email campaigns are so common that it takes something fundamentally different to stand out. We recently found campaigns using a novel, previously unreported method to get around security controls. Actors are abusing the .arpa top-level domain (TLD), in conjunction with IPv6 tunnels, to host phishing content on domains that should not resolve to an IP address. Unlike familiar TLDs like .com and .net, that are used for domains that host web content, the .arpa TLD has a special role in the domain name system (DNS): it’s primarily used to map IP addresses to domains, providing reverse records. Threat actors have discovered a feature in the DNS record management control of certain providers, which allows them to add IP address records for .arpa domains. From there, they can do whatever they like at the hosting provider. It’s a pretty clever trick."
        https://www.infoblox.com/blog/threat-intelligence/abusing-arpa-the-tld-that-isnt-supposed-to-host-anything/
        https://hackread.com/hackers-arpa-top-level-domain-phishing-scams/
      • RedAlert Trojan Campaign: Fake Emergency Alert App Spread Via SMS Spoofing Israeli Home Front Command
        "CloudSEK has uncovered a malicious SMS spoofing campaign spreading a fake version of Israel’s “Red Alert” emergency app amid the ongoing conflict. Disguised as a trusted warning platform, the trojanized Android app can steal SMS, contacts, and location data while appearing legitimate. The report highlights how cybercriminals are weaponising public fear during crises to deploy mobile spyware with serious security and real-world implications."
        https://www.cloudsek.com/blog/redalert-trojan-campaign-fake-emergency-alert-app-spread-via-sms-spoofing-israeli-home-front-command
        https://www.infosecurity-magazine.com/news/redalert-israel-spyware-campaign/
      • Fake Tech Support Spam Deploys Customized Havoc C2 Across Organizations
        "Threat hunters have called attention to a new campaign as part of which bad actors masqueraded as fake IT support to deliver the Havoc command-and-control (C2) framework as a precursor to data exfiltration or ransomware attack. The intrusions, identified by Huntress last month across five partner organizations, involved the threat actors using email spam as lures, followed by a phone call from an IT desk that activates a layered malware delivery pipeline."
        https://thehackernews.com/2026/03/fake-tech-support-spam-deploys.html
      • Fooling AI Agents: Web-Based Indirect Prompt Injection Observed In The Wild
        "Large language models (LLMs) and AI agents are becoming deeply integrated into web browsers, search engines and automated content-processing pipelines. While these integrations can expand functionality, they also introduce a new and largely underexplored attack surface. One particularly concerning class of threats is indirect prompt injection (IDPI), in which adversaries embed hidden or manipulated instructions within website content that is later ingested by an LLM. This article shares in-the-wild observations from our telemetry, including our first observed case of AI-based ad review evasion."
        https://unit42.paloaltonetworks.com/ai-agent-prompt-injection/
      • Active Reconnaissance Campaign Targets SonicWall Firewalls Through Commercial Proxy Infrastructure
        "GreyNoise observed 84,142 scanning sessions targeting SonicWall SonicOS infrastructure between February 22 and February 25, 2026. The activity originated from 4,305 unique IP addresses across 20 autonomous systems, with three operationally distinct infrastructure clusters executing coordinated VPN enumeration. Ninety-two percent of sessions probed a single API endpoint to determine whether SSL VPN is enabled — the prerequisite check before credential attacks. A commercial proxy service delivered 32% of campaign volume through 4,102 rotating exit IPs in two surgical bursts totaling 16 hours. CVE exploitation was negligible, confirming this as systematic attack surface mapping."
        https://www.greynoise.io/blog/active-reconnaissance-campaign-targets-sonicwall-firewalls-through-commercial-proxy-infrastructure

      Breaches/Hacks/Leaks

      • Paint Maker Giant AkzoNobel Confirms Cyberattack On U.S. Site
        "The multinational Dutch paint company AkzoNobel has confirmed to BleepingComputer that hackers breached the network of one of its U.S. sites. Following a data leak from the Anubis ransomware gang, a company spokesperson said that the intrusion has been contained and that the impact is limited. “AkzoNobel has identified a security incident at one of our sites in the United States. The incident was limited to the respective site and was already contained,” the company told BleepingComputer."
        https://www.bleepingcomputer.com/news/security/paint-maker-giant-akzonobel-confirms-cyberattack-on-us-site/
      • LexisNexis Confirms Data Breach As Hackers Leak Stolen Files
        "American data analytics company LexisNexis Legal & Professional has confirmed to BleepingComputer that hackers breached its servers and accessed some customer and business information. The company's data breach confirmation comes as a threat actor named FulcrumSec leaked 2GB of files on various underground forums and sites. LexisNexis L&P is a global provider of legal, regulatory, and business information, research tools, and analytics used by lawyers, corporations, governments, and academic institutions in more than 150 countries worldwide."
        https://www.bleepingcomputer.com/news/security/lexisnexis-confirms-data-breach-as-hackers-leak-stolen-files/
        https://therecord.media/lexisnexis-says-hackers-accessed-legacy-data
      • Star Citizen Game Dev Discloses Breach Affecting User Data
        "Cloud Imperium Games (CIG), the game company behind Star Citizen and Squadron 42, says attackers breached systems containing some users' personal information in January. The California-based publisher and video game developer was founded in 2012 by game developer Chris Roberts (of Wing Commander fame), and it operates five game studios with a crew of over 700 employees. In 2012, it announced the multiplayer space-simulation game Star Citizen. However, despite a Kickstarter campaign that raised over $2 million from backers, the game has still not exited its "early access" phase 14 years later."
        https://www.bleepingcomputer.com/news/security/star-citizen-game-dev-discloses-breach-affecting-user-data/
      • Cyber Battlefield: Ariomex, Iran-Based Crypto Exchange, Suffers Data Leak
        "Cyber operations against Iran are used not only to disrupt military capabilities but also to pressure senior regime officials and their associates to defect, and to accelerate regime change from within. Current events affect multiple layers of the Iranian regime, including the financial system, where the Iranian government invests substantial efforts in building tools to evade sanctions and finance illegal activity, including via cryptocurrencies. In January 2026, the Central Bank of Iran (CBI) acquired more than half a billion dollars (about $507 million) worth of Tether’s USDT, with indications that the stablecoins were used to prop up the country’s fiat currency."
        https://www.resecurity.com/blog/article/cyber-battlefield-ariomex-iran-based-crypto-exchange-suffers-data-leak
        https://www.infosecurity-magazine.com/news/iranian-crypto-leaked-database/
        https://securityaffairs.com/188848/digital-id/ariomex-iran-based-crypto-exchange-suffers-data-leak.html
      • Cybercriminals Swipe 15.8M Medical Records From French Doctors Ministry
        "Around 15.8 million administrative files were stolen after attackers breached a software supplier to France's health ministry. The supplier, Cegedim Santé, confirmed the data was compromised in late 2025. Approximately 165,000 of these files contained notes penned by doctors, which in "very limited cases" contained sensitive information about an individual's medical history. According to broadcaster France 24, which first reported the news, these medical histories included, in some cases, details of conditions such as HIV/AIDS and individuals' sexual orientations. Top politicians were reportedly among the individuals whose info was extracted."
        https://www.theregister.com/2026/03/03/french_medical_leak/

      General News

      • Compromised Site Management Panels Are a Hot Item In Cybercrime Markets
        "Threat actors are openly advertising access to hacked websites as part of the underground economy. One of the most promising products is a compromised cPanel credential. They are sold in the thousands across at commodity-level pricing and marketed as plug-and-play infrastructure for and scam campaigns. In new research, Flare security researchers analyzed activity across monitored fraudulent groups over a seven-day period, showing a structured ecosystem operating at scale."
        https://www.bleepingcomputer.com/news/security/compromised-site-management-panels-are-a-hot-item-in-cybercrime-markets/
      • AI Agent Overload: How To Solve The Workload Identity Crisis
        "Authenticating workloads is becoming more and more complex, particularly given things like AI agents and the wide range of identity permissions they need. Organizations need to be thinking ahead on securing workloads in complicated modern environments, but it's not an easy task. Researchers at Zscaler hope to explore this evolution in an upcoming RSAC 2026 Conference session entitled, "What Are You, Really? Authenticating Workloads in a Zero Trust World.""
        https://www.darkreading.com/cloud-security/ai-agent-workload-identity-crisis
      • The Tug-Of-War Over Firewall Backlogs In The AI-Driven Development Era
        "The relationship between application developers and security teams has always been fraught with tension. At the core lies an ongoing battle — speed versus security — and that tug of war has been further exacerbated by mounting firewall backlog challenges driven by increased reliance on artificial intelligence and automation. Traditionally, developers submit a firewall rule request before deploying a new application, service, or tool inside an enterprise environment."
        https://www.darkreading.com/cloud-security/tug-of-war-firewall-backlogs-ai-driven-development
      • 5 Years Of Shifting Cybersecurity Behavior
        "Online security is built through routine decisions made across devices and accounts. People choose how to create passwords, how often to reuse them, and how much effort to invest in protecting personal data. The National Cybersecurity Alliance and CybSafe’s Oh, Behave! The Cybersecurity Attitudes and Behaviors Report: 2021–2025 follows those patterns over five years, drawing on responses from more than 24,000 adults and documenting how attitudes and behaviors shift over time."
        https://www.helpnetsecurity.com/2026/03/03/national-cybersecurity-alliance-cybsafe-cybersecurity-behavior-trends-report/
      • Introducing The 2026 Cloudflare Threat Report
        "Today’s threat landscape is more varied and chilling than ever: Sophisticated nation-state actors. Hyper-volumetric DDoS attacks. Deepfakes and fraudsters interviewing at your company. Even stealth attacks via trusted internal tools like Google Calendar, Dropbox, and GitHub. After spending the last year translating trillions of network signals into actionable intelligence, Cloudforce One has identified a fundamental evolution in the threat landscape: the era of brute force entry is fading. In its place is a model of high-trust exploitation that prioritizes results at all costs. In order to equip defenders with a strategic roadmap for this new era, today we are releasing the inaugural 2026 Cloudflare Threat Report. This report provides the intelligence organizations need to navigate the rise of industrialized cyber threats."
        https://blog.cloudflare.com/2026-threat-report/
        https://www.infosecurity-magazine.com/news/ai-deepfakes-supercharge/
        https://www.helpnetsecurity.com/2026/03/03/cloudflare-cyber-threat-report-2026/
      • Half Of US CISOs Work The Equivalent Of a Six-Day Week
        "US cybersecurity leaders are being put under increasing pressure to compensate for process gaps and tackle escalating threats, with many working the equivalent of six or seven days a week, according to Seemplicity. The security vendor polled 300 CISOs and their equivalents to produce its State of the Cybersecurity Workforce Report. It revealed that 45% of respondents work 11+ extra hours per week – equivalent to an additional day – and 20% work an extra 16+ hours weekly."
        https://www.infosecurity-magazine.com/news/half-us-cisos-work-equivalent/
      • Huge “Shadow Layer” Of Organizations Hit By Supply Chain Attacks
        "Security experts have claimed that the blast radius of third-party data breach incidents is far larger than at first thought, with more than 433 million individuals impacted by 136 events last year. Black Kite compiled its seventh annual Third-Party Breach Report from analysis of verified public breach disclosures in 2025, external cyber risk telemetry and supply chain intelligence. It said 136 verified breaches had 5.28 publicly named downstream victims per vendor, amounting to 719 companies and 433 million individual end customers."
        https://www.infosecurity-magazine.com/news/shadow-layer-organizations-supply/
        https://content.blackkite.com/ebook/2026-third-party-breach-report/
      • Quantum Decryption Of RSA Is Much Closer Than Expected
        "There’s a new contender in quantum cryptanalysis. The Jesse-Victor-Gharabaghi (JVG) quantum decryption algorithm is faster and requires fewer quantum resources than Shor’s algorithm. Breaking business and the internet has long been the accepted result of combining quantum computers and Shor’s algorithm to solve the factorization problem employed by Rivest-Shamir-Adleman (RSA) and Elliptic Curve Cryptography (ECC). But Shor’s algorithm requires a relatively large quantum computer (comprising an estimated one million qubits); and that is still believed to be at least a decade away."
        https://www.securityweek.com/quantum-decryption-of-rsa-is-much-closer-than-expected/
        https://www.preprints.org/manuscript/202510.1649
      • Turns Out Most Cybercriminals Are Old Enough To Know Better
        "Contrary to what some believe, cybercrime is not a kids' game. Middle-aged adults, not teenagers, now make up the biggest chunk of people getting busted. That's according to new analysis of 418 publicly announced law enforcement actions between 2021 and mid-2025, which shows offenders aged 35 to 44 account for 37 percent of cases, making it the largest single age group. Add in those aged 25 to 34, who make up another 30 percent, and nearly six in ten cases involve people between 25 and 44. By contrast, the much-hyped 18-24 bracket accounts for 21 percent, while under-18s barely register at under 5 percent."
        https://www.theregister.com/2026/03/03/turns_out_most_cybercriminals_are/
      • CISOs In a Pinch: A Security Analysis Of OpenClaw
        "Anthropic's Claude Code Security is a legitimate leap forward for pre-deployment vulnerability detection - and the market sell-off (Cybersecurity ETF at a 2+ year low) is an overreaction based on a category error. AI-powered code scanning doesn't replace runtime threat detection, identity governance, or endpoint protection. More importantly, the fastest-growing enterprise attack surface is the AI agents themselves. Poisoned model supply chains, runtime behavior drift, and zero observability into autonomous agent actions are threats that live entirely outside the code layer. Claude Code Security is a welcome addition to the defender's toolkit, but a toolkit isn't a security strategy. Enterprises still need the governance, runtime visibility, and platform integration that only a full-lifecycle approach can deliver."
        https://www.trendmicro.com/en_us/research/26/c/cisos-in-a-pinch-security-analysis-of-openclaw.html

      Reference
      Electronic Transactions Development Agency (ETDA)

      Posted in Cyber Security News by NCSA_THAICERT
    • Cyber Threat Intelligence 03 March 2026

      Healthcare Sector

      • Iran Conflict Elevates Cyber Risk For Healthcare
        "United States and Israel military strikes on Iran could erupt into cyberattacks against the healthcare sector in the U.S. and elsewhere by Iranian sympathizers and proxies, experts warned Monday. The life-and-death sensitivity of the healthcare sector, as well as its relative vulnerability to cyber incidents, makes it a target for rising attacks ranging from distributed denial of service, wiper malware, ransomware, data theft and other such assaults."
        https://www.bankinfosecurity.com/iran-conflict-elevates-cyber-risk-for-healthcare-a-30894

      New Tooling

      • BlacksmithAI: Open-Source AI-Powered Penetration Testing Framework
        "BlacksmithAI is an open-source penetration testing framework that uses multiple AI agents to execute different stages of a security assessment lifecycle. BlacksmithAI runs as a hierarchical system in which an orchestrator coordinates task execution across specialized agents. Each agent maps to a common penetration testing function. The recon agent handles attack surface mapping and information gathering. The scan and enumeration agent performs service discovery. A vulnerability analysis agent evaluates weaknesses and potential exposure. An exploit agent executes proof of concept activity. A post-exploitation agent examines impact and potential lateral movement."
        https://www.helpnetsecurity.com/2026/03/02/blacksmithai-open-source-ai-powered-penetration-testing-framework/
        https://github.com/yohannesgk/blacksmith

      Vulnerabilities

      • Google Addresses Actively Exploited Qualcomm Zero-Day In Fresh Batch Of 129 Android Vulnerabilities
        "Google disclosed one actively exploited zero-day vulnerability Monday, warning that the high-severity defect affecting an open-source Qualcomm display component for Android devices “may be under limited, targeted exploitation.” The memory-corruption vulnerability — CVE-2026-21385 — which Google’s Android security team reported to Qualcomm Dec. 18, affects 234 chipsets, Qualcomm said in a security bulletin. Qualcomm said it notified customers of the vulnerability Feb. 2."
        https://cyberscoop.com/android-security-update-march-2026/

      Malware

      • A Fake FileZilla Site Hosts a Malicious Download
        "A trojanized copy of the open-source FTP client FileZilla 3.69.5 is circulating online. The archive contains the legitimate FileZilla application, but with a single malicious DLL added to the folder. When someone downloads this tampered version, extracts it, and launches FileZilla, Windows loads the malicious library first. From that moment on, the malware runs inside what appears to be a normal FileZilla session. Because the infected copy looks and behaves like the real software, victims may not realize anything is wrong. Meanwhile, the malware can access saved FTP credentials, contact its command-and-control server, and potentially remain active on the system. The risk does not stop with the local computer. Stolen credentials could expose the web servers or hosting accounts the user connects to."
        https://www.malwarebytes.com/blog/threat-intel/2026/03/a-fake-filezilla-site-hosts-a-malicious-download
      • Purchase Order Attachment Isn’t a PDF. It’s Phishing For Your Password
        "An attachment named New PO 500PCS.pdf.hTM, posing as a purchase order in PDF form, turned out to be something entirely different: a credential-harvesting web page that quietly sent passwords and IP/location data straight to a Telegram bot controlled by an attacker. Imagine you’re in accounts payable, sales, or operations. Your day is a steady flow of invoices, purchase orders, and approvals. An email like this may look like just another item in your daily queue."
        https://www.malwarebytes.com/blog/threat-intel/2026/03/purchase-order-attachment-isnt-a-pdf-its-phishing-for-your-password
      • US-Israel And Iran Trade Cyberattacks: Pro-West Hacks Cause Disruption As Tehran Retaliates
        "The escalating conflict between the United States, Israel, and Iran has unfolded alongside extensive cyber operations, with reports of widespread internet disruptions, hacking of Iranian sites and apps, and infrastructure interference, while Western entities brace for potential Iranian cyberattacks. The conflict erupted on February 28, when the United States and Israel initiated coordinated airstrikes across Iran, targeting military installations, missile facilities, nuclear sites, and high-level officials, resulting in the deaths of Supreme Leader Ali Khamenei and several other leaders."
        https://www.securityweek.com/us-israel-and-iran-trade-cyberattacks-pro-west-hacks-cause-disruption-as-tehran-retaliates/
        https://therecord.media/iran-cyber-us-command-attack
        https://www.bankinfosecurity.com/iranian-cyber-proxies-active-but-nation-state-hackers-a-30892
        https://www.infosecurity-magazine.com/news/iran-cyber-attacks-global-google/
        https://www.theregister.com/2026/03/02/cyber_warfighters_iran/
      • Inside The Fix: Analysis Of In-The-Wild Exploit Of CVE-2026-21513
        "Microsoft’s February 2026 Patch Tuesday addressed 59 vulnerabilities, including six actively exploited zero-days. CVE-2026-21513 stands out because of its active exploitation, high impact, and ability to bypass browser security boundaries and trigger arbitrary file execution. We used the multi-agent system called PatchDiff-AI to analyze CVE-2026-21513 and its patch. PatchDiff-AI generated a detailed report that reveals insights about the vulnerable component and the attack vector."
        https://www.akamai.com/blog/security-research/2026/feb/inside-the-fix-cve-2026-21513-mshtml-exploit-analysis
        https://thehackernews.com/2026/03/apt28-tied-to-cve-2026-21513-mshtml-0.html
        https://securityaffairs.com/188782/security/russia-linked-apt28-exploited-mshtml-zero-day-cve-2026-21513-before-patch.html
      • Novel DPRK Stager Using Pastebin And Text Steganography
        "This is a quick one as FAMOUS CHOLLIMA has been keeping me busy this week by testing Google Drive as a stager and my longer write-up on tracking their IP addresses through temporary mailboxes. I just cannot help writing about this one as it’s really fun — it also helps that having a sleeping baby strapped to the chest for three hours makes for idle hands, and you know what they say about idle hands!"
        https://kmsec.uk/blog/dprk-text-steganography/
        https://thehackernews.com/2026/03/north-korean-hackers-publish-26-npm.html
      • Situation Report: Middle East Escalation (February 27–1st March, 2026)
        "The report examines the sharp escalation following the 28 February 2026 joint Israel–U.S. strikes on Iran, triggering a hybrid conflict blending kinetic attacks with unprecedented cyber operations. Iran faced near-total internet disruption, while retaliatory missile and cyber activity spread across Israel, the Gulf, and beyond. Over 150 hacktivist incidents were recorded, with global spillover risks to energy, finance, IT, and critical infrastructure sectors"
        https://www.cloudsek.com/blog/middle-east-escalation-israel-iran-us-cyber-war-2026
        https://www.infosecurity-magazine.com/news/middle-east-conflict-surge-global/
      • Dust Specter APT Targets Government Officials In Iraq
        "In January 2026, Zscaler ThreatLabz observed activity by a suspected Iran-nexus threat actor targeting government officials in Iraq. ThreatLabz discovered previously undocumented malware including SPLITDROP, TWINTASK, TWINTALK, and GHOSTFORM. Due to significant overlap in tools, techniques, and procedures (TTPs), as well as victimology, between this campaign and activity associated with Iran-nexus APT groups, ThreatLabz assesses with medium-to-high confidence that an Iran-nexus threat actor conducted this operation. ThreatLabz tracks this group internally as Dust Specter. As additional high-confidence indicators become available, ThreatLabz will update our attribution accordingly."
        https://www.zscaler.com/blogs/security-research/dust-specter-apt-targets-government-officials-iraq
      • Alleged India-Linked Espionage Campaign Targeted Pakistan, Bangladesh, Sri Lanka
        "An espionage campaign last year targeted government agencies and critical infrastructure operators in Pakistan, Bangladesh and Sri Lanka, researchers at the cybersecurity firm Arctic Wolf said Monday. The researchers attributed the campaign to an India-nexus threat actor they call SloppyLemming and said it was an expansion of threat activity previously identified by Cloudflare in September 2024."
        https://therecord.media/india-pakistan-cyber-campaign-apt
      • Tracking CyberStrikeAI Usage
        "Team Cymru is continuously monitoring our global netflow visibility to uncover patterns of adversary activity, identify malicious operations, and gain actionable intelligence. In this post, we are diving into CyberStrikeAI, an open-source artificial intelligence (AI) offensive security tool (OST) developed by a China-based developer who we assess has some ties to the Chinese government."
        https://www.team-cymru.com/post/tracking-cyberstrikeai-usage
        https://www.bleepingcomputer.com/news/security/cyberstrikeai-tool-adopted-by-hackers-for-ai-powered-attacks/
      • OAuth Redirection Abuse Enables Phishing And Malware Delivery
        "Microsoft observed phishing-led exploitation of OAuth’s by-design redirection mechanisms. The activity targets government and public-sector organizations and uses silent OAuth authentication flows and intentionally invalid scopes to redirect victims to attacker-controlled infrastructure without stealing tokens. Microsoft Defender flagged malicious activity across email, identity, and endpoint signals. Microsoft Entra disabled the observed OAuth applications; however, related OAuth activity persists and requires ongoing monitoring."
        https://www.microsoft.com/en-us/security/blog/2026/03/02/oauth-redirection-abuse-enables-phishing-malware-delivery/
        https://www.theregister.com/2026/03/03/microsoft_oauth_scams/

      Breaches/Hacks/Leaks

      • Pakistan’s Top News Channels Hacked And Hijacked With Anti-Military Messages
        "Several of Pakistan’s most-watched news channels, including Geo News, ARY News, and Samaa TV, faced a serious security breach on Sunday evening, 1 March 2026. Viewers across the country were left confused when regular programming was suddenly interrupted by unauthorized messages. These disruptions happened shortly after Iftar (the meal served at sunset to break the daily fast during the holy month of Ramadan) and continued into the high-traffic 9 pm news bulletins, which is when these channels usually see their largest global audiences."
        https://hackread.com/pakistan-news-channels-hacked-anti-military-messages/
      • Madison Square Garden Data Breach Confirmed Months After Hacker Attack
        "Madison Square Garden has confirmed being impacted by a data breach stemming from a cybercrime campaign targeting customers of Oracle’s E-Business Suite (EBS) solution. In the Oracle EBS hacking campaign, the Cl0p ransomware and extortion group exploited zero-day vulnerabilities to gain access to data stored by more than 100 organizations in the enterprise management software. Madison Square Garden (MSG), the world-famous arena located in New York City, was named by the hackers as a victim of the campaign in November 2025."
        https://www.securityweek.com/madison-square-garden-data-breach-confirmed-months-after-hacker-attack/
      • Cyberattack Briefly Disrupts Russian Internet Regulator And Defense Ministry Websites
        "Russia’s internet regulator and defense ministry said their servers were hit by a large distributed denial-of-service (DDoS) attack that briefly disrupted access to several government websites late last week. The Russian communications watchdog, Roskomnadzor, said in a statement to several local media outlets on Friday that the attack was a “complex multi-vector” operation originating from servers and botnets located mainly in Russia, as well as in the United States, China, the United Kingdom and the Netherlands."
        https://therecord.media/cyberattack-briefly-takes-down-russian-government-websites
      • University Of Hawaiʻi Cancer Center Confirms Data Leak Following Ransomware Attack
        "The University of Hawaiʻi Cancer Center said up to 1.2 million people had information leaked as a result of a ransomware attack on its epidemiology division last year. Hackers accessed records containing Social Security numbers (SSNs) and driver’s license numbers collected from the Hawaiʻi State Department of Transportation as well as City and County of Honolulu voter registration records from 1998, according to a statement released by the organization last week."
        https://therecord.media/university-of-hawaii-ransomware-data-breach

      General News

      • How Threat Intelligence And Multi-Source Data Drive Smarter Vulnerability Prioritization
        "For years, CVSS scores have been the default metric for vulnerability severity. But severity does not equal risk. A CVSS 9.8 vulnerability that is never exploited is less dangerous than a CVSS 6.5 actively used in ransomware campaigns. Yet many organizations still chase the highest scores first, wasting time and leaving real threats exposed. KEV lists help, but they are reactive and often lag behind active exploitation. Attackers move faster than static scoring systems. If your prioritization strategy starts and ends with CVSS, you are playing catch-up."
        https://blog.checkpoint.com/executive-insights/how-threat-intelligence-and-multi-source-data-drive-smarter-vulnerability-prioritization/
      • How ‘silent Probing’ Can Make Your Security Playbook a Liability
        "For years, cyberattacks followed a familiar pattern: reconnaissance, exploitation, persistence, impact. Defenders built their strategies around that cycle, patching vulnerabilities, monitoring indicators, and working to reduce dwell time. But a quieter shift is underway. Today’s most sophisticated adversaries are using AI to study how organizations defend themselves. They run what we call “silent probing campaigns:” long-term, subtle operations designed to map how a team detects threats, escalates issues, and responds under pressure. These campaigns focus on learning the defender’s habits, workflow and decision points so attackers can time and tailor follow-on actions to evade detection. This reframes cyber risk, turning it from a technical problem into a behavioral one."
        https://cyberscoop.com/ai-silent-probing-cyber-risk-behavioral-defense-op-ed/
      • Taming Agentic Browsers: Vulnerability In Chrome Allowed Extensions To Hijack New Gemini Panel
        "We uncovered a High severity security vulnerability CVE-2026-0628 in Google's implementation of the new Gemini feature in Chrome. This vulnerability allows the attacker to tap into the browser environment and access files on the local operating system. Specifically, this vulnerability could have allowed malicious extensions with basic permissions to hijack the new Gemini Live in Chrome browser panel. Such an attack could have led to privilege escalation, enabling actions including:"
        https://unit42.paloaltonetworks.com/gemini-live-in-chrome-hijacking/
        https://nvd.nist.gov/vuln/detail/CVE-2026-0628
        https://www.darkreading.com/endpoint-security/bug-google-gemini-ai-panel-hijacking
        https://thehackernews.com/2026/03/new-chrome-vulnerability-let-malicious.html
        https://www.securityweek.com/vulnerability-allowed-hijacking-chromes-gemini-live-ai-assistant/
      • Link11 Releases European Cyber Report 2026: DDoS Attacks Become a Constant Threat
        "Link11 has published its European Cyber Report 2026, revealing that DDoS attacks reached a new level in 2025 and have become a permanent stress factor for digital infrastructures. The report shows that the number of documented attacks in the Link11 network rose by 75% in 2025, following explosive growth in the previous year (+137%). This establishes DDoS attacks as a permanent structural burden for companies and critical infrastructures in Europe."
        https://hackread.com/link11-releases-european-cyber-report-2026-ddos-attacks-become-a-constant-threat/
      • Your Dependencies Are 278 Days Out Of Date And Your Pipelines Aren’t Protected
        "Applications continue to ship with known weaknesses even as development workflows speed up. A new Datadog State of DevSecOps 2026 report examines how dependency management and pipeline practices are influencing exposure across cloud native environments. Across the environments studied, 87% of organizations run at least one exploitable vulnerability in production services, affecting 40% of those services. This condition points to a persistent accumulation of security debt inside deployed software stacks."
        https://www.helpnetsecurity.com/2026/03/02/devsecops-supply-chain-risk-security-debt/
      • AI Risk Moves Into The Security Budget Spotlight
        "Enterprises are pushing AI deeper into workflows that touch sensitive data across cloud platforms and SaaS apps. The 2026 Thales Data Threat Report, based on a survey of 3,120 respondents in 20 countries, places that shift alongside growing pressure on data protection, identity controls, and cloud security. A dedicated budget for AI security is becoming more common. Thirty percent of respondents report having a dedicated AI security budget, up from 20% in the prior year. Many organizations continue to fund AI initiatives through existing security allocations, which keeps AI risk management closely tied to broader cyber programs."
        https://www.helpnetsecurity.com/2026/03/02/ai-security-spending-budget-2026/
      • Alert: NCSC Advises UK Organisations To Take Action Following Conflict In The Middle East
        "In response to the evolving events in the Middle East, the NCSC is advising that UK organisations review their cyber security posture. As a result of the ongoing conflict in the Middle East, there is likely no current significant change in the direct cyber threat from Iran to the UK, however due to the fast-evolving nature of the conflict, this assessment may be subject to change."
        https://www.ncsc.gov.uk/news/ncsc-advises-uk-organisations-take-action-following-conflict-in-middle-east
        https://www.bleepingcomputer.com/news/security/uk-warns-of-iranian-cyberattack-risks-amid-middle-east-conflict/
        https://securityaffairs.com/188800/apt/middle-east-crisis-prompts-uk-warning-on-potential-iranian-cyber-activity.html
        https://www.theregister.com/2026/03/02/ncsc_security_iran/

References
Electronic Transactions Development Agency (ETDA)

Posted in Cyber Security News
NCSA_THAICERT
    • 🚨 Check and update urgently! Android vulnerability affects many device models

      The National Computer Security Coordination Center (ThaiCERT) warns of a high-severity vulnerability in the Android operating system, CVE-2026-21385, which affects devices using Qualcomm chipsets and is reported to have been used in attacks.
      1. Key details
      CVE-2026-21385 is a high-severity vulnerability (CVSS v3.1: 7.8) in the graphics processing component of Qualcomm chips on Android devices. It could be used to run malicious commands, crash the system, or escalate privileges locally on the device, and it has been reported as already exploited in attacks.
      2. Affected devices
      • Smartphones and tablets running Android, especially models that use Qualcomm chipsets
      3. Prevention and risk reduction
      3.1 Update the security patch to the latest version
      3.2 Enable "Safe Browsing" in Google Chrome
      4. If you cannot update immediately
      4.1 Avoid installing .APK files from untrusted sources
      4.2 Be wary of links in SMS messages or emails from unknown senders
      4.3 Avoid using unsecured public Wi-Fi
      4.4 Do not use devices that have not been updated to access critical organizational systems such as VPNs or databases
      5. How to check which chip your phone uses
      5.1 Look up your phone model on a trusted website by searching for "phone model name + specs", then check the Processor or Chipset entry
      5.2 Download the CPU-Z app from the Google Play Store and check the SoC entry; if it shows "Snapdragon", the device uses a Qualcomm chip
      📌 Android users are asked to check and update their devices promptly to reduce the risk of attack
      References
      1. https://dg.th/tn0cra8kop
      2. https://dg.th/ydlx0wf8g2
      3. https://dg.th/ael42ci38h
      4. https://dg.th/nq8wycjdhe

      #ThaiCERT #CyberSecurity #AndroidSecurity #CVE202621385

    • Microsoft warns that fake game-assist programs spread RAT malware that gives attackers remote control of the machine


      Follow the news on the webboard or on Facebook NCSA Thailand

    • Iran's internet nearly shut down nationwide amid US and Israeli attack operations


      Follow the news on the webboard or on Facebook NCSA Thailand

    • Thousands of Google Cloud API keys leaked publicly, risking unauthorized access to Gemini AI


      Follow the news on the webboard or on Facebook NCSA Thailand

    • 🚨Urgent!!!! Vulnerability found in the Worry Proof Backup plugin on WordPress websites🚨

      ThaiCERT, monitoring cyber threat news, has found a vulnerability in the Worry Proof Backup plugin for WordPress websites that allows an attacker to upload files and run malicious code.

      1. Incident details
        • CVE-2026-1311 (CVSS v3.1: 8.8) is a WordPress security vulnerability in the Worry Proof Backup plugin. The flaw is a path traversal through the backup file upload function: an attacker with Subscriber-level privileges or higher can upload a ZIP file containing path traversal entries and thereby write files on the server.
        • Once the attacker can write files to the server, they can run malicious code (Remote Code Execution: RCE)

      2. Affected versions
        • All versions up to 0.2.4 (Worry Proof Backup plugin for WordPress)

      3. Attack behavior
        • The attacker holds a WordPress user account at Subscriber level, or any level that can reach the plugin's functions
        • Uses the plugin's backup upload function to submit a ZIP file containing path traversal entries
        • When the system extracts the ZIP, files are written into critical server directories
        • Drops script files such as PHP web shells and runs malicious code
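      As an added example (not code from the Worry Proof Backup plugin or from WordPress), the Python function below shows the check a backup-upload handler needs to stop the ZIP path traversal described in section 3: every archive entry is resolved against the destination directory and rejected if it would land outside it or carries a script extension. The archive contents and the wp-content/uploads/backups path are constructed for the demonstration.

```python
"""Hardened ZIP extraction that refuses path-traversal ("Zip Slip") entries.

Added example, not code from the Worry Proof Backup plugin or WordPress:
it shows the check a backup-upload handler needs so that a crafted archive
cannot write outside the backup directory.  The archive below is constructed
in memory for the demonstration.
"""
import io
import tempfile
import zipfile
from pathlib import Path, PurePosixPath


class UnsafeArchiveEntry(Exception):
    """Raised for an entry whose extracted path would leave the target directory."""


def safe_member_path(dest_dir: Path, member_name: str) -> Path:
    """Return the on-disk path for a ZIP member, or raise if it escapes dest_dir.

    ZIP names are POSIX-style.  The raw name is checked first (absolute paths,
    drive letters, '..' components), then the fully resolved path is checked so
    that symlinked directories cannot be abused either.
    """
    pure = PurePosixPath(member_name)
    first = member_name.split("/")[0]
    if pure.is_absolute() or member_name.startswith("\\") or ":" in first:
        raise UnsafeArchiveEntry(f"absolute or drive path rejected: {member_name!r}")
    if ".." in pure.parts:
        raise UnsafeArchiveEntry(f"parent-directory component rejected: {member_name!r}")
    target = (dest_dir / Path(*pure.parts)).resolve()
    root = dest_dir.resolve()
    if target != root and root not in target.parents:
        raise UnsafeArchiveEntry(f"entry resolves outside target directory: {member_name!r}")
    return target


def extract_backup_safely(zip_bytes: bytes, dest_dir: Path,
                          allowed_suffixes=(".sql", ".json", ".txt")):
    """Extract only entries that stay inside dest_dir and have an allowed suffix.

    Returns (extracted, rejected): lists of member names.  Rejected entries are
    skipped rather than aborting the archive so the caller can log them; a
    stricter handler could abort on the first rejection instead.
    """
    extracted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            try:
                target = safe_member_path(dest_dir, name)
            except UnsafeArchiveEntry:
                rejected.append(name)
                continue
            if name.endswith("/"):
                target.mkdir(parents=True, exist_ok=True)
                extracted.append(name)
                continue
            if Path(name).suffix.lower() not in allowed_suffixes:
                rejected.append(name)  # a .php file is never a legitimate backup payload
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            extracted.append(name)
    return extracted, rejected


def build_demo_archive() -> bytes:
    """Constructed sample archive: one legitimate backup file plus two hostile entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("backup/db.sql", "-- dump --\n")
        zf.writestr("../../escaped.txt", "would land outside the backup directory\n")  # traversal
        zf.writestr("backup/shell.php", "<?php /* disallowed file type */ ?>\n")      # script drop
    return buf.getvalue()


def run_demo():
    """Extract the constructed archive into a temp dir; report what was written where."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        dest = root / "wp-content" / "uploads" / "backups"   # constructed path
        dest.mkdir(parents=True)
        extracted, rejected = extract_backup_safely(build_demo_archive(), dest)
        # "../../escaped.txt" relative to dest would resolve to wp-content/escaped.txt
        escaped = (root / "wp-content" / "escaped.txt").exists()
        return extracted, rejected, escaped


if __name__ == "__main__":
    ex, rj, escaped = run_demo()
    print("extracted:", ex)
    print("rejected:", rj)
    print("file escaped the backup dir:", escaped)
```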

      4. Prevention and mitigation
        4.1 Update the plugin and strictly follow the developer's guidance
        4.2 Review user privileges and reduce the number of unnecessary accounts
        4.3 Restrict file uploads: disable the file upload function for users with privileges below Editor or Administrator (if it is not needed)
        4.4 Set up automatic file scanning using anti-malware and file change detection (File Integrity Monitoring)
        4.5 Disable execution in directories that do not need it
        4.6 Use a Web Application Firewall (WAF) to block payloads containing path traversal patterns

      5. Interim measures (if you cannot update immediately)
        5.1 Temporarily disable the "Upload Backup" feature in the plugin
        5.2 Restrict user privileges: lower the privileges of ordinary users so they cannot reach risky functions, and use Two-Factor Authentication (2FA) for high-privilege accounts

      6. References
        6.1 https://dg.th/uckbt9hwdz
        6.2 https://dg.th/kta7ohgmu8

      Organizations can also check the Plugin Directory at https://dg.th/jte7m0or6k and https://dg.th/e2fp5it7bo


    • Alert: OS Command Injection vulnerability in Totolink N300RH

      The National Computer Security Coordination Center (ThaiCERT) has been monitoring an OS Command Injection vulnerability in the Totolink N300RH network device. Successful exploitation may lead to device takeover, unauthorized configuration changes, interception or modification of network traffic, and impact on the confidentiality, integrity and availability of the network as a whole.

      1. Vulnerability details

      An OS Command Injection (CWE-78) vulnerability, CVE-2026-3301 (CVSS v3.1 score: 8.9), was found in the setWebWlanIdx function of the file /cgi-bin/cstecgi.cgi in the Web Management Interface of the Totolink N300RH. An attacker can manipulate the webWlanIdx parameter to inject operating system (OS) commands, which the device then executes directly. The vulnerability can be exploited remotely, without authentication and without user interaction. Proof-of-Concept exploit code has already been published, so the risk of real-world exploitation is high.

      2. If exploited successfully, an attacker can:

      2.1 Run commands on the router's operating system
      2.2 Change configuration settings without authorization
      2.3 Intercept or modify network traffic
      2.4 Use the device as a foothold to attack internal systems (Lateral Movement)
      2.5 Plant a backdoor to persist in the system

      3. Affected product: Totolink N300RH firmware version 6.1c.1353_B20190305

      4. Remediation

      4.1 Check the firmware version of all devices immediately
      4.2 Restrict access to the Web Management Interface to trusted internal networks only
      4.3 Disable Remote Management if it is not needed
      4.4 Monitor the vendor for further security announcements
      4.5 If no patch is available within a reasonable time, consider replacing the device in high-criticality environments

      5. Additional security recommendations

      5.1 Use a firewall to restrict external access to management ports
      5.2 Segment the management network (Management Network Segmentation)
      5.3 Enable logging and review logs regularly
      5.4 Use IDS/IPS to detect anomalous behavior associated with Command Injection attacks
      5.5 Assess the risk of other network devices that are managed through a Web Interface
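      Added example, not from the vendor or the advisory: a small Python log scanner that applies recommendations 5.3 and 5.4 to this specific vulnerability. It flags requests to /cgi-bin/cstecgi.cgi whose webWlanIdx value contains shell metacharacters or is not a plain number, and separately flags management requests from outside a trusted management network (recommendation 4.2). It assumes the parameter appears in the logged request line (if the device only accepts it in a POST body, the same check applies to the body captured by a proxy or IDS); the log lines and the 192.0.2.0/24 management range are constructed.

```python
"""Log-based detection for command-injection attempts against the N300RH
management CGI (recommendations 5.3 and 5.4 above).

Added example, not from the vendor or the advisory.  The CGI path and the
parameter name come from the advisory; the log format, the sample lines and
the trusted 192.0.2.0/24 management range are constructed for the demo.
"""
import ipaddress
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Common-log-format line: client, timestamp, request line, status (constructed format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3})'
)

# Characters that have no business in a WLAN index but let a shell split or chain commands.
SHELL_META_RE = re.compile(r"[;|&`$(){}<>\n]")

TARGET_PATH = "/cgi-bin/cstecgi.cgi"   # named in the advisory
TARGET_PARAM = "webWlanIdx"            # named in the advisory


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def extract_param(url, name):
    """Return the decoded value(s) of query parameter `name`.

    parse_qs decodes once; a second unquote catches values that were logged
    already percent-encoded (double encoding is a common filter-evasion trick).
    """
    query = urlsplit(url).query
    values = parse_qs(query, keep_blank_values=True).get(name, [])
    return [unquote_plus(v) for v in values]


def classify(fields, trusted_net):
    """Return a list of finding tags for one parsed request (empty list = benign)."""
    findings = []
    if urlsplit(fields["url"]).path != TARGET_PATH:
        return findings
    src = ipaddress.ip_address(fields["ip"])
    if src not in trusted_net:
        findings.append("mgmt-access-from-untrusted-source")
    for value in extract_param(fields["url"], TARGET_PARAM):
        # A legitimate index is a small non-negative integer; anything else is
        # at least malformed, and shell metacharacters are an injection signature.
        if SHELL_META_RE.search(value):
            findings.append("shell-metachar-in-" + TARGET_PARAM)
        elif not value.isdigit():
            findings.append("non-numeric-" + TARGET_PARAM)
    return findings


def scan_log(lines, trusted_cidr="192.0.2.0/24"):
    """Scan log lines; return [(ip, url, findings)] for every request with findings."""
    net = ipaddress.ip_network(trusted_cidr)
    alerts = []
    for line in lines:
        fields = parse_line(line)
        if not fields:
            continue
        tags = classify(fields, net)
        if tags:
            alerts.append((fields["ip"], fields["url"], tags))
    return alerts


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [03/Mar/2026:09:00:01 +0700] "GET /cgi-bin/cstecgi.cgi?webWlanIdx=1 HTTP/1.1" 200',
    '198.51.100.7 - - [03/Mar/2026:09:00:05 +0700] "GET /cgi-bin/cstecgi.cgi?webWlanIdx=1%3Bls HTTP/1.1" 200',
    '192.0.2.11 - - [03/Mar/2026:09:00:09 +0700] "GET /cgi-bin/cstecgi.cgi?webWlanIdx=%2524(id) HTTP/1.1" 200',
    '192.0.2.12 - - [03/Mar/2026:09:00:12 +0700] "GET /index.html HTTP/1.1" 200',
]

if __name__ == "__main__":
    for ip, url, tags in scan_log(SAMPLE_LOG):
        print(f"ALERT {ip} {url} -> {', '.join(tags)}")
```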

      6. References

      6.1 https://dg.th/hcqag6v4yp
      6.2 https://dg.th/1f4r6siao5
      6.3 https://dg.th/b20eg835pa
      6.4 https://dg.th/2d9pntayli


    • 🚨 Cyber alert: global tensions may spill into the digital world, putting businesses and the public at risk without their knowledge

      Recently, international security tensions in several regions of the world have continued to rise. Beyond their political, economic and security impacts, cybersecurity experts have also observed a rise in geopolitically motivated internet attack activity, which is increasingly spreading into the private sector and ordinary organizations.

      The nature of current threats shows that cyberattacks are no longer limited to government agencies or critical infrastructure; they can target any organization with internet-connected systems or a place in the digital supply chain, even if that organization has no direct connection to the conflict.

      📍 Shift in targeting toward the private sector
      Analysts assess that highly capable attacker groups are increasingly expanding their operations from strategic targets to the private sector, because many organizations still have limited resources, personnel and cybersecurity measures.

      Such attacks may not single out a specific organization but instead use distributed targeting to create economic impact or broad pressure through digital systems.

      💡 Why small and medium-sized businesses (SMBs) are at high risk
      • Soft targets
      Small and medium-sized organizations often have limited cybersecurity budgets, so monitoring and patching are inconsistent, making it easier for attackers to gain access
      • Supply chain exposure
      Compromising one organization can be used as a path into partners or business allies with interconnected systems, so the damage spreads widely and unintentionally

      🔴 Threat details
      Experts have found that attackers are making their operations more flexible and evasive, relying on authorized network channels or systems to sustain their activity.

      Attack patterns that may be observed include:
      • Intrusion into organizational networks and unauthorized data access
      • Disruption or outage of online services
      • Remote-control malware, or data encryption for ransom
      • Lateral movement within the network to extend the attack

      In some cases, signals or announcements about cyber activity are made through public channels, which may reflect attempts to create psychological impact or pressure on businesses.

      📊 Risk indicators organizations should watch
      Organizations can use the following signals as indicators that their systems may be at risk:
      • Websites or online services responding slowly or going down unexpectedly
      • Logins from locations or devices never used before
      • Unusually high outbound traffic
      • Large-volume data access outside business hours
      • New administrator accounts created for unknown reasons

      🎯 Potential risks and impact
      In an era where organizations are connected through cloud and online systems, a single attack can cascade quickly, for example:
      • Leakage of customer and business data
      • Outage of websites or service processes
      • Higher-than-expected system recovery and incident response costs
      • Damage to organizational reputation and trust
      Businesses that rely mainly on online systems may in particular see operations disrupted for several days from a single incident.

      ⚠️ Precautions and guidance for organizations
      Cybersecurity today is not only a concern for large organizations but a shared responsibility of all sectors. Misconfigured systems or a lack of continuous monitoring can easily become an entry point for malicious actors.

      1️⃣ Monitoring guidance
      Agencies should increase continuous monitoring and inspection of their information systems so that anomalies can be detected in time, as follows:
      • Review event logs and historical activity to find abnormal or unauthorized access
      • Monitor account logins from locations, devices or times inconsistent with normal behavior
      • Verify that high-privilege accounts and remote access comply with defined policy
      • Use threat intelligence and monitoring systems to support continuous detection and risk tracking

      2️⃣ Prevention and impact-reduction guidance
      Agencies should implement preventive measures to reduce risk and limit the impact of cyberattacks, as follows:
      • Use multi-factor authentication (MFA) for critical and high-privilege accounts
      • Regularly apply security patches to systems, software and network devices
      • Grant data access on a need-to-know basis (Least Privilege)
      • Raise staff awareness of phishing and social engineering
      • Back up critical data and keep backups in a separate location, to cover cases where systems are attacked or damaged
      • Review incident response plans, including BCP and DRP, so they are always ready for use

      🔗 References:
      https://dg.th/ajtcoub51i
      ⚠️ ThaiCERT recommends that organizations and the public raise their level of cyber threat monitoring while the international situation is volatile, and use technical indicators in their risk assessments, so they are ready to detect and respond to incidents in time.


    • Cyber Threat Intelligence 02 March 2026

      Industrial Sector

      • InSAT MasterSCADA BUK-TS
        "Successful exploitation of these vulnerabilities may allow remote code execution."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-055-01
      • Copeland XWEB And XWEB Pro
        "Successful exploitation of these vulnerabilities could allow an attacker to bypass authentication, cause a denial-of-service condition, cause memory corruption, and execute arbitrary code."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-10
      • Gardyn Home Kit
        "Successful exploitation of these vulnerabilities could allow unauthenticated users to access and control edge devices, access cloud-based devices and user information without authentication, and pivot to other edge devices managed in the Gardyn cloud environment."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-055-03
        https://www.securityweek.com/critical-flaws-exposed-gardyn-smart-gardens-to-remote-hacking/
      • Mobility46 Mobility46.se
        "Successful exploitation of these vulnerabilities could enable attackers to gain unauthorized administrative control over vulnerable charging stations or disrupt charging services through denial-of-service attacks."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-08
      • EV Energy Ev.energy
        "Successful exploitation of these vulnerabilities could enable attackers to gain unauthorized administrative control over vulnerable charging stations or disrupt charging services through denial-of-service attacks."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-07
      • SWITCH EV Swtchenergy.com
        "Successful exploitation of these vulnerabilities could allow attackers to impersonate charging stations, hijack sessions, suppress or misroute legitimate traffic to cause large-scale denial of service, and manipulate data sent to the backend."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-06
      • EV2GO Ev2go.io
        "Successful exploitation of these vulnerabilities could allow attackers to impersonate charging stations, hijack sessions, suppress or misroute legitimate traffic to cause large-scale denial of service, and manipulate data sent to the backend."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-04
      • CloudCharge Cloudcharge.se
        "Successful exploitation of these vulnerabilities could allow attackers to impersonate charging stations, hijack sessions, suppress or misroute legitimate traffic to cause large-scale denial of service, and manipulate data sent to the backend."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-03
      • Johnson Controls, Inc. Frick Controls Quantum HD
        "Successful exploitation of these vulnerabilities can lead to pre-authentication remote code execution, information leak or denial of service."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-01
      • Industrial Networks Continue To Leak Onto The Internet
        "Industrial operators continue to run remote access portals, building automation servers, and other operational technology services on public IP address ranges. Palo Alto Networks, Siemens, and Idaho National Laboratory describe the scope of that exposure in the Intelligence-Driven Active Defense Report 2026. Cortex Xpanse made over 110 million observations of OT devices exposed to the internet in 2024, a 138% increase over 2023. From those observations, 19,633,628 unique OT devices and services were fingerprinted, a 332% increase over 2023. Those devices were hosted on 1.77 million IPv4 addresses, a 41.6% increase over 2023."
        https://www.helpnetsecurity.com/2026/02/27/ot-internet-exposure-cybersecurity-risk/
      • Schneider Electric EcoStruxure Building Operation Workstation
        "Schneider Electric is aware of a vulnerability in EcoStruxure Building Operation Workstation and EcoStruxure Building Operation WebStation. EcoStruxure Building Operation (EBO) is an open and scalable software platform providing insight, control and management of multiple building systems and devices in one mobile-enabled convenient view. It delivers valuable data for decision-making to improve energy management and increase efficiency for better building performance and comfort, reduced carbon, and more sustainable building environments. Failure to apply the remediations below may risk exposure of local files or denial of service, which could result in data breaches, and operational disruptions."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-055-02
      • Yokogawa CENTUM VP R6, R7
        "Successful exploitation of these vulnerabilities could allow an attacker to terminate the software stack process, cause a denial-of-service condition, or execute arbitrary code."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-09
      • Pelco, Inc. Sarix Pro 3 Series IP Cameras
        "Successful exploitation of this vulnerability could allow attackers to gain unauthorized access to sensitive device data, bypass surveillance controls, and expose facilities to privacy breaches, operational risks, and regulatory compliance issues."
        https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-02

      New Tooling

      • IronCurtain: An Open-Source, Safeguard Layer For Autonomous AI Assistants
        "Veteran security engineer Niels Provos is working on a new technical approach designed to stop autonomous AI agents from taking actions you haven’t specifically authorized. His open-source software solution, called IronCurtain, aims to neutralize the risk of an LLM-powered agent “going rogue” – whether through prompt injection or the agent gradually deviating from the user’s original intent over the course of a long session."
        https://www.helpnetsecurity.com/2026/02/27/ironcurtain-open-source-ai-agent-security/
        https://github.com/provos/ironcurtain

      Vulnerabilities

      • Millions Of Publicly Exposed .env Files Put Internet Services At Risk: A Mysterium VPN Research
        "Configuration mistakes rarely look dramatic. A single forgotten deployment rule, an overlooked web server setting, or an uploaded project folder that contains hidden files can quietly make a website’s most sensitive secrets accessible to anyone on the internet. Often, these secrets are stored in environment configuration files called .env files. Researchers here at Mysterium VPN identified over 12 million IP addresses with publicly accessible .env-style files, revealing credentials and tokens, including JWT signing keys, API keys, database passwords, and service tokens. This discovery indicates a significant and persistent digital security hygiene issue affecting companies, developers, and end users across multiple countries and industries."
        https://www.mysteriumvpn.com/blog/news/millions-exposed-env-files
        https://securityaffairs.com/188590/hacking/12-million-exposed-env-files-reveal-widespread-security-failures.html
      • OpenClaw Vulnerability: Website-To-Local Agent Takeover
        "OpenClaw, the open-source AI agent that rocketed to over 100,000 GitHub stars in five days, has become the default personal assistant for thousands of developers. It runs on their laptops, connects to their messaging apps, calendars, and dev tools, and takes autonomous actions on their behalf. It has also, as we discovered, been trivially vulnerable to hijacking from any website the developer visits. Oasis Security researchers found a vulnerability chain in OpenClaw that allows any website to silently take full control of a developer's AI agent—with no plugins, extensions, or user interaction required. The OpenClaw team classified this as High severity and shipped a fix within 24 hours."
        https://www.oasis.security/blog/openclaw-vulnerability
        https://thehackernews.com/2026/02/clawjacked-flaw-lets-malicious-sites.html
        https://www.bleepingcomputer.com/news/security/clawjacked-attack-let-malicious-websites-hijack-openclaw-to-steal-data/
        https://hackread.com/openclaw-vulnerability-openclaw-hijack-ai-agents/

      Malware

      • Inside a Fake Google Security Check That Becomes a Browser RAT
        "A website styled to resemble a Google Account security page is distributing what may be one of the most fully featured browser-based surveillance toolkits we have observed in the wild. Disguised as a routine security checkup, it walks victims through a four-step flow that grants the attacker push notification access, the device’s contact list, real-time GPS location, and clipboard contents—all without installing a traditional app. For victims who follow every prompt, the site also delivers an Android companion package introducing a native implant that includes a custom keyboard (enabling keystroke capture), accessibility-based screen reading capabilities, and permissions consistent with call log access and microphone recording."
        https://www.malwarebytes.com/blog/privacy/2026/02/inside-a-fake-google-security-check-that-becomes-a-browser-rat
      • 900 Sangoma FreePBX Instances Infected With Web Shells
        "Approximately 900 Sangoma FreePBX instances remain infected with web shells in attacks that exploited a command injection vulnerability starting December 2025. Sangoma FreePBX is a web-based, open source graphical user interface that serves as a widely deployed management tool for Asterisk-based IP telephone systems. The exploited bug, tracked as CVE-2025-64328 (CVSS score of 8.6) and patched in November 2025, impacts the filestore module of the endpoint manager’s administrative interface."
        https://www.securityweek.com/900-sangoma-freepbx-instances-infected-with-web-shells/
        https://thehackernews.com/2026/02/900-sangoma-freepbx-instances.html
        https://securityaffairs.com/188679/uncategorized/cve-2025-64328-exploitation-impacts-900-sangoma-freepbx-instances.html
      • Trojanized Gaming Tools Spread Java-Based RAT Via Browser And Chat Platforms
        "Threat actors are luring unsuspecting users into running trojanized gaming utilities that are distributed via browsers and chat platforms to distribute a remote access trojan (RAT). "A malicious downloader staged a portable Java runtime and executed a malicious Java archive (JAR) file named jd-gui.jar," the Microsoft Threat Intelligence team said in a post on X. "This downloader used PowerShell and living-off-the-land binaries (LOLBins) like cmstp.exe for stealthy execution." The attack chain is also designed to evade detection by deleting the initial downloader and by configuring Microsoft Defender exclusions for the RAT components."
        https://thehackernews.com/2026/02/trojanized-gaming-tools-spread-java.html
        https://securityaffairs.com/188639/uncategorized/microsoft-warns-of-rat-delivered-through-trojanized-gaming-utilities.html
        https://hackread.com/microsoft-fake-xeno-roblox-utilities-windows-rat/
      • How Infostealers Industrialize The Brute-Forcing Of Corporate SSO Gateways
        "Recently, the cybersecurity community was alerted to a significant credential stuffing attack targeting F5 devices. The activity was first brought to light by threat intelligence group Defused Cyber, who noted that threat actors were attempting to access F5 infrastructure using seemingly legitimate corporate credentials."
        https://www.infostealers.com/article/how-infostealers-industrialize-the-brute-forcing-of-corporate-sso-gateways/
      • Moonrise RAT: A New Low-Detection Threat With High-Cost Consequences
        "Security professionals rely on early detection signals to prioritize and contain incidents. But what happens when a fully capable RAT generates none? In a recent investigation, the ANY.RUN experts uncovered a new Go-based remote access trojan we named Moonrise. At the time of analysis, it wasn’t detected on VirusTotal and had no vendor signatures tied to it. That’s the problem teams can’t ignore: credential theft, remote command execution, and persistence can be active while static checks stay silent. The result is slower triage, and more escalations."
        https://any.run/cybersecurity-blog/cybersecurity-blog/moonrise-rat-detected/
      • Emulating The Mutative BlackByte Ransomware
        "Since its emergence, BlackByte has targeted organizations worldwide, including entities within U.S. critical infrastructure sectors such as Government, Financial Services, Manufacturing, and Energy. Its early activity prompted a joint advisory from the Federal Bureau of Investigation (FBI) and the U.S. Secret Service (USSS), highlighting the group’s rapid operational expansion. Its tradecraft includes exploiting vulnerabilities such as ProxyShell for initial access, leveraging vulnerable drivers to neutralize security controls, and deploying self-propagating ransomware with worm-like capabilities. Operators frequently abuse Living-off-the-Land Binaries (LoLBins) and legitimate commercial tools to blend malicious activity with normal system operations."
        https://www.attackiq.com/2026/02/25/emulating-blackbyte-ransomware/
      • CISA Warns That RESURGE Malware Can Be Dormant On Ivanti Devices
        "The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released new details about RESURGE, a malicious implant used in zero-day attacks exploiting CVE-2025-0282 to breach Ivanti Connect Secure devices. The update focuses on the implant's undetected latency on the appliances and its "sophisticated network-level evasion and authentication techniques" that enable covert communication with the attacker. CISA originally documented the malware on March 28 last year, saying that it can survive reboots, create webshells for stealing credentials, create accounts, reset passwords, and escalate privileges."
        https://www.bleepingcomputer.com/news/security/cisa-warns-that-resurge-malware-can-be-dormant-on-ivanti-devices/
      • Malicious Go “crypto” Module Steals Passwords And Deploys Rekoobe Backdoor
        "Socket’s Threat Research Team uncovered a malicious Go module, github[.]com/xinfeisoft/crypto, that imitates the legitimate golang.org/x/crypto codebase but inserts a backdoor in ssh/terminal/terminal.go. That choice was strategic: golang.org/x/crypto is one of the Go ecosystem’s foundational cryptography codebases, maintained by the Go project and widely relied on for primitives and packages such as bcrypt, argon2, chacha20, and ssh, which makes it a high-trust impersonation target in dependency graphs."
        https://socket.dev/blog/malicious-go-crypto-module-steals-passwords-and-deploys-rekoobe-backdoor
        https://thehackernews.com/2026/02/malicious-go-crypto-module-steals.html
      • Steaelite RAT Enables Double Extortion Attacks From a Single Panel
        "A new remote access trojan called Steaelite is being sold on underground cybercrime networks. The tool gives operators browser-based control over infected Windows machines, covering remote code execution, credential theft, live surveillance, file exfiltration, and ransomware deployment from a single dashboard. What makes Steaelite notable is what it bundles together: data theft and ransomware, traditionally separate parts of the cybercrime toolchain, are packaged into one web panel, with an Android ransomware module already in development."
        https://www.blackfog.com/steaelite-rat-double-extortion-from-single-panel/
        https://www.theregister.com/2026/02/27/double_extortion_whammy_steaelite_rat/
      • QuickLens Chrome Extension Steals Crypto, Shows ClickFix Attack
        "A Chrome extension named "QuickLens - Search Screen with Google Lens" has been removed from the Chrome Web Store after it was compromised to push malware and attempt to steal crypto from thousands of users. QuickLens was initially published as a Chrome extension that lets users run Google Lens searches directly in their browser. The extension grew to roughly 7,000 users and, at one point, received a featured badge from Google. However, on February 17, 2026, a new version 5.8 was released that contained malicious scripts that introduced ClickFix attacks and info-stealing functionality for those using the extension."
        https://www.bleepingcomputer.com/news/security/quicklens-chrome-extension-steals-crypto-shows-clickfix-attack/
      • What Defenders Need To Know About Iran’s Cyber Capabilities
        "With the current Iran crisis at its peak, cyber activity is a relevant part of the threat picture alongside kinetic and political pressure. Iran’s ecosystem includes multiple clusters aligned with state entities, the Islamic Revolutionary Guard Corps (IRGC) and the Ministry of Intelligence and Security (MOIS), as well as deniable operators and “hacktivist” groups. This ecosystem supports a broad set of objectives: espionage to gain intelligence and footholds; disruption and destructive activity, including DDoS attacks, pseudo-ransomware, and data wipers to impose costs; and information operations that pair destructive activity or data leaks with coordinated online amplification."
        https://blog.checkpoint.com/research/what-defenders-need-to-know-about-irans-cyber-capabilities/

      Breaches/Hacks/Leaks

      • 38 Million Allegedly Impacted By ManoMano Data Breach
        "Roughly 38 million people were likely impacted by a data breach at European DIY store chain ManoMano after hackers compromised a support portal. The attack occurred in January and was disclosed this week, when ManoMano started notifying the potentially affected customers of the incident. According to the company’s notification, copies of which were shared on X, the data was stolen after a customer service subcontractor was compromised."
        https://www.securityweek.com/38-million-allegedly-impacted-by-manomano-data-breach/
        https://securityaffairs.com/188582/data-breach/manomano-data-breach-impacted-38-million-customer-accounts.html
        https://www.theregister.com/2026/02/27/manomano_breach/
      • $4.8M In Crypto Stolen After Korean Tax Agency Exposes Wallet Seed
        "Someone jumped at the opportunity to steal $4.4 million in crypto assets after South Korea’s National Tax Service exposed publicly the mnemonic recovery phrase of a seized cryptocurrency wallet. The funds were stored in a Ledger cold wallet seized in law enforcement raids at 124 high-value tax evaders that resulted in confiscating digital assets worth 8.1 billion won (currently approximately $5.6 million). When announcing the success of the operation, the agency released photos of a Ledger device, a popular hardware wallet for crypto storage and management."
        https://www.bleepingcomputer.com/news/security/48m-in-crypto-stolen-after-korean-tax-agency-exposes-wallet-seed/
      • Claude Didn't Just Plan An Attack On Mexico's Government. It Executed One For a Month — Across Four Domains Your Security Stack Can't See.
        "Attackers jailbroke Anthropic’s Claude and ran it against multiple Mexican government agencies for approximately a month. They stole 150 GB of data from Mexico’s federal tax authority, the national electoral institute, four state governments, Mexico City’s civil registry, and Monterrey’s water utility, Bloomberg reported. The haul included documents related to 195 million taxpayer records, voter records, government employee credentials, and civil registry files. The attackers' weapon of choice wasn’t malware or sophisticated tradecraft created in stealth. It was a chatbot available to anyone."
        https://venturebeat.com/security/claude-mexico-breach-four-blind-domains-security-stack
        https://www.securityweek.com/hackers-weaponize-claude-code-in-mexican-government-cyberattack/
        https://securityaffairs.com/188696/ai/claude-code-abused-to-steal-150gb-in-cyberattack-on-mexican-agencies.html

      General News

      • Ukrainian Man Pleads Guilty To Running AI-Powered Fake ID Site
        "A Ukrainian man has pleaded guilty to operating OnlyFake, an AI-powered website that generated and sold more than 10,000 photos of fake identification documents to customers worldwide. 27-year-old Yurii Nazarenko (also known as "John Wick," "Tor Ford," and "Uriel Septimberus") admitted that his OnlyFake subscription-based platform used artificial intelligence to generate realistic-looking counterfeit passports, driver's licenses, and Social Security cards."
        https://www.bleepingcomputer.com/news/security/ukrainian-man-pleads-guilty-to-running-ai-powered-fake-id-site/
      • DeVry University’s CISO On Higher Education Cybersecurity Risk
        "In this Help Net Security interview, Fred Kwong, VP, CISO at DeVry University, outlines how the university balances academic openness with cyber risk. He describes how systems for students are separated from back end operations to limit exposure. Kwong also discusses how student data has changed over the past decade. Data is now centralized in learning management systems, which improves reporting but raises the stakes if a breach occurs. The interview also covers hybrid learning, identity protection, third party connections, and research security. With students logging in from unmanaged devices worldwide, layered controls, strong authentication, and active monitoring are central to protecting accounts and sensitive data."
        https://www.helpnetsecurity.com/2026/02/27/fred-kwong-devry-university-higher-education-cybersecurity-risk/
      • The CISO Role Keeps Getting Heavier
        "Personal liability is becoming a routine part of the CISO job. In Splunk’s 2026 CISO Report, titled From Risk to Resilience in the AI Era, 78% of CISOs said they are concerned about their own liability for security incidents, up from 56% last year. The role carries personal exposure alongside operational accountability, and that shift is influencing how security leaders approach risk, documentation, and board communication. The mandate continues to grow. Nearly all respondents said AI governance and risk management fall under their responsibility. Oversight of generative and other AI systems has joined established duties in detection, response, compliance, and reporting. Many CISOs are responsible for setting internal guardrails around how AI tools are used, what data they can access, and how outputs are reviewed before use in production environments."
        https://www.helpnetsecurity.com/2026/02/27/splunk-ciso-liability-risk-report/
      • UK Vulnerability Monitoring Service Cuts Unresolved Security Flaws By 75%
        "The UK government has claimed it has reduced its backlog of critical vulnerabilities by 75% and reduced cyber-attack fix times by 87%. Serious security weaknesses in public sector websites are fixed six times faster, cutting the average time from nearly two months to just over a week, the UK government said in an update published on 26 February. According to the official statement, the progress comes following the introduction of a specialist government vulnerability monitoring service (VMS), which came about as part of the blueprint for modern digital government policy paper published on January 21."
        https://www.infosecurity-magazine.com/news/uk-vuln-monitoring-service-cuts/
      • The Case For Why Better Breach Transparency Matters
        "Cybersecurity experts are calling for a major shift in how companies handle data breaches and security failures, arguing that greater transparency and specific detail disclosure about how and why they occur is essential if the industry hopes to effectively reduce cyber-risk. At the upcoming RSAC Conference, threat research experts Adam Shostack and Adrian Sanabria will make the case for greater incident transparency and the need for structured feedback loops in cybersecurity, in a session aptly titled "A Failure Is a Terrible Thing to Waste: The Case for Breach Transparency," scheduled for Monday, March 23."
        https://www.darkreading.com/cyberattacks-data-breaches/why-better-breach-transparency-matters
      • Agentic AI: The 2026 Threat Multiplier Reshaping Cyberattacks
        "There are several new threats emerging in 2026, though most are coming from groups that we’ve seen before. Ransomware groups like Qilin and Cl0p aren’t new, but they’re moving faster and using more sophisticated tactics. DireWolf and The Gentlemen were observed in 2025 but are becoming high-velocity groups with hundreds of new victims in 2026. One of the most dangerous new threats of 2026 is not a group but a tool that adds new capabilities and enables faster attacks. Threat actors have been using generative AI (GenAI) for years to write and localize phishing content and develop malware to infect their targets."
        https://blog.barracuda.com/2026/02/27/agentic-ai--the-2026-threat-multiplier-reshaping-cyberattacks
      • U.S. Attorney’s Office EDNC Announces Seizure Of $61 Million Dollars’ Worth Of Cryptocurrency
        "The United States Attorney’s Office for the Eastern District of North Carolina announced that federal agents seized over $61 million worth of Tether, a cryptocurrency pegged to the U.S. dollar. Investigators traced the seized funds to cryptocurrency addresses allegedly associated with the laundering of criminally derived proceeds stolen from victims of cryptocurrency investment scams, commonly known as a “pig butchering scheme”."
        https://www.justice.gov/usao-ednc/pr/us-attorneys-office-ednc-announces-seizure-61-million-dollars-worth-cryptocurrency
        https://thehackernews.com/2026/02/doj-seizes-61-million-in-tether-linked.html

      References
      Electronic Transactions Development Agency (ETDA)

      Posted in Cyber Security News
    • Cyber Threat Intelligence 27 February 2026

      Vulnerabilities

      • Trend Micro Patches Critical Apex One Vulnerabilities
        "TrendAI, the new name of Trend Micro’s enterprise business, on Wednesday announced patches for several critical and high-severity vulnerabilities found in the Windows and macOS versions of the Apex One endpoint security solution. A total of eight vulnerabilities have been addressed, including two with a critical severity rating based on their CVSS scores. The critical flaws both impact the Trend Micro Apex One management console and “could allow a remote attacker to upload malicious code and execute commands on affected installations”."
        https://www.securityweek.com/trend-micro-patches-critical-apex-one-vulnerabilities/
        https://success.trendmicro.com/en-US/solution/KA-0022458
        https://www.bleepingcomputer.com/news/security/trend-micro-warns-of-critical-apex-one-rce-vulnerabilities/
        https://securityaffairs.com/188572/security/trend-micro-fixes-two-critical-flaws-in-apex-one.html
      • Critical Juniper Networks PTX Flaw Allows Full Router Takeover
        "A critical vulnerability in the Junos OS Evolved network operating system running on PTX Series routers from Juniper Networks could allow an unauthenticated attacker to execute code remotely with root privileges. PTX Series routers are high-performance core and peering routers built for high throughput, low latency, and scale. They are commonly used by internet service providers, telecommunication services, and cloud network applications. The security issue is identified as CVE-2026-21902 and is caused by incorrect permission assignment in the ‘On-Box Anomaly Detection’ framework, which should be exposed to internal processes only over the internal routing interface."
        https://www.bleepingcomputer.com/news/security/critical-juniper-networks-ptx-flaw-allows-full-router-takeover/
        https://supportportal.juniper.net/s/article/2026-02-Out-of-Cycle-Security-Bulletin-Junos-OS-Evolved-PTX-Series-A-vulnerability-allows-a-unauthenticated-network-based-attacker-to-execute-code-as-root-CVE-2026-21902
      • Google API Keys Weren't Secrets. But Then Gemini Changed The Rules.
        "Google spent over a decade telling developers that Google API keys (like those used in Maps, Firebase, etc.) are not secrets. But that's no longer true: Gemini accepts the same keys to access your private data. We scanned millions of websites and found nearly 3,000 Google API keys, originally deployed for public services like Google Maps, that now also authenticate to Gemini even though they were never intended for it. With a valid key, an attacker can access uploaded files, cached data, and charge LLM-usage to your account. Even Google themselves had old public API keys, which they thought were non-sensitive, that we could use to access Google’s internal Gemini."
        https://trufflesecurity.com/blog/google-api-keys-werent-secrets-but-then-gemini-changed-the-rules
        https://www.bleepingcomputer.com/news/security/previously-harmless-google-api-keys-now-expose-gemini-ai-data/

      Malware

      • GTFire Phishing Scheme: Avoiding Detection Using Google Services
        "Over the past several years, phishing campaigns have evolved beyond simple spoofed emails and low-effort fake login pages. Modern threat actors increasingly rely on legitimate cloud services, trusted domains, and well-known technology platforms to blend malicious activity into normal internet traffic. One such campaign, tracked as GTFire, demonstrates how attackers can systematically abuse Google-owned infrastructure to distribute phishing pages, evade security controls, and harvest credentials from thousands of victims worldwide."
        https://www.group-ib.com/blog/gtfire-phishing-scheme/
      • New Dohdoor Malware Campaign Targets Education And Health Care
        "Talos discovered a multi-stage attack campaign targeting the victims in education and health care sectors, predominantly in the United States. The campaign involves a multi-stage attack chain, where initial access is likely achieved through social engineering phishing techniques. The infection chain executes a PowerShell script that downloads and runs a Windows batch script from a remote staging server through a URL. Subsequently, the batch script facilitates the download of a malicious Windows dynamic-link library (DLL), which is disguised as a legitimate Windows DLL file. The batch script then executes the malicious DLL dubbed as Dohdoor, by sideloading it to a legitimate Windows executable."
        https://blog.talosintelligence.com/new-dohdoor-malware-campaign/
        https://thehackernews.com/2026/02/uat-10027-targets-us-education-and.html
        https://securityaffairs.com/188558/apt/uat-10027-campaign-hits-u-s-education-and-healthcare-with-stealthy-dohdoor-backdoor.html
      • Exploring Aeternum C2: a New Botnet That Lives On The Blockchain
        "Botnets have always had an Achilles’ heel. Find the command-and-control server, seize the domain, or sinkhole the traffic, and the entire network goes dark. Law enforcement agencies and security vendors have relied on this weakness for years, dismantling operations like Emotet, TrickBot, and QakBot by targeting their centralized infrastructure. While monitoring cybercrime networks, Qrator Research Lab identified a new botnet loader called Aeternum C2 that appears to remove that weakness entirely."
        https://qrator.net/blog/details/Exploring-Aeternum-C2/
        https://thehackernews.com/2026/02/aeternum-c2-botnet-stores-encrypted.html
        https://hackread.com/aeternum-c2-botnet-polygon-blockchain/
        https://www.infosecurity-magazine.com/news/aeternum-botnet-c2-polygon/
      • ChatGPT In Your Inbox? Investigating Entra Apps That Request Unexpected Permissions
        "As Red Canary continues to observe OAuth application attacks in the wild, our Threat Research team is pivoting off real-world tradecraft to anticipate new innovations in attack techniques. The following research breaks down a hypothetical OAuth attack in Entra ID that leverages ChatGPT to ultimately gain access to a user’s email account. Using the framework we apply when analyzing data sources for detection, we’ll investigate detection and remediation strategies that can be applied more generally to OAuth consent attacks."
        https://redcanary.com/blog/threat-detection/entra-id-oauth-attacks/
        https://hackread.com/entra-id-oauth-consent-chatgpt-emails-access/
      • Fake Zoom And Google Meet Scams Install Teramind: A Technical Deep Dive
        "On February 24, 2026, we published an article about how a fake Zoom meeting “update” silently installs monitoring software, documenting a campaign that used a convincing fake Zoom waiting room to push a legitimate Teramind installer abused for unauthorized surveillance onto Windows machines. Teramind has stated they are not affiliated with the threat actors described, did not deploy the software referenced, and condemn any unauthorized misuse of commercial monitoring technologies."
        https://www.malwarebytes.com/blog/threat-intel/2026/02/fake-zoom-and-google-meet-scams-install-teramind-a-technical-deep-dive
      • APT37 Adds New Capabilities For Air-Gapped Networks
        "In December 2025, Zscaler ThreatLabz discovered a campaign linked to APT37 (also known as ScarCruft, Ruby Sleet, and Velvet Chollima), which is a DPRK-backed threat group. In this campaign, tracked as Ruby Jumper by ThreatLabz, APT37 uses Windows shortcut (LNK) files to initiate an attack that utilizes a set of newly discovered tools. These tools, RESTLEAF, SNAKEDROPPER, THUMBSBD, and VIRUSTASK, download a payload that delivers FOOTWINE and BLUELIGHT, which enable surveillance on a victim’s system."
        https://www.zscaler.com/blogs/security-research/apt37-adds-new-capabilities-air-gapped-networks
      • Variations Of The ClickFix
        "About a year ago, we published a post about the ClickFix technique, which was gaining popularity among attackers. The essence of attacks using ClickFix boils down to convincing the victim, under various pretexts, to run a malicious command on their computer. That is, from the cybersecurity solutions point of view, it’s run on behalf of the active user and with their privileges. In early uses of this technique, cybercriminals tried to convince victims that they need to execute a command to fix some problem or to pass a captcha, and in the vast majority of cases, the malicious command was a PowerShell script."
        https://www.kaspersky.com/blog/clickfix-attack-variations/55340/

      Breaches/Hacks/Leaks

      • European DIY Chain ManoMano Data Breach Impacts 38 Million Customers
        "DIY store chain ManoMano is notifying customers of a data breach that was caused by hackers compromising a third-party service provider. The company confirmed to BleepingComputer that it learned of the hack in January 2026. An investigation into the incident determined that 38 million individuals are affected. “We can confirm that ManoMano has recently notified customers about a security incident involving one of our third-party customer service providers (a subcontractor),” the company told BleepingComputer."
        https://www.bleepingcomputer.com/news/security/european-dyi-chain-manomano-data-breach-impacts-38-million-customers/
      • Olympique Marseille Confirms 'attempted' Cyberattack After Data Leak
        "French professional football club Olympique de Marseille has confirmed a cyberattack after a threat actor claimed on Monday that it breached the club's systems earlier this month. Founded 126 years ago, Olympique Marseille competes in the Ligue 1, the top tier of the French football league system, and was the first French club to win the UEFA Champions League in 1993. On Tuesday, Olympique Marseille issued a statement confirming that it had been hit by a cyberattack, following claims by a threat actor that they had breached some of its servers."
        https://www.bleepingcomputer.com/news/security/olympique-marseille-football-club-confirms-cyberattack-after-data-leak/

      General News

      • The ENISA Cybersecurity Exercise Methodology
        "The methodology offers an end-to-end theoretical framework for planning, running and evaluating cybersecurity exercises. It ensures the right profiles and stakeholders are involved at the right time. It provides theoretical material based on lessons identified, industry best practices and cybersecurity expertise, and is designed to be used alongside a support toolkit, including a set of templates and guiding material to empower planners to organise effective exercises."
        https://www.enisa.europa.eu/publications/the-enisa-cybersecurity-exercise-methodology
        https://www.enisa.europa.eu/sites/default/files/2026-02/The ENISA Cybersecurity Exercise Methodology.pdf
        https://cyble.com/blog/enisa-cybersecurity-exercise-methodology/
      • The $19.5 Million Insider Risk Problem
        "Routine employee activity across corporate systems carries an average annual cost of $19.5 million per organization. That figure comes from the 2026 Cost of Insider Risks Global Report, conducted by the Ponemon Institute and based on data from 354 organizations that experienced one or more material insider related incidents over the past year."
        https://www.helpnetsecurity.com/2026/02/26/insider-risk-costs-2026/
      • Open-Source Security Debt Grows Across Commercial Software
        "Open source code sits inside nearly every commercial application, and development teams continue to add new dependencies. Black Duck’s 2026 Open Source Security and Risk Analysis Report data shows that nearly all audited codebases contain open source components, with average component counts rising sharply over the past year. That growth brings a parallel increase in exposure. Mean vulnerabilities per codebase climbed from 280 to 581 in one year, more than doubling. Median vulnerabilities also rose. The spread between mean and median points to a long tail of heavily burdened applications, including extreme outliers with tens of thousands of findings."
        https://www.helpnetsecurity.com/2026/02/26/open-source-vulnerability-surge-risk-analysis/
      • Total Ransomware Payments Stagnate For Second Consecutive Year, While Attacks Escalate
        "Ransomware today is best understood not as isolated attacks, but rather as an interconnected marketplace of access, infrastructure, and monetization services. In 2025, total on-chain payments remained relatively stagnant even as claimed attacks increased and median ransom sizes rose. At the same time, coordinated law enforcement actions and sanctions increasingly targeted the infrastructure layer — including bulletproof hosting providers — increasing costs across both cybercrime syndicates and state-linked actors."
        https://www.chainalysis.com/blog/crypto-ransomware-2026/
        https://www.bleepingcomputer.com/news/security/ransomware-payment-rate-drops-to-record-low-as-attacks-surge/
        https://therecord.media/ransomware-payments-chainalysis-cybercrime
      • National Cyber Resilience In The AI Era
        "Cyber security is no longer something that happens quietly in server rooms or security operations centers. It now affects fuel availability, hospital operations, elections, financial markets, and public trust. What has changed is not just the volume of cyber attacks, but their intent. Adversaries are no longer satisfied with stealing data. They are embedding themselves into systems, waiting patiently, and positioning for disruption at moments of national stress. Cloud platforms, AI systems, and operational technology have dramatically expanded the attack surface, turning digital risk into national risk."
        https://blog.checkpoint.com/executive-insights/national-cyber-resilience-in-the-ai-era/
      • Project Compass: First Operational Results Against The Com Network
        "In its first year of operation, Project Compass has delivered concrete operational results against “The Com”, a decentralised extremist network targeting minors and vulnerable individuals both online and offline. Coordinated by Europol’s European Counter Terrorism Centre, the initiative brings together law enforcement authorities from EU Member States, as well as Norway, Switzerland, the United Kingdom, the United States, Canada, Australia, and New Zealand. The project strengthens cross-border cooperation to prevent, detect and investigate the criminal activities linked to this network."
        https://www.europol.europa.eu/media-press/newsroom/news/project-compass-first-operational-results-against-com-network
        https://www.bankinfosecurity.com/police-target-violent-online-predators-incubated-by-com-a-30856
        https://cyberscoop.com/project-compass-the-com-europol/
      • Fraudsters Integrate ChatGPT Into Global Scam Campaigns
        "AI models are being folded into fraud and influence operations that follow long standing tactics. A February 2026 update to OpenAI’s Disrupting Malicious Uses of Our Models report details how ChatGPT and related API access were used in romance scams, fake legal services, coordinated influence campaigns, and a state linked harassment effort."
        https://www.helpnetsecurity.com/2026/02/26/openai-malicious-chatgpt-use-report/
      • Telegram Rises To Top Spot In Job Scam Activity
        "Encrypted messaging platforms are becoming a primary channel for Authorised Push Payment (APP) fraud, with Telegram representing a growing share of reported cases, according to the Revolut report. The platform generates over 20% of authorised fraud origination, surpassing WhatsApp and posting growth of more than 30% in its share of scam cases compared to 2024."
        https://www.helpnetsecurity.com/2026/02/26/telegram-job-scams-activity/
        https://assets.revolut.com/pdf/Revolut_Consumer_Security_and_FinCrime_Report_compressed.pdf
      • Darktrace Flags 32 Million Phishing Emails In 2025 As Identity Attacks Intensify
        "More than 32 million high-confidence phishing emails were detected by Darktrace in 2025, showcasing a substantial escalation in identity-driven cyber threats. The data was collected by Darktrace from incidents across its global customer base and points to a year defined by automation, convergence and accelerating attacker speed. Over 8.2 million phishing emails targeted VIPs, accounting for more than 25% of all observed phishing attempts."
        https://www.infosecurity-magazine.com/news/32m-phishing-emails-detected-2025/
        https://www.darktrace.com/resource/annual-threat-report-2026
        https://cdn.prod.website-files.com/626ff19cdd07d1258d49238d/699db1ba8d377a68f7d697b7_Threat Report 2026 v4.pdf
      • Exploitable Vulnerabilities Present In 87% Of Organizations
        "Eighty-seven percent of organizations have at least one exploitable software vulnerability in production, affecting 40% of all services, a new report from DataDog has revealed. The observability and security specialist revealed the findings in its State of DevSecOps Report, which is based on telemetry from tens of thousands of applications and additional datasets. It noted that vulnerabilities are most common in Java services (59%), followed by .NET (47%) and Rust (40%)."
        https://www.infosecurity-magazine.com/news/exploitable-vulnerabilities-in-87/
      • Four Risks Boards Cannot Treat As Background Noise
        "The year 2025 redefined the cyber threat landscape, as attacks escalated from data breaches to crippling business-wide disruptions. Last year’s cyberattack on Jaguar Land Rover halted production lines for five weeks, prompting the British government to step in with a $2 billion bailout. This episode captures what changed in 2025: Rather than stolen data making headlines, it was business stoppage that triggered attention. Moving into 2026, the board’s focus should be on ensuring business continuity and building resilience in the face of emerging risks generated by AI usage and attack vectors, quantum computing and geopolitics."
        https://www.securityweek.com/four-risks-boards-cannot-treat-as-background-noise/
      • Expert Recommends: Prepare For PQC Right Now
        "Digital evolution is unstoppable, and though the pace may vary, things tend to fall into place sooner rather than later. That, of course, applies to adversaries as well. The rise of ransomware and cyber extortion generated funding for a complex and highly professional criminal ecosystem. The era of the cloud brought general availability of almost infinite amounts of storage. So there is literally nothing that stops criminals from stealing and trafficking heaps of data, be it encrypted or not."
        https://thehackernews.com/2026/02/expert-recommends-prepare-for-pqc-right.html
      • 2026 State Of Software Security: Risky Debt Is Rising, But Your Strategy Starts Here
        "You can’t fix what you ignore. For years, organizations have raced to deploy software faster, often leaving a trail of unresolved vulnerabilities in their wake. We call this trail security debt, or flaws that are left unresolved over a year since being discovered, and it isn’t just a technical metric. It’s a compounding business risk that is growing harder to manage every year. Today, we are releasing the 2026 State of Software Security (SoSS) report. The data is clear: the volume of risky code lingering in codebases is expanding, and high-severity flaws are becoming more common. But this year’s report offers more than just a warning. It provides a structured, data-backed strategy to regain control."
        https://www.veracode.com/blog/2026-state-of-software-security-report-risky-security-debt/
        https://www.theregister.com/2026/02/26/veracode_security_ai/
      • Preparing For Russia’s New Generation Warfare In Europe
        "Since its full-scale invasion of Ukraine in February 2022, Russia has waged what we assess is largely opportunistic, though increasingly aggressive, hybrid warfare in NATO territory. Moscow has very likely not yet leveraged its full capability to integrate cyber, political, and sabotage tools into a full-scale campaign. Over the next two years, Russian President Vladimir Putin will likely escalate Russia’s hybrid warfare campaign against NATO members into a full-fledged campaign likely consistent with a Russian military doctrine called New Generation Warfare (NGW)."
        https://www.recordedfuture.com/research/preparing-for-russias-new-generation-warfare-in-europe

      References
      Electronic Transactions Development Agency (ETDA)

      Posted in Cyber Security News
    • Key AI Risks to Security and Society in 2026

      1. Types of risk arising from artificial intelligence (AI)
      • Risk of AI being put to malicious use
        AI can be used by malicious actors to make cyberattacks more effective: crafting convincing scam emails or messages, forging images, audio or video (deepfakes) for fraud or intimidation, and mass-producing and spreading disinformation to sway public opinion. This makes scams more realistic and lets them spread faster than before.

      • Risk of errors by AI systems
        Although AI is highly capable, it can still return inaccurate information or generate content that is wrong yet looks credible, which can cause real harm when relied on in high-stakes contexts such as medicine, finance or law. Increasingly complex systems may also act beyond their intended scope if proper oversight and review are lacking.

      • Structural risks to society
        The spread of AI may reshape the labour market, particularly data and clerical work, changing employment patterns and widening income inequality. At the same time, over-reliance on AI can erode human critical-thinking skills and, in some cases, affect social interaction or mental well-being.

      2. Approaches to mitigating and preventing these risks
      • Use AI critically; verify information against multiple sources before believing or sharing it
      • Use AI as a decision-support tool, not as a replacement for human judgement
      • Avoid disclosing personal data unnecessarily
      • Keep developing digital and critical-thinking skills
      3. Additional security recommendations
      • Enable multi-factor authentication (MFA) and configure the security settings of online accounts appropriately
      • Be wary of content that creates panic or urges immediate action
      • Verify the authenticity of audio or video clips before transferring money or sharing sensitive information
      • Promote learning and awareness about AI within families and organisations

      Key point: Artificial intelligence can deliver enormous benefits when used responsibly, carefully and with awareness. Cooperation between government, the private sector and the public will be the key mechanism for building a secure and sustainable digital society.

      4. Reference: https://dg.th/g057uz32qe

      Posted in Cyber Security News
    • 🚨 Cyber Threat Alert: SolarWinds Serv-U Vulnerabilities Risk Remote Takeover

      ThaiCERT has been monitoring the cyber threat landscape and has identified four critical-severity vulnerabilities in SolarWinds Serv-U Managed File Transfer (MFT) software. They could allow an attacker to execute code remotely (Remote Code Execution: RCE) and escalate privileges to take control of the server at Root/Administrator level.

      1. Vulnerability details
        1.1 CVE-2025-40538 – Broken Access Control, CVSS v3.1 score: 9.1 (Critical). Caused by improper access control: an attacker who already holds high-level privileges could create an administrator account and run commands at Root/Administrator level.
        1.2 CVE-2025-40539 – Type Confusion, CVSS v3.1 score: 9.1 (Critical). Caused by improper handling of data types, leading the system to process data as the wrong type, which may result in native code execution.
        1.3 CVE-2025-40540 – Type Confusion, CVSS v3.1 score: 9.1 (Critical). A flaw in memory or data-type handling that could be used to execute commands remotely.
        1.4 CVE-2025-40541 – Insecure Direct Object Reference (IDOR), CVSS v3.1 score: 9.1 (Critical). Caused by access to internal system resources without proper authorisation checks; it could be chained with system processes to execute code remotely.
      2. Affected versions
        • SolarWinds Serv-U 15.5
      3. Fixed versions
        • SolarWinds Serv-U 15.5.4
      4. Remediation and prevention
        4.1 Update to Serv-U version 15.5.4 immediately
        4.2 Enable Multi-Factor Authentication (MFA)
      5. If you cannot update immediately (temporary mitigations)
        5.1 Disable or restrict access to the Web Management Interface; do not expose it to the public internet
        5.2 Restrict high-privilege user accounts: disable unnecessary accounts, remove accounts of unknown origin, and change the passwords of all administrator accounts
        5.3 Limit the ports in use and close any unnecessary ports or services
      6. References
        6.1 https://dg.th/vly3ebz7n9
        6.2 https://dg.th/k6cv1e4wfx
        6.3 https://dg.th/nucmbe01ql
        6.4 https://dg.th/5pneah9zmx
        6.5 https://dg.th/xoq9c1zumg
        6.6 https://dg.th/tb9y8nuiha
        Although no widespread exploitation has been reported yet, the Critical severity rating and the involvement of system privilege escalation mean the update should be applied as soon as possible.
        #CyberSecurity #SolarWinds #ServU #CriticalVulnerability #RCE #PatchNow #ThaiCERT

      Posted in Cyber Security News
    • 🚨 Urgent! VMware Aria Operations vulnerabilities risk system takeover

      ThaiCERT, the national computer security coordination centre, is alerting system administrators and organisations that use VMware products to three high-severity vulnerabilities that could allow an attacker to take control of systems without authenticating.

      1. Vulnerability details

      1.1 CVE-2026-22719 (CVSS v3.1: 8.1)
      A Command Injection vulnerability that could allow an attacker to execute malicious code (Remote Code Execution: RCE), particularly during the product migration process.
      1.2 CVE-2026-22720 (CVSS v3.1: 8.0)
      A Stored Cross-Site Scripting (Stored XSS) vulnerability: an attacker can inject malicious scripts through the Custom Benchmarks creation function so that they run with administrator privileges.
      1.3 CVE-2026-22721
      A Privilege Escalation vulnerability that could be used to gain Administrator-level access to system resources beyond what was granted.

      2. Affected products
        2.1 VMware Aria Operations: versions prior to 8.18.6
        2.2 VMware Cloud Foundation: versions prior to 9.0.2.0
        2.3 VMware vSphere Foundation: versions prior to 9.0.2.0
        Any deployment running a version lower than those listed is considered at risk.

      3. Remediation and prevention
        3.1 Update to the latest version

      • VMware Aria Operations version 8.18.6 or later
      • VMware Cloud Foundation / vSphere Foundation version 9.0.2.0
        3.2 Monitoring
        Review system logs, particularly around data migration or any configuration changes that look unusual.
      4. If you cannot update immediately
        4.1 Block access to the Management Interface from the internet
        4.2 Restrict access to internal organisational IP addresses or VPN only
        4.3 Reduce privileges and review administrator (Administrator) accounts
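      Both the Serv-U advisory and this VMware advisory boil down to "anything below the first fixed build needs the patch". A common triage mistake is comparing version strings lexically, which ranks 8.18.10 below 8.18.6. The following Python helper is an added example, not code from ThaiCERT, SolarWinds or VMware: the fixed versions are copied from the two posts, the host inventory is a constructed sample, and the rule that every build lower than the first fixed version is flagged is this example's own conservative assumption.

```python
"""Version triage helper for the Serv-U and Aria Operations advisories above.

Fixed versions are copied from the two ThaiCERT posts; the host inventory is a
constructed sample, and the "anything below the first fixed build needs review"
rule is this example's own conservative assumption.
"""
import re


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '15.5.4' into (15, 5, 4) so versions compare numerically.

    Comparing strings would rank '8.18.10' below '8.18.6' because '1' < '6';
    integer tuples avoid that classic triage mistake.
    """
    parts = re.findall(r"\d+", version)
    if not parts:
        raise ValueError(f"no numeric components in version {version!r}")
    return tuple(int(p) for p in parts)


def version_lt(a: str, b: str) -> bool:
    """True when version a is strictly lower than b; '15.5' is treated as '15.5.0'."""
    ta, tb = parse_version(a), parse_version(b)
    width = max(len(ta), len(tb))
    ta += (0,) * (width - len(ta))
    tb += (0,) * (width - len(tb))
    return ta < tb


# First fixed build per product, as stated in the two advisories above.
FIXED_VERSIONS = {
    "SolarWinds Serv-U": "15.5.4",
    "VMware Aria Operations": "8.18.6",
    "VMware Cloud Foundation": "9.0.2.0",
    "VMware vSphere Foundation": "9.0.2.0",
}


def is_affected(product: str, version: str):
    """None when the product is not covered by either advisory, otherwise a bool."""
    fixed = FIXED_VERSIONS.get(product)
    if fixed is None:
        return None
    return version_lt(version, fixed)


def triage(inventory):
    """Return (host, product, version, fixed_version) for every host that needs the patch."""
    return [
        (host, product, version, FIXED_VERSIONS[product])
        for host, product, version in inventory
        if is_affected(product, version)
    ]


# Constructed sample inventory (hostnames are placeholders, not real assets).
SAMPLE_INVENTORY = [
    ("mft-01.example.internal", "SolarWinds Serv-U", "15.5"),
    ("mft-02.example.internal", "SolarWinds Serv-U", "15.5.4"),
    ("aria-01.example.internal", "VMware Aria Operations", "8.18.10"),
    ("aria-02.example.internal", "VMware Aria Operations", "8.18.5"),
    ("vcf-01.example.internal", "VMware Cloud Foundation", "9.0.1.0"),
    ("web-01.example.internal", "nginx", "1.26.0"),  # outside both advisories
]

if __name__ == "__main__":
    for host, product, version, fixed in triage(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} -> update to {fixed}")
```

      Feeding your real CMDB export into `triage()` in place of `SAMPLE_INVENTORY` gives a patch list; hosts whose product is not in `FIXED_VERSIONS` are skipped rather than silently treated as safe, so extend the table when a new advisory arrives.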

      References
      1. https://dg.th/8y4h0zi3ed
      2. https://dg.th/5jms1gdn3e
      3. https://dg.th/319i0lrufz
      4. https://dg.th/rpxf2wjvac

      Posted in Cyber Security News
    • CISA adds one exploited vulnerability to its catalog

      On 24 February 2026, the Cybersecurity and Infrastructure Security Agency (CISA) added one new vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation:

      • CVE-2026-25108 Soliton Systems K.K. FileZen OS Command Injection Vulnerability

      CISA continuously updates the KEV catalog with new entries so that it reflects the risks actually being exploited now and in the future.

      References
      https://www.cisa.gov/news-events/alerts/2026/02/24/cisa-adds-one-known-exploited-vulnerability-catalog

      Follow news on the webboard or on Facebook NCSA Thailand

      Posted in Cyber Security News
    • CISA releases five Industrial Control Systems (ICS) advisories

      On 26 February 2569 (Buddhist Era, i.e. 2026), the Cybersecurity and Infrastructure Security Agency (CISA) released five advisories on industrial control systems (ICS) to provide timely information about security issues, vulnerabilities and exploits involving ICS. The advisories are:

      • ICSA-26-055-01 InSAT MasterSCADA BUK-TS
      • ICSA-26-055-02 Schneider Electric EcoStruxure Building Operation Workstation
      • ICSA-26-055-03 Gardyn Home Kit IoT Device
      • ICSA-22-202-04 ICONICS Suite and Mitsubishi Electric MC Works64 Products (Update C)
      • ICSA-24-296-01 Mitsubishi Electric Iconics Digital Solutions and Mitsubishi Electric Products (Update C)

      CISA recommends that users and administrators review the newly released ICS advisories for technical details and mitigations.

      References
      https://www.cisa.gov/news-events/ics-advisories
      Follow news on the webboard or on Facebook NCSA Thailand

      Posted in OT Cyber Security News
    • Cyber Threat Intelligence 26 February 2026

      Financial Sector

      • PCI Council Says Threats To Payments Systems Are Speeding Up
        "A new report on the payment card industry (PCI) reflects an increased dependency on global coordination to address threats that are growing more sophisticated, and expanding the remit for the trade group itself. The PCI Security Standards Council (SSC) 2025 annual report highlighted training, education, collaboration, and outreach initiatives conducted throughout the year to advance payment security worldwide for merchants, retailers, and vendors. It is the first time the group has published a report since its founding in 2006."
        https://www.darkreading.com/cyber-risk/pci-council-threats-payments-systems-speeding-up
        https://www.pcisecuritystandards.org/about_us/annual-report/

      Industrial Sector

      • 'Richter Scale' Model Measures Magnitude Of OT Cyber Incidents
        "A newly developed method for gauging the impact of an OT cybersecurity incident could pave the way for more accurate measurement and response to an event, and also shine light on risk and business ramifications. The Operational Technology Incident (OTI) Impact Score — which will be unveiled today at the ICS/OT industry's S4x26 Conference in Miami — aims to provide rapid clarity on the actual effects of OT cyber incidents, which often get over- or under-hyped, according to Dale Peterson, co-creator of the OTI model and head of ICS/OT consulting and research firm Digital Bond."
        https://www.darkreading.com/ics-ot-security/richter-scale-model-measures-cyber-incidents

      Vulnerabilities

      • Critical Cisco SD-WAN Bug Exploited In Zero-Day Attacks Since 2023
        "Cisco is warning that a critical authentication bypass vulnerability in Cisco Catalyst SD-WAN, tracked as CVE-2026-20127, was actively exploited in zero-day attacks that allowed remote attackers to compromise controllers and add malicious rogue peers to targeted networks. CVE-2026-20127 has a maximum severity of 10.0 and impacts Cisco Catalyst SD-WAN Controller (formerly vSmart) and Cisco Catalyst SD-WAN Manager (formerly vManage) in on-prem and SD-WAN Cloud installations. Cisco credited the Australian Signals Directorate's Australian Cyber Security Centre (ASD's ACSC) for reporting the vulnerability."
        https://www.bleepingcomputer.com/news/security/critical-cisco-sd-wan-bug-exploited-in-zero-day-attacks-since-2023/
        https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa-EHchtZk
        https://blog.talosintelligence.com/uat-8616-sd-wan/
        https://www.cisa.gov/news-events/alerts/2026/02/25/cisa-and-partners-release-guidance-ongoing-global-exploitation-cisco-sd-wan-systems
        https://cyberscoop.com/cisco-zero-days-cisa-emergency-directive-five-eyes/
        https://www.helpnetsecurity.com/2026/02/25/cisco-sd-wan-zero-day-cve-2026-20127/
      • Zyxel Warns Of Critical RCE Flaw Affecting Over a Dozen Routers
        "Taiwan networking provider Zyxel has released security updates to address a critical vulnerability affecting over a dozen router models that can allow unauthenticated attackers to gain remote command execution on unpatched devices. Tracked as CVE-2025-13942, this command injection security flaw was found in the UPnP function of Zyxel 4G LTE/5G NR CPE, DSL/Ethernet CPE, Fiber ONTs, and wireless extenders. Zyxel says that unauthenticated remote attackers can exploit it to execute operating system (OS) commands on an affected device using maliciously crafted UPnP SOAP requests."
        https://www.bleepingcomputer.com/news/security/zyxel-warns-of-critical-rce-flaw-affecting-over-a-dozen-routers/
        https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-null-pointer-dereference-and-command-injection-vulnerabilities-in-certain-4g-lte-5g-nr-cpe-dsl-ethernet-cpe-fiber-onts-security-routers-and-wireless-extenders-02-24-2026
        https://securityaffairs.com/188501/security/critical-zyxel-router-flaw-exposed-devices-to-remote-attacks.html
      • CISA Adds Two Known Exploited Vulnerabilities To Catalog
        "CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
        CVE-2022-20775 Cisco Catalyst SD-WAN Path Traversal Vulnerability
        CVE-2026-20127 Cisco Catalyst SD-WAN Controller and Manager Authentication Bypass Vulnerability"
        https://www.cisa.gov/news-events/alerts/2026/02/25/cisa-adds-two-known-exploited-vulnerabilities-catalog
        https://www.cisa.gov/news-events/directives/ed-26-03-mitigate-vulnerabilities-cisco-sd-wan-systems
        https://therecord.media/five-eyes-warn-hackers-exploit-cisco-sd-wan
        https://www.bankinfosecurity.com/feds-scramble-amid-shutdown-to-secure-cisco-sd-wan-systems-a-30849
      • Check Point Researchers Expose Critical Claude Code Flaws
        "As organizations rapidly adopt agentic AI development tools into enterprise workflows, the trust boundaries between configuration and execution are increasingly blurred. Check Point Research identified critical vulnerabilities in Anthropic’s Claude Code that enabled remote code execution and API credential theft through malicious repository-based configuration files. By abusing built-in mechanisms such as Hooks, Model Context Protocol (MCP) integrations, and environment variables, attackers could execute arbitrary shell commands and exfiltrate API keys when developers cloned and opened untrusted projects – without any additional action beyond launching the tool."
        https://blog.checkpoint.com/research/check-point-researchers-expose-critical-claude-code-flaws/
        https://research.checkpoint.com/2026/rce-and-api-token-exfiltration-through-claude-code-project-files-cve-2025-59536/
        https://www.darkreading.com/application-security/flaws-claude-code-developer-machines-risk
        https://thehackernews.com/2026/02/claude-code-flaws-allow-remote-code.html
        https://securityaffairs.com/188508/security/untrusted-repositories-turn-claude-code-into-an-attack-vector.html
        https://www.theregister.com/2026/02/26/clade_code_cves/

      Malware

      • Developer-Targeting Campaign Using Malicious Next.js Repositories
        "Microsoft Defender Experts identified a coordinated developer-targeting campaign delivered through malicious repositories disguised as legitimate Next.js projects and technical assessment materials. Telemetry collected during this investigation indicates the activity aligns with a broader cluster of threats that use job-themed lures to blend into routine developer workflows and increase the likelihood of code execution."
        https://www.microsoft.com/en-us/security/blog/2026/02/24/c2-developer-targeting-campaign/
        https://www.bleepingcomputer.com/news/security/fake-nextjs-job-interview-tests-backdoor-developers-devices/
        https://www.darkreading.com/cyberattacks-data-breaches/malicious-nextjs-repos-developers-fake-job-interviews
        https://www.theregister.com/2026/02/25/jobseeking_nextjs_devs_attack/
      • Abusing Windows File Explorer And WebDAV For Malware Delivery
        "Cofense Intelligence has been tracking how threat actors are abusing Windows File Explorer’s ability to retrieve remote files over Web-based Distributed Authoring and Versioning (WebDAV), an HTTP-based file management protocol, to trick victims into downloading malware. WebDAV is a relatively unpopular method of file transfer and remote file storage nowadays, but it is natively supported within the Windows File Explorer (though deprecated as of November 2023) as a way of remotely accessing a file server."
        https://cofense.com/blog/abusing-windows-file-explorer-and-webdav-for-malware-delivery
      • Unmasking Agent Tesla: A Deep Dive Into a Multi-Stage Campaign
        "Agent Tesla remains one of the most persistent threats in the cyber landscape today. It allows even low-skilled threat actors to harvest sensitive data through a highly sophisticated delivery pipeline. This research blog breaks down a recent multi-stage infection chain that utilizes a blend of phishing, obfuscated and encrypted scripts, and advanced in-memory execution and evasion techniques."
        https://www.fortinet.com/blog/threat-research/unmasking-agent-tesla-deep-dive-into-multi-stage-campaign
      • Oblivion: The New $300 Android RAT That Beats Every Major Phone Manufacturer’s Security
        "Every so often, a piece of malware surfaces that feels like a genuine step-change. Not just another recycled threat, but something built from the ground up to be harder to stop. Oblivion, a newly emerged Android Remote Access Trojan (RAT), is being positioned as exactly that. Certo’s security researchers have been analyzing the threat — and the evidence suggests the claim deserves serious attention. Advertised openly on a clear web hacking forum and backed by a full video demonstration, Oblivion targets Android devices running versions 8 through 16. That covers virtually every Android phone in active use today."
        https://www.certosoftware.com/insights/oblivion-the-new-300-android-rat-that-beats-every-major-phone-manufacturers-security/
        https://hackread.com/android-malware-oblivion-fake-updates-hijack-phones/
      • Malicious NuGet Package Targets Stripe
        "In December 2025, the ReversingLabs research team wrote about a malicious NuGet campaign that targeted developers and packages linked to cryptocurrency platforms such as Coinbase, Binance, Solana and Nethereum. Following that, the malicious NuGet activity appeared to slow. However, our researchers recently discovered a malicious package that mimics Stripe.net, a NuGet package by the popular online payments platform with more than 70 million downloads. The latest incident shows that while the threat actors have shifted away from blockchain-related targets on NuGet, they remain active and focused on the financial sector."
        https://www.reversinglabs.com/blog/malicious-nuget-package-targets-stripe
        https://www.infosecurity-magazine.com/news/malicious-nuget-package-stripe-devs/
      • Exposing The Undercurrent: Disrupting The GRIDTIDE Global Cyber Espionage Campaign
        "Last week, Google Threat Intelligence Group (GTIG), Mandiant, and partners took action to disrupt a global espionage campaign targeting telecommunications and government organizations in dozens of nations across four continents. The threat actor, UNC2814, is a suspected People's Republic of China (PRC)-nexus cyber espionage group that GTIG has tracked since 2017. This prolific, elusive actor has a long history of targeting international governments and global telecommunications organizations across Africa, Asia, and the Americas and had confirmed intrusions in 42 countries when the disruption was executed. The attacker was using API calls to communicate with SaaS apps as command-and-control (C2) infrastructure to disguise their malicious traffic as benign, a common tactic used by threat actors when attempting to improve the stealth of their intrusions."
        https://cloud.google.com/blog/topics/threat-intelligence/disrupting-gridtide-global-espionage-campaign
        https://thehackernews.com/2026/02/google-disrupts-unc2814-gridtide.html
        https://www.securityweek.com/google-disrupts-chinese-cyberespionage-campaign-targeting-telecoms-governments/
        https://www.theregister.com/2026/02/25/google_and_friends_disrupt_unc2814/
      • Cyber Intel Brief: Scattered Lapsus$ Hunters (SLH) Kicks Off Campaign To Recruit Women
        "On February 22, 2026, Dataminr detected activity on a public Telegram board indicating that the Scattered Lapsus$ Hunters (SLH) hacking collective is recruiting women for an upcoming vishing-based social engineering campaign. The group is offering to pay recruited individuals $500 to $1,000 upfront per call and promises to provide the necessary scripts for the operation. This recruitment drive represents a calculated evolution in SLH’s tactics. By specifically seeking female voices, the group likely aims to bypass the “traditional” profiles of attackers that IT help desk staff may be trained to identify, thereby increasing the effectiveness of their impersonation efforts."
        https://www.dataminr.com/resources/intel-brief/slh-recruiting-women-for-vishing/
        https://thehackernews.com/2026/02/slh-offers-5001000-per-call-to-recruit.html
      • Four Malicious NuGet Packages Target ASP.NET Developers With JIT Hooking And Credential Exfiltration
        "Socket's Threat Research Team discovered a NuGet supply chain attack involving four malicious packages targeting ASP.NET web application developers. The campaign deploys a multi-stage payload where NCryptYo acts as a stage-1 dropper that establishes a local proxy on localhost:7152, while companion packages DOMOAuth2_ and IRAOAuth2.0 exfiltrate ASP.NET Identity data (user accounts, role assignments, permission mappings) and accept threat actor-controlled authorization rules that create persistent backdoors in victim applications. SimpleWriter_ adds unconditional file writing and hidden process execution to the toolkit. All four packages were published between August 12-21, 2024 by threat actor hamzazaheer. Together, these packages have accumulated a little over 4,500 downloads so far. We've submitted takedown requests to the NuGet security team."
        https://socket.dev/blog/four-malicious-nuget-packages-target-asp-net-developers-with-jit-hooking-and-credential
        https://thehackernews.com/2026/02/malicious-nuget-packages-stole-aspnet.html
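        The two NuGet items above (the Stripe.net look-alike and the four packages Socket names) share one defensive check: audit what a project actually references, both against known-bad IDs and against near-misses of popular IDs. The following is an added example, not code from ReversingLabs, Socket or any package author. The blocklist holds the four package IDs named in the Socket report; the trusted list, the similarity threshold and the sample .csproj (including the stand-in look-alike "Strlpe.net") are constructed for this example.

```python
"""Audit NuGet PackageReference entries for known-malicious and look-alike IDs.

Added example (not ReversingLabs' or Socket's code). KNOWN_MALICIOUS holds
the four package IDs named in the Socket report; TRUSTED, the similarity
threshold and SAMPLE_CSPROJ are constructed for this example.
"""
import re
import xml.etree.ElementTree as ET
from difflib import SequenceMatcher

# Package IDs named in the Socket write-up above.
KNOWN_MALICIOUS = {"NCryptYo", "DOMOAuth2_", "IRAOAuth2.0", "SimpleWriter_"}

# Popular IDs an attacker would imitate. Constructed list; Stripe.net is
# the package the ReversingLabs item says was mimicked.
TRUSTED = {"Stripe.net", "Newtonsoft.Json", "Nethereum.Web3", "Coinbase"}

# Constructed SDK-style project file; "Strlpe.net" stands in for an
# unnamed look-alike, and Stripe.Net differs from Stripe.net only in case.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk.Web">
  <ItemGroup>
    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
    <PackageReference Include="Stripe.Net" Version="45.0.0" />
    <PackageReference Include="Strlpe.net" Version="1.0.0" />
    <PackageReference Include="IRAOAuth2.0" Version="1.0.2" />
    <PackageReference Include="SimpleWriter_" Version="1.0.0" />
  </ItemGroup>
</Project>
"""


def _norm(package_id: str) -> str:
    # NuGet IDs are case-insensitive; dropping separators also makes
    # "stripe-net" and "stripe_net" collide with "Stripe.net".
    return re.sub(r"[._-]", "", package_id.lower())


MALICIOUS_BY_NORM = {_norm(p): p for p in KNOWN_MALICIOUS}
TRUSTED_BY_NORM = {_norm(p): p for p in TRUSTED}


def package_refs(csproj_xml: str) -> list:
    """Return the Include attribute of every PackageReference element."""
    root = ET.fromstring(csproj_xml)
    return [el.attrib["Include"] for el in root.iter("PackageReference")
            if "Include" in el.attrib]


def lookalike_of(package_id: str, threshold: float = 0.85):
    """Trusted ID this one resembles but is not, or None.

    An exact case-insensitive match is the genuine package, never a hit.
    """
    n = _norm(package_id)
    if n in TRUSTED_BY_NORM:
        return None
    best = max(TRUSTED_BY_NORM, key=lambda t: SequenceMatcher(None, n, t).ratio())
    if SequenceMatcher(None, n, best).ratio() >= threshold:
        return TRUSTED_BY_NORM[best]
    return None


def audit(csproj_xml: str) -> dict:
    """Map each suspicious PackageReference to the reason it was flagged."""
    findings = {}
    for ref in package_refs(csproj_xml):
        n = _norm(ref)
        if n in MALICIOUS_BY_NORM:
            findings[ref] = "known malicious: " + MALICIOUS_BY_NORM[n]
        else:
            like = lookalike_of(ref)
            if like is not None:
                findings[ref] = "possible typosquat of " + like
    return findings


if __name__ == "__main__":
    for ref, reason in audit(SAMPLE_CSPROJ).items():
        print(f"{ref}: {reason}")
```

        Run it against each .csproj (or the flattened packages.lock.json) in CI. The check is name-only: it will not catch a genuine ID republished from a hostile feed, so pair it with a pinned package source in nuget.config and committed lock files.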
      • Understanding The DarkCloud Infostealer
        "Infostealers continue to dominate the initial access landscape in 2026, lowering the barrier to breach through scalable credential theft. DarkCloud illustrates how low-cost, commercialized malware is reshaping the initial access landscape. First observed in 2022 and attributed to a developer known as “Darkcloud Coder” (formerly “BluCoder” on Telegram), DarkCloud is openly sold through Telegram and a clearnet storefront with subscription tiers starting at just US$30. Despite being marketed as “surveillance software,” its technical focus is unmistakable: high-volume credential harvesting and structured data exfiltration across browsers, email clients, financial data, and contact networks."
        https://flashpoint.io/blog/understanding-darkcloud-infostealer/
      • Apache ActiveMQ Exploit Leads To LockBit Ransomware
        "A threat actor exploited CVE-2023-46604 on an internet-facing Apache ActiveMQ server. Despite being evicted after the initial intrusion, they successfully breached the same server on a second occasion 18 days later. After compromising the server, the threat actor used Metasploit, possibly along with Meterpreter, to perform post-exploitation activities. These activities included escalating privileges, accessing LSASS process memory, and moving laterally across the network. After regaining access following their eviction, the threat actor swiftly transitioned to deploying ransomware. They leveraged credentials extracted during their previous breach to deploy LockBit ransomware via RDP."
        https://thedfirreport.com/2026/02/23/apache-activemq-exploit-leads-to-lockbit-ransomware/
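        The LSASS memory access described in the ActiveMQ intrusion is one of the few steps in that chain that is noisy on the endpoint. The following is an added example, not code from The DFIR Report, that flags Sysmon-style ProcessAccess (Event ID 10) records opening lsass.exe with memory-access rights from an image outside an allowlist. Field names follow Sysmon Event ID 10; the log lines, the allowlist and the key=value record format are constructed for this example.

```python
"""Flag LSASS memory access in Sysmon-style ProcessAccess (Event ID 10) records.

Added example; not code from The DFIR Report. Field names follow Sysmon
Event ID 10; the log lines, the allowlist and the record format
(key=value pairs joined by '|') are constructed for this example.
"""

# Access-mask bits that let a caller read or tamper with another process's
# memory. PROCESS_QUERY_LIMITED_INFORMATION alone (0x1000) is routine noise
# and is deliberately not included.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
DUMP_CAPABLE_MASK = (PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION
                     | PROCESS_VM_READ | PROCESS_VM_WRITE)

# Constructed allowlist of images that legitimately open lsass.exe; tune
# it per environment (EDR and AV agents differ).
ALLOWED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}

# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    r"EventID=10|UtcTime=2026-02-10 03:11:02|SourceImage=C:\Windows\System32\svchost.exe|TargetImage=C:\Windows\system32\lsass.exe|GrantedAccess=0x1000",
    r"EventID=10|UtcTime=2026-02-10 03:12:44|SourceImage=C:\Users\Public\taskhost.exe|TargetImage=C:\Windows\system32\lsass.exe|GrantedAccess=0x1010",
    r"EventID=10|UtcTime=2026-02-10 03:12:51|SourceImage=C:\Windows\Temp\x.exe|TargetImage=C:\Windows\system32\lsass.exe|GrantedAccess=0x1FFFFF",
    r"EventID=10|UtcTime=2026-02-10 03:13:05|SourceImage=C:\Program Files\Windows Defender\MsMpEng.exe|TargetImage=C:\Windows\system32\lsass.exe|GrantedAccess=0x1410",
    r"EventID=10|UtcTime=2026-02-10 03:13:20|SourceImage=C:\Users\Public\taskhost.exe|TargetImage=C:\Windows\explorer.exe|GrantedAccess=0x1010",
    r"EventID=1|UtcTime=2026-02-10 03:13:30|Image=C:\Windows\Temp\x.exe|CommandLine=x.exe -s",
    r"EventID=10|UtcTime=2026-02-10 03:14:00|SourceImage=C:\Windows\Temp\svc.exe|TargetImage=C:\Windows\system32\lsass.exe|GrantedAccess=0x1000",
]


def parse_event(line: str) -> dict:
    """Parse one constructed 'key=value|key=value' record."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    fields["EventID"] = int(fields["EventID"])
    return fields


def is_suspicious_lsass_access(event: dict) -> bool:
    """True for a ProcessAccess event that opens lsass.exe with memory
    access rights from an image that is not allowlisted."""
    if event.get("EventID") != 10:
        return False
    if not event.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        return False
    if event.get("SourceImage", "").lower() in ALLOWED_SOURCES:
        return False
    granted = int(event.get("GrantedAccess", "0x0"), 16)
    return bool(granted & DUMP_CAPABLE_MASK)


def flag_lsass_access(lines) -> list:
    """Return (UtcTime, SourceImage, GrantedAccess) for each suspicious record."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if is_suspicious_lsass_access(ev):
            hits.append((ev["UtcTime"], ev["SourceImage"], ev["GrantedAccess"]))
    return hits


if __name__ == "__main__":
    for when, source, access in flag_lsass_access(SAMPLE_EVENTS):
        print(f"{when}  {source}  GrantedAccess={access}")
```

        Two of the seven constructed records fire: the 0x1010 (VM_READ plus QUERY_INFORMATION) and 0x1FFFFF (PROCESS_ALL_ACCESS) opens from unexpected paths. The 0x1000 open from C:\Windows\Temp is left alone to keep noise down, which is a deliberate trade-off. A hit like this is also the cue the report's timeline argues for: any credential that could have been read from LSASS before eviction has to be rotated, or the same credentials come back with the attacker 18 days later.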

      Breaches/Hacks/Leaks

      • Medical Device Maker UFP Technologies Warns Of Data Stolen In Cyberattack
        "American manufacturer of medical devices, UFP Technologies, has disclosed that a cybersecurity incident has compromised its IT systems and data. UFP Technologies is a publicly traded medical engineering and manufacturing company that produces a broad range of devices and components used in surgery, wound care, implants, orthopedic applications, and healthcare wearables. The company employs 4,300 people, has an annual revenue of $600 million, and a market cap of $1.86 billion, according to recent data."
        https://www.bleepingcomputer.com/news/security/medical-device-maker-ufp-technologies-warns-of-data-stolen-in-cyberattack/
        https://therecord.media/ufp-technologies-medical-devices-sec-filing-cyberattack
        https://www.bankinfosecurity.com/medical-device-maker-reports-data-theft-hack-to-sec-a-30847
        https://www.securityweek.com/medical-device-maker-ufp-technologies-hit-by-cyberattack/
      • Canadian Tire Data Breach
        "In October 2025, retailer Canadian Tire was the victim of a data breach that exposed almost 42M records. The data contained 38M unique email addresses along with names, phone numbers and physical addresses. Passwords were stored as PBKDF2 hashes and for a subset of records, dates of birth and partial credit card data were also included (card type, expiry and masked card number). In its disclosure notice, Canadian Tire advised that the incident did not impact bank account information or loyalty program data."
        https://haveibeenpwned.com/Breach/CanadianTire

      General News

      • Ex-L3Harris Exec Jailed For Selling Zero-Days To Russian Exploit Broker
        "The former head of Trenchant, a specialized U.S. defense contractor unit, was sentenced Tuesday to more than seven years in federal prison for stealing and selling zero-day exploits to a Russian exploit broker whose clients include the Russian government. 39-year-old Australian national Peter Williams served as the general manager of Trenchant, a cybersecurity unit of defense contractor L3Harris that develops surveillance tools and zero-day exploits for the U.S. government and its Five Eyes intelligence partners."
        https://www.bleepingcomputer.com/news/security/ex-l3harris-exec-jailed-for-selling-zero-days-to-russian-exploit-broker/
        https://thehackernews.com/2026/02/defense-contractor-employee-jailed-for.html
        https://www.helpnetsecurity.com/2026/02/25/peter-williams-l3harris-executive-sentenced-trade-secrets-theft-russia/
        https://www.infosecurity-magazine.com/news/defense-contractor-boss-7-years/
        https://securityaffairs.com/188482/intelligence/former-u-s-defense-contractor-executive-sentenced-for-selling-zero-day-exploits-to-russian-broker-operation-zero.html
        https://www.securityweek.com/ex-us-defense-contractor-executive-jailed-for-selling-exploits-to-russia/
        https://www.theregister.com/2026/02/25/former_l3harris_exec_jailed/
      • Airline Brands Become Launchpads For Phishing, Crypto Fraud
        "Airline brands sit at the center of peak travel booking cycles, loyalty programs, and high value transactions. Criminal groups continue to register thousands of lookalike domains tied to these brands, targeting travelers, employees, and business partners. Recent threat intelligence from BforeAI’s PreCrime Labs identifies sustained impersonation activity across the global commercial airline sector."
        https://www.helpnetsecurity.com/2026/02/25/airline-phishing-campaigns-crypto-fraud/
      • Beyond Borders: How Threat Intelligence Provenance Can Save Global Cybersecurity From Geopolitical Fragmentation
        "In mid-January 2026, the Chinese government allegedly announced a sweeping ban on cybersecurity software from more than a dozen U.S. and Israeli firms, including industry giants like Palo Alto Networks, CrowdStrike, and Check Point. The stated reason: concerns that foreign software could collect and transmit confidential information abroad. This move represents more than just another salvo in ongoing tech tensions between the two governments. It threatens to fracture a foundational practice of internet cybersecurity: the global threat intelligence ecosystem that allows defenders worldwide to collect, analyze, and share information about emerging attacks and responses to cyber threats that know no borders."
        https://www.internetgovernance.org/2026/02/23/beyond-borders-how-threat-intelligence-provenance-can-save-global-cybersecurity-from-geopolitical-fragmentation/
        https://www.theregister.com/2026/02/25/threat_intelligence_supply_chain_research/
      • 2026 VulnCheck Exploit Intelligence Report
        "In 2025, barely 1% of disclosed vulnerabilities were exploited in the wild. Yet those that were exploited were operationalized quickly, attracted diverse threat actors, and often caused outsized damage before organizations had a chance to respond. This report identifies which vulnerabilities mattered, why attackers targeted them, and where timing failures left organizations exposed."
        https://wwv.vulncheck.com/2026-vulncheck-exploit-intelligence-report
        https://cyberscoop.com/vulncheck-exploited-vulnerabilities-report-2025/
      • The Post-RAMP Era: Allegations, Fragmentation, And The Rebuilding Of The Ransomware Underground
        "The January 2026 seizure of RAMP disrupted a major ransomware coordination hub, but it did not dismantle the ecosystem behind it. Instead, it destabilized trust and accelerated fragmentation across the underground. Rather than consolidating around a single successor, ransomware actors are redistributing across both gated platforms like T1erOne and accessible forums such as Rehub. This shift reflects adaptation, not decline. For defenders, visibility into centralized coordination is shrinking. Monitoring must evolve beyond tracking individual forums to identifying actor migration, recruitment signals, and early indicators of regrouping. Disruption rarely eliminates ecosystems; it reshapes them. Organizations that adapt their intelligence strategies accordingly will be best positioned to stay ahead."
        https://www.rapid7.com/blog/post/tr-post-ramp-allegations-fragmentation-ransomware-underground-rebuild/
        https://www.darkreading.com/threat-intelligence/ramp-forum-seizure-fractures-ransomware-ecosystem
      • Why 'Call This Number' TOAD Emails Beat Gateways
        "While much of the conversation surrounding phishing concerns not clicking a suspicious link or downloading a malicious attachment, there's an attack technique gaining prominence in which the email payload consists of nothing but a phone number. And these emails are getting past defenses. Researchers from email security vendor StrongestLayer today published an analysis of roughly 5,000 email-based threat detections that bypassed secure email gateways across multiple enterprise environments between December 2025 and now."
        https://www.darkreading.com/threat-intelligence/why-call-this-number-toad-emails-beat-gateways
        https://www.strongestlayer.com/white-paper/enterprise-phishing-evasion-techniques-2026
      • Autonomous Endpoint Management Isn’t Just Efficiency, It’s a Security Imperative
        "We are looking at a math problem that no longer balances. On one side, CrowdStrike’s 2025 Global Threat Report pegs the average eCrime breakout time at 48 minutes, with the fastest intrusion clocking in at 51 seconds. On the other side, the 2025 Verizon DBIR shows edge device remediation dragging out to a median of 32 days. That disconnect represents the biggest liability in cybersecurity today. Exposure time has graduated from an operational KPI to a defining security metric."
        https://hackread.com/autonomous-endpoint-management-security-imperative/
      • The Blast Radius Problem: Stolen Credentials Are Weaponizing Agentic AI
        "Weak access controls, AI confusion, and the interconnection of business continue to expand Threat. More than half (56%) of the 400,000 vulnerabilities IBM X-Force tracked in 2025 required no authentication before exploitation. This is revealed in the X-Force 2025 Threat Intelligence Index. The report also highlights the continuing success of infostealer credential theft, pointing to the discovery of 300,000 ChatGPT credentials on the dark web (almost certainly stolen by infostealers)."
        https://www.securityweek.com/the-blast-radius-problem-stolen-credentials-are-weaponizing-agentic-ai/
        https://www.infosecurity-magazine.com/news/app-exploits-surge-ai-speeds/
      • Moscow Man Accused Of Posing As FSB Officer To Extort Conti Ransomware Gang
        "A Moscow resident has been accused of trying to extort money from the notorious Conti ransomware group by posing as an officer of Russia’s Federal Security Service (FSB), according to local media reports. Russian outlet RBC, citing sources familiar with the investigation, reported on Wednesday that the suspect, Ruslan Satuchin, allegedly presented himself as an FSB officer and demanded a large payment from Conti members in exchange for avoiding criminal prosecution."
        https://therecord.media/moscow-man-accused-of-extorting-conti-gang

      Reference
      Electronic Transactions Development Agency (ETDA)

      Posted in Cyber Security News
      NCSA_THAICERT